41207 matches found
libjpeg-turbo 1.5.1 - Denial of Service
libjpeg-turbo 1.5.1 - Denial of Service libjpeg-turbo denial of service vulnerability ====================== Author : qflb.wu CVE : CVE-2017-9614 ====================== Introduction: ============= libjpeg-turbo is a JPEG image codec that uses SIMD instructions MMX, SSE2, AVX2, NEON, AltiVec to...
LAME 3.99.5 - Multiple Vulnerabilities
LAME 3.99.5 - Multiple Vulnerabilities LAME multiple vulnerabilities ================ Author : qflb.wu =============== Introduction: ============= Following the great history of GNU naming, LAME originally stood for LAME Ain't an Mp3 Encoder. LAME is an educational tool to be used for learning...
VehicleWorkshop - SQL Injection
VehicleWorkshop - SQL Injection Exploit Title: VehicleWorkshop SQL Injection Date: 07.28.2017 Exploit Author: Shahab Shamsi Vendor Homepage: https://github.com/spiritson/VehicleWorkshop Tested on: Windows Google Dork: N/A ========= Vulnerable Page: ========= /viewvehiclestoremore.php ==========...
FortiOS 5.6.0 - Cross-Site Scripting
FortiOS 5.6.0 - Cross-Site Scripting Title: FortiOS <= 5.6.0 Multiple XSS Vulnerabilities Vendor: Fortinet www.fortinet.com CVE: CVE-2017-3131, CVE-2017-3132, CVE-2017-3133 Date: 28.07.2016 Author: Patryk Bogdan @patrykbogdan Affected FortiNet products: CVE-2017-3131 : FortiOS versions 5.4.0 to...
SoundTouch 1.9.2 - Multiple Vulnerabilities
SoundTouch 1.9.2 - Multiple Vulnerabilities SoundTouch multiple vulnerabilities ================ Author : qflb.wu =============== Introduction: ============= SoundTouch is an open-source audio processing library for changing the Tempo, Pitch and Playback Rates of audio streams or audio files. The...
Joomla! Component CCNewsLetter 2.1.9 - sbid SQL Injection
Joomla! Component CCNewsLetter 2.1.9 - sbid SQL Injection "Joomla Component ccnewsletter 2.1.9 - 'sbid' Parameter SQL Injection" Exploit Title: Joomla Component ccnewsletter 2.1.9 - SQL Injection Date: 07-26-2017 Exploit Author: Shahab Shamsi Vendor Homepage:...
GNU libiberty - Buffer Overflow
GNU libiberty - Buffer Overflow Source: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687 The attached program binary causes a buffer overflow in cplus-dem.c when it tries to demangle specially crafted function arguments in the binary. Both the buffer size as well as the buffer content are...
AudioCoder 0.8.46 - Local Buffer Overflow (SEH)
AudioCoder 0.8.46 - Local Buffer Overflow SEH #!/usr/bin/python Exploit Title : AudioCoder 0.8.46 Local Buffer Overflow SEH CVE : CVE-2017-8870 Exploit Author : Muhann4d @0xSecured Vendor Homepage : http://www.mediacoderhq.com Vulnerable Software:...
Friends in War Make or Break 1.7 - SQL Injection
Friends in War Make or Break 1.7 - SQL Injection Exploit Title: Friends in War Make or Break 1.7 SQL Injection Dork: N/A Date: 26.07.2017 Vendor : http://software.friendsinwar.com/ Software: http://software.friendsinwar.com/downloads.php?catid=2&fileid=9 Demo: http://localhost/PATH/ Version: 1.7...
Friends in War Make or Break 1.7 - Cross-Site Request Forgery (Change Admin Password)
Friends in War Make or Break 1.7 - Cross-Site Request Forgery Change Admin Password Friends in War Make or Break 1.7 - Unauthenticated admin password change Url: http://software.friendsinwar.com/ http://software.friendsinwar.com/downloads.php?catid=2&fileid=9 Author: shinnai mail:...
Microsoft Windows - .LNK Shortcut File Code Execution (Metasploit)
Microsoft Windows - .LNK Shortcut File Code Execution Metasploit This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'LNK Remote Code Execution Vulnerability', 'Description' = %q This module exploits...
WordPress Plugin Ads Pro 3.4 - Cross-Site Scripting SQL Injection
WordPress Plugin Ads Pro 3.4 - Cross-Site Scripting SQL Injection Exploit Title: Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager = 5.0.12 AND time-based blind Payload: bsaprostats=1&[email protected]&bsaproid=xx AND S...
WebKit JSC - arrayProtoFuncSplice Uninitialized Memory Reference
WebKit JSC - arrayProtoFuncSplice Uninitialized Memory Reference lexicalGlobalObject-arrayStructureForIndexingTypeDuringAllocationArrayWithUndecided, actualDeleteCount; if UNLIKELY!result throwOutOfMemoryErrorexec, scope; return encodedJSValue; // The result can have an ArrayStorage indexing type...
WebKit JSC - JSObject::putInlineSlow JSValue::putToPrimitive Universal Cross-Site Scripting
WebKit JSC - JSObject::putInlineSlow JSValue::putToPrimitive Universal Cross-Site Scripting let f = document.body.appendChild(document.createElement('iframe')); let loc = f.contentWindow.location; f.onload = () => { let a = 1.2; a.__proto__.__proto__ = f.contentWindow; a['test'] = {toString: function...
WebKit JSC - ObjectPatternNode::appendEntry Stack Use-After-Free
WebKit JSC - ObjectPatternNode::appendEntry Stack Use-After-Free Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1256 Here's a snippet of ObjectPatternNode::appendEntry. void appendEntryconst JSTokenLocation&, ExpressionNode propertyExpression, DestructuringPatternNode pattern,...
WebKit JSC - DFG::ByteCodeParser::flush(InlineStackEntry* inlineStackEntry) Incorrect Scope Register Handling
WebKit JSC - DFG::ByteCodeParser::flush(InlineStackEntry* inlineStackEntry) Incorrect Scope Register Handling scopeRegister; m_codeBlock| instead of |m_codeBlock|. But it doesn't. As a result, the scope register of |inlineStackEntry->m_codeBlock| may have an incorrect offset in the stack layout phase...
WebKit JSC - ArgumentsEliminationPhase::transform Incorrect LoadVarargs Handling
WebKit JSC - ArgumentsEliminationPhase::transform Incorrect LoadVarargs Handling op == PhantomNewArrayWithSpread || candidate->op() == PhantomSpread ... if argumentCountIncludingThis limit storeArgumentCountIncludingThis(argumentCountIncludingThis); // store arguments ... node->remove(); node->origin.exit...
WebKit JSC - JSArray::appendMemcpy Uninitialized Memory Copy
WebKit JSC - JSArray::appendMemcpy Uninitialized Memory Copy indexingType(); if (type == ArrayWithUndecided && copyType != NonArray) { if (copyType == ArrayWithInt32) convertUndecidedToInt32(vm); else if (copyType == ArrayWithDouble) convertUndecidedToDouble(vm); else if (copyType == ArrayWithContiguous...
Friends in War Make or Break 1.7 - Authentication Bypass
Friends in War Make or Break 1.7 - Authentication Bypass x Type: Admin login bypass via SQLi x Vendor: http://software.friendsinwar.com/ x Script Name: Make or Break x Script Version: 1.7 x Script DL: http://software.friendsinwar.com/downloads.php?catid=2&fileid=9 x Author: Anarchy Angel x Mail:...
WebKit - WebCore::Node::nextSibling Use-After-Free
WebKit - WebCore::Node::nextSibling Use-After-Free function freememory var a; forvar i=0;i !-- ================================================================= ASan log: ================================================================= ==29516==ERROR: AddressSanitizer: heap-use-after-free on...
Nitro Pro PDF - Multiple Vulnerabilities
Nitro Pro PDF - Multiple Vulnerabilities Vulnerabilities Summary The following advisory describes three vulnerabilities found in Nitro / Nitro Pro PDF. Nitro Pro is the PDF reader and editor that does everything you will ever need to do with PDF files. The powerful but snappy editor lets you chan...
WebKit - WebCore::AccessibilityNodeObject::textUnderElement Use-After-Free
WebKit - WebCore::AccessibilityNodeObject::textUnderElement Use-After-Free function go li.hidden = true; dir.setAttribute"aria-labeledby", "map"; !-- ================================================================= ASan log: =================================================================...
WebKit - WebCore::RenderSearchField::addSearchResult Heap Buffer Overflow
WebKit - WebCore::RenderSearchField::addSearchResult Heap Buffer Overflow function go() { i.value = "1"; i.type = "search"; f.submit(); ::buffer /Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2694d46 1 0x116496bed in WTF::Vector::end...
WebKit - WebCore::RenderObject with Accessibility Enabled Use-After-Free
WebKit - WebCore::RenderObject with Accessibility Enabled Use-After-Free link text-transform: lowercase; link::first-letter border-spacing: 1em; function go dt.appendChildlink; var s = link.style; s.setProperty"display", "table-column-group"; s.setProperty"-webkit-appearance", "menulist-button";...
WebKit - WebCore::InputType::element Use-After-Free (1)
WebKit - WebCore::InputType::element Use-After-Free 1 var runcount = 0; function go runcount++; ifruncount 2 return; i.type = "foo"; i.select; i.type = "search"; document.onsearch = document.body.onload; document.execCommand"insertHTML", false, ""; !--...
CenturyLink ZyXEL PK5001Z Router - Root Remote Code Execution
CenturyLink ZyXEL PK5001Z Router - Root Remote Code Execution / PK5001Z CenturyLink Router/Modem remote root exploit / / oxagast / Marshall Whittaker / / marshall@likon:/Code/pk5001zpwn: gcc pk5001z00pin.c -o pk5001z00pin / / marshall@likon:/Code/pk5001zpwn: ./pk5001z00pin / / PK5001Z CenturyLink...
REDDOXX Appliance Build 2032 2.0.625 - Arbitrary File Disclosure
REDDOXX Appliance Build 2032 2.0.625 - Arbitrary File Disclosure Advisory: Arbitrary File Disclosure with root Privileges via RdxEngine-API in REDDOXX Appliance RedTeam Pentesting discovered an arbitrary file disclosure vulnerability in the REDDOXX appliance software, which allows unauthenticated...
MAWK 1.3.3-17 - Local Buffer Overflow
MAWK 1.3.3-17 - Local Buffer Overflow #!/usr/bin/python Developed using Exploit Pack - http://exploitpack.com - Exploit Author: Juan Sacco at KPN Red Team - http://www.kpn.com Tested on: GNU/Linux - Kali 2017.1 Release Description: MAWK AWK Interpreter 1.3.3-17 and prior is prone to a stack-based...
ManageEngine Desktop Central 10 Build 100087 - Remote Code Execution (Metasploit)
ManageEngine Desktop Central 10 Build 100087 - Remote Code Execution Metasploit Exploit Title: ManageEngine Desktop Central 10 Build 100087 RCE Date: 24-07-2017 Software Link: https://www.manageengine.com/products/desktop-central/ Exploit Author: Kacper Szurek Contact:...
WebKit - WebCore::getCachedWrapper Use-After-Free
WebKit - WebCore::getCachedWrapper Use-After-Free function freememory var a; forvar i=0;i ::get const /Users/projectzero/webki...
PaulShop - SQL Injection Cross-Site Scripting
PaulShop - SQL Injection Cross-Site Scripting Exploit Title: PaulShop CMS - Sql Injection and stored XSS Date: 07/23/2017 Exploit Author: BTIS Team http://www.btis.vn Vendor Homepage: https://codecanyon.net/item/paulshop-cms-with-shopping-cart-system/18070714 Version: 03/27/2017 Tested on:...
WebKit - WebCore::Node::getFlag Use-After-Free
WebKit - WebCore::Node::getFlag Use-After-Free -webkit-flow-into: textarea; function freememory var a; forvar i=0;i foo !-- ================================================================= ASan log: ================================================================= ==29717==ERROR: AddressSanitize...
Linux Kernel - BadIRET Local Privilege Escalation
Linux Kernel - BadIRET Local Privilege Escalation CVE-2014-9322 PoC for Linux kernel CVE-2014-9322 a.k.a BadIRET proof of concept for Linux kernel. This PoC uses only syscalls not any libraries, like pthread. Threads are implemented using raw Linux syscalls. Raw Linux Threads via System Calls Usa...
REDDOXX Appliance Build 2032 2.0.625 - Remote Command Execution
REDDOXX Appliance Build 2032 2.0.625 - Remote Command Execution Advisory: Remote Command Execution as root in REDDOXX Appliance RedTeam Pentesting discovered a remote command execution vulnerability in the REDDOXX appliance software, which allows attackers to execute arbitrary command with root...
Microsoft Internet Explorer - mshtml.dll Remote Code Execution (MS17-007)
Microsoft Internet Explorer - mshtml.dll Remote Code Execution MS17-007 .class1 float: left; column-count: 5; .class2 column-span: all; columns: 1px; table border-spacing: 0px; var baseleakedaddr = ""; function infoleak var textarea = document.getElementById"textarea"; var frame =...
WebKit - WebCore::AccessibilityRenderObject::handleAriaExpandedChanged Use-After-Free
WebKit - WebCore::AccessibilityRenderObject::handleAriaExpandedChanged Use-After-Free div visibility: collapse function eventhandler document.execCommand"bold", false; img.style.removeProperty"-webkit-appearance"; img.setAttribute"aria-expanded", "false"; aaa !--...
NEC UNIVERGE UM4730 11.8 - SQL Injection
NEC UNIVERGE UM4730 11.8 - SQL Injection Exploit Title: NEC UNIVERGE UM4730 11.8 SQL injection Vulnerability: SQL injection login bypass Date: 15-12-2016 Exploit Author: b0x41s Author web: https://www.xrayit.nl Vendor Homepage: https://www.nec-enterprise.com Category: webapps Version: 11.6.0.31...
Virtual Postage (VPA) - Man In The Middle Remote Code Execution
Virtual Postage VPA - Man In The Middle Remote Code Execution Exploit Title: Virtual Postage VPA - Remote Code Execution via MITM Date: 20/Jul/17 Exploit Author: MaXe Vendor Homepage: https://play.google.com/store/apps/details?id=a2.virtualpostage.com http://archive.is/EdtJT Software Link: N/A...
Docker Daemon - Unprotected TCP Socket
Docker Daemon - Unprotected TCP Socket Exploit Title: Docker Daemon - Unprotected TCP Socket Date: 20-07-2017 Exploit Author: Martin Pizala Vendor Homepage: https://www.docker.com Software Link: https://www.docker.com/get-docker Version: Since 0.4.7 2013-06-28 feature: mount host directories Test...
VACRON VIG-US731VE 1.0.18-09-B727 IP Camera - Authentication Bypass
VACRON VIG-US731VE 1.0.18-09-B727 IP Camera - Authentication Bypass Exploit Title: IP Camera VACRON VIG-US731VE Date: 2017-07-18 Exploit Author: anonymous Vendor Homepage: www.vacron.com Version: V1.0.18-09-B727 1. doesn't require credentials to fetch snapshot like this:...
Joomla! Component JoomRecipe 1.0.4 - search_author SQL Injection
Joomla! Component JoomRecipe 1.0.4 - search_author SQL Injection Exploit Title: Joomla JoomRecipe 1.0.4 Component - Blind SQL Injection Vulnerability Date: 20.07.2017 Exploit Author: Teng Vendor Homepage: http://joomboost.com/ Software Link:...
SKILLS.com.au Industry App - Man In The Middle Remote Code Execution
SKILLS.com.au Industry App - Man In The Middle Remote Code Execution Exploit Title: SKILLS.com.au Industry App - Remote Code Execution via MITM Date: 20/Jul/17 Exploit Author: MaXe Vendor Homepage: https://play.google.com/store/apps/details?id=a3.skills.com http://archive.is/NRlNP Software Link:...
WordPress Plugin IBPS Online Exam 1.0 - SQL Injection Cross-Site Scripting
WordPress Plugin IBPS Online Exam 1.0 - SQL Injection Cross-Site Scripting Exploit Title: IBPS Online Exam Plugin for WordPress v1.0 - XSS SQLi Date: 2017-07-11 Exploit Author: 8bitsec Vendor Homepage: https://elfemo.com/demo/server2/order2032/ Software Link:...
Tilde CMS 1.01 - Multiple Vulnerabilities
Tilde CMS 1.01 - Multiple Vulnerabilities Exploit Title: Tilde CMS 1.01 Multiple Vulnerabilities Date: July 7th, 2017 Exploit Authors: Paolo Forte, Raffaele Forte Vendor Homepage: http://www.tildenetwork.com/ Version: Tilde CMS 1.0.1 Tested on: Ubuntu 12.04, PHP 5.3.10 I. INTRODUCTION...
Sonicwall 8.1.0.2-14sv - sitecustomization.cgi Command Injection (Metasploit)
Sonicwall 8.1.0.2-14sv - sitecustomization.cgi Command Injection Metasploit Exploit Title: Sonicwall importlogo/sitecustomization CGI Remote Command Injection Vulnerability Date: 12/25/2016 Exploit Author: xort @ Critical Start Vendor Homepage: www.sonicwall.com Software Link:...
Oracle E-Business Suite 12.x - Server-Side Request Forgery
Oracle E-Business Suite 12.x - Server-Side Request Forgery...
Microsoft Windows 7 SP1 x86 - GDI Palette Objects Local Privilege Escalation (MS17-017)
Microsoft Windows 7 SP1 x86 - GDI Palette Objects Local Privilege Escalation MS17-017 E-DB Note: + Source: https://github.com/sensepost/gdi-palettes-exp + Binary: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/42432.exe include include include include //From...
Sonicwall Secure Remote Access 8.1.0.2-14sv - Command Injection
Sonicwall Secure Remote Access 8.1.0.2-14sv - Command Injection Sonicwall Secure Remote Access SRA - Command Injection Vulnerabilities Vendor: Sonicwall Dell Product: Secure Remote Access SRA Version: 8.1.0.2-14sv Platform: Embedded Linux Discovery: Russell Sanford of Critical Start...
Netscaler SD-WAN 9.1.2.26.561201 - Command Injection (Metasploit)
Netscaler SD-WAN 9.1.2.26.561201 - Command Injection Metasploit Exploit Title: Citrix SD-WAN logout cookie preauth Remote Command Injection Vulnerability Date: 02/20/2017 Exploit Author: xort @ Critical Start Vendor Homepage: www.citrix.com Software Link: https://www.citrix.com/downloads/cloudbridg...
Sonicwall 8.1.0.6-21sv - gencsr.cgi Command Injection (Metasploit)
Sonicwall 8.1.0.6-21sv - gencsr.cgi Command Injection Metasploit Exploit Title: Sonicwall gencsr CGI Remote Command Injection Vulnerability Date: 12/24/2016 Exploit Author: xort @ Critical Start Vendor Homepage: www.sonicwall.com Software Link: sonicwall.com/products/sra-virtual-appliance Version:...