47904 matches found
Microsoft Windows Kernel - Out-of-Bounds Read in nt!MiParseImageLoadConfig While Parsing Malformed PE File
We have encountered a Windows kernel crash in memcpy called by nt!MiParseImageLoadConfig while trying to load a malformed PE image into the process address space as a data file i.e. LoadLibraryExLOADLIBRARYASDATAFILE | LOADLIBRARYASIMAGERESOURCE. An example crash log generated after triggering th...
Microsoft Windows Kernel - Out-of-Bounds Read in nt!MiRelocateImage While Parsing Malformed PE File
We have encountered a Windows kernel crash in memcpy called by nt!MiRelocateImage while trying to load a malformed PE image into the process address space as a data file i.e. LoadLibraryExLOADLIBRARYASDATAFILE | LOADLIBRARYASIMAGERESOURCE. An example crash log generated after triggering the bug i...
Microsoft Windows Kernel - Out-of-Bounds Read in CI!CipFixImageType While Parsing Malformed PE File
We have encountered a Windows kernel crash in CI!CipFixImageType while trying to load a malformed PE image into the process address space as a data file i.e. LoadLibraryExLOADLIBRARYASDATAFILE | LOADLIBRARYASIMAGERESOURCE. An example crash log generated after triggering the bug is shown below: --...
Microsoft Windows Kernel - NULL Pointer Dereference in nt!MiOffsetToProtos While Parsing Malformed PE File
We have encountered a Windows kernel crash in nt!MiOffsetToProtos while trying to load a malformed PE image into the process address space as a data file i.e. LoadLibraryExLOADLIBRARYASDATAFILE | LOADLIBRARYASIMAGERESOURCE. An example crash log generated after triggering the bug is shown below: -...
Microsoft Windows Kernel - win32k.sys TTF Font Processing Pool Corruption in win32k!ulClearTypeFilter
We have encountered a Windows kernel crash in the win32k.sys driver while processing a corrupted TTF font file. An example crash log excerpt generated after triggering the bug is shown below: --- cut --- Fatal System Error: 0x00000050...
TP-Link TL-WR1043ND 2 - Authentication Bypass
Exploit Title: TP-Link TL-WR1043ND 2 - Authentication Bypass Date: 2019-06-20 Exploit Author: Uriel Kosayev Vendor Homepage: https://www.tp-link.com Version: TL-WR1043ND V2 Tested on: TL-WR1043ND V2 CVE : CVE-2019-6971 CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2019-6971 import requests ascii...
ASX to MP3 converter 3.1.3.7 - '.asx' Local Stack Overflow (DEP Bypass) (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class MetasploitModule "ASX to MP3 converter 3.1.3.7 - '.asx' Local Stack Overflow DEP", 'Description' = %q This module exploits a stack buffer overfl...
SMA Solar Technology AG Sunny WebBox device - 1.6 - Cross-Site Request Forgery
Exploit Title: SMA Solar Technology AG Sunny WebBox device - 1.6 - Cross-Site Request Forgery Date: 2019-10-08 Exploit Author: Borja Merino and Eduardo Villaverde Vendor Homepage: https://www.sma.de Version: Firmware Version 1.6 and prior Tested on: Sunny WebBox SMA Solar Device Firmware Version...
XNU - Remote Double-Free via Data Race in IPComp Input Path
=== Summary === This report describes a bug in the XNU implementation of the IPComp protocol https://tools.ietf.org/html/rfc3173. This bug can be remotely triggered by an attacker who is able to send traffic to a macOS system iOS AFAIK isn't affected over two network interfaces at the same time...
Foscam Video Management System 1.1.6.6 - 'UID' Denial of Service (PoC)
Exploit Title: Foscam Video Management System 1.1.6.6 - 'UID' Denial of Service PoC Author: Alessandro Magnosi Date: 2019-10-09 Vendor Homepage: https://www.foscam.com/ Software Link : https://www.foscam.com/downloads/appsoftware.html?id=5 Tested Version: 1.1.6.6 Vulnerability Type: Denial of...
DeviceViewer 3.12.0.1 - 'add user' Local Buffer Overflow (DEP Bypass)
Exploit Title: Sricam DeviceViewer 3.12.0.1 - 'add user' Local Buffer Overflow DEP Bypass Date: 08/10/2019 Exploit Author: Alessandro Magnosi Vendor Homepage: http://www.sricam.com/ Software Link: http://download.sricam.com/Manual/DeviceViewer.exe Version: v3.12.0.1 Exploit type: Local Tested on:...
DeviceViewer 3.12.0.1 - Arbitrary Password Change
Exploit Title: DeviceViewer 3.12.0.1 - Arbitrary Password Change Date: 2019-09-10 Exploit Author: Alessandro Magnosi Vendor Homepage: http://www.sricam.com/ Software Link: http://download.sricam.com/Manual/DeviceViewer.exe Version: v3.12.0.1 Tested on: Windows 7 !/usr/bin/python Steps to reproduc...
Zabbix 4.4 - Authentication Bypass
Exploit Title: Zabbix 4.4 - Authentication Bypass Date: 2019-10-06 Exploit Author: Todor Donev Software Link: https://www.zabbix.com/download Version: Zabbix 4.4 Tested on: Linux Apache/2 PHP/7.2 Zabbix Initializing the browser Referer = User-Agent = Opera/9.61 Macintosh; Intel Mac OS X; U; de...
CheckPoint Endpoint Security Client/ZoneAlarm 15.4.062.17802 - Privilege Escalation
Exploit Title: CheckPoint Endpoint Security Client/ZoneAlarm 15.4.062.17802 - Privilege Escalation Date: 2019-01-30 Exploit Author: Jakub Palaczynski Vendor Homepage: https://www.checkpoint.com/ Version: Check Point Endpoint Security VPN = E80.87 Build 986009514 Version: Check Point ZoneAlarm =...
freeFTP 1.0.8 - 'PASS' Remote Buffer Overflow
Exploit Title: freeFTP 1.0.8 - Remote Buffer Overflow Date: 2019-09-01 Author: Chet Manly Software Link: https://download.cnet.com/FreeFTP/3000-21604-10047242.html Version: 1.0.8 CVE: N/A from ftplib import FTP buf = "" buf += "\x89\xe1\xdb\xdf\xd9\x71\xf4\x5e\x56\x59\x49\x49\x49" buf +=...
IBM Bigfix Platform 9.5.9.62 - Arbitrary File Upload
Exploit Title: IBM Bigfix Platform 9.5.9.62 - Arbitrary File Upload Date: 2018-12-11 Exploit Authors: Jakub Palaczynski Vendor Homepage: https://www.ibm.com/ Version: IBM Bigfix Platform Software Add Software" menu. Here user needs to choose upload via URL option as only this one is vulnerable. U...
Joomla! 3.4.6 - 'configuration.php' Remote Code Execution
Exploit Title: Joomla 3.4.6 - 'configuration.php' Remote Code Execution Google Dork: N/A Date: 2019-10-02 Exploit Author: Alessandro Groppo @Hacktive Security Vendor Homepage: https//www.joomla.it/ Software Link: https://downloads.joomla.org/it/cms/joomla3/3-4-6 Version: 3.0.0 -- 3.4.6 Tested on:...
Subrion 4.2.1 - 'Email' Persistant Cross-Site Scripting
Title: Subrion 4.2.1 - 'Email' Persistant Cross-Site Scripting Date: 2019-10-07 Author: Min Ko Ko Creatigon Vendor Homepage: https://subrion.org/ CVE : https://nvd.nist.gov/vuln/detail/CVE-2019-17225 Website : https://l33thacker.com Description : Allows XSS via the panel/members/ Username, Full...
ASX to MP3 converter 3.1.3.7 - '.asx' Local Stack Overflow (DEP)
Exploit Title: ASX to MP3 converter 3.1.3.7 - '.asx' Local Stack Overflow DEP Google Dork: N/A Date: 2019-10-06 Exploit Author: max7253 Vendor Homepage: http://www.mini-stream.net/ Software Link: https://www.exploit-db.com/apps/f4da5b43ca4b035aae55dfa68daa67c9-ASXtoMP3Converter.exe Version:...
Zabbix 4.2 - Authentication Bypass
Exploit Title: Zabbix 4.2 - Authentication Bypass Date: 2019-10-06 Exploit Author: Milad Khoshdel Software Link: https://www.zabbix.com/download Version: Zabbix 2.x , 3.x , 4.x Tested on latest version Zabbix 4.2 Tested on: Linux Apache/2 PHP/7.2 Google Dork: inurl:zabbix/zabbix.php =========...
logrotten 3.15.1 - Privilege Escalation
Exploit Title: logrotten 3.15.1 - Privilege Escalation Date: 2019-10-04 Exploit Author: Wolfgang Hotwagner Vendor Homepage: https://github.com/logrotate/logrotate Software Link: https://github.com/logrotate/logrotate/releases/tag/3.15.1 Version: all versions through 3.15.1 Tested on: Debian...
vBulletin 5.0 < 5.5.4 - 'updateAvatar' Authenticated Remote Code Execution
?php / --------------------------------------------------------------------- vBulletin = 5.5.4 updateAvatar Remote Code Execution Vulnerability --------------------------------------------------------------------- author..............: Egidio Romano aka EgiX mail................:...
Android - Binder Driver Use-After-Free
The following issue exists in the android-msm-wahoo-4.4-pie branch of https://android.googlesource.com/kernel/msm and possibly others: There is a use-after-free of the wait member in the binderthread struct in the binder driver at /drivers/android/binder.c. As described in the upstream commit:...
LabCollector 5.423 - SQL Injection
Exploit Title: LabCollector Laboratory Information System 5.423 - Multiples SQL Injection Date: 09/09/2019 Software Links/Project: https://www.labcollector.com/clientarea/downloads.php Version: LabCollector Laboratory Information System 5.423 Exploit Author: Carlos Avila Category: webapps Tested...
PHP 7.0 < 7.3 (Unix) - 'gc' disable_functions Bypass
= 0; $j-- $address = 8; return $out; function write&$str, $p, $v, $n = 8 $i = 0; for$i = 0; $i = 8; function leak$addr, $p = 0, $s = 8 global $abc, $helper; write$abc, 0x68, $addr + $p - 0x10; $leak = strlen$helper-a; if$s != 8 $leak %= 2 $s 8 - 1; return $leak; function parseelf$base $etype =...
mintinstall 7.9.9 - Code Execution
Exploit Title: mintinstall aka Software Manager object injection Date: 10/02/2019 Exploit Author: Andhrimnirr Vendor Homepage: https://www.linuxmint.com/ Software Link: mintinstall aka Software Manager Version: 7.9.9 Tested on: Linux Mint CVE : CVE-2019-17080 import os import sys def...
AnchorCMS < 0.12.3a - Information Disclosure
Exploit Title: Information disclosure MySQL password in error log Date: 2/10/2019 Exploit Author: Tijme Gommers https://twitter.com/finnwea/ Vendor Homepage: https://anchorcms.com/ Software Link: https://github.com/anchorcms/anchor-cms/releases Version: 0.12.3a Tested on: Linux CVE : CVE-2018-725...
DOUBLEPULSAR - Payload Execution and Neutralization (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'DOUBLEPULSAR Payload Execution and Neutralization', 'Description' = %q This module executes a Metasploit payload against the Equation Group's...
Detrix EDMS 1.2.3.1505 - SQL Injection
!/usr/bin/php / Exploit Title: Detrix EDMS cleartext user password remote SQLI exploit Google Dork: Date: Jul 2019 Exploit Author: Burov Konstantin Vendor Homepage: forum.detrix.kz Software Link:...
DameWare Remote Support 12.1.0.34 - Buffer Overflow (SEH)
!/usr/bin/env python Author: Xavi Beltran Contact: [email protected] Exploit Development: https://xavibel.com/2019/08/31/seh-based-local-buffer-overflow-dameware-remote-support-v-12-1-0-34/ Date: 14/7/2019 Description: SEH based Buffer Overflow DameWare Remote Support V. 12.1.0.34 Tools...
DotNetNuke < 9.4.0 - Cross-Site Scripting
Exploit Title: Stored Cross-Site Scripting in DotNetNuke DNN Version before 9.4.0 Exploit Description : This exploit will add a superuser to target DNN website. Exploit Condition : Successful exploitation occurs when an admin user visits a notification page. Exploit Author: MAYASEVEN CVE :...
WebKit - Universal XSS in WebCore::command
frame = document-frame; if !frame || frame-document != document // 1 return Editor::Command; document-updateStyleIfNeeded; // 2 return frame-editor.commandcommandName, userInterface ? CommandFromDOMWithUserInterface : CommandFromDOM; bool Document::execCommandconst String& commandName, bool...
WebKit - Universal XSS Using Cached Pages
VULNERABILITY DETAILS void FrameLoader::detachChildren ... SubframeLoadingDisabler subframeLoadingDisablermframe.document; // 1 Vector, 16 childrenToDetach; childrenToDetach.reserveInitialCapacitymframe.tree.childCount; for Frame child = mframe.tree.lastChild; child; child =...
DotNetNuke 9.3.2 - Cross-Site Scripting
/ Exploit Title: "Display Name" Stored Unauthenticated XSS in DNN v9.3.2 Date: 4th of July, 2019 Exploit Author: Semen Alexandrovich Lyhin Vendor Homepage: https://www.dnnsoftware.com/ Software Link: https://github.com/dnnsoftware/Dnn.Platform/releases Version: v9.3.2 CVE : CVE-2019-13293 A...
WebKit - User-agent Shadow root Leak in WebCore::ReplacementFragment::ReplacementFragment
ReplacementFragment::insertFragmentForTestRenderingNode rootEditableElement auto holder = createDefaultParagraphElementdocument; holder-appendChildmfragment; rootEditableElement-appendChildholder; // 2 document.updateLayoutIgnorePendingStylesheets; return holder;...
WebKit - UXSS Using JavaScript: URI and Synchronous Page Loads
VULNERABILITY DETAILS void DocumentWriter::replaceDocumentconst String& source, Document ownerDocument ... beginmframe-document-url, true, ownerDocument; // 1 // begin might fire an unload event, which will result in a situation where no new document has been attached, // and the old document has...
kic 2.4a - Denial of Service
Exploit Title: Ciftokic 2.4a - DoS Buffer Overflow Date: September 30, 2019 Exploit Author: @JosueEncinar Software Link: http://launchpad.net/ubuntu/+source/kic/2.4a-1 Version: 2.4a Tested on: Ubuntu 18.04 ''' If we check the ciftokic.c file on line 52 we see the following code: char CIFFile81,...
WordPress Plugin ARforms 3.7.1 - Arbitrary File Deletion
!/usr/bin/env ruby Exploit Title: WordPress Arforms - 3.7.1 CVE ID: CVE-2019-16902 Date: 2019-09-27 Exploit Author: Ahmad Almorabea Author Website: http://almorabea.net Updated version of the exploit can be found always at : http://almorabea.net/cve-2019-16902.txt Software Link:...
GoAhead 2.5.0 - Host Header Injection
Exploit Title: GoAhead Web server HTTP Header Injection. Shodan Query: Server: Goahead Discovered Date: 05/07/2019 Exploit Author: Ramikan Vendor Homepage: https://www.embedthis.com/goahead/ Affected Version: 2.5.0 may be others. Tested On Version: 2.5.0 in Cisco Switches and Net Gear routers...
TheSystem 1.0 - Command Injection
Exploit Title: thesystem Command Injection Author: Sadik Cetin Discovery Date: 2019-09-28 Vendor Homepage: https://github.com/kostasmitroglou/thesystem | https://github.com/kostasmitroglou/thesystem Software Link: https://github.com/kostasmitroglou/thesystem |...
vBulletin 5.x - Remote Command Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'vBulletin 5.x 0day pre-quth RCE exploit', 'Description' = %q vBulletin 5.x 0day pre-auth RCE exploit. This should work on all versions from 5.0.0...
thesystem 1.0 - Cross-Site Scripting
Exploit Title: thesystem Persistent XSS Author: Anıl Baran Yelken Discovery Date: 2019-09-28 Vendor Homepage: https://github.com/kostasmitroglou/thesystem Software Link: https://github.com/kostasmitroglou/thesystem Tested Version: 1.0 Tested on OS: Windows 10 CVE: N/A Type: Webapps Description:...
phpIPAM 1.4 - SQL Injection
!/usr/bin/env python3 Exploit Title: phpIPAM Custom Field Filter SQL Injection Exploit Announcement Date: September 16, 2019 5:18 AM Exploit Creation Date: September 27, 2019 Exploit Author: Kevin Kirsche Vendor Homepage: https://phpipam.net Software Link:...
Cisco Small Business 220 Series - Multiple Vulnerabilities
!/usr/bin/python2.7 """ Subject Realtek Managed Switch Controller RTL83xx PoC 2019 bashis https://www.realtek.com/en/products/communications-network-ics/category/managed-switch-controller Brief description 1. Boa/Hydra suffer of exploitable stack overflow with a 'one byte read-write loop' w/o...
PHP 7.1 < 7.3 - 'json serializer' disable_functions Bypass
= 8; public function str2ptr&$str, $p = 0, $s = 8 $address = 0; for$j = $s-1; $j = 0; $j-- $address = 8; return $out; unable to leak ro segments public function leak1$addr global $spl1; $this-write$this-abc, 8, $addr - 0x10; return strlengetclass$spl1; the real deal public function leak2$addr, $p...
V-SOL GPON/EPON OLT Platform 2.03 - Unauthenticated Configuration Download
Title: V-SOL GPON/EPON OLT Platform 2.03 - Unauthenticated Configuration Download Date: 2019-09-27 Author: LiquidWorm Vendor: Guangzhou V-SOLUTION Electronic Technology Co., Ltd. Product web page: https://www.vsolcn.com Affected version: V2.03.62RIPv6 V2.03.54R V2.03.52R V2.03.49 V2.03.47 V2.03.4...
thesystem App 1.0 - 'server_name' SQL Injection
Exploit Title: thesystem 1.0 - 'servername' SQL Injection Author: Sadik Cetin Discovery Date: 2019-09-26 Vendor Homepage: https://github.com/kostasmitroglou/thesystem Software Link: https://github.com/kostasmitroglou/thesystem Tested Version: 1.0 Tested on OS: Windows 10 CVE: N/A Description:...
V-SOL GPON/EPON OLT Platform 2.03 - Remote Privilege Escalation
Exploit Title: V-SOL GPON/EPON OLT Platform 2.03 - Remote Privilege Escalation Author: LiquidWorm Discovery Date: 2019-09-26 Vendor: Guangzhou V-SOLUTION Electronic Technology Co., Ltd. Product web page: https://www.vsolcn.com Tested on: GoAhead-Webs Advisory ID: ZSL-2019-5538 Advisory URL:...
thesystem App 1.0 - Persistent Cross-Site Scripting
Exploit Title: thesystem App 1.0 - Persistent Cross-Site Scripting Author: İsmail Güngör Discovery Date: 2019-09-26 Vendor Homepage: https://github.com/kostasmitroglou/thesystem Software Link: https://github.com/kostasmitroglou/thesystem Tested Version: 1.0 Tested on OS: Windows 10 CVE: N/A...
thesystem App 1.0 - 'username' SQL Injection
Exploit Title: thesystem App 1.0 - 'username' SQL Injection Author: Anıl Baran Yelken Discovery Date: 2019-09-26 Vendor Homepage: https://github.com/kostasmitroglou/thesystem Software Link: https://github.com/kostasmitroglou/thesystem Tested Version: 1.0 Tested on OS: Windows 10 CVE: N/A...