Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (dbus Method)
#!/bin/sh EDB Note: Download https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47165.zip wrapper for Jann Horn's exploit for CVE-2018-18955 uses dbus service technique --- test@linux-mint-19-2:/kernel-exploits/CVE-2018-18955$ ./exploit.dbus.sh Compiling... Creating...
Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (polkit Method)
#!/bin/sh EDB Note: Download https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47167.zip wrapper for Jann Horn's exploit for CVE-2018-18955 uses polkit technique --- test@linux-mint-19-2:/kernel-exploits/CVE-2018-18955$ ./exploit.polkit.sh Compiling... Creating...
Frog CMS 0.9.5 - Cross-Site Scripting
Exploit Title: Frog CMS 0.9.5 - Cross-Site Scripting Date: 2018-12-25 Exploit Author: WangDudu Vendor Homepage: https://github.com/philippe/FrogCMS Software Link: https://github.com/philippe/FrogCMS Version: 0.9.5 CVE: CVE-2018-20448 The parameter under /install/index.php is that the Database name...
Ayukov NFTP FTP Client 2.0 - Buffer Overflow
Exploit Title: Ayukov NFTP FTP Client 2.0 - Buffer Overflow Date: 2018-12-29 Exploit Author: Uday Mittal Vendor Homepage: http://www.ayukov.com/nftp/ Software Link: ftp://ftp.ayukov.com/pub/src/nftp-1.72.zip Version : below 2.0 Tested on: Microsoft Windows XP SP3 CVE: CVE-2017-15222 EIP Location:...
EZ CD Audio Converter 8.0.7 - Denial of Service (PoC)
Exploit Title: EZ CD Audio Converter 8.0.7 - Denial of Service PoC Date: 2018-12-30 Exploit Author: Achilles Vendor Homepage: https://www.poikosoft.com/ Software Link : https://download.poikosoft.com/ezcdaudioconvertersetupx64.exe Exploit Author: Achilles Tested Version: 8.0.7 64-bit Tested on:...
NBMonitor Network Bandwidth Monitor 1.6.5.0 - 'Name' Denial of Service (PoC)
Exploit Title: NBMonitor Network Bandwidth Monitor 1.6.5.0 - 'Name' Denial of Service PoC Author: Luis Martinez Date: 2018-12-27 Vendor Homepage: www.nsauditor.com Software Link : http://www.nbmonitor.com/downloads/nbmonitorsetup.exe Tested Version: 1.6.5.0 Vulnerability Type: Denial of Service D...
WebKit JSC - 'JSArray::shiftCountWithArrayStorage' Out-of-Bounds Read/Write
/* ... */ bool JSArray::shiftCountWithArrayStorage(VM& vm, unsigned startIndex, unsigned count, ArrayStorage* storage) { unsigned oldLength = storage->length(); RELEASE_ASSERT(count <= oldLength); if ((storage->hasHoles() && this->structure(vm)->holesMustForwardToPrototype(vm, this)) || hasSparseMap() || shouldUseSlowPut(indexingType())) return false; if...
Vtiger CRM 7.1.0 - Remote Code Execution
Exploit Title: Vtiger CRM 7.1.0 - Remote Code Execution Date: 2018-12-27 Exploit Author: Özkan Mustafa Akkuş AkkuS Contact: https://pentest.com.tr Vendor Homepage: https://www.vtiger.com Software Link: https://sourceforge.net/projects/vtigercrm/files/latest/download Version: v7.1.0 Category:...
Hashicorp Consul - Remote Command Execution via Services API (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "Hashicorp Consul Remote Command Execution via Services API", 'Description' => %q This module exploits Hashicorp Consul's services API to gain remo...
Microsoft Windows - Windows Error Reporting Local Privilege Escalation
Make sure to copy the file report.wer found in the folder PoC-Files in the same folder as the executable before running it... I guess I could have included it as a resource in the exe.. but whatever. Example: "angrypolarbearbug.exe c:\windows\system32\drivers\pci.sys" This will overwrite pci.sys...
NetworkSleuth 3.0.0.0 - 'Key' Denial of Service (PoC)
Exploit Title: NetworkSleuth 3.0.0.0 - 'Key' Denial of Service PoC Discovery by: Luis Martinez Discovery Date: 2018-12-27 Vendor Homepage: www.nsauditor.com Software Link : http://www.nsauditor.com/downloads/networksleuthsetup.exe Tested Version: 3.0.0.0 Vulnerability Type: Denial of Service DoS...
WordPress Plugin Adicon Server 1.2 - 'selectedPlace' SQL Injection
Exploit Title: WordPress Plugin Adicon Server 1.2 - 'selectedPlace' SQL Injection Date: 2018-12-28 Software Link: https://wordpress.org/plugins/adicons/ Exploit Author: Kaimi Website: https://kaimi.io Version: 1.2 Category: webapps SQL Injection File: addIcon.php Vulnerable code:...
Hashicorp Consul - Remote Command Execution via Rexec (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "Hashicorp Consul Remote Command Execution via Rexec", 'Description' => %q This module exploits a feature of Hashicorp Consul named rexec. ,...
WebKit JSC - 'AbstractValue::set' Use-After-Free
indexingType()); m_type = speculationFromStructure(structure.get()); m_value = JSValue(); checkConsistency(); assertIsRegistered(graph); It works out m_arrayModes using structure->indexingType() instead of structure->indexingMode(). As structure->indexingType() masks out the CopyOnWrite flag, which indicates that the...
VMware Workstation/Player < 12.5.5 - Local Privilege Escalation
#!/bin/bash VMware Workstation Local Privilege Escalation exploit CVE-2017-4915 - https://www.vmware.com/security/advisories/VMSA-2017-0009.html - https://www.exploit-db.com/exploits/42045/ Affects: - VMware Workstation Player "$VMDIR/$RANDSTR.c" include include include include include include...
Deepin Linux 15 - 'lastore-daemon' Local Privilege Escalation
#!/bin/bash Deepin Linux 15.5 lastore-daemon D-Bus Local Root Exploit The lastore-daemon D-Bus configuration on Deepin Linux 15.5 permits any user in the sudo group to install arbitrary packages without providing a password, resulting in code execution as root. By default, the first user created o...
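The Deepin entry above hinges on a system-bus policy that hands a privileged method to every member of the sudo group with no password prompt. As an added example, not part of the Exploit-DB entry or of Deepin's lastore-daemon, the following Python audits D-Bus busconfig policy files for that pattern: `<allow send_destination=...>` rules inside a `<policy user=...>` or `<policy group=...>` block (or in the default context on a non-trivial interface) grant a whole account group access to a service, and are only safe if the service itself authorizes the caller. The XML is constructed for illustration, and the bus name `com.example.Daemon` and the `/etc/dbus-1/system.d` glob are assumptions; the real lastore-daemon policy file is not reproduced here.

```python
import glob
import xml.etree.ElementTree as ET

# Constructed illustrative policy file; NOT the real lastore-daemon config.
SAMPLE_BUSCONFIG = """<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy user="root">
    <allow own="com.example.Daemon"/>
  </policy>
  <policy group="sudo">
    <allow send_destination="com.example.Daemon" send_interface="com.example.Daemon.Manager"/>
  </policy>
  <policy context="default">
    <allow send_destination="com.example.Daemon" send_interface="org.freedesktop.DBus.Introspectable"/>
    <allow send_destination="com.example.Daemon" send_interface="org.freedesktop.DBus.Properties"/>
    <deny send_destination="com.example.Daemon" send_interface="com.example.Daemon.Manager"/>
  </policy>
</busconfig>
"""

# Interfaces that are harmless to expose to every caller on the bus.
BENIGN_INTERFACES = {
    "org.freedesktop.DBus.Introspectable",
    "org.freedesktop.DBus.Properties",
    "org.freedesktop.DBus.Peer",
}


def audit_busconfig(xml_text, source="<string>"):
    """Return findings as (source, scope, destination, interface, member).

    A finding is an <allow send_destination=...> rule scoped to a non-root
    user, to any group, or to the default context on a non-benign interface.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for policy in root.iter("policy"):
        if "user" in policy.attrib:
            scope = "user:" + policy.attrib["user"]
            broad = policy.attrib["user"] != "root"
        elif "group" in policy.attrib:
            scope = "group:" + policy.attrib["group"]
            broad = True
        elif policy.attrib.get("context") == "default":
            scope = "default"
            broad = True
        else:
            continue  # e.g. context="mandatory" blocks are not audited here
        if not broad:
            continue
        for rule in policy.findall("allow"):
            dest = rule.attrib.get("send_destination")
            if dest is None:
                continue  # own= / receive_* rules are out of scope here
            iface = rule.attrib.get("send_interface", "*")
            member = rule.attrib.get("send_member", "*")
            if scope == "default" and iface in BENIGN_INTERFACES:
                continue
            findings.append((source, scope, dest, iface, member))
    return findings


def audit_directory(pattern="/etc/dbus-1/system.d/*.conf"):
    """Audit every policy file matching the glob (the path is an assumption)."""
    results = []
    for path in sorted(glob.glob(pattern)):
        with open(path, "r", encoding="utf-8") as fh:
            results.extend(audit_busconfig(fh.read(), source=path))
    return results


if __name__ == "__main__":
    for finding in audit_busconfig(SAMPLE_BUSCONFIG, "sample.conf"):
        print("%s: %s may call %s %s.%s" % finding)
```

The audit is static: dbus-daemon evaluates rules in order (default context first, then group, then user blocks), so a later `<deny>` can override an earlier `<allow>`, and a group-scoped allow is only a privilege-escalation path when the destination service does not itself check the caller (via polkit or a UID check). The sudo-group finding in the sample is the shape the Deepin entry describes.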
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - Local Privilege Escalation (KASLR / SMEP)
// A proof-of-concept local root exploit for CVE-2017-1000112. // Includes KASLR and SMEP bypasses. No SMAP bypass. // Tested on: // - Ubuntu trusty 4.4.0 kernels // - Ubuntu xenial 4.4.0 and 4.8.0 kernels // - Linux Mint rosa 4.4.0 kernels // - Linux Mint sarah 4.8.0 kernels // - Zorin OS 12.1...
Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x64) - 'AF_PACKET' Race Condition Privilege Escalation
/* chocoboroot.c linux AF_PACKET race condition exploit for CVE-2016-8655. Includes KASLR and SMEP/SMAP bypasses. For Ubuntu 14.04 / 16.04 x86_64 kernels 4.4.0 before 4.4.0-53.74. All kernel offsets have been tested on Ubuntu / Linux Mint. vroom vroom ============================== user@ubuntu:$ una...
Linux Kernel 4.8.0-34 < 4.8.0-45 (Ubuntu / Linux Mint) - Packet Socket Local Privilege Escalation
// A proof-of-concept local root exploit for CVE-2017-7308. // Includes a SMEP & SMAP bypass. // Tested on Ubuntu / Linux Mint: // - 4.8.0-34-generic // - 4.8.0-36-generic // - 4.8.0-39-generic // - 4.8.0-41-generic // - 4.8.0-42-generic // - 4.8.0-44-generic // - 4.8.0-45-generic //...
bludit Pages Editor 3.0.0 - Arbitrary File Upload
Exploit Title: bludit Pages Editor 3.0.0 - Arbitrary File Upload Date: 2018-10-02 Google Dork: N/A Exploit Author: BouSalman Vendor Homepage: https://www.bludit.com/ Software Link: N/A Version: 3.0.0 Tested on: Ubuntu 18.04 CVE : 2018-1000811 POST /admin/ajax/upload-files HTTP/1.1 Host:...
Product Key Explorer 4.0.9 - Denial of Service (PoC)
Exploit Title: Product Key Explorer 4.0.9 - Denial of Service PoC Date: 2018-12-25 Exploit Author: T3jv1l Vendor Homepage: http://www.nsauditor.com Software: http://www.nsauditor.com/downloads/productkeyexplorersetup.exe Contact: https://twitter.com/T3jv1l Version: Product Key Explorer 4.0.9...
WordPress Plugin Baggage Freight Shipping Australia 0.1.0 - Arbitrary File Upload
Exploit Title: WordPress Plugin Baggage Freight Shipping Australia 0.1.0 - Arbitrary File Upload Date: 2018-12-24 Software Link: https://wordpress.org/plugins/baggage-freight/ Exploit Author: Kaimi Website: https://kaimi.io Version: 0.1.0 Category: webapps Unrestricted file upload for unauthorized...
MAGIX Music Editor 3.1 - Buffer Overflow (SEH)
Exploit Title: MAGIX Music Editor 3.1 - Buffer Overflow SEH Exploit Author: bzyo Twitter: @bzyo Date: 2018-12-24 Vulnerable Software: MAGIX Music Editor 3.1 Vendor Homepage: https://www.magix.com/us/ Version: 3.1 Software Link: https://www.magix.com/us/music/mp3-deluxe/ Music Editor Software is...
NetShareWatcher 1.5.8 - Denial of Service (PoC)
Exploit Title: NetShareWatcher 1.5.8 - Denial of Service PoC Date: 2018-12-25 Exploit Author: T3jv1l Vendor Homepage: http://www.nsauditor.com Software: http://netsharewatcher.nsauditor.com/downloads/NetShareWatchersetup.exe Contact: https://twitter.com/T3jv1l Version: NetShareWatcher 1.5.8 Test...
WordPress Plugin Audio Record 1.0 - Arbitrary File Upload
Exploit Title: WordPress Plugin Audio Record 1.0 - Arbitrary File Upload Date: 2018-12-24 Software Link: https://wordpress.org/plugins/audio-record/ Exploit Author: Kaimi Website: https://kaimi.io Version: 1.0 Category: webapps Unrestricted file upload in record upload process allowing arbitrary...
ShareAlarmPro 2.1.4 - Denial of Service (PoC)
Exploit Title: ShareAlarmPro 2.1.4 - Denial of Service PoC Date: 2018-12-25 Exploit Author: T3jv1l Vendor Homepage: http://www.nsauditor.com Software: http://sharealarm.nsauditor.com/downloads/sharealarmprosetup.exe Contact: https://twitter.com/T3jv1l Version: ShareAlarmPro 2.1.4 Tested on: Window...
Iperius Backup 5.8.1 - Buffer Overflow (SEH)
Exploit Title: Iperius Backup 5.8.1 - Buffer Overflow SEH Date: 2018-12-26 Exploit Author: bzyo Twitter: @bzyo Vulnerable Software: Iperius Backup 5.8.1 Vendor Homepage: https://www.iperiusbackup.com Version: 5.8.1 Local Buffer Overflow SEH Unicode Software Link:...
Craft CMS 3.0.25 - Cross-Site Scripting
Exploit Title: Craft CMS 3.0.25 - Cross-Site Scripting Google Dork: N/A Date: 2018-12-20 Exploit Author: Raif Berkay Dincel Contact: www.raifberkaydincel.com More Details 1 : https://www.raifberkaydincel.com/craft-cms-3-0-25-cross-site-scripting-vulnerability.html More Details 2 :...
Terminal Services Manager 3.1 - Local Buffer Overflow (SEH)
Exploit Title: Terminal Services Manager 3.1 - Buffer Overflow SEH Date: 2018-12-25 Exploit Author: bzyo Twitter: @bzyo Vulnerable Software: Terminal Services Manager 3.1 Vendor Homepage: https://lizardsystems.com Version: 3.1 Software Link: https://lizardsystems.com/download/tsmanagersetup.exe...
WSTMart 2.0.8 - Cross-Site Scripting
Exploit Title: WSTMart 2.0.8 - Cross-Site Scripting Date: 2018-12-23 Exploit Author: linfeng Vendor Homepage: https://github.com/wstmall/wstmart/ Software Link: http://www.wstmart.net/ Version: WSTMart 2.0.8181212 CVE: CVE-2018-20367 0x01 stored XSS PoC Function point: mall some commodity details...
FrontAccounting 2.4.5 - 'SubmitUser' SQL Injection
Exploit Title: FrontAccounting 2.4.5 - 'SubmitUser' SQL Injection Google Dork: N/A Date: 2018-12-22 Exploit Author: Sainadh Jamalpur Vendor Homepage: http://frontaccounting.com/ Software Link: https://sourceforge.net/projects/frontaccounting/ Version: 2.4.5 Tested on: XAMPP version 3.2.2 in Windo...
Angry IP Scanner for Linux 3.5.3 - Denial of Service (PoC)
Exploit Title: Angry IP Scanner for Linux 3.5.3 - Denial of Service PoC Discovery by: Mr Winst0n Discovery Date: 2018-12-22 Vendor Homepage: https://angryip.org/ Software Link : https://angryip.org/download/ Tested Version: 3.5.3 latest version Tested on: Kali linux Vulnerability Type: Denial of...
Adobe Flash ActiveX Plugin 28.0.0.137 - Remote Code Execution (PoC)
Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46051.zip Password: infected...
WSTMart 2.0.8 - Cross-Site Request Forgery (Add Admin)
Exploit Title: WSTMart 2.0.8 - Cross-Site Request Forgery Add Admin Date: 2018-12-23 Exploit Author: linfeng Vendor Homepage: https://github.com/wstmall/wstmart/ Software Link: http://www.wstmart.net/ Version: WSTMart 2.0.8181212 CVE: CVE-2018-19138 0x02 CSRF PoC Function point: background...
Netatalk 3.1.12 - Authentication Bypass
Exploit Title: Netatalk Authentication Bypass Date: 12/20/2018 Exploit Author: Jacob Baines Vendor Homepage: http://netatalk.sourceforge.net/ Software Link: https://sourceforge.net/projects/netatalk/files/ Version: Before 3.1.12 Tested on: Seagate NAS OS x86_64 CVE : CVE-2018-1160 Advisory:...
SQLScan 1.0 - Denial of Service (PoC)
Exploit Title: McAfee Foundstone SQLScan - Denial of Service PoC and EIP record overwrite Discovery by: Rafael Pedrero Discovery Date: 2018-12-20 Vendor Homepage: http://www.mcafee.com/us/downloads/free-tools/sqlscan.aspx Software Link : http://www.mcafee.com/us/downloads/free-tools/sqlscan.aspx...
AnyBurn 4.3 - Local Buffer Overflow (SEH)
#!/usr/bin/env python Exploit Title: AnyBurn 4.3 - Local Buffer Overflow SEH Unicode Date: 20-12-2018 Exploit Author: Matteo Malvica Vendor Homepage: http://www.anyburn.com/ Software Link : http://www.anyburn.com/anyburnsetup.exe Tested Version: 4.3 32-bit Tested on: Windows 7 x64 SP1 Credits:...
ZeusCart 4.0 - Cross-Site Request Forgery (Deactivate Customer Accounts)
Exploit Title: ZeusCart 4.0 Deactivate Customer Accounts CSRF Date: 12/20/2018 Exploit Author: mqt Vendor Homepage: http://www.zeuscart.com/ Version: Zeus Cart 4.0 CSRF 1. Vulnerability Description Due to the form not being validated, ZeusCart 4.0 suffers from a Cross Site Request Forgery...
Microsoft Edge 42.17134.1.0 - 'Tree::ANode::DocumentLayout' Denial of Service
Exploit Title: Microsoft Edge edgehtml.dll!Tree::ANode::DocumentLayout. Denial of Service PoC Google Dork: N/A Date: 2018-11-11 Exploit Author: Bogdan Kurinnoy [email protected] Vendor Homepage: https://www.microsoft.com/ Version: Microsoft Edge 42.17134.1.0 Microsoft EdgeHTML 17.17134 Tested...
Microsoft Windows - 'MsiAdvertiseProduct' Arbitrary File Read
The bug is in “MsiAdvertiseProduct” Calling this function will result in a file copy by the installer service. This will copy an arbitrary file that we can control with the first parameter into c:\windows\installer … a check gets done while impersonating, but using junctions there is still a TOCT...
Netatalk 3.1.12 - Authentication Bypass (PoC)
import socket import struct import sys if len(sys.argv) != 3: sys.exit(0) ip = sys.argv[1] port = int(sys.argv[2]) sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) print "[+] Attempting connection to " + ip + ":" + sys.argv[2] sock.connect((ip, port)) dsi_payload = "\x00\x00\x40\x00" # client quantum dsi_payload +...
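The Netatalk PoC above opens a TCP connection and starts assembling a DSI OpenSession request whose first option carries the client quantum. As an added example, not part of the Exploit-DB entry or of Jacob Baines's exploit, the following Python builds that request from the 16-byte DSI header and the type/length/value option list that AFP-over-TCP defines, and then parses it the way a server should: each option's attacker-supplied length is checked against the enclosing body and against the fixed 4-byte size of a quantum value before any bytes are copied. The page does not describe the bug's mechanics, so the check shown is the generic one a DSI parser needs rather than a claim about Netatalk's code. The client-quantum bytes are the PoC's own; the request id and the oversized option are constructed inputs.

```python
import struct

# DSI header (AFP over TCP): flags, command, request id, error code or data
# offset, total data length, reserved. All big-endian, 16 bytes in total.
DSI_HEADER = struct.Struct(">BBHIII")
DSI_REQUEST = 0x00
DSI_OPENSESSION = 0x04

# OpenSession option types; each carries a 32-bit value.
DSI_OPT_REQUEST_QUANTUM = 0x00
DSI_OPT_ATTENTION_QUANTUM = 0x01
DSI_OPT_SERVER_REPLAY_CACHE = 0x02
QUANTUM_OPTIONS = (DSI_OPT_REQUEST_QUANTUM, DSI_OPT_ATTENTION_QUANTUM,
                   DSI_OPT_SERVER_REPLAY_CACHE)
QUANTUM_LEN = 4  # the only legal payload size for a quantum option

# The PoC's client quantum bytes (0x4000), reused here as sample input.
CLIENT_QUANTUM = b"\x00\x00\x40\x00"


def build_open_session(options, request_id=1):
    """Pack a DSI OpenSession request from (type, value) option pairs."""
    body = b"".join(struct.pack(">BB", opt_type, len(value)) + value
                    for opt_type, value in options)
    header = DSI_HEADER.pack(DSI_REQUEST, DSI_OPENSESSION, request_id,
                             0, len(body), 0)
    return header + body


def parse_open_session(packet):
    """Server-side parse of an OpenSession request with length checks.

    Returns (request_id, [(type, value), ...]) or raises ValueError.
    """
    if len(packet) < DSI_HEADER.size:
        raise ValueError("short DSI header")
    flags, command, request_id, _offset, total_len, _reserved = \
        DSI_HEADER.unpack_from(packet)
    if flags != DSI_REQUEST or command != DSI_OPENSESSION:
        raise ValueError("not an OpenSession request")
    body = packet[DSI_HEADER.size:]
    if len(body) != total_len:
        raise ValueError("declared length %d does not match body length %d"
                         % (total_len, len(body)))
    options = []
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("option header runs past body")
        opt_type, opt_len = body[pos], body[pos + 1]
        pos += 2
        # Bound the client-controlled length against the body AND against
        # the fixed-size destination before copying anything out of it.
        if pos + opt_len > len(body):
            raise ValueError("option length %d exceeds body" % opt_len)
        if opt_type in QUANTUM_OPTIONS and opt_len != QUANTUM_LEN:
            raise ValueError("quantum option must be %d bytes, got %d"
                             % (QUANTUM_LEN, opt_len))
        options.append((opt_type, body[pos:pos + opt_len]))
        pos += opt_len
    return request_id, options


def quantum_value(option_bytes):
    """Decode a 4-byte quantum option as an unsigned big-endian integer."""
    return struct.unpack(">I", option_bytes)[0]


if __name__ == "__main__":
    pkt = build_open_session([(DSI_OPT_ATTENTION_QUANTUM, CLIENT_QUANTUM)])
    rid, opts = parse_open_session(pkt)
    print("request id", rid, "options", opts, "quantum", quantum_value(opts[0][1]))
    oversized = build_open_session([(DSI_OPT_ATTENTION_QUANTUM, b"A" * 12)])
    try:
        parse_open_session(oversized)
    except ValueError as exc:
        print("rejected:", exc)
```

Unknown option types are still bounded by the body length and skipped, which is what a tolerant server does; the strict size check applies only to the three options whose value must fit a 32-bit field. A real session would follow this with the server's OpenSession reply and the AFP command stream, which is outside what the entry shows.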
Microsoft Windows - 'MsiAdvertiseProduct' Arbitrary File Copy/Read
The bug is in “MsiAdvertiseProduct” Calling this function will result in a file copy by the installer service. This will copy an arbitrary file that we can control with the first parameter into c:\windows\installer … a check gets done while impersonating, but using junctions there is still a TOCT...
Base64 Decoder 1.1.2 - Local Buffer Overflow (SEH)
#!/usr/bin/env python Exploit Author: bzyo Twitter: @bzyo Exploit Title: Base64 Decoder 1.1.2 - Local Buffer Overflow SEH Date: 12-20-18 Vulnerable Software: Base64 Decoder 1.1.2 Vendor Homepage: http://4mhz.de/b64dec.html Version: 1.1.2 Software Link:...
Erlang - Port Mapper Daemon Cookie Remote Code Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Erlang Port Mapper Daemon Cookie RCE', 'Description' => %q The erlang port mapper daemon is used to coordinate distributed erlang instances. Shoul...
XMPlay 3.8.3 - '.m3u' Local Stack Overflow Code Execution
#!/usr/bin/env python # -*- coding: utf-8 -*- Exploit Title: XMPlay 3.8.3 - '.m3u' Code Execution PoC Date: 2018-12-19 Exploit Author: s7acktrac3 Vendor Homepage: https://www.xmplay.com/ Software Link: https://support.xmplay.com/filesview.php?fileid=676 Version: 3.8.3 latest Tested on: Windows XP SP3...
LanSpy 2.0.1.159 - Buffer Overflow (SEH) (Egghunter)
Exploit Title: LanSpy 2.0.1.159 - Local Buffer Overflow SEH Egghunter Exploit Author: bzyo Date: 12-19-18 Twitter: @bzyo Vulnerable Software: LanSpy 2.0.1.159 Vendor Homepage: https://lizardsystems.com Version: 2.0.1.159 Software Link 1:...
VBScript - MSXML Execution Policy Bypass
According to https://blogs.windows.com/msedgedev/2017/07/07/update-disabling-vbscript-internet-explorer-11/, Starting from Windows 10 Fall Creators Update, VBScript execution in IE 11 should be disabled for websites in the Internet Zone and the Restricted Sites Zone by default. However, the...
VBScript - VbsErase Reference Leak Use-After-Free
There is a reference leak in Microsoft VBScript that can be turned into a use-after-free given sufficient time. The vulnerability has been confirmed in Internet Explorer on various Windows versions with the latest patches applied. Details: The VbsErase function is used to reset and free the content...
Yeswiki Cercopitheque - 'id' SQL Injection
Exploit Title: SQL Injection in Yeswiki Cercopitheque Date: 02/07/2018 Exploit Author: Mickael BROUTY @ark1nar - FIDENS Vendor Homepage: https://yeswiki.net Software Link: https://repository.yeswiki.net/cercopitheque/yeswiki-cercopitheque-2018-12-07-1.zip Version: Yeswiki Cercopitheque 2018-06-19...
Linux Kernel 4.4 - 'rtnetlink' Stack Memory Disclosure
/* Briefs - CVE-2016-4486 was discovered and reported by Kangjie Lu. - This is a local exploit against CVE-2016-4486. Tested version - Distro : Ubuntu 16.04 - Kernel version : 4.4.0-21-generic - Arch : x86_64 Prerequisites - None Goal - Leak kernel stack base address of current process by...