Search results

  1. Exploiter

    Exploit AMD / ARM / Intel - Speculative Execution Variant 4 Speculative Store Bypass

    AMD / ARM / Intel - Speculative Execution Variant 4 Speculative Store Bypass /* ======== Intro / Overview ======== After Michael Schwarz made some interesting observations, we started looking into variants other than the three already-known ones. I noticed that Intel's Optimization Manual...
  2. Exploiter

    Exploit Linux 4.4.0 < 4.4.0-53 - 'AF_PACKET chocobo_root' Local Privilege Escalation (Metasploit)

    Linux 4.4.0 < 4.4.0-53 - 'AF_PACKET chocobo_root' Local Privilege Escalation (Metasploit) ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = GoodRanking...
  3. Exploiter

    Exploit Microsoft Windows - 'POP/MOV SS' Privilege Escalation

    Microsoft Windows - 'POP/MOV SS' Privilege Escalation Demo exploitation of the POP SS vulnerability (CVE-2018-8897), leading to unsigned code execution with kernel privileges. - KVA Shadowing should be disabled and the relevant security update should be uninstalled. - This may not work with...
  4. Exploiter

    Exploit Linux 2.6.30 < 2.6.36-rc8 - Reliable Datagram Sockets (RDS) Privilege Escalation (Metasploit)

    Linux 2.6.30 < 2.6.36-rc8 - Reliable Datagram Sockets (RDS) Privilege Escalation (Metasploit) ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank =...
  5. Exploiter

    Exploit Bludit 3.9.2 - Authentication Bruteforce Bypass (Metasploit)

    Bludit 3.9.2 - Authentication Bruteforce Bypass (Metasploit) ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient...
  6. Exploiter

    Exploit Apache Tomcat - AJP 'Ghostcat' File Read/Inclusion (Metasploit)

    Apache Tomcat - AJP 'Ghostcat' File Read/Inclusion (Metasploit) require "msf/core" class MetasploitModule < Msf::Auxiliary Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) super(update_info(info, "Name" => "Ghostcat"...
  7. Exploiter

    Exploit Microsoft Edge Chakra JIT - Magic Value Type Confusion

    Microsoft Edge Chakra JIT - Magic Value Type Confusion /* BOOL JavascriptNativeFloatArray::SetItem(uint32 index, double dValue) { if (*(uint64*)&dValue == *(uint64*)&JavascriptNativeFloatArray::MissingItem) { JavascriptArray *varArr =...
  8. Exploiter

    Exploit Monitorr 1.7.6m - Remote Code Execution (Unauthenticated)

    Monitorr 1.7.6m - Remote Code Execution (Unauthenticated) #!/usr/bin/python # -*- coding: UTF-8 -*- # Exploit Title: Monitorr 1.7.6m - Remote Code Execution (Unauthenticated) # Date: September 12, 2020 # Exploit Author: Lyhin's Lab # Detailed Bug Description...
  9. Exploiter

    Exploit Monitorr 1.7.6m - Authorization Bypass

    Monitorr 1.7.6m - Authorization Bypass #!/usr/bin/python # -*- coding: UTF-8 -*- # Exploit Title: Monitorr 1.7.6m - Authorization Bypass # Date: September 12, 2020 # Exploit Author: Lyhin's Lab # Detailed Bug Description...
  10. Exploiter

    Exploit Foxit Reader 9.7.1 - Remote Command Execution (Javascript API)

    Foxit Reader 9.7.1 - Remote Command Execution (Javascript API) # Exploit Title: Foxit Reader 9.7.1 - Remote Command Execution (Javascript API) # Exploit Author: Nassim Asrir # Vendor Homepage: https://www.foxitsoftware.com/ # Description: Foxit Reader before 10.0 allows Remote Command...
  11. Exploiter

    Exploit Microsoft Edge Chakra JIT - Bound Check Elimination Bug

    Microsoft Edge Chakra JIT - Bound Check Elimination Bug /* Chakra uses the InvariantBlockBackwardIterator class to backpropagate the information about the hoisted bound checks. But the class follows the linked list instead of the control flow. This may lead to incorrectly remove the bound...
  12. Exploiter

    Exploit Linux 4.8.0 < 4.8.0-46 - AF_PACKET packet_set_ring Privilege Escalation (Metasploit)

    Linux 4.8.0 < 4.8.0-46 - AF_PACKET packet_set_ring Privilege Escalation (Metasploit) ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = GoodRanking...
  13. Exploiter

    Exploit Easy MPEG to DVD Burner 1.7.11 - Local Buffer Overflow (SEH) (DEP Bypass)

    Easy MPEG to DVD Burner 1.7.11 - Local Buffer Overflow (SEH) (DEP Bypass) #!/usr/bin/python #------------------------------------------------------------------------------------------------------------------------------------# # Exploit: Easy MPEG to DVD Burner 1.7.11 SEH + DEP Bypass Local...
  14. Exploiter

    Exploit TextPattern CMS 4.8.3 - Remote Code Execution (Authenticated)

    TextPattern CMS 4.8.3 - Remote Code Execution (Authenticated) #!/usr/bin/python3 # Exploit Title: TextPattern <= 4.8.3 - Authenticated Remote Code Execution via Unrestricted File Upload # Google Dork: N/A # Date: 16/10/2020 # Exploit Author: Michele '0blio_' Cisternino # Vendor Homepage...
  15. Exploiter

    Exploit InoERP 0.7.2 - Remote Code Execution (Unauthenticated)

    InoERP 0.7.2 - Remote Code Execution (Unauthenticated) #!/usr/bin/python # -*- coding: UTF-8 -*- # Exploit Title: InoERP 0.7.2 Unauthenticated Remote Code Execution # Date: March 14, 2020 # Exploit Author: Lyhin's Lab # Detailed Bug Description...
  16. Exploiter

    Exploit DynoRoot DHCP Client - Command Injection

    DynoRoot DHCP Client - Command Injection # Exploit Title: DynoRoot DHCP - Client Command Injection # Date: 2018-05-18 # Exploit Author: Kevin Kirsche # Exploit Repository: https://github.com/kkirsche/CVE-2018-1111 # Exploit Discoverer: Felix Wilhelm # Vendor Homepage: https://www.redhat.com/ #...
  17. Exploiter

    Exploit Linux < 4.16.9 / < 4.14.41 - 4-byte Infoleak via Uninitialized Struct Field in compat adjtimex Syscall

    Linux < 4.16.9 / < 4.14.41 - 4-byte Infoleak via Uninitialized Struct Field in compat adjtimex Syscall /* Commit 3a4d44b61625 ("ntp: Move adjtimex related compat syscalls to native counterparts") removed the memset() in compat_get_timex(). Since then, the compat adjtimex syscall can invoke...
  18. Exploiter

    Exploit Jenkins CLI - HTTP Java Deserialization (Metasploit)

    Jenkins CLI - HTTP Java Deserialization (Metasploit) ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking STAGE1 =...
  19. Exploiter

    Exploit Bludit 3.9.2 - Auth Bruteforce Bypass

    Bludit 3.9.2 - Auth Bruteforce Bypass #!/usr/bin/python3 # Exploit ## Title: Bludit <= 3.9.2 - Bruteforce Mitigation Bypass ## Author: ColdFusionX (Mayank Deshmukh) ## Author website: https://coldfusionx.github.io ## Date: 2020-10-19 ## Vendor Homepage: https://www.bludit.com/ ## Software...
  20. Exploiter

    Exploit Apache Struts 2 - Struts 1 Plugin Showcase OGNL Code Execution (Metasploit)

    Apache Struts 2 - Struts 1 Plugin Showcase OGNL Code Execution (Metasploit) ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking...
  21. Exploiter

    Exploit Libuser - 'roothelper' Local Privilege Escalation (Metasploit)

    Libuser - 'roothelper' Local Privilege Escalation (Metasploit) ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = GreatRanking include...
  22. Exploiter

    Exploit Nanopool Claymore Dual Miner 7.3 - Remote Code Execution

    Nanopool Claymore Dual Miner 7.3 - Remote Code Execution # Exploit Title: Nanopool Claymore Dual Miner >= 7.3 Remote Code Execution # Date: 2018/02/09 # Exploit Author: ReverseBrain # Vendor Homepage: https://nanopool.org/ # Software Link: https://github.com/nanopool/Claymore-Dual-Miner #...
  23. Exploiter

    Exploit Lot Reservation Management System 1.0 - Authentication Bypass

    Lot Reservation Management System 1.0 - Authentication Bypass #Exploit Title: lot reservation management system 1.0 - Authentication Bypass #Date: 2020-10-22 #Exploit Author: Ankita Pal #Vendor Homepage...
  24. Exploiter

    Exploit Microsoft Windows 2003 SP2 - 'RRAS' SMB Remote Code Execution

    Microsoft Windows 2003 SP2 - 'RRAS' SMB Remote Code Execution #!/usr/bin/env python # -*- coding: utf-8 -*- #Tested in Windows Server 2003 SP2 (ES) - Only works when RRAS service is enabled. #The exploited vulnerability is an arbitrary pointer dereference affecting the dwVarID field of the...
  25. Exploiter

    Exploit Microsoft Windows - Token Process Trust SID Access Check Bypass Privilege Escalation

    Microsoft Windows - Token Process Trust SID Access Check Bypass Privilege Escalation Windows: Token Trust SID Access Check Bypass EOP Platform: Windows 10 1709 (also tested current build of RS4) Class: Elevation of Privilege Summary: A token’s trust SID isn’t reset when setting a token after...