47904 matches found
Crypttech CryptoLog - Remote Code Execution (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "Crypttech CryptoLog Remote Code Execution", 'Description' = %q This module exploits the sql injection and command injection vulnerability of...
LG G4 MRA58K - 'liblg_parser_mkv.so' Bad Allocation Calls
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1102 In both of the following functions mkvparser::AudioTrack::AudioTrackmkvparser::Segment, mkvparser::Track::Info const&, long long, long long mkvparser::VideoTrack::VideoTrackmkvparser::Segment, mkvparser::Track::Info const&, lo...
I, Librarian 4.6/4.7 - Command Injection / Server Side Request Forgery / Directory Enumeration / Cross-Site Scripting
SEC Consult Vulnerability Lab Security Advisory ======================================================================= title: Multiple vulnerabilities product: I, Librarian PDF manager vulnerable version: =4.6 & 4.7 fixed version: 4.8 CVE number: - impact: Critical homepage:...
LG G4 MRA58K - 'mkvparser::Tracks constructor' Failure to Initialise Pointers
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1117 Failure to initialise pointers in mkvparser::Tracks constructor The constructor mkvparser::Tracks::Tracks doesn't handle parsing failures correctly. If we look at the function, it makes allocations in two places; the first whe...
Personify360 7.5.2/7.6.1 - Improper Access Restrictions
Exploit Title: Access and read and create vendor / API credentials in plaintext Date: 3/29/2017 Exploit Author: Pesach Zirkind Vendor Homepage: https://personifycorp.com/ Version: 7.5.2 - 7.6.1 Tested on: Windows all versions CVE : CVE-2017-7312 Category: webapps 1. Description Any website visito...
wolfSSL 3.10.2 - x509 Certificate Text Parsing Off-by-One
TALOS-2017-0293 WOLFSSL LIBRARY X509 CERTIFICATE TEXT PARSING CODE EXECUTION VULNERABILITY MAY 8, 2017 CVE-2017-2800 SUMMARY An exploitable off-by-one write vulnerability exists in the x509 certificate parsing functionality of wolfSSL library versions up to 3.10.2. A specially crafted x509...
LG G4 MRA58K - 'mkvparser::Block::Block' Heap Buffer Overflow
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1124 There are multiple paths in mkvparser::Block::Block... that result in heap buffer overflows. See attached for sample files that trigger the overflow conditions - these will not reliably crash the process, since the overflows a...
Linux/x86-64 - Reverse Shell Shellcode (IPv6) (113 bytes)
Linux/x86-64 - Reverse Shell Shellcode IPv6 113 bytes. Shellcode exploit for Linx86-64 platform BITS 64 ; reverse ip6 tcp shell ; size = 113 bytes depends of ip addr, default is ::1 ; nullbytes free depends only on ip addr, ; you could always and the ip add to remove ; the nulls like i did with t...
Linux/x86 - Disable ASLR Shellcode (80 bytes)
Linux/x86 - Disable ASLR Shellcode 80 bytes. Shellcode exploit for Linx86 platform / Linux/x86 setuid-disable-aslr.c by @abatchy17 - abatchy.com Shellcode size: 80 bytes SLAE-885 section .text global start start: ; ; setruid0,0 ; xor ecx,ecx mov ebx,ecx push 0x46 pop eax int 0x80 ; ;...
MediaCoder 0.8.48.5888 - Local Buffer Overflow (SEH)
!/usr/bin/python Exploit Title : MediaCoder 0.8.48.5888 Local Buffer Overflow SEH CVE : CVE-2017-8869 Exploit Author : Muhann4d @0xSecured Vendor Homepage : http://www.mediacoderhq.com Vulnerable Software: http://www.mediacoderhq.com/mirrors.html?file=MediaCoder-0.8.48.5888.exe Vulnerable Version...
Gemalto SmartDiag Diagnosis Tool < 2.5 - Local Buffer Overflow (SEH)
Exploit Title: Gemalto SmartDiag Diagnosis Tool = v2.5 - Buffer Overflow - SEH Overwrite Date: 16-03-2017 Software Link: http://support.gemalto.com/index.php?id=downloadtools Exploit Author: Majid Alqabandi Contact: https://www.linkedin.com/in/majidalqabandi/ CVE: CVE-2017-6953 Category: Local -...
Xen 64bit PV Guest - pagetable use-after-type-change Breakout
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1231 This is a bug in Xen that permits an attacker with control over the kernel of a 64bit X86 PV guest to write arbitrary entries into a live top-level pagetable. To prevent PV guests from doing things like mapping live pagetables...
RPCBind / libtirpc - Denial of Service
!/usr/bin/ruby Source: https://raw.githubusercontent.com/guidovranken/rpcbomb/fe53048af2d4fb78c911e71a30f21afcffbbf5e1/rpcbomb.rb By Guido Vranken https://guidovranken.wordpress.com/ Thanks to Sean Verity for writing an exploit in Ruby for an earlier vulnerability:...
Sitecore CMS 8.2 - Cross-Site Scripting / Arbitrary File Disclosure
Exploit title: Sitecore CMS v8.2 multiple vulnerabilities Product: Sitecore Version: 8.2, Rev: 161221, Date: 21st December, 2016 Date: 05-05-2017 Author: Usman Saeed Email: [email protected] Vendor Homepage: http://www.sitecore.net/ Disclaimer: Everything mentioned below is for educational puposes...
Technicolor DPC3928SL - SNMP Authentication Bypass
!/usr/bin/python -- coding: utf-8 -- StringBleed - CVE-2017-5135 author = "Nixawk" funcs = 'generatesnmpcommunitystr', 'generatesnmpprotopayload', 'sendsnmprequest', 'readsnmpcommunitystr', 'readsnmpvarbindstr', 'snmplogin', 'snmpstringbleed' import struct import uuid import socket import time...
WordPress Plugin WebDorado Gallery 1.3.29 - SQL Injection
Source: http://www.defensecode.com/advisories/DC-2017-02-011WordPressWebDoradoGalleryPluginAdvisory.pdf DefenseCode ThunderScan SAST Advisory WordPress WebDorado Gallery Plugin - SQL Injection Vulnerability Advisory ID: DC-2017-02-011 Software: WordPress WebDorado Gallery Plugin Software Language...
CloudBees Jenkins 2.32.1 - Java Deserialization
Source: https://blogs.securiteam.com/index.php/archives/3171 Vulnerability Details Jenkins is vulnerable to a Java deserialization vulnerability. In order to trigger the vulnerability two requests need to be sent. The vulnerability can be found in the implementation of a bidirectional communicati...
ViMbAdmin 3.0.15 - Multiple Cross-Site Request Forgery Vulnerabilities
CVE-2017-6086 Multiple CSRF vulnerabilities in ViMbAdmin version 3.0.15 Product Description ViMbAdmin is a web-based interface used to manage a mail server with virtual domains, mailboxes and aliases. It is an open source solution developed by Opensolutions and distributed under the GNU/GPL licen...
Apple Safari 10.0.3 - 'JSC::CachedCall' Use-After-Free
function makecompiledfunction function targetx return x5 + x - xx; // Call only once so that function gets compiled with low level interpreter // but none of the optimizing JITs target0; return target; function pwn var haxs = new Array0x100; for var i = 0; i 0x100; ++i haxsi = new Uint8Array0x100...
Serviio PRO 1.8 DLNA Media Streaming Server - REST API Arbitrary Password Change
!/usr/bin/env python Serviio PRO 1.8 DLNA Media Streaming Server REST API Arbitrary Password Change Vendor: Petr Nejedly | Six Lines Ltd Product web page: http://www.serviio.org Affected version: 1.8.0.0 PRO, 1.7.1, 1.7.0, 1.6.1 Summary: Serviio is a free media server. It allows you to stream you...
Serviio PRO 1.8 DLNA Media Streaming Server - REST API Arbitrary Code Execution
!/usr/bin/env python Serviio PRO 1.8 DLNA Media Streaming Server REST API Arbitrary Code Execution Vendor: Petr Nejedly | Six Lines Ltd Product web page: http://www.serviio.org Affected version: 1.8.0.0 PRO, 1.7.1, 1.7.0, 1.6.1 Summary: Serviio is a free media server. It allows you to stream your...
Microsoft Internet Explorer 11 - 'CMarkup::DestroySplayTree' Use-After-Free
body background-color:black; font-color:red; ; / Exploit Title: Internet Explorer 11 CMarkup::DestroySplayTree Use-After-Free Google Dork: n/a Date: 03.05.2017 Exploit Author: Marcin Ressel TT: @resselm Vendor Homepage: www.microsoft.com Software Link: n/a Version: 11.0.9600.18638 Tested on:...
Serviio PRO 1.8 DLNA Media Streaming Server - Local Privilege Escalation
Serviio PRO 1.8 DLNA Media Streaming Server Local Privilege Escalation Vendor: Petr Nejedly | Six Lines Ltd Product web page: http://www.serviio.org Affected version: 1.8.0.0 PRO Summary: Serviio is a free media server. It allows you to stream your media files music, video or images to renderer...
WordPress Core 4.6 - Remote Code Execution
!/bin/bash / / / / / / / / / / / / / / / / / / // / / / /// / / / / // / // / // / / / / // / // , / / / ///, /,// // //,///||// // // WordPress 4.6 - Remote Code Execution RCE PoC Exploit CVE-2016-10033 wordpress-rce-exploit.sh ver. 1.0 Discovered and coded by Dawid Golunski @dawidgolunski...
Serviio PRO 1.8 DLNA Media Streaming Server - REST API Information Disclosure
!/usr/bin/env python Serviio PRO 1.8 DLNA Media Streaming Server REST API Information Disclosure Vendor: Petr Nejedly | Six Lines Ltd Product web page: http://www.serviio.org Affected version: 1.8.0.0 PRO, 1.7.1, 1.7.0, 1.6.1 Summary: Serviio is a free media server. It allows you to stream your...
WordPress Core < 4.7.4 - Unauthorized Password Reset
============================================= - Discovered by: Dawid Golunski - dawidatlegalhackers.com - https://legalhackers.com - CVE-2017-8295 - Release date: 03.05.2017 - Revision 1.0 - Severity: Medium/High ============================================= Source:...
Zyxel P-660HW-61 Firmware < 3.40(PE.11)C0 Router - Local File Inclusion
Exploit Title: Zyxel P-660HW-61 3.40PE.11C0 - Local File Inclusion Date: 2-05-2017 Exploit Author: ReverseBrain Contact: https://www.twitter.com/ReverseBrain Vendor Homepage: https://www.zyxel.com Software Link: ftp://ftp.zyxel.com/P-660HW-61/firmware/P-660HW-613.40PE.11C0.zip Version: 3.40PE.11C...
Ghostscript 9.21 - Type Confusion Arbitrary Command Execution (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Ghostscript Type Confusion Arbitrary Command Execution', 'Description' = %q This module exploits a type confusion vulnerability in Ghostscript tha...
Dahua Generation 2/3 - Backdoor Access
!/usr/bin/python2.7 if False: ''' 2017-05-03 Public rerelease of Dahua Backdoor PoC https://github.com/mcw0/PoC/blob/master/dahua-backdoor-PoC.py 2017-03-20 With my newfound knowledge of vulnerable devices out there with an unbelievable number of more than 1 million Dahua / OEM units, where...
MySQL < 5.6.35 / < 5.7.17 - Integer Overflow
''' Source: https://raw.githubusercontent.com/SECFORCE/CVE-2017-3599/master/cve-2017-3599poc.py Exploit Title: Remote MySQL DOS Integer Overflow Google Dork: N/A Date: 13th April 2017 Exploit Author: Rodrigo Marcos Vendor Homepage: https://www.mysql.com/ Software Link:...
Tuleap Project Wiki 8.3 < 9.6.99.86 - Command Injection
Tuleap - Command Injection in Project Wiki CVE: CVE-2017-7981 CVSSv3: 9.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C Versions affected: = 8.3 and = 9.6.99.86 Introduction Tuleap is a Libre suite to plan, track, code and collaborate on software projects. Tuleap helps development...
HideMyAss Pro VPN Client for OS X 2.2.7.0 - Local Privilege Escalation
Source: https://www.securify.nl/advisory/SFY20170402/multiplelocalprivilegeescalationvulnerabilitiesinhidemyassprovpnclientv2xforosx.html Abstract Multiple local privilege escalation vulnerabilities were found in the helper binary HMAHelper that ships with HideMyAss Pro VPN for OS X. The helper i...
HideMyAss Pro VPN Client for macOS 3.x - Local Privilege Escalation
Source: https://www.securify.nl/advisory/SFY20170408/localprivilegeescalationvulnerabilityinhidemyassprovpnclientv3xformacos.html Abstract A local privilege escalation vulnerability has been found in the helper binary com.privax.hmaprovpn.helper that ships with HideMyAss Pro VPN v3.3.0.3 for macO...
Alerton Webtalk 2.5/3.3 - Multiple Vulnerabilities
''' Security Issues in Alerton Webtalk ================================== Introduction ------------ Vulnerabilities were identified in the Alerton Webtalk Software supplied by Alerton. This software is used for the management of building automation systems. These were discovered during a black bo...
Emby MediaServer 3.2.5 - Directory Traversal
Emby MediaServer 3.2.5 Directory Traversal File Disclosure Vulnerability Vendor: Emby LLC Product web page: https://www.emby.media Affected version: 3.2.5 3.1.5 3.1.2 3.1.1 3.1.0 3.0.0 Summary: Emby formerly Media Browser is a media server designed to organize, play, and stream audio and video to...
Emby MediaServer 3.2.5 - Password Reset
Emby MediaServer 3.2.5 Password Reset Vulnerability Vendor: Emby LLC Product web page: https://www.emby.media Affected version: 3.2.5 3.1.5 3.1.2 3.1.1 3.1.0 3.0.0 Summary: Emby formerly Media Browser is a media server designed to organize, play, and stream audio and video to a variety of devices...
Emby MediaServer 3.2.5 - SQL Injection
Emby MediaServer 3.2.5 Boolean-based Blind SQL Injection Vulnerability Vendor: Emby LLC Product web page: https://www.emby.media Affected version: 3.2.5 3.1.5 3.1.2 3.1.1 3.1.0 3.0.0 Summary: Emby formerly Media Browser is a media server designed to organize, play, and stream audio and video to a...
IrfanView 4.44 - Denial of Service
Exploit Title: Irfanview - OtherExtensions Input Overflow Date: 29-04-2017 Software Link: http://download.cnet.com/IrfanView/?part=dl-&subj=dl&tag=button Exploit Author: Dreivan Orprecio Version: Irfanview 4.44 Irfanview is vulnerable to overflow in "OtherExtensions" input field Debugging Machine...
Panda Free Antivirus - 'PSKMAD.sys' Denial of Service
/ Exploit Title: Panda Cloud Antivirus Free - 'PSKMAD.sys' - BSoD - denial of service Date: 2017-04-29 Exploit Author: Peter baris Vendor Homepage: http://www.saptech-erp.com.au Software Link:...
Admidio 3.2.8 - Cross-Site Request Forgery
Exploit Title :Admidio 3.2.8 CSRF to Delete Users Date: 28/April/2017 Exploit Author: Faiz Ahmed Zaidi Organization: Provensec LLC Website: http://provensec.com/ Vendor Homepage: https://www.admidio.org/ Software Link: https://www.admidio.org/download.php Version: 3.2.8 Tested on: Windows 10 Xamp...
Mercurial - Custom hg-ssh Wrapper Remote Code Exec (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "Mercurial Custom hg-ssh Wrapper Remote Code Exec", 'Description' = %q This module takes advantage of custom hg-ssh wrapper implementations that...
Microsoft Internet Explorer 11.576.14393.0 - 'CStyleSheetArray::BuildListOfMatchedRules' Memory Corruption
details transition-duration: 61s; function go document.fgColor = "foo"; m.setAttribute"foo", "bar"; document.head.innerHTML = "a"; aaaaaaaaaaaaa !-- =========================================================== The crash happens in CStyleSheetArray::BuildListOfMatchedRules while attempting to read...
TYPO3 Extension News - SQL Injection
Exploit Title: TYPO3 News Module SQL Injection Vendor Homepage: https://typo3.org/extensions/repository/view/news Exploit Author: Charles FOL Contact: https://twitter.com/ambionics Website: https://www.ambionics.io/blog/typo3-news-module-sqli !/usr/bin/python3 TYPO3 News Module SQL Injection...
Easy File Uploader - Arbitrary File Upload
Exploit Title: Easy File Uploader - Arbitrary File Upload Date: 27/04/2017 Exploit Author: Daniel Godoy Vendor Homepage: https://codecanyon.net/ Software Link: https://codecanyon.net/item/easy-file-uploader-php-multiple-uploader-with-file-manager/17222287 Tested on: GNU/Linux GREETZ: Rodrigo...
Simple File Uploader - Arbitrary File Download
Exploit Title: Simple File Uploader - Arbitrary File Download Date: 27/04/2017 Exploit Author: Daniel Godoy Vendor Homepage: https://codecanyon.net/ Software Link: https://codecanyon.net/item/simple-file-uploader-explorer-and-manager-php-based-secured-file-manager/18393053 Tested on: GNU/Linux...
Revive Ad Server 4.0.1 - Cross-Site Scripting / Cross-Site Request Forgery
--------------------------------------------------------------- Exploit Title: XSRF Stored Revive Ad Server 4.0.1 Date: 24/04/2017 Exploit Author: Cyril Vallicari / HTTPCS / ZIWIT Vendor Website : https://www.revive-adserver.com/ Software download : https://www.revive-adserver.com/download/...
WordPress Plugin Wow Forms 2.1 - SQL Injection
Exploit Title: Wow Forms v2.1 WordPress Plugin SQL Injection Date: 29/03/2017 Exploit Author: TAD GROUP Vendor Homepage: http://wow-company.com/ Software Link: https://wordpress.org/plugins/mwp-forms/ Version: 2.1 Contact: infoattad.group Website: https://tad.group Category: Web Application...
OpenText Documentum Content Server - dm_bp_transition.ebs docbase Method Arbitrary Code Execution
''' CVE Identifier: CVE-2017-7221 Vendor: OpenText Affected products: OpenText Documentum Content Server all versions Researcher: Andrey B. Panfilov Severity Rating: CVSS v3 Base Score: 8.8 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Fix: not available PoC:...
WePresent WiPG-1000 - Command Injection (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class MetasploitModule 'WePresent WiPG-1000 Command Injection', 'Description' = %q This module exploits a command injection vulnerability in an...
Oracle E-Business Suite 12.2.3 - 'IESFOOTPRINT' SQL Injection
Application: Oracle E-Business Suite Versions Affected: Oracle EBS 12.2.3 Vendor URL: http://oracle.com Bug: SQL injection Reported: 23.12.2016 Vendor response: 24.12.2016 Date of Public Advisory: 18.04.2017 Reference: Oracle CPU April 2017 Author: Dmitry Chastuhin ERPScan Description 1. ADVISORY...