47904 matches found
Apple Safari - Array concat Memory Corruption
!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1095 There is an out-of-bounds memcpy in Array.concat that can lead to memory corruption. In builtins/ArrayPrototype.js, the function concatSlowPath calls a native method @appendMemcpy with a parameter resultIndex that is handl...
Microsoft Windows 2003 SP2 - 'ERRATICGOPHER' SMB Remote Code Execution
!/usr/bin/env python -- coding: utf-8 -- By Victor Portal vportal for educational porpouse only This exploit is the python version of the ErraticGopher exploit probably with some modifications. ErraticGopher exploits a memory corruption seems to be a Heap Overflow in the Windows DCE-RPC Call...
October CMS 1.0.412 - Multiple Vulnerabilities
October CMS v1.0.412 several vulnerabilities Information =========== Name: October CMS v1.0.412 build 412 Homepage: http://octobercms.com Vulnerability: several issues, including PHP code execution Prerequisites: attacker has to be authenticated user with media or asset management permission CVE:...
Realtek Audio Driver 6.0.1.7898 (Windows 10) - Dolby Audio X2 Service Privilege Escalation
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1075 Windows: Dolby Audio X2 Service Elevation of Privilege Platform: Windows 10 + Realtek Audio Driver version 6.0.1.7898 on a Lenovo P50. Version of the service binary 0.7.2.61 built on 7/18/2016. Class: Elevation of Privilege...
Oracle VirtualBox Guest Additions 5.1.18 - Unprivileged Windows User-Mode Guest Code Double-Free
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1227 We have discovered a heap double-free vulnerability in the latest version of VirtualBox 5.1.18, with Guest Additions and more specifically shared folders enabled in the guest operating system. The heap memory corruption take...
Microsoft Office Word - '.RTF' Malicious HTA Execution (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class MetasploitModule "Microsoft Office Word Malicious Hta Execution", 'Description' = %q This module creates a malicious RTF file that when opened in...
PrivateTunnel Client 2.8 - Local Buffer Overflow (SEH)
!/usr/bin/python Exploit Title : Private Tunnel VPN Client 2.8 - Local Buffer Overflow SEH Date : 25/04/2017 Exploit Author : Muhann4d Vendor Homepage : https://www.privatetunnel.com Software Link : https://swupdate.openvpn.org/privatetunnel/client/privatetunnel-win-2.8.exe Affected Versions : 2....
Oracle PeopleSoft - 'PeopleSoftServiceListeningConnector' XML External Entity via DOCTYPE
Application: Oracle PeopleSoft Versions Affected: PeopleSoft HCM 9.2 on PeopleTools 8.55 Vendor URL: http://oracle.com Bug: XXE Reported: 23.12.2016 Vendor response: 24.12.2016 Date of Public Advisory: 18.04.2017 Reference: Oracle CPU April 2017 Author: Nadya Krivdyuk ERPScan Description 1...
WordPress Plugin Wow Viral Signups 2.1 - SQL Injection
Exploit Title: Wow Viral Signups v2.1 WordPress Plugin SQL Injection Date: 29/03/2017 Exploit Author: TAD GROUP Vendor Homepage: http://wow-company.com/ Software Link: https://wordpress.org/plugins/mwp-viral-signup/ Version: 2.1 Contact: infoattad.group Website: https://tad.group Category: Web...
WordPress Plugin Car Rental System 2.5 - SQL Injection
Exploit Title: Car Rental System v2.5 Date: 28/03/2017 Exploit Author: TAD GROUP Vendor Homepage: https://www.bestsoftinc.com/ Software Link: https://www.bestsoftinc.com/car-rental-system.html Version: 2.5 Contact: infoattad.group Website: https://tad.group Category: Web Application Exploits 1...
WordPress Plugin KittyCatfish 2.2 - SQL Injection
Exploit Title: KittyCatfish 2.2 Plugin for WordPress - SQL Injection Date: 20/03/2017 Exploit Author: TAD GROUP Vendor Homepage: https://wordpress.org/plugins-wp/kittycatfish/ Software Link: https://wordpress.org/plugins-wp/kittycatfish/ Version: 2.2 Contact: infoattad.group Website:...
LightDM (Ubuntu 16.04/16.10) - 'Guest Account' Local Privilege Escalation
Source: https://blogs.securiteam.com/index.php/archives/3134 Vulnerability Summary The following advisory describes a local privilege escalation via LightDM found in Ubuntu versions 16.10 / 16.04 LTS. Ubuntu is an open source software platform that runs everywhere from IoT devices, the smartphone...
FlySpray 1.0-rc4 - Cross-Site Scripting / Cross-Site Request Forgery
Exploit Title: XSRF Stored FlySpray 1.0-rc4 XSS2CSRF add admin account Date: 19/04/2017 Exploit Author: Cyril Vallicari / HTTPCS / ZIWIT : https://www.openoffice.org Version: 1.0-rc4 Tested on: Windows 7 x64 SP1 / Kali Linux Description : A vulnerability has been discovered in Flyspray , which ca...
Dell Customer Connect 1.3.28.0 - Local Privilege Escalation
Exploit Dell Customer Connect 1.3.28.0 Privilege Escalation Date: 25.04.2017 Software Link: http://www.dell.com/ Exploit Author: Kacper Szurek Contact: https://twitter.com/KacperSzurek Website: https://security.szurek.pl/ Category: local 1. Description DCCService.exe is running on autostart as...
HPE OpenCall Media Platform (OCMP) 4.3.2 - Cross-Site Scripting / Remote File Inclusion
Source: https://blogs.securiteam.com/index.php/archives/3087 SSD Advisory – HPE OpenCall Media Platform OCMP Multiple Vulnerabilities Want to get paid for a vulnerability similar to this one? Contact us at: [email protected] Vulnerabilities Summary The following advisory describes Reflected...
Flexispy
Flexispy. Papers exploit for Multiple platform / // / / /| |/ / / // \ / // / / / / / / / | / / / / / / / / / / / / / / / / / / | / / / // // / / / // //// //||//////// brought to you by / / / / / / // -/ \ / / // // / / |/ / // / /// // ./,/// ,/ // /, / // // / / / // / / ,/////,/ / /...
Joomla! Component Myportfolio 3.0.2 - 'pid' SQL Injection
Exploit Title: Joomla Component Myportfolio 3.0.2 - SQL Injection Exploit Author: Persian Hack Team Discovered by : Mojtaba Kazemi Mojtaba MobhaM Home : https://extensions.joomla.org/extensions/extension/directory-a-documentation/portfolio/myportfolio/ Home : http://persian-team.ir/ Telegram...
LogRhythm Network Monitor - Authentication Bypass / Command Injection
Exploit Title: LogRhythm Network Monitor Auth Bypass Root RCE Public Disclosure Date: 24 Apr 2017 Author: Francesco Oddo Reference: http://security-assessment.com/files/documents/advisory/Logrhythm-NetMonitor-Advisory.pdf Software Link: https://logrhythm.com/network-monitor-freemium/ Version:...
SquirrelMail < 1.4.22 - Remote Code Execution
!/bin/bash int='\03394m / / / / / / / / / / / / / / / / / / // / / / /// / / / / // / // / // / / / / // / // , / / / ///, /,// // //,///||// // // SquirrelMail = 1.4.23 Remote Code Execution PoC Exploit CVE-2017-7692 SquirrelMailRCEexploit.sh ver. 1.1 Discovered and coded by Dawid Golunski...
Linux/x86 - Egg-hunter Shellcode (18 bytes)
Linux/x86 - Egg-hunter Shellcode 18 bytes. Shellcode exploit for Linx86 platform // Description: a 18 bytes egg hunter on contigous memory segments // // You are free to do whatever you want of this shellcode // // @phacktul / global start section .text start: mov eax, start ; we set a valid .tex...
Oracle VM VirtualBox - 'virtio-net' Guest-to-Host Out-of-Bounds Write
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1136 This is a vulnerability that affects VirtualBox VMs that use a virtio network adapter which is a non-standard configuration. It permits the guest kernel to write up to 4GB of controlled data out of bounds in the trusted userla...
Oracle VM VirtualBox - Environment and ioctl Unprivileged Host User to Host Kernel Privilege Escalation
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1091 This bug report describes two separate issues that, when combined, allow any user on a Linux host system on which VirtualBox is installed to gain code execution in the kernel. Since I'm not sure which one of these issues cross...
Oracle VM VirtualBox - Guest-to-Host Privilege Escalation via Broken Length Handling in slirp Copy
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1086 There is a vulnerability in VirtualBox that permits an attacker with root privileges in a virtual machine with a NAT network interface to corrupt the memory of the userspace host process and leak memory contents from the...
Microsoft Windows 10 - Runtime Broker ClipboardBroker Privilege Escalation
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1079 Windows: Runtime Broker ClipboardBroker EoP Platform: Windows 10 10586/14393 not tested 8.1 Update 2 Class: Elevation of Privilege Summary: The Runtime Broker’s Clipboard Broker allows any low IL/AppContainer such as Edge or I...
Microsoft Windows 10 (Build 10586) - 'IEETWCollector' Arbitrary Directory/File Deletion Privilege Escalation
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1093 Windows: IEETWCollector Arbitrary Directory/File Deletion EoP Platform: Windows 10 10586 not tested on anything else Class: Elevation of Privilege Summary: When cleaning up an ETW session the IEETWCollector service deletes i...
Apple WebKit / Safari 10.0.2(12602.3.12.0.1) - 'operationSpreadGeneric' Universal Cross-Site Scripting
'use strict'; function spreada return ...a; let arr = Object.create1, 2, 3, 4; for let i = 0; i f.onload = null; try spreadf.contentWindow; catch e e.constructor.constructor'alertlocation'; ; f.src = 'https://abc.xyz/';...
Microsoft Windows - ManagementObject Arbitrary .NET Serialization Remote Code Execution
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1081 Windows: ManagementObject Arbitrary .NET Serialization RCE Platform: .NET 4.6, Powershell 4. Tested between Server 2016 and Windows 10 Anniversary Edition Class: Remote Code Execution Summary: Accessing a compromised WMI serve...
Apple WebKit / Safari 10.0.2(12602.3.12.0.1) - 'PrototypeMap::createEmptyStructure' Universal Cross-Site Scripting
jsCallee // newTarget may be an InternalFunction if we were called from Reflect.construct. JSFunction targetFunction = jsDynamicCastnewTarget; if LIKELYtargetFunction ... return targetFunction-rareDatavm-createInternalFunctionAllocationStructureFromBasevm, prototype, baseClass; ... else ... retur...
Oracle VM VirtualBox 5.0.32 r112930 (x64) - Windows Process COM Injection Privilege Escalation
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1103 VirtualBox: Windows Process COM Injection EoP Platform: VirtualBox v5.0.32 r112930 x64 Tested on Windows 10 Class: Elevation of Privilege Summary: The process hardening implemented by the VirtualBox driver can be circumvented ...
Oracle VM VirtualBox 5.1.14 r112924 - Unprivileged Host User to Host Kernel Privilege Escalation via ALSA config
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1141 This is another way to escalate from an unprivileged userspace process into the VirtualBox process, which has an open file descriptor to the privileged device /dev/vboxdrv and can use that to compromise the host kernel. The...
Dmitry 1.3a - Local Buffer Overflow (PoC)
Exploit Title: DmitryDeepmagic Information Gathering Tool Local Stack Buffer Overflow CVE: CVE-2017-7938 CWE: CWE-119 Exploit Author: Hosein Askari FarazPajohan Vendor HomePage: http://mor-pah.net/software/dmitry-deepmagic-information-gathering-tool/ Version : 1.3a Unix Exploit Tested on: Parrot ...
Huawei HG532n - Command Injection (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' require 'base64' class MetasploitModule 'Huawei HG532n Command Injection', 'Description' = %q This module exploits a command injection vulnerability in...
Microsoft Word - '.RTF' Remote Code Execution
!/usr/bin/env python ''' Exploit toolkit CVE-2017-0199 - v4.0 https://github.com/bhdresh/CVE-2017-0199 Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41894.zip ''' import os,sys,thread,socket,sys,getopt,binascii,shutil,tempfile from random import randin...
pinfo 0.6.9 - Local Buffer Overflow (PoC)
Title: pinfo v0.6.9 - Local Buffer Overflow Author: Nassim Asrir Researcher at: Henceforth Author contact: [email protected] || https://www.linkedin.com/in/nassim-asrir-b73a57122/ CVE: N/A Download $ apt-get install pinfo POC For any Question or discussion about this vuln:...
Tenable Appliance < 4.5 - Root Remote Code Execution
!/bin/bash : ' According to http://static.tenable.com/proddocs/upgradeappliance.html they fixed two security vulnerabilities in the web interface in release 4.5 so I guess previous version are also vulnerable. Exploit Title: Unauthenticated remote root code execution on Tenable Appliance Date:...
Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework auxiliary/scanner/smb/smbms17010 require 'msf/core' class MetasploitModule 'MS17-010 SMB RCE Detection', 'Description' = %q Uses information disclosure to determine if...
WinSCP 5.9.4 - 'LIST' Denial of Service (Metasploit)
Exploit Title: WinSCP 5.9.4 - LIST Command Denial of service Crush application Date: 4-4-2017 mm.dd.yy Exploit Author: M.Ibrahim [email protected] E-Mail: vulnbug gmail.com Vendor Home Page: https://winscp.net/eng/index.php Vendor download link: https://winscp.net/download/WinSCP-5.9.4-Setup.exe...
Mantis Bug Tracker 1.3.0/2.3.0 - Password Reset
Credits: John Page a.k.a hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-PRE-AUTH-REMOTE-PASSWORD-RESET.txt + ISR: ApparitionSec Vendor: ================ www.mantisbt.org Product: ================== Mantis Bug Tracker v1.3.0 /...
Linux Kernel 4.8.0 UDEV < 232 - Local Privilege Escalation
/ Title: Linux Kernel 4.8.0 udev 232 - Privilege Escalation Author: Nassim Asrir Researcher at: Henceforth Author contact: [email protected] || https://www.linkedin.com/in/nassim-asrir-b73a57122/ The full Research: https://www.facebook.com/asrirnassim/ CVE: CVE-2017-7874 Exp first of all we need...
Mozilla Firefox - Address Bar Spoofing
location=URL.createObjectURLnew Blob'Not Googleiflocation.href.indexOf"google"==-1location.pathname="https://www.google.com/"elsedocument.title="Google Search"', type: 'text/html'...
Concrete5 CMS 8.1.0 - 'Host' Header Injection
Credits: John Page a.k.a hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/CONCRETE5-v8.1.0-HOST-HEADER-INJECTION.txt + ISR: ApparitionSec Vendor: ================== www.concrete5.org Product: ================ concrete5 v8.1.0 concrete5 is an...
VirusChaser 8.0 - Local Buffer Overflow (SEH)
Exploit Title: Virus Chaser 8.0 - Scanner component, SEH Overflow Date: 14 April 2017 Exploit Author: 0x41Li [email protected] Vendor Homepage: https://www.viruschaser.com/ Software Link: https://www.viruschaser.com/download/VC80b32Setup.zip Tested on: Windows 7 Universal import os from struct...
Linux/x86-64 - execve("/bin/sh") Shellcode (31 bytes)
Linux/x86-64 - execve"/bin/sh" Shellcode 31 bytes. Shellcode exploit for Linx86-64 platform Hi, This time I wanna to submit a shellcode whose length is 31Bytes , It's tested on Linux x86-64 ;=========================================================== ===================== ; The MIT License ; ;...
Microsoft Windows Kernel - 'win32k.sys' Multiple 'NtGdiGetDIBitsInternal' System Call
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1078 We have discovered two bugs in the implementation of the win32k!NtGdiGetDIBitsInternal system call, which is a part of the graphic subsystem in all modern versions of Windows. The issues can potentially lead to kernel pool...
Adobe Creative Cloud Desktop Application < 4.0.0.185 - Local Privilege Escalation
Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/ADOBE-CREATIVE-CLOUD-PRIVILEGE-ESCALATION.txt + ISR: apparitionSec Vendor: ============== www.adobe.com Product: ======================================== Adobe Creative Cloud...
Alienvault OSSIM/USM 5.3.4/5.3.5 - Remote Command Execution (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class MetasploitModule 'AlienVault USM/OSSIM API Command Execution', 'Description' = %q This module exploits an unauthenticated command injection in...
Microsoft Windows Kernel - 'win32kfull!SfnINLPUAHDRAWMENUITEM' Stack Memory Disclosure
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1192 We have discovered that it is possible to disclose portions of uninitialized kernel stack memory to user-mode applications in Windows 10 indirectly through the win32k!NtUserPaintMenuBar system call, or more specifically,...
GNS3 Mac OS-X 1.5.2 - 'ubridge' Local Privilege Escalation
!/bin/sh GNS-3 Mac OS-X LPE local root exploit ===================================== GNS-3 on OS-X bundles the "ubridge" binary as a setuid root file. This file can be used to read arbitary files using "-f" arguement but also as it runs as root can also write arbitrary files with "pcapfile"...
agorum core Pro 7.8.1.4-251 - Persistent Cross-Site Scripting
!-- Source: https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2017-005.txt Advisory ID: SYSS-2017-005 Product: agorum core Pro Manufacturer: agorum Software GmbH Affected Versions: 7.8.1.4-251 Tested Versions: 7.8.1.4-251 Vulnerability Type: Persistent Cross-Site Scripting...
agorum core Pro 7.8.1.4-251 - Cross-Site Request Forgery
!-- Source: https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2017-008.txt Advisory ID: SYSS-2017-008 Product: agorum core Pro Manufacturer: agorum Software GmbH Affected Versions: 7.8.1.4-251 Tested Versions: 7.8.1.4-251 Vulnerability Type: Cross-Site Request Forgery CWE-352...