47904 matches found
Biometric Shift Employee Management System 3.0 - Local File Disclosure
Exploit Title: Biometric Shift Employee Management System 3.0 - Local File Download Dork: N/A Date: 24.12.2017 Vendor Homepage: https://www.shiftsystems.net/ Software Link: https://codecanyon.net/item/white-label-shift-employee-management-system/21061908 Version: 3.0 Category: Webapps Tested on:...
Sendroid < 6.5.0 - SQL Injection
Exploit Title: Sendroid - Bulk SMS Portal, Marketing Script 5.0.0 - 6.5.0 - SQL Injection Google Dork: "welcome to SMS portal" Date: 22/12/2017 Exploit Author: Onwuka Gideon Contact: http://twitter.com/@gideononwuka Vendor Homepage: http://ynetinteractive.com/ Software Buy:...
GetGo Download Manager 5.3.0.2712 - Buffer Overflow
Exploit Title: Buffer overflow vulnerability in GetGo Download Manager 5.3.0.2712 CVE: CVE-2017-17849 Date: 22-12-2017 Tested on Windows 10 32 bits Exploit Author: Aloyce J. Makalanga Contact: https://twitter.com/aloycemjr Software Link: http://www.getgosoft.com/getgodm/ Category: webapps Attack...
Ubiquiti UniFi Video 3.7.3 - Local Privilege Escalation
RCE Security Advisory https://www.rcesecurity.com 1. ADVISORY INFORMATION ======================= Product: Ubiquiti UniFi Video Windows Vendor URL: https://www.ubnt.com Type: Improper Handling of Insufficient Permissions or Privileges CWE-280 Date found: 2016-05-24 Date published: 2017-12-20 CVSS...
Oracle WebLogic Server 10.3.6.0.0 / 12.x - Remote Command Execution
import requests import sys urlin = sys.argv1 payloadurl = urlin + "/wls-wsat/CoordinatorPortType" payloadheader = 'content-type': 'text/xml' def payloadcommand commandin: htmlescapetable = "&": "&", '"': """, "'": "'", "": "", ""+"".joinhtmlescapetable.getc, c for c in commandin+"" payload1 = " \...
Huawei Router HG532 - Arbitrary Command Execution
import threading, sys, time, random, socket, re, os, struct, array, requests from requests.auth import HTTPDigestAuth ips = opensys.argv1, "r".readlines cmd = "" Your MIPS SSHD rm = "\n \n \n $" + cmd + "\n$echo HUAWEIUPNP\n\n \n " class exploitthreading.Thread: def init self, ip:...
Iopsys Router - 'dhcp' Remote Code Execution
!/usr/bin/python import json import sys import subprocess import socket import os from time import sleep from websocket import createconnection def ubusAuthhost, username, password: ws = createconnection"ws://" + host, header = "Sec-WebSocket-Protocol: ubus-json" req =...
Vitek - Remote Command Execution / Information Disclosure (PoC)
STX Subject: Vitek RCE and Information Disclosure and possible other OEM Attack vector: Remote Authentication: Anonymous no credentials needed Researcher: bashis December 2017 PoC: https://github.com/mcw0/PoC Release date: December 22, 2017 Full Disclosure: 0-day heap: Executable + Non-ASLR stack...
Conarc iChannel - Improper Access Restrictions
Exploit Title: Conarc iChannel - Unauthenticated Access/Default Webserver Misconfiguration allows for compromise of server Date: 2017-12-19 Exploit Author: Information Paradox CVE : CVE-2017-17759 https://affectedserver/wc.dll?wwMaintEditConfig The customized webserver used by iChannel is based o...
Microsoft Windows Kernel - 'NtQueryVirtualMemory(MemoryMappedFilenameInformation)' Double-Write Ring-0 Address Leak
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1456 We have discovered that it is possible to disclose addresses of kernel-mode Paged Pool allocations via a race-condition in the implementation of the NtQueryVirtualMemory system call information class 2,...
BEIMS ContractorWeb 5.18.0.0 - SQL Injection
Exploit Title: SQL Injection Date: 18 December, 2017 Exploit Author: Rajwinder Singh Vendor Homepage: http://www.beims.com/products/ Software Link: http://www.beims.com/optional-modules/ccw Version: BEIMS ContractorWeb .NET System 5.18.0.0 CVE : 2017-17721 Vulnerability Details:...
Ability Mail Server 3.3.2 - Cross-Site Scripting
Exploit Title: Ability Mail Server 3.3.2 Persistent Cross Site Scripting XSS CVE: CVE-2017-17752 Date: 19-12-2017 Software Link: http://download.codecrafters.com/ams3.exe Exploit Author: Aloyce J. Makalanga Contact: https://twitter.com/aloycemjr Vendor Homepage: http://www.codecrafters.com...
Samsung Internet Browser - SOP Bypass (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Samsung Internet Browser SOP Bypass', 'Description' = %q This module takes advantage of a Same-Origin Policy SOP bypass vulnerability in the...
Linux/x64 - Custom Encoded XOR + Polymorphic + execve(/bin/sh) Shellcode (Generator)
Linux/x64 - Custom Encoded XOR + Polymorphic + execve/bin/sh Shellcode Generator. Shellcode exploit for Generator platform !/usr/bin/python from random import randint encoded = "" encoded2 = "" badchars = 0x00 shellcode = "\x90" +...
Ichano AtHome IP Cameras - Multiple Vulnerabilities
Vulnerabilities Summary The following advisory describes three 3 vulnerabilities found in Ichano IP Cameras. AtHome Camera is “a remote video surveillance app which turns your personal computer, smart TV/set-top box, smart phone, and tablet into a professional video monitoring system in a minute....
Microsoft Windows - 'jscript!NameTbl::GetValDef' Use-After-Free
var vars = new Array100; forvar i=0;i !-- ============================================ PoC for WPAD might require page heap to trigger the crash: ============================================ function FindProxyForURLurl,...
Jenkins - XStream Groovy classpath Deserialization (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Jenkins XStream Groovy classpath Deserialization Vulnerability', 'Description' = %q This module exploits CVE-2016-0792 a vulnerability in Jenkins...
Microsoft Windows - 'jscript!JsArraySlice' Uninitialized Variable
var x = new URIErrornew Array, undefined, undefined; String.prototype.localeCompare.callx, new Date0, 0, 0, 0, 0, 0, undefined; Array.prototype.slice.call1; !-- ============================================ Technical details: The issue is in jscript!JsArraySlice Array.prototype.slice.call in the P...
Intel Content Protection HECI Service - Type Confusion Privilege Escalation
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1358 Intel Content Protection HECI Service Type Confusion EoP Platform: Tested on Windows 10, service version 9.0.2.117 Class: Elevation of Privilege Summary: The Intel Content Protection HECI Service exposes a DCOM object to all...
Microsoft Windows - 'jscript!RegExpFncObj::LastParen' Out-of-Bounds Read
function go var r= new RegExpArray100.join''; ''.searchr; alertRegExp.lastParen; go; r rax=0000000000000063 rbx=000000000476fd90 rcx=0000000000000063 rdx=0000000000000064 rsi=000000000476fd90 rdi=000007fef23d37d0 rip=000007fef23d3813 rsp=00000000130f9090 rbp=00000000130f9148 r8=00000000130f9210...
Microsoft Internet Explorer 11 - 'jscript!JSONStringifyObject' Use-After-Free
var o1 = toJSON:function alert'o1'; return o2; var o2 = toJSON:function alert'o2'; CollectGarbage; return 'x'; JSON.stringifyo1; g df8.e48: Access violation - code c0000005 first chance First chance exceptions are reported before any exception handling. This exception may be expected and handled...
BrightSign Digital Signage - Multiple Vulnerablities
Exploit Title: BrightSign Digital Signage Multiple Vulnerabilities Date: 12/15/17 Exploit Author: [email protected] Vectors: XSS, Directory Traversal, File Modification, Information Leakage The BrightSign Digital Signage 4k242 device Firmware 6.2.63 and below suffers from multiple...
Trend Micro Smart Protection Server - Session Hijacking / Log File Disclosure / Remote Command Execution / Cron Job Injection / Local File Inclusion / Stored Cross-Site Scripting / Improper Access Control
Trend Micro Smart Protection Server Multiple Vulnerabilities 1. Advisory Information Title:: Trend Micro Smart Protection Server Multiple Vulnerabilities Advisory ID: CORE-2017-0008 Advisory URL: http://www.coresecurity.com/advisories/trend-micro-smart-protection-server-multiple-vulnerabilities...
Tuleap 9.6 - Second-Order PHP Object Injection (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Tuleap 9.6 Second-Order PHP Object Injection', 'Description' = %q This module exploits a Second-Order PHP Object Injection vulnerability in Tulea...
Microsoft Windows - 'jscript!RegExpComp::Compile' Heap Overflow Through IE or Local Network via WPAD
var s = 'a'; forvar i=0;i !-- ============================================...
Microsoft Windows - jscript.dll 'Array.sort' Heap Overflow
var vars = new Array100; var arr = new Array1000; forvar i=1;i !-- ========================================= Technical details: Array.sort is implemented in JsArraySort which, depending if a comparison function was specified or not, calls JsArrayStringHeapSort or JsArrayFunctionHeapSort. These...
Joomla! Component NextGen Editor 2.1.0 - 'plname' SQL Injection
Exploit Title: Joomla! Component NextGen Editor 2.1.0 - SQL Injection Dork: N/A Date: 19.12.2017 Vendor Homepage: hhttp://nextgeneditor.com/ Software Link: https://extensions.joomla.org/extension/nextgen-editor/ Software Download:...
Joomla! Component Guru Pro - 'promocode' SQL Injection
Exploit Title: Joomla! Component Guru Pro 'promocode'- SQL Injection Dork: N/A Date: 17.12.2017 Vendor Homepage: https://www.ijoomla.com/ Software Link: https://www.ijoomla.com/component/digistore/products/47-joomla-add-ons/119-guru-pro/189?Itemid=189 Version: N/A Category: Webapps Tested on:...
GoAhead Web Server 2.5 < 3.6.5 - HTTPd 'LD_PRELOAD' Remote Code Execution
!/usr/bin/python GoAhead httpd/2.5 to 3.6.5 LDPRELOAD remote code execution exploit EDB Note: Payloads https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/43360.zip EDB Note: Source https://www.elttam.com.au/blog/goahead/ EDB Note: Source...
Joomla! Component My Projects 2.0 - SQL Injection
Exploit Title: Joomla! Component My Projects 2.0 - SQL Injection Dork: N/A Date: 18.12.2017 Vendor Homepage: http://www.gegabyte.org/ Software Link: https://extensions.joomla.org/extensions/extension/directory-a-documentation/portfolio/my-projects/ Version: 2.0 Category: Webapps Tested on:...
Outlook for Android - Attachment Download Directory Traversal
''' There is a directory traversal issue in attachment downloads in Outlook for Android. There is no path sanitization on the attachment filename in the app. If the email account is a Hotmail account, this will be sanitized by the server, but for other accounts it will not be. This allows a file ...
Zoom Linux Client 2.0.106600.0904 - Stack-Based Buffer Overflow (PoC)
CONVISO-17-002 - Zoom Linux Client Stack-based Buffer Overflow Vulnerability 1. Advisory Information Conviso Advisory ID: CONVISO-17-002 CVE ID: CVE-2017-15048 CVSS v2: 6.8, AV:N/AC:M/Au:N/C:P/I:P/A:P Date: 2017-10-01 2. Affected Components Zoom client for Linux, version 2.0.106600.0904...
CDex 1.96 - Buffer Overflow (PoC)
!/usr/bin/python Exploit Author: bzyo Twitter: @bzyo Exploit Title: CDex 1.96 - Local Stack Buffer Overflow Date: 17-12-2017 Vulnerable Software: CDex 1.96 Unicode Build Vendor Homepage: http://cdex.mu/ Version: v1.96 Software Link: http://cdex.mu/?q=download Tested On: Windows 7 x32 PoC: generat...
Zoom Linux Client 2.0.106600.0904 - Command Injection
CONVISO-17-003 - Zoom Linux Client Command Injection Vulnerability RCE 1. Advisory Information Conviso Advisory ID: CONVISO-17-003 CVE ID: CVE-2017-15049 CVSS v2: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C Date: 2017-10-01 2. Affected Components Zoom client for Linux, version 2.0.106600.0904 zoomamd64.deb...
Western Digital MyCloud - 'multi_uploadify' File Upload (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'HEAD', :uri = '/web/', :pattern = /Apache/ include Msf::Exploit::Remote::HttpClient include Msf::Exploit::FileDropper def initializeinfo=...
Joomla! Component User Bench 1.0 - 'userid' SQL Injection
Exploit Title: Joomla! Component User Bench 1.0 - SQL Injection Dork: N/A Date: 18.12.2017 Vendor Homepage: http://www.gegabyte.org/ Software Link: https://extensions.joomla.org/extensions/extension/directory-a-documentation/directory/user-bench/ Version: 1.0 Category: Webapps Tested on:...
Joomla! Component JB Visa 1.0 - 'visatype' SQL Injection
Exploit Title: Joomla! Component JB Visa 1.0 - SQL Injection Dork: N/A Date: 17.12.2017 Vendor Homepage: http://joombooking.com/ Software Link: https://extensions.joomla.org/extensions/extension/vertical-markets/booking-a-reservations/jb-visa/ Version: 1.0 Category: Webapps Tested on:...
Ciuis CRM 1.0.7 - SQL Injection
Exploit Title: Ciuis CRM v 1.0.7 Sql Injection Google Dork: if applicable Date: 12/15/2017 Exploit Author: Zahid Abbasi Contact: http://twitter.com/zahidsec Website: http://zahidabbasi.com Vendor Homepage: http://ciuis.com/ Software Link: https://codecanyon.net/item/ciuis-crm/20473489 Version:...
Cells Blog 3.5 - 'bgid' / 'fmid' / 'fnid' SQL Injection
Exploit Title: Cells Blog 3.5 - SQL Injection Dork: N/A Date: 16.12.2017 Vendor Homepage: http://www.cells.tw/ Software Link: http://www.cells.tw/cells/ Version: 3.5 Category: Webapps Tested on: WiN7x64/KaLiLinuXx64 CVE: N/A Exploit Author: Ihsan Sencan Author Web: http://ihsan.net Author Social:...
Monstra CMS 3.0.4 - (Authenticated) Arbitrary File Upload / Remote Code Execution
Exploit Title: Monstra CMS - 3.0.4 RCE Vendor Homepage: http://monstra.org/ Software Link: https://bitbucket.org/Awilum/monstra/downloads/monstra-3.0.4.zip Discovered by: Ishaq Mohammed Contact: https://twitter.com/securityprince Website: https://about.me/security-prince Category: webapps Platfor...
Linux/x64 - Custom Encoded XOR + execve(/bin/sh) Shellcode
Linux/x64 - Custom Encoded XOR + execve/bin/sh Shellcode. Shellcode exploit for Linuxx86-64 platform global start section .text start: jmp findaddress ; jmp short by default decoder: ; Get the address of the string pop rdi push rdi pop rbx ; get the first byte and bruteforce till you get the toke...
Linux kernel < 4.10.15 - Race Condition Privilege Escalation
/ PoC for CVE-2017-10661, triggers UAF with KASan enabled in kernel 4.10 / include include include include include include include include include include include include include include include include include define RACETIME 1000000 int fd; int fddumb; int count=0; void listaddthreadvoid arg in...
Movie Guide 2.0 - SQL Injection
Exploit Title: Movie Guide 2.0 - SQL Injection Dork: N/A Date: 15.12.2017 Vendor Homepage: http://applebitemedia.com/ Software Link: http://applebitemedia.com/amwdl/AMMovieGuide.tar.gz Version: 2.0 Category: Webapps Tested on: WiN7x64/KaLiLinuXx64 CVE: N/A Exploit Author: Ihsan Sencan Author Web:...
Sync Breeze 10.2.12 - Denial of Service
============================================= MGC ALERT 2017-007 - Original release date: November 30, 2017 - Last revised: December 14, 2017 - Discovered by: Manuel García Cárdenas - Severity: 7,5/10 CVSS Base Score - CVE-ID: CVE-2017-17088 ============================================= I...
ITGuard-Manager 0.0.0.1 - Remote Code Execution
Vulnerability Title: ITGuard-Manager V0.0.0.1 PreAuth Remote Code Execution Author: Nassim Asrir Contact: [email protected] / @asrirnassim CVE: Waiting ... CVSS: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H/E:H/MAV:P3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H/E:H/MAV:P Vendor: http://www.innotube.co...
Multiple OEM - 'nsd' Remote Stack Format String (PoC)
STX Subject: Remote Stack Format String in 'nsd' binary from multiple OEM Attack vector: Remote Authentication: Anonymous no credentials needed Researcher: bashis December 2017 PoC: https://github.com/mcw0/PoC Release date: December 14, 2017 Full Disclosure: 0-Day - PoC - 1 $ curl...
Linksys WVBR0 - 'User-Agent' Remote Command Injection
!/usr/bin/python -- coding: utf-8 -- Author: Nixawk CVE-2017-17411 Linksys WVBR0 25 Command Injection """ $ python2.7 exploit-CVE-2017-17411.py Usage: python exploit-CVE-2017-17411.py $ python2.7 exploit-CVE-2017-17411.py http://example.com/ + Target is exploitable by CVE-2017-17411 """ import...
Palo Alto Networks Firewalls - Root Remote Code Execution
This is a public advisory for CVE-2017-15944 which is a remote root code execution bug in Palo Alto Networks firewalls. Three separate bugs can be used together to remotely execute commands as root through the web management interface without authentication on: PAN-OS 6.1.18 and earlier, PAN-OS...
Dup Scout Enterprise - 'Login' Buffer Overflow (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Dup Scout Enterprise Login Buffer Overflow', 'Description' = %q This module exploits a stack buffer overflow in Dup Scout Enterprise 10.0.18. The...
pfSense 2.4.1 - Cross-Site Request Forgery Error Page Clickjacking (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Clickjacking Vulnerability In CSRF Error Page pfSense', 'Description' = %q This module exploits a Clickjacking vulnerability in pfSense 'Yorick...