954 matches found

Packet Storm
added 2018/08/20 12:0 a.m., 48 views

SEIG SCADA System 9 Remote Code Execution

Title: SEIG SCADA SYSTEM 9 - Remote Code Execution Author: Alejandro Parodi Date: 2018-08-17 Vendor Homepage: https://www.schneider-electric.com Software Link: https://www.schneider-electric.ie/en/download/document/V9Fullinstallationpackageregisterandreceivefile/ Version: v9 Tested on: Windows7 x...

10 CVSS, 0.4 AI score, 0.61438 EPSS
Exploits: 8

0day.today
added 2018/08/09 12:0 a.m., 25 views

AgataSoft Auto PingMaster 1.5 - Buffer Overflow (SEH) Exploit

Exploit for windows platform in category local exploits Exploit Title: AgataSoft Auto PingMaster 1.5 - Buffer Overflow SEH Exploit Author: bzyo Twitter: @bzyo Vulnerable Software: AgataSoft Auto PingMaster 1.5 Vendor Homepage: http://agatasoft.com/ Version: 1.5 Software Link :...

7.2 AI score
Exploits: 0

OSV
added 2018/06/17 5:29 p.m., 0 views

UBUNTU-CVE-2018-11219

An Integer Overflow issue was discovered in the struct library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10, and 5.x before 5.0 RC2, leading to a failure of bounds checking...

9.8 CVSS, 7 AI score, 0.02795 EPSS
Exploits: 1, References: 9

OSV
added 2018/06/17 5:29 p.m., 1 views

ALPINE-CVE-2018-11219

An Integer Overflow issue was discovered in the struct library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10, and 5.x before 5.0 RC2, leading to a failure of bounds checking...

9.8 CVSS, 7 AI score, 0.02795 EPSS
Exploits: 1, References: 1

0day.today
added 2018/05/24 12:0 a.m., 37 views

Linux/x86 - Reverse (10.0.7.17:4444/TCP) Shell (/bin/sh) Shellcode (101 Bytes)

/ Name : Jonathan "Chops" Crosby Email : email protected Twitter : @securitychops Website : https://securitychops.com Blog Post : https://securitychops.com/2018/05/21/slae-assignment-2-reverse-shell-tcp-shellcode.html Student ID : SLAE-1250 Assignment 2 : Reverse Shell TCP Linux/x86 Shellcode...

7.4 AI score
Exploits: 0

0day.today
added 2018/05/18 12:0 a.m., 36 views

Linux < 4.16.9 / < 4.14.41 - 4-byte Infoleak via Uninitialized Struct Field Exploit

Exploit for linux platform in category dos / poc / Linux tai. If doadjtimex doesn't write to -tai e.g. because the arguments are invalid, compatputtimex then copies the uninitialized -tai field to userspace. Demo: $ cat leak32.c / include include include include include include include / from...

0.2 AI score
Exploits: 0

exploitpack
added 2018/05/17 12:0 a.m., 12 views

Linux < 4.16.9 / < 4.14.41 - 4-byte Infoleak via Uninitialized Struct Field in compat adjtimex Syscall

Linux < 4.16.9 / < 4.14.41 - 4-byte Infoleak via Uninitialized Struct Field in compat adjtimex Syscall / Commit 3a4d44b61625 "ntp: Move adjtimex related compat syscalls to native counterparts" removed the memset in compatgettimex. Since then, the compat adjtimex syscall can invoke doadjtimex with an...

0.6 AI score
Exploits: 0

RedHat Linux
added 2018/05/08 10:24 p.m., 0 views

kernel: Out-of-bounds write via userland offsets in ebt_entry struct in netfilter/ebtables.c

A flaw was found in the Linux kernel's implementation of 32-bit syscall interface for bridging. This allowed a privileged user to arbitrarily write to a limited range of kernel memory...

7.2 CVSS, 6.6 AI score, 0.00031 EPSS
Exploits: 0, References: 4

exploitpack
added 2018/05/02 12:0 a.m., 198 views

Exim 4.90.1 - base64d Remote Code Execution

Exim 4.90.1 - base64d Remote Code Execution !/usr/bin/python import time import socket import struct s = None f = None def logo: print print " CVE-2018-6789 Poc Exploit" print "@straightblast ; [email protected]" print def connecthost, port: global s global f s =...

7.5 CVSS, 0.1 AI score, 0.86592 EPSS
Exploits: 19

0day.today
added 2018/03/30 12:0 a.m., 43 views

Allok WMV to AVI MPEG DVD WMV Converter 4.6.1217 - Buffer Overflow Exploit

Exploit for windows platform in category local exploits SWAMI KARUPASAMI THUNAI Exploit Title: Allok soft WMV to AVI MPEG DVD WMV Converter - Buffer Overflow Vulnerability Windows XP SP3 Date: 06-03-2018 Exploit Author: Mohan Ravichandran & Velayutham Selvaraj Organization : TwinTech Solutions...

Exploits: 0

Exploit DB
added 2018/03/23 12:0 a.m., 41 views

Allok Quicktime to AVI MPEG DVD Converter 4.6.1217 - Stack-Based Buffer Overflow

SWAMI KARUPASAMI THUNAI Exploit Title: Allok Video Converter - Buffer Overflow Vulnerability Windows XP SP3 Date: 06-03-2018 Exploit Author: Mohan Ravichandran & Velayutham Selvaraj Organization : TwinTech Solutions Vulnerable Software: Allok Video Converter Vendor Homepage:...

7.4 AI score
Exploits: 0

exploitpack
added 2018/01/29 12:0 a.m., 23 views

macOS - sysctl_vfs_generic_conf Stack Leak Through Struct Padding

macOS - sysctlvfsgenericconf Stack Leak Through Struct Padding / The sysctls vfs.generic.conf. are handled by sysctlvfsgenericconf, which is implemented as follows: static int sysctlvfsgenericconf SYSCTLHANDLERARGS int name, namelen; struct vfstable vfsp; struct vfsconf vfsc; voidoidp; name = arg...

0.3 AI score
Exploits: 0

0day.today
added 2018/01/29 12:0 a.m., 40 views

macOS - sysctl_vfs_generic_conf Stack Leak Through Struct Padding Exploit

Exploit for macOS platform in category dos / poc / The sysctls vfs.generic.conf. are handled by sysctlvfsgenericconf, which is implemented as follows: static int sysctlvfsgenericconf SYSCTLHANDLERARGS int name, namelen; struct vfstable vfsp; struct vfsconf vfsc; voidoidp; name = arg1; namelen =...

0.1 AI score, 0.04499 EPSS
Exploits: 2

Exploit DB
added 2018/01/29 12:0 a.m., 43 views

macOS - 'sysctl_vfs_generic_conf' Stack Leak Through Struct Padding

/ The sysctls vfs.generic.conf. are handled by sysctlvfsgenericconf, which is implemented as follows: static int sysctlvfsgenericconf SYSCTLHANDLERARGS int name, namelen; struct vfstable vfsp; struct vfsconf vfsc; voidoidp; name = arg1; namelen = arg2; check for namelen==1 mountlistlock; for vfsp...

7.4 AI score
Exploits: 0

0day.today
added 2018/01/16 12:0 a.m., 15 views

Linux/x86 - Bind TCP (3879/TCP) Shell (/bin/sh) Shellcode (113 bytes)

/ Connecting shellcode written by lamagra http://lamagra.seKure.de May 2000 .file "connect" .version "01.01" .text .align 4 start: socketAFINET,SOCKSTREAM,IPPROTOIP; movl %esp,%ebp xorl %edx,%edx movb $102,%edx movl %edx,%eax 102 = socketcall xorl %ecx,%ecx movl %ecx,%ebx incl %ebx socket movl...

7.4 AI score
Exploits: 0

0day.today
added 2018/01/15 12:0 a.m., 27 views

Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (147 bytes)

; =================================================================== ; Password Protected Bind Shell ; Author: SLAE64-1351 Keyman ; Date: 03/09/2014 ; ; Shellcode length: 147 bytes ; ; Description: ; ; Simple bind shell listens on port 4444 by default with 4 bytes ; password protection. Using a ...

Exploits: 0

Exploit DB
added 2018/01/11 12:0 a.m., 25 views

macOS - 'process_policy' Stack Leak Through Uninitialized Field

/ The syscall processpolicyscope=PROCPOLICYSCOPEPROCESS, action=PROCPOLICYACTIONGET, policy=PROCPOLICYRESOURCEUSAGE, policysubtype=PROCPOLICYRUSAGECPU, attrp=, targetpid=0, targetthreadid= causes 4 bytes of uninitialized kernel stack memory to be written to userspace. The call graph looks as...

7.4 AI score
Exploits: 0

seebug.org
added 2017/12/15 12:0 a.m., 49 views

MacOS getrusage stack leak through struct padding(CVE-2017-13869)

For 64-bit processes, the getrusage syscall handler converts a struct rusage to a struct user64rusage using mungeuser64rusage, then copies the struct user64rusage to userspace: int getrusagestruct proc p, struct getrusageargs uap, unused int32t retval struct rusage rup, rubuf; struct user64rusage...

6.6 AI score, 0.07328 EPSS
Exploits: 3

Packet Storm
added 2017/12/12 12:0 a.m., 60 views

macOS getrusage Stack Leak

MacOS getrusage stack leak through struct padding CVE-2017-13869 For 64-bit processes, the getrusage syscall handler converts a struct rusage to a struct user64rusage using mungeuser64rusage, then copies the struct user64rusage to userspace: int getrusagestruct proc p, struct getrusageargs uap,...

0.07328 EPSS
Exploits: 3

exploitpack
added 2017/12/12 12:0 a.m., 24 views

Apple XNU Kernel - Memory Corruption due to Integer Overflow in __offsetof Usage in posix_spawn on 32-bit Platforms

Apple XNU Kernel - Memory Corruption due to Integer Overflow in offsetof Usage in posixspawn on 32-bit Platforms posixspawn is a complex syscall which takes a lot of arguments from userspace. The third argument is a pointer to a further arguments descriptor in userspace with the following structu...

0.7 AI score
Exploits: 0