Posts Tagged "0day"

Symantec Endpoint Protection: Privilege Escalation

Symantec Endpoint Protection 0day

In a recent engagement, we had the opportunity to audit a leading Antivirus Endpoint Protection solution, where we found a multitude of vulnerabilities. Some of these made it to CERT, while others have been scheduled for review during our upcoming AWE course at Black Hat 2014, Las Vegas. Ironically, the same software that was meant to protect the organization under review was the reason for its compromise.

Read More
NDPROXY local SYSTEM exploit CVE-2013-5065

NDPROXY Local SYSTEM exploit CVE-2013-5065

In the past few days there has been some online chatter about a new Windows XP/2k3 privilege escalation, well documented by FireEye. Googling around, we came across a Twitter message which contained a link to a Chinese vulnerability analysis and PoC.

Read More
Yahoo XSS 0-Day

Yahoo DOM XSS 0day – Not fixed yet!

After discussing the recent Yahoo DOM XSS with Shahin from Abysssec.com, it was discovered that Yahoo’s fix is not effective as one would hope. According to Yahoo, this issue was fixed at 6:20 PM EST, Jan 7th, 2013. With little modification to the original proof of concept code written by Abysssec, it is still possible to exploit the original Yahoo vulnerability, allowing an attacker to completely take over a victim’s account. The victim has to be lured to click a link which contains malicious XSS code for the attack to succeed. This can demonstrated by the video we have created just this morning (Jan 8th, 2013) after Shahin kindly shared proof of concept code with us.

Read More
CA ARCserve – CVE-2012-2971

CA ARCserve – CVE-2012-2971

On a recent penetration test, we encountered an installation of CA ARCserve Backup on one of the target systems that piqued our interest. Like most “good” enterprise applications, ARCserve has processes that are running as SYSTEM so naturally, we went straight to work looking for vulnerabilities.

Read More
Return Oriented Exploitation (ROP)

Return Oriented Exploitation (ROP)

For all those who registered to AWE in BlackHat Vegas 2010 – we have special surprise for you… We’ve updated our “Bypassing NX” module with the buzzing ROP exploitation method.

Read More
PHP 6.0 Dev str_transliterate() 0Day Buffer Overflow Exploit

PHP 6.0 Dev str_transliterate() 0Day Buffer Overflow Exploit

An interesting submission to EDB today from the guys at http://www.nullbyte.org.il – a PHP 6.0 0day buffer overflow.

Read More

QuickZip Stack BOF : A box of chocolates – part 2

Today (as promised in part 1 of the QuickZip Stack BOF exploit write-up), I will explain how to build the exploit for the quickzip vulnerability using a pop pop ret pointer from an OS dll. At the end of part 1, I challenged you, the Offensive Security Blog reader, to…

Read More
QuickZip Stack BOF 0day: a box of chocolates

QuickZip Stack BOF 0day: a box of chocolates

A few days ago, one of my friends (mr_me) pointed me to an application that appeared to be acting somewhat “buggy” while processing “specifically” crafted zip files.  After playing with the zip file structure for a while (thanks again, mr_me, for documenting the zip file structure), I found a way…

Read More