Search results

  1. Exploiter

    Exploit Oracle Hospitality Simphony (MICROS) 2.7 < 2.9 - Directory Traversal

    Oracle Hospitality Simphony (MICROS) 2.7 < 2.9 - Directory Traversal # Exploit Title: Oracle Hospitality Simphony (MICROS) directory traversal # Date: 30.01.2018 # Exploit Author: Dmitry Chastuhin (https://twitter.com/_chipik) # Vendor Homepage: http://www.oracle.com/ # Version: 2.7, 2.8 and...
  2. Exploiter

    Exploit Microsoft Windows Subsystem for Linux - 'execve()' Local Privilege Escalation

    Microsoft Windows Subsystem for Linux - 'execve()' Local Privilege Escalation #define _GNU_SOURCE #include <errno.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <fcntl.h> #include <sys/socket.h> #include <sys/stat.h> #include <sys/wait.h> #include...
  3. Exploiter

    Exploit Oracle WebLogic - wls-wsat Component Deserialization Remote Code Execution (Metasploit)

    Oracle WebLogic - wls-wsat Component Deserialization Remote Code Execution (Metasploit) ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank =...
  4. Exploiter

    Exploit WebKit - 'detachWrapper' Use-After-Free

    WebKit - 'detachWrapper' Use-After-Free <!-- There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of Revision 225572 on OSX. The PoC is attached. Preliminary Analysis: SVGPropertyTearOff keeps a pointer to a SVG property in m_value. When...
  5. Exploiter

    Exploit WebKit - 'WebCore::FrameView::clientToLayoutViewportPoint' Use-After-Free

    WebKit - 'WebCore::FrameView::clientToLayoutViewportPoint' Use-After-Free <!-- There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of Revision 225572 on OSX. PoC: ================================================================= -->...
  6. Exploiter

    Exploit Blizzard Update Agent - JSON RPC DNS Rebinding

    Blizzard Update Agent - JSON RPC DNS Rebinding All blizzard games are installed alongside a shared tool called "Blizzard Update Agent", investor.activision.com claims they have "500 million monthly active users", who presumably all have this utility installed. The agent utility creates an...
  7. Exploiter

    Exploit Trend Micro Threat Discovery Appliance 2.6.1062r1 - 'dlp_policy_upload.cgi' Remote Code Execution

    Trend Micro Threat Discovery Appliance 2.6.1062r1 - 'dlp_policy_upload.cgi' Remote Code Execution #!/usr/local/bin/python """ Trend Micro Threat Discovery Appliance <= 2.6.1062r1 dlp_policy_upload.cgi Remote Code Execution Vulnerability Found by: Steven Seeley of Source Incite & Roberto Suggi...
  8. Exploiter

    Exploit macOS - 'sysctl_vfs_generic_conf' Stack Leak Through Struct Padding

    macOS - 'sysctl_vfs_generic_conf' Stack Leak Through Struct Padding /* The sysctls vfs.generic.conf.* are handled by sysctl_vfs_generic_conf(), which is implemented as follows: static int sysctl_vfs_generic_conf SYSCTL_HANDLER_ARGS { int *name, namelen; struct vfstable *vfsp...
  9. Exploiter

    Exploit Sync Breeze Enterprise 9.5.16 - 'Import Command' Buffer Overflow (Metasploit)

    Sync Breeze Enterprise 9.5.16 - 'Import Command' Buffer Overflow (Metasploit) ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking...
  10. Exploiter

    Exploit Kaltura - Remote PHP Code Execution over Cookie (Metasploit)

    Kaltura - Remote PHP Code Execution over Cookie (Metasploit) ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking CookieSecret =...
  11. Exploiter

    Exploit GoAhead Web Server 2.5 < 3.6.5 - HTTPd 'LD_PRELOAD' Arbitrary Module Load (Metasploit)

    GoAhead Web Server 2.5 < 3.6.5 - HTTPd 'LD_PRELOAD' Arbitrary Module Load (Metasploit) ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank =...
  12. Exploiter

    Exploit Oracle JDeveloper 11.1.x/12.x - Directory Traversal

    Oracle JDeveloper 11.1.x/12.x - Directory Traversal [+] Credits: John Page (aka hyp3rlinx) [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/ORACLE-JDEVELOPER-DIRECTORY-TRAVERSAL.txt [+] ISR: apparition security Vendor: =============...
  13. Exploiter

    Exploit HP Connected Backup 8.6/8.8.6 - Local Privilege Escalation

    HP Connected Backup 8.6/8.8.6 - Local Privilege Escalation #Tested on HP Connected Backup version 8.8.2.0 on Windows 7 x64 import os import sys import time import requests from bs4 import BeautifulSoup def send_request(body): url="http://localhost:16386/" headers = {"Content-Type"...
  14. Exploiter

    Exploit WordPress Plugin Email Subscribers & Newsletters 3.4.7 - Information Disclosure

    WordPress Plugin Email Subscribers & Newsletters 3.4.7 - Information Disclosure # Exploit Title: WordPress Plugin Email Subscribers & Newsletters 3.4.7 - Information Disclosure # Google Dork: # Date: 2018-01-23 # Exploit Author: ThreatPress Security # Vendor Homepage: http://icegram.com/ #...
  15. Exploiter

    Exploit Microsoft Edge Chakra JIT - Stack-to-Heap Copy

    Microsoft Edge Chakra JIT - Stack-to-Heap Copy /* If variables don't escape the scope, the variables can be allocated to the stack. However, there are some situations, such as when a bailout happens or accessing to arguments containing stack-allocated variables, where those variables should...
  16. Exploiter

    Exploit glibc < 2.26 - 'getcwd()' Local Privilege Escalation

    glibc < 2.26 - 'getcwd()' Local Privilege Escalation /** This software is provided by the copyright owner "as is" and any * expressed or implied warranties, including, but not limited to, * the implied warranties of merchantability and fitness for a particular * purpose are disclaimed...
  17. Exploiter

    Exploit macOS 10.13 (17A365) - Kernel Memory Disclosure due to Lack of Bounds Checking in 'AppleIntelCapriController::getDisplayPipeCapability'

    macOS 10.13 (17A365) - Kernel Memory Disclosure due to Lack of Bounds Checking in 'AppleIntelCapriController::getDisplayPipeCapability' /* AppleIntelCapriController::getDisplayPipeCapability reads an attacker-controlled dword value from a userclient structure input buffer which it uses to...
  18. Exploiter

    Exploit Microsoft Edge Chakra - Incorrect Scope Handling

    Microsoft Edge Chakra - Incorrect Scope Handling // PoC: (function func(arg = function () { print(func); // SetHasOwnLocalInClosure should be called for the param scope in the PostVisitFunction function. }()) { print(func); function func() { } })(); // Chakra fails to...
  19. Exploiter

    Exploit Microsoft Edge Chakra - Deferred Parsing Makes Wrong Scopes (2)

    Microsoft Edge Chakra - Deferred Parsing Makes Wrong Scopes (2) /* Since the PoC is only triggerable when the "DeferParse" flag enabled and requires a with statement, I think this is similar to issue 1310 . PoC: */ // Enable the flag using '\n'.repeat(0x1000) eval(`(function f() { with...
  20. Exploiter

    Exploit Microsoft Edge Chakra JIT - Out-of-Bounds Write

    Microsoft Edge Chakra JIT - Out-of-Bounds Write // Here's the PoC demonstrating OOB write. function opt(arr, start, end) { for (let i = start; i < end; i++) { if (i === 10) { i += 0; // <<-- (a) } arr[i] = 2.3023e-320; } } function main() {...
  21. Exploiter

    Exploit Microsoft Edge Chakra - 'AsmJSByteCodeGenerator::EmitCall' Out-of-Bounds Read

    Microsoft Edge Chakra - 'AsmJSByteCodeGenerator::EmitCall' Out-of-Bounds Read /* AsmJSByteCodeGenerator::EmitCall which is used to emit call instructions doesn't check if an array identifier is used as callee. The method handles those invalid calls in the same way it handles valid calls such...
  22. Exploiter

    Exploit Transmission - RPC DNS Rebinding

    Transmission - RPC DNS Rebinding The transmission bittorrent client uses a client/server architecture, the user interface is the client and a daemon runs in the background managing the downloading, seeding, etc. Clients interact with the daemon using JSON RPC requests to a web server...
  23. Exploiter

    Exploit Microsoft Edge Chakra JIT - Incorrect Bounds Calculation

    Microsoft Edge Chakra JIT - Incorrect Bounds Calculation /* Let's start with comments in the "GlobOpt::TrackIntSpecializedAddSubConstant" method. // Track bounds for add or sub with a constant. For instance, consider (b = a + 2). The value of 'b' should track // that it...
  24. Exploiter

    Exploit Microsoft Edge Chakra - 'JavascriptGeneratorFunction::GetPropertyBuiltIns' Type Confusion

    Microsoft Edge Chakra - 'JavascriptGeneratorFunction::GetPropertyBuiltIns' Type Confusion /* Here's a snippet of the method. bool JavascriptGeneratorFunction::GetPropertyBuiltIns(Var originalInstance, PropertyId propertyId, Var* value, PropertyValueInfo* info, ScriptContext* requestContext...
  25. Exploiter

    Exploit Oracle E-Business Suite 12.1.3/12.2.x - Open Redirect

    Oracle E-Business Suite 12.1.3/12.2.x - Open Redirect # Exploit Title: Oracle E-Business suite Open Redirect # Google Dork: inurl:OA_HTML/cabo/ # Date: April 2017 # Exploit Author: [author] # Vendor Homepage: http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html #...