This module attempts to gain root privileges by exploiting a vulnerability in the `staprun` executable included with SystemTap version 1.3. The `staprun` executable does not clear environment variables prior to executing `modprobe`, allowing an arbitrary configuration file to be specified in the `MODPROBE_OPTIONS` environment variable, resulting in arbitrary command execution with root privileges. This module has been tested successfully on systemtap 1.2-1.fc13-i686 on Fedora 13 (i686), and on systemtap 1.1-3.el5 on RHEL 5.5 (x64).
This exploit is a shell bind TCP exploit for the MSF framework on OSX x86. It is 81 bytes in size and binds to port 5354 before executing the exit() function.
The exploit allows an attacker to traverse directories and access files outside the intended directory.
asm/labels.c in Netwide Assembler (NASM) is prone to a NULL pointer dereference, which allows an attacker to cause a denial of service via a crafted file.
This module exploits SQL and command injection vulnerabilities in ManageEngine AM 14 and prior versions. An unauthenticated user can gain "system" authority on the server due to the SQL injection vulnerability. The exploit allows an arbitrary file to be written to the system using the PostgreSQL structure. The module writes the payload into a file with the ".vbs" extension that ManageEngine uses for monitoring and runs with "system" authority. In addition, it dumps the users and passwords from the database. Keep in mind that after the malicious ".vbs" file is written, the shell session may arrive a bit late, because the ManageEngine application must run this file itself.
A heap corruption was observed in Oracle Java Runtime Environment version 8u202 (latest at the time of this writing) while fuzz-testing the processing of TrueType fonts, implemented in the proprietary t2k library. It manifests itself in the form of a crash when running the command 'bin/java -cp . DisplaySfntFont test.ttf'. The crash can also be triggered under Valgrind on Linux platforms.
This exploit takes advantage of a remote buffer overflow vulnerability in the "RETR" command of the MailCarrier 2.51 POP3 server. By sending a specially crafted request, an attacker can overwrite the Structured Exception Handler (SEH) and gain control of the program flow. This exploit creates a bind shell on port 443 and waits for a connection from the attacker.
The NtSetCachedSigningLevel system call can be tricked by the operation of LUAFV to apply a cached signature to an arbitrary file leading to a bypass of code signing enforcement under UMCI with Device Guard. The exploit involves creating a file with the contents of a valid Microsoft signed file, virtualizing that file using LUAFV, copying an unsigned executable to the virtual store with the target virtualized name, and calling NtSetCachedSigningLevel on the virtualized file.
The LUAFV driver in Windows 10 1809 allows an attacker to bypass security checks and write an arbitrary short name during file virtualization, leading to an elevation of privilege.
The SxS manifest cache in CSRSS uses a weak key, allowing an attacker to fill a cache entry for a system binary, leading to elevation of privilege (EoP).