41207 matches found
Linux Kernel 4.8 (Ubuntu 16.04) - Leak sctp Kernel Pointer
Linux Kernel 4.8 (Ubuntu 16.04) - Leak sctp Kernel Pointer /* Exploit Title: Linux Kernel 4.8 (Ubuntu 16.04) - Leak sctp kernel pointer Google Dork: - Date: 2018-11-20 Exploit Author: Jinbum Park Vendor Homepage: - Software Link: - Version: Linux Kernel 4.8 Ubuntu 16.04 Tested on: 4.8.0-36-generic...
xorg-x11-server 1.20.3 - modulepath Local Privilege Escalation
xorg-x11-server 1.20.3 - modulepath Local Privilege Escalation #!/bin/sh raptor_xorgy - xorg-x11-server LPE via modulepath switch Copyright (c) 2018 Marco Ivaldi A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission check for -modulepath and -logfile options when starting Xorg. X...
VBScript - OLEAUT32!VariantClear and scrrun!VBADictionary::put_Item Use-After-Free
VBScript - OLEAUT32!VariantClear and scrrun!VBADictionary::put_Item Use-After-Free Class class2 Private Sub Class_Terminate var17.RemoveAll End Sub End Class Set var17 = CreateObject("Scripting.Dictionary") Set var17.Item("foo") = new class2 var17.Item("foo") = 1 <!--...
Schneider Electric PLC - Session Calculation Authentication Bypass
Schneider Electric PLC - Session Calculation Authentication Bypass #!/usr/bin/env python ''' Copyright 2018 Photubias (c) Exploit Title: Schneider Session Calculation - CVE-2017-6026 Date: 2018-09-30 Exploit Author: Deneut Tijl Vendor Homepage: www.schneider-electric.com Software Link:...
PhpSpreadsheet 1.5.0 - XML External Entity (XXE)
PhpSpreadsheet 1.5.0 - XML External Entity (XXE) Product Description PhpSpreadsheet is a library written in pure PHP that provides a set of classes allowing users to read from and write to different spreadsheet file formats, such as Excel and LibreOffice Calc. Vulnerabilities List One vulnerability...
HTML5 Video Player 1.2.5 - Buffer Overflow (Metasploit)
HTML5 Video Player 1.2.5 - Buffer Overflow (Metasploit) This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class Metasploit3 'HTML5 Video Player 1.2.5 - Buffer Overflow (SEH)', 'Description' => %q This modul...
WebKit JSC JIT - JSPropertyNameEnumerator Type Confusion
WebKit JSC JIT - JSPropertyNameEnumerator Type Confusion /* When a for-in loop is executed, a JSPropertyNameEnumerator object is created at the beginning and used to store the information of the input object to the for-in loop. Inside the loop, the structure ID of the "this" object of every getbyi...
WebKit JIT - ByteCodeParser::handleIntrinsicCall Type Confusion
WebKit JIT - ByteCodeParser::handleIntrinsicCall Type Confusion /* case ArrayPushIntrinsic: ... if (static_cast<unsigned>(argumentCountIncludingThis) >= MIN_SPARSE_ARRAY_INDEX) return false; ArrayMode arrayMode = getArrayMode(m_currentInstruction[OPCODE_LENGTH(op_call) - 2].u.arrayProfile, Array::Write); ... This code always...
WebKit JSC - BytecodeGenerator::hoistSloppyModeFunctionIfNecessary Does not Invalidate the ForInContext Object
WebKit JSC - BytecodeGenerator::hoistSloppyModeFunctionIfNecessary Does not Invalidate the ForInContext Object /* This is similar to issue 1263. When hoisting a function onto the outer scope, if it overwrites the iteration variable for a for-in loop it should invalidate the corresponding...
Arm Whois 3.11 - Buffer Overflow (ASLR)
Arm Whois 3.11 - Buffer Overflow (ASLR)...
MariaDB Client 10.1.26 - Denial of Service (PoC)
MariaDB Client 10.1.26 - Denial of Service (PoC) Exploit Title: MariaDB Client 10.1.26 - Denial of Service (PoC) Google Dork: None Date: 2018-11-16 Exploit Author: strider Software Link: https://github.com/MariaDB/server Version: mysql Ver 15.1 Distrib 10.1.26-MariaDB, for debian-linux-gnu (x86_64) usin...
WordPress Plugins Easy Testimonials 3.2 - Cross-Site Scripting
WordPress Plugins Easy Testimonials 3.2 - Cross-Site Scripting Exploit Title: WordPress Plugins Easy Testimonials 3.2 - Cross-Site Scripting Date: 2018-11-23 Exploit Author: Endust Vendor Homepage: https://wordpress.org/plugins/easy-testimonials/ Software Link:...
No-Cms 1.0 - order_by SQL Injection
No-Cms 1.0 - order_by SQL Injection Exploit Title: No-Cms 1.0 - 'order_by' SQL Injection Date: 2018-11-28 Exploit Author: Loading Kura Kura Vendor Homepage: https://github.com/goFrendiAsgard/No-CMS Software Link: https://codeload.github.com/goFrendiAsgard/No-CMS/zip/master Tested on: Win10/Kali Lin...
ELBA5 5.8.0 - Remote Code Execution
ELBA5 5.8.0 - Remote Code Execution Exploit Title: ELBA5 5.8.0 - Remote Code Execution Date: 2018-11-16 Exploit Author: Florian Bogner Vendor Homepage: https://www.elba.at Vulnerable Software:...
Ticketly 1.0 - kind_id SQL Injection
Ticketly 1.0 - kind_id SQL Injection Exploit Title: Ticketly 1.0 – Multiple SQL Injection Exploit Author: Javier Olmedo Website: https://hackpuntes.com Date: 2018-11-19 Google Dork: N/A Vendor: Abisoft https://abisoftgt.net Software Link:...
Zyxel VMG1312-B10D 5.13AAXA.8 - Directory Traversal
Zyxel VMG1312-B10D 5.13AAXA.8 - Directory Traversal Exploit Title: Zyxel VMG1312-B10D 5.13AAXA.8 - Directory Traversal Date: 2018-11-17 Exploit Author: numan türle Vendor Homepage: https://www.zyxel.com/ Software Link:...
Ricoh myPrint 2.9.2.4 - Hard-Coded Credentials
Ricoh myPrint 2.9.2.4 - Hard-Coded Credentials Exploit Title: Ricoh myPrint 2.9.2.4 - Hard-Coded Credentials Google Dork: intitle:"ricoh myprint" "Copyright Ricoh. All Rights Reserved" Date: 2018-11-19 Exploit Author: Hodorsec Vendor Homepage: https://www.ricoh.com Software Link:...
Linux Kernel 4.15.x < 4.19.2 - map_write() CAP_SYS_ADMIN Local Privilege Escalation (ldpreload Method)
Linux Kernel 4.15.x < 4.19.2 - map_write() CAP_SYS_ADMIN Local Privilege Escalation (ldpreload Method) #!/bin/sh EDB Note: Download https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47166.zip wrapper for Jann Horn's exploit for CVE-2018-18955 uses ld.so.preload technique --...
Linux Kernel 4.15.x < 4.19.2 - map_write() CAP_SYS_ADMIN Local Privilege Escalation (cron Method)
Linux Kernel 4.15.x < 4.19.2 - map_write() CAP_SYS_ADMIN Local Privilege Escalation (cron Method) #!/bin/sh EDB Note: Download https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47164.zip wrapper for Jann Horn's exploit for CVE-2018-18955 uses crontab technique ---...
WebOfisi E-Ticaret V4 - urun SQL Injection
WebOfisi E-Ticaret V4 - urun SQL Injection Exploit Title: WebOfisi E-Ticaret V4 - 'urun' SQL Injection Date: 2018-11-21 Exploit Author: Özkan Mustafa Akkuş (AkkuS) Contact: https://pentest.com.tr Vendor Homepage: https://www.web-ofisi.com Software Demo: http://demobul.net/eticaretv4/ Software Link:...
Synaccess netBooter NP-0801DU 7.4 - Cross-Site Request Forgery (Add Admin)
Synaccess netBooter NP-0801DU 7.4 - Cross-Site Request Forgery (Add Admin) Title: Synaccess netBooter NP-0801DU 7.4 - Cross-Site Request Forgery (Add Admin) Author: Gjoko 'LiquidWorm' Krstic @zeroscience Exploit Date: 2018-11-17 Vendor: Synaccess Networks Inc. Product web page:...
WordPress CherryFramework Themes 3.1.4 - Backup File Download
WordPress CherryFramework Themes 3.1.4 - Backup File Download Exploit Title: WordPress CherryFramework Themes 3.1.4 - Backup File Download Google Dork: inurl:/wp-content/themes/CherryFramework Date: 2018-11-17 Exploit Author: b1p0l4r Vendor Homepage: http://www.cherryframework.com/ Software Link:...
Ticketly 1.0 - name SQL Injection
Ticketly 1.0 - name SQL Injection Exploit Title: Ticketly 1.0 – 'name' SQL Injection Exploit Author: Javier Olmedo Website: https://hackpuntes.com Date: 2018-11-19 Google Dork: N/A Vendor: Abisoft https://abisoftgt.net Software Link:...
Ticketly 1.0 - Cross-Site Request Forgery (Add Admin)
Ticketly 1.0 - Cross-Site Request Forgery (Add Admin) Exploit Title: Ticketly 1.0 - Cross-Site Request Forgery (Add Admin) Exploit Author: Javier Olmedo Website: https://hackpuntes.com Date: 2018-11-19 Google Dork: N/A Vendor: Abisoft https://abisoftgt.net Software Link:...
Microsoft Windows - DfMarshal Unsafe Unmarshaling Privilege Escalation
Microsoft Windows - DfMarshal Unsafe Unmarshaling Privilege Escalation Windows: DfMarshal Unsafe Unmarshaling Elevation of Privilege (Master) Platform: Windows 10 1803 (not tested earlier, although code looks similar on Win8+) Class: Elevation of Privilege Note, this is the master issue report for th...
Apple macOS 10.13 - workq_kernreturn Denial of Service (PoC)
Apple macOS 10.13 - workq_kernreturn Denial of Service (PoC) /* Exploit Title: MacOS 10.13 - 'workq_kernreturn' Denial of Service (PoC) Date: 2018-07-30 Exploit Author: Fabiano Anemone Vendor Homepage: https://www.apple.com/ Version: iOS 11.4.1 / MacOS 10.13.6 Tested on: iOS / MacOS CVE: Not assigned...
HTML Video Player 1.2.5 - Buffer-Overflow (SEH)
HTML Video Player 1.2.5 - Buffer-Overflow (SEH)...
ImageMagick - Memory Leak
ImageMagick - Memory Leak #!/bin/bash help echo "Usage poc generator: basename $0 gen WIDTHxHEIGHT NAME.xbm minimal" echo " Example gen: basename $0 gen 512x512 poc.xbm" echo "Usage result recovery: basename $0 recover SAVEDPREVIEW.png|jpeg|gif|etc" echo " Example recovery: basename $0 recover...
XMPlay 3.8.3 - .m3u Denial of Service (PoC)
XMPlay 3.8.3 - .m3u Denial of Service (PoC) Exploit Title: XMPlay 3.8.3 - '.m3u' Denial of Service (PoC) Date: 2018-11-18 Exploit Author: s7acktrac3 Vendor Homepage: https://www.xmplay.com/ Software Link: https://support.xmplay.com/filesview.php?fileid=676 Version: 3.8.3 latest Tested on: Windows...
Microsoft Edge Chakra - OP_Memset Type Confusion
Microsoft Edge Chakra - OP_Memset Type Confusion /* Since the patch for CVE-2018-8372, it checks all inputs to native arrays, and if any input equals to the MissingItem value which can cause type confusion, it starts the bailout process. But it doesn't check the "value" argument to OP_Memset. This c...
Warranty Tracking System 11.06.3 - txtCustomerCode SQL Injection
Warranty Tracking System 11.06.3 - txtCustomerCode SQL Injection Exploit Title: Warranty Tracking System 11.06.3 - 'txtCustomerCode' SQL Injection Dork: N/A Date: 2018-11-14 Exploit Author: Ihsan Sencan Vendor Homepage: http://warrantytrack.org/ Software Link:...
Easy Outlook Express Recovery 2.0 - Denial of Service (PoC)
Easy Outlook Express Recovery 2.0 - Denial of Service (PoC) Exploit Title: Easy Outlook Express Recovery 2.0 - Denial of Service (PoC) Dork: N/A Date: 2018-11-15 Exploit Author: Ihsan Sencan Vendor Homepage: https://www.munsoft.com/EasyOutlookExpressRecovery/ Software Link:...
DomainMOD 4.11.01 - raid Cross-Site Scripting
DomainMOD 4.11.01 - raid Cross-Site Scripting Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting Date: 2018-11-09 Exploit Author: Dawood Ansar Vendor Homepage: domainmod https://domainmod.org/ Software Link: domainmod https://github.com/domainmod/domainmod Version: v4.09.03 to v4.11.01 CVE :...
Mumsoft Easy Software 2.0 - Denial of Service (PoC)
Mumsoft Easy Software 2.0 - Denial of Service (PoC) Exploit Title: Mumsoft Easy Software 2.0 - Denial of Service (PoC) Dork: N/A Date: 2018-11-15 Exploit Author: Ihsan Sencan Vendor Homepage: https://www.munsoft.com/EasyRARRecovery/ Software Link:...
Linux - Broken uidgid Mapping for Nested User Namespaces
Linux - Broken uidgid Mapping for Nested User Namespaces commit 6397fac4915a "userns: bump idmap limits to 340" increases the number of possible uid/gid mappings that a namespace can have from 5 to 340. This is implemented by switching to a different data structure if the number of mappings excee...
Helpdezk 1.1.1 - Arbitrary File Upload
Helpdezk 1.1.1 - Arbitrary File Upload Exploit Title: Helpdezk 1.1.1 - Arbitrary File Upload Dork: N/A Date: 2018-11-13 Exploit Author: Ihsan Sencan Vendor Homepage: http://www.helpdezk.org/ Software Link: https://netcologne.dl.sourceforge.net/project/helpdezk/helpdezk-1.1.1.zip Version: 1.1.1...
Net-Billetterie 2.9 - login SQL Injection
Net-Billetterie 2.9 - login SQL Injection Exploit Title: Net-Billetterie 2.9 - 'login' SQL Injection Dork: N/A Date: 2018-11-13 Exploit Author: Ihsan Sencan Vendor Homepage: http://net-billetterie.tuxfamily.org/ Software Link:...
Simple E-Document 1.31 - username SQL Injection
Simple E-Document 1.31 - username SQL Injection Exploit Title: Simple E-Document 1.31 - 'username' SQL Injection Dork: N/A Date: 2018-11-14 Exploit Author: Ihsan Sencan Vendor Homepage:...
Notepad3 1.0.2.350 - Denial of Service (PoC)
Notepad3 1.0.2.350 - Denial of Service (PoC) Exploit Title: Notepad3 1.0.2.350 - Denial of Service (PoC) Dork: N/A Date: 2018-11-14 Exploit Author: Ihsan Sencan Vendor Homepage: http://www.rizonesoft.com/ Software Link:...
PHP-Proxy 5.1.0 - Local File Inclusion
PHP-Proxy 5.1.0 - Local File Inclusion Exploit Title: PHP-Proxy 5.1.0 - Local File Inclusion Date: 2018-11-13 Exploit Author: Ameer Pornillos Contact: https://ethicalhackers.club Vendor Homepage: https://www.php-proxy.com/ Software Link: https://www.php-proxy.com/download/php-proxy.zip Version:...
2-Plan Team 1.0.4 - Arbitrary File Upload
2-Plan Team 1.0.4 - Arbitrary File Upload Exploit Title: 2-Plan Team 1.0.4 - Arbitrary File Upload Dork: N/A Date: 2018-11-15 Exploit Author: Ihsan Sencan Vendor Homepage: http://2-plan.com/ Software Link: https://datapacket.dl.sourceforge.net/project/to-plan-team/1.1.0/2-plan-team.tgz Version:...
PHP Mass Mail 1.0 - Arbitrary File Upload
PHP Mass Mail 1.0 - Arbitrary File Upload Exploit Title: PHP Mass Mail 1.0 - Arbitrary File Upload Dork: N/A Date: 2018-11-14 Exploit Author: Ihsan Sencan Vendor Homepage: https://phpmassmail.sourceforge.io/ Software Link:...
WordPress Plugin Ninja Forms 3.3.17 - Cross-Site Scripting
WordPress Plugin Ninja Forms 3.3.17 - Cross-Site Scripting Exploit Title: WordPress Plugin Ninja Forms 3.3.17 - Cross-Site Scripting Date: 2018-11-15 Exploit Author: MTK Vendor Homepage: https://ninjaforms.com Software Link: https://wordpress.org/plugins/ninja-forms/ Version: Up to V3.3.17 Tested...
Kordil EDMS 2.2.60rc3 - Arbitrary File Upload
Kordil EDMS 2.2.60rc3 - Arbitrary File Upload Exploit Title: Kordil EDMS 2.2.60rc3 - Arbitrary File Upload Dork: N/A Date: 2018-11-13 Exploit Author: Ihsan Sencan Vendor Homepage: http://www.kordil.net/ Software Link:...
Galaxy Forces MMORPG 0.5.8 - type SQL Injection
Galaxy Forces MMORPG 0.5.8 - type SQL Injection Exploit Title: Galaxy Forces MMORPG 0.5.8 - 'type' SQL Injection Dork: N/A Date: 2018-11-14 Exploit Author: Ihsan Sencan Vendor Homepage: http://galaxy.alyx.pl/ Software Link:...
BitZoom 1.0 - rollno SQL Injection
BitZoom 1.0 - rollno SQL Injection Exploit Title: BitZoom 1.0 - 'rollno' SQL Injection Dork: N/A Date: 2018-11-14 Exploit Author: Ihsan Sencan Vendor Homepage: https://bitzoom.sourceforge.io/ Software Link: https://excellmedia.dl.sourceforge.net/project/bitzoom/bitzoom-master.zip Version: 1.0...
Meneame English Pligg 5.8 - search SQL Injection
Meneame English Pligg 5.8 - search SQL Injection Exploit Title: Meneame English Pligg 5.8 - 'search' SQL Injection Dork: N/A Date: 2018-11-13 Exploit Author: Ihsan Sencan Vendor Homepage: https://sourceforge.net/projects/meneame-english/ Software Link:...
EverSync 0.5 - Arbitrary File Download
EverSync 0.5 - Arbitrary File Download Exploit Title: EverSync 0.5 - Arbitrary File Download Dork: N/A Date: 2018-11-14 Exploit Author: Ihsan Sencan Vendor Homepage: https://phpmassmail.sourceforge.io/ Software Link:...
Precurio Intranet Portal 2.0 - Cross-Site Request Forgery (Add Admin)
Precurio Intranet Portal 2.0 - Cross-Site Request Forgery (Add Admin) Exploit Title: Precurio Intranet Portal 2.0 - Cross-Site Request Forgery (Add Admin) Dork: N/A Date: 2018-11-12 Exploit Author: Ihsan Sencan Vendor Homepage: http://www.precurio.org Software Link:...
iServiceOnline 1.0 - r SQL Injection
iServiceOnline 1.0 - r SQL Injection Exploit Title: iServiceOnline 1.0 - 'r' SQL Injection Dork: N/A Date: 2018-11-12 Exploit Author: Ihsan Sencan Vendor Homepage: https://sourceforge.net/projects/iserviceonline/ Software Link:...