Search results

  1. Exploiter

    Exploit NVIDIA Driver - Stack Buffer Overflow in Escape 0x7000014

    NVIDIA Driver - Stack Buffer Overflow in Escape 0x7000014 Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=946 There is a missing bounds check in inner loop of the escape handler for 0x7000014 that leads to a stack buffer overflow: ... for (DWORD i = 0; < escape->num_data...
  2. Exploiter

    Exploit NVIDIA Driver - No Bounds Checking in Escape 0x7000170

    NVIDIA Driver - No Bounds Checking in Escape 0x7000170 Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=936 The DxgkDdiEscape handler for 0x7000170 lacks proper bounds checks for the variable size input escape data, and relies on a user provided size as the upper bound for...
  3. Exploiter

    Exploit NVIDIA Driver - Unchecked User-Provided Pointer in Escape 0x5000027

    NVIDIA Driver - Unchecked User-Provided Pointer in Escape 0x5000027 Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=937 The DxgkDdiEscape handler for 0x5000027 accepts a user provided pointer, but does no checks on it before using it. ... DWORD* user_ptr =...
  4. Exploiter

    Exploit NVIDIA Driver - Incorrect Bounds Check in Escape 0x70001b2

    NVIDIA Driver - Incorrect Bounds Check in Escape 0x70001b2 Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=940 The DxgkDdiEscape handler for 0x70001b2 doesn't do proper bounds checks for its variable size input. void sub_8C4304(...) { ... // escape_->size is...
  5. Exploiter

    Exploit NVIDIA Driver - NvStreamKms 'PsSetCreateProcessNotifyRoutineEx Local Stack Buffer Overflow Callback / Local Privilege Escalation

    NVIDIA Driver - NvStreamKms 'PsSetCreateProcessNotifyRoutineEx Local Stack Buffer Overflow Callback / Local Privilege Escalation Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=918 The NvStreamKms.sys driver calls PsSetCreateProcessNotifyRoutineEx to set up a process...
  6. Exploiter

    Exploit NVIDIA Driver - Escape 0x100010b Missing Bounds Check

    NVIDIA Driver - Escape 0x100010b Missing Bounds Check Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=927 The DxgkDdiEscape handler for escape code 0x100010b looks like: char escape_100010b(NvMiniportDeviceContext *miniport_context, HANDLE handle, unsigned int idx) {...
  7. Exploiter

    Exploit Any Sound Recorder 2.93 - Buffer Overflow (SEH)

    Any Sound Recorder 2.93 - Buffer Overflow (SEH) # Exploit Title: Any Sound Recorder 2.93 - Buffer Overflow (SEH) # Exploit Author: Abdullah Alic # Discovery Date: 2018-10-16 # Homepage: http://www.any-sound-recorder.com # Software Link: http://www.any-sound-recorder.com/anysoundrecorder.exe #...
  8. Exploiter

    Exploit NVIDIA Driver - No Bounds Checking in Escape 0x7000194

    NVIDIA Driver - No Bounds Checking in Escape 0x7000194 Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=895 The DxgkDdiEscape handler for 0x7000194 doesn't do bounds checking with the user provided lengths it receives. When these lengths are passed to memcpy, overreads and...
  9. Exploiter

    Exploit VLC Media Player - MKV Use-After-Free (Metasploit)

    VLC Media Player - MKV Use-After-Free (Metasploit) ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit Rank = GreatRanking include Msf::Exploit::FILEFORMAT def...
  10. Exploiter

    Exploit NVIDIA Driver - Unchecked Write to User-Provided Pointer in Escape 0x600000D

    NVIDIA Driver - Unchecked Write to User-Provided Pointer in Escape 0x600000D Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=911 The DxgkDdiEscape handler for 0x600000D passes an unchecked user provided pointer as the destination for a memcpy call. This leads to kernel...
  11. Exploiter

    Exploit NVIDIA Driver - Escape Code Leaks Uninitialised ExAllocatePoolWithTag Memory to Userspace

    NVIDIA Driver - Escape Code Leaks Uninitialised ExAllocatePoolWithTag Memory to Userspace Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=892 The handler for the DxgkDdiEscape escape code 0x70000D4 has the following pseudocode: void __fastcall...
  12. Exploiter

    Exploit NVIDIA Driver - Unchecked Write to User-Provided Pointer in Escape 0x700010d

    NVIDIA Driver - Unchecked Write to User-Provided Pointer in Escape 0x700010d Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=894 The DxgkDdiEscape handler for 0x700010d accepts a user provided pointer as the destination for a memcpy call, without doing any checks on said...
  13. Exploiter

    Exploit Solaris - RSH Stack Clash Privilege Escalation (Metasploit)

    Solaris - RSH Stack Clash Privilege Escalation (Metasploit) ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = GoodRanking include Msf::Post::File...
  14. Exploiter

    Exploit Apple OS X/iOS - 'mach_ports_register' Multiple Memory Safety s

    Apple OS X/iOS - 'mach_ports_register' Multiple Memory Safety s Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=882 mach_ports_register is a kernel task port MIG method. It's defined in MIG like this: routine mach_ports_register( target_task : task_t...
  15. Exploiter

    Exploit NVIDIA Driver - UVMLiteController ioctl Handling Unchecked Input/Output Lengths Privilege Escalation

    NVIDIA Driver - UVMLiteController ioctl Handling Unchecked Input/Output Lengths Privilege Escalation /* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=880 The \\.\UVMLiteController device is created by the nvlddmkm.sys driver, and can be opened by any user. The driver...
  16. Exploiter

    Exploit Microsoft Windows - 'FSCTL_FIND_FILES_BY_SID' Information Disclosure

    Microsoft Windows - 'FSCTL_FIND_FILES_BY_SID' Information Disclosure Windows: FSCTL_FIND_FILES_BY_SID Information Disclosure Platform: Windows 10 (1709, 1803) Class: Information Disclosure / Elevation of Privilege Summary: The FSCTL_FIND_FILES_BY_SID control code doesn’t check for permissions...
  17. Exploiter

    Exploit S9Y Serendipity 2.0.4 - Cross-Site Scripting

    S9Y Serendipity 2.0.4 - Cross-Site Scripting ======================================== Title: Serendipity-2.0.4 (latest version) - Stored Cross Site Scripting Application: Serendipity Class: Sensitive Information disclosure Versions Affected: <= latest version Vendor URL...
  18. Exploiter

    Exploit Apple OS X Kernel - IOBluetoothFamily.kext Use-After-Free

    Apple OS X Kernel - IOBluetoothFamily.kext Use-After-Free /* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=830 When you create a new IOKit user client from userspace you call: kern_return_t IOServiceOpen( io_service_t service, task_port_t owningTask, uint32_t type...
  19. Exploiter

    Exploit Apple OS X/iOS Kernel - IOSurface Use-After-Free

    Apple OS X/iOS Kernel - IOSurface Use-After-Free Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=831 IOSurfaceRootUserClient stores a task struct pointer (passed in via IOServiceOpen) in the field at +0xf0 without taking a reference. By killing the corresponding task we can...
  20. Exploiter

    Exploit freeFTPd 1.0.8 - 'mkd' Denial of Service

    freeFTPd 1.0.8 - 'mkd' Denial of Service from ftplib import FTP print ''' `,;'++';,` `'++++++++++++++++;` .+++++++++++++++++++++++'`...
  21. Exploiter

    Exploit Micro Focus Rumba 9.4 - Local Denial of Service

    Micro Focus Rumba 9.4 - Local Denial of Service # Exploit Title: Micro Focus Rumba 9.4 Multiple Local Stack-overflow # Date: 29-10-2016 # Exploit Author: Umit Aksu # Vendor Homepage: http://www.microfocus.com/ # Software Link...
  22. Exploiter

    Exploit Micro Focus Rumba 9.3 - ActiveX Stack Buffer Overflow (PoC)

    Micro Focus Rumba 9.3 - ActiveX Stack Buffer Overflow (PoC) # Exploit Title: Micro Focus Rumba <= 9.3 ActiveX Stack-based buffer overflow # Date: 29-10-2016 # Exploit Author: Umit Aksu # Vendor Homepage...
  23. Exploiter

    Exploit uSQLite 1.0.0 - Denial of Service

    uSQLite 1.0.0 - Denial of Service #!/usr/bin/python # Exploit Title: Remote buffer overflow vulnerability in uSQLite 1.0.0 PoC # Date: 27/10/1016 # Exploit Author: Peter Baris # Software Link: https://sourceforge.net/projects/usqlite/?source=directory # Version: 1.0.0 # Tested on: windows 7...
  24. Exploiter

    Exploit CherryTree 0.36.9 - Memory Corruption (PoC)

    CherryTree 0.36.9 - Memory Corruption (PoC) #!/usr/bin/python ### CherryTree 0.36.9 - Memory Corruption PoC by n30m1nd ### # Date: 2016-10-27 # PoC Author: n30m1nd # Vendor Homepage: http://www.giuspen.com/cherrytree/ # Software Link...
  25. Exploiter

    Exploit Baby FTP server 1.24 - Denial of Service (2)

    Baby FTP server 1.24 - Denial of Service (2) #!/usr/bin/python ### Baby FTP 1.24 - Denial of Service by n30m1nd ### # Date: 2016-10-27 # PoC Author: n30m1nd # Vendor Homepage: http://www.pablosoftwaresolutions.com/ # Software Link: http://www.pablosoftwaresolutions.com/download.php?id=1 #...