CHT漏洞数据库
记录包含各种WordPress/Windows/PHP/Linux等各种系统漏洞或模板。
15,047个主题在此版块
-
/* XNU has various interfaces that permit creating copy-on-write copies of data between processes, including out-of-line message descriptors in mach messages. It is important that the copied memory is protected against later modifications by the source process; otherwise, the source process might be able to exploit double-reads in the destination process. This copy-on-write behavior works not only with anonymous memory, but also with file mappings. This means that, if the filesystem mutates the file contents (e.g. because the ftruncate() syscall was used), the filesystem must inform the memory management subsystem so that affected pages can be deduplicated. If this doesn…
Xiao7的最后回复, -
- 0 篇回复
- 105 次查看
# Exploit Title: FlexHEX v2.46 - Denial of Service (PoC) and SEH overwritten Crash PoC # Discovery by: Rafael Pedrero # Discovery Date: 2018-12-20 # Vendor Homepage: http://www.flexhex.com/order/?r1=iNetShortcut&r2=fhx1 # Software Link : http://www.flexhex.com/order/?r1=iNetShortcut&r2=fhx1 # Tested Version: 2.46 # Tested on: Windows XP SP3 # Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow # Steps to Produce the Crash: # 1.- Run FlexHEX.exe # 2.- Go to Menu "Stream" - "New Stream" and copy content of FlexHEX_SEH_Crash.txt to clipboard # 3.- Paste the content into the field: 'Stream Name:' # 4.- Click 'OK' button and you will see a crash. ''' L…
KaiWn的最后回复, -
- 0 篇回复
- 102 次查看
# Exploit Title: PassFab Excel Password Recovery SEH Local Exploit # Date: 31.01.19 # Vendor Homepage:https://www.passfab.com/products/excel-password-recovery.html # Software Link: https://www.passfab.com/downloads/passfab-excel-password-recovery.exe # Exploit Author: Achilles # Tested Version: 8.3.1 # Tested on: Windows XP SP3 # 1.- Run python code : PassFab_RAR # 2.- Open EVIL.txt and copy content to clipboard # 3.- Open PassFab RAR Password Recovery # 4.- In the new Window click on the key in the upper right corner # 5.- Paste the content of EVIL.txt into the Field: 'Licensed E-mail and Registration Code' # 6.- Click 'Register'and the calculator will open # 7.- Gree…
尖REN的最后回复, -
- 0 篇回复
- 104 次查看
# Exploit Title: ASPRunner Professional v6.0.766 - Denial of Service (PoC) # Discovery by: Rafael Pedrero # Discovery Date: 2019-01-30 # Vendor Homepage: http://www.xlinesoft.com/asprunnerpro # Software Link : http://www.xlinesoft.com/asprunnerpro # Tested Version: v6.0.766 # Tested on: Windows XP SP3 # Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow # Steps to Produce the Crash: # 1.- Run AspRunnerPro.exe # 2.- copy content AspRunnerPro_Crash.txt or 180 "A" to clipboard (result from this python script) # 3.- Go to Wizard "Create a new project" - in "Project name:" field paste the result (180 "A" or more) # 4.- Click in Next button and you will see a cr…
CHQ1d的最后回复, -
#!/usr/bin/python # Exploit Title: UltraISO 9.7.1.3519 - Local Buffer Overflow (SEH) # Date: 30/01/2019 # Exploit Author: Dino Covotsos - Telspace Systems # Vendor Homepage: https://www.ultraiso.com/ # Version: 9.7.1.3519 # Software Link: https://www.ultraiso.com/download.html # Contact: services[@]telspace.co.za # Twitter: @telspacesystems (Greets to the Telspace Crew) # Tested on: Windows XP Prof SP3 ENG x86 # CVE: TBC from Mitre # Thanks to Francisco Ramirez for the original Windows 10 x64 DOS. # Created in preparation for OSCE - DC - Telspace Systems # PoC: # 1.) Generate exploit.txt, copy the content to clipboard # 2.) In the application, click "Make CD/DVD Image" #…
CHQ1d的最后回复, -
/* Inspired by Ned Williamsons's fuzzer I took a look at the netkey code. key_getsastat handles SADB_GETSASTAT messages: It allocates a buffer based on the number of SAs there currently are: bufsize = (ipsec_sav_count + 1) * sizeof(*sa_stats_sav); KMALLOC_WAIT(sa_stats_sav, __typeof__(sa_stats_sav), bufsize); It the retrieves the list of SPIs we are querying for, and the length of that list: sa_stats_arg = (__typeof__(sa_stats_arg))(void *)mhp->ext[SADB_EXT_SASTAT]; arg_count = sa_stats_arg->sadb_sastat_list_len; // exit early if there are no requested SAs if (arg_count == 0) { printf("%s: No SAs requested.\n", __FUNCTION__); error = …
Tenfk的最后回复, -
- 0 篇回复
- 97 次查看
#!/usr/bin/python # Exploit Title: R i386 3.5.0 - Local Buffer Overflow (SEH) # Date: 30/01/2019 # Exploit Author: Dino Covotsos - Telspace Systems # Vendor Homepage: https://www.r-project.org/ # Version: 3.5.0 # Software Link: https://cran.r-project.org/bin/windows/base/old/3.5.0/R-3.5.0-win.exe # Contact: services[@]telspace.co.za # Twitter: @telspacesystems (Greets to the Telspace Crew) # Version: 3.5.0 # Tested on: Windows XP Prof SP3 ENG x86 # Note: SEH exploitation method (SEH + DEP Bypass exploit for Windows 7 x86 by Bzyo available on exploit-db) # CVE: TBC from Mitre # Created in preparation for OSCE - DC - Telspace Systems # PoC: # 1.) Generate exploit.txt, copy …
XenoG的最后回复, -
/* vm_map_copyin_internal in vm_map.c converts a region of a vm_map into "copied in" form, constructing a vm_map_copy structure representing the copied memory which can then be mapped into another vm_map (or the same one.) The function contains a while loop which walks through each of the vm_map_entry structures which make up the region to be copied and tries to append a "copy" of each in turn to a vm_map_copy structure. Under certain circumstances the copy operation can be optimized, here's a code snippet describing one such optimization: // Attempt non-blocking copy-on-write optimizations. if (src_destroy && …
Tenfk的最后回复, -
- 0 篇回复
- 98 次查看
# Exploit Title: Necrosoft DIG v0.4 - Denial of Service (PoC) SEH overwritten Crash PoC # Discovery by: Rafael Pedrero # Discovery Date: 2005-01-10 # Vendor Homepage: http://www.nscan.org/?index=dns # Software Link : http://www.nscan.org/?index=dns # Tested Version: 0.4 # Tested on: Windows XP SP3 # Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow # Steps to Produce the Crash: # 1.- Run Necrosoft DIG v0.4 (dig.exe) # 2.- copy content DIG_Crash.txt to clipboard (result from this python script) # 3.- Paste the content into the field: 'Target' # 4.- Click 'TCP lookup' button and you will see a crash. ''' SEH chain of thread 000003CC Address SE handler …
风尘剑心的最后回复, -
# Exploit Title: Advanced Host Monitor 11.90 Beta - 'Registration number' Denial of Service (PoC) # Discovery by: Luis Martinez # Discovery Date: 2019-01-30 # Vendor Homepage: https://www.ks-soft.net # Software Link : https://www.ks-soft.net/download/hm1190.exe # Tested Version: 11.90 Beta # Vulnerability Type: Denial of Service (DoS) Local # Tested on OS: Windows 10 Pro x64 es # Steps to Produce the Crash: # 1.- Run python code : python Advanced_Host_Monitor_11.90_Beta.py # 2.- Open Advanced_Host_Monitor_11.90_Beta.txt and copy content to clipboard # 3.- Open HostMonitor # 4.- Help -> License... # 5.- Register Now # 6.- Name (Organization): -> l4m5 # 7.- Paste Cl…
Anonymous的最后回复, -
- 0 篇回复
- 103 次查看
# Exploit Title: LanHelper v1.74 - Denial of Service (PoC) # Discovery by: Rafael Pedrero # Discovery Date: 2019-01-31 # Vendor Homepage: http://www.hainsoft.com/ # Software Link : http://www.hainsoft.com/ # Tested Version: 1.74 # Tested on: Windows XP SP3 # Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow # Steps to Produce the Crash: # 1.- Run LanHelper.exe # 2.- copy content LanHelper_Crash.txt or 6000 "A" to clipboard (result from this python script) # 3.- Go to "NT-Utilities" - "Form Send Message" - Tab "Message" - "Add" - "Add target" and paste the result from this python script # 4.- Paste the result from this python script in "Message text:", sam…
KaiWn的最后回复, -
- 0 篇回复
- 105 次查看
# Exploit Title: a-Mac Address Change v5.4 - Denial of Service (PoC) # Discovery by: Rafael Pedrero # Discovery Date: 2019-01-30 # Vendor Homepage: http://amac.paqtool.com/ # Software Link : http://amac.paqtool.com/ # Tested Version: 5.4 # Tested on: Windows XP SP3 # Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow # Steps to Produce the Crash: # 1.- Run amac.exe # 2.- copy content amac_Crash.txt or 212 "A" to clipboard (result from this python script) # 3.- Go to Register - Amac Register Form and paste the result in all fields: "Your Name", "Your Company", "Register Code" # 4.- Click in Register button and you will see a crash. #!/usr/bin/env python c…
XenoG的最后回复, -
- 0 篇回复
- 114 次查看
#!/usr/bin/python # Exploit Title: AnyBurn x86 - Denial of Service (DoS) # Date: 30-01-2019 # Exploit Author: Dino Covotsos - Telspace Systems # Vendor Homepage: http://www.anyburn.com/ # Version: 4.3 (32-bit) # Software Link : http://www.anyburn.com/anyburn_setup.exe # Contact: services[@]telspace.co.za # Twitter: @telspacesystems (Greets to the Telspace Crew) # Tested Version: 4.3 (32-bit) # Tested on: Windows XP SP3 ENG x86 # Note: The other exploitation field in Anyburn was discovered by Achilles # CVE: TBC from Mitre # Created in preparation for OSCE - DC - Telspace Systems # DOS PoC: # 1.) Generate exploit.txt, copy the contents to clipboard # 2.) In the application…
轩辕三官的最后回复, -
/* XNU has various interfaces that permit creating copy-on-write copies of data between processes, including out-of-line message descriptors in mach messages. It is important that the copied memory is protected against later modifications by the source process; otherwise, the source process might be able to exploit double-reads in the destination process. This copy-on-write behavior works not only with anonymous memory, but also with file mappings. This means that, if the filesystem mutates the file contents (e.g. because the ftruncate() syscall was used), the filesystem must inform the memory management subsystem so that affected pages can be deduplicated. If this doesn…
剑道尘心的最后回复, -
# Exploit Title: Remote Process Explorer v1.0.0.16 - Denial of Service (PoC) and SEH overwritten Crash PoC # Discovery by: Rafael Pedrero # Discovery Date: 2019-01-30 # Vendor Homepage: http://lizardsystems.com/action.php?action=home&product=rpexplorer&version=1.0.0.16 # Software Link : http://lizardsystems.com/action.php?action=home&product=rpexplorer&version=1.0.0.16 # Tested Version: 1.0.0.16 # Tested on: Windows XP SP3 # Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow # Steps to Produce the Crash: # 1.- Run rpexplorer.exe # 2.- copy content rpexplorer_Crash.txt to clipboard (result from this python script) # 3.- Go to "Add computer" …
Tenfk的最后回复, -
- 0 篇回复
- 93 次查看
# Exploit Title: SureMDM LFI/RFI (Prior to 2018-11 Patch) # Google Dork: inurl:/api/DownloadUrlResponse.ashx # Date: 2019-02-01 # Exploit Author: Digital Interruption # Vendor Homepage: https://www.42gears.com/ # Software Link: https://www.42gears.com/products/suremdm-home/ # Version: Versions prior to the November 2018 patch # Tested on: Windows # CVE : CVE-2018-15657 An attacker can force the web server to request remote files and display the output by placing any arbitrary URL in the "url" parameter of /api/DownloadUrlResponse.ashx. This can also be utilised to request files from the local file system by using the file:// URI syntax, such as file://C:/WINDOWS/System32…
Tenfk的最后回复, -
/* It's possible that this should be two separate issues but I'm filing it as one as I'm still understanding this service. com.apple.iohideventsystem is hosted in hidd on MacOS and backboardd on iOS. You can talk to it from the app sandbox on iOS. It uses an IOMIGMachPortCache to translate between ports on which messages were received and CF objects on which actions should be performed. There is insufficient checking that the types are correct; so far as I can tell all the io_hideventsystem_* methods apart from io_hideventsystem_open expect to be called on a "connection" port, but that's not enforced. Specifically, the service port is put in the cache mapped to an IOHID…
尖REN的最后回复, -
- 0 篇回复
- 102 次查看
# Exploit Title: FlexHEX v2.46 - Denial of Service (PoC) and SEH overwritten Crash PoC # Discovery by: Rafael Pedrero # Discovery Date: 2018-12-20 # Vendor Homepage: http://www.flexhex.com/order/?r1=iNetShortcut&r2=fhx1 # Software Link : http://www.flexhex.com/order/?r1=iNetShortcut&r2=fhx1 # Tested Version: 2.46 # Tested on: Windows XP SP3 # Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow # Steps to Produce the Crash: # 1.- Run FlexHEX.exe # 2.- Go to Menu "Stream" - "New Stream" and copy content of FlexHEX_SEH_Crash.txt to clipboard # 3.- Paste the content into the field: 'Stream Name:' # 4.- Click 'OK' button and you will see a crash. ''' L…
CHQ1d的最后回复, -
- 0 篇回复
- 100 次查看
# Exploit Title: PassFab Excel Password Recovery SEH Local Exploit # Date: 31.01.19 # Vendor Homepage:https://www.passfab.com/products/excel-password-recovery.html # Software Link: https://www.passfab.com/downloads/passfab-excel-password-recovery.exe # Exploit Author: Achilles # Tested Version: 8.3.1 # Tested on: Windows XP SP3 # 1.- Run python code : PassFab_RAR # 2.- Open EVIL.txt and copy content to clipboard # 3.- Open PassFab RAR Password Recovery # 4.- In the new Window click on the key in the upper right corner # 5.- Paste the content of EVIL.txt into the Field: 'Licensed E-mail and Registration Code' # 6.- Click 'Register'and the calculator will open # 7.- Gree…
Xiao7的最后回复, -
/* _xpc_serializer_unpack in libxpc parses mach messages which contain xpc messages. There are two reasons for an xpc mach message to contain descriptors: if the message body is large, then it's sent as a MACH_MSG_OOL_DESCRIPTOR. Also if the message contains other port resources (eg memory entry ports) then they're also transfered as MACH_PORT_OOL_PORT descriptors. Whilst looking through a dump of system mach message traffic gathered via a dtrace script I noticed something odd: It's possible for a message to have the MACH_MSGH_BITS_COMPLEX bit set and also have a msgh_descriptor_count of 0. Looking at ipc_kmsg_copyin_body you can see that this is in fact the case. Thi…
Tenfk的最后回复,