Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow in CoolType.dll

Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow in CoolType.dll We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file: --- cut --- 3fb8.2ac4: Access violation - code c0000005 first...

Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow due to Malformed JP2 Stream

Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow due to Malformed JP2 Stream We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file: --- cut --- 2728.1fa8: Access violation - code...

Microsoft Font Subsetting - DLL Heap-Based Out-of-Bounds read in WriteTableFromStructure

Microsoft Font Subsetting - DLL Heap-Based Out-of-Bounds read in WriteTableFromStructure -----===== Background =====----- The Microsoft Font Subsetting DLL fontsub.dll is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the...

Microsoft Font Subsetting - DLL Heap Corruption in ReadAllocFormat12CharGlyphMapList

Microsoft Font Subsetting - DLL Heap Corruption in ReadAllocFormat12CharGlyphMapList -----===== Background =====----- The Microsoft Font Subsetting DLL fontsub.dll is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the...

Microsoft Font Subsetting - DLL Heap-Based Out-of-Bounds read in FixSbitSubTableFormat1

Microsoft Font Subsetting - DLL Heap-Based Out-of-Bounds read in FixSbitSubTableFormat1 -----===== Background =====----- The Microsoft Font Subsetting DLL fontsub.dll is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the...

NSKeyedUnarchiver - Info Leak in Decoding SGBigUTF8String

NSKeyedUnarchiver - Info Leak in Decoding SGBigUTF8String There is an info leak when decoding the SGBigUTF8String class using SGBigUTF8String initWithCoder:. This class initializes the string using SGBigUTF8String initWithUTF8DataNullTerminated: even though there is no guarantee the bytes provide...

Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow due to Malformed Font Stream

Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow due to Malformed Font Stream We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file: --- cut --- 50a8.4100: Access violation - code...

Microsoft Windows Text Services Framework MSCTF - Multiple Vulnerabilities

Microsoft Windows Text Services Framework MSCTF - Multiple Vulnerabilities The msctf subsystem is part of the Text Services Framework, The TSF manages things like input methods, keyboard layouts, text processing and so on. There are two main components, the ctfmon server and the msctf client. The...

D-Link DIR-600M - Authentication Bypass (Metasploit)

D-Link DIR-600M - Authentication Bypass Metasploit This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'CVE-2019-13101 D-Link DIR-600M Incorrect Access Control', 'Description' = %q This module...

WordPress Plugin Download Manager 2.5 - Cross-Site Request Forgery

WordPress Plugin Download Manager 2.5 - Cross-Site Request Forgery Exploit Title: CSRF vulnerabilities in WordPress Download Manager Plugin 2.5 Google Dork: inurl:"/wp-content/plugins/download-manager Date: 24 may, 2019 Exploit Author: Princy Edward Exploit Author Blog :...

Agent Tesla Botnet - Arbitrary Code Execution (Metasploit)

Agent Tesla Botnet - Arbitrary Code Execution Metasploit This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "Tesla Agent Remote Code Execution", 'Description' = %q This module exploits the command...

TortoiseSVN 1.12.1 - Remote Code Execution

TortoiseSVN 1.12.1 - Remote Code Execution Document Title: =============== TortoiseSVN v1.12.1 - Remote Code Execution Vulnerability References Source: ==================== https://www.vulnerability-lab.com/getcontent.php?id=2188 Product:...

SugarCRM Enterprise 9.0.0 - Cross-Site Scripting

SugarCRM Enterprise 9.0.0 - Cross-Site Scripting Exploit Title: 0Day UnauthenticatedXSS SugarCRM Enterprise Google Dork: N/A Date: 11.08.2019 Exploit Author: Ilca Lucian Florin Vendor Homepage: https://www.sugarcrm.com Version: 9.0.0 Tested on: Windows 7 / Internet Explorer 11 / Google Chrome 76...

ManageEngine opManager 12.3.150 - Authenticated Code Execution

ManageEngine opManager 12.3.150 - Authenticated Code Execution !/usr/bin/env python3 Exploit Title: ManageEngine opManager Authenticated Code Execution Google Dork: N/A Date: 08/13/2019 Exploit Author: @kindredsec Vendor Homepage: https://www.manageengine.com/ Software Link:...

Windows PowerShell - Unsanitized Filename Command Execution

Windows PowerShell - Unsanitized Filename Command Execution ''' + Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-POWERSHELL-UNSANITIZED-FILENAME-COMMAND-EXECUTION.txt + ISR: Apparition Security Vendor...

ABC2MTEX 1.6.1 - Command Line Stack Overflow

ABC2MTEX 1.6.1 - Command Line Stack Overflow Exploit Title: ABC2MTEX 1.6.1 - Command Line Stack Overflow Date: 2019-08-13 Exploit Author: Carter Yagemann Vendor Homepage: https://abcnotation.com/abc2mtex/ Software Link:...

Microsoft Windows 10 AppXSvc Deployment Service - Arbitrary File Deletion

Microsoft Windows 10 AppXSvc Deployment Service - Arbitrary File Deletion / Author : Abdelhamid Naceri Discovered On : 13/08/2019 Description : An Elevation Of Privileges Exist when the microsoft AppXSvc Deployment Service Cannot Properly Handle The Folder Junction lead to an arbitrary file...

Joomla! Component JS Jobs (com_jsjobs) 1.2.5 - customfields.php SQL Injection

Joomla! Component JS Jobs comjsjobs 1.2.5 - customfields.php SQL Injection Exploit Title: Joomla! component comjsjobs - 'customfields.php' SQL Injection Dork: inurl:"index.php?option=comjsjobs" Date: 13.08.19 Exploit Author: qw3rTyTy Vendor Homepage: https://www.joomsky.com/ Software Link:...

Agent Tesla Botnet - Arbitrary Code Execution

Agent Tesla Botnet - Arbitrary Code Execution import requests import argparse import base64 Agent Tesla C2 RCE by prsecurity For research purposes only. Don't pwn what you don't own. def getargs: parser = argparse.ArgumentParser prog="agentteslasploit.py", formatterclass=lambda prog:...

AZORult Botnet - SQL Injection

AZORult Botnet - SQL Injection import requests import argparse import base64 Azorult 3.3.1 C2 SQLi by prsecurity For research purposes only. Don't pwn what you don't own. change GUID and XOR key to specific beacon, can be extracted from a sample guid =...

ManageEngine OpManager 12.4x - Unauthenticated Remote Command Execution (Metasploit)

ManageEngine OpManager 12.4x - Unauthenticated Remote Command Execution Metasploit This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "ManageEngine OpManager v12.4x - Unauthenticated Remote Command...

Mitsubishi Electric smartRTU INEA ME-RTU - Unauthenticated OS Command Injection Bind Shell

Mitsubishi Electric smartRTU INEA ME-RTU - Unauthenticated OS Command Injection Bind Shell !/usr/bin/python Exploit Title: Mitsubishi Electric smartRTU & INEA ME-RTU Unauthenticated OS Command Injection Date: 29 June 2019 Exploit Author: @xerubus | mogozobo.com Vendor Homepage:...

Ghidra (Linux) 9.0.4 - .gar Arbitrary Code Execution

Ghidra Linux 9.0.4 - .gar Arbitrary Code Execution import os import inspect import argparse import shutil from shutil import copyfile print"" print"" print"" print"" print"------------------CVE-2019-13623----------------" print"" print"" print""...

UNA 10.0.0 RC1 - polyglot.php Persistent Cross-Site Scripting

UNA 10.0.0 RC1 - polyglot.php Persistent Cross-Site Scripting Exploit Title: UNA - 10.0.0-RC1 stored XSS vuln. Date: 2019 08 10 Exploit Author: Greg.Priest Vendor Homepage: https://una.io/ Software Link: https://github.com/unaio/una/tree/master/studio Version: UNA - 10.0.0-RC1 Tested on:...

ManageEngine Application Manager 14.2 - Privilege Escalation Remote Command Execution (Metasploit)

ManageEngine Application Manager 14.2 - Privilege Escalation Remote Command Execution Metasploit This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "ManageEngine Application Manager v14.2 - Privileg...

Linux - Use-After-Free Reads in show_numa_stats()

Linux - Use-After-Free Reads in shownumastats / On NUMA systems, the Linux fair scheduler tracks information related to NUMA faults in taskstruct::numafaults and taskstruct::numagroup. Both of these have broken object lifetimes. Since commit 82727018b0d3 "sched/numa: Call tasknumafree from...

osTicket 1.12 - Persistent Cross-Site Scripting

osTicket 1.12 - Persistent Cross-Site Scripting Exploit Title: osTicket-v1.12 Stored XSS Vendor Homepage: https://osticket.com/ Software Link: https://osticket.com/download/ Exploit Author: Aishwarya Iyer Contact: https://twitter.com/aish9524 Website: https://about.me/aishiyer Category: webapps...

Joomla! Component JS Support Ticket (com_jssupportticket) 1.1.6 - ticketreply.php SQL Injection

Joomla! Component JS Support Ticket comjssupportticket 1.1.6 - ticketreply.php SQL Injection Exploit Title: Joomla! component comjssupportticket - Authenticated SQL Injection Dork: inurl:"index.php?option=comjssupportticket" Date: 10.08.19 Exploit Author: qw3rTyTy Vendor Homepage:...

Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit)

Webmin 1.920 - Unauthenticated Remote Code Execution Metasploit This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Webmin 1.920 Unauthenticated RCE', 'Description' = %q This module exploits a...

ManageEngine OpManager 12.4x - Privilege Escalation Remote Command Execution (Metasploit)

ManageEngine OpManager 12.4x - Privilege Escalation Remote Command Execution Metasploit This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "ManageEngine OpManager 12.4x - Privilege Escalation / Remo...

osTicket 1.12 - Persistent Cross-Site Scripting via File Upload

osTicket 1.12 - Persistent Cross-Site Scripting via File Upload Exploit Title: osTicket-v1.12 Stored XSS via File Upload Vendor Homepage: https://osticket.com/ Software Link: https://osticket.com/download/ Exploit Author: Aishwarya Iyer Contact: https://twitter.com/aish9524 Website:...

Steam Windows Client - Local Privilege Escalation

Steam Windows Client - Local Privilege Escalation $SteamRegKey = "HKLM:\SOFTWARE\WOW6432Node\Valve\Steam\NSIS" $MSIRegKey = "HKLM:\SYSTEM\CurrentControlSet\Services\msiserver" $RegDir = "C:\Windows\Temp\RegLN.exe" $PayDir = "C:\Windows\Temp\payload.exe" $Payload = "c:\windows\system32\cmd.exe /c...

VxWorks 6.8 - TCP Urgent Pointer 0 Integer Underflow

VxWorks 6.8 - TCP Urgent Pointer 0 Integer Underflow Exploit Title: VxWorks TCP Urgent pointer = 0 integer underflow vulnerability Discovered By: Armis Security PoC Author: Zhou Yu twitter: @504137480 Vendor Homepage: https://www.windriver.com Tested on: VxWorks 6.8 CVE: CVE-2019-12255 More...

Joomla! Component JS Jobs (com_jsjobs) 1.2.5 - cities.php SQL Injection

Joomla! Component JS Jobs comjsjobs 1.2.5 - cities.php SQL Injection Exploit Title: Joomla! component comjsjobs - SQL Injection Dork: inurl:"index.php?option=comjsjobs" Date: 11.08.19 Exploit Author: qw3rTyTy Vendor Homepage: https://www.joomsky.com/ Software Link:...

BSI Advance Hotel Booking System 2.0 - booking_details.php Persistent Cross-Site Scripting

BSI Advance Hotel Booking System 2.0 - bookingdetails.php Persistent Cross-Site Scripting Exploit Title:BSI Advance Hotel Booking System Persistent XSS Google Dork: intext:Hotel Booking System v2.0 © 2008 - 2012 Copyright Best Soft Inc Date: Wed Jun 4 2014 Exploit Author: Angelo Ruwantha Vendor...

WebKit - UXSS via XSLT and Nested Document Replacements

WebKit - UXSS via XSLT and Nested Document Replacements VULNERABILITY DETAILS https://trac.webkit.org/browser/webkit/trunk/Source/WebCore/xml/XSLTProcessor.cppL66 Ref XSLTProcessor::createDocumentFromSourceconst String& sourceString, const String& sourceEncoding, const String& sourceMIMEType, Nod...

Joomla! Component JS Support Ticket (com_jssupportticket) 1.1.6 - ticket.php Arbitrary File Deletion

Joomla! Component JS Support Ticket comjssupportticket 1.1.6 - ticket.php Arbitrary File Deletion Exploit Title: Joomla! component comjssupportticket - Authenticated Arbitrary File Deletion Dork: inurl:"index.php?option=comjssupportticket" Date: 10.08.19 Exploit Author: qw3rTyTy Vendor Homepage:...

Mitsubishi Electric smartRTU INEA ME-RTU - Unauthenticated Configuration Download

Mitsubishi Electric smartRTU INEA ME-RTU - Unauthenticated Configuration Download !/usr/bin/python Exploit Title: Mitsubishi Electric smartRTU & INEA ME-RTU Unauthenticated Configuration Download Date: 29 June 2019 Exploit Author: @xerubus | mogozobo.com Vendor Homepage:...

osTicket 1.12 - Formula Injection

osTicket 1.12 - Formula Injection Exploit Title: osTicket-v1.12 Formula Injection Vendor Homepage: https://osticket.com/ Software Link: https://osticket.com/download/ Exploit Author: Aishwarya Iyer Contact: https://twitter.com/aish9524 Website: https://about.me/aishiyer Category: webapps CVE:...

Cisco Adaptive Security Appliance - Path Traversal (Metasploit)

Cisco Adaptive Security Appliance - Path Traversal Metasploit require 'msf/core' class MetasploitModule "Cisco Adaptive Security Appliance - Path Traversal", 'Description' = %q Cisco Adaptive Security Appliance - Path Traversal CVE-2018-0296 A security vulnerability in Cisco ASA that would allow ...

Joomla! Component JS Support Ticket (component com_jssupportticket) 1.1.5 - Arbitrary File Download

Joomla! Component JS Support Ticket component comjssupportticket 1.1.5 - Arbitrary File Download Exploit Title: Joomla! component comjssupportticket - Arbitrary File Download Dork: inurl:"index.php?option=comjssupportticket" Date: 08.08.19 Exploit Author: qw3rTyTy Vendor Homepage:...

Daily Expense Manager 1.0 - Cross-Site Request Forgery (Delete Income)

Daily Expense Manager 1.0 - Cross-Site Request Forgery Delete Income Exploit Title: Daily Expense Manager - CSRF Delete Income Exploit Author: Mr Winst0n Author E-mail: [email protected] Discovery Date: August 8, 2019 Vendor Homepage: https://sourceforge.net/projects/daily-expense-manager...

Joomla! Component JS Support Ticket (component com_jssupportticket) 1.1.5 - SQL Injection

Joomla! Component JS Support Ticket component comjssupportticket 1.1.5 - SQL Injection Exploit Title: Joomla! component comjssupportticket - SQL Injection Dork: inurl:"index.php?option=comjssupportticket" Date: 08.08.19 Exploit Author: qw3rTyTy Vendor Homepage: https://www.joomsky.com/ Software...

Aptana Jaxer 1.0.3.4547 - Local File inclusion

Aptana Jaxer 1.0.3.4547 - Local File inclusion Exploit Title: Aptana Jaxer Remote Local File inclusion Date: 8/8/2019 Exploit Author: Steph Jensen Vendor Homepage: http://www.jaxer.org Version: 1.0.3.4547 Tested on: Linux CVE : CVE-2019-14312 Aptana Jaxer 1.0.3.4547 is vulnerable to a local file...

Adive Framework 2.0.7 - Cross-Site Request Forgery

Adive Framework 2.0.7 - Cross-Site Request Forgery Exploit Title: Adive Framework 2.0.7 – Cross-Site Request Forgery CSRF Date:02/08/2019. Exploit Author: Pablo Santiago Vendor Homepage: https://adive.es Software Link: https://github.com/ferdinandmartin/adive-php7 Version: 2.0.7 Tested on: Window...

Baldr Botnet Panel - Arbitrary Code Execution (Metasploit)

Baldr Botnet Panel - Arbitrary Code Execution Metasploit This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'net/http' class MetasploitModule "Baldr Botnet Panel Shell Upload Exploit", 'Description' = %q This...

Open-School 3.0 Community Edition 2.3 - Cross-Site Scripting

Open-School 3.0 Community Edition 2.3 - Cross-Site Scripting Exploit Title: title Date: 2019 08 06 Exploit Author: Greg.Priest Vendor Homepage: https://open-school.org/ Software Link: Version: Open-School 3.0/Community Edition 2.3 Tested on: Windows/Linux CVE : CVE-2019-14696 Open-School 3.0, and...

Google Chrome 74.0.3729.0 76.0.3789.0 - Heap Use-After-Free in blink::PresentationAvailabilityState::UpdateAvailability

Google Chrome 74.0.3729.0 76.0.3789.0 - Heap Use-After-Free in blink::PresentationAvailabilityState::UpdateAvailability iterating&iteratinglisteners, true; for auto& listenerref : availabilitylisteners auto listener = listenerref.get; if !listener-urls.Containsurl continue; auto screenavailabilit...

WordPress Plugin JoomSport 3.3 - SQL Injection

WordPress Plugin JoomSport 3.3 - SQL Injection Exploit Title: JoomSport 3.3 – for Sports - SQL injection Google Dork: intext:powered by JoomSport - sport WordPress plugin Date:29/07/2019. Exploit Author: Pablo Santiago Vendor Homepage: https://beardev.com/ Software Link:...

ARMBot Botnet - Arbitrary Code Execution

ARMBot Botnet - Arbitrary Code Execution import requests URL = "http://127.0.0.1/ARMBot/upload.php" r = requests.postURL, data = "file":"../publichtml/lol/../.s.phtml", need some trickery for each server ; "data":"PD9waHAgZWNobyAxOyA/Pg==", "message":"Bobr Dobr" ,...