Lucene search
+L

2035 matches found

Exploit DB
Exploit DB
added 2017/05/30 12:0 a.m.49 views

Microsoft MsMpEng - Use-After-Free via Saved Callers

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1259 In JsRuntimeState::setCaller, it saves the current caller in the JsRuntimeState objectrcx+158h in 64-bit. But the garbage collector doesn't mark this saved value. So it results in a UAF. Unlike in our test environmentLinux, it...

7.4AI score
Exploits0
seebug.org
seebug.org
added 2017/05/27 12:0 a.m.68 views

Apple iOS / MacOS Domain Socket Kernel Use-After-Free(CVE-2017-2501)

iOS/MacOS kernel uaf due to bad locking in unix domain socket file descriptor externalization unpexternalize is responsible for externalizing the file descriptors carried within a unix domain socket message. That means allocating new fd table entries in the receiver and recreating a file which...

7.6CVSS8.3AI score0.04189EPSS
Exploits3
seebug.org
seebug.org
added 2017/05/26 12:0 a.m.40 views

WebKit: UXSS via Editor::Command::execute(CVE-2017-2504)

An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. Safari before 10.1.1 is affected. tvOS before 10.2.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to conduct Universal XSS UXSS attacks via a crafted web site that improperly...

4.3CVSS6.7AI score0.03347EPSS
Exploits4
Packet Storm
Packet Storm
added 2017/05/25 12:0 a.m.74 views

WebKit Editor::Command::execute Universal Cross Site Scripting

WebKit: UXSS via Editor::Command::execute CVE-2017-2504 Here's a snippet of Editor::Command::execute used to handle |document.execCommand|. bool Editor::Command::executeconst String& parameter, Event triggeringEvent const if !isEnabledtriggeringEvent // Let certain commands be executed when...

6.9AI score0.03347EPSS
Exploits4
exploitpack
exploitpack
added 2017/05/25 12:0 a.m.28 views

Apple WebKit Safari 10.0.3(12602.4.8) - Editor::Command::execute Universal Cross-Site Scripting

Apple WebKit Safari 10.0.312602.4.8 - Editor::Command::execute Universal Cross-Site Scripting document-updateLayoutIgnorePendingStylesheets; return mcommand-executemframe, triggeringEvent, msource, parameter; This method is invoked under an |EventQueueScope|. But...

6.7AI score
Exploits0
0day.today
0day.today
added 2017/05/23 12:0 a.m.65 views

Apple iOS / macOS Kernel - Use-After-Free Due to Bad Locking in Unix Domain Socket File Descriptor E

Exploit for multiple platform in category dos / poc / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1123 unpexternalize is responsible for externalizing the file descriptors carried within a unix domain socket message. That means allocating new fd table entries in the receiver...

7.6CVSS8.4AI score0.04189EPSS
Exploits3
myhack58
myhack58
added 2017/05/08 12:0 a.m.75 views

MS16-145: Edge browser the TypedArray. sort UAF vulnerability analysis-vulnerability warning-the black bar safety net

In this article, we will provide the reader detailed analysis of how to use the MS Edge browser in the UAF vulnerability to remote code execution. This article will provide readers in-depth analysis of the impact of MS Edge CVE-2016-7288 UAF vulnerability root causes, and how to reliably trigger...

7.6CVSS0.70354EPSS
Exploits2
seebug.org
seebug.org
added 2017/04/17 12:0 a.m.62 views

XNU kernel UaF due to lack of locking in set_dp_control_port (CVE-2016-7644)

setdpcontrolport is a MIG method on the hostprivport so this bug is a root-kernel escalation. kernreturnt setdpcontrolport hostprivt hostpriv, ipcportt controlport if hostpriv == HOSTPRIVNULL return KERNINVALIDHOST; if IPVALIDdynamicpagercontrolport ipcportreleasesenddynamicpagercontrolport;...

9.3CVSS7.7AI score0.0676EPSS
Exploits7
exploitpack
exploitpack
added 2017/04/04 12:0 a.m.27 views

Apple macOSiOS Kernel 10.12.3 (16D32) - Bad Locking in necp_open Use-After-Free

Apple macOSiOS Kernel 10.12.3 16D32 - Bad Locking in necpopen Use-After-Free / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1116 necpopen is a syscall used to obtain a new necp file descriptor The necp file's fp's fgdata points to a struct necpfddata allocated on the heap...

7.3AI score
Exploits0
seebug.org
seebug.org
added 2017/04/04 12:0 a.m.50 views

MacOS kernel uaf due to double-release in posix_spawn(CVE-2017-2472)

exechandleportactions is responsible for handling the map port actions extension to posixspawn. It supports 4 different types of port PSPASPECIAL, PSPAEXCEPTION, PSPAAUSESSION and PSPAIMPWATCHPORTS For the special, exception and audit the ports it tries to update the new task to reflect the port...

9.3CVSS8.9AI score0.04579EPSS
Exploits2
seebug.org
seebug.org
added 2017/04/04 12:0 a.m.56 views

MacOS/iOS kernel uaf due to bad locking in necp_open (CVE-2017-2478)

necpopen is a syscall used to obtain a new necp file descriptor The necp file's fp's fgdata points to a struct necpfddata allocated on the heap. Here's the relevant code from necpopen: error = fallocp, &fp, &fd, vfscontextcurrent; --------------------- a if error != 0 goto done; if fddata =...

7.6CVSS8.5AI score0.04748EPSS
Exploits2
Exploit DB
Exploit DB
added 2017/04/04 12:0 a.m.44 views

Apple macOS Kernel 10.12.3 (16D32) - Use-After-Free Due to Double-Release in posix_spawn

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1104 exechandleportactions is responsible for handling the xnu port actions extension to posixspawn. It supports 4 different types of port PSPASPECIAL, PSPAEXCEPTION, PSPAAUSESSION and PSPAIMPWATCHPORTS For the special, exception...

7.4AI score
Exploits0
0day.today
0day.today
added 2017/04/04 12:0 a.m.124 views

macOS / iOS Kernel 10.12.3 (16D32) - Bad Locking in necp_open Use-After-Free Exploit

Exploit for multiple platform in category dos / poc / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1116 necpopen is a syscall used to obtain a new necp file descriptor The necp file's fp's fgdata points to a struct necpfddata allocated on the heap. Here's the relevant code fr...

7.6CVSS8.4AI score0.04748EPSS
Exploits2
0day.today
0day.today
added 2017/03/16 12:0 a.m.62 views

Microsoft Edge 38.14393.0.0 - JavaScript Engine Use-After-Free Exploit

Exploit for windows platform in category dos / poc f.onload = null; for var x in window if whitelist.indexOfx != -1 continue; try window.lookupGetterx.callf.contentWindow; logx; catch e ; f.src = "https://abc.xyz/"; document.body.appendChildf; And after some plays, finally reached an UAF conditio...

7.6CVSS7.7AI score0.78538EPSS
Exploits2
myhack58
myhack58
added 2017/03/01 12:0 a.m.41 views

Windows Exploit development tutorial series--stack injection a-vulnerability warning-the black bar safety net

! Foreword Welcome to the heap spray tutorial the first part. This Part I will introduce the IE under typical heap spray technique, the second part will introduce the precise injection and IE8 under UAF vulnerabilities. It is worth mentioning that, the stack injection is just a payload Delivery...

8AI score
Exploits0
myhack58
myhack58
added 2017/01/10 12:0 a.m.33 views

Reverse Safety series: Use After Free vulnerability analysis-vulnerability warning-the black bar safety net

One, Foreword Thinking the next step is to write a use after free small summary, just happened to be the nearest Lake Gordon Cup 2016 the one.---- game Use the use after free can be out. This title is their first in more formal competitions, make pwn title, do this question of time spent a lot, t...

7.5AI score
Exploits0
0day.today
0day.today
added 2016/12/23 12:0 a.m.56 views

MacOS Kernel < 10.12.2 / iOS < 10.2 - ipc_port_t Reference Count Leak Due to Incorrect externa

Exploit for multiple platform in category dos / poc Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=930 IOUserClient subclasses which override IOUserClient::externalMethod need to ensure that if they return kIOReturnSuccess they actually take ownership of the machportt...

9.3CVSS7.3AI score0.04229EPSS
Exploits6
0day.today
0day.today
added 2016/12/23 12:0 a.m.73 views

MacOS Kernel < 10.12.2 / iOS < 10.2 - _kernelrpc_mach_port_insert_right_trap Reference Count L

Exploit for multiple platform in category local exploits / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=941 Proofs of Concept: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40956.zip The previous ref count overflow bugs were all kinda...

7.2CVSS8.1AI score0.01256EPSS
Exploits1
myhack58
myhack58
added 2016/12/19 12:0 a.m.106 views

PHP garbage collection mechanism UAF vulnerability analysis-vulnerability warning-the black bar safety net

First, the PHP garbage collection mechanism introduction Because PHP is among the presence of circular references, only the refcount of the counter as a garbage collection mechanism is not enough, so in PHP5. 3 introduced a new garbage collection mechanism. $a = array'one'; $a = &$a; unset$a; ?&...

7.5CVSS0.2AI score0.15484EPSS
Exploits5
myhack58
myhack58
added 2016/11/26 12:0 a.m.53 views

Overflow using FILE structure-vulnerability warning-the black bar safety net

Recently, the Shanghai University student network security game it only shows a title pwn450, for not a lot of me, and instantly rip off forced, but the gangster or gangster, and finally was quite what the Yankees do come up, but anyway I didn't make out, and finally see explanations, with two...

7.9AI score
Exploits0
Rows per page
Query Builder