LG MRA58K - ASFParser::ParseHeaderExtensionObjects Missing Bounds-Checking
LG MRA58K - ASFParser::ParseHeaderExtensionObjects Missing Bounds-Checking Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1222 There is a memcpy in ASFParser::ParseHeaderExtensionObjects which doesn't check that the size of the copy is smaller than the size of the source buffer...
LG MRA58K - Out-of-Bounds Heap Read in CAVIFileParser::Destroy Resulting in Invalid Free
LG MRA58K - Out-of-Bounds Heap Read in CAVIFileParser::Destroy Resulting in Invalid Free Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1221 Similar to the previously reported issue 1206 , when parsing AVI files the CAVIFileParser object contains a fixed-size array of what...
LG MRA58K - Missing Bounds-Checking in AVI Stream Parsing
LG MRA58K - Missing Bounds-Checking in AVI Stream Parsing Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1206 Missing bounds-checking in AVI stream parsing When parsing AVI files, CAVIFileParser uses the stream count from the AVI header to allocate backing storage for storing...
Easy MOV Converter 1.4.24 - Enter User Name Local Buffer Overflow (SEH)
Easy MOV Converter 1.4.24 - Enter User Name Local Buffer Overflow SEH #!/usr/bin/python Exploit Title: Easy MOV Converter 1.4.24 - 'Enter User Name' Field Buffer Overflow SEH Date: 13-06-2017 Exploit Author: @abatchy17 -- www.abatchy.com Vulnerable Software: Easy MOV Converter Vendor Homepage:...
Disk Pulse 9.7.26 - Add Directory Local Buffer Overflow
Disk Pulse 9.7.26 - Add Directory Local Buffer Overflow #!/usr/bin/python Exploit Title: Disk Pulse v9.7.26 - Add Directory Local Buffer Overflow Date: 12-06-2017 Exploit Author: abatchy17 -- @abatchy17 Vulnerable Software: Disk Pulse v9.7.26 Freeware, Pro, Ultimate Vendor Homepage:...
GStreamer gst-plugins-bad Plugin - NULL Pointer Dereference
GStreamer gst-plugins-bad Plugin - NULL Pointer Dereference Source: https://bugzilla.gnome.org/show_bug.cgi?id=775120 The attached file will cause a null pointer access and segfault in the mpegts parser. Current git code, found with afl. ASAN stack trace:...
Easy File Sharing Web Server 7.2 - POST Remote Buffer Overflow
Easy File Sharing Web Server 7.2 - POST Remote Buffer Overflow #!/usr/bin/python Title : EFS Web Server 7.2 POST HTTP Request Buffer Overflow Author : Touhid M.Shaikh Date : 12 June, 2017 Contact: [email protected] Version: 7.2 category: Remote Exploit Tested on: Windows XP SP3 EN Version...
Real Estate Classifieds Script - SQL Injection
Real Estate Classifieds Script - SQL Injection Exploit Title: Real Estate Classifieds Script - SQL Injection Dork: N/A Date: 12.06.2017 Vendor : http://www.easyrealestatescript.com/ Software: http://www.easyrealestatescript.com/demo.html Demo: http://www.easyrealestatescript.com/demo.html Version...
Easy File Sharing Web Server 7.2 - Authentication Bypass
Easy File Sharing Web Server 7.2 - Authentication Bypass Exploit Title: EFS Web Server 7.2 Authentication Bypass Date: 11-06-2017 Software Link: http://www.sharing-file.com/efssetup.exe Software Version : 7.2 Exploit Author: Touhid M.Shaikh Contact: http://twitter.com/touhidshaikh22 Website:...
WordPress Plugin WP Jobs 1.5 - SQL Injection
WordPress Plugin WP Jobs 1.5 - SQL Injection Exploit Title: WordPress Plugin WP Jobs 1.5 - SQL Injection Date: 11-06-2017 Exploit Author: Dimitrios Tsagkarakis Website: dtsa.eu Software Link: https://en-gb.wordpress.org/plugins/wp-jobs/ Vendor Homepage: http://www.intensewp.com/ Version: 1.4 CVE ...
DiskBoss 8.0.16 - Input Directory Local Buffer Overflow
DiskBoss 8.0.16 - Input Directory Local Buffer Overflow #!/usr/bin/python Exploit Title: DiskBoss v8.0.16 - Local Buffer Overflow Date: 11-06-2017 Exploit Author: @abatchy17 -- www.abatchy.com Vulnerable Software: DiskBoss v8.0.16 Freeware, Pro and Ultimate Vendor Homepage:...
Sync Breeze 9.7.26 - Add Exclude Directory Local Buffer Overflow
Sync Breeze 9.7.26 - Add Exclude Directory Local Buffer Overflow #!/usr/bin/python Exploit Title: Sync Breeze v9.7.26 - Local Buffer Overflow Date: 11-06-2017 Exploit Author: @abatchy17 -- www.abatchy.com Vulnerable Software: Sync Breeze v9.7.26 Freeware, Pro and Ultimate Vendor Homepage:...
Logpoint 5.6.4 - Root Remote Code Execution
Logpoint 5.6.4 - Root Remote Code Execution Exploit Title: Unauthenticated remote root code execution on logpoint 5.6.4 Date: 11/06/17 Exploit Author: agix Vendor Homepage: https://www.logpoint.com Version: logpoint 5.6.4 Tested on: 5.6.2 Vendor contact 19/04 Exploit details sent to the vendor...
eCom Cart 1.3 - SQL Injection
eCom Cart 1.3 - SQL Injection Exploit Title: eCom Cart 1.3 Exploit Google Dork: inurl:"/pdetails/11" 11 is variable Date: 10.06.2017 Exploit Author: Alperen Eymen Ozcan & Batuhan Camci Vendor Homepage: https://codecanyon.net/item/ecom-cart-a-php-shopping-cart-with-blog/13731007 Software Link:...
VMware vSphere Data Protection 5.x/6.x - Java Deserialization
VMware vSphere Data Protection 5.x/6.x - Java Deserialization #!/usr/bin/env python import socket import sys import ssl def getHeader(): return '\x4a\x52\x4d\x49\x00\x02\x4b' def payload(): cmd = sys.argv[4] cmdlen = len(cmd) data2 =...
PaulShop - SQL Injection
PaulShop - SQL Injection Exploit Title: PaulShop CMS = 2017-03-25 Sql Injection Date: 10-06-2017 Exploit Author: Se0pHpHack3r Vendor Homepage: https://codecanyon.net/item/paulshop-cms-with-shopping-cart-system/18070714 Version: 2017-03-25 1. Description SQL Injection on Shipping Cost page in Cart...
Disk Sorter 9.7.14 - Input Directory Local Buffer Overflow
Disk Sorter 9.7.14 - Input Directory Local Buffer Overflow #!/usr/bin/python Exploit Title: DiskSorter v9.7.14 - Local Buffer Overflow Date: 10-06-2017 Exploit Author: abatchy17 -- @abatchy17 Vulnerable Software: DiskSorter v9.7.14 Vendor Homepage: http://www.disksorter.com/ Version: 9.7.14 Softwa...
Nuevomailer 6.0 - SQL Injection
Nuevomailer 6.0 - SQL Injection Exploit Title: Nuevo mailer version = 6.0 SQL Injection Exploit Author: ALEH BOITSAU Google Dork: inurl:/inc/rdr.php? Date: 2017-06-09 Vendor Homepage: https://www.nuevomailer.com/ Version: 6.0 and below Tested on: Linux Vulnerable script: rdr.php Vulnerable...
Apple macOS - Disk Arbitration Daemon Race Condition
Apple macOS - Disk Arbitration Daemon Race Condition #!/bin/bash Sources: https://raw.githubusercontent.com/phoenhex/files/master/pocs/poc-mount.sh https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc if ! security authorize system.volume.internal.mount &>/dev/null; then echo 2&1 "Cannot...
EFS Easy Chat Server 3.1 - Remote Buffer Overflow (SEH)
EFS Easy Chat Server 3.1 - Remote Buffer Overflow SEH Exploit Title: Easy Chat Server User Registration Buffer Overflow SEH Date: 09/10/2017 Software Link: http://echatserver.com/ecssetup.exe Exploit Author: Aitezaz Mohsin Vulnerable Version: v2.0 to v3.1 Vulnerability Type: Buffer Overflow...
libcroco 0.6.12 - Denial of Service
libcroco 0.6.12 - Denial of Service libcroco multiple vulnerabilities ================ Author : qflb.wu =============== Introduction: ============= Libcroco is a standalone css2 parsing and manipulation library. The parser provides a low level event driven SAC like api and a css object model like...
nuevoMailer 6.0 - SQL Injection
nuevoMailer 6.0 - SQL Injection Exploit Title: nuevoMailer version 6.0 and earlier time-based SQL Injection Exploit Author: ALEH BOITSAU Google Dork: inurl:/inc/rdr.php? Date: 2017-06-09 Vendor Homepage: https://www.nuevomailer.com/ Version: 6.0 and earlier Tested on: Linux CVE: CVE-2017-9730...
Mapscrn 2.03 - Local Buffer Overflow (PoC)
Mapscrn 2.03 - Local Buffer Overflow PoC Developed using Exploit Pack - http://exploitpack.com - Tested on: GNU/Linux - Kali 2017.1 Release Description: Mapscrn Part of setfont 2.0.3 The mapscrn command loads a user defined output character mapping table into the console driver. The console drive...
EFS Easy Chat Server 3.1 - Password Disclosure
EFS Easy Chat Server 3.1 - Password Disclosure Exploit Title: Easy Chat Server Remote Password Disclosure Date: 09/10/2017 Software Link: http://echatserver.com/ecssetup.exe Exploit Author: Aitezaz Mohsin Vulnerable Version: v2.0 to v3.1 Vulnerability Type: Pre-Auth Remote Password Disclosure...
EFS Easy Chat Server 3.1 - Password Reset
EFS Easy Chat Server 3.1 - Password Reset Exploit Title: Easy Chat Server Remote Password Reset Date: 09/10/2017 Software Link: http://echatserver.com/ecssetup.exe Exploit Author: Aitezaz Mohsin Vulnerable Version: v2.0 to v3.1 Vulnerability Type: Pre-Auth Remote Password Reset Severity: Critical...
libquicktime 1.2.4 - Denial of Service
libquicktime 1.2.4 - Denial of Service libquicktime multiple vulnerabilities ================ Author : qflb.wu =============== Introduction: ============= The libquicktime package contains the libquicktime library, various plugins and codecs, along with graphical and command line utilities used f...
Uniview NVR - Password Disclosure
Uniview NVR - Password Disclosure Uniview NVR remote passwords disclosure Author: B1t The Uniview NVR web application does not enforce authorizations on the main.cgi file when requesting json data. It says that you can do anything without authentication, however you must know the request structur...
IPFire 2.19 - Remote Code Execution
IPFire 2.19 - Remote Code Execution Title : IPFire 2.19 Firewall Post-Auth RCE Date : 09/06/2017 Author : 0x09AL https://twitter.com/0x09AL Tested on: IPFire 2.19 x86_64 - Core Update 110 Vendor : http://www.ipfire.org/ Software :...
Apple macOS 10.12.3 iOS 10.3.2 - Userspace Entitlement Checking Race Condition
Apple macOS 10.12.3 iOS 10.3.2 - Userspace Entitlement Checking Race Condition / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1223 One way processes in userspace that offer mach services check whether they should perform an action on behalf of a client from which they have...
Net Monitor for Employees Pro 5.3.4 - Unquoted Service Path Privilege Escalation
Net Monitor for Employees Pro 5.3.4 - Unquoted Service Path Privilege Escalation Exploit Title: Unquoted Service Path Privilege Escalation - Net Monitor for Employees Pro gmail.com, saeid Nsecurity.org Linkedin: https://www.linkedin.com/in/saeidatabaki Vendor Homepage: http://networklookout.com/...
Craft CMS 2.6 - Cross-Site Scripting
Craft CMS 2.6 - Cross-Site Scripting Exploit Title: Craft CMS 2.6 - Cross-Site Scripting/Unrestricted File Upload Date: 2017-06-08 Exploit Author: Ahsan Tahir Vendor Homepage: https://craftcms.com Software Link: http://download.craftcdn.com/craft/2.6/2.6.2981/Craft-2.6.2981.zip Version: 2.6 Teste...
IDERA Uptime Monitor 7.8 - Multiple Vulnerabilities
IDERA Uptime Monitor 7.8 - Multiple Vulnerabilities Vulnerabilities Summary The following advisory describes three (3) vulnerabilities found in IDERA Uptime Monitor version 7.8. “IDERA Uptime Monitor is a Proactively monitor physical servers, virtual machines, network devices, applications, and...
VMware Workstation 12 Pro - Denial of Service
VMware Workstation 12 Pro - Denial of Service / Title: NULL pointer dereference vulnerability in vstor2 driver VMware Workstation Pro/Player CVE: 2017-4916 VMSA-2017-0009 Author: Borja Merino @BorjaMerino Date: May 18, 2017 Tested on: Windows 10 Pro and Windows 7 Pro SP1 with VMware® Workstation ...
Robert 0.5 - Multiple Vulnerabilities
Robert 0.5 - Multiple Vulnerabilities Exploit Title: Robert 0.5 - Multiple Vulnerabilities XSS, CSRF, Directory traversal & SQLi Date: 07/06/2017 Exploit Author: Cyril Vallicari / HTTPCS - ZIWIT Vendor website :http://robert.polosson.com/ Download link :...
Grav CMS 1.4.2 Admin Plugin - Cross-Site Scripting
Grav CMS 1.4.2 Admin Plugin - Cross-Site Scripting Exploit Title: GravCMS Core Admin Plugin v1.4.2 - Persistent Cross-Site Scripting Date: 2017-06-07 Exploit Author: Ahsan Tahir Vendor Homepage: https://getgrav.org/ Software Link: https://getgrav.org/download/core/grav-admin/1.2.4 Version: 1.4.2...
Linux Kernel 4.10.13 - keyctl_set_reqkey_keyring Local Denial of Service
Linux Kernel 4.10.13 - keyctl_set_reqkey_keyring Local Denial of Service /* Source: https://bugzilla.novell.com/show_bug.cgi?id=1034862 QA REPRODUCER: gcc -O2 -o CVE-2017-7472 CVE-2017-7472.c -lkeyutils ./CVE-2017-7472 will run the kernel out of memory */ #include #include int main() { for (;;)...
Linux Kernel - ping Local Denial of Service
Linux Kernel - ping Local Denial of Service // Source: https://raw.githubusercontent.com/danieljiang0415/androidkernelcrashpoc/master/panic.c #include #include #include #include static int sockfd = 0; static struct sockaddr_in addr = {0}; void fuzz(void *param) { while (1) { addr.sin_family = 0; //rand()%42;...
Artifex MuPDF - Null Pointer Dereference
Artifex MuPDF - Null Pointer Dereference Source: https://bugs.ghostscript.com/show_bug.cgi?id=697500 POC to trigger null pointer dereference mutool After some fuzz testing I found a crashing test case. Git HEAD: 8eea208e099614487e4bd7cc0d67d91489dae642 To reproduce: mutool convert -F cbz...
PuTTY 0.68 - ssh_agent_channel_data Integer Overflow Heap Corruption
PuTTY 0.68 - ssh_agent_channel_data Integer Overflow Heap Corruption Source: https://www.chiark.greenend.org.uk/sgtatham/putty/wishlist/vuln-agent-fwd-overflow.html summary: Vulnerability: integer overflow permits memory overwrite by forwarded ssh-agent connections class: vulnerability: This is a...
Xavier 2.4 - SQL Injection
Xavier 2.4 - SQL Injection Document Title: =============== Xavier v2.4 PHP MP - SQL Injection Web Vulnerabilities References Source: ==================== https://www.vulnerability-lab.com/getcontent.php?id=2076 Release Date: ============= 2017-06-06 Vulnerability Laboratory ID VL-ID:...
Apache Struts - REST Plugin With Dynamic Method Invocation Remote Code Execution
Apache Struts - REST Plugin With Dynamic Method Invocation Remote Code Execution #!/usr/bin/python # -*- coding: utf-8 -*- import requests import random import base64 upperAlpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" lowerAlpha = "abcdefghijklmnopqrstuvwxyz" numerals = "0123456789" allchars = chr for in...
Peplink Balance Routers 7.0.0-build1904 - SQL Injection Cross-Site Scripting Information Disclosure
Peplink Balance Routers 7.0.0-build1904 - SQL Injection Cross-Site Scripting Information Disclosure X41 D-Sec GmbH Security Advisory: X41-2017-005 Multiple Vulnerabilities in peplink balance routers =================================================== Overview -------- Confirmed Affected Versions:...
WordPress Plugin Tribulant Newsletters 4.6.4.2 - File Disclosure Cross-Site Scripting
WordPress Plugin Tribulant Newsletters 4.6.4.2 - File Disclosure Cross-Site Scripting DefenseCode WebScanner DAST Advisory WordPress Tribulant Newsletters Plugin Multiple Security Vulnerabilities Advisory ID: DC-2017-01-012 Advisory Title: WordPress Tribulant Newsletters Plugin Multiple...
Apple Safari 10.1 - Spread Operator Integer Overflow Remote Code Execution
Apple Safari 10.1 - Spread Operator Integer Overflow Remote Code Execution Sources: https://phoenhex.re/2017-06-02/arrayspread https://github.com/phoenhex/files/blob/master/exploits/spread-overflow JavaScriptCore will allocate a JSFixedArray for every spread operand of the array literal in...
Subsonic 6.1.1 - Cross-Site Request Forgery Cross-Site Scripting
Subsonic 6.1.1 - Cross-Site Request Forgery Cross-Site Scripting + Credits: John Page a.k.a hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/SUBSONIC-CSRF-PERSISTENT-XSS.txt + ISR: ApparitionSec Vendor: ================ www.subsonic.org Product:...
Kronos Telestaff 2.92EU29 - SQL Injection
Kronos Telestaff 2.92EU29 - SQL Injection Software: Kronos Telestaff Web Application Version: compare timing with device=stdbrowser&action=doLogin&user='ifDBNAME'TELESTAFF'waitfor%20delay'00%3a00%3a12';--&pwd=&code= PoC 2 - Execute Code Remotely example inject benign code e.g. ping a remote syste...
Wireshark 2.2.0 2.2.12 - ROS Dissector Denial of Service
Wireshark 2.2.0 2.2.12 - ROS Dissector Denial of Service Source: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13637 Build Information: TShark Wireshark 2.3.0 v2.3.0rc0-3235-gd97ce76161 Copyright 1998-2017 Gerald Combs and contributors. License GPLv2+: GNU GPL version 2 or later This is free...
DNSTracer 1.8.1 - Buffer Overflow (PoC)
DNSTracer 1.8.1 - Buffer Overflow PoC Exploit Title: DNSTracer Stack-based Buffer Overflow CVE: CVE-2017-9430 CWE: CWE-119 Exploit Author: Hosein Askari FarazPajohan Vendor HomePage: http://www.mavetju.org Version : 1.8.1 Tested on: Parrot OS Date: 04-06-2017 Category: Application Author Mail :...
BIND 9.10.5 - Unquoted Service Path Privilege Escalation
BIND 9.10.5 - Unquoted Service Path Privilege Escalation + Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/BIND9-PRIVILEGE-ESCALATION.txt + ISR: ApparitionSec Vendor: =========== www.isc.org Product: =========== BIND9 v9.10...
Subsonic 6.1.1 - Cross-Site Request Forgery
Subsonic 6.1.1 - Cross-Site Request Forgery + Credits: John Page a.k.a hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/SUBSONIC-PASSWORD-RESET-CSRF.txt + ISR: ApparitionSec Vendor: ================ www.subsonic.org Product: =============== subson...