Explore all Exploits:

Samsung iPOLiS 1.12.2 ReadConfigValue Remote Code Execution (heap spray)

This exploit is a heap spray attack against Samsung iPOLiS 1.12.2, delivered through malicious JavaScript. The shellcode is unescaped into a string, and an array of 500 blocks is filled with copies of a nops+shellcode chunk so that a large, predictable region of the heap holds that chunk. A 5000-byte buffer is then passed to the ReadConfigValue function, which overflows and crashes; the overwritten nSEH and SEH both hold 0x06060606, an address inside the sprayed region, so the exception handler dispatch lands in a nop sled and slides into the shellcode.

Apport/Abrt Vulnerability Demo Exploit

This demo exploit gains root by abusing the Apport and Abrt crash handlers, and the same binary runs in more than one role. It first inspects its own ELF program headers: if a dynamic segment (PT_DYNAMIC) is present it exits with an error, since the exploit refuses to run as a dynamically linked binary. Otherwise it checks its real user id: running as root, it creates a setuid-root executable; running as a non-root user whose effective user id is 0, it spawns a shell and cleans up the exploit's files. In any other case it exits with an error.

Mac OS X “Rootpipe” Privilege Escalation

This module exploits a hidden backdoor API in Apple's Admin framework on Mac OS X, dubbed "Rootpipe", to escalate privileges to root. Tested on Yosemite 10.10.2; it should also work on previous versions, since the patch for this issue was not backported to older releases. Note: the exploit must be run as an admin user to escalate to root.

Adobe Flash Player casi32 Integer Overflow

This module exploits an integer overflow in Adobe Flash Player. The overflow is in the casi32 method (the 32-bit compare-and-swap on domain memory) and is reached when a ByteArray of length 0 is set as the domainMemory of the current application domain. This module has been tested successfully on Windows 7 SP1 (32-bit), IE 8 to IE 11 and Flash 15.0.0.167.

cve-2014-7822_poc.c

The implementation of certain splice_write file operations in the Linux kernel before 3.16 does not enforce a restriction on the maximum size of a single file which allows local users to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted splice system call, as demonstrated by use of a file descriptor associated with an ext4 filesystem.

Unauthenticated mod_copy SITE CPFR/SITE CPTO Commands Vulnerability

Vadim Melihow reported a critical issue with ProFTPD installations that load the mod_copy module: mod_copy lets the SITE CPFR/SITE CPTO commands be used by unauthenticated clients, so anyone who can reach the control port can copy files on the server with the server's privileges. His more serious example is a malicious user copying a file on the server to a path ending in .php under the web root, where the PHP interpreter will run it.

Apple MACOS X < 10.9/10? local root exploit

This exploit gets a file written into a root-owned location without being root. Enabling 'Assistive Devices' in the 'Universal Access' preferences pane makes the system create “/var/db/.AccessibilityAPIEnabled” on the user's behalf, and the exploit leverages that privileged file creation to plant a file in a directory an ordinary user cannot write to.
