47904 matches found
Microsoft Windows - 'USP10!NextCharInLiga' Uniscribe Font Processing Out-of-Bounds Memory Read
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1202 We have encountered a crash in the Windows Uniscribe user-mode library, in the USP10!NextCharInLiga function, while trying to display text using a corrupted TTF font file: --- 3d4.454: Access violation - code c0000005 first...
Microsoft Windows - 'USP10!ttoGetTableData' Uniscribe Font Processing Out-of-Bounds Memory Read
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1199 We have encountered a crash in the Windows Uniscribe user-mode library, in the USP10!ttoGetTableData function, while trying to display text using a corrupted TTF font file: --- 210.274: Access violation - code c0000005 first...
Microsoft Windows Kernel - 'ATMFD.DLL' Out-of-Bounds Read due to Malformed Name INDEX in the CFF Table
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1213 We have encountered a Windows kernel crash in the ATMFD.DLL OpenType driver while processing a corrupted OTF font file, see below: --- DRIVERPAGEFAULTBEYONDENDOFALLOCATION d6 N bytes of memory was allocated and more than N byt...
Microsoft Windows - 'nt!NtQueryInformationResourceManager (information class 0)' Kernel Stack Memory Disclosure
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1207 We have discovered that the nt!NtQueryInformationResourceManager system call called with the 0 information class discloses portions of uninitialized kernel stack memory to user-mode clients, on Windows 7 to Windows 10. The...
Microsoft Windows - 'USP10!SubstituteNtoM' Uniscribe Font Processing Out-of-Bounds Memory Read
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1200 We have encountered a crash in the Windows Uniscribe user-mode library, in the USP10!SubstituteNtoM function, while trying to display text using a corrupted TTF font file: --- 69c.164: Access violation - code c0000005 first...
Microsoft Windows - 'USP10!MergeLigRecords' Uniscribe Font Processing Heap Memory Corruption
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1198 We have encountered a crash in the Windows Uniscribe user-mode library, in the memmove function called by USP10!MergeLigRecords, while trying to display text using a corrupted font file: --- 4e0.6dc: Access violation - code...
Microsoft Windows - 'USP10!otlValueRecord::adjustPos' Uniscribe Font Processing Out-of-Bounds Memory Read
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1204 We have encountered a crash in the Windows Uniscribe user-mode library, in the USP10!otlValueRecord::adjustPos function, while trying to display text using a corrupted TTF font file: --- 470.4d4: Access violation - code c00000...
Microsoft Windows - 'USP10!otlReverseChainingLookup::apply' Uniscribe Font Processing Out-of-Bounds Memory Read
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1205 We have encountered a crash in the Windows Uniscribe user-mode library, in the USP10!otlReverseChainingLookup::apply function, while trying to display text using a corrupted TTF font file: --- 678.6c8: Access violation - code...
Microsoft Windows - 'USP10!CreateIndexTable' Uniscribe Font Processing Out-of-Bounds Memory Read
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1201 We have encountered a crash in the Windows Uniscribe user-mode library, in the USP10!CreateIndexTable function, while trying to display text using a corrupted TTF font file: --- 5cc.74: Access violation - code c0000005 first...
Microsoft Windows - 'win32k!NtGdiExtGetObjectW' Kernel Stack Memory Disclosure
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1178 We have discovered that it is possible to disclose portions of uninitialized kernel stack memory in Windows 7-10 through the win32k!NtGdiExtGetObjectW system call accessible via a documented GetObject API function to user-mo...
Microsoft Windows - 'nt!NtQueryInformationJobObject (information class 12)' Kernel Stack Memory Disclosure
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1193 We have discovered that the nt!NtQueryInformationJobObject system call corresponding to the documented QueryInformationJobObject API function called with the 12 information class discloses portions of uninitialized kernel...
Microsoft Windows - 'win32k!NtGdiMakeFontDir' Kernel Stack Memory Disclosure
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1191 We have discovered that the win32k!NtGdiMakeFontDir system call discloses large portions of uninitialized kernel stack memory to user-mode clients. The attached proof of concept code which is specific to Windows 7 32-bit works...
Microsoft Windows - 'nt!NtQueryInformationJobObject (information class 28)' Kernel Stack Memory Disclosure
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1194 We have discovered that the nt!NtQueryInformationJobObject system call corresponding to the documented QueryInformationJobObject API function called with the 28 information class discloses portions of uninitialized kernel...
Microsoft Windows - 'win32k!ClientPrinterThunk' Kernel Stack Memory Disclosure
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1186 We have discovered that it is possible to disclose portions of uninitialized kernel stack memory to user-mode applications in Windows 7 other platforms untested indirectly through the win32k!NtGdiOpenDCW system call. The...
Microsoft Windows - 'nt!NtQueryInformationTransaction (information class 1)' Kernel Stack Memory Disclosure
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1196 We have discovered that the nt!NtQueryInformationTransaction system call called with the 1 information class discloses portions of uninitialized kernel stack memory to user-mode clients, on Windows 7 to Windows 10. The...
Microsoft Windows - 'win32k!NtGdiGetRealizationInfo' Kernel Stack Memory Disclosure
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1181 We have discovered that it is possible to disclose portions of uninitialized kernel stack memory to user-mode applications in Windows 7-10 through the win32k!NtGdiGetRealizationInfo system call. The concrete layout of the...
Microsoft Windows - 'nt!NtQueryInformationProcess (ProcessVmCounters)' Kernel Stack Memory Disclosure
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1190&desc=2 We have discovered that the nt!NtQueryInformationProcess system call called with the ProcessVmCounters information class discloses portions of uninitialized kernel stack memory to user-mode clients, due to output...
Microsoft Windows - 'nt!NtQueryInformationJobObject (BasicLimitInformation, ExtendedLimitInformation)' Kernel Stack Memory Disclosure
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1189&desc=2 We have discovered that the nt!NtQueryInformationJobObject system call corresponding to the documented QueryInformationJobObject API function called with the JobObjectExtendedLimitInformation information class disclos...
Microsoft Windows - 'win32k!NtGdiGetOutlineTextMetricsInternalW' Kernel Stack Memory Disclosure
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1179 We have discovered that it is possible to disclose portions of uninitialized kernel stack memory to user-mode applications in Windows 7-10 through the win32k!NtGdiGetOutlineTextMetricsInternalW system call. The system call...
Microsoft Windows - 'win32k!NtGdiGetTextMetricsW' Kernel Stack Memory Disclosure
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1180 We have discovered that it is possible to disclose portions of uninitialized kernel stack memory to user-mode applications in Windows 7 other systems untested through the win32k!NtGdiGetTextMetricsW system call. The output...
Microsoft Windows - 'win32k!NtGdiGetOutlineTextMetricsInternalW' Kernel Pool Memory Disclosure
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1144 The win32k!NtGdiGetOutlineTextMetricsInternalW system call corresponds to the documented GetOutlineTextMetrics API function 1, and is responsible for returning information about the outline text metrics associated with a...
Microsoft Windows - '0x224000 IOCTL (WmiQueryAllData)' Kernel WMIDataDevice Pool Memory Disclosure
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1152 We have discovered that the handler of the 0x224000 IOCTL corresponding to the WmiQueryAllData functionality implemented by the \.\WMIDataDevice device in ntoskrnl.exe as dispatched by the nt!WmipIoControl routine discloses...
Microsoft Windows - 'IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS' volmgr Pool Memory Disclosure
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1154 We have discovered that the handler of the IOCTLVOLUMEGETVOLUMEDISKEXTENTS IOCTL in volmgr.sys discloses portions of uninitialized pool memory to user-mode clients, due to output structure alignment holes. On our test Window...
Microsoft Windows - 'win32k!NtGdiEnumFonts' Kernel Pool Memory Disclosure
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1153 We have discovered that the win32k!NtGdiEnumFonts system call handler discloses very large portions of uninitialized pool memory to user-mode clients. The issue can be reproduced by running the attached proof-of-concept progra...
Microsoft Windows - 'IOCTL 0x390400, operation code 0x00020000' Kernel KsecDD Pool Memory Disclosure
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1147 We have discovered that the IOCTL sent to the \Device\KsecDD device by the BCryptOpenAlgorithmProvider documented API returns some uninitialized pool memory in the output buffer. Let's consider the following input data for t...
Microsoft Windows - 'IOCTL_MOUNTMGR_QUERY_POINTS' Kernel Mountmgr Pool Memory Disclosure
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1150&desc=2 We have discovered that the handler of the IOCTLMOUNTMGRQUERYPOINTS IOCTL in mountmgr.sys discloses portions of uninitialized pool memory to user-mode clients, due to output structure alignment holes. On our test...
Microsoft Windows - 'nt!NtQueryVolumeInformationFile (FileFsVolumeInformation)' Kernel Pool Memory Disclosure
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1166 We have discovered that the nt!NtQueryVolumeInformationFile system call discloses portions of uninitialized pool memory to user-mode clients, due to output structure alignment holes. On our test Windows 10 32-bit workstation...
Microsoft Windows - 'IOCTL_DISK_GET_DRIVE_GEOMETRY_EX' Kernel partmgr Pool Memory Disclosure
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1156&desc=2 We have discovered that the handler of the IOCTLDISKGETDRIVEGEOMETRYEX IOCTL in partmgr.sys discloses portions of uninitialized pool memory to user-mode clients, due to output structure alignment holes. On our test...
Microsoft Windows - 'IOCTL_DISK_GET_DRIVE_LAYOUT_EX' Kernel partmgr Pool Memory Disclosure
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1159 We have discovered that the handler of the IOCTLDISKGETDRIVELAYOUTEX IOCTL in partmgr.sys discloses portions of uninitialized pool memory to user-mode clients. The issue can be reproduced by running the attached...
Microsoft Windows - 'nt!KiDispatchException' Kernel Stack Memory Disclosure in Exception Handling
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1177 According to our tests, the generic exception dispatching code present in the Windows kernel Windows 7-10 discloses portions of uninitialized kernel stack memory to user-mode clients via the CONTEXT structure set up for the...
Microsoft Windows - 'nt!NtNotifyChangeDirectoryFile' Kernel Pool Memory Disclosure
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1169 We have discovered that the nt!NtNotifyChangeDirectoryFile system call discloses portions of uninitialized pool memory to user-mode clients, due to output structure alignment holes. On our test Windows 10 32-bit workstation,...
PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution
!/usr/bin/python Exploit Title: RCE for PHPMailer 5.2.20 with Exim MTA Date: 16/06/2017 Exploit Author: @phacktul Software Link: https://github.com/PHPMailer/PHPMailer Version: 5.2.20 Tested on: Debian x86/x64 CVE : CVE-2016-10033,CVE-2016-10074,CVE-2016-10034,CVE-2016-10045 @phacktul -...
Linux/x86 - Reverse UDP Shellcode (668 bytes)
Linux/x86 - Reverse UDP Shellcode 668 bytes. Shellcode exploit for Linx86 platform ; SLAE-X ; thanks to writesup from previou students : ; assignment: 2. create a reverse shell ; originality: using UDP instead TCP ; usage : sudo ncat -lup 53 on the receiving end ; warning, this shellcode might...
BOA Web Server 0.94.14rc21 - Arbitrary File Access
BOA Web Server 0.94.14 - Access to arbitrary files as privileges Title: Vulnerability in BOA Webserver 0.94.14 Date: 20-06-2017 Status: Vendor contacted, patch available Scope: Arbitrary file access Platforms: Unix Author: Miguel Mendez Z Vendor Homepage: http://www.boa.org Version: Boa Webserver...
SpyCamLizard 1.230 - Remote Buffer Overflow
!/usr/bin/python Exploit Title: SpyCamLizard v1.230 Remote Buffer Overflow SafeSEH Bypass Date: 20-06-2017 Exploit Author: @abatchy17 -- www.abatchy.com Vulnerable Software: SpyCamLizard Vendor Homepage: http://www.spycamlizard.com/ Version: 1.230 Software Link:...
Freeware Advanced Audio Coder (FAAC) 1.28 - Denial of Service
Freeware Advanced Audio Coder FAAC multiple vulnerabilities ================ Author : qflb.wu =============== Introduction: ============= FAAC is an encoder for a lossy sound compression scheme specified in MPEG-2 Part 7 and MPEG-4 Part 3 standards and known as Advanced Audio Coding AAC. This...
Sophos XG Firewall 16.05.4 MR-4 - Path Traversal
Vulnerabilities Summary The following advisory describe two 2 vulnerabilities, a Path Traversal and a Missing Function Level Access Control, in Sophos XG Firewall 16.05.4 MR-4. Sophos XG Firewall provides “unprecedented visibility into your network, users, and applications directly from the all-n...
WonderCMS 2.1.0 - Cross-Site Request Forgery
document.forms0.submit; !-- Disclosure Timeline: --------------------- 2017-06-16: Vulnerability found. 2017-06-17: Reported to vendor. 2017-06-17: Vendor responded and send a new version for test in it. 2017-06-17: Test new version and vulernability patched successfully. 2017-06-18: Vendor...
GNU binutils - 'aarch64_ext_ldst_reglist' Buffer Overflow
Source: https://sourceware.org/bugzilla/showbug.cgi?id=21595 I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer. Please find attached the minimized file causing the issue "Input" and the ASAN report log "Output". Below is the reduced stacktrace with links to the correspondin...
GNU binutils - 'rx_decode_opcode' Buffer Overflow
Source: https://sourceware.org/bugzilla/showbug.cgi?id=21587 I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer. Please find attached the minimized file causing the issue "Input" and the ASAN report log "Output". Below is the reduced stacktrace with links to the correspondin...
GNU binutils - 'print_insn_score16' Buffer Overflow
Source: https://sourceware.org/bugzilla/showbug.cgi?id=21576 I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer. Please find attached the minimized file causing the issue "Input" and the ASAN report log "Output". Below is the reduced stacktrace with links to the correspondin...
GNU binutils - 'decode_pseudodbg_assert_0' Buffer Overflow
Source: https://sourceware.org/bugzilla/showbug.cgi?id=21586 I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer. Please find attached the minimized file causing the issue "Input" and the ASAN report log "Output". Below is the reduced stacktrace with links to the correspondin...
GNU binutils - 'ieee_object_p' Stack Buffer Overflow
Source: https://sourceware.org/bugzilla/showbug.cgi?id=21582 I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer. Please find attached the minimized file causing the issue "Input" and the ASAN report log "Output". Below is the reduced stacktrace with links to the correspondin...
GNU binutils - 'bfd_get_string' Stack Buffer Overflow
Source: https://sourceware.org/bugzilla/showbug.cgi?id=21581 I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer. Please find attached the minimized file causing the issue "Input" and the ASAN report log "Output". Below is the reduced stacktrace with links to the correspondin...
GNU binutils - 'disassemble_bytes' Heap Overflow
Source: https://sourceware.org/bugzilla/showbug.cgi?id=21580 I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer. Please find attached the minimized file causing the issue "Input" and the ASAN report log "Output". Below is the reduced stacktrace with links to the correspondin...
D-Link DSL-2640B ADSL Router - 'dnscfg' Remote DNS Change
!/bin/bash D-Link ADSL DSL-2640B GE1.07 Unauthenticated Remote DNS Change Exploit Copyright 2017 c Todor Donev https://www.ethical-hacker.org/ https://www.facebook.com/ethicalhackerorg Description: The vulnerability exist in the web interface, which is accessible without authentication. Once...
Easy File Sharing HTTP Server 7.2 - POST Buffer Overflow (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Easy File Sharing HTTP Server 7.2 POST Buffer Overflow', 'Description' = %q This module exploits a POST buffer overflow in the Easy File Sharing F...
Beetel BCM96338 Router - DNS Change
!/bin/bash Beetel BCM96338 ADSL Router Unauthenticated Remote DNS Change Exploit Copyright 2017 c Todor Donev https://www.ethical-hacker.org/ https://www.facebook.com/ethicalhackerorg Description: The vulnerability exist in the web interface, which is accessible without authentication. Once...
D-Link DSL-2640U - DNS Change
!/bin/bash D-Link ADSL DSL-2640U IM1.00 Unauthenticated Remote DNS Change Exploit Copyright 2017 c Todor Donev https://www.ethical-hacker.org/ https://www.facebook.com/ethicalhackerorg Description: The vulnerability exist in the web interface, which is accessible without authentication. Once...
UTstarcom WA3002G4 - DNS Change
!/bin/bash UTstarcom WA3002G4 Unauthenticated Remote DNS Change Exploit Copyright 2017 c Todor Donev https://www.ethical-hacker.org/ https://www.facebook.com/ethicalhackerorg Description: The vulnerability exist in the web interface, which is accessible without authentication. Once modified,...