Search results

  1. Exploiter

    Exploit ILIAS < 5.2.4 - Cross-Site Scripting

    ILIAS < 5.2.4 - Cross-Site Scripting # Exploit Title: Cross Site Scripting in ILIAS CMS 5.2.3 # Date: Apr 24, 2017 # Software Link: https://www.ilias.de # Exploit Author: Florian Kunushevci # Contact: https://facebook.com/florianx00 # CVE: CVE-2018-5688 # Category: webapps 1. Description...
  2. Exploiter

    Exploit Synology Photo Station 6.8.2-3461 - 'SYNOPHOTO_Flickr_MultiUpload' Race Condition File Write Remote Code Execution

    Synology Photo Station 6.8.2-3461 - 'SYNOPHOTO_Flickr_MultiUpload' Race Condition File Write Remote Code Execution #!/usr/local/bin/python """ Synology Photo Station <= 6.8.2-3461 (latest) SYNOPHOTO_Flickr_MultiUpload Race Condition File Write Remote Code Execution Vulnerability Found by...
  3. Exploiter

    Exploit phpCollab 2.5.1 - File Upload (Metasploit)

    phpCollab 2.5.1 - File Upload (Metasploit) ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include...
  4. Exploiter

    Exploit macOS - 'process_policy' Stack Leak Through Uninitialized Field

    macOS - 'process_policy' Stack Leak Through Uninitialized Field /* The syscall process_policy(scope=PROC_POLICY_SCOPE_PROCESS, action=PROC_POLICY_ACTION_GET, policy=PROC_POLICY_RESOURCE_USAGE, policy_subtype=PROC_POLICY_RUSAGE_CPU, attrp=<userbuf>, target_pid=0, target_threadid=<ignored>)...
  5. Exploiter

    Exploit Microsoft Edge Chakra - 'AppendLeftOverItemsFromEndSegment' Out-of-Bounds Read

    Microsoft Edge Chakra - 'AppendLeftOverItemsFromEndSegment' Out-of-Bounds Read /* Here's a snippet of AppendLeftOverItemsFromEndSegment in JavascriptArray.inl. growby = endSeg->length; current = current->GrowByMin(recycler, growby); CopyArray(current->elements + endIndex + 1, endSeg->length...
  6. Exploiter

    Exploit PyroBatchFTP < 3.19 - Buffer Overflow

    PyroBatchFTP < 3.19 - Buffer Overflow ============================================= MGC ALERT 2018-001 - Original release date: December 22, 2017 - Last revised: January 12, 2018 - Discovered by: Manuel García Cárdenas - Severity: 7,5/10 (CVSS Base Score)...
  7. Exploiter

    Exploit Microsoft Windows - NtImpersonateAnonymousToken LPAC to Non-LPAC Privilege Escalation

    Microsoft Windows - NtImpersonateAnonymousToken LPAC to Non-LPAC Privilege Escalation Windows: NtImpersonateAnonymousToken LPAC to Non-LPAC EoP Platform: Windows 10 1703 and 1709 (not tested Windows 8.x) Class: Elevation of Privilege Summary: When impersonating the anonymous token in an LPAC...
  8. Exploiter

    Exploit Microsoft Windows SMB Server (v1/v2) - Mount Point Arbitrary Device Open Privilege Escalation

    Microsoft Windows SMB Server (v1/v2) - Mount Point Arbitrary Device Open Privilege Escalation Windows: SMB Server (v1 and v2) Mount Point Arbitrary Device Open EoP Platform: Windows 10 1703 and 1709 (seems the same on 7 and 8.1 but not extensively tested) Class: Elevation of Privilege...
  9. Exploiter

    Exploit LabF nfsAxe 3.7 FTP Client - Stack Buffer Overflow (Metasploit)

    LabF nfsAxe 3.7 FTP Client - Stack Buffer Overflow (Metasploit) ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include...
  10. Exploiter

    Exploit Android - Hardware Service Manager Arbitrary Service Replacement due to getpidcon

    Android - Hardware Service Manager Arbitrary Service Replacement due to getpidcon This bug is similar to Jann Horn's issue (https://bugs.chromium.org/p/project-zero/issues/detail?id=851) -- credit should go to him. The hardware service manager allows the registration of HAL services. These...
  11. Exploiter

    Exploit Microsoft Windows - NTFS Owner/Mandatory Label Privilege Bypass

    Microsoft Windows - NTFS Owner/Mandatory Label Privilege Bypass /* Windows: NTFS Owner/Mandatory Label Privilege Bypass EoP Platform: Windows 10 1709 not tested 8.1 Update 2 or Windows 7 Class: Elevation of Privilege Summary: When creating a new file on an NTFS drive it’s possible to...
  12. Exploiter

    Exploit Microsoft Windows - NtImpersonateAnonymousToken AC to Non-AC Privilege Escalation

    Microsoft Windows - NtImpersonateAnonymousToken AC to Non-AC Privilege Escalation Windows: NtImpersonateAnonymousToken AC to Non-AC EoP Platform: Windows 10 1703 and 1709 Class: Elevation of Privilege Summary: The check for an AC token when impersonating the anonymous token doesn’t check...
  13. Exploiter

    Exploit Microsoft Edge Chakra JIT - 'Lowerer::LowerSetConcatStrMultiItem' Missing Integer Overflow Check

    Microsoft Edge Chakra JIT - 'Lowerer::LowerSetConcatStrMultiItem' Missing Integer Overflow Check /* The method "Lowerer::LowerSetConcatStrMultiItem" is used to generate machine code to concatenate strings. Here's a snippet of the method. void Lowerer::LowerSetConcatStrMultiItem(IR::Instr *...
  14. Exploiter

    Exploit HPE iMC - dbman 'RestoreDBase' Remote Command Execution (Metasploit)

    HPE iMC - dbman 'RestoreDBase' Remote Command Execution (Metasploit) ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include...
  15. Exploiter

    Exploit HPE iMC - dbman 'RestartDB' Remote Command Execution (Metasploit)

    HPE iMC - dbman 'RestartDB' Remote Command Execution (Metasploit) ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include...
  16. Exploiter

    Exploit Commvault Communications Service (cvd) - Command Injection (Metasploit)

    Commvault Communications Service (cvd) - Command Injection (Metasploit) ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core/exploit/powershell' class MetasploitModule <...
  17. Exploiter

    Exploit Joomla! Component Easydiscuss < 4.0.21 - Cross-Site Scripting

    Joomla! Component Easydiscuss < 4.0.21 - Cross-Site Scripting # Exploit Title: Joomla Plugin Easydiscuss <4.0.21 Persistent XSS in Edit Message # Date: 06-01-2018 # Software Link: https://stackideas.com/easydiscuss # Exploit Author: Mattia Furlani # CVE: CVE-2018-5263 # Category: webapps 1...
  18. Exploiter

    Exploit Multiple CPUs - Information Leak Using Speculative Execution

    Multiple CPUs - Information Leak Using Speculative Execution == INTRODUCTION == This is a bug report about a CPU security issue that affects processors by Intel, AMD and (to some extent) ARM. I have written a PoC for this issue that, when executed in userspace on an Intel Xeon CPU E5-1650 v3...
  19. Exploiter

    Exploit Microsoft Edge Chakra JIT - Escape Analysis Bug

    Microsoft Edge Chakra JIT - Escape Analysis Bug /* Escape analysis: https://en.wikipedia.org/wiki/Escape_analysis Chakra fails to detect if "tmp" escapes the scope, allocates it to the stack. This may lead to dereference uninitialized stack values. PoC: */ function opt() { let tmp = []...
  20. Exploiter

    Exploit Microsoft Windows - 'nt!NtQueryInformationProcess (information class 76, QueryProcessEnergyValues)' Kernel Stack Memory Disclosure

    Microsoft Windows - 'nt!NtQueryInformationProcess (information class 76, QueryProcessEnergyValues)' Kernel Stack Memory Disclosure /* We have discovered that the nt!NtQueryInformationProcess system call invoked with the 76 information class discloses portions of uninitialized kernel stack...
  21. Exploiter

    Exploit Microsoft Windows - 'nt!NtQuerySystemInformation (information class 138, QueryMemoryTopologyInformation)' Kernel Pool Memory Disclosure

    Microsoft Windows - 'nt!NtQuerySystemInformation (information class 138, QueryMemoryTopologyInformation)' Kernel Pool Memory Disclosure /* We have discovered that the nt!NtQuerySystemInformation system call invoked with the 138 information class discloses portions of uninitialized kernel pool...
  22. Exploiter

    Exploit Microsoft Windows - Local XPS Print Spooler Sandbox Escape

    Microsoft Windows - Local XPS Print Spooler Sandbox Escape Windows: Local XPS Print Spooler Sandbox Escape Platform: Windows 10 1703 and 1709 (not tested Windows 7 or 8.x) Class: Elevation of Privilege Summary: The local print spooler can be abused to create an arbitrary file from a low...
  23. Exploiter

    Exploit Microsoft Edge Chakra JIT - Op_MaxInAnArray and Op_MinInAnArray can Explicitly call User-Defined JavaScript Functions

    Microsoft Edge Chakra JIT - Op_MaxInAnArray and Op_MinInAnArray can Explicitly call User-Defined JavaScript Functions /* 1. Call patterns like "Math.max.apply(Math, [1, 2, 3, 4, 5])" and "Math.max.apply(Math, arr)" can be optimized to directly call the method "JavascriptMath::MaxInAnArray" in...
  24. Exploiter

    Exploit Microsoft Edge Chakra JIT - BackwardPass::RemoveEmptyLoopAfterMemOp Does not Insert Branches

    Microsoft Edge Chakra JIT - BackwardPass::RemoveEmptyLoopAfterMemOp Does not Insert Branches /* The optimizations for memory operations may leave empty loops as follows: for (let i = 0; i < arr.length; i++) { arr[i] = 0; } Becomes: Memset(arr, 0, arr.length); for (let i = 0; i <...
  25. Exploiter

    Exploit Microsoft Edge Chakra - 'asm.js' Out-of-Bounds Read

    Microsoft Edge Chakra - 'asm.js' Out-of-Bounds Read /* Here's a snippet of AsmJSByteCodeGenerator::EmitAsmJsFunctionBody. AsmJsVar * initSource = nullptr; if (decl->sxVar.pnodeInit->nop == knopName) { AsmJsSymbol * initSym =...