A mirror of the Gitlab repo: https://gitlab.com/exploit-database/exploitdb
Offensive Security 3cfdd1cc27 DB: 2017-10-12
5 new exploits

MultiTheftAuto 0.5 patch 1 - Server Crash and MOTD Deletion Exploit
MultiTheftAuto 0.5 patch 1 - Server Crash / MOTD Deletion Exploit

Amaya Web Editor 11.0 - XML and HTML parser Vulnerabilities
Amaya Web Editor 11.0 - XML / HTML Parser Vulnerabilities

Apple Safari & QuickTime - Denial of Service
Apple Safari / QuickTime - Denial of Service

Real Helix DNA - RTSP and SETUP Request Handler Vulnerabilities
Real Helix DNA - RTSP / SETUP Request Handler Vulnerabilities

Juniper Networks JUNOS 7.1.1 - Malformed TCP Packet Denial of Service and Unspecified Vulnerabilities
Juniper Networks JUNOS 7.1.1 - Malformed TCP Packet Denial of Service / Unspecified Vulnerabilities

Novell Netware - CIFS And AFP Remote Memory Consumption Denial of Service
Novell Netware - CIFS and AFP Remote Memory Consumption Denial of Service

Multiple Adobe Products - XML External Entity And XML Injection Vulnerabilities
Multiple Adobe Products - XML External Entity / XML Injection Vulnerabilities

Ghost Recon Advanced Warfighter - Integer Overflow and Array Indexing Overflow
Ghost Recon Advanced Warfighter - Integer Overflow / Array Indexing Overflow

Webkit (Apple Safari < 4.1.2/5.0.2 & Google Chrome < 5.0.375.125) - Memory Corruption
Webkit (Apple Safari < 4.1.2/5.0.2 / Google Chrome < 5.0.375.125) - Memory Corruption

Mozilla Firefox - Interleaving document.write and appendChild Denial of Service
Mozilla Firefox - Interleaving 'document.write' / 'appendChild' Denial of Service

Avirt Mail 4.0/4.2 - 'Mail From:' and 'Rcpt to:' Denial of Service
Avirt Mail 4.0/4.2 - 'Mail From:' / 'Rcpt to:' Denial of Service

BRS Webweaver 1.0 4 - POST and HEAD Denial of Service
BRS Webweaver 1.0 4 - POST / HEAD Denial of Service

Microsoft IIS 5.0 - WebDAV PROPFIND and SEARCH Method Denial of Service
Microsoft IIS 5.0 - WebDAV PROPFIND / SEARCH Method Denial of Service

Microsoft Internet Explorer 5.0.1 - Malformed IMG and XML Parsing Denial of Service
Microsoft Internet Explorer 5.0.1 - Malformed .IMG / .XML Parsing Denial of Service

Extended Module Player (xmp) 2.5.1 - 'oxm.c' And 'dtt_load.c' Multiple Local Buffer Overflow Vulnerabilities
Extended Module Player (xmp) 2.5.1 - 'oxm.c' / 'dtt_load.c' Multiple Local Buffer Overflow Vulnerabilities

Microsoft Internet Explorer 9/10 - CFormElement Use-After-Free and Memory Corruption (PoC) (MS14-035)
Microsoft Internet Explorer 9/10 - CFormElement Use-After-Free / Memory Corruption (PoC) (MS14-035)

Ubisoft Ghost Recon Advanced Warfighter - Integer Overflow and Array Indexing Overflow
Ubisoft Ghost Recon Advanced Warfighter - Integer Overflow / Array Indexing Overflow

Adobe Photoshop CC & Bridge CC - '.iff' Parsing Memory Corruption
Adobe Photoshop CC / Bridge CC - '.iff' Parsing Memory Corruption

Nitro Pro 10.5.7.32 & Nitro Reader 5.5.3.1 - Heap Memory Corruption
Nitro Pro 10.5.7.32 / Nitro Reader 5.5.3.1 - Heap Memory Corruption

Microsoft Windows - GDI+ EMR_EXTTEXTOUTA and EMR_POLYTEXTOUTA Heap Based Buffer Overflow (MS16-097)
Microsoft Windows - GDI+ EMR_EXTTEXTOUTA / EMR_POLYTEXTOUTA Heap Based Buffer Overflow (MS16-097)

Google Android - 'cfp_ropp_new_key_reenc' and 'cfp_ropp_new_key' RKP Memory Corruption
Google Android - 'cfp_ropp_new_key_reenc' / 'cfp_ropp_new_key' RKP Memory Corruption

Microsoft Windows Kernel - Registry Hive Loading Crashes in nt!nt!HvpGetBinMemAlloc and nt!ExpFindAndRemoveTagBigPages (MS17-017)
Microsoft Windows Kernel - Registry Hive Loading Crashes in nt!nt!HvpGetBinMemAlloc / nt!ExpFindAndRemoveTagBigPages (MS17-017)

Microsoft Windows 7 Kernel - Pool-Based Out-of-Bounds Reads Due to bind() Implementation Bugs in afd.sys and tcpip.sys
Microsoft Windows 7 Kernel - Pool-Based Out-of-Bounds Reads Due to bind() Implementation Bugs in afd.sys / tcpip.sys

binutils 2.29.51.20170921 - 'read_1_byte' Heap-Based Buffer Overflow

BSD & Linux umount - Privilege Escalation
BSD / Linux - 'umount'  Privilege Escalation

BSD & Linux lpr - Privilege Escalation
BSD / Linux - 'lpr' Privilege Escalation

DelphiTurk CodeBank 3.1 - Local 'Username' and Password Disclosure
DelphiTurk CodeBank 3.1 - Local Username and Password Disclosure

SystemTap 1.0/1.1 - '__get_argv()' and '__get_compat_argv()' Local Memory Corruption
SystemTap 1.0/1.1 - '__get_argv()' / '__get_compat_argv()' Local Memory Corruption

Filemaker Pro 13.03 & Advanced 12.04 - Login Bypass / Privilege Escalation
Filemaker Pro 13.03 / Advanced 12.04 - Login Bypass / Privilege Escalation

ASX to MP3 converter < 3.1.3.7 - Stack Overflow (DEP Bypass)
ASX to MP3 converter < 3.1.3.7 - '.asx' Stack Overflow (DEP Bypass)
ASX to MP3 3.1.3.7 - '.m3u' Buffer Overflow

Microsoft Windows - WINS Vulnerability and OS/SP Scanner
Microsoft Windows - WINS Vulnerability + OS/SP Scanner

Mozilla Firefox 3.6.8 < 3.6.11 - Interleaving document.write and appendChild Exploit (From the Wild)
Mozilla Firefox 3.6.8 < 3.6.11 - Interleaving 'document.write' / 'appendChild' Exploit

Mozilla Firefox - Interleaving document.write and appendChild Exploit (Metasploit)
Mozilla Firefox - Interleaving 'document.write' / 'appendChild' Exploit (Metasploit)

Quest InTrust 10.4.x - ReportTree and SimpleTree Classes
Quest InTrust 10.4.x - ReportTree / SimpleTree Classes

SunOS 4.1.3 - LD_LIBRARY_PATH and LD_OPTIONS
SunOS 4.1.3 - LD_LIBRARY_PATH / LD_OPTIONS Exploit

RedHat Linux 5.1 & Caldera OpenLinux Standard 1.2 - Mountd
RedHat Linux 5.1 / Caldera OpenLinux Standard 1.2 - Mountd

Microsoft IIS 3.0/4.0 - Using ASP And FSO To Read Server Files
Microsoft IIS 3.0/4.0 - Using ASP and FSO To Read Server Files

tcpdump 3.4 - Protocol Four and Zero Header Length
tcpdump 3.4 - Protocol Four / Zero Header Length

Symantec pcAnywhere 12.5.0 - Login and Password Field Buffer Overflow
Symantec pcAnywhere 12.5.0 - 'Login' / 'Password' Buffer Overflow

Microsoft Internet Explorer 5.0/4.0.1 - IFRAME Exploit
Microsoft Internet Explorer 5.0/4.0.1 - iFrame Exploit

Internet Security Systems ICECap Manager 2.0.23 - Default 'Username' and Password
Internet Security Systems ICECap Manager 2.0.23 - Default Username and Password

Technote 2000/2001 - 'Filename' Parameter Command Execution And File Disclosure
Technote 2000/2001 - 'Filename' Parameter Command Execution and File Disclosure

WFTPD 3.0 - 'RETR' and 'CWD' Buffer Overflow
WFTPD 3.0 - 'RETR' / 'CWD' Buffer Overflow

EFTP Server 2.0.7.337 - Directory and File Existence
EFTP Server 2.0.7.337 - Directory Existence / File Existence

Bajie HTTP Server 0.95 - Example Scripts And Servlets Cross-Site Scripting
Bajie HTTP Server 0.95 - Example Scripts and Servlets Cross-Site Scripting

InternetNow ProxyNow 2.6/2.75 - Multiple Stack and Heap Overflow Vulnerabilities
InternetNow ProxyNow 2.6/2.75 - Multiple Stack / Heap Overflow Vulnerabilities

Microsoft Windows XP - Help And Support Center Interface Spoofing
Microsoft Windows XP - Help and Support Center Interface Spoofing

BigAnt Server 2.97 - SCH And DUPF Buffer Overflow (Metasploit)
BigAnt Server 2.97 - SCH / DUPF Buffer Overflow (Metasploit)

Adobe Acrobat 7.0 / Adobe Reader 7.0 - File Existence and Disclosure
Adobe Acrobat 7.0 / Adobe Reader 7.0 - File Existence / File Disclosure

Apache 2.2.6 mod_negotiation - HTML Injection and HTTP Response Splitting
Apache 2.2.6 mod_negotiation - HTML Injection / HTTP Response Splitting

3D-FTP 8.01 - 'LIST' and 'MLSD' Directory Traversal
3D-FTP 8.01 - 'LIST' / 'MLSD' Directory Traversal

Apache Tomcat 7.0.4 - 'sort' and 'orderBy' Parameters Cross-Site Scripting
Apache Tomcat 7.0.4 - 'sort' / 'orderBy' Cross-Site Scripting

Apple macOS HelpViewer 10.12.1 - XSS Leads to Arbitrary File Execution and Arbitrary File Read
Apple macOS HelpViewer 10.12.1 - XSS Leads to Arbitrary File Execution / Arbitrary File Read

Github Enterprise - Default Session Secret And Deserialization (Metasploit)
Github Enterprise - Default Session Secret and Deserialization (Metasploit)

VX Search Enterprise 10.1.12 - Buffer Overflow

QUOTE&ORDERING SYSTEM 1.0 - 'ordernum' Multiple Vulnerabilities
Quote&Ordering System 1.0 - 'ordernum' Multiple Vulnerabilities

Joomla! Component Flash uploader 2.5.1 - Remote File Inclusion
Joomla! Component Flash Uploader 2.5.1 - Remote File Inclusion

FlexPHPNews 0.0.6 & PRO - Authentication Bypass
FlexPHPNews 0.0.6 / PRO - Authentication Bypass

click&rank - SQL Injection / Cross-Site Scripting
Click&Rank - SQL Injection / Cross-Site Scripting

WordPress Core & MU & Plugins - 'admin.php' Privileges Unchecked / Multiple Information Disclosures
WordPress Core / MU / Plugins - 'admin.php' Privileges Unchecked / Multiple Information Disclosures

PRE HOTELS&RESORTS MANAGEMENT SYSTEM - Authentication Bypass
Pre Hotels&Resorts Management System - Authentication Bypass

PHP-Nuke CMS - (Survey and Poll) SQL Injection
PHP-Nuke CMS (Survey and Poll) - SQL Injection

60 cycleCMS 2.5.2 - Cross-Site Request Forgery (Change 'Username' and Password)
60 cycleCMS 2.5.2 - Cross-Site Request Forgery (Change Username and Password)

XT-Commerce 1.0 Beta 1 - Pass / Creat and Download Backup
XT-Commerce 1.0 Beta 1 - Pass / Create and Download Backup

Allomani Songs & Clips Script 2.7.0 - Cross-Site Request Forgery (Add Admin)
Allomani Songs & Clips 2.7.0 - Cross-Site Request Forgery (Add Admin)

Sun i-Runbook 2.5.2 - Directory And File Content Disclosure
Sun i-Runbook 2.5.2 - Directory and File Content Disclosure

DUclassmate 1.x - account.asp MM-recordId Parameter Arbitrary Password Modification
DUclassmate 1.x - 'account.asp MM-recordId' Arbitrary Password Modification
DUforum 3.x - messages.asp FOR_ID Parameter SQL Injection
DUforum 3.x - messageDetail.asp MSG_ID Parameter SQL Injection
DUforum 3.x - 'messages.asp FOR_ID' SQL Injection
DUforum 3.x - 'messageDetail.asp MSG_ID' SQL Injection

SquirrelMail G/PGP Encryption Plugin 2.0/2.1 - Access Validation And Input Validation
SquirrelMail G/PGP Encryption Plugin 2.0/2.1 - Access Validation / Input Validation

JAF CMS 4.0.0 RC2 - 'website' and 'main_dir' Parameters Multiple Remote File Inclusion
JAF CMS 4.0.0 RC2 - 'website' / 'main_dir' Multiple Remote File Inclusion

WordPress Plugin WP BackupPlus - Database And Files Backup Download
WordPress Plugin WP BackupPlus - Database and Files Backup Download

WebsiteKit Gbplus - Name and Body Fields HTML Injection Vulnerabilities
WebsiteKit Gbplus - 'Name' / 'Body' HTML Injection

Gogs - (users and repos q pararm) SQL Injection
Gogs - users and repos q SQL Injection

WebFileExplorer 3.6 - 'user' and 'pass' SQL Injection
WebFileExplorer 3.6 - 'user' / 'pass' SQL Injection

Joomla! Component 'com_tree' - 'key' Parameter SQL Injection
Joomla! Component com_tree - 'key' Parameter SQL Injection

Ilient SysAid 8.5.5 - Multiple Cross-Site Scripting and HTML Injection Vulnerabilities
Ilient SysAid 8.5.5 - Multiple Cross-Site Scripting / HTML Injection Vulnerabilities

WeBid - Multiple Cross-Site Scripting And LDAP Injection Vulnerabilities
WeBid - Multiple Cross-Site Scripting / LDAP Injection Vulnerabilities

Squiz CMS - Multiple Cross-Site Scripting and XML External Entity Injection Vulnerabilities
Squiz CMS - Multiple Cross-Site Scripting / XML External Entity Injection Vulnerabilities

TOTOLINK Routers - Backdoor and Remote Code Execution (PoC)
TOTOLINK Routers - Backdoor / Remote Code Execution (PoC)
up.time 7.5.0 - Arbitrary File Disclose And Delete Exploit
up.time 7.5.0 - Upload And Execute File Exploit
up.time 7.5.0 - Arbitrary File Disclose and Delete Exploit
up.time 7.5.0 - Upload and Execute Exploit

Wildfly - WEB-INF and META-INF Information Disclosure via Filter Restriction Bypass
Wildfly - 'WEB-INF' / 'META-INF' Information Disclosure via Filter Restriction Bypass

WebKit - enqueuePageshowEvent and enqueuePopstateEvent Universal Cross-Site Scripting
WebKit - 'enqueuePageshowEvent' / 'enqueuePopstateEvent' Universal Cross-Site Scripting

WebKit - 'Document::prepareForDestruction' and 'CachedFrame' Universal Cross-Site Scripting
WebKit - 'Document::prepareForDestruction' / 'CachedFrame' Universal Cross-Site Scripting

WebKit JSC - 'JSObject::putInlineSlow and JSValue::putToPrimitive' Universal Cross-Site Scripting
WebKit JSC - 'JSObject::putInlineSlow' / 'JSValue::putToPrimitive' Universal Cross-Site Scripting
Trend Micro OfficeScan 11.0/XG (12.0) - Remote Code Execution (Metasploit)
Trend Micro InterScan Messaging Security (Virtual Appliance) - Remote Code Execution (Metasploit)

The Exploit Database Git Repository

This is the official repository of The Exploit Database, a project sponsored by Offensive Security.

The Exploit Database is an archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. Its aim is to serve as the most comprehensive collection of exploits gathered through direct submissions, mailing lists, and other public sources, and present them in a freely-available and easy-to-navigate database. The Exploit Database is a repository for exploits and proof-of-concepts rather than advisories, making it a valuable resource for those who need actionable data right away.

This repository is updated daily with the most recently added submissions. Any additional resources can be found in our binary sploits repository.

Included with this repository is the searchsploit utility, which will allow you to search through the exploits using one or more terms. For more information, please see the SearchSploit manual.

root@kali:~# searchsploit -h
  Usage: searchsploit [options] term1 [term2] ... [termN]

==========
 Examples
==========
  searchsploit afd windows local
  searchsploit -t oracle windows
  searchsploit -p 39446
  searchsploit linux kernel 3.2 --exclude="(PoC)|/dos/"

  For more examples, see the manual: https://www.exploit-db.com/searchsploit/

=========
 Options
=========
   -c, --case     [Term]      Perform a case-sensitive search (Default is inSEnsITiVe).
   -e, --exact    [Term]      Perform an EXACT match on exploit title (Default is AND) [Implies "-t"].
   -h, --help                 Show this help screen.
   -j, --json     [Term]      Show result in JSON format.
   -m, --mirror   [EDB-ID]    Mirror (aka copies) an exploit to the current working directory.
   -o, --overflow [Term]      Exploit titles are allowed to overflow their columns.
   -p, --path     [EDB-ID]    Show the full path to an exploit (and also copies the path to the clipboard if possible).
   -t, --title    [Term]      Search JUST the exploit title (Default is title AND the file's path).
   -u, --update               Check for and install any exploitdb package updates (deb or git).
   -w, --www      [Term]      Show URLs to Exploit-DB.com rather than the local path.
   -x, --examine  [EDB-ID]    Examine (aka opens) the exploit using $PAGER.
       --colour               Disable colour highlighting in search results.
       --id                   Display the EDB-ID value rather than local path.
       --nmap     [file.xml]  Checks all results in Nmap's XML output with service version (e.g.: nmap -sV -oX file.xml).
                                Use "-v" (verbose) to try even more combinations
       --exclude="term"       Remove values from results. By using "|" to separated you can chain multiple values.
                                e.g. --exclude="term1|term2|term3".

=======
 Notes
=======
 * You can use any number of search terms.
 * Search terms are not case-sensitive (by default), and ordering is irrelevant.
   * Use '-c' if you wish to reduce results by case-sensitive searching.
   * And/Or '-e' if you wish to filter results by using an exact match.
 * Use '-t' to exclude the file's path to filter the search results.
   * Remove false positives (especially when searching using numbers - i.e. versions).
 * When updating or displaying help, search terms will be ignored.

root@kali:~#
root@kali:~# searchsploit afd windows local
---------------------------------------------------------------------------------------- -----------------------------------
 Exploit Title                                                                          |  Path
                                                                                        | (/usr/share/exploitdb/platforms/)
---------------------------------------------------------------------------------------- -----------------------------------
Microsoft Windows XP - 'afd.sys' Local Kernel Denial of Service                         | windows/dos/17133.c
Microsoft Windows - 'afd.sys' Local Kernel Exploit (PoC) (MS11-046)                     | windows/dos/18755.c
Microsoft Windows XP/2003 - 'afd.sys' Privilege Escalation (K-plugin) (MS08-066)        | windows/local/6757.txt
Microsoft Windows XP/2003 - 'afd.sys' Privilege Escalation (MS11-080)                   | windows/local/18176.py
Microsoft Windows - 'AfdJoinLeaf' Privilege Escalation (MS11-080) (Metasploit)          | windows/local/21844.rb
Microsoft Windows 7 (x86) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040)  | win_x86/local/39446.py
Microsoft Windows 7 (x64) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040)  | win_x86-64/local/39525.py
Microsoft Windows (x86) - 'afd.sys' Privilege Escalation (MS11-046)                     | win_x86/local/40564.c
---------------------------------------------------------------------------------------- -----------------------------------
root@kali:~#
root@kali:~# searchsploit -p 39446
Exploit: Microsoft Windows 7 (x86) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040)
    URL: https://www.exploit-db.com/exploits/39446/
   Path: /usr/share/exploitdb/platforms/win_x86/local/39446.py

Copied EDB-ID 39446's path to the clipboard.

root@kali:~#

SearchSploit requires either "CoreUtils" or "utilities" (e.g. bash, sed, grep, awk, etc.) for the core features to work. The self-updating function requires git, and the Nmap XML option requires xmllint (found in the libxml2-utils package on Debian-based systems).