330 matches found
CVE-2016-9679
Citrix Provisioning Services before 7.12 allows attackers to execute arbitrary code by overwriting a function pointer...
Reverse Safety series: Use After Free vulnerability analysis-vulnerability warning-the black bar safety net
1. Foreword: I have been meaning to write a short summary of use-after-free, and it so happens that the recent Lake Gordon Cup 2016 had one ---- a game challenge that can be solved with a use-after-free. This was my first pwn challenge in a more formal competition, and I spent a lot of time on it, t...
Oracle OIT IX SDK libvs_pdf XRef Index Code Execution Vulnerability
Talos Vulnerability Report TALOS-2016-0086 Oracle OIT IX SDK libvs_pdf XRef Index Code Execution Vulnerability April 19, 2016 CVE Number CVE-2016-3455 DESCRIPTION A vulnerability in the PDF parser of the IX SDK exists that allows an out-of-bounds heap memory overwrite potentially leading to remote cod...
Fedora 23 : glibc-2.22-6.fc23 (2015-7174c4d68d)
This update re-adds large file support to the openat function, removes support for the LD_POINTER_GUARD environment variable, which could be used to weaken security protections in AT_SECURE/SUID binaries, and adds function pointer obfuscation to the TLS destructor list. Note that Tenable Network...
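The "function pointer obfuscation" in the glibc entry above refers to glibc's PTR_MANGLE/PTR_DEMANGLE scheme: stored function pointers are XORed with a per-process secret and rotated, and only demangled immediately before the call. The following is an added example written for this page, not glibc's own code. It assumes a fixed guard constant so it is deterministic (glibc derives the real guard from the AT_RANDOM bytes the kernel supplies at exec and keeps it in TLS); the rotate amount of 17 matches x86_64 glibc, and the destructor list, `register_dtor`, `run_dtors` and the `demo_*` functions are illustrative names.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not glibc's code. A function-pointer list protected the way
 * glibc protects its TLS destructor list: each stored pointer is mangled
 * (xor with a per-process secret, then rotate) and demangled only right
 * before the call, so an attacker who overwrites a slot with a raw address
 * produces a garbage pointer instead of steering the call.
 *
 * Assumption: the guard is a constant here so the example is deterministic.
 * glibc draws it from AT_RANDOM at startup and stores it in TLS. */

#define PTR_BITS (8u * sizeof(uintptr_t))
#define ROT      17u

static uintptr_t pointer_guard = (uintptr_t)0x5e1fc0de9a3b7c41ULL;

static uintptr_t rol(uintptr_t v, unsigned n) { return (v << n) | (v >> (PTR_BITS - n)); }
static uintptr_t ror(uintptr_t v, unsigned n) { return (v >> n) | (v << (PTR_BITS - n)); }

uintptr_t ptr_mangle(uintptr_t p)   { return rol(p ^ pointer_guard, ROT); }
uintptr_t ptr_demangle(uintptr_t m) { return ror(m, ROT) ^ pointer_guard; }

typedef void (*dtor_fn)(void *);

struct dtor_entry { uintptr_t mangled_fn; void *arg; };

#define MAX_DTORS 4
static struct dtor_entry dtor_list[MAX_DTORS];
static size_t dtor_count;

/* Store the destructor in mangled form (as __cxa_thread_atexit_impl does). */
int register_dtor(dtor_fn fn, void *arg) {
    if (dtor_count >= MAX_DTORS) return -1;
    dtor_list[dtor_count].mangled_fn = ptr_mangle((uintptr_t)fn);
    dtor_list[dtor_count].arg = arg;
    dtor_count++;
    return 0;
}

/* Demangle and call each registered destructor; returns how many ran. */
size_t run_dtors(void) {
    size_t ran = 0;
    while (dtor_count > 0) {
        struct dtor_entry *e = &dtor_list[--dtor_count];
        dtor_fn fn = (dtor_fn)ptr_demangle(e->mangled_fn);
        fn(e->arg);
        ran++;
    }
    return ran;
}

/* --- demo pieces --- */
static void real_dtor(void *arg) { *(int *)arg += 1; }
static void gadget(void *arg)    { (void)arg; }  /* stands in for the attacker's target */

/* Legitimate path: register one destructor, run the list, return the hit count (1). */
int demo_legit(void) {
    int hits = 0;
    dtor_count = 0;
    register_dtor(real_dtor, &hits);
    run_dtors();
    return hits;
}

/* Attacker overwrites a slot with the raw address of gadget() via some
 * arbitrary write. Returns 1 if the demangled value would reach gadget(),
 * 0 otherwise. The slot is inspected rather than called so this cannot crash. */
int demo_raw_overwrite(void) {
    dtor_list[0].mangled_fn = (uintptr_t)gadget;   /* raw, never mangled */
    return ptr_demangle(dtor_list[0].mangled_fn) == (uintptr_t)gadget;
}

/* Same attack after the attacker has leaked pointer_guard (it sits in TLS and
 * is readable with an arbitrary read): they pre-mangle the address themselves.
 * Returns 1, i.e. the mitigation is only as strong as the guard's secrecy. */
int demo_guard_leak(void) {
    uintptr_t leaked_guard = pointer_guard;
    dtor_list[0].mangled_fn = rol((uintptr_t)gadget ^ leaked_guard, ROT);
    return ptr_demangle(dtor_list[0].mangled_fn) == (uintptr_t)gadget;
}
```

The third demo is the caveat that matters for the LD_POINTER_GUARD removal above: anything that lets an attacker learn or fix the guard (an environment variable honoured in a SUID binary, an info leak of the TLS block) reduces the scheme to a known XOR and rotate.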
Internet Bug Bounty: Type confusion in partial.__setstate__, partial_repr, partial_call leads to memory corruption, reliable control flow hijack
See my official writeups here: http://bugs.python.org/issue25944 http://bugs.python.org/issue25945 The maintainers merged these bug reports. In one case, the type confusion leads to a reliable control of the instruction pointer as calling repr on a corrupted partial calls a function pointer that ...
Null pointer dereference
The Monitor Control Command Set kernel extension in the Display Drivers subsystem in Apple OS X before 10.10.4 allows attackers to execute arbitrary code in a privileged context via a crafted app that leverages control of a function pointer...
MagicISO <= 5.4 (build239) - .cue File Heap Overflow PoC
No description provided by source. #!/usr/bin/env ruby Credits to n00b for finding this bug. MagicISO has a stack-based buffer overflow when we pass an overly long file name inside the .cue file. We are able to control a lot of the registers, so command execution is possible, but I'm still learning...
PcVue 10.0 SV.UIGrdCtrl.1 'LoadObject()/SaveObject()' Trusted DWORD Vulnerability
No description provided by source. $Id: pcvue_func.rb 13889 2011-10-12 10:57:31Z sinn3r $ This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions. Please see the Metasploit Framework web site for more information on licensing and terms of use...
Sybase Advantage Data Architect - "*.SQL" Format Heap Overflow
No description provided by source. Exploit Title: Sybase Advantage Data Architect .SQL Format Heap Overflow RCE Date: 2010-10-16 Author: d0lc3 @rmallof - http://elotrolad0.blogspot.com/ Software Link: http://www.sybase.com/products/databasemanagement/advantagedatabaseserver/data-architect-utility...
Linux Kernel 2.x - sock_sendpage() Local Ring0 Root Exploit
Linux...
Telnetd encrypt_keyid: Remote Root function pointer overwrite
No description provided by source. telnetd-encrypt_keyid.c, Mon Dec 26 20:37:05 CET 2011. Copyright 2011 Jaime Penalba Estebanez (NighterMan), Copyright 2011 Gonzalo J. Carracedo (BatchDrake)...
ComSndFTP 1.3.7 Beta - USER Format String (Write4) Vulnerability
No description provided by source. $Id$ This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions. Please see the Metasploit web site for more information on licensing and terms of use. http://metasploit.com/ require 'msf/core' class Metasploit...
Microsoft Publisher Function Pointer Overwrite (MS11-091) - Ver2 (CVE-2011-1508)
A memory corruption vulnerability has been reported in Microsoft Publisher. The vulnerability is due to the way Microsoft Publisher does not properly handle memory for function pointers while parsing specially crafted Publisher files. A remote attacker may exploit this vulnerability by enticing a...
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.10) - 'CONFIG_X86_X32' Arbitrary Write (2)
Local root exploit for CVE-2014-0038. https://raw.github.com/saelo/cve-2014-0038/master/timeoutpwn.c Bug: The X86_X32 recvmmsg syscall does not properly sanitize the timeout pointer passed from userspace. Exploit primitive: Pass a pointer to a kernel address as timeout for recvmmsg, if the...
Microsoft - Tagged Image File Format '.TIFF' Integer Overflow (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' require 'rex/zip' require 'nokogiri' module ::Nokogiri module XML class Builder Some XML documents don't declare the namespace before referencing, but...
CVE-2013-2477
The CSN.1 dissector in Wireshark 1.8.x before 1.8.6 does not properly manage function pointers, which allows remote attackers to cause a denial of service application crash via a malformed packet...
HP Application Lifecycle Management XGO.ocx ActiveX SetShapeNodeType() Remote Code Execution
Exploit for windows platform in category remote exploits This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions. Please see the Metasploit Framework web site for more information on licensing and terms of use. http://metasploit.com/framework...
NTR ActiveX Control StopModule() Remote Code Execution
This module exploits a vulnerability found in the NTR ActiveX 1.1.8. The vulnerability exists in the StopModule method, where the lModule parameter is used to dereference memory to get a function pointer, which leads to code execution under the context of the user visiting a malicious web page...
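The NTR StopModule() entry above and the PcVue "Trusted DWORD" entry earlier describe the same bug class: a caller-supplied integer is used as an index into a table of function pointers with no range check, so the web page chooses the slot and therefore the call target. The following is an added example written for this page, not code from either control or from the Metasploit modules. The object layout, offsets, `lookup_unsafe`/`lookup_safe`/`stop_module_safe` names and the simulated object are all invented; all "memory" is a byte array so the out-of-range read stays inside the process, whereas in the real controls nothing bounded the index at all.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not the NTR or PcVue code. Models the "trusted DWORD"
 * pattern: lModule indexes a function-pointer table without a range check.
 * Layout (assumed): 16-byte header, TABLE_COUNT function pointers, then a
 * string buffer the page fills through another property. */

typedef int (*module_fn)(void);
static int module_start(void) { return 1; }
static int module_stop(void)  { return 2; }

enum { TABLE_OFF = 16, TABLE_COUNT = 2, OBJ_SIZE = 64 };
#define STR_OFF (TABLE_OFF + TABLE_COUNT * (int)sizeof(module_fn))

struct sim_object { unsigned char raw[OBJ_SIZE]; };  /* simulated control object */

void sim_init(struct sim_object *o, const char *page_string) {
    module_fn table[TABLE_COUNT] = { module_start, module_stop };
    memset(o->raw, 0, sizeof o->raw);
    memcpy(o->raw + TABLE_OFF, table, sizeof table);
    strncpy((char *)o->raw + STR_OFF, page_string, OBJ_SIZE - STR_OFF - 1);
}

/* Vulnerable lookup: idx is trusted, so idx == TABLE_COUNT lands on the
 * page-controlled string and idx == -1 on the header. Returns the bytes
 * that would be called. The range test below only keeps the simulation
 * inside `raw`; the real bug read base + idx*sizeof(ptr) wherever it fell. */
uintptr_t lookup_unsafe(const struct sim_object *o, long idx) {
    long off = TABLE_OFF + idx * (long)sizeof(module_fn);
    uintptr_t p;
    if (off < 0 || off + (long)sizeof(module_fn) > OBJ_SIZE) return 0;
    memcpy(&p, o->raw + off, sizeof p);
    return p;
}

/* Hardened lookup: reject negative and out-of-range indices before any
 * pointer arithmetic and never read outside the table.
 * Returns 0 and sets *out on success, -1 on a bad index. */
int lookup_safe(const struct sim_object *o, long idx, uintptr_t *out) {
    if (idx < 0 || (unsigned long)idx >= TABLE_COUNT) return -1;
    memcpy(out, o->raw + TABLE_OFF + (size_t)idx * sizeof(module_fn), sizeof *out);
    return 0;
}

/* Dispatch through the hardened lookup; returns the module's result or -1. */
int stop_module_safe(const struct sim_object *o, long idx) {
    uintptr_t p;
    if (lookup_safe(o, idx, &p) != 0) return -1;
    return ((module_fn)p)();
}

/* Returns 1 if an index one past the table, combined with an all-'A'
 * string, makes the vulnerable path "call" 0x41414141... (the classic
 * marker seen in a crash dump), 0 otherwise. */
int demo_attacker_controls_target(void) {
    struct sim_object o;
    uintptr_t target;
    sim_init(&o, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
    target = lookup_unsafe(&o, TABLE_COUNT);
    return target == (uintptr_t)0x4141414141414141ULL;
}

/* Returns 1 if the hardened path rejects both out-of-range indices and still
 * dispatches the two legitimate ones. */
int demo_hardened(void) {
    struct sim_object o;
    uintptr_t p;
    sim_init(&o, "AAAAAAAA");
    return lookup_safe(&o, TABLE_COUNT, &p) == -1
        && lookup_safe(&o, -1, &p) == -1
        && stop_module_safe(&o, 0) == 1
        && stop_module_safe(&o, 1) == 2
        && stop_module_safe(&o, TABLE_COUNT) == -1;
}
```

The check in `lookup_safe` is done on the index, before it is scaled and added to the base; checking the computed offset instead is the usual way such fixes go wrong, since a large or negative index can wrap the arithmetic past the test.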