exploit the possibilities
Showing 1 - 21 of 21 RSS Feed

Files from hawkes

First Active2015-08-20
Last Active2021-06-17
Samsung NPU npu_session_format Out-Of-Bounds Write
Posted Jun 17, 2021
Authored by Google Security Research, hawkes

Samsung NPU (Neural Processing Unit) suffers from an out-of-bounds write vulnerability in npu_session_format.

tags | exploit
advisories | CVE-2021-25407
MD5 | 1d07a468d88f6847215bbd10504dbcf2
Qualcomm Adreno GPU PID Reuse Mapping Leak
Posted Dec 15, 2020
Authored by Google Security Research, hawkes

Qualcomm Adreno GPU PID reuse can lead to a shared mapping leak vulnerability.

tags | exploit
advisories | CVE-2020-11311
MD5 | 35acf4ac51c404442520651898879148
Microsoft Windows Kernel cng.sys Buffer Overflow
Posted Oct 30, 2020
Authored by Mateusz Jurczyk, Google Security Research, hawkes

The Microsoft Windows Kernel Cryptography Driver (cng.sys) exposes a \Device\CNG device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures. It constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape).

tags | exploit, kernel
systems | windows
advisories | CVE-2020-17087
MD5 | 6e04f989132d4f0fcd1f22d984a8aedf
Qualcomm Adreno GPU Ringbuffer Corruption / Protected Mode Bypass
Posted Sep 8, 2020
Authored by Google Security Research, hawkes

The Qualcomm Adreno GPU shares a global mapping called a "scratch" buffer with the Adreno KGSL kernel driver. The contents of the scratch buffer can be overwritten by untrusted GPU commands. This results in a logic error in the Adreno driver's ringbuffer allocation code, which can be used to corrupt ringbuffer data. A race condition exists between the ringbuffer corruption and a GPU context switch, and this results in a bypass of the GPU protected mode setting. This ultimately means that an attacker can read and write arbitrary physical addresses from userland by running GPU commands while protected mode disabled, which results in arbitrary kernel code execution.

tags | exploit, arbitrary, kernel, code execution
advisories | CVE-2020-11179
MD5 | 1b8910b13d2d3595dcd217d98080e491
Windows 7 win32k Bitmap Use-After-Free
Posted Jun 16, 2016
Authored by Google Security Research, hawkes, Nils Sommer

This proof of concept crashes 32-bit Windows 7 with special pool enabled on win32k.sys. It might take several runs in order to reproduce.

tags | exploit, proof of concept
systems | linux, windows, 7
advisories | CVE-2016-0173
MD5 | 160e4fa92c75ae0cd439e35c508ca694
Windows 7 win32k Bitmap Use-After-Free
Posted Jun 16, 2016
Authored by Google Security Research, hawkes

This proof of concept triggers a blue screen on Windows 7 with special pool enabled on win32k.sys. A reference to the bitmap object still exists in the device context after it has been deleted.

tags | exploit, proof of concept
systems | linux, windows, 7
advisories | CVE-2016-0171
MD5 | 7b31ec4bf7cf5a7032dd8cecf1de4699
Windows Kernel DrawMenuBarTemp Wild Write
Posted Apr 19, 2016
Authored by Google Security Research, hawkes

The attached testcases crashes Windows 7 64-bit while attempting to write to an unmapped memory region. On 32-bit Windows 7 it triggers a null pointer read.

tags | exploit
systems | linux, windows, 7
advisories | CVE-2016-0143
MD5 | a57566654e391784b1ed361e0eef9e66
Windows Kernel Bitmap Use-After-Free
Posted Mar 31, 2016
Authored by Google Security Research, hawkes

The included proof of concept crashes Windows 7 with special pool enabled on win32k.sys. The crashes are triggering in multiple different ways (two examples attached).

tags | exploit
systems | linux, windows, 7
advisories | CVE-2016-0094
MD5 | 3defdb2525d89c17d6295174598fc97a
Windows Kernel NtGdiGetTextExtentExW Out-Of-Bounds Memory Read
Posted Mar 31, 2016
Authored by Google Security Research, hawkes

The included proof of concept crashes Windows 7 with special pool enabled on win32k.sys. The crash is due to accessing memory past the end of a buffer.

tags | exploit, proof of concept
systems | linux, windows, 7
advisories | CVE-2016-0093
MD5 | e05989cd4b370bea012d96b631c5ffc0
Linux Netfilter IPT_SO_SET_REPLACE Memory Corruption
Posted Mar 11, 2016
Authored by Google Security Research, hawkes

A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE ioctl in the netfilter code for iptables support. This ioctl is can be triggered by an unprivileged user on PF_INET sockets when unprivileged user namespaces are available (CONFIG_USER_NS=y). Android does not enable this option, but desktop/server distributions and Chrome OS will commonly enable this to allow for containers support or sandboxing.

tags | exploit
systems | linux
MD5 | 2bb163d4c99aef67a29bb7b35a88ecb7
Qualcomm Adreno GPU MSM Driver Perfcounter Query Heap Overflow
Posted Feb 29, 2016
Authored by Google Security Research, hawkes

The Adreno GPU driver for the MSM Linux kernel contains a heap overflow in the IOCTL_KGSL_PERFCOUNTER_QUERY ioctl command. The bug results from an incorrect conversion to a signed type when calculating the minimum count value for the query option. This results in a negative integer being used to calculate the size of a buffer, which can result in an integer overflow and a small sized allocation on 32-bit systems.

tags | exploit, overflow, kernel
systems | linux
MD5 | c63ace51362852575e5b13f1d0785958
Linux io_submit L2TP Sendmsg Integer Overflow
Posted Feb 25, 2016
Authored by Google Security Research, hawkes

In certain kernel versions it is possible to use the AIO subsystem (io_submit syscall) to pass size values larger than MAX_RW_COUNT to the networking subsystem's sendmsg implementation. In the L2TP PPP sendmsg implementation, a large size parameter can lead to an integer overflow and kernel heap corruption during socket buffer allocation. This could be exploited to allow local privilege escalation from an unprivileged user account.

tags | exploit, overflow, kernel, local
systems | linux
MD5 | baa8ce9b45b1f1852ce12173de5c6701
Samsung M2m1shot Kernel Driver Buffer Overflow
Posted Oct 28, 2015
Authored by Google Security Research, hawkes

The Samsung m2m1shot driver framework is used to provide hardware acceleration for certain media functions, such as JPEG decoding and scaling images. The driver endpoint (/dev/m2m1shot_jpeg) is accessible by the media server. The Samsung S6 Edge is a 64-bit device, so a compatibility layer is used to allow 32-bit processes to provide structures that are expected by the 64-bit driver. There is a stack buffer overflow in the compat ioctl for m2m1shot.

tags | exploit, overflow
systems | linux
advisories | CVE-2015-7892
MD5 | db1dc1c9fb0edf79900cfbb5e71d03a4
Microsoft Office 2007 RTF XML SmartTags Use-After-Free
Posted Aug 25, 2015
Authored by Google Security Research, hawkes

Microsoft Office 2007 suffers from a RTF XML SmartTags use-after-free vulnerability.

tags | advisory
systems | linux
advisories | CVE-2015-1651
MD5 | cff115aa1b1fa2e2fe86d91cac8c0fef
Microsoft Office 2007 OneTableDocumentStream Invalid Object
Posted Aug 25, 2015
Authored by Google Security Research, hawkes

Microsoft Office 2007 suffers from a OneTableDocumentStream invalid object vulnerability.

tags | exploit
systems | linux
advisories | CVE-2015-0065
MD5 | 7d8654a8cadad963976da4666f02c813
Microsoft Office 2007 Malformed Document Stack-Based Buffer Overflow
Posted Aug 25, 2015
Authored by Google Security Research, hawkes

Microsoft Office 2007 suffers from a stack-based buffer overflow vulnerability when handling a malformed document.

tags | exploit, overflow
systems | linux
advisories | CVE-2015-0064
MD5 | 5941a755c3ef62f340fb450cd1a9d1a4
Adobe Flash URL Resource Use-After-Free
Posted Aug 21, 2015
Authored by Google Security Research, hawkes

Adobe Flash suffers from a URL resource use-after-free vulnerability.

tags | exploit
systems | linux
advisories | CVE-2015-4430
MD5 | d9e356128cf3ebc5a4503dbe3e05dee1
Adobe Flash Out-Of-Bounds Memory Read While Parsing A Mutated TTF File Embedded In SWF
Posted Aug 21, 2015
Authored by Google Security Research, hawkes

An out-of-bounds memory read occurs when Adobe Flash parses a mutated TTF file embedded in a swf.

tags | exploit
systems | linux
advisories | CVE-2015-5133
MD5 | 29760ef7df914bd90d9f5b3db7465e32
Adobe Flash Out-Of-Bounds Memory Read While Parsing A Mutated SWF File
Posted Aug 20, 2015
Authored by Google Security Research, hawkes

An access violation occurs in Adobe Flash Player plugin while parsing a mutated swf file.

tags | exploit
systems | linux
advisories | CVE-2015-5132
MD5 | a8c2959381f256cd9fa62ce495f60382
Adobe Flash Out-Of-Bounds Memory Read While Parsing A Mutated SWF File
Posted Aug 20, 2015
Authored by Google Security Research, hawkes

An access violation occurs in Adobe Flash Player plugin while parsing a mutated swf file.

tags | exploit
systems | linux
advisories | CVE-2015-5131
MD5 | 98783e7375acc63c04b5809fe911e197
Flash Out-Of-Bounds Read In UTF Conversion
Posted Aug 20, 2015
Authored by Google Security Research, hawkes

This is a OOB read vulnerability when processing the SCRIPTDATASTRING object in Flv file.

tags | exploit
systems | linux
advisories | CVE-2015-3134
MD5 | b37ae7ca4b5966bf0417d718a7c2e83d
Page 1 of 1
Back1Next

File Archive:

July 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    13 Files
  • 2
    Jul 2nd
    12 Files
  • 3
    Jul 3rd
    1 Files
  • 4
    Jul 4th
    2 Files
  • 5
    Jul 5th
    34 Files
  • 6
    Jul 6th
    21 Files
  • 7
    Jul 7th
    21 Files
  • 8
    Jul 8th
    13 Files
  • 9
    Jul 9th
    6 Files
  • 10
    Jul 10th
    1 Files
  • 11
    Jul 11th
    3 Files
  • 12
    Jul 12th
    15 Files
  • 13
    Jul 13th
    19 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    15 Files
  • 16
    Jul 16th
    9 Files
  • 17
    Jul 17th
    2 Files
  • 18
    Jul 18th
    2 Files
  • 19
    Jul 19th
    19 Files
  • 20
    Jul 20th
    21 Files
  • 21
    Jul 21st
    53 Files
  • 22
    Jul 22nd
    14 Files
  • 23
    Jul 23rd
    14 Files
  • 24
    Jul 24th
    1 Files
  • 25
    Jul 25th
    1 Files
  • 26
    Jul 26th
    21 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close