Craig Heffner

26 exploits. Active since Nov 2006.
CVE-2014-125122 EXPLOITDB MEDIUM python WORKING POC
Linksys WRT120N 1.0.07 - Unauthenticated Stack-based Buffer Overflow via TM_Block_URL Parameter
A stack-based buffer overflow vulnerability exists in the tmUnblock.cgi endpoint of the Linksys WRT120N wireless router. The vulnerability is triggered by sending a specially crafted HTTP POST request with an overly long TM_Block_URL parameter to the endpoint. By exploiting this flaw, an unauthenticated remote attacker can overwrite memory in a controlled manner, enabling them to temporarily reset the administrator password of the device to a blank value. This grants unauthorized access to the router’s web management interface without requiring valid credentials.
CVE-2014-125117 EXPLOITDB CRITICAL ruby WORKING POC
D-Link DSP-W215 1.02 - Unauthenticated Stack-based Buffer Overflow via /common/info.cgi HTTP POST Request
A stack-based buffer overflow vulnerability in the my_cgi.cgi component of certain D-Link devices, including the DSP-W215 version 1.02, can be exploited via a specially crafted HTTP POST request to the /common/info.cgi endpoint. This flaw enables an unauthenticated attacker to achieve remote code execution with system-level privileges.
CVSS 9.8
CVE-2012-10021 EXPLOITDB CRITICAL ruby WORKING POC
D-Link DIR-605L Wireless N300 Cloud Router <1.13 - Buffer Overflow
A stack-based buffer overflow vulnerability exists in D-Link DIR-605L Wireless N300 Cloud Router firmware versions 1.12 and 1.13 via the getAuthCode() function. The flaw arises from unsafe usage of sprintf() when processing user-supplied CAPTCHA data via the FILECODE parameter in /goform/formLogin. A remote unauthenticated attacker can exploit this to execute arbitrary code with root privileges on the device.
CVSS 9.8
CVE-2007-1224 EXPLOITDB perl WORKING POC
Grok Developments NetProxy 4.03 - CSRF
Grok Developments NetProxy 4.03 allows remote attackers to bypass URL filtering via a request that omits "http://" from the URL and specifies the destination port (:80).
CVE-2014-125122 METASPLOIT MEDIUM ruby WORKING POC
Linksys WRT120N 1.0.07 - Unauthenticated Stack-based Buffer Overflow via TM_Block_URL Parameter
A stack-based buffer overflow vulnerability exists in the tmUnblock.cgi endpoint of the Linksys WRT120N wireless router. The vulnerability is triggered by sending a specially crafted HTTP POST request with an overly long TM_Block_URL parameter to the endpoint. By exploiting this flaw, an unauthenticated remote attacker can overwrite memory in a controlled manner, enabling them to temporarily reset the administrator password of the device to a blank value. This grants unauthorized access to the router’s web management interface without requiring valid credentials.
CVE-2012-10021 METASPLOIT CRITICAL ruby WORKING POC
D-Link DIR-605L Wireless N300 Cloud Router <1.13 - Buffer Overflow
A stack-based buffer overflow vulnerability exists in D-Link DIR-605L Wireless N300 Cloud Router firmware versions 1.12 and 1.13 via the getAuthCode() function. The flaw arises from unsafe usage of sprintf() when processing user-supplied CAPTCHA data via the FILECODE parameter in /goform/formLogin. A remote unauthenticated attacker can exploit this to execute arbitrary code with root privileges on the device.
CVSS 9.8
CVE-2014-3936 METASPLOIT ruby WORKING POC
D-Link DSP-W215 <1.01b06 - Buffer Overflow
Stack-based buffer overflow in the do_hnap function in www/my_cgi.cgi in D-Link DSP-W215 (Rev. A1) with firmware 1.01b06 and earlier, DIR-505 with firmware before 1.08b10, and DIR-505L with firmware 1.01 and earlier allows remote attackers to execute arbitrary code via a long Content-Length header in a GetDeviceSettings action in an HNAP request.
CVE-2014-125117 METASPLOIT CRITICAL ruby WORKING POC
D-Link DSP-W215 1.02 - Unauthenticated Stack-based Buffer Overflow via /common/info.cgi HTTP POST Request
A stack-based buffer overflow vulnerability in the my_cgi.cgi component of certain D-Link devices, including the DSP-W215 version 1.02, can be exploited via a specially crafted HTTP POST request to the /common/info.cgi endpoint. This flaw enables an unauthenticated attacker to achieve remote code execution with system-level privileges.
CVSS 9.8
CVE-2013-7389 METASPLOIT ruby WORKING POC
D-Link DIR-645 < 1.04B11 - Cross-Site Scripting via Parental Controls Bind Parameter
Multiple cross-site scripting (XSS) vulnerabilities in D-Link DIR-645 Router (Rev. A1) with firmware before 1.04B11 allow remote attackers to inject arbitrary web script or HTML via the (1) deviceid parameter to parentalcontrols/bind.php, (2) RESULT parameter to info.php, or (3) receiver parameter to bsc_sms_send.php.
CVE-2015-2051 METASPLOIT HIGH ruby WORKING POC
D-Link DIR-645 Firmware < 1.05b01 - Remote Code Execution via HNAP GetDeviceSettings Action
The D-Link DIR-645 Wired/Wireless Router Rev. Ax with firmware 1.04b12 and earlier allows remote attackers to execute arbitrary commands via a GetDeviceSettings action to the HNAP interface.
CVSS 8.8
CVE-2007-1225 EXPLOITDB perl WORKING POC
Grok Developments NetProxy 4.03 - Info Disclosure
The connection log file implementation in Grok Developments NetProxy 4.03 does not record requests that omit http:// in a URL, which might allow remote attackers to conduct unauthorized activities and avoid detection.
CVE-2006-7133 EXPLOITDB text WRITEUP
php_upload_tool 1.0 - Directory Traversal via Filename Parameter
Directory traversal vulnerability in upload/bin/download.php in Upload Tool for PHP 1.0 allows remote attackers to read arbitrary files via (1) ".." sequences or (2) absolute pathnames in the filename parameter.
CVE-2006-7134 EXPLOITDB text WRITEUP
Upload Tool for PHP 1.0 - Unauthenticated Arbitrary File Upload via main_user.php
Unrestricted file upload vulnerability in main_user.php in Upload Tool for PHP 1.0 allows remote attackers to upload and execute arbitrary files with executable extensions such as .php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2006-6028 EXPLOITDB text WORKING POC
DoSePa 1.0.4 - Unauthenticated Directory Traversal via File Parameter
Directory traversal vulnerability in textview.php in Anton Vlasov DoSePa 1.0.4 allows remote attackers to read arbitrary files via a .. (dot dot) sequence or absolute file path in the file parameter.
CVE-2006-5889 EXPLOITDB python WORKING POC
BrewBlogger 1.3.1 - SQL Injection via printLog.php id Parameter
SQL injection vulnerability in printLog.php in BrewBlogger (BB) 1.3.1 allows remote attackers to execute arbitrary SQL commands via the id parameter.
EIP-2026-101657 EXPLOITDB text WRITEUP
D-Link WBR-1310 - Authentication Bypass
EIP-2026-101653 EXPLOITDB text WRITEUP
D-Link Routers - Authentication Bypass (1)
EIP-2026-101215 EXPLOITDB ruby WORKING POC
D-Link Devices - 'Authentication.cgi' Remote Buffer Overflow (Metasploit)
CVE-2013-6027 EXPLOITDB python WORKING POC
D-Link DIR-100 - Authenticated Stack-Based Buffer Overflow via Ping Diagnostic Parameter
Stack-based buffer overflow in the RuntimeDiagnosticPing function in /bin/webs on D-Link DIR-100 routers might allow remote authenticated administrators to execute arbitrary commands via a long set/runtime/diagnostic/pingIp parameter to Tools/tools_misc.xgi.
EIP-2026-101178 EXPLOITDB text WORKING POC
Belkin F5D8233-4 Wireless N Router (Multiple Scripts) - Authentication Bypass
EIP-2026-101249 EXPLOITDB text WRITEUP
DD-WRT 24-preSP2 - Information Disclosure
CVE-2014-3936 EXPLOITDB ruby WORKING POC
D-Link DSP-W215 <1.01b06 - Buffer Overflow
Stack-based buffer overflow in the do_hnap function in www/my_cgi.cgi in D-Link DSP-W215 (Rev. A1) with firmware 1.01b06 and earlier, DIR-505 with firmware before 1.08b10, and DIR-505L with firmware 1.01 and earlier allows remote attackers to execute arbitrary code via a long Content-Length header in a GetDeviceSettings action in an HNAP request.
CVE-2015-2051 EXPLOITDB HIGH ruby WORKING POC
D-Link DIR-645 Firmware < 1.05b01 - Remote Code Execution via HNAP GetDeviceSettings Action
The D-Link DIR-645 Wired/Wireless Router Rev. Ax with firmware 1.04b12 and earlier allows remote attackers to execute arbitrary commands via a GetDeviceSettings action to the HNAP interface.
CVSS 8.8
EIP-2026-101217 EXPLOITDB ruby WORKING POC
D-Link Devices - 'hedwig.cgi' Remote Buffer Overflow in Cookie Header (Metasploit)