header-logo
Suggest Exploit
explore-vulnerabilities

Explore Vulnerabilities

Version
Year

Explore all Exploits:

*BSD setusercontext vulnerabilites

BSD derived operating systems have a special function to set a 'user context'. The function setusercontext() is available on for example FreeBSD 5.0 and 7.0. An example from ftpd.c : setusercontext(lc, pw, (uid_t)0, LOGIN_SETLOGIN|LOGIN_SETGROUP|LOGIN_SETPRIORITY| LOGIN_SETRESOURCES|LOGIN_SETUMASK). An interesing setting here is LOGIN_SETRESOURCES with which a USER is allowed to set resources actually. From the manpage: LOGIN_SETRESOURCES Set resource limits for the current process based on values specified in the system login class database. Class capability tags used, with and without -cur (soft limit) or -max (hard limit) suffixes and the corresponding resource setting: cputime RLIMIT_CPU, filesize RLIMIT_FSIZE, datasize RLIMIT_DATA, stacksize RLIMIT_STACK, coredumpsize RLIMIT_CORE, memoryuse RLIMIT_RSS, memorylocked RLIMIT_MEMLOCK, maxproc RLIMIT_NPROC, openfiles RLIMIT_NOFILE, sbsize RLIMIT_SBSIZE, vmemoryuse RLIMIT_VMEM. Now one can set (means: upload) their own ~/.login_conf and play around a bit. For example the chroot() call in ftpd.c can be bypassed by setting 'openfiles' to a value of 5.

FreeBSD <= 6.1 SMP kevent() Race Condition Exploit

FreeBSD <= 6.1 suffers from classical check/use race condition on SMP systems in kevent() syscall, leading to kernel mode NULL pointer dereference. It can be triggered by spawning two threads: 1st thread looping on open() and close() syscalls, and the 2nd thread looping on kevent(), trying to add possibly invalid filedescriptor. The bug was fixed in 6.1-STABLE, just before release of 6.2-RELEASE, but was not recognized as security vulnerability. The following code exploits this vulnerability to run root shell.

Faslo Player 7.0 (.m3u) Local Buffer Overflow PoC

Faslo Player 7.0 is vulnerable to a local buffer overflow vulnerability when a specially crafted .m3u file is opened. This can be exploited to execute arbitrary code by tricking a user into opening a malicious .m3u file. The vulnerability is caused due to a boundary error within the application when processing the file. This can be exploited to cause a stack-based buffer overflow by supplying a specially crafted .m3u file with an overly long string.

KSP 2006 FINAL ( .M3U) Universal Local Buffer Exploit (SEH)

KSP 2006 FINAL is vulnerable to a local buffer overflow vulnerability when a specially crafted .M3U file is loaded. This vulnerability can be exploited by an attacker to execute arbitrary code on the vulnerable system by tricking a user into loading a malicious .M3U file. The vulnerability is caused due to a boundary error when handling .M3U files, which can be exploited to cause a stack-based buffer overflow by writing past the end of a buffer on the stack.

PHP Dir Submit Version 1.00 (aid) Remote SQL Injection Vuln

A vulnerability exists in PHP Dir Submit Version 1.00 (aid) which allows an attacker to inject arbitrary SQL commands. An attacker can exploit this vulnerability by registering in the site, adding a post, and pressing on 'View Article'. The attacker can then inject arbitrary SQL commands via the 'aid' parameter in the 'showarticle' menu.

Moa gallery 1.1.0 (gallery_id) Remote Sql injection vuln

A remote SQL injection vulnerability exists in Moa gallery 1.1.0. An attacker can send a specially crafted HTTP request to the vulnerable application in order to execute arbitrary SQL commands in the back-end database. This can be exploited to manipulate data, disclose sensitive information, or gain access to the system.

0x82-CVE-2009-2692

This exploit is a local ring0 root exploit for Linux kernel 2.4/2.6 (32bit) sock_sendpage(). It has been tested on RedHat Linux 9.0, Fedora core 4~11, Whitebox 4, and CentOS 4.x. The exploit is slow and dirty and was discovered by Tavis Ormandy and Julien Tinnes of the Google Security Team. It was written by p0c73n1 and is based on the code of spender and venglin.

Recent Exploits: