41207 matches found
Axessh 4.2 - Log file name Local Stack-based Buffer Overflow
Axessh 4.2 - Log file name Local Stack-based Buffer Overflow Title: Axessh 4.2 - 'Log file name' Local Stack-based Buffer Overflow Date: May 23rd, 2019 Author: Uday Mittal https://github.com/yaksas443/YaksasCSC-Lab/ Vendor Homepage: http://www.labf.com Software Link:...
Cyberoam SSLVPN Client 1.3.1.30 - HTTP Proxy Denial of Service (PoC)
Cyberoam SSLVPN Client 1.3.1.30 - HTTP Proxy Denial of Service PoC Exploit Title: Cyberoam SSLVPN Client 1.3.1.30 - 'HTTP Proxy' Denial of Service PoC Discovery by: Victor Mondragón Discovery Date: 2019-05-23 Vendor Homepage: https://www.cyberoam.com Software Link:...
Fast AVI MPEG Joiner - License Name Denial of Service (PoC)
Fast AVI MPEG Joiner - License Name Denial of Service PoC Exploit Title: Fast AVI MPEG Joiner Dos Exploit Date: 24.5.2019 Vendor Homepage:http://www.alloksoft.com Software Link: http://www.alloksoft.com/fastavimpegjoiner.exe Exploit Author: Achilles Tested Version: 1.2.0812 Tested on: Windows 7 x...
Cyberoam Transparent Authentication Suite 2.1.2.5 - NetBIOS Name Denial of Service (PoC)
Cyberoam Transparent Authentication Suite 2.1.2.5 - NetBIOS Name Denial of Service PoC Exploit Title: Cyberoam Transparent Authentication Suite 2.1.2.5 - 'NetBIOS Name' Denial of Service PoC Discovery by: Victor Mondragón Discovery Date: 2019-05-23 Vendor Homepage: https://www.cyberoam.com Softwa...
Cyberoam SSLVPN Client 1.3.1.30 - Connect To Server Denial of Service (PoC)
Cyberoam SSLVPN Client 1.3.1.30 - Connect To Server Denial of Service PoC Exploit Title: Cyberoam SSLVPN Client 1.3.1.30 - 'Connect To Server' Denial of Service PoC Discovery by: Victor Mondragón Discovery Date: 2019-05-23 Vendor Homepage: https://www.cyberoam.com Software Link:...
Opencart 3.0.3.2 - extensionfeedgoogle_base Denial of Service PoC
Opencart 3.0.3.2 - extensionfeedgooglebase Denial of Service PoC !/bin/bash Opencart PoC exploit, just for test... Tested on store with added more than 1000 products Usage: ./cartkiller.sh storeurl threads sleep Example: ./cartkiller.sh https://storename 50 5 Disclaimer: This or previous programs...
Cyberoam Transparent Authentication Suite 2.1.2.5 - Fully Qualified Domain Name Denial of Service (PoC)
Cyberoam Transparent Authentication Suite 2.1.2.5 - Fully Qualified Domain Name Denial of Service PoC Exploit Title: Cyberoam Transparent Authentication Suite 2.1.2.5 - 'Fully Qualified Domain Name' Denial of Service PoC Discovery by: Victor Mondragón Discovery Date: 2019-05-23 Vendor Homepage:...
Microsoft Internet Explorer Windows 10 1809 17763.316 - Scripting Engine Memory Corruption
Microsoft Internet Explorer Windows 10 1809 17763.316 - Scripting Engine Memory Corruption Content Dim ar1&h3000000 Dim ar21000 Dim gremlin addressOfGremlin = &h28281000 Class MyClass Private mValue Public Property Let Valuev mValue = v End Property Public Default Property Get P P = mValue ' Wher...
Visual Voicemail for iPhone - IMAP NAMESPACE Processing Use-After-Free
Visual Voicemail for iPhone - IMAP NAMESPACE Processing Use-After-Free Visual Voicemail VVM is a feature of mobile devices that allows voicemail to be read in an email-like format. Carriers set up a Visual Voicemail server that supports IMAP, and the device queries this server for new email. Visu...
Microsoft Windows 10 1809 - CmKeyBodyRemapToVirtualForEnum Arbitrary Key Enumeration Privilege Escalation
Microsoft Windows 10 1809 - CmKeyBodyRemapToVirtualForEnum Arbitrary Key Enumeration Privilege Escalation Windows: CmKeyBodyRemapToVirtualForEnum Arbitrary Key Enumeration EoP Platform: Windows 10 1809 not tested earlier Class: Elevation of Privilege Security Boundary per Windows Security Service...
Microsoft Windows 10 (17763.379) - Install DLL
Microsoft Windows 10 17763.379 - Install DLL edit: Figure out how this works for yourself. I can't be bothered. It's a really hard race, doubt anyone will be able to repro anyway. Could be used with malware, you could programmatically trigger the rollback. Maybe you can even pass the silent flag ...
NetAware 1.20 - Share Name Denial of Service (PoC)
NetAware 1.20 - Share Name Denial of Service PoC -- coding: utf-8 -- Exploit Title: NetAware 1.20 - 'Share Name' Denial of Service PoC Date: 22/05/2019 Author: Alejandra Sánchez Vendor Homepage: https://www.infiltration-systems.com Software: http://www.infiltration-systems.com/Files/netaware.zip...
Terminal Services Manager 3.2.1 - Denial of Service
Terminal Services Manager 3.2.1 - Denial of Service -- coding: utf-8 -- Exploit Title: Terminal Services Manager 3.2.1 - Local Buffer Overflow Denial of Service Date: 22/05/2019 Author: Alejandra Sánchez Vendor Homepage: https://lizardsystems.com Software:...
NetAware 1.20 - Add Block Denial of Service (PoC)
NetAware 1.20 - Add Block Denial of Service PoC -- coding: utf-8 -- Exploit Title: NetAware 1.20 - 'Add Block' Denial of Service PoC Date: 22/05/2019 Author: Alejandra Sánchez Vendor Homepage: https://www.infiltration-systems.com Software: http://www.infiltration-systems.com/Files/netaware.zip...
Microsoft Windows - AppX Deployment Service Local Privilege Escalation (2)
Microsoft Windows - AppX Deployment Service Local Privilege Escalation 2 There is still a vuln in the code triggered by CVE-2019-0841 The bug that this guy found: https://krbtgt.pw/dacl-permissions-overwrite-privilege-escalation-cve-2019-0841/ If you create the following: GetFavDirectory gets the...
Nagios XI 5.6.1 - SQL injection
Nagios XI 5.6.1 - SQL injection Exploit Title: Nagiosxi username sql injection Date: 22/05/2019 Exploit Author: JameelNabbo Website: jameelnabbo.com Vendor Homepage: https://www.nagios.com Software Link: https://www.nagios.com/products/nagios-xi/ Version: xi-5.6.1 Tested on: MacOSX CVE:...
Microsoft Windows (x84x64) - Error Reporting Discretionary Access Control List Local Privilege Escalation
Microsoft Windows x84x64 - Error Reporting Discretionary Access Control List Local Privilege Escalation EDIT: Apparently this was patched earlier this month.. so whatever. Windows Error Reporting Arbitrary DACL write It can take upwards of 15 minutes for the bug to trigger. If it takes too long,...
Microsoft Windows (x86) - Task Scheduler .job Import Arbitrary Discretionary Access Control List Write Local Privilege Escalation
Microsoft Windows x86 - Task Scheduler .job Import Arbitrary Discretionary Access Control List Write Local Privilege Escalation Task Scheduler .job import arbitrary DACL write Tested on: Windows 10 32-bit Bug information: There are two folders for tasks. c:\windows\tasks c:\windows\system32\tasks...
Horde Webmail 5.2.22 - Multiple Vulnerabilities
Horde Webmail 5.2.22 - Multiple Vulnerabilities Title: Horde Webmail - XSS + CSRF to SQLi, RCE, Stealing Emails var url = "http://webmail.victimserver.com/trean/"; var params =...
TapinRadio 2.11.6 - Uername Denial of Service (PoC)
TapinRadio 2.11.6 - Uername Denial of Service PoC Exploit Title: TapinRadio 2.11.6 - 'Uername' Denial of Service PoC Discovery by: Victor Mondragón Discovery Date: 2019-05-21 Vendor Homepage: http://www.raimersoft.com/ Software Link: www.raimersoft.com/downloads/tapinradiosetupx64.exe Tested...
Microsoft Internet Explorer 11 - Sandbox Escape
Microsoft Internet Explorer 11 - Sandbox Escape Inject into IE11. Will work on other sandboxes that allow the opening of windows filepickers through a broker. You will gain medium IL javascript execution, at which point you simply retrigger your IE RCE bug. EDB Note Download:...
RarmaRadio 2.72.3 - Username Denial of Service (PoC)
RarmaRadio 2.72.3 - Username Denial of Service PoC Exploit Title: RarmaRadio 2.72.3 - 'Username' Denial of Service PoC Discovery by: Victor Mondragón Discovery Date: 2019-05-21 Vendor Homepage: http://www.raimersoft.com/ Software Link: www.raimersoft.com/downloads/rarmaradiosetup.exe Tested...
Carel pCOWeb B1.2.1 - Credentials Disclosure
Carel pCOWeb B1.2.1 - Credentials Disclosure Exploit Title: Carel pCOWeb - Unprotected Storage of Credentials Date: 2019-04-16 Exploit Author: Luca.Chiou Vendor Homepage: https://www.carel.com/ Version: Carel pCOWeb all versions prior to B1.2.1 Tested on: It is a proprietary devices:...
Carel pCOWeb B1.2.1 - Cross-Site Scripting
Carel pCOWeb B1.2.1 - Cross-Site Scripting Exploit Title: Carel pCOWeb - Stored XSS Date: 2019-04-16 Exploit Author: Luca.Chiou Vendor Homepage: https://www.carel.com/ Version: Carel pCOWeb all versions prior to B1.2.1 Tested on: It is a proprietary devices: http://www.carel.com/product/pcoweb-ca...
AUO Solar Data Recorder 1.3.0 - addr Cross-Site Scripting
AUO Solar Data Recorder 1.3.0 - addr Cross-Site Scripting Exploit Title: AUO Solar Data Recorder - Stored XSS Date: 2019-04-16 Exploit Author: Luca.Chiou Vendor Homepage: https://www.auo.com/zh-TW Version: AUO Solar Data Recorder all versions prior to v1.3.0 Tested on: It is a proprietary devices...
RarmaRadio 2.72.3 - Server Denial of Service (PoC)
RarmaRadio 2.72.3 - Server Denial of Service PoC Exploit Title: RarmaRadio 2.72.3 - 'Server' Denial of Service PoC Discovery by: Victor Mondragón Discovery Date: 2019-05-21 Vendor Homepage: http://www.raimersoft.com/ Software Link: www.raimersoft.com/downloads/rarmaradiosetup.exe Tested Version:...
Zoho ManageEngine ServiceDesk Plus 9.3 - Cross-Site Scripting
Zoho ManageEngine ServiceDesk Plus 9.3 - Cross-Site Scripting Exploit Title: Zoho ManageEngine ServiceDesk Plus 9.3 Cross-Site Scripting Date: 2019-05-21 Exploit Author: Enter of VinCSS Vingroup Vendor Homepage: https://www.manageengine.com/products/service-desk Version: Zoho ManageEngine...
TapinRadio 2.11.6 - Address Denial of Service (PoC)
TapinRadio 2.11.6 - Address Denial of Service PoC Exploit Title: TapinRadio 2.11.6 - 'Address' Denial of Service PoC Discovery by: Victor Mondragón Discovery Date: 2019-05-21 Vendor Homepage: http://www.raimersoft.com/ Software Link: www.raimersoft.com/downloads/tapinradiosetupx64.exe Tested...
Zoho ManageEngine ServiceDesk Plus 10.5 - Improper Access Restrictions
Zoho ManageEngine ServiceDesk Plus 10.5 - Improper Access Restrictions Exploit Title: Zoho ManageEngine ServiceDesk Plus 10.5 Incorrect Access Control Date: 2019-05-21 Exploit Author: Enter of VinCSS Vingroup Vendor Homepage: https://www.manageengine.com/products/service-desk Version: Zoho...
BlueStacks 4.80.0.1060 - Denial of Service (PoC)
BlueStacks 4.80.0.1060 - Denial of Service PoC -- coding: utf-8 -- Exploit Title: BlueStacks 4.80.0.1060 - Denial of Service PoC Date: 21/05/2019 Author: Alejandra Sánchez Vendor Homepage: https://www.bluestacks.com Software: https://www.bluestacks.com/download.html?utmcampaign=bluestacks-4-en...
Apple macOS 10.14.5 iOS 12.3 JavaScriptCore - Loop-Invariant Code Motion (LICM) in DFG JIT Leaves Stack Variable Uninitialized
Apple macOS 10.14.5 iOS 12.3 JavaScriptCore - Loop-Invariant Code Motion LICM in DFG JIT Leaves Stack Variable Uninitialized While fuzzing JavaScriptCore, I encountered the following modified and commented JavaScript program which crashes jsc from current HEAD and release: // Run with...
Deluge 1.3.15 - URL Denial of Service (PoC)
Deluge 1.3.15 - URL Denial of Service PoC Exploit Title: Deluge 1.3.15 - 'URL' Denial of Service PoC Discovery by: Victor Mondragón Discovery Date: 2019-05-20 Vendor Homepage: https://dev.deluge-torrent.org/ Software Link: http://download.deluge-torrent.org/windows/deluge-1.3.15-win32-py2.7.exe...
WordPress Plugin WPGraphQL 0.2.3 - Multiple Vulnerabilities
WordPress Plugin WPGraphQL 0.2.3 - Multiple Vulnerabilities !/usr/bin/env python Author: Simone Quatrini of Pen Test Partners CVEs: 2019-9879, 2019-9880, 2019-9881 Tested on Wordpress 5.1.1 and wp-graphql 0.2.3 https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/ import argpars...
Brocade Network Advisor 14.4.1 - Unauthenticated Remote Code Execution
Brocade Network Advisor 14.4.1 - Unauthenticated Remote Code Execution / Exploit Title: Brocade Network Advisor - Unauthenticated Remote Code Execution Date: 2017-03-29 Exploit Author: Jakub Palaczynski Vendor Homepage: https://www.broadcom.com/ CVE: CVE-2018-6443 Version: Tested on Brocade Netwo...
Apple macOS 10.14.5 iOS 12.3 XNU - Wild-read due to bad cast in stf_ioctl
Apple macOS 10.14.5 iOS 12.3 XNU - Wild-read due to bad cast in stfioctl / Reproduction Tested on macOS 10.14.3: $ clang -o stfwildread stfwildread.cc $ ./stfwildread Explanation SIOCSIFADDR is an ioctl that sets the address of an interface. The stf interface ioctls are handled by the stfioctl...
Oracle CTI Web Service - EBS_ASSET_HISTORY_OPERATIONS XML Entity Injection
Oracle CTI Web Service - EBSASSETHISTORYOPERATIONS XML Entity Injection Exploit Title: Oracle CTI Web Service XML Entity Exp. Exploit Author: omurugur Author Web: https://www.justsecnow.com Author Social: @omurugurrr URL : http://server/EBSASSETHISTORYOPERATIONS As can be seen in the following...
Apple macOS 10.14.5 iOS 12.3 JavaScriptCore - AIR Optimization Incorrectly Removes Assignment to Register
Apple macOS 10.14.5 iOS 12.3 JavaScriptCore - AIR Optimization Incorrectly Removes Assignment to Register While fuzzing JavaScriptCore, I encountered the following JavaScript program which crashes jsc from current HEAD git commit 3c46422e45fef2de6ff13b66cd45705d63859555 in debug and release build...
TP-LINK TL-WR840N v5 00000005 - Cross-Site Scripting
TP-LINK TL-WR840N v5 00000005 - Cross-Site Scripting Exploit Title: TL-WR840N v5 00000005 Date: 5/10/2019 Exploit Author: purnendu ghosh Vendor Homepage: https://www.tp-link.com/ Software Link: https://www.amazon.in/TP-LINK-TL-WR840N-300Mbps-Wireless-External/dp/B01A0G1J7Q Category: Hardware...
Deluge 1.3.15 - Webseeds Denial of Service (PoC)
Deluge 1.3.15 - Webseeds Denial of Service PoC Exploit Title: Deluge 1.3.15 - 'Webseeds' Denial of Service PoC Discovery by: Victor Mondragón Discovery Date: 2019-05-20 Vendor Homepage: https://dev.deluge-torrent.org/ Software Link:...
Moodle Jmol Filter 6.1 - Directory Traversal Cross-Site Scripting
Moodle Jmol Filter 6.1 - Directory Traversal Cross-Site Scripting Exploit Title: Moodle filterjmol multiple vulnerabilities Directory Traversal and XSS Date: 20 May 2019 Exploit Author: Dionach Ltd Exploit Author Homepage: https://www.dionach.com/blog/moodle-jmol-plugin-multiple-vulnerabilities...
Apple macOS 10.14.5 iOS 12.3 XNU - in6_pcbdetach Stale Pointer Use-After-Free
Apple macOS 10.14.5 iOS 12.3 XNU - in6pcbdetach Stale Pointer Use-After-Free Reproduction Repros on 10.14.3 when run as root. It may need multiple tries to trigger. $ clang -o in6selectsrc in6selectsrc.cc $ while 1; do sudo ./in6selectsrc; done res0: 3 res1: 0 res1.5: -1 // failure expected here...
Apple macOS 10.14.5 iOS 12.3 DFG JIT Compiler - HasIndexedProperty Use-After-Free
Apple macOS 10.14.5 iOS 12.3 DFG JIT Compiler - HasIndexedProperty Use-After-Free See also https://bugs.chromium.org/p/project-zero/issues/detail?id=1699 for a similar issue. The DFG JIT compiler attempts to determine whether a DFG IR operation could cause garbage collection GC during its executi...
Huawei eSpace 1.1.11.103 - DLL Hijacking
Huawei eSpace 1.1.11.103 - DLL Hijacking / Huawei eSpace Desktop DLL Hijacking Vulnerability Vendor: Huawei Technologies Co., Ltd. Product web page: https://www.huawei.com Affected version: eSpace 1.1.11.103 aka eSpace ECS, eSpace Desktop, eSpace Meeting, eSpace UC Summary: Create more convenient...
Encrypt PDF 2.3 - Denial of Service (PoC)
Encrypt PDF 2.3 - Denial of Service PoC -- coding: utf-8 -- Exploit Title: Encrypt PDF v2.3 - Denial of Service PoC Date: 19/05/2019 Author: Alejandra Sánchez Vendor Homepage: http://www.verypdf.com Software: http://www.verypdf.com/encryptpdf/encryptpdf.exe Version: 2.3 Tested on: Windows 10 Proo...
Solaris 10 113 (Intel) - dtprintinfo Local Privilege Escalation
Solaris 10 113 Intel - dtprintinfo Local Privilege Escalation / raptordtprintnameintel.c - dtprintinfo 0day, Solaris/Intel Copyright c 2004-2019 Marco Ivaldi 0day buffer overflow in the dtprintinfo1 CDE Print Viewer, leading to local root. Many thanks to Dave Aitel for discovering this...
AbsoluteTelnet 10.16 - License name Denial of Service (PoC)
AbsoluteTelnet 10.16 - License name Denial of Service PoC Exploit Title: AbsoluteTelnet 10.16 - 'License name' Denial of Service PoC Discovery by: Victor Mondragón Discovery Date: 2019-05-19 Vendor Homepage: https://www.celestialsoftware.net/ Software Link:...
Solaris 789 (SPARC) - dtprintinfo Local Privilege Escalation (2)
Solaris 789 SPARC - dtprintinfo Local Privilege Escalation 2 / raptordtprintnamesparc2.c - dtprintinfo 0day, Solaris/SPARC Copyright c 2004-2019 Marco Ivaldi 0day buffer overflow in the dtprintinfo1 CDE Print Viewer, leading to local root. Many thanks to Dave Aitel for discovering this...
docPrint Pro 8.0 - Denial of Service (PoC)
docPrint Pro 8.0 - Denial of Service PoC -- coding: utf-8 -- Exploit Title: Document Converter docPrint Pro v8.0 - Denial of Service PoC Date: 19/05/2019 Author: Alejandra Sánchez Vendor Homepage: http://www.verypdf.com Software: http://dl.verypdf.net/docprintprosetup.exe Version: 8.0 Tested on:...
Huawei eSpace 1.1.11.103 - ContactsCtrl.dll eSpaceStatusCtrl.dll ActiveX Heap Overflow
Huawei eSpace 1.1.11.103 - ContactsCtrl.dll eSpaceStatusCtrl.dll ActiveX Heap Overflow Huawei eSpace Meeting ContactsCtrl.dll and eSpaceStatusCtrl.dll ActiveX Heap Overflow Vendor: Huawei Technologies Co., Ltd. Product web page: https://www.huawei.com Affected version: eSpace 1.1.11.103 aka eSpac...
PCL Converter 2.7 - Denial of Service (PoC)
PCL Converter 2.7 - Denial of Service PoC -- coding: utf-8 -- Exploit Title: VeryPDF PCL Converter v2.7 - Denial of Service PoC Date: 19/05/2019 Author: Alejandra Sánchez Vendor Homepage: http://www.verypdf.com Software: http://www.verypdf.com/pcltools/pcl-converter.exe Version: 2.7 Tested on:...