Search results

  1. Microsoft Edge Chakra JIT - 'LdThis' Type Confusion

     /* LdThis instructions' value type is assumed to be "Object". Since "this" can be other objects like an array, it has to be assumed to be "LikelyObject", otherwise, operations to "this" will not be checked properly. PoC: */ function...
  2. Linux Polkit - pkexec helper PTRACE_TRACEME local root (Metasploit)

     ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include...
  3. Microsoft Edge Chakra JIT - ImplicitCallFlags Checks Bypass

     /* Here's a snippet of ExecuteImplicitCall which is responsible for updating the ImplicitCallFlags flag. template <class Fn> inline Js::Var ExecuteImplicitCall(Js::RecyclableObject * function, Js::ImplicitCallFlags flags, Fn...
  4. Total.js CMS 12 - Widget JavaScript Code Injection (Metasploit)

     ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include...
  5. Microsoft Edge Chakra JIT - Array Type Confusion via InitProto Instructions

     /* If a native array is used as a prototype, it is converted to a Var array by the Js::JavascriptNativeFloatArray::SetIsPrototype method. In the JIT compiler, it uses InitProto instructions to set object literals'...
  6. Microsoft Edge Chakra JIT - 'Array.prototype.reverse' Array Type Confusion

     /* This is similar to the previous issue 1457. But this time, we use Array.prototype.reverse. Array.prototype.reverse can be inlined and may invoke EnsureNonNativeArray to convert the prototype of "this" to a Var...
  7. Microsoft Edge Chakra JIT - Memory Corruption

     /* Let's consider the following example code. function opt() { let arr = []; return arr['x']; } // Optimize the "opt" function. for (let i = 0; i < 100; i++) { opt(); } Array.prototype.__defineGetter__('x', function () { })...
  8. Trend Micro Anti-Threat Toolkit 1.62.0.1218 - Remote Code Execution

     # Exploit Title: Trend Micro Anti-Threat Toolkit 1.62.0.1218 - Remote Code Execution # Date: 2019-10-19 # Exploit Author: hyp3rlinx # Vendor Homepage: www.trendmicro.com # Version: 1.62.0.1218 and below # Tested on: Microsoft...
  9. Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow due to Malformed JP2 Stream (2)

     We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file: --- cut --- (7f2c.8be8): Access violation...
  10. Dell EMC Isilon OneFS - Multiple Vulnerabilities

      Core Security - Corelabs Advisory http://corelabs.coresecurity.com/ Dell EMC Isilon OneFS Multiple Vulnerabilities 1. **Advisory Information** Title: Dell EMC Isilon OneFS Multiple Vulnerabilities Advisory ID: CORE-2017-0009 Advisory URL...
  11. ThinVNC 1.0b1 - Authentication Bypass

      # Exploit Title: ThinVNC 1.0b1 - Authentication Bypass # Date: 2019-10-17 # Exploit Author: Nikhith Tumamlapalli # Contributor WarMarX # Vendor Homepage: https://sourceforge.net/projects/thinvnc/ # Software Link...
  12. Microsoft Edge Chakra JIT - 'GlobOpt::OptTagChecks' Must Consider IsLoopPrePass Properly (2)

      It seems this is the patch for the bug. https://github.com/Microsoft/ChakraCore/pull/4226/commits/874551dd00ff6f404e593c7e0162efb54b953f5a The following two cases will bypass the fix. 1: function...
  13. glibc - '$ORIGIN' Expansion Privilege Escalation (Metasploit)

      ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core/exploit/local/linux' require 'msf/core/exploit/exe' class MetasploitModule...
  14. glibc - 'LD_AUDIT' Arbitrary DSO Load Privilege Escalation (Metasploit)

      ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core/exploit/local/linux' require 'msf/core/exploit/exe' class...
  15. CloudMe Sync < 1.11.0 - Buffer Overflow

      [+] Credits: John Page (aka hyp3rlinx) [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/CLOUDME-SYNC-UNAUTHENTICATED-REMOTE-BUFFER-OVERFLOW.txt [+] ISR: Apparition Security [+] SSD Beyond Security...
  16. Android - 'getpidcon' Permission Bypass in KeyStore Service

      The keystore binder service ("android.security.IKeystoreService") allows users to issue several commands related to key management, including adding, removing, exporting and generating cryptographic keys. The service is accessible to...
  17. macOS Kernel - Use-After-Free Due to Lack of Locking in 'AppleEmbeddedOSSupportHostClient::registerNotificationPort'

      /* AppleEmbeddedOSSupportHost.kext is presumably involved in the communication with the OS running on the touch bar on new MBP models. Here's the userclient's...
  18. Juju-run Agent - Privilege Escalation (Metasploit)

      ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Post::File...
  19. Asterisk 13.17.2 - 'chan_skinny' Remote Memory Corruption

      # Exploit Author: Juan Sacco <[email protected]> - http://exploitpack.com # Vulnerability found using Exploit Pack v10 - Fuzzer module # CVE-2017-17090 - AST-2017-013 # # Tested on: Asterisk 13.17.2~dfsg-2 # # Description...
  20. Online Test Script 2.0.7 - 'cid' SQL Injection

      # Exploit Title: Online Test Script 2.0.7 - 'cid' SQL Injection # Dork: N/A # Date: 2018-02-07 # Exploit Author: Borna nematzadeh (L0RD) or [email protected] # Vendor Homepage: https://www.phpscriptsmall.com/product/online-test-script/...
  21. Entrepreneur Dating Script 2.0.2 - Authentication Bypass

      # Exploit Title: Entrepreneur Dating Script 2.0.2 - Authentication Bypass # Dork: N/A # Date: 2018-02-07 # Exploit Author: Borna nematzadeh (L0RD) or [email protected] # Vendor Homepage...
  22. Wonder CMS 2.3.1 - Unrestricted File Upload

      Affected Code: public static function _uploadFile() { + - if ( ! wCMS::$loggedIn && ! isset($_FILES['uploadFile']) && ! isset($_REQUEST['token'])) return; + private static function uploadFileAction() - if (isset($_REQUEST['token']) &&...
  23. Microsoft Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010)

      ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## # Windows XP systems that are not...
  24. Apport/ABRT - 'chroot' Local Privilege Escalation (Metasploit)

      ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include...
  25. BMC Server Automation RSCD Agent - NSH Remote Command Execution (Metasploit)

      ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking...