39001 matches found
Microsoft Windows - NtImpersonateAnonymousToken LPAC to Non-LPAC Privilege Escalation Exploit
Exploit for windows platform in category dos / poc Windows: NtImpersonateAnonymousToken LPAC to Non-LPAC EoP Platform: Windows 10 1703 and 1709 not tested Windows 8.x Class: Elevation of Privilege Summary: When impersonating the anonymous token in an LPAC the WIN://NOAPPALLPKG security attribute ...
Microsoft Windows - NTFS Owner/Mandatory Label Privilege Bypass Exploit
Exploit for windows platform in category dos / poc / Windows: NTFS Owner/Mandatory Label Privilege Bypass EoP Platform: Windows 10 1709 not tested 8.1 Update 2 or Windows 7 Class: Elevation of Privilege Summary: When creating a new file on an NTFS drive it’s possible to circumvent security checks...
SAP NetWeaver J2EE Engine 7.40 - SQL Injection Exploit
Exploit for multiple platform in category web applications !/usr/bin/env python coding=utf-8 """ Author: Vahagn Vardanyan https://twitter.com/vah13 Bugs: CVE-2016-2386 SQL injection CVE-2016-2388 Information disclosure CVE-2016-1910 Crypto issue Follow HTTP request is a simple PoC for anon...
Python smtplib 2.7.11 / 3.4.4 / 3.5.1 - Man In The Middle StartTLS Stripping Vulnerability
Exploit for multiple platform in category local exploits VuNote ============ Author: Version: 0.2 Date: Nov 25th, 2015 Tag: python smtplib starttls stripping mitm Overview -------- Name: python Vendor: python software foundation References: https://www.python.org/ 1 Version: 2.7.11, 3.4.4, 3.5.1...
Microsoft Windows SMB Server (v1 and v2) - Mount Point Arbitrary Device Open Privilege Escalation Ex
Exploit for windows platform in category dos / poc Windows: SMB Server v1 and v2 Mount Point Arbitrary Device Open EoP Platform: Windows 10 1703 and 1709 seems the same on 7 and 8.1 but not extensively tested Class: Elevation of Privilege Summary: The SMB server driver srv.sys and srv2.sys don't...
Microsoft Windows - NtImpersonateAnonymousToken AC to Non-AC Privilege Escalation Exploit
Exploit for windows platform in category dos / poc Windows: NtImpersonateAnonymousToken AC to Non-AC EoP Platform: Windows 10 1703 and 1709 Class: Elevation of Privilege Summary: The check for an AC token when impersonating the anonymous token doesn’t check impersonation token’s security level...
FreeBSD/x86 - Bind TCP /bin/sh Shell (41254/TCP) Shellcode (115 bytes)
/ FreeBSD shellcode that binds /bin/sh to port 41254 Assembly code and explanation will be released on safemode.org soon. Written by zillion zillion at safemode.org / char shellcode = "\xeb\x64\x5e\x31\xc0\x88\x46\x07\x6a\x06\x6a\x01\x6a\x02\xb0"...
Linux/x86 - execve /bin/dash Shellcode (30 bytes)
/ Description ; Title : exec /bin/dash - Shellcode ; Author : Hashim Jawad ; Website : ihack4falafel.com ; Twitter : @ihack4falafel ; SLAE ID : SLAE-1115 ; Purpose : spawn /bin/dash shell ; OS : Linux ; Arch : x86 ; Size : 30 bytes dash.nasm global start section .text start: ; push NULL into the...
WordPress Download Manager 2.9.60 Plugin - Cross-Site Request Forgery Vulnerability
Exploit for php platform in category web applications Exploit Title: WordPress Download Manager CSRF Exploit Author: Panagiotis Vagenas Author Link: https://twitter.com/panVagenas Vendor Homepage: https://www.wpdownloadmanager.com/ Software Link: https://wordpress.org/plugins/download-manager...
WordPress Admin Menu Tree Page View 2.6.9 Plugin - Cross-Site Request Forgery / Privilege Escalation
Exploit for php platform in category web applications Exploit Title: Admin Menu Tree Page View CSRF, Privilege Escalation Exploit Author: Panagiotis Vagenas Author Link: https://twitter.com/panVagenas Vendor Homepage: http://eskapism.se/ Software Link:...
Joomla Easydiscuss Component < 4.0.21 - Cross-Site Scripting Vulnerability
Exploit for php platform in category web applications Exploit Title: Joomla Plugin Easydiscuss inside the body, everything after the will be executed in the user’s browser. Works with every version up to 4.0.20 2. Proof of Concept Login with permissions to post a message, insert in the body and a...
Multiple CPUs - Information Leak Using Speculative Execution Exploit
Exploit for hardware platform in category dos / poc == INTRODUCTION == This is a bug report about a CPU security issue that affects processors by Intel, AMD and to some extent ARM. I have written a PoC for this issue that, when executed in userspace on an Intel Xeon CPU E5-1650 v3 machine with a...
Yawcam 0.6.0 Directory Traversal Vulnerability
Exploit for windows platform in category remote exploits Directory traversal vulnerability in Yawcam webcam server ========================================================= Overview -------- Affected Versions: Yawcam 0.2.6 through 0.6.0 Patched Versions: Yawcam 0.6.1 Vendor: Yawcam Vendor URL:...
Synology Photostation 6.7.2-3429 - Remote Code Execution Exploit
Exploit for php platform in category web applications This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "Synology PhotoStation Multiple Vulnerabilities", 'Description' = %q This module exploits...
WordPress Social Media Widget by Acurax 3.2.5 Plugin - Cross-Site Request Forgery Vulnerability
Exploit for php platform in category web applications Exploit Title: Social Media Widget by Acurax CSRF Discovery Date: 2017-12-12 Exploit Author: Panagiotis Vagenas Author Link: https://twitter.com/panVagenas Vendor Homepage: http://www.acurax.com/ Software Link:...
Microsoft Edge Chakra JIT - Lowerer::LowerSetConcatStrMultiItem Missing Integer Overflow Check
Exploit for windows platform in category dos / poc / The method "Lowerer::LowerSetConcatStrMultiItem" is used to generate machine code to concatenate strings. Here's a snippet of the method. void Lowerer::LowerSetConcatStrMultiItemIR::Instr instr ... IR::IndirOpnd dstLength =...
BSD/x86 - setreuid(geteuid(), geteuid()) + execve(/bin/sh) Shellcode (36 bytes)
/ bsd/x86 setreuid/exec shellcode setreuidgeteuid, geteuid and execve"/bin/sh", "/bin/sh", 0 shellcode based on hkpco's setreuid/exec shellcode for linux Tested on FreeBSD / include include char shellcode = "\x31\xc0\xb0\x19\x50\xcd\x80\x50" "\x50\x31\xc0\xb0\x7e\x50\xcd\x80" // setreuidgeteuid,...
Muviko 1.1 - SQL Injection Vulnerability
Exploit for php platform in category web applications Exploit Title: Muviko 1.1 - Multiple SQL Injection Exploit Author: Ahmad Mahfouz Contact: http://twitter.com/eln1x Date: 09/01/2018 CVE: CVE-2017-17970 Vendor Homepage: https://www.muvikoscript.com Version: 1.1 Tested on: Mac OS...
WordPress CMS Tree Page View 1.4 Plugin - Cross-Site Request Forgery / Privilege Escalation Exploit
Exploit for php platform in category web applications Exploit Title: CMS Tree Page View CSRF, Privilege Escalation Discovery Date: 2017-12-12 Exploit Author: Panagiotis Vagenas Author Link: https://twitter.com/panVagenas Vendor Homepage: http://eskapism.se/ Software Link:...
Alpha - /bin/sh Shellcode (80 bytes)
/ Lamont Granquist email protected email protected / int rawcode = 0x2230fec4, / subq $16,0x13c,$17 2000/ 0x47ff0412, / clr $18 2000/ 0x42509532, / subq $18, 0x84 2000/ 0x239fffff, / xor $18, 0xffffffff, $18 / 0x4b84169c, 0x465c0812, 0xb2510134, / stl $18, 0x134$172000/ 0x265cff98, / lda $18,...
Alpha - setuid() Shellcode (156 bytes)
char shellcode= "\x30\x15\xd9\x43" / subq $30,200,$16 / "\x11\x74\xf0\x47" / bis $31,0x83,$17 / "\x12\x14\x02\x42" / addq $16,16,$18 / "\xfc\xff\x32\xb2" / stl $17,-4$18 / "\x12\x94\x09\x42" / addq $16,76,$18 / "\xfc\xff\x32\xb2" / stl $17,-4$18 / "\xff\x47\x3f\x26" / ldah $17,0x47ff$31 /...
Alpha - execve() Shellcode (112 bytes)
char shellcode= "\x30\x15\xd9\x43" / subq $30,200,$16 / / $16 = $30 - 200 / $16 must have the shellcode address. However, before / / the bsr instruction, $16 can't have the address. / / This instruction just store the meaningless address. / / The all instruction before bsr are meaningless. /...
Linux/x86 - execve(/bin/sh) Polymorphic Shellcode (53 bytes)
/ Title: Linux/x86 - execve/bin/sh Polymorphic Shellcode 53 bytes Date: 10-Jan-2018 Exploit Author: Debashis Pal SLAE-1122 Tested on: i686 GNU/Linux '//bin/sh' = 0x68732f6e 0x69622f2f polymorphic.nasm global start section .text start: add esi, 0x30 ;junk xor ecx, ecx mul ecx mov dword esp-4, ecx...
WordPress Events Calendar Plugin - event_id SQL Injection Vulnerability
Exploit for php platform in category web applications Exploit Title: Wichipi Events Calendar - SQL Injection Date: 09-01-2018 Exploit Author: Dennis Veninga Contact Author: d.veninga at networking4all.com Vendor Homepage: codecanyon.net/user/wachipi Version: 1.0 CVE-ID: CVE-2018-5315 Events...
HPE iMC dbman RestartDB Unauthenticated Remote Command Execution Exploit
This Metasploit module exploits a remote command execution vulnerability in Hewlett Packard Enterprise Intelligent Management Center before version 7.3 E0504P04. The dbman service allows unauthenticated remote users to restart a user-specified database instance OpCode 10008, however the instance ...
HPE iMC dbman RestoreDBase Unauthenticated Remote Command Execution Exploit
This Metasploit module exploits a remote command execution vulnerability in Hewlett Packard Enterprise Intelligent Management Center before version 7.3 E0504P04. The dbman service allows unauthenticated remote users to restore a user-specified database OpCode 10007, however the database connectio...
Worpress Service Finder Booking < 3.2 Plugin - Local File Disclosure Vulnerability
Exploit for php platform in category web applications Exploit Title: Worpress Plugin Service Finder Booking 3.2 - Local File Disclosure Google Dork: N/A Date: 09/01/2018 GMT+7 Exploit Author: telahdihapus Vendor Homepage: https://themeforest.net/user/aonetheme Software Link:...
DiskBoss Enterprise 8.8.16 - Buffer Overflow Exploit
Exploit for windows platform in category remote exploits Exploit Title: DiskBoss = 8.8.16 - Unauthenticated Remote Code Execution Date: 2017-08-27 Exploit Author: Arris Huijgen Vendor Homepage: http://www.diskboss.com/ Software Link: http://www.diskboss.com/setups/diskbossentsetupv8.8.16.exe...
Microsoft Edge Chakra JIT - Escape Analysis Bug Exploit
Exploit for windows platform in category dos / poc / Escape analysis: https://en.wikipedia.org/wiki/Escapeanalysis Chakra fails to detect if "tmp" escapes the scope, allocates it to the stack. This may lead to dereference uninitialized stack values. PoC: / function opt let tmp = ; tmp0 = tmp;...
Commvault Communications Service (cvd) - Command Injection Exploit
Exploit for windows platform in category remote exploits This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core/exploit/powershell' class MetasploitModule 'Commvault Communications Service cvd Command...
Microsoft Windows - Local XPS Print Spooler Sandbox Escape Exploit
Exploit for windows platform in category local exploits Windows: Local XPS Print Spooler Sandbox Escape Platform: Windows 10 1703 and 1709 not tested Windows 7 or 8.x Class: Elevation of Privilege Summary: The local print spooler can be abused to create an arbitrary file from a low privilege...
Microsoft Edge Chakra JIT - BackwardPass::RemoveEmptyLoopAfterMemOp Does not Insert Branches
Exploit for windows platform in category dos / poc / The optimizations for memory operations may leave empty loops as follows: for let i = 0; i arr.length; i++ arri = 0; Becomes: Memsetarr, 0, arr.length; for let i = 0; i arr.length; i++ // empty! These empty loops will be removed by...
Microsoft Windows - nt!NtQuerySystemInformation (information class 138, QueryMemoryTopologyInformati
Exploit for windows platform in category dos / poc / We have discovered that the nt!NtQuerySystemInformation system call invoked with the 138 information class discloses portions of uninitialized kernel pool memory to user-mode clients. The specific information class is handled by an internal...
Microsoft Edge Chakra asm.js Out-of-Bounds Read Exploit
Exploit for windows platform in category dos / poc / Here's a snippet of AsmJSByteCodeGenerator::EmitAsmJsFunctionBody. AsmJsVar initSource = nullptr; if decl-sxVar.pnodeInit-nop == knopName AsmJsSymbol initSym = mCompiler-LookupIdentifierdecl-sxVar.pnodeInit-name, mFunction; if...
Microsoft Edge Chakra JIT - Op_MaxInAnArray and Op_MinInAnArray can Explicitly call User-Defined Jav
Exploit for windows platform in category dos / poc / 1. Call patterns like "Math.max.applyMath, 1, 2, 3, 4, 5" and "Math.max.applyMath, arr" can be optimized to directly call the method "JavascriptMath::MaxInAnArray" in the Inline Phase. 2. The method takes the original method "Math.max" as the...
Android - Inter-Process munmap due to Race Condition in ashmem Exploit
Exploit for Android platform in category dos / poc The MemoryIntArray class allows processes to share an in-memory array of integers backed by an "ashmem" file descriptor. As the class implements the Parcelable interface, it can be inserted into a Parcel, and optionally placed in a Bundle and...
Microsoft Windows - nt!NtQueryInformationProcess (information class 76, QueryProcessEnergyValues) Ke
Exploit for windows platform in category dos / poc / We have discovered that the nt!NtQueryInformationProcess system call invoked with the 76 information class discloses portions of uninitialized kernel stack memory to user-mode clients. The specific information class is handled by an internal...
Disk Pulse Enterprise 10.1.18 - Denial of Service Exploit
Exploit for windows platform in category remote exploits Exploit Title: Disk Pulse Enterprise Server v10.1.18 - DOS, Date: 2017-10-20 Exploit Author: Ahmad Mahfouz Software Link: http://www.diskpulse.com/setups/diskpulsesrvsetupv10.1.18.exe Version: v10.1.18 Category; Windows Remote DOS CVE:...
FiberHome LM53Q1 - Multiple Vulnerabilities
Exploit for hardware platform in category web applications !/usr/bin/python Exploit Title: FiberHome MIFI LM53Q1 Multiple Vulnerabilities Exploit Author: Ibad Shah Vendor Homepage: www.fiberhome.com Version: VH519R05C01S38 Tested on: Linux Platform : Hardware CVE : CVE-2017-16885, CVE-2017-16886,...
Sync Breeze Enterprise 10.1.16 - Denial of Service Exploit
Exploit for windows platform in category dos / poc Exploit Title: Sync Breeze Enterprise Server v10.1.16 - Denial of Service Date: 2017-10-20 Exploit Author: Ahmad Mahfouz Software Link: http://www.syncbreeze.com/setups/syncbreezesrvsetupv10.1.16.exe Version: v10.1.16 Category; Windows Remote DOS...
VX Search Enterprise 10.1.12 - Denial of Service Exploit
Exploit for windows platform in category dos / poc Exploit Title: VX Search Enterprise Server v10.1.12 - Denial of Service Date: 2017-10-20 Exploit Author: Ahmad Mahfouz Software Link: http://www.vxsearch.com/setups/vxsearchsrvsetupv10.1.12.exe Version: v10.1.12 Category; Windows Remote DOS CVE:...
WordPress LearnDash 2.5.3 Plugin - Arbitrary File Upload Vulnerability
Exploit for php platform in category web applications Exploit Title: WordPress LearnDash 2.5.3 Unauthenticated Arbitrary File Upload Date: 07-01-2018 Vendor Homepage: https://www.learndash.com/ Vendor Changelog: https://www.learndash.com/changelog/ Version: 2.5.3 Exploit Author: NinTechNet Author...
Vanilla < 2.1.5 - Cross-Site Request Forgery Vulnerability
Exploit for php platform in category web applications Exploit Title: CSRF vulnerabilities in Vanilla Forums below 2.1.5-CVE-2017-1000432 Google Dork: NA Date: 7/1/2018 Contact: https://twitter.com/anandm47 website: https://anandtechzone.blogspot.in Exploit Author: Anand Meyyappan Vendor Homepage:...
BarcodeWiz ActiveX Control < 6.7 - Buffer Overflow (PoC) Vulnerability
Exploit for windows platform in category dos / poc + Credits: John Page aka hyp3rlinx Vendor: ================= www.barcodewiz.com Product: ============= BarcodeWiz ActiveX Control 6.7 BarCodeWiz OnLabel. Generates dynamic barcodes from your imported Excel, CSV, or Access files. Print auto...
Synology DiskStation Manager (DSM) < 6.1.3-15152 - forget_passwd.cgi User Enumeration
Exploit for cgi platform in category web applications Exploit Title: Synology DiskStation Manager DSM 6.1.3-15152 - 'forgetpasswd.cgi' User Enumeration Date: 01/05/2018 Exploit Author: Steve Kaun Vendor Homepage: https://www.synology.com Version: Before 6.1.3-15152 CVE : CVE-2017-9554 Previously...
DiskBoss Enterprise 8.5.12 - Denial of Service Exploit
Exploit for windows platform in category dos / poc Exploit Title: DiskBoss Enterprise Server 8.5.12 - Denial of Service Date: 2017-10-20 Exploit Author: Ahmad Mahfouz Software Link: http:///www.diskboss.com/setups/diskbosssrvsetupv8.5.12.exe Version: v10.1.16 Category; Windows Remote DOS CVE:...
Oracle WebLogic < 10.3.6 - wls-wsat Component Deserialisation Remote Command Execution Exploit
Exploit for multiple platform in category remote exploits !/usr/bin/env python -- coding: utf-8 -- Exploit Title: Weblogic wls-wsat Component Deserialization RCE Date Authored: Jan 3, 2018 Date Announced: 10/19/2017 Exploit Author: Kevin Kirsche d3c3pt10n Exploit Github:...
D-Link DNS-320 ShareCenter < 1.06 - Backdoor Access Vulnerability
Exploit for hardware platform in category web applications DNS-320L ShareCenter Backdoor Vendor: D-Link Product: DNS-320L ShareCenter Version: = 1.06 -- Table of contents 00 - Introduction 00.1 Background 01 - Hard coded...
Joomla VMap 1.9.2 SQL Injection Vulnerability
Exploit for php platform in category web applications Title: Joomla! VMap 1.9.2 - SQL injection Credit: Bilal KARDADOU Vendor: https://www.wdmtech.com URL: https://extensions.joomla.org/extensions/extension/maps-a-weather/maps-a-locations/vmap/ Product: 'Joomla! VMap 1.9.2' Developer: WDMtech...
Western Digital WDMyCloud 2.30.165 Multiple Vulnerabilities
WDMyCloud versions 2.30.165 and below suffer from file upload, hard coded backdoor, command injection, cross site request forgery, denial of service, and information disclosure vulnerabilities. WDMyCloud = 2.30.165 Multiple Vulnerabilities Released Date: 2018-01-04 Last Modified: 2017-06-11 Compa...