Showing 1 - 25 of 26

Files from Imre Rad

Email address: imre.rad at search-lab.hu
First Active: 2015-02-06
Last Active: 2021-04-20
Microsoft DiagHub Privilege Escalation
Posted Apr 20, 2021
Authored by Imre Rad

Microsoft Diaghub suffers from a privilege escalation vulnerability.

tags | exploit
advisories | CVE-2021-28313, CVE-2021-28321, CVE-2021-28322, CVE-2021-28323
MD5 | 524e5dde4767b98885a71c971e7d92e8
Microsoft Windows Update Orchestrator Unchecked ScheduleWork Call
Posted Sep 28, 2020
Authored by Imre Rad, bwatters-r7 | Site metasploit.com

This Metasploit module uses access to the UniversalOrchestrator ScheduleWork API call, which does not verify the caller's token before scheduling a job to be run as SYSTEM. The job cannot be scheduled for a specific time, so the payload will execute as SYSTEM at some point in the next 24 hours.

tags | exploit
advisories | CVE-2020-1313
MD5 | 58a0c7691e25387d090e181d07ae360d
GoogleCloudPlatform OSConfig Privilege Escalation
Posted Sep 22, 2020
Authored by Imre Rad | Site github.com

Google's osconfig agent was vulnerable to local privilege escalation because it relied on a predictable path inside the /tmp directory. An unprivileged malicious process could abuse this flaw to win a race condition, take over the files managed by the highly privileged agent process, and thus execute arbitrary commands as the root user (full capabilities). Exploitation was possible only while an osconfig recipe was being deployed.

tags | exploit, arbitrary, local, root
MD5 | 819b19459bc7ce2b7e573c7913774ecd
OpenSSL signature_algorithms_cert Denial Of Service
Posted May 1, 2020
Authored by Imre Rad | Site github.com

Proof of concept denial of service exploit for the recent OpenSSL signature_algorithms_cert vulnerability.

tags | exploit, denial of service, proof of concept
advisories | CVE-2020-1967
MD5 | 66e71c63af8db99b6bf887232cc88280
Microsoft Windows Modules Installer Service Information Disclosure
Posted Feb 17, 2020
Authored by Imre Rad | Site github.com

The TrustedInstaller service running on the Microsoft Windows operating system hosts a COM service called Sxs Store Class; its ISxsStore interface provides methods to install/uninstall assemblies via application manifest files into the WinSxS store. These API methods were meant to be available only to users with administrative privileges, but the logic was unintentionally exposed to anyone on the system due to an improper implementation of the authorization logic.

tags | exploit
systems | windows
advisories | CVE-2020-0728
MD5 | 43e4dda8d7b626f4e1978913d99a548b
Microsoft .diagcab Directory Traversal / Code Execution
Posted Jan 18, 2020
Authored by Imre Rad

A flaw in the implementation of Microsoft's Troubleshooter technology could lead to remote code execution if a crafted .diagcab file is opened by the victim. The exploit leverages a rogue WebDAV server to trick MSDT into dropping files at attacker-controlled locations on the file system.

tags | exploit, remote, code execution
MD5 | b8326808b53e39ccbf0e5710fae5f1af
IcedTeaWeb Validation Bypass / Directory Traversal / Code Execution
Posted Oct 7, 2019
Authored by Imre Rad

IcedTeaWeb suffers from multiple vulnerabilities, including directory traversal and validation bypass issues that can lead to remote code execution. The affected versions are 1.7.2 and below and 1.8.2 and below; 1.6 is also vulnerable and remains unpatched because it is EOL. Proofs of concept are provided.

tags | exploit, remote, vulnerability, code execution, proof of concept
advisories | CVE-2019-10181, CVE-2019-10182, CVE-2019-10185
MD5 | ea6508180f62fca63a4c9cdbaca675ad
GNU patch Command Injection / Directory Traversal
Posted Aug 16, 2019
Authored by Imre Rad

GNU patch suffers from command injection and various other vulnerabilities when handling specially crafted patch files.

tags | exploit, vulnerability
advisories | CVE-2018-1000156, CVE-2018-20969, CVE-2019-13636, CVE-2019-13638
MD5 | 2736ae611fb76064752962e9ab5133a4
WordPress WP Fastest Cache Directory Traversal
Posted Jul 30, 2019
Authored by Imre Rad

WordPress WP Fastest Cache plugin versions and below suffer from a directory traversal vulnerability.

tags | exploit, file inclusion
advisories | CVE-2019-13635
MD5 | 9deac8976fd2d05c11be729802921378
Wampserver 3.1.8 Cross Site Request Forgery
Posted Jun 10, 2019
Authored by Imre Rad

Wampserver versions 3.1.4 through 3.1.8 suffer from a cross site request forgery vulnerability.

tags | exploit, csrf
MD5 | 371fb1ffa0f488be53a31b94a2d1e9e1
PHP PHP_INI_SYSTEM Ineffective Controls
Posted May 21, 2019
Authored by Imre Rad

Security controls configured via php.ini directives at the PHP_INI_SYSTEM level are ineffective, as malicious scripts can bypass them by writing to their own process memory on the Linux platform. Proof of concept code included.

tags | exploit, php, proof of concept
systems | linux
MD5 | f04fc6f6465d117497efa31d8a63fc4e
knc (Kerberized NetCat) Denial Of Service
Posted Nov 29, 2018
Authored by Imre Rad

knc (Kerberised NetCat) versions before 1.11-1 are vulnerable to a denial of service (memory exhaustion) that can be exploited remotely without authentication, possibly affecting other services running on the targeted host. Proof of concept included.

tags | exploit, denial of service, proof of concept
advisories | CVE-2017-9732
MD5 | ae47c891e14b49e09ebf721184f792e1
Shell In A Box 2.2.0 Denial Of Service
Posted Oct 27, 2018
Authored by Imre Rad

Shell In A Box versions 2.2.0 and below suffer from an infinite loop denial of service vulnerability.

tags | exploit, denial of service, shell
advisories | CVE-2018-16789
MD5 | 07020adca6e97df6e795a45fee4ff700
ProjectPier 0.8.8 SQL Injection / Authentication Bypass / RFI
Posted May 14, 2018
Authored by Imre Rad

ProjectPier versions 0.8.8 and below suffer from remote file inclusion, authentication bypass, remote shell upload, and remote SQL injection vulnerabilities.

tags | exploit, remote, shell, vulnerability, sql injection, bypass, file inclusion
advisories | CVE-2018-10759, CVE-2018-10760
MD5 | 981d011a590304ccd6de6e3510500b73
Spring Jackson-Databind Default Typing Issue
Posted Jan 10, 2018
Authored by Imre Rad

Proof of concept that exploits the default typing issue in Jackson-databind via Spring application contexts and expressions.

tags | exploit, proof of concept
advisories | CVE-2017-17485, CVE-2017-7525
MD5 | bd94dd448499d73f15b54018b06b7f7f
pmount 0.9.23 Arbitrary Device Mount
Posted Jul 13, 2016
Authored by Imre Rad

pmount is a wrapper around the standard mount program which permits normal users to mount removable devices without a matching /etc/fstab entry. Due to a missing input validation check, local users could mount devices at arbitrary destinations and thus take over the targeted system completely. Version 0.9.23 is affected.

tags | exploit, arbitrary, local
MD5 | e3c08454f70126f83ffa6f790129db26
Monsta Box WebFTP Arbitrary File Read
Posted Apr 8, 2016
Authored by Imre Rad

Monsta Box WebFTP suffers from an arbitrary file read vulnerability.

tags | exploit, arbitrary, info disclosure
MD5 | c3cf0c2478f30bc077b7bddc73a27652
PHP File Manager 0.9.8 Authentication Bypass / Code Execution
Posted Jan 26, 2016
Authored by Imre Rad

PHP File Manager version 0.9.8 suffers from authentication bypass and code execution vulnerabilities.

tags | exploit, php, vulnerability, code execution
MD5 | 34ec1229128a3f5e38806e1464eaf74e
PHP FastCGI Process Manager (FPM) SAPI Memory Leak / Buffer Overflow
Posted Jan 25, 2016
Authored by Imre Rad

PHP-FPM suffered from memory leak and buffer overflow vulnerabilities in the access logging feature. The fixed versions of PHP are 5.5.31, 5.6.17, and 7.0.2.

tags | advisory, overflow, php, vulnerability, memory leak
MD5 | 944d9a43e37f1ce26917b2cf0a973874
PHP LiteSpeed suEXEC_Daemon Secret Disclosure
Posted Jan 25, 2016
Authored by Imre Rad

In suEXEC_Daemon mode, the LiteSpeed web server spawns one PHP master process during startup. It runs as root and accepts LSAPI requests, which in turn specify the user under which the script should run. The LSAPI request is authenticated with a MAC based on a pre-shared random key between PHP and the web server. The researchers found that the LiteSpeed PHP SAPI module did not clear this secret in its child processes, so it remained available in the process memory of the PHP child processes. The fixed versions of PHP are 5.5.31, 5.6.17, and 7.0.2.

tags | advisory, web, root, php, info disclosure
MD5 | d25313bc2ac96b7c25905a3525cc4e8e
ADB Backup APK Injection
Posted Jul 10, 2015
Authored by Imre Rad

The Android ADB utility's backup manager, which invokes the custom BackupAgent, does not filter the data stream returned by the applications. While a BackupAgent is being executed during the backup process, it is able to inject additional applications (APKs) into the backup archive without the user's consent. The BackupAgent needs no Android permissions. Upon restoration of the backup archive, the system installs the injected, additional application (since it is part of the backup archive and the system believes it is authentic) with escalated privileges. Proof of concept code included.

tags | exploit, proof of concept
systems | linux
advisories | CVE-2014-7952
MD5 | dca4e34e854215aabe54d26273992d37
Microsec e-Szigno / Netlock Mokka XML Signature Wrapping
Posted Jun 29, 2015
Authored by Imre Rad

Microsec e-Szigno and Netlock Mokka computer applications suffer from an e-akta signature verification weakness. Microsec e-Szigno versions older than and Netlock Mokka versions older than are affected.

tags | advisory
advisories | CVE-2015-3931, CVE-2015-3932
MD5 | 47183f89b14f6e7c9b5b026c7106b06d
ADB Backup Traversal / File Overwrite
Posted Apr 19, 2015
Authored by Imre Rad

ADB backup on Android version 4.0.4 allows for file overwrite via modified tar headers.

tags | exploit, file inclusion
advisories | CVE-2014-7951
MD5 | e4e9268b88452697ab4830733dc3ff44
Android 4.4 MTP Path Traversal
Posted Apr 19, 2015
Authored by Imre Rad

The doSendObjectInfo() method of the MtpServer class implemented in frameworks/av/media/mtp/MtpServer.cpp on Android 4.4 does not validate the name parameter of the incoming MTP packet, leading to a path traversal vulnerability.

tags | advisory, file inclusion
advisories | CVE-2014-7954
MD5 | 31e2c89ebd60eaddd94891616bc2289f
Android Backup Agent Arbitrary Code Execution
Posted Apr 19, 2015
Authored by Imre Rad

The Android backup agent implementation was vulnerable to privilege escalation and a race condition. An attacker with adb shell access could run arbitrary code as the system (1000) user (or any other valid package). The attack was tested on Android OS 4.4.4.

tags | exploit, arbitrary, shell
advisories | CVE-2014-7951
MD5 | 92dd96fde3a8b8327d8c6cc2f73c7c09
Page 1 of 2
