freeFTP 1.0.8 - 'PASS' Remote Buffer Overflow

Exploit Title: freeFTP 1.0.8 - Remote Buffer Overflow Date: 2019-09-01 Author: Chet Manly Software Link: https://download.cnet.com/FreeFTP/3000-21604-10047242.html Version: 1.0.8 CVE: N/A from ftplib import FTP buf = "" buf += "\x89\xe1\xdb\xdf\xd9\x71\xf4\x5e\x56\x59\x49\x49\x49" buf +=...

CheckPoint Endpoint Security Client/ZoneAlarm 15.4.062.17802 - Privilege Escalation

Exploit Title: CheckPoint Endpoint Security Client/ZoneAlarm 15.4.062.17802 - Privilege Escalation Date: 2019-01-30 Exploit Author: Jakub Palaczynski Vendor Homepage: https://www.checkpoint.com/ Version: Check Point Endpoint Security VPN = E80.87 Build 986009514 Version: Check Point ZoneAlarm =...

LabCollector 5.423 - SQL Injection

Exploit Title: LabCollector Laboratory Information System 5.423 - Multiples SQL Injection Date: 09/09/2019 Software Links/Project: https://www.labcollector.com/clientarea/downloads.php Version: LabCollector Laboratory Information System 5.423 Exploit Author: Carlos Avila Category: webapps Tested...

Android - Binder Driver Use-After-Free

The following issue exists in the android-msm-wahoo-4.4-pie branch of https://android.googlesource.com/kernel/msm and possibly others: There is a use-after-free of the wait member in the binderthread struct in the binder driver at /drivers/android/binder.c. As described in the upstream commit:...

mintinstall 7.9.9 - Code Execution

Exploit Title: mintinstall aka Software Manager object injection Date: 10/02/2019 Exploit Author: Andhrimnirr Vendor Homepage: https://www.linuxmint.com/ Software Link: mintinstall aka Software Manager Version: 7.9.9 Tested on: Linux Mint CVE : CVE-2019-17080 import os import sys def...

PHP 7.0 < 7.3 (Unix) - 'gc' disable_functions Bypass

= 0; $j-- $address = 8; return $out; function write&$str, $p, $v, $n = 8 $i = 0; for$i = 0; $i = 8; function leak$addr, $p = 0, $s = 8 global $abc, $helper; write$abc, 0x68, $addr + $p - 0x10; $leak = strlen$helper-a; if$s != 8 $leak %= 2 $s 8 - 1; return $leak; function parseelf$base $etype =...

AnchorCMS < 0.12.3a - Information Disclosure

Exploit Title: Information disclosure MySQL password in error log Date: 2/10/2019 Exploit Author: Tijme Gommers https://twitter.com/finnwea/ Vendor Homepage: https://anchorcms.com/ Software Link: https://github.com/anchorcms/anchor-cms/releases Version: 0.12.3a Tested on: Linux CVE : CVE-2018-725...

Detrix EDMS 1.2.3.1505 - SQL Injection

!/usr/bin/php / Exploit Title: Detrix EDMS cleartext user password remote SQLI exploit Google Dork: Date: Jul 2019 Exploit Author: Burov Konstantin Vendor Homepage: forum.detrix.kz Software Link:...

DOUBLEPULSAR - Payload Execution and Neutralization (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'DOUBLEPULSAR Payload Execution and Neutralization', 'Description' = %q This module executes a Metasploit payload against the Equation Group's...

WebKit - User-agent Shadow root Leak in WebCore::ReplacementFragment::ReplacementFragment

ReplacementFragment::insertFragmentForTestRenderingNode rootEditableElement auto holder = createDefaultParagraphElementdocument; holder-appendChildmfragment; rootEditableElement-appendChildholder; // 2 document.updateLayoutIgnorePendingStylesheets; return holder;...

DameWare Remote Support 12.1.0.34 - Buffer Overflow (SEH)

!/usr/bin/env python Author: Xavi Beltran Contact: [email protected] Exploit Development: https://xavibel.com/2019/08/31/seh-based-local-buffer-overflow-dameware-remote-support-v-12-1-0-34/ Date: 14/7/2019 Description: SEH based Buffer Overflow DameWare Remote Support V. 12.1.0.34 Tools...

DotNetNuke < 9.4.0 - Cross-Site Scripting

Exploit Title: Stored Cross-Site Scripting in DotNetNuke DNN Version before 9.4.0 Exploit Description : This exploit will add a superuser to target DNN website. Exploit Condition : Successful exploitation occurs when an admin user visits a notification page. Exploit Author: MAYASEVEN CVE :...

WebKit - Universal XSS Using Cached Pages

VULNERABILITY DETAILS void FrameLoader::detachChildren ... SubframeLoadingDisabler subframeLoadingDisablermframe.document; // 1 Vector, 16 childrenToDetach; childrenToDetach.reserveInitialCapacitymframe.tree.childCount; for Frame child = mframe.tree.lastChild; child; child =...

WebKit - Universal XSS in WebCore::command

frame = document-frame; if !frame || frame-document != document // 1 return Editor::Command; document-updateStyleIfNeeded; // 2 return frame-editor.commandcommandName, userInterface ? CommandFromDOMWithUserInterface : CommandFromDOM; bool Document::execCommandconst String& commandName, bool...

WebKit - UXSS Using JavaScript: URI and Synchronous Page Loads

VULNERABILITY DETAILS void DocumentWriter::replaceDocumentconst String& source, Document ownerDocument ... beginmframe-document-url, true, ownerDocument; // 1 // begin might fire an unload event, which will result in a situation where no new document has been attached, // and the old document has...

DotNetNuke 9.3.2 - Cross-Site Scripting

/ Exploit Title: "Display Name" Stored Unauthenticated XSS in DNN v9.3.2 Date: 4th of July, 2019 Exploit Author: Semen Alexandrovich Lyhin Vendor Homepage: https://www.dnnsoftware.com/ Software Link: https://github.com/dnnsoftware/Dnn.Platform/releases Version: v9.3.2 CVE : CVE-2019-13293 A...

kic 2.4a - Denial of Service

Exploit Title: Ciftokic 2.4a - DoS Buffer Overflow Date: September 30, 2019 Exploit Author: @JosueEncinar Software Link: http://launchpad.net/ubuntu/+source/kic/2.4a-1 Version: 2.4a Tested on: Ubuntu 18.04 ''' If we check the ciftokic.c file on line 52 we see the following code: char CIFFile81,...

Cisco Small Business 220 Series - Multiple Vulnerabilities

!/usr/bin/python2.7 """ Subject Realtek Managed Switch Controller RTL83xx PoC 2019 bashis https://www.realtek.com/en/products/communications-network-ics/category/managed-switch-controller Brief description 1. Boa/Hydra suffer of exploitable stack overflow with a 'one byte read-write loop' w/o...

TheSystem 1.0 - Command Injection

Exploit Title: thesystem Command Injection Author: Sadik Cetin Discovery Date: 2019-09-28 Vendor Homepage: https://github.com/kostasmitroglou/thesystem | https://github.com/kostasmitroglou/thesystem Software Link: https://github.com/kostasmitroglou/thesystem |...

thesystem 1.0 - Cross-Site Scripting

Exploit Title: thesystem Persistent XSS Author: Anıl Baran Yelken Discovery Date: 2019-09-28 Vendor Homepage: https://github.com/kostasmitroglou/thesystem Software Link: https://github.com/kostasmitroglou/thesystem Tested Version: 1.0 Tested on OS: Windows 10 CVE: N/A Type: Webapps Description:...

GoAhead 2.5.0 - Host Header Injection

Exploit Title: GoAhead Web server HTTP Header Injection. Shodan Query: Server: Goahead Discovered Date: 05/07/2019 Exploit Author: Ramikan Vendor Homepage: https://www.embedthis.com/goahead/ Affected Version: 2.5.0 may be others. Tested On Version: 2.5.0 in Cisco Switches and Net Gear routers...

WordPress Plugin ARforms 3.7.1 - Arbitrary File Deletion

!/usr/bin/env ruby Exploit Title: WordPress Arforms - 3.7.1 CVE ID: CVE-2019-16902 Date: 2019-09-27 Exploit Author: Ahmad Almorabea Author Website: http://almorabea.net Updated version of the exploit can be found always at : http://almorabea.net/cve-2019-16902.txt Software Link:...

phpIPAM 1.4 - SQL Injection

!/usr/bin/env python3 Exploit Title: phpIPAM Custom Field Filter SQL Injection Exploit Announcement Date: September 16, 2019 5:18 AM Exploit Creation Date: September 27, 2019 Exploit Author: Kevin Kirsche Vendor Homepage: https://phpipam.net Software Link:...

vBulletin 5.x - Remote Command Execution (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'vBulletin 5.x 0day pre-quth RCE exploit', 'Description' = %q vBulletin 5.x 0day pre-auth RCE exploit. This should work on all versions from 5.0.0...

PHP 7.1 < 7.3 - 'json serializer' disable_functions Bypass

= 8; public function str2ptr&$str, $p = 0, $s = 8 $address = 0; for$j = $s-1; $j = 0; $j-- $address = 8; return $out; unable to leak ro segments public function leak1$addr global $spl1; $this-write$this-abc, 8, $addr - 0x10; return strlengetclass$spl1; the real deal public function leak2$addr, $p...

thesystem App 1.0 - Persistent Cross-Site Scripting

Exploit Title: thesystem App 1.0 - Persistent Cross-Site Scripting Author: İsmail Güngör Discovery Date: 2019-09-26 Vendor Homepage: https://github.com/kostasmitroglou/thesystem Software Link: https://github.com/kostasmitroglou/thesystem Tested Version: 1.0 Tested on OS: Windows 10 CVE: N/A...

Mobatek MobaXterm 12.1 - Buffer Overflow (SEH)

Title: Mobatek MobaXterm 12.1 - Buffer Overflow SEH Author: Xavi Beltran Date: 2019-08-31 Vendor: xavibel.com Vedor Page: https://mobaxterm.mobatek.net/download.html Software Link: https://download.mobatek.net/1112019010310554/MobaXtermPortablev11.1.zip Exploit Development process:...

WordPress Theme Zoner Real Estate - 4.1.1 Persistent Cross-Site Scripting

Exploit Title: WordPress Theme Zoner Real Estate - 4.1.1 Persistent Cross-Site Scripting Google Dork: inurl:/wp-content/themes/zoner/ Date: 2019-09-24 Exploit Author: m0ze Vendor Homepage: https://fruitfulcode.com/ Software Link:...

V-SOL GPON/EPON OLT Platform 2.03 - Unauthenticated Configuration Download

Title: V-SOL GPON/EPON OLT Platform 2.03 - Unauthenticated Configuration Download Date: 2019-09-27 Author: LiquidWorm Vendor: Guangzhou V-SOLUTION Electronic Technology Co., Ltd. Product web page: https://www.vsolcn.com Affected version: V2.03.62RIPv6 V2.03.54R V2.03.52R V2.03.49 V2.03.47 V2.03.4...

thesystem App 1.0 - 'server_name' SQL Injection

Exploit Title: thesystem 1.0 - 'servername' SQL Injection Author: Sadik Cetin Discovery Date: 2019-09-26 Vendor Homepage: https://github.com/kostasmitroglou/thesystem Software Link: https://github.com/kostasmitroglou/thesystem Tested Version: 1.0 Tested on OS: Windows 10 CVE: N/A Description:...

V-SOL GPON/EPON OLT Platform 2.03 - Remote Privilege Escalation

Exploit Title: V-SOL GPON/EPON OLT Platform 2.03 - Remote Privilege Escalation Author: LiquidWorm Discovery Date: 2019-09-26 Vendor: Guangzhou V-SOLUTION Electronic Technology Co., Ltd. Product web page: https://www.vsolcn.com Tested on: GoAhead-Webs Advisory ID: ZSL-2019-5538 Advisory URL:...

thesystem App 1.0 - 'username' SQL Injection

Exploit Title: thesystem App 1.0 - 'username' SQL Injection Author: Anıl Baran Yelken Discovery Date: 2019-09-26 Vendor Homepage: https://github.com/kostasmitroglou/thesystem Software Link: https://github.com/kostasmitroglou/thesystem Tested Version: 1.0 Tested on OS: Windows 10 CVE: N/A...

V-SOL GPON/EPON OLT Platform 2.03 - Cross-Site Request Forgery

Exploit Title: V-SOL GPON/EPON OLT Platform 2.03 - Cross-Site Request Forgery Author: LiquidWorm Discovery Date: 2019-09-26 Vendor: Guangzhou V-SOLUTION Electronic Technology Co., Ltd. Product web page: https://www.vsolcn.com Tested on: GoAhead-Webs Advisory ID: ZSL-2019-5536 Advisory URL:...

InoERP 0.7.2 - Persistent Cross-Site Scripting

Exploit Title: InoERP 0.7.2 - Persistent Cross-Site Scripting Google Dork: None Date: 2019-09-14 Exploit Author: strider Vendor: http://inoideas.org/ Software Link: https://github.com/inoerp/inoERP Version: 0.7.2 Tested on: Debian 10 Buster x64 / Kali Linux CVE : None...

citecodecrashers Pic-A-Point 1.1 - 'Consignment' SQL Injection

Exploit Title: citecodecrashers Pic-A-Point 1.1 - 'Consignment' SQL Injection Author: Cakes Discovery Date: 2019-09-26 Vendor Homepage: https://github.com/citecodecrashers/Pic-A-Point Software Link: https://github.com/citecodecrashers/Pic-A-Point/archive/master.zip Tested Version: 1.1 Tested on O...

all-in-one-seo-pack 3.2.7 - Persistent Cross-Site Scripting

Exploit Title: all-in-one-seo-pack 3.2.7 - Persistent Cross-Site Scripting Google Dork: inurl:"\wp-content\plugins\all-in-one-seo-pack" Date: 2019-06-13 Exploit Author: Unk9vvN Vendor Homepage: https://semperplugins.com/all-in-one-seo-pack-pro-version Software Link:...

Duplicate-Post 3.2.3 - Persistent Cross-Site Scripting

Exploit Title: Duplicate-Post 3.2.3 - Persistent Cross-Site Scripting Google Dork: N/A Date: 2019-06-11 Exploit Author: Unk9vvN Vendor Homepage: https://duplicate-post.lopo.it/ Software Link: https://wordpress.org/plugins/duplicate-post/ Version: 3.2.3 Tested on: Kali Linux CVE: N/A Description...

Chamillo LMS 1.11.8 - Arbitrary File Upload

Exploit Title: Chamillo LMS 1.11.8 - Arbitrary File Upload Google Dork: "powered by chamilo" Date: 2018-10-05 Exploit Author: Sohel Yousef jellyfish security team Software Link: https://chamilo.org/en/download/ Version: Chamilo 1.11.8 or lower to 1.8 Category: webapps 1. Description Any registere...

inoERP 4.15 - 'download' SQL Injection

Exploit Title: inoERP 4.15 - 'download' SQL Injection Date: 2019-09-13 Exploit Author: Semen Alexandrovich Lyhin Vendor Homepage: http://inoideas.org/ Version: 4.15 CVE: N/A A malicious query can be sent in base64 encoding to unserialize function. It can be deserialized without any sanitization...

YzmCMS 5.3 - 'Host' Header Injection

Exploit Title: YzmCMS 5.3 - 'Host' Header Injection Exploit Author: Debashis Pal Vendor Homepage: http://www.yzmcms.com/ Source: https://github.com/yzmcms/yzmcms Version: YzmCMS V5.3 CVE : N/A Tested on: Windows 7 SP164bit,XAMPP: 7.3.9 About YzmCMS ============== YzmCMS is a lightweight open sour...

WP Server Log Viewer 1.0 - 'logfile' Persistent Cross-Site Scripting

Exploit Title: WP Server Log Viewer 1.0 - 'logfile' Persistent Cross-Site Scripting Date: 2019-09-10 Exploit Author: strider Software Link: https://github.com/anttiviljami/wp-server-log-viewer Version: 1.0 Tested on: Debian 10 Buster x64 / Kali Linux CVE : None...

NPMJS gitlabhook 0.0.17 - 'repository' Remote Command Execution

Exploit Title: NPMJS gitlabhook 0.0.17 - 'repository' Remote Command Execution Date: 2019-09-13 Exploit Author: Semen Alexandrovich Lyhin Vendor Homepage: https://www.npmjs.com/package/gitlabhook Version: 0.0.17 Tested on: Kali Linux 2, Windows 10. CVE : CVE-2019-5485 !/usr/bin/python import...

ABRT - sosreport Privilege Escalation (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'ABRT sosreport Privilege Escalation', 'Description' = %q This module attempts to gain root privileges on RHEL systems with a vulnerable version o...

SpotIE Internet Explorer Password Recovery 2.9.5 - 'Key' Denial of Service

Exploit Title: SpotIE Internet Explorer Password Recovery 2.9.5 - 'Key' Denial of Service Date: 2019-20-09 Exploit Author: Emilio Revelo Vendor Homepage: http://www.nsauditor.com/ Software Link : http://www.nsauditor.com/downloads/spotiesetup.exe Tested on: Windows 10 Pro x64 es Version: 2.9.5...

Microsoft SharePoint 2013 SP1 - 'DestinationFolder' Persistant Cross-Site Scripting

Exploit Title: Microsoft SharePoint 2013 SP1 - 'DestinationFolder' Persistent Cross-Site Scripting Author: Davide Cioccia Discovery Date: 2019-09-25 Vendor Homepage: https://www.microsoft.com Software Link:...

iMessage - Decoding NSSharedKeyDictionary Can Read Object Out of Bounds

When an NSKeyedUnarchiver decodes an object, it first allocates the object using allocWithZone, and then puts the object into a dictionary for temporary objects. It then calls the appropriate initWithCoder: on the allocated object. If initWithCoder: or any method it calls decodes the same object,...

Microsoft Windows cryptoapi - SymCrypt Modular Inverse Algorithm Denial of Service

There's a bug in the SymCrypt multi-precision arithmetic routines that can cause an infinite loop when calculating the modular inverse on specific bit patterns with bcryptprimitives!SymCryptFdefModInvGeneric. I've been able to construct an X.509 certificate that triggers the bug. I've found that...

Pfsense 2.3.4 / 2.4.4-p3 - Remote Code Injection

Exploit Title: Pfsense 2.3.4 / 2.4.4-p3 - Remote Code Injection Date: 23/09/2018 Author: Nassim Asrir Vendor Homepage: https://www.pfsense.org/ Contact: [email protected] | https://www.linkedin.com/in/nassim-asrir-b73a57122/ CVE: CVE-2019-16701 Tested On: Windows 1064bit | Pfsense 2.3.4 / 2.4.4-...

DeviceViewer 3.12.0.1 - 'creating user' Denial of Service

!/usr/bin/python Exploit Title: DeviceViewer 3.12.0.1 - 'creating user' DOS buffer overflow Date: 9/23/2019 Exploit Author: x00pwn Vendor Homepage: http://www.sricam.com/ Software Link: http://download.sricam.com/Manual/DeviceViewer.exe Version: v3.12.0.1 Tested on: Windows 7 Steps to reproduce: ...

File Sharing Wizard 1.5.0 - POST SEH Overflow

import socket from struct import Exploit Title: File sharing wizard 'post' remote SEH overflow Date: 9/23/2019 Exploit Author: x00pwn Software Link: https://file-sharing-wizard.soft112.com/ Version: 1.5.0 Tested on: Windows 7 CVE : CVE-2019-16724 File-sharing-wizard-seh...