A mirror of the Gitlab repo: https://gitlab.com/exploit-database/exploitdb
Offensive Security 5bd93d7e45 DB: 2017-10-25
12 new exploits

Apple Mac OSX xnu 1228.0 - mach-o Local Kernel Denial of Service (PoC)
Apple Mac OSX xnu 1228.0 - 'mach-o' Local Kernel Denial of Service (PoC)

Apple Mac OSX xnu 1228.0 - super_blob Local kernel Denial of Service (PoC)
Apple Mac OSX xnu 1228.0 - 'super_blob' Local kernel Denial of Service (PoC)

Administrador de Contenidos - Admin Login Bypass
Administrador de Contenidos - Admin Authentication Bypass
Microsoft Windows Kernel - DeferWindowPos Use-After-Free (MS15-073)
Microsoft Windows Kernel - UserCommitDesktopMemory Use-After-Free (MS15-073)
Microsoft Windows Kernel - 'DeferWindowPos' Use-After-Free (MS15-073)
Microsoft Windows Kernel - 'UserCommitDesktopMemory' Use-After-Free (MS15-073)
Microsoft Windows Kernel - HmgAllocateObjectAttr Use-After-Free (MS15-061)
Microsoft Windows Kernel - win32k!vSolidFillRect Buffer Overflow (MS15-061)
Microsoft Windows Kernel - SURFOBJ Null Pointer Dereference (MS15-061)
Microsoft Windows Kernel - 'HmgAllocateObjectAttr' Use-After-Free (MS15-061)
Microsoft Windows Kernel - 'win32k!vSolidFillRect' Buffer Overflow (MS15-061)
Microsoft Windows Kernel - 'SURFOBJ' Null Pointer Dereference (MS15-061)
Microsoft Windows Kernel - FlashWindowEx​ Memory Corruption (MS15-097)
Microsoft Windows Kernel - bGetRealizedBrush Use-After-Free (MS15-097)
Microsoft Windows Kernel - 'FlashWindowEx​' Memory Corruption (MS15-097)
Microsoft Windows Kernel - 'bGetRealizedBrush' Use-After-Free (MS15-097)

Microsoft Windows Kernel - NtGdiStretchBlt Pool Buffer Overflows (MS15-097)
Microsoft Windows Kernel - 'NtGdiStretchBlt' Pool Buffer Overflows (MS15-097)

Microsoft Windows Kernel - NtGdiBitBlt Buffer Overflow (MS15-097)
Microsoft Windows Kernel - 'NtGdiBitBlt' Buffer Overflow (MS15-097)

Blue Coat ProxySG 5.x - and Security Gateway OS Denial of Service
Blue Coat ProxySG 5.x and Security Gateway OS - Denial of Service

Microsoft Windows Kernel - win32k!OffsetChildren Null Pointer Dereference
Microsoft Windows Kernel - 'win32k!OffsetChildren' Null Pointer Dereference

Apple Mac OSX - IOBluetoothHCIUserClient Arbitrary Kernel Code Execution
Apple Mac OSX - 'IOBluetoothHCIUserClient' Arbitrary Kernel Code Execution
Apple Mac OSX - gst_configure Kernel Buffer Overflow
Apple Mac OSX - IntelAccelerator::gstqConfigure Exploitable Kernel NULL Dereference
Apple Mac OSX - 'gst_configure' Kernel Buffer Overflow
Apple Mac OSX - 'IntelAccelerator::gstqConfigure' Exploitable Kernel NULL Dereference

Microsoft Windows Kernel - NtGdiGetTextExtentExW Out-of-Bounds Memory Read
Microsoft Windows Kernel - 'NtGdiGetTextExtentExW'' Out-of-Bounds Memory Read

Microsoft Windows Kernel - win32k Denial of Service (MS16-135)
Microsoft Windows Kernel - 'win32k' Denial of Service (MS16-135)

Microsoft Windows 10 Kernel - nt!NtTraceControl (EtwpSetProviderTraits) Pool Memory Disclosure
Microsoft Windows 10 Kernel - 'nt!NtTraceControl (EtwpSetProviderTraits)' Pool Memory Disclosure
Microsoft Windows Kernel - win32k.sys '.TTF' Font Processing Out-of-Bounds Reads/Writes with Malformed 'fpgm' table (win32k!bGeneratePath)
Microsoft Windows Kernel - win32k.sys .TTF Font Processing Out-of-Bounds Read with Malformed 'glyf' Table (win32k!fsc_CalcGrayRow)
Microsoft Windows Kernel - 'win32k.sys' '.TTF' Font Processing Out-of-Bounds Reads/Writes with Malformed 'fpgm' table (win32k!bGeneratePath)
Microsoft Windows Kernel - 'win32k.sys' '.TTF' Font Processing Out-of-Bounds Read with Malformed 'glyf' Table (win32k!fsc_CalcGrayRow)
AIX 5.2 - netpmon Local Elevated Privileges Exploit
AIX 5.2 - ipl_varyon Local Elevated Privileges Exploit
AIX 5.2 - 'netpmon' Local Privilege Escalation
AIX 5.2 - 'ipl_varyon' Local Privilege Escalation

Willing Webcam 2.8 - Licence Info Disclosure Local Exploit
Willing Webcam 2.8 - Licence Information Disclosure Local Exploit
Solaris 7.0 cancel - Exploit
Solaris 7.0 chkperm - Exploit
Solaris 7.0 - 'cancel' Exploit
Solaris 7.0 - 'chkperm' Exploit

Apple Mac OSX 10.4.x - Shared_Region_Make_Private_Np Kernel Function Local Memory Corruption
Apple Mac OSX 10.4.x - 'Shared_Region_Make_Private_Np' Kernel Function Local Memory Corruption

Apple macOS < 10.12.2 / iOS < 10.2 Kernel - _kernelrpc_mach_port_insert_right_trap Reference Count Leak / Use-After-Free
Apple macOS < 10.12.2 / iOS < 10.2 - '_kernelrpc_mach_port_insert_right_trap' Kernel  Reference Count Leak / Use-After-Free

Mikogo 5.4.1.160608 - Local Credentials Disclosure

THOMSON ST585 - 'user.ini' Arbitrary Download
THOMSON ST585 - 'user.ini' Arbitrary Disclosure

THOMSON TG585n 7.4.3.2 - 'user.ini' Arbitrary Download
THOMSON TG585n 7.4.3.2 - 'user.ini' Arbitrary Disclosure

Adobe Flash and Reader - Live Malware (PoC)
Adobe Flash / Reader - Live Malware (PoC)

Unify eWave ServletExec 3 - JSP Source Disclosure
Unify eWave ServletExec 3 - .JSP Source Disclosure

1C: Arcadia Internet Store 1.0 - Show Path
1C: Arcadia Internet Store 1.0 - Path Disclosure

Adobe ColdFusion 9 - Administrative Login Bypass (Metasploit)
Adobe ColdFusion 9 - Administrative Authentication Bypass (Metasploit)

Apache Tomcat 6.0.13 - Cookie Handling Quote Delimiter Session ID Disclosure
Apache Tomcat 6.0.13 - Insecure Cookie Handling Quote Delimiter Session ID Disclosure

myNewsletter 1.1.2 - 'adminLogin.asp' Login Bypass
myNewsletter 1.1.2 - 'adminLogin.asp' Authentication Bypass

2BGal 3.0 - '/admin/configuration.inc.php' Local Inclusion Exploit
2BGal 3.0 - '/admin/configuration.inc.php' Local File Inclusion
Estate Agent Manager 1.3 - 'default.asp' Login Bypass
Property Pro 1.0 - 'vir_Login.asp' Remote Login Bypass
Estate Agent Manager 1.3 - 'default.asp' Authentication Bypass
Property Pro 1.0 - 'vir_Login.asp' Remote Authentication Bypass

Hpecs Shopping Cart - Remote Login Bypass
Hpecs Shopping Cart - Remote Authentication Bypass

HR Assist 1.05 - 'vdateUsr.asp' Remote Login Bypass
HR Assist 1.05 - 'vdateUsr.asp' Remote Authentication Bypass

PHPX 3.5.16 - Cookie Poisoning / Login Bypass
PHPX 3.5.16 - Cookie Poisoning / Authentication Bypass

Absolute File Send 1.0 - Remote Cookie Handling
Absolute File Send 1.0 - Remote Insecure Cookie Handling

Absolute Poll Manager XE 4.1 - Cookie Handling
Absolute Poll Manager XE 4.1 - Insecure Cookie Handling

TR News 2.1 - 'login.php' Remote Login Bypass
TR News 2.1 - 'login.php' Remote Authentication Bypass

PhpAddEdit 1.3 - 'cookie' Login Bypass
PhpAddEdit 1.3 - 'cookie' Authentication Bypass

2532/Gigs 1.2.2 Stable - Remote Login Bypass
2532/Gigs 1.2.2 Stable - Remote Authentication Bypass

Flexcustomer 0.0.6 - Admin Login Bypass / Possible PHP code writing
Flexcustomer 0.0.6 - Admin Authentication Bypass / Possible PHP code writing

ClearBudget 0.6.1 - Insecure Database Download
ClearBudget 0.6.1 - Insecure Database Disclosure

ClanTiger < 1.1.1 - Multiple Cookie Handling Vulnerabilities
ClanTiger < 1.1.1 - Multiple Insecure Cookie Handling Vulnerabilities

2DayBiz Custom T-shirt Design -(SQL Injection / Cross-Site Scripting
2DayBiz Custom T-shirt Design - SQL Injection / Cross-Site Scripting

ILIAS Lms 3.9.9/3.10.7 - Arbitrary Edition/Info Disclosure Vulnerabilities
ILIAS Lms 3.9.9/3.10.7 - Arbitrary Edition/Information  Disclosure Vulnerabilities

Amiro.CMS 5.4.0.0 - Folder Disclosure
Amiro.CMS 5.4.0.0 - Path Disclosure

Mura CMS 5.1 - Root Folder Disclosure
Mura CMS 5.1 - Root Path Disclosure
jgbbs-3.0beta1 - Database Download
PSnews - Database Download
jgbbs-3.0beta1 - Database Disclosure
PSnews - Database Disclosure
AspBB - Active Server Page Bulletin Board Database Download
Futility Forum 1.0 Revamp - Database Download
htmlArea 2.03 - Database Download
Uguestbook - Database Download
BaalASP 2.0 - Database Download
Fully Functional ASP Forum 1.0 - Database Download
makit news/blog poster 3.1 - Database Download
AspBB - Active Server Page Bulletin Board Database Disclosure
Futility Forum 1.0 Revamp - Database Disclosure
htmlArea 2.03 - Database Disclosure
Uguestbook - Database Disclosure
BaalASP 2.0 - Database Disclosure
Fully Functional ASP Forum 1.0 - Database Disclosure
makit news/blog poster 3.1 - Database Disclosure

ASP Battle Blog - Database Download
ASP Battle Blog - Database Disclosure

Proxyroll.com Clone PHP Script - Cookie Handling
Proxyroll.com Clone PHP Script - Insecure Cookie Handling

YP Portal MS-Pro Surumu 1.0 - Database Download
YP Portal MS-Pro Surumu 1.0 - Database Disclosure
Lebi soft Ziyaretci Defteri 7.5 - Database Download
Net Gitar Shop 1.0 - Database Download
Lebi soft Ziyaretci Defteri 7.5 - Database Disclosure
Net Gitar Shop 1.0 - Database Disclosure

VP-ASP Shopping Cart 7.0 - Database Download
VP-ASP Shopping Cart 7.0 - Database Disclosure

Asp VevoCart Control System 3.0.4 - Database Download
Asp VevoCart Control System 3.0.4 - Database Disclosure
MoME CMS 0.8.5 - Remote Login Bypass
RoseOnlineCMS 3 B1 - Remote Login Bypass
MoME CMS 0.8.5 - Remote Authentication Bypass
RoseOnlineCMS 3 B1 - Remote Authentication Bypass

al3jeb script - Remote Login Bypass
al3jeb script - Remote Authentication Bypass

Al Sat Scripti - Database Download
Al Sat Scripti - Database Disclosure

Mp3 MuZik - DataBase Download
Mp3 MuZik - Database Disclosure

My School Script - Data Base Download
My School Script - Database Disclosure

Azimut Technologie - Admin Login Bypass
Azimut Technologie - Admin Authentication Bypass

Auction_Software Script - Admin Login Bypass
Auction_Software Script - Admin Authentication Bypass

BSI Hotel Booking System Admin 1.4/2.0 - Login Bypass
BSI Hotel Booking System Admin 1.4/2.0 - Authentication Bypass

DeluxeBB 1.3 - Private Info Disclosure
DeluxeBB 1.3 - Private Information Disclosure

Qcodo Development Framework 0.3.3 - Full Info Disclosure
Qcodo Development Framework 0.3.3 - Full Information Disclosure

CosmoQuest - Login Bypass
CosmoQuest - Authentication Bypass

PHProjekt 2.x/3.x - Login Bypass
PHProjekt 2.x/3.x - Authentication Bypass

MapInfo Discovery 1.0/1.1 - Administrative Login Bypass
MapInfo Discovery 1.0/1.1 - Administrative Authentication Bypass

Keyvan1 ImageGallery - Database Download
Keyvan1 ImageGallery - Database Disclosure

Simple File Manager 024 - Login Bypass
Simple File Manager 024 - Authentication Bypass

Adobe ColdFusion 9 - Administrative Login Bypass
Adobe ColdFusion 9 - Administrative Authentication Bypass

RASPcalendar 1.01 - [ASP] Admin Login
RASPcalendar 1.01 (ASP) - Admin Login

Zend-Framework - Full Info Disclosure
Zend-Framework - Full Information Disclosure

Simple E-document 1.31 - Login Bypass
Simple E-document 1.31 - Authentication Bypass

ZYXEL P-660HN-T1A Router - Login Bypass
ZYXEL P-660HN-T1A Router - Authentication Bypass

agXchange ESM - 'ucschcancelproc.jsp' Open redirection
agXchange ESM - 'ucschcancelproc.jsp' Open Redirection

ESRI ArcGIS for Server - 'where' Form Field SQL Injection
ESRI ArcGIS for Server - 'where' Form SQL Injection

ZTE ZXHN H108N Router - Unauthenticated Config Download
ZTE ZXHN H108N Router - Unauthenticated Config Disclosure
FS Car Rental Script - 'pickup_location' SQL Injection
FS Amazon Clone - 'category_id' SQL Injection
FS Book Store Script - 'category' SQL Injection
FS Ebay Clone - 'pd_maincat_id' SQL Injection
FS Food Delivery Script - 'keywords' SQL Injection
FS Expedia Clone - 'hid' SQL Injection
FS Freelancer Clone - 'sk' SQL Injection
FS Groupon Clone - 'category' SQL Injection
FS Indiamart Clone - 'keywords' SQL Injection
FS Lynda Clone - 'category' SQL Injection
FS OLX Clone - 'catg_id' SQL Injection
2017-10-25 05:01:35 +00:00
platforms DB: 2017-10-25 2017-10-25 05:01:35 +00:00
files.csv DB: 2017-10-25 2017-10-25 05:01:35 +00:00
README.md Fix #104: Add --json support for --id & --www 2017-10-23 11:41:09 +01:00
searchsploit Fix #104: Add --json support for --id & --www 2017-10-23 11:41:09 +01:00

The Exploit Database Git Repository

This is the official repository of The Exploit Database, a project sponsored by Offensive Security.

The Exploit Database is an archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. Its aim is to serve as the most comprehensive collection of exploits gathered through direct submissions, mailing lists, and other public sources, and present them in a freely-available and easy-to-navigate database. The Exploit Database is a repository for exploits and proof-of-concepts rather than advisories, making it a valuable resource for those who need actionable data right away.

This repository is updated daily with the most recently added submissions. Any additional resources can be found in our binary sploits repository.

Included with this repository is the searchsploit utility, which will allow you to search through the exploits using one or more terms. For more information, please see the SearchSploit manual.

root@kali:~# searchsploit -h
  Usage: searchsploit [options] term1 [term2] ... [termN]

==========
 Examples
==========
  searchsploit afd windows local
  searchsploit -t oracle windows
  searchsploit -p 39446
  searchsploit linux kernel 3.2 --exclude="(PoC)|/dos/"

  For more examples, see the manual: https://www.exploit-db.com/searchsploit/

=========
 Options
=========
   -c, --case     [Term]      Perform a case-sensitive search (Default is inSEnsITiVe).
   -e, --exact    [Term]      Perform an EXACT match on exploit title (Default is AND) [Implies "-t"].
   -h, --help                 Show this help screen.
   -j, --json     [Term]      Show result in JSON format.
   -m, --mirror   [EDB-ID]    Mirror (aka copies) an exploit to the current working directory.
   -o, --overflow [Term]      Exploit titles are allowed to overflow their columns.
   -p, --path     [EDB-ID]    Show the full path to an exploit (and also copies the path to the clipboard if possible).
   -t, --title    [Term]      Search JUST the exploit title (Default is title AND the file's path).
   -u, --update               Check for and install any exploitdb package updates (deb or git).
   -w, --www      [Term]      Show URLs to Exploit-DB.com rather than the local path.
   -x, --examine  [EDB-ID]    Examine (aka opens) the exploit using $PAGER.
       --colour               Disable colour highlighting in search results.
       --id                   Display the EDB-ID value rather than local path.
       --nmap     [file.xml]  Checks all results in Nmap's XML output with service version (e.g.: nmap -sV -oX file.xml).
                                Use "-v" (verbose) to try even more combinations
       --exclude="term"       Remove values from results. By using "|" to separated you can chain multiple values.
                                e.g. --exclude="term1|term2|term3".

=======
 Notes
=======
 * You can use any number of search terms.
 * Search terms are not case-sensitive (by default), and ordering is irrelevant.
   * Use '-c' if you wish to reduce results by case-sensitive searching.
   * And/Or '-e' if you wish to filter results by using an exact match.
 * Use '-t' to exclude the file's path to filter the search results.
   * Remove false positives (especially when searching using numbers - i.e. versions).
 * When updating or displaying help, search terms will be ignored.

root@kali:~#
root@kali:~# searchsploit afd windows local
---------------------------------------------------------------------------------------- -----------------------------------
 Exploit Title                                                                          |  Path
                                                                                        | (/usr/share/exploitdb/platforms/)
---------------------------------------------------------------------------------------- -----------------------------------
Microsoft Windows (x86) - 'afd.sys' Privilege Escalation (MS11-046)                     | win_x86/local/40564.c
Microsoft Windows - 'AfdJoinLeaf' Privilege Escalation (MS11-080) (Metasploit)          | windows/local/21844.rb
Microsoft Windows - 'afd.sys' Local Kernel Exploit (PoC) (MS11-046)                     | windows/dos/18755.c
Microsoft Windows 7 (x64) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040)  | win_x86-64/local/39525.py
Microsoft Windows 7 (x86) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040)  | win_x86/local/39446.py
Microsoft Windows XP - 'afd.sys' Local Kernel Denial of Service                         | windows/dos/17133.c
Microsoft Windows XP/2003 - 'afd.sys' Privilege Escalation (K-plugin) (MS08-066)        | windows/local/6757.txt
Microsoft Windows XP/2003 - 'afd.sys' Privilege Escalation (MS11-080)                   | windows/local/18176.py
---------------------------------------------------------------------------------------- -----------------------------------
root@kali:~#
root@kali:~# searchsploit -p 39446
Exploit: Microsoft Windows 7 (x86) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040)
    URL: https://www.exploit-db.com/exploits/39446/
   Path: /usr/share/exploitdb/platforms/win_x86/local/39446.py

Copied EDB-ID 39446's path to the clipboard.

root@kali:~#
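The help text and notes above describe the search rules compactly: every term must match (AND), terms are matched against the title and the file path unless `-t` restricts the search to the title, matching is case-insensitive unless `-c` is given, and `--exclude` drops results matching a `|`-separated list of patterns. The following is an added illustration written for this page; it is not the searchsploit script and contains no code from the exploitdb repository. It assumes the `files.csv` layout `id,file,description,date,author,platform,type,port` (an assumption about the index format, to be checked against the repository's own `files.csv`), treats the `--exclude` argument as an extended regular expression (which is how the README's `--exclude="(PoC)|/dos/"` example reads), and uses a sample index constructed from the titles and paths shown in the README's `searchsploit afd windows local` output, with placeholder values in the remaining columns.

```python
"""Minimal re-implementation of searchsploit's term matching over files.csv.

Added example for this page, not the searchsploit script. The files.csv
column layout below is an assumption; verify it against the repository.
"""
import csv
import io
import re

# Constructed sample index. Titles, EDB-IDs and paths are the ones shown in
# the README output; date and author are placeholders, not real values.
SAMPLE_FILES_CSV = """\
id,file,description,date,author,platform,type,port
40564,platforms/win_x86/local/40564.c,Microsoft Windows (x86) - 'afd.sys' Privilege Escalation (MS11-046),PLACEHOLDER,PLACEHOLDER,win_x86,local,0
21844,platforms/windows/local/21844.rb,Microsoft Windows - 'AfdJoinLeaf' Privilege Escalation (MS11-080) (Metasploit),PLACEHOLDER,PLACEHOLDER,windows,local,0
18755,platforms/windows/dos/18755.c,Microsoft Windows - 'afd.sys' Local Kernel Exploit (PoC) (MS11-046),PLACEHOLDER,PLACEHOLDER,windows,dos,0
39525,platforms/win_x86-64/local/39525.py,Microsoft Windows 7 (x64) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040),PLACEHOLDER,PLACEHOLDER,win_x86-64,local,0
39446,platforms/win_x86/local/39446.py,Microsoft Windows 7 (x86) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040),PLACEHOLDER,PLACEHOLDER,win_x86,local,0
17133,platforms/windows/dos/17133.c,Microsoft Windows XP - 'afd.sys' Local Kernel Denial of Service,PLACEHOLDER,PLACEHOLDER,windows,dos,0
"""


def load_index(csv_text):
    """Parse files.csv text into a list of {'id', 'path', 'title'} dicts."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [{"id": row["id"], "path": row["file"], "title": row["description"]}
            for row in reader]


def _contains(haystack, needle, case_sensitive):
    """Plain substring test, case-folded unless -c semantics are requested."""
    if case_sensitive:
        return needle in haystack
    return needle.lower() in haystack.lower()


def search(entries, terms, case_sensitive=False, title_only=False, exclude=None):
    """Return entries matching every term, in index order.

    case_sensitive mirrors -c, title_only mirrors -t (search the title but
    not the path), and exclude mirrors --exclude, interpreted here as an
    extended regular expression so that 'a|b' removes either pattern.
    """
    flags = 0 if case_sensitive else re.IGNORECASE
    exclude_re = re.compile(exclude, flags) if exclude else None
    results = []
    for entry in entries:
        # Default search space is title AND path; -t narrows it to the title.
        haystack = entry["title"] if title_only else entry["title"] + " " + entry["path"]
        # Every term must be present (AND); term order does not matter.
        if not all(_contains(haystack, term, case_sensitive) for term in terms):
            continue
        if exclude_re is not None and exclude_re.search(haystack):
            continue
        results.append(entry)
    return results


def edb_url(entry):
    """Exploit-DB URL for an entry, as shown by -p / -w."""
    return "https://www.exploit-db.com/exploits/%s/" % entry["id"]


def format_table(results, base="/usr/share/exploitdb/"):
    """Render results as 'title | path' rows, in the spirit of the CLI output."""
    width = max((len(r["title"]) for r in results), default=0)
    return "\n".join("%-*s | %s%s" % (width, r["title"], base, r["path"]) for r in results)


if __name__ == "__main__":
    index = load_index(SAMPLE_FILES_CSV)
    # Equivalent of: searchsploit afd windows local --exclude="(PoC)|/dos/"
    hits = search(index, ["afd", "windows", "local"], exclude="(PoC)|/dos/")
    print(format_table(hits))
    # Equivalent of: searchsploit -t afd x86  (drops the win_x86-64 path hit)
    print([e["id"] for e in search(index, ["afd", "x86"], title_only=True)])
```

The `afd x86` query shows the false-positive point from the notes: without `-t`, the `win_x86-64` directory name matches the term `x86` even though the title says `(x64)`, and restricting the search to the title removes that hit.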

SearchSploit requires either "CoreUtils" or "utilities" (e.g. bash, sed, grep, awk, etc.) for the core features to work. The self-updating function requires git, and the Nmap XML option requires xmllint (found in the libxml2-utils package on Debian-based systems).