47904 matches found
Sure Thing Disc Labeler 6.2.138.0 - Buffer Overflow (PoC)
Exploit Title: Sure Thing Disc Labeler - Stack Buffer Overflow PoC Date: 5-19-17 Exploit Author: Chance Johnson [email protected] Vendor Homepage: http://www.surething.com/ Software Link: http://www.surething.com/disclabeler Version: 6.2.138.0 Tested on: Windows 7 x64 / Windows 10 Usage: Ope...
SAP Business One for Android 1.2.3 - XML External Entity Injection
Exploit Title: Blind XXE XML External Entityin SAP Date of Disclosure: 17/05/2017 Author: Ravindra Singh Rathore Vendor Homepage: https://www.sap.com/products/business-one.html Product - SAP Business One Android Application Version - 1.2.3 Security Note: 2378065 CVE - CVE-2016-6256 CVSS - 6.5 XXE...
Joomla! 3.7.0 - 'com_fields' SQL Injection
Exploit Title: Joomla 3.7.0 - Sql Injection Date: 05-19-2017 Exploit Author: Mateus Lino Reference: https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html Vendor Homepage: https://www.joomla.org/ Version: = 3.7.0 Tested on: Win, Kali Linux x64, Ubuntu, Manjaro and Arch Linux...
Oracle PeopleSoft - Server-Side Request Forgery
Application: Oracle PeopleSoft Versions Affected: ToolsRelease: 8.55.03; ToolsReleaseDB: 8.55; PeopleSoft HCM 9.2 Vendor URL: http://oracle.com Bugs: SSRF Reported: 23.12.2016 Vendor response: 24.12.2016 Date of Public Advisory: 18.04.2017 Reference: Oracle CPU April 2017 Author: Roman Shalymov...
PlaySMS 1.4 - Remote Code Execution
Exploit Title: PlaySMS 1.4 Remote Code Execution to Poisoning admin log Date: 19-05-2017 Software Link: https://playsms.org/download/ Version: 1.4 Exploit Author: Touhid M.Shaikh Contact: http://twitter.com/touhidshaikh22 Website: http://touhidshaikh.com/ Category: webapps 1. Description Remote...
KDE 4/5 - 'KAuth' Local Privilege Escalation
// cc -Wall smb0k.c -pedantic -std=c11 // // smb4k PoC, also demonstrating broader scope of a generic kde // authentication bypass vulnerability // // C 2017 Sebastian Krahmer // define POSIXCSOURCE 200112L include include include include include include include include include void dieconst char...
Oracle PeopleSoft Enterprise PeopleTools < 8.55 - Remote Code Execution Via Blind XML External Entity
!/usr/bin/python3 Oracle PeopleSoft SYSTEM RCE https://www.ambionics.io/blog/oracle-peoplesoft-xxe-to-rce cf 2017-05-17 import requests import urllib.parse import re import string import random import sys from requests.packages.urllib3.exceptions import InsecureRequestWarning...
Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)
!/usr/bin/python from impacket import smb, ntlm from struct import pack import sys import socket ''' EternalBlue exploit for Windows 8 and 2012 by sleepya The exploit might FAIL and CRASH a target system depended on what is overwritten The exploit support only x64 target EDB Note: Shellcode - x64...
Oracle PeopleSoft - XML External Entity to SYSTEM Remote Code Execution
!/usr/bin/python3 Oracle PeopleSoft SYSTEM RCE https://www.ambionics.io/blog/oracle-peoplesoft-xxe-to-rce cf 2017-05-17 import requests import urllib.parse import re import string import random import sys from requests.packages.urllib3.exceptions import InsecureRequestWarning...
INFOR EAM 11.0 Build 201410 - Persistent Cross-Site Scripting via Comment Fields
Stored XSS in INFOR EAM V11.0 Build 201410 via comment fields ------------------- Assigned CVE: CVE-2017-7953 Reproduction steps: ------------------- 1. Log in with your EAM account 2. Go to the jobs page 3. Click on a record and open its page 4. Go to "Comments" tab 4. Click the add new comment...
WordPress Plugin PHPMailer 4.6 - Host Header Command Injection (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'WordPress PHPMailer Host Header Command Injection', 'Description' = %q This module exploits a command injection vulnerability in WordPress version...
Apple iOS < 10.3.2 - Notifications API Denial of Service
Exploit Title: Apple iOS 10.3.2 - Notifications API Denial of Service Date: 05-15-2017 Exploit Author: Sem Voigtländer @OxFEEDFACE, Vincent Desmurs @vincedes3 and Joseph Shenton Vendor Homepage: https://apple.com Software Link: https://support.apple.com/en-us/HT207798 Version: iOS 10.3.2 Tested o...
Adobe Flash - Out-of-Bounds Read in Getting TextField Width
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1211 The attached swf causes an out-of-bounds read in getting the width of a TextField. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42019.zip...
Serviio Media Server - checkStreamUrl Command Execution (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule /Restlet-Framework/ include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager def initializeinfo = superupdateinfoinfo, 'Name' =...
Adobe Flash - AVC Deblocking Out-of-Bounds Read
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1171 The attached swf triggers an out-of-bounds read in AVC deblocking. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42017.zip...
Dup Scout Enterprise 9.5.14 - GET Buffer Overflow (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class MetasploitModule 'Dup Scout Enterprise GET Buffer Overflow', 'Description' = %q This module exploits a stack-based buffer overflow vulnerability ...
Microsoft Windows - Running Object Table Register ROTFLAGS_ALLOWANYCLIENT Privilege Escalation
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1112 Windows: Running Object Table Register ROTFLAGSALLOWANYCLIENT EoP Platform: Windows 10 10586/14393 not tested 8.1 Update 2 or Windows 7 Class: Elevation of Privilege Summary: By setting an appropriate AppID it’s possible for a...
Adobe Flash - Margin Handling Heap Corruption
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1174 The attached fuzzed swf causes a crash due to heap corruption when processing the margins of a rich text field. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42018.zip...
Microsoft Windows - COM Aggregate Marshaler/IRemUnknown2 Type Confusion Privilege Escalation
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1107 Windows: COM Aggregate Marshaler/IRemUnknown2 Type Confusion EoP Platform: Windows 10 10586/14393 not tested 8.1 Update 2 Class: Elevation of Privilege Summary: When accessing an OOP COM object using IRemUnknown2 the local...
Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)
!/usr/bin/python from impacket import smb from struct import pack import sys import socket ''' EternalBlue exploit for Windows 7/2008 by sleepya The exploit might FAIL and CRASH a target system depended on what is overwritten EDB Note: Shellcode - x64...
Mozilla Firefox 50 < 55 - Stack Overflow Denial of Service
function done var x = ''; for i=0; i'; var uri = 'data:image/svg+xml,' + x; var i = new Image; i.src = uri; !-- Visiting https://bugzilla.mozilla.org/attachment.cgi?id=8817075 may likely crash your browser tab. Debug Information: ============== ff4.1108: Stack overflow - code c00000fd first chanc...
INFOR EAM 11.0 Build 201410 - 'filtervalue' SQL Injection
SQL injection in INFOR EAM V11.0 Build 201410 search fields web/base/.. via filtervalue parameter ------------------- Assigned CVE: CVE-2017-7952 Reproduction steps: ------------------- 1. Log in with your EAM account 2. Go to any page with a search or filter field in it for example...
BuilderEngine 3.5.0 - Arbitrary File Upload and Execution (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "BuilderEngine Arbitrary File Upload Vulnerability and execution", 'Description' = %q This module exploits a vulnerability found in BuilderEngine...
Microsoft Windows 10 Kernel - 'nt!NtTraceControl (EtwpSetProviderTraits)' Pool Memory Disclosure
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1161 We have discovered that the handler of the nt!NtTraceControl system call specifically the EtwpSetProviderTraitsUm functionality, opcode 0x1E discloses portions of uninitialized pool memory to user-mode clients on Windows 10...
Mailcow 0.14 - Cross-Site Request Forgery
Credits: John Page a.k.a hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/MAILCOW-v0.14-CSRF-PASSWORD-RESET-ADD-ADMIN.txt + ISR: ApparitionSec Vendor: ============= mailcow.email mailcow.github.io Product: =========== The integrated mailcow UI...
Quest Privilege Manager - pmmasterd Buffer Overflow (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Quest Privilege Manager pmmasterd Buffer Overflow', 'Description' = %q This modules exploits a buffer overflow in the Quest Privilege Manager, a...
Microsoft Windows 7 Kernel - 'win32k!xxxClientLpkDrawTextEx' Stack Memory Disclosure
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1182 We have discovered that it is possible to disclose portions of uninitialized kernel stack memory to user-mode applications in Windows 7 other platforms untested indirectly through the win32k!NtUserCreateWindowEx system call...
LabF nfsAxe 3.7 FTP Client - Remote Buffer Overflow (SEH)
!/usr/bin/python print "LabF nfsAxe 3.7 FTP Client Buffer Overflow SEH" print "Author: Tulpa / tulpaattulpa-securitydotcom" Author website: www.tulpa-security.com Author twitter: @tulpasecurity Tested on Windows Vista x86 import socket import sys badchars \x00\x10\x0a buf = "" buf +=...
Microsoft Windows 7 Kernel - Pool-Based Out-of-Bounds Reads Due to bind() Implementation Bugs in afd.sys / tcpip.sys
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1127 We have identified two related bugs in Windows kernel code responsible for implementing the bind socket function, specifically in the afd!AfdBind and tcpip!TcpBindEndpoint routines. They both can lead to reading beyond the...
Microsoft Windows 7 Kernel - Uninitialized Memory in the Default dacl Descriptor of System Processes Token
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1145 We have observed on Windows 7 32-bit that for unclear reasons, the kernel-mode structure containing the default DACL of system processes' tokens lsass.exe, services.exe, ... has 8 uninitialized bytes at the end, as the size ...
PlaySMS 1.4 - '/sendfromfile.php' Remote Code Execution / Unrestricted File Upload
Exploit Title: PlaySMS 1.4 Code Execution using $filename and Unrestricted File Upload in sendfromfile.php Date: 14-05-2017 Software Link: https://playsms.org/download/ Version: 1.4 Exploit Author: Touhid M.Shaikh Contact: http://twitter.com/touhidshaikh22 Website: http://touhidshaikh.com/...
Larson VizEx Reader 9.7.5 - Local Buffer Overflow (SEH)
!/usr/bin/python Exploit Title : Larson VizEx Reader 9.7.5 - Local Buffer Overflow SEH Date : 14/05/2017 Exploit Author : Muhann4d CVE : CVE-2017-8927 Vendor Homepage : http://www.cgmlarson.com/ Software Link : http://download.freedownloadmanager.org/Windows-PC/Larson-VizEx-Reader/FREE-9.7.5.html...
Halliburton LogView Pro 10.0.1 - Local Buffer Overflow (SEH)
!/usr/bin/python Exploit Title : Halliburton LogView Pro 10.0.1 - Local Buffer Overflow SEH Date : 2017-05-14 Exploit Author : Muhann4d CVE : CVE-2017-8926 Vendor Homepage : http://www.halliburton.com Software Link :...
Dive Assistant Template Builder 8.0 - XML External Entity Injection
Exploit Title: Dive Assistant - Template Builder XXE Injection + Date: 12-05-2017 + Exploit Author: Trent Gordon + Vendor Homepage: http://www.blackwave.com/ + Software Link: http://www.diveassistant.com/Products/DiveAssistantDesktop/index.aspx + Version: 8.0 + Tested on: Windows 7 SP1, Windows...
MiniUPnP MiniUPnPc < 2.0 - Remote Denial of Service
VuNote ====== Author: Ref: https://github.com/tintinweb/pub/tree/master/pocs/cve-2017-8798 Version: 0.6 Date: May 1st, 2017 Tag: miniupnpc getHTTPResponse chunked encoding integer signedness error Overview -------- Name: miniupnpc Vendor: Thomas Bernard References: http://miniupnp.free.fr/ 1...
Vanilla Forums < 2.3 - Remote Code Execution
!/bin/bash / / / / / / / / / / / / / / / / / / // / / / /// / / / / // / // / // / / / / // / // , / / / ///, /,// // //,///||// // // Vanilla Forums = 2.3 Remote Code Execution RCE PoC Exploit 0day Core version no plugins, default config. CVE-2016-10033 RCE CVE-2016-10073 Header Injection...
Linux Kernel 4.8.0-41-generic (Ubuntu) - Packet Socket Local Privilege Escalation
// A proof-of-concept local root exploit for CVE-2017-7308. // Includes a SMEP & SMAP bypass. // Tested on 4.8.0-41-generic Ubuntu kernel. // https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-7308 // // Usage: // user@ubuntu:$ uname -a // Linux ubuntu 4.8.0-41-generic 4416.04.1-Ubuntu...
Microsoft IIS - WebDav 'ScStoragePathFromUrl' Remote Overflow (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule ' Microsoft IIS WebDav ScStoragePathFromUrl Overflow', 'Description' = %q Buffer overflow in the ScStoragePathFromUrl function in the WebDAV servic...
OpenVPN 2.4.0 - Denial of Service
!/usr/bin/env python3 ''' $ ./dosserver.py & $ sudo ./openvpn-2.4.0/src/openvpn/openvpn conf/server-tls.conf ... Fri Feb 24 10:19:19 2017 192.168.149.1:64249 TLS: Initial packet from AFINET192.168.149.1:64249, sid=9a6c48a6 1467f5e1 Fri Feb 24 10:19:19 2017 192.168.149.1:64249 Assertion failed at...
Cisco DPC3928 Router - Arbitrary File Disclosure
Vulnerability Summary The following advisory describes an arbitrary file disclosure vulnerability found in Cisco DPC3928AD DOCSIS 3.0 2-PORT Voice Gateway. The Cisco DPC3928AD DOCSIS is a home wireless router that is currently "Out of support" but is provided by ISPs world wide. Credit An...
CMS Made Simple 2.1.6 - Multiple Vulnerabilities
Title: CMSMS 2.1.6 Multiple Vulnerabilities Date: 10-05-2017 Tested on: Windows 8 64-bit Exploit Author: Osanda Malith Jayathissa @OsandaMalith Original write-up: https://osandamalith.com/2017/05/11/cmsms-2-1-6-multiple-vulnerabilities/ CVE: CVE-2017-8912 Remote Code Execution...
Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)
Exploit Author: Juan Sacco at KPN Red Team - http://www.kpn.com Date and time of release: May, 9 2017 - 13:00PM Found this and more exploits on my open source security project: http://www.exploitpack.com MS17-010 - https://technet.microsoft.com/en-us/library/security/ms17-010.aspx Tested on:...
Intel Active Management Technology - System Privileges
!/usr/bin/python -- coding: utf-8 -- Author: Nixawk CVE-2017-5689 = dork="Server: IntelR Active Management Technology" port:"16992", ports= 623, 664, 16992, 16993, 16994, 16995 products= Active Management Technology AMT, Intel Standard Manageability ISM, Intel Small Business Technology SBT versio...
QNAP PhotoStation 5.2.4 / MusicStation 4.8.4 - Authentication Bypass
Exploit QNAP PhotoStation 5.2.4 and MusicStation 4.8.4 Authentication Bypass Date: 10.05.2017 Software Link: https://www.qnap.com Exploit Author: Kacper Szurek Contact: https://twitter.com/KacperSzurek Website: https://security.szurek.pl/ Category: web 1. Description $COOKIESTATIONSID is not...
Gongwalker API Manager 1.1 - Cross-Site Request Forgery
Exploit Title: gongwalker API Manager v1.1 - CSRFAdd/Delete/Edit API Date: 2017-05-10 Exploit Author: HaHwul Exploit Author Blog: www.hahwul.com Vendor Homepage: https://github.com/gongwalker/ApiManager Software Link: https://github.com/gongwalker/ApiManager.git Version: v1.1 Tested on: Debian...
BanManager WebUI 1.5.8 - PHP Code Injection
BanManager WebUI 1.5.8 - PHP Code Injection & Stored XSS Exploit Title: BanManager WebUI - PHP Code Injection & Stored XSS Date: 2017-05-10 Exploit Author: HaHwul Exploit Author Blog: www.hahwul.com Vendor Homepage: https://github.com/BanManagement/BanManager-WebUI Software Link:...
SAP SAPCAR 721.510 - Heap Buffer Overflow
''' Source: https://www.coresecurity.com/advisories/sap-sapcar-heap-based-buffer-overflow-vulnerability 1. Advisory Information Title: SAP SAPCAR Heap Based Buffer Overflow Vulnerability Advisory ID: CORE-2017-0001 Advisory URL:...
Oracle GoldenGate 12.1.2.0.0 - Remote Code Execution
!/usr/bin/env python Sources: https://silentsignal.hu/docs/S2OracleGoldenGateGOLDENSHOWER.py https://blog.silentsignal.eu/2017/05/08/fools-of-golden-gate/ GOLDENSHOWER - Oracle GoldenGate unauthenticated RCE by Silent Signal Tested with: Version 12.1.2.0.0 17185003...
wolfSSL 3.10.2 - x509 Certificate Text Parsing Off-by-One
TALOS-2017-0293 WOLFSSL LIBRARY X509 CERTIFICATE TEXT PARSING CODE EXECUTION VULNERABILITY MAY 8, 2017 CVE-2017-2800 SUMMARY An exploitable off-by-one write vulnerability exists in the x509 certificate parsing functionality of wolfSSL library versions up to 3.10.2. A specially crafted x509...
I, Librarian 4.6/4.7 - Command Injection / Server Side Request Forgery / Directory Enumeration / Cross-Site Scripting
SEC Consult Vulnerability Lab Security Advisory ======================================================================= title: Multiple vulnerabilities product: I, Librarian PDF manager vulnerable version: =4.6 & 4.7 fixed version: 4.8 CVE number: - impact: Critical homepage:...