Showing 26 - 50 of 57

Files from forshaw

First Active: 2015-08-21
Last Active: 2017-05-18
Microsoft Windows RegLoadAppKey Privilege Elevation
Posted Sep 23, 2016
Authored by Google Security Research, forshaw

RegLoadAppKey is documented as loading keys into a location which cannot be enumerated and is not guessable. However, it is possible to enumerate loaded hives and find ones which can be written to, which might lead to elevation of privilege.

tags | exploit
advisories | CVE-2016-3373
MD5 | c8ed8832e1f116600c4be3fa0cfa87d4
Windows NtCreateProcessEx NULL Pointer Dereference
Posted Jun 28, 2016
Authored by Google Security Research, forshaw

PspInitializeFullProcessImageName does not correctly handle a NULL pointer being passed to it, leading to a dereference at NULL for a file object, which might be exploitable on 32 bit systems for elevation of privilege.

tags | exploit
systems | linux
MD5 | 20d25064ebfd2c1e9dc3e3ebd943bab2
Windows Local WebDAV NTLM Reflection Elevation Of Privilege
Posted Jun 23, 2016
Authored by Google Security Research, forshaw

A default installation of Windows 7/8 can be made to perform an NTLM reflection attack through WebDAV, which allows a local user to elevate privileges to local system.

tags | exploit, local
systems | linux, windows, 7
advisories | CVE-2016-3225
MD5 | 82d6af8e271805e83f08f43f439eb387
Windows Custom Font Disable Policy Bypass
Posted Jun 20, 2016
Authored by Google Security Research, forshaw

It is possible to bypass the ProcessFontDisablePolicy check in win32k to load a custom font from an arbitrary file on disk even in a sandbox.

tags | exploit, arbitrary
systems | linux
advisories | CVE-2016-3219
MD5 | b1947832881f2d0ed0b3fc8280e69630
Android Service Manager One Way Binder Transaction Crash
Posted Apr 28, 2016
Authored by Google Security Research, forshaw

If an application sends a one way binder transaction the service tries to send a reply which fails. This causes the service manager to exit its binder loop and the process dies causing the system to reboot. Tested on Android version 6.0.1 February patches.

tags | exploit, denial of service
systems | linux
MD5 | 99e18c7b5134fd0d4dcd4383654d1372
Microsoft Windows CSRSS Privilege Escalation
Posted Apr 27, 2016
Authored by Google Security Research, forshaw

The CSRSS BaseSrv RPC call BaseSrvCheckVDM allows you to create a new process with the anonymous token, which results in a new process in session 0 which can be abused to elevate privileges.

tags | exploit
systems | linux
advisories | CVE-2016-0151
MD5 | b53f1c042d141766251ba3d2c5ce4315
Android IOMX getConfig/getParameter Information Disclosure
Posted Apr 9, 2016
Authored by Google Security Research, forshaw

The GET_CONFIG and GET_PARAMETER calls on IOMX are vulnerable to an information disclosure of uninitialized heap memory. This could be used by an attacker to break ASLR in the media server process by reading out heap memory which contains useful address information.

tags | exploit, info disclosure
systems | linux
advisories | CVE-2016-2417
MD5 | 66e59acf2d705f1b7f2bf56ae18ab2a5
Android IMemory Native Interface Insecure IPC Use
Posted Apr 9, 2016
Authored by Google Security Research, forshaw

The IMemory interface in frameworks/native/libs/binder/IMemory.cpp, used primarily by the media services, can be tricked into returning arbitrary memory locations, leading to information disclosure or memory corruption.

tags | exploit, arbitrary, info disclosure
systems | linux
advisories | CVE-2016-0846
MD5 | ec093c2a518746cb8fe96c41275efde3
Microsoft Windows 8.1 Console Driver Job Object Process Limit Bypass
Posted Apr 7, 2016
Authored by Google Security Research, forshaw

One change in Windows 8.1 from Windows 7 is the introduction of the console driver (condrv.sys), which is responsible for handling the management of consoles. It contains a method, CdpLaunchServerProcess, which creates an instance of conhost.exe. This method calls ZwCreateUserProcess, which means that the system call runs with kernel permissions; it also passes a flag (0x400) to the system call which indicates that the new process should not be assigned to the parent job. This allows the conhost process to bypass the job restrictions.

tags | exploit, kernel
systems | linux, windows, 7
MD5 | 19c23ba38514cdf1e5097db2a3684f70
Window Secondary Login Failed Sanitization
Posted Mar 17, 2016
Authored by Google Security Research, forshaw

The SecLogon service does not sanitize standard handles when creating a new process, which leads to a system service thread pool handle being duplicated into a user accessible process. This can be used to elevate privileges to Local System.

tags | exploit, local
systems | linux
advisories | CVE-2016-0099
MD5 | fc86862f0df844b5376706adb86d85f5
Android BnBluetoothGattServer / BnBluetoothGatServerCallback IPC Memory Corruption
Posted Mar 11, 2016
Authored by Google Security Research, forshaw

The SEND_RESPONSE_TRANSACTION and SEND_NOTIFICATION_TRANSACTION IPC calls in BnBluetoothGattServer::onTransact are vulnerable to stack corruption which could allow an attacker to locally elevate privileges to the level of the bluetooth service.

tags | advisory
systems | linux
MD5 | 153772ea89b8a8898aee537986bef494
Android Calling Getpidcon Gets Wrong Security Context
Posted Feb 23, 2016
Authored by Google Security Research, forshaw

The servicemanager, keystore and drmserver all use the getpidcon function to get the security context of the caller from a binder. When combined with a one way binder transaction, this results in getting the security context of the current process, which might allow an SELinux MAC bypass.

tags | advisory
systems | linux
MD5 | 6ce23a75db73489ee0a2ef4120537678
Samsung SecEmailUI Script Injection
Posted Feb 7, 2016
Authored by Google Security Research, forshaw

The default Samsung email client's email viewer and composer (implemented in SecEmailUI.apk) doesn't sanitize HTML email content for scripts before rendering the data inside a WebView. This allows an attacker to execute arbitrary JavaScript when a user views an HTML email which contains HTML script tags or other events.

tags | exploit, arbitrary, javascript
systems | linux
advisories | CVE-2015-7893
MD5 | 8a47c6ddd80bdce6d9af835b275d4ed2
Microsoft Windows Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux 2
Posted Jan 22, 2016
Authored by Google Security Research, forshaw

The fix for CVE-2015-2553 can be bypassed to get limited mount reparse points working again for sandbox attacks by abusing anonymous token impersonation.

tags | exploit
systems | linux
advisories | CVE-2016-0007
MD5 | 07a5cc920afddb9b88b0f8f099d9d48b
Microsoft Windows Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux 1
Posted Jan 22, 2016
Authored by Google Security Research, forshaw

The fix for CVE-2015-2553 can be bypassed to get limited mount reparse points working again for sandbox attacks.

tags | exploit
systems | linux
advisories | CVE-2016-0006
MD5 | 76a2a2dae02d9162ed0b0ae7b5409649
NVIDIA Stereoscopic 3D Driver Service Arbitrary Run Key Creation
Posted Nov 24, 2015
Authored by Google Security Research, forshaw

The 3D Vision service nvSCPAPISvr.exe installed as part of typical driver installations runs at Local System and has an insecure named pipe server. One of the commands in the server can be used to set an Explorer Run key for the system which would allow a user to get code executing in the session of any other user who logs on to the same machine leading to elevation of privilege. In Windows Domain environments it would also be possible to exploit the vulnerability between machines if the attacker has access to a valid user account on one domain joined machine.

tags | exploit, local
systems | linux, windows
advisories | CVE-2015-7865
MD5 | 8303a96ab3098262bbd0ee9fdaffd2c2
Microsoft Windows Hardlink Permission Issue
Posted Nov 17, 2015
Authored by Google Security Research, forshaw

On Microsoft Windows you can create NTFS hardlinks without needing write permissions on the target file.

tags | advisory
systems | linux, windows
advisories | CVE-2015-6113
MD5 | 6075d3d3870b6e4c1f75b3c3c5e80210
Microsoft Windows 8.1 Ahcache.sys/NtApphelpCacheControl Privilege Escalation
Posted Nov 17, 2015
Authored by Google Security Research, forshaw

On Windows 8.1 Update 32/64 bit, the system call NtApphelpCacheControl (the code is actually in ahcache.sys) allows application compatibility data to be cached for quick reuse when new processes are created. A normal user can query the cache but cannot add new cached entries, as the operation is restricted to administrators. This is checked in the function AhcVerifyAdminContext. This function has a vulnerability where it doesn't correctly check the impersonation token of the caller to determine if the user is an administrator. It reads the caller's impersonation token using PsReferenceImpersonationToken and then compares the user SID in the token with LocalSystem's SID. It doesn't check the impersonation level of the token, so it's possible to get an identification-level token on your thread from a local system process and bypass this check.

tags | exploit, local
systems | linux, windows
advisories | CVE-2015-0001
MD5 | 60f7d8c70155b2b1c5f188a27a78d2f2
Windows NtCreateLowBoxToken Handle Capture Local DoS/Elevation Of Privilege
Posted Nov 2, 2015
Authored by Google Security Research, forshaw

The NtCreateLowBoxToken API allows the capture of arbitrary handles, which can lead to local denial of service or elevation of privilege.

tags | exploit, denial of service, arbitrary, local
systems | linux
advisories | CVE-2015-2554
MD5 | 78c1d449de1db9c95b71c5fb5b2aae6d
Samsung SecEmailComposer QUICK_REPLY_BACKGROUND Permission Weakness
Posted Oct 28, 2015
Authored by Google Security Research, forshaw

The SecEmailComposer/EmailComposer application used by the Samsung S6 Edge has an exported service action to do quick replies to emails. It was found that this action required no permissions to call, and could lead to an unprivileged application gaining access to email content.

tags | exploit
systems | linux
advisories | CVE-2015-7889
MD5 | e00fb26f301383f9782fcee941870eb1
Windows Sandboxed Mount Reparse Point Creation Mitigation Bypass
Posted Oct 15, 2015
Authored by Google Security Research, forshaw

A mitigation added to Windows 10 to prevent NTFS Mount Reparse Points being created at integrity levels below medium can be bypassed.

tags | exploit
systems | linux, windows
advisories | CVE-2015-2553
MD5 | 14c29ffbdf03915a72fc87aa0b6cae13
Truecrypt 7 Privilege Escalation
Posted Oct 6, 2015
Authored by Google Security Research, forshaw

The Windows driver used by projects derived from Truecrypt 7 (verified in Veracrypt and CipherShed) is vulnerable to a local elevation of privilege attack due to flawed checking of the calling process's impersonation token, which allows a user to inspect and potentially manipulate other users' mounted encrypted volumes on the same machine.

tags | exploit, local
systems | linux, windows
advisories | CVE-2015-7359
MD5 | d4c1059c95e584bc27cd63a4c99e5071
Cisco AnyConnect Secure Mobility Client 3.1.08009 Privilege Elevation
Posted Oct 6, 2015
Authored by Google Security Research, forshaw

Cisco AnyConnect Secure Mobility Client version 3.1.08009 suffers from a privilege escalation vulnerability. The fix for CVE-2015-4211 is insufficient which allows a local application to elevate to local system through the CMainThread::launchDownloader command.

tags | exploit, local
systems | cisco, linux
advisories | CVE-2015-6305
MD5 | 2287bf46457bb87b38593e1abc50a6bb
Truecrypt 7 Derived Code/Windows: Drive Letter Symbolic Link Creation Privilege Escalation
Posted Oct 5, 2015
Authored by Google Security Research, forshaw

The Windows driver used by projects derived from Truecrypt 7 (verified in Veracrypt and CipherShed) is vulnerable to a local elevation of privilege attack by abusing the drive letter symbolic link creation facilities to remap the main system drive. With the system drive remapped, it's trivial to get a new process running under the local system account.

tags | exploit, local
systems | linux, windows
advisories | CVE-2015-7358
MD5 | 7bfc0b79894fde4463321eaa399da255
Flash Failing Checks On uint Capacity Field
Posted Sep 28, 2015
Authored by Google Security Research, forshaw

The latest version of the Vector.primitive length check in Flash 18,0,0,232 is not robust against memory corruptions such as heap overflows. While it is no longer possible to obviously bypass the length check there is still unguarded data in the object which could be corrupted to serve as a useful primitive.

tags | exploit, overflow
systems | linux
advisories | CVE-2015-5568
MD5 | d8d63f278bfaf7212db84743a736c353