Linux kernel versions starting at 4.10 and below 5.1.7 PTRACE_TRACEME local root exploit that uses the pkexec technique.

TP-LINK Cloud Cameras including products NC260 and NC450 suffer from a command injection vulnerability. The issue is located in the httpSetEncryptKeyRpm method (handler for /setEncryptKey.fcgi) of the ipcamera binary, where the user-controlled EncryptKey parameter is used directly as part of a command line to be executed as root without any input sanitization.

Recon-Informer is a basic real-time anti-reconnaissance detection tool for offensive security systems, useful for penetration testers. It runs on Windows/Linux and leverages scapy.

User Management System version 2.0 suffers from a persistent cross site scripting vulnerability.

Complaint Management System version 4.2 suffers from a persistent cross site scripting vulnerability.

WordPress WooCommerce Advanced Order Export plugin version 3.1.3 suffers from a cross site scripting vulnerability.

WordPress Dosimple theme version 2.0 suffers from a cross site scripting vulnerability.

Grub2 has grub2-set-bootflag setuid in the new Fedora release and has the ability to corrupt the environment.

Whitepaper from Phrack called .NET Instrumentation via MSIL bytecode injection.

This whitepaper goes into detail on design and implementation details for performing voice encryption on telephone networks. Written in Spanish.

An ICMPv6 router announcement flooding denial of service vulnerability affects multiple systems including Cisco, Juniper, Microsoft, and FreeBSD. Cisco has addressed the issue but Microsoft has decided to ignore it.

Whitepaper called Blue Team vs. Red Team: How to run your encrypted binaries in memory and go undetected. This paper discusses the golden frieza project.

Whitepaper called Exploiting CAN-Bus using Instrument Cluster Simulator.

Whitepaper called Bypassing Root Detection Mechanism. Written in Persian.

The ByteComponentRaster.verify() method in Oracle Java versions prior to 7u25 is vulnerable to a memory corruption vulnerability that allows bypassing of "dataOffsets[]" boundary checks. This exploit code demonstrates remote code execution by popping calc.exe. It was obtained through the Packet Storm Bug Bounty program.

The ShortComponentRaster.verify() method in Oracle Java versions prior to 7u25 is vulnerable to a memory corruption vulnerability that allows bypassing of "dataOffsets[]" boundary checks when the "numDataElements" field is 0. This exploit code demonstrates remote code execution by popping calc.exe. It was obtained through the Packet Storm Bug Bounty program.

This exploit leverages both invalid typecast and memory disclosure vulnerabilities in Microsoft Silverlight 5 in order to achieve code execution. This exploit code demonstrates remote code execution by popping calc.exe. It was obtained through the Packet Storm Bug Bounty program. Google flags this as malware so only use this if you know what you are doing. The password to unarchive this zip is the word "infected".

Microsoft Silverlight 5 suffers from invalid typecast and memory disclosure vulnerabilities that, when leveraged together, allow for arbitrary code execution. A memory disclosure vulnerability exists in the public WriteableBitmap class from System.Windows.dll. This class allows reading of image pixels from the user-defined data stream via the public SetSource() method. BitmapSource.ReadStream() allocates and returns byte array and a count of array items as out parameters. These returned values are taken from the input stream and they can be fully controlled by the untrusted code. When returned "count" is greater than "array.Length", then data outside the "array" are used as input stream data by the native BitmapSource_SetSource() from agcore.dll. Later all data can be viewed via the public WriteableBitmap.Pixels[] property. Exploitation details related to these findings were purchased through the Packet Storm Bug Bounty program.

This Metasploit module exploits a vulnerability on Microsoft Silverlight. The vulnerability exists on the Initialize() method from System.Windows.Browser.ScriptObject, which access memory in an unsafe manner. Since it is accessible for untrusted code (user controlled) it's possible to dereference arbitrary memory which easily leverages to arbitrary code execution. In order to bypass DEP/ASLR a second vulnerability is used, in the public WriteableBitmap class from System.Windows.dll. This Metasploit module has been tested successfully on IE6 - IE10, Windows XP SP3 / Windows 7 SP1 on both x32 and x64 architectures.

Triologic Media Player version 8 suffers from a .m3l local buffer overflow vulnerability.

WordPress Media Library Assistant plugin version 2.81 suffers from a local file inclusion vulnerability.

The Microsoft Windows kernel suffers from a 64-bit pool memory disclosure vulnerability via REG_RESOURCE_LIST registry values (CmResourceTypeDevicePrivate entries).

The Microsoft Windows kernel suffers from a 64-bit pool memory disclosure vulnerability via REG_RESOURCE_LIST registry values (videoprt.sys descriptors).

The Microsoft Windows kernel suffers from a 64-bit pool memory disclosure vulnerability via REG_RESOURCE_REQUIREMENTS_LIST registry values.

The Windows registry editor allows specially crafted .reg filenames to spoof the default registry dialog warning box presented to an end user. This can potentially trick unsavvy users into choosing the wrong selection shown on the dialog box. Furthermore, we can deny the registry editor its ability to show the default secondary status dialog box (Win 10), thereby hiding the fact that our attack was successful.

The Microsoft Windows kernel's Registry Virtualization does not safely open the real key for a virtualization location leading to enumerating arbitrary keys resulting in privilege escalation.

AVideo Platform version 8.1 suffers from an information disclosure vulnerability that allows for user enumeration.

Cisco M1070 Content Security Management Appliance IronPort remote host header injection exploit.