TrendMicro OfficeScan XG 11.0 - Change Prevention Bypass

Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/TRENDMICRO-OFFICESCAN-XG-v11.0-UNAUTHORIZED-CHANGE-PREVENTION-SERVICE-BYPASS.txt + ISR: Apparition Security Greetz: indoushka|Eduardo|Dirty0tis Vendor: =============...

Gnome Web (Epiphany) < 3.28.2.1 - Denial of Service

Title: Gnome Web/Epiphany Browser libephymain.so in GNOME WEB/Epiphany PoC: b1tch3z = window.open"https://www.google.com", "bl1ngbl1ng", "width=250,height=250"; b1tch3z.document.write"ua b1tch3z"; // https://github.com/undergroundagency // https://github.com/ldpreload Video PoC:...

Linux/ARM - Egghunter (0x50905090) + execve('/bin/sh') Shellcode (60 bytes)

Linux/ARM - Egghunter 0x50905090 + execve'/bin/sh' Shellcode 60 bytes. Shellcode exploit for ARM platform / Title: Linux/ARM - Memsafe egghunter 0x50905090 + execve"/bin/sh". Null free shellcode 60 bytes Date: 2018-06-06 Tested: armv7l Raspberry Pi v3 and armv6l Raspberry Pi Zero W Author: rtmcx ...

WebRTC - VP9 Frame Processing Out-of-Bounds Memory Access

There is a missing check in VP9 frame processing that could lead to memory corruption. In the file videocoding/rtpframereferencefinder.cc, the function RtpFrameReferenceFinder::ManageFrameVp9 fetches the GofInfo based on a picidx parsed from the incoming packet header. If the incoming frame is of...

Splunk < 7.0.1 - Information Disclosure

Exploit Title: Splunk 7.0.1 - Information Disclosure Date: 2018-05-23 Exploit Author: KoF2002 Vendor Homepage: https://www.splunk.com/ Version: 6.2.3 - 7.01 MAYBE ALL VERSION AFFECTED Tested on: Linux OS CVE : CVE-2018-11409 Splunk through 6.2.3 7.0.1 allows information disclosure by appending...

WebKit - Use-After-Free when Resuming Generator

!-- In WebKit, resuming a generator is implemented in JavaScript. An internal object property, @generatorState is used to prevent recursion within generators. In GeneratorPrototype.js, the state is checked by calling: var state = this.@generatorState; and set by calling: generator.@generatorState...

Google Chrome - Integer Overflow when Processing WebAssembly Locals

/ When v8 decodes the locals of a function, it performs a check: if count + typelist-size kV8MaxWasmFunctionLocals decoder-errordecoder-pc - 1, "local count too large"; return false; On a 32-bit platform, this check can be bypassed due to an integer overflow. This allows the number of function...

WebRTC - VP9 Missing Frame Processing Out-of-Bounds Memory Access

There is a missing check in VP9 frame processing that could lead to memory corruption. In the file videocoding/rtpframereferencefinder.cc, the function RtpFrameReferenceFinder::MissingRequiredFrameVp9 contains the following code: sizet temporalidx = info.gof-temporalidxgofidx; ... for sizet l = 0...

WebKit - WebAssembly Compilation Info Leak

arrayBufferView-vector : staticcastarrayBuffer-impl-data; If the source buffer is a view DataView or TypedArray, arrayBufferView-vector is returned. The vector method returns the start of the data in the buffer, including any offset. However, the function createSourceBufferFromValue copies the...

Monstra CMS < 3.0.4 - Cross-Site Scripting (1)

Title: Monstra CMS www.target.com' url = input'Target : ' print' Required admin's PHPSESSID.' PHPSESSID = input'PHPSESSID : ' pagename = input'Pagename : ' script = input'Script : ' target = 'http://' + url + '/admin/index.php?id=pages&action=addpage' cookie = 'PHPSESSID':PHPSESSID data =...

WordPress Plugin Contact Form Maker 1.12.20 - SQL Injection

Title: WordPress Contact Form Maker Plugin 1.12.20 - SQL Injection Date: 2018-06-07 Author: Neven Biruski Software: WordPress Contact Form Maker plugin Software link: https://wordpress.org/plugins/contact-form-maker/ Version: 1.12.20 and below The easiest way to reproduce the SQL injection...

Ftp Server 1.32 - Credential Disclosure

Exploit Title: Ftp Server 1.32 - Credential Disclosure Date: 2018-05-29 Software Link: https://play.google.com/store/apps/details?id=com.theolivetree.ftpserver Version: 1.32 Android App Vendor: The Olive Tree Exploit Author: ManhNho CVE: N/A Category: Mobile Apps Tested on: Android 4.4 Descriptio...

WordPress Plugin Form Maker 1.12.24 - SQL Injection

Title: WordPress Form Maker Plugin 1.12.24 - SQL Injection Date: 2018-06-07 Author: Neven Biruski Software: WordPress Form Maker plugin https://wordpress.org/plugins/form-maker/ Version: 1.12.24 and below Vendor Status: Vendor contacted, update released The easiest way to reproduce the SQL...

WampServer 3.0.6 - Cross-Site Request Forgery

Exploit Title: WampServer 3.0.6 - Cross-Site Request Forgery Date: 2018-06-11 Exploit Author: L0RD Software Link: https://ufile.io/gpqh9 Vendor Homepage: http://www.wampserver.com/en/ Version: 3.0.6 - 64bit Tested on: Win 10 Description : An issue was discovered in WampServer 3.0.6 which allows a...

Apple macOS Kernel - Use-After-Free Due to Lack of Locking in nvidia GeForce Driver

/ nvDevice::SetAppSupportBits is external method 0x107 of the nvAccelerator IOService. It calls taskdeallocate without locking. Two threads can race calling this external method to drop two task references when only one is held. Note that the repro forks a child which give the nvAccelerator a...

XNU Kernel - Heap Overflow Due to Bad Bounds Checking in MPTCP

mptcpusrconnectx is the handler for the connectx syscall for the APMULTIPATH socket family. The logic of this function fails to correctly handle source and destination sockaddrs which aren't AFINET or AFINET6: // verify salen for AFINET: if dst-safamily == AFINET && dst-salen !=...

Apple macOS/iOS Kernel - Heap Overflow Due to Lack of Lower Size Check in getvolattrlist

/ getvolattrlist takes a user controlled bufferSize argument via the fgetattrlist syscall. When allocating a kernel buffer to serialize the attr list to there's the following comment: / Allocate a target buffer for attribute results. Note that since we won't ever copy out more than the caller...

PHP 7.2.2 - 'php_stream_url_wrap_http_ex' Buffer Overflow

Description: ------------ The latest PHP distributions contain a memory corruption bug while parsing malformed HTTP response packets. Vulnerable code at: phpstreamurlwraphttpex /home/weilei/php-7.2.2/ext/standard/httpfopenwrapper.c:723 if tmplinetmplinelen - 1 == '\n' --tmplinelen; if...

Canon MF210/MF220 - Authenticaton Bypass

Canon MF210/MF220 - Authenticaton Bypass. CVE-2018-11711. Webapps exploit for Hardware platform Exploit Title: Incorrect Access Control in Canon MF210 & MF220 Series Date: 4.6.2018 Exploit Author: Huy Kha Vendor Homepage: http://global.canon.com Software Link: Website Version: MF210 & MF20 Series...

Canon LBP6650/LBP3370/LBP3460/LBP7750C - Authenticaton Bypass

Canon LBP6650/LBP3370/LBP3460/LBP7750C - Authenticaton Bypass. CVE-2018-11692. Webapps exploit for Hardware platform Exploit Title: Incorrect Access Control in Canon LBP6650, LBP3370, LBP3460, LBP7750C Date: 3.6.2018 Exploit Author: Huy Kha Vendor Homepage: http://global.canon.com Software Link:...

Jenkins Mailer Plugin < 1.20 - Cross-Site Request Forgery (Send Email)

Exploit Title : Jenkins mailer plugin \ '+table'covermessage'+'' s = smtplib.SMTPtable'smtpserver' s.starttls s.logintable'lid', table'lpw' s.sendmailmsg'From', msg'To', msg.asstring def urlset : url = strinput"Jenkins Server's UR...

10-Strike Network Inventory Explorer 8.54 - Local Buffer Overflow (SEH)

Exploit Title : 10-Strike Network Inventory Explorer 8.54 - Local Buffer Overflow SEH Exploit Author : Hashim Jawad - ihack4falafel Vendor Homepage : https://www.10-strike.com/ Vulnerable Software: https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe Tested on : Windows ...

10-Strike Network Scanner 3.0 - Local Buffer Overflow (SEH)

Exploit Title: 10-Strike Network Scanner 3.0 - Local Buffer Overflow SEH Exploit Author: Hashim Jawad - ihack4falafel Date: 2018-06-05 Vendor Homepage: https://www.10-strike.com/ Vulnerable Software: https://www.10-strike.com/network-scanner/network-scanner.exe Tested on: Windows XP Professional ...

Pagekit < 1.0.13 - Cross-Site Scripting Code Generator

Title: Pagekit ' + code + '' f = openname, 'w+' f.writecode f.close if name == 'main': print''' / \ \ / / | | \ / / | / / | | / / | || | | | \ \ / /| | | | | | |/ \ | | | | ' | || | | | \ V / | ||/ /| || | | || | | | | | | / || ||/||/ |||/ / || Author : DEEPIN2Junseo Lee''' print' enter...

Clone2GO Video converter 2.8.2 - Buffer Overflow

!/usr/bin/python ---------------------------------------------------------------------------------------------------------------------- Exploit Title : Clone 2 GO Video converter 2.8.2 Unicode Buffer Overflow Remote Code Execution Exploit Author : Gokul Babu Organisation : Arridae Infosec P.V Ltd...

WebKitGTK+ < 2.21.3 - Crash (PoC)

Title: WebKitGTK+ win = window.open"sleeponesecond.php", "WIN"; window.open"https://www.paypal.com", "WIN"; win.document.execCommand'Stop'; win.document.write"Spoofed URL"; win.document.close; Backtrace using fedora 27: 0 WTF::StringImpl::rawHash at...

10-Strike Network Inventory Explorer 8.54 - 'Registration Key' Buffer Overflow (SEH)

Exploit Title: 10-Strike Network Inventory Explorer 8.54 - 'Registration Key' Buffer Overflow SEH Exploit Author: Hashim Jawad - ihack4falafelx Date: 2018-06-05 Vendor Homepage: https://www.10-strike.com/ Vulnerable Software:...

MyBB Recent Threads Plugin 1.0 - Cross-Site Scripting

Exploit Title: MyBB Recent Threads Plugin v1.0 - Cross-Site Scripting Date: 6/2/2018 Author: 0xB9 Twitter: @0xB9Sec Contact: 0xB9atpm.me Software Link: https://community.mybb.com/mods.php?action=view&pid=842 Version: 1.0 Tested on: Ubuntu 18.04 CVE: CVE-2018-11715 1. Description: Creates a page...

Linux Kernel < 4.16.11 - 'ext4_read_inline_data()' Memory Corruption

ext4 can store data for small regular files as "inline data", meaning that the data is stored inside the corresponding inode instead of in separate blocks. Inline data is stored in two places: The first 60 bytes go in the iblock field in the inode which normally contains a list of blocks instead,...

WebKit - not_number defineProperties UAF (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'WebKit notnumber defineProperties UAF', 'Description' = %q This module exploits a UAF vulnerability in WebKit's JavaScriptCore library. , 'Licens...

CyberArk < 10 - Memory Disclosure

Exploit Title: CyberArk 10 - Memory Disclosure Date: 2018-06-04 Exploit Author: Thomas Zuk Vendor Homepage: https://www.cyberark.com/products/privileged-account-security-solution/enterprise-password-vault/ Version: 9.7 and 10 Tested on: Windows 2008, Windows 2012, Windows 7, Windows 8, Windows 10...

SearchBlox 8.6.7 - XML External Entity Injection

Exploit Title: SearchBlox 8.6.7 Out-Of-Band XML eXternal Entity OOB-XXE Exploit Author: Ahmet GUREL, Canberk BOLAT Software Link: https://www.searchblox.com/ Version: = SearchBlox Version 8.6.7 Platform: Java Tested on: Windows CVE: CVE-2018-11586 1. DETAILS An XML External Entity attack is a typ...

EMS Master Calendar < 8.0.0.20180520 - Cross-Site Scripting

Exploit Title: EMS Master Calendar alert'XSS'xyz...

Microsoft Windows - UAC Protection Bypass (Via Slui File Handler Hijack) (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core/exploit/exe' require 'msf/core/exploit/powershell' class MetasploitModule 'Windows UAC Protection Bypass Via Slui File Handler Hijack', 'Description' =...

Brother HL Series Printers 1.15 - Cross-Site Scripting

Exploit Title: XSS at Brother HL series printers Date: 30.05.2018 Exploit Author: Huy Kha Vendor Homepage: http://support.brother.com Software Link: Website Version: Brother HL series printers. Tested on: Mozilla FireFox Reflected XSS Payload : "--!" Description : Starting searching for printers...

Zip-n-Go 4.9 - Buffer Overflow (SEH)

!/usr/bin/python ---------------------------------------------------------------------------------------------------------- Exploit Title : Zip-n-Go v4.9 - Local Buffer Overflow SEH Exploit Author : Hashim Jawad - @ihack4falafel Vendor Homepage : http://mc1soft.com/index.shtml Vulnerable Software...

GreenCMS 2.3.0603 - Cross-Site Request Forgery (Add Admin)

Exploit Title: GreenCMS v2.3.0603 CSRF vulnerability add admin Date: 2018-06-02 Exploit Author: xichao Vendor Homepage: https://github.com/GreenCMS/GreenCMS Software Link: https://github.com/GreenCMS/GreenCMS Version: v2.3.0603 CVE : CVE-2018-11671 An issue was discovered in GreenCMS v2.3.0603...

Smartshop 1 - Cross-Site Request Forgery

Exploit Title: Smartshop 1 - Cross site request forgery Date: 2018-06-02 Exploit Author: L0RD or [email protected] Software Link: https://github.com/smakosh/Smartshop/archive/master.zip Vendor Homepage: https://www.behance.net/gallery/49080415/Smartshop-Free-e-commerce-website Version...

GreenCMS 2.3.0603 - Cross-Site Request Forgery / Remote Code Execution

Exploit Title: GreenCMS v2.3.0603 CSRF vulnerability get webshell Date: 2018-06-02 Exploit Author: xichao Vendor Homepage: https://github.com/GreenCMS/GreenCMS Software Link: https://github.com/GreenCMS/GreenCMS Version: v2.3.0603 CVE : CVE-2018-11670 An issue was discovered in GreenCMS v2.3.0603...

Smartshop 1 - 'id' SQL Injection

Exploit Title: Smartshop 1 - SQL Injection Date: 2018-06-02 Exploit Author: L0RD or [email protected] Software Link: https://github.com/smakosh/Smartshop/archive/master.zip Vendor Homepage: https://www.behance.net/gallery/49080415/Smartshop-Free-e-commerce-website Version: 1 Tested on...

Epiphany 3.28.2.1 - Denial of Service

Summary: ephy-session.c in libephymain.so in GNOME Web aka Epiphany through 3.28.2.1 allows remote attackers to cause a denial of service application crash via JavaScript code that triggers access to a NULL URL, as demonstrated by a crafted window.open call, CVE-2018-11396 was assigned to this...

Git < 2.17.1 - Remote Code Execution

Git Vendor Homepage: https://github.com/git/git CVE: CVE-2018-11235 Version: =2.17.1 Tested on Kali Linux P0C: Create two files: pwned.sh: the file which will contain our commands to be executed commit.sh the fole which contain a normal build with a bit of calls to our pwned.sh file add the...

Grid Pro Big Data 1.0 - SQL Injection

Exploit Title: Grid Pro Big Data 1.0 - 'test.php' SQL Injection Dork: N/A Date: 30.05.2018 Exploit Author: Kağan Çapar Vendor Homepage: https://codecanyon.net/item/grid-pro-big-data-table-view-data-grid-with-sort-search-and-filter-for-large-mysql-tables/20395348 Version: 1.0 Category: Webapps...

PHP Dashboards NEW 5.5 - &#039;email&#039; SQL Injection

Exploit Title: PHP Dashboards NEW v5.5 - 'Login' SQL Injection Dork: N/A Date: 31.05.2018 Exploit Author: Kağan Çapar Contact: [email protected] Vendor Homepage: https://codecanyon.net/item/php-dashboards-v50-brand-new-enterprise-edition/21540104 Version: 5.5 Category: Webapps Tested on: Kali...

Linux/x86 - EggHunter + access() Shellcode (38 bytes)

Linux/x86 - EggHunter + access Shellcode 38 bytes. Shellcode exploit for Linuxx86 platform / ; Filename: egghunter.nasm ; Author: Paolo Perego ; Website: https://codiceinsicuro.it ; Blog post: https://codiceinsicuro.it/slae/ ; Twitter: @thesp0nge ; SLAE-ID: 1217 ; Purpose: This is the first stage...

Microsoft Edge Chakra - EntrySimpleObjectSlotGetter Type Confusion

/ function optw, arr arr0 = 1.1; let res = w.event; arr0 = 2.3023e-320; return res; let arr = 1.1; for let i = 0; i ::EntrySimpleObjectSlotGetter 00007fffd5cf3d50 // w.event 000001a880001235 48ffd0 call rax 000001a880001238 488b8e30bdf0ff mov rcx,qword ptr rsi-0F42D0h 000001a88000123f f2480f10415...

TAC Xenta 511/911 - Directory Traversal

Exploit Title: TAC Xenta 511 and 911 Credentials Disclosure Date: 25.05.2018 Exploit Author: Marek Cybul Vendor Homepage: https://download.schneider-electric.com/files?pFileName=TACXenta911SDS-XENTA911.pdf Version: 5.17 Schneider Electric TAC Xenta 911 and 511 PLCs Directory traversal in help...

Linux/ARM - Egghunter + /bin/sh Shellcode (32 bytes)

Linux/ARM - Egghunter + /bin/sh Shellcode 32 bytes. Shellcode exploit for ARM platform / Linux/ARM Raspberry Pi - Egghunter + /bin/sh Shellcode 32 bytes ------------------------------ // If your shellcode in higer address, use following egghunter. pi@raspberrypi: $ cat egghunter-higher.s .section...

New STAR 2.1 - SQL Injection / Cross-Site Scripting

Exploit Title: New STAR 2.1 - SQL Injection / Cross-Site Scripting Dork: N/A Date: 30.05.2018 Exploit Author: Kağan Çapar Contact: [email protected] Vendor Homepage: https://codecanyon.net/item/new-star-listen-youtube-music/7486113 Version: 2.1 Category: Webapps Tested on: Kali Linux Descripti...

Linux/x86 - Bind (4444/TCP) Shell Shellcode (105 bytes)

Linux/x86 - Bind 4444/TCP Shell Shellcode 105 bytes. Shellcode exploit for Linuxx86 platform / ; Filename: tcpbindshellcodelight.nasm ; Author: Paolo Perego ; Website: https://codiceinsicuro.it ; Twitter: @thesp0nge ; SLAE-ID: 1217 ; Purpose: binds on TCP port 4444 and spawn a shell on incoming...