47904 matches found
SpyCamLizard 1.230 - Denial of Service
import socket import sys author = ''' Created: ScrR1pTK1dd13 Name: Greg Priest Mail: [email protected] Exploit Title: SpyCamLizard SC liz v1.230 Remote Buffer Overflow ZeroDay Date: 2017.03.22 Exploit Author: Greg Priest Version: SpyCamLizard v1.230 Tested on: Windows7 x64 HUN/ENG...
Disk Sorter Enterprise 9.5.12 - 'GET' Remote Buffer Overflow (SEH)
!/usr/bin/env python Exploit Title: DiskSorter Enterprise 9.5.12 - 'GET' Remote buffer overflow SEH Date: 2017-03-22 Exploit Author: Daniel Teixeira Author Homepage: www.danielteixeira.com Vendor Homepage: http://www.disksorter.com Software Link:...
GLink Word Link Script 1.2.3 - SQL Injection
Exploit Title: GLink Word Link Script v1.2.3 - SQL Injection Google Dork: N/A Date: 22.03.2017 Vendor Homepage: http://www.tufat.com/ Software: http://www.tufat.com/wp-content/uploads/sites/4/2015/zips/script131.zip Demo: http://www.tufat.com/glink-word-link-script/ Version: 1.2.3 Tested on: Win7...
Joomla! Component Extra Search 2.2.8 - 'establename' SQL Injection
Exploit Title: Joomla! Component Extra Search v2.2.8 - SQL Injection Google Dork: N/A Date: 21.03.2017 Vendor Homepage: http://www.joomlaboat.com/ Software: http://www.joomlaboat.com/extra-search Demo: http://www.joomlaboat.com/ Version: 2.2.8 Tested on: Win7 x64, Kali Linux x64 Exploit Author:...
Microsoft Windows - Uniscribe Font Processing Heap Out-of-Bounds Read/Write in 'USP10!AssignGlyphTypes' (MS17-011)
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1023 We have encountered a crash in the Windows Uniscribe user-mode library, in the USP10!AssignGlyphTypes function, while trying to display text using a corrupted font file: --- 58d0.5ae4: Access violation - code c0000005 first...
Microsoft Windows - Uniscribe Font Processing Heap Memory Corruption Around 'USP10!BuildFSM' (MS17-011)
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1029 We have encountered a number of crashes in the Windows Uniscribe user-mode library, while trying to display text using a corrupted font file. While crashes in this specific family take various shapes and forms, they all occur ...
Microsoft Windows - Uniscribe Font Processing Heap Memory Corruption in 'USP10!otlCacheManager::GlyphsSubstituted' (MS17-011)
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1025 We have encountered a crash in the Windows Uniscribe user-mode library, in the memset function called by USP10!otlCacheManager::GlyphsSubstituted, while trying to display text using a corrupted font file: --- 449c.6338: Access...
Microsoft Windows - 'USP10!otlList::insertAt' Uniscribe Font Processing Heap Buffer Overflow (MS17-011)
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1022 We have encountered a crash in the Windows Uniscribe user-mode library, in the memmove function called by USP10!otlList::insertAt, while trying to display text using a corrupted font file: --- 4b44.24a8: Access violation - cod...
Microsoft Windows - Uniscribe Font Processing Out-of-Bounds Read in usp10!otlChainRuleSetTable::rule (MS17-011)
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1019 We have encountered a crash in the Windows Uniscribe user-mode library, in the usp10!otlChainRuleSetTable::rule function, while trying to display text using a corrupted TTF font file: --- 4464.11b4: Access violation - code...
Microsoft Internet Explorer 11 - 'textarea.defaultValue' Memory Disclosure (MS17-006)
function run var textarea = document.getElementById"textarea"; var frame = document.createElement"iframe"; textarea.appendChildframe; frame.contentDocument.onreadystatechange = eventhandler; form.reset; function eventhandler document.getElementById"textarea".defaultValue = "foo"; alert"Text value...
Microsoft Windows - Uniscribe Heap Out-of-Bounds Read in 'USP10!ScriptApplyLogicalWidth' Triggered via EMF (MS17-013)
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1053 We have encountered a crash in the Windows Uniscribe user-mode library, in the USP10!ScriptApplyLogicalWidth function, while trying to display a malformed EMF file: --- 920c.9190: Access violation - code c0000005 first chance...
Google Nest Cam 5.2.1 - Buffer Overflow Conditions Over Bluetooth LE
Exploit Title: Google Nest Cam - Multiple Buffer Overflow Conditions Over Bluetooth LE Reported to Google: October 26, 2016 Public Disclosure: March 17, 2017 Exploit Author: Jason Doyle @jasondoyle Vendor Homepage: https://nest.com/ Affected: Dropcam, Dropcam Pro, Nest Cam Indoor/Outdoor models ...
Joomla! Component jCart for OpenCart 2.0 - 'product_id' SQL Injection
Exploit Title: Joomla! Component jCart for OpenCart v2.0 - SQL Injection Google Dork: N/A Date: 20.03.2017 Vendor Homepage: http://soft-php.com Software: https://extensions.joomla.org/extensions/extension/e-commerce/e-commerce-integrations/jcart-for-opencart/ Demo: http://demos.soft-php.com/jcart...
Joomla! Component JooCart 2.x - 'product_id' SQL Injection
Exploit Title: Joomla! Component JooCart Joomla OpenCart Integration v2.x - SQL Injection Google Dork: N/A Date: 20.03.2017 Vendor Homepage: http://soft-php.com Software: https://www.opencart.com/index.php?route=marketplace/extension/info&extensionid=4478 Demo: http://demo.soft-php.com Version: 2...
Microsoft Windows - Uniscribe Font Processing Heap Memory Corruption in 'USP10!MergeLigRecords' (MS17-011)
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1026&desc=2 We have encountered a crash in the Windows Uniscribe user-mode library, in the memcpy function called by USP10!MergeLigRecords, while trying to display text using a corrupted font file: --- 2bd0.637c: Access violation -...
Microsoft Windows - Uniscribe Font Processing Buffer Overflow in 'USP10!FillAlternatesList' (MS17-011)
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1030 We have encountered a crash in the Windows Uniscribe user-mode library, in the USP10!FillAlternatesList function, while trying to request a list of alternate glyphs for a specific glyph in a corrupted font file: --- 4bfc.c60:...
Microsoft Windows - Uniscribe Font Processing Multiple Heap Out-of-Bounds and Wild Reads (MS17-011)
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1031 Through fuzzing, we have discovered a number of different crashes in the Windows Uniscribe user-mode library, while trying to display text using a corrupted font file or calling documented Uniscribe API functions against such...
ExtraPuTTY 0.29-RC2 - Denial of Service
Credits: John Page AKA hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/EXTRAPUTTY-TFTP-DENIAL-OF-SERVICE.txt + ISR: ApparitionSec Vendor: ================== www.extraputty.com Product: ====================== ExtraPuTTY - v029RC2 hash:...
Microsoft GDI+ - 'gdiplus!GetRECTSForPlayback' Out-of-Bounds Read (MS17-013)
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1042 We have encountered a crash in the Windows GDI+ library, in the gdiplus!GetRECTSForPlayback function, while trying to display a malformed EMF+ image file: --- 6be8.6f1c: Access violation - code c0000005 first chance First chan...
Microsoft Color Management Module 'icm32.dll' - 'icm32!LHCalc3toX_Di16_Do16_Lut8_G32' Out-of-Bounds Read (MS17-013)
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1054 We have encountered a crash in the Windows Color Management library icm32.dll, in the icm32!LHCalc3toXDi16Do16Lut8G32 function, while trying to translate colors based on a malformed color profile file: --- 61e4.8620: Access...
Microsoft Color Management Module 'icm32.dll' - 'icm32!Fill_ushort_ELUTs_from_lut16Tag' Out-of-Bounds Read (MS17-013)
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1052 We have encountered a crash in the Windows Color Management library icm32.dll, in the icm32!FillushortELUTsfromlut16Tag function, while trying to display a TIFF image with a malformed embedded color profile: --- 7c1c.93b0:...
Microsoft Windows - Uniscribe Font Processing Heap Out-of-Bounds Write in 'USP10!UpdateGlyphFlags' (MS17-011)
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1028 We have encountered a crash in the Windows Uniscribe user-mode library, in the USP10!UpdateGlyphFlags function, while trying to display text using a corrupted font file: --- 5268.3b50: Access violation - code c0000005 first...
Microsoft Windows - Uniscribe Font Processing Heap Buffer Overflow in 'USP10!ttoGetTableData' (MS17-011)
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1027 We have encountered a crash in the Windows Uniscribe user-mode library, in an unnamed function called by USP10!ttoGetTableData, while trying to display text using a corrupted font file: --- 46ac.5f40: Access violation - code...
Microsoft Windows Kernel - Registry Hive Loading Crashes in nt!nt!HvpGetBinMemAlloc / nt!ExpFindAndRemoveTagBigPages (MS17-017)
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=993 We have encountered Windows kernel crashes in the internal nt!nt!HvpGetBinMemAlloc and nt!ExpFindAndRemoveTagBigPages functions while loading corrupted registry hive files. We believe both crashes to be caused by the same bug...
Mozilla Firefox - 'table' Use-After-Free
body display: table function freememory try fuzzPriv.forceGC; catcherr alert'Please install domFuzzLite3'; function go var s = document.getSelection; window.find"1",true,false,true,false; s.modify"extend","forward","line"; document.body.appenddocument.createElement"table"; freememory uZ1CqnaASOkr...
D-Link DGS-1510 - Multiple Vulnerabilities
================ get-user-info.py ================ import re import os.path import urllib2 import base64 import gzip import zlib from StringIO import StringIO from io import BytesIO def makerequests: """Calls request functions sequentially.""" response = None responseText = None...
phplist 3.2.6 - SQL Injection
Introduction Affected Product: phplist 3.2.6 Fixed in: 3.3.1 Fixed Version Link: https://sourceforge.net/projects/phplist/files/phplist/3.3.1/phplist-3.3.1.zip/download Vendor Website: https://www.phplist.org/ Vulnerability Type: SQL Injection Remote Exploitable: Yes Reported to vendor:...
Linux/x86 - File Reader Shellcode (54 Bytes)
Linux/x86 - File Reader Shellcode 54 Bytes. Shellcode exploit for Linx86 platform ;================================================================================ ; The MIT License ; ; Copyright c ; ; Permission is hereby granted, free of charge, to any person obtaining a copy ; of this software...
FTPShell Server 6.56 - 'ChangePassword' Buffer Overflow
print ''' Created: ScrR1pTK1dd13 Name: Greg Priest Mail: [email protected] Exploit Title: FTPShell Server 6.56 ChangePassword DEP off BufferOverflow 0Day Date: 2017.03.19 Exploit Author: Greg Priest Version: FTPShell Server 6.56 Tested on: Windows7 x64 HUN/ENG Enterprise ''' overflow...
HttpServer 1.0 - Directory Traversal
Exploit Title: HttpServer 1.0 DolinaySoft Directory Traversal Date: 2017-03-19 Exploit Author: malwrforensics Software Link: http://www.softpedia.com/get/Internet/Servers/WEB-Servers/HttpServer.shtmldownload Version: 1.0 Tested on: Windows Exploiting this issue will allow an attacker to view...
Secure Download Links - 'dc' SQL Injection
Exploit Title: Secure Download Links - SQL Injection Google Dork: N/A Date: 19.03.2017 Vendor Homepage: http://sixthlife.net/ Software: http://sixthlife.net/product/secure-download-links/ Demo: http://www.satyamtechnologies.net/secdown/example.php Version: N/A Tested on: Win7 x64, Kali Linux x64...
Omegle Clone - SQL Injection
Exploit Title: Omegle Clone - SQL Injection Google Dork: N/A Date: 18.03.2017 Vendor Homepage: http://turnkeycentral.com/ Software: http://www.turnkeycentral.com/scripts/omegle-clone/ Demo: http://demo.turnkeycentral.com/omegleclone/ Version: N/A Tested on: Win7 x64, Kali Linux x64 Exploit Author...
DIGISOL DG-HR1400 1.00.02 Wireless Router - Privilege Escalation
Title: ====== Cookie based privilege escalation in DIGISOL DG-HR1400 1.00.02 wireless router. CVE Details: ============ CVE-2017-6896 Reference: ========== https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6896 https://vuldb.com/sv/?id.97954...
iFdate Social Dating Script 2.0 - SQL Injection
Exploit Title: iFdate Social Dating Script v2.0 - SQL Injection Google Dork: N/A Date: 18.03.2017 Vendor Homepage: http://turnkeycentral.com/ Software: http://turnkeycentral.com/scripts/social-dating-script/ Demo: http://demo.turnkeycentral.com/ifdate/index.php Version: 2.0 Tested on: Win7 x64,...
Linux/x86 - Bind Shell Shellcode (42 bytes)
Linux/x86 - Bind Shell Shellcode 42 bytes. Shellcode exploit for Linx86 platform / SuperSmallBindShell 2 x86 Date: 17.03.2017 This shellcode will listen on random port and show you how deep the rabbit hole goes Please note that ports below 1024 require high privileges to bind! Shellcode Author:...
Linux/x86 - Encoded exceve("/bin/sh") Shellcode (44 Bytes)
Linux/x86 - Encoded exceve"/bin/sh" Shellcode 44 Bytes. Shellcode exploit for Linx86 platform ;================================================================================ ; The MIT License ; ; Copyright c ; ; Permission is hereby granted, free of charge, to any person obtaining a copy ; of...
FTPShell Client 6.53 - 'Session name' Local Buffer Overflow
print ''' Created: ScrR1pTK1dd13 Name: Greg Priest Mail: [email protected] Exploit Title: FTPShell Client 6.53 Session name BufferOverflow Date: 2017.03.17 Exploit Author: Greg Priest Version: FTPShell Client 6.53 Tested on: Windows7 x64 HUN/ENG Professional ''' a = "A" 460 b =...
AXIS Communications - Cross-Site Scripting / Content Injection
0RWELLL4BS security advisory olsa-2015-8258 PGP: 79A6CCC0 @orwelllabs Advisory Information ==================== - Title: ImagePath Resource Injection/Open script editor - Vendor: AXIS Communications - Research and Advisory: Orwelllabs - Class: Improper Input Validation CWE-20 - CVE Name:...
Departmental Store Management System 1.2 - SQL Injection
Exploit Title: Pasal - Departmental Store Management System v1.2 - SQL Injection Google Dork: N/A Date: 17.03.2017 Vendor Homepage: http://webstarslab.com Software : http://webstarslab.com/products/pasal-departmental-store-management-system/ Demo:...
Cisco IOS 12.2 < 12.4 / 15.0 < 15.6 - Security Association Negotiation Request Device Memory
!/usr/bin/python -- coding: utf8 -- import socket from scapy.all import --------------------------- Requirements: $ sudo pip install scapy --------------------------- conf.verb = 0 RCVSIZE = 2548 TIMEOUT = 6 payload = '5\xc7\x07\xdf\xed\xef\x00\x00\x00\x00\x00\x00\x00\x00\x01\x10\x02' payload +=...
SolarWinds LEM 6.3.1 - Remote Code Execution (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "SolarWind LEM Default SSH Password Remote Code Execution", 'Description' = %q This module exploits the default credentials of SolarWind LEM. A men...
AXIS (Multiple Products) - Cross-Site Request Forgery
0RWELLL4BS security advisory olsa-CVE-2015-8255 PGP: 79A6CCC0 @orwelllabs Advisory Information ==================== - Title: Cross-Site Request Forgery - Vendor: AXIS Communications - Research and Advisory: Orwelllabs - Class: Session Management control CWE-352 - CVE Name: CVE-2015-8255 - Affecte...
Oracle Knowledge Management 12.1.1 < 12.2.5 - XML External Entity Leading To Remote Code Execution
SSD Advisory – Oracle Knowledge Management XXE Leading to a RCE Vulnerability Summary The following advisory describe Information Disclosure found in Oracle Knowledge Management version 8.5.1. By enabling searches across a wide variety of sources, Oracle's InQuira knowledge management products...
CommVault Edge 11 SP6 - Stack Buffer Overflow (PoC)
import socket import binascii import time import struct s = socket.socketsocket.AFINET, socket.SOCKSTREAM s.settimeout1 s.connect"10.101.0.85", 8400 def srp=None, r=None: if p: print "sending %d bytes: %s " % lenp/2,p payl = binascii.a2bhexp s.sendpayl if r: data = s.recv10242 print "received %d...
Microsoft Windows DVD Maker 6.1.7 - XML External Entity Injection
Credits: John Page AKA hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-DVD-MAKER-XML-EXTERNAL-ENTITY-FILE-DISCLOSURE.txt + ISR: ApparitionSec Vendor: ================= www.microsoft.com Product: ================= Windows DVD Maker...
Cobbler 2.8.0 - (Authenticated) Remote Code Execution
!/usr/bin/python """ Exploit title: Cobbler 2.8.x Authenticated RCE. Author: Dolev Farhi Contact: dolevf at protonmail.com @hack6tence Date: 03-16-2017 Vendor homepage: cobbler.github.io Software version: v.2.5.160805 Software Description ===================== Cobbler is a Linux installation serv...
Microsoft Edge 38.14393.0.0 - JavaScript Engine Use-After-Free
f.onload = null; for var x in window if whitelist.indexOfx != -1 continue; try window.lookupGetterx.callf.contentWindow; logx; catch e ; f.src = "https://abc.xyz/"; document.body.appendChildf; And after some plays, finally reached an UAF condition. PoC is attached. RIP will jump into the freed JI...
WordPress Plugin Membership Simplified 1.58 - Arbitrary File Download
import requests import string import random from urlparse import urlparse print "---------------------------------------------------------------------" print "Wordpress Plugin Membership Simplified v1.58 - Arbitrary File Download\nDiscovery: Larry W. Cashdollar\nExploit Author: Munir...
Cerberus FTP Server 8.0.10.3 - 'MLST' Buffer Overflow (PoC)
Title: Cerberus FTP Server 8.0.10.3 – 'MLST' Remote Buffer Overflow + Credits / Discovery: Nassim Asrir + Author Contact: [email protected] || https://www.linkedin.com/in/nassim-asrir-b73a57122/ + Author Company: Henceforth + CVE: CVE-2017-6880 Vendor: ===============...
ASUS PCE-AC56 WLAN Card Utilities (PCAUSA Rawether Windows 10 x64) - Local Privilege Escalation
ASUS PCE-AC56 WLAN Card Utilities PCAUSA Rawether Windows 10 x64 - Local Privilege Escalation. Local exploit for Winx86-64 platform Rawether for Windows is a framework that facilitates communication between an application and the NDIS miniport driver. Itâs produced by a company named Printing...