Search results

  1. Microsoft Edge - Internationalization Initialization Type Confusion (MS16-144)
     <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=972 In Chakra, Internationalization is initialized the first time the Intl object is used, by executing the script in Intl.js...

  2. Netgear Devices - (Unauthenticated) Remote Command Execution (Metasploit)
     ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking...

  3. WebKit JSC JIT - 'JSPropertyNameEnumerator' Type Confusion
     /* When a for-in loop is executed, a JSPropertyNameEnumerator object is created at the beginning and used to store the information of the input object to the for-in loop. Inside the loop, the structure ID of the "this" object of every...

  4. Microsoft Edge - SIMD.toLocaleString Uninitialized Memory (MS16-145)
     <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=961 The following code occurs in JavascriptSIMDObject::ToLocaleString in JavascriptSimdObject.cpp: Var* newArgs = HeapNewArray(Var, numArgs)...

  5. Xorg X11 Server - SUID privilege escalation (Metasploit)
     ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = GoodRanking include Msf::Exploit::EXE...

  6. Google Chrome < 31.0.1650.48 - HTTP 1xx base::StringTokenizerT<...>::QuickGetNext Out-of-Bounds Read
     ''' Source: http://blog.skylined.nl/20161219001.html Synopsis A specially crafted HTTP response can allow a malicious web-page to trigger an out-of-bounds read vulnerability in Google Chrome...

  7. Google Android - WifiNative::setHotlist Stack Overflow
     Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=958 The following code in frameworks/opt/net/wifi/service/jni/com_android_server_wifi_WifiNative.cpp doesn't validate the parameter params.num_bssid, and then copies that...
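The setHotlist entry above describes the bug class behind the title: a caller-supplied count (params.num_bssid) is used, without validation, to drive a copy into a fixed-size stack array. The C below is an added illustration of that pattern and its fix; it is not the Android WifiNative code. The struct layout, the capacity of 16, the field names and the sample entries are all constructed for the example. The unchecked handler is kept only for comparison and is never called with an oversize count; the checked handler rejects any count outside [0, capacity] before a single element is copied.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical capacity of the fixed-size stack array (not Android's value). */
#define MAX_HOTLIST_ENTRIES 16

typedef struct {
    uint8_t bssid[6];
    int32_t low_rssi;
    int32_t high_rssi;
} hotlist_entry_t;

/* Constructed request shape: a count plus entries, both caller-supplied
 * and therefore untrusted. */
typedef struct {
    int32_t num_bssid;
    const hotlist_entry_t *ap;
} hotlist_request_t;

/* Vulnerable pattern: num_bssid is trusted and drives the copy into a
 * fixed-size local array, so num_bssid > MAX_HOTLIST_ENTRIES writes past
 * the end of the stack frame.  Kept for comparison only. */
static int32_t set_hotlist_unchecked(const hotlist_request_t *req)
{
    hotlist_entry_t local[MAX_HOTLIST_ENTRIES];
    int32_t sum = 0;
    for (int32_t i = 0; i < req->num_bssid; i++) {
        local[i] = req->ap[i];            /* no bound on i */
        sum += local[i].low_rssi;
    }
    return sum;
}

/* Hardened version: validate the count against the array capacity (and
 * reject negatives) before any element is copied.  Returns 0 on success
 * with the low_rssi sum in *sum_out, or -1 if the request is rejected. */
static int set_hotlist_checked(const hotlist_request_t *req, int32_t *sum_out)
{
    hotlist_entry_t local[MAX_HOTLIST_ENTRIES];
    if (req->num_bssid < 0 || req->num_bssid > MAX_HOTLIST_ENTRIES)
        return -1;
    int32_t sum = 0;
    for (int32_t i = 0; i < req->num_bssid; i++) {
        local[i] = req->ap[i];            /* i < MAX_HOTLIST_ENTRIES guaranteed */
        sum += local[i].low_rssi;
    }
    *sum_out = sum;
    return 0;
}

/* Constructed sample entries: entry i has low_rssi = -70 - i. */
#define SAMPLE_COUNT 32
static hotlist_entry_t sample_entries[SAMPLE_COUNT];

static void init_samples(void)
{
    for (int i = 0; i < SAMPLE_COUNT; i++) {
        memset(sample_entries[i].bssid, 0, sizeof sample_entries[i].bssid);
        sample_entries[i].bssid[5] = (uint8_t)i;
        sample_entries[i].low_rssi = -70 - i;
        sample_entries[i].high_rssi = -40;
    }
}

/* Build a request with the given count over the sample entries and run
 * the checked handler; returns the handler's status. */
static int run_case(int32_t num_bssid, int32_t *sum_out)
{
    init_samples();
    hotlist_request_t req = { num_bssid, sample_entries };
    return set_hotlist_checked(&req, sum_out);
}

int main(void)
{
    int32_t sum = 0;
    int32_t counts[] = { 3, MAX_HOTLIST_ENTRIES, MAX_HOTLIST_ENTRIES + 1, -1 };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        if (run_case(counts[i], &sum) == 0)
            printf("num_bssid=%d accepted, low_rssi sum=%d\n", counts[i], sum);
        else
            printf("num_bssid=%d rejected\n", counts[i]);
    }
    /* The unchecked variant is only safe while the count is within capacity. */
    hotlist_request_t ok = { 3, sample_entries };
    printf("unchecked with in-range count: sum=%d\n", set_hotlist_unchecked(&ok));
    return 0;
}
```

The check belongs before the loop, on the count itself, rather than inside the loop on the index: a per-iteration bound would still let a negative count skip the copy silently, and it is the signed count that the caller controls.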
  8. Microsoft Internet Explorer 11 - MSHTML CSpliceTreeEngine::RemoveSplice Use-After-Free (MS14-035)
     <!-- Source: http://blog.skylined.nl/20161220001.html Synopsis A specially crafted web-page can trigger a use-after-free vulnerability in Microsoft Internet Explorer 11. There is sufficient time...

  9. WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - SQL Injection
     # Exploit Title: WP Support Plus Responsive Ticket System 7.1.3 – WordPress Plugin – Sql Injection # Exploit Author: Lenon Leite # Vendor Homepage...

  10. WordPress Plugin WP Private Messages 1.0.1 - SQL Injection (1)
      # Exploit Title: WP Private Messages 1.0.1 – Plugin WordPress – Sql Injection # Exploit Author: Lenon Leite # Vendor Homepage: https://wordpress.org/plugins/wp-private-messages/ # Software Link...

  11. Google Chrome (Fedora 25 / Ubuntu 16.04) - 'tracker-extract' / 'gnome-video-thumbnailer' + 'totem' Drive-By Download
      Source: https://scarybeastsecurity.blogspot.com/2016/12/redux-compromising-linux-using-snes.html ## Overview Full reliable 0day drive-by exploit against Fedora 25 + Google...

  12. Microsoft Internet Explorer 9 - IEFRAME CView::EnsureSize Use-After-Free (MS13-021)
      <!-- Source: http://blog.skylined.nl/20161216001.html Synopsis A specially crafted web-page can trigger a use-after-free vulnerability in Microsoft Internet Explorer 9. I did not investigate this...

  13. Naenara Browser 3.5 (RedStar 3.0 Desktop) - 'JACKRABBIT' Client-Side Command Execution
      <!-- Download: https://github.com/HackerFantastic/Public/blob/master/exploits/jackrabbit.tgz Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40936.tgz --> <html>...

  14. RedStar 3.0 Server - 'Shellshock' 'BEAM' / 'RSSMON' Command Injection
      #!/usr/bin/env python # RedStar OS 3.0 Server (BEAM & RSSMON) shellshock exploit # ======================================================== # BEAM & RSSMON are Webmin based configuration utilities # that ship with RSS server...

  15. Microsoft Edge Chakra - OP_Memset Type Confusion
      /* Since the patch for CVE-2018-8372, it checks all inputs to native arrays, and if any input equals the MissingItem value, which can cause type confusion, it starts the bailout process. But it doesn't check the "value" argument to OP_Memset...

  16. Apple macOS 10.12 16A323 XNU Kernel / iOS 10.1.1 - 'set_dp_control_port' Lack of Locking Use-After-Free
      Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=965 set_dp_control_port is a MIG method on the host_priv_port so this bug is a root->kernel escalation. kern_return_t...

  17. Microsoft Windows - DfMarshal Unsafe Unmarshaling Privilege Escalation
      Windows: DfMarshal Unsafe Unmarshaling Elevation of Privilege (Master) Platform: Windows 10 1803 (not tested earlier, although code looks similar on Win8+) Class: Elevation of Privilege Note, this is the master issue...

  18. Nagios < 4.2.4 - Local Privilege Escalation
      #!/bin/bash # # Source: https://legalhackers.com/advisories/Nagios-Exploit-Root-PrivEsc-CVE-2016-9566.html # # Nagios Core < 4.2.4 Root Privilege Escalation PoC Exploit # nagios-root-privesc.sh (ver. 1.0) # # CVE-2016-9566 # # Discovered and coded...

  19. Microsoft Internet Explorer 9 - IEFRAME CMarkup::RemovePointerPos Use-After-Free (MS13-055)
      <!-- Source: http://blog.skylined.nl/20161214001.html Synopsis A specially crafted web-page can trigger a use-after-free vulnerability in Microsoft Internet Explorer 9. I did not investigate this...

  20. Linux - Broken uid/gid Mapping for Nested User Namespaces
      commit 6397fac4915a ("userns: bump idmap limits to 340") increases the number of possible uid/gid mappings that a namespace can have from 5 to 340. This is implemented by switching to a different data structure if the number of mappings...

  21. Adobe Animate 15.2.1.95 - Memory Corruption
      [+] Credits: John Page aka hyp3rlinx [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/ADOBE-ANIMATE-MEMORY-CORRUPTION-VULNERABILITY.txt [+] ISR: ApparitionSec Vendor: ============= www.adobe.com...

  22. APT - Repository Signing Bypass via Memory Allocation Failure
      Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1020 == Vulnerability == When apt-get updates a repository that uses an InRelease file (clearsigned Release files), this file is processed as follows: First, the...

  23. Nidesoft MP3 Converter 2.6.18 - Local Buffer Overflow (SEH)
      #!python ##################################################################################### # Exploit title: MP3 converter v 2.6.18 License code SEH exploit # Date: 2016-12-15 # Vendor homepage...

  24. Nagios < 4.2.2 - Arbitrary Code Execution
      #!/usr/bin/env python # Source: https://legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html intro = """\033[94m Nagios Core < 4.2.0 Curl Command Injection / Code Execution PoC Exploit CVE-2016-9565...

  25. McAfee Virus Scan Enterprise for Linux 1.9.2 < 2.0.2 - Remote Code Execution
      ''' Source: https://nation.state.actor/mcafee.html Vulnerabilities CVE-2016-8016: Remote Unauthenticated File Existence Test CVE-2016-8017: Remote Unauthenticated File Read (with Constraints) CVE-2016-8018: No...