PrestaShop 1.6.x/1.7.x - Remote Code Execution

?php / PrestaShop 1.6.x = 1.6.1.23 & 1.7.x = 1.7.4.4 - Back Office Remote Code Execution See https://github.com/farisv/PrestaShop-CVE-2018-19126 for explanation. Chaining multiple vulnerabilities to trigger deserialization via phar. Date: December 1st, 2018 Author: farisv Vendor Homepage:...

Apache OFBiz 16.11.05 - Cross-Site Scripting

Exploit Title: Apache OFBiz v16.11.05 - Stored Cross-Site Scripting Vulnerability Google Dork: N/A Date: 09 - December - 2018 Exploit Author: DKM Vendor Homepage: https://ofbiz.apache.org/ Software Link: https://www.apache.org/dyn/closer.lua/ofbiz/apache-ofbiz-16.11.05.zip Version: v16.11.05 Test...

LanSpy 2.0.1.159 - Local Buffer Overflow (PoC)

Exploit Title: LanSpy 2.0.1.159 - Local BoF PoC Author: Gionathan "John" Reale Discovey Date: 2018-12-07 Homepage: https://lizardsystems.com Software Link: https://lizardsystems.com/download/lanspysetup.exe Tested Version: 2.0.1.159 Tested on OS: Windows 7 32-bit Steps to Reproduce: Run the pytho...

Kubernetes - (Authenticated) Arbitrary Requests

!/usr/bin/env python3 import argparse from ssl import wrapsocket from socket import createconnection from secrets import base64, tokenbytes def requeststage1namespace, pod, method, target, token: stage1 = "" with open'stage1', 'r' as stage1fd: stage1 = stage1fd.read return stage1.formatnamespace,...

Kubernetes - (Unauthenticated) Arbitrary Requests

!/usr/bin/env python3 import argparse from ssl import wrapsocket from json import loads, dumps from socket import createconnection def requeststage1base, version, target: stage1 = "" with open'ustage1', 'r' as stage1fd: stage1 = stage1fd.read return stage1.formatbase, version, target .encode'utf-...

Textpad 8.1.2 - Denial Of Service (PoC)

Exploit Title: Textpad 8.1.2 - Denial Of Service PoC Author: Gionathan "John" Reale Discovey Date: 2018-12-06 Homepage: https://textpad.com Software Link: https://www.textpad.com/download/v81/win32/txpeng812-32.zip Tested Version: 8.1.2 Tested on OS: Windows 7 32-bit Steps to Reproduce: Run the...

Adiscon LogAnalyzer < 4.1.7 - Cross-Site Scripting

Exploit Title: Adiscon LogAnalyzer 4.1.7 - Cross-Site Scripting Date: 2018-12-05 Software Link: httpås://loganalyzer.adiscon.com/ https://github.com/rsyslog/loganalyzer Exploit Author: Gustavo Sorondo Contact: http://twitter.com/iampuky Website: http://cintainfinita.com/ CVE: CVE-2018-19877...

i-doit CMDB 1.11.2 - Remote Code Execution

Exploit Title: i-doit CMDB 1.11.2 - Remote Code Execution Date: 2018-12-05 Exploit Author: Özkan Mustafa Akkuş AkkuS Contact: https://pentest.com.tr Vendor Homepage: https://www.i-doit.org/ Software Link: https://www.i-doit.org/i-doit-open-1-11-2/ Version: v1.11.2 Category: Webapps Tested on: XAM...

DomainMOD 4.11.01 - 'DisplayName' Cross-Site Scripting

Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting Date: 2018-11-22 Exploit Author: Mohammed Abdul Raheem Vendor Homepage: domainmod https://domainmod.org/ Software Link: domainmod https://github.com/domainmod/domainmod Version: v4.09.03 to v4.11.01 CVE : CVE-2018-19892 A Stored Cross-site...

HasanMWB 1.0 - SQL Injection

Exploit Title: HasanMWB 1.0 - SQL Injection Dork: N/A Date: 2018-12-05 Exploit Author: Ihsan Sencan Vendor Homepage: https://sourceforge.net/projects/hasanmwb/ Software Link: https://netcologne.dl.sourceforge.net/project/hasanmwb/HasanMWB-v1.zip Version: 1.0 Category: Webapps Tested on:...

Rockwell Automation Allen-Bradley PowerMonitor 1000 - Incorrect Access Control Authentication Bypass

Exploit Title: Rockwell Automation Allen-Bradley PowerMonitor 1000 - Incorrect Access Control Date: 2018-11-27 Exploit Author: Luca.Chiou Vendor Homepage: https://www.rockwellautomation.com/ Version: 1408-EM3A-ENT B Tested on: It is a proprietary devices:...

Wireshark - 'cdma2k_message_ACTIVE_SET_RECORD_FIELDS' Stack Corruption

The following crash due to a stack-based out-of-bounds memory access can be observed in an ASAN build of Wireshark current git master, by feeding a malformed file to tshark "$ ./tshark -nVxr /path/to/file": Attached are three files which trigger the crash. --- cut --- ==25039==ERROR:...

Xorg X11 Server (AIX) - Local Privilege Escalation

Exploit Title: AIX Xorg X11 Server - Local Privilege Escalation Date: 29/11/2018 Exploit Author: @0xdono Original Discovery and Exploit: Narendra Shinde Vendor Homepage: https://www.x.org/ Platform: AIX Version: X Window System Version 7.1.1 Fileset: X11.base.rte 7.1.5.32 Tested on: AIX 7.1 6.x t...

DomainMOD 4.11.01 - Registrar Cross-Site Scripting

Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting Date: 2018-11-22 Exploit Author: Mohammed Abdul Raheem Vendor Homepage: domainmod https://domainmod.org/ Software Link: domainmod https://github.com/DomainMod/DomainMod Version: v4.09.03 to v4.11.01 CVE : CVE-2018-19752 A Stored Cross-site...

Dolibarr ERP/CRM 8.0.3 - Cross-Site Scripting

Exploit Title: Dolibarr ERP/CRM = 8.0.3 - Cross-Site Scripting CVE: CVE-2018-19799 Date: 2018-11-23 Exploit Author: Özkan Mustafa Akkuş AkkuS Contact: https://pentest.com.tr Vendor Homepage: https://dolibarr.org Software Link: http://sourceforge.net/projects/dolibarr/files/ Version: v8.0.3...

Microsoft Lync for Mac 2011 - Injection Forced Browsing/Download

Exploit Title: Microsoft Lync for Mac 2011 Injection Forced Browsing/Download Author: @nyxgeek - TrustedSec Date: 2018-03-20 Vendor Homepage: microsoft.com Software Link: https://www.microsoft.com/en-us/download/details.aspx?id=36517 CVE: CVE-2018-8474 Version: Lync:Mac 2011 14.4.3, likely earlie...

FreshRSS 1.11.1 - Cross-Site Scripting

Multiple Cross-Site Scripting Vulnerabilities in FreshRSS 1.11.1 Information -------------------- Advisory by Netsparker Name: Multiple Cross-Site Scripting Vulnerabilities in FreshRSS Affected Software: FreshRSS Affected Versions: 1.11.1 Homepage: https://freshrss.org/ Vulnerability: Cross-site...

HP Intelligent Management - Java Deserialization Remote Code Execution (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "HP Intelligent Management Java Deserialization RCE", 'Description' = %q This vulnerability allows remote attackers to execute arbitrary code on...

OpenSSH < 7.7 - User Enumeration (2)

!/usr/bin/env python2 CVE-2018-15473 SSH User Enumeration by Leap Security @LeapSecurity https://leapsecurity.io Credits: Matthew Daley, Justin Gardner, Lee David Painter import argparse, logging, paramiko, socket, sys, os class InvalidUsernameException: pass malicious function to malform packet...

Emacs - movemail Privilege Escalation (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Emacs movemail Privilege Escalation', 'Description' = %q This module exploits a SUID installation of the Emacs movemail utility to run a command ...

Wireshark - 'find_signature' Heap Out-of-Bounds Read

The following crash due to a heap-based out-of-bounds read can be observed in an ASAN build of Wireshark current git master, by feeding a malformed file to tshark "$ ./tshark -nVxr /path/to/file": --- cut --- ==35788==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d0000e4400 at pc...

NEC Univerge Sv9100 WebPro - 6.00 - Predictable Session ID / Clear Text Password Storage

''' + Credits: hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/NEC-UNIVERGE-WEBPRO-v6.00-PREDICTABLE-SESSIONID-CLEARTEXT-PASSWORDS.txt + ISR: ApparitionSec Greetz: indoushka | Eduardo B. 0day Vendor www.necam.com Affected Product Code Base NEC...

DomainMOD 4.11.01 - Owner name Field Cross-Site Scripting

Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting Date: 2018-11-22 Exploit Author: Mohammed Abdul Raheem Vendor Homepage: domainmod https://domainmod.org/ Software Link: domainmod https://github.com/domainmod/domainmod Version: v4.09.03 to v4.11.01 CVE : CVE-2018-19749 A Stored Cross-site...

NUUO NVRMini2 3.9.1 - (Authenticated) Command Injection

Exploit Title: NUUO NVRMini2 Authenticated Command Injection Date: December 3, 2018 Exploit Author: Artem Metla Vendor Homepage: https://www.nuuo.com/ProductNode.php?node=2 Version: 3.9.1 Tested on: NUUO NVRMini2 with firmware 3.9.1 CVE : CVE-2018-15716 Advisory:...

KeyBase Botnet 1.5 - SQL Injection

Exploit Title: KeyBase Botnet v1.5 - SQL Injection Vulnerability Google Dork: intitle:"KeyBase: Login" + intext:" Login to get access to your logs " Date: 3/12/2018 Exploit Author: n4pst3r Vendor Homepage: unkn0wn Software Link: unkn0wn Version: v1.5 Tested on: Windows 10, debian 7 CVE : n/a...

DomainMOD 4.11.01 - Custom SSL Fields Cross-Site Scripting

Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting Date: 2018-11-22 Exploit Author: Mohammed Abdul Raheem Vendor Homepage: domainmod https://domainmod.org/ Software Link: domainmod https://github.com/DomainMod/DomainMod Version: v4.09.03 to v4.11.01 CVE : CVE-2018-19751 A Stored Cross-site...

DomainMOD 4.11.01 - Custom Domain Fields Cross-Site Scripting

Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting Date: 2018-11-22 Exploit Author: Mohammed Abdul Raheem Vendor Homepage: domainmod https://domainmod.org/ Software Link: domainmod https://github.com/domainmod/domainmod Version: v4.09.03 to v4.11.01 CVE : CVE-2018-19750 A Stored Cross-site...

Fleetco Fleet Maintenance Management 1.2 - Remote Code Execution

Exploit Title: Fleetco Fleet Maintenance Management 1.2 - Remote Code Execution Date: 2018-11-23 Exploit Author: Özkan Mustafa Akkuş AkkuS Contact: https://pentest.com.tr Vendor Homepage: https://www.fleetco.space Software Link: http://www.fleetco.space/download/215/ Version: v1.2 Category: Webap...

PHP Server Monitor 3.3.1 - Cross-Site Request Forgery

Exploit Title: PHP Server Monitor 3.3.1 - Cross-Site Request Forgery Exploit Author: Javier Olmedo Website: https://www.sidertia.com Date: 2018-11-28 Google Dork: N/A Vendor: https://www.phpservermonitor.org/ Software Link: https://github.com/phpservermon/phpservermon/releases/tag/v3.3.1 Affected...

Budabot 4.0 - Denial of Service (PoC)

Exploit Title: Budabot 4.0 - Denial of Service PoC Date: 2018-10-15 Exploit Author: Ryan Delaney Author Contact: [email protected] Vendor Homepage: http://budabot.com/ Software Link: http://budabot.com/forum/viewtopic.php?f=8&t=1413 Version: 0.6 - 4.0 Tested on: 4.0 CVE: CVE-2018-19290 1...

Mozilla Firefox 63.0.1 - Denial of Service (PoC)

Exploit Title: Mozilla Firefox 63.0.1 - Denial of Service PoC Date: 2018-11-29 Exploit Author: SAIKUMAR CHEBROLU Vendor Homepage: https://www.mozilla.org/en-US/firefox/new/ Bugzilla report: https://bugzilla.mozilla.org/showbug.cgi?id=1504512 Version: Firefox 63.0.1 Tested on: Windows 10 CVE : No...

CyberArk 9.7 - Memory Disclosure

Exploit Title: CyberArk 9.7 - Memory Disclosure Date: 2018-06-04 Exploit Author: Thomas Zuk @Freakazoidile Vendor Homepage: https://www.cyberark.com/products/privileged-account-security-solution/enterprise-password-vault/ Version: 9.7 and 10 Tested on: Windows 2008, Windows 2012, Windows 7, Windo...

PaloAlto Networks Expedition Migration Tool 1.0.106 - Information Disclosure

Exploit Title: PaloAlto Networks Expedition Migration Tool 1.0.106 - Information Disclosure Date: 2018-11-28 Exploit Author: paragonsec @ Critical Start Vendor Homepage: https://live.paloaltonetworks.com/t5/Expedition-Migration-Tool/ct-p/migrationtool Software Link:...

Rockwell Automation Allen-Bradley PowerMonitor 1000 - Cross-Site Scripting

Exploit Title: Rockwell Automation Allen-Bradley PowerMonitor 1000 - Cross-Site Scripting Date: 2018-11-27 Exploit Author: Luca.Chiou Vendor Homepage: https://www.rockwellautomation.com/ Version: 1408-EM3A-ENT B Tested on: It is a proprietary devices:...

WordPress Plugin Advanced-Custom-Fields 5.7.7 - Cross-Site Scripting

Exploit Title: Wordpress Plugins Advanced-custom-fields 5.7.7 - Cross-Site Scripting Google Dork: N/A Date: 2018-12-02 Exploit Author: Loading Kura Kura Vendor Homepage: https://www.advancedcustomfields.com/ Software Link: https://www.advancedcustomfields.com/ Version: 5.7.7 Tested on: Win10...

Apache Superset < 0.23 - Remote Code Execution

Exploit Title: Apache Superset ' sys.exit else: Script arguments supersetIP = sys.argv1 supersetPort = sys.argv2 Verify these URLs match your environment loginURL = 'http://' + supersetIP + ':' + supersetPort + '/login/' uploadURL = 'http://' + supersetIP + ':' + supersetPort +...

Joomla! Component JE Photo Gallery 1.1 - 'categoryid' SQL Injection

Exploit Title: Joomla! Component JE Photo Gallery 1.1 - SQL Injection Dork: N/A Date: 2018-11-26 Exploit Author: Ihsan Sencan Vendor Homepage: https://joomlaextensions.co.in Software Link: http://joomlaextensions.co.in/download/1387375463JE%20PhotoGallery%20%20J-%203.0%20.zip Version: 1.1 Categor...

VBScript - 'rtFilter' Out-of-Bounds Read

On Error Resume Next Class class1 Public Default Property Get x ReDim arr1 End Property End Class set c = new class1 arr = Array"b", "b", "a", "a", c Call Filterarr, "a" !-- =============================================================================== Preliminary Analysis: The rtFilter function...

HTML5 Video Player 1.2.5 - Buffer Overflow (Metasploit)

This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class Metasploit3 'HTML5 Video Player 1.2.5 - Buffer Overflow SEH', 'Description' = %q This module exploits a stack based buffer overflow in HTML5 Vide...

Linux Kernel 4.8 (Ubuntu 16.04) - Leak sctp Kernel Pointer

/ Exploit Title: Linux Kernel 4.8 Ubuntu 16.04 - Leak sctp kernel pointer Google Dork: - Date: 2018-11-20 Exploit Author: Jinbum Park Vendor Homepage: - Software Link: - Version: Linux Kernel 4.8 Ubuntu 16.04 Tested on: 4.8.0-36-generic 3616.04.1-Ubuntu SMP Sun Feb 5 09:39:57 UTC 2017 x8664 x8664...

Schneider Electric PLC - Session Calculation Authentication Bypass

!/usr/bin/env python ''' Copyright 2018 Photubiasc Exploit Title: Schneider Session Calculation - CVE-2017-6026 Date: 2018-09-30 Exploit Author: Deneut Tijl Vendor Homepage: www.schneider-electric.com Software Link:...

Synaccess netBooter NP-02x/NP-08x 6.8 - Authentication Bypass

Synaccess netBooter NP-02x/NP-08x 6.8 Authentication Bypass Vendor: Synaccess Networks Inc. Product web page: https://www.synaccess-net.com Affected version: NP-0201D ver 6.8C NP-02 ver 6.5C NP-02 ver 6.4BC NP-0801D ver 6.4A NP-08 ver 6.10 NP-02 ver 5.53BC Summary: netBooter NP-02B and NP-02BH...

Apache Spark - (Unauthenticated) Command Execution (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Apache Spark Unauthenticated Command Execution', 'Description' = %q This module exploits an unauthenticated command execution vulnerability in...

PhpSpreadsheet < 1.5.0 - XML External Entity (XXE)

Product Description PhpSpreadsheet is a library written in pure PHP that provides a set of classes allowing users to read from and write to different spreadsheet file formats, such as Excel and LibreOffice Calc. Vulnerabilities List One vulnerability was identified within the PhpSpreadsheet...

VBScript - 'OLEAUT32!VariantClear' and 'scrrun!VBADictionary::put_Item' Use-After-Free

Class class2 Private Sub ClassTerminate var17.RemoveAll End Sub End Class Set var17 = CreateObject"Scripting.Dictionary" Set var17.Item"foo" = new class2 var17.Item"foo" = 1 !-- =============================================================================== Preliminary Analysis: 1st issue: In...

xorg-x11-server < 1.20.3 - 'modulepath' Local Privilege Escalation

!/bin/sh raptorxorgy - xorg-x11-server LPE via modulepath switch Copyright c 2018 Marco Ivaldi A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission check for -modulepath and -logfile options when starting Xorg. X server allows unprivileged users with the ability to log in to...

Linux - Nested User Namespace idmap Limit Local Privilege Escalation (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Linux Nested User Namespace idmap Limit Local Privilege Escalation', 'Description' = %q This module exploits a vulnerability in Linux kernels...

Mac OS X - libxpc MITM Privilege Escalation (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Mac OS X libxpc MITM Privilege Escalation', 'Description' = %q This module exploits a vulnerablity in libxpc on macOS MSFLICENSE, 'Author' =...

WebKit JSC - BytecodeGenerator::hoistSloppyModeFunctionIfNecessary Does not Invalidate the 'ForInContext' Object

/ This is simillar to issue 1263 . When hoisting a function onto the outer scope, if it overwrites the iteration variable for a for-in loop it should invalidate the corresponding ForInContext object, but it doesn't. As a result, an arbitrary object can be passed as the property variable to the...

Unitrends Enterprise Backup - bpserverd Privilege Escalation (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Unitrends Enterprise Backup bpserverd Privilege Escalation', 'Description' = %q It was discovered that the Unitrends bpserverd proprietary...