Linux Kernel - 'offset2lib' Stack Clash
/ Linuxoffset2lib.c for CVE-2017-1000370 and CVE-2017-1000371 Copyright (C) 2017 Qualys, Inc. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or a...
NetBSD - 'Stack Clash' (PoC)
/ NetBSDCVE-2017-1000375.c please compile with -O0 Copyright (C) 2017 Qualys, Inc. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or at your opti...
Easy File Sharing Web Server 7.2 - Account Import Local Buffer Overflow (SEH)
!/usr/bin/python 2017/6/17 Chako EFS Web Server 7.2 - Local Buffer OverflowSEH Tested on: Windows XP SP3 EN DEP Off Software Link: https://www.exploit-db.com/apps/60f3ff1f3cd34dec80fba130ea481f31-efssetup.exe Description: When importing a large user account file on to EFS Web Server 7.2 will...
Oracle Solaris 11.1/11.3 (RSH) - 'Stack Clash' Local Privilege Escalation
/ Solarisrsh.c for CVE-2017-3630, CVE-2017-3629, CVE-2017-3631 Copyright (C) 2017 Qualys, Inc. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or ...
FreeBSD - 'setrlimit' Stack Clash (PoC)
/ FreeBSDCVE-2017-1085.c Copyright (C) 2017 Qualys, Inc. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or at your option any later version. This...
FreeBSD - 'FGPU' Stack Clash (PoC)
/ FreeBSDCVE-2017-FGPU.c for CVE-2017-1084 please compile with -O0 Copyright (C) 2017 Qualys, Inc. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License,...
Easy File Sharing Web Server 7.2 - Unrestricted File Upload
2017/6/15 Chako EFS Web Server 7.2 Unrestricted File Upload Vendor Homepage: http://www.sharing-file.com Software Link: https://www.exploit-db.com/apps/60f3ff1f3cd34dec80fba130ea481f31-efssetup.exe Version: Easy File Sharing Web Server 7.2 Tested on: WinXP SP3 EFS Web Server 7.2 allows unauthoriz...
Kaspersky Anti-Virus File Server 8.0.3.297 - Multiple Vulnerabilities
Advisory Information Title: Kaspersky Anti-Virus File Server Multiple Vulnerabilities Advisory ID: CORE-2017-0003 Advisory URL: http://www.coresecurity.com/advisories/Kaspersky-Anti-Virus-File-Server-Multiple-Vulnerabilities Date published: 2017-06-28 Date of last update: 2017-06-28 Vendors...
Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedora 22/25 / CentOS 7.3.1611) - 'ldso_hwcap_64 Stack Clash' Local Privilege Escalation
/ Linuxldsohwcap64.c for CVE-2017-1000366, CVE-2017-1000379 Copyright (C) 2017 Qualys, Inc. myimportanthwcaps adapted from elf/dl-hwcaps.c, part of the GNU C Library: Copyright (C) 2012-2017 Free Software Foundation, Inc. This program is free software: you can redistribute it and/or modify it under t...
Linux Kernel (Debian 7/8/9/10 / Fedora 23/24/25 / CentOS 5.3/5.11/6.0/6.8/7.2.1511) - 'ldso_hwcap Stack Clash' Local Privilege Escalation
/ Linuxldsohwcap.c for CVE-2017-1000366, CVE-2017-1000370 Copyright (C) 2017 Qualys, Inc. myimportanthwcaps adapted from elf/dl-hwcaps.c, part of the GNU C Library: Copyright (C) 2012-2017 Free Software Foundation, Inc. This program is free software: you can redistribute it and/or modify it under the...
Flat Assembler 1.7.21 - Local Buffer Overflow
!/usr/bin/python Developed using Exploit Pack - http://exploitpack.com - Exploit Author: Juan Sacco at KPN Red Team - http://www.kpn.com Tested on: GNU/Linux - Kali 2017.1 Release What is FASM? Flat assembler is a fast, self-compilable assembly language compiler for the x86 and x86-64 architectur...
Microsoft MsMpEng - mpengine x86 Emulator Heap Corruption in VFS API
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1282&desc=2 In issue 1260 I discussed Microsoft's "apicall" instruction that can invoke a large number of internal emulator apis and is exposed to remote attackers by default in all recent versions of Windows. I asked Microsoft if...
Easy File Sharing Web Server 7.2 - GET 'PassWD' Remote Buffer Overflow (SEH)
!/usr/bin/python Exploit Title: Easy File Sharing Web Server 7.2 - GET HTTP Request PassWD Buffer Overflow SEH Date: 19 June 2017 Exploit Author: clubjk Author Contact: [email protected] Vendor Homepage: http://www.sharing-file.com Software Link:...
GLPI 0.90.4 - SQL Injection
Exploit Title: Multiple SQL injection vulnerabilities in GLPI 0.90.4 Date: 2016/09/09 Exploit Author: Eric CARTER in/ericcarterengineer - CS c-s.fr Vendor Homepage: http://glpi-project.org Software Link: http://glpi-project.org/spip.php?article3 Version: 0.90.4 Tested on: GLPI 0.90.4 running on a...
WordPress Plugin Ultimate Product Catalogue 4.2.2 - SQL Injection
Exploit Title: Ultimate Product Catalogue 4.2.2 Sql Injection – Plugin WordPress – Sql Injection Exploit Author: Lenon Leite Vendor Homepage: https://wordpress.org/plugins/ultimate-product-catalogue/ Software Link: https://wordpress.org/plugins/ultimate-product-catalogue/ Contact:...
Linux/x86 - Bind Shell Shellcode (75 bytes)
Linux/x86 - Bind Shell Shellcode 75 bytes. Shellcode exploit for Linux/x86 platform / Architecture : x86 OS : Linux Author : wetw0rk ID : SLAE-958 Shellcode Size : 75 bytes Bind Port : 4444 Description : A linux/x86 bind shell via /bin/sh. Created by analysing msfvenom; original payload was 78 bytes...
Eltek SmartPack - Backdoor Account
Eltek SmartPack - Backdoor Account Author: Saeed reza Zamanian penetrationtest @ Linkedin Product: Eltek SmartPack Vendor: http://www.eltek.com/ Product Link : http://www.eltek.com/detailproducts.epl?k1=25507&id=1123846 About Product: The Smartpack controller is a powerful and cost-effective...
Netgear DGN2200 - 'dnslookup.cgi' Command Injection (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'net/http' require "base64" class MetasploitModule "Netgear DGN2200 dnslookup.cgi Command Injection", 'Description' = %q This module exploits a command injection...
IBM DB2 9.7/10.1/10.5/11.1 - Command Line Processor Buffer Overflow
''' DefenseCode Security Advisory IBM DB2 Command Line Processor Buffer Overflow Advisory ID: DC-2017-04-002 Advisory Title: IBM DB2 Command Line Processor Buffer Overflow Advisory URL: http://www.defensecode.com/advisories/IBMDB2CommandLineProcessorBufferOverflow.pdf Software: IBM DB2 Version:...
Symantec Messaging Gateway 10.6.2-7 - Remote Code Execution (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "Symantec Messaging Gateway Remote Code Execution", 'Description' = %q This module exploits the command injection vulnerability of Symantec Messagi...
LAME 3.99.5 - 'II_step_one' Buffer Overflow
Description: lame is a high quality MPEG Audio Layer III MP3 encoder licensed under the LGPL. Few notes before the details of this bug. Time ago a fuzz was done by Brian Carpenter and Jakub Wilk which posted the results on the debian bugtracker. In cases like this, when upstream is not active and...
JAD Java Decompiler 1.5.8e - Local Buffer Overflow (NX Enabled)
!/usr/bin/python Exploit Author: Juan Sacco at KPN Red Team - http://www.kpn.com Developed using Exploit Pack - http://exploitpack.com - Tested on: GNU/Linux - Kali 2017.1 Release Description: JAD Java Decompiler 1.5.8e-1kali1 and prior is prone to a stack-based buffer overflow vulnerability...
NTFS 3.1 - Master File Table Denial of Service
Y0U HAVE BEEN EXPL0ITED!...
LAME 3.99.5 - 'III_dequantize_sample' Stack Buffer Overflow
Description: lame is a high quality MPEG Audio Layer III MP3 encoder licensed under the LGPL. Few notes before the details of this bug. Time ago a fuzz was done by Brian Carpenter and Jakub Wilk which posted the results on the debian bugtracker. In cases like this, when upstream is not active and...
Microsoft Windows Kernel - 'ATMFD.DLL' Out-of-Bounds Read due to Malformed Name INDEX in the CFF Table
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1213 We have encountered a Windows kernel crash in the ATMFD.DLL OpenType driver while processing a corrupted OTF font file, see below: --- DRIVERPAGEFAULTBEYONDENDOFALLOCATION d6 N bytes of memory was allocated and more than N byt...
Adobe Flash - ATF Parser Heap Corruption
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1216 The attached file causes heap corruption in the ATF parser. To reproduce the issue, copy atffree.atf and LoadImage.swf to a server, and visit http://127.0.0.1/LoadImage.swf?img=atffree.png. Proof of Concept:...
Microsoft Windows - 'USP10!MergeLigRecords' Uniscribe Font Processing Heap Memory Corruption
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1198 We have encountered a crash in the Windows Uniscribe user-mode library, in the memmove function called by USP10!MergeLigRecords, while trying to display text using a corrupted font file: --- 4e0.6dc: Access violation - code...
Microsoft Windows - 'USP10!otlValueRecord::adjustPos' Uniscribe Font Processing Out-of-Bounds Memory Read
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1204 We have encountered a crash in the Windows Uniscribe user-mode library, in the USP10!otlValueRecord::adjustPos function, while trying to display text using a corrupted TTF font file: --- 470.4d4: Access violation - code c00000...
Microsoft Windows - 'USP10!SubstituteNtoM' Uniscribe Font Processing Out-of-Bounds Memory Read
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1200 We have encountered a crash in the Windows Uniscribe user-mode library, in the USP10!SubstituteNtoM function, while trying to display text using a corrupted TTF font file: --- 69c.164: Access violation - code c0000005 first...
Adobe Flash - Image Decoding Out-of-Bounds Read
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1215 The attached png file causes an out-of-bounds read when being decoded by flash. To reproduce the issue, put LoadImage.swf and read1.png on a server, and visit: http://127.0.0.1/LoadImage.swf=read1.png Proof of Concept:...
Microsoft Windows - 'nt!NtQueryInformationResourceManager (information class 0)' Kernel Stack Memory Disclosure
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1207 We have discovered that the nt!NtQueryInformationResourceManager system call called with the 0 information class discloses portions of uninitialized kernel stack memory to user-mode clients, on Windows 7 to Windows 10. The...
Microsoft Windows - 'USP10!NextCharInLiga' Uniscribe Font Processing Out-of-Bounds Memory Read
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1202 We have encountered a crash in the Windows Uniscribe user-mode library, in the USP10!NextCharInLiga function, while trying to display text using a corrupted TTF font file: --- 3d4.454: Access violation - code c0000005 first...
Microsoft Edge - 'CssParser::RecordProperty' Type Confusion
function go window.addEventListener"DOMAttrModified", undefined; m.style.cssText = "clip-path: urlfoo;"; !-- ========================================= Preliminary analysis: The crash happens inside CAttrArray::PrivateFindInl. Rcx this pointer is supposed to point to a CAttrArray but it actually...
unrar 5.40 - 'VMSF_DELTA' Filter Arbitrary Memory Write
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1286&desc=6 It appears that the VMSFDELTA memory corruption that was reported to Sophos AV in 2012 and fixed there was actually inherited from upstream unrar. For unknown reasons the information did not reach upstream rar or was...
Microsoft Windows - 'USP10!CreateIndexTable' Uniscribe Font Processing Out-of-Bounds Memory Read
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1201 We have encountered a crash in the Windows Uniscribe user-mode library, in the USP10!CreateIndexTable function, while trying to display text using a corrupted TTF font file: --- 5cc.74: Access violation - code c0000005 first...
Adobe Flash - AVC Edge Processing Out-of-Bounds Read
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1212 The attached file causes an out-of-bounds read in avc edge processing. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42247.zip...
Microsoft Windows - 'USP10!otlSinglePosLookup::getCoverageTable' Uniscribe Font Processing Out-of-Bounds Memory Read
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1203 We have encountered a crash in the Windows Uniscribe user-mode library, in the USP10!otlSinglePosLookup::getCoverageTable function, while trying to display text using a corrupted TTF font file: --- 7f0.488: Access violation -...
Microsoft Windows - 'USP10!otlReverseChainingLookup::apply' Uniscribe Font Processing Out-of-Bounds Memory Read
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1205 We have encountered a crash in the Windows Uniscribe user-mode library, in the USP10!otlReverseChainingLookup::apply function, while trying to display text using a corrupted TTF font file: --- 678.6c8: Access violation - code...
Microsoft Windows - 'USP10!ttoGetTableData' Uniscribe Font Processing Out-of-Bounds Memory Read
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1199 We have encountered a crash in the Windows Uniscribe user-mode library, in the USP10!ttoGetTableData function, while trying to display text using a corrupted TTF font file: --- 210.274: Access violation - code c0000005 first...
Microsoft Windows - 'nt!NtQueryInformationWorkerFactory (WorkerFactoryBasicInformation)' Kernel Stack Memory Disclosure
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1214&desc=2 We have discovered that the nt!NtQueryInformationWorkerFactory system call called with the WorkerFactoryBasicInformation 7 information class discloses portions of uninitialized kernel stack memory to user-mode clients...
Microsoft Windows - 'win32k!ClientPrinterThunk' Kernel Stack Memory Disclosure
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1186 We have discovered that it is possible to disclose portions of uninitialized kernel stack memory to user-mode applications in Windows 7 other platforms untested indirectly through the win32k!NtGdiOpenDCW system call. The...
Microsoft Windows - 'nt!NtQueryInformationTransaction (information class 1)' Kernel Stack Memory Disclosure
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1196 We have discovered that the nt!NtQueryInformationTransaction system call called with the 1 information class discloses portions of uninitialized kernel stack memory to user-mode clients, on Windows 7 to Windows 10. The...
Microsoft Windows - 'nt!NtQueryInformationJobObject (information class 28)' Kernel Stack Memory Disclosure
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1194 We have discovered that the nt!NtQueryInformationJobObject system call corresponding to the documented QueryInformationJobObject API function called with the 28 information class discloses portions of uninitialized kernel...
Microsoft Windows - 'win32k!NtGdiMakeFontDir' Kernel Stack Memory Disclosure
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1191 We have discovered that the win32k!NtGdiMakeFontDir system call discloses large portions of uninitialized kernel stack memory to user-mode clients. The attached proof of concept code which is specific to Windows 7 32-bit works...
Microsoft Windows - 'nt!NtQueryInformationProcess (ProcessVmCounters)' Kernel Stack Memory Disclosure
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1190&desc=2 We have discovered that the nt!NtQueryInformationProcess system call called with the ProcessVmCounters information class discloses portions of uninitialized kernel stack memory to user-mode clients, due to output...
Microsoft Windows - 'win32k!NtGdiGetTextMetricsW' Kernel Stack Memory Disclosure
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1180 We have discovered that it is possible to disclose portions of uninitialized kernel stack memory to user-mode applications in Windows 7 other systems untested through the win32k!NtGdiGetTextMetricsW system call. The output...
Microsoft Windows - 'win32k!NtGdiGetRealizationInfo' Kernel Stack Memory Disclosure
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1181 We have discovered that it is possible to disclose portions of uninitialized kernel stack memory to user-mode applications in Windows 7-10 through the win32k!NtGdiGetRealizationInfo system call. The concrete layout of the...
Microsoft Windows - 'nt!NtQueryInformationJobObject (information class 12)' Kernel Stack Memory Disclosure
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1193 We have discovered that the nt!NtQueryInformationJobObject system call corresponding to the documented QueryInformationJobObject API function called with the 12 information class discloses portions of uninitialized kernel...
Microsoft Windows - 'nt!NtQueryInformationJobObject (BasicLimitInformation, ExtendedLimitInformation)' Kernel Stack Memory Disclosure
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1189&desc=2 We have discovered that the nt!NtQueryInformationJobObject system call corresponding to the documented QueryInformationJobObject API function called with the JobObjectExtendedLimitInformation information class disclos...
Microsoft Windows - 'win32k!NtGdiGetOutlineTextMetricsInternalW' Kernel Stack Memory Disclosure
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1179 We have discovered that it is possible to disclose portions of uninitialized kernel stack memory to user-mode applications in Windows 7-10 through the win32k!NtGdiGetOutlineTextMetricsInternalW system call. The system call...