SoftNAS Cloud < 4.0.3 - OS Command Injection

Core Security - Corelabs Advisory http://corelabs.coresecurity.com/ SoftNAS Cloud OS Command Injection 1. Advisory Information Title: SoftNAS Cloud OS Command Injection Advisory ID: CORE-2018-0009 Advisory URL: http://www.coresecurity.com/advisories/softnas-cloud-OS-command-injection Date...

Axis Network Camera - .srv to parhand Remote Code Execution (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Axis Network Camera .srv to parhand RCE', 'Description' = %q This module exploits an auth bypass in .srv functionality and a command injection in...

QNap QVR Client 5.1.1.30070 - 'Password' Denial of Service (PoC)

Exploit Title: QNap QVR Client 5.1.1.30070 - 'Password' Denial of Service PoC Discovery by: Luis Martínez Discovery Date: 2018-07-26 Vendor Homepage: https://www.qnapsecurity.com/n/en/ Software Link : http://download.qnap.com/Surveillance/QVRClient/Qmon5.1.1.30070.zip Tested Version: 5.1.1.30070...

Online Trade 1 - Information Disclosure

Exploit Title: Online Trade 1 - Information Disclosure Exploit Author: Dhamotharan Date: 2018-07-17 Vendor Homepage: https://codecanyon.net/item/online-trade-online-forex-and-cryptocurrency-investment-system/21987193?srank=14 CVE : CVE-2018-14328 Version: 1 Tested on: Kali Linux Description :...

Core FTP 2.0 - 'XRMD' Denial of Service (PoC)

Exploit Title: Core FTP 2.0 - 'XRMD' Denial of Service PoC Date: 2018-07-24 Exploit Author: Erik David Martin Vendor Homepage: http://www.coreftp.com/ Software Link: http://www.coreftp.com/server/download/CoreFTPServer.exe Version: Version 2.0, build 653, 32-bit Tested on: Windows XP Professional...

Kirby CMS 2.5.12 - Cross-Site Request Forgery (Delete Page)

Exploit Title:​​ Kirby CMS 2.5.12 - Cross-Site Request Forgery Delete Page Date: 2018-07-22 Exploit Author: Zaran Shaikh Version: 2.5.12 CVE: NA Category: Web Application 1. Description The application allows malicious HTTP requests to be sent in order to trick a user into adding/ deleting web...

Trivum Multiroom Setup Tool 8.76 - Corss-Site Request Forgery (Admin Bypass)

Exploit Title: Trivum Multiroom Setup Tool 8.76 - Corss-Site Request Forgery Admin Bypass Date: 2018-07-25 Software Link: https://world.trivum-shop.de https://world.trivum-shop.de/ Version: 9.34 build 13381 - 12.07.18 Category: hardware, webapps Tested on: V8.76 - SNR 8604.26 - C4 Professional...

GetGo Download Manager 6.2.1.3200 - Denial of Service (PoC)

Exploit Title: GetGo Download Manager 6.2.1.3200 - Buffer Overflow Denial of Service Date: 2018-07-25 Exploit Author: Nathu Nandwani Website: http://nandtech.co CVE: CVE-2017-17849 Tested On: Windows 7 x86, Windows 10 x64 Details The downloader feature of GetGo Download Manager is vulnerable to a...

10-Strike LANState 8.8 - Local Buffer Overflow (SEH)

Exploit Title: 10-Strike LANState 8.8 - Local Buffer Overflow SEH Date: 2018-07-24 Exploit Author: absolomb Vendor Homepage: https://www.10-strike.com/products.shtml Software Link: https://www.10-strike.com/lanstate/download.shtml Version 8.8 Tested on: Windows 7 SP 1 x86 Open LANState, File -...

10-Strike Bandwidth Monitor 3.7 - Local Buffer Overflow (SEH)

Title: 10-Strike Bandwidth Monitor 3.7 - Local Buffer Overflow SEH Date: 2018-07-24 Exploit Author: absolomb Vendor Homepage: https://www.10-strike.com/products.shtml Software Link: https://www.10-strike.com/bandwidth-monitor/download.shtml Run script, open up generated txt file and copy to...

Micro Focus Secure Messaging Gateway (SMG) < 471 - Remote Code Execution (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "MicroFocus Secure Messaging Gateway Remote Code Execution", 'Description' = %q This module exploits a SQL injection and command injection...

Nagios Core 4.4.1 - Denial of Service

Exploit Title: Nagios Core Multiple Local Denial of Service Date: 2018-07-09 Exploit Author: Fakhri Zulkifli @d0lph1n98 Vendor Homepage: https://www.nagios.org/ Software Link: https://www.nagios.org/downloads/nagios-core/ Version: 4.4.1 and earlier Tested on: 4.4.1 qhcore, qhhelp, and qhecho in...

D-link DAP-1360 - Path Traversal / Cross-Site Scripting

Exploit Title: D-Link DAP-1360 File path traversal and Cross site scriptingreflected can lead to Authentication Bypass easily. Date: 20-07-2018 Exploit Author: r3m0t3nu11 Contact : http://twitter.com/r3m0t3nu11 Vendor : www.dlink.com Version: Hardware version: F1 Firmware version: 6.O5 Tested...

Splinterware System Scheduler Pro 5.12 - Buffer Overflow (SEH)

!/usr/bin/python Exploit Author: bzyo Twitter: @bzyo Exploit Title: Splinterware System Scheduler Pro 5.12 - Local Buffer Overflow SEH Date: 07-21-18 Vulnerable Software: System Scheduler Pro 5.12 Vendor Homepage: https://www.splinterware.com Version: 5.12 Software Link:...

Davolink DVW 3200 Router - Password Disclosure

Exploit Title: Davolink DVW 3200 Router - Password Disclosure Google Dork: N/A Zoomeye dork : https://www.zoomeye.org/searchResult?q=%22var%20userpasswd%22%20%2Bapp%3A%22DAVOLINK%20GAPD-7000%20WAP%20httpd%22 Date: 2018-07-13 Exploit Author: Ankit Anubhav Vendor Homepage: www.davolink.co.kr Softwa...

Linux/x86 - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (100 bytes)

Linux/x86 - Bind 4444/TCP Shell /bin/sh + IPv6 Shellcode 100 bytes. Shellcode exploit for Linuxx86 platform Title: Linux/x86 - Bind 4444/TCP Shell + IPv6 Shellcode 100 bytes Length : 100bytes Author: Kartik Durg Write-up Link: https://iamroot.blog/2018/07/17/0x1-shellbindtcpipv6-linux-x86/ Tested...

Microsoft Windows - 'dnslint.exe' Drive-By Download

Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-DNSLINT.EXE-FORCED-DRIVE-BY-DOWNLOAD.txt + ISR: Apparition Security Greetz: indoushka | Eduardo Vendor ================= www.microsoft.com Product ===========...

Microsoft Windows Speech Recognition - Buffer Overflow (PoC)

Title: Windows Speech Recognition- Buffer Overflow Author: Nassim Asrir Contact: [email protected] | https://www.linkedin.com/in/nassim-asrir-b73a57122/ Vendor: https://www.microsoft.com/ About Windows Speech Recognition: ================================= Windows Speech Recognition lets you...

Synology DiskStation Manager 4.1 - Directory Traversal

Exploit Title: Synology DiskStation Manager 4.1 - Directory Traversal Google Dork: N/A Date: 2018-07-21 Exploit Author: Berk Dusunur Vendor Homepage: https://www.synology.com Software Link: https://www.synology.com Version: v4.1 Tested on: Parrot OS CVE : N/A PoC...

Tenda Wireless N150 Router 5.07.50 - Cross-Site Request Forgery (Reboot Router)

Exploit Title: Tenda Wireless N150 Router 5.07.50 - Cross-Site Request Forgery Reboot Router Date: 2018-07-21 Exploit Author: Nathu Nandwani Website: http://nandtech.co CVE: CVE-2015-5996 Description: The router is vulnerable to a cross-site request forgery attacker. If an administrator is...

NUUO NVRmini - 'upgrade_handle.php' Remote Command Execution

Exploit Title: NUUO NVR Unauthenticated Remote Code Execution Exploit Author: Berk Dusunur Google Dork: N/A Date: 2018-07-21 Vendor Homepage: http://www.nuuo.com/ Software Link: http://www.nuuo.com/ Affected Version: v2016 Tested on: Parrot OS CVE : N/A Proof Of Concept GET...

Splinterware System Scheduler Pro 5.12 - Privilege Escalation

Exploit Title: Splinterware System Scheduler Pro 5.12 - Privilege Escalation Exploit Author: bzyo Twitter: @bzyo Date: 2018-07-21 Vulnerable Software: System Scheduler Pro 5.12 Vendor Homepage: https://www.splinterware.com Version: 5.12 Tested Windows 7 SP1 x86 CVE: N/A Description: Splinterware...

Kirby CMS 2.5.12 - Cross-Site Scripting

Exploit Title:​​ Kirby CMS 2.5.12 - Cross-Site Scripting Date: 2018-07-22 Exploit Author: Zaran Shaikh Version: ​2.5.12 CVE : ​NA Category: ​Web Application Description The application allows user injected payload which can lead to Stored Cross Site Scripting. Proof of Concept 1. Visit the...

GeoVision GV-SNVR0811 - Directory Traversal

Exploit Title: GeoVision GV-SNVR0811 Directory Traversal Exploit Author: Berk Dusunur Google Dork: N/A Type: Hardware Date: 2018-07-21 Vendor Homepage: http://www.geovision.com.tw/product/GV-SNVR0811 Software Link: http://www.geovision.com.tw/product/GV-SNVR0811 Affected Version: N/A Tested on:...

Inteno’s IOPSYS - (Authenticated) Local Privilege Escalation

!/usr/bin/python import json import sys import subprocess import socket import os from websocket import createconnection def ubusAuthhost, username, password: ws = createconnection"ws://" + host, header = "Sec-WebSocket-Protocol: ubus-json" req = json.dumps"jsonrpc":"2.0","method":"call",...

Touchpad / Trivum WebTouch Setup 2.53 build 13163 - Authentication Bypass

Exploit Title: Touchpad / Trivum WebTouch Setup V9 V2.53 build 13163 - Unauthorized Authentication Reset Date: 2018-07-20 Software Link: https://world.trivum-shop.de Version: 2.56 build 13381 - 12-07-2018 Category: webapps Tested on: Touchpad / Trivum WebTouch Setup V9 V2.53 build 13163 of Apr 6...

MSVOD 10 - 'cid' SQL Injection

Exploit Title: MSVOD V10 ¡V SQL Injection Google Dork: inurl:"images/lists?cid=13" Date: 2018/07/17 Exploit Author: Hzllaga Vendor Homepage: http://www.msvod.cc/ Version: MSVOD V10 CVE : CVE-2018-14418 Reference : https://www.wtfsec.org/2583/msvod-v10-sql-injection/ Payload:...

TP-Link TL-WR840N - Denial of Service

Exploit Title:- TP-Link Wireless N Router WR840N - Buffer Overflow Date:- 2018-07-16 Vendor Homepage:- https://www.tp-link.com/ Hardware Link:- https://www.amazon.in/TP-LINK-TL-WR840N-300Mbps-Wireless-External/dp/B01A0G1J7Q Version:- TP-Link Wireless N Router WR840N Category:- Hardware Exploit...

Google Chrome - Swiftshader Texture Allocation Integer Overflow

There's a remotely triggerable memory corruption issue in SwiftShader that's reachable from WebGL, resulting from an integer overflow issue. In the GPU process there is validation on the sizes passed to texture creation functions to ensure that they shouldn't cause overflow. However, in the...

MyBB New Threads Plugin 1.1 - Cross-Site Scripting

Exploit Title: MyBB New Threads Plugin - Cross-Site Scripting Date: 7/16/2018 Author: 0xB9 Twitter: @0xB9Sec Contact: 0xB9atpm.me Software Link: https://community.mybb.com/mods.php?action=view&pid=1143 Version: 1.1 Tested on: Ubuntu 18.04 CVE: CVE-2018-14392 1. Description: New Threads is a plugi...

WordPress Plugin All In One Favicon 4.6 - (Authenticated) Cross-Site Scripting

Exploit Title: WordPress Plugin All In One Favicon = 4.6 - Authenticated Multiple XSS Persistent Date: 2018-07-10 Exploit Author: Javier Olmedo Website: https://hackpuntes.com/ Vendor Homepage: http://www.techotronic.de/ Software Link: https://wordpress.org/plugins/all-in-one-favicon/ Version/s:...

Google Chrome - SwiftShader OpenGL Texture Bindings Reference Count Leak

getRenderTarget; if!renderTarget ERR"Failed to retrieve the render target."; return errorGLOUTOFMEMORY; ifimagelevel imagelevel-release; imagelevel = egl::Image::createthis, width, height, internalformat; if!imagelevel return errorGLOUTOFMEMORY; ifwidth != 0 && height != 0 sw::SliceRect...

Google Chrome - Swiftshader Blitting Floating-Point Precision Errors

getInternalFormat == FORMATNULL return; ifblitReactorsource, sourceRect, dest, destRect, options return; SliceRectF sRect = sourceRect; SliceRect dRect = destRect; bool flipX = destRect.x0 destRect.x1; bool flipY = destRect.y0 destRect.y1; ifflipX swapdRect.x0, dRect.x1; swapsRect.x0, sRect.x1;...

Linux - BPF Sign Extension Local Privilege Escalation (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Linux BPF Sign Extension Local Privilege Escalation', 'Description' = %q Linux kernel prior to 4.14.8 utilizes the Berkeley Packet Filter BPF whi...

FTP2FTP 1.0 - Arbitrary File Download

Exploit Title: FTP2FTP 1.0 - Arbitrary File Download Dork: N/A Date: 18.07.2018 Exploit Author: Özkan Mustafa Akkuş AkkuS Vendor Homepage: https://codecanyon.net/item/ftp2ftp-server-to-server-file-transfer-php-script/21972395 Version: 1.0 Category: Webapps Tested on: Kali linux Description : The...

Smart SMS & Email Manager 3.3 - 'contact_type_id' SQL Injection

Exploit Title: Smart SMS & Email Manager v3.3 - SQL Injection Google Dork: N/A Date: 17.07.2018 Exploit Author: Özkan Mustafa Akkuş AkkuS Vendor Homepage: https://codecanyon.net/item/smart-sms-email-manager-ssem/14817919 Version: 3.3 Tested on: Kali linux...

Open-AudIT Community 2.1.1 - Cross-Site Scripting

Exploit Title: Open-AudIT Community - 2.1.1 - Cross Site Scripting Vulnerability Google Dork:NA Exploit Author: Ranjeet Jaiswal Vendor Homepage: https://opmantek.com/ Software Link:http://dl-openaudit.opmantek.com/OAE-Win-x8664- release2.2.1.exe Affected Version: 2.1.1 Category: WebApps Tested on...

HomeMatic Zentrale CCU2 - Remote Code Execution

Exploit Title: HomeMatic Zentrale CCU2 Unauthenticated RCE Date: 16-07-2018 Software Link: https://www.homematic.com/ Exploit Author: Kacper Szurek - ESET Contact: https://twitter.com/KacperSzurek Website: https://security.szurek.pl/ YouTube: https://www.youtube.com/c/KacperSzurek Category: remot...

Modx Revolution < 2.6.4 - Remote Code Execution

Exploit Title: Modx Revolution ' if requests.get target + '/connectors/system/phpthumb.php', verify=verify.statuscode != 404: printFore.GREEN + '/connectors/system/phpthumb.php - found' url = target + '/connectors/system/phpthumb.php' payload = 'ctx': 'web', 'cachefilename': '../../payload.php'...

Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Default Credentials

Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Default Credentials Vendor: Microhard Systems Inc. Product web page: http://www.microhardcorp.com Affected version: IPn4G 1.1.0 build 1098 IPn3Gb 2.2.0 build 2160 IPn4Gb 1.1.6 build 1184-14 IPn4Gb 1.1.0 Rev 2 build 1090-2 IPn4Gb 1.1.0 R...

Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Remote Root

Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Remote Root Exploit Vendor: Microhard Systems Inc. Product web page: http://www.microhardcorp.com Affected version: IPn4G 1.1.0 build 1098 IPn3Gb 2.2.0 build 2160 IPn4Gb 1.1.6 build 1184-14 IPn4Gb 1.1.0 Rev 2 build 1090-2 IPn4Gb 1.1.0 R...

Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Configuration Download

Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Configuration Download Vendor: Microhard Systems Inc. Product web page: http://www.microhardcorp.com Affected version: IPn4G 1.1.0 build 1098 IPn3Gb 2.2.0 build 2160 IPn4Gb 1.1.6 build 1184-14 IPn4Gb 1.1.0 Rev 2 build 1090-2 IPn4Gb 1.1....

Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Cross-Site Request Forgery

Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway CSRF Vulnerabilities Vendor: Microhard Systems Inc. Product web page: http://www.microhardcorp.com Affected version: IPn4G 1.1.0 build 1098 IPn3Gb 2.2.0 build 2160 IPn4Gb 1.1.6 build 1184-14 IPn4Gb 1.1.0 Rev 2 build 1090-2 IPn4Gb 1.1.0...

Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - File Manipulation

Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Arbitrary File Attacks Vendor: Microhard Systems Inc. Product web page: http://www.microhardcorp.com Affected version: IPn4G 1.1.0 build 1098 IPn3Gb 2.2.0 build 2160 IPn4Gb 1.1.6 build 1184-14 IPn4Gb 1.1.0 Rev 2 build 1090-2 IPn4Gb 1.1....

Linux/x64 - Reverse (::1:1337/TCP) + IPv6 + Password (pwnd) Shellcode (115 bytes)

Linux/x64 - Reverse ::1:1337/TCP + IPv6 + Password pwnd Shellcode 115 bytes. Shellcode exploit for Linuxx86-64 platform / ; Title : Reverse Shell IPv6 with Password - Shellcode ; Author : Hashim Jawad @ihack4falafel ; OS : Linux kali 4.15.0-kali2-amd64 1 SMP Debian 4.15.11-1kali1 2018-03-21 x8664...

Nanopool Claymore Dual Miner - APIs Remote Code Execution (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core/exploit/powershell' class MetasploitModule 'Nanopool Claymore Dual Miner APIs RCE', 'Description' = %q This module takes advantage of miner remote...

Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Denial of Service

Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Service Control DoS Vendor: Microhard Systems Inc. Product web page: http://www.microhardcorp.com Affected version: IPn4G 1.1.0 build 1098 IPn3Gb 2.2.0 build 2160 IPn4Gb 1.1.6 build 1184-14 IPn4Gb 1.1.0 Rev 2 build 1090-2 IPn4Gb 1.1.0 R...

QNAP Q'Center - 'change_passwd' Command Execution (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "QNAP Q'Center changepasswd Command Execution", 'Description' = %q This module exploits a command injection vulnerability in the changepasswd API...

Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Restricted Shell Escape

Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Backdoor Jailbreak Vendor: Microhard Systems Inc. Product web page: http://www.microhardcorp.com Affected version: IPn4G 1.1.0 build 1098 IPn3Gb 2.2.0 build 2160 IPn4Gb 1.1.6 build 1184-14 IPn4Gb 1.1.0 Rev 2 build 1090-2 IPn4Gb 1.1.0 Re...

PrestaShop < 1.6.1.19 - 'AES CBC' Privilege Escalation

!/usr/bin/env python3 PrestaShop = 1.6.1.19 AES Rijndael / opensslencrypt Cookie Read Charles Fol See https://ambionics.io/blog/prestashop-privilege-escalation This POC will reveal the content of an employee's cookie. By modifying it one can read/write any PrestaShop cookie. It is a simple paddin...