47904 matches found
Vim < 8.1.1365 / Neovim < 0.3.6 - Arbitrary Code Execution
by Arminius @rawsec Vim/Neovim Arbitrary Code Execution via Modelines ================================================= Product: Vim 8.1.1365, Neovim 0.3.6 Type: Arbitrary Code Execution CVE: CVE-2019-12735 Date: 2019-06-04 Author: Arminius @rawsec Summary ------- Vim before 8.1.1365 and Neovim...
Zoho ManageEngine ServiceDesk Plus 9.3 - 'PurchaseRequest.do' Cross-Site Scripting
Exploit Title: Zoho ManageEngine ServiceDesk Plus 9.3 Cross-Site Scripting via PurchaseRequest.do Date: 2019-06-04 Exploit Author: Tarantula Team - VinCSS a member of Vingroup Vendor Homepage: https://www.manageengine.com/products/service-desk Version: Zoho ManageEngine ServiceDesk Plus 9.3 CVE :...
IceWarp 10.4.4 - Local File Inclusion
Exploit Title: IceWarp =10.4.4 local file include Date: 02/06/2019 Exploit Author: JameelNabbo Website: uitsec.com Vendor Homepage: http://www.icewarp.com Software Link: https://www.icewarp.com/downloads/trial/ Version: 10.4.4 Tested on: Windows 10 CVE: CVE-2019-12593 POC:...
NUUO NVRMini 2 3.9.1 - 'sscanf' Stack Overflow
!/usr/bin/python Exploit Title: NUUO NVRMini2 3.9.1 'sscanf' stack overflow Google Dork: n/a Date: Advisory Published: Nov 18 Exploit Author: @0x00string Vendor Homepage: nuuo.com Software Link: https://www.nuuo.com/ProductNode.php?node=2 Version: 3.9.1 and prior Tested on: 3.9.1 CVE :...
Zoho ManageEngine ServiceDesk Plus 9.3 - 'SiteLookup.do' Cross-Site Scripting
Exploit Title: Zoho ManageEngine ServiceDesk Plus 9.3 Cross-Site Scripting via SiteLookup.do Date: 2019-06-04 Exploit Author: Tarantula Team - VinCSS a member of Vingroup Vendor Homepage: https://www.manageengine.com/products/service-desk Version: Zoho ManageEngine ServiceDesk Plus 9.3 CVE :...
DVD X Player 5.5 Pro - Local Buffer Overflow (SEH)
Exploit Title: DVDXPlayer 5.5 Pro Local Buffer Overflow with SEH Date: 6-3-2019 Exploit Author: Kevin Randall Vendor Homepage: http://www.dvd-x-player.com/download.htmldvdPlayer Software Link: http://www.dvd-x-player.com/download.htmldvdPlayer Version: 5.5 Pro Tested on: Windows 7 CVE : N/A...
Cisco RV130W 1.0.3.44 - Remote Stack Overflow
!/usr/bin/python Exploit Title: Cisco RV130W Remote Stack Overflow Google Dork: n/a Date: Advisory Published: Feb 2019 Exploit Author: @0x00string Vendor Homepage: cisco.com Software Link: https://www.cisco.com/c/en/us/products/routers/rv130w-wireless-n-multifunction-vpn-router/index.html Version...
Zoho ManageEngine ServiceDesk Plus 9.3 - 'SearchN.do' Cross-Site Scripting
Exploit Title: Zoho ManageEngine ServiceDesk Plus 9.3 Cross-Site Scripting via SearchN.do Date: 2019-06-04 Exploit Author: Tarantula Team - VinCSS a member of Vingroup Vendor Homepage: https://www.manageengine.com/products/service-desk Version: Zoho ManageEngine ServiceDesk Plus 9.3 CVE :...
Zoho ManageEngine ServiceDesk Plus 9.3 - 'SolutionSearch.do' Cross-Site Scripting
Exploit Title: Zoho ManageEngine ServiceDesk Plus 9.3 Cross-Site Scripting via SolutionSearch.do Date: 2019-06-04 Exploit Author: Tarantula Team - VinCSS a member of Vingroup Vendor Homepage: https://www.manageengine.com/products/service-desk Version: Zoho ManageEngine ServiceDesk Plus 9.3 CVE :...
Nvidia GeForce Experience Web Helper - Command Injection
//Send request to local GFE server function submitRequestport,secret var xhr = new XMLHttpRequest; xhr.open"POST", "http://127.0.0.1:"+port+"/gfeupdate/autoGFEInstall/", true; xhr.setRequestHeader"Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8";...
KACE System Management Appliance (SMA) < 9.0.270 - Multiple Vulnerabilities
Exploit Title: Dell Kace Appliance Multiple Vulnerabilities Date: 12/04/2018 Exploit Author: SlidingWindow, Twitter: @kapilkhot Vendor Homepage: https://www.quest.com/products/kace-systems-management-appliance/ Affected Versions: KACE SMA versions prior to 9.0.270 PATCH SEC201820180410 Tested on:...
AUO Solar Data Recorder < 1.3.0 - Incorrect Access Control
Exploit Title: AUO Solar Data Recorder - Incorrect Access Control Date: 2019-04-16 Exploit Author: Luca.Chiou Vendor Homepage: https://www.auo.com/zh-TW Version: AUO Solar Data Recorder all versions prior to v1.3.0 Tested on: It is a proprietary devices:...
WordPress Plugin Form Maker 1.13.3 - SQL Injection
-- coding: utf-8 -- Exploit Title: WordPress Plugin Form Maker 1.13.3 - SQL Injection Date: 22-03-2019 Exploit Author: Daniele Scanu @ Certimeter Group Vendor Homepage: https://10web.io/plugins/ Software Link: https://wordpress.org/plugins/form-maker/ Version: 1.13.3 Tested on: Ubuntu 18.04 CVE :...
Microsoft Windows Remote Desktop - 'BlueKeep' Denial of Service
import socket, sys, struct from OpenSSL import SSL from impacket.structure import Structure I'm not responsible for what you use this to accomplish and should only be used for education purposes Could clean these up since I don't even use them class TPKTStructure: commonHdr = 'Version','B=3',...
Qualcomm Android - Kernel Use-After-Free via Incorrect set_page_dirty() in KGSL
The following issue exists in the android-msm-wahoo-4.4-pie branch of https://android.googlesource.com/kernel/msm and possibly others: When kgslmementrydestroy in drivers/gpu/msm/kgsl.c is called for a writable entry with memtype KGSLMEMENTRYUSER, it attempts to mark the entry's pages as dirty...
pfSense 2.4.4-p3 (ACME Package 0.59_14) - Persistent Cross-Site Scripting
Exploit Title: pfSense 2.4.4-p3 ACMEPackage 0.5.71 - Stored Cross-Site Scripting Date: 05.28.2019 Exploit Author: Chi Tran Vendor Homepage: https://www.pfsense.org Version: 2.4.4-p3/0.5.71 Software Link: N/A Google Dork: N/A CVE:2019-12347 Introduction pfSense® software is a free, open source...
Spidermonkey - IonMonkey Unexpected ObjectGroup in ObjectGroupDispatch Operation
While fuzzing Spidermonkey, I encountered the following commented and modified JavaScript program which crashes debug builds of the latest release version of Spidermonkey from commit https://github.com/mozilla/gecko-dev/commit/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c: function O1 this.s = 'foobar...
Oracle Application Testing Suite - WebLogic Server Administration Console War Deployment (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Oracle Application Testing Suite WebLogic Server Administration Console War Deployment', 'Description' = %q This module abuses a feature in...
Free SMTP Server 2.5 - Denial of Service (PoC)
Exploit Title: Free SMTP Server - Local Denial of Service Crash PoC Date: February 3, 2009 Exploit Author: Metin Kandemir kandemir Vendor Homepage: http://www.softstack.com/freesmtp.html Software Link: https://free-smtp-server.en.uptodown.com/windows/download Version: 2.5 Tested on: Windows 7...
Spidermonkey - IonMonkey Leaks JS_OPTIMIZED_OUT Magic Value to Script
IonMonkey can, during a bailout, leak an internal JSOPTIMIZEDOUT magic value to the running script. This magic value can then be used to achieve memory corruption. Prerequisites Magic Values Spidermonkey represents JavaScript values with the C++ type JS::Value 1, which is a NaN-boxed value that c...
EquityPandit 1.0 - Password Disclosure
Exploit title: EquityPandit v1.0 - Insecure Logging Date:27/05/2019 Exploit Author: ManhNho Software name: "EquityPandit" Software link: https://play.google.com/store/apps/details?id=com.yieldnotion.equitypandit Version: 1.0 Category: Android apps Description: - Sometimes developers keeps sensiti...
Petraware pTransformer ADC < 2.1.7.22827 - Login Bypass
Exploit Title: Petraware pTransformer ADC before 2.1.7.22827 allows SQL Injection via the User ID parameter to the login form. Date: 28-05-2019 Exploit Author: Faudhzan Rahman Website: https://faudhzanrahman.blogspot.com/ Vendor Homepage: http://www.petraware.com Version: 2.0 CVE : CVE-2019-12372...
Phraseanet < 4.0.7 - Cross-Site Scripting
Exploit title: Stored XSS vulnerability in Phraseanet DAM Open Source software Date: 10/10/2018 Exploit Author: Krzysztof Szulski Vendor Homepage: https://www.phraseanet.com Software Link also VM: https://www.phraseanet.com/en/download/ Version affected: 4.0.3 4.0.4-dev and below Version fixed:...
Deltek Maconomy 2.2.5 - Local File Inclusion
Exploit Title: Maconomy Erp local file include Date: 22/05/2019 Exploit Author: JameelNabbo Website: jameelnabbo.com Vendor Homepage: https://www.deltek.com Software Link: https://www.deltek.com/en-gb/products/project-erp/maconomy CVE: CVE-2019-12314 POC: POC:...
Typora 0.9.9.24.6 - Directory Traversal
Exploit Title: Code execution via path traversal Date: 17-05-2019 Exploit Author: Dhiraj Mishra Vendor Homepage: http://typora.io Software Link: https://typora.io/download/Typora.dmg Version: 0.9.9.24.6 Tested on: macOS Mojave v10.14.4 CVE: CVE-2019-12137 References:...
Pidgin 2.13.0 - Denial of Service (PoC)
-- coding: utf-8 -- Exploit Title: Pidgin 2.13.0 - Denial of Service PoC Date: 24/05/2019 Author: Alejandra Sánchez Vendor Homepage: https://pidgin.im/ Software https://cfhcable.dl.sourceforge.net/project/pidgin/Pidgin/2.13.0/pidgin-2.13.0.exe Version: 2.13.0 Tested on: Windows 7, Windows 10 Proo...
Opencart 3.0.3.2 - 'extension/feed/google_base' Denial of Service (PoC)
!/bin/bash Opencart PoC exploit, just for test... Tested on store with added more than 1000 products Usage: ./cartkiller.sh storeurl threads sleep Example: ./cartkiller.sh https://storename 50 5 Disclaimer: This or previous programs is for Educational purpose ONLY. Do not use it without permissio...
Cyberoam General Authentication Client 2.1.2.7 - 'Server Address' Denial of Service (PoC)
Exploit Title: Cyberoam General Authentication Client 2.1.2.7 - Denial of Service PoC Discovery by: Victor Mondragón Discovery Date: 2019-05-23 Vendor Homepage: https://www.cyberoam.com Software Link:...
Cyberoam SSLVPN Client 1.3.1.30 - 'Connect To Server' Denial of Service (PoC)
Exploit Title: Cyberoam SSLVPN Client 1.3.1.30 - 'Connect To Server' Denial of Service PoC Discovery by: Victor Mondragón Discovery Date: 2019-05-23 Vendor Homepage: https://www.cyberoam.com Software Link: https://download.cyberoam.com/solution/optionals/i18n/CrSSLv1.3.1.30.zip Tested Version:...
Cyberoam Transparent Authentication Suite 2.1.2.5 - 'Fully Qualified Domain Name' Denial of Service (PoC)
Exploit Title: Cyberoam Transparent Authentication Suite 2.1.2.5 - 'Fully Qualified Domain Name' Denial of Service PoC Discovery by: Victor Mondragón Discovery Date: 2019-05-23 Vendor Homepage: https://www.cyberoam.com Software Link:...
Cyberoam Transparent Authentication Suite 2.1.2.5 - 'NetBIOS Name' Denial of Service (PoC)
Exploit Title: Cyberoam Transparent Authentication Suite 2.1.2.5 - 'NetBIOS Name' Denial of Service PoC Discovery by: Victor Mondragón Discovery Date: 2019-05-23 Vendor Homepage: https://www.cyberoam.com Software Link:...
Axessh 4.2 - 'Log file name' Local Stack-based Buffer Overflow
Title: Axessh 4.2 - 'Log file name' Local Stack-based Buffer Overflow Date: May 23rd, 2019 Author: Uday Mittal https://github.com/yaksas443/YaksasCSC-Lab/ Vendor Homepage: http://www.labf.com Software Link: http://www.labf.com/download/axessh.exe Version v4.2 Tested on: Windows 7 SP1 EN x86...
Fast AVI MPEG Joiner - 'License Name' Denial of Service (PoC)
Exploit Title: Fast AVI MPEG Joiner Dos Exploit Date: 24.5.2019 Vendor Homepage:http://www.alloksoft.com Software Link: http://www.alloksoft.com/fastavimpegjoiner.exe Exploit Author: Achilles Tested Version: 1.2.0812 Tested on: Windows 7 x64 Sp1 Windows XP x86 Sp3 1.- Run python code :Joiner.py 2...
Microsoft Internet Explorer Windows 10 1809 17763.316 - Scripting Engine Memory Corruption
Exploit Title: Microsoft Internet Explorer Windows 10 1809 17763.316 - Scripting Engine Memory Corruption Date: 03/2019 Author: Simon Zuckerbraun Vendor: https://www.microsoft.com/ Version: February 2019 patch level Tested on: Windows 10 1809 17763.316 CVE: CVE-2019-0752 Content Dim ar1&h3000000...
Cyberoam SSLVPN Client 1.3.1.30 - 'HTTP Proxy' Denial of Service (PoC)
Exploit Title: Cyberoam SSLVPN Client 1.3.1.30 - 'HTTP Proxy' Denial of Service PoC Discovery by: Victor Mondragón Discovery Date: 2019-05-23 Vendor Homepage: https://www.cyberoam.com Software Link: https://download.cyberoam.com/solution/optionals/i18n/CrSSLv1.3.1.30.zip Tested Version: 1.3.1.30...
Microsoft Windows 10 (17763.379) - Install DLL
edit: Figure out how this works for yourself. I can't be bothered. It's a really hard race, doubt anyone will be able to repro anyway. Could be used with malware, you could programmatically trigger the rollback. Maybe you can even pass the silent flag to hide installer UI and find another way to...
Shopware - createInstanceFromNamedArguments PHP Object Instantiation Remote Code Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "Shopware createInstanceFromNamedArguments PHP Object Instantiation RCE", 'Description' = %q This module exploits a php object instantiation...
Visual Voicemail for iPhone - IMAP NAMESPACE Processing Use-After-Free
Visual Voicemail VVM is a feature of mobile devices that allows voicemail to be read in an email-like format. Carriers set up a Visual Voicemail server that supports IMAP, and the device queries this server for new email. Visual Voicemail is configured over SMS, and carriers inform devices of the...
Terminal Services Manager 3.2.1 - Denial of Service
-- coding: utf-8 -- Exploit Title: Terminal Services Manager 3.2.1 - Local Buffer Overflow Denial of Service Date: 22/05/2019 Author: Alejandra Sánchez Vendor Homepage: https://lizardsystems.com Software: https://lizardsystems.com/files/releases/terminal-services-manager/tsmanagersetup3.2.1.247.e...
NetAware 1.20 - 'Share Name' Denial of Service (PoC)
-- coding: utf-8 -- Exploit Title: NetAware 1.20 - 'Share Name' Denial of Service PoC Date: 22/05/2019 Author: Alejandra Sánchez Vendor Homepage: https://www.infiltration-systems.com Software: http://www.infiltration-systems.com/Files/netaware.zip Version: 1.20 Tested on: Windows 7 Proof of...
NetAware 1.20 - 'Add Block' Denial of Service (PoC)
-- coding: utf-8 -- Exploit Title: NetAware 1.20 - 'Add Block' Denial of Service PoC Date: 22/05/2019 Author: Alejandra Sánchez Vendor Homepage: https://www.infiltration-systems.com Software: http://www.infiltration-systems.com/Files/netaware.zip Version: 1.20 Tested on: Windows 7 Proof of Concep...
Microsoft Windows 10 1809 - 'CmKeyBodyRemapToVirtualForEnum' Arbitrary Key Enumeration Privilege Escalation
Windows: CmKeyBodyRemapToVirtualForEnum Arbitrary Key Enumeration EoP Platform: Windows 10 1809 not tested earlier Class: Elevation of Privilege Security Boundary per Windows Security Service Criteria: User boundary Summary: The kernel’s Registry Virtualization doesn’t safely open the real key fo...
Nagios XI 5.6.1 - SQL injection
Exploit Title: Nagiosxi username sql injection Date: 22/05/2019 Exploit Author: JameelNabbo Website: jameelnabbo.com Vendor Homepage: https://www.nagios.com Software Link: https://www.nagios.com/products/nagios-xi/ Version: xi-5.6.1 Tested on: MacOSX CVE: CVE-2019-12279 POC: POST...
Microsoft Windows - AppX Deployment Service Local Privilege Escalation (2)
There is still a vuln in the code triggered by CVE-2019-0841 The bug that this guy found: https://krbtgt.pw/dacl-permissions-overwrite-privilege-escalation-cve-2019-0841/ If you create the following: GetFavDirectory gets the local appdata folder, fyi CreateDirectoryGetFavDirectory +...
Apple Mac OS X - Feedback Assistant Race Condition (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Mac OS X Feedback Assistant Race Condition', 'Description' = %q This module exploits a race condition vulnerability in Mac's Feedback Assistant. ...
Microsoft Internet Explorer 11 - Sandbox Escape
Inject into IE11. Will work on other sandboxes that allow the opening of windows filepickers through a broker. You will gain medium IL javascript execution, at which point you simply retrigger your IE RCE bug. EDB Note Download:...
Microsoft Windows (x86) - Task Scheduler' .job' Import Arbitrary Discretionary Access Control List Write / Local Privilege Escalation
Task Scheduler .job import arbitrary DACL write Tested on: Windows 10 32-bit Bug information: There are two folders for tasks. c:\windows\tasks c:\windows\system32\tasks The first one is only there for legacy purposes. The second one gets used by the task scheduler. In the old days i.e windows xp...
Microsoft Windows (x86/x64) - 'Error Reporting' Discretionary Access Control List / Local Privilege Escalation
EDIT: Apparently this was patched earlier this month.. so whatever. Windows Error Reporting Arbitrary DACL write It can take upwards of 15 minutes for the bug to trigger. If it takes too long, closing the program, cleaning out the reportarchive folder in programdata it may mess up the timing if...
TapinRadio 2.11.6 - 'Uername' Denial of Service (PoC)
Exploit Title: TapinRadio 2.11.6 - 'Uername' Denial of Service PoC Discovery by: Victor Mondragón Discovery Date: 2019-05-21 Vendor Homepage: http://www.raimersoft.com/ Software Link: www.raimersoft.com/downloads/tapinradiosetupx64.exe Tested Version: 2.11.6 Tested on: Windows 7 Service Pack 1 x6...
Carel pCOWeb < B1.2.1 - Cross-Site Scripting
Exploit Title: Carel pCOWeb - Stored XSS Date: 2019-04-16 Exploit Author: Luca.Chiou Vendor Homepage: https://www.carel.com/ Version: Carel pCOWeb all versions prior to B1.2.1 Tested on: It is a proprietary devices: http://www.carel.com/product/pcoweb-card 1. Description: In Carel pCOWeb web page...