Search results

  1. Exploiter

    Exploit FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)

    FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = GreatRanking include Msf::Post::File...
  2. Exploiter

    Exploit Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)

    Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include...
  3. Exploiter

    Exploit Linux < 4.20.14 - Virtual Address 0 is Mappable via Privileged write() to /proc/*/mem

    Linux < 4.20.14 - Virtual Address 0 is Mappable via Privileged write() to /proc/*/mem By following the codepath that Andrea Arcangeli pointed out in his mails regarding the last bug I reported, I noticed that it is possible for userspace on a normal distro to map virtual address 0, which on an...
  4. Exploiter

    Exploit Android - binder Use-After-Free via racy Initialization of ->allow_user_free

    Android - binder Use-After-Free via racy Initialization of ->allow_user_free The following bug report solely looks at the situation on the upstream master branch; while from a cursory look, at least the wahoo kernel also looks affected, I have only properly tested this on upstream master. The...
  5. Exploiter

    Exploit Android - getpidcon() Usage in Hardware binder ServiceManager Permits ACL Bypass

    Android - getpidcon() Usage in Hardware binder ServiceManager Permits ACL Bypass We already reported four bugs in Android that are caused by the use of getpidcon(), which is fundamentally unsafe: https://bugs.chromium.org/p/project-zero/issues/detail?id=727 (AndroidID-27111481...
  6. Exploiter

    Exploit Azure Data Expert Ultimate 2.2.16 - Remote Buffer Overflow

    Azure Data Expert Ultimate 2.2.16 - Remote Buffer Overflow # Exploit Title: Azure Data Expert Ultimate 2.2.16 – buffer overflow # Date: 2017-03-07 # Exploit Author: Peter Baris # Vendor Homepage: http://www.saptech-erp.com.au # Software Link: http://www.azuredex.com/downloads.html # Version...
  7. Exploiter

    Exploit Bull/IBM AIX Clusterwatch/Watchware - Multiple Vulnerabilities

    Bull/IBM AIX Clusterwatch/Watchware - Multiple Vulnerabilities Bull Clusterwatch/Watchware is a VERY VERY OLD tool used by sysadmins to manage their AIX clusters. Marble effect in the web banner and questionable font: it smells the 90s ! Tool is mainly a web app with CGIs (shell scripts and...
  8. Exploiter

    Exploit Java Debug Wire Protocol (JDWP) - Remote Code Execution

    Java Debug Wire Protocol (JDWP) - Remote Code Execution #!/usr/bin/python ################################################################################ # # Universal JDWP shellifier # # @_hugsy_ # # And special cheers to @lanjelot # import socket import time import sys import struct import...
  9. Exploiter

    Exploit Conext ComBox 865-1058 - Denial of Service

    Conext ComBox 865-1058 - Denial of Service #Exploit Title: Conext ComBox - Denial of Service (HTTP-POST) #Description: The exploit cause the device to self-reboot, constituting a denial of service. #Google Dork: "Conext ComBox" + "JavaScript was not detected" /OR/ "Conext ComBox" + "Recover...
  10. Exploiter

    Exploit macOS XNU - Copy-on-Write Behavior Bypass via Mount of User-Owned Filesystem Image

    macOS XNU - Copy-on-Write Behavior Bypass via Mount of User-Owned Filesystem Image XNU has various interfaces that permit creating copy-on-write copies of data between processes, including out-of-line message descriptors in mach messages. It is important that the copied memory is protected...
  11. Exploiter

    Exploit elFinder 2.1.47 - 'PHP connector' Command Injection

    elFinder 2.1.47 - 'PHP connector' Command Injection #!/usr/bin/python ''' # Exploit Title: elFinder <= 2.1.47 - Command Injection vulnerability in the PHP connector. # Date: 26/02/2019 # Exploit Author: @q3rv0 # Vulnerability reported by: Thomas Chauchefoin # Google Dork: intitle:"elFinder...
  12. Exploiter

    Exploit Google Chrome < M72 - FileWriterImpl Use-After-Free

    Google Chrome < M72 - FileWriterImpl Use-After-Free There's a use-after-free in the implementation of the FileWriter component of the mojo bindings for the filesystem API. The browser-process side of this API is defined in...
  13. Exploiter

    Exploit tcpdump < 4.9.3 - Multiple Heap-Based Out-of-Bounds Reads

    tcpdump < 4.9.3 - Multiple Heap-Based Out-of-Bounds Reads Through fuzzing of network capture .pcap files, we have identified 16 crashes with unique stack traces in tcpdump. These crashes are caused by heap-based out-of-bounds memory reads, and can be reproduced with the latest tcpdump source...
  14. Exploiter

    Exploit Linux < 4.14.103 / < 4.19.25 - Out-of-Bounds Read and Write in SNMP NAT Module

    Linux < 4.14.103 / < 4.19.25 - Out-of-Bounds Read and Write in SNMP NAT Module commit cc2d58634e0f ("netfilter: nf_nat_snmp_basic: use asn1 decoder library", first in 4.16) changed the nf_nat_snmp_basic module (which, when enabled, parses and modifies the ASN.1-encoded payloads of SNMP...
  15. Exploiter

    Exploit Google Chrome < M72 - PaymentRequest Service Use-After-Free

    Google Chrome < M72 - PaymentRequest Service Use-After-Free There are several object-lifetime issues in the browser process in the implementation of payments.mojom.PaymentRequest. The PaymentRequest object contains a std::unique_ptr to a PaymentRequestSpec, which is initialised during the...
  16. Exploiter

    Exploit Google Chrome < M72 - RenderFrameHostImpl::CreateMediaStreamDispatcherHost Use-After-Free

    Google Chrome < M72 - RenderFrameHostImpl::CreateMediaStreamDispatcherHost Use-After-Free There's a race-condition / object-lifetime issue in the browser process when the browser process shutdown races against the IO thread handling mojo messages from the renderer. It's (at least) possible to...
  17. Exploiter

    Exploit Google Chrome < M72 - Use-After-Free in RenderProcessHostImpl Binding for P2PSocketDispatcherHost

    Google Chrome < M72 - Use-After-Free in RenderProcessHostImpl Binding for P2PSocketDispatcherHost There's an object-lifetime issue in the browser process in the handling of P2PSocketDispatcherHost binding in parallel with OnBloatedRenderer event handling. In RenderProcessHostImpl, we have a...
  18. Exploiter

    Exploit Nuuo Central Management - (Authenticated) SQL Server SQL Injection (Metasploit)

    Nuuo Central Management - (Authenticated) SQL Server SQL Injection (Metasploit) ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking...
  19. Exploiter

    Exploit Micro Focus Filr 3.4.0.217 - Path Traversal / Local Privilege Escalation

    Micro Focus Filr 3.4.0.217 - Path Traversal / Local Privilege Escalation SecureAuth - SecureAuth Labs Advisory http://www.secureauth.com/ Micro Focus Filr Multiple Vulnerabilities 1. *Advisory Information* Title: Micro Focus Filr Multiple Vulnerabilities Advisory ID: SAUTH-2019-0001...
  20. Exploiter

    Exploit FTPShell Client 6.53 - Remote Buffer Overflow

    FTPShell Client 6.53 - Remote Buffer Overflow # Exploit Title: FTPShell Client 6.53 buffer overflow on making initial connection # Date: 2017-03-04 # Exploit Author: Peter Baris # Vendor Homepage: http://www.saptech-erp.com.au # Software Link: http://www.ftpshell.com/downloadclient.htm #...
  21. Exploiter

    Exploit Joomla! Component J2Store < 3.3.7 - SQL Injection

    Joomla! Component J2Store < 3.3.7 - SQL Injection # Exploit Title: J2Store Plugin for Joomla! < 3.3.6 - SQL Injection # Date: 19/02/2019 # Author: Andrei Conache # Twitter: @andrei_conache # Contact: andrei.conache[at]protonmail.com # Software Link: https://www.j2store.org # Version: 3.x-3.3.6...
  22. Exploiter

    Exploit NetGain Enterprise Manager 7.2.562 - 'Ping' Command Injection

    NetGain Enterprise Manager 7.2.562 - 'Ping' Command Injection # Exploit Title: NetGain Enterprise Manager – “Ping” Command Injection # Date: 23.02.2017 # Exploit Author: MrChaZ # Vendor Homepage: http://www.netgain-systems.com/ # Version: <= v7.2.562 build 853 # Tested on: Windows 10 Pro...
  23. Exploiter

    Exploit pfSense 2.3.2 - Cross-Site Scripting / Cross-Site Request Forgery

    pfSense 2.3.2 - Cross-Site Scripting / Cross-Site Request Forgery ###################################################################### # Exploit Title: pfSense 2.3.2 XSS - CSRF-bypass & Reverse-root-shell # Date: 01/03/2017 # Author: Yann CAM @ASafety / Synetis # Vendor or Software Link...
  24. Exploiter

    Exploit MikroTik RouterOS < 6.43.12 (stable) / < 6.42.12 (long-term) - Firewall and NAT Bypass

    MikroTik RouterOS < 6.43.12 (stable) / < 6.42.12 (long-term) - Firewall and NAT Bypass # CVE-2019-3924 A remote, unauthenticated attacker can proxy traffic through RouterOS via probes sent to the agent binary. This PoC demonstrates how to exploit a LAN host from the WAN. A video demonstrating...
  25. Exploiter

    Exploit MatrixSSL < 4.0.2 - Stack Buffer Overflow Verifying x.509 Certificates

    MatrixSSL < 4.0.2 - Stack Buffer Overflow Verifying x.509 Certificates I happened to notice that a public X.509 certificate testcase for CVE-2014-1569 caused a stack buffer overflow in MatrixSSL. I cleaned up the testcase a bit, to make a better demonstration. You can test it with the...