47904 matches found
TerraMaster F2-420 NAS TOS 3.0.30 - Root Remote Code Execution
Source: https://www.evilsocket.net/2017/05/30/Terramaster-NAS-Unauthenticated-RCE-as-root/ !/usr/bin/python coding: utf8 Exploit: Unauthenticated RCE as root. Vendor: TerraMaster Product: TOS import sys import requests def upload address, port, filename, path = '/usr/www/' : url =...
IBM Informix Dynamic Server / Informix Open Admin Tool - DLL Injection / Remote Code Execution / Heap Buffer Overflow
Vulnerabilities Summary The following advisory describes six 6 vulnerabilities found in Informix Dynamic Server and Informix Open Admin Tool. IBM Informix Dynamic Server Exceptional, low maintenance online transaction processing OLTP data server for enterprise and workgroup computing. IBM Informi...
Octopus Deploy - (Authenticated) Code Execution (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core/exploit/powershell' require 'json' class MetasploitModule 'Octopus Deploy Authenticated Code Execution', 'Description' = %q This module can be used to...
Microsoft MsMpEng - Multiple Crashes While Scanning Malformed Files
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1261 A detailed introduction to MsMpEng can be found in issue 1252 , so I will skip the background story here. Through fuzzing, we have discovered a number of ways to crash the service and specifically code in the mpengine.dll...
WordPress Plugin Huge-IT Video Gallery 2.0.4 - SQL Injection
DefenseCode ThunderScan SAST Advisory WordPress Huge-IT Video Gallery Plugin Security Vulnerability Advisory ID: DC-2017-01-009 Advisory Title: WordPress Huge-IT Video Gallery plugin SQL injection vulnerability Advisory URL: http://www.defensecode.com/advisories.php Software: WordPress Huge-IT...
Samba 3.5.0 < 4.4.14/4.5.10/4.6.4 - 'is_known_pipename()' Arbitrary Module Load (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Samba isknownpipename Arbitrary Module Load', 'Description' = %q This module triggers an arbitrary shared library load vulnerability in Samba...
CERIO DT-100G-N/DT-300N/CW-300N - Multiple Vulnerabilities
CERIO 11nbg 2.4Ghz High Power Wireless Router pekcmd Rootshell Backdoors Vendor: CERIO Corporation Product web page: http://www.cerio.com.tw Affected version: DT-100G-N fw: Cen-WR-G2H5 v1.0.6 DT-300N fw: Cen-CPE-N2H10A v1.0.14 DT-300N fw: Cen-CPE-N2H10A v1.1.6 CW-300N fw: Cen-CPE-N2H10A v1.0.22...
Home Web Server 1.9.1 (build 164) - Remote Code Execution
Exploit Title: Home Web Server 1.9.1 build 164 - CGI Remote Code Execution Date: 26/05/2017 Exploit Author: Guillaume Kaddouch Twitter: @gkweb76 Blog: https://networkfilter.blogspot.com GitHub: https://github.com/gkweb76/exploits Vendor Homepage: http://downstairs.dnsalias.net/ does not exist...
QWR-1104 Wireless-N Router - Cross-Site Scripting
Exploit Title: Aries QWR-1104 Wireless-N Router Execute JavaScript in Wireless Site Survey page. Date: 26-05-2017 Vendor Homepage : http://www.ariesnetworks.net/ Firmware Version: WRC.253.2.0913 Exploit Author: Touhid M.Shaikh Contact: http://twitter.com/touhidshaikh22 Website:...
Microsoft MsMpEng - Multiple Problems Handling ntdll!NtControlChannel Commands
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1260 MsMpEng includes a full system x86 emulator that is used to execute any untrusted files that look like PE executables. The emulator runs as NT AUTHORITY\SYSTEM and isn't sandboxed. Browsing the list of win32 APIs that the...
Google Chrome 60.0.3080.5 V8 JavaScript Engine - Out-of-Bounds Write
// Source: https://halbecaf.com/2017/05/24/exploiting-a-v8-oob-write/ // // v8 exploit for https://crbug.com/716044 var oobrw = null; var leak = null; var arbrw = null; var code = function return 1; code; class BuggyArray extends Array constructorlen super1; oobrw = new Array1.1, 1.1; leak = new...
JAD Java Decompiler 1.5.8e - Local Buffer Overflow
!/usr/bin/python Exploit Author: Juan Sacco at KPN Red Team - http://www.kpn.com Developed using Exploit Pack - http://exploitpack.com - Tested on: GNU/Linux - Kali 2017.1 Release Description: JAD Java Decompiler 1.5.8e-1kali1 and prior is prone to a stack-based buffer overflow vulnerability...
Apple WebKit / Safari 10.0.3(12602.4.8) - 'Editor::Command::execute' Universal Cross-Site Scripting
document-updateLayoutIgnorePendingStylesheets; return mcommand-executemframe, triggeringEvent, msource, parameter; This method is invoked under an |EventQueueScope|. But |updateLayoutIgnorePendingStylesheets| invokes |MediaQueryMatcher::styleResolverChanged| that directly calls |handleEvent| not...
WebKit - 'ContainerNode::parserInsertBefore' Universal Cross-Site Scripting
Sources: https://bugs.chromium.org/p/project-zero/issues/detail?id=1146 https://bugs.chromium.org/p/chromium/issues/detail?id=519558 VULNERABILITY DETAILS From /WebKit/Source/core/dom/ContainerNode.cpp: ---------------- void ContainerNode::parserInsertBeforePassRefPtrWillBeRawPtr newChild, Node&...
Apple WebKit / Safari 10.0.3(12602.4.8) - 'WebCore::FrameView::scheduleRelayout' Use-After-Free
let f = document.body.appendChilddocument.createElement'iframe'; let g = f.contentDocument.body.appendChilddocument.createElement'iframe'; g.contentWindow.onunload = = g.contentWindow.onunload = null; let h = f.contentDocument.body.appendChilddocument.createElement'iframe'; h.contentWindow.onunlo...
Sandboxie 5.18 - Local Denial of Service
author = ''' Created: ScrR1pTK1dd13 Name: Greg Priest Mail: [email protected] Exploit Title: Sandboxie version 5.18 local Dos Exploit Date: 2017.05.25 Exploit Author: Greg Priest Version: Sandboxie version 5.18 ... Released on 13 April 2017 Tested on: Windows7 x64 HUN/ENG Professiona...
WebKit - 'enqueuePageshowEvent' / 'enqueuePopstateEvent' Universal Cross-Site Scripting
view-frame.page; frame.tree.appendChildchildFrame-view-frame; childFrame-open; enqueuePageshowEventPageshowEventPersisted; HistoryItem historyItem = frame.loader.history.currentItem; if historyItem && historyItem-stateObject mdocument-enqueuePopstateEventhistoryItem-stateObject;...
WebKit - 'FrameLoader::clear' Stealing Variables via Page Navigation
pageCacheState != Document::InPageCache ... mframe.document-prepareForDestruction; removeFocusedNodeOfSubtreemframe.document; ... mframe.setDocumentnullptr; domWindow; Click anywhere. function createURLdata, type = 'text/html' return URL.createObjectURLnew Blobdata, type: type; window.onclick = =...
Mozilla Firefox < 53 - 'gfxTextRun' Out-of-Bounds Read
.class1 float: left; white-space: pre-line; .class2 border-bottom-style: solid; font-face: Arial; font-size: 7ex; function go menuitem.appendChilddocument.body.firstChild; canvas.toBlobcallback; function callback var s = menu.style; s.setProperty"flex-direction", "row-reverse"; option.scrollBy;...
Mozilla Firefox < 53 - 'ConvolvePixel' Memory Disclosure
/home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:2358 2 0x7f8d3fcd397d in alreadyAddRefed mozilla::...
Skia Graphics Library - Heap Overflow due to Rounding Error in SkEdge::setLine
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1155 Skia bug: https://bugs.chromium.org/p/skia/issues/detail?id=6294 There is a heap overflow in SkARGB32ShaderBlitter::blitH caused by a rounding error in SkEdge::setLine. To trigger the bug Skia needs to be compiled with...
WebKit - 'ContainerNode::parserRemoveChild' Universal Cross-Site Scripting
let xml = let p = document.querySelector'p'; let link = p.appendChilddocument.createElement'link'; link.rel = 'stylesheet'; link.href = 'data:,aaaaazxczxczzxzcz'; let btn = document.body.appendChilddocument.createElement'button'; btn.id = 'btn'; btn.onfocus = = btn.onfocus = null; window.d =...
Apple Safari 10.0.3(12602.4.8) / WebKit - 'HTMLObjectElement::updateWidget' Universal Cross-Site Scripting
url; ... if !allowedToLoadFrameURLurl return; ... bool beforeLoadAllowedLoad = guardedDispatchBeforeLoadEventurl; ... bool success = beforeLoadAllowedLoad && hasValidClassId; if success success = requestObjecturl, serviceType, paramNames, paramValues; ... bool...
Sophos Cyberoam - Cross-site scripting
Exploit Title: Sophos Cyberoam – Cross-site scripting XSS vulnerability Date: 25/05/2017 Exploit Author: Bhadresh Patel Version: = Firmware Version 10.6.4 CVE : CVE-2016-9834 This is an article with video tutorial for Sophos Cyberoam – Cross-site scripting XSS vulnerability...
Dup Scout Enterprise 9.7.18 - '.xml' Local Buffer Overflow
author = ''' Created: ScrR1pTK1dd13 Name: Greg Priest Mail: [email protected] Exploit Title: Dup Scout Enterprise v9.7.18 Import Local Buffer Overflow Vuln.SEH Date: 2017.05.24 Exploit Author: Greg Priest Version: Dup Scout Enterprise v9.7.18 Tested on: Windows7 x64 HUN/ENG...
NetGain EM 7.2.647 build 941 - Authentication Bypass / Local File Inclusion
''' Exploit Title: Add User Account with Admin Privilege without Login & Local File Inclusion Date: 2017-05-21 Exploit Author: f3ci Vendor Homepage: http://www.netgain-systems.com Software Link: http://www.netgain-systems.com/free-edition-download/ Version: = v7.2.647 build 941 Tested on: Windows...
Samba 3.5.0 - Remote Code Execution
!/usr/bin/env python Title : ETERNALRED Date: 05/24/2017 Exploit Author: steelo Vendor Homepage: https://www.samba.org Samba 3.5.0 - 4.5.4/4.5.10/4.4.14 CVE-2017-7494 import argparse import os.path import sys import tempfile import time from smb.SMBConnection import SMBConnection from smb import...
Apple macOS/iOS - 'CAMediaTimingFunctionBuiltin' NSKeyedArchiver Memory Corruption Due to Lack of Bounds Checking
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1175 CAMediaTimingFunctionBuiltin is a class in QuartzCore. Its initWithCoder: method reads an Int "index" then passes that to builtinfunction mov ebx, edi -- controlled unsigned int mov r14d, ebx lea r15, ZL9functions0 ; functions...
Apple macOS/iOS Kernel - Memory Disclosure Due to Lack of Bounds Checking in netagent Socket Option Handling
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1140 netagentctlsetopt is the setsockopt handler for netagent control sockets. Options of type NETAGENTOPTIONTYPEREGISTER are handled by netagenthandleregistersetopt. Here's the code: static errnot...
Apple macOS/iOS Kernel - Use-After-Free Due to Bad Locking in Unix Domain Socket File Descriptor Externalization
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1123 unpexternalize is responsible for externalizing the file descriptors carried within a unix domain socket message. That means allocating new fd table entries in the receiver and recreating a file which looks looks to userspac...
VX Search Enterprise 9.5.12 - GET Buffer Overflow (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'VX Search Enterprise GET Buffer Overflow', 'Description' = %q This module exploits a stack-based buffer overflow vulnerability in the web interfac...
Apple macOS - Lack of Bounds Checking in HIServices Custom CFObject Serialization Local Privilege Escalation
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1219 HIServices.framework is used by a handful of deamons and implements its own CFObject serialization mechanism. The entrypoint to the deserialization code is AXUnserializeCFType; it reads a type field and uses that to index an...
Apple macOS/iOS - NSUnarchiver Heap Corruption Due to Lack of Bounds Checking in [NSBuiltinCharacterSet initWithCoder:]
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1170 Via NSUnarchiver we can read NSBuiltinCharacterSet with a controlled serialized state. It reads a controlled int using decodeValueOfObjCType:"i" then either passes it to CFCharacterSetGetPredefined or uses it directly to...
Apple macOS/iOS - Memory Corruption Due to Bad Bounds Checking in NSCharacterSet Coding for NSKeyedUnarchiver
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1168 The dump today has this list of iOS stuff: https://wikileaks.org/ciav7p1/cms/page13205587.html Reading through this sounded interesting: """ Buffer Overflow caused by deserialization parsing error in Foundation library Sending...
Apple macOS/iOS - 'TIKeyboardLayout initWithCoder:' NSKeyedArchiver Heap Corruption Due to Rounding Error
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1172 Using lldb inside a simple helloworld app for iOS we can see that there are over 600 classes which we could get deserialized for persistance for example. The TextInput framework which is loaded has a class TIKeyboardLayout. Th...
Aerohive HiveOS 5.1r5 < 6.1r5 - Remote Code Execution
!/usr/bin/python3 TARGET: AeroHive AP340 HiveOS $cmd"; die; ?" URL of the login page where we will inject our PHP command exec code so it poisons the log file posturl= "/login.php5?version=6.1r2" postfields = "loginauth" : "1", "miniHiveUI" : "1", "userName" : payloadinject, "password" : "1234"...
Apple macOS - '32-bit syscall exit' Kernel Register Leak
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1149 The XNU kernel, when compiled for a x86-64 CPU, can run 32-bit x86 binaries in compatibility mode. 32-bit binaries use partly separate syscall entry and exit paths. To return to userspace, unixsyscall in...
Linux Kernel 4.11 - eBPF Verifier Log Leaks Lower Half of map Pointer
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1251 When the eBPF verifier kernel/bpf/verifier.c runs in verbose mode, it dumps all processed instructions to a user-accessible buffer in human-readable form using printbpfinsn. For instructions with class BPFLD and mode BPFIMM,...
VMware Workstation for Linux 12.5.2 build-4638234 - ALSA Configuration Host Local Privilege Escalation
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1142 This vulnerability permits an unprivileged user on a Linux machine on which VMWare Workstation is installed to gain root privileges. The issue is that, for VMs with audio, the privileged VM host process loads libasound, whic...
Apple macOS - 'stackshot' Raw Frame Pointers
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1164 This is an issue that allows unentitled root to read kernel frame pointers, which might be useful in combination with a kernel memory corruption bug. By design, the syscall stacksnapshotwithconfig permits unentitled root to du...
PlaySMS 1.4 - 'import.php' Remote Code Execution
Exploit Title: PlaySMS 1.4 Remote Code Execution using Phonebook import Function in import.php Date: 21-05-2017 Software Link: https://playsms.org/download/ Version: 1.4 Exploit Author: Touhid M.Shaikh Contact: http://twitter.com/touhidshaikh22 Website: http://touhidshaikh.com/ Category: webapps ...
Secure Auditor 3.0 - Directory Traversal
Credits: John Page aka HYP3RLINX + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/SECURE-AUDITOR-v3.0-DIRECTORY-TRAVERSAL.txt + ISR: ApparitionSec Vendor: ==================== www.secure-bytes.com Product: ===================== Secure Auditor - v3.0 Secure...
KMCIS CaseAware - Cross-Site Scripting
Exploit Title: CaseAware Cross Site Scripting Vulnerability Date: 20th May 2017 Exploit Author: justpentest Vendor Homepage: https://caseaware.com/ Version: All the versions Contact: [email protected] CVE : 2017-5631 Source:...
Mantis Bug Tracker 1.3.10/2.3.0 - Cross-Site Request Forgery
Credits: John Page a.k.a hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-CSRF-PERMALINK-INJECTION.txt + ISR: ApparitionSec Vendor: ================ www.mantisbt.org Product: ========= Mantis Bug Tracker 1.3.10 / v2.3.0 MantisBT...
Tecnovision DLX Spot - Authentication Bypass
Exploit Title: DlxSpot - Player4 LED video wall - Admin Interface SQL Injection Google Dork: "DlxSpot - Player4" Date: 2017-05-14 Discoverer: Simon Brannstrom Authors Website: https://unknownpwn.github.io/ Vendor Homepage: http://www.tecnovision.com/ Software Link: n/a Version: 1.5.10 Tested on:...
Tecnovision DLX Spot - SSH Backdoor Access
Exploit Title: DlxSpot - Player4 LED video wall - Hardcoded Root SSH Password. Google Dork: "DlxSpot - Player4" Date: 2017-05-14 Discoverer: Simon Brannstrom Authors Website: https://unknownpwn.github.io/ Vendor Homepage: http://www.tecnovision.com/ Software Link: n/a Version: All known versions...
Tecnovision DLX Spot - Arbitrary File Upload
Exploit Title: DlxSpot - Player4 LED video wall - Arbitrary File Upload to RCE Google Dork: "DlxSpot - Player4" Date: 2017-05-14 Discoverer: Simon Brannstrom Authors Website: https://unknownpwn.github.io/ Vendor Homepage: http://www.tecnovision.com/ Software Link: n/a Version: 1.5.10 Tested on:...
D-Link DIR-600M Wireless N 150 - Authentication Bypass
Exploit Title: D-Link DIR-600M Wireless N 150 Login Page Bypass Date: 19-05-2017 Software Link: http://www.dlink.co.in/products/?pid=DIR-600M Exploit Author: Touhid M.Shaikh Vendor : www.dlink.com Contact : http://twitter.com/touhidshaikh22 Version: Hardware version: C1 Firmware version: 3.04...
ManageEngine ServiceDesk Plus 9.0 - Authentication Bypass
Title: ManageEngine ServiceDesk Plus Application Compromise Date: 19 May 2017 Researcher: Steven Lackey ByteM3 Product: ServiceDesk Plus http://www.manageengine.com/ Affected Version: 9.0 Other versions could also be affected Fixed Version: Service Pack 9241 – Build 9.2 Vulnerability Impact: High...
Belden Garrettcom 6K/10K Switches - Authentication Bypass / Memory Corruption
Introduction ------------ Vulnerabilities were identified in the Belden GarrettCom 6K and 10KT Magnum series network switches. These were discovered during a black box assessment and therefore the vulnerability list should not be considered exhaustive; observations suggest that it is likely that...