47885 matches found
CometChat < 6.2.0 BETA 1 - Local File Inclusion
Exploit Title: CometChat Vendor Homepage: https://cometchat.com/ Version: 6.2.0 BETA 1 Tested on: Ubuntu Linux 14.04 -------------------------------------------------------------------------------------- In versions of CometChat before version v6.2.0 BETA 1 a bug existed which allowed any...
Ayukov NFTP FTP Client < 2.0 - Remote Buffer Overflow
!/usr/bin/env python coding: utf-8 Description: The vulnerability was discovered during a vulnerability research lecture. This is meant to be a PoC. Exploit Title: Ayukov NFTP FTP Client - Buffer Overflow Date: 2017-10-21 Exploit Author: Berk Cem Göksel Contact: twitter.com/berkcgoksel ||...
ArGoSoft Mini Mail Server 1.0.0.2 - Denial of Service
!/usr/bin/env python coding: utf-8 Description: The vulnerability was discovered during a vulnerability research lecture. Denial-of-service vulnerability in ArGoSoft Mini Mail Server 1.0.0.2 and earlier allows remote attackers to waste CPU resources memory consumption via unspecified vectors...
Sync Breeze Enterprise 10.1.16 - 'POST' Remote Buffer Overflow
!/usr/bin/python import socket try: print "\nSending evil buffer..." shellcode = "\xba\x31\x13\x39\xe4\xdb\xd3\xd9\x74\x24\xf4\x5e\x33\xc9\xb1" "\x52\x31\x56\x12\x03\x56\x12\x83\xdf\xef\xdb\x11\xe3\xf8\x9e" "\xda\x1b\xf9\xfe\x53\xfe\xc8\x3e\x07\x8b\x7b\x8f\x43\xd9\x77"...
Mozilla Firefox < 55 - Denial of Service
Exploit Title: Mozilla Firefox Firefox Lockout Vulnerability"; //Content to be forcibly viewed echo ""; //End echo "setTimeout"location.href ='".$location."';",10000;"; ? Solution: Update to version 55 https://www.mozilla.org/en-US/firefox/55.0/releasenotes/ Mozilla Foundation Security Advisory:...
Axis SSI - Remote Command Execution / Read Files
Subject: SSI Remote Execute and Read Files Researcher: bashis August 2016 Release date: October, 2017 Old stuff that I've forgotten, fixed Q3/2016 by Axis Attack Vector: Remote Authentication: Anonymous no credentials needed Conditions: The cam must be configured to allow anonymous view Execut...
Microsoft Game Definition File Editor 6.3.9600 - XML External Entity Injection
Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/MS-WINDOWS-GAME-DEFINITION-FILE-MAKER-v6.3.9600-XML-EXTERNAL-ENTITY.txt + ISR: ApparitionSec Vendor: ================= www.microsoft.com Product: =========== GDFMaker...
Xen - Pagetable De-typing Unbounded Recursion
Xen allows pagetables of the same level to map each other as readonly in PV domains. This is useful if a guest wants to use the self-referential pagetable trick for easy access to pagetables by mapped virtual address. When cleaning up a pagetable after the last typed reference to it has been...
Check_MK 1.2.8p25 - Information Disclosure
ADVISORY INFORMATION ======================= Product: Checkmk Vendor URL: https://mathias-kettner.de/checkmk.html Type: Race Condition CWE-362 Date found: 2017-09-21 Date published: 2017-10-18 CVSSv3 Score: 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE: CVE-2017-14955 2. CREDITS...
Linksys E Series - Multiple Vulnerabilities
SEC Consult Vulnerability Lab Security Advisory ======================================================================= title: Multiple vulnerabilities product: Linksys E series, see "Vulnerable / tested versions" vulnerable version: see "Vulnerable / tested versions" fixed version: no public fix...
Afian AB FileRun 2017.03.18 - Multiple Vulnerabilities
SEC Consult Vulnerability Lab Security Advisory ======================================================================= title: Multiple vulnerabilities product: Afian AB FileRun vulnerable version: 2017.03.18 fixed version: 2017.09.18 impact: critical homepage: https://www.filerun.com |...
Career Portal 1.0 - SQL Injection
Exploit Title: Career Portal v1.0 - SQL Injection Date: 2017-10-17 Exploit Author: 8bitsec Vendor Homepage: https://codecanyon.net/item/career-portal-online-job-search-script/20767278 Software Link: https://codecanyon.net/item/career-portal-online-job-search-script/20767278 Version: 1.0 Tested on...
Shadowsocks - Log File Command Execution
X41 D-Sec GmbH Security Advisory: X41-2017-008 Multiple Vulnerabilities in Shadowsocks ======================================= Overview -------- Confirmed Affected Versions: Latest commit 2ab8c6b on Sep 6 Confirmed Patched Versions: N/A Vendor: Shadowsocks Vendor URL:...
TP-Link WR940N - (Authenticated) Remote Code
import urllib2 import base64 import hashlib from optparse import import sys import urllibbanner = "\n" "WR940N Authenticated Remote Code Exploit\n" "This exploit will open a bind shell on the remote target\n" "The port is 31337, you can change that in the code if you wish\n" "This exploit require...
OpenText Documentum Content Server - Arbitrary File Download Privilege Escalation
!/usr/bin/env python Opentext Documentum Content Server formerly known as EMC Documentum Content Server does not properly validate input of PUTFILE RPC-command which allows any authenticated user to hijack arbitrary file from Content Server filesystem, because some files on Content Server...
OpenText Documentum Content Server - Privilege Escalation
!/usr/bin/env python Opentext Documentum Content Server formerly known as EMC Documentum Content Server contains following design gap, which allows authenticated user to gain privileges of superuser: Content Server allows to upload content using batches TAR archives, when unpacking TAR archives...
Apple iOS 10.2 (14C92) - Remote Code Execution
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1317c3 The exploit achieves R/W access to the host's physical memory. This exploit has been tested on the iPhone 7, iOS 10.2 14C92. To run the exploit against different devices or versions, the symbols must be adjusted. The attache...
OpenText Documentum Content Server - 'dmr_content' Privilege Escalation
!/usr/bin/env python Opentext Documentum Content Server formerly known as EMC Documentum Content Server contains following design gap, which allows authenticated user to gain privileges of superuser: Content Server stores information about uploaded files in dmr_content objects, which are queryable...
Microsoft Windows 10 - WLDP/MSHTML CLSID UMCI Bypass
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1328 Windows: WLDP/MSHTML CLSID UMCI Bypass Platform: Windows 10 S though should be anything with UMCI Class: Security Feature Bypass Summary: The enlightened lockdown policy check for COM Class instantiation can be bypassed in...
WordPress Plugin Car Park Booking - SQL Injection
Exploit Title: Wordpress Plugin Car Park Booking - SQL Injection Date: 2017-10-17 Exploit Author: 8bitsec Vendor Homepage: https://codecanyon.net/item/car-park-booking-wordpress-plugin/20284035 Software Link: https://codecanyon.net/item/car-park-booking-wordpress-plugin/20284035 Version: 13 Octob...
Linux Kernel - 'AF_PACKET' Use-After-Free (2)
Vulnerabilities summary The following advisory describes a use-after-free vulnerability found in Linux Kernel’s implementation of AF_PACKET that can lead to privilege escalation. AF_PACKET sockets “allow users to send or receive packets on the device driver level. This for example lets them to...
Microsoft Internet Explorer 11 (Windows 7 x86) - 'mshtml.dll' Remote Code Execution (MS17-007)
.class1 float: left; column-count: 5; .class2 column-span: all; columns: 1px; table border-spacing: 0px; var ntdllBase = ""; function infoleak var textarea = document.getElementById"textarea"; var frame = document.createElement"iframe"; textarea.appendChildframe;...
Microsoft Windows - 'nt!NtQueryObject (ObjectNameInformation)' Kernel Pool Memory Disclosure
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1303&desc=2 We have discovered that the nt!NtQueryObject syscall handler discloses portions of uninitialized pool memory to user-mode clients when the following conditions are met: a It is invoked with the ObjectNameInformation...
Tomcat - Remote Code Execution via JSP Upload Bypass (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Tomcat RCE via JSP Upload Bypass', 'Description' = %q This module uploads a jsp payload and executes it. , 'Author' = 'peewpw', 'License' =...
Apache Solr 7.0.1 - XML External Entity Expansion / Remote Code Execution
First Vulnerability: XML External Entity Expansion deftype=xmlparser Lucene includes a query parser that is able to create the full-spectrum of Lucene queries, using an XML data structure. Starting from version 5.1 Solr supports "xml" query parser in the search query. The problem is that lucene x...
Linux Kernel - 'AF_PACKET' Use-After-Free (1)
/ Source: https://blogs.securiteam.com/index.php/archives/3484 Vulnerabilities summary The following advisory describes a use-after-free vulnerability found in Linux Kernel’s implementation of AF_PACKET that can lead to privilege escalation. AF_PACKET sockets “allow users to send or receive packets...
shadowsocks-libev 3.1.0 - Command Execution
X41 D-Sec GmbH Security Advisory: X41-2017-010 Command Execution in Shadowsocks-libev ====================================== Overview -------- Severity Rating: High Confirmed Affected Versions: 3.1.0 Confirmed Patched Versions: N/A Vendor: Shadowsocks Vendor URL:...
Microsoft Edge Chakra - 'StackScriptFunction::BoxState::Box' Accesses to Uninitialized Pointers (Denial of Service)
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1338 Here's a snippet of the method that interprets a javascript function's bytecode. Js::Var Js::InterpreterStackFrame::INTERPRETERLOOPNAME PROBESTACKscriptContext, Js::Constants::MinStackInterpreter; closureInitDone...
OpenText Documentum Content Server - Arbitrary File Download
!/usr/bin/env python Opentext Documentum Content Server formerly known as EMC Documentum Content Server contains following design gap, which allows authenticated user to download arbitrary content files regardless attacker's repository permissions: when authenticated user upload content to...
Squid Analysis Report Generator 2.3.10 - Remote Code Execution
Exploit Title: RCE/Arbitrary file write in Squid Analysis Report Generator SARG Google Dork: inurl:sarg-php Date: 01 September 2017 Exploit Author: Pavel Suprunyuk Vendor Homepage: https://sourceforge.net/projects/sarg/ Software Link: https://sourceforge.net/projects/sarg/ Version: Tested on...
Microsoft Edge Chakra JIT - 'RegexHelper::StringReplace' Must Call the Callback Function with Updating ImplicitCallFlags
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1334 The "String.prototype.replace" method can be inlined in the JIT process. So in the method, all the calls which may break the JIT assumptions must be invoked with updating "ImplicitCallFlags". But "RegexHelper::StringReplace"...
Microsoft Edge Chakra JIT - Incorrect GenerateBailOut Calling Patterns
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1333 Bailout: "ChakraCore’s background JIT compiler generates highly optimized JIT’ed code based upon the data and infers likely usage patterns based on the profile data collected by the interpreter. Given the dynamic nature of...
IKARUS Anti Virus 2.16.7 - Remote Code Execution
Vulnerability summary The following advisory describes a remote code execution found in IKARUS Anti Virus version 2.16.7. IKARUS anti.virus “secures your personal data and PC from all kinds of malware. Additionally, the Anti-SPAM module protects you from SPAM and malware from e-mails. Prevent...
Windows x64 - API Hooking Shellcode (117 bytes)
Windows x64 - API Hooking Shellcode 117 bytes. Shellcode exploit for Windows_x86-64 platform / Title : Windows x64 API Hooking Shellcode Author : Roziul Hasan Khan Shifat Size : 117 bytes Date : 16/10/2017 Email : [email protected] Tested On : Windows 7 Ultimate x64 / / This Shellcode hooks...
Linux Kernel < 3.16.39 (Debian 8 x64) - 'inotify' Local Privilege Escalation
/ CVE-2017-7533 inotify linux kernel vulnerability. $ gcc -o exploit exploit.c -lpthread $ ./exploit Listening for events. Listening for events. alloclen : 50 longname="testdir/bbbb32103210321032100��1����" handleevents event-name : b, event-len : 16 Detected overwrite!!! callrename done. alloclen...
3CX Phone System 15.5.3554.1 - Directory Traversal
Title: ====== 3CX Phone System - Authenticated Directory Traversal Author: ======= Jens Regel, Schneider & Wulf EDV-Beratung GmbH & Co. KG CVE-ID: ======= CVE-2017-15359 Risk Information: ================= CVSS Base Score: 6.8 CVSS Vector: CVSS3AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N Timeline:...
Webmin 1.850 - Multiple Vulnerabilities
SSD Beyond Security: https://blogs.securiteam.com/index.php/archives/3430 + Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/WEBMIN-v1.850-REMOTE-COMMAND-EXECUTION.txt + ISR: ApparitionSec Vulnerability summary The following...
Chrome 35.0.1916.153 - Sandbox Escape / Command Execution
Sandbox escape Chrome exploit. Allows the execution of local binaries, read/write functions and exfiltration of Chrome OAuth tokens to remote server. More info: https://bugs.chromium.org/p/chromium/issues/detail?id=386988 Download:...
Logitech Media Server - Cross-Site Scripting
Exploit Title: DOM Based Cross Site Scripting XSS - Logitech Media Server Shodan Dork: Logitech Media Server Date: 14/10/2017 Exploit Author: Thiago "THX" Sena Vendor Homepage: https://www.logitech.com Tested on: windows 10 CVE : CVE-2017-15687 ----------------------------------------------- PoC:...
TYPO3 Extension Restler 1.7.0 - Local File Disclosure
Exploit Title: Typo3 Restler Extension - Local File Disclosure Date: 2017-10-13 Exploit Author: CrashBandicot @dosperl Vendor Homepage: https://www.aoe.com/ Software Link: https://extensions.typo3.org/extension/restler/ Tested on : MsWin Version: 1.7.0 last Vulnerability File : getsource.php 3...
FiberHome - Directory Traversal
Vulnerability Summary The following advisory describes a directory traversal vulnerability found in FiberHome routers. FiberHome Technologies Group “was established in 1974. After continuous and intensive development for over 40 years, its business has been extended to R&D, manufacturing, marketi...
AlienVault Unified Security Management (USM) 5.4.2 - Cross-Site Request Forgery
ADVISORY INFORMATION ======================= Product: AlienVault USM Vendor URL: https://www.alienvault.com Type: Cross-Site Request Forgery CWE-253 Date found: 2017-09-22 Date published: 2017-10-13 CVSSv3 Score: 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVE: CVE-2017-14956 2. CREDITS...
phpMyFAQ 2.9.8 - Cross-Site Scripting (2)
Exploit Title: phpMyFAQ 2.9.8 Stored XSS Vendor Homepage: http://www.phpmyfaq.de/ Software Link: http://download.phpmyfaq.de/phpMyFAQ-2.9.8.zip Exploit Author: Ishaq Mohammed Contact: https://twitter.com/securityprince Website: https://about.me/security-prince Category: webapps CVE: CVE-2017-1461...
Sync Breeze Enterprise 10.1.16 - Remote Buffer Overflow (SEH) (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class MetasploitModule 'SyncBreeze v10.1.16 SEH GET Overflow', 'Description' = %q There exists an unauthenticated SEH based vulnerability in the HTTP...
E-Sic Software livre CMS - 'q' SQL Injection
Exploit Title: E-Sic Software livre CMS - Blind SQL Injection Date: 12/10/2017 Exploit Author: Guilherme Assmann Vendor Homepage: https://softwarepublico.gov.br/ Version: 1.0 Tested on: kali linux, windows 7, 8.1, 10 - Firefox Download...
E-Sic Software livre CMS - 'cpfcnpj' SQL Injection
Exploit Title: E-Sic Software livre CMS - Sql Injection Date: 12/10/2017 Exploit Author: Elber Tavares fireshellsecurity.team/ Vendor Homepage: https://softwarepublico.gov.br/ Version: 1.0 Tested on: kali linux, windows 7, 8.1, 10 - Firefox Download:...
OctoberCMS 1.0.425 (Build 425) - Cross-Site Scripting
Exploit Title: OctoberCMS 1.0.425 aka Build 425 Stored XSS Vendor Homepage: https://octobercms.com/ Software Link: https://octobercms.com/download Exploit Author: Ishaq Mohammed https://www.exploit-db.com/author/?a=9086 Contact: https://twitter.com/securityprince Website:...
TP-Link TL-MR3220 - Cross-Site Scripting
Exploit Title: Vulnerability Xss - TP-LINK TL-MR3220 Date: 12/10/2017 Exploit Author: Thiago "THX" Sena Vendor Homepage: http://www.tp-link.com.br Version: TL-MR3220 Tested on: Windows 10 CVE : CVE-2017-15291 Vulnerability: Cross-site scripting XSS in TP-LINK TL-MR3220 cve:...
Linux/x86 - execve(/bin/sh) Polymorphic Shellcode (30 bytes)
Linux/x86 - execve/bin/sh Polymorphic Shellcode 30 bytes. Shellcode exploit for Linux_x86 platform / Title: Linux/x86 - Polymorphic execve /bin/sh x86 shellcode - 30 bytes Author: Manuel Mancera @sinkmanu Tested on: Linux 3.16.0-4-586 1 Debian 3.16.43-2+deb8u2 2017-06-26 i686 GNU/Linux...
E-Sic Software livre CMS - Authentication Bypass
Exploit Title: E-Sic Software livre CMS - Authentication Bypass Date: 12/10/2017 Exploit Author: Elber Tavares Vendor Homepage: https://softwarepublico.gov.br/ Version: 1.0 Tested on: kali linux, windows 7, 8.1, 10 - Firefox Download...