Searching For Exploits With SearchSploit

Posted by r3kind1e on April 9, 2023

SearchSploit

In certain cases, you may not have access to online exploits and as a result, you must be able to use the exploit sources available locally/offline.

The entire Exploit-db database of exploits comes pre-packaged with Kali Linux, consequently providing you with all exploits locally.

The Exploit-db offline database of exploits can be accessed and queried with a tool called SearchSploit.

Demo: Searching For Exploits With SearchSploit

sudo apt-get update && sudo apt-get install exploitdb -y

Let’s get an understanding of where this local database of exploits is stored.

The directories under it follow the same filters and forms of categorization that we saw when we accessed the ExploitDB website.

ls -al /usr/share/exploitdb
ls -al /usr/share/exploitdb/exploits/windows/remote

All the exploits are sorted by the ExploitDB id.

searchsploit

SearchSploit – The Manual

kali@kali:~$ searchsploit -h
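  Usage: searchsploit [options] term1 [term2] ... [termN]

==========
 Examples 
==========
  searchsploit afd windows local
  searchsploit -t oracle windows
  searchsploit -p 39446
  searchsploit linux kernel 3.2 --exclude="(PoC)|/dos/"
  searchsploit -s Apache Struts 2.0.0
  searchsploit linux reverse password
  searchsploit -j 55555 | jq
  searchsploit --cve 2021-44228

  For more examples, see the manual: https://www.exploit-db.com/searchsploit

=========
 Options 
=========
## Search Terms
   -c, --case     [term]      Perform a case-sensitive search (Default is inSEnsITiVe)
   -e, --exact    [term]      Perform an EXACT & order match on exploit title (Default is an AND match on each term) [Implies "-t"]
                                e.g. "WordPress 4.1" would not be detect "WordPress Core 4.1")
   -s, --strict               Perform a strict search, so input values must exist, disabling fuzzy search for version range
                                e.g. "1.1" would not be detected in "1.0 < 1.3")
   -t, --title    [term]      Search JUST the exploit title (Default is title AND the file's path)
       --exclude="term"       Remove values from results. By using "|" to separate, you can chain multiple values
                                e.g. --exclude="term1|term2|term3"
       --cve      [CVE]       Search for Common Vulnerabilities and Exposures (CVE) value

## Output
   -j, --json     [term]      Show result in JSON format
   -o, --overflow [term]      Exploit titles are allowed to overflow their columns
   -p, --path     [EDB-ID]    Show the full path to an exploit (and also copies the path to the clipboard if possible)
   -v, --verbose              Display more information in output
   -w, --www      [term]      Show URLs to Exploit-DB.com rather than the local path
       --id                   Display the EDB-ID value rather than local path
       --disable-colour       Disable colour highlighting in search results

## Non-Searching
   -m, --mirror   [EDB-ID]    Mirror (aka copies) an exploit to the current working directory
   -x, --examine  [EDB-ID]    Examine (aka opens) the exploit using $PAGER

## Non-Searching
   -h, --help                 Show this help screen
   -u, --update               Check for and install any exploitdb package updates (brew, deb & git)

## Automation
       --nmap     [file.xml]  Checks all results in Nmap's XML output with service version
                                e.g.: nmap [host] -sV -oX file.xml

=======
 Notes 
=======
 * You can use any number of search terms
 * By default, search terms are not case-sensitive, ordering is irrelevant, and will search between version ranges
   * Use '-c' if you wish to reduce results by case-sensitive searching
   * And/Or '-e' if you wish to filter results by using an exact match
   * And/Or '-s' if you wish to look for an exact version match
 * Use '-t' to exclude the file's path to filter the search results
   * Remove false positives (especially when searching using numbers - i.e. versions)
 * When using '--nmap', adding '-v' (verbose), it will search for even more combinations
 * When updating or displaying help, search terms will be ignored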

Update the ExploitDB package.

searchsploit -u

searchsploit vsftpd
searchsploit vsftpd 2.3.4

To copy an exploit that you’ve identified into your current working directory, use the -m option with its EDB-ID:

pwd
searchsploit -m 49757
ls -al
vim 49757.py

Perform a case-sensitive search.

-c: case sensitive.

searchsploit -c OpenSSH
searchsploit -c openssh
searchsploit openssh

The title search searches for the keyword that you specify within the title of the exploit.

-t: Search for the keyword within the title of all the exploits.

searchsploit -t vsftpd

This ensures that the keyword you are querying is matched only within the title, as opposed to any other parameter associated with a particular exploit or its code.

searchsploit -t Buffer Overflow

The exact search option.

An example of this would be searching for the exact service banner obtained during the banner grabbing phase of a penetration test.

-e: exact matches.

searchsploit -e "Windows XP"

grep -e: match a pattern.

searchsploit -e "Windows XP" | grep -e "Microsoft"

searchsploit -e "OpenSSH 7.2p2"
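
The difference between the default search, -c, -t, -e and --exclude can be seen in a small model. This is an added example, not searchsploit's own code or part of the original post: the search() function and its parameter names are hypothetical, the rows are a constructed sample copied from the search output on this page, and the version-range matching that -s disables is not modelled.

```python
import re

# Constructed sample: (title, path) pairs copied from the search output on this page.
ROWS = [
    ("vsftpd 2.0.5 - 'CWD' (Authenticated) Remote Memory Consumption", "linux/dos/5814.pl"),
    ("vsftpd 2.3.2 - Denial of Service", "linux/dos/16270.c"),
    ("vsftpd 2.3.4 - Backdoor Command Execution", "unix/remote/49757.py"),
    ("vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)", "unix/remote/17491.rb"),
    ("glibc-2.2 / openssh-2.3.0p1 / glibc 2.1.9x - File Read", "linux/local/258.sh"),
    ("OpenSSH 7.2 - Denial of Service", "linux/dos/40888.py"),
    ("OpenSSH 7.2p2 - Username Enumeration", "linux/remote/40136.py"),
    ("OpenSSHd 7.2p2 - Username Enumeration", "linux/remote/40113.txt"),
]


def search(terms, rows=ROWS, case=False, title_only=False, exact=False, exclude=None):
    """Return the (title, path) rows that match, in table order.

    Hypothetical parameters, modelled on the options in the help text:
      case       like -c: compare without folding case
      title_only like -t: look at the title only, not the path
      exact      like -e: the terms must appear in the title as one phrase,
                 in the given order (implies title_only)
      exclude    like --exclude: regex; rows whose title or path match are dropped
    With no options, every term must appear somewhere in "title path" (AND match).
    """
    if isinstance(terms, str):
        terms = terms.split()
    fold = (lambda s: s) if case else str.lower
    # -e collapses the terms into a single ordered phrase; otherwise each term
    # is an independent needle and all of them must be found.
    needles = [fold(" ".join(terms))] if exact else [fold(t) for t in terms]
    drop = re.compile(exclude, 0 if case else re.IGNORECASE) if exclude else None

    hits = []
    for title, path in rows:
        haystack = fold(title if (title_only or exact) else f"{title} {path}")
        if not all(n in haystack for n in needles):
            continue
        if drop and drop.search(f"{title} {path}"):
            continue
        hits.append((title, path))
    return hits


if __name__ == "__main__":
    for label, kwargs in [
        ("vsftpd linux", {}),                       # matches through the path column
        ("vsftpd linux", {"title_only": True}),     # -t removes those path matches
        ("openssh", {"case": True}),                # only the lower-case title remains
        ("7.2p2 OpenSSH", {}),                      # order is irrelevant by default
        ("7.2p2 OpenSSH", {"exact": True}),         # -e requires the phrase in order
        ("vsftpd", {"exclude": r"(PoC)|/dos/"}),    # drop DoS entries by path
    ]:
        print(f"{label!r} {kwargs}:")
        for title, path in search(label, **kwargs):
            print(f"    {title} | {path}")
```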

Utilize filters that you typically use on the ExploitDB website.

Filters can be used to fine-tune your results, similar to the ExploitDB website. They allow you to filter based on the following categories: type, platform, and/or port or service. All of the information you provide as search filters is used to search for exploits that have that information within the title.

To search for all exploits that meet certain parameters, for example remote exploits for Windows operating systems that target the SMB service:

searchsploit remote windows smb
searchsploit remote windows buffer
searchsploit remote linux ssh OpenSSH
searchsploit remote linux ssh
searchsploit remote webapps wordpress
searchsploit remote webapps drupal

To look for privilege escalation exploits for Windows:

searchsploit local windows
searchsploit local windows | grep -e "Microsoft"

List the online links for the exploit code. Suppose you want to learn more about the exploit itself and access it through ExploitDB online: how would you get the URL for that particular exploit?

searchsploit remote windows smb | grep -e "EternalBlue"

By default, it displays the local path to the exploit.

If we want to get the links to these exploits online, we can use the -w option.

searchsploit remote windows smb -w | grep -e "EternalBlue"

We get the ExploitDB links.

Copy it manually. The trailing . copies it into the current working directory.

sudo cp /usr/share/exploitdb/exploits/windows/remote/42031.py .
ls
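
The result table (title | path) can also be parsed when you want to sort, count or report on matches instead of reading them with grep. The parser below is an added example, not part of searchsploit or the original post: the function names are hypothetical and the sample is constructed from rows shown on this page, one of them with colour codes added. It derives platform, type, EDB-ID and the exploit-db.com URL from each path, strips colour escape sequences, and skips rows whose path column is truncated.

```python
import re
from collections import Counter

# URL form printed by `searchsploit -m 49757` in the session on this page.
EDB_URL = "https://www.exploit-db.com/exploits/{edb_id}"

# Terminal colour / erase-line escape sequences.
ANSI_RE = re.compile(r"\x1b\[[0-9;]*[A-Za-z]")
# Path column layout seen on this page: <platform>/<type>/<EDB-ID>.<ext>
PATH_RE = re.compile(r"^(?P<platform>[^/\s]+)/(?P<type>[^/\s]+)/(?P<edb_id>\d+)\.\w+$")

# Constructed sample: rows copied from this page's output, one with colour codes added.
SAMPLE = """\
------------------------------------------------------------ ---------------------------------
 Exploit Title                                              |  Path
------------------------------------------------------------ ---------------------------------
vsftpd 2.0.5 - 'CWD' (Authenticated) Remote Memory Consumption | linux/dos/5814.pl
vsftpd 2.3.2 - Denial of Service                            | linux/dos/16270.c
\x1b[01;31m\x1b[Kvsftpd\x1b[m\x1b[K 2.3.4 - Backdoor Command Execution   | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)      | unix/remote/17491.rb
------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
 Paper Title                                                |  Path
Roaming Through the OpenSSH Client: CVE-2016-0777 and CVE-2016-0778 | english/39247-roaming-through-th
"""


def parse_results(text):
    """Parse a searchsploit text table into a list of dicts.

    Lines without a "|" (separators, "Shellcodes: No Results") are ignored.
    Lines whose last column is not platform/type/<id>.<ext> are ignored too:
    that covers the header row and paper rows whose path was cut off.
    """
    rows = []
    for raw in text.splitlines():
        line = ANSI_RE.sub("", raw)
        if "|" not in line:
            continue
        # The path is always the last column, so split on the final "|".
        title, _, path = line.rpartition("|")
        match = PATH_RE.match(path.strip())
        if not match:
            continue
        edb_id = int(match["edb_id"])
        rows.append({
            "title": title.strip(),
            "platform": match["platform"],
            "type": match["type"],
            "edb_id": edb_id,
            "url": EDB_URL.format(edb_id=edb_id),
        })
    return rows


def count_by_type(rows):
    """Number of parsed entries per type directory (dos, local, remote, ...)."""
    return dict(Counter(row["type"] for row in rows))


if __name__ == "__main__":
    parsed = parse_results(SAMPLE)
    for row in parsed:
        print(f'{row["edb_id"]:>6}  {row["platform"]}/{row["type"]:<8} {row["title"]}')
        print(f'        {row["url"]}')
    print(count_by_type(parsed))
```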

Reproducing the video content

┌──(root㉿kali)-[~]
└─# ls -al /usr/share/exploitdb 
total 9936
drwxr-xr-x   4 root root    4096 Apr  9 07:06 .
drwxr-xr-x 351 root root   12288 Feb 24 23:42 ..
drwxr-xr-x  64 root root    4096 Apr  9 07:06 exploits
-rw-r--r--   1 root root 9928262 Apr  1 20:16 files_exploits.csv
-rw-r--r--   1 root root  218405 Apr  1 20:16 files_shellcodes.csv
drwxr-xr-x  42 root root    4096 Dec  5 08:38 shellcodes
┌──(root㉿kali)-[~]
└─# ls -al /usr/share/exploitdb/exploits/windows/remote/    
total 27320
drwxr-xr-x 2 root root  401408 Apr  9 07:06 .
drwxr-xr-x 6 root root    4096 Dec  5 08:38 ..
-rw-r--r-- 1 root root    3599 Apr  1 20:16 10007.html
-rw-r--r-- 1 root root     582 Apr  1 20:16 10047.txt
-rw-r--r-- 1 root root    4686 Apr  1 20:16 10053.txt
-rw-r--r-- 1 root root    4083 Apr  1 20:16 10054.txt
-rwxr-xr-x 1 root root    4612 Apr  1 20:16 10056.py
-rw-r--r-- 1 root root    6366 Apr  1 20:16 10070.php
-rw-r--r-- 1 root root    2108 Apr  1 20:16 10079.txt
-rwxr-xr-x 1 root root    5171 Apr  1 20:16 10098.py
-rwxr-xr-x 1 root root    5445 Apr  1 20:16 10099.py
-rw-r--r-- 1 root root   12227 Apr  1 20:16 100.c
┌──(root㉿kali)-[~]
└─# searchsploit         
  Usage: searchsploit [options] term1 [term2] ... [termN]

==========
 Examples 
==========
  searchsploit afd windows local
  searchsploit -t oracle windows
  searchsploit -p 39446
  searchsploit linux kernel 3.2 --exclude="(PoC)|/dos/"
  searchsploit -s Apache Struts 2.0.0
  searchsploit linux reverse password
  searchsploit -j 55555 | jq
  searchsploit --cve 2021-44228

  For more examples, see the manual: https://www.exploit-db.com/searchsploit

=========
 Options 
=========
## Search Terms
   -c, --case     [term]      Perform a case-sensitive search (Default is inSEnsITiVe)
   -e, --exact    [term]      Perform an EXACT & order match on exploit title (Default is an AND match on each term) [Implies "-t"]
                                e.g. "WordPress 4.1" would not be detect "WordPress Core 4.1")
   -s, --strict               Perform a strict search, so input values must exist, disabling fuzzy search for version range
                                e.g. "1.1" would not be detected in "1.0 < 1.3")
   -t, --title    [term]      Search JUST the exploit title (Default is title AND the file's path)
       --exclude="term"       Remove values from results. By using "|" to separate, you can chain multiple values
                                e.g. --exclude="term1|term2|term3"
       --cve      [CVE]       Search for Common Vulnerabilities and Exposures (CVE) value

## Output
   -j, --json     [term]      Show result in JSON format
   -o, --overflow [term]      Exploit titles are allowed to overflow their columns
   -p, --path     [EDB-ID]    Show the full path to an exploit (and also copies the path to the clipboard if possible)
   -v, --verbose              Display more information in output
   -w, --www      [term]      Show URLs to Exploit-DB.com rather than the local path
       --id                   Display the EDB-ID value rather than local path
       --disable-colour       Disable colour highlighting in search results

## Non-Searching
   -m, --mirror   [EDB-ID]    Mirror (aka copies) an exploit to the current working directory
   -x, --examine  [EDB-ID]    Examine (aka opens) the exploit using $PAGER

## Non-Searching
   -h, --help                 Show this help screen
   -u, --update               Check for and install any exploitdb package updates (brew, deb & git)

## Automation
       --nmap     [file.xml]  Checks all results in Nmap's XML output with service version
                                e.g.: nmap [host] -sV -oX file.xml

=======
 Notes 
=======
 * You can use any number of search terms
 * By default, search terms are not case-sensitive, ordering is irrelevant, and will search between version ranges
   * Use '-c' if you wish to reduce results by case-sensitive searching
   * And/Or '-e' if you wish to filter results by using an exact match
   * And/Or '-s' if you wish to look for an exact version match
 * Use '-t' to exclude the file's path to filter the search results
   * Remove false positives (especially when searching using numbers - i.e. versions)
 * When using '--nmap', adding '-v' (verbose), it will search for even more combinations
 * When updating or displaying help, search terms will be ignored
┌──(root㉿kali)-[~]
└─# searchsploit -u      
[i] Updating via apt package management (Expect weekly-ish updates): exploitdb
[*] apt update finished
┌──(root㉿kali)-[~]
└─# searchsploit vsftpd
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                             |  Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
vsftpd 2.0.5 - 'CWD' (Authenticated) Remote Memory Consumption                                                             | linux/dos/5814.pl
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (1)                                                             | windows/dos/31818.sh
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (2)                                                             | windows/dos/31819.pl
vsftpd 2.3.2 - Denial of Service                                                                                           | linux/dos/16270.c
vsftpd 2.3.4 - Backdoor Command Execution                                                                                  | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)                                                                     | unix/remote/17491.rb
vsftpd 3.0.3 - Remote Denial of Service                                                                                    | multiple/remote/49719.py
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
                                                                                                                                                             
┌──(root㉿kali)-[~]
└─# searchsploit vsftpd 2.3.4
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                             |  Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
vsftpd 2.3.4 - Backdoor Command Execution                                                                                  | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)                                                                     | unix/remote/17491.rb
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
┌──(root㉿kali)-[~/tmp]
└─# pwd
/root/tmp
                                                                                                                                                             
┌──(root㉿kali)-[~/tmp]
└─# ls                       
                                                                                                                                                             
┌──(root㉿kali)-[~/tmp]
└─# searchsploit -m 49757    
  Exploit: vsftpd 2.3.4 - Backdoor Command Execution
      URL: https://www.exploit-db.com/exploits/49757
     Path: /usr/share/exploitdb/exploits/unix/remote/49757.py
    Codes: CVE-2011-2523
 Verified: True
File Type: Python script, ASCII text executable
Copied to: /root/tmp/49757.py


                                                                                                                                                             
┌──(root㉿kali)-[~/tmp]
└─# ls
49757.py
                                                                                                                                                             
┌──(root㉿kali)-[~/tmp]
└─# vim 49757.py
┌──(root㉿kali)-[~/tmp]
└─# searchsploit -c OpenSSH
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                             |  Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Debian OpenSSH - (Authenticated) Remote SELinux Privilege Escalation                                                       | linux/remote/6094.txt
Dropbear / OpenSSH Server - 'MAX_UNAUTH_CLIENTS' Denial of Service                                                         | multiple/dos/1572.pl
FreeBSD OpenSSH 3.5p1 - Remote Command Execution                                                                           | freebsd/remote/17462.txt
Novell Netware 6.5 - OpenSSH Remote Stack Overflow                                                                         | novell/dos/14866.txt
OpenSSH 1.2 - '.scp' File Create/Overwrite                                                                                 | linux/remote/20253.sh
OpenSSH 2.3 < 7.7 - Username Enumeration                                                                                   | linux/remote/45233.py
OpenSSH 2.3 < 7.7 - Username Enumeration (PoC)                                                                             | linux/remote/45210.py
OpenSSH 2.x/3.0.1/3.0.2 - Channel Code Off-by-One                                                                          | unix/remote/21314.txt
OpenSSH 2.x/3.x - Kerberos 4 TGT/AFS Token Buffer Overflow                                                                 | linux/remote/21402.txt
OpenSSH 3.x - Challenge-Response Buffer Overflow (1)                                                                       | unix/remote/21578.txt
OpenSSH 3.x - Challenge-Response Buffer Overflow (2)                                                                       | unix/remote/21579.txt
OpenSSH 4.3 p1 - Duplicated Block Remote Denial of Service                                                                 | multiple/dos/2444.sh
OpenSSH 6.8 < 6.9 - 'PTY' Local Privilege Escalation                                                                       | linux/local/41173.c
OpenSSH 7.2 - Denial of Service                                                                                            | linux/dos/40888.py
OpenSSH 7.2p1 - (Authenticated) xauth Command Injection                                                                    | multiple/remote/39569.py
OpenSSH 7.2p2 - Username Enumeration                                                                                       | linux/remote/40136.py
OpenSSH < 6.6 SFTP (x64) - Command Execution                                                                               | linux_x86-64/remote/45000.c
OpenSSH < 6.6 SFTP - Command Execution                                                                                     | linux/remote/45001.py
OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation                       | linux/local/40962.txt
OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading                                                                   | linux/remote/40963.txt
OpenSSH < 7.7 - User Enumeration (2)                                                                                       | linux/remote/45939.py
OpenSSH SCP Client - Write Arbitrary Files                                                                                 | multiple/remote/46516.py
OpenSSH/PAM 3.6.1p1 - 'gossh.sh' Remote Users Ident                                                                        | linux/remote/26.sh
OpenSSH/PAM 3.6.1p1 - Remote Users Discovery Tool                                                                          | linux/remote/25.c
OpenSSHd 7.2p2 - Username Enumeration                                                                                      | linux/remote/40113.txt
Portable OpenSSH 3.6.1p-PAM/4.1-SuSE - Timing Attack                                                                       | multiple/remote/3303.sh
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Paper Title                                                                                                               |  Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Roaming Through the OpenSSH Client: CVE-2016-0777 and CVE-2016-0778                                                        | english/39247-roaming-through-th
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
┌──(root㉿kali)-[~/tmp]
└─# searchsploit -c openssh
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                             |  Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
glibc-2.2 / openssh-2.3.0p1 / glibc 2.1.9x - File Read                                                                     | linux/local/258.sh
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Paper Title                                                                                                               |  Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Roaming Through the OpenSSH Client: CVE-2016-0777 and CVE-2016-0778                                                        | english/39247-roaming-through-th
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------

The default search is case-insensitive.

┌──(root㉿kali)-[~/tmp]
└─# searchsploit openssh   
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                             |  Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Debian OpenSSH - (Authenticated) Remote SELinux Privilege Escalation                                                       | linux/remote/6094.txt
Dropbear / OpenSSH Server - 'MAX_UNAUTH_CLIENTS' Denial of Service                                                         | multiple/dos/1572.pl
FreeBSD OpenSSH 3.5p1 - Remote Command Execution                                                                           | freebsd/remote/17462.txt
glibc-2.2 / openssh-2.3.0p1 / glibc 2.1.9x - File Read                                                                     | linux/local/258.sh
Novell Netware 6.5 - OpenSSH Remote Stack Overflow                                                                         | novell/dos/14866.txt
OpenSSH 1.2 - '.scp' File Create/Overwrite                                                                                 | linux/remote/20253.sh
OpenSSH 2.3 < 7.7 - Username Enumeration                                                                                   | linux/remote/45233.py
OpenSSH 2.3 < 7.7 - Username Enumeration (PoC)                                                                             | linux/remote/45210.py
OpenSSH 2.x/3.0.1/3.0.2 - Channel Code Off-by-One                                                                          | unix/remote/21314.txt
OpenSSH 2.x/3.x - Kerberos 4 TGT/AFS Token Buffer Overflow                                                                 | linux/remote/21402.txt
OpenSSH 3.x - Challenge-Response Buffer Overflow (1)                                                                       | unix/remote/21578.txt
OpenSSH 3.x - Challenge-Response Buffer Overflow (2)                                                                       | unix/remote/21579.txt
OpenSSH 4.3 p1 - Duplicated Block Remote Denial of Service                                                                 | multiple/dos/2444.sh
OpenSSH 6.8 < 6.9 - 'PTY' Local Privilege Escalation                                                                       | linux/local/41173.c
OpenSSH 7.2 - Denial of Service                                                                                            | linux/dos/40888.py
OpenSSH 7.2p1 - (Authenticated) xauth Command Injection                                                                    | multiple/remote/39569.py
OpenSSH 7.2p2 - Username Enumeration                                                                                       | linux/remote/40136.py
OpenSSH < 6.6 SFTP (x64) - Command Execution                                                                               | linux_x86-64/remote/45000.c
OpenSSH < 6.6 SFTP - Command Execution                                                                                     | linux/remote/45001.py
OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation                       | linux/local/40962.txt
OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading                                                                   | linux/remote/40963.txt
OpenSSH < 7.7 - User Enumeration (2)                                                                                       | linux/remote/45939.py
OpenSSH SCP Client - Write Arbitrary Files                                                                                 | multiple/remote/46516.py
OpenSSH/PAM 3.6.1p1 - 'gossh.sh' Remote Users Ident                                                                        | linux/remote/26.sh
OpenSSH/PAM 3.6.1p1 - Remote Users Discovery Tool                                                                          | linux/remote/25.c
OpenSSHd 7.2p2 - Username Enumeration                                                                                      | linux/remote/40113.txt
Portable OpenSSH 3.6.1p-PAM/4.1-SuSE - Timing Attack                                                                       | multiple/remote/3303.sh
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Paper Title                                                                                                               |  Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Roaming Through the OpenSSH Client: CVE-2016-0777 and CVE-2016-0778                                                        | english/39247-roaming-through-th
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
┌──(root㉿kali)-[~/tmp]
└─# searchsploit -t vsftpd 
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                             |  Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
vsftpd 2.0.5 - 'CWD' (Authenticated) Remote Memory Consumption                                                             | linux/dos/5814.pl
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (1)                                                             | windows/dos/31818.sh
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (2)                                                             | windows/dos/31819.pl
vsftpd 2.3.2 - Denial of Service                                                                                           | linux/dos/16270.c
vsftpd 2.3.4 - Backdoor Command Execution                                                                                  | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)                                                                     | unix/remote/17491.rb
vsftpd 3.0.3 - Remote Denial of Service                                                                                    | multiple/remote/49719.py
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
┌──(root㉿kali)-[~/tmp]
└─# searchsploit -t Buffer Overflow
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                             |  Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
(Gabriel's FTP Server) Open & Compact FTPd 1.2 - Buffer Overflow (Metasploit)                                              | windows/remote/11742.rb
010 Editor 3.0.4 - File Parsing Multiple Buffer Overflow Vulnerabilities                                                   | multiple/remote/32945.txt
0verkill 0.16 - Game Client Multiple Local Buffer Overflow Vulnerabilities                                                 | linux/local/23634.c
1 Click Audio Converter 2.3.6 - Activex Local Buffer Overflow                                                              | windows/local/37211.html
1 Click Extract Audio 2.3.6 - Activex Buffer Overflow                                                                      | windows/local/37212.html
10-Strike Bandwidth Monitor 3.7 - Local Buffer Overflow (SEH)                                                              | windows/local/45085.py
10-Strike Bandwidth Monitor 3.7 - Local Buffer Overflow (SEH)                                                              | windows/local/45085.py

┌──(root㉿kali)-[~/tmp]
└─# searchsploit -e "Windows XP"   
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                             |  Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Amaya Web Browser 11 (Windows XP) - bdo tag Remote Stack Overflow                                                          | windows/remote/7988.pl
ASX to MP3 Converter 1.82.50 (Windows XP SP3) - '.asx' Local Stack Overflow                                                | windows/local/38382.py
Audiotran 1.4.1 (Windows XP SP2/SP3 English) - Local Buffer Overflow                                                       | windows/local/11079.rb
CastRipper (Windows XP SP2) - '.m3u' Local Stack Buffer Overflow                                                           | windows/local/10646.c
CastRipper 2.50.70 (Windows XP SP3) - '.pls' Local Stack Buffer Overflow                                                   | windows/local/10628.pl
CDex 1.70b2 (Windows XP SP3) - '.ogg' Local Buffer Overflow                                                                | windows/local/8231.php
Easy RM to MP3 27.3.700 (Windows XP SP2) - Local Buffer Overflow                                                           | windows/local/10619.c
Easy RM to MP3 27.3.700 (Windows XP SP3) - Local Overflow                                                                  | windows/local/10602.pl
┌──(root㉿kali)-[~/tmp]
└─# searchsploit -e "Windows XP" --disable-colour | grep -e "Microsoft"
Microsoft IIS 5.0 (Windows XP/2000/NT 4.0) - WebDAV 'ntdll.dll' Remote Buffer Overflow (1)                                 | windows/remote/22365.pl
Microsoft IIS 5.0 (Windows XP/2000/NT 4.0) - WebDAV 'ntdll.dll' Remote Buffer Overflow (2)                                 | windows/remote/22366.c
Microsoft IIS 5.0 (Windows XP/2000/NT 4.0) - WebDAV 'ntdll.dll' Remote Buffer Overflow (3)                                 | windows/remote/22367.txt
Microsoft IIS 5.0 (Windows XP/2000/NT 4.0) - WebDAV 'ntdll.dll' Remote Buffer Overflow (4)                                 | windows/remote/22368.txt
Microsoft Internet Explorer (Windows XP SP1) - 'VML' Remote Buffer Overflow                                                | windows/remote/2408.pl
Microsoft Internet Explorer (Windows XP SP2) - 'VML' Remote Buffer Overflow                                                | windows/remote/2425.html
Microsoft Internet Explorer (Windows XP SP2) - HTML Help Control Local Zone Bypass                                         | windows/remote/719.txt
┌──(root㉿kali)-[~/tmp]
└─# searchsploit -e "OpenSSH 7.2p2"                                    
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                             |  Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
OpenSSH 7.2p2 - Username Enumeration                                                                                       | linux/remote/40136.py
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
┌──(root㉿kali)-[~/tmp]
└─# searchsploit remote windows smb
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                             |  Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
DOUBLEPULSAR - Payload Execution and Neutralization (Metasploit)                                                           | windows/remote/47456.rb
DOUBLEPULSAR - Payload Execution and Neutralization (Metasploit)                                                           | windows/remote/47456.rb
Microsoft DNS RPC Service - 'extractQuotedChar()' Remote Overflow 'SMB' (MS07-029) (Metasploit)                            | windows/remote/16366.rb
Microsoft Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010)  | windows/remote/43970.rb
Microsoft Windows - 'SMBGhost' Remote Code Execution                                                                       | windows/remote/48537.py
Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)                                                      | windows/remote/40280.py
Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)                               | windows/remote/14674.txt
Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050) (Metasploit)                  | windows/remote/16363.rb
Microsoft Windows - SMB Relay Code Execution (MS08-068) (Metasploit)                                                       | windows/remote/16360.rb
Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit)                                              | windows/dos/41891.rb
Microsoft Windows - SmbRelay3 NTLM Replay (MS08-068)                                                                       | windows/remote/7125.txt
Microsoft Windows 2000/XP - SMB Authentication Remote Overflow                                                             | windows/remote/20.txt
Microsoft Windows 2003 SP2 - 'ERRATICGOPHER' SMB Remote Code Execution                                                     | windows/remote/41929.py
Microsoft Windows 2003 SP2 - 'RRAS' SMB Remote Code Execution                                                              | windows/remote/44616.py
Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)                                           | windows/remote/42031.py
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)                       | windows/remote/42315.py
Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)                                 | windows_x86-64/remote/42030.py
Microsoft Windows 95/Windows for Workgroups - 'smbclient' Directory Traversal                                              | windows/remote/20371.txt
Microsoft Windows NT 4.0 SP5 / Terminal Server 4.0 - 'Pass the Hash' with Modified SMB Client                              | windows/remote/19197.txt
Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)                              | windows_x86-64/remote/41987.py
Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death (MS07-063)                       | windows/dos/9594.txt
VideoLAN VLC Media Player 0.8.6f - 'smb://' URI Handling Remote Buffer Overflow                                            | windows/remote/9303.c
VideoLAN VLC Media Player 0.8.6f - 'smb://' URI Handling Remote Universal Buffer Overflow                                  | windows/remote/9318.py
VideoLAN VLC Media Player 1.0.2 - 'smb://' URI Stack Overflow                                                              | windows/remote/9816.py
VideoLAN VLC Media Player 1.0.3 - 'smb://' URI Handling Remote Stack Overflow (PoC)                                        | windows/dos/10333.py
VideoLAN VLC Media Player < 1.1.4 - '.xspf smb://' URI Handling Remote Stack Overflow (PoC)                                | windows/dos/14892.py
WebExec - (Authenticated) User Code Execution (Metasploit)                                                                 | windows/remote/45695.rb
WebExec - (Authenticated) User Code Execution (Metasploit)                                                                 | windows/remote/45695.rb
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
┌──(root㉿kali)-[~/tmp]
└─# searchsploit remote windows buffer
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                             |  Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
(Gabriel's FTP Server) Open & Compact FTPd 1.2 - Buffer Overflow (Metasploit)                                              | windows/remote/11742.rb
3.3/4.0/4.2 MERCUR MailServer - Control-Service Buffer Overflow                                                            | windows/remote/21626.c
32bit FTP (09.04.24) - 'Banner' Remote Buffer Overflow                                                                     | windows_x86/remote/8614.py
32bit FTP (09.04.24) - 'Banner' Remote Buffer Overflow (PoC)                                                               | windows_x86/dos/8611.pl
32bit FTP (09.04.24) - 'CWD Response' Remote Buffer Overflow                                                               | windows_x86/remote/8613.py
32bit FTP Client - Remote Stack Buffer Overflow (Metasploit)                                                               | windows_x86/remote/16743.rb
3Com 3CDaemon FTP - Unauthorized 'USER' Remote Buffer Overflow                                                             | windows/remote/827.c
3Com TFTP Service (3CTftpSvc) - 'Mode' Remote Buffer Overflow (Metasploit)                                                 | windows/remote/16347.rb
3Com TFTP Service (3CTftpSvc) 2.0.1 - Remote Buffer Overflow (Metasploit)                                                  | windows/remote/3170.pm
3proxy 0.5.3g (Windows x86) - 'logurl()' Remote Buffer Overflow                                                            | windows_x86/remote/4754.pl

┌──(root㉿kali)-[~/tmp]
└─# searchsploit remote linux ssh OpenSSH
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                             |  Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Debian OpenSSH - (Authenticated) Remote SELinux Privilege Escalation                                                       | linux/remote/6094.txt
OpenSSH 1.2 - '.scp' File Create/Overwrite                                                                                 | linux/remote/20253.sh
OpenSSH 2.3 < 7.7 - Username Enumeration                                                                                   | linux/remote/45233.py
OpenSSH 2.3 < 7.7 - Username Enumeration (PoC)                                                                             | linux/remote/45210.py
OpenSSH 2.x/3.x - Kerberos 4 TGT/AFS Token Buffer Overflow                                                                 | linux/remote/21402.txt
OpenSSH 7.2p2 - Username Enumeration                                                                                       | linux/remote/40136.py
OpenSSH < 6.6 SFTP (x64) - Command Execution                                                                               | linux_x86-64/remote/45000.c
OpenSSH < 6.6 SFTP - Command Execution                                                                                     | linux/remote/45001.py
OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading                                                                   | linux/remote/40963.txt
OpenSSH < 7.7 - User Enumeration (2)                                                                                       | linux/remote/45939.py
OpenSSH/PAM 3.6.1p1 - 'gossh.sh' Remote Users Ident                                                                        | linux/remote/26.sh
OpenSSH/PAM 3.6.1p1 - Remote Users Discovery Tool                                                                          | linux/remote/25.c
OpenSSHd 7.2p2 - Username Enumeration                                                                                      | linux/remote/40113.txt
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
┌──(root㉿kali)-[~/tmp]
└─# searchsploit remote linux ssh        
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                             |  Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
(SSH.com Communications) SSH Tectia (SSH < 2.0-6.1.9.95 / Tectia 6.1.9.95) - Remote Authentication Bypass                  | linux/remote/23082.txt
Ceragon FibeAir IP-10 - SSH Private Key Exposure (Metasploit)                                                              | linux/remote/41679.rb
Cisco UCS Director - default scpuser password (Metasploit)                                                                 | unix/remote/47346.rb
Debian OpenSSH - (Authenticated) Remote SELinux Privilege Escalation                                                       | linux/remote/6094.txt
Dropbear SSH 0.34 - Remote Code Execution                                                                                  | linux/remote/387.c
DropBearSSHD 2015.71 - Command Injection                                                                                   | linux/remote/40119.md
ExaGrid - Known SSH Key and Default Password (Metasploit)                                                                  | linux/remote/41680.rb
Fortinet FortiGate 4.x < 5.0.7 - SSH Backdoor Access                                                                       | linux/remote/43386.py
freeSSHd 1.2 - 'SSH2_MSG_NEWKEYS' Remote Denial of Service                                                                 | linux/dos/31218.txt
libSSH - Authentication Bypass                                                                                             | linux/remote/45638.py
LibSSH 0.7.6 / 0.8.4 - Unauthorized Access                                                                                 | linux/remote/46307.py
Mercurial - Custom hg-ssh Wrapper Remote Code Exec (Metasploit)                                                            | python/remote/41942.rb
OpenSSH 1.2 - '.scp' File Create/Overwrite                                                                                 | linux/remote/20253.sh
OpenSSH 2.3 < 7.7 - Username Enumeration                                                                                   | linux/remote/45233.py
OpenSSH 2.3 < 7.7 - Username Enumeration (PoC)                                                                             | linux/remote/45210.py
OpenSSH 2.x/3.x - Kerberos 4 TGT/AFS Token Buffer Overflow                                                                 | linux/remote/21402.txt
OpenSSH 7.2p2 - Username Enumeration                                                                                       | linux/remote/40136.py
OpenSSH < 6.6 SFTP (x64) - Command Execution                                                                               | linux_x86-64/remote/45000.c
OpenSSH < 6.6 SFTP - Command Execution                                                                                     | linux/remote/45001.py
OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading                                                                   | linux/remote/40963.txt
OpenSSH < 7.7 - User Enumeration (2)                                                                                       | linux/remote/45939.py
OpenSSH/PAM 3.6.1p1 - 'gossh.sh' Remote Users Ident                                                                        | linux/remote/26.sh
OpenSSH/PAM 3.6.1p1 - Remote Users Discovery Tool                                                                          | linux/remote/25.c
OpenSSHd 7.2p2 - Username Enumeration                                                                                      | linux/remote/40113.txt
OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Force SSH                                    | linux/remote/5622.txt
OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Force SSH                                    | linux/remote/5720.py
OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Force SSH (Ruby)                             | linux/remote/5632.rb
RSSH 2.x - Arbitrary Command Execution                                                                                     | linux/remote/24795.txt
Symantec Messaging Gateway 9.5/9.5.1 - SSH Default Password Security Bypass (Metasploit)                                   | linux/remote/21136.rb
Trustwave SWG 11.8.0.27 - SSH Unauthorized Access                                                                          | linux/remote/44047.md
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Shellcode Title                                                                                                           |  Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Linux/x86 - Remote Port Forwarding (ssh -R 9999:localhost:22 192.168.0.226) Shellcode (87 bytes)                           | linux_x86/23622.c
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Papers: No Results
┌──(root㉿kali)-[~/tmp]
└─# searchsploit remote webapps wordpress
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                             |  Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Flexpaper PHP Publish Service 2.3.6 - Remote Code Execution                                                                | php/webapps/46528.py
Joomla! Plugin JD-WordPress 2.0 RC2 - Remote File Inclusion                                                                | php/webapps/9890.py
Joomla! Plugin JD-WordPress 2.0-1.0 RC2 - 'wp-comments-post.php' Remote File Inclusion                                     | php/webapps/28295.txt
Joomla! Plugin JD-WordPress 2.0-1.0 RC2 - 'wp-feed.php' Remote File Inclusion                                              | php/webapps/28296.txt
Joomla! Plugin JD-WordPress 2.0-1.0 RC2 - 'wp-trackback.php' Remote File Inclusion                                         | php/webapps/28297.txt
Multiple WordPress Plugins (TimThumb 2.8.13 / WordThumb 1.07) - 'WebShot' Remote Code Execution                            | php/webapps/33851.txt
WordPress 5.0.0 - Image Remote Code Execution                                                                              | php/webapps/49512.py
WordPress Core 1.5.1.3 - Remote Code Execution                                                                             | php/webapps/1142.php
WordPress Core 1.5.1.3 - Remote Code Execution (Metasploit)                                                                | php/webapps/1145.pm

┌──(root㉿kali)-[~/tmp]
└─# searchsploit remote webapps drupal   
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                             |  Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Drupal 4.7 - 'Attachment mod_mime' Remote Command Execution                                                                | php/webapps/1821.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Remote Code Execution)                                                   | php/webapps/35150.php
Drupal 7.x Module Services - Remote Code Execution                                                                         | php/webapps/41564.php
Drupal < 4.7.6 - Post Comments Remote Command Execution                                                                    | php/webapps/3313.pl
Drupal < 5.1 - Post Comments Remote Command Execution                                                                      | php/webapps/3312.pl
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit)                                                   | php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit)                                                   | php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC)                                                | php/webapps/44542.txt
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution                                        | php/webapps/44449.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC)                                           | php/webapps/44448.py
Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution                                                             | php/webapps/46452.txt
Drupal < 8.6.9 - REST Module Remote Code Execution                                                                         | php/webapps/46459.py
Drupal Module CODER 2.5 - Remote Command Execution (Metasploit)                                                            | php/webapps/40149.rb
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
┌──(root㉿kali)-[~/tmp]
└─# searchsploit local windows        
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                             |  Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
.NET Runtime Optimization Service - Local Privilege Escalation                                                             | windows/local/16940.c
1 Click Audio Converter 2.3.6 - Activex Local Buffer Overflow                                                              | windows/local/37211.html
1 Click Extract Audio 2.3.6 - Activex Buffer Overflow                                                                      | windows/local/37212.html
10-Strike Bandwidth Monitor 3.7 - Local Buffer Overflow (SEH)                                                              | windows/local/45085.py
10-Strike Bandwidth Monitor 3.7 - Local Buffer Overflow (SEH)                                                              | windows/local/45085.py

┌──(root㉿kali)-[~/tmp]
└─# searchsploit local windows --disable-colour | grep -e "Microsoft"
Computer Associates InoculateIT 4.53 - Microsoft Exchange Agent                                                            | windows/local/20401.txt
MDAC 2.1.2.4202.3 / Microsoft Windows NT 4.0/SP1-6 JET/ODBC Patch / RDS Fix - Registry Key                                 | windows/local/19506.txt
Microsoft .NET Deployment Service - IE Sandbox Escape (MS14-009) (Metasploit)                                              | windows/local/33892.rb
Microsoft Address Book 6.00.2900.5512 - 'wab32res.dll' DLL Hijacking                                                       | windows/local/14745.c
Microsoft Authorization Manager 6.1.7601 - 'azman' XML External Entity Injection                                           | windows/local/40859.txt
Microsoft Baseline Security Analyzer 2.3 - XML External Entity Injection                                                   | windows/local/45354.txt
Microsoft Bluetooth Personal Area Networking - 'BthPan.sys' Local Privilege Escalation (Metasploit)                        | windows_x86/local/34982.rb
Microsoft Class Package Export Tool 5.0.2752 - 'Clspack.exe' Local Buffer Overflow (PoC)                                   | windows/dos/28822.txt
Microsoft Clip Art Gallery 5.0 - Local Buffer Overflow                                                                     | windows/local/19789.txt
Microsoft COM for Windows - Privilege Escalation                                                                           | windows/local/44906.txt
Microsoft Data Access Components (MDAC) 2.1 / Microsoft IIS 3.0/4.0 / Microsoft Index Server 2.0 / Microsoft Site Server C | windows/local/19425.txt
┌──(root㉿kali)-[~/tmp]
└─# searchsploit remote windows smb --disable-colour | grep -e "EternalBlue"
Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)                                           | windows/remote/42031.py
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)                       | windows/remote/42315.py
Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)                                 | windows_x86-64/remote/42030.py
                                                                                                                                                             
┌──(root㉿kali)-[~/tmp]
└─# searchsploit remote windows smb --disable-colour -w | grep -e "EternalBlue"
Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)                                | https://www.exploit-db.com/exploits/42031
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)            | https://www.exploit-db.com/exploits/42315
Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)                      | https://www.exploit-db.com/exploits/42030
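
The piped queries above pass `--disable-colour` before `grep`. As an added example (not part of the original post), this POSIX shell script normalises a saved searchsploit listing into de-duplicated tab-separated rows for a findings report or patch-triage sheet. The function names, the sample listing and the ANSI colour sequences in it are constructed assumptions.

```shell
#!/bin/sh
# Added example: turn a saved searchsploit table into de-duplicated TSV rows
# (EDB id, platform, type, title). Not code from the original post.

ESC=$(printf '\033')   # ANSI escape byte that starts terminal colour sequences

# Constructed sample: rows copied from the listings above with the padding
# shortened. The colour sequences on the 42031 row are an assumption about how
# highlighted search terms look when --disable-colour is NOT used.
sample_listing() {
cat <<EOF
└─# searchsploit remote windows smb --disable-colour | grep -e "EternalBlue"
---------------------------------------------------------------- -----------------
 Exploit Title                                                  |  Path
---------------------------------------------------------------- -----------------
DOUBLEPULSAR - Payload Execution and Neutralization (Metasploit) | windows/remote/47456.rb
DOUBLEPULSAR - Payload Execution and Neutralization (Metasploit) | windows/remote/47456.rb
Microsoft ${ESC}[01;31m${ESC}[KWindows${ESC}[m${ESC}[K 7/2008 R2 - 'EternalBlue' ${ESC}[01;31m${ESC}[KSMB${ESC}[m${ESC}[K Remote Code Execution (MS17-010) | windows/remote/42031.py
Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010) | windows_x86-64/remote/42030.py
Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit) | windows/dos/41891.rb
---------------------------------------------------------------- -----------------
 Shellcode Title                                                |  Path
---------------------------------------------------------------- -----------------
Linux/x86 - Remote Port Forwarding (ssh -R 9999:localhost:22 192.168.0.226) Shellcode (87 bytes) | linux_x86/23622.c
Papers: No Results
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010) | https://www.exploit-db.com/exploits/42315
EOF
}

# Remove ANSI colour / erase-line sequences so that text tools see plain titles.
strip_ansi() {
  sed "s/${ESC}\[[0-9;]*[A-Za-z]//g"
}

# Read a listing on stdin and print: id <TAB> platform <TAB> type <TAB> title
parse_rows() {
  strip_ansi | awk '
  {
    # The path column follows the LAST "|" on the line.
    cut = 0
    for (i = length($0); i > 0; i--)
      if (substr($0, i, 1) == "|") { cut = i; break }
    if (!cut) next                        # separators, "No Results" lines

    title = substr($0, 1, cut - 1)
    path  = substr($0, cut + 1)
    gsub(/^[ \t]+|[ \t]+$/, "", title)
    gsub(/^[ \t]+|[ \t]+$/, "", path)

    n = split(path, part, "/")
    id = part[n]
    sub(/\..*$/, "", id)                  # 42031.py -> 42031
    if (id !~ /^[0-9]+$/) next            # header rows, prompt lines with a pipe

    if (path ~ /^https?:/)  { platform = "-"; type = "-" }          # -w output
    else if (n == 3)        { platform = part[1]; type = part[2] }  # exploits
    else if (n == 2)        { platform = part[1]; type = "-" }      # shellcodes
    else next

    if (seen[path]++) next                # listings can repeat a row
    printf "%s\t%s\t%s\t%s\n", id, platform, type, title
  }'
}

# Stand-alone run: print the normalised rows for the constructed sample.
sample_listing | parse_rows
```
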

┌──(root㉿kali)-[~/tmp]
└─# cp /usr/share/exploitdb/exploits/windows/remote/42031.py .
                                                                                                                                                             
┌──(root㉿kali)-[~/tmp]
└─# ls
42031.py  49757.py