RIOT versions 2024.01 and below suffers from multiple buffer overflows, ineffective size checks, and out-of-bounds memory access vulnerabilities.
43c245ca872e84173b6225084f324209f789f4e49b0b9c392d621feab1e1de58RT-Thread RTOS versions 5.0.2 and below suffer from multiple buffer overflows, a weak random source in rt_random driver, and various other vulnerabilities.
7668e32fd902661f2969390da3ee78a01c4b634481c7dec7530ab68c48399ff3Proof of concept format string exploit for Zyxel zysh. Multiple improper input validation flaws were identified in some CLI commands of Zyxel USG/ZyWALL series firmware versions 4.09 through 4.71, USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware versions 4.32 through 5.21, VPN series firmware versions 4.30 through 5.21, NSG series firmware versions 1.00 through 1.33 Patch 4, NXC2500 firmware version 6.10(AAIG.3) and earlier versions, NAP203 firmware version 6.25(ABFA.7) and earlier versions, NWA50AX firmware version 6.25(ABYW.5) and earlier versions, WAC500 firmware version 6.30(ABVS.2) and earlier versions, and WAX510D firmware version 6.30(ABTF.2) and earlier versions, that could allow a local authenticated attacker to cause a buffer overflow or a system crash via a crafted payload.
274400da6832cf3ae8c1a6277041c603d352c6bf51a08f409168fc36a69f146cTinyDir versions 1.2.5 and below suffer from a buffer overflow vulnerability with long path names.
cdcc3ee8902aca56a1a663bef58fe0cd58c43fd5918cc6c25bfa566f389d2573Zephyr RTOS versions 3.5.0 and below suffer from a multitude of buffer overflow vulnerabilities.
a7c59cc89cb9ce2fcf88b9ff433accbf339f75522df978dd46fbde16839fcaa8Solaris 10 CDE local privilege escalation exploit that achieves root by injecting a fake printer via lpstat and uses a buffer overflow in libXM ParseColors().
8fed0e704e1d7fbb2603ba2f25e66d64bafc8105967e5ce69f807ea920fafcb1Multiple vulnerabilities have been discovered across Common Desktop Environment version 1.6, Motif version 2.1, and X.Org libXpm versions prior to 3.5.15 on Oracle Solaris 10 that can be chained together to achieve root.
df742682c57b6ead37ab3635d026ba2a6078f335b9b6d36b4eb85c2cf0870088Zyxel firewalls, AP controllers, and APs suffer from buffer overflow, format string, and command injection vulnerabilities.
79406602a0c385dac42a7bfb84e9d7b7c26a7d4a46efafc40a5870b2cd7836d264 bytes small Solaris/SPARC setuid(0) + chmod (/bin/ksh) + exit(0) shellcode.
ac0a8ce6fdd207649a67626e1818a1afd680783d1a46fb94677718a1d199421060 bytes small Solaris/SPARC setuid(0) + execve (/bin/ksh) shellcode.
d785c150823ddd32cb42d29580182ea9055608bea403fff7662eca6bf006f946Linux/MIPS N32 MSB reverse shell shellcode that showcases various techniques to avoid badchars.
b1b0100dc2ab1910886ea650ac52df457851a4b14a3d07a98e33678c077b6d6eSolaris/SPARC chmod() shellcode with a max size of 36 bytes.
844bef47108ea6b399c1949416ca0526422e2fc8ce504d583c3f36aaa4144470This archive contains five proof of concept exploits that leverage a dtprintinfo vulnerability in Solaris 10 1/13. It contains three exploits for SPARC and two for Intel.
10f71ccdb906e501c54f2745a839efada98f12e952d73ba38a22ad24bd4b5f3eA difficult to exploit heap-based buffer overflow in setuid root whodo and w binaries distributed with Solaris allows local users to corrupt memory and potentially execute arbitrary code in order to escalate privileges.
b4fd5ab59754c50d0a4004387d6ef82f58b1de0dc8f81de2438e2e8a8dd7f4fbA difficult to exploit stack-based buffer overflow in the _DtCreateDtDirs() function in the Common Desktop Environment version distributed with Oracle Solaris 10 1/13 (Update 11) and earlier may allow local users to corrupt memory and potentially execute arbitrary code in order to escalate privileges via a long X11 display name. The vulnerable function is located in the libDtSvc library and can be reached by executing the setuid program dtsession. Versions 2.3.1 and below as well as 1.6 and earlier are affected.
7f50111057b19d6619dd24b1f2d5b993965259bb33db3ffa61cb8236878b3cc3A buffer overflow in the _SanityCheck() function in the Common Desktop Environment version distributed with Oracle Solaris 10 1/13 (Update 11) and earlier allows local users to gain root privileges via a long calendar name or calendar owner passed to sdtcm_convert in a malicious calendar file. The open source version of CDE (based on the CDE 2.x codebase) is not affected, because it does not ship the vulnerable program. Versions 1.6 and below are affected.
77a96ff828853997303f6f447de00f2ca068b80d3a3c567e8415e33a6e0d0922smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell meta-characters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.
f42f9b3d984851bedec7966cba6c70991ad906a48462064b1ae90325c6aa112bA buffer overflow in the CheckMonitor() function in the Common Desktop Environment 2.3.1 and earlier and 1.6 and earlier, as distributed with Oracle Solaris 10 1/13 (Update 11) and earlier, allows local users to gain root privileges via a long palette name passed to dtsession in a malicious .Xdefaults file. Note that Oracle Solaris CDE is based on the original CDE 1.x train, which is different from the CDE 2.x codebase that was later open sourced. Most notably, the vulnerable buffer in the Oracle Solaris CDE is stack-based, while in the open source version it is heap-based.
d25b46d48230e23cf621654e72fc9113aa59c9c5cd75e5f0f889790d85edd1e5A low impact information disclosure vulnerability in the setuid root xlock binary distributed with Solaris may allow local users to read partial contents of sensitive files. Due to the fact that target files must be in a very specific format, exploitation of this flaw to escalate privileges in a realistic scenario is unlikely.
a03fb7575a6762318b5f522c1cd86e250b04e78f95dc0676d4b6ae90596cb912SunOS version 5.10 Generic_147148-26 local privilege escalation exploit. A buffer overflow in the CheckMonitor() function in the Common Desktop Environment versions 2.3.1 and earlier and 1.6 and earlier, as distributed with Oracle Solaris 10 1/13 (Update 11) and earlier, allows local users to gain root privileges via a long palette name passed to dtsession in a malicious .Xdefaults file.
aa916b476c438bad08b7aea8b01a918e991d3830378d96635e1586a0f7f2b220This Metasploit module exploits a vulnerability in xscreensaver versions since 5.06 on unpatched Solaris 11 systems which allows users to gain root privileges. xscreensaver allows users to create a user-owned file at any location on the filesystem using the -log command line argument introduced in version 5.06. This module uses xscreensaver to create a log file in /usr/lib/secure/, overwrites the log file with a shared object, and executes the shared object using the LD_PRELOAD environment variable. This module has been tested successfully on xscreensaver version 5.15 on Solaris 11.1 (x86) and xscreensaver version 5.15 on Solaris 11.3 (x86).
61fc2ea992be47242e9913209ccde2e47b80ce69f13985b6c1cff3d42dbfc4cfSolaris version 11.4 xscreensaver local privilege escalation exploit.
3fa7ecaa53e22bbbf5fa735cf10b22a008a02e7bd17c04bcfd1abb124cb3e6f8This Metasploit module exploits a flaw in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to command execution with root privileges.
7b1fe00dfa2c9cc882752b38e5a6e0f2df1617a466c97478e2257a3f314a59fdExim versions 4.87 through 4.91 suffer from a local privilege escalation vulnerability.
f66d7f3a31ac18712c80085004dbe2a60269462f0ed94217c0afa6f03a4f8107A buffer overflow in the DtPrinterAction::PrintActionExists() function in the Common Desktop Environment 2.3.0 and earlier, as used in Oracle Solaris 10 1/13 (Update 11) and earlier, allows local users to gain root privileges via a long printer name passed to dtprintinfo by a malicious lpstat program.
061ca4997bee326476bbf713f5e74683ca863ebc4120b082849a1add69987dfe
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed