47885 matches found
Sophos UTM 9.410 - 'loginuser' 'confd' Service Privilege Escalation
KL-001-2018-007 : Sophos UTM 9 loginuser Privilege Escalation via confd Service Title: Sophos UTM 9 loginuser Privilege Escalation via confd Service Advisory ID: KL-001-2018-007 Publication Date: 2018.03.02 Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2018-007.txt 1...
Memcached 1.5.5 - 'Memcrashed' Insufficient Control Network Message Volume Denial of Service (2)
Written by Alex Conrey Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44254.zip This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, eithe...
Memcached 1.5.5 - 'Memcrashed' Insufficient Control Network Message Volume Denial of Service (1)
/ memcached-PoC memcached Proof of Concept Amplification via spoofed source UDP packets. Repo includes source code for PoC and approximately 17,000 AMP hosts. memcached.c - Source code https://pastebin.com/raw/ZiUeinae memecache-amp-03-05-2018-rd.list - List of memcached servers as of 03-05-2018...
Xion 1.0.125 - '.m3u' Local SEH-Based Unicode Venetian Exploit
#!/usr/bin/perl Title: Xion 1.0.125 .m3u File Local SEH-based Unicode The “Venetian” Exploit Vulnerability Type: Execute Code, Overflow UTF-16LE buffer, Memory corruption Date: Feb 18, 2018 Author: James Anderson synthetic Original Advisory: http://www.exploit-db.com/exploits/14517 hadji samir...
Netgear - 'TelnetEnable' Magic Packet (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'NETGEAR TelnetEnable', 'Description' => %q{ This module sends a magic packet to a NETGEAR device to enable telnetd. Upon successful connect, a root...
Dup Scout Enterprise 10.5.12 - 'Share Username' Local Buffer Overflow
#!/usr/bin/python Exploit Author: bzyo Twitter: @bzyo Exploit Title: Dup Scout Enterprise 10.5.12 - Local Buffer Overflow Date: 02-22-2018 Vulnerable Software: Dup Scout Enterprise v10.5.12 Vendor Homepage: http://www.dupscout.com Version: 10.5.12 Software Link:...
Suricata < 4.0.4 - IDS Detection Bypass
----------------------------------------------------- Vulnerability Type: Detection Bypass Affected Product: Suricata Vulnerable version: SYN Seq=0 Ack= 0 - Evil Server Client ACK Seq=1 Ack= 84 - Evil Server Client - PSH, ACK Seq=1 Ack= 84 - Evil Server IDS signature checks for tcp stream or http...
ActivePDF Toolkit < 8.1.0.19023 - Multiple Memory Corruptions
ActivePDF Toolkit 8.1.0 multiple RCE Introduction ============ The ActivePDF Toolkit is a Windows library which enhances business processes to stamp, stitch, merge, form-fill, add digital signatures, barcodes to PDF. Both .NET and native APIs are provided. Amongst many other operations, this...
DualDesk 20 - 'Proxy.exe' Denial of Service
Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/DUALDESK-v20-DENIAL-OF-SERVICE.txt + ISR: Apparition Security Vendor: =============== www.dualdesk.com Product: =========== DualDesk v20 DualDesk is powerful, easy to use...
iSumsoft ZIP Password Refixer 3.1.1 - Buffer Overflow
author = ''' Created: ScrR1pTK1dd13 Name: Greg Priest Mail: [email protected] Exploit Title: iSumsoft Local Buffer Overflow Vuln. 0day SEH Date: 2018.03.02 Exploit Author: Greg Priest Version: iSumsoft ZIP Password Refixer Version 3.1.1 Tested on: Windows7 x64 HUN/ENG Professional '''...
D-Link DIR-600M Wireless - Cross-Site Scripting
Exploit Title: D-Link DIR-600M Wireless - Persistent Cross Site Scripting Date: 11.02.2018 Vendor Homepage: http://www.dlink.co.in Hardware Link: http://www.dlink.co.in/products/?pid=DIR-600M Category: Hardware Exploit Author: Prasenjit Kanti Paul Web: http://hack2rule.wordpress.com/ Hardware...
TestLink Open Source Test Management < 1.9.16 - Remote Code Execution
Title: TestLink Open Source Test Management comment out skip-networking as well as bind-address if any present in my.cnf, i.e. change line skip-netw...
antMan < 0.9.1a - Authentication Bypass
Exploit Title: antMan and the password to a url-encoded linefeed %0a, we can force the authentication script to produce return values not anticipated by the developer. To exploit these defects, use a web proxy to intercept the login attempt and modify the POST parameters as follows:...
IrfanView 4.44 Email Plugin - Buffer Overflow (SEH)
#!/usr/bin/python Exploit Author: bzyo Twitter: @bzyo Exploit Title: IrfanView 4.44 Email PlugIn - Local Buffer Overflow SEH Date: 02-07-2018 Vulnerable Software: IrfanView 4.44 Email PlugIn Vendor Homepage: http://www.irfanview.com/ Version: 4.44 Software Link:...
uWSGI < 2.0.17 - Directory Traversal
Exploit Title: uWSGI PHP Plugin Directory Traversal Date: 01-03-2018 Exploit Author: Marios Nicolaides - RUNESEC Reviewers: Simon Loizides and Nicolas Markitanis - RUNESEC Vendor Homepage: https://uwsgi-docs.readthedocs.io Affected Software: uWSGI PHP Plugin before 2.0.17 Tested on: uWSGI 2.0.12...
IrfanView 4.50 Email Plugin - Buffer Overflow (SEH Unicode)
#!/usr/bin/python Exploit Author: bzyo Twitter: @bzyo Exploit Title: IrfanView 4.50 Email PlugIn - Local Buffer Overflow SEH Unicode Date: 02-07-2018 Vulnerable Software: IrfanView 4.50 Email PlugIn Vendor Homepage: http://www.irfanview.com/ Version: 4.50 Software Link:...
SEGGER embOS/IP FTP Server 3.22 - Denial of Service
Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/SEGGER-embOS-FTP-SERVER-v3.22-FTP-COMMANDS-DENIAL-OF-SERVICE.txt + ISR: Apparition Security Vendor: ============= www.segger.com Product: =========== embOS/IP FTP Server v3.22...
Microsoft Windows Kernel (7 x86) - Local Privilege Escalation (MS16-039)
#include #include #include #include #pragma comment(lib, "psapi.lib") #define POCDEBUG 0 #if POCDEBUG == 1 #define POCDEBUGBREAK() getchar() #elif POCDEBUG == 2 #define POCDEBUGBREAK() DebugBreak() #else #define POCDEBUGBREAK() #endif static HBITMAP hBmpHunted = NULL; static HBITMAP hBmpExtend = NULL; static DWORD...
Apple iOS 11.2.5 / watchOS 4.2.2 / tvOS 11.2.5 - 'bluetoothd' Memory Corruption
// // main.m // bluetoothdPoC // // Created by Rani Idan. // Copyright © 2018 zLabs. All rights reserved. // #import "AppDelegate.h" #include extern kern_return_t bootstrap_look_up(mach_port_t bs, const char *service_name, mach_port_t *service); /* When hijacking session between bluetoothd and client, add callba...
Routers2 2.24 - Cross-Site Scripting
Exploit Title: Routers2 2.24 - Reflected Cross-Site Scripting Date: 18-01-18 Vendor Homepage: http://www.steveshipway.org/software/ Software Link: https://github.com/sshipway/routers2 Version: 2.24 CVE: CVE-2018-6193 Platform: Perl Category: webapps Exploit Author: Lorenzo Di Fuccia Contact:...
Joomla! Component K2 2.8.0 - Arbitrary File Download
Joomla! Component K2 2.8.0 - Arbitrary File Download. CVE-2018-7482. Webapps exploit for PHP platform Exploit Title: Joomla! Component K2 2.8.0 - Arbitrary File Download Dork: N/A Date: 26.02.2018 Vendor Homepage: http://www.joomlaworks.net/ Software Link:...
CMS Made Simple 2.1.6 - Remote Code Execution
Exploit Title: CMS Made Simple 2.1.6 - Remote Code Execution Date: 2018-02-26 Exploit Author: Keerati T. Vendor Homepage: http://www.cmsmadesimple.org/ Software Link: http://s3.amazonaws.com/cmsms/downloads/13570/cmsms-2.1.6-install.zip Version: 2.1.6 CVE: CVE-2018-7448 Tested on: Linux...
Microsoft Windows 8.1/2012 R2 - SMBv3 Null Pointer Dereference Denial of Service
Exploit Title: Microsoft Windows SMB Client Null Pointer Dereference Denial of Service Date: 26/02/2018 Exploit Author: Nabeel Ahmed Version: SMBv3 Tested on: Windows 8.1 x86, Windows Server 2012 R2 x64 CVE: CVE-2018-0833 import SocketServer from binascii import unhexlify payload =...
Schools Alert Management Script 2.0.2 - Authentication Bypass
Schools Alert Management Script 2.0.2 - Authentication Bypass. CVE-2018-6859. Webapps exploit for PHP platform Exploit Title: Schools Alert Management Script - 2.0.2 - Authentication Bypass Date: 07.02.2018 Vendor Homepage: https://www.phpscriptsmall.com/ Software Link:...
Sony Playstation 4 (PS4) 4.55 - 'Jailbreak' 'setAttributeNodeNS' WebKit 5.02 / 'bpf' Kernel Loader 4.55
PS4 4.55 Kernel Exploit --- Summary In this project you will find a full implementation of the "bpf" kernel exploit for the PlayStation 4 on 4.55. It will allow you to run arbitrary code as kernel, to allow jailbreaking and kernel-level modifications to the system. This release however, does not...
GetGo Download Manager 5.3.0.2712 - Buffer Overflow (SEH)
#!/usr/bin/python Exploit Author: bzyo Twitter: @bzyo Exploit Title: GetGo Download Manager 5.3.0.2712 - Remote Buffer Overflow SEH Date: 02-24-2018 Vulnerable Software: GetGo Download Manager 5.3.0.2712 Vendor Homepage: http://www.getgosoft.com/ Version: 5.3.0.2712 Software Link:...
MyBB My Arcade Plugin 1.3 - Cross-Site Scripting
Exploit Title: MyBB My Arcade Plugin v1.3 - Persistent XSS Date: 2/21/2018 Author: 0xB9 Contact: luxorforums.com/User-0xB9 or 0xB9atprotonmail.com Software Link: https://community.mybb.com/mods.php?action=view&pid=411 Version: 1.3 Tested on: Ubuntu 17.10 1. Description: The My Arcade plugin adds ...
School Management Script 3.0.4 - Authentication Bypass
Exploit Title: SQL Injection exists in PHP Scripts Mall School Management Script 3.0.4. Date: 26/02/2018 Exploit Author: Samiran Santra Vendor Homepage: https://www.phpscriptsmall.com Software Link: https://www.phpscriptsmall.com/product/school-management-system Version: v3.0.4 Tested on: Windows...
Sony Playstation 4 (PS4) 5.01 < 5.05 - WebKit Code Execution (PoC)
PS4 5.01 WebKit Exploit PoC =========================== Based on: - CVE-2017-7005 - PegaSwitch Copyright 2017 ReSwitched Team - 4.0x exploit by qwertyoruiopz This exploit supports 5.01 maybe others! Installation ============ 1. Install the latest version of node from nodejs.org 2. Clone this...
netek 0.8.2 - Denial of Service
Exploit Title: netek 0.8.2 FTP Denial of Service Tested on: Windows XP SP3 + Windows 7 Software Link: https://sourceforge.net/projects/netek.berlios/ Version: 0.8.2 Author: Lawrence Amer Site: lawrenceamer.me The affected product uses default port 30817; it can be changed also. #!/bin/python import...
Chrome V8 - 'TranslatedState::MaterializeCapturedObjectAt' Type Confusion
// Here's a snippet of TranslatedState::MaterializeCapturedObjectAt. case JS_SET_KEY_VALUE_ITERATOR_TYPE: case JS_SET_VALUE_ITERATOR_TYPE: Handle object = Handle::cast(isolate_->factory()->NewJSObjectFromMap(map, NOT_TENURED)); Handle properties = materializer.FieldAt(value_index); Handle elements =...
Chrome V8 - 'PropertyArray' Integer Overflow
// Here's a snippet of the MigrateFastToFast function which is used to create a new PropertyArray object. int number_of_fields = new_map->NumberOfFields(); int inobject = new_map->GetInObjectProperties(); int unused = new_map->UnusedPropertyFields(); ... int total_size = number_of_fields + unused; int external =...
Concrete5 CMS < 8.3.0 - Username / Comments Enumeration
#!/usr/bin/env python3 Concrete5 8.3 vulnerable to Authorization Bypass Through User-Controlled Key (IDOR) CVE-2017-18195 Chapman R3naissance Schleiss from queue import Queue from threading import Thread from bs4 import BeautifulSoup from tabulate import tabulate import argparse import requests impo...
Asterisk chan_pjsip 15.2.0 - 'SDP' Denial of Service
''' Segmentation fault occurs in Asterisk with an invalid SDP media format description - Authors: - Alfred Farrugia - Sandro Gauci - Latest vulnerable version: Asterisk 15.2.0 running chan_pjsip - References: AST-2018-002 - Enable Security Advisory: - Vendor Advisory: - Tested vulnerable versions:...
Asterisk chan_pjsip 15.2.0 - 'INVITE' Denial of Service
''' Crash occurs when sending a repeated number of INVITE messages over TCP or TLS transport - Authors: - Alfred Farrugia - Sandro Gauci - Latest vulnerable version: Asterisk 15.2.0 running chan_pjsip installed with --with-pjproject-bundled - References: AST-2018-005, CVE-2018-7286 - Enable Securi...
Asterisk chan_pjsip 15.2.0 - 'SDP fmtp' Denial of Service
''' Segmentation fault occurs in asterisk with an invalid SDP fmtp attribute - Authors: - Alfred Farrugia - Sandro Gauci - Latest vulnerable version: Asterisk 15.2.0 running chan_pjsip - References: AST-2018-003 - Enable Security Advisory: - Vendor Advisory: - Timeline: - Issue reported to vendor:...
Asterisk chan_pjsip 15.2.0 - 'SUBSCRIBE' Stack Corruption
''' SUBSCRIBE message with a large Accept value causes stack corruption - Authors: - Alfred Farrugia - Sandro Gauci - Latest vulnerable version: Asterisk 15.2.0 running chan_pjsip - Tested vulnerable versions: 15.2.0, 13.19.0, 14.7.5, 13.11.2 - References: AST-2018-004, CVE-2018-7284 - Advisory UR...
Transmission - Integer Overflows Parsing Torrent Files
I took a look at torrent file parsing in libtransmission, there are a few integer overflows because the tr_new/tr_new0 allocation wrappers don't handle overflow. #define tr_new(struct_type, n_structs) \ ((struct_type *) tr_malloc(sizeof(struct_type) * (size_t)(n_structs))) #define tr_new0(struct_type, n_structs) \ ((struct_type...
Sony Playstation 4 (PS4) 4.07 < 4.55 - 'bpf' Local Kernel Code Execution (PoC)
function stage4() { function malloc(sz) { var backing = new Uint8Array(1000+sz); window.nogc.push(backing); var ptr = p.read8(p.leakval(backing).add32(0x10)); ptr.backing = backing; return ptr; } function malloc32(sz) { var backing = new Uint8Array(0x1000+sz*4); window.nogc.push(backing); var ptr =...
Disk Savvy Enterprise 10.4.18 - Stack-Based Buffer Overflow (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Disk Savvy Enterprise v10.4.18', 'Description' => %q{ This module exploits a stack-based buffer overflow vulnerability in Disk Savvy Enterprise...
CloudMe Sync 1.10.9 - Stack-Based Buffer Overflow (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'CloudMe Sync v1.10.9', 'Description' => %q{ This module exploits a stack-based buffer overflow vulnerability in CloudMe Sync v1.10.9 client...
AsusWRT LAN - Remote Code Execution (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'AsusWRT LAN Unauthenticated Remote Code Execution', 'Description' => %q{ The HTTP server in AsusWRT has a flaw where it allows an unauthenticated...
Papenmeier WiFi Baby Monitor Free & Lite < 2.02.2 - Remote Audio Record
Papenmeier WiFi Baby Monitor Free & Lite 2.02.2 - Remote Audio Record. CVE-2018-7661. Remote exploit for Android platform Whilst analysing a number of free communication based applications on the Google Play Store, I took a look at WiFi Baby Monitor: Free & Lite the free version of WiFi Baby...
Alibaba Clone Script 1.0.2 - Cross-Site Scripting
Alibaba Clone Script 1.0.2 - Cross-Site Scripting. CVE-2018-6867. Webapps exploit for PHP platform Exploit Title: Alibaba Clone Script 1.0.2 – Stored XSS Date: 09.02.2018 Vendor Homepage: https://www.phpscriptsmall.com/ Software Link: https://www.phpscriptsmall.com/product/alibaba-clone/ Category...
Joomla! Component Proclaim 9.1.1 - Arbitrary File Upload
Exploit Title: Joomla! Component Proclaim 9.1.1 - Arbitrary File Upload Dork: N/A Date: 22.02.2018 Vendor Homepage: https://www.christianwebministries.org/ Software Link: https://extensions.joomla.org/extensions/extension/living/religion/proclaim/ Software Download:...
Trend Micro Email Encryption Gateway 5.5 (Build 1111.00) - Multiple Vulnerabilities
Core Security - Corelabs Advisory http://corelabs.coresecurity.com/ Trend Micro Email Encryption Gateway Multiple Vulnerabilities 1. Advisory Information Title: Trend Micro Email Encryption Gateway Multiple Vulnerabilities Advisory ID: CORE-2017-0006 Advisory URL:...
Parallels Remote Application Server 15.5 - Path Traversal
Exploit Title: Parallels Remote Application Server RAS 15.5 Path Traversal Date: 22-02-2018 Exploit Author: Nicolas Markitanis - RUNESEC Reviewers: Simon Loizides and Marios Nicolaides - RUNESEC Vendor Homepage: https://www.parallels.com/ Affected: Parallels Remote Application Server RAS 15.5 Bui...
NoMachine < 6.0.80 (x86) - 'nxfuse' Privilege Escalation
#include "stdafx.h" #include #define DEVICE L"\\.\nxfs-709fd562-36b5-48c6-9952-302da6218061" #define DEVICE2 L"\\.\nxfs-net-709fd562-36b5-48c6-9952-302da6218061709fd562-36b5-48c6-9952-302da6218061" #define IOCTL 0x00222014 #define IOCTL2 0x00222030 #define OUTSIZE 0x90 #define INSIZE 0x10 #define...
Joomla! Component PrayerCenter 3.0.2 - 'sessionid' SQL Injection
Exploit Title: Joomla! Component PrayerCenter 3.0.2 - SQL Injection Dork: N/A Date: 22.02.2018 Vendor Homepage: http://www.mlwebtechnologies.com/ Software Link: https://extensions.joomla.org/extensions/extension/living/religion/prayercenter/ Software Download:...