exploit the possibilities
Showing 1 - 14 of 14 RSS Feed

Files from timwr

First Active2015-02-09
Last Active2020-05-08
Microsoft Windows NtUserMNDragOver Local Privilege Escalation
Posted May 8, 2020
Authored by Clement LECIGNE, timwr, Grant Willcox | Site metasploit.com

This Metasploit module exploits a NULL pointer dereference vulnerability in MNGetpItemFromIndex(), which is reachable via a NtUserMNDragOver() system call. The NULL pointer dereference occurs because the xxxMNFindWindowFromPoint() function does not effectively check the validity of the tagPOPUPMENU objects it processes before passing them on to MNGetpItemFromIndex(), where the NULL pointer dereference will occur. This module has been tested against Windows 7 x86 SP0 and SP1. Offsets within the solution may need to be adjusted to work with other versions of Windows, such as Windows Server 2008.

tags | exploit, x86
systems | windows, 7
advisories | CVE-2019-0808
MD5 | e65eeb8c736544fe952269396a557f62
Google Chrome 72 / 73 Array.map Corruption
Posted Mar 5, 2020
Authored by timwr, Istvan Kurucsai, dmxcsnsbh | Site metasploit.com

This Metasploit module exploits an issue in Chrome version 73.0.3683.86 (64 bit). The exploit corrupts the length of a float in order to modify the backing store of a typed array. The typed array can then be used to read and write arbitrary memory. The exploit then uses WebAssembly in order to allocate a region of RWX memory, which is then replaced with the payload. The payload is executed within the sandboxed renderer process, so the browser must be run with the --no-sandbox option for the payload to work correctly.

tags | exploit, arbitrary
advisories | CVE-2019-5825
MD5 | 2d254d561447d584fca1cf0562293577
Google Chrome 67 / 68 / 69 Object.create Type Confusion
Posted Mar 5, 2020
Authored by saelo, timwr | Site metasploit.com

This Metasploit modules exploits a type confusion in Google Chrome's JIT compiler. The Object.create operation can be used to cause a type confusion between a PropertyArray and a NameDictionary. The payload is executed within the rwx region of the sandboxed renderer process, so the browser must be run with the --no-sandbox option for the payload to work.

tags | exploit
advisories | CVE-2018-17463
MD5 | 2040ec95b119e742369ae8f7039cd437
Google Chrome 80 JSCreate Side-Effect Type Confusion
Posted Mar 5, 2020
Authored by Clement LECIGNE, timwr, Istvan Kurucsai, Vignesh S Rao | Site metasploit.com

This Metasploit module exploits an issue in Google Chrome version 80.0.3987.87 (64 bit). The exploit corrupts the length of a float array (float_rel), which can then be used for out of bounds read and write on adjacent memory. The relative read and write is then used to modify a UInt64Array (uint64_aarw) which is used for read and writing from absolute memory. The exploit then uses WebAssembly in order to allocate a region of RWX memory, which is then replaced with the payload shellcode. The payload is executed within the sandboxed renderer process, so the browser must be run with the --no-sandbox option for the payload to work correctly.

tags | exploit, shellcode
advisories | CVE-2020-6418
MD5 | 2477d57f77b12b3980be7a18ed9dedf2
Android Binder Use-After-Free
Posted Feb 24, 2020
Authored by Jann Horn, timwr, Maddie Stone, grant-h | Site metasploit.com

Android Binder use-after-free exploit.

tags | exploit
advisories | CVE-2019-2215
MD5 | b8930f3f9adad2325c20b748158a44e3
Android Janus APK Signature Bypass
Posted Nov 7, 2019
Authored by h00die, timwr, V-E-O, GuardSquare | Site metasploit.com

This Metasploit module exploits CVE-2017-13156 in Android to install a payload into another application. The payload APK will have the same signature and can be installed as an update, preserving the existing data. The vulnerability was fixed in the 5th December 2017 security patch, and was additionally fixed by the APK Signature scheme v2, so only APKs signed with the v1 scheme are vulnerable. Payload handler is disabled, and a multi/handler must be started first.

tags | exploit
advisories | CVE-2017-13156
MD5 | 64f1c304613a13c0a1b0f19f8913efec
Linux Polkit pkexec Helper PTRACE_TRACEME Local Root
Posted Oct 23, 2019
Authored by Brendan Coles, Jann Horn, timwr | Site metasploit.com

This Metasploit module exploits an issue in ptrace_link in kernel/ptrace.c before Linux kernel 5.1.17. This issue can be exploited from a Linux desktop terminal, but not over an SSH session, as it requires execution from within the context of a user with an active Polkit agent. In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of a ptrace relationship as privileged, which is exploitable through (for example) Polkit's pkexec helper with PTRACE_TRACEME.

tags | exploit, kernel, local, root
systems | linux
advisories | CVE-2019-13272
MD5 | a67b52657090e25d42aa370f66e7ca88
Microsoft Windows 10 UAC Protection Bypass Via Windows Store
Posted Sep 6, 2019
Authored by timwr, sailay1996, ACTIVELabs | Site metasploit.com

This Metasploit module exploits a flaw in the WSReset.exe Windows Store Reset Tool. The tool is run with the "autoElevate" property set to true, however it can be moved to a new Windows directory containing a space (C:\Windows \System32\) where, upon execution, it will load our payload dll (propsys.dll).

tags | exploit
systems | windows
MD5 | b188fc5d0237e2798ceb17453907bcbe
Mac OS X TimeMachine (tmdiagnose) Command Injection Privilege Escalation
Posted Jul 1, 2019
Authored by timwr, CodeColorist | Site metasploit.com

This Metasploit module exploits a command injection in TimeMachine on macOS <= 10.14.3 in order to run a payload as root. The tmdiagnose binary on OSX <= 10.14.3 suffers from a command injection vulnerability that can be exploited by creating a specially crafted disk label. The tmdiagnose binary uses awk to list every mounted volume, and composes shell commands based on the volume labels. By creating a volume label with the backtick character, we can have our own binary executed with root privileges.

tags | exploit, shell, root
systems | apple
advisories | CVE-2019-8513
MD5 | 88ce8400a2b47fff385110d9d04c371b
Mac OS X Feedback Assistant Race Condition
Posted May 22, 2019
Authored by timwr, CodeColorist | Site metasploit.com

This Metasploit module exploits a race condition vulnerability in Mac's Feedback Assistant. A successful attempt would result in remote code execution under the context of root.

tags | exploit, remote, root, code execution
advisories | CVE-2019-8565
MD5 | 92e9e59de8b1c44532025e2d75591bf9
Chrome 72.0.3626.119 FileReader Use-After-Free
Posted May 8, 2019
Authored by Clement LECIGNE, timwr, Istvan Kurucsai | Site metasploit.com

This exploit takes advantage of a use after free vulnerability in Google Chrome 72.0.3626.119 running on Windows 7 x86. The FileReader.readAsArrayBuffer function can return multiple references to the same ArrayBuffer object, which can be freed and overwritten with sprayed objects. The dangling ArrayBuffer reference can be used to access the sprayed objects, allowing arbitrary memory access from Javascript. This is used to write and execute shellcode in a WebAssembly object. The shellcode is executed within the Chrome sandbox, so you must explicitly disable the sandbox for the payload to be successful.

tags | exploit, arbitrary, x86, javascript, shellcode
systems | windows, 7
advisories | CVE-2019-5786
MD5 | 1845174659a656cb293c5dd2f17fe75c
WebKit not_number defineProperties Use-After-Free
Posted Jun 4, 2018
Authored by timwr, qwertyoruiop, Siguza, tihmstar | Site metasploit.com

This Metasploit module exploits a use-after-free vulnerability in WebKit's JavaScriptCore library.

tags | exploit
advisories | CVE-2016-4655, CVE-2016-4656, CVE-2016-4657
MD5 | abdecc9782f078b615026a3d08e32a3d
Android get_user/put_user Exploit
Posted Dec 26, 2016
Authored by timwr, fi01, cubeundcube | Site metasploit.com

This Metasploit module exploits a missing check in the get_user and put_user API functions in the linux kernel before 3.5.5. The missing checks on these functions allow an unprivileged user to read and write kernel memory. This exploit first reads the kernel memory to identify the commit_creds and ptmx_fops address, then uses the write primitive to execute shellcode as uid 0. The exploit was first discovered in the wild in the vroot rooting application.

tags | exploit, kernel, root, shellcode
systems | linux
advisories | CVE-2013-6282
MD5 | 6ac7470332daea5b3fb0c0b2de23f30c
Android Futex Requeue Kernel Exploit
Posted Feb 9, 2015
Authored by timwr, geohot, Pinkie Pie | Site metasploit.com

This Metasploit module exploits a bug in futex_requeue in the linux kernel. Any android phone with a kernel built before June 2014 should be vulnerable.

tags | exploit, kernel
systems | linux
advisories | CVE-2014-3153
MD5 | 78f789dafc84bef7347723159caaa530
Page 1 of 1
Back1Next

File Archive:

May 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    14 Files
  • 2
    May 2nd
    3 Files
  • 3
    May 3rd
    1 Files
  • 4
    May 4th
    18 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    21 Files
  • 7
    May 7th
    15 Files
  • 8
    May 8th
    19 Files
  • 9
    May 9th
    1 Files
  • 10
    May 10th
    2 Files
  • 11
    May 11th
    18 Files
  • 12
    May 12th
    39 Files
  • 13
    May 13th
    15 Files
  • 14
    May 14th
    17 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    2 Files
  • 17
    May 17th
    2 Files
  • 18
    May 18th
    15 Files
  • 19
    May 19th
    21 Files
  • 20
    May 20th
    15 Files
  • 21
    May 21st
    15 Files
  • 22
    May 22nd
    6 Files
  • 23
    May 23rd
    1 Files
  • 24
    May 24th
    1 Files
  • 25
    May 25th
    2 Files
  • 26
    May 26th
    23 Files
  • 27
    May 27th
    13 Files
  • 28
    May 28th
    18 Files
  • 29
    May 29th
    17 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close