Showing 1 - 24 of 24

Files from joev

Email address: jvennix at rapid7.com
First Active: 2013-08-26
Last Active: 2019-10-15
sudo 1.8.28 Security Bypass
Posted Oct 15, 2019
Authored by joev, Mohin Paramasivam

sudo version 1.8.28 suffers from a security bypass vulnerability.

tags | exploit, bypass
SHA-256 | ec35a5c3501bc30592776b4e452cfc692b4f63c07d8cfcfbaac9a2658edd5f5a
Android ADB Debug Server Remote Payload Execution
Posted Jan 25, 2016
Authored by joev | Site metasploit.com

This Metasploit module writes and spawns a native payload on an Android device that is listening for adb debug messages.

tags | exploit
SHA-256 | 2640ae56b805049663375ef5896d5d962a5262a64ccd23e5e08906e8bd85f1c9
Safari User-Assisted Applescript Exec Attack
Posted Oct 23, 2015
Authored by joev | Site metasploit.com

In versions of Mac OS X before 10.11.1, the applescript:// URL scheme is provided, which opens the provided script in the Applescript Editor. Pressing cmd-R in the Editor executes the code without any additional confirmation from the user. By getting the user to press cmd-R in Safari, and by hooking the cmd-key keypress event, a user can be tricked into running arbitrary Applescript code. Gatekeeper should be disabled from Security and Privacy in order to avoid the unidentified Developer prompt.

tags | exploit, arbitrary
systems | apple, osx
advisories | CVE-2015-7007
SHA-256 | 9ce25e64b927af84c807e90aff34d53a6d9d3e37334d7f8087944eb2e190924f
Apple OS X Entitlements Rootpipe Privilege Escalation
Posted Aug 28, 2015
Authored by joev, Emil Kvarnhammar | Site metasploit.com

This Metasploit module exploits the rootpipe vulnerability and bypasses Apple's initial fix for the issue by injecting code into a process with the 'admin.writeconfig' entitlement.

tags | exploit
systems | apple
advisories | CVE-2015-3673
SHA-256 | 675bfb209258c4d794420d872c3ae4a648abbf5cb0e2af4ea23e9559348211b2
Firefox PDF.js Privileged Javascript Injection
Posted Aug 23, 2015
Authored by temp66, joev, Marius Mlynski | Site metasploit.com

This Metasploit module gains remote code execution on Firefox 35-36 by abusing a privilege escalation bug in resource:// URIs. PDF.js is used to exploit the bug. This exploit requires the user to click anywhere on the page to trigger the vulnerability.

tags | exploit, remote, code execution
advisories | CVE-2015-0816
SHA-256 | c7380b4bd424349eceddb0191b851de4ff91a0a5afb8b3430ceffce5b834c992
Apple OS X DYLD_PRINT_TO_FILE Privilege Escalation
Posted Jul 23, 2015
Authored by Stefan Esser, joev | Site metasploit.com

In Apple OS X 10.10.4 and prior, the DYLD_PRINT_TO_FILE environment variable is used for redirecting logging data to a file instead of stderr. Due to a design error, this feature can be abused by a local attacker to write arbitrary files as root via restricted, SUID-root binaries.

tags | exploit, arbitrary, local, root
systems | apple, osx
SHA-256 | 5f8a24055c7eacceccce25d80da65ff0a662a967a7f926c2fe621369f5e41ae2
Mac OS X Rootpipe Privilege Escalation
Posted Apr 10, 2015
Authored by joev, wvu, Emil Kvarnhammar | Site metasploit.com

This Metasploit module exploits a hidden backdoor API in Apple's Admin framework on Mac OS X to escalate privileges to root, dubbed Rootpipe. Tested on Yosemite 10.10.2 and should work on previous versions. The patch for this issue was not backported to older releases. Note: you must run this exploit as an admin user to escalate to root.

tags | exploit, root
systems | apple, osx
advisories | CVE-2015-1130
SHA-256 | 6e27a1e1f2bcf759b740ad9887024027c9c87f0045ced259f32d35e3a7522fe1
Firefox Proxy Prototype Privileged Javascript Injection
Posted Mar 24, 2015
Authored by joev | Site metasploit.com

This exploit gains remote code execution on Firefox 31-34 by abusing a bug in the XPConnect component and gaining a reference to the privileged chrome:// window. This exploit requires the user to click anywhere on the page to trigger the vulnerability.

tags | exploit, remote, code execution
advisories | CVE-2014-8636
SHA-256 | 13186b54048c8cc06f8faee910912cf899136fc7728d1db2115267711277790d
Javascript Injection For Eval-Based Unpackers
Posted Feb 19, 2015
Authored by joev | Site metasploit.com

This Metasploit module generates a Javascript file that executes arbitrary code when an eval-based unpacker is run on it. Works against js-beautify's P_A_C_K_E_R unpacker.

tags | exploit, arbitrary, javascript
SHA-256 | 194f0e7d20b41bd0f60332ef1dde95810fea4f44e8d6390c5cd8dd449d473c9b
Mac OS X IOKit Keyboard Driver Root Privilege Escalation
Posted Dec 2, 2014
Authored by joev, Ian Beer | Site metasploit.com

A heap overflow in IOHIKeyboardMapper::parseKeyMapping allows kernel memory corruption in Mac OS X before 10.10. By abusing a bug in the IORegistry, kernel pointers can also be leaked, allowing a full kASLR bypass. Tested on Mavericks 10.9.5, and should work on previous versions. The issue has been patched silently in Yosemite.

tags | exploit, overflow, kernel
systems | apple, osx
advisories | CVE-2014-4404
SHA-256 | 11133f34a345562636b3137fbe3bb6e9f2ec2aa4045b1360d1b0885244f3d580
Samsung Galaxy KNOX Android Browser Remote Code Execution
Posted Nov 18, 2014
Authored by joev, Andre Moulu | Site metasploit.com

This Metasploit module exploits a vulnerability that exists in the KNOX security component of the Samsung Galaxy firmware that allows a remote webpage to install an APK with arbitrary permissions by abusing the 'smdm://' protocol handler registered by the KNOX component. The vulnerability has been confirmed in the Samsung Galaxy S4, S5, Note 3, and Ace 4.

tags | exploit, remote, arbitrary, protocol
SHA-256 | 03a3f71c2c2fa9fd0b119371b2d55e432974a0922073ac802b493949e3fd1f34
Mac OS X VMWare Fusion Root Privilege Escalation
Posted Sep 25, 2014
Authored by mubix, joev, Stephane Chazelas, juken | Site metasploit.com

This abuses the bug in bash environment variables (CVE-2014-6271) to get a suid binary inside of VMWare Fusion to launch our payload as root.

tags | exploit, root, bash
advisories | CVE-2014-6271
SHA-256 | f04f53cef923e1ebad417dccfb1f6d01ee754b3ddac0ef16fcb609fa3f055392
GDB Server Remote Payload Execution
Posted Sep 8, 2014
Authored by joev | Site metasploit.com

This Metasploit module attempts to execute an arbitrary payload on a loose gdbserver service.

tags | exploit, arbitrary
SHA-256 | 22f9dfcd1753eef9d08e04be2668d3d18e028c7c2608acca1cfc555f0e9e7004
Firefox WebIDL Privileged Javascript Injection
Posted Aug 27, 2014
Authored by joev, Marius Mlynski | Site metasploit.com

This exploit gains remote code execution on Firefox 22-27 by abusing two separate privilege escalation vulnerabilities in Firefox's Javascript APIs.

tags | exploit, remote, javascript, vulnerability, code execution
advisories | CVE-2014-1510, CVE-2014-1511
SHA-256 | d5cc945e074cb09855a57374de57a97262b3ec3bd1140179dace08bfcb49db35
Firefox toString console.time Privileged Javascript Injection
Posted Aug 18, 2014
Authored by moz_bug_r_a4, joev, Cody Crews | Site metasploit.com

This Metasploit module gains remote code execution on Firefox 15-22 by abusing two separate Javascript-related vulnerabilities to ultimately inject malicious Javascript code into a context running with chrome:// privileges.

tags | exploit, remote, javascript, vulnerability, code execution
advisories | CVE-2013-1670, CVE-2013-1710
SHA-256 | 723732f5e9f85d7844a5395a8a59e9af072256440c604cfc1138fd3468e2d08d
Adobe Reader for Android addJavascriptInterface Exploit
Posted Jun 16, 2014
Authored by Yorick Koster, joev | Site metasploit.com

Adobe Reader versions less than 11.2.0 expose insecure native interfaces to untrusted javascript in a PDF. This Metasploit module embeds the browser exploit from android/webview_addjavascriptinterface into a PDF to get a command shell on vulnerable versions of Reader.

tags | exploit, shell, javascript
advisories | CVE-2014-0514
SHA-256 | 69ded45839e62a1eaba48f4c3a1ce02d6b51e29a52d0dd93b2dcdbc8d905f180
Mac OS X NFS Mount Privilege Escalation
Posted Apr 25, 2014
Authored by joev, Kenzley Alphonse | Site metasploit.com

This exploit leverages a stack overflow vulnerability to escalate privileges. The vulnerable function nfs_convert_old_nfs_args does not verify the size of a user-provided argument before copying it to the stack. As a result, by passing a large size, a local user can overwrite the stack with arbitrary content. Mac OS X Lion Kernel versions equal to and below xnu-1699.32.7 except xnu-1699.24.8 are affected.

tags | exploit, overflow, arbitrary, kernel, local
systems | apple, osx
SHA-256 | 7dda844fc6c2159587750ff9bbb7d5956502e05e69840baeb969d48120b1443f
IBM Server RAID Manager Browser Edition Blind SQL Injection
Posted Apr 23, 2014
Authored by joev

IBM Server RAID Manager Browser Edition version 1.2 suffers from a remote blind SQL injection vulnerability.

tags | exploit, remote, sql injection
SHA-256 | d8f87ec4a9233f7fa59befd16e4c3d3bf7213674c7527531b03d9b76e5b42d2e
Firefox Exec Shellcode From Privileged Javascript Shell
Posted Mar 13, 2014
Authored by joev | Site metasploit.com

This Metasploit module allows execution of native payloads from a privileged Firefox Javascript shell. It puts the specified payload into memory, adds the necessary protection flags, and calls it. Useful for upgrading a Firefox javascript shell to a Meterpreter session without touching the disk.

tags | exploit, shell, javascript
SHA-256 | 40ee936bfb600213287236e414efdc58ac1d496e3897d1cdc7107c2457f599b3
Safari User-Assisted Download / Run Attack
Posted Mar 7, 2014
Authored by joev | Site metasploit.com

This Metasploit module abuses some Safari functionality to force the download of a zipped .app OSX application containing our payload. The app is then invoked using a custom URL scheme. At this point, the user is presented with Gatekeeper's prompt: "APP_NAME" is an application downloaded from the internet. Are you sure you want to open it? If the user clicks "Open", the app and its payload are executed. If the user has the "Only allow applications downloaded from Mac App Store and identified developers" setting enabled (on by default on OS 10.8+), the user will see an error dialog containing "can't be opened because it is from an unidentified developer." To work around this issue, you will need to manually build and sign an OSX app containing your payload with a custom URL handler called "openurl". You can put newlines and unicode in your APP_NAME, although you must be careful not to create a prompt that is too tall, or the user will not be able to click the buttons, and will have to either log out or kill the CoreServicesUIAgent process.

tags | exploit
systems | apple
SHA-256 | b7ff7cca509aa03399b9e3275e886062895930a5f35857244852f59bfb27aeaf
Android Browser / WebView addJavascriptInterface Code Execution
Posted Feb 7, 2014
Authored by jduck, joev | Site metasploit.com

This Metasploit module exploits a privilege escalation issue in the WebView component of Android versions prior to 4.2 that arises when untrusted Javascript code is executed by a WebView that has one or more Interfaces added to it. The untrusted Javascript code can call into the Java Reflection APIs exposed by the Interface and execute arbitrary commands. Some distributions of the Android Browser app have an addJavascriptInterface call tacked on, and thus are vulnerable to RCE. The Browser app in the Google APIs 4.1.2 release of Android is known to be vulnerable. A secondary attack vector involves the WebViews embedded inside a large number of Android applications. Ad integrations are perhaps the worst offender here. If you can MITM the WebView's HTTP connection, or if you can get a persistent XSS into the page displayed in the WebView, then you can inject the html/js served by this module and get a shell. Note: Adding a .js to the URL will return plain javascript (no HTML markup).

tags | exploit, web, arbitrary, shell, javascript
SHA-256 | dbb32d05e01054ebc7b29568cea429ebb06111292c8c20ba817f8d844646e5ff
Linksys WRT110 Remote Command Execution
Posted Oct 8, 2013
Authored by juan vazquez, Craig Young, joev | Site metasploit.com

The Linksys WRT110 consumer router is vulnerable to a command injection exploit in the ping field of the web interface.

tags | exploit, web
advisories | CVE-2013-3568
SHA-256 | 44b428488518ed2abeee03160462e56c8203577c382cafa8ace86476e15928be
Nodejs js-yaml load() Code Execution
Posted Sep 25, 2013
Authored by joev | Site metasploit.com

For node.js applications that parse user-supplied YAML input using the load() function from the 'js-yaml' package versions below 2.0.5, specifying a self-executing function allows us to execute arbitrary javascript code. This Metasploit module demonstrates that behavior.

tags | exploit, arbitrary, javascript
advisories | CVE-2013-4660
SHA-256 | cc5320d102ad2ea9d6b424995476c2aab54c6ea13234fab7e8cf266af00a87a5
Mac OS X Sudo Password Bypass
Posted Aug 26, 2013
Authored by Todd C. Miller, juan vazquez, joev | Site metasploit.com

This Metasploit module gains a session with root permissions on versions of OS X with a sudo binary vulnerable to CVE-2013-1775. Tested working on Mac OS 10.7-10.8.4, and possibly lower versions. If your session belongs to a user with Administrative Privileges (the user is in the sudoers file and is in the "admin group"), and the user has ever run the "sudo" command, it is possible to become the super user by running `sudo -k` and then resetting the system clock to 01-01-1970. This Metasploit module will fail silently if the user is not an admin or if the user has never run the sudo command.

tags | exploit, root
systems | apple, osx
advisories | CVE-2013-1775, OSVDB-90677
SHA-256 | 861501e9890ef0e4cff6780f3ce32dadf2038337f7e60f127a1275773d181e73
© 2022 Packet Storm. All rights reserved.