exploit the possibilities
Showing 1 - 16 of 16 RSS Feed

Files from timwr

First Active2015-02-09
Last Active2020-09-07
macOS cfprefsd Arbitrary File Write / Local Privilege Escalation
Posted Sep 7, 2020
Authored by timwr, Insu Yun, Taesoo Kim, Jungwon Lim, Yonghwi Jin | Site metasploit.com

This Metasploit module exploits an arbitrary file write in cfprefsd on macOS versions 10.15.4 and below in order to run a payload as root. The CFPreferencesSetAppValue function, which is reachable from most unsandboxed processes, can be exploited with a race condition in order to overwrite an arbitrary file as root. By overwriting /etc/pam.d/login a user can then login as root with the login root command without a password.

tags | exploit, arbitrary, root
advisories | CVE-2020-9839
MD5 | 5bc27419d79ae20808b9b53825a1e970
Safari Webkit For iOS 7.1.2 JIT Optimization Bug
Posted Aug 14, 2020
Authored by timwr, Ian Beer, kudima, WanderingGlitch | Site metasploit.com

This Metasploit module exploits a JIT optimization bug in Safari Webkit. This allows us to write shellcode to an RWX memory section in JavaScriptCore and execute it. The shellcode contains a kernel exploit (CVE-2016-4669) that obtains kernel rw, obtains root and disables code signing. Finally we download and execute the meterpreter payload. This module has been tested against iOS 7.1.2 on an iPhone 4.

tags | exploit, kernel, root, shellcode
systems | apple, iphone, ios
advisories | CVE-2016-4669, CVE-2018-4162
MD5 | 193bef4f6ec1463a50a80fcde4b59fa1
Microsoft Windows NtUserMNDragOver Local Privilege Escalation
Posted May 8, 2020
Authored by Clement LECIGNE, timwr, Grant Willcox | Site metasploit.com

This Metasploit module exploits a NULL pointer dereference vulnerability in MNGetpItemFromIndex(), which is reachable via a NtUserMNDragOver() system call. The NULL pointer dereference occurs because the xxxMNFindWindowFromPoint() function does not effectively check the validity of the tagPOPUPMENU objects it processes before passing them on to MNGetpItemFromIndex(), where the NULL pointer dereference will occur. This module has been tested against Windows 7 x86 SP0 and SP1. Offsets within the solution may need to be adjusted to work with other versions of Windows, such as Windows Server 2008.

tags | exploit, x86
systems | windows, 7
advisories | CVE-2019-0808
MD5 | e65eeb8c736544fe952269396a557f62
Google Chrome 72 / 73 Array.map Corruption
Posted Mar 5, 2020
Authored by timwr, Istvan Kurucsai, dmxcsnsbh | Site metasploit.com

This Metasploit module exploits an issue in Chrome version 73.0.3683.86 (64 bit). The exploit corrupts the length of a float in order to modify the backing store of a typed array. The typed array can then be used to read and write arbitrary memory. The exploit then uses WebAssembly in order to allocate a region of RWX memory, which is then replaced with the payload. The payload is executed within the sandboxed renderer process, so the browser must be run with the --no-sandbox option for the payload to work correctly.

tags | exploit, arbitrary
advisories | CVE-2019-5825
MD5 | 2d254d561447d584fca1cf0562293577
Google Chrome 67 / 68 / 69 Object.create Type Confusion
Posted Mar 5, 2020
Authored by saelo, timwr | Site metasploit.com

This Metasploit modules exploits a type confusion in Google Chrome's JIT compiler. The Object.create operation can be used to cause a type confusion between a PropertyArray and a NameDictionary. The payload is executed within the rwx region of the sandboxed renderer process, so the browser must be run with the --no-sandbox option for the payload to work.

tags | exploit
advisories | CVE-2018-17463
MD5 | 2040ec95b119e742369ae8f7039cd437
Google Chrome 80 JSCreate Side-Effect Type Confusion
Posted Mar 5, 2020
Authored by Clement LECIGNE, timwr, Istvan Kurucsai, Vignesh S Rao | Site metasploit.com

This Metasploit module exploits an issue in Google Chrome version 80.0.3987.87 (64 bit). The exploit corrupts the length of a float array (float_rel), which can then be used for out of bounds read and write on adjacent memory. The relative read and write is then used to modify a UInt64Array (uint64_aarw) which is used for read and writing from absolute memory. The exploit then uses WebAssembly in order to allocate a region of RWX memory, which is then replaced with the payload shellcode. The payload is executed within the sandboxed renderer process, so the browser must be run with the --no-sandbox option for the payload to work correctly.

tags | exploit, shellcode
advisories | CVE-2020-6418
MD5 | 2477d57f77b12b3980be7a18ed9dedf2
Android Binder Use-After-Free
Posted Feb 24, 2020
Authored by Jann Horn, timwr, Maddie Stone, grant-h | Site metasploit.com

Android Binder use-after-free exploit.

tags | exploit
advisories | CVE-2019-2215
MD5 | b8930f3f9adad2325c20b748158a44e3
Android Janus APK Signature Bypass
Posted Nov 7, 2019
Authored by h00die, timwr, V-E-O, GuardSquare | Site metasploit.com

This Metasploit module exploits CVE-2017-13156 in Android to install a payload into another application. The payload APK will have the same signature and can be installed as an update, preserving the existing data. The vulnerability was fixed in the 5th December 2017 security patch, and was additionally fixed by the APK Signature scheme v2, so only APKs signed with the v1 scheme are vulnerable. Payload handler is disabled, and a multi/handler must be started first.

tags | exploit
advisories | CVE-2017-13156
MD5 | 64f1c304613a13c0a1b0f19f8913efec
Linux Polkit pkexec Helper PTRACE_TRACEME Local Root
Posted Oct 23, 2019
Authored by Brendan Coles, Jann Horn, timwr | Site metasploit.com

This Metasploit module exploits an issue in ptrace_link in kernel/ptrace.c before Linux kernel 5.1.17. This issue can be exploited from a Linux desktop terminal, but not over an SSH session, as it requires execution from within the context of a user with an active Polkit agent. In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of a ptrace relationship as privileged, which is exploitable through (for example) Polkit's pkexec helper with PTRACE_TRACEME.

tags | exploit, kernel, local, root
systems | linux
advisories | CVE-2019-13272
MD5 | a67b52657090e25d42aa370f66e7ca88
Microsoft Windows 10 UAC Protection Bypass Via Windows Store
Posted Sep 6, 2019
Authored by timwr, sailay1996, ACTIVELabs | Site metasploit.com

This Metasploit module exploits a flaw in the WSReset.exe Windows Store Reset Tool. The tool is run with the "autoElevate" property set to true, however it can be moved to a new Windows directory containing a space (C:\Windows \System32\) where, upon execution, it will load our payload dll (propsys.dll).

tags | exploit
systems | windows
MD5 | b188fc5d0237e2798ceb17453907bcbe
Mac OS X TimeMachine (tmdiagnose) Command Injection Privilege Escalation
Posted Jul 1, 2019
Authored by timwr, CodeColorist | Site metasploit.com

This Metasploit module exploits a command injection in TimeMachine on macOS <= 10.14.3 in order to run a payload as root. The tmdiagnose binary on OSX <= 10.14.3 suffers from a command injection vulnerability that can be exploited by creating a specially crafted disk label. The tmdiagnose binary uses awk to list every mounted volume, and composes shell commands based on the volume labels. By creating a volume label with the backtick character, we can have our own binary executed with root privileges.

tags | exploit, shell, root
systems | apple
advisories | CVE-2019-8513
MD5 | 88ce8400a2b47fff385110d9d04c371b
Mac OS X Feedback Assistant Race Condition
Posted May 22, 2019
Authored by timwr, CodeColorist | Site metasploit.com

This Metasploit module exploits a race condition vulnerability in Mac's Feedback Assistant. A successful attempt would result in remote code execution under the context of root.

tags | exploit, remote, root, code execution
advisories | CVE-2019-8565
MD5 | 92e9e59de8b1c44532025e2d75591bf9
Chrome 72.0.3626.119 FileReader Use-After-Free
Posted May 8, 2019
Authored by Clement LECIGNE, timwr, Istvan Kurucsai | Site metasploit.com

This exploit takes advantage of a use after free vulnerability in Google Chrome 72.0.3626.119 running on Windows 7 x86. The FileReader.readAsArrayBuffer function can return multiple references to the same ArrayBuffer object, which can be freed and overwritten with sprayed objects. The dangling ArrayBuffer reference can be used to access the sprayed objects, allowing arbitrary memory access from Javascript. This is used to write and execute shellcode in a WebAssembly object. The shellcode is executed within the Chrome sandbox, so you must explicitly disable the sandbox for the payload to be successful.

tags | exploit, arbitrary, x86, javascript, shellcode
systems | windows, 7
advisories | CVE-2019-5786
MD5 | 1845174659a656cb293c5dd2f17fe75c
WebKit not_number defineProperties Use-After-Free
Posted Jun 4, 2018
Authored by timwr, qwertyoruiop, Siguza, tihmstar | Site metasploit.com

This Metasploit module exploits a use-after-free vulnerability in WebKit's JavaScriptCore library.

tags | exploit
advisories | CVE-2016-4655, CVE-2016-4656, CVE-2016-4657
MD5 | abdecc9782f078b615026a3d08e32a3d
Android get_user/put_user Exploit
Posted Dec 26, 2016
Authored by timwr, fi01, cubeundcube | Site metasploit.com

This Metasploit module exploits a missing check in the get_user and put_user API functions in the linux kernel before 3.5.5. The missing checks on these functions allow an unprivileged user to read and write kernel memory. This exploit first reads the kernel memory to identify the commit_creds and ptmx_fops address, then uses the write primitive to execute shellcode as uid 0. The exploit was first discovered in the wild in the vroot rooting application.

tags | exploit, kernel, root, shellcode
systems | linux
advisories | CVE-2013-6282
MD5 | 6ac7470332daea5b3fb0c0b2de23f30c
Android Futex Requeue Kernel Exploit
Posted Feb 9, 2015
Authored by timwr, geohot, Pinkie Pie | Site metasploit.com

This Metasploit module exploits a bug in futex_requeue in the linux kernel. Any android phone with a kernel built before June 2014 should be vulnerable.

tags | exploit, kernel
systems | linux
advisories | CVE-2014-3153
MD5 | 78f789dafc84bef7347723159caaa530
Page 1 of 1
Back1Next

File Archive:

September 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    20 Files
  • 2
    Sep 2nd
    15 Files
  • 3
    Sep 3rd
    15 Files
  • 4
    Sep 4th
    4 Files
  • 5
    Sep 5th
    1 Files
  • 6
    Sep 6th
    1 Files
  • 7
    Sep 7th
    15 Files
  • 8
    Sep 8th
    27 Files
  • 9
    Sep 9th
    7 Files
  • 10
    Sep 10th
    16 Files
  • 11
    Sep 11th
    9 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    25 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    15 Files
  • 17
    Sep 17th
    15 Files
  • 18
    Sep 18th
    12 Files
  • 19
    Sep 19th
    1 Files
  • 20
    Sep 20th
    1 Files
  • 21
    Sep 21st
    15 Files
  • 22
    Sep 22nd
    21 Files
  • 23
    Sep 23rd
    8 Files
  • 24
    Sep 24th
    15 Files
  • 25
    Sep 25th
    4 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close