exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 26 - 50 of 100 RSS Feed


Microsoft XML Core Services Uninitialized Memory
Posted Jul 5, 2012
Authored by Brian Mariani, High-Tech Bridge SA, Frederic Bourla | Site htbridge.com

This is a thorough analysis of the Microsoft XML core services uninitialized memory vulnerability as noted by CVE-2012-1889. It includes proof of concept data to trigger the issue and goes through the flow.

tags | paper, proof of concept
advisories | CVE-2012-1889
SHA-256 | 71478922d4d7dd398af9e4e90d1f859e3494d8ddf266086e502d50612e95667a

Related Files

Microsoft Spooler Local Privilege Elevation
Posted Sep 17, 2020
Authored by bwatters-r7, shubham0d, Yarden Shafir, Alex Ionescu | Site metasploit.com

This exploit leverages a file write vulnerability in the print spooler service which will restart if stopped. Because the service cannot be stopped long enough to remove the dll, there is no way to remove the dll once it is loaded by the service. Essentially, on default settings, this module adds a permanent elevated backdoor.

tags | exploit
advisories | CVE-2020-1048
SHA-256 | 042eb96d4be3493ee746dfaae2491220ba9b12278e37c6ccaaa1b2d1f175f42f
AnyDesk GUI Format String Write
Posted Jul 2, 2020
Authored by Spencer McIntyre, scryh | Site metasploit.com

The AnyDesk GUI is vulnerable to a remotely exploitable format string vulnerability. By sending a specially crafted discovery packet, an attacker can corrupt the frontend process when it loads or refreshes. While the discovery service is always running, the GUI frontend must be started to trigger the vulnerability. On successful exploitation, code is executed within the context of the user who started the AnyDesk GUI.

tags | exploit
advisories | CVE-2020-13160
SHA-256 | 3a9a77f3da97e3fa3eabb2ff840fb3ea885747038fdb66fcbcb8f64ab38332f4
Qmail Local Privilege Escalation / Remote Code Execution
Posted Jun 23, 2020
Authored by Qualys Security Advisory

Qualys has released their local privilege escalation and remote code execution exploit for qmail that leverages the vulnerability as described in CVE-2005-1513.

tags | exploit, remote, local, code execution
systems | unix
advisories | CVE-2005-1513
SHA-256 | aeddf83bcc9a800cd02239af4a54d57183ef075fb1b760208db0cc07f6338385
Background Intelligent Transfer Service Privilege Escalation
Posted Jun 11, 2020
Authored by itm4n, gwillcox-r7 | Site metasploit.com

This Metasploit module exploits CVE-2020-0787, an arbitrary file move vulnerability in outdated versions of the Background Intelligent Transfer Service (BITS), to overwrite C:\Windows\System32\WindowsCoreDeviceInfo.dll with a malicious DLL containing the attacker's payload. To achieve code execution as the SYSTEM user, the Update Session Orchestrator service is then started, which will result in the malicious WindowsCoreDeviceInfo.dll being run with SYSTEM privileges due to a DLL hijacking issue within the Update Session Orchestrator Service. Note that presently this module only works on Windows 10 and Windows Server 2016 and later as the Update Session Orchestrator Service was only introduced in Windows 10. Note that only Windows 10 has been tested, so your mileage may vary on Windows Server 2016 and later.

tags | exploit, arbitrary, code execution
systems | windows
advisories | CVE-2020-0787
SHA-256 | 881389db7516cd93002413a591d878987421d6e664f4be1ea349fe9d3d4000cf
Service Tracing Privilege Escalation
Posted May 8, 2020
Authored by bwatters-r7, itm4n | Site metasploit.com

This Metasploit module leverages a trusted file overwrite with a dll hijacking vulnerability to gain SYSTEM-level access on vulnerable Windows 10 x64 targets.

tags | exploit
systems | windows
advisories | CVE-2020-0668
SHA-256 | c361a1c2decc4120fb83b82770836ac6e075d3657ad91fe7ca2189c9dd6ec994
SMBv3 Compression Buffer Overflow
Posted Apr 6, 2020
Authored by Spencer McIntyre, Daniel Garcia Gutierrez, Manuel Blanco Parajon | Site metasploit.com

A vulnerability exists within the Microsoft Server Message Block 3.1.1 (SMBv3) protocol that can be leveraged to execute code on a vulnerable server. This local exploit implementation leverages this flaw to elevate itself before injecting a payload into winlogon.exe.

tags | exploit, local, protocol
advisories | CVE-2020-0796
SHA-256 | b897523218de261b528a25b48e985e91f958585e7ae9753a0c897e339abe8503
BlueKeep RDP Remote Windows Kernel Use-After-Free
Posted Sep 23, 2019
Authored by OJ Reeves, Sean Dillon, Brent Cook, Ryan Hanson | Site metasploit.com

The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120, allowing a malformed Disconnect Provider Indication message to cause a use-after-free. With a controllable data/size remote nonpaged pool spray, an indirect call gadget of the freed channel is used to achieve arbitrary code execution.

tags | exploit, remote, arbitrary, code execution
advisories | CVE-2019-0708
SHA-256 | 1aecbe52ce929c3de3a4cf90e7b8a03dc74a2a1edd4797fbc7bf61bee611bb3c
Webmin 1.920 Remote Code Execution
Posted Sep 15, 2019
Authored by BoSSaLiNiE

Webmin version 1.920 remote code execution exploit that leverages the vulnerability noted in CVE-2019-15107.

tags | exploit, remote, code execution
advisories | CVE-2019-15107
SHA-256 | 233192a3d19175ea1314a59b24a433a47278e7d0fd3f5a72f4fdeb8334763b0e
Cisco RV110W / RV130(W) / RV215W Remote Command Execution
Posted Sep 2, 2019
Authored by Quentin Kaiser, Yu Zhang, T. Shiomitsu, Haoliang Lu | Site metasploit.com

A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. The vulnerability is due to improper validation of user-supplied data in the web-based management interface. An attacker could exploit this vulnerability by sending malicious HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system of the affected device as a high-privilege user. RV110W Wireless-N VPN Firewall versions prior to are affected. RV130W Wireless-N Multifunction VPN Router versions prior to are affected. RV215W Wireless-N VPN Router versions prior to are affected. Note: successful exploitation may not result in a session, and as such, on_new_session will never repair the HTTP server, leading to a denial-of-service condition.

tags | exploit, remote, web, arbitrary
systems | cisco
advisories | CVE-2019-1663
SHA-256 | 2c771b51eb75ada179bdbfecb74aebaee8b16721ebc04a5e5d918a82a211ed0a
Microsoft Windows NtUserSetWindowFNID Win32k User Callback
Posted Jul 16, 2019
Authored by ze0r, Jacob Robles, Kaspersky Lab | Site metasploit.com

An elevation of privilege vulnerability exists in Microsoft Windows when the Win32k component fails to properly handle objects in memory. This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This Metasploit module is tested against Windows 10 v1703 x86.

tags | exploit, x86
systems | windows
advisories | CVE-2018-8453
SHA-256 | b12d041b74805140215567e34bac24168770da5ed39aeeca4562c66332b7d517
systemd-journald Memory Corruption / Information Leak
Posted Jan 9, 2019
Authored by Qualys Security Advisory

This is a thorough analysis of how Qualys approached exploiting three vulnerabilities in systemd-journald. Although they have not released formal exploits yet, they detail in here is useful in understanding the flaws.

tags | advisory, vulnerability
advisories | CVE-2018-16864, CVE-2018-16865, CVE-2018-16866
SHA-256 | 19a689d664d755e0625285bb3e35b7cb5791449a424da89709b8ef0bf6fdcb91
Microsoft Windows LNK File Code Execution
Posted Nov 8, 2017
Authored by Yorick Koster, Spencer McIntyre | Site metasploit.com

This Metasploit module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) that contain a dynamic icon, loaded from a malicious DLL. This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is similar except an additional SpecialFolderDataBlock is included. The folder ID set in this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary DLL file. The PATH option must be an absolute path to a writeable directory which is indexed for searching. If no PATH is specified, the module defaults to %USERPROFILE%.

tags | exploit, arbitrary
systems | windows
advisories | CVE-2015-0095, CVE-2017-8464
SHA-256 | 81346e7020afd7e94a6d9b253a4b2b5b1c2eba12306e57cf746fb11c43f51e4b
Linux Kernel 4.4.1 REFCOUNT Overflow / Use-After-Free
Posted Jan 19, 2016
Authored by Federico Bento

Linux kernel versions 4.4.1 and below REFCOUNT overflow / use-after free keyrings local root exploit.

tags | exploit, overflow, kernel, local, root
systems | linux
advisories | CVE-2016-0728
SHA-256 | ff28a80090cf606fd0d4f578152d8d24cafca71bf951cb58596dc39c575c5aae
ISC DHCP dhclient Buffer Overflow
Posted Nov 17, 2009
Authored by Jon Oberheide

ISC DHCP dhclient scripts_write_params() stack buffer overflow exploit.

tags | exploit, overflow
advisories | CVE-2009-0692
SHA-256 | 2014e6abc56455168433974101c55c09624023f1879081dc6ce5c0c8823eb70e
Microsoft TCP/IP Orphaned Connections
Posted Sep 10, 2009
Authored by Fabian Yamaguchi | Site recurity-labs.com

The TCP/IP-Stack of the Microsoft Windows XP/Vista Operating System is vulnerable to a remote resource exhaustion vulnerability. By taking advantage of this vulnerability, an attacker can cause a connection's Transmission Control Block (TCB) to remain in memory for an indefinite amount of time without the need for the attacker to further maintain the connection's activity.

tags | advisory, remote, tcp
systems | windows
advisories | CVE-2009-1926
SHA-256 | 15a60a5f477e09ee40822768593559d188cfaca8a7a7e280c79b97103571951d
Adobe Reader Collab.getIcon() Buffer Overflow
Posted Sep 3, 2009
Authored by Kralor

Adobe Reader Collab.getIcon() buffer overflow exploit.

tags | exploit, overflow
advisories | CVE-2009-0927
SHA-256 | 4c864bafa7d7369b396207fd655fe2e4ab8cbd7010dcb62abe900dec15e17645
Linux Kernel procfs Memory Disclosure
Posted Aug 5, 2009
Authored by Jon Oberheide

procfs memory disclosure exploit for Linux kernel versions prior to

tags | exploit, kernel
systems | linux
advisories | CVE-2005-4605
SHA-256 | a870ac7b48160c6a68b2fabfa0d763085a457e0261e1bcfb589827d445df5e4d
Oracle Network Foundation Vulnerability
Posted Jul 25, 2009
Authored by Dennis Yurichev

The Network Foundation component in Oracle Database versions,,,, and suffers from an unspecified vulnerability. Proof of concept code included.

tags | exploit, proof of concept
advisories | CVE-2009-1020
SHA-256 | b72c7dda245813a64d3b0a4289c19093bf2dd482068da52abee287e8b36d133a
Oracle Denial Of Service
Posted Jul 25, 2009
Authored by Dennis Yurichev

Oracle version win32 denial of service exploit.

tags | exploit, denial of service
systems | windows
advisories | CVE-2009-1019
SHA-256 | 8216ea65330bb3e430c0dd5a009534972e3e11372ad6213bf79493989e91ba7f
FreeBSD nmount() Local Root Exploit
Posted Jul 3, 2009
Authored by Patroklos Argyroudis | Site census-labs.com

Local root exploit for FreeBSD nmount(). This affects FreeBSD 7.0-RELEASE and 7.0-STABLE.

tags | exploit, local, root
systems | freebsd
advisories | CVE-2008-3531
SHA-256 | f73657bff4c5f05a9a63c9564bcf7f676f9adf0f6b8a1b9a13e53473275ca23d
Apache Tomcat Information Disclosure
Posted Jun 9, 2009
Authored by Mark Thomas | Site tomcat.apache.org

When using a RequestDispatcher obtained from the Request in Apache Tomcat, the target path was normalized before the query string was removed. A request that included a specially crafted request parameter could be used to access content that would otherwise be protected by a security constraint or by locating it in under the WEB-INF directory. Versions affected include Tomcat 6.0.0 to 6.0.18, Tomcat 5.5.0 to 5.5.27, and Tomcat 4.1.0 to 4.1.39.

tags | exploit, web
advisories | CVE-2008-5515
SHA-256 | c0a0a2a9804149cddfa6d775c7f68367d06311ea65f71bbd9aad52799158a793
Apache Tomcat Information Disclosure
Posted Jun 4, 2009
Authored by Mark Thomas | Site tomcat.apache.org

Apache Tomcat suffers from a XML parser replacement related information disclosure vulnerability. Versions affected include Tomcat 6.0.0 to 6.0.18, Tomcat 5.5.0 to 5.5.27, and Tomcat 4.1.0 to 4.1.39.

tags | advisory, info disclosure
advisories | CVE-2009-0783
SHA-256 | c2b64deb31914b487990416282c15bcbf60ade318ae9adeff66567f4a45f4d69
Apache Tomcat Denial Of Service
Posted Jun 4, 2009
Authored by Mark Thomas | Site tomcat.apache.org

If Tomcat receives a request with invalid headers via the Java AJP connector, it does not return an error and instead closes the AJP connection. In case this connector is member of a mod_jk load balancing worker, this member will be put into an error state and will be blocked from use for approximately one minute. Thus the behavior can be used for a denial of service attack using a carefully crafted request. Versions affected include Tomcat 6.0.0 to 6.0.18, Tomcat 5.5.0 to 5.5.27, and Tomcat 4.1.0 to 4.1.39.

tags | advisory, java, denial of service
advisories | CVE-2009-0033
SHA-256 | c1222adcdce7d85aa41a91cfdf45704103468dc97af6d891ef3a467ed12ed3c9
Tomcat Information Disclosure
Posted Jun 4, 2009
Authored by Mark Thomas | Site tomcat.apache.org

Due to insufficient error checking in some authentication classes, Tomcat allows for the enumeration (brute force testing) of usernames by supplying illegally URL encoded passwords. Versions affected include Tomcat 6.0.0 to 6.0.18, Tomcat 5.5.0 to 5.5.27, and Tomcat 4.1.0 to 4.1.39.

tags | advisory
advisories | CVE-2009-0580
SHA-256 | 23d04996953f18e735ec39419f21aa830d1507afe0c131cb6125bc7e54f441ba
OpenSSL 0.9.8.h DTLS Denial Of Service
Posted Jun 4, 2009
Authored by Jon Oberheide

OpenSSL versions below 0.9.8i DTLS ChangeCipherSpec remote denial of service exploit.

tags | exploit, remote, denial of service
advisories | CVE-2009-1386
SHA-256 | c423dfdd2b8cf9bdc5f6306e55b415b44cbfafa64e6fbbae22549b1a42b3810c
Page 2 of 4

File Archive:

May 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    15 Files
  • 2
    May 2nd
    16 Files
  • 3
    May 3rd
    38 Files
  • 4
    May 4th
    15 Files
  • 5
    May 5th
    35 Files
  • 6
    May 6th
    0 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    8 Files
  • 9
    May 9th
    65 Files
  • 10
    May 10th
    19 Files
  • 11
    May 11th
    27 Files
  • 12
    May 12th
    8 Files
  • 13
    May 13th
    0 Files
  • 14
    May 14th
    1 Files
  • 15
    May 15th
    19 Files
  • 16
    May 16th
    66 Files
  • 17
    May 17th
    28 Files
  • 18
    May 18th
    32 Files
  • 19
    May 19th
    13 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    23 Files
  • 23
    May 23rd
    15 Files
  • 24
    May 24th
    49 Files
  • 25
    May 25th
    20 Files
  • 26
    May 26th
    13 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    11 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By