FreeBSD - 'mbufs()' sendfile Cache Poisoning Privilege Escalation

/ freebsd x86/x64 sendfile cache local root xpl v2 by Kingcope 2010 -- should h4x any freebsd 8. and 7. prior to 12Jul2010 tampers /bin/sh to contain a shellcode which does ' chmod a+s /tmp/sh chown root /tmp/sh execve /tmp/sh2 ' how to use: terminal 1: $ cp /bin/sh /tmp/sh $ cp /bin/sh /tmp/sh2 ...

SOMPL Music Player v1.0 (.m3u) Local Buffer Overflow (SEH)

Exploit for windows platform in category local exploits ========================================================== SOMPL Music Player v1.0 .m3u Local Buffer Overflow SEH ========================================================== Exploit Title: SOMPL Music Player v1.0 .m3u Local Buffer Overflow SE...

rpc.ttdbserverd x86 Proof Of Concept Exploit

Check Point Software Technologies - Vulnerability Discovery Team VDT Rodrigo Rubira Branco - RPC TTDB .rec parser Heap Overflow thrjmptable does not exist on Solaris 10 u8 See the SPARC version of this exploit to see how to specify other addresses to be overwritten use POSIX; use IO::Socket; use...

Triologic Media Player 8 (.m3u) Universal Unicode Buffer Overflow (SEH)

Exploit for windows platform in category local exploits ======================================================================= Triologic Media Player 8 .m3u Universal Unicode Buffer Overflow SEH ======================================================================= Exploit Title: Triologic Medi...

linux/x86 setuid(0) && execve(/bin/sh,0,0) 27 bytes

Exploit for linux/x86 platform in category shellcode ============================================================= linux/x86 setuid0 && execve/bin/sh,0,0 shellcode 27 bytes ============================================================= Special Thanks Inj3ct0r Exploit DataBase I Love Inj3ct0r.Com...

linux/x86 setuid(0) && execve(/usr/sbin/pwunconv,0,0) 42 bytes

Exploit for linux/x86 platform in category shellcode ======================================================================== linux/x86 setuid0 && execve/usr/sbin/pwunconv,0,0 shellcode 42 bytes ======================================================================== Special Thanks Inj3ct0r Explo...

Rosoft Media Player 4.4.4 - Local Buffer Overflow (SEH) (2)

!/usr/bin/python Title: Rosoft media player 4.4.4 SEH buffer overflow Date: August 15, 2010 Author: dijital1 Original Advisory: http://www.exploit-db.com/exploits/14601 - abhishek lyall Platform: Windows XP SP3 EN Professional - VMware Greetz to: Corelan Security Team, Exploit-db, OffSec...

Mediacoder 0.7.5.4710 Buffer Overflow

media coder 0.7.5.4710 0 day buffer overflow exploit vulnerble application link http://www.mediacoderhq.com/dlfull.htm tested on XP SP2 author abhishek lyall - abhilyallatgmaildotcom web - http://www.aslitsecurity.com/ blog - http://www.aslitsecurity.blogspot.com/ !/usr/bin/python to exploit load...

Easy FTP 1.7.0.11 Buffer Overflow

Exploit Title: Easy FTP Server v1.7.0.11 NLST , NLST -al, APPE, RETR , SIZE and XCWD Commands Remote Buffer Overflow Exploit Date: 10/8/2010 Author: Rabih Mohsen Software Link:http://code.google.com/p/easyftpsvr/downloads/detail?name=easyftp-server-1.7.0.11-cn.zip Version: 1.7.0.11 Tested on:...

myMP3-Player 3.0 Buffer Overflow

Exploit Title: myMP3-Player 3.0 NOT SEH Overwrite Date: 8 / 8 / 2010 Author: Oh Yaw Theng Software Link: http://www.chip.de/downloads/myMP3-Player-3.013008621.html Version: 3.0 Tested on: Windows XP SP 2 CVE : N / A !/usr/bin/python filename = "crash.m3u" junk = "\x41" 1024 ret = "\x65\x82\xA5\x7...

Mediacoder 0.7.5.4710 Buffer Overflow Exploit

Exploit for windows platform in category local exploits ============================================= Mediacoder 0.7.5.4710 Buffer Overflow Exploit ============================================= media coder 0.7.5.4710 0 day buffer overflow exploit vulnerble application link...

Mediacoder 0.7.5.4710 - Local Buffer Overflow

Mediacoder 0.7.5.4710 - Local Buffer Overflow media coder 0.7.5.4710 0 day buffer overflow exploit vulnerble application link http://www.mediacoderhq.com/dlfull.htm tested on XP SP2 !/usr/bin/python to exploit load the crash.m3u file and double click on it filename = "crash.m3u" junk = "\x41" 256...

Mediacoder 0.7.5.4710 - Local Buffer Overflow

media coder 0.7.5.4710 0 day buffer overflow exploit vulnerble application link http://www.mediacoderhq.com/dlfull.htm tested on XP SP2 !/usr/bin/python to exploit load the crash.m3u file and double click on it filename = "crash.m3u" junk = "\x41" 256 eip = "\x65\x82\xa5\x7c" JMP ESP shell32.dll...

myMP3-Player v3.0 Buffer Overflow Exploit

No description provided by source. Exploit Title: myMP3-Player 3.0 NOT SEH Overwrite Date: 8 / 8 / 2010 Author: Oh Yaw Theng Software Link: http://www.chip.de/downloads/myMP3-Player-3.013008621.html Version: 3.0 Tested on: Windows XP SP 2 CVE : N / A !/usr/bin/python filename = "crash.m3u" junk =...

SopCast 3.2.9 - Remote Command Execution

SopCast 3.2.9 - Remote Command Execution Sopcast POC by Sud0 Tested on XP SP3 EN on VBox with IE 7 Spraying a lot to get a nice unicode usable address 0x20260078 I sprayed with a set of P/P/R instructions to come back to the stack Need internet connection on the box to trigger the vuln Wait for t...

myMP3-Player v3.0 Buffer Overflow Exploit

Exploit for windows platform in category local exploits ========================================= myMP3-Player v3.0 Buffer Overflow Exploit ========================================= Exploit Title: myMP3-Player 3.0 NOT SEH Overwrite Date: 8 / 8 / 2010 Author: Oh Yaw Theng Software Link:...

myMP3-Player 3.0 - Local Buffer Overflow

Exploit Title: myMP3-Player 3.0 NOT SEH Overwrite Date: 8 / 8 / 2010 Author: Oh Yaw Theng Software Link: http://www.chip.de/downloads/myMP3-Player-3.013008621.html Version: 3.0 Tested on: Windows XP SP 2 CVE : N / A !/usr/bin/python filename = "crash.m3u" junk = "\x41" 1024 ret = "\x65\x82\xA5\x7...

linux/x86 sethostname to "c0debreaker" shellcode 37 bytes

Exploit for linux/x86 platform in category shellcode ========================================================= linux/x86 sethostname to "c0debreaker" shellcode 37 bytes ========================================================= / Title : sethostname to "c0debreaker" linux shellcode . Name : 37 byt...

Easy RM To MP3 2.7.3.7000 Buffer Overflow

Exploit Title: Easy RM to MP3 2.7.3.700 Local Buffer Overflow .m3u , .pls , .smi , .wpl , .wax , .wvx , .ram Date: 4 / 8 / 2010 Author: Oh Yaw Theng Software Link: http://www.exploit-db.com/application/10642/ Version: 2.7.3.700 Tested on: Windows XP SP 1 CVE : N / A !/usr/bin/python This exploit...

Easy RM to MP3 2.7.3.700 - .m3u .pls .smi .wpl .wax .wvx .ram Local Overflow

Easy RM to MP3 2.7.3.700 - .m3u .pls .smi .wpl .wax .wvx .ram Local Overflow Exploit Title: Easy RM to MP3 2.7.3.700 Local Buffer Overflow .m3u , .pls , .smi , .wpl , .wax , .wvx , .ram Date: 4 / 8 / 2010 Author: Oh Yaw Theng Version: 2.7.3.700 Tested on: Windows XP SP 1 CVE : N / A...