6839 matches found

Securelist
added 2018/02/08 10:0 a.m., 26 views

A vulnerable driver: lesson almost learned

Recently, we started receiving suspicious events from our internal sandbox Exploit Checker plugin. Our heuristics for supervisor mode code execution in the user address space were constantly being triggered, and an executable file was being flagged for further analysis. At first, it looked like...

AI score: 8.2
Exploits: 0

CNVD
added 2018/02/08 12:0 a.m., 2 views

Polaris office 2017 suffers from a denial of service vulnerability (CNVD-2018-03856)

Polaris Office is an office software developed by INFRAWARE of Korea. You can view and edit Word documents, Excel tables, Microsoft Office PowerPoint slides and other commonly used office documents. A denial of service vulnerability exists in PSlide.exe of Polaris office 2017 when opening a ppt...

AI score: 6.6
Exploits: 0

0day.today
added 2018/02/07 12:0 a.m., 29 views

Vivotek IP Cameras - Remote Stack Overflow (PoC) Vulnerability

Exploit for multiple platform in category remote exploits STX Subject: Vivotek IP Cameras - Remote Stack Overflow Researcher: bashis September-October 2017 PoC: https://github.com/mcw0/PoC Release date: November 13, 2017 Full Disclosure: 43 days Attack Vector: Remote Authentication: Anonymous no...

AI score: 7.1
Exploits: 0

OSV
added 2018/02/06 9:29 p.m., 0 views

UBUNTU-CVE-2018-6759

The bfd_get_debug_link_info_1 function in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, has an unchecked strnlen operation. Remote attackers could leverage this vulnerability to cause a denial of service (segmentation fault) via a crafted ELF file...

CVSS: 5.5, AI score: 6.8, EPSS: 0.00181
Exploits: 0, References: 3

CNVD
added 2018/02/06 12:0 a.m., 2 views

GNU Binutils load_specific_debug_section() function denial of service vulnerability

GNU Binutils a.k.a. GNU Binary Utilities or binutils is a set of programming language utility programs developed by the GNU Project to work with target files in a variety of formats, with connectors, assemblers, and other tools for target files and archives. A security vulnerability exists in the...

CVSS: 7.8, AI score: 8.1, EPSS: 0.00147
Exploits: 1, References: 1

Metasploit
added 2018/02/05 1:47 p.m., 55 views

MagniComp SysInfo mcsiwrapper Privilege Escalation

This module attempts to gain root privileges on systems running MagniComp SysInfo versions prior to 10-H64. The .mcsiwrapper suid executable allows loading a config file using the '--configfile' argument. The 'ExecPath' config directive is used to set the executable load path. This module abuses...

CVSS: 6.7, AI score: 0.5, EPSS: 0.21359
Exploits: 5

CNVD
added 2018/02/02 12:0 a.m., 1 views

Denial of Service Vulnerability in WPS Software of Kingsoft Corporation Ltd.

WPS Office is an office software suite independently developed by Kingsoft Corporation Limited, which can realize the most commonly used text, table, presentation and many other functions of office software. Kingsoft WPS software has a memory access vulnerability when viewing the executable progr...

AI score: 6.8
Exploits: 0

Cvelist
added 2018/02/01 9:0 p.m., 24 views

CVE-2017-3160

After the Android platform is added to Cordova the first time, or after a project is created using the build scripts, the scripts will fetch Gradle on the first build. However, since the default URI is not using https, it is vulnerable to a MiTM and the Gradle executable is not safe. The severity...

AI score: 7.7, EPSS: 0.00341
Exploits: 1, References: 3

Exploit DB
added 2018/02/01 12:0 a.m., 68 views

Sync Breeze Enterprise 10.4.18 - Remote Buffer Overflow (SEH)

Exploit Title: Sync Breeze Enterprise v10.4.18 Server - Unauthenticated Remote Buffer Overflow SEH Date: 29/01/2018 Exploit Author: Daniel Teixeira Vendor Homepage: http://www.syncbreeze.com Software Link: http://www.syncbreeze.com/setups/syncbreezeentsetupv10.4.18.exe Version: 10.4.18 Tested on:...

AI score: 7.4
Exploits: 0

CNVD
added 2018/01/31 12:0 a.m., 2 views

HPE Intelligent Management Center PLAT Remote Code Execution Vulnerability (CNVD-2018-03956)

HPE Intelligent Management Center iMC PLAT for Windows is a suite of intelligent management center solutions for networks based on the Windows platform from Hewlett Packard Enterprise (HPE). The solution provides network-wide visibility and enables comprehensive management of resources, services an...

CVSS: 10, AI score: 8.6, EPSS: 0.12217
Exploits: 0, References: 1

0day.today
added 2018/01/28 12:0 a.m., 18 views

Linux/x86 - Egghunter Shellcode (12 Bytes)

/ Title: Linux/x86 - EggHunter Shellcode 12 Bytes Description: Smallest Null-Free Egg Hunter Shellcode - 12 Bytes Date : 14/Jan/2018 Author: Nipun Jaswal @nipunjaswal ; SLAE-1080 Details: 1. Works with an executable EGG 2. Make sure you clear EDX, EAX registers in the shellcode before any other...

AI score: 0.2
Exploits: 0

RedHat Linux
added 2018/01/25 2:43 p.m., 3 views

nautilus: Insufficient validation of trust of .desktop files with execute permission

An untrusted .desktop file with executable permission set could choose its displayed name and icon, and execute commands without warning when opened by the user. An attacker could use this flaw to trick a user into opening a .desktop file disguised as a document, such as a PDF, and execute...

CVSS: 6.5, AI score: 6.1, EPSS: 0.03908
Exploits: 1, References: 4

Metasploit
added 2018/01/23 7:0 a.m., 39 views

Unix Command Shell, Bind UDP (via socat)

Creates an interactive shell via socat This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 70 include Msf::Payload::Single include Msf::Sessions::CommandShellOptions def initializeinfo...

AI score: 7.1
Exploits: 0

Metasploit
added 2018/01/23 7:0 a.m., 39 views

Unix Command Shell, Reverse UDP (via socat)

Creates an interactive shell via socat This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 87 include Msf::Payload::Single include Msf::Sessions::CommandShellOptions def initializeinfo...

AI score: 7.1
Exploits: 0

UbuntuCve
added 2018/01/23 12:0 a.m., 21 views

CVE-2018-5105

WebExtensions can bypass user prompts to first save and then open an arbitrarily downloaded file. This can result in an executable file running with local user privileges without explicit user consent. This vulnerability affects Firefox 58...

CVSS: 7.8, AI score: 7.1, EPSS: 0.00068
Exploits: 0, References: 3

CNVD
added 2018/01/16 12:0 a.m., 1 views

Code Execution Vulnerability in WPS Office

WPS Office is an office software suite developed independently by Kingsoft Corporation. A code execution vulnerability exists in the EqnEdit.exe program in the WPS Office software, which can be exploited by an attacker to execute malicious code on the target system, remotely install malware, and...

AI score: 7.9
Exploits: 0

Kitploit
added 2018/01/14 12:41 p.m., 93 views

DNSExfiltrator - Data exfiltration over DNS request covert channel

DNSExfiltrator allows for transferring (exfiltrating) a file over a DNS request covert channel. This is basically a data leak testing tool allowing to exfiltrate data over a covert channel. DNSExfiltrator has two sides: 1. The server side, coming as a single python script dnsexfiltrator.py, which act...

AI score: 7.3
Exploits: 0, References: 1

exploitpack
added 2018/01/11 12:0 a.m., 13 views

Microsoft Windows - NtImpersonateAnonymousToken LPAC to Non-LPAC Privilege Escalation

Microsoft Windows - NtImpersonateAnonymousToken LPAC to Non-LPAC Privilege Escalation Windows: NtImpersonateAnonymousToken LPAC to Non-LPAC EoP Platform: Windows 10 1703 and 1709 not tested Windows 8.x Class: Elevation of Privilege Summary: When impersonating the anonymous token in an LPAC the...

AI score: 0.1
Exploits: 0

CNVD
added 2018/01/08 12:0 a.m., 2 views

Unspecified Vulnerability in GuixSD

GuixSD is an advanced version of a set of GNU Linux operating systems developed by the GNU Project. It is equipped with the GNU Guix package manager, support for transactional upgrades, etc., and provides an interface to the Guile Scheme API. GuixSD Git commit...

CVSS: 5.5, AI score: 6.8, EPSS: 0.00022
Exploits: 0, References: 1

OSV
added 2017/12/29 3:29 p.m., 1 views

CVE-2017-17968

A buffer overflow vulnerability in NetTransport.exe in NetTransport Download Manager 2.96L and earlier could allow remote HTTP servers to execute arbitrary code on NAS devices via a long HTTP response...

CVSS: 9.8, AI score: 6.4, EPSS: 0.54586
Exploits: 6, References: 1