what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 25 of 100 RSS Feed

Files

JavaScriptCore Crash Proof Of Concept
Posted Aug 19, 2021
Authored by Ivan Fratric, Google Security Research

JavaScriptCore suffers from a crash condition due to an uninitialized register in slow_path_profile_catch. Proof of concept that affects Safari is included.

tags | exploit, proof of concept
advisories | CVE-2021-30797
SHA-256 | 8dd2cde7c2edb66fc6061ca48debe795fc639981944e4354c301b47af6a7c4b1

Related Files

Safari Webkit For iOS 7.1.2 JIT Optimization Bug
Posted Aug 14, 2020
Authored by timwr, Ian Beer, kudima, WanderingGlitch | Site metasploit.com

This Metasploit module exploits a JIT optimization bug in Safari Webkit. This allows us to write shellcode to an RWX memory section in JavaScriptCore and execute it. The shellcode contains a kernel exploit (CVE-2016-4669) that obtains kernel rw, obtains root and disables code signing. Finally we download and execute the meterpreter payload. This module has been tested against iOS 7.1.2 on an iPhone 4.

tags | exploit, kernel, root, shellcode
systems | apple, iphone, ios
advisories | CVE-2016-4669, CVE-2018-4162
SHA-256 | 8ca4b125e9aba514f4d2bd3c12b5189f4dceafcaab577262cc602a11c87480fb
JSC DFG ObjectAllocationSinkingPhase Crash
Posted Mar 2, 2020
Authored by saelo, Google Security Research

An issue in JSC leaves the data flow graph inconsistent. While fuzzing JavaScriptCore with fuzzilli, the researcher found a crash condition in JSC.

tags | exploit
SHA-256 | f2e43004dcfceafecefbc6c781e8b7b7c0553fe8bd4f4bb81b7c35e3f2629141
JavaScriptCore GetterSetter Type Confusion
Posted Oct 30, 2019
Authored by saelo, Google Security Research

JavaScriptCore (JSC) GetterSetter suffers from a type confusion vulnerability during DFG compilation.

tags | exploit
advisories | CVE-2019-8765
SHA-256 | f8e60930397de757314b85c289c63228a5b19761b6793d77e58b54ffc9aab262
JSC ValueProfiles JSValue Use-After-Free
Posted Jul 29, 2019
Authored by saelo, Google Security Research

JavaScriptCore suffers from an issue where there's a JSValue use-after-free vulnerability in ValueProfiles.

tags | advisory
advisories | CVE-2019-8672
SHA-256 | a9501df8f786600223589a22ac96f06da65cf505b543b54f2ef6219f16639ac6
JSC DFG LICM Object Property Access Unguarded
Posted Jul 29, 2019
Authored by saelo, Google Security Research

JavaScriptCore DFG loop-invariant code motion (LICM) has an issue where it leaves object property access unguarded.

tags | advisory
advisories | CVE-2019-8671
SHA-256 | 8fd7bdc27408729bccdf334f804fe0fb27728920396e0444c1671aec6b62ab56
JavaScriptCore LICM Uninitialized Stack Variable
Posted May 21, 2019
Authored by saelo, Google Security Research

JavaScriptCore loop-invariant code motion (LICM) in DFG JIT leaves a stack variable uninitialized.

tags | exploit
advisories | CVE-2019-8623
SHA-256 | 27425be0903bc29c98b9ac1f8d97a7534299a0640fd9a7853018e50fa5fb5df7
JavaScriptCore AIR Optimization Incorrectly Removes Assignment To Register
Posted May 21, 2019
Authored by saelo, Google Security Research

JavaScriptCore AIR optimization incorrectly removes assignment to register.

tags | advisory
advisories | CVE-2019-8611
SHA-256 | a8dd00ac9f2bcbdc2b915ee79af5769a43a82c3045a988444400a182ce34eb0c
JavaScriptCore Out-Of-Bounds Access
Posted Apr 2, 2019
Authored by saelo, Google Security Research

JavaScriptCore suffer from an out-of-bounds access vulnerability in FTL JIT due to LICM moving array access before the bounds check.

tags | advisory
advisories | CVE-2019-8518
SHA-256 | 9a02a54289b2b9f809f566be2d17028c79e568ca28237359ba4a8b4c918b6c32
JavaScriptCore CodeBlock Use-After-Free
Posted Apr 2, 2019
Authored by saelo, Google Security Research

JavaScriptCore suffers from CodeBlock use-after-free vulnerabilities due to dangling Watchpoints.

tags | advisory, vulnerability
advisories | CVE-2019-8558
SHA-256 | 30aab9e3b032f95ac520c57e1d074e71d3dfc7391284ee4107e7ab009d5eb514
JavaScriptCore createRegExpMatchesArray Fails To Respect Inferred Types
Posted Apr 1, 2019
Authored by saelo, Google Security Research

JavaScriptCore has an issue where createRegExpMatchesArray does not respect inferred types.

tags | exploit
advisories | CVE-2019-8506
SHA-256 | e3e805d860fc95f3375effbe7e1765bebfec64afa85c31a72c61f81229111064
WebKit not_number defineProperties Use-After-Free
Posted Jun 4, 2018
Authored by timwr, qwertyoruiop, Siguza, tihmstar | Site metasploit.com

This Metasploit module exploits a use-after-free vulnerability in WebKit's JavaScriptCore library.

tags | exploit
advisories | CVE-2016-4655, CVE-2016-4656, CVE-2016-4657
SHA-256 | e0baf08d0593f705fb8158e36e5ab1b2b1b43896b0acaaa4c81e4d5a9f019f9d
Phrack - Attacking JavaScript Engines
Posted Sep 26, 2017
Authored by phrack, saelo

Phrack: Attacking JavaScript Engines: A case study of JavaScriptCore and CVE-2016-4622.

tags | javascript, magazine
advisories | CVE-2016-4622
SHA-256 | a2a651765bcc685814d2b564c3c669f0395802f26c4a1113472d38c2118c52fd
Windows Task Scheduler DeleteExpiredTaskAfter File Deletion Privilege Escalation
Posted Sep 18, 2015
Authored by Google Security Research, forshaw

The Task Scheduler can be made to delete a task after it's trigger has expired. No check is made to ensure the task file is not a junction which allows arbitrary files to be deleted by the system user leading to EoP.

tags | exploit, arbitrary
systems | linux
advisories | CVE-2015-2525
SHA-256 | c30785bf661d0d66daa78abe61a94c360587d6e66ae875cfc5a81dc4ec54b02e
Windows NtUserGetClipboardAccessToken Token Leak Redux
Posted Sep 18, 2015
Authored by Google Security Research, forshaw

The NtUserGetClipboardAccessToken win32k system call exposes the access token of the last user to lower-privileged users. It can also be used to open an anonymous impersonation thread token which normally OpenThreadToken shouldn't be able to do. This is a bypass of the fix for CVE-2015-0078.

tags | exploit
systems | linux
advisories | CVE-2015-2527
SHA-256 | 9bcf7274e363f1dc579d9ed68048a01019d56cc2f841f1a4a04c182389196296
Windows CreateObjectTask TileUserBroker Privlege Escalation
Posted Sep 18, 2015
Authored by Google Security Research, forshaw

The Microsoft\Windows\Shell\CreateObjectTask initializes a shell32 based ICreateObject COM server as local system. This is marked as being accessible from a normal user account so once created we can attach to it. The server only has one method, CreateObject which checks the CLSID against a list of known safe classes before allowing it to be instantiated. One of these classes is allows a user to set their account picture for the logon screen.

tags | exploit, shell, local
systems | linux, windows
advisories | CVE-2015-2528
SHA-256 | 6a43091589e97afa78001dc6e8f0c4e88aed1de975f8578e7b0706c3c45901f3
Windows CreateObjectTask SettingsSyncDiagnostics Privilege Escalation
Posted Sep 18, 2015
Authored by Google Security Research, forshaw

The Microsoft\Windows\Shell\CreateObjectTask initializes a shell32 based ICreateObject COM server as local system. This is marked as being accessible from a normal user account so once created we can attach to it. The server only has one method, CreateObject which checks the CLSID against a list of known safe classes before allowing it to be instantiated. One of these classes is a diagnostic class for setting synchronization implemented in SettingSync.dll.

tags | exploit, shell, local
systems | linux, windows
advisories | CVE-2015-2524
SHA-256 | 6aef4dd16b7085d61fe94cd118f3ece652f9cd33df0722b63a4bf31f53557554
OS X IOKit Kernel Memory Corruption
Posted Sep 18, 2015
Authored by Google Security Research, Ian Beer

An OS X IOKit kernel memory corruption issue occurs due to a bad bzero in IOBluetoothDevice.

tags | exploit, kernel
systems | linux, apple, osx
advisories | CVE-2014-8836
SHA-256 | f3d2f3b8051f90b86f0cfd263f09f98a7e0e04c1e1fcff20c13e3ca8f318052c
Adobe Reader X And XI For Windows Out-of-bounds Write In CoolType.dll
Posted Sep 18, 2015
Authored by Google Security Research, mjurczyk

Adobe Reader X and XI for windows suffers from an out-of-bounds write in CoolType.dll.

tags | exploit
systems | linux, windows
advisories | CVE-2014-9160
SHA-256 | 94d511f0b5c52532ba8c4998f0ae71bb9ef6d1788cd193c33ea257be138b259f
Windows Type-Confusion / Memory Corruption
Posted Sep 14, 2015
Authored by Google Security Research, matttait

The Windows Kernel is subject to two related kernel-mode type-confusion vulnerabilities inside win32k!xxxRemoteReconnect. In both cases, a user-mode parameter passed to the syscall is incorrectly resolved to its underlying kernel representation via ObReferenceObjectByHandle passing NULL as the "ObType" field (rather than *IoFileTypeObject and *IoDeviceTypeObject respectively). Because the type is not checked, if a handle of a type other than a HANDLE to a file and a device are passed, the kernel incorrectly uses the underlying representation of the object as a PFILE_OBJECT and a PDEVICE_OBJECT, causing memory corruption in the kernel.

tags | advisory, kernel, vulnerability
systems | linux, windows
SHA-256 | 1fc87129199a0c6cd9e6a9fa146cc6e891c7331266896538d14fc884c57013ba
OS X Suid Privilege Escalation
Posted Sep 14, 2015
Authored by Google Security Research, Ian Beer

The Install.framework runner suid root binary does not correctly account for the fact that Distributed Objects can be connected to by multiple clients at the same time. By connecting two proxy objects to an IFInstallRunner and calling [IFInstallRunner makeReceiptDirAt:asRoot:] in the first and passing a custom object as the directory name we can get a callback to our code just after the makeReceiptDirAt code has called seteuid(0);setguid(0) to regain privs. Since BSD priviledges are per-process this means that our other proxy object will now have euid 0 without having to provide an authorization reference. In this second proxy we can then just call runTaskSecurely and get a root shell before returning from the first proxy's callback function which will then drop privs.

tags | exploit, shell, root
systems | linux, bsd
advisories | CVE-2015-5754
SHA-256 | 1fd4f2bf985f7460d71d17680841dc5c059fe7c05b9a7ac1a776291868ff74e3
OS X Privilege Escalation
Posted Sep 14, 2015
Authored by Google Security Research, Ian Beer

The private Install.framework has a few helper executables in /System/Library/PrivateFrameworks/Install.framework/Resources, one of which is suid root and exploitable.

tags | exploit, root
systems | linux
advisories | CVE-2015-3704
SHA-256 | a34aa2485110ffeff9b63cf7063d71e3ac6548549f001e7517073b7f1ffaa5ca
OS X Install.framework Suid Root Binary
Posted Sep 14, 2015
Authored by Google Security Research, Ian Beer

Install.framework has a suid root binary at /System/Library/PrivateFrameworks/Install.framework/Resources/runner that allows for arbitrary mkdir, unlink, and chown.

tags | exploit, arbitrary, root
systems | linux
advisories | CVE-2015-5784
SHA-256 | 4b9ea14e8540ddbdec18fe305074224119369e420b4ed663a1f2bac393fa7f15
Windows win32k!NtUserSetInformationThread Type Confusion
Posted Sep 9, 2015
Authored by Google Security Research, matttait

The Windows Kernel is subject to a kernel-mode type-confusion vulnerability inside win32k!NtUserSetInformationThread due to referencing a user-mode handle via ObReferenceObjectByHandle with a "NULL" type specified (it should instead be using *LpcPortObjectType to protect against this vulnerability). This vulnerability can be triggered from inside CSRSS via the syscall win32k!NtUserSetInformationThread with ThreadInformationClass set to "UserThreadCsrApiPort" and the parameter of the syscall set to a HANDLE that is not an LPC object.

tags | advisory, kernel
systems | linux, windows
SHA-256 | f08ca467d2241babc70e51da65057abb65b9ecf85249b35405cfc513910c45d6
QEMU Programmable Interrupt Timer Controller Heap Overflow
Posted Aug 28, 2015
Authored by Google Security Research, matttait

The programmable interrupt timer (PIT) controller in QEMU does not correctly validate the channel number when performing IO writes to the device controller, allowing both an information disclosure and a heap overflow within the context of the host.

tags | exploit, overflow, info disclosure
systems | linux
SHA-256 | 13f86bfcab19e0b4b4a2b31f5267866e4f2e1bf60fa810d064d79e7a787b0c07
Microsoft Office 2007 RTF XML SmartTags Use-After-Free
Posted Aug 25, 2015
Authored by Google Security Research, hawkes

Microsoft Office 2007 suffers from a RTF XML SmartTags use-after-free vulnerability.

tags | advisory
systems | linux
advisories | CVE-2015-1651
SHA-256 | 9112fd06f8a9594124ac555685a4c390b42d8b36cbf029a9deca63894f80b49e
Page 1 of 4
Back1234Next

File Archive:

July 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    52 Files
  • 2
    Jul 2nd
    0 Files
  • 3
    Jul 3rd
    0 Files
  • 4
    Jul 4th
    11 Files
  • 5
    Jul 5th
    0 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    0 Files
  • 9
    Jul 9th
    0 Files
  • 10
    Jul 10th
    0 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close