Microsoft Windows 7 - win32k Bitmap Use-After-Free (MS16-062) (1)
Microsoft Windows 7 - win32k Bitmap Use-After-Free MS16-062 1 Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=746 The attached PoC triggers a blue screen on Windows 7 with special pool enabled on win32k.sys. A reference to the bitmap object still exists in the device context...
Bomgar Remote Support - Code Execution (Metasploit)
Bomgar Remote Support - Code Execution Metasploit This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class Metasploit3 'Bomgar Remote Support Unauthenticated Code Execution', 'Description' => %q This...
Oracle Orakill.exe 11.2.0 - Buffer Overflow (PoC)
Oracle Orakill.exe 11.2.0 - Buffer Overflow PoC ''' + Credits: hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/ORACLE-ORAKILL.EXE-BUFFER-OVERFLOW.txt + ISR: apparitionsec Vendor: ============== www.oracle.com Product: ===================...
WordPress Plugin Social Stream 1.5.15 - wp_options Overwrite
WordPress Plugin Social Stream 1.5.15 - wp_options Overwrite Vendor Homepage: Software Link: http://codecanyon.net/item/wordpress-social-stream/2201708?srank=15 Version: 1.5.15 Tested on: Debian 8, PHP 5.6.17-3 Type: Authenticated wp_options overwrite Time line: Found 14-May-2016, Vendor notified...
Grid Gallery 1.0 - Admin Panel Authentication Bypass
Grid Gallery 1.0 - Admin Panel Authentication Bypass ======================================================================================================= Grid Gallery 1.0 Admin panel Authentication bypass Description : Attackers are able to completely compromise the web application built up...
Easy RM to MP3 Converter 2.7.3.700 - .m3u File (Universal ASLR + DEP Bypass)
Easy RM to MP3 Converter 2.7.3.700 - .m3u File Universal ASLR + DEP Bypass Exploit Title: Easy RM to MP3 Converter 2.7.3.700 .m3u File BoF Exploit with Universal DEP+ASLR bypass Date: 2016-06-12 Exploit Author: Csaba Fitzl Vendor Homepage: N/A Software Link:...
Foxit PDF Reader 1.0.1.0925 - CFX_WideString::operator Invalid Read
Foxit PDF Reader 1.0.1.0925 - CFX_WideString::operator Invalid Read Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=745 We have identified the following crash due to an invalid read in Foxit PDF Reader version 1.0.1.0925 for Linux 64-bit, when started with a specially crafted PDF...
Foxit PDF Reader 1.0.1.0925 - CPDF_DIBSource::TranslateScanline24bpp Out-of-Bounds Read
Foxit PDF Reader 1.0.1.0925 - CPDF_DIBSource::TranslateScanline24bpp Out-of-Bounds Read Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=744 We have identified the following crash due to an out-of-bounds read in Foxit PDF Reader version 1.0.1.0925 for Linux 64-bit, when started wi...
iSQL 1.0 - isql_main.c Buffer Overflow (PoC)
iSQL 1.0 - isql_main.c Buffer Overflow PoC #!/bin/ruby Exploit Title: iSQLRL 1.0 - Buffer Overflow isql_main.c Date: 2016-06-13 Exploit Author: HaHwul Exploit Author Blog: www.hahwul.com Vendor Homepage: https://github.com/roselone/iSQL Software Link: https://github.com/roselone/iSQL/archive/master.z...
Foxit PDF Reader 1.0.1.0925 - kdu_core::kdu_codestream::get_subsampling Memory Corruption
Foxit PDF Reader 1.0.1.0925 - kdu_core::kdu_codestream::get_subsampling Memory Corruption Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=743 We have identified the following memory corruption vulnerability in Foxit PDF Reader version 1.0.1.0925 for Linux 64-bit, when started with ...
iSQL 1.0 - Command Injection
iSQL 1.0 - Command Injection #!/bin/ruby Exploit Title: iSQLRL 1.0 - Shell Command Injection Date: 2016-06-13 Exploit Author: HaHwul Exploit Author Blog: www.hahwul.com Vendor Homepage: https://github.com/roselone/iSQL Software Link: https://github.com/roselone/iSQL/archive/master.zip Version: 1.0...
FRticket Ticket System - Persistent Cross-Site Scripting
FRticket Ticket System - Persistent Cross-Site Scripting Exploit Title: FRticket - Ticket System - Stored XSS Google Dork: if applicable Date: 11.06.2016 Exploit Author: Hamit ABİŞ Vendor Homepage: http://codecanyon.net/item/frticket-ticket-system/16539836 Version: v1 About Get the world’s most...
Viart Shopping Cart 5.0 - Cross-Site Request Forgery Arbitrary File Upload
Viart Shopping Cart 5.0 - Cross-Site Request Forgery Arbitrary File Upload function submitRequest() { var xhr = new XMLHttpRequest(); xhr.open("POST", "http://localhost/admin/adminfmuploadfiles.php", true); xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");...
Foxit PDF Reader 1.0.1.0925 - CFX_BaseSegmentedArray::IterateIndex Memory Corruption
Foxit PDF Reader 1.0.1.0925 - CFX_BaseSegmentedArray::IterateIndex Memory Corruption Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=742 We have identified the following memory corruption vulnerability in Foxit PDF Reader version 1.0.1.0925 for Linux 64-bit, when started with a...
Dream Gallery 2.0 - Admin Panel Authentication Bypass
Dream Gallery 2.0 - Admin Panel Authentication Bypass ======================================================================================================= Dream Gallery 2.0 Admin panel Authentication bypass Description : Attackers are able to completely compromise the web application built...
Joomla! Component com_payplans 3.3.6 - SQL Injection
Joomla! Component com_payplans 3.3.6 - SQL Injection Exploit Title : Joomla com_payplans - SQL Injection Exploit Author : Persian Hack Team Vendor Homepage : http://extensions.joomla.org/extension/payplans Category: Webapps Tested on: Win Version: 3.3.6 Date: 2016/06/08 PoC: groupid Parameter...
Foxit PDF Reader 1.0.1.0925 - CPDF_StreamContentParser::~CPDF_StreamContentParser Heap Memory Corruption
Foxit PDF Reader 1.0.1.0925 - CPDF_StreamContentParser::~CPDF_StreamContentParser Heap Memory Corruption Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=741 We have identified the following memory corruption vulnerability in Foxit PDF Reader version 1.0.1.0925 for Linux 64-bit, whe...
Zabbix 2.2 3.0.3 - API JSON-RPC Remote Code Execution
Zabbix 2.2 3.0.3 - API JSON-RPC Remote Code Execution #!/usr/bin/env python # -*- coding: utf-8 -*- Exploit Title: Zabbix RCE with API JSON-RPC Date: 06-06-2016 Exploit Author: Alexander Gurin Vendor Homepage: http://www.zabbix.com Software Link: http://www.zabbix.com/download.php Version: 2.2 - 3.0.3...
Apple Mac OSX Kernel - Null Pointer Dereference in AppleMuxControl.kext
Apple Mac OSX Kernel - Null Pointer Dereference in AppleMuxControl.kext / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=783 The method AppleGraphicsControlClient::checkArguments does actually appear to test whether the pointer at this+0xd8 is non-null, but uses it anyway : We...
Matrix42 Remote Control Host 3.20.0031 - Unquoted Path Privilege Escalation
Matrix42 Remote Control Host 3.20.0031 - Unquoted Path Privilege Escalation Exploit Title: Matrix42 Remote Control Host - Unquoted Path Privilege Escalation Date: 06-05-2016 Exploit Author: Roland C. Redl Vendor Homepage: https://www.matrix42.com/ Software Link: n/a Version: 3.20.0031 Tested on:...
Poison Ivy 2.1.x (C2 Server) - Remote Buffer Overflow (Metasploit)
Poison Ivy 2.1.x C2 Server - Remote Buffer Overflow Metasploit This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class MetasploitModule 'Poison Ivy 2.1.x C2 Buffer Overflow', 'Description' => %q This...
Armadito Antimalware - Backdoor AccessBypass
Armadito Antimalware - Backdoor AccessBypass / Exploit Title : Armadito antimalware - Backdoor/Bypass Date : 07-06-2016 DD-MM-YYYY Exploit Author : Ax. Vendor Homepage : http://www.teclib-edition.com/teclib-products/armadito-antivirus/ Software Link : https://github.com/41434944/armadito-av Versi...
Apple Mac OSX Kernel - NULL Dereference in CoreCaptureResponder Due to Unchecked Return Value
Apple Mac OSX Kernel - NULL Dereference in CoreCaptureResponder Due to Unchecked Return Value / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=777 Pretty much all the external methods of CoreCaptureUserClient call CoreCaptureUserClient::stashGet passing an attacker controlled...
miniMySQLAdmin 1.1.3 - Cross-Site Request Forgery (SQL Execution)
miniMySQLAdmin 1.1.3 - Cross-Site Request Forgery SQL Execution document.forms.csrfpoc.submit; select * from user order by User asc limit 20 Host User % exploituser1 --...
Apple Mac OSX iOS Kernel - UAF Racing getProperty on IOHDIXController and testNetBootMethod on IOHDIXControllerUserClient
Apple Mac OSX iOS Kernel - UAF Racing getProperty on IOHDIXController and testNetBootMethod on IOHDIXControllerUserClient / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=732 This is perhaps a more interesting UaF than just racing testNetBootMethod calls as there looks to be a...
Apple Mac OSX Kernel - Out-of-Bounds Read of Object Pointer Due to Insufficient Checks in Raw Cast to enum Type
Apple Mac OSX Kernel - Out-of-Bounds Read of Object Pointer Due to Insufficient Checks in Raw Cast to enum Type / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=774 The IOHIDFamily function IOHIDDevice::handleReportWithTime takes an attacker controlled unchecked IOHIDReportType...
Apple Mac OSX Kernel - Null Pointer Dereference in nvCommandQueue::GetHandleIndex in GeForce.kext
Apple Mac OSX Kernel - Null Pointer Dereference in nvCommandQueue::GetHandleIndex in GeForce.kext / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=784 The method nvCommandQueue::GetHandleIndex doesn't check whether this+0x5b8 is non-null before using it. We can race a call to...
Apple Mac OSX Kernel - GeForce GPU Driver Stack Buffer Overflow
Apple Mac OSX Kernel - GeForce GPU Driver Stack Buffer Overflow / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=724 nvAPIClient::Escape is the sole external method of nvAcclerator userclient type 0x2a0. It implements its own method and parameter demuxing using the struct-in...
Apple Mac OSX Kernel - Null Pointer Dereference in IOAudioEngine
Apple Mac OSX Kernel - Null Pointer Dereference in IOAudioEngine / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=776 IOAudioEngineUserClient::closeClient sets the audioEngine member pointer to NULL IOReturn IOAudioEngineUserClient::closeClient audioDebugIOLog3, "+...
Apple Mac OSX Kernel - Use-After-Free Due to Bad Locking in IOAcceleratorFamily2
Apple Mac OSX Kernel - Use-After-Free Due to Bad Locking in IOAcceleratorFamily2 / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=772 In IOAccelContext2::clientMemoryForType the lockbusy/unlockbusy should be extended to cover all the code setting up shared memory type 2. At the...
Dell OpenManage Server Administrator 8.3 - XML External Entity
Dell OpenManage Server Administrator 8.3 - XML External Entity #!/usr/bin/ruby Exploit Title: Dell OpenManage Server Administrator 8.3 XXE Date: June 9, 2016 Exploit Author: hantwister Vendor Homepage:...
phpMyFAQ 2.9.0 - Persistent Cross-Site Scripting
phpMyFAQ 2.9.0 - Persistent Cross-Site Scripting Exploit Title: phpMyFAQ 2.9.0 Stored XSS Date: 09-06-2016 Software Link: http://www.phpmyfaq.de/ Exploit Author: Kacper Szurek Contact: http://twitter.com/KacperSzurek Website: http://security.szurek.pl/ Category: webapps 1. Description PHP...
Apple Mac OSX Kernel - NULL Dereference in IOAccelSharedUserClient2::page_off_resource
Apple Mac OSX Kernel - NULL Dereference in IOAccelSharedUserClient2::page_off_resource / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=778 IOAccelerator external method IOAccelSharedUserClient2::page_off_resource uses the pointer at this+0x100 without checking if it's NULL. A seri...
Mobiketa 1.0 - Cross-Site Request Forgery (Add Admin)
Mobiketa 1.0 - Cross-Site Request Forgery Add Admin -- + Contact: http://twitter.com/muratyilmazlarr --...
Apple Mac OSX Kernel - Null Pointer Dereference in AppleGraphicsDeviceControl
Apple Mac OSX Kernel - Null Pointer Dereference in AppleGraphicsDeviceControl / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=782 AppleGraphicsDeviceControlClient doesn't check that its pointer to its IOService at this+0xd8 is non-null before using it in all external methods. ...
Riot Games League of Legends - Insecure File Permissions Privilege Escalation
Riot Games League of Legends - Insecure File Permissions Privilege Escalation ------------------------------------------------------------------------------------ Exploit Title: Riot Games League of Legends Insecure File Permissions Privilege Escalation Date: 03/06/16 Exploit Author: Cyril...
Google Android - /system/bin/sdcard Stack Buffer Overflow (PoC)
Google Android - /system/bin/sdcard Stack Buffer Overflow PoC Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=798 Android: Stack-buffer-overflow in /system/bin/sdcard There's an integer overflow issue in get_node_path_locked, which results in a buffer overflow. For all of the calling...
Microsoft Word (Windows/OSX) - Crash (PoC)
Microsoft Word Windows/OSX - Crash PoC Source: https://twitter.com/halsten/status/740380171694280704 Win/Mac MSFT Word 0day POC having 3 different forced triggers. Happy exploitation! Let Word recover it, it's essential, and then you can trigger the bug afterwards in 3 ways, Save, Close/Save, chang...
Drale DBTableViewer 100123 - Blind SQL Injection
Drale DBTableViewer 100123 - Blind SQL Injection Drale DBTableViewer v100123 - Blind SQL Injection Exploit Title: drale DBTableViewer - SQL InjectionBlind/Error Base Date: 2016-06-08 Exploit Author: HaHwul Exploit Author Blog: www.hahwul.com Vendor Homepage: http://drale.com/ Software Link:...
League of Legends Screensaver - Unquoted Service Path Privilege Escalation
League of Legends Screensaver - Unquoted Service Path Privilege Escalation Exploit Title: League of Legends Screensaver Unquoted Service Paths Conditional Privilege Escalation. CVE-ID: NA Date: 13/04/2016 Exploit Author: Vincent Yiu Contact: [email protected] Vendor Homepage:...
League of Legends Screensaver - Insecure File Permissions Privilege Escalation
League of Legends Screensaver - Insecure File Permissions Privilege Escalation Exploit Title: League of Legends Screensaver Insecure File Permissions Privilege Escalation CVE-ID: NA Date: 13/04/2016 Exploit Author: Vincent Yiu Contact: [email protected] Vendor Homepage:...
Cisco EPC 3928 - Multiple Vulnerabilities
Cisco EPC 3928 - Multiple Vulnerabilities Title: Cisco EPC 3928 Multiple Vulnerabilities Vendor: http://www.cisco.com/ Vulnerable Versions: Cisco Model EPC3928 DOCSIS 3.0 8x4 Wireless Residential Gateway CVE References: CVE-2015-6401 / CVE-2015-6402 / CVE-2016-1328 / CVE-2016-1336 / CVE-2016-1337...
Electroweb Online Examination System 1.0 - SQL Injection
Electroweb Online Examination System 1.0 - SQL Injection Exploit Title: Online examination system 1.0 - SQL Injection Google Dork: inurl:showtest.php?subid= Date: 2016/06/05 Exploit Author: Ali Ghanbari Vendor Homepage: http://www.onlinefreeprojectdownload.com Software Link :...
WordPress Plugin Double Opt-In for Download 2.0.9 - SQL Injection
WordPress Plugin Double Opt-In for Download 2.0.9 - SQL Injection Exploit Title: Double Opt-In for Download 2.0.9 Sql Injection Date: 06-06-2016 Software Link: https://wordpress.org/plugins/double-opt-in-for-download/ Exploit Author: Kacper Szurek Contact: http://twitter.com/KacperSzurek Website:...
ArticleSetup 1.00 - Cross-Site Request Forgery (Change Admin Password)
ArticleSetup 1.00 - Cross-Site Request Forgery Change Admin Password...
WordPress Plugin WP Mobile Detector 3.5 - Arbitrary File Upload
WordPress Plugin WP Mobile Detector 3.5 - Arbitrary File Upload Exploit Title: WP Mobile Detector <=3.5 Arbitrary File upload Google Dork: inurl: /wp-includes/plugins/wp-mobile-detector Date: 1-06-2015 Exploit Author: Aaditya Purani Author Details: https://aadityapurani.com Vendor:...
rConfig 3.1.1 - Local File Inclusion
rConfig 3.1.1 - Local File Inclusion Title =================== rConfig, the open source network device configuration management tool, Vulnerable to Local File Inclusion Summary =================== rConfig, the open source network device configuration management tool, is vulnerable to local file...
Apache Continuum 1.4.2 - Multiple Vulnerabilities
Apache Continuum 1.4.2 - Multiple Vulnerabilities Exploit Title: Unauthenticated command injection - Apache Continuum Google Dork: inurl::8080/continuum/ Date: 04/06/2016 Exploit Author: David Shanahan @cyberpunksec Contact: http://www.procheckup.com/ Vendor Homepage: https://continuum.apache.org...
Dream Gallery 1.0 - Cross-Site Request Forgery (Add Admin)
Dream Gallery 1.0 - Cross-Site Request Forgery Add Admin...
WordPress Theme Uncode 1.3.1 - Arbitrary File Upload
WordPress Theme Uncode 1.3.1 - Arbitrary File Upload Vendor Homepage: Software Link: http://themeforest.net/item/uncode-creative-multiuse-wordpress-theme/13373220 Version: 1.3.0 possible 1.3.1 Tested on: Debian 8, PHP 5.6.17-3 Type: RCE, Arbitrary file UPLOAD, Low Authenticated Time line: Found...