This is a thorough analysis of the Microsoft XML core services uninitialized memory vulnerability as noted by CVE-2012-1889. It includes proof of concept data to trigger the issue and goes through the flow.
71478922d4d7dd398af9e4e90d1f859e3494d8ddf266086e502d50612e95667aThis exploit leverages a file write vulnerability in the print spooler service which will restart if stopped. Because the service cannot be stopped long enough to remove the dll, there is no way to remove the dll once it is loaded by the service. Essentially, on default settings, this module adds a permanent elevated backdoor.
042eb96d4be3493ee746dfaae2491220ba9b12278e37c6ccaaa1b2d1f175f42fThe AnyDesk GUI is vulnerable to a remotely exploitable format string vulnerability. By sending a specially crafted discovery packet, an attacker can corrupt the frontend process when it loads or refreshes. While the discovery service is always running, the GUI frontend must be started to trigger the vulnerability. On successful exploitation, code is executed within the context of the user who started the AnyDesk GUI.
3a9a77f3da97e3fa3eabb2ff840fb3ea885747038fdb66fcbcb8f64ab38332f4Qualys has released their local privilege escalation and remote code execution exploit for qmail that leverages the vulnerability as described in CVE-2005-1513.
aeddf83bcc9a800cd02239af4a54d57183ef075fb1b760208db0cc07f6338385This Metasploit module exploits CVE-2020-0787, an arbitrary file move vulnerability in outdated versions of the Background Intelligent Transfer Service (BITS), to overwrite C:\Windows\System32\WindowsCoreDeviceInfo.dll with a malicious DLL containing the attacker's payload. To achieve code execution as the SYSTEM user, the Update Session Orchestrator service is then started, which will result in the malicious WindowsCoreDeviceInfo.dll being run with SYSTEM privileges due to a DLL hijacking issue within the Update Session Orchestrator Service. Note that presently this module only works on Windows 10 and Windows Server 2016 and later as the Update Session Orchestrator Service was only introduced in Windows 10. Note that only Windows 10 has been tested, so your mileage may vary on Windows Server 2016 and later.
881389db7516cd93002413a591d878987421d6e664f4be1ea349fe9d3d4000cfThis Metasploit module leverages a trusted file overwrite with a dll hijacking vulnerability to gain SYSTEM-level access on vulnerable Windows 10 x64 targets.
c361a1c2decc4120fb83b82770836ac6e075d3657ad91fe7ca2189c9dd6ec994A vulnerability exists within the Microsoft Server Message Block 3.1.1 (SMBv3) protocol that can be leveraged to execute code on a vulnerable server. This local exploit implementation leverages this flaw to elevate itself before injecting a payload into winlogon.exe.
b897523218de261b528a25b48e985e91f958585e7ae9753a0c897e339abe8503The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120, allowing a malformed Disconnect Provider Indication message to cause a use-after-free. With a controllable data/size remote nonpaged pool spray, an indirect call gadget of the freed channel is used to achieve arbitrary code execution.
1aecbe52ce929c3de3a4cf90e7b8a03dc74a2a1edd4797fbc7bf61bee611bb3cWebmin version 1.920 remote code execution exploit that leverages the vulnerability noted in CVE-2019-15107.
233192a3d19175ea1314a59b24a433a47278e7d0fd3f5a72f4fdeb8334763b0eA vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. The vulnerability is due to improper validation of user-supplied data in the web-based management interface. An attacker could exploit this vulnerability by sending malicious HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system of the affected device as a high-privilege user. RV110W Wireless-N VPN Firewall versions prior to 1.2.2.1 are affected. RV130W Wireless-N Multifunction VPN Router versions prior to 1.0.3.45 are affected. RV215W Wireless-N VPN Router versions prior to 1.3.1.1 are affected. Note: successful exploitation may not result in a session, and as such, on_new_session will never repair the HTTP server, leading to a denial-of-service condition.
2c771b51eb75ada179bdbfecb74aebaee8b16721ebc04a5e5d918a82a211ed0aAn elevation of privilege vulnerability exists in Microsoft Windows when the Win32k component fails to properly handle objects in memory. This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This Metasploit module is tested against Windows 10 v1703 x86.
b12d041b74805140215567e34bac24168770da5ed39aeeca4562c66332b7d517This is a thorough analysis of how Qualys approached exploiting three vulnerabilities in systemd-journald. Although they have not released formal exploits yet, they detail in here is useful in understanding the flaws.
19a689d664d755e0625285bb3e35b7cb5791449a424da89709b8ef0bf6fdcb91This Metasploit module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) that contain a dynamic icon, loaded from a malicious DLL. This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is similar except an additional SpecialFolderDataBlock is included. The folder ID set in this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary DLL file. The PATH option must be an absolute path to a writeable directory which is indexed for searching. If no PATH is specified, the module defaults to %USERPROFILE%.
81346e7020afd7e94a6d9b253a4b2b5b1c2eba12306e57cf746fb11c43f51e4bLinux kernel versions 4.4.1 and below REFCOUNT overflow / use-after free keyrings local root exploit.
ff28a80090cf606fd0d4f578152d8d24cafca71bf951cb58596dc39c575c5aaeISC DHCP dhclient scripts_write_params() stack buffer overflow exploit.
2014e6abc56455168433974101c55c09624023f1879081dc6ce5c0c8823eb70eThe TCP/IP-Stack of the Microsoft Windows XP/Vista Operating System is vulnerable to a remote resource exhaustion vulnerability. By taking advantage of this vulnerability, an attacker can cause a connection's Transmission Control Block (TCB) to remain in memory for an indefinite amount of time without the need for the attacker to further maintain the connection's activity.
15a60a5f477e09ee40822768593559d188cfaca8a7a7e280c79b97103571951dAdobe Reader Collab.getIcon() buffer overflow exploit.
4c864bafa7d7369b396207fd655fe2e4ab8cbd7010dcb62abe900dec15e17645procfs memory disclosure exploit for Linux kernel versions prior to 2.6.14.6.
a870ac7b48160c6a68b2fabfa0d763085a457e0261e1bcfb589827d445df5e4dThe Network Foundation component in Oracle Database versions 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4, and 11.1.0.7 suffers from an unspecified vulnerability. Proof of concept code included.
b72c7dda245813a64d3b0a4289c19093bf2dd482068da52abee287e8b36d133aOracle version 11.1.0.6.0 win32 denial of service exploit.
8216ea65330bb3e430c0dd5a009534972e3e11372ad6213bf79493989e91ba7fLocal root exploit for FreeBSD nmount(). This affects FreeBSD 7.0-RELEASE and 7.0-STABLE.
f73657bff4c5f05a9a63c9564bcf7f676f9adf0f6b8a1b9a13e53473275ca23dWhen using a RequestDispatcher obtained from the Request in Apache Tomcat, the target path was normalized before the query string was removed. A request that included a specially crafted request parameter could be used to access content that would otherwise be protected by a security constraint or by locating it in under the WEB-INF directory. Versions affected include Tomcat 6.0.0 to 6.0.18, Tomcat 5.5.0 to 5.5.27, and Tomcat 4.1.0 to 4.1.39.
c0a0a2a9804149cddfa6d775c7f68367d06311ea65f71bbd9aad52799158a793Apache Tomcat suffers from a XML parser replacement related information disclosure vulnerability. Versions affected include Tomcat 6.0.0 to 6.0.18, Tomcat 5.5.0 to 5.5.27, and Tomcat 4.1.0 to 4.1.39.
c2b64deb31914b487990416282c15bcbf60ade318ae9adeff66567f4a45f4d69If Tomcat receives a request with invalid headers via the Java AJP connector, it does not return an error and instead closes the AJP connection. In case this connector is member of a mod_jk load balancing worker, this member will be put into an error state and will be blocked from use for approximately one minute. Thus the behavior can be used for a denial of service attack using a carefully crafted request. Versions affected include Tomcat 6.0.0 to 6.0.18, Tomcat 5.5.0 to 5.5.27, and Tomcat 4.1.0 to 4.1.39.
c1222adcdce7d85aa41a91cfdf45704103468dc97af6d891ef3a467ed12ed3c9Due to insufficient error checking in some authentication classes, Tomcat allows for the enumeration (brute force testing) of usernames by supplying illegally URL encoded passwords. Versions affected include Tomcat 6.0.0 to 6.0.18, Tomcat 5.5.0 to 5.5.27, and Tomcat 4.1.0 to 4.1.39.
23d04996953f18e735ec39419f21aa830d1507afe0c131cb6125bc7e54f441baOpenSSL versions below 0.9.8i DTLS ChangeCipherSpec remote denial of service exploit.
c423dfdd2b8cf9bdc5f6306e55b415b44cbfafa64e6fbbae22549b1a42b3810c
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed