Repository that tracks public exploits, vulnerabilities and advisories that I [co-]discovered or [co-]authored.

rdomanski/Exploits_and_Advisories

Exploits and Advisories

CVEs

| CVE ID | Target | Description | Disclosure |
| --- | --- | --- | --- |
| CVE-2020-10881 ZDI-20-333 | TP-Link Archer A7/C7 | DNS stack overflow | Pwn2Own Tokyo 2019 |
| CVE-2020-10882 ZDI-20-334 | TP-Link Archer A7/C7 | command injection | Pwn2Own Tokyo 2019 |
| CVE-2020-10883 ZDI-20-335 | TP-Link Archer A7/C7 | insecure filesystem | Pwn2Own Tokyo 2019 |
| CVE-2020-10884 ZDI-20-336 | TP-Link Archer A7/C7 | hardcoded crypto key | Pwn2Own Tokyo 2019 |
| CVE-2020-10885 ZDI-20-337 | TP-Link Archer A7/C7 | DNS validation error | Pwn2Own Tokyo 2019 |
| CVE-2020-10923 ZDI-20-703 | Netgear R6700 | auth bypass | Pwn2Own Tokyo 2019 |
| CVE-2020-10924 ZDI-20-704 | Netgear R6700 | stack buffer overflow | Pwn2Own Tokyo 2019 |
| CVE-2020-10925 ZDI-20-705 | Netgear R6700 | improper cert validation | Pwn2Own Tokyo 2019 |
| CVE-2020-10926 ZDI-20-706 | Netgear R6700 | download and execution of unverified code | Pwn2Own Tokyo 2019 |
| CVE-2020-10927 ZDI-20-707 | Netgear R6700 | hardcoded crypto keys / weak crypto | Pwn2Own Tokyo 2019 |
| CVE-2020-12004 ZDI-20-685 | Inductive Automation Ignition | missing authentication | Pwn2Own Miami 2020 |
| CVE-2020-10544 ZDI-20-686 | Inductive Automation Ignition | deserialization of untrusted data | Pwn2Own Miami 2020 |
| CVE-2020-12027 ZDI-20-727 | Rockwell FactoryTalk SE | info disclosure (project list) | Pwn2Own Miami 2020 |
| ZDI-20-728 | Rockwell FactoryTalk SE | info disclosure (project path) | Pwn2Own Miami 2020 |
| CVE-2020-12028 ZDI-20-729 | Rockwell FactoryTalk SE | missing auth for critical function | Pwn2Own Miami 2020 |
| CVE-2020-12029 ZDI-20-730 | Rockwell FactoryTalk SE | directory traversal | Pwn2Own Miami 2020 |
| CVE-2020-12009 ZDI-20-777 | Iconics Genesis64 | dir traversal / rce | Pwn2Own Miami 2020 |
| CVE-2020-15635 ZDI-20-936 | Netgear R6700 | pre-authentication buffer overflow | |
| CVE-2020-15636 ZDI-20-937 | Netgear R6400, R6700, R7000, R7850, R7900, R8000, RS400, XR300 | stack buffer overflow | |
| CVE-2020-28347 | TP-Link Archer A7/C7 | command injection | Pwn2Own Miami 2020 |
| CVE-2021-27245 ZDI-21-214 | TP-Link Archer A7 | Firewall Bypass Vulnerability | Pwn2Own Tokyo 2020 |
| CVE-2021-27251 ZDI-21-247 | Netgear Nighthawk R7800 | ready-genie-cloud Insecure Download of Critical Component RCE | Pwn2Own Tokyo 2020 |
| CVE-2021-27257 ZDI-21-264 | Netgear Nighthawk R7800 | ready-genie-cloud Improper Certificate Validation RCE | |
| CVE-2021-31505 ZDI-21-683 | Arlo Q Plus | SSH Use of Hard-coded Credentials Privilege Escalation Vulnerability | |
| CVE-2021-35003 ZDI-22-080 | TP-Link Archer C90 | DNS stack buffer overflow | |
| CVE-2021-35004 ZDI-22-081 | TP-Link TL-WA1201 | DNS stack buffer overflow | |
| CVE-2022-1069 ZDI-22-1159 | Softing SIS | out of bounds read dos | |
| CVE-2022-2335 ZDI-22-1160 | Softing SIS | int underflow dos | |
| CVE-2022-2336 ZDI-22-1161 | Softing SIS | auth bypass | |
| CVE-2022-2337 ZDI-22-1157 | Softing SIS | uri null deref | |
| CVE-2022-2547 ZDI-22-1158 | Softing SIS | content-type null deref | |
| CVE-2022-20699 | Cisco RV340 VPN Gateway | SSL VPN stack buffer overflow | Pwn2Own Austin 2021 |
| CVE-2022-28687 ZDI-22-1126 | AVEVA Edge | uncontrolled search path rce | Pwn2Own Miami 2022 |

Exploits

| Target | Link | Write-up |
| --- | --- | --- |
| Inductive Automation Ignition | inductive_ignition_rce | rce_me_v2 |
| Netgear R6700 | netgear_r6700_pass_reset | tokyo_drift |
| TP-Link Archer A7/C7 | tplink_archer_a7_c7_lan_rce | lao_bomb |
| Rockwell FactoryTalk | rockwell_factorytalk_rce | replicant |
| Cisco RV340 | flashback_connects_original | flashback_connects |
| Western Digital PR4100 | | weekend_destroyer |

~ Team Flashback
