QuantaStor Software Defined Storage 4.3.1 - Multiple Vulnerabilities
QuantaStor Software Defined Storage 4.3.1 - Multiple Vulnerabilities 1. --- Advisory details --- Title: QuantaStor Software Defined Storage multiple vulnerabilities Advisory ID: VVVSEC-2017-6943 Advisory URL: http://www.vvvsecurity.com/advisories/vvvsecurity-advisory-2017-6943.txt Date published:...
LiveInvoices 1.0 - SQL Injection
LiveInvoices 1.0 - SQL Injection Exploit Title: LiveInvoices 1.0 - SQL Injection Dork: N/A Date: 18.08.2017 Vendor Homepage : http://livecrm.co/ Software Link: https://codecanyon.net/item/liveinvoices-complete-invoicing-system-crm/20243375 Demo: http://liveinvoices.livecrm.co/livecrm/web/ Version...
Symantec Messaging Gateway 10.6.3-2 - Root Remote Command Execution
Symantec Messaging Gateway 10.6.3-2 - Root Remote Command Execution This is an advisory for CVE-2017-6327 which is an unauthenticated remote code execution flaw in the web interface of Symantec Messaging Gateway prior to and including version 10.6.3-2, which can be used to execute commands as roo...
iTech Business Networking Script 8.26 - SQL Injection
iTech Business Networking Script 8.26 - SQL Injection Exploit Title: iTech Business Networking Script 8.26 - SQL Injection Dork: N/A Date: 18.08.2017 Vendor Homepage: http://itechscripts.com/ Software Link: http://itechscripts.com/business-networking-script/ Demo:...
Food Ordering Script 1.0 - SQL Injection
Food Ordering Script 1.0 - SQL Injection Exploit Title: Food Ordering Script 1.0 - SQL Injection Dork: N/A Date: 17.08.2017 Vendor Homepage : http://www.earthtechnology.co.in/ourproducts.html Software Link: https://www.foodorderingscript.com/ Demo: https://www.foodorderingscript.com/demo-new/...
Microsoft Edge Chakra - Heap Buffer Overflow
Microsoft Edge Chakra - Heap Buffer Overflow IsCoroutine ... else InterpreterStackFrame::Setup setupfunction, args; sizet varAllocCount = setup.GetAllocationVarCount; //printf"varAllocCount: %d%X\r\n", varAllocCount, varAllocCount; sizet varSizeInBytes = varAllocCount sizeofVar; // // Allocate a...
Microsoft Edge 40.15063.0.0 Chakra - Incorrect JIT Optimization with TypedArray Setter #3
Microsoft Edge 40.15063.0.0 Chakra - Incorrect JIT Optimization with TypedArray Setter 3 'use strict'; function funca, b, c a0 = 1.2; b0 = c; a1 = 2.2; a0 = 2.3023e-320; function main let a = 1.1, 2.2; let b = new Uint32Array100; for let i = 0; i a0 = ; return 0; ; a0.toString; main; // Tested on...
Microsoft Edge Chakra - NULL Pointer Dereference
Microsoft Edge Chakra - NULL Pointer Dereference spreadIndices = nullptr // This function emits the arguments for a call. // ArgOut's with uses immediately following defs. EmitArgListStartthisLocation, byteCodeGenerator, funcInfo, callSiteId; Js::RegSlot evalLocation = Js::Constants::NoRegister; ...
Microsoft Edge Chakra - EmitNew Integer Overflow
Microsoft Edge Chakra - EmitNew Integer Overflow sxCall.argCount; argCount++; // include "this" BOOL fSideEffectArgs = FALSE; unsigned int tmpCount = CountArgumentspnode-sxCall.pnodeArgs, &fSideEffectArgs; AssertargCount == tmpCount; if argCount != Js::ArgSlotargCount Js::Throw::OutOfMemory;...
Microsoft Edge Chakra - Uninitialized Arguments (1)
Microsoft Edge Chakra - Uninitialized Arguments 1 ParseNodePtr Parser::ParseVariableDeclaration tokens declarationType, charcountt ichMin, BOOL fAllowIn/ = TRUE/, BOOL pfForInOk/ = nullptr/, BOOL singleDefOnly/ = FALSE/, BOOL allowInit/ = TRUE/, BOOL isTopVarParse/ = TRUE/, BOOL isFor/ = FALSE/,...
Microsoft Edge Chakra - chakra!Js::GlobalObject Integer overflow
Microsoft Edge Chakra - chakra!Js::GlobalObject Integer overflow = 0; AnalysisAssertscriptContext; if scriptContext-GetThreadContext-EvalDisabled throw Js::EvalDisabledException; ifdef PROFILEEXEC scriptContext-ProfileBeginJs::EvalCompilePhase; endif void frameAddr = nullptr;...
Adobe Flash - Invoke Accesses Trait Out-of-Bounds
Adobe Flash - Invoke Accesses Trait Out-of-Bounds Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1320 The attached fuzzed swf file causes the traits of an ActionScript object to be accessed out of bounds. This can probably lead to exploitable type confusion. Proof of Concept:...
Microsoft Edge Chakra - JavascriptFunction::EntryCall Fails to Handle CallInfo Properly
Microsoft Edge Chakra - JavascriptFunction::EntryCall Fails to Handle CallInfo Properly GetScriptContext, Js::Constants::MinStackDefault; RUNTIMEARGUMENTSargs, callInfo; ScriptContext scriptContext = function-GetScriptContext; Assert!callInfo.Flags & CallFlagsNew; /// /// Check Argument0 has...
Microsoft Edge Chakra - EmitAssignment uses the this Register Without Initializing
Microsoft Edge Chakra - EmitAssignment uses the this Register Without Initializing 000c ProfiledLdEnvSlot R4 = 13 Line 28: super.a = 1; Col 13: ^ 0018 LdHomeObjProto R8 R4 001d ProfiledStSuperFld R8.this=R5 = R3 0 0025 LdUndef R0 Line 29: Col 9: ^ 0027 Ret PoC: -- class Parent ; class Child exten...
Photogallery Project 1.0 - SQL Injection
Photogallery Project 1.0 - SQL Injection Exploit Title: Photogallery Project 1.0 - Multiple Vulnerabilities Dork: N/A Date: 17.08.2017 Vendor Homepage : http://surajkumar.in/ Software Link: http://surajkumar.in/product/photogallery-project-in-php/ Demo: http://surajkumar.in/ Version: 1.0 Category...
Microsoft Edge - Out-of-Bounds Access when Fetching Source
Microsoft Edge - Out-of-Bounds Access when Fetching Source // The attached JavaScript file causes an out-of-bounds access of the source buffer when fetching the source for one of the functions during delayed compilation. The out-of-bounds value is then treated as the pointer to the source. This i...
MyDoomScanner 1.00 - Local Buffer Overflow (PoC)
MyDoomScanner 1.00 - Local Buffer Overflow PoC !/usr/bin/python Exploit Title : MyDoomScanner1.00 Hostname/IP Field SEH Overwrite POC Discovery by : Anurag Srivastava Email : [email protected] Discovery Date : 17/08/2017 Software Link :...
Microsoft Edge Chakra - TryUndeleteProperty Incorrect Usage (Denial of Service)
Microsoft Edge Chakra - TryUndeleteProperty Incorrect Usage Denial of Service ::NoSlots return false; propertyIndex = deletedPropertyIndex; deletedPropertyIndex = staticcastTaggedInt::ToInt32object-GetSlotdeletedPropertyIndex; return true; bool...
Microsoft Edge Chakra - PreVisitCatch Missing Call
Microsoft Edge Chakra - PreVisitCatch Missing Call root-sxFnc.pnodeVars; pnode; pnode = pnode-sxVar.pnodeNext Symbol sym = pnode-sxVar.sym; if sym != nullptr && !pnode-sxVar.isBlockScopeFncDeclVar && sym-GetIsBlockVar if sym-GetIsCatch || pnode-nop == knopVarDecl && sym-GetIsBlockVar ... sym =...
Microsoft Edge Chakra - InterpreterStackFrame::ProcessLinkFailedAsmJsModule Incorrect Usage of PushPopFrameHelper (Denial of Service)
Microsoft Edge Chakra - InterpreterStackFrame::ProcessLinkFailedAsmJsModule Incorrect Usage of PushPopFrameHelper Denial of Service GetScriptContext-GetThreadContext-GetLeafInterpreterFrame; GetLoopHeaderinterpreterFrame-GetCurrentLoopNum; GetCurrentLoopNum == -1 ... PoC: -- function asmModule 'u...
Online Quiz Project 1.0 - SQL Injection
Online Quiz Project 1.0 - SQL Injection Exploit Title: Online Quiz Project 1.0 - Multiple Vulnerabilities Dork: N/A Date: 17.08.2017 Vendor Homepage : http://surajkumar.in/ Software Link: http://surajkumar.in/product/online-quiz-project-php/ Demo: http://surajkumar.in/ Version: 1.0 Category:...
Doctor Patient Project 1.0 - SQL Injection
Doctor Patient Project 1.0 - SQL Injection Exploit Title: Doctor Patient Project 1.0 - Multiple Vulnerabilities Dork: N/A Date: 17.08.2017 Vendor Homepage : http://surajkumar.in/ Software Link: http://surajkumar.in/product/doctor-patient-project-php/ Demo: http://surajkumar.in/ Version: 1.0...
Microsoft Edge Chakra - Incorrect JIT Optimization with TypedArray Setter #2
Microsoft Edge Chakra - Incorrect JIT Optimization with TypedArray Setter 2 a0 = ; return 0; ; a0.toString; main; I just changed "var b = new Uint32Array100;" to "var b = new Uint32Array0;", and it worked well. PoC: -- 'use strict'; function funca, b, c a0 = 1.2; b0 = c; a1 = 2.2; a0 = 2.3023e-32...
Microsoft Edge Chakra - Buffer Overflow
Microsoft Edge Chakra - Buffer Overflow sxCall.argCount; //pnode-sxCall.argCount=0xFFFF argCount++; // include "this" //overflow!!!! argCount==0 BOOL fSideEffectArgs = FALSE; unsigned int tmpCount = CountArgumentspnode-sxCall.pnodeArgs, &fSideEffectArgs; AssertargCount == tmpCount; if argCount !=...
Microsoft Edge Chakra - InterpreterStackFrame::ProcessLinkFailedAsmJsModule Incorrectly Re-parses
Microsoft Edge Chakra - InterpreterStackFrame::ProcessLinkFailedAsmJsModule Incorrectly Re-parses GetOriginalEntryPoint : nullptr; if this-pCurrentFunction && this-pCurrentFunction-IsFunctionParsed Assertthis-pCurrentFunction-StartInDocument == pnode-ichMin; pCurrentFunction" is the constructor,...
Microsoft Edge Chakra - JavascriptArray::ConcatArgs Type Confusion
Microsoft Edge Chakra - JavascriptArray::ConcatArgs Type Confusion void JavascriptArray::ConcatArgsRecyclableObject pDestObj, TypeId remoteTypeIds, Js::Arguments& args, ScriptContext scriptContext, uint start, uint startIdxDest, BOOL firstPromotedItemIsSpreadable, BigIndex firstPromotedItemLength...
Microsoft Edge Chakra - Uninitialized Arguments (2)
Microsoft Edge Chakra - Uninitialized Arguments 2 void Parser::ParseFncFormalsParseNodePtr pnodeFnc, ParseNodePtr pnodeParentFnc, ushort flags ... if IsES6DestructuringEnabled && IsPossiblePatternStart ... // Instead of passing the STFormal all the way on many methods, it seems it is better to...
RPi Cam Control 6.3.14 - Multiple Vulnerabilities
RPi Cam Control 6.3.14 - Multiple Vulnerabilities Exploit Title: RPi Cam Control = v6.3.14 RCE Multiple Vulnerabilities - preview.php Date: 16/08/2017 Exploit Author: Alexander Korznikov Vendor Homepage: https://github.com/silvanmelchior/RPiCamWebInterface Software Link:...
Apple macOS Sierra 10.12.3 - IOFireWireFamily-null-deref FireWire Port Denial of Service
Apple macOS Sierra 10.12.3 - IOFireWireFamily-null-deref FireWire Port Denial of Service / IOFireWireFamily-null-deref.c Brandon Azad NULL pointer dereference in IOFireWireUserClient::setAsyncRefIsochChannelForceStop. Download:...
Microsoft Edge 38.14393.1066.0 - CInputDateTimeScrollerElement::_SelectValueInternal Out-of-Bounds Read
Microsoft Edge 38.14393.1066.0 - CInputDateTimeScrollerElement::SelectValueInternal Out-of-Bounds Read input:focus transform: scale10; UpdateSelectedthis-arrayatoffset0xB8this-indexatoffset0xD4.ptratindex0, ...; ... The problem is that the index in the PoC has unsigned 32-bit value of 0xffffffff,...
ALLPlayer 7.4 - Local Buffer Overflow (SEH Unicode)
ALLPlayer 7.4 - Local Buffer Overflow SEH Unicode !/usr/bin/python Exploit Title: ALL Player v7.4 SEH Buffer Overflow Unicode Version: 7.4 Date: 15-08-2017 Exploit Author: f3ci Tested on: Windows 7 SP1 x86 head = "http://" seh = "\x0f\x47" 0x0047000f nseh = "\x61\x41" popad align junk = "\x41" 30...
Internet Download Manager 6.28 Build 17 - Local Buffer Overflow (SEH Unicode)
Internet Download Manager 6.28 Build 17 - Local Buffer Overflow SEH Unicode !/usr/bin/python Exploit Title: Internet Download Manager 6.28 Build 17 - 'Find file' SEH Buffer Overflow Unicode Date: 14-06-2017 Exploit Author: f3ci Tested on: Windows 7 SP1 x86 How to exploit: Open IDM - Downloads -...
AdvanDate iCupid Dating Software 12.2 - SQL Injection
AdvanDate iCupid Dating Software 12.2 - SQL Injection Exploit Title: iCupid Dating Software 12.2 - SQL Injection Dork: N/A Date: 15.08.2017 Vendor Homepage : https://www.advandate.com/ Software Link: https://www.advandate.com/dating-software-features/ Demo: https://demo.advandate.com/ Version: 12...
ClipBucket 2.8.3 - Multiple Vulnerabilities
ClipBucket 2.8.3 - Multiple Vulnerabilities @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ .:. Exploit Title ClipBucket 2.8.3 - Multiple Vulnerabilities .:. Google Dorks .:. "Forged by ClipBucket" inurl:viewcollection.php?cid= .:. Date: August 15, 2017 .:...
Quali CloudShell 7.1.0.6508 (Patch 6) - Persistent Cross-Site Scripting
Quali CloudShell 7.1.0.6508 Patch 6 - Persistent Cross-Site Scripting Vulnerability type: Multiple Stored Cross Site Scripting Vendor: Quali Product: CloudShell Affected version: v7.1.0.6508 Patch 6 Patched version: v8 and up Credit: Benjamin Lee CVE ID: CVE-2017-9767...
RPi Cam Control 6.3.14 - Remote Command Execution
RPi Cam Control 6.3.14 - Remote Command Execution RPi Cam Control = v6.3.14 RCE preview.php Multiple Vulnerabilities A web interface for the RPi Cam Vendor github: https://github.com/silvanmelchior/RPiCamWebInterface Date 16/08/2017 Discovered by @nopernik https://www.linkedin.com/in/nopernik...
Xamarin Studio for Mac 6.2.1 (build 3) 6.3 (build 863) - Local Privilege Escalation
Xamarin Studio for Mac 6.2.1 build 3 6.3 build 863 - Local Privilege Escalation Source: https://www.securify.nl/advisory/SFY20170403/xamarin-studio-for-mac-api-documentation-update-affected-by-local-privilege-escalation.html Abstract Xamarin Studio is an Integrated Development Environment IDE use...
Tomabo MP4 Converter 3.19.15 - Denial of Service
Tomabo MP4 Converter 3.19.15 - Denial of Service !/usr/bin/python Exploit Title: Tomabo MP4 Converter DOS Date: 13/08/17 Exploit Author: Andy Bowden Vendor Homepage: http://www.tomabo.com/ Software Link: http://www.tomabo.com/mp4-converter/index.html Version: 3.19.15 Tested on: Windows 7 x86 CVE ...
Linux Kernel 4.4.0-83 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR SMEP)
Linux Kernel 4.4.0-83 4.8.0-58 Ubuntu 14.04/16.04 - Local Privilege Escalation KASLR SMEP // A proof-of-concept local root exploit for CVE-2017-1000112. // Includes KASLR and SMEP bypasses. No SMAP bypass. // Tested on Ubuntu trusty 4.4.0- and Ubuntu xenial 4-8-0- kernels. // // EDB Note: Also...
AirMaster 3000M - Multiple Vulnerabilities
AirMaster 3000M - Multiple Vulnerabilities ?php Exploit Title: AirMaster 3000M multiple Vulnerabilities Date: 2017/08/12 Exploit Author: Koorosh Ghorbani Author Homepage: http://8thbit.net/ Vendor Homepage: http://mobinnet.ir/ Software Version: V2.0.1B1044 Web Server: GoAhead-Webs/2.5.0...
RealTime RWR-3G-100 Router - Cross-Site Request Forgery (Change Admin Password)
RealTime RWR-3G-100 Router - Cross-Site Request Forgery Change Admin Password !-- CHANGE...
DeWorkshop 1.0 - SQL Injection
DeWorkshop 1.0 - SQL Injection Exploit Title: De-Workshop - Auto Workshop Portal 1.0 - SQL Injection Dork: N/A Date: 11.08.2017 Vendor Homepage : https://sarutech.com/ Software Link: https://codecanyon.net/item/deworkshop-auto-workshop-portal/20336737 Demo: https://demo.sarutech.com/deworkshop/...
De-Tutor 1.0 - SQL Injection
De-Tutor 1.0 - SQL Injection Exploit Title: De-Tutor - Private Tutoring and Admission Processing 1.0 - SQL Injection Dork: N/A Date: 11.08.2017 Vendor Homepage : https://sarutech.com/ Software Link: https://codecanyon.net/item/detutor-private-tutoring-and-admission-processing/19053430 Demo:...
De-Journal 1.0 - SQL Injection
De-Journal 1.0 - SQL Injection Exploit Title: De-Journal - Academic Journal and Peer Review System 1.0 - SQL Injection Dork: N/A Date: 11.08.2017 Vendor Homepage : https://sarutech.com/ Software Link: https://codecanyon.net/item/dejournal-academic-journal-and-peer-review-system/19533981 Demo:...
GIF Collection 2.0 - SQL Injection
GIF Collection 2.0 - SQL Injection Exploit Title: GIF Collection 2.0 - SQL Injection Dork: N/A Date: 10.08.2017 Vendor Homepage : http://www.scriptfolder.com/ Software Link: http://www.scriptfolder.com/scriptfolder-gif-collection-2-0/ Demo: http://gif2.scriptfolder.com/ Version: 2.0 Category:...
Red-Gate SQL Monitor 3.10 4.2 - Authentication Bypass
Red-Gate SQL Monitor 3.10 4.2 - Authentication Bypass Exploit Title: Red-Gate SQL Monitor authentication bypass Version: Redgate SQL Monitor before 3.10 and 4.x before 4.2 Date: 2017-08-10 Red-Gate made a security announcement and publicly released the fixed version more than two years before thi...
Piwigo Plugin User Tag 0.9.0 - Cross-Site Scripting
Piwigo Plugin User Tag 0.9.0 - Cross-Site Scripting Exploit Title: Piwigo plugin User Tag , Persistent XSS Date: 10 Aug, 2017 Extension Version: 0.9.0 Software Link: http://piwigo.org/basics/downloads Extension link : http://piwigo.org/ext/extensionview.php?eid=441 Exploit Author: Touhid M.Shaikh...
Microsoft Edge 38.14393.1066.0 - textarea.defaultValue Memory Disclosure
Microsoft Edge 38.14393.1066.0 - textarea.defaultValue Memory Disclosure var n = 0; function go document.addEventListener"DOMNodeRemoved", eventhandler; eventhandler; function eventhandler n++; ifn==5 return; //prevent going into an infinite recursion t.defaultValue = "aaaaaaaaaaaaaaaaaaaa";...
ImageBay 1.0 - SQL Injection
ImageBay 1.0 - SQL Injection Exploit Title: ImageBay 1.0 - SQL Injection Dork: N/A Date: 10.08.2017 Vendor Homepage : http://www.scriptfolder.com/ Software Link: http://www.scriptfolder.com/imagebay-publish-or-share-photography-and-pictures/ Demo: http://imagebay.scriptfolder.com/ Version: 1.0...
NoMachine 5.3.9 - Local Privilege Escalation
NoMachine 5.3.9 - Local Privilege Escalation """ Exploit Title: NoMachine LPE - Local Privilege Escalation Date: 09/08/2017 Exploit Author: Daniele Linguaglossa Vendor Homepage: https://www.nomachine.com Software Link: https://www.nomachine.com Version: 5.3.9 Tested on: OSX CVE : CVE-2017-12763...