Microsoft Windows - '0x224000 IOCTL (WmiQueryAllData)' Kernel WMIDataDevice Pool Memory Disclosure
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1152
We have discovered that the handler of the 0x224000 IOCTL (corresponding to the WmiQueryAllData functionality)...
Microsoft Windows - 'win32k!NtGdiGetOutlineTextMetricsInternalW' Kernel Pool Memory Disclosure
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1144
The win32k!NtGdiGetOutlineTextMetricsInternalW system call corresponds to the documented GetOutlineTextMetrics API function...
Microsoft Windows - 'IOCTL 0x390400, operation code 0x00020000' Kernel KsecDD Pool Memory Disclosure
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1147
We have discovered that the IOCTL sent to the \Device\KsecDD device by the BCryptOpenAlgorithmProvider documented API...
GNU binutils - 'print_insn_score16' Buffer Overflow
Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21576
I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer.
Please find attached the minimized file causing the issue ("Input") and the
ASAN report log ("Output")...
GNU binutils - 'aarch64_ext_ldst_reglist' Buffer Overflow
Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21595
I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer.
Please find attached the minimized file causing the issue ("Input") and the ASAN report log...
Microsoft Windows - NtUserSetWindowFNID Win32k User Callback Privilege Escalation (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank =...
GNU binutils - 'decode_pseudodbg_assert_0' Buffer Overflow
Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21586
I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer.
Please find attached the minimized file causing the issue ("Input") and the
ASAN report log...
GNU binutils - 'ieee_object_p' Stack Buffer Overflow
Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21582
I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer.
Please find attached the minimized file causing the issue ("Input") and the
ASAN report log ("Output")...
Linux - Broken Permission and Object Lifetime Handling for PTRACE_TRACEME
== Summary ==
This bug report describes two issues introduced by commit 64b875f7ac8a ("ptrace:
Capture the ptracer's creds not PT_PTRACE_CAP", introduced in v4.10 but also
stable-backported to older versions). I will...
GNU binutils - 'disassemble_bytes' Heap Overflow
Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21580
I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer.
Please find attached the minimized file causing the issue ("Input") and the
ASAN report log ("Output")...
GNU binutils - 'bfd_get_string' Stack Buffer Overflow
Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21581
I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer.
Please find attached the minimized file causing the issue ("Input") and the
ASAN report log...
Microsoft Compiled HTML Help / Uncompiled .chm File - XML External Entity Injection
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source...
Microsoft Windows 10 < build 17763 - AppXSvc Hard Link Privilege Escalation (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank =...
GNU binutils - 'rx_decode_opcode' Buffer Overflow
Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21587
I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer.
Please find attached the minimized file causing the issue ("Input") and the
ASAN report log ("Output")...
WebKit JSC - arrayProtoFuncSplice does not Initialize all Indices
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1218&desc=2
Here's a snippet of arrayProtoFuncSplice.
EncodedJSValue JSC_HOST_CALL arrayProtoFuncSplice(ExecState* exec)
{
...
result =...
WebKit JSC - JIT Optimization Check Failed in IntegerCheckCombiningPhase::handleBlock
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1220
When compiling Javascript code into machine code, bound checks for all accesses to a typed array are also inserted. These bound...
WebKit JSC - 'Intl.getCanonicalLocales' Heap Buffer Overflow
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1229
Here's tryCreateArrayButterfly which is invoked from intlObjectFuncGetCanonicalLocales to create a JSArray object.
inline Butterfly*...
Microsoft Windows 10.0.17134.648 - HTTP -> SMB NTLM Reflection Leads to Privilege Elevation
VULNERABILITY DETAILS
It's possible to use the NTLM reflection attack to escape a browser sandbox in the case where the
sandboxed process is allowed to create TCP sockets. In particular, I was able to...
WebKit JSC - JSGlobalObject::haveABadTime Causes Type Confusions
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1208
After JSGlobalObject::haveABadTime is called, the type of all JavaScript arrays (including newly created arrays) are of the same type...