47904 matches found
Lepide Auditor Suite - 'createdb()' Web Console Database Injection / Remote Code Execution
!/usr/bin/python """ Lepide Auditor Suite createdb Web Console Database Injection Remote Code Execution Vulnerability Vendor: http://www.lepide.com/ File: lepideauditorsuite.zip SHA1: 3c003200408add04308c04e3e0ae03b7774e4120 Download: http://www.lepide.com/lepideauditor/download.html Analysis:...
GoAutoDial CE 3.3 - Authentication Bypass / Command Injection (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "GoAutoDial 3.3 Authentication Bypass / Command Injection", 'Description' = %q This module exploits a SQL injection flaw in the login functionality...
Joomla! 3.7 - SQL Injection
--==Mannu joomla SQL Injection exploiter by Team Indishell==-- body font-family: Tahoma; color: white; background: 333333; input border : solid 2px ; border-color : black; BACKGROUND-COLOR: 444444; font: 8pt Verdana; color: white; submit BORDER: buttonhighlight 2px outset; BACKGROUND-COLOR: Black...
WordPress Plugin WatuPRO 5.5.1 - SQL Injection
Exploit Title: SQL Injection In WatuPRO WordPress Plugin to Create Exams, Tests and Quizzes Exploit Author: Manich Koomsusi Date: 03-07-2017 Software: WatuPRO Version: 5.5.1 Website: http://calendarscripts.info/watupro/ Tested on: WordPress 4.7.5 Software Link:...
OpenDreamBox 2.0.0 Plugin WebAdmin - Remote Code Execution
Exploit Title: OpenDreamBox 2.0.0 - Plugin WebAdmin RCE Shodan Dork: "DreamBox" 200 ok" Date: 07/03/17 Exploit Author: Jonatas Fil Vendor Homepage: https://www.dreamboxupdate.com Software Link: https://www.dreamboxupdate.com/opendreambox/2.0.0 Version: 2.0.0 Vulnerabilty: Remote Command Execution...
Zookeeper 3.5.2 Client - Denial of Service
!/usr/bin/python Exploit Title: Zookeeper Client Denial Of Service Port 2181 Date: 2/7/2017 Exploit Author: Brandon Dennis Email: [email protected] Software Link: http://zookeeper.apache.org/releases.htmldownload Zookeeper Version: 3.5.2 Tested on: Windows 2008 R2, Windows 2012 R2 x64 & x86...
Joomla! Component Joomanager 2.0.0 - 'com_Joomanager' Arbitrary File Download
!/usr/bin/python2 -- coding:utf-8 -- ''' GNU GENERAL PUBLIC LICENSE Version 3, 29 June 2007 Copyright C 2007 Free Software Foundation, Inc. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The GNU General Public Licens...
Odoo CRM 10.0 - Code Execution
Vulnerability Summary The following advisory describe arbitrary Python code execution found in Odoo CRM version 10.0 Odoo is a suite of open source business apps that cover all your company needs: CRM, eCommerce, accounting, inventory, point of sale, project management, etc. Odoo’s unique value...
LG MRA58K - 'ASFParser::SetMetaData' Stack Overflow
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1226 There are three variants of the below crash, all of which stemming from an unbound copy into a fixed size stack buffer allocated in the function ASFParser::SetMetaData, used as an argument to each of the three calls to the...
Google Chrome - Out-of-Bounds Access in RegExp Stubs
There is an out-of-bounds access in RegExp.prototype.exec and RegExp.prototype.test. The code defined in BranchIfFastRegExp checks whether a regular expression object has the default map, however, it is possible to alter the map after this check has been performed. This can cause inline fields,...
eVestigator Forensic PenTester - Man In The Middle Remote Code Execution
Exploit Title: eVestigator Forensic PenTester v1 - Remote Code Execution via MITM Date: 30/Jun/17 Exploit Author: MaXe Vendor Homepage: https://play.google.com/store/apps/details?id=penetrationtest.eVestigator.com Software Link: See APK archive websites Screenshot: Refer to...
Humax HG100R 2.0.6 - Backup File Download
coding: utf-8 Exploit Title: Humax Backup file download Date: 29/06/2017 Exploit Author: gambler Vendor Homepage: http://humaxdigital.com Version: VER 2.0.6 Tested on: OSX Linux CVE : CVE-2017-7315 import sys import base64 import shodan import requests import subprocess def banner: print ''' ██░ ...
Australian Education App - Remote Code Execution
Exploit Title: Australian Education App - Remote Code Execution Date: 30/Jun/17 Exploit Author: MaXe Vendor Homepage: https://play.google.com/store/apps/details?id=a1.bestsafebrowser2.com Software Link: See APK archive websites Screenshot: Refer to https://www.youtube.com/watch?v=DCz0OqJzBI...
BestSafe Browser - Man In The Middle Remote Code Execution
Exploit Title: BestSafe Browser FREE NoAds - Remote Code Execution Date: 30/Jun/17 Exploit Author: MaXe Vendor Homepage: https://play.google.com/store/apps/details?id=a1.bestsafebrowser.com Software Link: See APK archive websites Screenshot: Refer to https://www.youtube.com/watch?v=VXNVzjsH0As...
Veritas/Symantec Backup Exec - SSL NDMP Connection Use-After-Free (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core/exploit/ndmpsocket' require 'openssl' require 'xdr' class MetasploitModule 'Veritas/Symantec Backup Exec SSL NDMP Connection Use-After-Free',...
ActiveMQ < 5.14.0 - Web Shell Upload (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'ActiveMQ web shell upload', 'Description' = %q The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to uplo...
FreeBSD - 'FGPU' Stack Clash (PoC)
/ FreeBSDCVE-2017-FGPU.c for CVE-2017-1084 please compile with -O0 Copyright C 2017 Qualys, Inc. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License,...
FreeBSD - 'setrlimit' Stack Clash (PoC)
/ FreeBSDCVE-2017-1085.c Copyright C 2017 Qualys, Inc. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or at your option any later version. This...
FreeBSD - 'FGPE' Stack Clash (PoC)
/ FreeBSDCVE-2017-FGPE.c for CVE-2017-1084 please compile with -O0 Copyright C 2017 Qualys, Inc. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License,...
NetBSD - 'Stack Clash' (PoC)
/ NetBSDCVE-2017-1000375.c please compile with -O0 Copyright C 2017 Qualys, Inc. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or at your opti...
Linux Kernel - 'offset2lib' Stack Clash
/ Linuxoffset2lib.c for CVE-2017-1000370 and CVE-2017-1000371 Copyright C 2017 Qualys, Inc. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or a...
Oracle Solaris 11.1/11.3 (RSH) - 'Stack Clash' Local Privilege Escalation
/ Solarisrsh.c for CVE-2017-3630, CVE-2017-3629, CVE-2017-3631 Copyright C 2017 Qualys, Inc. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or ...
OpenBSD - 'at Stack Clash' Local Privilege Escalation
/ OpenBSDat.c for CVE-2017-1000373 Copyright c 2017 Qualys, Inc. slowsort adapted from lib/libc/stdlib/qsort.c: Copyright c 1992, 1993 The Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted...
Easy File Sharing Web Server 7.2 - Unrestricted File Upload
2017/6/15 Chako EFS Web Server 7.2 Unrestricted File Upload Vendor Homepage: http://www.sharing-file.com Software Link: https://www.exploit-db.com/apps/60f3ff1f3cd34dec80fba130ea481f31-efssetup.exe Version: Easy File Sharing Web Server 7.2 Tested on: WinXP SP3 EFS Web Server 7.2 allows unauthoriz...
Flat Assembler 1.7.21 - Local Buffer Overflow
!/usr/bin/python Developed using Exploit Pack - http://exploitpack.com - Exploit Author: Juan Sacco at KPN Red Team - http://www.kpn.com Tested on: GNU/Linux - Kali 2017.1 Release What is FASM? Flat assembler is a fast, self-compilable assembly language compiler for the x86 and x86-64 architectur...
Kaspersky Anti-Virus File Server 8.0.3.297 - Multiple Vulnerabilities
Advisory Information Title: Kaspersky Anti-Virus File Server Multiple Vulnerabilities Advisory ID: CORE-2017-0003 Advisory URL: http://www.coresecurity.com/advisories/Kaspersky-Anti-Virus-File-Server-Multiple-Vulnerabilities Date published: 2017-06-28 Date of last update: 2017-06-28 Vendors...
Easy File Sharing Web Server 7.2 - Account Import Local Buffer Overflow (SEH)
!/usr/bin/python 2017/6/17 Chako EFS Web Server 7.2 - Local Buffer OverflowSEH Tested on: Windows XP SP3 EN DEP Off Software Link: https://www.exploit-db.com/apps/60f3ff1f3cd34dec80fba130ea481f31-efssetup.exe Description: When importing a large user account file on to EFS Web Server 7.2 will...
Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso_dynamic Stack Clash' Local Privilege Escalation
/ Linuxldsodynamic.c for CVE-2017-1000366, CVE-2017-1000371 Copyright C 2017 Qualys, Inc. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or at...
Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedora 22/25 / CentOS 7.3.1611) - 'ldso_hwcap_64 Stack Clash' Local Privilege Escalation
/ Linuxldsohwcap64.c for CVE-2017-1000366, CVE-2017-1000379 Copyright C 2017 Qualys, Inc. myimportanthwcaps adapted from elf/dl-hwcaps.c, part of the GNU C Library: Copyright C 2012-2017 Free Software Foundation, Inc. This program is free software: you can redistribute it and/or modify it under t...
Linux Kernel (Debian 7/8/9/10 / Fedora 23/24/25 / CentOS 5.3/5.11/6.0/6.8/7.2.1511) - 'ldso_hwcap Stack Clash' Local Privilege Escalation
/ Linuxldsohwcap.c for CVE-2017-1000366, CVE-2017-1000370 Copyright C 2017 Qualys, Inc. myimportanthwcaps adapted from elf/dl-hwcaps.c, part of the GNU C Library: Copyright C 2012-2017 Free Software Foundation, Inc. This program is free software: you can redistribute it and/or modify it under the...
Microsoft MsMpEng - mpengine x86 Emulator Heap Corruption in VFS API
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1282&desc=2 In issue 1260 I discussed Microsoft's "apicall" instruction that can invoke a large number of internal emulator apis and is exposed to remote attackers by default in all recent versions of Windows. I asked Microsoft if...
GLPI 0.90.4 - SQL Injection
Exploit Title: Multiple SQL injection vulnerabilities in GLPI 0.90.4 Date: 2016/09/09 Exploit Author: Eric CARTER in/ericcarterengineer - CS c-s.fr Vendor Homepage: http://glpi-project.org Software Link: http://glpi-project.org/spip.php?article3 Version: 0.90.4 Tested on: GLPI 0.90.4 running on a...
WordPress Plugin Ultimate Product Catalogue 4.2.2 - SQL Injection
Exploit Title: Ultimate Product Catalogue 4.2.2 Sql Injection – Plugin WordPress – Sql Injection Exploit Author: Lenon Leite Vendor Homepage: https://wordpress.org/plugins/ultimate-product-catalogue/ Software Link: https://wordpress.org/plugins/ultimate-product-catalogue/ Contact:...
Easy File Sharing Web Server 7.2 - GET 'PassWD' Remote Buffer Overflow (SEH)
!/usr/bin/python Exploit Title: Easy File Sharing Web Server 7.2 - GET HTTP Request PassWD Buffer Overflow SEH Date: 19 June 2017 Exploit Author: clubjk Author Contact: [email protected] Vendor Homepage: http://www.sharing-file.com Software Link:...
Linux/x86 - Bind Shell Shellcode (75 bytes)
Linux/x86 - Bind Shell Shellcode 75 bytes. Shellcode exploit for Linx86 platform / Architecture : x86 OS : Linux Author : wetw0rk ID : SLAE-958 Shellcode Size : 75 bytes Bind Port : 4444 Description : A linux/x86 bind shell via /bin/sh. Created by analysing msfvenom; original payload was 78 bytes...
IBM DB2 9.7/10.1/10.5/11.1 - Command Line Processor Buffer Overflow
''' DefenseCode Security Advisory IBM DB2 Command Line Processor Buffer Overflow Advisory ID: DC-2017-04-002 Advisory Title: IBM DB2 Command Line Processor Buffer Overflow Advisory URL: http://www.defensecode.com/advisories/IBMDB2CommandLineProcessorBufferOverflow.pdf Software: IBM DB2 Version:...
Symantec Messaging Gateway 10.6.2-7 - Remote Code Execution (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "Symantec Messaging Gateway Remote Code Execution", 'Description' = %q This module exploits the command injection vulnerability of Symantec Messagi...
Eltek SmartPack - Backdoor Account
Eltek SmartPack - Backdoor Account Author: Saeed reza Zamanian penetrationtest @ Linkedin Product: Eltek SmartPack Vendor: http://www.eltek.com/ Product Link : http://www.eltek.com/detailproducts.epl?k1=25507&id=1123846 About Product: The Smartpack controller is a powerful and cost-effective...
LAME 3.99.5 - 'III_dequantize_sample' Stack Buffer Overflow
Description: lame is a high quality MPEG Audio Layer III MP3 encoder licensed under the LGPL. Few notes before the details of this bug. Time ago a fuzz was done by Brian Carpenter and Jakub Wilk which posted the results on the debian bugtracker. In cases like this, when upstream is not active and...
Netgear DGN2200 - 'dnslookup.cgi' Command Injection (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'net/http' require "base64" class MetasploitModule "Netgear DGN2200 dnslookup.cgi Command Injection", 'Description' = %q This module exploits a command injection...
LAME 3.99.5 - 'II_step_one' Buffer Overflow
Description: lame is a high quality MPEG Audio Layer III MP3 encoder licensed under the LGPL. Few notes before the details of this bug. Time ago a fuzz was done by Brian Carpenter and Jakub Wilk which posted the results on the debian bugtracker. In cases like this, when upstream is not active and...
NTFS 3.1 - Master File Table Denial of Service
Y0U HAVE BEEN EXPL0ITED!...
JAD Java Decompiler 1.5.8e - Local Buffer Overflow (NX Enabled)
!/usr/bin/python Exploit Author: Juan Sacco at KPN Red Team - http://www.kpn.com Developed using Exploit Pack - http://exploitpack.com - Tested on: GNU/Linux - Kali 2017.1 Release Description: JAD Java Decompiler 1.5.8e-1kali1 and prior is prone to a stack-based buffer overflow vulnerability...
Adobe Flash - ATF Parser Heap Corruption
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1216 The attached file causes heap corruption in the ATF parser. To reproduce the issue, copy atffree.atf and LoadImage.swf to a server, and visit http://127.0.0.1/LoadImage.swf?img=atffree.png. Proof of Concept:...
Adobe Flash - Image Decoding Out-of-Bounds Read
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1215 The attached png file causes an out-of-bounds read when being decoded by flash. To reproduce the issue, put LoadImage.swf and read1.png on a server, and visit: http://127.0.0.1/LoadImage.swf=read1.png Proof of Concept:...
unrar 5.40 - 'VMSF_DELTA' Filter Arbitrary Memory Write
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1286&desc=6 It appears that the VMSFDELTA memory corruption that was reported to Sophos AV in 2012 and fixed there was actually inherited from upstream unrar. For unknown reasons the information did not reach upstream rar or was...
Microsoft Edge - 'CssParser::RecordProperty' Type Confusion
function go window.addEventListener"DOMAttrModified", undefined; m.style.cssText = "clip-path: urlfoo;"; !-- ========================================= Preliminary analysis: The crash happens inside CAttrArray::PrivateFindInl. Rcx this pointer is supposed to point to a CAttrArray but it actually...
Microsoft Windows - 'nt!NtQueryInformationWorkerFactory (WorkerFactoryBasicInformation)' Kernel Stack Memory Disclosure
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1214&desc=2 We have discovered that the nt!NtQueryInformationWorkerFactory system call called with the WorkerFactoryBasicInformation 7 information class discloses portions of uninitialized kernel stack memory to user-mode clients...
Adobe Flash - AVC Edge Processing Out-of-Bounds Read
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1212 The attached file causes an out-of-bounds read in avc edge processing. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42247.zip...
Microsoft Windows - 'USP10!otlSinglePosLookup::getCoverageTable' Uniscribe Font Processing Out-of-Bounds Memory Read
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1203 We have encountered a crash in the Windows Uniscribe user-mode library, in the USP10!otlSinglePosLookup::getCoverageTable function, while trying to display text using a corrupted TTF font file: --- 7f0.488: Access violation -...