exploit the possibilities
Showing 1 - 25 of 27 RSS Feed

Files from Imre Rad

Email addressimre.rad at search-lab.hu
First Active2015-02-06
Last Active2021-09-29
Google Extensible Service Proxy Header Forgery
Posted Sep 29, 2021
Authored by Imre Rad

Google's Extensible Service Proxy suffers from a header forgery vulnerability.

tags | exploit
SHA-256 | c2a95ac806be1e61288f44e7ec319f21ec2702adefa41386a2ad0039ac44ff37
Microsoft DiagHub Privilege Escalation
Posted Apr 20, 2021
Authored by Imre Rad

Microsoft Diaghub suffers from a privilege escalation vulnerability.

tags | exploit
advisories | CVE-2021-28313, CVE-2021-28321, CVE-2021-28322, CVE-2021-28323
SHA-256 | 844a4c936f2538ce3463038b174f339bb043e808dd20dea21867c792cccc8425
Microsoft Windows Update Orchestrator Unchecked ScheduleWork Call
Posted Sep 28, 2020
Authored by Imre Rad, bwatters-r7 | Site metasploit.com

This Metasploit module exploit uses access to the UniversalOrchestrator ScheduleWork API call which does not verify the caller's token before scheduling a job to be run as SYSTEM. You cannot schedule something in a given time, so the payload will execute as system sometime in the next 24 hours.

tags | exploit
advisories | CVE-2020-1313
SHA-256 | 3a60a69dcbeb7de997adcc7d739647b41b00df07ef99e3f346dd78c5b1f47616
GoogleCloudPlatform OSConfig Privilege Escalation
Posted Sep 22, 2020
Authored by Imre Rad | Site github.com

Google's osconfig agent was vulnerable to local privilege escalation due to relying on a predictable path inside the /tmp directory. An unprivileged malicious process could abuse this flaw to win a race condition and take over the files managed by the high privileged agent process and thus execute arbitrary commands as the root user (full capabilities). Exploitation was possible only during an osconfig recipe being deployed.

tags | exploit, arbitrary, local, root
SHA-256 | 1cc92e5ebabd438a79296409a717f268826979019ed2cd8fa31fe695998e710e
OpenSSL signature_algorithms_cert Denial Of Service
Posted May 1, 2020
Authored by Imre Rad | Site github.com

Proof of concept denial of service exploit for the recent OpenSSL signature_algorithms_cert vulnerability.

tags | exploit, denial of service, proof of concept
advisories | CVE-2020-1967
SHA-256 | 1d08073755309441e120ada922d200c5276431e79d7c9bdd66bbb529a2013702
Microsoft Windows Modules Installer Service Information Disclosure
Posted Feb 17, 2020
Authored by Imre Rad | Site github.com

The TrustedInstaller service running on the Microsoft Windows operating system hosts a COM service called Sxs Store Class; its ISxsStore interface provides methods to install/uninstall assembles via application manifests files into the WinSxS store. These API methods were meant to be available for users with administrative privileges only, but the logic was unintentionally exposed to anyone on the system due to improper implementation of the authorization logic.

tags | exploit
systems | windows
advisories | CVE-2020-0728
SHA-256 | 9c1655d1ae3d7a8de85f05069a4d75abf6276f84421c75d2885fafffef09b981
Microsoft .diagcab Directory Traversal / Code Execution
Posted Jan 18, 2020
Authored by Imre Rad

A flaw in the implementation of Microsoft's Troubleshooter technology could lead to remote code execution if a crafted .diagcab file is opened by the victim. The exploit leverages a rogue webdav server to trick MSDT to drop files to attacker controller locations on the file system.

tags | exploit, remote, code execution
SHA-256 | cbe54b81542a05ea1e6eca61a96e5a5cf9a912e2b9399db4856ff9dcd2335482
IcedTeaWeb Validation Bypass / Directory Traversal / Code Execution
Posted Oct 7, 2019
Authored by Imre Rad

IcedTeaWeb suffers from multiple vulnerabilities including directory traversal and validation bypass issues that can lead to remote code execution. The affected versions are 1.7.2 and below, 1.8.2 and below. 1.6 is also vulnerable and not patched due to being EOL. Proof of concepts are provided.

tags | exploit, remote, vulnerability, code execution, proof of concept
advisories | CVE-2019-10181, CVE-2019-10182, CVE-2019-10185
SHA-256 | 1337c5ba88da32d6b2f207e5dfaef357aba71650ba7c348c9a4b63c551a403cd
GNU patch Command Injection / Directory Traversal
Posted Aug 16, 2019
Authored by Imre Rad

GNU patch suffers from command injection and various other vulnerabilities when handling specially crafted patch files.

tags | exploit, vulnerability
advisories | CVE-2018-1000156, CVE-2018-20969, CVE-2019-13636, CVE-2019-13638
SHA-256 | 46e27d51accb7a7405dd3c34e724a12c052ab52ecfe5b3acffb883ba165d5e6b
WordPress WP Fastest Cache 0.8.9.5 Directory Traversal
Posted Jul 30, 2019
Authored by Imre Rad

WordPress WP Fastest Cache plugin versions 0.8.9.5 and below suffer from a directory traversal vulnerability.

tags | exploit, file inclusion
advisories | CVE-2019-13635
SHA-256 | a48aa7f98293e513ef94ab9b82442089b2529f76733376c84e5da8863c042fd3
Wampserver 3.1.8 Cross Site Request Forgery
Posted Jun 10, 2019
Authored by Imre Rad

Wampserver versions 3.1.4 through 3.1.8 suffer from a cross site request forgery vulnerability.

tags | exploit, csrf
SHA-256 | 5f29238634e5da41f867c1af60f848f8e1bd8f7c8c7c9ac99b7b56d2d1b57d67
PHP PHP_INI_SYSTEM Ineffective Controls
Posted May 21, 2019
Authored by Imre Rad

Security controls configured via php.ini directives at the PHP_INI_SYSTEM level are ineffective as they could be bypassed by malicious scripts via writing their own process memory on the Linux platform. Proof of concept code included.

tags | exploit, php, proof of concept
systems | linux
SHA-256 | a746a7f8973556b23ebea90b00627034fee20f44dce632fd39f31dcfa7483ceb
knc (Kerberized NetCat) Denial Of Service
Posted Nov 29, 2018
Authored by Imre Rad

knc (Kerberised NetCat) versions before 1.11-1 are vulnerable to denial of service (memory exhaustion) that can be exploited remotely without authentication, possibly affecting another service running on the targeted host. Proof of concept included.

tags | exploit, denial of service, proof of concept
advisories | CVE-2017-9732
SHA-256 | 5f21249af2b570413ccedbc2d38d69f7569143fd0ffd8e6431e4db2f29a7fb53
Shell In A Box 2.2.0 Denial Of Service
Posted Oct 27, 2018
Authored by Imre Rad

Shell In A Box versions 2.2.0 and below suffer from an infinite loop denial of service vulnerability.

tags | exploit, denial of service, shell
advisories | CVE-2018-16789
SHA-256 | cf504b640b61a6a0ad0b121dbbe3f7bee85c6e61335a525740f2aa402cebc279
ProjectPier 0.8.8 SQL Injection / Authentication Bypass / RFI
Posted May 14, 2018
Authored by Imre Rad

ProjectPier versions 0.8.8 and below suffer from remote file inclusion, authentication bypass, remote shell upload, and remote SQL injection vulnerabilities.

tags | exploit, remote, shell, vulnerability, sql injection, bypass, file inclusion
advisories | CVE-2018-10759, CVE-2018-10760
SHA-256 | 7a13b186e33609dbaaf95ba6ece84bee3002a77278845c2990abfd1f456f1050
Spring Jackson-Databind Default Typing Issue
Posted Jan 10, 2018
Authored by Imre Rad

Proof of concept that exploits the default typing issue in Jackson-databind via Spring application contexts and expressions.

tags | exploit, proof of concept
advisories | CVE-2017-17485, CVE-2017-7525
SHA-256 | 556baf38b3cbd6a00b1977182d2e52222d11bc57c0158fa40ccf472a8568c448
pmount 0.9.23 Arbitrary Device Mount
Posted Jul 13, 2016
Authored by Imre Rad

pmount is a wrapper around the standard mount program which permits normal users to mount removable devices without a matching /etc/fstab entry. Due to a missing input validation check local users could mount devices to arbitrary destinations and thus taking over the targeted system completely. Versions 0.9.23 is affected.

tags | exploit, arbitrary, local
SHA-256 | 2721035920e3ee68f9a9ba12f5b428e825d1682c57e62014bc2baa2e25fb29e5
Monsta Box WebFTP Arbitrary File Read
Posted Apr 8, 2016
Authored by Imre Rad

Monsta Box WebFTP suffers from an arbitrary file read vulnerability.

tags | exploit, arbitrary, info disclosure
SHA-256 | 17b16ca800abe893b240e9494d98637b640c281294456b8dcb365bb6eb74581f
PHP File Manager 0.9.8 Authentication Bypass / Code Execution
Posted Jan 26, 2016
Authored by Imre Rad

PHP File Manager version 0.9.8 suffers from authentication bypass and code execution vulnerabilities.

tags | exploit, php, vulnerability, code execution
SHA-256 | 65273401e57b33b4f6cd1df07fa16fbea93fa1f5b6c5d27ff3f44a84188080a5
PHP FastCGI Process Manager (FPM) SAPI Memory Leak / Buffer Overflow
Posted Jan 25, 2016
Authored by Imre Rad

PHP-FPM suffered from memory leak and buffer overflow vulnerabilities in the access logging feature. The fixed versions of PHP are 5.5.31, 5.6.17, and 7.0.2.

tags | advisory, overflow, php, vulnerability, memory leak
SHA-256 | 51daba0a03b7d26034ec17e1ea4ebf73742706c017813cd75bc99f3e30eb351b
PHP LiteSpeed suEXEC_Daemon Secret Disclosure
Posted Jan 25, 2016
Authored by Imre Rad

In suEXEC_Daemon mode of the LiteSpeed web server spawns one PHP master process during startup. It is running as root and accepts LSAPI requests, which in turn specify what user under the script should run. The LSAPI request is authenticated with a MAC, which is based on pre-shared random key between the the PHP and the web server. The researchers found that the Litespeed PHP SAPI module did not clear this secret in its child processes so it was available in the PHP process memory space of the child processes. The fixed versions of PHP are 5.5.31, 5.6.17, and 7.0.2.

tags | advisory, web, root, php, info disclosure
SHA-256 | dcdfba0d864d56f1eab83f8a2d054770a95e1e8eb5d10e504881b19b952d0a78
ADB Backup APK Injection
Posted Jul 10, 2015
Authored by Imre Rad

The Android ABD utility backup manager, which invokes the custom BackupAgent, does not filter the data stream returned by the applications. While a BackupAgent is being executed during the backup process, it is able to inject additional applications (APKs) into the backup archive without the user's consent. The BackupAgent needs no Android permissions. Upon restoration of the backup archive, the system installs the injected, additional application (since it is part of the backup archive and the system believes it is authentic) with escalated privileges. Proof of concept code included.

tags | exploit, proof of concept
systems | linux
advisories | CVE-2014-7952
SHA-256 | d376ef512eaaa814a39535b0eb8c3bd952e0156ea5d7dc7981001d630f3697b5
Microsec e-Szigno / Netlock Mokka XML Signature Wrapping
Posted Jun 29, 2015
Authored by Imre Rad

Microsec e-Szigno and Netlock Mokka computer applications suffer from a e-akta signature verification weakness. Microsec e-Szigno version older than 3.2.7.12 and Netlock Mokka versions older than 2.7.8.1204 are affected.

tags | advisory
advisories | CVE-2015-3931, CVE-2015-3932
SHA-256 | 7c9175ecb67d017613e97ac84c7dc3741a8dc378d1f6b845cd5bdd140f7d842b
ADB Backup Traversal / File Overwrite
Posted Apr 19, 2015
Authored by Imre Rad

ADB backup on Android version 4.0.4 allows for file overwrite via modified tar headers.

tags | exploit, file inclusion
advisories | CVE-2014-7951
SHA-256 | 05f57d5729d25c00164ccfa74bfb76fe4328bb79a10efd4cf3e895cd21b26843
Android 4.4 MTP Path Traversal
Posted Apr 19, 2015
Authored by Imre Rad

The doSendObjectInfo() method of the MtpServer class implemented in frameworks/av/media/mtp/MtpServer.cpp on Android 4.4 does not validate the name parameter of the incoming MTP packet, leading to a path traversal vulnerability.

tags | advisory, file inclusion
advisories | CVE-2014-7954
SHA-256 | 9645f86fa24dbcf40e5f7dd36ca986ccbcd0f124fb94b860bde8a37c6cb42100
Page 1 of 2
Back12Next

File Archive:

May 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    0 Files
  • 2
    May 2nd
    15 Files
  • 3
    May 3rd
    19 Files
  • 4
    May 4th
    24 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    14 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    13 Files
  • 10
    May 10th
    7 Files
  • 11
    May 11th
    99 Files
  • 12
    May 12th
    45 Files
  • 13
    May 13th
    7 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    26 Files
  • 18
    May 18th
    4 Files
  • 19
    May 19th
    17 Files
  • 20
    May 20th
    2 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    6 Files
  • 24
    May 24th
    19 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close