47904 matches found
Core FTP Server FTP / SFTP Server v2 Build 674 - 'MDTM' Directory Traversal
Exploit Title: CoreFTP Server FTP / SFTP Server v2 - Build 674 MDTM Directory Traversal Google Dork: N/A Date: 3/13/2019 Exploit Author: Kevin Randall Vendor Homepage: https://www.coreftp.com Software Link: http://www.coreftp.com/server/index.html Version: Firmware: CoreFTP Server FTP / SFTP Serv...
WordPress Plugin GraceMedia Media Player 1.0 - Local File Inclusion
============================================= MGC ALERT 2019-001 - Original release date: February 06, 2019 - Last revised: March 13, 2019 - Discovered by: Manuel García Cárdenas - Severity: 7/10 CVSS Base Score - CVE-ID: CVE-2019-9618 ============================================= I. VULNERABILIT...
elFinder PHP Connector < 2.1.48 - 'exiftran' Command Injection (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'elFinder PHP Connector exiftran Command Injection', 'Description' = %q This module exploits a command injection vulnerability in elFinder version...
PilusCart 1.4.1 - Cross-Site Request Forgery (Add Admin)
Exploit Title: PilusCart 1.4.1 - Cross-Site Request Forgery Add Admin Google Dork: N/A Date: 10-03-2019 Exploit Author: Gionathan "John" Reale Vendor Homepage: https://github.com/piluscart Software Link:...
Core FTP 2.0 build 653 - 'PBSZ' Denial of Service (PoC)
Exploit Title: Core FTP 2.0 build 653 - 'PBSZ' - Unauthenticated - Denial of Service PoC Date: 2019-03-12 Exploit Author: Hodorsec [email protected] / [email protected] Vendor Homepage: http://www.coreftp.com/ Software Link: http://coreftp.com/server/download/archive/CoreFTPServer653.exe...
Flexpaper PHP Publish Service 2.3.6 - Remote Code Execution
!/usr/bin/env python Exploit Title: FlexPaper PHP Publish Service = 2.3.6 RCE Date: March 2019 Exploit Author: Red Timmy Security - redtimmysec.wordpress.com Vendor Homepage: https://flowpaper.com/download/ Version: = 2.3.6 Tested on: Linux/Unix CVE : CVE-2018-11686 Disclamer: This exploit is for...
OpenKM 6.3.2 < 6.3.7 - Remote Command Execution (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'OpenKM Document Management %q Versions of the OpenKM Document Management 'AkkuS ' , Vulnerability Discovery, PoC & Msf Module 'References' = 'URL'...
Linux Kernel 4.4 (Ubuntu 16.04) - 'snd_timer_user_ccallback()' Kernel Pointer Leak
include include include include include include include include include include include include include include Exploit Title: Linux Kernel 4.4 Ubuntu 16.04 - Leak kernel pointer in sndtimeruserccallback Google Dork: - Date: 2019-03-11 Exploit Author: wally0813 Vendor Homepage: - Software Link: -...
Liferay CE Portal < 7.1.2 ga3 - Remote Command Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class MetasploitModule 'Liferay CE Portal Tomcat %q This module uses the Liferay CE Portal Groovy script console to execute OS commands. The Groovy...
NetSetMan 4.7.1 - Local Buffer Overflow (SEH Unicode)
Exploit Title: NetSetMan 4.7.1 - Local Buffer Overflow SEH Unicode Exploit Author: Devin Casadey Discovery Date: 2019-03-11 Vendor Homepage: https://www.netsetman.com/ Software Link: https://www.netsetman.com/netsetman.exe Tested Version: 4.7.1 Tested on: Windows XP SP3...
PRTG Network Monitor 18.2.38 - (Authenticated) Remote Code Execution
!/bin/bash echo -e "\n\e00;33m++ \e00m" echo -e "\e00;32m Authenticated PRTG network Monitor remote code execution \e00m" echo -e "\e00;33m++ \e00m" echo -e "\e00;32m Date: 11/03/2019 \e00m" echo -e "\e00;33m++ \e00m" echo -e "\e00;32m Author: https://github.com/M4LV0 [email protected]...
Sony Playstation 4 (PS4) < 6.20 - WebKit Code Execution (PoC)
PS4 6.20 WebKit Code Execution PoC ============== This repo contains a proof-of-concept PoC RCE exploit targeting the PlayStation 4 on firmware 6.20 leveraging CVE-2018-4441. The exploit first establishes an arbitrary read/write primitive as well as an arbitrary object address leak in wkexploit.j...
OrientDB 3.0.17 GA Community Edition - Cross-Site Request Forgery / Cross-Site Scripting
Exploit Title: OrientDB 3.0.17 GA Community Edition March 7th, 2019 | Multiple Vulnerabilities Date: 07.03.2019 Exploit Author: Ozer Goker Vendor Homepage: https://orientdb.org Software Link: https://orientdb.org/download Version: 3.0.17 GA Community Edition March 7th, 2019 Introduction OrientDB ...
McAfee ePO 5.9.1 - Registered Executable Local Access Bypass
Exploit Title: McAfee ePO 5.9.1 Registered Executable Local Access Bypass Date: 2019-03-07 Exploit Author: @leonjza Vendor Homepage: https://www.mcafee.com/ Software Link: https://www.mcafee.com/enterprise/en-us/products/epolicy-orchestrator.html Version: ePO v5.9.1 Tested on: Windows Server 2012...
DirectAdmin 1.55 - 'CMD_ACCOUNT_ADMIN' Cross-Site Request Forgery
Exploit title: DirectAdmin v1.55 - CSRF via CMDACCOUNTADMIN Admin Panel Date: 03/03/2019 Exploit Author: ManhNho Vendor Homepage: https://www.directadmin.com/ Software Link: https://www.directadmin.com/ Demo Link: https://www.directadmin.com:2222/CMDACCOUNTADMIN Version: 1.55 CVE: CVE-2019-9625...
Kados R10 GreenBee - Multiple SQL Injection
=========================================================================================== Exploit Title: Kados R10 GreenBee - 'menulev1' SQL Injection Dork: N/A Date: 06-03-2019 Exploit Author: Mehmet EMIROGLU Vendor Homepage: https://www.kados.info/ Software Link:...
Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)
!/usr/bin/python Exploit Title: Anyburn 4.3 - 'Copy disc to image file' Buffer Overflow - UNICODESEH Version: 4.3 Date: 07-03-2019 Author: Hodorsec [email protected] / [email protected] Vendor Homepage: http://www.anyburn.com/ Software Link: http://www.anyburn.com/download.php Tested on:...
QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'base64' class MetasploitModule 'QNAP TS-431 QTS %q This module creates a virtual web server and uploads the php payload into it. Admin privileges cannot access a...
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Drupal RESTful Web Services unserialize RCE', 'Description' = %q This module exploits a PHP unserialize vulnerability in Drupal RESTful Web...
Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Imperva SecureSphere PWS Command Injection', 'Description' = %q This module exploits a command injection vulnerability in Imperva SecureSphere...
FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'FreeBSD Intel SYSRET Privilege Escalation', 'Description' = %q This module exploits a vulnerability in the FreeBSD kernel, when running on 64-bit...
Android - getpidcon() Usage in Hardware binder ServiceManager Permits ACL Bypass
We already reported four bugs in Android that are caused by the use of getpidcon, which is fundamentally unsafe: https://bugs.chromium.org/p/project-zero/issues/detail?id=727 AndroidID-27111481; unexploitable https://bugs.chromium.org/p/project-zero/issues/detail?id=851 AndroidID-29431260;...
Linux < 4.20.14 - Virtual Address 0 is Mappable via Privileged write() to /proc/*/mem
By following the codepath that Andrea Arcangeli pointed out in his mails regarding the last bug I reported, I noticed that it is possible for userspace on a normal distro to map virtual address 0, which on an X86 system without SMAP enables the exploitation of kernel NULL pointer dereferences. Th...
Android - binder Use-After-Free via racy Initialization of ->allow_user_free
The following bug report solely looks at the situation on the upstream master branch; while from a cursory look, at least the wahoo kernel also looks affected, I have only properly tested this on upstream master. The binder driver permits userspace to free buffers in the kernel-managed shared...
OpenDocMan 1.3.4 - 'search.php where' SQL Injection
=========================================================================================== Exploit Title: OpenDocMan 1.3.4 - ’where’ SQL Injection CVE: N/A Date: 05/03/2019 Exploit Author: Mehmet EMIROGLU Vendor Homepage: https://sourceforge.net/projects/opendocman/files/ Software Link:...
Craft CMS 3.1.12 Pro - Cross-Site Scripting
Exploit Title: Craft CMS 3.1.12 Pro - Cross-Site Scripting Date: 2019-03-04 Exploit Author: Ismail Tasdelen Vendor Homepage: https://craftcms.com/ Software Link : https://github.com/craftcms/cms Software : Craft CMS 3.1.12 Pro Version : 3.1.12 Pro Vulernability Type : Cross-site Scripting...
Raisecom XPON ISCOMHT803G-U_2.0.0_140521_R4.1.47.002 - Remote Code Execution
Exploit Title: Remote code execution in Raisecom xpon Date: 03/03/2019 Exploit Author: JameelNabbo Website: Ordina.nl Vendor Homepage: https://www.raisecom.com Software Link: https://www.raisecom.com/products/xpon Version: ISCOMHT803G-U2.0.0140521R4.1.47.002 Tested on: MacOSX CVE-2019-7385 POC:...
Bolt CMS 3.6.4 - Cross-Site Scripting
Exploit Title: Bolt CMS - 3.6.4 - Cross-Site Scripting Date: 2019-03-04 Exploit Author: Ismail Tasdelen Vendor Homepage: https://bolt.cm/ Software Link : https://github.com/bolt/bolt Software : Bolt CMS - v 3.6.4 Version : v 3.6.4 Vulernability Type : Cross-site Scripting Vulenrability : Stored X...
Microsoft Edge Chakra 1.11.4 - Read Permission via Type Confusion
/ Exploit Title: getting Read permission through Type Confusion Date: date Exploit Author: Fahad Aid Alharbi Vendor Homepage: https://www.microsoft.com/en-us/ Version: Chakra 1114 REQUIRED Tested on: Windows 10 CVE : cve-2019-0539 / / author @0x4142 = Fahad Aid Alharbi cve-2019-0539 Getting Read ...
CMSsite 1.0 - Multiple Cross-Site Request Forgery
Exploit Title: CMSsite 1.0 - Cross-Site Request Forgery Delete Admin Exploit Author: Mr Winst0n Author E-mail: [email protected] Discovery Date: March 1, 2019 Vendor Homepage: https://github.com/VictorAlagwu/CMSsite Software Link : https://github.com/VictorAlagwu/CMSsite/archive/master.zi...
Fiberhome AN5506-04-F RP2669 - Persistent Cross-Site Scripting
Exploit Title: Fiberhome AN5506-04-F - Stored Cross Site Scripting Date: 04.03.2019 Exploit Author: Tauco Vendor Homepage: http://www.fiberhomegroup.com/en/ Version: RP2669 Tested on: Windows 10 CVE : CVE-2019-9556 Description:...
FileZilla 3.40.0 - 'Local search' / 'Local site' Denial of Service (PoC)
Exploit Title: FileZilla 3.40.0 - "Local search" Denial of Service PoC Discovery by: Mr Winst0n Discovery Date: February 20, 2019 Vendor Homepage: https://filezilla-project.org Software Link : https://filezilla-project.org/download.php?type=client&showall=1 Tested Version: 3.40.0 Tested on: Kali...
OOP CMS BLOG 1.0 - Multiple SQL Injection
Exploit Title: OOP CMS BLOG 1.0 - SQL Injection Exploit Author: Mr Winst0n Author E-mail: [email protected] Discovery Date: March 1, 2019 Vendor Homepage: http://zsoft.com.bd/ Software Link : https://datapacket.dl.sourceforge.net/project/php-oop-cms-blog/blogforup.zip Tested Version: 1.0...
WordPress Plugin Cerber Security, Antispam & Malware Scan 8.0 - Multiple Bypass Vulnerabilities
Exploit Title: WordPress Cerber Security, Antispam & Malware Scan - Multiple Bypass Vulnerabilities Type: WordPress Plugin Date: 2019-03-04 Active installs: 100,000+ Version: 8.0 Software Link: https://wordpress.org/plugins/wp-cerber/ Exploit Author: ed0x21son Category: WebApps, WordPress Tested...
Splunk Enterprise 7.2.4 - Custom App Remote Command Execution (Persistent Backdoor / Custom Binary)
!/usr/bin/python Exploit Title: Splunk Enterprise 7.2.4 Custom App RCE persistent backdoor - custom binary payload Date: March 1, 2019 Exploit Author: Matteo Malvica Original Author: Lee Mazzoleni Vendor Homepage: https://www.splunk.com/ Software Link:...
OOP CMS BLOG 1.0 - Multiple Cross-Site Request Forgery
Exploit Title: OOP CMS BLOG 1.0 - Cross-Site Request Forgery Delete Admin Exploit Author: Mr Winst0n Author E-mail: [email protected] Discovery Date: March 1, 2019 Vendor Homepage: http://zsoft.com.bd/ Software Link :...
elFinder 2.1.47 - 'PHP connector' Command Injection
!/usr/bin/python ''' Exploit Title: elFinder SecSignal.php;echo SecSignal.jpg' def usage: if lensys.argv != 2: print "Usage: python exploit.py URL" sys.exit0 def uploadurl, payload: files = 'upload': payload, open'SecSignal.jpg', 'rb' data = "reqid" : "1693222c439f4", "cmd" : "upload", "target" :...
MarcomCentral FusionPro VDP Creator < 10.0 - Directory Traversal
!/usr/bin/env python ''' Exploit Title: MarcomCentral FusionPro VDP Creator :/Windows/System32/drivers/etc/hosts. No slash-dot-dots /../.. are required, but you can add some if you want. Note that the slashes are forward slashes! By default, the service sets up a listener on port 8080. Vendor...
zzzphp CMS 1.6.1 - Cross-Site Request Forgery
Exploit Title: Cross-Site Request ForgeryCSRF of zzzphp cms 1.6.1 Google Dork: intext:"2015-2019 zzcms.com" Date: 26/02/2019 Exploit Author: Yang Chenglong Vendor Homepage: http://www.zzzcms.com/index.html Software Link: http://115.29.55.18/zzzphp.zip Version: 1.6.1 Tested on:...
Booked Scheduler 2.7.5 - Remote Command Execution (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Booked Scheduler v2.7.5 - Remote Command Execution', 'Description' = %q This module exploits a file upload vulnerability Booked 2.7.5. In the "Loo...
Google Chrome < M72 - FileWriterImpl Use-After-Free
There's a use-after-free in the implementation of the FileWriter component of the mojo bindings for the filesystem API. The browser-process side of this API is defined in https://cs.chromium.org/chromium/src/thirdparty/blink/public/mojom/filesystem/filewriter.mojom?type=cs&sq=package:chromium&g=0...
Linux < 4.14.103 / < 4.19.25 - Out-of-Bounds Read and Write in SNMP NAT Module
commit cc2d58634e0f "netfilter: nfnatsnmpbasic: use asn1 decoder library", first in 4.16 changed the nfnatsnmpbasic module which, when enabled, parses and modifies the ASN.1-encoded payloads of SNMP messages so that the kernel's ASN.1 infrastructure is used instead of an open-coded parser. The...
Cisco WebEx Meetings < 33.6.6 / < 33.9.1 - Privilege Escalation
SecureAuth - SecureAuth Labs Advisory http://www.secureauth.com/ Cisco WebEx Meetings Elevation of Privilege Vulnerability Version 2 1. Advisory Information Title: Cisco WebEx Meetings Elevation of Privilege Vulnerability Version 2 Advisory ID: CORE-2018-0012 Advisory URL:...
tcpdump < 4.9.3 - Multiple Heap-Based Out-of-Bounds Reads
Through fuzzing of network capture .pcap files, we have identified 16 crashes with unique stack traces in tcpdump. These crashes are caused by heap-based out-of-bounds memory reads, and can be reproduced with the latest tcpdump source code from GitHub, compiled with AddressSanitizer: --- cut --- ...
Google Chrome < M72 - Use-After-Free in RenderProcessHostImpl Binding for P2PSocketDispatcherHost
There's an object-lifetime issue in the browser process in the handling of P2PSocketDispatcherHost binding in parallel with OnBloatedRenderer event handling. In RenderProcessHostImpl, we have a uniqueptr owning a P2PSocketDispatcherHost, which we bind to an interface using base::Unretained in...
Google Chrome < M72 - PaymentRequest Service Use-After-Free
There are several object-lifetime issues in the browser process in the implementation of payments.mojom.PaymentRequest. The PaymentRequest object contains a std::uniqueptr to a PaymentRequestSpec, which is initialised during the call to PaymentRequest::Init...
Google Chrome < M72 - RenderFrameHostImpl::CreateMediaStreamDispatcherHost Use-After-Free
There's a race-condition / object-lifetime issue in the browser process when the browser process shutdown races against the IO thread handling mojo messages from the renderer. It's at least possible to trigger this by closing the browser while running the attached poc; I'm not sure if there's a...
macOS XNU - Copy-on-Write Behavior Bypass via Mount of User-Owned Filesystem Image
XNU has various interfaces that permit creating copy-on-write copies of data between processes, including out-of-line message descriptors in mach messages. It is important that the copied memory is protected against later modifications by the source process; otherwise, the source process might be...
WordPress Core 5.0 - Remote Code Execution
var wpnonce = ''; var ajaxnonce = ''; var wpattachedfile = ''; var imgurl = ''; var postajaxdata = ''; var postid = 0; var cmd = '?php phpinfo;/'; var cmdlen = cmd.length var payload = '\xff\xd8\xff\xed\x004Photoshop...
FTP Server 1.32 - Denial of Service
!/usr/bin/env python coding: utf-8 Author: Marcelo Vázquez aka s4vitar FTP Server 1.32 Remote Denial of Service DoS Exploit Title: FTP Server 1.32 Remote Denial of Service DoS Date: 2019-02-26 Exploit Author: Marcelo Vázquez aka s4vitar Vendor: The Olive Tree Software Link:...