47904 matches found
Jenkins < 1.650 - Java Deserialization
import random import string from decimal import Decimal import requests from requests.exceptions import RequestException Exploit Title: Jenkins CVE-2016-0792 Deserialization Remote Exploit Google Dork: intitle: "Dashboard Jenkins" + "Manage Jenkins" Date: 30-07-2017 Exploit Author: Janusz Piechów...
Fortinet FortiOS < 5.6.0 - Cross-Site Scripting
Title: FortiOS = 5.6.0 Multiple XSS Vulnerabilities Vendor: Fortinet www.fortinet.com CVE: CVE-2017-3131, CVE-2017-3132, CVE-2017-3133 Date: 28.07.2016 Author: Patryk Bogdan @patrykbogdan Affected FortiNet products: CVE-2017-3131 : FortiOS versions 5.4.0 to 5.6.0 CVE-2017-3132 : FortiOS versions...
LAME 3.99.5 - Multiple Vulnerabilities
LAME multiple vulnerabilities ================ Author : qflb.wu =============== Introduction: ============= Following the great history of GNU naming, LAME originally stood for LAME Ain't an Mp3 Encoder. LAME is an educational tool to be used for learning about MP3 encoding. The goal of the LAME...
VehicleWorkshop - SQL Injection
Exploit Title: VehicleWorkshop SQL Injection Data: 07.28.2017 Exploit Author: Shahab Shamsi Vendor HomagePage: https://github.com/spiritson/VehicleWorkshop Tested on: Windows Google Dork: N/A ========= Vulnerable Page: ========= /viewvehiclestoremore.php ========== Vulnerable Source: ==========...
libjpeg-turbo 1.5.1 - Denial of Service
libjpeg-turbo denial of service vulnerability ====================== Author : qflb.wu CVE : CVE-2017-9614 ====================== Introduction: ============= libjpeg-turbo is a JPEG image codec that uses SIMD instructions MMX, SSE2, AVX2, NEON, AltiVec to accelerate baseline JPEG compression and...
SoundTouch 1.9.2 - Multiple Vulnerabilities
SoundTouch multiple vulnerabilities ================ Author : qflb.wu =============== Introduction: ============= SoundTouch is an open-source audio processing library for changing the Tempo, Pitch and Playback Rates of audio streams or audio files. The library additionally supports estimating...
GNU libiberty - Buffer Overflow
Source: https://gcc.gnu.org/bugzilla/showbug.cgi?id=69687 The attached program binary causes a buffer overflow in cplus-dem.c when it tries to demangle specially crafted function arguments in the binary. Both the buffer size as well as the buffer content are controlled from the binary. objdump -x...
Joomla! Component CCNewsLetter 2.1.9 - 'sbid' SQL Injection
"Joomla Component ccnewsletter 2.1.9 - 'sbid' Parameter SQL Injection" Exploit Title: Joomla Component ccnewsletter 2.1.9 - SQL Injection Date: 07-26-2017 Exploit Author: Shahab Shamsi Vendor Homepage: https://extensions.joomla.org/extension/ccnewsletter/ Version: = 2.1.9 Final Version Tested on:...
MediaCoder 0.8.48.5888 - Local Buffer Overflow (SEH)
MediaCoder 0.8.48.5888 - Local Buffer Overflow SEH. CVE-2017-8869. Local exploit for Windows platform !/usr/bin/python Exploit Title : MediaCoder 0.8.48.5888 Local Buffer Overflow SEH CVE : CVE-2017-8869 Exploit Author : Muhann4d @0xSecured Vendor Homepage : http://www.mediacoderhq.com Vulnerable...
Microsoft Windows - '.LNK' Shortcut File Code Execution (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'LNK Remote Code Execution Vulnerability', 'Description' = %q This module exploits a vulnerability in the handling of Windows Shortcut files .LNK...
AudioCoder 0.8.46 - Local Buffer Overflow (SEH)
!/usr/bin/python Exploit Title : AudioCoder 0.8.46 Local Buffer Overflow SEH CVE : CVE-2017-8870 Exploit Author : Muhann4d @0xSecured Vendor Homepage : http://www.mediacoderhq.com Vulnerable Software:...
Friends in War Make or Break 1.7 - Cross-Site Request Forgery (Change Admin Password)
Friends in War Make or Break 1.7 - Unauthenticated admin password change Url: http://software.friendsinwar.com/ http://software.friendsinwar.com/downloads.php?catid=2&fileid=9 Author: shinnai mail: shinnaiatautisticidotorg site: http://www.shinnai.altervista.org/...
Friends in War Make or Break 1.7 - SQL Injection
Exploit Title: Friends in War Make or Break 1.7 SQL Injection Dork: N/A Date: 26.07.2017 Vendor : http://software.friendsinwar.com/ Software: http://software.friendsinwar.com/downloads.php?catid=2&fileid=9 Demo: http://localhost/PATH/ Version: 1.7 Author: Ihsan Sencan SQL Injection/Exploit :...
Friends in War Make or Break 1.7 - Authentication Bypass
x Type: Admin login bypass via SQLi x Vendor: http://software.friendsinwar.com/ x Script Name: Make or Break x Script Version: 1.7 x Script DL: http://software.friendsinwar.com/downloads.php?catid=2&fileid=9 x Author: Anarchy Angel x Mail: anarchydotang31@gmaildotcom x More info:...
WordPress Plugin Ads Pro < 3.4 - Cross-Site Scripting / SQL Injection
Exploit Title: Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager = 5.0.12 AND time-based blind Payload: bsaprostats=1&[email protected]&bsaproid=xx AND SLEEP5 Credits & Author...
WebKit JSC - 'ObjectPatternNode::appendEntry' Stack Use-After-Free
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1256 Here's a snippet of ObjectPatternNode::appendEntry. void appendEntryconst JSTokenLocation&, ExpressionNode propertyExpression, DestructuringPatternNode pattern, ExpressionNode defaultValue, BindingType bindingType...
WebKit JSC - 'DFG::ByteCodeParser::flush(InlineStackEntry* inlineStackEntry)' Incorrect Scope Register Handling
scopeRegister; mcodeBlock| instead of |mcodeBlock|. But it doesn't. As a result, the scope register of |inlineStackEntry-mcodeBlock| may have an incorrect offset in the stack layout phase. PoC: -- function f function eval'1'; f; ; throw 1; f;...
WebKit JSC - 'JSArray::appendMemcpy' Uninitialized Memory Copy
indexingType; if type == ArrayWithUndecided && copyType != NonArray if copyType == ArrayWithInt32 convertUndecidedToInt32vm; else if copyType == ArrayWithDouble convertUndecidedToDoublevm; else if copyType == ArrayWithContiguous convertUndecidedToContiguousvm; else ASSERTcopyType ==...
WebKit JSC - 'ArgumentsEliminationPhase::transform' Incorrect LoadVarargs Handling
op == PhantomNewArrayWithSpread || candidate-op == PhantomSpread ... if argumentCountIncludingThis limit storeArgumentCountIncludingThisargumentCountIncludingThis; // store arguments ... node-remove; node-origin.exitOK = canExit; break; Whether or not the "argumentCountIncludingThis limit"...
WebKit JSC - 'JSObject::putInlineSlow' / 'JSValue::putToPrimitive' Universal Cross-Site Scripting
let f = document.body.appendChilddocument.createElement'iframe'; let loc = f.contentWindow.location; f.onload = = let a = 1.2; a.proto.proto = f.contentWindow; a'test' = toString: function arguments.callee.caller.constructor'alertlocation'; ; ; f.src = 'data:text/html,' +...
WebKit JSC - 'arrayProtoFuncSplice' Uninitialized Memory Reference
lexicalGlobalObject-arrayStructureForIndexingTypeDuringAllocationArrayWithUndecided, actualDeleteCount; if UNLIKELY!result throwOutOfMemoryErrorexec, scope; return encodedJSValue; // The result can have an ArrayStorage indexing type if we're having a bad time. bool isArrayStorage =...
Linux Kernel - 'BadIRET' Local Privilege Escalation
CVE-2014-9322 PoC for Linux kernel CVE-2014-9322 a.k.a BadIRET proof of concept for Linux kernel. This PoC uses only syscalls not any libraries, like pthread. Threads are implemented using raw Linux syscalls. Raw Linux Threads via System Calls Usage $ make badiret.elf is an ELF executable...
Nitro Pro PDF - Multiple Vulnerabilities
Vulnerabilities Summary The following advisory describes three vulnerabilities found in Nitro / Nitro Pro PDF. Nitro Pro is the PDF reader and editor that does everything you will ever need to do with PDF files. The powerful but snappy editor lets you change PDF documents with ease, and comes wit...
vBulletin 5.1.2 < 5.1.9 - Unserialize Code Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'vBulletin 5.1.2 Unserialize Code Execution', 'Description' = %q This module exploits a PHP object injection vulnerability in vBulletin 5.1.2 to...
ManageEngine Desktop Central 10 Build 100087 - Remote Code Execution (Metasploit)
Exploit Title: ManageEngine Desktop Central 10 Build 100087 RCE Date: 24-07-2017 Software Link: https://www.manageengine.com/products/desktop-central/ Exploit Author: Kacper Szurek Contact: https://twitter.com/KacperSzurek Website: https://security.szurek.pl/ CVE: CVE-2017-11346 Category: remote ...
WebKit - 'WebCore::RenderObject' with Accessibility Enabled Use-After-Free
link text-transform: lowercase; link::first-letter border-spacing: 1em; function go dt.appendChildlink; var s = link.style; s.setProperty"display", "table-column-group"; s.setProperty"-webkit-appearance", "menulist-button"; function eventhandler dir.setAttribute"aria-labeledby", "meta";...
IPFire < 2.19 Update Core 110 - Remote Code Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'IPFire proxy.cgi RCE', 'Description' = %q IPFire, a free linux based open source firewall distribution, version 'h00die ', module '0x09AL'...
REDDOXX Appliance Build 2032 / 2.0.625 - Remote Command Execution
Advisory: Remote Command Execution as root in REDDOXX Appliance RedTeam Pentesting discovered a remote command execution vulnerability in the REDDOXX appliance software, which allows attackers to execute arbitrary command with root privileges while unauthenticated. Details ======= Product: REDDOX...
WebKit - 'WebCore::InputType::element' Use-After-Free (1)
var runcount = 0; function go runcount++; ifruncount 2 return; i.type = "foo"; i.select; i.type = "search"; document.onsearch = document.body.onload; document.execCommand"insertHTML", false, ""; !-- ================================================================= ASan log:...
WebKit - 'WebCore::AccessibilityRenderObject::handleAriaExpandedChanged' Use-After-Free
div visibility: collapse function eventhandler document.execCommand"bold", false; img.style.removeProperty"-webkit-appearance"; img.setAttribute"aria-expanded", "false"; aaa !-- ================================================================= ASan log:...
WebKit - 'WebCore::Node::nextSibling' Use-After-Free
function freememory var a; forvar i=0;i !-- ================================================================= ASan log: ================================================================= ==29516==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c0000b7070 at pc 0x0001111c843b bp...
WebKit - 'WebCore::RenderSearchField::addSearchResult' Heap Buffer Overflow
function go i.value = "1"; i.type = "search"; f.submit; ::buffer /Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x8664+0x2694d46 1 0x116496bed in WTF::Vector::end...
PaulShop - SQL Injection / Cross-Site Scripting
Exploit Title: PaulShop CMS - Sql Injection and stored XSS Date: 07/23/2017 Exploit Author: BTIS Team http://www.btis.vn Vendor Homepage: https://codecanyon.net/item/paulshop-cms-with-shopping-cart-system/18070714 Version: 03/27/2017 Tested on: Apache/2.4.7 Ubuntu Contact: [email protected] Can no...
WebKit - 'WebCore::Node::getFlag' Use-After-Free
-webkit-flow-into: textarea; function freememory var a; forvar i=0;i foo !-- ================================================================= ASan log: ================================================================= ==29717==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000053b3...
MAWK 1.3.3-17 - Local Buffer Overflow
!/usr/bin/python Developed using Exploit Pack - http://exploitpack.com - Exploit Author: Juan Sacco at KPN Red Team - http://www.kpn.com Tested on: GNU/Linux - Kali 2017.1 Release Description: MAWK AWK Interpreter 1.3.3-17 and prior is prone to a stack-based buffer overflow vulnerability because...
CenturyLink ZyXEL PK5001Z Router - Root Remote Code Execution
/ PK5001Z CenturyLink Router/Modem remote root exploit / / oxagast / Marshall Whittaker / / marshall@likon:/Code/pk5001zpwn: gcc pk5001z00pin.c -o pk5001z00pin / / marshall@likon:/Code/pk5001zpwn: ./pk5001z00pin / / PK5001Z CenturyLink Router remote root 0day / / Enjoy! / / --oxagast / /...
Microsoft Internet Explorer - 'mshtml.dll' Remote Code Execution (MS17-007)
.class1 float: left; column-count: 5; .class2 column-span: all; columns: 1px; table border-spacing: 0px; var baseleakedaddr = ""; function infoleak var textarea = document.getElementById"textarea"; var frame = document.createElement"iframe"; textarea.appendChildframe;...
Razer Synapse 2.20.15.1104 - rzpnk.sys ZwOpenProcess (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core/exploit/local/windowskernel' require 'rex' require 'metasm' class MetasploitModule 'Razer Synapse rzpnk.sys ZwOpenProcess', 'Description' = %q A...
WebKit - 'WebCore::AccessibilityNodeObject::textUnderElement' Use-After-Free
function go li.hidden = true; dir.setAttribute"aria-labeledby", "map"; !-- ================================================================= ASan log: ================================================================= ==728==ERROR: AddressSanitizer: heap-use-after-free on address 0x6080000908a0 at...
VICIdial 2.9 RC 1 < 2.13 RC1 - 'user_authorization' Command Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'VICIdial userauthorization Unauthenticated Command Execution', 'Description' = %q This module exploits a vulnerability in VICIdial versions 2.9 R...
WebKit - 'WebCore::getCachedWrapper' Use-After-Free
function freememory var a; forvar i=0;i ::get const /Users/projectzero/web...
REDDOXX Appliance Build 2032 / 2.0.625 - Arbitrary File Disclosure
Advisory: Arbitrary File Disclosure with root Privileges via RdxEngine-API in REDDOXX Appliance RedTeam Pentesting discovered an arbitrary file disclosure vulnerability in the REDDOXX appliance software, which allows unauthenticated attackers to list directory contents and download arbitrary file...
NEC UNIVERGE UM4730 < 11.8 - SQL Injection
Exploit Title: NEC UNIVERGE UM4730 11.8 SQL injection Vulnerbility: SQL injection login bypass Date: 15-12-2016 Exploit Author: b0x41s Author web: https://www.xrayit.nl Vendor Homepage: https://www.nec-enterprise.com Category: webapps Version: 11.6.0.31 Tested on: Windows server 2008 Description:...
Docker Daemon - Unprotected TCP Socket
Exploit Title: Docker Daemon - Unprotected TCP Socket Date: 20-07-2017 Exploit Author: Martin Pizala Vendor Homepage: https://www.docker.com Software Link: https://www.docker.com/get-docker Version: Since 0.4.7 2013-06-28 feature: mount host directories Tested on: Docker CE 17.06.0-ce and Docker...
VACRON VIG-US731VE 1.0.18-09-B727 IP Camera - Authentication Bypass
Exploit Title: IP Camera VACRON VIG-US731VE Date: 2017-07-18 Exploit Author: anonymous Vendor Homepage: www.vacron.com Version: V1.0.18-09-B727 1. doesn't require credentials to fetch snapshot like this: http://192.168.0.200/ipcam/jpeg 2. allows "viewer" level user to fetch any camera setting, eg...
Tilde CMS 1.01 - Multiple Vulnerabilities
Exploit Title: Tilde CMS 1.01 Multiple Vulnerabilities Date: July 7th, 2017 Exploit Authors: Paolo Forte, Raffaele Forte Vendor Homepage: http://www.tildenetwork.com/ Version: Tilde CMS 1.0.1 Tested on: Ubuntu 12.04, PHP 5.3.10 I. INTRODUCTION...
SKILLS.com.au Industry App - Man In The Middle Remote Code Execution
Exploit Title: SKILLS.com.au Industry App - Remote Code Execution via MITM Date: 20/Jul/17 Exploit Author: MaXe Vendor Homepage: https://play.google.com/store/apps/details?id=a3.skills.com http://archive.is/NRlNP Software Link: N/A Screenshot: N/A Version: 1.0 Tested on: Android 4.1.0 Google APIs...
WordPress Plugin IBPS Online Exam 1.0 - SQL Injection / Cross-Site Scripting
Exploit Title: IBPS Online Exam Plugin for WordPress v1.0 - XSS SQLi Date: 2017-07-11 Exploit Author: 8bitsec Vendor Homepage: https://elfemo.com/demo/server2/order2032/ Software Link: https://codecanyon.net/item/ibps-online-exam-plugin-for-wordpress/20028534 Version: 1.0 Tested on: Kali Linux 2....
Virtual Postage (VPA) - Man In The Middle Remote Code Execution
Exploit Title: Virtual Postage VPA - Remote Code Execution via MITM Date: 20/Jul/17 Exploit Author: MaXe Vendor Homepage: https://play.google.com/store/apps/details?id=a2.virtualpostage.com http://archive.is/EdtJT Software Link: N/A Screenshot: N/A Version: 1.0 Tested on: Android 4.1.0 Google API...
Joomla! Component JoomRecipe 1.0.4 - 'search_author' SQL Injection
Exploit Title: Joomla JoomRecipe 1.0.4 Component - Blind SQL Injection Vulnerability Date: 20.07.2017 Exploit Author: Teng Vendor Homepage: http://joomboost.com/ Software Link: https://extensions.joomla.org/extensions/extension/vertical-markets/food-a-beverage/joomrecipe/ Version: 1.0.4 Platform:...