what you don't know can hurt you
Showing 1 - 18 of 18 RSS Feed

Files from hawkes

First Active2015-08-20
Last Active2020-09-08
Qualcomm Adreno GPU Ringbuffer Corruption / Protected Mode Bypass
Posted Sep 8, 2020
Authored by Google Security Research, hawkes

The Qualcomm Adreno GPU shares a global mapping called a "scratch" buffer with the Adreno KGSL kernel driver. The contents of the scratch buffer can be overwritten by untrusted GPU commands. This results in a logic error in the Adreno driver's ringbuffer allocation code, which can be used to corrupt ringbuffer data. A race condition exists between the ringbuffer corruption and a GPU context switch, and this results in a bypass of the GPU protected mode setting. This ultimately means that an attacker can read and write arbitrary physical addresses from userland by running GPU commands while protected mode disabled, which results in arbitrary kernel code execution.

tags | exploit, arbitrary, kernel, code execution
advisories | CVE-2020-11179
MD5 | 1b8910b13d2d3595dcd217d98080e491
Windows 7 win32k Bitmap Use-After-Free
Posted Jun 16, 2016
Authored by Google Security Research, hawkes, Nils Sommer

This proof of concept crashes 32-bit Windows 7 with special pool enabled on win32k.sys. It might take several runs in order to reproduce.

tags | exploit, proof of concept
systems | linux, windows, 7
advisories | CVE-2016-0173
MD5 | 160e4fa92c75ae0cd439e35c508ca694
Windows 7 win32k Bitmap Use-After-Free
Posted Jun 16, 2016
Authored by Google Security Research, hawkes

This proof of concept triggers a blue screen on Windows 7 with special pool enabled on win32k.sys. A reference to the bitmap object still exists in the device context after it has been deleted.

tags | exploit, proof of concept
systems | linux, windows, 7
advisories | CVE-2016-0171
MD5 | 7b31ec4bf7cf5a7032dd8cecf1de4699
Windows Kernel DrawMenuBarTemp Wild Write
Posted Apr 19, 2016
Authored by Google Security Research, hawkes

The attached testcases crashes Windows 7 64-bit while attempting to write to an unmapped memory region. On 32-bit Windows 7 it triggers a null pointer read.

tags | exploit
systems | linux, windows, 7
advisories | CVE-2016-0143
MD5 | a57566654e391784b1ed361e0eef9e66
Windows Kernel Bitmap Use-After-Free
Posted Mar 31, 2016
Authored by Google Security Research, hawkes

The included proof of concept crashes Windows 7 with special pool enabled on win32k.sys. The crashes are triggering in multiple different ways (two examples attached).

tags | exploit
systems | linux, windows, 7
advisories | CVE-2016-0094
MD5 | 3defdb2525d89c17d6295174598fc97a
Windows Kernel NtGdiGetTextExtentExW Out-Of-Bounds Memory Read
Posted Mar 31, 2016
Authored by Google Security Research, hawkes

The included proof of concept crashes Windows 7 with special pool enabled on win32k.sys. The crash is due to accessing memory past the end of a buffer.

tags | exploit, proof of concept
systems | linux, windows, 7
advisories | CVE-2016-0093
MD5 | e05989cd4b370bea012d96b631c5ffc0
Linux Netfilter IPT_SO_SET_REPLACE Memory Corruption
Posted Mar 11, 2016
Authored by Google Security Research, hawkes

A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE ioctl in the netfilter code for iptables support. This ioctl is can be triggered by an unprivileged user on PF_INET sockets when unprivileged user namespaces are available (CONFIG_USER_NS=y). Android does not enable this option, but desktop/server distributions and Chrome OS will commonly enable this to allow for containers support or sandboxing.

tags | exploit
systems | linux
MD5 | 2bb163d4c99aef67a29bb7b35a88ecb7
Qualcomm Adreno GPU MSM Driver Perfcounter Query Heap Overflow
Posted Feb 29, 2016
Authored by Google Security Research, hawkes

The Adreno GPU driver for the MSM Linux kernel contains a heap overflow in the IOCTL_KGSL_PERFCOUNTER_QUERY ioctl command. The bug results from an incorrect conversion to a signed type when calculating the minimum count value for the query option. This results in a negative integer being used to calculate the size of a buffer, which can result in an integer overflow and a small sized allocation on 32-bit systems.

tags | exploit, overflow, kernel
systems | linux
MD5 | c63ace51362852575e5b13f1d0785958
Linux io_submit L2TP Sendmsg Integer Overflow
Posted Feb 25, 2016
Authored by Google Security Research, hawkes

In certain kernel versions it is possible to use the AIO subsystem (io_submit syscall) to pass size values larger than MAX_RW_COUNT to the networking subsystem's sendmsg implementation. In the L2TP PPP sendmsg implementation, a large size parameter can lead to an integer overflow and kernel heap corruption during socket buffer allocation. This could be exploited to allow local privilege escalation from an unprivileged user account.

tags | exploit, overflow, kernel, local
systems | linux
MD5 | baa8ce9b45b1f1852ce12173de5c6701
Samsung M2m1shot Kernel Driver Buffer Overflow
Posted Oct 28, 2015
Authored by Google Security Research, hawkes

The Samsung m2m1shot driver framework is used to provide hardware acceleration for certain media functions, such as JPEG decoding and scaling images. The driver endpoint (/dev/m2m1shot_jpeg) is accessible by the media server. The Samsung S6 Edge is a 64-bit device, so a compatibility layer is used to allow 32-bit processes to provide structures that are expected by the 64-bit driver. There is a stack buffer overflow in the compat ioctl for m2m1shot.

tags | exploit, overflow
systems | linux
advisories | CVE-2015-7892
MD5 | db1dc1c9fb0edf79900cfbb5e71d03a4
Microsoft Office 2007 RTF XML SmartTags Use-After-Free
Posted Aug 25, 2015
Authored by Google Security Research, hawkes

Microsoft Office 2007 suffers from a RTF XML SmartTags use-after-free vulnerability.

tags | advisory
systems | linux
advisories | CVE-2015-1651
MD5 | cff115aa1b1fa2e2fe86d91cac8c0fef
Microsoft Office 2007 OneTableDocumentStream Invalid Object
Posted Aug 25, 2015
Authored by Google Security Research, hawkes

Microsoft Office 2007 suffers from a OneTableDocumentStream invalid object vulnerability.

tags | exploit
systems | linux
advisories | CVE-2015-0065
MD5 | 7d8654a8cadad963976da4666f02c813
Microsoft Office 2007 Malformed Document Stack-Based Buffer Overflow
Posted Aug 25, 2015
Authored by Google Security Research, hawkes

Microsoft Office 2007 suffers from a stack-based buffer overflow vulnerability when handling a malformed document.

tags | exploit, overflow
systems | linux
advisories | CVE-2015-0064
MD5 | 5941a755c3ef62f340fb450cd1a9d1a4
Adobe Flash URL Resource Use-After-Free
Posted Aug 21, 2015
Authored by Google Security Research, hawkes

Adobe Flash suffers from a URL resource use-after-free vulnerability.

tags | exploit
systems | linux
advisories | CVE-2015-4430
MD5 | d9e356128cf3ebc5a4503dbe3e05dee1
Adobe Flash Out-Of-Bounds Memory Read While Parsing A Mutated TTF File Embedded In SWF
Posted Aug 21, 2015
Authored by Google Security Research, hawkes

An out-of-bounds memory read occurs when Adobe Flash parses a mutated TTF file embedded in a swf.

tags | exploit
systems | linux
advisories | CVE-2015-5133
MD5 | 29760ef7df914bd90d9f5b3db7465e32
Adobe Flash Out-Of-Bounds Memory Read While Parsing A Mutated SWF File
Posted Aug 20, 2015
Authored by Google Security Research, hawkes

An access violation occurs in Adobe Flash Player plugin while parsing a mutated swf file.

tags | exploit
systems | linux
advisories | CVE-2015-5132
MD5 | a8c2959381f256cd9fa62ce495f60382
Adobe Flash Out-Of-Bounds Memory Read While Parsing A Mutated SWF File
Posted Aug 20, 2015
Authored by Google Security Research, hawkes

An access violation occurs in Adobe Flash Player plugin while parsing a mutated swf file.

tags | exploit
systems | linux
advisories | CVE-2015-5131
MD5 | 98783e7375acc63c04b5809fe911e197
Flash Out-Of-Bounds Read In UTF Conversion
Posted Aug 20, 2015
Authored by Google Security Research, hawkes

This is a OOB read vulnerability when processing the SCRIPTDATASTRING object in Flv file.

tags | exploit
systems | linux
advisories | CVE-2015-3134
MD5 | b37ae7ca4b5966bf0417d718a7c2e83d
Page 1 of 1
Back1Next

File Archive:

September 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    20 Files
  • 2
    Sep 2nd
    15 Files
  • 3
    Sep 3rd
    15 Files
  • 4
    Sep 4th
    4 Files
  • 5
    Sep 5th
    1 Files
  • 6
    Sep 6th
    1 Files
  • 7
    Sep 7th
    15 Files
  • 8
    Sep 8th
    27 Files
  • 9
    Sep 9th
    7 Files
  • 10
    Sep 10th
    16 Files
  • 11
    Sep 11th
    9 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    25 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    15 Files
  • 17
    Sep 17th
    15 Files
  • 18
    Sep 18th
    12 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close