Search results

  1. Exploiter

    Exploit Google Android - get_user/put_user (Metasploit)

    Google Android - get_user/put_user (Metasploit) ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'rex' class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking...
  2. Exploiter

    Exploit Microsoft Lync for Mac 2011 - Injection Forced Browsing/Download

    Microsoft Lync for Mac 2011 - Injection Forced Browsing/Download # Exploit Title: Microsoft Lync for Mac 2011 Injection Forced Browsing/Download # Author: @nyxgeek - TrustedSec # Date: 2018-03-20 # Vendor Homepage: microsoft.com # Software Link...
  3. Exploiter

    Exploit Wampserver 3.0.6 - Insecure File Permissions Privilege Escalation

    Wampserver 3.0.6 - Insecure File Permissions Privilege Escalation ===================================================== # Vendor Homepage: http://www.wampserver.com/ # Date: 10 Dec 2016 # Version : Wampserver 3.0.6 32 bit x86 # Tested on: Windows 7 Ultimate SP1 (EN) # Author: Heliand Dema #...
  4. Exploiter

    Exploit Apache Spark - (Unauthenticated) Command Execution (Metasploit)

    Apache Spark - (Unauthenticated) Command Execution (Metasploit) ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include...
  5. Exploiter

    Exploit PHPMailer < 5.2.18 - Remote Code Execution

    PHPMailer < 5.2.18 - Remote Code Execution #!/bin/bash # CVE-2016-10033 exploit by opsxcq # https://github.com/opsxcq/exploit-CVE-2016-10033 echo '[+] CVE-2016-10033 exploit by opsxcq' if [ -z "$1" ] then echo '[-] Please inform an host as parameter' exit -1 fi host=$1 echo '[+]...
  6. Exploiter

    Exploit VBScript - 'OLEAUT32!VariantClear' and 'scrrun!VBADictionary::put_Item' Use-After-Free

    VBScript - 'OLEAUT32!VariantClear' and 'scrrun!VBADictionary::put_Item' Use-After-Free <!-- There is a use-after-free vulnerability (possibly two vulnerabilities triggerable by the same PoC, see below) in Microsoft VBScript. The vulnerability has been confirmed in Internet Explorer on Windows...
  7. Exploiter

    Exploit FTPShell Server 6.36 - '.csv' Local Denial of Service

    FTPShell Server 6.36 - '.csv' Local Denial of Service #Exploit FTPShell server 6.36 '.csv' Crash(PoC) #Author: albalawi_sultan #Tested on:win7 #st :http://www.ftpshell.com/download.htm #1-open FTPShell Server Administrator #2-manage Ftp accounts #3-import from csv ban=...
  8. Exploiter

    Exploit VBScript - 'rtFilter' Out-of-Bounds Read

    VBScript - 'rtFilter' Out-of-Bounds Read <!-- There is an out-of-bounds vulnerability in Microsoft VBScript. The vulnerability has been confirmed in Internet Explorer on Windows 7 with the latest patches applied. PoC: (Note that Page Heap might need to be enabled to observe the crash)...
  9. Exploiter

    Exploit Microsoft Internet Explorer 11 - MSHTML CPasteCommand::ConvertBitmaptoPng Heap Buffer Overflow (MS14-056)

    Microsoft Internet Explorer 11 - MSHTML CPasteCommand::ConvertBitmaptoPng Heap Buffer Overflow (MS14-056) <!-- Source: http://blog.skylined.nl/20161221001.html Synopsis A specially crafted web-page can trigger an out-of-bounds write in Microsoft Internet Explorer 11. Code that handles...
  10. Exploiter

    Exploit OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation

    OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1010 This issue affects OpenSSH if privilege separation is disabled (config option UsePrivilegeSeparation=no). While privilege...
  11. Exploiter

    Exploit OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading

    OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1009 The OpenSSH agent permits its clients to load PKCS11 providers using the commands SSH_AGENTC_ADD_SMARTCARD_KEY and SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED if...
  12. Exploiter

    Exploit TeamCity Agent - XML-RPC Command Execution (Metasploit)

    TeamCity Agent - XML-RPC Command Execution (Metasploit) ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include...
  13. Exploiter

    Exploit Apple macOS 10.12.1 / iOS < 10.2 - powerd Arbitrary Port Replacement

    Apple macOS 10.12.1 / iOS < 10.2 - powerd Arbitrary Port Replacement /* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=976 powerd (running as root) hosts the com.apple.PowerManagement.control mach service. It checks in with launchd to get a server port and then wraps that...
  14. Exploiter

    Exploit Apple macOS 10.12.1 / iOS < 10.2 - syslogd Arbitrary Port Replacement

    Apple macOS 10.12.1 / iOS < 10.2 - syslogd Arbitrary Port Replacement /* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=977 syslogd (running as root) hosts the com.apple.system.logger mach service. It's part of the system.sb sandbox profile and so reachable from a lot of...
  15. Exploiter

    Exploit Mac OS X - libxpc MITM Privilege Escalation (Metasploit)

    Mac OS X - libxpc MITM Privilege Escalation (Metasploit) ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Post::File...
  16. Exploiter

    Exploit Apple macOS < 10.12.2 / iOS < 10.2 - '_kernelrpc_mach_port_insert_right_trap' Kernel Reference Count Leak / Use-After-Free

    Apple macOS < 10.12.2 / iOS < 10.2 - '_kernelrpc_mach_port_insert_right_trap' Kernel Reference Count Leak / Use-After-Free /* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=941 Proofs of Concept...
  17. Exploiter

    Exploit Apple macOS < 10.12.2 / iOS < 10.2 - Broken Kernel Mach Port Name uref Handling Privileged Port Name Replacement Privilege Escalation

    Apple macOS < 10.12.2 / iOS < 10.2 - Broken Kernel Mach Port Name uref Handling Privileged Port Name Replacement Privilege Escalation /* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=959 Proofs of Concept...
  18. Exploiter

    Exploit PHP imap_open - Remote Code Execution (Metasploit)

    PHP imap_open - Remote Code Execution (Metasploit) ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = GoodRanking include...
  19. Exploiter

    Exploit Apple macOS < 10.12.2 / iOS < 10.2 Kernel - ipc_port_t Reference Count Leak Due to Incorrect externalMethod Overrides Use-After-Free

    Apple macOS < 10.12.2 / iOS < 10.2 Kernel - ipc_port_t Reference Count Leak Due to Incorrect externalMethod Overrides Use-After-Free Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=926 mach ports are really struct ipc_port_t's in the kernel; this is a reference-counted...
  20. Exploiter

    Exploit Linux - Nested User Namespace idmap Limit Local Privilege Escalation (Metasploit)

    Linux - Nested User Namespace idmap Limit Local Privilege Escalation (Metasploit) ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = GreatRanking...
  21. Exploiter

    Exploit Unitrends Enterprise Backup - bpserverd Privilege Escalation (Metasploit)

    Unitrends Enterprise Backup - bpserverd Privilege Escalation (Metasploit) ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include...
  22. Exploiter

    Exploit Apple macOS 10.12 - Double vm_deallocate in Userspace MIG Code Use-After-Free

    Apple macOS 10.12 - Double vm_deallocate in Userspace MIG Code Use-After-Free /* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=954 Proofs of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40954.zip Userspace MIG services often...
  23. Exploiter

    Exploit WebKit JIT - 'ByteCodeParser::handleIntrinsicCall' Type Confusion

    WebKit JIT - 'ByteCodeParser::handleIntrinsicCall' Type Confusion /* case ArrayPushIntrinsic: { ... if (static_cast<unsigned>(argumentCountIncludingThis) >= MIN_SPARSE_ARRAY_INDEX) return false; ArrayMode arrayMode =...
  24. Exploiter

    Exploit Apple macOS 10.12.1 Kernel - Writable Privileged IOKit Registry Properties Code Execution

    Apple macOS 10.12.1 Kernel - Writable Privileged IOKit Registry Properties Code Execution /* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=974 There are two ways for IOServices to define their IOUserClient classes: they can override IOService::newUserClient and allocate...
  25. Exploiter

    Exploit WebKit JSC - BytecodeGenerator::hoistSloppyModeFunctionIfNecessary Does not Invalidate the 'ForInContext' Object

    WebKit JSC - BytecodeGenerator::hoistSloppyModeFunctionIfNecessary Does not Invalidate the 'ForInContext' Object /* This is simillar to issue 1263 . When hoisting a function onto the outer scope, if it overwrites the iteration variable for a for-in loop it should invalidate the corresponding...