2035 matches found
Microsoft MsMpEng - Use-After-Free via Saved Callers
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1259 In JsRuntimeState::setCaller, it saves the current caller in the JsRuntimeState objectrcx+158h in 64-bit. But the garbage collector doesn't mark this saved value. So it results in a UAF. Unlike in our test environmentLinux, it...
Apple iOS / MacOS Domain Socket Kernel Use-After-Free(CVE-2017-2501)
iOS/MacOS kernel uaf due to bad locking in unix domain socket file descriptor externalization unpexternalize is responsible for externalizing the file descriptors carried within a unix domain socket message. That means allocating new fd table entries in the receiver and recreating a file which...
WebKit: UXSS via Editor::Command::execute(CVE-2017-2504)
An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. Safari before 10.1.1 is affected. tvOS before 10.2.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to conduct Universal XSS UXSS attacks via a crafted web site that improperly...
WebKit Editor::Command::execute Universal Cross Site Scripting
WebKit: UXSS via Editor::Command::execute CVE-2017-2504 Here's a snippet of Editor::Command::execute used to handle |document.execCommand|. bool Editor::Command::executeconst String& parameter, Event triggeringEvent const if !isEnabledtriggeringEvent // Let certain commands be executed when...
Apple WebKit Safari 10.0.3(12602.4.8) - Editor::Command::execute Universal Cross-Site Scripting
Apple WebKit Safari 10.0.312602.4.8 - Editor::Command::execute Universal Cross-Site Scripting document-updateLayoutIgnorePendingStylesheets; return mcommand-executemframe, triggeringEvent, msource, parameter; This method is invoked under an |EventQueueScope|. But...
Apple iOS / macOS Kernel - Use-After-Free Due to Bad Locking in Unix Domain Socket File Descriptor E
Exploit for multiple platform in category dos / poc / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1123 unpexternalize is responsible for externalizing the file descriptors carried within a unix domain socket message. That means allocating new fd table entries in the receiver...
MS16-145: Edge browser the TypedArray. sort UAF vulnerability analysis-vulnerability warning-the black bar safety net
In this article, we will provide the reader detailed analysis of how to use the MS Edge browser in the UAF vulnerability to remote code execution. This article will provide readers in-depth analysis of the impact of MS Edge CVE-2016-7288 UAF vulnerability root causes, and how to reliably trigger...
XNU kernel UaF due to lack of locking in set_dp_control_port (CVE-2016-7644)
setdpcontrolport is a MIG method on the hostprivport so this bug is a root-kernel escalation. kernreturnt setdpcontrolport hostprivt hostpriv, ipcportt controlport if hostpriv == HOSTPRIVNULL return KERNINVALIDHOST; if IPVALIDdynamicpagercontrolport ipcportreleasesenddynamicpagercontrolport;...
Apple macOSiOS Kernel 10.12.3 (16D32) - Bad Locking in necp_open Use-After-Free
Apple macOSiOS Kernel 10.12.3 16D32 - Bad Locking in necpopen Use-After-Free / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1116 necpopen is a syscall used to obtain a new necp file descriptor The necp file's fp's fgdata points to a struct necpfddata allocated on the heap...
MacOS kernel uaf due to double-release in posix_spawn(CVE-2017-2472)
exechandleportactions is responsible for handling the map port actions extension to posixspawn. It supports 4 different types of port PSPASPECIAL, PSPAEXCEPTION, PSPAAUSESSION and PSPAIMPWATCHPORTS For the special, exception and audit the ports it tries to update the new task to reflect the port...
MacOS/iOS kernel uaf due to bad locking in necp_open (CVE-2017-2478)
necpopen is a syscall used to obtain a new necp file descriptor The necp file's fp's fgdata points to a struct necpfddata allocated on the heap. Here's the relevant code from necpopen: error = fallocp, &fp, &fd, vfscontextcurrent; --------------------- a if error != 0 goto done; if fddata =...
Apple macOS Kernel 10.12.3 (16D32) - Use-After-Free Due to Double-Release in posix_spawn
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1104 exechandleportactions is responsible for handling the xnu port actions extension to posixspawn. It supports 4 different types of port PSPASPECIAL, PSPAEXCEPTION, PSPAAUSESSION and PSPAIMPWATCHPORTS For the special, exception...
macOS / iOS Kernel 10.12.3 (16D32) - Bad Locking in necp_open Use-After-Free Exploit
Exploit for multiple platform in category dos / poc / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1116 necpopen is a syscall used to obtain a new necp file descriptor The necp file's fp's fgdata points to a struct necpfddata allocated on the heap. Here's the relevant code fr...
Microsoft Edge 38.14393.0.0 - JavaScript Engine Use-After-Free Exploit
Exploit for windows platform in category dos / poc f.onload = null; for var x in window if whitelist.indexOfx != -1 continue; try window.lookupGetterx.callf.contentWindow; logx; catch e ; f.src = "https://abc.xyz/"; document.body.appendChildf; And after some plays, finally reached an UAF conditio...
Windows Exploit development tutorial series--stack injection a-vulnerability warning-the black bar safety net
! Foreword Welcome to the heap spray tutorial the first part. This Part I will introduce the IE under typical heap spray technique, the second part will introduce the precise injection and IE8 under UAF vulnerabilities. It is worth mentioning that, the stack injection is just a payload Delivery...
Reverse Safety series: Use After Free vulnerability analysis-vulnerability warning-the black bar safety net
One, Foreword Thinking the next step is to write a use after free small summary, just happened to be the nearest Lake Gordon Cup 2016 the one.---- game Use the use after free can be out. This title is their first in more formal competitions, make pwn title, do this question of time spent a lot, t...
MacOS Kernel < 10.12.2 / iOS < 10.2 - ipc_port_t Reference Count Leak Due to Incorrect externa
Exploit for multiple platform in category dos / poc Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=930 IOUserClient subclasses which override IOUserClient::externalMethod need to ensure that if they return kIOReturnSuccess they actually take ownership of the machportt...
MacOS Kernel < 10.12.2 / iOS < 10.2 - _kernelrpc_mach_port_insert_right_trap Reference Count L
Exploit for multiple platform in category local exploits / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=941 Proofs of Concept: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40956.zip The previous ref count overflow bugs were all kinda...
PHP garbage collection mechanism UAF vulnerability analysis-vulnerability warning-the black bar safety net
First, the PHP garbage collection mechanism introduction Because PHP is among the presence of circular references, only the refcount of the counter as a garbage collection mechanism is not enough, so in PHP5. 3 introduced a new garbage collection mechanism. $a = array'one'; $a = &$a; unset$a; ?&...
Overflow using FILE structure-vulnerability warning-the black bar safety net
Recently, the Shanghai University student network security game it only shows a title pwn450, for not a lot of me, and instantly rip off forced, but the gangster or gangster, and finally was quite what the Yankees do come up, but anyway I didn't make out, and finally see explanations, with two...