what you don't know can hurt you
Showing 1 - 7 of 7 RSS Feed

Files from saelo

First Active2013-05-23
Last Active2018-12-13
Safari Proxy Object Type Confusion
Posted Dec 13, 2018
Authored by saelo | Site metasploit.com

This Metasploit module exploits a type confusion bug in the Javascript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of e.g. an argument without causing a bailout, leading to a type confusion.

tags | exploit, arbitrary, javascript
advisories | CVE-2018-4233, CVE-2018-4404
MD5 | c501475e6a50c14cfc8ea6a100c5476d
Mac OS X libxpc MITM Privilege Escalation
Posted Nov 28, 2018
Authored by saelo | Site metasploit.com

This Metasploit module exploits a vulnerability in libxpc on macOS versions 10.13.3 and below. The task_set_special_port API allows callers to overwrite their bootstrap port, which is used to communicate with launchd. This port is inherited across forks: child processes will use the same bootstrap port as the parent. By overwriting the bootstrap port and forking a child processes, we can now gain a MitM position between our child and launchd. To gain root we target the sudo binary and intercept its communication with opendirectoryd, which is used by sudo to verify credentials. We modify the replies from opendirectoryd to make it look like our password was valid.

tags | exploit, root
advisories | CVE-2018-4237
MD5 | 45269b24778bad6f66dc74a38caefbe2
Foxit PDF Reader 9.0.1.1049 Pointer Overwrite Use-After-Free
Posted Aug 24, 2018
Authored by mr_me, saelo, Jacob Robles, bit from meepwnn | Site metasploit.com

Foxit PDF Reader version 9.0.1.1049 has a use-after-free vulnerability in the Text Annotations component and the TypedArray's use uninitialized pointers. The vulnerabilities can be combined to leak a vtable memory address, which can be adjusted to point to the base address of the executable. A ROP chain can be constructed that will execute when Foxit Reader performs the UAF.

tags | exploit, vulnerability
advisories | CVE-2018-9948, CVE-2018-9958
MD5 | e97b836581258dc59d81b67b330175e8
Phrack - Attacking JavaScript Engines
Posted Sep 26, 2017
Authored by phrack, saelo

Phrack: Attacking JavaScript Engines: A case study of JavaScriptCore and CVE-2016-4622.

tags | javascript, magazine
advisories | CVE-2016-4622
MD5 | 7eb5ac7affbfc927e6c0294bb84baa2c
Apple Safari 10.1 Spread Operator Integer Overflow
Posted Jun 5, 2017
Authored by saelo

Apple Safari version 10.1 suffers from a spread operator integer overflow vulnerability.

tags | exploit, overflow
systems | apple
advisories | CVE-2017-2536
MD5 | 3a943d9ae9fc03a27794d0ca8ba5bd54
X86_X32 recvmmsg Arbitrary Write Local Root
Posted Feb 3, 2014
Authored by saelo

Linux 3.4+ arbitrary write exploit for CONFIG_X86_X32 that spawns a root shell.

tags | exploit, arbitrary, shell, root
systems | linux
advisories | CVE-2014-0038
MD5 | f1b57ea21800bad181a5c6367fd1763e
Nginx HTTP Server 1.3.9-1.4.0 Chunked Encoding Stack Buffer Overflow
Posted May 23, 2013
Authored by Greg MacManus, hal, saelo | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in versions 1.3.9 to 1.4.0 of nginx. The exploit first triggers an integer overflow in the ngx_http_parse_chunked() by supplying an overly long hex value as chunked block size. This value is later used when determining the number of bytes to read into a stack buffer, thus the overflow becomes possible.

tags | exploit, overflow
advisories | CVE-2013-2028, OSVDB-93037
MD5 | 94362300dbd4b7f9d4fd7deca32fd52d
Page 1 of 1
Back1Next

File Archive:

January 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    15 Files
  • 2
    Jan 2nd
    15 Files
  • 3
    Jan 3rd
    11 Files
  • 4
    Jan 4th
    1 Files
  • 5
    Jan 5th
    2 Files
  • 6
    Jan 6th
    5 Files
  • 7
    Jan 7th
    24 Files
  • 8
    Jan 8th
    15 Files
  • 9
    Jan 9th
    16 Files
  • 10
    Jan 10th
    23 Files
  • 11
    Jan 11th
    17 Files
  • 12
    Jan 12th
    3 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    18 Files
  • 15
    Jan 15th
    33 Files
  • 16
    Jan 16th
    23 Files
  • 17
    Jan 17th
    29 Files
  • 18
    Jan 18th
    15 Files
  • 19
    Jan 19th
    2 Files
  • 20
    Jan 20th
    3 Files
  • 21
    Jan 21st
    17 Files
  • 22
    Jan 22nd
    19 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close