47904 matches found
iBall Baton iB-WRA150N - DNS Change
!/bin/bash iBall Baton iB-WRA150N Unauthenticated Remote DNS Change Exploit Copyright 2016 c Todor Donev https://www.ethical-hacker.org/ https://www.facebook.com/ethicalhackerorg Description: The vulnerability exist in the web interface, which is accessible without authentication. Once modified,...
WebKit JSC - JIT Optimization Check Failed in IntegerCheckCombiningPhase::handleBlock
range.mmaxBound range.mmaxBound = data.maddend; range.mmaxOrigin = node-origin.semantic; else if data.maddend origin.semantic; ... The problem is that the check |data.maddend range.mmaxBound| is a signed comparison. PoC: -- function f let arr = new Uint32Array10; for let i = 0; i 0x100000; i++...
WebKit JSC - JSGlobalObject::haveABadTime Causes Type Confusions
switchToSlowPutArrayStoragevm; = MINSPARSEARRAYINDEX || structurevm-holesMustForwardToPrototypevm return nullptr; Structure resultStructure = exec.lexicalGlobalObject-arrayStruct...
WebKit JSC - 'Intl.getCanonicalLocales' Heap Buffer Overflow
arrayStorage; storage-msparseMap.clear; storage-mindexBias = 0; storage-mnumValuesInVector = 0; return butterfly; It allocates a fixed sizeBASEARRAYSTORAGEVECTORLEN of memory without caring about |initialLength|. So a BOF occurs in the following iteration. EncodedJSValue JSCHOSTCALL...
IBM Informix Dynamic Server - Code Injection / Remote Code Execution
!/usr/local/bin/python """ IBM Informix Dynamic Server doconfig PHP Code Injection Remote Code Execution Vulnerability 0DAY Bonus: free XXE bug included! Download: https://www-01.ibm.com/marketing/iwm/iwm/web/reg/download.do?source=swg-informixfpd&SPKG=dl&lang=enUS&cp=UTF-8&dlmethod=http Twitter:...
WebKit JSC - arrayProtoFuncSplice does not Initialize all Indices
lexicalGlobalObject-arrayStructureForIndexingTypeDuringAllocationArrayWithUndecided, actualDeleteCount; if !result return JSValue::encodethrowOutOfMemoryErrorexec, scope; for unsigned k = 0; k initializeIndexvm, k, v; ... |JSArray::tryCreateForInitializationPrivate| will return an uninitialized...
Linux/x86 - XOR encoded execve(/bin/sh) setuid(0) setgid(0) Shellcode (66 bytes)
Linux/x86 - XOR encoded execve/bin/sh setuid0 setgid0 Shellcode 66 bytes. Shellcode exploit for Linx86 platform ;Title: Linux/x86 - 66 byte - execve/bin/sh - setuid0 - setgid0 - XOR encrypted ;Author: nullparasite ;Contact: [email protected] ;Category: Shellcode ;Architecture: Linux x86...
Linux/x86_64 - execve("/bin/sh") Shellcode (24 bytes)
Linux/x8664 - execve"/bin/sh" Shellcode 24 bytes. Shellcode exploit for Linx86-64 platform / ;Category: Shellcode ;Title: GNU/Linux x8664 - execve /bin/sh ;Author: m4n3dw0lf ;Github: https://github.com/m4n3dw0lf ;Date: 14/06/2017 ;Architecture: Linux x8664 ;Tested on : 1 SMP Debian 4.9.18-1...
Easy File Sharing Web Server 7.2 - 'POST' Remote Buffer Overflow (DEP Bypass)
!/usr/bin/python Exploit Title: Easy File Sharing Web Server 7.2 - 'POST' Buffer Overflow DEP Bypass with ROP Exploit Author: bl4ck h4ck3r Software Link: http://www.sharing-file.com/efssetup.exe Version: Easy File Sharing Web Server v7.2 Tested on: Windows XP SP2, Windows 2008 R2 x64 import socke...
Joomla! Component JoomRecipe 1.0.3 - SQL Injection
Exploit Title: Joomla! Component JoomRecipe 1.0.3 - SQL Injection Dork: N/A Date: 15.06.2017 Vendor : http://joomboost.com/ Software: https://extensions.joomla.org/extensions/extension/vertical-markets/food-a-beverage/joomrecipe/ Demo: http://demo-joomrecipe.joomboost.com/ Version: 1.0.3 Author:...
VX Search Enterprise 9.7.18 - Local Buffer Overflow
import os import struct author = ''' Created: ScrR1pTK1dd13 Name: Greg Priest Mail: [email protected] Exploit Title: VX Search Enterprise v9.7.18 Import Local Buffer Overflow Vuln. Date: 2017.06.15 Exploit Author: Greg Priest Version: VX Search Enterprise v9.7.18 Tested on: Windows7...
Avast aswSnx.sys Kernel Driver 11.1.2253 - Memory Corruption Privilege Escalation
/ Author: bee13oy BSoD on Windows 7 x86 / Windows 10 x86 + Avast Premier / Avast Free Antivirus 11.1.2253 Source: https://github.com/bee13oy/AVKernelVulns/tree/master/Avast/aswSnxBSoD2ZDI-16-681 There is a Memory Corruption Vulnerability in aswSnx.sys when DeviceIoControl API is called with ioctl...
Sudo 1.8.20 - 'get_process_ttyname()' Local Privilege Escalation
/ E-DB Note: http://www.openwall.com/lists/oss-security/2017/05/30/16 E-DB Note: http://seclists.org/oss-sec/2017/q2/470 LinuxsudoCVE-2017-1000367.c Copyright C 2017 Qualys, Inc. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public...
KBVault MySQL 0.16a - Arbitrary File Upload
Exploit Title: KBVault MySQL v0.16a - Unauthenticated File Upload to Run Code Google Dork: inurl:"FileExplorer/Explorer.aspx" Date: 2017-06-14 Exploit Author: Fatih Emiral Vendor Homepage: http://kbvaultmysql.codeplex.com/ Software Link: http://kbvaultmysql.codeplex.com/downloads/get/858806...
Google Chrome - V8 Private Property Arbitrary Code Execution
// Source: https://github.com/secmob/pwnfest2016/ function exploit function tohexnum return num0.toString16; function intarraytodoubleintarr var uBuf = new Uint32Array2; var dBuf = new Float64ArrayuBuf.buffer; uBuf0=intarr0; uBuf1=intarr1; return dBuf0; function strtodoublestr//leng of str must b...
HP PageWide Printers / HP OfficeJet Pro Printers (OfficeJet Pro 8210) - Arbitrary Code Execution
Create a bind shell on an unpatched OfficeJet 8210 Write a script to profile.d and reboot the device. When it comes back online then nc to port 1270. easysnmp instructions: sudo apt-get install libsnmp-dev pip install easysnmp import socket import sys from easysnmp import snmpset profiledscript =...
LG MRA58K - Missing Bounds-Checking in AVI Stream Parsing
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1206 Missing bounds-checking in AVI stream parsing When parsing AVI files, CAVIFileParser uses the stream count from the AVI header to allocate backing storage for storing metadata about the streams member variable maStream. Howeve...
LG MRA58K - 'ASFParser::ParseHeaderExtensionObjects' Missing Bounds-Checking
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1222 There is a memcpy in ASFParser::ParseHeaderExtensionObjects which doesn't check that the size of the copy is smaller than the size of the source buffer, resulting in an out-of-bounds heap read. The vulnerable code appears to b...
LG MRA58K - Out-of-Bounds Heap Read in CAVIFileParser::Destroy Resulting in Invalid Free
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1221 Similar to the previously reported issue 1206 , when parsing AVI files the CAVIFileParser object contains a fixed-size array of what appears to be pointer/length pairs, used I suppose to store the data for each stream. This is...
Easy MOV Converter 1.4.24 - 'Enter User Name' Local Buffer Overflow (SEH)
!/usr/bin/python Exploit Title: Easy MOV Converter 1.4.24 - 'Enter User Name' Field Buffer Overflow SEH Date: 13-06-2017 Exploit Author: @abatchy17 -- www.abatchy.com Vulnerable Software: Easy MOV Converter Vendor Homepage: http://www.divxtodvd.net/ Version: 1.4.24 Software Link:...
Easy File Sharing Web Server 7.2 - 'POST' Remote Buffer Overflow
!/usr/bin/python Title : EFS Web Server 7.2 POST HTTP Request Buffer Overflow Author : Touhid M.Shaikh Date : 12 June, 2017 Contact: [email protected] Version: 7.2 category: Remote Exploit Tested on: Windows XP SP3 EN Version 5.1.2600 """ Description What is Easy File Sharing Web Server 7....
Disk Pulse 9.7.26 - 'Add Directory' Local Buffer Overflow
!/usr/bin/python Exploit Title: Disk Pulse v9.7.26 - Add Directory Local Buffer Overflow Date: 12-06-2017 Exploit Author: abatchy17 -- @abatchy17 Vulnerable Software: Disk Pulse v9.7.26 Freeware, Pro, Ultimate Vendor Homepage: http://www.diskpulse.com/ Version: 9.7.14 Software Link:...
GStreamer gst-plugins-bad Plugin - NULL Pointer Dereference
Source: https://bugzilla.gnome.org/showbug.cgi?id=775120 The attached file will cause a null pointer access and segfault in the mpegts parser. Current git code, found with afl. ASAN stack trace: ================================================================= ==32545==ERROR: AddressSanitizer: SE...
Real Estate Classifieds Script - SQL Injection
Exploit Title: Real Estate Classifieds Script - SQL Injection Dork: N/A Date: 12.06.2017 Vendor : http://www.easyrealestatescript.com/ Software: http://www.easyrealestatescript.com/demo.html Demo: http://www.easyrealestatescript.com/demo.html Version: N/A Author: EziBilisim Author Web:...
WordPress Plugin WP Jobs < 1.5 - SQL Injection
Exploit Title: WordPress Plugin WP Jobs 1.5 - SQL Injection Date: 11-06-2017 Exploit Author: Dimitrios Tsagkarakis Website: dtsa.eu Software Link: https://en-gb.wordpress.org/plugins/wp-jobs/ Vendor Homepage: http://www.intensewp.com/ Version: 1.4 CVE : CVE-2017-9603 Category: webapps 1...
Logpoint < 5.6.4 - Root Remote Code Execution
Exploit Title: Unauthenticated remote root code execution on logpoint 5.6.4 Date: 11/06/17 Exploit Author: agix Vendor Homepage: https://www.logpoint.com Version: logpoint 5.6.4 Tested on: 5.6.2 Vendor contact 19/04 Exploit details sent to the vendor 24/04 Patch in test mode 05/05 Patch release t...
Easy File Sharing Web Server 7.2 - Authentication Bypass
Exploit Title: EFS Web Server 7.2 Authentication Bypass Date: 11-06-2017 Software Link: http://www.sharing-file.com/efssetup.exe Software Version : 7.2 Exploit Author: Touhid M.Shaikh Contact: http://twitter.com/touhidshaikh22 Website: http://touhidshaikh.com/ Description Video PoC and Article...
DiskBoss 8.0.16 - 'Input Directory' Local Buffer Overflow
!/usr/bin/python Exploit Title: DiskBoss v8.0.16 - Local Buffer Overflow Date: 11-06-2017 Exploit Author: @abatchy17 -- www.abatchy.com Vulnerable Software: DiskBoss v8.0.16 Freeware, Pro and Ultimate Vendor Homepage: http://www.disksorter.com/ Version: 8.0.16 Software Link:...
Sync Breeze 9.7.26 - 'Add Exclude Directory' Local Buffer Overflow
!/usr/bin/python Exploit Title: Sync Breeze v9.7.26 - Local Buffer Overflow Date: 11-06-2017 Exploit Author: @abatchy17 -- www.abatchy.com Vulnerable Software: Sync Breeze v9.7.26 Freeware, Pro and Ultimate Vendor Homepage: http://www.syncbreeze.com Version: 9.7.26 Software Link:...
VMware vSphere Data Protection 5.x/6.x - Java Deserialization
!/usr/bin/env python import socket import sys import ssl def getHeader: return '\x4a\x52\x4d\x49\x00\x02\x4b' def payload: cmd = sys.argv4 cmdlen = lencmd data2 =...
Disk Sorter 9.7.14 - 'Input Directory' Local Buffer Overflow
!/usr/bin/python Exploit Title: DiskSorter v9.7.14 - Local Buffer Overflow Date: 10-06-2017 Exploit Author: abatchy17 -- @abatchy17 Vulnerable Software: DiskSorter v9.7.14 Vendor Homepage: http://www.disksorter.com/ Version: 9.7.14 Software Link:...
eCom Cart 1.3 - SQL Injection
Exploit Title: eCom Cart 1.3 Exploit Google Dork: inurl:"/pdetails/11" 11 is variable Date: 10.06.2017 Exploit Author: Alperen Eymen Ozcan & Batuhan Camci Vendor Homepage: https://codecanyon.net/item/ecom-cart-a-php-shopping-cart-with-blog/13731007 Software Link:...
PaulShop - SQL Injection
Exploit Title: PaulShop CMS = 2017-03-25 Sql Injection Date: 10-06-2017 Exploit Author: Se0pHpHack3r Vendor Homepage: https://codecanyon.net/item/paulshop-cms-with-shopping-cart-system/18070714 Version: 2017-03-25 1. Description SQL Injection on Shipping Cost page in Cart, with "country" & "weigh...
nuevoMailer 6.0 - SQL Injection
Exploit Title: nuevoMailer version 6.0 and earlier time-based SQL Injection Exploit Author: ALEH BOITSAU Google Dork: inurl:/inc/rdr.php? Date: 2017-06-09 Vendor Homepage: https://www.nuevomailer.com/ Version: 6.0 and earlier Tested on: Linux CVE: CVE-2017-9730 Description: SQL injection...
Nuevomailer < 6.0 - SQL Injection
Exploit Title: Nuevo mailer version = 6.0 SQL Injection Exploit Author: ALEH BOITSAU Google Dork: inurl:/inc/rdr.php? Date: 2017-06-09 Vendor Homepage: https://www.nuevomailer.com/ Version: 6.0 and below Tested on: Linux Vulnerable script: rdr.php Vulnerable parameter: r PoC:...
EFS Easy Chat Server 3.1 - Password Reset
Exploit Title: Easy Chat Server Remote Password Reset Date: 09/10/2017 Software Link: http://echatserver.com/ecssetup.exe Exploit Author: Aitezaz Mohsin Vulnerable Version: v2.0 to v3.1 Vulnerability Type: Pre-Auth Remote Password Reset Severity: Critical...
EFS Easy Chat Server 3.1 - Remote Buffer Overflow (SEH)
Exploit Title: Easy Chat Server User Registeration Buffer Overflow SEH Date: 09/10/2017 Software Link: http://echatserver.com/ecssetup.exe Exploit Author: Aitezaz Mohsin Vulnerable Version: v2.0 to v3.1 Vulnerability Type: Buffer Overflow Severity: Critical Tested on: Windows XP Sp3 Eng...
Mapscrn 2.03 - Local Buffer Overflow (PoC)
Developed using Exploit Pack - http://exploitpack.com - Tested on: GNU/Linux - Kali 2017.1 Release Description: Mapscrn Part of setfont 2.0.3 The mapscrn command loads a user defined output character mapping table into the console driver. The console driver may be later put into use user-defined...
Uniview NVR - Password Disclosure
Uniview NVR remote passwords disclosure Author: B1t The Uniview NVR web application does not enforce authorizations on the main.cgi file when requesting json data. It says that you can do anything without authentication, however you must know the request structure. In addition, the users' passwor...
Apple macOS 10.12.3 / iOS < 10.3.2 - Userspace Entitlement Checking Race Condition
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1223 One way processes in userspace that offer mach services check whether they should perform an action on behalf of a client from which they have received a message is by checking whether the sender possesses a certain...
IPFire 2.19 - Remote Code Execution
Title : IPFire 2.19 Firewall Post-Auth RCE Date : 09/06/2017 Author : 0x09AL https://twitter.com/0x09AL Tested on: IPFire 2.19 x8664 - Core Update 110 Vendor : http://www.ipfire.org/ Software : http://downloads.ipfire.org/releases/ipfire-2.x/2.19-core110/ipfire-2.19.x8664-full-core110.iso...
libquicktime 1.2.4 - Denial of Service
libquicktime multiple vulnerabilities ================ Author : qflb.wu =============== Introduction: ============= The libquicktime package contains the libquicktime library, various plugins and codecs, along with graphical and command line utilities used for encoding and decoding QuickTime file...
libcroco 0.6.12 - Denial of Service
libcroco multiple vulnerabilities ================ Author : qflb.wu =============== Introduction: ============= Libcroco is a standalone css2 parsing and manipulation library. The parser provides a low level event driven SAC like api and a css object model like api. Libcroco provides a CSS2...
Apple macOS - Disk Arbitration Daemon Race Condition
!/bin/bash Sources: https://raw.githubusercontent.com/phoenhex/files/master/pocs/poc-mount.sh https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc if ! security authorize system.volume.internal.mount &/dev/null; then echo 2&1 "Cannot acquire system.volume.internal.mount right. This wil...
EFS Easy Chat Server 3.1 - Password Disclosure
Exploit Title: Easy Chat Server Remote Password Disclosure Date: 09/10/2017 Software Link: http://echatserver.com/ecssetup.exe Exploit Author: Aitezaz Mohsin Vulnerable Version: v2.0 to v3.1 Vulnerability Type: Pre-Auth Remote Password Disclosure Severity: Critical...
IDERA Uptime Monitor 7.8 - Multiple Vulnerabilities
Vulnerabilities Summary The following advisory describe three 3 vulnerabilities found in IDERA Uptime Monitor version 7.8. “IDERA Uptime Monitor is a Proactively monitor physical servers, virtual machines, network devices, applications, and services across multiple platforms running on-premise,...
Microsoft Windows - UAC Protection Bypass via FodHelper Registry Key (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core/exploit/exe' require 'msf/core/exploit/powershell' class MetasploitModule 'Windows UAC Protection Bypass Via FodHelper Registry Key', 'Description' = %q...
VMware Workstation 12 Pro - Denial of Service
/ Title: NULL pointer dereference vulnerability in vstor2 driver VMware Workstation Pro/Player CVE: 2017-4916 VMSA-2017-0009 Author: Borja Merino @BorjaMerino Date: May 18, 2017 Tested on: Windows 10 Pro and Windows 7 Pro SP1 with VMware® Workstation 12 Pro 12.5.5 build-5234757 Affected: VMware...
Craft CMS 2.6 - Cross-Site Scripting
Exploit Title: Craft CMS 2.6 - Cross-Site Scripting/Unrestricted File Upload Date: 2017-06-08 Exploit Author: Ahsan Tahir Vendor Homepage: https://craftcms.com Software Link: http://download.craftcdn.com/craft/2.6/2.6.2981/Craft-2.6.2981.zip Version: 2.6 Tested on: Kali Linux 2.0 | Windows 8.1...
Net Monitor for Employees Pro < 5.3.4 - Unquoted Service Path Privilege Escalation
Exploit Title: Unquoted Service Path Privilege Escalation - Net Monitor for Employees Pro gmail.com, saeid Nsecurity.org Linkedin: https://www.linkedin.com/in/saeidatabaki Vendor Homepage: http://networklookout.com/ Version: sc qc "Net Monitor for Employees Agent" SC QueryServiceConfig SUCCESS...