47904 matches found
Linux/x86_64 - Reverse Shell (192.168.1.8:4444) Shellcode (104 bytes)
Linux/x8664 - Reverse Shell 192.168.1.8:4444 Shellcode 104 bytes. Shellcode exploit for Linx86-64 platform / ;Category: Shellcode ;Title: GNU/Linux x8664 - Reverse Shell Shellcode ;Author: m4n3dw0lf ;Github: https://github.com/m4n3dw0lf ;Date: 18/07/2017 ;Architecture: Linux x8664 ;Tested on: 1 S...
Citrix CloudBridge - 'CAKEPHP' Cookie Command Injection
POST /cgi-bin/login.cgi?redirect=/ HTTP/1.1 Host: 10.242.129.149 Accept: / Accept-Language: en User-Agent: Mozilla/5.0 compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0 Connection: close Referer: https://10.242.129.149/cgi-bin/login.cgi?redirect=/ Cookie: CAKEPHP=sleep 10 Content-Type...
Sonicwall < 8.1.0.6-21sv - 'gencsr.cgi' Command Injection (Metasploit)
Exploit Title: Sonicwall gencsr CGI Remote Command Injection Vulnerablity Date: 12/24/2016 Exploit Author: xort @ Critical Start Vendor Homepage: www.sonicwall.com Software Link: sonicwall.com/products/sra-virtual-appliance Version: 8.1.0.6-21sv Tested on: 8.1.0.2-14sv CVE : awaiting cve vuln:...
Oracle E-Business Suite 12.x - Server-Side Request Forgery
Exploit Title: Oracle E-Business Suite - Server Side Request Forgery Date: 19 July 2017 Exploit Author: Sarath Nair aka AceNeon13 Contact: @AceNeon13 Greetings: Raj3sh.tv, Deepu.tv Vendor Homepage: www.oracle.com Software Link:...
Microsoft Windows 7 SP1 (x86) - GDI Palette Objects Local Privilege Escalation (MS17-017)
E-DB Note: + Source: https://github.com/sensepost/gdi-palettes-exp + Binary: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42432.exe include include include include //From http://stackoverflow.com/a/26414236 this defines the details of the NtAllocateVirtualMemor...
Sonicwall Secure Remote Access 8.1.0.2-14sv - Command Injection
Sonicwall Secure Remote Access SRA - Command Injection Vulnerabilities Vendor: Sonicwall Dell Product: Secure Remote Access SRA Version: 8.1.0.2-14sv Platform: Embedded Linux Discovery: Russell Sanford of Critical Start www.CriticalStart.com CVE: cve-2016-9682 Tested against version 8.1.0.2-14sv ...
Netscaler SD-WAN 9.1.2.26.561201 - Command Injection (Metasploit)
Exploit Title: Citix SD-WAN logout cookie preauth Remote Command Injection Vulnerablity Date: 02/20/2017 Exploit Author: xort @ Critical Start Vendor Homepage: www.citrix.com Software Link: https://www.citrix.com/downloads/cloudbridge/ Version: 9.1.2.26.561201 Tested on: 9.1.2.26.561201 OS...
Sonicwall < 8.1.0.2-14sv - 'sitecustomization.cgi' Command Injection (Metasploit)
Exploit Title: Sonicwall importlogo/sitecustomization CGI Remote Command Injection Vulnerablity Date: 12/25/2016 Exploit Author: xort @ Critical Start Vendor Homepage: www.sonicwall.com Software Link: sonicwall.com/products/sra-virtual-appliance Version: 8.1.0.2-14sv Tested on: 8.1.0.2-14sv CVE :...
Microsoft Windows Kernel - 'IOCTL 0x120007 NsiGetParameter' nsiproxy/netio Pool Memory Disclosure
/ We have discovered that the handler of the 0x120007 IOCTL in nsiproxy.sys \.\Nsi device discloses portions of uninitialized pool memory to user-mode clients, likely due to output structure alignment holes. On our test Windows 7 32-bit workstation, an example layout of the output buffer is as...
PEGA Platform <= 7.2 ML0 - Missing Access Control / Cross-Site Scripting
Summary ======= 1. Missing access control CVE-2017-11356 2. Multiple cross-site scripting CVE-2017-11355 Vendor ====== "Pegasystems Inc. is the leader in software for customer engagement and operational excellence. Pega’s adaptive, cloud-architected software – built on its unified Pega® Platform ...
Barracuda Load Balancer Firmware < 6.0.1.006 - Remote Command Injection (Metasploit)
Exploit Title: Barracuda Load Balancer Firmware 'Barracuda Load Balancer Firmware %q This module exploits a remote command execution vulnerability in the Barracuda Load Balancer Firmware Version = v6.0.1.006 2016-08-19 by exploiting a vulnerability in the web administration interface. By sending ...
Sophos Web Appliance 4.3.0.2 - 'trafficType' Remote Command Injection (Metasploit)
Exploit Title: Sophos Web Appliance reporting JSON trafficType Remote Command Injection Vulnerablity Date: 01/28/2017 Exploit Author: xort @ Critical Start Vendor Homepage: www.sophos.com Software Link: sophos.com/en-us/products/secure-web-gateway.aspx Version: 4.3.0.2 Tested on: 4.3.0.2 CVE :...
Microsoft Internet Explorer 11.0.9600.18617 - 'CMarkup::DestroySplayTree' Memory Corruption
element. The bug was confirmed on IE Version 11.0.9600.18617 Update Version 11.0.40 running on Windows 7 64-bit. I was unable to reproduce it on Windows 10. PoC: ========================================== -- function go setTimeout"window.location.reload",100;...
Microsoft Internet Explorer 11.1066.14393.0 - VBScript Arithmetic Functions Type Confusion
PvarGetArithVal; VAR arithv2 = v2-PvarGetArithVal; int resulttype = resultlookuptablev1-vartypev2-vartype; ifresulttype == 10 RaiseError...; ifresulttype == 2 ... else ifresulttype == 3 ... else ifresulttype == 4 ... v1-vartype = resulttype; where the logic for VAR::PvarGetArithVal is roughly VAR...
Hashicorp vagrant-vmware-fusion < 4.0.20 - Local Privilege Escalation
I'm a big fan of Hashicorp but this is an awful bug to have in software of their calibre. Their vagrant plugin for vmware fusion uses a product called Ruby Encoder to protect their proprietary ruby code. It does this by turning the ruby code into bytecode and executing it directly. Unfortunately...
Belkin F7D7601 NetCam - Multiple Vulnerabilities
Exploit Title: Belkin NetCam F7D7601 | Remote Command Execution Date: 17/07/17 Exploit Author: Wadeek Vendor Homepage: http://www.belkin.com/ Tested on: Belkin NetCam F7D7601 WeMoNetCamWW2.00.10684.PVT ================================================ UnsetupMode == 0 Hard-coded password admin:adm...
Geneko Routers - Path Traversal
Vulnerability Summary The following advisory describes a Unauthenticated Path Traversal vulnerability found in Geneko GWR routers series. Geneko GWG is compact and cost effective communications solution that provides cellular capabilities for fixed and mobile applications such as data acquisition...
Orangescrum 1.6.1 - Multiple Vulnerabilities
Exploit Title: Orangescrum 1.6.1 Multiple Vulnerabilities Google Dork: NA Date: July 9 2017 Exploit Author: [email protected] Author blog : cupuzone.wordpress.com Vendor Homepage: https://www.orangescrum.org/ Software Link: https://www.orangescrum.org/free-download Version: 1.6.1 Tested on:...
Apple Mac OS X + Safari - Local Javascript Quarantine Bypass
Title: Mac OS X Local Javascript Quarantine Bypass Product: Mac OS X Version: 10.12, 10.11, 10.10 and probably prior Vendor: apple.com Type: DOM Based XSS Risk level: 3 / 5 Credits: [email protected] CVE: N/A Vendor notification: 2017-07-15 Vendor fix: 2017-09-25 Public...
WDTV Live SMP 2.03.20 - Remote Password Reset
WDTV Live SMP Remote Password Reset Vulnerability Date: Jul 14 2017 Author: sw1tch Demo: https://www.sw1tch.net/2017/07/12/wdtv-live-smb-exploit/ Description: A simple remotely exploitable web application vulnerability for the WDTV Live Streaming Media Player and possibly other WDTV systems...
FTPGetter 5.89.0.85 - Remote Buffer Overflow (SEH)
!/usr/bin/python Exploit Title: FTPGetter 5.89.0.85 Remote SEH Buffer Overflow Date: 07/14/2017 Exploit Author: Paul Purcell Contact: ptpxploit at gmail Vendor Homepage: https://www.ftpgetter.com/ Vulnerable Version Download: Available for 30 days here: https://ufile.io/2celn I can upload again...
Firefox 50.0.1 - ASM.JS JIT-Spray Remote Code Execution
function asmjsmodule "use asm"; / huge jitted nop sled / function payloadcode var val = 0; val = val + 0xa8909090|0; val = val + 0xa8909090|0; val = val + 0xa8909090|0; val = val + 0xa8909090|0; val = val + 0xa8909090|0; val = val + 0xa8909090|0; val = val + 0xa8909090|0; val = val + 0xa8909090|0...
OrientDB - Code Execution
Vulnerability Summary The following advisory reports a vulnerability in OrientDB which allows users of the product to cause it to execute code. OrientDB is a Distributed Graph Database engine with the flexibility of a Document Database all in one product. The first and best scalable,...
Dasan Networks GPON ONT WiFi Router H64X Series - Configuration Download
Dasan Networks GPON ONT WiFi Router H64X Series System Config Download Vendor: Dasan Networks Product web page: http://www.dasannetworks.com | http://www.dasannetworks.eu Affected version: Models: H640GR-02 H640GV-03 H640GW-02 H640RW-02 H645G Firmware: 3.02p2-1141 2.77p1-1125 2.77-1115 2.76-9999...
Dasan Networks GPON ONT WiFi Router H64X Series - Privilege Escalation
Dasan Networks GPON ONT WiFi Router H64X Series Privilege Escalation Vendor: Dasan Networks Product web page: http://www.dasannetworks.com | http://www.dasannetworks.eu Affected version: Model: H640GR-02 H640GV-03 H640GW-02 H640RW-02 H645G Firmware: 2.77-1115 2.76-9999 2.76-1101 2.67-1070 2.45-10...
Dasan Networks GPON ONT WiFi Router H64X Series - Authentication Bypass
Dasan Networks GPON ONT WiFi Router H64X Series Authentication Bypass Vendor: Dasan Networks Product web page: http://www.dasannetworks.com | http://www.dasannetworks.eu Affected version: Model: H640GR-02 H640GV-03 H640GW-02 H640RW-02 H645G Firmware: 2.76-9999 2.76-1101 2.67-1070 2.45-1045 Summar...
Dasan Networks GPON ONT WiFi Router H64X Series - Cross-Site Request Forgery
Dasan Networks GPON ONT WiFi Router H64X Series Cross-Site Request Forgery Vendor: Dasan Networks Product web page: http://www.dasannetworks.com | http://www.dasannetworks.eu Affected version: Model: H640GR-02 H640GV-03 H640GW-02 H640RW-02 H645G Firmware: 3.03p1-1145 3.03-1144-01 3.02p2-1141...
CyberArk Viewfinity 5.5.10.95 - Local Privilege Escalation
Exploit Title: Privilege Escalation via CyberArk Viewfinity 8. This will spawn a new CMD prompt. Verify you are now Administrator by typing in "net sess...
360 Total Security - Local Privilege Escalation
Vulnerability Summary The following advisory describes an Privileged Escalation vulnerability found in 360 Total Security. 360 Total Security offers your PC complete protection from Viruses, Trojans and other emerging threats. Whether you are shopping online, downloading files or chatting with yo...
WordPress Plugin Sabai Discuss - Cross-Site Scripting
Exploit Title: Sabai Discuss Wordpress Plugin Stored XSS vulnerability Exploit Author: Hesam Bazvand Contact: https://www.facebook.com/hesam.king73 Software demo : https://sabaidiscuss.com/ Tested on: Windows 7 / Kali Linux Category: WebApps Dork : User Your Mind ! :D Video Demo :...
Skype for Business 2016 - Cross-Site Scripting
Exploit Title: Skype for Business 2016 XSS Injection - CVE-2017-8550 Exploit Author: @nyxgeek - TrustedSec Date: 2017-04-10 Vendor Homepage: www.microsoft.com Versions: 16.0.7830.1018 32-bit & 16.0.7927.1020 64-bit or lower Requirements: Originating machine needs Lync 2013 SDK installed as well a...
NfSen < 1.3.7 / AlienVault OSSIM 4.3.1 - 'customfmt' Command Injection
Exploit Title: NfSen/AlienVault remote root exploit command injection in customfmt parameter Version: NfSen 1.3.6p1, 1.3.7 and 1.3.7-1bpo80+1all. Previous versions are also likely to be affected. Version: AlienVault USM/OSSIM 4.3.1 Date: 2017-07-10 Vendor Homepage: http://nfsen.sourceforge.net/...
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)
!/usr/bin/python from impacket import smb, smbconnection from mysmb import MYSMB from struct import pack, unpack, unpackfrom import sys import socket import time ''' MS17-010 exploit for Windows 2000 and later by sleepya EDB Note: mysmb.py can be found here...
DataTaker DT80 dEX 1.50.012 - Information Disclosure
Title: DataTaker DT80 dEX 1.50.012 - Sensitive Configurations Exposure + Credits / Discovery: Nassim Asrir + Author Contact: [email protected] || https://www.linkedin.com/in/nassim-asrir-b73a57122/ + Author Company: Henceforth + CVE: CVE-2017-11165 Vendor: ===============...
Pelco VideoXpert 1.12.105 - Information Disclosure
Schneider Electric Pelco VideoXpert Missing Encryption Of Sensitive Information Vendor: Schneider Electric SE Product web page: https://www.pelco.com Affected version: 2.0.41 1.14.7 1.12.105 Summary: VideoXpert is a video management solution designed for scalability, fitting the needs surveillanc...
Pelco VideoXpert 1.12.105 - Directory Traversal
Schneider Electric Pelco VideoXpert Core Admin Portal Directory Traversal Vendor: Schneider Electric SE Product web page: https://www.pelco.com Affected version: 2.0.41 1.14.7 1.12.105 Summary: VideoXpert is a video management solution designed for scalability, fitting the needs surveillance...
Pelco VideoXpert 1.12.105 - Local Privilege Escalation
Schneider Electric Pelco VideoXpert Privilege Escalations Vendor: Schneider Electric SE Product web page: https://www.pelco.com Affected version: Core Software 1.12.105 Media Gateway Software 1.12.26 Exports 1.12 Summary: VideoXpert is a video management solution designed for scalability, fitting...
Pelco Sarix/Spectra Cameras - Remote Code Execution
Schneider Electric Pelco Sarix/Spectra Cameras Root Remote Code Execution Vendor: Schneider Electric SE Product web page: https://www.pelco.com Affected version: Sarix Enhanced - Model: IME219 Firmware: 2.1.2.0.8280-A0.0 Sarix Enhanced - Model: IME119 Firmware: 2.1.2.0.8280-A0.0 Sarix - Model:...
NfSen < 1.3.7 / AlienVault OSSIM 5.3.4 - Command Injection
Exploit Title: NfSen/AlienVault remote root exploit IPC query command injection Version: NfSen 1.3.6p1, 1.3.7 and 1.3.7-1bpo80+1all. Previous versions are also likely to be affected. Version: AlienVault 5.3.4 Date: 2017-07-10 Vendor Homepage: http://nfsen.sourceforge.net/ Vendor Homepage:...
Pelco Sarix/Spectra Cameras - Cross-Site Request Forgery / Cross-Site Scripting
Schneider Electric Pelco Sarix/Spectra Cameras Multiple XSS Vulnerabilities Vendor: Schneider Electric SE Product web page: https://www.pelco.com Affected version: Sarix Enhanced - Model: IME219 Firmware: 2.1.2.0.8280-A0.0 Sarix Enhanced - Model: IME119 Firmware: 2.1.2.0.8280-A0.0 Sarix - Model:...
Pelco Sarix/Spectra Cameras - Cross-Site Request Forgery (Enable SSH Root Access)
Schneider Electric Pelco Sarix/Spectra Cameras CSRF Enable SSH Root Access Vendor: Schneider Electric SE Product web page: https://www.pelco.com Affected version: Sarix Enhanced - Model: IME219 Firmware: 2.1.2.0.8280-A0.0 Sarix Enhanced - Model: IME119 Firmware: 2.1.2.0.8280-A0.0 Sarix - Model:...
NfSen < 1.3.7 / AlienVault OSSIM < 5.3.6 - Local Privilege Escalation
Exploit Title: Local root exploit affecting NfSen = 1.3.7, AlienVault USM/OSSIM = 5.3.6 Version: NfSen 1.3.7 Version: AlienVault 5.3.6 Date: 2017-07-10 Vendor Homepage: http://nfsen.sourceforge.net/ Vendor Homepage: http://www.alienvault.com/ Software Link:...
Easy File Sharing Web Server 7.2 - GET 'PassWD' Remote Buffer Overflow (DEP Bypass)
!/usr/bin/python Exploit Title: Easy File Sharing Web Server 7.2 - GET Buffer Overflow DEP Bypass with ROP Date: 8 July 2017 Exploit Author: Sungchul Park Author Contact: [email protected] Vendor Homepage: http://www.sharing-file.com Software Link: http://www.sharing-file.com/efssetup.exe Versio...
Counter Strike: Condition Zero - '.BSP' Map File Code Execution
!/usr/bin/env python Counter Strike: Condition Zero BSP map exploit By @DigitalCold Jun 11, 2017 E-DB Note: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42325.zip bsp-exploit-source.zip from binascii import hexlify, unhexlify from struct import pack, unpack...
Firefox 54.0.1 - Denial of Service
Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/FIREFOX-v54.0.1-DENIAL-OF-SERVICE.txt + ISR: ApparitionSec Vendor: =============== www.mozilla.org Product: =============== Firefox v54.0.1 Vulnerability Type:...
Apache Struts 2.3.x Showcase - Remote Code Execution
!/usr/bin/python -- coding: utf-8 -- Just a demo for CVE-2017-9791 import requests def exploiturl, cmd: print"+ command: %s" % cmd payload = "%" payload += "[email protected]@DEFAULTMEMBERACCESS." payload += "memberAccess?memberAccess=dm:" payload +=...
Yaws 1.91 - Remote File Disclosure
Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/YAWS-WEB-SERVER-v1.91-UNAUTHENTICATED-REMOTE-FILE-DISCLOSURE.txt + ISR: ApparitionSec Vendor: ========== yaws.hyber.org Product: =========== Yaws v1.91 Yet Another Web Server...
LibTIFF - 'tif_dirwrite.c' Denial of Service
Source: http://bugzilla.maptools.org/showbug.cgi?id=2712 Triggered by "./tiffset POC1" $ ./tiffset POC1 TIFFReadDirectory: Warning, Unknown field with tag 302 0x12e encountered. TIFFReadDirectory: Warning, Unknown field with tag 61961 0xf209 encountered. poc3: AdobeDeflate compression support is...
LibTIFF - '_TIFFVGetField (tiffsplit)' Out-of-Bounds Read
Source: http://bugzilla.maptools.org/showbug.cgi?id=2693 On 4.0.7: tiffsplit $FILE ==2007== Invalid read of size 4 ==2007== at 0x40CD1A: TIFFVGetField tifdir.c:1072 ==2007== by 0x41B2C5: TIFFVGetField tifdir.c:1198 ==2007== by 0x41B2C5: TIFFGetField tifdir.c:1182 ==2007== by 0x404CCF: tiffcp...
LibTIFF - 'tif_jbig.c' Denial of Service
Source: http://bugzilla.maptools.org/showbug.cgi?id=2706 Triggered by “./tiff2ps $POC” or “./tiff2pdf $POC” Triggered by “./tiff2ps $POC” or “./tiff2pdf $POC” The asan debug information is below: $./tiff2ps $POC ================================================================= ==26627==ERROR:...