This exploit triggers a panic by overwriting a stack canary. It does this by calling IOBluetoothHCIUserClient::DispatchHCIReadLocalName() with an argument that overflows a local buffer and the adjacent stack canary.
This exploit is written for Mac OS X Yosemite (10.10) by @rpaleari and @joystick. It exploits a missing check in IOBluetoothHCIUserClient::DispatchHCICreateConnection() causing a panic. It uses IOConnectCallMethod() to call the vulnerable function and causes an out-of-bounds write.
Gecko CMS suffers from multiple vulnerabilities including Cross-Site Request Forgery, Stored and Reflected Cross-Site Scripting and SQL Injection.
This exploit enables some features of the modem, forcing the device administrator to access the page and reconfigure the modem again, which results in script execution in the browsers of internal-network users.
Red Star OS 3.0 has a privilege escalation vulnerability because the Software Manager (swmng.app) runs as root through sudo and allows the installation of any RPM package, even an unsigned one. An attacker can get root access by downloading a malicious RPM package, double-clicking it to open it with the Software Manager, and clicking through the blue buttons until it's done. After that, running rootsh will give the attacker a root shell. SELinux can be disabled by running setenforce 0 as root.
Red Star 2.0 desktop ships with a world-writable /etc/rc.d/rc.sysinit, which can be abused to execute commands on boot. An example exploitation of this vulnerability is shown in the link provided: it adds a new user 'r00t' to the /etc/passwd file and then switches to the root user.
This exploit is used to gain root access on RedStar 3.0 systems. It involves creating a malicious udev rule which will execute a shell script that adds a new entry to the sudoers file. This allows the user to gain root access without a password.
sysmond is a daemon running as root. It can be interacted with via XPC (com.apple.sysmond). This PoC uses liblorgnette to resolve some private symbols. It allocates a sysmond_request object and fills in fields from the attacker-controlled xpc request dictionary. The sysmond_request is returned from this function and passed as the first argument to sub_10000337D. This function contains a buffer overflow vulnerability which can be exploited to gain root privileges.
A buffer overflow vulnerability was discovered in Palringo version 2.8.1. The vulnerability is caused by a boundary error within the application when handling user-supplied input. This can be exploited to cause a stack-based buffer overflow by sending an overly long HTTP request to the affected application. Successful exploitation may allow execution of arbitrary code.
This plugin is fairly old but still used by a lot of people, and it received its last update nearly 4 years ago. It is vulnerable to arbitrary file deletion and SQL injection. By simply sending a POST request to the file folderdel_.php, we can delete every single file in a specified folder. There is another vulnerability which resides in the /microcart/editor/assetmanager/assetmanager.php file. It contains an upload function, which is safe, and a file deletion function, which is not. We can delete any file off the server by abusing this.