Freefloat FTP Server 1.0 - DIR Remote Buffer Overflow
Freefloat FTP Server 1.0 - DIR Remote Buffer Overflow import socket import sys import os print ''' Created: ScrR1pTK1dd13 Name: Greg Priest Mail: [email protected] Exploit Title: FreefloatFTPserver1.0dircommandremotecodeexploit Date: 2016.11.02 Exploit Author: Greg Priest Version:...
Microsoft Internet Explorer 9 - MSHTML CAttrArray Use-After-Free (MS14-056)
Microsoft Internet Explorer 9 - MSHTML CAttrArray Use-After-Free MS14-056 oTextArea = document.createElement'textarea'; oTextArea.dataSrc = 1; oTextArea.id = 1; oTextArea.innerHTML = 1; oTextArea.onvolumechange = 1; oTextArea.style.setProperty'list-style', "url"; !-- Analysis The CAttrArray objec...
Microsoft Internet Explorer 11 - MSHTML CView::CalculateImageImmunity Use-After-Free
Microsoft Internet Explorer 11 - MSHTML CView::CalculateImageImmunity Use-After-Free var oDocumentFragment = document.createDocumentFragment, oElement = document.createElement'x'; oDocumentFragment.appendChildoElement; oElement.style.listStyleImage = "urlx"; oDocumentFragment.removeChildoElement;...
Alienvault OSSIMUSM 5.3.1 - SQL Injection
Alienvault OSSIMUSM 5.3.1 - SQL Injection Details ======= Product: Alienvault OSSIM/USM Vulnerability: SQL Injection Author: Peter Lapp, lappsec gmail com CVE: CVE-2016-8582 Vulnerable Versions: =5.3.1 Fixed Version: 5.3.2 Vulnerability Details ===================== A SQL injection vulnerability...
Alienvault OSSIMUSM 5.3.1 - Persistent Cross-Site Scripting
Alienvault OSSIMUSM 5.3.1 - Persistent Cross-Site Scripting Details ======= Product: Alienvault OSSIM/USM Vulnerability: Stored XSS Author: Peter Lapp, lappsec gmail com CVE: CVE-2016-8581 CVSS: 3.5 Vulnerable Versions: Current Sessions. POC === The POC uses jQuery to send all session IDs on the...
Alienvault OSSIMUSM 5.3.1 - PHP Object Injection
Alienvault OSSIMUSM 5.3.1 - PHP Object Injection Details ======= Product: Alienvault OSSIM/USM Vulnerability: PHP Object Injection Author: Peter Lapp, lappsec gmail com CVE: CVE-2016-8580 Vulnerable Versions: =5.3.1 Fixed Version: 5.3.2 Vulnerability Details ===================== A PHP object...
Freefloat FTP Server 1.0 - ABOR Remote Buffer Overflow
Freefloat FTP Server 1.0 - ABOR Remote Buffer Overflow !/usr/bin/env python -- coding: utf-8 -- Exploit Title: FreeFloat FTP Server BoF ABOR Command Date: 29/10/2016 Exploit Author: Ger Software Link: http://www.freefloat.com/software/freefloatftpserver.zip Version: 1.0 Tested on: Windows XP...
Freefloat FTP Server 1.0 - RMD Remote Buffer Overflow
Freefloat FTP Server 1.0 - RMD Remote Buffer Overflow !/usr/bin/env python -- coding: utf-8 -- import socket Exploit Title: FreeFloat FTP Server Buffer Overflow RMD command Date: 29 October 2016 Exploit Author: Karri93 Software Link: http://www.freefloat.com/software/freefloatftpserver.zip Versio...
My Little Forum 2.3.7 - Multiple Vulnerabilities
My Little Forum 2.3.7 - Multiple Vulnerabilities Title: ====== My Little Forum 2.3.7 - Multiple Vulnerability Product & Service Introduction: =============================== My little forum is a simple PHP and MySQL based internet forum that displays the messages in classical threaded view tree...
KarjaSoft Sami FTP Server 2.0.2 - USERPASS Remote Buffer Overflow (SEH)
KarjaSoft Sami FTP Server 2.0.2 - USERPASS Remote Buffer Overflow SEH /usr/bin/python -- Coding: utf-8 -- Sami FTP Server 2.0.2- SEH Overwrite, Buffer Overflow by n30m1nd Date: 2016-01-11 Exploit Author: n30m1nd Vendor Homepage: http://www.karjasoft.com/ Software Link:...
Freefloat FTP Server 1.0 - HOST Remote Buffer Overflow
Freefloat FTP Server 1.0 - HOST Remote Buffer Overflow !/usr/bin/env python -- coding: utf-8 -- Exploit Title: FreeFloat FTP Server HOST Command Buffer Overflow Exploit Date: 30/10/2016 Exploit Author: Cybernetic Software Link: http://www.freefloat.com/software/freefloatftpserver.zip Version: 1.0...
Memcached 1.4.33 - Crash (PoC)
Memcached 1.4.33 - Crash PoC Source: http://paper.seebug.org/95/ import struct import socket import sys MEMCACHEDREQUESTMAGIC = "\x80" OPCODEPREPENDQ = "\x1a" keylen = struct.pack"!H",0xfa extralen = "\x00" datatype = "\x00" vbucket = "\x00\x00" bodylen = struct.pack"!I",0 opaque =...
School Registration and Fee System - Authentication Bypass
School Registration and Fee System - Authentication Bypass Exploit Title.............. School Registration and Fee System Auth Bypass Google Dork................ N/A Date....................... 01/11/2016 Exploit Author............. opt1lc Vendor Homepage...
Freefloat FTP Server 1.0 - RENAME Remote Buffer Overflow
Freefloat FTP Server 1.0 - RENAME Remote Buffer Overflow !/usr/bin/env python -- coding: utf-8 -- Exploit Title: FreeFloat FTP Server RENAME Command Buffer Overflow Exploit Date: 29/10/2016 Exploit Author: Eagleblack Software Link: http://www.freefloat.com/software/freefloatftpserver.zip Version:...
MySQL MariaDB PerconaDB 5.5.x5.6.x5.7.x - mysql System User Privilege Escalation Race Condition
MySQL MariaDB PerconaDB 5.5.x5.6.x5.7.x - mysql System User Privilege Escalation Race Condition / Source: https://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html // http://legalhackers.com/exploits/CVE-2016-6663/mysql-privesc-race.c...
MySQL MariaDB PerconaDB 5.5.x5.6.x5.7.x - root System User Privilege Escalation
MySQL MariaDB PerconaDB 5.5.x5.6.x5.7.x - root System User Privilege Escalation !/bin/bash -p Source: https://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html // http://legalhackers.com/exploits/CVE-2016-6664/mysql-chowned.sh MySQL / MariaDB / PerconaDB ...
Memcached 1.4.33 - Add (PoC)
Memcached 1.4.33 - Add PoC Source: http://paper.seebug.org/95/ import struct import socket import sys MEMCACHEDREQUESTMAGIC = "\x80" OPCODEADD = "\x02" keylen = struct.pack"!H",0xfa extralen = "\x08" datatype = "\x00" vbucket = "\x00\x00" bodylen = struct.pack"!I",0xffffffd0 opaque =...
Memcached 1.4.33 - sasl (PoC)
Memcached 1.4.33 - sasl PoC Source: http://paper.seebug.org/95/ import struct import socket import sys MEMCACHEDREQUESTMAGIC = "\x80" OPCODESET = "\x21" keylen = struct.pack"!H",32 bodylen = struct.pack"!I",1 packet = MEMCACHEDREQUESTMAGIC + OPCODESET + keylen + bodylen2 + "A"1000 if lensys.argv ...
freeFTPd 1.0.8 - mkd Denial of Service
freeFTPd 1.0.8 - mkd Denial of Service from ftplib import FTP print ''' ,;'++';, '++++++++++++++++; .+++++++++++++++++++++++' ;++++++: :++++++: '++++' , +. :; . .'++++; :++++, '+ +.+.++':+:+ +: + :++++, ++++, + ++.++':+.+ +:'.+. :++++ ,+++; + +:':++',++,++.+:+ +, '+++. '+++ ++ ;+ ,+:'; ,: ;;+++...
NVIDIA Driver - Missing Bounds Check in Escape 0x70000d5
NVIDIA Driver - Missing Bounds Check in Escape 0x70000d5 Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=944 The DxgkDdiEscape handler for 0x70000d5 lacks bounds checks: ... if gsavedsize escape-size = gsavedsize; if unsigned intgsavedsize 0 do v5 = v2++; escape-datav5 =...
NVIDIA Driver - No Bounds Checking in Escape 0x7000170
NVIDIA Driver - No Bounds Checking in Escape 0x7000170 Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=936 The DxgkDdiEscape handler for 0x7000170 lacks proper bounds checks for the variable size input escape data, and relies on a user provided size as the upper bound for writin...
S9Y Serendipity 2.0.4 - Cross-Site Scripting
S9Y Serendipity 2.0.4 - Cross-Site Scripting ======================================== Title: Serendipity-2.0.4 latest version - Stored Cross Site Scripting Application: Serendipity Class: Sensitive Information disclosure Versions Affected: alert'Meryem ExploitDB' HTTP Request POST...
Micro Focus Rumba 9.3 - ActiveX Stack Buffer Overflow (PoC)
Micro Focus Rumba 9.3 - ActiveX Stack Buffer Overflow PoC Exploit Title: Micro Focus Rumba function vuln // 272 Junk Data // 272 + "\x43\x43\x43\x43" = EDX = 43434343 // // If we change the edx to an address that point to a valid address // We will have control over EIP // 0x20302228 // Overwrite...
NVIDIA Driver - NvStreamKms PsSetCreateProcessNotifyRoutineEx Local Stack Buffer Overflow Callback Local Privilege Escalation
NVIDIA Driver - NvStreamKms PsSetCreateProcessNotifyRoutineEx Local Stack Buffer Overflow Callback Local Privilege Escalation Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=918 The NvStreamKms.sys driver calls PsSetCreateProcessNotifyRoutineEx to set up a process creation...
Apple OS XiOS Kernel - IOSurface Use-After-Free
Apple OS XiOS Kernel - IOSurface Use-After-Free Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=831 IOSurfaceRootUserClient stores a task struct pointer passed in via IOServiceOpen in the field at +0xf0 without taking a reference. By killing the corresponding task we can free th...
Rumba FTP Client 4.x - Remote Stack Buffer Overflow (SEH)
Rumba FTP Client 4.x - Remote Stack Buffer Overflow SEH Exploit Title: Rumba FTP 4.x Client Stackoverflow SEH Date: 29-10-2016 Exploit Author: Umit Aksu Vendor Homepage: http://community.microfocus.com/microfocus/mainframesolutions/rumba/w/knowledgebase/28731.rumba-ftp-4-x-security-update.aspx...
Apple OS X Kernel - IOBluetoothFamily.kext Use-After-Free
Apple OS X Kernel - IOBluetoothFamily.kext Use-After-Free / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=830 When you create a new IOKit user client from userspace you call: kernreturnt IOServiceOpen ioservicet service, taskportt owningTask, uint32t type, ioconnectt connect ;...
NVIDIA Driver - UVMLiteController ioctl Handling Unchecked InputOutput Lengths Privilege Escalation
NVIDIA Driver - UVMLiteController ioctl Handling Unchecked InputOutput Lengths Privilege Escalation / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=880 The \.\UVMLiteController device is created by the nvlddmkm.sys driver, and can be opened by any user. The driver handles...
NVIDIA Driver - Missing Bounds Check in Escape 0x100009a
NVIDIA Driver - Missing Bounds Check in Escape 0x100009a Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=942 The DxgkDdiEscape handler for escape 0x100009a lacks proper bounds checks: case 0x100009A: ... size0 = escapedata-size1; ... size1 = 2 - escapedata-unknown size2;...
Apple OS XiOS - mach_ports_register Multiple Memory Safety s
Apple OS XiOS - machportsregister Multiple Memory Safety s Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=882 machportsregister is a kernel task port MIG method. It's defined in MIG like this: routine machportsregister targettask : taskt; initportset : machportarrayt = ^array o...
NVIDIA Driver - Incorrect Bounds Check in Escape 0x70001b2
NVIDIA Driver - Incorrect Bounds Check in Escape 0x70001b2 Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=940 The DxgkDdiEscape handler for 0x70001b2 doesn't do proper bounds checks for its variable size input. void sub8C4304... ... // escape-size is controlled by the user. if...
NVIDIA Driver - Unchecked User-Provided Pointer in Escape 0x5000027
NVIDIA Driver - Unchecked User-Provided Pointer in Escape 0x5000027 Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=937 The DxgkDdiEscape handler for 0x5000027 accepts a user provided pointer, but does no checks on it before using it. ... DWORD userptr = escape5000027data-userpt...
NVIDIA Driver - Escape 0x100010b Missing Bounds Check
NVIDIA Driver - Escape 0x100010b Missing Bounds Check Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=927 The DxgkDdiEscape handler for escape code 0x100010b looks like: char escape100010bNvMiniportDeviceContext miniportcontext, HANDLE handle, unsigned int idx PVOID Object; if...
NVIDIA Driver - Unchecked Write to User-Provided Pointer in Escape 0x600000D
NVIDIA Driver - Unchecked Write to User-Provided Pointer in Escape 0x600000D Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=911 The DxgkDdiEscape handler for 0x600000D passes an unchecked user provided pointer as the destination for a memcpy call. This leads to kernel memory...
PCMan FTP Server 2.0.7 - DELETE Remote Buffer Overflow
PCMan FTP Server 2.0.7 - DELETE Remote Buffer Overflow from ftplib import FTP print ''' Created: ScrR1pTK1dd13 Name: Greg Priest Mail: [email protected] Exploit Title: PCmanftpddeletecommandremotecodeexploitWin7x64HUNENG Date: 2016.10.31 Exploit Author: Greg Priest Version: Pcmanftp...
NVIDIA Driver - No Bounds Checking in Escape 0x7000194
NVIDIA Driver - No Bounds Checking in Escape 0x7000194 Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=895 The DxgkDdiEscape handler for 0x7000194 doesn't do bounds checking with the user provided lengths it receives. When these lengths are passed to memcpy, overreads and memory...
NVIDIA Driver - Escape Code Leaks Uninitialised ExAllocatePoolWithTag Memory to Userspace
NVIDIA Driver - Escape Code Leaks Uninitialised ExAllocatePoolWithTag Memory to Userspace Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=892 The handler for the DxgkDdiEscape escape code 0x70000D4 has the following pseudocode: void fastcall escape70000D4NvMiniportDeviceContext...
Apple macOS 10.12 - task_t Local Privilege Escalation
Apple macOS 10.12 - taskt Local Privilege Escalation Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=837 TL;DR you cannot hold or use a task struct pointer and expect the euid of that task to stay the same. Many many places in the kernel do this and there are a great many very...
NVIDIA Driver - Stack Buffer Overflow in Escape 0x10000e9
NVIDIA Driver - Stack Buffer Overflow in Escape 0x10000e9 Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=947 The escape handler for 0x10000e9 lacks bounds checks, and passes a user specified size as the size to memcpy, resulting in a stack buffer overflow: bool...
NVIDIA Driver - Unchecked Write to User-Provided Pointer in Escape 0x700010d
NVIDIA Driver - Unchecked Write to User-Provided Pointer in Escape 0x700010d Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=894 The DxgkDdiEscape handler for 0x700010d accepts a user provided pointer as the destination for a memcpy call, without doing any checks on said pointer...
NVIDIA Driver - Stack Buffer Overflow in Escape 0x7000014
NVIDIA Driver - Stack Buffer Overflow in Escape 0x7000014 Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=946 There is a missing bounds check in inner loop of the escape handler for 0x7000014 that leads to a stack buffer overflow: ... for DWORD i = 0; numdata; ++i ... // size is...
Micro Focus Rumba 9.4 - Local Denial of Service
Micro Focus Rumba 9.4 - Local Denial of Service Exploit Title: Micro Focus Rumba 9.4 Multiple Local Stack-overflow Date: 29-10-2016 Exploit Author: Umit Aksu Vendor Homepage: http://www.microfocus.com/ Software Link:...
InfraPower PPS-02-S Q213V1 - Authentication Bypass
InfraPower PPS-02-S Q213V1 - Authentication Bypass InfraPower PPS-02-S Q213V1 Authentication Bypass Vulnerability Vendor: Austin Hughes Electronics Ltd. Product web page: http://www.austin-hughes.com Affected version: Q213V1 Firmware: V2395S Fixed version: Q216V3 Firmware: IPD-02-FW-v03 Summary:...
InfraPower PPS-02-S Q213V1 - Insecure Direct Object Reference
InfraPower PPS-02-S Q213V1 - Insecure Direct Object Reference InfraPower PPS-02-S Q213V1 Insecure Direct Object Reference Authorization Bypass Vendor: Austin Hughes Electronics Ltd. Product web page: http://www.austin-hughes.com Affected version: Q213V1 Firmware: V2395S Fixed version: Q216V3...
InfraPower PPS-02-S Q213V1 - Multiple Cross-Site Scripting Vulnerabilities
InfraPower PPS-02-S Q213V1 - Multiple Cross-Site Scripting Vulnerabilities InfraPower PPS-02-S Q213V1 Multiple XSS Vulnerabilities Vendor: Austin Hughes Electronics Ltd. Product web page: http://www.austin-hughes.com Affected version: Q213V1 Firmware: V2395S Fixed version: Q216V3 Firmware:...
InfraPower PPS-02-S Q213V1 - Local File Disclosure
InfraPower PPS-02-S Q213V1 - Local File Disclosure InfraPower PPS-02-S Q213V1 Local File Disclosure Vulnerability Vendor: Austin Hughes Electronics Ltd. Product web page: http://www.austin-hughes.com Affected version: Q213V1 Firmware: V2395S Fixed version: Q216V3 Firmware: IPD-02-FW-v03 Summary:...
InfraPower PPS-02-S Q213V1 - Hard-Coded Credentials
InfraPower PPS-02-S Q213V1 - Hard-Coded Credentials InfraPower PPS-02-S Q213V1 Hard-coded Credentials Remote Root Access Vendor: Austin Hughes Electronics Ltd. Product web page: http://www.austin-hughes.com Affected version: Q213V1 Firmware: V2395S Fixed version: Q216V3 Firmware: IPD-02-FW-v03...
InfraPower PPS-02-S Q213V1 - Remote Command Execution
InfraPower PPS-02-S Q213V1 - Remote Command Execution InfraPower PPS-02-S Q213V1 Unauthenticated Remote Root Command Execution Vendor: Austin Hughes Electronics Ltd. Product web page: http://www.austin-hughes.com Affected version: Q213V1 Firmware: V2395S Fixed version: Q216V3 Firmware:...
InfraPower PPS-02-S Q213V1 - Cross-Site Request Forgery
InfraPower PPS-02-S Q213V1 - Cross-Site Request Forgery InfraPower PPS-02-S Q213V1 Cross-Site Request Forgery Vendor: Austin Hughes Electronics Ltd. Product web page: http://www.austin-hughes.com Affected version: Q213V1 Firmware: V2395S Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI...
GNU GTypist 2.9.5-2 - Local Buffer Overflow
GNU GTypist 2.9.5-2 - Local Buffer Overflow Exploit developed using Exploit Pack v6.5 Exploit Author: Juan Sacco - http://www.exploitpack.com - [email protected] Program affected: GNU Typist Affected value: ARG0 Version: 2.9.5-2 Tested and developed under: Kali Linux 2.0 x86 -...