Firefox 50.0.1 - ASM.JS JIT-Spray Remote Code Execution
function asmjsmodule "use asm"; / huge jitted nop sled / function payloadcode var val = 0; val = val + 0xa8909090|0; val = val + 0xa8909090|0; val = val + 0xa8909090|0; val = val + 0xa8909090|0; val = val + 0xa8909090|0; val = val + 0xa8909090|0; val = val + 0xa8909090|0; val = val + 0xa8909090|0...
FTPGetter 5.89.0.85 - Remote Buffer Overflow (SEH)
!/usr/bin/python Exploit Title: FTPGetter 5.89.0.85 Remote SEH Buffer Overflow Date: 07/14/2017 Exploit Author: Paul Purcell Contact: ptpxploit at gmail Vendor Homepage: https://www.ftpgetter.com/ Vulnerable Version Download: Available for 30 days here: https://ufile.io/2celn I can upload again...
WDTV Live SMP 2.03.20 - Remote Password Reset
WDTV Live SMP Remote Password Reset Vulnerability Date: Jul 14 2017 Author: sw1tch Demo: https://www.sw1tch.net/2017/07/12/wdtv-live-smb-exploit/ Description: A simple remotely exploitable web application vulnerability for the WDTV Live Streaming Media Player and possibly other WDTV systems...
Dasan Networks GPON ONT WiFi Router H64X Series - Configuration Download
Dasan Networks GPON ONT WiFi Router H64X Series System Config Download Vendor: Dasan Networks Product web page: http://www.dasannetworks.com | http://www.dasannetworks.eu Affected version: Models: H640GR-02 H640GV-03 H640GW-02 H640RW-02 H645G Firmware: 3.02p2-1141 2.77p1-1125 2.77-1115 2.76-9999...
OrientDB - Code Execution
Vulnerability Summary The following advisory reports a vulnerability in OrientDB which allows users of the product to cause it to execute code. OrientDB is a Distributed Graph Database engine with the flexibility of a Document Database all in one product. The first and best scalable,...
CyberArk Viewfinity 5.5.10.95 - Local Privilege Escalation
Exploit Title: Privilege Escalation via CyberArk Viewfinity 8. This will spawn a new CMD prompt. Verify you are now Administrator by typing in "net sess...
Dasan Networks GPON ONT WiFi Router H64X Series - Cross-Site Request Forgery
Dasan Networks GPON ONT WiFi Router H64X Series Cross-Site Request Forgery Vendor: Dasan Networks Product web page: http://www.dasannetworks.com | http://www.dasannetworks.eu Affected version: Model: H640GR-02 H640GV-03 H640GW-02 H640RW-02 H645G Firmware: 3.03p1-1145 3.03-1144-01 3.02p2-1141...
Dasan Networks GPON ONT WiFi Router H64X Series - Privilege Escalation
Dasan Networks GPON ONT WiFi Router H64X Series Privilege Escalation Vendor: Dasan Networks Product web page: http://www.dasannetworks.com | http://www.dasannetworks.eu Affected version: Model: H640GR-02 H640GV-03 H640GW-02 H640RW-02 H645G Firmware: 2.77-1115 2.76-9999 2.76-1101 2.67-1070 2.45-10...
Dasan Networks GPON ONT WiFi Router H64X Series - Authentication Bypass
Dasan Networks GPON ONT WiFi Router H64X Series Authentication Bypass Vendor: Dasan Networks Product web page: http://www.dasannetworks.com | http://www.dasannetworks.eu Affected version: Model: H640GR-02 H640GV-03 H640GW-02 H640RW-02 H645G Firmware: 2.76-9999 2.76-1101 2.67-1070 2.45-1045 Summar...
360 Total Security - Local Privilege Escalation
Vulnerability Summary The following advisory describes a Privilege Escalation vulnerability found in 360 Total Security. 360 Total Security offers your PC complete protection from Viruses, Trojans and other emerging threats. Whether you are shopping online, downloading files or chatting with yo...
WordPress Plugin Sabai Discuss - Cross-Site Scripting
Exploit Title: Sabai Discuss Wordpress Plugin Stored XSS vulnerability Exploit Author: Hesam Bazvand Contact: https://www.facebook.com/hesam.king73 Software demo : https://sabaidiscuss.com/ Tested on: Windows 7 / Kali Linux Category: WebApps Dork : User Your Mind ! :D Video Demo :...
Skype for Business 2016 - Cross-Site Scripting
Exploit Title: Skype for Business 2016 XSS Injection - CVE-2017-8550 Exploit Author: @nyxgeek - TrustedSec Date: 2017-04-10 Vendor Homepage: www.microsoft.com Versions: 16.0.7830.1018 32-bit & 16.0.7927.1020 64-bit or lower Requirements: Originating machine needs Lync 2013 SDK installed as well a...
NfSen < 1.3.7 / AlienVault OSSIM 4.3.1 - 'customfmt' Command Injection
Exploit Title: NfSen/AlienVault remote root exploit command injection in customfmt parameter Version: NfSen 1.3.6p1, 1.3.7 and 1.3.7-1bpo80+1all. Previous versions are also likely to be affected. Version: AlienVault USM/OSSIM 4.3.1 Date: 2017-07-10 Vendor Homepage: http://nfsen.sourceforge.net/...
DataTaker DT80 dEX 1.50.012 - Information Disclosure
Title: DataTaker DT80 dEX 1.50.012 - Sensitive Configurations Exposure + Credits / Discovery: Nassim Asrir + Author Contact: [email protected] || https://www.linkedin.com/in/nassim-asrir-b73a57122/ + Author Company: Henceforth + CVE: CVE-2017-11165 Vendor: ===============...
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)
!/usr/bin/python from impacket import smb, smbconnection from mysmb import MYSMB from struct import pack, unpack, unpackfrom import sys import socket import time ''' MS17-010 exploit for Windows 2000 and later by sleepya EDB Note: mysmb.py can be found here...
Pelco Sarix/Spectra Cameras - Cross-Site Request Forgery (Enable SSH Root Access)
Schneider Electric Pelco Sarix/Spectra Cameras CSRF Enable SSH Root Access Vendor: Schneider Electric SE Product web page: https://www.pelco.com Affected version: Sarix Enhanced - Model: IME219 Firmware: 2.1.2.0.8280-A0.0 Sarix Enhanced - Model: IME119 Firmware: 2.1.2.0.8280-A0.0 Sarix - Model:...
NfSen < 1.3.7 / AlienVault OSSIM < 5.3.6 - Local Privilege Escalation
Exploit Title: Local root exploit affecting NfSen = 1.3.7, AlienVault USM/OSSIM = 5.3.6 Version: NfSen 1.3.7 Version: AlienVault 5.3.6 Date: 2017-07-10 Vendor Homepage: http://nfsen.sourceforge.net/ Vendor Homepage: http://www.alienvault.com/ Software Link:...
Pelco VideoXpert 1.12.105 - Information Disclosure
Schneider Electric Pelco VideoXpert Missing Encryption Of Sensitive Information Vendor: Schneider Electric SE Product web page: https://www.pelco.com Affected version: 2.0.41 1.14.7 1.12.105 Summary: VideoXpert is a video management solution designed for scalability, fitting the needs surveillanc...
Pelco Sarix/Spectra Cameras - Remote Code Execution
Schneider Electric Pelco Sarix/Spectra Cameras Root Remote Code Execution Vendor: Schneider Electric SE Product web page: https://www.pelco.com Affected version: Sarix Enhanced - Model: IME219 Firmware: 2.1.2.0.8280-A0.0 Sarix Enhanced - Model: IME119 Firmware: 2.1.2.0.8280-A0.0 Sarix - Model:...
NfSen < 1.3.7 / AlienVault OSSIM 5.3.4 - Command Injection
Exploit Title: NfSen/AlienVault remote root exploit IPC query command injection Version: NfSen 1.3.6p1, 1.3.7 and 1.3.7-1bpo80+1all. Previous versions are also likely to be affected. Version: AlienVault 5.3.4 Date: 2017-07-10 Vendor Homepage: http://nfsen.sourceforge.net/ Vendor Homepage:...
Pelco VideoXpert 1.12.105 - Local Privilege Escalation
Schneider Electric Pelco VideoXpert Privilege Escalations Vendor: Schneider Electric SE Product web page: https://www.pelco.com Affected version: Core Software 1.12.105 Media Gateway Software 1.12.26 Exports 1.12 Summary: VideoXpert is a video management solution designed for scalability, fitting...
Pelco VideoXpert 1.12.105 - Directory Traversal
Schneider Electric Pelco VideoXpert Core Admin Portal Directory Traversal Vendor: Schneider Electric SE Product web page: https://www.pelco.com Affected version: 2.0.41 1.14.7 1.12.105 Summary: VideoXpert is a video management solution designed for scalability, fitting the needs surveillance...
Pelco Sarix/Spectra Cameras - Cross-Site Request Forgery / Cross-Site Scripting
Schneider Electric Pelco Sarix/Spectra Cameras Multiple XSS Vulnerabilities Vendor: Schneider Electric SE Product web page: https://www.pelco.com Affected version: Sarix Enhanced - Model: IME219 Firmware: 2.1.2.0.8280-A0.0 Sarix Enhanced - Model: IME119 Firmware: 2.1.2.0.8280-A0.0 Sarix - Model:...
Easy File Sharing Web Server 7.2 - GET 'PassWD' Remote Buffer Overflow (DEP Bypass)
!/usr/bin/python Exploit Title: Easy File Sharing Web Server 7.2 - GET Buffer Overflow DEP Bypass with ROP Date: 8 July 2017 Exploit Author: Sungchul Park Author Contact: [email protected] Vendor Homepage: http://www.sharing-file.com Software Link: http://www.sharing-file.com/efssetup.exe Versio...
Firefox 54.0.1 - Denial of Service
Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/FIREFOX-v54.0.1-DENIAL-OF-SERVICE.txt + ISR: ApparitionSec Vendor: =============== www.mozilla.org Product: =============== Firefox v54.0.1 Vulnerability Type:...
Yaws 1.91 - Remote File Disclosure
Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/YAWS-WEB-SERVER-v1.91-UNAUTHENTICATED-REMOTE-FILE-DISCLOSURE.txt + ISR: ApparitionSec Vendor: ========== yaws.hyber.org Product: =========== Yaws v1.91 Yet Another Web Server...
Counter Strike: Condition Zero - '.BSP' Map File Code Execution
!/usr/bin/env python Counter Strike: Condition Zero BSP map exploit By @DigitalCold Jun 11, 2017 E-DB Note: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42325.zip bsp-exploit-source.zip from binascii import hexlify, unhexlify from struct import pack, unpack...
Apache Struts 2.3.x Showcase - Remote Code Execution
!/usr/bin/python -- coding: utf-8 -- Just a demo for CVE-2017-9791 import requests def exploiturl, cmd: print"+ command: %s" % cmd payload = "%" payload += "[email protected]@DEFAULTMEMBERACCESS." payload += "memberAccess?memberAccess=dm:" payload +=...
LibTIFF - 'tif_dirwrite.c' Denial of Service
Source: http://bugzilla.maptools.org/showbug.cgi?id=2712 Triggered by "./tiffset POC1" $ ./tiffset POC1 TIFFReadDirectory: Warning, Unknown field with tag 302 0x12e encountered. TIFFReadDirectory: Warning, Unknown field with tag 61961 0xf209 encountered. poc3: AdobeDeflate compression support is...
LibTIFF - 'tif_jbig.c' Denial of Service
Source: http://bugzilla.maptools.org/showbug.cgi?id=2706 Triggered by “./tiff2ps $POC” or “./tiff2pdf $POC” The asan debug information is below: $./tiff2ps $POC ================================================================= ==26627==ERROR:...
LibTIFF - '_TIFFVGetField (tiffsplit)' Out-of-Bounds Read
Source: http://bugzilla.maptools.org/showbug.cgi?id=2693 On 4.0.7: tiffsplit $FILE ==2007== Invalid read of size 4 ==2007== at 0x40CD1A: TIFFVGetField tifdir.c:1072 ==2007== by 0x41B2C5: TIFFVGetField tifdir.c:1198 ==2007== by 0x41B2C5: TIFFGetField tifdir.c:1182 ==2007== by 0x404CCF: tiffcp...
GoAutoDial CE 3.3 - Authentication Bypass / Command Injection (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "GoAutoDial 3.3 Authentication Bypass / Command Injection", 'Description' = %q This module exploits a SQL injection flaw in the login functionality...
Lepide Auditor Suite - 'createdb()' Web Console Database Injection / Remote Code Execution
!/usr/bin/python """ Lepide Auditor Suite createdb Web Console Database Injection Remote Code Execution Vulnerability Vendor: http://www.lepide.com/ File: lepideauditorsuite.zip SHA1: 3c003200408add04308c04e3e0ae03b7774e4120 Download: http://www.lepide.com/lepideauditor/download.html Analysis:...
Joomla! 3.7 - SQL Injection
--==Mannu joomla SQL Injection exploiter by Team Indishell==-- body font-family: Tahoma; color: white; background: 333333; input border : solid 2px ; border-color : black; BACKGROUND-COLOR: 444444; font: 8pt Verdana; color: white; submit BORDER: buttonhighlight 2px outset; BACKGROUND-COLOR: Black...
WordPress Plugin WatuPRO 5.5.1 - SQL Injection
Exploit Title: SQL Injection In WatuPRO WordPress Plugin to Create Exams, Tests and Quizzes Exploit Author: Manich Koomsusi Date: 03-07-2017 Software: WatuPRO Version: 5.5.1 Website: http://calendarscripts.info/watupro/ Tested on: WordPress 4.7.5 Software Link:...
OpenDreamBox 2.0.0 Plugin WebAdmin - Remote Code Execution
Exploit Title: OpenDreamBox 2.0.0 - Plugin WebAdmin RCE Shodan Dork: "DreamBox" 200 ok" Date: 07/03/17 Exploit Author: Jonatas Fil Vendor Homepage: https://www.dreamboxupdate.com Software Link: https://www.dreamboxupdate.com/opendreambox/2.0.0 Version: 2.0.0 Vulnerability: Remote Command Execution...
Zookeeper 3.5.2 Client - Denial of Service
!/usr/bin/python Exploit Title: Zookeeper Client Denial Of Service Port 2181 Date: 2/7/2017 Exploit Author: Brandon Dennis Email: [email protected] Software Link: http://zookeeper.apache.org/releases.htmldownload Zookeeper Version: 3.5.2 Tested on: Windows 2008 R2, Windows 2012 R2 x64 & x86...
Joomla! Component Joomanager 2.0.0 - 'com_Joomanager' Arbitrary File Download
!/usr/bin/python2 -- coding:utf-8 -- ''' GNU GENERAL PUBLIC LICENSE Version 3, 29 June 2007 Copyright C 2007 Free Software Foundation, Inc. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The GNU General Public Licens...
Australian Education App - Remote Code Execution
Exploit Title: Australian Education App - Remote Code Execution Date: 30/Jun/17 Exploit Author: MaXe Vendor Homepage: https://play.google.com/store/apps/details?id=a1.bestsafebrowser2.com Software Link: See APK archive websites Screenshot: Refer to https://www.youtube.com/watch?v=DCz0OqJzBI...
Odoo CRM 10.0 - Code Execution
Vulnerability Summary The following advisory describes arbitrary Python code execution found in Odoo CRM version 10.0. Odoo is a suite of open source business apps that cover all your company needs: CRM, eCommerce, accounting, inventory, point of sale, project management, etc. Odoo’s unique value...
eVestigator Forensic PenTester - Man In The Middle Remote Code Execution
Exploit Title: eVestigator Forensic PenTester v1 - Remote Code Execution via MITM Date: 30/Jun/17 Exploit Author: MaXe Vendor Homepage: https://play.google.com/store/apps/details?id=penetrationtest.eVestigator.com Software Link: See APK archive websites Screenshot: Refer to...
Google Chrome - Out-of-Bounds Access in RegExp Stubs
There is an out-of-bounds access in RegExp.prototype.exec and RegExp.prototype.test. The code defined in BranchIfFastRegExp checks whether a regular expression object has the default map, however, it is possible to alter the map after this check has been performed. This can cause inline fields,...
BestSafe Browser - Man In The Middle Remote Code Execution
Exploit Title: BestSafe Browser FREE NoAds - Remote Code Execution Date: 30/Jun/17 Exploit Author: MaXe Vendor Homepage: https://play.google.com/store/apps/details?id=a1.bestsafebrowser.com Software Link: See APK archive websites Screenshot: Refer to https://www.youtube.com/watch?v=VXNVzjsH0As...
LG MRA58K - 'ASFParser::SetMetaData' Stack Overflow
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1226 There are three variants of the below crash, all of which stemming from an unbound copy into a fixed size stack buffer allocated in the function ASFParser::SetMetaData, used as an argument to each of the three calls to the...
Humax HG100R 2.0.6 - Backup File Download
coding: utf-8 Exploit Title: Humax Backup file download Date: 29/06/2017 Exploit Author: gambler Vendor Homepage: http://humaxdigital.com Version: VER 2.0.6 Tested on: OSX Linux CVE : CVE-2017-7315 import sys import base64 import shodan import requests import subprocess def banner: print ''' ██░ ...
Veritas/Symantec Backup Exec - SSL NDMP Connection Use-After-Free (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core/exploit/ndmpsocket' require 'openssl' require 'xdr' class MetasploitModule 'Veritas/Symantec Backup Exec SSL NDMP Connection Use-After-Free',...
ActiveMQ < 5.14.0 - Web Shell Upload (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'ActiveMQ web shell upload', 'Description' = %q The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to uplo...
FreeBSD - 'FGPE' Stack Clash (PoC)
/ FreeBSDCVE-2017-FGPE.c for CVE-2017-1084 please compile with -O0 Copyright C 2017 Qualys, Inc. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License,...
Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso_dynamic Stack Clash' Local Privilege Escalation
/ Linuxldsodynamic.c for CVE-2017-1000366, CVE-2017-1000371 Copyright C 2017 Qualys, Inc. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or at...
OpenBSD - 'at Stack Clash' Local Privilege Escalation
/ OpenBSDat.c for CVE-2017-1000373 Copyright c 2017 Qualys, Inc. slowsort adapted from lib/libc/stdlib/qsort.c: Copyright c 1992, 1993 The Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted...