Questions tagged [exploit]
The data, tools, and procedures which, when applied to a specific vulnerability, predictably violate the security design of a system.
1,318 questions
0 votes · 0 answers · 45 views
Are "scammer payback" videos real? How are they still getting exposed? [duplicate]
A lot of these videos don't go into the technical details of how they gain access to the scammer's network, but the scammers are usually using genuine software, which is made for remote assistance.
...
0 votes · 0 answers · 72 views
Is a dependency confusion attack possible with a hardcoded path?
On a private bug bounty, I encountered the below scenario and I was wondering whether it was possible to perform a dependency confusion attack, or not. The package.json looks like this:
{
"name&...
0 votes · 1 answer · 112 views
How to confirm that CVE-2024-53677 is fixed in SAP Data Services
A customer's security team found CVE-2024-53677 in SAP Data Services (4.3 SP3) during a security scan.
Is there an exploit to test the fix provided by SAP?
Patching of SAP Data Services to the latest ...
1 vote · 0 answers · 47 views
Why would the arena_get() function from malloc return the arena_key in House of Prime?
I'm trying to understand how, in glibc 2.3.5, the arena_get function (called by public_mALLOc) will return the arena_key in the House of Prime exploit, where the arena_key is first overridden to the value of ...
1 vote · 0 answers · 65 views
Can setting a value in localStorage bypass PayPal's 2FA during support chat? [closed]
I saw a video where someone used the browser console to change a value in localStorage during PayPal's support chat, and it supposedly skipped the 2FA step. It didn’t touch the main login flow, just ...
4 votes · 2 answers · 1k views
How to check if a file contains exploit for a specific zero day vulnerability?
The latest iOS update contains a fix for some zero day vulnerabilities involving core audio, where a maliciously crafted media file can cause harm.
I have received a file - how can I verify it does ...
4 votes · 0 answers · 113 views
How much do ARM-like link registers make return-oriented programming harder?
ROP usually uses a buffer overflow to overwrite the x86 return address. However, ARM stores that in a register. What is the effect of this on return-oriented programming attacks on non-x86 ...
4 votes · 1 answer · 1k views
Unexpected Mixpanel Cookie: Is this an attempted exploit?
Web application, large user base.
Every now and then we see a Mixpanel cookie, and this is blocked by a WAF ruleset (Azure DefaultRuleSet_1.0 942200
"Detects MySQL comment-/space-obfuscated ...
1 vote · 0 answers · 274 views
Could an XXE vulnerability lead to RCE?
I have identified an XXE vulnerability in an XML parser of an application that allows external entities.
I used the below crafted xml to do a get request on localhost on port 9090, and on the same ...
3 votes · 1 answer · 187 views
Why does this payload only work within pwntools?
I'm trying to learn binary exploitation. I started with the following:
https://github.com/tripoloski1337/learn-to-pwn/tree/master/overwrite_instruction_pointer
After a bit of experimentation, I ...
1 vote · 0 answers · 538 views
What was the "random" number Sony used for the PS3?
I've read that fail0verflow was able to hack the PS3 because Sony used a static number for the random number generator.
I'm just really curious, what number was used? 42? 4? 7669773?
Please note that ...
1 vote · 0 answers · 474 views
Potato exploits don't spawn a reverse shell
What could be the reason for potato exploits not being able to spawn a reverse shell?
OS: Microsoft Windows Server 2022 Standard
Build: 20348
Exploits tried: RoguePotato, SigmaPotato, GodPotato
What ...
3 votes · 1 answer · 141 views
How is CVE-2021-22044 risky?
I am looking at this CVE: https://nvd.nist.gov/vuln/detail/CVE-2021-22044
The description says:
In Spring Cloud OpenFeign 3.0.0 to 3.0.4, 2.2.0.RELEASE to
2.2.9.RELEASE, and older unsupported ...
0 votes · 0 answers · 86 views
Benefit to reading sensitive file chunks via a "middleman" shell script?
tl;dr: is using a script spawned by my main process, which reads only a chunk of a sensitive file and then passes the result to my main process, of any benefit?
in contrast to loading the file in my ...
1 vote · 1 answer · 101 views
Can a Tomcat application sitting behind a reverse proxy be exploited?
I am trying to exploit a vulnerability in Tomcat based on CVE-2020-13935.
I found online this interesting poc https://blog.redteam-pentesting.de/2020/websocket-vulnerability-tomcat/
In my case, the ...
1 vote · 2 answers · 149 views
Linux Privilege Escalation - (running) Services [closed]
Since I'm quite new to the whole topic of Linux privilege escalation, I've done a few courses in which usually the enumeration of services is mentioned with commands like:
ps aux
systemctl --type=...
1 vote · 1 answer · 109 views
How to exploit a path traversal vulnerability
I am pentesting an HTTP server using Jetty, where I have access to the code.
One of the urls I am looking at is get /services/test.js
Looking at the code below:
@GET
@Path("services/{...
3 votes · 1 answer · 214 views
Can vulnerabilities in transitive dependencies be exploitable?
I am running nmap on an HTTP server, and I got the netty version used by the server.
Netty version used is 9.4.53.v20231009 , I tried to check online for CVEs related to this version, and it seems ...
2 votes · 1 answer · 476 views
Ret2libc exploit not working but it seems correct in GDB
I am currently trying to perform a return-to-libc attack against a locally run program. Here are the steps I did:
I calculated the bytes needed to overwrite the saved return address
I used a buffer ...
2 votes · 0 answers · 160 views
Can recent VirtualBox vulnerabilities escape to host?
I ran an unpatched VirtualBox with a Windows guest that might have been compromised. Now I'm unsure if some recent exploits can escape guest-to-host in this scenario.
An example would be CVE-2024-...
1 vote · 1 answer · 202 views
Segmentation fault without rip even getting overwritten Buffer Overflow
I was trying to overflow the return pointer of a simple program. I have ASLR disabled and I compiled like this: gcc returnexp.c -o returnexp -fno-stack-protector.
(I would disable noexecstack later on ...
2 votes · 1 answer · 105 views
Opening PowerShell (PS) session with Service Tickets (STs)
I am solving TryHackMe > Exploiting Active Directory > Task 3. At the very last step, how is a new PowerShell session opened with the dumped STs? He typed this command...
PS> New-PSSession -ComputerName ...
1 vote · 0 answers · 114 views
Jump-Oriented Programming: Why is it better/easier to jump to the dispatcher gadget than to jump from one functional gadget directly to another?
Jump-oriented Programming: Why is it better/easier to jump to the dispatcher gadget than to jump from one functional gadget directly to another functional gadget?
My understanding of JOP:
In jump-...
2 votes · 0 answers · 159 views
When gets reads a string, it does not read \x00, which is the NULL character. So how to separate two different addresses to complete ROP?
First I used ROPgadget to find two assembly instructions:
xor rax; ret and pop rcx; ret,
They are at 0x401270 and 0x40133b.
Then I tried to put them at the top of the stack, but because the gets ...
1 vote · 0 answers · 528 views
Buffer Overflow shell
I'm trying to exploit the code posted by ir0nstone at this link. I followed all of the steps listed in the tutorial, but Address Space Layout Randomization (ASLR) is not enabled on my machine. When I ...
1 vote · 1 answer · 214 views
Does PDF-level compression implicitly clean a file of malware?
Recently I've been looking into PDF file security, specifically malware exploiting vulnerabilities in PDF readers. I thought about one thing: does compressing a PDF file (for example, by using ...
2 votes · 1 answer · 389 views
Can I use SELinux to add an extra layer of protection against 0-day VM escape exploits in KVM/QEMU?
My host is Fedora, and I want to add an extra layer of protection against 0day KVM/QEMU exploits that execute code on the host. For example there have been CVEs where if we run a specially crafted ...
0 votes · 1 answer · 197 views
How are virus or exploits tested without being detected?
I was wondering how threat actors actually test their exploits without them being automatically detected and added to the library of an antivirus detection system, thereby being marked as useless and ...
1 vote · 2 answers · 451 views
How does malware work when compressed?
I have read up on compressed folders of file types such as .zip, .rar and .7zip being the malicious file itself (excluding cases such as an .exe file being disguised as a .zip file etc...), only ...
1 vote · 1 answer · 157 views
Metasploit search feature returns intersection of results
When I use multiple search criteria in Metasploit it shows the results as an "or" rather than an "and". I see that this was asked several years ago so now I am wondering if this ...
0 votes · 0 answers · 170 views
Cache poisoning from rfc6455 (WebSockets) not requiring server message to be masked?
In RFC6455 section 10.3, it explains why they have made clients mask their outgoing frames (so that a malicious server cannot manipulate a client into sending something in plaintext, as the message ...
2 votes · 2 answers · 384 views
How malware triggers without user running an executable?
It is known that downloading a file without actually executing it can be a security vulnerability, if the operating system does something which is not known by the user. See here for some good answers....
1 vote · 1 answer · 767 views
SSRF through Gopher
The Gopher protocol is used a lot when exploiting SSRF, but how?
A Gopher URL takes the form:
gopher://<host>:<port>/<gopher-path>
but let's take this example:
gopher://10.10.10.3:80/...
0 votes · 0 answers · 323 views
How to exploit read -p in a bash script
I want to execute the ls command in place of the output being "your name is ls".
Is there a way to do it?
read -p "name??" name
echo "your name is $name"
1 vote · 1 answer · 188 views
Security vulnerabilities in Windows updates from local network
Windows has offered the ability to download updates from machines in the local network for some time. My gut feeling tells me this would be a great attack vector for Windows security vulnerabilities.
...
1 vote · 0 answers · 180 views
How can I exploit the following code using string format vulnerabilities, Global offset table & GDB? [closed]
The following code should be exploited and I need to exploit it in such a way that it runs my command (l33t) and there should be shellcode and exploit included, so that it runs my command. I believe I ...
1 vote · 0 answers · 85 views
Information on the Exploitation and Automatability Data for Vulnerable components
Is there any tool providing information such as exploitability state (i.e., None, POC & Functional/Active) and automatability data for a specified vulnerable component name and version?
1 vote · 0 answers · 134 views
Why do I suddenly receive print notifications on Windows 10? [closed]
I have seen what's in the image.
But I don't have any printer.
OS: Windows 10 22H2
1 vote · 0 answers · 205 views
How to properly pack address into bytes to overwrite EIP register
I'm learning how to exploit a tiny web server based on a well written post here: https://blog.coffinsec.com/2017/11/10/tiny-web-server-buffer-overflow-discovery-and-poc.html
I am very close to ...
1 vote · 1 answer · 181 views
Is there a possible attack on a MySQL database using an input window [closed]
My app has an input field that is used as a source for an HTML and PDF file.
I also store this input in my database.
My question is: Is it possible to somehow write something in the text field which ...
1 vote · 0 answers · 130 views
How could the contents of multiple LastPass vaults be compromised?
According to this newly published article:
Now, it appears that the LastPass hack has led cybercriminals to steal over $35 million in cryptocurrencies.
...
Nick Bax, director of analytics at ...
2 votes · 1 answer · 477 views
Does Routersploit install any malware or executables on my PC?
If I install Routersploit on my PC, would it install any malware or executable binaries as part of it to PC? Even though developers of Routersploit do not have any nefarious intention to add malware, ...
0 votes · 1 answer · 206 views
What to do if a bank doesn't admit it leaked millions of customers' data [closed]
I found a breach on a bank's website a few months ago which exposed customer data including: SSNs, account numbers, account balances, physical addresses, payment history, tax forms, temporary login ...
1 vote · 0 answers · 323 views
Is UAC an overestimated protection measure in Windows? Does Linux do it better?
Windows is an API-based operating system, whereas Linux is file-based. Hence in my opinion, any operating system API security measures alone aren't effective in Windows. One of such examples would be ...
0 votes · 2 answers · 864 views
Unable to execute shellcode on x86_64 architecture
I currently got interested in binary exploitation (even though I do not know if it is still useful today).
I started studying shellcode and buffer overflow (stack-buffer overflow, specifically). I know ...
0 votes · 2 answers · 945 views
Is it possible to run a code only with an environment variable?
I'm researching the possibility that modifiable environment variables could have security implications.
I mounted all writable volumes with noexec.
LD_PRELOAD could be an attack surface, but I don't ...
1 vote · 1 answer · 435 views
"PUT /SDK/webLanguage HTTP/1.1" on a server with only port 22 open
I've recently spun up a new droplet on Digital Ocean with Ubuntu 22 and enabled UFW and allowed only SSH, which reports being active even after a reboot:
sudo ufw status
Status: active
To ...
3 votes · 1 answer · 459 views
NULL dereference - Why does it work?
I know that exploiting NULL dereferences is a thing of the past and that modern systems prohibit user processes from mapping NULL page, but I also know that back in the day, a NULL dereference in the ...
3 votes · 1 answer · 793 views
Is running rsync as root problematic?
Is there a security risk with running rsync as root to copy potentially malicious files? Or for that matter with any read command like cp, cat, du?
Background:
I'm moving data from various systems ...
52 votes · 1 answer · 10k views
What vulnerability is a math operation in an HTTP request trying to exploit?
I found the following string '<?=print(9347655345-4954366);?>' in a blocked request logged by our WAF this morning. This string was contained in the path as well as a number of headers.
GET /?'&...