41207 matches found
Microsoft Windows - win32k!ClientPrinterThunk Kernel Stack Memory Disclosure
Microsoft Windows - win32k!ClientPrinterThunk Kernel Stack Memory Disclosure / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1186 We have discovered that it is possible to disclose portions of uninitialized kernel stack memory to user-mode applications in Windows 7 other...
Microsoft Windows - win32k!NtGdiMakeFontDir Kernel Stack Memory Disclosure
Microsoft Windows - win32k!NtGdiMakeFontDir Kernel Stack Memory Disclosure Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1191 We have discovered that the win32k!NtGdiMakeFontDir system call discloses large portions of uninitialized kernel stack memory to user-mode clients. The...
Microsoft Windows - win32k!NtGdiExtGetObjectW Kernel Stack Memory Disclosure
Microsoft Windows - win32k!NtGdiExtGetObjectW Kernel Stack Memory Disclosure / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1178 We have discovered that it is possible to disclose portions of uninitialized kernel stack memory in Windows 7-10 through the...
Microsoft Windows - win32k!NtGdiGetTextMetricsW Kernel Stack Memory Disclosure
Microsoft Windows - win32k!NtGdiGetTextMetricsW Kernel Stack Memory Disclosure / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1180 We have discovered that it is possible to disclose portions of uninitialized kernel stack memory to user-mode applications in Windows 7 other...
Microsoft Windows - nt!NtQueryInformationJobObject (BasicLimitInformation_ ExtendedLimitInformation) Kernel Stack Memory Disclosure
Microsoft Windows - nt!NtQueryInformationJobObject BasicLimitInformation ExtendedLimitInformation Kernel Stack Memory Disclosure / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1189&desc=2 We have discovered that the nt!NtQueryInformationJobObject system call corresponding to...
Microsoft Windows - win32k!NtGdiGetOutlineTextMetricsInternalW Kernel Stack Memory Disclosure
Microsoft Windows - win32k!NtGdiGetOutlineTextMetricsInternalW Kernel Stack Memory Disclosure / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1179 We have discovered that it is possible to disclose portions of uninitialized kernel stack memory to user-mode applications in...
Microsoft Windows - nt!NtQueryInformationProcess (ProcessVmCounters) Kernel Stack Memory Disclosure
Microsoft Windows - nt!NtQueryInformationProcess ProcessVmCounters Kernel Stack Memory Disclosure / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1190&desc=2 We have discovered that the nt!NtQueryInformationProcess system call called with the ProcessVmCounters information clas...
Microsoft Windows - nt!NtQueryInformationTransaction (information class 1) Kernel Stack Memory Disclosure
Microsoft Windows - nt!NtQueryInformationTransaction information class 1 Kernel Stack Memory Disclosure / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1196 We have discovered that the nt!NtQueryInformationTransaction system call called with the 1 information class discloses...
Microsoft Windows - 0x224000 IOCTL (WmiQueryAllData) Kernel WMIDataDevice Pool Memory Disclosure
Microsoft Windows - 0x224000 IOCTL WmiQueryAllData Kernel WMIDataDevice Pool Memory Disclosure / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1152 We have discovered that the handler of the 0x224000 IOCTL corresponding to the WmiQueryAllData functionality implemented by the...
PHPMailer 5.2.20 with Exim MTA - Remote Code Execution
PHPMailer 5.2.20 with Exim MTA - Remote Code Execution !/usr/bin/python Exploit Title: RCE for PHPMailer 5.2.20 with Exim MTA Date: 16/06/2017 Exploit Author: @phacktul Software Link: https://github.com/PHPMailer/PHPMailer Version: 5.2.20 Tested on: Debian x86/x64 CVE :...
Microsoft Windows - nt!KiDispatchException Kernel Stack Memory Disclosure in Exception Handling
Microsoft Windows - nt!KiDispatchException Kernel Stack Memory Disclosure in Exception Handling / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1177 According to our tests, the generic exception dispatching code present in the Windows kernel Windows 7-10 discloses portions of...
Microsoft Windows - IOCTL_DISK_GET_DRIVE_GEOMETRY_EX Kernel partmgr Pool Memory Disclosure
Microsoft Windows - IOCTLDISKGETDRIVEGEOMETRYEX Kernel partmgr Pool Memory Disclosure / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1156&desc=2 We have discovered that the handler of the IOCTLDISKGETDRIVEGEOMETRYEX IOCTL in partmgr.sys discloses portions of uninitialized poo...
Microsoft Windows - IOCTL_DISK_GET_DRIVE_LAYOUT_EX Kernel partmgr Pool Memory Disclosure
Microsoft Windows - IOCTLDISKGETDRIVELAYOUTEX Kernel partmgr Pool Memory Disclosure / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1159 We have discovered that the handler of the IOCTLDISKGETDRIVELAYOUTEX IOCTL in partmgr.sys discloses portions of uninitialized pool memory to...
Microsoft Windows - nt!NtQueryVolumeInformationFile (FileFsVolumeInformation) Kernel Pool Memory Disclosure
Microsoft Windows - nt!NtQueryVolumeInformationFile FileFsVolumeInformation Kernel Pool Memory Disclosure / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1166 We have discovered that the nt!NtQueryVolumeInformationFile system call discloses portions of uninitialized pool memor...
Microsoft Windows - IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS volmgr Pool Memory Disclosure
Microsoft Windows - IOCTLVOLUMEGETVOLUMEDISKEXTENTS volmgr Pool Memory Disclosure / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1154 We have discovered that the handler of the IOCTLVOLUMEGETVOLUMEDISKEXTENTS IOCTL in volmgr.sys discloses portions of uninitialized pool memory...
Microsoft Windows - win32k!NtGdiEnumFonts Kernel Pool Memory Disclosure
Microsoft Windows - win32k!NtGdiEnumFonts Kernel Pool Memory Disclosure Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1153 We have discovered that the win32k!NtGdiEnumFonts system call handler discloses very large portions of uninitialized pool memory to user-mode clients. The...
Microsoft Windows - nt!NtNotifyChangeDirectoryFile Kernel Pool Memory Disclosure
Microsoft Windows - nt!NtNotifyChangeDirectoryFile Kernel Pool Memory Disclosure / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1169 We have discovered that the nt!NtNotifyChangeDirectoryFile system call discloses portions of uninitialized pool memory to user-mode clients, du...
Microsoft Windows - IOCTL_MOUNTMGR_QUERY_POINTS Kernel Mountmgr Pool Memory Disclosure
Microsoft Windows - IOCTLMOUNTMGRQUERYPOINTS Kernel Mountmgr Pool Memory Disclosure / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1150&desc=2 We have discovered that the handler of the IOCTLMOUNTMGRQUERYPOINTS IOCTL in mountmgr.sys discloses portions of uninitialized pool...
Microsoft Windows - win32k!NtGdiGetOutlineTextMetricsInternalW Kernel Pool Memory Disclosure
Microsoft Windows - win32k!NtGdiGetOutlineTextMetricsInternalW Kernel Pool Memory Disclosure / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1144 The win32k!NtGdiGetOutlineTextMetricsInternalW system call corresponds to the documented GetOutlineTextMetrics API function 1, and ...
Microsoft Windows - IOCTL 0x390400_ operation code 0x00020000 Kernel KsecDD Pool Memory Disclosure
Microsoft Windows - IOCTL 0x390400 operation code 0x00020000 Kernel KsecDD Pool Memory Disclosure / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1147 We have discovered that the IOCTL sent to the \Device\KsecDD device by the BCryptOpenAlgorithmProvider documented API returns...
BOA Web Server 0.94.14rc21 - Arbitrary File Access
BOA Web Server 0.94.14rc21 - Arbitrary File Access BOA Web Server 0.94.14 - Access to arbitrary files as privileges Title: Vulnerability in BOA Webserver 0.94.14 Date: 20-06-2017 Status: Vendor contacted, patch available Scope: Arbitrary file access Platforms: Unix Author: Miguel Mendez Z Vendor...
Freeware Advanced Audio Coder (FAAC) 1.28 - Denial of Service
Freeware Advanced Audio Coder FAAC 1.28 - Denial of Service Freeware Advanced Audio Coder FAAC multiple vulnerabilities ================ Author : qflb.wu =============== Introduction: ============= FAAC is an encoder for a lossy sound compression scheme specified in MPEG-2 Part 7 and MPEG-4 Part ...
SpyCamLizard 1.230 - Remote Buffer Overflow
SpyCamLizard 1.230 - Remote Buffer Overflow !/usr/bin/python Exploit Title: SpyCamLizard v1.230 Remote Buffer Overflow SafeSEH Bypass Date: 20-06-2017 Exploit Author: @abatchy17 -- www.abatchy.com Vulnerable Software: SpyCamLizard Vendor Homepage: http://www.spycamlizard.com/ Version: 1.230...
GNU binutils - ieee_object_p Stack Buffer Overflow
GNU binutils - ieeeobjectp Stack Buffer Overflow Source: https://sourceware.org/bugzilla/showbug.cgi?id=21582 I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer. Please find attached the minimized file causing the issue "Input" and the ASAN report log "Output". Below is the...
GNU binutils - print_insn_score16 Buffer Overflow
GNU binutils - printinsnscore16 Buffer Overflow Source: https://sourceware.org/bugzilla/showbug.cgi?id=21576 I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer. Please find attached the minimized file causing the issue "Input" and the ASAN report log "Output". Below is the...
WonderCMS 2.1.0 - Cross-Site Request Forgery
WonderCMS 2.1.0 - Cross-Site Request Forgery document.forms0.submit; !-- Disclosure Timeline: --------------------- 2017-06-16: Vulnerability found. 2017-06-17: Reported to vendor. 2017-06-17: Vendor responded and send a new version for test in it. 2017-06-17: Test new version and vulernability...
GNU binutils - disassemble_bytes Heap Overflow
GNU binutils - disassemblebytes Heap Overflow Source: https://sourceware.org/bugzilla/showbug.cgi?id=21580 I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer. Please find attached the minimized file causing the issue "Input" and the ASAN report log "Output". Below is the...
Sophos XG Firewall 16.05.4 MR-4 - Path Traversal
Sophos XG Firewall 16.05.4 MR-4 - Path Traversal Vulnerabilities Summary The following advisory describe two 2 vulnerabilities, a Path Traversal and a Missing Function Level Access Control, in Sophos XG Firewall 16.05.4 MR-4. Sophos XG Firewall provides “unprecedented visibility into your network...
GNU binutils - bfd_get_string Stack Buffer Overflow
GNU binutils - bfdgetstring Stack Buffer Overflow Source: https://sourceware.org/bugzilla/showbug.cgi?id=21581 I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer. Please find attached the minimized file causing the issue "Input" and the ASAN report log "Output". Below is the...
GNU binutils - rx_decode_opcode Buffer Overflow
GNU binutils - rxdecodeopcode Buffer Overflow Source: https://sourceware.org/bugzilla/showbug.cgi?id=21587 I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer. Please find attached the minimized file causing the issue "Input" and the ASAN report log "Output". Below is the...
GNU binutils - aarch64_ext_ldst_reglist Buffer Overflow
GNU binutils - aarch64extldstreglist Buffer Overflow Source: https://sourceware.org/bugzilla/showbug.cgi?id=21595 I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer. Please find attached the minimized file causing the issue "Input" and the ASAN report log "Output". Below is...
GNU binutils - decode_pseudodbg_assert_0 Buffer Overflow
GNU binutils - decodepseudodbgassert0 Buffer Overflow Source: https://sourceware.org/bugzilla/showbug.cgi?id=21586 I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer. Please find attached the minimized file causing the issue "Input" and the ASAN report log "Output". Below is...
D-Link DSL-2640B ADSL Router - dnscfg Remote DNS Change
D-Link DSL-2640B ADSL Router - dnscfg Remote DNS Change !/bin/bash D-Link ADSL DSL-2640B GE1.07 Unauthenticated Remote DNS Change Exploit Copyright 2017 c Todor Donev https://www.ethical-hacker.org/ https://www.facebook.com/ethicalhackerorg Description: The vulnerability exist in the web interfac...
Beetel BCM96338 Router - DNS Change
Beetel BCM96338 Router - DNS Change !/bin/bash Beetel BCM96338 ADSL Router Unauthenticated Remote DNS Change Exploit Copyright 2017 c Todor Donev https://www.ethical-hacker.org/ https://www.facebook.com/ethicalhackerorg Description: The vulnerability exist in the web interface, which is accessibl...
D-Link DSL-2640U - DNS Change
D-Link DSL-2640U - DNS Change !/bin/bash D-Link ADSL DSL-2640U IM1.00 Unauthenticated Remote DNS Change Exploit Copyright 2017 c Todor Donev https://www.ethical-hacker.org/ https://www.facebook.com/ethicalhackerorg Description: The vulnerability exist in the web interface, which is accessible...
UTstarcom WA3002G4 - DNS Change
UTstarcom WA3002G4 - DNS Change !/bin/bash UTstarcom WA3002G4 Unauthenticated Remote DNS Change Exploit Copyright 2017 c Todor Donev https://www.ethical-hacker.org/ https://www.facebook.com/ethicalhackerorg Description: The vulnerability exist in the web interface, which is accessible without...
WebKit JSC - Intl.getCanonicalLocales Heap Buffer Overflow
WebKit JSC - Intl.getCanonicalLocales Heap Buffer Overflow arrayStorage; storage-msparseMap.clear; storage-mindexBias = 0; storage-mnumValuesInVector = 0; return butterfly; It allocates a fixed sizeBASEARRAYSTORAGEVECTORLEN of memory without caring about |initialLength|. So a BOF occurs in the...
WebKit JSC - arrayProtoFuncSplice does not Initialize all Indices
WebKit JSC - arrayProtoFuncSplice does not Initialize all Indices lexicalGlobalObject-arrayStructureForIndexingTypeDuringAllocationArrayWithUndecided, actualDeleteCount; if !result return JSValue::encodethrowOutOfMemoryErrorexec, scope; for unsigned k = 0; k initializeIndexvm, k, v;...
WebKit JSC - JSGlobalObject::haveABadTime Causes Type Confusions
WebKit JSC - JSGlobalObject::haveABadTime Causes Type Confusions switchToSlowPutArrayStoragevm; = MINSPARSEARRAYINDEX || structurevm-holesMustForwardToPrototypevm return nullptr; Structure resultStructure = exec.l...
WebKit JSC - JIT Optimization Check Failed in IntegerCheckCombiningPhase::handleBlock
WebKit JSC - JIT Optimization Check Failed in IntegerCheckCombiningPhase::handleBlock range.mmaxBound range.mmaxBound = data.maddend; range.mmaxOrigin = node-origin.semantic; else if data.maddend origin.semantic; ... The problem is that the check |data.maddend range.mmaxBound| is a signed...
iBall Baton iB-WRA150N - DNS Change
iBall Baton iB-WRA150N - DNS Change !/bin/bash iBall Baton iB-WRA150N Unauthenticated Remote DNS Change Exploit Copyright 2016 c Todor Donev https://www.ethical-hacker.org/ https://www.facebook.com/ethicalhackerorg Description: The vulnerability exist in the web interface, which is accessible...
IBM Informix Dynamic Server - Code Injection Remote Code Execution
IBM Informix Dynamic Server - Code Injection Remote Code Execution !/usr/local/bin/python """ IBM Informix Dynamic Server doconfig PHP Code Injection Remote Code Execution Vulnerability 0DAY Bonus: free XXE bug included! Download:...
Joomla! Component JoomRecipe 1.0.3 - SQL Injection
Joomla! Component JoomRecipe 1.0.3 - SQL Injection Exploit Title: Joomla! Component JoomRecipe 1.0.3 - SQL Injection Dork: N/A Date: 15.06.2017 Vendor : http://joomboost.com/ Software: https://extensions.joomla.org/extensions/extension/vertical-markets/food-a-beverage/joomrecipe/ Demo:...
Avast aswSnx.sys Kernel Driver 11.1.2253 - Memory Corruption Privilege Escalation
Avast aswSnx.sys Kernel Driver 11.1.2253 - Memory Corruption Privilege Escalation / Author: bee13oy BSoD on Windows 7 x86 / Windows 10 x86 + Avast Premier / Avast Free Antivirus 11.1.2253 Source: https://github.com/bee13oy/AVKernelVulns/tree/master/Avast/aswSnxBSoD2ZDI-16-681 There is a Memory...
VX Search Enterprise 9.7.18 - Local Buffer Overflow
VX Search Enterprise 9.7.18 - Local Buffer Overflow import os import struct author = ''' Created: ScrR1pTK1dd13 Name: Greg Priest Mail: [email protected] Exploit Title: VX Search Enterprise v9.7.18 Import Local Buffer Overflow Vuln. Date: 2017.06.15 Exploit Author: Greg Priest Versio...
Easy File Sharing Web Server 7.2 - POST Remote Buffer Overflow (DEP Bypass)
Easy File Sharing Web Server 7.2 - POST Remote Buffer Overflow DEP Bypass !/usr/bin/python Exploit Title: Easy File Sharing Web Server 7.2 - 'POST' Buffer Overflow DEP Bypass with ROP Exploit Author: bl4ck h4ck3r Software Link: http://www.sharing-file.com/efssetup.exe Version: Easy File Sharing W...
KBVault MySQL 0.16a - Arbitrary File Upload
KBVault MySQL 0.16a - Arbitrary File Upload Exploit Title: KBVault MySQL v0.16a - Unauthenticated File Upload to Run Code Google Dork: inurl:"FileExplorer/Explorer.aspx" Date: 2017-06-14 Exploit Author: Fatih Emiral Vendor Homepage: http://kbvaultmysql.codeplex.com/ Software Link:...
Google Chrome - V8 Private Property Arbitrary Code Execution
Google Chrome - V8 Private Property Arbitrary Code Execution // Source: https://github.com/secmob/pwnfest2016/ function exploit function tohexnum return num0.toString16; function intarraytodoubleintarr var uBuf = new Uint32Array2; var dBuf = new Float64ArrayuBuf.buffer; uBuf0=intarr0;...
Sudo 1.8.20 - get_process_ttyname() Local Privilege Escalation
Sudo 1.8.20 - getprocessttyname Local Privilege Escalation / E-DB Note: http://www.openwall.com/lists/oss-security/2017/05/30/16 E-DB Note: http://seclists.org/oss-sec/2017/q2/470 LinuxsudoCVE-2017-1000367.c Copyright C 2017 Qualys, Inc. This program is free software: you can redistribute it and/...
HP PageWide Printers HP OfficeJet Pro Printers (OfficeJet Pro 8210) - Arbitrary Code Execution
HP PageWide Printers HP OfficeJet Pro Printers OfficeJet Pro 8210 - Arbitrary Code Execution Create a bind shell on an unpatched OfficeJet 8210 Write a script to profile.d and reboot the device. When it comes back online then nc to port 1270. easysnmp instructions: sudo apt-get install libsnmp-de...