41207 matches found
MyBB 1.8.6 - Cross-Site Scripting
MyBB 1.8.6 - Cross-Site Scripting Security Advisory - Curesec Research Team 1. Introduction Affected Product: MyBB 1.8.6 Fixed in: 1.8.7 Fixed Version Link: http://resources.mybb.com/downloads/mybb1807.zip Vendor Website: http://www.mybb.com/ Vulnerability Type: XSS Remote Exploitable: Yes Report...
Microsoft Internet Explorer 11109 - MSHTML PROPERTYDESC::HandleStyleComponentProperty Out-of-Bounds Read (MS16-104)
Microsoft Internet Explorer 11109 - MSHTML PROPERTYDESC::HandleStyleComponentProperty Out-of-Bounds Read MS16-104 // This PoC attempts to exploit a memory disclosure bug in Microsoft Internet // Explorer 11. On x64 systems, this should cause an access violation when // run with page-heap...
4Images 1.7.13 - SQL Injection
4Images 1.7.13 - SQL Injection vulnerable app : 4images query$sql; Input parameter orderby is not sanitized before being passed to the sql query which lead to sql injection flaw POC GET...
VBScript 5.8.7600.163855.8.9600.16384 - RegExpComp::PnodeParse Out-of-Bounds Read
VBScript 5.8.7600.163855.8.9600.16384 - RegExpComp::PnodeParse Out-of-Bounds Read !-- Source: http://blog.skylined.nl/20161108001.html Synopsis A specially crafted script can cause the VBScript engine to read data beyond a memory block for use as a regular expression. An attacker that is able to...
Microsoft Windows Kernel - win32k Denial of Service (MS16-135)
Microsoft Windows Kernel - win32k Denial of Service MS16-135 / Source: https://github.com/tinysec/public/tree/master/CVE-2016-7255 Full Proof of Concept: https://github.com/tinysec/public/tree/master/CVE-2016-7255...
Microsoft Windows - LSASS SMB NTLM Exchange Null-Pointer Dereference (MS16-137)
Microsoft Windows - LSASS SMB NTLM Exchange Null-Pointer Dereference MS16-137 MS16-137: LSASS Remote Memory Corruption Advisory Title: LSASS SMB NTLM Exchange Remote Memory Corruption Version: 1.0 Issue type: Null Pointer Dereference Authentication: Pre-Authenticated Affected vendor: Microsoft...
e107 CMS 2.1.2 - Privilege Escalation
e107 CMS 2.1.2 - Privilege Escalation Exploit Title: e107 CMS 2.1.2 Privilege Escalation Date: 09-11-2016 Software Link: http://e107.org/ Exploit Author: Kacper Szurek Contact: http://twitter.com/KacperSzurek Website: http://security.szurek.pl/ Category: webapps 1. Description Datas from...
Adobe Connect 9.5.7 - Cross-Site Scripting
Adobe Connect 9.5.7 - Cross-Site Scripting Document Title: =============== Adobe Connect & Desktop v9.5.7 - Persistent Vulnerability References Source: ==================== http://www.vulnerability-lab.com/getcontent.php?id=1838 Security ID: PSIRT-5180 Bulletin:...
NETGEAR JNR1010 ADSL Router - (Authenticated) Remote File Disclosure
NETGEAR JNR1010 ADSL Router - Authenticated Remote File Disclosure !/bin/sh NETGEAR ADSL ROUTER JNR1010 1.0.0.16 Authenticated Remote File Disclosure Hardware Version: JNR1010 Firmware Version: 1.0.0.16 GUI Language Version: 1.0.0.16 Copyright 2016 c Todor Donev https://www.ethical-hacker.org/...
NETGEAR WNR500/WNR612v3/JNR1010/JNR2010 ADSL Router - (Authenticated) Remote File Disclosure
NETGEAR WNR500/WNR612v3/JNR1010/JNR2010 ADSL Router - Authenticated Remote File Disclosure !/bin/sh NETGEAR ADSL ROUTER Authenticated Remote File Disclosure Hardware Version: WNR500 / WNR612v3 / JNR1010 / JNR2010 Firmware Version: 1.0.7.2 / 1.0.0.9 / 1.0.0.32 / 1.0.0.20 Copyright 2016 c Todor Donev...
MOVISTAR BHS_RTA ADSL Router - Remote File Disclosure
MOVISTAR BHSRTA ADSL Router - Remote File Disclosure !/bin/sh MOVISTAR ADSL ROUTER BHSRTA BHSRTAC0019 Remote File Disclosure Vendor: OBSERVA Model: BHSRTA Software: BHSRTACO019 Firmware: 09/08/2012-10:23:25 Copyright 2016 c Todor Donev https://www.ethical-hacker.org/...
Avira Antivirus 15.0.21.86 - .zip Directory Traversal Command Execution
Avira Antivirus 15.0.21.86 - .zip Directory Traversal Command Execution Title : Avira Antivirus = 15.0.21.86 Command Execution SYSTEM Date : 08/11/2016 Author : R-73eN Tested on: Avira Antivirus 15.0.21.86 in Windows 7 Vendor : https://www.avira.com/ Disclosure Timeline: 2016-06-28 - Reported to...
WordPress Plugin WassUp Real Time Analytics 1.9 - Persistent Cross-Site Scripting
WordPress Plugin WassUp Real Time Analytics 1.9 - Persistent Cross-Site Scripting Source: https://sumofpwn.nl/advisory/2016/persistentcrosssitescriptinginwassuprealtimeanalyticswordpressplugin.html Persistent Cross-Site Scripting in WassUp Real Time Analytics WordPress Plugin Abstract A stored...
Microsoft Windows Server 2008/2012 - LDAP RootDSE Netlogon Denial of Service
Microsoft Windows Server 2008/2012 - LDAP RootDSE Netlogon Denial of Service !/usr/bin/perl MS Windows Server 2008/2008 R2/ 2012/2012 R2/ AD LDAP RootDSE Netlogon CLDAP "AD Ping" query reflection DoS PoC Copyright 2016 c Todor Donev Varna, Bulgaria [email protected]...
D-Link DSL-2730U/2750U/2750E ADSL Router - Remote File Disclosure
D-Link DSL-2730U/2750U/2750E ADSL Router - Remote File Disclosure !/bin/sh D-Link ADSL ROUTER DSL-2730U IN1.02 Remote File Disclosure Modem Name: DSL-2730U/DSL-2750E Time and Date: 2012-05-23 09:51:16 HardwareVersion: U1 Firmware Version: IN1.02/SEA1.04/SEA1.07 Copyright 2016 c Todor Donev...
Eir D1000 Wireless Router - WAN Side Remote Command Injection (Metasploit)
Eir D1000 Wireless Router - WAN Side Remote Command Injection Metasploit =begin Exploit Title: Eir D1000 Wireless Router - WAN Side Remote Command Injection Date: 7th November 2016 Exploit Author: Kenzo Website: https://devicereversing.wordpress.com Tested on Firmware version: 2.00AADU.520150909...
PLANET ADSL Router AND-4101 - Remote File Disclosure
PLANET ADSL Router AND-4101 - Remote File Disclosure !/bin/sh PLANET ADSL ROUTER AND-4101 v1.8 Remote File Disclosure Modem Name: ADN-4101 HardwareVersion: ADN-4101 SoftwareVersion: V1.8 Firmware Version: V1.8 Copyright 2016 c Todor Donev https://www.ethical-hacker.org/...
WordPress Plugin 404 to 301 2.2.8 - Persistent Cross-Site Scripting
WordPress Plugin 404 to 301 2.2.8 - Persistent Cross-Site Scripting Source: https://sumofpwn.nl/advisory/2016/storedcrosssitescriptingvulnerabilityin404to301wordpressplugin.html Stored Cross-Site Scripting vulnerability in 404 to 301 WordPress Plugin Abstract A stored Cross-Site Scripting...
NodCMS - PHP Code Execution
NodCMS - PHP Code Execution !-- HTTP Request http://localhost/nodcms-master/admin/editlangfile/1/en POST /nodcms-master/admin/editlangfile/1/en HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 Windows NT 10.0; rv:49.0 Gecko/20100101 Firefox/49.0 Accept:...
Sophos Web Appliance 4.2.1.3 - Remote Code Execution
Sophos Web Appliance 4.2.1.3 - Remote Code Execution KL-001-2016-009 : Sophos Web Appliance Remote Code Execution Title: Sophos Web Appliance Remote Code Execution Advisory ID: KL-001-2016-009 Publication Date: 2016.11.03 Publication URL:...
Acoem 01dB CUBEDUO Smart Noise Monitor - Password Change
Acoem 01dB CUBEDUO Smart Noise Monitor - Password Change !/bin/sh Acoem 01dB CUBE Smart Noise Monitoring Terminal Remote Password Change HW version: LIS001A Application FW: 2.34 Metrology FW: 2.10 Modem FW: 12.00.005 / 08.01.108 Copyright 2016 c Todor Donev https://www.ethical-hacker.org/...
Microsoft Internet Explorer 9 - MSHTML CPtsTextParaclient::CountApes Out-of-Bounds Read
Microsoft Internet Explorer 9 - MSHTML CPtsTextParaclient::CountApes Out-of-Bounds Read oElement1 position: absolute; oElement2:after position: relative; content: counterx; onload = function oElement1 = document.createElement'oElement1'; document.documentElement.appendChildoElement1; oElement2 =...
Piwik 2.16.0 - layout PHP Object Injection
Piwik 2.16.0 - layout PHP Object Injection --------------------------------------------------------------- Piwik checkTokenInUrl; 213. 214. $layout = Common::unsanitizeInputValueCommon::getRequestVar'layout'; 215. $layout = striptags$layout; 216. $idDashboard = Common::getRequestVar'idDashboard',...
Microsoft Internet Explorer 891011 IIS CScript.exeWScript.exe VBScript - CRegExp..Execute Use of Uninitialized Memory (MS14-080MS14-084)
Microsoft Internet Explorer 891011 IIS CScript.exeWScript.exe VBScript - CRegExp..Execute Use of Uninitialized Memory MS14-080MS14-084 !-- Source: http://blog.skylined.nl/20161107001.html Synopsis A specially crafted script can cause the VBScript engine to access data before initializing it. An...
Schoolhos CMS 2.29 - kelas SQL Injection
Schoolhos CMS 2.29 - kelas SQL Injection Document Title: =============== Schoolhos CMS v2.29 - kelas Data Siswa SQL Injection Vulnerability References Source: ==================== http://www.vulnerability-lab.com/getcontent.php?id=1931 Release Date: ============= 2016-11-07 Vulnerability Laborato...
SweetRice 1.5.1 - Arbitrary File Upload
SweetRice 1.5.1 - Arbitrary File Upload /usr/bin/python -- Coding: utf-8 -- Exploit Title: SweetRice 1.5.1 - Unrestricted File Upload Exploit Author: Ashiyane Digital Security Team Date: 03-11-2016 Vendor: http://www.basic-cms.org/ Software Link:...
SweetRice 1.5.1 - Backup Disclosure
SweetRice 1.5.1 - Backup Disclosure Title: SweetRice 1.5.1 - Backup Disclosure Application: SweetRice Versions Affected: 1.5.1 Vendor URL: http://www.basic-cms.org/ Software URL: http://www.basic-cms.org/attachment/sweetrice-1.5.1.zip Discovered by: Ashiyane Digital Security Team Tested on: Windo...
IBM AIX 5.3/6.1/7.1/7.2 - lquerylv Local Privilege Escalation
IBM AIX 5.3/6.1/7.1/7.2 - lquerylv Local Privilege Escalation !/usr/bin/sh AIX lquerylv 5.3, 6.1, 7.1, 7.2 local root exploit. Tested against latest patchset 7100-04 This exploit takes advantage of known issues with debugging functions within the AIX linker library. We are taking advantage of known...
PCMan FTP Server 2.0.7 - NLST Remote Buffer Overflow
PCMan FTP Server 2.0.7 - NLST Remote Buffer Overflow !/usr/bin/env python -- coding: utf-8 -- import socket Exploit Title: PCMan FTP Server 2.0 Buffer Overflow NLST command Date: 03/11/16 Exploit Author: Karri93 Version: 2.0 Tested on: Windows XP Profesional SP3 Spanish x86 CVE: N/A Shellcode...
BolinTech DreamFTP Server 1.02 - RETR Remote Buffer Overflow
BolinTech DreamFTP Server 1.02 - RETR Remote Buffer Overflow import socket import os import sys print ''' Created: ScrR1pTK1dd13 Name: Greg Priest Mail: [email protected] Exploit Title: DreamFTPServer1.0.2RETRcommandformatstringremotecodevuln Date: 2016.11.04 Exploit Author: Greg...
PCMan FTP Server 2.0.7 - SITE CHMOD Remote Buffer Overflow
PCMan FTP Server 2.0.7 - SITE CHMOD Remote Buffer Overflow !/usr/bin/env python -- coding: utf-8 -- Exploit Title: PCMan FTP Server 2.0 BoF SITE CHMOD Command Date: 04/11/2016 Exploit Author: Luis Noriega Tested on: Windows XP Profesional V. 5.1 Service Pack 3 CVE : n/a import socket shellcode wi...
IBM AIX 6.1/7.1/7.2.0.2 - lsmcode Local Privilege Escalation
IBM AIX 6.1/7.1/7.2.0.2 - lsmcode Local Privilege Escalation !/usr/bin/sh AIX lsmcode local root exploit. Affected: AIX 6.1/7.1/7.2.0.2 Blog post URL: https://rhinosecuritylabs.com/2016/11/03/unix-nostalgia-hunting-zeroday-vulnerabilities-ibm-aix/ lqueryroot.sh by @hxmonsegur 2016 //RSL...
Freefloat FTP Server 1.0 - SITE ZONE Remote Buffer Overflow
Freefloat FTP Server 1.0 - SITE ZONE Remote Buffer Overflow !/usr/bin/env python -- coding: utf-8 -- Exploit Title: FreeFloat FTP Server BoF SITE ZONE Command Date: 04/11/2016 Exploit Author: Luis Noriega Software Link: http://www.freefloat.com/software/freefloatftpserver.zip Version: 1.0 Tested...
PCMan FTP Server 2.0.7 - PORT Remote Buffer Overflow
PCMan FTP Server 2.0.7 - PORT Remote Buffer Overflow !/usr/bin/env python -- coding: utf-8 -- Exploit Title: PCMan FTP Server 2.0 PORT Command BoF Exploit Author: Pablo González Date: 4/11/2016 Software: PCMan 2.0 Tested on: Windows XP Profesional SP3 Spanish x86 import socket print "Creating...
sNews 1.7.1 - Arbitrary File Upload
sNews 1.7.1 - Arbitrary File Upload Exploit Title : Snews CMS upload sheller Author : Ashiyane Digital Security Team Google Dork : "This site is powered by sNews" Date : 04/11/2016 Type : webapps Platform : PHP Vendor Homepage : http://snewscms.com/ Software link :...
SweetRice 1.5.1 - Arbitrary File Download
SweetRice 1.5.1 - Arbitrary File Download /usr/bin/python -- Coding: utf-8 -- Exploit Title: SweetRice 1.5.1 - Local File Inclusion Exploit Author: Ashiyane Digital Security Team Date: 03-11-2016 Vendor: http://www.basic-cms.org/ Software Link:...
WinaXe 7.7 FTP client - Remote Buffer Overflow
WinaXe 7.7 FTP client - Remote Buffer Overflow + Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/WINAXE-FTP-CLIENT-REMOTE-BUFFER-OVERFLOW.txt + ISR: Apparition Security Vendor: ============ www.labf.com Product:...
ETchat 3.7 - Cross-Site Request Forgery
ETchat 3.7 - Cross-Site Request Forgery Exploit Title: ETchatpersian version CMS Xsrf vulnerability Exploit Author: Hesam Bazvand Contact: https://www.facebook.com/hesam.king73 Software Link: http://dl.20script.ir/script/chat/et-chat-3.7-Persianwww.20script.ir.zip Tested on: Windows 7 / Kali Linu...
nodCMS - Cross-Site Request Forgery
nodCMS - Cross-Site Request Forgery Exploit Title : nodcms Cross Site Request Forgery Author : Ashiyane Digital Security Team Google Dork : - Date : 29/10/2016 Type : webapps Platform : PHP Vendor Homepage : http://www.nodcms.com/en Software link :...
Rapid PHP Editor 14.1 - Remote Command Execution
Rapid PHP Editor 14.1 - Remote Command Execution + Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/RAPID-PHP-EDITOR-REMOTE-CMD-EXEC.txt + ISR: Apparition Security Vendor: ====================== www.rapidphpeditor.com Produc...
PCMan FTP Server 2.0.7 - ACCT Remote Buffer Overflow
PCMan FTP Server 2.0.7 - ACCT Remote Buffer Overflow !/usr/bin/env python -- coding: utf-8 -- Exploit Title: PCMan FTP Server 2.0 ACCT Command Buffer Overflow Exploit Date: 3/11/2016 Exploit Author: Cybernetic Version: 2.0 Tested on: Windows XP Profesional SP3 ESP x86 CVE : N/A import socket, os,...
Axessh 4.2 - Denial of Service
Axessh 4.2 - Denial of Service + Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/AXESSH-DENIAL-OF-SERVICE.txt + ISR: ApparitionSec Vendor: ============ www.labf.com Product: ============= Axessh 4.2.2 Axessh is a SSH client...
Redaxo 5.2.0 - Cross-Site Request Forgery
Redaxo 5.2.0 - Cross-Site Request Forgery Exploit Title : redaxo CMS CSRFAdd Admin Author : Ashiyane Digital Security Team Google Dork : intitle:Login · REDAXO Date : 1/11/2016 Type : webapps Platform : PHP Vendor Homepage : http://www.redaxo.org/ Software link...
SweetRice 1.5.1 - Cross-Site Request Forgery PHP Code Execution
SweetRice 1.5.1 - Cross-Site Request Forgery PHP Code Execution Hacked '; phpinfo; Code You Can Customize Exploit For Your Self . Exploit : -- Hacked '; phpinfo;? /textarea...
sNews 1.7.1 - Cross-Site Request Forgery
sNews 1.7.1 - Cross-Site Request Forgery Exploit Title : Snews CMS Cross Site Request Forgery Author : Ashiyane Digital Security Team Google Dork : "This site is powered by sNews" Date : 1/11/2016 Type : webapps Platform : PHP Vendor Homepage : http://snewscms.com/ Software link :...
PCMan FTP Server 2.0.7 - UMASK Remote Buffer Overflow
PCMan FTP Server 2.0.7 - UMASK Remote Buffer Overflow !/usr/bin/env python -- coding: utf-8 -- Exploit Title: PCMan's FTP Server 2.0.7 UMASK Command Buffer Overflow Exploit Date: 1/11/2016 Exploit Author: Eagleblack Tested on: Windows XP Profesional SP3 Spanish version x86 CVE : N/A import socket...
SunellSecurity NVR Camera - Denial of Service
SunellSecurity NVR Camera - Denial of Service Exploit Title: SunellSecurity NVR / Cams - Buffer overflow in CGI Date: 11.2.2016 Exploit Author: qwsj Vendor Homepage: https://github.com/qwsj Version: 1.6.08-09 / 2.0.06-08 Tested on: Windows / Linux Bug in CGI scrypt's for develop. Web service buff...
LifeSize Room 5.0.9 - Multiple Vulnerabilities
LifeSize Room 5.0.9 - Multiple Vulnerabilities Source: https://github.com/XiphosResearch/exploits/tree/master/deathsize LifeSize Room 5.0.9, remote config disclosure, code execution & local privilege escalation Ultimately the Lifesize Room products have fundamentally flawed firmware, many similar...
SweetRice 1.5.1 - Cross-Site Request Forgery
SweetRice 1.5.1 - Cross-Site Request Forgery document.forms0.submit;...
Citrix Receiver/Receiver Desktop Lock 4.5 - Authentication Bypass
Citrix Receiver/Receiver Desktop Lock 4.5 - Authentication Bypass thel3l Title: Citrix Receiver/Receiver Desktop Lock 4.5 Incorrect Access Control CVE: CVE-2016-9111 Date of Discovery: October 27 2016 Exploit Author: Rithwik Jayasimha Author Homepage/Contact: https://thel3l.me Vendor Name: Citrix...