41207 matches found
pfSense 2.1.4 - status_rrd_graph_img.php Command Injection
pfSense 2.1.4 - statusrrdgraphimg.php Command Injection !/usr/bin/env python3 Exploit Title: pfSense = 2.1.3 statusrrdgraphimg.php Command Injection. Date: 2018-01-12 Exploit Author: absolomb Vendor Homepage: https://www.pfsense.org/ Software Link: https://atxfiles.pfsense.org/mirror/downloads/ol...
Flash Operator Panel 2.31.03 - Command Execution
Flash Operator Panel 2.31.03 - Command Execution Document Title: =============== Flash Operator Panel v2.31.03 - Command Execution Vulnerability References Source: ==================== http://www.vulnerability-lab.com/getcontent.php?id=1907 Release Date: ============= 2018-01-08 Vulnerability...
D-Link DNS-343 ShareCenter 1.05 - Command Injection
D-Link DNS-343 ShareCenter 1.05 - Command Injection D-Link DNS-343 ShareCenter Remote Root Vendor: D-Link Product: D-Link DNS-343 ShareCenter Version: = 1.05 Website: http://sharecenter.dlink.com/products/DNS-343 / / / / / / / / / / / / / / / / / / / / / \ / // / // / / / / / / / // / / / /,///...
RISE 1.9 - search SQL Injection
RISE 1.9 - search SQL Injection Exploit Title: RISE Ultimate Project Manager 1.9 - SQL Injection Exploit Author: Ahmad Mahfouz Contact: http://twitter.com/eln1x Date: 30/12/2017 CVE: CVE-2017-17999 Vendor Homepage: http://fairsketch.com/ Version: 1.9 POST...
SysGauge Server 3.6.18 - Remote Buffer Overflow
SysGauge Server 3.6.18 - Remote Buffer Overflow Exploit Title: SysGauge Server 3.6.18 - Buffer Overflow Exploit Author: Ahmad Mahfouz Description: Sysgauge Server Unauthenticated Remote Buffer Overflow SEH Contact: http://twitter.com/eln1x Date: 12/01/2018 CVE: CVE-2018-5359 Version: 3.6.18 Teste...
Domains Hostings Manager PRO 3.0 - Authentication Bypass
Domains Hostings Manager PRO 3.0 - Authentication Bypass Exploit Title: Domains & Hostings Manager PRO v 3.0 - Authentication Bypass Date: 13.01.2018 Vendor Homepage: http://endavi.com/ Software Buy: https://codecanyon.net/item/advanced-domains-and-hostings-pro-v3-multiuser/10368735 Demo:...
PerfexCRM 1.9.7 - Arbitrary File Upload
PerfexCRM 1.9.7 - Arbitrary File Upload Exploit Title: PerfexCRM 1.9.7 – Unrestricted php5 File upload Exploit Author: Ahmad Mahfouz Description: PerfexCRM 1.9.7 prone to unrestricted file upload that lead to system take over by misconfigured elfinder plugin Contact: http://twitter.com/eln1x Date...
D-Link DNS-325 ShareCenter 1.05B03 - Multiple Vulnerabilities
D-Link DNS-325 ShareCenter 1.05B03 - Multiple Vulnerabilities D-Link DNS-325 ShareCenter Multiple Vulnerabilities Vendor: D-Link Product: D-Link DNS-325 ShareCenter Version: = 1.05B03 Website: http://sharecenter.dlink.com/products/DNS-325 / / / / / / / / / / / / / / / / / / / / / \ / // / // / / ...
Adminer 4.3.1 - Server-Side Request Forgery
Adminer 4.3.1 - Server-Side Request Forgery + Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/ADMINER-UNAUTHENTICATED-SERVER-SIDE-REQUEST-FORGERY.txt + ISR: apparition security Vendor: ============== www.adminer.org Product...
ILIAS 5.2.4 - Cross-Site Scripting
ILIAS 5.2.4 - Cross-Site Scripting Exploit Title: Cross Site Scripting in ILIAS CMS 5.2.3 Date: Apr 24, 2017 Software Link: https://www.ilias.de Exploit Author: Florian Kunushevci Contact: https://facebook.com/florianx00 CVE: CVE-2018-5688 Category: webapps 1. Description ILIAS before 5.2.4 has X...
Oracle E-Business Suite 12.1.312.2.x - Open Redirect
Oracle E-Business Suite 12.1.312.2.x - Open Redirect Exploit Title: Oracle E-Business suite Open Redirect Google Dork: inurl:OAHTML/cabo/ Date: April 2017 Exploit Author: author Vendor Homepage: http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html Software Link: download li...
ImgHosting 1.5 - Cross-Site Scripting
ImgHosting 1.5 - Cross-Site Scripting Exploit Title: ImgHosting Image Storage System 1.5 - Cross-Site-Scripting Date: 12-01-2018 Exploit Author: Dennis Veninga Contact Author: d.veninga at networking4all.com Vendor Homepage: foxsash.com Version: 1.5 CVE-ID: CVE-2018-5479 ImgHosting – Image Storag...
PyroBatchFTP 3.19 - Buffer Overflow
PyroBatchFTP 3.19 - Buffer Overflow ============================================= MGC ALERT 2018-001 - Original release date: December 22, 2017 - Last revised: January 12, 2018 - Discovered by: Manuel García Cárdenas - Severity: 7,5/10 CVSS Base Score =============================================...
Taxi Booking Script 1.0 - Cross-site Scripting
Taxi Booking Script 1.0 - Cross-site Scripting Exploit Title: Taxi Booking Script v1.0 - Cross-site Scripting XSS Date: 11.01.2018 Vendor Homepage: https://www.phpjabbers.com/taxi-booking-script/ Software Link: Demo:...
Xnami 1.0 - Cross-Site Scripting
Xnami 1.0 - Cross-Site Scripting Exploit Title: Xnami Image Sharing - Persistent XSS Vulnerability Google Dork: " Copyright 2017 xnami. " & 2018 Date: 11-01-2018 Exploit Author: Dennis Veninga Contact Author: d.veninga at networking4all.com Vendor Homepage: bizlogicdev.com Version: 1.0 CVE-ID:...
Kentico CMS 11.0 - Buffer Overflow
Kentico CMS 11.0 - Buffer Overflow Document Title: =============== Kentico CMS v11.0 - Stack Buffer Overflow Vulnerability References Source: ==================== https://www.vulnerability-lab.com/getcontent.php?id=1943 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5282 CVE-ID: =======...
ALLMediaServer 0.95 - Remote Buffer Overflow
ALLMediaServer 0.95 - Remote Buffer Overflow !/usr/bin/python Exploit Title: Stack Buffer Overflow in ALLMediaServer 0.95 Exploit Author: Mario Kartone Ciccarelli Contact: https://twitter.com/Kartone CVE: CVE-2017-17932 Date: 09-01-2018 Thanks to PoC: https://www.exploit-db.com/exploits/43406/...
Microsoft Windows SMB Server (v1v2) - Mount Point Arbitrary Device Open Privilege Escalation
Microsoft Windows SMB Server v1v2 - Mount Point Arbitrary Device Open Privilege Escalation Windows: SMB Server v1 and v2 Mount Point Arbitrary Device Open EoP Platform: Windows 10 1703 and 1709 seems the same on 7 and 8.1 but not extensively tested Class: Elevation of Privilege Summary: The SMB...
macOS - process_policy Stack Leak Through Uninitialized Field
macOS - processpolicy Stack Leak Through Uninitialized Field / The syscall processpolicyscope=PROCPOLICYSCOPEPROCESS, action=PROCPOLICYACTIONGET, policy=PROCPOLICYRESOURCEUSAGE, policysubtype=PROCPOLICYRUSAGECPU, attrp=, targetpid=0, targetthreadid= causes 4 bytes of uninitialized kernel stack...
Microsoft Windows - NTFS OwnerMandatory Label Privilege Bypass
Microsoft Windows - NTFS OwnerMandatory Label Privilege Bypass / Windows: NTFS Owner/Mandatory Label Privilege Bypass EoP Platform: Windows 10 1709 not tested 8.1 Update 2 or Windows 7 Class: Elevation of Privilege Summary: When creating a new file on an NTFS drive it’s possible to circumvent...
Android - Hardware Service Manager Arbitrary Service Replacement due to getpidcon
Android - Hardware Service Manager Arbitrary Service Replacement due to getpidcon This bug is similar to Jann Horn's issue https://bugs.chromium.org/p/project-zero/issues/detail?id=851 -- credit should go to him. The hardware service manager allows the registration of HAL services. These services...
Seagate Personal Cloud - Multiple Vulnerabilities
Seagate Personal Cloud - Multiple Vulnerabilities SSD Advisory – Seagate Personal Cloud Multiple Vulnerabilities Vulnerabilities summary The following advisory describes two 2 unauthenticated command injection vulnerabilities. Seagate Personal Cloud Home Media Storage is “the easiest way to store...
Microsoft Windows - NtImpersonateAnonymousToken AC to Non-AC Privilege Escalation
Microsoft Windows - NtImpersonateAnonymousToken AC to Non-AC Privilege Escalation Windows: NtImpersonateAnonymousToken AC to Non-AC EoP Platform: Windows 10 1703 and 1709 Class: Elevation of Privilege Summary: The check for an AC token when impersonating the anonymous token doesn’t check...
Microsoft Edge Chakra - AppendLeftOverItemsFromEndSegment Out-of-Bounds Read
Microsoft Edge Chakra - AppendLeftOverItemsFromEndSegment Out-of-Bounds Read / Here's a snippet of AppendLeftOverItemsFromEndSegment in JavascriptArray.inl. growby = endSeg-length; current = current-GrowByMinrecycler, growby; CopyArraycurrent-elements + endIndex + 1, endSeg-length,...
Transmission - RPC DNS Rebinding
Transmission - RPC DNS Rebinding The transmission bittorrent client uses a client/server architecture, the user interface is the client and a daemon runs in the background managing the downloading, seeding, etc. Clients interact with the daemon using JSON RPC requests to a web server listening on...
Microsoft Windows - NtImpersonateAnonymousToken LPAC to Non-LPAC Privilege Escalation
Microsoft Windows - NtImpersonateAnonymousToken LPAC to Non-LPAC Privilege Escalation Windows: NtImpersonateAnonymousToken LPAC to Non-LPAC EoP Platform: Windows 10 1703 and 1709 not tested Windows 8.x Class: Elevation of Privilege Summary: When impersonating the anonymous token in an LPAC the...
Muviko 1.1 - SQL Injection
Muviko 1.1 - SQL Injection Exploit Title: Muviko 1.1 - Multiple SQL Injection Exploit Author: Ahmad Mahfouz Contact: http://twitter.com/eln1x Date: 09/01/2018 CVE: CVE-2017-17970 Vendor Homepage: https://www.muvikoscript.com Version: 1.1 Tested on: Mac OS...
DiskBoss Enterprise 8.8.16 - Remote Buffer Overflow
DiskBoss Enterprise 8.8.16 - Remote Buffer Overflow Exploit Title: DiskBoss = 8.8.16 - Unauthenticated Remote Code Execution Date: 2017-08-27 Exploit Author: Arris Huijgen Vendor Homepage: http://www.diskboss.com/ Software Link: http://www.diskboss.com/setups/diskbossentsetupv8.8.16.exe Version:...
Joomla! Component Easydiscuss 4.0.21 - Cross-Site Scripting
Joomla! Component Easydiscuss 4.0.21 - Cross-Site Scripting Exploit Title: Joomla Plugin Easydiscuss inside the body, everything after the will be executed in the user’s browser. Works with every version up to 4.0.20 2. Proof of Concept Login with permissions to post a message, insert in the body...
Synology Photostation 6.7.2-3429 - Remote Code Execution (Metasploit)
Synology Photostation 6.7.2-3429 - Remote Code Execution Metasploit This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "Synology PhotoStation Multiple Vulnerabilities", 'Description' = %q This modul...
Multiple CPUs - Information Leak Using Speculative Execution
Multiple CPUs - Information Leak Using Speculative Execution == INTRODUCTION == This is a bug report about a CPU security issue that affects processors by Intel, AMD and to some extent ARM. I have written a PoC for this issue that, when executed in userspace on an Intel Xeon CPU E5-1650 v3 machin...
Jungo Windriver 12.5.1 - Local Privilege Escalation
Jungo Windriver 12.5.1 - Local Privilege Escalation // ConsoleApplication1.cpp : Defines the entry point for the console application. // include "stdafx.h" include include define device L"\\.\WINDRVR1251" define SPRAYSIZE 30000 typedef NTSTATUSWINAPI PNtAllocateVirtualMemory HANDLE...
WordPress Plugin Service Finder Booking 3.2 - Local File Disclosure
WordPress Plugin Service Finder Booking 3.2 - Local File Disclosure Exploit Title: Worpress Plugin Service Finder Booking 3.2 - Local File Disclosure Google Dork: N/A Date: 09/01/2018 GMT+7 Exploit Author: telahdihapus Vendor Homepage: https://themeforest.net/user/aonetheme Software Link:...
WordPress Plugin Social Media Widget by Acurax 3.2.5 - Cross-Site Request Forgery
WordPress Plugin Social Media Widget by Acurax 3.2.5 - Cross-Site Request Forgery Exploit Title: Social Media Widget by Acurax CSRF Discovery Date: 2017-12-12 Exploit Author: Panagiotis Vagenas Author Link: https://twitter.com/panVagenas Vendor Homepage: http://www.acurax.com/ Software Link:...
WordPress Plugin WordPress Download Manager 2.9.60 - Cross-Site Request Forgery
WordPress Plugin WordPress Download Manager 2.9.60 - Cross-Site Request Forgery Exploit Title: WordPress Download Manager CSRF Discovery Date: 2017-12-12 Exploit Author: Panagiotis Vagenas Author Link: https://twitter.com/panVagenas Vendor Homepage: https://www.wpdownloadmanager.com/ Software Lin...
WordPress Plugin Events Calendar - event_id SQL Injection
WordPress Plugin Events Calendar - eventid SQL Injection Exploit Title: Wichipi Events Calendar - SQL Injection Date: 09-01-2018 Exploit Author: Dennis Veninga Contact Author: d.veninga at networking4all.com Vendor Homepage: codecanyon.net/user/wachipi Version: 1.0 CVE-ID: CVE-2018-5315 Events...
WordPress Plugin CMS Tree Page View 1.4 - Cross-Site Request Forgery Privilege Escalation
WordPress Plugin CMS Tree Page View 1.4 - Cross-Site Request Forgery Privilege Escalation Exploit Title: CMS Tree Page View CSRF, Privilege Escalation Discovery Date: 2017-12-12 Exploit Author: Panagiotis Vagenas Author Link: https://twitter.com/panVagenas Vendor Homepage: http://eskapism.se/...
Microsoft Edge Chakra JIT - Lowerer::LowerSetConcatStrMultiItem Missing Integer Overflow Check
Microsoft Edge Chakra JIT - Lowerer::LowerSetConcatStrMultiItem Missing Integer Overflow Check / The method "Lowerer::LowerSetConcatStrMultiItem" is used to generate machine code to concatenate strings. Here's a snippet of the method. void Lowerer::LowerSetConcatStrMultiItemIR::Instr instr...
D-Link Routers 110412615815 1.03 - service.cgi Arbitrary Code Execution
D-Link Routers 110412615815 1.03 - service.cgi Arbitrary Code Execution !/usr/bin/python Exploit Title: D-Link WAP 615/645/815 .?.?', 'Product Page : .?' def dlinkdetection: try: r = requests.getURL, timeout=10.00 except requests.exceptions.ConnectionError: print "Error: Failed to connect to " +...
Parity Browser 1.6.10 - Bypass Same Origin Policy
Parity Browser 1.6.10 - Bypass Same Origin Policy VuNote ====== Author: Ref: https://github.com/tintinweb/pub/tree/master/pocs/cve-2017-18016 Version: 0.3 Date: Jun 16th, 2017 Tag: parity same origin policy bypass webproxy token reuse Overview -------- Name: parity Vendor: paritytech References:...
SAP NetWeaver J2EE Engine 7.40 - SQL Injection
SAP NetWeaver J2EE Engine 7.40 - SQL Injection !/usr/bin/env python coding=utf-8 """ Author: Vahagn Vardanyan https://twitter.com/vah13 Bugs: CVE-2016-2386 SQL injection CVE-2016-2388 Information disclosure CVE-2016-1910 Crypto issue Follow HTTP request is a simple PoC for anon time-based SQL...
WordPress Plugin Admin Menu Tree Page View 2.6.9 - Cross-Site Request Forgery Privilege Escalation
WordPress Plugin Admin Menu Tree Page View 2.6.9 - Cross-Site Request Forgery Privilege Escalation Exploit Title: Admin Menu Tree Page View CSRF, Privilege Escalation Discovery Date: 2017-12-12 Exploit Author: Panagiotis Vagenas Author Link: https://twitter.com/panVagenas Vendor Homepage:...
Microsoft Windows - nt!NtQueryInformationProcess (information class 76_ QueryProcessEnergyValues) Kernel Stack Memory Disclosure
Microsoft Windows - nt!NtQueryInformationProcess information class 76 QueryProcessEnergyValues Kernel Stack Memory Disclosure / We have discovered that the nt!NtQueryInformationProcess system call invoked with the 76 information class discloses portions of uninitialized kernel stack memory to...
Microsoft Edge Chakra JIT - Escape Analysis Bug
Microsoft Edge Chakra JIT - Escape Analysis Bug / Escape analysis: https://en.wikipedia.org/wiki/Escapeanalysis Chakra fails to detect if "tmp" escapes the scope, allocates it to the stack. This may lead to dereference uninitialized stack values. PoC: / function opt let tmp = ; tmp0 = tmp; return...
Microsoft Edge Chakra JIT - BackwardPass::RemoveEmptyLoopAfterMemOp Does not Insert Branches
Microsoft Edge Chakra JIT - BackwardPass::RemoveEmptyLoopAfterMemOp Does not Insert Branches / The optimizations for memory operations may leave empty loops as follows: for let i = 0; i arr.length; i++ arri = 0; Becomes: Memsetarr, 0, arr.length; for let i = 0; i arr.length; i++ // empty! These...
Microsoft Edge Chakra - asm.js Out-of-Bounds Read
Microsoft Edge Chakra - asm.js Out-of-Bounds Read / Here's a snippet of AsmJSByteCodeGenerator::EmitAsmJsFunctionBody. AsmJsVar initSource = nullptr; if decl-sxVar.pnodeInit-nop == knopName AsmJsSymbol initSym = mCompiler-LookupIdentifierdecl-sxVar.pnodeInit-name, mFunction; if...
Microsoft Windows - nt!NtQuerySystemInformation (information class 138_ QueryMemoryTopologyInformation) Kernel Pool Memory Disclosure
Microsoft Windows - nt!NtQuerySystemInformation information class 138 QueryMemoryTopologyInformation Kernel Pool Memory Disclosure / We have discovered that the nt!NtQuerySystemInformation system call invoked with the 138 information class discloses portions of uninitialized kernel pool memory to...
Microsoft Edge Chakra JIT - Op_MaxInAnArray and Op_MinInAnArray can Explicitly call User-Defined JavaScript Functions
Microsoft Edge Chakra JIT - OpMaxInAnArray and OpMinInAnArray can Explicitly call User-Defined JavaScript Functions / 1. Call patterns like "Math.max.applyMath, 1, 2, 3, 4, 5" and "Math.max.applyMath, arr" can be optimized to directly call the method "JavascriptMath::MaxInAnArray" in the Inline...
Microsoft Office - Composite Moniker Remote Code Execution
Microsoft Office - Composite Moniker Remote Code Execution What? This repo contains a Proof of Concept exploit for CVE-2017-8570, a.k.a the "Composite Moniker" vulnerability. This demonstrates using the Packager.dll trick to drop an sct file into the %TEMP% directory, and then execute it using th...
FiberHome LM53Q1 - Multiple Vulnerabilities
FiberHome LM53Q1 - Multiple Vulnerabilities !/usr/bin/python /$$$$$$$$ /$$ /$$ /$$ /$$ /$$$$$$$ /$$ /$$$$$$$$ /$$ /$$ /$$ | $$/|/| $$ | $$ | $$ | $$ $$ | $$ | $$/ | $$ |/ | $$ | $$ /$$| $$$$$$$ /$$$$$$ /$$$$$$ | $$ | $$ /$$$$$$ /$$$$$$/$$$$ /$$$$$$ | $$ \ $$ /$$$$$$ /$$$$$$/$$$$ /$$$$$$ /$$$$$$...