DCMTK 3.6.0 storescp - Stack Buffer Overflow
#!/usr/bin/env python # -*- coding: utf8 -*- DCMTK storescp DICOM storage C-STORE SCP Remote Stack Buffer Overflow Vendor: OFFIS e. V. Product web page: http://www.dcmtk.org Affected version: <= 3.6.0 Not affected: DCMTK-3.6.1_20160216 -...
Nagios 4.2.4 - Local Privilege Escalation
#!/bin/bash Source: https://legalhackers.com/advisories/Nagios-Exploit-Root-PrivEsc-CVE-2016-9566.html Nagios Core 4.2.4 Root Privilege Escalation PoC Exploit nagios-root-privesc.sh ver. 1.0 CVE-2016-9566 Discovered and coded by: Dawid Golunski...
Nagios 4.2.2 - Arbitrary Code Execution
#!/usr/bin/env python Source: https://legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html intro = """\033[94m Nagios Core 4.2.0 Curl Command Injection / Code Execution PoC Exploit CVE-2016-9565 nagios_cmd_injection.py ver...
Netcore Netis Routers - UDP Backdoor Access
#!/usr/bin/python # -*- coding: utf8 -*- NETCORE / NETDIS UDP 53413 BACKDOOR https://netisscan.shadowserver.org/ http://blog.trendmicro.com/trendlabs-security-intelligence/netis-routers-leave-wide-open-backdoor/ https://www.seebug.org/vuldb/ssvid-90227 impor...
Microsoft Internet Explorer 9 - IEFRAME CMarkup::RemovePointerPos Use-After-Free (MS13-055)
document.addEventListener"load", function document.documentElement.removeNodetrue; , true; document.addEventListener"DOMNodeRemoved", function document.write""; , true; <!-- Time-line Sometime in...
Microsoft Internet Explorer 9 - MSHTML CMarkup::ReloadInCompatView Use-After-Free
document.designMode = "on"; <!-- Details By switching a document's designMode property to on in a deferred script, MSIE 9 can be made to reload a web page using CMarkup::ReloadInCompatView. This method...
Nidesoft MP3 Converter 2.6.18 - Local Buffer Overflow (SEH)
#!python Exploit title: MP3 converter v 2.6.18 License code SEH exploit Date: 2016-12-15 Vendor homepage: http://www.nidesoft.com/mp3-converter.html Download: http://www.nidesoft.com/downloads/mp3-converter.exe Tested on: Win7 SP1 Author:...
APT - Repository Signing Bypass via Memory Allocation Failure
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1020 == Vulnerability == When apt-get updates a repository that uses an InRelease file (clearsigned Release files), this file is processed as follows: First, the InRelease...
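The InRelease file the excerpt above begins to describe is an OpenPGP clearsigned message: a signed-message header, armor headers such as "Hash: SHA256", a blank line, the dash-escaped Release body, and then an armored signature block. The following added example (not apt's parser and not from the Project Zero report) splits such a file into its signed body and its signature block and refuses anything that is not exactly one well-formed signed message. The sample file and its placeholder signature are constructed for the demo; no signature is verified.

```python
"""Split a clearsigned InRelease-style file into its signed body and its
ASCII-armored signature block (RFC 4880, section 7).

Added example to illustrate the file layout the advisory excerpt refers to;
this is not apt's own parser, and it does not verify the signature.  The
sample file below is constructed for the demo and its signature block is a
placeholder, so only the structural checks are exercised here.
"""
import re

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


class ClearsignError(ValueError):
    """Raised when the input is not a single, well-formed clearsigned message."""


def split_clearsigned(text):
    """Return (body, signature_block) for a clearsigned message.

    Structure checks that must all pass before anything is trusted:
      * exactly one BEGIN SIGNED MESSAGE header, at the start of the file
      * armor headers (e.g. "Hash: SHA256") terminated by one blank line
      * exactly one signature block, and nothing after it
    Dash-escaped body lines ("- -----Foo") are unescaped on return.
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() != BEGIN_SIGNED:
        raise ClearsignError("file does not start with a clearsign header")
    if sum(1 for l in lines if l.strip() == BEGIN_SIGNED) != 1:
        raise ClearsignError("more than one signed message in file")

    # Armor headers run until the first empty line.
    i = 1
    while i < len(lines) and lines[i].strip() != "":
        if not re.match(r"^[A-Za-z-]+: ", lines[i]):
            raise ClearsignError("malformed armor header: %r" % lines[i])
        i += 1
    if i == len(lines):
        raise ClearsignError("no blank line after armor headers")
    i += 1  # skip the blank line

    body = []
    while i < len(lines) and lines[i].strip() != BEGIN_SIG:
        line = lines[i]
        body.append(line[2:] if line.startswith("- ") else line)
        i += 1
    if i == len(lines):
        raise ClearsignError("signature block missing")

    sig_start = i
    while i < len(lines) and lines[i].strip() != END_SIG:
        i += 1
    if i == len(lines):
        raise ClearsignError("signature block not terminated")
    trailing = [l for l in lines[i + 1:] if l.strip()]
    if trailing:
        raise ClearsignError("unexpected data after signature block")
    return "\n".join(body), "\n".join(lines[sig_start:i + 1])


# Constructed sample: a minimal Release body with a placeholder signature.
SAMPLE_INRELEASE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Origin: Example
Suite: stable
Codename: demo
- -----Not a header, just a dash-escaped line
SHA256:
 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef 42 main/binary-amd64/Packages
-----BEGIN PGP SIGNATURE-----

placeholderSignatureData==
-----END PGP SIGNATURE-----
"""

if __name__ == "__main__":
    body, sig = split_clearsigned(SAMPLE_INRELEASE)
    print(body)
    print(sig)
```

The point of the strict checks is that a verifier must only ever hand the body to its hash computation after it has established there is exactly one signed region and one signature; any parse that silently returns an empty or partial body on a malformed file is a signing bypass waiting to happen.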
Apport 2.x (Ubuntu Desktop 12.10 16.04) - Local Code Execution
Both of these issues were reported to the Apport maintainers and a fix was released on 2016-12-14. The CrashDB code injection issue can be tracked with CVE-2016-9949 and the path traversal bug with CVE-2016-9950. An additional problem...
Adobe Animate 15.2.1.95 - Memory Corruption
+ Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/ADOBE-ANIMATE-MEMORY-CORRUPTION-VULNERABILITY.txt + ISR: ApparitionSec Vendor: ============= www.adobe.com Products:...
Samsung Devices KNOX Extensions - OTP TrustZone Trustlet Stack Buffer Overflow
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=938 As a part of the KNOX extensions available on Samsung devices, Samsung provides a TrustZone trustlet which allows the generation of OTP tokens. Th...
Samsung Devices KNOX Extensions - OTP Service Heap Overflow
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=935 As a part of the KNOX extensions available on Samsung devices, Samsung provides a new service which allows the generation of OTP tokens. The tokens themselves are...
TP-LINK TD-W8151N - Denial of Service
Exploit Title: TP-LINK TD-W8151N - Denial of Service Date: 2016-12-13 Exploit Author: Persian Hack Team Discovered by : Mojtaba MobhaM Home : http://persian-team.ir/ Tested on: Windows AND Linux Demo : https://www.youtube.com/watch?v=WrGgHvhiCGg POC : flagFre...
Joomla! Component DT Register - cat SQL Injection
Title: SQL injection in Joomla extension DT Register Credit: Elar Lang / https://security.elarlang.eu Vulnerability: SQL injection Vulnerable version: before 3.1.12 (Joomla 3.x) / 2.8.18 (Joomla 2.5) CVE: pending Full Disclosure URL:...
Google Chrome (Fedora 25 Ubuntu 16.04) - tracker-extract gnome-video-thumbnailer + totem Drive-By Download
Source: https://scarybeastsecurity.blogspot.com/2016/12/redux-compromising-linux-using-snes.html Overview Full reliable 0day drive-by exploit against Fedora 25 + Google Chrome, by breaking out...
McAfee Virus Scan Enterprise for Linux 1.9.2 2.0.2 - Remote Code Execution
''' Source: https://nation.state.actor/mcafee.html Vulnerabilities CVE-2016-8016: Remote Unauthenticated File Existence Test CVE-2016-8017: Remote Unauthenticated File Read with Constraints CVE-2016-8018: No Cross-Site...
Microsoft Internet Explorer 9 - IEFRAME CSelectionInteractButtonBehavior::_UpdateButtonLocation Use-After-Free (MS13-047)
function go document.execCommand'SelectAll'; document.execCommand'superscript'; setTimeoutfunction oSupElement=document.getElementsByTagName'sup'0;...
Apache 2.4.23 mod_http2 - Denial of Service
#!/usr/bin/python """ source : http://seclists.org/bugtraq/2016/Dec/3 The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when the Protocols configuration includes h2 or h2c, does not restrict request-header length, which allows remote...
Serva 3.0.0 - HTTP Server Denial of Service
#!/usr/bin/env python Serva 3.0.0 HTTP Server Module Remote Denial of Service Exploit Vendor: Patrick Masotta Product web page: http://www.vercot.com Affected version: 3.0.0.1001 (Community, Pro, 32/64bit) Summary: Serva is a light (3 MB), yet powerful...
WordPress Plugin Multisite Post Duplicator 0.9.5.1 - Cross-Site Request Forgery
alert1" input type="text" name="el0"...
Sophos Web Appliance 4.2.1.3 - blockunblock Remote Command Injection (Metasploit)
Exploit Title: Sophos Web Appliance UnBlock/Block-IP Remote Command Injection Vulnerability Date: 12/12/2016 Exploit Author: xort @ Critical Start Vendor Homepage: www.sophos.com Software Link:...
iOS 10.1.x - Certificate File Memory Corruption
Source: https://cxsecurity.com/issue/WLB-2016110046 iOS 10.1.x Remote memory corruption through certificate file Credit: Maksymilian Arciemowicz from https://cxsecurity.com...
Sophos Web Appliance 4.2.1.3 - DiagnosticTools Remote Command Injection (Metasploit)
Exploit Title: Sophos Web Appliance diagnostictools wget Remote Command Injection Vulnerability Date: 12/12/2016 Exploit Author: xort @ Critical Start Vendor Homepage: www.sophos.com Software Link:...
ARG-W4 ADSL Router - Multiple Vulnerabilities
Exploit Title: ARG-W4 ADSL Router - Multiple Vulnerabilities Date: 2016-12-11 Exploit Author: Persian Hack Team Discovered by : Mojtaba MobhaM Tested on: Windows AND Linux Exploit Demo : http://persian-team.ir/showthread.php?tid=196 1 - Denial of...
NETGEAR R7000 - Cross-Site Scripting
Exploit Title: Netgear R7000 - XSS via DHCP hostname Date: 11-12-2016 Exploit Author: Vincent Yiu Contact: https://twitter.com/vysecurity Vendor Homepage: https://www.netgear.com/ Category: Hardware / WebApp Version: V1.0.7.21.1.93 + LATEST to date...
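The entry above is a stored XSS whose injection point is the DHCP client's own host name (option 12), a value any device on the LAN can choose freely and that the router later echoes into its attached-devices page. The following added example (not Netgear's firmware and not the advisory's code) shows the rendering pattern that produces this bug class beside a hardened version that validates the name against RFC 1123 label syntax on input and HTML-escapes on output. The lease records and the table markup are constructed stand-ins.

```python
"""Stored XSS via a DHCP-supplied hostname: the unsafe rendering pattern
beside a hardened one.

Added example, not code from the Netgear firmware or the advisory.  The lease
records below are constructed; the table markup is a stand-in for whatever
page lists attached devices.
"""
import html
import re

# RFC 1123 hostname label: letters, digits, hyphens; no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed lease data.  The second host name is what an attacker's DHCP
# client can send in option 12; nothing on the wire stops it choosing that.
LEASES = [
    {"mac": "00:11:22:33:44:55", "ip": "192.168.1.10", "hostname": "laptop"},
    {"mac": "66:77:88:99:aa:bb", "ip": "192.168.1.11",
     "hostname": "<script>alert(1)</script>"},
]


def render_vulnerable(leases):
    """Concatenates the hostname straight into the HTML (the bug class)."""
    rows = ["<tr><td>%s</td><td>%s</td><td>%s</td></tr>"
            % (l["mac"], l["ip"], l["hostname"]) for l in leases]
    return "<table>" + "".join(rows) + "</table>"


def is_valid_hostname(name):
    """True only for a syntactically valid RFC 1123 hostname (<= 253 chars)."""
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def render_hardened(leases):
    """Validates on input and escapes on output.  Either alone blocks this
    payload; doing both also covers fields validation has to leave loose."""
    rows = []
    for l in leases:
        name = l["hostname"] if is_valid_hostname(l["hostname"]) else "(invalid hostname)"
        rows.append("<tr><td>%s</td><td>%s</td><td>%s</td></tr>" % (
            html.escape(l["mac"]), html.escape(l["ip"]), html.escape(name)))
    return "<table>" + "".join(rows) + "</table>"


if __name__ == "__main__":
    print(render_vulnerable(LEASES))
    print(render_hardened(LEASES))
```

Validation matters here beyond escaping: a router also writes DHCP host names into places that are not HTML (logs, DNS answers, config files), and a syntax check at the point where the lease is accepted protects all of those consumers at once.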
OpenSSL 1.1.0a/1.1.0b - Denial of Service
Exploit Title: OpenSSL 1.1.0a & 1.1.0b Heap Overflow Remote DOS vulnerability Date: 11-12-2016 Software Link: https://www.openssl.org/source/old/1.1.0/ Exploit Author: Silverfox Contact: http://twitter.com/Silverfox Website: https://www.silverf0x00.com/ CV...
EasyPHP Devserver 16.1.1 - Insecure File Permissions Privilege Escalation
Title: EasyPHP Devserver Insecure File Permissions Privilege Escalation Application: EasyPHP Devserver Versions Affected: 16.1 Vendor URL: http://www.easyphp.org/ Discovered by: Ashiyane Digital Security Team Micle Tested o...
10-Strike Network File Search Pro 2.3 - Local Buffer Overflow (SEH)
#!python Exploit title: 10-Strike Network File Search Pro 2.3 Registration code SEH exploit Date: 2016-12-10 Vendor homepage: https://www.10-strike.com/network-file-search/help/pro.shtml Download:...
D-Link DI-524 - Cross-Site Request Forgery
Title: D-Link DI-524 - Cross-Site-Request-Forgery Vulnerability Credit: Felipe Soares de Souza Date: 09/12/2016 Vendor: D-Link Product: D-Link DI-524 Wireless 150 Product link: https://dlink.com.br/produto/di-524150 Version: Firmware 9.01 1- Reboot the...
Splunk Enterprise 6.4.3 - Server-Side Request Forgery
''' Splunk Enterprise Server-Side Request Forgery Affected versions: Splunk Enterprise <= 6.4.3...
Microsoft Internet Explorer 9 - MSHTML CDispNode::InsertSiblingNode Use-After-Free (MS13-037) (1)
window.onload=functionlocation.reload;; text .float float:left; .zoom zoom:3000%; .border::first-letter...
Microsoft Internet Explorer 9 - MSHTML CElement::HasFlag Memory Corruption
// First tag can be any inline but must NOT be closed yet // Second tag can be anything that's not inline. // "text1" can be anything document.write'text1'; // The tree is in good shape. show"DOM Tree after first write",...
Roundcube 1.2.2 - Remote Code Execution
Roundcube 1.2.2: Command Execution via Email ============================================ You can find the online version of the advisory here: https://blog.ripstech.com/2016/roundcube-command-execution-via-email/ Found by Robin Peraglie with RIPS...
Microsoft Internet Explorer 9 - MSHTML CDispNode::InsertSiblingNode Use-After-Free (MS13-037) (2)
<!-- Source: http://blog.skylined.nl/20161208001.html Synopsis A specially crafted web-page can trigger a memory corruption vulnerability in Microsoft Internet Explorer 9. I did not investigate this...
Cisco Unified Communications Manager 7/8/9 - Directory Traversal
Exploit Title: Cisco Unified Communications Manager Administrative Web Interface Directory traversal CVE-2013-5528 Date: 7th December 2016 Exploit Author: justpentest Vendor Homepage: https://software.cisco.com/ Software Link:...
OpenSSH 7.2 - Denial of Service
Title : OpenSSH before 7.3 Crypt CPU Consumption DoS Vulnerability Author : Kashinath T, www.secpod.com Vendor : http://www.openssh.com/ Software : http://www.openssh.com/ Version : OpenSSH before 7.3 Tested on : Ubuntu 16.04 LTS, Centos 7 CVE ...
Dual DHCP DNS Server 7.29 - Denial of Service
Title : Dual DHCP DNS Server 7.29 Buffer Overflow Dos Date : 07/12/2016 Author : R-73eN Tested on: Dual DHCP DNS Server 7.29 on Windows 7 SP1 32bit Vendor : http://dhcp-dns-server.sourceforge.net/ Software :...
TP-LINK TD-W8951ND - Denial of Service
Exploit Title: TP-LINK TD-W8951ND - Denial of Service Date: 2016-12-07 Exploit Author: Persian Hack Team Discovered by : Mojtaba MobhaM Tested on: Windows AND Linux Demo Construction : https://youtu.be/7mvrW3mtVE #!/usr/bin/python import urllib...
NETGEAR R7000 - Command Injection
Exploit Title: Netgear R7000 - Command Injection Date: 6-12-2016 Exploit Author: Acew0rm Contact: https://twitter.com/Acew0rm1 Vendor Homepage: https://www.netgear.com/ Category: Hardware Version: V1.0.7.21.1.93 -Vulnerability An unauthenticated user can inject...
Microsoft Windows 10 (x86/x64) - WLAN AutoConfig Denial of Service (PoC)
#!/usr/bin/python wlanautoconfig-poc.py Windows WLAN AutoConfig Named Pipe POC Jeremy Brown jbrown3264/gmail Dec 2016 wifinetworkmanager.dll!FatalError(char const *,unsigned long,char const *, ...) AsyncPipe::ReadCompletedCallback(void...
Microsoft Edge - CMarkup::EnsureDeleteCFState Use-After-Free (MS15-125)
Source: http://blog.skylined.nl/20161201001.html Synopsis A specially crafted web-page can trigger a memory corruption vulnerability in Microsoft Edge. I did not investigate this vulnerability thoroughly, so I cannot speculat...
Google Android - IOMXNodeInstance::enableNativeBuffers Unchecked Index
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=932 The code in IOMXNodeInstance.cpp that handles enableNativeBuffers uses portIndex without validation, leading to writing the dword value 0 or 1 at an attacke...
Microsoft Edge - JSON.parse Info Leak
var once = false; var a = 1; function f if!once a = new Array1, 2, 3; this2 = a; once = true; //alert"f " + this; return ; JSON.parse"1, 2, 4, 5", f; var n = new Numbera0; n = n 1; var s = n.toString16; n = new Numbera1; n = n 1; s = s + n.toString16; n.lengt...
AbanteCart 1.2.7 - Cross-Site Scripting
Exploit Title: AbanteCart 1.2.7 Stored XSS Date: 06-12-2016 Software Link: http://www.abantecart.com/ Exploit Author: Kacper Szurek Contact: http://twitter.com/KacperSzurek Website: http://security.szurek.pl/ Category: webapps 1. Description By default all...
Microsoft PowerShell - XML External Entity Injection
+ Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-POWERSHELL-XML-EXTERNAL-ENTITY.txt + ISR: ApparitionSec Vendor: ================= www.microsoft.com Product:...
Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - AF_PACKET Race Condition Privilege Escalation
/* chocobo_root.c linux AF_PACKET race condition exploit exploit for Ubuntu 16.04 x86_64 (vroom vroom) ============================== user@ubuntu:~$ uname -a Linux ubuntu 4.4.0-51-generic #72-Ubuntu SMP Thu Nov 24...
Edge SkateShop - Authentication bypass
Exploit Title: Edge SkateShop Authentication Bypass Date: 6/12/2016 Exploit Author: Delilah Vendor HomePage: http://www.sourcecodester.com/php/10964/basic-shopping-cartphpmysql.html Software Link:...
Microsoft Internet Explorer 9 - jscript9 JavaScriptStackWalker Memory Corruption (MS15-056)
var oWindow = window.open"about:blank"; oWindow.execScript'window.oURIError = new URIError;oURIError.name = oURIError;' try "" + oWindow.oURIError; catche try "" + oWindow.oURIError; catche...
Microsoft Internet Explorer 9 - CDoc::ExecuteScriptUri Use-After-Free (MS13-009)
window.open"Repro.xml", "iframe"; setTimeoutfunction window.open'javascript:voidlocation.href = "about:blank";', "iframe"; , 1000; Description This is the first security vulnerability I sold to ZDI after I quit my j...
Google Android - Inter-Process munmap with User-Controlled Size in android.graphics.Bitmap
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=928 Bitmap objects can be passed between processes by flattening them to a Parcel in one process and un-flattening them in another. In order...