BIND 9.10.5 - Unquoted Service Path Privilege Escalation
Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/BIND9-PRIVILEGE-ESCALATION.txt + ISR: ApparitionSec Vendor: =========== www.isc.org Product: =========== BIND9 v9.10.5 x86 / x64 BIND is open source software that enables you...
DNSTracer 1.8.1 - Buffer Overflow (PoC)
Exploit Title: DNSTracer Stack-based Buffer Overflow CVE: CVE-2017-9430 CWE: CWE-119 Exploit Author: Hosein Askari FarazPajohan Vendor HomePage: http://www.mavetju.org Version : 1.8.1 Tested on: Parrot OS Date: 04-06-2017 Category: Application Author Mail : [email protected] Description:...
Wireshark 2.2.6 - IPv6 Dissector Denial of Service
Build Information: TShark Wireshark 2.3.0 v2.3.0rc0-3369-g2e2ba64b72 Copyright 1998-2017 Gerald Combs and contributors. License GPLv2+: GNU GPL version 2 or later This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A...
Parallels Desktop - Virtual Machine Escape
Title: Parallels Desktop - Virtual Machine Escape + Product: Parallels + Vendor: http://www.parallels.com/products/desktop/ + Affected Versions: All Version Author : Mohammad Reza Espargham Linkedin : https://ir.linkedin.com/in/rezasp E-Mail : meatrezadotes , reza.esparghamatgmaildotcom Website :...
WordPress Plugin Event List < 0.7.8 - SQL Injection
Exploit Title: WordPress Plugin Event List = 0.7.8 - SQL Injection Date: 04-06-2017 Exploit Author: Dimitrios Tsagkarakis Website: dtsa.eu Software Link: https://wordpress.org/plugins/event-list/ Version: 0.7.8 CVE : CVE-2017-9429 Category: webapps 1. Description: SQL injection vulnerability in t...
EnGenius EnShare IoT Gigabit Cloud Service 1.4.11 - Remote Code Execution
#!/usr/bin/env python # coding: utf8 EnGenius EnShare IoT Gigabit Cloud Service 1.4.11 Root Remote Code Execution Vendor: EnGenius Technologies Inc. Product web page: https://www.engeniustech.com Affected version: ESR300 1.4.9, 1.4.7, 1.4.2, 1.4.1.28, 1.4.0, 1.3.1.42, 1.1.0.28 ESR350 1.4.11, 1.4.9,...
WordPress Plugin WP-Testimonials < 3.4.1 - SQL Injection
Exploit Title: WP-Testimonials 3.4.1 Union Based SQL Injection Date: 03-06-2017 Exploit Author: Dimitrios Tsagkarakis Website: dtsa.eu Software Link: https://en-gb.wordpress.org/plugins/wp-testimonials/ Vendor Homepage: http://www.sunfrogservices.com/web-programmer/wp-testimonials/ Version: 3.4.1...
Joomla! Component Payage 2.05 - 'aid' SQL Injection
Exploit Title: Joomla Payage 2.05 - SQL Injection Exploit Author: Persian Hack Team Discovered by : Mojtaba MobhaM Mojtaba Kazemi Vendor Home : https://extensions.joomla.org/extensions/extension/e-commerce/payment-systems/payage/ My Home : http://persian-team.ir/ Google Dork :...
Disk Sorter 9.7.14 - 'Input Directory' Local Buffer Overflow (PoC)
#!/usr/bin/python Exploit Title: DiskSorter v9.7.14 - Input Directory Local Buffer Overflow - PoC Date: 25 May 2017 Exploit Author: n3ckD Vendor Homepage: http://www.disksorter.com/ Software Link: http://www.disksorter.com/setups/disksortersetupv9.7.14.exe Version: Disk Sorter v9.7.14 32-Bit Teste...
HPE Intelligent Management Center (iMC) 7.2 (E0403P10) - Code Execution
Vulnerability Summary The following advisory describes a Stack Buffer Overflow vulnerability found in HPE Intelligent Management Center version v7.2 E0403P10 Enterprise, this vulnerability leads to an exploitable remote code execution. HPE Intelligent Management Center iMC delivers comprehensive...
Sungard eTRAKiT3 <= 3.2.1.17 - SQL Injection
Software: Sungard eTRAKiT3 Version: 3.2.1.17 and possibly lower CVE: CVE-2016-6566 https://www.kb.cert.org/vuls/id/846103 Vulnerable Component: Login page Description ================ The login form is vulnerable to blind SQL injection by an unauthenticated user. Vulnerabilities ================...
reiserfstune 3.6.25 - Local Buffer Overflow
Title: reiserfstune 3.6.25 – Local Buffer Overflow + Credits / Discovery: Nassim Asrir + Author Contact: [email protected] || https://www.linkedin.com/in/nassim-asrir-b73a57122/ + Author Company: Henceforth + CVE: N/A - Download -...
WebKit JSC - 'JSObject::ensureLength' ensureLengthSlow Check Failure
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1165 Here's a snippet of JSObject::ensureLength. bool WARNUNUSEDRETURN ensureLengthVM& vm, unsigned length ASSERTlength vectorLength publicLength setPublicLengthlength; return result; |setPublicLength| is called whether...
WebKit - 'Element::setAttributeNodeNS' Use-After-Free
Element::setAttributeNodeNSAttr& attrNode ... setAttributeInternalindex, attrNode.qualifiedName, attrNode.value, NotInSynchronizationOfLazyAttribute; attrNode.attachToElementthis; treeScope.adoptIfNeededattrNode; ensureAttrNodeListForElementthis.append&attrNode; return WTFMoveoldAttrNode;...
CMS Web-Gooroo < 1.141 - Multiple Vulnerabilities
Exploit Title: CMS Web-Gooroo getmegaadmin; 2d626704807d4c5be1b46e85c4070fec - mayhem 2967a371178d713d3898957dd44786af - no success in bruteforce, though... 3. Full path disclosure Almost any file, because of lack of input validation and overall bad design. CMS log file besides DB log location wi...
WebKit - 'CachedFrameBase::restore' Universal Cross-Site Scripting
Click anywhere... function createURLdata, type = 'text/html' return URL.createObjectURLnew Blobdata, type: type; function navigatew, url let a = w.document.createElement'a'; a.href = url; a.click; window.onclick = = window.w = open'about:blank', 'w', 'width=500, height=500'; let i0 =...
WebKit - CachedFrame does not Detach Openers Universal Cross-Site Scripting
tree.parent; Frame openerFrame = mframe-loader.opener; Frame ownerFrame = parentFrame; if !ownerFrame ownerFrame = openerFrame; if !ownerFrame didFailToInitializeSecurityOrigin; return; ... setCookieURLownerFrame-document-cookieURL; // We alias the SecurityOrigins to match Firefox, see Bug 15313 ...
WebKit JSC - Incorrect Check in emitPutDerivedConstructorToArrowFunctionContextScope
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1173 When a super expression is used in an arrow function, the following code, which generates bytecode, is called. if needsToUpdateArrowFunctionContext && !codeBlock-isArrowFunction bool canReuseLexicalEnvironment =...
WebKit - 'Document::prepareForDestruction' / 'CachedFrame' Universal Cross-Site Scripting
Click anywhere. function createURLdata, type = 'text/html' return URL.createObjectURLnew Blobdata, type: type; function waitForcheck, cb let it = setInterval = if check clearIntervalit; cb; , 10; window.onclick = = window.onclick = null; w = opencreateURL'', '', 'width=500, height=500'; w.onload ...
Riverbed SteelHead VCX 9.6.0a - Arbitrary File Read
Exploit title : Arbitrary file reading by authenticated users on Riverbed SteelHead VCX Vendor: Riverbed Author: Gregory DRAPERI Date: 03/2017 Software Link: https://www.riverbed.com/gb/products/steelhead/Free-90-day-Evaluation-SteelHead-CX-Virtual-Edition.html Version: SteelHead VCX VCX255U x8664...
OV3 Online Administration 3.0 - SQL Injection
OV3 Online Administration 3.0 Multiple Unauthenticated SQL Injection Vulnerabilities Vendor: novaCapta Software & Consulting GmbH Product web page: http://www.meacon.de Affected version: 3.0 Summary: With the decision to use the OV3 as a platform for your data management, the course is set for...
Piwigo Plugin Facetag 0.0.3 - Cross-Site Scripting
Exploit Title: Piwigo plugin Facetag , Persistent XSS Date: 31-05-2017 Extension Version: 0.0.3 Software Link: http://piwigo.org/basics/downloads Extension link : http://piwigo.org/ext/extensionview.php?eid=845 Exploit Author: Touhid M.Shaikh Contact: http://twitter.com/touhidshaikh22 Website:...
OV3 Online Administration 3.0 - Remote Code Execution
<!-- OV3 Online Administration 3.0 Authenticated Code Execution Vendor: novaCapta Software & Consulting GmbH Product web page: http://www.meacon.de Affected version: 3.0 Summary: With the decision to use the OV3 as a platform for your data management, the course is set for scalable, flexible and...
OV3 Online Administration 3.0 - Directory Traversal
OV3 Online Administration 3.0 Parameter Traversal Arbitrary File Access PoC Exploit Vendor: novaCapta Software & Consulting GmbH Product web page: http://www.meacon.de Affected version: 3.0 Summary: With the decision to use the OV3 as a platform for your data management, the course is set for...
TerraMaster F2-420 NAS TOS 3.0.30 - Root Remote Code Execution
Source: https://www.evilsocket.net/2017/05/30/Terramaster-NAS-Unauthenticated-RCE-as-root/ #!/usr/bin/python # coding: utf8 Exploit: Unauthenticated RCE as root. Vendor: TerraMaster Product: TOS import sys import requests def upload address, port, filename, path = '/usr/www/' : url =...
Piwigo Plugin Facetag 0.0.3 - SQL Injection
Exploit Title: Facetag Extension in Piwigo, Multiple SQL injection Date: 30-05-2017 Extension Version: 0.0.3 Software Link: http://piwigo.org/basics/downloads Extension link : http://piwigo.org/ext/extensionview.php?eid=845 Exploit Author: Touhid M.Shaikh Contact: http://twitter.com/touhidshaikh2...
Microsoft MsMpEng - Use-After-Free via Saved Callers
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1259 In JsRuntimeState::setCaller, it saves the current caller in the JsRuntimeState objectrcx+158h in 64-bit. But the garbage collector doesn't mark this saved value. So it results in a UAF. Unlike in our test environmentLinux, it...
Microsoft MsMpEng - Remote Use-After-Free Due to Design Issue in GC Engine
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1258 MsMpEng's JS engine uses garbage collection to manage the lifetime of Javascript objects. During mark and sweep the GC roots the vectors representing the JS stack as well as a few other hardcoded objects, traversing reachable...
IBM Informix Dynamic Server / Informix Open Admin Tool - DLL Injection / Remote Code Execution / Heap Buffer Overflow
Vulnerabilities Summary The following advisory describes six 6 vulnerabilities found in Informix Dynamic Server and Informix Open Admin Tool. IBM Informix Dynamic Server Exceptional, low maintenance online transaction processing OLTP data server for enterprise and workgroup computing. IBM Informi...
uc-http Daemon - Local File Inclusion / Directory Traversal
KEMP LoadMaster 7.135.0.13245 - Persistent Cross-Site Scripting / Remote Code Execution
Vulnerability Summary KEMP’s main product, the LoadMaster, is a load balancer built on its own proprietary software platform called LMOS, that enables it to run on almost any platform: As a KEMP LoadMaster appliance, a Virtual LoadMaster VLM deployed on HyperV, VMWare, on bare metal or in the...
TiEmu 2.08 - Local Buffer Overflow
#!/usr/bin/python Exploit Author: Juan Sacco at KPN Red Team - http://www.kpn.com Developed using Exploit Pack - http://exploitpack.com - Tested on: Windows 7 32 bits Description: TiEmu Texas Instrument Emulator 2.08 and prior is prone to a stack-based buffer overflow vulnerability because the...
Trend Micro Deep Security 6.5 - XML External Entity Injection / Local Privilege Escalation / Remote Code Execution
The following advisory describes three 3 vulnerabilities found in Trend Micro Deep Security version 6.5. “The Trend Micro Hybrid Cloud Security solution, powered by XGen security, delivers a blend of cross-generational threat defense techniques that have been optimized to protect physical,...
Octopus Deploy - (Authenticated) Code Execution (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core/exploit/powershell' require 'json' class MetasploitModule 'Octopus Deploy Authenticated Code Execution', 'Description' = %q This module can be used to...
WordPress Plugin Huge-IT Video Gallery 2.0.4 - SQL Injection
DefenseCode ThunderScan SAST Advisory WordPress Huge-IT Video Gallery Plugin Security Vulnerability Advisory ID: DC-2017-01-009 Advisory Title: WordPress Huge-IT Video Gallery plugin SQL injection vulnerability Advisory URL: http://www.defensecode.com/advisories.php Software: WordPress Huge-IT...
Microsoft MsMpEng - Multiple Crashes While Scanning Malformed Files
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1261 A detailed introduction to MsMpEng can be found in issue 1252 , so I will skip the background story here. Through fuzzing, we have discovered a number of ways to crash the service and specifically code in the mpengine.dll...
Samba 3.5.0 < 4.4.14/4.5.10/4.6.4 - 'is_known_pipename()' Arbitrary Module Load (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Samba isknownpipename Arbitrary Module Load', 'Description' = %q This module triggers an arbitrary shared library load vulnerability in Samba...
CERIO DT-100G-N/DT-300N/CW-300N - Multiple Vulnerabilities
CERIO 11nbg 2.4Ghz High Power Wireless Router pekcmd Rootshell Backdoors Vendor: CERIO Corporation Product web page: http://www.cerio.com.tw Affected version: DT-100G-N fw: Cen-WR-G2H5 v1.0.6 DT-300N fw: Cen-CPE-N2H10A v1.0.14 DT-300N fw: Cen-CPE-N2H10A v1.1.6 CW-300N fw: Cen-CPE-N2H10A v1.0.22...
Home Web Server 1.9.1 (build 164) - Remote Code Execution
Exploit Title: Home Web Server 1.9.1 build 164 - CGI Remote Code Execution Date: 26/05/2017 Exploit Author: Guillaume Kaddouch Twitter: @gkweb76 Blog: https://networkfilter.blogspot.com GitHub: https://github.com/gkweb76/exploits Vendor Homepage: http://downstairs.dnsalias.net/ does not exist...
Google Chrome 60.0.3080.5 V8 JavaScript Engine - Out-of-Bounds Write
// Source: https://halbecaf.com/2017/05/24/exploiting-a-v8-oob-write/ // // v8 exploit for https://crbug.com/716044 var oobrw = null; var leak = null; var arbrw = null; var code = function return 1; code; class BuggyArray extends Array constructorlen super1; oobrw = new Array1.1, 1.1; leak = new...
Microsoft MsMpEng - Multiple Problems Handling ntdll!NtControlChannel Commands
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1260 MsMpEng includes a full system x86 emulator that is used to execute any untrusted files that look like PE executables. The emulator runs as NT AUTHORITY\SYSTEM and isn't sandboxed. Browsing the list of win32 APIs that the...
QWR-1104 Wireless-N Router - Cross-Site Scripting
Exploit Title: Aries QWR-1104 Wireless-N Router Execute JavaScript in Wireless Site Survey page. Date: 26-05-2017 Vendor Homepage : http://www.ariesnetworks.net/ Firmware Version: WRC.253.2.0913 Exploit Author: Touhid M.Shaikh Contact: http://twitter.com/touhidshaikh22 Website:...
JAD Java Decompiler 1.5.8e - Local Buffer Overflow
#!/usr/bin/python Exploit Author: Juan Sacco at KPN Red Team - http://www.kpn.com Developed using Exploit Pack - http://exploitpack.com - Tested on: GNU/Linux - Kali 2017.1 Release Description: JAD Java Decompiler 1.5.8e-1kali1 and prior is prone to a stack-based buffer overflow vulnerability...
WebKit - 'enqueuePageshowEvent' / 'enqueuePopstateEvent' Universal Cross-Site Scripting
view-frame.page; frame.tree.appendChildchildFrame-view-frame; childFrame-open; enqueuePageshowEventPageshowEventPersisted; HistoryItem historyItem = frame.loader.history.currentItem; if historyItem && historyItem-stateObject mdocument-enqueuePopstateEventhistoryItem-stateObject;...
Sophos Cyberoam - Cross-site scripting
Exploit Title: Sophos Cyberoam – Cross-site scripting XSS vulnerability Date: 25/05/2017 Exploit Author: Bhadresh Patel Version: = Firmware Version 10.6.4 CVE : CVE-2016-9834 This is an article with video tutorial for Sophos Cyberoam – Cross-site scripting XSS vulnerability...
Apple WebKit / Safari 10.0.3(12602.4.8) - 'WebCore::FrameView::scheduleRelayout' Use-After-Free
let f = document.body.appendChilddocument.createElement'iframe'; let g = f.contentDocument.body.appendChilddocument.createElement'iframe'; g.contentWindow.onunload = = g.contentWindow.onunload = null; let h = f.contentDocument.body.appendChilddocument.createElement'iframe'; h.contentWindow.onunlo...
Mozilla Firefox < 53 - 'ConvolvePixel' Memory Disclosure
/home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:2358 2 0x7f8d3fcd397d in alreadyAddRefed mozilla::...
Mozilla Firefox < 53 - 'gfxTextRun' Out-of-Bounds Read
.class1 float: left; white-space: pre-line; .class2 border-bottom-style: solid; font-face: Arial; font-size: 7ex; function go menuitem.appendChilddocument.body.firstChild; canvas.toBlobcallback; function callback var s = menu.style; s.setProperty"flex-direction", "row-reverse"; option.scrollBy;...
Apple WebKit / Safari 10.0.3(12602.4.8) - 'Editor::Command::execute' Universal Cross-Site Scripting
document-updateLayoutIgnorePendingStylesheets; return mcommand-executemframe, triggeringEvent, msource, parameter; This method is invoked under an |EventQueueScope|. But |updateLayoutIgnorePendingStylesheets| invokes |MediaQueryMatcher::styleResolverChanged| that directly calls |handleEvent| not...
Skia Graphics Library - Heap Overflow due to Rounding Error in SkEdge::setLine
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1155 Skia bug: https://bugs.chromium.org/p/skia/issues/detail?id=6294 There is a heap overflow in SkARGB32ShaderBlitter::blitH caused by a rounding error in SkEdge::setLine. To trigger the bug Skia needs to be compiled with...