1151 matches found
Network Scanner 4.0.0 - Local Buffer Overflow (SEH)
!/usr/bin/python -- coding: utf-8 -- Network Scanner Version 4.0.0.0 - SEH Overflow Exploit by n30m1nd Date: 2016-10-21 Exploit Author: n30m1nd Exploit Title: Network Scanner Version 4.0.0.0 SEH Based Exploit Vendor Homepage: http://www.mitec.cz/ Software Link:...
HackerOne: Bypass rate limiting on /users/password (possibly site-wide rate limit bypass?)
Hi there, I noticed when we hit the /userssignin endpoint too many times it will give us HTTP/1.1 429 Too Many Requests Date: Mon, 19 Sep 2016 01:52:19 GMT Content-Type: text/plain However, this can be "reset" although I struggle to get it to work EVERYTIME on /users/signin. This however, does wo...
Asterisk TLS Certificate Common Name NULL Byte Vulnerability (AST-2015-003)
Asterisk is prone to a certificate bypass vulnerability. SPDX-FileCopyrightText: 2016 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holder(s). SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:digium:asterisk"; if...
Nextcloud: More content spoofing through dir param in the files app
Hi! It's still possible to use an invalid dir param to spoof messages in the directory breadcrumbs area. For example, you can use URL-encoded periods to bypass the directory traversal prevention. By referencing a path that returns a 301, you can add a message in the dir param F108266:...
Oracle Glassfish PartItem Arbitrary File Upload Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle Glassfish Server. Authentication is not required to exploit this vulnerability. The PartItem class allows remote attackers to write to arbitrary files via a NULL byte in a file name in a...
The vulnerability of the PHP interpreter, which allows a remote attacker to create a file with an incorrect name
A vulnerability in the PHP interpreter’s move_uploaded_file function exists due to the truncation of the path when the character \x00 is present. As a result of exploiting this vulnerability, a malicious actor can create a file with an incorrect name, circumventing the restrictions imposed on the...
WordPress CodeCanyon Real3D FlipBook 2.18.8 File Deletion / Upload / XSS
1 Unauthenticated file/directory deletion Vulnerability exists in a file 'includes/process.php' where the user input eventually goes to PHP unlink or rmdir functions. We can give any file path or directory here. We can even delete the whole wordpress site. In my POC exploit, I'm just deleting the...
Pidgin MXIT Protocol Denial of Service Vulnerability (CNVD-2016-04336)
Pidgin is a cross-platform real-time communication client. A denial of service vulnerability exists in the MXIT protocol processing in Pidgin version 2.10.11, which can be exploited by an attacker to cause a denial of service (null pointer dereference) by sending packets starting with a null byte...
UBUNTU-CVE-2016-2369
A NULL pointer dereference vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in a denial of service vulnerability. A malicious server can send a packet starting with a NULL byte triggering the vulnerabilit...
The vulnerability of the PHP interpreter allows attackers to read arbitrary files or write to them.
The vulnerability of the PHP interpreter lies in the lack of checks for the sequence “%00” in the path name. Exploiting this vulnerability allows an attacker to read arbitrary files or write to them using specially crafted input data for an application that calls the method DOMDocument.load, the...
The vulnerability of the PHP interpreter allows attackers to read arbitrary files or write to them.
The vulnerability of the PHP interpreter lies in the lack of checks for the sequence “%00” in the path name. Exploiting this vulnerability allows an attacker to read arbitrary files or write to them using specially crafted input data for an application that calls the DOMDocument save method or th...
UBUNTU-CVE-2016-4072
The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of \0 characters by the phar_analyze_path function in ext/phar/phar.c...
Network Scanner 4.0.0.0 SEH Crash Proof Of Concept
-- coding: utf-8 -- Exploit Title: Network Scanner Version 4.0.0.0 SEH Crash POC POC Dork: N/A Date: 2016-02-15 Author: INSECT.B Twitter : @INSECT.B Facebook : https://www.facebook.com/B.INSECT00 Blog : http://binsect00.tistory.com Vendor Homepage: http://www.mitec.cz/ Software Link:...
HackerOne: Null byte injection
Hi, I would like to report an issue that I have noticed in https://hackerone.com/users/signin?invitationtoken= . I am not sure if this is a valid security issue, but I have decided to report it anyway and see what you guys think. Details: - When you go to...
commons-fileupload: Arbitrary file upload via deserialization
The DiskFileItem class in Apache Commons FileUpload, as used in Red Hat JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2, and 6.0.0; and Red Hat JBoss Web Server 1.0.2 allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance...
HTTP File Server Remote Command Execution Vulnerability-02 (Jan 2016)
HTTP File Server is prone to a remote command execution (RCE) vulnerability. SPDX-FileCopyrightText: 2016 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holder(s). SPDX-License-Identifier: GPL-2.0-only CPE =...
libldb: remote memory read in the Samba LDAP server
A memory-read flaw was found in the way the libldb library processed LDB DN records with a null byte. An authenticated, remote attacker could use this flaw to read heap-memory pages from the server...