Google Chrome M72 - FileWriterImpl Use-After-Free
There's a use-after-free in the implementation of the FileWriter component of the mojo bindings for the filesystem API. The browser-process side of this API is defined in...
WordPress Core 5.0 - Remote Code Execution
var wpnonce = ''; var ajaxnonce = ''; var wpattachedfile = ''; var imgurl = ''; var postajaxdata = ''; var postid = 0; var cmd = '?php phpinfo;/'; var cmdlen = cmd.length var payload = '\xff\xd8\xff\xed\x004Photoshop...
macOS XNU - Copy-on-Write Behavior Bypass via Mount of User-Owned Filesystem Image
XNU has various interfaces that permit creating copy-on-write copies of data between processes, including out-of-line message descriptors in mach messages. It is important that the copied memory is protected agains...
Google Chrome M72 - Use-After-Free in RenderProcessHostImpl Binding for P2PSocketDispatcherHost
There's an object-lifetime issue in the browser process in the handling of P2PSocketDispatcherHost binding in parallel with OnBloatedRenderer event handling. In RenderProcessHostImpl, we have a uniquep...
TransMac 12.3 - Denial of Service (PoC)
-- coding: utf-8 -- Exploit Title: TransMac 12.3 - 'Volume name' Denial of Service PoC Date: 27/02/2019 Author: Alejandra Sánchez Vendor Homepage: https://www.acutesystems.com/ Software Link: https://www.acutesystems.com/tmac/tmsetup.exe Version: 12.3 Tested...
FTP Server 1.32 - Denial of Service
!/usr/bin/env python coding: utf-8 Author: Marcelo Vázquez aka s4vitar FTP Server 1.32 Remote Denial of Service DoS Exploit Title: FTP Server 1.32 Remote Denial of Service DoS Date: 2019-02-26 Exploit Author: Marcelo Vázquez aka s4vitar Vendor: The Olive Tree...
Usermin 1.750 - Remote Command Execution (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' require 'uri' class MetasploitModule 'Usermin 1.750 - Remote Command Execution', 'Description' = %q...
Simple Online Hotel Reservation System - Cross-Site Request Forgery (Delete Admin)
Exploit Title: Simple Online Hotel Reservation System - Cross-Site Request Forgery Delete Admin Exploit Author: Mr Winst0n Author E-mail: [email protected] Discovery Date: February 25, 2019 Vendor Homepage:...
Feng Office 3.7.0.5 - Remote Command Execution (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' require 'uri' class MetasploitModule 'Feng Office 3.7.0.5 - Unauthenticated Remote Command...
Simple Online Hotel Reservation System - Cross-Site Request Forgery (Add Admin)
Exploit Title: Simple Online Hotel Reservation System - Cross-Site Request Forgery Add Admin Exploit Author: Mr Winst0n Author E-mail: [email protected] Discovery Date: February 25, 2019 Vendor Homepage:...
Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow
!/usr/bin/python3 import argparse import requests import urllib.parse import binascii import re def runtarget: """ Execute exploitation """ We're using CVE-2018-10561 and/or it's extension in order to exploit this Authenticated RCE in usbForm...
Joomla! Component J2Store 3.3.7 - SQL Injection
Exploit Title: J2Store Plugin for Joomla! 3.3.6 - SQL Injection Date: 19/02/2019 Author: Andrei Conache Twitter: @andreiconache Contact: andrei.conacheatprotonmail.com Software Link: https://www.j2store.org Version: 3.x-3.3.6 Tested on: Linux CVE:...
Simple Online Hotel Reservation System - SQL Injection
Exploit Title: Simple Online Hotel Reservation System - SQL Injection / Authentication Bypass Exploit Author: Mr Winst0n Author E-mail: [email protected] Discovery Date: February 25, 2019 Vendor Homepage: https://code-projects.org/...
WebKitGTK 2.23.90 WebKitGTK+ 2.22.6 - Denial of Service
Exploit Title: Buffer overflow Date: 27-02-2019 Exploit Author: Dhiraj Mishra Vendor Homepage: https://webkit.org/ Software Link: https://gitlab.gnome.org/GNOME/epiphany Version: 2.23.90 Tested on: Linux 4.15.0-38-generic CVE: CVE-2019-8375...
PHP 7.2 - imagecolormatch() Out of Band Heap Write
&c= Example: GET/POST /exploit.php?f=0x7fe83d1bb480&c=id++/dev/shm/titi Target: PHP 7.2.x Tested on: PHP 7.2.12 / buf = unsigned long safeemallocsizeofunsigned long, 5 im2-colorsTotal, 0; for x=0; xsx; x++ for y=0; ysy; y++ color = im2-pixelsyx; rg...
Drupal 8.6.9 - REST Module Remote Code Execution
!/usr/bin/env python3 CVE-2019-6340 Drupal = 8.6.9 REST services RCE PoC 2019 @leonjza Technical details for this exploit is available at: https://www.drupal.org/sa-core-2019-003 https://www.ambionics.io/blog/drupal8-rce...
PHP Ecommerce Script 2.0.6 - Cross-Site Scripting SQL Injection
Exploit Title: PHP Ecommerce Script 2.0.6 - Cross Site Scripting / SQL Injection Exploit Author: Mr Winst0n Author E-mail: [email protected] Discovery Date: February 22, 2019 Vendor Homepage: http://www.phpscriptsmall.com/...
zzzphp CMS 1.6.1 - Remote Code Execution
Exploit Title: dynamic code evaluation of zzzphp cms 1.6.1 Google Dork: intext:"2015-2019 zzcms.com" Date: 24/02/2019 Exploit Author: Yang Chenglong Vendor Homepage: http://www.zzzcms.com/index.html Software Link: http://115.29.55.18/zzzphp.zip Version:...
Xlight FTP Server 3.9.1 - Buffer Overflow (PoC)
Exploit Title: Xlight 3.9.1 FTP Server SEH Overwrite Google Dork: N/A Date: 2019-02-24 Exploit Author: Logan Whitmire Vendor Homepage: https://www.xlightftpd.com/index.htm Software Link: https://www.xlightftpd.com/download/xlight.zip Version: 3.9.1...
Advance Gift Shop Pro Script 2.0.3 - SQL Injection
Exploit Title: Advance Gift Shop Pro Script 2.0.3 - SQL Injection Exploit Author: Mr Winst0n Author E-mail: [email protected] Discovery Date: February 21, 2019 Vendor Homepage: http://www.phpscriptsmall.com/ Software Link :...
News Website Script 2.0.5 - SQL Injection
Exploit Title: News Website Script 2.0.5 - SQL Injection Exploit Author: Mr Winst0n Author E-mail: [email protected] Discovery Date: February 22, 2019 Vendor Homepage: http://www.phpscriptsmall.com/ Software Link :...
Jenkins Plugin Script Security 1.49 / Declarative 1.3.4 / Groovy 2.60 - Remote Code Execution
!/usr/bin/env python Exploit Title : jenkins-preauth-rce-exploit.py Date : 02/23/2019 Authors : wetw0rk & 0xtavian Vendor Homepage : https://jenkins.oi Software Link : https://jenkins.io/download/ Tested on :...
Drupal 8.6.10 / 8.5.11 - REST Module Remote Code Execution
Analyzing the patch: by diffing Drupal 8.6.9 and 8.6.10, we can see that in the REST module, FieldItemNormalizer now uses a new trait, SerializedColumnNormalizerTrait. This trait provides the checkForSerializedStrings method, which in short...
Teracue ENC-400 - Command Injection / Missing Authentication
Introduction: Multiple vulnerabilities were identified within the Teracue ENC-400, including pre-authenticated remote code authentication. While the vendor has released updated firmware after these issues were identified, they...
WinRAR 5.61 - Path Traversal
!/usr/bin/env python3 import os import re import zlib import binascii The archive filename you want rarfilename = "test.rar" The evil file you want to run evilfilename = "calc.exe" The decompression path you want, such shown below targetfilename =...
Micro Focus Filr 3.4.0.217 - Path Traversal / Local Privilege Escalation
SecureAuth - SecureAuth Labs Advisory http://www.secureauth.com/ Micro Focus Filr Multiple Vulnerabilities 1. Advisory Information Title: Micro Focus Filr Multiple Vulnerabilities Advisory ID: SAUTH-2019-0001 Advisory URL:...
Quest NetVault Backup Server 11.4.5 - Process Manager Service SQL Injection Remote Code Execution
Exploit Title: Quest NetVault Backup Server 11.4.5 Process Manager Service SQL Injection Remote Code Execution Vulnerability ZDI-17-982 Date: 2-21-2019 Exploit Author: credit goes to rgod for finding...
WebKit JSC - reifyStaticProperty Needs to set the PropertyAttribute::CustomAccessor flag for CustomGetterSetter
/ https://github.com/WebKit/webkit/blob/3fff8c40c665a09de5e3ede46fc35908f69353c3/Source/JavaScriptCore/runtime/Lookup.h#L392 if value.attributes & PropertyAttribute::PropertyCallback...
AirDrop 2.0 - Denial of Service (DoS)
include include include include include include include include include include include // // Author: Marcelo Vázquez aka s4vitar // AirDrop 2.0 Remote Denial of Service DoS // // Exploit Title: AirDrop 2.0 Remote Denial of Service DoS // Date: 2019-02-21 //...
RealTerm Serial Terminal 2.0.0.70 - Echo Port Buffer Overflow (SEH)
Exploit Title: RealTerm: Serial Terminal 2.0.0.70 - 'Echo Port' Buffer Overflow - SEH Date: 21.02.2019 Exploit Author: Matteo Malvica Vendor Homepage: https://realterm.sourceforge.io/ Software Link:...
EI-Tube 3 - SQL Injection
Exploit Title: PHP EI-Tube Script - Sql Injection Date: 2019-02-21 Exploit Author: Meisam Monsef - [email protected] Vendor Homepage: https://codecanyon.net/item/eitube-youtube-api-v3-site-builder/22722912?srank=17 Version: 3 Tested on: ubuntu special thanks : Alireza...
MikroTik RouterOS 6.43.12 (stable) / 6.42.12 (long-term) - Firewall and NAT Bypass
CVE-2019-3924 A remote, unauthenticated attacker can proxy traffic through RouterOS via probes sent to the agent binary. This PoC demonstrates how to exploit a LAN host from the WAN. A video demonstrating the attack can ...
Memu Play 6.0.7 - Privilege Escalation
Exploit Title: Memu Play 6.0.7 - Privilege Escalation PoC Date: 20/02/2019 Author: Alejandra Sánchez Vendor Homepage: https://www.memuplay.com/ Software Link: https://www.memuplay.com/download-en.php?filename=Memu-Setup&from=officialrelease Version: 6.0.7...
ScreenStream 3.0.15 - Denial of Service
!/usr/bin/python coding: utf-8 Author: Marcelo Vázquez aka s4vitar ScreenStream 3.0.15 Remote Denial of Service DoS Exploit Title: ScreenStream 3.0.15 Remote Denial of Service DoS Date: 2019-02-21 Exploit Author: Marcelo Vázquez aka s4vitar Vendor Homepage:...
Virtual VCR Max .0a - .vcr Buffer Overflow (PoC)
!/usr/bin/python Exploit Title: VirtualVCR-Max .0a Overflow PoC Google Dork: N/A Date: 21/02/2019 Exploit Author: Wade Guest Vendor Homepage: http://virtualvcr.sourceforge.net/ Software Link: https://sourceforge.net/projects/virtualvcr/ Version: Max...
C4G Basic Laboratory Information System (BLIS) 3.4 - SQL Injection
Exploit Title: C4G Basic Laboratory Information System BLIS 3.4 - Multiples SQL Injection Date: 01/31/2019 Software Links/Project: https://github.com/C4G/BLIS | http://blis.cc.gatech.edu/index.php Version: C4G Basic Laboratory...
Valentina Studio 9.0.5 Linux - Host Buffer Overflow (PoC)
-- coding: utf-8 -- Exploit Title: Valentina Studio 9.0.5 Linux - 'Host' Buffer Overflow PoC Date: 20/02/2019 Author: Alejandra Sánchez Vendor Homepage: https://valentina-db.com/en/ Software Link:...
MatrixSSL 4.0.2 - Stack Buffer Overflow Verifying x.509 Certificates
I happened to notice that a public X.509 certificate testcase for CVE-2014-1569 caused a stack buffer overflow in MatrixSSL. I cleaned up the testcase a bit, to make a better demonstration. You can test it with the certValidate...
HotelDruid 2.3 - Cross-Site Scripting
Exploit Title: Hoteldruid 2.3 - 'nsextt' XSS Injection CVE: CVE-2019-8937 Date: 18-02-2019 Exploit Author: Mehmet EMIROGLU Vendor Homepage:...
WinRAR 5.61 - .lng Denial of Service
Exploit Title: WinRAR 5.61 - Denial of Service Author: Kağan Çapar Discovery Date: 2019-02-20 Software Link: https://win-rar.com/predownload.html?spV=true&subD=true&f=wrar561tr.exe Vendor Homepage : https://www.win-rar.com Tested Version: 5.61 32 Bit Tested on...
FaceTime - Texture Processing Memory Corruption
There is a memory corruption issue that occurs when processing a malformed RTP video stream in FaceTime. It appears to be related to processing textures. thread 7, stop reason = EXCBADACCESS code=EXCI386GPFLT frame 0: 0x00007fff56baaa92...
FTPShell Server 6.83 - Account name to ban Denial of Service (PoC)
Exploit Title: FTPShell Server 6.83 - Denial of Service PoC Discovery by: Victor Mondragón Discovery Date: 2018-02-20 Vendor Homepage: http://www.ftpshell.com/index.htm Software Link: http://www.ftpshell.com/downloadserver.htm Teste...
Android Kernel 4.8 - ptrace seccomp Filter Bypass
/ The seccomp.2 manpage http://man7.org/linux/man-pages/man2/seccomp.2.html documents: Before kernel 4.8, the seccomp check will not be run again after the tracer is notified. This means that, on older kernels, seccomp-based sandboxes must not...
Zuz Music 2.1 - zuzconsole/contact Persistent Cross-Site Scripting
Exploit Title: Zuz Music 2.1 - 'zuzconsole/contact ' Persistent Cross-site Scripting Google Dork: N/A Date: 14 Feb 2019 Exploit Author: Deyaa Muhammad Author EMail: contact at deyaa.me Author Blog: http://deyaa.me Vendor Homepage:...
Find a Place CMS Directory 1.5 - assets/external/data_2.php cate SQL Injection
Exploit Title: Find a Place CMS Directory 1.5 - 'assets/external/data2.php cate' SQL Injection Google Dork: inurl:"assets/external/data.php" Date: 14 Feb 2019 Exploit Author: Deyaa Muhammad Author EMail: contact at deyaa....
Ask Expert Script 3.0.5 - Cross Site Scripting / SQL Injection
Exploit Title: Ask Expert Script 3.0.5 - Cross Site Scripting / SQL Injection Exploit Author: Mr Winst0n Author E-mail: [email protected] Discovery Date: February 19, 2019 Vendor Homepage: http://www.phpscriptsmall.com/ Software...
NetSetMan 4.7.1 - Workgroup Denial of Service (PoC)
Exploit Title: NetSetMan 4.7.1 'Workgroup' - Denial of Service PoC Discovery by: Victor Mondragón Discovery Date: 2018-02-17 Vendor Homepage: https://www.netsetman.com/ Software Link: https://www.netsetman.com/netsetman.exe Tested Version: 4.7.1...
XAMPP 5.6.8 - SQL Injection / Persistent Cross-Site Scripting
!-- Exploit Title: Cross Site Scripting in XAMPP 5.6.8 and previous Date: 17-02-2019 Exploit Author: Rafael Pedrero Vendor Homepage: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/5.6.8/ Software Link:...
eDirectory - SQL Injection
Exploit Title: Admin auth bypass, SQLi and File Disclosure Google Dork: no defacers please ! Date: March 2019 reported to vendor without response :D Exploit Author: Efren Diaz Author contact: https://twitter.com/elefr3n Vendor Homepage: https://www.edirectory.com/...
Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2 - Path Traversal / Cross-Site Scripting
!-- Exploit Title: Cross Site Scripting in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 Administration zone Date: 31-01-2019 Exploit Author: Rafael Pedrero Vendor Homepage: https://www.manage...