A mirror of the Gitlab repo: https://gitlab.com/exploit-database/exploitdb
Offensive Security ed107bc711 DB: 2017-07-12
9 new exploits

Apache 2.0.52 - HTTP GET request Denial of Service
Apache 2.0.52 - GET Request Denial of Service
Microsoft IIS - Malformed HTTP Request Denial of Service (1)
Microsoft IIS - Malformed HTTP Request Denial of Service (2)
Microsoft IIS - HTTP Request Denial of Service (1)
Microsoft IIS - HTTP Request Denial of Service (2)

Microsoft IIS - Malformed HTTP Request Denial of Service
Microsoft IIS - HTTP Request Denial of Service

Adobe Acrobat Reader 8.1.2 - Malformed '.PDF' Remote Denial of Service (PoC)
Adobe Acrobat Reader 8.1.2 - '.PDF' Remote Denial of Service (PoC)

Allegro RomPager 2.10 - Malformed URL Request Denial of Service
Allegro RomPager 2.10 - URL Request Denial of Service

AVM KEN! 1.3.10/1.4.30 - Malformed Request Remote Denial of Service
AVM KEN! 1.3.10/1.4.30 - Remote Denial of Service

Netwin SurgeFTP 1.0b - Malformed Request Denial of Service
Netwin SurgeFTP 1.0b - Denial of Service

iCal 3.7 - Malformed HTTP Request Denial of Service
iCal 3.7 - HTTP Request Denial of Service

3ware Disk Managment 1.10 - Malformed HTTP Request Denial of Service
3ware Disk Managment 1.10 - HTTP Request Denial of Service

Pi3Web 2.0.1 - Malformed GET Request Denial of Service
Pi3Web 2.0.1 - GET Request Denial of Service

Loom Software SurfNow 1.x/2.x - Remote HTTP GET Request Denial of Service
Loom Software SurfNow 1.x/2.x - Remote GET Request Denial of Service

Linksys PSUS4 PrintServer - Malformed HTTP POST Request Denial of Service
Linksys PSUS4 PrintServer - POST Request Denial of Service

Multiple IEA Software Products - HTTP POST Request Denial of Service
Multiple IEA Software Products - POST Request Denial of Service

Linksys WRH54G 1.1.3 Wireless-G Router - Malformed HTTP Request Denial of Service
Linksys WRH54G 1.1.3 Wireless-G Router - HTTP Request Denial of Service

Geo++ GNCASTER 1.4.0.7 - HTTP GET Request Denial of Service
Geo++ GNCASTER 1.4.0.7 - GET Request Denial of Service

D-Link WBR-2310 1.0.4 - HTTP GET Request Remote Buffer Overflow
D-Link WBR-2310 1.0.4 - GET Request Remote Buffer Overflow

Pelco VideoXpert 1.12.105 - Privilege Escalation

Apache Tomcat 3.2.3/3.2.4 - 'Source.jsp' Malformed Request Information Disclosure
Apache Tomcat 3.2.3/3.2.4 - 'Source.jsp' Information Disclosure

Apache Tomcat 3.2.3/3.2.4 - 'RealPath.jsp' Malformed Request Information Disclosure
Apache Tomcat 3.2.3/3.2.4 - 'RealPath.jsp' Information Disclosuree

PlanetDNS PlanetWeb 1.14 - Malformed Request Remote Buffer Overflow
PlanetDNS PlanetWeb 1.14 - Remote Buffer Overflow

AN HTTPD 1.38/1.39/1.40/1.41 - Malformed SOCKS4 Request Buffer Overflow
AN HTTPD 1.38/1.39/1.40/1.41 - SOCKS4 Request Buffer Overflow

Omnicron OmniHTTPd 2.x/3.0 - Get Request Buffer Overflow
Omnicron OmniHTTPd 2.x/3.0 - GET Request Buffer Overflow

JBoss 3.x/4.0.2 - Malformed HTTP Request Remote Information Disclosure
JBoss 3.x/4.0.2 - HTTP Request Remote Information Disclosure
Easy File Sharing Web Server 7.2 - GET HTTP Request Buffer Overflow (SEH)
Easy File Sharing Web Server 7.2 - HEAD HTTP Request Buffer Overflow (SEH)
Easy File Sharing Web Server 7.2 - GET Request Buffer Overflow (SEH)
Easy File Sharing Web Server 7.2 - HEAD Request Buffer Overflow (SEH)

Easy File Sharing Web Server 7.2 - GET HTTP Request 'PassWD' Buffer Overflow (SEH)
Easy File Sharing Web Server 7.2 - GET Request 'PassWD' Buffer Overflow (SEH)

Microsoft Windows Windows 8/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)
Microsoft Windows Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)
Easy File Sharing Web Server 7.2 - GET HTTP Request 'PassWD' Buffer Overflow (DEP Bypass)
NfSen <= 1.3.7 / AlienVault OSSIM 5.3.4 - Command Injection
Easy File Sharing Web Server 7.2 - GET Request 'PassWD' Buffer Overflow (DEP Bypass)
Microsoft Windows Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)

(Generator) - HTTP/1.x requests Shellcode (18+ bytes / 26+ bytes)
(Generator) - HTTP/1.x Requests Shellcode (18+ bytes / 26+ bytes)

Linux/x86-64 - flush iptables rules Shellcode (84 bytes)
Linux/x86-64 - Flush IPTables Rules Shellcode (84 bytes)

Linux/x86 - Self-modifying for IDS evasion Shellcode (64 bytes)
Linux/x86 - Self-Modifying Anti-IDS Shellcode (64 bytes)

Linux/x86 - Bind 8000/TCP + Add User with Root Access Shellcode (225+ bytes)
Linux/x86 - Bind 8000/TCP + Add Root User Shellcode (225+ bytes)
Linux/x86 - File unlinker Shellcode (18+ bytes)
Linux/x86 - Perl script execution Shellcode (99+ bytes)
Linux/x86 - file reader Shellcode (65+ bytes)
Linux/x86 - File Unlinker Shellcode (18+ bytes)
Linux/x86 - Perl Script Execution Shellcode (99+ bytes)
Linux/x86 - File Reader Shellcode (65+ bytes)

Linux/x86 - Add Root User 'r00t' Without Password To /etc/passwd Shellcode (69 bytes)
Linux/x86 - Add Root User (r00t) To /etc/passwd Shellcode (69 bytes)

Linux/x86 - execve /bin/sh anti-ids Shellcode (40 bytes)
Linux/x86 - execve /bin/sh Anti-IDS Shellcode (40 bytes)

Linux/x86 - Add User 'xtz' without Password to /etc/passwd Shellcode (59 bytes)
Linux/x86 - Add User (xtz) To /etc/passwd Shellcode (59 bytes)

Linux/x86 - 24/7 open cd-rom loop (follows /dev/cdrom symlink) Shellcode (39 bytes)
Linux/x86 -  Open CD-Rom Loop 24/7 (Follows /dev/cdrom Symlink) Shellcode (39 bytes)
Linux/x86 - Radically Self Modifying Code Shellcode (70 bytes)
Linux/x86 - Magic Byte Self Modifying Code Shellcode (76 bytes)
Linux/x86 - Radically Self-Modifying Shellcode (70 bytes)
Linux/x86 - Magic Byte Self-Modifying Shellcode (76 bytes)
Linux/x86 - Add User 't00r' encrypt Shellcode (116 bytes)
Linux/x86 - chmod 666 shadow ENCRYPT Shellcode (75 bytes)
Linux/x86 - Add User (t00r) Anti-IDS Shellcode (116 bytes)
Linux/x86 - chmod 666 /etc/shadow Anti-IDS Shellcode (75 bytes)

Linux/x86 - Add User 't00r' Shellcode (82 bytes)
Linux/x86 - Add User (t00r) Shellcode (82 bytes)
Linux/x86 - execve /bin/sh encrypted Shellcode (58 bytes)
Linux/x86 - execve /bin/sh xor encrypted Shellcode (55 bytes)
Linux/x86 - execve /bin/sh Anti-IDS Shellcode (58 bytes)
Linux/x86 - execve /bin/sh (XOR Encoded) Shellcode (55 bytes)

Linux/x86 - Add User 'z' Shellcode (70 bytes)
Linux/x86 - Add User (z) Shellcode (70 bytes)
Linux/x86 - hard / unclean reboot Shellcode (29 bytes)
Linux/x86 - hard / unclean reboot Shellcode (33 bytes)
Linux/x86 - Hard / Unclean Reboot Shellcode (29 bytes)
Linux/x86 - Hard / Unclean Reboot Shellcode (33 bytes)

Linux - Drop suid shell root in /tmp/.hiddenshell Polymorphic Shellcode (161 bytes)
Linux - Drop SUID Root Shell (/tmp/.hiddenshell) Polymorphic Shellcode (161 bytes)

Linux - _nc -lp 31337 -e /bin//sh_ Polymorphic Shellcode (91 bytes)
Linux - Bind Shell (nc -lp 31337 -e /bin//sh) Polymorphic Shellcode (91 bytes)

Linux - Find all writeable folder in filesystem polymorphic Shellcode (91 bytes)
Linux - Find All Writeable Folder In FileSystem Polymorphic Shellcode (91 bytes)
Linux/x86 - setuid(0) + setgid(0) + add user 'iph' Without Password to /etc/passwd Polymorphic Shellcode
Linux/x86 - Search For php/html Writable Files and Add Your Code Shellcode (380+ bytes)
Linux/x86 - setuid(0) + setgid(0) + Add User (iph) To /etc/passwd Polymorphic Shellcode
Linux/x86 - Search For PHP/HTML Writable Files and Add Your Code Shellcode (380+ bytes)

Linux/x86 - Remote Port Forwarding Shellcode (87 bytes)
Linux/x86 - Remote Port Forwarding (ssh -R 9999:localhost:22 192.168.0.226) Shellcode (87 bytes)

Linux/x86 - Reverse TCP Bind 192.168.1.10:31337 Shellcode (92 bytes)
Linux/x86 - Reverse TCP (192.168.1.10:31337) Shellcode (92 bytes)

Linux/x86 - Add map in /etc/hosts file (google.com 127.1.1.1) Shellcode (77 bytes)
Linux/x86 - Add Map (google.com 127.1.1.1) In /etc/hosts Shellcode (77 bytes)

Linux/x86 - Add Map google.com to 127.1.1.1 Obfuscated Shellcode (98 bytes)
Linux/x86 - Add Map (google.com 127.1.1.1) In /etc/hosts Obfuscated Shellcode (98 bytes)

Linux/x86 - /bin/sh ROT7 Encoded Shellcode
Linux/x86 - /bin/sh (ROT7 Encoded) Shellcode

Linux/x86 - /bin/sh ROL/ROR Encoded Shellcode
Linux/x86 - /bin/sh (ROL/ROR Encoded) Shellcode

Linux x86/x86-64 - tcp_bind Port 4444 Shellcode (251 bytes)
Linux x86/x86-64 - Bind 4444/TCP Shellcode (251 bytes)

Linux/x86-64 - Bind NetCat Shellcode (64 bytes)
Linux/x86-64 - Bind Netcat Shellcode (64 bytes)

Linux/x86 - Reverse zsh 9090/TCP Shellcode (80 bytes)
Linux/x86 - Reverse ZSH 127.255.255.254:9090/TCP Shellcode (80 bytes)
Linux - Multi/Dual mode execve(_/bin/sh__ NULL_ 0) Shellcode (37 bytes)
Linux - Multi/Dual mode Reverse Shell Shellcode (129 bytes)
Linux - execve(_/bin/sh__ NULL_ 0) Multi/Dual Mode Shellcode (37 bytes)
Linux - Reverse Shell Multi/Dual Mode Shellcode (Genearator) (129 bytes)

Linux - Dual/Multi mode Bind Shell Shellcode (156 bytes)
Linux - Bind Shell Dual/Multi Mode Shellcode (156 bytes)
Linux/x86-64 - Reverse NetCat Shellcode (72 bytes)
Linux/x86-64 - Reverse NetCat Polymorphic Shellcode (106 bytes)
Linux/x86-64 - Reverse Netcat Shellcode (72 bytes)
Linux/x86-64 - Reverse Netcat Polymorphic Shellcode (106 bytes)

Simple Machines Forum (SMF) 1.1.6 - HTTP POST Request Filter Security Bypass
Simple Machines Forum (SMF) 1.1.6 - POST Request Filter Security Bypass
NfSen < 1.3.7 / AlienVault OSSIM 5.3.4 - Command Injection
Pelco Sarix/Spectra Cameras - Cross-Site Request Forgery / Cross-Site Scripting
Pelco Sarix/Spectra Cameras - Cross-Site Request Forgery (Enable SSH Root Access)
Pelco Sarix/Spectra Cameras - Remote Code Execution
Pelco VideoXpert 1.12.105 - Directory Traversal
Pelco VideoXpert 1.12.105 - Information Disclosure
NfSen < 1.3.7 / AlienVault OSSIM 4.3.1 - 'customfmt' Command Injection
2017-07-12 05:01:24 +00:00
platforms DB: 2017-07-12 2017-07-12 05:01:24 +00:00
files.csv DB: 2017-07-12 2017-07-12 05:01:24 +00:00
README.md Add "--exclude" to remove values from results 2017-06-14 15:58:54 +01:00
searchsploit Missed one with ed901b5499 2017-06-27 11:41:43 +01:00

The Exploit Database Git Repository

This is the official repository of The Exploit Database, a project sponsored by Offensive Security.

The Exploit Database is an archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. Its aim is to serve as the most comprehensive collection of exploits gathered through direct submissions, mailing lists, and other public sources, and present them in a freely-available and easy-to-navigate database. The Exploit Database is a repository for exploits and proof-of-concepts rather than advisories, making it a valuable resource for those who need actionable data right away.

This repository is updated daily with the most recently added submissions. Any additional resources can be found in our binary sploits repository.

Included with this repository is the searchsploit utility, which will allow you to search through the exploits using one or more terms. For more information, please see the SearchSploit manual.

root@kali:~# searchsploit -h
  Usage: searchsploit [options] term1 [term2] ... [termN]

==========
 Examples
==========
  searchsploit afd windows local
  searchsploit -t oracle windows
  searchsploit -p 39446
  searchsploit linux kernel 3.2 --exclude="(PoC)|/dos/"

  For more examples, see the manual: https://www.exploit-db.com/searchsploit/

=========
 Options
=========
   -c, --case     [Term]      Perform a case-sensitive search (Default is inSEnsITiVe).
   -e, --exact    [Term]      Perform an EXACT match on exploit title (Default is AND) [Implies "-t"].
   -h, --help                 Show this help screen.
   -j, --json     [Term]      Show result in JSON format.
   -m, --mirror   [EDB-ID]    Mirror (aka copies) an exploit to the current working directory.
   -o, --overflow [Term]      Exploit titles are allowed to overflow their columns.
   -p, --path     [EDB-ID]    Show the full path to an exploit (and also copies the path to the clipboard if possible).
   -t, --title    [Term]      Search JUST the exploit title (Default is title AND the file's path).
   -u, --update               Check for and install any exploitdb package updates (deb or git).
   -w, --www      [Term]      Show URLs to Exploit-DB.com rather than the local path.
   -x, --examine  [EDB-ID]    Examine (aka opens) the exploit using $PAGER.
       --colour               Disable colour highlighting in search results.
       --id                   Display the EDB-ID value rather than local path.
       --nmap     [file.xml]  Checks all results in Nmap's XML output with service version (e.g.: nmap -sV -oX file.xml).
                                Use "-v" (verbose) to try even more combinations
       --exclude="term"       Remove values from results. By using "|" to separated you can chain multiple values.
                                e.g. --exclude="term1|term2|term3".

=======
 Notes
=======
 * You can use any number of search terms.
 * Search terms are not case-sensitive (by default), and ordering is irrelevant.
   * Use '-c' if you wish to reduce results by case-sensitive searching.
   * And/Or '-e' if you wish to filter results by using an exact match.
 * Use '-t' to exclude the file's path to filter the search results.
   * Remove false positives (especially when searching using numbers - i.e. versions).
 * When updating or displaying help, search terms will be ignored.

root@kali:~#
root@kali:~# searchsploit afd windows local
---------------------------------------------------------------------------------------- -----------------------------------
 Exploit Title                                                                          |  Path
                                                                                        | (/usr/share/exploitdb/platforms/)
---------------------------------------------------------------------------------------- -----------------------------------
Microsoft Windows XP - 'afd.sys' Local Kernel Denial of Service                         | windows/dos/17133.c
Microsoft Windows - 'afd.sys' Local Kernel Exploit (PoC) (MS11-046)                     | windows/dos/18755.c
Microsoft Windows XP/2003 - 'afd.sys' Privilege Escalation (K-plugin) (MS08-066)        | windows/local/6757.txt
Microsoft Windows XP/2003 - 'afd.sys' Privilege Escalation (MS11-080)                   | windows/local/18176.py
Microsoft Windows - 'AfdJoinLeaf' Privilege Escalation (MS11-080) (Metasploit)          | windows/local/21844.rb
Microsoft Windows 7 (x86) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040)  | win_x86/local/39446.py
Microsoft Windows 7 (x64) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040)  | win_x86-64/local/39525.py
Microsoft Windows (x86) - 'afd.sys' Privilege Escalation (MS11-046)                     | win_x86/local/40564.c
---------------------------------------------------------------------------------------- -----------------------------------
root@kali:~#
root@kali:~# searchsploit -p 39446
Exploit: Microsoft Windows 7 (x86) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040)
    URL: https://www.exploit-db.com/exploits/39446/
   Path: /usr/share/exploitdb/platforms/win_x86/local/39446.py

Copied EDB-ID 39446's path to the clipboard.

root@kali:~#

SearchSploit requires either "CoreUtils" or "utilities" (e.g. bash, sed, grep, awk, etc.) for the core features to work. The self-updating function requires git, and the Nmap XML option requires xmllint (found in the libxml2-utils package on Debian-based systems).
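The matching rules spelled out in the help text and Notes above (every term must match, case-insensitive by default, `-t` restricts the search to the title, `-e` requires an exact phrase and implies `-t`, `--exclude` takes `|`-separated patterns, and `--nmap` derives search terms from service-version output) are easy to misread when a search returns too much or too little, so here they are as an added Python example. This is not code from this repository or from the searchsploit script itself. It assumes the files.csv column layout `id,file,description,date,author,platform,type,port`; the CSV rows and the Nmap XML are constructed samples (the afd titles and paths reuse the README's own example output, while the Apache row's id and path, and all dates and authors, are placeholders). Treating `--exclude` as a case-insensitive extended regex, and building Nmap terms from the first word of `product` plus `version`, are both assumptions that approximate rather than reproduce the script's behaviour.

```python
import csv
import io
import re
import xml.etree.ElementTree as ET

# Constructed sample in the column layout assumed for an old exploitdb
# files.csv (id,file,description,date,author,platform,type,port). The afd
# titles and paths come from the README's searchsploit output; the Apache
# row's id/path and every date/author are placeholders.
SAMPLE_CSV = """id,file,description,date,author,platform,type,port
17133,platforms/windows/dos/17133.c,Microsoft Windows XP - 'afd.sys' Local Kernel Denial of Service,2000-01-01,constructed,windows,dos,0
18755,platforms/windows/dos/18755.c,Microsoft Windows - 'afd.sys' Local Kernel Exploit (PoC) (MS11-046),2000-01-01,constructed,windows,dos,0
6757,platforms/windows/local/6757.txt,Microsoft Windows XP/2003 - 'afd.sys' Privilege Escalation (K-plugin) (MS08-066),2000-01-01,constructed,windows,local,0
18176,platforms/windows/local/18176.py,Microsoft Windows XP/2003 - 'afd.sys' Privilege Escalation (MS11-080),2000-01-01,constructed,windows,local,0
39446,platforms/win_x86/local/39446.py,Microsoft Windows 7 (x86) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040),2000-01-01,constructed,win_x86,local,0
1,platforms/multiple/dos/1.txt,Apache 2.0.52 - GET Request Denial of Service,2000-01-01,constructed,multiple,dos,80
"""

# Constructed, heavily trimmed "nmap -sV -oX" output: only the elements
# and attributes the lookup below reads are present.
SAMPLE_NMAP_XML = """<nmaprun>
  <host>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.0.52"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def load_rows(csv_text):
    """Parse files.csv text into dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def row_matches(row, terms, title_only=False, case_sensitive=False, exact=False):
    """Documented rules: all terms must be present (AND); title AND path are
    searched unless -t; -e needs the terms as one ordered phrase in the title
    and implies -t; comparison is case-insensitive unless -c."""
    haystack = row["description"]
    if not (title_only or exact):
        haystack += " " + row["file"]
    if not case_sensitive:
        haystack = haystack.lower()
        terms = [t.lower() for t in terms]
    if exact:
        return " ".join(terms) in haystack
    return all(t in haystack for t in terms)


def search(csv_text, terms, title_only=False, case_sensitive=False,
           exact=False, exclude=None):
    """Return (id, title, path) tuples. `exclude` is applied as a
    case-insensitive regex alternation such as "(PoC)|/dos/" over title +
    path (an assumption about --exclude, not the script's own logic)."""
    hits = [r for r in load_rows(csv_text)
            if row_matches(r, terms, title_only, case_sensitive, exact)]
    if exclude:
        drop = re.compile(exclude, re.IGNORECASE)
        hits = [r for r in hits
                if not drop.search(r["description"] + " " + r["file"])]
    return [(r["id"], r["description"], r["file"]) for r in hits]


def terms_from_nmap(xml_text):
    """Per open port, build [first word of product, version] as search terms.
    This approximates the product/version combinations --nmap tries and is an
    assumption, not the script's logic."""
    results = []
    for port in ET.fromstring(xml_text).iter("port"):
        state, svc = port.find("state"), port.find("service")
        if state is None or state.get("state") != "open" or svc is None:
            continue
        product = svc.get("product", "")
        if not product:
            continue
        terms = [product.split()[0]]
        if svc.get("version"):
            terms.append(svc.get("version"))
        results.append((port.get("portid"), terms))
    return results


def nmap_lookup(csv_text, xml_text, exclude=None):
    """Map each open port to the local exploit rows its service terms hit."""
    return {port: search(csv_text, terms, exclude=exclude)
            for port, terms in terms_from_nmap(xml_text)}


if __name__ == "__main__":
    for hit in search(SAMPLE_CSV, ["afd", "windows", "local"],
                      exclude="(PoC)|/dos/"):
        print(hit)
    for port, hits in nmap_lookup(SAMPLE_CSV, SAMPLE_NMAP_XML).items():
        print(port, [h[1] for h in hits])
```

Running the three afd searches side by side shows why the Notes recommend `-t` for version numbers: with the default title-plus-path search, "local" matches the `windows/local/` directory of entries whose titles never mention it, while `-t` keeps only the two titles that do. The `--nmap` lookup returns an empty list for a service with no matching row rather than failing, which is the behaviour you want when scanning a whole host.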