Adobe Flash - Out-of-Bounds Read when Placing Object
Adobe Flash - Out-of-Bounds Read when Placing Object Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=794 There is an out of bounds read when placing a corrupt image. This issue might be exploitable, depending on what is read. A PoC is attached. To reproduce issue, put both files...
Adobe Flash - Heap Overflow in ATF Processing Image Reading
Adobe Flash - Heap Overflow in ATF Processing Image Reading Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=789 There is a large heap overflow in reading an ATF image to a Bitmap object. To reproduce the issue, load the attached file '4' using LoadImage.swf as follows:...
Adobe Flash - JXR Processing Out-of-Bounds Read
Adobe Flash - JXR Processing Out-of-Bounds Read Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=791 There is an out-of-bounds read in JXR processing. This issue is probably not exploitable, but could be used as an information leak. To reproduce the issue, load the attached file '8...
Adobe Flash - Type Confusion in FileReference Constructor
Adobe Flash - Type Confusion in FileReference Constructor Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=799 There is a type confusion issue in the FileReference constructor. The constructor adds several properties to the constructed object before setting the type and data. If ...
SAP xMII 15.0 - Directory Traversal
SAP xMII 15.0 - Directory Traversal Application: SAP xMII Versions Affected: SAP MII 15.0 Vendor URL: http://SAP.com Bugs: Directory traversal Sent: 29.07.2015 Reported: 29.07.2015 Vendor response: 30.07.2015 Date of Public Advisory: 09.02.2016 Reference: SAP Security Note 2230978 Author: Dmitry...
Cisco ASA Software 8.x/9.x - IKEv1 IKEv2 Buffer Overflow
Cisco ASA Software 8.x/9.x - IKEv1 IKEv2 Buffer Overflow #!/usr/bin/env python2.7 import socket import sys import struct import string import random import time # Spawns a reverse cisco CLI cliShellcode = "\x60\xc7\x02\x90\x67\xb9\x09\x8b\x45\xf8\x8b\x40\x5c\x8b\x40\x04"...
Adobe Flash - SetNative Use-After-Free
Adobe Flash - SetNative Use-After-Free Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=800 There is a use-after-free in SetNative. If a watch is placed on a native that is initialized by SetNative, it can delete the object the set is being called on, leading to a use-after-free....
Adobe Flash - Overflow in Processing Raw 565 Textures
Adobe Flash - Overflow in Processing Raw 565 Textures Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=792 There is an overflow in the processing of raw 565 textures in ATF processing. To reproduce the issue, load the attached file '70' using LoadImage.swf as follows:...
Adobe Flash - .MP4 Stack Corruption
Adobe Flash - .MP4 Stack Corruption Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=760 The attached mp4 file causes stack corruption in flash. To load, put LoadMP42.swf on a server and load http://127.0.0.1/LoadMP42.swf?file=t.mp4. Proof of Concept:...
Meteocontrol WEB’log - Admin Password Disclosure (Metasploit)
Meteocontrol WEB’log - Admin Password Disclosure Metasploit Exploit Title: Meteocontrol WEB'log - Extract Admin password Discovered by: Karn Ganeshen Vendor Homepage: http://www.meteocontrol.com/en/ Versions Reported: All Meteocontrol WEB'log versions CVE-ID: CVE-2016-2296 Meteocontrol WEB'log -...
Microsoft Windows - gdi32.dll Multiple EMF COMMENT_MULTIFORMATS Record Handling (MS16-055)
Microsoft Windows - gdi32.dll Multiple EMF COMMENT_MULTIFORMATS Record Handling MS16-055 Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=729 There are two programming errors in the implementation of the COMMENT_MULTIFORMATS record in EMF files, as found in the user-mode gdi32.dll...
Microsoft Windows - gdi32.dll Multiple EMF CREATECOLORSPACEW Record Handling (MS16-055)
Microsoft Windows - gdi32.dll Multiple EMF CREATECOLORSPACEW Record Handling MS16-055 Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=722 There are multiple programming errors in the implementation of the CREATECOLORSPACEW record in EMF files, as found in the user-mode gdi32.dll...
CakePHP Framework 3.2.4 - IP Spoofing
CakePHP Framework 3.2.4 - IP Spoofing ============================================= - Release date: 12.05.2016 - Discovered by: Dawid Golunski - Severity: Medium ============================================= I. VULNERABILITY ------------------------- CakePHP Framework = 3.2.4 IP Spoofing...
Microsoft Excel 2010 - Crash (PoC) (2)
Microsoft Excel 2010 - Crash PoC 2 Microsoft Office is prone to a remote denial-of-service vulnerability. Attackers can exploit this issue to crash the affected application. ---------------------------------------------------------------------- Found : 11.05.2016 More: http://HauntIT.blogspot.com...
Multiples Nexon Games - Unquoted Path Privilege Escalation
Multiples Nexon Games - Unquoted Path Privilege Escalation ----------------------------------------------------------------------------------------------------------------- Exploit Title: Multiples Nexon Games - Privilege Escalation Unquoted path vulnerabilities Date: 13/05/2016 Exploit Author :...
Apple OS X 10.10.5 - rootsh Local Privilege Escalation
Apple OS X 10.10.5 - rootsh Local Privilege Escalation rootsh is a local privilege escalation targeting OS X Yosemite 10.10.5 build 14F27. It exploits CVE-2016-1758 and CVE-2016-1828, two vulnerabilities in XNU that were patched in OS X El Capitan 10.11.4 and 10.11.5. rootsh will not work ...
Web2py 2.14.5 - Multiple Vulnerabilities
Web2py 2.14.5 - Multiple Vulnerabilities Title - Web2py 2.14.5 Multiple Vulnerabilities LFI,XSS,CSRF Exploit Title : Web2py 2.14.5 Multiple Vulnerabilities LFI, XSS,CSRF Reported Date : 2-April-2016 Fixed Date : 4-April-2016 Exploit Author : Narendra Bhati -...
Web Interface for DNSmasq Mikrotik - SQL Injection
Web Interface for DNSmasq Mikrotik - SQL Injection / + Credits: hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/DNSDHCP-WEB-INTERFACE-SQL-INJECTION.txt + ISR: apparitionsec Vendor: ==================== tmcdos / sourceforge Product:...
Hex : Shard of Fate 1.0.1.026 - Unquoted Path Privilege Escalation
Hex : Shard of Fate 1.0.1.026 - Unquoted Path Privilege Escalation ----------------------------------------------------------------------------------------------------------------- Exploit Title: Hex : Shard of Fate 1.0.1.026 - Privilege Escalation Unquoted path vulnerability Date: 15/05/2016...
eXtplorer 2.1.9 - .ZIP Directory Traversal
eXtplorer 2.1.9 - .ZIP Directory Traversal / + Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/EXTPLORER-ARCHIVE-PATH-TRAVERSAL.txt + ISR: apparitionsec Vendor: ============== extplorer.net Product: ==================...
runAV mod_security - Arbitrary Command Execution
runAV modsecurity - Arbitrary Command Execution Title : runAV modsecurity Remote Command Execution Date : 13/05/2016 Author : R-73eN Tested on : modsecurity with runAV Linux 4.2.0-30-generic 36-Ubuntu SMP Fri Feb 26 00:57:19 UTC 2016 i686 i686 i686 GNU/Linux Software :...
NRSS Reader 0.3.9 - Local Stack Overflow
NRSS Reader 0.3.9 - Local Stack Overflow Exploit developed using Exploit Pack v5.4 Exploit Author: Juan Sacco - http://www.exploitpack.com - [email protected] Program affected: NRSS RSS Reader Version: 0.3.9-1 Tested and developed under: Kali Linux 2.0 x86 - https://www.kali.org Program...
Wireshark - AirPDcapDecryptWPABroadcastKey Heap Out-of-Bounds Read (2)
Wireshark - AirPDcapDecryptWPABroadcastKey Heap Out-of-Bounds Read 2 Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=740 The following crash due to a heap-based out-of-bounds read can be observed in an ASAN build of Wireshark current git master, by feeding a malformed file to...
Trend Micro - CoreServiceShell.exe Multiple HTTP s
Trend Micro - CoreServiceShell.exe Multiple HTTP s Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=775 The main component of Trend Micro Antivirus is CoreServiceShell.exe, which runs as NT AUTHORITY\SYSTEM. The CoreServiceShell includes an HTTP daemon, which is used for...
WordPress Plugin Q and A (Focus Plus) FAQ 1.3.9.7 - Multiple Vulnerabilities
WordPress Plugin Q and A Focus Plus FAQ 1.3.9.7 - Multiple Vulnerabilities Exploit Title: WordPress Q and A Focus Plus FAQ Full Path Disclosure and SQL Injection Google Dork: inurl:"wp-content/plugins/q-and-a" Date: 12-05-2016 Software Link: https://wordpress.org/plugins/q-and-a-focus-plus-faq/...
WordPress Plugin Huge-IT Image Gallery 1.8.9 - Multiple Vulnerabilities
WordPress Plugin Huge-IT Image Gallery 1.8.9 - Multiple Vulnerabilities Exploit Title: WordPress plugin Image Gallery Full Path Disclosure and SQL Injection Google Dork: inurl:"wp-content/plugins/gallery-images/" Date: 12-05-2016 Software Link: https://fr.wordpress.org/plugins/gallery-images/...
Microsoft Windows Media Center - .MCL File Processing Remote Code Execution (MS16-059)
Microsoft Windows Media Center - .MCL File Processing Remote Code Execution MS16-059 Exploit Title: Microsoft Windows Media Center .MCL File Processing Remote Code Execution Vulnerability MS16-059 Date: May 11th, 2016 Exploit Author: Eduardo Braun Prado Vendor Homepage : http://www.microsoft.com...
Intuit QuickBooks Desktop 2007 2016 - Arbitrary Code Execution
Intuit QuickBooks Desktop 2007 2016 - Arbitrary Code Execution + Credits: Maxim Tomashevich from Thegrideon Software + Website: https://www.thegrideon.com/ + Details: https://www.thegrideon.com/qb-internals-sql.html Vendor: --------------------- www.intuit.com www.intuit.ca www.intuit.co.uk...
FileZilla FTP Client 3.17.0.0 - Unquoted Path Privilege Escalation
FileZilla FTP Client 3.17.0.0 - Unquoted Path Privilege Escalation ----------------------------------- Exploit Title: Filezilla 3.17.0.0 windows installer Privileges Escalation via unquoted path vulnerability Date: 08/05/2016 Exploit Author: Cyril Vallicari Vendor Homepage:...
Google Android Broadcom Wi-Fi Driver - Memory Corruption
Google Android Broadcom Wi-Fi Driver - Memory Corruption / Copyright C 2016 by AbdSec Core Team This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, ...
CIScan 1.00 - Hostname/IP Field Overwrite (SEH) (PoC)
CIScan 1.00 - Hostname/IP Field Overwrite SEH PoC #!/usr/bin/python Exploit Title : CIScan v1.00 Hostname/IP Field SEH Overwrite POC Discovery by : Nipun Jaswal Email : [email protected] Discovery Date : 11/05/2016 Software Link : http://www.mcafee.com/us/downloads/free-tools/ciscan.aspx Tested...
Ipswitch WS_FTP LE 12.3 - Search field Overwrite (SEH) (PoC)
Ipswitch WS_FTP LE 12.3 - Search field Overwrite SEH PoC #!/usr/bin/python Author: Zahid Adeel Author Email: [email protected] Title: Ipswitch WS_FTP LE 12.3 - Search field SEH Overwrite POC Vendor Homepage: http://www.wsftple.com/ Software Link: http://www.wsftple.com/download.aspx Version: L...
MediaInfo 0.7.61 - Crash (PoC)
MediaInfo 0.7.61 - Crash PoC #!/usr/bin/perl -w Title : Windows Media Player MediaInfo v0.7.61 - Buffer Overflow Exploit Tested on Windows 7 / Server 2008 Download Link : https://sourceforge.net/projects/mediainfo/files/binary/mediainfo-gui/0.7.61/ Author : Mohammad Reza Espargham Linkedin :...
JVC HDRs Net (Multiple Cameras) - Multiple Vulnerabilities
JVC HDRs Net Multiple Cameras - Multiple Vulnerabilities www.orwelllabs.com security advisory olsa-2016-04-01 Advisory Information +++++++++++++++++++++++ + Title: JVC Multiple Products Multiple Vulnerabilities + Vendor: JVC Professional Video +...
Nfdump Nfcapd 1.6.14 - Multiple Vulnerabilities
Nfdump Nfcapd 1.6.14 - Multiple Vulnerabilities x.0 presents.. Nfdump Nfcapd Multiple Vulnerabilities Affected Versions: Nfdump = 1.6.14 PDF:...
Core FTP Server 32-bit Build 587 - Heap Overflow
Core FTP Server 32-bit Build 587 - Heap Overflow # -*- coding: cp1252 -*- Exploit Title: Core FTP Server 32-bit - Build 587 Heap Overflow Date: 05/10/2016 Exploit Author: Paul Purcell Contact: ptpxploit at gmail Vendor Homepage: http://www.coreftp.com/ Vulnerable Version Download:...
Adobe Reader DC 15.010.20060 - Memory Corruption
Adobe Reader DC 15.010.20060 - Memory Corruption Title: Adobe Reader DC = 15.010.20060 - Memory corruption Application: Adobe Reader DC Version: 15.010.20060 and earlier versions Platform: Windows and Macintosh Software Link: https://acrobat.adobe.com/ca/fr/acrobat/pdf-reader.html Date: May 10,...
Ajaxel CMS 8.0 - Multiple Vulnerabilities
Ajaxel CMS 8.0 - Multiple Vulnerabilities Ajaxel CMS 8.0 Multiple Vulnerabilities Vendor: Ajaxel Product web page: http://www.ajaxel.com Affected version: 8.0 and below Summary: Ajaxel CMS is very simple ajaxified CMS and framework for any project needs. Desc: Ajaxel CMS version 8.0 and below...
ZeewaysCMS - Multiple Vulnerabilities
ZeewaysCMS - Multiple Vulnerabilities ZeewaysCMS Multiple Vulnerabilities Software - ZeewaysCMS Vendor Product Description - ZeewaysCMS is a Content Management System and a complete Web & Mobile Solution developed by Zeeways for Corporates, Individuals or any kind of Business needs. - Site:...
Dell SonicWALL Scrutinizer 11.0.1 - setUserSkin/deleteTab SQL Injection Remote Code Execution
Dell SonicWALL Scrutinizer 11.0.1 - setUserSkin/deleteTab SQL Injection Remote Code Execution #!/usr/local/bin/python """ Dell SonicWall Scrutinizer Summary: ======== This exploits a pre-auth SQL Injection in the login.php script within an update statement to steal session data. You could also ste...
i.FTP 2.21 - Host Address URL Field (SEH)
i.FTP 2.21 - Host Address URL Field SEH #!/usr/bin/python Exploit Title: i.FTP 2.21 Host Address / URL Field SEH Exploit Date: 3-5-2016 Exploit Author: Tantaryu MING Vendor Homepage: http://www.memecode.com/iftp.php Software Link: http://www.memecode.com/data/iftp-win32-v2.21.exe Version: 2.21...
RPCScan 2.03 - Hostname/IP Field Overwrite (SEH) (PoC)
RPCScan 2.03 - Hostname/IP Field Overwrite SEH PoC #!/usr/bin/python Exploit Title : RPCScan v2.03 Hostname/IP Field SEH Overwrite POC Discovery by : Nipun Jaswal Email : [email protected] Discovery Date : 08/05/2016 Vendor Homepage : http://samspade.org Software Link :...
ASUS Memory Mapping Driver (ASMMAP/ASMMAP64) - Physical Memory Read/Write
ASUS Memory Mapping Driver ASMMAP/ASMMAP64 - Physical Memory Read/Write Source: http://rol.im/asux/ ASUS Memory Mapping Driver ASMMAP/ASMMAP64: Physical Memory Read/Write PoC by slipstream/RoL - https://twitter.com/TheWack0lian - http://rol.im/chat/ The ASUS "Generic Function Service" includes a...
Certec EDV atvise SCADA Server 2.5.9 - Local Privilege Escalation
Certec EDV atvise SCADA Server 2.5.9 - Local Privilege Escalation Certec EDV atvise SCADA server 2.5.9 Privilege Escalation Vulnerability Vendor: Certec EDV GmbH Product web page: http://www.atvise.com Affected version: 2.5.9 Summary: atvise scada is based on newest technologies and standards:...
Microsoft Windows 7 - WebDAV Local Privilege Escalation (MS16-016) (2)
Microsoft Windows 7 - WebDAV Local Privilege Escalation MS16-016 2 Exploit Title: WebDAV Elevation of Privilege Vulnerability MS16-2 Date: 8/5/2016 Exploit Author: hex0r Version:WebDAV on Windows 7 84x CVE : CVE-2016-0051 Intro: Credits go to koczkatama for coding a PoC, however if you run this...
CIScan 1.00 - Hostname/IP Field Crash (PoC)
CIScan 1.00 - Hostname/IP Field Crash PoC #!/usr/bin/env python # -*- coding: utf-8 -*- Exploit Title : CIScan v1.00 Hostname/IP Field Local BoF PoC Discovery by : Irving Aguilar Email : [email protected] Discovery Date : 05.05.2016 Software Link :...
Adobe Flash - MovieClip.duplicateMovieClip Use-After-Free
Adobe Flash - MovieClip.duplicateMovieClip Use-After-Free Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=759 There is a use-after-free in MovieClip.duplicateMovieClip. If an action associated with the MovieClip frees the clip provided as the initObject parameter to the call, it...
ManageEngine Applications Manager Build 12700 - Multiple Vulnerabilities
ManageEngine Applications Manager Build 12700 - Multiple Vulnerabilities SPSA-2016-02/ManageEngine ApplicationsManager------------------------------ SECURITY ADVISORY: SPSA-2016-02/ManageEngine Applications Manager Build No: 12700 Affected Software: ManageEngine Applications Manager Build No: 127...
RPCScan 2.03 - Hostname/IP Field Crash (PoC)
RPCScan 2.03 - Hostname/IP Field Crash PoC #!/usr/bin/env python # -*- coding: utf-8 -*- Exploit Title : RPCScan v2.03 Hostname/IP Field Local BoF PoC Discovery by : Irving Aguilar Email : [email protected] Discovery Date : 05.05.2016 Software Link :...
Adobe Flash (Multiple Scripts) - Use-After-Free When Rendering Displays (2)
Adobe Flash Multiple Scripts - Use-After-Free When Rendering Displays 2 Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=719 There is a use-after-free that appears to be related to rendering the display based on multiple scripts. A PoC is attached, tested on Windows only. Note th...