Linux/x86 - chmod 777 /etc/sudoers Shellcode (36 bytes)

Linux/x86 - chmod 777 /etc/sudoers Shellcode 36 bytes. Shellcode exploit for Linuxx86 platform / Description ; Title : chmod 777 /etc/sudoers - Shellcode ; Author : Hashim Jawad ; Website : ihack4falafel.com ; Twitter : @ihack4falafel ; SLAE ID : SLAE-1115 ; Purpose : chmod /etc/sudoers permissio...

Linksys WVBR0-25 - User-Agent Command Execution (Metasploit)

This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Linksys WVBR0-25 User-Agent Command Execution', 'Description' = %q The Linksys WVBR0-25 Wireless Video Bridge, used by DirecTV to connect wireless...

Multiple CPUs - 'Spectre' Information Disclosure

/ EDB Note: - https://spectreattack.com/ - https://spectreattack.com/spectre.pdf - https://googleprojectzero.blogspot.co.at/2018/01/reading-privileged-memory-with-side.html / include include include ifdef MSCVER include / for rdtscp and clflush / pragma optimize"gt",on else include / for rdtscp a...

Kingsoft Antivirus/Internet Security 9+ - Local Privilege Escalation

""" Kingsoft Antivirus/Internet Security 9+ Kernel Stack Buffer Overflow Privilege Escalation Vulnerability Anti-Virus: http://www.kingsoft.co/downloads/kav/KAV100720ENUDOWN33102010.rar Internet Security: http://www.kingsoft.co/downloads/kis/kis.rar Summary: ======== This vulnerability allows loc...

Oracle WebLogic < 10.3.6 - 'wls-wsat' Component Deserialisation Remote Command Execution

!/usr/bin/env python -- coding: utf-8 -- Exploit Title: Weblogic wls-wsat Component Deserialization RCE Date Authored: Jan 3, 2018 Date Announced: 10/19/2017 Exploit Author: Kevin Kirsche d3c3pt10n Exploit Github: https://github.com/kkirsche/CVE-2017-10271 Exploit is based off of POC by Luffin fr...

EMC xPression 4.5SP1 Patch 13 - 'model.jobHistoryId' SQL Injection

Title: EMC xDashboard - SQL Injection Vulnerability Author: Pawel Gocyla Date: 02 January 2018 CVE: CVE-2017-14960 Affected Software: ================== EMC xPression v4.5SP1 Patch 13 Probably other versions are also vulnerable. SQL Injection Vulnerability: ============================== This...

WordPress Plugin Smart Google Code Inserter < 3.5 - Authentication Bypass / SQL Injection

Exploit Title: Smart Google Code Inserter 3.5 - Auth Bypass/SQLi Google Dork: inurl:wp-content/plugins/smart-google-code-inserter/ Date: 26-Nov-17 Exploit Author: Benjamin Lim Vendor Homepage: http://oturia.com/ Software Link: https://wordpress.org/plugins/smart-google-code-inserter/ Version: 3.4...

WDMyCloud < 2.30.165 - Multiple Vulnerabilities

WDMyCloud Multiple Vulnerabilities Vendor: Western Digital Product: WDMyCloud Version: = 2.30.165 Website: https://www.wdc.com/products/network-attached-storage.html / / / / / / / / / / / / / / / / / / / / / \ / // / // / / / / / / / // / / / /,/// // /// // GulfTech Research and Development...

D-Link DNS-320 ShareCenter < 1.06 - Backdoor Access

DNS-320L ShareCenter Backdoor Vendor: D-Link Product: DNS-320L ShareCenter Version: = 1.06 -- Table of contents 00 - Introduction 00.1 Background 01 - Hard coded backdoor 01.1 - Vulnerable code analysis 01.2 - Remote exp...

Cambium ePMP1000 - 'get_chart' Shell via Command Injection (Metasploit)

This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "Cambium ePMP1000 'getchart' Shell via Command Injection v3.1-3.5-RC7", 'Description' = % This module exploits an OS Command Injection vulnerabilit...

HP Mercury LoadRunner Agent magentproc.exe - Remote Command Execution (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "HP Mercury LoadRunner Agent magentproc.exe Remote Command Execution", 'Description' = %q This module exploits a remote command execution...

Apple macOS - IOHIDSystem Kernel Read/Write

Sources: https://siguza.github.io/IOHIDeous/ https://github.com/Siguza/IOHIDeous/ IOHIDeous A macOS kernel exploit based on an IOHIDFamily 0day. Write-up here: https://siguza.github.io/IOHIDeous/ Notice The prefetch timing attack I'm using for hid for some reason doesn't work on High Sierra 10.13...

Cambium ePMP1000 - 'ping' Shell via Command Injection (Metasploit)

This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "Cambium ePMP1000 'ping' Shell via Command Injection up to v2.5", 'Description' = % This module exploits an OS Command Injection vulnerability in...

PHP Melody 2.7.1 - 'playlist' SQL Injection

Exploit Title: PHP Melody v2.7.1 - SQL Injection Date: 30/12/2017 Exploit Author: Ahmad Mahfouz Contact: http://twitter.com/eln1x Vendor Homepage: http://www.phpsugar.com/ Buy http://www.phpsugar.com/phpmelodyorder.html Version: 2.7.1 Tested on: Mac OS SQL Injection Type: time-based blind...

D3DGear 5.00 Build 2175 - Buffer Overflow (PoC)

!/usr/bin/python Exploit Author: bzyo Twitter: @bzyo Exploit Title: D3DGear 5.00 Build 2175 - Buffer Overflow Date: 07-11-2017 Vulnerable Software: D3DGear 5.00 Build 2175 Vendor Homepage: http://www.d3dgear.com/ Version: 5.00 Build 2175 Software Link: http://www.d3dgear.com/products.htm Tested O...

NetTransport 2.96L - Remote Buffer Overflow (DEP Bypass)

!/usr/bin/python Exploit Title: Buffer overflow in NetTransport Download Manager - Version 2.96L DEP Bypass CVE: CVE-2017-17968 Date: 28-12-2017 Software Link: http://xi-soft.com/downloads/NXSetupx86.zip Exploit Author: Author: Aloyce J. Makalanga Contact: https://twitter.com/aloycemjr Vendor...

ALLMediaServer 0.95 - Remote Buffer Overflow (Metasploit)

require 'msf/core' class Metasploit4 'ALLMediaServer 0.95 Buffer Overflow', 'Description' = %q This module exploits a stack buffer overflow in ALLMediaServer 0.95. The vulnerability is caused due to a boundary error within the handling of HTTP request. , 'License' = MSFLICENSE, 'Author' = 'Anurag...

Telesquare SKT LTE Router SDT-CS3B1 - Cross-Site Request Forgery

Telesquare SKT LTE Router SDT-CS3B1 CSRF System Command Execution Vendor: Telesquare Co., Ltd. Product web page: http://www.telesquare.co.kr Affected version: FwVer: SDT-CS3B1, sw version 1.2.0 LteVer: ML300S5XEA41090 1 0.1.0 Modem model: PM-L300S Summary: We introduce SDT-CS3B1 LTE router which ...

SysGauge Server 3.6.18 - Denial of Service

Exploit Title: SysGauge Server 3.6.18 - DOS Date: 2017-10-20 Exploit Author: Ahmad Mahfouz Software Link: hhttp://www.sysgauge.com/setups/sysgaugesrvsetupv3.6.18.exe Version: v3.6.18 Category; Windows Remote DOS CVE: CVE-2017-15667 Author Homepage: www.unixawy.com Description: SysGauge Server...

Telesquare SKT LTE Router SDT-CS3B1 - Information Disclosure

Telesquare SKT LTE Router SDT-CS3B1 Insecure Direct Object Reference Info Leak Vendor: Telesquare Co., Ltd. Product web page: http://www.telesquare.co.kr Affected version: FwVer: SDT-CS3B1, sw version 1.2.0 LteVer: ML300S5XEA41090 1 0.1.0 Modem model: PM-L300S Summary: We introduce SDT-CS3B1 LTE...

Xerox DC260 EFI Fiery Controller Webtools 2.0 - Arbitrary File Disclosure

Xerox DC260 EFI Fiery Controller Webtools 2.0 Arbitrary File Disclosure Vendor: Electronics for Imaging, Inc. Product web page: http://www.efi.com Affected version: EFI Fiery Controller SW2.0 Xerox DocuColor 260, 250, 242 Summary: Drive production profitability with Fiery servers and workflow...

Sony Playstation 4 (PS4) 4.05 - 'Jailbreak' WebKit / 'NamedObj ' Kernel Loader

PS4 4.05 Kernel Exploit --- Summary In this project you will find a full implementation of the "namedobj" kernel exploit for the PlayStation 4 on 4.05. It will allow you to run arbitrary code as kernel, to allow jailbreaking and kernel-level modifications to the system. This release however, does...

SAP BusinessObjects launch pad - Server-Side Request Forgery

Exploit Title: SAP BusinessObjects launch pad SSRF Date: 2017-11-8 Exploit Author: Ahmad Mahfouz Category: Webapps Author Homepage: www.unixawy.com Description: Design Error in SAP BusinessObjects launch pad leads to SSRF attack !/usr/bin/env python SAP BusinessObjects launch pad SSRF Timing Atta...

ALLMediaServer 0.95 - Buffer Overflow (PoC)

Exploit Title: Buffer overflow in ALLPlayer ALLMediaServer 0.95 and earlier CVE: CVE-2017-17932 Date: 27-12-2017 Exploit Author: Aloyce J. Makalanga Contact: https://twitter.com/aloycemjr Vendor Homepage: http://www.allmediaserver.org/ Category: webapps Attack Type: Remote Impact: Code execution...

DotNetNuke DreamSlider 01.01.02 - Arbitrary File Download (Metasploit)

Exploit Title: DotNetNuke DreamSlider Arbitrary File Download Date: 23/01/2014 Author: Glafkos Charalambous Version: 01.01.02 Vendor: DreamSlider Vendor URL: http://www.dreamslider.com/ Google Dork: inurl:/DesktopModules/DreamSlider/ CVE: Description DotNetNuke DreamSlider Module prior to version...

Easy!Appointments 1.2.1 - Cross-Site Scripting

Easy!Appointments v1.2.1 Multiple Stored XSS Vulnerabilities Vendor: Alex Tselegidis Product web page: http://www.easyappointments.org Affected version: 1.2.1 Summary: Easy!Appointments is a highly customizable web application that allows your customers to book appointments with you via the web...

Telesquare SKT LTE Router SDT-CS3B1 - Denial of Service

!/usr/bin/env python Telesquare SKT LTE Router SDT-CS3B1 Remote Reboot Denial Of Service Vendor: Telesquare Co., Ltd. Product web page: http://www.telesquare.co.kr Affected version: FwVer: SDT-CS3B1, sw version 1.2.0 LteVer: ML300S5XEA41090 1 0.1.0 Modem model: PM-L300S Summary: We introduce...

COMTREND ADSL Router CT-5367 - Remote Code Execution

COMTREND ADSL Router CT-5367 - Remote Code Execution. Remote exploit for Hardware platform Exploit Title: Globalnet COMTREND ADSL Router CT-5367 Remote Code Execute Date: 11-12-2017 Exploit Author: TnMch Software Link : null Type : HardWare Risk of use : High Type to use : Remote 1. Description A...

SilverStripe CMS 3.6.2 - CSV Excel Macro Injection

Exploit Title: SilverStripe CMS - 3.6.2 CSV Excel Macro Injection Vendor Homepage: https://www.silverstripe.org/ Software Link: https://www.silverstripe.org/download Discovered by: Ishaq Mohammed Contact: https://twitter.com/securityprince Website: https://about.me/security-prince Category: web...

Biometric Shift Employee Management System 3.0 - Local File Disclosure

Exploit Title: Biometric Shift Employee Management System 3.0 - Local File Download Dork: N/A Date: 24.12.2017 Vendor Homepage: https://www.shiftsystems.net/ Software Link: https://codecanyon.net/item/white-label-shift-employee-management-system/21061908 Version: 3.0 Category: Webapps Tested on:...

Ubiquiti UniFi Video 3.7.3 - Local Privilege Escalation

RCE Security Advisory https://www.rcesecurity.com 1. ADVISORY INFORMATION ======================= Product: Ubiquiti UniFi Video Windows Vendor URL: https://www.ubnt.com Type: Improper Handling of Insufficient Permissions or Privileges CWE-280 Date found: 2016-05-24 Date published: 2017-12-20 CVSS...

GetGo Download Manager 5.3.0.2712 - Buffer Overflow

Exploit Title: Buffer overflow vulnerability in GetGo Download Manager 5.3.0.2712 CVE: CVE-2017-17849 Date: 22-12-2017 Tested on Windows 10 32 bits Exploit Author: Aloyce J. Makalanga Contact: https://twitter.com/aloycemjr Software Link: http://www.getgosoft.com/getgodm/ Category: webapps Attack...

Trustwave SWG 11.8.0.27 - SSH Unauthorized Access

Vulnerability Summary The following advisory describes an unauthorized access vulnerability that allows an unauthenticated user to add their own SSH key to a remote Trustwave SWG version 11.8.0.27. Trustwave Secure Web Gateway SWG “provides distributed enterprises effective real-time protection...

Oracle WebLogic Server 10.3.6.0.0 / 12.x - Remote Command Execution

import requests import sys urlin = sys.argv1 payloadurl = urlin + "/wls-wsat/CoordinatorPortType" payloadheader = 'content-type': 'text/xml' def payloadcommand commandin: htmlescapetable = "&": "&", '"': """, "'": "'", "": "", ""+"".joinhtmlescapetable.getc, c for c in commandin+"" payload1 = " \...

Joomla! Component JEXTN FAQ Pro 4.0.0 - 'id' SQL Injection

Exploit Title: Joomla! Component JEXTN FAQ Pro 4.0.0 - SQL Injection Dork: N/A Date: 24.12.2017 Vendor Homepage: http://jextn.com/ Software Link: https://extensions.joomla.org/extensions/extension/directory-a-documentation/faq/jextn-faq-pro/ Version: 4.0.0 Category: Webapps Tested on:...

Sendroid < 6.5.0 - SQL Injection

Exploit Title: Sendroid - Bulk SMS Portal, Marketing Script 5.0.0 - 6.5.0 - SQL Injection Google Dork: "welcome to SMS portal" Date: 22/12/2017 Exploit Author: Onwuka Gideon Contact: http://twitter.com/@gideononwuka Vendor Homepage: http://ynetinteractive.com/ Software Buy:...

Huawei Router HG532 - Arbitrary Command Execution

import threading, sys, time, random, socket, re, os, struct, array, requests from requests.auth import HTTPDigestAuth ips = opensys.argv1, "r".readlines cmd = "" Your MIPS SSHD rm = "\n \n \n $" + cmd + "\n$echo HUAWEIUPNP\n\n \n " class exploitthreading.Thread: def init self, ip:...

Iopsys Router - 'dhcp' Remote Code Execution

!/usr/bin/python import json import sys import subprocess import socket import os from time import sleep from websocket import createconnection def ubusAuthhost, username, password: ws = createconnection"ws://" + host, header = "Sec-WebSocket-Protocol: ubus-json" req =...

Vitek - Remote Command Execution / Information Disclosure (PoC)

STX Subject: Vitek RCE and Information Disclosure and possible other OEM Attack vector: Remote Authentication: Anonymous no credentials needed Researcher: bashis December 2017 PoC: https://github.com/mcw0/PoC Release date: December 22, 2017 Full Disclosure: 0-day heap: Executable + Non-ASLR stack...

Samsung Internet Browser - SOP Bypass (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Samsung Internet Browser SOP Bypass', 'Description' = %q This module takes advantage of a Same-Origin Policy SOP bypass vulnerability in the...

Conarc iChannel - Improper Access Restrictions

Exploit Title: Conarc iChannel - Unauthenticated Access/Default Webserver Misconfiguration allows for compromise of server Date: 2017-12-19 Exploit Author: Information Paradox CVE : CVE-2017-17759 https://affectedserver/wc.dll?wwMaintEditConfig The customized webserver used by iChannel is based o...

Microsoft Windows Kernel - 'NtQueryVirtualMemory(MemoryMappedFilenameInformation)' Double-Write Ring-0 Address Leak

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1456 We have discovered that it is possible to disclose addresses of kernel-mode Paged Pool allocations via a race-condition in the implementation of the NtQueryVirtualMemory system call information class 2,...

Ability Mail Server 3.3.2 - Cross-Site Scripting

Exploit Title: Ability Mail Server 3.3.2 Persistent Cross Site Scripting XSS CVE: CVE-2017-17752 Date: 19-12-2017 Software Link: http://download.codecrafters.com/ams3.exe Exploit Author: Aloyce J. Makalanga Contact: https://twitter.com/aloycemjr Vendor Homepage: http://www.codecrafters.com...

BEIMS ContractorWeb 5.18.0.0 - SQL Injection

Exploit Title: SQL Injection Date: 18 December, 2017 Exploit Author: Rajwinder Singh Vendor Homepage: http://www.beims.com/products/ Software Link: http://www.beims.com/optional-modules/ccw Version: BEIMS ContractorWeb .NET System 5.18.0.0 CVE : 2017-17721 Vulnerability Details:...

Microsoft Internet Explorer 11 - 'jscript!JSONStringifyObject' Use-After-Free

var o1 = toJSON:function alert'o1'; return o2; var o2 = toJSON:function alert'o2'; CollectGarbage; return 'x'; JSON.stringifyo1; g df8.e48: Access violation - code c0000005 first chance First chance exceptions are reported before any exception handling. This exception may be expected and handled...

Microsoft Windows - jscript.dll 'Array.sort' Heap Overflow

var vars = new Array100; var arr = new Array1000; forvar i=1;i !-- ========================================= Technical details: Array.sort is implemented in JsArraySort which, depending if a comparison function was specified or not, calls JsArrayStringHeapSort or JsArrayFunctionHeapSort. These...

BrightSign Digital Signage - Multiple Vulnerablities

Exploit Title: BrightSign Digital Signage Multiple Vulnerabilities Date: 12/15/17 Exploit Author: [email protected] Vectors: XSS, Directory Traversal, File Modification, Information Leakage The BrightSign Digital Signage 4k242 device Firmware 6.2.63 and below suffers from multiple...

Ichano AtHome IP Cameras - Multiple Vulnerabilities

Vulnerabilities Summary The following advisory describes three 3 vulnerabilities found in Ichano IP Cameras. AtHome Camera is “a remote video surveillance app which turns your personal computer, smart TV/set-top box, smart phone, and tablet into a professional video monitoring system in a minute....

Tuleap 9.6 - Second-Order PHP Object Injection (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Tuleap 9.6 Second-Order PHP Object Injection', 'Description' = %q This module exploits a Second-Order PHP Object Injection vulnerability in Tulea...

Jenkins - XStream Groovy classpath Deserialization (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Jenkins XStream Groovy classpath Deserialization Vulnerability', 'Description' = %q This module exploits CVE-2016-0792 a vulnerability in Jenkins...