Search results

  1. Exploiter

    Exploit Microsoft Windows - Uniscribe Font Processing Buffer Overflow in 'USP10!FillAlternatesList' (MS17-011)

    Microsoft Windows - Uniscribe Font Processing Buffer Overflow in 'USP10!FillAlternatesList' (MS17-011) Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1030 We have encountered a crash in the Windows Uniscribe user-mode library, in the USP10!FillAlternatesList function, while...
  2. Exploiter

    Exploit Microsoft Windows - Uniscribe Font Processing Heap Memory Corruption in 'USP10!MergeLigRecords' (MS17-011)

    Microsoft Windows - Uniscribe Font Processing Heap Memory Corruption in 'USP10!MergeLigRecords' (MS17-011) Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1026&desc=2 We have encountered a crash in the Windows Uniscribe user-mode library, in the memcpy() function called by...
  3. Exploiter

    Exploit uHotelBooking System - 'system_page' SQL Injection

    uHotelBooking System - 'system_page' SQL Injection # Exploit Title: uHotelBooking System - 'system_page' SQL Injection # Date: 21.03.2019 # Exploit Author: Ahmet Ümit BAYRAM # Vendor Homepage: https://www.hotel-booking-script.com # Demo Site: https://www.hotel-booking-script.com/demo/ #...
  4. Exploiter

    Exploit Microsoft Windows - Uniscribe Font Processing Heap Buffer Overflow in 'USP10!ttoGetTableData' (MS17-011)

    Microsoft Windows - Uniscribe Font Processing Heap Buffer Overflow in 'USP10!ttoGetTableData' (MS17-011) Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1027 We have encountered a crash in the Windows Uniscribe user-mode library, in an unnamed function called by...
  5. Exploiter

    Exploit Microsoft Windows - Uniscribe Font Processing Heap Out-of-Bounds Read/Write in 'USP10!AssignGlyphTypes' (MS17-011)

    Microsoft Windows - Uniscribe Font Processing Heap Out-of-Bounds Read/Write in 'USP10!AssignGlyphTypes' (MS17-011) Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1023 We have encountered a crash in the Windows Uniscribe user-mode library, in the USP10!AssignGlyphTypes...
  6. Exploiter

    Exploit Microsoft Windows - Uniscribe Font Processing Heap Memory Corruption in 'USP10!otlCacheManager::GlyphsSubstituted' (MS17-011)

    Microsoft Windows - Uniscribe Font Processing Heap Memory Corruption in 'USP10!otlCacheManager::GlyphsSubstituted' (MS17-011) Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1025 We have encountered a crash in the Windows Uniscribe user-mode library, in the memset() function...
  7. Exploiter

    Exploit The Company Business Website CMS - Multiple Vulnerabilities

    The Company Business Website CMS - Multiple Vulnerabilities # Exploit Title: The Company Business Website CMS - 'user_name' SQL Injection # Date: 20.03.2019 # Exploit Author: Ahmet Ümit BAYRAM # Vendor Homepage: https://www.codester.com/items/6806/the-company-business-website-cms # Demo Site...
  8. Exploiter

    Exploit Microsoft Windows Kernel - Registry Hive Loading Crashes in nt!nt!HvpGetBinMemAlloc / nt!ExpFindAndRemoveTagBigPages (MS17-017)

    Microsoft Windows Kernel - Registry Hive Loading Crashes in nt!nt!HvpGetBinMemAlloc / nt!ExpFindAndRemoveTagBigPages (MS17-017) Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=993 We have encountered Windows kernel crashes in the internal nt!nt!HvpGetBinMemAlloc and...
  9. Exploiter

    Exploit Microsoft Windows - Uniscribe Font Processing Out-of-Bounds Read in usp10!otlChainRuleSetTable::rule (MS17-011)

    Microsoft Windows - Uniscribe Font Processing Out-of-Bounds Read in usp10!otlChainRuleSetTable::rule (MS17-011) Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1019 We have encountered a crash in the Windows Uniscribe user-mode library, in the...
  10. Exploiter

    Exploit Microsoft Windows - 'USP10!otlList::insertAt' Uniscribe Font Processing Heap Buffer Overflow (MS17-011)

    Microsoft Windows - 'USP10!otlList::insertAt' Uniscribe Font Processing Heap Buffer Overflow (MS17-011) Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1022 We have encountered a crash in the Windows Uniscribe user-mode library, in the memmove() function called by...
  11. Exploiter

    Exploit FTPShell Server 6.56 - 'ChangePassword' Buffer Overflow

    FTPShell Server 6.56 - 'ChangePassword' Buffer Overflow print ''' ############################################## # Created: ScrR1pTK1dd13 # # Name: Greg Priest # # Mail...
  12. Exploiter

    Exploit HttpServer 1.0 - Directory Traversal

    HttpServer 1.0 - Directory Traversal # Exploit Title: HttpServer 1.0 DolinaySoft Directory Traversal # Date: 2017-03-19 # Exploit Author: malwrforensics # Software Link: http://www.softpedia.com/get/Internet/Servers/WEB-Servers/HttpServer.shtml#download # Version: 1.0 # Tested on: Windows...
  13. Exploiter

    Exploit Art of Anti Detection - Shellcode Alchemy

    Art of Anti Detection - Shellcode Alchemy 41640.pdf
  14. Exploiter

    Exploit Microsoft Edge - Flash click2play Bypass with CObjectElement::FinalCreateObject

    Microsoft Edge - Flash click2play Bypass with CObjectElement::FinalCreateObject Attached is a PoC file that bypasses Flash click2play in Microsoft Edge. This was tested on Windows 10 64bit v 1809 with the latest patches applied. The PoC currently loads a swf from wwwimages.adobe.com...
  15. Exploiter

    Exploit Google Chrome < M73 - MidiManagerWin Use-After-Free

    Google Chrome < M73 - MidiManagerWin Use-After-Free MidiManagerWin uses a similar instance_id mechanism to the TaskService implementation to ensure that delayed tasks are only executed if the MidiManager instance that they were scheduled on is still alive. However, this instance_id is an...
  16. Exploiter

    Exploit Google Chrome < M73 - FileSystemOperationRunner Use-After-Free

    Google Chrome < M73 - FileSystemOperationRunner Use-After-Free There's a comment in FileSystemOperationRunner::BeginOperation OperationID FileSystemOperationRunner::BeginOperation( std::unique_ptr<FileSystemOperation> operation) { OperationID id = next_operation_id_++; //...
  17. Exploiter

    Exploit Jenkins 2.137 and Pipeline Groovy Plugin 2.61 - ACL Bypass and Metaprogramming Remote Code Execution (Metasploit)

    Jenkins 2.137 and Pipeline Groovy Plugin 2.61 - ACL Bypass and Metaprogramming Remote Code Execution (Metasploit) ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule <...
  18. Exploiter

    Exploit FTPShell Client 6.53 - 'Session name' Local Buffer Overflow

    FTPShell Client 6.53 - 'Session name' Local Buffer Overflow print ''' ############################################## # Created: ScrR1pTK1dd13 # # Name: Greg Priest # # Mail...
  19. Exploiter

    Exploit Microsoft Internet Explorer 11 - VBScript Execution Policy Bypass in MSHTML

    Microsoft Internet Explorer 11 - VBScript Execution Policy Bypass in MSHTML <!-- Windows: Windows: IE11 VBScript execution policy bypass in MSHTML Platform: Windows 10 1809 (not tested earlier) Class: Security Feature Bypass Summary: MSHTML only checks for the CLSID associated with VBScript...
  20. Exploiter

    Exploit Microsoft VBScript - VbsErase Memory Corruption

    Microsoft VBScript - VbsErase Memory Corruption <!-- There is an issue in VBScript in the VbsErase function. In some cases (see the attached PoC), VbsErase fails to clear the argument variable properly, which can trivially lead to crafting a variable with the array type, but with a pointer...
  21. Exploiter

    Exploit libseccomp < 2.4.0 - Incorrect Compilation of Arithmetic Comparisons

    libseccomp < 2.4.0 - Incorrect Compilation of Arithmetic Comparisons When libseccomp compiles filters for 64-bit systems, it needs to split 64-bit comparisons into 32-bit comparisons because classic BPF can't operate on 64-bit values directly. libseccomp offers both bitwise comparisons (NE...
  22. Exploiter

    Exploit Google Chrome < M73 - Double-Destruction Race in StoragePartitionService

    Google Chrome < M73 - Double-Destruction Race in StoragePartitionService There's a race condition in the destruction of the BindingState for bindings to the StoragePartitionService. It looks like the root cause of the issue is that since we can get two concurrent calls to callbacks returned...
  23. Exploiter

    Exploit Google Chrome < M73 - Data Race in ExtensionsGuestViewMessageFilter

    Google Chrome < M73 - Data Race in ExtensionsGuestViewMessageFilter There appears to be a race condition in the destruction of the ExtensionsGuestViewMessageFilter if the ProcessIdToFilterMap is modified concurrently. See the comment in the code...
  24. Exploiter

    Exploit Netartmedia PHP Mall 4.1 - SQL Injection

    Netartmedia PHP Mall 4.1 - SQL Injection # Exploit Title: Netartmedia PHP Mall 4.1 - Multiple SQL Injection # Date: 19.03.2019 # Exploit Author: Ahmet Ümit BAYRAM # Vendor Homepage: https://www.netartmedia.net/mall/ # Demo Site: https://www.phpscriptdemos.com/mall/ # Version: 4.1 # Tested on...
  25. Exploiter

    Exploit Microsoft Edge 38.14393.0.0 - JavaScript Engine Use-After-Free

    Microsoft Edge 38.14393.0.0 - JavaScript Engine Use-After-Free <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1043 I noticed that some javascript getters behave strangely. My test code: var whitelist = ["closed", "document", "frames", "length", "location", "opener"...