Microsoft Windows 7 Kernel - win32k!xxxClientLpkDrawTextEx Stack Memory Disclosure
Microsoft Windows 7 Kernel - win32k!xxxClientLpkDrawTextEx Stack Memory Disclosure / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1182 We have discovered that it is possible to disclose portions of uninitialized kernel stack memory to user-mode applications in Windows 7 other...
Microsoft Windows 10 Kernel - nt!NtTraceControl (EtwpSetProviderTraits) Pool Memory Disclosure
Microsoft Windows 10 Kernel - nt!NtTraceControl EtwpSetProviderTraits Pool Memory Disclosure / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1161 We have discovered that the handler of the nt!NtTraceControl system call specifically the EtwpSetProviderTraitsUm functionality,...
Microsoft Windows 7 Kernel - Uninitialized Memory in the Default dacl Descriptor of System Processes Token
Microsoft Windows 7 Kernel - Uninitialized Memory in the Default dacl Descriptor of System Processes Token / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1145 We have observed on Windows 7 32-bit that for unclear reasons, the kernel-mode structure containing the default DACL ...
V5Y12UGoz90P6kZ
A Remote Browser's Agent XSS is a piece of software that allows a remote "operator" to control a browser as if he has physical access to that system. While desktop sharing and remote administration have many legal uses, "XSS" software is usually associated with criminal or malicious activity...
Microsoft Windows - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)
Description: SMBv1 SrvOs2FeaToNt OOB is prone to a remote code execution vulnerability because the application fails to perform adequate boundary-checks on user-supplied input. Srv.sys process SrvOs2FeaListSizeToNt and when the logic is not correct it leads to a cross-border copy. The vulnerabili...
Halliburton LogView Pro 10.0.1 - Local Buffer Overflow (SEH)
Halliburton LogView Pro 10.0.1 - Local Buffer Overflow SEH #!/usr/bin/python Exploit Title : Halliburton LogView Pro 10.0.1 - Local Buffer Overflow SEH Date : 2017-05-14 Exploit Author : Muhann4d CVE : CVE-2017-8926 Vendor Homepage : http://www.halliburton.com Software Link :...
PlaySMS 1.4 - sendfromfile.php Remote Code Execution Unrestricted File Upload
PlaySMS 1.4 - sendfromfile.php Remote Code Execution Unrestricted File Upload Exploit Title: PlaySMS 1.4 Code Execution using $filename and Unrestricted File Upload in sendfromfile.php Date: 14-05-2017 Software Link: https://playsms.org/download/ Version: 1.4 Exploit Author: Touhid M.Shaikh...
Larson VizEx Reader 9.7.5 - Local Buffer Overflow (SEH)
Larson VizEx Reader 9.7.5 - Local Buffer Overflow SEH #!/usr/bin/python Exploit Title : Larson VizEx Reader 9.7.5 - Local Buffer Overflow SEH Date : 14/05/2017 Exploit Author : Muhann4d CVE : CVE-2017-8927 Vendor Homepage : http://www.cgmlarson.com/ Software Link :...
Dive Assistant Template Builder 8.0 - XML External Entity Injection
Dive Assistant Template Builder 8.0 - XML External Entity Injection + Exploit Title: Dive Assistant - Template Builder XXE Injection + Date: 12-05-2017 + Exploit Author: Trent Gordon + Vendor Homepage: http://www.blackwave.com/ + Software Link:...
Vanilla Forums 2.3 - Remote Code Execution
Vanilla Forums 2.3 - Remote Code Execution #!/bin/bash Vanilla Forums <= 2.3 Remote Code Execution RCE PoC Exploit 0day Core version no plugins, default config...
OpenVPN 2.4.0 - Denial of Service
OpenVPN 2.4.0 - Denial of Service #!/usr/bin/env python3 ''' $ ./dosserver.py & $ sudo ./openvpn-2.4.0/src/openvpn/openvpn conf/server-tls.conf ... Fri Feb 24 10:19:19 2017 192.168.149.1:64249 TLS: Initial packet from [AF_INET]192.168.149.1:64249, sid=9a6c48a6 1467f5e1 Fri Feb 24 10:19:19 2017...
MiniUPnP MiniUPnPc 2.0 - Remote Denial of Service
MiniUPnP MiniUPnPc 2.0 - Remote Denial of Service VuNote ====== Author: Ref: https://github.com/tintinweb/pub/tree/master/pocs/cve-2017-8798 Version: 0.6 Date: May 1st, 2017 Tag: miniupnpc getHTTPResponse chunked encoding integer signedness error Overview -------- Name: miniupnpc Vendor: Thomas...
Linux Kernel 4.8.0-41-generic (Ubuntu) - Packet Socket Local Privilege Escalation
Linux Kernel 4.8.0-41-generic Ubuntu - Packet Socket Local Privilege Escalation // A proof-of-concept local root exploit for CVE-2017-7308. // Includes a SMEP & SMAP bypass. // Tested on 4.8.0-41-generic Ubuntu kernel. // https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-7308 // //...
CMS Made Simple 2.1.6 - Multiple Vulnerabilities
CMS Made Simple 2.1.6 - Multiple Vulnerabilities Title: CMSMS 2.1.6 Multiple Vulnerabilities Date: 10-05-2017 Tested on: Windows 8 64-bit Exploit Author: Osanda Malith Jayathissa @OsandaMalith Original write-up: https://osandamalith.com/2017/05/11/cmsms-2-1-6-multiple-vulnerabilities/ CVE:...
Intel Active Management Technology - System Privileges
Intel Active Management Technology - System Privileges #!/usr/bin/python # -*- coding: utf-8 -*- Author: Nixawk CVE-2017-5689 = dork="Server: Intel(R) Active Management Technology" port:"16992", ports= 623, 664, 16992, 16993, 16994, 16995 products= Active Management Technology AMT, Intel Standard...
Microsoft Windows Server 2008 R2 (x64) - SrvOs2FeaToNt SMB Remote Code Execution (MS17-010)
Microsoft Windows Server 2008 R2 x64 - SrvOs2FeaToNt SMB Remote Code Execution MS17-010 Exploit Author: Juan Sacco at KPN Red Team - http://www.kpn.com Date and time of release: May, 9 2017 - 13:00PM Found this and more exploits on my open source security project: http://www.exploitpack.com...
QNAP PhotoStation 5.2.4 MusicStation 4.8.4 - Authentication Bypass
QNAP PhotoStation 5.2.4 MusicStation 4.8.4 - Authentication Bypass Exploit QNAP PhotoStation 5.2.4 and MusicStation 4.8.4 Authentication Bypass Date: 10.05.2017 Software Link: https://www.qnap.com Exploit Author: Kacper Szurek Contact: https://twitter.com/KacperSzurek Website:...
SAP SAPCAR 721.510 - Heap Buffer Overflow
SAP SAPCAR 721.510 - Heap Buffer Overflow ''' Source: https://www.coresecurity.com/advisories/sap-sapcar-heap-based-buffer-overflow-vulnerability 1. Advisory Information Title: SAP SAPCAR Heap Based Buffer Overflow Vulnerability Advisory ID: CORE-2017-0001 Advisory URL:...
BanManager WebUI 1.5.8 - PHP Code Injection
BanManager WebUI 1.5.8 - PHP Code Injection BanManager WebUI 1.5.8 - PHP Code Injection & Stored XSS Exploit Title: BanManager WebUI - PHP Code Injection & Stored XSS Date: 2017-05-10 Exploit Author: HaHwul Exploit Author Blog: www.hahwul.com Vendor Homepage:...
Cisco DPC3928 Router - Arbitrary File Disclosure
Cisco DPC3928 Router - Arbitrary File Disclosure Vulnerability Summary The following advisory describes an arbitrary file disclosure vulnerability found in Cisco DPC3928AD DOCSIS 3.0 2-PORT Voice Gateway. The Cisco DPC3928AD DOCSIS is a home wireless router that is currently "Out of support" but ...
Gongwalker API Manager 1.1 - Cross-Site Request Forgery
Gongwalker API Manager 1.1 - Cross-Site Request Forgery Exploit Title: gongwalker API Manager v1.1 - CSRF (Add/Delete/Edit API) Date: 2017-05-10 Exploit Author: HaHwul Exploit Author Blog: www.hahwul.com Vendor Homepage: https://github.com/gongwalker/ApiManager Software Link:...
Oracle GoldenGate 12.1.2.0.0 - Remote Code Execution
Oracle GoldenGate 12.1.2.0.0 - Remote Code Execution #!/usr/bin/env python Sources: https://silentsignal.hu/docs/S2OracleGoldenGateGOLDENSHOWER.py https://blog.silentsignal.eu/2017/05/08/fools-of-golden-gate/ GOLDENSHOWER - Oracle GoldenGate unauthenticated RCE by Silent Signal Tested with: Versio...
LG G4 MRA58K - liblg_parser_mkv.so Bad Allocation Calls
LG G4 MRA58K - liblg_parser_mkv.so Bad Allocation Calls Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1102 In both of the following functions mkvparser::AudioTrack::AudioTrack(mkvparser::Segment*, mkvparser::Track::Info const&, long long, long long...
LG G4 MRA58K - mkvparser::Tracks constructor Failure to Initialise Pointers
LG G4 MRA58K - mkvparser::Tracks constructor Failure to Initialise Pointers Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1117 Failure to initialise pointers in mkvparser::Tracks constructor The constructor mkvparser::Tracks::Tracks doesn't handle parsing failures correctly. I...
LG G4 MRA58K - mkvparser::Block::Block Heap Buffer Overflow
LG G4 MRA58K - mkvparser::Block::Block Heap Buffer Overflow Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1124 There are multiple paths in mkvparser::Block::Block... that result in heap buffer overflows. See attached for sample files that trigger the overflow conditions - thes...
Crypttech CryptoLog - Remote Code Execution (Metasploit)
Crypttech CryptoLog - Remote Code Execution Metasploit This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "Crypttech CryptoLog Remote Code Execution", 'Description' => %q This module exploits the sql...
Personify360 7.5.27.6.1 - Improper Database Schema Access Restrictions
Personify360 7.5.27.6.1 - Improper Database Schema Access Restrictions Exploit Title: Discover all tables and columns in database when creating new customer role Date: 3/29/2017 Exploit Author: Pesach Zirkind Vendor Homepage: https://personifycorp.com/ Version: 7.5.2 - 7.6.1 Tested on: Windows al...
wolfSSL 3.10.2 - x509 Certificate Text Parsing Off-by-One
wolfSSL 3.10.2 - x509 Certificate Text Parsing Off-by-One TALOS-2017-0293 WOLFSSL LIBRARY X509 CERTIFICATE TEXT PARSING CODE EXECUTION VULNERABILITY MAY 8, 2017 CVE-2017-2800 SUMMARY An exploitable off-by-one write vulnerability exists in the x509 certificate parsing functionality of wolfSSL...
I, Librarian 4.64.7 - Command Injection Server Side Request Forgery Directory Enumeration Cross-Site Scripting
I, Librarian 4.64.7 - Command Injection Server Side Request Forgery Directory Enumeration Cross-Site Scripting SEC Consult Vulnerability Lab Security Advisory ======================================================================= title: Multiple vulnerabilities product: I, Librarian PDF manager...
Personify360 7.5.27.6.1 - Improper Access Restrictions
Personify360 7.5.27.6.1 - Improper Access Restrictions Exploit Title: Access and read and create vendor / API credentials in plaintext Date: 3/29/2017 Exploit Author: Pesach Zirkind Vendor Homepage: https://personifycorp.com/ Version: 7.5.2 - 7.6.1 Tested on: Windows all versions CVE :...
Microsoft Security Essentials / SCEP (Microsoft Windows 8/8.1/10 / Windows Server) - MsMpEng Remote Type Confusion
Microsoft Security Essentials / SCEP (Microsoft Windows 8/8.1/10 / Windows Server) - MsMpEng Remote Type Confusion Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5 MsMpEng is the Malware Protection service that is enabled by default on Windows 8, 8.1, 10, Windows Server 2012,...
Xen 64bit PV Guest - pagetable use-after-type-change Breakout
Xen 64bit PV Guest - pagetable use-after-type-change Breakout Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1231 This is a bug in Xen that permits an attacker with control over the kernel of a 64bit X86 PV guest to write arbitrary entries into a live top-level pagetable. To...
MediaCoder 0.8.48.5888 - Local Buffer Overflow (SEH)
MediaCoder 0.8.48.5888 - Local Buffer Overflow SEH #!/usr/bin/python Exploit Title : MediaCoder 0.8.48.5888 Local Buffer Overflow SEH CVE : CVE-2017-8869 Exploit Author : Muhann4d @0xSecured Vendor Homepage : http://www.mediacoderhq.com Vulnerable Software:...
RPCBind libtirpc - Denial of Service
RPCBind libtirpc - Denial of Service #!/usr/bin/ruby Source: https://raw.githubusercontent.com/guidovranken/rpcbomb/fe53048af2d4fb78c911e71a30f21afcffbbf5e1/rpcbomb.rb By Guido Vranken https://guidovranken.wordpress.com/ Thanks to Sean Verity for writing an exploit in Ruby for an earlier...
Gemalto SmartDiag Diagnosis Tool 2.5 - Local Buffer Overflow (SEH)
Gemalto SmartDiag Diagnosis Tool 2.5 - Local Buffer Overflow SEH Exploit Title: Gemalto SmartDiag Diagnosis Tool <= v2.5 - Buffer Overflow - SEH Overwrite Date: 16-03-2017 Software Link: http://support.gemalto.com/index.php?id=downloadtools Exploit Author: Majid Alqabandi Contact:...
ViMbAdmin 3.0.15 - Multiple Cross-Site Request Forgery Vulnerabilities
ViMbAdmin 3.0.15 - Multiple Cross-Site Request Forgery Vulnerabilities CVE-2017-6086 Multiple CSRF vulnerabilities in ViMbAdmin version 3.0.15 Product Description ViMbAdmin is a web-based interface used to manage a mail server with virtual domains, mailboxes and aliases. It is an open source...
WordPress Plugin WebDorado Gallery 1.3.29 - SQL Injection
WordPress Plugin WebDorado Gallery 1.3.29 - SQL Injection Source: http://www.defensecode.com/advisories/DC-2017-02-011WordPressWebDoradoGalleryPluginAdvisory.pdf DefenseCode ThunderScan SAST Advisory WordPress WebDorado Gallery Plugin - SQL Injection Vulnerability Advisory ID: DC-2017-02-011...
Technicolor DPC3928SL - SNMP Authentication Bypass
Technicolor DPC3928SL - SNMP Authentication Bypass #!/usr/bin/python # -*- coding: utf-8 -*- StringBleed - CVE-2017-5135 author = "Nixawk" funcs = 'generatesnmpcommunitystr', 'generatesnmpprotopayload', 'sendsnmprequest', 'readsnmpcommunitystr', 'readsnmpvarbindstr', 'snmplogin', 'snmpstringbleed'...
Sitecore CMS 8.2 - Cross-Site Scripting Arbitrary File Disclosure
Sitecore CMS 8.2 - Cross-Site Scripting Arbitrary File Disclosure Exploit title: Sitecore CMS v8.2 multiple vulnerabilities Product: Sitecore Version: 8.2, Rev: 161221, Date: 21st December, 2016 Date: 05-05-2017 Author: Usman Saeed Email: [email protected] Vendor Homepage: http://www.sitecore.net/...
CloudBees Jenkins 2.32.1 - Java Deserialization
CloudBees Jenkins 2.32.1 - Java Deserialization Source: https://blogs.securiteam.com/index.php/archives/3171 Vulnerability Details Jenkins is vulnerable to a Java deserialization vulnerability. In order to trigger the vulnerability two requests need to be sent. The vulnerability can be found in t...
Apple Safari 10.0.3 - JSC::CachedCall Use-After-Free
Apple Safari 10.0.3 - JSC::CachedCall Use-After-Free function make_compiled_function() { function target(x) { return x*5 + x - x*x; } // Call only once so that function gets compiled with low level interpreter // but none of the optimizing JITs target(0); return target; } function pwn() { var haxs = new Array(0x100); fo...
Serviio PRO 1.8 DLNA Media Streaming Server - REST API Arbitrary Code Execution
Serviio PRO 1.8 DLNA Media Streaming Server - REST API Arbitrary Code Execution #!/usr/bin/env python Serviio PRO 1.8 DLNA Media Streaming Server REST API Arbitrary Code Execution Vendor: Petr Nejedly | Six Lines Ltd Product web page: http://www.serviio.org Affected version: 1.8.0.0 PRO, 1.7.1,...
Serviio PRO 1.8 DLNA Media Streaming Server - REST API Information Disclosure
Serviio PRO 1.8 DLNA Media Streaming Server - REST API Information Disclosure #!/usr/bin/env python Serviio PRO 1.8 DLNA Media Streaming Server REST API Information Disclosure Vendor: Petr Nejedly | Six Lines Ltd Product web page: http://www.serviio.org Affected version: 1.8.0.0 PRO, 1.7.1, 1.7.0,...
Serviio PRO 1.8 DLNA Media Streaming Server - Local Privilege Escalation
Serviio PRO 1.8 DLNA Media Streaming Server - Local Privilege Escalation Serviio PRO 1.8 DLNA Media Streaming Server Local Privilege Escalation Vendor: Petr Nejedly | Six Lines Ltd Product web page: http://www.serviio.org Affected version: 1.8.0.0 PRO Summary: Serviio is a free media server. It...
Serviio PRO 1.8 DLNA Media Streaming Server - REST API Arbitrary Password Change
Serviio PRO 1.8 DLNA Media Streaming Server - REST API Arbitrary Password Change #!/usr/bin/env python Serviio PRO 1.8 DLNA Media Streaming Server REST API Arbitrary Password Change Vendor: Petr Nejedly | Six Lines Ltd Product web page: http://www.serviio.org Affected version: 1.8.0.0 PRO, 1.7.1,...
WordPress 4.7.4 - Unauthorized Password Reset
WordPress 4.7.4 - Unauthorized Password Reset ============================================= - Discovered by: Dawid Golunski - dawid[at]legalhackers.com - https://legalhackers.com - CVE-2017-8295 - Release date: 03.05.2017 - Revision 1.0 - Severity: Medium/High...
WordPress 4.6 - Remote Code Execution
WordPress 4.6 - Remote Code Execution #!/bin/bash WordPress 4.6 - Remote Code Execution RCE PoC Exploit CVE-2016-10033 wordpress-rce-exploit.sh ver. 1.0 Discovered and...
Microsoft Internet Explorer 11 - CMarkup::DestroySplayTree Use-After-Free
Microsoft Internet Explorer 11 - CMarkup::DestroySplayTree Use-After-Free body { background-color:black; font-color:red; } Exploit Title: Internet Explorer 11 CMarkup::DestroySplayTree Use-After-Free Google Dork: n/a Date: 03.05.2017 Exploit Author: Marcin Ressel TT: @resselm Vendor Homepage:...
Zyxel P-660HW-61 Firmware 3.40(PE.11)C0 Router - Local File Inclusion
Zyxel P-660HW-61 Firmware 3.40(PE.11)C0 Router - Local File Inclusion Exploit Title: Zyxel P-660HW-61 3.40(PE.11)C0 - Local File Inclusion Date: 2-05-2017 Exploit Author: ReverseBrain Contact: https://www.twitter.com/ReverseBrain Vendor Homepage: https://www.zyxel.com Software Link:...
Dahua Generation 23 - Backdoor Access
Dahua Generation 23 - Backdoor Access #!/usr/bin/python2.7 if False: ''' 2017-05-03 Public rerelease of Dahua Backdoor PoC https://github.com/mcw0/PoC/blob/master/dahua-backdoor-PoC.py 2017-03-20 With my newfound knowledge of vulnerable devices out there with an unbelievable number of more than 1...