Explore Vulnerabilities

Explore all Exploits:

win32k!NtGdiGetDIBitsInternal Double-fetch vulnerability

The win32k!NtGdiGetDIBitsInternal system call in Windows contains a double-fetch vulnerability that can potentially lead to kernel pool memory disclosure or denial of service. The vulnerability occurs because the BITMAPINFOHEADER structure, specifically its .biSize field, is read from user memory multiple times. By manipulating the user-controlled 'bmi' buffer between those reads, an attacker can exploit this vulnerability to corrupt memory or cause a denial of service. However, the exploit is mostly harmless because various checks in place prevent major consequences.

Use-After-Free Vulnerability in IOBluetoothHCIUserClient

This vulnerability exists in the IOBluetoothHCIUserClient of the IOKit framework in macOS. When creating a new IOBluetoothHCIUserClient, if the userclient doesn't take a reference to the owningTask, an attacker can pass a task port for another task, kill that task, and get the user client to use the freed task struct. This can lead to a use-after-free vulnerability, allowing an attacker to manipulate IOMemoryDescriptors and potentially execute arbitrary code.

Microsoft Windows Media Center .MCL File Processing Remote Code Execution Vulnerability (MS16-059)

Microsoft Windows Media Center (all versions prior to May 11th, 2016) contains a remote code execution vulnerability triggered when processing specially crafted .MCL files. The vulnerability exists because Windows Media Center does not correctly process paths in the "Run" parameter of the "Application" tag, bypassing the usual security warning displayed upon trying to run programs residing on remote (WebDAV/SMB) shares. In order to bypass the Windows Media Center security warning, an attacker only needs to write the prefix "file://" before the actual remote location. For example: file:///192.168.10.10shareapp.exe. However, Windows will still display an "Open File" security warning for files placed in remote locations (Internet Security Zone of IE), which can also be bypassed using a special "Control Panel Shortcut" that points to a remote DLL/CPL file. Upon pointing to a shortcut located in a remote share, it is possible to run arbitrary code in the context of the currently logged-on user. Note: On 64-bit Windows OSes, a 64-bit DLL should be provided, but 32-bit DLL files should work as well. A PoC MCL file is provided, which points to a default Windows share to retrieve a special "Control Panel Shortcut" that runs a CPL file from the same location (127.0.0.1c$programdatacpl.lnk). Notice that although the address points to the "Localhost", Windows treats it the same way as any other IP-based location, placing it in the context of the IE "Internet Security Zone" (default for non-local places). The PoC CPL file only runs "cmd.exe /c calc" for demonstration purposes. Another important note is that after this Micr

RICOH SP 4520DN Printer – HTML Injection

An HTML Injection vulnerability has been discovered on the RICOH SP 4520DN printer via the /web/entry/en/address/adrsSetUserWizard.cgi entryNameIn or entryDisplayNameIn parameter. An attacker can inject arbitrary HTML code into the affected parameter, potentially leading to code execution or information disclosure.

SysGauge Pro v4.6.12 – Local Buffer Overflow (SEH)

The SysGauge Pro v4.6.12 software is affected by a local buffer overflow. By providing a specially crafted payload in the Customer Name and Unlock Key fields, an attacker can trigger a buffer overflow and potentially execute arbitrary code on the target system. The vulnerability has been tested on Windows XP Professional - SP3.
