Explore Vulnerabilities

Explore all Exploits:

Symantec Messaging Gateway Remote Code Execution

This module exploits a command injection vulnerability in the Symantec Messaging Gateway product. An authenticated user can execute a terminal command in the context of the web server user, which is root. The backupNow.do endpoint takes several user inputs and passes them to the internal service responsible for executing operating system commands. One of those inputs is passed to the service without proper validation, which causes the command injection vulnerability. However, the other parameters, such as the SSH IP address, port and credentials, are validated before the terminal command is executed. Thus, you need to configure your own SSH service and set the required parameters when using the module. This module was tested against Symantec Messaging Gateway 10.6.2-7.

Type Confusion Vulnerability in Microsoft Edge

There is a type confusion vulnerability in Microsoft Edge. The crash happens inside CAttrArray::PrivateFindInl: the rcx (this) pointer is supposed to point to a CAttrArray but actually points to a CAttribute. CAttrArray::PrivateFindInl only performs reads, and its return value is discarded by the calling function (CAttrArray::SetParsed). However, the actual type confusion happens further down the stack (possibly inside CssParser::RecordProperty), and if CAttrArray::PrivateFindInl returns false (which can be controlled by an attacker), CAttrArray::Set is also called with the wrong type, which might lead to more serious consequences.

win32k!NtGdiMakeFontDir Information Disclosure

The win32k!NtGdiMakeFontDir system call discloses large portions of uninitialized kernel stack memory to user-mode clients. The proof of concept code fills the kernel stack with a controlled marker byte and then invokes the affected syscall to leak stack bytes to user-mode.

Ipswitch IMail Server 2006 IMAP SEARCH COMMAND Stack Overflow Exploit

This exploit targets a stack overflow vulnerability in Ipswitch IMail Server 2006. An attacker can execute arbitrary code by sending a specially crafted IMAP SEARCH command. The vulnerable code is in the imap4d32.exe file, version 6.8.8.1: the buffer overflow overwrites the return address, which is then used to execute the attacker's payload.

Disclosing uninitialized kernel stack memory in Windows

It is possible to disclose portions of uninitialized kernel stack memory to user-mode applications in Windows 7 through 10 via the win32k!NtGdiGetOutlineTextMetricsInternalW system call. Under normal circumstances only the first 4 bytes of the source structure on the kernel stack are initialized, while the other 4 bytes contain leftover data.

Disclosed uninitialized kernel stack memory in Windows

The win32k!NtGdiExtGetObjectW system call in Windows 7-10 allows disclosing portions of uninitialized kernel stack memory to user-mode applications. This is possible due to leftover kernel stack data in the trailing, uninitialized bytes of the LOGFONT structure for some stock fonts, which can be read back using the GetObject() function.
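The three win32k entries above (NtGdiMakeFontDir, NtGdiGetOutlineTextMetricsInternalW and NtGdiExtGetObjectW) share one bug pattern and one proof-of-concept technique: the handler builds an output structure in a kernel stack slot, writes only some of its bytes, and copies the whole structure to user mode, so a user-mode client that first fills the kernel stack with a marker byte can recognise the stale bytes in what comes back. The following is an added example, not the proof-of-concept code from any of these advisories. It models the pattern with a constructed, explicit "stack" byte array (reading a real uninitialized local in C would be undefined behaviour and non-deterministic), and the names sim_stack, handler_vulnerable, handler_fixed, count_marker_bytes and leaked_bytes, as well as the 8-byte/4-byte sizes and the 0x41 marker, are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the win32k stack-disclosure pattern.  The "kernel
 * stack" is an explicit byte array so the demo is deterministic; a real
 * uninitialised local would be undefined behaviour in C. (Hypothetical.) */

#define SIM_STACK_SIZE 64u
#define MARKER 0x41u      /* byte the user-mode PoC sprays before the syscall */
#define OUT_SIZE 8u       /* size of the structure copied back to user mode */
#define INIT_BYTES 4u     /* how many leading bytes the handler really writes */
#define SLOT_OFFSET 16u   /* where the output structure lives in the frame */

typedef struct {
    uint8_t mem[SIM_STACK_SIZE];
} sim_stack;

/* Step 1 of the PoC technique: a preceding call leaves the stack filled with a
 * known marker.  Modelled by writing MARKER over the whole simulated stack. */
void spray_stack(sim_stack *s, uint8_t marker) {
    memset(s->mem, marker, sizeof s->mem);
}

/* Vulnerable handler: takes an OUT_SIZE slot on the stack, writes only the
 * first INIT_BYTES of it, then copies the full slot to the user buffer.  The
 * trailing bytes are whatever the stack held before: the marker. */
void handler_vulnerable(sim_stack *s, uint8_t *user_out) {
    uint8_t *slot = s->mem + SLOT_OFFSET;
    uint32_t value = 0x11223344u;          /* the one field actually computed */
    memcpy(slot, &value, INIT_BYTES);      /* initialise 4 of the 8 bytes */
    memcpy(user_out, slot, OUT_SIZE);      /* copy all 8: 4 stale bytes leak */
}

/* Fixed handler: zero the whole slot before filling it, otherwise identical. */
void handler_fixed(sim_stack *s, uint8_t *user_out) {
    uint8_t *slot = s->mem + SLOT_OFFSET;
    uint32_t value = 0x11223344u;
    memset(slot, 0, OUT_SIZE);             /* no stale bytes survive */
    memcpy(slot, &value, INIT_BYTES);
    memcpy(user_out, slot, OUT_SIZE);
}

/* Step 2 of the PoC technique: count returned bytes that still carry the
 * marker.  A non-zero count means stale stack content reached user mode. */
size_t count_marker_bytes(const uint8_t *buf, size_t n, uint8_t marker) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (buf[i] == marker)
            hits++;
    return hits;
}

/* Runs spray -> call -> inspect against one handler and returns the number
 * of leaked marker bytes. */
size_t leaked_bytes(void (*handler)(sim_stack *, uint8_t *)) {
    sim_stack stack;
    uint8_t out[OUT_SIZE];
    spray_stack(&stack, (uint8_t)MARKER);
    handler(&stack, out);
    return count_marker_bytes(out, OUT_SIZE, (uint8_t)MARKER);
}

int main(void) {
    printf("vulnerable handler leaked %zu byte(s)\n", leaked_bytes(handler_vulnerable));
    printf("fixed handler leaked %zu byte(s)\n", leaked_bytes(handler_fixed));
    return 0;
}
```

The marker value must be one the handler never writes itself (here 0x11223344 contains no 0x41 byte), otherwise a legitimately initialised field would be miscounted as a leak; real proofs of concept pick the marker and the syscall argument values with the same care, and repeat the run with a second marker to rule out coincidence.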
