FFmpeg Heap Overflow vulnerability (CVE-2016-10190)
Author: bird@tsrc 1. Preface FFmpeg is a well-known open-source project for processing audio and video, with a large user base. At the end of 2016, paulcher discovered three heap overflow vulnerabilities in FFmpeg: CVE-2016-10190, CVE-2016-10191 and CVE-2016-10192. This article analyzes CVE-2016-10190 in detail; it is a good case for beginners in binary security to learn about heap overflows. Debugging environment: 1. FFmpeg version: 3.2.1, built following https://trac.ffmpeg.org/wiki/CompilationGuide/Ubuntu1 2. Operating system: Ubuntu 16.04 x64 2. Vulnerability analysis...
Wordpress Plugin Photo Gallery v3.0 - Arbitrary File Download
Vulnerability title: Wordpress Plugin Photo Gallery v3.0 - Arbitrary File Download Vulnerability type: Arbitrary File Download Vulnerability impact: Photo Gallery v3.0 Vulnerability exists in the URL: http://localhost/PLUGINPATH/macdownload.php Vulnerability details:...
Firefox Integer overflow leading to a buffer overflow in nsScriptLoadHandler (CVE-2016-9066)
This post will explore how CVE-2016-9066, a simple but quite interesting from an exploitation perspective vulnerability in Firefox, can be exploited to gain code execution. tl;dr an integer overflow in the code responsible for loading script tags leads to an out-of-bounds write past the end of an...
Microsoft Edge 38.14393.0.0 - JavaScript Engine Use-After-Free (CVE-2017-0070)
Content source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1043 I noticed that some javascript getters behave what. My test code: var whitelist = "closed", "document", "frames", "length", "location", "opener", "parent", "self", "top", "window"; var f = document...
PHPCMS 'phpcms\modules\member\index.php 'the presence of any of the password reset vulnerability
No description provided by source...
RoundCube Webmail mail <1.0.5 body stored XSS(CVE-2015-1433)
RoundCube Webmail is a widely used open source PHP e-mail system outside China, so this issue is still fairly significant. roundcube webmail official website: , download the latest version. /program/lib/Roundcube/rcubewashtml.php is the rich-text filter class rcubewashtml. roundcu...
Microsoft Internet Explorer and Edge Spoofing Vulnerability (CVE-2017-0012)
Details source: http://bobao.360.cn/learning/detail/3612.html parent.window.opener.location can make the opener window's location jump to another domain, in an attempt to use it cross-domain. I first discovered this problem when testing; here is the test code with which I found the problem. parent...
Microsoft Edge read:// urlhandler Information Disclosure Vulnerability (CVE-2017-0065)
This exploit was reported to Microsoft and I was acknowledged for doing so. The exploit has been patched on March 14th 2017 under names cve-2017-0065 and MS17-007 and will not work if related patches are applied. Sourcecode is provided for educational purposes only. General This exploit requires...
Undocumented Backdoor Account in DBLTek GoIP
Trustwave recently reported a remotely exploitable issue in the Telnet administrative interface of numerous DblTek branded devices. The issue permits a remote attacker to gain a shell with root privileges on the affected device due to a vendor backdoor in the authentication procedure. The Telnet...
PCAUSA Rawether for Windows local privilege escalation
Rawether for Windows is a framework that facilitates communication between an application and the NDIS miniport driver. It’s produced by a company named Printing Communications Assoc., Inc. PCAUSA, which seems to be no longer operating. Company websites can be still reached through web.archive.or...
fastjson < 1.2.24 remote code execution vulnerability
No description provided by source...
GitHub Enterprise Remote Code Execution via Marshal
Everyone uses GitHub. If you have huge amount of green paper or you are very paranoid about your code, you can run your own GitHub. For $2,500 USD per 10 user years you get GitHub Enterprise: A virtual machine containing a fully-featured GitHub instance. Despite a few edge cases that are handled...
Goahead webserver <= 2.1.8-path bypass-sensitive File Download vulnerability
1 Introduction Goahead webserver is an embedded OpenSource server that can be built on a lot of systems CE, Ecos, GNU/Linux, Lynx, MacOS, NW, QNX4, VXWORKS, Win32 and others. It is supported by a lot of companies that use it for their projects and it is also used as a "base" for other webservers,...
Nlance - Freelance Marketplace Software v2.2 - SQL Injection
Nlance - Freelance Marketplace Software v2.2 - SQL Injection Nlance - Freelance Marketplace Software v2.2: parameter filtering is not strict, leading to a SQL injection vulnerability; if the target server has error display turned on, it can be exploited directly. Google Dork: N/A...
Roundcube mail body stored cross site scripting Vulnerability (CVE-2017-6820)
Author: Badcode, sebao know Chong Yu 404 security lab Date: 2017-03-17 0x00 vulnerability overview 1. Vulnerability description Roundcube is a widely used open source e-mail program; around the globe many organizations and companies are using it. On the server, to successfully install...
Adobe Flash Heap Overflow in ATF Planar Decompression (CVE-2017-2934)
The attached file causes heap corruption when decompressing a planar block. To reproduce the issue, put both attached files on a server and visit: http://127.0.0.1/LoadImage.swf?img=planar1.atf Attachment: planar1.atf LoadImage.swf...
Adobe Flash: Out-of-Bounds Read in Metadata Parsing (CVE-2017-2931)
The attached file causes an out-of-bounds read when its metadata is parsed Attachment: meta.swf...
Adobe Flash: Use-after-free in MovieClip attach init object (CVE-2017-2932)
The attached file causes a use-after-free in attaching a MovieClip and applying the init object. Attachment: init.swf...
Adobe Flash: Heap overflow in ATF Thumbnailing (CVE-2017-2933)
The attached file causes an overflow in heap thumbnailing. To reproduce, place both attached files on a server and visit http://127.0.0.1/LoadImage.swf?img=thumb2.atf Attachment: thumb2.atf LoadImage.swf...
Adobe Flash: Heap overflow in AVC header slicing (CVE-2017-2935)
There is a heap overflow in the AVC header slicing. To reproduce the issue, put the attached files on a server and visit http://127.0.0.1/LoadImage.swf?img=slice.flv. Attachment: slice.flv LoadImage.swf...
Thailand Government Sites CMS data.php parameter id SQL injection vulnerability
No description provided by source...
MS17-012: Windows COM Session Moniker EoP (CVE-2017-0100)
Description: The COM session moniker allows a user to specify the interactive session that’s to be used when a DCOM object is registered with an AppID with RunAs of “Interactive User”. As switching sessions is not something a normal user can do you’d assume that this would be only accessible to...
Microsoft Edge Fetch API allows setting of arbitrary request headers (CVE-2017-0140)
Introduction The Fetch API provides an interface for fetching resources including across the network. It will seem familiar to anyone who has used XMLHttpRequest, but the Fetch API provides a more powerful and flexible feature set. Starting in EdgeHTML 14, which ships with Windows 10 Anniversary...
D-Link DIR-816L (Wireless Router) - Cross-Site Request Forgery (CVE-2015-5999)
1 User logs in to the DIR-816L wireless router 2 User visits the attacker's malicious web page attacker.html 3 attacker.html exploits the CSRF vulnerability and changes the admin account password PoC video link: http://youtu.be/UBdR2sUc8Wg Exploit code attacker.html:...
Joomla! Component Guesser v1.0.4 - SQL Injection
Joomla! Component Guesser v1.0.4 - SQL Injection Joomla! Component Guesser v1.0.4: parameter filtering is not strict, leading to a SQL injection vulnerability; if the target server has error display turned on, it can be exploited directly. Google Dork: inurl:index.php?option=comguesser...
ohocms province_city.php sql injection vulnerability
No description provided by source...
Google Nexus 9 Unauthorized Access to FIQ Debugger (CVE-2017-0510)
Nexus 9 allows unauthorized access to the FIQ debugger via its headphones jack. This allows for sensitive information theft, via malicious headphones, out of any process. Moreover it allows the adversary to reboot the device into HBOOT, which may aid in further exploitation such as accessing...
WebKit memory corruption vulnerability (CVE-2016-4657)
Can be used for: CVE-2016-4657 Nintendo Switch Node Server Quick node.js server for the WebKit exploit. The virus can be modified in exploit.js Installing and Running cd npm i sudo node server.js Server runs on port 80 needs root unless specified otherwise. Route conntest.nintendowifi.net to your...
ohocms_viewcode.php arbitrary file read vulnerability
No description provided by source...
ohocms getjwj.php sql injection vulnerability
No description provided by source...
ohocms jg_city.php sql injection vulnerability
No description provided by source...
ohocms custom_design.php code execution vulnerability
No description provided by source...
ohocms set_border_color.php a remote command execution vulnerability
No description provided by source...
ohocms design_edittheme2. php file write vulnerability
No description provided by source...
ohocms province_city1.php sql injection vulnerability
No description provided by source...
ohocms edittheme1.php code execution vulnerability
No description provided by source...
ohocms getsyscat.php sql injection vulnerability
No description provided by source...
ohocms catid_save.php sql injection vulnerability
No description provided by source...
Drupal 7.x Services module unserialize() to RCE
Upon auditing Drupal's Services module, the Ambionics team came across an insecure use of unserialize. The exploitation of the vulnerability allowed for privilege escalation, SQL injection and, finally, remote code execution. Services module Services is a "standardized solution for building API'...
Epiceditor - Cross-Site Scripting (CVE-2017-6589)
EpicEditor Introduction EpicEditor is an embeddable JavaScript Markdown editor with split fullscreen editing, live previewing, automatic draft saving, offline support, and more. For developers, it offers a robust API, can be easily themed, and allows you to swap out the bundled Markdown parser wi...
Cross site scripting vulnerability in django-epiceditor (CVE-2017-6591)
Introduction django-epiceditor A django app that allows the easy addition of EpicEditor markdown editor to a django form field, whether in a custom app or the Django Admin. The project url: https://pypi.python.org/pypi/django-epiceditor Environment django==1.10.6 django-epiceditor==0.2.3...
ASUSWRT - Multiple Vulnerabilities
ASUSWRT is a wireless router operating system that powers many routers produced by ASUS. Multiple exploitable vulnerabilities could be identified in the current version of ASUSWRT. Published: 08 Mar 2017 Affected routers: - RT-AC53 3.0.0.4.380.6038 ---------- Cross-Site Scripting XSS Component:...
Linux kernel local privilege escalation flaw in n_hdlc (CVE-2017-2636)
This article discloses the exploitation of CVE-2017-2636, which is a race condition in the n_hdlc Linux kernel driver drivers/tty/n_hdlc.c. The described exploit gains root privileges bypassing Supervisor Mode Execution Protection SMEP. This driver provides HDLC serial line discipline and comes as ...
Cross Site Scripting injection vulnerability in SANADATA SanaCMS 7.3
Cross-site scripting XSS vulnerability in /sanadata/seo/index.asp in SANADATA SanaCMS 7.3 allows remote attackers to inject arbitrary web script or HTML via the search parameter. Vendor HomePage: https://www.sanadata.com/ Version: 7.3 Dork: intext:"SANADATA | SanaCMS 7.3" Tested on: Firefox...
The Wireless IP Camera (P2P) WIFICAM Multiple vulnerabilities
Product Description The Wireless IP Camera P2P WIFICAM is a Chinese web camera which allows to stream remotely. Vulnerabilities Summary The Wireless IP Camera P2 WIFICAM is a camera overall badly designed with a lot of vulnerabilities. This camera is very similar to a lot of other Chinese cameras...
WordPress audio playlist functionality is affected by Cross-Site Scripting
Abstract Two Cross-Site Scripting vulnerabilities exists in the playlist functionality of WordPress. These issues can be exploited by convincing an Editor or Administrator into uploading a malicious MP3 file. Once uploaded the issues can be triggered by a Contributor or higher using the playlist...
NETGEAR DGN2200 Remote Command Execution
0x00 summary The ping.cgi script of the NETGEAR DGN2200 router does not require authentication for its input parameters, so a specially constructed request can execute system commands. 0x01 details By capturing traffic, the pingIPAddr parameter is seen to carry the IP address; appending ;cmd after it executes a...
Joomla! Component Spinner 360 v1.3.0 - SQL Injection
Joomla! Component Spinner 360 v1.3.0 - SQL Injection Joomla! Component Spinner 360 v1.3.0: parameter filtering is not strict, leading to a SQL injection vulnerability; if the target server has error display turned on, it can be exploited directly, and if error display is turned off it can ...
Larice Club readnews.php parameter id SQL injection vulnerability
No description provided by source. #!/usr/bin/env python # coding: utf-8 from pocsuite.api.request import req from pocsuite.api.poc import register from pocsuite.api.poc import Output, POCBase import re import random import hashlib class TestPOC(POCBase): vulID = '1' ssvid version = '1.0' author =...
VMPanel cybervm log on at the parameters the username reflected XSS vulnerability
0x01 vulnerability profile VMPanel is a powerful Web-based VMware ESX/ESXi control panel; users can remotely create or delete virtual machines. Official website: http://cybervm.com/ The user name input box on the VMPanel login page is not strictly filtered, resulting in XSS...