113 bytes small Linux/x64 anti-debug trick (INT3 trap) with execve("/bin/sh") shellcode that is NULL free.

Linux futex+VFS suffers from an improper inode reference in get_futex_key() that causes a use-after-free if the superblock goes away.

Linux 5.6 has an issue with IORING_OP_MADVISE racing with coredumping.

This is the sixteenth issue of POC || GTFO.

This is the seventeenth issue of POC || GTFO.

129 bytes small Linux/x86_64 bind (4444/TCP) shell (/bin/sh) + password (pass) shellcode.

157 bytes small Linux/MIPS64 reverse (localhost:4444/TCP) shell shellcode.

120 bytes small Linux/x86_64 reverse (127.0.0.1:4444/TCP) shell (/bin/sh) + password (pass) shellcode.

Linux/x86 TCP reverse shell 127.0.0.1 nullbyte free shellcode.

53 bytes small Linux/x86 bind TCP port 43690 null-free shellcode.

This Metasploit module uses the FreeSWITCH event socket interface to execute system commands using the system API command. The event socket service is enabled by default and listens on TCP port 8021 on the local network interface. This module has been tested successfully on FreeSWITCH versions: 1.6.10-17-726448d~44bit on FreeSWITCH-Deb8-TechPreview virtual machine; 1.8.4~64bit on Ubuntu 19.04 (x64); and 1.10.1~64bit on Windows 7 SP1 (EN) (x64).

188 bytes small Lnux/x64 reverse TCP stager shellcode.

This exploit uses the Cable Haunt vulnerability to open a shell for the Sagemcom F@ST 3890 (50_10_19-T1) cable modem. The exploit serves a website that sends a malicious websocket request to the cable modem. The request will overflow a return address in the spectrum analyzer of the cable modem and using a rop chain start listening for a tcp connection on port 1337. The server will then send a payload over this tcp connection and the modem will start executing the payload. The payload will listen for commands to be run in the eCos shell on the cable modem and redirect STDOUT to the tcp connection.

This simple tool is useful to test a PABX with "allow guest" parameter set to "yes" (in this scenario an anonymous caller could place a call). The aim of the tool is to ring all the sip Terminal Equipment (phones).

The Juniper SRX suffers from a dual-homed swapfile overflow error that can cause denial of service conditions.

This is a presentation called Router Exploitation. It was given at BlackHat 2009. It discusses various vendors such as Cisco, Juniper, Huawei, and more.

Juniper JunOS version 9.x suffers from a html injection vulnerability that allows for cross site scripting attacks.

This whitepaper is a study that gives an overview about what methodology a hacker uses to hack into a system, discusses a theft of millions from the central bank of Bangladesh, and more.

REVULN 20x3 is an international conference taking place on September 9th through the 10th, 2020 in Bangkok (Thailand) at Ibis Styles Bangkok Sukhumvit Phra Khanong.

This document illustrates the manual exploitation of the vulnerability found in the Intel Active Management Technology in 2017 that stripped off the primary authentication mechanism in the Intel AMT web interface.

This is a whitepaper tutorial that walks through creating a proof of concept exploit for a remote command execution vulnerability in NagiosXI version 5.6.

This is a whitepaper tutorial that walks through creating a proof of concept exploit for a pre-authentication remote command execution vulnerability in Symantec Web Gateway version 5.0.2.8.

This is a whitepaper tutorial that describes steps taken to identify post-authentication remote command execution vulnerabilities in NagiosXI version 5.6.11.

This is a whitepaper tutorial that describes steps taken to identify post-authentication remote code execution vulnerabilities in ManageEngine version 14.

This is a whitepaper tutorial that describes steps taken to identify post-authentication remote code execution vulnerabilities in Symantec Web Gateway version 5.0.2.8.

Whitepaper called Exploiting CAN-Bus using Instrument Cluster Simulator.

Oracle Java versions prior to 7u25 suffer from an invalid array indexing vulnerability that exists within the native storeImageArray() function inside jre/bin/awt.dll. This exploit code demonstrates remote code execution by popping calc.exe. It was obtained through the Packet Storm Bug Bounty program.

The IntegerInterleavedRaster.verify() method in Oracle Java versions prior to 7u25 is vulnerable to a signed integer overflow that allows bypassing of "dataOffsets[0]" boundary checks. This exploit code demonstrates remote code execution by popping calc.exe. It was obtained through the Packet Storm Bug Bounty program.

This Metasploit module abuses an Invalid Array Indexing Vulnerability on the static function storeImageArray() function in order to produce a memory corruption and finally escape the Java Sandbox. The vulnerability affects Java version 7u21 and earlier. The module, which doesn't bypass click2play, has been tested successfully on Java 7u21 on Windows and Linux systems. This was created based upon the Packet Storm Bug Bounty release for this issue.

The BytePackedRaster.verify() method in Oracle Java versions prior to 7u25 is vulnerable to a signed integer overflow that allows bypassing of "dataBitOffset" boundary checks. This exploit code demonstrates remote code execution by popping calc.exe. It was obtained through the Packet Storm Bug Bounty program.

The ByteComponentRaster.verify() method in Oracle Java versions prior to 7u25 is vulnerable to a memory corruption vulnerability that allows bypassing of "dataOffsets[]" boundary checks. This exploit code demonstrates remote code execution by popping calc.exe. It was obtained through the Packet Storm Bug Bounty program.

The ShortComponentRaster.verify() method in Oracle Java versions prior to 7u25 is vulnerable to a memory corruption vulnerability that allows bypassing of "dataOffsets[]" boundary checks when the "numDataElements" field is 0. This exploit code demonstrates remote code execution by popping calc.exe. It was obtained through the Packet Storm Bug Bounty program.

This exploit leverages both invalid typecast and memory disclosure vulnerabilities in Microsoft Silverlight 5 in order to achieve code execution. This exploit code demonstrates remote code execution by popping calc.exe. It was obtained through the Packet Storm Bug Bounty program. Google flags this as malware so only use this if you know what you are doing. The password to unarchive this zip is the word "infected".

This Metasploit module exploits a vulnerability on Microsoft Silverlight. The vulnerability exists on the Initialize() method from System.Windows.Browser.ScriptObject, which access memory in an unsafe manner. Since it is accessible for untrusted code (user controlled) it's possible to dereference arbitrary memory which easily leverages to arbitrary code execution. In order to bypass DEP/ASLR a second vulnerability is used, in the public WriteableBitmap class from System.Windows.dll. This Metasploit module has been tested successfully on IE6 - IE10, Windows XP SP3 / Windows 7 SP1 on both x32 and x64 architectures.

Proof of concept code that demonstrates an ASLR bypass of PIE compiled 64bit Linux.

The release of this advisory provides exploitation details in relation a weakness in the Linux ASLR implementation. The problem appears when the executable is PIE compiled and it has an address leak belonging to the executable. These details were obtained through the Packet Storm Bug Bounty program and are being released to the community.

The handling of the virtual registry for desktop bridge applications can allow an application to create arbitrary files as system resulting in privilege escalation. This is because the fix for CVE-2018-0880 (MSRC case 42755) did not cover all similar cases which were reported at the same time in the issue.

Oracle WebLogic version 12.1.2.0 RMI registry UnicastRef object java deserialization remote code execution exploit.

The Windows registry editor allows specially crafted .reg filenames to spoof the default registry dialog warning box presented to an end user. This can potentially trick unsavvy users into choosing the wrong selection shown on the dialog box. Furthermore, we can deny the registry editor its ability to show the default secondary status dialog box (Win 10), thereby hiding the fact that our attack was successful.

The VMX process (vmware-vmx.exe) process configures and hosts an instance of VM. As is common with desktop virtualization platforms the VM host usually has privileged access into the OS such as mapping physical memory which represents a security risk. To mitigate this the VMX process is created with an elevated integrity level by the authentication daemon (vmware-authd.exe) which runs at SYSTEM. This prevents a non-administrator user opening the process and abusing its elevated access. Unfortunately the process is created as the desktop user which results in the elevated process sharing resources such as COM registrations with the normal user who can modify the registry to force an arbitrary DLL to be loaded into the VMX process. Affects VMware Workstation Windows version 14.1.5 (on Windows 10). Also tested on VMware Player version 15.

This Metasploit module exploits a flaw in the WSReset.exe file associated with the Windows Store. This binary has autoelevate privs, and it will run a binary file contained in a low-privilege registry location. By placing a link to the binary in the registry location, WSReset.exe will launch the binary as a privileged user.

This Metasploit module exploits a buffer overflow in Xinfire TV Player Pro and Standard version 6.0.1.2. When the application is used to import a specially crafted plf file, a buffer overflow occurs allowing arbitrary code execution. Tested successfully on Win7, Win10. This software is similar as Aviosoft Digital TV Player and BlazeVideo HDTV Player.

This Metasploit module exploits a buffer overflow in Xinfire DVD Player Pro and Standard version 5.5.0.0. When the application is used to import a specially crafted plf file, a buffer overflow occurs allowing arbitrary code execution. Tested successfully on Win7, Win10. This software is similar as DVD X Player and BlazeDVD.

IQrouter firmware version 3.3.1 suffers from a remote code execution vulnerability.