
47885 matches found

Exploit DB
added 2017/04/04 12:0 a.m., 61 views

Apple macOS/iOS Kernel 10.12.3 (16D32) - SIOCSIFORDER Socket ioctl Memory Corruption Due to Bad Bounds Checking

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1108 SIOCSIFORDER is a new ioctl added in iOS 10. It can be called on a regular tcp socket, so from pretty much any sandbox. it falls through to calling: ifnetresetorderorderedindices, ifo-ifocount where orderedindicies points to...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/04/04 12:0 a.m., 38 views

Maian Uploader 4.0 - 'user' SQL Injection

Exploit Title: Maian Uploader Script v4.0 - SQL Injection Google Dork: N/A Date: 04.04.2017 Vendor Homepage: http://www.maiansoftware.com/ Software: http://www.maianuploader.com/?dl=yes Demo: http://www.maiansoftware.com/demos/uploader/ Version: 4.0 Tested on: Win7 x64, Kali Linux x64 Exploit...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/04/04 12:0 a.m., 43 views

Apple WebKit - 'FormSubmission::create' Use-After-Free

function go object.name = "foo"; input.autofocus = true; output.appendChildinput; form.submit; function eventhandler forvar i=0;i a !-- ================================================================= Preliminary analysis: The bug is in FormSubmission::create. This function traverses the vector ...

7 AI score
Exploits: 0
Exploit DB
added 2017/04/04 12:0 a.m., 41 views

Apple Webkit - 'JSCallbackData' Universal Cross-Site Scripting

globalObject-vm, callback JSC::JSObject callback return mcallback.get; JSDOMGlobalObject globalObject return JSC::jsCastmcallback-globalObject; JSC::JSValue invokeCallbackJSC::MarkedArgumentBuffer& args, CallbackType callbackType, JSC::PropertyName functionName, NakedPtr& returnedException return...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/04/04 12:0 a.m., 71 views

Broadcom Wi-Fi SoC - 'dhd_handle_swc_evt' Heap Overflow

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1061 Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/04/04 12:0 a.m., 92 views

Apple macOS/iOS Kernel 10.12.3 (16D32) - 'bpf' Heap Overflow

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1125 The bpf ioctl BIOCSBLEN allows userspace to set the bpf buffer length: case BIOCSBLEN: / uint / if d-bdbif != 0 error = EINVAL; else uint size; bcopyaddr, &size, sizeof size; if size bpfmaxbufsize size = bpfmaxbufsize; else ...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/04/04 12:0 a.m., 49 views

Apple macOS/iOS Kernel 10.12.3 (16D32) - SIOCGIFORDER Socket ioctl Off-by-One Memory Corruption

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1111 SIOCSIFORDER and SIOCGIFORDER allow userspace programs to build and maintain the ifnetorderedhead linked list of interfaces. SIOCSIFORDER clears the existing list and allows userspace to specify an array of interface indexes...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/04/04 12:0 a.m., 452 views

Apache Tomcat 6/7/8/9 - Information Disclosure

Exploit Title:Apache Tomcat CVE-2016-6816 Security Bypass Vulnerability Date: 4th March 2017 Exploit Author: justpentest Vendor Homepage: tomcat.apache.org Version: Apache Tomcat 9.0.0.M1 through 9.0.0.M11, 8.5.0 through 8.5.6, 8.0.0.RC1 through 8.0.38, 7.0.0 through 7.0.72 and 6.0.0 through 6.0....

7.1 CVSS, 8.8 AI score, 0.0326 EPSS
Exploits: 5
Exploit DB
added 2017/04/04 12:0 a.m., 49 views

Apple WebKit - 'table' Use-After-Free

-webkit-border-image: urlfoo 1 5 1 63 repeat; -webkit-flow-into: foo function eventhandler var a; document.execCommand"selectAll", false; output.slot = "foo"; table.deleteCaption; //trigger garbage collector forvar i=0;i foo !-- ================================================================= AS...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/04/04 12:0 a.m., 31 views

Apple WebKit 10.0.2 (12602.3.12.0.1, r210800) - 'constructJSReadableStreamDefaultReader' Type Confusion

exec.argument0; if !stream return throwArgumentTypeErrorexec, scope, 0, "stream", "ReadableStreamReader", nullptr, "ReadableStream"; JSValue jsFunction = stream-get&exec, Identifier::fromString&exec, "getReader"; let rs = new ReadableStream; let cons = rs.getReader.constructor; rs.getReader =...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/04/04 12:0 a.m., 56 views

Apple macOS Kernel 10.12.2 (16C67) - Memory Disclosure Due to Lack of Bounds Checking in AppleIntelCapriController::getDisplayPipeCapability

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1069 MacOS kernel memory disclosure due to lack of bounds checking in AppleIntelCapriController::getDisplayPipeCapability Selector 0x710 of IntelFBClientControl ends up in AppleIntelCapriController::getDisplayPipeCapability. This...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/04/04 12:0 a.m., 55 views

Apple macOS Kernel 10.12.2 (16C67) - 'AppleIntelCapriController::GetLinkConfig' Code Execution Due to Lack of Bounds Checking

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1071 Selector 0x921 of IntelFBClientControl ends up in AppleIntelCapriController::GetLinkConfig This method takes a structure input and output buffer. It reads an attacker controlled dword from the input buffer which it uses to...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/04/04 12:0 a.m., 33 views

Maian Survey 1.1 - 'survey' SQL Injection

Exploit Title: Maian Survey v1.1 - SQL Injection Google Dork: N/A Date: 04.04.2017 Vendor Homepage: http://www.maiansoftware.com/ Software: http://www.maiansurvey.com/?dl=yes Demo: http://www.maiansoftware.com/demos/survey/ Version: 1.1 Tested on: Win7 x64, Kali Linux x64 Exploit Author: Ihsan...

7 AI score
Exploits: 0
Exploit DB
added 2017/04/04 12:0 a.m., 37 views

Maian Greetings 2.1 - 'cat' SQL Injection

Exploit Title: Maian Greetings v2.1 - SQL Injection Google Dork: N/A Date: 04.04.2017 Vendor Homepage: http://www.maiansoftware.com/ Software: http://www.maiangreetings.com/?dl=yes Demo: http://www.maiansoftware.com/demos/greetings/ Version: 2.1 Tested on: Win7 x64, Kali Linux x64 Exploit Author:...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/04/03 12:0 a.m., 22 views

GeoMoose < 2.9.2 - Directory Traversal

Exploit Title: GeoMoose = 2.9.2 Local File Disclosure Exploit Author: Sander 'dsc' Ferdinand Date: 2017-03-4 Version: = 2.9.2 Blog: https://ced.pwned.systems/advisories-geomoose-local-file-disclosure-2-9-2.html Vendor Homepage: geomoose.org Reported: 4-3-2017 Vendor response:...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/04/03 12:0 a.m., 50 views

Bluecoat ASG 6.6/CAS 1.3 - OS Command Injection (Metasploit)

Exploit Title: OS Command Injection Vulnerability in BlueCoat ASG and CAS Date: April 3, 2017 Exploit Authors: Chris Hebert, Peter Paccione and Corey Boyd Contact: chrisdhebertatgmail.com Vendor Security Advisory: https://bto.bluecoat.com/security-advisory/sa138 Version: CAS 1.3 prior to 1.3.7.4 ...

9 CVSS, 7.2 AI score, 0.36512 EPSS
Exploits: 8
Exploit DB
added 2017/04/03 12:0 a.m., 35 views

Moxa AWK-3131A 1.4 < 1.7 - 'Username' OS Command Injection

!/usr/bin/env python2 import telnetlib import re import random import string Split string into chunks, of which each is /var/a' - 1 completed = temp = re.split'\n', script for content in temp: if lencontent != 0: for s in re.split' ', content: if ' ' in s: s = '\x20' if '\n' in s: s = '\n' else:...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/04/03 12:0 a.m., 38 views

Bluecoat ASG 6.6/CAS 1.3 - Local Privilege Escalation (Metasploit)

Exploit Title: OS Command Injection Vulnerability in BlueCoat ASG and CAS Date: April 3, 2017 Exploit Authors: Chris Hebert, Peter Paccione and Corey Boyd Contact: chrisdhebertatgmail.com Vendor Security Advisory: https://bto.bluecoat.com/security-advisory/sa138 Version: CAS 1.3 prior to 1.3.7.4 ...

9 CVSS, 7.2 AI score, 0.36512 EPSS
Exploits: 8
Exploit DB
added 2017/04/02 12:0 a.m., 31 views

BackBox OS - Denial of Service

//Exploited By Hosein Askari include include include include include ifdef FPASS include endif include include include include ifndef USEBSD define USEBSD endif ifndef FAVORBSD define FAVORBSD endif include include include include include include ifdef LINUX define FIXx htonsx else define FIXx x...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/04/02 12:0 a.m., 26 views

Linux Kernel (PonyOS 4.0) - 'fluttershy' LD_LIBRARY_PATH Local Privilege Escalation

!/usr/bin/python PonyOS 4.0 has added several improvements over previous releases including support for setuid binaries and dynamic libraries. The run-time linker does not sanitize environment variables when running setuid files allowing for local root exploitation through manipulated...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/04/02 12:0 a.m., 115 views

Zyxel, EMG2926 < V1.00(AAQT.4)b8 - OS Command Injection

Exploit Title: Zyxel, EMG2926 /expert/maintenance/diagnostic/nslookup?nslookupbutton=nslookupbutton&pingip=google.ca%3b%20cat%20/etc/passwd&serverip= HTTP/1.1 Host: 192.168.0.1 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10124 AppleWebKit/537.36 KHTML, like Geck...

9 CVSS, 8.8 AI score, 0.90078 EPSS
Exploits: 5
Exploit DB
added 2017/04/02 12:0 a.m., 31 views

Pixie 1.0.4 - Arbitrary File Upload

Exploit Title: File Extension Filter Bypass in File Manager Pixie 1.0.4 With Low Privilege Google Dork: no Date: 02-April-2017 Exploit Author: @runggareksya, @dvnrcy, @dickysofficial Vendor Homepage: http://www.getpixie.co.uk Software Link:...

9.8 CVSS, 7 AI score, 0.09321 EPSS
Exploits: 5
Exploit DB
added 2017/03/31 12:0 a.m., 39 views

Microsoft Xbox One 10.0.14393.2152 - Code Execution (PoC)

For Xbox-SystemOS version: 10.0.14393.2152 rs1xboxrel1610 161208-1218 fre, 12/14/2016 Other versions will most likely need modifications to the script. Credits: - https://github.com/theori-io/chakra-2016-11 - https://bugs.chromium.org/p/project-zero/issues/detail?id=952 -...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/03/31 12:0 a.m., 27 views

Linux/ARM - execve("/bin/sh", NULL, 0) Shellcode (34 bytes)

Linux/ARM - execve"/bin/sh", NULL, 0 Shellcode 34 bytes. Shellcode exploit for ARM platform / Title: Linux/ARM - execve"/bin/sh", NULL, 0 - 34 bytes Date: 2017-03-31 Tested: armv7l Author: Jonathan 'dummys' Borgeaud - twitter: @dummys1337 fapperz.org Shellcode ARM without 0x20, 0x0a and 0x00...

7.1 AI score
Exploits: 0
Exploit DB
added 2017/03/31 12:0 a.m., 37 views

Membership Formula - 'order' SQL Injection

Exploit Title: Membership Formula - Best Membership Site PHP Script - SQL Injection Google Dork: N/A Date: 31.03.2017 Vendor Homepage: http://www.zeescripts.com/ Software: http://www.zeescripts.com/store/membership-formula-v1.0-best-membership-site-php-script.html Demo:...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/03/31 12:0 a.m., 93 views

Splunk Enterprise - Information Disclosure

Credits: John Page AKA hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/SPLUNK-ENTERPRISE-INFORMATION-THEFT.txt + ISR: ApparitionSec Vendor: =============== www.splunk.com Product: ================== Splunk Enterprise Splunk provides the leading...

3.5 CVSS, 4.4 AI score, 0.09035 EPSS
Exploits: 6
Exploit DB
added 2017/03/30 12:0 a.m., 64 views

Apple macOS/IOS 10.12.2 (16C67) - 'mach_msg' Heap Overflow

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1083 When sending ool memory via |machmsg| with |deallocate| flag or |MACHMSGVIRTUALCOPY| flag, |machmsg| performs moving the memory to the destination process instead of copying it. But it doesn't consider the memory entry objec...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/03/29 12:0 a.m., 34 views

Sync Breeze Enterprise 9.5.16 - 'Import Command' Local Buffer Overflow

!/usr/bin/env python Exploit Title: Sync Breeze Enterprise 9.5.16 - 'Import Command' Buffer Overflow SEH Date: 2017-03-29 Exploit Author: Daniel Teixeira Author Homepage: www.danielteixeira.com Vendor Homepage: http://www.syncbreeze.com Software Link:...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/03/29 12:0 a.m., 42 views

Opensource Classified Ads Script - 'keyword' SQL Injection

Exploit Title: Opensource Classified Ads Script - SQL Injection Google Dork: N/A Date: 29.03.2017 Vendor Homepage: http://www.2daybiz.com/ Software: http://www.professionalclassifiedscript.com/downloads/opensource-classified-ads-script-2/ Demo: http://198.38.86.159/classic/ Version: N/A Tested on...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/03/29 12:0 a.m., 31 views

DiskBoss Enterprise 7.8.16 - 'Import Command' Local Buffer Overflow

!/usr/bin/env python Exploit Title: DiskBoss Enterprise v7.8.16 - 'Import Command' Buffer Overflow Date: 2017-03-29 Exploit Author: Daniel Teixeira Author Homepage: www.danielteixeira.com Vendor Homepage: http://www.diskboss.com Software Link:...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/03/29 12:0 a.m., 33 views

EyesOfNetwork (EON) 5.1 - SQL Injection

Exploit Title: EyesOfNetwork EON 5.1 Unauthenticated SQL Injection in eonweb leading to remote root Google Dork: intitle:EyesOfNetwork intext:"sponsored by AXIANS" Date: 29/03/2017 Exploit Author: Dany Bach Vendor Homepage: https://www.eyesofnetwork.com/ Software Link:...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/03/29 12:0 a.m., 37 views

Linux/x86 - execve(/bin/sh") Shellcode (19 bytes)

Linux/x86 - execve/bin/sh" Shellcode 19 bytes. Shellcode exploit for Linx86 platform ;================================================================================ ; The MIT License ; ; Copyright c ; ; Permission is hereby granted, free of charge, to any person obtaining a copy ; of this...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/03/29 12:0 a.m., 35 views

Disk Sorter Enterprise 9.5.12 - 'Import Command' Local Buffer Overflow

!/usr/bin/env python Exploit Title: DiskSorter Enterprise 9.5.12 - 'Import Command' Buffer Overflow SEH Date: 2017-03-29 Exploit Author: Daniel Teixeira Author Homepage: www.danielteixeira.com Vendor Homepage: http://www.disksorter.com Software Link:...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/03/29 12:0 a.m., 52 views

Sync Breeze Enterprise 9.5.16 - 'GET' Remote Buffer Overflow (SEH)

!/usr/bin/env python Exploit Title: Sync Breeze Enterprise v9.5.16 - Remote buffer overflow SEH Date: 2017-03-29 Exploit Author: Daniel Teixeira Vendor Homepage: http://syncbreeze.com Software Link: http://www.syncbreeze.com/setups/syncbreezeentsetupv9.5.16.exe Version: 9.5.16 Tested on: Windows ...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/03/28 12:0 a.m., 61 views

Linux/x86-64 - execve("/bin/sh") Shellcode (21 Bytes)

Linux/x86-64 - execve"/bin/sh" Shellcode 21 Bytes. Shellcode exploit for Linx86-64 platform ;================================================================================ ; The MIT License ; ; Copyright c ; ; Permission is hereby granted, free of charge, to any person obtaining a copy ; of thi...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/03/28 12:0 a.m., 41 views

Microsoft Outlook - HTML Email Denial of Service

Source: https://justhaifei1.blogspot.ca/2017/03/an-interesting-outlook-bug.html When you send this email to someone, when he/she just read the email, Outlook will crash. MSRC told me that they think it's a non-exploitable bug and it seems that they are not going to fix it in near future, I'm...

7 AI score
Exploits: 0
Exploit DB
added 2017/03/28 12:0 a.m., 56 views

DzSoft PHP Editor 4.2.7 - File Enumeration

Credits: John Page AKA hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/DZSOFT-v4.2.7-PHP-EDITOR-FILE-ENUMERATION.txt + ISR: ApparitionSec Vendor: ============== www.dzsoft.com Product: ========================= DzSoft PHP Editor v4.2.7 DzSoft PHP...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/03/28 12:0 a.m., 42 views

VX Search Enterprise 9.5.12 - 'Verify Email' Buffer Overflow

author = ''' Created: ScrR1pTK1dd13 Name: Greg Priest Mail: [email protected] Exploit Title: VX Search Enterprise v9.5.12 email verify exploit Date: 2017.03.28 Exploit Author: Greg Priest Version: VX Search Enterprise v9.5.12 Tested on: Windows7 x64 HUN/ENG Professional ''' import...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/03/28 12:0 a.m., 72 views

Intermec PM43 Industrial Printer - Local Privilege Escalation

TITLE: Intermec Industrial Printers Local root with Busybox jailbreak Date: March 28th, 2017 Author: Bourbon Jean-marie kmkz from AKERVA company | @kmkzsecurity Product Homepage: http://www.intermec.com/products/prtrpm43a/ Firmware download: http://www.intermec.com/products/prtrpm43a/downloads.as...

8.8 CVSS, 8.8 AI score, 0.00507 EPSS
Exploits: 5
Exploit DB
added 2017/03/28 12:0 a.m., 23 views

MikroTik RouterBoard 6.38.5 - Denial of Service

!/usr/local/bin/perl use Socket; $srchost =3D $ARGV0;=20 $srcport =3D $ARGV1;=20 $dsthost =3D $ARGV2;=20 $dstport =3D $ARGV3;=20 if!defined $srchost or !defined $srcport or !defined $dsthost or !defin= ed $dstport=20 =09 =09print "Usage: $0 \n"; =09exit; =20 else=20 =09 =09main; =20 sub main=20...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/03/27 12:0 a.m., 41 views

Apple Safari - 'DateTimeFormat.format' Type Confusion

var date = new DateDate.UTC2012, 11, 20, 3, 0, 0; var i = new Intl.DateTimeFormat; //printi; var q; function f //print"in f"; //printf.caller; q = f.caller; return 10; try i.formatvalueOf : f; catche //print"problem"; //printq; q.call0x77777777;...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/03/27 12:0 a.m., 48 views

Apple Safari - Builtin JavaScript Allows Function.caller to be Used in Strict Mode

var q; function g //print"in g"; //printarguments.caller; //printg.caller; q = g.caller; //printg.caller; return 7; var a = 1, 2, 3; Object.defineProperty Array.prototype, "1", get : g ; var a = 1, 2, 3;...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/03/27 12:0 a.m., 32 views

Disk Sorter Enterprise 9.5.12 - Local Buffer Overflow

Title: Disk Sorter Server v9.5.12 - Local Stack-based buffer overflow + Credits / Discovery: Nassim Asrir + Author Email: [email protected] || https://www.linkedin.com/in/nassim-asrir-b73a57122/ + Author Company: Henceforth + CVE: N/A Vendor: =============== http://www.disksorter.com/ Download:...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/03/27 12:0 a.m., 46 views

inoERP 0.6.1 - Cross-Site Scripting / Cross-Site Request Forgery / SQL Injection / Session Fixation

=== FOXMOLE - Security Advisory 2017-01-25 === inoERP - Multiple Issues Affected Versions ================= inoERP 0.6.1 Issue Overview ============== Vulnerability Type: SQL Injection, Cross Site Scripting, Cross Site Request Forgery, Session Fixation Technical Risk: critical Likelihood of...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/03/27 12:0 a.m., 51 views

Github Enterprise - Default Session Secret and Deserialization (Metasploit)

This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class MetasploitModule "Github Enterprise Default Session Secret And Deserialization Vulnerability", 'Description' = %q This module exploits two securi...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/03/27 12:0 a.m., 104 views

Professional Bus Booking Script - 'hid_Busid' SQL Injection

Exploit Title: Professional Bus Booking Script - SQL Injection Google Dork: N/A Date: 27.03.2017 Vendor Homepage: http://travelbookingscript.com/ Software: http://travelbookingscript.com/professional-bus-booking-script.html Demo: http://travelbookingscript.com/demo/professional/ Version: N/A Test...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/03/27 12:0 a.m., 89 views

Nuxeo 6.0/7.1/7.2/7.3 - Remote Code Execution (Metasploit)

=begin Description Nuxeo Platform is a content management system for enterprises CMS. It embeds an Apache Tomcat server, and can be managed through a web interface. One of its features allows authenticated users to import files to the platform. By crafting the upload request with a specific...

8.8 CVSS, 8.8 AI score, 0.02599 EPSS
Exploits: 7
Exploit DB
added 2017/03/27 12:0 a.m., 38 views

Apple Safari - Out-of-Bounds Read when Calling Bound Function

var ba; function s alert"in s"; ba = this; function g alert"in g"; return 7; funct...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/03/27 12:0 a.m., 304 views

Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow

''' Description:Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services IIS 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with "If: http://" in a PROPFIND request, as...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/03/27 12:0 a.m., 69 views

QNAP QTS < 4.2.4 - Domain Privilege Escalation

QNAP QTS Domain Privilege Escalation Vulnerability Name Sensitive Data Exposure in QNAP QTS Systems Affected QNAP QTS NAS all model and all versions 4.2.4 Severity High 7.9/10 Impact CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L Vendor http://www.qnap.com/ Advisory...

7.5 CVSS, 7.7 AI score, 0.19524 EPSS
Exploits: 4
Total number of security vulnerabilities: 47885