macOS getrusage Stack Leak Exploit
Exploit for macOS platform in category dos / poc. macOS getrusage stack leak through struct padding (CVE-2017-13869). For 64-bit processes, the getrusage syscall handler converts a struct rusage to a struct user64_rusage using munge_user64_rusage, then copies the struct user64_rusage to userspace: int...
UBUNTU-CVE-2017-17507
In HDF5 1.10.1, there is an out of bounds read vulnerability in the function H5T_conv_struct_opt in H5Tconv.c in libhdf5.a. For example, h5dump would crash when someone opens a crafted hdf5 file...
DEBIAN-CVE-2017-17507
In HDF5 1.10.1, there is an out of bounds read vulnerability in the function H5T_conv_struct_opt in H5Tconv.c in libhdf5.a. For example, h5dump would crash when someone opens a crafted hdf5 file...
PT-2017-14818 · Hdf +2 · Hdf5 +2
Name of the Vulnerable Software and Affected Versions: HDF5 version 1.10.1. Description: The issue is related to an out of bounds read vulnerability in the H5T_conv_struct_opt function in H5Tconv.c within libhdf5.a. This could cause a crash, for example, when using h5dump to open a crafted hdf5...
Apple macOS - 'getrusage' Stack Leak Through struct Padding
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1405 For 64-bit processes, the getrusage syscall handler converts a struct rusage to a struct user64_rusage using munge_user64_rusage, then copies the struct user64_rusage to userspace: int getrusage(struct proc *p, struct getrusage_arg...
Apple macOS - getrusage Stack Leak Through struct Padding
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1405 For 64-bit processes, the getrusage syscall handler converts a struct rusage to a struct user64_rusage using munge_user64_rusage, then copies the struct user64_rusage to...
Linux Kernel XFRM Privilege Escalation
Vulnerability Summary: The following advisory describes a use-after-free vulnerability found in the Linux kernel that can lead to privilege escalation. The vulnerability was found in the Netlink socket subsystem, XFRM. Netlink is used to transfer information between the kernel and user-space processes. It...
Linux Kernel (Ubuntu 17.04) - XFRM Local Privilege Escalation
Vulnerability Summary: The following advisory describes a use-after-free vulnerability found in the Linux kernel that can lead to privilege escalation. The vulnerability was found in the Netlink socket subsystem, XFRM. Netlink is used to transfer...
Linux Kernel (Ubuntu 17.04) - 'XFRM' Local Privilege Escalation
Vulnerability Summary: The following advisory describes a use-after-free vulnerability found in the Linux kernel that can lead to privilege escalation. The vulnerability was found in the Netlink socket subsystem, XFRM. Netlink is used to transfer information between the kernel and user-space processes. It...
FreeBSD -- Kernel data leak via ptrace(PT_LWPINFO)
Problem Description: Not all information in the struct ptrace_lwpinfo is relevant for the state of any thread, and the kernel does not fill the irrelevant bytes or short strings. Since the structure filled by the kernel is allocated on the kernel stack and copied to userspace, a leak of informatio...
Linux Kernel 4.1.3 (Ubuntu 17.10) waitid() SMEP/SMAP Privilege Escalation
// Proof of concept exploit for waitid bug introduced in Linux Kernel 4.13 // By Chris Salls twitter.com/chrissalls // This exploit can be used to break out of sandboxes such as that in Google Chrome // In this proof of concept we install the seccomp filter from Chrome as well as a chroot, //...
Linux Kernel 4.13 (Ubuntu 17.10) - 'waitid()' SMEP/SMAP/Chrome Sandbox Privilege Escalation
// Proof of concept exploit for waitid bug introduced in Linux Kernel 4.13 // By Chris Salls twitter.com/chrissalls // This exploit can be used to break out of sandboxes such as that in Google Chrome // In this proof of concept we install the seccomp filter from Chrome as well as a chroot, //...
GraphicsMagick - Memory Disclosure Heap Overflow
Vulnerabilities summary: The following advisory describes two (2) vulnerabilities found in GraphicsMagick. GraphicsMagick is "The swiss army knife of image processing. Comprised of 267K physical lines (according to David A. Wheeler's SLOCCount) of...
Linux Kernel 4.14.0-rc4+ - 'waitid()' Privilege Escalation(CVE-2017-5123)
This is a guest post by a young and talented Portuguese exploiter, Federico Bento. He won this year's Pwnie for Epic Achievement exploiting the TIOCSTI ioctl. Days ago he posted a video demonstrating an exploit for CVE-2017-5123 and, luckily for you, I managed to convince him to do a write-up about it. ...
ASX to MP3 converter < 3.1.3.7 - Stack Overflow (DEP Bypass) Exploit
Exploit for windows platform in category local exploits import struct,sys head =''' REF HREF="mms://site.com/ach/music/smpl/LACA-05928-002-tes''' offset 17375 junk = "A" 17375 0x1003df8e 0x774e1035 EIP="\x36\x10\x4e\x77" adjust="A" 4 def createropchain: ropgadgets = 0x73dd5dce, POP EAX RETN...
ASX to MP3 converter < 3.1.3.7 - '.asx' Local Stack Overflow (DEP Bypass)
import struct,sys head =''' REF HREF="mms://site.com/ach/music/smpl/LACA-05928-002-tes''' offset 17375 junk = "A" 17375 0x1003df8e 0x774e1035 EIP="\x36\x10\x4e\x77" adjust="A" 4 def createropchain: ropgadgets = 0x73dd5dce, POP EAX RETN MFC42.DLL 0x5d091368, ptr to &VirtualProtect IAT COMCTL32.dll...
DiskBoss Enterprise 8.4.16 - Local Buffer Overflow Exploit
Exploit for windows platform in category local exploits. #!/usr/bin/python ======================================================================================================================== Exploit Author: C4t0ps1s Exploit Title: DiskBoss Enterprise v8.4.16 Local Buffer Overflow (Code execution...
Dup Scout Enterprise 10.0.18 - Import Command Local Buffer Overflow
#!/usr/bin/python ======================================================================================================================== Exploit Author: Touhid M.Shaikh Exploit Title: Dup Scout Enterprise v10.0.18 "Import Comman...
DEBIAN-CVE-2017-11714
psi/ztoken.c in Artifex Ghostscript 9.21 mishandles references to the scanner state structure, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted PostScript document, related to an out-of-bounds read in the...
Counter Strike Condition Zero - .BSP Map File Code Execution Exploit
Exploit for windows platform in category local exploits. #!/usr/bin/env python Counter Strike: Condition Zero BSP map exploit By @DigitalCold Jun 11, 2017 E-DB Note: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42325.zip (bsp-exploit-source.zip) from binascii...