Easy MOV Converter 1.4.24 - 'Enter User Name' Local Buffer Overflow (SEH)
#!/usr/bin/python Exploit Title: Easy MOV Converter 1.4.24 - 'Enter User Name' Field Buffer Overflow SEH Date: 13-06-2017 Exploit Author: @abatchy17 -- www.abatchy.com Vulnerable Software: Easy MOV Converter Vendor Homepage: http://www.divxtodvd.net/ Version: 1.4.24 Software Link:...
GStreamer gst-plugins-bad Plugin - NULL Pointer Dereference
Source: https://bugzilla.gnome.org/show_bug.cgi?id=775120 The attached file will cause a null pointer access and segfault in the mpegts parser. Current git code, found with afl. ASAN stack trace: ================================================================= ==32545==ERROR: AddressSanitizer: SE...
Disk Pulse 9.7.26 - 'Add Directory' Local Buffer Overflow
#!/usr/bin/python Exploit Title: Disk Pulse v9.7.26 - Add Directory Local Buffer Overflow Date: 12-06-2017 Exploit Author: abatchy17 -- @abatchy17 Vulnerable Software: Disk Pulse v9.7.26 Freeware, Pro, Ultimate Vendor Homepage: http://www.diskpulse.com/ Version: 9.7.14 Software Link:...
Real Estate Classifieds Script - SQL Injection
Exploit Title: Real Estate Classifieds Script - SQL Injection Dork: N/A Date: 12.06.2017 Vendor : http://www.easyrealestatescript.com/ Software: http://www.easyrealestatescript.com/demo.html Demo: http://www.easyrealestatescript.com/demo.html Version: N/A Author: EziBilisim Author Web:...
Easy File Sharing Web Server 7.2 - 'POST' Remote Buffer Overflow
#!/usr/bin/python Title : EFS Web Server 7.2 POST HTTP Request Buffer Overflow Author : Touhid M.Shaikh Date : 12 June, 2017 Contact: [email protected] Version: 7.2 category: Remote Exploit Tested on: Windows XP SP3 EN Version 5.1.2600 """ Description What is Easy File Sharing Web Server 7....
Easy File Sharing Web Server 7.2 - Authentication Bypass
Exploit Title: EFS Web Server 7.2 Authentication Bypass Date: 11-06-2017 Software Link: http://www.sharing-file.com/efssetup.exe Software Version : 7.2 Exploit Author: Touhid M.Shaikh Contact: http://twitter.com/touhidshaikh22 Website: http://touhidshaikh.com/ Description Video PoC and Article...
Logpoint < 5.6.4 - Root Remote Code Execution
Exploit Title: Unauthenticated remote root code execution on logpoint 5.6.4 Date: 11/06/17 Exploit Author: agix Vendor Homepage: https://www.logpoint.com Version: logpoint 5.6.4 Tested on: 5.6.2 Vendor contact 19/04 Exploit details sent to the vendor 24/04 Patch in test mode 05/05 Patch release t...
DiskBoss 8.0.16 - 'Input Directory' Local Buffer Overflow
#!/usr/bin/python Exploit Title: DiskBoss v8.0.16 - Local Buffer Overflow Date: 11-06-2017 Exploit Author: @abatchy17 -- www.abatchy.com Vulnerable Software: DiskBoss v8.0.16 Freeware, Pro and Ultimate Vendor Homepage: http://www.disksorter.com/ Version: 8.0.16 Software Link:...
WordPress Plugin WP Jobs < 1.5 - SQL Injection
Exploit Title: WordPress Plugin WP Jobs 1.5 - SQL Injection Date: 11-06-2017 Exploit Author: Dimitrios Tsagkarakis Website: dtsa.eu Software Link: https://en-gb.wordpress.org/plugins/wp-jobs/ Vendor Homepage: http://www.intensewp.com/ Version: 1.4 CVE : CVE-2017-9603 Category: webapps 1...
Sync Breeze 9.7.26 - 'Add Exclude Directory' Local Buffer Overflow
#!/usr/bin/python Exploit Title: Sync Breeze v9.7.26 - Local Buffer Overflow Date: 11-06-2017 Exploit Author: @abatchy17 -- www.abatchy.com Vulnerable Software: Sync Breeze v9.7.26 Freeware, Pro and Ultimate Vendor Homepage: http://www.syncbreeze.com Version: 9.7.26 Software Link:...
PaulShop - SQL Injection
Exploit Title: PaulShop CMS <= 2017-03-25 Sql Injection Date: 10-06-2017 Exploit Author: Se0pHpHack3r Vendor Homepage: https://codecanyon.net/item/paulshop-cms-with-shopping-cart-system/18070714 Version: 2017-03-25 1. Description SQL Injection on Shipping Cost page in Cart, with "country" & "weigh...
Disk Sorter 9.7.14 - 'Input Directory' Local Buffer Overflow
#!/usr/bin/python Exploit Title: DiskSorter v9.7.14 - Local Buffer Overflow Date: 10-06-2017 Exploit Author: abatchy17 -- @abatchy17 Vulnerable Software: DiskSorter v9.7.14 Vendor Homepage: http://www.disksorter.com/ Version: 9.7.14 Software Link:...
VMware vSphere Data Protection 5.x/6.x - Java Deserialization
#!/usr/bin/env python import socket import sys import ssl def getHeader(): return '\x4a\x52\x4d\x49\x00\x02\x4b' def payload(): cmd = sys.argv[4] cmdlen = len(cmd) data2 =...
eCom Cart 1.3 - SQL Injection
Exploit Title: eCom Cart 1.3 Exploit Google Dork: inurl:"/pdetails/11" 11 is variable Date: 10.06.2017 Exploit Author: Alperen Eymen Ozcan & Batuhan Camci Vendor Homepage: https://codecanyon.net/item/ecom-cart-a-php-shopping-cart-with-blog/13731007 Software Link:...
Apple macOS - Disk Arbitration Daemon Race Condition
#!/bin/bash Sources: https://raw.githubusercontent.com/phoenhex/files/master/pocs/poc-mount.sh https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc if ! security authorize system.volume.internal.mount &>/dev/null; then echo 2&1 "Cannot acquire system.volume.internal.mount right. This wil...
EFS Easy Chat Server 3.1 - Password Disclosure
Exploit Title: Easy Chat Server Remote Password Disclosure Date: 09/10/2017 Software Link: http://echatserver.com/ecssetup.exe Exploit Author: Aitezaz Mohsin Vulnerable Version: v2.0 to v3.1 Vulnerability Type: Pre-Auth Remote Password Disclosure Severity: Critical...
Apple macOS 10.12.3 / iOS < 10.3.2 - Userspace Entitlement Checking Race Condition
/* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1223 One way processes in userspace that offer mach services check whether they should perform an action on behalf of a client from which they have received a message is by checking whether the sender possesses a certain...
Mapscrn 2.03 - Local Buffer Overflow (PoC)
Developed using Exploit Pack - http://exploitpack.com - Tested on: GNU/Linux - Kali 2017.1 Release Description: Mapscrn Part of setfont 2.0.3 The mapscrn command loads a user defined output character mapping table into the console driver. The console driver may be later put into use user-defined...
EFS Easy Chat Server 3.1 - Remote Buffer Overflow (SEH)
Exploit Title: Easy Chat Server User Registration Buffer Overflow SEH Date: 09/10/2017 Software Link: http://echatserver.com/ecssetup.exe Exploit Author: Aitezaz Mohsin Vulnerable Version: v2.0 to v3.1 Vulnerability Type: Buffer Overflow Severity: Critical Tested on: Windows XP Sp3 Eng...
Uniview NVR - Password Disclosure
Uniview NVR remote passwords disclosure Author: B1t The Uniview NVR web application does not enforce authorizations on the main.cgi file when requesting json data. It says that you can do anything without authentication, however you must know the request structure. In addition, the users' passwor...
Nuevomailer < 6.0 - SQL Injection
Exploit Title: Nuevo mailer version <= 6.0 SQL Injection Exploit Author: ALEH BOITSAU Google Dork: inurl:/inc/rdr.php? Date: 2017-06-09 Vendor Homepage: https://www.nuevomailer.com/ Version: 6.0 and below Tested on: Linux Vulnerable script: rdr.php Vulnerable parameter: r PoC:...
EFS Easy Chat Server 3.1 - Password Reset
Exploit Title: Easy Chat Server Remote Password Reset Date: 09/10/2017 Software Link: http://echatserver.com/ecssetup.exe Exploit Author: Aitezaz Mohsin Vulnerable Version: v2.0 to v3.1 Vulnerability Type: Pre-Auth Remote Password Reset Severity: Critical...
libquicktime 1.2.4 - Denial of Service
libquicktime multiple vulnerabilities ================ Author : qflb.wu =============== Introduction: ============= The libquicktime package contains the libquicktime library, various plugins and codecs, along with graphical and command line utilities used for encoding and decoding QuickTime file...
libcroco 0.6.12 - Denial of Service
libcroco multiple vulnerabilities ================ Author : qflb.wu =============== Introduction: ============= Libcroco is a standalone css2 parsing and manipulation library. The parser provides a low level event driven SAC like api and a css object model like api. Libcroco provides a CSS2...
IPFire 2.19 - Remote Code Execution
Title : IPFire 2.19 Firewall Post-Auth RCE Date : 09/06/2017 Author : 0x09AL https://twitter.com/0x09AL Tested on: IPFire 2.19 x86_64 - Core Update 110 Vendor : http://www.ipfire.org/ Software : http://downloads.ipfire.org/releases/ipfire-2.x/2.19-core110/ipfire-2.19.x86_64-full-core110.iso...
nuevoMailer 6.0 - SQL Injection
Exploit Title: nuevoMailer version 6.0 and earlier time-based SQL Injection Exploit Author: ALEH BOITSAU Google Dork: inurl:/inc/rdr.php? Date: 2017-06-09 Vendor Homepage: https://www.nuevomailer.com/ Version: 6.0 and earlier Tested on: Linux CVE: CVE-2017-9730 Description: SQL injection...
Microsoft Windows - UAC Protection Bypass via FodHelper Registry Key (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core/exploit/exe' require 'msf/core/exploit/powershell' class MetasploitModule 'Windows UAC Protection Bypass Via FodHelper Registry Key', 'Description' => %q...
VMware Workstation 12 Pro - Denial of Service
/* Title: NULL pointer dereference vulnerability in vstor2 driver VMware Workstation Pro/Player CVE: 2017-4916 VMSA-2017-0009 Author: Borja Merino @BorjaMerino Date: May 18, 2017 Tested on: Windows 10 Pro and Windows 7 Pro SP1 with VMware® Workstation 12 Pro 12.5.5 build-5234757 Affected: VMware...
IDERA Uptime Monitor 7.8 - Multiple Vulnerabilities
Vulnerabilities Summary The following advisory describes three (3) vulnerabilities found in IDERA Uptime Monitor version 7.8. “IDERA Uptime Monitor is a Proactively monitor physical servers, virtual machines, network devices, applications, and services across multiple platforms running on-premise,...
Craft CMS 2.6 - Cross-Site Scripting
Exploit Title: Craft CMS 2.6 - Cross-Site Scripting/Unrestricted File Upload Date: 2017-06-08 Exploit Author: Ahsan Tahir Vendor Homepage: https://craftcms.com Software Link: http://download.craftcdn.com/craft/2.6/2.6.2981/Craft-2.6.2981.zip Version: 2.6 Tested on: Kali Linux 2.0 | Windows 8.1...
Net Monitor for Employees Pro < 5.3.4 - Unquoted Service Path Privilege Escalation
Exploit Title: Unquoted Service Path Privilege Escalation - Net Monitor for Employees Pro gmail.com, saeid Nsecurity.org Linkedin: https://www.linkedin.com/in/saeidatabaki Vendor Homepage: http://networklookout.com/ Version: sc qc "Net Monitor for Employees Agent" SC QueryServiceConfig SUCCESS...
Linux Kernel - 'ping' Local Denial of Service
// Source: https://raw.githubusercontent.com/danieljiang0415/androidkernelcrashpoc/master/panic.c include include include include static int sockfd = 0; static struct sockaddr_in addr = {0}; void fuzz(void *param) { while(1) { addr.sin_family = 0; //rand()%42; printf("sin_family1 = %08lx\n", addr.sin_family);...
Robert 0.5 - Multiple Vulnerabilities
Exploit Title: Robert 0.5 - Multiple Vulnerabilities XSS, CSRF, Directory traversal & SQLi Date: 07/06/2017 Exploit Author: Cyril Vallicari / HTTPCS - ZIWIT Vendor website :http://robert.polosson.com/ Download link : https://github.com/RobertManager/robert/archive/master.zip Live demo :...
DC/OS Marathon UI - Docker (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'DC/OS Marathon UI Docker Exploit', 'Description' => %q Utilizing the DCOS Cluster's Marathon UI, an attacker can create a docker container with the...
Xavier 2.4 - SQL Injection
Document Title: =============== Xavier v2.4 PHP MP - SQL Injection Web Vulnerabilities References Source: ==================== https://www.vulnerability-lab.com/getcontent.php?id=2076 Release Date: ============= 2017-06-06 Vulnerability Laboratory ID VL-ID: ==================================== 20...
Grav CMS 1.4.2 Admin Plugin - Cross-Site Scripting
Exploit Title: GravCMS Core Admin Plugin v1.4.2 - Persistent Cross-Site Scripting Date: 2017-06-07 Exploit Author: Ahsan Tahir Vendor Homepage: https://getgrav.org/ Software Link: https://getgrav.org/download/core/grav-admin/1.2.4 Version: 1.4.2 Tested on: Kali Linux 2.0 | Windows 8.1 Email:...
Linux Kernel < 4.10.13 - 'keyctl_set_reqkey_keyring' Local Denial of Service
/* Source: https://bugzilla.novell.com/show_bug.cgi?id=1034862 QA REPRODUCER: gcc -O2 -o CVE-2017-7472 CVE-2017-7472.c -lkeyutils ./CVE-2017-7472 will run the kernel out of memory */ include include int main for ;; keyctl_set_reqkey_keyring(KEY_REQKEY_DEFL_THREAD_KEYRING);...
PuTTY < 0.68 - 'ssh_agent_channel_data' Integer Overflow Heap Corruption
Source: https://www.chiark.greenend.org.uk/sgtatham/putty/wishlist/vuln-agent-fwd-overflow.html summary: Vulnerability: integer overflow permits memory overwrite by forwarded ssh-agent connections class: vulnerability: This is a security vulnerability. difficulty: fun: Just needs tuits, and not...
Artifex MuPDF - Null Pointer Dereference
Source: https://bugs.ghostscript.com/show_bug.cgi?id=697500 POC to trigger null pointer dereference mutool After some fuzz testing I found a crashing test case. Git HEAD: 8eea208e099614487e4bd7cc0d67d91489dae642 To reproduce: mutool convert -F cbz nullptrfzpaintpixmapwithmask -o /dev/null ASAN:...
Apple Safari 10.1 - Spread Operator Integer Overflow Remote Code Execution
Sources: https://phoenhex.re/2017-06-02/arrayspread https://github.com/phoenhex/files/blob/master/exploits/spread-overflow JavaScriptCore will allocate a JSFixedArray for every spread operand of the array literal in slow_path_spread. As such, roughly 4 billion JSValues will have to be allocated,...
Peplink Balance Routers 7.0.0-build1904 - SQL Injection / Cross-Site Scripting / Information Disclosure
X41 D-Sec GmbH Security Advisory: X41-2017-005 Multiple Vulnerabilities in peplink balance routers =================================================== Overview -------- Confirmed Affected Versions: 7.0.0-build1904 Confirmed Patched Versions:...
WordPress Plugin Tribulant Newsletters 4.6.4.2 - File Disclosure / Cross-Site Scripting
DefenseCode WebScanner DAST Advisory WordPress Tribulant Newsletters Plugin Multiple Security Vulnerabilities Advisory ID: DC-2017-01-012 Advisory Title: WordPress Tribulant Newsletters Plugin Multiple Vulnerabilities Advisory URL: http://www.defensecode.com/advisories.php Software: WordPress...
Apache Struts - REST Plugin With Dynamic Method Invocation Remote Code Execution
#!/usr/bin/python # -*- coding: utf-8 -*- import requests import random import base64 upperAlpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" lowerAlpha = "abcdefghijklmnopqrstuvwxyz" numerals = "0123456789" allchars = [chr(i) for i in xrange(0x00, 0xFF + 0x01)] def randbase(length, bad, chars): '''generate a random string wi...
Subsonic 6.1.1 - Cross-Site Request Forgery
Credits: John Page a.k.a hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/SUBSONIC-PASSWORD-RESET-CSRF.txt + ISR: ApparitionSec Vendor: ================ www.subsonic.org Product: =============== subsonic v6.1.1 Subsonic is a media streaming...
Kronos Telestaff < 2.92EU29 - SQL Injection
Software: Kronos Telestaff Web Application Version: compare timing with device=stdbrowser&action=doLogin&user='ifDBNAME'TELESTAFF'waitfor%20delay'00%3a00%3a12';--&pwd=&code= PoC 2 - Execute Code Remotely example inject benign code e.g. ping a remote systems ?php $cmdtoexecute = strToHex"pi...
Subsonic 6.1.1 - Cross-Site Request Forgery / Cross-Site Scripting
Credits: John Page a.k.a hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/SUBSONIC-CSRF-PERSISTENT-XSS.txt + ISR: ApparitionSec Vendor: ================ www.subsonic.org Product: =============== subsonic v6.1.1 Subsonic is a media streaming...
Subsonic 6.1.1 - Server-Side Request Forgery
Credits: John Page a.k.a hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/SUBSONIC-CSRF-SERVER-SIDE-REQUEST-FORGERY.txt + ISR: ApparitionSec Vendor: ================ www.subsonic.org Product: =============== subsonic v6.1.1 Subsonic is a media...
Wireshark 2.2.0 < 2.2.12 - ROS Dissector Denial of Service
Source: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13637 Build Information: TShark Wireshark 2.3.0 v2.3.0rc0-3235-gd97ce76161 Copyright 1998-2017 Gerald Combs and contributors. License GPLv2+: GNU GPL version 2 or later This is free software; see the source for copying conditions. There i...
Subsonic 6.1.1 - XML External Entity Injection
Credits: John Page a.k.a hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/SUBSONIC-XML-EXTERNAL-ENITITY.txt + ISR: ApparitionSec Vendor: ================ www.subsonic.org Product: =============== subsonic v6.1.1 Subsonic is a media streaming...
Linux/x86-64 - /bin/sh Shellcode (31 bytes)
Linux/x86-64 - /bin/sh Shellcode 31 bytes. Shellcode exploit for lin_x86-64 platform / ;Title: Linux/x86-64 - /bin/sh Shellcode ;Author: Touhid M.Shaikh ;Contact: https://github.com/touhidshaikh ;Category: Shellcode ;Architecture: Linux x86_64 ;Description: This shellcode based on "JMP CALL POP"...