Search results

  1. Exploiter

    Exploit Linux Kernel (Ubuntu / Fedora / RedHat) - 'Overlayfs' Local Privilege Escalation (Metasploit)

    Linux Kernel (Ubuntu / Fedora / RedHat) - 'Overlayfs' Local Privilege Escalation (Metasploit) ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require "msf/core" class MetasploitModule <...
  2. Exploiter

    Exploit Bassmaster 1.5.1 - Batch Arbitrary JavaScript Injection Remote Code Execution (Metasploit)

    Bassmaster 1.5.1 - Batch Arbitrary JavaScript Injection Remote Code Execution (Metasploit) require 'msf/core' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpServer include...
  3. Exploiter

    Exploit Apple iOS Kernel - Use-After-Free due to bad Error Handling in Personas

    Apple iOS Kernel - Use-After-Free due to bad Error Handling in Personas /* There was recently some cleanup in the persona code to fix some race conditions there, I don't think it was sufficient: In kpersona_alloc_syscall if we provide an invalid userspace pointer for the ipd outptr we can...
  4. Exploiter

    Exploit Alienvault OSSIM/USM 5.3.1 - Persistent Cross-Site Scripting

    Alienvault OSSIM/USM 5.3.1 - Persistent Cross-Site Scripting Details ======= Product: Alienvault OSSIM/USM Vulnerability: Stored XSS Author: Peter Lapp, lappsec () gmail com CVE: CVE-2016-8581 CVSS: 3.5 Vulnerable Versions: <=5.3.1 Fixed Version: 5.3.2 Vulnerability Details...
  5. Exploiter

    Exploit Alienvault OSSIM/USM 5.3.1 - SQL Injection

    Alienvault OSSIM/USM 5.3.1 - SQL Injection Details ======= Product: Alienvault OSSIM/USM Vulnerability: SQL Injection Author: Peter Lapp, lappsec () gmail com CVE: CVE-2016-8582 Vulnerable Versions: <=5.3.1 Fixed Version: 5.3.2 Vulnerability Details ===================== A SQL injection...
  6. Exploiter

    Exploit Freefloat FTP Server 1.0 - 'DIR' Remote Buffer Overflow

    Freefloat FTP Server 1.0 - 'DIR' Remote Buffer Overflow import socket import sys import os print ''' ############################################## # Created: ScrR1pTK1dd13 # # Name: Greg Priest #...
  7. Exploiter

    Exploit Apple iOS/macOS - Kernel Memory Corruption due to Integer Overflow in IOHIDResourceQueue::enqueueReport

    Apple iOS/macOS - Kernel Memory Corruption due to Integer Overflow in IOHIDResourceQueue::enqueueReport /* IOHIDResourceQueue inherits from IOSharedDataQueue and adds its own ::enqueueReport method, which seems to be mostly copy-pasted from IOSharedDataQueue and IODataQueue's ::enqueue...
  8. Exploiter

    Exploit Alienvault OSSIM/USM 5.3.1 - PHP Object Injection

    Alienvault OSSIM/USM 5.3.1 - PHP Object Injection Details ======= Product: Alienvault OSSIM/USM Vulnerability: PHP Object Injection Author: Peter Lapp, lappsec () gmail com CVE: CVE-2016-8580 Vulnerable Versions: <=5.3.1 Fixed Version: 5.3.2 Vulnerability Details ===================== A...
  9. Exploiter

    Exploit Apple iOS - Kernel Stack Memory Disclosure due to Failure to Check copyin Return Value

    Apple iOS - Kernel Stack Memory Disclosure due to Failure to Check copyin Return Value Here's a code snippet from sleh.c with the second level exception handler for undefined instruction exceptions: static void handle_uncategorized(arm_saved_state_t *state, boolean_t instrLen2) {...
  10. Exploiter

    Exploit PCMan FTP Server 2.0.7 - 'UMASK' Remote Buffer Overflow

    PCMan FTP Server 2.0.7 - 'UMASK' Remote Buffer Overflow #!/usr/bin/env python # -*- coding: utf-8 -*- # Exploit Title: PCMan's FTP Server 2.0.7 UMASK Command Buffer Overflow Exploit # Date: 1/11/2016 # Exploit Author: Eagleblack # Tested on: Windows XP Profesional SP3...
  11. Exploiter

    Exploit Apple iOS/macOS - Sandbox Escape due to mach Message sent from Shared Memory

    Apple iOS/macOS - Sandbox Escape due to mach Message sent from Shared Memory io_hideventsystem sets up a shared memory event queue; at the end of this shared memory buffer it puts a mach message which it sends whenever it wants to notify a client that there's data available in the queue. As a...
  12. Exploiter

    Exploit Freefloat FTP Server 1.0 - 'RENAME' Remote Buffer Overflow

    Freefloat FTP Server 1.0 - 'RENAME' Remote Buffer Overflow #!/usr/bin/env python # -*- coding: utf-8 -*- # Exploit Title: FreeFloat FTP Server RENAME Command Buffer Overflow Exploit # Date: 29/10/2016 # Exploit Author: Eagleblack # Software Link...
  13. Exploiter

    Exploit Apple Intel GPU Driver - Use-After-Free/Double-Delete due to bad Locking

    Apple Intel GPU Driver - Use-After-Free/Double-Delete due to bad Locking /* This PoC file might look familiar; this bug is a trivial variant of CVE-2016-1744 (Apple bug id 635599405.) That report showed the bug in the unmap_user_memory external methods; a variant also exists in the...
  14. Exploiter

    Exploit Apple iOS/macOS - Sandbox Escape due to Trusted Length Field in Shared Memory used by HID Event Subsystem

    Apple iOS/macOS - Sandbox Escape due to Trusted Length Field in Shared Memory used by HID Event Subsystem io_hideventsystem is a MIG service which provides proxy access to various HID devices for untrusted clients. On iOS it's hosted by backboardd and on MacOS by hidd. The actual...
  15. Exploiter

    Exploit Freefloat FTP Server 1.0 - 'ABOR' Remote Buffer Overflow

    Freefloat FTP Server 1.0 - 'ABOR' Remote Buffer Overflow #!/usr/bin/env python #-*- coding: utf-8 -*- # Exploit Title: FreeFloat FTP Server BoF ABOR Command # Date: 29/10/2016 # Exploit Author: Ger # Software Link: http://www.freefloat.com/software/freefloatftpserver.zip # Version: 1.0 #...
  16. Exploiter

    Exploit KarjaSoft Sami FTP Server 2.0.2 - USER/PASS Remote Buffer Overflow (SEH)

    KarjaSoft Sami FTP Server 2.0.2 - USER/PASS Remote Buffer Overflow (SEH) #/usr/bin/python #-*- Coding: utf-8 -*- ### Sami FTP Server 2.0.2- SEH Overwrite, Buffer Overflow by n30m1nd ### # Date: 2016-01-11 # Exploit Author: n30m1nd # Vendor Homepage: http://www.karjasoft.com/ # Software...
  17. Exploiter

    Exploit My Little Forum 2.3.7 - Multiple Vulnerabilities

    My Little Forum 2.3.7 - Multiple Vulnerabilities Title: ====== My Little Forum 2.3.7 - Multiple Vulnerability Product & Service Introduction: =============================== My little forum is a simple PHP and MySQL based internet forum that displays the messages in classical threaded view...
  18. Exploiter

    Exploit School Registration and Fee System - Authentication Bypass

    School Registration and Fee System - Authentication Bypass # Exploit Title.............. School Registration and Fee System Auth Bypass # Google Dork................ N/A # Date....................... 01/11/2016 # Exploit Author............. opt1lc # Vendor Homepage...
  19. Exploiter

    Exploit Freefloat FTP Server 1.0 - 'RMD' Remote Buffer Overflow

    Freefloat FTP Server 1.0 - 'RMD' Remote Buffer Overflow #!/usr/bin/env python # -*- coding: utf-8 -*- import socket #Exploit Title: FreeFloat FTP Server Buffer Overflow RMD command #Date: 29 Octubre 2016 #Exploit Author: Karri93 #Software Link...
  20. Exploiter

    Exploit Freefloat FTP Server 1.0 - 'HOST' Remote Buffer Overflow

    Freefloat FTP Server 1.0 - 'HOST' Remote Buffer Overflow #!/usr/bin/env python #-*- coding: utf-8 -*- # Exploit Title: FreeFloat FTP Server HOST Command Buffer Overflow Exploit # Date: 30/10/2016 # Exploit Author: Cybernetic # Software Link...
  21. Exploiter

    Exploit NVIDIA Driver - Stack Buffer Overflow in Escape 0x10000e9

    NVIDIA Driver - Stack Buffer Overflow in Escape 0x10000e9 Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=947 The escape handler for 0x10000e9 lacks bounds checks, and passes a user specified size as the size to memcpy, resulting in a stack buffer overflow: bool...
  22. Exploiter

    Exploit Apple macOS 10.12 - 'task_t' Local Privilege Escalation

    Apple macOS 10.12 - 'task_t' Local Privilege Escalation Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=837 TL;DR you cannot hold or use a task struct pointer and expect the euid of that task to stay the same. Many many places in the kernel do this and there are a great many...
  23. Exploiter

    Exploit PCMan FTP Server 2.0.7 - 'DELETE' Remote Buffer Overflow

    PCMan FTP Server 2.0.7 - 'DELETE' Remote Buffer Overflow from ftplib import FTP print ''' ############################################## # Created: ScrR1pTK1dd13 # # Name: Greg Priest #...
  24. Exploiter

    Exploit NVIDIA Driver - Missing Bounds Check in Escape 0x100009a

    NVIDIA Driver - Missing Bounds Check in Escape 0x100009a Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=942 The DxgkDdiEscape handler for escape 0x100009a lacks proper bounds checks: case 0x100009A: ... size_0 = escape_data->size_1; ... size_1 = 2 -...
  25. Exploiter

    Exploit NVIDIA Driver - Missing Bounds Check in Escape 0x70000d5

    NVIDIA Driver - Missing Bounds Check in Escape 0x70000d5 Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=944 The DxgkDdiEscape handler for 0x70000d5 lacks bounds checks: ... if ( g_saved_size ) { escape->size = g_saved_size; if ( (unsigned int)g_saved_size >...