VelotiSmart WiFi B-380 Camera - Directory Traversal
Title: Vulnerability in VelotiSmart Wifi - Directory Traversal Date: 12-07-2018 Scope: Directory Traversal Platforms: Unix Author: Miguel Mendez Z Vendor: VelotiSmart Version: B380 CVE: CVE-2018-14064 Vulnerability description ------------------------- - The vulnerability that affects the device ...
Fortify Software Security Center (SSC) 17.x/18.1 - XML External Entity Injection
Details ================ Software: Fortify SSC Software Security Center Version: 17.10, 17.20 & 18.10 Homepage: https://www.microfocus.com Advisory report: https://github.com/alt3kx/CVE-2018-12463 CVE: CVE-2018-12463 at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12463 CVSS: HIGH...
macOS/iOS - JavaScript Injection Bug in OfficeImporter
QuickLook is a widely used feature in macOS/iOS that lets you preview various formats such as PDF, DOCX, PPTX, etc. The way it renders office files is interesting: it first parses the office file, converts it to HTML using OfficeImport, and then renders the result with WebKit. The...
PrestaShop < 1.6.1.19 - 'BlowFish ECD' Privilege Escalation
#!/usr/bin/env python3 PrestaShop <= 1.6.1.19 Privilege Escalation Charles Fol 2018-07-10 See https://ambionics.io/blog/prestashop-privilege-escalation The condition for this exploit to work is for an employee to have the same password as a customer. The exploit will yield a valid employee cookie f...
Linux/ARM - Bind (1234/TCP) Shell (/bin/sh) Shellcode (104 bytes)
Linux/ARM - Bind 1234/TCP Shell /bin/sh Shellcode 104 bytes. Shellcode exploit for ARM platform /* Copyright © 2017 Odzhan. All Rights Reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1...
Microsoft Enterprise Mode Site List Manager - XML External Entity Injection
Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-ENTERPRISE-MODE-SITE-LIST-MANAGER-XXE.txt + ISR: Apparition Security Greetz: indoushka | Eduardo Vendor ============= www.microsoft Product ===========...
Linux (Ubuntu) - Other Users coredumps Can Be Read via setgid Directory and killpriv Bypass
/* Note: I am both sending this bug report to [email protected] and filing it in the Ubuntu bugtracker because I can't tell whether this counts as a kernel bug or as a Ubuntu bug. You may wish to talk to each other to determine the best place to fix this. I noticed halfdog's old writeup at...
WordPress Plugin Job Manager 4.1.0 - Cross-Site Scripting
Exploit Title: Wordpress Plugin Job Manager v4.1.0 Stored Cross Site Scripting Google Dork: N/A Date: 2018-07-15 Exploit Author: Berk Dusunur & Selimcan Ozdemir Vendor Homepage: https://wpjobmanager.com Software Link: https://downloads.wordpress.org/plugin/wp-job-manager.latest-stable.zip Affecte...
G DATA Total Security 25.4.0.3 - ActiveX Buffer Overflow
'for debugging/custom prolog targetFile = "C:\Program Files\G DATA\TotalSecurity\ASK\GDASpam.dll" prototype = "Function IsBlackListed ByVal strIP As String As Long" memberName = "IsBl...
Grundig Smart Inter@ctive 3.0 - Cross-Site Request Forgery
Exploit Title: Grundig Smart Inter@ctive 3.0 - Cross-Site Request Forgery Date: 2018-07-§3 Exploit Author: Ahmethan-Gultekin - t4rkd3vilz Vendor Homepage: https://www.grundig.com/ Software Link: https://play.google.com/store/apps/details?id=arcelik Version: Before Smart Inter@ctive 3.0 Tested on:...
Cela Link CLR-M20 2.7.1.6 - Arbitrary File Upload
Exploit Title: Cela Link CLR-M20 2.7.1.6 - Arbitrary File Upload Date: 2018-07-13 Shodan Dork: CLR-M20 Exploit Author: Safak Aslan Software Link: http://www.celalink.com Version: 2.7.1.6 CVE: CVE-2018-15137 Authentication Required: No Tested on: Windows Vulnerability Description Due to the Via WebDAV...
Apache CouchDB - Arbitrary Command Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Apache CouchDB Arbitrary Command Execution', 'Description' => %q CouchDB administrative users can configure the database server via HTTPS. Some of...
Hadoop YARN ResourceManager - Command Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Hadoop YARN ResourceManager Unauthenticated Command Execution', 'Description' => %q This module exploits an unauthenticated command execution...
phpMyAdmin - (Authenticated) Remote Code Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'phpMyAdmin Authenticated Remote Code Execution', 'Description' => %q phpMyAdmin v4.8.0 and v4.8.1 are vulnerable to local file inclusion, which ca...
QNAP Qcenter Virtual Appliance - Multiple Vulnerabilities
Core Security - Corelabs Advisory http://corelabs.coresecurity.com/ QNAP Qcenter Virtual Appliance Multiple Vulnerabilities 1. Advisory Information Title: QNAP Qcenter Virtual Appliance Multiple Vulnerabilities Advisory ID: CORE-2018-0006 Advisory URL:...
Manage Engine Exchange Reporter Plus - Remote Code Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Manage Engine Exchange Reporter Plus Unauthenticated RCE', 'Description' => %q This module exploits a remote code execution vulnerability that...
Zeta Producer Desktop CMS 14.2.0 - Remote Code Execution / Local File Disclosure
SEC Consult Vulnerability Lab Security Advisory ======================================================================= title: Remote Code Execution & Local File Disclosure product: Zeta Producer Desktop CMS vulnerable version: <=14.2.1 CVE number: CVE-2018-13981, CVE-2018-13980 impact: critical...
WAGO e!DISPLAY 7300T - Multiple Vulnerabilities
SEC Consult Vulnerability Lab Security Advisory ======================================================================= title: Remote code execution via multiple attack vectors product: WAGO e!DISPLAY 7300T - WP 4.3 480x272 PIO1 vulnerable version: FW 01 - 01.01.1001 fixed version: FW 02 CVE...
Microsoft Windows - POP/MOV SS Local Privilege Elevation (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core/post/common' require 'msf/core/post/file' require 'msf/core/post/windows/priv' require 'msf/core/post/windows/registry' require 'msf/core/exploit/exe'...
Microsoft Edge Chakra JIT - BoundFunction::NewInstance Out-of-Bounds Read
/* BoundFunction::NewInstance is used to handle calls to a bound function. The method first allocates a new argument array, copies the prepended arguments and the others into that new array, and then calls the actual function. The problem is that it doesn't take the CallFlagsExtraArg flag into account, which...
Microsoft Edge Chakra JIT - Out-of-Bounds Reads/Writes
/* It seems that this issue is similar to issue 1429 (MSRC 42111). You might need to refresh the page several times to observe a crash. PoC: */ let arr = new Uint32Array(1000); for (let i = 0; i < 0x1000000; i++) { for (let j = 0; j < 1; j++) { i--; i++; } arr[i] = 0x1234; ...
Microsoft Edge Chakra JIT - Type Confusion with Hoisted SetConcatStrMultiItemBE Instructions
/* Here's a PoC: */ function optstr for let i = 0; i .var s9.var = LdSlot s32s18l53.var s7.var = LdSlot s20s18l51.var s8.var = LdSlot s19s18l52.var s1Object.var = LdA 0x7FFFF47A0000 GlobalObjectObject.var s2.var = LdCAI4 0 0x0.i32 s3.var = LdCAI4 200 0xC8.i32 s4.var = LdCAI4 1 0x1.i32 s5String.var ...
Awk to Perl 1.007-5 - Buffer Overflow (PoC)
Exploit Title: Awk to Perl 1.007-5 - Buffer Overflow PoC Author: Todor Donev Date: 2018-07-11 Software: Linux Awk to Perl Translator '/usr/bin/a2p' Version: 1.007-5 CVE: N/A Tested on: CentOS 6.9, Ubuntu 10 todor@adamantium $ python -c "print 'A'*2070" | a2p > /dev/null Segmentation fault...
Dicoogle PACS 2.5.0 - Directory Traversal
Exploit Title: Dicoogle PACS 2.5.0 - Directory Traversal Date: 2018-05-25 Software Link: http://www.dicoogle.com/home Version: Dicoogle PACS 2.5.0-201712291522 Category: webapps Tested on: Windows 2012 R2 Exploit Author: Carlos Avila Contact: http://twitter.com/badboynt 1. Description Dicoogle is...
Instagram-Clone Script 2.0 - Cross-Site Scripting
Exploit Title: Instagram-clone Script 2.0 - Cross-Site Scripting Date: 2018-07-10 Exploit Author: L0RD Vendor Homepage: https://github.com/yTakkar/Instagram-clone Version: 2.0 CVE: CVE-2018-13849 Tested on: Kali linux POC : Persistent Cross site scripting : vulnerable file : editrequests.php...
IBM QRadar SIEM - Remote Code Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'securerandom' class MetasploitModule 'IBM QRadar SIEM Unauthenticated Remote Code Execution', 'Description' => %q IBM QRadar SIEM has three vulnerabilities in th...
JavaScript Core - Arbitrary Code Execution
// Load Int library, thanks saelo! load('util.js'); load('int64.js'); // Helpers to convert from float to int in a few random places var conva = new ArrayBuffer(8); var convf = new Float64Array(conva); var convi = new Uint32Array(conva); var convi8 = new Uint8Array(conva); var floatarrmagic = new...
D-Link DIR601 2.02 - Credential Disclosure
Exploit title: D-Link DIR601 2.02NA - Credential disclosure Date: 2018-07-10 Exploit Author: Richard Rogerson Vendor Homepage: http://ca.dlink.com/ Software Link: http://support.dlink.ca/ProductInfo.aspx?m=DIR-601 Version: <= 2.02NA Tested on: D-Link DIR601 Firmware 2.02NA Contact:...
Elektronischer Leitz-Ordner 10 - SQL Injection
Title: Elektronischer Leitz-Ordner 10 - SQL Injection Author: Jens Regel, Schneider & Wulf EDV-Beratung GmbH & Co. KG Software: https://www.elo.com/en-de/ CVE: N/A Affected Products: ELOenterprise 10 ELO Access Manager <= 10.17.120 ELOenterprise 9 ELO Access Manager <= 9.17.120 ELOprofessional 10 E...
WolfSight CMS 3.2 - SQL Injection
Exploit Title: WolfSight CMS 3.2 - SQL Injection Google Dork: N/A Date: 2018-07-10 Exploit Author: Berk Dusunur & Zehra Karabiber Vendor Homepage: http://www.wolfsight.com Software Link: http://www.wolfsight.com Version: v3.2 Tested on: Parrot OS / WinApp Server CVE : N/A PoC Sql Injection...
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation
/* Credit @bleidl, this is a slight modification to his original POC https://github.com/brl/grlh/blob/master/get-rekt-linux-hardened.c For details on how the exploit works, please visit https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html Tested on Ubuntu 16.04 with th...
HP VAN SDN Controller - Root Command Injection (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'HP VAN SDN Controller Root Command Injection', 'Description' => %q This module exploits a hardcoded service token or default credentials in HPE VA...
Tor Browser < 0.3.2.10 - Use After Free (PoC)
Exploit Title: Tor Browser - Use After Free PoC Date: 09.07.2018 Exploit Author: t4rkd3vilz Vendor Homepage: https://www.torproject.org/ Software Link: https://www.torproject.org/download/download-easy.html.en Version: Tor 0.3.2.x before 0.3.2.10 Tested on: Kali Linux CVE : CVE-2018-0491 Run...
Activision Infinity Ward Call of Duty Modern Warfare 2 - Buffer Overflow
Exploit Title: Stack-based buffer overflow in Activision Infinity Ward Call of Duty Modern Warfare 2 Date: 14-12-2017 Exploit Author: Maurice Heumann Contact: https://twitter.com/momo5502?lang=en Website: https://momo5502.com/ CVE: CVE-2018-10718 Category: webapps 1. Description By sending a...
HID discoveryd - 'command_blink_on' Remote Code Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'HID discoveryd command_blink_on Unauthenticated RCE', 'Description' => %q This module exploits an unauthenticated remote command execution...
Boxoft WAV to WMA Converter 1.0 - Local Buffer Overflow (SEH)
Exploit Title: Boxoft wav-wma Converter - Local Buffer Overflow SEH Date: 2018-07-08 Software Link: http://www.boxoft.com/wav-to-wma/ Software Version: 1.0 Exploit Author: Achilles Target: Windows 7 x64 CVE: Description: A malicious .wav file causes this vulnerability. Category: Local Exploit buffe...
Umbraco CMS SeoChecker Plugin 1.9.2 - Cross-Site Scripting
Author Information Author : Ahmed Elhady Mohamed twitter : @AhmedELhady Date : 01/07/2018 Software Information Affected Software : SeoChecker Umbraco CMS Plug-in Version: version 1.9.2 Software website : https://soetemansoftware.nl/seo-checker Description SeoChecker Umbraco CMS Plug-in version...
Linux/x86 - Kill Process Shellcode (20 bytes)
Linux/x86 - Kill Process Shellcode 20 bytes. Shellcode exploit for Linux/x86 platform /* Exploit Title: Kill PID shellcode Date: 07/09/2018 Exploit Author: Nathu Nandwani Platform: Linux/x86 Size: 20 bytes Compile: gcc -fno-stack-protector -z execstack killproc.c -o killproc */ #include #include int...
GitList 0.6.0 - Argument Injection (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "GitList v0.6.0 Argument Injection Vulnerability", 'Description' => %q This module exploits an argument injection vulnerability in GitList v0.6.0...
Oracle WebLogic 12.1.2.0 - RMI Registry UnicastRef Object Java Deserialization Remote Code Execution
#!/usr/bin/python # -*- coding: utf-8 -*- from argparse import RawTextHelpFormatter import socket, argparse, subprocess, ssl, os.path HELPMESSAGE = ''' -------------------------------------------------------------------------------------- Developed by bobsecq: [email protected]...
Airties AIR5444TT - Cross-Site Scripting
Exploit Title: Airties AIR5444TT - Cross-Site Scripting Date: 2018-07-06 Exploit Author: Raif Berkay Dincel Vendor Homepage: airties.com Software http://www.airties.com.tr/support/dcenter/ Version: 1.0.0.18 CVE-ID: CVE-2018-8738 Tested on: MacOS High Sierra / Linux Mint / Windows 10 Vulnerable...
PolarisOffice 2017 8 - Remote Code Execution
Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/POLARISOFFICE-2017-v8-REMOTE-CODE-EXECUTION.txt + ISR: Apparition Security Vendor: ============= www.polarisoffice.com Product: =========== PolarisOffice 2017 v8 Polaris...
ADB Broadband Gateways / Routers - Privilege Escalation
SEC Consult Vulnerability Lab Security Advisory ======================================================================= title: Privilege escalation via linux group manipulation product: All ADB Broadband Gateways / Routers based on Epicentro platform vulnerable version: Hardware: ADB P.RG AV4202N...
SoftExpert Excellence Suite 2.0 - 'cddocument' SQL Injection
Exploit Title: SoftExpert Excellence Suite 2.0 - 'cddocument' SQL Injection Author: Seren PORSUK Date: 2018-06-28 Type: webapps Platform: PHP CVE: N/A Vendor Homepage: https://www.softexpert.com/solucao/softexpert-excellence-suite/ DETAILS A SQL injection vulnerability in the SoftExpert SE...
VLC media player 2.2.8 - Arbitrary Code Execution (PoC)
Exploit Title: VLC media player 2.2.8 - Arbitrary Code Execution PoC Date: 2018-06-06 Exploit Author: Eugene Ng Vendor Homepage: https://www.videolan.org/vlc/index.html Software Link: http://download.videolan.org/pub/videolan/vlc/2.2.8/win64/vlc-2.2.8-win64.exe Version: 2.2.8 Tested on: Windows 1...
ADB Broadband Gateways / Routers - Local Root Jailbreak
SEC Consult Vulnerability Lab Security Advisory ======================================================================= title: Local root jailbreak via network file sharing flaw product: All ADB Broadband Gateways / Routers based on Epicentro platform vulnerable version: Hardware: ADB P.RG AV4202...
ADB Broadband Gateways / Routers - Authorization Bypass
SEC Consult Vulnerability Lab Security Advisory ======================================================================= title: Authorization Bypass product: All ADB Broadband Gateways / Routers based on Epicentro platform vulnerable version: Hardware: ADB P.RG AV4202N, DV2210, VV2220, VV5522, etc...
CMS Made Simple 2.2.5 - (Authenticated) Remote Code Execution
Exploit Title: CMS Made Simple 2.2.5 authenticated Remote Code Execution Date: 3rd of July, 2018 Exploit Author: Mustafa Hasan @strukt93 Vendor Homepage: http://www.cmsmadesimple.org/ Software Link: http://www.cmsmadesimple.org/downloads/cmsms/ Version: 2.2.5 CVE: CVE-2018-1000094 import requests...
ShopNx - Arbitrary File Upload
Exploit Title: ShopNx - Angular5 Single Page Shopping Cart Application 1 - Arbitrary File Upload Date: 2018-07-03 Exploit Author: L0RD Email: [email protected] Vendor Homepage: http://codenx.com/ Version: 1 CVE: CVE-2018-12519 Tested on: Win 10...
ManageEngine Exchange Reporter Plus < Build 5311 - Remote Code Execution
Exploit Title: ManageEngine Exchange Reporter Plus <= 5310 Unauthenticated RCE Date: 28-06-2018 Software Link: https://www.manageengine.com/products/exchange-reports/ Exploit Author: Kacper Szurek Contact: https://twitter.com/KacperSzurek Website: https://security.szurek.pl/ YouTube:...