Search results

  1. Exploiter

    Exploit Easy AVI DivX Converter 1.2.24 - Local Buffer Overflow (SEH)

    Easy AVI DivX Converter 1.2.24 - Local Buffer Overflow (SEH) #!/usr/bin/python ############################################################################### # Exploit Title: Easy AVI DivX Converter 1.2.24 - 'Enter User Name' Field Buffer Overflow (SEH) # Date...
  2. Exploiter

    Exploit Symantec Messaging Gateway 10.6.3-2 - Root Remote Command Execution

    Symantec Messaging Gateway 10.6.3-2 - Root Remote Command Execution This is an advisory for CVE-2017-6327 which is an unauthenticated remote code execution flaw in the web interface of Symantec Messaging Gateway prior to and including version 10.6.3-2, which can be used to execute commands as...
  3. Exploiter

    Exploit Disk Pulse Enterprise 9.9.16 - 'Import Command' Local Buffer Overflow

    Disk Pulse Enterprise 9.9.16 - 'Import Command' Local Buffer Overflow #!/usr/bin/python # Exploit Title : Disk Pulse Enterprise 9.9.16 - 'Import Command' Buffer Overflow # Discovery by : Anurag Srivastava # Email : [email protected] # Website ...
  4. Exploiter

    Exploit Microsoft Edge 40.15063.0.0 Chakra - Incorrect JIT Optimization with TypedArray Setter #3

    Microsoft Edge 40.15063.0.0 Chakra - Incorrect JIT Optimization with TypedArray Setter #3 <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1316 Coincidentally, Microsoft released the patch for the issue 1290 the day after I reported it. But it seems they fixed it...
  5. Exploiter

    Exploit Adobe Flash - Invoke Accesses Trait Out-of-Bounds

    Adobe Flash - Invoke Accesses Trait Out-of-Bounds Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1320 The attached fuzzed swf file causes the traits of an ActionScript object to be accessed out of bounds. This can probably lead to exploitable type confusion. Proof of...
  6. Exploiter

    Exploit Microsoft Edge - Out-of-Bounds Access when Fetching Source

    Microsoft Edge - Out-of-Bounds Access when Fetching Source // The attached JavaScript file causes an out-of-bounds access of the source buffer when fetching the source for one of the functions during delayed compilation. The out-of-bounds value is then treated as the pointer to the source...
  7. Exploiter

    Exploit MyDoomScanner 1.00 - Local Buffer Overflow (PoC)

    MyDoomScanner 1.00 - Local Buffer Overflow (PoC) #!/usr/bin/python # Exploit Title : MyDoomScanner1.00 Hostname/IP Field SEH Overwrite POC # Discovery by : Anurag Srivastava # Email : [email protected] # Discovery Date : 17/08/2017 # Software Link ...
  8. Exploiter

    Exploit Microsoft Edge Chakra - Uninitialized Arguments (1)

    Microsoft Edge Chakra - Uninitialized Arguments (1) <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1297 Here's a snippet of "ParseVariableDeclaration" which is used for parsing declarations. template<bool buildAST> ParseNodePtr Parser::ParseVariableDeclaration(...
  9. Exploiter

    Exploit Microsoft Edge Chakra - Uninitialized Arguments (2)

    Microsoft Edge Chakra - Uninitialized Arguments (2) <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1298 Similar to the issue #1297 . But this time, it happens in "Parser::ParseFncFormals" with the "PNodeFlags::fpnArguments_overriddenInParam" flag. template<bool...
  10. Exploiter

    Exploit Microsoft Edge Chakra - 'EmitNew' Integer Overflow

    Microsoft Edge Chakra - 'EmitNew' Integer Overflow <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1315 The bytecode generator uses the "EmitNew" function to handle new operators. Here's the code how the function checks for integer overflow. void EmitNew(ParseNode*...
  11. Exploiter

    Exploit Microsoft Edge Chakra - 'JavascriptArray::ConcatArgs' Type Confusion

    Microsoft Edge Chakra - 'JavascriptArray::ConcatArgs' Type Confusion <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1292 Let's assume that the following method is called with "firstPromotedItemIsSpreadable = true", and "args" has two elements an array and an integer...
  12. Exploiter

    Exploit Microsoft Edge Chakra - 'JavascriptFunction::EntryCall' Fails to Handle 'CallInfo' Properly

    Microsoft Edge Chakra - 'JavascriptFunction::EntryCall' Fails to Handle 'CallInfo' Properly <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1295 Here's the method. Var JavascriptFunction::EntryCall(RecyclableObject* function, CallInfo callInfo, ...) {...
  13. Exploiter

    Exploit Microsoft Edge Chakra - 'TryUndeleteProperty' Incorrect Usage (Denial of Service)

    Microsoft Edge Chakra - 'TryUndeleteProperty' Incorrect Usage (Denial of Service) <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1281 Chakra implemented the reuse of deleted properties of an unordered dictionary object with the following code. bool...
  14. Exploiter

    Exploit Microsoft Edge Chakra - 'EmitAssignment' uses the 'this' Register Without Initializing

    Microsoft Edge Chakra - 'EmitAssignment' uses the 'this' Register Without Initializing <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1283 "EmitAssignment" doesn't call "EmitSuperMethodBegin" that initializes the "this" register for the case when the super keyword is...
  15. Exploiter

    Exploit Microsoft Edge Chakra - Incorrect JIT Optimization with TypedArray Setter #2

    Microsoft Edge Chakra - Incorrect JIT Optimization with TypedArray Setter #2 <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1290 I think the fix for #1045 is incorrect. Here's the original PoC. 'use strict'; function func(a, b, c) { a[0] = 1.2; b[0] = c...
  16. Exploiter

    Exploit Microsoft Edge Chakra - 'InterpreterStackFrame::ProcessLinkFailedAsmJsModule' Incorrectly Re-parses

    Microsoft Edge Chakra - 'InterpreterStackFrame::ProcessLinkFailedAsmJsModule' Incorrectly Re-parses <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1271 When Chakra fails to link an asmjs module, it tries to re-parse the failed-to-link asmjs function to treat it as a...
  17. Exploiter

    Exploit Microsoft Edge Chakra - 'InterpreterStackFrame::ProcessLinkFailedAsmJsModule' Incorrect Usage of 'PushPopFrameHelper' (Denial of Service)

    Microsoft Edge Chakra - 'InterpreterStackFrame::ProcessLinkFailedAsmJsModule' Incorrect Usage of 'PushPopFrameHelper' (Denial of Service) <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1277 PushPopFrameHelper is a class that pushes the current stack frame object in its...
  18. Exploiter

    Exploit AdvanDate iCupid Dating Software 12.2 - SQL Injection

    AdvanDate iCupid Dating Software 12.2 - SQL Injection # # # # # # Exploit Title: iCupid Dating Software 12.2 - SQL Injection # Dork: N/A # Date: 15.08.2017 # Vendor Homepage : https://www.advandate.com/ # Software Link: https://www.advandate.com/dating-software-features/ # Demo...
  19. Exploiter

    Exploit Microsoft Edge 38.14393.1066.0 - 'CInputDateTimeScrollerElement::_SelectValueInternal' Out-of-Bounds Read

    Microsoft Edge 38.14393.1066.0 - 'CInputDateTimeScrollerElement::_SelectValueInternal' Out-of-Bounds Read <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1264 The vulnerability has been confirmed on Windows 10 Enterprise 64-bit (OS version 1607, OS build 14393.1198) and...
  20. Exploiter

    Exploit Microsoft Edge Chakra - 'PreVisitCatch' Missing Call

    Microsoft Edge Chakra - 'PreVisitCatch' Missing Call <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1266 function trigger() { try { } catch (x) { var x = 1; } print(x); } trigger(); When Chakra executes the above code, it declares two "x"s...
  21. Exploiter

    Exploit Xamarin Studio for Mac 6.2.1 (build 3) / 6.3 (build 863) - Local Privilege Escalation

    Xamarin Studio for Mac 6.2.1 (build 3) / 6.3 (build 863) - Local Privilege Escalation Source: https://www.securify.nl/advisory/SFY20170403/xamarin-studio-for-mac-api-documentation-update-affected-by-local-privilege-escalation.html Abstract Xamarin Studio is an Integrated Development...
  22. Exploiter

    Exploit ALLPlayer 7.4 - Local Buffer Overflow (SEH Unicode)

    ALLPlayer 7.4 - Local Buffer Overflow (SEH Unicode) #!/usr/bin/python # Exploit Title: ALL Player v7.4 SEH Buffer Overflow (Unicode) # Version: 7.4 # Date: 15-08-2017 # Exploit Author: f3ci # Tested on: Windows 7 SP1 x86 head = "http://" seh = "\x0f\x47" #0x0047000f nseh = "\x61\x41" #popad...
  23. Exploiter

    Exploit Microsoft Edge 38.14393.1066.0 - 'textarea.defaultValue' Memory Disclosure

    Microsoft Edge 38.14393.1066.0 - 'textarea.defaultValue' Memory Disclosure <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1255 There is a use-after-free vulnerability in Microsoft Edge that can lead to memory disclosure. The vulnerability has been confirmed on Windows...
  24. Exploiter

    Exploit Tomabo MP4 Converter 3.19.15 - Denial of Service

    Tomabo MP4 Converter 3.19.15 - Denial of Service #!/usr/bin/python # Exploit Title: Tomabo MP4 Converter DOS # Date: 13/08/17 # Exploit Author: Andy Bowden # Vendor Homepage: http://www.tomabo.com/ # Software Link: http://www.tomabo.com/mp4-converter/index.html # Version: 3.19.15 # Tested on...
  25. Exploiter

    Exploit WordPress Plugin Easy Modal 2.0.17 - SQL Injection

    WordPress Plugin Easy Modal 2.0.17 - SQL Injection DefenseCode ThunderScan SAST Advisory WordPress Easy Modal Plugin Multiple Security Vulnerabilities Advisory ID: DC-2017-01-007 Advisory Title: WordPress Easy Modal Plugin Multiple Vulnerabilities Advisory URL...