
Questions tagged [exploit]

The data, tools, and procedures which, when applied to a specific vulnerability, predictably violate the security design of a system.

1 vote, 1 answer, 24 views

Opening PowerShell (PS) session with STs

I am solving TryHackMe > Exploiting Active Directory > Task 3. At the very last step, how is a new PowerShell session opened with the dumped Service Tickets (STs)? He typed this command... PS> New-...

asked by Aryan

1 vote, 0 answers, 46 views

Jump-Oriented Programming: Why is it better/easier to jump to the dispatcher gadget than to jump from one functional gadget directly to another?

Jump-oriented programming: Why is it better/easier to jump to the dispatcher gadget than to jump from one functional gadget directly to another functional gadget? My understanding of JOP: In jump-...

asked by user25100341

0 votes, 0 answers, 26 views

Jump-Oriented Programming: Harder than ROP because the registers need to be prepared individually? + Turing complete, but large overhead/slow?

Full title: Jump-Oriented Programming: Is it harder than traditional return-oriented programming because you need to manually prepare all the addresses and registers, or is there a different reason? ...

asked by user25100341

2 votes, 0 answers, 76 views

When gets reads a string, it does not read \x00, which is the NULL character. So how do I separate two different addresses to complete ROP?

First I used ROPgadget to find two assembly instructions: xor rax; ret and pop rcx; ret. They are at 0x401270 and 0x40133b. Then I tried to put them at the top of the stack, but because the gets ...

asked by Maple

0 votes, 0 answers, 56 views

Buffer Overflow shell

I'm trying to exploit the code posted by ir0nstone at this link: https://ir0nstone.gitbook.io/notes/types/stack/shellcode. I followed all of the steps listed in the tutorial, ASLR is not enabled on my ...

asked by xChineze

0 votes, 0 answers, 80 views

How to exploit CVE-2023-1613

I am trying to understand the vulnerability in Rebuild in chromium, which is identified as CVE-2023-1613. I found this PoC online: https://github.com/getrebuild/rebuild/issues/596 What I understood so ...

asked by anonymous

1 vote, 1 answer, 135 views

Does PDF-level compression implicitly clean a file of malware?

Recently I've been looking into PDF file security, specifically malware exploiting vulnerabilities in PDF readers. I thought about one thing: does compressing a PDF file (for example, by using ...

asked by Madzik

2 votes, 1 answer, 166 views

Can I use SELinux to add an extra layer of protection against 0-day VM escape exploits in KVM/QEMU?

My host is Fedora, and I want to add an extra layer of protection against 0day KVM/QEMU exploits that execute code on the host. For example there have been CVEs where if we run a specially crafted ...

asked by OneAndOnly

0 votes, 1 answer, 148 views

How are viruses or exploits tested without being detected?

I was wondering how threat actors actually test their exploits without them being automatically detected and added to the library of an antivirus detection system, thereby being marked as useless and ...

asked by birdd

1 vote, 2 answers, 182 views

How does malware work when compressed?

I have read up on compressed folders of file types such as .zip, .rar and .7zip being the malicious file itself (excluding cases such as an .exe file being disguised as a .zip file etc...), only ...

asked by ReaLiTy-UnFatHom

1 vote, 1 answer, 94 views

Metasploit search feature returns intersection of results

When I use multiple search criteria in Metasploit it shows the results as an "or" rather than an "and". I see that this was asked several years ago, so now I am wondering if this ...

asked by osus71

0 votes, 0 answers, 109 views

Cache poisoning from RFC 6455 (WebSockets) not requiring server messages to be masked?

In RFC 6455 section 10.3, it explains why they have made clients mask their outgoing frames (so that a malicious server cannot manipulate a client into sending something in plaintext, as the message ...

asked by Secto Kia

2 votes, 2 answers, 286 views

How does malware trigger without the user running an executable?

It is known that downloading a file without actually executing it can be a security vulnerability, if the operating system does something which is not known by the user. See here for some good answers....

asked by Ma Joad

0 votes, 1 answer, 335 views

SSRF through Gopher

The Gopher protocol is used a lot when exploiting SSRF, but how? A Gopher URL takes the form gopher://<host>:<port>/<gopher-path>, but let's take this example: gopher://10.10.10.3:80/...

asked by jeff

0 votes, 0 answers, 234 views

How to exploit read -p in a bash script

I want to execute the ls command in place of the output being "your name is ls". Is there a way to do it?
read -p "name??" name
echo "your name is $name"

asked by AverageUser69
