41207 matches found
D-Link DGL5500 - HNAP Buffer Overflow
D-Link DGL5500 - HNAP Buffer Overflow Advisory Information Title: DGL5500 Un-Authenticated Buffer overflow in HNAP functionality Vendors contacted: William Brown , Patrick Cline [email protected] CVE: None Note: All these security issues have been discussed with the vendor and vendor...
Kaspersky AntiVirus - Certificate Handling Directory Traversal
Kaspersky AntiVirus - Certificate Handling Directory Traversal Source: https://code.google.com/p/google-security-research/issues/detail?id=539 When Kaspersky https inspection is enabled, temporary certificates are created in %PROGRAMDATA% for validation. I observed that the naming pattern is...
D-Link DIR-880L - Multiple Buffer Overflow Vulnerabilities
D-Link DIR-880L - Multiple Buffer Overflow Vulnerabilities Advisory Information Title: DIR-880L Buffer overflows in authentication and HNAP functionalities. Vendors contacted: William Brown , Patrick Cline [email protected] CVE: None Note: All these security issues have been discussed...
Kaspersky AntiVirus - .ZIP File Format Use-After-Free
Kaspersky AntiVirus - .ZIP File Format Use-After-Free Source: https://code.google.com/p/google-security-research/issues/detail?id=521 Fuzzing the ZIP file format found multiple memory corruption issues, some of which are obviously exploitable for remote code execution as NT AUTHORITY\SYSTEM on an...
D-Link DIR-601 - Command Injection
D-Link DIR-601 - Command Injection Advisory Information Title: DIR-601 Command injection in ping functionality Vendors contacted: William Brown , Patrick Cline [email protected] CVE: None Note: All these security issues have been discussed with the vendor and vendor indicated that they...
CF Image Host 1.65 - Cross-Site Request Forgery
CF Image Host 1.65 - Cross-Site Request Forgery input type="text" name="changesett...
ClipperCMS 1.3.0 - Code Execution
ClipperCMS 1.3.0 - Code Execution #!/usr/local/bin/python Exploit for ClipperCMS 1.3.0 Code Execution vulnerability An account is required with rights to file upload eg a user in the Admin, Publisher, or Editor role The server must parse htaccess files for this exploit to work. Curesec GmbH...
XCart 5.2.6 - Code Execution
XCart 5.2.6 - Code Execution #!/usr/local/bin/python Exploit for XCart 5.2.6 Code Execution vulnerability An admin account is required to use this exploit Curesec GmbH import sys import re import requests # requires requests lib if len(sys.argv) != 4: exit("usage: python " + sys.argv[0] + "...
D-Link DIR-816L Wireless Router - Cross-Site Request Forgery
D-Link DIR-816L Wireless Router - Cross-Site Request Forgery ---------------------------------------------------------------------------------------------- Title: ==== D-link wireless router DIR-816L – Cross-Site Request Forgery CSRF vulnerability Credit: ====== Name: Bhadresh Patel...
D-Link DIR-815 DIR-850L - SSDP Command Injection
D-Link DIR-815 DIR-850L - SSDP Command Injection Advisory Information Title: SSDP command injection using UDP for a lot of Dlink routers including DIR-815, DIR-850L Vendors contacted: William Brown Dlink Release mode: Released CVE: None Note: All these security issues have been discussed with the...
TECO JN5 L510-DriveLink 1.482 - .lf5 Overwrite Buffer Overflow (SEH)
TECO JN5 L510-DriveLink 1.482 - .lf5 Overwrite Buffer Overflow SEH #!/usr/bin/perl TECO JN5 L510-DriveLink 1.482 SEH Overwrite Buffer Overflow Exploit Vendor: TECO Electric and Machinery Co., Ltd. Product web page: http://www.teco-group.eu Download:...
Microsoft Windows Kernel - win32k.sys Malformed TrueType Program TTF Font Processing Pool-Based Buffer Overflow (MS15-115)
Microsoft Windows Kernel - win32k.sys Malformed TrueType Program TTF Font Processing Pool-Based Buffer Overflow MS15-115 Source: https://code.google.com/p/google-security-research/issues/detail?id=507 We have observed a number of Windows kernel crashes in the win32k.sys driver while processing...
foobar2000 1.3.9 - .pls .m3u .m3u8 Local Crash (PoC)
foobar2000 1.3.9 - .pls .m3u .m3u8 Local Crash PoC Exploit Title: foobar2000 1.3.9 .pls; .m3u; .m3u8 Local Crash PoC Date: 11-15-2015 Exploit Author: Antonio Z. Vendor Homepage: http://www.foobar2000.org/ Software Link:...
VideoLAN VLC Media Player Web Interface 2.2.1 - Metadata Title Cross-Site Scripting
VideoLAN VLC Media Player Web Interface 2.2.1 - Metadata Title Cross-Site Scripting Andrea Sindoni - @invictus1306 XSS vulnerability via metadata 1. Introduction Affected Product: VLC 2.2.1 / WEB INTERFACE Vulnerability Type: XSS 2. Vulnerability Description XSS vulnerability via metadata title 3...
foobar2000 1.3.9 - .asx Local Crash (PoC)
foobar2000 1.3.9 - .asx Local Crash PoC Exploit Title: foobar2000 1.3.9 .asx Local Crash PoC Date: 11-15-2015 Exploit Author: Antonio Z. Vendor Homepage: http://www.foobar2000.org/ Software Link: http://www.foobar2000.org/getfile/036be51abc909653ad44d664f0ce3668/foobar2000v1.3.9.exe Version: 1.3....
D-Link DIR-815 - Multiple Vulnerabilities
D-Link DIR-815 - Multiple Vulnerabilities Advisory Information Title: DIR-815 Buffer overflows and Command injection in authentication and HNAP functionalities Vendors contacted: William Brown , Patrick Cline [email protected] CVE: None Note: All these security issues have been discuss...
D-Link DIR-817LW - Multiple Vulnerabilities
D-Link DIR-817LW - Multiple Vulnerabilities Advisory Information Title: DIR-817LW Buffer overflows and Command injection in authentication and HNAP functionalities Vendors contacted: William Brown , Patrick Cline [email protected] CVE: None Note: All these security issues have been...
b374k 3.2.32.8 (Web Shell) - Cross-Site Request Forgery Command Injection
b374k 3.2.32.8 Web Shell - Cross-Site Request Forgery Command Injection + Credits: hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/AS-B374K-CSRF-CMD-INJECTION.txt Vendor: ============================================ github.com/b374k/b374k...
R-Scripts Vacation Rental Script 7R - Multiple Vulnerabilities
R-Scripts Vacation Rental Script 7R - Multiple Vulnerabilities R-Scripts VRS 7R Multiple Stored XSS And CSRF Vulnerabilities Vendor: R-Scripts Product web page: http://www.r-scripts.com Affected version: 7R Summary: PHP Vacation Rental Script is the best solution for your vacation rentals online...
Sam Spade 1.14 - S-Lang Command Field Overflow (SEH)
Sam Spade 1.14 - S-Lang Command Field Overflow SEH #!/usr/bin/env python Exploit Title : Sam Spade 1.14 S-Lang Command Field SEH Overflow Crash PoC Discovery by : Nipun Jaswal Email : [email protected] Discovery Date : 12/11/2015 Vendor Homepage : http://samspade.org Software Link :...
TACK 1.07 - Local Stack Buffer Overflow
TACK 1.07 - Local Stack Buffer Overflow Exploit Author: Juan Sacco - http://www.exploitpack.com Program: tack - Terminal action checker Tested on: GNU/Linux - Kali Linux 2.0 x86 Description: TACK v1.07 and prior is prone to a stack-based buffer overflow vulnerability because the application fails...
FBZX 2.10 - Local Stack Buffer Overflow
FBZX 2.10 - Local Stack Buffer Overflow Exploit Author: Juan Sacco - http://www.exploitpack.com Program: fbzx - ZX Spectrum Emulator for X Tested on: GNU/Linux - Kali Linux 2.0 x86 Description: FBZX v2.10 and prior is prone to a stack-based buffer overflow vulnerability because the application...
WordPress Plugin WP Fastest Cache 0.8.4.8 - Blind SQL Injection
WordPress Plugin WP Fastest Cache 0.8.4.8 - Blind SQL Injection Exploit Title: WP Fastest Cache 0.8.4.8 Blind SQL Injection Date: 11-11-2015 Software Link: https://wordpress.org/plugins/wp-fastest-cache/ Exploit Author: Kacper Szurek Contact: http://twitter.com/KacperSzurek Website:...
Jenkins 1.633 - Credential Recovery
Jenkins 1.633 - Credential Recovery Exploit Title: Jenkins Unauthenticated Credential Recovery Disclosure Date: 10/14/2015 Response Date: 10/14/2015 Response: "Recommend this be rejected as a vulnerability." Full report including response: http://www.th3r3p0.com/vulns/jenkins/jenkinsVuln.html...
YesWiki 0.2 - template Directory Traversal
YesWiki 0.2 - template Directory Traversal Exploit Title: YESWIKI 0.2 - Path Traversal template param Date: 2015-11-10 Exploit Author: HaHwul Exploit Author Blog: http://www.codeblack.net Vendor Homepage: http://yeswiki.net Software Link: https://github.com/YesWiki/yeswiki Version: yeswiki 0.2...
Huawei HG630a HG630a-50 - Default SSH Admin Password on ADSL Modems
Huawei HG630a HG630a-50 - Default SSH Admin Password on ADSL Modems Exploit Title: Huawei HG630a and HG630a-50 Default SSH Admin Password on Adsl Modems Date: 10.11.2015 Exploit Author: Murat Sahin @murtshn Vendor Homepage: Huawei Version: HG630a and HG630a-50 Tested on: linux,windows Adsl modems...
Arris TG1682G Modem - Persistent Cross-Site Scripting
Arris TG1682G Modem - Persistent Cross-Site Scripting Unauth Stored CSRF/XSS - Xfinity Modem alert1" /...
FreeType 2.6.1 - TrueType tt_sbit_decoder_load_bit_aligned Heap Out-of-Bounds Read
FreeType 2.6.1 - TrueType tt_sbit_decoder_load_bit_aligned Heap Out-of-Bounds Read Source: https://code.google.com/p/google-security-research/issues/detail?id=614 The following heap-based out-of-bounds memory read has been encountered in FreeType. It has been reproduced with the current version of...
POP Peeper 4.0.1 - Overwrite (SEH)
POP Peeper 4.0.1 - Overwrite SEH ''' Exploit Title: POP Peeper SEH Over-write. Date: 9/14/2015 Exploit Author: UnN0n Software Link: http://www.esumsoft.com/download Version: v4.0.1 Tested on: Windows 7 x86 32 BIT DUMP: ''' EAX 00000000 ECX 20203029 EDX 77C5660D ntdll.77C5660D EBX 00000000 ESP...
TestLink 1.9.14 - Cross-Site Request Forgery
TestLink 1.9.14 - Cross-Site Request Forgery Information ================================= Name: CSRF Vulnerability in TestLink 1.9.14 Affected Software: TestLink Affected Versions: 1.9.14 and possibly below Vendor Homepage: http://testlink.org/ Severity: High Status: Fixed Vulnerability Type:...
eBay Magento CE 1.9.2.1 - Unrestricted Cron Script (Code Execution Denial of Service)
eBay Magento CE 1.9.2.1 - Unrestricted Cron Script Code Execution Denial of Service Exploit Title: eBay Magento CE <= 1.9.2.1 Unrestricted Cron Script Potential Code Execution / DoS Date: 06.11.2015 Exploit Author: Dawid Golunski Vendor Homepage: http://magento.com Version: eBay Magento CE <= 1.9.2...
Google AdWords 6.2.0 API client libraries - XML eXternal Entity Injection
Google AdWords 6.2.0 API client libraries - XML eXternal Entity Injection Date: 06.11.2015 Exploit Author: Dawid Golunski Vendor Homepage: https://developers.google.com/adwords/api/docs/clientlibraries Software Link: https://github.com/googleads/googleads-php-lib Version: Google AdWords API clien...
QNap QVR Client 5.1.0.11290 - Crash (PoC)
QNap QVR Client 5.1.0.11290 - Crash PoC #!/usr/bin/env python # -*- coding: utf-8 -*- Exploit Title : QNap QVR Client 5.1.0.11290 Crash PoC Discovery by : Luis Martínez Email : [email protected] Discovery Date : 05/11/2015 Vendor Homepage: http://www.qnapsecurity.com/n/en/ Software Link :...
Google AdWords API PHP client library 6.2.0 - Arbitrary PHP Code Execution
Google AdWords API PHP client library 6.2.0 - Arbitrary PHP Code Execution Date: 06.11.2015 Title: Google AdWords API PHP client library <= 6.2.0 Arbitrary PHP Code Execution Exploit Author: Dawid Golunski Vendor Homepage: https://developers.google.com/adwords/api/docs/clientlibraries Software Lin...
SolarWinds Log and Event Manager/Trigeo SIM 6.1.0 - Remote Command Execution
SolarWinds Log and Event Manager/Trigeo SIM 6.1.0 - Remote Command Execution Requirements: Python 2.7 netcat Tested on: Ubuntu 14.04 LTS Vulnerable Appliance Version: 6.1.0 Download: http://downloads.solarwinds.com/solarwinds/Release/LEM/SolarWinds-LEM-v6.1.0-Evaluation-VMware.exe Instructions: Th...
WordPress Plugin My Calendar 2.4.10 - Multiple Vulnerabilities
WordPress Plugin My Calendar 2.4.10 - Multiple Vulnerabilities Exploit Title: My Calendar 2.4.10 CSRF and XSS Exploit Author : Mysticism Ahn Sung Jun Date : 2015-11-06 Vendor Homepage : http://wordpress.org/plugins/my-calendar Software Link :...
NXFilter 3.0.3 - Multiple Cross-Site Scripting Vulnerabilities
NXFilter 3.0.3 - Multiple Cross-Site Scripting Vulnerabilities + Credits: hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/AS-NXFILTER-XSS.txt Vendor: ================================ www.nxfilter.org/p2/ Product: ================================...
NXFilter 3.0.3 - Cross-Site Request Forgery
NXFilter 3.0.3 - Cross-Site Request Forgery + Credits: hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/AS-NXFILTER-CSRF.txt Vendor: ================================ www.nxfilter.org/p2/ Product: ================================ NXFilter v3.0.3...
vBulletin 5.1.x - Remote Code Execution
vBulletin 5.1.x - Remote Code Execution Exploit Title: Vbulletin 5.1.X unserialize 0day preauth RCE exploit Date: Nov 4th, 2015 Exploit Author: hhjj Vendor Homepage: http://www.vbulletin.com/ Version: 5.1.x Tested on: Debian CVE : I did not discover this exploit, leaked from the IoT. Build the...
OpenSSL - Alternative Chains Certificate Forgery
OpenSSL - Alternative Chains Certificate Forgery #!/usr/bin/env ruby # encoding: ASCII-8BIT By Ramon de C Valle. This work is dedicated to the public domain. require 'openssl' require 'optparse' require 'socket' Version = [0, 0, 1] Release = nil class String def hexdump(stream=$stdout) 0.step(bytesize - ...
JSSE - SKIP-TLS
JSSE - SKIP-TLS #!/usr/bin/env ruby # encoding: ASCII-8BIT By Ramon de C Valle. This work is dedicated to the public domain. require 'openssl' require 'optparse' require 'socket' Version = [0, 0, 1] Release = nil def prf(secret, label, seed) if secret.empty? s1 = s2 = '' else length = secret.length 1.0 ...
FreeType 2.6.1 - TrueType tt_cmap14_validate Parsing Heap Out-of-Bounds Reads
FreeType 2.6.1 - TrueType tt_cmap14_validate Parsing Heap Out-of-Bounds Reads Source: https://code.google.com/p/google-security-research/issues/detail?id=602 The following heap-based out-of-bounds memory reads have been encountered in FreeType, in the handling of the "cmap" format 14 SFNT table. Th...
Samsung Galaxy S6 Samsung Gallery - Bitmap Decoding Crash
Samsung Galaxy S6 Samsung Gallery - Bitmap Decoding Crash Source: https://code.google.com/p/google-security-research/issues/detail?id=497 Loading the bitmap bmpmemset.bmp can cause a crash due to a memset writing out of bounds. I/DEBUG 2961: pid: 12383, tid: 12549, name: thread-pool-1...
Samsung Galaxy S6 - android.media.process Face Recognition Memory Corruption
Samsung Galaxy S6 - android.media.process Face Recognition Memory Corruption Source: https://code.google.com/p/google-security-research/issues/detail?id=499 The attached files cause memory corruption when they are scanned by the face recognition library in android.media.process. From faces-art.bm...
Python 2.7 - array.fromstring Method Use-After-Free
Python 2.7 - array.fromstring Method Use-After-Free Title: Python 2.7 array.fromstring Use After Free Credit: John Leitch [email protected] Url1: http://autosectools.com/Page/Python-array-fromstring-Use-After-Free Url2: http://bugs.python.org/issue24613 Resolution: Fixed The Python 2.7...
Python 2.7 - strop.replace() Method Integer Overflow
Python 2.7 - strop.replace Method Integer Overflow Title: Python 2.7 strop.replace Integer Overflow Credit: John Leitch [email protected] Url1: http://autosectools.com/Page/Python-strop-replace-Integer-Overflow Url2: http://bugs.python.org/issue24708 Resolution: Fixed The Python 2.7...
Gold MP4 Player - .swf Local Overflow
Gold MP4 Player - .swf Local Overflow #!/usr/bin/python EXPLOIT TITLE: GOLD PLAYER Local Exploit AUTHOR: Vivek Mahajan - C3p70r Credits: Gabor Seljan Date of Testing: 30 October 2015 Download Link : http://download.cnet.com/GoldMP4Player/3000-21394-10967424.html Tested On : Windows 8.1 Pro and...
Python 3.3 3.5 - product_setstate() Out-of-Bounds Read
Python 3.3 3.5 - product_setstate Out-of-Bounds Read Title: Python 3.3 - 3.5 product_setstate Out-of-bounds Read Credit: John Leitch [email protected], Bryce Darling [email protected] Url1: http://autosectools.com/Page/Python-productsetstate-Out-of-bounds-Read Url2:...
Samsung Galaxy S6 - libQjpeg DoIntegralUpsample Crash
Samsung Galaxy S6 - libQjpeg DoIntegralUpsample Crash Source: https://code.google.com/p/google-security-research/issues/detail?id=498 The attached jpg, upsample.jpg can cause memory corruption when media scanning occurs F/libc 8600: Fatal signal 11 SIGSEGV, code 1, fault addr 0x206e6f69747562 in...
Python 2.7 hotshot Module - pack_string Heap Buffer Overflow (PoC)
Python 2.7 hotshot Module - pack_string Heap Buffer Overflow PoC Title: Python 2.7 hotshot pack_string Heap Buffer Overflow Credit: John Leitch [email protected] Url1: http://autosectools.com/Page/Python-hotshot-packstring-Heap-Buffer-Overflow Url2: http://bugs.python.org/issue24481 Resolution:...