This holds the sources for the SWAPGS attack PoC publicly shown at Black Hat USA 2019. It includes leakgsbkva - variant 1 (looks for random values in kernel memory; limited to the PE kernel image header), leakgsbkvat - variant 2 (extracts random values from kernel memory; limited to the PE kernel image header), the whitepaper and the Black Hat USA 2019 presentation.
SprintWork v2.3.1 (x86) suffers from insecure file, service and folder permissions, unquoted service paths, and a missing executable for one of the two services it installs, both of which are configured to run as 'LocalSystem'. This allows any local user to gain persistent code execution as 'LocalSystem'. Both the 32-bit and 64-bit builds of SprintWork v2.3.1 create the services 'SP52 AMC' and 'SprintWork TM VI' with 'StartMode' set to 'Auto' and running as 'LocalSystem'; these services run every time the computer starts. The 'SP52 AMC' service is set to use the 'nvlsimw.exe' file. On the 32-bit version, the 'nvlsimw.exe' file is never created. This, in combination with the other vulnerabilities, results in persistent code execution for any local user as 'LocalSystem'.
The phpMyChat Plus 1.98 application is vulnerable to SQL injection (boolean-based blind, error-based and time-based blind) on the deluser.php page through the pmc_user parameter. PoC: capture the request with Burp Suite and then use sqlmap to retrieve the user tables.
An attacker can exploit this vulnerability by sending a crafted POST request to the vulnerable page with a malicious payload in the 'pack' parameter. This allows the attacker to include an arbitrary file from the local file system.
This exploit can be used against four authenticated RCE vulnerabilities in PandoraFMS. If the default vulnerable parameter does not work, the payload can be moved to one of the following parameters: ip_src, dst_port, src_port.
An attacker can exploit this vulnerability by sending a crafted HTTP request to the vulnerable WordPress plugin wordfence.7.4.5. The attacker can use the 'file' parameter to read arbitrary files from the server. The vulnerable code is located in the 'wordfenceClass.php' file, where the 'readfile' function reads the file specified in the 'file' parameter without restricting the path.
On Windows, Open TFTP Server v1.66 suffers from insecure file and folder permissions. This allows a low-privilege local attacker to escalate to Administrator by replacing the 'TFTPServer' service binary with a maliciously crafted executable. After a default installation, the TFTP Server runs as an 'Auto_Start' service with 'LocalSystem' privileges. Once the attacker has planted the malicious binary, it is executed with SYSTEM privileges on the next boot of the Windows device.
An attacker can inject malicious JavaScript code into the 'topic_id' parameter of the 'Quiz.php' page of the WordPress plugin tutor.1.5.3, which is not properly sanitized. This results in a persistent cross-site scripting (XSS) vulnerability.
The vulnerability exists due to insufficient validation of user-supplied input in the 'sub_page' parameter of the '/instructors.php' script. A remote attacker can send a specially crafted request to the vulnerable script and execute arbitrary PHP code on the target system.
This exploit targets a privilege escalation vulnerability in sudo. It allows a user to gain root privileges by abusing the sudo askpass feature. The vulnerability is triggered when a user runs the sudo command with the -S flag and the SUDO_ASKPASS environment variable set to a malicious program. The malicious program then executes a setuid shell, which gives the user root privileges. The vulnerability was discovered in 2019 and affects all versions of sudo prior to 1.8.28.