Cyberoam Transparent Authentication Suite 2.1.2.5 - Fully Qualified Domain Name Denial of Service (PoC)
Cyberoam Transparent Authentication Suite 2.1.2.5 - Fully Qualified Domain Name Denial of Service PoC Exploit Title: Cyberoam Transparent Authentication Suite 2.1.2.5 - 'Fully Qualified Domain Name' Denial of Service PoC Discovery by: Victor Mondragón Discovery Date: 2019-05-23 Vendor Homepage:...
Cyberoam General Authentication Client 2.1.2.7 - Server Address Denial of Service (PoC)
Cyberoam General Authentication Client 2.1.2.7 - Server Address Denial of Service PoC Exploit Title: Cyberoam General Authentication Client 2.1.2.7 - Denial of Service PoC Discovery by: Victor Mondragón Discovery Date: 2019-05-23 Vendor Homepage: https://www.cyberoam.com Software Link:...
Cyberoam Transparent Authentication Suite 2.1.2.5 - NetBIOS Name Denial of Service (PoC)
Cyberoam Transparent Authentication Suite 2.1.2.5 - NetBIOS Name Denial of Service PoC Exploit Title: Cyberoam Transparent Authentication Suite 2.1.2.5 - 'NetBIOS Name' Denial of Service PoC Discovery by: Victor Mondragón Discovery Date: 2019-05-23 Vendor Homepage: https://www.cyberoam.com Softwa...
Cyberoam SSLVPN Client 1.3.1.30 - HTTP Proxy Denial of Service (PoC)
Cyberoam SSLVPN Client 1.3.1.30 - HTTP Proxy Denial of Service PoC Exploit Title: Cyberoam SSLVPN Client 1.3.1.30 - 'HTTP Proxy' Denial of Service PoC Discovery by: Victor Mondragón Discovery Date: 2019-05-23 Vendor Homepage: https://www.cyberoam.com Software Link:...
Fast AVI MPEG Joiner - License Name Denial of Service (PoC)
Fast AVI MPEG Joiner - License Name Denial of Service PoC Exploit Title: Fast AVI MPEG Joiner Dos Exploit Date: 24.5.2019 Vendor Homepage:http://www.alloksoft.com Software Link: http://www.alloksoft.com/fastavimpegjoiner.exe Exploit Author: Achilles Tested Version: 1.2.0812 Tested on: Windows 7 x...
Microsoft Internet Explorer Windows 10 1809 17763.316 - Scripting Engine Memory Corruption
Microsoft Internet Explorer Windows 10 1809 17763.316 - Scripting Engine Memory Corruption Content Dim ar1&h3000000 Dim ar21000 Dim gremlin addressOfGremlin = &h28281000 Class MyClass Private mValue Public Property Let Valuev mValue = v End Property Public Default Property Get P P = mValue ' Wher...
Cyberoam SSLVPN Client 1.3.1.30 - Connect To Server Denial of Service (PoC)
Cyberoam SSLVPN Client 1.3.1.30 - Connect To Server Denial of Service PoC Exploit Title: Cyberoam SSLVPN Client 1.3.1.30 - 'Connect To Server' Denial of Service PoC Discovery by: Victor Mondragón Discovery Date: 2019-05-23 Vendor Homepage: https://www.cyberoam.com Software Link:...
Axessh 4.2 - Log file name Local Stack-based Buffer Overflow
Axessh 4.2 - Log file name Local Stack-based Buffer Overflow Title: Axessh 4.2 - 'Log file name' Local Stack-based Buffer Overflow Date: May 23rd, 2019 Author: Uday Mittal https://github.com/yaksas443/YaksasCSC-Lab/ Vendor Homepage: http://www.labf.com Software Link:...
NetAware 1.20 - Add Block Denial of Service (PoC)
NetAware 1.20 - Add Block Denial of Service PoC -- coding: utf-8 -- Exploit Title: NetAware 1.20 - 'Add Block' Denial of Service PoC Date: 22/05/2019 Author: Alejandra Sánchez Vendor Homepage: https://www.infiltration-systems.com Software: http://www.infiltration-systems.com/Files/netaware.zip...
Visual Voicemail for iPhone - IMAP NAMESPACE Processing Use-After-Free
Visual Voicemail for iPhone - IMAP NAMESPACE Processing Use-After-Free Visual Voicemail VVM is a feature of mobile devices that allows voicemail to be read in an email-like format. Carriers set up a Visual Voicemail server that supports IMAP, and the device queries this server for new email. Visu...
Microsoft Windows - AppX Deployment Service Local Privilege Escalation (2)
Microsoft Windows - AppX Deployment Service Local Privilege Escalation 2 There is still a vuln in the code triggered by CVE-2019-0841 The bug that this guy found: https://krbtgt.pw/dacl-permissions-overwrite-privilege-escalation-cve-2019-0841/ If you create the following: GetFavDirectory gets the...
Microsoft Windows 10 1809 - CmKeyBodyRemapToVirtualForEnum Arbitrary Key Enumeration Privilege Escalation
Microsoft Windows 10 1809 - CmKeyBodyRemapToVirtualForEnum Arbitrary Key Enumeration Privilege Escalation Windows: CmKeyBodyRemapToVirtualForEnum Arbitrary Key Enumeration EoP Platform: Windows 10 1809 not tested earlier Class: Elevation of Privilege Security Boundary per Windows Security Service...
NetAware 1.20 - Share Name Denial of Service (PoC)
NetAware 1.20 - Share Name Denial of Service PoC -- coding: utf-8 -- Exploit Title: NetAware 1.20 - 'Share Name' Denial of Service PoC Date: 22/05/2019 Author: Alejandra Sánchez Vendor Homepage: https://www.infiltration-systems.com Software: http://www.infiltration-systems.com/Files/netaware.zip...
Nagios XI 5.6.1 - SQL injection
Nagios XI 5.6.1 - SQL injection Exploit Title: Nagiosxi username sql injection Date: 22/05/2019 Exploit Author: JameelNabbo Website: jameelnabbo.com Vendor Homepage: https://www.nagios.com Software Link: https://www.nagios.com/products/nagios-xi/ Version: xi-5.6.1 Tested on: MacOSX CVE:...
Terminal Services Manager 3.2.1 - Denial of Service
Terminal Services Manager 3.2.1 - Denial of Service -- coding: utf-8 -- Exploit Title: Terminal Services Manager 3.2.1 - Local Buffer Overflow Denial of Service Date: 22/05/2019 Author: Alejandra Sánchez Vendor Homepage: https://lizardsystems.com Software:...
Microsoft Windows 10 (17763.379) - Install DLL
Microsoft Windows 10 17763.379 - Install DLL edit: Figure out how this works for yourself. I can't be bothered. It's a really hard race, doubt anyone will be able to repro anyway. Could be used with malware, you could programmatically trigger the rollback. Maybe you can even pass the silent flag ...
AUO Solar Data Recorder 1.3.0 - addr Cross-Site Scripting
AUO Solar Data Recorder 1.3.0 - addr Cross-Site Scripting Exploit Title: AUO Solar Data Recorder - Stored XSS Date: 2019-04-16 Exploit Author: Luca.Chiou Vendor Homepage: https://www.auo.com/zh-TW Version: AUO Solar Data Recorder all versions prior to v1.3.0 Tested on: It is a proprietary devices...
Microsoft Windows (x84x64) - Error Reporting Discretionary Access Control List Local Privilege Escalation
Microsoft Windows x84x64 - Error Reporting Discretionary Access Control List Local Privilege Escalation EDIT: Apparently this was patched earlier this month.. so whatever. Windows Error Reporting Arbitrary DACL write It can take upwards of 15 minutes for the bug to trigger. If it takes too long,...
Zoho ManageEngine ServiceDesk Plus 9.3 - Cross-Site Scripting
Zoho ManageEngine ServiceDesk Plus 9.3 - Cross-Site Scripting Exploit Title: Zoho ManageEngine ServiceDesk Plus 9.3 Cross-Site Scripting Date: 2019-05-21 Exploit Author: Enter of VinCSS Vingroup Vendor Homepage: https://www.manageengine.com/products/service-desk Version: Zoho ManageEngine...
Microsoft Windows (x86) - Task Scheduler .job Import Arbitrary Discretionary Access Control List Write Local Privilege Escalation
Microsoft Windows x86 - Task Scheduler .job Import Arbitrary Discretionary Access Control List Write Local Privilege Escalation Task Scheduler .job import arbitrary DACL write Tested on: Windows 10 32-bit Bug information: There are two folders for tasks. c:\windows\tasks c:\windows\system32\tasks...
RarmaRadio 2.72.3 - Username Denial of Service (PoC)
RarmaRadio 2.72.3 - Username Denial of Service PoC Exploit Title: RarmaRadio 2.72.3 - 'Username' Denial of Service PoC Discovery by: Victor Mondragón Discovery Date: 2019-05-21 Vendor Homepage: http://www.raimersoft.com/ Software Link: www.raimersoft.com/downloads/rarmaradiosetup.exe Tested...
BlueStacks 4.80.0.1060 - Denial of Service (PoC)
BlueStacks 4.80.0.1060 - Denial of Service PoC -- coding: utf-8 -- Exploit Title: BlueStacks 4.80.0.1060 - Denial of Service PoC Date: 21/05/2019 Author: Alejandra Sánchez Vendor Homepage: https://www.bluestacks.com Software: https://www.bluestacks.com/download.html?utmcampaign=bluestacks-4-en...
TapinRadio 2.11.6 - Uername Denial of Service (PoC)
TapinRadio 2.11.6 - Uername Denial of Service PoC Exploit Title: TapinRadio 2.11.6 - 'Uername' Denial of Service PoC Discovery by: Victor Mondragón Discovery Date: 2019-05-21 Vendor Homepage: http://www.raimersoft.com/ Software Link: www.raimersoft.com/downloads/tapinradiosetupx64.exe Tested...
Microsoft Internet Explorer 11 - Sandbox Escape
Microsoft Internet Explorer 11 - Sandbox Escape Inject into IE11. Will work on other sandboxes that allow the opening of windows filepickers through a broker. You will gain medium IL javascript execution, at which point you simply retrigger your IE RCE bug. EDB Note Download:...
TapinRadio 2.11.6 - Address Denial of Service (PoC)
TapinRadio 2.11.6 - Address Denial of Service PoC Exploit Title: TapinRadio 2.11.6 - 'Address' Denial of Service PoC Discovery by: Victor Mondragón Discovery Date: 2019-05-21 Vendor Homepage: http://www.raimersoft.com/ Software Link: www.raimersoft.com/downloads/tapinradiosetupx64.exe Tested...
Carel pCOWeb B1.2.1 - Cross-Site Scripting
Carel pCOWeb B1.2.1 - Cross-Site Scripting Exploit Title: Carel pCOWeb - Stored XSS Date: 2019-04-16 Exploit Author: Luca.Chiou Vendor Homepage: https://www.carel.com/ Version: Carel pCOWeb all versions prior to B1.2.1 Tested on: It is a proprietary devices: http://www.carel.com/product/pcoweb-ca...
Zoho ManageEngine ServiceDesk Plus 10.5 - Improper Access Restrictions
Zoho ManageEngine ServiceDesk Plus 10.5 - Improper Access Restrictions Exploit Title: Zoho ManageEngine ServiceDesk Plus 10.5 Incorrect Access Control Date: 2019-05-21 Exploit Author: Enter of VinCSS Vingroup Vendor Homepage: https://www.manageengine.com/products/service-desk Version: Zoho...
RarmaRadio 2.72.3 - Server Denial of Service (PoC)
RarmaRadio 2.72.3 - Server Denial of Service PoC Exploit Title: RarmaRadio 2.72.3 - 'Server' Denial of Service PoC Discovery by: Victor Mondragón Discovery Date: 2019-05-21 Vendor Homepage: http://www.raimersoft.com/ Software Link: www.raimersoft.com/downloads/rarmaradiosetup.exe Tested Version:...
Carel pCOWeb B1.2.1 - Credentials Disclosure
Carel pCOWeb B1.2.1 - Credentials Disclosure Exploit Title: Carel pCOWeb - Unprotected Storage of Credentials Date: 2019-04-16 Exploit Author: Luca.Chiou Vendor Homepage: https://www.carel.com/ Version: Carel pCOWeb all versions prior to B1.2.1 Tested on: It is a proprietary devices:...
Horde Webmail 5.2.22 - Multiple Vulnerabilities
Horde Webmail 5.2.22 - Multiple Vulnerabilities Title: Horde Webmail - XSS + CSRF to SQLi, RCE, Stealing Emails var url = "http://webmail.victimserver.com/trean/"; var params =...
Oracle CTI Web Service - EBS_ASSET_HISTORY_OPERATIONS XML Entity Injection
Oracle CTI Web Service - EBSASSETHISTORYOPERATIONS XML Entity Injection Exploit Title: Oracle CTI Web Service XML Entity Exp. Exploit Author: omurugur Author Web: https://www.justsecnow.com Author Social: @omurugurrr URL : http://server/EBSASSETHISTORYOPERATIONS As can be seen in the following...
Apple macOS 10.14.5 iOS 12.3 JavaScriptCore - Loop-Invariant Code Motion (LICM) in DFG JIT Leaves Stack Variable Uninitialized
Apple macOS 10.14.5 iOS 12.3 JavaScriptCore - Loop-Invariant Code Motion LICM in DFG JIT Leaves Stack Variable Uninitialized While fuzzing JavaScriptCore, I encountered the following modified and commented JavaScript program which crashes jsc from current HEAD and release: // Run with...
Apple macOS 10.14.5 iOS 12.3 DFG JIT Compiler - HasIndexedProperty Use-After-Free
Apple macOS 10.14.5 iOS 12.3 DFG JIT Compiler - HasIndexedProperty Use-After-Free See also https://bugs.chromium.org/p/project-zero/issues/detail?id=1699 for a similar issue. The DFG JIT compiler attempts to determine whether a DFG IR operation could cause garbage collection GC during its executi...
Deluge 1.3.15 - URL Denial of Service (PoC)
Deluge 1.3.15 - URL Denial of Service PoC Exploit Title: Deluge 1.3.15 - 'URL' Denial of Service PoC Discovery by: Victor Mondragón Discovery Date: 2019-05-20 Vendor Homepage: https://dev.deluge-torrent.org/ Software Link: http://download.deluge-torrent.org/windows/deluge-1.3.15-win32-py2.7.exe...
WordPress Plugin WPGraphQL 0.2.3 - Multiple Vulnerabilities
WordPress Plugin WPGraphQL 0.2.3 - Multiple Vulnerabilities !/usr/bin/env python Author: Simone Quatrini of Pen Test Partners CVEs: 2019-9879, 2019-9880, 2019-9881 Tested on Wordpress 5.1.1 and wp-graphql 0.2.3 https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/ import argpars...
TP-LINK TL-WR840N v5 00000005 - Cross-Site Scripting
TP-LINK TL-WR840N v5 00000005 - Cross-Site Scripting Exploit Title: TL-WR840N v5 00000005 Date: 5/10/2019 Exploit Author: purnendu ghosh Vendor Homepage: https://www.tp-link.com/ Software Link: https://www.amazon.in/TP-LINK-TL-WR840N-300Mbps-Wireless-External/dp/B01A0G1J7Q Category: Hardware...
Brocade Network Advisor 14.4.1 - Unauthenticated Remote Code Execution
Brocade Network Advisor 14.4.1 - Unauthenticated Remote Code Execution / Exploit Title: Brocade Network Advisor - Unauthenticated Remote Code Execution Date: 2017-03-29 Exploit Author: Jakub Palaczynski Vendor Homepage: https://www.broadcom.com/ CVE: CVE-2018-6443 Version: Tested on Brocade Netwo...
Moodle Jmol Filter 6.1 - Directory Traversal Cross-Site Scripting
Moodle Jmol Filter 6.1 - Directory Traversal Cross-Site Scripting Exploit Title: Moodle filterjmol multiple vulnerabilities Directory Traversal and XSS Date: 20 May 2019 Exploit Author: Dionach Ltd Exploit Author Homepage: https://www.dionach.com/blog/moodle-jmol-plugin-multiple-vulnerabilities...
Apple macOS 10.14.5 iOS 12.3 XNU - in6_pcbdetach Stale Pointer Use-After-Free
Apple macOS 10.14.5 iOS 12.3 XNU - in6pcbdetach Stale Pointer Use-After-Free Reproduction Repros on 10.14.3 when run as root. It may need multiple tries to trigger. $ clang -o in6selectsrc in6selectsrc.cc $ while 1; do sudo ./in6selectsrc; done res0: 3 res1: 0 res1.5: -1 // failure expected here...
Deluge 1.3.15 - Webseeds Denial of Service (PoC)
Deluge 1.3.15 - Webseeds Denial of Service PoC Exploit Title: Deluge 1.3.15 - 'Webseeds' Denial of Service PoC Discovery by: Victor Mondragón Discovery Date: 2019-05-20 Vendor Homepage: https://dev.deluge-torrent.org/ Software Link:...
Apple macOS 10.14.5 iOS 12.3 JavaScriptCore - AIR Optimization Incorrectly Removes Assignment to Register
Apple macOS 10.14.5 iOS 12.3 JavaScriptCore - AIR Optimization Incorrectly Removes Assignment to Register While fuzzing JavaScriptCore, I encountered the following JavaScript program which crashes jsc from current HEAD git commit 3c46422e45fef2de6ff13b66cd45705d63859555 in debug and release build...
Apple macOS 10.14.5 iOS 12.3 XNU - Wild-read due to bad cast in stf_ioctl
Apple macOS 10.14.5 iOS 12.3 XNU - Wild-read due to bad cast in stfioctl / Reproduction Tested on macOS 10.14.3: $ clang -o stfwildread stfwildread.cc $ ./stfwildread Explanation SIOCSIFADDR is an ioctl that sets the address of an interface. The stf interface ioctls are handled by the stfioctl...
BulletProof FTP Server 2019.0.0.50 - Storage-Path Denial of Service (PoC)
BulletProof FTP Server 2019.0.0.50 - Storage-Path Denial of Service PoC Exploit Title: BulletProof FTP Server 2019.0.0.50 - 'Storage-Path' Denial of Service PoC Discovery by: Victor Mondragón Discovery Date: 2019-05-18 Vendor Homepage: http://bpftpserver.com/ Software Link:...
Huawei eSpace 1.1.11.103 - DLL Hijacking
Huawei eSpace 1.1.11.103 - DLL Hijacking / Huawei eSpace Desktop DLL Hijacking Vulnerability Vendor: Huawei Technologies Co., Ltd. Product web page: https://www.huawei.com Affected version: eSpace 1.1.11.103 aka eSpace ECS, eSpace Desktop, eSpace Meeting, eSpace UC Summary: Create more convenient...
PCL Converter 2.7 - Denial of Service (PoC)
PCL Converter 2.7 - Denial of Service PoC -- coding: utf-8 -- Exploit Title: VeryPDF PCL Converter v2.7 - Denial of Service PoC Date: 19/05/2019 Author: Alejandra Sánchez Vendor Homepage: http://www.verypdf.com Software: http://www.verypdf.com/pcltools/pcl-converter.exe Version: 2.7 Tested on:...
AbsoluteTelnet 10.16 - License name Denial of Service (PoC)
AbsoluteTelnet 10.16 - License name Denial of Service PoC Exploit Title: AbsoluteTelnet 10.16 - 'License name' Denial of Service PoC Discovery by: Victor Mondragón Discovery Date: 2019-05-19 Vendor Homepage: https://www.celestialsoftware.net/ Software Link:...
Huawei eSpace 1.1.11.103 - ContactsCtrl.dll eSpaceStatusCtrl.dll ActiveX Heap Overflow
Huawei eSpace 1.1.11.103 - ContactsCtrl.dll eSpaceStatusCtrl.dll ActiveX Heap Overflow Huawei eSpace Meeting ContactsCtrl.dll and eSpaceStatusCtrl.dll ActiveX Heap Overflow Vendor: Huawei Technologies Co., Ltd. Product web page: https://www.huawei.com Affected version: eSpace 1.1.11.103 aka eSpac...
Huawei eSpace 1.1.11.103 - Image File Format Handling Buffer Overflow
Huawei eSpace 1.1.11.103 - Image File Format Handling Buffer Overflow Huawei eSpace Meeting Image File Format Handling Buffer Overflow Vulnerability Vendor: Huawei Technologies Co., Ltd. Product web page: https://www.huawei.com Affected version: eSpace 1.1.11.103 aka eSpace ECS, eSpace Desktop,...
Encrypt PDF 2.3 - Denial of Service (PoC)
Encrypt PDF 2.3 - Denial of Service PoC -- coding: utf-8 -- Exploit Title: Encrypt PDF v2.3 - Denial of Service PoC Date: 19/05/2019 Author: Alejandra Sánchez Vendor Homepage: http://www.verypdf.com Software: http://www.verypdf.com/encryptpdf/encryptpdf.exe Version: 2.3 Tested on: Windows 10 Proo...
Solaris 789 (SPARC) - dtprintinfo Local Privilege Escalation (2)
Solaris 789 SPARC - dtprintinfo Local Privilege Escalation 2 / raptordtprintnamesparc2.c - dtprintinfo 0day, Solaris/SPARC Copyright c 2004-2019 Marco Ivaldi 0day buffer overflow in the dtprintinfo1 CDE Print Viewer, leading to local root. Many thanks to Dave Aitel for discovering this...