Showing 1 - 7 of 7

Files from saelo

First Active	2013-05-23
Last Active	2018-12-13

Safari Proxy Object Type Confusion: Posted Dec 13, 2018; Authored by saelo | Site metasploit.com; This Metasploit module exploits a type confusion bug in the Javascript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of e.g. an argument without causing a bailout, leading to a type confusion.; tags | exploit, arbitrary, javascript; advisories | CVE-2018-4233, CVE-2018-4404; MD5 | c501475e6a50c14cfc8ea6a100c5476d; Download | Favorite | Comments (0)

Mac OS X libxpc MITM Privilege Escalation: Posted Nov 28, 2018; Authored by saelo | Site metasploit.com; This Metasploit module exploits a vulnerability in libxpc on macOS versions 10.13.3 and below. The task_set_special_port API allows callers to overwrite their bootstrap port, which is used to communicate with launchd. This port is inherited across forks: child processes will use the same bootstrap port as the parent. By overwriting the bootstrap port and forking a child processes, we can now gain a MitM position between our child and launchd. To gain root we target the sudo binary and intercept its communication with opendirectoryd, which is used by sudo to verify credentials. We modify the replies from opendirectoryd to make it look like our password was valid.; tags | exploit, root; advisories | CVE-2018-4237; MD5 | 45269b24778bad6f66dc74a38caefbe2; Download | Favorite | Comments (0)

Foxit PDF Reader 9.0.1.1049 Pointer Overwrite Use-After-Free: Posted Aug 24, 2018; Authored by mr_me, saelo, Jacob Robles, bit from meepwnn | Site metasploit.com; Foxit PDF Reader version 9.0.1.1049 has a use-after-free vulnerability in the Text Annotations component and the TypedArray's use uninitialized pointers. The vulnerabilities can be combined to leak a vtable memory address, which can be adjusted to point to the base address of the executable. A ROP chain can be constructed that will execute when Foxit Reader performs the UAF.; tags | exploit, vulnerability; advisories | CVE-2018-9948, CVE-2018-9958; MD5 | e97b836581258dc59d81b67b330175e8; Download | Favorite | Comments (0)

Phrack - Attacking JavaScript Engines: Posted Sep 26, 2017; Authored by phrack, saelo; Phrack: Attacking JavaScript Engines: A case study of JavaScriptCore and CVE-2016-4622.; tags | javascript, magazine; advisories | CVE-2016-4622; MD5 | 7eb5ac7affbfc927e6c0294bb84baa2c; Download | Favorite | Comments (0)

Apple Safari 10.1 Spread Operator Integer Overflow: Posted Jun 5, 2017; Authored by saelo; Apple Safari version 10.1 suffers from a spread operator integer overflow vulnerability.; tags | exploit, overflow; systems | apple; advisories | CVE-2017-2536; MD5 | 3a943d9ae9fc03a27794d0ca8ba5bd54; Download | Favorite | Comments (0)

X86_X32 recvmmsg Arbitrary Write Local Root: Posted Feb 3, 2014; Authored by saelo; Linux 3.4+ arbitrary write exploit for CONFIG_X86_X32 that spawns a root shell.; tags | exploit, arbitrary, shell, root; systems | linux; advisories | CVE-2014-0038; MD5 | f1b57ea21800bad181a5c6367fd1763e; Download | Favorite | Comments (0)

Nginx HTTP Server 1.3.9-1.4.0 Chunked Encoding Stack Buffer Overflow: Posted May 23, 2013; Authored by Greg MacManus, hal, saelo | Site metasploit.com; This Metasploit module exploits a stack buffer overflow in versions 1.3.9 to 1.4.0 of nginx. The exploit first triggers an integer overflow in the ngx_http_parse_chunked() by supplying an overly long hex value as chunked block size. This value is later used when determining the number of bytes to read into a stack buffer, thus the overflow becomes possible.; tags | exploit, overflow; advisories | CVE-2013-2028, OSVDB-93037; MD5 | 94362300dbd4b7f9d4fd7deca32fd52d; Download | Favorite | Comments (0)

Page 1 of 1 Back 1 Next

Top Authors In Last 30 Days