47904 matches found
TextPattern 4.6.2 - 'qty' SQL Injection
============================================= MGC ALERT 2018-002 - Original release date: February 12, 2018 - Last revised: March 12, 2018 - Discovered by: Manuel García Cárdenas - Severity: 7,1/10 CVSS Base Score - CVE-ID: CVE-2018-7474 ============================================= I...
Eclipse Equinoxe OSGi Console - Command Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'base64' class MetasploitModule 'Eclipse Equinoxe OSGi Console Command Execution', 'Description' = %q Exploit Eclipse Equinoxe OSGi Open Service Gateway initiati...
Advantech WebAccess < 8.3 - Directory Traversal / Remote Code Execution
!/usr/bin/python2.7 Exploit Title: Advantech WebAccess 8.3 webvrpcs Directory Traversal RCE Vulnerability Date: 03-11-2018 Exploit Author: Chris Lyne @lynerc Vendor Homepage: www.advantech.com Software Link:...
SC 7.16 - Stack-Based Buffer Overflow
Exploit Author: Juan Sacco - http://www.exploitpack.com Bug found using Exploit Pack - Local fuzzer feature. Tested on: GNU/Linux - Kali Linux Filename: pool/main/s/sc/sc7.16-4+b2i386.deb Description: SC v7.16 is prone to a basic stack-based buffer overflow vulnerability because the application...
Allok QuickTime to AVI MPEG DVD Converter 3.6.1217 - Buffer Overflow
Exploit Title: Allok Video Converter - Buffer Overflow Vulnerability Windows XP SP3 Date: 06-03-2018 Exploit Author: Mohan Ravichandran & Velayutham Selvaraj Organization : TwinTech Solutions Vulnerable Software: Allok Video Converter Vendor Homepage: http://www.alloksoft.com Version: 4.6.1217...
Sony Playstation 4 (PS4) 4.55 < 5.50 - WebKit Code Execution (PoC)
window.didload = 0; window.didpost = 0; window.onload = function window.didload = 1; if window.didpost == 1 window.stage2; window.postExpl = function window.didpost = 1; if window.didload == 1 window.stage2; function makeid var text = ""; var possible =...
Bacula-Web < 8.0.0-rc2 - SQL Injection
Exploit Title: Multiple SQL injection vulnerabilities in Bacula-Web Date: 2018-03-07 Software Link: http://bacula-web.org/ Exploit Author: Gustavo Sorondo Contact: http://twitter.com/iampuky Website: http://cintainfinita.com/ CVE: CVE-2017-15367 Category: webapps 1. Description Bacula-web before...
WebLog Expert Enterprise 9.4 - Denial of Service
Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/WEBLOG-EXPERT-WEB-SERVER-ENTERPRISE-v9.4-DENIAL-OF-SERVICE.txt + ISR: Apparition Security Vendor: ======= www.weblogexpert.com Product: ========= WebLog Expert Web Server...
WebLog Expert Enterprise 9.4 - Authentication Bypass
Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/WEBLOG-EXPERT-WEB-SERVER-ENTERPRISE-v9.4-AUTHENTICATION-BYPASS.txt + ISR: Apparition Security Vendor: ======== www.weblogexpert.com Product: ======== WebLog Expert Web Server...
Memcached 1.5.5 - 'Memcrashed ' Insufficient Control of Network Message Volume Denial of Service With Shodan API
-- coding: utf8 -- !/usr/bin/python Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44265.zip import sys, os, time, shodan from pathlib import Path from scapy.all import from contextlib import contextmanager starttime=time.time @contextmanager def...
Redaxo CMS Addon MyEvents 2.2.1 - SQL Injection
Exploit Title: Redaxo CMS Addon MyEvents SQL Injection Backend Date: 01.03.2018 Exploit Author: h0n1gsp3cht Vendor Homepage: http://www.github.com/wende60/myevents Version: 2.2.1 Last Version Tested on: LinuxMint More: Login Required GET Vuln Code + redaxo/src/addons/myevents/pages/eventadd.php...
antMan 0.9.0c - Authentication Bypass
Exploit Title: antMan and the password to a url-encoded linefeed %0a, we can force the authentication script to produce return values not anticipated by the developer. To exploit these defects, use a web proxy to intercept the login attempt and modify the POST parameters as follows:...
Softros Network Time System Server 2.3.4 - Denial of Service
Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/SOFTROS-NETWORK-TIME-SYSTEM-SERVER-v2.3.4-DENIAL-OF-SERVICE.txt + ISR: Apparition Security Vendor: ============= www.softros.com https://nts.softros.com/downloads/ Product:...
Chrome V8 JIT - Empty BytecodeJumpTable Out-of-Bounds Read
/ In the current implementation, the bytecode generator also emits empty jump tables. https://cs.chromium.org/chromium/src/v8/src/interpreter/bytecode-array-writer.cc?rcl=111e990462823c9faeee06b67c0dcf05749d4da8&l=89 So the bytecode for the example code would be generated as follows: Code: functi...
Chrome V8 JIT - 'GetSpecializationContext' Type Confusion
PoC: function optarg = = arg let tmp = opt.x; // LdaNamedProperty for ;; arg; yield; function inner tmp; break; for let i = 0; i arg; this; , opt let tmp = arg.x; for ;; arg; yield; tmp = inner tmp; ; for let i = 0; i 10000; i++ opt; What happened: 1. The LdaNamedProperty operation "opt.x" was...
Chrome V8 JIT - JSBuiltinReducer::ReduceObjectCreate Fails to Ensure that the Prototype is "null"
/ I think this commit has introduced the bug. https://chromium.googlesource.com/v8/v8/+/ff7063c7d5d8ad8eafcce3da59e65d7fe2b4f915%5E%21/F2 According to the description, Object.create is supposed to be inlined only when the prototype given as the parameter is "null". The following check has to...
Chrome V8 JIT - Simplified-lowererer IrOpcode::kStoreField, IrOpcode::kStoreElement Optimization Bug
/ I think this commit has introduced the bugs: https://chromium.googlesource.com/v8/v8/+/c22ca7f73ba92f22d0cd29b06bb2944a545a8d3e%5E%21/F0 Here's a snippet. case IrOpcode::kStoreField: FieldAccess access = FieldAccessOfnode-op; Node valuenode = node-InputAt1; NodeInfo inputinfo = GetInfovaluenode...
Bravo Tejari Web Portal - Cross-Site Request Forgery
Exploit Title: Bravo Tejari Web Portal-CSRF CVE-ID: CVE-2018-7216 Vulnerability Type: Cross Site Request Forgery CSRF Vendor of Product: Tejari Affected Product Code Base: Bravo Solution Affected Component: Web Interface Management. Attack Type: Local - Authenticated Impact: Unauthorised Access...
Netgear - 'TelnetEnable' Magic Packet (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'NETGEAR TelnetEnable', 'Description' = %q This module sends a magic packet to a NETGEAR device to enable telnetd. Upon successful connect, a root...
Sophos UTM 9.410 - 'loginuser' 'confd' Service Privilege Escalation
KL-001-2018-007 : Sophos UTM 9 loginuser Privilege Escalation via confd Service Title: Sophos UTM 9 loginuser Privilege Escalation via confd Service Advisory ID: KL-001-2018-007 Publication Date: 2018.03.02 Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2018-007.txt 1...
Dup Scout Enterprise 10.5.12 - 'Share Username' Local Buffer Overflow
!/usr/bin/python Exploit Author: bzyo Twitter: @bzyo Exploit Title: Dup Scout Enterprise 10.5.12 - Local Buffer Overflow Date: 02-22-2018 Vulnerable Software: Dup Scout Enterprise v10.5.12 Vendor Homepage: http://www.dupscout.com Version: 10.5.12 Software Link:...
Memcached 1.5.5 - 'Memcrashed' Insufficient Control Network Message Volume Denial of Service (2)
Written by Alex Conrey Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44254.zip This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, eithe...
ActivePDF Toolkit < 8.1.0.19023 - Multiple Memory Corruptions
ActivePDF Toolkit 8.1.0 multiple RCE Introduction ============ The ActivePDF Toolkit is a Windows library which enhances business processes to stamp, stitch, merge, form-fill, add digital signatures, barcodes to PDF. Both .NET and native APIs are provided. Amongst many other operations, this...
Suricata < 4.0.4 - IDS Detection Bypass
----------------------------------------------------- Vulnerability Type: Detection Bypass Affected Product: Suricata Vulnerable version: SYN Seq=0 Ack= 0 - Evil Server Client ACK Seq=1 Ack= 84 - Evil Server Client - PSH, ACK Seq=1 Ack= 84 - Evil Server IDS signature checks for tcp stream or http...
Xion 1.0.125 - '.m3u' Local SEH-Based Unicode Venetian Exploit
!/usr/bin/perl Title: Xion 1.0.125 .m3u File Local SEH-based Unicode The “Venetian” Exploit Vulnerability Type: Execute Code, Overflow UTF-16LE buffer, Memory corruption Date: Feb 18, 2018 Author: James Anderson synthetic Original Advisory: http://www.exploit-db.com/exploits/14517 hadji samir...
ClipBucket < 4.0.0 - Release 4902 - Command Injection / File Upload / SQL Injection
SEC Consult Vulnerability Lab Security Advisory ======================================================================= title: OS command injection, arbitrary file upload & SQL injection product: ClipBucket vulnerable version: 4.0.0 - Release 4902 fixed version: 4.0.0 - Release 4902 CVE number: -...
Memcached 1.5.5 - 'Memcrashed' Insufficient Control Network Message Volume Denial of Service (1)
/ memcached-PoC memcached Proof of Concept Amplification via spoofed source UDP packets. Repo includes source code for PoC and approximately 17,000 AMP hosts. memcached.c - Source code https://pastebin.com/raw/ZiUeinae memecache-amp-03-05-2018-rd.list - List of memcached servers as of 03-05-2018...
D-Link DIR-600M Wireless - Cross-Site Scripting
Exploit Title: D-Link DIR-600M Wireless - Persistent Cross Site Scripting Date: 11.02.2018 Vendor Homepage: http://www.dlink.co.in Hardware Link: http://www.dlink.co.in/products/?pid=DIR-600M Category: Hardware Exploit Author: Prasenjit Kanti Paul Web: http://hack2rule.wordpress.com/ Hardware...
uWSGI < 2.0.17 - Directory Traversal
Exploit Title: uWSGI PHP Plugin Directory Traversal Date: 01-03-2018 Exploit Author: Marios Nicolaides - RUNESEC Reviewers: Simon Loizides and Nicolas Markitanis - RUNESEC Vendor Homepage: https://uwsgi-docs.readthedocs.io Affected Software: uWSGI PHP Plugin before 2.0.17 Tested on: uWSGI 2.0.12...
antMan < 0.9.1a - Authentication Bypass
Exploit Title: antMan and the password to a url-encoded linefeed %0a, we can force the authentication script to produce return values not anticipated by the developer. To exploit these defects, use a web proxy to intercept the login attempt and modify the POST parameters as follows:...
IrfanView 4.50 Email Plugin - Buffer Overflow (SEH Unicode)
!/usr/bin/python Exploit Author: bzyo Twitter: @bzyo Exploit Title: IrfanView 4.50 Email PlugIn - Local Buffer Overflow SEH Unicode Date: 02-07-2018 Vulnerable Software: IrfanView 4.50 Email PlugIn Vendor Homepage: http://www.irfanview.com/ Version: 4.50 Software Link:...
SEGGER embOS/IP FTP Server 3.22 - Denial of Service
Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/SEGGER-embOS-FTP-SERVER-v3.22-FTP-COMMANDS-DENIAL-OF-SERVICE.txt + ISR: Apparition Security Vendor: ============= www.segger.com Product: =========== embOS/IP FTP Server v3.22...
DualDesk 20 - 'Proxy.exe' Denial of Service
Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/DUALDESK-v20-DENIAL-OF-SERVICE.txt + ISR: Apparition Security Vendor: =============== www.dualdesk.com Product: =========== DualDesk v20 DualDesk is powerful, easy to use...
IrfanView 4.44 Email Plugin - Buffer Overflow (SEH)
!/usr/bin/python Exploit Author: bzyo Twitter: @bzyo Exploit Title: IrfanView 4.44 Email PlugIn - Local Buffer Overflow SEH Date: 02-07-2018 Vulnerable Software: IrfanView 4.44 Email PlugIn Vendor Homepage: http://www.irfanview.com/ Version: 4.44 Software Link:...
TestLink Open Source Test Management < 1.9.16 - Remote Code Execution
Title: TestLink Open Source Test Management comment out skip-networking as well as bind-address if any present in my.cnf i.e change line skip-netw...
iSumsoft ZIP Password Refixer 3.1.1 - Buffer Overflow
author = ''' Created: ScrR1pTK1dd13 Name: Greg Priest Mail: [email protected] Exploit Title:iSumsoft Local Buffer Overflow Vuln. 0daySEH Date: 2018.03.02 Exploit Author: Greg Priest Version: iSumsoft ZIP Password Refixer Version 3.1.1 Tested on: Windows7 x64 HUN/ENG Professional '''...
Microsoft Windows Kernel (7 x86) - Local Privilege Escalation (MS16-039)
include include include include pragma commentlib, "psapi.lib" define POCDEBUG 0 if POCDEBUG == 1 define POCDEBUGBREAK getchar elif POCDEBUG == 2 define POCDEBUGBREAK DebugBreak else define POCDEBUGBREAK endif static HBITMAP hBmpHunted = NULL; static HBITMAP hBmpExtend = NULL; static DWORD...
Routers2 2.24 - Cross-Site Scripting
Exploit Title: Routers2 2.24 - Reflected Cross-Site Scripting Date: 18-01-18 Vendor Homepage: http://www.steveshipway.org/software/ Software Link: https://github.com/sshipway/routers2 Version: 2.24 CVE: CVE-2018-6193 Platform: Perl Category: webapps Exploit Author: Lorenzo Di Fuccia Contact:...
Apple iOS 11.2.5 / watchOS 4.2.2 / tvOS 11.2.5 - 'bluetoothd' Memory Corruption
// // main.m // bluetoothdPoC // // Created by Rani Idan. // Copyright © 2018 zLabs. All rights reserved. // import "AppDelegate.h" include extern kernreturnt bootstraplookupmachportt bs, const char servicename, machportt service; / When hijacking session between bluetoothd and client, add callba...
Joomla! Component K2 2.8.0 - Arbitrary File Download
Joomla! Component K2 2.8.0 - Arbitrary File Download. CVE-2018-7482. Webapps exploit for PHP platform Exploit Title: Joomla! Component K2 2.8.0 - Arbitrary File Download Dork: N/A Date: 26.02.2018 Vendor Homepage: http://www.joomlaworks.net/ Software Link:...
CMS Made Simple 2.1.6 - Remote Code Execution
Exploit Title: CMS Made Simple 2.1.6 - Remote Code Execution Date: 2018-02-26 Exploit Author: Keerati T. Vendor Homepage: http://www.cmsmadesimple.org/ Software Link: http://s3.amazonaws.com/cmsms/downloads/13570/cmsms-2. 1.6-install.zip Version: 2.1.6 CVE: CVE-2018-7448 Tested on: Linux...
Sony Playstation 4 (PS4) 5.01 < 5.05 - WebKit Code Execution (PoC)
PS4 5.01 WebKit Exploit PoC =========================== Based on: - CVE-2017-7005 - PegaSwitch Copyright 2017 ReSwitched Team - 4.0x exploit by qwertyoruiopz This exploit supports 5.01 maybe others! Installation ============ 1. Install the latest version of node from nodejs.org 2. Clone this...
netek 0.8.2 - Denial of Service
Exploit Title : netek 0.8.2 FTP Denial of Service Test on : windowsXPs3 + windows 7 software Link :https://sourceforge.net/projects/netek.berlios/ version : 0.8.2 author : Lawrence Amer site : lawrenceamer.me affected product uses default port 30817 , it can be chnaged also !/bin/python import...
Asterisk chan_pjsip 15.2.0 - 'SUBSCRIBE' Stack Corruption
''' SUBSCRIBE message with a large Accept value causes stack corruption - Authors: - Alfred Farrugia - Sandro Gauci - Latest vulnerable version: Asterisk 15.2.0 running chanpjsip - Tested vulnerable versions: 15.2.0, 13.19.0, 14.7.5, 13.11.2 - References: AST-2018-004, CVE-2018-7284 - Advisory UR...
GetGo Download Manager 5.3.0.2712 - Buffer Overflow (SEH)
!/usr/bin/python Exploit Author: bzyo Twitter: @bzyo Exploit Title: GetGo Download Manager 5.3.0.2712 - Remote Buffer Overflow SEH Date: 02-24-2018 Vulnerable Software: GetGo Download Manager 5.3.0.2712 Vendor Homepage: http://www.getgosoft.com/ Version: 5.3.0.2712 Software Link:...
MyBB My Arcade Plugin 1.3 - Cross-Site Scripting
Exploit Title: MyBB My Arcade Plugin v1.3 - Persistent XSS Date: 2/21/2018 Author: 0xB9 Contact: luxorforums.com/User-0xB9 or 0xB9atprotonmail.com Software Link: https://community.mybb.com/mods.php?action=view&pid=411 Version: 1.3 Tested on: Ubuntu 17.10 1. Description: The My Arcade plugin adds ...
School Management Script 3.0.4 - Authentication Bypass
Exploit Title: SQL Injection exists in PHP Scripts Mall School Management Script 3.0.4. Date: 26/02/2018 Exploit Author: Samiran Santra Vendor Homepage: https://www.phpscriptsmall.com Software Link: https://www.phpscriptsmall.com/product/school-management-system Version: v3.0.4 Tested on: Windows...
Asterisk chan_pjsip 15.2.0 - 'SDP fmtp' Denial of Service
''' Segmentation fault occurs in asterisk with an invalid SDP fmtp attribute - Authors: - Alfred Farrugia - Sandro Gauci - Latest vulnerable version: Asterisk 15.2.0 running chanpjsip - References: AST-2018-003 - Enable Security Advisory: - Vendor Advisory: - Timeline: - Issue reported to vendor:...
Microsoft Windows 8.1/2012 R2 - SMBv3 Null Pointer Dereference Denial of Service
Exploit Title: Microsoft Windows SMB Client Null Pointer Dereference Denial of Service Date: 26/02/2018 Exploit Author: Nabeel Ahmed Version: SMBv3 Tested on: Windows 8.1 x86, Windows Server 2012 R2 x64 CVE : CVE-2018-0833 import SocketServer from binascii import unhexlify payload =...
Asterisk chan_pjsip 15.2.0 - 'SDP' Denial of Service
''' Segmentation fault occurs in Asterisk with an invalid SDP media format description - Authors: - Alfred Farrugia - Sandro Gauci - Latest vulnerable version: Asterisk 15.2.0 running chanpjsip - References: AST-2018-002 - Enable Security Advisory: - Vendor Advisory: - Tested vulnerable versions:...