41207 matches found
Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit)
Microsoft Windows - SMB Remote Code Execution Scanner MS17-010 Metasploit This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework auxiliary/scanner/smb/smbms17010 require 'msf/core' class MetasploitModule 'MS17-010 SMB RCE...
Mantis Bug Tracker 1.3.02.3.0 - Password Reset
Mantis Bug Tracker 1.3.02.3.0 - Password Reset + Credits: John Page a.k.a hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-PRE-AUTH-REMOTE-PASSWORD-RESET.txt + ISR: ApparitionSec Vendor: ================ www.mantisbt.org Product...
WinSCP 5.9.4 - LIST Denial of Service (Metasploit)
WinSCP 5.9.4 - LIST Denial of Service Metasploit Exploit Title: WinSCP 5.9.4 - LIST Command Denial of service Crush application Date: 4-4-2017 mm.dd.yy Exploit Author: M.Ibrahim [email protected] E-Mail: vulnbug gmail.com Vendor Home Page: https://winscp.net/eng/index.php Vendor download link:...
Linux Kernel 4.8.0 UDEV 232 - Local Privilege Escalation
Linux Kernel 4.8.0 UDEV 232 - Local Privilege Escalation / Title: Linux Kernel 4.8.0 udev 232 - Privilege Escalation Author: Nassim Asrir Researcher at: Henceforth Author contact: [email protected] || https://www.linkedin.com/in/nassim-asrir-b73a57122/ The full Research:...
VirusChaser 8.0 - Local Buffer Overflow (SEH)
VirusChaser 8.0 - Local Buffer Overflow SEH Exploit Title: Virus Chaser 8.0 - Scanner component, SEH Overflow Date: 14 April 2017 Exploit Author: 0x41Li [email protected] Vendor Homepage: https://www.viruschaser.com/ Software Link: https://www.viruschaser.com/download/VC80b32Setup.zip Tested on:...
Mozilla Firefox - Address Bar Spoofing
Mozilla Firefox - Address Bar Spoofing location=URL.createObjectURLnew Blob'Not Googleiflocation.href.indexOf"google"==-1location.pathname="https://www.google.com/"elsedocument.title="Google Search"', type: 'text/html'...
Concrete5 CMS 8.1.0 - Host Header Injection
Concrete5 CMS 8.1.0 - Host Header Injection + Credits: John Page a.k.a hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/CONCRETE5-v8.1.0-HOST-HEADER-INJECTION.txt + ISR: ApparitionSec Vendor: ================== www.concrete5.org Product:...
Microsoft Windows Kernel - win32k.sys Multiple NtGdiGetDIBitsInternal System Call
Microsoft Windows Kernel - win32k.sys Multiple NtGdiGetDIBitsInternal System Call Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1078 We have discovered two bugs in the implementation of the win32k!NtGdiGetDIBitsInternal system call, which is a part of the graphic subsystem in...
GNS3 Mac OS-X 1.5.2 - ubridge Local Privilege Escalation
GNS3 Mac OS-X 1.5.2 - ubridge Local Privilege Escalation !/bin/sh GNS-3 Mac OS-X LPE local root exploit ===================================== GNS-3 on OS-X bundles the "ubridge" binary as a setuid root file. This file can be used to read arbitrary files using "-f" argument but also as it runs as...
agorum core Pro 7.8.1.4-251 - Persistent Cross-Site Scripting
agorum core Pro 7.8.1.4-251 - Persistent Cross-Site Scripting !-- Source: https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2017-005.txt Advisory ID: SYSS-2017-005 Product: agorum core Pro Manufacturer: agorum Software GmbH Affected Versions: 7.8.1.4-251 Tested Versions:...
Alienvault OSSIMUSM 5.3.45.3.5 - Remote Command Execution (Metasploit)
Alienvault OSSIMUSM 5.3.45.3.5 - Remote Command Execution Metasploit This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class MetasploitModule 'AlienVault USM/OSSIM API Command Execution', 'Description'...
Microsoft Windows Kernel - win32kfull!SfnINLPUAHDRAWMENUITEM Stack Memory Disclosure
Microsoft Windows Kernel - win32kfull!SfnINLPUAHDRAWMENUITEM Stack Memory Disclosure / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1192 We have discovered that it is possible to disclose portions of uninitialized kernel stack memory to user-mode applications in Windows 10...
Adobe Creative Cloud Desktop Application 4.0.0.185 - Local Privilege Escalation
Adobe Creative Cloud Desktop Application 4.0.0.185 - Local Privilege Escalation + Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/ADOBE-CREATIVE-CLOUD-PRIVILEGE-ESCALATION.txt + ISR: apparitionSec Vendor: ==============...
agorum core Pro 7.8.1.4-251 - Cross-Site Request Forgery
agorum core Pro 7.8.1.4-251 - Cross-Site Request Forgery !-- Source: https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2017-008.txt Advisory ID: SYSS-2017-008 Product: agorum core Pro Manufacturer: agorum Software GmbH Affected Versions: 7.8.1.4-251 Tested Versions: 7.8.1.4-25...
Solaris 7 11 (SPARCx86) - EXTREMEPARR dtappgather Privilege Escalation
Solaris 7 11 SPARCx86 - EXTREMEPARR dtappgather Privilege Escalation !/bin/ksh Exploit PoC reverse engineered from EXTREMEPARR which provides local root on Solaris 7 - 11 x86 & SPARC. Uses an environment variable of setuid binary dtappgather to manipulate file permissions and create a user owned...
Cisco Catalyst 2960 IOS 12.2(55)SE11 - ROCEM Remote Code Execution
Cisco Catalyst 2960 IOS 12.255SE11 - ROCEM Remote Code Execution !/usr/bin/python Exploit Title: Cisco Catalyst 2960 - Buffer Overflow Exploit Details: https://artkond.com/2017/04/10/cisco-catalyst-remote-code-execution/ Date: 04.10.2017 Exploit Author: https://twitter.com/artkond Vendor Homepage...
Cisco Catalyst 2960 IOS 12.2(55)SE1 - ROCEM Remote Code Execution
Cisco Catalyst 2960 IOS 12.255SE1 - ROCEM Remote Code Execution !/usr/bin/python Author: Artem Kondratenko @artkond import socket import sys from time import sleep setcredless = True if lensys.argv 3: print sys.argv0 + ' host --set/--unset' sys.exit elif sys.argv2 == '--unset': setcredless = Fals...
Horde Groupware Webmail 345 - Multiple Remote Code Executions
Horde Groupware Webmail 345 - Multiple Remote Code Executions Source: https://blogs.securiteam.com/index.php/archives/3107 Vulnerabilities Summary The following advisory describes two 2 vulnerabilities found in Horde Groupware Webmail. Horde Groupware Webmail Edition is a free, enterprise ready,...
Xen - Broken Check in memory_exchange() Permits PV Guest Breakout
Xen - Broken Check in memoryexchange Permits PV Guest Breakout Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1184 This bug report describes a vulnerability in memoryexchange that permits PV guest kernels to write to an arbitrary virtual address with hypervisor privileges. The...
WordPress Plugin Spider Event Calendar 1.5.51 - Blind SQL Injection
WordPress Plugin Spider Event Calendar 1.5.51 - Blind SQL Injection ============================================= MGC ALERT 2017-003 - Original release date: April 06, 2017 - Last revised: April 10, 2017 - Discovered by: Manuel García Cárdenas - Severity: 7,1/10 CVSS Base Score...
Proxifier for Mac 2.18 - Multiple Vulnerabilities
Proxifier for Mac 2.18 - Multiple Vulnerabilities Source: https://www.securify.nl/advisory/SFY20170401/multiplelocalprivilegeescalationvulnerabilitiesinproxifierformac.html Abstract Multiple local privileges escalation vulnerabilities were found in the KLoader binary that ships with Proxifier...
Social Directory Script 2.0 - SQL Injection
Social Directory Script 2.0 - SQL Injection Exploit Title: Social Directory Script 2.0 - SQL Injection Google Dork: N/A Date: 11.04.2017 Vendor Homepage: http://www.phponly.com/ Software: http://www.phponly.com/Social-Directory.html Demo: http://www.phponly.com/demo/link/ Version: 2.0 Tested on:...
MyClassifiedScript 5.1 - SQL Injection
MyClassifiedScript 5.1 - SQL Injection Exploit Title: Classified Portal Software 5.1 - SQL Injection Google Dork: N/A Date: 11.04.2017 Vendor Homepage: http://www.myclassifiedscript.com/ Software: http://www.myclassifiedscript.com/demo.html Demo: http://www.clpage.com/ Version: 5.1 Tested on: Win...
MyBB 1.8.11 - email MyCode Cross-Site Scripting
MyBB 1.8.11 - email MyCode Cross-Site Scripting Description: ============ product:MyBB Homepage:https://mybb.com/ vulnerable version:1.8.11 Severity:High risk =============== Proof of Concept: ============= 1.post a thread or reply any thread ,write: email=2"onmouseover="alertdocument.locationhov...
Apple WebKit Safari 10.0.3 (12602.4.8) - Synchronous Page Load Universal Cross-Site Scripting
Apple WebKit Safari 10.0.3 12602.4.8 - Synchronous Page Load Universal Cross-Site Scripting URL scriptURL; URL url; if protocolIsJavaScripturlString scriptURL = completeURLurlString; // completeURL encodes the URL. url = blankURL; else url = completeURLurlString; if shouldConvertInvalidURLsToBlan...
Apple WebKit - JSC::B3::Procedure::resetReachability Use-After-Free
Apple WebKit - JSC::B3::Procedure::resetReachability Use-After-Free function for var i = 0; i 1000000; ++i const v = Array & 1 ? v : 1; typeof o = 'object'; ; !-- Asan Log: ================================================================= ==32191==ERROR: AddressSanitizer: heap-use-after-free on...
FAQ Script 3.1.3 - category_id SQL Injection
FAQ Script 3.1.3 - categoryid SQL Injection Exploit Title: FAQ Script 3.1.3 - SQL Injection Google Dork: N/A Date: 11.04.2017 Vendor Homepage: http://www.phponly.com/ Software: http://www.phponly.com/faq.html Demo: http://www.phponly.com/demo/faq/ Version: 3.1.3 Tested on: Win7 x64, Kali Linux x6...
Proxifier for Mac 2.172.18 - Privesc Escalation
Proxifier for Mac 2.172.18 - Privesc Escalation Source: https://m4.rkw.io/blog/cve20177643-local-root-privesc-in-proxifier-for-mac--218.html Proxifier 2.18 also 2.17 and possibly some earlier version ships with a KLoader binary which it installs suid root the first time Proxifier is run. This...
Apple WebKit Safari 10.0.3 (12602.4.8) - Universal Cross-Site Scripting via a Focus Event and a Link Element
Apple WebKit Safari 10.0.3 12602.4.8 - Universal Cross-Site Scripting via a Focus Event and a Link Element child = mfirstChild removeBetweennullptr, child-nextSibling, child; notifyChildNodeRemovedthis, child; If the location hash value is set, the page will give focus to the associated element...
Brother MFC-J6520DW - Authentication Bypass Password Change
Brother MFC-J6520DW - Authentication Bypass Password Change ASCII hex -- md5 e.g. AuthCookie=c243a9ee18a9327bfd419f31e75e71c7 for 'test' password This information can be used to crack current password from exported cookie. Fix: Minimize network access to Brother MFC device or disable HTTPS...
MyBB smilie Module 1.8.11 - pathfolder Directory Traversal
MyBB smilie Module 1.8.11 - pathfolder Directory Traversal Description: ============ product: MyBB Homepage: https://mybb.com/ vulnerable version: input'pathfolder'; Line 327 $dir = @opendirMYBBROOT.$path; if we input "pathfolder" to "../../bypass/smile",Directory Traversal success! ============...
Apple WebKit - Document::adoptNode Use-After-Free
Apple WebKit - Document::adoptNode Use-After-Free var s = document.body.appendChilddocument.createElement'script'; s.type = '0'; s.textContent = 'document.body.appendChildparent.i0'; var i0 = s.appendChilddocument.createElement'iframe'; s.type = ''; var f =...
Apple WebKit - JSC::SymbolTableEntry::isWatchable Heap Buffer Overflow
Apple WebKit - JSC::SymbolTableEntry::isWatchable Heap Buffer Overflow function x = 0 var a; function arguments function b var g = 1; a5; f; g; ; , unsigned int, unsigned int webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x15fcc73 4...
Quest Privilege Manager 6.0.0 - Arbitrary File Write
Quest Privilege Manager 6.0.0 - Arbitrary File Write !/usr/bin/env python2 """ Exploit Title: Quest Privilege Manager pmmasterd Arbitrary File Write Date: 10/Mar/2017 Exploit Author: m0t Vendor Homepage: https://www.quest.com/products/privilege-manager-for-unix/ Version: 6.0.0-27, 6.0.0-50 Tested...
Moxa MX AOPC-Server 1.5 - XML External Entity Injection
Moxa MX AOPC-Server 1.5 - XML External Entity Injection + Credits: John Page AKA HYP3RLINX + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/MOXA-MX-AOPC-SERVER-v1.5-XML-EXTERNAL-ENTITY.txt + ISR: ApparitionSec Vendor: ============ www.moxa.com Product:...
Moxa MXview 2.8 - Denial of Service
Moxa MXview 2.8 - Denial of Service + Credits: John Page AKA hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/MOXA-MXVIEW-v2.8-DENIAL-OF-SERVICE.txt + ISR: ApparitionSec Vendor: ============ www.moxa.com Product: =========== MXView v2.8 Download:...
Moxa MXview 2.8 - Private Key Disclosure
Moxa MXview 2.8 - Private Key Disclosure + Credits: John Page AKA HYP3RLINX + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/MOXA-MXVIEW-v2.8-REMOTE-PRIVATE-KEY-DISCLOSURE.txt + ISR: APPARITIONSEC Vendor: ============ www.moxa.com Product: =========== MXvie...
Jobscript4Web 4.5 - Authentication Bypass
Jobscript4Web 4.5 - Authentication Bypass ---------------- Title = Jobscript4Web 4.5 - Authentication Bypass Date = 8/4/2017 Soft = http://www.jobscript4web.com/index.html liVE Demo = http://www.simplejobs.co.in/soft4u --------------- AutHor = TurkCyberArmy --------------- Bizler Turk siber ordus...
Sony Playstation 4 (PS4) 3.50 4.07 - WebKit Code Execution (PoC)
Sony Playstation 4 PS4 3.50 4.07 - WebKit Code Execution PoC PS4 4.0x Code Execution ============== This repo is my edit of the 4.0x webkit exploit released by qwertyoruiopz. The edit re-organizes, comments, and adds portability across 3.50 - 4.07 3.50, 3.55, 3.70, 4.00, and of course 4.06/4.07...
Shopping Cart Template - item SQL Injection
Shopping Cart Template - item SQL Injection Exploit Title: Shopping Cart Template v1.0 for ASPRunnerPro/PHPRunner. - SQL Injection Google Dork: N/A Date: 07.04.2017 Vendor Homepage: https://xlinesoft.com/ Software: https://xlinesoft.com/templates/shoppingcart/index.htm Demo:...
My Gaming Ladder Combo System 7.5 - SQL Injection
My Gaming Ladder Combo System 7.5 - SQL Injection Exploit Title: My Gaming Ladder Combo System 7.5 - SQL Injection Google Dork: N/A Date: 07.04.2017 Vendor Homepage: http://www.mygamingladder.com/ Software: http://www.mygamingladder.com/demos.shtml Demo: http://www.mygamingladder.com/upgrade/comb...
WordPress Plugin WHIZZ 1.1.1 - Cross-Site Request Forgery
WordPress Plugin WHIZZ 1.1.1 - Cross-Site Request Forgery ====== Software: WordPress WHIZZ Version: active or disactive plugins: Mitigations ================ Disable the plugin until a new version is released that fixes this bug. FIX: ========== https://wordpress.org/plugins/whizz/ 1.1.1...
WordPress Plugin CopySafe Web Protect 2.6 - Cross-Site Request Forgery
WordPress Plugin CopySafe Web Protect 2.6 - Cross-Site Request Forgery 2.6 release --...
Calendar Template 2.0 - editid1 SQL Injection
Calendar Template 2.0 - editid1 SQL Injection Exploit Title: Calendar v2.0 for ASPRunnerPro/PHPRunner/ASPRunner.NET. - SQL Injection Google Dork: N/A Date: 07.04.2017 Vendor Homepage: https://xlinesoft.com/ Software: https://xlinesoft.com/templates/calendar/index.htm Demo:...
e107 CMS 2.1.4 - Cross-Site Request Forgery
e107 CMS 2.1.4 - Cross-Site Request Forgery...
Ladder System 6.0 - faqid SQL Injection
Ladder System 6.0 - faqid SQL Injection Exploit Title: My Gaming Ladder System 6.0 - SQL Injection Google Dork: N/A Date: 07.04.2017 Vendor Homepage: http://www.mygamingladder.com/ Software: http://www.mygamingladder.com/ladder.shtml Demo: http://www.ladder.tf2.co.za/ Version: 6.0 Tested on: Win7...
Invoice Template - hash SQL Injection
Invoice Template - hash SQL Injection Exploit Title: Invoice Template v1.0 for PHPRunner/ASPRunnerPro/ASPRunner.NET. - SQL Injection Google Dork: N/A Date: 07.04.2017 Vendor Homepage: https://xlinesoft.com/ Software: https://xlinesoft.com/invoice Demo:...
Intellinet NFC-30IR Camera - Multiple Vulnerabilities
Intellinet NFC-30IR Camera - Multiple Vulnerabilities Bitcrack Cyber Security - BitLabs Advisory http://www.bitcrack.net Multiple Vulnerabilities in Intellinet NFC-30IR Network Cameras ADVISORY -------- Title: Local File Inclusion in CGI-SCRIPT & Hard-Coded Manufacturer Backdoor Advisory ID:...
Adobe (Multiple Products) - XML Injection File Content Disclosure
Adobe Multiple Products - XML Injection File Content Disclosure !/bin/bash Exploit Title: Adobe XML Injection file content disclosure Date: 07-04-2017 Exploit Author: Thomas Sluyter Website: https://www.kilala.nl Vendor Homepage: http://www.adobe.com/support/security/bulletins/apsb10-05.html...
Survey Template 1.1 - masterkey1 SQL Injection
Survey Template 1.1 - masterkey1 SQL Injection Exploit Title: Survey Template v1.1 for ASPRunnerPro,PHPRunner. - SQL Injection Google Dork: N/A Date: 07.04.2017 Vendor Homepage: https://xlinesoft.com/ Software: https://xlinesoft.com/marketplace/productsview.php?editid1=3 Demo:...