
47885 matches found

Exploit DB
added 2017/06/22 12:0 a.m., 22 views

Microsoft Windows - 'win32k!NtGdiExtGetObjectW' Kernel Stack Memory Disclosure

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1178 We have discovered that it is possible to disclose portions of uninitialized kernel stack memory in Windows 7-10 through the win32k!NtGdiExtGetObjectW system call accessible via a documented GetObject API function to user-mo...

7.4 AI score
Exploits: 0

Exploit DB
added 2017/06/21 12:0 a.m., 44 views

Microsoft Windows - 'IOCTL_DISK_GET_DRIVE_LAYOUT_EX' Kernel partmgr Pool Memory Disclosure

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1159 We have discovered that the handler of the IOCTL_DISK_GET_DRIVE_LAYOUT_EX IOCTL in partmgr.sys discloses portions of uninitialized pool memory to user-mode clients. The issue can be reproduced by running the attached...

7.4 AI score
Exploits: 0

Exploit DB
added 2017/06/21 12:0 a.m., 44 views

Microsoft Windows - 'IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS' volmgr Pool Memory Disclosure

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1154 We have discovered that the handler of the IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS IOCTL in volmgr.sys discloses portions of uninitialized pool memory to user-mode clients, due to output structure alignment holes. On our test Window...

7.4 AI score
Exploits: 0

Exploit DB
added 2017/06/21 12:0 a.m., 34 views

Microsoft Windows - 'nt!NtNotifyChangeDirectoryFile' Kernel Pool Memory Disclosure

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1169 We have discovered that the nt!NtNotifyChangeDirectoryFile system call discloses portions of uninitialized pool memory to user-mode clients, due to output structure alignment holes. On our test Windows 10 32-bit workstation,...

7.4 AI score
Exploits: 0

Exploit DB
added 2017/06/21 12:0 a.m., 38 views

Microsoft Windows - 'win32k!NtGdiGetOutlineTextMetricsInternalW' Kernel Pool Memory Disclosure

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1144 The win32k!NtGdiGetOutlineTextMetricsInternalW system call corresponds to the documented GetOutlineTextMetrics API function 1, and is responsible for returning information about the outline text metrics associated with a...

7.4 AI score
Exploits: 0

Exploit DB
added 2017/06/21 12:0 a.m., 269 views

PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution

#!/usr/bin/python Exploit Title: RCE for PHPMailer 5.2.20 with Exim MTA Date: 16/06/2017 Exploit Author: @phacktul Software Link: https://github.com/PHPMailer/PHPMailer Version: 5.2.20 Tested on: Debian x86/x64 CVE : CVE-2016-10033,CVE-2016-10074,CVE-2016-10034,CVE-2016-10045 @phacktul -...

9.8 CVSS, 10 AI score, 0.94418 EPSS
Exploits: 71

Exploit DB
added 2017/06/21 12:0 a.m., 47 views

Microsoft Windows - '0x224000 IOCTL (WmiQueryAllData)' Kernel WMIDataDevice Pool Memory Disclosure

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1152 We have discovered that the handler of the 0x224000 IOCTL corresponding to the WmiQueryAllData functionality implemented by the \\.\WMIDataDevice device in ntoskrnl.exe as dispatched by the nt!WmipIoControl routine discloses...

7.4 AI score
Exploits: 0

Exploit DB
added 2017/06/21 12:0 a.m., 30 views

Microsoft Windows - 'nt!NtQueryVolumeInformationFile (FileFsVolumeInformation)' Kernel Pool Memory Disclosure

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1166 We have discovered that the nt!NtQueryVolumeInformationFile system call discloses portions of uninitialized pool memory to user-mode clients, due to output structure alignment holes. On our test Windows 10 32-bit workstation...

7.4 AI score
Exploits: 0

Exploit DB
added 2017/06/21 12:0 a.m., 53 views

Microsoft Windows - 'nt!KiDispatchException' Kernel Stack Memory Disclosure in Exception Handling

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1177 According to our tests, the generic exception dispatching code present in the Windows kernel Windows 7-10 discloses portions of uninitialized kernel stack memory to user-mode clients via the CONTEXT structure set up for the...

7.4 AI score
Exploits: 0

Exploit DB
added 2017/06/21 12:0 a.m., 50 views

Microsoft Windows - 'IOCTL 0x390400, operation code 0x00020000' Kernel KsecDD Pool Memory Disclosure

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1147 We have discovered that the IOCTL sent to the \Device\KsecDD device by the BCryptOpenAlgorithmProvider documented API returns some uninitialized pool memory in the output buffer. Let's consider the following input data for t...

7.4 AI score
Exploits: 0

Exploit DB
added 2017/06/21 12:0 a.m., 25 views

Microsoft Windows - 'IOCTL_DISK_GET_DRIVE_GEOMETRY_EX' Kernel partmgr Pool Memory Disclosure

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1156&desc=2 We have discovered that the handler of the IOCTL_DISK_GET_DRIVE_GEOMETRY_EX IOCTL in partmgr.sys discloses portions of uninitialized pool memory to user-mode clients, due to output structure alignment holes. On our test...

7.4 AI score
Exploits: 0

Exploit DB
added 2017/06/21 12:0 a.m., 25 views

Microsoft Windows - 'win32k!NtGdiEnumFonts' Kernel Pool Memory Disclosure

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1153 We have discovered that the win32k!NtGdiEnumFonts system call handler discloses very large portions of uninitialized pool memory to user-mode clients. The issue can be reproduced by running the attached proof-of-concept progra...

7.4 AI score
Exploits: 0

Exploit DB
added 2017/06/21 12:0 a.m., 65 views

Microsoft Windows - 'IOCTL_MOUNTMGR_QUERY_POINTS' Kernel Mountmgr Pool Memory Disclosure

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1150&desc=2 We have discovered that the handler of the IOCTL_MOUNTMGR_QUERY_POINTS IOCTL in mountmgr.sys discloses portions of uninitialized pool memory to user-mode clients, due to output structure alignment holes. On our test...

7.4 AI score
Exploits: 0

Exploit DB
added 2017/06/20 12:0 a.m., 28 views

SpyCamLizard 1.230 - Remote Buffer Overflow

#!/usr/bin/python Exploit Title: SpyCamLizard v1.230 Remote Buffer Overflow SafeSEH Bypass Date: 20-06-2017 Exploit Author: @abatchy17 -- www.abatchy.com Vulnerable Software: SpyCamLizard Vendor Homepage: http://www.spycamlizard.com/ Version: 1.230 Software Link:...

7 AI score
Exploits: 0

Exploit DB
added 2017/06/20 12:0 a.m., 78 views

Freeware Advanced Audio Coder (FAAC) 1.28 - Denial of Service

Freeware Advanced Audio Coder (FAAC) multiple vulnerabilities. Author: qflb.wu. Introduction: FAAC is an encoder for a lossy sound compression scheme specified in MPEG-2 Part 7 and MPEG-4 Part 3 standards and known as Advanced Audio Coding (AAC). This...

5.5 CVSS, 5.8 AI score, 0.01123 EPSS
Exploits: 5

Exploit DB
added 2017/06/20 12:0 a.m., 27 views

Linux/x86 - Reverse UDP Shellcode (668 bytes)

Linux/x86 - Reverse UDP Shellcode (668 bytes). Shellcode exploit for Lin_x86 platform ; SLAE-X ; thanks to writesup from previous students : ; assignment: 2. create a reverse shell ; originality: using UDP instead TCP ; usage : sudo ncat -lup 53 on the receiving end ; warning, this shellcode might...

7.4 AI score
Exploits: 0

Exploit DB
added 2017/06/20 12:0 a.m., 105 views

BOA Web Server 0.94.14rc21 - Arbitrary File Access

BOA Web Server 0.94.14 - Access to arbitrary files as privileges Title: Vulnerability in BOA Webserver 0.94.14 Date: 20-06-2017 Status: Vendor contacted, patch available Scope: Arbitrary file access Platforms: Unix Author: Miguel Mendez Z Vendor Homepage: http://www.boa.org Version: Boa Webserver...

7.8 CVSS, 7.6 AI score, 0.84527 EPSS
Exploits: 6

Exploit DB
added 2017/06/19 12:0 a.m., 36 views

GNU binutils - 'decode_pseudodbg_assert_0' Buffer Overflow

Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21586 I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer. Please find attached the minimized file causing the issue "Input" and the ASAN report log "Output". Below is the reduced stacktrace with links to the correspondin...

7.4 AI score
Exploits: 0

Exploit DB
added 2017/06/19 12:0 a.m., 71 views

GNU binutils - 'bfd_get_string' Stack Buffer Overflow

Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21581 I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer. Please find attached the minimized file causing the issue "Input" and the ASAN report log "Output". Below is the reduced stacktrace with links to the correspondin...

7.4 AI score
Exploits: 0

Exploit DB
added 2017/06/19 12:0 a.m., 45 views

GNU binutils - 'rx_decode_opcode' Buffer Overflow

Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21587 I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer. Please find attached the minimized file causing the issue "Input" and the ASAN report log "Output". Below is the reduced stacktrace with links to the correspondin...

7.4 AI score
Exploits: 0

Exploit DB
added 2017/06/19 12:0 a.m., 33 views

GNU binutils - 'ieee_object_p' Stack Buffer Overflow

Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21582 I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer. Please find attached the minimized file causing the issue "Input" and the ASAN report log "Output". Below is the reduced stacktrace with links to the correspondin...

7.4 AI score
Exploits: 0

Exploit DB
added 2017/06/19 12:0 a.m., 26 views

WonderCMS 2.1.0 - Cross-Site Request Forgery

document.forms0.submit; !-- Disclosure Timeline: --------------------- 2017-06-16: Vulnerability found. 2017-06-17: Reported to vendor. 2017-06-17: Vendor responded and sent a new version for test in it. 2017-06-17: Test new version and vulnerability patched successfully. 2017-06-18: Vendor...

7.4 AI score
Exploits: 0

Exploit DB
added 2017/06/19 12:0 a.m., 25 views

GNU binutils - 'aarch64_ext_ldst_reglist' Buffer Overflow

Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21595 I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer. Please find attached the minimized file causing the issue "Input" and the ASAN report log "Output". Below is the reduced stacktrace with links to the correspondin...

7 AI score
Exploits: 0

Exploit DB
added 2017/06/19 12:0 a.m., 77 views

Sophos XG Firewall 16.05.4 MR-4 - Path Traversal

Vulnerabilities Summary: The following advisory describes two (2) vulnerabilities, a Path Traversal and a Missing Function Level Access Control, in Sophos XG Firewall 16.05.4 MR-4. Sophos XG Firewall provides “unprecedented visibility into your network, users, and applications directly from the all-n...

6.8 AI score
Exploits: 0

Exploit DB
added 2017/06/19 12:0 a.m., 27 views

GNU binutils - 'disassemble_bytes' Heap Overflow

Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21580 I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer. Please find attached the minimized file causing the issue "Input" and the ASAN report log "Output". Below is the reduced stacktrace with links to the correspondin...

7.4 AI score
Exploits: 0

Exploit DB
added 2017/06/19 12:0 a.m., 45 views

GNU binutils - 'print_insn_score16' Buffer Overflow

Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21576 I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer. Please find attached the minimized file causing the issue "Input" and the ASAN report log "Output". Below is the reduced stacktrace with links to the correspondin...

7.4 AI score
Exploits: 0

Exploit DB
added 2017/06/18 12:0 a.m., 53 views

D-Link DSL-2640B ADSL Router - 'dnscfg' Remote DNS Change

#!/bin/bash D-Link ADSL DSL-2640B GE1.07 Unauthenticated Remote DNS Change Exploit Copyright 2017 (c) Todor Donev https://www.ethical-hacker.org/ https://www.facebook.com/ethicalhackerorg Description: The vulnerability exists in the web interface, which is accessible without authentication. Once...

7.4 AI score
Exploits: 0

Exploit DB
added 2017/06/17 12:0 a.m., 79 views

Beetel BCM96338 Router - DNS Change

#!/bin/bash Beetel BCM96338 ADSL Router Unauthenticated Remote DNS Change Exploit Copyright 2017 (c) Todor Donev https://www.ethical-hacker.org/ https://www.facebook.com/ethicalhackerorg Description: The vulnerability exists in the web interface, which is accessible without authentication. Once...

7.4 AI score
Exploits: 0

Exploit DB
added 2017/06/17 12:0 a.m., 22 views

Easy File Sharing HTTP Server 7.2 - POST Buffer Overflow (Metasploit)

This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Easy File Sharing HTTP Server 7.2 POST Buffer Overflow', 'Description' = %q This module exploits a POST buffer overflow in the Easy File Sharing F...

7.4 AI score
Exploits: 0

Exploit DB
added 2017/06/17 12:0 a.m., 72 views

D-Link DSL-2640U - DNS Change

#!/bin/bash D-Link ADSL DSL-2640U IM1.00 Unauthenticated Remote DNS Change Exploit Copyright 2017 (c) Todor Donev https://www.ethical-hacker.org/ https://www.facebook.com/ethicalhackerorg Description: The vulnerability exists in the web interface, which is accessible without authentication. Once...

7.4 AI score
Exploits: 0

Exploit DB
added 2017/06/17 12:0 a.m., 34 views

UTstarcom WA3002G4 - DNS Change

#!/bin/bash UTstarcom WA3002G4 Unauthenticated Remote DNS Change Exploit Copyright 2017 (c) Todor Donev https://www.ethical-hacker.org/ https://www.facebook.com/ethicalhackerorg Description: The vulnerability exists in the web interface, which is accessible without authentication. Once modified,...

7.4 AI score
Exploits: 0

Exploit DB
added 2017/06/16 12:0 a.m., 37 views

iBall Baton iB-WRA150N - DNS Change

#!/bin/bash iBall Baton iB-WRA150N Unauthenticated Remote DNS Change Exploit Copyright 2016 (c) Todor Donev https://www.ethical-hacker.org/ https://www.facebook.com/ethicalhackerorg Description: The vulnerability exists in the web interface, which is accessible without authentication. Once modified,...

7.4 AI score
Exploits: 0

Exploit DB
added 2017/06/16 12:0 a.m., 50 views

WebKit JSC - arrayProtoFuncSplice does not Initialize all Indices

lexicalGlobalObject-arrayStructureForIndexingTypeDuringAllocationArrayWithUndecided, actualDeleteCount; if !result return JSValue::encodethrowOutOfMemoryErrorexec, scope; for unsigned k = 0; k initializeIndexvm, k, v; ... |JSArray::tryCreateForInitializationPrivate| will return an uninitialized...

7.4 AI score
Exploits: 0

Exploit DB
added 2017/06/16 12:0 a.m., 19 views

WebKit JSC - JIT Optimization Check Failed in IntegerCheckCombiningPhase::handleBlock

range.mmaxBound range.mmaxBound = data.maddend; range.mmaxOrigin = node-origin.semantic; else if data.maddend origin.semantic; ... The problem is that the check |data.maddend range.mmaxBound| is a signed comparison. PoC: -- function f let arr = new Uint32Array10; for let i = 0; i 0x100000; i++...

7.4 AI score
Exploits: 0

Exploit DB
added 2017/06/16 12:0 a.m., 59 views

WebKit JSC - 'Intl.getCanonicalLocales' Heap Buffer Overflow

arrayStorage; storage-msparseMap.clear; storage-mindexBias = 0; storage-mnumValuesInVector = 0; return butterfly; It allocates a fixed sizeBASEARRAYSTORAGEVECTORLEN of memory without caring about |initialLength|. So a BOF occurs in the following iteration. EncodedJSValue JSCHOSTCALL...

7.4 AI score
Exploits: 0

Exploit DB
added 2017/06/16 12:0 a.m., 65 views

IBM Informix Dynamic Server - Code Injection / Remote Code Execution

!/usr/local/bin/python """ IBM Informix Dynamic Server doconfig PHP Code Injection Remote Code Execution Vulnerability 0DAY Bonus: free XXE bug included! Download: https://www-01.ibm.com/marketing/iwm/iwm/web/reg/download.do?source=swg-informixfpd&SPKG=dl&lang=enUS&cp=UTF-8&dlmethod=http Twitter:...

7.4 AI score
Exploits: 0

Exploit DB
added 2017/06/16 12:0 a.m., 59 views

WebKit JSC - JSGlobalObject::haveABadTime Causes Type Confusions

switchToSlowPutArrayStoragevm; = MINSPARSEARRAYINDEX || structurevm-holesMustForwardToPrototypevm return nullptr; Structure resultStructure = exec.lexicalGlobalObject-arrayStruct...

7.4 AI score
Exploits: 0

Exploit DB
added 2017/06/15 12:0 a.m., 486 views

Linux/x86_64 - execve("/bin/sh") Shellcode (24 bytes)

Linux/x86_64 - execve("/bin/sh") Shellcode (24 bytes). Shellcode exploit for Lin_x86-64 platform ;Category: Shellcode ;Title: GNU/Linux x86_64 - execve /bin/sh ;Author: m4n3dw0lf ;Github: https://github.com/m4n3dw0lf ;Date: 14/06/2017 ;Architecture: Linux x86_64 ;Tested on : 1 SMP Debian 4.9.18-1...

7.4 AI score
Exploits: 0

Exploit DB
added 2017/06/15 12:0 a.m., 47 views

Avast aswSnx.sys Kernel Driver 11.1.2253 - Memory Corruption Privilege Escalation

Author: bee13oy BSoD on Windows 7 x86 / Windows 10 x86 + Avast Premier / Avast Free Antivirus 11.1.2253 Source: https://github.com/bee13oy/AVKernelVulns/tree/master/Avast/aswSnxBSoD2ZDI-16-681 There is a Memory Corruption Vulnerability in aswSnx.sys when DeviceIoControl API is called with ioctl...

7 AI score
Exploits: 0

Exploit DB
added 2017/06/15 12:0 a.m., 35 views

Linux/x86 - XOR encoded execve(/bin/sh) setuid(0) setgid(0) Shellcode (66 bytes)

Linux/x86 - XOR encoded execve(/bin/sh) setuid(0) setgid(0) Shellcode (66 bytes). Shellcode exploit for Lin_x86 platform ;Title: Linux/x86 - 66 byte - execve(/bin/sh) - setuid(0) - setgid(0) - XOR encrypted ;Author: nullparasite ;Contact: [email protected] ;Category: Shellcode ;Architecture: Linux x86...

0.3 AI score
Exploits: 0

Exploit DB
added 2017/06/15 12:0 a.m., 67 views

VX Search Enterprise 9.7.18 - Local Buffer Overflow

import os import struct author = ''' Created: ScrR1pTK1dd13 Name: Greg Priest Mail: [email protected] Exploit Title: VX Search Enterprise v9.7.18 Import Local Buffer Overflow Vuln. Date: 2017.06.15 Exploit Author: Greg Priest Version: VX Search Enterprise v9.7.18 Tested on: Windows7...

7.4 AI score
Exploits: 0

Exploit DB
added 2017/06/15 12:0 a.m., 60 views

Joomla! Component JoomRecipe 1.0.3 - SQL Injection

Exploit Title: Joomla! Component JoomRecipe 1.0.3 - SQL Injection Dork: N/A Date: 15.06.2017 Vendor : http://joomboost.com/ Software: https://extensions.joomla.org/extensions/extension/vertical-markets/food-a-beverage/joomrecipe/ Demo: http://demo-joomrecipe.joomboost.com/ Version: 1.0.3 Author:...

7.4 AI score
Exploits: 0

Exploit DB
added 2017/06/15 12:0 a.m., 17 views

Easy File Sharing Web Server 7.2 - 'POST' Remote Buffer Overflow (DEP Bypass)

#!/usr/bin/python Exploit Title: Easy File Sharing Web Server 7.2 - 'POST' Buffer Overflow DEP Bypass with ROP Exploit Author: bl4ck h4ck3r Software Link: http://www.sharing-file.com/efssetup.exe Version: Easy File Sharing Web Server v7.2 Tested on: Windows XP SP2, Windows 2008 R2 x64 import socke...

7.4 AI score
Exploits: 0

Exploit DB
added 2017/06/14 12:0 a.m., 41 views

HP PageWide Printers / HP OfficeJet Pro Printers (OfficeJet Pro 8210) - Arbitrary Code Execution

Create a bind shell on an unpatched OfficeJet 8210 Write a script to profile.d and reboot the device. When it comes back online then nc to port 1270. easysnmp instructions: sudo apt-get install libsnmp-dev pip install easysnmp import socket import sys from easysnmp import snmpset profiledscript =...

7.4 AI score
Exploits: 0

Exploit DB
added 2017/06/14 12:0 a.m., 172 views

Sudo 1.8.20 - 'get_process_ttyname()' Local Privilege Escalation

/ E-DB Note: http://www.openwall.com/lists/oss-security/2017/05/30/16 E-DB Note: http://seclists.org/oss-sec/2017/q2/470 LinuxsudoCVE-2017-1000367.c Copyright C 2017 Qualys, Inc. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public...

6.9 CVSS, 7.2 AI score, 0.19918 EPSS
Exploits: 8

Exploit DB
added 2017/06/14 12:0 a.m., 138 views

Google Chrome - V8 Private Property Arbitrary Code Execution

// Source: https://github.com/secmob/pwnfest2016/ function exploit function tohexnum return num0.toString16; function intarraytodoubleintarr var uBuf = new Uint32Array2; var dBuf = new Float64ArrayuBuf.buffer; uBuf0=intarr0; uBuf1=intarr1; return dBuf0; function strtodoublestr//leng of str must b...

7.4 AI score
Exploits: 0

Exploit DB
added 2017/06/14 12:0 a.m., 40 views

KBVault MySQL 0.16a - Arbitrary File Upload

Exploit Title: KBVault MySQL v0.16a - Unauthenticated File Upload to Run Code Google Dork: inurl:"FileExplorer/Explorer.aspx" Date: 2017-06-14 Exploit Author: Fatih Emiral Vendor Homepage: http://kbvaultmysql.codeplex.com/ Software Link: http://kbvaultmysql.codeplex.com/downloads/get/858806...

9.8 CVSS, 9.8 AI score, 0.07376 EPSS
Exploits: 4

Exploit DB
added 2017/06/13 12:0 a.m., 19 views

LG MRA58K - 'ASFParser::ParseHeaderExtensionObjects' Missing Bounds-Checking

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1222 There is a memcpy in ASFParser::ParseHeaderExtensionObjects which doesn't check that the size of the copy is smaller than the size of the source buffer, resulting in an out-of-bounds heap read. The vulnerable code appears to b...

7.4 AI score
Exploits: 0

Exploit DB
added 2017/06/13 12:0 a.m., 88 views

LG MRA58K - Out-of-Bounds Heap Read in CAVIFileParser::Destroy Resulting in Invalid Free

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1221 Similar to the previously reported issue 1206, when parsing AVI files the CAVIFileParser object contains a fixed-size array of what appears to be pointer/length pairs, used I suppose to store the data for each stream. This is...

7.4 AI score
Exploits: 0

Exploit DB
added 2017/06/13 12:0 a.m., 32 views

LG MRA58K - Missing Bounds-Checking in AVI Stream Parsing

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1206 Missing bounds-checking in AVI stream parsing When parsing AVI files, CAVIFileParser uses the stream count from the AVI header to allocate backing storage for storing metadata about the streams member variable maStream. Howeve...

7.4 AI score
Exploits: 0

Total number of security vulnerabilities: 47885