Apple Mac OSX - Kernel Use-After-Free and Double Delete Due to Incorrect Locking in Intel GPU Driver

Exploit for macOS platform in category dos / poc / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=708 The external methods IGAccelGLContext::unmapusermemory and IGAccelCLContext::unmapusermemory take an 8 byte struct input which is a user-space pointer previously passed to the...

Apple Mac OSX Kernel - Use-After-Free and Double Delete Due to Incorrect Locking in Intel GPU Driver

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=708 The external methods IGAccelGLContext::unmapusermemory and IGAccelCLContext::unmapusermemory take an 8 byte struct input which is a user-space pointer previously passed to the equivilent mapusermemory method. The Context...

Exploiting a Leaked Thread Handle

Posted by logged on user, James Forshaw. Once in awhile you’ll find a bug that allows you to leak a handle opened in a privileged process into a lower privileged process. I found just such a bug in the Secondary Logon service on Windows, which was fixed this month as MS16-032. The bug allowed you...

PT-2016-6698 · Linux +5 · Linux Kernel +5

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 4.6.3 on powerpc platforms Description: The issue is related to the mishandling of transactional state by the start thread function in the Linux kernel, which can be exploited by local users to cause a denial of...

Immunity Canvas: MS16_032

Name| ms16032 ---|--- CVE| CVE-2016-0099 Exploit Pack| CANVAS Description| MS16-032 Seclogon Thread Handle Leak Notes| CVE Name: CVE-2016-0099 VENDOR: Microsoft Notes: Our exploit module is really two modules: 1 An exploit, based off of Google Project Zero's post by James Foreshaw. It is extremel...

IIS Short Name Scanner - Scanner For IIS Short File Name Disclosure Vulnerability (using the tilde [~] character)

Scanner for IIS short file name 8.3 disclosure vulnerability by using the tilde character. Description Microsoft IIS contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered during the parsing of a request that contains a tilde character . This may allow a...

Microsoft Windows - 'NetAPI32.dll' Code Execution (Python) (MS08-067)

import struct import time import sys from threading import Thread Thread is imported incase you would like to modify try: from impacket import smb from impacket import uuid from impacket import dcerpc from impacket.dcerpc.v5 import transport except ImportError, : print 'Install the following...

Microsoft Windows - NetAPI32.dll Code Execution (Python) (MS08-067)

Microsoft Windows - NetAPI32.dll Code Execution Python MS08-067 import struct import time import sys from threading import Thread Thread is imported incase you would like to modify try: from impacket import smb from impacket import uuid from impacket import dcerpc from impacket.dcerpc.v5 import...

Microsoft Windows - NetAPI32.dll Code Execution (Python) (MS08-067) Exploit

Exploit for windows platform in category remote exploits EDB-Note: Source https://raw.githubusercontent.com/ohnozzy/Exploit/master/MS08067.py import struct import time import sys from threading import Thread Thread is imported incase you would like to modify try: from impacket import smb from...

Foolav - Pentest Tool For Antivirus Evasion and Running Arbitrary Payload on Target Wintel Host

Executable compiled with this code is useful during penetration tests where there is a need to execute some payload meterpreter maybe? while being certain that it will not be detected by antivirus software. The only requirement is to be able to upload two files: binary executable and payload file...

Sophos Unified Thread Management (UTM) Detection (HTTP)

HTTP based detection of Sophos Unified Thread Management UTM. Copyright C 2016 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software;...

glibc, nscd security update

CentOS Errata and Security Advisory CESA-2016:0175 Updated glibc packages that fix one security issue and two bugs are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System CVSS base...

RedHat Update for glibc RHSA-2016:0175-01

The remote host is missing an update for the SPDX-FileCopyrightText: 2016 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

RHEL 6 : glibc (RHSA-2016:0175)

Updated glibc packages that fix one security issue and two bugs are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is...

Apache Httpd < 2.4.20 : mod_http2: denial of service by thread starvation

By manipulating the flow control windows on streams, a client was able to block server threads for long times, causing starvation of worker threads. Connections could still be opened, but no streams where processed for these. This issue affected HTTP/2 support in 2.4.17 and 2.4.18...

Apple Mac OSX iOS Kernel - iokit Registry Iterator Manipulation Double-Free

Apple Mac OSX iOS Kernel - iokit Registry Iterator Manipulation Double-Free / Source: https://code.google.com/p/google-security-research/issues/detail?id=598 The userspace MIG wrapper IORegistryIteratorExitEntry invokes the following kernel function: kernreturnt isioregistryiteratorexitentry...

Apple Mac OSX - IOBluetoothHCIPacketLogUserClient Memory Corruption

/ Source: https://code.google.com/p/google-security-research/issues/detail?id=572 The OS data types OSArray etc are explicity not thread safe; they rely on their callers to implement the required locking to serialize all accesses and manipulations of them. By sending two spoofed no-more-senders...

Wireshark - dissect_nhdr_extopt Stack Based Buffer Overflow

Exploit for multiple platform in category dos / poc Source: https://code.google.com/p/google-security-research/issues/detail?id=696 The following crash due to a stack-based buffer overflow can be observed in an ASAN build of Wireshark current git master, by feeding a malformed file to tshark "$...

Debian DLA-380-1 : libvncserver security update

An issue had been discovered and resolved by the libvncserver upstream developer Karl Runge addressing thread-safety in libvncserver when libvncserver is used for handling multiple VNC connections 1. Unfortunately, it is not trivially feasible because of ABI breakage to backport the related patch...

[SECURITY] [DLA 380-1] libvncserver security update

Package : libvncserver Version : 0.9.7-2+deb6u2 An issue had been discovered and resolved by the libvncserver upstream developer Karl Runge addressing thread-safety in libvncserver when libvncserver is used for handling multiple VNC connections 1. Unfortunately, it is not trivially feasible becau...