Oracle Java Runtime Environment - Heap Corruption During TTF font Rendering in GlyphIterator::setCurrGlyphID

A heap corruption was observed in Oracle Java Runtime Environment version 8u202 latest at the time of this writing while fuzz-testing the processing of TrueType fonts. It manifests itself in the form of the following or similar crash: --- cut --- $ bin/java -cp . DisplaySfntFont test.ttf Iteratio...

MailCarrier 2.51 - POP3 'RETR' SEH Buffer Overflow

!/usr/bin/python Exploit Title: MailCarrier 2.51 - SEH Remote Buffer Overflow in "RETR" commandPOP3 Date: 16/04/2019 Exploit Author: Dino Covotsos - Telspace Systems Vendor Homepage: https://www.tabslab.com/ Version: 2.51 Software Link: N.A Contact: [email protected] Twitter: @telspacesyste...

Oracle Java Runtime Environment - Heap Corruption During TTF font Rendering in sc_FindExtrema4

A heap corruption was observed in Oracle Java Runtime Environment version 8u202 latest at the time of this writing while fuzz-testing the processing of TrueType, implemented in a proprietary t2k library. It manifests itself in the form of the following or similar crash: --- cut --- $ bin/java -cp...

DHCP Server 2.5.2 - Denial of Service (PoC)

Exploit Title: DHCP Server 2.5.2 - Denial of Service PoC Discovery by: Victor Mondragón Discovery Date: 2019-04-16 Vendor Homepage: http://www.dhcpserver.de/cms/ Software Link: http://www.dhcpserver.de/cms/wp-content/plugins/download-attachments Tested Version: 2.5.2 Tested on: Windows 7 x32...

ASUS HG100 - Denial of Service

Exploit Title:ASUS HG100 devices denial of serviceDOS via IPv4 packets/SlowHTTPDOS Date: 2019-04-14 Exploit Author: YinT Wang; Vendor Homepage: www.asus.com Version: Hardware version: HG100 、Firmware version: 1.05.12 Tested on: Currnet 1.05.12 CVE : CVE-2018-11492 1. Description The attack at sam...

Microsoft Windows 10 1809 / 1709 - CSRSS SxSSrv Cached Manifest Privilege Escalation

Windows: CSRSS SxSSrv Cached Manifest EoP Platform: Windows 10 1809, 1709 Class: Elevation of Privilege Security Boundary per Windows Security Service Criteria: User boundary and others Summary: The SxS manifest cache in CSRSS uses a weak key allowing an attacker to fill a cache entry for a syste...

Joomla! Core 1.5.0 - 3.9.4 - Directory Traversal / Authenticated Arbitrary File Deletion

Exploit Title: Joomla Core 1.5.0 through 3.9.4 - Directory Traversal && Authenticated Arbitrary File Deletion Date: 2019-March-13 Exploit Author: Haboob Team Web Site: haboob.sa Email: [email protected] Software Link: https://www.joomla.org/ Versions: Joomla 1.5.0 through Joomla 3.9.4 CVE :...

PCHelpWare V2 1.0.0.5 - 'Group' Denial of Service (PoC)

-- coding: utf-8 -- Exploit Title: PCHelpWareV2 1.0.0.5 - 'Group' Denial of Service PoC Date: 15/04/2019 Author: Alejandra Sánchez Vendor Homepage: https://www.uvnc.com/home.html Software Link: http://www.uvnc.eu/download/pchw2/PCHelpWareV2.msi Version: 1.0.0.5 Tested on: Windows 10 Proof of...

Microsoft Windows 10 1809 - LUAFV Delayed Virtualization MAXIMUM_ACCESS DesiredAccess Privilege Escalation

Windows: LUAFV Delayed Virtualization MAXIMUMACCESS DesiredAccess EoP Platform: Windows 10 1809 not tested earlier Class: Elevation of Privilege Security Boundary per Windows Security Service Criteria: User boundary Summary: The LUAFV driver reuses the file’s create request DesiredAccess paramete...

AdminExpress 1.2.5 - 'Folder Path' Denial of Service (PoC)

-- coding: utf-8 -- !/usr/bin/python Exploit Title: AdminExpress 1.2.5 - Denial of Service PoC Date: 2019-04-12 Exploit Author: Mücahit İsmail Aktaş Software Link: https://admin-express.en.softonic.com/ Version: 1.2.5.485 Tested on: Windows XP Professional SP2 Description: 1 Click the "System...

Zoho ManageEngine ADManager Plus 6.6 (Build < 6659) - Privilege Escalation

Exploit Title: Zoho ManageEngine ADManager Plus 6.6 Build 6659 Privilege Escalation Date: 15th April 2019 Exploit Author: Digital Interruption Vendor Homepage: https://www.manageengine.co.uk/ Version: 6.6 Build 6658 Tested on: Windows Server 2012 R2 CVE : CVE-2018-19374 Due to weak permissions...

Zyxel ZyWall 310 / ZyWall 110 / USG1900 / ATP500 / USG40 - Login Page Cross-Site Scripting

Exploit Title: Reflected XSS on Zyxel login pages Date: 10 Apr 2019 Exploit Author: Aaron Bishop Vendor Homepage: https://www.zyxel.com/us/en/ Version: V4.31 Tested on: ZyWall 310, ZyWall 110, USG1900, ATP500, USG40 - weblogin.cgi, webauthrelogin.cgi CVE : 2019-9955 1. Description ==============...

PCHelpWare V2 1.0.0.5 - 'SC' Denial of Service (PoC)

-- coding: utf-8 -- Exploit Title: PCHelpWareV2 1.0.0.5 - 'SC' Denial of Service PoC Date: 15/04/2019 Author: Alejandra Sánchez Vendor Homepage: https://www.uvnc.com/home.html Software Link: http://www.uvnc.eu/download/pchw2/PCHelpWareV2.msi Version: 1.0.0.5 Tested on: Windows 10 Proof of Concept...

Microsoft Windows 10 1809 - LUAFV Delayed Virtualization Cache Manager Poisoning Privilege Escalation

Windows: LUAFV Delayed Virtualization Cache Manager Poisoning EoP Platform: Windows 10 1809 not tested earlier Class: Elevation of Privilege Security Boundary per Windows Security Service Criteria: User boundary Summary: The LUAFV driver can confuse the cache and memory manager to replace the...

Microsoft Windows 10 1809 - LUAFV PostLuafvPostReadWrite SECTION_OBJECT_POINTERS Race Condition Privilege Escalation

Windows: LUAFV PostLuafvPostReadWrite SECTIONOBJECTPOINTERS Race Condition EoP Platform: Windows 10 1809 not tested earlier Class: Elevation of Privilege Security Boundary per Windows Security Service Criteria: User boundary Summary: The LUAFV driver has a race condition in the LuafvPostReadWrite...

Microsoft Windows 10 1809 - LUAFV NtSetCachedSigningLevel Device Guard Bypass

Windows: LUAFV NtSetCachedSigningLevel Device Guard Bypass Platform: Windows 10 1809 not tested earlier. Note I’ve not tested this on Windows 10 SMode. Class: Security Feature Bypass Summary: The NtSetCachedSigningLevel system call can be tricked by the operation of LUAFV to apply a cached...

Microsoft Windows 10 1809 - LUAFV Delayed Virtualization Cross Process Handle Duplication Privilege Escalation

Windows: LUAFV Delayed Virtualization Cross Process Handle Duplication EoP Platform: Windows 10 1809 not tested earlier Class: Elevation of Privilege Security Boundary per Windows Security Service Criteria: User boundary Summary: The LUAFV driver doesn’t take into account a virtualized handle bei...

Microsoft Windows 10 1809 - LUAFV LuafvCopyShortName Arbitrary Short Name Privilege Escalation

Windows: LUAFV LuafvCopyShortName Arbitrary Short Name EoP Platform: Windows 10 1809 not tested earlier Class: Elevation of Privilege Security Boundary per Windows Security Service Criteria: User boundary Summary: The LUAFV driver bypasses security checks to copy short names during file...

MailCarrier 2.51 - POP3 'LIST' SEH Buffer Overflow

!/usr/bin/python Exploit Title: MailCarrier 2.51 - SEH Remote Buffer Overflow in "LIST" commandPOP3 Date: 14/04/2019 Exploit Author: Dino Covotsos - Telspace Systems Vendor Homepage: https://www.tabslab.com/ Version: 2.51 Software Link: N.A Contact: [email protected] Twitter: @telspacesyste...

DirectAdmin 1.561 - Multiple Vulnerabilities

Title: DirectAdmin Multiple Vulnerabilities to Takeover the Server = v1.561 Date: 12.04.2019 Author: InfinitumIT Vendor Homepage: https://www.directadmin.com/ Version: Up to v1.561. CVE: CVE-2019-11193 [email protected] && infinitumit.com.tr Description: Multiple security vulnerabilities ha...

CuteNews 2.1.2 - 'avatar' Remote Code Execution (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "CuteNews 2.1.2 - 'avatar' Remote Code Execution", 'Description' = %q This module exploits a command execution vulnerability in CuteNews prior to...

Cisco RV130W Routers - Management Interface Remote Command Execution (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework linux/armle/meterpreter/bindtcp - segfault linux/armle/meterpreter/reversetcp - segfault linux/armle/meterpreterreversehttp - works linux/armle/meterpreterreversehttps -...

RemoteMouse 3.008 - Arbitrary Remote Command Execution

Exploit Title: Remote Mouse 3.008 - Failure to Authenticate Date: 2019-09-04 Exploit Author: 0rphon Software Link: https://www.remotemouse.net/ Version: 3.008 Tested on: Windows 10 Remote Mouse 3.008 fails to check for authenication and will execute any command any machine gives it This script po...

MailCarrier 2.51 - 'RCPT TO' Buffer Overflow

!/usr/bin/python Exploit Title: MailCarrier 2.51 'RCPT TO' - Buffer Overflow Remote Date: 12/04/2019 Exploit Author: Dino Covotsos - Telspace Systems Vendor Homepage: https://www.tabslab.com/ Version: 2.51 Software Link: N.A Contact: [email protected] Twitter: @telspacesystems Greets to the...

UltraVNC Viewer 1.2.2.4 - 'VNC Server' Denial of Service (PoC)

Exploit Title: UltraVNC Viewer 1.2.2.4 - Denial of Service PoC Discovery by: Victor Mondragón Discovery Date: 2019-04-14 Vendor Homepage: https://www.uvnc.com/ Software Link: https://www.uvnc.com/downloads/ultravnc/126-download-ultravnc-1224.html Tested Version: 1.2.2.4 Tested on: Windows 7 x64...

UltraVNC Launcher 1.2.2.4 - 'Path' Denial of Service (PoC)

Exploit Title: UltraVNC Launcher 1.2.2.4 - Denial of Service PoC Discovery by: Victor Mondragón Discovery Date: 2019-04-14 Vendor Homepage: https://www.uvnc.com/ Software Link: https://www.uvnc.com/downloads/ultravnc/126-download-ultravnc-1224.html Tested Version: 1.2.2.4 Tested on: Windows 7 x64...

MailCarrier 2.51 - POP3 'USER' Buffer Overflow

!/usr/bin/python Exploit Title: MailCarrier 2.51 - Remote Buffer Overflow in "USER" commandPOP3 Date: 14/04/2019 Exploit Author: Dino Covotsos - Telspace Systems Vendor Homepage: https://www.tabslab.com/ Version: 2.51 Software Link: N.A Contact: [email protected] Twitter: @telspacesystems...

MailCarrier 2.51 - POP3 'TOP' SEH Buffer Overflow

!/usr/bin/python Exploit Title: MailCarrier 2.51 - SEH Remote Buffer Overflow in "TOP" commandPOP3 Date: 14/04/2019 Exploit Author: Dino Covotsos - Telspace Systems Vendor Homepage: https://www.tabslab.com/ Version: 2.51 Software Link: N.A Contact: [email protected] Twitter: @telspacesystem...

ATutor < 2.2.4 - 'file_manager' Remote Code Execution (Metasploit)

This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "ATutor %q This module allows the user to run commands on the server with teacher user privilege. The 'Upload files' section in the 'File Manager'...

Microsoft Windows - Contact File Format Arbitary Code Execution (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'fileutils' require 'rex/zip' class MetasploitModule 'Microsoft Windows Contact File Format Arbitary Code Execution', 'Description' = %q This vulnerability allow...

CyberArk EPM 10.2.1.603 - Security Restrictions Bypass

Exploit Title: CyberArk Endpoint bypass Google Dork: - Date: 03/06/2018 Exploit Author: Alpcan Onaran, Mustafa Kemal Can Vendor Homepage: https://www.cyberark.com Software Link: - Version: 10.2.1.603 Tested on: Windows 10 CVE : CVE-2018-14894 //If user needs admin privileges, CyberArk gives the...

Zimbra Collaboration - Autodiscover Servlet XXE and ProxyServlet SSRF (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Zimbra Collaboration Autodiscover Servlet XXE and ProxyServlet SSRF', 'Description' = %q This module exploits an XML external entity vulnerabilit...

Microsoft Internet Explorer 11 - XML External Entity Injection

Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-INTERNET-EXPLORER-v11-XML-EXTERNAL-ENTITY-INJECTION-0DAY.txt + ISR: ApparitionSec Vendor www.microsoft.com Product Microsoft Internet Explorer v11 latest version...

D-Link DI-524 V2.06RU - Multiple Cross-Site Scripting

Exploit Title: Multiple Stored and Reflected XSS vulnerabilities in D-Link DI-524 Date: April 6, 2019 Exploit Author: Semen Alexandrovich Lyhin https://www.linkedin.com/in/semenlyhin/ Vendor Homepage: https://www.dlink.com Version: D-Link DI-524 - V2.06RU CVE : CVE-2019-11017 To re-create Reflect...

Dell KACE Systems Management Appliance (K1000) 6.4.120756 - Unauthenticated Remote Code Execution

!/usr/bin/python Exploit Title: Dell KACE Systems Management Appliance K1000 = 6.4.120756 Unauthenticated RCE Version: = 6.4.120756 Date: 2019-04-09 Author: Julien Ahrens @MrTuxracer Software Link: https://www.quest.com/products/kace-systems-management-appliance/ Write-up:...

FTPShell Server 6.83 - 'Account name to ban' Local Buffer

!/usr/bin/python Exploit Title: FTP Shell Server 6.83 'Account name to ban' Buffer Overflow Date: 09-04-2019 Exploit Author: Dino Covotsos - Telspace Systems Vendor Homepage: http://www.ftpshell.com/index.htm Version: 6.83 Software Link : http://www.ftpshell.com/downloadserver.htm Contact:...

FTPShell Server 6.83 - 'Virtual Path Mapping' Local Buffer

!/usr/bin/python Exploit Title: FTP Shell Server 6.83 'Virtual Path Mapping' Buffer Overflow Date: 09-04-2019 Exploit Author: Dino Covotsos - Telspace Systems Vendor Homepage: http://www.ftpshell.com/index.htm Version: 6.83 Software Link : http://www.ftpshell.com/downloadserver.htm Contact:...

TP-LINK TL-WR940N / TL-WR941ND - Buffer Overflow

Author Grzegorz Wypych - h0rac TP-LINK TL-WR940N/TL-WR941ND buffer overflow remote shell exploit import requests import md5 import base64 import string import struct import socket password = md5.new'admin'.hexdigest cookie = base64.b64encode'admin:'+password print '+ Authorization cookie: ', cook...

Apache Axis 1.4 - Remote Code Execution

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Apache Axis 1.4 Remote Code Execution CVE-2019-0227 https://rhinosecuritylabs.com/Application-Security/CVE-2019-0227-Expired-Domain-to-RCE-in-Apache-Axis Author: David Yesland @daveysec, Rhino...

Microsoft Windows - AppX Deployment Service Privilege Escalation

This vulnerability allows low privileged users to hijack file that are owned by NT AUTHORITY\SYSTEM by overwriting permissions on the targeted file. Successful exploitation results in "Full Control" permissions for the low privileged user. 1. The exploit first checks if the targeted file exists, ...

Ashop Shopping Cart Software - 'bannedcustomers.php?blacklistitemid' SQL Injection

Exploit Title: Ashop Shopping Cart Software - SQL Injection Date: 08.04.2019 Exploit Author: Doğukan Karaciğer Vendor Homepage: http://www.ashopsoftware.com Software Link: https://sourceforge.net/projects/ashop/ Demo Site: http://demo.ashopsoftware.com/ Version: Lastest Tested on: Ubuntu-trusty-6...

Tradebox CryptoCurrency - 'symbol' SQL Injection

Title: Tradebox - CryptoCurrency Buy Sell and Trading Date: 04.04.2019 Exploit Author: Abdullah Çelebi Vendor Homepage: https://www.bdtask.com Software Link: tradebox.bdtask.com/demo-v5.3/ Version: 5.4 Category: Webapps Tested on: WAMPP @Win Software description: Tradebox – CryptoCurrency Buy Sel...

SaLICru -SLC-20-cube3(5) - HTML Injection

Exploit Title: Reflected HTML Injection Google Dork: None Date: 16/12/2015 Exploit Author: Ramikan Vendor Homepage:https://www.salicru.com/en/ Software Link: N/A Version: Tested on SaLICru -SLC-20-cube35. Firmware: cs121-SNMP v4.54.82.130611 CVE : CVE-2019-10887 Category:Web Apps Vulnerability:...

ManageEngine ServiceDesk Plus 9.3 - User Enumeration

Exploit Title: ManageEngine ServiceDesk Plus - 9.3 User enumeration vulnerability Date: 2019-03-29 Exploit Author: Operat0r Vendor Homepage: https://www.manageengine.com/ Software Link: https://www.manageengine.com/products/service-desk/download.html Version: 9.3 Tested on: Ubuntu Linux CVE :...

AllPlayer 7.4 - SEH Buffer Overflow (Unicode)

!/usr/bin/python -w Exploit Author: Chris Au Exploit Title: AllPlayer V7.4 - Local Buffer Overflow SEH Unicode Date: 07-04-2019 Vulnerable Software: AllPlayer V7.4 Vendor Homepage: https://www.allplayer.org/ Version: 7.4 Software Link: http://allplayer.org/Download/ALLPlayerEN.exe Tested Windows...

Jobgator - 'experience' SQL Injection

Exploit Title: NCrypted Jobgator - SQL Injection Date: 05.03.2019 Exploit Author: Ahmet Ümit BAYRAM Vendor Homepage: https://www.ncrypted.net/jobgator/ Demo Site: https://demo.ncryptedprojects.com/jobgator/ Version: Lastest Tested on: Kali Linux CVE: N/A ----- PoC 1: SQLi ----- Request:...

River Past Cam Do 3.7.6 - 'Activation Code' Local Buffer Overflow

!/usr/bin/python -w Exploit Author: Chris Au Exploit Title: River Past Cam Do 3.7.6 Local Buffer Overflow in Activation Code Date: 07-04-2019 Vulnerable Software: River Past Cam Do 3.7.6 Vendor Homepage: http://www.flexhex.com Version: 3.7.6 Software Link:...

Download Accelerator Plus (DAP) 10.0.6.0 - SEH Buffer Overflow

!/usr/bin/python Exploit Title: Download Accelerator Plus DAP 10.0.6.0 - SEH Buffer Overflow Date: 2019-04-05 Vendor Homepage: http://www.speedbit.com/dap/ Software Link: http://www.speedbit.com/dap/download/downloading.asp Exploit Author: Peyman Forouzan Tested Version: 10.0.6.0 Tested on: Win10...

CentOS Web Panel 0.9.8.793 (Free) / 0.9.8.753 (Pro) - Cross-Site Scripting

Exploit Title: CentOS Web Panel v0.9.8.793 Free and v0.9.8.753 Pro - Email Field Stored Cross-Site Scripting Vulnerability Google Dork: N/A Date: 06 - April - 2019 Exploit Author: DKM Vendor Homepage: http://centos-webpanel.com Software Link: http://centos-webpanel.com Version: v0.9.8.793 Free an...

Apache 2.4.17 < 2.4.38 - 'apache2ctl graceful' 'logrotate' Local Privilege Escalation

?php CARPE DIEM: CVE-2019-0211 Apache Root Privilege Escalation Charles Fol @cfreal 2019-04-08 INFOS https://cfreal.github.io/carpe-diem-cve-2019-0211-apache-local-root.html USAGE 1. Upload exploit to Apache HTTP server 2. Send request to page 3. Await 6:25AM for logrotate to restart Apache 4...