41207 matches found
Adobe Flash AS2 - textfield.filters Use-After-Free (2)
Adobe Flash AS2 - textfield.filters Use-After-Free 2 Source: https://code.google.com/p/google-security-research/issues/detail?id=342&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id Tracking for https://code.google.com/p/chromium/issues/detail?id=480496 Credit is to bilou,...
up.time 7.5.0 - Superadmin Privilege Escalation
up.time 7.5.0 - Superadmin Privilege Escalation ...
Flash - Uninitialized Stack Variable MPD Parsing Memory Corruption
Flash - Uninitialized Stack Variable MPD Parsing Memory Corruption Source: https://code.google.com/p/google-security-research/issues/detail?id=316&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id Tracking for: https://code.google.com/p/chromium/issues/detail?id=472201 Credit...
up.time 7.5.0 - Upload and Execute
up.time 7.5.0 - Upload and Execute up.time 7.5.0 Upload And Execute File Exploit Vendor: Idera Inc. Product web page: http://www.uptimesoftware.com Affected version: 7.5.0 build 16 and 7.4.0 build 13 Summary: The next-generation of IT monitoring software. Desc: up.time suffers from arbitrary...
Adobe Flash - Drawing Methods this Use-After-Free
Adobe Flash - Drawing Methods this Use-After-Free Source: https://code.google.com/p/google-security-research/issues/detail?id=388&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id There are use-after-frees related to storing a single pointer (this pointer) in several...
Adobe Flash - Overflow in ID3 Tag Parsing
Adobe Flash - Overflow in ID3 Tag Parsing Source: https://code.google.com/p/google-security-research/issues/detail?id=443&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id If an mp3 file contains compressed ID3 data that is larger than 0x2aaaaaaa bytes, an integer overflow wi...
Adobe Flash - Out-of-Bounds Read in UTF Conversion
Adobe Flash - Out-of-Bounds Read in UTF Conversion Source: https://code.google.com/p/google-security-research/issues/detail?id=378&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id We've hit the same bug from two different avenues: 1 A report to the Chromium bug tracker:...
Adobe Flash - Heap Buffer Overflow Loading .FLV File with Nellymoser Audio Codec
Adobe Flash - Heap Buffer Overflow Loading .FLV File with Nellymoser Audio Codec Source: https://code.google.com/p/google-security-research/issues/detail?id=425&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id To reproduce, host the attached files appropriately and:...
Adobe Flash - Setting Value Use-After-Free
Adobe Flash - Setting Value Use-After-Free Source: https://code.google.com/p/google-security-research/issues/detail?id=360&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id In certain cases where a native AS2 class sets an internal atom to a value, it can lead to a...
Adobe Flash AS2 - DisplacementMapFilter.mapBitmap Use-After-Free (2)
Adobe Flash AS2 - DisplacementMapFilter.mapBitmap Use-After-Free 2 Source: https://code.google.com/p/google-security-research/issues/detail?id=377&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id Deadline tracking for https://code.google.com/p/chromium/issues/detail?id=48723...
Adobe Flash (Linux x64) - Bad Dereference at 0x23c
Adobe Flash Linux x64 - Bad Dereference at 0x23c Source: https://code.google.com/p/google-security-research/issues/detail?id=398&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id The attached sample, signalsigsegv7ffff603deef1525268381c02bc3b05c84578ebaeafc02f0.swf, typically...
Adobe Flash - textfield.gridFitType Use-After-Free
Adobe Flash - textfield.gridFitType Use-After-Free Source: https://code.google.com/p/google-security-research/issues/detail?id=418&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id There is a use-after-free in the TextField gridFitType setter. A PoC is below: var test =...
PHPfileNavigator 2.3.3 - Cross-Site Request Forgery
PHPfileNavigator 2.3.3 - Cross-Site Request Forgery + Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/AS-PHPFILENAVIGATOR0812a.txt Vendor: ================================ pfn.sourceforge.net Product:...
Easy File Management Web Server 5.6 - USERID Remote Buffer Overflow
Easy File Management Web Server 5.6 - USERID Remote Buffer Overflow #!/usr/bin/python Exploit Title: Easy File Management Web Server v5.6 - USERID Remote Buffer Overflow Version: 5.6 Date: 2015-08-17 Author: Tracy Turben [email protected] Software Link: http://www.efssoft.com/ Tested on:...
FTP Commander 8.02 - Overwrite (SEH)
FTP Commander 8.02 - Overwrite SEH Exploit Title: FTP Commander 'Costum Command' SEH Over-WriteBuffer Overflow. Date: 8/17/2015 Exploit Author: UnN0n Software Vendor : http://www.internet-soft.com/ Software Link: http://www.internet-soft.com/ftpcomm.htm Version: 8.02 Tested on: Windows 7 x32 (32 BI...
Apple Mac OSX 10.10.5 - XNU Local Privilege Escalation
Apple Mac OSX 10.10.5 - XNU Local Privilege Escalation Source: https://github.com/kpwn/tpwn tpwn cve-2015-???? poc os x 10.10.5 kernel local privilege escalation vulnerability got burned in 10.11 full writeup etason shout out @ unthreadedjb 4 hax Proof of Concept:...
WordPress Plugin WP Symposium 15.1 - Blind SQL Injection
WordPress Plugin WP Symposium 15.1 - Blind SQL Injection Details ================ Software: WP Symposium Version: 15.1 Homepage: https://wordpress.org/plugins/wp-symposium Advisory report:...
Cisco Unified Communications Manager - Multiple Vulnerabilities
Cisco Unified Communications Manager - Multiple Vulnerabilities Vantage Point Security Advisory 2015-001 ======================================== Title: Cisco Unified Communications Manager Multiple Vulnerabilities Vendor: Cisco Vendor URL: http://www.cisco.com/ Versions affected: Summary: ------...
PHPfileNavigator 2.3.3 - Privilege Escalation
PHPfileNavigator 2.3.3 - Privilege Escalation + Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/AS-PHPFILENAVIGATOR0812b.txt Vendor: ========================= pfn.sourceforge.net Product:...
vBulletin 4.2.2 - Memcache Remote Code Execution
vBulletin 4.2.2 - Memcache Remote Code Execution vBulletin's memcache setting is vulnerable in certain versions (all before 4.2.2) to an RCE. vBulletin seem to have refused to classify it as a vulnerability or post anything about it, or put anything in the announcements on their website. They say "P...
Magento CE 1.9.0.1 - (Authenticated) Remote Code Execution
Magento CE 1.9.0.1 - Authenticated Remote Code Execution #!/usr/bin/python Exploit Title: Magento CE \nExample: python %s http://localhost "uname -a"" sys.exit() if len(sys.argv) != 3: usage() Command-line args target = sys.argv[1] arg = sys.argv[2] Config. username = '' password = '' phpfunction = 'system'...
CodoForum 3.3.1 - Multiple SQL Injections
CodoForum 3.3.1 - Multiple SQL Injections CodoForum 3.3.1: Multiple SQL Injection Vulnerabilities Security Advisory – Curesec Research Team http://blog.curesec.com/article/blog/CodoForum-331-Multiple-SQL-Injection-Vulnerabilities-42.html 1. Introduction Affected Product: CodoForum 3.3.1 Fixed in:...
BigTree CMS 4.2.3 - (Authenticated) SQL Injection
BigTree CMS 4.2.3 - Authenticated SQL Injection BigTree CMS 4.2.3: Multiple SQL Injection Vulnerabilities Security Advisory – Curesec Research Team Online-Reference: http://blog.curesec.com/article/blog/BigTree-CMS-423-Multiple-SQL-Injection-Vulnerabilities-39.html 1. Introduction Affected Produc...
PHPfileNavigator 2.3.3 - Cross-Site Scripting
PHPfileNavigator 2.3.3 - Cross-Site Scripting + Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/AS-PHPFILENAVIGATOR0812c.txt Vendor: ================================ pfn.sourceforge.net Product:...
WordPress Plugin WP Symposium 15.1 - get_album_item.php SQL Injection
WordPress Plugin WP Symposium 15.1 - get_album_item.php SQL Injection Exploit Title: Wordpress Plugin wp-symposium Unauthenticated SQL Injection Vulnerability Date: 2015-07-30 Exploit Author: PizzaHatHacker Vendor Homepage: http://www.wpsymposium.com/ Version: ? <= version <= 15.5.1 Contact:...
Sagemcom F@ST 3864 V2 - Get Admin Password
Sagemcom F@ST 3864 V2 - Get Admin Password #!/bin/bash Exploit Title: Sagemcom 3864 V2 get admin password Date 2015-08-15 Author: Cade Bull Software Link: null Tested on: Sagemcom F@ST 3864 V2 Version: 7.253.2F3864V2Optus The sagemcom modem does not authenticate users when requesting pages, only...
MASM321 11 Quick Editor .qeditor 4.0g - .qse File Buffer Overflow (SEH) (ASLR + SafeSEH Bypass)
MASM321 11 Quick Editor .qeditor 4.0g - .qse File Buffer Overflow SEH ASLR + SafeSEH Bypass #!/usr/bin/env python Exploit Title: MASM32 quick editor .QSE SEH Based Buffer Overflow ASLR & SAFESEH bypass Date: 2015-08-15 Exploit Author: St0rn Twitter: st0rnpentest Vendor Homepage:...
Nuts CMS - PHP Remote Code Injection Execution
Nuts CMS - PHP Remote Code Injection Execution "cli" die$error0; if$argc "; echo"\nExample: php $argv0 localhost /"; die; ifisset$argv1 && isset$argv2 $host = $argv1; $path = $argv2; $pack = "GET $pathnuts/login.php?r= HTTP/1.0\r\n"; $pack.= "Host: $host\r\n"; $pack.= "Cmd: %s\r\n"; $pack.=...
Apache ActiveMQ 5.11.15.13.2 - Directory Traversal Command Execution
Apache ActiveMQ 5.11.15.13.2 - Directory Traversal Command Execution I have recently been playing with Apache ActiveMQ, and came across a simple but interesting directory traversal flaw in the fileserver upload/download functionality. I have only been able to reproduce this on Windows, i.e. where...
Microsoft Windows HTA (HTML Application) - Remote Code Execution (MS14-064)
Microsoft Windows HTA HTML Application - Remote Code Execution MS14-064 #!/usr/bin/php poc'."\n\n"; $reza = socket_create(AF_INET, SOCK_STREAM, 0) or die('Failed to create socket!'); socket_bind($reza, 0, $port); socket_listen($reza); $msgd = "\x3c\x68\x74\x6d\x6c\x3e\x0d\x0a...
XMPlay 3.8.1.12 - .pls Local Crash (PoC)
XMPlay 3.8.1.12 - .pls Local Crash PoC #!/usr/bin/env python Exploit Title: XMPlay .pls Local Crash poc Date: 2015-08-16 Exploit Author: St0rn Twitter: st0rnpentest Vendor Homepage: http://www.un4seen.com/ Software Link: http://www.un4seen.com/download.php?xmplay38 Version: 3.8.1.12 Tested on:...
Microsoft HTML Help Compiler 4.74.8702.0 - Local Overflow (SEH)
Microsoft HTML Help Compiler 4.74.8702.0 - Local Overflow SEH #!/usr/bin/env python Exploit Title: Microsoft HTML Help Compiler SEH Based Overflow Date: 2015-08-13 Exploit Author: St0rn Twitter: st0rnpentest Vendor Homepage: www.microsoft.com Software Link:...
Joomla! Component com_memorix - SQL Injection
Joomla! Component com_memorix - SQL Injection Exploit Title: Joomla com_memorix component SQL Injection vulnerability Date: 13-08-2015 Software Link: N/A Exploit Author: Omar AbuHassan Contact: https://www.linkedin.com/pub/omar-abu-hassan/bb/600/960 CVE: N/A Category: webapps Version: All Tested on...
NetKit FTP Client (Ubuntu 14.04) - Crash/Denial of Service (PoC)
NetKit FTP Client Ubuntu 14.04 - Crash/Denial of Service PoC + Author: TUNISIAN CYBER + Exploit Title: Ubuntu 14.04 NetKit FTP Client Crash/DoS POC + Date: 15-08-2015 + Type: Local Exploits + Tested on: Ubuntu 14.04 Works with other distros 11.04:https://www.exploit-db.com/exploits/17806/ + Twitte...
Mozilla Firefox 39.03 - pdf.js Same Origin Policy
Mozilla Firefox 39.03 - pdf.js Same Origin Policy /* Exploit Title: Firefox CVE-2015-4495 Test Run the index.html Make sure the main.js is in the same directory and we should be able to see the directory listing. 3. Solution Upgrade to the latest firefox 39.0.3 */ var starttimeout=2000; var...
TOTOLINK Routers - Backdoor Remote Code Execution
TOTOLINK Routers - Backdoor Remote Code Execution Exploit Title: TOTOLINK backdoor and RCE exploit POC Google Dork: N/A Date: Thu Aug 13 07:33:29 MDT 2015 Exploit Author: MadMouse Vendor Homepage: http://www.totolink.net/ Software Link:...
Joomla! Component com_informations - SQL Injection
Joomla! Component com_informations - SQL Injection Exploit Title: Joomla com_informations component SQL Injection vulnerability Date: 13-08-2015 Software Link: N/A Exploit Author: Omar AbuHassan Contact: https://www.linkedin.com/pub/omar-abu-hassan/bb/600/960 CVE: N/A Category: webapps Version: All...
Ability FTP Server 2.1.4 - afsmain.exe USER Remote Denial of Service
Ability FTP Server 2.1.4 - afsmain.exe USER Remote Denial of Service #!/usr/bin/env python Exploit Title: Ability FTP Server afsmain.exe USER Command Remote Dos Date: 2015-08-15 Exploit Author: St0rn Twitter: st0rnpentest Vendor Homepage: www.codecrafters.com Software Link:...
Security IP Camera Star Vision DVR - Authentication Bypass
Security IP Camera Star Vision DVR - Authentication Bypass Exploit Title: Security IP Camera Star Vision DVR Authentication Bypass Date: 2015-08-13 Exploit Author: Meisam Monsef [email protected] or [email protected] Vendor Homepage: Version: All Versions Exploit : 1 - First, open your Chrome...
Gkplugins Picasaweb - Download File
Gkplugins Picasaweb - Download File Exploit Title: Gkplugins Picasaweb Download File Date : 2015-08-13 Exploit Author : TMT VNhgroup Vendor Homepage: https://gkplugins.com/ Tested on: Windows 7 File ------------------------ $fileout = $_GET['f']; // can you download file $filelength = $_GET['l'];...
Ability FTP Server 2.1.4 - Admin Panel AUTHCODE Remote Denial of Service
Ability FTP Server 2.1.4 - Admin Panel AUTHCODE Remote Denial of Service #!/usr/bin/env python Exploit Title: Ability FTP Server Admin Panel AUTHCODE Command Remote Dos Date: 2015-08-15 Exploit Author: St0rn Twitter: st0rnpentest Vendor Homepage: www.codecrafters.com Software Link:...
Microsoft Windows 8.1 - DCOM DCERPC Local NTLM Reflection Privilege Escalation (MS15-076)
Microsoft Windows 8.1 - DCOM DCERPC Local NTLM Reflection Privilege Escalation MS15-076 Source: https://github.com/monoxgas/Trebuchet Trebuchet MS15-076 CVE-2015-2370 Privilege Escalation Copies a file to any privileged location on disk Compiled with VS2015, precompiled exe in Binary directory...
Joomla! Component com_jem 2.1.4 - Multiple Vulnerabilities
Joomla! Component com_jem 2.1.4 - Multiple Vulnerabilities Exploit Title: Joomla Event Manager 2.1.4 - Multiple Vulnerabilities Google Dork: inurl:option=com_jem Date: 08-12-2015 Author: Martino Sani Vendor Homepage: www.joomlaeventmanager.net Software Link:...
Google Chrome 43.0 - Certificate MIME Handling Integer Overflow
Google Chrome 43.0 - Certificate MIME Handling Integer Overflow #! /usr/bin/python2 import socket import sys import time kHost = '127.0.0.1' kPort = 443 def bindlisten(): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) s.setsockopt(socket.SOL_SOCKE...
Zend Framework 2.4.2 - PHP FPM XML eXternal Entity Injection
Zend Framework 2.4.2 - PHP FPM XML eXternal Entity Injection ============================================= - Release date: 12.08.2015 - Discovered by: Dawid Golunski - Severity: High - CVE-ID: CVE-2015-5161 ============================================= I. VULNERABILITY -------------------------...
Geoserver 2.7.1.1 2.6.4 2.5.5.1 - XML External Entity
Geoserver 2.7.1.1 2.6.4 2.5.5.1 - XML External Entity Exploit Title : GeoServer XXE Date : 11/08/2015 Exploit Author : David Bloom Script - Ping to Sven Claessens, Jacques Villemur and Eric Donners Vendor homepage : http://geoserver.org Software Link : http://geoserver.org/release/stable Version ...
PDF Shaper 3.5 - Local Buffer Overflow (Metasploit)
PDF Shaper 3.5 - Local Buffer Overflow Metasploit This module requires Metabuffer: http://metabuffer.com/download Current source: https://github.com/rapid7/metabuffer-framework require 'msf/core' class Metasploit3 'PDF Shaper Buffer Overflow', 'Description' = %q PDF Shaper is prone to a security...
Microsoft Internet Explorer - CTreeNode::GetCascadedLang Use-After-Free (MS15-079)
Microsoft Internet Explorer - CTreeNode::GetCascadedLang Use-After-Free MS15-079 <meta http-equiv="X-UA-Compatible" content="IE=10...
NetServe FTP Client 1.0 - Local Denial of Service
NetServe FTP Client 1.0 - Local Denial of Service Exploit Title: NetServe FTP Client 1.0 DOS Overflow. Date: 8/12/2015 Exploit Author: UnN0n Software Link: http://netserve-ftp-client.en.softonic.com/ Version: Version 1.0.0 Tested on: Windows 7 x64 (64 BIT) Steps to Produce the Crash: 1- Open up...
Microsoft Windows Server 2003 SP2 - TCPIP IOCTL Privilege Escalation (MS14-070)
Microsoft Windows Server 2003 SP2 - TCPIP IOCTL Privilege Escalation MS14-070 /* Exploit Title: Windows 2k3 SP2 TCP/IP IOCTL Privilege Escalation MS14-070 Date: 2015-08-10 Exploit Author: Tomislav Paskalev Vulnerable Software: Windows 2003 SP2 x86 Windows 2003 SP2 x86-64 Windows 2003 SP2 IA-64...