exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 25 of 100 RSS Feed

Files

Flash UAF With Color.setRGB In AS2
Posted Aug 20, 2015
Authored by Google Security Research, external

When calling Color.setRGB in AS2 it is possible to free the target_mc object used in the Color constructor while a reference remains in the stack.

tags | exploit
systems | linux
advisories | CVE-2015-3128
SHA-256 | 025afc3b744a755fe32430c68ff260ef742b1772b907721185ee3c58dbde5b57

Related Files

Windows Kernel Win32k!vSolidFillRect Buffer Overflow
Posted Sep 22, 2015
Authored by Nils, Google Security Research

The Microsoft Windows kernel suffers from a buffer overflow vulnerability in Win32k!vSolidFillRect.

tags | exploit, overflow, kernel
systems | linux, windows
advisories | CVE-2015-1725
SHA-256 | 25f32ba5359a051b672c78122c332f74c82b3772f7ba804f808898f00fe1a921
Windows Kernel Brush Object Use-After-Free
Posted Sep 22, 2015
Authored by Nils, Google Security Research

The Microsoft Windows kernel suffers from a brush object use-after-free vulnerability.

tags | exploit, kernel
systems | linux, windows
advisories | CVE-2015-1724
SHA-256 | ac1c9bbd47bafbca773cb80340ef700f905cab76f26f62766346947479e35793
Windows Kernel HmgAllocateObjectAttr Use-After-Free
Posted Sep 22, 2015
Authored by Nils, Google Security Research

The Microsoft Windows kernel suffers from a use-after-free vulnerability in HmgAllocateObjectAttr.

tags | exploit, kernel
systems | linux, windows
advisories | CVE-2015-1726
SHA-256 | e74e9b4659ae9cc8949897e4622853fa73eab51a3dc0249b28c703fe239770d4
Windows Kernel NULL Pointer Dereference With Window Station And Clipboard
Posted Sep 22, 2015
Authored by Nils, Google Security Research

The Microsoft Windows kernel suffers from a NULL pointer dereference with window station and clipboard.

tags | exploit, kernel
systems | linux, windows
advisories | CVE-2015-1721
SHA-256 | 9f32e011ab66422b9eb1d0b4cb638eddddc956ca54dbeb3f19ad2f6d022e0f60
Windows Kernel Use-After-Free In WindowStation
Posted Sep 22, 2015
Authored by Nils, Google Security Research

The Microsoft Windows kernel suffers from a use-after-free vulnerability in WindowStation.

tags | exploit, kernel
systems | linux, windows
advisories | CVE-2015-1723
SHA-256 | aa3efde61185dc1eb0cb8968c6c591a89fd27959b2d48dd4fabbf0770e09ec6e
Pdfium Opj_dwt_decode_1 Out Of Bounds Read
Posted Sep 22, 2015
Authored by Google Security Research, mjurczyk

Pdfium suffers from a heap-based out-of-bounds read vulnerability in Opj_dwt_decode_1 (libopenjpeg).

tags | exploit
systems | linux
SHA-256 | d20c039518c40f0e159c48830e1d0f707213086eb513383b2e55a5136f0ce263
Pdfium CPDF_SampledFunc:v_Call Unmapped Memory Read (SIGSEGV) Crash
Posted Sep 22, 2015
Authored by Google Security Research, mjurczyk

Pdfium suffers from an unmapped memory read (SIGSEGV) crash in CPDF_SampledFunc:v_Call.

tags | exploit
systems | linux
SHA-256 | bcea2e10f4a34c9f72f86396283659a515a7b1802c1e85445c9e56df7078cd48
Windows Kernel Possible NULL Pointer Dereference Of A SURFOBJ
Posted Sep 22, 2015
Authored by Nils, Google Security Research

The Microsoft Windows kernel may suffer from a NULL pointer dereference vulnerability.

tags | exploit, kernel
systems | linux, windows
advisories | CVE-2015-1725
SHA-256 | d1f43b6047662ac0572f8e52b2d49d1b8975a8e50330286cb80ba2d1809962ef
Windows Kernel Use-After-Free In Bitmap Handling
Posted Sep 22, 2015
Authored by Nils, Google Security Research

The Microsoft Windows kernel suffers from a use-after-free vulnerability in bitmap handling.

tags | exploit, kernel
systems | linux, windows
advisories | CVE-2015-1722
SHA-256 | 42a9706efcbff35685e37dd9c3a82c7ad193672a2463d2614d211e7e27a8f41c
Windows Kernel Bitmap Handling Use-After-Free
Posted Sep 22, 2015
Authored by Nils, Google Security Research

The Microsoft Windows kernel suffers from a use-after-free vulnerability in the bitmap handling code.

tags | exploit, kernel
systems | linux, windows
advisories | CVE-2015-1722
SHA-256 | f6216ef039b9fe229af00a9dbb5b21966f586b28c32b15cad36ba45f7e468271
Windows Task Scheduler DeleteExpiredTaskAfter File Deletion Privilege Escalation
Posted Sep 18, 2015
Authored by Google Security Research, forshaw

The Task Scheduler can be made to delete a task after it's trigger has expired. No check is made to ensure the task file is not a junction which allows arbitrary files to be deleted by the system user leading to EoP.

tags | exploit, arbitrary
systems | linux
advisories | CVE-2015-2525
SHA-256 | c30785bf661d0d66daa78abe61a94c360587d6e66ae875cfc5a81dc4ec54b02e
Windows NtUserGetClipboardAccessToken Token Leak Redux
Posted Sep 18, 2015
Authored by Google Security Research, forshaw

The NtUserGetClipboardAccessToken win32k system call exposes the access token of the last user to lower-privileged users. It can also be used to open an anonymous impersonation thread token which normally OpenThreadToken shouldn't be able to do. This is a bypass of the fix for CVE-2015-0078.

tags | exploit
systems | linux
advisories | CVE-2015-2527
SHA-256 | 9bcf7274e363f1dc579d9ed68048a01019d56cc2f841f1a4a04c182389196296
Microsoft Office 2007 OGL.dll ValidateBitmapInfo Bounds Check Failure
Posted Sep 18, 2015
Authored by Google Security Research, scvitti

A bounds check crash was observed in Microsoft Office 2007 Excel with Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug did not reproduce in Office 2010 or 2013.

tags | exploit
systems | linux
advisories | CVE-2015-2510
SHA-256 | 05a60e7019067851141f1787a5bbda75454773b40b9acf97e8b754f2fad758fd
Microsoft Office Excel 2007, 2010, 2013 Use-After-Free With BIFFRecord
Posted Sep 18, 2015
Authored by Google Security Research, scvitti

Microsoft Excel 2007 running on Windows 2003 suffers from a use-after-free vulnerability.

tags | exploit
systems | linux, windows
advisories | CVE-2015-2523
SHA-256 | 460bd27af88f7165a795d698b85d2e4cd8c83732200f70dc5c84e7b8e4818f79
Windows User Mode Font Driver Thread Permissions EoP
Posted Sep 18, 2015
Authored by Google Security Research, forshaw

The host process for the UMFD runs as a normal user but with a heavily restrictive process DACL. It's possible execute arbitrary code within the context of the process because it's possible to access the processes threads leading to local EoP.

tags | exploit, arbitrary, local
systems | linux
advisories | CVE-2015-2508
SHA-256 | f0ec77ee8811de8feb9edad30b69fae9734672773f9e5a37d08fdba2317cebd5
Microsoft Office 2007 BIFFRecord Length Use-After-Free
Posted Sep 18, 2015
Authored by Google Security Research, scvitti

A use-after-free crash was observed in Microsoft Office 2007 with Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug did not reproduce in Office 2010 or 2013.

tags | exploit
systems | linux
advisories | CVE-2015-2520
SHA-256 | 3b2e620089c3777eb2d36942713f33cf68f9865e894dbaee83bdbdb3af57385c
Microsoft Office 2007 OLESSDirectyEntry.CreateTime Type Confusion
Posted Sep 18, 2015
Authored by Google Security Research, scvitti

A type confusion crash was observed in Microsoft Office 2007 with Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug did not reproduce in Office 2010 or 2013.

tags | exploit
systems | linux
advisories | CVE-2015-2521
SHA-256 | 247823ed9395d266e8674965a149848a04a5b7380aa2bf3723839d71d6ca65a6
Windows CreateObjectTask TileUserBroker Privlege Escalation
Posted Sep 18, 2015
Authored by Google Security Research, forshaw

The Microsoft\Windows\Shell\CreateObjectTask initializes a shell32 based ICreateObject COM server as local system. This is marked as being accessible from a normal user account so once created we can attach to it. The server only has one method, CreateObject which checks the CLSID against a list of known safe classes before allowing it to be instantiated. One of these classes is allows a user to set their account picture for the logon screen.

tags | exploit, shell, local
systems | linux, windows
advisories | CVE-2015-2528
SHA-256 | 6a43091589e97afa78001dc6e8f0c4e88aed1de975f8578e7b0706c3c45901f3
Windows CreateObjectTask SettingsSyncDiagnostics Privilege Escalation
Posted Sep 18, 2015
Authored by Google Security Research, forshaw

The Microsoft\Windows\Shell\CreateObjectTask initializes a shell32 based ICreateObject COM server as local system. This is marked as being accessible from a normal user account so once created we can attach to it. The server only has one method, CreateObject which checks the CLSID against a list of known safe classes before allowing it to be instantiated. One of these classes is a diagnostic class for setting synchronization implemented in SettingSync.dll.

tags | exploit, shell, local
systems | linux, windows
advisories | CVE-2015-2524
SHA-256 | 6aef4dd16b7085d61fe94cd118f3ece652f9cd33df0722b63a4bf31f53557554
OS X IOKit Kernel Memory Corruption
Posted Sep 18, 2015
Authored by Google Security Research, Ian Beer

An OS X IOKit kernel memory corruption issue occurs due to a bad bzero in IOBluetoothDevice.

tags | exploit, kernel
systems | linux, apple, osx
advisories | CVE-2014-8836
SHA-256 | f3d2f3b8051f90b86f0cfd263f09f98a7e0e04c1e1fcff20c13e3ca8f318052c
Adobe Reader X And XI For Windows Out-of-bounds Write In CoolType.dll
Posted Sep 18, 2015
Authored by Google Security Research, mjurczyk

Adobe Reader X and XI for windows suffers from an out-of-bounds write in CoolType.dll.

tags | exploit
systems | linux, windows
advisories | CVE-2014-9160
SHA-256 | 94d511f0b5c52532ba8c4998f0ae71bb9ef6d1788cd193c33ea257be138b259f
Windows Type-Confusion / Memory Corruption
Posted Sep 14, 2015
Authored by Google Security Research, matttait

The Windows Kernel is subject to two related kernel-mode type-confusion vulnerabilities inside win32k!xxxRemoteReconnect. In both cases, a user-mode parameter passed to the syscall is incorrectly resolved to its underlying kernel representation via ObReferenceObjectByHandle passing NULL as the "ObType" field (rather than *IoFileTypeObject and *IoDeviceTypeObject respectively). Because the type is not checked, if a handle of a type other than a HANDLE to a file and a device are passed, the kernel incorrectly uses the underlying representation of the object as a PFILE_OBJECT and a PDEVICE_OBJECT, causing memory corruption in the kernel.

tags | advisory, kernel, vulnerability
systems | linux, windows
SHA-256 | 1fc87129199a0c6cd9e6a9fa146cc6e891c7331266896538d14fc884c57013ba
OS X Suid Privilege Escalation
Posted Sep 14, 2015
Authored by Google Security Research, Ian Beer

The Install.framework runner suid root binary does not correctly account for the fact that Distributed Objects can be connected to by multiple clients at the same time. By connecting two proxy objects to an IFInstallRunner and calling [IFInstallRunner makeReceiptDirAt:asRoot:] in the first and passing a custom object as the directory name we can get a callback to our code just after the makeReceiptDirAt code has called seteuid(0);setguid(0) to regain privs. Since BSD priviledges are per-process this means that our other proxy object will now have euid 0 without having to provide an authorization reference. In this second proxy we can then just call runTaskSecurely and get a root shell before returning from the first proxy's callback function which will then drop privs.

tags | exploit, shell, root
systems | linux, bsd
advisories | CVE-2015-5754
SHA-256 | 1fd4f2bf985f7460d71d17680841dc5c059fe7c05b9a7ac1a776291868ff74e3
OS X Privilege Escalation
Posted Sep 14, 2015
Authored by Google Security Research, Ian Beer

The private Install.framework has a few helper executables in /System/Library/PrivateFrameworks/Install.framework/Resources, one of which is suid root and exploitable.

tags | exploit, root
systems | linux
advisories | CVE-2015-3704
SHA-256 | a34aa2485110ffeff9b63cf7063d71e3ac6548549f001e7517073b7f1ffaa5ca
OS X Install.framework Suid Root Binary
Posted Sep 14, 2015
Authored by Google Security Research, Ian Beer

Install.framework has a suid root binary at /System/Library/PrivateFrameworks/Install.framework/Resources/runner that allows for arbitrary mkdir, unlink, and chown.

tags | exploit, arbitrary, root
systems | linux
advisories | CVE-2015-5784
SHA-256 | 4b9ea14e8540ddbdec18fe305074224119369e420b4ed663a1f2bac393fa7f15
Page 1 of 4
Back1234Next

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    12 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close