
Wireshark 2.0.0 to 2.0.4, 1.12.0 to 1.12.12 - RLC Dissector Denial of Service
87 lines
9.2 KiB
Text
Executable file
Sample PCAP
Build Information:
TShark (Wireshark) 2.0.2 (SVN Rev Unknown from unknown)
Copyright 1998-2016 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with libz 1.2.8, with GLib 2.48.0, with SMI 0.4.8, with c-ares 1.10.0, with Lua
5.2, with GnuTLS 3.4.10, with Gcrypt 1.6.5, with MIT Kerberos, with GeoIP.
Running on Linux 4.4.0-22-generic, with locale en_GB.UTF-8, with libpcap version
1.7.4, with libz 1.2.8, with GnuTLS 3.4.10, with Gcrypt 1.6.5.
Intel Core Processor (Haswell) (with SSE4.2)
Built using gcc 5.3.1 20160407.
--
The fuzzed PCAP takes 100% CPU and runs for a long time on tshark 2.0.2 and on a recent build from the repository (commit 688d055acd523e645c1e87267dcf4a0a9867adbd).
GDB backtrace from 'tshark -2 -V -r <pcap>', aborted after running for a while:
Program received signal SIGABRT, Aborted.
0x00007ffff45bb676 in rlc_decode_li (mode=RLC_AM, tvb=0x9342c0, pinfo=0xb04c18, tree=0x0, li=0x7fffffffbab0, max_li=16 '\020', li_on_2_bytes=0) at packet-rlc.c:1722
1722 next_bytes = li_on_2_bytes ? tvb_get_ntohs(tvb, hdr_len) : tvb_get_guint8(tvb, hdr_len);
Output of 'thread apply all bt' in gdb:
Thread 1 (Thread 0x7ffff7fb9740 (LWP 1578)):
#0 0x00007ffff45bb676 in rlc_decode_li (mode=RLC_AM, tvb=0x9342c0, pinfo=0xb04c18, tree=0x0, li=0x7fffffffbab0, max_li=16 '\020', li_on_2_bytes=0) at packet-rlc.c:1722
#1 0x00007ffff45bde04 in dissect_rlc_am (channel=RLC_UL_DCCH, tvb=0x9342c0, pinfo=0xb04c18, top_level=0x0, tree=0x0, atm=0x0) at packet-rlc.c:2308
#2 0x00007ffff45be82a in dissect_rlc_dcch (tvb=0x9342c0, pinfo=0xb04c18, tree=0x0, data=0x0) at packet-rlc.c:2477
#3 0x00007ffff3caa711 in call_dissector_through_handle (handle=0x7fffedb08f50, tvb=0x9342c0, pinfo=0xb04c18, tree=0x0, data=0x0) at packet.c:660
#4 0x00007ffff3caa8a2 in call_dissector_work (handle=0x7fffedb08f50, tvb=0x9342c0, pinfo_arg=0xb04c18, tree=0x0, add_proto_name=1, data=0x0) at packet.c:735
#5 0x00007ffff3cadd25 in call_dissector_only (handle=0x7fffedb08f50, tvb=0x9342c0, pinfo=0xb04c18, tree=0x0, data=0x0) at packet.c:2791
#6 0x00007ffff3cadd68 in call_dissector_with_data (handle=0x7fffedb08f50, tvb=0x9342c0, pinfo=0xb04c18, tree=0x0, data=0x0) at packet.c:2804
#7 0x00007ffff47e7679 in dissect_mac_fdd_dch (tvb=0xb0ac50, pinfo=0xb04c18, tree=0x0, data=0x0) at packet-umts_mac.c:564
#8 0x00007ffff3caa711 in call_dissector_through_handle (handle=0x7fffedb13b70, tvb=0xb0ac50, pinfo=0xb04c18, tree=0x0, data=0x0) at packet.c:660
#9 0x00007ffff3caa8a2 in call_dissector_work (handle=0x7fffedb13b70, tvb=0xb0ac50, pinfo_arg=0xb04c18, tree=0x0, add_proto_name=1, data=0x0) at packet.c:735
#10 0x00007ffff3cadd25 in call_dissector_only (handle=0x7fffedb13b70, tvb=0xb0ac50, pinfo=0xb04c18, tree=0x0, data=0x0) at packet.c:2791
#11 0x00007ffff3cadd68 in call_dissector_with_data (handle=0x7fffedb13b70, tvb=0xb0ac50, pinfo=0xb04c18, tree=0x0, data=0x0) at packet.c:2804
#12 0x00007ffff47dab2e in dissect_tb_data (tvb=0xb0ac00, pinfo=0xb04c18, tree=0x0, offset=3, p_fp_info=0x7fffeca74180, data_handle=0x7ffff7aae8e8 <mac_fdd_dch_handle>, data=0x0) at packet-umts_fp.c:815
#13 0x00007ffff47decbb in dissect_dch_channel_info (tvb=0xb0ac00, pinfo=0xb04c18, tree=0x0, offset=3, p_fp_info=0x7fffeca74180, data=0x0) at packet-umts_fp.c:2557
#14 0x00007ffff47e476e in dissect_fp_common (tvb=0xb0ac00, pinfo=0xb04c18, tree=0x0, data=0x0) at packet-umts_fp.c:4419
#15 0x00007ffff47e4add in dissect_fp (tvb=0xb0ac00, pinfo=0xb04c18, tree=0x0, data=0x0) at packet-umts_fp.c:4507
#16 0x00007ffff3caa711 in call_dissector_through_handle (handle=0x7fffeda51580, tvb=0xb0ac00, pinfo=0xb04c18, tree=0x0, data=0x0) at packet.c:660
#17 0x00007ffff3caa8a2 in call_dissector_work (handle=0x7fffeda51580, tvb=0xb0ac00, pinfo_arg=0xb04c18, tree=0x0, add_proto_name=1, data=0x0) at packet.c:735
#18 0x00007ffff3cadd25 in call_dissector_only (handle=0x7fffeda51580, tvb=0xb0ac00, pinfo=0xb04c18, tree=0x0, data=0x0) at packet.c:2791
#19 0x00007ffff3c99819 in try_conversation_dissector (addr_a=0xb04cf0, addr_b=0xb04cd8, ptype=PT_UDP, port_a=65359, port_b=8040, tvb=0xb0ac00, pinfo=0xb04c18, tree=0x0, data=0x0) at conversation.c:1323
#20 0x00007ffff47d3839 in decode_udp_ports (tvb=0x848b70, offset=8, pinfo=0xb04c18, tree=0x0, uh_sport=8040, uh_dport=65359, uh_ulen=3554) at packet-udp.c:541
#21 0x00007ffff47d5e21 in dissect (tvb=0x848b70, pinfo=0xb04c18, tree=0x0, ip_proto=17) at packet-udp.c:1080
#22 0x00007ffff47d5e79 in dissect_udp (tvb=0x848b70, pinfo=0xb04c18, tree=0x0, data=0x7fffec869030) at packet-udp.c:1086
#23 0x00007ffff3caa711 in call_dissector_through_handle (handle=0x7fffedb13330, tvb=0x848b70, pinfo=0xb04c18, tree=0x0, data=0x7fffec869030) at packet.c:660
#24 0x00007ffff3caa8a2 in call_dissector_work (handle=0x7fffedb13330, tvb=0x848b70, pinfo_arg=0xb04c18, tree=0x0, add_proto_name=1, data=0x7fffec869030) at packet.c:735
#25 0x00007ffff3cab583 in dissector_try_uint_new (sub_dissectors=0x7b1cc0, uint_val=17, tvb=0x848b70, pinfo=0xb04c18, tree=0x0, add_proto_name=1, data=0x7fffec869030) at packet.c:1199
#26 0x00007ffff425e409 in ip_try_dissect (heur_first=0, tvb=0x848b70, pinfo=0xb04c18, tree=0x0, iph=0x7fffec869030) at packet-ip.c:1977
#27 0x00007ffff426037c in dissect_ip_v4 (tvb=0x848b20, pinfo=0xb04c18, parent_tree=0x0, data=0x0) at packet-ip.c:2476
#28 0x00007ffff3caa711 in call_dissector_through_handle (handle=0x7fffedb78930, tvb=0x848b20, pinfo=0xb04c18, tree=0x0, data=0x0) at packet.c:660
#29 0x00007ffff3caa8a2 in call_dissector_work (handle=0x7fffedb78930, tvb=0x848b20, pinfo_arg=0xb04c18, tree=0x0, add_proto_name=1, data=0x0) at packet.c:735
#30 0x00007ffff3cab583 in dissector_try_uint_new (sub_dissectors=0x73c040, uint_val=2048, tvb=0x848b20, pinfo=0xb04c18, tree=0x0, add_proto_name=1, data=0x0) at packet.c:1199
#31 0x00007ffff3cab5e4 in dissector_try_uint (sub_dissectors=0x73c040, uint_val=2048, tvb=0x848b20, pinfo=0xb04c18, tree=0x0) at packet.c:1225
#32 0x00007ffff40a1c60 in dissect_ethertype (tvb=0xb03d20, pinfo=0xb04c18, tree=0x0, data=0x7fffffffcc20) at packet-ethertype.c:262
#33 0x00007ffff3caa711 in call_dissector_through_handle (handle=0x7fffeda50000, tvb=0xb03d20, pinfo=0xb04c18, tree=0x0, data=0x7fffffffcc20) at packet.c:660
#34 0x00007ffff3caa8a2 in call_dissector_work (handle=0x7fffeda50000, tvb=0xb03d20, pinfo_arg=0xb04c18, tree=0x0, add_proto_name=1, data=0x7fffffffcc20) at packet.c:735
#35 0x00007ffff3cadd25 in call_dissector_only (handle=0x7fffeda50000, tvb=0xb03d20, pinfo=0xb04c18, tree=0x0, data=0x7fffffffcc20) at packet.c:2791
#36 0x00007ffff3cadd68 in call_dissector_with_data (handle=0x7fffeda50000, tvb=0xb03d20, pinfo=0xb04c18, tree=0x0, data=0x7fffffffcc20) at packet.c:2804
#37 0x00007ffff40a04d5 in dissect_eth_common (tvb=0xb03d20, pinfo=0xb04c18, parent_tree=0x0, fcs_len=-1) at packet-eth.c:540
#38 0x00007ffff40a106b in dissect_eth (tvb=0xb03d20, pinfo=0xb04c18, tree=0x0, data=0xad6928) at packet-eth.c:836
#39 0x00007ffff3caa711 in call_dissector_through_handle (handle=0x7fffedb5c7a0, tvb=0xb03d20, pinfo=0xb04c18, tree=0x0, data=0xad6928) at packet.c:660
#40 0x00007ffff3caa8a2 in call_dissector_work (handle=0x7fffedb5c7a0, tvb=0xb03d20, pinfo_arg=0xb04c18, tree=0x0, add_proto_name=1, data=0xad6928) at packet.c:735
#41 0x00007ffff3cab583 in dissector_try_uint_new (sub_dissectors=0x73c2c0, uint_val=1, tvb=0xb03d20, pinfo=0xb04c18, tree=0x0, add_proto_name=1, data=0xad6928) at packet.c:1199
#42 0x00007ffff40e9887 in dissect_frame (tvb=0xb03d20, pinfo=0xb04c18, parent_tree=0x0, data=0x7fffffffd380) at packet-frame.c:507
#43 0x00007ffff3caa711 in call_dissector_through_handle (handle=0x7fffeda51950, tvb=0xb03d20, pinfo=0xb04c18, tree=0x0, data=0x7fffffffd380) at packet.c:660
#44 0x00007ffff3caa8a2 in call_dissector_work (handle=0x7fffeda51950, tvb=0xb03d20, pinfo_arg=0xb04c18, tree=0x0, add_proto_name=1, data=0x7fffffffd380) at packet.c:735
#45 0x00007ffff3cadd25 in call_dissector_only (handle=0x7fffeda51950, tvb=0xb03d20, pinfo=0xb04c18, tree=0x0, data=0x7fffffffd380) at packet.c:2791
#46 0x00007ffff3cadd68 in call_dissector_with_data (handle=0x7fffeda51950, tvb=0xb03d20, pinfo=0xb04c18, tree=0x0, data=0x7fffffffd380) at packet.c:2804
#47 0x00007ffff3caa079 in dissect_record (edt=0xb04c00, file_type_subtype=1, phdr=0xad68c0, tvb=0xb03d20, fd=0x7fffffffd550, cinfo=0x0) at packet.c:543
#48 0x00007ffff3c9ebf9 in epan_dissect_run (edt=0xb04c00, file_type_subtype=1, phdr=0xad68c0, tvb=0xb03d20, fd=0x7fffffffd550, cinfo=0x0) at epan.c:365
#49 0x000000000041844c in process_packet_first_pass (cf=0x64f100 <cfile>, edt=0xb04c00, offset=20928, whdr=0xad68c0, pd=0xb04e20 "4\a\373\024t,\320\320\375+\004\300\b") at tshark.c:2694
#50 0x0000000000418dd7 in load_cap_file (cf=0x64f100 <cfile>, save_file=0x0, out_file_type=2, out_file_name_res=0, max_packet_count=-1, max_byte_count=0) at tshark.c:2988
#51 0x0000000000416fa0 in main (argc=5, argv=0x7fffffffdda8) at tshark.c:1873
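The report above describes a capture that keeps tshark spinning at 100% CPU instead of failing cleanly, which is the kind of case that silently stalls a batch of fuzzed inputs. The harness below runs each case under a wall-clock limit and labels the outcome as ok, hang, crash or error. It is an added example written for this page, not code from the reporter or from the Wireshark project; it assumes GNU coreutils `timeout`, and the usage line reuses the report's own `tshark -2 -V -r <pcap>` invocation, where `<pcap>` is a placeholder for the input file.

```shell
#!/bin/sh
# Added example, not part of the original report.
# classify_run SECONDS COMMAND [ARGS...]
# Runs COMMAND under a wall-clock limit and prints exactly one of:
#   ok              command exited 0
#   hang            limit expired before the command finished
#   crash:<N>       command died from signal N (6 = SIGABRT, 11 = SIGSEGV)
#   error:<status>  command exited with a non-zero status
# Requires GNU coreutils `timeout` (assumption; not part of the report).
classify_run() {
    limit="$1"
    shift
    rc=0
    # `|| rc=$?` keeps this safe under `set -e`: a non-zero exit from
    # timeout is captured instead of aborting the calling shell.
    timeout -s KILL "$limit" "$@" >/dev/null 2>&1 || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo ok
    elif [ "$rc" -eq 124 ] || [ "$rc" -eq 137 ]; then
        # 124: timeout's own "limit expired" status;
        # 137: 128+SIGKILL, reported by some timeout builds after -s KILL
        echo hang
    elif [ "$rc" -gt 128 ]; then
        # 128+N: the monitored command was terminated by signal N
        echo "crash:$((rc - 128))"
    else
        echo "error:$rc"
    fi
}

# triage_pcaps SECONDS FILE...
# Runs the report's tshark invocation on every file and prints
# "<file><TAB><result>" so a batch can be sorted by outcome afterwards.
triage_pcaps() {
    limit="$1"
    shift
    for f in "$@"; do
        printf '%s\t%s\n' "$f" "$(classify_run "$limit" tshark -2 -V -r "$f")"
    done
}

# Usage (not executed here): triage_pcaps 30 fuzzed/*.pcap
```

A case labelled `hang` is the one to re-run under gdb, as the reporter did, after letting it spin for a while; a `crash:6` corresponds to the SIGABRT shown in the backtrace. Keep the limit generous relative to the size of the capture, since a large but well-formed file can legitimately take seconds on `-2` (two-pass) mode.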
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40199.zip