47904 matches found
Angry IP Scanner 3.5.3 - Denial of Service (PoC)
!/usr/bin/python -- coding: cp1252 -- Exploit Title: Angry IP Scanner 3.5.3 Denial of Service PoC Author: Fernando Cruz Date: 13/12/2018 Vendor Homepage: https://angryip.org Tested Version: 3.11 Tested on Windows 10 Pro, 64-bit Steps to Produce the Crash: 1.- Run python code : python angryip.py 2...
Linux - 'userfaultfd' Bypasses tmpfs File Permissions
Using the userfaultfd API, it is possible to first register a userfaultfd region for any VMA that fulfills vmacanuserfault: It must be an anonymous VMA -vmops==NULL, a hugetlb VMA VMHUGETLB, or a shmem VMA -vmops==shmemvmops. This means that it is, for example, possible to register userfaulfd...
WebKit JIT - Int32/Double Arrays can have Proxy Objects in the Prototype Chains
didBecomePrototype; if structurevm-hasMonoProto DeferredStructureTransitionWatchpointFire deferredvm, structurevm; Structure newStructure = Structure::changePrototypeTransitionvm, structurevm, prototype, deferred; setStructurevm, newStructure; else putDirectvm, knownPolyProtoOffset, prototype; if...
CyberLink LabelPrint 2.5 - Stack Buffer Overflow (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "CyberLink LabelPrint 2.5 Stack Buffer Overflow", 'Description' = %q This module exploits a stack buffer overflow in CyberLink LabelPrint 2.5 and...
phpBB 3.2.3 - Remote Code Execution
// All greets goes to RIPS Tech // Run this JS on Attachment Settings ACP page var pluploadsalt = ''; var formtoken = ''; var creationtime = ''; var filepath = 'phar://./../files/plupload/$saltaaae9cba5fdadb1f0c384934cd20d11czip.part'; // md5'evil.zip' = aaae9cba5fdadb1f0c384934cd20d11czip // you...
WordPress Plugin AutoSuggest 0.24 - 'wpas_keys' SQL Injection
Exploit Title: WP AutoSuggest 0.24 - SQL Injection Date: 01-12-2018 Software Link: https://wordpress.org/plugins/wp-autosuggest/ Exploit Author: Kaimi Website: https://kaimi.io Version: 0.24 Category: webapps SQL Injection File: autosuggest.php Vulnerable code: if isset$GET'wpaskeys' $wpaskeys =...
HotelDruid 2.3.0 - 'id_utente_mod' SQL Injection
Exploit Title: SQL Injection in HotelDruid version 2.3 Google Dork: N/A Date: 9-12-2018 Exploit Author: Sainadh Jamalpur Vendor Homepage: http://www.hoteldruid.com Software Link: https://sourceforge.net/projects/hoteldruid/ Version: 2.3 REQUIRED Tested on: Windows x64/ Kali linux x64 CVE : N/A...
Adobe ColdFusion 2018 - Arbitrary File Upload
Exploit Title: Unrestricted file upload in Adobe ColdFusion 2018 Google Dork: ext:cfm Date: 10-12-2018 Exploit Author: Pete Freitag of Foundeo Reversed: Vahagn vah13 Vardanian Vendor Homepage: adobe.com Version: 2018 Tested on: Adobe ColdFusion 2018 CVE : CVE-2018-15961 Comment: September 28, 201...
ZTE ZXHN H168N - Improper Access Restrictions
POC: CVE-2018-7357 and CVE-2018-7358 Disclaimer: This POC is for Educational Purposes , I would Not be responsible for any misuse of the information mentioned in this blog post + Unauthenticated + Author: Usman Saeed usman at xc0re.net + Protocol: UPnP + Affected Harware/Software: Model name: ZXH...
Huawei B315s-22 - Information Leak
Product Family: LTE Model B315s – 22 Firmware version: 21.318.01.00.26 Author: Usman Saeed usman at xc0re.net 1. Unauthenticated access to sensitive files: It was observed that the web application running on the router, allows unauthenticated access to sensitive files on the web server. POC: By...
SmartFTP Client 9.0.2623.0 - Denial of Service (PoC)
-- coding: utf-8 -- Exploit Title: SmartFTP 9.0 Build 2623 - Denial of Service PoC Date: 06/12/2018 Exploit Author: Alejandra Sánchez Vendor Homepage: https://www.smartftp.com/en-us/ Software Link: https://www.smartftp.com/get/SFTPMSI64.exe Version: 9.0.2623.0 Tested on: Windows Server 2016 x64/...
DomainMOD 4.11.01 - Cross-Site Scripting
Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting Date: 2018-11-22 Exploit Author: Mohammed Abdul Raheem Vendor Homepage: domainmod https://domainmod.org/ Software Link: domainmod https://github.com/DomainMod/DomainMod Version: v4.09.03 to v4.11.01 CVE : CVE-2018-19913 A Stored Cross-site...
PrestaShop 1.6.x/1.7.x - Remote Code Execution
?php / PrestaShop 1.6.x = 1.6.1.23 & 1.7.x = 1.7.4.4 - Back Office Remote Code Execution See https://github.com/farisv/PrestaShop-CVE-2018-19126 for explanation. Chaining multiple vulnerabilities to trigger deserialization via phar. Date: December 1st, 2018 Author: farisv Vendor Homepage:...
Alumni Tracer SMS Notification - SQL Injection / Cross-Site Request Forgery
Exploit Title: Alumni Tracer SMS Notification - SQL Injection / Cross-Site Request Forgery Add/Update Admin Dork: N/A Date: 2018-12-06 Exploit Author: Ihsan Sencan Vendor Homepage: https://www.sourcecodester.com/php/12825/alumni-tracer-sms-notification-using-phpmysqli.html Software Link:...
McAfee True Key - McAfee.TrueKey.Service Privilege Escalation
McAfee True Key: Multiple Issues with McAfee.TrueKey.Service Implementation Platform: Version 5.1.173.1 on Windows 10 1809. Class: Elevation of Privilege Summary: There are multiple issues in the implementation of the McAfee.TrueKey.Service which can result in privilege escalation through executi...
XNU - POSIX Shared Memory Mappings have Incorrect Maximum Protection
When the mmap syscall is invoked on a POSIX shared memory segment DTYPEPSXSHM, pshmmmap maps the shared memory segment's pages into the address space of the calling process. It does this with the following code: int prot = uap-prot; ... if prot & PROTWRITE && fp-fflag & FWRITE == 0 returnEPERM;...
LanSpy 2.0.1.159 - Local Buffer Overflow (PoC)
Exploit Title: LanSpy 2.0.1.159 - Local BoF PoC Author: Gionathan "John" Reale Discovey Date: 2018-12-07 Homepage: https://lizardsystems.com Software Link: https://lizardsystems.com/download/lanspysetup.exe Tested Version: 2.0.1.159 Tested on OS: Windows 7 32-bit Steps to Reproduce: Run the pytho...
PrinterOn Enterprise 4.1.4 - Arbitrary File Deletion
Exploit Author: bzyo CVE: CVE-2018-19936 Twitter: @bzyo Exploit Title: PrinterOn Enterprise 4.1.4 - Arbitrary File Deletion Date: 12-07-18 Vulnerable Software: PrinterOn Enterprise 4.1.4 Vendor Homepage: https://www.printeron.com/ Version: 4.1.4 Tested On...
Tourism Website Blog - Remote Code Execution / SQL Injection
Exploit Title: Tourism Website Blog - Remote Code Execution / SQL Injection Dork: N/A Date: 2018-12-06 Exploit Author: Ihsan Sencan Vendor Homepage: https://www.sourcecodester.com/php/12819/tourism-website-blog-faces-negros-web-application.html Software Link:...
Apache OFBiz 16.11.05 - Cross-Site Scripting
Exploit Title: Apache OFBiz v16.11.05 - Stored Cross-Site Scripting Vulnerability Google Dork: N/A Date: 09 - December - 2018 Exploit Author: DKM Vendor Homepage: https://ofbiz.apache.org/ Software Link: https://www.apache.org/dyn/closer.lua/ofbiz/apache-ofbiz-16.11.05.zip Version: v16.11.05 Test...
GNU inetutils < 1.9.4 - 'telnet.c' Multiple Overflows (PoC)
GNU inetutils = 1.9.4 telnet.c multiple overflows ================================================== GNU inetutils is vulnerable to a stack overflow vulnerability in the client-side environment variable handling which can be exploited to escape restricted shells on embedded devices. Most modern...
TP-Link wireless router Archer C1200 - Cross-Site Scripting
Unauthenticated + Author: Usman Saeed usman at xc0re.net + Affected Version: Firmware version: 1.13 Build 2018/01/24 rel.52299 EU · Impact: Client side attacks are very common and are the source of maximum number of user compromises. With this attack, the threat actor can steal cookies, redirect...
ThinkPHP 5.0.23/5.1.31 - Remote Code Execution
Exploit Title: ThinkPHP 5.x v5.0.23,v5.1.31 Remote Code Execution Date: 2018-12-11 Exploit Author: VulnSpy Vendor Homepage: https://thinkphp.cn Software Link: https://github.com/top-think/framework/ Version: v5.x below v5.0.23,v5.1.31 CVE: N/A Exploit...
Kubernetes - (Unauthenticated) Arbitrary Requests
!/usr/bin/env python3 import argparse from ssl import wrapsocket from json import loads, dumps from socket import createconnection def requeststage1base, version, target: stage1 = "" with open'ustage1', 'r' as stage1fd: stage1 = stage1fd.read return stage1.formatbase, version, target .encode'utf-...
Kubernetes - (Authenticated) Arbitrary Requests
!/usr/bin/env python3 import argparse from ssl import wrapsocket from socket import createconnection from secrets import base64, tokenbytes def requeststage1namespace, pod, method, target, token: stage1 = "" with open'stage1', 'r' as stage1fd: stage1 = stage1fd.read return stage1.formatnamespace,...
DomainMOD 4.11.01 - 'DisplayName' Cross-Site Scripting
Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting Date: 2018-11-22 Exploit Author: Mohammed Abdul Raheem Vendor Homepage: domainmod https://domainmod.org/ Software Link: domainmod https://github.com/domainmod/domainmod Version: v4.09.03 to v4.11.01 CVE : CVE-2018-19892 A Stored Cross-site...
i-doit CMDB 1.11.2 - Remote Code Execution
Exploit Title: i-doit CMDB 1.11.2 - Remote Code Execution Date: 2018-12-05 Exploit Author: Özkan Mustafa Akkuş AkkuS Contact: https://pentest.com.tr Vendor Homepage: https://www.i-doit.org/ Software Link: https://www.i-doit.org/i-doit-open-1-11-2/ Version: v1.11.2 Category: Webapps Tested on: XAM...
Textpad 8.1.2 - Denial Of Service (PoC)
Exploit Title: Textpad 8.1.2 - Denial Of Service PoC Author: Gionathan "John" Reale Discovey Date: 2018-12-06 Homepage: https://textpad.com Software Link: https://www.textpad.com/download/v81/win32/txpeng812-32.zip Tested Version: 8.1.2 Tested on OS: Windows 7 32-bit Steps to Reproduce: Run the...
Adiscon LogAnalyzer < 4.1.7 - Cross-Site Scripting
Exploit Title: Adiscon LogAnalyzer 4.1.7 - Cross-Site Scripting Date: 2018-12-05 Software Link: httpås://loganalyzer.adiscon.com/ https://github.com/rsyslog/loganalyzer Exploit Author: Gustavo Sorondo Contact: http://twitter.com/iampuky Website: http://cintainfinita.com/ CVE: CVE-2018-19877...
HasanMWB 1.0 - SQL Injection
Exploit Title: HasanMWB 1.0 - SQL Injection Dork: N/A Date: 2018-12-05 Exploit Author: Ihsan Sencan Vendor Homepage: https://sourceforge.net/projects/hasanmwb/ Software Link: https://netcologne.dl.sourceforge.net/project/hasanmwb/HasanMWB-v1.zip Version: 1.0 Category: Webapps Tested on:...
FreshRSS 1.11.1 - Cross-Site Scripting
Multiple Cross-Site Scripting Vulnerabilities in FreshRSS 1.11.1 Information -------------------- Advisory by Netsparker Name: Multiple Cross-Site Scripting Vulnerabilities in FreshRSS Affected Software: FreshRSS Affected Versions: 1.11.1 Homepage: https://freshrss.org/ Vulnerability: Cross-site...
Dolibarr ERP/CRM 8.0.3 - Cross-Site Scripting
Exploit Title: Dolibarr ERP/CRM = 8.0.3 - Cross-Site Scripting CVE: CVE-2018-19799 Date: 2018-11-23 Exploit Author: Özkan Mustafa Akkuş AkkuS Contact: https://pentest.com.tr Vendor Homepage: https://dolibarr.org Software Link: http://sourceforge.net/projects/dolibarr/files/ Version: v8.0.3...
OpenSSH < 7.7 - User Enumeration (2)
!/usr/bin/env python2 CVE-2018-15473 SSH User Enumeration by Leap Security @LeapSecurity https://leapsecurity.io Credits: Matthew Daley, Justin Gardner, Lee David Painter import argparse, logging, paramiko, socket, sys, os class InvalidUsernameException: pass malicious function to malform packet...
NEC Univerge Sv9100 WebPro - 6.00 - Predictable Session ID / Clear Text Password Storage
''' + Credits: hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/NEC-UNIVERGE-WEBPRO-v6.00-PREDICTABLE-SESSIONID-CLEARTEXT-PASSWORDS.txt + ISR: ApparitionSec Greetz: indoushka | Eduardo B. 0day Vendor www.necam.com Affected Product Code Base NEC...
DomainMOD 4.11.01 - Registrar Cross-Site Scripting
Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting Date: 2018-11-22 Exploit Author: Mohammed Abdul Raheem Vendor Homepage: domainmod https://domainmod.org/ Software Link: domainmod https://github.com/DomainMod/DomainMod Version: v4.09.03 to v4.11.01 CVE : CVE-2018-19752 A Stored Cross-site...
NUUO NVRMini2 3.9.1 - (Authenticated) Command Injection
Exploit Title: NUUO NVRMini2 Authenticated Command Injection Date: December 3, 2018 Exploit Author: Artem Metla Vendor Homepage: https://www.nuuo.com/ProductNode.php?node=2 Version: 3.9.1 Tested on: NUUO NVRMini2 with firmware 3.9.1 CVE : CVE-2018-15716 Advisory:...
KeyBase Botnet 1.5 - SQL Injection
Exploit Title: KeyBase Botnet v1.5 - SQL Injection Vulnerability Google Dork: intitle:"KeyBase: Login" + intext:" Login to get access to your logs " Date: 3/12/2018 Exploit Author: n4pst3r Vendor Homepage: unkn0wn Software Link: unkn0wn Version: v1.5 Tested on: Windows 10, debian 7 CVE : n/a...
DomainMOD 4.11.01 - Custom SSL Fields Cross-Site Scripting
Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting Date: 2018-11-22 Exploit Author: Mohammed Abdul Raheem Vendor Homepage: domainmod https://domainmod.org/ Software Link: domainmod https://github.com/DomainMod/DomainMod Version: v4.09.03 to v4.11.01 CVE : CVE-2018-19751 A Stored Cross-site...
DomainMOD 4.11.01 - Owner name Field Cross-Site Scripting
Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting Date: 2018-11-22 Exploit Author: Mohammed Abdul Raheem Vendor Homepage: domainmod https://domainmod.org/ Software Link: domainmod https://github.com/domainmod/domainmod Version: v4.09.03 to v4.11.01 CVE : CVE-2018-19749 A Stored Cross-site...
Microsoft Lync for Mac 2011 - Injection Forced Browsing/Download
Exploit Title: Microsoft Lync for Mac 2011 Injection Forced Browsing/Download Author: @nyxgeek - TrustedSec Date: 2018-03-20 Vendor Homepage: microsoft.com Software Link: https://www.microsoft.com/en-us/download/details.aspx?id=36517 CVE: CVE-2018-8474 Version: Lync:Mac 2011 14.4.3, likely earlie...
Xorg X11 Server (AIX) - Local Privilege Escalation
Exploit Title: AIX Xorg X11 Server - Local Privilege Escalation Date: 29/11/2018 Exploit Author: @0xdono Original Discovery and Exploit: Narendra Shinde Vendor Homepage: https://www.x.org/ Platform: AIX Version: X Window System Version 7.1.1 Fileset: X11.base.rte 7.1.5.32 Tested on: AIX 7.1 6.x t...
Rockwell Automation Allen-Bradley PowerMonitor 1000 - Incorrect Access Control Authentication Bypass
Exploit Title: Rockwell Automation Allen-Bradley PowerMonitor 1000 - Incorrect Access Control Date: 2018-11-27 Exploit Author: Luca.Chiou Vendor Homepage: https://www.rockwellautomation.com/ Version: 1408-EM3A-ENT B Tested on: It is a proprietary devices:...
Emacs - movemail Privilege Escalation (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Emacs movemail Privilege Escalation', 'Description' = %q This module exploits a SUID installation of the Emacs movemail utility to run a command ...
DomainMOD 4.11.01 - Custom Domain Fields Cross-Site Scripting
Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting Date: 2018-11-22 Exploit Author: Mohammed Abdul Raheem Vendor Homepage: domainmod https://domainmod.org/ Software Link: domainmod https://github.com/domainmod/domainmod Version: v4.09.03 to v4.11.01 CVE : CVE-2018-19750 A Stored Cross-site...
HP Intelligent Management - Java Deserialization Remote Code Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "HP Intelligent Management Java Deserialization RCE", 'Description' = %q This vulnerability allows remote attackers to execute arbitrary code on...
Wireshark - 'find_signature' Heap Out-of-Bounds Read
The following crash due to a heap-based out-of-bounds read can be observed in an ASAN build of Wireshark current git master, by feeding a malformed file to tshark "$ ./tshark -nVxr /path/to/file": --- cut --- ==35788==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d0000e4400 at pc...
Wireshark - 'cdma2k_message_ACTIVE_SET_RECORD_FIELDS' Stack Corruption
The following crash due to a stack-based out-of-bounds memory access can be observed in an ASAN build of Wireshark current git master, by feeding a malformed file to tshark "$ ./tshark -nVxr /path/to/file": Attached are three files which trigger the crash. --- cut --- ==25039==ERROR:...
PaloAlto Networks Expedition Migration Tool 1.0.106 - Information Disclosure
Exploit Title: PaloAlto Networks Expedition Migration Tool 1.0.106 - Information Disclosure Date: 2018-11-28 Exploit Author: paragonsec @ Critical Start Vendor Homepage: https://live.paloaltonetworks.com/t5/Expedition-Migration-Tool/ct-p/migrationtool Software Link:...
Rockwell Automation Allen-Bradley PowerMonitor 1000 - Cross-Site Scripting
Exploit Title: Rockwell Automation Allen-Bradley PowerMonitor 1000 - Cross-Site Scripting Date: 2018-11-27 Exploit Author: Luca.Chiou Vendor Homepage: https://www.rockwellautomation.com/ Version: 1408-EM3A-ENT B Tested on: It is a proprietary devices:...
CyberArk 9.7 - Memory Disclosure
Exploit Title: CyberArk 9.7 - Memory Disclosure Date: 2018-06-04 Exploit Author: Thomas Zuk @Freakazoidile Vendor Homepage: https://www.cyberark.com/products/privileged-account-security-solution/enterprise-password-vault/ Version: 9.7 and 10 Tested on: Windows 2008, Windows 2012, Windows 7, Windo...