Microsoft Internet Explorer 11 - 'CMarkup::DestroySplayTree' Use-After-Free
Exploit Title: Internet Explorer 11 CMarkup::DestroySplayTree Use-After-Free Google Dork: n/a Date: 03.05.2017 Exploit Author: Marcin Ressel TT: @resselm Vendor Homepage: www.microsoft.com Software Link: n/a Version: 11.0.9600.18638 Tested on:...
WordPress Core < 4.7.4 - Unauthorized Password Reset
============================================= - Discovered by: Dawid Golunski - dawidatlegalhackers.com - https://legalhackers.com - CVE-2017-8295 - Release date: 03.05.2017 - Revision 1.0 - Severity: Medium/High ============================================= Source:...
Serviio PRO 1.8 DLNA Media Streaming Server - REST API Arbitrary Password Change
!/usr/bin/env python Serviio PRO 1.8 DLNA Media Streaming Server REST API Arbitrary Password Change Vendor: Petr Nejedly | Six Lines Ltd Product web page: http://www.serviio.org Affected version: 1.8.0.0 PRO, 1.7.1, 1.7.0, 1.6.1 Summary: Serviio is a free media server. It allows you to stream you...
WordPress Core 4.6 - Remote Code Execution
!/bin/bash [ASCII art banner] WordPress 4.6 - Remote Code Execution RCE PoC Exploit CVE-2016-10033 wordpress-rce-exploit.sh ver. 1.0 Discovered and coded by Dawid Golunski @dawidgolunski...
Serviio PRO 1.8 DLNA Media Streaming Server - Local Privilege Escalation
Serviio PRO 1.8 DLNA Media Streaming Server Local Privilege Escalation Vendor: Petr Nejedly | Six Lines Ltd Product web page: http://www.serviio.org Affected version: 1.8.0.0 PRO Summary: Serviio is a free media server. It allows you to stream your media files music, video or images to renderer...
Serviio PRO 1.8 DLNA Media Streaming Server - REST API Arbitrary Code Execution
!/usr/bin/env python Serviio PRO 1.8 DLNA Media Streaming Server REST API Arbitrary Code Execution Vendor: Petr Nejedly | Six Lines Ltd Product web page: http://www.serviio.org Affected version: 1.8.0.0 PRO, 1.7.1, 1.7.0, 1.6.1 Summary: Serviio is a free media server. It allows you to stream your...
Serviio PRO 1.8 DLNA Media Streaming Server - REST API Information Disclosure
!/usr/bin/env python Serviio PRO 1.8 DLNA Media Streaming Server REST API Information Disclosure Vendor: Petr Nejedly | Six Lines Ltd Product web page: http://www.serviio.org Affected version: 1.8.0.0 PRO, 1.7.1, 1.7.0, 1.6.1 Summary: Serviio is a free media server. It allows you to stream your...
Zyxel P-660HW-61 Firmware < 3.40(PE.11)C0 Router - Local File Inclusion
Exploit Title: Zyxel P-660HW-61 3.40PE.11C0 - Local File Inclusion Date: 2-05-2017 Exploit Author: ReverseBrain Contact: https://www.twitter.com/ReverseBrain Vendor Homepage: https://www.zyxel.com Software Link: ftp://ftp.zyxel.com/P-660HW-61/firmware/P-660HW-613.40PE.11C0.zip Version: 3.40PE.11C...
Dahua Generation 2/3 - Backdoor Access
!/usr/bin/python2.7 if False: ''' 2017-05-03 Public rerelease of Dahua Backdoor PoC https://github.com/mcw0/PoC/blob/master/dahua-backdoor-PoC.py 2017-03-20 With my newfound knowledge of vulnerable devices out there with an unbelievable number of more than 1 million Dahua / OEM units, where...
Ghostscript 9.21 - Type Confusion Arbitrary Command Execution (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Ghostscript Type Confusion Arbitrary Command Execution', 'Description' = %q This module exploits a type confusion vulnerability in Ghostscript tha...
HideMyAss Pro VPN Client for macOS 3.x - Local Privilege Escalation
Source: https://www.securify.nl/advisory/SFY20170408/localprivilegeescalationvulnerabilityinhidemyassprovpnclientv3xformacos.html Abstract A local privilege escalation vulnerability has been found in the helper binary com.privax.hmaprovpn.helper that ships with HideMyAss Pro VPN v3.3.0.3 for macO...
Alerton Webtalk 2.5/3.3 - Multiple Vulnerabilities
Security Issues in Alerton Webtalk ================================== Introduction ------------ Vulnerabilities were identified in the Alerton Webtalk Software supplied by Alerton. This software is used for the management of building automation systems. These were discovered during a black bo...
MySQL < 5.6.35 / < 5.7.17 - Integer Overflow
Source: https://raw.githubusercontent.com/SECFORCE/CVE-2017-3599/master/cve-2017-3599poc.py Exploit Title: Remote MySQL DOS Integer Overflow Google Dork: N/A Date: 13th April 2017 Exploit Author: Rodrigo Marcos Vendor Homepage: https://www.mysql.com/ Software Link:...
Tuleap Project Wiki 8.3 < 9.6.99.86 - Command Injection
Tuleap - Command Injection in Project Wiki CVE: CVE-2017-7981 CVSSv3: 9.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C Versions affected: = 8.3 and = 9.6.99.86 Introduction Tuleap is a Libre suite to plan, track, code and collaborate on software projects. Tuleap helps development...
HideMyAss Pro VPN Client for OS X 2.2.7.0 - Local Privilege Escalation
Source: https://www.securify.nl/advisory/SFY20170402/multiplelocalprivilegeescalationvulnerabilitiesinhidemyassprovpnclientv2xforosx.html Abstract Multiple local privilege escalation vulnerabilities were found in the helper binary HMAHelper that ships with HideMyAss Pro VPN for OS X. The helper i...
Emby MediaServer 3.2.5 - Directory Traversal
Emby MediaServer 3.2.5 Directory Traversal File Disclosure Vulnerability Vendor: Emby LLC Product web page: https://www.emby.media Affected version: 3.2.5 3.1.5 3.1.2 3.1.1 3.1.0 3.0.0 Summary: Emby formerly Media Browser is a media server designed to organize, play, and stream audio and video to...
Emby MediaServer 3.2.5 - Password Reset
Emby MediaServer 3.2.5 Password Reset Vulnerability Vendor: Emby LLC Product web page: https://www.emby.media Affected version: 3.2.5 3.1.5 3.1.2 3.1.1 3.1.0 3.0.0 Summary: Emby formerly Media Browser is a media server designed to organize, play, and stream audio and video to a variety of devices...
Emby MediaServer 3.2.5 - SQL Injection
Emby MediaServer 3.2.5 Boolean-based Blind SQL Injection Vulnerability Vendor: Emby LLC Product web page: https://www.emby.media Affected version: 3.2.5 3.1.5 3.1.2 3.1.1 3.1.0 3.0.0 Summary: Emby formerly Media Browser is a media server designed to organize, play, and stream audio and video to a...
IrfanView 4.44 - Denial of Service
Exploit Title: Irfanview - OtherExtensions Input Overflow Date: 29-04-2017 Software Link: http://download.cnet.com/IrfanView/?part=dl-&subj=dl&tag=button Exploit Author: Dreivan Orprecio Version: Irfanview 4.44 Irfanview is vulnerable to overflow in "OtherExtensions" input field Debugging Machine...
Panda Free Antivirus - 'PSKMAD.sys' Denial of Service
Exploit Title: Panda Cloud Antivirus Free - 'PSKMAD.sys' - BSoD - denial of service Date: 2017-04-29 Exploit Author: Peter baris Vendor Homepage: http://www.saptech-erp.com.au Software Link:...
Admidio 3.2.8 - Cross-Site Request Forgery
Exploit Title :Admidio 3.2.8 CSRF to Delete Users Date: 28/April/2017 Exploit Author: Faiz Ahmed Zaidi Organization: Provensec LLC Website: http://provensec.com/ Vendor Homepage: https://www.admidio.org/ Software Link: https://www.admidio.org/download.php Version: 3.2.8 Tested on: Windows 10 Xamp...
TYPO3 Extension News - SQL Injection
Exploit Title: TYPO3 News Module SQL Injection Vendor Homepage: https://typo3.org/extensions/repository/view/news Exploit Author: Charles FOL Contact: https://twitter.com/ambionics Website: https://www.ambionics.io/blog/typo3-news-module-sqli !/usr/bin/python3 TYPO3 News Module SQL Injection...
Easy File Uploader - Arbitrary File Upload
Exploit Title: Easy File Uploader - Arbitrary File Upload Date: 27/04/2017 Exploit Author: Daniel Godoy Vendor Homepage: https://codecanyon.net/ Software Link: https://codecanyon.net/item/easy-file-uploader-php-multiple-uploader-with-file-manager/17222287 Tested on: GNU/Linux GREETZ: Rodrigo...
Microsoft Internet Explorer 11.576.14393.0 - 'CStyleSheetArray::BuildListOfMatchedRules' Memory Corruption
details transition-duration: 61s; function go document.fgColor = "foo"; m.setAttribute"foo", "bar"; document.head.innerHTML = "a"; aaaaaaaaaaaaa !-- =========================================================== The crash happens in CStyleSheetArray::BuildListOfMatchedRules while attempting to read...
Simple File Uploader - Arbitrary File Download
Exploit Title: Simple File Uploader - Arbitrary File Download Date: 27/04/2017 Exploit Author: Daniel Godoy Vendor Homepage: https://codecanyon.net/ Software Link: https://codecanyon.net/item/simple-file-uploader-explorer-and-manager-php-based-secured-file-manager/18393053 Tested on: GNU/Linux...
Mercurial - Custom hg-ssh Wrapper Remote Code Exec (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "Mercurial Custom hg-ssh Wrapper Remote Code Exec", 'Description' = %q This module takes advantage of custom hg-ssh wrapper implementations that...
Revive Ad Server 4.0.1 - Cross-Site Scripting / Cross-Site Request Forgery
--------------------------------------------------------------- Exploit Title: XSRF Stored Revive Ad Server 4.0.1 Date: 24/04/2017 Exploit Author: Cyril Vallicari / HTTPCS / ZIWIT Vendor Website : https://www.revive-adserver.com/ Software download : https://www.revive-adserver.com/download/...
Oracle PeopleSoft - 'PeopleSoftServiceListeningConnector' XML External Entity via DOCTYPE
Application: Oracle PeopleSoft Versions Affected: PeopleSoft HCM 9.2 on PeopleTools 8.55 Vendor URL: http://oracle.com Bug: XXE Reported: 23.12.2016 Vendor response: 24.12.2016 Date of Public Advisory: 18.04.2017 Reference: Oracle CPU April 2017 Author: Nadya Krivdyuk ERPScan Description 1...
Realtek Audio Driver 6.0.1.7898 (Windows 10) - Dolby Audio X2 Service Privilege Escalation
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1075 Windows: Dolby Audio X2 Service Elevation of Privilege Platform: Windows 10 + Realtek Audio Driver version 6.0.1.7898 on a Lenovo P50. Version of the service binary 0.7.2.61 built on 7/18/2016. Class: Elevation of Privilege...
Microsoft Windows 2003 SP2 - 'ERRATICGOPHER' SMB Remote Code Execution
!/usr/bin/env python -- coding: utf-8 -- By Victor Portal vportal for educational porpouse only This exploit is the python version of the ErraticGopher exploit probably with some modifications. ErraticGopher exploits a memory corruption seems to be a Heap Overflow in the Windows DCE-RPC Call...
Dell Customer Connect 1.3.28.0 - Local Privilege Escalation
Exploit Dell Customer Connect 1.3.28.0 Privilege Escalation Date: 25.04.2017 Software Link: http://www.dell.com/ Exploit Author: Kacper Szurek Contact: https://twitter.com/KacperSzurek Website: https://security.szurek.pl/ Category: local 1. Description DCCService.exe is running on autostart as...
WordPress Plugin Car Rental System 2.5 - SQL Injection
Exploit Title: Car Rental System v2.5 Date: 28/03/2017 Exploit Author: TAD GROUP Vendor Homepage: https://www.bestsoftinc.com/ Software Link: https://www.bestsoftinc.com/car-rental-system.html Version: 2.5 Contact: infoattad.group Website: https://tad.group Category: Web Application Exploits 1...
Oracle E-Business Suite 12.2.3 - 'IESFOOTPRINT' SQL Injection
Application: Oracle E-Business Suite Versions Affected: Oracle EBS 12.2.3 Vendor URL: http://oracle.com Bug: SQL injection Reported: 23.12.2016 Vendor response: 24.12.2016 Date of Public Advisory: 18.04.2017 Reference: Oracle CPU April 2017 Author: Dmitry Chastuhin ERPScan Description 1. ADVISORY...
Oracle VirtualBox Guest Additions 5.1.18 - Unprivileged Windows User-Mode Guest Code Double-Free
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1227 We have discovered a heap double-free vulnerability in the latest version of VirtualBox 5.1.18, with Guest Additions and more specifically shared folders enabled in the guest operating system. The heap memory corruption take...
Microsoft Office Word - '.RTF' Malicious HTA Execution (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class MetasploitModule "Microsoft Office Word Malicious Hta Execution", 'Description' = %q This module creates a malicious RTF file that when opened in...
WordPress Plugin KittyCatfish 2.2 - SQL Injection
Exploit Title: KittyCatfish 2.2 Plugin for WordPress - SQL Injection Date: 20/03/2017 Exploit Author: TAD GROUP Vendor Homepage: https://wordpress.org/plugins-wp/kittycatfish/ Software Link: https://wordpress.org/plugins-wp/kittycatfish/ Version: 2.2 Contact: infoattad.group Website:...
OpenText Documentum Content Server - dm_bp_transition.ebs docbase Method Arbitrary Code Execution
CVE Identifier: CVE-2017-7221 Vendor: OpenText Affected products: OpenText Documentum Content Server all versions Researcher: Andrey B. Panfilov Severity Rating: CVSS v3 Base Score: 8.8 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Fix: not available PoC:...
WePresent WiPG-1000 - Command Injection (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class MetasploitModule 'WePresent WiPG-1000 Command Injection', 'Description' = %q This module exploits a command injection vulnerability in an...
Apple Safari - Array concat Memory Corruption
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1095 There is an out-of-bounds memcpy in Array.concat that can lead to memory corruption. In builtins/ArrayPrototype.js, the function concatSlowPath calls a native method @appendMemcpy with a parameter resultIndex that is handl...
WordPress Plugin Wow Viral Signups 2.1 - SQL Injection
Exploit Title: Wow Viral Signups v2.1 WordPress Plugin SQL Injection Date: 29/03/2017 Exploit Author: TAD GROUP Vendor Homepage: http://wow-company.com/ Software Link: https://wordpress.org/plugins/mwp-viral-signup/ Version: 2.1 Contact: infoattad.group Website: https://tad.group Category: Web...
WordPress Plugin Wow Forms 2.1 - SQL Injection
Exploit Title: Wow Forms v2.1 WordPress Plugin SQL Injection Date: 29/03/2017 Exploit Author: TAD GROUP Vendor Homepage: http://wow-company.com/ Software Link: https://wordpress.org/plugins/mwp-forms/ Version: 2.1 Contact: infoattad.group Website: https://tad.group Category: Web Application...
PrivateTunnel Client 2.8 - Local Buffer Overflow (SEH)
!/usr/bin/python Exploit Title : Private Tunnel VPN Client 2.8 - Local Buffer Overflow SEH Date : 25/04/2017 Exploit Author : Muhann4d Vendor Homepage : https://www.privatetunnel.com Software Link : https://swupdate.openvpn.org/privatetunnel/client/privatetunnel-win-2.8.exe Affected Versions : 2....
October CMS 1.0.412 - Multiple Vulnerabilities
October CMS v1.0.412 several vulnerabilities Information =========== Name: October CMS v1.0.412 build 412 Homepage: http://octobercms.com Vulnerability: several issues, including PHP code execution Prerequisites: attacker has to be authenticated user with media or asset management permission CVE:...
HPE OpenCall Media Platform (OCMP) 4.3.2 - Cross-Site Scripting / Remote File Inclusion
Source: https://blogs.securiteam.com/index.php/archives/3087 SSD Advisory – HPE OpenCall Media Platform OCMP Multiple Vulnerabilities Want to get paid for a vulnerability similar to this one? Contact us at: [email protected] Vulnerabilities Summary The following advisory describes Reflected...
LightDM (Ubuntu 16.04/16.10) - 'Guest Account' Local Privilege Escalation
Source: https://blogs.securiteam.com/index.php/archives/3134 Vulnerability Summary The following advisory describes a local privilege escalation via LightDM found in Ubuntu versions 16.10 / 16.04 LTS. Ubuntu is an open source software platform that runs everywhere from IoT devices, the smartphone...
FlySpray 1.0-rc4 - Cross-Site Scripting / Cross-Site Request Forgery
Exploit Title: XSRF Stored FlySpray 1.0-rc4 XSS2CSRF add admin account Date: 19/04/2017 Exploit Author: Cyril Vallicari / HTTPCS / ZIWIT : https://www.openoffice.org Version: 1.0-rc4 Tested on: Windows 7 x64 SP1 / Kali Linux Description : A vulnerability has been discovered in Flyspray , which ca...
Joomla! Component Myportfolio 3.0.2 - 'pid' SQL Injection
Exploit Title: Joomla Component Myportfolio 3.0.2 - SQL Injection Exploit Author: Persian Hack Team Discovered by : Mojtaba Kazemi Mojtaba MobhaM Home : https://extensions.joomla.org/extensions/extension/directory-a-documentation/portfolio/myportfolio/ Home : http://persian-team.ir/ Telegram...
Flexispy
Flexispy. Papers exploit for Multiple platform [ASCII art banner] brought to you by [ASCII art banner]...
LogRhythm Network Monitor - Authentication Bypass / Command Injection
Exploit Title: LogRhythm Network Monitor Auth Bypass Root RCE Public Disclosure Date: 24 Apr 2017 Author: Francesco Oddo Reference: http://security-assessment.com/files/documents/advisory/Logrhythm-NetMonitor-Advisory.pdf Software Link: https://logrhythm.com/network-monitor-freemium/ Version:...
SquirrelMail < 1.4.22 - Remote Code Execution
!/bin/bash int='\03394m [ASCII art banner] SquirrelMail = 1.4.23 Remote Code Execution PoC Exploit CVE-2017-7692 SquirrelMailRCEexploit.sh ver. 1.1 Discovered and coded by Dawid Golunski...