TL-WR720N 150Mbps Wireless N Router - Cross-Site Request Forgery

TL-WR720N 150Mbps Wireless N Router - Cross-Site Request Forgery / Exploit Title: TL-WR720N 150Mbps Wireless N Router - CSRF Date: 21-3-2018 Exploit Author: Mans van Someren Vendor Homepage: https://www.tp-link.com/ Software Link: https://static.tp-link.com/resources/software/TL-WR720NV1130719.zi...

Hikvision IP Camera versions 5.2.0 - 5.3.9 (Builds 140721 170109) - Access Control Bypass

Hikvision IP Camera versions 5.2.0 - 5.3.9 Builds 140721 170109 - Access Control Bypass Exploit Title: Hikvision IP Camera versions 5.2.0 - 5.3.9 Builds: 140721 - 170109 Backdoor Date: 15-03-2018 Vendor Homepage: http://www.hikvision.com/en/ Exploit Author: Matamorphosis Category: Web Apps...

XenForo 2 - CSS Loader Denial of Service

XenForo 2 - CSS Loader Denial of Service Exploit Title: XenForo CSS Loader DoS Google Dork: intext:"Forum software by XenForo™" inurl:css.php ext:php Date: 22-03-18 Exploit Author: LockedByte Vendor Homepage: https://xenforo.com/ Software Link: https://xenforo.com/help/installation/ Version:...

Wordpress Plugin Site Editor 1.1.1 - Local File Inclusion

Wordpress Plugin Site Editor 1.1.1 - Local File Inclusion Product: Site Editor Wordpress Plugin - https://wordpress.org/plugins/site-editor/ Vendor: Site Editor Tested version: 1.1.1 CVE ID: CVE-2018-7422 CVE description A Local File Inclusion vulnerability in the Site Editor plugin through 1.1.1...

MyBB Plugin Last Users Threads in Profile Plugin 1.2 - Persistent Cross-Site Scripting

MyBB Plugin Last Users Threads in Profile Plugin 1.2 - Persistent Cross-Site Scripting Exploit Title: MyBB Last User's Threads in Profile Plugin v1.2 - Persistent XSS Date: 3/19/2018 Author: 0xB9 Contact: luxorforums.com/User-0xB9 or 0xB9atprotonmail.com Software Link:...

Dell EMC NetWorker - Denial of Service

Dell EMC NetWorker - Denial of Service ''' Exploit Title: Dell EMC NetWorker DoS PoC Date: 18.03.2018 Exploit Author: Marek Cybul Vendor Homepage: https://www.emc.com/data-protection/networker.htm Versions: Dell EMC NetWorker versions prior to 9.2.1.1 Dell EMC NetWorker versions prior to 9.1.1.6...

Allok Quicktime to AVI MPEG DVD Converter 4.6.1217 - Stack-Based Buffer Overflow

Allok Quicktime to AVI MPEG DVD Converter 4.6.1217 - Stack-Based Buffer Overflow SWAMI KARUPASAMI THUNAI Exploit Title: Allok Video Converter - Buffer Overflow Vulnerability Windows XP SP3 Date: 06-03-2018 Exploit Author: Mohan Ravichandran & Velayutham Selvaraj Organization : TwinTech Solutions...

Easy CD DVD Copy 1.3.24 - Local Buffer Overflow (SEH)

Easy CD DVD Copy 1.3.24 - Local Buffer Overflow SEH !/usr/bin/python Exploit Title : Easy CD DVD Copy v1.3.24 - Local Buffer Overflow SEH Exploit Author : Hashim Jawad Twitter : @ihack4falafel Author Website : ihack4falafel.com Vendor Homepage : http://www.divxtodvd.net/index.htm Vulnerable...

Linux Kernel 4.15.4 - show_floppy KASLR Address Leak

Linux Kernel 4.15.4 - showfloppy KASLR Address Leak include include include include include include include include include include static int driveselectorint head return head 2; void fdrecalibrateint fd struct floppyrawcmd rawcmd; int tmp; rawcmd.flags = FDRAWINTR; rawcmd.cmdcount = 2; // set u...

Cisco node-jos 0.11.0 - Re-sign Tokens

Cisco node-jos 0.11.0 - Re-sign Tokens !/usr/bin/env python3 import base64 from urllib.parse import quoteplus import rsa import sys zi0Black ''' EDB Note: This has been updated https://github.com/offensive-security/exploitdb/pull/139 POC of CVE-2018-0114 Cisco node-jose = 8 return b::-1 def...

Microsoft Windows Kernel - NtQueryInformationThread(ThreadBasicInformation) 64-bit Stack Memory Disclosure

Microsoft Windows Kernel - NtQueryInformationThreadThreadBasicInformation 64-bit Stack Memory Disclosure / We have discovered that the nt!NtQueryInformationThread system call invoked with the 0 information class ThreadBasicInformation discloses portions of uninitialized kernel stack memory to...

Microsoft Windows - Desktop Bridge Virtual Registry Arbitrary File ReadWrite Privilege Escalation

Microsoft Windows - Desktop Bridge Virtual Registry Arbitrary File ReadWrite Privilege Escalation Windows: Windows: Desktop Bridge Virtual Registry Arbitrary File Read/Write EoP Platform: Windows 1709 not tested earlier version Class: Elevation of Privilege Summary: The handling of the virtual...

Microsoft Windows Kernel - NtQueryVirtualMemory(MemoryMappedFilenameInformation) 64-bit Pool Memory Disclosure

Microsoft Windows Kernel - NtQueryVirtualMemoryMemoryMappedFilenameInformation 64-bit Pool Memory Disclosure / We have discovered that the nt!NtQueryVirtualMemory system call invoked with the 2 information class MemoryMappedFilenameInformation discloses portions of uninitialized kernel pool memor...

Intelbras Telefone IP TIP200 LITE - Local File Disclosure

Intelbras Telefone IP TIP200 LITE - Local File Disclosure Exploit Title: INTELBRAS TELEFONE IP TIP200/200 LITE Local File Include Google Dork: Date: 16/03/2018 Exploit Author: Matheus Goncalves - anhax0r Vendor Homepage: https://www.facebook.com/anhaxteam/ Software Link: Version: 60.0.75.29...

Kamailio 5.1.1 5.1.0 5.0.0 - Off-by-One Heap Overflow

Kamailio 5.1.1 5.1.0 5.0.0 - Off-by-One Heap Overflow ''' Off-by-one heap overflow in Kamailio - Authors: - Alfred Farrugia - Sandro Gauci - Fixed versions: Kamailio v5.1.2, v5.0.6 and v4.4.7 - References: no CVE assigned yet - Enable Security Advisory: - Tested vulnerable versions: 5.1.1, 5.1.0,...

Microsoft Windows - Desktop Bridge VFS Privilege Escalation

Microsoft Windows - Desktop Bridge VFS Privilege Escalation Windows: Windows: Desktop Bridge VFS EoP Platform: Windows 1709 not tested earlier version Class: Elevation of Privilege Summary: The handling of the VFS for desktop bridge applications can allow an application to create virtual files in...

Vehicle Sales Management System - Multiple Vulnerabilities

Vehicle Sales Management System - Multiple Vulnerabilities Exploit Title: VSMS Multiple Vulnerabilities Google Dork: N/A Date: 16-3-2018 Exploit Author: Sing Vendor Homepage: https://sourceforge.net/projects/vsms-php/?source=typredirect Software Link:...

Coship RT3052 Wireless Router - Persistent Cross-Site Scripting

Coship RT3052 Wireless Router - Persistent Cross-Site Scripting Exploit Title: Coship RT3052 Wireless Router - Persistent Cross Site Scripting XSS Date: 2018-03-18 Exploit Author: Sayan Chatterjee Vendor Homepage: http://en.coship.com/ Category: Hardware Wifi Router Version: 4.0.0.48 Tested on:...

Microsoft Windows Kernel - nt!NtWaitForDebugEvent 64-bit Stack Memory Disclosure

Microsoft Windows Kernel - nt!NtWaitForDebugEvent 64-bit Stack Memory Disclosure / We have discovered that the nt!NtWaitForDebugEvent system call discloses portions of uninitialized kernel stack memory to user-mode clients, on 64-bit versions of Windows 7 to Windows 10. The output buffer, and the...

Microsoft Windows Kernel - nt!KiDispatchException 64-bit Stack Memory Disclosure

Microsoft Windows Kernel - nt!KiDispatchException 64-bit Stack Memory Disclosure / We have discovered a new Windows kernel memory disclosure vulnerability in the creation and copying of a EXCEPTIONRECORD structure to user-mode memory while passing execution to a user-mode exception handler. The...

Microsoft Windows - Desktop Bridge Virtual Registry NtLoadKey Arbitrary File ReadWrite Privilege Escalation

Microsoft Windows - Desktop Bridge Virtual Registry NtLoadKey Arbitrary File ReadWrite Privilege Escalation Windows: Desktop Bridge Virtual Registry NtLoadKey Arbitrary File Read/Write EoP Platform: Windows 1703 version 1709 seems to have fixed this bug Class: Elevation of Privilege Summary: The...

OpenSSH 6.6 SFTP - Command Execution

OpenSSH 6.6 SFTP - Command Execution OpenSSH 8 else 32 print "+ bit libc mapped @ -, path: ".formatBITS, addr0, addr1, path libcbase = intaddr0, 16 libcpath = path if "stack" in line: addr = addr.split"-" saddrstart = intaddr0, 16 saddrend = intaddr1, 16 print "+ Stack mapped @ -".formataddr0, ad...

Internet Explorer - RegExp.lastMatch Memory Disclosure

Internet Explorer - RegExp.lastMatch Memory Disclosure / There is a vulnerability in Internet Explorer that could potentially be used for memory disclosure. This was tested on IE11 running on Window 7 64-bit with the latest patches applied. PoC: ========================================= / functio...

Google Software Updater macOS - Unsafe use of Distributed Objects Privilege Escalation

Google Software Updater macOS - Unsafe use of Distributed Objects Privilege Escalation / Google software updater ships with Chrome on MacOS and installs a root service com.google.Keystone.Daemon.UpdateEngine which lives here:...

Contec Smart Home 4.15 - Unauthorized Password Reset

Contec Smart Home 4.15 - Unauthorized Password Reset Title : Contec smart home 4.15 Unauthorized Password Reset Shodan Dork : "content/smarthome.php" Vendor Homepage : http://contec.co.il Tested on : Google Chrome Tested version : 4.15 Date : 2018-03-14 Author : Z3ro0ne Contact :...

Linux Kernel 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation

Linux Kernel 4.4.0-116 Ubuntu 16.04.4 - Local Privilege Escalation / Ubuntu 16.04.4 kernel priv esc all credits to @bleidl - vnik / // Tested on: // 4.4.0-116-generic 140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x8664 // if different kernel adjust CRED offset + check kernel stack size include...

Unitrends UEB 10.0 - Root Remote Code Execution

Unitrends UEB 10.0 - Root Remote Code Execution Exploit Title: Unauthenticated root RCE for Unitrends UEB 10.0 Date: 10/17/2017 Exploit Authors: Cale Smith, Benny Husted, Jared Arave Contact: https://twitter.com/iotennui || https://twitter.com/BennyHusted || https://twitter.com/0xC413 Vendor...

Firefox 46.0.1 - ASM.JS JIT-Spray Remote Code Execution

Firefox 46.0.1 - ASM.JS JIT-Spray Remote Code Execution CVE-2016-2819 and ASM.JS JIT-Spray "use strict" var Exploit = function this.asmjs = new Asmjs this.heap = new Heap Exploit.prototype.go = function / target address of fake node object / var nodetargetaddr = 0x5a500000 / target address of...

Firefox 44.0.2 - ASM.JS JIT-Spray Remote Code Execution

Firefox 44.0.2 - ASM.JS JIT-Spray Remote Code Execution 46.0.1 -- CVE-2016-1960 and ASM.JS JIT-Spray "use strict" var Exploit = function this.asmjs = new Asmjs this.heap = new Heap Exploit.prototype.go = function / target address of fake node object / var nodetargetaddr = 0x20200000 / target...

Android DRM Services - Buffer Overflow

Android DRM Services - Buffer Overflow include include include include include include include include include include using namespace android; static sp getCrypto sp sm = defaultServiceManager; sp binder = sm-getServiceString16"media.drm"; sp service = interfacecastbinder; if service == NULL...

WordPress Plugin Duplicator 1.2.32 - Cross-Site Scripting

WordPress Plugin Duplicator 1.2.32 - Cross-Site Scripting Exploit Title : Duplicator Wordpress Migration Plugin Reflected Cross Site Scripting XSS Date: 25-02-2018 Exploit Author : Stefan Broeder Contact : https://twitter.com/stefanbroeder Vendor Homepage: https://snapcreek.com/ Software Link:...

MikroTik RouterOS 6.41.36.42rc27 - SMB Buffer Overflow

MikroTik RouterOS 6.41.36.42rc27 - SMB Buffer Overflow !/usr/bin/env python import socket import struct import sys import telnetlib NETBIOSSESSIONMESSAGE = "\x00" NETBIOSSESSIONREQUEST = "\x81" NETBIOSSESSIONFLAGS = "\x00" trick from http://shell-storm.org/shellcode/files/shellcode-881.php will...

Spring Data REST 2.6.9 (Ingalls SR9) 3.0.1 (Kay SR1) - PATCH Request Remote Code Execution

Spring Data REST 2.6.9 Ingalls SR9 3.0.1 Kay SR1 - PATCH Request Remote Code Execution // Exploit Title: RCE in PATCH requests in Spring Data REST // Date: 2018-03-10 // Exploit Author: Antonio Francesco Sardella // Vendor Homepage: https://pivotal.io/ // Software Link:...

Microsoft Windows Kernel (7 x86) - Local Privilege Escalation (MS17-017)

Microsoft Windows Kernel 7 x86 - Local Privilege Escalation MS17-017...

SAP NetWeaver AS JAVA CRM - Log injection Remote Command Execution

SAP NetWeaver AS JAVA CRM - Log injection Remote Command Execution !/usr/bin/env python import argparse import urllib import requests, random from bs4 import BeautifulSoup from requests.packages.urllib3.exceptions import InsecureRequestWarning...

SecurEnvoy SecurMail 9.1.501 - Multiple Vulnerabilities

SecurEnvoy SecurMail 9.1.501 - Multiple Vulnerabilities SEC Consult Vulnerability Lab Security Advisory ======================================================================= title: Multiple Critical Vulnerabilities product: SecurEnvoy SecurMail vulnerable version: 9.1.501 fixed version: 9.2.501...

Tuleap 9.17.99.189 - Blind SQL Injection

Tuleap 9.17.99.189 - Blind SQL Injection =============================================================================== title: Tuleap SQL Injection case id: CM-2018-01 product: Tuleap version 9.17.99.189 vulnerability type: Blind SQL injection - time based severity: High found: 2018-02-24 by:...

SC 7.16 - Stack-Based Buffer Overflow

SC 7.16 - Stack-Based Buffer Overflow Exploit Author: Juan Sacco - http://www.exploitpack.com Bug found using Exploit Pack - Local fuzzer feature. Tested on: GNU/Linux - Kali Linux Filename: pool/main/s/sc/sc7.16-4+b2i386.deb Description: SC v7.16 is prone to a basic stack-based buffer overflow...

Prisma Industriale Checkweigher PrismaWEB 1.21 - Hard-Coded Credentials

Prisma Industriale Checkweigher PrismaWEB 1.21 - Hard-Coded Credentials Prisma Industriale Checkweigher PrismaWEB 1.21 Authentication Bypass Vendor: Prisma Industriale S.r.l. Product web page: https://www.prismaindustriale.com Affected version: 1.0 Rev 21, EPROM 202FWSAM ?? Summary: Web...

MikroTik RouterOS 6.38.4 (MIPSBE) - Chimay Red Stack Clash Remote Code Execution

MikroTik RouterOS 6.38.4 MIPSBE - Chimay Red Stack Clash Remote Code Execution !/usr/bin/env python3 Mikrotik Chimay Red Stack Clash Exploit by BigNerd95 Tested on RouterOS 6.38.4 mipsbe using a CRS109 Used tools: pwndbg, rasm2, mipsrop for IDA I used ropper only to automatically find gadgets ASL...

ACL Analytics 11.X - 13.0.0.579 - Arbitrary Code Execution

ACL Analytics 11.X - 13.0.0.579 - Arbitrary Code Execution Exploit Title: Arbitrary Code Execution Google Dork: N/A Date: 03-07-2018 Exploit Author: Clutchisback1 Vendor Homepage: https://www.acl.com Software Link: https://www.acl.com/products/acl-analytics/ Version: 11.x - 13.0.0.579 Tested on:...

TextPattern 4.6.2 - qty SQL Injection

TextPattern 4.6.2 - qty SQL Injection ============================================= MGC ALERT 2018-002 - Original release date: February 12, 2018 - Last revised: March 12, 2018 - Discovered by: Manuel García Cárdenas - Severity: 7,1/10 CVSS Base Score - CVE-ID: CVE-2018-7474...

DEWESoft X3 SP1 (64-bit) - Remote Command Execution

DEWESoft X3 SP1 64-bit - Remote Command Execution + Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/DEWESOFT-X3-REMOTE-INTERNAL-COMMAND-ACCESS.txt + ISR: Apparition Security Vendor: ============= www.dewesoft.com Product:...

Allok QuickTime to AVI MPEG DVD Converter 3.6.1217 - Buffer Overflow

Allok QuickTime to AVI MPEG DVD Converter 3.6.1217 - Buffer Overflow Exploit Title: Allok Video Converter - Buffer Overflow Vulnerability Windows XP SP3 Date: 06-03-2018 Exploit Author: Mohan Ravichandran & Velayutham Selvaraj Organization : TwinTech Solutions Vulnerable Software: Allok Video...

ManageEngine Applications Manager 13.5 - Remote Code Execution (Metasploit)

ManageEngine Applications Manager 13.5 - Remote Code Execution Metasploit This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "ManageEngine Applications Manager Remote Code Execution", 'Description' ...

Advantech WebAccess 8.3 - Directory Traversal Remote Code Execution

Advantech WebAccess 8.3 - Directory Traversal Remote Code Execution !/usr/bin/python2.7 Exploit Title: Advantech WebAccess 8.3 webvrpcs Directory Traversal RCE Vulnerability Date: 03-11-2018 Exploit Author: Chris Lyne @lynerc Vendor Homepage: www.advantech.com Software Link:...

MikroTik RouterOS 6.38.4 (x86) - Chimay Red Stack Clash Remote Code Execution

MikroTik RouterOS 6.38.4 x86 - Chimay Red Stack Clash Remote Code Execution !/usr/bin/env python2 Mikrotik Chimay Red Stack Clash Exploit by wsxarcher based on BigNerd95 POC tested on RouterOS 6.38.4 x86 ASLR enabled on libs only DEP enabled import socket, time, sys, struct from pwn import import...

Sony Playstation 4 (PS4) 4.55 5.50 - WebKit Code Execution (PoC)

Sony Playstation 4 PS4 4.55 5.50 - WebKit Code Execution PoC window.didload = 0; window.didpost = 0; window.onload = function window.didload = 1; if window.didpost == 1 window.stage2; window.postExpl = function window.didpost = 1; if window.didload == 1 window.stage2; function makeid var text = "...

Bacula-Web 8.0.0-rc2 - SQL Injection

Bacula-Web 8.0.0-rc2 - SQL Injection Exploit Title: Multiple SQL injection vulnerabilities in Bacula-Web Date: 2018-03-07 Software Link: http://bacula-web.org/ Exploit Author: Gustavo Sorondo Contact: http://twitter.com/iampuky Website: http://cintainfinita.com/ CVE: CVE-2017-15367 Category:...

WebLog Expert Enterprise 9.4 - Authentication Bypass

WebLog Expert Enterprise 9.4 - Authentication Bypass + Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/WEBLOG-EXPERT-WEB-SERVER-ENTERPRISE-v9.4-AUTHENTICATION-BYPASS.txt + ISR: Apparition Security Vendor: ========...