Yorick Koster

40 exploits Active since Jul 2009
CVE-2020-3153 NOMISEC MEDIUM WORKING POC
Cisco AnyConnect < - Path Traversal
A vulnerability in the installer component of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated local attacker to copy user-supplied files to system level directories with system level privileges. The vulnerability is due to the incorrect handling of directory paths. An attacker could exploit this vulnerability by creating a malicious file and copying the file to a system directory. An exploit could allow the attacker to copy malicious files to arbitrary locations with system level privileges. This could include DLL pre-loading, DLL hijacking, and other related attacks. To exploit this vulnerability, the attacker needs valid credentials on the Windows system.
CVSS 6.5
CVE-2017-8464 NOMISEC HIGH WORKING POC
Windows Shell - Remote Code Execution via Crafted .LNK File
Windows Shell in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows local users or remote attackers to execute arbitrary code via a crafted .LNK file, which is not properly handled during icon display in Windows Explorer or any other application that parses the icon of the shortcut. aka "LNK Remote Code Execution Vulnerability."
CVSS 8.8
CVE-2016-6897 METASPLOIT MEDIUM ruby WORKING POC
WordPress < 4.5.5 - Cross-Site Request Forgery via Late check_ajax_referer Call
Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by leveraging a late call to the check_ajax_referer function, a related issue to CVE-2016-6896.
CVSS 6.5
CVE-2017-8464 METASPLOIT HIGH ruby WORKING POC
Windows Shell - Remote Code Execution via Crafted .LNK File
Windows Shell in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows local users or remote attackers to execute arbitrary code via a crafted .LNK file, which is not properly handled during icon display in Windows Explorer or any other application that parses the icon of the shortcut. aka "LNK Remote Code Execution Vulnerability."
CVSS 8.8
CVE-2015-6128 EXPLOITDB ruby WORKING POC
Windows Vista SP2, Windows Server 2008 SP2/R2 SP1, Windows 7 SP1 - Privilege Escalation via Library Loading
Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 mishandle library loading, which allows local users to gain privileges via a crafted application, aka "Windows Library Loading Remote Code Execution Vulnerability."
CVE-2015-6132 EXPLOITDB ruby WORKING POC
Microsoft Windows - Local Privilege Escalation via Library Loading
Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 Gold and 1511 mishandle library loading, which allows local users to gain privileges via a crafted application, aka "Windows Library Loading Remote Code Execution Vulnerability."
CVE-2015-6133 EXPLOITDB ruby WORKING POC
Microsoft Windows 8, 8.1, RT, RT 8.1, Server 2012, Server 2012 R2, and 10 - Privilege Escalation via Library Loading
Microsoft Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 Gold and 1511 mishandle library loading, which allows local users to gain privileges via a crafted application, aka "Windows Library Loading Remote Code Execution Vulnerability."
CVE-2016-0041 EXPLOITDB HIGH ruby WORKING POC
Internet Explorer - DLL Loading Remote Code Execution
Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold and 1511, and Internet Explorer 10 and 11 mishandle DLL loading, which allows local users to gain privileges via a crafted application, aka "DLL Loading Remote Code Execution Vulnerability."
CVSS 7.8
CVE-2016-0100 EXPLOITDB HIGH ruby WORKING POC
Windows Vista SP2 and Server 2008 SP2 - Local Privilege Escalation via Library Loading
Microsoft Windows Vista SP2 and Server 2008 SP2 mishandle library loading, which allows local users to gain privileges via a crafted application, aka "Library Loading Input Validation Remote Code Execution Vulnerability."
CVSS 8.4
CVE-2016-6896 EXPLOITDB HIGH text WORKING POC
WordPress Traversal Directory DoS
Directory traversal vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress 4.5.3 allows remote authenticated users to cause a denial of service or read certain text files via a .. (dot dot) in the plugin parameter to wp-admin/admin-ajax.php, as demonstrated by /dev/random read operations that deplete the entropy pool.
CVSS 7.1
CVE-2016-6896 METASPLOIT HIGH ruby WORKING POC
WordPress Traversal Directory DoS
Directory traversal vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress 4.5.3 allows remote authenticated users to cause a denial of service or read certain text files via a .. (dot dot) in the plugin parameter to wp-admin/admin-ajax.php, as demonstrated by /dev/random read operations that deplete the entropy pool.
CVSS 7.1
CVE-2014-0514 METASPLOIT ruby WORKING POC
Adobe Reader Mobile < 11.2 - Remote Code Execution via JavaScript in PDF
The Adobe Reader Mobile application before 11.2 for Android does not properly restrict use of JavaScript, which allows remote attackers to execute arbitrary code via a crafted PDF document, a related issue to CVE-2012-6636.
CVE-2017-1000479 METASPLOIT HIGH ruby WORKING POC
pfSense < 2.4.2 - Clickjacking via CSRF Error Page
pfSense versions 2.4.1 and lower are vulnerable to clickjacking attacks in the CSRF error page resulting in privileged execution of arbitrary code, because the error detection occurs before an X-Frame-Options header is set. This is fixed in 2.4.2-RELEASE. OPNsense, a 2015 fork of pfSense, was not vulnerable since version 16.1.16 released on June 06, 2016. The unprotected web form was removed from the code during an internal security audit under "possibly insecure" suspicions.
CVSS 8.8
CVE-2016-3321 METASPLOIT LOW ruby WORKING POC
Microsoft Internet Explorer 10 and 11 - Information Disclosure via HTML5 Sandbox IFrame
Microsoft Internet Explorer 10 and 11 load different files for attempts to open a file:// URL depending on whether the file exists, which allows local users to enumerate files via vectors involving a file:// URL and an HTML5 sandbox iframe, aka "Internet Explorer Information Disclosure Vulnerability."
CVSS 2.5
CVE-2016-5330 METASPLOIT HIGH ruby WORKING POC
VMware Workstation Player 12.1.0-12.1.1 - Untrusted Search Path via HGFS Shared Folders
Untrusted search path vulnerability in the HGFS (aka Shared Folders) feature in VMware Tools 10.0.5 in VMware ESXi 5.0 through 6.0, VMware Workstation Pro 12.1.x before 12.1.1, VMware Workstation Player 12.1.x before 12.1.1, and VMware Fusion 8.1.x before 8.1.1 allows local users to gain privileges via a Trojan horse DLL in the current working directory.
CVSS 7.8
CVE-2017-0372 METASPLOIT CRITICAL ruby WORKING POC
MediaWiki < 1.23.16, 1.27.3, 1.28.2 - Parameter Injection in SyntaxHighlight Extension
Parameters injection in the SyntaxHighlight extension of Mediawiki before 1.23.16, 1.27.3 and 1.28.2 might result in multiple vulnerabilities.
CVSS 9.8
CVE-2015-0096 METASPLOIT ruby WORKING POC
Microsoft Windows Shell LNK Code Execution
Untrusted search path vulnerability in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a Trojan horse DLL in the current working directory, leading to DLL loading during Windows Explorer access to the icon of a crafted shortcut, aka "DLL Planting Remote Code Execution Vulnerability."
CVE-2020-3153 METASPLOIT MEDIUM ruby WORKING POC
Cisco AnyConnect < - Path Traversal
A vulnerability in the installer component of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated local attacker to copy user-supplied files to system level directories with system level privileges. The vulnerability is due to the incorrect handling of directory paths. An attacker could exploit this vulnerability by creating a malicious file and copying the file to a system directory. An exploit could allow the attacker to copy malicious files to arbitrary locations with system level privileges. This could include DLL pre-loading, DLL hijacking, and other related attacks. To exploit this vulnerability, the attacker needs valid credentials on the Windows system.
CVSS 6.5
CVE-2016-0100 METASPLOIT HIGH ruby WORKING POC
Windows Vista SP2 and Server 2008 SP2 - Local Privilege Escalation via Library Loading
Microsoft Windows Vista SP2 and Server 2008 SP2 mishandle library loading, which allows local users to gain privileges via a crafted application, aka "Library Loading Input Validation Remote Code Execution Vulnerability."
CVSS 8.4
CVE-2015-0096 METASPLOIT ruby WORKING POC
Microsoft Windows Shell LNK Code Execution
Untrusted search path vulnerability in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a Trojan horse DLL in the current working directory, leading to DLL loading during Windows Explorer access to the icon of a crafted shortcut, aka "DLL Planting Remote Code Execution Vulnerability."
CVE-2012-0013 METASPLOIT ruby WORKING POC
MS12-005 Microsoft Office ClickOnce Unsafe Object Package Handling Vulnerability
Incomplete blacklist vulnerability in the Windows Packager configuration in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code via a crafted ClickOnce application in a Microsoft Office document, related to .application files, aka "Assembly Execution Vulnerability."
CVE-2010-0266 METASPLOIT ruby WORKING POC
Microsoft Outlook 2002 SP3, 2003 SP3, 2007 SP1/SP2 - Remote Code Execution via SMB Attachment Handling
Microsoft Office Outlook 2002 SP3, 2003 SP3, and 2007 SP1 and SP2 does not properly verify e-mail attachments with a PR_ATTACH_METHOD property value of ATTACH_BY_REFERENCE, which allows user-assisted remote attackers to execute arbitrary code via a crafted message, aka "Microsoft Outlook SMB Attachment Vulnerability."
CVE-2010-0266 METASPLOIT ruby WORKING POC
Microsoft Outlook 2002 SP3, 2003 SP3, 2007 SP1/SP2 - Remote Code Execution via SMB Attachment Handling
Microsoft Office Outlook 2002 SP3, 2003 SP3, and 2007 SP1 and SP2 does not properly verify e-mail attachments with a PR_ATTACH_METHOD property value of ATTACH_BY_REFERENCE, which allows user-assisted remote attackers to execute arbitrary code via a crafted message, aka "Microsoft Outlook SMB Attachment Vulnerability."
CVE-2010-0266 EXPLOITDB ruby WORKING POC
Microsoft Outlook 2002 SP3, 2003 SP3, 2007 SP1/SP2 - Remote Code Execution via SMB Attachment Handling
Microsoft Office Outlook 2002 SP3, 2003 SP3, and 2007 SP1 and SP2 does not properly verify e-mail attachments with a PR_ATTACH_METHOD property value of ATTACH_BY_REFERENCE, which allows user-assisted remote attackers to execute arbitrary code via a crafted message, aka "Microsoft Outlook SMB Attachment Vulnerability."
CVE-2010-0266 EXPLOITDB ruby WORKING POC
Microsoft Outlook 2002 SP3, 2003 SP3, 2007 SP1/SP2 - Remote Code Execution via SMB Attachment Handling
Microsoft Office Outlook 2002 SP3, 2003 SP3, and 2007 SP1 and SP2 does not properly verify e-mail attachments with a PR_ATTACH_METHOD property value of ATTACH_BY_REFERENCE, which allows user-assisted remote attackers to execute arbitrary code via a crafted message, aka "Microsoft Outlook SMB Attachment Vulnerability."