The installer component of Cisco AnyConnect Secure Mobility Client for Windows prior to version 4.8.02042 is vulnerable to path traversal and allows local attackers to create/overwrite files in arbitrary locations with system level privileges. The attack consists in sending a specially crafted IPC request to the TCP port 62522 on the loopback device, which is exposed by the Cisco AnyConnect Secure Mobility Agent service. This service will then launch the vulnerable installer component (vpndownloader), which copies itself to an arbitrary location before being executed with system privileges. Since vpndownloader is also vulnerable to DLL hijacking, a specially crafted DLL (dbghelp.dll) is created at the same location vpndownloader will be copied to get code execution with system privileges. This exploit has been successfully tested against Cisco AnyConnect Secure Mobility Client versions 4.5.04029, 4.5.05030 and 4.7.04056 on Windows 10 version 1909 (x64) and Windows 7 SP1 (x86).
0ce466f922be78b19e5b1169c13ef711Keystone is a lightweight multi-platform, multi-architecture assembler framework. Highlight features include multi-architecture, with support for Arm, Arm64 (AArch64/Armv8), Hexagon, Mips, PowerPC, Sparc, SystemZ, and X86 (include 16/32/64bit). It has a clean and lightweight architecture-neutral API. It's implemented in C/C++ languages, with bindings for Python, NodeJS, Ruby, Go and Rust available and also has native support for Windows and various Unix flavors.
358fb4dc10cac08d9463bb9c2c7a8695102 bytes small Linux/x86 add map in /etc/hosts file polymorphic shellcode.
979a6e0e42c8f46c1647b1c2de0c533a75 bytes small Linux/x86 tiny read polymorphic shellcode.
d6f58fd7c7c280218ab60f1656e524b7This Metasploit module exploits a NULL pointer dereference vulnerability in MNGetpItemFromIndex(), which is reachable via a NtUserMNDragOver() system call. The NULL pointer dereference occurs because the xxxMNFindWindowFromPoint() function does not effectively check the validity of the tagPOPUPMENU objects it processes before passing them on to MNGetpItemFromIndex(), where the NULL pointer dereference will occur. This module has been tested against Windows 7 x86 SP0 and SP1. Offsets within the solution may need to be adjusted to work with other versions of Windows, such as Windows Server 2008.
e65eeb8c736544fe952269396a557f6239 bytes small Linux/x86 egghunter null-free shellcode. The egghunter dynamically searches memory for 2 instances of the egg. When the eggs are found, the egghunter passes execution control to the payload at the memory address of the eggs.
3cc1d7e8ad5391ad63e8cd52726be7e080 bytes small Linux/x86 reverse shell generator shellcode with customizable TCP port and IP address.
937201f1ff92ab4fabd623cad7224a07155 bytes small Linux/x86 shellcode that has a MMX stub decoder that dynamically decodes the payload in memory. The FPU GetPC technique is used to determine the offset from EIP dynamically in running memory. Once decoded. this shellcode adds the user 'ctl' with the password 'ctl' to the /etc/passwd file with the UID and GID of 0 (root). This shellcode uses legacy passwd functionality. Therefore the /etc/shadow file does not need to be accessed or modified.
b4cd1c73f54aff707a22b55b2944bd8d107 bytes small Linux/x86 shellcode that adds the user 'ctl' with the password 'ctl' to the /etc/passwd file with the UID and GID of 0 (root). This shellcode uses legacy passwd functionality. Therefore the /etc/shadow file does not need to be accessed or modified.
20be4a130a7c7deaf759ff5c00029968644 bytes small Microsoft Windows x86 shellcode that disables the Windows firewall, adds the user MajinBuu with password TurnU2C@ndy!! to the system, adds the user MajinBuu to the local groups Administrators and Remote Desktop Users, and then enables the RDP Service.
a1d9a1235afb2e385b7e22e9cfe721eb33 bytes small Linux/x86 egghunter null-free shellcode.
f143c7106d8f990b5f7946ceed5264ed10Strike LANState version 9.32 on x86 Host Check hostname SEH buffer overflow exploit.
7f1eb06b56c5aa79bd94057284b6f22226 bytes small Linux/x86 reboot polymorphic shellcode.
0bb419e343fdc1c9caa66d7e15685c4f195 bytes small Windows/x86 null-free WinExec Calc.exe shellcode.
3a4badf48892d3a5e330a3f28dc99060114 bytes small Linux/x86 bind shell generator shellcode.
9b7bafc7ff4aa9cacdbde1039bca23ca571 bytes small Microsoft Windows x86 dynamic bind shell and null-free shellcode.
61ae8434a5edb8b37775ebb965df9ff6114 bytes small Linux/x86 random bytes encoder and XOR/SUB/NOT/ROR execve(/bin/sh) shellcode.
6821b8b561a61bc5d34076f52fd398bd66 bytes small Linux/x86 Execve() alphanumeric shellcode.
dc65b7d56e2af0a082cb78cc43043b20117 bytes small Linux/x86 encoding of random bytes + XOR/SUB/NOT/ROR and also decodes ROL/NOT/ADD/XOR execve(/bin/sh) shellcode.
e07a6559c970bfcdf5f4081ecd9a49e7Microsoft Windows 7 (x86) BlueKeep remote desktop protocol windows kernel use-after-free exploit.
2c3d703bbfbb24401c0d36420ac618d0Ubuntu Security Notice 4186-3 - USN-4186-1 fixed vulnerabilities in the Linux kernel. It was discovered that the kernel fix for CVE-2019-0155 was incomplete on 64-bit Intel x86 systems. This update addresses the issue. Various other issues were also addressed.
35657c491a35b8937950f7a7a72bcfecUbuntu Security Notice 4185-3 - USN-4185-1 fixed vulnerabilities in the Linux kernel. It was discovered that the kernel fix for CVE-2019-0155 was incomplete on 64-bit Intel x86 systems. Also, the update introduced a regression that broke KVM guests where extended page tables are disabled or not supported. This update addresses both issues. Various other issues were also addressed.
48c055fdc23ec8eaea074849871aa586Ubuntu Security Notice 4183-2 - USN-4183-1 fixed vulnerabilities in the Linux kernel. It was discovered that the kernel fix for CVE-2019-0155 was incomplete on 64-bit Intel x86 systems. This update addresses the issue. Various other issues were also addressed.
63968a584ee33d219857ed9bdd445938Ubuntu Security Notice 4184-2 - USN-4184-1 fixed vulnerabilities in the Linux kernel. It was discovered that the kernel fix for CVE-2019-0155 was incomplete on 64-bit Intel x86 systems. Also, the update introduced a regression that broke KVM guests where extended page tables are disabled or not supported. This update addresses both issues. Various other issues were also addressed.
729df00f6313e1ee60a63c8d339f79f447 bytes small Linux/x86 (NOT|ROT+8 Encoded) execve(/bin/sh) null free shellcode.
a9113f7b013779f563b04b416050d879
© 2020 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed