
Files

Arm Mali CSF VMA Split Mishandling
Posted Aug 25, 2022
Authored by Jann Horn, Google Security Research

In the Arm Mali driver's handling of CSF user I/O mappings, VMA splitting is handled incorrectly, leading to a page being given back to the kernel's page allocator while it is still mapped into userspace. On devices with recent Mali GPUs that support CSF, this is a security bug that should be very straightforward to exploit.

tags | exploit, kernel
advisories | CVE-2022-33917
SHA-256 | 6ee0db58337e2459a3e0a317b84488b6c9019397c42a860c2baea1a6661f8592

Related Files

Android Arm Mali GPU Arbitrary Code Execution
Posted Jun 11, 2023
Authored by Man Yue Mo, GitHub Security Lab

Proof of concept exploit for a memory corruption vulnerability in the Arm Mali GPU kernel driver that was reported in January of 2022. The bug can be used to gain arbitrary kernel code execution from the untrusted app domain, which is then used to disable SELinux and gain root. The exploit is tested on the Google Pixel 6 and supports patch levels from November 2021 to February 2022. It is easy to add support for other firmware by changing a few image offsets.

tags | exploit, arbitrary, kernel, root, code execution, proof of concept
advisories | CVE-2022-20186
SHA-256 | 66eea2398301c881c76dc1359392bb4e7585bacb1998c8e4de619ba964588857
Windows Kernel Brush Object Use-After-Free
Posted Sep 22, 2015
Authored by Nils, Google Security Research

The Microsoft Windows kernel suffers from a brush object use-after-free vulnerability.

tags | exploit, kernel
systems | linux, windows
advisories | CVE-2015-1724
SHA-256 | ac1c9bbd47bafbca773cb80340ef700f905cab76f26f62766346947479e35793
Windows Kernel NULL Pointer Dereference With Window Station And Clipboard
Posted Sep 22, 2015
Authored by Nils, Google Security Research

The Microsoft Windows kernel suffers from a NULL pointer dereference with window station and clipboard.

tags | exploit, kernel
systems | linux, windows
advisories | CVE-2015-1721
SHA-256 | 9f32e011ab66422b9eb1d0b4cb638eddddc956ca54dbeb3f19ad2f6d022e0f60
Windows Kernel Use-After-Free In WindowStation
Posted Sep 22, 2015
Authored by Nils, Google Security Research

The Microsoft Windows kernel suffers from a use-after-free vulnerability in WindowStation.

tags | exploit, kernel
systems | linux, windows
advisories | CVE-2015-1723
SHA-256 | aa3efde61185dc1eb0cb8968c6c591a89fd27959b2d48dd4fabbf0770e09ec6e
Pdfium Opj_dwt_decode_1 Out Of Bounds Read
Posted Sep 22, 2015
Authored by Google Security Research, mjurczyk

Pdfium suffers from a heap-based out-of-bounds read vulnerability in Opj_dwt_decode_1 (libopenjpeg).

tags | exploit
systems | linux
SHA-256 | d20c039518c40f0e159c48830e1d0f707213086eb513383b2e55a5136f0ce263
Pdfium CPDF_SampledFunc:v_Call Unmapped Memory Read (SIGSEGV) Crash
Posted Sep 22, 2015
Authored by Google Security Research, mjurczyk

Pdfium suffers from an unmapped memory read (SIGSEGV) crash in CPDF_SampledFunc:v_Call.

tags | exploit
systems | linux
SHA-256 | bcea2e10f4a34c9f72f86396283659a515a7b1802c1e85445c9e56df7078cd48
Windows Kernel Possible NULL Pointer Dereference Of A SURFOBJ
Posted Sep 22, 2015
Authored by Nils, Google Security Research

The Microsoft Windows kernel may suffer from a NULL pointer dereference vulnerability.

tags | exploit, kernel
systems | linux, windows
advisories | CVE-2015-1725
SHA-256 | d1f43b6047662ac0572f8e52b2d49d1b8975a8e50330286cb80ba2d1809962ef
Windows Kernel Use-After-Free In Bitmap Handling
Posted Sep 22, 2015
Authored by Nils, Google Security Research

The Microsoft Windows kernel suffers from a use-after-free vulnerability in bitmap handling.

tags | exploit, kernel
systems | linux, windows
advisories | CVE-2015-1722
SHA-256 | 42a9706efcbff35685e37dd9c3a82c7ad193672a2463d2614d211e7e27a8f41c
Windows Kernel Bitmap Handling Use-After-Free
Posted Sep 22, 2015
Authored by Nils, Google Security Research

The Microsoft Windows kernel suffers from a use-after-free vulnerability in the bitmap handling code.

tags | exploit, kernel
systems | linux, windows
advisories | CVE-2015-1722
SHA-256 | f6216ef039b9fe229af00a9dbb5b21966f586b28c32b15cad36ba45f7e468271
Windows Task Scheduler DeleteExpiredTaskAfter File Deletion Privilege Escalation
Posted Sep 18, 2015
Authored by Google Security Research, forshaw

The Task Scheduler can be made to delete a task after its trigger has expired. No check is made to ensure the task file is not a junction, which allows arbitrary files to be deleted by the system user, leading to EoP.

tags | exploit, arbitrary
systems | linux
advisories | CVE-2015-2525
SHA-256 | c30785bf661d0d66daa78abe61a94c360587d6e66ae875cfc5a81dc4ec54b02e
Windows NtUserGetClipboardAccessToken Token Leak Redux
Posted Sep 18, 2015
Authored by Google Security Research, forshaw

The NtUserGetClipboardAccessToken win32k system call exposes the access token of the last user to lower-privileged users. It can also be used to open an anonymous impersonation thread token which normally OpenThreadToken shouldn't be able to do. This is a bypass of the fix for CVE-2015-0078.

tags | exploit
systems | linux
advisories | CVE-2015-2527
SHA-256 | 9bcf7274e363f1dc579d9ed68048a01019d56cc2f841f1a4a04c182389196296
Microsoft Office 2007 OGL.dll ValidateBitmapInfo Bounds Check Failure
Posted Sep 18, 2015
Authored by Google Security Research, scvitti

A bounds check crash was observed in Microsoft Office 2007 Excel with Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug did not reproduce in Office 2010 or 2013.

tags | exploit
systems | linux
advisories | CVE-2015-2510
SHA-256 | 05a60e7019067851141f1787a5bbda75454773b40b9acf97e8b754f2fad758fd
Microsoft Office Excel 2007, 2010, 2013 Use-After-Free With BIFFRecord
Posted Sep 18, 2015
Authored by Google Security Research, scvitti

Microsoft Excel 2007 running on Windows 2003 suffers from a use-after-free vulnerability.

tags | exploit
systems | linux, windows
advisories | CVE-2015-2523
SHA-256 | 460bd27af88f7165a795d698b85d2e4cd8c83732200f70dc5c84e7b8e4818f79
Windows User Mode Font Driver Thread Permissions EoP
Posted Sep 18, 2015
Authored by Google Security Research, forshaw

The host process for the UMFD runs as a normal user but with a heavily restrictive process DACL. It's possible to execute arbitrary code within the context of the process because it's possible to access the process's threads, leading to local EoP.

tags | exploit, arbitrary, local
systems | linux
advisories | CVE-2015-2508
SHA-256 | f0ec77ee8811de8feb9edad30b69fae9734672773f9e5a37d08fdba2317cebd5
Microsoft Office 2007 BIFFRecord Length Use-After-Free
Posted Sep 18, 2015
Authored by Google Security Research, scvitti

A use-after-free crash was observed in Microsoft Office 2007 with Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug did not reproduce in Office 2010 or 2013.

tags | exploit
systems | linux
advisories | CVE-2015-2520
SHA-256 | 3b2e620089c3777eb2d36942713f33cf68f9865e894dbaee83bdbdb3af57385c
Microsoft Office 2007 OLESSDirectyEntry.CreateTime Type Confusion
Posted Sep 18, 2015
Authored by Google Security Research, scvitti

A type confusion crash was observed in Microsoft Office 2007 with Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug did not reproduce in Office 2010 or 2013.

tags | exploit
systems | linux
advisories | CVE-2015-2521
SHA-256 | 247823ed9395d266e8674965a149848a04a5b7380aa2bf3723839d71d6ca65a6
Windows CreateObjectTask TileUserBroker Privilege Escalation
Posted Sep 18, 2015
Authored by Google Security Research, forshaw

The Microsoft\Windows\Shell\CreateObjectTask initializes a shell32 based ICreateObject COM server as local system. This is marked as being accessible from a normal user account, so once created we can attach to it. The server only has one method, CreateObject, which checks the CLSID against a list of known safe classes before allowing it to be instantiated. One of these classes allows a user to set their account picture for the logon screen.

tags | exploit, shell, local
systems | linux, windows
advisories | CVE-2015-2528
SHA-256 | 6a43091589e97afa78001dc6e8f0c4e88aed1de975f8578e7b0706c3c45901f3
Windows CreateObjectTask SettingsSyncDiagnostics Privilege Escalation
Posted Sep 18, 2015
Authored by Google Security Research, forshaw

The Microsoft\Windows\Shell\CreateObjectTask initializes a shell32 based ICreateObject COM server as local system. This is marked as being accessible from a normal user account, so once created we can attach to it. The server only has one method, CreateObject, which checks the CLSID against a list of known safe classes before allowing it to be instantiated. One of these classes is a diagnostic class for setting synchronization implemented in SettingSync.dll.

tags | exploit, shell, local
systems | linux, windows
advisories | CVE-2015-2524
SHA-256 | 6aef4dd16b7085d61fe94cd118f3ece652f9cd33df0722b63a4bf31f53557554
OS X IOKit Kernel Memory Corruption
Posted Sep 18, 2015
Authored by Google Security Research, Ian Beer

An OS X IOKit kernel memory corruption issue occurs due to a bad bzero in IOBluetoothDevice.

tags | exploit, kernel
systems | linux, apple, osx
advisories | CVE-2014-8836
SHA-256 | f3d2f3b8051f90b86f0cfd263f09f98a7e0e04c1e1fcff20c13e3ca8f318052c
Adobe Reader X And XI For Windows Out-of-bounds Write In CoolType.dll
Posted Sep 18, 2015
Authored by Google Security Research, mjurczyk

Adobe Reader X and XI for Windows suffer from an out-of-bounds write in CoolType.dll.

tags | exploit
systems | linux, windows
advisories | CVE-2014-9160
SHA-256 | 94d511f0b5c52532ba8c4998f0ae71bb9ef6d1788cd193c33ea257be138b259f
Windows Type-Confusion / Memory Corruption
Posted Sep 14, 2015
Authored by Google Security Research, matttait

The Windows Kernel is subject to two related kernel-mode type-confusion vulnerabilities inside win32k!xxxRemoteReconnect. In both cases, a user-mode parameter passed to the syscall is incorrectly resolved to its underlying kernel representation via ObReferenceObjectByHandle passing NULL as the "ObType" field (rather than *IoFileTypeObject and *IoDeviceTypeObject respectively). Because the type is not checked, if a handle of a type other than a HANDLE to a file or a device is passed, the kernel incorrectly uses the underlying representation of the object as a PFILE_OBJECT or a PDEVICE_OBJECT, causing memory corruption in the kernel.

tags | advisory, kernel, vulnerability
systems | linux, windows
SHA-256 | 1fc87129199a0c6cd9e6a9fa146cc6e891c7331266896538d14fc884c57013ba
OS X Suid Privilege Escalation
Posted Sep 14, 2015
Authored by Google Security Research, Ian Beer

The Install.framework runner suid root binary does not correctly account for the fact that Distributed Objects can be connected to by multiple clients at the same time. By connecting two proxy objects to an IFInstallRunner and calling [IFInstallRunner makeReceiptDirAt:asRoot:] in the first and passing a custom object as the directory name, we can get a callback to our code just after the makeReceiptDirAt code has called seteuid(0);setguid(0) to regain privs. Since BSD privileges are per-process, this means that our other proxy object will now have euid 0 without having to provide an authorization reference. In this second proxy we can then just call runTaskSecurely and get a root shell before returning from the first proxy's callback function, which will then drop privs.

tags | exploit, shell, root
systems | linux, bsd
advisories | CVE-2015-5754
SHA-256 | 1fd4f2bf985f7460d71d17680841dc5c059fe7c05b9a7ac1a776291868ff74e3
OS X Privilege Escalation
Posted Sep 14, 2015
Authored by Google Security Research, Ian Beer

The private Install.framework has a few helper executables in /System/Library/PrivateFrameworks/Install.framework/Resources, one of which is suid root and exploitable.

tags | exploit, root
systems | linux
advisories | CVE-2015-3704
SHA-256 | a34aa2485110ffeff9b63cf7063d71e3ac6548549f001e7517073b7f1ffaa5ca
OS X Install.framework Suid Root Binary
Posted Sep 14, 2015
Authored by Google Security Research, Ian Beer

Install.framework has a suid root binary at /System/Library/PrivateFrameworks/Install.framework/Resources/runner that allows for arbitrary mkdir, unlink, and chown.

tags | exploit, arbitrary, root
systems | linux
advisories | CVE-2015-5784
SHA-256 | 4b9ea14e8540ddbdec18fe305074224119369e420b4ed663a1f2bac393fa7f15
Windows win32k!NtUserSetInformationThread Type Confusion
Posted Sep 9, 2015
Authored by Google Security Research, matttait

The Windows Kernel is subject to a kernel-mode type-confusion vulnerability inside win32k!NtUserSetInformationThread due to referencing a user-mode handle via ObReferenceObjectByHandle with a "NULL" type specified (it should instead be using *LpcPortObjectType to protect against this vulnerability). This vulnerability can be triggered from inside CSRSS via the syscall win32k!NtUserSetInformationThread with ThreadInformationClass set to "UserThreadCsrApiPort" and the parameter of the syscall set to a HANDLE that is not an LPC object.

tags | advisory, kernel
systems | linux, windows
SHA-256 | f08ca467d2241babc70e51da65057abb65b9ecf85249b35405cfc513910c45d6

© 2024 Packet Storm. All rights reserved.