Linux < 4.16.9 / < 4.14.41 - 4-byte Infoleak via Uninitialized Struct Field in compat adjtimex Syscall

/ Commit 3a4d44b61625 "ntp: Move adjtimex related compat syscalls to native counterparts" removed the memset in compatgettimex. Since then, the compat adjtimex syscall can invoke doadjtimex with an uninitialized -tai. If doadjtimex doesn't write to -tai e.g. because the arguments are invalid,...

Apache Struts 2 - Struts 1 Plugin Showcase OGNL Code Execution (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Apache Struts 2 Struts 1 Plugin Showcase OGNL Code Execution', 'Description' = %q This module exploits a remote code execution vulnerability in t...

NodAPS 4.0 - SQL injection / Cross-Site Request Forgery

Exploit Title: Online Booking system - NodAPS 4.0 - 'search' SQL injection / Cross-Site Request Forgery Date: 2018-05-16 Exploit Author: Borna nematzadeh L0RD Vendor Homepage: https://codecanyon.net/item/appointment-management-system-nodaps/16197805?srank=1535 Version: 4.0 Tested on: windows...

Powerlogic/Schneider Electric IONXXXX Series - Cross-Site Request Forgery

Exploit Title: Powerlogic Schneider Electric IONXXXX Series - Cross-Site Request Forgery Date: 2018-05-17 Exploit Author: t4rkd3vilz Vendor Homepage: http://www.schneider-electric.com/ Version: ION73XX series, ION75XX series, ION76XX series, ION8650 series, ION8800 series, PM5XXX series. Tested o...

Jenkins CLI - HTTP Java Deserialization (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule Msf::Exploit::Remote Rank = ExcellentRanking STAGE1 =...

Intelbras NCLOUD 300 1.0 - Authentication bypass

coding: utf-8 Exploit Title: Intelbras NCloud Authentication bypass Date: 16/05/2018 Exploit Author: Pedro Aguiar - [email protected] Vendor Homepage: http://www.intelbras.com.br/ Software Link: http://www.intelbras.com.br/empresarial/wi-fi/para-sua-casa/roteadores/ncloud Version: 1.0 Test...

SuperCom Online Shopping Ecommerce Cart 1 - Persistent Cross-Site scripting / Cross site request forgery / Authentication bypass

Exploit Title: SuperCom Online Shopping Ecommerce Cart 1 - Persistent Cross-Site scripting / Cross site request forgery / Authentication bypass Date: 2018-05-17 Exploit Author: L0RD Vendor Homepage: https://codecanyon.net/item/supercom-online-shopping-ecommerce-cart/17085987?srank=1442 Version: 1...

Nanopool Claymore Dual Miner 7.3 - Remote Code Execution

Exploit Title: Nanopool Claymore Dual Miner = 7.3 Remote Code Execution Date: 2018/02/09 Exploit Author: ReverseBrain Vendor Homepage: https://nanopool.org/ Software Link: https://github.com/nanopool/Claymore-Dual-Miner Version: 7.3 and later Tested on: Windows, Linux CVE : 2018-1000049 Suppose t...

Microsoft Windows - Token Process Trust SID Access Check Bypass Privilege Escalation

Windows: Token Trust SID Access Check Bypass EOP Platform: Windows 10 1709 also tested current build of RS4 Class: Elevation of Privilege Summary: A token’s trust SID isn’t reset when setting a token after process creation allowing a user process to bypass access checks for trust labels...

WordPress Plugin Metronet Tag Manager 1.2.7 - Cross-Site Request Forgery

Press submit on a page containing the following HTML snippet: alert1" !-- In a real attack, the form can be made to autosubmit so the victim only has to follow a link. Mitigations ================ Upgrade to version 1.2.9 or later. Disclosure policy ================ dxw believes in respon...

MyBB Admin Notes Plugin 1.1 - Cross-Site Request Forgery

Exploit Title: MyBB Admin Notes Plugin - CSRF Date: 2018-05-14 Author: 0xB9 Contact: luxorforums.com/User-0xB9 or 0xB9atpm.me Software Link: https://community.mybb.com/mods.php?action=view&pid=1106 Version: 1.1 Tested on: Ubuntu 18.04 1. Description: The plugin allows administrators to save notes...

VirtueMart 3.1.14 - Persistent Cross-Site Scripting

Exploit Title: VirtueMart 3.1.14 - Persistent Cross-Site Scripting Date: 2018-02-25 Software Link: http://virtuemart.net/ Exploit Author: Mattia Furlani CVE: CVE-2018-7465 Category: webapps 1. Description An XSS issue was discovered in VirtueMart before 3.2.14. All the textareas in the admin area...

Horse Market Sell & Rent Portal Script 1.5.7 - Cross-Site Request Forgery

Exploit Title: Horse Market Sell & Rent Portal Script 1.5.7 - Cross-Site Request Forgery Date: 2018-05-15 Exploit Author: L0RD Vendor Homepage: https://codecanyon.net/item/horse-market-sell-rent-portal/14174352?srank=1725 CVE: N/A Version: 1.5.7 Tested on: Kali linux Details: Horse Market Sell &...

Rockwell Scada System 27.011 - Cross-Site Scripting

Exploit Title: Rockwell Scada System - Cross-Site Scripting Date: 2018-05-16 Exploit Author: t4rkd3vilz Vendor Homepage: https://rockwellautomation.com/ Software Link: http://compatibility.rockwellautomation.com/Pages/MultiProductDownload.aspx?famID=4 Version: 1769-L16ER-BB1B, Version 27.011 and...

Multiplayer BlackJack Online Casino Game 2.5 - Cross-Site Scripting

Exploit Title: Multiplayer BlackJack - Online Casino Game 2.5 - Persistent Cross-Site scripting Date: 2018-05-16 Exploit Author: L0RD Vendor Homepage: https://codecanyon.net/item/multiplayer-blackjack-online-casino-game/15411706?srank=1628 CVE: N/A Version: 2.5 Description : Multiplayer BlackJack...

Libuser - 'roothelper' Local Privilege Escalation (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Libuser roothelper Privilege Escalation', 'Description' = %q This module attempts to gain root privileges on Red Hat based Linux systems, includi...

WhatsApp 2.18.31 - Memory Corruption

!/usr/bin/env python -- coding: utf-8 -- Exploit Author: Juan Sacco at Exploit Pack - http://www.exploitpack.com This vulnerability has been discovered and exploited using Exploit Pack - Framework Tested on: iPhone 5/6s/X iOS 10 and 11.3 Latest release of iOS at the date of writing this code...

totemomail Encryption Gateway 6.0.0 Build 371 - Cross-Site Request Forgery

Date: 14.05.2018 Introduction: ------------- The totemomail Encryption Gateway protects email communication with any external partner by encryption. It doesn't matter whether you exchange emails with technically savvy communication partners or with those who have neither an appropriate...

Inteno IOPSYS 2.0 < 4.2.0 - 'p910nd' Remote Command Execution

''' Any authenticated user can modify the configuration for it in a way which allows them to read and append to any file as root. This leads to information disclosure and remote code execution. This vulnerability has been assigned the CVE ID: CVE-2018-10123. This PoC requires Python 3.6 and a...

RSA Authentication Manager 8.2.1.4.0-build1394922 / < 8.3 P1 - XML External Entity Injection / Cross-Site Flashing / DOM Cross-Site Scripting

SEC Consult Vulnerability Lab Security Advisory ======================================================================= title: XXE & XSS vulnerabilities product: RSA Authentication Manager vulnerable version: 8.2.1.4.0-build1394922, 8.3 P1 fixed version: 8.3 P1 and later CVE number: CVE-2018-1247...

Linux/x86 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) Shellcode (96 Bytes)

Linux/x86 - Reverse 127.0.0.1:4444/TCP Shell /bin/sh Shellcode 96 Bytes. Shellcode exploit for Linuxx86 platform / ; Title: Linux/x86 - TCP reverse shell ; Author: Paolo Perego ; Website: https://codiceinsicuro.it ; Blog post: https://codiceinsicuro.it/slae/assignment-2-create-a-reverse-shellcode...

XATABoost 1.0.0 - SQL Injection

Exploit Title: XATABoost CMS Sql Injection Google Dork: inurl:php?id= Powered by XATABOOST Date: 02.01.2018 Exploit Author: MgThuraMoeMyint Vendor Homepage: http://www2.xataboost.com Version: 1.0.0 Tested on: Kali Linux SQL Injection Type: Union Based Example URL:...

2345 Security Guard 3.7 - '2345NsProtect.sys' Denial of Service

Exploit Title: BSOD by IOCTL 0x8000200D in 2345NsProtect.sys of 2345 Security Guard 3.7 Date: 20180513 Exploit Author: anhkgg Vendor Homepage: http://safe.2345.cc/ Software Link: http://dl.2345.cc/2345pcsafe/2345pcsafev3.7.0.9345.exe Version: v3.7 REQUIRED Tested on: Windows X64 CVE : CVE-2018-...

Monstra CMS 3.0.4 - Remote Code Execution

Monstra CMS 3.0.4 - Remote Code Execution. CVE-2018-9037. Webapps exploit for PHP platform Exploit Title: Monstra CMS 3.0.4 Upload Plugin Remote code execution CVE-2018-9037 Date: 2018-05-14 Exploit Author: Jameel Nabbo Vendor Homepage: https://github.com/monstra-cms/monstra Software Link:...

Microsoft Windows 2003 SP2 - 'RRAS' SMB Remote Code Execution

!/usr/bin/env python -- coding: utf-8 -- Tested in Windows Server 2003 SP2 ES - Only works when RRAS service is enabled. The exploited vulnerability is an arbitraty pointer deference affecting the dwVarID field of the MIBOPAQUEQUERY structure. dwVarID sent by the client is used as a pointer to an...

WUZHI CMS 4.1.0 - 'form[qq_10]' Cross-Site Scripting

Exploit Title: WUZHI CMS 4.1.0 XSS Vulnerability Date: 2018-4-23 Exploit Author: jiguang [email protected] Vendor Homepage: https://github.com/wuzhicms/wuzhicms Software Link: https://github.com/wuzhicms/wuzhicms Version: 4.1.0 CVE: CVE-2018-10313 An issue was discovered in WUZHI CMS 4.1.0...

WUZHI CMS 4.1.0 - 'tag[pinyin]' Cross-Site Scripting

Exploit Title: WUZHI CMS 4.1.0 XSS Vulnerability Date: 2018-4-23 Exploit Author: jiguang [email protected] Vendor Homepage: https://github.com/wuzhicms/wuzhicms Software Link: https://github.com/wuzhicms/wuzhicms Version: 4.1.0 CVE: CVE-2018-10311 An issue was discovered in WUZHI CMS 4.1.0...

2345 Security Guard 3.7 - '2345BdPcSafe.sys' Denial of Service

Exploit Title: BSOD by IOCTL 0x002220e0 in 2345BdPcSafe.sys of 2345 Security Guard 3.7 Date: 20180509 Exploit Author: anhkgg Vendor Homepage: http://safe.2345.cc/ Software Link: http://dl.2345.cc/2345pcsafe/2345pcsafev3.7.0.9345.exe Version: v3.7 REQUIRED Tested on: Windows X64 CVE : CVE-2018-...

Open-AudIT Community 2.2.0 - Cross-Site Scripting

Exploit Title: Open-AudIT Community - 2.2.0 – Cross-Site Scripting Exploit Author: Tejesh Kolisetty Vendor Homepage: https://opmantek.com/ Software Link: https://opmantek.com/network-tools-download/ Affected Version: 2.2.0 Category: WebApps Tested on: Win7 Professional CVE : CVE-2018-10314 1...

EMC RecoverPoint 4.3 - 'Admin CLI' Command Injection

Exploit Title: EMC RecoverPoint 4.3 - Admin CLI Command Injection Version: RecoverPoint prior to 5.1.1 RecoverPoint for VMs prior to 5.0.1.3 Date: 2018-05-11 Exploit Author: Paul Taylor Github: https://github.com/bao7uo Tested on: RecoverPoint for VMs 4.3, RecoverPoint 4.4.SP1.P1 CVE: CVE-2018-11...

Open-AudIT Professional - 2.1.1 - Cross-Site Scripting

Exploit Title: Open-AudIT Professional 2.1.1 – Multiple Cross-Site Scripting Exploit Author: Tejesh Kolisetty Vendor Homepage: https://opmantek.com/ Software Link: https://opmantek.com/network-tools-download/ Affected Version: 2.1.1 Category: WebApps Tested on: Win7 Professional CVE : CVE-2018-91...

MyBB Latest Posts on Profile Plugin 1.1 - Cross-Site Scripting

Exploit Title: MyBB Latest Posts on Profile Plugin v1.1 - Cross-Site Scripting Date: 4/20/2018 Author: 0xB9 Contact: luxorforums.com/User-0xB9 or 0xB9atpm.me Software Link: https://community.mybb.com/mods.php?action=view&pid=914 Version: 1.1 Tested on: Ubuntu 17.10 CVE: CVE-2018-10580 1...

Fastweb FASTGate 0.00.47 - Cross-Site Request Forgery

Exploit Title: Fastweb FASTgate 0.00.47 CSRF Date: 09-05-2018 Exploit Authors: Raffaele Sabato Contact: https://twitter.com/syrion89 Vendor: Fastweb Product Web Page: http://www.fastweb.it/adsl-fibra-ottica/dettagli/modem-fastweb-fastgate/ Version: 0.00.47 CVE: CVE-2018-6023 I DESCRIPTION...

Mantis Bug Tracker 1.1.3 - 'manage_proj_page' PHP Code Execution (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Mantis manageprojpage PHP Code Execution', 'Description' = %q Mantis v1.1.3 and earlier are vulnerable to a post-authentication Remote Code...

Linux/x86 - Read /etc/passwd Shellcode (62 bytes)

Linux/x86 - Read /etc/passwd Shellcode 62 bytes. Shellcode exploit for Linuxx86 platform / ; Title : Linux/x86 - Read /etc/passwd Shellcode 62 bytes ; Date : May, 2018 ; Author : Nuno Freitas ; Blog Post : https://bufferoverflowed.wordpress.com/slae32/slae-32-polymorphing-shellcodes/ ; Twitter :...

ModbusPal 1.6b - XML External Entity Injection

Exploit Title: ModbusPal XXE Injection + Date: 05-08-2018 + Exploit Author: Trent Gordon + Vendor Homepage: http://modbuspal.sourceforge.net/ + Software Link: https://sourceforge.net/projects/modbuspal/files/latest/download?source=files + Version: 1.6b + Tested on: Ubuntu 16.04 with Java 1.8.0151...

Dell Touchpad - 'ApMsgFwd.exe' Denial of Service

/ Title: Dell Touchpad - ApMsgFwd.exe Denial Of Service Author: Souhail Hammou Vendor Homepage: https://www.alps.com/ Tested on : Alps Pointing-device Driver 10.1.101.207 CVE: CVE-2018-10828 / include include include / Details: ========== ApMsgFwd.exe belonging to Dell Touchpad, ALPS Touchpad...

Microsoft Windows FxCop 10/12 - XML External Entity Injection

Exploit Title: Microsoft Windows FxCop 10/12 - XML External Entity Injection Date: 2018-03-15 Exploit Author: Debashis Pal Vendor Homepage: www.microsoft.com Version: Microsoft Windows "FxCop" v10-12 CVE : N/A Greetz: indoushka|Eduardo|Dirty0tis Security Issue: ================ FxCop is vulnerabl...

Allok Video Splitter 3.1.12.17 - Denial of Service

Exploit Title: Allok Video Splitter 3.1.1217 Date: 2018-05-09 Exploit Author: Achilles Vendor Homepage: http://www.alloksoft.com/ Vulnerable Software: http://www.alloksoft.com/allokvsplitter.exe Tested on OS: Windows 7 64-bit DE Steps to reproduce: Copy the contents of the file Evil.txt and paste...

Linux/x86 - Bind (9443/TCP) Shell + fork() + Null-Free Shellcode (113 bytes)

Linux/x86 - Bind 9443/TCP Shell + fork + Null-Free Shellcode 113 bytes. Shellcode exploit for Linuxx86 platform / Title: Linux x86 TCP Bind Shell + fork - 113 bytes NULL Free Author: Amine Kanane Student-ID: SLAE - 1203 Desc: Listen for a connection on Local Port 9443 and spawn a command shell Th...

PlaySMS - 'import.php' (Authenticated) CSV File Upload Code Execution (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'PlaySMS import.php Authenticated CSV File Upload Code Execution', 'Description' = %q This module exploits an authenticated file upload remote cod...

PlaySMS 1.4 - 'sendfromfile.php?Filename' (Authenticated) 'Code Execution (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'PlaySMS sendfromfile.php Authenticated "Filename" Field Code Execution', 'Description' = %q This module exploits a code injection vulnerability...

Palo Alto Networks - 'readSessionVarsFromFile()' Session Corruption (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Palo Alto Networks readSessionVarsFromFile Session Corruption', 'Description' = %q This module exploits a chain of vulnerabilities in Palo Alto...

2345 Security Guard 3.7 - '2345NetFirewall.sys' Denial of Service

/ Exploit Title: 2345 Security Guard 3.7 - Denial of Service Date: 2018-05-08 Exploit Author: anhkgg Vendor Homepage: http://safe.2345.cc/ Software Link: http://dl.2345.cc/2345pcsafe/2345pcsafev3.7.0.9345.exe Version: v3.7 Tested on: Windows 7 x86 CVE : CVE-2018-10809 BSOD caused of...

FTPShell Client 6.7 - Buffer Overflow

-- coding: utf-8 -- Exploit Title: FTPShell Client 6.7 - Remote Buffer Overflow Date: 2018-01-03 Exploit Author: Sebastián Castro @r4wd3r Vendor Homepage: http://www.ftpshell.com/index.htm Software Link: http://www.ftpshell.com/download.htm Version: 6.7 Tested on: Windows Server 2008 R2 x64,...

GNU wget - Cookie Injection

GNU Wget Cookie Injection CVE-2018-0494 ========================================= The latest version of this advisory is available at: https://sintonen.fi/advisories/gnu-wget-cookie-injection.txt Overview -------- GNU Wget is susceptible to a malicious web server injecting arbitrary cookies to th...

Linux/x86 - execve(/bin/sh) + NOT Encoded Shellcode (27 bytes)

Linux/x86 - execve/bin/sh + NOT Encoded Shellcode 27 bytes. Shellcode exploit for Linuxx86 platform / ; Title : Execve /bin/sh Shellcode encoded with NOT ; Date : May, 2018 ; Author : Nuno Freitas ; Twitter : @nunof11 ; SLAE ID : SLAE-1112 ; Size : 27 bytes ; Tested on : i686 GNU/Linux section...

HWiNFO 5.82-3410 - Denial of Service

!/usr/bin/python Exploit Author: bzyo Twitter: @bzyo Exploit Title: HWiNFO 5.82-3410 - Denial of Service Date: 05-04-18 Vulnerable Software: HWiNFO 5.82-3410 Vendor Homepage: https://www.hwinfo.com/ Version: 5.82-3410 Software Link: https://www.hwinfo.com/files/hwi582.exe Tested On: Windows 7 x86...

WordPress Plugin User Role Editor < 4.25 - Privilege Escalation

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'WordPress User Role Editor Plugin Privilege Escalation', 'Description' = %q The WordPress User Role Editor plugin prior to v4.25, is lacking an...

DeviceLock Plug and Play Auditor 5.72 - Unicode Buffer Overflow (SEH)

Exploit Title: DeviceLock Plug and Play Auditor 5.72 - Unicode Buffer Overflow SEH Date: 2018-05-04 Exploit Author: Youssef mami Vendor Homepage: https://www.devicelock.com/freeware.html/ Version: 5.72 CVE : CVE-2018-10655 Security Issue: DeviceLock Plug and Play Auditor "DLPnpAuditor.exe" is...